Go mod tidy

Signed-off-by: Asai Neko <sugar@sne.moe>
Add Exchange SMTP Oauth2 Support (not verified)
2026-01-08 00:52:35 +08:00 · 2026-01-07 18:32:27 +08:00 · 2026-01-06 15:19:54 +08:00 · 2026-01-06 12:49:55 +08:00 · 2026-01-06 11:36:08 +08:00 · 2026-01-06 11:27:23 +08:00
53 changed files with 2768 additions and 1043 deletions
--- a/.env.development
+++ b/.env.development
@@ -1,32 +1 @@
-
-SERVER_APPLICATION=nixcn-cms
-SERVER_ADDRESS=:8000
-SERVER_EXTERNAL_URL=http://test.sne.moe:8080
-SERVER_DEBUG_MODE=true
-SERVER_FILE_LOGGER=false
-
-DATABASE_TYPE=postgres
-DATABASE_HOST=localhost:5432
-DATABASE_NAME=postgres
-DATABASE_USERNAME=postgres
-DATABASE_PASSWORD=postgres
-
-CACHE_HOSTS=localhost:6379
-CACHE_MASTER=
-CACHE_USERNAME=
-CACHE_PASSWORD=
-CACHE_DB=0
-
-SEARCH_HOST=localhost
-SEARCH_API_KEY=
-
-EMAIL_RESEND_API_KEY=re_BMJaPVVB_kgdf1Go7n3dWVywp6hp4WmSA
-EMAIL_FROM=NixCN CMS Email Verify <nixcn@violet.sne.moe>
-
-SECRETS_JWT_SECRET=6Wd5xkDkF4XX5q2Ckq6TY6WX
-SECRETS_TURNSTILE_SECRET=0x4AAAAAACI5pgVONOZ0rzyAYsdUcoOBF8w
-
-TTL_MAGIC_LINK_TTL=10m
-TTL_ACCESS_TTL=15s
-TTL_REFRESH_TTL=168h
-TTL_CHECKIN_COSE_TTL=10m
+TZ=Asia/Shanghai
--- a/README.md
+++ b/README.md
@@ -1,2 +1,25 @@
 # nixcn-cms

+## Contribution
+
+1. **Root docs serve the zh-CN version** _[MUST]_
+2. **Use sign-off via `git commit -s`** _[MUST]_
+3. **Do not modify the `main` branch for any reason** _[MUST]_
+4. **Do not omit the commit subject for any reason** _[MUST]_
+5. **Describe all changes in the commit message** _[MUST]_
+6. **Rebase before submitting patches** _[MUST]_
+7. **Commit message written in english** _[MUST]_
+8. **Use OpenPGP/SSH for commit signing** _[MUST]_
+9. **Split commits for large or multi-part changes** _[OPTION]_
+10. **Have fun contributing :)** _[VERY NECESSARY]_
+
+## Toolchain
+
+- Nix
+- Devenv
+- Direnv
+
+## Notice
+
+1. Client and all nix files use 2 space tab.
+2. All Golang files and other configs use 4 space tab.
--- a/client/src/components/app-sidebar.tsx
+++ b/client/src/components/app-sidebar.tsx
@@ -7,7 +7,6 @@ import * as React from 'react';
 import NixOSLogo from '@/assets/nixos.svg?react';
 import { NavMain } from '@/components/nav-main';
 import { NavSecondary } from '@/components/nav-secondary';
-import { NavUser } from '@/components/nav-user';
 import {
  Sidebar,
  SidebarContent,
@@ -17,6 +16,7 @@ import {
  SidebarMenuButton,
  SidebarMenuItem,
 } from '@/components/ui/sidebar';
+import { NavUser } from './nav-user';

 const data = {
  user: {
@@ -48,7 +48,7 @@ export function AppSidebar({ ...props }: React.ComponentProps<typeof Sidebar>) {
          <SidebarMenuItem>
            <SidebarMenuButton
              asChild
-              className="data-[slot=sidebar-menu-button]:!p-1.5"
+              className="data-[slot=sidebar-menu-button]:p-1.5!"
            >
              <a href="#">
                <NixOSLogo />
--- a/client/src/components/checkin/qr-dialog.tsx
+++ b/client/src/components/checkin/qr-dialog.tsx
@@ -1,3 +1,4 @@
+import { useState } from 'react';
 import {
  Dialog,
  DialogContent,
@@ -14,9 +15,9 @@ import { Button } from '../ui/button';
 export function QrDialog(
  { eventId }: { eventId: string },
 ) {
-  const { data } = useCheckinCode(eventId);
+  const [open, setOpen] = useState(false);
  return (
-    <Dialog>
+    <Dialog open={open} onOpenChange={setOpen}>
      <DialogTrigger asChild>
        <Button className="w-20">签到</Button>
      </DialogTrigger>
@@ -27,21 +28,41 @@ export function QrDialog(
            请工作人员扫描下面的二维码为你签到。
          </DialogDescription>
        </DialogHeader>
-        <QrDialogContent checkinCode={data.data.checkin_code} />
+        <QrSection eventId={eventId} enabled={open} />
      </DialogContent>
    </Dialog>
  );
 }

-function QrDialogContent({ checkinCode }: { checkinCode: string }) {
+function QrSection({ eventId, enabled }: { eventId: string; enabled: boolean }) {
+  const { data } = useCheckinCode(eventId, enabled);
+  return data
+    ? (
+      <>
+        <div className="border-2 px-4 py-8 border-muted rounded-xl flex flex-col items-center justify-center p-4">
+          <QRCode data={data.data.checkin_code} className="size-60" />
+        </div>
+        <DialogFooter>
+          <div className="flex flex-1 items-center ml-2 font-mono text-3xl tracking-widest text-primary/80 justify-center">
+            {data.data.checkin_code}
+          </div>
+        </DialogFooter>
+      </>
+    )
+    : (
+      <QrSectionSkeleton />
+    );
+}
+
+function QrSectionSkeleton() {
  return (
    <>
      <div className="border-2 px-4 py-8 border-muted rounded-xl flex flex-col items-center justify-center p-4">
-        <QRCode data={checkinCode} className="size-60" />
+        <QRCode data="114514" className="size-60 blur-xs" />
      </div>
      <DialogFooter>
        <div className="flex flex-1 items-center ml-2 font-mono text-3xl tracking-widest text-primary/80 justify-center">
-          {checkinCode}
+          Loading...
        </div>
      </DialogFooter>
    </>
--- a/client/src/components/hoc/with-fallback.tsx
+++ b/client/src/components/hoc/with-fallback.tsx
@@ -0,0 +1,20 @@
+import type { ReactNode } from 'react';
+import React, { Suspense } from 'react';
+
+export function withFallback<P extends object>(
+  Component: React.ComponentType<P>,
+  fallback: ReactNode,
+) {
+  const Wrapped: React.FC<P> = (props) => {
+    return (
+      <Suspense fallback={fallback}>
+        <Component {...props} />
+      </Suspense>
+    );
+  };
+
+  Wrapped.displayName = `withFallback(${Component.displayName! || Component.name || 'Component'
+    })`;
+
+  return Wrapped;
+}
--- a/client/src/components/nav-user.tsx
+++ b/client/src/components/nav-user.tsx
@@ -24,8 +24,10 @@ import {
 } from '@/components/ui/sidebar';
 import { useUserInfo } from '@/hooks/data/useUserInfo';
 import { useLogout } from '@/hooks/useLogout';
+import { withFallback } from './hoc/with-fallback';
+import { Skeleton } from './ui/skeleton';

-export function NavUser() {
+function NavUser_() {
  const { isMobile } = useSidebar();
  const { data: user } = useUserInfo();
  const { logout } = useLogout();
@@ -83,3 +85,20 @@ export function NavUser() {
    </SidebarMenu>
  );
 }
+
+function NavUserSkeleton() {
+  return (
+    <SidebarMenuButton
+      size="lg"
+    >
+      <Skeleton className="h-8 w-8 rounded-lg" />
+      <div className="flex flex-col flex-1 gap-1">
+        <Skeleton className="h-3 w-16" />
+        <Skeleton className="h-3 w-24" />
+      </div>
+      <IconDotsVertical className="ml-auto size-4" />
+    </SidebarMenuButton>
+  );
+}
+
+export const NavUser = withFallback(NavUser_, <NavUserSkeleton />);
--- a/client/src/components/workbenchCards/card-skeleton.tsx
+++ b/client/src/components/workbenchCards/card-skeleton.tsx
@@ -0,0 +1,9 @@
+import { Skeleton } from '../ui/skeleton';
+
+export function CardSkeleton() {
+  return (
+    <Skeleton
+      className="gap-6 rounded-xl py-6 h-full"
+    />
+  );
+}
--- a/client/src/components/workbenchCards/checkin.tsx
+++ b/client/src/components/workbenchCards/checkin.tsx
@@ -2,29 +2,31 @@ import { Badge } from '@/components/ui/badge';
 import { Card, CardAction, CardDescription, CardFooter, CardHeader, CardTitle } from '@/components/ui/card';
 import { useUserInfo } from '@/hooks/data/useUserInfo';
 import { QrDialog } from '../checkin/qr-dialog';
+import { withFallback } from '../hoc/with-fallback';
+import { CardSkeleton } from './card-skeleton';

-export function CheckinCard() {
+function CheckinCard_() {
  const { data } = useUserInfo();
  return (
-    <>
-      <Card className="@container/card">
-        <CardHeader>
-          <CardDescription>签到状态</CardDescription>
-          <CardTitle className="text-2xl font-semibold tabular-nums @[250px]/card:text-3xl">
-            {data.checkin !== null ? '已签到' : '未签到'}
-            {data.checkin !== null && <span className="text-sm font-medium ml-2">{`${new Date(data.checkin).toLocaleString()}`}</span>}
-          </CardTitle>
-          <CardAction>
-            <Badge variant="outline">Day 1</Badge>
-          </CardAction>
-        </CardHeader>
-        <CardFooter className="flex-col items-start gap-1.5 text-sm">
-          <QrDialog
-            eventId="019b5bf2-90ce-75f5-93a4-a66914c2ef11"
-          >
-          </QrDialog>
-        </CardFooter>
-      </Card>
-    </>
+    <Card className="@container/card">
+      <CardHeader>
+        <CardDescription>签到状态</CardDescription>
+        <CardTitle className="text-2xl font-semibold tabular-nums @[250px]/card:text-3xl">
+          {data.checkin !== null ? '已签到' : '未签到'}
+          {data.checkin !== null && <span className="text-sm font-medium ml-2">{`${new Date(data.checkin).toLocaleString()}`}</span>}
+        </CardTitle>
+        <CardAction>
+          <Badge variant="outline">Day 1</Badge>
+        </CardAction>
+      </CardHeader>
+      <CardFooter className="flex-col items-start gap-1.5 text-sm">
+        <QrDialog
+          eventId="019b5bf2-90ce-75f5-93a4-a66914c2ef11"
+        >
+        </QrDialog>
+      </CardFooter>
+    </Card>
  );
 }
+
+export const CheckinCard = withFallback(CheckinCard_, <CardSkeleton />);
--- a/client/src/hooks/data/useGetCheckInCode.ts
+++ b/client/src/hooks/data/useGetCheckInCode.ts
@@ -1,8 +1,8 @@
-import { useSuspenseQuery } from '@tanstack/react-query';
+import { useQuery } from '@tanstack/react-query';
 import { axiosClient } from '@/lib/axios';

-export function useCheckinCode(eventId: string) {
-  return useSuspenseQuery({
+export function useCheckinCode(eventId: string, enabled: boolean) {
+  return useQuery({
    queryKey: ['getCheckinCode', eventId],
    queryFn: async () => {
      return axiosClient.get<{
@@ -13,5 +13,6 @@ export function useCheckinCode(eventId: string) {
        },
      });
    },
+    enabled,
  });
 }
--- a/client/src/routes/__root.tsx
+++ b/client/src/routes/__root.tsx
@@ -4,7 +4,24 @@ import { ThemeProvider } from '@/components/theme-provider';
 import { Toaster } from '@/components/ui/sonner';
 import '@/index.css';

-const queryClient = new QueryClient();
+const queryClient = new QueryClient({
+  defaultOptions: {
+    queries: {
+      retry: (failureCount, error: any) => {
+        // eslint-disable-next-line ts/no-unsafe-assignment
+        const status
+          // eslint-disable-next-line ts/no-unsafe-member-access
+          = error?.response?.status ?? error?.status;
+
+        if (status >= 400 && status < 500) {
+          return false;
+        }
+
+        return failureCount < 3;
+      },
+    },
+  },
+});

 function RootLayout() {
  return (
--- a/client/src/routes/_sidebarLayout/index.tsx
+++ b/client/src/routes/_sidebarLayout/index.tsx
@@ -13,18 +13,16 @@ export const Route = createFileRoute('/_sidebarLayout/')({
  },
 });

-function SectionCards() {
-  return (
-    <div className="*:data-[slot=card]:from-primary/5 *:data-[slot=card]:to-card dark:*:data-[slot=card]:bg-card grid grid-cols-1 gap-4 px-4 *:data-[slot=card]:bg-gradient-to-t *:data-[slot=card]:shadow-xs lg:px-6 @xl/main:grid-cols-2 @5xl/main:grid-cols-4">
-      <CheckinCard />
-    </div>
-  );
-}
-
 function Index() {
  return (
    <div className="flex flex-col gap-4 py-4 md:gap-6 md:py-6">
-      <SectionCards />
+      {/* Section Cards */}
+      <div className="*:data-[slot=card]:from-primary/5 *:data-[slot=card]:to-card dark:*:data-[slot=card]:bg-card
+        grid grid-cols-1 gap-4 px-4 auto-rows-[minmax(175px,auto)] items-stretch
+        *:data-[slot=card]:bg-linear-to-t *:data-[slot=card]:shadow-xs lg:px-6 @xl/main:grid-cols-2 @5xl/main:grid-cols-4"
+      >
+        <CheckinCard />
+      </div>
    </div>
  );
 }
--- a/config.default.yaml
+++ b/config.default.yaml
@@ -20,13 +20,28 @@ search:
    host: 127.0.0.1
    api_key: ""
 email:
-    resend_api_key: abc
+    host:
+    port:
+    username:
+    password:
+    security:
+    insecure_skip_verify:
    from:
+    auth:
+    oauth2:
+        tenant_id:
+        client_id:
+        client_secret:
+        scope:
 secrets:
-    jwt_secret: example
    turnstile_secret: example
+    client_secret_key: aes_32_byte_string
+    kyc_info_key: aes_32_byte_string
 ttl:
-    magic_link_ttl: 10m
-    jwt_ttl: 15s
-    refresh_ttl: 7d
-    checkin_code_ttl: 5m
+    auth_code_ttl: 10m
+    access_ttl: 15s
+    refresh_ttl: 168h
+    checkin_code_ttl: 10m
+kyc:
+    ali_access_key_id: example
+    ali_access_key_secret: example
--- a/config/types.go
+++ b/config/types.go
@@ -8,14 +8,15 @@ type config struct {
 	Email    email    `yaml:"email"`
 	Secrets  secrets  `yaml:"secrets"`
 	TTL      ttl      `yaml:"ttl"`
+	KYC      kyc      `yaml:"kyc"`
 }

 type server struct {
 	Application string `yaml:"application"`
 	Address     string `yaml:"address"`
+	ExternalUrl string `yaml:"external_url"`
 	DebugMode   string `yaml:"debug_mode"`
 	FileLogger  string `yaml:"file_logger"`
-	JwtSecret   string `yaml:"jwt_secret"`
 }

 type database struct {
@@ -39,19 +40,39 @@ type search struct {
 	ApiKey string `yaml:"api_key"`
 }

+type _email_oauth2 struct {
+	Tenantid     string `yaml:"tenant_id"`
+	ClientId     string `yaml:"client_id"`
+	ClientSecret string `yaml:"client_secret"`
+	Scope        string `yaml:"scope"`
+}
+
 type email struct {
-	ResendApiKey string `yaml:"resend_api_key"`
-	From         string `yaml:"from"`
+	Host               string        `yaml:"host"`
+	Port               string        `yaml:"port"`
+	Username           string        `yaml:"username"`
+	Password           string        `yaml:"password"`
+	Security           string        `yaml:"security"`
+	InsecureSkipVerify bool          `yaml:"insecure_skip_verify"`
+	From               string        `yaml:"from"`
+	Auth               string        `yaml:"auth"`
+	Oauth2             _email_oauth2 `yaml:"oauth2"`
 }

 type secrets struct {
-	JwtSecret       string `yaml:"jwt_secret"`
 	TurnstileSecret string `yaml:"turnstile_secret"`
+	ClientSecretKey string `yaml:"client_secret_key"`
+	KycInfoKey      string `yaml:"kyc_info_key"`
 }

 type ttl struct {
-	MagicLinkTTL   string `yaml:"magic_link_ttl"`
+	AuthCodeTTL    string `yaml:"auth_code_ttl"`
 	AccessTTL      string `yaml:"access_ttl"`
 	RefreshTTL     string `yaml:"refresh_ttl"`
 	CheckinCodeTTL string `yaml:"checkin_code_ttl"`
 }
+
+type kyc struct {
+	AliAccessKeyId     string `yaml:"ali_access_key_id"`
+	AliAccessKeySecret string `yaml:"ali_access_key_secret"`
+}
--- a/data/agenda.go
+++ b/data/agenda.go
@@ -0,0 +1,13 @@
+package data
+
+import "github.com/google/uuid"
+
+type Agenda struct {
+	Id          uint      `json:"id" gorm:"primarykey;autoIncrement"`
+	UUID        uuid.UUID `json:"uuid" gorm:"type:uuid;uniqueIndex;not null"`
+	AgendaId    uuid.UUID `json:"agenda_id" gorm:"type:uuid;uniqueIndex;not null"`
+	EventId     uuid.UUID `json:"event_id" gorm:"type:uuid;uniqueIndex:unique_event_user;not null"`
+	UserId      uuid.UUID `json:"user_id" gorm:"type:uuid;uniqueIndex:unique_event_user;not null"`
+	Name        string    `json:"name" gorm:"type:varchar(255);not null"`
+	Description string    `json:"description" gorm:"type:text;not null"`
+}
--- a/data/attendance.go
+++ b/data/attendance.go
@@ -0,0 +1,265 @@
+package data
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"math/rand"
+	"strings"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/meilisearch/meilisearch-go"
+	"github.com/spf13/viper"
+	"gorm.io/gorm"
+)
+
+type Attendance struct {
+	Id           uint      `json:"id" gorm:"primarykey;autoIncrement"`
+	UUID         uuid.UUID `json:"uuid" gorm:"type:uuid;uniqueIndex;not null"`
+	AttendanceId uuid.UUID `json:"attendance_id" gorm:"type:uuid;uniqueIndex;not null"`
+	EventId      uuid.UUID `json:"event_id" gorm:"type:uuid;uniqueIndex:unique_event_user;not null"`
+	UserId       uuid.UUID `json:"user_id" gorm:"type:uuid;uniqueIndex:unique_event_user;not null"`
+	Role         string    `json:"role" gorm:"type:varchar(255);not null"`
+	State        string    `json:"state" gorm:"type:varchar(255);not null"`
+	KycInfo      string    `json:"kyc_info" gorm:"type:text"`
+	CheckinAt    time.Time `json:"checkin_at"`
+}
+
+type AttendanceSearchDoc struct {
+	AttendanceId string    `json:"attendance_id"`
+	EventId      string    `json:"event_id"`
+	UserId       string    `json:"user_id"`
+	Role         string    `json:"role"`
+	CheckinAt    time.Time `json:"checkin_at"`
+}
+
+func (self *Attendance) GetAttendance(userId, eventId uuid.UUID) (*Attendance, error) {
+	var checkin Attendance
+
+	err := Database.
+		Where("user_id = ? AND event_id = ?", userId, eventId).
+		First(&checkin).Error
+
+	if err != nil {
+		if err == gorm.ErrRecordNotFound {
+			return nil, nil
+		}
+		return nil, err
+	}
+
+	return &checkin, err
+}
+
+type AttendanceUsers struct {
+	UserId    uuid.UUID `json:"user_id"`
+	Role      string    `json:"role"`
+	CheckinAt time.Time `json:"checkin_at"`
+}
+
+func (self *Attendance) GetUsersByEventID(eventID uuid.UUID) (*[]AttendanceUsers, error) {
+	var result []AttendanceUsers
+
+	err := Database.
+		Model(&Attendance{}).
+		Select("user_id, checkin_at").
+		Where("event_id = ?", eventID).
+		Order("checkin_at ASC").
+		Scan(&result).Error
+
+	return &result, err
+}
+
+type AttendanceEvent struct {
+	EventId   uuid.UUID `json:"event_id"`
+	CheckinAt time.Time `json:"checkin_at"`
+}
+
+func (self *Attendance) GetEventsByUserID(userID uuid.UUID) (*[]AttendanceEvent, error) {
+	var result []AttendanceEvent
+
+	err := Database.
+		Model(&Attendance{}).
+		Select("event_id, checkin_at").
+		Where("user_id = ?", userID).
+		Order("checkin_at ASC").
+		Scan(&result).Error
+
+	return &result, err
+}
+
+func (self *Attendance) Create() error {
+	self.UUID = uuid.New()
+	self.AttendanceId = uuid.New()
+
+	// DB transaction for strong consistency
+	err := Database.Transaction(func(tx *gorm.DB) error {
+		if err := tx.Create(&self).Error; err != nil {
+			return err
+		}
+		return nil
+	})
+	if err != nil {
+		return err
+	}
+
+	if err := self.UpdateSearchIndex(); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (self *Attendance) Update(attendanceId uuid.UUID, checkinTime *time.Time) (*Attendance, error) {
+	var attendance Attendance
+
+	err := Database.Transaction(func(tx *gorm.DB) error {
+		// Lock the row for update
+		if err := tx.
+			Where("attendance_id = ?", attendanceId).
+			First(&attendance).Error; err != nil {
+			return err
+		}
+
+		updates := map[string]any{}
+
+		if checkinTime != nil {
+			updates["checkin_at"] = *checkinTime
+		}
+
+		if len(updates) == 0 {
+			return nil
+		}
+
+		if err := tx.
+			Model(&attendance).
+			Updates(updates).Error; err != nil {
+			return err
+		}
+
+		// Reload to ensure struct is up to date
+		return tx.
+			Where("attendance_id = ?", attendanceId).
+			First(&attendance).Error
+	})
+
+	if err != nil {
+		return nil, err
+	}
+
+	// Sync to MeiliSearch (eventual consistency)
+	if err := attendance.UpdateSearchIndex(); err != nil {
+		return nil, err
+	}
+
+	return &attendance, nil
+}
+
+func (self *Attendance) SearchUsersByEvent(eventID string) (*meilisearch.SearchResponse, error) {
+	index := MeiliSearch.Index("attendance")
+
+	return index.Search("", &meilisearch.SearchRequest{
+		Filter: "event_id = \"" + eventID + "\"",
+		Sort:   []string{"checkin_at:asc"},
+	})
+}
+
+func (self *Attendance) SearchEventsByUser(userID string) (*meilisearch.SearchResponse, error) {
+	index := MeiliSearch.Index("attendance")
+
+	return index.Search("", &meilisearch.SearchRequest{
+		Filter: "user_id = \"" + userID + "\"",
+		Sort:   []string{"checkin_at:asc"},
+	})
+}
+
+func (self *Attendance) UpdateSearchIndex() error {
+	doc := AttendanceSearchDoc{
+		AttendanceId: self.AttendanceId.String(),
+		EventId:      self.EventId.String(),
+		UserId:       self.UserId.String(),
+		CheckinAt:    self.CheckinAt,
+	}
+
+	index := MeiliSearch.Index("attendance")
+
+	primaryKey := "attendance_id"
+	opts := &meilisearch.DocumentOptions{
+		PrimaryKey: &primaryKey,
+	}
+
+	if _, err := index.UpdateDocuments([]AttendanceSearchDoc{doc}, opts); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (self *Attendance) DeleteSearchIndex() error {
+	index := MeiliSearch.Index("attendance")
+	_, err := index.DeleteDocument(self.AttendanceId.String(), nil)
+	return err
+}
+
+func (self *Attendance) GenCheckinCode(eventId uuid.UUID) (*string, error) {
+	ctx := context.Background()
+	ttl := viper.GetDuration("ttl.checkin_code_ttl")
+	rng := rand.New(rand.NewSource(time.Now().UnixNano()))
+
+	for {
+		code := fmt.Sprintf("%06d", rng.Intn(900000)+100000)
+		ok, err := Redis.SetNX(
+			ctx,
+			"checkin_code:"+code,
+			"user_id:"+self.UserId.String()+":event_id:"+eventId.String(),
+			ttl,
+		).Result()
+		if err != nil {
+			return nil, err
+		}
+		if ok {
+			return &code, nil
+		}
+	}
+}
+
+func (self *Attendance) VerifyCheckinCode(checkinCode string) error {
+	ctx := context.Background()
+
+	val, err := Redis.Get(ctx, "checkin_code:"+checkinCode).Result()
+	if err != nil {
+		return errors.New("invalid or expired checkin code")
+	}
+
+	// Expected format: user_id:<uuid>:event_id:<uuid>
+	parts := strings.Split(val, ":")
+	if len(parts) != 4 {
+		return errors.New("invalid checkin code format")
+	}
+
+	userIdStr := parts[1]
+	eventIdStr := parts[3]
+
+	userId, err := uuid.Parse(userIdStr)
+	if err != nil {
+		return err
+	}
+
+	eventId, err := uuid.Parse(eventIdStr)
+	if err != nil {
+		return err
+	}
+
+	attendanceData, err := self.GetAttendance(userId, eventId)
+	if err != nil {
+		return err
+	}
+
+	time := time.Now()
+	_, err = self.Update(attendanceData.AttendanceId, &time)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
--- a/data/client.go
+++ b/data/client.go
@@ -0,0 +1,91 @@
+package data
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"nixcn-cms/internal/cryptography"
+	"strings"
+
+	"github.com/google/uuid"
+	"github.com/spf13/viper"
+	"gorm.io/datatypes"
+)
+
+type Client struct {
+	Id           uint           `json:"id" gorm:"primaryKey;autoIncrement"`
+	UUID         uuid.UUID      `json:"uuid" gorm:"type:uuid;uniqueIndex;not null"`
+	ClientId     string         `json:"client_id" gorm:"type:varchar(255);uniqueIndex;not null"`
+	ClientSecret string         `json:"client_secret" gorm:"type:varchar(255);not null"`
+	ClientName   string         `json:"client_name" gorm:"type:varchar(255);uniqueIndex;not null"`
+	RedirectUri  datatypes.JSON `json:"redirect_uri" gorm:"type:json;not null"`
+}
+
+func (self *Client) GetClientByClientId(clientId string) (*Client, error) {
+	var client Client
+	if err := Database.
+		Where("client_id = ?", clientId).
+		First(&client).Error; err != nil {
+		return nil, err
+	}
+	return &client, nil
+}
+
+func (self *Client) GetDecryptedSecret() (string, error) {
+	secretKey := viper.GetString("secrets.client_secret_key")
+	secret, err := cryptography.AESCBCDecrypt(self.ClientSecret, []byte(secretKey))
+	return string(secret), err
+}
+
+type ClientParams struct {
+	ClientId    string
+	ClientName  string
+	RedirectUri []string
+}
+
+func (self *Client) Create(params *ClientParams) (*Client, error) {
+	jsonRedirectUri, err := json.Marshal(params.RedirectUri)
+	if err != nil {
+		return nil, err
+	}
+
+	encKey := viper.GetString("secrets.client_secret_key")
+	b := make([]byte, 32)
+	if _, err := rand.Read(b); err != nil {
+		return nil, err
+	}
+	clientSecret := base64.RawURLEncoding.EncodeToString(b)
+	encryptedSecret, err := cryptography.AESCBCEncrypt([]byte(clientSecret), []byte(encKey))
+	if err != nil {
+		return nil, err
+	}
+
+	client := &Client{
+		UUID:         uuid.New(),
+		ClientId:     params.ClientId,
+		ClientSecret: encryptedSecret,
+		ClientName:   params.ClientName,
+		RedirectUri:  jsonRedirectUri,
+	}
+
+	if err := Database.Create(&client).Error; err != nil {
+		return nil, err
+	}
+
+	return client, nil
+}
+
+func (self *Client) ValidateRedirectURI(redirectURI string) error {
+	var uris []string
+	if err := json.Unmarshal(self.RedirectUri, &uris); err != nil {
+		return err
+	}
+
+	for _, prefix := range uris {
+		if strings.HasPrefix(redirectURI, prefix) {
+			return nil
+		}
+	}
+	return errors.New("redirect uri not match")
+}
--- a/data/data.go
+++ b/data/data.go
@@ -35,7 +35,7 @@ func Init() {
 	}

 	// Auto migrate
-	err = db.AutoMigrate(&User{}, &Event{})
+	err = db.AutoMigrate(&User{}, &Event{}, &Attendance{}, &Client{})
 	if err != nil {
 		log.Error("[Database] Error migrating database: ", err)
 	}
--- a/data/event.go
+++ b/data/event.go
@@ -1,122 +1,101 @@
 package data

 import (
-	"errors"
-	"slices"
 	"time"

 	"github.com/go-viper/mapstructure/v2"
 	"github.com/google/uuid"
 	"github.com/meilisearch/meilisearch-go"
-	"gorm.io/datatypes"
 	"gorm.io/gorm"
-	"gorm.io/gorm/clause"
 )

 type Event struct {
-	Id          uint                           `json:"id" gorm:"primarykey;autoincrement"`
-	UUID        uuid.UUID                      `json:"uuid" gorm:"type:uuid;uniqueIndex;not null"`
-	EventId     uuid.UUID                      `json:"event_id" gorm:"type:uuid;uniqueIndex;not null"`
-	Name        string                         `json:"name" gorm:"type:varchar(255);index;not null"`
-	StartTime   time.Time                      `json:"start_time" gorm:"index"`
-	EndTime     time.Time                      `json:"end_time" gorm:"index"`
-	JoinedUsers datatypes.JSONSlice[uuid.UUID] `json:"joined_users"`
+	Id          uint      `json:"id" gorm:"primarykey;autoincrement"`
+	UUID        uuid.UUID `json:"uuid" gorm:"type:uuid;uniqueIndex;not null"`
+	EventId     uuid.UUID `json:"event_id" gorm:"type:uuid;uniqueIndex;not null"`
+	Name        string    `json:"name" gorm:"type:varchar(255);index;not null"`
+	Type        string    `json:"type" gotm:"type:varchar(255);index;not null"`
+	Description string    `json:"description" gorm:"type:text;not null"`
+	StartTime   time.Time `json:"start_time" gorm:"index"`
+	EndTime     time.Time `json:"end_time" gorm:"index"`
+	Owner       uuid.UUID `json:"owner" gorm:"type:uuid;index;not null"`
+	EnableKYC   bool      `json:"enable_kyc" gorm:"not null"`
 }

 type EventSearchDoc struct {
-	EventId   string    `json:"event_id"`
-	Name      string    `json:"name"`
-	StartTime time.Time `json:"start_time"`
-	EndTime   time.Time `json:"end_time"`
+	EventId     string    `json:"event_id"`
+	Name        string    `json:"name"`
+	Type        string    `json:"type"`
+	Description string    `json:"description"`
+	StartTime   time.Time `json:"start_time"`
+	EndTime     time.Time `json:"end_time"`
 }

-func (self *Event) GetEventById(eventId uuid.UUID) error {
-	return Database.Transaction(func(tx *gorm.DB) error {
-		if err := tx.Where("event_id = ?", eventId).First(&self).Error; err != nil {
-			return err
+func (self *Event) GetEventById(eventId uuid.UUID) (*Event, error) {
+	var event Event
+
+	err := Database.
+		Where("event_id = ?", eventId).
+		First(&event).Error
+
+	if err != nil {
+		if err == gorm.ErrRecordNotFound {
+			return nil, nil
 		}
-		return nil
-	})
+		return nil, err
+	}
+
+	return &event, nil
 }

 func (self *Event) UpdateEventById(eventId uuid.UUID) error {
-	return Database.Transaction(func(tx *gorm.DB) error {
-		if err := tx.Model(&Event{}).Where("event_id = ?", eventId).Updates(&self).Error; err != nil {
-			return err
-		}
-
-		// Update event to document index
-		doc := EventSearchDoc{
-			EventId:   self.EventId.String(),
-			Name:      self.Name,
-			StartTime: self.StartTime,
-			EndTime:   self.EndTime,
-		}
-		index := MeiliSearch.Index("event")
-		docPrimaryKey := "event_id"
-		meiliOptions := &meilisearch.DocumentOptions{PrimaryKey: &docPrimaryKey}
-		if _, err := index.UpdateDocuments([]EventSearchDoc{doc}, meiliOptions); err != nil {
-			return err
-		}
-
-		return nil
-	})
-}
-
-func (self *Event) CreateEvent() error {
-	if self.UUID == uuid.Nil {
-		self.UUID = uuid.New()
-	}
-	if self.EventId == uuid.Nil {
-		self.EventId = uuid.New()
-	}
-
-	return Database.Transaction(func(tx *gorm.DB) error {
-		if err := tx.Create(&self).Error; err != nil {
-			return err
-		}
-
-		// Add event to document index
-		doc := EventSearchDoc{
-			EventId:   self.EventId.String(),
-			Name:      self.Name,
-			StartTime: self.StartTime,
-			EndTime:   self.EndTime,
-		}
-		index := MeiliSearch.Index("event")
-		docPrimaryKey := "event_id"
-		meiliOptions := &meilisearch.DocumentOptions{PrimaryKey: &docPrimaryKey}
-		if _, err := index.AddDocuments([]EventSearchDoc{doc}, meiliOptions); err != nil {
-			return err
-		}
-
-		return nil
-	})
-}
-
-func (self *Event) UserJoinEvent(userId, eventId uuid.UUID) error {
-	return Database.Transaction(func(tx *gorm.DB) error {
-		var event Event
-		if err := tx.Clauses(clause.Locking{Strength: "UPDATE"}).
+	// DB transaction
+	if err := Database.Transaction(func(tx *gorm.DB) error {
+		// Update by business key
+		if err := tx.
+			Model(&Event{}).
 			Where("event_id = ?", eventId).
-			First(&event).Error; err != nil {
+			Updates(self).Error; err != nil {
 			return err
 		}

-		// Check if user already joined
-		if slices.Contains(event.JoinedUsers, userId) {
-			return errors.New("user already joined")
-		}
+		// Reload to ensure struct is fresh
+		return tx.
+			Where("event_id = ?", eventId).
+			First(self).Error
+	}); err != nil {
+		return err
+	}

-		// Add user to list
-		event.JoinedUsers = append(event.JoinedUsers, userId)
-		if err := tx.Model(&Event{}).Where("event_id = ?", eventId).Update("joined_users", event.JoinedUsers).Error; err != nil {
+	// Sync search index
+	if err := self.UpdateSearchIndex(); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (self *Event) Create() error {
+	self.UUID = uuid.New()
+	self.EventId = uuid.New()
+
+	// DB transaction only
+	if err := Database.Transaction(func(tx *gorm.DB) error {
+		if err := tx.Create(self).Error; err != nil {
 			return err
 		}
-
-		*self = event
 		return nil
-	})
+	}); err != nil {
+		return err
+	}
+
+	// Search index (eventual consistency)
+	if err := self.UpdateSearchIndex(); err != nil {
+		// TODO: async retry / log
+		return err
+	}
+
+	return nil
 }

 func (self *Event) GetFullTable() (*[]Event, error) {
@@ -130,6 +109,8 @@ func (self *Event) GetFullTable() (*[]Event, error) {

 func (self *Event) FastListEvents(limit, offset int64) (*[]EventSearchDoc, error) {
 	index := MeiliSearch.Index("event")
+
+	// Fast read from MeiliSearch (no DB involved)
 	result, err := index.Search("", &meilisearch.SearchRequest{
 		Limit:  limit,
 		Offset: offset,
@@ -137,9 +118,40 @@ func (self *Event) FastListEvents(limit, offset int64) (*[]EventSearchDoc, error
 	if err != nil {
 		return nil, err
 	}
+
 	var list []EventSearchDoc
 	if err := mapstructure.Decode(result.Hits, &list); err != nil {
 		return nil, err
 	}
+
 	return &list, nil
 }
+
+func (self *Event) UpdateSearchIndex() error {
+	doc := EventSearchDoc{
+		EventId:     self.EventId.String(),
+		Name:        self.Name,
+		Type:        self.Type,
+		Description: self.Description,
+		StartTime:   self.StartTime,
+		EndTime:     self.EndTime,
+	}
+	index := MeiliSearch.Index("event")
+
+	primaryKey := "event_id"
+	opts := &meilisearch.DocumentOptions{
+		PrimaryKey: &primaryKey,
+	}
+
+	if _, err := index.UpdateDocuments([]EventSearchDoc{doc}, opts); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (self *Event) DeleteSearchIndex() error {
+	index := MeiliSearch.Index("event")
+	_, err := index.DeleteDocument(self.EventId.String(), nil)
+	return err
+}
--- a/data/user.go
+++ b/data/user.go
@@ -1,133 +1,91 @@
 package data

 import (
-	"context"
-	"errors"
-	"fmt"
-	"math/rand"
-	"strings"
-	"time"
-
 	"github.com/go-viper/mapstructure/v2"
 	"github.com/google/uuid"
 	"github.com/meilisearch/meilisearch-go"
-	"github.com/spf13/viper"
-	"gorm.io/datatypes"
 	"gorm.io/gorm"
-	"gorm.io/gorm/clause"
 )

-// Permission Level
-// Banned User: 0
-// Normal User: 10
-// Admin User: 20
-// Super User: 30
-
 type User struct {
-	Id              uint              `json:"id" gorm:"primarykey;autoincrement"`
-	UUID            uuid.UUID         `json:"uuid" gorm:"type:uuid;uniqueindex;not null"`
-	UserId          uuid.UUID         `json:"user_id" gorm:"type:uuid;uniqueindex;not null"`
-	Email           string            `json:"email" gorm:"type:varchar(255);uniqueindex;not null"`
-	Type            string            `json:"type" gorm:"type:varchar(32);index;not null"`
-	Nickname        string            `json:"nickname"`
-	Subtitle        string            `json:"subtitle"`
-	Avatar          string            `json:"avatar"`
-	Checkin         datatypes.JSONMap `json:"checkin"`
-	PermissionLevel uint              `json:"permission_level" gorm:"default:10;not null"`
+	Id              uint      `json:"id" gorm:"primarykey;autoincrement"`
+	UUID            uuid.UUID `json:"uuid" gorm:"type:uuid;uniqueindex;not null"`
+	UserId          uuid.UUID `json:"user_id" gorm:"type:uuid;uniqueindex;not null"`
+	Email           string    `json:"email" gorm:"type:varchar(255);uniqueindex;not null"`
+	Username        string    `json:"username" gorm:"type:varchar(255);uniqueindex;not null"`
+	Nickname        string    `json:"nickname" gorm:"type:text"`
+	Subtitle        string    `json:"subtitle" gorm:"type:text"`
+	Avatar          string    `json:"avatar" gorm:"type:text"`
+	Bio             string    `json:"bio" gorm:"type:text"`
+	PermissionLevel uint      `json:"permission_level" gorm:"default:10;not null"`
+	AllowPublic     bool      `json:"allow_public" gorm:"default:false;not null"`
 }

 type UserSearchDoc struct {
-	UserId          string `json:"user_id"`
-	Email           string `json:"email"`
-	Type            string `json:"type"`
-	Nickname        string `json:"nickname"`
-	Subtitle        string `json:"subtitle"`
-	Avatar          string `json:"avatar"`
-	PermissionLevel uint   `json:"permission_level"`
+	UserId   string `json:"user_id"`
+	Email    string `json:"email"`
+	Username string `json:"username"`
+	Type     string `json:"type"`
+	Nickname string `json:"nickname"`
+	Subtitle string `json:"subtitle"`
+	Avatar   string `json:"avatar"`
 }

-func (self *User) GetByEmail(email string) error {
-	if err := Database.Where("email = ?", email).First(&self).Error; err != nil {
-		return err
+func (self *User) GetByEmail(email string) (*User, error) {
+	var user User
+
+	err := Database.
+		Where("email = ?", email).
+		First(&user).Error
+
+	if err != nil {
+		if err == gorm.ErrRecordNotFound {
+			return nil, nil
+		}
+		return nil, err
 	}
-	return nil
+
+	return &user, nil
 }

-func (self *User) GetByUserId(userId uuid.UUID) error {
-	if err := Database.Where("user_id = ?", userId).First(&self).Error; err != nil {
-		return err
+func (self *User) GetByUserId(userId uuid.UUID) (*User, error) {
+	var user User
+
+	err := Database.
+		Where("user_id = ?", userId).
+		First(&user).Error
+
+	if err != nil {
+		if err == gorm.ErrRecordNotFound {
+			return nil, nil
+		}
+		return nil, err
 	}
-	return nil
-}

-func (self *User) UpdateCheckin(userId, eventId uuid.UUID, time time.Time) error {
-	return Database.Transaction(func(tx *gorm.DB) error {
-		if err := tx.
-			Clauses(clause.Locking{Strength: "UPDATE"}).
-			Where("user_id = ?", userId).
-			First(self).Error; err != nil {
-			return err // if error then rollback
-		}
-
-		self.Checkin = datatypes.JSONMap{eventId.String(): time}
-
-		if err := tx.Save(self).Error; err != nil {
-			return err // rollback
-		}
-
-		// Update user to document index
-		doc := UserSearchDoc{
-			UserId:          self.UserId.String(),
-			Email:           self.Email,
-			Type:            self.Type,
-			Nickname:        self.Nickname,
-			Subtitle:        self.Subtitle,
-			Avatar:          self.Avatar,
-			PermissionLevel: self.PermissionLevel,
-		}
-		index := MeiliSearch.Index("user")
-		docPrimaryKey := "user_id"
-		meiliOptions := &meilisearch.DocumentOptions{PrimaryKey: &docPrimaryKey}
-		if _, err := index.UpdateDocuments([]UserSearchDoc{doc}, meiliOptions); err != nil {
-			return err
-		}
-
-		return nil // commit
-	})
+	return &user, err
 }

 func (self *User) Create() error {
-	return Database.Transaction(func(tx *gorm.DB) error {
-		if self.UUID == uuid.Nil {
-			self.UUID = uuid.New()
-		}
-		if self.UserId == uuid.Nil {
-			self.UserId = uuid.New()
-		}
+	self.UUID = uuid.New()
+	self.UserId = uuid.New()

+	// DB transaction only
+	if err := Database.Transaction(func(tx *gorm.DB) error {
 		if err := tx.Create(self).Error; err != nil {
 			return err
 		}
-
-		// Create user to document index
-		doc := UserSearchDoc{
-			UserId:          self.UserId.String(),
-			Email:           self.Email,
-			Type:            self.Type,
-			Nickname:        self.Nickname,
-			Subtitle:        self.Subtitle,
-			Avatar:          self.Avatar,
-			PermissionLevel: self.PermissionLevel,
-		}
-		index := MeiliSearch.Index("user")
-		docPrimaryKey := "user_id"
-		meiliOptions := &meilisearch.DocumentOptions{PrimaryKey: &docPrimaryKey}
-		if _, err := index.AddDocuments([]UserSearchDoc{doc}, meiliOptions); err != nil {
-			return err
-		}
-
 		return nil
-	})
+	}); err != nil {
+		return err
+	}
+
+	// Search index (eventual consistency)
+	if err := self.UpdateSearchIndex(); err != nil {
+		// TODO: async retry / log
+		return err
+	}
+
+	return nil
 }

 func (self *User) UpdateByUserID(userId uuid.UUID) error {
@@ -150,6 +108,8 @@ func (self *User) GetFullTable() (*[]User, error) {

 func (self *User) FastListUsers(limit, offset int64) (*[]UserSearchDoc, error) {
 	index := MeiliSearch.Index("user")
+
+	// Fast read from MeiliSearch, no DB involved
 	result, err := index.Search("", &meilisearch.SearchRequest{
 		Limit:  limit,
 		Offset: offset,
@@ -157,75 +117,43 @@ func (self *User) FastListUsers(limit, offset int64) (*[]UserSearchDoc, error) {
 	if err != nil {
 		return nil, err
 	}
+
 	var list []UserSearchDoc
 	if err := mapstructure.Decode(result.Hits, &list); err != nil {
 		return nil, err
 	}
+
 	return &list, nil
 }

-func (self *User) GenCheckinCode(eventId uuid.UUID) (*string, error) {
-	ctx := context.Background()
-	ttl := viper.GetDuration("ttl.checkin_code_ttl")
-	rng := rand.New(rand.NewSource(time.Now().UnixNano()))
-
-	for {
-		code := fmt.Sprintf("%06d", rng.Intn(900000)+100000)
-		ok, err := Redis.SetNX(
-			ctx,
-			"checkin_code:"+code,
-			"user_id:"+self.UserId.String()+":event_id:"+eventId.String(),
-			ttl,
-		).Result()
-		if err != nil {
-			return nil, err
-		}
-		if ok {
-			return &code, nil
-		}
+func (self *User) UpdateSearchIndex() error {
+	doc := UserSearchDoc{
+		UserId:   self.UserId.String(),
+		Email:    self.Email,
+		Username: self.Username,
+		Nickname: self.Nickname,
+		Subtitle: self.Subtitle,
+		Avatar:   self.Avatar,
 	}
+	index := MeiliSearch.Index("user")
+
+	primaryKey := "user_id"
+	opts := &meilisearch.DocumentOptions{
+		PrimaryKey: &primaryKey,
+	}
+
+	if _, err := index.UpdateDocuments(
+		[]UserSearchDoc{doc},
+		opts,
+	); err != nil {
+		return err
+	}
+
+	return nil
 }

-func (self *User) VerifyCheckinCode(checkinCode string) (*uuid.UUID, error) {
-	ctx := context.Background()
-
-	result := Redis.Get(ctx, "checkin_code:"+checkinCode).String()
-
-	if result == "" {
-		return nil, errors.New("invalid or expired checkin code")
-	}
-
-	split := strings.Split(result, ":")
-	if len(split) < 2 {
-		return nil, errors.New("invalid checkin code format")
-	}
-
-	userId := split[0]
-	eventId := split[1]
-
-	var returnedUserId uuid.UUID
-	err := Database.Transaction(func(tx *gorm.DB) error {
-		checkinData := map[string]interface{}{
-			eventId: time.Now(),
-		}
-
-		if err := tx.Model(&User{}).Where("user_id = ?", userId).Updates(map[string]interface{}{
-			"checkin": checkinData,
-		}).Error; err != nil {
-			return err
-		}
-
-		parsedUserId, err := uuid.Parse(userId)
-		if err != nil {
-			return err
-		}
-		returnedUserId = parsedUserId
-		return nil
-	})
-
-	if err != nil {
-		return nil, err
-	}
-
-	return &returnedUserId, nil
+func (self *User) DeleteSearchIndex() error {
+	index := MeiliSearch.Index("user")
+	_, err := index.DeleteDocument(self.UserId.String(), nil)
+	return err
 }
--- a/devenv.nix
+++ b/devenv.nix
@@ -8,6 +8,7 @@
  packages = [
    pkgs.git
    pkgs.just
+    pkgs.watchexec
  ];

  dotenv = {
@@ -32,11 +33,7 @@
      exec = "bun run dev";
      cwd = "./client";
    };
-    backend.exec = "just run";
-  };
-
-  tasks = {
-    "backend:build".exec = "just clean && just build";
+    backend.exec = "just dev-back";
  };

  services = {
--- a/go.mod
+++ b/go.mod
@@ -2,70 +2,84 @@ module nixcn-cms

 go 1.25.5

+require (
+	github.com/alibabacloud-go/cloudauth-20190307/v4 v4.12.1
+	github.com/alibabacloud-go/darabonba-openapi/v2 v2.1.13
+	github.com/alibabacloud-go/tea v1.3.13
+	github.com/alibabacloud-go/tea-utils/v2 v2.0.7
+	github.com/aliyun/credentials-go v1.4.5
+	github.com/gin-gonic/gin v1.11.0
+	github.com/go-viper/mapstructure/v2 v2.4.0
+	github.com/golang-jwt/jwt/v5 v5.3.0
+	github.com/google/uuid v1.6.0
+	github.com/meilisearch/meilisearch-go v0.35.0
+	github.com/redis/go-redis/v9 v9.17.2
+	github.com/sirupsen/logrus v1.9.3
+	github.com/spf13/viper v1.21.0
+	golang.org/x/crypto v0.46.0
+	golang.org/x/oauth2 v0.34.0
+	gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df
+	gorm.io/datatypes v1.2.7
+	gorm.io/driver/postgres v1.6.0
+	gorm.io/gorm v1.31.1
+)
+
 require (
 	filippo.io/edwards25519 v1.1.0 // indirect
+	github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.5 // indirect
+	github.com/alibabacloud-go/debug v1.0.1 // indirect
+	github.com/alibabacloud-go/openapi-util v0.1.1 // indirect
 	github.com/andybalholm/brotli v1.1.1 // indirect
 	github.com/bytedance/gopkg v0.1.3 // indirect
 	github.com/bytedance/sonic v1.14.2 // indirect
 	github.com/bytedance/sonic/loader v0.4.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/clbanning/mxj/v2 v2.7.0 // indirect
 	github.com/cloudwego/base64x v0.1.6 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.12 // indirect
 	github.com/gin-contrib/sse v1.1.0 // indirect
-	github.com/gin-gonic/gin v1.11.0 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-playground/validator/v10 v10.29.0 // indirect
 	github.com/go-sql-driver/mysql v1.8.1 // indirect
-	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
 	github.com/goccy/go-yaml v1.19.1 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
-	github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
-	github.com/google/uuid v1.6.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
 	github.com/jackc/pgx/v5 v5.6.0 // indirect
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
-	github.com/joho/godotenv v1.5.1 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/meilisearch/meilisearch-go v0.35.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/quic-go/qpack v0.6.0 // indirect
 	github.com/quic-go/quic-go v0.57.1 // indirect
-	github.com/redis/go-redis/v9 v9.17.2 // indirect
 	github.com/sagikazarmark/locafero v0.11.0 // indirect
-	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect
 	github.com/spf13/afero v1.15.0 // indirect
 	github.com/spf13/cast v1.10.0 // indirect
 	github.com/spf13/pflag v1.0.10 // indirect
-	github.com/spf13/viper v1.21.0 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
+	github.com/tjfoc/gmsm v1.4.1 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.3.1 // indirect
 	go.uber.org/mock v0.6.0 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/arch v0.23.0 // indirect
-	golang.org/x/crypto v0.46.0 // indirect
-	golang.org/x/mod v0.31.0 // indirect
 	golang.org/x/net v0.48.0 // indirect
 	golang.org/x/sync v0.19.0 // indirect
 	golang.org/x/sys v0.39.0 // indirect
 	golang.org/x/text v0.32.0 // indirect
-	golang.org/x/tools v0.40.0 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
-	gorm.io/datatypes v1.2.7 // indirect
+	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
 	gorm.io/driver/mysql v1.5.6 // indirect
-	gorm.io/driver/postgres v1.6.0 // indirect
-	gorm.io/gorm v1.31.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -1,21 +1,85 @@
+cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
+github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/alibabacloud-go/alibabacloud-gateway-pop v0.0.6 h1:eIf+iGJxdU4U9ypaUfbtOWCsZSbTb8AUHvyPrxu6mAA=
+github.com/alibabacloud-go/alibabacloud-gateway-pop v0.0.6/go.mod h1:4EUIoxs/do24zMOGGqYVWgw0s9NtiylnJglOeEB5UJo=
+github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4/go.mod h1:sCavSAvdzOjul4cEqeVtvlSaSScfNsTQ+46HwlTL1hc=
+github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.5 h1:zE8vH9C7JiZLNJJQ5OwjU9mSi4T9ef9u3BURT6LCLC8=
+github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.5/go.mod h1:tWnyE9AjF8J8qqLk645oUmVUnFybApTQWklQmi5tY6g=
+github.com/alibabacloud-go/cloudauth-20190307/v4 v4.12.1 h1:bVUYai/CnqhFMcofU8TsJGnZEf9zCB1WakLxh0zmpjQ=
+github.com/alibabacloud-go/cloudauth-20190307/v4 v4.12.1/go.mod h1:m3NrP7nlncob5/2ATBk0thsZAozpDy/+vUG4ZuXwdR8=
+github.com/alibabacloud-go/darabonba-array v0.1.0 h1:vR8s7b1fWAQIjEjWnuF0JiKsCvclSRTfDzZHTYqfufY=
+github.com/alibabacloud-go/darabonba-array v0.1.0/go.mod h1:BLKxr0brnggqOJPqT09DFJ8g3fsDshapUD3C3aOEFaI=
+github.com/alibabacloud-go/darabonba-encode-util v0.0.2 h1:1uJGrbsGEVqWcWxrS9MyC2NG0Ax+GpOM5gtupki31XE=
+github.com/alibabacloud-go/darabonba-encode-util v0.0.2/go.mod h1:JiW9higWHYXm7F4PKuMgEUETNZasrDM6vqVr/Can7H8=
+github.com/alibabacloud-go/darabonba-map v0.0.2 h1:qvPnGB4+dJbJIxOOfawxzF3hzMnIpjmafa0qOTp6udc=
+github.com/alibabacloud-go/darabonba-map v0.0.2/go.mod h1:28AJaX8FOE/ym8OUFWga+MtEzBunJwQGceGQlvaPGPc=
+github.com/alibabacloud-go/darabonba-openapi/v2 v2.1.13 h1:Q00FU3H94Ts0ZIHDmY+fYGgB7dV9D/YX6FGsgorQPgw=
+github.com/alibabacloud-go/darabonba-openapi/v2 v2.1.13/go.mod h1:lxFGfobinVsQ49ntjpgWghXmIF0/Sm4+wvBJ1h5RtaE=
+github.com/alibabacloud-go/darabonba-signature-util v0.0.7 h1:UzCnKvsjPFzApvODDNEYqBHMFt1w98wC7FOo0InLyxg=
+github.com/alibabacloud-go/darabonba-signature-util v0.0.7/go.mod h1:oUzCYV2fcCH797xKdL6BDH8ADIHlzrtKVjeRtunBNTQ=
+github.com/alibabacloud-go/darabonba-string v1.0.2 h1:E714wms5ibdzCqGeYJ9JCFywE5nDyvIXIIQbZVFkkqo=
+github.com/alibabacloud-go/darabonba-string v1.0.2/go.mod h1:93cTfV3vuPhhEwGGpKKqhVW4jLe7tDpo3LUM0i0g6mA=
+github.com/alibabacloud-go/debug v0.0.0-20190504072949-9472017b5c68/go.mod h1:6pb/Qy8c+lqua8cFpEy7g39NRRqOWc3rOwAy8m5Y2BY=
+github.com/alibabacloud-go/debug v1.0.0/go.mod h1:8gfgZCCAC3+SCzjWtY053FrOcd4/qlH6IHTI4QyICOc=
+github.com/alibabacloud-go/debug v1.0.1 h1:MsW9SmUtbb1Fnt3ieC6NNZi6aEwrXfDksD4QA6GSbPg=
+github.com/alibabacloud-go/debug v1.0.1/go.mod h1:8gfgZCCAC3+SCzjWtY053FrOcd4/qlH6IHTI4QyICOc=
+github.com/alibabacloud-go/endpoint-util v1.1.0 h1:r/4D3VSw888XGaeNpP994zDUaxdgTSHBbVfZlzf6b5Q=
+github.com/alibabacloud-go/endpoint-util v1.1.0/go.mod h1:O5FuCALmCKs2Ff7JFJMudHs0I5EBgecXXxZRyswlEjE=
+github.com/alibabacloud-go/openapi-util v0.1.0/go.mod h1:sQuElr4ywwFRlCCberQwKRFhRzIyG4QTP/P4y1CJ6Ws=
+github.com/alibabacloud-go/openapi-util v0.1.1 h1:ujGErJjG8ncRW6XtBBMphzHTvCxn4DjrVw4m04HsS28=
+github.com/alibabacloud-go/openapi-util v0.1.1/go.mod h1:/UehBSE2cf1gYT43GV4E+RxTdLRzURImCYY0aRmlXpw=
+github.com/alibabacloud-go/tea v1.1.0/go.mod h1:IkGyUSX4Ba1V+k4pCtJUc6jDpZLFph9QMy2VUPTwukg=
+github.com/alibabacloud-go/tea v1.1.7/go.mod h1:/tmnEaQMyb4Ky1/5D+SE1BAsa5zj/KeGOFfwYm3N/p4=
+github.com/alibabacloud-go/tea v1.1.8/go.mod h1:/tmnEaQMyb4Ky1/5D+SE1BAsa5zj/KeGOFfwYm3N/p4=
+github.com/alibabacloud-go/tea v1.1.11/go.mod h1:/tmnEaQMyb4Ky1/5D+SE1BAsa5zj/KeGOFfwYm3N/p4=
+github.com/alibabacloud-go/tea v1.1.17/go.mod h1:nXxjm6CIFkBhwW4FQkNrolwbfon8Svy6cujmKFUq98A=
+github.com/alibabacloud-go/tea v1.1.20/go.mod h1:nXxjm6CIFkBhwW4FQkNrolwbfon8Svy6cujmKFUq98A=
+github.com/alibabacloud-go/tea v1.2.2/go.mod h1:CF3vOzEMAG+bR4WOql8gc2G9H3EkH3ZLAQdpmpXMgwk=
+github.com/alibabacloud-go/tea v1.3.13 h1:WhGy6LIXaMbBM6VBYcsDCz6K/TPsT1Ri2hPmmZffZ94=
+github.com/alibabacloud-go/tea v1.3.13/go.mod h1:A560v/JTQ1n5zklt2BEpurJzZTI8TUT+Psg2drWlxRg=
+github.com/alibabacloud-go/tea-utils v1.3.1/go.mod h1:EI/o33aBfj3hETm4RLiAxF/ThQdSngxrpF8rKUDJjPE=
+github.com/alibabacloud-go/tea-utils/v2 v2.0.5/go.mod h1:dL6vbUT35E4F4bFTHL845eUloqaerYBYPsdWR2/jhe4=
+github.com/alibabacloud-go/tea-utils/v2 v2.0.6/go.mod h1:qxn986l+q33J5VkialKMqT/TTs3E+U9MJpd001iWQ9I=
+github.com/alibabacloud-go/tea-utils/v2 v2.0.7 h1:WDx5qW3Xa5ZgJ1c8NfqJkF6w+AU5wB8835UdhPr6Ax0=
+github.com/alibabacloud-go/tea-utils/v2 v2.0.7/go.mod h1:qxn986l+q33J5VkialKMqT/TTs3E+U9MJpd001iWQ9I=
+github.com/aliyun/credentials-go v1.1.2/go.mod h1:ozcZaMR5kLM7pwtCMEpVmQ242suV6qTJya2bDq4X1Tw=
+github.com/aliyun/credentials-go v1.3.1/go.mod h1:8jKYhQuDawt8x2+fusqa1Y6mPxemTsBEN04dgcAcYz0=
+github.com/aliyun/credentials-go v1.3.6/go.mod h1:1LxUuX7L5YrZUWzBrRyk0SwSdH4OmPrib8NVePL3fxM=
+github.com/aliyun/credentials-go v1.4.5 h1:O76WYKgdy1oQYYiJkERjlA2dxGuvLRrzuO2ScrtGWSk=
+github.com/aliyun/credentials-go v1.4.5/go.mod h1:Jm6d+xIgwJVLVWT561vy67ZRP4lPTQxMbEYRuT2Ti1U=
 github.com/andybalholm/brotli v1.1.1 h1:PR2pgnyFznKEugtsUo0xLdDop5SKXd5Qf5ysW+7XdTA=
 github.com/andybalholm/brotli v1.1.1/go.mod h1:05ib4cKhjx3OQYUY22hTVd34Bc8upXjOLL2rKwwZBoA=
+github.com/bsm/ginkgo/v2 v2.12.0 h1:Ny8MWAHyOepLGlLKYmXG4IEkioBysk6GpaRTLC8zwWs=
+github.com/bsm/ginkgo/v2 v2.12.0/go.mod h1:SwYbGRRDovPVboqFv0tPTcG1sN61LM1Z4ARdbAV9g4c=
+github.com/bsm/gomega v1.27.10 h1:yeMWxP2pV2fG3FgAODIY8EiRE3dy0aeFYt4l7wh6yKA=
+github.com/bsm/gomega v1.27.10/go.mod h1:JyEr/xRbxbtgWNi8tIEVPUYZ5Dzef52k01W3YH0H+O0=
 github.com/bytedance/gopkg v0.1.3 h1:TPBSwH8RsouGCBcMBktLt1AymVo2TVsBVCY4b6TnZ/M=
 github.com/bytedance/gopkg v0.1.3/go.mod h1:576VvJ+eJgyCzdjS+c4+77QF3p7ubbtiKARP3TxducM=
 github.com/bytedance/sonic v1.14.2 h1:k1twIoe97C1DtYUo+fZQy865IuHia4PR5RPiuGPPIIE=
 github.com/bytedance/sonic v1.14.2/go.mod h1:T80iDELeHiHKSc0C9tubFygiuXoGzrkjKzX2quAx980=
 github.com/bytedance/sonic/loader v0.4.0 h1:olZ7lEqcxtZygCK9EKYKADnpQoYkRQxaeY2NYzevs+o=
 github.com/bytedance/sonic/loader v0.4.0/go.mod h1:AR4NYCk5DdzZizZ5djGqQ92eEhCCcdf5x77udYiSJRo=
+github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/clbanning/mxj/v2 v2.7.0 h1:WA/La7UGCanFe5NpHF0Q3DNtnCsVoxbPKuyBNHWRyME=
+github.com/clbanning/mxj/v2 v2.7.0/go.mod h1:hNiWqW14h+kc+MdF9C6/YoRfjEJoR3ou6tn/Qo+ve2s=
+github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cloudwego/base64x v0.1.6 h1:t11wG9AECkCDk5fMSoxmufanudBtJ+/HemLstXDLI2M=
 github.com/cloudwego/base64x v0.1.6/go.mod h1:OFcloc187FXDaYHvrNIjxSe8ncn0OOM8gEHfghB2IPU=
+github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
+github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
+github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
+github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/gabriel-vasile/mimetype v1.4.12 h1:e9hWvmLYvtp846tLHam2o++qitpguFiYCKbn0w9jyqw=
@@ -24,6 +88,8 @@ github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w
 github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM=
 github.com/gin-gonic/gin v1.11.0 h1:OW/6PLjyusp2PPXtyxKHU0RbX6I/l28FTdDlae5ueWk=
 github.com/gin-gonic/gin v1.11.0/go.mod h1:+iq/FyxlGzII0KHiBGjuNn4UNENUlKbGlNmc+W50Dls=
+github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
+github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
 github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
 github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
@@ -43,9 +109,33 @@ github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXe
 github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
 github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
+github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 h1:au07oEsX2xN0ktxqI+Sida1w446QrXBRJ0nee3SNZlA=
+github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
+github.com/golang-sql/sqlexp v0.1.0 h1:ZCD6MBpcuOVfGVqsEmY5/4FtYiKz6tSyUv9LPEDei6A=
+github.com/golang-sql/sqlexp v0.1.0/go.mod h1:J4ad9Vo8ZCWQ2GMrC4UCQy1JpCbwU9m3EOqtpKwwwHI=
+github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
+github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
+github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
+github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
+github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
+github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
+github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
+github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
+github.com/gopherjs/gopherjs v0.0.0-20200217142428-fce0ec30dd00/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
@@ -58,36 +148,56 @@ github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD
 github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
 github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=
 github.com/jinzhu/now v1.1.5/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
-github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
-github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
+github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
 github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
 github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
 github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
+github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/meilisearch/meilisearch-go v0.35.0 h1:Gh4vO+PinVQZ58iiFdUX9Hld8uXKzKh+C7mSSsCDlI8=
 github.com/meilisearch/meilisearch-go v0.35.0/go.mod h1:cUVJZ2zMqTvvwIMEEAdsWH+zrHsrLpAw6gm8Lt1MXK0=
+github.com/microsoft/go-mssqldb v1.7.2 h1:CHkFJiObW7ItKTJfHo1QX7QBBD1iV+mn1eOyRP3b/PA=
+github.com/microsoft/go-mssqldb v1.7.2/go.mod h1:kOvZKUdrhhFQmxLZqbwUV0rHkNkZpthMITIb2Ko1IoA=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
 github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/quic-go/qpack v0.6.0 h1:g7W+BMYynC1LbYLSqRt8PBg5Tgwxn214ZZR34VIOjz8=
 github.com/quic-go/qpack v0.6.0/go.mod h1:lUpLKChi8njB4ty2bFLX2x4gzDqXwUpaO1DP9qMDZII=
 github.com/quic-go/quic-go v0.57.1 h1:25KAAR9QR8KZrCZRThWMKVAwGoiHIrNbT72ULHTuI10=
 github.com/quic-go/quic-go v0.57.1/go.mod h1:ly4QBAjHA2VhdnxhojRsCUOeJwKYg+taDlos92xb1+s=
 github.com/redis/go-redis/v9 v9.17.2 h1:P2EGsA4qVIM3Pp+aPocCJ7DguDHhqrXNhVcEp4ViluI=
 github.com/redis/go-redis/v9 v9.17.2/go.mod h1:u410H11HMLoB+TP67dz8rL9s6QW2j76l0//kSOd3370=
+github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
+github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
 github.com/sagikazarmark/locafero v0.11.0 h1:1iurJgmM9G3PA/I+wWYIOw/5SyBtxapeHDcg+AAIFXc=
 github.com/sagikazarmark/locafero v0.11.0/go.mod h1:nVIGvgyzw595SUSUE6tvCp3YYTeHs15MvlmU87WwIik=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
+github.com/smartystreets/assertions v1.1.0/go.mod h1:tcbTF8ujkAEcZ8TElKY+i30BzYlVhC/LOxJk7iOWnoo=
+github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
 github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 h1:+jumHNA0Wrelhe64i8F6HNlS8pkoyMv5sreGx2Ry5Rw=
 github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8/go.mod h1:3n1Cwaq1E1/1lhQhtRK2ts/ZwZEhjcQeJQ1RuC6Q/8U=
 github.com/spf13/afero v1.15.0 h1:b/YBCLWAJdFWJTN9cLhiXXcD7mzKn9Dm86dNnfyQw1I=
@@ -99,48 +209,198 @@ github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3A
 github.com/spf13/viper v1.21.0 h1:x5S+0EU27Lbphp4UKm1C+1oQO+rKx36vfCoaVebLFSU=
 github.com/spf13/viper v1.21.0/go.mod h1:P0lhsswPGWD/1lZJ9ny3fYnVqxiegrlNrEmgLjbTCAY=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
 github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
+github.com/tjfoc/gmsm v1.3.2/go.mod h1:HaUcFuY0auTiaHB9MHFGCPx5IaLhTUd2atbCFBQXn9w=
+github.com/tjfoc/gmsm v1.4.1 h1:aMe1GlZb+0bLjn+cKTPEvvn9oUEBlJitaZiiBwsbgho=
+github.com/tjfoc/gmsm v1.4.1/go.mod h1:j4INPkHWMrhJb38G+J6W4Tw0AbuN8Thu3PbdVYhVcTE=
 github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
 github.com/ugorji/go/codec v1.3.1 h1:waO7eEiFDwidsBN6agj1vJQ4AG7lh2yqXyOXqhgQuyY=
 github.com/ugorji/go/codec v1.3.1/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4=
+github.com/xyproto/randomstring v1.0.5 h1:YtlWPoRdgMu3NZtP45drfy1GKoojuR7hmRcnhZqKjWU=
 github.com/xyproto/randomstring v1.0.5/go.mod h1:rgmS5DeNXLivK7YprL0pY+lTuhNQW3iGxZ18UQApw/E=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.1.30/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
 go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/arch v0.23.0 h1:lKF64A2jF6Zd8L0knGltUnegD62JMFBiCPBmQpToHhg=
 golang.org/x/arch v0.23.0/go.mod h1:dNHoOeKiyja7GTvF9NJS1l3Z2yntpQNzgrjh1cU103A=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20191219195013-becbf705a915/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20201012173705-84dcc777aaee/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
+golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
+golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
+golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
+golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
 golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
 golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
-golang.org/x/mod v0.31.0 h1:HaW9xtz0+kOcWKwli0ZXy79Ix+UW/vOfmWI5QVd2tgI=
-golang.org/x/mod v0.31.0/go.mod h1:43JraMp9cGx1Rx3AqioxrbrhNsLl2l/iNAvuBkrezpg=
+golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
+golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
+golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
+golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
+golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
+golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
+golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
 golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
 golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
+golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
+golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
 golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200509044756-6aff5f38e54f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
 golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
+golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
+golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
+golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
+golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
 golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
-golang.org/x/tools v0.40.0 h1:yLkxfA+Qnul4cs9QA3KnlFu0lVmd8JJfoq+E41uSutA=
-golang.org/x/tools v0.40.0/go.mod h1:Ik/tzLRlbscWpqqMRjyWYDisX8bG13FrdXp3o4Sr9lc=
+golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
+golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
+golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200509030707-2212a7e161a5/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
+google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
+google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
+google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
+google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
+google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
+google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
+google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
+google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
+google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
+google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
+google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
 google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
+gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc h1:2gGKlE2+asNV9m7xrywl36YYNnBG5ZQ0r/BOOxqPpmk=
+gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc/go.mod h1:m7x9LTH6d71AHyAX77c9yqWCCa3UKHcVEj9y7hAtKDk=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df h1:n7WqCuqOuCbNr617RXOY0AWRXxgwEyPp2z+p0+hgMuE=
+gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df/go.mod h1:LRQQ+SO6ZHR7tOkpBDuZnXENFzX8qRjMDMyPD6BRkCw=
+gopkg.in/ini.v1 v1.56.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
+gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
+gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gorm.io/datatypes v1.2.7 h1:ww9GAhF1aGXZY3EB3cJPJ7//JiuQo7DlQA7NNlVaTdk=
 gorm.io/datatypes v1.2.7/go.mod h1:M2iO+6S3hhi4nAyYe444Pcb0dcIiOMJ7QHaUXxyiNZY=
@@ -148,6 +408,12 @@ gorm.io/driver/mysql v1.5.6 h1:Ld4mkIickM+EliaQZQx3uOJDJHtrd70MxAUqWqlx3Y8=
 gorm.io/driver/mysql v1.5.6/go.mod h1:sEtPWMiqiN1N1cMXoXmBbd8C6/l+TESwriotuRRpkDM=
 gorm.io/driver/postgres v1.6.0 h1:2dxzU8xJ+ivvqTRph34QX+WrRaJlmfyPqXmoGVjMBa4=
 gorm.io/driver/postgres v1.6.0/go.mod h1:vUw0mrGgrTK+uPHEhAdV4sfFELrByKVGnaVRkXDhtWo=
+gorm.io/driver/sqlite v1.6.0 h1:WHRRrIiulaPiPFmDcod6prc4l2VGVWHz80KspNsxSfQ=
+gorm.io/driver/sqlite v1.6.0/go.mod h1:AO9V1qIQddBESngQUKWL9yoH93HIeA1X6V633rBwyT8=
+gorm.io/driver/sqlserver v1.6.0 h1:VZOBQVsVhkHU/NzNhRJKoANt5pZGQAS1Bwc6m6dgfnc=
+gorm.io/driver/sqlserver v1.6.0/go.mod h1:WQzt4IJo/WHKnckU9jXBLMJIVNMVeTu25dnOzehntWw=
 gorm.io/gorm v1.25.7/go.mod h1:hbnx/Oo0ChWMn1BIhpy1oYozzpM15i4YPuHDmfYtwg8=
 gorm.io/gorm v1.31.1 h1:7CA8FTFz/gRfgqgpeKIBcervUn3xSyPUmr6B2WXJ7kg=
 gorm.io/gorm v1.31.1/go.mod h1:XyQVbO2k6YkOis7C2437jSit3SsDK72s7n7rsSHd+Gs=
+honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
--- a/internal/cryptography/aes.go
+++ b/internal/cryptography/aes.go
@@ -0,0 +1,208 @@
+package cryptography
+
+import (
+	"bytes"
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"encoding/base64"
+	"errors"
+	"io"
+)
+
+func randomBytes(n int) ([]byte, error) {
+	b := make([]byte, n)
+	_, err := io.ReadFull(rand.Reader, b)
+	return b, err
+}
+
+func normalizeKey(key []byte) ([]byte, error) {
+	switch len(key) {
+	case 16, 24, 32:
+		return key, nil
+	default:
+		return nil, errors.New("AES key length must be 16, 24, or 32 bytes")
+	}
+}
+
+func AESGCMEncrypt(plaintext, key []byte) (string, error) {
+	key, err := normalizeKey(key)
+	if err != nil {
+		return "", err
+	}
+
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return "", err
+	}
+
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return "", err
+	}
+
+	nonce, err := randomBytes(gcm.NonceSize())
+	if err != nil {
+		return "", err
+	}
+
+	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
+	out := append(nonce, ciphertext...)
+
+	return base64.RawURLEncoding.EncodeToString(out), nil
+}
+
+func AESGCMDecrypt(encoded string, key []byte) ([]byte, error) {
+	key, err := normalizeKey(key)
+	if err != nil {
+		return nil, err
+	}
+
+	data, err := base64.RawURLEncoding.DecodeString(encoded)
+	if err != nil {
+		return nil, err
+	}
+
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(data) < gcm.NonceSize() {
+		return nil, errors.New("ciphertext too short")
+	}
+
+	nonce := data[:gcm.NonceSize()]
+	ciphertext := data[gcm.NonceSize():]
+
+	return gcm.Open(nil, nonce, ciphertext, nil)
+}
+
+func pkcs7Pad(data []byte, blockSize int) []byte {
+	padding := blockSize - len(data)%blockSize
+	padtext := bytes.Repeat([]byte{byte(padding)}, padding)
+	return append(data, padtext...)
+}
+
+func pkcs7Unpad(data []byte) ([]byte, error) {
+	length := len(data)
+	if length == 0 {
+		return nil, errors.New("invalid padding")
+	}
+	padding := int(data[length-1])
+	if padding == 0 || padding > length {
+		return nil, errors.New("invalid padding")
+	}
+	return data[:length-padding], nil
+}
+
+func AESCBCEncrypt(plaintext, key []byte) (string, error) {
+	key, err := normalizeKey(key)
+	if err != nil {
+		return "", err
+	}
+
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return "", err
+	}
+
+	plaintext = pkcs7Pad(plaintext, block.BlockSize())
+
+	iv, err := randomBytes(block.BlockSize())
+	if err != nil {
+		return "", err
+	}
+
+	mode := cipher.NewCBCEncrypter(block, iv)
+	mode.CryptBlocks(plaintext, plaintext)
+
+	out := append(iv, plaintext...)
+	return base64.RawURLEncoding.EncodeToString(out), nil
+}
+
+func AESCBCDecrypt(encoded string, key []byte) ([]byte, error) {
+	key, err := normalizeKey(key)
+	if err != nil {
+		return nil, err
+	}
+
+	data, err := base64.RawURLEncoding.DecodeString(encoded)
+	if err != nil {
+		return nil, err
+	}
+
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(data) < block.BlockSize() {
+		return nil, errors.New("ciphertext too short")
+	}
+
+	iv := data[:block.BlockSize()]
+	data = data[block.BlockSize():]
+
+	mode := cipher.NewCBCDecrypter(block, iv)
+	mode.CryptBlocks(data, data)
+
+	return pkcs7Unpad(data)
+}
+
+func AESCFBEncrypt(plaintext, key []byte) (string, error) {
+	key, err := normalizeKey(key)
+	if err != nil {
+		return "", err
+	}
+
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return "", err
+	}
+
+	iv, err := randomBytes(block.BlockSize())
+	if err != nil {
+		return "", err
+	}
+
+	stream := cipher.NewCFBEncrypter(block, iv)
+	stream.XORKeyStream(plaintext, plaintext)
+
+	out := append(iv, plaintext...)
+	return base64.RawURLEncoding.EncodeToString(out), nil
+}
+
+func AESCFBDecrypt(encoded string, key []byte) ([]byte, error) {
+	key, err := normalizeKey(key)
+	if err != nil {
+		return nil, err
+	}
+
+	data, err := base64.RawURLEncoding.DecodeString(encoded)
+	if err != nil {
+		return nil, err
+	}
+
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(data) < block.BlockSize() {
+		return nil, errors.New("ciphertext too short")
+	}
+
+	iv := data[:block.BlockSize()]
+	data = data[block.BlockSize():]
+
+	stream := cipher.NewCFBDecrypter(block, iv)
+	stream.XORKeyStream(data, data)
+
+	return data, nil
+}
--- a/internal/cryptography/base64.go
+++ b/internal/cryptography/base64.go
@@ -0,0 +1,20 @@
+package cryptography
+
+import (
+	"encoding/base64"
+	"strings"
+)
+
+func IsBase64Std(s string) bool {
+	if s == "" {
+		return false
+	}
+
+	s = strings.TrimSpace(s)
+	if len(s)%4 != 0 {
+		return false
+	}
+
+	_, err := base64.StdEncoding.Strict().DecodeString(s)
+	return err == nil
+}
--- a/internal/cryptography/bcrypt.go
+++ b/internal/cryptography/bcrypt.go
@@ -0,0 +1,22 @@
+package cryptography
+
+import "golang.org/x/crypto/bcrypt"
+
+func BcryptHash(input string) (string, error) {
+	hash, err := bcrypt.GenerateFromPassword(
+		[]byte(input),
+		bcrypt.DefaultCost,
+	)
+	if err != nil {
+		return "", err
+	}
+	return string(hash), nil
+}
+
+func BcryptVerify(input string, hashed string) bool {
+	err := bcrypt.CompareHashAndPassword(
+		[]byte(hashed),
+		[]byte(input),
+	)
+	return err == nil
+}
--- a/internal/cryptography/token.go
+++ b/internal/cryptography/token.go
@@ -1,189 +0,0 @@
-package cryptography
-
-import (
-	"context"
-	"crypto/rand"
-	"encoding/base64"
-	"fmt"
-	"nixcn-cms/data"
-	"time"
-
-	"github.com/golang-jwt/jwt/v5"
-	"github.com/google/uuid"
-	"github.com/spf13/viper"
-)
-
-type Token struct {
-	Application string
-}
-
-type JwtClaims struct {
-	UserID uuid.UUID `json:"user_id"`
-	jwt.RegisteredClaims
-}
-
-// Generate jwt clames
-func (self *Token) NewClaims(userId uuid.UUID) JwtClaims {
-	return JwtClaims{
-		UserID: userId,
-		RegisteredClaims: jwt.RegisteredClaims{
-			ExpiresAt: jwt.NewNumericDate(time.Now().Add(viper.GetDuration("ttl.access_ttl"))),
-			IssuedAt:  jwt.NewNumericDate(time.Now()),
-			Issuer:    self.Application,
-		},
-	}
-}
-
-// Generate access token
-func (self *Token) GenerateAccessToken(userId uuid.UUID) (string, error) {
-	claims := self.NewClaims(userId)
-	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
-	secret := viper.GetString("secrets.jwt_secret")
-	signedToken, err := token.SignedString([]byte(secret))
-	if err != nil {
-		return "", fmt.Errorf("error signing token: %v", err)
-	}
-	return signedToken, nil
-}
-
-// Generate refresh token
-func (self *Token) GenerateRefreshToken() (string, error) {
-	b := make([]byte, 32)
-	if _, err := rand.Read(b); err != nil {
-		return "", err
-	}
-	return base64.URLEncoding.EncodeToString(b), nil
-}
-
-// Issue both access and refresh token
-func (self *Token) IssueTokens(userId uuid.UUID) (string, string, error) {
-	// Gen atk
-	access, err := self.GenerateAccessToken(userId)
-	if err != nil {
-		return "", "", err
-	}
-
-	// Gen rtk
-	refresh, err := self.GenerateRefreshToken()
-	if err != nil {
-		return "", "", err
-	}
-
-	// Store to redis
-	ctx := context.Background()
-	ttl := viper.GetDuration("ttl.refresh_ttl")
-
-	// refresh -> user
-	if err := data.Redis.Set(
-		ctx,
-		"refresh:"+refresh,
-		userId.String(),
-		ttl,
-	).Err(); err != nil {
-		return "", "", err
-	}
-
-	// user -> refresh tokens
-	userSetKey := "user:" + userId.String() + ":refresh_tokens"
-
-	if err := data.Redis.SAdd(
-		ctx,
-		userSetKey,
-		refresh,
-	).Err(); err != nil {
-		return "", "", err
-	}
-
-	// set user ttl >= all refresh token
-	_ = data.Redis.Expire(ctx, userSetKey, ttl).Err()
-
-	return access, refresh, nil
-}
-
-// Refresh access token
-func (self *Token) RefreshAccessToken(refreshToken string) (string, error) {
-	// Read rtk:userid from redis
-	ctx := context.Background()
-	key := "refresh:" + refreshToken
-
-	userIdStr, err := data.Redis.Get(ctx, key).Result()
-	if err != nil {
-		return "", err
-	}
-
-	userId, err := uuid.Parse(userIdStr)
-	if err != nil {
-		return "", err
-	}
-
-	// Generate access token
-	return self.GenerateAccessToken(userId)
-}
-
-func (self *Token) RenewRefreshToken(refreshToken string) (string, error) {
-	ctx := context.Background()
-	ttl := viper.GetDuration("ttl.refresh_ttl")
-
-	key := "refresh:" + refreshToken
-	userIdStr, err := data.Redis.Get(ctx, key).Result()
-	if err != nil {
-		return "", err
-	}
-
-	refresh, err := self.GenerateRefreshToken()
-	if err != nil {
-		return "", err
-	}
-
-	err = self.RevokeRefreshToken(refreshToken)
-	if err != nil {
-		return "", err
-	}
-
-	// refresh -> user
-	if err := data.Redis.Set(
-		ctx,
-		"refresh:"+refresh,
-		userIdStr,
-		ttl,
-	).Err(); err != nil {
-		return "", err
-	}
-
-	// user -> refresh tokens
-	userSetKey := "user:" + userIdStr + ":refresh_tokens"
-
-	if err := data.Redis.SAdd(
-		ctx,
-		userSetKey,
-		refresh,
-	).Err(); err != nil {
-		return "", err
-	}
-
-	// set user ttl >= all refresh token
-	_ = data.Redis.Expire(ctx, userSetKey, ttl).Err()
-
-	return refresh, nil
-}
-
-func (self *Token) RevokeRefreshToken(refreshToken string) error {
-	ctx := context.Background()
-
-	key := "refresh:" + refreshToken
-
-	userIDStr, err := data.Redis.Get(ctx, key).Result()
-	if err != nil {
-		return nil
-	}
-
-	userSetKey := "user:" + userIDStr + ":refresh_tokens"
-
-	// Delete rtk from redis
-	pipe := data.Redis.TxPipeline()
-	pipe.Del(ctx, key)                       // rtk:userid index
-	pipe.SRem(ctx, userSetKey, refreshToken) // userid:rtk index
-	_, err = pipe.Exec(ctx)
-
-	return err
-}
--- a/10
+++ b/10
@@ -9,15 +9,14 @@ bun_cmd := `realpath $(which bun)`

 default: install clean build-back build-client run-back

-backend: install clean build-back run-back
+backend: clean build-back run-back

 install:
    cd {{ client_dir }} && {{ bun_cmd }} install

 clean:
-    rm -rf {{ output_dir }}
-    mkdir -p {{ output_dir }}
-    cp {{ join(project_dir, "config.default.yaml") }} {{ join(output_dir, "config.yaml") }}
+    mkdir -p .outputs
+    find .outputs -mindepth 1 ! -path .outputs/config.yaml -exec rm -rf {} +

 client:
    cd {{ client_dir }} && {{ bun_cmd }} dev
@@ -34,5 +33,8 @@ run-back:
 test-back:
    cd {{ output_dir }} && CONFIG_PATH={{ output_dir }} GO_ENV=test go test -C .. ./...

+dev-back: clean
+    watchexec -r -e go,yaml,tpl -i '.devenv/**' -i '.direnv/**' -i 'client/**' -i 'vendor/**' 'go build -o {{ join(output_dir, "nixcn-cms") }} . && cd {{ output_dir }} && CONFIG_PATH={{ output_dir }} {{ exec_path }}'
+
 dev:
    devenv up --verbose
--- a/middleware/jwt.go
+++ b/middleware/jwt.go
@@ -1,57 +1,30 @@
 package middleware

 import (
-	"net/http"
-	"strings"
-
-	"nixcn-cms/internal/cryptography"
+	"nixcn-cms/pkgs/authtoken"
+	"nixcn-cms/utils"

 	"github.com/gin-gonic/gin"
-	"github.com/golang-jwt/jwt/v5"
-	"github.com/spf13/viper"
 )

-func JWTAuth() gin.HandlerFunc {
-	jwtSecret := []byte(viper.GetString("secrets.jwt_secret"))
+func JWTAuth(required bool) gin.HandlerFunc {

 	return func(c *gin.Context) {
 		auth := c.GetHeader("Authorization")
-		if auth == "" {
-			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{
-				"error": "missing Authorization header",
-			})
+
+		authtoken := new(authtoken.Token)
+		uid, err := authtoken.HeaderVerify(auth)
+		if err != nil {
+			utils.HttpAbort(c, 401, "", "unauthorized")
 			return
 		}

-		// Split header to 2
-		parts := strings.SplitN(auth, " ", 2)
-		if len(parts) != 2 || parts[0] != "Bearer" {
-			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{
-				"error": "invalid Authorization header format",
-			})
+		if required == true && uid == "" {
+			utils.HttpAbort(c, 401, "", "unauthorized")
 			return
 		}

-		tokenStr := parts[1]
-
-		// Verify access token
-		claims := &cryptography.JwtClaims{}
-		token, err := jwt.ParseWithClaims(
-			tokenStr,
-			claims,
-			func(token *jwt.Token) (any, error) {
-				return jwtSecret, nil
-			},
-		)
-
-		if err != nil || !token.Valid {
-			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{
-				"error": "invalid or expired token",
-			})
-			return
-		}
-
-		c.Set("user_id", claims.UserID)
+		c.Set("user_id", uid)
 		c.Next()
 	}
 }
--- a/middleware/permission.go
+++ b/middleware/permission.go
@@ -0,0 +1,47 @@
+package middleware
+
+import (
+	"nixcn-cms/data"
+	"nixcn-cms/utils"
+
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+)
+
+func Permission(requiredLevel uint) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		var permissionLevel uint
+		permissionLevelPrev, ok := c.Get("permission_level")
+		if !ok {
+			userIdOrig, ok := c.Get("user_id")
+			if !ok || userIdOrig.(string) == "" {
+				utils.HttpAbort(c, 401, "", "missing user id")
+				return
+			}
+
+			userId, err := uuid.Parse(userIdOrig.(string))
+			if err != nil {
+				utils.HttpAbort(c, 500, "", "error parsing user id")
+				return
+			}
+
+			userData, err := new(data.User).GetByUserId(userId)
+			if err != nil {
+				utils.HttpAbort(c, 404, "", "user not found")
+				return
+			}
+
+			permissionLevel = userData.PermissionLevel
+			c.Set("permission_level", userData.PermissionLevel)
+		} else {
+			permissionLevel = permissionLevelPrev.(uint)
+		}
+
+		if permissionLevel < requiredLevel {
+			utils.HttpAbort(c, 403, "", "permission denied")
+			return
+		}
+
+		c.Next()
+	}
+}
--- a/pkgs/authcode/authcode.go
+++ b/pkgs/authcode/authcode.go
@@ -0,0 +1,68 @@
+package authcode
+
+import (
+	"context"
+	"crypto/rand"
+	"encoding/base64"
+	"nixcn-cms/data"
+
+	"github.com/spf13/viper"
+)
+
+type Token struct {
+	ClientId string
+	Email    string
+}
+
+func NewAuthCode(clientId string, email string) (string, error) {
+	ctx := context.Background()
+
+	// generate random code
+	b := make([]byte, 32)
+	if _, err := rand.Read(b); err != nil {
+		return "", err
+	}
+
+	code := base64.RawURLEncoding.EncodeToString(b)
+	key := "auth_code:" + code
+
+	ttl := viper.GetDuration("ttl.auth_code_ttl")
+
+	// store auth code metadata in Redis
+	if err := data.Redis.HSet(
+		ctx,
+		key,
+		map[string]any{
+			"client_id": clientId,
+			"email":     email,
+		},
+	).Err(); err != nil {
+		return "", err
+	}
+
+	// set expiration (one-time auth code)
+	if err := data.Redis.Expire(ctx, key, ttl).Err(); err != nil {
+		return "", err
+	}
+
+	return code, nil
+}
+
+func VerifyAuthCode(code string) (*Token, bool) {
+	ctx := context.Background()
+	key := "auth_code:" + code
+
+	// Read auth code payload
+	dataMap, err := data.Redis.HGetAll(ctx, key).Result()
+	if err != nil || len(dataMap) == 0 {
+		return nil, false
+	}
+
+	// Delete auth code immediately (one-time use)
+	_ = data.Redis.Del(ctx, key).Err()
+
+	return &Token{
+		ClientId: dataMap["client_id"],
+		Email:    dataMap["email"],
+	}, true
+}
--- a/pkgs/authtoken/authtoken.go
+++ b/pkgs/authtoken/authtoken.go
@@ -0,0 +1,295 @@
+package authtoken
+
+import (
+	"context"
+	"crypto/rand"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"nixcn-cms/data"
+	"strings"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/google/uuid"
+	"github.com/spf13/viper"
+)
+
+type Token struct {
+	Application string
+}
+
+type JwtClaims struct {
+	ClientId string    `json:"client_id"`
+	UserID   uuid.UUID `json:"user_id"`
+	jwt.RegisteredClaims
+}
+
+// Generate jwt clames
+func (self *Token) NewClaims(clientId string, userId uuid.UUID) JwtClaims {
+	return JwtClaims{
+		ClientId: clientId,
+		UserID:   userId,
+		RegisteredClaims: jwt.RegisteredClaims{
+			ExpiresAt: jwt.NewNumericDate(time.Now().Add(viper.GetDuration("ttl.access_ttl"))),
+			IssuedAt:  jwt.NewNumericDate(time.Now()),
+			Issuer:    self.Application,
+		},
+	}
+}
+
+// Generate access token
+func (self *Token) GenerateAccessToken(clientId string, userId uuid.UUID) (string, error) {
+	claims := self.NewClaims(clientId, userId)
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+
+	clientData, err := new(data.Client).GetClientByClientId(clientId)
+	if err != nil {
+		return "", fmt.Errorf("error getting client data: %v", err)
+	}
+
+	secret, err := clientData.GetDecryptedSecret()
+	if err != nil {
+		return "", fmt.Errorf("error getting decrypted secret: %v", err)
+	}
+
+	signedToken, err := token.SignedString([]byte(secret))
+	if err != nil {
+		return "", fmt.Errorf("error signing token: %v", err)
+	}
+	return signedToken, nil
+}
+
+// Generate refresh token
+func (self *Token) GenerateRefreshToken() (string, error) {
+	b := make([]byte, 32)
+	if _, err := rand.Read(b); err != nil {
+		return "", err
+	}
+	return base64.URLEncoding.EncodeToString(b), nil
+}
+
+// Issue both access and refresh token
+func (self *Token) IssueTokens(clientId string, userId uuid.UUID) (string, string, error) {
+	// access token
+	access, err := self.GenerateAccessToken(clientId, userId)
+	if err != nil {
+		return "", "", err
+	}
+
+	// refresh token
+	refresh, err := self.GenerateRefreshToken()
+	if err != nil {
+		return "", "", err
+	}
+
+	ctx := context.Background()
+	ttl := viper.GetDuration("ttl.refresh_ttl")
+
+	refreshKey := "refresh:" + refresh
+
+	// refresh -> user + client
+	if err := data.Redis.HSet(
+		ctx,
+		refreshKey,
+		map[string]any{
+			"user_id":   userId.String(),
+			"client_id": clientId,
+		},
+	).Err(); err != nil {
+		return "", "", err
+	}
+
+	if err := data.Redis.Expire(ctx, refreshKey, ttl).Err(); err != nil {
+		return "", "", err
+	}
+
+	// user -> refresh tokens
+	userSetKey := "user:" + userId.String() + ":refresh_tokens"
+
+	if err := data.Redis.SAdd(ctx, userSetKey, refresh).Err(); err != nil {
+		return "", "", err
+	}
+
+	_ = data.Redis.Expire(ctx, userSetKey, ttl).Err()
+
+	// client -> refresh tokens
+	clientSetKey := "client:" + clientId + ":refresh_tokens"
+	_ = data.Redis.SAdd(ctx, clientSetKey, refresh).Err()
+	_ = data.Redis.Expire(ctx, clientSetKey, ttl).Err()
+
+	return access, refresh, nil
+}
+
+// Refresh access token
+func (self *Token) RefreshAccessToken(refreshToken string) (string, error) {
+	ctx := context.Background()
+	key := "refresh:" + refreshToken
+
+	// read refresh token bind data
+	dataMap, err := data.Redis.HGetAll(ctx, key).Result()
+	if err != nil || len(dataMap) == 0 {
+		return "", errors.New("invalid refresh token")
+	}
+
+	userIdStr := dataMap["user_id"]
+	clientId := dataMap["client_id"]
+
+	if userIdStr == "" || clientId == "" {
+		return "", errors.New("refresh token corrupted")
+	}
+
+	userId, err := uuid.Parse(userIdStr)
+	if err != nil {
+		return "", err
+	}
+
+	// Generate new access token
+	return self.GenerateAccessToken(clientId, userId)
+}
+
+func (self *Token) RenewRefreshToken(refreshToken string) (string, error) {
+	ctx := context.Background()
+	ttl := viper.GetDuration("ttl.refresh_ttl")
+
+	oldKey := "refresh:" + refreshToken
+
+	// read old refresh token bind data
+	dataMap, err := data.Redis.HGetAll(ctx, oldKey).Result()
+	if err != nil || len(dataMap) == 0 {
+		return "", errors.New("invalid refresh token")
+	}
+
+	userIdStr := dataMap["user_id"]
+	clientId := dataMap["client_id"]
+
+	if userIdStr == "" || clientId == "" {
+		return "", errors.New("refresh token corrupted")
+	}
+
+	// generate new refresh token
+	newRefresh, err := self.GenerateRefreshToken()
+	if err != nil {
+		return "", err
+	}
+
+	// revoke old refresh token
+	if err := self.RevokeRefreshToken(refreshToken); err != nil {
+		return "", err
+	}
+
+	newKey := "refresh:" + newRefresh
+
+	// refresh -> user + client
+	if err := data.Redis.HSet(
+		ctx,
+		newKey,
+		map[string]any{
+			"user_id":   userIdStr,
+			"client_id": clientId,
+		},
+	).Err(); err != nil {
+		return "", err
+	}
+
+	if err := data.Redis.Expire(ctx, newKey, ttl).Err(); err != nil {
+		return "", err
+	}
+
+	// user -> refresh tokens
+	userSetKey := "user:" + userIdStr + ":refresh_tokens"
+	if err := data.Redis.SAdd(ctx, userSetKey, newRefresh).Err(); err != nil {
+		return "", err
+	}
+	_ = data.Redis.Expire(ctx, userSetKey, ttl).Err()
+
+	// client -> refresh tokens
+	clientSetKey := "client:" + clientId + ":refresh_tokens"
+	_ = data.Redis.SAdd(ctx, clientSetKey, newRefresh).Err()
+	_ = data.Redis.Expire(ctx, clientSetKey, ttl).Err()
+
+	return newRefresh, nil
+}
+
+func (self *Token) RevokeRefreshToken(refreshToken string) error {
+	ctx := context.Background()
+
+	refreshKey := "refresh:" + refreshToken
+
+	// read refresh token metadata (user_id, client_id)
+	dataMap, err := data.Redis.HGetAll(ctx, refreshKey).Result()
+	if err != nil || len(dataMap) == 0 {
+		// Token already revoked or not found
+		return nil
+	}
+
+	userID := dataMap["user_id"]
+	clientID := dataMap["client_id"]
+
+	// build index keys
+	userSetKey := "user:" + userID + ":refresh_tokens"
+	clientSetKey := "client:" + clientID + ":refresh_tokens"
+
+	// remove refresh token and all related indexes atomically
+	pipe := data.Redis.TxPipeline()
+
+	// remove main refresh token record
+	pipe.Del(ctx, refreshKey)
+
+	// remove refresh token from user's active refresh token set
+	pipe.SRem(ctx, userSetKey, refreshToken)
+
+	// remove refresh token from client's active refresh token set
+	pipe.SRem(ctx, clientSetKey, refreshToken)
+
+	_, err = pipe.Exec(ctx)
+	return err
+}
+
+func (self *Token) HeaderVerify(header string) (string, error) {
+	if header == "" {
+		return "", nil
+	}
+
+	// Split header to 2
+	parts := strings.SplitN(header, " ", 2)
+	if len(parts) != 2 || parts[0] != "Bearer" {
+		return "", errors.New("invalid Authorization header format")
+	}
+
+	tokenStr := parts[1]
+
+	// Verify access token
+	claims := &JwtClaims{}
+	token, err := jwt.ParseWithClaims(
+		tokenStr,
+		claims,
+		func(token *jwt.Token) (any, error) {
+			if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+				return nil, errors.New("unexpected signing method")
+			}
+
+			if claims.ClientId == "" {
+				return nil, errors.New("client_id missing in token")
+			}
+
+			clientData, err := new(data.Client).GetClientByClientId(claims.ClientId)
+			if err != nil {
+				return nil, fmt.Errorf("error getting client data: %v", err)
+			}
+
+			secret, err := clientData.GetDecryptedSecret()
+			if err != nil {
+				return nil, fmt.Errorf("error getting decrypted secret: %v", err)
+			}
+
+			return secret, nil
+		},
+	)
+
+	if err != nil || !token.Valid {
+		return "", errors.New("invalid or expired token")
+	}
+
+	return claims.UserID.String(), nil
+}
--- a/pkgs/email/email.go
+++ b/pkgs/email/email.go
@@ -0,0 +1,313 @@
+package email
+
+import (
+	"bytes"
+	"context"
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"net"
+	"net/smtp"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/spf13/viper"
+	"golang.org/x/oauth2"
+	"golang.org/x/oauth2/clientcredentials"
+	gomail "gopkg.in/gomail.v2"
+)
+
+type Client struct {
+	// basic smtp
+	dialer *gomail.Dialer
+
+	// shared
+	from     string
+	host     string
+	port     int
+	username string
+
+	security string
+	insecure bool
+
+	// auth mode
+	authMode string
+
+	// oauth2
+	oauth *oauthTokenProvider
+}
+
+type oauthTokenProvider struct {
+	cfg clientcredentials.Config
+
+	mu       sync.Mutex
+	token    *oauth2.Token
+	fetchErr error
+}
+
+func (p *oauthTokenProvider) getToken(ctx context.Context) (string, error) {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+
+	if p.token != nil && p.token.Valid() && time.Until(p.token.Expiry) > 60*time.Second {
+		return p.token.AccessToken, nil
+	}
+
+	tok, err := p.cfg.Token(ctx)
+	if err != nil {
+		p.fetchErr = err
+		return "", err
+	}
+	p.token = tok
+	p.fetchErr = nil
+	return tok.AccessToken, nil
+}
+
+func NewSMTPClient() (*Client, error) {
+	host := viper.GetString("email.host")
+	port := viper.GetInt("email.port")
+	user := viper.GetString("email.username")
+	pass := viper.GetString("email.password")
+	from := viper.GetString("email.from")
+
+	security := strings.ToLower(viper.GetString("email.security"))
+	insecure := viper.GetBool("email.insecure_skip_verify")
+
+	authMode := strings.ToLower(viper.GetString("email.auth"))
+	if authMode == "" {
+		authMode = "basic"
+	}
+
+	if host == "" || port == 0 || user == "" {
+		return nil, errors.New("SMTP config not set")
+	}
+
+	c := &Client{
+		from:     from,
+		host:     host,
+		port:     port,
+		username: user,
+		security: security,
+		insecure: insecure,
+		authMode: authMode,
+	}
+
+	switch authMode {
+	case "basic":
+		if pass == "" {
+			return nil, errors.New("SMTP basic auth requires email.password")
+		}
+
+		dialer := gomail.NewDialer(host, port, user, pass)
+		dialer.TLSConfig = &tls.Config{
+			ServerName:         host,
+			InsecureSkipVerify: insecure,
+		}
+
+		switch security {
+		case "ssl":
+			dialer.SSL = true
+		case "starttls":
+			dialer.SSL = false
+		case "plain", "":
+			dialer.SSL = false
+			dialer.TLSConfig = nil
+		default:
+			return nil, errors.New("unknown smtp security mode: " + security)
+		}
+
+		c.dialer = dialer
+		return c, nil
+
+	case "oauth2":
+		if security == "" {
+			security = "starttls"
+			c.security = "starttls"
+		}
+		if security == "plain" {
+			return nil, errors.New("oauth2 requires TLS (starttls or ssl); plain is not allowed")
+		}
+
+		tenantID := viper.GetString("email.oauth2.tenant_id")
+		clientID := viper.GetString("email.oauth2.client_id")
+		clientSecret := viper.GetString("email.oauth2.client_secret")
+		scope := viper.GetString("email.oauth2.scope")
+		if scope == "" {
+			// Microsoft Learn: client credentials for SMTP uses https://outlook.office365.com/.default :contentReference[oaicite:3]{index=3}
+			scope = "https://outlook.office365.com/.default"
+		}
+
+		if tenantID == "" || clientID == "" || clientSecret == "" {
+			return nil, errors.New("oauth2 requires email.oauth2.tenant_id/client_id/client_secret")
+		}
+
+		c.oauth = &oauthTokenProvider{
+			cfg: clientcredentials.Config{
+				ClientID:     clientID,
+				ClientSecret: clientSecret,
+				TokenURL:     fmt.Sprintf("https://login.microsoftonline.com/%s/oauth2/v2.0/token", tenantID),
+				Scopes:       []string{scope},
+			},
+		}
+		return c, nil
+
+	default:
+		return nil, errors.New("unknown email.auth: " + authMode)
+	}
+}
+
+func (c *Client) Send(to, subject, html string) (string, error) {
+	m := gomail.NewMessage()
+	m.SetHeader("From", c.from)
+	m.SetHeader("To", to)
+	m.SetHeader("Subject", subject)
+	m.SetBody("text/html", html)
+
+	switch c.authMode {
+	case "basic":
+		if c.dialer == nil {
+			return "", errors.New("basic dialer not initialized")
+		}
+		if err := c.dialer.DialAndSend(m); err != nil {
+			return "", err
+		}
+		return time.Now().Format(time.RFC3339Nano), nil
+
+	case "oauth2":
+		if err := c.sendWithXOAUTH2(m, to); err != nil {
+			return "", err
+		}
+		return time.Now().Format(time.RFC3339Nano), nil
+
+	default:
+		return "", errors.New("unsupported auth mode: " + c.authMode)
+	}
+}
+
+// XOAUTH2 auth for net/smtp
+type xoauth2Auth struct {
+	username string
+	token    string
+}
+
+func (a *xoauth2Auth) Start(server *smtp.ServerInfo) (string, []byte, error) {
+	if !server.TLS {
+		return "", nil, errors.New("refusing to authenticate over insecure connection")
+	}
+
+	// Microsoft Learn XOAUTH2 Format: user=<user>\x01auth=Bearer <token>\x01\x01 :contentReference[oaicite:4]{index=4}
+	resp := fmt.Sprintf("user=%s\x01auth=Bearer %s\x01\x01", a.username, a.token)
+	return "XOAUTH2", []byte(resp), nil
+}
+
+func (a *xoauth2Auth) Next(fromServer []byte, more bool) ([]byte, error) {
+	if more {
+		return nil, errors.New("unexpected server challenge during XOAUTH2 auth")
+	}
+	return nil, nil
+}
+
+func (c *Client) sendWithXOAUTH2(m *gomail.Message, rcpt string) error {
+	if c.oauth == nil {
+		return errors.New("oauth2 provider not initialized")
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
+	defer cancel()
+
+	token, err := c.oauth.getToken(ctx)
+	if err != nil {
+		return fmt.Errorf("oauth2 token error: %w", err)
+	}
+
+	// write gomail.Message to RFC822
+	var buf bytes.Buffer
+	if _, err := m.WriteTo(&buf); err != nil {
+		return err
+	}
+	msg := buf.Bytes()
+
+	addr := fmt.Sprintf("%s:%d", c.host, c.port)
+	tlsCfg := &tls.Config{
+		ServerName:         c.host,
+		InsecureSkipVerify: c.insecure,
+	}
+
+	var (
+		conn net.Conn
+		cl   *smtp.Client
+	)
+
+	switch c.security {
+	case "ssl":
+		conn, err = tls.Dial("tcp", addr, tlsCfg)
+		if err != nil {
+			return err
+		}
+		cl, err = smtp.NewClient(conn, c.host)
+		if err != nil {
+			_ = conn.Close()
+			return err
+		}
+
+	case "starttls", "":
+		conn, err = net.Dial("tcp", addr)
+		if err != nil {
+			return err
+		}
+		cl, err = smtp.NewClient(conn, c.host)
+		if err != nil {
+			_ = conn.Close()
+			return err
+		}
+
+		// Upgrade with STARTTLS
+		if ok, _ := cl.Extension("STARTTLS"); ok {
+			if err := cl.StartTLS(tlsCfg); err != nil {
+				_ = cl.Close()
+				return err
+			}
+		} else {
+			_ = cl.Close()
+			return errors.New("server does not support STARTTLS")
+		}
+
+	default:
+		return errors.New("unknown smtp security mode: " + c.security)
+	}
+
+	defer func() { _ = cl.Quit() }()
+
+	// AUTH XOAUTH2
+	if err := cl.Auth(&xoauth2Auth{username: c.username, token: token}); err != nil {
+		return err
+	}
+
+	// MAIL FROM / RCPT TO / DATA
+	if err := cl.Mail(extractAddress(c.from)); err != nil {
+		return err
+	}
+	if err := cl.Rcpt(rcpt); err != nil {
+		return err
+	}
+
+	w, err := cl.Data()
+	if err != nil {
+		return err
+	}
+	if _, err := w.Write(msg); err != nil {
+		_ = w.Close()
+		return err
+	}
+	return w.Close()
+}
+
+func extractAddress(from string) string {
+	if i := strings.LastIndex(from, "<"); i >= 0 {
+		if j := strings.LastIndex(from, ">"); j > i {
+			return strings.TrimSpace(from[i+1 : j])
+		}
+	}
+	return strings.TrimSpace(from)
+}
--- a/pkgs/email/resend.go
+++ b/pkgs/email/resend.go
@@ -1,87 +0,0 @@
-package email
-
-import (
-	"bytes"
-	"encoding/json"
-	"errors"
-	"net/http"
-	"time"
-
-	"github.com/spf13/viper"
-)
-
-type Client struct {
-	apiKey string
-	http   *http.Client
-}
-
-// Resend service client
-func NewResendClient() (*Client, error) {
-	key := viper.GetString("email.resend_api_key")
-	if key == "" {
-		return nil, errors.New("RESEND_API_KEY not set")
-	}
-
-	return &Client{
-		apiKey: key,
-		http: &http.Client{
-			Timeout: 10 * time.Second,
-		},
-	}, nil
-}
-
-type sendEmailRequest struct {
-	From    string   `json:"from"`
-	To      []string `json:"to"`
-	Subject string   `json:"subject"`
-	HTML    string   `json:"html,omitempty"`
-	Text    string   `json:"text,omitempty"`
-}
-
-type sendEmailResponse struct {
-	ID string `json:"id"`
-}
-
-// Send email by resend API
-func (c *Client) Send(to, subject, html string) (string, error) {
-	reqBody := sendEmailRequest{
-		From:    viper.GetString("email.from"),
-		To:      []string{to},
-		Subject: subject,
-		HTML:    html,
-	}
-
-	body, err := json.Marshal(reqBody)
-	if err != nil {
-		return "", err
-	}
-
-	req, err := http.NewRequest(
-		http.MethodPost,
-		"https://api.resend.com/emails",
-		bytes.NewReader(body),
-	)
-	if err != nil {
-		return "", err
-	}
-
-	req.Header.Set("Authorization", "Bearer "+c.apiKey)
-	req.Header.Set("Content-Type", "application/json")
-
-	resp, err := c.http.Do(req)
-	if err != nil {
-		return "", err
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode >= 300 {
-		return "", errors.New("resend send failed")
-	}
-
-	var res sendEmailResponse
-	if err := json.NewDecoder(resp.Body).Decode(&res); err != nil {
-		return "", err
-	}
-
-	return res.ID, nil
-}
--- a/pkgs/kyc/kyc.go
+++ b/pkgs/kyc/kyc.go
@@ -0,0 +1,168 @@
+package kyc
+
+import (
+	"crypto/md5"
+	"encoding/base64"
+	"encoding/hex"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"nixcn-cms/internal/cryptography"
+	"unicode/utf8"
+
+	alicloudauth20190307 "github.com/alibabacloud-go/cloudauth-20190307/v4/client"
+	aliopenapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
+	aliutil "github.com/alibabacloud-go/tea-utils/v2/service"
+	alitea "github.com/alibabacloud-go/tea/tea"
+	alicredential "github.com/aliyun/credentials-go/credentials"
+	"github.com/spf13/viper"
+)
+
+func DecodeB64Json(b64Json string) (*KycInfo, error) {
+	rawJson, err := base64.StdEncoding.DecodeString(b64Json)
+	if err != nil {
+		return nil, errors.New("invalid base64 json")
+	}
+
+	var kyc KycInfo
+	if err := json.Unmarshal(rawJson, &kyc); err != nil {
+		return nil, errors.New("invalid json structure")
+	}
+
+	return &kyc, nil
+}
+
+func EncodeAES(kyc *KycInfo) (*string, error) {
+	plainJson, err := json.Marshal(kyc)
+	if err != nil {
+		return nil, err
+	}
+
+	aesKey := viper.GetString("secrets.kyc_info_key")
+	encrypted, err := cryptography.AESCBCEncrypt(plainJson, []byte(aesKey))
+	if err != nil {
+		return nil, err
+	}
+
+	return &encrypted, nil
+}
+
+func DecodeAES(cipherStr string) (*KycInfo, error) {
+	aesKey := viper.GetString("secrets.kyc_info_key")
+	plainBytes, err := cryptography.AESCBCDecrypt(cipherStr, []byte(aesKey))
+	if err != nil {
+		return nil, err
+	}
+
+	var kyc KycInfo
+	if err := json.Unmarshal(plainBytes, &kyc); err != nil {
+		return nil, errors.New("invalid decrypted json")
+	}
+
+	return &kyc, nil
+}
+
+func MD5AliEnc(kyc *KycInfo) (*KycAli, error) {
+	if kyc.Type != "Chinese" {
+		return nil, nil
+	}
+
+	// MD5 Legal Name rule: First Chinese char md5enc, remaining plain, at least 2 Chinese chars
+	if len(kyc.LegalName) < 2 || utf8.RuneCountInString(kyc.LegalName) < 2 {
+		return nil, fmt.Errorf("input string must have at least 2 Chinese characters")
+	}
+
+	lnFirstRune, size := utf8.DecodeRuneInString(kyc.LegalName)
+	if lnFirstRune == utf8.RuneError {
+		return nil, fmt.Errorf("invalid first character")
+	}
+
+	lnHash := md5.New()
+	lnHash.Write([]byte(string(lnFirstRune)))
+	lnFirstHash := hex.EncodeToString(lnHash.Sum(nil))
+
+	lnRemaining := kyc.LegalName[size:]
+
+	ln := lnFirstHash + lnRemaining
+
+	// MD5 Resident Id rule: First 6 char plain, middle birthdate md5enc, last 4 char plain, at least 18 chars
+	if len(kyc.ResidentId) < 18 {
+		return nil, fmt.Errorf("input string must have at least 18 characters")
+	}
+
+	ridPrefix := kyc.ResidentId[:6]
+	ridSuffix := kyc.ResidentId[len(kyc.ResidentId)-4:]
+	ridMiddle := kyc.ResidentId[6 : len(kyc.ResidentId)-4]
+
+	ridHash := md5.New()
+	ridHash.Write([]byte(ridMiddle))
+	ridMiddleHash := hex.EncodeToString(ridHash.Sum(nil))
+
+	rid := ridPrefix + ridMiddleHash + ridSuffix
+
+	// Aliyun Id2MetaVerify API Params
+	var kycAli KycAli
+	kycAli.ParamType = "md5"
+	kycAli.UserName = ln
+	kycAli.IdentifyNum = rid
+
+	return &kycAli, nil
+}
+
+func AliId2MetaVerify(kycAli *KycAli) (*string, error) {
+	// Create aliyun openapi credential
+	credentialConfig := new(alicredential.Config).
+		SetType("access_key").
+		SetAccessKeyId(viper.GetString("kyc.ali_access_key_id")).
+		SetAccessKeySecret(viper.GetString("kyc.ali_access_key_secret"))
+	credential, err := alicredential.NewCredential(credentialConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	// Create aliyun cloudauth client
+	config := &aliopenapi.Config{
+		Credential: credential,
+	}
+	config.Endpoint = alitea.String("cloudauth.aliyuncs.com")
+	client := &alicloudauth20190307.Client{}
+	client, err = alicloudauth20190307.NewClient(config)
+	if err != nil {
+		return nil, err
+	}
+
+	// Create Id2MetaVerify request
+	id2MetaVerifyRequest := &alicloudauth20190307.Id2MetaVerifyRequest{
+		ParamType:   &kycAli.ParamType,
+		UserName:    &kycAli.UserName,
+		IdentifyNum: &kycAli.IdentifyNum,
+	}
+
+	// Create client runtime request
+	runtime := &aliutil.RuntimeOptions{}
+	resp, tryErr := func() (*alicloudauth20190307.Id2MetaVerifyResponse, error) {
+		defer func() {
+			if r := alitea.Recover(recover()); r != nil {
+				err = r
+			}
+		}()
+		resp, err := client.Id2MetaVerifyWithOptions(id2MetaVerifyRequest, runtime)
+		if err != nil {
+			return nil, err
+		}
+		return resp, nil
+	}()
+
+	// Try error handler ??? from ali generated sdk
+	if tryErr != nil {
+		var error = &alitea.SDKError{}
+		if t, ok := tryErr.(*alitea.SDKError); ok {
+			error = t
+		} else {
+			error.Message = alitea.String(tryErr.Error())
+		}
+		return nil, error
+	}
+
+	return resp.Body.ResultObject.BizCode, err
+}
--- a/pkgs/kyc/types.go
+++ b/pkgs/kyc/types.go
@@ -0,0 +1,13 @@
+package kyc
+
+type KycInfo struct {
+	Type       string `json:"type"` // Chinese / Foreigner
+	LegalName  string `json:"legal_name"`
+	ResidentId string `json:"rsident_id"`
+}
+
+type KycAli struct {
+	ParamType   string `json:"param_type"`
+	IdentifyNum string `json:"identify_num"`
+	UserName    string `json:"user_name"`
+}
--- a/pkgs/magiclink/magiclink.go
+++ b/pkgs/magiclink/magiclink.go
@@ -1,53 +0,0 @@
-package magiclink
-
-import (
-	"crypto/rand"
-	"encoding/base64"
-	"sync"
-	"time"
-
-	"github.com/spf13/viper"
-)
-
-type Token struct {
-	Email     string
-	ExpiresAt time.Time
-}
-
-var (
-	store = sync.Map{}
-)
-
-// Generate magic token
-func NewMagicToken(email string) (string, error) {
-	b := make([]byte, 32)
-	if _, err := rand.Read(b); err != nil {
-		return "", err
-	}
-
-	token := base64.RawURLEncoding.EncodeToString(b)
-
-	store.Store(token, Token{
-		Email:     email,
-		ExpiresAt: time.Now().Add(viper.GetDuration("ttl.magic_link_ttl")),
-	})
-
-	return token, nil
-}
-
-// Verify magic token
-func VerifyMagicToken(token string) (string, bool) {
-	val, ok := store.Load(token)
-	if !ok {
-		return "", false
-	}
-
-	t := val.(Token)
-	if time.Now().After(t.ExpiresAt) {
-		store.Delete(token)
-		return "", false
-	}
-
-	store.Delete(token)
-	return t.Email, true
-}
--- a/service/auth/handler.go
+++ b/service/auth/handler.go
@@ -1,9 +1,14 @@
 package auth

-import "github.com/gin-gonic/gin"
+import (
+	"nixcn-cms/middleware"
+
+	"github.com/gin-gonic/gin"
+)

 func Handler(r *gin.RouterGroup) {
-	r.POST("/magic", RequestMagicLink)
-	r.GET("/magic/verify", VerifyMagicLink)
+	r.GET("/redirect", Redirect, middleware.JWTAuth(false))
+	r.POST("/magic", Magic)
+	r.POST("/token", Token)
 	r.POST("/refresh", Refresh)
 }
--- a/service/auth/magic.go
+++ b/service/auth/magic.go
@@ -1,116 +1,81 @@
 package auth

 import (
-	"nixcn-cms/data"
-	"nixcn-cms/internal/cryptography"
+	"net/url"
+	"nixcn-cms/pkgs/authcode"
 	"nixcn-cms/pkgs/email"
-	"nixcn-cms/pkgs/magiclink"
 	"nixcn-cms/pkgs/turnstile"
-
-	"github.com/google/uuid"
-	log "github.com/sirupsen/logrus"
-	"gorm.io/gorm"
+	"nixcn-cms/utils"

 	"github.com/gin-gonic/gin"
 	"github.com/spf13/viper"
 )

-type MagicLinkRequest struct {
-	Email          string `json:"email" binding:"required,email"`
-	TurnstileToken string `json:"turnstile_token" binding:"required"`
+type MagicRequest struct {
+	ClientId       string `json:"client_id"`
+	RedirectUri    string `json:"redirect_uri"`
+	State          string `json:"state"`
+	Email          string `json:"email"`
+	TurnstileToken string `json:"turnstile_token"`
 }

-func RequestMagicLink(c *gin.Context) {
+func Magic(c *gin.Context) {
 	// Parse request
-	var req MagicLinkRequest
+	var req MagicRequest
 	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(400, gin.H{"error": "invalid request"})
+		utils.HttpResponse(c, 400, "", "invalid request")
 		return
 	}

 	// Cloudflare turnstile
 	ok, err := turnstile.VerifyTurnstile(req.TurnstileToken, c.ClientIP())
 	if err != nil || !ok {
-		c.JSON(403, gin.H{"error": "turnstile failed"})
+		utils.HttpResponse(c, 403, "", "turnstile failed")
 		return
 	}

-	// Generate magic token
-	token, err := magiclink.NewMagicToken(req.Email)
+	code, err := authcode.NewAuthCode(req.ClientId, req.Email)
 	if err != nil {
-		c.JSON(500, gin.H{"error": "internal error"})
+		utils.HttpResponse(c, 500, "", "code gen failed")
 		return
 	}

-	link := viper.GetString("server.external_url") + "/login?ticket=" + token
-
-	// Send email using resend
-	resend, err := email.NewResendClient()
+	externalUrl := viper.GetString("server.external_url")
+	url, err := url.Parse(externalUrl)
 	if err != nil {
-		log.Error(err)
-		c.JSON(500, gin.H{"status": "invilad email config"})
-		return
-	}
-	resend.Send(
-		req.Email,
-		"NixCN CMS Email Verify",
-		"<p>Click the link below to verify your email. This link will expire in 10 minutes.</p><a href="+link+">"+link+"</a>",
-	)
-
-	c.JSON(200, gin.H{"status": "magic link sent"})
-}
-
-func VerifyMagicLink(c *gin.Context) {
-	// Get token from url
-	magicToken := c.Query("token")
-	if magicToken == "" {
-		c.JSON(400, gin.H{"error": "missing token"})
+		utils.HttpResponse(c, 500, "", "invalid external url")
 		return
 	}

-	// Verify email token
-	email, ok := magiclink.VerifyMagicToken(magicToken)
-	if !ok {
-		c.JSON(401, gin.H{"error": "invalid or expired token"})
+	url.Path = "/api/v1/auth/redirect"
+	query := url.Query()
+	query.Set("code", code)
+	query.Set("redirect_uri", req.RedirectUri)
+	query.Set("state", req.State)
+	query.Set("client_id", req.ClientId)
+	url.RawQuery = query.Encode()
+
+	debugMode := viper.GetBool("server.debug_mode")
+	if debugMode {
+		uriData := struct {
+			Uri string `json:"uri"`
+		}{url.String()}
+
+		utils.HttpResponse(c, 200, "", "magiclink sent", uriData)
 		return
-	}
-
-	// Verify if user exists
-	user := new(data.User)
-	err := user.GetByEmail(email)
-
-	if err != nil {
-		if err == gorm.ErrRecordNotFound {
-			// Create user
-			user.UUID = uuid.New()
-			user.UserId = uuid.New()
-			user.Email = email
-			user.Type = "Normal"
-			user.PermissionLevel = 10
-			if err := user.Create(); err != nil {
-				c.JSON(500, gin.H{"status": "internal server error"})
-				return
-			}
-		} else {
-			c.JSON(500, gin.H{"status": "internal server error"})
+	} else {
+		// Send email using resend
+		emailClient, err := email.NewSMTPClient()
+		if err != nil {
+			utils.HttpResponse(c, 500, "", "invalid email config")
 			return
 		}
+		emailClient.Send(
+			req.Email,
+			"NixCN CMS Email Verify",
+			"<p>Click the link below to verify your email. This link will expire in 10 minutes.</p><a href="+url.String()+">"+url.String()+"</a>",
+		)
 	}

-	// Generate jwt
-	JwtTool := cryptography.Token{
-		Application: viper.GetString("server.application"),
-	}
-	accessToken, refreshToken, err := JwtTool.IssueTokens(user.UserId)
-	if err != nil {
-		c.JSON(500, gin.H{
-			"status": "error generating tokens",
-		})
-		return
-	}
-
-	c.JSON(200, gin.H{
-		"access_token":  accessToken,
-		"refresh_token": refreshToken,
-	})
+	utils.HttpResponse(c, 200, "", "magic link sent")
 }
--- a/service/auth/redirect.go
+++ b/service/auth/redirect.go
@@ -0,0 +1,130 @@
+package auth
+
+import (
+	"net/url"
+	"nixcn-cms/data"
+	"nixcn-cms/pkgs/authcode"
+	"nixcn-cms/utils"
+
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+	"gorm.io/gorm"
+)
+
+func Redirect(c *gin.Context) {
+	clientId := c.Query("client_id")
+	if clientId == "" {
+		utils.HttpResponse(c, 400, "", "invalid request")
+		return
+	}
+
+	redirectUri := c.Query("redirect_uri")
+	if redirectUri == "" {
+		utils.HttpResponse(c, 400, "", "invalid request")
+		return
+	}
+
+	state := c.Query("state")
+	if state == "" {
+		utils.HttpResponse(c, 400, "", "invalid request")
+		return
+	}
+
+	code := c.Query("code")
+	if code == "" {
+		userIdOrig, ok := c.Get("user_id")
+		if !ok || userIdOrig == "" {
+			utils.HttpResponse(c, 401, "", "unauthorized")
+			return
+		}
+
+		userId, err := uuid.Parse(userIdOrig.(string))
+		if err != nil {
+			utils.HttpResponse(c, 500, "", "failed to parse uuid")
+			return
+		}
+
+		userData := new(data.User)
+		user, err := userData.GetByUserId(userId)
+		if err != nil {
+			utils.HttpResponse(c, 500, "", "failed to get user id")
+			return
+		}
+
+		code, err := authcode.NewAuthCode(clientId, user.Email)
+		if err != nil {
+			utils.HttpResponse(c, 500, "", "code gen failed")
+			return
+		}
+
+		url, err := url.Parse(redirectUri)
+		if err != nil {
+			utils.HttpResponse(c, 400, "", "invalid redirect uri")
+			return
+		}
+		query := url.Query()
+		query.Set("code", code)
+		url.RawQuery = query.Encode()
+
+		c.Redirect(302, url.String())
+	}
+
+	// Verify email token
+	authCode, ok := authcode.VerifyAuthCode(code)
+	if !ok {
+		utils.HttpResponse(c, 403, "", "invalid or expired token")
+		return
+	}
+
+	// Verify if user exists
+	userData := new(data.User)
+	user, err := userData.GetByEmail(authCode.Email)
+
+	if err != nil {
+		if err == gorm.ErrRecordNotFound {
+			// Create user
+			user.UUID = uuid.New()
+			user.UserId = uuid.New()
+			user.Email = authCode.Email
+			user.Username = user.UserId.String()
+			user.PermissionLevel = 10
+			if err := user.Create(); err != nil {
+				utils.HttpResponse(c, 500, "", "internal server error")
+				return
+			}
+		} else {
+			utils.HttpResponse(c, 500, "", "internal server error")
+			return
+		}
+	}
+
+	clientData := new(data.Client)
+	client, err := clientData.GetClientByClientId(clientId)
+	if err != nil {
+		utils.HttpResponse(c, 400, "", "client not found")
+		return
+	}
+
+	err = client.ValidateRedirectURI(redirectUri)
+	if err != nil {
+		utils.HttpResponse(c, 400, "", "redirect uri not match")
+		return
+	}
+
+	newCode, err := authcode.NewAuthCode(clientId, authCode.Email)
+	if err != nil {
+		utils.HttpResponse(c, 500, "", "internal server error")
+		return
+	}
+
+	url, err := url.Parse(redirectUri)
+	if err != nil {
+		utils.HttpResponse(c, 400, "", "invalid redirect uri")
+		return
+	}
+	query := url.Query()
+	query.Set("code", newCode)
+	url.RawQuery = query.Encode()
+
+	c.Redirect(302, url.String())
+}
--- a/service/auth/refresh.go
+++ b/service/auth/refresh.go
@@ -1,7 +1,8 @@
 package auth

 import (
-	"nixcn-cms/internal/cryptography"
+	"nixcn-cms/pkgs/authtoken"
+	"nixcn-cms/utils"

 	"github.com/gin-gonic/gin"
 	"github.com/spf13/viper"
@@ -13,27 +14,30 @@ func Refresh(c *gin.Context) {
 	}

 	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(400, gin.H{"status": "invalid request"})
+		utils.HttpResponse(c, 400, "", "invalid request")
 		return
 	}

-	JwtTool := cryptography.Token{
+	JwtTool := authtoken.Token{
 		Application: viper.GetString("server.application"),
 	}

-	access, err := JwtTool.RefreshAccessToken(req.RefreshToken)
+	accessToken, err := JwtTool.RefreshAccessToken(req.RefreshToken)
 	if err != nil {
-		c.JSON(401, gin.H{"status": "invalid refresh token"})
+		utils.HttpResponse(c, 401, "", "invalid refresh token")
 		return
 	}

-	refresh, err := JwtTool.RenewRefreshToken(req.RefreshToken)
+	refreshToken, err := JwtTool.RenewRefreshToken(req.RefreshToken)
 	if err != nil {
-		c.JSON(500, gin.H{"statis": "error renew refresh token"})
+		utils.HttpResponse(c, 500, "", "error renew refresh token")
+		return
 	}

-	c.JSON(200, gin.H{
-		"access_token":  access,
-		"refresh_token": refresh,
-	})
+	tokenResp := struct {
+		AccessToken  string `json:"access_token"`
+		RefreshToken string `json:"refresh_token"`
+	}{accessToken, refreshToken}
+
+	utils.HttpResponse(c, 200, "", "success", tokenResp)
 }
--- a/service/auth/token.go
+++ b/service/auth/token.go
@@ -0,0 +1,55 @@
+package auth
+
+import (
+	"nixcn-cms/data"
+	"nixcn-cms/pkgs/authcode"
+	"nixcn-cms/pkgs/authtoken"
+	"nixcn-cms/utils"
+
+	"github.com/gin-gonic/gin"
+	"github.com/spf13/viper"
+)
+
+type TokenRequest struct {
+	Code string `json:"code"`
+}
+
+func Token(c *gin.Context) {
+	var req TokenRequest
+
+	err := c.ShouldBindJSON(&req)
+	if err != nil {
+		utils.HttpResponse(c, 400, "", "invalid request")
+		return
+	}
+
+	authCode, ok := authcode.VerifyAuthCode(req.Code)
+	if !ok {
+		utils.HttpResponse(c, 403, "", "invalid or expired token")
+		return
+	}
+
+	userData := new(data.User)
+	user, err := userData.GetByEmail(authCode.Email)
+	if err != nil {
+		utils.HttpResponse(c, 500, "", "internal server error")
+		return
+	}
+
+	// Generate jwt
+	JwtTool := authtoken.Token{
+		Application: viper.GetString("server.application"),
+	}
+	accessToken, refreshToken, err := JwtTool.IssueTokens(authCode.ClientId, user.UserId)
+	if err != nil {
+		utils.HttpResponse(c, 500, "", "error generating tokens")
+		return
+	}
+
+	tokenResp := struct {
+		AccessToken  string `json:"access_token"`
+		RefreshToken string `json:"refresh_token"`
+	}{accessToken, refreshToken}
+
+	utils.HttpResponse(c, 200, "", "success", tokenResp)
+}
--- a/service/event/checkin.go
+++ b/service/event/checkin.go
@@ -0,0 +1,108 @@
+package event
+
+import (
+	"nixcn-cms/data"
+	"nixcn-cms/utils"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+)
+
+func Checkin(c *gin.Context) {
+	data := new(data.Attendance)
+	userIdOrig, ok := c.Get("user_id")
+	if !ok {
+		utils.HttpResponse(c, 403, "", "userid error")
+		return
+	}
+	userId, err := uuid.Parse(userIdOrig.(string))
+	if err != nil {
+		utils.HttpResponse(c, 500, "", "failed to parse uuid")
+	}
+
+	// Get event id from query
+	eventIdOrig, ok := c.GetQuery("event_id")
+	if !ok {
+		utils.HttpResponse(c, 400, "", "undefinded event id")
+		return
+	}
+
+	// Parse event id to uuid
+	eventId, err := uuid.Parse(eventIdOrig)
+	if err != nil {
+		utils.HttpResponse(c, 500, "", "error parsing string to uuid")
+		return
+	}
+	data.UserId = userId
+	code, err := data.GenCheckinCode(eventId)
+	if err != nil {
+		utils.HttpResponse(c, 500, "", "error generating code")
+		return
+	}
+
+	checkinCodeResp := struct {
+		CheckinCode *string `json:"checkin_code"`
+	}{code}
+	utils.HttpResponse(c, 200, "", "success", checkinCodeResp)
+}
+
+func CheckinSubmit(c *gin.Context) {
+	var req struct {
+		ChekinCode string `json:"checkin_code"`
+	}
+	c.ShouldBindJSON(&req)
+
+	attendanceData := new(data.Attendance)
+	err := attendanceData.VerifyCheckinCode(req.ChekinCode)
+	if err != nil {
+		utils.HttpResponse(c, 400, "", "error verify checkin code")
+		return
+	}
+
+	utils.HttpResponse(c, 200, "", "success")
+}
+
+func CheckinQuery(c *gin.Context) {
+	userIdOrig, ok := c.Get("user_id")
+	if !ok {
+		utils.HttpResponse(c, 400, "", "userid error")
+		return
+	}
+	userId, err := uuid.Parse(userIdOrig.(string))
+	if err != nil {
+		utils.HttpResponse(c, 500, "", "failed to parse uuid")
+		return
+	}
+
+	eventIdOrig, ok := c.GetQuery("event_id")
+	if !ok {
+		utils.HttpResponse(c, 400, "", "could not found event_id")
+		return
+	}
+	eventId, err := uuid.Parse(eventIdOrig)
+	if err != nil {
+		utils.HttpResponse(c, 400, "", "event_id is not valid")
+		return
+	}
+
+	attendanceData := new(data.Attendance)
+	attendance, err := attendanceData.GetAttendance(userId, eventId)
+
+	if err != nil {
+		utils.HttpResponse(c, 500, "", "database error")
+		return
+	} else if attendance == nil {
+		utils.HttpResponse(c, 404, "", "event checkin record not found")
+		return
+	} else if attendance.CheckinAt.IsZero() {
+		utils.HttpResponse(c, 200, "", "success", gin.H{"checkin_at": nil})
+		return
+	}
+
+	checkInAtResp := struct {
+		CheckinAt time.Time `json:"checkin_at"`
+	}{attendance.CheckinAt}
+
+	utils.HttpResponse(c, 200, "", "success", checkInAtResp)
+}
--- a/service/event/handler.go
+++ b/service/event/handler.go
@@ -7,6 +7,9 @@ import (
 )

 func Handler(r *gin.RouterGroup) {
-	r.Use(middleware.JWTAuth())
+	r.Use(middleware.JWTAuth(true), middleware.Permission(10))
 	r.GET("/info", Info)
+	r.GET("/checkin", Checkin)
+	r.GET("/checkin/query", CheckinQuery)
+	r.POST("/checkin/submit", CheckinSubmit, middleware.Permission(20))
 }
--- a/service/event/info.go
+++ b/service/event/info.go
@@ -2,42 +2,39 @@ package event

 import (
 	"nixcn-cms/data"
+	"nixcn-cms/utils"
+	"time"

 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
 )

 func Info(c *gin.Context) {
-	event := new(data.Event)
+	eventData := new(data.Event)
 	eventIdOrig, ok := c.GetQuery("event_id")
 	if !ok {
-		c.JSON(400, gin.H{
-			"status": "undefinded event id",
-		})
+		utils.HttpResponse(c, 400, "", "undefinded event id")
 		return
 	}

 	// Parse event id
 	eventId, err := uuid.Parse(eventIdOrig)
 	if err != nil {
-		c.JSON(500, gin.H{
-			"status": "error parsing string to uuid",
-		})
+		utils.HttpResponse(c, 500, "", "error parsing string to uuid")
 		return
 	}

-	err = event.GetEventById(eventId)
+	event, err := eventData.GetEventById(eventId)
 	if err != nil {
-		c.JSON(404, gin.H{
-			"status": "event id not found",
-		})
+		utils.HttpResponse(c, 404, "", "event id not found")
 		return
 	}

-	c.JSON(200, gin.H{
-		"name":         event.Name,
-		"start_time":   event.StartTime,
-		"end_time":     event.EndTime,
-		"joined_users": event.JoinedUsers,
-	})
+	eventInfoResp := struct {
+		Name      string    `json:"name"`
+		StartTime time.Time `json:"start_time"`
+		EndTime   time.Time `json:"end_time"`
+	}{event.Name, event.StartTime, event.EndTime}
+
+	utils.HttpResponse(c, 200, "", "success", eventInfoResp)
 }
--- a/service/user/checkin.go
+++ b/service/user/checkin.go
@@ -1,77 +0,0 @@
-package user
-
-import (
-	"nixcn-cms/data"
-
-	"github.com/gin-gonic/gin"
-	"github.com/google/uuid"
-)
-
-func Checkin(c *gin.Context) {
-	data := new(data.User)
-	userId, ok := c.Get("user_id")
-	if !ok {
-		c.JSON(401, gin.H{
-			"status": "unauthorized",
-		})
-		return
-	}
-
-	// Get event id from query
-	eventIdOrig, ok := c.GetQuery("event_id")
-	if !ok {
-		c.JSON(400, gin.H{
-			"status": "undefinded event id",
-		})
-		return
-	}
-
-	// Parse event id to uuid
-	eventId, err := uuid.Parse(eventIdOrig)
-	if err != nil {
-		c.JSON(500, gin.H{
-			"status": "error parsing string to uuid",
-		})
-		return
-	}
-
-	data.UserId = userId.(uuid.UUID)
-	code, err := data.GenCheckinCode(eventId)
-	if err != nil {
-		c.JSON(500, gin.H{
-			"status": "error generating code",
-		})
-		return
-	}
-
-	c.JSON(200, gin.H{
-		"checkin_code": code,
-	})
-}
-
-func CheckinSubmit(c *gin.Context) {
-	var req struct {
-		ChekinCode string `json:"checkin_code"`
-	}
-	c.ShouldBindJSON(&req)
-
-	data := new(data.User)
-	userId, err := data.VerifyCheckinCode(req.ChekinCode)
-	if err != nil {
-		c.JSON(400, gin.H{
-			"status": "error verify checkin code",
-		})
-		return
-	}
-
-	data.GetByUserId(*userId)
-	if data.PermissionLevel <= 20 {
-		c.JSON(403, gin.H{
-			"status": "access denied",
-		})
-	}
-
-	c.JSON(200, gin.H{
-		"status": "success",
-	})
-}
--- a/service/user/create.go
+++ b/service/user/create.go
@@ -0,0 +1,7 @@
+package user
+
+import "github.com/gin-gonic/gin"
+
+func Create(c *gin.Context) {
+
+}
--- a/service/user/full.go
+++ b/service/user/full.go
@@ -1 +1,39 @@
 package user
+
+import (
+	"nixcn-cms/data"
+	"nixcn-cms/utils"
+
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+)
+
+func Full(c *gin.Context) {
+	userIdOrig, ok := c.Get("user_id")
+	if !ok {
+		utils.HttpResponse(c, 403, "", "userid error")
+		return
+	}
+	userId, err := uuid.Parse(userIdOrig.(string))
+	if err != nil {
+		utils.HttpResponse(c, 500, "", "failed to parse uuid")
+		return
+	}
+
+	userData, err := new(data.User).GetByUserId(userId)
+	if err != nil {
+		utils.HttpResponse(c, 404, "", "user not found")
+		return
+	}
+
+	users, err := userData.GetFullTable()
+	if err != nil {
+		utils.HttpResponse(c, 500, "", "database error")
+		return
+	}
+
+	userFullResp := struct {
+		UserTable *[]data.User `json:"user_table"`
+	}{users}
+	utils.HttpResponse(c, 200, "", "success", userFullResp)
+}
--- a/service/user/handler.go
+++ b/service/user/handler.go
@@ -7,11 +7,10 @@ import (
 )

 func Handler(r *gin.RouterGroup) {
-	r.Use(middleware.JWTAuth())
+	r.Use(middleware.JWTAuth(true), middleware.Permission(5))
 	r.GET("/info", Info)
-	r.GET("/checkin", Checkin)
-	r.POST("/checkin/submit", CheckinSubmit)
 	r.PATCH("/update", Update)
-	r.GET("/list", List)
-	r.GET("/query", Query)
+	r.GET("/list", List, middleware.Permission(20))
+	r.POST("/full", Full, middleware.Permission(40))
+	r.POST("/create", Create, middleware.Permission(50))
 }
--- a/service/user/info.go
+++ b/service/user/info.go
@@ -2,46 +2,42 @@ package user

 import (
 	"nixcn-cms/data"
-	"time"
+	"nixcn-cms/utils"

 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
 )

 func Info(c *gin.Context) {
-	data := new(data.User)
-	userId, ok := c.Get("user_id")
+	userData := new(data.User)
+	userIdOrig, ok := c.Get("user_id")
 	if !ok {
-		c.JSON(404, gin.H{
-			"status": "user not found",
-		})
+		utils.HttpResponse(c, 403, "", "userid error")
+		return
+	}
+	userId, err := uuid.Parse(userIdOrig.(string))
+	if err != nil {
+		utils.HttpResponse(c, 500, "", "failed to parse uuid")
 		return
 	}

 	// Get user from database
-	err := data.GetByUserId(userId.(uuid.UUID))
+	user, err := userData.GetByUserId(userId)
 	if err != nil {
-		c.JSON(404, gin.H{
-			"status": "user not found",
-		})
+		utils.HttpResponse(c, 404, "", "user not found")
 		return
 	}

-	// Set time nil if time is zero
-	for k, v := range data.Checkin {
-		if t, ok := v.(time.Time); ok && t.IsZero() {
-			data.Checkin[k] = nil
-		}
-	}
+	userInfoResp := struct {
+		UserId          uuid.UUID `json:"user_id"`
+		Email           string    `json:"email"`
+		Username        string    `json:"username"`
+		Nickname        string    `json:"nickname"`
+		Subtitle        string    `json:"subtitle"`
+		Avatar          string    `json:"avatar"`
+		Bio             string    `json:"bio"`
+		PermissionLevel uint      `json:"permission_level"`
+	}{user.UserId, user.Email, user.Username, user.Nickname, user.Subtitle, user.Avatar, user.Bio, user.PermissionLevel}

-	c.JSON(200, gin.H{
-		"user_id":          data.UserId,
-		"email":            data.Email,
-		"type":             data.Type,
-		"nickname":         data.Nickname,
-		"subtitle":         data.Subtitle,
-		"avatar":           data.Avatar,
-		"checkin":          data.Checkin,
-		"permission_level": data.PermissionLevel,
-	})
+	utils.HttpResponse(c, 200, "", "success", userInfoResp)
 }
--- a/service/user/list.go
+++ b/service/user/list.go
@@ -2,14 +2,13 @@ package user

 import (
 	"nixcn-cms/data"
+	"nixcn-cms/utils"
 	"strconv"

 	"github.com/gin-gonic/gin"
 )

 func List(c *gin.Context) {
-	data := new(data.User)
-
 	// Get limit and offset from query
 	limit, ok := c.GetQuery("limit")
 	if !ok {
@@ -17,34 +16,30 @@ func List(c *gin.Context) {
 	}
 	offset, ok := c.GetQuery("offset")
 	if !ok {
-		c.JSON(400, gin.H{
-			"status": "offset not found",
-		})
+		utils.HttpResponse(c, 400, "", "offset not found")
 		return
 	}

 	// Parse string to int64
 	limitNum, err := strconv.ParseInt(limit, 10, 64)
 	if err != nil {
-		c.JSON(400, gin.H{
-			"status": "parse string to int error",
-		})
+		utils.HttpResponse(c, 400, "", "parse string to int error")
 		return
 	}
 	offsetNum, err := strconv.ParseInt(offset, 10, 64)
 	if err != nil {
-		c.JSON(400, gin.H{
-			"status": "parse string to int error",
-		})
+		utils.HttpResponse(c, 400, "", "parse string to int error")
 		return
 	}

 	// Get user list from search engine
-	list, err := data.FastListUsers(limitNum, offsetNum)
+	list, err := new(data.User).FastListUsers(limitNum, offsetNum)
 	if err != nil {
-		c.JSON(500, gin.H{
-			"status": "failed list users from meilisearch",
-		})
+		utils.HttpResponse(c, 500, "", "failed list users from meilisearch")
 	}
-	c.JSON(200, list)
+
+	userListResp := struct {
+		List *[]data.UserSearchDoc `json:"list"`
+	}{list}
+	utils.HttpResponse(c, 200, "", "success", userListResp)
 }
--- a/service/user/query.go
+++ b/service/user/query.go
@@ -1,43 +0,0 @@
-package user
-
-import (
-	"nixcn-cms/data"
-	"time"
-
-	"github.com/gin-gonic/gin"
-	"github.com/google/uuid"
-)
-
-func Query(c *gin.Context) {
-	userId, ok := c.Get("user_id")
-	if !ok {
-		c.JSON(400, gin.H{"status": "could not found user_id"})
-		return
-	}
-	eventId, ok := c.GetQuery("event_id")
-	if !ok {
-		c.JSON(400, gin.H{"status": "could not found event_id"})
-		return
-	}
-
-	data := new(data.User)
-	err := data.GetByUserId(userId.(uuid.UUID))
-	if err != nil {
-		c.JSON(404, gin.H{"status": "cannot found user"})
-		return
-	}
-	if data.Checkin[eventId] == nil {
-		c.JSON(404, gin.H{"status": "cannot found user checked in"})
-		return
-	}
-
-	var checkinTime *time.Time
-	if data.Checkin[eventId].(*time.Time).IsZero() {
-		checkinTime = nil
-	} else {
-		checkinTime = data.Checkin[eventId].(*time.Time)
-	}
-	c.JSON(200, gin.H{
-		"checkin_time": checkinTime,
-	})
-}
--- a/service/user/update.go
+++ b/service/user/update.go
@@ -2,49 +2,61 @@ package user

 import (
 	"nixcn-cms/data"
+	"nixcn-cms/internal/cryptography"
+	"nixcn-cms/utils"

 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
 )

 func Update(c *gin.Context) {
+	// New user model
+	userIdOrig, ok := c.Get("user_id")
+	if !ok {
+		utils.HttpResponse(c, 403, "", "userid error")
+		return
+	}
+	userId, err := uuid.Parse(userIdOrig.(string))
+	if err != nil {
+		utils.HttpResponse(c, 500, "", "failed to parse uuid")
+		return
+	}
+
 	var ReqInfo data.User
 	c.BindJSON(&ReqInfo)

-	// New user model
-	user := new(data.User)
-	userId, ok := c.Get("user_id")
-	if !ok {
-		c.JSON(403, gin.H{
-			"status": "can not found user id",
-		})
-		return
-	}
-
 	// Get user info
-	user.GetByUserId(userId.(uuid.UUID))
-
-	// Reject permission 0 user
-	if user.PermissionLevel == 0 {
-		c.JSON(403, gin.H{
-			"status": "premission denied",
-		})
+	userData, err := new(data.User).GetByUserId(userId)
+	if err != nil {
+		utils.HttpResponse(c, 500, "", "failed to find user")
 		return
 	}

-	user.Avatar = ReqInfo.Avatar
-	user.Email = ReqInfo.Email
-	user.Nickname = ReqInfo.Nickname
-	user.Subtitle = ReqInfo.Subtitle
-	// Cant change user type under permission 2
-	if user.PermissionLevel >= 2 {
-		user.Type = ReqInfo.Type
+	if len(ReqInfo.Email) < 5 || len(ReqInfo.Email) >= 255 {
+		utils.HttpResponse(c, 400, "", "invilad email")
+		return
 	}
+	userData.Email = ReqInfo.Email
+
+	if len(ReqInfo.Username) < 5 || len(ReqInfo.Username) >= 255 {
+		utils.HttpResponse(c, 400, "", "invilad user name")
+		return
+	}
+	userData.Username = ReqInfo.Username
+
+	userData.Nickname = ReqInfo.Nickname
+	userData.Subtitle = ReqInfo.Subtitle
+	userData.Avatar = ReqInfo.Avatar
+
+	if ReqInfo.Bio != "" {
+		if !cryptography.IsBase64Std(ReqInfo.Bio) {
+			utils.HttpResponse(c, 400, "", "invalid base64")
+		}
+	}
+	userData.Bio = ReqInfo.Bio

 	// Update user info
-	user.UpdateByUserID(userId.(uuid.UUID))
+	userData.UpdateByUserID(userId)

-	c.JSON(200, gin.H{
-		"status": "success",
-	})
+	utils.HttpResponse(c, 200, "", "success")
 }
--- a/utils/response.go
+++ b/utils/response.go
@@ -0,0 +1,30 @@
+package utils
+
+import "github.com/gin-gonic/gin"
+
+type RespStatus struct {
+	Code    int    `json:"code"`
+	ErrorId string `json:"error_id"`
+	Status  string `json:"status"`
+	Data    any    `json:"data"`
+}
+
+func HttpResponse(c *gin.Context, code int, errorId string, status string, data ...any) {
+	var resp = RespStatus{
+		Code:    code,
+		ErrorId: errorId,
+		Status:  status,
+		Data:    data,
+	}
+	c.JSON(code, resp)
+}
+
+func HttpAbort(c *gin.Context, code int, errorId string, status string, data ...any) {
+	var resp = RespStatus{
+		Code:    code,
+		ErrorId: errorId,
+		Status:  status,
+		Data:    data,
+	}
+	c.AbortWithStatusJSON(code, resp)
+}
Author	SHA1	Message	Date
Asai Neko	67e22eb793	Go mod tidy Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-08 00:52:35 +08:00
Asai Neko	aaedddfd2f	Add Exchange SMTP Oauth2 Support (not verified) Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-07 18:32:27 +08:00
Asai Neko	f8a3d0ca45	Remove some useless comments Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-06 15:19:54 +08:00
Asai Neko	6a9c013799	Use utils.HttpResponse/Abort to replace c.JSON/Abort Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-06 12:49:55 +08:00
Asai Neko	70846e0d1e	Reorder checkin api location (move to event) Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-06 11:36:08 +08:00
Asai Neko	0710ffce72	Tune permission level Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-06 11:27:23 +08:00
Asai Neko	9e840901d1	Tune user API permission level Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-06 11:19:54 +08:00
Asai Neko	0f1c8e327e	Mod permission middleware to only request database once Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-06 10:40:48 +08:00
Asai Neko	ddffb0da23	Add permission middleware Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-06 10:36:51 +08:00
Asai Neko	b4d0959de4	Add EnableKYC for event table Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-05 22:48:27 +08:00
Asai Neko	c2fd1c5cc8	Fix missed saving file (auth/redirect service) Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-05 22:22:12 +08:00
Asai Neko	eddfa9a884	Remove jwt_secret from config Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-05 22:02:28 +08:00
Asai Neko	b0684492fa	Change authcode using redis, authtoken use client secret to sign jwt Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-05 21:59:37 +08:00
Asai Neko	aea7fddef0	Go mod tidy Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-05 21:31:42 +08:00
Asai Neko	ef64c29ea7	Add Attendance state for attendance table Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-05 16:24:35 +08:00
Asai Neko	5f7f078f02	Add description for event table Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-05 16:22:10 +08:00
Asai Neko	1adfda54a6	Add AliId2MetaVerify OpenAPI pkg Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-05 16:11:08 +08:00
Asai Neko	3510d6c1f8	Add Aliyun Id2MetaVerify encode impl Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-05 15:33:49 +08:00
Asai Neko	1fa90b15c3	Add kycinfo for attendance table ane related utils Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-05 15:06:24 +08:00
Asai Neko	aa8e57bd89	Add user full table api Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-05 14:36:10 +08:00
Asai Neko	d6acae1625	Add owner to event table Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-05 14:08:20 +08:00
Asai Neko	8dbdb58327	Add bio base64 verification Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-02 16:56:26 +08:00
Asai Neko	61d2d2aef3	Sign new code for new redirect Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-02 16:47:15 +08:00
Asai Neko	0b710fd538	Change magic_link_ttl old name to auth_code_ttl Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-02 16:37:30 +08:00
Asai Neko	d70ade4907	Change resend to using smtp Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-02 16:26:21 +08:00
Asai Neko	a98ab26fa4	Add oauth2 like auth service Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-02 15:57:42 +08:00
Asai Neko	62da1e096e	Fix default config Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-02 13:59:43 +08:00
Asai Neko	fd1c89392f	Add abort for jwt middleware Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-02 13:55:47 +08:00
Asai Neko	ae93f49691	Fix jwt middleware cnext Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-02 13:52:04 +08:00
Asai Neko	743f8373b0	Fix request return Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-02 13:34:13 +08:00
Asai Neko	4796653896	Fix jwt middleware Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-02 13:17:25 +08:00
Asai Neko	4dfd4cd529	Modify auth middleware Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-02 13:00:02 +08:00
Asai Neko	bd8eecbc7d	Fix dup err logic Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-02 12:37:27 +08:00
Asai Neko	cbec9bf2b3	Modify jwt middleware logic Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-02 12:36:07 +08:00
Asai Neko	3d685b5a86	Add hot reload for backend Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-01 20:22:55 +08:00
Asai Neko	83fe326962	Add event type for event table Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-01 14:59:57 +08:00
Asai Neko	5b6bc9ce42	Return user bio in user info service Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-01 14:54:43 +08:00
Asai Neko	e0e1abab93	Add Bio to user table, set varchar for role in attendance table Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-01 14:52:24 +08:00
Asai Neko	9f927c907a	Fix a bug Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-01 14:27:00 +08:00
Asai Neko	27ba3b7bef	Add aes cryptography library Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-01 14:25:44 +08:00
Asai Neko	63f71d3b81	Add bcrypt and aes crypto lib Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-01 14:24:41 +08:00
Asai Neko	e40d175c8e	Remove user.type from auth/magic service Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-01 14:12:05 +08:00
Asai Neko	304e1d95ed	Refactor checkin table to attendance table Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-01 14:08:59 +08:00
Asai Neko	acd3c95c80	Refactor mass data structure Signed-off-by: Asai Neko <sugar@sne.moe>	2026-01-01 13:31:28 +08:00
Noa Virellia	8973d518a2	refactor(client): qr dialog skeleton Signed-off-by: Noa Virellia <noa@requiem.garden>	2026-01-01 03:47:55 +00:00
Noa Virellia	b5b4bb9d66	refactor(client): optimize suspense components Signed-off-by: Noa Virellia <noa@requiem.garden>	2026-01-01 03:47:55 +00:00
Asai Neko	4c438cf4e4	Add contributing guide to README Signed-off-by: Asai Neko <sugar@sne.moe>	2025-12-28 19:13:45 +08:00
Noa Virellia	d44eef6bb7	chore(just): do not run frontend install in backend commands Signed-off-by: Noa Virellia <noa@requiem.garden>	2025-12-28 17:41:30 +08:00
Noa Virellia	a49450bf9e	feat(auth/magic): log to console instead of sending email in debug mode Signed-off-by: Noa Virellia <noa@requiem.garden>	2025-12-28 17:41:13 +08:00
Noa Virellia	228d838c37	fix(devenv): use correct just command Signed-off-by: Noa Virellia <noa@requiem.garden>	2025-12-28 17:11:31 +08:00