chore: fix filter initial state

* fix: wrong order in resource page timeline

* feat: add webhook when create memos using Telegram bot

* rename variables and fix typos for static checks

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -1,11 +1,11 @@
 name: Bug Report
-description: Create a report to help us improve
+description: If something isn't working as expected
 labels: [bug]
 body:
   - type: markdown
     attributes:
       value: |
-        If you are reporting a new issue, make sure that we do not have any duplicates already open. You can ensure this by searching the issue list for this repository. If there is a duplicate, please close your issue and add a comment to the existing issue instead.
+        Before submitting a bug report, please check if the issue is already present in the issues. If it is, please add a reaction to the issue. If it isn't, please fill out the form below.
   - type: textarea
     attributes:
       label: Describe the bug
@@ -24,8 +24,15 @@ body:
         3. See error
     validations:
       required: true
+  - type: input
+    attributes:
+      label: The version of Memos you're using
+      description: |
+        Provide the version of Memos you're using.
+    validations:
+      required: true
   - type: textarea
     attributes:
       label: Screenshots or additional context
       description: |
-        Add screenshots or any other context about the problem.
+        If applicable, add screenshots to help explain your problem. And add any other context about the problem here. Such as the device you're using, etc.

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1 @@
+blank_issues_enabled: false

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -1,28 +1,36 @@
 name: Feature Request
-description: Suggest an idea for this project
+description: If you have a suggestion for a new feature
 labels: [enhancement]
 body:
   - type: markdown
     attributes:
       value: |
-        Thanks for taking the time to suggest an idea for Memos!
-  - type: textarea
-    attributes:
-      label: Is your feature request related to a problem?
-      description: |
-        A clear and concise description of what the problem is.
-      placeholder: |
-        I'm always frustrated when [...]
-    validations:
-      required: true
+        Before submitting a feature request, please check if the issue is already present in the issues. If it is, please add a reaction to the issue. If it isn't, please fill out the form below.
   - type: textarea
     attributes:
       label: Describe the solution you'd like
       description: |
         A clear and concise description of what you want to happen.
+      placeholder: |
+        It would be great if [...]
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Type of feature
+      description: What type of feature is this?
+      options:
+        - User Interface (UI)
+        - User Experience (UX)
+        - API
+        - Documentation
+        - Integrations
+        - Other
+      default: 0
     validations:
       required: true
   - type: textarea
     attributes:
       label: Additional context
-      description: Add any other context or screenshots about the feature request.
+      description: |
+        What are you trying to do? Why is this important to you?

.github/workflows/backend-tests.yml

@@ -1,39 +1,45 @@
 name: Backend Test
 
 on:
+  push:
+    branches: [main]
   pull_request:
     branches:
       - main
       - "release/*.*.*"
+    paths:
+      - "go.mod"
+      - "go.sum"
+      - "**.go"
 
 jobs:
   go-static-checks:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
         with:
-          go-version: 1.19
+          go-version: 1.21
           check-latest: true
           cache: true
       - name: Verify go.mod is tidy
         run: |
-          go mod tidy -go=1.19
+          go mod tidy -go=1.21
           git diff --exit-code
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v3
         with:
-          version: v1.52.0
-          args: -v --timeout=3m
+          version: v1.54.1
+          args: --verbose --timeout=3m
           skip-cache: true
 
   go-tests:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
         with:
-          go-version: 1.19
+          go-version: 1.21
           check-latest: true
           cache: true
       - name: Run all tests

.github/workflows/build-and-push-release-image.yml

@@ -13,10 +13,10 @@ jobs:
       contents: read
       packages: write
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
 
       - name: Extract build args
         # Extract version from branch name
@@ -25,13 +25,13 @@ jobs:
           echo "VERSION=${GITHUB_REF_NAME#release/}" >> $GITHUB_ENV
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: neosmemo
           password: ${{ secrets.DOCKER_NEOSMEMO_TOKEN }}
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -39,31 +39,29 @@ jobs:
 
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           install: true
           version: v0.9.1
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: |
             neosmemo/memos
             ghcr.io/usememos/memos
           tags: |
-            type=raw,value=latest
             type=semver,pattern={{version}},value=${{ env.VERSION }}
             type=semver,pattern={{major}}.{{minor}},value=${{ env.VERSION }}
-            type=semver,pattern={{major}},value=${{ env.VERSION }}
 
       - name: Build and Push
         id: docker_build
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
         with:
           context: ./
           file: ./Dockerfile
-          platforms: linux/amd64,linux/arm64,linux/arm/v7
+          platforms: linux/amd64,linux/arm64
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}

.github/workflows/build-and-push-stable-image.yml

@@ -0,0 +1,61 @@
+name: build-and-push-stable-image
+
+on:
+  push:
+    branches:
+      - "stable"
+
+jobs:
+  build-and-push-release-image:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: neosmemo
+          password: ${{ secrets.DOCKER_NEOSMEMO_TOKEN }}
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          install: true
+          version: v0.9.1
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            neosmemo/memos
+            ghcr.io/usememos/memos
+          tags: |
+            type=raw,value=stable
+          flavor: |
+            latest=true
+
+      - name: Build and Push
+        id: docker_build
+        uses: docker/build-push-action@v5
+        with:
+          context: ./
+          file: ./Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

.github/workflows/build-and-push-test-image.yml

@@ -11,19 +11,19 @@ jobs:
       contents: read
       packages: write
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: neosmemo
           password: ${{ secrets.DOCKER_NEOSMEMO_TOKEN }}
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -31,14 +31,14 @@ jobs:
 
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           install: true
           version: v0.9.1
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: |
             neosmemo/memos
@@ -50,7 +50,7 @@ jobs:
 
       - name: Build and Push
         id: docker_build
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
         with:
           context: ./
           file: ./Dockerfile

.github/workflows/build-artifacts.yml

@@ -1,87 +0,0 @@
-name: build-artifacts
-
-on:
-  push:
-    branches:
-      # Run on pushing branches like `release/1.0.0`
-      - "release/*.*.*"
-
-jobs:
-  build-artifacts:
-    runs-on: ${{ matrix.os }}
-    strategy:
-      matrix:
-        os: [ubuntu-latest, macos-latest]
-        goarch: [amd64, arm64]
-        include:
-          - os: windows-latest
-            goos: windows
-            goarch: amd64
-            cgo_env: CC=x86_64-w64-mingw32-gcc
-
-    env:
-      GOOS: ${{ matrix.goos }}
-      GOARCH: ${{ matrix.goarch }}
-      CGO_ENABLED: 1
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v2
-
-      - name: Clone Memos
-        run: git clone https://github.com/usememos/memos.git
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v2
-        with:
-          node-version: "18"
-
-      - name: Build frontend (Windows)
-        if: matrix.os == 'windows-latest'
-        shell: pwsh
-        run: |
-          cd memos/web
-          npm install -g pnpm
-          pnpm i --frozen-lockfile
-          pnpm build
-          Remove-Item -Path ../server/dist -Recurse -Force
-          mv dist ../server/
-
-      - name: Build frontend (non-Windows)
-        if: matrix.os != 'windows-latest'
-        run: |
-          cd memos/web
-          npm install -g pnpm
-          pnpm i --frozen-lockfile
-          pnpm build
-          rm -rf ../server/dist
-          mv dist ../server/
-
-      - name: Setup Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: 1.19
-
-      - name: Install mingw-w64 (Windows)
-        if: matrix.os == 'windows-latest'
-        run: |
-          choco install mingw
-          echo ${{ matrix.cgo_env }} >> $GITHUB_ENV
-
-      - name: Install gcc-aarch64-linux-gnu (Ubuntu ARM64)
-        if: matrix.os == 'ubuntu-latest' && matrix.goarch == 'arm64'
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y gcc-aarch64-linux-gnu
-          echo "CC=aarch64-linux-gnu-gcc" >> $GITHUB_ENV
-
-      - name: Build backend
-        run: |
-          cd memos
-          go build -o memos-${{ matrix.goos }}-${{ matrix.goarch }}${{ matrix.os == 'windows-latest' && '.exe' || '' }} ./main.go
-
-      - name: Upload artifacts
-        uses: actions/upload-artifact@v2
-        with:
-          name: memos-binary-${{ matrix.os }}-${{ matrix.goarch }}
-          path: memos/memos-${{ matrix.goos }}-${{ matrix.goarch }}${{ matrix.os == 'windows-latest' && '.exe' || '' }}

.github/workflows/codeql.yml

@@ -17,6 +17,12 @@ on:
   pull_request:
     # The branches below must be a subset of the branches above
     branches: [main]
+    paths:
+      - "go.mod"
+      - "go.sum"
+      - "**.go"
+      - "proto/**"
+      - "web/**"
 
 jobs:
   analyze:
@@ -36,11 +42,11 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v1
+        uses: github/codeql-action/init@v2
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -51,7 +57,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v1
+        uses: github/codeql-action/autobuild@v2
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -65,4 +71,4 @@ jobs:
       #   make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v1
+        uses: github/codeql-action/analyze@v2

.github/workflows/e2e-test.yml

@@ -1,66 +0,0 @@
-name: "E2E Test"
-on:
-  push:
-    branches: [main]
-  pull_request:
-    branches: [main]
-jobs:
-  build:
-    name: Build and Run Memos With E2E Test
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: Build Docker image
-        id: docker_build
-        uses: docker/build-push-action@v3
-        with:
-          context: ./
-          file: ./Dockerfile
-          platforms: linux/amd64
-          push: false
-          tags: neosmemo/memos:e2e
-          labels: neosmemo/memos:e2e
-
-      - name: Run Docker container
-        run: docker run -d -p 5230:5230 neosmemo/memos:e2e
-
-      - uses: pnpm/action-setup@v2.2.4
-        with:
-          version: 8.0.0
-
-      - uses: actions/setup-node@v3
-        with:
-          node-version: 18
-          cache: "pnpm"
-          cache-dependency-path: ./web/pnpm-lock.yaml
-
-      - name: Install dependencies
-        working-directory: web
-        run: pnpm install
-
-      - name: Install Playwright Browsers
-        working-directory: web
-        run: npx playwright install --with-deps
-
-      - name: Run Playwright tests
-        working-directory: web
-        run: npx playwright test
-
-      - uses: actions/upload-artifact@v3
-        if: always()
-        with:
-          name: playwright-report
-          path: web/playwright-report/
-          retention-days: 30
-
-      - uses: actions/upload-artifact@v3
-        if: always()
-        with:
-          name: playwright-screenshot
-          path: web/playwright-screenshot/
-          retention-days: 30
-
-      - name: Stop Docker container
-        run: docker stop $(docker ps -q)

.github/workflows/frontend-tests.yml

@@ -1,26 +1,32 @@
 name: Frontend Test
 
 on:
+  push:
+    branches: [main]
   pull_request:
     branches:
       - main
       - "release/*.*.*"
+    paths:
+      - "web/**"
 
 jobs:
   eslint-checks:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: pnpm/action-setup@v2.2.4
+      - uses: actions/checkout@v4
+      - uses: pnpm/action-setup@v2.4.0
         with:
-          version: 8.0.0
-      - uses: actions/setup-node@v3
+          version: 8
+      - uses: actions/setup-node@v4
         with:
-          node-version: "18"
+          node-version: "20"
           cache: pnpm
           cache-dependency-path: "web/pnpm-lock.yaml"
       - run: pnpm install
         working-directory: web
+      - run: pnpm type-gen
+        working-directory: web
       - name: Run eslint check
         run: pnpm lint
         working-directory: web
@@ -28,17 +34,19 @@ jobs:
   frontend-build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: pnpm/action-setup@v2.2.4
+      - uses: actions/checkout@v4
+      - uses: pnpm/action-setup@v2.4.0
         with:
-          version: 8.0.0
-      - uses: actions/setup-node@v3
+          version: 8
+      - uses: actions/setup-node@v4
         with:
-          node-version: "18"
+          node-version: "20"
           cache: pnpm
           cache-dependency-path: "web/pnpm-lock.yaml"
       - run: pnpm install
         working-directory: web
+      - run: pnpm type-gen
+        working-directory: web
       - name: Run frontend build
         run: pnpm build
         working-directory: web

.github/workflows/proto-linter.yml

@@ -0,0 +1,34 @@
+name: Proto linter
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches:
+      - main
+      - "release/*.*.*"
+    paths:
+      - "proto/**"
+
+jobs:
+  lint-protos:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Setup buf
+        uses: bufbuild/buf-setup-action@v1
+        with:
+          github_token: ${{ github.token }}
+      - name: buf lint
+        uses: bufbuild/buf-lint-action@v1
+        with:
+          input: "proto"
+      - name: buf format
+        run: |
+          if [[ $(buf format -d) ]]; then
+            echo "Run 'buf format -w'"
+            exit 1
+          fi

.github/workflows/stale.yml

@@ -0,0 +1,19 @@
+name: Close Stale Issues
+
+on:
+  schedule:
+    - cron: "0 0 * * *"
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+
+    steps:
+      - uses: actions/stale@v9.0.0
+        with:
+          stale-issue-message: "This issue is stale because it has been open 14 days with no activity."
+          close-issue-message: "This issue was closed because it has been stalled for 28 days with no activity."
+          days-before-issue-stale: 14
+          days-before-issue-close: 14

.github/workflows/uffizzi-build.yml

@@ -1,85 +0,0 @@
-name: Build PR Image
-on:
-  pull_request:
-    types: [opened, synchronize, reopened, closed]
-
-jobs:
-  build-memos:
-    name: Build and push `Memos`
-    runs-on: ubuntu-latest
-    outputs:
-      tags: ${{ steps.meta.outputs.tags }}
-    if: ${{ github.event.action != 'closed' }}
-    steps:
-      - name: Checkout git repo
-        uses: actions/checkout@v3
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-
-      - name: Generate UUID image name
-        id: uuid
-        run: echo "UUID_WORKER=$(uuidgen)" >> $GITHUB_ENV
-
-      - name: Docker metadata
-        id: meta
-        uses: docker/metadata-action@v4
-        with:
-          images: registry.uffizzi.com/${{ env.UUID_WORKER }}
-          tags: |
-            type=raw,value=60d
-
-      - name: Build and Push Image to registry.uffizzi.com - Uffizzi's ephemeral Registry
-        uses: docker/build-push-action@v3
-        with:
-          context: ./
-          file: Dockerfile
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          push: true
-          cache-from: type=gha
-          cache-to: type=gha, mode=max
-
-  render-compose-file:
-    name: Render Docker Compose File
-    # Pass output of this workflow to another triggered by `workflow_run` event.
-    runs-on: ubuntu-latest
-    needs:
-      - build-memos
-    outputs:
-      compose-file-cache-key: ${{ steps.hash.outputs.hash }}
-    steps:
-      - name: Checkout git repo
-        uses: actions/checkout@v3
-      - name: Render Compose File
-        run: |
-          MEMOS_IMAGE=${{ needs.build-memos.outputs.tags }}
-          export MEMOS_IMAGE
-          # Render simple template from environment variables.
-          envsubst < docker-compose.uffizzi.yml > docker-compose.rendered.yml
-          cat docker-compose.rendered.yml
-      - name: Upload Rendered Compose File as Artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: preview-spec
-          path: docker-compose.rendered.yml
-          retention-days: 2
-      - name: Upload PR Event as Artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: preview-spec
-          path: ${{github.event_path}}
-          retention-days: 2
-
-  delete-preview:
-    name: Call for Preview Deletion
-    runs-on: ubuntu-latest
-    if: ${{ github.event.action == 'closed' }}
-    steps:
-      # If this PR is closing, we will not render a compose file nor pass it to the next workflow.
-      - name: Upload PR Event as Artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: preview-spec
-          path: ${{github.event_path}}
-          retention-days: 2

.github/workflows/uffizzi-preview.yml

@@ -1,88 +0,0 @@
-name: Deploy Uffizzi Preview
-
-on:
-  workflow_run:
-    workflows:
-      - "Build PR Image"
-    types:
-      - completed
-
-
-jobs:
-  cache-compose-file:
-    name: Cache Compose File
-    if: ${{ github.event.workflow_run.conclusion == 'success' }}
-    runs-on: ubuntu-latest
-    outputs:
-      compose-file-cache-key: ${{ env.HASH }}
-      pr-number: ${{ env.PR_NUMBER }}
-    steps:
-      - name: 'Download artifacts'
-        # Fetch output (zip archive) from the workflow run that triggered this workflow.
-        uses: actions/github-script@v6
-        with:
-          script: |
-            let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
-               owner: context.repo.owner,
-               repo: context.repo.repo,
-               run_id: context.payload.workflow_run.id,
-            });
-            let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
-              return artifact.name == "preview-spec"
-            })[0];
-            let download = await github.rest.actions.downloadArtifact({
-               owner: context.repo.owner,
-               repo: context.repo.repo,
-               artifact_id: matchArtifact.id,
-               archive_format: 'zip',
-            });
-            let fs = require('fs');
-            fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/preview-spec.zip`, Buffer.from(download.data));
-
-      - name: 'Unzip artifact'
-        run: unzip preview-spec.zip
-      - name: Read Event into ENV
-        run: |
-          echo 'EVENT_JSON<<EOF' >> $GITHUB_ENV
-          cat event.json >> $GITHUB_ENV
-          echo -e '\nEOF' >> $GITHUB_ENV
-
-      - name: Hash Rendered Compose File
-        id: hash
-        # If the previous workflow was triggered by a PR close event, we will not have a compose file artifact.
-        if: ${{ fromJSON(env.EVENT_JSON).action != 'closed' }}
-        run: echo "HASH=$(md5sum docker-compose.rendered.yml | awk '{ print $1 }')" >> $GITHUB_ENV
-      - name: Cache Rendered Compose File
-        if: ${{ fromJSON(env.EVENT_JSON).action != 'closed' }}
-        uses: actions/cache@v3
-        with:
-          path: docker-compose.rendered.yml
-          key: ${{ env.HASH }}
-
-      - name: Read PR Number From Event Object
-        id: pr
-        run: echo "PR_NUMBER=${{ fromJSON(env.EVENT_JSON).number }}" >> $GITHUB_ENV
-      - name: DEBUG - Print Job Outputs
-        if: ${{ runner.debug }}
-        run: |
-          echo "PR number: ${{ env.PR_NUMBER }}"
-          echo "Compose file hash: ${{ env.HASH }}"
-          cat event.json
-
-  deploy-uffizzi-preview:
-    name: Use Remote Workflow to Preview on Uffizzi
-    if: ${{ github.event.workflow_run.conclusion == 'success' }}
-    needs:
-      - cache-compose-file
-    uses: UffizziCloud/preview-action/.github/workflows/reusable.yaml@v2
-    with:
-      # If this workflow was triggered by a PR close event, cache-key will be an empty string
-      # and this reusable workflow will delete the preview deployment.
-      compose-file-cache-key: ${{ needs.cache-compose-file.outputs.compose-file-cache-key }}
-      compose-file-cache-path: docker-compose.rendered.yml
-      server: https://app.uffizzi.com
-      pr-number: ${{ needs.cache-compose-file.outputs.pr-number }}
-    permissions:
-      contents: read
-      pull-requests: write
-      id-token: write

.gitignore

@@ -6,6 +6,7 @@ tmp
 
 # Frontend asset
 web/dist
+server/frontend/dist
 
 # build folder
 build
@@ -15,4 +16,9 @@ build
 # Jetbrains
 .idea
 
+# Docker Compose Environment File
+.env
+
 bin/air
+
+dev-dist

.golangci.yaml

@@ -1,5 +1,8 @@
+run:
+  timeout: 10m
 linters:
   enable:
+    - errcheck
     - goimports
     - revive
     - govet
@@ -10,17 +13,30 @@ linters:
     - rowserrcheck
     - nilerr
     - godot
+    - forbidigo
+    - mirror
+    - bodyclose
 
 issues:
+  include:
+    # https://golangci-lint.run/usage/configuration/#command-line-options
   exclude:
     - Rollback
+    - logger.Sync
+    - pgInstance.Stop
     - fmt.Printf
-    - fmt.Print
+    - Enter(.*)_(.*)
+    - Exit(.*)_(.*)
 
 linters-settings:
+  goimports:
+    # Put imports beginning with prefix after 3rd-party packages.
+    local-prefixes: github.com/usememos/memos
   revive:
+    # Default to run all linters so that new rules in the future could automatically be added to the static check.
     enable-all-rules: true
     rules:
+      # The following rules are too strict and make coding harder. We do not enable them for now.
       - name: file-header
         disabled: true
       - name: line-length-limit
@@ -51,14 +67,27 @@ linters-settings:
         disabled: true
       - name: early-return
         disabled: true
+      - name: use-any
+        disabled: true
+      - name: exported
+        disabled: true
+      - name: unhandled-error
+        disabled: true
+      - name: if-return
+        disabled: true
   gocritic:
     disabled-checks:
       - ifElseChain
   govet:
     settings:
-      printf:
-        funcs:
+      printf: # The name of the analyzer, run `go tool vet help` to see the list of all analyzers
+        funcs: # Run `go tool vet help printf` to see the full configuration of `printf`.
           - common.Errorf
+    enable-all: true
+    disable:
+      - fieldalignment
+      - shadow
   forbidigo:
     forbid:
       - 'fmt\.Errorf(# Please use errors\.Wrap\|Wrapf\|Errorf instead)?'
+      - 'ioutil\.ReadDir(# Please use os\.ReadDir)?'

.vscode/extensions.json

@@ -1,3 +0,0 @@
-{
-  "recommendations": ["golang.go"]
-}

.vscode/project.code-workspace

@@ -1,12 +0,0 @@
-{
-  "folders": [
-    {
-      "name": "server",
-      "path": "../"
-    },
-    {
-      "name": "web",
-      "path": "../web"
-    }
-  ]
-}

.vscode/settings.json

@@ -1,5 +0,0 @@
-{
-  "go.lintOnSave": "workspace",
-  "go.lintTool": "golangci-lint",
-  "go.inferGopath": false
-}

Dockerfile

@@ -1,38 +1,40 @@
 # Build frontend dist.
-FROM node:18.12.1-alpine3.16 AS frontend
+FROM node:20-alpine AS frontend
 WORKDIR /frontend-build
 
-COPY ./web/package.json ./web/pnpm-lock.yaml ./
+COPY . .
 
-RUN corepack enable && pnpm i --frozen-lockfile
+WORKDIR /frontend-build/web
 
-COPY ./web/ .
+RUN corepack enable && pnpm i --frozen-lockfile && pnpm type-gen
 
 RUN pnpm build
 
 # Build backend exec file.
-FROM golang:1.19.3-alpine3.16 AS backend
+FROM golang:1.21-alpine AS backend
 WORKDIR /backend-build
 
-RUN apk update && apk add --no-cache gcc musl-dev
-
 COPY . .
-COPY --from=frontend /frontend-build/dist ./server/dist
 
-RUN go build -o memos ./main.go
+RUN CGO_ENABLED=0 go build -o memos ./bin/memos/main.go
 
 # Make workspace with above generated files.
-FROM alpine:3.16 AS monolithic
+FROM alpine:latest AS monolithic
 WORKDIR /usr/local/memos
 
 RUN apk add --no-cache tzdata
 ENV TZ="UTC"
 
+COPY --from=frontend /frontend-build/web/dist /usr/local/memos/dist
 COPY --from=backend /backend-build/memos /usr/local/memos/
 
 EXPOSE 5230
 
 # Directory to store the data, which can be referenced as the mounting point.
 RUN mkdir -p /var/opt/memos
+VOLUME /var/opt/memos
 
-ENTRYPOINT ["./memos", "--mode", "prod", "--port", "5230"]
+ENV MEMOS_MODE="prod"
+ENV MEMOS_PORT="5230"
+
+ENTRYPOINT ["./memos"]

README.md

@@ -1,63 +1,46 @@
-# memos
+<img height="56px" src="https://www.usememos.com/full-logo-landscape.png" alt="Memos" />
 
-<img height="72px" src="https://usememos.com/logo.webp" alt="✍️ memos" align="right" />
+A privacy-first, lightweight note-taking service. Easily capture and share your great thoughts.
 
-A lightweight, self-hosted memo hub. Open Source and Free forever.
-
-<a href="https://usememos.com/docs">Documentation</a> •
-Discuss in <a href="https://discord.gg/tfPJa4UmAv">Discord</a> / <a href="https://t.me/+-_tNF1k70UU4ZTc9">Telegram</a>
+<a href="https://www.usememos.com">Home Page</a> •
+<a href="https://www.usememos.com/blog">Blogs</a> •
+<a href="https://www.usememos.com/docs">Docs</a> •
+<a href="https://demo.usememos.com/">Live Demo</a>
 
 <p>
-  <a href="https://github.com/usememos/memos/stargazers"><img alt="GitHub stars" src="https://img.shields.io/github/stars/usememos/memos?logo=github" /></a>
+  <a href="https://hub.docker.com/r/neosmemo/memos"><img alt="Docker pull" src="https://img.shields.io/docker/pulls/neosmemo/memos.svg"/></a>
+  <a href="https://hosted.weblate.org/engage/memos-i18n/"><img src="https://hosted.weblate.org/widget/memos-i18n/english/svg-badge.svg" alt="Translation status" /></a>
   <a href="https://discord.gg/tfPJa4UmAv"><img alt="Discord" src="https://img.shields.io/badge/discord-chat-5865f2?logo=discord&logoColor=f5f5f5" /></a>
 </p>
 
-![demo](https://usememos.com/demo.webp)
+![demo](https://www.usememos.com/demo.png)
 
 ## Key points
 
-- Open source and free forever
-- Self-hosting with Docker in seconds
-- Markdown support
-- Customizable and sharable
-- RESTful API for self-service
+- **Open source and free forever**. Embrace a future where creativity knows no boundaries with our open-source solution – free today, tomorrow, and always.
+- **Self-hosting with Docker in just seconds**. Enjoy the flexibility, scalability, and ease of setup that Docker provides, allowing you to have full control over your data and privacy.
+- **Pure text with added Markdown support.** Say goodbye to the overwhelming mental burden of rich formatting and embrace a minimalist approach.
+- **Customize and share your notes effortlessly**. With our intuitive sharing features, you can easily collaborate and distribute your notes with others.
+- **RESTful API for third-party services.** Embrace the power of integration and unleash new possibilities with our RESTful API support.
 
 ## Deploy with Docker in seconds
 
 ```bash
-docker run -d --name memos -p 5230:5230 -v ~/.memos/:/var/opt/memos ghcr.io/usememos/memos:latest
+docker run -d --name memos -p 5230:5230 -v ~/.memos/:/var/opt/memos neosmemo/memos:stable
 ```
 
 > The `~/.memos/` directory will be used as the data directory on your local machine, while `/var/opt/memos` is the directory of the volume in Docker and should not be modified.
 
-Learn more about [other installation methods](https://usememos.com/docs#installation).
+Learn more about [other installation methods](https://www.usememos.com/docs/install).
 
 ## Contribution
 
 Contributions are what make the open-source community such an amazing place to learn, inspire, and create. We greatly appreciate any contributions you make. Thank you for being a part of our community! 🥰
 
 <a href="https://github.com/usememos/memos/graphs/contributors">
-  <img src="https://contrib.rocks/image?repo=usememos/memos" />
+  <img src="https://contri-graphy.yourselfhosted.com/graph?repo=usememos/memos&format=svg" />
 </a>
 
----
-
-- [Moe Memos](https://memos.moe/) - Third party client for iOS and Android
-- [lmm214/memos-bber](https://github.com/lmm214/memos-bber) - Chrome extension
-- [Rabithua/memos_wmp](https://github.com/Rabithua/memos_wmp) - WeChat MiniProgram
-- [qazxcdswe123/telegramMemoBot](https://github.com/qazxcdswe123/telegramMemoBot) - Telegram bot
-- [eallion/memos.top](https://github.com/eallion/memos.top) - Static page rendered with the Memos API
-- [eindex/logseq-memos-sync](https://github.com/EINDEX/logseq-memos-sync) - Logseq plugin
-- [JakeLaoyu/memos-import-from-flomo](https://github.com/JakeLaoyu/memos-import-from-flomo) - Import data. Support from flomo, wechat reading
-- [Send to memos](https://sharecuts.cn/shortcut/12640) - A shortcut for iOS
-- [Memos Raycast Extension](https://www.raycast.com/JakeYu/memos) - Raycast extension
-- [Memos Desktop](https://github.com/xudaolong/memos-desktop) - Third party client for MacOS and Windows
-- [MemosGallery](https://github.com/BarryYangi/MemosGallery) - A static Gallery rendered with the Memos API
-
-## Acknowledgements
-
-- Thanks [Uffizzi](https://www.uffizzi.com/) for sponsoring preview environments for PRs.
-
 ## Star history
 
 [![Star History Chart](https://api.star-history.com/svg?repos=usememos/memos&type=Date)](https://star-history.com/#usememos/memos&Date)

SECURITY.md

@@ -4,4 +4,4 @@
 
 Report security bugs via GitHub [issues](https://github.com/usememos/memos/issues).
 
-For more information, please contact [stevenlgtm@gmail.com](stevenlgtm@gmail.com).
+For more information, please contact [usememos@gmail.com](usememos@gmail.com).

api/activity.go

@@ -1,137 +0,0 @@
-package api
-
-import "github.com/usememos/memos/server/profile"
-
-// ActivityType is the type for an activity.
-type ActivityType string
-
-const (
-	// User related.
-
-	// ActivityUserCreate is the type for creating users.
-	ActivityUserCreate ActivityType = "user.create"
-	// ActivityUserUpdate is the type for updating users.
-	ActivityUserUpdate ActivityType = "user.update"
-	// ActivityUserDelete is the type for deleting users.
-	ActivityUserDelete ActivityType = "user.delete"
-	// ActivityUserAuthSignIn is the type for user signin.
-	ActivityUserAuthSignIn ActivityType = "user.auth.signin"
-	// ActivityUserAuthSignUp is the type for user signup.
-	ActivityUserAuthSignUp ActivityType = "user.auth.signup"
-	// ActivityUserSettingUpdate is the type for updating user settings.
-	ActivityUserSettingUpdate ActivityType = "user.setting.update"
-
-	// Memo related.
-
-	// ActivityMemoCreate is the type for creating memos.
-	ActivityMemoCreate ActivityType = "memo.create"
-	// ActivityMemoUpdate is the type for updating memos.
-	ActivityMemoUpdate ActivityType = "memo.update"
-	// ActivityMemoDelete is the type for deleting memos.
-	ActivityMemoDelete ActivityType = "memo.delete"
-
-	// Shortcut related.
-
-	// ActivityShortcutCreate is the type for creating shortcuts.
-	ActivityShortcutCreate ActivityType = "shortcut.create"
-	// ActivityShortcutUpdate is the type for updating shortcuts.
-	ActivityShortcutUpdate ActivityType = "shortcut.update"
-	// ActivityShortcutDelete is the type for deleting shortcuts.
-	ActivityShortcutDelete ActivityType = "shortcut.delete"
-
-	// Resource related.
-
-	// ActivityResourceCreate is the type for creating resources.
-	ActivityResourceCreate ActivityType = "resource.create"
-	// ActivityResourceDelete is the type for deleting resources.
-	ActivityResourceDelete ActivityType = "resource.delete"
-
-	// Tag related.
-
-	// ActivityTagCreate is the type for creating tags.
-	ActivityTagCreate ActivityType = "tag.create"
-	// ActivityTagDelete is the type for deleting tags.
-	ActivityTagDelete ActivityType = "tag.delete"
-
-	// Server related.
-
-	// ActivityServerStart is the type for starting server.
-	ActivityServerStart ActivityType = "server.start"
-)
-
-// ActivityLevel is the level of activities.
-type ActivityLevel string
-
-const (
-	// ActivityInfo is the INFO level of activities.
-	ActivityInfo ActivityLevel = "INFO"
-	// ActivityWarn is the WARN level of activities.
-	ActivityWarn ActivityLevel = "WARN"
-	// ActivityError is the ERROR level of activities.
-	ActivityError ActivityLevel = "ERROR"
-)
-
-type ActivityUserCreatePayload struct {
-	UserID   int    `json:"userId"`
-	Username string `json:"username"`
-	Role     Role   `json:"role"`
-}
-
-type ActivityUserAuthSignInPayload struct {
-	UserID int    `json:"userId"`
-	IP     string `json:"ip"`
-}
-
-type ActivityUserAuthSignUpPayload struct {
-	Username string `json:"username"`
-	IP       string `json:"ip"`
-}
-
-type ActivityMemoCreatePayload struct {
-	Content    string `json:"content"`
-	Visibility string `json:"visibility"`
-}
-
-type ActivityShortcutCreatePayload struct {
-	Title   string `json:"title"`
-	Payload string `json:"payload"`
-}
-
-type ActivityResourceCreatePayload struct {
-	Filename string `json:"filename"`
-	Type     string `json:"type"`
-	Size     int64  `json:"size"`
-}
-
-type ActivityTagCreatePayload struct {
-	TagName string `json:"tagName"`
-}
-
-type ActivityServerStartPayload struct {
-	ServerID string           `json:"serverId"`
-	Profile  *profile.Profile `json:"profile"`
-}
-
-type Activity struct {
-	ID int `json:"id"`
-
-	// Standard fields
-	CreatorID int   `json:"creatorId"`
-	CreatedTs int64 `json:"createdTs"`
-
-	// Domain specific fields
-	Type    ActivityType  `json:"type"`
-	Level   ActivityLevel `json:"level"`
-	Payload string        `json:"payload"`
-}
-
-// ActivityCreate is the API message for creating an activity.
-type ActivityCreate struct {
-	// Standard fields
-	CreatorID int
-
-	// Domain specific fields
-	Type    ActivityType `json:"type"`
-	Level   ActivityLevel
-	Payload string `json:"payload"`
-}

api/auth.go

@@ -1,17 +0,0 @@
-package api
-
-type SignIn struct {
-	Username string `json:"username"`
-	Password string `json:"password"`
-}
-
-type SSOSignIn struct {
-	IdentityProviderID int    `json:"identityProviderId"`
-	Code               string `json:"code"`
-	RedirectURI        string `json:"redirectUri"`
-}
-
-type SignUp struct {
-	Username string `json:"username"`
-	Password string `json:"password"`
-}

api/auth/auth.go

@@ -0,0 +1,63 @@
+package auth
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+)
+
+const (
+	// issuer is the issuer of the jwt token.
+	Issuer = "memos"
+	// Signing key section. For now, this is only used for signing, not for verifying since we only
+	// have 1 version. But it will be used to maintain backward compatibility if we change the signing mechanism.
+	KeyID = "v1"
+	// AccessTokenAudienceName is the audience name of the access token.
+	AccessTokenAudienceName = "user.access-token"
+	AccessTokenDuration     = 7 * 24 * time.Hour
+
+	// CookieExpDuration expires slightly earlier than the jwt expiration. Client would be logged out if the user
+	// cookie expires, thus the client would always logout first before attempting to make a request with the expired jwt.
+	CookieExpDuration = AccessTokenDuration - 1*time.Minute
+	// AccessTokenCookieName is the cookie name of access token.
+	AccessTokenCookieName = "memos.access-token"
+)
+
+type ClaimsMessage struct {
+	Name string `json:"name"`
+	jwt.RegisteredClaims
+}
+
+// GenerateAccessToken generates an access token.
+func GenerateAccessToken(username string, userID int32, expirationTime time.Time, secret []byte) (string, error) {
+	return generateToken(username, userID, AccessTokenAudienceName, expirationTime, secret)
+}
+
+// generateToken generates a jwt token.
+func generateToken(username string, userID int32, audience string, expirationTime time.Time, secret []byte) (string, error) {
+	registeredClaims := jwt.RegisteredClaims{
+		Issuer:   Issuer,
+		Audience: jwt.ClaimStrings{audience},
+		IssuedAt: jwt.NewNumericDate(time.Now()),
+		Subject:  fmt.Sprint(userID),
+	}
+	if !expirationTime.IsZero() {
+		registeredClaims.ExpiresAt = jwt.NewNumericDate(expirationTime)
+	}
+
+	// Declare the token with the HS256 algorithm used for signing, and the claims.
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, &ClaimsMessage{
+		Name:             username,
+		RegisteredClaims: registeredClaims,
+	})
+	token.Header["kid"] = KeyID
+
+	// Create the JWT string.
+	tokenString, err := token.SignedString(secret)
+	if err != nil {
+		return "", err
+	}
+
+	return tokenString, nil
+}

api/idp.go

@@ -1,58 +0,0 @@
-package api
-
-type IdentityProviderType string
-
-const (
-	IdentityProviderOAuth2 IdentityProviderType = "OAUTH2"
-)
-
-type IdentityProviderConfig struct {
-	OAuth2Config *IdentityProviderOAuth2Config `json:"oauth2Config"`
-}
-
-type IdentityProviderOAuth2Config struct {
-	ClientID     string        `json:"clientId"`
-	ClientSecret string        `json:"clientSecret"`
-	AuthURL      string        `json:"authUrl"`
-	TokenURL     string        `json:"tokenUrl"`
-	UserInfoURL  string        `json:"userInfoUrl"`
-	Scopes       []string      `json:"scopes"`
-	FieldMapping *FieldMapping `json:"fieldMapping"`
-}
-
-type FieldMapping struct {
-	Identifier  string `json:"identifier"`
-	DisplayName string `json:"displayName"`
-	Email       string `json:"email"`
-}
-
-type IdentityProvider struct {
-	ID               int                     `json:"id"`
-	Name             string                  `json:"name"`
-	Type             IdentityProviderType    `json:"type"`
-	IdentifierFilter string                  `json:"identifierFilter"`
-	Config           *IdentityProviderConfig `json:"config"`
-}
-
-type IdentityProviderCreate struct {
-	Name             string                  `json:"name"`
-	Type             IdentityProviderType    `json:"type"`
-	IdentifierFilter string                  `json:"identifierFilter"`
-	Config           *IdentityProviderConfig `json:"config"`
-}
-
-type IdentityProviderFind struct {
-	ID *int
-}
-
-type IdentityProviderPatch struct {
-	ID               int
-	Type             IdentityProviderType    `json:"type"`
-	Name             *string                 `json:"name"`
-	IdentifierFilter *string                 `json:"identifierFilter"`
-	Config           *IdentityProviderConfig `json:"config"`
-}
-
-type IdentityProviderDelete struct {
-	ID int
-}

api/memo.go

@@ -1,100 +0,0 @@
-package api
-
-// MaxContentLength means the max memo content bytes is 1MB.
-const MaxContentLength = 1 << 30
-
-// Visibility is the type of a visibility.
-type Visibility string
-
-const (
-	// Public is the PUBLIC visibility.
-	Public Visibility = "PUBLIC"
-	// Protected is the PROTECTED visibility.
-	Protected Visibility = "PROTECTED"
-	// Private is the PRIVATE visibility.
-	Private Visibility = "PRIVATE"
-)
-
-func (e Visibility) String() string {
-	switch e {
-	case Public:
-		return "PUBLIC"
-	case Protected:
-		return "PROTECTED"
-	case Private:
-		return "PRIVATE"
-	}
-	return "PRIVATE"
-}
-
-type Memo struct {
-	ID int `json:"id"`
-
-	// Standard fields
-	RowStatus RowStatus `json:"rowStatus"`
-	CreatorID int       `json:"creatorId"`
-	CreatedTs int64     `json:"createdTs"`
-	UpdatedTs int64     `json:"updatedTs"`
-
-	// Domain specific fields
-	Content    string     `json:"content"`
-	Visibility Visibility `json:"visibility"`
-	Pinned     bool       `json:"pinned"`
-
-	// Related fields
-	CreatorName  string          `json:"creatorName"`
-	ResourceList []*Resource     `json:"resourceList"`
-	RelationList []*MemoRelation `json:"relationList"`
-}
-
-type MemoCreate struct {
-	// Standard fields
-	CreatorID int    `json:"-"`
-	CreatedTs *int64 `json:"createdTs"`
-
-	// Domain specific fields
-	Visibility Visibility `json:"visibility"`
-	Content    string     `json:"content"`
-
-	// Related fields
-	ResourceIDList []int                 `json:"resourceIdList"`
-	RelationList   []*MemoRelationUpsert `json:"relationList"`
-}
-
-type MemoPatch struct {
-	ID int `json:"-"`
-
-	// Standard fields
-	CreatedTs *int64 `json:"createdTs"`
-	UpdatedTs *int64
-	RowStatus *RowStatus `json:"rowStatus"`
-
-	// Domain specific fields
-	Content    *string     `json:"content"`
-	Visibility *Visibility `json:"visibility"`
-
-	// Related fields
-	ResourceIDList []int                 `json:"resourceIdList"`
-	RelationList   []*MemoRelationUpsert `json:"relationList"`
-}
-
-type MemoFind struct {
-	ID *int
-
-	// Standard fields
-	RowStatus *RowStatus
-	CreatorID *int
-
-	// Domain specific fields
-	Pinned         *bool
-	ContentSearch  *string
-	VisibilityList []Visibility
-
-	// Pagination
-	Limit  *int
-	Offset *int
-}
-
-type MemoDelete struct {
-	ID int
-}

api/memo_organizer.go

@@ -1,24 +0,0 @@
-package api
-
-type MemoOrganizer struct {
-	// Domain specific fields
-	MemoID int
-	UserID int
-	Pinned bool
-}
-
-type MemoOrganizerUpsert struct {
-	MemoID int  `json:"-"`
-	UserID int  `json:"-"`
-	Pinned bool `json:"pinned"`
-}
-
-type MemoOrganizerFind struct {
-	MemoID int
-	UserID int
-}
-
-type MemoOrganizerDelete struct {
-	MemoID *int
-	UserID *int
-}

api/memo_relation.go

@@ -1,19 +0,0 @@
-package api
-
-type MemoRelationType string
-
-const (
-	MemoRelationReference  MemoRelationType = "REFERENCE"
-	MemoRelationAdditional MemoRelationType = "ADDITIONAL"
-)
-
-type MemoRelation struct {
-	MemoID        int              `json:"memoId"`
-	RelatedMemoID int              `json:"relatedMemoId"`
-	Type          MemoRelationType `json:"type"`
-}
-
-type MemoRelationUpsert struct {
-	RelatedMemoID int              `json:"relatedMemoId"`
-	Type          MemoRelationType `json:"type"`
-}

api/memo_resource.go

@@ -1,24 +0,0 @@
-package api
-
-type MemoResource struct {
-	MemoID     int
-	ResourceID int
-	CreatedTs  int64
-	UpdatedTs  int64
-}
-
-type MemoResourceUpsert struct {
-	MemoID     int `json:"-"`
-	ResourceID int
-	UpdatedTs  *int64
-}
-
-type MemoResourceFind struct {
-	MemoID     *int
-	ResourceID *int
-}
-
-type MemoResourceDelete struct {
-	MemoID     *int
-	ResourceID *int
-}

api/resource.go

@@ -1,69 +0,0 @@
-package api
-
-type Resource struct {
-	ID int `json:"id"`
-
-	// Standard fields
-	CreatorID int   `json:"creatorId"`
-	CreatedTs int64 `json:"createdTs"`
-	UpdatedTs int64 `json:"updatedTs"`
-
-	// Domain specific fields
-	Filename     string `json:"filename"`
-	Blob         []byte `json:"-"`
-	InternalPath string `json:"internalPath"`
-	ExternalLink string `json:"externalLink"`
-	Type         string `json:"type"`
-	Size         int64  `json:"size"`
-	PublicID     string `json:"publicId"`
-
-	// Related fields
-	LinkedMemoAmount int `json:"linkedMemoAmount"`
-}
-
-type ResourceCreate struct {
-	// Standard fields
-	CreatorID int `json:"-"`
-
-	// Domain specific fields
-	Filename     string `json:"filename"`
-	Blob         []byte `json:"-"`
-	InternalPath string `json:"internalPath"`
-	ExternalLink string `json:"externalLink"`
-	Type         string `json:"type"`
-	Size         int64  `json:"-"`
-	PublicID     string `json:"publicId"`
-}
-
-type ResourceFind struct {
-	ID *int `json:"id"`
-
-	// Standard fields
-	CreatorID *int `json:"creatorId"`
-
-	// Domain specific fields
-	Filename *string `json:"filename"`
-	MemoID   *int
-	PublicID *string `json:"publicId"`
-	GetBlob  bool
-
-	// Pagination
-	Limit  *int
-	Offset *int
-}
-
-type ResourcePatch struct {
-	ID int `json:"-"`
-
-	// Standard fields
-	UpdatedTs *int64
-
-	// Domain specific fields
-	Filename      *string `json:"filename"`
-	ResetPublicID *bool   `json:"resetPublicId"`
-	PublicID      *string `json:"-"`
-}
-
-type ResourceDelete struct {
-	ID int
-}

api/resource/resource.go

@@ -0,0 +1,164 @@
+package resource
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync/atomic"
+	"time"
+
+	"github.com/disintegration/imaging"
+	"github.com/labstack/echo/v4"
+	"github.com/pkg/errors"
+	"go.uber.org/zap"
+
+	"github.com/usememos/memos/internal/log"
+	"github.com/usememos/memos/internal/util"
+	"github.com/usememos/memos/server/profile"
+	"github.com/usememos/memos/store"
+)
+
+const (
+	// The key name used to store user id in the context
+	// user id is extracted from the jwt token subject field.
+	userIDContextKey = "user-id"
+	// thumbnailImagePath is the directory to store image thumbnails.
+	thumbnailImagePath = ".thumbnail_cache"
+)
+
+type ResourceService struct {
+	Profile *profile.Profile
+	Store   *store.Store
+}
+
+func NewResourceService(profile *profile.Profile, store *store.Store) *ResourceService {
+	return &ResourceService{
+		Profile: profile,
+		Store:   store,
+	}
+}
+
+func (s *ResourceService) RegisterRoutes(g *echo.Group) {
+	g.GET("/r/:resourceName", s.streamResource)
+	g.GET("/r/:resourceName/*", s.streamResource)
+}
+
+func (s *ResourceService) streamResource(c echo.Context) error {
+	ctx := c.Request().Context()
+	resourceName := c.Param("resourceName")
+	resource, err := s.Store.GetResource(ctx, &store.FindResource{
+		ResourceName: &resourceName,
+		GetBlob:      true,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to find resource by id: %s", resourceName)).SetInternal(err)
+	}
+	if resource == nil {
+		return echo.NewHTTPError(http.StatusNotFound, fmt.Sprintf("Resource not found: %s", resourceName))
+	}
+	// Check the related memo visibility.
+	if resource.MemoID != nil {
+		memo, err := s.Store.GetMemo(ctx, &store.FindMemo{
+			ID: resource.MemoID,
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to find memo by ID: %v", resource.MemoID)).SetInternal(err)
+		}
+		if memo != nil && memo.Visibility != store.Public {
+			userID, ok := c.Get(userIDContextKey).(int32)
+			if !ok || (memo.Visibility == store.Private && userID != resource.CreatorID) {
+				return echo.NewHTTPError(http.StatusUnauthorized, "Resource visibility not match")
+			}
+		}
+	}
+
+	blob := resource.Blob
+	if resource.InternalPath != "" {
+		resourcePath := filepath.FromSlash(resource.InternalPath)
+		if !filepath.IsAbs(resourcePath) {
+			resourcePath = filepath.Join(s.Profile.Data, resourcePath)
+		}
+
+		src, err := os.Open(resourcePath)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to open the local resource: %s", resourcePath)).SetInternal(err)
+		}
+		defer src.Close()
+		blob, err = io.ReadAll(src)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to read the local resource: %s", resourcePath)).SetInternal(err)
+		}
+	}
+
+	if c.QueryParam("thumbnail") == "1" && util.HasPrefixes(resource.Type, "image/png", "image/jpeg") {
+		ext := filepath.Ext(resource.Filename)
+		thumbnailPath := filepath.Join(s.Profile.Data, thumbnailImagePath, fmt.Sprintf("%d%s", resource.ID, ext))
+		thumbnailBlob, err := getOrGenerateThumbnailImage(blob, thumbnailPath)
+		if err != nil {
+			log.Warn(fmt.Sprintf("failed to get or generate local thumbnail with path %s", thumbnailPath), zap.Error(err))
+		} else {
+			blob = thumbnailBlob
+		}
+	}
+
+	c.Response().Writer.Header().Set(echo.HeaderCacheControl, "max-age=3600")
+	c.Response().Writer.Header().Set(echo.HeaderContentSecurityPolicy, "default-src 'none'; script-src 'none'; img-src 'self'; media-src 'self'; sandbox;")
+	c.Response().Writer.Header().Set("Content-Disposition", fmt.Sprintf(`filename="%s"`, resource.Filename))
+	resourceType := strings.ToLower(resource.Type)
+	if strings.HasPrefix(resourceType, "text") {
+		resourceType = echo.MIMETextPlainCharsetUTF8
+	} else if strings.HasPrefix(resourceType, "video") || strings.HasPrefix(resourceType, "audio") {
+		http.ServeContent(c.Response(), c.Request(), resource.Filename, time.Unix(resource.UpdatedTs, 0), bytes.NewReader(blob))
+		return nil
+	}
+	return c.Stream(http.StatusOK, resourceType, bytes.NewReader(blob))
+}
+
+var availableGeneratorAmount int32 = 32
+
+func getOrGenerateThumbnailImage(srcBlob []byte, dstPath string) ([]byte, error) {
+	if _, err := os.Stat(dstPath); err != nil {
+		if !errors.Is(err, os.ErrNotExist) {
+			return nil, errors.Wrap(err, "failed to check thumbnail image stat")
+		}
+
+		if atomic.LoadInt32(&availableGeneratorAmount) <= 0 {
+			return nil, errors.New("not enough available generator amount")
+		}
+		atomic.AddInt32(&availableGeneratorAmount, -1)
+		defer func() {
+			atomic.AddInt32(&availableGeneratorAmount, 1)
+		}()
+
+		reader := bytes.NewReader(srcBlob)
+		src, err := imaging.Decode(reader, imaging.AutoOrientation(true))
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to decode thumbnail image")
+		}
+		thumbnailImage := imaging.Resize(src, 512, 0, imaging.Lanczos)
+
+		dstDir := filepath.Dir(dstPath)
+		if err := os.MkdirAll(dstDir, os.ModePerm); err != nil {
+			return nil, errors.Wrap(err, "failed to create thumbnail dir")
+		}
+
+		if err := imaging.Save(thumbnailImage, dstPath); err != nil {
+			return nil, errors.Wrap(err, "failed to resize thumbnail image")
+		}
+	}
+
+	dstFile, err := os.Open(dstPath)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to open the local resource")
+	}
+	defer dstFile.Close()
+	dstBlob, err := io.ReadAll(dstFile)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to read the local resource")
+	}
+	return dstBlob, nil
+}

api/rss/rss.go

@@ -0,0 +1,169 @@
+package rss
+
+import (
+	"context"
+	"net/http"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/gorilla/feeds"
+	"github.com/labstack/echo/v4"
+	"github.com/yourselfhosted/gomark"
+	"github.com/yourselfhosted/gomark/ast"
+	"github.com/yourselfhosted/gomark/renderer"
+
+	"github.com/usememos/memos/internal/util"
+	"github.com/usememos/memos/server/profile"
+	"github.com/usememos/memos/store"
+)
+
+const (
+	maxRSSItemCount       = 100
+	maxRSSItemTitleLength = 128
+)
+
+type RSSService struct {
+	Profile *profile.Profile
+	Store   *store.Store
+}
+
+func NewRSSService(profile *profile.Profile, store *store.Store) *RSSService {
+	return &RSSService{
+		Profile: profile,
+		Store:   store,
+	}
+}
+
+func (s *RSSService) RegisterRoutes(g *echo.Group) {
+	g.GET("/explore/rss.xml", s.GetExploreRSS)
+	g.GET("/u/:username/rss.xml", s.GetUserRSS)
+}
+
+func (s *RSSService) GetExploreRSS(c echo.Context) error {
+	ctx := c.Request().Context()
+	normalStatus := store.Normal
+	memoFind := store.FindMemo{
+		RowStatus:      &normalStatus,
+		VisibilityList: []store.Visibility{store.Public},
+	}
+	memoList, err := s.Store.ListMemos(ctx, &memoFind)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find memo list").SetInternal(err)
+	}
+
+	baseURL := c.Scheme() + "://" + c.Request().Host
+	rss, err := s.generateRSSFromMemoList(ctx, memoList, baseURL)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to generate rss").SetInternal(err)
+	}
+	c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationXMLCharsetUTF8)
+	return c.String(http.StatusOK, rss)
+}
+
+func (s *RSSService) GetUserRSS(c echo.Context) error {
+	ctx := c.Request().Context()
+	username := c.Param("username")
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		Username: &username,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+	}
+	if user == nil {
+		return echo.NewHTTPError(http.StatusNotFound, "User not found")
+	}
+
+	normalStatus := store.Normal
+	memoFind := store.FindMemo{
+		CreatorID:      &user.ID,
+		RowStatus:      &normalStatus,
+		VisibilityList: []store.Visibility{store.Public},
+	}
+	memoList, err := s.Store.ListMemos(ctx, &memoFind)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find memo list").SetInternal(err)
+	}
+
+	baseURL := c.Scheme() + "://" + c.Request().Host
+	rss, err := s.generateRSSFromMemoList(ctx, memoList, baseURL)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to generate rss").SetInternal(err)
+	}
+	c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationXMLCharsetUTF8)
+	return c.String(http.StatusOK, rss)
+}
+
+func (s *RSSService) generateRSSFromMemoList(ctx context.Context, memoList []*store.Memo, baseURL string) (string, error) {
+	feed := &feeds.Feed{
+		Title:       "Memos",
+		Link:        &feeds.Link{Href: baseURL},
+		Description: "An open source, lightweight note-taking service. Easily capture and share your great thoughts.",
+		Created:     time.Now(),
+	}
+
+	var itemCountLimit = util.Min(len(memoList), maxRSSItemCount)
+	feed.Items = make([]*feeds.Item, itemCountLimit)
+	for i := 0; i < itemCountLimit; i++ {
+		memo := memoList[i]
+		description, err := getRSSItemDescription(memo.Content)
+		if err != nil {
+			return "", err
+		}
+		feed.Items[i] = &feeds.Item{
+			Title:       getRSSItemTitle(memo.Content),
+			Link:        &feeds.Link{Href: baseURL + "/m/" + memo.ResourceName},
+			Description: description,
+			Created:     time.Unix(memo.CreatedTs, 0),
+		}
+		resources, err := s.Store.ListResources(ctx, &store.FindResource{
+			MemoID: &memo.ID,
+		})
+		if err != nil {
+			return "", err
+		}
+		if len(resources) > 0 {
+			resource := resources[0]
+			enclosure := feeds.Enclosure{}
+			if resource.ExternalLink != "" {
+				enclosure.Url = resource.ExternalLink
+			} else {
+				enclosure.Url = baseURL + "/o/r/" + resource.ResourceName
+			}
+			enclosure.Length = strconv.Itoa(int(resource.Size))
+			enclosure.Type = resource.Type
+			feed.Items[i].Enclosure = &enclosure
+		}
+	}
+
+	rss, err := feed.ToRss()
+	if err != nil {
+		return "", err
+	}
+	return rss, nil
+}
+
+func getRSSItemTitle(content string) string {
+	nodes, _ := gomark.Parse(content)
+	if len(nodes) > 0 {
+		firstNode := nodes[0]
+		title := renderer.NewStringRenderer().Render([]ast.Node{firstNode})
+		return title
+	}
+
+	title := strings.Split(content, "\n")[0]
+	var titleLengthLimit = util.Min(len(title), maxRSSItemTitleLength)
+	if titleLengthLimit < len(title) {
+		title = title[:titleLengthLimit] + "..."
+	}
+	return title
+}
+
+func getRSSItemDescription(content string) (string, error) {
+	nodes, err := gomark.Parse(content)
+	if err != nil {
+		return "", err
+	}
+	result := renderer.NewHTMLRenderer().Render(nodes)
+	return result, nil
+}

api/shortcut.go

@@ -1,53 +0,0 @@
-package api
-
-type Shortcut struct {
-	ID int `json:"id"`
-
-	// Standard fields
-	RowStatus RowStatus `json:"rowStatus"`
-	CreatorID int       `json:"creatorId"`
-	CreatedTs int64     `json:"createdTs"`
-	UpdatedTs int64     `json:"updatedTs"`
-
-	// Domain specific fields
-	Title   string `json:"title"`
-	Payload string `json:"payload"`
-}
-
-type ShortcutCreate struct {
-	// Standard fields
-	CreatorID int `json:"-"`
-
-	// Domain specific fields
-	Title   string `json:"title"`
-	Payload string `json:"payload"`
-}
-
-type ShortcutPatch struct {
-	ID int `json:"-"`
-
-	// Standard fields
-	UpdatedTs *int64
-	RowStatus *RowStatus `json:"rowStatus"`
-
-	// Domain specific fields
-	Title   *string `json:"title"`
-	Payload *string `json:"payload"`
-}
-
-type ShortcutFind struct {
-	ID *int
-
-	// Standard fields
-	CreatorID *int
-
-	// Domain specific fields
-	Title *string `json:"title"`
-}
-
-type ShortcutDelete struct {
-	ID *int
-
-	// Standard fields
-	CreatorID *int
-}

api/storage.go

@@ -1,57 +0,0 @@
-package api
-
-const (
-	// LocalStorage means the storage service is local file system.
-	LocalStorage = -1
-	// DatabaseStorage means the storage service is database.
-	DatabaseStorage = 0
-)
-
-type StorageType string
-
-const (
-	StorageS3 StorageType = "S3"
-)
-
-type StorageConfig struct {
-	S3Config *StorageS3Config `json:"s3Config"`
-}
-
-type StorageS3Config struct {
-	EndPoint  string `json:"endPoint"`
-	Path      string `json:"path"`
-	Region    string `json:"region"`
-	AccessKey string `json:"accessKey"`
-	SecretKey string `json:"secretKey"`
-	Bucket    string `json:"bucket"`
-	URLPrefix string `json:"urlPrefix"`
-	URLSuffix string `json:"urlSuffix"`
-}
-
-type Storage struct {
-	ID     int            `json:"id"`
-	Name   string         `json:"name"`
-	Type   StorageType    `json:"type"`
-	Config *StorageConfig `json:"config"`
-}
-
-type StorageCreate struct {
-	Name   string         `json:"name"`
-	Type   StorageType    `json:"type"`
-	Config *StorageConfig `json:"config"`
-}
-
-type StoragePatch struct {
-	ID     int            `json:"id"`
-	Type   StorageType    `json:"type"`
-	Name   *string        `json:"name"`
-	Config *StorageConfig `json:"config"`
-}
-
-type StorageFind struct {
-	ID *int `json:"id"`
-}
-
-type StorageDelete struct {
-	ID int `json:"id"`
-}

api/system.go

@@ -1,29 +0,0 @@
-package api
-
-import "github.com/usememos/memos/server/profile"
-
-type SystemStatus struct {
-	Host    *User           `json:"host"`
-	Profile profile.Profile `json:"profile"`
-	DBSize  int64           `json:"dbSize"`
-
-	// System settings
-	// Allow sign up.
-	AllowSignUp bool `json:"allowSignUp"`
-	// Ignore upgrade
-	IgnoreUpgrade bool `json:"ignoreUpgrade"`
-	// Disable public memos.
-	DisablePublicMemos bool `json:"disablePublicMemos"`
-	// Max upload size.
-	MaxUploadSizeMiB int `json:"maxUploadSizeMiB"`
-	// Additional style.
-	AdditionalStyle string `json:"additionalStyle"`
-	// Additional script.
-	AdditionalScript string `json:"additionalScript"`
-	// Customized server profile, including server name and external url.
-	CustomizedProfile CustomizedProfile `json:"customizedProfile"`
-	// Storage service ID.
-	StorageServiceID int `json:"storageServiceId"`
-	// Local storage path
-	LocalStoragePath string `json:"localStoragePath"`
-}

api/system_setting.go

@@ -1,194 +0,0 @@
-package api
-
-import (
-	"encoding/json"
-	"fmt"
-
-	"golang.org/x/exp/slices"
-)
-
-type SystemSettingName string
-
-const (
-	// SystemSettingServerIDName is the name of server id.
-	SystemSettingServerIDName SystemSettingName = "server-id"
-	// SystemSettingSecretSessionName is the name of secret session.
-	SystemSettingSecretSessionName SystemSettingName = "secret-session"
-	// SystemSettingAllowSignUpName is the name of allow signup setting.
-	SystemSettingAllowSignUpName SystemSettingName = "allow-signup"
-	// SystemSettingIgnoreUpgradeName is the name of ignore upgrade.
-	SystemSettingIgnoreUpgradeName SystemSettingName = "ignore-upgrade"
-	// SystemSettingDisablePublicMemosName is the name of disable public memos setting.
-	SystemSettingDisablePublicMemosName SystemSettingName = "disable-public-memos"
-	// SystemSettingMaxUploadSizeMiBName is the name of max upload size setting.
-	SystemSettingMaxUploadSizeMiBName SystemSettingName = "max-upload-size-mib"
-	// SystemSettingAdditionalStyleName is the name of additional style.
-	SystemSettingAdditionalStyleName SystemSettingName = "additional-style"
-	// SystemSettingAdditionalScriptName is the name of additional script.
-	SystemSettingAdditionalScriptName SystemSettingName = "additional-script"
-	// SystemSettingCustomizedProfileName is the name of customized server profile.
-	SystemSettingCustomizedProfileName SystemSettingName = "customized-profile"
-	// SystemSettingStorageServiceIDName is the name of storage service ID.
-	SystemSettingStorageServiceIDName SystemSettingName = "storage-service-id"
-	// SystemSettingLocalStoragePathName is the name of local storage path.
-	SystemSettingLocalStoragePathName SystemSettingName = "local-storage-path"
-	// SystemSettingOpenAIConfigName is the name of OpenAI config.
-	SystemSettingOpenAIConfigName SystemSettingName = "openai-config"
-)
-
-// CustomizedProfile is the struct definition for SystemSettingCustomizedProfileName system setting item.
-type CustomizedProfile struct {
-	// Name is the server name, default is `memos`
-	Name string `json:"name"`
-	// LogoURL is the url of logo image.
-	LogoURL string `json:"logoUrl"`
-	// Description is the server description.
-	Description string `json:"description"`
-	// Locale is the server default locale.
-	Locale string `json:"locale"`
-	// Appearance is the server default appearance.
-	Appearance string `json:"appearance"`
-	// ExternalURL is the external url of server. e.g. https://usermemos.com
-	ExternalURL string `json:"externalUrl"`
-}
-
-type OpenAIConfig struct {
-	Key  string `json:"key"`
-	Host string `json:"host"`
-}
-
-func (key SystemSettingName) String() string {
-	switch key {
-	case SystemSettingServerIDName:
-		return "server-id"
-	case SystemSettingSecretSessionName:
-		return "secret-session"
-	case SystemSettingAllowSignUpName:
-		return "allow-signup"
-	case SystemSettingIgnoreUpgradeName:
-		return "ignore-upgrade"
-	case SystemSettingDisablePublicMemosName:
-		return "disable-public-memos"
-	case SystemSettingMaxUploadSizeMiBName:
-		return "max-upload-size-mib"
-	case SystemSettingAdditionalStyleName:
-		return "additional-style"
-	case SystemSettingAdditionalScriptName:
-		return "additional-script"
-	case SystemSettingCustomizedProfileName:
-		return "customized-profile"
-	case SystemSettingStorageServiceIDName:
-		return "storage-service-id"
-	case SystemSettingLocalStoragePathName:
-		return "local-storage-path"
-	case SystemSettingOpenAIConfigName:
-		return "openai-config"
-	}
-	return ""
-}
-
-type SystemSetting struct {
-	Name SystemSettingName `json:"name"`
-	// Value is a JSON string with basic value.
-	Value       string `json:"value"`
-	Description string `json:"description"`
-}
-
-type SystemSettingUpsert struct {
-	Name        SystemSettingName `json:"name"`
-	Value       string            `json:"value"`
-	Description string            `json:"description"`
-}
-
-const systemSettingUnmarshalError = `failed to unmarshal value from system setting "%v"`
-
-func (upsert SystemSettingUpsert) Validate() error {
-	switch settingName := upsert.Name; settingName {
-	case SystemSettingServerIDName:
-		return fmt.Errorf("updating %v is not allowed", settingName)
-
-	case SystemSettingAllowSignUpName:
-		var value bool
-		if err := json.Unmarshal([]byte(upsert.Value), &value); err != nil {
-			return fmt.Errorf(systemSettingUnmarshalError, settingName)
-		}
-
-	case SystemSettingIgnoreUpgradeName:
-		var value bool
-		if err := json.Unmarshal([]byte(upsert.Value), &value); err != nil {
-			return fmt.Errorf(systemSettingUnmarshalError, settingName)
-		}
-
-	case SystemSettingDisablePublicMemosName:
-		var value bool
-		if err := json.Unmarshal([]byte(upsert.Value), &value); err != nil {
-			return fmt.Errorf(systemSettingUnmarshalError, settingName)
-		}
-
-	case SystemSettingMaxUploadSizeMiBName:
-		var value int
-		if err := json.Unmarshal([]byte(upsert.Value), &value); err != nil {
-			return fmt.Errorf(systemSettingUnmarshalError, settingName)
-		}
-
-	case SystemSettingAdditionalStyleName:
-		var value string
-		if err := json.Unmarshal([]byte(upsert.Value), &value); err != nil {
-			return fmt.Errorf(systemSettingUnmarshalError, settingName)
-		}
-
-	case SystemSettingAdditionalScriptName:
-		var value string
-		if err := json.Unmarshal([]byte(upsert.Value), &value); err != nil {
-			return fmt.Errorf(systemSettingUnmarshalError, settingName)
-		}
-
-	case SystemSettingCustomizedProfileName:
-		customizedProfile := CustomizedProfile{
-			Name:        "memos",
-			LogoURL:     "",
-			Description: "",
-			Locale:      "en",
-			Appearance:  "system",
-			ExternalURL: "",
-		}
-
-		if err := json.Unmarshal([]byte(upsert.Value), &customizedProfile); err != nil {
-			return fmt.Errorf(systemSettingUnmarshalError, settingName)
-		}
-		if !slices.Contains(UserSettingLocaleValue, customizedProfile.Locale) {
-			return fmt.Errorf(`invalid locale value for system setting "%v"`, settingName)
-		}
-		if !slices.Contains(UserSettingAppearanceValue, customizedProfile.Appearance) {
-			return fmt.Errorf(`invalid appearance value for system setting "%v"`, settingName)
-		}
-
-	case SystemSettingStorageServiceIDName:
-		value := DatabaseStorage
-		if err := json.Unmarshal([]byte(upsert.Value), &value); err != nil {
-			return fmt.Errorf(systemSettingUnmarshalError, settingName)
-		}
-		return nil
-
-	case SystemSettingLocalStoragePathName:
-		value := ""
-		if err := json.Unmarshal([]byte(upsert.Value), &value); err != nil {
-			return fmt.Errorf(systemSettingUnmarshalError, settingName)
-		}
-
-	case SystemSettingOpenAIConfigName:
-		value := OpenAIConfig{}
-		if err := json.Unmarshal([]byte(upsert.Value), &value); err != nil {
-			return fmt.Errorf(systemSettingUnmarshalError, settingName)
-		}
-
-	default:
-		return fmt.Errorf("invalid system setting name")
-	}
-
-	return nil
-}
-
-type SystemSettingFind struct {
-	Name SystemSettingName `json:"name"`
-}

api/tag.go

@@ -1,20 +0,0 @@
-package api
-
-type Tag struct {
-	Name      string
-	CreatorID int
-}
-
-type TagUpsert struct {
-	Name      string
-	CreatorID int `json:"-"`
-}
-
-type TagFind struct {
-	CreatorID int
-}
-
-type TagDelete struct {
-	Name      string `json:"name"`
-	CreatorID int
-}

api/user.go

@@ -1,158 +0,0 @@
-package api
-
-import (
-	"fmt"
-
-	"github.com/usememos/memos/common"
-)
-
-// Role is the type of a role.
-type Role string
-
-const (
-	// Host is the HOST role.
-	Host Role = "HOST"
-	// Admin is the ADMIN role.
-	Admin Role = "ADMIN"
-	// NormalUser is the USER role.
-	NormalUser Role = "USER"
-)
-
-func (e Role) String() string {
-	switch e {
-	case Host:
-		return "HOST"
-	case Admin:
-		return "ADMIN"
-	case NormalUser:
-		return "USER"
-	}
-	return "USER"
-}
-
-type User struct {
-	ID int `json:"id"`
-
-	// Standard fields
-	RowStatus RowStatus `json:"rowStatus"`
-	CreatedTs int64     `json:"createdTs"`
-	UpdatedTs int64     `json:"updatedTs"`
-
-	// Domain specific fields
-	Username        string         `json:"username"`
-	Role            Role           `json:"role"`
-	Email           string         `json:"email"`
-	Nickname        string         `json:"nickname"`
-	PasswordHash    string         `json:"-"`
-	OpenID          string         `json:"openId"`
-	AvatarURL       string         `json:"avatarUrl"`
-	UserSettingList []*UserSetting `json:"userSettingList"`
-}
-
-type UserCreate struct {
-	// Domain specific fields
-	Username     string `json:"username"`
-	Role         Role   `json:"role"`
-	Email        string `json:"email"`
-	Nickname     string `json:"nickname"`
-	Password     string `json:"password"`
-	PasswordHash string
-	OpenID       string
-}
-
-func (create UserCreate) Validate() error {
-	if len(create.Username) < 3 {
-		return fmt.Errorf("username is too short, minimum length is 3")
-	}
-	if len(create.Username) > 32 {
-		return fmt.Errorf("username is too long, maximum length is 32")
-	}
-	if len(create.Password) < 3 {
-		return fmt.Errorf("password is too short, minimum length is 6")
-	}
-	if len(create.Password) > 512 {
-		return fmt.Errorf("password is too long, maximum length is 512")
-	}
-	if len(create.Nickname) > 64 {
-		return fmt.Errorf("nickname is too long, maximum length is 64")
-	}
-	if create.Email != "" {
-		if len(create.Email) > 256 {
-			return fmt.Errorf("email is too long, maximum length is 256")
-		}
-		if !common.ValidateEmail(create.Email) {
-			return fmt.Errorf("invalid email format")
-		}
-	}
-
-	return nil
-}
-
-type UserPatch struct {
-	ID int `json:"-"`
-
-	// Standard fields
-	UpdatedTs *int64
-	RowStatus *RowStatus `json:"rowStatus"`
-
-	// Domain specific fields
-	Username     *string `json:"username"`
-	Email        *string `json:"email"`
-	Nickname     *string `json:"nickname"`
-	Password     *string `json:"password"`
-	ResetOpenID  *bool   `json:"resetOpenId"`
-	AvatarURL    *string `json:"avatarUrl"`
-	PasswordHash *string
-	OpenID       *string
-}
-
-func (patch UserPatch) Validate() error {
-	if patch.Username != nil && len(*patch.Username) < 3 {
-		return fmt.Errorf("username is too short, minimum length is 3")
-	}
-	if patch.Username != nil && len(*patch.Username) > 32 {
-		return fmt.Errorf("username is too long, maximum length is 32")
-	}
-	if patch.Password != nil && len(*patch.Password) < 3 {
-		return fmt.Errorf("password is too short, minimum length is 6")
-	}
-	if patch.Password != nil && len(*patch.Password) > 512 {
-		return fmt.Errorf("password is too long, maximum length is 512")
-	}
-	if patch.Nickname != nil && len(*patch.Nickname) > 64 {
-		return fmt.Errorf("nickname is too long, maximum length is 64")
-	}
-	if patch.AvatarURL != nil {
-		if len(*patch.AvatarURL) > 2<<20 {
-			return fmt.Errorf("avatar is too large, maximum is 2MB")
-		}
-	}
-	if patch.Email != nil && *patch.Email != "" {
-		if len(*patch.Email) > 256 {
-			return fmt.Errorf("email is too long, maximum length is 256")
-		}
-		if !common.ValidateEmail(*patch.Email) {
-			return fmt.Errorf("invalid email format")
-		}
-	}
-
-	return nil
-}
-
-type UserFind struct {
-	ID *int `json:"id"`
-
-	// Standard fields
-	RowStatus *RowStatus `json:"rowStatus"`
-
-	// Domain specific fields
-	Username *string `json:"username"`
-	Role     *Role
-	Email    *string `json:"email"`
-	Nickname *string `json:"nickname"`
-	OpenID   *string
-}
-
-type UserDelete struct {
-	ID int
-}

api/user_setting.go

@@ -1,114 +0,0 @@
-package api
-
-import (
-	"encoding/json"
-	"fmt"
-
-	"golang.org/x/exp/slices"
-)
-
-type UserSettingKey string
-
-const (
-	// UserSettingLocaleKey is the key type for user locale.
-	UserSettingLocaleKey UserSettingKey = "locale"
-	// UserSettingAppearanceKey is the key type for user appearance.
-	UserSettingAppearanceKey UserSettingKey = "appearance"
-	// UserSettingMemoVisibilityKey is the key type for user preference memo default visibility.
-	UserSettingMemoVisibilityKey UserSettingKey = "memo-visibility"
-)
-
-// String returns the string format of UserSettingKey type.
-func (key UserSettingKey) String() string {
-	switch key {
-	case UserSettingLocaleKey:
-		return "locale"
-	case UserSettingAppearanceKey:
-		return "appearance"
-	case UserSettingMemoVisibilityKey:
-		return "memo-visibility"
-	}
-	return ""
-}
-
-var (
-	UserSettingLocaleValue = []string{
-		"de",
-		"en",
-		"es",
-		"fr",
-		"it",
-		"ko",
-		"nl",
-		"pl",
-		"pt-BR",
-		"ru",
-		"sl",
-		"sv",
-		"tr",
-		"uk",
-		"vi",
-		"zh-Hans",
-		"zh-Hant",
-	}
-	UserSettingAppearanceValue     = []string{"system", "light", "dark"}
-	UserSettingMemoVisibilityValue = []Visibility{Private, Protected, Public}
-)
-
-type UserSetting struct {
-	UserID int
-	Key    UserSettingKey `json:"key"`
-	// Value is a JSON string with basic value
-	Value string `json:"value"`
-}
-
-type UserSettingUpsert struct {
-	UserID int            `json:"-"`
-	Key    UserSettingKey `json:"key"`
-	Value  string         `json:"value"`
-}
-
-func (upsert UserSettingUpsert) Validate() error {
-	if upsert.Key == UserSettingLocaleKey {
-		localeValue := "en"
-		err := json.Unmarshal([]byte(upsert.Value), &localeValue)
-		if err != nil {
-			return fmt.Errorf("failed to unmarshal user setting locale value")
-		}
-		if !slices.Contains(UserSettingLocaleValue, localeValue) {
-			return fmt.Errorf("invalid user setting locale value")
-		}
-	} else if upsert.Key == UserSettingAppearanceKey {
-		appearanceValue := "system"
-		err := json.Unmarshal([]byte(upsert.Value), &appearanceValue)
-		if err != nil {
-			return fmt.Errorf("failed to unmarshal user setting appearance value")
-		}
-		if !slices.Contains(UserSettingAppearanceValue, appearanceValue) {
-			return fmt.Errorf("invalid user setting appearance value")
-		}
-	} else if upsert.Key == UserSettingMemoVisibilityKey {
-		memoVisibilityValue := Private
-		err := json.Unmarshal([]byte(upsert.Value), &memoVisibilityValue)
-		if err != nil {
-			return fmt.Errorf("failed to unmarshal user setting memo visibility value")
-		}
-		if !slices.Contains(UserSettingMemoVisibilityValue, memoVisibilityValue) {
-			return fmt.Errorf("invalid user setting memo visibility value")
-		}
-	} else {
-		return fmt.Errorf("invalid user setting key")
-	}
-
-	return nil
-}
-
-type UserSettingFind struct {
-	UserID int
-
-	Key UserSettingKey `json:"key"`
-}
-
-type UserSettingDelete struct {
-	UserID int
-}

api/v1/auth.go

@@ -0,0 +1,412 @@
+package v1
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"regexp"
+	"strings"
+	"time"
+
+	"github.com/labstack/echo/v4"
+	"github.com/pkg/errors"
+	"golang.org/x/crypto/bcrypt"
+
+	"github.com/usememos/memos/api/auth"
+	"github.com/usememos/memos/internal/util"
+	"github.com/usememos/memos/plugin/idp"
+	"github.com/usememos/memos/plugin/idp/oauth2"
+	storepb "github.com/usememos/memos/proto/gen/store"
+	"github.com/usememos/memos/store"
+)
+
+type SignIn struct {
+	Username string `json:"username"`
+	Password string `json:"password"`
+	Remember bool   `json:"remember"`
+}
+
+type SSOSignIn struct {
+	IdentityProviderID int32  `json:"identityProviderId"`
+	Code               string `json:"code"`
+	RedirectURI        string `json:"redirectUri"`
+}
+
+type SignUp struct {
+	Username string `json:"username"`
+	Password string `json:"password"`
+}
+
+func (s *APIV1Service) registerAuthRoutes(g *echo.Group) {
+	g.POST("/auth/signin", s.SignIn)
+	g.POST("/auth/signin/sso", s.SignInSSO)
+	g.POST("/auth/signout", s.SignOut)
+	g.POST("/auth/signup", s.SignUp)
+}
+
+// SignIn godoc
+//
+//	@Summary	Sign-in to memos.
+//	@Tags		auth
+//	@Accept		json
+//	@Produce	json
+//	@Param		body	body		SignIn		true	"Sign-in object"
+//	@Success	200		{object}	store.User	"User information"
+//	@Failure	400		{object}	nil			"Malformatted signin request"
+//	@Failure	401		{object}	nil			"Password login is deactivated | Incorrect login credentials, please try again"
+//	@Failure	403		{object}	nil			"User has been archived with username %s"
+//	@Failure	500		{object}	nil			"Failed to find system setting | Failed to unmarshal system setting | Incorrect login credentials, please try again | Failed to generate tokens | Failed to create activity"
+//	@Router		/api/v1/auth/signin [POST]
+func (s *APIV1Service) SignIn(c echo.Context) error {
+	ctx := c.Request().Context()
+	signin := &SignIn{}
+
+	disablePasswordLoginSystemSetting, err := s.Store.GetWorkspaceSetting(ctx, &store.FindWorkspaceSetting{
+		Name: SystemSettingDisablePasswordLoginName.String(),
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find system setting").SetInternal(err)
+	}
+	if disablePasswordLoginSystemSetting != nil {
+		disablePasswordLogin := false
+		err = json.Unmarshal([]byte(disablePasswordLoginSystemSetting.Value), &disablePasswordLogin)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to unmarshal system setting").SetInternal(err)
+		}
+		if disablePasswordLogin {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Password login is deactivated")
+		}
+	}
+
+	if err := json.NewDecoder(c.Request().Body).Decode(signin); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Malformatted signin request").SetInternal(err)
+	}
+
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		Username: &signin.Username,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Incorrect login credentials, please try again")
+	}
+	if user == nil {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Incorrect login credentials, please try again")
+	} else if user.RowStatus == store.Archived {
+		return echo.NewHTTPError(http.StatusForbidden, fmt.Sprintf("User has been archived with username %s", signin.Username))
+	}
+
+	// Compare the stored hashed password, with the hashed version of the password that was received.
+	if err := bcrypt.CompareHashAndPassword([]byte(user.PasswordHash), []byte(signin.Password)); err != nil {
+		// If the two passwords don't match, return a 401 status.
+		return echo.NewHTTPError(http.StatusUnauthorized, "Incorrect login credentials, please try again")
+	}
+
+	var expireAt time.Time
+	// Set cookie expiration to 100 years to make it persistent.
+	cookieExp := time.Now().AddDate(100, 0, 0)
+	if !signin.Remember {
+		expireAt = time.Now().Add(auth.AccessTokenDuration)
+		cookieExp = time.Now().Add(auth.CookieExpDuration)
+	}
+
+	accessToken, err := auth.GenerateAccessToken(user.Username, user.ID, expireAt, []byte(s.Secret))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("failed to generate tokens, err: %s", err)).SetInternal(err)
+	}
+	if err := s.UpsertAccessTokenToStore(ctx, user, accessToken); err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("failed to upsert access token, err: %s", err)).SetInternal(err)
+	}
+	setTokenCookie(c, auth.AccessTokenCookieName, accessToken, cookieExp)
+	userMessage := convertUserFromStore(user)
+	return c.JSON(http.StatusOK, userMessage)
+}
+
+// SignInSSO godoc
+//
+//	@Summary	Sign-in to memos using SSO.
+//	@Tags		auth
+//	@Accept		json
+//	@Produce	json
+//	@Param		body	body		SSOSignIn	true	"SSO sign-in object"
+//	@Success	200		{object}	store.User	"User information"
+//	@Failure	400		{object}	nil			"Malformatted signin request"
+//	@Failure	401		{object}	nil			"Access denied, identifier does not match the filter."
+//	@Failure	403		{object}	nil			"User has been archived with username {username}"
+//	@Failure	404		{object}	nil			"Identity provider not found"
+//	@Failure	500		{object}	nil			"Failed to find identity provider | Failed to create identity provider instance | Failed to exchange token | Failed to get user info | Failed to compile identifier filter | Incorrect login credentials, please try again | Failed to generate random password | Failed to generate password hash | Failed to create user | Failed to generate tokens | Failed to create activity"
+//	@Router		/api/v1/auth/signin/sso [POST]
+func (s *APIV1Service) SignInSSO(c echo.Context) error {
+	ctx := c.Request().Context()
+	signin := &SSOSignIn{}
+	if err := json.NewDecoder(c.Request().Body).Decode(signin); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Malformatted signin request").SetInternal(err)
+	}
+
+	identityProvider, err := s.Store.GetIdentityProvider(ctx, &store.FindIdentityProvider{
+		ID: &signin.IdentityProviderID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find identity provider").SetInternal(err)
+	}
+	if identityProvider == nil {
+		return echo.NewHTTPError(http.StatusNotFound, "Identity provider not found")
+	}
+
+	var userInfo *idp.IdentityProviderUserInfo
+	if identityProvider.Type == store.IdentityProviderOAuth2Type {
+		oauth2IdentityProvider, err := oauth2.NewIdentityProvider(identityProvider.Config.OAuth2Config)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create identity provider instance").SetInternal(err)
+		}
+		token, err := oauth2IdentityProvider.ExchangeToken(ctx, signin.RedirectURI, signin.Code)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to exchange token").SetInternal(err)
+		}
+		userInfo, err = oauth2IdentityProvider.UserInfo(token)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to get user info").SetInternal(err)
+		}
+	}
+
+	identifierFilter := identityProvider.IdentifierFilter
+	if identifierFilter != "" {
+		identifierFilterRegex, err := regexp.Compile(identifierFilter)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to compile identifier filter").SetInternal(err)
+		}
+		if !identifierFilterRegex.MatchString(userInfo.Identifier) {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Access denied, identifier does not match the filter.").SetInternal(err)
+		}
+	}
+
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		Username: &userInfo.Identifier,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Incorrect login credentials, please try again")
+	}
+	if user == nil {
+		allowSignUpSetting, err := s.Store.GetWorkspaceSetting(ctx, &store.FindWorkspaceSetting{
+			Name: SystemSettingAllowSignUpName.String(),
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find system setting").SetInternal(err)
+		}
+
+		allowSignUpSettingValue := true
+		if allowSignUpSetting != nil {
+			err = json.Unmarshal([]byte(allowSignUpSetting.Value), &allowSignUpSettingValue)
+			if err != nil {
+				return echo.NewHTTPError(http.StatusInternalServerError, "Failed to unmarshal system setting allow signup").SetInternal(err)
+			}
+		}
+		if !allowSignUpSettingValue {
+			return echo.NewHTTPError(http.StatusUnauthorized, "signup is disabled").SetInternal(err)
+		}
+
+		userCreate := &store.User{
+			Username: userInfo.Identifier,
+			// The new signup user should be normal user by default.
+			Role:     store.RoleUser,
+			Nickname: userInfo.DisplayName,
+			Email:    userInfo.Email,
+		}
+		password, err := util.RandomString(20)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to generate random password").SetInternal(err)
+		}
+		passwordHash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to generate password hash").SetInternal(err)
+		}
+		userCreate.PasswordHash = string(passwordHash)
+		user, err = s.Store.CreateUser(ctx, userCreate)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create user").SetInternal(err)
+		}
+	}
+	if user.RowStatus == store.Archived {
+		return echo.NewHTTPError(http.StatusForbidden, fmt.Sprintf("User has been archived with username %s", userInfo.Identifier))
+	}
+
+	accessToken, err := auth.GenerateAccessToken(user.Username, user.ID, time.Now().Add(auth.AccessTokenDuration), []byte(s.Secret))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("failed to generate tokens, err: %s", err)).SetInternal(err)
+	}
+	if err := s.UpsertAccessTokenToStore(ctx, user, accessToken); err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("failed to upsert access token, err: %s", err)).SetInternal(err)
+	}
+	cookieExp := time.Now().Add(auth.CookieExpDuration)
+	setTokenCookie(c, auth.AccessTokenCookieName, accessToken, cookieExp)
+	userMessage := convertUserFromStore(user)
+	return c.JSON(http.StatusOK, userMessage)
+}
+
+// SignOut godoc
+//
+//	@Summary	Sign-out from memos.
+//	@Tags		auth
+//	@Produce	json
+//	@Success	200	{boolean}	true	"Sign-out success"
+//	@Router		/api/v1/auth/signout [POST]
+func (s *APIV1Service) SignOut(c echo.Context) error {
+	accessToken := findAccessToken(c)
+	userID, _ := getUserIDFromAccessToken(accessToken, s.Secret)
+
+	err := removeAccessTokenAndCookies(c, s.Store, userID, accessToken)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("failed to remove access token, err: %s", err)).SetInternal(err)
+	}
+
+	return c.JSON(http.StatusOK, true)
+}
+
+// SignUp godoc
+//
+//	@Summary	Sign-up to memos.
+//	@Tags		auth
+//	@Accept		json
+//	@Produce	json
+//	@Param		body	body		SignUp		true	"Sign-up object"
+//	@Success	200		{object}	store.User	"User information"
+//	@Failure	400		{object}	nil			"Malformatted signup request | Failed to find users"
+//	@Failure	401		{object}	nil			"signup is disabled"
+//	@Failure	403		{object}	nil			"Forbidden"
+//	@Failure	404		{object}	nil			"Not found"
+//	@Failure	500		{object}	nil			"Failed to find system setting | Failed to unmarshal system setting allow signup | Failed to generate password hash | Failed to create user | Failed to generate tokens | Failed to create activity"
+//	@Router		/api/v1/auth/signup [POST]
+func (s *APIV1Service) SignUp(c echo.Context) error {
+	ctx := c.Request().Context()
+	signup := &SignUp{}
+	if err := json.NewDecoder(c.Request().Body).Decode(signup); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Malformatted signup request").SetInternal(err)
+	}
+
+	hostUserType := store.RoleHost
+	existedHostUsers, err := s.Store.ListUsers(ctx, &store.FindUser{
+		Role: &hostUserType,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Failed to find users").SetInternal(err)
+	}
+	if !util.ResourceNameMatcher.MatchString(strings.ToLower(signup.Username)) {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("Invalid username %s", signup.Username)).SetInternal(err)
+	}
+
+	userCreate := &store.User{
+		Username: signup.Username,
+		// The new signup user should be normal user by default.
+		Role:     store.RoleUser,
+		Nickname: signup.Username,
+	}
+	if len(existedHostUsers) == 0 {
+		// Change the default role to host if there is no host user.
+		userCreate.Role = store.RoleHost
+	} else {
+		allowSignUpSetting, err := s.Store.GetWorkspaceSetting(ctx, &store.FindWorkspaceSetting{
+			Name: SystemSettingAllowSignUpName.String(),
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find system setting").SetInternal(err)
+		}
+
+		allowSignUpSettingValue := true
+		if allowSignUpSetting != nil {
+			err = json.Unmarshal([]byte(allowSignUpSetting.Value), &allowSignUpSettingValue)
+			if err != nil {
+				return echo.NewHTTPError(http.StatusInternalServerError, "Failed to unmarshal system setting allow signup").SetInternal(err)
+			}
+		}
+		if !allowSignUpSettingValue {
+			return echo.NewHTTPError(http.StatusUnauthorized, "signup is disabled").SetInternal(err)
+		}
+
+		disablePasswordLoginSystemSetting, err := s.Store.GetWorkspaceSetting(ctx, &store.FindWorkspaceSetting{
+			Name: SystemSettingDisablePasswordLoginName.String(),
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find system setting").SetInternal(err)
+		}
+		if disablePasswordLoginSystemSetting != nil {
+			disablePasswordLogin := false
+			err = json.Unmarshal([]byte(disablePasswordLoginSystemSetting.Value), &disablePasswordLogin)
+			if err != nil {
+				return echo.NewHTTPError(http.StatusInternalServerError, "Failed to unmarshal system setting").SetInternal(err)
+			}
+			if disablePasswordLogin {
+				return echo.NewHTTPError(http.StatusUnauthorized, "password login is deactivated")
+			}
+		}
+	}
+
+	passwordHash, err := bcrypt.GenerateFromPassword([]byte(signup.Password), bcrypt.DefaultCost)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to generate password hash").SetInternal(err)
+	}
+
+	userCreate.PasswordHash = string(passwordHash)
+	user, err := s.Store.CreateUser(ctx, userCreate)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create user").SetInternal(err)
+	}
+	accessToken, err := auth.GenerateAccessToken(user.Username, user.ID, time.Now().Add(auth.AccessTokenDuration), []byte(s.Secret))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("failed to generate tokens, err: %s", err)).SetInternal(err)
+	}
+	if err := s.UpsertAccessTokenToStore(ctx, user, accessToken); err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("failed to upsert access token, err: %s", err)).SetInternal(err)
+	}
+	cookieExp := time.Now().Add(auth.CookieExpDuration)
+	setTokenCookie(c, auth.AccessTokenCookieName, accessToken, cookieExp)
+	userMessage := convertUserFromStore(user)
+	return c.JSON(http.StatusOK, userMessage)
+}
+
+func (s *APIV1Service) UpsertAccessTokenToStore(ctx context.Context, user *store.User, accessToken string) error {
+	userAccessTokens, err := s.Store.GetUserAccessTokens(ctx, user.ID)
+	if err != nil {
+		return errors.Wrap(err, "failed to get user access tokens")
+	}
+	userAccessToken := storepb.AccessTokensUserSetting_AccessToken{
+		AccessToken: accessToken,
+		Description: "Account sign in",
+	}
+	userAccessTokens = append(userAccessTokens, &userAccessToken)
+	if _, err := s.Store.UpsertUserSetting(ctx, &storepb.UserSetting{
+		UserId: user.ID,
+		Key:    storepb.UserSettingKey_USER_SETTING_ACCESS_TOKENS,
+		Value: &storepb.UserSetting_AccessTokens{
+			AccessTokens: &storepb.AccessTokensUserSetting{
+				AccessTokens: userAccessTokens,
+			},
+		},
+	}); err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("failed to upsert user setting, err: %s", err)).SetInternal(err)
+	}
+	return nil
+}
+
+// removeAccessTokenAndCookies removes the jwt token from the cookies.
+func removeAccessTokenAndCookies(c echo.Context, s *store.Store, userID int32, token string) error {
+	err := s.RemoveUserAccessToken(c.Request().Context(), userID, token)
+	if err != nil {
+		return err
+	}
+
+	cookieExp := time.Now().Add(-1 * time.Hour)
+	setTokenCookie(c, auth.AccessTokenCookieName, "", cookieExp)
+	return nil
+}
+
+// setTokenCookie sets the token to the cookie.
+func setTokenCookie(c echo.Context, name, token string, expiration time.Time) {
+	cookie := new(http.Cookie)
+	cookie.Name = name
+	cookie.Value = token
+	cookie.Expires = expiration
+	cookie.Path = "/"
+	// Http-only helps mitigate the risk of client side script accessing the protected cookie.
+	cookie.HttpOnly = true
+	cookie.SameSite = http.SameSiteStrictMode
+	c.SetCookie(cookie)
+}

api/v1/common.go

@@ -1,7 +1,4 @@
-package api
-
-// UnknownID is the ID for unknowns.
-const UnknownID = -1
+package v1
 
 // RowStatus is the status for a row.
 type RowStatus string
@@ -13,12 +10,6 @@ const (
 	Archived RowStatus = "ARCHIVED"
 )
 
-func (e RowStatus) String() string {
-	switch e {
-	case Normal:
-		return "NORMAL"
-	case Archived:
-		return "ARCHIVED"
-	}
-	return ""
+func (r RowStatus) String() string {
+	return string(r)
 }

api/v1/http_getter.go

@@ -0,0 +1,49 @@
+package v1
+
+import (
+	"fmt"
+	"net/http"
+	"net/url"
+
+	"github.com/labstack/echo/v4"
+
+	getter "github.com/usememos/memos/plugin/http-getter"
+)
+
+func (*APIV1Service) registerGetterPublicRoutes(g *echo.Group) {
+	// GET /get/image?url={url} - Get image.
+	g.GET("/get/image", GetImage)
+}
+
+// GetImage godoc
+//
+//	@Summary	Get GetImage from URL
+//	@Tags		image-url
+//	@Produce	GetImage/*
+//	@Param		url	query		string	true	"Image url"
+//	@Success	200	{object}	nil		"Image"
+//	@Failure	400	{object}	nil		"Missing GetImage url | Wrong url | Failed to get GetImage url: %s"
+//	@Failure	500	{object}	nil		"Failed to write GetImage blob"
+//	@Router		/o/get/GetImage [GET]
+func GetImage(c echo.Context) error {
+	urlStr := c.QueryParam("url")
+	if urlStr == "" {
+		return echo.NewHTTPError(http.StatusBadRequest, "Missing image url")
+	}
+	if _, err := url.Parse(urlStr); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Wrong url").SetInternal(err)
+	}
+
+	image, err := getter.GetImage(urlStr)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("Failed to get image url: %s", urlStr)).SetInternal(err)
+	}
+
+	c.Response().Writer.WriteHeader(http.StatusOK)
+	c.Response().Writer.Header().Set("Content-Type", image.Mediatype)
+	c.Response().Writer.Header().Set(echo.HeaderCacheControl, "max-age=31536000, immutable")
+	if _, err := c.Response().Writer.Write(image.Blob); err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to write image blob").SetInternal(err)
+	}
+	return nil
+}

api/v1/idp.go

@@ -0,0 +1,349 @@
+package v1
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	"github.com/labstack/echo/v4"
+
+	"github.com/usememos/memos/internal/util"
+	"github.com/usememos/memos/store"
+)
+
+type IdentityProviderType string
+
+const (
+	IdentityProviderOAuth2Type IdentityProviderType = "OAUTH2"
+)
+
+func (t IdentityProviderType) String() string {
+	return string(t)
+}
+
+type IdentityProviderConfig struct {
+	OAuth2Config *IdentityProviderOAuth2Config `json:"oauth2Config"`
+}
+
+type IdentityProviderOAuth2Config struct {
+	ClientID     string        `json:"clientId"`
+	ClientSecret string        `json:"clientSecret"`
+	AuthURL      string        `json:"authUrl"`
+	TokenURL     string        `json:"tokenUrl"`
+	UserInfoURL  string        `json:"userInfoUrl"`
+	Scopes       []string      `json:"scopes"`
+	FieldMapping *FieldMapping `json:"fieldMapping"`
+}
+
+type FieldMapping struct {
+	Identifier  string `json:"identifier"`
+	DisplayName string `json:"displayName"`
+	Email       string `json:"email"`
+}
+
+type IdentityProvider struct {
+	ID               int32                   `json:"id"`
+	Name             string                  `json:"name"`
+	Type             IdentityProviderType    `json:"type"`
+	IdentifierFilter string                  `json:"identifierFilter"`
+	Config           *IdentityProviderConfig `json:"config"`
+}
+
+type CreateIdentityProviderRequest struct {
+	Name             string                  `json:"name"`
+	Type             IdentityProviderType    `json:"type"`
+	IdentifierFilter string                  `json:"identifierFilter"`
+	Config           *IdentityProviderConfig `json:"config"`
+}
+
+type UpdateIdentityProviderRequest struct {
+	ID               int32                   `json:"-"`
+	Type             IdentityProviderType    `json:"type"`
+	Name             *string                 `json:"name"`
+	IdentifierFilter *string                 `json:"identifierFilter"`
+	Config           *IdentityProviderConfig `json:"config"`
+}
+
+func (s *APIV1Service) registerIdentityProviderRoutes(g *echo.Group) {
+	g.GET("/idp", s.GetIdentityProviderList)
+	g.POST("/idp", s.CreateIdentityProvider)
+	g.GET("/idp/:idpId", s.GetIdentityProvider)
+	g.PATCH("/idp/:idpId", s.UpdateIdentityProvider)
+	g.DELETE("/idp/:idpId", s.DeleteIdentityProvider)
+}
+
+// GetIdentityProviderList godoc
+//
+//	@Summary		Get a list of identity providers
+//	@Description	*clientSecret is only available for host user
+//	@Tags			idp
+//	@Produce		json
+//	@Success		200	{object}	[]IdentityProvider	"List of available identity providers"
+//	@Failure		500	{object}	nil					"Failed to find identity provider list | Failed to find user"
+//	@Router			/api/v1/idp [GET]
+func (s *APIV1Service) GetIdentityProviderList(c echo.Context) error {
+	ctx := c.Request().Context()
+	list, err := s.Store.ListIdentityProviders(ctx, &store.FindIdentityProvider{})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find identity provider list").SetInternal(err)
+	}
+
+	userID, ok := c.Get(userIDContextKey).(int32)
+	isHostUser := false
+	if ok {
+		user, err := s.Store.GetUser(ctx, &store.FindUser{
+			ID: &userID,
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+		}
+		if user == nil || user.Role == store.RoleHost {
+			isHostUser = true
+		}
+	}
+
+	identityProviderList := []*IdentityProvider{}
+	for _, item := range list {
+		identityProvider := convertIdentityProviderFromStore(item)
+		// data desensitize
+		if !isHostUser {
+			identityProvider.Config.OAuth2Config.ClientSecret = ""
+		}
+		identityProviderList = append(identityProviderList, identityProvider)
+	}
+	return c.JSON(http.StatusOK, identityProviderList)
+}
+
+// CreateIdentityProvider godoc
+//
+//	@Summary	Create Identity Provider
+//	@Tags		idp
+//	@Accept		json
+//	@Produce	json
+//	@Param		body	body		CreateIdentityProviderRequest	true	"Identity provider information"
+//	@Success	200		{object}	store.IdentityProvider			"Identity provider information"
+//	@Failure	401		{object}	nil								"Missing user in session | Unauthorized"
+//	@Failure	400		{object}	nil								"Malformatted post identity provider request"
+//	@Failure	500		{object}	nil								"Failed to find user | Failed to create identity provider"
+//	@Router		/api/v1/idp [POST]
+func (s *APIV1Service) CreateIdentityProvider(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		ID: &userID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+	}
+	if user == nil || user.Role != store.RoleHost {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+	}
+
+	identityProviderCreate := &CreateIdentityProviderRequest{}
+	if err := json.NewDecoder(c.Request().Body).Decode(identityProviderCreate); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post identity provider request").SetInternal(err)
+	}
+
+	identityProvider, err := s.Store.CreateIdentityProvider(ctx, &store.IdentityProvider{
+		Name:             identityProviderCreate.Name,
+		Type:             store.IdentityProviderType(identityProviderCreate.Type),
+		IdentifierFilter: identityProviderCreate.IdentifierFilter,
+		Config:           convertIdentityProviderConfigToStore(identityProviderCreate.Config),
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create identity provider").SetInternal(err)
+	}
+	return c.JSON(http.StatusOK, convertIdentityProviderFromStore(identityProvider))
+}
+
+// GetIdentityProvider godoc
+//
+//	@Summary	Get an identity provider by ID
+//	@Tags		idp
+//	@Accept		json
+//	@Produce	json
+//	@Param		idpId	path		int						true	"Identity provider ID"
+//	@Success	200		{object}	store.IdentityProvider	"Requested identity provider"
+//	@Failure	400		{object}	nil						"ID is not a number: %s"
+//	@Failure	401		{object}	nil						"Missing user in session | Unauthorized"
+//	@Failure	404		{object}	nil						"Identity provider not found"
+//	@Failure	500		{object}	nil						"Failed to find identity provider list | Failed to find user"
+//	@Router		/api/v1/idp/{idpId} [GET]
+func (s *APIV1Service) GetIdentityProvider(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		ID: &userID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+	}
+	if user == nil || user.Role != store.RoleHost {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+	}
+
+	identityProviderID, err := util.ConvertStringToInt32(c.Param("idpId"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("idpId"))).SetInternal(err)
+	}
+	identityProvider, err := s.Store.GetIdentityProvider(ctx, &store.FindIdentityProvider{
+		ID: &identityProviderID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to get identity provider").SetInternal(err)
+	}
+	if identityProvider == nil {
+		return echo.NewHTTPError(http.StatusNotFound, "Identity provider not found")
+	}
+
+	return c.JSON(http.StatusOK, convertIdentityProviderFromStore(identityProvider))
+}
+
+// DeleteIdentityProvider godoc
+//
+//	@Summary	Delete an identity provider by ID
+//	@Tags		idp
+//	@Accept		json
+//	@Produce	json
+//	@Param		idpId	path		int		true	"Identity Provider ID"
+//	@Success	200		{boolean}	true	"Identity Provider deleted"
+//	@Failure	400		{object}	nil		"ID is not a number: %s | Malformatted patch identity provider request"
+//	@Failure	401		{object}	nil		"Missing user in session | Unauthorized"
+//	@Failure	500		{object}	nil		"Failed to find user | Failed to patch identity provider"
+//	@Router		/api/v1/idp/{idpId} [DELETE]
+func (s *APIV1Service) DeleteIdentityProvider(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		ID: &userID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+	}
+	if user == nil || user.Role != store.RoleHost {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+	}
+
+	identityProviderID, err := util.ConvertStringToInt32(c.Param("idpId"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("idpId"))).SetInternal(err)
+	}
+
+	if err = s.Store.DeleteIdentityProvider(ctx, &store.DeleteIdentityProvider{ID: identityProviderID}); err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to delete identity provider").SetInternal(err)
+	}
+	return c.JSON(http.StatusOK, true)
+}
+
+// UpdateIdentityProvider godoc
+//
+//	@Summary	Update an identity provider by ID
+//	@Tags		idp
+//	@Accept		json
+//	@Produce	json
+//	@Param		idpId	path		int								true	"Identity Provider ID"
+//	@Param		body	body		UpdateIdentityProviderRequest	true	"Patched identity provider information"
+//	@Success	200		{object}	store.IdentityProvider			"Patched identity provider"
+//	@Failure	400		{object}	nil								"ID is not a number: %s | Malformatted patch identity provider request"
+//	@Failure	401		{object}	nil								"Missing user in session | Unauthorized
+//	@Failure	500		{object}	nil								"Failed to find user | Failed to patch identity provider"
+//	@Router		/api/v1/idp/{idpId} [PATCH]
+func (s *APIV1Service) UpdateIdentityProvider(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		ID: &userID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+	}
+	if user == nil || user.Role != store.RoleHost {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+	}
+
+	identityProviderID, err := util.ConvertStringToInt32(c.Param("idpId"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("idpId"))).SetInternal(err)
+	}
+
+	identityProviderPatch := &UpdateIdentityProviderRequest{
+		ID: identityProviderID,
+	}
+	if err := json.NewDecoder(c.Request().Body).Decode(identityProviderPatch); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Malformatted patch identity provider request").SetInternal(err)
+	}
+
+	identityProvider, err := s.Store.UpdateIdentityProvider(ctx, &store.UpdateIdentityProvider{
+		ID:               identityProviderPatch.ID,
+		Type:             store.IdentityProviderType(identityProviderPatch.Type),
+		Name:             identityProviderPatch.Name,
+		IdentifierFilter: identityProviderPatch.IdentifierFilter,
+		Config:           convertIdentityProviderConfigToStore(identityProviderPatch.Config),
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to patch identity provider").SetInternal(err)
+	}
+	return c.JSON(http.StatusOK, convertIdentityProviderFromStore(identityProvider))
+}
+
+func convertIdentityProviderFromStore(identityProvider *store.IdentityProvider) *IdentityProvider {
+	return &IdentityProvider{
+		ID:               identityProvider.ID,
+		Name:             identityProvider.Name,
+		Type:             IdentityProviderType(identityProvider.Type),
+		IdentifierFilter: identityProvider.IdentifierFilter,
+		Config:           convertIdentityProviderConfigFromStore(identityProvider.Config),
+	}
+}
+
+func convertIdentityProviderConfigFromStore(config *store.IdentityProviderConfig) *IdentityProviderConfig {
+	return &IdentityProviderConfig{
+		OAuth2Config: &IdentityProviderOAuth2Config{
+			ClientID:     config.OAuth2Config.ClientID,
+			ClientSecret: config.OAuth2Config.ClientSecret,
+			AuthURL:      config.OAuth2Config.AuthURL,
+			TokenURL:     config.OAuth2Config.TokenURL,
+			UserInfoURL:  config.OAuth2Config.UserInfoURL,
+			Scopes:       config.OAuth2Config.Scopes,
+			FieldMapping: &FieldMapping{
+				Identifier:  config.OAuth2Config.FieldMapping.Identifier,
+				DisplayName: config.OAuth2Config.FieldMapping.DisplayName,
+				Email:       config.OAuth2Config.FieldMapping.Email,
+			},
+		},
+	}
+}
+
+func convertIdentityProviderConfigToStore(config *IdentityProviderConfig) *store.IdentityProviderConfig {
+	return &store.IdentityProviderConfig{
+		OAuth2Config: &store.IdentityProviderOAuth2Config{
+			ClientID:     config.OAuth2Config.ClientID,
+			ClientSecret: config.OAuth2Config.ClientSecret,
+			AuthURL:      config.OAuth2Config.AuthURL,
+			TokenURL:     config.OAuth2Config.TokenURL,
+			UserInfoURL:  config.OAuth2Config.UserInfoURL,
+			Scopes:       config.OAuth2Config.Scopes,
+			FieldMapping: &store.FieldMapping{
+				Identifier:  config.OAuth2Config.FieldMapping.Identifier,
+				DisplayName: config.OAuth2Config.FieldMapping.DisplayName,
+				Email:       config.OAuth2Config.FieldMapping.Email,
+			},
+		},
+	}
+}

api/v1/jwt.go

@@ -0,0 +1,156 @@
+package v1
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/labstack/echo/v4"
+	"github.com/pkg/errors"
+	"go.uber.org/zap"
+
+	"github.com/usememos/memos/api/auth"
+	"github.com/usememos/memos/internal/log"
+	"github.com/usememos/memos/internal/util"
+	storepb "github.com/usememos/memos/proto/gen/store"
+	"github.com/usememos/memos/store"
+)
+
+const (
+	// The key name used to store user id in the context
+	// user id is extracted from the jwt token subject field.
+	userIDContextKey = "user-id"
+)
+
+func extractTokenFromHeader(c echo.Context) (string, error) {
+	authHeader := c.Request().Header.Get("Authorization")
+	if authHeader == "" {
+		return "", nil
+	}
+
+	authHeaderParts := strings.Fields(authHeader)
+	if len(authHeaderParts) != 2 || strings.ToLower(authHeaderParts[0]) != "bearer" {
+		return "", errors.New("Authorization header format must be Bearer {token}")
+	}
+
+	return authHeaderParts[1], nil
+}
+
+func findAccessToken(c echo.Context) string {
+	// Check the HTTP request header first.
+	accessToken, _ := extractTokenFromHeader(c)
+	if accessToken == "" {
+		// Check the cookie.
+		cookie, _ := c.Cookie(auth.AccessTokenCookieName)
+		if cookie != nil {
+			accessToken = cookie.Value
+		}
+	}
+	return accessToken
+}
+
+// JWTMiddleware validates the access token.
+func JWTMiddleware(server *APIV1Service, next echo.HandlerFunc, secret string) echo.HandlerFunc {
+	return func(c echo.Context) error {
+		ctx := c.Request().Context()
+		path := c.Request().URL.Path
+		method := c.Request().Method
+
+		if server.defaultAuthSkipper(c) {
+			return next(c)
+		}
+
+		// Skip validation for server status endpoints.
+		if util.HasPrefixes(path, "/api/v1/ping", "/api/v1/status") && method == http.MethodGet {
+			return next(c)
+		}
+
+		accessToken := findAccessToken(c)
+		if accessToken == "" {
+			// Allow the user to access the public endpoints.
+			if util.HasPrefixes(path, "/o") {
+				return next(c)
+			}
+			// When the request is not authenticated, we allow the user to access the memo endpoints for those public memos.
+			if util.HasPrefixes(path, "/api/v1/idp", "/api/v1/memo", "/api/v1/user") && path != "/api/v1/user" && method == http.MethodGet {
+				return next(c)
+			}
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing access token")
+		}
+
+		userID, err := getUserIDFromAccessToken(accessToken, secret)
+		if err != nil {
+			err = removeAccessTokenAndCookies(c, server.Store, userID, accessToken)
+			if err != nil {
+				log.Error("fail to remove AccessToken and Cookies", zap.Error(err))
+			}
+			return echo.NewHTTPError(http.StatusUnauthorized, "Invalid or expired access token")
+		}
+
+		accessTokens, err := server.Store.GetUserAccessTokens(ctx, userID)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to get user access tokens.").WithInternal(err)
+		}
+		if !validateAccessToken(accessToken, accessTokens) {
+			err = removeAccessTokenAndCookies(c, server.Store, userID, accessToken)
+			if err != nil {
+				log.Error("fail to remove AccessToken and Cookies", zap.Error(err))
+			}
+			return echo.NewHTTPError(http.StatusUnauthorized, "Invalid access token.")
+		}
+
+		// Even if there is no error, we still need to make sure the user still exists.
+		user, err := server.Store.GetUser(ctx, &store.FindUser{
+			ID: &userID,
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Server error to find user ID: %d", userID)).SetInternal(err)
+		}
+		if user == nil {
+			return echo.NewHTTPError(http.StatusUnauthorized, fmt.Sprintf("Failed to find user ID: %d", userID))
+		}
+
+		// Stores userID into context.
+		c.Set(userIDContextKey, userID)
+		return next(c)
+	}
+}
+
+func getUserIDFromAccessToken(accessToken, secret string) (int32, error) {
+	claims := &auth.ClaimsMessage{}
+	_, err := jwt.ParseWithClaims(accessToken, claims, func(t *jwt.Token) (any, error) {
+		if t.Method.Alg() != jwt.SigningMethodHS256.Name {
+			return nil, errors.Errorf("unexpected access token signing method=%v, expect %v", t.Header["alg"], jwt.SigningMethodHS256)
+		}
+		if kid, ok := t.Header["kid"].(string); ok {
+			if kid == "v1" {
+				return []byte(secret), nil
+			}
+		}
+		return nil, errors.Errorf("unexpected access token kid=%v", t.Header["kid"])
+	})
+	if err != nil {
+		return 0, errors.Wrap(err, "Invalid or expired access token")
+	}
+	// We either have a valid access token or we will attempt to generate new access token.
+	userID, err := util.ConvertStringToInt32(claims.Subject)
+	if err != nil {
+		return 0, errors.Wrap(err, "Malformed ID in the token")
+	}
+	return userID, nil
+}
+
+func (*APIV1Service) defaultAuthSkipper(c echo.Context) bool {
+	path := c.Path()
+	return util.HasPrefixes(path, "/api/v1/auth")
+}
+
+func validateAccessToken(accessTokenString string, userAccessTokens []*storepb.AccessTokensUserSetting_AccessToken) bool {
+	for _, userAccessToken := range userAccessTokens {
+		if accessTokenString == userAccessToken.AccessToken {
+			return true
+		}
+	}
+	return false
+}

api/v1/memo_organizer.go

@@ -0,0 +1,97 @@
+package v1
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	"github.com/labstack/echo/v4"
+
+	"github.com/usememos/memos/internal/util"
+	"github.com/usememos/memos/store"
+)
+
+type MemoOrganizer struct {
+	MemoID int32 `json:"memoId"`
+	UserID int32 `json:"userId"`
+	Pinned bool  `json:"pinned"`
+}
+
+type UpsertMemoOrganizerRequest struct {
+	Pinned bool `json:"pinned"`
+}
+
+func (s *APIV1Service) registerMemoOrganizerRoutes(g *echo.Group) {
+	g.POST("/memo/:memoId/organizer", s.CreateMemoOrganizer)
+}
+
+// CreateMemoOrganizer godoc
+//
+//	@Summary	Organize memo (pin/unpin)
+//	@Tags		memo-organizer
+//	@Accept		json
+//	@Produce	json
+//	@Param		memoId	path		int							true	"ID of memo to organize"
+//	@Param		body	body		UpsertMemoOrganizerRequest	true	"Memo organizer object"
+//	@Success	200		{object}	store.Memo					"Memo information"
+//	@Failure	400		{object}	nil							"ID is not a number: %s | Malformatted post memo organizer request"
+//	@Failure	401		{object}	nil							"Missing user in session | Unauthorized"
+//	@Failure	404		{object}	nil							"Memo not found: %v"
+//	@Failure	500		{object}	nil							"Failed to find memo | Failed to upsert memo organizer | Failed to find memo by ID: %v | Failed to compose memo response"
+//	@Router		/api/v1/memo/{memoId}/organizer [POST]
+func (s *APIV1Service) CreateMemoOrganizer(c echo.Context) error {
+	ctx := c.Request().Context()
+	memoID, err := util.ConvertStringToInt32(c.Param("memoId"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("memoId"))).SetInternal(err)
+	}
+
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+
+	memo, err := s.Store.GetMemo(ctx, &store.FindMemo{
+		ID: &memoID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find memo").SetInternal(err)
+	}
+	if memo == nil {
+		return echo.NewHTTPError(http.StatusNotFound, fmt.Sprintf("Memo not found: %v", memoID))
+	}
+	if memo.CreatorID != userID {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+	}
+
+	request := &UpsertMemoOrganizerRequest{}
+	if err := json.NewDecoder(c.Request().Body).Decode(request); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post memo organizer request").SetInternal(err)
+	}
+
+	upsert := &store.MemoOrganizer{
+		MemoID: memoID,
+		UserID: userID,
+		Pinned: request.Pinned,
+	}
+	_, err = s.Store.UpsertMemoOrganizer(ctx, upsert)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to upsert memo organizer").SetInternal(err)
+	}
+
+	memo, err = s.Store.GetMemo(ctx, &store.FindMemo{
+		ID: &memoID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to find memo by ID: %v", memoID)).SetInternal(err)
+	}
+	if memo == nil {
+		return echo.NewHTTPError(http.StatusNotFound, fmt.Sprintf("Memo not found: %v", memoID))
+	}
+
+	memoResponse, err := s.convertMemoFromStore(ctx, memo)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to compose memo response").SetInternal(err)
+	}
+	return c.JSON(http.StatusOK, memoResponse)
+}

api/v1/memo_relation.go

@@ -0,0 +1,156 @@
+package v1
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	"github.com/labstack/echo/v4"
+
+	"github.com/usememos/memos/internal/util"
+	"github.com/usememos/memos/store"
+)
+
+type MemoRelationType string
+
+const (
+	MemoRelationReference MemoRelationType = "REFERENCE"
+	MemoRelationComment   MemoRelationType = "COMMENT"
+)
+
+func (t MemoRelationType) String() string {
+	return string(t)
+}
+
+type MemoRelation struct {
+	MemoID        int32            `json:"memoId"`
+	RelatedMemoID int32            `json:"relatedMemoId"`
+	Type          MemoRelationType `json:"type"`
+}
+
+type UpsertMemoRelationRequest struct {
+	RelatedMemoID int32            `json:"relatedMemoId"`
+	Type          MemoRelationType `json:"type"`
+}
+
+func (s *APIV1Service) registerMemoRelationRoutes(g *echo.Group) {
+	g.GET("/memo/:memoId/relation", s.GetMemoRelationList)
+	g.POST("/memo/:memoId/relation", s.CreateMemoRelation)
+	g.DELETE("/memo/:memoId/relation/:relatedMemoId/type/:relationType", s.DeleteMemoRelation)
+}
+
+// GetMemoRelationList godoc
+//
+//	@Summary	Get a list of Memo Relations
+//	@Tags		memo-relation
+//	@Accept		json
+//	@Produce	json
+//	@Param		memoId	path		int						true	"ID of memo to find relations"
+//	@Success	200		{object}	[]store.MemoRelation	"Memo relation information list"
+//	@Failure	400		{object}	nil						"ID is not a number: %s"
+//	@Failure	500		{object}	nil						"Failed to list memo relations"
+//	@Router		/api/v1/memo/{memoId}/relation [GET]
+func (s *APIV1Service) GetMemoRelationList(c echo.Context) error {
+	ctx := c.Request().Context()
+	memoID, err := util.ConvertStringToInt32(c.Param("memoId"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("memoId"))).SetInternal(err)
+	}
+
+	memoRelationList, err := s.Store.ListMemoRelations(ctx, &store.FindMemoRelation{
+		MemoID: &memoID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to list memo relations").SetInternal(err)
+	}
+	return c.JSON(http.StatusOK, memoRelationList)
+}
+
+// CreateMemoRelation godoc
+//
+//	@Summary		Create Memo Relation
+//	@Description	Create a relation between two memos
+//	@Tags			memo-relation
+//	@Accept			json
+//	@Produce		json
+//	@Param			memoId	path		int							true	"ID of memo to relate"
+//	@Param			body	body		UpsertMemoRelationRequest	true	"Memo relation object"
+//	@Success		200		{object}	store.MemoRelation			"Memo relation information"
+//	@Failure		400		{object}	nil							"ID is not a number: %s | Malformatted post memo relation request"
+//	@Failure		500		{object}	nil							"Failed to upsert memo relation"
+//	@Router			/api/v1/memo/{memoId}/relation [POST]
+//
+// NOTES:
+// - Currently not secured
+// - It's possible to create relations to memos that doesn't exist, which will trigger 404 errors when the frontend tries to load them.
+// - It's possible to create multiple relations, though the interface only shows first.
+func (s *APIV1Service) CreateMemoRelation(c echo.Context) error {
+	ctx := c.Request().Context()
+	memoID, err := util.ConvertStringToInt32(c.Param("memoId"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("memoId"))).SetInternal(err)
+	}
+
+	request := &UpsertMemoRelationRequest{}
+	if err := json.NewDecoder(c.Request().Body).Decode(request); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post memo relation request").SetInternal(err)
+	}
+
+	memoRelation, err := s.Store.UpsertMemoRelation(ctx, &store.MemoRelation{
+		MemoID:        memoID,
+		RelatedMemoID: request.RelatedMemoID,
+		Type:          store.MemoRelationType(request.Type),
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to upsert memo relation").SetInternal(err)
+	}
+	return c.JSON(http.StatusOK, memoRelation)
+}
+
+// DeleteMemoRelation godoc
+//
+//	@Summary		Delete a Memo Relation
+//	@Description	Removes a relation between two memos
+//	@Tags			memo-relation
+//	@Accept			json
+//	@Produce		json
+//	@Param			memoId			path		int					true	"ID of memo to find relations"
+//	@Param			relatedMemoId	path		int					true	"ID of memo to remove relation to"
+//	@Param			relationType	path		MemoRelationType	true	"Type of relation to remove"
+//	@Success		200				{boolean}	true				"Memo relation deleted"
+//	@Failure		400				{object}	nil					"Memo ID is not a number: %s | Related memo ID is not a number: %s"
+//	@Failure		500				{object}	nil					"Failed to delete memo relation"
+//	@Router			/api/v1/memo/{memoId}/relation/{relatedMemoId}/type/{relationType} [DELETE]
+//
+// NOTES:
+// - Currently not secured.
+// - Will always return true, even if the relation doesn't exist.
+func (s *APIV1Service) DeleteMemoRelation(c echo.Context) error {
+	ctx := c.Request().Context()
+	memoID, err := util.ConvertStringToInt32(c.Param("memoId"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("Memo ID is not a number: %s", c.Param("memoId"))).SetInternal(err)
+	}
+	relatedMemoID, err := util.ConvertStringToInt32(c.Param("relatedMemoId"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("Related memo ID is not a number: %s", c.Param("relatedMemoId"))).SetInternal(err)
+	}
+	relationType := store.MemoRelationType(c.Param("relationType"))
+
+	if err := s.Store.DeleteMemoRelation(ctx, &store.DeleteMemoRelation{
+		MemoID:        &memoID,
+		RelatedMemoID: &relatedMemoID,
+		Type:          &relationType,
+	}); err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to delete memo relation").SetInternal(err)
+	}
+	return c.JSON(http.StatusOK, true)
+}
+
+func convertMemoRelationFromStore(memoRelation *store.MemoRelation) *MemoRelation {
+	return &MemoRelation{
+		MemoID:        memoRelation.MemoID,
+		RelatedMemoID: memoRelation.RelatedMemoID,
+		Type:          MemoRelationType(memoRelation.Type),
+	}
+}

api/v1/resource.go

@@ -0,0 +1,502 @@
+package v1
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"os"
+	"path/filepath"
+	"regexp"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/labstack/echo/v4"
+	"github.com/lithammer/shortuuid/v4"
+	"github.com/pkg/errors"
+	"go.uber.org/zap"
+
+	"github.com/usememos/memos/internal/log"
+	"github.com/usememos/memos/internal/util"
+	"github.com/usememos/memos/plugin/storage/s3"
+	"github.com/usememos/memos/server/service/metric"
+	"github.com/usememos/memos/store"
+)
+
+type Resource struct {
+	ID   int32  `json:"id"`
+	Name string `json:"name"`
+
+	// Standard fields
+	CreatorID int32 `json:"creatorId"`
+	CreatedTs int64 `json:"createdTs"`
+	UpdatedTs int64 `json:"updatedTs"`
+
+	// Domain specific fields
+	Filename     string `json:"filename"`
+	Blob         []byte `json:"-"`
+	InternalPath string `json:"-"`
+	ExternalLink string `json:"externalLink"`
+	Type         string `json:"type"`
+	Size         int64  `json:"size"`
+}
+
+type CreateResourceRequest struct {
+	Filename     string `json:"filename"`
+	ExternalLink string `json:"externalLink"`
+	Type         string `json:"type"`
+}
+
+type FindResourceRequest struct {
+	ID        *int32  `json:"id"`
+	CreatorID *int32  `json:"creatorId"`
+	Filename  *string `json:"filename"`
+}
+
+type UpdateResourceRequest struct {
+	Filename *string `json:"filename"`
+}
+
+const (
+	// The upload memory buffer is 32 MiB.
+	// It should be kept low, so RAM usage doesn't get out of control.
+	// This is unrelated to maximum upload size limit, which is now set through system setting.
+	maxUploadBufferSizeBytes = 32 << 20
+	MebiByte                 = 1024 * 1024
+)
+
+var fileKeyPattern = regexp.MustCompile(`\{[a-z]{1,9}\}`)
+
+func (s *APIV1Service) registerResourceRoutes(g *echo.Group) {
+	g.GET("/resource", s.GetResourceList)
+	g.POST("/resource", s.CreateResource)
+	g.POST("/resource/blob", s.UploadResource)
+	g.PATCH("/resource/:resourceId", s.UpdateResource)
+	g.DELETE("/resource/:resourceId", s.DeleteResource)
+}
+
+// GetResourceList godoc
+//
+//	@Summary	Get a list of resources
+//	@Tags		resource
+//	@Produce	json
+//	@Param		limit	query		int					false	"Limit"
+//	@Param		offset	query		int					false	"Offset"
+//	@Success	200		{object}	[]store.Resource	"Resource list"
+//	@Failure	401		{object}	nil					"Missing user in session"
+//	@Failure	500		{object}	nil					"Failed to fetch resource list"
+//	@Router		/api/v1/resource [GET]
+func (s *APIV1Service) GetResourceList(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+	find := &store.FindResource{
+		CreatorID: &userID,
+	}
+	if limit, err := strconv.Atoi(c.QueryParam("limit")); err == nil {
+		find.Limit = &limit
+	}
+	if offset, err := strconv.Atoi(c.QueryParam("offset")); err == nil {
+		find.Offset = &offset
+	}
+
+	list, err := s.Store.ListResources(ctx, find)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to fetch resource list").SetInternal(err)
+	}
+	resourceMessageList := []*Resource{}
+	for _, resource := range list {
+		resourceMessageList = append(resourceMessageList, convertResourceFromStore(resource))
+	}
+	return c.JSON(http.StatusOK, resourceMessageList)
+}
+
+// CreateResource godoc
+//
+//	@Summary	Create resource
+//	@Tags		resource
+//	@Accept		json
+//	@Produce	json
+//	@Param		body	body		CreateResourceRequest	true	"Request object."
+//	@Success	200		{object}	store.Resource			"Created resource"
+//	@Failure	400		{object}	nil						"Malformatted post resource request | Invalid external link | Invalid external link scheme | Failed to request %s | Failed to read %s | Failed to read mime from %s"
+//	@Failure	401		{object}	nil						"Missing user in session"
+//	@Failure	500		{object}	nil						"Failed to save resource | Failed to create resource | Failed to create activity"
+//	@Router		/api/v1/resource [POST]
+func (s *APIV1Service) CreateResource(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+
+	request := &CreateResourceRequest{}
+	if err := json.NewDecoder(c.Request().Body).Decode(request); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post resource request").SetInternal(err)
+	}
+
+	create := &store.Resource{
+		ResourceName: shortuuid.New(),
+		CreatorID:    userID,
+		Filename:     request.Filename,
+		ExternalLink: request.ExternalLink,
+		Type:         request.Type,
+	}
+	if request.ExternalLink != "" {
+		// Only allow those external links scheme with http/https
+		linkURL, err := url.Parse(request.ExternalLink)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, "Invalid external link").SetInternal(err)
+		}
+		if linkURL.Scheme != "http" && linkURL.Scheme != "https" {
+			return echo.NewHTTPError(http.StatusBadRequest, "Invalid external link scheme")
+		}
+	}
+
+	resource, err := s.Store.CreateResource(ctx, create)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create resource").SetInternal(err)
+	}
+	metric.Enqueue("resource create")
+	return c.JSON(http.StatusOK, convertResourceFromStore(resource))
+}
+
+// UploadResource godoc
+//
+//	@Summary	Upload resource
+//	@Tags		resource
+//	@Accept		multipart/form-data
+//	@Produce	json
+//	@Param		file	formData	file			true	"File to upload"
+//	@Success	200		{object}	store.Resource	"Created resource"
+//	@Failure	400		{object}	nil				"Upload file not found | File size exceeds allowed limit of %d MiB | Failed to parse upload data"
+//	@Failure	401		{object}	nil				"Missing user in session"
+//	@Failure	500		{object}	nil				"Failed to get uploading file | Failed to open file | Failed to save resource | Failed to create resource | Failed to create activity"
+//	@Router		/api/v1/resource/blob [POST]
+func (s *APIV1Service) UploadResource(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+
+	// This is the backend default max upload size limit.
+	maxUploadSetting := s.Store.GetWorkspaceSettingWithDefaultValue(ctx, SystemSettingMaxUploadSizeMiBName.String(), "32")
+	var settingMaxUploadSizeBytes int
+	if settingMaxUploadSizeMiB, err := strconv.Atoi(maxUploadSetting); err == nil {
+		settingMaxUploadSizeBytes = settingMaxUploadSizeMiB * MebiByte
+	} else {
+		log.Warn("Failed to parse max upload size", zap.Error(err))
+		settingMaxUploadSizeBytes = 0
+	}
+
+	file, err := c.FormFile("file")
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to get uploading file").SetInternal(err)
+	}
+	if file == nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Upload file not found").SetInternal(err)
+	}
+
+	if file.Size > int64(settingMaxUploadSizeBytes) {
+		message := fmt.Sprintf("File size exceeds allowed limit of %d MiB", settingMaxUploadSizeBytes/MebiByte)
+		return echo.NewHTTPError(http.StatusBadRequest, message).SetInternal(err)
+	}
+	if err := c.Request().ParseMultipartForm(maxUploadBufferSizeBytes); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Failed to parse upload data").SetInternal(err)
+	}
+
+	sourceFile, err := file.Open()
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to open file").SetInternal(err)
+	}
+	defer sourceFile.Close()
+
+	create := &store.Resource{
+		ResourceName: shortuuid.New(),
+		CreatorID:    userID,
+		Filename:     file.Filename,
+		Type:         file.Header.Get("Content-Type"),
+		Size:         file.Size,
+	}
+	err = SaveResourceBlob(ctx, s.Store, create, sourceFile)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to save resource").SetInternal(err)
+	}
+
+	resource, err := s.Store.CreateResource(ctx, create)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create resource").SetInternal(err)
+	}
+	metric.Enqueue("resource create")
+	return c.JSON(http.StatusOK, convertResourceFromStore(resource))
+}
+
+// DeleteResource godoc
+//
+//	@Summary	Delete a resource
+//	@Tags		resource
+//	@Produce	json
+//	@Param		resourceId	path		int		true	"Resource ID"
+//	@Success	200			{boolean}	true	"Resource deleted"
+//	@Failure	400			{object}	nil		"ID is not a number: %s"
+//	@Failure	401			{object}	nil		"Missing user in session"
+//	@Failure	404			{object}	nil		"Resource not found: %d"
+//	@Failure	500			{object}	nil		"Failed to find resource | Failed to delete resource"
+//	@Router		/api/v1/resource/{resourceId} [DELETE]
+func (s *APIV1Service) DeleteResource(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+
+	resourceID, err := util.ConvertStringToInt32(c.Param("resourceId"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("resourceId"))).SetInternal(err)
+	}
+
+	resource, err := s.Store.GetResource(ctx, &store.FindResource{
+		ID:        &resourceID,
+		CreatorID: &userID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find resource").SetInternal(err)
+	}
+	if resource == nil {
+		return echo.NewHTTPError(http.StatusNotFound, fmt.Sprintf("Resource not found: %d", resourceID))
+	}
+
+	if err := s.Store.DeleteResource(ctx, &store.DeleteResource{
+		ID: resourceID,
+	}); err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to delete resource").SetInternal(err)
+	}
+	return c.JSON(http.StatusOK, true)
+}
+
+// UpdateResource godoc
+//
+//	@Summary	Update a resource
+//	@Tags		resource
+//	@Produce	json
+//	@Param		resourceId	path		int						true	"Resource ID"
+//	@Param		patch		body		UpdateResourceRequest	true	"Patch resource request"
+//	@Success	200			{object}	store.Resource			"Updated resource"
+//	@Failure	400			{object}	nil						"ID is not a number: %s | Malformatted patch resource request"
+//	@Failure	401			{object}	nil						"Missing user in session | Unauthorized"
+//	@Failure	404			{object}	nil						"Resource not found: %d"
+//	@Failure	500			{object}	nil						"Failed to find resource | Failed to patch resource"
+//	@Router		/api/v1/resource/{resourceId} [PATCH]
+func (s *APIV1Service) UpdateResource(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+
+	resourceID, err := util.ConvertStringToInt32(c.Param("resourceId"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("resourceId"))).SetInternal(err)
+	}
+
+	resource, err := s.Store.GetResource(ctx, &store.FindResource{
+		ID: &resourceID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find resource").SetInternal(err)
+	}
+	if resource == nil {
+		return echo.NewHTTPError(http.StatusNotFound, fmt.Sprintf("Resource not found: %d", resourceID))
+	}
+	if resource.CreatorID != userID {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+	}
+
+	request := &UpdateResourceRequest{}
+	if err := json.NewDecoder(c.Request().Body).Decode(request); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Malformatted patch resource request").SetInternal(err)
+	}
+
+	currentTs := time.Now().Unix()
+	update := &store.UpdateResource{
+		ID:        resourceID,
+		UpdatedTs: &currentTs,
+	}
+	if request.Filename != nil && *request.Filename != "" {
+		update.Filename = request.Filename
+	}
+
+	resource, err = s.Store.UpdateResource(ctx, update)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to patch resource").SetInternal(err)
+	}
+	return c.JSON(http.StatusOK, convertResourceFromStore(resource))
+}
+
+func replacePathTemplate(path, filename string) string {
+	t := time.Now()
+	path = fileKeyPattern.ReplaceAllStringFunc(path, func(s string) string {
+		switch s {
+		case "{filename}":
+			return filename
+		case "{timestamp}":
+			return fmt.Sprintf("%d", t.Unix())
+		case "{year}":
+			return fmt.Sprintf("%d", t.Year())
+		case "{month}":
+			return fmt.Sprintf("%02d", t.Month())
+		case "{day}":
+			return fmt.Sprintf("%02d", t.Day())
+		case "{hour}":
+			return fmt.Sprintf("%02d", t.Hour())
+		case "{minute}":
+			return fmt.Sprintf("%02d", t.Minute())
+		case "{second}":
+			return fmt.Sprintf("%02d", t.Second())
+		case "{uuid}":
+			return util.GenUUID()
+		}
+		return s
+	})
+	return path
+}
+
+func convertResourceFromStore(resource *store.Resource) *Resource {
+	return &Resource{
+		ID:           resource.ID,
+		Name:         resource.ResourceName,
+		CreatorID:    resource.CreatorID,
+		CreatedTs:    resource.CreatedTs,
+		UpdatedTs:    resource.UpdatedTs,
+		Filename:     resource.Filename,
+		Blob:         resource.Blob,
+		InternalPath: resource.InternalPath,
+		ExternalLink: resource.ExternalLink,
+		Type:         resource.Type,
+		Size:         resource.Size,
+	}
+}
+
+// SaveResourceBlob save the blob of resource based on the storage config
+//
+// Depend on the storage config, some fields of *store.ResourceCreate will be changed:
+// 1. *DatabaseStorage*: `create.Blob`.
+// 2. *LocalStorage*: `create.InternalPath`.
+// 3. Others( external service): `create.ExternalLink`.
+func SaveResourceBlob(ctx context.Context, s *store.Store, create *store.Resource, r io.Reader) error {
+	systemSettingStorageServiceID, err := s.GetWorkspaceSetting(ctx, &store.FindWorkspaceSetting{Name: SystemSettingStorageServiceIDName.String()})
+	if err != nil {
+		return errors.Wrap(err, "Failed to find SystemSettingStorageServiceIDName")
+	}
+
+	storageServiceID := DefaultStorage
+	if systemSettingStorageServiceID != nil {
+		err = json.Unmarshal([]byte(systemSettingStorageServiceID.Value), &storageServiceID)
+		if err != nil {
+			return errors.Wrap(err, "Failed to unmarshal storage service id")
+		}
+	}
+
+	// `DatabaseStorage` means store blob into database
+	if storageServiceID == DatabaseStorage {
+		fileBytes, err := io.ReadAll(r)
+		if err != nil {
+			return errors.Wrap(err, "Failed to read file")
+		}
+		create.Blob = fileBytes
+		return nil
+	} else if storageServiceID == LocalStorage {
+		// `LocalStorage` means save blob into local disk
+		systemSettingLocalStoragePath, err := s.GetWorkspaceSetting(ctx, &store.FindWorkspaceSetting{Name: SystemSettingLocalStoragePathName.String()})
+		if err != nil {
+			return errors.Wrap(err, "Failed to find SystemSettingLocalStoragePathName")
+		}
+		localStoragePath := "assets/{timestamp}_{filename}"
+		if systemSettingLocalStoragePath != nil && systemSettingLocalStoragePath.Value != "" {
+			err = json.Unmarshal([]byte(systemSettingLocalStoragePath.Value), &localStoragePath)
+			if err != nil {
+				return errors.Wrap(err, "Failed to unmarshal SystemSettingLocalStoragePathName")
+			}
+		}
+
+		internalPath := localStoragePath
+		if !strings.Contains(internalPath, "{filename}") {
+			internalPath = filepath.Join(internalPath, "{filename}")
+		}
+		internalPath = replacePathTemplate(internalPath, create.Filename)
+		internalPath = filepath.ToSlash(internalPath)
+		create.InternalPath = internalPath
+
+		osPath := filepath.FromSlash(internalPath)
+		if !filepath.IsAbs(osPath) {
+			osPath = filepath.Join(s.Profile.Data, osPath)
+		}
+		dir := filepath.Dir(osPath)
+		if err = os.MkdirAll(dir, os.ModePerm); err != nil {
+			return errors.Wrap(err, "Failed to create directory")
+		}
+		dst, err := os.Create(osPath)
+		if err != nil {
+			return errors.Wrap(err, "Failed to create file")
+		}
+		defer dst.Close()
+		_, err = io.Copy(dst, r)
+		if err != nil {
+			return errors.Wrap(err, "Failed to copy file")
+		}
+
+		return nil
+	}
+
+	// Others: store blob into external service, such as S3
+	storage, err := s.GetStorage(ctx, &store.FindStorage{ID: &storageServiceID})
+	if err != nil {
+		return errors.Wrap(err, "Failed to find StorageServiceID")
+	}
+	if storage == nil {
+		return errors.Errorf("Storage %d not found", storageServiceID)
+	}
+	storageMessage, err := ConvertStorageFromStore(storage)
+	if err != nil {
+		return errors.Wrap(err, "Failed to ConvertStorageFromStore")
+	}
+
+	if storageMessage.Type != StorageS3 {
+		return errors.Errorf("Unsupported storage type: %s", storageMessage.Type)
+	}
+
+	s3Config := storageMessage.Config.S3Config
+	s3Client, err := s3.NewClient(ctx, &s3.Config{
+		AccessKey: s3Config.AccessKey,
+		SecretKey: s3Config.SecretKey,
+		EndPoint:  s3Config.EndPoint,
+		Region:    s3Config.Region,
+		Bucket:    s3Config.Bucket,
+		URLPrefix: s3Config.URLPrefix,
+		URLSuffix: s3Config.URLSuffix,
+		PreSign:   s3Config.PreSign,
+	})
+	if err != nil {
+		return errors.Wrap(err, "Failed to create s3 client")
+	}
+
+	filePath := s3Config.Path
+	if !strings.Contains(filePath, "{filename}") {
+		filePath = filepath.Join(filePath, "{filename}")
+	}
+	filePath = replacePathTemplate(filePath, create.Filename)
+
+	link, err := s3Client.UploadFile(ctx, filePath, create.Type, r)
+	if err != nil {
+		return errors.Wrap(err, "Failed to upload via s3 client")
+	}
+
+	create.ExternalLink = link
+	return nil
+}

api/v1/storage.go

@@ -0,0 +1,316 @@
+package v1
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	"github.com/labstack/echo/v4"
+
+	"github.com/usememos/memos/internal/util"
+	"github.com/usememos/memos/store"
+)
+
+const (
+	// LocalStorage means the storage service is local file system.
+	LocalStorage int32 = -1
+	// DatabaseStorage means the storage service is database.
+	DatabaseStorage int32 = 0
+	// Default storage service is database.
+	DefaultStorage int32 = DatabaseStorage
+)
+
+type StorageType string
+
+const (
+	StorageS3 StorageType = "S3"
+)
+
+func (t StorageType) String() string {
+	return string(t)
+}
+
+type StorageConfig struct {
+	S3Config *StorageS3Config `json:"s3Config"`
+}
+
+type StorageS3Config struct {
+	EndPoint  string `json:"endPoint"`
+	Path      string `json:"path"`
+	Region    string `json:"region"`
+	AccessKey string `json:"accessKey"`
+	SecretKey string `json:"secretKey"`
+	Bucket    string `json:"bucket"`
+	URLPrefix string `json:"urlPrefix"`
+	URLSuffix string `json:"urlSuffix"`
+	PreSign   bool   `json:"presign"`
+}
+
+type Storage struct {
+	ID     int32          `json:"id"`
+	Name   string         `json:"name"`
+	Type   StorageType    `json:"type"`
+	Config *StorageConfig `json:"config"`
+}
+
+type CreateStorageRequest struct {
+	Name   string         `json:"name"`
+	Type   StorageType    `json:"type"`
+	Config *StorageConfig `json:"config"`
+}
+
+type UpdateStorageRequest struct {
+	Type   StorageType    `json:"type"`
+	Name   *string        `json:"name"`
+	Config *StorageConfig `json:"config"`
+}
+
+func (s *APIV1Service) registerStorageRoutes(g *echo.Group) {
+	g.GET("/storage", s.GetStorageList)
+	g.POST("/storage", s.CreateStorage)
+	g.PATCH("/storage/:storageId", s.UpdateStorage)
+	g.DELETE("/storage/:storageId", s.DeleteStorage)
+}
+
+// GetStorageList godoc
+//
+//	@Summary	Get a list of storages
+//	@Tags		storage
+//	@Produce	json
+//	@Success	200	{object}	[]store.Storage	"List of storages"
+//	@Failure	401	{object}	nil				"Missing user in session | Unauthorized"
+//	@Failure	500	{object}	nil				"Failed to find user | Failed to convert storage"
+//	@Router		/api/v1/storage [GET]
+func (s *APIV1Service) GetStorageList(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		ID: &userID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+	}
+	// We should only show storage list to host user.
+	if user == nil || user.Role != store.RoleHost {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+	}
+
+	list, err := s.Store.ListStorages(ctx, &store.FindStorage{})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find storage list").SetInternal(err)
+	}
+
+	storageList := []*Storage{}
+	for _, storage := range list {
+		storageMessage, err := ConvertStorageFromStore(storage)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to convert storage").SetInternal(err)
+		}
+		storageList = append(storageList, storageMessage)
+	}
+	return c.JSON(http.StatusOK, storageList)
+}
+
+// CreateStorage godoc
+//
+//	@Summary	Create storage
+//	@Tags		storage
+//	@Accept		json
+//	@Produce	json
+//	@Param		body	body		CreateStorageRequest	true	"Request object."
+//	@Success	200		{object}	store.Storage			"Created storage"
+//	@Failure	400		{object}	nil						"Malformatted post storage request"
+//	@Failure	401		{object}	nil						"Missing user in session"
+//	@Failure	500		{object}	nil						"Failed to find user | Failed to create storage | Failed to convert storage"
+//	@Router		/api/v1/storage [POST]
+func (s *APIV1Service) CreateStorage(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		ID: &userID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+	}
+	if user == nil || user.Role != store.RoleHost {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+	}
+
+	create := &CreateStorageRequest{}
+	if err := json.NewDecoder(c.Request().Body).Decode(create); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post storage request").SetInternal(err)
+	}
+
+	configString := ""
+	if create.Type == StorageS3 && create.Config.S3Config != nil {
+		configBytes, err := json.Marshal(create.Config.S3Config)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post storage request").SetInternal(err)
+		}
+		configString = string(configBytes)
+	}
+
+	storage, err := s.Store.CreateStorage(ctx, &store.Storage{
+		Name:   create.Name,
+		Type:   create.Type.String(),
+		Config: configString,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create storage").SetInternal(err)
+	}
+	storageMessage, err := ConvertStorageFromStore(storage)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to convert storage").SetInternal(err)
+	}
+	return c.JSON(http.StatusOK, storageMessage)
+}
+
+// DeleteStorage godoc
+//
+//	@Summary	Delete a storage
+//	@Tags		storage
+//	@Produce	json
+//	@Param		storageId	path		int		true	"Storage ID"
+//	@Success	200			{boolean}	true	"Storage deleted"
+//	@Failure	400			{object}	nil		"ID is not a number: %s | Storage service %d is using"
+//	@Failure	401			{object}	nil		"Missing user in session | Unauthorized"
+//	@Failure	500			{object}	nil		"Failed to find user | Failed to find storage | Failed to unmarshal storage service id | Failed to delete storage"
+//	@Router		/api/v1/storage/{storageId} [DELETE]
+//
+// NOTES:
+// - error message "Storage service %d is using" probably should be "Storage service %d is in use".
+func (s *APIV1Service) DeleteStorage(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		ID: &userID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+	}
+	if user == nil || user.Role != store.RoleHost {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+	}
+
+	storageID, err := util.ConvertStringToInt32(c.Param("storageId"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("storageId"))).SetInternal(err)
+	}
+
+	systemSetting, err := s.Store.GetWorkspaceSetting(ctx, &store.FindWorkspaceSetting{Name: SystemSettingStorageServiceIDName.String()})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find storage").SetInternal(err)
+	}
+	if systemSetting != nil {
+		storageServiceID := DefaultStorage
+		err = json.Unmarshal([]byte(systemSetting.Value), &storageServiceID)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to unmarshal storage service id").SetInternal(err)
+		}
+		if storageServiceID == storageID {
+			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("Storage service %d is using", storageID))
+		}
+	}
+
+	if err = s.Store.DeleteStorage(ctx, &store.DeleteStorage{ID: storageID}); err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to delete storage").SetInternal(err)
+	}
+	return c.JSON(http.StatusOK, true)
+}
+
+// UpdateStorage godoc
+//
+//	@Summary	Update a storage
+//	@Tags		storage
+//	@Produce	json
+//	@Param		storageId	path		int						true	"Storage ID"
+//	@Param		patch		body		UpdateStorageRequest	true	"Patch request"
+//	@Success	200			{object}	store.Storage			"Updated resource"
+//	@Failure	400			{object}	nil						"ID is not a number: %s | Malformatted patch storage request | Malformatted post storage request"
+//	@Failure	401			{object}	nil						"Missing user in session | Unauthorized"
+//	@Failure	500			{object}	nil						"Failed to find user | Failed to patch storage | Failed to convert storage"
+//	@Router		/api/v1/storage/{storageId} [PATCH]
+func (s *APIV1Service) UpdateStorage(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		ID: &userID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+	}
+	if user == nil || user.Role != store.RoleHost {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+	}
+
+	storageID, err := util.ConvertStringToInt32(c.Param("storageId"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("storageId"))).SetInternal(err)
+	}
+
+	update := &UpdateStorageRequest{}
+	if err := json.NewDecoder(c.Request().Body).Decode(update); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Malformatted patch storage request").SetInternal(err)
+	}
+	storageUpdate := &store.UpdateStorage{
+		ID: storageID,
+	}
+	if update.Name != nil {
+		storageUpdate.Name = update.Name
+	}
+	if update.Config != nil {
+		if update.Type == StorageS3 {
+			configBytes, err := json.Marshal(update.Config.S3Config)
+			if err != nil {
+				return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post storage request").SetInternal(err)
+			}
+			configString := string(configBytes)
+			storageUpdate.Config = &configString
+		}
+	}
+
+	storage, err := s.Store.UpdateStorage(ctx, storageUpdate)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to patch storage").SetInternal(err)
+	}
+	storageMessage, err := ConvertStorageFromStore(storage)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to convert storage").SetInternal(err)
+	}
+	return c.JSON(http.StatusOK, storageMessage)
+}
+
+func ConvertStorageFromStore(storage *store.Storage) (*Storage, error) {
+	storageMessage := &Storage{
+		ID:     storage.ID,
+		Name:   storage.Name,
+		Type:   StorageType(storage.Type),
+		Config: &StorageConfig{},
+	}
+	if storageMessage.Type == StorageS3 {
+		s3Config := &StorageS3Config{}
+		if err := json.Unmarshal([]byte(storage.Config), s3Config); err != nil {
+			return nil, err
+		}
+		storageMessage.Config = &StorageConfig{
+			S3Config: s3Config,
+		}
+	}
+	return storageMessage, nil
+}

api/v1/system.go

@@ -0,0 +1,179 @@
+package v1
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"github.com/labstack/echo/v4"
+	"go.uber.org/zap"
+
+	"github.com/usememos/memos/internal/log"
+	"github.com/usememos/memos/server/profile"
+	"github.com/usememos/memos/store"
+)
+
+type SystemStatus struct {
+	Host    *User           `json:"host"`
+	Profile profile.Profile `json:"profile"`
+	DBSize  int64           `json:"dbSize"`
+
+	// System settings
+	// Allow sign up.
+	AllowSignUp bool `json:"allowSignUp"`
+	// Disable password login.
+	DisablePasswordLogin bool `json:"disablePasswordLogin"`
+	// Disable public memos.
+	DisablePublicMemos bool `json:"disablePublicMemos"`
+	// Max upload size.
+	MaxUploadSizeMiB int `json:"maxUploadSizeMiB"`
+	// Additional style.
+	AdditionalStyle string `json:"additionalStyle"`
+	// Additional script.
+	AdditionalScript string `json:"additionalScript"`
+	// Customized server profile, including server name and external url.
+	CustomizedProfile CustomizedProfile `json:"customizedProfile"`
+	// Storage service ID.
+	StorageServiceID int32 `json:"storageServiceId"`
+	// Local storage path.
+	LocalStoragePath string `json:"localStoragePath"`
+	// Memo display with updated timestamp.
+	MemoDisplayWithUpdatedTs bool `json:"memoDisplayWithUpdatedTs"`
+}
+
+func (s *APIV1Service) registerSystemRoutes(g *echo.Group) {
+	g.GET("/ping", s.PingSystem)
+	g.GET("/status", s.GetSystemStatus)
+	g.POST("/system/vacuum", s.ExecVacuum)
+}
+
+// PingSystem godoc
+//
+//	@Summary	Ping the system
+//	@Tags		system
+//	@Produce	json
+//	@Success	200	{boolean}	true	"If succeed to ping the system"
+//	@Router		/api/v1/ping [GET]
+func (*APIV1Service) PingSystem(c echo.Context) error {
+	return c.JSON(http.StatusOK, true)
+}
+
+// GetSystemStatus godoc
+//
+//	@Summary	Get system GetSystemStatus
+//	@Tags		system
+//	@Produce	json
+//	@Success	200	{object}	SystemStatus	"System GetSystemStatus"
+//	@Failure	401	{object}	nil				"Missing user in session | Unauthorized"
+//	@Failure	500	{object}	nil				"Failed to find host user | Failed to find system setting list | Failed to unmarshal system setting customized profile value"
+//	@Router		/api/v1/status [GET]
+func (s *APIV1Service) GetSystemStatus(c echo.Context) error {
+	ctx := c.Request().Context()
+
+	systemStatus := SystemStatus{
+		Profile: profile.Profile{
+			Mode:    s.Profile.Mode,
+			Version: s.Profile.Version,
+		},
+		// Allow sign up by default.
+		AllowSignUp:      true,
+		MaxUploadSizeMiB: 32,
+		CustomizedProfile: CustomizedProfile{
+			Name:       "Memos",
+			Locale:     "en",
+			Appearance: "system",
+		},
+		StorageServiceID: DefaultStorage,
+		LocalStoragePath: "assets/{timestamp}_{filename}",
+	}
+
+	hostUserType := store.RoleHost
+	hostUser, err := s.Store.GetUser(ctx, &store.FindUser{
+		Role: &hostUserType,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find host user").SetInternal(err)
+	}
+	if hostUser != nil {
+		systemStatus.Host = &User{ID: hostUser.ID}
+	}
+
+	systemSettingList, err := s.Store.ListWorkspaceSettings(ctx, &store.FindWorkspaceSetting{})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find system setting list").SetInternal(err)
+	}
+	for _, systemSetting := range systemSettingList {
+		if systemSetting.Name == SystemSettingServerIDName.String() || systemSetting.Name == SystemSettingSecretSessionName.String() || systemSetting.Name == SystemSettingTelegramBotTokenName.String() || systemSetting.Name == SystemSettingInstanceURLName.String() {
+			continue
+		}
+
+		var baseValue any
+		err := json.Unmarshal([]byte(systemSetting.Value), &baseValue)
+		if err != nil {
+			// Skip invalid value.
+			continue
+		}
+
+		switch systemSetting.Name {
+		case SystemSettingAllowSignUpName.String():
+			systemStatus.AllowSignUp = baseValue.(bool)
+		case SystemSettingDisablePasswordLoginName.String():
+			systemStatus.DisablePasswordLogin = baseValue.(bool)
+		case SystemSettingDisablePublicMemosName.String():
+			systemStatus.DisablePublicMemos = baseValue.(bool)
+		case SystemSettingMaxUploadSizeMiBName.String():
+			systemStatus.MaxUploadSizeMiB = int(baseValue.(float64))
+		case SystemSettingAdditionalStyleName.String():
+			systemStatus.AdditionalStyle = baseValue.(string)
+		case SystemSettingAdditionalScriptName.String():
+			systemStatus.AdditionalScript = baseValue.(string)
+		case SystemSettingCustomizedProfileName.String():
+			customizedProfile := CustomizedProfile{}
+			if err := json.Unmarshal([]byte(systemSetting.Value), &customizedProfile); err != nil {
+				return echo.NewHTTPError(http.StatusInternalServerError, "Failed to unmarshal system setting customized profile value").SetInternal(err)
+			}
+			systemStatus.CustomizedProfile = customizedProfile
+		case SystemSettingStorageServiceIDName.String():
+			systemStatus.StorageServiceID = int32(baseValue.(float64))
+		case SystemSettingLocalStoragePathName.String():
+			systemStatus.LocalStoragePath = baseValue.(string)
+		case SystemSettingMemoDisplayWithUpdatedTsName.String():
+			systemStatus.MemoDisplayWithUpdatedTs = baseValue.(bool)
+		default:
+			log.Warn("Unknown system setting name", zap.String("setting name", systemSetting.Name))
+		}
+	}
+
+	return c.JSON(http.StatusOK, systemStatus)
+}
+
+// ExecVacuum godoc
+//
+//	@Summary	Vacuum the database
+//	@Tags		system
+//	@Produce	json
+//	@Success	200	{boolean}	true	"Database vacuumed"
+//	@Failure	401	{object}	nil		"Missing user in session | Unauthorized"
+//	@Failure	500	{object}	nil		"Failed to find user | Failed to ExecVacuum database"
+//	@Router		/api/v1/system/vacuum [POST]
+func (s *APIV1Service) ExecVacuum(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		ID: &userID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+	}
+	if user == nil || user.Role != store.RoleHost {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+	}
+
+	if err := s.Store.Vacuum(ctx); err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to vacuum database").SetInternal(err)
+	}
+	return c.JSON(http.StatusOK, true)
+}

api/v1/system_setting.go

@@ -0,0 +1,308 @@
+package v1
+
+import (
+	"encoding/json"
+	"net/http"
+	"path/filepath"
+	"strings"
+
+	"github.com/labstack/echo/v4"
+	"github.com/pkg/errors"
+
+	"github.com/usememos/memos/store"
+)
+
+type SystemSettingName string
+
+const (
+	// SystemSettingServerIDName is the name of server id.
+	SystemSettingServerIDName SystemSettingName = "server-id"
+	// SystemSettingSecretSessionName is the name of secret session.
+	SystemSettingSecretSessionName SystemSettingName = "secret-session"
+	// SystemSettingAllowSignUpName is the name of allow signup setting.
+	SystemSettingAllowSignUpName SystemSettingName = "allow-signup"
+	// SystemSettingDisablePasswordLoginName is the name of disable password login setting.
+	SystemSettingDisablePasswordLoginName SystemSettingName = "disable-password-login"
+	// SystemSettingDisablePublicMemosName is the name of disable public memos setting.
+	SystemSettingDisablePublicMemosName SystemSettingName = "disable-public-memos"
+	// SystemSettingMaxUploadSizeMiBName is the name of max upload size setting.
+	SystemSettingMaxUploadSizeMiBName SystemSettingName = "max-upload-size-mib"
+	// SystemSettingAdditionalStyleName is the name of additional style.
+	SystemSettingAdditionalStyleName SystemSettingName = "additional-style"
+	// SystemSettingAdditionalScriptName is the name of additional script.
+	SystemSettingAdditionalScriptName SystemSettingName = "additional-script"
+	// SystemSettingCustomizedProfileName is the name of customized server profile.
+	SystemSettingCustomizedProfileName SystemSettingName = "customized-profile"
+	// SystemSettingStorageServiceIDName is the name of storage service ID.
+	SystemSettingStorageServiceIDName SystemSettingName = "storage-service-id"
+	// SystemSettingLocalStoragePathName is the name of local storage path.
+	SystemSettingLocalStoragePathName SystemSettingName = "local-storage-path"
+	// SystemSettingTelegramBotTokenName is the name of Telegram Bot Token.
+	SystemSettingTelegramBotTokenName SystemSettingName = "telegram-bot-token"
+	// SystemSettingMemoDisplayWithUpdatedTsName is the name of memo display with updated ts.
+	SystemSettingMemoDisplayWithUpdatedTsName SystemSettingName = "memo-display-with-updated-ts"
+	// SystemSettingInstanceURLName is the name of instance url setting.
+	SystemSettingInstanceURLName SystemSettingName = "instance-url"
+)
+const systemSettingUnmarshalError = `failed to unmarshal value from system setting "%v"`
+
+// CustomizedProfile is the struct definition for SystemSettingCustomizedProfileName system setting item.
+type CustomizedProfile struct {
+	// Name is the server name, default is `memos`
+	Name string `json:"name"`
+	// LogoURL is the url of logo image.
+	LogoURL string `json:"logoUrl"`
+	// Description is the server description.
+	Description string `json:"description"`
+	// Locale is the server default locale.
+	Locale string `json:"locale"`
+	// Appearance is the server default appearance.
+	Appearance string `json:"appearance"`
+	// ExternalURL is the external url of server. e.g. https://usermemos.com
+	ExternalURL string `json:"externalUrl"`
+}
+
+func (key SystemSettingName) String() string {
+	return string(key)
+}
+
+type SystemSetting struct {
+	Name SystemSettingName `json:"name"`
+	// Value is a JSON string with basic value.
+	Value       string `json:"value"`
+	Description string `json:"description"`
+}
+
+type UpsertSystemSettingRequest struct {
+	Name        SystemSettingName `json:"name"`
+	Value       string            `json:"value"`
+	Description string            `json:"description"`
+}
+
+func (s *APIV1Service) registerSystemSettingRoutes(g *echo.Group) {
+	g.GET("/system/setting", s.GetSystemSettingList)
+	g.POST("/system/setting", s.CreateSystemSetting)
+}
+
+// GetSystemSettingList godoc
+//
+//	@Summary	Get a list of system settings
+//	@Tags		system-setting
+//	@Produce	json
+//	@Success	200	{object}	[]SystemSetting	"System setting list"
+//	@Failure	401	{object}	nil				"Missing user in session | Unauthorized"
+//	@Failure	500	{object}	nil				"Failed to find user | Failed to find system setting list"
+//	@Router		/api/v1/system/setting [GET]
+func (s *APIV1Service) GetSystemSettingList(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		ID: &userID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+	}
+	if user == nil || user.Role != store.RoleHost {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+	}
+
+	list, err := s.Store.ListWorkspaceSettings(ctx, &store.FindWorkspaceSetting{})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find system setting list").SetInternal(err)
+	}
+
+	systemSettingList := make([]*SystemSetting, 0, len(list))
+	for _, systemSetting := range list {
+		systemSettingList = append(systemSettingList, convertSystemSettingFromStore(systemSetting))
+	}
+	return c.JSON(http.StatusOK, systemSettingList)
+}
+
+// CreateSystemSetting godoc
+//
+//	@Summary	Create system setting
+//	@Tags		system-setting
+//	@Accept		json
+//	@Produce	json
+//	@Param		body	body		UpsertSystemSettingRequest	true	"Request object."
+//	@Success	200		{object}	store.SystemSetting			"Created system setting"
+//	@Failure	400		{object}	nil							"Malformatted post system setting request | invalid system setting"
+//	@Failure	401		{object}	nil							"Missing user in session | Unauthorized"
+//	@Failure	403		{object}	nil							"Cannot disable passwords if no SSO identity provider is configured."
+//	@Failure	500		{object}	nil							"Failed to find user | Failed to upsert system setting"
+//	@Router		/api/v1/system/setting [POST]
+func (s *APIV1Service) CreateSystemSetting(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		ID: &userID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+	}
+	if user == nil || user.Role != store.RoleHost {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+	}
+
+	systemSettingUpsert := &UpsertSystemSettingRequest{}
+	if err := json.NewDecoder(c.Request().Body).Decode(systemSettingUpsert); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post system setting request").SetInternal(err)
+	}
+	if err := systemSettingUpsert.Validate(); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "invalid system setting").SetInternal(err)
+	}
+	if s.Profile.Mode == "demo" {
+		switch systemSettingUpsert.Name {
+		case SystemSettingAdditionalStyleName:
+			return echo.NewHTTPError(http.StatusForbidden, "additional style is not allowed in demo mode")
+		case SystemSettingAdditionalScriptName:
+			return echo.NewHTTPError(http.StatusForbidden, "additional script is not allowed in demo mode")
+		case SystemSettingDisablePasswordLoginName:
+			return echo.NewHTTPError(http.StatusForbidden, "disabling password login is not allowed in demo mode")
+		}
+	}
+	if systemSettingUpsert.Name == SystemSettingDisablePasswordLoginName {
+		var disablePasswordLogin bool
+		if err := json.Unmarshal([]byte(systemSettingUpsert.Value), &disablePasswordLogin); err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, "invalid system setting").SetInternal(err)
+		}
+
+		identityProviderList, err := s.Store.ListIdentityProviders(ctx, &store.FindIdentityProvider{})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to upsert system setting").SetInternal(err)
+		}
+		if disablePasswordLogin && len(identityProviderList) == 0 {
+			return echo.NewHTTPError(http.StatusForbidden, "Cannot disable passwords if no SSO identity provider is configured.")
+		}
+	}
+
+	systemSetting, err := s.Store.UpsertWorkspaceSetting(ctx, &store.WorkspaceSetting{
+		Name:        systemSettingUpsert.Name.String(),
+		Value:       systemSettingUpsert.Value,
+		Description: systemSettingUpsert.Description,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to upsert system setting").SetInternal(err)
+	}
+	return c.JSON(http.StatusOK, convertSystemSettingFromStore(systemSetting))
+}
+
+func (upsert UpsertSystemSettingRequest) Validate() error {
+	switch settingName := upsert.Name; settingName {
+	case SystemSettingServerIDName:
+		return errors.Errorf("updating %v is not allowed", settingName)
+	case SystemSettingAllowSignUpName:
+		var value bool
+		if err := json.Unmarshal([]byte(upsert.Value), &value); err != nil {
+			return errors.Errorf(systemSettingUnmarshalError, settingName)
+		}
+	case SystemSettingDisablePasswordLoginName:
+		var value bool
+		if err := json.Unmarshal([]byte(upsert.Value), &value); err != nil {
+			return errors.Errorf(systemSettingUnmarshalError, settingName)
+		}
+	case SystemSettingDisablePublicMemosName:
+		var value bool
+		if err := json.Unmarshal([]byte(upsert.Value), &value); err != nil {
+			return errors.Errorf(systemSettingUnmarshalError, settingName)
+		}
+	case SystemSettingMaxUploadSizeMiBName:
+		var value int
+		if err := json.Unmarshal([]byte(upsert.Value), &value); err != nil {
+			return errors.Errorf(systemSettingUnmarshalError, settingName)
+		}
+	case SystemSettingAdditionalStyleName:
+		var value string
+		if err := json.Unmarshal([]byte(upsert.Value), &value); err != nil {
+			return errors.Errorf(systemSettingUnmarshalError, settingName)
+		}
+	case SystemSettingAdditionalScriptName:
+		var value string
+		if err := json.Unmarshal([]byte(upsert.Value), &value); err != nil {
+			return errors.Errorf(systemSettingUnmarshalError, settingName)
+		}
+	case SystemSettingCustomizedProfileName:
+		customizedProfile := CustomizedProfile{
+			Name:        "memos",
+			LogoURL:     "",
+			Description: "",
+			Locale:      "en",
+			Appearance:  "system",
+			ExternalURL: "",
+		}
+		if err := json.Unmarshal([]byte(upsert.Value), &customizedProfile); err != nil {
+			return errors.Errorf(systemSettingUnmarshalError, settingName)
+		}
+	case SystemSettingStorageServiceIDName:
+		// Note: 0 is the default value(database) for storage service ID.
+		value := 0
+		if err := json.Unmarshal([]byte(upsert.Value), &value); err != nil {
+			return errors.Errorf(systemSettingUnmarshalError, settingName)
+		}
+		return nil
+	case SystemSettingLocalStoragePathName:
+		value := ""
+		if err := json.Unmarshal([]byte(upsert.Value), &value); err != nil {
+			return errors.Errorf(systemSettingUnmarshalError, settingName)
+		}
+
+		trimmedValue := strings.TrimSpace(value)
+		switch {
+		case trimmedValue != value:
+			return errors.New("local storage path must not contain leading or trailing whitespace")
+		case trimmedValue == "":
+			return errors.New("local storage path can't be empty")
+		case strings.Contains(trimmedValue, "\\"):
+			return errors.New("local storage path must use forward slashes `/`")
+		case strings.Contains(trimmedValue, "../"):
+			return errors.New("local storage path is not allowed to contain `../`")
+		case strings.HasPrefix(trimmedValue, "./"):
+			return errors.New("local storage path is not allowed to start with `./`")
+		case filepath.IsAbs(trimmedValue) || trimmedValue[0] == '/':
+			return errors.New("local storage path must be a relative path")
+		case !strings.Contains(trimmedValue, "{filename}"):
+			return errors.New("local storage path must contain `{filename}`")
+		}
+	case SystemSettingTelegramBotTokenName:
+		if upsert.Value == "" {
+			return nil
+		}
+		// Bot Token with Reverse Proxy shoule like `http.../bot<token>`
+		if strings.HasPrefix(upsert.Value, "http") {
+			slashIndex := strings.LastIndexAny(upsert.Value, "/")
+			if strings.HasPrefix(upsert.Value[slashIndex:], "/bot") {
+				return nil
+			}
+			return errors.New("token start with `http` must end with `/bot<token>`")
+		}
+		fragments := strings.Split(upsert.Value, ":")
+		if len(fragments) != 2 {
+			return errors.Errorf(systemSettingUnmarshalError, settingName)
+		}
+	case SystemSettingMemoDisplayWithUpdatedTsName:
+		var value bool
+		if err := json.Unmarshal([]byte(upsert.Value), &value); err != nil {
+			return errors.Errorf(systemSettingUnmarshalError, settingName)
+		}
+	case SystemSettingInstanceURLName:
+	default:
+		return errors.New("invalid system setting name")
+	}
+	return nil
+}
+
+func convertSystemSettingFromStore(systemSetting *store.WorkspaceSetting) *SystemSetting {
+	return &SystemSetting{
+		Name:        SystemSettingName(systemSetting.Name),
+		Value:       systemSetting.Value,
+		Description: systemSetting.Description,
+	}
+}

api/v1/tag.go

@@ -0,0 +1,218 @@
+package v1
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"regexp"
+	"sort"
+
+	"github.com/labstack/echo/v4"
+	"golang.org/x/exp/slices"
+
+	"github.com/usememos/memos/store"
+)
+
+type Tag struct {
+	Name      string
+	CreatorID int32
+}
+
+type UpsertTagRequest struct {
+	Name string `json:"name"`
+}
+
+type DeleteTagRequest struct {
+	Name string `json:"name"`
+}
+
+func (s *APIV1Service) registerTagRoutes(g *echo.Group) {
+	g.GET("/tag", s.GetTagList)
+	g.POST("/tag", s.CreateTag)
+	g.GET("/tag/suggestion", s.GetTagSuggestion)
+	g.POST("/tag/delete", s.DeleteTag)
+}
+
+// GetTagList godoc
+//
+//	@Summary	Get a list of tags
+//	@Tags		tag
+//	@Produce	json
+//	@Success	200	{object}	[]string	"Tag list"
+//	@Failure	400	{object}	nil			"Missing user id to find tag"
+//	@Failure	500	{object}	nil			"Failed to find tag list"
+//	@Router		/api/v1/tag [GET]
+func (s *APIV1Service) GetTagList(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusBadRequest, "Missing user id to find tag")
+	}
+
+	list, err := s.Store.ListTags(ctx, &store.FindTag{
+		CreatorID: userID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find tag list").SetInternal(err)
+	}
+
+	tagNameList := []string{}
+	for _, tag := range list {
+		tagNameList = append(tagNameList, tag.Name)
+	}
+	return c.JSON(http.StatusOK, tagNameList)
+}
+
+// CreateTag godoc
+//
+//	@Summary	Create a tag
+//	@Tags		tag
+//	@Accept		json
+//	@Produce	json
+//	@Param		body	body		UpsertTagRequest	true	"Request object."
+//	@Success	200		{object}	string				"Created tag name"
+//	@Failure	400		{object}	nil					"Malformatted post tag request | Tag name shouldn't be empty"
+//	@Failure	401		{object}	nil					"Missing user in session"
+//	@Failure	500		{object}	nil					"Failed to upsert tag | Failed to create activity"
+//	@Router		/api/v1/tag [POST]
+func (s *APIV1Service) CreateTag(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+
+	tagUpsert := &UpsertTagRequest{}
+	if err := json.NewDecoder(c.Request().Body).Decode(tagUpsert); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post tag request").SetInternal(err)
+	}
+	if tagUpsert.Name == "" {
+		return echo.NewHTTPError(http.StatusBadRequest, "Tag name shouldn't be empty")
+	}
+
+	tag, err := s.Store.UpsertTag(ctx, &store.Tag{
+		Name:      tagUpsert.Name,
+		CreatorID: userID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to upsert tag").SetInternal(err)
+	}
+	tagMessage := convertTagFromStore(tag)
+	return c.JSON(http.StatusOK, tagMessage.Name)
+}
+
+// DeleteTag godoc
+//
+//	@Summary	Delete a tag
+//	@Tags		tag
+//	@Accept		json
+//	@Produce	json
+//	@Param		body	body		DeleteTagRequest	true	"Request object."
+//	@Success	200		{boolean}	true				"Tag deleted"
+//	@Failure	400		{object}	nil					"Malformatted post tag request | Tag name shouldn't be empty"
+//	@Failure	401		{object}	nil					"Missing user in session"
+//	@Failure	500		{object}	nil					"Failed to delete tag name: %v"
+//	@Router		/api/v1/tag/delete [POST]
+func (s *APIV1Service) DeleteTag(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+
+	tagDelete := &DeleteTagRequest{}
+	if err := json.NewDecoder(c.Request().Body).Decode(tagDelete); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post tag request").SetInternal(err)
+	}
+	if tagDelete.Name == "" {
+		return echo.NewHTTPError(http.StatusBadRequest, "Tag name shouldn't be empty")
+	}
+
+	err := s.Store.DeleteTag(ctx, &store.DeleteTag{
+		Name:      tagDelete.Name,
+		CreatorID: userID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to delete tag name: %v", tagDelete.Name)).SetInternal(err)
+	}
+	return c.JSON(http.StatusOK, true)
+}
+
+// GetTagSuggestion godoc
+//
+//	@Summary	Get a list of tags suggested from other memos contents
+//	@Tags		tag
+//	@Produce	json
+//	@Success	200	{object}	[]string	"Tag list"
+//	@Failure	400	{object}	nil			"Missing user session"
+//	@Failure	500	{object}	nil			"Failed to find memo list | Failed to find tag list"
+//	@Router		/api/v1/tag/suggestion [GET]
+func (s *APIV1Service) GetTagSuggestion(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusBadRequest, "Missing user session")
+	}
+	normalRowStatus := store.Normal
+	memoFind := &store.FindMemo{
+		CreatorID:     &userID,
+		ContentSearch: []string{"#"},
+		RowStatus:     &normalRowStatus,
+	}
+
+	memoMessageList, err := s.Store.ListMemos(ctx, memoFind)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find memo list").SetInternal(err)
+	}
+
+	list, err := s.Store.ListTags(ctx, &store.FindTag{
+		CreatorID: userID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find tag list").SetInternal(err)
+	}
+	tagNameList := []string{}
+	for _, tag := range list {
+		tagNameList = append(tagNameList, tag.Name)
+	}
+
+	tagMapSet := make(map[string]bool)
+	for _, memo := range memoMessageList {
+		for _, tag := range findTagListFromMemoContent(memo.Content) {
+			if !slices.Contains(tagNameList, tag) {
+				tagMapSet[tag] = true
+			}
+		}
+	}
+	tagList := []string{}
+	for tag := range tagMapSet {
+		tagList = append(tagList, tag)
+	}
+	sort.Strings(tagList)
+	return c.JSON(http.StatusOK, tagList)
+}
+
+func convertTagFromStore(tag *store.Tag) *Tag {
+	return &Tag{
+		Name:      tag.Name,
+		CreatorID: tag.CreatorID,
+	}
+}
+
+var tagRegexp = regexp.MustCompile(`#([^\s#,]+)`)
+
+func findTagListFromMemoContent(memoContent string) []string {
+	tagMapSet := make(map[string]bool)
+	matches := tagRegexp.FindAllStringSubmatch(memoContent, -1)
+	for _, v := range matches {
+		tagName := v[1]
+		tagMapSet[tagName] = true
+	}
+
+	tagList := []string{}
+	for tag := range tagMapSet {
+		tagList = append(tagList, tag)
+	}
+	sort.Strings(tagList)
+	return tagList
+}

api/v1/tag_test.go

@@ -1,4 +1,4 @@
-package server
+package v1
 
 import (
 	"testing"

api/v1/user.go

@@ -0,0 +1,501 @@
+package v1
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/labstack/echo/v4"
+	"github.com/pkg/errors"
+	"golang.org/x/crypto/bcrypt"
+
+	"github.com/usememos/memos/internal/util"
+	"github.com/usememos/memos/server/service/metric"
+	"github.com/usememos/memos/store"
+)
+
+// Role is the type of a role.
+type Role string
+
+const (
+	// RoleHost is the HOST role.
+	RoleHost Role = "HOST"
+	// RoleAdmin is the ADMIN role.
+	RoleAdmin Role = "ADMIN"
+	// RoleUser is the USER role.
+	RoleUser Role = "USER"
+)
+
+func (role Role) String() string {
+	return string(role)
+}
+
+type User struct {
+	ID int32 `json:"id"`
+
+	// Standard fields
+	RowStatus RowStatus `json:"rowStatus"`
+	CreatedTs int64     `json:"createdTs"`
+	UpdatedTs int64     `json:"updatedTs"`
+
+	// Domain specific fields
+	Username     string `json:"username"`
+	Role         Role   `json:"role"`
+	Email        string `json:"email"`
+	Nickname     string `json:"nickname"`
+	PasswordHash string `json:"-"`
+	AvatarURL    string `json:"avatarUrl"`
+}
+
+type CreateUserRequest struct {
+	Username string `json:"username"`
+	Role     Role   `json:"role"`
+	Email    string `json:"email"`
+	Nickname string `json:"nickname"`
+	Password string `json:"password"`
+}
+
+type UpdateUserRequest struct {
+	RowStatus *RowStatus `json:"rowStatus"`
+	Username  *string    `json:"username"`
+	Email     *string    `json:"email"`
+	Nickname  *string    `json:"nickname"`
+	Password  *string    `json:"password"`
+	AvatarURL *string    `json:"avatarUrl"`
+}
+
+func (s *APIV1Service) registerUserRoutes(g *echo.Group) {
+	g.GET("/user", s.GetUserList)
+	g.POST("/user", s.CreateUser)
+	g.GET("/user/me", s.GetCurrentUser)
+	// NOTE: This should be moved to /api/v2/user/:username
+	g.GET("/user/name/:username", s.GetUserByUsername)
+	g.GET("/user/:id", s.GetUserByID)
+	g.PATCH("/user/:id", s.UpdateUser)
+	g.DELETE("/user/:id", s.DeleteUser)
+}
+
+// GetUserList godoc
+//
+//	@Summary	Get a list of users
+//	@Tags		user
+//	@Produce	json
+//	@Success	200	{object}	[]store.User	"User list"
+//	@Failure	500	{object}	nil				"Failed to fetch user list"
+//	@Router		/api/v1/user [GET]
+func (s *APIV1Service) GetUserList(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing auth session")
+	}
+	currentUser, err := s.Store.GetUser(ctx, &store.FindUser{
+		ID: &userID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user by id").SetInternal(err)
+	}
+	if currentUser == nil {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing auth session")
+	}
+	if currentUser.Role != store.RoleHost && currentUser.Role != store.RoleAdmin {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized to list users")
+	}
+
+	list, err := s.Store.ListUsers(ctx, &store.FindUser{})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to fetch user list").SetInternal(err)
+	}
+
+	userMessageList := make([]*User, 0, len(list))
+	for _, user := range list {
+		userMessage := convertUserFromStore(user)
+		// data desensitize
+		userMessage.Email = ""
+		userMessageList = append(userMessageList, userMessage)
+	}
+	return c.JSON(http.StatusOK, userMessageList)
+}
+
+// CreateUser godoc
+//
+//	@Summary	Create a user
+//	@Tags		user
+//	@Accept		json
+//	@Produce	json
+//	@Param		body	body		CreateUserRequest	true	"Request object"
+//	@Success	200		{object}	store.User			"Created user"
+//	@Failure	400		{object}	nil					"Malformatted post user request | Invalid user create format"
+//	@Failure	401		{object}	nil					"Missing auth session | Unauthorized to create user"
+//	@Failure	403		{object}	nil					"Could not create host user"
+//	@Failure	500		{object}	nil					"Failed to find user by id | Failed to generate password hash | Failed to create user | Failed to create activity"
+//	@Router		/api/v1/user [POST]
+func (s *APIV1Service) CreateUser(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing auth session")
+	}
+	currentUser, err := s.Store.GetUser(ctx, &store.FindUser{
+		ID: &userID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user by id").SetInternal(err)
+	}
+	if currentUser == nil {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing auth session")
+	}
+	if currentUser.Role != store.RoleHost {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized to create user")
+	}
+
+	userCreate := &CreateUserRequest{}
+	if err := json.NewDecoder(c.Request().Body).Decode(userCreate); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post user request").SetInternal(err)
+	}
+	if err := userCreate.Validate(); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Invalid user create format").SetInternal(err)
+	}
+	if !util.ResourceNameMatcher.MatchString(strings.ToLower(userCreate.Username)) {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("Invalid username %s", userCreate.Username)).SetInternal(err)
+	}
+	// Disallow host user to be created.
+	if userCreate.Role == RoleHost {
+		return echo.NewHTTPError(http.StatusForbidden, "Could not create host user")
+	}
+
+	passwordHash, err := bcrypt.GenerateFromPassword([]byte(userCreate.Password), bcrypt.DefaultCost)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to generate password hash").SetInternal(err)
+	}
+
+	user, err := s.Store.CreateUser(ctx, &store.User{
+		Username:     userCreate.Username,
+		Role:         store.Role(userCreate.Role),
+		Email:        userCreate.Email,
+		Nickname:     userCreate.Nickname,
+		PasswordHash: string(passwordHash),
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create user").SetInternal(err)
+	}
+
+	userMessage := convertUserFromStore(user)
+	metric.Enqueue("user create")
+	return c.JSON(http.StatusOK, userMessage)
+}
+
+// GetCurrentUser godoc
+//
+//	@Summary	Get current user
+//	@Tags		user
+//	@Produce	json
+//	@Success	200	{object}	store.User	"Current user"
+//	@Failure	401	{object}	nil			"Missing auth session"
+//	@Failure	500	{object}	nil			"Failed to find user | Failed to find userSettingList"
+//	@Router		/api/v1/user/me [GET]
+func (s *APIV1Service) GetCurrentUser(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing auth session")
+	}
+
+	user, err := s.Store.GetUser(ctx, &store.FindUser{ID: &userID})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+	}
+	if user == nil {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing auth session")
+	}
+
+	userMessage := convertUserFromStore(user)
+	return c.JSON(http.StatusOK, userMessage)
+}
+
+// GetUserByUsername godoc
+//
+//	@Summary	Get user by username
+//	@Tags		user
+//	@Produce	json
+//	@Param		username	path		string		true	"Username"
+//	@Success	200			{object}	store.User	"Requested user"
+//	@Failure	404			{object}	nil			"User not found"
+//	@Failure	500			{object}	nil			"Failed to find user"
+//	@Router		/api/v1/user/name/{username} [GET]
+func (s *APIV1Service) GetUserByUsername(c echo.Context) error {
+	ctx := c.Request().Context()
+	username := c.Param("username")
+	user, err := s.Store.GetUser(ctx, &store.FindUser{Username: &username})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+	}
+	if user == nil {
+		return echo.NewHTTPError(http.StatusNotFound, "User not found")
+	}
+
+	userMessage := convertUserFromStore(user)
+	// data desensitize
+	userMessage.Email = ""
+	return c.JSON(http.StatusOK, userMessage)
+}
+
+// GetUserByID godoc
+//
+//	@Summary	Get user by id
+//	@Tags		user
+//	@Produce	json
+//	@Param		id	path		int			true	"User ID"
+//	@Success	200	{object}	store.User	"Requested user"
+//	@Failure	400	{object}	nil			"Malformatted user id"
+//	@Failure	404	{object}	nil			"User not found"
+//	@Failure	500	{object}	nil			"Failed to find user"
+//	@Router		/api/v1/user/{id} [GET]
+func (s *APIV1Service) GetUserByID(c echo.Context) error {
+	ctx := c.Request().Context()
+	id, err := util.ConvertStringToInt32(c.Param("id"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Malformatted user id").SetInternal(err)
+	}
+
+	user, err := s.Store.GetUser(ctx, &store.FindUser{ID: &id})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+	}
+	if user == nil {
+		return echo.NewHTTPError(http.StatusNotFound, "User not found")
+	}
+
+	userMessage := convertUserFromStore(user)
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok || userID != user.ID {
+		// Data desensitize.
+		userMessage.Email = ""
+	}
+
+	return c.JSON(http.StatusOK, userMessage)
+}
+
+// DeleteUser godoc
+//
+//	@Summary	Delete a user
+//	@Tags		user
+//	@Produce	json
+//	@Param		id	path		string	true	"User ID"
+//	@Success	200	{boolean}	true	"User deleted"
+//	@Failure	400	{object}	nil		"ID is not a number: %s | Current session user not found with ID: %d"
+//	@Failure	401	{object}	nil		"Missing user in session"
+//	@Failure	403	{object}	nil		"Unauthorized to delete user"
+//	@Failure	500	{object}	nil		"Failed to find user | Failed to delete user"
+//	@Router		/api/v1/user/{id} [DELETE]
+func (s *APIV1Service) DeleteUser(c echo.Context) error {
+	ctx := c.Request().Context()
+	currentUserID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+	currentUser, err := s.Store.GetUser(ctx, &store.FindUser{
+		ID: &currentUserID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+	}
+	if currentUser == nil {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("Current session user not found with ID: %d", currentUserID)).SetInternal(err)
+	} else if currentUser.Role != store.RoleHost {
+		return echo.NewHTTPError(http.StatusForbidden, "Unauthorized to delete user").SetInternal(err)
+	}
+
+	userID, err := util.ConvertStringToInt32(c.Param("id"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("id"))).SetInternal(err)
+	}
+	if currentUserID == userID {
+		return echo.NewHTTPError(http.StatusBadRequest, "Cannot delete current user")
+	}
+
+	findUser, err := s.Store.GetUser(ctx, &store.FindUser{ID: &userID})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+	}
+	if s.Profile.Mode == "demo" && findUser.Username == "memos-demo" {
+		return echo.NewHTTPError(http.StatusForbidden, "Unauthorized to delete this user in demo mode")
+	}
+
+	if err := s.Store.DeleteUser(ctx, &store.DeleteUser{
+		ID: userID,
+	}); err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to delete user").SetInternal(err)
+	}
+	return c.JSON(http.StatusOK, true)
+}
+
+// UpdateUser godoc
+//
+//	@Summary	Update a user
+//	@Tags		user
+//	@Produce	json
+//	@Param		id		path		string				true	"User ID"
+//	@Param		patch	body		UpdateUserRequest	true	"Patch request"
+//	@Success	200		{object}	store.User			"Updated user"
+//	@Failure	400		{object}	nil					"ID is not a number: %s | Current session user not found with ID: %d | Malformatted patch user request | Invalid update user request"
+//	@Failure	401		{object}	nil					"Missing user in session"
+//	@Failure	403		{object}	nil					"Unauthorized to update user"
+//	@Failure	500		{object}	nil					"Failed to find user | Failed to generate password hash | Failed to patch user | Failed to find userSettingList"
+//	@Router		/api/v1/user/{id} [PATCH]
+func (s *APIV1Service) UpdateUser(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, err := util.ConvertStringToInt32(c.Param("id"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("id"))).SetInternal(err)
+	}
+
+	currentUserID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+	currentUser, err := s.Store.GetUser(ctx, &store.FindUser{ID: &currentUserID})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+	}
+	if currentUser == nil {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("Current session user not found with ID: %d", currentUserID)).SetInternal(err)
+	} else if currentUser.Role != store.RoleHost && currentUserID != userID {
+		return echo.NewHTTPError(http.StatusForbidden, "Unauthorized to update user").SetInternal(err)
+	}
+
+	request := &UpdateUserRequest{}
+	if err := json.NewDecoder(c.Request().Body).Decode(request); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Malformatted patch user request").SetInternal(err)
+	}
+	if err := request.Validate(); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Invalid update user request").SetInternal(err)
+	}
+
+	if s.Profile.Mode == "demo" && *request.Username == "memos-demo" {
+		return echo.NewHTTPError(http.StatusForbidden, "Unauthorized to update user in demo mode")
+	}
+
+	currentTs := time.Now().Unix()
+	userUpdate := &store.UpdateUser{
+		ID:        userID,
+		UpdatedTs: &currentTs,
+	}
+	if request.RowStatus != nil {
+		rowStatus := store.RowStatus(request.RowStatus.String())
+		userUpdate.RowStatus = &rowStatus
+		if rowStatus == store.Archived && currentUserID == userID {
+			return echo.NewHTTPError(http.StatusBadRequest, "Cannot archive current user")
+		}
+	}
+	if request.Username != nil {
+		if !util.ResourceNameMatcher.MatchString(strings.ToLower(*request.Username)) {
+			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("Invalid username %s", *request.Username)).SetInternal(err)
+		}
+		userUpdate.Username = request.Username
+	}
+	if request.Email != nil {
+		userUpdate.Email = request.Email
+	}
+	if request.Nickname != nil {
+		userUpdate.Nickname = request.Nickname
+	}
+	if request.Password != nil {
+		passwordHash, err := bcrypt.GenerateFromPassword([]byte(*request.Password), bcrypt.DefaultCost)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to generate password hash").SetInternal(err)
+		}
+
+		passwordHashStr := string(passwordHash)
+		userUpdate.PasswordHash = &passwordHashStr
+	}
+	if request.AvatarURL != nil {
+		userUpdate.AvatarURL = request.AvatarURL
+	}
+
+	user, err := s.Store.UpdateUser(ctx, userUpdate)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to patch user").SetInternal(err)
+	}
+
+	userMessage := convertUserFromStore(user)
+	return c.JSON(http.StatusOK, userMessage)
+}
+
+func (create CreateUserRequest) Validate() error {
+	if len(create.Username) < 3 {
+		return errors.New("username is too short, minimum length is 3")
+	}
+	if len(create.Username) > 32 {
+		return errors.New("username is too long, maximum length is 32")
+	}
+	if len(create.Password) < 3 {
+		return errors.New("password is too short, minimum length is 3")
+	}
+	if len(create.Password) > 512 {
+		return errors.New("password is too long, maximum length is 512")
+	}
+	if len(create.Nickname) > 64 {
+		return errors.New("nickname is too long, maximum length is 64")
+	}
+	if create.Email != "" {
+		if len(create.Email) > 256 {
+			return errors.New("email is too long, maximum length is 256")
+		}
+		if !util.ValidateEmail(create.Email) {
+			return errors.New("invalid email format")
+		}
+	}
+
+	return nil
+}
+
+func (update UpdateUserRequest) Validate() error {
+	if update.Username != nil && len(*update.Username) < 3 {
+		return errors.New("username is too short, minimum length is 3")
+	}
+	if update.Username != nil && len(*update.Username) > 32 {
+		return errors.New("username is too long, maximum length is 32")
+	}
+	if update.Password != nil && len(*update.Password) < 3 {
+		return errors.New("password is too short, minimum length is 3")
+	}
+	if update.Password != nil && len(*update.Password) > 512 {
+		return errors.New("password is too long, maximum length is 512")
+	}
+	if update.Nickname != nil && len(*update.Nickname) > 64 {
+		return errors.New("nickname is too long, maximum length is 64")
+	}
+	if update.AvatarURL != nil {
+		if len(*update.AvatarURL) > 2<<20 {
+			return errors.New("avatar is too large, maximum is 2MB")
+		}
+	}
+	if update.Email != nil && *update.Email != "" {
+		if len(*update.Email) > 256 {
+			return errors.New("email is too long, maximum length is 256")
+		}
+		if !util.ValidateEmail(*update.Email) {
+			return errors.New("invalid email format")
+		}
+	}
+
+	return nil
+}
+
+func convertUserFromStore(user *store.User) *User {
+	return &User{
+		ID:           user.ID,
+		RowStatus:    RowStatus(user.RowStatus),
+		CreatedTs:    user.CreatedTs,
+		UpdatedTs:    user.UpdatedTs,
+		Username:     user.Username,
+		Role:         Role(user.Role),
+		Email:        user.Email,
+		Nickname:     user.Nickname,
+		PasswordHash: user.PasswordHash,
+		AvatarURL:    user.AvatarURL,
+	}
+}

api/v1/v1.go

@@ -0,0 +1,95 @@
+package v1
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/labstack/echo/v4"
+	"github.com/labstack/echo/v4/middleware"
+
+	"github.com/usememos/memos/api/resource"
+	"github.com/usememos/memos/api/rss"
+	"github.com/usememos/memos/plugin/telegram"
+	"github.com/usememos/memos/server/profile"
+	"github.com/usememos/memos/store"
+)
+
+type APIV1Service struct {
+	Secret      string
+	Profile     *profile.Profile
+	Store       *store.Store
+	telegramBot *telegram.Bot
+}
+
+// @title						memos API
+// @version					1.0
+// @description				A privacy-first, lightweight note-taking service.
+//
+// @contact.name				API Support
+// @contact.url				https://github.com/orgs/usememos/discussions
+//
+// @license.name				MIT License
+// @license.url				https://github.com/usememos/memos/blob/main/LICENSE
+//
+// @BasePath					/
+//
+// @externalDocs.url			https://usememos.com/
+// @externalDocs.description	Find out more about Memos.
+func NewAPIV1Service(secret string, profile *profile.Profile, store *store.Store, telegramBot *telegram.Bot) *APIV1Service {
+	return &APIV1Service{
+		Secret:      secret,
+		Profile:     profile,
+		Store:       store,
+		telegramBot: telegramBot,
+	}
+}
+
+func (s *APIV1Service) Register(rootGroup *echo.Group) {
+	// Register API v1 routes.
+	apiV1Group := rootGroup.Group("/api/v1")
+	apiV1Group.Use(middleware.RateLimiterWithConfig(middleware.RateLimiterConfig{
+		Store: middleware.NewRateLimiterMemoryStoreWithConfig(
+			middleware.RateLimiterMemoryStoreConfig{Rate: 30, Burst: 100, ExpiresIn: 3 * time.Minute},
+		),
+		IdentifierExtractor: func(ctx echo.Context) (string, error) {
+			id := ctx.RealIP()
+			return id, nil
+		},
+		ErrorHandler: func(context echo.Context, err error) error {
+			return context.JSON(http.StatusForbidden, nil)
+		},
+		DenyHandler: func(context echo.Context, identifier string, err error) error {
+			return context.JSON(http.StatusTooManyRequests, nil)
+		},
+	}))
+	apiV1Group.Use(func(next echo.HandlerFunc) echo.HandlerFunc {
+		return JWTMiddleware(s, next, s.Secret)
+	})
+	s.registerSystemRoutes(apiV1Group)
+	s.registerSystemSettingRoutes(apiV1Group)
+	s.registerAuthRoutes(apiV1Group)
+	s.registerIdentityProviderRoutes(apiV1Group)
+	s.registerUserRoutes(apiV1Group)
+	s.registerTagRoutes(apiV1Group)
+	s.registerStorageRoutes(apiV1Group)
+	s.registerResourceRoutes(apiV1Group)
+	s.registerMemoRoutes(apiV1Group)
+	s.registerMemoOrganizerRoutes(apiV1Group)
+	s.registerMemoRelationRoutes(apiV1Group)
+
+	// Register public routes.
+	publicGroup := rootGroup.Group("/o")
+	publicGroup.Use(func(next echo.HandlerFunc) echo.HandlerFunc {
+		return JWTMiddleware(s, next, s.Secret)
+	})
+	s.registerGetterPublicRoutes(publicGroup)
+
+	// Create and register resource public routes.
+	resource.NewResourceService(s.Profile, s.Store).RegisterRoutes(publicGroup)
+
+	// Create and register rss public routes.
+	rss.NewRSSService(s.Profile, s.Store).RegisterRoutes(rootGroup)
+
+	// programmatically set API version same as the server version
+	SwaggerInfo.Version = s.Profile.Version
+}

api/v2/acl.go

@@ -0,0 +1,235 @@
+package v2
+
+import (
+	"context"
+	"net/http"
+	"strings"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/pkg/errors"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/metadata"
+	"google.golang.org/grpc/status"
+
+	"github.com/usememos/memos/api/auth"
+	"github.com/usememos/memos/internal/util"
+	storepb "github.com/usememos/memos/proto/gen/store"
+	"github.com/usememos/memos/store"
+)
+
+// ContextKey is the key type of context value.
+type ContextKey int
+
+const (
+	// The key name used to store username in the context
+	// user id is extracted from the jwt token subject field.
+	usernameContextKey ContextKey = iota
+)
+
+// Used to set modified context of ServerStream.
+type WrappedStream struct {
+	ctx    context.Context
+	stream grpc.ServerStream
+}
+
+func (w *WrappedStream) RecvMsg(m any) error {
+	return w.stream.RecvMsg(m)
+}
+
+func (w *WrappedStream) SendMsg(m any) error {
+	return w.stream.SendMsg(m)
+}
+
+func (w *WrappedStream) SendHeader(md metadata.MD) error {
+	return w.stream.SendHeader(md)
+}
+
+func (w *WrappedStream) SetHeader(md metadata.MD) error {
+	return w.stream.SetHeader(md)
+}
+
+func (w *WrappedStream) SetTrailer(md metadata.MD) {
+	w.stream.SetTrailer(md)
+}
+
+func (w *WrappedStream) Context() context.Context {
+	return w.ctx
+}
+
+func newWrappedStream(ctx context.Context, stream grpc.ServerStream) grpc.ServerStream {
+	return &WrappedStream{ctx, stream}
+}
+
+// GRPCAuthInterceptor is the auth interceptor for gRPC server.
+type GRPCAuthInterceptor struct {
+	Store  *store.Store
+	secret string
+}
+
+// NewGRPCAuthInterceptor returns a new API auth interceptor.
+func NewGRPCAuthInterceptor(store *store.Store, secret string) *GRPCAuthInterceptor {
+	return &GRPCAuthInterceptor{
+		Store:  store,
+		secret: secret,
+	}
+}
+
+// AuthenticationInterceptor is the unary interceptor for gRPC API.
+func (in *GRPCAuthInterceptor) AuthenticationInterceptor(ctx context.Context, request any, serverInfo *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
+	md, ok := metadata.FromIncomingContext(ctx)
+	if !ok {
+		return nil, status.Errorf(codes.Unauthenticated, "failed to parse metadata from incoming context")
+	}
+	accessToken, err := getTokenFromMetadata(md)
+	if err != nil {
+		return nil, status.Errorf(codes.Unauthenticated, err.Error())
+	}
+
+	username, err := in.authenticate(ctx, accessToken)
+	if err != nil {
+		if isUnauthorizeAllowedMethod(serverInfo.FullMethod) {
+			return handler(ctx, request)
+		}
+		return nil, err
+	}
+	user, err := in.Store.GetUser(ctx, &store.FindUser{
+		Username: &username,
+	})
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to get user")
+	}
+	if user == nil {
+		return nil, errors.Errorf("user %q not exists", username)
+	}
+	if user.RowStatus == store.Archived {
+		return nil, errors.Errorf("user %q is archived", username)
+	}
+	if isOnlyForAdminAllowedMethod(serverInfo.FullMethod) && user.Role != store.RoleHost && user.Role != store.RoleAdmin {
+		return nil, errors.Errorf("user %q is not admin", username)
+	}
+
+	// Stores userID into context.
+	childCtx := context.WithValue(ctx, usernameContextKey, username)
+	return handler(childCtx, request)
+}
+
+func (in *GRPCAuthInterceptor) StreamAuthenticationInterceptor(srv any, stream grpc.ServerStream, serverInfo *grpc.StreamServerInfo, handler grpc.StreamHandler) error {
+	md, ok := metadata.FromIncomingContext(stream.Context())
+	if !ok {
+		return status.Errorf(codes.Unauthenticated, "failed to parse metadata from incoming context")
+	}
+	accessToken, err := getTokenFromMetadata(md)
+	if err != nil {
+		return status.Errorf(codes.Unauthenticated, err.Error())
+	}
+
+	username, err := in.authenticate(stream.Context(), accessToken)
+	if err != nil {
+		if isUnauthorizeAllowedMethod(serverInfo.FullMethod) {
+			return handler(stream.Context(), stream)
+		}
+		return err
+	}
+	user, err := in.Store.GetUser(stream.Context(), &store.FindUser{
+		Username: &username,
+	})
+	if err != nil {
+		return errors.Wrap(err, "failed to get user")
+	}
+	if user == nil {
+		return errors.Errorf("user %q not exists", username)
+	}
+	if user.RowStatus == store.Archived {
+		return errors.Errorf("user %q is archived", username)
+	}
+	if isOnlyForAdminAllowedMethod(serverInfo.FullMethod) && user.Role != store.RoleHost && user.Role != store.RoleAdmin {
+		return errors.Errorf("user %q is not admin", username)
+	}
+
+	// Stores userID into context.
+	childCtx := context.WithValue(stream.Context(), usernameContextKey, username)
+
+	return handler(srv, newWrappedStream(childCtx, stream))
+}
+
+func (in *GRPCAuthInterceptor) authenticate(ctx context.Context, accessToken string) (string, error) {
+	if accessToken == "" {
+		return "", status.Errorf(codes.Unauthenticated, "access token not found")
+	}
+	claims := &auth.ClaimsMessage{}
+	_, err := jwt.ParseWithClaims(accessToken, claims, func(t *jwt.Token) (any, error) {
+		if t.Method.Alg() != jwt.SigningMethodHS256.Name {
+			return nil, status.Errorf(codes.Unauthenticated, "unexpected access token signing method=%v, expect %v", t.Header["alg"], jwt.SigningMethodHS256)
+		}
+		if kid, ok := t.Header["kid"].(string); ok {
+			if kid == "v1" {
+				return []byte(in.secret), nil
+			}
+		}
+		return nil, status.Errorf(codes.Unauthenticated, "unexpected access token kid=%v", t.Header["kid"])
+	})
+	if err != nil {
+		return "", status.Errorf(codes.Unauthenticated, "Invalid or expired access token")
+	}
+
+	// We either have a valid access token or we will attempt to generate new access token.
+	userID, err := util.ConvertStringToInt32(claims.Subject)
+	if err != nil {
+		return "", errors.Wrap(err, "malformed ID in the token")
+	}
+	user, err := in.Store.GetUser(ctx, &store.FindUser{
+		ID: &userID,
+	})
+	if err != nil {
+		return "", errors.Wrap(err, "failed to get user")
+	}
+	if user == nil {
+		return "", errors.Errorf("user %q not exists", userID)
+	}
+	if user.RowStatus == store.Archived {
+		return "", errors.Errorf("user %q is archived", userID)
+	}
+
+	accessTokens, err := in.Store.GetUserAccessTokens(ctx, user.ID)
+	if err != nil {
+		return "", errors.Wrapf(err, "failed to get user access tokens")
+	}
+	if !validateAccessToken(accessToken, accessTokens) {
+		return "", status.Errorf(codes.Unauthenticated, "invalid access token")
+	}
+
+	return user.Username, nil
+}
+
+func getTokenFromMetadata(md metadata.MD) (string, error) {
+	// Check the HTTP request header first.
+	authorizationHeaders := md.Get("Authorization")
+	if len(md.Get("Authorization")) > 0 {
+		authHeaderParts := strings.Fields(authorizationHeaders[0])
+		if len(authHeaderParts) != 2 || strings.ToLower(authHeaderParts[0]) != "bearer" {
+			return "", errors.New("authorization header format must be Bearer {token}")
+		}
+		return authHeaderParts[1], nil
+	}
+	// Check the cookie header.
+	var accessToken string
+	for _, t := range append(md.Get("grpcgateway-cookie"), md.Get("cookie")...) {
+		header := http.Header{}
+		header.Add("Cookie", t)
+		request := http.Request{Header: header}
+		if v, _ := request.Cookie(auth.AccessTokenCookieName); v != nil {
+			accessToken = v.Value
+		}
+	}
+	return accessToken, nil
+}
+
+func validateAccessToken(accessTokenString string, userAccessTokens []*storepb.AccessTokensUserSetting_AccessToken) bool {
+	for _, userAccessToken := range userAccessTokens {
+		if accessTokenString == userAccessToken.AccessToken {
+			return true
+		}
+	}
+	return false
+}

api/v2/acl_config.go

@@ -0,0 +1,36 @@
+package v2
+
+import "strings"
+
+var authenticationAllowlistMethods = map[string]bool{
+	"/memos.api.v2.WorkspaceService/GetWorkspaceProfile": true,
+	"/memos.api.v2.AuthService/GetAuthStatus":            true,
+	"/memos.api.v2.AuthService/SignIn":                   true,
+	"/memos.api.v2.AuthService/SignInWithSSO":            true,
+	"/memos.api.v2.AuthService/SignOut":                  true,
+	"/memos.api.v2.AuthService/SignUp":                   true,
+	"/memos.api.v2.UserService/GetUser":                  true,
+	"/memos.api.v2.MemoService/ListMemos":                true,
+	"/memos.api.v2.MemoService/GetMemo":                  true,
+	"/memos.api.v2.MemoService/GetMemoByName":            true,
+	"/memos.api.v2.MemoService/ListMemoResources":        true,
+	"/memos.api.v2.MemoService/ListMemoRelations":        true,
+	"/memos.api.v2.MemoService/ListMemoComments":         true,
+}
+
+// isUnauthorizeAllowedMethod returns whether the method is exempted from authentication.
+func isUnauthorizeAllowedMethod(fullMethodName string) bool {
+	if strings.HasPrefix(fullMethodName, "/grpc.reflection") {
+		return true
+	}
+	return authenticationAllowlistMethods[fullMethodName]
+}
+
+var allowedMethodsOnlyForAdmin = map[string]bool{
+	"/memos.api.v2.UserService/CreateUser": true,
+}
+
+// isOnlyForAdminAllowedMethod returns true if the method is allowed to be called only by admin.
+func isOnlyForAdminAllowedMethod(methodName string) bool {
+	return allowedMethodsOnlyForAdmin[methodName]
+}

api/v2/activity_service.go

@@ -0,0 +1,58 @@
+package v2
+
+import (
+	"context"
+	"time"
+
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	apiv2pb "github.com/usememos/memos/proto/gen/api/v2"
+	storepb "github.com/usememos/memos/proto/gen/store"
+	"github.com/usememos/memos/store"
+)
+
+func (s *APIV2Service) GetActivity(ctx context.Context, request *apiv2pb.GetActivityRequest) (*apiv2pb.GetActivityResponse, error) {
+	activity, err := s.Store.GetActivity(ctx, &store.FindActivity{
+		ID: &request.Id,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get activity: %v", err)
+	}
+
+	activityMessage, err := s.convertActivityFromStore(ctx, activity)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to convert activity from store: %v", err)
+	}
+	return &apiv2pb.GetActivityResponse{
+		Activity: activityMessage,
+	}, nil
+}
+
+func (*APIV2Service) convertActivityFromStore(_ context.Context, activity *store.Activity) (*apiv2pb.Activity, error) {
+	return &apiv2pb.Activity{
+		Id:         activity.ID,
+		CreatorId:  activity.CreatorID,
+		Type:       activity.Type.String(),
+		Level:      activity.Level.String(),
+		CreateTime: timestamppb.New(time.Unix(activity.CreatedTs, 0)),
+		Payload:    convertActivityPayloadFromStore(activity.Payload),
+	}, nil
+}
+
+func convertActivityPayloadFromStore(payload *storepb.ActivityPayload) *apiv2pb.ActivityPayload {
+	v2Payload := &apiv2pb.ActivityPayload{}
+	if payload.MemoComment != nil {
+		v2Payload.MemoComment = &apiv2pb.ActivityMemoCommentPayload{
+			MemoId:        payload.MemoComment.MemoId,
+			RelatedMemoId: payload.MemoComment.RelatedMemoId,
+		}
+	}
+	if payload.VersionUpdate != nil {
+		v2Payload.VersionUpdate = &apiv2pb.ActivityVersionUpdatePayload{
+			Version: payload.VersionUpdate.Version,
+		}
+	}
+	return v2Payload
+}

api/v2/auth_service.go

@@ -0,0 +1,255 @@
+package v2
+
+import (
+	"context"
+	"fmt"
+	"regexp"
+	"time"
+
+	"github.com/pkg/errors"
+	"golang.org/x/crypto/bcrypt"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/metadata"
+	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/proto"
+
+	"github.com/usememos/memos/api/auth"
+	"github.com/usememos/memos/internal/util"
+	"github.com/usememos/memos/plugin/idp"
+	"github.com/usememos/memos/plugin/idp/oauth2"
+	apiv2pb "github.com/usememos/memos/proto/gen/api/v2"
+	storepb "github.com/usememos/memos/proto/gen/store"
+	"github.com/usememos/memos/server/service/metric"
+	"github.com/usememos/memos/store"
+)
+
+func (s *APIV2Service) GetAuthStatus(ctx context.Context, _ *apiv2pb.GetAuthStatusRequest) (*apiv2pb.GetAuthStatusResponse, error) {
+	user, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Unauthenticated, "failed to get current user: %v", err)
+	}
+	if user == nil {
+		// Set the cookie header to expire access token.
+		if err := clearAccessTokenCookie(ctx); err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to set grpc header")
+		}
+		return nil, status.Errorf(codes.Unauthenticated, "user not found")
+	}
+	return &apiv2pb.GetAuthStatusResponse{
+		User: convertUserFromStore(user),
+	}, nil
+}
+
+func (s *APIV2Service) SignIn(ctx context.Context, request *apiv2pb.SignInRequest) (*apiv2pb.SignInResponse, error) {
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		Username: &request.Username,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to find user by username %s", request.Username))
+	}
+	if user == nil {
+		return nil, status.Errorf(codes.InvalidArgument, fmt.Sprintf("user not found with username %s", request.Username))
+	} else if user.RowStatus == store.Archived {
+		return nil, status.Errorf(codes.PermissionDenied, fmt.Sprintf("user has been archived with username %s", request.Username))
+	}
+
+	// Compare the stored hashed password, with the hashed version of the password that was received.
+	if err := bcrypt.CompareHashAndPassword([]byte(user.PasswordHash), []byte(request.Password)); err != nil {
+		return nil, status.Errorf(codes.InvalidArgument, "unmatched email and password")
+	}
+
+	expireTime := time.Now().Add(auth.AccessTokenDuration)
+	if request.NeverExpire {
+		// Zero time means never expire.
+		expireTime = time.Time{}
+	}
+	if err := s.doSignIn(ctx, user, expireTime); err != nil {
+		return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to sign in, err: %s", err))
+	}
+	return &apiv2pb.SignInResponse{
+		User: convertUserFromStore(user),
+	}, nil
+}
+
+func (s *APIV2Service) SignInWithSSO(ctx context.Context, request *apiv2pb.SignInWithSSORequest) (*apiv2pb.SignInWithSSOResponse, error) {
+	identityProvider, err := s.Store.GetIdentityProvider(ctx, &store.FindIdentityProvider{
+		ID: &request.IdpId,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to get identity provider, err: %s", err))
+	}
+	if identityProvider == nil {
+		return nil, status.Errorf(codes.InvalidArgument, fmt.Sprintf("identity provider not found with id %d", request.IdpId))
+	}
+
+	var userInfo *idp.IdentityProviderUserInfo
+	if identityProvider.Type == store.IdentityProviderOAuth2Type {
+		oauth2IdentityProvider, err := oauth2.NewIdentityProvider(identityProvider.Config.OAuth2Config)
+		if err != nil {
+			return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to create oauth2 identity provider, err: %s", err))
+		}
+		token, err := oauth2IdentityProvider.ExchangeToken(ctx, request.RedirectUri, request.Code)
+		if err != nil {
+			return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to exchange token, err: %s", err))
+		}
+		userInfo, err = oauth2IdentityProvider.UserInfo(token)
+		if err != nil {
+			return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to get user info, err: %s", err))
+		}
+	}
+
+	identifierFilter := identityProvider.IdentifierFilter
+	if identifierFilter != "" {
+		identifierFilterRegex, err := regexp.Compile(identifierFilter)
+		if err != nil {
+			return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to compile identifier filter regex, err: %s", err))
+		}
+		if !identifierFilterRegex.MatchString(userInfo.Identifier) {
+			return nil, status.Errorf(codes.PermissionDenied, fmt.Sprintf("identifier %s is not allowed", userInfo.Identifier))
+		}
+	}
+
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		Username: &userInfo.Identifier,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to find user by username %s", userInfo.Identifier))
+	}
+	if user == nil {
+		userCreate := &store.User{
+			Username: userInfo.Identifier,
+			// The new signup user should be normal user by default.
+			Role:     store.RoleUser,
+			Nickname: userInfo.DisplayName,
+			Email:    userInfo.Email,
+		}
+		password, err := util.RandomString(20)
+		if err != nil {
+			return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to generate random password, err: %s", err))
+		}
+		passwordHash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+		if err != nil {
+			return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to generate password hash, err: %s", err))
+		}
+		userCreate.PasswordHash = string(passwordHash)
+		user, err = s.Store.CreateUser(ctx, userCreate)
+		if err != nil {
+			return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to create user, err: %s", err))
+		}
+	}
+	if user.RowStatus == store.Archived {
+		return nil, status.Errorf(codes.PermissionDenied, fmt.Sprintf("user has been archived with username %s", userInfo.Identifier))
+	}
+
+	if err := s.doSignIn(ctx, user, time.Now().Add(auth.AccessTokenDuration)); err != nil {
+		return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to sign in, err: %s", err))
+	}
+	return &apiv2pb.SignInWithSSOResponse{
+		User: convertUserFromStore(user),
+	}, nil
+}
+
+func (s *APIV2Service) doSignIn(ctx context.Context, user *store.User, expireTime time.Time) error {
+	accessToken, err := auth.GenerateAccessToken(user.Email, user.ID, expireTime, []byte(s.Secret))
+	if err != nil {
+		return status.Errorf(codes.Internal, fmt.Sprintf("failed to generate tokens, err: %s", err))
+	}
+	if err := s.UpsertAccessTokenToStore(ctx, user, accessToken, "user login"); err != nil {
+		return status.Errorf(codes.Internal, fmt.Sprintf("failed to upsert access token to store, err: %s", err))
+	}
+
+	cookieExpires := time.Now().Add(auth.CookieExpDuration)
+	if expireTime.IsZero() {
+		// Set cookie expires to 100 years.
+		cookieExpires = time.Now().AddDate(100, 0, 0)
+	}
+	if err := grpc.SetHeader(ctx, metadata.New(map[string]string{
+		"Set-Cookie": fmt.Sprintf("%s=%s; Path=/; Expires=%s; HttpOnly; SameSite=Strict", auth.AccessTokenCookieName, accessToken, cookieExpires.Format(time.RFC1123)),
+	})); err != nil {
+		return status.Errorf(codes.Internal, "failed to set grpc header, error: %v", err)
+	}
+
+	metric.Enqueue("user sign in")
+	return nil
+}
+
+func (s *APIV2Service) SignUp(ctx context.Context, request *apiv2pb.SignUpRequest) (*apiv2pb.SignUpResponse, error) {
+	workspaceGeneralSetting, err := s.GetWorkspaceGeneralSetting(ctx)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to get workspace setting, err: %s", err))
+	}
+	if workspaceGeneralSetting.DisallowSignup || workspaceGeneralSetting.DisallowPasswordLogin {
+		return nil, status.Errorf(codes.PermissionDenied, "sign up is not allowed")
+	}
+
+	passwordHash, err := bcrypt.GenerateFromPassword([]byte(request.Password), bcrypt.DefaultCost)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to generate password hash, err: %s", err))
+	}
+
+	create := &store.User{
+		Username:     request.Username,
+		Nickname:     request.Username,
+		PasswordHash: string(passwordHash),
+	}
+
+	hostUserType := store.RoleHost
+	existedHostUsers, err := s.Store.ListUsers(ctx, &store.FindUser{
+		Role: &hostUserType,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to list users, err: %s", err))
+	}
+	if len(existedHostUsers) == 0 {
+		// Change the default role to host if there is no host user.
+		create.Role = store.RoleHost
+	} else {
+		create.Role = store.RoleUser
+	}
+
+	user, err := s.Store.CreateUser(ctx, create)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to create user, err: %s", err))
+	}
+
+	if err := s.doSignIn(ctx, user, time.Now().Add(auth.AccessTokenDuration)); err != nil {
+		return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to sign in, err: %s", err))
+	}
+	metric.Enqueue("user sign up")
+	return &apiv2pb.SignUpResponse{
+		User: convertUserFromStore(user),
+	}, nil
+}
+
+func (*APIV2Service) SignOut(ctx context.Context, _ *apiv2pb.SignOutRequest) (*apiv2pb.SignOutResponse, error) {
+	if err := clearAccessTokenCookie(ctx); err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to set grpc header, error: %v", err)
+	}
+	return &apiv2pb.SignOutResponse{}, nil
+}
+
+func clearAccessTokenCookie(ctx context.Context) error {
+	if err := grpc.SetHeader(ctx, metadata.New(map[string]string{
+		"Set-Cookie": fmt.Sprintf("%s=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; SameSite=Strict", auth.AccessTokenCookieName),
+	})); err != nil {
+		return errors.Wrap(err, "failed to set grpc header")
+	}
+	return nil
+}
+
+func (s *APIV2Service) GetWorkspaceGeneralSetting(ctx context.Context) (*storepb.WorkspaceGeneralSetting, error) {
+	workspaceSetting, err := s.Store.GetWorkspaceSetting(ctx, &store.FindWorkspaceSetting{
+		Name: storepb.WorkspaceSettingKey_WORKSPACE_SETTING_GENERAL.String(),
+	})
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to get workspace setting")
+	}
+	workspaceGeneralSetting := &storepb.WorkspaceGeneralSetting{}
+	if workspaceSetting != nil {
+		if err := proto.Unmarshal([]byte(workspaceSetting.Value), workspaceGeneralSetting); err != nil {
+			return nil, errors.Wrap(err, "failed to unmarshal workspace setting")
+		}
+	}
+	return workspaceGeneralSetting, nil
+}

api/v2/common.go

@@ -0,0 +1,74 @@
+package v2
+
+import (
+	"context"
+	"encoding/base64"
+
+	"github.com/pkg/errors"
+	"google.golang.org/protobuf/proto"
+
+	apiv2pb "github.com/usememos/memos/proto/gen/api/v2"
+	"github.com/usememos/memos/store"
+)
+
+func convertRowStatusFromStore(rowStatus store.RowStatus) apiv2pb.RowStatus {
+	switch rowStatus {
+	case store.Normal:
+		return apiv2pb.RowStatus_ACTIVE
+	case store.Archived:
+		return apiv2pb.RowStatus_ARCHIVED
+	default:
+		return apiv2pb.RowStatus_ROW_STATUS_UNSPECIFIED
+	}
+}
+
+func convertRowStatusToStore(rowStatus apiv2pb.RowStatus) store.RowStatus {
+	switch rowStatus {
+	case apiv2pb.RowStatus_ACTIVE:
+		return store.Normal
+	case apiv2pb.RowStatus_ARCHIVED:
+		return store.Archived
+	default:
+		return store.Normal
+	}
+}
+
+func getCurrentUser(ctx context.Context, s *store.Store) (*store.User, error) {
+	username, ok := ctx.Value(usernameContextKey).(string)
+	if !ok {
+		return nil, nil
+	}
+	user, err := s.GetUser(ctx, &store.FindUser{
+		Username: &username,
+	})
+	if err != nil {
+		return nil, err
+	}
+	return user, nil
+}
+
+func getPageToken(limit int, offset int) (string, error) {
+	return marshalPageToken(&apiv2pb.PageToken{
+		Limit:  int32(limit),
+		Offset: int32(offset),
+	})
+}
+
+func marshalPageToken(pageToken *apiv2pb.PageToken) (string, error) {
+	b, err := proto.Marshal(pageToken)
+	if err != nil {
+		return "", errors.Wrapf(err, "failed to marshal page token")
+	}
+	return base64.StdEncoding.EncodeToString(b), nil
+}
+
+func unmarshalPageToken(s string, pageToken *apiv2pb.PageToken) error {
+	b, err := base64.StdEncoding.DecodeString(s)
+	if err != nil {
+		return errors.Wrapf(err, "failed to decode page token")
+	}
+	if err := proto.Unmarshal(b, pageToken); err != nil {
+		return errors.Wrapf(err, "failed to unmarshal page token")
+	}
+	return nil
+}

api/v2/inbox_service.go

@@ -0,0 +1,138 @@
+package v2
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/pkg/errors"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	apiv2pb "github.com/usememos/memos/proto/gen/api/v2"
+	"github.com/usememos/memos/store"
+)
+
+func (s *APIV2Service) ListInboxes(ctx context.Context, _ *apiv2pb.ListInboxesRequest) (*apiv2pb.ListInboxesResponse, error) {
+	user, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get user")
+	}
+
+	inboxes, err := s.Store.ListInboxes(ctx, &store.FindInbox{
+		ReceiverID: &user.ID,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to list inbox: %v", err)
+	}
+
+	response := &apiv2pb.ListInboxesResponse{
+		Inboxes: []*apiv2pb.Inbox{},
+	}
+	for _, inbox := range inboxes {
+		inboxMessage, err := s.convertInboxFromStore(ctx, inbox)
+		if err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to convert inbox from store: %v", err)
+		}
+		response.Inboxes = append(response.Inboxes, inboxMessage)
+	}
+
+	return response, nil
+}
+
+func (s *APIV2Service) UpdateInbox(ctx context.Context, request *apiv2pb.UpdateInboxRequest) (*apiv2pb.UpdateInboxResponse, error) {
+	if request.UpdateMask == nil || len(request.UpdateMask.Paths) == 0 {
+		return nil, status.Errorf(codes.InvalidArgument, "update mask is required")
+	}
+
+	inboxID, err := ExtractInboxIDFromName(request.Inbox.Name)
+	if err != nil {
+		return nil, status.Errorf(codes.InvalidArgument, "invalid inbox name: %v", err)
+	}
+	update := &store.UpdateInbox{
+		ID: inboxID,
+	}
+	for _, field := range request.UpdateMask.Paths {
+		if field == "status" {
+			if request.Inbox.Status == apiv2pb.Inbox_STATUS_UNSPECIFIED {
+				return nil, status.Errorf(codes.InvalidArgument, "status is required")
+			}
+			update.Status = convertInboxStatusToStore(request.Inbox.Status)
+		}
+	}
+
+	inbox, err := s.Store.UpdateInbox(ctx, update)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to update inbox: %v", err)
+	}
+
+	inboxMessage, err := s.convertInboxFromStore(ctx, inbox)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to convert inbox from store: %v", err)
+	}
+	return &apiv2pb.UpdateInboxResponse{
+		Inbox: inboxMessage,
+	}, nil
+}
+
+func (s *APIV2Service) DeleteInbox(ctx context.Context, request *apiv2pb.DeleteInboxRequest) (*apiv2pb.DeleteInboxResponse, error) {
+	inboxID, err := ExtractInboxIDFromName(request.Name)
+	if err != nil {
+		return nil, status.Errorf(codes.InvalidArgument, "invalid inbox name: %v", err)
+	}
+
+	if err := s.Store.DeleteInbox(ctx, &store.DeleteInbox{
+		ID: inboxID,
+	}); err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to update inbox: %v", err)
+	}
+	return &apiv2pb.DeleteInboxResponse{}, nil
+}
+
+func (s *APIV2Service) convertInboxFromStore(ctx context.Context, inbox *store.Inbox) (*apiv2pb.Inbox, error) {
+	sender, err := s.Store.GetUser(ctx, &store.FindUser{
+		ID: &inbox.SenderID,
+	})
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to get sender")
+	}
+	receiver, err := s.Store.GetUser(ctx, &store.FindUser{
+		ID: &inbox.ReceiverID,
+	})
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to get receiver")
+	}
+
+	return &apiv2pb.Inbox{
+		Name:       fmt.Sprintf("inboxes/%d", inbox.ID),
+		Sender:     fmt.Sprintf("users/%s", sender.Username),
+		Receiver:   fmt.Sprintf("users/%s", receiver.Username),
+		Status:     convertInboxStatusFromStore(inbox.Status),
+		CreateTime: timestamppb.New(time.Unix(inbox.CreatedTs, 0)),
+		Type:       apiv2pb.Inbox_Type(inbox.Message.Type),
+		ActivityId: inbox.Message.ActivityId,
+	}, nil
+}
+
+func convertInboxStatusFromStore(status store.InboxStatus) apiv2pb.Inbox_Status {
+	switch status {
+	case store.UNREAD:
+		return apiv2pb.Inbox_UNREAD
+	case store.ARCHIVED:
+		return apiv2pb.Inbox_ARCHIVED
+	default:
+		return apiv2pb.Inbox_STATUS_UNSPECIFIED
+	}
+}
+
+func convertInboxStatusToStore(status apiv2pb.Inbox_Status) store.InboxStatus {
+	switch status {
+	case apiv2pb.Inbox_UNREAD:
+		return store.UNREAD
+	case apiv2pb.Inbox_ARCHIVED:
+		return store.ARCHIVED
+	default:
+		return store.UNREAD
+	}
+}

api/v2/memo_relation_service.go

@@ -0,0 +1,100 @@
+package v2
+
+import (
+	"context"
+
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+
+	apiv2pb "github.com/usememos/memos/proto/gen/api/v2"
+	"github.com/usememos/memos/store"
+)
+
+func (s *APIV2Service) SetMemoRelations(ctx context.Context, request *apiv2pb.SetMemoRelationsRequest) (*apiv2pb.SetMemoRelationsResponse, error) {
+	referenceType := store.MemoRelationReference
+	// Delete all reference relations first.
+	if err := s.Store.DeleteMemoRelation(ctx, &store.DeleteMemoRelation{
+		MemoID: &request.Id,
+		Type:   &referenceType,
+	}); err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to delete memo relation")
+	}
+
+	for _, relation := range request.Relations {
+		// Ignore reflexive relations.
+		if request.Id == relation.RelatedMemoId {
+			continue
+		}
+		// Ignore comment relations as there's no need to update a comment's relation.
+		// Inserting/Deleting a comment is handled elsewhere.
+		if relation.Type == apiv2pb.MemoRelation_COMMENT {
+			continue
+		}
+		if _, err := s.Store.UpsertMemoRelation(ctx, &store.MemoRelation{
+			MemoID:        request.Id,
+			RelatedMemoID: relation.RelatedMemoId,
+			Type:          convertMemoRelationTypeToStore(relation.Type),
+		}); err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to upsert memo relation")
+		}
+	}
+
+	return &apiv2pb.SetMemoRelationsResponse{}, nil
+}
+
+func (s *APIV2Service) ListMemoRelations(ctx context.Context, request *apiv2pb.ListMemoRelationsRequest) (*apiv2pb.ListMemoRelationsResponse, error) {
+	relationList := []*apiv2pb.MemoRelation{}
+	tempList, err := s.Store.ListMemoRelations(ctx, &store.FindMemoRelation{
+		MemoID: &request.Id,
+	})
+	if err != nil {
+		return nil, err
+	}
+	for _, relation := range tempList {
+		relationList = append(relationList, convertMemoRelationFromStore(relation))
+	}
+	tempList, err = s.Store.ListMemoRelations(ctx, &store.FindMemoRelation{
+		RelatedMemoID: &request.Id,
+	})
+	if err != nil {
+		return nil, err
+	}
+	for _, relation := range tempList {
+		relationList = append(relationList, convertMemoRelationFromStore(relation))
+	}
+
+	response := &apiv2pb.ListMemoRelationsResponse{
+		Relations: relationList,
+	}
+	return response, nil
+}
+
+func convertMemoRelationFromStore(memoRelation *store.MemoRelation) *apiv2pb.MemoRelation {
+	return &apiv2pb.MemoRelation{
+		MemoId:        memoRelation.MemoID,
+		RelatedMemoId: memoRelation.RelatedMemoID,
+		Type:          convertMemoRelationTypeFromStore(memoRelation.Type),
+	}
+}
+
+func convertMemoRelationTypeFromStore(relationType store.MemoRelationType) apiv2pb.MemoRelation_Type {
+	switch relationType {
+	case store.MemoRelationReference:
+		return apiv2pb.MemoRelation_REFERENCE
+	case store.MemoRelationComment:
+		return apiv2pb.MemoRelation_COMMENT
+	default:
+		return apiv2pb.MemoRelation_TYPE_UNSPECIFIED
+	}
+}
+
+func convertMemoRelationTypeToStore(relationType apiv2pb.MemoRelation_Type) store.MemoRelationType {
+	switch relationType {
+	case apiv2pb.MemoRelation_REFERENCE:
+		return store.MemoRelationReference
+	case apiv2pb.MemoRelation_COMMENT:
+		return store.MemoRelationComment
+	default:
+		return store.MemoRelationReference
+	}
+}

api/v2/memo_resource_service.go

@@ -0,0 +1,73 @@
+package v2
+
+import (
+	"context"
+	"slices"
+	"time"
+
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+
+	apiv2pb "github.com/usememos/memos/proto/gen/api/v2"
+	"github.com/usememos/memos/store"
+)
+
+func (s *APIV2Service) SetMemoResources(ctx context.Context, request *apiv2pb.SetMemoResourcesRequest) (*apiv2pb.SetMemoResourcesResponse, error) {
+	resources, err := s.Store.ListResources(ctx, &store.FindResource{
+		MemoID: &request.Id,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to list resources")
+	}
+
+	// Delete resources that are not in the request.
+	for _, resource := range resources {
+		found := false
+		for _, requestResource := range request.Resources {
+			if resource.ID == int32(requestResource.Id) {
+				found = true
+				break
+			}
+		}
+		if !found {
+			if err = s.Store.DeleteResource(ctx, &store.DeleteResource{
+				ID:     int32(resource.ID),
+				MemoID: &request.Id,
+			}); err != nil {
+				return nil, status.Errorf(codes.Internal, "failed to delete resource")
+			}
+		}
+	}
+
+	slices.Reverse(request.Resources)
+	// Update resources' memo_id in the request.
+	for index, resource := range request.Resources {
+		updatedTs := time.Now().Unix() + int64(index)
+		if _, err := s.Store.UpdateResource(ctx, &store.UpdateResource{
+			ID:        resource.Id,
+			MemoID:    &request.Id,
+			UpdatedTs: &updatedTs,
+		}); err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to update resource: %v", err)
+		}
+	}
+
+	return &apiv2pb.SetMemoResourcesResponse{}, nil
+}
+
+func (s *APIV2Service) ListMemoResources(ctx context.Context, request *apiv2pb.ListMemoResourcesRequest) (*apiv2pb.ListMemoResourcesResponse, error) {
+	resources, err := s.Store.ListResources(ctx, &store.FindResource{
+		MemoID: &request.Id,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to list resources")
+	}
+
+	response := &apiv2pb.ListMemoResourcesResponse{
+		Resources: []*apiv2pb.Resource{},
+	}
+	for _, resource := range resources {
+		response.Resources = append(response.Resources, s.convertResourceFromStore(ctx, resource))
+	}
+	return response, nil
+}

api/v2/memo_service.go

@@ -0,0 +1,909 @@
+package v2
+
+import (
+	"archive/zip"
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"time"
+
+	"github.com/google/cel-go/cel"
+	"github.com/lithammer/shortuuid/v4"
+	"github.com/pkg/errors"
+	"go.uber.org/zap"
+	expr "google.golang.org/genproto/googleapis/api/expr/v1alpha1"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	apiv1 "github.com/usememos/memos/api/v1"
+	"github.com/usememos/memos/internal/log"
+	"github.com/usememos/memos/internal/util"
+	"github.com/usememos/memos/plugin/webhook"
+	apiv2pb "github.com/usememos/memos/proto/gen/api/v2"
+	storepb "github.com/usememos/memos/proto/gen/store"
+	"github.com/usememos/memos/server/service/metric"
+	"github.com/usememos/memos/store"
+)
+
+const (
+	DefaultPageSize  = 10
+	MaxContentLength = 8 * 1024
+	ChunkSize        = 64 * 1024 // 64 KiB
+)
+
+func (s *APIV2Service) CreateMemo(ctx context.Context, request *apiv2pb.CreateMemoRequest) (*apiv2pb.CreateMemoResponse, error) {
+	user, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get user")
+	}
+	if user == nil {
+		return nil, status.Errorf(codes.PermissionDenied, "permission denied")
+	}
+	if len(request.Content) > MaxContentLength {
+		return nil, status.Errorf(codes.InvalidArgument, "content too long")
+	}
+
+	create := &store.Memo{
+		ResourceName: shortuuid.New(),
+		CreatorID:    user.ID,
+		Content:      request.Content,
+		Visibility:   convertVisibilityToStore(request.Visibility),
+	}
+	// Find disable public memos system setting.
+	disablePublicMemosSystem, err := s.getDisablePublicMemosSystemSettingValue(ctx)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get system setting")
+	}
+	if disablePublicMemosSystem && create.Visibility == store.Public {
+		return nil, status.Errorf(codes.PermissionDenied, "disable public memos system setting is enabled")
+	}
+
+	memo, err := s.Store.CreateMemo(ctx, create)
+	if err != nil {
+		return nil, err
+	}
+	metric.Enqueue("memo create")
+
+	memoMessage, err := s.convertMemoFromStore(ctx, memo)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to convert memo")
+	}
+	// Try to dispatch webhook when memo is created.
+	if err := s.DispatchMemoCreatedWebhook(ctx, memoMessage); err != nil {
+		log.Warn("Failed to dispatch memo created webhook", zap.Error(err))
+	}
+
+	response := &apiv2pb.CreateMemoResponse{
+		Memo: memoMessage,
+	}
+	return response, nil
+}
+
+func (s *APIV2Service) ListMemos(ctx context.Context, request *apiv2pb.ListMemosRequest) (*apiv2pb.ListMemosResponse, error) {
+	memoFind, err := s.buildFindMemosWithFilter(ctx, request.Filter, true)
+	if err != nil {
+		return nil, err
+	}
+
+	var limit, offset int
+	if request.PageToken != "" {
+		var pageToken apiv2pb.PageToken
+		if err := unmarshalPageToken(request.PageToken, &pageToken); err != nil {
+			return nil, status.Errorf(codes.InvalidArgument, "invalid page token: %v", err)
+		}
+		if pageToken.Limit < 0 {
+			return nil, status.Errorf(codes.InvalidArgument, "page size cannot be negative")
+		}
+		limit = int(pageToken.Limit)
+		offset = int(pageToken.Offset)
+	} else {
+		limit = int(request.PageSize)
+	}
+	if limit <= 0 {
+		limit = DefaultPageSize
+	}
+	limitPlusOne := limit + 1
+	memoFind.Offset = &offset
+	memoFind.Limit = &limitPlusOne
+	memos, err := s.Store.ListMemos(ctx, memoFind)
+	if err != nil {
+		return nil, err
+	}
+
+	memoMessages := []*apiv2pb.Memo{}
+	nextPageToken := ""
+	if len(memos) == limitPlusOne {
+		memos = memos[:limit]
+		nextPageToken, err = getPageToken(limit, offset+limit)
+		if err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to get next page token, error: %v", err)
+		}
+	}
+	for _, memo := range memos {
+		memoMessage, err := s.convertMemoFromStore(ctx, memo)
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to convert memo")
+		}
+		memoMessages = append(memoMessages, memoMessage)
+	}
+
+	response := &apiv2pb.ListMemosResponse{
+		Memos:         memoMessages,
+		NextPageToken: nextPageToken,
+	}
+	return response, nil
+}
+
+func (s *APIV2Service) GetMemo(ctx context.Context, request *apiv2pb.GetMemoRequest) (*apiv2pb.GetMemoResponse, error) {
+	memo, err := s.Store.GetMemo(ctx, &store.FindMemo{
+		ID: &request.Id,
+	})
+	if err != nil {
+		return nil, err
+	}
+	if memo == nil {
+		return nil, status.Errorf(codes.NotFound, "memo not found")
+	}
+	if memo.Visibility != store.Public {
+		user, err := getCurrentUser(ctx, s.Store)
+		if err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to get user")
+		}
+		if user == nil {
+			return nil, status.Errorf(codes.PermissionDenied, "permission denied")
+		}
+		if memo.Visibility == store.Private && memo.CreatorID != user.ID {
+			return nil, status.Errorf(codes.PermissionDenied, "permission denied")
+		}
+	}
+
+	memoMessage, err := s.convertMemoFromStore(ctx, memo)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to convert memo")
+	}
+	response := &apiv2pb.GetMemoResponse{
+		Memo: memoMessage,
+	}
+	return response, nil
+}
+
+func (s *APIV2Service) GetMemoByName(ctx context.Context, request *apiv2pb.GetMemoByNameRequest) (*apiv2pb.GetMemoByNameResponse, error) {
+	memo, err := s.Store.GetMemo(ctx, &store.FindMemo{
+		ResourceName: &request.Name,
+	})
+	if err != nil {
+		return nil, err
+	}
+	if memo == nil {
+		return nil, status.Errorf(codes.NotFound, "memo not found")
+	}
+	if memo.Visibility != store.Public {
+		user, err := getCurrentUser(ctx, s.Store)
+		if err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to get user")
+		}
+		if user == nil {
+			return nil, status.Errorf(codes.PermissionDenied, "permission denied")
+		}
+		if memo.Visibility == store.Private && memo.CreatorID != user.ID {
+			return nil, status.Errorf(codes.PermissionDenied, "permission denied")
+		}
+	}
+
+	memoMessage, err := s.convertMemoFromStore(ctx, memo)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to convert memo")
+	}
+	response := &apiv2pb.GetMemoByNameResponse{
+		Memo: memoMessage,
+	}
+	return response, nil
+}
+
+func (s *APIV2Service) UpdateMemo(ctx context.Context, request *apiv2pb.UpdateMemoRequest) (*apiv2pb.UpdateMemoResponse, error) {
+	if request.UpdateMask == nil || len(request.UpdateMask.Paths) == 0 {
+		return nil, status.Errorf(codes.InvalidArgument, "update mask is required")
+	}
+
+	memo, err := s.Store.GetMemo(ctx, &store.FindMemo{
+		ID: &request.Id,
+	})
+	if err != nil {
+		return nil, err
+	}
+	if memo == nil {
+		return nil, status.Errorf(codes.NotFound, "memo not found")
+	}
+
+	user, _ := getCurrentUser(ctx, s.Store)
+	if memo.CreatorID != user.ID {
+		return nil, status.Errorf(codes.PermissionDenied, "permission denied")
+	}
+
+	currentTs := time.Now().Unix()
+	update := &store.UpdateMemo{
+		ID:        request.Id,
+		UpdatedTs: &currentTs,
+	}
+	for _, path := range request.UpdateMask.Paths {
+		if path == "content" {
+			update.Content = &request.Memo.Content
+		} else if path == "resource_name" {
+			update.ResourceName = &request.Memo.Name
+			if !util.ResourceNameMatcher.MatchString(*update.ResourceName) {
+				return nil, status.Errorf(codes.InvalidArgument, "invalid resource name")
+			}
+		} else if path == "visibility" {
+			visibility := convertVisibilityToStore(request.Memo.Visibility)
+			// Find disable public memos system setting.
+			disablePublicMemosSystem, err := s.getDisablePublicMemosSystemSettingValue(ctx)
+			if err != nil {
+				return nil, status.Errorf(codes.Internal, "failed to get system setting")
+			}
+			if disablePublicMemosSystem && visibility == store.Public {
+				return nil, status.Errorf(codes.PermissionDenied, "disable public memos system setting is enabled")
+			}
+			update.Visibility = &visibility
+		} else if path == "row_status" {
+			rowStatus := convertRowStatusToStore(request.Memo.RowStatus)
+			println("rowStatus", rowStatus)
+			update.RowStatus = &rowStatus
+		} else if path == "created_ts" {
+			createdTs := request.Memo.CreateTime.AsTime().Unix()
+			update.CreatedTs = &createdTs
+		} else if path == "pinned" {
+			if _, err := s.Store.UpsertMemoOrganizer(ctx, &store.MemoOrganizer{
+				MemoID: request.Id,
+				UserID: user.ID,
+				Pinned: request.Memo.Pinned,
+			}); err != nil {
+				return nil, status.Errorf(codes.Internal, "failed to upsert memo organizer")
+			}
+		}
+	}
+	if update.Content != nil && len(*update.Content) > MaxContentLength {
+		return nil, status.Errorf(codes.InvalidArgument, "content too long")
+	}
+
+	if err = s.Store.UpdateMemo(ctx, update); err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to update memo")
+	}
+
+	memo, err = s.Store.GetMemo(ctx, &store.FindMemo{
+		ID: &request.Id,
+	})
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to get memo")
+	}
+	memoMessage, err := s.convertMemoFromStore(ctx, memo)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to convert memo")
+	}
+	// Try to dispatch webhook when memo is updated.
+	if err := s.DispatchMemoUpdatedWebhook(ctx, memoMessage); err != nil {
+		log.Warn("Failed to dispatch memo updated webhook", zap.Error(err))
+	}
+
+	return &apiv2pb.UpdateMemoResponse{
+		Memo: memoMessage,
+	}, nil
+}
+
+func (s *APIV2Service) DeleteMemo(ctx context.Context, request *apiv2pb.DeleteMemoRequest) (*apiv2pb.DeleteMemoResponse, error) {
+	memo, err := s.Store.GetMemo(ctx, &store.FindMemo{
+		ID: &request.Id,
+	})
+	if err != nil {
+		return nil, err
+	}
+	if memo == nil {
+		return nil, status.Errorf(codes.NotFound, "memo not found")
+	}
+
+	user, _ := getCurrentUser(ctx, s.Store)
+	if memo.CreatorID != user.ID {
+		return nil, status.Errorf(codes.PermissionDenied, "permission denied")
+	}
+
+	if memoMessage, err := s.convertMemoFromStore(ctx, memo); err == nil {
+		// Try to dispatch webhook when memo is deleted.
+		if err := s.DispatchMemoDeletedWebhook(ctx, memoMessage); err != nil {
+			log.Warn("Failed to dispatch memo deleted webhook", zap.Error(err))
+		}
+	}
+
+	if err = s.Store.DeleteMemo(ctx, &store.DeleteMemo{
+		ID: request.Id,
+	}); err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to delete memo")
+	}
+
+	return &apiv2pb.DeleteMemoResponse{}, nil
+}
+
+func (s *APIV2Service) CreateMemoComment(ctx context.Context, request *apiv2pb.CreateMemoCommentRequest) (*apiv2pb.CreateMemoCommentResponse, error) {
+	relatedMemo, err := s.Store.GetMemo(ctx, &store.FindMemo{ID: &request.Id})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get memo")
+	}
+
+	// Create the comment memo first.
+	createMemoResponse, err := s.CreateMemo(ctx, request.Create)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to create memo")
+	}
+
+	// Build the relation between the comment memo and the original memo.
+	memo := createMemoResponse.Memo
+	_, err = s.Store.UpsertMemoRelation(ctx, &store.MemoRelation{
+		MemoID:        memo.Id,
+		RelatedMemoID: request.Id,
+		Type:          store.MemoRelationComment,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to create memo relation")
+	}
+	if memo.Visibility != apiv2pb.Visibility_PRIVATE && memo.CreatorId != relatedMemo.CreatorID {
+		activity, err := s.Store.CreateActivity(ctx, &store.Activity{
+			CreatorID: memo.CreatorId,
+			Type:      store.ActivityTypeMemoComment,
+			Level:     store.ActivityLevelInfo,
+			Payload: &storepb.ActivityPayload{
+				MemoComment: &storepb.ActivityMemoCommentPayload{
+					MemoId:        memo.Id,
+					RelatedMemoId: request.Id,
+				},
+			},
+		})
+		if err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to create activity")
+		}
+		if _, err := s.Store.CreateInbox(ctx, &store.Inbox{
+			SenderID:   memo.CreatorId,
+			ReceiverID: relatedMemo.CreatorID,
+			Status:     store.UNREAD,
+			Message: &storepb.InboxMessage{
+				Type:       storepb.InboxMessage_TYPE_MEMO_COMMENT,
+				ActivityId: &activity.ID,
+			},
+		}); err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to create inbox")
+		}
+	}
+	metric.Enqueue("memo comment create")
+
+	response := &apiv2pb.CreateMemoCommentResponse{
+		Memo: memo,
+	}
+	return response, nil
+}
+
+func (s *APIV2Service) ListMemoComments(ctx context.Context, request *apiv2pb.ListMemoCommentsRequest) (*apiv2pb.ListMemoCommentsResponse, error) {
+	memoRelationComment := store.MemoRelationComment
+	memoRelations, err := s.Store.ListMemoRelations(ctx, &store.FindMemoRelation{
+		RelatedMemoID: &request.Id,
+		Type:          &memoRelationComment,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to list memo relations")
+	}
+
+	var memos []*apiv2pb.Memo
+	for _, memoRelation := range memoRelations {
+		memo, err := s.Store.GetMemo(ctx, &store.FindMemo{
+			ID: &memoRelation.MemoID,
+		})
+		if err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to get memo")
+		}
+		if memo != nil {
+			memoMessage, err := s.convertMemoFromStore(ctx, memo)
+			if err != nil {
+				return nil, errors.Wrap(err, "failed to convert memo")
+			}
+			memos = append(memos, memoMessage)
+		}
+	}
+
+	response := &apiv2pb.ListMemoCommentsResponse{
+		Memos: memos,
+	}
+	return response, nil
+}
+
+func (s *APIV2Service) GetUserMemosStats(ctx context.Context, request *apiv2pb.GetUserMemosStatsRequest) (*apiv2pb.GetUserMemosStatsResponse, error) {
+	username, err := ExtractUsernameFromName(request.Name)
+	if err != nil {
+		return nil, status.Errorf(codes.InvalidArgument, "invalid username")
+	}
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		Username: &username,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get user")
+	}
+	if user == nil {
+		return nil, status.Errorf(codes.NotFound, "user not found")
+	}
+
+	normalRowStatus := store.Normal
+	memoFind := &store.FindMemo{
+		CreatorID:       &user.ID,
+		RowStatus:       &normalRowStatus,
+		ExcludeComments: true,
+		ExcludeContent:  true,
+	}
+	displayWithUpdatedTs, err := s.getMemoDisplayWithUpdatedTsSettingValue(ctx)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get memo display with updated ts setting value")
+	}
+	if displayWithUpdatedTs {
+		memoFind.OrderByUpdatedTs = true
+	}
+	if request.Filter != "" {
+		filter, err := parseListMemosFilter(request.Filter)
+		if err != nil {
+			return nil, status.Errorf(codes.InvalidArgument, "invalid filter: %v", err)
+		}
+		if len(filter.ContentSearch) > 0 {
+			memoFind.ContentSearch = filter.ContentSearch
+		}
+		if len(filter.Visibilities) > 0 {
+			memoFind.VisibilityList = filter.Visibilities
+		}
+		if filter.OrderByPinned {
+			memoFind.OrderByPinned = filter.OrderByPinned
+		}
+		if filter.DisplayTimeAfter != nil {
+			displayWithUpdatedTs, err := s.getMemoDisplayWithUpdatedTsSettingValue(ctx)
+			if err != nil {
+				return nil, status.Errorf(codes.Internal, "failed to get memo display with updated ts setting value")
+			}
+			if displayWithUpdatedTs {
+				memoFind.UpdatedTsAfter = filter.DisplayTimeAfter
+			} else {
+				memoFind.CreatedTsAfter = filter.DisplayTimeAfter
+			}
+		}
+		if filter.DisplayTimeBefore != nil {
+			displayWithUpdatedTs, err := s.getMemoDisplayWithUpdatedTsSettingValue(ctx)
+			if err != nil {
+				return nil, status.Errorf(codes.Internal, "failed to get memo display with updated ts setting value")
+			}
+			if displayWithUpdatedTs {
+				memoFind.UpdatedTsBefore = filter.DisplayTimeBefore
+			} else {
+				memoFind.CreatedTsBefore = filter.DisplayTimeBefore
+			}
+		}
+		if filter.RowStatus != nil {
+			memoFind.RowStatus = filter.RowStatus
+		}
+	}
+
+	memos, err := s.Store.ListMemos(ctx, memoFind)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to list memos")
+	}
+
+	location, err := time.LoadLocation(request.Timezone)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "invalid timezone location")
+	}
+
+	stats := make(map[string]int32)
+	for _, memo := range memos {
+		displayTs := memo.CreatedTs
+		if displayWithUpdatedTs {
+			displayTs = memo.UpdatedTs
+		}
+		stats[time.Unix(displayTs, 0).In(location).Format("2006-01-02")]++
+	}
+
+	response := &apiv2pb.GetUserMemosStatsResponse{
+		Stats: stats,
+	}
+	return response, nil
+}
+
+func (s *APIV2Service) ExportMemos(request *apiv2pb.ExportMemosRequest, srv apiv2pb.MemoService_ExportMemosServer) error {
+	ctx := srv.Context()
+	fmt.Printf("%+v\n", ctx)
+	memoFind, err := s.buildFindMemosWithFilter(ctx, request.Filter, true)
+	if err != nil {
+		return err
+	}
+
+	memos, err := s.Store.ListMemos(ctx, memoFind)
+	if err != nil {
+		return err
+	}
+
+	buf := new(bytes.Buffer)
+	writer := zip.NewWriter(buf)
+
+	for _, memo := range memos {
+		memoMessage, err := s.convertMemoFromStore(ctx, memo)
+		log.Info(memoMessage.Content)
+		if err != nil {
+			return errors.Wrap(err, "failed to convert memo")
+		}
+		file, err := writer.Create(time.Unix(memo.CreatedTs, 0).Format(time.RFC3339) + ".md")
+		if err != nil {
+			return status.Errorf(codes.Internal, "Failed to create memo file")
+		}
+		_, err = file.Write([]byte(memoMessage.Content))
+		if err != nil {
+			return status.Errorf(codes.Internal, "Failed to write to memo file")
+		}
+	}
+
+	err = writer.Close()
+	if err != nil {
+		return status.Errorf(codes.Internal, "Failed to close zip file writer")
+	}
+
+	exportChunk := &apiv2pb.ExportMemosResponse{}
+	sizeOfFile := len(buf.Bytes())
+	for currentByte := 0; currentByte < sizeOfFile; currentByte += ChunkSize {
+		if currentByte+ChunkSize > sizeOfFile {
+			exportChunk.File = buf.Bytes()[currentByte:sizeOfFile]
+		} else {
+			exportChunk.File = buf.Bytes()[currentByte : currentByte+ChunkSize]
+		}
+
+		err := srv.Send(exportChunk)
+		if err != nil {
+			return status.Error(codes.Internal, "Unable to stream ExportMemosResponse chunk")
+		}
+	}
+
+	return nil
+}
+
+func (s *APIV2Service) convertMemoFromStore(ctx context.Context, memo *store.Memo) (*apiv2pb.Memo, error) {
+	displayTs := memo.CreatedTs
+	if displayWithUpdatedTs, err := s.getMemoDisplayWithUpdatedTsSettingValue(ctx); err == nil && displayWithUpdatedTs {
+		displayTs = memo.UpdatedTs
+	}
+
+	creator, err := s.Store.GetUser(ctx, &store.FindUser{ID: &memo.CreatorID})
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to get creator")
+	}
+
+	listMemoRelationsResponse, err := s.ListMemoRelations(ctx, &apiv2pb.ListMemoRelationsRequest{Id: memo.ID})
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to list memo relations")
+	}
+
+	listMemoResourcesResponse, err := s.ListMemoResources(ctx, &apiv2pb.ListMemoResourcesRequest{Id: memo.ID})
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to list memo resources")
+	}
+
+	return &apiv2pb.Memo{
+		Id:          int32(memo.ID),
+		Name:        memo.ResourceName,
+		RowStatus:   convertRowStatusFromStore(memo.RowStatus),
+		Creator:     fmt.Sprintf("%s%s", UserNamePrefix, creator.Username),
+		CreatorId:   int32(memo.CreatorID),
+		CreateTime:  timestamppb.New(time.Unix(memo.CreatedTs, 0)),
+		UpdateTime:  timestamppb.New(time.Unix(memo.UpdatedTs, 0)),
+		DisplayTime: timestamppb.New(time.Unix(displayTs, 0)),
+		Content:     memo.Content,
+		Visibility:  convertVisibilityFromStore(memo.Visibility),
+		Pinned:      memo.Pinned,
+		ParentId:    memo.ParentID,
+		Relations:   listMemoRelationsResponse.Relations,
+		Resources:   listMemoResourcesResponse.Resources,
+	}, nil
+}
+
+func (s *APIV2Service) getMemoDisplayWithUpdatedTsSettingValue(ctx context.Context) (bool, error) {
+	memoDisplayWithUpdatedTsSetting, err := s.Store.GetWorkspaceSetting(ctx, &store.FindWorkspaceSetting{
+		Name: apiv1.SystemSettingMemoDisplayWithUpdatedTsName.String(),
+	})
+	if err != nil {
+		return false, errors.Wrap(err, "failed to find system setting")
+	}
+	if memoDisplayWithUpdatedTsSetting == nil {
+		return false, nil
+	}
+
+	memoDisplayWithUpdatedTs := false
+	if err := json.Unmarshal([]byte(memoDisplayWithUpdatedTsSetting.Value), &memoDisplayWithUpdatedTs); err != nil {
+		return false, errors.Wrap(err, "failed to unmarshal system setting value")
+	}
+	return memoDisplayWithUpdatedTs, nil
+}
+
+func (s *APIV2Service) getDisablePublicMemosSystemSettingValue(ctx context.Context) (bool, error) {
+	disablePublicMemosSystemSetting, err := s.Store.GetWorkspaceSetting(ctx, &store.FindWorkspaceSetting{
+		Name: apiv1.SystemSettingDisablePublicMemosName.String(),
+	})
+	if err != nil {
+		return false, errors.Wrap(err, "failed to find system setting")
+	}
+	if disablePublicMemosSystemSetting == nil {
+		return false, nil
+	}
+
+	disablePublicMemos := false
+	if err := json.Unmarshal([]byte(disablePublicMemosSystemSetting.Value), &disablePublicMemos); err != nil {
+		return false, errors.Wrap(err, "failed to unmarshal system setting value")
+	}
+	return disablePublicMemos, nil
+}
+
+func convertVisibilityFromStore(visibility store.Visibility) apiv2pb.Visibility {
+	switch visibility {
+	case store.Private:
+		return apiv2pb.Visibility_PRIVATE
+	case store.Protected:
+		return apiv2pb.Visibility_PROTECTED
+	case store.Public:
+		return apiv2pb.Visibility_PUBLIC
+	default:
+		return apiv2pb.Visibility_VISIBILITY_UNSPECIFIED
+	}
+}
+
+func convertVisibilityToStore(visibility apiv2pb.Visibility) store.Visibility {
+	switch visibility {
+	case apiv2pb.Visibility_PRIVATE:
+		return store.Private
+	case apiv2pb.Visibility_PROTECTED:
+		return store.Protected
+	case apiv2pb.Visibility_PUBLIC:
+		return store.Public
+	default:
+		return store.Private
+	}
+}
+
+// ListMemosFilterCELAttributes are the CEL attributes for ListMemosFilter.
+var ListMemosFilterCELAttributes = []cel.EnvOption{
+	cel.Variable("content_search", cel.ListType(cel.StringType)),
+	cel.Variable("visibilities", cel.ListType(cel.StringType)),
+	cel.Variable("order_by_pinned", cel.BoolType),
+	cel.Variable("display_time_before", cel.IntType),
+	cel.Variable("display_time_after", cel.IntType),
+	cel.Variable("creator", cel.StringType),
+	cel.Variable("row_status", cel.StringType),
+}
+
+type ListMemosFilter struct {
+	ContentSearch     []string
+	Visibilities      []store.Visibility
+	OrderByPinned     bool
+	DisplayTimeBefore *int64
+	DisplayTimeAfter  *int64
+	Creator           *string
+	RowStatus         *store.RowStatus
+}
+
+func parseListMemosFilter(expression string) (*ListMemosFilter, error) {
+	e, err := cel.NewEnv(ListMemosFilterCELAttributes...)
+	if err != nil {
+		return nil, err
+	}
+	ast, issues := e.Compile(expression)
+	if issues != nil {
+		return nil, errors.Errorf("found issue %v", issues)
+	}
+	filter := &ListMemosFilter{}
+	expr, err := cel.AstToParsedExpr(ast)
+	if err != nil {
+		return nil, err
+	}
+	callExpr := expr.GetExpr().GetCallExpr()
+	findField(callExpr, filter)
+	return filter, nil
+}
+
+func findField(callExpr *expr.Expr_Call, filter *ListMemosFilter) {
+	if len(callExpr.Args) == 2 {
+		idExpr := callExpr.Args[0].GetIdentExpr()
+		if idExpr != nil {
+			if idExpr.Name == "content_search" {
+				contentSearch := []string{}
+				for _, expr := range callExpr.Args[1].GetListExpr().GetElements() {
+					value := expr.GetConstExpr().GetStringValue()
+					contentSearch = append(contentSearch, value)
+				}
+				filter.ContentSearch = contentSearch
+			} else if idExpr.Name == "visibilities" {
+				visibilities := []store.Visibility{}
+				for _, expr := range callExpr.Args[1].GetListExpr().GetElements() {
+					value := expr.GetConstExpr().GetStringValue()
+					visibilities = append(visibilities, store.Visibility(value))
+				}
+				filter.Visibilities = visibilities
+			} else if idExpr.Name == "order_by_pinned" {
+				value := callExpr.Args[1].GetConstExpr().GetBoolValue()
+				filter.OrderByPinned = value
+			} else if idExpr.Name == "display_time_before" {
+				displayTimeBefore := callExpr.Args[1].GetConstExpr().GetInt64Value()
+				filter.DisplayTimeBefore = &displayTimeBefore
+			} else if idExpr.Name == "display_time_after" {
+				displayTimeAfter := callExpr.Args[1].GetConstExpr().GetInt64Value()
+				filter.DisplayTimeAfter = &displayTimeAfter
+			} else if idExpr.Name == "creator" {
+				creator := callExpr.Args[1].GetConstExpr().GetStringValue()
+				filter.Creator = &creator
+			} else if idExpr.Name == "row_status" {
+				rowStatus := store.RowStatus(callExpr.Args[1].GetConstExpr().GetStringValue())
+				filter.RowStatus = &rowStatus
+			}
+			return
+		}
+	}
+	for _, arg := range callExpr.Args {
+		callExpr := arg.GetCallExpr()
+		if callExpr != nil {
+			findField(callExpr, filter)
+		}
+	}
+}
+
+// DispatchMemoCreatedWebhook dispatches webhook when memo is created.
+func (s *APIV2Service) DispatchMemoCreatedWebhook(ctx context.Context, memo *apiv2pb.Memo) error {
+	return s.dispatchMemoRelatedWebhook(ctx, memo, "memos.memo.created")
+}
+
+// DispatchMemoUpdatedWebhook dispatches webhook when memo is updated.
+func (s *APIV2Service) DispatchMemoUpdatedWebhook(ctx context.Context, memo *apiv2pb.Memo) error {
+	return s.dispatchMemoRelatedWebhook(ctx, memo, "memos.memo.updated")
+}
+
+// DispatchMemoDeletedWebhook dispatches webhook when memo is deleted.
+func (s *APIV2Service) DispatchMemoDeletedWebhook(ctx context.Context, memo *apiv2pb.Memo) error {
+	return s.dispatchMemoRelatedWebhook(ctx, memo, "memos.memo.deleted")
+}
+
+func (s *APIV2Service) dispatchMemoRelatedWebhook(ctx context.Context, memo *apiv2pb.Memo, activityType string) error {
+	webhooks, err := s.Store.ListWebhooks(ctx, &store.FindWebhook{
+		CreatorID: &memo.CreatorId,
+	})
+	if err != nil {
+		return err
+	}
+	metric.Enqueue("webhook dispatch")
+	for _, hook := range webhooks {
+		payload := convertMemoToWebhookPayload(memo)
+		payload.ActivityType = activityType
+		payload.URL = hook.Url
+		err := webhook.Post(*payload)
+		if err != nil {
+			return errors.Wrap(err, "failed to post webhook")
+		}
+	}
+	return nil
+}
+
+func (s *APIV2Service) buildFindMemosWithFilter(ctx context.Context, filter string, excludeComments bool) (*store.FindMemo, error) {
+	memoFind := &store.FindMemo{
+		// Exclude comments by default.
+		ExcludeComments: excludeComments,
+	}
+	if filter != "" {
+		filter, err := parseListMemosFilter(filter)
+		if err != nil {
+			return nil, status.Errorf(codes.InvalidArgument, "invalid filter: %v", err)
+		}
+		if len(filter.ContentSearch) > 0 {
+			memoFind.ContentSearch = filter.ContentSearch
+		}
+		if len(filter.Visibilities) > 0 {
+			memoFind.VisibilityList = filter.Visibilities
+		}
+		if filter.OrderByPinned {
+			memoFind.OrderByPinned = filter.OrderByPinned
+		}
+		if filter.DisplayTimeAfter != nil {
+			displayWithUpdatedTs, err := s.getMemoDisplayWithUpdatedTsSettingValue(ctx)
+			if err != nil {
+				return nil, status.Errorf(codes.Internal, "failed to get memo display with updated ts setting value")
+			}
+			if displayWithUpdatedTs {
+				memoFind.UpdatedTsAfter = filter.DisplayTimeAfter
+			} else {
+				memoFind.CreatedTsAfter = filter.DisplayTimeAfter
+			}
+		}
+		if filter.DisplayTimeBefore != nil {
+			displayWithUpdatedTs, err := s.getMemoDisplayWithUpdatedTsSettingValue(ctx)
+			if err != nil {
+				return nil, status.Errorf(codes.Internal, "failed to get memo display with updated ts setting value")
+			}
+			if displayWithUpdatedTs {
+				memoFind.UpdatedTsBefore = filter.DisplayTimeBefore
+			} else {
+				memoFind.CreatedTsBefore = filter.DisplayTimeBefore
+			}
+		}
+		if filter.Creator != nil {
+			username, err := ExtractUsernameFromName(*filter.Creator)
+			if err != nil {
+				return nil, status.Errorf(codes.InvalidArgument, "invalid creator name")
+			}
+			user, err := s.Store.GetUser(ctx, &store.FindUser{
+				Username: &username,
+			})
+			if err != nil {
+				return nil, status.Errorf(codes.Internal, "failed to get user")
+			}
+			if user == nil {
+				return nil, status.Errorf(codes.NotFound, "user not found")
+			}
+			memoFind.CreatorID = &user.ID
+		}
+		if filter.RowStatus != nil {
+			memoFind.RowStatus = filter.RowStatus
+		}
+	} else {
+		return nil, status.Errorf(codes.InvalidArgument, "filter is required")
+	}
+
+	user, _ := getCurrentUser(ctx, s.Store)
+	// If the user is not authenticated, only public memos are visible.
+	if user == nil {
+		memoFind.VisibilityList = []store.Visibility{store.Public}
+	}
+	if user != nil && memoFind.CreatorID != nil && *memoFind.CreatorID != user.ID {
+		memoFind.VisibilityList = []store.Visibility{store.Public, store.Protected}
+	}
+
+	displayWithUpdatedTs, err := s.getMemoDisplayWithUpdatedTsSettingValue(ctx)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get memo display with updated ts setting value")
+	}
+	if displayWithUpdatedTs {
+		memoFind.OrderByUpdatedTs = true
+	}
+
+	return memoFind, nil
+}
+
+func convertMemoToWebhookPayload(memo *apiv2pb.Memo) *webhook.WebhookPayload {
+	return &webhook.WebhookPayload{
+		CreatorID: memo.CreatorId,
+		CreatedTs: time.Now().Unix(),
+		Memo: &webhook.Memo{
+			ID:         memo.Id,
+			CreatorID:  memo.CreatorId,
+			CreatedTs:  memo.CreateTime.Seconds,
+			UpdatedTs:  memo.UpdateTime.Seconds,
+			Content:    memo.Content,
+			Visibility: memo.Visibility.String(),
+			Pinned:     memo.Pinned,
+			ResourceList: func() []*webhook.Resource {
+				resources := []*webhook.Resource{}
+				for _, resource := range memo.Resources {
+					resources = append(resources, &webhook.Resource{
+						ID:           resource.Id,
+						Filename:     resource.Filename,
+						ExternalLink: resource.ExternalLink,
+						Type:         resource.Type,
+						Size:         resource.Size,
+					})
+				}
+				return resources
+			}(),
+			RelationList: func() []*webhook.MemoRelation {
+				relations := []*webhook.MemoRelation{}
+				for _, relation := range memo.Relations {
+					relations = append(relations, &webhook.MemoRelation{
+						MemoID:        relation.MemoId,
+						RelatedMemoID: relation.RelatedMemoId,
+						Type:          relation.Type.String(),
+					})
+				}
+				return relations
+			}(),
+		},
+	}
+}

api/v2/resource_name.go

@@ -0,0 +1,57 @@
+package v2
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/pkg/errors"
+
+	"github.com/usememos/memos/internal/util"
+)
+
+const (
+	UserNamePrefix  = "users/"
+	InboxNamePrefix = "inboxes/"
+)
+
+// GetNameParentTokens returns the tokens from a resource name.
+func GetNameParentTokens(name string, tokenPrefixes ...string) ([]string, error) {
+	parts := strings.Split(name, "/")
+	if len(parts) != 2*len(tokenPrefixes) {
+		return nil, errors.Errorf("invalid request %q", name)
+	}
+
+	var tokens []string
+	for i, tokenPrefix := range tokenPrefixes {
+		if fmt.Sprintf("%s/", parts[2*i]) != tokenPrefix {
+			return nil, errors.Errorf("invalid prefix %q in request %q", tokenPrefix, name)
+		}
+		if parts[2*i+1] == "" {
+			return nil, errors.Errorf("invalid request %q with empty prefix %q", name, tokenPrefix)
+		}
+		tokens = append(tokens, parts[2*i+1])
+	}
+	return tokens, nil
+}
+
+// ExtractUsernameFromName returns the username from a resource name.
+func ExtractUsernameFromName(name string) (string, error) {
+	tokens, err := GetNameParentTokens(name, UserNamePrefix)
+	if err != nil {
+		return "", err
+	}
+	return tokens[0], nil
+}
+
+// ExtractInboxIDFromName returns the inbox ID from a resource name.
+func ExtractInboxIDFromName(name string) (int32, error) {
+	tokens, err := GetNameParentTokens(name, InboxNamePrefix)
+	if err != nil {
+		return 0, err
+	}
+	id, err := util.ConvertStringToInt32(tokens[0])
+	if err != nil {
+		return 0, errors.Errorf("invalid inbox ID %q", tokens[0])
+	}
+	return id, nil
+}

api/v2/resource_service.go

@@ -0,0 +1,178 @@
+package v2
+
+import (
+	"context"
+	"net/url"
+	"time"
+
+	"github.com/lithammer/shortuuid/v4"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	apiv2pb "github.com/usememos/memos/proto/gen/api/v2"
+	"github.com/usememos/memos/server/service/metric"
+	"github.com/usememos/memos/store"
+)
+
+func (s *APIV2Service) CreateResource(ctx context.Context, request *apiv2pb.CreateResourceRequest) (*apiv2pb.CreateResourceResponse, error) {
+	user, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
+	}
+	if request.ExternalLink != "" {
+		// Only allow those external links scheme with http/https
+		linkURL, err := url.Parse(request.ExternalLink)
+		if err != nil {
+			return nil, status.Errorf(codes.InvalidArgument, "invalid external link: %v", err)
+		}
+		if linkURL.Scheme != "http" && linkURL.Scheme != "https" {
+			return nil, status.Errorf(codes.InvalidArgument, "invalid external link scheme: %v", linkURL.Scheme)
+		}
+	}
+
+	create := &store.Resource{
+		ResourceName: shortuuid.New(),
+		CreatorID:    user.ID,
+		Filename:     request.Filename,
+		ExternalLink: request.ExternalLink,
+		Type:         request.Type,
+	}
+	if request.MemoId != nil {
+		create.MemoID = request.MemoId
+	}
+	resource, err := s.Store.CreateResource(ctx, create)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to create resource: %v", err)
+	}
+
+	metric.Enqueue("resource create")
+	return &apiv2pb.CreateResourceResponse{
+		Resource: s.convertResourceFromStore(ctx, resource),
+	}, nil
+}
+
+func (s *APIV2Service) ListResources(ctx context.Context, _ *apiv2pb.ListResourcesRequest) (*apiv2pb.ListResourcesResponse, error) {
+	user, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
+	}
+	resources, err := s.Store.ListResources(ctx, &store.FindResource{
+		CreatorID: &user.ID,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to list resources: %v", err)
+	}
+
+	response := &apiv2pb.ListResourcesResponse{}
+	for _, resource := range resources {
+		response.Resources = append(response.Resources, s.convertResourceFromStore(ctx, resource))
+	}
+	return response, nil
+}
+
+func (s *APIV2Service) GetResource(ctx context.Context, request *apiv2pb.GetResourceRequest) (*apiv2pb.GetResourceResponse, error) {
+	resource, err := s.Store.GetResource(ctx, &store.FindResource{
+		ID: &request.Id,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get resource: %v", err)
+	}
+	if resource == nil {
+		return nil, status.Errorf(codes.NotFound, "resource not found")
+	}
+
+	return &apiv2pb.GetResourceResponse{
+		Resource: s.convertResourceFromStore(ctx, resource),
+	}, nil
+}
+
+func (s *APIV2Service) GetResourceByName(ctx context.Context, request *apiv2pb.GetResourceByNameRequest) (*apiv2pb.GetResourceByNameResponse, error) {
+	resource, err := s.Store.GetResource(ctx, &store.FindResource{
+		ResourceName: &request.Name,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get resource: %v", err)
+	}
+	if resource == nil {
+		return nil, status.Errorf(codes.NotFound, "resource not found")
+	}
+
+	return &apiv2pb.GetResourceByNameResponse{
+		Resource: s.convertResourceFromStore(ctx, resource),
+	}, nil
+}
+
+func (s *APIV2Service) UpdateResource(ctx context.Context, request *apiv2pb.UpdateResourceRequest) (*apiv2pb.UpdateResourceResponse, error) {
+	if request.UpdateMask == nil || len(request.UpdateMask.Paths) == 0 {
+		return nil, status.Errorf(codes.InvalidArgument, "update mask is required")
+	}
+
+	currentTs := time.Now().Unix()
+	update := &store.UpdateResource{
+		ID:        request.Resource.Id,
+		UpdatedTs: &currentTs,
+	}
+	for _, field := range request.UpdateMask.Paths {
+		if field == "filename" {
+			update.Filename = &request.Resource.Filename
+		} else if field == "memo_id" {
+			update.MemoID = request.Resource.MemoId
+		}
+	}
+
+	resource, err := s.Store.UpdateResource(ctx, update)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to update resource: %v", err)
+	}
+	return &apiv2pb.UpdateResourceResponse{
+		Resource: s.convertResourceFromStore(ctx, resource),
+	}, nil
+}
+
+func (s *APIV2Service) DeleteResource(ctx context.Context, request *apiv2pb.DeleteResourceRequest) (*apiv2pb.DeleteResourceResponse, error) {
+	user, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
+	}
+	resource, err := s.Store.GetResource(ctx, &store.FindResource{
+		ID:        &request.Id,
+		CreatorID: &user.ID,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to find resource: %v", err)
+	}
+	if resource == nil {
+		return nil, status.Errorf(codes.NotFound, "resource not found")
+	}
+	// Delete the resource from the database.
+	if err := s.Store.DeleteResource(ctx, &store.DeleteResource{
+		ID: resource.ID,
+	}); err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to delete resource: %v", err)
+	}
+	return &apiv2pb.DeleteResourceResponse{}, nil
+}
+
+func (s *APIV2Service) convertResourceFromStore(ctx context.Context, resource *store.Resource) *apiv2pb.Resource {
+	var memoID *int32
+	if resource.MemoID != nil {
+		memo, _ := s.Store.GetMemo(ctx, &store.FindMemo{
+			ID: resource.MemoID,
+		})
+		if memo != nil {
+			memoID = &memo.ID
+		}
+	}
+
+	return &apiv2pb.Resource{
+		Id:           resource.ID,
+		Name:         resource.ResourceName,
+		CreateTime:   timestamppb.New(time.Unix(resource.CreatedTs, 0)),
+		Filename:     resource.Filename,
+		ExternalLink: resource.ExternalLink,
+		Type:         resource.Type,
+		Size:         resource.Size,
+		MemoId:       memoID,
+	}
+}

api/v2/tag_service.go

@@ -0,0 +1,271 @@
+package v2
+
+import (
+	"context"
+	"fmt"
+	"slices"
+	"sort"
+
+	"github.com/pkg/errors"
+	"github.com/yourselfhosted/gomark/ast"
+	"github.com/yourselfhosted/gomark/parser"
+	"github.com/yourselfhosted/gomark/parser/tokenizer"
+	"github.com/yourselfhosted/gomark/restore"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+
+	apiv2pb "github.com/usememos/memos/proto/gen/api/v2"
+	"github.com/usememos/memos/store"
+)
+
+func (s *APIV2Service) UpsertTag(ctx context.Context, request *apiv2pb.UpsertTagRequest) (*apiv2pb.UpsertTagResponse, error) {
+	user, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get user")
+	}
+
+	tag, err := s.Store.UpsertTag(ctx, &store.Tag{
+		Name:      request.Name,
+		CreatorID: user.ID,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to upsert tag: %v", err)
+	}
+
+	t, err := s.convertTagFromStore(ctx, tag)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to convert tag: %v", err)
+	}
+	return &apiv2pb.UpsertTagResponse{
+		Tag: t,
+	}, nil
+}
+
+func (s *APIV2Service) BatchUpsertTag(ctx context.Context, request *apiv2pb.BatchUpsertTagRequest) (*apiv2pb.BatchUpsertTagResponse, error) {
+	for _, r := range request.Requests {
+		if _, err := s.UpsertTag(ctx, r); err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to batch upsert tags: %v", err)
+		}
+	}
+	return &apiv2pb.BatchUpsertTagResponse{}, nil
+}
+
+func (s *APIV2Service) ListTags(ctx context.Context, request *apiv2pb.ListTagsRequest) (*apiv2pb.ListTagsResponse, error) {
+	username, err := ExtractUsernameFromName(request.User)
+	if err != nil {
+		return nil, status.Errorf(codes.InvalidArgument, "invalid username: %v", err)
+	}
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		Username: &username,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
+	}
+	if user == nil {
+		return nil, status.Errorf(codes.NotFound, "user not found")
+	}
+	tags, err := s.Store.ListTags(ctx, &store.FindTag{
+		CreatorID: user.ID,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to list tags: %v", err)
+	}
+
+	response := &apiv2pb.ListTagsResponse{}
+	for _, tag := range tags {
+		t, err := s.convertTagFromStore(ctx, tag)
+		if err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to convert tag: %v", err)
+		}
+		response.Tags = append(response.Tags, t)
+	}
+	return response, nil
+}
+
+func (s *APIV2Service) RenameTag(ctx context.Context, request *apiv2pb.RenameTagRequest) (*apiv2pb.RenameTagResponse, error) {
+	username, err := ExtractUsernameFromName(request.User)
+	if err != nil {
+		return nil, status.Errorf(codes.InvalidArgument, "invalid username: %v", err)
+	}
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		Username: &username,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
+	}
+	if user == nil {
+		return nil, status.Errorf(codes.NotFound, "user not found")
+	}
+
+	// Find all related memos.
+	memos, err := s.Store.ListMemos(ctx, &store.FindMemo{
+		CreatorID:     &user.ID,
+		ContentSearch: []string{fmt.Sprintf("#%s", request.OldName)},
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to list memos: %v", err)
+	}
+	// Replace tag name in memo content.
+	for _, memo := range memos {
+		nodes, err := parser.Parse(tokenizer.Tokenize(memo.Content))
+		if err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to parse memo: %v", err)
+		}
+		traverseASTNodes(nodes, func(node ast.Node) {
+			if tag, ok := node.(*ast.Tag); ok && tag.Content == request.OldName {
+				tag.Content = request.NewName
+			}
+		})
+		content := restore.Restore(nodes)
+		if err := s.Store.UpdateMemo(ctx, &store.UpdateMemo{
+			ID:      memo.ID,
+			Content: &content,
+		}); err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to update memo: %v", err)
+		}
+	}
+
+	// Delete old tag and create new tag.
+	if err := s.Store.DeleteTag(ctx, &store.DeleteTag{
+		CreatorID: user.ID,
+		Name:      request.OldName,
+	}); err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to delete tag: %v", err)
+	}
+	tag, err := s.Store.UpsertTag(ctx, &store.Tag{
+		CreatorID: user.ID,
+		Name:      request.NewName,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to upsert tag: %v", err)
+	}
+
+	tagMessage, err := s.convertTagFromStore(ctx, tag)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to convert tag: %v", err)
+	}
+	return &apiv2pb.RenameTagResponse{Tag: tagMessage}, nil
+}
+
+func (s *APIV2Service) DeleteTag(ctx context.Context, request *apiv2pb.DeleteTagRequest) (*apiv2pb.DeleteTagResponse, error) {
+	username, err := ExtractUsernameFromName(request.Tag.Creator)
+	if err != nil {
+		return nil, status.Errorf(codes.InvalidArgument, "invalid username: %v", err)
+	}
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		Username: &username,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
+	}
+	if user == nil {
+		return nil, status.Errorf(codes.NotFound, "user not found")
+	}
+	if err := s.Store.DeleteTag(ctx, &store.DeleteTag{
+		Name:      request.Tag.Name,
+		CreatorID: user.ID,
+	}); err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to delete tag: %v", err)
+	}
+
+	return &apiv2pb.DeleteTagResponse{}, nil
+}
+
+func (s *APIV2Service) GetTagSuggestions(ctx context.Context, request *apiv2pb.GetTagSuggestionsRequest) (*apiv2pb.GetTagSuggestionsResponse, error) {
+	username, err := ExtractUsernameFromName(request.User)
+	if err != nil {
+		return nil, status.Errorf(codes.InvalidArgument, "invalid username: %v", err)
+	}
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		Username: &username,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
+	}
+	if user == nil {
+		return nil, status.Errorf(codes.NotFound, "user not found")
+	}
+	normalRowStatus := store.Normal
+	memoFind := &store.FindMemo{
+		CreatorID:     &user.ID,
+		ContentSearch: []string{"#"},
+		RowStatus:     &normalRowStatus,
+	}
+	memos, err := s.Store.ListMemos(ctx, memoFind)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to list memos: %v", err)
+	}
+
+	tagList, err := s.Store.ListTags(ctx, &store.FindTag{
+		CreatorID: user.ID,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to list tags: %v", err)
+	}
+
+	tagNameList := []string{}
+	for _, tag := range tagList {
+		tagNameList = append(tagNameList, tag.Name)
+	}
+	tagMapSet := make(map[string]bool)
+	for _, memo := range memos {
+		nodes, err := parser.Parse(tokenizer.Tokenize(memo.Content))
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to parse memo content")
+		}
+
+		// Dynamically upsert tags from memo content.
+		traverseASTNodes(nodes, func(node ast.Node) {
+			if tagNode, ok := node.(*ast.Tag); ok {
+				tag := tagNode.Content
+				if !slices.Contains(tagNameList, tag) {
+					tagMapSet[tag] = true
+				}
+			}
+		})
+	}
+	suggestions := []string{}
+	for tag := range tagMapSet {
+		suggestions = append(suggestions, tag)
+	}
+	sort.Strings(suggestions)
+
+	return &apiv2pb.GetTagSuggestionsResponse{
+		Tags: suggestions,
+	}, nil
+}
+
+func (s *APIV2Service) convertTagFromStore(ctx context.Context, tag *store.Tag) (*apiv2pb.Tag, error) {
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		ID: &tag.CreatorID,
+	})
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to get user")
+	}
+	return &apiv2pb.Tag{
+		Name:    tag.Name,
+		Creator: fmt.Sprintf("%s%s", UserNamePrefix, user.Username),
+	}, nil
+}
+
+func traverseASTNodes(nodes []ast.Node, fn func(ast.Node)) {
+	for _, node := range nodes {
+		fn(node)
+		switch n := node.(type) {
+		case *ast.Paragraph:
+			traverseASTNodes(n.Children, fn)
+		case *ast.Heading:
+			traverseASTNodes(n.Children, fn)
+		case *ast.Blockquote:
+			traverseASTNodes(n.Children, fn)
+		case *ast.OrderedList:
+			traverseASTNodes(n.Children, fn)
+		case *ast.UnorderedList:
+			traverseASTNodes(n.Children, fn)
+		case *ast.TaskList:
+			traverseASTNodes(n.Children, fn)
+		case *ast.Bold:
+			traverseASTNodes(n.Children, fn)
+		}
+	}
+}

api/v2/user_service.go

@@ -0,0 +1,539 @@
+package v2
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/labstack/echo/v4"
+	"github.com/pkg/errors"
+	"golang.org/x/crypto/bcrypt"
+	"golang.org/x/exp/slices"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	"github.com/usememos/memos/api/auth"
+	"github.com/usememos/memos/internal/util"
+	apiv2pb "github.com/usememos/memos/proto/gen/api/v2"
+	storepb "github.com/usememos/memos/proto/gen/store"
+	"github.com/usememos/memos/store"
+)
+
+func (s *APIV2Service) ListUsers(ctx context.Context, _ *apiv2pb.ListUsersRequest) (*apiv2pb.ListUsersResponse, error) {
+	currentUser, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
+	}
+	if currentUser.Role != store.RoleHost && currentUser.Role != store.RoleAdmin {
+		return nil, status.Errorf(codes.PermissionDenied, "permission denied")
+	}
+
+	users, err := s.Store.ListUsers(ctx, &store.FindUser{})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to list users: %v", err)
+	}
+
+	response := &apiv2pb.ListUsersResponse{
+		Users: []*apiv2pb.User{},
+	}
+	for _, user := range users {
+		response.Users = append(response.Users, convertUserFromStore(user))
+	}
+	return response, nil
+}
+
+func (s *APIV2Service) GetUser(ctx context.Context, request *apiv2pb.GetUserRequest) (*apiv2pb.GetUserResponse, error) {
+	username, err := ExtractUsernameFromName(request.Name)
+	if err != nil {
+		return nil, status.Errorf(codes.InvalidArgument, "name is required")
+	}
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		Username: &username,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
+	}
+	if user == nil {
+		return nil, status.Errorf(codes.NotFound, "user not found")
+	}
+
+	userMessage := convertUserFromStore(user)
+	response := &apiv2pb.GetUserResponse{
+		User: userMessage,
+	}
+	return response, nil
+}
+
+func (s *APIV2Service) CreateUser(ctx context.Context, request *apiv2pb.CreateUserRequest) (*apiv2pb.CreateUserResponse, error) {
+	currentUser, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
+	}
+	if currentUser.Role != store.RoleHost {
+		return nil, status.Errorf(codes.PermissionDenied, "permission denied")
+	}
+
+	username, err := ExtractUsernameFromName(request.User.Name)
+	if err != nil {
+		return nil, status.Errorf(codes.InvalidArgument, "name is required")
+	}
+	if !util.ResourceNameMatcher.MatchString(strings.ToLower(username)) {
+		return nil, status.Errorf(codes.InvalidArgument, "invalid username: %s", username)
+	}
+	passwordHash, err := bcrypt.GenerateFromPassword([]byte(request.User.Password), bcrypt.DefaultCost)
+	if err != nil {
+		return nil, echo.NewHTTPError(http.StatusInternalServerError, "failed to generate password hash").SetInternal(err)
+	}
+
+	user, err := s.Store.CreateUser(ctx, &store.User{
+		Username:     username,
+		Role:         convertUserRoleToStore(request.User.Role),
+		Email:        request.User.Email,
+		Nickname:     request.User.Nickname,
+		PasswordHash: string(passwordHash),
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to create user: %v", err)
+	}
+
+	response := &apiv2pb.CreateUserResponse{
+		User: convertUserFromStore(user),
+	}
+	return response, nil
+}
+
+func (s *APIV2Service) UpdateUser(ctx context.Context, request *apiv2pb.UpdateUserRequest) (*apiv2pb.UpdateUserResponse, error) {
+	username, err := ExtractUsernameFromName(request.User.Name)
+	if err != nil {
+		return nil, status.Errorf(codes.InvalidArgument, "name is required")
+	}
+	currentUser, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
+	}
+	if currentUser.Username != username && currentUser.Role != store.RoleAdmin && currentUser.Role != store.RoleHost {
+		return nil, status.Errorf(codes.PermissionDenied, "permission denied")
+	}
+	if request.UpdateMask == nil || len(request.UpdateMask.Paths) == 0 {
+		return nil, status.Errorf(codes.InvalidArgument, "update mask is empty")
+	}
+
+	user, err := s.Store.GetUser(ctx, &store.FindUser{Username: &username})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
+	}
+	if user == nil {
+		return nil, status.Errorf(codes.NotFound, "user not found")
+	}
+
+	if s.Profile.Mode == "demo" && user.Username == "memos-demo" {
+		return nil, status.Errorf(codes.PermissionDenied, "unauthorized to update user in demo mode")
+	}
+
+	currentTs := time.Now().Unix()
+	update := &store.UpdateUser{
+		ID:        user.ID,
+		UpdatedTs: &currentTs,
+	}
+	for _, field := range request.UpdateMask.Paths {
+		if field == "username" {
+			if !util.ResourceNameMatcher.MatchString(strings.ToLower(request.User.Username)) {
+				return nil, status.Errorf(codes.InvalidArgument, "invalid username: %s", request.User.Username)
+			}
+			update.Username = &request.User.Username
+		} else if field == "nickname" {
+			update.Nickname = &request.User.Nickname
+		} else if field == "email" {
+			update.Email = &request.User.Email
+		} else if field == "avatar_url" {
+			update.AvatarURL = &request.User.AvatarUrl
+		} else if field == "role" {
+			role := convertUserRoleToStore(request.User.Role)
+			update.Role = &role
+		} else if field == "password" {
+			passwordHash, err := bcrypt.GenerateFromPassword([]byte(request.User.Password), bcrypt.DefaultCost)
+			if err != nil {
+				return nil, echo.NewHTTPError(http.StatusInternalServerError, "failed to generate password hash").SetInternal(err)
+			}
+			passwordHashStr := string(passwordHash)
+			update.PasswordHash = &passwordHashStr
+		} else if field == "row_status" {
+			rowStatus := convertRowStatusToStore(request.User.RowStatus)
+			update.RowStatus = &rowStatus
+		} else {
+			return nil, status.Errorf(codes.InvalidArgument, "invalid update path: %s", field)
+		}
+	}
+
+	updatedUser, err := s.Store.UpdateUser(ctx, update)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to update user: %v", err)
+	}
+
+	response := &apiv2pb.UpdateUserResponse{
+		User: convertUserFromStore(updatedUser),
+	}
+	return response, nil
+}
+
+func (s *APIV2Service) DeleteUser(ctx context.Context, request *apiv2pb.DeleteUserRequest) (*apiv2pb.DeleteUserResponse, error) {
+	username, err := ExtractUsernameFromName(request.Name)
+	if err != nil {
+		return nil, status.Errorf(codes.InvalidArgument, "name is required")
+	}
+	currentUser, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
+	}
+	if currentUser.Username != username && currentUser.Role != store.RoleAdmin && currentUser.Role != store.RoleHost {
+		return nil, status.Errorf(codes.PermissionDenied, "permission denied")
+	}
+
+	user, err := s.Store.GetUser(ctx, &store.FindUser{Username: &username})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
+	}
+	if user == nil {
+		return nil, status.Errorf(codes.NotFound, "user not found")
+	}
+
+	if s.Profile.Mode == "demo" && user.Username == "memos-demo" {
+		return nil, status.Errorf(codes.PermissionDenied, "unauthorized to delete this user in demo mode")
+	}
+
+	if err := s.Store.DeleteUser(ctx, &store.DeleteUser{
+		ID: user.ID,
+	}); err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to delete user: %v", err)
+	}
+
+	return &apiv2pb.DeleteUserResponse{}, nil
+}
+
+func getDefaultUserSetting() *apiv2pb.UserSetting {
+	return &apiv2pb.UserSetting{
+		Locale:         "en",
+		Appearance:     "system",
+		MemoVisibility: "PRIVATE",
+	}
+}
+
+func (s *APIV2Service) GetUserSetting(ctx context.Context, _ *apiv2pb.GetUserSettingRequest) (*apiv2pb.GetUserSettingResponse, error) {
+	user, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
+	}
+
+	userSettings, err := s.Store.ListUserSettings(ctx, &store.FindUserSetting{
+		UserID: &user.ID,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to list user settings: %v", err)
+	}
+	userSettingMessage := getDefaultUserSetting()
+	for _, setting := range userSettings {
+		if setting.Key == storepb.UserSettingKey_USER_SETTING_LOCALE {
+			userSettingMessage.Locale = setting.GetLocale()
+		} else if setting.Key == storepb.UserSettingKey_USER_SETTING_APPEARANCE {
+			userSettingMessage.Appearance = setting.GetAppearance()
+		} else if setting.Key == storepb.UserSettingKey_USER_SETTING_MEMO_VISIBILITY {
+			userSettingMessage.MemoVisibility = setting.GetMemoVisibility()
+		} else if setting.Key == storepb.UserSettingKey_USER_SETTING_TELEGRAM_USER_ID {
+			userSettingMessage.TelegramUserId = setting.GetTelegramUserId()
+		}
+	}
+	return &apiv2pb.GetUserSettingResponse{
+		Setting: userSettingMessage,
+	}, nil
+}
+
+func (s *APIV2Service) UpdateUserSetting(ctx context.Context, request *apiv2pb.UpdateUserSettingRequest) (*apiv2pb.UpdateUserSettingResponse, error) {
+	user, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
+	}
+
+	if request.UpdateMask == nil || len(request.UpdateMask.Paths) == 0 {
+		return nil, status.Errorf(codes.InvalidArgument, "update mask is empty")
+	}
+
+	for _, field := range request.UpdateMask.Paths {
+		if field == "locale" {
+			if _, err := s.Store.UpsertUserSetting(ctx, &storepb.UserSetting{
+				UserId: user.ID,
+				Key:    storepb.UserSettingKey_USER_SETTING_LOCALE,
+				Value: &storepb.UserSetting_Locale{
+					Locale: request.Setting.Locale,
+				},
+			}); err != nil {
+				return nil, status.Errorf(codes.Internal, "failed to upsert user setting: %v", err)
+			}
+		} else if field == "appearance" {
+			if _, err := s.Store.UpsertUserSetting(ctx, &storepb.UserSetting{
+				UserId: user.ID,
+				Key:    storepb.UserSettingKey_USER_SETTING_APPEARANCE,
+				Value: &storepb.UserSetting_Appearance{
+					Appearance: request.Setting.Appearance,
+				},
+			}); err != nil {
+				return nil, status.Errorf(codes.Internal, "failed to upsert user setting: %v", err)
+			}
+		} else if field == "memo_visibility" {
+			if _, err := s.Store.UpsertUserSetting(ctx, &storepb.UserSetting{
+				UserId: user.ID,
+				Key:    storepb.UserSettingKey_USER_SETTING_MEMO_VISIBILITY,
+				Value: &storepb.UserSetting_MemoVisibility{
+					MemoVisibility: request.Setting.MemoVisibility,
+				},
+			}); err != nil {
+				return nil, status.Errorf(codes.Internal, "failed to upsert user setting: %v", err)
+			}
+		} else if field == "telegram_user_id" {
+			if _, err := s.Store.UpsertUserSetting(ctx, &storepb.UserSetting{
+				UserId: user.ID,
+				Key:    storepb.UserSettingKey_USER_SETTING_TELEGRAM_USER_ID,
+				Value: &storepb.UserSetting_TelegramUserId{
+					TelegramUserId: request.Setting.TelegramUserId,
+				},
+			}); err != nil {
+				return nil, status.Errorf(codes.Internal, "failed to upsert user setting: %v", err)
+			}
+		} else {
+			return nil, status.Errorf(codes.InvalidArgument, "invalid update path: %s", field)
+		}
+	}
+
+	userSettingResponse, err := s.GetUserSetting(ctx, &apiv2pb.GetUserSettingRequest{})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get user setting: %v", err)
+	}
+	return &apiv2pb.UpdateUserSettingResponse{
+		Setting: userSettingResponse.Setting,
+	}, nil
+}
+
+func (s *APIV2Service) ListUserAccessTokens(ctx context.Context, request *apiv2pb.ListUserAccessTokensRequest) (*apiv2pb.ListUserAccessTokensResponse, error) {
+	user, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
+	}
+	if user == nil {
+		return nil, status.Errorf(codes.PermissionDenied, "permission denied")
+	}
+
+	userID := user.ID
+	username, err := ExtractUsernameFromName(request.Name)
+	if err != nil {
+		return nil, status.Errorf(codes.InvalidArgument, "name is required")
+	}
+	// List access token for other users need to be verified.
+	if user.Username != username {
+		// Normal users can only list their access tokens.
+		if user.Role == store.RoleUser {
+			return nil, status.Errorf(codes.PermissionDenied, "permission denied")
+		}
+
+		// The request user must be exist.
+		requestUser, err := s.Store.GetUser(ctx, &store.FindUser{Username: &username})
+		if requestUser == nil || err != nil {
+			return nil, status.Errorf(codes.NotFound, "fail to find user %s", username)
+		}
+		userID = requestUser.ID
+	}
+
+	userAccessTokens, err := s.Store.GetUserAccessTokens(ctx, userID)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to list access tokens: %v", err)
+	}
+
+	accessTokens := []*apiv2pb.UserAccessToken{}
+	for _, userAccessToken := range userAccessTokens {
+		claims := &auth.ClaimsMessage{}
+		_, err := jwt.ParseWithClaims(userAccessToken.AccessToken, claims, func(t *jwt.Token) (any, error) {
+			if t.Method.Alg() != jwt.SigningMethodHS256.Name {
+				return nil, errors.Errorf("unexpected access token signing method=%v, expect %v", t.Header["alg"], jwt.SigningMethodHS256)
+			}
+			if kid, ok := t.Header["kid"].(string); ok {
+				if kid == "v1" {
+					return []byte(s.Secret), nil
+				}
+			}
+			return nil, errors.Errorf("unexpected access token kid=%v", t.Header["kid"])
+		})
+		if err != nil {
+			// If the access token is invalid or expired, just ignore it.
+			continue
+		}
+
+		userAccessToken := &apiv2pb.UserAccessToken{
+			AccessToken: userAccessToken.AccessToken,
+			Description: userAccessToken.Description,
+			IssuedAt:    timestamppb.New(claims.IssuedAt.Time),
+		}
+		if claims.ExpiresAt != nil {
+			userAccessToken.ExpiresAt = timestamppb.New(claims.ExpiresAt.Time)
+		}
+		accessTokens = append(accessTokens, userAccessToken)
+	}
+
+	// Sort by issued time in descending order.
+	slices.SortFunc(accessTokens, func(i, j *apiv2pb.UserAccessToken) int {
+		return int(i.IssuedAt.Seconds - j.IssuedAt.Seconds)
+	})
+	response := &apiv2pb.ListUserAccessTokensResponse{
+		AccessTokens: accessTokens,
+	}
+	return response, nil
+}
+
+func (s *APIV2Service) CreateUserAccessToken(ctx context.Context, request *apiv2pb.CreateUserAccessTokenRequest) (*apiv2pb.CreateUserAccessTokenResponse, error) {
+	user, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
+	}
+
+	expiresAt := time.Time{}
+	if request.ExpiresAt != nil {
+		expiresAt = request.ExpiresAt.AsTime()
+	}
+
+	accessToken, err := auth.GenerateAccessToken(user.Username, user.ID, expiresAt, []byte(s.Secret))
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to generate access token: %v", err)
+	}
+
+	claims := &auth.ClaimsMessage{}
+	_, err = jwt.ParseWithClaims(accessToken, claims, func(t *jwt.Token) (any, error) {
+		if t.Method.Alg() != jwt.SigningMethodHS256.Name {
+			return nil, errors.Errorf("unexpected access token signing method=%v, expect %v", t.Header["alg"], jwt.SigningMethodHS256)
+		}
+		if kid, ok := t.Header["kid"].(string); ok {
+			if kid == "v1" {
+				return []byte(s.Secret), nil
+			}
+		}
+		return nil, errors.Errorf("unexpected access token kid=%v", t.Header["kid"])
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to parse access token: %v", err)
+	}
+
+	// Upsert the access token to user setting store.
+	if err := s.UpsertAccessTokenToStore(ctx, user, accessToken, request.Description); err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to upsert access token to store: %v", err)
+	}
+
+	userAccessToken := &apiv2pb.UserAccessToken{
+		AccessToken: accessToken,
+		Description: request.Description,
+		IssuedAt:    timestamppb.New(claims.IssuedAt.Time),
+	}
+	if claims.ExpiresAt != nil {
+		userAccessToken.ExpiresAt = timestamppb.New(claims.ExpiresAt.Time)
+	}
+	response := &apiv2pb.CreateUserAccessTokenResponse{
+		AccessToken: userAccessToken,
+	}
+	return response, nil
+}
+
+func (s *APIV2Service) DeleteUserAccessToken(ctx context.Context, request *apiv2pb.DeleteUserAccessTokenRequest) (*apiv2pb.DeleteUserAccessTokenResponse, error) {
+	user, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
+	}
+
+	userAccessTokens, err := s.Store.GetUserAccessTokens(ctx, user.ID)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to list access tokens: %v", err)
+	}
+	updatedUserAccessTokens := []*storepb.AccessTokensUserSetting_AccessToken{}
+	for _, userAccessToken := range userAccessTokens {
+		if userAccessToken.AccessToken == request.AccessToken {
+			continue
+		}
+		updatedUserAccessTokens = append(updatedUserAccessTokens, userAccessToken)
+	}
+	if _, err := s.Store.UpsertUserSetting(ctx, &storepb.UserSetting{
+		UserId: user.ID,
+		Key:    storepb.UserSettingKey_USER_SETTING_ACCESS_TOKENS,
+		Value: &storepb.UserSetting_AccessTokens{
+			AccessTokens: &storepb.AccessTokensUserSetting{
+				AccessTokens: updatedUserAccessTokens,
+			},
+		},
+	}); err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to upsert user setting: %v", err)
+	}
+
+	return &apiv2pb.DeleteUserAccessTokenResponse{}, nil
+}
+
+func (s *APIV2Service) UpsertAccessTokenToStore(ctx context.Context, user *store.User, accessToken, description string) error {
+	userAccessTokens, err := s.Store.GetUserAccessTokens(ctx, user.ID)
+	if err != nil {
+		return errors.Wrap(err, "failed to get user access tokens")
+	}
+	userAccessToken := storepb.AccessTokensUserSetting_AccessToken{
+		AccessToken: accessToken,
+		Description: description,
+	}
+	userAccessTokens = append(userAccessTokens, &userAccessToken)
+	if _, err := s.Store.UpsertUserSetting(ctx, &storepb.UserSetting{
+		UserId: user.ID,
+		Key:    storepb.UserSettingKey_USER_SETTING_ACCESS_TOKENS,
+		Value: &storepb.UserSetting_AccessTokens{
+			AccessTokens: &storepb.AccessTokensUserSetting{
+				AccessTokens: userAccessTokens,
+			},
+		},
+	}); err != nil {
+		return errors.Wrap(err, "failed to upsert user setting")
+	}
+	return nil
+}
+
+func convertUserFromStore(user *store.User) *apiv2pb.User {
+	return &apiv2pb.User{
+		Name:       fmt.Sprintf("%s%s", UserNamePrefix, user.Username),
+		Id:         user.ID,
+		RowStatus:  convertRowStatusFromStore(user.RowStatus),
+		CreateTime: timestamppb.New(time.Unix(user.CreatedTs, 0)),
+		UpdateTime: timestamppb.New(time.Unix(user.UpdatedTs, 0)),
+		Role:       convertUserRoleFromStore(user.Role),
+		Username:   user.Username,
+		Email:      user.Email,
+		Nickname:   user.Nickname,
+		AvatarUrl:  user.AvatarURL,
+	}
+}
+
+func convertUserRoleFromStore(role store.Role) apiv2pb.User_Role {
+	switch role {
+	case store.RoleHost:
+		return apiv2pb.User_HOST
+	case store.RoleAdmin:
+		return apiv2pb.User_ADMIN
+	case store.RoleUser:
+		return apiv2pb.User_USER
+	default:
+		return apiv2pb.User_ROLE_UNSPECIFIED
+	}
+}
+
+func convertUserRoleToStore(role apiv2pb.User_Role) store.Role {
+	switch role {
+	case apiv2pb.User_HOST:
+		return store.RoleHost
+	case apiv2pb.User_ADMIN:
+		return store.RoleAdmin
+	case apiv2pb.User_USER:
+		return store.RoleUser
+	default:
+		return store.RoleUser
+	}
+}

api/v2/v2.go

@@ -0,0 +1,144 @@
+package v2
+
+import (
+	"context"
+	"fmt"
+	"net"
+
+	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
+	"github.com/improbable-eng/grpc-web/go/grpcweb"
+	"github.com/labstack/echo/v4"
+	"github.com/pkg/errors"
+	"go.uber.org/zap"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+	"google.golang.org/grpc/reflection"
+
+	"github.com/usememos/memos/internal/log"
+	apiv2pb "github.com/usememos/memos/proto/gen/api/v2"
+	"github.com/usememos/memos/server/profile"
+	"github.com/usememos/memos/store"
+)
+
+type APIV2Service struct {
+	apiv2pb.UnimplementedWorkspaceServiceServer
+	apiv2pb.UnimplementedAuthServiceServer
+	apiv2pb.UnimplementedUserServiceServer
+	apiv2pb.UnimplementedMemoServiceServer
+	apiv2pb.UnimplementedResourceServiceServer
+	apiv2pb.UnimplementedTagServiceServer
+	apiv2pb.UnimplementedInboxServiceServer
+	apiv2pb.UnimplementedActivityServiceServer
+	apiv2pb.UnimplementedWebhookServiceServer
+
+	Secret  string
+	Profile *profile.Profile
+	Store   *store.Store
+
+	grpcServer     *grpc.Server
+	grpcServerPort int
+}
+
+func NewAPIV2Service(secret string, profile *profile.Profile, store *store.Store, grpcServerPort int) *APIV2Service {
+	grpc.EnableTracing = true
+	authProvider := NewGRPCAuthInterceptor(store, secret)
+	grpcServer := grpc.NewServer(
+		grpc.ChainUnaryInterceptor(
+			authProvider.AuthenticationInterceptor,
+		),
+		grpc.ChainStreamInterceptor(
+			authProvider.StreamAuthenticationInterceptor,
+		),
+	)
+	apiv2Service := &APIV2Service{
+		Secret:         secret,
+		Profile:        profile,
+		Store:          store,
+		grpcServer:     grpcServer,
+		grpcServerPort: grpcServerPort,
+	}
+
+	apiv2pb.RegisterWorkspaceServiceServer(grpcServer, apiv2Service)
+	apiv2pb.RegisterAuthServiceServer(grpcServer, apiv2Service)
+	apiv2pb.RegisterUserServiceServer(grpcServer, apiv2Service)
+	apiv2pb.RegisterMemoServiceServer(grpcServer, apiv2Service)
+	apiv2pb.RegisterTagServiceServer(grpcServer, apiv2Service)
+	apiv2pb.RegisterResourceServiceServer(grpcServer, apiv2Service)
+	apiv2pb.RegisterInboxServiceServer(grpcServer, apiv2Service)
+	apiv2pb.RegisterActivityServiceServer(grpcServer, apiv2Service)
+	apiv2pb.RegisterWebhookServiceServer(grpcServer, apiv2Service)
+	reflection.Register(grpcServer)
+
+	return apiv2Service
+}
+
+func (s *APIV2Service) GetGRPCServer() *grpc.Server {
+	return s.grpcServer
+}
+
+// RegisterGateway registers the gRPC-Gateway with the given Echo instance.
+func (s *APIV2Service) RegisterGateway(ctx context.Context, e *echo.Echo) error {
+	// Create a client connection to the gRPC Server we just started.
+	// This is where the gRPC-Gateway proxies the requests.
+	conn, err := grpc.DialContext(
+		ctx,
+		fmt.Sprintf(":%d", s.grpcServerPort),
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
+	)
+	if err != nil {
+		return err
+	}
+
+	gwMux := runtime.NewServeMux()
+	if err := apiv2pb.RegisterWorkspaceServiceHandler(context.Background(), gwMux, conn); err != nil {
+		return err
+	}
+	if err := apiv2pb.RegisterAuthServiceHandler(context.Background(), gwMux, conn); err != nil {
+		return err
+	}
+	if err := apiv2pb.RegisterUserServiceHandler(context.Background(), gwMux, conn); err != nil {
+		return err
+	}
+	if err := apiv2pb.RegisterMemoServiceHandler(context.Background(), gwMux, conn); err != nil {
+		return err
+	}
+	if err := apiv2pb.RegisterTagServiceHandler(context.Background(), gwMux, conn); err != nil {
+		return err
+	}
+	if err := apiv2pb.RegisterResourceServiceHandler(context.Background(), gwMux, conn); err != nil {
+		return err
+	}
+	if err := apiv2pb.RegisterInboxServiceHandler(context.Background(), gwMux, conn); err != nil {
+		return err
+	}
+	if err := apiv2pb.RegisterActivityServiceHandler(context.Background(), gwMux, conn); err != nil {
+		return err
+	}
+	if err := apiv2pb.RegisterWebhookServiceHandler(context.Background(), gwMux, conn); err != nil {
+		return err
+	}
+	e.Any("/api/v2/*", echo.WrapHandler(gwMux))
+
+	// GRPC web proxy.
+	options := []grpcweb.Option{
+		grpcweb.WithCorsForRegisteredEndpointsOnly(false),
+		grpcweb.WithOriginFunc(func(origin string) bool {
+			return true
+		}),
+	}
+	wrappedGrpc := grpcweb.WrapServer(s.grpcServer, options...)
+	e.Any("/memos.api.v2.*", echo.WrapHandler(wrappedGrpc))
+
+	// Start gRPC server.
+	listen, err := net.Listen("tcp", fmt.Sprintf("%s:%d", s.Profile.Addr, s.grpcServerPort))
+	if err != nil {
+		return errors.Wrap(err, "failed to start gRPC server")
+	}
+	go func() {
+		if err := s.grpcServer.Serve(listen); err != nil {
+			log.Error("grpc server listen error", zap.Error(err))
+		}
+	}()
+
+	return nil
+}

api/v2/webhook_service.go

@@ -0,0 +1,120 @@
+package v2
+
+import (
+	"context"
+	"time"
+
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	apiv2pb "github.com/usememos/memos/proto/gen/api/v2"
+	storepb "github.com/usememos/memos/proto/gen/store"
+	"github.com/usememos/memos/store"
+)
+
+func (s *APIV2Service) CreateWebhook(ctx context.Context, request *apiv2pb.CreateWebhookRequest) (*apiv2pb.CreateWebhookResponse, error) {
+	currentUser, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
+	}
+
+	webhook, err := s.Store.CreateWebhook(ctx, &storepb.Webhook{
+		CreatorId: currentUser.ID,
+		Name:      request.Name,
+		Url:       request.Url,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to create webhook, error: %+v", err)
+	}
+	return &apiv2pb.CreateWebhookResponse{
+		Webhook: convertWebhookFromStore(webhook),
+	}, nil
+}
+
+func (s *APIV2Service) ListWebhooks(ctx context.Context, request *apiv2pb.ListWebhooksRequest) (*apiv2pb.ListWebhooksResponse, error) {
+	webhooks, err := s.Store.ListWebhooks(ctx, &store.FindWebhook{
+		CreatorID: &request.CreatorId,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to list webhooks, error: %+v", err)
+	}
+
+	response := &apiv2pb.ListWebhooksResponse{
+		Webhooks: []*apiv2pb.Webhook{},
+	}
+	for _, webhook := range webhooks {
+		response.Webhooks = append(response.Webhooks, convertWebhookFromStore(webhook))
+	}
+	return response, nil
+}
+
+func (s *APIV2Service) GetWebhook(ctx context.Context, request *apiv2pb.GetWebhookRequest) (*apiv2pb.GetWebhookResponse, error) {
+	currentUser, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
+	}
+
+	webhook, err := s.Store.GetWebhooks(ctx, &store.FindWebhook{
+		ID:        &request.Id,
+		CreatorID: &currentUser.ID,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get webhook, error: %+v", err)
+	}
+	if webhook == nil {
+		return nil, status.Errorf(codes.NotFound, "webhook not found")
+	}
+	return &apiv2pb.GetWebhookResponse{
+		Webhook: convertWebhookFromStore(webhook),
+	}, nil
+}
+
+func (s *APIV2Service) UpdateWebhook(ctx context.Context, request *apiv2pb.UpdateWebhookRequest) (*apiv2pb.UpdateWebhookResponse, error) {
+	if request.UpdateMask == nil || len(request.UpdateMask.Paths) == 0 {
+		return nil, status.Errorf(codes.InvalidArgument, "update_mask is required")
+	}
+
+	update := &store.UpdateWebhook{}
+	for _, field := range request.UpdateMask.Paths {
+		switch field {
+		case "row_status":
+			rowStatus := storepb.RowStatus(storepb.RowStatus_value[request.Webhook.RowStatus.String()])
+			update.RowStatus = &rowStatus
+		case "name":
+			update.Name = &request.Webhook.Name
+		case "url":
+			update.URL = &request.Webhook.Url
+		}
+	}
+
+	webhook, err := s.Store.UpdateWebhook(ctx, update)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to update webhook, error: %+v", err)
+	}
+	return &apiv2pb.UpdateWebhookResponse{
+		Webhook: convertWebhookFromStore(webhook),
+	}, nil
+}
+
+func (s *APIV2Service) DeleteWebhook(ctx context.Context, request *apiv2pb.DeleteWebhookRequest) (*apiv2pb.DeleteWebhookResponse, error) {
+	err := s.Store.DeleteWebhook(ctx, &store.DeleteWebhook{
+		ID: request.Id,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to delete webhook, error: %+v", err)
+	}
+	return &apiv2pb.DeleteWebhookResponse{}, nil
+}
+
+func convertWebhookFromStore(webhook *storepb.Webhook) *apiv2pb.Webhook {
+	return &apiv2pb.Webhook{
+		Id:          webhook.Id,
+		CreatedTime: timestamppb.New(time.Unix(webhook.CreatedTs, 0)),
+		UpdatedTime: timestamppb.New(time.Unix(webhook.UpdatedTs, 0)),
+		RowStatus:   apiv2pb.RowStatus(webhook.RowStatus),
+		CreatorId:   webhook.CreatorId,
+		Name:        webhook.Name,
+		Url:         webhook.Url,
+	}
+}

api/v2/workspace_service.go

@@ -0,0 +1,90 @@
+package v2
+
+import (
+	"context"
+	"strconv"
+
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+
+	apiv2pb "github.com/usememos/memos/proto/gen/api/v2"
+	"github.com/usememos/memos/store"
+)
+
+func (s *APIV2Service) GetWorkspaceProfile(_ context.Context, _ *apiv2pb.GetWorkspaceProfileRequest) (*apiv2pb.GetWorkspaceProfileResponse, error) {
+	workspaceProfile := &apiv2pb.WorkspaceProfile{
+		Version: s.Profile.Version,
+		Mode:    s.Profile.Mode,
+	}
+	response := &apiv2pb.GetWorkspaceProfileResponse{
+		WorkspaceProfile: workspaceProfile,
+	}
+	return response, nil
+}
+
+func (s *APIV2Service) UpdateWorkspaceProfile(ctx context.Context, request *apiv2pb.UpdateWorkspaceProfileRequest) (*apiv2pb.UpdateWorkspaceProfileResponse, error) {
+	user, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
+	}
+	if user.Role != store.RoleHost {
+		return nil, status.Errorf(codes.PermissionDenied, "permission denied")
+	}
+	if request.UpdateMask == nil || len(request.UpdateMask.Paths) == 0 {
+		return nil, status.Errorf(codes.InvalidArgument, "update mask is required")
+	}
+
+	// Update system settings.
+	for _, field := range request.UpdateMask.Paths {
+		if field == "allow_registration" {
+			_, err := s.Store.UpsertWorkspaceSetting(ctx, &store.WorkspaceSetting{
+				Name:  "allow-signup",
+				Value: strconv.FormatBool(request.WorkspaceProfile.AllowRegistration),
+			})
+			if err != nil {
+				return nil, status.Errorf(codes.Internal, "failed to update allow_registration system setting: %v", err)
+			}
+		} else if field == "disable_password_login" {
+			if s.Profile.Mode == "demo" {
+				return nil, status.Errorf(codes.PermissionDenied, "disabling password login is not allowed in demo mode")
+			}
+			_, err := s.Store.UpsertWorkspaceSetting(ctx, &store.WorkspaceSetting{
+				Name:  "disable-password-login",
+				Value: strconv.FormatBool(request.WorkspaceProfile.DisablePasswordLogin),
+			})
+			if err != nil {
+				return nil, status.Errorf(codes.Internal, "failed to update disable_password_login system setting: %v", err)
+			}
+		} else if field == "additional_script" {
+			if s.Profile.Mode == "demo" {
+				return nil, status.Errorf(codes.PermissionDenied, "additional script is not allowed in demo mode")
+			}
+			_, err := s.Store.UpsertWorkspaceSetting(ctx, &store.WorkspaceSetting{
+				Name:  "additional-script",
+				Value: request.WorkspaceProfile.AdditionalScript,
+			})
+			if err != nil {
+				return nil, status.Errorf(codes.Internal, "failed to update additional_script system setting: %v", err)
+			}
+		} else if field == "additional_style" {
+			if s.Profile.Mode == "demo" {
+				return nil, status.Errorf(codes.PermissionDenied, "additional style is not allowed in demo mode")
+			}
+			_, err := s.Store.UpsertWorkspaceSetting(ctx, &store.WorkspaceSetting{
+				Name:  "additional-style",
+				Value: request.WorkspaceProfile.AdditionalStyle,
+			})
+			if err != nil {
+				return nil, status.Errorf(codes.Internal, "failed to update additional_style system setting: %v", err)
+			}
+		}
+	}
+
+	workspaceProfileMessage, err := s.GetWorkspaceProfile(ctx, &apiv2pb.GetWorkspaceProfileRequest{})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get system info: %v", err)
+	}
+	return &apiv2pb.UpdateWorkspaceProfileResponse{
+		WorkspaceProfile: workspaceProfileMessage.WorkspaceProfile,
+	}, nil
+}

bin/memos/main.go

@@ -1,4 +1,4 @@
-package cmd
+package main
 
 import (
 	"context"
@@ -7,14 +7,17 @@ import (
 	"os"
 	"os/signal"
 	"syscall"
-	"time"
 
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
+	"go.uber.org/zap"
 
+	"github.com/usememos/memos/internal/jobs"
+
+	"github.com/usememos/memos/internal/log"
 	"github.com/usememos/memos/server"
 	_profile "github.com/usememos/memos/server/profile"
-	"github.com/usememos/memos/setup"
+	"github.com/usememos/memos/server/service/metric"
 	"github.com/usememos/memos/store"
 	"github.com/usememos/memos/store/db"
 )
@@ -31,22 +34,44 @@ const (
 )
 
 var (
-	profile *_profile.Profile
-	mode    string
-	port    int
-	data    string
+	profile      *_profile.Profile
+	mode         string
+	addr         string
+	port         int
+	data         string
+	driver       string
+	dsn          string
+	enableMetric bool
 
 	rootCmd = &cobra.Command{
 		Use:   "memos",
 		Short: `An open-source, self-hosted memo hub with knowledge management and social networking.`,
 		Run: func(_cmd *cobra.Command, _args []string) {
 			ctx, cancel := context.WithCancel(context.Background())
-			s, err := server.NewServer(ctx, profile)
+			dbDriver, err := db.NewDBDriver(profile)
 			if err != nil {
 				cancel()
-				fmt.Printf("failed to create server, error: %+v\n", err)
+				log.Error("failed to create db driver", zap.Error(err))
 				return
 			}
+			if err := dbDriver.Migrate(ctx); err != nil {
+				cancel()
+				log.Error("failed to migrate db", zap.Error(err))
+				return
+			}
+
+			storeInstance := store.New(dbDriver, profile)
+			s, err := server.NewServer(ctx, profile, storeInstance)
+			if err != nil {
+				cancel()
+				log.Error("failed to create server", zap.Error(err))
+				return
+			}
+
+			if profile.Metric {
+				// nolint
+				metric.NewMetricClient(s.ID, *profile)
+			}
 
 			c := make(chan os.Signal, 1)
 			// Trigger graceful shutdown on SIGINT or SIGTERM.
@@ -55,16 +80,19 @@ var (
 			signal.Notify(c, os.Interrupt, syscall.SIGTERM)
 			go func() {
 				sig := <-c
-				fmt.Printf("%s received.\n", sig.String())
+				log.Info(fmt.Sprintf("%s received.\n", sig.String()))
 				s.Shutdown(ctx)
 				cancel()
 			}()
 
-			println(greetingBanner)
-			fmt.Printf("Version %s has started at :%d\n", profile.Version, profile.Port)
+			printGreetings()
+
+			// update (pre-sign) object storage links if applicable
+			go jobs.RunPreSignLinks(ctx, storeInstance)
+
 			if err := s.Start(ctx); err != nil {
 				if err != http.ErrServerClosed {
-					fmt.Printf("failed to start server, error: %+v\n", err)
+					log.Error("failed to start server", zap.Error(err))
 					cancel()
 				}
 			}
@@ -73,42 +101,10 @@ var (
 			<-ctx.Done()
 		},
 	}
-
-	setupCmd = &cobra.Command{
-		Use:   "setup",
-		Short: "Make initial setup for memos",
-		Run: func(cmd *cobra.Command, _ []string) {
-			ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-			defer cancel()
-
-			hostUsername, err := cmd.Flags().GetString(setupCmdFlagHostUsername)
-			if err != nil {
-				fmt.Printf("failed to get owner username, error: %+v\n", err)
-				return
-			}
-
-			hostPassword, err := cmd.Flags().GetString(setupCmdFlagHostPassword)
-			if err != nil {
-				fmt.Printf("failed to get owner password, error: %+v\n", err)
-				return
-			}
-
-			db := db.NewDB(profile)
-			if err := db.Open(ctx); err != nil {
-				fmt.Printf("failed to open db, error: %+v\n", err)
-				return
-			}
-
-			store := store.New(db.DBInstance, profile)
-			if err := setup.Execute(ctx, store, hostUsername, hostPassword); err != nil {
-				fmt.Printf("failed to setup, error: %+v\n", err)
-				return
-			}
-		},
-	}
 )
 
 func Execute() error {
+	defer log.Sync()
 	return rootCmd.Execute()
 }
 
@@ -116,13 +112,21 @@ func init() {
 	cobra.OnInitialize(initConfig)
 
 	rootCmd.PersistentFlags().StringVarP(&mode, "mode", "m", "demo", `mode of server, can be "prod" or "dev" or "demo"`)
+	rootCmd.PersistentFlags().StringVarP(&addr, "addr", "a", "", "address of server")
 	rootCmd.PersistentFlags().IntVarP(&port, "port", "p", 8081, "port of server")
 	rootCmd.PersistentFlags().StringVarP(&data, "data", "d", "", "data directory")
+	rootCmd.PersistentFlags().StringVarP(&driver, "driver", "", "", "database driver")
+	rootCmd.PersistentFlags().StringVarP(&dsn, "dsn", "", "", "database source name(aka. DSN)")
+	rootCmd.PersistentFlags().BoolVarP(&enableMetric, "metric", "", true, "allow metric collection")
 
 	err := viper.BindPFlag("mode", rootCmd.PersistentFlags().Lookup("mode"))
 	if err != nil {
 		panic(err)
 	}
+	err = viper.BindPFlag("addr", rootCmd.PersistentFlags().Lookup("addr"))
+	if err != nil {
+		panic(err)
+	}
 	err = viper.BindPFlag("port", rootCmd.PersistentFlags().Lookup("port"))
 	if err != nil {
 		panic(err)
@@ -131,15 +135,25 @@ func init() {
 	if err != nil {
 		panic(err)
 	}
+	err = viper.BindPFlag("driver", rootCmd.PersistentFlags().Lookup("driver"))
+	if err != nil {
+		panic(err)
+	}
+	err = viper.BindPFlag("dsn", rootCmd.PersistentFlags().Lookup("dsn"))
+	if err != nil {
+		panic(err)
+	}
+	err = viper.BindPFlag("metric", rootCmd.PersistentFlags().Lookup("metric"))
+	if err != nil {
+		panic(err)
+	}
 
 	viper.SetDefault("mode", "demo")
+	viper.SetDefault("driver", "sqlite")
+	viper.SetDefault("addr", "")
 	viper.SetDefault("port", 8081)
+	viper.SetDefault("metric", true)
 	viper.SetEnvPrefix("memos")
-
-	setupCmd.Flags().String(setupCmdFlagHostUsername, "", "Owner username")
-	setupCmd.Flags().String(setupCmdFlagHostPassword, "", "Owner password")
-
-	rootCmd.AddCommand(setupCmd)
 }
 
 func initConfig() {
@@ -153,14 +167,34 @@ func initConfig() {
 
 	println("---")
 	println("Server profile")
+	println("data:", profile.Data)
 	println("dsn:", profile.DSN)
+	println("addr:", profile.Addr)
 	println("port:", profile.Port)
 	println("mode:", profile.Mode)
+	println("driver:", profile.Driver)
 	println("version:", profile.Version)
+	println("metric:", profile.Metric)
 	println("---")
 }
 
-const (
-	setupCmdFlagHostUsername = "host-username"
-	setupCmdFlagHostPassword = "host-password"
-)
+func printGreetings() {
+	print(greetingBanner)
+	if len(profile.Addr) == 0 {
+		fmt.Printf("Version %s has been started on port %d\n", profile.Version, profile.Port)
+	} else {
+		fmt.Printf("Version %s has been started on address '%s' and port %d\n", profile.Version, profile.Addr, profile.Port)
+	}
+	println("---")
+	println("See more in:")
+	fmt.Printf("👉Website: %s\n", "https://usememos.com")
+	fmt.Printf("👉GitHub: %s\n", "https://github.com/usememos/memos")
+	println("---")
+}
+
+func main() {
+	err := Execute()
+	if err != nil {
+		panic(err)
+	}
+}

common/error.go

@@ -1,72 +0,0 @@
-package common
-
-import (
-	"errors"
-)
-
-// Code is the error code.
-type Code int
-
-// Application error codes.
-const (
-	// 0 ~ 99 general error.
-	Ok             Code = 0
-	Internal       Code = 1
-	NotAuthorized  Code = 2
-	Invalid        Code = 3
-	NotFound       Code = 4
-	Conflict       Code = 5
-	NotImplemented Code = 6
-)
-
-// Error represents an application-specific error. Application errors can be
-// unwrapped by the caller to extract out the code & message.
-//
-// Any non-application error (such as a disk error) should be reported as an
-// Internal error and the human user should only see "Internal error" as the
-// message. These low-level internal error details should only be logged and
-// reported to the operator of the application (not the end user).
-type Error struct {
-	// Machine-readable error code.
-	Code Code
-
-	// Embedded error.
-	Err error
-}
-
-// Error implements the error interface. Not used by the application otherwise.
-func (e *Error) Error() string {
-	return e.Err.Error()
-}
-
-// ErrorCode unwraps an application error and returns its code.
-// Non-application errors always return EINTERNAL.
-func ErrorCode(err error) Code {
-	var e *Error
-	if err == nil {
-		return Ok
-	} else if errors.As(err, &e) {
-		return e.Code
-	}
-	return Internal
-}
-
-// ErrorMessage unwraps an application error and returns its message.
-// Non-application errors always return "Internal error".
-func ErrorMessage(err error) string {
-	var e *Error
-	if err == nil {
-		return ""
-	} else if errors.As(err, &e) {
-		return e.Err.Error()
-	}
-	return "Internal error."
-}
-
-// Errorf is a helper function to return an Error with a given code and error.
-func Errorf(code Code, err error) *Error {
-	return &Error{
-		Code: code,
-		Err:  err,
-	}
-}

docker-compose.uffizzi.yml

@@ -1,17 +0,0 @@
-version: "3.0"
-
-# uffizzi integration
-x-uffizzi:
-  ingress:
-    service: memos
-    port: 5230
-
-services:
-  memos:
-    image: "${MEMOS_IMAGE}"
-    volumes:
-      - memos_volume:/var/opt/memos
-    command: ["--mode", "demo"]
-
-volumes:
-  memos_volume:

docs/development-windows.md

@@ -1,4 +1,4 @@
-# Development
+# Development in Windows
 
 Memos is built with a curated tech stack. It is optimized for developer experience and is very easy to start working on the code:
 
@@ -56,12 +56,12 @@ Memos should now be running at [http://localhost:3001](http://localhost:3001) an
 
 ## Building
 
-Frontend must be built before backend. The built frontend must be placed in the backend ./server/dist directory. Otherwise, you will get a "No frontend embeded" error.
+Frontend must be built before backend. The built frontend must be placed in the backend ./server/frontend/dist directory. Otherwise, you will get a "No frontend embeded" error.
 
 ### Frontend
 
 ```powershell
-Move-Item "./server/dist" "./server/dist.bak"
+Move-Item "./server/frontend/dist" "./server/frontend/dist.bak"
 cd web; pnpm i --frozen-lockfile; pnpm build; cd ..;
 Move-Item "./web/dist" "./server/" -Force
 ```
@@ -69,7 +69,7 @@ Move-Item "./web/dist" "./server/" -Force
 ### Backend
 
 ```powershell
-go build -o ./build/memos.exe ./main.go
+go build -o ./build/memos.exe ./bin/memos/main.go
 ```
 
 ## ❕ Notes

docs/development.md

@@ -6,10 +6,6 @@ Memos is built with a curated tech stack. It is optimized for developer experien
 2. It requires zero config.
 3. 1 command to start backend and 1 command to start frontend, both with live reload support.
 
-## Tech Stack
-
-![tech-stack](https://raw.githubusercontent.com/usememos/memos/main/assets/tech-stack.png)
-
 ## Prerequisites
 
 - [Go](https://golang.org/doc/install)
@@ -19,22 +15,28 @@ Memos is built with a curated tech stack. It is optimized for developer experien
 
 ## Steps
 
-1. pull source code
+1. Pull the source code
 
    ```bash
    git clone https://github.com/usememos/memos
    ```
 
-2. start backend using air(with live reload)
+2. Start backend server with [`air`](https://github.com/cosmtrek/air) (with live reload)
 
    ```bash
    air -c scripts/.air.toml
    ```
 
-3. start frontend dev server
+3. Install frontend dependencies and generate TypeScript code from protobuf
+
+   ```
+   cd web && pnpm i && pnpm type-gen
+   ```
+
+4. Start the dev server of frontend
 
    ```bash
-   cd web && pnpm i && pnpm dev
+   cd web && pnpm dev
    ```
 
 Memos should now be running at [http://localhost:3001](http://localhost:3001) and change either frontend or backend code would trigger live reload.

docs/setup.md

@@ -1,6 +0,0 @@
-# Setup
-
-After deploying and running Memos in `prod` mode, you should create "host" user. There are two ways to do this:
-
-1. Navigate to the Memos application URL, such as `http://localhost:5230`, and follow the prompts to create a username and password for the "host" user.
-2. Use the command `memos setup --host-username=$USERNAME --host-password=$PASSWORD --mode=prod` to set up the host user. This method may be more convenient for deploying through Ansible or other provisioning softwares.

docs/windows-service.md

@@ -1,98 +0,0 @@
-# Installing memos as a service on Windows
-
-While memos first-class support is for Docker, you may also install memos as a Windows service. It will run under SYSTEM account and start automatically at system boot.
-
-❗ All service management methods requires admin privileges. Use [gsudo](https://gerardog.github.io/gsudo/docs/install), or open a new PowerShell terminal as admin:
-
-```powershell
-Start-Process powershell -Verb RunAs
-```
-
-## Choose one of the following methods
-
-### 1. Using [NSSM](https://nssm.cc/download)
-
-NSSM is a lightweight service wrapper.
-
-You may put `nssm.exe` in the same directory as `memos.exe`, or add its directory to your system PATH. Prefer the latest 64-bit version of `nssm.exe`.
-
-```powershell
-# Install memos as a service
-nssm install memos "C:\path\to\memos.exe" --mode prod --port 5230
-
-# Delay auto start
-nssm set memos DisplayName "memos service"
-
-# Configure extra service parameters
-nssm set memos Description "A lightweight, self-hosted memo hub. https://usememos.com/"
-
-# Delay auto start
-nssm set memos Start SERVICE_DELAYED_AUTO_START
-
-# Edit service using NSSM GUI
-nssm edit memos
-
-# Start the service
-nssm start memos
-
-# Remove the service, if ever needed
-nssm remove memos confirm
-```
-
-### 2. Using [WinSW](https://github.com/winsw/winsw)
-
-Find the latest release tag and download the asset `WinSW-net46x.exe`. Then, put it in the same directory as `memos.exe` and rename it to `memos-service.exe`.
-
-Now, in the same directory, create the service configuration file `memos-service.xml`:
-
-```xml
-<service>
-    <id>memos</id>
-    <name>memos service</name>
-    <description>A lightweight, self-hosted memo hub. https://usememos.com/</description>
-    <onfailure action="restart" delay="10 sec"/>
-    <executable>%BASE%\memos.exe</executable>
-    <arguments>--mode prod --port 5230</arguments>
-    <delayedAutoStart>true</delayedAutoStart>
-    <log mode="none" />
-</service>
-```
-
-Then, install the service:
-
-```powershell
-# Install the service
-.\memos-service.exe install
-
-# Start the service
-.\memos-service.exe start
-
-# Remove the service, if ever needed
-.\memos-service.exe uninstall
-```
-
-### Manage the service
-
-You may use the `net` command to manage the service:
-
-```powershell
-net start memos
-net stop memos
-```
-
-Also, by using one of the provided methods, the service will appear in the Windows Services Manager `services.msc`.
-
-## Notes
-
-- On Windows, memos store its data in the following directory:
-
-  ```powershell
-  $env:ProgramData\memos
-  # Typically, this will resolve to C:\ProgramData\memos
-  ```
-
-  You may specify a custom directory by appending `--data <path>` to the service command line.
-
-- If the service fails to start, you should inspect the Windows Event Viewer `eventvwr.msc`.
-
-- Memos will be accessible at [http://localhost:5230](http://localhost:5230) by default.

go.mod

@@ -1,80 +1,122 @@
 module github.com/usememos/memos
 
-go 1.19
+go 1.21
 
 require (
-	github.com/aws/aws-sdk-go-v2 v1.17.4
-	github.com/aws/aws-sdk-go-v2/config v1.18.12
-	github.com/aws/aws-sdk-go-v2/credentials v1.13.12
-	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.51
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.30.3
+	github.com/aws/aws-sdk-go-v2 v1.24.1
+	github.com/aws/aws-sdk-go-v2/config v1.26.6
+	github.com/aws/aws-sdk-go-v2/credentials v1.16.16
+	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.15.15
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.48.1
 	github.com/disintegration/imaging v1.6.2
-	github.com/google/uuid v1.3.0
-	github.com/gorilla/feeds v1.1.1
-	github.com/labstack/echo/v4 v4.9.0
-	github.com/mattn/go-sqlite3 v1.14.9
+	github.com/go-sql-driver/mysql v1.7.1
+	github.com/google/cel-go v0.19.0
+	github.com/google/uuid v1.6.0
+	github.com/gorilla/feeds v1.1.2
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1
+	github.com/improbable-eng/grpc-web v0.15.0
+	github.com/joho/godotenv v1.5.1
+	github.com/labstack/echo/v4 v4.11.4
+	github.com/lib/pq v1.10.9
+	github.com/lithammer/shortuuid/v4 v4.0.0
+	github.com/microcosm-cc/bluemonday v1.0.26
 	github.com/pkg/errors v0.9.1
-	github.com/spf13/cobra v1.6.1
-	github.com/spf13/viper v1.15.0
-	github.com/stretchr/testify v1.8.1
-	github.com/yuin/goldmark v1.5.4
-	go.uber.org/zap v1.24.0
-	golang.org/x/crypto v0.1.0
-	golang.org/x/exp v0.0.0-20230111222715-75897c7a292a
-	golang.org/x/mod v0.8.0
-	golang.org/x/net v0.7.0
-	golang.org/x/oauth2 v0.5.0
+	github.com/spf13/cobra v1.8.0
+	github.com/spf13/viper v1.18.2
+	github.com/stretchr/testify v1.8.4
+	github.com/swaggo/swag v1.16.2
+	github.com/yourselfhosted/gomark v0.0.0-20240203134956-f26563ba0069
+	go.uber.org/zap v1.26.0
+	golang.org/x/crypto v0.18.0
+	golang.org/x/exp v0.0.0-20240119083558-1b970713d09a
+	golang.org/x/mod v0.14.0
+	golang.org/x/net v0.20.0
+	golang.org/x/oauth2 v0.16.0
+	google.golang.org/genproto/googleapis/api v0.0.0-20240125205218-1f4bbc51befe
+	google.golang.org/grpc v1.61.0
+	modernc.org/sqlite v1.28.0
 )
 
-require golang.org/x/image v0.7.0 // indirect
+require (
+	github.com/KyleBanks/depth v1.2.1 // indirect
+	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
+	github.com/aymerick/douceur v0.2.0 // indirect
+	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
+	github.com/desertbit/timer v0.0.0-20180107155436-c41aec40b27f // indirect
+	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/go-openapi/jsonpointer v0.20.2 // indirect
+	github.com/go-openapi/jsonreference v0.20.4 // indirect
+	github.com/go-openapi/spec v0.20.14 // indirect
+	github.com/go-openapi/swag v0.22.9 // indirect
+	github.com/gorilla/css v1.0.1 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
+	github.com/rs/cors v1.10.1 // indirect
+	github.com/sagikazarmark/locafero v0.4.0 // indirect
+	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
+	github.com/sourcegraph/conc v0.3.0 // indirect
+	github.com/stoewer/go-strcase v1.3.0 // indirect
+	golang.org/x/image v0.15.0 // indirect
+	golang.org/x/tools v0.17.0 // indirect
+	google.golang.org/genproto v0.0.0-20240125205218-1f4bbc51befe // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240125205218-1f4bbc51befe // indirect
+	lukechampine.com/uint128 v1.3.0 // indirect
+	modernc.org/cc/v3 v3.41.0 // indirect
+	modernc.org/ccgo/v3 v3.16.15 // indirect
+	modernc.org/libc v1.40.8 // indirect
+	modernc.org/mathutil v1.6.0 // indirect
+	modernc.org/memory v1.7.2 // indirect
+	modernc.org/opt v0.1.3 // indirect
+	modernc.org/strutil v1.2.0 // indirect
+	modernc.org/token v1.1.0 // indirect
+	nhooyr.io/websocket v1.8.10 // indirect
+)
 
 require (
-	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.10 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.22 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.28 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.22 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.29 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.20 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.11 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.23 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.22 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.22 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.12.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.18.3 // indirect
-	github.com/aws/smithy-go v1.13.5 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/fsnotify/fsnotify v1.6.0 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.5.4 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.2.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.2.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.16.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.18.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 // indirect
+	github.com/aws/smithy-go v1.19.0 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
-	github.com/golang-jwt/jwt/v4 v4.5.0
-	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.0
+	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
-	github.com/inconshreveable/mousetrap v1.0.1 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
-	github.com/kr/pretty v0.3.1 // indirect
-	github.com/labstack/gommon v0.3.1 // indirect
+	github.com/labstack/gommon v0.4.2 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
-	github.com/mattn/go-colorable v0.1.12 // indirect
-	github.com/mattn/go-isatty v0.0.14 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
-	github.com/pelletier/go-toml/v2 v2.0.6 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/spf13/afero v1.9.3 // indirect
-	github.com/spf13/cast v1.5.0 // indirect
-	github.com/spf13/jwalterweatherman v1.1.0 // indirect
+	github.com/pelletier/go-toml/v2 v2.1.1 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/posthog/posthog-go v0.0.0-20240115103626-fbd687c18571
+	github.com/spf13/afero v1.11.0 // indirect
+	github.com/spf13/cast v1.6.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/stretchr/objx v0.5.0 // indirect
-	github.com/subosito/gotenv v1.4.2 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
-	github.com/valyala/fasttemplate v1.2.1 // indirect
-	go.uber.org/atomic v1.9.0 // indirect
-	go.uber.org/multierr v1.8.0 // indirect
-	golang.org/x/sys v0.5.0 // indirect
-	golang.org/x/text v0.9.0 // indirect
-	golang.org/x/time v0.1.0 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/protobuf v1.28.1 // indirect
-	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
+	github.com/valyala/fasttemplate v1.2.2 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	golang.org/x/sys v0.16.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/time v0.5.0 // indirect
+	google.golang.org/appengine v1.6.8 // indirect
+	google.golang.org/protobuf v1.32.0
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

internal/cron/cron.go

@@ -0,0 +1,179 @@
+// Package cron implements a crontab-like service to execute and schedule repeative tasks/jobs.
+package cron
+
+// Example:
+//
+//	c := cron.New()
+//	c.MustAdd("dailyReport", "0 0 * * *", func() { ... })
+//	c.Start()
+
+import (
+	"sync"
+	"time"
+
+	"github.com/pkg/errors"
+)
+
+type job struct {
+	schedule *Schedule
+	run      func()
+}
+
+// Cron is a crontab-like struct for tasks/jobs scheduling.
+type Cron struct {
+	sync.RWMutex
+
+	interval time.Duration
+	timezone *time.Location
+	ticker   *time.Ticker
+	jobs     map[string]*job
+}
+
+// New create a new Cron struct with default tick interval of 1 minute
+// and timezone in UTC.
+//
+// You can change the default tick interval with Cron.SetInterval().
+// You can change the default timezone with Cron.SetTimezone().
+func New() *Cron {
+	return &Cron{
+		interval: 1 * time.Minute,
+		timezone: time.UTC,
+		jobs:     map[string]*job{},
+	}
+}
+
+// SetInterval changes the current cron tick interval
+// (it usually should be >= 1 minute).
+func (c *Cron) SetInterval(d time.Duration) {
+	// update interval
+	c.Lock()
+	wasStarted := c.ticker != nil
+	c.interval = d
+	c.Unlock()
+
+	// restart the ticker
+	if wasStarted {
+		c.Start()
+	}
+}
+
+// SetTimezone changes the current cron tick timezone.
+func (c *Cron) SetTimezone(l *time.Location) {
+	c.Lock()
+	defer c.Unlock()
+
+	c.timezone = l
+}
+
+// MustAdd is similar to Add() but panic on failure.
+func (c *Cron) MustAdd(jobID string, cronExpr string, run func()) {
+	if err := c.Add(jobID, cronExpr, run); err != nil {
+		panic(err)
+	}
+}
+
+// Add registers a single cron job.
+//
+// If there is already a job with the provided id, then the old job
+// will be replaced with the new one.
+//
+// cronExpr is a regular cron expression, eg. "0 */3 * * *" (aka. at minute 0 past every 3rd hour).
+// Check cron.NewSchedule() for the supported tokens.
+func (c *Cron) Add(jobID string, cronExpr string, run func()) error {
+	if run == nil {
+		return errors.New("failed to add new cron job: run must be non-nil function")
+	}
+
+	c.Lock()
+	defer c.Unlock()
+
+	schedule, err := NewSchedule(cronExpr)
+	if err != nil {
+		return errors.Wrap(err, "failed to add new cron job")
+	}
+
+	c.jobs[jobID] = &job{
+		schedule: schedule,
+		run:      run,
+	}
+
+	return nil
+}
+
+// Remove removes a single cron job by its id.
+func (c *Cron) Remove(jobID string) {
+	c.Lock()
+	defer c.Unlock()
+
+	delete(c.jobs, jobID)
+}
+
+// RemoveAll removes all registered cron jobs.
+func (c *Cron) RemoveAll() {
+	c.Lock()
+	defer c.Unlock()
+
+	c.jobs = map[string]*job{}
+}
+
+// Total returns the current total number of registered cron jobs.
+func (c *Cron) Total() int {
+	c.RLock()
+	defer c.RUnlock()
+
+	return len(c.jobs)
+}
+
+// Stop stops the current cron ticker (if not already).
+//
+// You can resume the ticker by calling Start().
+func (c *Cron) Stop() {
+	c.Lock()
+	defer c.Unlock()
+
+	if c.ticker == nil {
+		return // already stopped
+	}
+
+	c.ticker.Stop()
+	c.ticker = nil
+}
+
+// Start starts the cron ticker.
+//
+// Calling Start() on already started cron will restart the ticker.
+func (c *Cron) Start() {
+	c.Stop()
+
+	c.Lock()
+	c.ticker = time.NewTicker(c.interval)
+	c.Unlock()
+
+	go func() {
+		for t := range c.ticker.C {
+			c.runDue(t)
+		}
+	}()
+}
+
+// HasStarted checks whether the current Cron ticker has been started.
+func (c *Cron) HasStarted() bool {
+	c.RLock()
+	defer c.RUnlock()
+
+	return c.ticker != nil
+}
+
+// runDue runs all registered jobs that are scheduled for the provided time.
+func (c *Cron) runDue(t time.Time) {
+	c.RLock()
+	defer c.RUnlock()
+
+	moment := NewMoment(t.In(c.timezone))
+
+	for _, j := range c.jobs {
+		if j.schedule.IsDue(moment) {
+			go j.run()
+		}
+	}
+}

internal/cron/cron_test.go

@@ -0,0 +1,249 @@
+package cron
+
+import (
+	"encoding/json"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestCronNew(t *testing.T) {
+	c := New()
+
+	expectedInterval := 1 * time.Minute
+	if c.interval != expectedInterval {
+		t.Fatalf("Expected default interval %v, got %v", expectedInterval, c.interval)
+	}
+
+	expectedTimezone := time.UTC
+	if c.timezone.String() != expectedTimezone.String() {
+		t.Fatalf("Expected default timezone %v, got %v", expectedTimezone, c.timezone)
+	}
+
+	if len(c.jobs) != 0 {
+		t.Fatalf("Expected no jobs by default, got \n%v", c.jobs)
+	}
+
+	if c.ticker != nil {
+		t.Fatal("Expected the ticker NOT to be initialized")
+	}
+}
+
+func TestCronSetInterval(t *testing.T) {
+	c := New()
+
+	interval := 2 * time.Minute
+
+	c.SetInterval(interval)
+
+	if c.interval != interval {
+		t.Fatalf("Expected interval %v, got %v", interval, c.interval)
+	}
+}
+
+func TestCronSetTimezone(t *testing.T) {
+	c := New()
+
+	timezone, _ := time.LoadLocation("Asia/Tokyo")
+
+	c.SetTimezone(timezone)
+
+	if c.timezone.String() != timezone.String() {
+		t.Fatalf("Expected timezone %v, got %v", timezone, c.timezone)
+	}
+}
+
+func TestCronAddAndRemove(t *testing.T) {
+	c := New()
+
+	if err := c.Add("test0", "* * * * *", nil); err == nil {
+		t.Fatal("Expected nil function error")
+	}
+
+	if err := c.Add("test1", "invalid", func() {}); err == nil {
+		t.Fatal("Expected invalid cron expression error")
+	}
+
+	if err := c.Add("test2", "* * * * *", func() {}); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := c.Add("test3", "* * * * *", func() {}); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := c.Add("test4", "* * * * *", func() {}); err != nil {
+		t.Fatal(err)
+	}
+
+	// overwrite test2
+	if err := c.Add("test2", "1 2 3 4 5", func() {}); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := c.Add("test5", "1 2 3 4 5", func() {}); err != nil {
+		t.Fatal(err)
+	}
+
+	// mock job deletion
+	c.Remove("test4")
+
+	// try to remove non-existing (should be no-op)
+	c.Remove("missing")
+
+	// check job keys
+	{
+		expectedKeys := []string{"test3", "test2", "test5"}
+
+		if v := len(c.jobs); v != len(expectedKeys) {
+			t.Fatalf("Expected %d jobs, got %d", len(expectedKeys), v)
+		}
+
+		for _, k := range expectedKeys {
+			if c.jobs[k] == nil {
+				t.Fatalf("Expected job with key %s, got nil", k)
+			}
+		}
+	}
+
+	// check the jobs schedule
+	{
+		expectedSchedules := map[string]string{
+			"test2": `{"minutes":{"1":{}},"hours":{"2":{}},"days":{"3":{}},"months":{"4":{}},"daysOfWeek":{"5":{}}}`,
+			"test3": `{"minutes":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"32":{},"33":{},"34":{},"35":{},"36":{},"37":{},"38":{},"39":{},"4":{},"40":{},"41":{},"42":{},"43":{},"44":{},"45":{},"46":{},"47":{},"48":{},"49":{},"5":{},"50":{},"51":{},"52":{},"53":{},"54":{},"55":{},"56":{},"57":{},"58":{},"59":{},"6":{},"7":{},"8":{},"9":{}},"hours":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"days":{"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"months":{"1":{},"10":{},"11":{},"12":{},"2":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"daysOfWeek":{"0":{},"1":{},"2":{},"3":{},"4":{},"5":{},"6":{}}}`,
+			"test5": `{"minutes":{"1":{}},"hours":{"2":{}},"days":{"3":{}},"months":{"4":{}},"daysOfWeek":{"5":{}}}`,
+		}
+		for k, v := range expectedSchedules {
+			raw, err := json.Marshal(c.jobs[k].schedule)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			if string(raw) != v {
+				t.Fatalf("Expected %q schedule \n%s, \ngot \n%s", k, v, raw)
+			}
+		}
+	}
+}
+
+func TestCronMustAdd(t *testing.T) {
+	c := New()
+
+	defer func() {
+		if r := recover(); r == nil {
+			t.Errorf("test1 didn't panic")
+		}
+	}()
+
+	c.MustAdd("test1", "* * * * *", nil)
+
+	c.MustAdd("test2", "* * * * *", func() {})
+
+	if _, ok := c.jobs["test2"]; !ok {
+		t.Fatal("Couldn't find job test2")
+	}
+}
+
+func TestCronRemoveAll(t *testing.T) {
+	c := New()
+
+	if err := c.Add("test1", "* * * * *", func() {}); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := c.Add("test2", "* * * * *", func() {}); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := c.Add("test3", "* * * * *", func() {}); err != nil {
+		t.Fatal(err)
+	}
+
+	if v := len(c.jobs); v != 3 {
+		t.Fatalf("Expected %d jobs, got %d", 3, v)
+	}
+
+	c.RemoveAll()
+
+	if v := len(c.jobs); v != 0 {
+		t.Fatalf("Expected %d jobs, got %d", 0, v)
+	}
+}
+
+func TestCronTotal(t *testing.T) {
+	c := New()
+
+	if v := c.Total(); v != 0 {
+		t.Fatalf("Expected 0 jobs, got %v", v)
+	}
+
+	if err := c.Add("test1", "* * * * *", func() {}); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := c.Add("test2", "* * * * *", func() {}); err != nil {
+		t.Fatal(err)
+	}
+
+	// overwrite
+	if err := c.Add("test1", "* * * * *", func() {}); err != nil {
+		t.Fatal(err)
+	}
+
+	if v := c.Total(); v != 2 {
+		t.Fatalf("Expected 2 jobs, got %v", v)
+	}
+}
+
+func TestCronStartStop(t *testing.T) {
+	c := New()
+
+	c.SetInterval(1 * time.Second)
+
+	test1 := 0
+	test2 := 0
+
+	err := c.Add("test1", "* * * * *", func() {
+		test1++
+	})
+	require.NoError(t, err)
+
+	err = c.Add("test2", "* * * * *", func() {
+		test2++
+	})
+	require.NoError(t, err)
+
+	expectedCalls := 3
+
+	// call twice Start to check if the previous ticker will be reseted
+	c.Start()
+	c.Start()
+
+	time.Sleep(3250 * time.Millisecond)
+
+	// call twice Stop to ensure that the second stop is no-op
+	c.Stop()
+	c.Stop()
+
+	if test1 != expectedCalls {
+		t.Fatalf("Expected %d test1, got %d", expectedCalls, test1)
+	}
+	if test2 != expectedCalls {
+		t.Fatalf("Expected %d test2, got %d", expectedCalls, test2)
+	}
+
+	// resume for ~5 seconds
+	c.Start()
+	time.Sleep(5250 * time.Millisecond)
+	c.Stop()
+
+	expectedCalls += 5
+
+	if test1 != expectedCalls {
+		t.Fatalf("Expected %d test1, got %d", expectedCalls, test1)
+	}
+	if test2 != expectedCalls {
+		t.Fatalf("Expected %d test2, got %d", expectedCalls, test2)
+	}
+}

internal/cron/schedule.go

@@ -0,0 +1,194 @@
+package cron
+
+import (
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/pkg/errors"
+)
+
+// Moment represents a parsed single time moment.
+type Moment struct {
+	Minute    int `json:"minute"`
+	Hour      int `json:"hour"`
+	Day       int `json:"day"`
+	Month     int `json:"month"`
+	DayOfWeek int `json:"dayOfWeek"`
+}
+
+// NewMoment creates a new Moment from the specified time.
+func NewMoment(t time.Time) *Moment {
+	return &Moment{
+		Minute:    t.Minute(),
+		Hour:      t.Hour(),
+		Day:       t.Day(),
+		Month:     int(t.Month()),
+		DayOfWeek: int(t.Weekday()),
+	}
+}
+
+// Schedule stores parsed information for each time component when a cron job should run.
+type Schedule struct {
+	Minutes    map[int]struct{} `json:"minutes"`
+	Hours      map[int]struct{} `json:"hours"`
+	Days       map[int]struct{} `json:"days"`
+	Months     map[int]struct{} `json:"months"`
+	DaysOfWeek map[int]struct{} `json:"daysOfWeek"`
+}
+
+// IsDue checks whether the provided Moment satisfies the current Schedule.
+func (s *Schedule) IsDue(m *Moment) bool {
+	if _, ok := s.Minutes[m.Minute]; !ok {
+		return false
+	}
+
+	if _, ok := s.Hours[m.Hour]; !ok {
+		return false
+	}
+
+	if _, ok := s.Days[m.Day]; !ok {
+		return false
+	}
+
+	if _, ok := s.DaysOfWeek[m.DayOfWeek]; !ok {
+		return false
+	}
+
+	if _, ok := s.Months[m.Month]; !ok {
+		return false
+	}
+
+	return true
+}
+
+// NewSchedule creates a new Schedule from a cron expression.
+//
+// A cron expression is consisted of 5 segments separated by space,
+// representing: minute, hour, day of the month, month and day of the week.
+//
+// Each segment could be in the following formats:
+//   - wildcard: *
+//   - range:    1-30
+//   - step:     */n or 1-30/n
+//   - list:     1,2,3,10-20/n
+func NewSchedule(cronExpr string) (*Schedule, error) {
+	segments := strings.Split(cronExpr, " ")
+	if len(segments) != 5 {
+		return nil, errors.New("invalid cron expression - must have exactly 5 space separated segments")
+	}
+
+	minutes, err := parseCronSegment(segments[0], 0, 59)
+	if err != nil {
+		return nil, err
+	}
+
+	hours, err := parseCronSegment(segments[1], 0, 23)
+	if err != nil {
+		return nil, err
+	}
+
+	days, err := parseCronSegment(segments[2], 1, 31)
+	if err != nil {
+		return nil, err
+	}
+
+	months, err := parseCronSegment(segments[3], 1, 12)
+	if err != nil {
+		return nil, err
+	}
+
+	daysOfWeek, err := parseCronSegment(segments[4], 0, 6)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Schedule{
+		Minutes:    minutes,
+		Hours:      hours,
+		Days:       days,
+		Months:     months,
+		DaysOfWeek: daysOfWeek,
+	}, nil
+}
+
+// parseCronSegment parses a single cron expression segment and
+// returns its time schedule slots.
+func parseCronSegment(segment string, min int, max int) (map[int]struct{}, error) {
+	slots := map[int]struct{}{}
+
+	list := strings.Split(segment, ",")
+	for _, p := range list {
+		stepParts := strings.Split(p, "/")
+
+		// step (*/n, 1-30/n)
+		var step int
+		switch len(stepParts) {
+		case 1:
+			step = 1
+		case 2:
+			parsedStep, err := strconv.Atoi(stepParts[1])
+			if err != nil {
+				return nil, err
+			}
+			if parsedStep < 1 || parsedStep > max {
+				return nil, errors.Errorf("invalid segment step boundary - the step must be between 1 and the %d", max)
+			}
+			step = parsedStep
+		default:
+			return nil, errors.New("invalid segment step format - must be in the format */n or 1-30/n")
+		}
+
+		// find the min and max range of the segment part
+		var rangeMin, rangeMax int
+		if stepParts[0] == "*" {
+			rangeMin = min
+			rangeMax = max
+		} else {
+			// single digit (1) or range (1-30)
+			rangeParts := strings.Split(stepParts[0], "-")
+			switch len(rangeParts) {
+			case 1:
+				if step != 1 {
+					return nil, errors.New("invalid segement step - step > 1 could be used only with the wildcard or range format")
+				}
+				parsed, err := strconv.Atoi(rangeParts[0])
+				if err != nil {
+					return nil, err
+				}
+				if parsed < min || parsed > max {
+					return nil, errors.New("invalid segment value - must be between the min and max of the segment")
+				}
+				rangeMin = parsed
+				rangeMax = rangeMin
+			case 2:
+				parsedMin, err := strconv.Atoi(rangeParts[0])
+				if err != nil {
+					return nil, err
+				}
+				if parsedMin < min || parsedMin > max {
+					return nil, errors.Errorf("invalid segment range minimum - must be between %d and %d", min, max)
+				}
+				rangeMin = parsedMin
+
+				parsedMax, err := strconv.Atoi(rangeParts[1])
+				if err != nil {
+					return nil, err
+				}
+				if parsedMax < parsedMin || parsedMax > max {
+					return nil, errors.Errorf("invalid segment range maximum - must be between %d and %d", rangeMin, max)
+				}
+				rangeMax = parsedMax
+			default:
+				return nil, errors.New("invalid segment range format - the range must have 1 or 2 parts")
+			}
+		}
+
+		// fill the slots
+		for i := rangeMin; i <= rangeMax; i += step {
+			slots[i] = struct{}{}
+		}
+	}
+
+	return slots, nil
+}

internal/cron/schedule_test.go

@@ -0,0 +1,361 @@
+package cron_test
+
+import (
+	"encoding/json"
+	"testing"
+	"time"
+
+	"github.com/usememos/memos/internal/cron"
+)
+
+func TestNewMoment(t *testing.T) {
+	date, err := time.Parse("2006-01-02 15:04", "2023-05-09 15:20")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	m := cron.NewMoment(date)
+
+	if m.Minute != 20 {
+		t.Fatalf("Expected m.Minute %d, got %d", 20, m.Minute)
+	}
+
+	if m.Hour != 15 {
+		t.Fatalf("Expected m.Hour %d, got %d", 15, m.Hour)
+	}
+
+	if m.Day != 9 {
+		t.Fatalf("Expected m.Day %d, got %d", 9, m.Day)
+	}
+
+	if m.Month != 5 {
+		t.Fatalf("Expected m.Month %d, got %d", 5, m.Month)
+	}
+
+	if m.DayOfWeek != 2 {
+		t.Fatalf("Expected m.DayOfWeek %d, got %d", 2, m.DayOfWeek)
+	}
+}
+
+func TestNewSchedule(t *testing.T) {
+	scenarios := []struct {
+		cronExpr       string
+		expectError    bool
+		expectSchedule string
+	}{
+		{
+			"invalid",
+			true,
+			"",
+		},
+		{
+			"* * * *",
+			true,
+			"",
+		},
+		{
+			"* * * * * *",
+			true,
+			"",
+		},
+		{
+			"2/3 * * * *",
+			true,
+			"",
+		},
+		{
+			"* * * * *",
+			false,
+			`{"minutes":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"32":{},"33":{},"34":{},"35":{},"36":{},"37":{},"38":{},"39":{},"4":{},"40":{},"41":{},"42":{},"43":{},"44":{},"45":{},"46":{},"47":{},"48":{},"49":{},"5":{},"50":{},"51":{},"52":{},"53":{},"54":{},"55":{},"56":{},"57":{},"58":{},"59":{},"6":{},"7":{},"8":{},"9":{}},"hours":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"days":{"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"months":{"1":{},"10":{},"11":{},"12":{},"2":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"daysOfWeek":{"0":{},"1":{},"2":{},"3":{},"4":{},"5":{},"6":{}}}`,
+		},
+		{
+			"*/2 */3 */5 */4 */2",
+			false,
+			`{"minutes":{"0":{},"10":{},"12":{},"14":{},"16":{},"18":{},"2":{},"20":{},"22":{},"24":{},"26":{},"28":{},"30":{},"32":{},"34":{},"36":{},"38":{},"4":{},"40":{},"42":{},"44":{},"46":{},"48":{},"50":{},"52":{},"54":{},"56":{},"58":{},"6":{},"8":{}},"hours":{"0":{},"12":{},"15":{},"18":{},"21":{},"3":{},"6":{},"9":{}},"days":{"1":{},"11":{},"16":{},"21":{},"26":{},"31":{},"6":{}},"months":{"1":{},"5":{},"9":{}},"daysOfWeek":{"0":{},"2":{},"4":{},"6":{}}}`,
+		},
+
+		// minute segment
+		{
+			"-1 * * * *",
+			true,
+			"",
+		},
+		{
+			"60 * * * *",
+			true,
+			"",
+		},
+		{
+			"0 * * * *",
+			false,
+			`{"minutes":{"0":{}},"hours":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"days":{"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"months":{"1":{},"10":{},"11":{},"12":{},"2":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"daysOfWeek":{"0":{},"1":{},"2":{},"3":{},"4":{},"5":{},"6":{}}}`,
+		},
+		{
+			"59 * * * *",
+			false,
+			`{"minutes":{"59":{}},"hours":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"days":{"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"months":{"1":{},"10":{},"11":{},"12":{},"2":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"daysOfWeek":{"0":{},"1":{},"2":{},"3":{},"4":{},"5":{},"6":{}}}`,
+		},
+		{
+			"1,2,5,7,40-50/2 * * * *",
+			false,
+			`{"minutes":{"1":{},"2":{},"40":{},"42":{},"44":{},"46":{},"48":{},"5":{},"50":{},"7":{}},"hours":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"days":{"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"months":{"1":{},"10":{},"11":{},"12":{},"2":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"daysOfWeek":{"0":{},"1":{},"2":{},"3":{},"4":{},"5":{},"6":{}}}`,
+		},
+
+		// hour segment
+		{
+			"* -1 * * *",
+			true,
+			"",
+		},
+		{
+			"* 24 * * *",
+			true,
+			"",
+		},
+		{
+			"* 0 * * *",
+			false,
+			`{"minutes":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"32":{},"33":{},"34":{},"35":{},"36":{},"37":{},"38":{},"39":{},"4":{},"40":{},"41":{},"42":{},"43":{},"44":{},"45":{},"46":{},"47":{},"48":{},"49":{},"5":{},"50":{},"51":{},"52":{},"53":{},"54":{},"55":{},"56":{},"57":{},"58":{},"59":{},"6":{},"7":{},"8":{},"9":{}},"hours":{"0":{}},"days":{"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"months":{"1":{},"10":{},"11":{},"12":{},"2":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"daysOfWeek":{"0":{},"1":{},"2":{},"3":{},"4":{},"5":{},"6":{}}}`,
+		},
+		{
+			"* 23 * * *",
+			false,
+			`{"minutes":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"32":{},"33":{},"34":{},"35":{},"36":{},"37":{},"38":{},"39":{},"4":{},"40":{},"41":{},"42":{},"43":{},"44":{},"45":{},"46":{},"47":{},"48":{},"49":{},"5":{},"50":{},"51":{},"52":{},"53":{},"54":{},"55":{},"56":{},"57":{},"58":{},"59":{},"6":{},"7":{},"8":{},"9":{}},"hours":{"23":{}},"days":{"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"months":{"1":{},"10":{},"11":{},"12":{},"2":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"daysOfWeek":{"0":{},"1":{},"2":{},"3":{},"4":{},"5":{},"6":{}}}`,
+		},
+		{
+			"* 3,4,8-16/3,7 * * *",
+			false,
+			`{"minutes":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"32":{},"33":{},"34":{},"35":{},"36":{},"37":{},"38":{},"39":{},"4":{},"40":{},"41":{},"42":{},"43":{},"44":{},"45":{},"46":{},"47":{},"48":{},"49":{},"5":{},"50":{},"51":{},"52":{},"53":{},"54":{},"55":{},"56":{},"57":{},"58":{},"59":{},"6":{},"7":{},"8":{},"9":{}},"hours":{"11":{},"14":{},"3":{},"4":{},"7":{},"8":{}},"days":{"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"months":{"1":{},"10":{},"11":{},"12":{},"2":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"daysOfWeek":{"0":{},"1":{},"2":{},"3":{},"4":{},"5":{},"6":{}}}`,
+		},
+
+		// day segment
+		{
+			"* * 0 * *",
+			true,
+			"",
+		},
+		{
+			"* * 32 * *",
+			true,
+			"",
+		},
+		{
+			"* * 1 * *",
+			false,
+			`{"minutes":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"32":{},"33":{},"34":{},"35":{},"36":{},"37":{},"38":{},"39":{},"4":{},"40":{},"41":{},"42":{},"43":{},"44":{},"45":{},"46":{},"47":{},"48":{},"49":{},"5":{},"50":{},"51":{},"52":{},"53":{},"54":{},"55":{},"56":{},"57":{},"58":{},"59":{},"6":{},"7":{},"8":{},"9":{}},"hours":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"days":{"1":{}},"months":{"1":{},"10":{},"11":{},"12":{},"2":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"daysOfWeek":{"0":{},"1":{},"2":{},"3":{},"4":{},"5":{},"6":{}}}`,
+		},
+		{
+			"* * 31 * *",
+			false,
+			`{"minutes":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"32":{},"33":{},"34":{},"35":{},"36":{},"37":{},"38":{},"39":{},"4":{},"40":{},"41":{},"42":{},"43":{},"44":{},"45":{},"46":{},"47":{},"48":{},"49":{},"5":{},"50":{},"51":{},"52":{},"53":{},"54":{},"55":{},"56":{},"57":{},"58":{},"59":{},"6":{},"7":{},"8":{},"9":{}},"hours":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"days":{"31":{}},"months":{"1":{},"10":{},"11":{},"12":{},"2":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"daysOfWeek":{"0":{},"1":{},"2":{},"3":{},"4":{},"5":{},"6":{}}}`,
+		},
+		{
+			"* * 5,6,20-30/3,1 * *",
+			false,
+			`{"minutes":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"32":{},"33":{},"34":{},"35":{},"36":{},"37":{},"38":{},"39":{},"4":{},"40":{},"41":{},"42":{},"43":{},"44":{},"45":{},"46":{},"47":{},"48":{},"49":{},"5":{},"50":{},"51":{},"52":{},"53":{},"54":{},"55":{},"56":{},"57":{},"58":{},"59":{},"6":{},"7":{},"8":{},"9":{}},"hours":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"days":{"1":{},"20":{},"23":{},"26":{},"29":{},"5":{},"6":{}},"months":{"1":{},"10":{},"11":{},"12":{},"2":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"daysOfWeek":{"0":{},"1":{},"2":{},"3":{},"4":{},"5":{},"6":{}}}`,
+		},
+
+		// month segment
+		{
+			"* * * 0 *",
+			true,
+			"",
+		},
+		{
+			"* * * 13 *",
+			true,
+			"",
+		},
+		{
+			"* * * 1 *",
+			false,
+			`{"minutes":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"32":{},"33":{},"34":{},"35":{},"36":{},"37":{},"38":{},"39":{},"4":{},"40":{},"41":{},"42":{},"43":{},"44":{},"45":{},"46":{},"47":{},"48":{},"49":{},"5":{},"50":{},"51":{},"52":{},"53":{},"54":{},"55":{},"56":{},"57":{},"58":{},"59":{},"6":{},"7":{},"8":{},"9":{}},"hours":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"days":{"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"months":{"1":{}},"daysOfWeek":{"0":{},"1":{},"2":{},"3":{},"4":{},"5":{},"6":{}}}`,
+		},
+		{
+			"* * * 12 *",
+			false,
+			`{"minutes":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"32":{},"33":{},"34":{},"35":{},"36":{},"37":{},"38":{},"39":{},"4":{},"40":{},"41":{},"42":{},"43":{},"44":{},"45":{},"46":{},"47":{},"48":{},"49":{},"5":{},"50":{},"51":{},"52":{},"53":{},"54":{},"55":{},"56":{},"57":{},"58":{},"59":{},"6":{},"7":{},"8":{},"9":{}},"hours":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"days":{"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"months":{"12":{}},"daysOfWeek":{"0":{},"1":{},"2":{},"3":{},"4":{},"5":{},"6":{}}}`,
+		},
+		{
+			"* * * 1,4,5-10/2 *",
+			false,
+			`{"minutes":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"32":{},"33":{},"34":{},"35":{},"36":{},"37":{},"38":{},"39":{},"4":{},"40":{},"41":{},"42":{},"43":{},"44":{},"45":{},"46":{},"47":{},"48":{},"49":{},"5":{},"50":{},"51":{},"52":{},"53":{},"54":{},"55":{},"56":{},"57":{},"58":{},"59":{},"6":{},"7":{},"8":{},"9":{}},"hours":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"days":{"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"months":{"1":{},"4":{},"5":{},"7":{},"9":{}},"daysOfWeek":{"0":{},"1":{},"2":{},"3":{},"4":{},"5":{},"6":{}}}`,
+		},
+
+		// day of week segment
+		{
+			"* * * * -1",
+			true,
+			"",
+		},
+		{
+			"* * * * 7",
+			true,
+			"",
+		},
+		{
+			"* * * * 0",
+			false,
+			`{"minutes":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"32":{},"33":{},"34":{},"35":{},"36":{},"37":{},"38":{},"39":{},"4":{},"40":{},"41":{},"42":{},"43":{},"44":{},"45":{},"46":{},"47":{},"48":{},"49":{},"5":{},"50":{},"51":{},"52":{},"53":{},"54":{},"55":{},"56":{},"57":{},"58":{},"59":{},"6":{},"7":{},"8":{},"9":{}},"hours":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"days":{"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"months":{"1":{},"10":{},"11":{},"12":{},"2":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"daysOfWeek":{"0":{}}}`,
+		},
+		{
+			"* * * * 6",
+			false,
+			`{"minutes":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"32":{},"33":{},"34":{},"35":{},"36":{},"37":{},"38":{},"39":{},"4":{},"40":{},"41":{},"42":{},"43":{},"44":{},"45":{},"46":{},"47":{},"48":{},"49":{},"5":{},"50":{},"51":{},"52":{},"53":{},"54":{},"55":{},"56":{},"57":{},"58":{},"59":{},"6":{},"7":{},"8":{},"9":{}},"hours":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"days":{"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"months":{"1":{},"10":{},"11":{},"12":{},"2":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"daysOfWeek":{"6":{}}}`,
+		},
+		{
+			"* * * * 1,2-5/2",
+			false,
+			`{"minutes":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"32":{},"33":{},"34":{},"35":{},"36":{},"37":{},"38":{},"39":{},"4":{},"40":{},"41":{},"42":{},"43":{},"44":{},"45":{},"46":{},"47":{},"48":{},"49":{},"5":{},"50":{},"51":{},"52":{},"53":{},"54":{},"55":{},"56":{},"57":{},"58":{},"59":{},"6":{},"7":{},"8":{},"9":{}},"hours":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"days":{"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"months":{"1":{},"10":{},"11":{},"12":{},"2":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"daysOfWeek":{"1":{},"2":{},"4":{}}}`,
+		},
+	}
+
+	for _, s := range scenarios {
+		schedule, err := cron.NewSchedule(s.cronExpr)
+
+		hasErr := err != nil
+		if hasErr != s.expectError {
+			t.Fatalf("[%s] Expected hasErr to be %v, got %v (%v)", s.cronExpr, s.expectError, hasErr, err)
+		}
+
+		if hasErr {
+			continue
+		}
+
+		encoded, err := json.Marshal(schedule)
+		if err != nil {
+			t.Fatalf("[%s] Failed to marshalize the result schedule: %v", s.cronExpr, err)
+		}
+		encodedStr := string(encoded)
+
+		if encodedStr != s.expectSchedule {
+			t.Fatalf("[%s] Expected \n%s, \ngot \n%s", s.cronExpr, s.expectSchedule, encodedStr)
+		}
+	}
+}
+
+func TestScheduleIsDue(t *testing.T) {
+	scenarios := []struct {
+		cronExpr string
+		moment   *cron.Moment
+		expected bool
+	}{
+		{
+			"* * * * *",
+			&cron.Moment{},
+			false,
+		},
+		{
+			"* * * * *",
+			&cron.Moment{
+				Minute:    1,
+				Hour:      1,
+				Day:       1,
+				Month:     1,
+				DayOfWeek: 1,
+			},
+			true,
+		},
+		{
+			"5 * * * *",
+			&cron.Moment{
+				Minute:    1,
+				Hour:      1,
+				Day:       1,
+				Month:     1,
+				DayOfWeek: 1,
+			},
+			false,
+		},
+		{
+			"5 * * * *",
+			&cron.Moment{
+				Minute:    5,
+				Hour:      1,
+				Day:       1,
+				Month:     1,
+				DayOfWeek: 1,
+			},
+			true,
+		},
+		{
+			"* 2-6 * * 2,3",
+			&cron.Moment{
+				Minute:    1,
+				Hour:      2,
+				Day:       1,
+				Month:     1,
+				DayOfWeek: 1,
+			},
+			false,
+		},
+		{
+			"* 2-6 * * 2,3",
+			&cron.Moment{
+				Minute:    1,
+				Hour:      2,
+				Day:       1,
+				Month:     1,
+				DayOfWeek: 3,
+			},
+			true,
+		},
+		{
+			"* * 1,2,5,15-18 * *",
+			&cron.Moment{
+				Minute:    1,
+				Hour:      1,
+				Day:       6,
+				Month:     1,
+				DayOfWeek: 1,
+			},
+			false,
+		},
+		{
+			"* * 1,2,5,15-18/2 * *",
+			&cron.Moment{
+				Minute:    1,
+				Hour:      1,
+				Day:       2,
+				Month:     1,
+				DayOfWeek: 1,
+			},
+			true,
+		},
+		{
+			"* * 1,2,5,15-18/2 * *",
+			&cron.Moment{
+				Minute:    1,
+				Hour:      1,
+				Day:       18,
+				Month:     1,
+				DayOfWeek: 1,
+			},
+			false,
+		},
+		{
+			"* * 1,2,5,15-18/2 * *",
+			&cron.Moment{
+				Minute:    1,
+				Hour:      1,
+				Day:       17,
+				Month:     1,
+				DayOfWeek: 1,
+			},
+			true,
+		},
+	}
+
+	for i, s := range scenarios {
+		schedule, err := cron.NewSchedule(s.cronExpr)
+		if err != nil {
+			t.Fatalf("[%d-%s] Unexpected cron error: %v", i, s.cronExpr, err)
+		}
+
+		result := schedule.IsDue(s.moment)
+
+		if result != s.expected {
+			t.Fatalf("[%d-%s] Expected %v, got %v", i, s.cronExpr, s.expected, result)
+		}
+	}
+}

internal/jobs/presign_link.go

@@ -0,0 +1,140 @@
+package jobs
+
+import (
+	"context"
+	"encoding/json"
+	"strings"
+	"time"
+
+	"github.com/pkg/errors"
+	"go.uber.org/zap"
+
+	apiv1 "github.com/usememos/memos/api/v1"
+	"github.com/usememos/memos/internal/log"
+	"github.com/usememos/memos/plugin/storage/s3"
+	"github.com/usememos/memos/store"
+)
+
+// RunPreSignLinks is a background job that pre-signs external links stored in the database.
+// It uses S3 client to generate presigned URLs and updates the corresponding resources in the store.
+func RunPreSignLinks(ctx context.Context, dataStore *store.Store) {
+	for {
+		started := time.Now()
+		if err := signExternalLinks(ctx, dataStore); err != nil {
+			log.Warn("failed sign external links", zap.Error(err))
+		} else {
+			log.Info("links pre-signed", zap.Duration("duration", time.Since(started)))
+		}
+		select {
+		case <-time.After(s3.LinkLifetime / 2):
+		case <-ctx.Done():
+			return
+		}
+	}
+}
+
+func signExternalLinks(ctx context.Context, dataStore *store.Store) error {
+	const pageSize = 32
+
+	objectStore, err := findObjectStorage(ctx, dataStore)
+	if err != nil {
+		return errors.Wrapf(err, "find object storage")
+	}
+	if objectStore == nil || !objectStore.Config.PreSign {
+		// object storage not set or not supported
+		return nil
+	}
+
+	var offset int
+	var limit = pageSize
+	for {
+		resources, err := dataStore.ListResources(ctx, &store.FindResource{
+			GetBlob: false,
+			Limit:   &limit,
+			Offset:  &offset,
+		})
+		if err != nil {
+			return errors.Wrapf(err, "list resources, offset %d", offset)
+		}
+
+		for _, res := range resources {
+			if res.ExternalLink == "" {
+				// not for object store
+				continue
+			}
+			if strings.Contains(res.ExternalLink, "?") && time.Since(time.Unix(res.UpdatedTs, 0)) < s3.LinkLifetime/2 {
+				// resource not signed (hack for migration)
+				// resource was recently updated - skipping
+				continue
+			}
+			newLink, err := objectStore.PreSignLink(ctx, res.ExternalLink)
+			if err != nil {
+				log.Warn("failed pre-sign link", zap.Int32("resource", res.ID), zap.String("link", res.ExternalLink), zap.Error(err))
+				continue // do not fail - we may want update left over links too
+			}
+			now := time.Now().Unix()
+			// we may want to use here transaction and batch update in the future
+			_, err = dataStore.UpdateResource(ctx, &store.UpdateResource{
+				ID:           res.ID,
+				UpdatedTs:    &now,
+				ExternalLink: &newLink,
+			})
+			if err != nil {
+				// something with DB - better to stop here
+				return errors.Wrapf(err, "update resource %d link to %q", res.ID, newLink)
+			}
+		}
+
+		offset += limit
+		if len(resources) < limit {
+			break
+		}
+	}
+	return nil
+}
+
+// findObjectStorage returns current default storage if it's S3-compatible or nil otherwise.
+// Returns error only in case of internal problems (ie: database or configuration issues).
+// May return nil client and nil error.
+func findObjectStorage(ctx context.Context, dataStore *store.Store) (*s3.Client, error) {
+	systemSettingStorageServiceID, err := dataStore.GetWorkspaceSetting(ctx, &store.FindWorkspaceSetting{Name: apiv1.SystemSettingStorageServiceIDName.String()})
+	if err != nil {
+		return nil, errors.Wrap(err, "Failed to find SystemSettingStorageServiceIDName")
+	}
+
+	storageServiceID := apiv1.DefaultStorage
+	if systemSettingStorageServiceID != nil {
+		err = json.Unmarshal([]byte(systemSettingStorageServiceID.Value), &storageServiceID)
+		if err != nil {
+			return nil, errors.Wrap(err, "Failed to unmarshal storage service id")
+		}
+	}
+	storage, err := dataStore.GetStorage(ctx, &store.FindStorage{ID: &storageServiceID})
+	if err != nil {
+		return nil, errors.Wrap(err, "Failed to find StorageServiceID")
+	}
+
+	if storage == nil {
+		return nil, nil // storage not configured - not an error, just return empty ref
+	}
+	storageMessage, err := apiv1.ConvertStorageFromStore(storage)
+
+	if err != nil {
+		return nil, errors.Wrap(err, "Failed to ConvertStorageFromStore")
+	}
+	if storageMessage.Type != apiv1.StorageS3 {
+		return nil, nil
+	}
+
+	s3Config := storageMessage.Config.S3Config
+	return s3.NewClient(ctx, &s3.Config{
+		AccessKey: s3Config.AccessKey,
+		SecretKey: s3Config.SecretKey,
+		EndPoint:  s3Config.EndPoint,
+		Region:    s3Config.Region,
+		Bucket:    s3Config.Bucket,
+		URLPrefix: s3Config.URLPrefix,
+		URLSuffix: s3Config.URLSuffix,
+		PreSign:   s3Config.PreSign,
+	})
+}

internal/log/logger.go

@@ -1,4 +1,3 @@
-// Package log implements a simple logging package.
 package log
 
 import (

internal/util/resource_name.go

@@ -0,0 +1,7 @@
+package util
+
+import "regexp"
+
+var (
+	ResourceNameMatcher = regexp.MustCompile("^[a-zA-Z0-9]([a-zA-Z0-9-]{1,30}[a-zA-Z0-9])$")
+)

internal/util/util.go

@@ -1,14 +1,24 @@
-package common
+package util
 
 import (
 	"crypto/rand"
 	"math/big"
 	"net/mail"
+	"strconv"
 	"strings"
 
 	"github.com/google/uuid"
 )
 
+// ConvertStringToInt32 converts a string to int32.
+func ConvertStringToInt32(src string) (int32, error) {
+	parsed, err := strconv.ParseInt(src, 10, 32)
+	if err != nil {
+		return 0, err
+	}
+	return int32(parsed), nil
+}
+
 // HasPrefixes returns true if the string s has any of the given prefixes.
 func HasPrefixes(src string, prefixes ...string) bool {
 	for _, prefix := range prefixes {

internal/util/util_test.go

@@ -1,4 +1,4 @@
-package common
+package util
 
 import (
 	"testing"

main.go

@@ -1,14 +0,0 @@
-package main
-
-import (
-	_ "github.com/mattn/go-sqlite3"
-
-	"github.com/usememos/memos/cmd"
-)
-
-func main() {
-	err := cmd.Execute()
-	if err != nil {
-		panic(err)
-	}
-}

plugin/gomark/README.md

@@ -1,3 +0,0 @@
-# gomark
-
-A markdown parser for memos. WIP

plugin/gomark/ast/ast.go

@@ -1,19 +0,0 @@
-package ast
-
-type Node struct {
-	Type     string
-	Text     string
-	Children []*Node
-}
-
-type Document struct {
-	Nodes []*Node
-}
-
-func NewDocument() *Document {
-	return &Document{}
-}
-
-func (d *Document) AddNode(node *Node) {
-	d.Nodes = append(d.Nodes, node)
-}