chore: update filename when creating resource (#1460 )

chore: add default local storage path (#1457 )
chore: delete resource related file (#1456 )
2025-06-05 22:09:59 +02:00 · 2023-04-03 23:16:43 +08:00 · 2023-04-03 17:13:41 +08:00 · 2023-04-03 17:02:47 +08:00 · 2023-04-03 15:38:14 +08:00 · 2023-04-03 14:52:36 +08:00
441 changed files with 28164 additions and 8290 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,2 +1 @@
 web/node_modules
-web/yarn.lock
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -0,0 +1 @@
+github: usememos
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -0,0 +1,31 @@
+name: Bug Report
+description: Create a report to help us improve
+labels: [bug]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        If you are reporting a new issue, make sure that we do not have any duplicates already open. You can ensure this by searching the issue list for this repository. If there is a duplicate, please close your issue and add a comment to the existing issue instead.
+  - type: textarea
+    attributes:
+      label: Describe the bug
+      description: |
+        Briefly describe the problem you are having in a few paragraphs.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Steps to reproduce
+      description: |
+        Provide the steps to reproduce the issue.
+      placeholder: |
+        1. Go to '...'
+        2. Click on '....'
+        3. See error
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Screenshots or additional context
+      description: |
+        Add screenshots or any other context about the problem.
--- a/.github/ISSUE_TEMPLATE/feature_request.yml
+++ b/.github/ISSUE_TEMPLATE/feature_request.yml
@@ -0,0 +1,28 @@
+name: Feature Request
+description: Suggest an idea for this project
+labels: [enhancement]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to suggest an idea for Memos!
+  - type: textarea
+    attributes:
+      label: Is your feature request related to a problem?
+      description: |
+        A clear and concise description of what the problem is.
+      placeholder: |
+        I'm always frustrated when [...]
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Describe the solution you'd like
+      description: |
+        A clear and concise description of what you want to happen.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Additional context
+      description: Add any other context or screenshots about the feature request.
--- a/.github/workflows/backend-tests.yml
+++ b/.github/workflows/backend-tests.yml
@@ -0,0 +1,42 @@
+name: Backend Test
+
+on:
+  pull_request:
+    branches:
+      - main
+      - "release/*.*.*"
+
+jobs:
+  go-static-checks:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+          check-latest: true
+          cache: true
+      - name: Verify go.mod is tidy
+        run: |
+          go mod tidy -go=1.19
+          git diff --exit-code
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v3
+        with:
+          version: v1.52.0
+          args: -v --timeout=3m
+          skip-cache: true
+
+  go-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+          check-latest: true
+          cache: true
+      - name: Run all tests
+        run: go test -v ./... | tee test.log; exit ${PIPESTATUS[0]}
+      - name: Pretty print tests running time
+        run: grep --color=never -e '--- PASS:' -e '--- FAIL:' test.log | sed 's/[:()]//g' | awk '{print $2,$3,$4}' | sort -t' ' -nk3 -r | awk '{sum += $3; print $1,$2,$3,sum"s"}'
--- a/.github/workflows/build-and-push-dev-image.yml
+++ b/.github/workflows/build-and-push-dev-image.yml
@@ -1,31 +0,0 @@
-name: build-and-push-dev-image
-
-on:
-  push:
-    branches:
-      - "main"
-
-jobs:
-  build-and-push-dev-image:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-
-      - name: Login to Docker Hub
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKER_NEOSMEMO_USERNAME }}
-          password: ${{ secrets.DOCKER_NEOSMEMO_TOKEN }}
-
-      - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v1
-
-      - name: Build and Push
-        id: docker_build
-        uses: docker/build-push-action@v2
-        with:
-          context: ./
-          file: ./Dockerfile
-          push: true
-          tags: ${{ secrets.DOCKER_NEOSMEMO_USERNAME }}/memos:dev
--- a/.github/workflows/build-and-push-release-image.yml
+++ b/.github/workflows/build-and-push-release-image.yml
@@ -4,35 +4,42 @@ on:
  push:
    branches:
      # Run on pushing branches like `release/1.0.0`
-      - "release/v*.*.*"
+      - "release/*.*.*"

 jobs:
  build-and-push-release-image:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2

      - name: Extract build args
        # Extract version from branch name
-        # Example: branch name `release/v1.0.0` sets up env.VERSION=1.0.0
+        # Example: branch name `release/1.0.0` sets up env.VERSION=1.0.0
        run: |
-          echo "VERSION=${GITHUB_REF_NAME#release/v}" >> $GITHUB_ENV
+          echo "VERSION=${GITHUB_REF_NAME#release/}" >> $GITHUB_ENV

      - name: Login to Docker Hub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
        with:
-          username: ${{ secrets.DOCKER_NEOSMEMO_USERNAME }}
+          username: neosmemo
          password: ${{ secrets.DOCKER_NEOSMEMO_TOKEN }}

      - name: Set up Docker Buildx
        id: buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
+        with:
+          install: true
+          version: v0.9.1

      - name: Build and Push
        id: docker_build
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
        with:
          context: ./
          file: ./Dockerfile
+          platforms: linux/amd64,linux/arm64
          push: true
-          tags: ${{ secrets.DOCKER_NEOSMEMO_USERNAME }}/memos:${{ env.VERSION }}
+          tags: neosmemo/memos:latest, neosmemo/memos:${{ env.VERSION }}
--- a/.github/workflows/build-and-push-test-image.yml
+++ b/.github/workflows/build-and-push-test-image.yml
@@ -0,0 +1,37 @@
+name: build-and-push-test-image
+
+on:
+  push:
+    branches: [main]
+
+jobs:
+  build-and-push-test-image:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: neosmemo
+          password: ${{ secrets.DOCKER_NEOSMEMO_TOKEN }}
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          install: true
+          version: v0.9.1
+
+      - name: Build and Push
+        id: docker_build
+        uses: docker/build-push-action@v3
+        with:
+          context: ./
+          file: ./Dockerfile
+          platforms: linux/amd64
+          push: true
+          tags: neosmemo/memos:test
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -13,12 +13,10 @@ name: "CodeQL"

 on:
  push:
-    branches: [ main ]
+    branches: [main]
  pull_request:
    # The branches below must be a subset of the branches above
-    branches: [ main ]
-  schedule:
-    - cron: '27 12 * * 0'
+    branches: [main]

 jobs:
  analyze:
@@ -32,39 +30,39 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        language: [ 'go', 'javascript' ]
+        language: ["go", "javascript"]
        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
        # Learn more about CodeQL language support at https://git.io/codeql-language-support

    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v2
+      - name: Checkout repository
+        uses: actions/checkout@v2

-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
-      with:
-        languages: ${{ matrix.language }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
-        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v1
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+          # queries: ./path/to/local/query, your-org/your-repo/queries@main

-    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+      # If this step fails, then you should remove it and run the build manually (see below)
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v1

-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 https://git.io/JvXDl
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 https://git.io/JvXDl

-    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-    #    and modify them (or add more) to build your code if your project
-    #    uses a compiled language
+      # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+      #    and modify them (or add more) to build your code if your project
+      #    uses a compiled language

-    #- run: |
-    #   make bootstrap
-    #   make release
+      #- run: |
+      #   make bootstrap
+      #   make release

-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v1
--- a/.github/workflows/frontend-tests.yml
+++ b/.github/workflows/frontend-tests.yml
@@ -0,0 +1,38 @@
+name: Frontend Test
+
+on:
+  pull_request:
+    branches:
+      - main
+      - "release/*.*.*"
+
+jobs:
+  eslint-checks:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
+        with:
+          node-version: "18"
+          cache: yarn
+          cache-dependency-path: "web/yarn.lock"
+      - run: yarn
+        working-directory: web
+      - name: Run eslint check
+        run: yarn lint
+        working-directory: web
+
+  frontend-build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
+        with:
+          node-version: "18"
+          cache: yarn
+          cache-dependency-path: "web/yarn.lock"
+      - run: yarn
+        working-directory: web
+      - name: Run frontend build
+        run: yarn build
+        working-directory: web
--- a/.github/workflows/issue-translator.yml
+++ b/.github/workflows/issue-translator.yml
@@ -0,0 +1,18 @@
+name: 'issue-translator'
+on: 
+  issue_comment: 
+    types: [created]
+  issues: 
+    types: [opened]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: usthe/issues-translate-action@v2.7
+        with:
+          IS_MODIFY_TITLE: false
+          # not require, default false, . Decide whether to modify the issue title
+          # if true, the robot account @Issues-translate-bot must have modification permissions, invite @Issues-translate-bot to your project or use your custom bot.
+          CUSTOM_BOT_NOTE: Issue is not in English. It has been translated automatically.
+          # not require. Customize the translation robot prefix message.
--- a/.github/workflows/uffizzi-build.yml
+++ b/.github/workflows/uffizzi-build.yml
@@ -0,0 +1,85 @@
+name: Build PR Image
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, closed]
+
+jobs:
+  build-memos:
+    name: Build and push `Memos`
+    runs-on: ubuntu-latest
+    outputs:
+      tags: ${{ steps.meta.outputs.tags }}
+    if: ${{ github.event.action != 'closed' }}
+    steps:
+      - name: Checkout git repo
+        uses: actions/checkout@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Generate UUID image name
+        id: uuid
+        run: echo "UUID_WORKER=$(uuidgen)" >> $GITHUB_ENV
+
+      - name: Docker metadata
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: registry.uffizzi.com/${{ env.UUID_WORKER }}
+          tags: |
+            type=raw,value=60d
+
+      - name: Build and Push Image to registry.uffizzi.com - Uffizzi's ephemeral Registry
+        uses: docker/build-push-action@v3
+        with:
+          context: ./
+          file: Dockerfile
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          push: true
+          cache-from: type=gha
+          cache-to: type=gha, mode=max
+
+  render-compose-file:
+    name: Render Docker Compose File
+    # Pass output of this workflow to another triggered by `workflow_run` event.
+    runs-on: ubuntu-latest
+    needs:
+      - build-memos
+    outputs:
+      compose-file-cache-key: ${{ steps.hash.outputs.hash }}
+    steps:
+      - name: Checkout git repo
+        uses: actions/checkout@v3
+      - name: Render Compose File
+        run: |
+          MEMOS_IMAGE=${{ needs.build-memos.outputs.tags }}
+          export MEMOS_IMAGE
+          # Render simple template from environment variables.
+          envsubst < docker-compose.uffizzi.yml > docker-compose.rendered.yml
+          cat docker-compose.rendered.yml
+      - name: Upload Rendered Compose File as Artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: preview-spec
+          path: docker-compose.rendered.yml
+          retention-days: 2
+      - name: Upload PR Event as Artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: preview-spec
+          path: ${{github.event_path}}
+          retention-days: 2
+
+  delete-preview:
+    name: Call for Preview Deletion
+    runs-on: ubuntu-latest
+    if: ${{ github.event.action == 'closed' }}
+    steps:
+      # If this PR is closing, we will not render a compose file nor pass it to the next workflow.
+      - name: Upload PR Event as Artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: preview-spec
+          path: ${{github.event_path}}
+          retention-days: 2
--- a/.github/workflows/uffizzi-preview.yml
+++ b/.github/workflows/uffizzi-preview.yml
@@ -0,0 +1,88 @@
+name: Deploy Uffizzi Preview
+
+on:
+  workflow_run:
+    workflows:
+      - "Build PR Image"
+    types:
+      - completed
+
+
+jobs:
+  cache-compose-file:
+    name: Cache Compose File
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    runs-on: ubuntu-latest
+    outputs:
+      compose-file-cache-key: ${{ env.HASH }}
+      pr-number: ${{ env.PR_NUMBER }}
+    steps:
+      - name: 'Download artifacts'
+        # Fetch output (zip archive) from the workflow run that triggered this workflow.
+        uses: actions/github-script@v6
+        with:
+          script: |
+            let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: context.payload.workflow_run.id,
+            });
+            let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
+              return artifact.name == "preview-spec"
+            })[0];
+            let download = await github.rest.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: matchArtifact.id,
+               archive_format: 'zip',
+            });
+            let fs = require('fs');
+            fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/preview-spec.zip`, Buffer.from(download.data));
+
+      - name: 'Unzip artifact'
+        run: unzip preview-spec.zip
+      - name: Read Event into ENV
+        run: |
+          echo 'EVENT_JSON<<EOF' >> $GITHUB_ENV
+          cat event.json >> $GITHUB_ENV
+          echo -e '\nEOF' >> $GITHUB_ENV
+
+      - name: Hash Rendered Compose File
+        id: hash
+        # If the previous workflow was triggered by a PR close event, we will not have a compose file artifact.
+        if: ${{ fromJSON(env.EVENT_JSON).action != 'closed' }}
+        run: echo "HASH=$(md5sum docker-compose.rendered.yml | awk '{ print $1 }')" >> $GITHUB_ENV
+      - name: Cache Rendered Compose File
+        if: ${{ fromJSON(env.EVENT_JSON).action != 'closed' }}
+        uses: actions/cache@v3
+        with:
+          path: docker-compose.rendered.yml
+          key: ${{ env.HASH }}
+
+      - name: Read PR Number From Event Object
+        id: pr
+        run: echo "PR_NUMBER=${{ fromJSON(env.EVENT_JSON).number }}" >> $GITHUB_ENV
+      - name: DEBUG - Print Job Outputs
+        if: ${{ runner.debug }}
+        run: |
+          echo "PR number: ${{ env.PR_NUMBER }}"
+          echo "Compose file hash: ${{ env.HASH }}"
+          cat event.json
+
+  deploy-uffizzi-preview:
+    name: Use Remote Workflow to Preview on Uffizzi
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    needs:
+      - cache-compose-file
+    uses: UffizziCloud/preview-action/.github/workflows/reusable.yaml@v2
+    with:
+      # If this workflow was triggered by a PR close event, cache-key will be an empty string
+      # and this reusable workflow will delete the preview deployment.
+      compose-file-cache-key: ${{ needs.cache-compose-file.outputs.compose-file-cache-key }}
+      compose-file-cache-path: docker-compose.rendered.yml
+      server: https://app.uffizzi.com
+      pr-number: ${{ needs.cache-compose-file.outputs.pr-number }}
+    permissions:
+      contents: read
+      pull-requests: write
+      id-token: write
--- a/.gitignore
+++ b/.gitignore
@@ -1,28 +1,18 @@
-# Binaries for programs and plugins
-*.exe
-*.exe~
-*.dll
-*.so
-*.dylib
-
-# Test binary, built with `go test -c`
-*.test
-
-# Temp output
-*.out
-*.log
-tmp
-
 # Air (hot reload) generated
 .air

-# Frontend asset
-dist
+# temp folder
+tmp

-# Dev database
-data
+# Frontend asset
+web/dist

 # build folder
 build

-.DS_Store
+.DS_Store
+
+# Jetbrains
+.idea
+
+bin/air
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -0,0 +1,64 @@
+linters:
+  enable:
+    - goimports
+    - revive
+    - govet
+    - staticcheck
+    - misspell
+    - gocritic
+    - sqlclosecheck
+    - rowserrcheck
+    - nilerr
+    - godot
+
+issues:
+  exclude:
+    - Rollback
+    - fmt.Printf
+    - fmt.Print
+
+linters-settings:
+  revive:
+    enable-all-rules: true
+    rules:
+      - name: file-header
+        disabled: true
+      - name: line-length-limit
+        disabled: true
+      - name: function-length
+        disabled: true
+      - name: max-public-structs
+        disabled: true
+      - name: function-result-limit
+        disabled: true
+      - name: banned-characters
+        disabled: true
+      - name: argument-limit
+        disabled: true
+      - name: cognitive-complexity
+        disabled: true
+      - name: cyclomatic
+        disabled: true
+      - name: confusing-results
+        disabled: true
+      - name: add-constant
+        disabled: true
+      - name: flag-parameter
+        disabled: true
+      - name: nested-structs
+        disabled: true
+      - name: import-shadowing
+        disabled: true
+      - name: early-return
+        disabled: true
+  gocritic:
+    disabled-checks:
+      - ifElseChain
+  govet:
+    settings:
+      printf:
+        funcs:
+          - common.Errorf
+  forbidigo:
+    forbid:
+      - 'fmt\.Errorf(# Please use errors\.Wrap\|Wrapf\|Errorf instead)?'
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@@ -0,0 +1,3 @@
+{
+  "recommendations": ["golang.go"]
+}
--- a/.vscode/project.code-workspace
+++ b/.vscode/project.code-workspace
@@ -0,0 +1,12 @@
+{
+  "folders": [
+    {
+      "name": "server",
+      "path": "../"
+    },
+    {
+      "name": "web",
+      "path": "../web"
+    }
+  ]
+}
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -0,0 +1,5 @@
+{
+  "go.lintOnSave": "workspace",
+  "go.lintTool": "golangci-lint",
+  "go.inferGopath": false
+}
--- a/2
+++ b/2
@@ -1,2 +1,2 @@
 # These owners will be the default owners for everything in the repo.
-* @boojack @lqwakeup
+* @boojack
--- a/23
+++ b/23
@@ -1,32 +1,35 @@
 # Build frontend dist.
-FROM node:14.18.2-alpine3.14 AS frontend
+FROM node:18.12.1-alpine3.16 AS frontend
 WORKDIR /frontend-build

+COPY ./web/package.json ./web/yarn.lock ./
+
+RUN yarn
+
 COPY ./web/ .

-RUN yarn
 RUN yarn build

 # Build backend exec file.
-FROM golang:1.16.12-alpine3.15 AS backend
+FROM golang:1.19.3-alpine3.16 AS backend
 WORKDIR /backend-build

-RUN apk --no-cache add gcc musl-dev
+RUN apk update && apk add --no-cache gcc musl-dev

 COPY . .
+COPY --from=frontend /frontend-build/dist ./server/dist

-RUN go build \
-    -o memos \
-    ./bin/server/main.go
+RUN go build -o memos ./main.go

 # Make workspace with above generated files.
-FROM alpine:3.14.3 AS monolithic
+FROM alpine:3.16 AS monolithic
 WORKDIR /usr/local/memos

 COPY --from=backend /backend-build/memos /usr/local/memos/
-COPY --from=frontend /frontend-build/dist /usr/local/memos/web/dist
+
+EXPOSE 5230

 # Directory to store the data, which can be referenced as the mounting point.
 RUN mkdir -p /var/opt/memos

-ENTRYPOINT ["./memos"]
+ENTRYPOINT ["./memos", "--mode", "prod", "--port", "5230"]
--- a/README.md
+++ b/README.md
@@ -1,85 +1,63 @@
-<h1 align="center">✍️ Memos</h1>
+# memos

-<p align="center">An open source, self-hosted knowledge base that works with a SQLite db file.</p>
+<img height="72px" src="https://usememos.com/logo.webp" alt="✍️ memos" align="right" />

-<p align="center">
-  <img alt="GitHub stars" src="https://img.shields.io/github/stars/usememos/memos" />
-  <img alt="Docker pull" src="https://img.shields.io/docker/pulls/neosmemo/memos.svg" />
-  <img alt="Go report" src="https://goreportcard.com/badge/github.com/usememos/memos" />
+A lightweight, self-hosted memo hub. Open Source and Free forever.
+
+<a href="https://demo.usememos.com/">Live Demo</a> •
+Discuss in <a href="https://t.me/+-_tNF1k70UU4ZTc9">Telegram</a> / <a href="https://discord.gg/tfPJa4UmAv">Discord</a>
+
+<p>
+  <a href="https://github.com/usememos/memos/stargazers"><img alt="GitHub stars" src="https://img.shields.io/github/stars/usememos/memos" /></a>
+  <a href="https://hub.docker.com/r/neosmemo/memos"><img alt="Docker pull" src="https://img.shields.io/docker/pulls/neosmemo/memos.svg" /></a>
+  <a href="https://discord.gg/tfPJa4UmAv"><img alt="Discord" src="https://img.shields.io/badge/discord-chat-5865f2?logo=discord&logoColor=f5f5f5" /></a>
 </p>

-<p align="center">
-  <a href="https://memos.onrender.com/">Live Demo</a> •
-  <a href="https://github.com/usememos/memos/discussions">Discussions</a>
-</p>
+![demo](https://usememos.com/demo.webp)

-![demo](https://raw.githubusercontent.com/usememos/memos/main/resources/demo.png)
+## Key points

-## 🎯 Intentions
+- Open source and free forever
+- Self-hosting with Docker in seconds
+- Markdown support
+- Customizable and sharable
+- RESTful API for self-service

- ✍️ Write down the light-card memos very easily;
- 🏗️ Build the fragmented knowledge management tool for yourself;
- 📒 For noting your 📅 daily/weekly plans, 💡 fantastic ideas, 📕 reading thoughts...
+## Deploy with Docker in seconds

-## ✨ Features
-
- 🦄 Fully open source;
- 👍 Write in the plain textarea without any burden;
- 🤠 Great UI and never miss any detail;
- 🚀 Super quick self-hosted with `Docker` and `SQLite`;
-
-## ⚓️ Deploy with Docker
-
-```docker
-docker run --name memos --publish 5230:5230 --volume ~/.memos/:/var/opt/memos -e mode=prod -e port=5230 neosmemo/memos:0.1.2
+```bash
+docker run -d --name memos -p 5230:5230 -v ~/.memos/:/var/opt/memos neosmemo/memos:latest
 ```

-Memos should now be running at [http://localhost:5230](http://localhost:5230). If the `~/.memos/` does not have a `memos_prod.db` file, then `memos` will auto generate it.
+> The `~/.memos/` directory will be used as the data directory on your local machine, while `/var/opt/memos` is the directory of the volume in Docker and should not be modified.

-## 🏗 Development
+Learn more about [other installation methods](https://usememos.com/docs/install).

-Memos is built with a curated tech stack. It is optimized for developer experience and is very easy to start working on the code:
+## Contribution

-1. It has no external dependency.
-2. It requires zero config.
-3. 1 command to start backend and 1 command to start frontend, both with live reload support.
+Contributions are what make the open-source community such an amazing place to learn, inspire, and create. We greatly appreciate any contributions you make. Thank you for being a part of our community! 🥰

-### Tech Stack
-
-<img alt="tech stack" src="https://raw.githubusercontent.com/usememos/memos/main/resources/tech-stack.png" width="360" />
-
-### Prerequisites
-
- [Go](https://golang.org/doc/install) (1.16 or later)
- [Air](https://github.com/cosmtrek/air#installation) for backend live reload
- [yarn](https://yarnpkg.com/getting-started/install)
-
-### Steps
-
-1. pull source code
-
-   ```bash
-   git clone https://github.com/usememos/memos
-   ```
-
-2. start backend using air(with live reload)
-
-   ```bash
-   air -c scripts/.air.toml
-   ```
-
-3. start frontend dev server
-
-   ```bash
-   cd web && yarn && yarn dev
-   ```
-
-Memos should now be running at [http://localhost:3000](http://localhost:3000) and change either frontend or backend code would trigger live reload.
-
-## 🌟 Star history
-
-[![Star History Chart](https://api.star-history.com/svg?repos=usememos/memos&type=Date)](https://star-history.com/#usememos/memos&Date)
+<a href="https://github.com/usememos/memos/graphs/contributors">
+  <img src="https://contrib.rocks/image?repo=usememos/memos" />
+</a>

 ---

-Just enjoy it.
+- [Moe Memos](https://memos.moe/) - Third party client for iOS and Android
+- [lmm214/memos-bber](https://github.com/lmm214/memos-bber) - Chrome extension
+- [Rabithua/memos_wmp](https://github.com/Rabithua/memos_wmp) - WeChat MiniProgram
+- [qazxcdswe123/telegramMemoBot](https://github.com/qazxcdswe123/telegramMemoBot) - Telegram bot
+- [eallion/memos.top](https://github.com/eallion/memos.top) - Static page rendered with the Memos API
+- [eindex/logseq-memos-sync](https://github.com/EINDEX/logseq-memos-sync) - Logseq plugin
+- [JakeLaoyu/memos-import-from-flomo](https://github.com/JakeLaoyu/memos-import-from-flomo) - Import data. Support from flomo, wechat reading
+- [Send to memos](https://sharecuts.cn/shortcut/12640) - A shortcut for iOS
+- [Memos Raycast Extension](https://www.raycast.com/JakeYu/memos) - Raycast extension
+- [Memos Desktop](https://github.com/xudaolong/memos-desktop) - Third party client for MacOS and Windows
+
+## Acknowledgements
+
+- Thanks [Uffizzi](https://www.uffizzi.com/) for sponsoring preview environments for PRs.
+
+## Star history
+
+[![Star History Chart](https://api.star-history.com/svg?repos=usememos/memos&type=Date)](https://star-history.com/#usememos/memos&Date)
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -0,0 +1,7 @@
+# Security Policy
+
+## Reporting a bug
+
+Report security bugs via GitHub [issues](https://github.com/usememos/memos/issues).
+
+For more information, please contact [stevenlgtm@gmail.com](stevenlgtm@gmail.com).
--- a/api/activity.go
+++ b/api/activity.go
@@ -0,0 +1,137 @@
+package api
+
+import "github.com/usememos/memos/server/profile"
+
+// ActivityType is the type for an activity.
+type ActivityType string
+
+const (
+	// User related.
+
+	// ActivityUserCreate is the type for creating users.
+	ActivityUserCreate ActivityType = "user.create"
+	// ActivityUserUpdate is the type for updating users.
+	ActivityUserUpdate ActivityType = "user.update"
+	// ActivityUserDelete is the type for deleting users.
+	ActivityUserDelete ActivityType = "user.delete"
+	// ActivityUserAuthSignIn is the type for user signin.
+	ActivityUserAuthSignIn ActivityType = "user.auth.signin"
+	// ActivityUserAuthSignUp is the type for user signup.
+	ActivityUserAuthSignUp ActivityType = "user.auth.signup"
+	// ActivityUserSettingUpdate is the type for updating user settings.
+	ActivityUserSettingUpdate ActivityType = "user.setting.update"
+
+	// Memo related.
+
+	// ActivityMemoCreate is the type for creating memos.
+	ActivityMemoCreate ActivityType = "memo.create"
+	// ActivityMemoUpdate is the type for updating memos.
+	ActivityMemoUpdate ActivityType = "memo.update"
+	// ActivityMemoDelete is the type for deleting memos.
+	ActivityMemoDelete ActivityType = "memo.delete"
+
+	// Shortcut related.
+
+	// ActivityShortcutCreate is the type for creating shortcuts.
+	ActivityShortcutCreate ActivityType = "shortcut.create"
+	// ActivityShortcutUpdate is the type for updating shortcuts.
+	ActivityShortcutUpdate ActivityType = "shortcut.update"
+	// ActivityShortcutDelete is the type for deleting shortcuts.
+	ActivityShortcutDelete ActivityType = "shortcut.delete"
+
+	// Resource related.
+
+	// ActivityResourceCreate is the type for creating resources.
+	ActivityResourceCreate ActivityType = "resource.create"
+	// ActivityResourceDelete is the type for deleting resources.
+	ActivityResourceDelete ActivityType = "resource.delete"
+
+	// Tag related.
+
+	// ActivityTagCreate is the type for creating tags.
+	ActivityTagCreate ActivityType = "tag.create"
+	// ActivityTagDelete is the type for deleting tags.
+	ActivityTagDelete ActivityType = "tag.delete"
+
+	// Server related.
+
+	// ActivityServerStart is the type for starting server.
+	ActivityServerStart ActivityType = "server.start"
+)
+
+// ActivityLevel is the level of activities.
+type ActivityLevel string
+
+const (
+	// ActivityInfo is the INFO level of activities.
+	ActivityInfo ActivityLevel = "INFO"
+	// ActivityWarn is the WARN level of activities.
+	ActivityWarn ActivityLevel = "WARN"
+	// ActivityError is the ERROR level of activities.
+	ActivityError ActivityLevel = "ERROR"
+)
+
+type ActivityUserCreatePayload struct {
+	UserID   int    `json:"userId"`
+	Username string `json:"username"`
+	Role     Role   `json:"role"`
+}
+
+type ActivityUserAuthSignInPayload struct {
+	UserID int    `json:"userId"`
+	IP     string `json:"ip"`
+}
+
+type ActivityUserAuthSignUpPayload struct {
+	Username string `json:"username"`
+	IP       string `json:"ip"`
+}
+
+type ActivityMemoCreatePayload struct {
+	Content    string `json:"content"`
+	Visibility string `json:"visibility"`
+}
+
+type ActivityShortcutCreatePayload struct {
+	Title   string `json:"title"`
+	Payload string `json:"payload"`
+}
+
+type ActivityResourceCreatePayload struct {
+	Filename string `json:"filename"`
+	Type     string `json:"type"`
+	Size     int64  `json:"size"`
+}
+
+type ActivityTagCreatePayload struct {
+	TagName string `json:"tagName"`
+}
+
+type ActivityServerStartPayload struct {
+	ServerID string           `json:"serverId"`
+	Profile  *profile.Profile `json:"profile"`
+}
+
+type Activity struct {
+	ID int `json:"id"`
+
+	// Standard fields
+	CreatorID int   `json:"creatorId"`
+	CreatedTs int64 `json:"createdTs"`
+
+	// Domain specific fields
+	Type    ActivityType  `json:"type"`
+	Level   ActivityLevel `json:"level"`
+	Payload string        `json:"payload"`
+}
+
+// ActivityCreate is the API message for creating an activity.
+type ActivityCreate struct {
+	// Standard fields
+	CreatorID int
+
+	// Domain specific fields
+	Type    ActivityType `json:"type"`
+	Level   ActivityLevel
+	Payload string `json:"payload"`
+}
--- a/api/auth.go
+++ b/api/auth.go
@@ -1,13 +1,17 @@
 package api

-type Login struct {
-	Email    string `json:"email"`
+type SignIn struct {
+	Username string `json:"username"`
 	Password string `json:"password"`
 }

-type Signup struct {
-	Email    string `json:"email"`
-	Role     Role   `json:"role"`
-	Name     string `json:"name"`
+type SSOSignIn struct {
+	IdentityProviderID int    `json:"identityProviderId"`
+	Code               string `json:"code"`
+	RedirectURI        string `json:"redirectUri"`
+}
+
+type SignUp struct {
+	Username string `json:"username"`
 	Password string `json:"password"`
 }
--- a/api/common.go
+++ b/api/common.go
@@ -1,5 +1,8 @@
 package api

+// UnknownID is the ID for unknowns.
+const UnknownID = -1
+
 // RowStatus is the status for a row.
 type RowStatus string

--- a/api/idp.go
+++ b/api/idp.go
@@ -0,0 +1,58 @@
+package api
+
+type IdentityProviderType string
+
+const (
+	IdentityProviderOAuth2 IdentityProviderType = "OAUTH2"
+)
+
+type IdentityProviderConfig struct {
+	OAuth2Config *IdentityProviderOAuth2Config `json:"oauth2Config"`
+}
+
+type IdentityProviderOAuth2Config struct {
+	ClientID     string        `json:"clientId"`
+	ClientSecret string        `json:"clientSecret"`
+	AuthURL      string        `json:"authUrl"`
+	TokenURL     string        `json:"tokenUrl"`
+	UserInfoURL  string        `json:"userInfoUrl"`
+	Scopes       []string      `json:"scopes"`
+	FieldMapping *FieldMapping `json:"fieldMapping"`
+}
+
+type FieldMapping struct {
+	Identifier  string `json:"identifier"`
+	DisplayName string `json:"displayName"`
+	Email       string `json:"email"`
+}
+
+type IdentityProvider struct {
+	ID               int                     `json:"id"`
+	Name             string                  `json:"name"`
+	Type             IdentityProviderType    `json:"type"`
+	IdentifierFilter string                  `json:"identifierFilter"`
+	Config           *IdentityProviderConfig `json:"config"`
+}
+
+type IdentityProviderCreate struct {
+	Name             string                  `json:"name"`
+	Type             IdentityProviderType    `json:"type"`
+	IdentifierFilter string                  `json:"identifierFilter"`
+	Config           *IdentityProviderConfig `json:"config"`
+}
+
+type IdentityProviderFind struct {
+	ID *int
+}
+
+type IdentityProviderPatch struct {
+	ID               int
+	Type             IdentityProviderType    `json:"type"`
+	Name             *string                 `json:"name"`
+	IdentifierFilter *string                 `json:"identifierFilter"`
+	Config           *IdentityProviderConfig `json:"config"`
+}
+
+type IdentityProviderDelete struct {
+	ID int
+}
--- a/api/memo.go
+++ b/api/memo.go
@@ -1,5 +1,32 @@
 package api

+// MaxContentLength means the max memo content bytes is 1MB.
+const MaxContentLength = 1 << 30
+
+// Visibility is the type of a visibility.
+type Visibility string
+
+const (
+	// Public is the PUBLIC visibility.
+	Public Visibility = "PUBLIC"
+	// Protected is the PROTECTED visibility.
+	Protected Visibility = "PROTECTED"
+	// Private is the PRIVATE visibility.
+	Private Visibility = "PRIVATE"
+)
+
+func (e Visibility) String() string {
+	switch e {
+	case Public:
+		return "PUBLIC"
+	case Protected:
+		return "PROTECTED"
+	case Private:
+		return "PRIVATE"
+	}
+	return "PRIVATE"
+}
+
 type Memo struct {
 	ID int `json:"id"`

@@ -10,46 +37,61 @@ type Memo struct {
 	UpdatedTs int64     `json:"updatedTs"`

 	// Domain specific fields
-	Content string `json:"content"`
-	Pinned  bool   `json:"pinned"`
+	Content    string     `json:"content"`
+	Visibility Visibility `json:"visibility"`
+	Pinned     bool       `json:"pinned"`
+
+	// Related fields
+	CreatorName  string      `json:"creatorName"`
+	ResourceList []*Resource `json:"resourceList"`
 }

 type MemoCreate struct {
 	// Standard fields
-	CreatorID int
-	// Used to import memos with a clearly created ts.
+	CreatorID int    `json:"-"`
 	CreatedTs *int64 `json:"createdTs"`

 	// Domain specific fields
-	Content string `json:"content"`
+	Visibility Visibility `json:"visibility"`
+	Content    string     `json:"content"`
+
+	// Related fields
+	ResourceIDList []int `json:"resourceIdList"`
 }

 type MemoPatch struct {
-	ID int
+	ID int `json:"-"`

 	// Standard fields
+	CreatedTs *int64 `json:"createdTs"`
+	UpdatedTs *int64
 	RowStatus *RowStatus `json:"rowStatus"`

 	// Domain specific fields
-	Content *string `json:"content"`
+	Content    *string     `json:"content"`
+	Visibility *Visibility `json:"visibility"`
+
+	// Related fields
+	ResourceIDList []int `json:"resourceIdList"`
 }

 type MemoFind struct {
-	ID *int `json:"id"`
+	ID *int

 	// Standard fields
-	RowStatus *RowStatus `json:"rowStatus"`
-	CreatorID *int       `json:"creatorId"`
+	RowStatus *RowStatus
+	CreatorID *int

 	// Domain specific fields
-	Pinned        *bool
-	ContentSearch *string
+	Pinned         *bool
+	ContentSearch  *string
+	VisibilityList []Visibility

 	// Pagination
-	Limit  int
-	Offset int
+	Limit  *int
+	Offset *int
 }

 type MemoDelete struct {
-	ID int `json:"id"`
+	ID int
 }
--- a/api/memo_organizer.go
+++ b/api/memo_organizer.go
@@ -9,13 +9,18 @@ type MemoOrganizer struct {
 	Pinned bool
 }

+type MemoOrganizerUpsert struct {
+	MemoID int  `json:"-"`
+	UserID int  `json:"-"`
+	Pinned bool `json:"pinned"`
+}
+
 type MemoOrganizerFind struct {
 	MemoID int
 	UserID int
 }

-type MemoOrganizerUpsert struct {
-	MemoID int
-	UserID int
-	Pinned bool `json:"pinned"`
+type MemoOrganizerDelete struct {
+	MemoID *int
+	UserID *int
 }
--- a/api/memo_resource.go
+++ b/api/memo_resource.go
@@ -0,0 +1,24 @@
+package api
+
+type MemoResource struct {
+	MemoID     int
+	ResourceID int
+	CreatedTs  int64
+	UpdatedTs  int64
+}
+
+type MemoResourceUpsert struct {
+	MemoID     int `json:"-"`
+	ResourceID int
+	UpdatedTs  *int64
+}
+
+type MemoResourceFind struct {
+	MemoID     *int
+	ResourceID *int
+}
+
+type MemoResourceDelete struct {
+	MemoID     *int
+	ResourceID *int
+}
--- a/api/resource.go
+++ b/api/resource.go
@@ -9,21 +9,30 @@ type Resource struct {
 	UpdatedTs int64 `json:"updatedTs"`

 	// Domain specific fields
-	Filename string `json:"filename"`
-	Blob     []byte `json:"blob"`
-	Type     string `json:"type"`
-	Size     int64  `json:"size"`
+	Filename     string `json:"filename"`
+	Blob         []byte `json:"-"`
+	InternalPath string `json:"internalPath"`
+	ExternalLink string `json:"externalLink"`
+	Type         string `json:"type"`
+	Size         int64  `json:"size"`
+	PublicID     string `json:"publicId"`
+
+	// Related fields
+	LinkedMemoAmount int `json:"linkedMemoAmount"`
 }

 type ResourceCreate struct {
 	// Standard fields
-	CreatorID int
+	CreatorID int `json:"-"`

 	// Domain specific fields
-	Filename string `json:"filename"`
-	Blob     []byte `json:"blob"`
-	Type     string `json:"type"`
-	Size     int64  `json:"size"`
+	Filename     string `json:"filename"`
+	Blob         []byte `json:"-"`
+	InternalPath string `json:"internalPath"`
+	ExternalLink string `json:"externalLink"`
+	Type         string `json:"type"`
+	Size         int64  `json:"-"`
+	PublicID     string `json:"publicId"`
 }

 type ResourceFind struct {
@@ -34,6 +43,25 @@ type ResourceFind struct {

 	// Domain specific fields
 	Filename *string `json:"filename"`
+	MemoID   *int
+	PublicID *string `json:"publicId"`
+	GetBlob  bool
+
+	// Pagination
+	Limit  *int
+	Offset *int
+}
+
+type ResourcePatch struct {
+	ID int `json:"-"`
+
+	// Standard fields
+	UpdatedTs *int64
+
+	// Domain specific fields
+	Filename      *string `json:"filename"`
+	ResetPublicID *bool   `json:"resetPublicId"`
+	PublicID      *string `json:"-"`
 }

 type ResourceDelete struct {
--- a/api/shortcut.go
+++ b/api/shortcut.go
@@ -16,7 +16,7 @@ type Shortcut struct {

 type ShortcutCreate struct {
 	// Standard fields
-	CreatorID int
+	CreatorID int `json:"-"`

 	// Domain specific fields
 	Title   string `json:"title"`
@@ -24,9 +24,10 @@ type ShortcutCreate struct {
 }

 type ShortcutPatch struct {
-	ID int
+	ID int `json:"-"`

 	// Standard fields
+	UpdatedTs *int64
 	RowStatus *RowStatus `json:"rowStatus"`

 	// Domain specific fields
@@ -45,5 +46,8 @@ type ShortcutFind struct {
 }

 type ShortcutDelete struct {
-	ID int
+	ID *int
+
+	// Standard fields
+	CreatorID *int
 }
--- a/api/storage.go
+++ b/api/storage.go
@@ -0,0 +1,57 @@
+package api
+
+const (
+	// LocalStorage means the storage service is local file system.
+	LocalStorage = -1
+	// DatabaseStorage means the storage service is database.
+	DatabaseStorage = 0
+)
+
+type StorageType string
+
+const (
+	StorageS3 StorageType = "S3"
+)
+
+type StorageConfig struct {
+	S3Config *StorageS3Config `json:"s3Config"`
+}
+
+type StorageS3Config struct {
+	EndPoint  string `json:"endPoint"`
+	Path      string `json:"path"`
+	Region    string `json:"region"`
+	AccessKey string `json:"accessKey"`
+	SecretKey string `json:"secretKey"`
+	Bucket    string `json:"bucket"`
+	URLPrefix string `json:"urlPrefix"`
+	URLSuffix string `json:"urlSuffix"`
+}
+
+type Storage struct {
+	ID     int            `json:"id"`
+	Name   string         `json:"name"`
+	Type   StorageType    `json:"type"`
+	Config *StorageConfig `json:"config"`
+}
+
+type StorageCreate struct {
+	Name   string         `json:"name"`
+	Type   StorageType    `json:"type"`
+	Config *StorageConfig `json:"config"`
+}
+
+type StoragePatch struct {
+	ID     int            `json:"id"`
+	Type   StorageType    `json:"type"`
+	Name   *string        `json:"name"`
+	Config *StorageConfig `json:"config"`
+}
+
+type StorageFind struct {
+	ID *int `json:"id"`
+}
+
+type StorageDelete struct {
+	ID int `json:"id"`
+}
--- a/api/system.go
+++ b/api/system.go
@@ -1,8 +1,25 @@
 package api

-import "memos/server/profile"
+import "github.com/usememos/memos/server/profile"

 type SystemStatus struct {
-	Owner   *User            `json:"owner"`
-	Profile *profile.Profile `json:"profile"`
+	Host    *User           `json:"host"`
+	Profile profile.Profile `json:"profile"`
+	DBSize  int64           `json:"dbSize"`
+
+	// System settings
+	// Allow sign up.
+	AllowSignUp bool `json:"allowSignUp"`
+	// Disable public memos.
+	DisablePublicMemos bool `json:"disablePublicMemos"`
+	// Additional style.
+	AdditionalStyle string `json:"additionalStyle"`
+	// Additional script.
+	AdditionalScript string `json:"additionalScript"`
+	// Customized server profile, including server name and external url.
+	CustomizedProfile CustomizedProfile `json:"customizedProfile"`
+	// Storage service ID.
+	StorageServiceID int `json:"storageServiceId"`
+	// Local storage path
+	LocalStoragePath string `json:"localStoragePath"`
 }
--- a/api/system_setting.go
+++ b/api/system_setting.go
@@ -0,0 +1,170 @@
+package api
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+
+	"golang.org/x/exp/slices"
+)
+
+type SystemSettingName string
+
+const (
+	// SystemSettingServerIDName is the name of server id.
+	SystemSettingServerIDName SystemSettingName = "server-id"
+	// SystemSettingSecretSessionName is the name of secret session.
+	SystemSettingSecretSessionName SystemSettingName = "secret-session"
+	// SystemSettingAllowSignUpName is the name of allow signup setting.
+	SystemSettingAllowSignUpName SystemSettingName = "allow-signup"
+	// SystemSettingDisablePublicMemosName is the name of disable public memos setting.
+	SystemSettingDisablePublicMemosName SystemSettingName = "disable-public-memos"
+	// SystemSettingAdditionalStyleName is the name of additional style.
+	SystemSettingAdditionalStyleName SystemSettingName = "additional-style"
+	// SystemSettingAdditionalScriptName is the name of additional script.
+	SystemSettingAdditionalScriptName SystemSettingName = "additional-script"
+	// SystemSettingCustomizedProfileName is the name of customized server profile.
+	SystemSettingCustomizedProfileName SystemSettingName = "customized-profile"
+	// SystemSettingStorageServiceIDName is the name of storage service ID.
+	SystemSettingStorageServiceIDName SystemSettingName = "storage-service-id"
+	// SystemSettingLocalStoragePathName is the name of local storage path.
+	SystemSettingLocalStoragePathName SystemSettingName = "local-storage-path"
+	// SystemSettingOpenAIConfigName is the name of OpenAI config.
+	SystemSettingOpenAIConfigName SystemSettingName = "openai-config"
+)
+
+// CustomizedProfile is the struct definition for SystemSettingCustomizedProfileName system setting item.
+type CustomizedProfile struct {
+	// Name is the server name, default is `memos`
+	Name string `json:"name"`
+	// LogoURL is the url of logo image.
+	LogoURL string `json:"logoUrl"`
+	// Description is the server description.
+	Description string `json:"description"`
+	// Locale is the server default locale.
+	Locale string `json:"locale"`
+	// Appearance is the server default appearance.
+	Appearance string `json:"appearance"`
+	// ExternalURL is the external url of server. e.g. https://usermemos.com
+	ExternalURL string `json:"externalUrl"`
+}
+
+type OpenAIConfig struct {
+	Key  string `json:"key"`
+	Host string `json:"host"`
+}
+
+func (key SystemSettingName) String() string {
+	switch key {
+	case SystemSettingServerIDName:
+		return "server-id"
+	case SystemSettingSecretSessionName:
+		return "secret-session"
+	case SystemSettingAllowSignUpName:
+		return "allow-signup"
+	case SystemSettingDisablePublicMemosName:
+		return "disable-public-memos"
+	case SystemSettingAdditionalStyleName:
+		return "additional-style"
+	case SystemSettingAdditionalScriptName:
+		return "additional-script"
+	case SystemSettingCustomizedProfileName:
+		return "customized-profile"
+	case SystemSettingStorageServiceIDName:
+		return "storage-service-id"
+	case SystemSettingLocalStoragePathName:
+		return "local-storage-path"
+	case SystemSettingOpenAIConfigName:
+		return "openai-config"
+	}
+	return ""
+}
+
+type SystemSetting struct {
+	Name SystemSettingName `json:"name"`
+	// Value is a JSON string with basic value.
+	Value       string `json:"value"`
+	Description string `json:"description"`
+}
+
+type SystemSettingUpsert struct {
+	Name        SystemSettingName `json:"name"`
+	Value       string            `json:"value"`
+	Description string            `json:"description"`
+}
+
+func (upsert SystemSettingUpsert) Validate() error {
+	if upsert.Name == SystemSettingServerIDName {
+		return errors.New("update server id is not allowed")
+	} else if upsert.Name == SystemSettingAllowSignUpName {
+		value := false
+		err := json.Unmarshal([]byte(upsert.Value), &value)
+		if err != nil {
+			return fmt.Errorf("failed to unmarshal system setting allow signup value")
+		}
+	} else if upsert.Name == SystemSettingDisablePublicMemosName {
+		value := false
+		err := json.Unmarshal([]byte(upsert.Value), &value)
+		if err != nil {
+			return fmt.Errorf("failed to unmarshal system setting disable public memos value")
+		}
+	} else if upsert.Name == SystemSettingAdditionalStyleName {
+		value := ""
+		err := json.Unmarshal([]byte(upsert.Value), &value)
+		if err != nil {
+			return fmt.Errorf("failed to unmarshal system setting additional style value")
+		}
+	} else if upsert.Name == SystemSettingAdditionalScriptName {
+		value := ""
+		err := json.Unmarshal([]byte(upsert.Value), &value)
+		if err != nil {
+			return fmt.Errorf("failed to unmarshal system setting additional script value")
+		}
+	} else if upsert.Name == SystemSettingCustomizedProfileName {
+		customizedProfile := CustomizedProfile{
+			Name:        "memos",
+			LogoURL:     "",
+			Description: "",
+			Locale:      "en",
+			Appearance:  "system",
+			ExternalURL: "",
+		}
+		err := json.Unmarshal([]byte(upsert.Value), &customizedProfile)
+		if err != nil {
+			return fmt.Errorf("failed to unmarshal system setting customized profile value")
+		}
+		if !slices.Contains(UserSettingLocaleValue, customizedProfile.Locale) {
+			return fmt.Errorf("invalid locale value")
+		}
+		if !slices.Contains(UserSettingAppearanceValue, customizedProfile.Appearance) {
+			return fmt.Errorf("invalid appearance value")
+		}
+	} else if upsert.Name == SystemSettingStorageServiceIDName {
+		value := DatabaseStorage
+		err := json.Unmarshal([]byte(upsert.Value), &value)
+		if err != nil {
+			return fmt.Errorf("failed to unmarshal system setting storage service id value")
+		}
+		return nil
+	} else if upsert.Name == SystemSettingLocalStoragePathName {
+		value := ""
+		err := json.Unmarshal([]byte(upsert.Value), &value)
+		if err != nil {
+			return fmt.Errorf("failed to unmarshal system setting local storage path value")
+		}
+	} else if upsert.Name == SystemSettingOpenAIConfigName {
+		value := OpenAIConfig{}
+		err := json.Unmarshal([]byte(upsert.Value), &value)
+		if err != nil {
+			return fmt.Errorf("failed to unmarshal system setting openai api config value")
+		}
+	} else {
+		return fmt.Errorf("invalid system setting name")
+	}
+
+	return nil
+}
+
+type SystemSettingFind struct {
+	Name SystemSettingName `json:"name"`
+}
--- a/api/tag.go
+++ b/api/tag.go
@@ -0,0 +1,20 @@
+package api
+
+type Tag struct {
+	Name      string
+	CreatorID int
+}
+
+type TagUpsert struct {
+	Name      string
+	CreatorID int `json:"-"`
+}
+
+type TagFind struct {
+	CreatorID int
+}
+
+type TagDelete struct {
+	Name      string `json:"name"`
+	CreatorID int
+}
--- a/api/user.go
+++ b/api/user.go
@@ -1,19 +1,29 @@
 package api

+import (
+	"fmt"
+
+	"github.com/usememos/memos/common"
+)
+
 // Role is the type of a role.
 type Role string

 const (
-	// Owner is the OWNER role.
-	Owner Role = "OWNER"
+	// Host is the HOST role.
+	Host Role = "HOST"
+	// Admin is the ADMIN role.
+	Admin Role = "ADMIN"
 	// NormalUser is the USER role.
 	NormalUser Role = "USER"
 )

 func (e Role) String() string {
 	switch e {
-	case Owner:
-		return "OWNER"
+	case Host:
+		return "HOST"
+	case Admin:
+		return "ADMIN"
 	case NormalUser:
 		return "USER"
 	}
@@ -29,38 +39,106 @@ type User struct {
 	UpdatedTs int64     `json:"updatedTs"`

 	// Domain specific fields
-	Email        string `json:"email"`
-	Role         Role   `json:"role"`
-	Name         string `json:"name"`
-	PasswordHash string `json:"-"`
-	OpenID       string `json:"openId"`
+	Username        string         `json:"username"`
+	Role            Role           `json:"role"`
+	Email           string         `json:"email"`
+	Nickname        string         `json:"nickname"`
+	PasswordHash    string         `json:"-"`
+	OpenID          string         `json:"openId"`
+	AvatarURL       string         `json:"avatarUrl"`
+	UserSettingList []*UserSetting `json:"userSettingList"`
 }

 type UserCreate struct {
 	// Domain specific fields
-	Email        string `json:"email"`
+	Username     string `json:"username"`
 	Role         Role   `json:"role"`
-	Name         string `json:"name"`
+	Email        string `json:"email"`
+	Nickname     string `json:"nickname"`
 	Password     string `json:"password"`
 	PasswordHash string
 	OpenID       string
 }

+func (create UserCreate) Validate() error {
+	if len(create.Username) < 3 {
+		return fmt.Errorf("username is too short, minimum length is 3")
+	}
+	if len(create.Username) > 32 {
+		return fmt.Errorf("username is too long, maximum length is 32")
+	}
+	if len(create.Password) < 3 {
+		return fmt.Errorf("password is too short, minimum length is 6")
+	}
+	if len(create.Password) > 512 {
+		return fmt.Errorf("password is too long, maximum length is 512")
+	}
+	if len(create.Nickname) > 64 {
+		return fmt.Errorf("nickname is too long, maximum length is 64")
+	}
+	if create.Email != "" {
+		if len(create.Email) > 256 {
+			return fmt.Errorf("email is too long, maximum length is 256")
+		}
+		if !common.ValidateEmail(create.Email) {
+			return fmt.Errorf("invalid email format")
+		}
+	}
+
+	return nil
+}
+
 type UserPatch struct {
-	ID int
+	ID int `json:"-"`

 	// Standard fields
+	UpdatedTs *int64
 	RowStatus *RowStatus `json:"rowStatus"`

 	// Domain specific fields
+	Username     *string `json:"username"`
 	Email        *string `json:"email"`
-	Name         *string `json:"name"`
+	Nickname     *string `json:"nickname"`
 	Password     *string `json:"password"`
 	ResetOpenID  *bool   `json:"resetOpenId"`
+	AvatarURL    *string `json:"avatarUrl"`
 	PasswordHash *string
 	OpenID       *string
 }

+func (patch UserPatch) Validate() error {
+	if patch.Username != nil && len(*patch.Username) < 3 {
+		return fmt.Errorf("username is too short, minimum length is 3")
+	}
+	if patch.Username != nil && len(*patch.Username) > 32 {
+		return fmt.Errorf("username is too long, maximum length is 32")
+	}
+	if patch.Password != nil && len(*patch.Password) < 3 {
+		return fmt.Errorf("password is too short, minimum length is 6")
+	}
+	if patch.Password != nil && len(*patch.Password) > 512 {
+		return fmt.Errorf("password is too long, maximum length is 512")
+	}
+	if patch.Nickname != nil && len(*patch.Nickname) > 64 {
+		return fmt.Errorf("nickname is too long, maximum length is 64")
+	}
+	if patch.AvatarURL != nil {
+		if len(*patch.AvatarURL) > 2<<20 {
+			return fmt.Errorf("avatar is too large, maximum is 2MB")
+		}
+	}
+	if patch.Email != nil && *patch.Email != "" {
+		if len(*patch.Email) > 256 {
+			return fmt.Errorf("email is too long, maximum length is 256")
+		}
+		if !common.ValidateEmail(*patch.Email) {
+			return fmt.Errorf("invalid email format")
+		}
+	}
+
+	return nil
+}
+
 type UserFind struct {
 	ID *int `json:"id"`

@@ -68,8 +146,13 @@ type UserFind struct {
 	RowStatus *RowStatus `json:"rowStatus"`

 	// Domain specific fields
-	Email  *string `json:"email"`
-	Role   *Role
-	Name   *string `json:"name"`
-	OpenID *string
+	Username *string `json:"username"`
+	Role     *Role
+	Email    *string `json:"email"`
+	Nickname *string `json:"nickname"`
+	OpenID   *string
+}
+
+type UserDelete struct {
+	ID int
 }
--- a/api/user_setting.go
+++ b/api/user_setting.go
@@ -0,0 +1,96 @@
+package api
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"golang.org/x/exp/slices"
+)
+
+type UserSettingKey string
+
+const (
+	// UserSettingLocaleKey is the key type for user locale.
+	UserSettingLocaleKey UserSettingKey = "locale"
+	// UserSettingAppearanceKey is the key type for user appearance.
+	UserSettingAppearanceKey UserSettingKey = "appearance"
+	// UserSettingMemoVisibilityKey is the key type for user preference memo default visibility.
+	UserSettingMemoVisibilityKey UserSettingKey = "memo-visibility"
+)
+
+// String returns the string format of UserSettingKey type.
+func (key UserSettingKey) String() string {
+	switch key {
+	case UserSettingLocaleKey:
+		return "locale"
+	case UserSettingAppearanceKey:
+		return "appearance"
+	case UserSettingMemoVisibilityKey:
+		return "memo-visibility"
+	}
+	return ""
+}
+
+var (
+	UserSettingLocaleValue         = []string{"en", "zh", "vi", "fr", "nl", "sv", "de", "es", "uk", "ru", "it", "hant", "tr", "ko", "sl"}
+	UserSettingAppearanceValue     = []string{"system", "light", "dark"}
+	UserSettingMemoVisibilityValue = []Visibility{Private, Protected, Public}
+)
+
+type UserSetting struct {
+	UserID int
+	Key    UserSettingKey `json:"key"`
+	// Value is a JSON string with basic value
+	Value string `json:"value"`
+}
+
+type UserSettingUpsert struct {
+	UserID int            `json:"-"`
+	Key    UserSettingKey `json:"key"`
+	Value  string         `json:"value"`
+}
+
+func (upsert UserSettingUpsert) Validate() error {
+	if upsert.Key == UserSettingLocaleKey {
+		localeValue := "en"
+		err := json.Unmarshal([]byte(upsert.Value), &localeValue)
+		if err != nil {
+			return fmt.Errorf("failed to unmarshal user setting locale value")
+		}
+		if !slices.Contains(UserSettingLocaleValue, localeValue) {
+			return fmt.Errorf("invalid user setting locale value")
+		}
+	} else if upsert.Key == UserSettingAppearanceKey {
+		appearanceValue := "system"
+		err := json.Unmarshal([]byte(upsert.Value), &appearanceValue)
+		if err != nil {
+			return fmt.Errorf("failed to unmarshal user setting appearance value")
+		}
+		if !slices.Contains(UserSettingAppearanceValue, appearanceValue) {
+			return fmt.Errorf("invalid user setting appearance value")
+		}
+	} else if upsert.Key == UserSettingMemoVisibilityKey {
+		memoVisibilityValue := Private
+		err := json.Unmarshal([]byte(upsert.Value), &memoVisibilityValue)
+		if err != nil {
+			return fmt.Errorf("failed to unmarshal user setting memo visibility value")
+		}
+		if !slices.Contains(UserSettingMemoVisibilityValue, memoVisibilityValue) {
+			return fmt.Errorf("invalid user setting memo visibility value")
+		}
+	} else {
+		return fmt.Errorf("invalid user setting key")
+	}
+
+	return nil
+}
+
+type UserSettingFind struct {
+	UserID int
+
+	Key UserSettingKey `json:"key"`
+}
+
+type UserSettingDelete struct {
+	UserID int
+}
--- a/resources/tech-stack.png
+++ b/resources/tech-stack.png
--- a/bin/server/cmd/root.go
+++ b/bin/server/cmd/root.go
@@ -1,59 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"os"
-
-	"memos/server"
-	"memos/server/profile"
-	"memos/store"
-	DB "memos/store/db"
-)
-
-const (
-	greetingBanner = `
-███╗   ███╗███████╗███╗   ███╗ ██████╗ ███████╗
-████╗ ████║██╔════╝████╗ ████║██╔═══██╗██╔════╝
-██╔████╔██║█████╗  ██╔████╔██║██║   ██║███████╗
-██║╚██╔╝██║██╔══╝  ██║╚██╔╝██║██║   ██║╚════██║
-██║ ╚═╝ ██║███████╗██║ ╚═╝ ██║╚██████╔╝███████║
-╚═╝     ╚═╝╚══════╝╚═╝     ╚═╝ ╚═════╝ ╚══════╝
-`
-)
-
-type Main struct {
-	profile *profile.Profile
-}
-
-func (m *Main) Run() error {
-	db := DB.NewDB(m.profile)
-	if err := db.Open(); err != nil {
-		return fmt.Errorf("cannot open db: %w", err)
-	}
-
-	s := server.NewServer(m.profile)
-
-	storeInstance := store.New(db.Db, m.profile)
-	s.Store = storeInstance
-
-	if err := s.Run(); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func Execute() {
-	profile := profile.GetProfile()
-	m := Main{
-		profile: profile,
-	}
-
-	println(greetingBanner)
-	fmt.Printf("Version %s has started at :%d\n", profile.Version, profile.Port)
-
-	if err := m.Run(); err != nil {
-		fmt.Printf("error: %+v\n", err)
-		os.Exit(1)
-	}
-}
--- a/bin/server/main.go
+++ b/bin/server/main.go
@@ -1,7 +0,0 @@
-package main
-
-import "memos/bin/server/cmd"
-
-func main() {
-	cmd.Execute()
-}
--- a/cmd/memos.go
+++ b/cmd/memos.go
@@ -0,0 +1,166 @@
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"os"
+	"os/signal"
+	"syscall"
+	"time"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+
+	"github.com/usememos/memos/server"
+	_profile "github.com/usememos/memos/server/profile"
+	"github.com/usememos/memos/setup"
+	"github.com/usememos/memos/store"
+	"github.com/usememos/memos/store/db"
+)
+
+const (
+	greetingBanner = `
+███╗   ███╗███████╗███╗   ███╗ ██████╗ ███████╗
+████╗ ████║██╔════╝████╗ ████║██╔═══██╗██╔════╝
+██╔████╔██║█████╗  ██╔████╔██║██║   ██║███████╗
+██║╚██╔╝██║██╔══╝  ██║╚██╔╝██║██║   ██║╚════██║
+██║ ╚═╝ ██║███████╗██║ ╚═╝ ██║╚██████╔╝███████║
+╚═╝     ╚═╝╚══════╝╚═╝     ╚═╝ ╚═════╝ ╚══════╝
+`
+)
+
+var (
+	profile *_profile.Profile
+	mode    string
+	port    int
+	data    string
+
+	rootCmd = &cobra.Command{
+		Use:   "memos",
+		Short: `An open-source, self-hosted memo hub with knowledge management and social networking.`,
+		Run: func(_cmd *cobra.Command, _args []string) {
+			ctx, cancel := context.WithCancel(context.Background())
+			s, err := server.NewServer(ctx, profile)
+			if err != nil {
+				cancel()
+				fmt.Printf("failed to create server, error: %+v\n", err)
+				return
+			}
+
+			c := make(chan os.Signal, 1)
+			// Trigger graceful shutdown on SIGINT or SIGTERM.
+			// The default signal sent by the `kill` command is SIGTERM,
+			// which is taken as the graceful shutdown signal for many systems, eg., Kubernetes, Gunicorn.
+			signal.Notify(c, os.Interrupt, syscall.SIGTERM)
+			go func() {
+				sig := <-c
+				fmt.Printf("%s received.\n", sig.String())
+				s.Shutdown(ctx)
+				cancel()
+			}()
+
+			println(greetingBanner)
+			fmt.Printf("Version %s has started at :%d\n", profile.Version, profile.Port)
+			if err := s.Start(ctx); err != nil {
+				if err != http.ErrServerClosed {
+					fmt.Printf("failed to start server, error: %+v\n", err)
+					cancel()
+				}
+			}
+
+			// Wait for CTRL-C.
+			<-ctx.Done()
+		},
+	}
+
+	setupCmd = &cobra.Command{
+		Use:   "setup",
+		Short: "Make initial setup for memos",
+		Run: func(cmd *cobra.Command, _ []string) {
+			ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+			defer cancel()
+
+			hostUsername, err := cmd.Flags().GetString(setupCmdFlagHostUsername)
+			if err != nil {
+				fmt.Printf("failed to get owner username, error: %+v\n", err)
+				return
+			}
+
+			hostPassword, err := cmd.Flags().GetString(setupCmdFlagHostPassword)
+			if err != nil {
+				fmt.Printf("failed to get owner password, error: %+v\n", err)
+				return
+			}
+
+			db := db.NewDB(profile)
+			if err := db.Open(ctx); err != nil {
+				fmt.Printf("failed to open db, error: %+v\n", err)
+				return
+			}
+
+			store := store.New(db.DBInstance, profile)
+			if err := setup.Execute(ctx, store, hostUsername, hostPassword); err != nil {
+				fmt.Printf("failed to setup, error: %+v\n", err)
+				return
+			}
+		},
+	}
+)
+
+func Execute() error {
+	return rootCmd.Execute()
+}
+
+func init() {
+	cobra.OnInitialize(initConfig)
+
+	rootCmd.PersistentFlags().StringVarP(&mode, "mode", "m", "demo", `mode of server, can be "prod" or "dev" or "demo"`)
+	rootCmd.PersistentFlags().IntVarP(&port, "port", "p", 8081, "port of server")
+	rootCmd.PersistentFlags().StringVarP(&data, "data", "d", "", "data directory")
+
+	err := viper.BindPFlag("mode", rootCmd.PersistentFlags().Lookup("mode"))
+	if err != nil {
+		panic(err)
+	}
+	err = viper.BindPFlag("port", rootCmd.PersistentFlags().Lookup("port"))
+	if err != nil {
+		panic(err)
+	}
+	err = viper.BindPFlag("data", rootCmd.PersistentFlags().Lookup("data"))
+	if err != nil {
+		panic(err)
+	}
+
+	viper.SetDefault("mode", "demo")
+	viper.SetDefault("port", 8081)
+	viper.SetEnvPrefix("memos")
+
+	setupCmd.Flags().String(setupCmdFlagHostUsername, "", "Owner username")
+	setupCmd.Flags().String(setupCmdFlagHostPassword, "", "Owner password")
+
+	rootCmd.AddCommand(setupCmd)
+}
+
+func initConfig() {
+	viper.AutomaticEnv()
+	var err error
+	profile, err = _profile.GetProfile()
+	if err != nil {
+		fmt.Printf("failed to get profile, error: %+v\n", err)
+		return
+	}
+
+	println("---")
+	println("Server profile")
+	println("dsn:", profile.DSN)
+	println("port:", profile.Port)
+	println("mode:", profile.Mode)
+	println("version:", profile.Version)
+	println("---")
+}
+
+const (
+	setupCmdFlagHostUsername = "host-username"
+	setupCmdFlagHostPassword = "host-password"
+)
--- a/common/error.go
+++ b/common/error.go
@@ -9,7 +9,7 @@ type Code int

 // Application error codes.
 const (
-	// 0 ~ 99 general error
+	// 0 ~ 99 general error.
 	Ok             Code = 0
 	Internal       Code = 1
 	NotAuthorized  Code = 2
@@ -17,11 +17,6 @@ const (
 	NotFound       Code = 4
 	Conflict       Code = 5
 	NotImplemented Code = 6
-
-	// 101 ~ 199 db error
-	DbConnectionFailure    Code = 101
-	DbStatementSyntaxError Code = 102
-	DbExecutionError       Code = 103
 )

 // Error represents an application-specific error. Application errors can be
--- a/common/log/logger.go
+++ b/common/log/logger.go
@@ -0,0 +1,67 @@
+// Package log implements a simple logging package.
+package log
+
+import (
+	"go.uber.org/zap"
+	"go.uber.org/zap/zapcore"
+)
+
+var (
+	// `gl` is the global logger.
+	// Other packages should use public methods such as Info/Error to do the logging.
+	// For other types of logging, e.g. logging to a separate file, they should use their own loggers.
+	gl     *zap.Logger
+	gLevel zap.AtomicLevel
+)
+
+// Initializes the global console logger.
+func init() {
+	gLevel = zap.NewAtomicLevelAt(zap.InfoLevel)
+	gl, _ = zap.Config{
+		Level:       gLevel,
+		Development: true,
+		// Use "console" to print readable stacktrace.
+		Encoding:         "console",
+		EncoderConfig:    zap.NewDevelopmentEncoderConfig(),
+		OutputPaths:      []string{"stderr"},
+		ErrorOutputPaths: []string{"stderr"},
+	}.Build(
+		// Skip one caller stack to locate the correct caller.
+		zap.AddCallerSkip(1),
+	)
+}
+
+// SetLevel wraps the zap Level's SetLevel method.
+func SetLevel(level zapcore.Level) {
+	gLevel.SetLevel(level)
+}
+
+// EnabledLevel wraps the zap Level's Enabled method.
+func EnabledLevel(level zapcore.Level) bool {
+	return gLevel.Enabled(level)
+}
+
+// Debug wraps the zap Logger's Debug method.
+func Debug(msg string, fields ...zap.Field) {
+	gl.Debug(msg, fields...)
+}
+
+// Info wraps the zap Logger's Info method.
+func Info(msg string, fields ...zap.Field) {
+	gl.Info(msg, fields...)
+}
+
+// Warn wraps the zap Logger's Warn method.
+func Warn(msg string, fields ...zap.Field) {
+	gl.Warn(msg, fields...)
+}
+
+// Error wraps the zap Logger's Error method.
+func Error(msg string, fields ...zap.Field) {
+	gl.Error(msg, fields...)
+}
+
+// Sync wraps the zap Logger's Sync method.
+func Sync() {
+	_ = gl.Sync()
+}
--- a/common/util.go
+++ b/common/util.go
@@ -1,6 +1,9 @@
 package common

 import (
+	"crypto/rand"
+	"math/big"
+	"net/mail"
 	"strings"

 	"github.com/google/uuid"
@@ -16,6 +19,42 @@ func HasPrefixes(src string, prefixes ...string) bool {
 	return false
 }

+// ValidateEmail validates the email.
+func ValidateEmail(email string) bool {
+	if _, err := mail.ParseAddress(email); err != nil {
+		return false
+	}
+	return true
+}
+
 func GenUUID() string {
 	return uuid.New().String()
 }
+
+func Min(x, y int) int {
+	if x < y {
+		return x
+	}
+	return y
+}
+
+var letters = []rune("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
+
+// RandomString returns a random string with length n.
+func RandomString(n int) (string, error) {
+	var sb strings.Builder
+	sb.Grow(n)
+	for i := 0; i < n; i++ {
+		// The reason for using crypto/rand instead of math/rand is that
+		// the former relies on hardware to generate random numbers and
+		// thus has a stronger source of random numbers.
+		randNum, err := rand.Int(rand.Reader, big.NewInt(int64(len(letters))))
+		if err != nil {
+			return "", err
+		}
+		if _, err := sb.WriteRune(letters[randNum.Uint64()]); err != nil {
+			return "", err
+		}
+	}
+	return sb.String(), nil
+}
--- a/common/util_test.go
+++ b/common/util_test.go
@@ -0,0 +1,31 @@
+package common
+
+import (
+	"testing"
+)
+
+func TestValidateEmail(t *testing.T) {
+	tests := []struct {
+		email string
+		want  bool
+	}{
+		{
+			email: "t@gmail.com",
+			want:  true,
+		},
+		{
+			email: "@qq.com",
+			want:  false,
+		},
+		{
+			email: "1@gmail",
+			want:  true,
+		},
+	}
+	for _, test := range tests {
+		result := ValidateEmail(test.email)
+		if result != test.want {
+			t.Errorf("Validate Email %s: got result %v, want %v.", test.email, result, test.want)
+		}
+	}
+}
--- a/common/version.go
+++ b/common/version.go
@@ -1,4 +0,0 @@
-package common
-
-// Version is the service current released version.
-var Version = "0.1.2"
--- a/docker-compose.uffizzi.yml
+++ b/docker-compose.uffizzi.yml
@@ -0,0 +1,17 @@
+version: "3.0"
+
+# uffizzi integration
+x-uffizzi:
+  ingress:
+    service: memos
+    port: 5230
+
+services:
+  memos:
+    image: "${MEMOS_IMAGE}"
+    volumes:
+      - memos_volume:/var/opt/memos
+    command: ["--mode", "demo"]
+
+volumes:
+  memos_volume:
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -0,0 +1,9 @@
+version: "3.0"
+services:
+  memos:
+    image: neosmemo/memos:latest
+    container_name: memos
+    volumes:
+      - ~/.memos/:/var/opt/memos
+    ports:
+      - 5230:5230
--- a/docs/custom-themes.md
+++ b/docs/custom-themes.md
@@ -0,0 +1,18 @@
+# Adding A Custom Theme
+
+1. Open the Settings Dialog
+2. Navigate to the System Tab
+3. In the "Additional Styles" box add these lines of code:
+
+   ```css
+   .memo-list-container {
+     background-color: #INSERT COLOR HERE;
+   }
+   .page-container {
+     background-color: #INSERT COLOR HERE;
+   }
+   ```
+
+   It is recommended that you choose the same color for both options
+
+4. Refresh the page and the background color of your memos app will successfully update to reflect your changes
--- a/docs/deploy-with-render.md
+++ b/docs/deploy-with-render.md
@@ -0,0 +1,133 @@
+# A Beginner's Guide to Deploying Memos on Render.com
+
+written by [AJ](https://memos.ajstephens.website/) (also a noob)
+
+<img height="64px" src="https://usememos.com/logo-full.png" alt="✍️ memos" />
+
+[Live Demo](https://demo.usememos.com) • [Official Website](https://usememos.com) • [Source Code](https://github.com/usememos/memos)
+
+## Who is this guide for?
+
+Someone who...
+
+- doesn't have much experience with self hosting
+- has a minimal understanding of docker
+
+Someone who wants...
+
+- to use memos
+- to support the memos project
+- a cost effective and simple way to host it on the cloud with reliablity and persistance
+- to share memos with friends
+
+## Requirements
+
+- Can follow instructions
+- Have 7ish USD a month on a debit/credit card
+
+## Guide
+
+Create an account at [Render](https://dashboard.render.com/register)
+![ss1](https://i.imgur.com/l3K7aqC.png)
+
+1. Go to your dashboard
+
+[https://dashboard.render.com/](https://dashboard.render.com/)
+
+2. Select New Web Service
+
+   ![ss2](https://i.imgur.com/IIDdK2y.png)
+
+3. Scroll down to "Public Git repository"
+
+4. Paste in the link for the public git repository for memos (https://github.com/usememos/memos) and press continue
+
+   ![ss3](https://i.imgur.com/OXoCWoJ.png)
+
+5. Render will pre-fill most of the fields but you will need to create a unique name for your web service
+
+6. Adjust region if you want to
+
+7. Don't touch the "branch", "root directory", and "environment" fields
+
+   ![ss4](https://i.imgur.com/v7Sw3fp.png)
+
+8. Click "enter your payment information" and do so
+
+   ![ss5](https://i.imgur.com/paKcQFl.png)
+
+   ![ss6](https://i.imgur.com/JdcO1HC.png)
+
+9. Select the starter plan ($7 a month - a requirement for persistant data - render's free instances spin down when inactive and lose all data)
+
+10. Click "Create Web Service"
+
+![ss7](https://i.imgur.com/MHe45J4.png)
+
+11. Wait patiently while the _magic_ happens 🤷‍♂️
+
+![ss8](https://i.imgur.com/h1PXHHJ.png)
+
+12. After some time (~ 6 min for me) the build will finish and you will see the web service is live
+
+![ss9](https://i.imgur.com/msapkRw.png)
+
+13. Now it's time to add the disk so your data won't dissappear when the webservice redeploys (redeploys happen automatically when the public repo is updated)
+
+14. Select the "Disks" tab on the left menu and then click "Add Disk"
+
+![ss10](https://i.imgur.com/rGeI0bv.png)
+
+15. Name your disk (can be whatever)
+
+16. Set the "Mount Path" to `/var/opt/memos`
+
+17. Set the disk size (default is 10GB but 1GB is plenty and can be increased at any time)
+
+18. Click "Save"
+
+    ![ss11](https://i.imgur.com/Jbg7O6q.png)
+
+19. Wait...again...while the webservice redeploys with the persistant disk
+
+    ![ss12](https://i.imgur.com/pTzpE34.png)
+
+20. aaaand....we're back online!
+
+    ![ss13](https://i.imgur.com/qdsFfSa.png)
+
+21. Time to test! We're going to make sure everything is working correctly.
+
+22. Click the link in the top left, it should look like `https://the-name-you-chose.onrender.com` - this is your self hosted memos link!
+
+    ![ss14](https://i.imgur.com/cgzFSIn.png)
+
+23. Create a Username and Password (remember these) then click "Sign up as Host"
+
+    ![ss15](https://i.imgur.com/kuRStAj.png)
+
+24. Create a test memo then click save
+
+    ![ss16](https://i.imgur.com/Eh2AB44.png)
+
+25. Sign out of your self-hosted memos
+
+    ![ss17](https://i.imgur.com/0mMb88G.png)
+
+26. Return to your Render dashboard, click the "Manual Deploy" dropdown button and click "Deploy latest commit" and wait until the webservice is live again (This is to test that your data is persistant)
+
+    ![ss18](https://i.imgur.com/w1N7VTb.png)
+
+27. Once the webservice is live go back to your self-hosted memos page and sign in! (If your memos screen looks different then something went wrong)
+
+28. Once you're logged in, verify your test memo is still there after the redeploy
+
+    ![ss19](https://i.imgur.com/dTcEQZS.png)
+
+    ![ss20](https://i.imgur.com/VE2lu8H.png)
+
+## 🎉Celebrate!🎉
+
+You did it! Enjoy using memos!
+
+Want to learn more or need more guidance? Join the community on [telegram](https://t.me/+-_tNF1k70UU4ZTc9) and [discord](https://discord.gg/tfPJa4UmAv).
--- a/docs/development.md
+++ b/docs/development.md
@@ -0,0 +1,40 @@
+# Development
+
+Memos is built with a curated tech stack. It is optimized for developer experience and is very easy to start working on the code:
+
+1. It has no external dependency.
+2. It requires zero config.
+3. 1 command to start backend and 1 command to start frontend, both with live reload support.
+
+## Tech Stack
+
+![tech-stack](https://raw.githubusercontent.com/usememos/memos/main/assets/tech-stack.png)
+
+## Prerequisites
+
+- [Go](https://golang.org/doc/install)
+- [Air](https://github.com/cosmtrek/air#installation) for backend live reload
+- [Node.js](https://nodejs.org/)
+- [yarn](https://yarnpkg.com/getting-started/install)
+
+## Steps
+
+1. pull source code
+
+   ```bash
+   git clone https://github.com/usememos/memos
+   ```
+
+2. start backend using air(with live reload)
+
+   ```bash
+   air -c scripts/.air.toml
+   ```
+
+3. start frontend dev server
+
+   ```bash
+   cd web && yarn && yarn dev
+   ```
+
+Memos should now be running at [http://localhost:3001](http://localhost:3001) and change either frontend or backend code would trigger live reload.
--- a/docs/setup.md
+++ b/docs/setup.md
@@ -0,0 +1,6 @@
+# Setup
+
+After deploying and running Memos in `prod` mode, you should create "host" user. There are two ways to do this:
+
+1. Navigate to the Memos application URL, such as `http://localhost:5230`, and follow the prompts to create a username and password for the "host" user.
+2. Use the command `memos setup --host-username=$USERNAME --host-password=$PASSWORD --mode=prod` to set up the host user. This method may be more convenient for deploying through Ansible or other provisioning softwares.
--- a/go.mod
+++ b/go.mod
@@ -1,32 +1,76 @@
-module memos
+module github.com/usememos/memos

-go 1.17
-
-require github.com/mattn/go-sqlite3 v1.14.9
-
-require github.com/google/uuid v1.3.0
+go 1.19

 require (
+	github.com/aws/aws-sdk-go-v2 v1.17.4
+	github.com/aws/aws-sdk-go-v2/config v1.18.12
+	github.com/aws/aws-sdk-go-v2/credentials v1.13.12
+	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.51
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.30.3
+	github.com/google/uuid v1.3.0
+	github.com/gorilla/feeds v1.1.1
+	github.com/labstack/echo/v4 v4.9.0
+	github.com/mattn/go-sqlite3 v1.14.9
+	github.com/pkg/errors v0.9.1
+	github.com/spf13/cobra v1.6.1
+	github.com/spf13/viper v1.15.0
+	github.com/stretchr/testify v1.8.1
+	go.uber.org/zap v1.24.0
+	golang.org/x/crypto v0.1.0
+	golang.org/x/exp v0.0.0-20230111222715-75897c7a292a
+	golang.org/x/mod v0.6.0
+	golang.org/x/net v0.7.0
+	golang.org/x/oauth2 v0.5.0
+)
+
+require (
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.10 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.22 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.28 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.22 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.29 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.20 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.23 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.22 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.22 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.12.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.18.3 // indirect
+	github.com/aws/smithy-go v1.13.5 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
-	github.com/mattn/go-colorable v0.1.11 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.0
+	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/inconshreveable/mousetrap v1.0.1 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/kr/pretty v0.3.1 // indirect
+	github.com/labstack/gommon v0.3.1 // indirect
+	github.com/magiconair/properties v1.8.7 // indirect
+	github.com/mattn/go-colorable v0.1.12 // indirect
 	github.com/mattn/go-isatty v0.0.14 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/pelletier/go-toml/v2 v2.0.6 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/spf13/afero v1.9.3 // indirect
+	github.com/spf13/cast v1.5.0 // indirect
+	github.com/spf13/jwalterweatherman v1.1.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/stretchr/objx v0.5.0 // indirect
+	github.com/subosito/gotenv v1.4.2 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	github.com/valyala/fasttemplate v1.2.1 // indirect
-	golang.org/x/crypto v0.0.0-20210920023735-84f357641f63
-	golang.org/x/net v0.0.0-20210917221730-978cfadd31cf // indirect
-	golang.org/x/sys v0.0.0-20211103235746-7861aae1554b // indirect
-	golang.org/x/text v0.3.7 // indirect
-	golang.org/x/time v0.0.0-20201208040808-7e3f01d25324 // indirect
-)
-
-require (
-	github.com/gorilla/context v1.1.1 // indirect
-	github.com/labstack/echo/v4 v4.6.3
-	github.com/labstack/gommon v0.3.1 // indirect
-)
-
-require (
-	github.com/gorilla/securecookie v1.1.1
-	github.com/gorilla/sessions v1.2.1
-	github.com/labstack/echo-contrib v0.12.0
+	go.uber.org/atomic v1.9.0 // indirect
+	go.uber.org/multierr v1.8.0 // indirect
+	golang.org/x/sys v0.5.0 // indirect
+	golang.org/x/text v0.7.0 // indirect
+	golang.org/x/time v0.1.0 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/protobuf v1.28.1 // indirect
+	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -3,6 +3,7 @@ cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMT
 cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
 cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU=
 cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
+cloud.google.com/go v0.44.3/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
 cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc=
 cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0=
 cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To=
@@ -13,6 +14,9 @@ cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKV
 cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs=
 cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc=
 cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY=
+cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI=
+cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk=
+cloud.google.com/go v0.75.0/go.mod h1:VGuuCn7PG0dwsd5XPVm2Mm3wlh3EL55/79EKB6hlPTY=
 cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
 cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
 cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
@@ -30,69 +34,80 @@ cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0Zeo
 cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
 cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
 cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
+cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3fOKtUw0Xmo=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/HdrHistogram/hdrhistogram-go v1.1.2/go.mod h1:yDgFjdqOqDEKOvasDdhWNXYg9BVp4O+o5f6V/ehm6Oo=
-github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0=
-github.com/Shopify/sarama v1.30.0/go.mod h1:zujlQQx1kzHsh4jfV1USnptCQrHAEZ2Hk8fTKCulPVs=
-github.com/Shopify/toxiproxy/v2 v2.1.6-0.20210914104332-15ea381dcdae/go.mod h1:/cvHQkZ1fst0EmZnA5dFtiQdWCNCFYzb+uE2vqVgvx0=
-github.com/ajstarks/svgo v0.0.0-20180226025133-644b8db467af/go.mod h1:K08gAheRH3/J6wwsYMMT4xOr94bZjxIelGM0+d/wbFw=
-github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
-github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
-github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
-github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
-github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
-github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
-github.com/appleboy/gofight/v2 v2.1.2/go.mod h1:frW+U1QZEdDgixycTj4CygQ48yLTUhplt43+Wczp3rw=
-github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
-github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
-github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/casbin/casbin/v2 v2.40.6/go.mod h1:sEL80qBYTbd+BPeL4iyvwYzFT3qwLaESq5aFKVLbLfA=
+github.com/aws/aws-sdk-go-v2 v1.17.4 h1:wyC6p9Yfq6V2y98wfDsj6OnNQa4w2BLGCLIxzNhwOGY=
+github.com/aws/aws-sdk-go-v2 v1.17.4/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.10 h1:dK82zF6kkPeCo8J1e+tGx4JdvDIQzj7ygIoLg8WMuGs=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.10/go.mod h1:VeTZetY5KRJLuD/7fkQXMU6Mw7H5m/KP2J5Iy9osMno=
+github.com/aws/aws-sdk-go-v2/config v1.18.12 h1:fKs/I4wccmfrNRO9rdrbMO1NgLxct6H9rNMiPdBxHWw=
+github.com/aws/aws-sdk-go-v2/config v1.18.12/go.mod h1:J36fOhj1LQBr+O4hJCiT8FwVvieeoSGOtPuvhKlsNu8=
+github.com/aws/aws-sdk-go-v2/credentials v1.13.12 h1:Cb+HhuEnV19zHRaYYVglwvdHGMJWbdsyP4oHhw04xws=
+github.com/aws/aws-sdk-go-v2/credentials v1.13.12/go.mod h1:37HG2MBroXK3jXfxVGtbM2J48ra2+Ltu+tmwr/jO0KA=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.22 h1:3aMfcTmoXtTZnaT86QlVaYh+BRMbvrrmZwIQ5jWqCZQ=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.22/go.mod h1:YGSIJyQ6D6FjKMQh16hVFSIUD54L4F7zTGePqYMYYJU=
+github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.51 h1:iTFYCAdKzSAjGnVIUe88Hxvix0uaBqr0Rv7qJEOX5hE=
+github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.51/go.mod h1:7Grl2gV+dx9SWrUIgwwlUvU40t7+lOSbx34XwfmsTkY=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.28 h1:r+XwaCLpIvCKjBIYy/HVZujQS9tsz5ohHG3ZIe0wKoE=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.28/go.mod h1:3lwChorpIM/BhImY/hy+Z6jekmN92cXGPI1QJasVPYY=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.22 h1:7AwGYXDdqRQYsluvKFmWoqpcOQJ4bH634SkYf3FNj/A=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.22/go.mod h1:EqK7gVrIGAHyZItrD1D8B0ilgwMD1GiWAmbU4u/JHNk=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.3.29 h1:J4xhFd6zHhdF9jPP0FQJ6WknzBboGMBNjKOv4iTuw4A=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.3.29/go.mod h1:TwuqRBGzxjQJIwH16/fOZodwXt2Zxa9/cwJC5ke4j7s=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.19/go.mod h1:8W88sW3PjamQpKFUQvHWWKay6ARsNvZnzU7+a4apubw=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.20 h1:YIvKIfPXQVp0EhXUV644kmQo6cQPPSRmC44A1HSoJeg=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.20/go.mod h1:8W88sW3PjamQpKFUQvHWWKay6ARsNvZnzU7+a4apubw=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.11 h1:y2+VQzC6Zh2ojtV2LoC0MNwHWc6qXv/j2vrQtlftkdA=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.11/go.mod h1:iV4q2hsqtNECrfmlXyord9u4zyuFEJX9eLgLpSPzWA8=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.23 h1:c5+bNdV8E4fIPteWx4HZSkqI07oY9exbfQ7JH7Yx4PI=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.23/go.mod h1:1jcUfF+FAOEwtIcNiHPaV4TSoZqkUIPzrohmD7fb95c=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.22 h1:LjFQf8hFuMO22HkV5VWGLBvmCLBCLPivUAmpdpnp4Vs=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.22/go.mod h1:xt0Au8yPIwYXf/GYPy/vl4K3CgwhfQMYbrH7DlUUIws=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.22 h1:ISLJ2BKXe4zzyZ7mp5ewKECiw0U7KpLgS3S6OxY9Cm0=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.22/go.mod h1:QFVbqK54XArazLvn2wvWMRBi/jGrWii46qbr5DyPGjc=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.30.2/go.mod h1:SXDHd6fI2RhqB7vmAzyYQCTQnpZrIprVJvYxpzW3JAM=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.30.3 h1:PVieHTwugdlHedlxLpYLQsOZAq736RScuEb/m4zhzc4=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.30.3/go.mod h1:XN3YcdmnWYZ3Hrnojvo5p2mc/wfF973nkq3ClXPDMHk=
+github.com/aws/aws-sdk-go-v2/service/sso v1.12.1 h1:lQKN/LNa3qqu2cDOQZybP7oL4nMGGiFqob0jZJaR8/4=
+github.com/aws/aws-sdk-go-v2/service/sso v1.12.1/go.mod h1:IgV8l3sj22nQDd5qcAGY0WenwCzCphqdbFOpfktZPrI=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.1 h1:0bLhH6DRAqox+g0LatcjGKjjhU6Eudyys6HB6DJVPj8=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.1/go.mod h1:O1YSOg3aekZibh2SngvCRRG+cRHKKlYgxf/JBF/Kr/k=
+github.com/aws/aws-sdk-go-v2/service/sts v1.18.3 h1:s49mSnsBZEXjfGBkRfmK+nPqzT7Lt3+t2SmAKNyHblw=
+github.com/aws/aws-sdk-go-v2/service/sts v1.18.3/go.mod h1:b+psTJn33Q4qGoDaM7ZiOVVG8uVjGI6HaZ8WBHdgDgU=
+github.com/aws/smithy-go v1.13.5 h1:hgz0X/DX0dGqTYpGALqXJoRKRj5oQ7150i5FdTePzO8=
+github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
+github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
+github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
-github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
+github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/eapache/go-resiliency v1.2.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs=
-github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU=
-github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
+github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
-github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
-github.com/fogleman/gg v1.2.1-0.20190220221249-0403632d5b90/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k=
-github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=
-github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
-github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
-github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
+github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE=
+github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
+github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
-github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
-github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
-github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
-github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
-github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
-github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
-github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
-github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
-github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
 github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
-github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k=
+github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
+github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -119,8 +134,8 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
@@ -130,11 +145,14 @@ github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
+github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
@@ -142,140 +160,101 @@ github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hf
 github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
-github.com/gorilla/context v1.1.1 h1:AWwleXJkX/nhcU9bZSnZoi3h/qGYqQAGhq6zZe/aQW8=
-github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
-github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
-github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
-github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
-github.com/gorilla/sessions v1.2.1 h1:DHd3rPN5lE3Ts3D8rKkQ8x/0kqfeNmBAaiSi+o7FsgI=
-github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
-github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
-github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g=
+github.com/gorilla/feeds v1.1.1 h1:HwKXxqzcRNg9to+BbvJog4+f3s/xzvtZXICcQGutYfY=
+github.com/gorilla/feeds v1.1.1/go.mod h1:Nk0jZrvPFZX1OBe5NPiddPw7CfwF6Q9eqzaBbaightA=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
-github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
+github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
+github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
-github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
-github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM=
-github.com/jcmturner/gofork v1.0.0/go.mod h1:MK8+TM0La+2rjBD4jE12Kj1pCCxK7d2LK/UM3ncEo0o=
-github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg=
-github.com/jcmturner/gokrb5/v8 v8.4.2/go.mod h1:sb+Xq/fTY5yktf/VxLsE3wlfPqQjp0aWNYyvBVK62bc=
-github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
-github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
-github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
-github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
-github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
+github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc=
+github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
+github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
+github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
+github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
-github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
-github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
-github.com/jung-kurt/gofpdf v1.0.3-0.20190309125859-24315acbbda5/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
-github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
+github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/labstack/echo-contrib v0.12.0 h1:NPr1ez+XUa5s/4LujEon+32Bxg5DO6EKSW/va06pmLc=
-github.com/labstack/echo-contrib v0.12.0/go.mod h1:kR62TbwsBgmpV2HVab5iQRsQtLuhPyGqCBee88XRc4M=
-github.com/labstack/echo/v4 v4.6.1/go.mod h1:RnjgMWNDB9g/HucVWhQYNQP9PvbYf6adqftqryo7s9k=
-github.com/labstack/echo/v4 v4.6.3 h1:VhPuIZYxsbPmo4m9KAkMU/el2442eB7EBFFhNTTT9ac=
-github.com/labstack/echo/v4 v4.6.3/go.mod h1:Hk5OiHj0kDqmFq7aHe7eDqI7CUhuCrfpupQtLGGLm7A=
-github.com/labstack/gommon v0.3.0/go.mod h1:MULnywXg0yavhxWKc+lOruYdAhDwPK9wf0OL7NoOu+k=
+github.com/labstack/echo/v4 v4.9.0 h1:wPOF1CE6gvt/kmbMR4dGzWvHMPT+sAEUJOwOTtvITVY=
+github.com/labstack/echo/v4 v4.9.0/go.mod h1:xkCDAdFCIf8jsFQ5NnbK7oqaF/yU1A1X20Ltm0OvSks=
 github.com/labstack/gommon v0.3.1 h1:OomWaJXm7xR6L1HmEtGyQf26TEn7V6X88mktX9kee9o=
 github.com/labstack/gommon v0.3.1/go.mod h1:uW6kP17uPlLJsD3ijUYn3/M5bAxtlZhMI6m3MFxTMTM=
-github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
-github.com/mattn/go-colorable v0.1.8/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
-github.com/mattn/go-colorable v0.1.11 h1:nQ+aFkoE2TMGc0b68U2OKSexC+eq46+XwZzWXHRmPYs=
+github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY=
+github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
 github.com/mattn/go-colorable v0.1.11/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
-github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
-github.com/mattn/go-isatty v0.0.9/go.mod h1:YNRxwqDuOph6SZLI9vUUz6OYw3QyUt7WiY2yME+cCiQ=
-github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
+github.com/mattn/go-colorable v0.1.12 h1:jF+Du6AlPIjs2BiUiQlKOX0rt3SujHxPnksPKZbaA40=
+github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
 github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y=
 github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
 github.com/mattn/go-sqlite3 v1.14.9 h1:10HX2Td0ocZpYEjhilsuo6WWtUqttj2Kb0KtD86/KYA=
 github.com/mattn/go-sqlite3 v1.14.9/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
-github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
-github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
-github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
-github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
-github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
-github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
-github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0=
-github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU=
-github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
-github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
-github.com/onsi/gomega v1.16.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
-github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
-github.com/openzipkin/zipkin-go v0.3.0/go.mod h1:4c3sLeE8xjNqehmF5RpAFLPLJxXscc0R4l6Zg0P1tTQ=
-github.com/pierrec/lz4 v2.6.1+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
-github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
+github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/pelletier/go-toml/v2 v2.0.6 h1:nrzqCb7j9cDFj2coyLNLaZuJTLjWjlaz6nvTvIwycIU=
+github.com/pelletier/go-toml/v2 v2.0.6/go.mod h1:eumQOmlWiOPt5WriQQqoM5y18pDHwha2N+QD+EUNTek=
+github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
-github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
-github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
-github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
-github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
-github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
-github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
-github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc=
-github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls=
-github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
-github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
-github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
-github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
-github.com/rabbitmq/amqp091-go v1.1.0/go.mod h1:ogQDLSOACsLPsIq0NpbtiifNZi2YOz0VTJ0kHRghqbM=
-github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
-github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
-github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
-github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
-github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
-github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
+github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/spf13/afero v1.9.3 h1:41FoI0fD7OR7mGcKE/aOiLkGreyf8ifIOQmJANWogMk=
+github.com/spf13/afero v1.9.3/go.mod h1:iUV7ddyEEZPO5gA3zD4fJt6iStLlL+Lg4m2cihcDf8Y=
+github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w=
+github.com/spf13/cast v1.5.0/go.mod h1:SpXXQ5YoyJw6s3/6cMTQuxvgRl3PCJiyaX9p6b155UU=
+github.com/spf13/cobra v1.6.1 h1:o94oiPyS4KD1mPy2fmcYYHHfCxLqYjJOhGsCHFZtEzA=
+github.com/spf13/cobra v1.6.1/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY=
+github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk=
+github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/viper v1.15.0 h1:js3yy885G8xwJa6iOISGFwd+qlUo5AvyXb7CiihdtiU=
+github.com/spf13/viper v1.15.0/go.mod h1:fFcTBJxvhhzSJiZy8n+PeW6t8l+KeT/uTARa0jHOQLA=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/uber/jaeger-client-go v2.30.0+incompatible/go.mod h1:WVhlPFC8FDjOFMMWRy2pZqQJSXxYSwNYOkTr/Z6d3Kk=
-github.com/uber/jaeger-lib v2.4.1+incompatible/go.mod h1:ComeNDZlWwrWnDv8aPp0Ba6+uUTzImX/AauajbLI56U=
-github.com/urfave/cli/v2 v2.3.0/go.mod h1:LJmUH05zAU44vOAcrfzZQKsZbVcdbOG8rtL3/XcUArI=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/subosito/gotenv v1.4.2 h1:X1TuBLAMDFbaTAChgCBLu3DU3UPyELpnF2jjJ2cz/S8=
+github.com/subosito/gotenv v1.4.2/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0=
 github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
-github.com/valyala/fasttemplate v1.0.1/go.mod h1:UQGH1tvbgY+Nz5t2n7tXsz52dQxojPUpymEIMZ47gx8=
 github.com/valyala/fasttemplate v1.2.1 h1:TVEnxayobAdVkhQfrfes2IzOB6o+z4roRkPF52WA1u4=
 github.com/valyala/fasttemplate v1.2.1/go.mod h1:KHLXt3tVN2HBp8eijSv/kGJopbvo7S+qRAEEKiv+SiQ=
-github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
-github.com/xdg-go/scram v1.0.2/go.mod h1:1WAq6h33pAW+iRreB34OORO2Nf7qel3VV3fjBj+hCSs=
-github.com/xdg-go/stringprep v1.0.2/go.mod h1:8F9zXuvzgwmyT5DUm4GUfZGDdT3W+LCvS6+da4O5kxM=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -285,22 +264,25 @@ go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
-go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
+go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
+go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
+go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE=
 go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
-golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+go.uber.org/goleak v1.1.11 h1:wy28qYRKZgnJTxGxvye5/wgWr1EKjmUDGYox5mGlRlI=
+go.uber.org/multierr v1.8.0 h1:dg6GjLku4EH+249NNmoIciG9N/jURbDG+pFlTkhzIC8=
+go.uber.org/multierr v1.8.0/go.mod h1:7EAYxJLBy9rStEaz58O2t4Uvip6FSURkq8/ppBp95ak=
+go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60=
+go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20201112155050-0c6587e931a9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20210920023735-84f357641f63 h1:kETrAMYZq6WVGPa8IIixL0CaEcIUNi+1WX7grUoi3y8=
-golang.org/x/crypto v0.0.0-20210920023735-84f357641f63/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
+golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.1.0 h1:MDRAIl0xIo9Io2xV565hzXHw3zVseKrJKodhohM5CjU=
+golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
 golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek=
@@ -310,7 +292,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
-golang.org/x/image v0.0.0-20180708004352-c73c2afc3b81/go.mod h1:ux5Hcp/YLpHSI86hEcLt0YII63i6oz57MZXIpbrjZUs=
+golang.org/x/exp v0.0.0-20230111222715-75897c7a292a h1:/YWeLOBWYV5WAQORVPkZF3Pq9IppkcT72GKnWjNf5W8=
+golang.org/x/exp v0.0.0-20230111222715-75897c7a292a/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -323,6 +306,7 @@ golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHl
 golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
 golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
 golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
 golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
@@ -331,10 +315,12 @@ golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzB
 golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.6.0 h1:b9gGHsz9/HhJ3HF5DHQytPpuwocVTChQJK3AvoLRD5I=
+golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -342,7 +328,6 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
-golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -356,24 +341,28 @@ golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/
 golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
-golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20210913180222-943fd674d43e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20210917221730-978cfadd31cf h1:R150MpwJIv1MpS0N/pc+NhTM8ajzvlmxlY5OYsrevXQ=
-golang.org/x/net v0.0.0-20210917221730-978cfadd31cf/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g=
+golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.5.0 h1:HuArIo48skDwlrvM3sEdHXElYslAMsf3KwRkkW4MC4s=
+golang.org/x/oauth2 v0.5.0/go.mod h1:9/XBHVqLaWO3/BRHs5jbpYCnOZVjj5V0ndyaAM7KB4I=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -385,30 +374,18 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -420,40 +397,38 @@ golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210910150752-751e447fb3d0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211103235746-7861aae1554b h1:1VkfZQv42XQlA/jchYumAnv1UPo6RgF9rJFkTgZIxO4=
 golang.org/x/sys v0.0.0-20211103235746-7861aae1554b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20201208040808-7e3f01d25324 h1:Hir2P/De0WpUhtrKGGjvSb2YxUgyZ7EFOSLIcSSpiwE=
-golang.org/x/time v0.0.0-20201208040808-7e3f01d25324/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/tools v0.0.0-20180525024113-a5b4c53f6e8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/time v0.1.0 h1:xYY+Bajn2a7VBmTM5GikTmnK8ZuX8YgnQCqZpbBNtmA=
+golang.org/x/time v0.1.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190206041539-40960b6deb8e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
@@ -492,15 +467,17 @@ golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roY
 golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
-golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE=
+golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-gonum.org/v1/gonum v0.0.0-20180816165407-929014505bf4/go.mod h1:Y+Yx5eoAFn32cQvJDxZx5Dpnq+c3wtXuadVZAcxbbBo=
-gonum.org/v1/gonum v0.8.2/go.mod h1:oe/vMfY3deqTw+1EZJhuvEW2iwGF1bW9wwu7XCu0+v0=
-gonum.org/v1/netlib v0.0.0-20190313105609-8cb42192e0e0/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw=
-gonum.org/v1/plot v0.0.0-20190515093506-e2840ee46a6b/go.mod h1:Wt8AAjI+ypCyYX3nZBvf6cAIx93T+c/OS2HFAYskSZc=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
 google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
@@ -517,12 +494,17 @@ google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0M
 google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
 google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM=
 google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc=
+google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg=
+google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE=
+google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
 google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
+google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
@@ -546,13 +528,19 @@ google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfG
 google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
 google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA=
 google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
@@ -565,9 +553,10 @@ google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKa
 google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
 google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0=
-google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.41.0/go.mod h1:U3l9uK9J0sini8mHphKoXyaqDA/8VyGnDee1zzIUK6k=
+google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
+google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
+google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8=
+google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -580,26 +569,22 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
+google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w=
+google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
-gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
-gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
-gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
+gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
@@ -608,6 +593,5 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
-rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
--- a/main.go
+++ b/main.go
@@ -0,0 +1,14 @@
+package main
+
+import (
+	_ "github.com/mattn/go-sqlite3"
+
+	"github.com/usememos/memos/cmd"
+)
+
+func main() {
+	err := cmd.Execute()
+	if err != nil {
+		panic(err)
+	}
+}
--- a/plugin/http-getter/html_meta.go
+++ b/plugin/http-getter/html_meta.go
@@ -0,0 +1,98 @@
+package getter
+
+import (
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+
+	"golang.org/x/net/html"
+	"golang.org/x/net/html/atom"
+)
+
+type HTMLMeta struct {
+	Title       string `json:"title"`
+	Description string `json:"description"`
+	Image       string `json:"image"`
+}
+
+func GetHTMLMeta(urlStr string) (*HTMLMeta, error) {
+	if _, err := url.Parse(urlStr); err != nil {
+		return nil, err
+	}
+
+	response, err := http.Get(urlStr)
+	if err != nil {
+		return nil, err
+	}
+	defer response.Body.Close()
+
+	mediatype, err := getMediatype(response)
+	if err != nil {
+		return nil, err
+	}
+	if mediatype != "text/html" {
+		return nil, fmt.Errorf("Wrong website mediatype")
+	}
+
+	htmlMeta := extractHTMLMeta(response.Body)
+	return htmlMeta, nil
+}
+
+func extractHTMLMeta(resp io.Reader) *HTMLMeta {
+	tokenizer := html.NewTokenizer(resp)
+	htmlMeta := new(HTMLMeta)
+
+	for {
+		tokenType := tokenizer.Next()
+		if tokenType == html.ErrorToken {
+			break
+		} else if tokenType == html.StartTagToken || tokenType == html.SelfClosingTagToken {
+			token := tokenizer.Token()
+			if token.DataAtom == atom.Body {
+				break
+			}
+
+			if token.DataAtom == atom.Title {
+				tokenizer.Next()
+				token := tokenizer.Token()
+				htmlMeta.Title = token.Data
+			} else if token.DataAtom == atom.Meta {
+				description, ok := extractMetaProperty(token, "description")
+				if ok {
+					htmlMeta.Description = description
+				}
+
+				ogTitle, ok := extractMetaProperty(token, "og:title")
+				if ok {
+					htmlMeta.Title = ogTitle
+				}
+
+				ogDescription, ok := extractMetaProperty(token, "og:description")
+				if ok {
+					htmlMeta.Description = ogDescription
+				}
+
+				ogImage, ok := extractMetaProperty(token, "og:image")
+				if ok {
+					htmlMeta.Image = ogImage
+				}
+			}
+		}
+	}
+
+	return htmlMeta
+}
+
+func extractMetaProperty(token html.Token, prop string) (content string, ok bool) {
+	content, ok = "", false
+	for _, attr := range token.Attr {
+		if attr.Key == "property" && attr.Val == prop {
+			ok = true
+		}
+		if attr.Key == "content" {
+			content = attr.Val
+		}
+	}
+	return content, ok
+}
--- a/plugin/http-getter/html_meta_test.go
+++ b/plugin/http-getter/html_meta_test.go
@@ -0,0 +1,19 @@
+package getter
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestGetHTMLMeta(t *testing.T) {
+	tests := []struct {
+		urlStr   string
+		htmlMeta HTMLMeta
+	}{}
+	for _, test := range tests {
+		metadata, err := GetHTMLMeta(test.urlStr)
+		require.NoError(t, err)
+		require.Equal(t, test.htmlMeta, *metadata)
+	}
+}
--- a/plugin/http-getter/http_getter.go
+++ b/plugin/http-getter/http_getter.go
@@ -0,0 +1,4 @@
+// Package getter is using to get resources from url.
+// * Get metadata for website;
+// * Get image blob to avoid CORS;
+package getter
--- a/plugin/http-getter/image.go
+++ b/plugin/http-getter/image.go
@@ -0,0 +1,45 @@
+package getter
+
+import (
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"strings"
+)
+
+type Image struct {
+	Blob      []byte
+	Mediatype string
+}
+
+func GetImage(urlStr string) (*Image, error) {
+	if _, err := url.Parse(urlStr); err != nil {
+		return nil, err
+	}
+
+	response, err := http.Get(urlStr)
+	if err != nil {
+		return nil, err
+	}
+	defer response.Body.Close()
+
+	mediatype, err := getMediatype(response)
+	if err != nil {
+		return nil, err
+	}
+	if !strings.HasPrefix(mediatype, "image/") {
+		return nil, fmt.Errorf("Wrong image mediatype")
+	}
+
+	bodyBytes, err := io.ReadAll(response.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	image := &Image{
+		Blob:      bodyBytes,
+		Mediatype: mediatype,
+	}
+	return image, nil
+}
--- a/plugin/http-getter/util.go
+++ b/plugin/http-getter/util.go
@@ -0,0 +1,15 @@
+package getter
+
+import (
+	"mime"
+	"net/http"
+)
+
+func getMediatype(response *http.Response) (string, error) {
+	contentType := response.Header.Get("content-type")
+	mediatype, _, err := mime.ParseMediaType(contentType)
+	if err != nil {
+		return "", err
+	}
+	return mediatype, nil
+}
--- a/plugin/idp/idp.go
+++ b/plugin/idp/idp.go
@@ -0,0 +1,7 @@
+package idp
+
+type IdentityProviderUserInfo struct {
+	Identifier  string
+	DisplayName string
+	Email       string
+}
--- a/plugin/idp/oauth2/oauth2.go
+++ b/plugin/idp/oauth2/oauth2.go
@@ -0,0 +1,115 @@
+// Package oauth2 is the plugin for OAuth2 Identity Provider.
+package oauth2
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+
+	"github.com/pkg/errors"
+	"github.com/usememos/memos/plugin/idp"
+	"github.com/usememos/memos/store"
+	"golang.org/x/oauth2"
+)
+
+// IdentityProvider represents an OAuth2 Identity Provider.
+type IdentityProvider struct {
+	config *store.IdentityProviderOAuth2Config
+}
+
+// NewIdentityProvider initializes a new OAuth2 Identity Provider with the given configuration.
+func NewIdentityProvider(config *store.IdentityProviderOAuth2Config) (*IdentityProvider, error) {
+	for v, field := range map[string]string{
+		config.ClientID:                "clientId",
+		config.ClientSecret:            "clientSecret",
+		config.TokenURL:                "tokenUrl",
+		config.UserInfoURL:             "userInfoUrl",
+		config.FieldMapping.Identifier: "fieldMapping.identifier",
+	} {
+		if v == "" {
+			return nil, errors.Errorf(`the field "%s" is empty but required`, field)
+		}
+	}
+
+	return &IdentityProvider{
+		config: config,
+	}, nil
+}
+
+// ExchangeToken returns the exchanged OAuth2 token using the given authorization code.
+func (p *IdentityProvider) ExchangeToken(ctx context.Context, redirectURL, code string) (string, error) {
+	conf := &oauth2.Config{
+		ClientID:     p.config.ClientID,
+		ClientSecret: p.config.ClientSecret,
+		RedirectURL:  redirectURL,
+		Scopes:       p.config.Scopes,
+		Endpoint: oauth2.Endpoint{
+			AuthURL:   p.config.AuthURL,
+			TokenURL:  p.config.TokenURL,
+			AuthStyle: oauth2.AuthStyleInParams,
+		},
+	}
+
+	token, err := conf.Exchange(ctx, code)
+	if err != nil {
+		return "", errors.Wrap(err, "failed to exchange access token")
+	}
+
+	accessToken, ok := token.Extra("access_token").(string)
+	if !ok {
+		return "", errors.New(`missing "access_token" from authorization response`)
+	}
+
+	return accessToken, nil
+}
+
+// UserInfo returns the parsed user information using the given OAuth2 token.
+func (p *IdentityProvider) UserInfo(token string) (*idp.IdentityProviderUserInfo, error) {
+	client := &http.Client{}
+	req, err := http.NewRequest(http.MethodGet, p.config.UserInfoURL, nil)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to new http request")
+	}
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
+	resp, err := client.Do(req)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to get user information")
+	}
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to read response body")
+	}
+
+	var claims map[string]any
+	err = json.Unmarshal(body, &claims)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to unmarshal response body")
+	}
+
+	userInfo := &idp.IdentityProviderUserInfo{}
+	if v, ok := claims[p.config.FieldMapping.Identifier].(string); ok {
+		userInfo.Identifier = v
+	}
+	if userInfo.Identifier == "" {
+		return nil, errors.Errorf("the field %q is not found in claims or has empty value", p.config.FieldMapping.Identifier)
+	}
+
+	// Best effort to map optional fields
+	if p.config.FieldMapping.DisplayName != "" {
+		if v, ok := claims[p.config.FieldMapping.DisplayName].(string); ok {
+			userInfo.DisplayName = v
+		}
+	}
+	if userInfo.DisplayName == "" {
+		userInfo.DisplayName = userInfo.Identifier
+	}
+	if p.config.FieldMapping.Email != "" {
+		if v, ok := claims[p.config.FieldMapping.Email].(string); ok {
+			userInfo.Email = v
+		}
+	}
+	return userInfo, nil
+}
--- a/plugin/idp/oauth2/oauth2_test.go
+++ b/plugin/idp/oauth2/oauth2_test.go
@@ -0,0 +1,163 @@
+package oauth2
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/usememos/memos/plugin/idp"
+	"github.com/usememos/memos/store"
+)
+
+func TestNewIdentityProvider(t *testing.T) {
+	tests := []struct {
+		name        string
+		config      *store.IdentityProviderOAuth2Config
+		containsErr string
+	}{
+		{
+			name: "no tokenUrl",
+			config: &store.IdentityProviderOAuth2Config{
+				ClientID:     "test-client-id",
+				ClientSecret: "test-client-secret",
+				AuthURL:      "",
+				TokenURL:     "",
+				UserInfoURL:  "https://example.com/api/user",
+				FieldMapping: &store.FieldMapping{
+					Identifier: "login",
+				},
+			},
+			containsErr: `the field "tokenUrl" is empty but required`,
+		},
+		{
+			name: "no userInfoUrl",
+			config: &store.IdentityProviderOAuth2Config{
+				ClientID:     "test-client-id",
+				ClientSecret: "test-client-secret",
+				AuthURL:      "",
+				TokenURL:     "https://example.com/token",
+				UserInfoURL:  "",
+				FieldMapping: &store.FieldMapping{
+					Identifier: "login",
+				},
+			},
+			containsErr: `the field "userInfoUrl" is empty but required`,
+		},
+		{
+			name: "no field mapping identifier",
+			config: &store.IdentityProviderOAuth2Config{
+				ClientID:     "test-client-id",
+				ClientSecret: "test-client-secret",
+				AuthURL:      "",
+				TokenURL:     "https://example.com/token",
+				UserInfoURL:  "https://example.com/api/user",
+				FieldMapping: &store.FieldMapping{
+					Identifier: "",
+				},
+			},
+			containsErr: `the field "fieldMapping.identifier" is empty but required`,
+		},
+	}
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			_, err := NewIdentityProvider(test.config)
+			assert.ErrorContains(t, err, test.containsErr)
+		})
+	}
+}
+
+func newMockServer(t *testing.T, code, accessToken string, userinfo []byte) *httptest.Server {
+	mux := http.NewServeMux()
+
+	var rawIDToken string
+	mux.HandleFunc("/oauth2/token", func(w http.ResponseWriter, r *http.Request) {
+		require.Equal(t, http.MethodPost, r.Method)
+
+		body, err := io.ReadAll(r.Body)
+		require.NoError(t, err)
+		vals, err := url.ParseQuery(string(body))
+		require.NoError(t, err)
+
+		require.Equal(t, code, vals.Get("code"))
+		require.Equal(t, "authorization_code", vals.Get("grant_type"))
+
+		w.Header().Set("Content-Type", "application/json")
+		err = json.NewEncoder(w).Encode(map[string]any{
+			"access_token":  accessToken,
+			"token_type":    "Bearer",
+			"refresh_token": "test-refresh-token",
+			"expires_in":    3600,
+			"id_token":      rawIDToken,
+		})
+		require.NoError(t, err)
+	})
+	mux.HandleFunc("/oauth2/userinfo", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		_, err := w.Write(userinfo)
+		require.NoError(t, err)
+	})
+
+	s := httptest.NewServer(mux)
+
+	return s
+}
+
+func TestIdentityProvider(t *testing.T) {
+	ctx := context.Background()
+
+	const (
+		testClientID    = "test-client-id"
+		testCode        = "test-code"
+		testAccessToken = "test-access-token"
+		testSubject     = "123456789"
+		testName        = "John Doe"
+		testEmail       = "john.doe@example.com"
+	)
+	userInfo, err := json.Marshal(
+		map[string]any{
+			"sub":   testSubject,
+			"name":  testName,
+			"email": testEmail,
+		},
+	)
+	require.NoError(t, err)
+
+	s := newMockServer(t, testCode, testAccessToken, userInfo)
+
+	oauth2, err := NewIdentityProvider(
+		&store.IdentityProviderOAuth2Config{
+			ClientID:     testClientID,
+			ClientSecret: "test-client-secret",
+			TokenURL:     fmt.Sprintf("%s/oauth2/token", s.URL),
+			UserInfoURL:  fmt.Sprintf("%s/oauth2/userinfo", s.URL),
+			FieldMapping: &store.FieldMapping{
+				Identifier:  "sub",
+				DisplayName: "name",
+				Email:       "email",
+			},
+		},
+	)
+	require.NoError(t, err)
+
+	redirectURL := "https://example.com/oauth/callback"
+	oauthToken, err := oauth2.ExchangeToken(ctx, redirectURL, testCode)
+	require.NoError(t, err)
+	require.Equal(t, testAccessToken, oauthToken)
+
+	userInfoResult, err := oauth2.UserInfo(oauthToken)
+	require.NoError(t, err)
+
+	wantUserInfo := &idp.IdentityProviderUserInfo{
+		Identifier:  testSubject,
+		DisplayName: testName,
+		Email:       testEmail,
+	}
+	assert.Equal(t, wantUserInfo, userInfoResult)
+}
--- a/plugin/openai/chat_completion.go
+++ b/plugin/openai/chat_completion.go
@@ -0,0 +1,88 @@
+package openai
+
+import (
+	"bytes"
+	"encoding/json"
+	"errors"
+	"io"
+	"net/http"
+	"net/url"
+)
+
+type ChatCompletionMessage struct {
+	Role    string `json:"role"`
+	Content string `json:"content"`
+}
+
+type ChatCompletionChoice struct {
+	Message *ChatCompletionMessage `json:"message"`
+}
+
+type ChatCompletionResponse struct {
+	Error   any                    `json:"error"`
+	Model   string                 `json:"model"`
+	Choices []ChatCompletionChoice `json:"choices"`
+}
+
+func PostChatCompletion(messages []ChatCompletionMessage, apiKey string, apiHost string) (string, error) {
+	if apiHost == "" {
+		apiHost = "https://api.openai.com"
+	}
+	url, err := url.JoinPath(apiHost, "/v1/chat/completions")
+	if err != nil {
+		return "", err
+	}
+
+	values := map[string]any{
+		"model":             "gpt-3.5-turbo",
+		"messages":          messages,
+		"max_tokens":        2000,
+		"temperature":       0,
+		"frequency_penalty": 0.0,
+		"presence_penalty":  0.0,
+	}
+	jsonValue, err := json.Marshal(values)
+	if err != nil {
+		return "", err
+	}
+
+	req, err := http.NewRequest("POST", url, bytes.NewBuffer(jsonValue))
+	if err != nil {
+		return "", err
+	}
+
+	// Set the API key in the request header
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Authorization", "Bearer "+apiKey)
+
+	// Send the request to OpenAI's API
+	client := http.Client{}
+	resp, err := client.Do(req)
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+
+	// Read the response body
+	responseBody, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return "", err
+	}
+
+	chatCompletionResponse := ChatCompletionResponse{}
+	err = json.Unmarshal(responseBody, &chatCompletionResponse)
+	if err != nil {
+		return "", err
+	}
+	if chatCompletionResponse.Error != nil {
+		errorBytes, err := json.Marshal(chatCompletionResponse.Error)
+		if err != nil {
+			return "", err
+		}
+		return "", errors.New(string(errorBytes))
+	}
+	if len(chatCompletionResponse.Choices) == 0 {
+		return "", nil
+	}
+	return chatCompletionResponse.Choices[0].Message.Content, nil
+}
--- a/plugin/openai/text_completion.go
+++ b/plugin/openai/text_completion.go
@@ -0,0 +1,83 @@
+package openai
+
+import (
+	"bytes"
+	"encoding/json"
+	"errors"
+	"io"
+	"net/http"
+	"net/url"
+)
+
+type TextCompletionChoice struct {
+	Text string `json:"text"`
+}
+
+type TextCompletionResponse struct {
+	Error   any                    `json:"error"`
+	Model   string                 `json:"model"`
+	Choices []TextCompletionChoice `json:"choices"`
+}
+
+func PostTextCompletion(prompt string, apiKey string, apiHost string) (string, error) {
+	if apiHost == "" {
+		apiHost = "https://api.openai.com"
+	}
+	url, err := url.JoinPath(apiHost, "/v1/chat/completions")
+	if err != nil {
+		return "", err
+	}
+
+	values := map[string]any{
+		"model":       "gpt-3.5-turbo",
+		"prompt":      prompt,
+		"temperature": 0.5,
+		"max_tokens":  100,
+		"n":           1,
+		"stop":        ".",
+	}
+	jsonValue, err := json.Marshal(values)
+	if err != nil {
+		return "", err
+	}
+
+	req, err := http.NewRequest("POST", url, bytes.NewBuffer(jsonValue))
+	if err != nil {
+		return "", err
+	}
+
+	// Set the API key in the request header
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Authorization", "Bearer "+apiKey)
+
+	// Send the request to OpenAI's API
+	client := http.Client{}
+	resp, err := client.Do(req)
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+
+	// Read the response body
+	responseBody, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return "", err
+	}
+
+	textCompletionResponse := TextCompletionResponse{}
+	err = json.Unmarshal(responseBody, &textCompletionResponse)
+	if err != nil {
+		return "", err
+	}
+	if textCompletionResponse.Error != nil {
+		errorBytes, err := json.Marshal(textCompletionResponse.Error)
+		if err != nil {
+			return "", err
+		}
+		return "", errors.New(string(errorBytes))
+	}
+	if len(textCompletionResponse.Choices) == 0 {
+		return "", nil
+	}
+	return textCompletionResponse.Choices[0].Text, nil
+}
--- a/plugin/storage/s3/s3.go
+++ b/plugin/storage/s3/s3.go
@@ -0,0 +1,77 @@
+package s3
+
+import (
+	"context"
+	"fmt"
+	"io"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	s3config "github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/credentials"
+	"github.com/aws/aws-sdk-go-v2/feature/s3/manager"
+	awss3 "github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go-v2/service/s3/types"
+)
+
+type Config struct {
+	AccessKey string
+	SecretKey string
+	Bucket    string
+	EndPoint  string
+	Region    string
+	URLPrefix string
+	URLSuffix string
+}
+
+type Client struct {
+	Client *awss3.Client
+	Config *Config
+}
+
+func NewClient(ctx context.Context, config *Config) (*Client, error) {
+	resolver := aws.EndpointResolverWithOptionsFunc(func(service, region string, options ...any) (aws.Endpoint, error) {
+		return aws.Endpoint{
+			URL:           config.EndPoint,
+			SigningRegion: config.Region,
+		}, nil
+	})
+
+	awsConfig, err := s3config.LoadDefaultConfig(ctx,
+		s3config.WithEndpointResolverWithOptions(resolver),
+		s3config.WithCredentialsProvider(credentials.NewStaticCredentialsProvider(config.AccessKey, config.SecretKey, "")),
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	client := awss3.NewFromConfig(awsConfig)
+
+	return &Client{
+		Client: client,
+		Config: config,
+	}, nil
+}
+
+func (client *Client) UploadFile(ctx context.Context, filename string, fileType string, src io.Reader) (string, error) {
+	uploader := manager.NewUploader(client.Client)
+	uploadOutput, err := uploader.Upload(ctx, &awss3.PutObjectInput{
+		Bucket:      aws.String(client.Config.Bucket),
+		Key:         aws.String(filename),
+		Body:        src,
+		ContentType: aws.String(fileType),
+		ACL:         types.ObjectCannedACL(*aws.String("public-read")),
+	})
+	if err != nil {
+		return "", err
+	}
+
+	link := uploadOutput.Location
+	// If url prefix is set, use it as the file link.
+	if client.Config.URLPrefix != "" {
+		link = fmt.Sprintf("%s/%s%s", client.Config.URLPrefix, filename, client.Config.URLSuffix)
+	}
+	if link == "" {
+		return "", fmt.Errorf("failed to get file link")
+	}
+	return link, nil
+}
--- a/resources/demo.png
+++ b/resources/demo.png
--- a/scripts/.air.toml
+++ b/scripts/.air.toml
@@ -3,11 +3,13 @@ tmp_dir = ".air"

 [build]
  bin = "./.air/memos"
-  cmd = "go build -o ./.air/memos ./bin/server/main.go"
+  cmd = "go build -o ./.air/memos ./main.go"
  delay = 1000
-  exclude_dir = [".air", "web"]
+  exclude_dir = [".air", "web", "build"]
  exclude_file = []
  exclude_regex = []
  exclude_unchanged = false
  follow_symlink = false
  full_bin = ""
+  send_interrupt = true
+  kill_delay = 2000
--- a/scripts/build.sh
+++ b/scripts/build.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# Usage: ./scripts/build.sh
+
+set -e
+
+cd "$(dirname "$0")/../"
+
+echo "Start building backend..."
+
+go build -o ./build/memos ./main.go
+
+echo "Backend built!"
--- a/scripts/start.sh
+++ b/scripts/start.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# Usage: ./scripts/start.sh
+
+set -e
+
+cd "$(dirname "$0")/../"
+
+air -c ./scripts/.air.toml
--- a/server/auth.go
+++ b/server/auth.go
@@ -3,87 +3,187 @@ package server
 import (
 	"encoding/json"
 	"fmt"
-	"memos/api"
-	"memos/common"
 	"net/http"
+	"regexp"
+
+	"github.com/pkg/errors"
+	"github.com/usememos/memos/api"
+	"github.com/usememos/memos/common"
+	"github.com/usememos/memos/plugin/idp"
+	"github.com/usememos/memos/plugin/idp/oauth2"
+	"github.com/usememos/memos/store"

 	"github.com/labstack/echo/v4"
 	"golang.org/x/crypto/bcrypt"
 )

-func (s *Server) registerAuthRoutes(g *echo.Group) {
-	g.POST("/auth/login", func(c echo.Context) error {
-		login := &api.Login{}
-		if err := json.NewDecoder(c.Request().Body).Decode(login); err != nil {
-			return echo.NewHTTPError(http.StatusBadRequest, "Malformatted login request").SetInternal(err)
+func (s *Server) registerAuthRoutes(g *echo.Group, secret string) {
+	g.POST("/auth/signin", func(c echo.Context) error {
+		ctx := c.Request().Context()
+		signin := &api.SignIn{}
+		if err := json.NewDecoder(c.Request().Body).Decode(signin); err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, "Malformatted signin request").SetInternal(err)
 		}

 		userFind := &api.UserFind{
-			Email: &login.Email,
+			Username: &signin.Username,
 		}
-		user, err := s.Store.FindUser(userFind)
-		if err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to find user by email %s", login.Email)).SetInternal(err)
+		user, err := s.Store.FindUser(ctx, userFind)
+		if err != nil && common.ErrorCode(err) != common.NotFound {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Incorrect login credentials, please try again")
 		}
 		if user == nil {
-			return echo.NewHTTPError(http.StatusUnauthorized, fmt.Sprintf("User not found with email %s", login.Email))
+			return echo.NewHTTPError(http.StatusUnauthorized, "Incorrect login credentials, please try again")
 		} else if user.RowStatus == api.Archived {
-			return echo.NewHTTPError(http.StatusForbidden, fmt.Sprintf("User has been archived with email %s", login.Email))
+			return echo.NewHTTPError(http.StatusForbidden, fmt.Sprintf("User has been archived with username %s", signin.Username))
 		}

 		// Compare the stored hashed password, with the hashed version of the password that was received.
-		if err := bcrypt.CompareHashAndPassword([]byte(user.PasswordHash), []byte(login.Password)); err != nil {
+		if err := bcrypt.CompareHashAndPassword([]byte(user.PasswordHash), []byte(signin.Password)); err != nil {
 			// If the two passwords don't match, return a 401 status.
-			return echo.NewHTTPError(http.StatusUnauthorized, "Incorrect password").SetInternal(err)
+			return echo.NewHTTPError(http.StatusUnauthorized, "Incorrect login credentials, please try again")
 		}

-		if err = setUserSession(c, user); err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to set login session").SetInternal(err)
+		if err := GenerateTokensAndSetCookies(c, user, s.Profile.Mode, secret); err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to generate tokens").SetInternal(err)
 		}
-
-		c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationJSONCharsetUTF8)
-		if err := json.NewEncoder(c.Response().Writer).Encode(composeResponse(user)); err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to encode user response").SetInternal(err)
+		if err := s.createUserAuthSignInActivity(c, user); err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create activity").SetInternal(err)
 		}
-		return nil
+		return c.JSON(http.StatusOK, composeResponse(user))
 	})

-	g.POST("/auth/logout", func(c echo.Context) error {
-		err := removeUserSession(c)
-		if err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to set logout session").SetInternal(err)
+	g.POST("/auth/signin/sso", func(c echo.Context) error {
+		ctx := c.Request().Context()
+		signin := &api.SSOSignIn{}
+		if err := json.NewDecoder(c.Request().Body).Decode(signin); err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, "Malformatted signin request").SetInternal(err)
 		}

-		c.Response().WriteHeader(http.StatusOK)
-		return nil
+		identityProviderMessage, err := s.Store.GetIdentityProvider(ctx, &store.FindIdentityProviderMessage{
+			ID: &signin.IdentityProviderID,
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find identity provider").SetInternal(err)
+		}
+
+		var userInfo *idp.IdentityProviderUserInfo
+		if identityProviderMessage.Type == store.IdentityProviderOAuth2 {
+			oauth2IdentityProvider, err := oauth2.NewIdentityProvider(identityProviderMessage.Config.OAuth2Config)
+			if err != nil {
+				return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create identity provider instance").SetInternal(err)
+			}
+			token, err := oauth2IdentityProvider.ExchangeToken(ctx, signin.RedirectURI, signin.Code)
+			if err != nil {
+				return echo.NewHTTPError(http.StatusInternalServerError, "Failed to exchange token").SetInternal(err)
+			}
+			userInfo, err = oauth2IdentityProvider.UserInfo(token)
+			if err != nil {
+				return echo.NewHTTPError(http.StatusInternalServerError, "Failed to get user info").SetInternal(err)
+			}
+		}
+
+		identifierFilter := identityProviderMessage.IdentifierFilter
+		if identifierFilter != "" {
+			identifierFilterRegex, err := regexp.Compile(identifierFilter)
+			if err != nil {
+				return echo.NewHTTPError(http.StatusInternalServerError, "Failed to compile identifier filter").SetInternal(err)
+			}
+			if !identifierFilterRegex.MatchString(userInfo.Identifier) {
+				return echo.NewHTTPError(http.StatusUnauthorized, "Access denied, identifier does not match the filter.").SetInternal(err)
+			}
+		}
+
+		user, err := s.Store.FindUser(ctx, &api.UserFind{
+			Username: &userInfo.Identifier,
+		})
+		if err != nil && common.ErrorCode(err) != common.NotFound {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Incorrect login credentials, please try again")
+		}
+		if user == nil {
+			userCreate := &api.UserCreate{
+				Username: userInfo.Identifier,
+				// The new signup user should be normal user by default.
+				Role:     api.NormalUser,
+				Nickname: userInfo.DisplayName,
+				Email:    userInfo.Email,
+				Password: userInfo.Email,
+				OpenID:   common.GenUUID(),
+			}
+			password, err := common.RandomString(20)
+			if err != nil {
+				return echo.NewHTTPError(http.StatusInternalServerError, "Failed to generate random password").SetInternal(err)
+			}
+			passwordHash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+			if err != nil {
+				return echo.NewHTTPError(http.StatusInternalServerError, "Failed to generate password hash").SetInternal(err)
+			}
+			userCreate.PasswordHash = string(passwordHash)
+			user, err = s.Store.CreateUser(ctx, userCreate)
+			if err != nil {
+				return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create user").SetInternal(err)
+			}
+		}
+		if user.RowStatus == api.Archived {
+			return echo.NewHTTPError(http.StatusForbidden, fmt.Sprintf("User has been archived with username %s", userInfo.Identifier))
+		}
+
+		if err := GenerateTokensAndSetCookies(c, user, s.Profile.Mode, secret); err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to generate tokens").SetInternal(err)
+		}
+		if err := s.createUserAuthSignInActivity(c, user); err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create activity").SetInternal(err)
+		}
+		return c.JSON(http.StatusOK, composeResponse(user))
 	})

 	g.POST("/auth/signup", func(c echo.Context) error {
-		// Don't allow to signup by this api if site owner existed.
-		ownerUserType := api.Owner
-		ownerUserFind := api.UserFind{
-			Role: &ownerUserType,
-		}
-		ownerUser, err := s.Store.FindUser(&ownerUserFind)
-		if err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find owner user").SetInternal(err)
-		}
-		if ownerUser != nil {
-			return echo.NewHTTPError(http.StatusUnauthorized, "Site Owner existed, please contact the site owner to signin account firstly.").SetInternal(err)
-		}
-
-		signup := &api.Signup{}
+		ctx := c.Request().Context()
+		signup := &api.SignUp{}
 		if err := json.NewDecoder(c.Request().Body).Decode(signup); err != nil {
 			return echo.NewHTTPError(http.StatusBadRequest, "Malformatted signup request").SetInternal(err)
 		}

-		// Validate signup form.
-		// We can do stricter checks later.
-		if len(signup.Email) < 6 {
-			return echo.NewHTTPError(http.StatusBadRequest, "Email is too short, minimum length is 6.")
+		userCreate := &api.UserCreate{
+			Username: signup.Username,
+			// The new signup user should be normal user by default.
+			Role:     api.NormalUser,
+			Nickname: signup.Username,
+			Password: signup.Password,
+			OpenID:   common.GenUUID(),
 		}
-		if len(signup.Password) < 6 {
-			return echo.NewHTTPError(http.StatusBadRequest, "Password is too short, minimum length is 6.")
+		hostUserType := api.Host
+		existedHostUsers, err := s.Store.FindUserList(ctx, &api.UserFind{
+			Role: &hostUserType,
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, "Failed to find users").SetInternal(err)
+		}
+		if len(existedHostUsers) == 0 {
+			// Change the default role to host if there is no host user.
+			userCreate.Role = api.Host
+		} else {
+			allowSignUpSetting, err := s.Store.FindSystemSetting(ctx, &api.SystemSettingFind{
+				Name: api.SystemSettingAllowSignUpName,
+			})
+			if err != nil && common.ErrorCode(err) != common.NotFound {
+				return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find system setting").SetInternal(err)
+			}
+
+			allowSignUpSettingValue := false
+			if allowSignUpSetting != nil {
+				err = json.Unmarshal([]byte(allowSignUpSetting.Value), &allowSignUpSettingValue)
+				if err != nil {
+					return echo.NewHTTPError(http.StatusInternalServerError, "Failed to unmarshal system setting allow signup").SetInternal(err)
+				}
+			}
+			if !allowSignUpSettingValue {
+				return echo.NewHTTPError(http.StatusUnauthorized, "signup is disabled").SetInternal(err)
+			}
+		}
+
+		if err := userCreate.Validate(); err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, "Invalid user create format").SetInternal(err)
 		}

 		passwordHash, err := bcrypt.GenerateFromPassword([]byte(signup.Password), bcrypt.DefaultCost)
@@ -91,27 +191,67 @@ func (s *Server) registerAuthRoutes(g *echo.Group) {
 			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to generate password hash").SetInternal(err)
 		}

-		userCreate := &api.UserCreate{
-			Email:        signup.Email,
-			Role:         api.Role(signup.Role),
-			Name:         signup.Name,
-			PasswordHash: string(passwordHash),
-			OpenID:       common.GenUUID(),
-		}
-		user, err := s.Store.CreateUser(userCreate)
+		userCreate.PasswordHash = string(passwordHash)
+		user, err := s.Store.CreateUser(ctx, userCreate)
 		if err != nil {
 			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create user").SetInternal(err)
 		}
-
-		err = setUserSession(c, user)
-		if err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to set signup session").SetInternal(err)
+		if err := GenerateTokensAndSetCookies(c, user, s.Profile.Mode, secret); err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to generate tokens").SetInternal(err)
+		}
+		if err := s.createUserAuthSignUpActivity(c, user); err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create activity").SetInternal(err)
 		}

-		c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationJSONCharsetUTF8)
-		if err := json.NewEncoder(c.Response().Writer).Encode(composeResponse(user)); err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to encode created user response").SetInternal(err)
-		}
-		return nil
+		return c.JSON(http.StatusOK, composeResponse(user))
+	})
+
+	g.POST("/auth/signout", func(c echo.Context) error {
+		RemoveTokensAndCookies(c)
+		return c.JSON(http.StatusOK, true)
 	})
 }
+
+func (s *Server) createUserAuthSignInActivity(c echo.Context, user *api.User) error {
+	ctx := c.Request().Context()
+	payload := api.ActivityUserAuthSignInPayload{
+		UserID: user.ID,
+		IP:     echo.ExtractIPFromRealIPHeader()(c.Request()),
+	}
+	payloadBytes, err := json.Marshal(payload)
+	if err != nil {
+		return errors.Wrap(err, "failed to marshal activity payload")
+	}
+	activity, err := s.Store.CreateActivity(ctx, &api.ActivityCreate{
+		CreatorID: user.ID,
+		Type:      api.ActivityUserAuthSignIn,
+		Level:     api.ActivityInfo,
+		Payload:   string(payloadBytes),
+	})
+	if err != nil || activity == nil {
+		return errors.Wrap(err, "failed to create activity")
+	}
+	return err
+}
+
+func (s *Server) createUserAuthSignUpActivity(c echo.Context, user *api.User) error {
+	ctx := c.Request().Context()
+	payload := api.ActivityUserAuthSignUpPayload{
+		Username: user.Username,
+		IP:       echo.ExtractIPFromRealIPHeader()(c.Request()),
+	}
+	payloadBytes, err := json.Marshal(payload)
+	if err != nil {
+		return errors.Wrap(err, "failed to marshal activity payload")
+	}
+	activity, err := s.Store.CreateActivity(ctx, &api.ActivityCreate{
+		CreatorID: user.ID,
+		Type:      api.ActivityUserAuthSignUp,
+		Level:     api.ActivityInfo,
+		Payload:   string(payloadBytes),
+	})
+	if err != nil || activity == nil {
+		return errors.Wrap(err, "failed to create activity")
+	}
+	return err
+}
--- a/server/auth/auth.go
+++ b/server/auth/auth.go
@@ -0,0 +1,88 @@
+package auth
+
+import (
+	"fmt"
+	"strconv"
+	"time"
+
+	"github.com/golang-jwt/jwt/v4"
+)
+
+const (
+	issuer = "memos"
+	// Signing key section. For now, this is only used for signing, not for verifying since we only
+	// have 1 version. But it will be used to maintain backward compatibility if we change the signing mechanism.
+	keyID = "v1"
+	// AccessTokenAudienceFmt is the format of the acccess token audience.
+	AccessTokenAudienceFmt = "user.access.%s"
+	// RefreshTokenAudienceFmt is the format of the refresh token audience.
+	RefreshTokenAudienceFmt = "user.refresh.%s"
+	apiTokenDuration        = 2 * time.Hour
+	accessTokenDuration     = 24 * time.Hour
+	refreshTokenDuration    = 7 * 24 * time.Hour
+	// RefreshThresholdDuration is the threshold duration for refreshing token.
+	RefreshThresholdDuration = 1 * time.Hour
+
+	// CookieExpDuration expires slightly earlier than the jwt expiration. Client would be logged out if the user
+	// cookie expires, thus the client would always logout first before attempting to make a request with the expired jwt.
+	// Suppose we have a valid refresh token, we will refresh the token in 2 cases:
+	// 1. The access token is about to expire in <<refreshThresholdDuration>>
+	// 2. The access token has already expired, we refresh the token so that the ongoing request can pass through.
+	CookieExpDuration = refreshTokenDuration - 1*time.Minute
+	// AccessTokenCookieName is the cookie name of access token.
+	AccessTokenCookieName = "access-token"
+	// RefreshTokenCookieName is the cookie name of refresh token.
+	RefreshTokenCookieName = "refresh-token"
+	// UserIDCookieName is the cookie name of user ID.
+	UserIDCookieName = "user"
+)
+
+type claimsMessage struct {
+	Name string `json:"name"`
+	jwt.RegisteredClaims
+}
+
+// GenerateAPIToken generates an API token.
+func GenerateAPIToken(userName string, userID int, mode string, secret string) (string, error) {
+	expirationTime := time.Now().Add(apiTokenDuration)
+	return generateToken(userName, userID, fmt.Sprintf(AccessTokenAudienceFmt, mode), expirationTime, []byte(secret))
+}
+
+// GenerateAccessToken generates an access token for web.
+func GenerateAccessToken(userName string, userID int, mode string, secret string) (string, error) {
+	expirationTime := time.Now().Add(accessTokenDuration)
+	return generateToken(userName, userID, fmt.Sprintf(AccessTokenAudienceFmt, mode), expirationTime, []byte(secret))
+}
+
+// GenerateRefreshToken generates a refresh token for web.
+func GenerateRefreshToken(userName string, userID int, mode string, secret string) (string, error) {
+	expirationTime := time.Now().Add(refreshTokenDuration)
+	return generateToken(userName, userID, fmt.Sprintf(RefreshTokenAudienceFmt, mode), expirationTime, []byte(secret))
+}
+
+func generateToken(username string, userID int, aud string, expirationTime time.Time, secret []byte) (string, error) {
+	// Create the JWT claims, which includes the username and expiry time.
+	claims := &claimsMessage{
+		Name: username,
+		RegisteredClaims: jwt.RegisteredClaims{
+			Audience: jwt.ClaimStrings{aud},
+			// In JWT, the expiry time is expressed as unix milliseconds.
+			ExpiresAt: jwt.NewNumericDate(expirationTime),
+			IssuedAt:  jwt.NewNumericDate(time.Now()),
+			Issuer:    issuer,
+			Subject:   strconv.Itoa(userID),
+		},
+	}
+
+	// Declare the token with the HS256 algorithm used for signing, and the claims.
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	token.Header["kid"] = keyID
+
+	// Create the JWT string.
+	tokenString, err := token.SignedString(secret)
+	if err != nil {
+		return "", err
+	}
+
+	return tokenString, nil
+}
--- a/server/basic_auth.go
+++ b/server/basic_auth.go
@@ -1,95 +0,0 @@
-package server
-
-import (
-	"fmt"
-	"memos/api"
-	"memos/common"
-	"net/http"
-	"strconv"
-
-	"github.com/gorilla/sessions"
-	"github.com/labstack/echo-contrib/session"
-	"github.com/labstack/echo/v4"
-)
-
-var (
-	userIDContextKey = "user-id"
-)
-
-func getUserIDContextKey() string {
-	return userIDContextKey
-}
-
-func setUserSession(c echo.Context, user *api.User) error {
-	sess, _ := session.Get("session", c)
-	sess.Options = &sessions.Options{
-		Path:     "/",
-		MaxAge:   1000 * 3600 * 24 * 30,
-		HttpOnly: true,
-	}
-	sess.Values[userIDContextKey] = user.ID
-	err := sess.Save(c.Request(), c.Response())
-	if err != nil {
-		return fmt.Errorf("failed to set session, err: %w", err)
-	}
-	return nil
-}
-
-func removeUserSession(c echo.Context) error {
-	sess, _ := session.Get("session", c)
-	sess.Options = &sessions.Options{
-		Path:     "/",
-		MaxAge:   0,
-		HttpOnly: true,
-	}
-	sess.Values[userIDContextKey] = nil
-	err := sess.Save(c.Request(), c.Response())
-	if err != nil {
-		return fmt.Errorf("failed to set session, err: %w", err)
-	}
-	return nil
-}
-
-// Use session to store user.id.
-func BasicAuthMiddleware(s *Server, next echo.HandlerFunc) echo.HandlerFunc {
-	return func(c echo.Context) error {
-		// Skips auth
-		if common.HasPrefixes(c.Path(), "/api/auth", "/api/ping", "/api/status") {
-			return next(c)
-		}
-
-		sess, err := session.Get("session", c)
-		if err != nil {
-			return echo.NewHTTPError(http.StatusUnauthorized, "Missing session").SetInternal(err)
-		}
-
-		userIDValue := sess.Values[userIDContextKey]
-		if userIDValue == nil {
-			return echo.NewHTTPError(http.StatusUnauthorized, "Missing userID in session")
-		}
-
-		userID, err := strconv.Atoi(fmt.Sprintf("%v", userIDValue))
-		if err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to malformatted user id in the session.").SetInternal(err)
-		}
-
-		// Even if there is no error, we still need to make sure the user still exists.
-		userFind := &api.UserFind{
-			ID: &userID,
-		}
-		user, err := s.Store.FindUser(userFind)
-		if err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to find user by ID: %d", userID)).SetInternal(err)
-		}
-		if user == nil {
-			return echo.NewHTTPError(http.StatusUnauthorized, fmt.Sprintf("Not found user ID: %d", userID))
-		} else if user.RowStatus == api.Archived {
-			return echo.NewHTTPError(http.StatusForbidden, fmt.Sprintf("User has been archived with email %s", user.Email))
-		}
-
-		// Stores userID into context.
-		c.Set(getUserIDContextKey(), userID)
-
-		return next(c)
-	}
-}
--- a/server/common.go
+++ b/server/common.go
@@ -1,11 +1,57 @@
 package server

-func composeResponse(data interface{}) interface{} {
-	type R struct {
-		Data interface{} `json:"data"`
-	}
+import (
+	"net/http"

-	return R{
+	"github.com/labstack/echo/v4"
+	"github.com/usememos/memos/api"
+	"github.com/usememos/memos/common"
+)
+
+type response struct {
+	Data any `json:"data"`
+}
+
+func composeResponse(data any) response {
+	return response{
 		Data: data,
 	}
 }
+
+func defaultGetRequestSkipper(c echo.Context) bool {
+	return c.Request().Method == http.MethodGet
+}
+
+func defaultAPIRequestSkipper(c echo.Context) bool {
+	path := c.Path()
+	return common.HasPrefixes(path, "/api")
+}
+
+func (server *Server) defaultAuthSkipper(c echo.Context) bool {
+	ctx := c.Request().Context()
+	path := c.Path()
+
+	// Skip auth.
+	if common.HasPrefixes(path, "/api/auth") {
+		return true
+	}
+
+	// If there is openId in query string and related user is found, then skip auth.
+	openID := c.QueryParam("openId")
+	if openID != "" {
+		userFind := &api.UserFind{
+			OpenID: &openID,
+		}
+		user, err := server.Store.FindUser(ctx, userFind)
+		if err != nil && common.ErrorCode(err) != common.NotFound {
+			return false
+		}
+		if user != nil {
+			// Stores userID into context.
+			c.Set(getUserIDContextKey(), user.ID)
+			return true
+		}
+	}
+
+	return false
+}
--- a/server/dist/index.html
+++ b/server/dist/index.html
@@ -0,0 +1,13 @@
+<!-- THIS FILE IS A PLACEHOLDER AND SHOULD NOT BE CHANGED -->
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta http-equiv="X-UA-Compatible" content="IE=edge" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>Memos</title>
+  </head>
+  <body>
+    <p>No frontend embeded.</p>
+  </body>
+</html>
--- a/server/embed_frontend.go
+++ b/server/embed_frontend.go
@@ -0,0 +1,45 @@
+package server
+
+import (
+	"embed"
+	"io/fs"
+	"net/http"
+
+	"github.com/labstack/echo/v4"
+	"github.com/labstack/echo/v4/middleware"
+)
+
+//go:embed dist
+var embeddedFiles embed.FS
+
+func getFileSystem(path string) http.FileSystem {
+	fs, err := fs.Sub(embeddedFiles, path)
+	if err != nil {
+		panic(err)
+	}
+
+	return http.FS(fs)
+}
+
+func embedFrontend(e *echo.Echo) {
+	// Use echo static middleware to serve the built dist folder
+	// refer: https://github.com/labstack/echo/blob/master/middleware/static.go
+	e.Use(middleware.StaticWithConfig(middleware.StaticConfig{
+		Skipper:    defaultAPIRequestSkipper,
+		HTML5:      true,
+		Filesystem: getFileSystem("dist"),
+	}))
+
+	assetsGroup := e.Group("assets")
+	assetsGroup.Use(func(next echo.HandlerFunc) echo.HandlerFunc {
+		return func(c echo.Context) error {
+			c.Response().Header().Set(echo.HeaderCacheControl, "max-age=31536000, immutable")
+			return next(c)
+		}
+	})
+	assetsGroup.Use(middleware.StaticWithConfig(middleware.StaticConfig{
+		Skipper:    defaultAPIRequestSkipper,
+		HTML5:      true,
+		Filesystem: getFileSystem("dist/assets"),
+	}))
+}
--- a/server/http_getter.go
+++ b/server/http_getter.go
@@ -0,0 +1,51 @@
+package server
+
+import (
+	"fmt"
+	"net/http"
+	"net/url"
+
+	"github.com/labstack/echo/v4"
+	getter "github.com/usememos/memos/plugin/http-getter"
+)
+
+func registerGetterPublicRoutes(g *echo.Group) {
+	g.GET("/get/httpmeta", func(c echo.Context) error {
+		urlStr := c.QueryParam("url")
+		if urlStr == "" {
+			return echo.NewHTTPError(http.StatusBadRequest, "Missing website url")
+		}
+		if _, err := url.Parse(urlStr); err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, "Wrong url").SetInternal(err)
+		}
+
+		htmlMeta, err := getter.GetHTMLMeta(urlStr)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusNotAcceptable, fmt.Sprintf("Failed to get website meta with url: %s", urlStr)).SetInternal(err)
+		}
+		return c.JSON(http.StatusOK, composeResponse(htmlMeta))
+	})
+
+	g.GET("/get/image", func(c echo.Context) error {
+		urlStr := c.QueryParam("url")
+		if urlStr == "" {
+			return echo.NewHTTPError(http.StatusBadRequest, "Missing image url")
+		}
+		if _, err := url.Parse(urlStr); err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, "Wrong url").SetInternal(err)
+		}
+
+		image, err := getter.GetImage(urlStr)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("Failed to get image url: %s", urlStr)).SetInternal(err)
+		}
+
+		c.Response().Writer.WriteHeader(http.StatusOK)
+		c.Response().Writer.Header().Set("Content-Type", image.Mediatype)
+		c.Response().Writer.Header().Set(echo.HeaderCacheControl, "max-age=31536000, immutable")
+		if _, err := c.Response().Writer.Write(image.Blob); err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to write image blob").SetInternal(err)
+		}
+		return nil
+	})
+}
--- a/server/idp.go
+++ b/server/idp.go
@@ -0,0 +1,232 @@
+package server
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"strconv"
+
+	"github.com/labstack/echo/v4"
+	"github.com/usememos/memos/api"
+	"github.com/usememos/memos/common"
+	"github.com/usememos/memos/store"
+)
+
+func (s *Server) registerIdentityProviderRoutes(g *echo.Group) {
+	g.POST("/idp", func(c echo.Context) error {
+		ctx := c.Request().Context()
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
+
+		user, err := s.Store.FindUser(ctx, &api.UserFind{
+			ID: &userID,
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+		}
+		if user == nil || user.Role != api.Host {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+		}
+
+		identityProviderCreate := &api.IdentityProviderCreate{}
+		if err := json.NewDecoder(c.Request().Body).Decode(identityProviderCreate); err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post identity provider request").SetInternal(err)
+		}
+
+		identityProviderMessage, err := s.Store.CreateIdentityProvider(ctx, &store.IdentityProviderMessage{
+			Name:             identityProviderCreate.Name,
+			Type:             store.IdentityProviderType(identityProviderCreate.Type),
+			IdentifierFilter: identityProviderCreate.IdentifierFilter,
+			Config:           convertIdentityProviderConfigToStore(identityProviderCreate.Config),
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create identity provider").SetInternal(err)
+		}
+		return c.JSON(http.StatusOK, composeResponse(convertIdentityProviderFromStore(identityProviderMessage)))
+	})
+
+	g.PATCH("/idp/:idpId", func(c echo.Context) error {
+		ctx := c.Request().Context()
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
+
+		user, err := s.Store.FindUser(ctx, &api.UserFind{
+			ID: &userID,
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+		}
+		if user == nil || user.Role != api.Host {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+		}
+
+		identityProviderID, err := strconv.Atoi(c.Param("idpId"))
+		if err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("idpId"))).SetInternal(err)
+		}
+
+		identityProviderPatch := &api.IdentityProviderPatch{
+			ID: identityProviderID,
+		}
+		if err := json.NewDecoder(c.Request().Body).Decode(identityProviderPatch); err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, "Malformatted patch identity provider request").SetInternal(err)
+		}
+
+		identityProviderMessage, err := s.Store.UpdateIdentityProvider(ctx, &store.UpdateIdentityProviderMessage{
+			ID:               identityProviderPatch.ID,
+			Type:             store.IdentityProviderType(identityProviderPatch.Type),
+			Name:             identityProviderPatch.Name,
+			IdentifierFilter: identityProviderPatch.IdentifierFilter,
+			Config:           convertIdentityProviderConfigToStore(identityProviderPatch.Config),
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to patch identity provider").SetInternal(err)
+		}
+		return c.JSON(http.StatusOK, composeResponse(convertIdentityProviderFromStore(identityProviderMessage)))
+	})
+
+	g.GET("/idp", func(c echo.Context) error {
+		ctx := c.Request().Context()
+		identityProviderMessageList, err := s.Store.ListIdentityProviders(ctx, &store.FindIdentityProviderMessage{})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find identity provider list").SetInternal(err)
+		}
+
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		isHostUser := false
+		if ok {
+			user, err := s.Store.FindUser(ctx, &api.UserFind{
+				ID: &userID,
+			})
+			if err != nil && common.ErrorCode(err) != common.NotFound {
+				return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+			}
+			if user != nil && user.Role == api.Host {
+				isHostUser = true
+			}
+		}
+
+		identityProviderList := []*api.IdentityProvider{}
+		for _, identityProviderMessage := range identityProviderMessageList {
+			identityProvider := convertIdentityProviderFromStore(identityProviderMessage)
+			// data desensitize
+			if !isHostUser {
+				identityProvider.Config.OAuth2Config.ClientSecret = ""
+			}
+			identityProviderList = append(identityProviderList, identityProvider)
+		}
+		return c.JSON(http.StatusOK, composeResponse(identityProviderList))
+	})
+
+	g.GET("/idp/:idpId", func(c echo.Context) error {
+		ctx := c.Request().Context()
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
+
+		user, err := s.Store.FindUser(ctx, &api.UserFind{
+			ID: &userID,
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+		}
+		// We should only show identity provider list to host user.
+		if user == nil || user.Role != api.Host {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+		}
+
+		identityProviderID, err := strconv.Atoi(c.Param("idpId"))
+		if err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("idpId"))).SetInternal(err)
+		}
+		identityProviderMessage, err := s.Store.GetIdentityProvider(ctx, &store.FindIdentityProviderMessage{
+			ID: &identityProviderID,
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to get identity provider").SetInternal(err)
+		}
+		return c.JSON(http.StatusOK, composeResponse(convertIdentityProviderFromStore(identityProviderMessage)))
+	})
+
+	g.DELETE("/idp/:idpId", func(c echo.Context) error {
+		ctx := c.Request().Context()
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
+
+		user, err := s.Store.FindUser(ctx, &api.UserFind{
+			ID: &userID,
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+		}
+		if user == nil || user.Role != api.Host {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+		}
+
+		identityProviderID, err := strconv.Atoi(c.Param("idpId"))
+		if err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("idpId"))).SetInternal(err)
+		}
+
+		if err = s.Store.DeleteIdentityProvider(ctx, &store.DeleteIdentityProviderMessage{ID: identityProviderID}); err != nil {
+			if common.ErrorCode(err) == common.NotFound {
+				return echo.NewHTTPError(http.StatusNotFound, fmt.Sprintf("Identity provider ID not found: %d", identityProviderID))
+			}
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to delete identity provider").SetInternal(err)
+		}
+		return c.JSON(http.StatusOK, true)
+	})
+}
+
+func convertIdentityProviderFromStore(identityProviderMessage *store.IdentityProviderMessage) *api.IdentityProvider {
+	return &api.IdentityProvider{
+		ID:               identityProviderMessage.ID,
+		Name:             identityProviderMessage.Name,
+		Type:             api.IdentityProviderType(identityProviderMessage.Type),
+		IdentifierFilter: identityProviderMessage.IdentifierFilter,
+		Config:           convertIdentityProviderConfigFromStore(identityProviderMessage.Config),
+	}
+}
+
+func convertIdentityProviderConfigFromStore(config *store.IdentityProviderConfig) *api.IdentityProviderConfig {
+	return &api.IdentityProviderConfig{
+		OAuth2Config: &api.IdentityProviderOAuth2Config{
+			ClientID:     config.OAuth2Config.ClientID,
+			ClientSecret: config.OAuth2Config.ClientSecret,
+			AuthURL:      config.OAuth2Config.AuthURL,
+			TokenURL:     config.OAuth2Config.TokenURL,
+			UserInfoURL:  config.OAuth2Config.UserInfoURL,
+			Scopes:       config.OAuth2Config.Scopes,
+			FieldMapping: &api.FieldMapping{
+				Identifier:  config.OAuth2Config.FieldMapping.Identifier,
+				DisplayName: config.OAuth2Config.FieldMapping.DisplayName,
+				Email:       config.OAuth2Config.FieldMapping.Email,
+			},
+		},
+	}
+}
+
+func convertIdentityProviderConfigToStore(config *api.IdentityProviderConfig) *store.IdentityProviderConfig {
+	return &store.IdentityProviderConfig{
+		OAuth2Config: &store.IdentityProviderOAuth2Config{
+			ClientID:     config.OAuth2Config.ClientID,
+			ClientSecret: config.OAuth2Config.ClientSecret,
+			AuthURL:      config.OAuth2Config.AuthURL,
+			TokenURL:     config.OAuth2Config.TokenURL,
+			UserInfoURL:  config.OAuth2Config.UserInfoURL,
+			Scopes:       config.OAuth2Config.Scopes,
+			FieldMapping: &store.FieldMapping{
+				Identifier:  config.OAuth2Config.FieldMapping.Identifier,
+				DisplayName: config.OAuth2Config.FieldMapping.DisplayName,
+				Email:       config.OAuth2Config.FieldMapping.Email,
+			},
+		},
+	}
+}
--- a/server/jwt.go
+++ b/server/jwt.go
@@ -0,0 +1,260 @@
+package server
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/golang-jwt/jwt/v4"
+	"github.com/labstack/echo/v4"
+	pkgerrors "github.com/pkg/errors"
+	"github.com/usememos/memos/api"
+	"github.com/usememos/memos/common"
+	"github.com/usememos/memos/server/auth"
+)
+
+const (
+	// Context section
+	// The key name used to store user id in the context
+	// user id is extracted from the jwt token subject field.
+	userIDContextKey = "user-id"
+)
+
+// Claims creates a struct that will be encoded to a JWT.
+// We add jwt.RegisteredClaims as an embedded type, to provide fields such as name.
+type Claims struct {
+	Name string `json:"name"`
+	jwt.RegisteredClaims
+}
+
+func getUserIDContextKey() string {
+	return userIDContextKey
+}
+
+// GenerateTokensAndSetCookies generates jwt token and saves it to the http-only cookie.
+func GenerateTokensAndSetCookies(c echo.Context, user *api.User, mode string, secret string) error {
+	accessToken, err := auth.GenerateAccessToken(user.Username, user.ID, mode, secret)
+	if err != nil {
+		return pkgerrors.Wrap(err, "failed to generate access token")
+	}
+
+	cookieExp := time.Now().Add(auth.CookieExpDuration)
+	setTokenCookie(c, auth.AccessTokenCookieName, accessToken, cookieExp)
+
+	// We generate here a new refresh token and saving it to the cookie.
+	refreshToken, err := auth.GenerateRefreshToken(user.Username, user.ID, mode, secret)
+	if err != nil {
+		return pkgerrors.Wrap(err, "failed to generate refresh token")
+	}
+	setTokenCookie(c, auth.RefreshTokenCookieName, refreshToken, cookieExp)
+
+	return nil
+}
+
+// RemoveTokensAndCookies removes the jwt token and refresh token from the cookies.
+func RemoveTokensAndCookies(c echo.Context) {
+	// We set the expiration time to the past, so that the cookie will be removed.
+	cookieExp := time.Now().Add(-1 * time.Hour)
+	setTokenCookie(c, auth.AccessTokenCookieName, "", cookieExp)
+	setTokenCookie(c, auth.RefreshTokenCookieName, "", cookieExp)
+}
+
+// Here we are creating a new cookie, which will store the valid JWT token.
+func setTokenCookie(c echo.Context, name, token string, expiration time.Time) {
+	cookie := new(http.Cookie)
+	cookie.Name = name
+	cookie.Value = token
+	cookie.Expires = expiration
+	cookie.Path = "/"
+	// Http-only helps mitigate the risk of client side script accessing the protected cookie.
+	cookie.HttpOnly = true
+	cookie.SameSite = http.SameSiteStrictMode
+	c.SetCookie(cookie)
+}
+
+func extractTokenFromHeader(c echo.Context) (string, error) {
+	authHeader := c.Request().Header.Get("Authorization")
+	if authHeader == "" {
+		return "", nil
+	}
+
+	authHeaderParts := strings.Fields(authHeader)
+	if len(authHeaderParts) != 2 || strings.ToLower(authHeaderParts[0]) != "bearer" {
+		return "", errors.New("Authorization header format must be Bearer {token}")
+	}
+
+	return authHeaderParts[1], nil
+}
+
+func findAccessToken(c echo.Context) string {
+	accessToken := ""
+	cookie, _ := c.Cookie(auth.AccessTokenCookieName)
+	if cookie != nil {
+		accessToken = cookie.Value
+	}
+	if accessToken == "" {
+		accessToken, _ = extractTokenFromHeader(c)
+	}
+
+	return accessToken
+}
+
+// JWTMiddleware validates the access token.
+// If the access token is about to expire or has expired and the request has a valid refresh token, it
+// will try to generate new access token and refresh token.
+func JWTMiddleware(server *Server, next echo.HandlerFunc, secret string) echo.HandlerFunc {
+	return func(c echo.Context) error {
+		path := c.Request().URL.Path
+		method := c.Request().Method
+		mode := server.Profile.Mode
+
+		if server.defaultAuthSkipper(c) {
+			return next(c)
+		}
+
+		// Skip validation for server status endpoints.
+		if common.HasPrefixes(path, "/api/ping", "/api/status", "/api/idp", "/api/user/:id") && method == http.MethodGet {
+			return next(c)
+		}
+
+		token := findAccessToken(c)
+		if token == "" {
+			// Allow the user to access the public endpoints.
+			if common.HasPrefixes(path, "/o") {
+				return next(c)
+			}
+			// When the request is not authenticated, we allow the user to access the memo endpoints for those public memos.
+			if common.HasPrefixes(path, "/api/memo") && method == http.MethodGet {
+				return next(c)
+			}
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing access token")
+		}
+
+		claims := &Claims{}
+		accessToken, err := jwt.ParseWithClaims(token, claims, func(t *jwt.Token) (any, error) {
+			if t.Method.Alg() != jwt.SigningMethodHS256.Name {
+				return nil, pkgerrors.Errorf("unexpected access token signing method=%v, expect %v", t.Header["alg"], jwt.SigningMethodHS256)
+			}
+			if kid, ok := t.Header["kid"].(string); ok {
+				if kid == "v1" {
+					return []byte(secret), nil
+				}
+			}
+			return nil, pkgerrors.Errorf("unexpected access token kid=%v", t.Header["kid"])
+		})
+
+		if !audienceContains(claims.Audience, fmt.Sprintf(auth.AccessTokenAudienceFmt, mode)) {
+			return echo.NewHTTPError(http.StatusUnauthorized,
+				fmt.Sprintf("Invalid access token, audience mismatch, got %q, expected %q. you may send request to the wrong environment",
+					claims.Audience,
+					fmt.Sprintf(auth.AccessTokenAudienceFmt, mode),
+				))
+		}
+
+		generateToken := time.Until(claims.ExpiresAt.Time) < auth.RefreshThresholdDuration
+		if err != nil {
+			var ve *jwt.ValidationError
+			if errors.As(err, &ve) {
+				// If expiration error is the only error, we will clear the err
+				// and generate new access token and refresh token
+				if ve.Errors == jwt.ValidationErrorExpired {
+					generateToken = true
+				}
+			} else {
+				return &echo.HTTPError{
+					Code:     http.StatusUnauthorized,
+					Message:  "Invalid or expired access token",
+					Internal: err,
+				}
+			}
+		}
+
+		// We either have a valid access token or we will attempt to generate new access token and refresh token
+		ctx := c.Request().Context()
+		userID, err := strconv.Atoi(claims.Subject)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Malformed ID in the token.")
+		}
+
+		// Even if there is no error, we still need to make sure the user still exists.
+		user, err := server.Store.FindUser(ctx, &api.UserFind{
+			ID: &userID,
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Server error to find user ID: %d", userID)).SetInternal(err)
+		}
+		if user == nil {
+			return echo.NewHTTPError(http.StatusUnauthorized, fmt.Sprintf("Failed to find user ID: %d", userID))
+		}
+
+		if generateToken {
+			generateTokenFunc := func() error {
+				rc, err := c.Cookie(auth.RefreshTokenCookieName)
+
+				if err != nil {
+					return echo.NewHTTPError(http.StatusUnauthorized, "Failed to generate access token. Missing refresh token.")
+				}
+
+				// Parses token and checks if it's valid.
+				refreshTokenClaims := &Claims{}
+				refreshToken, err := jwt.ParseWithClaims(rc.Value, refreshTokenClaims, func(t *jwt.Token) (any, error) {
+					if t.Method.Alg() != jwt.SigningMethodHS256.Name {
+						return nil, pkgerrors.Errorf("unexpected refresh token signing method=%v, expected %v", t.Header["alg"], jwt.SigningMethodHS256)
+					}
+
+					if kid, ok := t.Header["kid"].(string); ok {
+						if kid == "v1" {
+							return []byte(secret), nil
+						}
+					}
+					return nil, pkgerrors.Errorf("unexpected refresh token kid=%v", t.Header["kid"])
+				})
+				if err != nil {
+					if err == jwt.ErrSignatureInvalid {
+						return echo.NewHTTPError(http.StatusUnauthorized, "Failed to generate access token. Invalid refresh token signature.")
+					}
+					return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Server error to refresh expired token. User Id %d", userID)).SetInternal(err)
+				}
+
+				if !audienceContains(refreshTokenClaims.Audience, fmt.Sprintf(auth.RefreshTokenAudienceFmt, mode)) {
+					return echo.NewHTTPError(http.StatusUnauthorized,
+						fmt.Sprintf("Invalid refresh token, audience mismatch, got %q, expected %q. you may send request to the wrong environment",
+							refreshTokenClaims.Audience,
+							fmt.Sprintf(auth.RefreshTokenAudienceFmt, mode),
+						))
+				}
+
+				// If we have a valid refresh token, we will generate new access token and refresh token
+				if refreshToken != nil && refreshToken.Valid {
+					if err := GenerateTokensAndSetCookies(c, user, mode, secret); err != nil {
+						return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Server error to refresh expired token. User Id %d", userID)).SetInternal(err)
+					}
+				}
+
+				return nil
+			}
+
+			// It may happen that we still have a valid access token, but we encounter issue when trying to generate new token
+			// In such case, we won't return the error.
+			if err := generateTokenFunc(); err != nil && !accessToken.Valid {
+				return err
+			}
+		}
+
+		// Stores userID into context.
+		c.Set(getUserIDContextKey(), userID)
+		return next(c)
+	}
+}
+
+func audienceContains(audience jwt.ClaimStrings, token string) bool {
+	for _, v := range audience {
+		if v == token {
+			return true
+		}
+	}
+	return false
+}
--- a/server/memo.go
+++ b/server/memo.go
@@ -3,65 +3,175 @@ package server
 import (
 	"encoding/json"
 	"fmt"
-	"memos/api"
-	"memos/common"
 	"net/http"
 	"strconv"
+	"strings"
+	"time"
+
+	"github.com/pkg/errors"
+	"github.com/usememos/memos/api"
+	"github.com/usememos/memos/common"

 	"github.com/labstack/echo/v4"
 )

 func (s *Server) registerMemoRoutes(g *echo.Group) {
 	g.POST("/memo", func(c echo.Context) error {
-		userID := c.Get(getUserIDContextKey()).(int)
-		memoCreate := &api.MemoCreate{
-			CreatorID: userID,
+		ctx := c.Request().Context()
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
 		}
+
+		memoCreate := &api.MemoCreate{}
 		if err := json.NewDecoder(c.Request().Body).Decode(memoCreate); err != nil {
 			return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post memo request").SetInternal(err)
 		}

-		memo, err := s.Store.CreateMemo(memoCreate)
+		if memoCreate.Visibility == "" {
+			userMemoVisibilitySetting, err := s.Store.FindUserSetting(ctx, &api.UserSettingFind{
+				UserID: userID,
+				Key:    api.UserSettingMemoVisibilityKey,
+			})
+			if err != nil {
+				return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user setting").SetInternal(err)
+			}
+
+			if userMemoVisibilitySetting != nil {
+				memoVisibility := api.Private
+				err := json.Unmarshal([]byte(userMemoVisibilitySetting.Value), &memoVisibility)
+				if err != nil {
+					return echo.NewHTTPError(http.StatusInternalServerError, "Failed to unmarshal user setting value").SetInternal(err)
+				}
+				memoCreate.Visibility = memoVisibility
+			} else {
+				// Private is the default memo visibility.
+				memoCreate.Visibility = api.Private
+			}
+		}
+
+		// Find system settings
+		disablePublicMemosSystemSetting, err := s.Store.FindSystemSetting(ctx, &api.SystemSettingFind{
+			Name: api.SystemSettingDisablePublicMemosName,
+		})
+		if err != nil && common.ErrorCode(err) != common.NotFound {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find system setting").SetInternal(err)
+		}
+		if disablePublicMemosSystemSetting != nil {
+			disablePublicMemos := false
+			err = json.Unmarshal([]byte(disablePublicMemosSystemSetting.Value), &disablePublicMemos)
+			if err != nil {
+				return echo.NewHTTPError(http.StatusInternalServerError, "Failed to unmarshal system setting").SetInternal(err)
+			}
+			if disablePublicMemos {
+				memoCreate.Visibility = api.Private
+			}
+		}
+
+		if len(memoCreate.Content) > api.MaxContentLength {
+			return echo.NewHTTPError(http.StatusBadRequest, "Content size overflow, up to 1MB").SetInternal(err)
+		}
+
+		memoCreate.CreatorID = userID
+		memo, err := s.Store.CreateMemo(ctx, memoCreate)
 		if err != nil {
 			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create memo").SetInternal(err)
 		}
-
-		c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationJSONCharsetUTF8)
-		if err := json.NewEncoder(c.Response().Writer).Encode(composeResponse(memo)); err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to encode memo response").SetInternal(err)
+		if err := s.createMemoCreateActivity(c, memo); err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create activity").SetInternal(err)
 		}
-		return nil
+
+		for _, resourceID := range memoCreate.ResourceIDList {
+			if _, err := s.Store.UpsertMemoResource(ctx, &api.MemoResourceUpsert{
+				MemoID:     memo.ID,
+				ResourceID: resourceID,
+			}); err != nil {
+				return echo.NewHTTPError(http.StatusInternalServerError, "Failed to upsert memo resource").SetInternal(err)
+			}
+		}
+
+		memo, err = s.Store.ComposeMemo(ctx, memo)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to compose memo").SetInternal(err)
+		}
+		return c.JSON(http.StatusOK, composeResponse(memo))
 	})

 	g.PATCH("/memo/:memoId", func(c echo.Context) error {
+		ctx := c.Request().Context()
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
+
 		memoID, err := strconv.Atoi(c.Param("memoId"))
 		if err != nil {
 			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("memoId"))).SetInternal(err)
 		}

+		memo, err := s.Store.FindMemo(ctx, &api.MemoFind{
+			ID: &memoID,
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find memo").SetInternal(err)
+		}
+		if memo.CreatorID != userID {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+		}
+
+		currentTs := time.Now().Unix()
 		memoPatch := &api.MemoPatch{
-			ID: memoID,
+			ID:        memoID,
+			UpdatedTs: &currentTs,
 		}
 		if err := json.NewDecoder(c.Request().Body).Decode(memoPatch); err != nil {
 			return echo.NewHTTPError(http.StatusBadRequest, "Malformatted patch memo request").SetInternal(err)
 		}

-		memo, err := s.Store.PatchMemo(memoPatch)
+		if memoPatch.Content != nil && len(*memoPatch.Content) > api.MaxContentLength {
+			return echo.NewHTTPError(http.StatusBadRequest, "Content size overflow, up to 1MB").SetInternal(err)
+		}
+
+		memo, err = s.Store.PatchMemo(ctx, memoPatch)
 		if err != nil {
 			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to patch memo").SetInternal(err)
 		}

-		c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationJSONCharsetUTF8)
-		if err := json.NewEncoder(c.Response().Writer).Encode(composeResponse(memo)); err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to encode memo response").SetInternal(err)
+		for _, resourceID := range memoPatch.ResourceIDList {
+			if _, err := s.Store.UpsertMemoResource(ctx, &api.MemoResourceUpsert{
+				MemoID:     memo.ID,
+				ResourceID: resourceID,
+			}); err != nil {
+				return echo.NewHTTPError(http.StatusInternalServerError, "Failed to upsert memo resource").SetInternal(err)
+			}
 		}
-		return nil
+
+		memo, err = s.Store.ComposeMemo(ctx, memo)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to compose memo").SetInternal(err)
+		}
+		return c.JSON(http.StatusOK, composeResponse(memo))
 	})

 	g.GET("/memo", func(c echo.Context) error {
-		userID := c.Get(getUserIDContextKey()).(int)
-		memoFind := &api.MemoFind{
-			CreatorID: &userID,
+		ctx := c.Request().Context()
+		memoFind := &api.MemoFind{}
+		if userID, err := strconv.Atoi(c.QueryParam("creatorId")); err == nil {
+			memoFind.CreatorID = &userID
+		}
+
+		currentUserID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			if memoFind.CreatorID == nil {
+				return echo.NewHTTPError(http.StatusBadRequest, "Missing user id to find memo")
+			}
+			memoFind.VisibilityList = []api.Visibility{api.Public}
+		} else {
+			if memoFind.CreatorID == nil {
+				memoFind.CreatorID = &currentUserID
+			} else {
+				memoFind.VisibilityList = []api.Visibility{api.Public, api.Protected}
+			}
 		}

 		rowStatus := api.RowStatus(c.QueryParam("rowStatus"))
@@ -75,49 +185,87 @@ func (s *Server) registerMemoRoutes(g *echo.Group) {
 		}
 		tag := c.QueryParam("tag")
 		if tag != "" {
-			contentSearch := "#" + tag + " "
+			contentSearch := "#" + tag
 			memoFind.ContentSearch = &contentSearch
 		}
+		visibilityListStr := c.QueryParam("visibility")
+		if visibilityListStr != "" {
+			visibilityList := []api.Visibility{}
+			for _, visibility := range strings.Split(visibilityListStr, ",") {
+				visibilityList = append(visibilityList, api.Visibility(visibility))
+			}
+			memoFind.VisibilityList = visibilityList
+		}
 		if limit, err := strconv.Atoi(c.QueryParam("limit")); err == nil {
-			memoFind.Limit = limit
+			memoFind.Limit = &limit
 		}
 		if offset, err := strconv.Atoi(c.QueryParam("offset")); err == nil {
-			memoFind.Offset = offset
+			memoFind.Offset = &offset
 		}

-		list, err := s.Store.FindMemoList(memoFind)
+		list, err := s.Store.FindMemoList(ctx, memoFind)
 		if err != nil {
 			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to fetch memo list").SetInternal(err)
 		}
-
-		c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationJSONCharsetUTF8)
-		if err := json.NewEncoder(c.Response().Writer).Encode(composeResponse(list)); err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to encode memo list response").SetInternal(err)
-		}
-		return nil
+		return c.JSON(http.StatusOK, composeResponse(list))
 	})

-	g.POST("/memo/:memoId/organizer", func(c echo.Context) error {
+	g.GET("/memo/:memoId", func(c echo.Context) error {
+		ctx := c.Request().Context()
 		memoID, err := strconv.Atoi(c.Param("memoId"))
 		if err != nil {
 			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("memoId"))).SetInternal(err)
 		}

-		userID := c.Get(getUserIDContextKey()).(int)
-		memoOrganizerUpsert := &api.MemoOrganizerUpsert{
-			MemoID: memoID,
-			UserID: userID,
+		memoFind := &api.MemoFind{
+			ID: &memoID,
 		}
+		memo, err := s.Store.FindMemo(ctx, memoFind)
+		if err != nil {
+			if common.ErrorCode(err) == common.NotFound {
+				return echo.NewHTTPError(http.StatusNotFound, fmt.Sprintf("Memo ID not found: %d", memoID)).SetInternal(err)
+			}
+
+			return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to find memo by ID: %v", memoID)).SetInternal(err)
+		}
+
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if memo.Visibility == api.Private {
+			if !ok || memo.CreatorID != userID {
+				return echo.NewHTTPError(http.StatusForbidden, "this memo is private only")
+			}
+		} else if memo.Visibility == api.Protected {
+			if !ok {
+				return echo.NewHTTPError(http.StatusForbidden, "this memo is protected, missing user in session")
+			}
+		}
+		return c.JSON(http.StatusOK, composeResponse(memo))
+	})
+
+	g.POST("/memo/:memoId/organizer", func(c echo.Context) error {
+		ctx := c.Request().Context()
+		memoID, err := strconv.Atoi(c.Param("memoId"))
+		if err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("memoId"))).SetInternal(err)
+		}
+
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
+		memoOrganizerUpsert := &api.MemoOrganizerUpsert{}
 		if err := json.NewDecoder(c.Request().Body).Decode(memoOrganizerUpsert); err != nil {
 			return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post memo organizer request").SetInternal(err)
 		}
+		memoOrganizerUpsert.MemoID = memoID
+		memoOrganizerUpsert.UserID = userID

-		err = s.Store.UpsertMemoOrganizer(memoOrganizerUpsert)
+		err = s.Store.UpsertMemoOrganizer(ctx, memoOrganizerUpsert)
 		if err != nil {
 			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to upsert memo organizer").SetInternal(err)
 		}

-		memo, err := s.Store.FindMemo(&api.MemoFind{
+		memo, err := s.Store.FindMemo(ctx, &api.MemoFind{
 			ID: &memoID,
 		})
 		if err != nil {
@@ -127,75 +275,233 @@ func (s *Server) registerMemoRoutes(g *echo.Group) {

 			return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to find memo by ID: %v", memoID)).SetInternal(err)
 		}
-
-		c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationJSONCharsetUTF8)
-		if err := json.NewEncoder(c.Response().Writer).Encode(composeResponse(memo)); err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to encode memo response").SetInternal(err)
-		}
-		return nil
+		return c.JSON(http.StatusOK, composeResponse(memo))
 	})

-	g.GET("/memo/:memoId", func(c echo.Context) error {
+	g.POST("/memo/:memoId/resource", func(c echo.Context) error {
+		ctx := c.Request().Context()
 		memoID, err := strconv.Atoi(c.Param("memoId"))
 		if err != nil {
 			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("memoId"))).SetInternal(err)
 		}

-		memoFind := &api.MemoFind{
-			ID: &memoID,
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
 		}
-		memo, err := s.Store.FindMemo(memoFind)
+		memoResourceUpsert := &api.MemoResourceUpsert{}
+		if err := json.NewDecoder(c.Request().Body).Decode(memoResourceUpsert); err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post memo resource request").SetInternal(err)
+		}
+		resourceFind := &api.ResourceFind{
+			ID: &memoResourceUpsert.ResourceID,
+		}
+		resource, err := s.Store.FindResource(ctx, resourceFind)
 		if err != nil {
-			if common.ErrorCode(err) == common.NotFound {
-				return echo.NewHTTPError(http.StatusNotFound, fmt.Sprintf("Memo ID not found: %d", memoID)).SetInternal(err)
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to fetch resource").SetInternal(err)
+		}
+		if resource == nil {
+			return echo.NewHTTPError(http.StatusBadRequest, "Resource not found").SetInternal(err)
+		} else if resource.CreatorID != userID {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized to bind this resource").SetInternal(err)
+		}
+
+		memoResourceUpsert.MemoID = memoID
+		currentTs := time.Now().Unix()
+		memoResourceUpsert.UpdatedTs = &currentTs
+		if _, err := s.Store.UpsertMemoResource(ctx, memoResourceUpsert); err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to upsert memo resource").SetInternal(err)
+		}
+		return c.JSON(http.StatusOK, composeResponse(resource))
+	})
+
+	g.GET("/memo/:memoId/resource", func(c echo.Context) error {
+		ctx := c.Request().Context()
+		memoID, err := strconv.Atoi(c.Param("memoId"))
+		if err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("memoId"))).SetInternal(err)
+		}
+
+		resourceFind := &api.ResourceFind{
+			MemoID: &memoID,
+		}
+		resourceList, err := s.Store.FindResourceList(ctx, resourceFind)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to fetch resource list").SetInternal(err)
+		}
+		return c.JSON(http.StatusOK, composeResponse(resourceList))
+	})
+
+	g.GET("/memo/stats", func(c echo.Context) error {
+		ctx := c.Request().Context()
+		normalStatus := api.Normal
+		memoFind := &api.MemoFind{
+			RowStatus: &normalStatus,
+		}
+		if creatorID, err := strconv.Atoi(c.QueryParam("creatorId")); err == nil {
+			memoFind.CreatorID = &creatorID
+		}
+		if memoFind.CreatorID == nil {
+			return echo.NewHTTPError(http.StatusBadRequest, "Missing user id to find memo")
+		}
+
+		currentUserID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			memoFind.VisibilityList = []api.Visibility{api.Public}
+		} else {
+			if *memoFind.CreatorID != currentUserID {
+				memoFind.VisibilityList = []api.Visibility{api.Public, api.Protected}
+			} else {
+				memoFind.VisibilityList = []api.Visibility{api.Public, api.Protected, api.Private}
 			}
-
-			return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to find memo by ID: %v", memoID)).SetInternal(err)
 		}

-		c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationJSONCharsetUTF8)
-		if err := json.NewEncoder(c.Response().Writer).Encode(composeResponse(memo)); err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to encode memo response").SetInternal(err)
+		list, err := s.Store.FindMemoList(ctx, memoFind)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to fetch memo list").SetInternal(err)
 		}
-		return nil
+
+		createdTsList := []int64{}
+		for _, memo := range list {
+			createdTsList = append(createdTsList, memo.CreatedTs)
+		}
+		return c.JSON(http.StatusOK, composeResponse(createdTsList))
+	})
+
+	g.GET("/memo/all", func(c echo.Context) error {
+		ctx := c.Request().Context()
+		memoFind := &api.MemoFind{}
+
+		_, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			memoFind.VisibilityList = []api.Visibility{api.Public}
+		} else {
+			memoFind.VisibilityList = []api.Visibility{api.Public, api.Protected}
+		}
+
+		pinnedStr := c.QueryParam("pinned")
+		if pinnedStr != "" {
+			pinned := pinnedStr == "true"
+			memoFind.Pinned = &pinned
+		}
+		tag := c.QueryParam("tag")
+		if tag != "" {
+			contentSearch := "#" + tag + " "
+			memoFind.ContentSearch = &contentSearch
+		}
+		visibilityListStr := c.QueryParam("visibility")
+		if visibilityListStr != "" {
+			visibilityList := []api.Visibility{}
+			for _, visibility := range strings.Split(visibilityListStr, ",") {
+				visibilityList = append(visibilityList, api.Visibility(visibility))
+			}
+			memoFind.VisibilityList = visibilityList
+		}
+		if limit, err := strconv.Atoi(c.QueryParam("limit")); err == nil {
+			memoFind.Limit = &limit
+		}
+		if offset, err := strconv.Atoi(c.QueryParam("offset")); err == nil {
+			memoFind.Offset = &offset
+		}
+
+		// Only fetch normal status memos.
+		normalStatus := api.Normal
+		memoFind.RowStatus = &normalStatus
+
+		list, err := s.Store.FindMemoList(ctx, memoFind)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to fetch all memo list").SetInternal(err)
+		}
+		return c.JSON(http.StatusOK, composeResponse(list))
 	})

 	g.DELETE("/memo/:memoId", func(c echo.Context) error {
+		ctx := c.Request().Context()
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
 		memoID, err := strconv.Atoi(c.Param("memoId"))
 		if err != nil {
 			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("memoId"))).SetInternal(err)
 		}

+		memo, err := s.Store.FindMemo(ctx, &api.MemoFind{
+			ID: &memoID,
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find memo").SetInternal(err)
+		}
+		if memo.CreatorID != userID {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+		}
+
 		memoDelete := &api.MemoDelete{
 			ID: memoID,
 		}
-
-		err = s.Store.DeleteMemo(memoDelete)
-		if err != nil {
+		if err := s.Store.DeleteMemo(ctx, memoDelete); err != nil {
+			if common.ErrorCode(err) == common.NotFound {
+				return echo.NewHTTPError(http.StatusNotFound, fmt.Sprintf("Memo ID not found: %d", memoID))
+			}
 			return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to delete memo ID: %v", memoID)).SetInternal(err)
 		}
-
-		c.JSON(http.StatusOK, true)
-		return nil
+		return c.JSON(http.StatusOK, true)
 	})

-	g.GET("/memo/amount", func(c echo.Context) error {
-		userID := c.Get(getUserIDContextKey()).(int)
-		normalRowStatus := api.Normal
-		memoFind := &api.MemoFind{
-			CreatorID: &userID,
-			RowStatus: &normalRowStatus,
+	g.DELETE("/memo/:memoId/resource/:resourceId", func(c echo.Context) error {
+		ctx := c.Request().Context()
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
 		}
-
-		memoList, err := s.Store.FindMemoList(memoFind)
+		memoID, err := strconv.Atoi(c.Param("memoId"))
 		if err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find memo list").SetInternal(err)
+			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("Memo ID is not a number: %s", c.Param("memoId"))).SetInternal(err)
+		}
+		resourceID, err := strconv.Atoi(c.Param("resourceId"))
+		if err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("Resource ID is not a number: %s", c.Param("resourceId"))).SetInternal(err)
 		}

-		c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationJSONCharsetUTF8)
-		if err := json.NewEncoder(c.Response().Writer).Encode(composeResponse(len(memoList))); err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to encode memo amount").SetInternal(err)
+		memo, err := s.Store.FindMemo(ctx, &api.MemoFind{
+			ID: &memoID,
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find memo").SetInternal(err)
 		}
-		return nil
+		if memo.CreatorID != userID {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+		}
+
+		memoResourceDelete := &api.MemoResourceDelete{
+			MemoID:     &memoID,
+			ResourceID: &resourceID,
+		}
+		if err := s.Store.DeleteMemoResource(ctx, memoResourceDelete); err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to fetch resource list").SetInternal(err)
+		}
+		return c.JSON(http.StatusOK, true)
 	})
 }
+
+func (s *Server) createMemoCreateActivity(c echo.Context, memo *api.Memo) error {
+	ctx := c.Request().Context()
+	payload := api.ActivityMemoCreatePayload{
+		Content:    memo.Content,
+		Visibility: memo.Visibility.String(),
+	}
+	payloadBytes, err := json.Marshal(payload)
+	if err != nil {
+		return errors.Wrap(err, "failed to marshal activity payload")
+	}
+	activity, err := s.Store.CreateActivity(ctx, &api.ActivityCreate{
+		CreatorID: memo.CreatorID,
+		Type:      api.ActivityMemoCreate,
+		Level:     api.ActivityInfo,
+		Payload:   string(payloadBytes),
+	})
+	if err != nil || activity == nil {
+		return errors.Wrap(err, "failed to create activity")
+	}
+	return err
+}
--- a/server/openai.go
+++ b/server/openai.go
@@ -0,0 +1,72 @@
+package server
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"github.com/labstack/echo/v4"
+	"github.com/usememos/memos/api"
+	"github.com/usememos/memos/common"
+	"github.com/usememos/memos/plugin/openai"
+)
+
+func (s *Server) registerOpenAIRoutes(g *echo.Group) {
+	g.POST("/openai/chat-completion", func(c echo.Context) error {
+		ctx := c.Request().Context()
+		openAIConfigSetting, err := s.Store.FindSystemSetting(ctx, &api.SystemSettingFind{
+			Name: api.SystemSettingOpenAIConfigName,
+		})
+		if err != nil && common.ErrorCode(err) != common.NotFound {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find openai key").SetInternal(err)
+		}
+
+		openAIConfig := api.OpenAIConfig{}
+		if openAIConfigSetting != nil {
+			err = json.Unmarshal([]byte(openAIConfigSetting.Value), &openAIConfig)
+			if err != nil {
+				return echo.NewHTTPError(http.StatusInternalServerError, "Failed to unmarshal openai system setting value").SetInternal(err)
+			}
+		}
+		if openAIConfig.Key == "" {
+			return echo.NewHTTPError(http.StatusBadRequest, "OpenAI API key not set")
+		}
+
+		messages := []openai.ChatCompletionMessage{}
+		if err := json.NewDecoder(c.Request().Body).Decode(&messages); err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post chat completion request").SetInternal(err)
+		}
+		if len(messages) == 0 {
+			return echo.NewHTTPError(http.StatusBadRequest, "No messages provided")
+		}
+
+		result, err := openai.PostChatCompletion(messages, openAIConfig.Key, openAIConfig.Host)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to post chat completion").SetInternal(err)
+		}
+
+		return c.JSON(http.StatusOK, composeResponse(result))
+	})
+
+	g.GET("/openai/enabled", func(c echo.Context) error {
+		ctx := c.Request().Context()
+		openAIConfigSetting, err := s.Store.FindSystemSetting(ctx, &api.SystemSettingFind{
+			Name: api.SystemSettingOpenAIConfigName,
+		})
+		if err != nil && common.ErrorCode(err) != common.NotFound {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find openai key").SetInternal(err)
+		}
+
+		openAIConfig := api.OpenAIConfig{}
+		if openAIConfigSetting != nil {
+			err = json.Unmarshal([]byte(openAIConfigSetting.Value), &openAIConfig)
+			if err != nil {
+				return echo.NewHTTPError(http.StatusInternalServerError, "Failed to unmarshal openai system setting value").SetInternal(err)
+			}
+		}
+		if openAIConfig.Key == "" {
+			return echo.NewHTTPError(http.StatusBadRequest, "OpenAI API key not set")
+		}
+
+		return c.JSON(http.StatusOK, composeResponse(openAIConfig.Key != ""))
+	})
+}
--- a/server/profile/profile.go
+++ b/server/profile/profile.go
@@ -2,25 +2,32 @@ package profile

 import (
 	"fmt"
-	"memos/common"
 	"os"
 	"path/filepath"
-	"strconv"
 	"strings"
+
+	"github.com/spf13/viper"
+	"github.com/usememos/memos/server/version"
 )

 // Profile is the configuration to start main server.
 type Profile struct {
-	// Mode can be "prod" or "dev"
+	// Mode can be "prod" or "dev" or "demo"
 	Mode string `json:"mode"`
 	// Port is the binding port for server
-	Port int `json:"port"`
+	Port int `json:"-"`
+	// Data is the data directory
+	Data string `json:"-"`
 	// DSN points to where Memos stores its own data
-	DSN string `json:"dsn"`
+	DSN string `json:"-"`
 	// Version is the current version of server
 	Version string `json:"version"`
 }

+func (p *Profile) IsDev() bool {
+	return p.Mode != "prod"
+}
+
 func checkDSN(dataDir string) (string, error) {
 	// Convert to absolute path if relative path is supplied.
 	if !filepath.IsAbs(dataDir) {
@@ -35,42 +42,37 @@ func checkDSN(dataDir string) (string, error) {
 	dataDir = strings.TrimRight(dataDir, "/")

 	if _, err := os.Stat(dataDir); err != nil {
-		error := fmt.Errorf("unable to access -data %s, err %w", dataDir, err)
-		return "", error
+		return "", fmt.Errorf("unable to access data folder %s, err %w", dataDir, err)
 	}

 	return dataDir, nil
 }

-// GetDevProfile will return a profile for dev.
-func GetProfile() *Profile {
-	mode := os.Getenv("mode")
-	if mode != "dev" && mode != "prod" {
-		mode = "dev"
-	}
-
-	port, err := strconv.Atoi(os.Getenv("port"))
+// GetProfile will return a profile for dev or prod.
+func GetProfile() (*Profile, error) {
+	profile := Profile{}
+	err := viper.Unmarshal(&profile)
 	if err != nil {
-		port = 8080
+		return nil, err
 	}

-	data := ""
-	if mode == "prod" {
-		data = "/var/opt/memos"
+	if profile.Mode != "demo" && profile.Mode != "dev" && profile.Mode != "prod" {
+		profile.Mode = "demo"
 	}

-	dataDir, err := checkDSN(data)
+	if profile.Mode == "prod" && profile.Data == "" {
+		profile.Data = "/var/opt/memos"
+	}
+
+	dataDir, err := checkDSN(profile.Data)
 	if err != nil {
 		fmt.Printf("Failed to check dsn: %s, err: %+v\n", dataDir, err)
-		os.Exit(1)
+		return nil, err
 	}

-	dsn := fmt.Sprintf("%s/memos_%s.db", dataDir, mode)
+	profile.Data = dataDir
+	profile.DSN = fmt.Sprintf("%s/memos_%s.db", dataDir, profile.Mode)
+	profile.Version = version.GetCurrentVersion(profile.Mode)

-	return &Profile{
-		Mode:    mode,
-		Port:    port,
-		DSN:     dsn,
-		Version: common.Version,
-	}
+	return &profile, nil
 }
--- a/server/resource.go
+++ b/server/resource.go
@@ -1,140 +1,414 @@
 package server

 import (
+	"bytes"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
-	"memos/api"
+	"io"
 	"net/http"
+	"net/url"
+	"os"
+	"path"
+	"path/filepath"
+	"regexp"
 	"strconv"
+	"strings"
+	"time"

 	"github.com/labstack/echo/v4"
+	"github.com/pkg/errors"
+	"github.com/usememos/memos/api"
+	"github.com/usememos/memos/common"
+	"github.com/usememos/memos/common/log"
+	"github.com/usememos/memos/plugin/storage/s3"
+	"go.uber.org/zap"
 )

+const (
+	// The max file size is 32MB.
+	maxFileSize = 32 << 20
+)
+
+var fileKeyPattern = regexp.MustCompile(`\{[a-z]{1,9}\}`)
+
 func (s *Server) registerResourceRoutes(g *echo.Group) {
 	g.POST("/resource", func(c echo.Context) error {
-		userID := c.Get(getUserIDContextKey()).(int)
+		ctx := c.Request().Context()
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}

-		err := c.Request().ParseMultipartForm(64 << 20)
+		resourceCreate := &api.ResourceCreate{}
+		if err := json.NewDecoder(c.Request().Body).Decode(resourceCreate); err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post resource request").SetInternal(err)
+		}
+
+		resourceCreate.CreatorID = userID
+		// Only allow those external links with http prefix.
+		if resourceCreate.ExternalLink != "" && !strings.HasPrefix(resourceCreate.ExternalLink, "http") {
+			return echo.NewHTTPError(http.StatusBadRequest, "Invalid external link")
+		}
+
+		resource, err := s.Store.CreateResource(ctx, resourceCreate)
 		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create resource").SetInternal(err)
+		}
+		if err := s.createResourceCreateActivity(c, resource); err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create activity").SetInternal(err)
+		}
+		return c.JSON(http.StatusOK, composeResponse(resource))
+	})
+
+	g.POST("/resource/blob", func(c echo.Context) error {
+		ctx := c.Request().Context()
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
+
+		if err := c.Request().ParseMultipartForm(maxFileSize); err != nil {
 			return echo.NewHTTPError(http.StatusBadRequest, "Upload file overload max size").SetInternal(err)
 		}

 		file, err := c.FormFile("file")
 		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to get uploading file").SetInternal(err)
+		}
+		if file == nil {
 			return echo.NewHTTPError(http.StatusBadRequest, "Upload file not found").SetInternal(err)
 		}

-		filename := file.Filename
 		filetype := file.Header.Get("Content-Type")
 		size := file.Size
-		src, err := file.Open()
+		sourceFile, err := file.Open()
 		if err != nil {
 			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to open file").SetInternal(err)
 		}
-		defer src.Close()
+		defer sourceFile.Close()

-		fileBytes, err := ioutil.ReadAll(src)
-		if err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to read file").SetInternal(err)
+		var resourceCreate *api.ResourceCreate
+		systemSettingStorageServiceID, err := s.Store.FindSystemSetting(ctx, &api.SystemSettingFind{Name: api.SystemSettingStorageServiceIDName})
+		if err != nil && common.ErrorCode(err) != common.NotFound {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find storage").SetInternal(err)
+		}
+		storageServiceID := api.DatabaseStorage
+		if systemSettingStorageServiceID != nil {
+			err = json.Unmarshal([]byte(systemSettingStorageServiceID.Value), &storageServiceID)
+			if err != nil {
+				return echo.NewHTTPError(http.StatusInternalServerError, "Failed to unmarshal storage service id").SetInternal(err)
+			}
+		}
+		if storageServiceID == api.DatabaseStorage {
+			fileBytes, err := io.ReadAll(sourceFile)
+			if err != nil {
+				return echo.NewHTTPError(http.StatusInternalServerError, "Failed to read file").SetInternal(err)
+			}
+			resourceCreate = &api.ResourceCreate{
+				CreatorID: userID,
+				Filename:  file.Filename,
+				Type:      filetype,
+				Size:      size,
+				Blob:      fileBytes,
+			}
+		} else if storageServiceID == api.LocalStorage {
+			systemSettingLocalStoragePath, err := s.Store.FindSystemSetting(ctx, &api.SystemSettingFind{Name: api.SystemSettingLocalStoragePathName})
+			if err != nil && common.ErrorCode(err) != common.NotFound {
+				return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find local storage path setting").SetInternal(err)
+			}
+			localStoragePath := ""
+			if systemSettingLocalStoragePath != nil {
+				err = json.Unmarshal([]byte(systemSettingLocalStoragePath.Value), &localStoragePath)
+				if err != nil {
+					return echo.NewHTTPError(http.StatusInternalServerError, "Failed to unmarshal local storage path setting").SetInternal(err)
+				}
+			}
+			filePath := localStoragePath
+			if !strings.Contains(filePath, "{filename}") {
+				filePath = path.Join(filePath, "{filename}")
+			}
+			filePath = path.Join(s.Profile.Data, replacePathTemplate(filePath, file.Filename))
+			dir, filename := filepath.Split(filePath)
+			if err = os.MkdirAll(dir, os.ModePerm); err != nil {
+				return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create directory").SetInternal(err)
+			}
+			dst, err := os.Create(filePath)
+			if err != nil {
+				return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create file").SetInternal(err)
+			}
+			defer dst.Close()
+			_, err = io.Copy(dst, sourceFile)
+			if err != nil {
+				return echo.NewHTTPError(http.StatusInternalServerError, "Failed to copy file").SetInternal(err)
+			}
+
+			resourceCreate = &api.ResourceCreate{
+				CreatorID:    userID,
+				Filename:     filename,
+				Type:         filetype,
+				Size:         size,
+				InternalPath: filePath,
+			}
+		} else {
+			storage, err := s.Store.FindStorage(ctx, &api.StorageFind{ID: &storageServiceID})
+			if err != nil {
+				return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find storage").SetInternal(err)
+			}
+
+			if storage.Type == api.StorageS3 {
+				s3Config := storage.Config.S3Config
+				s3Client, err := s3.NewClient(ctx, &s3.Config{
+					AccessKey: s3Config.AccessKey,
+					SecretKey: s3Config.SecretKey,
+					EndPoint:  s3Config.EndPoint,
+					Region:    s3Config.Region,
+					Bucket:    s3Config.Bucket,
+					URLPrefix: s3Config.URLPrefix,
+					URLSuffix: s3Config.URLSuffix,
+				})
+				if err != nil {
+					return echo.NewHTTPError(http.StatusInternalServerError, "Failed to new s3 client").SetInternal(err)
+				}
+
+				filePath := s3Config.Path
+				if !strings.Contains(filePath, "{filename}") {
+					filePath = path.Join(filePath, "{filename}")
+				}
+				filePath = replacePathTemplate(filePath, file.Filename)
+				_, filename := filepath.Split(filePath)
+				link, err := s3Client.UploadFile(ctx, filePath, filetype, sourceFile)
+				if err != nil {
+					return echo.NewHTTPError(http.StatusInternalServerError, "Failed to upload via s3 client").SetInternal(err)
+				}
+				resourceCreate = &api.ResourceCreate{
+					CreatorID:    userID,
+					Filename:     filename,
+					Type:         filetype,
+					ExternalLink: link,
+				}
+			} else {
+				return echo.NewHTTPError(http.StatusInternalServerError, "Unsupported storage type")
+			}
 		}

-		resourceCreate := &api.ResourceCreate{
-			Filename:  filename,
-			Type:      filetype,
-			Size:      size,
-			Blob:      fileBytes,
-			CreatorID: userID,
-		}
-
-		resource, err := s.Store.CreateResource(resourceCreate)
+		publicID := common.GenUUID()
+		resourceCreate.PublicID = publicID
+		resource, err := s.Store.CreateResource(ctx, resourceCreate)
 		if err != nil {
 			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create resource").SetInternal(err)
 		}
-
-		c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationJSONCharsetUTF8)
-		if err := json.NewEncoder(c.Response().Writer).Encode(composeResponse(resource)); err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to encode resource response").SetInternal(err)
+		if err := s.createResourceCreateActivity(c, resource); err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create activity").SetInternal(err)
 		}
-		return nil
+		return c.JSON(http.StatusOK, composeResponse(resource))
 	})

 	g.GET("/resource", func(c echo.Context) error {
-		userID := c.Get(getUserIDContextKey()).(int)
+		ctx := c.Request().Context()
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
 		resourceFind := &api.ResourceFind{
 			CreatorID: &userID,
 		}
-		list, err := s.Store.FindResourceList(resourceFind)
+		if limit, err := strconv.Atoi(c.QueryParam("limit")); err == nil {
+			resourceFind.Limit = &limit
+		}
+		if offset, err := strconv.Atoi(c.QueryParam("offset")); err == nil {
+			resourceFind.Offset = &offset
+		}
+
+		list, err := s.Store.FindResourceList(ctx, resourceFind)
 		if err != nil {
 			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to fetch resource list").SetInternal(err)
 		}
-
-		c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationJSONCharsetUTF8)
-		if err := json.NewEncoder(c.Response().Writer).Encode(composeResponse(list)); err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to encode resource list response").SetInternal(err)
-		}
-		return nil
+		return c.JSON(http.StatusOK, composeResponse(list))
 	})

-	g.GET("/resource/:resourceId", func(c echo.Context) error {
+	g.PATCH("/resource/:resourceId", func(c echo.Context) error {
+		ctx := c.Request().Context()
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
+
 		resourceID, err := strconv.Atoi(c.Param("resourceId"))
 		if err != nil {
 			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("resourceId"))).SetInternal(err)
 		}

-		userID := c.Get(getUserIDContextKey()).(int)
 		resourceFind := &api.ResourceFind{
-			ID:        &resourceID,
-			CreatorID: &userID,
+			ID: &resourceID,
 		}
-		resource, err := s.Store.FindResource(resourceFind)
+		resource, err := s.Store.FindResource(ctx, resourceFind)
 		if err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to fetch resource").SetInternal(err)
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find resource").SetInternal(err)
+		}
+		if resource.CreatorID != userID {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
 		}

-		c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationJSONCharsetUTF8)
-		if err := json.NewEncoder(c.Response().Writer).Encode(composeResponse(resource)); err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to encode resource response").SetInternal(err)
+		currentTs := time.Now().Unix()
+		resourcePatch := &api.ResourcePatch{
+			UpdatedTs: &currentTs,
+		}
+		if err := json.NewDecoder(c.Request().Body).Decode(resourcePatch); err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, "Malformatted patch resource request").SetInternal(err)
 		}
-		return nil
-	})

-	g.GET("/resource/:resourceId/blob", func(c echo.Context) error {
-		resourceID, err := strconv.Atoi(c.Param("resourceId"))
+		if resourcePatch.ResetPublicID != nil && *resourcePatch.ResetPublicID {
+			publicID := common.GenUUID()
+			resourcePatch.PublicID = &publicID
+		}
+
+		resourcePatch.ID = resourceID
+		resource, err = s.Store.PatchResource(ctx, resourcePatch)
 		if err != nil {
-			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("resourceId"))).SetInternal(err)
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to patch resource").SetInternal(err)
 		}
-
-		userID := c.Get(getUserIDContextKey()).(int)
-		resourceFind := &api.ResourceFind{
-			ID:        &resourceID,
-			CreatorID: &userID,
-		}
-		resource, err := s.Store.FindResource(resourceFind)
-		if err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to fetch resource").SetInternal(err)
-		}
-
-		c.Response().Writer.WriteHeader(http.StatusOK)
-		c.Response().Writer.Header().Set("Content-Type", resource.Type)
-		c.Response().Writer.Write(resource.Blob)
-		return nil
+		return c.JSON(http.StatusOK, composeResponse(resource))
 	})

 	g.DELETE("/resource/:resourceId", func(c echo.Context) error {
+		ctx := c.Request().Context()
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
+
 		resourceID, err := strconv.Atoi(c.Param("resourceId"))
 		if err != nil {
 			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("resourceId"))).SetInternal(err)
 		}

+		resource, err := s.Store.FindResource(ctx, &api.ResourceFind{
+			ID:        &resourceID,
+			CreatorID: &userID,
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find resource").SetInternal(err)
+		}
+		if resource.CreatorID != userID {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+		}
+
+		if resource.InternalPath != "" {
+			err := os.Remove(resource.InternalPath)
+			if err != nil {
+				log.Warn(fmt.Sprintf("failed to delete local file with path %s", resource.InternalPath), zap.Error(err))
+			}
+		}
+
 		resourceDelete := &api.ResourceDelete{
 			ID: resourceID,
 		}
-		if err := s.Store.DeleteResource(resourceDelete); err != nil {
+		if err := s.Store.DeleteResource(ctx, resourceDelete); err != nil {
+			if common.ErrorCode(err) == common.NotFound {
+				return echo.NewHTTPError(http.StatusNotFound, fmt.Sprintf("Resource ID not found: %d", resourceID))
+			}
 			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to delete resource").SetInternal(err)
 		}
-
-		c.JSON(http.StatusOK, true)
-		return nil
+		return c.JSON(http.StatusOK, true)
 	})
 }
+
+func (s *Server) registerResourcePublicRoutes(g *echo.Group) {
+	g.GET("/r/:resourceId/:publicId", func(c echo.Context) error {
+		ctx := c.Request().Context()
+		resourceID, err := strconv.Atoi(c.Param("resourceId"))
+		if err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("resourceId"))).SetInternal(err)
+		}
+		publicID, err := url.QueryUnescape(c.Param("publicId"))
+		if err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("publicID is invalid: %s", c.Param("publicId"))).SetInternal(err)
+		}
+		resourceFind := &api.ResourceFind{
+			ID:       &resourceID,
+			PublicID: &publicID,
+			GetBlob:  true,
+		}
+		resource, err := s.Store.FindResource(ctx, resourceFind)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to find resource by ID: %v", resourceID)).SetInternal(err)
+		}
+
+		if resource.ExternalLink != "" {
+			return c.Redirect(http.StatusSeeOther, resource.ExternalLink)
+		}
+
+		blob := resource.Blob
+		if resource.InternalPath != "" {
+			src, err := os.Open(resource.InternalPath)
+			if err != nil {
+				return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to open the local resource: %s", resource.InternalPath)).SetInternal(err)
+			}
+			defer src.Close()
+			blob, err = io.ReadAll(src)
+			if err != nil {
+				return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to read the local resource: %s", resource.InternalPath)).SetInternal(err)
+			}
+		}
+
+		c.Response().Writer.Header().Set(echo.HeaderCacheControl, "max-age=31536000, immutable")
+		c.Response().Writer.Header().Set(echo.HeaderContentSecurityPolicy, "default-src 'self'")
+		resourceType := strings.ToLower(resource.Type)
+		if strings.HasPrefix(resourceType, "text") {
+			resourceType = echo.MIMETextPlainCharsetUTF8
+		} else if strings.HasPrefix(resourceType, "video") || strings.HasPrefix(resourceType, "audio") {
+			http.ServeContent(c.Response(), c.Request(), resource.Filename, time.Unix(resource.UpdatedTs, 0), bytes.NewReader(blob))
+			return nil
+		}
+		return c.Stream(http.StatusOK, resourceType, bytes.NewReader(blob))
+	})
+}
+
+func (s *Server) createResourceCreateActivity(c echo.Context, resource *api.Resource) error {
+	ctx := c.Request().Context()
+	payload := api.ActivityResourceCreatePayload{
+		Filename: resource.Filename,
+		Type:     resource.Type,
+		Size:     resource.Size,
+	}
+	payloadBytes, err := json.Marshal(payload)
+	if err != nil {
+		return errors.Wrap(err, "failed to marshal activity payload")
+	}
+	activity, err := s.Store.CreateActivity(ctx, &api.ActivityCreate{
+		CreatorID: resource.CreatorID,
+		Type:      api.ActivityResourceCreate,
+		Level:     api.ActivityInfo,
+		Payload:   string(payloadBytes),
+	})
+	if err != nil || activity == nil {
+		return errors.Wrap(err, "failed to create activity")
+	}
+	return err
+}
+
+func replacePathTemplate(path string, filename string) string {
+	t := time.Now()
+	path = fileKeyPattern.ReplaceAllStringFunc(path, func(s string) string {
+		switch s {
+		case "{filename}":
+			return filename
+		case "{timestamp}":
+			return fmt.Sprintf("%d", t.Unix())
+		case "{year}":
+			return fmt.Sprintf("%d", t.Year())
+		case "{month}":
+			return fmt.Sprintf("%02d", t.Month())
+		case "{day}":
+			return fmt.Sprintf("%02d", t.Day())
+		case "{hour}":
+			return fmt.Sprintf("%02d", t.Hour())
+		case "{minute}":
+			return fmt.Sprintf("%02d", t.Minute())
+		case "{second}":
+			return fmt.Sprintf("%02d", t.Second())
+		}
+		return s
+	})
+	return path
+}
--- a/server/rss.go
+++ b/server/rss.go
@@ -0,0 +1,174 @@
+package server
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/gorilla/feeds"
+	"github.com/labstack/echo/v4"
+	"github.com/usememos/memos/api"
+)
+
+func (s *Server) registerRSSRoutes(g *echo.Group) {
+	g.GET("/explore/rss.xml", func(c echo.Context) error {
+		ctx := c.Request().Context()
+
+		systemCustomizedProfile, err := getSystemCustomizedProfile(ctx, s)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to get system customized profile").SetInternal(err)
+		}
+
+		normalStatus := api.Normal
+		memoFind := api.MemoFind{
+			RowStatus: &normalStatus,
+			VisibilityList: []api.Visibility{
+				api.Public,
+			},
+		}
+		memoList, err := s.Store.FindMemoList(ctx, &memoFind)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find memo list").SetInternal(err)
+		}
+
+		baseURL := c.Scheme() + "://" + c.Request().Host
+		rss, err := generateRSSFromMemoList(memoList, baseURL, systemCustomizedProfile)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to generate rss").SetInternal(err)
+		}
+
+		c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationXMLCharsetUTF8)
+		return c.String(http.StatusOK, rss)
+	})
+
+	g.GET("/u/:id/rss.xml", func(c echo.Context) error {
+		ctx := c.Request().Context()
+
+		systemCustomizedProfile, err := getSystemCustomizedProfile(ctx, s)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to get system customized profile").SetInternal(err)
+		}
+
+		id, err := strconv.Atoi(c.Param("id"))
+		if err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, "User id is not a number").SetInternal(err)
+		}
+
+		normalStatus := api.Normal
+		memoFind := api.MemoFind{
+			CreatorID: &id,
+			RowStatus: &normalStatus,
+			VisibilityList: []api.Visibility{
+				api.Public,
+			},
+		}
+		memoList, err := s.Store.FindMemoList(ctx, &memoFind)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find memo list").SetInternal(err)
+		}
+
+		baseURL := c.Scheme() + "://" + c.Request().Host
+
+		rss, err := generateRSSFromMemoList(memoList, baseURL, systemCustomizedProfile)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to generate rss").SetInternal(err)
+		}
+		c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationXMLCharsetUTF8)
+		return c.String(http.StatusOK, rss)
+	})
+}
+
+const MaxRSSItemCount = 100
+const MaxRSSItemTitleLength = 100
+
+func generateRSSFromMemoList(memoList []*api.Memo, baseURL string, profile *api.CustomizedProfile) (string, error) {
+	feed := &feeds.Feed{
+		Title:       profile.Name,
+		Link:        &feeds.Link{Href: baseURL},
+		Description: profile.Description,
+		Created:     time.Now(),
+	}
+
+	var itemCountLimit = min(len(memoList), MaxRSSItemCount)
+
+	feed.Items = make([]*feeds.Item, itemCountLimit)
+
+	for i := 0; i < itemCountLimit; i++ {
+		memo := memoList[i]
+
+		feed.Items[i] = &feeds.Item{
+			Title:       getRSSItemTitle(memo.Content),
+			Link:        &feeds.Link{Href: baseURL + "/m/" + strconv.Itoa(memo.ID)},
+			Description: getRSSItemDescription(memo.Content),
+			Created:     time.Unix(memo.CreatedTs, 0),
+		}
+	}
+
+	rss, err := feed.ToRss()
+	if err != nil {
+		return "", err
+	}
+	return rss, nil
+}
+
+func getSystemCustomizedProfile(ctx context.Context, s *Server) (*api.CustomizedProfile, error) {
+	customizedProfile := &api.CustomizedProfile{
+		Name:        "memos",
+		LogoURL:     "",
+		Description: "",
+		Locale:      "en",
+		Appearance:  "system",
+		ExternalURL: "",
+	}
+	systemSetting, err := s.Store.FindSystemSetting(ctx, &api.SystemSettingFind{
+		Name: api.SystemSettingCustomizedProfileName,
+	})
+	if err != nil {
+		return customizedProfile, err
+	}
+
+	err = json.Unmarshal([]byte(systemSetting.Value), customizedProfile)
+	if err != nil {
+		return customizedProfile, err
+	}
+	return customizedProfile, nil
+}
+
+func min(a, b int) int {
+	if a < b {
+		return a
+	}
+	return b
+}
+
+func getRSSItemTitle(content string) string {
+	var title string
+	if isTitleDefined(content) {
+		title = strings.Split(content, "\n")[0][2:]
+	} else {
+		title = strings.Split(content, "\n")[0]
+		var titleLengthLimit = min(len(title), MaxRSSItemTitleLength)
+		if titleLengthLimit < len(title) {
+			title = title[:titleLengthLimit] + "..."
+		}
+	}
+	return title
+}
+
+func getRSSItemDescription(content string) string {
+	var description string
+	if isTitleDefined(content) {
+		var firstLineEnd = strings.Index(content, "\n")
+		description = strings.Trim(content[firstLineEnd+1:], " ")
+	} else {
+		description = content
+	}
+	return description
+}
+
+func isTitleDefined(content string) bool {
+	return strings.HasPrefix(content, "# ")
+}
--- a/server/server.go
+++ b/server/server.go
@@ -1,80 +1,163 @@
 package server

 import (
+	"context"
+	"database/sql"
+	"encoding/json"
 	"fmt"
-	"memos/server/profile"
-	"memos/store"
 	"time"

-	"github.com/gorilla/securecookie"
-	"github.com/gorilla/sessions"
-	"github.com/labstack/echo-contrib/session"
+	"github.com/pkg/errors"
+	"github.com/usememos/memos/api"
+	"github.com/usememos/memos/server/profile"
+	"github.com/usememos/memos/store"
+	"github.com/usememos/memos/store/db"
+
 	"github.com/labstack/echo/v4"
 	"github.com/labstack/echo/v4/middleware"
 )

 type Server struct {
-	e *echo.Echo
+	e  *echo.Echo
+	db *sql.DB

+	ID      string
 	Profile *profile.Profile
-
-	Store *store.Store
+	Store   *store.Store
 }

-func NewServer(profile *profile.Profile) *Server {
+func NewServer(ctx context.Context, profile *profile.Profile) (*Server, error) {
 	e := echo.New()
 	e.Debug = true
 	e.HideBanner = true
 	e.HidePort = true

+	db := db.NewDB(profile)
+	if err := db.Open(ctx); err != nil {
+		return nil, errors.Wrap(err, "cannot open db")
+	}
+
+	s := &Server{
+		e:       e,
+		db:      db.DBInstance,
+		Profile: profile,
+	}
+	storeInstance := store.New(db.DBInstance, profile)
+	s.Store = storeInstance
+
 	e.Use(middleware.LoggerWithConfig(middleware.LoggerConfig{
-		Format: "${method} ${uri} ${status}\n",
+		Format: `{"time":"${time_rfc3339}",` +
+			`"method":"${method}","uri":"${uri}",` +
+			`"status":${status},"error":"${error}"}` + "\n",
+	}))
+
+	e.Use(middleware.Gzip())
+
+	e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
+		Skipper:     s.defaultAuthSkipper,
+		TokenLookup: "cookie:_csrf",
+	}))
+
+	e.Use(middleware.CORS())
+
+	e.Use(middleware.SecureWithConfig(middleware.SecureConfig{
+		Skipper:            defaultGetRequestSkipper,
+		XSSProtection:      "1; mode=block",
+		ContentTypeNosniff: "nosniff",
+		XFrameOptions:      "SAMEORIGIN",
+		HSTSPreloadEnabled: false,
 	}))

 	e.Use(middleware.TimeoutWithConfig(middleware.TimeoutConfig{
-		Skipper:      middleware.DefaultSkipper,
 		ErrorMessage: "Request timeout",
 		Timeout:      30 * time.Second,
 	}))

-	e.Use(middleware.StaticWithConfig(middleware.StaticConfig{
-		Skipper: middleware.DefaultSkipper,
-		Root:    "web/dist",
-		Browse:  false,
-		HTML5:   true,
-	}))
+	serverID, err := s.getSystemServerID(ctx)
+	if err != nil {
+		return nil, err
+	}
+	s.ID = serverID

-	// In dev mode, set the const secret key to make login session persistence.
-	secret := []byte("usememos")
+	embedFrontend(e)
+
+	secret := "usememos"
 	if profile.Mode == "prod" {
-		secret = securecookie.GenerateRandomKey(16)
-	}
-	e.Use(session.Middleware(sessions.NewCookieStore(secret)))
-
-	s := &Server{
-		e:       e,
-		Profile: profile,
+		secret, err = s.getSystemSecretSessionName(ctx)
+		if err != nil {
+			return nil, err
+		}
 	}

-	// Webhooks api skips auth checker.
-	webhookGroup := e.Group("/h")
-	s.registerWebhookRoutes(webhookGroup)
+	rootGroup := e.Group("")
+	s.registerRSSRoutes(rootGroup)
+
+	publicGroup := e.Group("/o")
+	publicGroup.Use(func(next echo.HandlerFunc) echo.HandlerFunc {
+		return JWTMiddleware(s, next, secret)
+	})
+	registerGetterPublicRoutes(publicGroup)
+	s.registerResourcePublicRoutes(publicGroup)

 	apiGroup := e.Group("/api")
 	apiGroup.Use(func(next echo.HandlerFunc) echo.HandlerFunc {
-		return BasicAuthMiddleware(s, next)
+		return JWTMiddleware(s, next, secret)
 	})
 	s.registerSystemRoutes(apiGroup)
-	s.registerAuthRoutes(apiGroup)
+	s.registerAuthRoutes(apiGroup, secret)
 	s.registerUserRoutes(apiGroup)
 	s.registerMemoRoutes(apiGroup)
 	s.registerShortcutRoutes(apiGroup)
 	s.registerResourceRoutes(apiGroup)
 	s.registerTagRoutes(apiGroup)
+	s.registerStorageRoutes(apiGroup)
+	s.registerIdentityProviderRoutes(apiGroup)
+	s.registerOpenAIRoutes(apiGroup)

-	return s
+	return s, nil
 }

-func (server *Server) Run() error {
-	return server.e.Start(fmt.Sprintf(":%d", server.Profile.Port))
+func (s *Server) Start(ctx context.Context) error {
+	if err := s.createServerStartActivity(ctx); err != nil {
+		return errors.Wrap(err, "failed to create activity")
+	}
+	return s.e.Start(fmt.Sprintf(":%d", s.Profile.Port))
+}
+
+func (s *Server) Shutdown(ctx context.Context) {
+	ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
+	defer cancel()
+
+	// Shutdown echo server
+	if err := s.e.Shutdown(ctx); err != nil {
+		fmt.Printf("failed to shutdown server, error: %v\n", err)
+	}
+
+	// Close database connection
+	if err := s.db.Close(); err != nil {
+		fmt.Printf("failed to close database, error: %v\n", err)
+	}
+
+	fmt.Printf("memos stopped properly\n")
+}
+
+func (s *Server) createServerStartActivity(ctx context.Context) error {
+	payload := api.ActivityServerStartPayload{
+		ServerID: s.ID,
+		Profile:  s.Profile,
+	}
+	payloadBytes, err := json.Marshal(payload)
+	if err != nil {
+		return errors.Wrap(err, "failed to marshal activity payload")
+	}
+	activity, err := s.Store.CreateActivity(ctx, &api.ActivityCreate{
+		CreatorID: api.UnknownID,
+		Type:      api.ActivityServerStart,
+		Level:     api.ActivityInfo,
+		Payload:   string(payloadBytes),
+	})
+	if err != nil || activity == nil {
+		return errors.Wrap(err, "failed to create activity")
+	}
+	return err
 }
--- a/server/shortcut.go
+++ b/server/shortcut.go
@@ -3,78 +3,46 @@ package server
 import (
 	"encoding/json"
 	"fmt"
-	"memos/api"
 	"net/http"
 	"strconv"
+	"time"
+
+	"github.com/pkg/errors"
+	"github.com/usememos/memos/api"
+	"github.com/usememos/memos/common"

 	"github.com/labstack/echo/v4"
 )

 func (s *Server) registerShortcutRoutes(g *echo.Group) {
 	g.POST("/shortcut", func(c echo.Context) error {
-		userID := c.Get(getUserIDContextKey()).(int)
-		shortcutCreate := &api.ShortcutCreate{
-			CreatorID: userID,
+		ctx := c.Request().Context()
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
 		}
+		shortcutCreate := &api.ShortcutCreate{}
 		if err := json.NewDecoder(c.Request().Body).Decode(shortcutCreate); err != nil {
 			return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post shortcut request").SetInternal(err)
 		}

-		shortcut, err := s.Store.CreateShortcut(shortcutCreate)
+		shortcutCreate.CreatorID = userID
+		shortcut, err := s.Store.CreateShortcut(ctx, shortcutCreate)
 		if err != nil {
 			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create shortcut").SetInternal(err)
 		}
-
-		c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationJSONCharsetUTF8)
-		if err := json.NewEncoder(c.Response().Writer).Encode(composeResponse(shortcut)); err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to encode shortcut response").SetInternal(err)
+		if err := s.createShortcutCreateActivity(c, shortcut); err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create activity").SetInternal(err)
 		}
-		return nil
+		return c.JSON(http.StatusOK, composeResponse(shortcut))
 	})

 	g.PATCH("/shortcut/:shortcutId", func(c echo.Context) error {
-		shortcutID, err := strconv.Atoi(c.Param("shortcutId"))
-		if err != nil {
-			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("shortcutId"))).SetInternal(err)
+		ctx := c.Request().Context()
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
 		}
-
-		shortcutPatch := &api.ShortcutPatch{
-			ID: shortcutID,
-		}
-		if err := json.NewDecoder(c.Request().Body).Decode(shortcutPatch); err != nil {
-			return echo.NewHTTPError(http.StatusBadRequest, "Malformatted patch shortcut request").SetInternal(err)
-		}
-
-		shortcut, err := s.Store.PatchShortcut(shortcutPatch)
-		if err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to patch shortcut").SetInternal(err)
-		}
-
-		c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationJSONCharsetUTF8)
-		if err := json.NewEncoder(c.Response().Writer).Encode(composeResponse(shortcut)); err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to encode shortcut response").SetInternal(err)
-		}
-		return nil
-	})
-
-	g.GET("/shortcut", func(c echo.Context) error {
-		userID := c.Get(getUserIDContextKey()).(int)
-		shortcutFind := &api.ShortcutFind{
-			CreatorID: &userID,
-		}
-		list, err := s.Store.FindShortcutList(shortcutFind)
-		if err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to fetch shortcut list").SetInternal(err)
-		}
-
-		c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationJSONCharsetUTF8)
-		if err := json.NewEncoder(c.Response().Writer).Encode(composeResponse(list)); err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to encode shortcut list response").SetInternal(err)
-		}
-		return nil
-	})
-
-	g.GET("/shortcut/:shortcutId", func(c echo.Context) error {
 		shortcutID, err := strconv.Atoi(c.Param("shortcutId"))
 		if err != nil {
 			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("shortcutId"))).SetInternal(err)
@@ -83,32 +51,117 @@ func (s *Server) registerShortcutRoutes(g *echo.Group) {
 		shortcutFind := &api.ShortcutFind{
 			ID: &shortcutID,
 		}
-		shortcut, err := s.Store.FindShortcut(shortcutFind)
+		shortcut, err := s.Store.FindShortcut(ctx, shortcutFind)
 		if err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to fetch shortcut by ID %d", *shortcutFind.ID)).SetInternal(err)
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find shortcut").SetInternal(err)
+		}
+		if shortcut.CreatorID != userID {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
 		}

-		c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationJSONCharsetUTF8)
-		if err := json.NewEncoder(c.Response().Writer).Encode(composeResponse(shortcut)); err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to encode shortcut response").SetInternal(err)
+		currentTs := time.Now().Unix()
+		shortcutPatch := &api.ShortcutPatch{
+			UpdatedTs: &currentTs,
 		}
-		return nil
+		if err := json.NewDecoder(c.Request().Body).Decode(shortcutPatch); err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, "Malformatted patch shortcut request").SetInternal(err)
+		}
+
+		shortcutPatch.ID = shortcutID
+		shortcut, err = s.Store.PatchShortcut(ctx, shortcutPatch)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to patch shortcut").SetInternal(err)
+		}
+		return c.JSON(http.StatusOK, composeResponse(shortcut))
 	})

-	g.DELETE("/shortcut/:shortcutId", func(c echo.Context) error {
+	g.GET("/shortcut", func(c echo.Context) error {
+		ctx := c.Request().Context()
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusBadRequest, "Missing user id to find shortcut")
+		}
+
+		shortcutFind := &api.ShortcutFind{
+			CreatorID: &userID,
+		}
+		list, err := s.Store.FindShortcutList(ctx, shortcutFind)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to fetch shortcut list").SetInternal(err)
+		}
+		return c.JSON(http.StatusOK, composeResponse(list))
+	})
+
+	g.GET("/shortcut/:shortcutId", func(c echo.Context) error {
+		ctx := c.Request().Context()
 		shortcutID, err := strconv.Atoi(c.Param("shortcutId"))
 		if err != nil {
 			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("shortcutId"))).SetInternal(err)
 		}

-		shortcutDelete := &api.ShortcutDelete{
-			ID: shortcutID,
+		shortcutFind := &api.ShortcutFind{
+			ID: &shortcutID,
 		}
-		if err := s.Store.DeleteShortcut(shortcutDelete); err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to delete shortcut").SetInternal(err)
+		shortcut, err := s.Store.FindShortcut(ctx, shortcutFind)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to fetch shortcut by ID %d", *shortcutFind.ID)).SetInternal(err)
+		}
+		return c.JSON(http.StatusOK, composeResponse(shortcut))
+	})
+
+	g.DELETE("/shortcut/:shortcutId", func(c echo.Context) error {
+		ctx := c.Request().Context()
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
+		shortcutID, err := strconv.Atoi(c.Param("shortcutId"))
+		if err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("shortcutId"))).SetInternal(err)
 		}

-		c.JSON(http.StatusOK, true)
-		return nil
+		shortcutFind := &api.ShortcutFind{
+			ID: &shortcutID,
+		}
+		shortcut, err := s.Store.FindShortcut(ctx, shortcutFind)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find shortcut").SetInternal(err)
+		}
+		if shortcut.CreatorID != userID {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+		}
+
+		shortcutDelete := &api.ShortcutDelete{
+			ID: &shortcutID,
+		}
+		if err := s.Store.DeleteShortcut(ctx, shortcutDelete); err != nil {
+			if common.ErrorCode(err) == common.NotFound {
+				return echo.NewHTTPError(http.StatusNotFound, fmt.Sprintf("Shortcut ID not found: %d", shortcutID))
+			}
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to delete shortcut").SetInternal(err)
+		}
+		return c.JSON(http.StatusOK, true)
 	})
 }
+
+func (s *Server) createShortcutCreateActivity(c echo.Context, shortcut *api.Shortcut) error {
+	ctx := c.Request().Context()
+	payload := api.ActivityShortcutCreatePayload{
+		Title:   shortcut.Title,
+		Payload: shortcut.Payload,
+	}
+	payloadBytes, err := json.Marshal(payload)
+	if err != nil {
+		return errors.Wrap(err, "failed to marshal activity payload")
+	}
+	activity, err := s.Store.CreateActivity(ctx, &api.ActivityCreate{
+		CreatorID: shortcut.CreatorID,
+		Type:      api.ActivityShortcutCreate,
+		Level:     api.ActivityInfo,
+		Payload:   string(payloadBytes),
+	})
+	if err != nil || activity == nil {
+		return errors.Wrap(err, "failed to create activity")
+	}
+	return err
+}
--- a/server/storage.go
+++ b/server/storage.go
@@ -0,0 +1,150 @@
+package server
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"strconv"
+
+	"github.com/labstack/echo/v4"
+	"github.com/usememos/memos/api"
+	"github.com/usememos/memos/common"
+)
+
+func (s *Server) registerStorageRoutes(g *echo.Group) {
+	g.POST("/storage", func(c echo.Context) error {
+		ctx := c.Request().Context()
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
+
+		user, err := s.Store.FindUser(ctx, &api.UserFind{
+			ID: &userID,
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+		}
+		if user == nil || user.Role != api.Host {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+		}
+
+		storageCreate := &api.StorageCreate{}
+		if err := json.NewDecoder(c.Request().Body).Decode(storageCreate); err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post storage request").SetInternal(err)
+		}
+
+		storage, err := s.Store.CreateStorage(ctx, storageCreate)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create storage").SetInternal(err)
+		}
+		return c.JSON(http.StatusOK, composeResponse(storage))
+	})
+
+	g.PATCH("/storage/:storageId", func(c echo.Context) error {
+		ctx := c.Request().Context()
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
+
+		user, err := s.Store.FindUser(ctx, &api.UserFind{
+			ID: &userID,
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+		}
+		if user == nil || user.Role != api.Host {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+		}
+
+		storageID, err := strconv.Atoi(c.Param("storageId"))
+		if err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("storageId"))).SetInternal(err)
+		}
+
+		storagePatch := &api.StoragePatch{
+			ID: storageID,
+		}
+		if err := json.NewDecoder(c.Request().Body).Decode(storagePatch); err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, "Malformatted patch storage request").SetInternal(err)
+		}
+
+		storage, err := s.Store.PatchStorage(ctx, storagePatch)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to patch storage").SetInternal(err)
+		}
+		return c.JSON(http.StatusOK, composeResponse(storage))
+	})
+
+	g.GET("/storage", func(c echo.Context) error {
+		ctx := c.Request().Context()
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
+
+		user, err := s.Store.FindUser(ctx, &api.UserFind{
+			ID: &userID,
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+		}
+		// We should only show storage list to host user.
+		if user == nil || user.Role != api.Host {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+		}
+
+		storageList, err := s.Store.FindStorageList(ctx, &api.StorageFind{})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find storage list").SetInternal(err)
+		}
+		return c.JSON(http.StatusOK, composeResponse(storageList))
+	})
+
+	g.DELETE("/storage/:storageId", func(c echo.Context) error {
+		ctx := c.Request().Context()
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
+
+		user, err := s.Store.FindUser(ctx, &api.UserFind{
+			ID: &userID,
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+		}
+		if user == nil || user.Role != api.Host {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+		}
+
+		storageID, err := strconv.Atoi(c.Param("storageId"))
+		if err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("storageId"))).SetInternal(err)
+		}
+
+		systemSetting, err := s.Store.FindSystemSetting(ctx, &api.SystemSettingFind{Name: api.SystemSettingStorageServiceIDName})
+		if err != nil && common.ErrorCode(err) != common.NotFound {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find storage").SetInternal(err)
+		}
+		if systemSetting != nil {
+			storageServiceID := api.DatabaseStorage
+			err = json.Unmarshal([]byte(systemSetting.Value), &storageServiceID)
+			if err != nil {
+				return echo.NewHTTPError(http.StatusInternalServerError, "Failed to unmarshal storage service id").SetInternal(err)
+			}
+			if storageServiceID == storageID {
+				return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("Storage service %d is using", storageID))
+			}
+		}
+
+		if err = s.Store.DeleteStorage(ctx, &api.StorageDelete{ID: storageID}); err != nil {
+			if common.ErrorCode(err) == common.NotFound {
+				return echo.NewHTTPError(http.StatusNotFound, fmt.Sprintf("Storage ID not found: %d", storageID))
+			}
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to delete storage").SetInternal(err)
+		}
+		return c.JSON(http.StatusOK, true)
+	})
+}
--- a/server/system.go
+++ b/server/system.go
@@ -1,46 +1,231 @@
 package server

 import (
+	"context"
 	"encoding/json"
-	"memos/api"
 	"net/http"
+	"os"
+
+	"github.com/google/uuid"
+	"github.com/usememos/memos/api"
+	"github.com/usememos/memos/common"

 	"github.com/labstack/echo/v4"
 )

 func (s *Server) registerSystemRoutes(g *echo.Group) {
 	g.GET("/ping", func(c echo.Context) error {
-		data := s.Profile
-
-		c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationJSONCharsetUTF8)
-		if err := json.NewEncoder(c.Response().Writer).Encode(composeResponse(data)); err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to compose system profile").SetInternal(err)
-		}
-		return nil
+		return c.JSON(http.StatusOK, composeResponse(s.Profile))
 	})

 	g.GET("/status", func(c echo.Context) error {
-		ownerUserType := api.Owner
-		ownerUserFind := api.UserFind{
-			Role: &ownerUserType,
+		ctx := c.Request().Context()
+		hostUserType := api.Host
+		hostUserFind := api.UserFind{
+			Role: &hostUserType,
 		}
-		ownerUser, err := s.Store.FindUser(&ownerUserFind)
-		if err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find owner user").SetInternal(err)
+		hostUser, err := s.Store.FindUser(ctx, &hostUserFind)
+		if err != nil && common.ErrorCode(err) != common.NotFound {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find host user").SetInternal(err)
 		}

-		// data desensitize
-		ownerUser.OpenID = ""
+		if hostUser != nil {
+			// data desensitize
+			hostUser.OpenID = ""
+			hostUser.Email = ""
+		}

 		systemStatus := api.SystemStatus{
-			Owner:   ownerUser,
-			Profile: s.Profile,
+			Host:               hostUser,
+			Profile:            *s.Profile,
+			DBSize:             0,
+			AllowSignUp:        false,
+			DisablePublicMemos: false,
+			AdditionalStyle:    "",
+			AdditionalScript:   "",
+			CustomizedProfile: api.CustomizedProfile{
+				Name:        "memos",
+				LogoURL:     "",
+				Description: "",
+				Locale:      "en",
+				Appearance:  "system",
+				ExternalURL: "",
+			},
+			StorageServiceID: api.DatabaseStorage,
+			LocalStoragePath: "",
 		}

-		c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationJSONCharsetUTF8)
-		if err := json.NewEncoder(c.Response().Writer).Encode(composeResponse(systemStatus)); err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to encode system status response").SetInternal(err)
+		systemSettingList, err := s.Store.FindSystemSettingList(ctx, &api.SystemSettingFind{})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find system setting list").SetInternal(err)
 		}
-		return nil
+		for _, systemSetting := range systemSettingList {
+			if systemSetting.Name == api.SystemSettingServerIDName || systemSetting.Name == api.SystemSettingSecretSessionName || systemSetting.Name == api.SystemSettingOpenAIConfigName {
+				continue
+			}
+
+			var baseValue any
+			err := json.Unmarshal([]byte(systemSetting.Value), &baseValue)
+			if err != nil {
+				return echo.NewHTTPError(http.StatusInternalServerError, "Failed to unmarshal system setting value").SetInternal(err)
+			}
+
+			if systemSetting.Name == api.SystemSettingAllowSignUpName {
+				systemStatus.AllowSignUp = baseValue.(bool)
+			} else if systemSetting.Name == api.SystemSettingDisablePublicMemosName {
+				systemStatus.DisablePublicMemos = baseValue.(bool)
+			} else if systemSetting.Name == api.SystemSettingAdditionalStyleName {
+				systemStatus.AdditionalStyle = baseValue.(string)
+			} else if systemSetting.Name == api.SystemSettingAdditionalScriptName {
+				systemStatus.AdditionalScript = baseValue.(string)
+			} else if systemSetting.Name == api.SystemSettingCustomizedProfileName {
+				customizedProfile := api.CustomizedProfile{}
+				err := json.Unmarshal([]byte(systemSetting.Value), &customizedProfile)
+				if err != nil {
+					return echo.NewHTTPError(http.StatusInternalServerError, "Failed to unmarshal system setting customized profile value").SetInternal(err)
+				}
+				systemStatus.CustomizedProfile = customizedProfile
+			} else if systemSetting.Name == api.SystemSettingStorageServiceIDName {
+				systemStatus.StorageServiceID = int(baseValue.(float64))
+			} else if systemSetting.Name == api.SystemSettingLocalStoragePathName {
+				systemStatus.LocalStoragePath = baseValue.(string)
+			}
+		}
+
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		// Get database size for host user.
+		if ok {
+			user, err := s.Store.FindUser(ctx, &api.UserFind{
+				ID: &userID,
+			})
+			if err != nil {
+				return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+			}
+			if user != nil && user.Role == api.Host {
+				fi, err := os.Stat(s.Profile.DSN)
+				if err != nil {
+					return echo.NewHTTPError(http.StatusInternalServerError, "Failed to read database fileinfo").SetInternal(err)
+				}
+				systemStatus.DBSize = fi.Size()
+			}
+		}
+		return c.JSON(http.StatusOK, composeResponse(systemStatus))
+	})
+
+	g.POST("/system/setting", func(c echo.Context) error {
+		ctx := c.Request().Context()
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
+
+		user, err := s.Store.FindUser(ctx, &api.UserFind{
+			ID: &userID,
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+		}
+		if user == nil || user.Role != api.Host {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+		}
+
+		systemSettingUpsert := &api.SystemSettingUpsert{}
+		if err := json.NewDecoder(c.Request().Body).Decode(systemSettingUpsert); err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post system setting request").SetInternal(err)
+		}
+		if err := systemSettingUpsert.Validate(); err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, "system setting invalidate").SetInternal(err)
+		}
+
+		systemSetting, err := s.Store.UpsertSystemSetting(ctx, systemSettingUpsert)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to upsert system setting").SetInternal(err)
+		}
+		return c.JSON(http.StatusOK, composeResponse(systemSetting))
+	})
+
+	g.GET("/system/setting", func(c echo.Context) error {
+		ctx := c.Request().Context()
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
+
+		user, err := s.Store.FindUser(ctx, &api.UserFind{
+			ID: &userID,
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+		}
+		if user == nil || user.Role != api.Host {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+		}
+
+		systemSettingList, err := s.Store.FindSystemSettingList(ctx, &api.SystemSettingFind{})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find system setting list").SetInternal(err)
+		}
+		return c.JSON(http.StatusOK, composeResponse(systemSettingList))
+	})
+
+	g.POST("/system/vacuum", func(c echo.Context) error {
+		ctx := c.Request().Context()
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
+
+		user, err := s.Store.FindUser(ctx, &api.UserFind{
+			ID: &userID,
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+		}
+		if user == nil || user.Role != api.Host {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+		}
+
+		if err := s.Store.Vacuum(ctx); err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to vacuum database").SetInternal(err)
+		}
+		return c.JSON(http.StatusOK, true)
 	})
 }
+
+func (s *Server) getSystemServerID(ctx context.Context) (string, error) {
+	serverIDValue, err := s.Store.FindSystemSetting(ctx, &api.SystemSettingFind{
+		Name: api.SystemSettingServerIDName,
+	})
+	if err != nil && common.ErrorCode(err) != common.NotFound {
+		return "", err
+	}
+	if serverIDValue == nil || serverIDValue.Value == "" {
+		serverIDValue, err = s.Store.UpsertSystemSetting(ctx, &api.SystemSettingUpsert{
+			Name:  api.SystemSettingServerIDName,
+			Value: uuid.NewString(),
+		})
+		if err != nil {
+			return "", err
+		}
+	}
+	return serverIDValue.Value, nil
+}
+
+func (s *Server) getSystemSecretSessionName(ctx context.Context) (string, error) {
+	secretSessionNameValue, err := s.Store.FindSystemSetting(ctx, &api.SystemSettingFind{
+		Name: api.SystemSettingSecretSessionName,
+	})
+	if err != nil && common.ErrorCode(err) != common.NotFound {
+		return "", err
+	}
+	if secretSessionNameValue == nil || secretSessionNameValue.Value == "" {
+		secretSessionNameValue, err = s.Store.UpsertSystemSetting(ctx, &api.SystemSettingUpsert{
+			Name:  api.SystemSettingSecretSessionName,
+			Value: uuid.NewString(),
+		})
+		if err != nil {
+			return "", err
+		}
+	}
+	return secretSessionNameValue.Value, nil
+}
--- a/server/tag.go
+++ b/server/tag.go
@@ -2,16 +2,74 @@ package server

 import (
 	"encoding/json"
-	"memos/api"
+	"fmt"
 	"net/http"
 	"regexp"
+	"sort"
+
+	"github.com/pkg/errors"
+	"github.com/usememos/memos/api"
+	"github.com/usememos/memos/common"
+	"golang.org/x/exp/slices"

 	"github.com/labstack/echo/v4"
 )

 func (s *Server) registerTagRoutes(g *echo.Group) {
+	g.POST("/tag", func(c echo.Context) error {
+		ctx := c.Request().Context()
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
+
+		tagUpsert := &api.TagUpsert{}
+		if err := json.NewDecoder(c.Request().Body).Decode(tagUpsert); err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post tag request").SetInternal(err)
+		}
+		if tagUpsert.Name == "" {
+			return echo.NewHTTPError(http.StatusBadRequest, "Tag name shouldn't be empty")
+		}
+
+		tagUpsert.CreatorID = userID
+		tag, err := s.Store.UpsertTag(ctx, tagUpsert)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to upsert tag").SetInternal(err)
+		}
+		if err := s.createTagCreateActivity(c, tag); err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create activity").SetInternal(err)
+		}
+		return c.JSON(http.StatusOK, composeResponse(tag.Name))
+	})
+
 	g.GET("/tag", func(c echo.Context) error {
-		userID := c.Get(getUserIDContextKey()).(int)
+		ctx := c.Request().Context()
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusBadRequest, "Missing user id to find tag")
+		}
+
+		tagFind := &api.TagFind{
+			CreatorID: userID,
+		}
+		tagList, err := s.Store.FindTagList(ctx, tagFind)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find tag list").SetInternal(err)
+		}
+
+		tagNameList := []string{}
+		for _, tag := range tagList {
+			tagNameList = append(tagNameList, tag.Name)
+		}
+		return c.JSON(http.StatusOK, composeResponse(tagNameList))
+	})
+
+	g.GET("/tag/suggestion", func(c echo.Context) error {
+		ctx := c.Request().Context()
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusBadRequest, "Missing user session")
+		}
 		contentSearch := "#"
 		normalRowStatus := api.Normal
 		memoFind := api.MemoFind{
@@ -20,33 +78,100 @@ func (s *Server) registerTagRoutes(g *echo.Group) {
 			RowStatus:     &normalRowStatus,
 		}

-		memoList, err := s.Store.FindMemoList(&memoFind)
+		memoList, err := s.Store.FindMemoList(ctx, &memoFind)
 		if err != nil {
 			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find memo list").SetInternal(err)
 		}

-		tagMapSet := make(map[string]bool)
-
-		r, err := regexp.Compile("#(.+?) ")
-		if err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to compile regexp").SetInternal(err)
+		tagFind := &api.TagFind{
+			CreatorID: userID,
 		}
+		existTagList, err := s.Store.FindTagList(ctx, tagFind)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find tag list").SetInternal(err)
+		}
+		tagNameList := []string{}
+		for _, tag := range existTagList {
+			tagNameList = append(tagNameList, tag.Name)
+		}
+
+		tagMapSet := make(map[string]bool)
 		for _, memo := range memoList {
-			for _, rawTag := range r.FindAllString(memo.Content, -1) {
-				tag := r.ReplaceAllString(rawTag, "$1")
-				tagMapSet[tag] = true
+			for _, tag := range findTagListFromMemoContent(memo.Content) {
+				if !slices.Contains(tagNameList, tag) {
+					tagMapSet[tag] = true
+				}
 			}
 		}
-
 		tagList := []string{}
 		for tag := range tagMapSet {
 			tagList = append(tagList, tag)
 		}
+		sort.Strings(tagList)
+		return c.JSON(http.StatusOK, composeResponse(tagList))
+	})

-		c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationJSONCharsetUTF8)
-		if err := json.NewEncoder(c.Response().Writer).Encode(composeResponse(tagList)); err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to encode tags response").SetInternal(err)
+	g.POST("/tag/delete", func(c echo.Context) error {
+		ctx := c.Request().Context()
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
 		}
-		return nil
+
+		tagDelete := &api.TagDelete{}
+		if err := json.NewDecoder(c.Request().Body).Decode(tagDelete); err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post tag request").SetInternal(err)
+		}
+		if tagDelete.Name == "" {
+			return echo.NewHTTPError(http.StatusBadRequest, "Tag name shouldn't be empty")
+		}
+
+		tagDelete.CreatorID = userID
+		if err := s.Store.DeleteTag(ctx, tagDelete); err != nil {
+			if common.ErrorCode(err) == common.NotFound {
+				return echo.NewHTTPError(http.StatusNotFound, fmt.Sprintf("Tag name not found: %s", tagDelete.Name))
+			}
+			return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to delete tag name: %v", tagDelete.Name)).SetInternal(err)
+		}
+		return c.JSON(http.StatusOK, true)
 	})
 }
+
+var tagRegexp = regexp.MustCompile(`#([^\s#]+)`)
+
+func findTagListFromMemoContent(memoContent string) []string {
+	tagMapSet := make(map[string]bool)
+	matches := tagRegexp.FindAllStringSubmatch(memoContent, -1)
+	for _, v := range matches {
+		tagName := v[1]
+		tagMapSet[tagName] = true
+	}
+
+	tagList := []string{}
+	for tag := range tagMapSet {
+		tagList = append(tagList, tag)
+	}
+	sort.Strings(tagList)
+	return tagList
+}
+
+func (s *Server) createTagCreateActivity(c echo.Context, tag *api.Tag) error {
+	ctx := c.Request().Context()
+	payload := api.ActivityTagCreatePayload{
+		TagName: tag.Name,
+	}
+	payloadBytes, err := json.Marshal(payload)
+	if err != nil {
+		return errors.Wrap(err, "failed to marshal activity payload")
+	}
+	activity, err := s.Store.CreateActivity(ctx, &api.ActivityCreate{
+		CreatorID: tag.CreatorID,
+		Type:      api.ActivityTagCreate,
+		Level:     api.ActivityInfo,
+		Payload:   string(payloadBytes),
+	})
+	if err != nil || activity == nil {
+		return errors.Wrap(err, "failed to create activity")
+	}
+	return err
+}
--- a/server/tag_test.go
+++ b/server/tag_test.go
@@ -0,0 +1,47 @@
+package server
+
+import (
+	"testing"
+)
+
+func TestFindTagListFromMemoContent(t *testing.T) {
+	tests := []struct {
+		memoContent string
+		want        []string
+	}{
+		{
+			memoContent: "#tag1 ",
+			want:        []string{"tag1"},
+		},
+		{
+			memoContent: "#tag1 #tag2 ",
+			want:        []string{"tag1", "tag2"},
+		},
+		{
+			memoContent: "#tag1 #tag2 \n#tag3 ",
+			want:        []string{"tag1", "tag2", "tag3"},
+		},
+		{
+			memoContent: "#tag1 #tag2 \n#tag3 #tag4 ",
+			want:        []string{"tag1", "tag2", "tag3", "tag4"},
+		},
+		{
+			memoContent: "#tag1 #tag2 \n#tag3  #tag4 ",
+			want:        []string{"tag1", "tag2", "tag3", "tag4"},
+		},
+		{
+			memoContent: "#tag1 123123#tag2 \n#tag3  #tag4 ",
+			want:        []string{"tag1", "tag2", "tag3", "tag4"},
+		},
+		{
+			memoContent: "#tag1 http://123123.com?123123#tag2 \n#tag3  #tag4 http://123123.com?123123#tag2) ",
+			want:        []string{"tag1", "tag2", "tag2)", "tag3", "tag4"},
+		},
+	}
+	for _, test := range tests {
+		result := findTagListFromMemoContent(test.memoContent)
+		if len(result) != len(test.want) {
+			t.Errorf("Find tag list %s: got result %v, want %v.", test.memoContent, result, test.want)
+		}
+	}
+}
--- a/server/user.go
+++ b/server/user.go
@@ -3,10 +3,13 @@ package server
 import (
 	"encoding/json"
 	"fmt"
-	"memos/api"
-	"memos/common"
 	"net/http"
 	"strconv"
+	"time"
+
+	"github.com/pkg/errors"
+	"github.com/usememos/memos/api"
+	"github.com/usememos/memos/common"

 	"github.com/labstack/echo/v4"
 	"golang.org/x/crypto/bcrypt"
@@ -14,10 +17,33 @@ import (

 func (s *Server) registerUserRoutes(g *echo.Group) {
 	g.POST("/user", func(c echo.Context) error {
+		ctx := c.Request().Context()
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing auth session")
+		}
+		currentUser, err := s.Store.FindUser(ctx, &api.UserFind{
+			ID: &userID,
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user by id").SetInternal(err)
+		}
+		if currentUser.Role != api.Host {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Only Host user can create member")
+		}
+
 		userCreate := &api.UserCreate{}
 		if err := json.NewDecoder(c.Request().Body).Decode(userCreate); err != nil {
 			return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post user request").SetInternal(err)
 		}
+		if userCreate.Role == api.Host {
+			return echo.NewHTTPError(http.StatusForbidden, "Could not create host user")
+		}
+		userCreate.OpenID = common.GenUUID()
+
+		if err := userCreate.Validate(); err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, "Invalid user create format").SetInternal(err)
+		}

 		passwordHash, err := bcrypt.GenerateFromPassword([]byte(userCreate.Password), bcrypt.DefaultCost)
 		if err != nil {
@@ -25,62 +51,132 @@ func (s *Server) registerUserRoutes(g *echo.Group) {
 		}

 		userCreate.PasswordHash = string(passwordHash)
-		user, err := s.Store.CreateUser(userCreate)
+		user, err := s.Store.CreateUser(ctx, userCreate)
 		if err != nil {
 			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create user").SetInternal(err)
 		}
-
-		c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationJSONCharsetUTF8)
-		if err := json.NewEncoder(c.Response().Writer).Encode(composeResponse(user)); err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to encode user response").SetInternal(err)
+		if err := s.createUserCreateActivity(c, user); err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create activity").SetInternal(err)
 		}
-		return nil
+		return c.JSON(http.StatusOK, composeResponse(user))
 	})

 	g.GET("/user", func(c echo.Context) error {
-		userList, err := s.Store.FindUserList(&api.UserFind{})
+		ctx := c.Request().Context()
+		userList, err := s.Store.FindUserList(ctx, &api.UserFind{})
 		if err != nil {
 			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to fetch user list").SetInternal(err)
 		}

-		c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationJSONCharsetUTF8)
-		if err := json.NewEncoder(c.Response().Writer).Encode(composeResponse(userList)); err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to encode user list response").SetInternal(err)
+		for _, user := range userList {
+			// data desensitize
+			user.OpenID = ""
+			user.Email = ""
 		}
-		return nil
+		return c.JSON(http.StatusOK, composeResponse(userList))
+	})
+
+	g.POST("/user/setting", func(c echo.Context) error {
+		ctx := c.Request().Context()
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing auth session")
+		}
+
+		userSettingUpsert := &api.UserSettingUpsert{}
+		if err := json.NewDecoder(c.Request().Body).Decode(userSettingUpsert); err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post user setting upsert request").SetInternal(err)
+		}
+		if err := userSettingUpsert.Validate(); err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, "Invalid user setting format").SetInternal(err)
+		}
+
+		userSettingUpsert.UserID = userID
+		userSetting, err := s.Store.UpsertUserSetting(ctx, userSettingUpsert)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to upsert user setting").SetInternal(err)
+		}
+		return c.JSON(http.StatusOK, composeResponse(userSetting))
 	})

 	// GET /api/user/me is used to check if the user is logged in.
 	g.GET("/user/me", func(c echo.Context) error {
-		userSessionID := c.Get(getUserIDContextKey())
-		if userSessionID == nil {
+		ctx := c.Request().Context()
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
 			return echo.NewHTTPError(http.StatusUnauthorized, "Missing auth session")
 		}

-		userID := userSessionID.(int)
 		userFind := &api.UserFind{
 			ID: &userID,
 		}
-		user, err := s.Store.FindUser(userFind)
+		user, err := s.Store.FindUser(ctx, userFind)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+		}
+
+		userSettingList, err := s.Store.FindUserSettingList(ctx, &api.UserSettingFind{
+			UserID: userID,
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find userSettingList").SetInternal(err)
+		}
+		user.UserSettingList = userSettingList
+		return c.JSON(http.StatusOK, composeResponse(user))
+	})
+
+	g.GET("/user/:id", func(c echo.Context) error {
+		ctx := c.Request().Context()
+		id, err := strconv.Atoi(c.Param("id"))
+		if err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, "Malformatted user id").SetInternal(err)
+		}
+
+		user, err := s.Store.FindUser(ctx, &api.UserFind{
+			ID: &id,
+		})
 		if err != nil {
 			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to fetch user").SetInternal(err)
 		}

-		c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationJSONCharsetUTF8)
-		if err := json.NewEncoder(c.Response().Writer).Encode(composeResponse(user)); err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to encode user response").SetInternal(err)
+		if user != nil {
+			// data desensitize
+			user.OpenID = ""
+			user.Email = ""
 		}
-		return nil
+		return c.JSON(http.StatusOK, composeResponse(user))
 	})

-	g.PATCH("/user/me", func(c echo.Context) error {
-		userID := c.Get(getUserIDContextKey()).(int)
+	g.PATCH("/user/:id", func(c echo.Context) error {
+		ctx := c.Request().Context()
+		userID, err := strconv.Atoi(c.Param("id"))
+		if err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("id"))).SetInternal(err)
+		}
+		currentUserID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
+		currentUser, err := s.Store.FindUser(ctx, &api.UserFind{
+			ID: &currentUserID,
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+		}
+		if currentUser == nil {
+			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("Current session user not found with ID: %d", currentUserID)).SetInternal(err)
+		} else if currentUser.Role != api.Host && currentUserID != userID {
+			return echo.NewHTTPError(http.StatusForbidden, "Access forbidden for current session user").SetInternal(err)
+		}
+
+		currentTs := time.Now().Unix()
 		userPatch := &api.UserPatch{
-			ID: userID,
+			UpdatedTs: &currentTs,
 		}
 		if err := json.NewDecoder(c.Request().Body).Decode(userPatch); err != nil {
 			return echo.NewHTTPError(http.StatusBadRequest, "Malformatted patch user request").SetInternal(err)
 		}
+		userPatch.ID = userID

 		if userPatch.Password != nil && *userPatch.Password != "" {
 			passwordHash, err := bcrypt.GenerateFromPassword([]byte(*userPatch.Password), bcrypt.DefaultCost)
@@ -97,21 +193,32 @@ func (s *Server) registerUserRoutes(g *echo.Group) {
 			userPatch.OpenID = &openID
 		}

-		user, err := s.Store.PatchUser(userPatch)
+		if err := userPatch.Validate(); err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, "Invalid user patch format").SetInternal(err)
+		}
+
+		user, err := s.Store.PatchUser(ctx, userPatch)
 		if err != nil {
 			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to patch user").SetInternal(err)
 		}

-		c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationJSONCharsetUTF8)
-		if err := json.NewEncoder(c.Response().Writer).Encode(composeResponse(user)); err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to encode user response").SetInternal(err)
+		userSettingList, err := s.Store.FindUserSettingList(ctx, &api.UserSettingFind{
+			UserID: userID,
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find userSettingList").SetInternal(err)
 		}
-		return nil
+		user.UserSettingList = userSettingList
+		return c.JSON(http.StatusOK, composeResponse(user))
 	})

-	g.PATCH("/user/:userId", func(c echo.Context) error {
-		currentUserID := c.Get(getUserIDContextKey()).(int)
-		currentUser, err := s.Store.FindUser(&api.UserFind{
+	g.DELETE("/user/:id", func(c echo.Context) error {
+		ctx := c.Request().Context()
+		currentUserID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
+		currentUser, err := s.Store.FindUser(ctx, &api.UserFind{
 			ID: &currentUserID,
 		})
 		if err != nil {
@@ -119,41 +226,48 @@ func (s *Server) registerUserRoutes(g *echo.Group) {
 		}
 		if currentUser == nil {
 			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("Current session user not found with ID: %d", currentUserID)).SetInternal(err)
-		} else if currentUser.Role != api.Owner {
+		} else if currentUser.Role != api.Host {
 			return echo.NewHTTPError(http.StatusForbidden, "Access forbidden for current session user").SetInternal(err)
 		}

-		userID, err := strconv.Atoi(c.Param("userId"))
+		userID, err := strconv.Atoi(c.Param("id"))
 		if err != nil {
-			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("userId"))).SetInternal(err)
+			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("id"))).SetInternal(err)
 		}

-		userPatch := &api.UserPatch{
+		userDelete := &api.UserDelete{
 			ID: userID,
 		}
-		if err := json.NewDecoder(c.Request().Body).Decode(userPatch); err != nil {
-			return echo.NewHTTPError(http.StatusBadRequest, "Malformatted patch user request").SetInternal(err)
-		}
-
-		if userPatch.Password != nil && *userPatch.Password != "" {
-			passwordHash, err := bcrypt.GenerateFromPassword([]byte(*userPatch.Password), bcrypt.DefaultCost)
-			if err != nil {
-				return echo.NewHTTPError(http.StatusInternalServerError, "Failed to generate password hash").SetInternal(err)
+		if err := s.Store.DeleteUser(ctx, userDelete); err != nil {
+			if common.ErrorCode(err) == common.NotFound {
+				return echo.NewHTTPError(http.StatusNotFound, fmt.Sprintf("User ID not found: %d", userID))
 			}
-
-			passwordHashStr := string(passwordHash)
-			userPatch.PasswordHash = &passwordHashStr
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to delete user").SetInternal(err)
 		}

-		user, err := s.Store.PatchUser(userPatch)
-		if err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to patch user").SetInternal(err)
-		}
-
-		c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationJSONCharsetUTF8)
-		if err := json.NewEncoder(c.Response().Writer).Encode(composeResponse(user)); err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to encode user response").SetInternal(err)
-		}
-		return nil
+		return c.JSON(http.StatusOK, true)
 	})
 }
+
+func (s *Server) createUserCreateActivity(c echo.Context, user *api.User) error {
+	ctx := c.Request().Context()
+	payload := api.ActivityUserCreatePayload{
+		UserID:   user.ID,
+		Username: user.Username,
+		Role:     user.Role,
+	}
+	payloadBytes, err := json.Marshal(payload)
+	if err != nil {
+		return errors.Wrap(err, "failed to marshal activity payload")
+	}
+	activity, err := s.Store.CreateActivity(ctx, &api.ActivityCreate{
+		CreatorID: user.ID,
+		Type:      api.ActivityUserCreate,
+		Level:     api.ActivityInfo,
+		Payload:   string(payloadBytes),
+	})
+	if err != nil || activity == nil {
+		return errors.Wrap(err, "failed to create activity")
+	}
+	return err
+}
--- a/server/version/version.go
+++ b/server/version/version.go
@@ -0,0 +1,61 @@
+package version
+
+import (
+	"fmt"
+	"strings"
+
+	"golang.org/x/mod/semver"
+)
+
+// Version is the service current released version.
+// Semantic versioning: https://semver.org/
+var Version = "0.12.0"
+
+// DevVersion is the service current development version.
+var DevVersion = "0.12.0"
+
+func GetCurrentVersion(mode string) string {
+	if mode == "dev" || mode == "demo" {
+		return DevVersion
+	}
+	return Version
+}
+
+func GetMinorVersion(version string) string {
+	versionList := strings.Split(version, ".")
+	if len(versionList) < 3 {
+		return ""
+	}
+	return versionList[0] + "." + versionList[1]
+}
+
+func GetSchemaVersion(version string) string {
+	minorVersion := GetMinorVersion(version)
+	return minorVersion + ".0"
+}
+
+// IsVersionGreaterOrEqualThan returns true if version is greater than or equal to target.
+func IsVersionGreaterOrEqualThan(version, target string) bool {
+	return semver.Compare(fmt.Sprintf("v%s", version), fmt.Sprintf("v%s", target)) > -1
+}
+
+// IsVersionGreaterThan returns true if version is greater than target.
+func IsVersionGreaterThan(version, target string) bool {
+	return semver.Compare(fmt.Sprintf("v%s", version), fmt.Sprintf("v%s", target)) > 0
+}
+
+type SortVersion []string
+
+func (s SortVersion) Len() int {
+	return len(s)
+}
+
+func (s SortVersion) Swap(i, j int) {
+	s[i], s[j] = s[j], s[i]
+}
+
+func (s SortVersion) Less(i, j int) bool {
+	v1 := fmt.Sprintf("v%s", s[i])
+	v2 := fmt.Sprintf("v%s", s[j])
+	return semver.Compare(v1, v2) == -1
+}
--- a/server/version/version_test.go
+++ b/server/version/version_test.go
@@ -0,0 +1,93 @@
+package version
+
+import (
+	"sort"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestIsVersionGreaterOrEqualThan(t *testing.T) {
+	tests := []struct {
+		version string
+		target  string
+		want    bool
+	}{
+		{
+			version: "0.9.1",
+			target:  "0.9.1",
+			want:    true,
+		},
+		{
+			version: "0.10.0",
+			target:  "0.9.1",
+			want:    true,
+		},
+		{
+			version: "0.9.0",
+			target:  "0.9.1",
+			want:    false,
+		},
+	}
+	for _, test := range tests {
+		result := IsVersionGreaterOrEqualThan(test.version, test.target)
+		if result != test.want {
+			t.Errorf("got result %v, want %v.", result, test.want)
+		}
+	}
+}
+
+func TestIsVersionGreaterThan(t *testing.T) {
+	tests := []struct {
+		version string
+		target  string
+		want    bool
+	}{
+		{
+			version: "0.9.1",
+			target:  "0.9.1",
+			want:    false,
+		},
+		{
+			version: "0.10.0",
+			target:  "0.8.0",
+			want:    true,
+		},
+		{
+			version: "0.8.0",
+			target:  "0.10.0",
+			want:    false,
+		},
+		{
+			version: "0.9.0",
+			target:  "0.9.1",
+			want:    false,
+		},
+	}
+	for _, test := range tests {
+		result := IsVersionGreaterThan(test.version, test.target)
+		if result != test.want {
+			t.Errorf("got result %v, want %v.", result, test.want)
+		}
+	}
+}
+
+func TestSortVersion(t *testing.T) {
+	tests := []struct {
+		versionList []string
+		want        []string
+	}{
+		{
+			versionList: []string{"0.9.1", "0.10.0", "0.8.0"},
+			want:        []string{"0.8.0", "0.9.1", "0.10.0"},
+		},
+		{
+			versionList: []string{"1.9.1", "0.9.1", "0.10.0", "0.8.0"},
+			want:        []string{"0.8.0", "0.9.1", "0.10.0", "1.9.1"},
+		},
+	}
+	for _, test := range tests {
+		sort.Sort(SortVersion(test.versionList))
+		assert.Equal(t, test.versionList, test.want)
+	}
+}
--- a/server/webhook.go
+++ b/server/webhook.go
@@ -1,214 +0,0 @@
-package server
-
-import (
-	"encoding/json"
-	"fmt"
-	"io/ioutil"
-	"memos/api"
-	"net/http"
-	"strconv"
-
-	"github.com/labstack/echo/v4"
-)
-
-func (s *Server) registerWebhookRoutes(g *echo.Group) {
-	g.GET("/test", func(c echo.Context) error {
-		return c.HTML(http.StatusOK, "<strong>Hello, World!</strong>")
-	})
-
-	g.POST("/:openId/memo", func(c echo.Context) error {
-		openID := c.Param("openId")
-		userFind := &api.UserFind{
-			OpenID: &openID,
-		}
-		user, err := s.Store.FindUser(userFind)
-		if err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user by open_id").SetInternal(err)
-		}
-		if user == nil {
-			return echo.NewHTTPError(http.StatusNotFound, fmt.Sprintf("User openId not found: %s", openID))
-		}
-
-		memoCreate := &api.MemoCreate{
-			CreatorID: user.ID,
-		}
-		if err := json.NewDecoder(c.Request().Body).Decode(memoCreate); err != nil {
-			return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post memo request by open api").SetInternal(err)
-		}
-
-		memo, err := s.Store.CreateMemo(memoCreate)
-		if err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create memo").SetInternal(err)
-		}
-
-		c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationJSONCharsetUTF8)
-		if err := json.NewEncoder(c.Response().Writer).Encode(composeResponse(memo)); err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to encode memo response").SetInternal(err)
-		}
-		return nil
-	})
-
-	g.PATCH("/:openId/memo/:memoId", func(c echo.Context) error {
-		openID := c.Param("openId")
-		userFind := &api.UserFind{
-			OpenID: &openID,
-		}
-		user, err := s.Store.FindUser(userFind)
-		if err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user by open_id").SetInternal(err)
-		}
-		if user == nil {
-			return echo.NewHTTPError(http.StatusNotFound, fmt.Sprintf("User openId not found: %s", openID))
-		}
-
-		memoID, err := strconv.Atoi(c.Param("memoId"))
-		if err != nil {
-			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("memoId is not a number: %s", c.Param("memoId"))).SetInternal(err)
-		}
-
-		memoPatch := &api.MemoPatch{
-			ID: memoID,
-		}
-		if err := json.NewDecoder(c.Request().Body).Decode(memoPatch); err != nil {
-			return echo.NewHTTPError(http.StatusBadRequest, "Malformatted patch memo request by open api").SetInternal(err)
-		}
-
-		memo, err := s.Store.PatchMemo(memoPatch)
-		if err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to patch memo").SetInternal(err)
-		}
-
-		c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationJSONCharsetUTF8)
-		if err := json.NewEncoder(c.Response().Writer).Encode(composeResponse(memo)); err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to encode memo response").SetInternal(err)
-		}
-		return nil
-	})
-
-	g.GET("/:openId/memo", func(c echo.Context) error {
-		openID := c.Param("openId")
-		userFind := &api.UserFind{
-			OpenID: &openID,
-		}
-		user, err := s.Store.FindUser(userFind)
-		if err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user by open_id").SetInternal(err)
-		}
-		if user == nil {
-			return echo.NewHTTPError(http.StatusNotFound, fmt.Sprintf("Not found user with openid: %s", openID))
-		}
-
-		memoFind := &api.MemoFind{
-			CreatorID: &user.ID,
-		}
-		rowStatus := api.RowStatus(c.QueryParam("rowStatus"))
-		if rowStatus != "" {
-			memoFind.RowStatus = &rowStatus
-		}
-		pinnedStr := c.QueryParam("pinned")
-		if pinnedStr != "" {
-			pinned := pinnedStr == "true"
-			memoFind.Pinned = &pinned
-		}
-		tag := c.QueryParam("tag")
-		if tag != "" {
-			contentSearch := tag + " "
-			memoFind.ContentSearch = &contentSearch
-		}
-		if limit, err := strconv.Atoi(c.QueryParam("limit")); err == nil {
-			memoFind.Limit = limit
-		}
-		if offset, err := strconv.Atoi(c.QueryParam("offset")); err == nil {
-			memoFind.Offset = offset
-		}
-
-		list, err := s.Store.FindMemoList(memoFind)
-		if err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to fetch memo list").SetInternal(err)
-		}
-
-		c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationJSONCharsetUTF8)
-		if err := json.NewEncoder(c.Response().Writer).Encode(composeResponse(list)); err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to encode memo list response").SetInternal(err)
-		}
-		return nil
-	})
-
-	g.POST("/:openId/resource", func(c echo.Context) error {
-		openID := c.Param("openId")
-		userFind := &api.UserFind{
-			OpenID: &openID,
-		}
-		user, err := s.Store.FindUser(userFind)
-		if err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user by open_id").SetInternal(err)
-		}
-		if user == nil {
-			return echo.NewHTTPError(http.StatusNotFound, fmt.Sprintf("User openId not found: %s", openID))
-		}
-
-		if err := c.Request().ParseMultipartForm(64 << 20); err != nil {
-			return echo.NewHTTPError(http.StatusBadRequest, "Upload file overload max size").SetInternal(err)
-		}
-
-		file, err := c.FormFile("file")
-		if err != nil {
-			return echo.NewHTTPError(http.StatusBadRequest, "Upload file not found").SetInternal(err)
-		}
-
-		filename := file.Filename
-		filetype := file.Header.Get("Content-Type")
-		size := file.Size
-		src, err := file.Open()
-		if err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to open file").SetInternal(err)
-		}
-		defer src.Close()
-
-		fileBytes, err := ioutil.ReadAll(src)
-		if err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to read file").SetInternal(err)
-		}
-
-		resourceCreate := &api.ResourceCreate{
-			Filename:  filename,
-			Type:      filetype,
-			Size:      size,
-			Blob:      fileBytes,
-			CreatorID: user.ID,
-		}
-
-		resource, err := s.Store.CreateResource(resourceCreate)
-		if err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create resource").SetInternal(err)
-		}
-
-		c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationJSONCharsetUTF8)
-		if err := json.NewEncoder(c.Response().Writer).Encode(composeResponse(resource)); err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to encode resource response").SetInternal(err)
-		}
-		return nil
-	})
-
-	g.GET("/r/:resourceId/:filename", func(c echo.Context) error {
-		resourceID, err := strconv.Atoi(c.Param("resourceId"))
-		if err != nil {
-			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("resourceId"))).SetInternal(err)
-		}
-
-		filename := c.Param("filename")
-		resourceFind := &api.ResourceFind{
-			ID:       &resourceID,
-			Filename: &filename,
-		}
-		resource, err := s.Store.FindResource(resourceFind)
-		if err != nil {
-			return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to fetch resource ID: %v", resourceID)).SetInternal(err)
-		}
-
-		c.Response().Writer.WriteHeader(http.StatusOK)
-		c.Response().Writer.Header().Set("Content-Type", resource.Type)
-		c.Response().Writer.Write(resource.Blob)
-		return nil
-	})
-}
--- a/setup/setup.go
+++ b/setup/setup.go
@@ -0,0 +1,90 @@
+package setup
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"golang.org/x/crypto/bcrypt"
+
+	"github.com/usememos/memos/api"
+	"github.com/usememos/memos/common"
+)
+
+func Execute(
+	ctx context.Context,
+	store store,
+	hostUsername, hostPassword string,
+) error {
+	s := setupService{store: store}
+	return s.Setup(ctx, hostUsername, hostPassword)
+}
+
+type store interface {
+	FindUserList(ctx context.Context, find *api.UserFind) ([]*api.User, error)
+	CreateUser(ctx context.Context, create *api.UserCreate) (*api.User, error)
+}
+
+type setupService struct {
+	store store
+}
+
+func (s setupService) Setup(
+	ctx context.Context,
+	hostUsername, hostPassword string,
+) error {
+	if err := s.makeSureHostUserNotExists(ctx); err != nil {
+		return err
+	}
+
+	if err := s.createUser(ctx, hostUsername, hostPassword); err != nil {
+		return fmt.Errorf("create user: %w", err)
+	}
+	return nil
+}
+
+func (s setupService) makeSureHostUserNotExists(ctx context.Context) error {
+	hostUserType := api.Host
+	existedHostUsers, err := s.store.FindUserList(ctx, &api.UserFind{
+		Role: &hostUserType,
+	})
+	if err != nil {
+		return fmt.Errorf("find user list: %w", err)
+	}
+
+	if len(existedHostUsers) != 0 {
+		return errors.New("host user already exists")
+	}
+
+	return nil
+}
+
+func (s setupService) createUser(
+	ctx context.Context,
+	hostUsername, hostPassword string,
+) error {
+	userCreate := &api.UserCreate{
+		Username: hostUsername,
+		// The new signup user should be normal user by default.
+		Role:     api.Host,
+		Nickname: hostUsername,
+		Password: hostPassword,
+		OpenID:   common.GenUUID(),
+	}
+
+	if err := userCreate.Validate(); err != nil {
+		return fmt.Errorf("validate: %w", err)
+	}
+
+	passwordHash, err := bcrypt.GenerateFromPassword([]byte(hostPassword), bcrypt.DefaultCost)
+	if err != nil {
+		return fmt.Errorf("hash password: %w", err)
+	}
+
+	userCreate.PasswordHash = string(passwordHash)
+	if _, err := s.store.CreateUser(ctx, userCreate); err != nil {
+		return fmt.Errorf("create user: %w", err)
+	}
+
+	return nil
+}
--- a/setup/setup_test.go
+++ b/setup/setup_test.go
@@ -0,0 +1,181 @@
+package setup
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
+
+	"github.com/usememos/memos/api"
+)
+
+func TestSetupServiceMakeSureHostUserNotExists(t *testing.T) {
+	cc := map[string]struct {
+		setupStore  func(*storeMock)
+		expectedErr string
+	}{
+		"failed to get list": {
+			setupStore: func(m *storeMock) {
+				hostUserType := api.Host
+				m.
+					On("FindUserList", mock.Anything, &api.UserFind{
+						Role: &hostUserType,
+					}).
+					Return(nil, errors.New("fake error"))
+			},
+			expectedErr: "find user list: fake error",
+		},
+		"success, not empty": {
+			setupStore: func(m *storeMock) {
+				hostUserType := api.Host
+				m.
+					On("FindUserList", mock.Anything, &api.UserFind{
+						Role: &hostUserType,
+					}).
+					Return([]*api.User{
+						{},
+					}, nil)
+			},
+			expectedErr: "host user already exists",
+		},
+		"success, empty": {
+			setupStore: func(m *storeMock) {
+				hostUserType := api.Host
+				m.
+					On("FindUserList", mock.Anything, &api.UserFind{
+						Role: &hostUserType,
+					}).
+					Return(nil, nil)
+			},
+		},
+	}
+
+	for n, c := range cc {
+		c := c
+		t.Run(n, func(t *testing.T) {
+			sm := newStoreMock(t)
+			if c.setupStore != nil {
+				c.setupStore(sm)
+			}
+
+			srv := setupService{store: sm}
+			err := srv.makeSureHostUserNotExists(context.Background())
+			if c.expectedErr == "" {
+				assert.NoError(t, err)
+			} else {
+				assert.EqualError(t, err, c.expectedErr)
+			}
+		})
+	}
+}
+
+func TestSetupServiceCreateUser(t *testing.T) {
+	expectedCreated := &api.UserCreate{
+		Username: "demohero",
+		Role:     api.Host,
+		Nickname: "demohero",
+		Password: "123456",
+	}
+
+	userCreateMatcher := mock.MatchedBy(func(arg *api.UserCreate) bool {
+		return arg.Username == expectedCreated.Username &&
+			arg.Role == expectedCreated.Role &&
+			arg.Nickname == expectedCreated.Nickname &&
+			arg.Password == expectedCreated.Password &&
+			arg.PasswordHash != ""
+	})
+
+	cc := map[string]struct {
+		setupStore                 func(*storeMock)
+		hostUsername, hostPassword string
+		expectedErr                string
+	}{
+		`username == "", password == ""`: {
+			expectedErr: "validate: username is too short, minimum length is 3",
+		},
+		`username == "", password != ""`: {
+			hostPassword: expectedCreated.Password,
+			expectedErr:  "validate: username is too short, minimum length is 3",
+		},
+		`username != "", password == ""`: {
+			hostUsername: expectedCreated.Username,
+			expectedErr:  "validate: password is too short, minimum length is 6",
+		},
+		"failed to create": {
+			setupStore: func(m *storeMock) {
+				m.
+					On("CreateUser", mock.Anything, userCreateMatcher).
+					Return(nil, errors.New("fake error"))
+			},
+			hostUsername: expectedCreated.Username,
+			hostPassword: expectedCreated.Password,
+			expectedErr:  "create user: fake error",
+		},
+		"success": {
+			setupStore: func(m *storeMock) {
+				m.
+					On("CreateUser", mock.Anything, userCreateMatcher).
+					Return(nil, nil)
+			},
+			hostUsername: expectedCreated.Username,
+			hostPassword: expectedCreated.Password,
+		},
+	}
+
+	for n, c := range cc {
+		c := c
+		t.Run(n, func(t *testing.T) {
+			sm := newStoreMock(t)
+			if c.setupStore != nil {
+				c.setupStore(sm)
+			}
+
+			srv := setupService{store: sm}
+			err := srv.createUser(context.Background(), c.hostUsername, c.hostPassword)
+			if c.expectedErr == "" {
+				assert.NoError(t, err)
+			} else {
+				assert.EqualError(t, err, c.expectedErr)
+			}
+		})
+	}
+}
+
+type storeMock struct {
+	mock.Mock
+}
+
+func (m *storeMock) FindUserList(ctx context.Context, find *api.UserFind) ([]*api.User, error) {
+	ret := m.Called(ctx, find)
+
+	var u []*api.User
+	ret1 := ret.Get(0)
+	if ret1 != nil {
+		u = ret1.([]*api.User)
+	}
+
+	return u, ret.Error(1)
+}
+
+func (m *storeMock) CreateUser(ctx context.Context, create *api.UserCreate) (*api.User, error) {
+	ret := m.Called(ctx, create)
+
+	var u *api.User
+	ret1 := ret.Get(0)
+	if ret1 != nil {
+		u = ret1.(*api.User)
+	}
+
+	return u, ret.Error(1)
+}
+
+func newStoreMock(t *testing.T) *storeMock {
+	m := &storeMock{}
+	m.Mock.Test(t)
+
+	t.Cleanup(func() { m.AssertExpectations(t) })
+
+	return m
+}
--- a/store/activity.go
+++ b/store/activity.go
@@ -0,0 +1,89 @@
+package store
+
+import (
+	"context"
+	"database/sql"
+
+	"github.com/usememos/memos/api"
+)
+
+// activityRaw is the store model for an Activity.
+// Fields have exactly the same meanings as Activity.
+type activityRaw struct {
+	ID int
+
+	// Standard fields
+	CreatorID int
+	CreatedTs int64
+
+	// Domain specific fields
+	Type    api.ActivityType
+	Level   api.ActivityLevel
+	Payload string
+}
+
+// toActivity creates an instance of Activity based on the ActivityRaw.
+func (raw *activityRaw) toActivity() *api.Activity {
+	return &api.Activity{
+		ID: raw.ID,
+
+		CreatorID: raw.CreatorID,
+		CreatedTs: raw.CreatedTs,
+
+		Type:    raw.Type,
+		Level:   raw.Level,
+		Payload: raw.Payload,
+	}
+}
+
+// CreateActivity creates an instance of Activity.
+func (s *Store) CreateActivity(ctx context.Context, create *api.ActivityCreate) (*api.Activity, error) {
+	if s.profile.Mode == "prod" {
+		return nil, nil
+	}
+
+	tx, err := s.db.BeginTx(ctx, nil)
+	if err != nil {
+		return nil, FormatError(err)
+	}
+	defer tx.Rollback()
+
+	activityRaw, err := createActivity(ctx, tx, create)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := tx.Commit(); err != nil {
+		return nil, FormatError(err)
+	}
+
+	activity := activityRaw.toActivity()
+	return activity, nil
+}
+
+// createActivity creates a new activity.
+func createActivity(ctx context.Context, tx *sql.Tx, create *api.ActivityCreate) (*activityRaw, error) {
+	query := `
+		INSERT INTO activity (
+			creator_id, 
+			type, 
+			level, 
+			payload
+		)
+		VALUES (?, ?, ?, ?)
+		RETURNING id, type, level, payload, creator_id, created_ts
+	`
+	var activityRaw activityRaw
+	if err := tx.QueryRowContext(ctx, query, create.CreatorID, create.Type, create.Level, create.Payload).Scan(
+		&activityRaw.ID,
+		&activityRaw.Type,
+		&activityRaw.Level,
+		&activityRaw.Payload,
+		&activityRaw.CreatorID,
+		&activityRaw.CreatedTs,
+	); err != nil {
+		return nil, FormatError(err)
+	}
+
+	return &activityRaw, nil
+}
--- a/store/cache.go
+++ b/store/cache.go
@@ -0,0 +1,15 @@
+package store
+
+import (
+	"fmt"
+
+	"github.com/usememos/memos/api"
+)
+
+func getUserSettingCacheKey(userSetting userSettingRaw) string {
+	return fmt.Sprintf("%d-%s", userSetting.UserID, userSetting.Key.String())
+}
+
+func getUserSettingFindCacheKey(userSettingFind *api.UserSettingFind) string {
+	return fmt.Sprintf("%d-%s", userSettingFind.UserID, userSettingFind.Key.String())
+}
--- a/store/db/db.go
+++ b/store/db/db.go
@@ -1,17 +1,19 @@
 package db

 import (
+	"context"
 	"database/sql"
 	"embed"
 	"errors"
 	"fmt"
 	"io/fs"
-	"memos/common"
-	"memos/server/profile"
 	"os"
+	"regexp"
 	"sort"
+	"time"

-	_ "github.com/mattn/go-sqlite3"
+	"github.com/usememos/memos/server/profile"
+	"github.com/usememos/memos/server/version"
 )

 //go:embed migration
@@ -22,146 +24,227 @@ var seedFS embed.FS

 type DB struct {
 	// sqlite db connection instance
-	Db *sql.DB
-	// datasource name
-	DSN string
-	// mode should be prod or dev
-	mode string
+	DBInstance *sql.DB
+	profile    *profile.Profile
 }

 // NewDB returns a new instance of DB associated with the given datasource name.
 func NewDB(profile *profile.Profile) *DB {
 	db := &DB{
-		DSN:  profile.DSN,
-		mode: profile.Mode,
+		profile: profile,
 	}
 	return db
 }

-func (db *DB) Open() (err error) {
+func (db *DB) Open(ctx context.Context) (err error) {
 	// Ensure a DSN is set before attempting to open the database.
-	if db.DSN == "" {
+	if db.profile.DSN == "" {
 		return fmt.Errorf("dsn required")
 	}

-	// Connect to the database.
-	sqlDB, err := sql.Open("sqlite3", db.DSN)
+	// Connect to the database without foreign_key.
+	sqliteDB, err := sql.Open("sqlite3", db.profile.DSN+"?cache=shared&_foreign_keys=0&_journal_mode=WAL")
 	if err != nil {
-		return fmt.Errorf("failed to open db with dsn: %s, err: %w", db.DSN, err)
+		return fmt.Errorf("failed to open db with dsn: %s, err: %w", db.profile.DSN, err)
 	}
+	db.DBInstance = sqliteDB

-	db.Db = sqlDB
-	// If db file not exists, we should migrate and seed the database.
-	if _, err := os.Stat(db.DSN); errors.Is(err, os.ErrNotExist) {
-		if err := db.migrate(); err != nil {
-			return fmt.Errorf("failed to migrate: %w", err)
+	if db.profile.Mode == "prod" {
+		// If db file not exists, we should migrate the database.
+		if _, err := os.Stat(db.profile.DSN); errors.Is(err, os.ErrNotExist) {
+			if err := db.applyLatestSchema(ctx); err != nil {
+				return fmt.Errorf("failed to apply latest schema: %w", err)
+			}
 		}
-		// If mode is dev, then seed the database.
-		if db.mode == "dev" {
-			if err := db.seed(); err != nil {
-				return fmt.Errorf("failed to seed: %w", err)
+
+		currentVersion := version.GetCurrentVersion(db.profile.Mode)
+		migrationHistoryList, err := db.FindMigrationHistoryList(ctx, &MigrationHistoryFind{})
+		if err != nil {
+			return fmt.Errorf("failed to find migration history, err: %w", err)
+		}
+		if len(migrationHistoryList) == 0 {
+			_, err := db.UpsertMigrationHistory(ctx, &MigrationHistoryUpsert{
+				Version: currentVersion,
+			})
+			if err != nil {
+				return fmt.Errorf("failed to upsert migration history, err: %w", err)
+			}
+			return nil
+		}
+
+		migrationHistoryVersionList := []string{}
+		for _, migrationHistory := range migrationHistoryList {
+			migrationHistoryVersionList = append(migrationHistoryVersionList, migrationHistory.Version)
+		}
+		sort.Sort(version.SortVersion(migrationHistoryVersionList))
+		latestMigrationHistoryVersion := migrationHistoryVersionList[len(migrationHistoryVersionList)-1]
+
+		if version.IsVersionGreaterThan(version.GetSchemaVersion(currentVersion), latestMigrationHistoryVersion) {
+			minorVersionList := getMinorVersionList()
+
+			// backup the raw database file before migration
+			rawBytes, err := os.ReadFile(db.profile.DSN)
+			if err != nil {
+				return fmt.Errorf("failed to read raw database file, err: %w", err)
+			}
+			backupDBFilePath := fmt.Sprintf("%s/memos_%s_%d_backup.db", db.profile.Data, db.profile.Version, time.Now().Unix())
+			if err := os.WriteFile(backupDBFilePath, rawBytes, 0644); err != nil {
+				return fmt.Errorf("failed to write raw database file, err: %w", err)
+			}
+			println("succeed to copy a backup database file")
+
+			println("start migrate")
+			for _, minorVersion := range minorVersionList {
+				normalizedVersion := minorVersion + ".0"
+				if version.IsVersionGreaterThan(normalizedVersion, latestMigrationHistoryVersion) && version.IsVersionGreaterOrEqualThan(currentVersion, normalizedVersion) {
+					println("applying migration for", normalizedVersion)
+					if err := db.applyMigrationForMinorVersion(ctx, minorVersion); err != nil {
+						return fmt.Errorf("failed to apply minor version migration: %w", err)
+					}
+				}
+			}
+			println("end migrate")
+
+			// remove the created backup db file after migrate succeed
+			if err := os.Remove(backupDBFilePath); err != nil {
+				println(fmt.Sprintf("Failed to remove temp database file, err %v", err))
 			}
 		}
 	} else {
-		// If db file exists and mode is dev, we should migrate and seed the database.
-		if db.mode == "dev" {
-			if err := db.migrate(); err != nil {
-				return fmt.Errorf("failed to migrate: %w", err)
+		// In non-prod mode, we should always migrate the database.
+		if _, err := os.Stat(db.profile.DSN); errors.Is(err, os.ErrNotExist) {
+			if err := db.applyLatestSchema(ctx); err != nil {
+				return fmt.Errorf("failed to apply latest schema: %w", err)
 			}
-			if err := db.seed(); err != nil {
-				return fmt.Errorf("failed to seed: %w", err)
+			// In demo mode, we should seed the database.
+			if db.profile.Mode == "demo" {
+				if err := db.seed(ctx); err != nil {
+					return fmt.Errorf("failed to seed: %w", err)
+				}
 			}
 		}
 	}

-	return err
+	return nil
 }

-func (db *DB) migrate() error {
-	err := db.compareMigrationHistory()
-	if err != nil {
-		return fmt.Errorf("failed to compare migration history, err=%w", err)
+const (
+	latestSchemaFileName = "LATEST__SCHEMA.sql"
+)
+
+func (db *DB) applyLatestSchema(ctx context.Context) error {
+	schemaMode := "dev"
+	if db.profile.Mode == "prod" {
+		schemaMode = "prod"
 	}
-
-	filenames, err := fs.Glob(migrationFS, fmt.Sprintf("%s/*.sql", "migration"))
+	latestSchemaPath := fmt.Sprintf("%s/%s/%s", "migration", schemaMode, latestSchemaFileName)
+	buf, err := migrationFS.ReadFile(latestSchemaPath)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to read latest schema %q, error %w", latestSchemaPath, err)
 	}
-
-	sort.Strings(filenames)
-
-	// Loop over all migration files and execute them in order.
-	for _, filename := range filenames {
-		if err := db.executeFile(migrationFS, filename); err != nil {
-			return fmt.Errorf("migrate error: name=%q err=%w", filename, err)
-		}
+	stmt := string(buf)
+	if err := db.execute(ctx, stmt); err != nil {
+		return fmt.Errorf("migrate error: statement:%s err=%w", stmt, err)
 	}
 	return nil
 }

-func (db *DB) seed() error {
-	filenames, err := fs.Glob(seedFS, fmt.Sprintf("%s/*.sql", "seed"))
+func (db *DB) applyMigrationForMinorVersion(ctx context.Context, minorVersion string) error {
+	filenames, err := fs.Glob(migrationFS, fmt.Sprintf("%s/%s/*.sql", "migration/prod", minorVersion))
+	if err != nil {
+		return fmt.Errorf("failed to read ddl files, err: %w", err)
+	}
+
+	sort.Strings(filenames)
+	migrationStmt := ""
+
+	// Loop over all migration files and execute them in order.
+	for _, filename := range filenames {
+		buf, err := migrationFS.ReadFile(filename)
+		if err != nil {
+			return fmt.Errorf("failed to read minor version migration file, filename=%s err=%w", filename, err)
+		}
+		stmt := string(buf)
+		migrationStmt += stmt
+		if err := db.execute(ctx, stmt); err != nil {
+			return fmt.Errorf("migrate error: statement:%s err=%w", stmt, err)
+		}
+	}
+
+	tx, err := db.DBInstance.Begin()
 	if err != nil {
 		return err
 	}
+	defer tx.Rollback()
+
+	// upsert the newest version to migration_history
+	version := minorVersion + ".0"
+	if _, err = upsertMigrationHistory(ctx, tx, &MigrationHistoryUpsert{
+		Version: version,
+	}); err != nil {
+		return fmt.Errorf("failed to upsert migration history with version: %s, err: %w", version, err)
+	}
+
+	return tx.Commit()
+}
+
+func (db *DB) seed(ctx context.Context) error {
+	filenames, err := fs.Glob(seedFS, fmt.Sprintf("%s/*.sql", "seed"))
+	if err != nil {
+		return fmt.Errorf("failed to read seed files, err: %w", err)
+	}

 	sort.Strings(filenames)

 	// Loop over all seed files and execute them in order.
 	for _, filename := range filenames {
-		if err := db.executeFile(seedFS, filename); err != nil {
-			return fmt.Errorf("seed error: name=%q err=%w", filename, err)
+		buf, err := seedFS.ReadFile(filename)
+		if err != nil {
+			return fmt.Errorf("failed to read seed file, filename=%s err=%w", filename, err)
+		}
+		stmt := string(buf)
+		if err := db.execute(ctx, stmt); err != nil {
+			return fmt.Errorf("seed error: statement:%s err=%w", stmt, err)
 		}
 	}
 	return nil
 }

-// executeFile runs a single seed file within a transaction.
-func (db *DB) executeFile(FS embed.FS, name string) error {
-	tx, err := db.Db.Begin()
+// execute runs a single SQL statement within a transaction.
+func (db *DB) execute(ctx context.Context, stmt string) error {
+	tx, err := db.DBInstance.Begin()
 	if err != nil {
 		return err
 	}
 	defer tx.Rollback()

-	// Read and execute SQL file.
-	if buf, err := fs.ReadFile(FS, name); err != nil {
-		return err
-	} else if _, err := tx.Exec(string(buf)); err != nil {
-		return err
+	if _, err := tx.ExecContext(ctx, stmt); err != nil {
+		return fmt.Errorf("failed to execute statement, err: %w", err)
 	}

 	return tx.Commit()
 }

-// compareMigrationHistory compares migration history data
-func (db *DB) compareMigrationHistory() error {
-	table, err := findTable(db, "migration_history")
-	if err != nil {
-		return err
-	}
-	if table == nil {
-		createTable(db, `
-		CREATE TABLE migration_history (
-			version TEXT NOT NULL PRIMARY KEY,
-			created_ts BIGINT NOT NULL DEFAULT (strftime('%s', 'now'))
-		);
-		`)
-	}
+// minorDirRegexp is a regular expression for minor version directory.
+var minorDirRegexp = regexp.MustCompile(`^migration/prod/[0-9]+\.[0-9]+$`)

-	migrationHistoryList, err := findMigrationHistoryList(db)
-	if err != nil {
-		return err
-	}
+func getMinorVersionList() []string {
+	minorVersionList := []string{}

-	if len(migrationHistoryList) == 0 {
-		createMigrationHistory(db, common.Version)
-	} else {
-		migrationHistory := migrationHistoryList[0]
-		if migrationHistory.Version != common.Version {
-			createMigrationHistory(db, common.Version)
+	if err := fs.WalkDir(migrationFS, "migration", func(path string, file fs.DirEntry, err error) error {
+		if err != nil {
+			return err
 		}
+		if file.IsDir() && minorDirRegexp.MatchString(path) {
+			minorVersionList = append(minorVersionList, file.Name())
+		}
+
+		return nil
+	}); err != nil {
+		panic(err)
 	}

-	return nil
+	sort.Sort(version.SortVersion(minorVersionList))
+
+	return minorVersionList
 }
--- a/store/db/migration/10000__reset.sql
+++ b/store/db/migration/10000__reset.sql
@@ -1,5 +0,0 @@
-DROP TABLE IF EXISTS `memo_organizer`;
-DROP TABLE IF EXISTS `memo`;
-DROP TABLE IF EXISTS `shortcut`;
-DROP TABLE IF EXISTS `resource`;
-DROP TABLE IF EXISTS `user`;
--- a/Show More
+++ b/Show More