Merge pull request #12 from kmc7468/dev

v0.5.0
2025-12-14 22:08:45 +00:00 · 2025-07-12 06:01:08 +09:00
parent 361d966a59 89921ef1df
commit 0cd55a413d
78 changed files with 2780 additions and 1667 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,5 +1,6 @@
 .git
 node_modules
+/Makefile

 # Output
 .output
@@ -10,13 +11,15 @@ node_modules
 /build
 /data
 /library
+/thumbnails

 # OS
 .DS_Store
 Thumbs.db

-# VSCode
+# Editors
 /.vscode
+/.idea

 # Env
 .env
--- a/.env.example
+++ b/.env.example
@@ -11,3 +11,4 @@ SESSION_EXPIRES=
 USER_CLIENT_CHALLENGE_EXPIRES=
 SESSION_UPGRADE_CHALLENGE_EXPIRES=
 LIBRARY_PATH=
+THUMBNAILS_PATH=
--- a/.gitignore
+++ b/.gitignore
@@ -9,13 +9,15 @@ node_modules
 /build
 /data
 /library
+/thumbnails

 # OS
 .DS_Store
 Thumbs.db

-# VSCode
+# Editors
 /.vscode
+/.idea

 # Env
 .env
--- a/docker-compose.dev.yaml
+++ b/docker-compose.dev.yaml
@@ -1,7 +1,7 @@
 services:
  database:
-    image: postgres:17.2
-    restart: on-failure
+    image: postgres:17
+    restart: always
    volumes:
      - database:/var/lib/postgresql/data
    environment:
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -1,12 +1,13 @@
 services:
  server:
    build: .
-    restart: on-failure
+    restart: unless-stopped
    depends_on:
      - database
    user: ${CONTAINER_UID:-0}:${CONTAINER_GID:-0}
    volumes:
      - ./data/library:/app/data/library
+      - ./data/thumbnails:/app/data/thumbnails
    environment:
      # ArkVault
      - DATABASE_HOST=database
@@ -17,6 +18,7 @@ services:
      - USER_CLIENT_CHALLENGE_EXPIRES
      - SESSION_UPGRADE_CHALLENGE_EXPIRES
      - LIBRARY_PATH=/app/data/library
+      - THUMBNAILS_PATH=/app/data/thumbnails
      # SvelteKit
      - ADDRESS_HEADER=${TRUST_PROXY:+X-Forwarded-For}
      - XFF_DEPTH=${TRUST_PROXY:-}
@@ -25,8 +27,8 @@ services:
      - ${PORT:-80}:3000

  database:
-    image: postgres:17.2-alpine
-    restart: on-failure
+    image: postgres:17-alpine
+    restart: unless-stopped
    user: ${CONTAINER_UID:-0}:${CONTAINER_GID:-0}
    volumes:
      - ./data/database:/var/lib/postgresql/data
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
  "name": "arkvault",
  "private": true,
-  "version": "0.4.0",
+  "version": "0.5.0",
  "type": "module",
  "scripts": {
    "dev": "vite dev",
@@ -16,49 +16,50 @@
    "db:migrate": "kysely migrate"
  },
  "devDependencies": {
-    "@eslint/compat": "^1.2.4",
-    "@iconify-json/material-symbols": "^1.2.12",
-    "@sveltejs/adapter-node": "^5.2.11",
-    "@sveltejs/kit": "^2.15.2",
+    "@eslint/compat": "^1.3.1",
+    "@iconify-json/material-symbols": "^1.2.29",
+    "@sveltejs/adapter-node": "^5.2.13",
+    "@sveltejs/kit": "^2.22.5",
    "@sveltejs/vite-plugin-svelte": "^4.0.4",
    "@types/file-saver": "^2.0.7",
    "@types/ms": "^0.7.34",
-    "@types/node-schedule": "^2.1.7",
-    "@types/pg": "^8.11.10",
-    "autoprefixer": "^10.4.20",
-    "axios": "^1.7.9",
-    "dexie": "^4.0.10",
-    "eslint": "^9.17.0",
-    "eslint-config-prettier": "^9.1.0",
-    "eslint-plugin-svelte": "^2.46.1",
-    "eslint-plugin-tailwindcss": "^3.17.5",
-    "exifreader": "^4.26.0",
+    "@types/node-schedule": "^2.1.8",
+    "@types/pg": "^8.15.4",
+    "autoprefixer": "^10.4.21",
+    "axios": "^1.10.0",
+    "dexie": "^4.0.11",
+    "eslint": "^9.30.1",
+    "eslint-config-prettier": "^10.1.5",
+    "eslint-plugin-svelte": "^3.10.1",
+    "eslint-plugin-tailwindcss": "^3.18.0",
+    "exifreader": "^4.31.1",
    "file-saver": "^2.0.5",
-    "globals": "^15.14.0",
+    "globals": "^16.3.0",
    "heic2any": "^0.0.4",
-    "kysely-ctl": "^0.10.1",
-    "mime": "^4.0.6",
+    "kysely-ctl": "^0.13.1",
+    "lru-cache": "^11.1.0",
+    "mime": "^4.0.7",
    "p-limit": "^6.2.0",
-    "prettier": "^3.4.2",
-    "prettier-plugin-svelte": "^3.3.2",
-    "prettier-plugin-tailwindcss": "^0.6.9",
-    "svelte": "^5.19.1",
-    "svelte-check": "^4.1.3",
+    "prettier": "^3.6.2",
+    "prettier-plugin-svelte": "^3.4.0",
+    "prettier-plugin-tailwindcss": "^0.6.14",
+    "svelte": "^5.35.6",
+    "svelte-check": "^4.2.2",
    "tailwindcss": "^3.4.17",
-    "typescript": "^5.7.3",
-    "typescript-eslint": "^8.19.1",
-    "unplugin-icons": "^0.22.0",
-    "vite": "^5.4.11"
+    "typescript": "^5.8.3",
+    "typescript-eslint": "^8.36.0",
+    "unplugin-icons": "^22.1.0",
+    "vite": "^5.4.19"
  },
  "dependencies": {
    "@fastify/busboy": "^3.1.1",
-    "argon2": "^0.41.1",
-    "kysely": "^0.27.5",
+    "argon2": "^0.43.0",
+    "kysely": "^0.28.2",
    "ms": "^2.1.3",
    "node-schedule": "^2.1.1",
-    "pg": "^8.13.1",
-    "uuid": "^11.0.4",
-    "zod": "^3.24.1"
+    "pg": "^8.16.3",
+    "uuid": "^11.1.0",
+    "zod": "^3.25.76"
  },
  "engines": {
    "node": "^22.0.0",
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
--- a/src/hooks.client.ts
+++ b/src/hooks.client.ts
@@ -4,6 +4,15 @@ import { prepareFileCache } from "$lib/modules/file";
 import { prepareOpfs } from "$lib/modules/opfs";
 import { clientKeyStore, masterKeyStore, hmacSecretStore } from "$lib/stores";

+const requestPersistentStorage = async () => {
+  const isPersistent = await navigator.storage.persist();
+  if (isPersistent) {
+    console.log("[ArkVault] Persistent storage granted.");
+  } else {
+    console.warn("[ArkVault] Persistent storage not granted.");
+  }
+};
+
 const prepareClientKeyStore = async () => {
  const [encryptKey, decryptKey, signKey, verifyKey] = await Promise.all([
    getClientKey("encrypt"),
@@ -32,6 +41,7 @@ const prepareHmacSecretStore = async () => {

 export const init: ClientInit = async () => {
  await Promise.all([
+    requestPersistentStorage(),
    prepareFileCache(),
    prepareClientKeyStore(),
    prepareMasterKeyStore(),
--- a/src/lib/components/atoms/divs/FullscreenDiv.svelte
+++ b/src/lib/components/atoms/divs/FullscreenDiv.svelte
@@ -1,7 +1,15 @@
 <script lang="ts">
-  let { children } = $props();
+  import type { Snippet } from "svelte";
+  import type { ClassValue } from "svelte/elements";
+
+  interface Props {
+    children: Snippet;
+    class?: ClassValue;
+  }
+
+  let { children, class: className }: Props = $props();
 </script>

-<div class="flex flex-grow flex-col justify-between px-4">
+<div class={["flex flex-grow flex-col justify-between px-4", className]}>
  {@render children()}
 </div>
--- a/src/lib/components/molecules/ActionModal.svelte
+++ b/src/lib/components/molecules/ActionModal.svelte
@@ -12,6 +12,7 @@
    confirmText: string;
    isOpen: boolean;
    onbeforeclose?: () => void;
+    oncancel?: () => void;
    onConfirmClick: ConfirmHandler;
    title: string;
  }
@@ -22,6 +23,7 @@
    confirmText,
    isOpen = $bindable(),
    onbeforeclose,
+    oncancel,
    onConfirmClick,
    title,
  }: Props = $props();
@@ -31,6 +33,11 @@
    isOpen = false;
  };

+  const cancelAction = () => {
+    oncancel?.();
+    closeModal();
+  };
+
  const confirmAction = async () => {
    if ((await onConfirmClick()) !== false) {
      closeModal();
@@ -38,13 +45,13 @@
  };
 </script>

-<Modal bind:isOpen onclose={closeModal} class="space-y-4">
+<Modal bind:isOpen onclose={cancelAction} class="space-y-4">
  <div class="flex flex-col gap-y-2 break-keep">
    <p class="text-xl font-bold">{title}</p>
    {@render children()}
  </div>
  <div class="flex gap-x-2">
-    <Button color="gray" onclick={closeModal} class="flex-1">{cancelText}</Button>
+    <Button color="gray" onclick={cancelAction} class="flex-1">{cancelText}</Button>
    <Button onclick={confirmAction} class="flex-1">{confirmText}</Button>
  </div>
 </Modal>
--- a/src/lib/components/molecules/labels/DirectoryEntryLabel.svelte
+++ b/src/lib/components/molecules/labels/DirectoryEntryLabel.svelte
@@ -10,19 +10,38 @@
    name: string;
    subtext?: string;
    textClass?: ClassValue;
+    thumbnail?: string;
    type: "directory" | "file";
  }

-  let { class: className, name, subtext, textClass: textClassName, type }: Props = $props();
+  let {
+    class: className,
+    name,
+    subtext,
+    textClass: textClassName,
+    thumbnail,
+    type,
+  }: Props = $props();
 </script>

+{#snippet iconSnippet()}
+  <div class="flex h-10 w-10 items-center justify-center text-xl">
+    {#if thumbnail}
+      <img src={thumbnail} alt={name} loading="lazy" class="aspect-square rounded object-cover" />
+    {:else if type === "directory"}
+      <IconFolder />
+    {:else}
+      <IconDraft class="text-blue-400" />
+    {/if}
+  </div>
+{/snippet}
+
 {#snippet subtextSnippet()}
  {subtext}
 {/snippet}

 <IconLabel
-  icon={type === "directory" ? IconFolder : IconDraft}
-  iconClass={type === "file" ? "text-blue-400" : undefined}
+  {iconSnippet}
  subtext={subtext ? subtextSnippet : undefined}
  class={className}
  textClass={textClassName}
--- a/src/lib/components/molecules/labels/IconLabel.svelte
+++ b/src/lib/components/molecules/labels/IconLabel.svelte
@@ -5,8 +5,9 @@
  interface Props {
    children: Snippet;
    class?: ClassValue;
-    icon: Component<SvelteHTMLElements["svg"]>;
+    icon?: Component<SvelteHTMLElements["svg"]>;
    iconClass?: ClassValue;
+    iconSnippet?: Snippet;
    subtext?: Snippet;
    textClass?: ClassValue;
  }
@@ -16,15 +17,22 @@
    class: className,
    icon: Icon,
    iconClass: iconClassName,
+    iconSnippet,
    subtext,
    textClass: textClassName,
  }: Props = $props();
 </script>

 <div class={["flex items-center gap-x-4", className]}>
-  <div class={["flex-shrink-0 text-lg", iconClassName]}>
-    <Icon />
-  </div>
+  {#if iconSnippet}
+    <div class={["flex-shrink-0", iconClassName]}>
+      {@render iconSnippet()}
+    </div>
+  {:else if Icon}
+    <div class={["flex-shrink-0 text-lg", iconClassName]}>
+      <Icon />
+    </div>
+  {/if}
  <div class="flex flex-grow flex-col overflow-x-hidden text-left">
    <p class={["truncate font-medium", textClassName]}>
      {@render children()}
--- a/src/lib/components/organisms/Category/File.svelte
+++ b/src/lib/components/organisms/Category/File.svelte
@@ -3,7 +3,7 @@
  import { ActionEntryButton } from "$lib/components/atoms";
  import { DirectoryEntryLabel } from "$lib/components/molecules";
  import type { FileInfo } from "$lib/modules/filesystem";
-  import type { SelectedFile } from "./service";
+  import { requestFileThumbnailDownload, type SelectedFile } from "./service";

  import IconClose from "~icons/material-symbols/close";

@@ -15,6 +15,8 @@

  let { info, onclick, onRemoveClick }: Props = $props();

+  let thumbnail: string | undefined = $state();
+
  const openFile = () => {
    const { id, dataKey, dataKeyVersion, name } = $info as FileInfo;
    if (!dataKey || !dataKeyVersion) return; // TODO: Error handling
@@ -28,6 +30,21 @@

    onRemoveClick!({ id, dataKey, dataKeyVersion, name });
  };
+
+  $effect(() => {
+    if ($info?.dataKey) {
+      requestFileThumbnailDownload($info.id, $info.dataKey)
+        .then((thumbnailUrl) => {
+          thumbnail = thumbnailUrl ?? undefined;
+        })
+        .catch(() => {
+          // TODO: Error Handling
+          thumbnail = undefined;
+        });
+    } else {
+      thumbnail = undefined;
+    }
+  });
 </script>

 {#if $info}
@@ -37,6 +54,6 @@
    actionButtonIcon={onRemoveClick && IconClose}
    onActionButtonClick={removeFile}
  >
-    <DirectoryEntryLabel type="file" name={$info.name} />
+    <DirectoryEntryLabel type="file" {thumbnail} name={$info.name} />
  </ActionEntryButton>
 {/if}
--- a/src/lib/components/organisms/Category/service.ts
+++ b/src/lib/components/organisms/Category/service.ts
@@ -1,3 +1,5 @@
+export { requestFileThumbnailDownload } from "$lib/services/file";
+
 export interface SelectedFile {
  id: number;
  dataKey: CryptoKey;
--- a/src/lib/components/organisms/modals/ForceLoginModal.svelte
+++ b/src/lib/components/organisms/modals/ForceLoginModal.svelte
@@ -0,0 +1,22 @@
+<script lang="ts">
+  import { ActionModal } from "$lib/components/molecules";
+
+  interface Props {
+    isOpen: boolean;
+    oncancel?: () => void;
+    onLoginClick: () => void;
+  }
+
+  let { isOpen = $bindable(), oncancel, onLoginClick }: Props = $props();
+</script>
+
+<ActionModal
+  bind:isOpen
+  title="다른 디바이스에 이미 로그인되어 있어요."
+  cancelText="아니요"
+  {oncancel}
+  confirmText="네"
+  onConfirmClick={onLoginClick}
+>
+  <p>다른 디바이스에서는 로그아웃하고, 이 디바이스에서 로그인할까요?</p>
+</ActionModal>
--- a/src/lib/components/organisms/modals/index.ts
+++ b/src/lib/components/organisms/modals/index.ts
@@ -1,3 +1,4 @@
 export { default as CategoryCreateModal } from "./CategoryCreateModal.svelte";
+export { default as ForceLoginModal } from "./ForceLoginModal.svelte";
 export { default as RenameModal } from "./RenameModal.svelte";
 export { default as TextInputModal } from "./TextInputModal.svelte";
--- a/src/lib/indexedDB/filesystem.ts
+++ b/src/lib/indexedDB/filesystem.ts
@@ -55,6 +55,10 @@ export const deleteDirectoryInfo = async (id: number) => {
  await filesystem.directory.delete(id);
 };

+export const getAllFileInfos = async () => {
+  return await filesystem.file.toArray();
+};
+
 export const getFileInfos = async (parentId: DirectoryId) => {
  return await filesystem.file.where({ parentId }).toArray();
 };
--- a/src/lib/modules/crypto/rsa.ts
+++ b/src/lib/modules/crypto/rsa.ts
@@ -46,6 +46,56 @@ export const exportRSAKeyToBase64 = async (key: CryptoKey) => {
  return encodeToBase64((await exportRSAKey(key)).key);
 };

+export const importEncryptionKeyPairFromBase64 = async (
+  encryptKeyBase64: string,
+  decryptKeyBase64: string,
+) => {
+  const algorithm: RsaHashedImportParams = {
+    name: "RSA-OAEP",
+    hash: "SHA-256",
+  };
+  const encryptKey = await window.crypto.subtle.importKey(
+    "spki",
+    decodeFromBase64(encryptKeyBase64),
+    algorithm,
+    true,
+    ["encrypt", "wrapKey"],
+  );
+  const decryptKey = await window.crypto.subtle.importKey(
+    "pkcs8",
+    decodeFromBase64(decryptKeyBase64),
+    algorithm,
+    true,
+    ["decrypt", "unwrapKey"],
+  );
+  return { encryptKey, decryptKey };
+};
+
+export const importSigningKeyPairFromBase64 = async (
+  signKeyBase64: string,
+  verifyKeyBase64: string,
+) => {
+  const algorithm: RsaHashedImportParams = {
+    name: "RSA-PSS",
+    hash: "SHA-256",
+  };
+  const signKey = await window.crypto.subtle.importKey(
+    "pkcs8",
+    decodeFromBase64(signKeyBase64),
+    algorithm,
+    true,
+    ["sign"],
+  );
+  const verifyKey = await window.crypto.subtle.importKey(
+    "spki",
+    decodeFromBase64(verifyKeyBase64),
+    algorithm,
+    true,
+    ["verify"],
+  );
+  return { signKey, verifyKey };
+};
+
 export const makeRSAKeyNonextractable = async (key: CryptoKey) => {
  const { key: exportedKey, format } = await exportRSAKey(key);
  return await window.crypto.subtle.importKey(
--- a/src/lib/modules/file/cache.ts
+++ b/src/lib/modules/file/cache.ts
@@ -1,12 +1,15 @@
+import { LRUCache } from "lru-cache";
 import {
  getFileCacheIndex as getFileCacheIndexFromIndexedDB,
  storeFileCacheIndex,
  deleteFileCacheIndex,
  type FileCacheIndex,
 } from "$lib/indexedDB";
-import { readFile, writeFile, deleteFile } from "$lib/modules/opfs";
+import { readFile, writeFile, deleteFile, deleteDirectory } from "$lib/modules/opfs";
+import { getThumbnailUrl } from "$lib/modules/thumbnail";

 const fileCacheIndex = new Map<number, FileCacheIndex>();
+const loadedThumbnails = new LRUCache<number, string>({ max: 100 });

 export const prepareFileCache = async () => {
  for (const cache of await getFileCacheIndexFromIndexedDB()) {
@@ -48,3 +51,30 @@ export const deleteFileCache = async (fileId: number) => {
  await deleteFile(`/cache/${fileId}`);
  await deleteFileCacheIndex(fileId);
 };
+
+export const getFileThumbnailCache = async (fileId: number) => {
+  const thumbnail = loadedThumbnails.get(fileId);
+  if (thumbnail) return thumbnail;
+
+  const thumbnailBuffer = await readFile(`/thumbnail/file/${fileId}`);
+  if (!thumbnailBuffer) return null;
+
+  const thumbnailUrl = getThumbnailUrl(thumbnailBuffer);
+  loadedThumbnails.set(fileId, thumbnailUrl);
+  return thumbnailUrl;
+};
+
+export const storeFileThumbnailCache = async (fileId: number, thumbnailBuffer: ArrayBuffer) => {
+  await writeFile(`/thumbnail/file/${fileId}`, thumbnailBuffer);
+  loadedThumbnails.set(fileId, getThumbnailUrl(thumbnailBuffer));
+};
+
+export const deleteFileThumbnailCache = async (fileId: number) => {
+  loadedThumbnails.delete(fileId);
+  await deleteFile(`/thumbnail/file/${fileId}`);
+};
+
+export const deleteAllFileThumbnailCaches = async () => {
+  loadedThumbnails.clear();
+  await deleteDirectory("/thumbnail/file");
+};
--- a/src/lib/modules/file/upload.ts
+++ b/src/lib/modules/file/upload.ts
@@ -11,9 +11,11 @@ import {
  digestMessage,
  signMessageHmac,
 } from "$lib/modules/crypto";
+import { generateThumbnail } from "$lib/modules/thumbnail";
 import type {
  DuplicateFileScanRequest,
  DuplicateFileScanResponse,
+  FileThumbnailUploadRequest,
  FileUploadRequest,
  FileUploadResponse,
 } from "$lib/server/schemas";
@@ -106,6 +108,10 @@ const encryptFile = limitFunction(
      createdAt && (await encryptString(createdAt.getTime().toString(), dataKey));
    const lastModifiedAtEncrypted = await encryptString(file.lastModified.toString(), dataKey);

+    const thumbnail = await generateThumbnail(fileBuffer, fileType);
+    const thumbnailBuffer = await thumbnail?.arrayBuffer();
+    const thumbnailEncrypted = thumbnailBuffer && (await encryptData(thumbnailBuffer, dataKey));
+
    status.update((value) => {
      value.status = "upload-pending";
      return value;
@@ -120,13 +126,14 @@ const encryptFile = limitFunction(
      nameEncrypted,
      createdAtEncrypted,
      lastModifiedAtEncrypted,
+      thumbnail: thumbnailEncrypted && { plaintext: thumbnailBuffer, ...thumbnailEncrypted },
    };
  },
  { concurrency: 4 },
 );

 const requestFileUpload = limitFunction(
-  async (status: Writable<FileUploadStatus>, form: FormData) => {
+  async (status: Writable<FileUploadStatus>, form: FormData, thumbnailForm: FormData | null) => {
    status.update((value) => {
      value.status = "uploading";
      return value;
@@ -144,6 +151,15 @@ const requestFileUpload = limitFunction(
    });
    const { file }: FileUploadResponse = res.data;

+    if (thumbnailForm) {
+      try {
+        await axios.post(`/api/file/${file}/thumbnail/upload`, thumbnailForm);
+      } catch (e) {
+        // TODO
+        console.error(e);
+      }
+    }
+
    status.update((value) => {
      value.status = "uploaded";
      return value;
@@ -160,7 +176,9 @@ export const uploadFile = async (
  hmacSecret: HmacSecret,
  masterKey: MasterKey,
  onDuplicate: () => Promise<boolean>,
-): Promise<{ fileId: number; fileBuffer: ArrayBuffer } | undefined> => {
+): Promise<
+  { fileId: number; fileBuffer: ArrayBuffer; thumbnailBuffer?: ArrayBuffer } | undefined
+> => {
  const status = writable<FileUploadStatus>({
    name: file.name,
    parentId,
@@ -198,6 +216,7 @@ export const uploadFile = async (
      nameEncrypted,
      createdAtEncrypted,
      lastModifiedAtEncrypted,
+      thumbnail,
    } = await encryptFile(status, file, fileBuffer, masterKey);

    const form = new FormData();
@@ -218,13 +237,26 @@ export const uploadFile = async (
        createdAtIv: createdAtEncrypted?.iv,
        lastModifiedAt: lastModifiedAtEncrypted.ciphertext,
        lastModifiedAtIv: lastModifiedAtEncrypted.iv,
-      } as FileUploadRequest),
+      } satisfies FileUploadRequest),
    );
    form.set("content", new Blob([fileEncrypted.ciphertext]));
    form.set("checksum", fileEncryptedHash);

-    const { fileId } = await requestFileUpload(status, form);
-    return { fileId, fileBuffer };
+    let thumbnailForm = null;
+    if (thumbnail) {
+      thumbnailForm = new FormData();
+      thumbnailForm.set(
+        "metadata",
+        JSON.stringify({
+          dekVersion: dataKeyVersion.toISOString(),
+          contentIv: thumbnail.iv,
+        } satisfies FileThumbnailUploadRequest),
+      );
+      thumbnailForm.set("content", new Blob([thumbnail.ciphertext]));
+    }
+
+    const { fileId } = await requestFileUpload(status, form, thumbnailForm);
+    return { fileId, fileBuffer, thumbnailBuffer: thumbnail?.plaintext };
  } catch (e) {
    status.update((value) => {
      value.status = "error";
--- a/src/lib/modules/key.ts
+++ b/src/lib/modules/key.ts
@@ -0,0 +1,65 @@
+import { z } from "zod";
+import { storeClientKey } from "$lib/indexedDB";
+import type { ClientKeys } from "$lib/stores";
+
+const serializedClientKeysSchema = z.intersection(
+  z.object({
+    generator: z.literal("ArkVault"),
+    exportedAt: z.string().datetime(),
+  }),
+  z.object({
+    version: z.literal(1),
+    encryptKey: z.string().base64().nonempty(),
+    decryptKey: z.string().base64().nonempty(),
+    signKey: z.string().base64().nonempty(),
+    verifyKey: z.string().base64().nonempty(),
+  }),
+);
+
+type SerializedClientKeys = z.infer<typeof serializedClientKeysSchema>;
+
+type DeserializedClientKeys = {
+  encryptKeyBase64: string;
+  decryptKeyBase64: string;
+  signKeyBase64: string;
+  verifyKeyBase64: string;
+};
+
+export const serializeClientKeys = ({
+  encryptKeyBase64,
+  decryptKeyBase64,
+  signKeyBase64,
+  verifyKeyBase64,
+}: DeserializedClientKeys) => {
+  return JSON.stringify({
+    version: 1,
+    generator: "ArkVault",
+    exportedAt: new Date().toISOString(),
+    encryptKey: encryptKeyBase64,
+    decryptKey: decryptKeyBase64,
+    signKey: signKeyBase64,
+    verifyKey: verifyKeyBase64,
+  } satisfies SerializedClientKeys);
+};
+
+export const deserializeClientKeys = (serialized: string) => {
+  const zodRes = serializedClientKeysSchema.safeParse(JSON.parse(serialized));
+  if (zodRes.success) {
+    return {
+      encryptKeyBase64: zodRes.data.encryptKey,
+      decryptKeyBase64: zodRes.data.decryptKey,
+      signKeyBase64: zodRes.data.signKey,
+      verifyKeyBase64: zodRes.data.verifyKey,
+    } satisfies DeserializedClientKeys;
+  }
+  return undefined;
+};
+
+export const storeClientKeys = async (clientKeys: ClientKeys) => {
+  await Promise.all([
+    storeClientKey(clientKeys.encryptKey, "encrypt"),
+    storeClientKey(clientKeys.decryptKey, "decrypt"),
+    storeClientKey(clientKeys.signKey, "sign"),
+    storeClientKey(clientKeys.verifyKey, "verify"),
+  ]);
+};
--- a/src/lib/modules/opfs.ts
+++ b/src/lib/modules/opfs.ts
@@ -59,3 +59,39 @@ export const deleteFile = async (path: string) => {

  await parentHandle.removeEntry(filename);
 };
+
+const getDirectoryHandle = async (path: string) => {
+  if (!rootHandle) {
+    throw new Error("OPFS not prepared");
+  } else if (path[0] !== "/") {
+    throw new Error("Path must be absolute");
+  }
+
+  const parts = path.split("/");
+  if (parts.length <= 1) {
+    throw new Error("Invalid path");
+  }
+
+  try {
+    let directoryHandle = rootHandle;
+    let parentHandle;
+    for (const part of parts.slice(1)) {
+      if (!part) continue;
+      parentHandle = directoryHandle;
+      directoryHandle = await directoryHandle.getDirectoryHandle(part);
+    }
+    return { directoryHandle, parentHandle };
+  } catch (e) {
+    if (e instanceof DOMException && e.name === "NotFoundError") {
+      return {};
+    }
+    throw e;
+  }
+};
+
+export const deleteDirectory = async (path: string) => {
+  const { directoryHandle, parentHandle } = await getDirectoryHandle(path);
+  if (!parentHandle) return;
+
+  await parentHandle.removeEntry(directoryHandle.name, { recursive: true });
+};
--- a/src/lib/modules/thumbnail.ts
+++ b/src/lib/modules/thumbnail.ts
@@ -0,0 +1,114 @@
+import { encodeToBase64 } from "$lib/modules/crypto";
+
+const scaleSize = (width: number, height: number, targetSize: number) => {
+  if (width <= targetSize || height <= targetSize) {
+    return { width, height };
+  }
+
+  const scale = targetSize / Math.min(width, height);
+  return {
+    width: Math.round(width * scale),
+    height: Math.round(height * scale),
+  };
+};
+
+const capture = (
+  width: number,
+  height: number,
+  drawer: (context: CanvasRenderingContext2D, width: number, height: number) => void,
+  targetSize = 250,
+) => {
+  return new Promise<Blob>((resolve, reject) => {
+    const canvas = document.createElement("canvas");
+    const { width: scaledWidth, height: scaledHeight } = scaleSize(width, height, targetSize);
+
+    canvas.width = scaledWidth;
+    canvas.height = scaledHeight;
+
+    const context = canvas.getContext("2d");
+    if (!context) {
+      return reject(new Error("Failed to generate thumbnail"));
+    }
+
+    drawer(context, scaledWidth, scaledHeight);
+    canvas.toBlob((blob) => {
+      if (blob) {
+        resolve(blob);
+      } else {
+        reject(new Error("Failed to generate thumbnail"));
+      }
+    }, "image/webp");
+  });
+};
+
+const generateImageThumbnail = (imageUrl: string) => {
+  return new Promise<Blob>((resolve, reject) => {
+    const image = new Image();
+    image.onload = () => {
+      capture(image.width, image.height, (context, width, height) => {
+        context.drawImage(image, 0, 0, width, height);
+      })
+        .then(resolve)
+        .catch(reject);
+    };
+    image.onerror = reject;
+
+    image.src = imageUrl;
+  });
+};
+
+export const captureVideoThumbnail = (video: HTMLVideoElement) => {
+  return capture(video.videoWidth, video.videoHeight, (context, width, height) => {
+    context.drawImage(video, 0, 0, width, height);
+  });
+};
+
+const generateVideoThumbnail = (videoUrl: string, time = 0) => {
+  return new Promise<Blob>((resolve, reject) => {
+    const video = document.createElement("video");
+    video.onloadedmetadata = () => {
+      video.currentTime = Math.min(time, video.duration);
+      video.requestVideoFrameCallback(() => {
+        captureVideoThumbnail(video).then(resolve).catch(reject);
+      });
+    };
+    video.onerror = reject;
+
+    video.muted = true;
+    video.playsInline = true;
+    video.src = videoUrl;
+  });
+};
+
+export const generateThumbnail = async (fileBuffer: ArrayBuffer, fileType: string) => {
+  let url;
+  try {
+    if (fileType === "image/heic") {
+      const { default: heic2any } = await import("heic2any");
+      url = URL.createObjectURL(
+        (await heic2any({
+          blob: new Blob([fileBuffer], { type: fileType }),
+          toType: "image/png",
+        })) as Blob,
+      );
+      return await generateImageThumbnail(url);
+    } else if (fileType.startsWith("image/")) {
+      url = URL.createObjectURL(new Blob([fileBuffer], { type: fileType }));
+      return await generateImageThumbnail(url);
+    } else if (fileType.startsWith("video/")) {
+      url = URL.createObjectURL(new Blob([fileBuffer], { type: fileType }));
+      return await generateVideoThumbnail(url);
+    }
+    return null;
+  } catch {
+    return null;
+  } finally {
+    if (url) {
+      URL.revokeObjectURL(url);
+    }
+  }
+};
+
+export const getThumbnailUrl = (thumbnailBuffer: ArrayBuffer) => {
+  return `data:image/webp;base64,${encodeToBase64(thumbnailBuffer)}`;
+};
--- a/src/lib/server/db/client.ts
+++ b/src/lib/server/db/client.ts
@@ -178,7 +178,7 @@ export const registerUserClientChallenge = async (
  allowedIp: string,
  expiresAt: Date,
 ) => {
-  await db
+  const { id } = await db
    .insertInto("user_client_challenge")
    .values({
      user_id: userId,
@@ -187,19 +187,25 @@ export const registerUserClientChallenge = async (
      allowed_ip: allowedIp,
      expires_at: expiresAt,
    })
-    .execute();
+    .returning("id")
+    .executeTakeFirstOrThrow();
+  return { id };
 };

-export const consumeUserClientChallenge = async (userId: number, answer: string, ip: string) => {
+export const consumeUserClientChallenge = async (
+  challengeId: number,
+  userId: number,
+  ip: string,
+) => {
  const challenge = await db
    .deleteFrom("user_client_challenge")
+    .where("id", "=", challengeId)
    .where("user_id", "=", userId)
-    .where("answer", "=", answer)
    .where("allowed_ip", "=", ip)
    .where("expires_at", ">", new Date())
-    .returning("client_id")
+    .returning(["client_id", "answer"])
    .executeTakeFirst();
-  return challenge ? { clientId: challenge.client_id } : null;
+  return challenge ? { clientId: challenge.client_id, answer: challenge.answer } : null;
 };

 export const cleanupExpiredUserClientChallenges = async () => {
--- a/src/lib/server/db/file.ts
+++ b/src/lib/server/db/file.ts
@@ -163,16 +163,24 @@ export const unregisterDirectory = async (userId: number, directoryId: number) =
    .setIsolationLevel("repeatable read") // TODO: Sufficient?
    .execute(async (trx) => {
      const unregisterFiles = async (parentId: number) => {
-        return await trx
+        const files = await trx
+          .selectFrom("file")
+          .leftJoin("thumbnail", "file.id", "thumbnail.file_id")
+          .select(["file.id", "file.path", "thumbnail.path as thumbnailPath"])
+          .where("file.parent_id", "=", parentId)
+          .where("file.user_id", "=", userId)
+          .forUpdate("file")
+          .execute();
+        await trx
          .deleteFrom("file")
          .where("parent_id", "=", parentId)
          .where("user_id", "=", userId)
-          .returning(["id", "path"])
          .execute();
+        return files;
      };
      const unregisterDirectoryRecursively = async (
        directoryId: number,
-      ): Promise<{ id: number; path: string }[]> => {
+      ): Promise<{ id: number; path: string; thumbnailPath: string | null }[]> => {
        const files = await unregisterFiles(directoryId);
        const subDirectories = await trx
          .selectFrom("directory")
@@ -327,11 +335,17 @@ export const getAllFilesByCategory = async (
    .where("user_id", "=", userId)
    .where("file_id", "is not", null)
    .$narrowType<{ file_id: NotNull }>()
-    .orderBy(["file_id", "depth"])
+    .orderBy("file_id")
+    .orderBy("depth")
    .execute();
  return files.map(({ file_id, depth }) => ({ id: file_id, isRecursive: depth > 0 }));
 };

+export const getAllFileIds = async (userId: number) => {
+  const files = await db.selectFrom("file").select("id").where("user_id", "=", userId).execute();
+  return files.map(({ id }) => id);
+};
+
 export const getAllFileIdsByContentHmac = async (
  userId: number,
  hskVersion: number,
@@ -344,7 +358,7 @@ export const getAllFileIdsByContentHmac = async (
    .where("hmac_secret_key_version", "=", hskVersion)
    .where("content_hmac", "=", contentHmac)
    .execute();
-  return files.map(({ id }) => ({ id }));
+  return files.map(({ id }) => id);
 };

 export const getFile = async (userId: number, fileId: number) => {
@@ -416,16 +430,22 @@ export const setFileEncName = async (
 };

 export const unregisterFile = async (userId: number, fileId: number) => {
-  const file = await db
-    .deleteFrom("file")
-    .where("id", "=", fileId)
-    .where("user_id", "=", userId)
-    .returning("path")
-    .executeTakeFirst();
-  if (!file) {
-    throw new IntegrityError("File not found");
-  }
-  return { path: file.path };
+  return await db.transaction().execute(async (trx) => {
+    const file = await trx
+      .selectFrom("file")
+      .leftJoin("thumbnail", "file.id", "thumbnail.file_id")
+      .select(["file.path", "thumbnail.path as thumbnailPath"])
+      .where("file.id", "=", fileId)
+      .where("file.user_id", "=", userId)
+      .forUpdate("file")
+      .executeTakeFirst();
+    if (!file) {
+      throw new IntegrityError("File not found");
+    }
+
+    await trx.deleteFrom("file").where("id", "=", fileId).execute();
+    return file;
+  });
 };

 export const addFileToCategory = async (fileId: number, categoryId: number) => {
--- a/src/lib/server/db/media.ts
+++ b/src/lib/server/db/media.ts
@@ -0,0 +1,110 @@
+import type { NotNull } from "kysely";
+import { IntegrityError } from "./error";
+import db from "./kysely";
+
+interface Thumbnail {
+  id: number;
+  path: string;
+  updatedAt: Date;
+  encContentIv: string;
+}
+
+interface FileThumbnail extends Thumbnail {
+  fileId: number;
+}
+
+export const updateFileThumbnail = async (
+  userId: number,
+  fileId: number,
+  dekVersion: Date,
+  path: string,
+  encContentIv: string,
+) => {
+  return await db.transaction().execute(async (trx) => {
+    const file = await trx
+      .selectFrom("file")
+      .select("data_encryption_key_version")
+      .where("id", "=", fileId)
+      .where("user_id", "=", userId)
+      .limit(1)
+      .forUpdate()
+      .executeTakeFirst();
+    if (!file) {
+      throw new IntegrityError("File not found");
+    } else if (file.data_encryption_key_version.getTime() !== dekVersion.getTime()) {
+      throw new IntegrityError("Invalid DEK version");
+    }
+
+    const thumbnail = await trx
+      .selectFrom("thumbnail")
+      .select("path as oldPath")
+      .where("file_id", "=", fileId)
+      .limit(1)
+      .forUpdate()
+      .executeTakeFirst();
+    const now = new Date();
+
+    await trx
+      .insertInto("thumbnail")
+      .values({
+        file_id: fileId,
+        path,
+        updated_at: now,
+        encrypted_content_iv: encContentIv,
+      })
+      .onConflict((oc) =>
+        oc.column("file_id").doUpdateSet({
+          path,
+          updated_at: now,
+          encrypted_content_iv: encContentIv,
+        }),
+      )
+      .execute();
+    return thumbnail?.oldPath ?? null;
+  });
+};
+
+export const getFileThumbnail = async (userId: number, fileId: number) => {
+  const thumbnail = await db
+    .selectFrom("thumbnail")
+    .innerJoin("file", "thumbnail.file_id", "file.id")
+    .selectAll("thumbnail")
+    .where("file.id", "=", fileId)
+    .where("file.user_id", "=", userId)
+    .$narrowType<{ file_id: NotNull }>()
+    .limit(1)
+    .executeTakeFirst();
+  return thumbnail
+    ? ({
+        id: thumbnail.id,
+        fileId: thumbnail.file_id,
+        path: thumbnail.path,
+        encContentIv: thumbnail.encrypted_content_iv,
+        updatedAt: thumbnail.updated_at,
+      } satisfies FileThumbnail)
+    : null;
+};
+
+export const getMissingFileThumbnails = async (userId: number, limit: number = 100) => {
+  const files = await db
+    .selectFrom("file")
+    .select("id")
+    .where("user_id", "=", userId)
+    .where((eb) =>
+      eb.or([eb("content_type", "like", "image/%"), eb("content_type", "like", "video/%")]),
+    )
+    .where((eb) =>
+      eb.not(
+        eb.exists(
+          eb
+            .selectFrom("thumbnail")
+            .select("thumbnail.id")
+            .whereRef("thumbnail.file_id", "=", "file.id")
+            .limit(1),
+        ),
+      ),
+    )
+    .limit(limit)
+    .execute();
+  return files.map(({ id }) => id);
+};
--- a/src/lib/server/db/migrations/1738409340-AddThumbnail.ts
+++ b/src/lib/server/db/migrations/1738409340-AddThumbnail.ts
@@ -0,0 +1,31 @@
+import { Kysely, sql } from "kysely";
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+export const up = async (db: Kysely<any>) => {
+  // media.ts
+  await db.schema
+    .createTable("thumbnail")
+    .addColumn("id", "integer", (col) => col.primaryKey().generatedAlwaysAsIdentity())
+    .addColumn("directory_id", "integer", (col) =>
+      col.references("directory.id").onDelete("cascade").unique(),
+    )
+    .addColumn("file_id", "integer", (col) =>
+      col.references("file.id").onDelete("cascade").unique(),
+    )
+    .addColumn("category_id", "integer", (col) =>
+      col.references("category.id").onDelete("cascade").unique(),
+    )
+    .addColumn("path", "text", (col) => col.unique().notNull())
+    .addColumn("updated_at", "timestamp(3)", (col) => col.notNull())
+    .addColumn("encrypted_content_iv", "text", (col) => col.notNull())
+    .addCheckConstraint(
+      "thumbnail_ck01",
+      sql`(file_id IS NOT NULL)::integer + (directory_id IS NOT NULL)::integer + (category_id IS NOT NULL)::integer = 1`,
+    )
+    .execute();
+};
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+export const down = async (db: Kysely<any>) => {
+  await db.schema.dropTable("thumbnail").execute();
+};
--- a/src/lib/server/db/migrations/index.ts
+++ b/src/lib/server/db/migrations/index.ts
@@ -1,7 +1,9 @@
 import * as Initial1737357000 from "./1737357000-Initial";
 import * as AddFileCategory1737422340 from "./1737422340-AddFileCategory";
+import * as AddThumbnail1738409340 from "./1738409340-AddThumbnail";

 export default {
  "1737357000-Initial": Initial1737357000,
  "1737422340-AddFileCategory": AddFileCategory1737422340,
+  "1738409340-AddThumbnail": AddThumbnail1738409340,
 };
--- a/src/lib/server/db/schema/index.ts
+++ b/src/lib/server/db/schema/index.ts
@@ -2,6 +2,7 @@ export * from "./category";
 export * from "./client";
 export * from "./file";
 export * from "./hsk";
+export * from "./media";
 export * from "./mek";
 export * from "./session";
 export * from "./user";
--- a/src/lib/server/db/schema/media.ts
+++ b/src/lib/server/db/schema/media.ts
@@ -0,0 +1,17 @@
+import type { Generated } from "kysely";
+
+interface ThumbnailTable {
+  id: Generated<number>;
+  directory_id: number | null;
+  file_id: number | null;
+  category_id: number | null;
+  path: string;
+  updated_at: Date;
+  encrypted_content_iv: string; // Base64
+}
+
+declare module "./index" {
+  interface Database {
+    thumbnail: ThumbnailTable;
+  }
+}
--- a/src/lib/server/db/session.ts
+++ b/src/lib/server/db/session.ts
@@ -5,31 +5,22 @@ import db from "./kysely";

 export const createSession = async (
  userId: number,
-  clientId: number | null,
  sessionId: string,
  ip: string | null,
  agent: string | null,
 ) => {
-  try {
-    const now = new Date();
-    await db
-      .insertInto("session")
-      .values({
-        id: sessionId,
-        user_id: userId,
-        client_id: clientId,
-        created_at: now,
-        last_used_at: now,
-        last_used_by_ip: ip || null,
-        last_used_by_agent: agent || null,
-      })
-      .execute();
-  } catch (e) {
-    if (e instanceof pg.DatabaseError && e.code === "23505") {
-      throw new IntegrityError("Session already exists");
-    }
-    throw e;
-  }
+  const now = new Date();
+  await db
+    .insertInto("session")
+    .values({
+      id: sessionId,
+      user_id: userId,
+      created_at: now,
+      last_used_at: now,
+      last_used_by_ip: ip || null,
+      last_used_by_agent: agent || null,
+    })
+    .execute();
 };

 export const refreshSession = async (
@@ -55,15 +46,37 @@ export const refreshSession = async (
  return { userId: session.user_id, clientId: session.client_id };
 };

-export const upgradeSession = async (sessionId: string, clientId: number) => {
-  const res = await db
-    .updateTable("session")
-    .set({ client_id: clientId })
-    .where("id", "=", sessionId)
-    .where("client_id", "is", null)
-    .executeTakeFirst();
-  if (res.numUpdatedRows === 0n) {
-    throw new IntegrityError("Session not found");
+export const upgradeSession = async (
+  userId: number,
+  sessionId: string,
+  clientId: number,
+  force: boolean,
+) => {
+  try {
+    await db.transaction().execute(async (trx) => {
+      if (force) {
+        await trx
+          .deleteFrom("session")
+          .where("id", "!=", sessionId)
+          .where("user_id", "=", userId)
+          .where("client_id", "=", clientId)
+          .execute();
+      }
+      const res = await trx
+        .updateTable("session")
+        .set({ client_id: clientId })
+        .where("id", "=", sessionId)
+        .where("client_id", "is", null)
+        .executeTakeFirst();
+      if (res.numUpdatedRows === 0n) {
+        throw new IntegrityError("Session not found");
+      }
+    });
+  } catch (e) {
+    if (e instanceof pg.DatabaseError && e.code === "23505") {
+      throw new IntegrityError("Session already exists");
+    }
+    throw e;
  }
 };

@@ -94,7 +107,7 @@ export const registerSessionUpgradeChallenge = async (
  expiresAt: Date,
 ) => {
  try {
-    await db
+    const { id } = await db
      .insertInto("session_upgrade_challenge")
      .values({
        session_id: sessionId,
@@ -103,7 +116,9 @@ export const registerSessionUpgradeChallenge = async (
        allowed_ip: allowedIp,
        expires_at: expiresAt,
      })
-      .execute();
+      .returning("id")
+      .executeTakeFirstOrThrow();
+    return { id };
  } catch (e) {
    if (e instanceof pg.DatabaseError && e.code === "23505") {
      throw new IntegrityError("Challenge already registered");
@@ -113,19 +128,19 @@ export const registerSessionUpgradeChallenge = async (
 };

 export const consumeSessionUpgradeChallenge = async (
+  challengeId: number,
  sessionId: string,
-  answer: string,
  ip: string,
 ) => {
  const challenge = await db
    .deleteFrom("session_upgrade_challenge")
+    .where("id", "=", challengeId)
    .where("session_id", "=", sessionId)
-    .where("answer", "=", answer)
    .where("allowed_ip", "=", ip)
    .where("expires_at", ">", new Date())
-    .returning("client_id")
+    .returning(["client_id", "answer"])
    .executeTakeFirst();
-  return challenge ? { clientId: challenge.client_id } : null;
+  return challenge ? { clientId: challenge.client_id, answer: challenge.answer } : null;
 };

 export const cleanupExpiredSessionUpgradeChallenges = async () => {
--- a/src/lib/server/loadenv.ts
+++ b/src/lib/server/loadenv.ts
@@ -25,4 +25,5 @@ export default {
    sessionUpgradeExp: ms(env.SESSION_UPGRADE_CHALLENGE_EXPIRES || "5m"),
  },
  libraryPath: env.LIBRARY_PATH || "library",
+  thumbnailsPath: env.THUMBNAILS_PATH || "thumbnails",
 };
--- a/src/lib/server/middlewares/authenticate.ts
+++ b/src/lib/server/middlewares/authenticate.ts
@@ -1,4 +1,5 @@
 import { error, redirect, type Handle } from "@sveltejs/kit";
+import env from "$lib/server/loadenv";
 import { authenticate, AuthenticationError } from "$lib/server/modules/auth";

 export const authenticateMiddleware: Handle = async ({ event, resolve }) => {
@@ -15,6 +16,12 @@ export const authenticateMiddleware: Handle = async ({ event, resolve }) => {

    const { ip, userAgent } = event.locals;
    event.locals.session = await authenticate(sessionIdSigned, ip, userAgent);
+    event.cookies.set("sessionId", sessionIdSigned, {
+      path: "/",
+      maxAge: env.session.exp / 1000,
+      secure: true,
+      sameSite: "strict",
+    });
  } catch (e) {
    if (e instanceof AuthenticationError) {
      if (pathname === "/auth/login") {
--- a/src/lib/server/modules/auth.ts
+++ b/src/lib/server/modules/auth.ts
@@ -27,7 +27,7 @@ export class AuthenticationError extends Error {

 export const startSession = async (userId: number, ip: string, userAgent: string) => {
  const { sessionId, sessionIdSigned } = await issueSessionId(32, env.session.secret);
-  await createSession(userId, null, sessionId, ip, userAgent);
+  await createSession(userId, sessionId, ip, userAgent);
  return sessionIdSigned;
 };

--- a/src/lib/server/schemas/auth.ts
+++ b/src/lib/server/schemas/auth.ts
@@ -4,27 +4,29 @@ export const passwordChangeRequest = z.object({
  oldPassword: z.string().trim().nonempty(),
  newPassword: z.string().trim().nonempty(),
 });
-export type PasswordChangeRequest = z.infer<typeof passwordChangeRequest>;
+export type PasswordChangeRequest = z.input<typeof passwordChangeRequest>;

 export const loginRequest = z.object({
  email: z.string().email(),
  password: z.string().trim().nonempty(),
 });
-export type LoginRequest = z.infer<typeof loginRequest>;
+export type LoginRequest = z.input<typeof loginRequest>;

 export const sessionUpgradeRequest = z.object({
  encPubKey: z.string().base64().nonempty(),
  sigPubKey: z.string().base64().nonempty(),
 });
-export type SessionUpgradeRequest = z.infer<typeof sessionUpgradeRequest>;
+export type SessionUpgradeRequest = z.input<typeof sessionUpgradeRequest>;

 export const sessionUpgradeResponse = z.object({
+  id: z.number().int().positive(),
  challenge: z.string().base64().nonempty(),
 });
-export type SessionUpgradeResponse = z.infer<typeof sessionUpgradeResponse>;
+export type SessionUpgradeResponse = z.output<typeof sessionUpgradeResponse>;

 export const sessionUpgradeVerifyRequest = z.object({
-  answer: z.string().base64().nonempty(),
+  id: z.number().int().positive(),
  answerSig: z.string().base64().nonempty(),
+  force: z.boolean().default(false),
 });
-export type SessionUpgradeVerifyRequest = z.infer<typeof sessionUpgradeVerifyRequest>;
+export type SessionUpgradeVerifyRequest = z.input<typeof sessionUpgradeVerifyRequest>;
--- a/src/lib/server/schemas/category.ts
+++ b/src/lib/server/schemas/category.ts
@@ -15,12 +15,12 @@ export const categoryInfoResponse = z.object({
    .optional(),
  subCategories: z.number().int().positive().array(),
 });
-export type CategoryInfoResponse = z.infer<typeof categoryInfoResponse>;
+export type CategoryInfoResponse = z.output<typeof categoryInfoResponse>;

 export const categoryFileAddRequest = z.object({
  file: z.number().int().positive(),
 });
-export type CategoryFileAddRequest = z.infer<typeof categoryFileAddRequest>;
+export type CategoryFileAddRequest = z.input<typeof categoryFileAddRequest>;

 export const categoryFileListResponse = z.object({
  files: z.array(
@@ -30,19 +30,19 @@ export const categoryFileListResponse = z.object({
    }),
  ),
 });
-export type CategoryFileListResponse = z.infer<typeof categoryFileListResponse>;
+export type CategoryFileListResponse = z.output<typeof categoryFileListResponse>;

 export const categoryFileRemoveRequest = z.object({
  file: z.number().int().positive(),
 });
-export type CategoryFileRemoveRequest = z.infer<typeof categoryFileRemoveRequest>;
+export type CategoryFileRemoveRequest = z.input<typeof categoryFileRemoveRequest>;

 export const categoryRenameRequest = z.object({
  dekVersion: z.string().datetime(),
  name: z.string().base64().nonempty(),
  nameIv: z.string().base64().nonempty(),
 });
-export type CategoryRenameRequest = z.infer<typeof categoryRenameRequest>;
+export type CategoryRenameRequest = z.input<typeof categoryRenameRequest>;

 export const categoryCreateRequest = z.object({
  parent: categoryIdSchema,
@@ -52,4 +52,4 @@ export const categoryCreateRequest = z.object({
  name: z.string().base64().nonempty(),
  nameIv: z.string().base64().nonempty(),
 });
-export type CategoryCreateRequest = z.infer<typeof categoryCreateRequest>;
+export type CategoryCreateRequest = z.input<typeof categoryCreateRequest>;
--- a/src/lib/server/schemas/client.ts
+++ b/src/lib/server/schemas/client.ts
@@ -8,28 +8,29 @@ export const clientListResponse = z.object({
    }),
  ),
 });
-export type ClientListResponse = z.infer<typeof clientListResponse>;
+export type ClientListResponse = z.output<typeof clientListResponse>;

 export const clientRegisterRequest = z.object({
  encPubKey: z.string().base64().nonempty(),
  sigPubKey: z.string().base64().nonempty(),
 });
-export type ClientRegisterRequest = z.infer<typeof clientRegisterRequest>;
+export type ClientRegisterRequest = z.input<typeof clientRegisterRequest>;

 export const clientRegisterResponse = z.object({
+  id: z.number().int().positive(),
  challenge: z.string().base64().nonempty(),
 });
-export type ClientRegisterResponse = z.infer<typeof clientRegisterResponse>;
+export type ClientRegisterResponse = z.output<typeof clientRegisterResponse>;

 export const clientRegisterVerifyRequest = z.object({
-  answer: z.string().base64().nonempty(),
+  id: z.number().int().positive(),
  answerSig: z.string().base64().nonempty(),
 });
-export type ClientRegisterVerifyRequest = z.infer<typeof clientRegisterVerifyRequest>;
+export type ClientRegisterVerifyRequest = z.input<typeof clientRegisterVerifyRequest>;

 export const clientStatusResponse = z.object({
  id: z.number().int().positive(),
  state: z.enum(["pending", "active"]),
  isInitialMekNeeded: z.boolean(),
 });
-export type ClientStatusResponse = z.infer<typeof clientStatusResponse>;
+export type ClientStatusResponse = z.output<typeof clientStatusResponse>;
--- a/src/lib/server/schemas/directory.ts
+++ b/src/lib/server/schemas/directory.ts
@@ -16,19 +16,19 @@ export const directoryInfoResponse = z.object({
  subDirectories: z.number().int().positive().array(),
  files: z.number().int().positive().array(),
 });
-export type DirectoryInfoResponse = z.infer<typeof directoryInfoResponse>;
+export type DirectoryInfoResponse = z.output<typeof directoryInfoResponse>;

 export const directoryDeleteResponse = z.object({
  deletedFiles: z.number().int().positive().array(),
 });
-export type DirectoryDeleteResponse = z.infer<typeof directoryDeleteResponse>;
+export type DirectoryDeleteResponse = z.output<typeof directoryDeleteResponse>;

 export const directoryRenameRequest = z.object({
  dekVersion: z.string().datetime(),
  name: z.string().base64().nonempty(),
  nameIv: z.string().base64().nonempty(),
 });
-export type DirectoryRenameRequest = z.infer<typeof directoryRenameRequest>;
+export type DirectoryRenameRequest = z.input<typeof directoryRenameRequest>;

 export const directoryCreateRequest = z.object({
  parent: directoryIdSchema,
@@ -38,4 +38,4 @@ export const directoryCreateRequest = z.object({
  name: z.string().base64().nonempty(),
  nameIv: z.string().base64().nonempty(),
 });
-export type DirectoryCreateRequest = z.infer<typeof directoryCreateRequest>;
+export type DirectoryCreateRequest = z.input<typeof directoryCreateRequest>;
--- a/src/lib/server/schemas/file.ts
+++ b/src/lib/server/schemas/file.ts
@@ -21,25 +21,47 @@ export const fileInfoResponse = z.object({
  lastModifiedAtIv: z.string().base64().nonempty(),
  categories: z.number().int().positive().array(),
 });
-export type FileInfoResponse = z.infer<typeof fileInfoResponse>;
+export type FileInfoResponse = z.output<typeof fileInfoResponse>;

 export const fileRenameRequest = z.object({
  dekVersion: z.string().datetime(),
  name: z.string().base64().nonempty(),
  nameIv: z.string().base64().nonempty(),
 });
-export type FileRenameRequest = z.infer<typeof fileRenameRequest>;
+export type FileRenameRequest = z.input<typeof fileRenameRequest>;
+
+export const fileThumbnailInfoResponse = z.object({
+  updatedAt: z.string().datetime(),
+  contentIv: z.string().base64().nonempty(),
+});
+export type FileThumbnailInfoResponse = z.output<typeof fileThumbnailInfoResponse>;
+
+export const fileThumbnailUploadRequest = z.object({
+  dekVersion: z.string().datetime(),
+  contentIv: z.string().base64().nonempty(),
+});
+export type FileThumbnailUploadRequest = z.input<typeof fileThumbnailUploadRequest>;
+
+export const fileListResponse = z.object({
+  files: z.number().int().positive().array(),
+});
+export type FileListResponse = z.output<typeof fileListResponse>;

 export const duplicateFileScanRequest = z.object({
  hskVersion: z.number().int().positive(),
  contentHmac: z.string().base64().nonempty(),
 });
-export type DuplicateFileScanRequest = z.infer<typeof duplicateFileScanRequest>;
+export type DuplicateFileScanRequest = z.input<typeof duplicateFileScanRequest>;

 export const duplicateFileScanResponse = z.object({
  files: z.number().int().positive().array(),
 });
-export type DuplicateFileScanResponse = z.infer<typeof duplicateFileScanResponse>;
+export type DuplicateFileScanResponse = z.output<typeof duplicateFileScanResponse>;
+
+export const missingThumbnailFileScanResponse = z.object({
+  files: z.number().int().positive().array(),
+});
+export type MissingThumbnailFileScanResponse = z.output<typeof missingThumbnailFileScanResponse>;

 export const fileUploadRequest = z.object({
  parent: directoryIdSchema,
@@ -61,9 +83,9 @@ export const fileUploadRequest = z.object({
  lastModifiedAt: z.string().base64().nonempty(),
  lastModifiedAtIv: z.string().base64().nonempty(),
 });
-export type FileUploadRequest = z.infer<typeof fileUploadRequest>;
+export type FileUploadRequest = z.input<typeof fileUploadRequest>;

 export const fileUploadResponse = z.object({
  file: z.number().int().positive(),
 });
-export type FileUploadResponse = z.infer<typeof fileUploadResponse>;
+export type FileUploadResponse = z.output<typeof fileUploadResponse>;
--- a/src/lib/server/schemas/hsk.ts
+++ b/src/lib/server/schemas/hsk.ts
@@ -10,10 +10,10 @@ export const hmacSecretListResponse = z.object({
    }),
  ),
 });
-export type HmacSecretListResponse = z.infer<typeof hmacSecretListResponse>;
+export type HmacSecretListResponse = z.output<typeof hmacSecretListResponse>;

 export const initialHmacSecretRegisterRequest = z.object({
  mekVersion: z.number().int().positive(),
  hsk: z.string().base64().nonempty(),
 });
-export type InitialHmacSecretRegisterRequest = z.infer<typeof initialHmacSecretRegisterRequest>;
+export type InitialHmacSecretRegisterRequest = z.input<typeof initialHmacSecretRegisterRequest>;
--- a/src/lib/server/schemas/mek.ts
+++ b/src/lib/server/schemas/mek.ts
@@ -10,10 +10,10 @@ export const masterKeyListResponse = z.object({
    }),
  ),
 });
-export type MasterKeyListResponse = z.infer<typeof masterKeyListResponse>;
+export type MasterKeyListResponse = z.output<typeof masterKeyListResponse>;

 export const initialMasterKeyRegisterRequest = z.object({
  mek: z.string().base64().nonempty(),
  mekSig: z.string().base64().nonempty(),
 });
-export type InitialMasterKeyRegisterRequest = z.infer<typeof initialMasterKeyRegisterRequest>;
+export type InitialMasterKeyRegisterRequest = z.input<typeof initialMasterKeyRegisterRequest>;
--- a/src/lib/server/schemas/user.ts
+++ b/src/lib/server/schemas/user.ts
@@ -4,9 +4,9 @@ export const userInfoResponse = z.object({
  email: z.string().email(),
  nickname: z.string().nonempty(),
 });
-export type UserInfoResponse = z.infer<typeof userInfoResponse>;
+export type UserInfoResponse = z.output<typeof userInfoResponse>;

 export const nicknameChangeRequest = z.object({
  newNickname: z.string().trim().min(2).max(8),
 });
-export type NicknameChangeRequest = z.infer<typeof nicknameChangeRequest>;
+export type NicknameChangeRequest = z.input<typeof nicknameChangeRequest>;
--- a/src/lib/server/services/auth.ts
+++ b/src/lib/server/services/auth.ts
@@ -51,14 +51,7 @@ export const login = async (email: string, password: string, ip: string, userAge
    error(401, "Invalid email or password");
  }

-  try {
-    return { sessionIdSigned: await startSession(user.id, ip, userAgent) };
-  } catch (e) {
-    if (e instanceof IntegrityError && e.message === "Session already exists") {
-      error(403, "Already logged in");
-    }
-    throw e;
-  }
+  return { sessionIdSigned: await startSession(user.id, ip, userAgent) };
 };

 export const logout = async (sessionId: string) => {
@@ -81,7 +74,7 @@ export const createSessionUpgradeChallenge = async (
  }

  const { answer, challenge } = await generateChallenge(32, encPubKey);
-  await registerSessionUpgradeChallenge(
+  const { id } = await registerSessionUpgradeChallenge(
    sessionId,
    client.id,
    answer.toString("base64"),
@@ -89,16 +82,18 @@ export const createSessionUpgradeChallenge = async (
    new Date(Date.now() + env.challenge.sessionUpgradeExp),
  );

-  return { challenge: challenge.toString("base64") };
+  return { id, challenge: challenge.toString("base64") };
 };

 export const verifySessionUpgradeChallenge = async (
  sessionId: string,
+  userId: number,
  ip: string,
-  answer: string,
+  challengeId: number,
  answerSig: string,
+  force: boolean,
 ) => {
-  const challenge = await consumeSessionUpgradeChallenge(sessionId, answer, ip);
+  const challenge = await consumeSessionUpgradeChallenge(challengeId, sessionId, ip);
  if (!challenge) {
    error(403, "Invalid challenge answer");
  }
@@ -106,15 +101,21 @@ export const verifySessionUpgradeChallenge = async (
  const client = await getClient(challenge.clientId);
  if (!client) {
    error(500, "Invalid challenge answer");
-  } else if (!verifySignature(Buffer.from(answer, "base64"), answerSig, client.sigPubKey)) {
+  } else if (
+    !verifySignature(Buffer.from(challenge.answer, "base64"), answerSig, client.sigPubKey)
+  ) {
    error(403, "Invalid challenge answer signature");
  }

  try {
-    await upgradeSession(sessionId, client.id);
+    await upgradeSession(userId, sessionId, client.id, force);
  } catch (e) {
-    if (e instanceof IntegrityError && e.message === "Session not found") {
-      error(500, "Invalid challenge answer");
+    if (e instanceof IntegrityError) {
+      if (e.message === "Session not found") {
+        error(500, "Invalid challenge answer");
+      } else if (!force && e.message === "Session already exists") {
+        error(409, "Already logged in");
+      }
    }
    throw e;
  }
--- a/src/lib/server/services/client.ts
+++ b/src/lib/server/services/client.ts
@@ -34,8 +34,14 @@ const createUserClientChallenge = async (
  encPubKey: string,
 ) => {
  const { answer, challenge } = await generateChallenge(32, encPubKey);
-  await registerUserClientChallenge(userId, clientId, answer.toString("base64"), ip, expiresAt());
-  return challenge.toString("base64");
+  const { id } = await registerUserClientChallenge(
+    userId,
+    clientId,
+    answer.toString("base64"),
+    ip,
+    expiresAt(),
+  );
+  return { id, challenge: challenge.toString("base64") };
 };

 export const registerUserClient = async (
@@ -48,7 +54,7 @@ export const registerUserClient = async (
  if (client) {
    try {
      await createUserClient(userId, client.id);
-      return { challenge: await createUserClientChallenge(ip, userId, client.id, encPubKey) };
+      return await createUserClientChallenge(ip, userId, client.id, encPubKey);
    } catch (e) {
      if (e instanceof IntegrityError && e.message === "User client already exists") {
        error(409, "Client already registered");
@@ -64,7 +70,7 @@ export const registerUserClient = async (

    try {
      const { id: clientId } = await createClient(encPubKey, sigPubKey, userId);
-      return { challenge: await createUserClientChallenge(ip, userId, clientId, encPubKey) };
+      return await createUserClientChallenge(ip, userId, clientId, encPubKey);
    } catch (e) {
      if (e instanceof IntegrityError && e.message === "Public key(s) already registered") {
        error(409, "Public key(s) already used");
@@ -77,10 +83,10 @@ export const registerUserClient = async (
 export const verifyUserClient = async (
  userId: number,
  ip: string,
-  answer: string,
+  challengeId: number,
  answerSig: string,
 ) => {
-  const challenge = await consumeUserClientChallenge(userId, answer, ip);
+  const challenge = await consumeUserClientChallenge(challengeId, userId, ip);
  if (!challenge) {
    error(403, "Invalid challenge answer");
  }
@@ -88,7 +94,9 @@ export const verifyUserClient = async (
  const client = await getClient(challenge.clientId);
  if (!client) {
    error(500, "Invalid challenge answer");
-  } else if (!verifySignature(Buffer.from(answer, "base64"), answerSig, client.sigPubKey)) {
+  } else if (
+    !verifySignature(Buffer.from(challenge.answer, "base64"), answerSig, client.sigPubKey)
+  ) {
    error(403, "Invalid challenge answer signature");
  }

--- a/src/lib/server/services/directory.ts
+++ b/src/lib/server/services/directory.ts
@@ -34,12 +34,19 @@ export const getDirectoryInformation = async (userId: number, directoryId: Direc
  };
 };

+const safeUnlink = async (path: string | null) => {
+  if (path) {
+    await unlink(path).catch(console.error);
+  }
+};
+
 export const deleteDirectory = async (userId: number, directoryId: number) => {
  try {
    const files = await unregisterDirectory(userId, directoryId);
    return {
-      files: files.map(({ id, path }) => {
-        unlink(path); // Intended
+      files: files.map(({ id, path, thumbnailPath }) => {
+        safeUnlink(path); // Intended
+        safeUnlink(thumbnailPath); // Intended
        return id;
      }),
    };
--- a/src/lib/server/services/file.ts
+++ b/src/lib/server/services/file.ts
@@ -9,6 +9,7 @@ import { v4 as uuidv4 } from "uuid";
 import { IntegrityError } from "$lib/server/db/error";
 import {
  registerFile,
+  getAllFileIds,
  getAllFileIdsByContentHmac,
  getFile,
  setFileEncName,
@@ -16,6 +17,11 @@ import {
  getAllFileCategories,
  type NewFile,
 } from "$lib/server/db/file";
+import {
+  updateFileThumbnail,
+  getFileThumbnail,
+  getMissingFileThumbnails,
+} from "$lib/server/db/media";
 import type { Ciphertext } from "$lib/server/db/schema";
 import env from "$lib/server/loadenv";

@@ -40,10 +46,17 @@ export const getFileInformation = async (userId: number, fileId: number) => {
  };
 };

+const safeUnlink = async (path: string | null) => {
+  if (path) {
+    await unlink(path).catch(console.error);
+  }
+};
+
 export const deleteFile = async (userId: number, fileId: number) => {
  try {
-    const { path } = await unregisterFile(userId, fileId);
-    unlink(path); // Intended
+    const { path, thumbnailPath } = await unregisterFile(userId, fileId);
+    safeUnlink(path); // Intended
+    safeUnlink(thumbnailPath); // Intended
  } catch (e) {
    if (e instanceof IntegrityError && e.message === "File not found") {
      error(404, "Invalid file id");
@@ -85,17 +98,74 @@ export const renameFile = async (
  }
 };

+export const getFileThumbnailInformation = async (userId: number, fileId: number) => {
+  const thumbnail = await getFileThumbnail(userId, fileId);
+  if (!thumbnail) {
+    error(404, "File or its thumbnail not found");
+  }
+
+  return { updatedAt: thumbnail.updatedAt, encContentIv: thumbnail.encContentIv };
+};
+
+export const getFileThumbnailStream = async (userId: number, fileId: number) => {
+  const thumbnail = await getFileThumbnail(userId, fileId);
+  if (!thumbnail) {
+    error(404, "File or its thumbnail not found");
+  }
+
+  const { size } = await stat(thumbnail.path);
+  return {
+    encContentStream: Readable.toWeb(createReadStream(thumbnail.path)),
+    encContentSize: size,
+  };
+};
+
+export const uploadFileThumbnail = async (
+  userId: number,
+  fileId: number,
+  dekVersion: Date,
+  encContentIv: string,
+  encContentStream: Readable,
+) => {
+  const path = `${env.thumbnailsPath}/${userId}/${uuidv4()}`;
+  await mkdir(dirname(path), { recursive: true });
+
+  try {
+    await pipeline(encContentStream, createWriteStream(path, { flags: "wx", mode: 0o600 }));
+
+    const oldPath = await updateFileThumbnail(userId, fileId, dekVersion, path, encContentIv);
+    safeUnlink(oldPath); // Intended
+  } catch (e) {
+    await safeUnlink(path);
+
+    if (e instanceof IntegrityError) {
+      if (e.message === "File not found") {
+        error(404, "File not found");
+      } else if (e.message === "Invalid DEK version") {
+        error(400, "Mismatched DEK version");
+      }
+    }
+    throw e;
+  }
+};
+
+export const getFileList = async (userId: number) => {
+  const fileIds = await getAllFileIds(userId);
+  return { files: fileIds };
+};
+
 export const scanDuplicateFiles = async (
  userId: number,
  hskVersion: number,
  contentHmac: string,
 ) => {
  const fileIds = await getAllFileIdsByContentHmac(userId, hskVersion, contentHmac);
-  return { files: fileIds.map(({ id }) => id) };
+  return { files: fileIds };
 };

-const safeUnlink = async (path: string) => {
-  await unlink(path).catch(console.error);
+export const scanMissingFileThumbnails = async (userId: number) => {
+  const fileIds = await getMissingFileThumbnails(userId);
+  return { files: fileIds };
 };

 export const uploadFile = async (
--- a/src/lib/services/auth.ts
+++ b/src/lib/services/auth.ts
@@ -11,20 +11,29 @@ export const requestSessionUpgrade = async (
  decryptKey: CryptoKey,
  verifyKeyBase64: string,
  signKey: CryptoKey,
+  force = false,
 ) => {
  let res = await callPostApi<SessionUpgradeRequest>("/api/auth/upgradeSession", {
    encPubKey: encryptKeyBase64,
    sigPubKey: verifyKeyBase64,
  });
-  if (!res.ok) return false;
+  if (res.status === 403) return [false, "Unregistered client"] as const;
+  else if (!res.ok) return [false] as const;

-  const { challenge }: SessionUpgradeResponse = await res.json();
+  const { id, challenge }: SessionUpgradeResponse = await res.json();
  const answer = await decryptChallenge(challenge, decryptKey);
  const answerSig = await signMessageRSA(answer, signKey);

  res = await callPostApi<SessionUpgradeVerifyRequest>("/api/auth/upgradeSession/verify", {
-    answer: encodeToBase64(answer),
+    id,
    answerSig: encodeToBase64(answerSig),
+    force,
  });
+  if (res.status === 409) return [false, "Already logged in"] as const;
+  else return [res.ok] as const;
+};
+
+export const requestLogout = async () => {
+  const res = await callPostApi("/api/auth/logout");
  return res.ok;
 };
--- a/src/lib/services/file.ts
+++ b/src/lib/services/file.ts
@@ -0,0 +1,83 @@
+import { callGetApi } from "$lib/hooks";
+import { getAllFileInfos } from "$lib/indexedDB/filesystem";
+import { decryptData } from "$lib/modules/crypto";
+import {
+  getFileCache,
+  storeFileCache,
+  deleteFileCache,
+  getFileThumbnailCache,
+  storeFileThumbnailCache,
+  deleteFileThumbnailCache,
+  downloadFile,
+} from "$lib/modules/file";
+import { getThumbnailUrl } from "$lib/modules/thumbnail";
+import type {
+  FileThumbnailInfoResponse,
+  FileThumbnailUploadRequest,
+  FileListResponse,
+} from "$lib/server/schemas";
+
+export const requestFileDownload = async (
+  fileId: number,
+  fileEncryptedIv: string,
+  dataKey: CryptoKey,
+) => {
+  const cache = await getFileCache(fileId);
+  if (cache) return cache;
+
+  const fileBuffer = await downloadFile(fileId, fileEncryptedIv, dataKey);
+  storeFileCache(fileId, fileBuffer); // Intended
+  return fileBuffer;
+};
+
+export const requestFileThumbnailUpload = async (
+  fileId: number,
+  dataKeyVersion: Date,
+  thumbnailEncrypted: { ciphertext: ArrayBuffer; iv: string },
+) => {
+  const form = new FormData();
+  form.set(
+    "metadata",
+    JSON.stringify({
+      dekVersion: dataKeyVersion.toISOString(),
+      contentIv: thumbnailEncrypted.iv,
+    } satisfies FileThumbnailUploadRequest),
+  );
+  form.set("content", new Blob([thumbnailEncrypted.ciphertext]));
+
+  return await fetch(`/api/file/${fileId}/thumbnail/upload`, { method: "POST", body: form });
+};
+
+export const requestFileThumbnailDownload = async (fileId: number, dataKey: CryptoKey) => {
+  const cache = await getFileThumbnailCache(fileId);
+  if (cache) return cache;
+
+  let res = await callGetApi(`/api/file/${fileId}/thumbnail`);
+  if (!res.ok) return null;
+
+  const { contentIv: thumbnailEncryptedIv }: FileThumbnailInfoResponse = await res.json();
+
+  res = await callGetApi(`/api/file/${fileId}/thumbnail/download`);
+  if (!res.ok) return null;
+
+  const thumbnailEncrypted = await res.arrayBuffer();
+  const thumbnailBuffer = await decryptData(thumbnailEncrypted, thumbnailEncryptedIv, dataKey);
+
+  storeFileThumbnailCache(fileId, thumbnailBuffer); // Intended
+  return getThumbnailUrl(thumbnailBuffer);
+};
+
+export const requestDeletedFilesCleanup = async () => {
+  const res = await callGetApi("/api/file/list");
+  if (!res.ok) return;
+
+  const { files: liveFiles }: FileListResponse = await res.json();
+  const liveFilesSet = new Set(liveFiles);
+  const maybeCachedFiles = await getAllFileInfos();
+
+  await Promise.all(
+    maybeCachedFiles
+      .filter(({ id }) => !liveFilesSet.has(id))
+      .flatMap(({ id }) => [deleteFileCache(id), deleteFileThumbnailCache(id)]),
+  );
+};
--- a/src/lib/services/key.ts
+++ b/src/lib/services/key.ts
@@ -2,18 +2,23 @@ import { callGetApi, callPostApi } from "$lib/hooks";
 import { storeMasterKeys } from "$lib/indexedDB";
 import {
  encodeToBase64,
+  exportRSAKeyToBase64,
  decryptChallenge,
  signMessageRSA,
  unwrapMasterKey,
+  signMasterKeyWrapped,
  verifyMasterKeyWrapped,
 } from "$lib/modules/crypto";
 import type {
  ClientRegisterRequest,
  ClientRegisterResponse,
  ClientRegisterVerifyRequest,
+  InitialHmacSecretRegisterRequest,
  MasterKeyListResponse,
+  InitialMasterKeyRegisterRequest,
 } from "$lib/server/schemas";
-import { masterKeyStore } from "$lib/stores";
+import { requestSessionUpgrade } from "$lib/services/auth";
+import { masterKeyStore, type ClientKeys } from "$lib/stores";

 export const requestClientRegistration = async (
  encryptKeyBase64: string,
@@ -27,17 +32,46 @@ export const requestClientRegistration = async (
  });
  if (!res.ok) return false;

-  const { challenge }: ClientRegisterResponse = await res.json();
+  const { id, challenge }: ClientRegisterResponse = await res.json();
  const answer = await decryptChallenge(challenge, decryptKey);
  const answerSig = await signMessageRSA(answer, signKey);

  res = await callPostApi<ClientRegisterVerifyRequest>("/api/client/register/verify", {
-    answer: encodeToBase64(answer),
+    id,
    answerSig: encodeToBase64(answerSig),
  });
  return res.ok;
 };

+export const requestClientRegistrationAndSessionUpgrade = async (
+  { encryptKey, decryptKey, signKey, verifyKey }: ClientKeys,
+  force: boolean,
+) => {
+  const encryptKeyBase64 = await exportRSAKeyToBase64(encryptKey);
+  const verifyKeyBase64 = await exportRSAKeyToBase64(verifyKey);
+  const [res, error] = await requestSessionUpgrade(
+    encryptKeyBase64,
+    decryptKey,
+    verifyKeyBase64,
+    signKey,
+    force,
+  );
+  if (error === undefined) return [res] as const;
+
+  if (
+    error === "Unregistered client" &&
+    !(await requestClientRegistration(encryptKeyBase64, decryptKey, verifyKeyBase64, signKey))
+  ) {
+    return [false] as const;
+  } else if (error === "Already logged in") {
+    return [false, force ? undefined : error] as const;
+  }
+
+  return [
+    (await requestSessionUpgrade(encryptKeyBase64, decryptKey, verifyKeyBase64, signKey))[0],
+  ] as const;
+};
+
 export const requestMasterKeyDownload = async (decryptKey: CryptoKey, verifyKey: CryptoKey) => {
  const res = await callGetApi("/api/mek/list");
  if (!res.ok) return false;
@@ -68,3 +102,23 @@ export const requestMasterKeyDownload = async (decryptKey: CryptoKey, verifyKey:

  return true;
 };
+
+export const requestInitialMasterKeyAndHmacSecretRegistration = async (
+  masterKeyWrapped: string,
+  hmacSecretWrapped: string,
+  signKey: CryptoKey,
+) => {
+  let res = await callPostApi<InitialMasterKeyRegisterRequest>("/api/mek/register/initial", {
+    mek: masterKeyWrapped,
+    mekSig: await signMasterKeyWrapped(masterKeyWrapped, 1, signKey),
+  });
+  if (!res.ok) {
+    return res.status === 403 || res.status === 409;
+  }
+
+  res = await callPostApi<InitialHmacSecretRegisterRequest>("/api/hsk/register/initial", {
+    mekVersion: 1,
+    hsk: hmacSecretWrapped,
+  });
+  return res.ok;
+};
--- a/src/routes/(fullscreen)/auth/login/+page.svelte
+++ b/src/routes/(fullscreen)/auth/login/+page.svelte
@@ -2,18 +2,57 @@
  import { goto } from "$app/navigation";
  import { BottomDiv, Button, FullscreenDiv, TextButton, TextInput } from "$lib/components/atoms";
  import { TitledDiv } from "$lib/components/molecules";
+  import { ForceLoginModal } from "$lib/components/organisms";
  import { clientKeyStore, masterKeyStore } from "$lib/stores";
-  import { requestLogin, requestSessionUpgrade, requestMasterKeyDownload } from "./service";
+  import {
+    requestLogin,
+    requestClientRegistrationAndSessionUpgrade,
+    requestMasterKeyDownload,
+    requestDeletedFilesCleanup,
+    requestLogout,
+  } from "./service";

  let { data } = $props();

  let email = $state("");
  let password = $state("");

+  let isForceLoginModalOpen = $state(false);
+
  const redirect = async (url: string) => {
    return await goto(`${url}?redirect=${encodeURIComponent(data.redirectPath)}`);
  };

+  const upgradeSession = async (force: boolean) => {
+    try {
+      const [upgradeRes, upgradeError] = await requestClientRegistrationAndSessionUpgrade(
+        $clientKeyStore!,
+        force,
+      );
+      if (!force && upgradeError === "Already logged in") {
+        isForceLoginModalOpen = true;
+        return;
+      } else if (!upgradeRes) {
+        throw new Error("Failed to upgrade session");
+      }
+
+      // TODO: Multi-user support
+
+      if (
+        $masterKeyStore ||
+        (await requestMasterKeyDownload($clientKeyStore!.decryptKey, $clientKeyStore!.verifyKey))
+      ) {
+        await requestDeletedFilesCleanup();
+        await goto(data.redirectPath);
+      } else {
+        await redirect("/client/pending");
+      }
+    } catch (e) {
+      // TODO
+      throw e;
+    }
+  };
+
  const login = async () => {
    // TODO: Validation

@@ -22,19 +61,7 @@

      if (!$clientKeyStore) return await redirect("/key/generate");

-      if (!(await requestSessionUpgrade($clientKeyStore)))
-        throw new Error("Failed to upgrade session");
-
-      // TODO: Multi-user support
-
-      if (
-        $masterKeyStore ||
-        (await requestMasterKeyDownload($clientKeyStore.decryptKey, $clientKeyStore.verifyKey))
-      ) {
-        await goto(data.redirectPath);
-      } else {
-        await redirect("/client/pending");
-      }
+      await upgradeSession(false);
    } catch (e) {
      // TODO: Alert
      throw e;
@@ -63,3 +90,9 @@
    <TextButton>계정이 없어요</TextButton>
  </BottomDiv>
 </FullscreenDiv>
+
+<ForceLoginModal
+  bind:isOpen={isForceLoginModalOpen}
+  oncancel={requestLogout}
+  onLoginClick={() => upgradeSession(true)}
+/>
--- a/src/routes/(fullscreen)/auth/login/service.ts
+++ b/src/routes/(fullscreen)/auth/login/service.ts
@@ -1,37 +1,14 @@
 import { callPostApi } from "$lib/hooks";
-import { exportRSAKeyToBase64 } from "$lib/modules/crypto";
 import type { LoginRequest } from "$lib/server/schemas";
-import { requestSessionUpgrade as requestSessionUpgradeInternal } from "$lib/services/auth";
-import { requestClientRegistration } from "$lib/services/key";
-import type { ClientKeys } from "$lib/stores";

-export { requestMasterKeyDownload } from "$lib/services/key";
+export { requestLogout } from "$lib/services/auth";
+export { requestDeletedFilesCleanup } from "$lib/services/file";
+export {
+  requestClientRegistrationAndSessionUpgrade,
+  requestMasterKeyDownload,
+} from "$lib/services/key";

 export const requestLogin = async (email: string, password: string) => {
  const res = await callPostApi<LoginRequest>("/api/auth/login", { email, password });
  return res.ok;
 };
-
-export const requestSessionUpgrade = async ({
-  encryptKey,
-  decryptKey,
-  signKey,
-  verifyKey,
-}: ClientKeys) => {
-  const encryptKeyBase64 = await exportRSAKeyToBase64(encryptKey);
-  const verifyKeyBase64 = await exportRSAKeyToBase64(verifyKey);
-  if (await requestSessionUpgradeInternal(encryptKeyBase64, decryptKey, verifyKeyBase64, signKey)) {
-    return true;
-  }
-
-  if (await requestClientRegistration(encryptKeyBase64, decryptKey, verifyKeyBase64, signKey)) {
-    return await requestSessionUpgradeInternal(
-      encryptKeyBase64,
-      decryptKey,
-      verifyKeyBase64,
-      signKey,
-    );
-  } else {
-    return false;
-  }
-};
--- a/src/routes/(fullscreen)/file/[id]/+page.svelte
+++ b/src/routes/(fullscreen)/file/[id]/+page.svelte
@@ -11,15 +11,18 @@
    type FileInfo,
    type CategoryInfo,
  } from "$lib/modules/filesystem";
+  import { captureVideoThumbnail } from "$lib/modules/thumbnail";
  import { fileDownloadStatusStore, isFileDownloading, masterKeyStore } from "$lib/stores";
  import AddToCategoryBottomSheet from "./AddToCategoryBottomSheet.svelte";
  import DownloadStatus from "./DownloadStatus.svelte";
  import {
    requestFileRemovalFromCategory,
    requestFileDownload,
+    requestThumbnailUpload,
    requestFileAdditionToCategory,
  } from "./service";

+  import IconCamera from "~icons/material-symbols/camera";
  import IconClose from "~icons/material-symbols/close";
  import IconAddCircle from "~icons/material-symbols/add-circle";

@@ -40,6 +43,7 @@
  let isDownloadRequested = $state(false);
  let viewerType: "image" | "video" | undefined = $state();
  let fileBlobUrl: string | undefined = $state();
+  let videoElement: HTMLVideoElement | undefined = $state();

  const updateViewer = async (buffer: ArrayBuffer, contentType: string) => {
    const fileBlob = new Blob([buffer], { type: contentType });
@@ -55,6 +59,11 @@
    return fileBlob;
  };

+  const updateThumbnail = async (dataKey: CryptoKey, dataKeyVersion: Date) => {
+    const thumbnail = await captureVideoThumbnail(videoElement!);
+    await requestThumbnailUpload(data.id, thumbnail, dataKey, dataKeyVersion);
+  };
+
  const addToCategory = async (categoryId: number) => {
    await requestFileAdditionToCategory(data.id, categoryId);
    isAddToCategoryBottomSheetOpen = false;
@@ -133,8 +142,17 @@
          {/if}
        {:else if viewerType === "video"}
          {#if fileBlobUrl}
-            <!-- svelte-ignore a11y_media_has_caption -->
-            <video src={fileBlobUrl} controls></video>
+            <div class="flex flex-col space-y-2">
+              <!-- svelte-ignore a11y_media_has_caption -->
+              <video bind:this={videoElement} src={fileBlobUrl} controls muted></video>
+              <IconEntryButton
+                icon={IconCamera}
+                onclick={() => updateThumbnail($info.dataKey!, $info.dataKeyVersion!)}
+                class="w-full"
+              >
+                이 장면을 썸네일로 설정하기
+              </IconEntryButton>
+            </div>
          {:else}
            {@render viewerLoading("비디오를 불러오고 있어요.")}
          {/if}
--- a/src/routes/(fullscreen)/file/[id]/service.ts
+++ b/src/routes/(fullscreen)/file/[id]/service.ts
@@ -1,20 +1,25 @@
 import { callPostApi } from "$lib/hooks";
-import { getFileCache, storeFileCache, downloadFile } from "$lib/modules/file";
+import { encryptData } from "$lib/modules/crypto";
+import { storeFileThumbnailCache } from "$lib/modules/file";
 import type { CategoryFileAddRequest } from "$lib/server/schemas";
+import { requestFileThumbnailUpload } from "$lib/services/file";

 export { requestCategoryCreation, requestFileRemovalFromCategory } from "$lib/services/category";
+export { requestFileDownload } from "$lib/services/file";

-export const requestFileDownload = async (
+export const requestThumbnailUpload = async (
  fileId: number,
-  fileEncryptedIv: string,
+  thumbnail: Blob,
  dataKey: CryptoKey,
+  dataKeyVersion: Date,
 ) => {
-  const cache = await getFileCache(fileId);
-  if (cache) return cache;
+  const thumbnailBuffer = await thumbnail.arrayBuffer();
+  const thumbnailEncrypted = await encryptData(thumbnailBuffer, dataKey);
+  const res = await requestFileThumbnailUpload(fileId, dataKeyVersion, thumbnailEncrypted);
+  if (!res.ok) return false;

-  const fileBuffer = await downloadFile(fileId, fileEncryptedIv, dataKey);
-  storeFileCache(fileId, fileBuffer); // Intended
-  return fileBuffer;
+  storeFileThumbnailCache(fileId, thumbnailBuffer); // Intended
+  return true;
 };

 export const requestFileAdditionToCategory = async (fileId: number, categoryId: number) => {
--- a/src/routes/(fullscreen)/key/export/+page.svelte
+++ b/src/routes/(fullscreen)/key/export/+page.svelte
@@ -3,13 +3,12 @@
  import { goto } from "$app/navigation";
  import { BottomDiv, Button, FullscreenDiv, TextButton } from "$lib/components/atoms";
  import { TitledDiv } from "$lib/components/molecules";
+  import { serializeClientKeys, storeClientKeys } from "$lib/modules/key";
  import { clientKeyStore } from "$lib/stores";
  import BeforeContinueBottomSheet from "./BeforeContinueBottomSheet.svelte";
  import BeforeContinueModal from "./BeforeContinueModal.svelte";
  import {
-    serializeClientKeys,
    requestClientRegistration,
-    storeClientKeys,
    requestSessionUpgrade,
    requestInitialMasterKeyAndHmacSecretRegistration,
  } from "./service";
@@ -22,15 +21,8 @@
  let isBeforeContinueBottomSheetOpen = $state(false);

  const exportClientKeys = () => {
-    const clientKeysSerialized = serializeClientKeys(
-      data.encryptKeyBase64,
-      data.decryptKeyBase64,
-      data.signKeyBase64,
-      data.verifyKeyBase64,
-    );
-    const clientKeysBlob = new Blob([JSON.stringify(clientKeysSerialized)], {
-      type: "application/json",
-    });
+    const clientKeysSerialized = serializeClientKeys(data);
+    const clientKeysBlob = new Blob([clientKeysSerialized], { type: "application/json" });
    FileSaver.saveAs(clientKeysBlob, "arkvault-clientkey.json");

    if (!isBeforeContinueBottomSheetOpen) {
@@ -59,12 +51,14 @@
      await storeClientKeys($clientKeyStore);

      if (
-        !(await requestSessionUpgrade(
-          data.encryptKeyBase64,
-          $clientKeyStore.decryptKey,
-          data.verifyKeyBase64,
-          $clientKeyStore.signKey,
-        ))
+        !(
+          await requestSessionUpgrade(
+            data.encryptKeyBase64,
+            $clientKeyStore.decryptKey,
+            data.verifyKeyBase64,
+            $clientKeyStore.signKey,
+          )
+        )[0]
      )
        throw new Error("Failed to upgrade session");

--- a/src/routes/(fullscreen)/key/export/service.ts
+++ b/src/routes/(fullscreen)/key/export/service.ts
@@ -1,68 +1,5 @@
-import { callPostApi } from "$lib/hooks";
-import { storeClientKey } from "$lib/indexedDB";
-import { signMasterKeyWrapped } from "$lib/modules/crypto";
-import type {
-  InitialMasterKeyRegisterRequest,
-  InitialHmacSecretRegisterRequest,
-} from "$lib/server/schemas";
-import type { ClientKeys } from "$lib/stores";
-
 export { requestSessionUpgrade } from "$lib/services/auth";
-export { requestClientRegistration } from "$lib/services/key";
-
-type SerializedKeyPairs = {
-  generator: "ArkVault";
-  exportedAt: Date;
-} & {
-  version: 1;
-  encryptKey: string;
-  decryptKey: string;
-  signKey: string;
-  verifyKey: string;
-};
-
-export const serializeClientKeys = (
-  encryptKeyBase64: string,
-  decryptKeyBase64: string,
-  signKeyBase64: string,
-  verifyKeyBase64: string,
-) => {
-  return {
-    version: 1,
-    generator: "ArkVault",
-    exportedAt: new Date(),
-    encryptKey: encryptKeyBase64,
-    decryptKey: decryptKeyBase64,
-    signKey: signKeyBase64,
-    verifyKey: verifyKeyBase64,
-  } satisfies SerializedKeyPairs;
-};
-
-export const storeClientKeys = async (clientKeys: ClientKeys) => {
-  await Promise.all([
-    storeClientKey(clientKeys.encryptKey, "encrypt"),
-    storeClientKey(clientKeys.decryptKey, "decrypt"),
-    storeClientKey(clientKeys.signKey, "sign"),
-    storeClientKey(clientKeys.verifyKey, "verify"),
-  ]);
-};
-
-export const requestInitialMasterKeyAndHmacSecretRegistration = async (
-  masterKeyWrapped: string,
-  hmacSecretWrapped: string,
-  signKey: CryptoKey,
-) => {
-  let res = await callPostApi<InitialMasterKeyRegisterRequest>("/api/mek/register/initial", {
-    mek: masterKeyWrapped,
-    mekSig: await signMasterKeyWrapped(masterKeyWrapped, 1, signKey),
-  });
-  if (!res.ok) {
-    return res.status === 409;
-  }
-
-  res = await callPostApi<InitialHmacSecretRegisterRequest>("/api/hsk/register/initial", {
-    mekVersion: 1,
-    hsk: hmacSecretWrapped,
-  });
-  return res.ok;
-};
+export {
+  requestClientRegistration,
+  requestInitialMasterKeyAndHmacSecretRegistration,
+} from "$lib/services/key";
--- a/src/routes/(fullscreen)/key/generate/+page.svelte
+++ b/src/routes/(fullscreen)/key/generate/+page.svelte
@@ -3,19 +3,29 @@
  import { goto } from "$app/navigation";
  import { BottomDiv, Button, FullscreenDiv, TextButton } from "$lib/components/atoms";
  import { TitledDiv } from "$lib/components/molecules";
+  import { ForceLoginModal } from "$lib/components/organisms";
  import { gotoStateful } from "$lib/hooks";
+  import { storeClientKeys } from "$lib/modules/key";
  import { clientKeyStore } from "$lib/stores";
  import Order from "./Order.svelte";
  import {
    generateClientKeys,
    generateInitialMasterKey,
    generateInitialHmacSecret,
+    importClientKeys,
+    requestClientRegistrationAndSessionUpgrade,
+    requestInitialMasterKeyAndHmacSecretRegistration,
+    requestDeletedFilesCleanup,
  } from "./service";

  import IconKey from "~icons/material-symbols/key";

  let { data } = $props();

+  let fileInput: HTMLInputElement | undefined = $state();
+
+  let isForceLoginModalOpen = $state(false);
+
  // TODO: Update
  const orders = [
    {
@@ -51,6 +61,54 @@
    });
  };

+  const upgradeSession = async (force: boolean) => {
+    const [upgradeRes, upgradeError] = await requestClientRegistrationAndSessionUpgrade(
+      $clientKeyStore!,
+      force,
+    );
+    if (!force && upgradeError === "Already logged in") {
+      isForceLoginModalOpen = true;
+      return;
+    } else if (!upgradeRes) {
+      // TODO: Error Handling
+      return;
+    }
+
+    const { masterKey, masterKeyWrapped } = await generateInitialMasterKey(
+      $clientKeyStore!.encryptKey,
+    );
+    const { hmacSecretWrapped } = await generateInitialHmacSecret(masterKey);
+
+    await storeClientKeys($clientKeyStore!);
+
+    if (
+      !(await requestInitialMasterKeyAndHmacSecretRegistration(
+        masterKeyWrapped,
+        hmacSecretWrapped,
+        $clientKeyStore!.signKey,
+      ))
+    ) {
+      // TODO: Error Handling
+      return;
+    }
+
+    await requestDeletedFilesCleanup();
+    await goto("/client/pending?redirect=" + encodeURIComponent(data.redirectPath));
+  };
+
+  const importKeys = async () => {
+    const file = fileInput?.files?.[0];
+    if (!file) return;
+
+    if (await importClientKeys(await file.text())) {
+      await upgradeSession(false);
+    } else {
+      // TODO: Error Handling
+    }
+
+    fileInput!.value = "";
+  };
+
  onMount(async () => {
    if ($clientKeyStore) {
      await goto(data.redirectPath, { replaceState: true });
@@ -62,6 +120,14 @@
  <title>암호 키 생성하기</title>
 </svelte:head>

+<input
+  bind:this={fileInput}
+  onchange={importKeys}
+  type="file"
+  accept="application/json"
+  class="hidden"
+/>
+
 <FullscreenDiv>
  <TitledDiv childrenClass="space-y-4">
    {#snippet title()}
@@ -83,6 +149,8 @@
  </TitledDiv>
  <BottomDiv class="flex flex-col items-center gap-y-2">
    <Button onclick={generateKeys} class="w-full">새 암호 키 생성하기</Button>
-    <TextButton>키를 갖고 있어요</TextButton>
+    <TextButton onclick={() => fileInput?.click()}>키를 갖고 있어요</TextButton>
  </BottomDiv>
 </FullscreenDiv>
+
+<ForceLoginModal bind:isOpen={isForceLoginModalOpen} onLoginClick={() => upgradeSession(true)} />
--- a/src/routes/(fullscreen)/key/generate/service.ts
+++ b/src/routes/(fullscreen)/key/generate/service.ts
@@ -2,6 +2,8 @@ import {
  generateEncryptionKeyPair,
  generateSigningKeyPair,
  exportRSAKeyToBase64,
+  importEncryptionKeyPairFromBase64,
+  importSigningKeyPairFromBase64,
  makeRSAKeyNonextractable,
  wrapMasterKey,
  generateMasterKey,
@@ -9,8 +11,16 @@ import {
  wrapHmacSecret,
  generateHmacSecret,
 } from "$lib/modules/crypto";
+import { deserializeClientKeys } from "$lib/modules/key";
 import { clientKeyStore } from "$lib/stores";

+export { requestLogout } from "$lib/services/auth";
+export { requestDeletedFilesCleanup } from "$lib/services/file";
+export {
+  requestClientRegistrationAndSessionUpgrade,
+  requestInitialMasterKeyAndHmacSecretRegistration,
+} from "$lib/services/key";
+
 export const generateClientKeys = async () => {
  const { encryptKey, decryptKey } = await generateEncryptionKeyPair();
  const { signKey, verifyKey } = await generateSigningKeyPair();
@@ -45,3 +55,25 @@ export const generateInitialHmacSecret = async (masterKey: CryptoKey) => {
    hmacSecretWrapped: await wrapHmacSecret(hmacSecret, masterKey),
  };
 };
+
+export const importClientKeys = async (clientKeysSerialized: string) => {
+  const clientKeys = deserializeClientKeys(clientKeysSerialized);
+  if (!clientKeys) return false;
+
+  const { encryptKey, decryptKey } = await importEncryptionKeyPairFromBase64(
+    clientKeys.encryptKeyBase64,
+    clientKeys.decryptKeyBase64,
+  );
+  const { signKey, verifyKey } = await importSigningKeyPairFromBase64(
+    clientKeys.signKeyBase64,
+    clientKeys.verifyKeyBase64,
+  );
+
+  clientKeyStore.set({
+    encryptKey,
+    decryptKey: await makeRSAKeyNonextractable(decryptKey),
+    signKey: await makeRSAKeyNonextractable(signKey),
+    verifyKey,
+  });
+  return true;
+};
--- a/src/routes/(fullscreen)/settings/cache/+page.svelte
+++ b/src/routes/(fullscreen)/settings/cache/+page.svelte
@@ -4,12 +4,11 @@
  import { FullscreenDiv } from "$lib/components/atoms";
  import { TopBar } from "$lib/components/molecules";
  import type { FileCacheIndex } from "$lib/indexedDB";
-  import { getFileCacheIndex } from "$lib/modules/file";
+  import { getFileCacheIndex, deleteFileCache as doDeleteFileCache } from "$lib/modules/file";
  import { getFileInfo, type FileInfo } from "$lib/modules/filesystem";
  import { formatFileSize } from "$lib/modules/util";
  import { masterKeyStore } from "$lib/stores";
  import File from "./File.svelte";
-  import { deleteFileCache as doDeleteFileCache } from "./service";

  interface FileCache {
    index: FileCacheIndex;
--- a/src/routes/(fullscreen)/settings/cache/service.ts
+++ b/src/routes/(fullscreen)/settings/cache/service.ts
@@ -1,5 +0,0 @@
-import { deleteFileCache as doDeleteFileCache } from "$lib/modules/file";
-
-export const deleteFileCache = async (fileId: number) => {
-  await doDeleteFileCache(fileId);
-};
--- a/src/routes/(fullscreen)/settings/thumbnail/+page.svelte
+++ b/src/routes/(fullscreen)/settings/thumbnail/+page.svelte
@@ -0,0 +1,77 @@
+<script lang="ts">
+  import { onMount } from "svelte";
+  import { get } from "svelte/store";
+  import { goto } from "$app/navigation";
+  import { BottomDiv, Button, FullscreenDiv } from "$lib/components/atoms";
+  import { IconEntryButton, TopBar } from "$lib/components/molecules";
+  import { deleteAllFileThumbnailCaches } from "$lib/modules/file";
+  import { getFileInfo } from "$lib/modules/filesystem";
+  import { masterKeyStore } from "$lib/stores";
+  import File from "./File.svelte";
+  import {
+    persistentStates,
+    getGenerationStatus,
+    requestThumbnailGeneration,
+  } from "./service.svelte";
+
+  import IconDelete from "~icons/material-symbols/delete";
+
+  let { data } = $props();
+
+  const generateAllThumbnails = () => {
+    persistentStates.files.forEach(({ info }) => {
+      const fileInfo = get(info);
+      if (fileInfo) {
+        requestThumbnailGeneration(fileInfo);
+      }
+    });
+  };
+
+  onMount(() => {
+    persistentStates.files = data.files.map((fileId) => ({
+      id: fileId,
+      info: getFileInfo(fileId, $masterKeyStore?.get(1)?.key!),
+      status: getGenerationStatus(fileId),
+    }));
+  });
+</script>
+
+<svelte:head>
+  <title>썸네일 설정</title>
+</svelte:head>
+
+<TopBar title="썸네일" />
+<FullscreenDiv class="bg-gray-100 !px-0">
+  <div class="flex flex-grow flex-col space-y-4">
+    <div class="bg-white p-4 !pt-0">
+      <IconEntryButton icon={IconDelete} onclick={deleteAllFileThumbnailCaches} class="w-full">
+        저장된 썸네일 모두 삭제하기
+      </IconEntryButton>
+    </div>
+    {#if persistentStates.files.length > 0}
+      <div class="flex-grow space-y-2 bg-white p-4">
+        <p class="text-lg font-bold text-gray-800">썸네일이 누락된 파일</p>
+        <div class="space-y-4">
+          <p class="break-keep text-gray-800">
+            {persistentStates.files.length}개 파일의 썸네일이 존재하지 않아요.
+          </p>
+          <div class="space-y-2">
+            {#each persistentStates.files as { info, status }}
+              <File
+                {info}
+                generationStatus={status}
+                onclick={({ id }) => goto(`/file/${id}`)}
+                onGenerateThumbnailClick={requestThumbnailGeneration}
+              />
+            {/each}
+          </div>
+        </div>
+      </div>
+    {/if}
+  </div>
+  {#if persistentStates.files.length > 0}
+    <BottomDiv class="px-4">
+      <Button onclick={generateAllThumbnails} class="w-full">모두 썸네일 생성하기</Button>
+    </BottomDiv>
+  {/if}
+</FullscreenDiv>
--- a/src/routes/(fullscreen)/settings/thumbnail/+page.ts
+++ b/src/routes/(fullscreen)/settings/thumbnail/+page.ts
@@ -0,0 +1,14 @@
+import { error } from "@sveltejs/kit";
+import { callPostApi } from "$lib/hooks";
+import type { MissingThumbnailFileScanResponse } from "$lib/server/schemas";
+import type { PageLoad } from "./$types";
+
+export const load: PageLoad = async ({ fetch }) => {
+  const res = await callPostApi("/api/file/scanMissingThumbnails", undefined, fetch);
+  if (!res.ok) {
+    error(500, "Internal server error");
+  }
+
+  const { files }: MissingThumbnailFileScanResponse = await res.json();
+  return { files };
+};
--- a/src/routes/(fullscreen)/settings/thumbnail/File.svelte
+++ b/src/routes/(fullscreen)/settings/thumbnail/File.svelte
@@ -0,0 +1,46 @@
+<script module lang="ts">
+  const subtexts = {
+    queued: "대기 중",
+    "generation-pending": "준비 중",
+    generating: "생성하는 중",
+    "upload-pending": "업로드를 기다리는 중",
+    uploading: "업로드하는 중",
+    error: "실패",
+  } as const;
+</script>
+
+<script lang="ts">
+  import type { Writable } from "svelte/store";
+  import { ActionEntryButton } from "$lib/components/atoms";
+  import { DirectoryEntryLabel } from "$lib/components/molecules";
+  import type { FileInfo } from "$lib/modules/filesystem";
+  import { formatDateTime } from "$lib/modules/util";
+  import type { GenerationStatus } from "./service.svelte";
+
+  import IconCamera from "~icons/material-symbols/camera";
+
+  interface Props {
+    info: Writable<FileInfo | null>;
+    onclick: (selectedFile: FileInfo) => void;
+    onGenerateThumbnailClick: (selectedFile: FileInfo) => void;
+    generationStatus?: Writable<GenerationStatus>;
+  }
+
+  let { info, onclick, onGenerateThumbnailClick, generationStatus }: Props = $props();
+</script>
+
+{#if $info}
+  <ActionEntryButton
+    class="h-14"
+    onclick={() => onclick($info)}
+    actionButtonIcon={!$generationStatus || $generationStatus === "error" ? IconCamera : undefined}
+    onActionButtonClick={() => onGenerateThumbnailClick($info)}
+    actionButtonClass="text-gray-800"
+  >
+    {@const subtext =
+      $generationStatus && $generationStatus !== "uploaded"
+        ? subtexts[$generationStatus]
+        : formatDateTime($info.createdAt ?? $info.lastModifiedAt)}
+    <DirectoryEntryLabel type="file" name={$info.name} {subtext} />
+  </ActionEntryButton>
+{/if}
--- a/src/routes/(fullscreen)/settings/thumbnail/service.svelte.ts
+++ b/src/routes/(fullscreen)/settings/thumbnail/service.svelte.ts
@@ -0,0 +1,158 @@
+import { limitFunction } from "p-limit";
+import { get, writable, type Writable } from "svelte/store";
+import { encryptData } from "$lib/modules/crypto";
+import { storeFileThumbnailCache } from "$lib/modules/file";
+import type { FileInfo } from "$lib/modules/filesystem";
+import { generateThumbnail as doGenerateThumbnail } from "$lib/modules/thumbnail";
+import { requestFileDownload, requestFileThumbnailUpload } from "$lib/services/file";
+
+export type GenerationStatus =
+  | "queued"
+  | "generation-pending"
+  | "generating"
+  | "upload-pending"
+  | "uploading"
+  | "uploaded"
+  | "error";
+
+interface File {
+  id: number;
+  info: Writable<FileInfo | null>;
+  status?: Writable<GenerationStatus>;
+}
+
+const workingFiles = new Map<number, Writable<GenerationStatus>>();
+
+let queue: (() => void)[] = [];
+let memoryUsage = 0;
+const memoryLimit = 100 * 1024 * 1024; // 100 MiB
+
+export const persistentStates = $state({
+  files: [] as File[],
+});
+
+export const getGenerationStatus = (fileId: number) => {
+  return workingFiles.get(fileId);
+};
+
+const generateThumbnail = limitFunction(
+  async (
+    status: Writable<GenerationStatus>,
+    fileBuffer: ArrayBuffer,
+    fileType: string,
+    dataKey: CryptoKey,
+  ) => {
+    status.set("generating");
+
+    const thumbnail = await doGenerateThumbnail(fileBuffer, fileType);
+    if (!thumbnail) return null;
+
+    const thumbnailBuffer = await thumbnail.arrayBuffer();
+    const thumbnailEncrypted = await encryptData(thumbnailBuffer, dataKey);
+    status.set("upload-pending");
+    return { plaintext: thumbnailBuffer, ...thumbnailEncrypted };
+  },
+  { concurrency: 4 },
+);
+
+const requestThumbnailUpload = limitFunction(
+  async (
+    status: Writable<GenerationStatus>,
+    fileId: number,
+    dataKeyVersion: Date,
+    thumbnail: { plaintext: ArrayBuffer; ciphertext: ArrayBuffer; iv: string },
+  ) => {
+    status.set("uploading");
+
+    const res = await requestFileThumbnailUpload(fileId, dataKeyVersion, thumbnail);
+    if (!res.ok) return false;
+
+    status.set("uploaded");
+    workingFiles.delete(fileId);
+    persistentStates.files = persistentStates.files.filter(({ id }) => id != fileId);
+
+    storeFileThumbnailCache(fileId, thumbnail.plaintext); // Intended
+    return true;
+  },
+  { concurrency: 4 },
+);
+
+const enqueue = async (
+  status: Writable<GenerationStatus> | undefined,
+  fileInfo: FileInfo,
+  priority = false,
+) => {
+  if (status) {
+    status.set("queued");
+  } else {
+    status = writable("queued");
+    workingFiles.set(fileInfo.id, status);
+    persistentStates.files = persistentStates.files.map((file) =>
+      file.id === fileInfo.id ? { ...file, status } : file,
+    );
+  }
+
+  let resolver;
+  const promise = new Promise((resolve) => {
+    resolver = resolve;
+  });
+
+  if (priority) {
+    queue = [resolver!, ...queue];
+  } else {
+    queue.push(resolver!);
+  }
+
+  await promise;
+};
+
+export const requestThumbnailGeneration = async (fileInfo: FileInfo) => {
+  let status = workingFiles.get(fileInfo.id);
+  if (status && get(status) !== "error") return;
+
+  if (workingFiles.values().some((status) => get(status) !== "error")) {
+    await enqueue(status, fileInfo);
+  }
+  while (memoryUsage >= memoryLimit) {
+    await enqueue(status, fileInfo, true);
+  }
+
+  if (status) {
+    status.set("generation-pending");
+  } else {
+    status = writable("generation-pending");
+    workingFiles.set(fileInfo.id, status);
+    persistentStates.files = persistentStates.files.map((file) =>
+      file.id === fileInfo.id ? { ...file, status } : file,
+    );
+  }
+
+  let fileSize = 0;
+  try {
+    const file = await requestFileDownload(fileInfo.id, fileInfo.contentIv!, fileInfo.dataKey!);
+    fileSize = file.byteLength;
+
+    memoryUsage += fileSize;
+    if (memoryUsage < memoryLimit) {
+      queue.shift()?.();
+    }
+
+    const thumbnail = await generateThumbnail(
+      status,
+      file,
+      fileInfo.contentType,
+      fileInfo.dataKey!,
+    );
+    if (
+      !thumbnail ||
+      !(await requestThumbnailUpload(status, fileInfo.id, fileInfo.dataKeyVersion!, thumbnail))
+    ) {
+      status.set("error");
+    }
+  } catch {
+    status.set("error");
+  } finally {
+    memoryUsage -= fileSize;
+    queue.shift()?.();
+  }
+};
--- a/src/routes/(main)/directory/[[id]]/DirectoryEntries/File.svelte
+++ b/src/routes/(main)/directory/[[id]]/DirectoryEntries/File.svelte
@@ -4,6 +4,7 @@
  import { DirectoryEntryLabel } from "$lib/components/molecules";
  import type { FileInfo } from "$lib/modules/filesystem";
  import { formatDateTime } from "$lib/modules/util";
+  import { requestFileThumbnailDownload } from "./service";
  import type { SelectedEntry } from "../service.svelte";

  import IconMoreVert from "~icons/material-symbols/more-vert";
@@ -16,6 +17,8 @@

  let { info, onclick, onOpenMenuClick }: Props = $props();

+  let thumbnail: string | undefined = $state();
+
  const openFile = () => {
    const { id, dataKey, dataKeyVersion, name } = $info!;
    if (!dataKey || !dataKeyVersion) return; // TODO: Error handling
@@ -29,6 +32,21 @@

    onOpenMenuClick({ type: "file", id, dataKey, dataKeyVersion, name });
  };
+
+  $effect(() => {
+    if ($info?.dataKey) {
+      requestFileThumbnailDownload($info.id, $info.dataKey)
+        .then((thumbnailUrl) => {
+          thumbnail = thumbnailUrl ?? undefined;
+        })
+        .catch(() => {
+          // TODO: Error Handling
+          thumbnail = undefined;
+        });
+    } else {
+      thumbnail = undefined;
+    }
+  });
 </script>

 {#if $info}
@@ -40,6 +58,7 @@
  >
    <DirectoryEntryLabel
      type="file"
+      {thumbnail}
      name={$info.name}
      subtext={formatDateTime($info.createdAt ?? $info.lastModifiedAt)}
    />
--- a/src/routes/(main)/directory/[[id]]/DirectoryEntries/UploadingFile.svelte
+++ b/src/routes/(main)/directory/[[id]]/DirectoryEntries/UploadingFile.svelte
@@ -13,8 +13,8 @@
 </script>

 {#if isFileUploading($status.status)}
-  <div class="flex h-14 items-center gap-x-4 p-2">
-    <div class="flex-shrink-0 text-lg">
+  <div class="flex h-14 gap-x-4 p-2">
+    <div class="flex h-10 w-10 flex-shrink-0 items-center justify-center text-xl">
      <IconDraft class="text-gray-600" />
    </div>
    <div class="flex flex-grow flex-col overflow-hidden text-gray-800">
--- a/src/routes/(main)/directory/[[id]]/DirectoryEntries/service.ts
+++ b/src/routes/(main)/directory/[[id]]/DirectoryEntries/service.ts
@@ -0,0 +1 @@
+export { requestFileThumbnailDownload } from "$lib/services/file";
--- a/src/routes/(main)/directory/[[id]]/service.svelte.ts
+++ b/src/routes/(main)/directory/[[id]]/service.svelte.ts
@@ -2,7 +2,13 @@ import { getContext, setContext } from "svelte";
 import { callGetApi, callPostApi } from "$lib/hooks";
 import { storeHmacSecrets } from "$lib/indexedDB";
 import { generateDataKey, wrapDataKey, unwrapHmacSecret, encryptString } from "$lib/modules/crypto";
-import { storeFileCache, deleteFileCache, uploadFile } from "$lib/modules/file";
+import {
+  storeFileCache,
+  deleteFileCache,
+  storeFileThumbnailCache,
+  deleteFileThumbnailCache,
+  uploadFile,
+} from "$lib/modules/file";
 import type {
  DirectoryRenameRequest,
  DirectoryCreateRequest,
@@ -81,6 +87,10 @@ export const requestFileUpload = async (
  if (!res) return false;

  storeFileCache(res.fileId, res.fileBuffer); // Intended
+  if (res.thumbnailBuffer) {
+    storeFileThumbnailCache(res.fileId, res.thumbnailBuffer); // Intended
+  }
+
  return true;
 };

@@ -110,10 +120,12 @@ export const requestEntryDeletion = async (entry: SelectedEntry) => {

  if (entry.type === "directory") {
    const { deletedFiles }: DirectoryDeleteResponse = await res.json();
-    await Promise.all(deletedFiles.map(deleteFileCache));
+    await Promise.all(
+      deletedFiles.flatMap((fileId) => [deleteFileCache(fileId), deleteFileThumbnailCache(fileId)]),
+    );
    return true;
  } else {
-    await deleteFileCache(entry.id);
+    await Promise.all([deleteFileCache(entry.id), deleteFileThumbnailCache(entry.id)]);
    return true;
  }
 };
--- a/src/routes/(main)/menu/+page.svelte
+++ b/src/routes/(main)/menu/+page.svelte
@@ -4,6 +4,7 @@
  import { requestLogout } from "./service";

  import IconStorage from "~icons/material-symbols/storage";
+  import IconImage from "~icons/material-symbols/image";
  import IconPassword from "~icons/material-symbols/password";
  import IconLogout from "~icons/material-symbols/logout";

@@ -33,6 +34,13 @@
    >
      캐시
    </MenuEntryButton>
+    <MenuEntryButton
+      onclick={() => goto("/settings/thumbnail")}
+      icon={IconImage}
+      iconColor="text-blue-500"
+    >
+      썸네일
+    </MenuEntryButton>
  </div>
  <div class="space-y-2">
    <p class="font-semibold">보안</p>
--- a/src/routes/(main)/menu/service.ts
+++ b/src/routes/(main)/menu/service.ts
@@ -1,6 +1 @@
-import { callPostApi } from "$lib/hooks";
-
-export const requestLogout = async () => {
-  const res = await callPostApi("/api/auth/logout");
-  return res.ok;
-};
+export { requestLogout } from "$lib/services/auth";
--- a/src/routes/api/auth/upgradeSession/+server.ts
+++ b/src/routes/api/auth/upgradeSession/+server.ts
@@ -15,12 +15,12 @@ export const POST: RequestHandler = async ({ locals, request }) => {
  if (!zodRes.success) error(400, "Invalid request body");
  const { encPubKey, sigPubKey } = zodRes.data;

-  const { challenge } = await createSessionUpgradeChallenge(
+  const { id, challenge } = await createSessionUpgradeChallenge(
    sessionId,
    userId,
    locals.ip,
    encPubKey,
    sigPubKey,
  );
-  return json(sessionUpgradeResponse.parse({ challenge } satisfies SessionUpgradeResponse));
+  return json(sessionUpgradeResponse.parse({ id, challenge } satisfies SessionUpgradeResponse));
 };
--- a/src/routes/api/auth/upgradeSession/verify/+server.ts
+++ b/src/routes/api/auth/upgradeSession/verify/+server.ts
@@ -5,12 +5,12 @@ import { verifySessionUpgradeChallenge } from "$lib/server/services/auth";
 import type { RequestHandler } from "./$types";

 export const POST: RequestHandler = async ({ locals, request }) => {
-  const { sessionId } = await authorize(locals, "notClient");
+  const { sessionId, userId } = await authorize(locals, "notClient");

  const zodRes = sessionUpgradeVerifyRequest.safeParse(await request.json());
  if (!zodRes.success) error(400, "Invalid request body");
-  const { answer, answerSig } = zodRes.data;
+  const { id, answerSig, force } = zodRes.data;

-  await verifySessionUpgradeChallenge(sessionId, locals.ip, answer, answerSig);
+  await verifySessionUpgradeChallenge(sessionId, userId, locals.ip, id, answerSig, force);
  return text("Session upgraded", { headers: { "Content-Type": "text/plain" } });
 };
--- a/src/routes/api/client/register/+server.ts
+++ b/src/routes/api/client/register/+server.ts
@@ -15,6 +15,6 @@ export const POST: RequestHandler = async ({ locals, request }) => {
  if (!zodRes.success) error(400, "Invalid request body");
  const { encPubKey, sigPubKey } = zodRes.data;

-  const { challenge } = await registerUserClient(userId, locals.ip, encPubKey, sigPubKey);
-  return json(clientRegisterResponse.parse({ challenge } satisfies ClientRegisterResponse));
+  const { id, challenge } = await registerUserClient(userId, locals.ip, encPubKey, sigPubKey);
+  return json(clientRegisterResponse.parse({ id, challenge } satisfies ClientRegisterResponse));
 };
--- a/src/routes/api/client/register/verify/+server.ts
+++ b/src/routes/api/client/register/verify/+server.ts
@@ -9,8 +9,8 @@ export const POST: RequestHandler = async ({ locals, request }) => {

  const zodRes = clientRegisterVerifyRequest.safeParse(await request.json());
  if (!zodRes.success) error(400, "Invalid request body");
-  const { answer, answerSig } = zodRes.data;
+  const { id, answerSig } = zodRes.data;

-  await verifyUserClient(userId, locals.ip, answer, answerSig);
+  await verifyUserClient(userId, locals.ip, id, answerSig);
  return text("Client verified", { headers: { "Content-Type": "text/plain" } });
 };
--- a/src/routes/api/file/[id]/thumbnail/+server.ts
+++ b/src/routes/api/file/[id]/thumbnail/+server.ts
@@ -0,0 +1,26 @@
+import { error, json } from "@sveltejs/kit";
+import { z } from "zod";
+import { authorize } from "$lib/server/modules/auth";
+import { fileThumbnailInfoResponse, type FileThumbnailInfoResponse } from "$lib/server/schemas";
+import { getFileThumbnailInformation } from "$lib/server/services/file";
+import type { RequestHandler } from "./$types";
+
+export const GET: RequestHandler = async ({ locals, params }) => {
+  const { userId } = await authorize(locals, "activeClient");
+
+  const zodRes = z
+    .object({
+      id: z.coerce.number().int().positive(),
+    })
+    .safeParse(params);
+  if (!zodRes.success) error(400, "Invalid path parameters");
+  const { id } = zodRes.data;
+
+  const { updatedAt, encContentIv } = await getFileThumbnailInformation(userId, id);
+  return json(
+    fileThumbnailInfoResponse.parse({
+      updatedAt: updatedAt.toISOString(),
+      contentIv: encContentIv,
+    } satisfies FileThumbnailInfoResponse),
+  );
+};
--- a/src/routes/api/file/[id]/thumbnail/download/+server.ts
+++ b/src/routes/api/file/[id]/thumbnail/download/+server.ts
@@ -0,0 +1,25 @@
+import { error } from "@sveltejs/kit";
+import { z } from "zod";
+import { authorize } from "$lib/server/modules/auth";
+import { getFileThumbnailStream } from "$lib/server/services/file";
+import type { RequestHandler } from "./$types";
+
+export const GET: RequestHandler = async ({ locals, params }) => {
+  const { userId } = await authorize(locals, "activeClient");
+
+  const zodRes = z
+    .object({
+      id: z.coerce.number().int().positive(),
+    })
+    .safeParse(params);
+  if (!zodRes.success) error(400, "Invalid path parameters");
+  const { id } = zodRes.data;
+
+  const { encContentStream, encContentSize } = await getFileThumbnailStream(userId, id);
+  return new Response(encContentStream as ReadableStream, {
+    headers: {
+      "Content-Type": "application/octet-stream",
+      "Content-Length": encContentSize.toString(),
+    },
+  });
+};
--- a/src/routes/api/file/[id]/thumbnail/upload/+server.ts
+++ b/src/routes/api/file/[id]/thumbnail/upload/+server.ts
@@ -0,0 +1,74 @@
+import Busboy from "@fastify/busboy";
+import { error, text } from "@sveltejs/kit";
+import { Readable, Writable } from "stream";
+import { z } from "zod";
+import { authorize } from "$lib/server/modules/auth";
+import { fileThumbnailUploadRequest, type FileThumbnailUploadRequest } from "$lib/server/schemas";
+import { uploadFileThumbnail } from "$lib/server/services/file";
+import type { RequestHandler } from "./$types";
+
+export const POST: RequestHandler = async ({ locals, params, request }) => {
+  const { userId } = await authorize(locals, "activeClient");
+
+  const zodRes = z
+    .object({
+      id: z.coerce.number().int().positive(),
+    })
+    .safeParse(params);
+  if (!zodRes.success) error(400, "Invalid path parameters");
+  const { id } = zodRes.data;
+
+  const contentType = request.headers.get("Content-Type");
+  if (!contentType?.startsWith("multipart/form-data") || !request.body) {
+    error(400, "Invalid request body");
+  }
+
+  return new Promise<Response>((resolve, reject) => {
+    const bb = Busboy({ headers: { "content-type": contentType } });
+    const handler =
+      <T extends unknown[]>(f: (...args: T) => Promise<void>) =>
+      (...args: T) => {
+        f(...args).catch(reject);
+      };
+
+    let metadata: FileThumbnailUploadRequest | null = null;
+    let content: Readable | null = null;
+    bb.on(
+      "field",
+      handler(async (fieldname, val) => {
+        if (fieldname === "metadata") {
+          // Ignore subsequent metadata fields
+          if (!metadata) {
+            const zodRes = fileThumbnailUploadRequest.safeParse(JSON.parse(val));
+            if (!zodRes.success) error(400, "Invalid request body");
+            metadata = zodRes.data;
+          }
+        } else {
+          error(400, "Invalid request body");
+        }
+      }),
+    );
+    bb.on(
+      "file",
+      handler(async (fieldname, file) => {
+        if (fieldname !== "content") error(400, "Invalid request body");
+        if (!metadata || content) error(400, "Invalid request body");
+        content = file;
+
+        await uploadFileThumbnail(
+          userId,
+          id,
+          new Date(metadata.dekVersion),
+          metadata.contentIv,
+          content,
+        );
+        resolve(text("Thumbnail uploaded", { headers: { "Content-Type": "text/plain" } }));
+      }),
+    );
+    bb.on("error", (e) => {
+      content?.emit("error", e) ?? reject(e);
+    });
+
+    request.body!.pipeTo(Writable.toWeb(bb)).catch(() => {}); // busboy will handle the error
+  });
+};
--- a/src/routes/api/file/list/+server.ts
+++ b/src/routes/api/file/list/+server.ts
@@ -0,0 +1,11 @@
+import { json } from "@sveltejs/kit";
+import { authorize } from "$lib/server/modules/auth";
+import { fileListResponse, type FileListResponse } from "$lib/server/schemas";
+import { getFileList } from "$lib/server/services/file";
+import type { RequestHandler } from "./$types";
+
+export const GET: RequestHandler = async ({ locals }) => {
+  const { userId } = await authorize(locals, "activeClient");
+  const { files } = await getFileList(userId);
+  return json(fileListResponse.parse({ files } satisfies FileListResponse));
+};
--- a/src/routes/api/file/scanMissingThumbnails/+server.ts
+++ b/src/routes/api/file/scanMissingThumbnails/+server.ts
@@ -0,0 +1,16 @@
+import { json } from "@sveltejs/kit";
+import { authorize } from "$lib/server/modules/auth";
+import {
+  missingThumbnailFileScanResponse,
+  type MissingThumbnailFileScanResponse,
+} from "$lib/server/schemas/file";
+import { scanMissingFileThumbnails } from "$lib/server/services/file";
+import type { RequestHandler } from "./$types";
+
+export const POST: RequestHandler = async ({ locals }) => {
+  const { userId } = await authorize(locals, "activeClient");
+  const { files } = await scanMissingFileThumbnails(userId);
+  return json(
+    missingThumbnailFileScanResponse.parse({ files } satisfies MissingThumbnailFileScanResponse),
+  );
+};
				`@@ -0,0 +1 @@`
				`export { requestFileThumbnailDownload } from "$lib/services/file";`