Merge pull request #13 from kmc7468/dev

v0.5.1
Merge pull request #12 from kmc7468/dev
2026-02-04 08:06:56 +00:00 · 2025-07-12 19:56:12 +09:00 · 2025-07-12 06:01:08 +09:00 · 2025-01-30 21:06:50 +09:00 · 2025-01-18 13:29:09 +09:00 · 2025-01-13 03:53:14 +09:00
99 changed files with 3162 additions and 2464 deletions
--- a/8
+++ b/8
@@ -2,7 +2,11 @@
 FROM node:22-alpine AS base
 WORKDIR /app

-RUN npm install -g pnpm@10
+RUN apk add --no-cache bash curl && \
+    curl -o /usr/local/bin/wait-for-it https://raw.githubusercontent.com/vishnubob/wait-for-it/master/wait-for-it.sh && \
+    chmod +x /usr/local/bin/wait-for-it
+
+RUN npm install -g pnpm@9
 COPY pnpm-lock.yaml .

 # Build Stage
@@ -25,4 +29,4 @@ COPY --from=build /app/build ./build

 EXPOSE 3000
 ENV BODY_SIZE_LIMIT=Infinity
-CMD ["node", "./build/index.js"]
+CMD ["bash", "-c", "wait-for-it ${DATABASE_HOST:-localhost}:${DATABASE_PORT:-5432} -- node ./build/index.js"]
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -3,8 +3,7 @@ services:
    build: .
    restart: unless-stopped
    depends_on:
-      database:
-        condition: service_healthy
+      - database
    user: ${CONTAINER_UID:-0}:${CONTAINER_GID:-0}
    volumes:
      - ./data/library:/app/data/library
@@ -36,8 +35,3 @@ services:
    environment:
      - POSTGRES_USER=arkvault
      - POSTGRES_PASSWORD=${DATABASE_PASSWORD:?}
-    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U $${POSTGRES_USER}"]
-      interval: 5s
-      timeout: 5s
-      retries: 5
--- a/package.json
+++ b/package.json
@@ -16,56 +16,53 @@
    "db:migrate": "kysely migrate"
  },
  "devDependencies": {
-    "@eslint/compat": "^1.4.1",
-    "@iconify-json/material-symbols": "^1.2.50",
-    "@sveltejs/adapter-node": "^5.4.0",
-    "@sveltejs/kit": "^2.49.2",
-    "@sveltejs/vite-plugin-svelte": "^6.2.1",
-    "@trpc/client": "^11.8.1",
+    "@eslint/compat": "^1.3.1",
+    "@iconify-json/material-symbols": "^1.2.29",
+    "@sveltejs/adapter-node": "^5.2.13",
+    "@sveltejs/kit": "^2.22.5",
+    "@sveltejs/vite-plugin-svelte": "^4.0.4",
    "@types/file-saver": "^2.0.7",
    "@types/ms": "^0.7.34",
    "@types/node-schedule": "^2.1.8",
-    "@types/pg": "^8.16.0",
-    "autoprefixer": "^10.4.23",
-    "axios": "^1.13.2",
-    "dexie": "^4.2.1",
-    "eslint": "^9.39.2",
-    "eslint-config-prettier": "^10.1.8",
-    "eslint-plugin-svelte": "^3.13.1",
-    "eslint-plugin-tailwindcss": "^3.18.2",
-    "exifreader": "^4.33.1",
+    "@types/pg": "^8.15.4",
+    "autoprefixer": "^10.4.21",
+    "axios": "^1.10.0",
+    "dexie": "^4.0.11",
+    "eslint": "^9.30.1",
+    "eslint-config-prettier": "^10.1.5",
+    "eslint-plugin-svelte": "^3.10.1",
+    "eslint-plugin-tailwindcss": "^3.18.0",
+    "exifreader": "^4.31.1",
    "file-saver": "^2.0.5",
-    "globals": "^16.5.0",
+    "globals": "^16.3.0",
    "heic2any": "^0.0.4",
-    "kysely-ctl": "^0.19.0",
-    "lru-cache": "^11.2.4",
-    "mime": "^4.1.0",
-    "p-limit": "^7.2.0",
-    "prettier": "^3.7.4",
-    "prettier-plugin-svelte": "^3.4.1",
-    "prettier-plugin-tailwindcss": "^0.7.2",
-    "svelte": "^5.46.1",
-    "svelte-check": "^4.3.5",
-    "tailwindcss": "^3.4.19",
-    "typescript": "^5.9.3",
-    "typescript-eslint": "^8.50.1",
-    "unplugin-icons": "^22.5.0",
-    "vite": "^7.3.0"
+    "kysely-ctl": "^0.13.1",
+    "lru-cache": "^11.1.0",
+    "mime": "^4.0.7",
+    "p-limit": "^6.2.0",
+    "prettier": "^3.6.2",
+    "prettier-plugin-svelte": "^3.4.0",
+    "prettier-plugin-tailwindcss": "^0.6.14",
+    "svelte": "^5.35.6",
+    "svelte-check": "^4.2.2",
+    "tailwindcss": "^3.4.17",
+    "typescript": "^5.8.3",
+    "typescript-eslint": "^8.36.0",
+    "unplugin-icons": "^22.1.0",
+    "vite": "^5.4.19"
  },
  "dependencies": {
-    "@fastify/busboy": "^3.2.0",
-    "@trpc/server": "^11.8.1",
-    "argon2": "^0.44.0",
-    "kysely": "^0.28.9",
+    "@fastify/busboy": "^3.1.1",
+    "argon2": "^0.43.0",
+    "kysely": "^0.28.2",
    "ms": "^2.1.3",
    "node-schedule": "^2.1.1",
    "pg": "^8.16.3",
-    "superjson": "^2.2.6",
-    "uuid": "^13.0.0",
-    "zod": "^4.2.1"
+    "uuid": "^11.1.0",
+    "zod": "^3.25.76"
  },
  "engines": {
    "node": "^22.0.0",
-    "pnpm": "^10.0.0"
+    "pnpm": "^9.0.0"
  }
 }
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
--- a/src/lib/components/organisms/Category/File.svelte
+++ b/src/lib/components/organisms/Category/File.svelte
@@ -32,7 +32,7 @@
  };

  $effect(() => {
-    if ($info) {
+    if ($info?.dataKey) {
      requestFileThumbnailDownload($info.id, $info.dataKey)
        .then((thumbnailUrl) => {
          thumbnail = thumbnailUrl ?? undefined;
--- a/src/lib/hooks/callApi.ts
+++ b/src/lib/hooks/callApi.ts
@@ -0,0 +1,11 @@
+export const callGetApi = async (input: RequestInfo, fetchInternal = fetch) => {
+  return await fetchInternal(input);
+};
+
+export const callPostApi = async <T>(input: RequestInfo, payload?: T, fetchInternal = fetch) => {
+  return await fetchInternal(input, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: payload ? JSON.stringify(payload) : undefined,
+  });
+};
--- a/src/lib/hooks/gotoStateful.ts
+++ b/src/lib/hooks/gotoStateful.ts
--- a/src/lib/hooks/index.ts
+++ b/src/lib/hooks/index.ts
@@ -1 +1,2 @@
+export * from "./callApi";
 export * from "./gotoStateful";
--- a/src/lib/modules/file/upload.ts
+++ b/src/lib/modules/file/upload.ts
@@ -13,6 +13,8 @@ import {
 } from "$lib/modules/crypto";
 import { generateThumbnail } from "$lib/modules/thumbnail";
 import type {
+  DuplicateFileScanRequest,
+  DuplicateFileScanResponse,
  FileThumbnailUploadRequest,
  FileUploadRequest,
  FileUploadResponse,
@@ -23,17 +25,18 @@ import {
  type HmacSecret,
  type FileUploadStatus,
 } from "$lib/stores";
-import { trpc } from "$trpc/client";

 const requestDuplicateFileScan = limitFunction(
  async (file: File, hmacSecret: HmacSecret, onDuplicate: () => Promise<boolean>) => {
    const fileBuffer = await file.arrayBuffer();
    const fileSigned = encodeToBase64(await signMessageHmac(fileBuffer, hmacSecret.secret));

-    const files = await trpc().file.listByHash.query({
+    const res = await axios.post("/api/file/scanDuplicates", {
      hskVersion: hmacSecret.version,
      contentHmac: fileSigned,
-    });
+    } satisfies DuplicateFileScanRequest);
+    const { files }: DuplicateFileScanResponse = res.data;
+
    if (files.length === 0 || (await onDuplicate())) {
      return { fileBuffer, fileSigned };
    } else {
--- a/src/lib/modules/filesystem.ts
+++ b/src/lib/modules/filesystem.ts
@@ -1,5 +1,5 @@
-import { TRPCClientError } from "@trpc/client";
 import { get, writable, type Writable } from "svelte/store";
+import { callGetApi } from "$lib/hooks";
 import {
  getDirectoryInfos as getDirectoryInfosFromIndexedDB,
  getDirectoryInfo as getDirectoryInfoFromIndexedDB,
@@ -18,7 +18,12 @@ import {
  type CategoryId,
 } from "$lib/indexedDB";
 import { unwrapDataKey, decryptString } from "$lib/modules/crypto";
-import { trpc } from "$trpc/client";
+import type {
+  CategoryInfoResponse,
+  CategoryFileListResponse,
+  DirectoryInfoResponse,
+  FileInfoResponse,
+} from "$lib/server/schemas";

 export type DirectoryInfo =
  | {
@@ -101,19 +106,20 @@ const fetchDirectoryInfoFromServer = async (
  info: Writable<DirectoryInfo | null>,
  masterKey: CryptoKey,
 ) => {
-  let data;
-  try {
-    data = await trpc().directory.get.query({ id });
-  } catch (e) {
-    if (e instanceof TRPCClientError && e.data?.code === "NOT_FOUND") {
-      info.set(null);
-      await deleteDirectoryInfo(id as number);
-      return;
-    }
+  const res = await callGetApi(`/api/directory/${id}`);
+  if (res.status === 404) {
+    info.set(null);
+    await deleteDirectoryInfo(id as number);
+    return;
+  } else if (!res.ok) {
    throw new Error("Failed to fetch directory information");
  }

-  const { metadata, subDirectories: subDirectoryIds, files: fileIds } = data;
+  const {
+    metadata,
+    subDirectories: subDirectoryIds,
+    files: fileIds,
+  }: DirectoryInfoResponse = await res.json();

  if (id === "root") {
    info.set({ id, subDirectoryIds, fileIds });
@@ -173,17 +179,16 @@ const fetchFileInfoFromServer = async (
  info: Writable<FileInfo | null>,
  masterKey: CryptoKey,
 ) => {
-  let metadata;
-  try {
-    metadata = await trpc().file.get.query({ id });
-  } catch (e) {
-    if (e instanceof TRPCClientError && e.data?.code === "NOT_FOUND") {
-      info.set(null);
-      await deleteFileInfo(id);
-      return;
-    }
+  const res = await callGetApi(`/api/file/${id}`);
+  if (res.status === 404) {
+    info.set(null);
+    await deleteFileInfo(id);
+    return;
+  } else if (!res.ok) {
    throw new Error("Failed to fetch file information");
  }
+
+  const metadata: FileInfoResponse = await res.json();
  const { dataKey } = await unwrapDataKey(metadata.dek, masterKey);

  const name = await decryptString(metadata.name, metadata.nameIv, dataKey);
@@ -268,19 +273,16 @@ const fetchCategoryInfoFromServer = async (
  info: Writable<CategoryInfo | null>,
  masterKey: CryptoKey,
 ) => {
-  let data;
-  try {
-    data = await trpc().category.get.query({ id });
-  } catch (e) {
-    if (e instanceof TRPCClientError && e.data?.code === "NOT_FOUND") {
-      info.set(null);
-      await deleteCategoryInfo(id as number);
-      return;
-    }
+  let res = await callGetApi(`/api/category/${id}`);
+  if (res.status === 404) {
+    info.set(null);
+    await deleteCategoryInfo(id as number);
+    return;
+  } else if (!res.ok) {
    throw new Error("Failed to fetch category information");
  }

-  const { metadata, subCategories } = data;
+  const { metadata, subCategories }: CategoryInfoResponse = await res.json();

  if (id === "root") {
    info.set({ id, subCategoryIds: subCategories });
@@ -288,13 +290,12 @@ const fetchCategoryInfoFromServer = async (
    const { dataKey } = await unwrapDataKey(metadata!.dek, masterKey);
    const name = await decryptString(metadata!.name, metadata!.nameIv, dataKey);

-    let files;
-    try {
-      files = await trpc().category.files.query({ id, recurse: true });
-    } catch {
+    res = await callGetApi(`/api/category/${id}/file/list?recurse=true`);
+    if (!res.ok) {
      throw new Error("Failed to fetch category files");
    }

+    const { files }: CategoryFileListResponse = await res.json();
    const filesMapped = files.map(({ file, isRecursive }) => ({ id: file, isRecursive }));
    let isFileRecursive: boolean | undefined = undefined;

--- a/src/lib/modules/key.ts
+++ b/src/lib/modules/key.ts
@@ -5,14 +5,14 @@ import type { ClientKeys } from "$lib/stores";
 const serializedClientKeysSchema = z.intersection(
  z.object({
    generator: z.literal("ArkVault"),
-    exportedAt: z.iso.datetime(),
+    exportedAt: z.string().datetime(),
  }),
  z.object({
    version: z.literal(1),
-    encryptKey: z.base64().nonempty(),
-    decryptKey: z.base64().nonempty(),
-    signKey: z.base64().nonempty(),
-    verifyKey: z.base64().nonempty(),
+    encryptKey: z.string().base64().nonempty(),
+    decryptKey: z.string().base64().nonempty(),
+    signKey: z.string().base64().nonempty(),
+    verifyKey: z.string().base64().nonempty(),
  }),
 );

--- a/src/lib/modules/thumbnail.ts
+++ b/src/lib/modules/thumbnail.ts
@@ -67,15 +67,10 @@ const generateVideoThumbnail = (videoUrl: string, time = 0) => {
  return new Promise<Blob>((resolve, reject) => {
    const video = document.createElement("video");
    video.onloadedmetadata = () => {
-      if (video.videoWidth === 0 || video.videoHeight === 0) {
-        return reject();
-      }
-
-      const callbackId = video.requestVideoFrameCallback(() => {
-        captureVideoThumbnail(video).then(resolve).catch(reject);
-        video.cancelVideoFrameCallback(callbackId);
-      });
      video.currentTime = Math.min(time, video.duration);
+      video.requestVideoFrameCallback(() => {
+        captureVideoThumbnail(video).then(resolve).catch(reject);
+      });
    };
    video.onerror = reject;

--- a/src/lib/server/db/client.ts
+++ b/src/lib/server/db/client.ts
@@ -98,6 +98,22 @@ export const createUserClient = async (userId: number, clientId: number) => {
  }
 };

+export const getAllUserClients = async (userId: number) => {
+  const userClients = await db
+    .selectFrom("user_client")
+    .selectAll()
+    .where("user_id", "=", userId)
+    .execute();
+  return userClients.map(
+    ({ user_id, client_id, state }) =>
+      ({
+        userId: user_id,
+        clientId: client_id,
+        state,
+      }) satisfies UserClient,
+  );
+};
+
 export const getUserClient = async (userId: number, clientId: number) => {
  const userClient = await db
    .selectFrom("user_client")
--- a/src/lib/server/db/index.ts
+++ b/src/lib/server/db/index.ts
@@ -1,10 +0,0 @@
-export * as CategoryRepo from "./category";
-export * as ClientRepo from "./client";
-export * as FileRepo from "./file";
-export * as HskRepo from "./hsk";
-export * as MediaRepo from "./media";
-export * as MekRepo from "./mek";
-export * as SessionRepo from "./session";
-export * as UserRepo from "./user";
-
-export * from "./error";
--- a/src/lib/server/db/mek.ts
+++ b/src/lib/server/db/mek.ts
@@ -60,6 +60,19 @@ export const registerInitialMek = async (
  });
 };

+export const getInitialMek = async (userId: number) => {
+  const mek = await db
+    .selectFrom("master_encryption_key")
+    .selectAll()
+    .where("user_id", "=", userId)
+    .where("version", "=", 1)
+    .limit(1)
+    .executeTakeFirst();
+  return mek
+    ? ({ userId: mek.user_id, version: mek.version, state: mek.state } satisfies Mek)
+    : null;
+};
+
 export const getAllValidClientMeks = async (userId: number, clientId: number) => {
  const clientMeks = await db
    .selectFrom("client_master_encryption_key")
--- a/src/lib/server/db/user.ts
+++ b/src/lib/server/db/user.ts
@@ -27,6 +27,10 @@ export const getUserByEmail = async (email: string) => {
  return user ? (user satisfies User) : null;
 };

+export const setUserNickname = async (userId: number, nickname: string) => {
+  await db.updateTable("user").set({ nickname }).where("id", "=", userId).execute();
+};
+
 export const setUserPassword = async (userId: number, password: string) => {
  await db.updateTable("user").set({ password }).where("id", "=", userId).execute();
 };
--- a/src/lib/server/middlewares/authenticate.ts
+++ b/src/lib/server/middlewares/authenticate.ts
@@ -1,7 +1,13 @@
 import { error, redirect, type Handle } from "@sveltejs/kit";
-import { cookieOptions, authenticate, AuthenticationError } from "$lib/server/modules/auth";
+import env from "$lib/server/loadenv";
+import { authenticate, AuthenticationError } from "$lib/server/modules/auth";

 export const authenticateMiddleware: Handle = async ({ event, resolve }) => {
+  const { pathname, search } = event.url;
+  if (pathname === "/api/auth/login") {
+    return await resolve(event);
+  }
+
  try {
    const sessionIdSigned = event.cookies.get("sessionId");
    if (!sessionIdSigned) {
@@ -10,11 +16,15 @@ export const authenticateMiddleware: Handle = async ({ event, resolve }) => {

    const { ip, userAgent } = event.locals;
    event.locals.session = await authenticate(sessionIdSigned, ip, userAgent);
-    event.cookies.set("sessionId", sessionIdSigned, cookieOptions);
+    event.cookies.set("sessionId", sessionIdSigned, {
+      path: "/",
+      maxAge: env.session.exp / 1000,
+      secure: true,
+      sameSite: "strict",
+    });
  } catch (e) {
    if (e instanceof AuthenticationError) {
-      const { pathname, search } = event.url;
-      if (pathname === "/auth/login" || pathname.startsWith("/api/trpc")) {
+      if (pathname === "/auth/login") {
        return await resolve(event);
      } else if (pathname.startsWith("/api")) {
        error(e.status, e.message);
--- a/src/lib/server/modules/auth.ts
+++ b/src/lib/server/modules/auth.ts
@@ -1,25 +1,20 @@
 import { error } from "@sveltejs/kit";
-import { ClientRepo, SessionRepo, IntegrityError } from "$lib/server/db";
+import { getUserClient } from "$lib/server/db/client";
+import { IntegrityError } from "$lib/server/db/error";
+import { createSession, refreshSession } from "$lib/server/db/session";
 import env from "$lib/server/loadenv";
-import { verifySessionId } from "$lib/server/modules/crypto";
+import { issueSessionId, verifySessionId } from "$lib/server/modules/crypto";

-export interface Session {
+interface Session {
  sessionId: string;
  userId: number;
  clientId?: number;
 }

-export interface ClientSession extends Session {
+interface ClientSession extends Session {
  clientId: number;
 }

-export type SessionPermission =
-  | "any"
-  | "notClient"
-  | "anyClient"
-  | "pendingClient"
-  | "activeClient";
-
 export class AuthenticationError extends Error {
  constructor(
    public status: 400 | 401,
@@ -30,22 +25,11 @@ export class AuthenticationError extends Error {
  }
 }

-export class AuthorizationError extends Error {
-  constructor(
-    public status: 403 | 500,
-    message: string,
-  ) {
-    super(message);
-    this.name = "AuthorizationError";
-  }
-}
-
-export const cookieOptions = {
-  path: "/",
-  maxAge: env.session.exp / 1000,
-  secure: true,
-  sameSite: "strict",
-} as const;
+export const startSession = async (userId: number, ip: string, userAgent: string) => {
+  const { sessionId, sessionIdSigned } = await issueSessionId(32, env.session.secret);
+  await createSession(userId, sessionId, ip, userAgent);
+  return sessionIdSigned;
+};

 export const authenticate = async (sessionIdSigned: string, ip: string, userAgent: string) => {
  const sessionId = verifySessionId(sessionIdSigned, env.session.secret);
@@ -54,7 +38,7 @@ export const authenticate = async (sessionIdSigned: string, ip: string, userAgen
  }

  try {
-    const { userId, clientId } = await SessionRepo.refreshSession(sessionId, ip, userAgent);
+    const { userId, clientId } = await refreshSession(sessionId, ip, userAgent);
    return {
      id: sessionId,
      userId,
@@ -68,12 +52,34 @@ export const authenticate = async (sessionIdSigned: string, ip: string, userAgen
  }
 };

-export const authorizeInternal = async (
+export async function authorize(locals: App.Locals, requiredPermission: "any"): Promise<Session>;
+
+export async function authorize(
  locals: App.Locals,
-  requiredPermission: SessionPermission,
-): Promise<Session> => {
+  requiredPermission: "notClient",
+): Promise<Session>;
+
+export async function authorize(
+  locals: App.Locals,
+  requiredPermission: "anyClient",
+): Promise<ClientSession>;
+
+export async function authorize(
+  locals: App.Locals,
+  requiredPermission: "pendingClient",
+): Promise<ClientSession>;
+
+export async function authorize(
+  locals: App.Locals,
+  requiredPermission: "activeClient",
+): Promise<ClientSession>;
+
+export async function authorize(
+  locals: App.Locals,
+  requiredPermission: "any" | "notClient" | "anyClient" | "pendingClient" | "activeClient",
+): Promise<Session> {
  if (!locals.session) {
-    throw new AuthorizationError(500, "Unauthenticated");
+    error(500, "Unauthenticated");
  }

  const { id: sessionId, userId, clientId } = locals.session;
@@ -83,63 +89,39 @@ export const authorizeInternal = async (
      break;
    case "notClient":
      if (clientId) {
-        throw new AuthorizationError(403, "Forbidden");
+        error(403, "Forbidden");
      }
      break;
    case "anyClient":
      if (!clientId) {
-        throw new AuthorizationError(403, "Forbidden");
+        error(403, "Forbidden");
      }
      break;
    case "pendingClient": {
      if (!clientId) {
-        throw new AuthorizationError(403, "Forbidden");
+        error(403, "Forbidden");
      }
-      const userClient = await ClientRepo.getUserClient(userId, clientId);
+      const userClient = await getUserClient(userId, clientId);
      if (!userClient) {
-        throw new AuthorizationError(500, "Invalid session id");
+        error(500, "Invalid session id");
      } else if (userClient.state !== "pending") {
-        throw new AuthorizationError(403, "Forbidden");
+        error(403, "Forbidden");
      }
      break;
    }
    case "activeClient": {
      if (!clientId) {
-        throw new AuthorizationError(403, "Forbidden");
+        error(403, "Forbidden");
      }
-      const userClient = await ClientRepo.getUserClient(userId, clientId);
+      const userClient = await getUserClient(userId, clientId);
      if (!userClient) {
-        throw new AuthorizationError(500, "Invalid session id");
+        error(500, "Invalid session id");
      } else if (userClient.state !== "active") {
-        throw new AuthorizationError(403, "Forbidden");
+        error(403, "Forbidden");
      }
      break;
    }
  }

  return { sessionId, userId, clientId };
-};
-
-export async function authorize(
-  locals: App.Locals,
-  requiredPermission: "any" | "notClient",
-): Promise<Session>;
-
-export async function authorize(
-  locals: App.Locals,
-  requiredPermission: "anyClient" | "pendingClient" | "activeClient",
-): Promise<ClientSession>;
-
-export async function authorize(
-  locals: App.Locals,
-  requiredPermission: SessionPermission,
-): Promise<Session> {
-  try {
-    return await authorizeInternal(locals, requiredPermission);
-  } catch (e) {
-    if (e instanceof AuthorizationError) {
-      error(e.status, e.message);
-    }
-    throw e;
-  }
 }
--- a/src/lib/server/modules/filesystem.ts
+++ b/src/lib/server/modules/filesystem.ts
@@ -1,7 +0,0 @@
-import { unlink } from "fs/promises";
-
-export const safeUnlink = async (path: string | null | undefined) => {
-  if (path) {
-    await unlink(path).catch(console.error);
-  }
-};
--- a/src/lib/server/modules/mek.ts
+++ b/src/lib/server/modules/mek.ts
@@ -0,0 +1,25 @@
+import { error } from "@sveltejs/kit";
+import { getUserClientWithDetails } from "$lib/server/db/client";
+import { getInitialMek } from "$lib/server/db/mek";
+import { verifySignature } from "$lib/server/modules/crypto";
+
+export const isInitialMekNeeded = async (userId: number) => {
+  const initialMek = await getInitialMek(userId);
+  return !initialMek;
+};
+
+export const verifyClientEncMekSig = async (
+  userId: number,
+  clientId: number,
+  version: number,
+  encMek: string,
+  encMekSig: string,
+) => {
+  const userClient = await getUserClientWithDetails(userId, clientId);
+  if (!userClient) {
+    error(500, "Invalid session id");
+  }
+
+  const data = JSON.stringify({ version, key: encMek });
+  return verifySignature(Buffer.from(data), encMekSig, userClient.sigPubKey);
+};
--- a/src/lib/server/schemas/auth.ts
+++ b/src/lib/server/schemas/auth.ts
@@ -0,0 +1,32 @@
+import { z } from "zod";
+
+export const passwordChangeRequest = z.object({
+  oldPassword: z.string().trim().nonempty(),
+  newPassword: z.string().trim().nonempty(),
+});
+export type PasswordChangeRequest = z.input<typeof passwordChangeRequest>;
+
+export const loginRequest = z.object({
+  email: z.string().email(),
+  password: z.string().trim().nonempty(),
+});
+export type LoginRequest = z.input<typeof loginRequest>;
+
+export const sessionUpgradeRequest = z.object({
+  encPubKey: z.string().base64().nonempty(),
+  sigPubKey: z.string().base64().nonempty(),
+});
+export type SessionUpgradeRequest = z.input<typeof sessionUpgradeRequest>;
+
+export const sessionUpgradeResponse = z.object({
+  id: z.number().int().positive(),
+  challenge: z.string().base64().nonempty(),
+});
+export type SessionUpgradeResponse = z.output<typeof sessionUpgradeResponse>;
+
+export const sessionUpgradeVerifyRequest = z.object({
+  id: z.number().int().positive(),
+  answerSig: z.string().base64().nonempty(),
+  force: z.boolean().default(false),
+});
+export type SessionUpgradeVerifyRequest = z.input<typeof sessionUpgradeVerifyRequest>;
--- a/src/lib/server/schemas/category.ts
+++ b/src/lib/server/schemas/category.ts
@@ -1,3 +1,55 @@
 import { z } from "zod";

-export const categoryIdSchema = z.union([z.literal("root"), z.int().positive()]);
+export const categoryIdSchema = z.union([z.literal("root"), z.number().int().positive()]);
+
+export const categoryInfoResponse = z.object({
+  metadata: z
+    .object({
+      parent: categoryIdSchema,
+      mekVersion: z.number().int().positive(),
+      dek: z.string().base64().nonempty(),
+      dekVersion: z.string().datetime(),
+      name: z.string().base64().nonempty(),
+      nameIv: z.string().base64().nonempty(),
+    })
+    .optional(),
+  subCategories: z.number().int().positive().array(),
+});
+export type CategoryInfoResponse = z.output<typeof categoryInfoResponse>;
+
+export const categoryFileAddRequest = z.object({
+  file: z.number().int().positive(),
+});
+export type CategoryFileAddRequest = z.input<typeof categoryFileAddRequest>;
+
+export const categoryFileListResponse = z.object({
+  files: z.array(
+    z.object({
+      file: z.number().int().positive(),
+      isRecursive: z.boolean(),
+    }),
+  ),
+});
+export type CategoryFileListResponse = z.output<typeof categoryFileListResponse>;
+
+export const categoryFileRemoveRequest = z.object({
+  file: z.number().int().positive(),
+});
+export type CategoryFileRemoveRequest = z.input<typeof categoryFileRemoveRequest>;
+
+export const categoryRenameRequest = z.object({
+  dekVersion: z.string().datetime(),
+  name: z.string().base64().nonempty(),
+  nameIv: z.string().base64().nonempty(),
+});
+export type CategoryRenameRequest = z.input<typeof categoryRenameRequest>;
+
+export const categoryCreateRequest = z.object({
+  parent: categoryIdSchema,
+  mekVersion: z.number().int().positive(),
+  dek: z.string().base64().nonempty(),
+  dekVersion: z.string().datetime(),
+  name: z.string().base64().nonempty(),
+  nameIv: z.string().base64().nonempty(),
+});
+export type CategoryCreateRequest = z.input<typeof categoryCreateRequest>;
--- a/src/lib/server/schemas/client.ts
+++ b/src/lib/server/schemas/client.ts
@@ -0,0 +1,36 @@
+import { z } from "zod";
+
+export const clientListResponse = z.object({
+  clients: z.array(
+    z.object({
+      id: z.number().int().positive(),
+      state: z.enum(["pending", "active"]),
+    }),
+  ),
+});
+export type ClientListResponse = z.output<typeof clientListResponse>;
+
+export const clientRegisterRequest = z.object({
+  encPubKey: z.string().base64().nonempty(),
+  sigPubKey: z.string().base64().nonempty(),
+});
+export type ClientRegisterRequest = z.input<typeof clientRegisterRequest>;
+
+export const clientRegisterResponse = z.object({
+  id: z.number().int().positive(),
+  challenge: z.string().base64().nonempty(),
+});
+export type ClientRegisterResponse = z.output<typeof clientRegisterResponse>;
+
+export const clientRegisterVerifyRequest = z.object({
+  id: z.number().int().positive(),
+  answerSig: z.string().base64().nonempty(),
+});
+export type ClientRegisterVerifyRequest = z.input<typeof clientRegisterVerifyRequest>;
+
+export const clientStatusResponse = z.object({
+  id: z.number().int().positive(),
+  state: z.enum(["pending", "active"]),
+  isInitialMekNeeded: z.boolean(),
+});
+export type ClientStatusResponse = z.output<typeof clientStatusResponse>;
--- a/src/lib/server/schemas/directory.ts
+++ b/src/lib/server/schemas/directory.ts
@@ -1,3 +1,41 @@
 import { z } from "zod";

-export const directoryIdSchema = z.union([z.literal("root"), z.int().positive()]);
+export const directoryIdSchema = z.union([z.literal("root"), z.number().int().positive()]);
+
+export const directoryInfoResponse = z.object({
+  metadata: z
+    .object({
+      parent: directoryIdSchema,
+      mekVersion: z.number().int().positive(),
+      dek: z.string().base64().nonempty(),
+      dekVersion: z.string().datetime(),
+      name: z.string().base64().nonempty(),
+      nameIv: z.string().base64().nonempty(),
+    })
+    .optional(),
+  subDirectories: z.number().int().positive().array(),
+  files: z.number().int().positive().array(),
+});
+export type DirectoryInfoResponse = z.output<typeof directoryInfoResponse>;
+
+export const directoryDeleteResponse = z.object({
+  deletedFiles: z.number().int().positive().array(),
+});
+export type DirectoryDeleteResponse = z.output<typeof directoryDeleteResponse>;
+
+export const directoryRenameRequest = z.object({
+  dekVersion: z.string().datetime(),
+  name: z.string().base64().nonempty(),
+  nameIv: z.string().base64().nonempty(),
+});
+export type DirectoryRenameRequest = z.input<typeof directoryRenameRequest>;
+
+export const directoryCreateRequest = z.object({
+  parent: directoryIdSchema,
+  mekVersion: z.number().int().positive(),
+  dek: z.string().base64().nonempty(),
+  dekVersion: z.string().datetime(),
+  name: z.string().base64().nonempty(),
+  nameIv: z.string().base64().nonempty(),
+});
+export type DirectoryCreateRequest = z.input<typeof directoryCreateRequest>;
--- a/src/lib/server/schemas/file.ts
+++ b/src/lib/server/schemas/file.ts
@@ -2,35 +2,90 @@ import mime from "mime";
 import { z } from "zod";
 import { directoryIdSchema } from "./directory";

-export const fileThumbnailUploadRequest = z.object({
-  dekVersion: z.iso.datetime(),
-  contentIv: z.base64().nonempty(),
-});
-export type FileThumbnailUploadRequest = z.input<typeof fileThumbnailUploadRequest>;
-
-export const fileUploadRequest = z.object({
+export const fileInfoResponse = z.object({
  parent: directoryIdSchema,
-  mekVersion: z.int().positive(),
-  dek: z.base64().nonempty(),
-  dekVersion: z.iso.datetime(),
-  hskVersion: z.int().positive(),
-  contentHmac: z.base64().nonempty(),
+  mekVersion: z.number().int().positive(),
+  dek: z.string().base64().nonempty(),
+  dekVersion: z.string().datetime(),
  contentType: z
    .string()
    .trim()
    .nonempty()
    .refine((value) => mime.getExtension(value) !== null), // MIME type
-  contentIv: z.base64().nonempty(),
-  name: z.base64().nonempty(),
-  nameIv: z.base64().nonempty(),
-  createdAt: z.base64().nonempty().optional(),
-  createdAtIv: z.base64().nonempty().optional(),
-  lastModifiedAt: z.base64().nonempty(),
-  lastModifiedAtIv: z.base64().nonempty(),
+  contentIv: z.string().base64().nonempty(),
+  name: z.string().base64().nonempty(),
+  nameIv: z.string().base64().nonempty(),
+  createdAt: z.string().base64().nonempty().optional(),
+  createdAtIv: z.string().base64().nonempty().optional(),
+  lastModifiedAt: z.string().base64().nonempty(),
+  lastModifiedAtIv: z.string().base64().nonempty(),
+  categories: z.number().int().positive().array(),
+});
+export type FileInfoResponse = z.output<typeof fileInfoResponse>;
+
+export const fileRenameRequest = z.object({
+  dekVersion: z.string().datetime(),
+  name: z.string().base64().nonempty(),
+  nameIv: z.string().base64().nonempty(),
+});
+export type FileRenameRequest = z.input<typeof fileRenameRequest>;
+
+export const fileThumbnailInfoResponse = z.object({
+  updatedAt: z.string().datetime(),
+  contentIv: z.string().base64().nonempty(),
+});
+export type FileThumbnailInfoResponse = z.output<typeof fileThumbnailInfoResponse>;
+
+export const fileThumbnailUploadRequest = z.object({
+  dekVersion: z.string().datetime(),
+  contentIv: z.string().base64().nonempty(),
+});
+export type FileThumbnailUploadRequest = z.input<typeof fileThumbnailUploadRequest>;
+
+export const fileListResponse = z.object({
+  files: z.number().int().positive().array(),
+});
+export type FileListResponse = z.output<typeof fileListResponse>;
+
+export const duplicateFileScanRequest = z.object({
+  hskVersion: z.number().int().positive(),
+  contentHmac: z.string().base64().nonempty(),
+});
+export type DuplicateFileScanRequest = z.input<typeof duplicateFileScanRequest>;
+
+export const duplicateFileScanResponse = z.object({
+  files: z.number().int().positive().array(),
+});
+export type DuplicateFileScanResponse = z.output<typeof duplicateFileScanResponse>;
+
+export const missingThumbnailFileScanResponse = z.object({
+  files: z.number().int().positive().array(),
+});
+export type MissingThumbnailFileScanResponse = z.output<typeof missingThumbnailFileScanResponse>;
+
+export const fileUploadRequest = z.object({
+  parent: directoryIdSchema,
+  mekVersion: z.number().int().positive(),
+  dek: z.string().base64().nonempty(),
+  dekVersion: z.string().datetime(),
+  hskVersion: z.number().int().positive(),
+  contentHmac: z.string().base64().nonempty(),
+  contentType: z
+    .string()
+    .trim()
+    .nonempty()
+    .refine((value) => mime.getExtension(value) !== null), // MIME type
+  contentIv: z.string().base64().nonempty(),
+  name: z.string().base64().nonempty(),
+  nameIv: z.string().base64().nonempty(),
+  createdAt: z.string().base64().nonempty().optional(),
+  createdAtIv: z.string().base64().nonempty().optional(),
+  lastModifiedAt: z.string().base64().nonempty(),
+  lastModifiedAtIv: z.string().base64().nonempty(),
 });
 export type FileUploadRequest = z.input<typeof fileUploadRequest>;

 export const fileUploadResponse = z.object({
-  file: z.int().positive(),
+  file: z.number().int().positive(),
 });
 export type FileUploadResponse = z.output<typeof fileUploadResponse>;
--- a/src/lib/server/schemas/hsk.ts
+++ b/src/lib/server/schemas/hsk.ts
@@ -0,0 +1,19 @@
+import { z } from "zod";
+
+export const hmacSecretListResponse = z.object({
+  hsks: z.array(
+    z.object({
+      version: z.number().int().positive(),
+      state: z.enum(["active"]),
+      mekVersion: z.number().int().positive(),
+      hsk: z.string().base64().nonempty(),
+    }),
+  ),
+});
+export type HmacSecretListResponse = z.output<typeof hmacSecretListResponse>;
+
+export const initialHmacSecretRegisterRequest = z.object({
+  mekVersion: z.number().int().positive(),
+  hsk: z.string().base64().nonempty(),
+});
+export type InitialHmacSecretRegisterRequest = z.input<typeof initialHmacSecretRegisterRequest>;
--- a/src/lib/server/schemas/index.ts
+++ b/src/lib/server/schemas/index.ts
@@ -1,3 +1,8 @@
+export * from "./auth";
 export * from "./category";
+export * from "./client";
 export * from "./directory";
 export * from "./file";
+export * from "./hsk";
+export * from "./mek";
+export * from "./user";
--- a/src/lib/server/schemas/mek.ts
+++ b/src/lib/server/schemas/mek.ts
@@ -0,0 +1,19 @@
+import { z } from "zod";
+
+export const masterKeyListResponse = z.object({
+  meks: z.array(
+    z.object({
+      version: z.number().int().positive(),
+      state: z.enum(["active", "retired"]),
+      mek: z.string().base64().nonempty(),
+      mekSig: z.string().base64().nonempty(),
+    }),
+  ),
+});
+export type MasterKeyListResponse = z.output<typeof masterKeyListResponse>;
+
+export const initialMasterKeyRegisterRequest = z.object({
+  mek: z.string().base64().nonempty(),
+  mekSig: z.string().base64().nonempty(),
+});
+export type InitialMasterKeyRegisterRequest = z.input<typeof initialMasterKeyRegisterRequest>;
--- a/src/lib/server/schemas/user.ts
+++ b/src/lib/server/schemas/user.ts
@@ -0,0 +1,12 @@
+import { z } from "zod";
+
+export const userInfoResponse = z.object({
+  email: z.string().email(),
+  nickname: z.string().nonempty(),
+});
+export type UserInfoResponse = z.output<typeof userInfoResponse>;
+
+export const nicknameChangeRequest = z.object({
+  newNickname: z.string().trim().min(2).max(8),
+});
+export type NicknameChangeRequest = z.input<typeof nicknameChangeRequest>;
--- a/src/lib/server/services/auth.ts
+++ b/src/lib/server/services/auth.ts
@@ -0,0 +1,122 @@
+import { error } from "@sveltejs/kit";
+import argon2 from "argon2";
+import { getClient, getClientByPubKeys, getUserClient } from "$lib/server/db/client";
+import { IntegrityError } from "$lib/server/db/error";
+import {
+  upgradeSession,
+  deleteSession,
+  deleteAllOtherSessions,
+  registerSessionUpgradeChallenge,
+  consumeSessionUpgradeChallenge,
+} from "$lib/server/db/session";
+import { getUser, getUserByEmail, setUserPassword } from "$lib/server/db/user";
+import env from "$lib/server/loadenv";
+import { startSession } from "$lib/server/modules/auth";
+import { verifySignature, generateChallenge } from "$lib/server/modules/crypto";
+
+const hashPassword = async (password: string) => {
+  return await argon2.hash(password);
+};
+
+const verifyPassword = async (hash: string, password: string) => {
+  return await argon2.verify(hash, password);
+};
+
+export const changePassword = async (
+  userId: number,
+  sessionId: string,
+  oldPassword: string,
+  newPassword: string,
+) => {
+  if (oldPassword === newPassword) {
+    error(400, "Same passwords");
+  } else if (newPassword.length < 8) {
+    error(400, "Too short password");
+  }
+
+  const user = await getUser(userId);
+  if (!user) {
+    error(500, "Invalid session id");
+  } else if (!(await verifyPassword(user.password, oldPassword))) {
+    error(403, "Invalid password");
+  }
+
+  await setUserPassword(userId, await hashPassword(newPassword));
+  await deleteAllOtherSessions(userId, sessionId);
+};
+
+export const login = async (email: string, password: string, ip: string, userAgent: string) => {
+  const user = await getUserByEmail(email);
+  if (!user || !(await verifyPassword(user.password, password))) {
+    error(401, "Invalid email or password");
+  }
+
+  return { sessionIdSigned: await startSession(user.id, ip, userAgent) };
+};
+
+export const logout = async (sessionId: string) => {
+  await deleteSession(sessionId);
+};
+
+export const createSessionUpgradeChallenge = async (
+  sessionId: string,
+  userId: number,
+  ip: string,
+  encPubKey: string,
+  sigPubKey: string,
+) => {
+  const client = await getClientByPubKeys(encPubKey, sigPubKey);
+  const userClient = client ? await getUserClient(userId, client.id) : undefined;
+  if (!client) {
+    error(401, "Invalid public key(s)");
+  } else if (!userClient || userClient.state === "challenging") {
+    error(403, "Unregistered client");
+  }
+
+  const { answer, challenge } = await generateChallenge(32, encPubKey);
+  const { id } = await registerSessionUpgradeChallenge(
+    sessionId,
+    client.id,
+    answer.toString("base64"),
+    ip,
+    new Date(Date.now() + env.challenge.sessionUpgradeExp),
+  );
+
+  return { id, challenge: challenge.toString("base64") };
+};
+
+export const verifySessionUpgradeChallenge = async (
+  sessionId: string,
+  userId: number,
+  ip: string,
+  challengeId: number,
+  answerSig: string,
+  force: boolean,
+) => {
+  const challenge = await consumeSessionUpgradeChallenge(challengeId, sessionId, ip);
+  if (!challenge) {
+    error(403, "Invalid challenge answer");
+  }
+
+  const client = await getClient(challenge.clientId);
+  if (!client) {
+    error(500, "Invalid challenge answer");
+  } else if (
+    !verifySignature(Buffer.from(challenge.answer, "base64"), answerSig, client.sigPubKey)
+  ) {
+    error(403, "Invalid challenge answer signature");
+  }
+
+  try {
+    await upgradeSession(userId, sessionId, client.id, force);
+  } catch (e) {
+    if (e instanceof IntegrityError) {
+      if (e.message === "Session not found") {
+        error(500, "Invalid challenge answer");
+      } else if (!force && e.message === "Session already exists") {
+        error(409, "Already logged in");
+      }
+    }
+    throw e;
+  }
+};
--- a/src/lib/server/services/category.ts
+++ b/src/lib/server/services/category.ts
@@ -0,0 +1,133 @@
+import { error } from "@sveltejs/kit";
+import {
+  registerCategory,
+  getAllCategoriesByParent,
+  getCategory,
+  setCategoryEncName,
+  unregisterCategory,
+  type CategoryId,
+  type NewCategory,
+} from "$lib/server/db/category";
+import { IntegrityError } from "$lib/server/db/error";
+import {
+  getAllFilesByCategory,
+  getFile,
+  addFileToCategory,
+  removeFileFromCategory,
+} from "$lib/server/db/file";
+import type { Ciphertext } from "$lib/server/db/schema";
+
+export const getCategoryInformation = async (userId: number, categoryId: CategoryId) => {
+  const category = categoryId !== "root" ? await getCategory(userId, categoryId) : undefined;
+  if (category === null) {
+    error(404, "Invalid category id");
+  }
+
+  const categories = await getAllCategoriesByParent(userId, categoryId);
+  return {
+    metadata: category && {
+      parentId: category.parentId ?? ("root" as const),
+      mekVersion: category.mekVersion,
+      encDek: category.encDek,
+      dekVersion: category.dekVersion,
+      encName: category.encName,
+    },
+    categories: categories.map(({ id }) => id),
+  };
+};
+
+export const deleteCategory = async (userId: number, categoryId: number) => {
+  try {
+    await unregisterCategory(userId, categoryId);
+  } catch (e) {
+    if (e instanceof IntegrityError && e.message === "Category not found") {
+      error(404, "Invalid category id");
+    }
+    throw e;
+  }
+};
+
+export const addCategoryFile = async (userId: number, categoryId: number, fileId: number) => {
+  const category = await getCategory(userId, categoryId);
+  const file = await getFile(userId, fileId);
+  if (!category) {
+    error(404, "Invalid category id");
+  } else if (!file) {
+    error(404, "Invalid file id");
+  }
+
+  try {
+    await addFileToCategory(fileId, categoryId);
+  } catch (e) {
+    if (e instanceof IntegrityError && e.message === "File already added to category") {
+      error(400, "File already added");
+    }
+    throw e;
+  }
+};
+
+export const getCategoryFiles = async (userId: number, categoryId: number, recurse: boolean) => {
+  const category = await getCategory(userId, categoryId);
+  if (!category) {
+    error(404, "Invalid category id");
+  }
+
+  const files = await getAllFilesByCategory(userId, categoryId, recurse);
+  return { files };
+};
+
+export const removeCategoryFile = async (userId: number, categoryId: number, fileId: number) => {
+  const category = await getCategory(userId, categoryId);
+  const file = await getFile(userId, fileId);
+  if (!category) {
+    error(404, "Invalid category id");
+  } else if (!file) {
+    error(404, "Invalid file id");
+  }
+
+  try {
+    await removeFileFromCategory(fileId, categoryId);
+  } catch (e) {
+    if (e instanceof IntegrityError && e.message === "File not found in category") {
+      error(400, "File not added");
+    }
+    throw e;
+  }
+};
+
+export const renameCategory = async (
+  userId: number,
+  categoryId: number,
+  dekVersion: Date,
+  newEncName: Ciphertext,
+) => {
+  try {
+    await setCategoryEncName(userId, categoryId, dekVersion, newEncName);
+  } catch (e) {
+    if (e instanceof IntegrityError) {
+      if (e.message === "Category not found") {
+        error(404, "Invalid category id");
+      } else if (e.message === "Invalid DEK version") {
+        error(400, "Invalid DEK version");
+      }
+    }
+    throw e;
+  }
+};
+
+export const createCategory = async (params: NewCategory) => {
+  const oneMinuteAgo = new Date(Date.now() - 60 * 1000);
+  const oneMinuteLater = new Date(Date.now() + 60 * 1000);
+  if (params.dekVersion <= oneMinuteAgo || params.dekVersion >= oneMinuteLater) {
+    error(400, "Invalid DEK version");
+  }
+
+  try {
+    await registerCategory(params);
+  } catch (e) {
+    if (e instanceof IntegrityError && e.message === "Inactive MEK version") {
+      error(400, "Inactive MEK version");
+    }
+    throw e;
+  }
+};
--- a/src/lib/server/services/client.ts
+++ b/src/lib/server/services/client.ts
@@ -0,0 +1,116 @@
+import { error } from "@sveltejs/kit";
+import {
+  createClient,
+  getClient,
+  getClientByPubKeys,
+  createUserClient,
+  getAllUserClients,
+  getUserClient,
+  setUserClientStateToPending,
+  registerUserClientChallenge,
+  consumeUserClientChallenge,
+} from "$lib/server/db/client";
+import { IntegrityError } from "$lib/server/db/error";
+import { verifyPubKey, verifySignature, generateChallenge } from "$lib/server/modules/crypto";
+import { isInitialMekNeeded } from "$lib/server/modules/mek";
+import env from "$lib/server/loadenv";
+
+export const getUserClientList = async (userId: number) => {
+  const userClients = await getAllUserClients(userId);
+  return {
+    userClients: userClients.map(({ clientId, state }) => ({
+      id: clientId,
+      state: state as "pending" | "active",
+    })),
+  };
+};
+
+const expiresAt = () => new Date(Date.now() + env.challenge.userClientExp);
+
+const createUserClientChallenge = async (
+  ip: string,
+  userId: number,
+  clientId: number,
+  encPubKey: string,
+) => {
+  const { answer, challenge } = await generateChallenge(32, encPubKey);
+  const { id } = await registerUserClientChallenge(
+    userId,
+    clientId,
+    answer.toString("base64"),
+    ip,
+    expiresAt(),
+  );
+  return { id, challenge: challenge.toString("base64") };
+};
+
+export const registerUserClient = async (
+  userId: number,
+  ip: string,
+  encPubKey: string,
+  sigPubKey: string,
+) => {
+  const client = await getClientByPubKeys(encPubKey, sigPubKey);
+  if (client) {
+    try {
+      await createUserClient(userId, client.id);
+      return await createUserClientChallenge(ip, userId, client.id, encPubKey);
+    } catch (e) {
+      if (e instanceof IntegrityError && e.message === "User client already exists") {
+        error(409, "Client already registered");
+      }
+      throw e;
+    }
+  } else {
+    if (encPubKey === sigPubKey) {
+      error(400, "Same public keys");
+    } else if (!verifyPubKey(encPubKey) || !verifyPubKey(sigPubKey)) {
+      error(400, "Invalid public key(s)");
+    }
+
+    try {
+      const { id: clientId } = await createClient(encPubKey, sigPubKey, userId);
+      return await createUserClientChallenge(ip, userId, clientId, encPubKey);
+    } catch (e) {
+      if (e instanceof IntegrityError && e.message === "Public key(s) already registered") {
+        error(409, "Public key(s) already used");
+      }
+      throw e;
+    }
+  }
+};
+
+export const verifyUserClient = async (
+  userId: number,
+  ip: string,
+  challengeId: number,
+  answerSig: string,
+) => {
+  const challenge = await consumeUserClientChallenge(challengeId, userId, ip);
+  if (!challenge) {
+    error(403, "Invalid challenge answer");
+  }
+
+  const client = await getClient(challenge.clientId);
+  if (!client) {
+    error(500, "Invalid challenge answer");
+  } else if (
+    !verifySignature(Buffer.from(challenge.answer, "base64"), answerSig, client.sigPubKey)
+  ) {
+    error(403, "Invalid challenge answer signature");
+  }
+
+  await setUserClientStateToPending(userId, client.id);
+};
+
+export const getUserClientStatus = async (userId: number, clientId: number) => {
+  const userClient = await getUserClient(userId, clientId);
+  if (!userClient) {
+    error(500, "Invalid session id");
+  }
+
+  return {
+    state: userClient.state as "pending" | "active",
+    isInitialMekNeeded: await isInitialMekNeeded(userId),
+  };
+};
--- a/src/lib/server/services/directory.ts
+++ b/src/lib/server/services/directory.ts
@@ -0,0 +1,96 @@
+import { error } from "@sveltejs/kit";
+import { unlink } from "fs/promises";
+import { IntegrityError } from "$lib/server/db/error";
+import {
+  registerDirectory,
+  getAllDirectoriesByParent,
+  getDirectory,
+  setDirectoryEncName,
+  unregisterDirectory,
+  getAllFilesByParent,
+  type DirectoryId,
+  type NewDirectory,
+} from "$lib/server/db/file";
+import type { Ciphertext } from "$lib/server/db/schema";
+
+export const getDirectoryInformation = async (userId: number, directoryId: DirectoryId) => {
+  const directory = directoryId !== "root" ? await getDirectory(userId, directoryId) : undefined;
+  if (directory === null) {
+    error(404, "Invalid directory id");
+  }
+
+  const directories = await getAllDirectoriesByParent(userId, directoryId);
+  const files = await getAllFilesByParent(userId, directoryId);
+  return {
+    metadata: directory && {
+      parentId: directory.parentId ?? ("root" as const),
+      mekVersion: directory.mekVersion,
+      encDek: directory.encDek,
+      dekVersion: directory.dekVersion,
+      encName: directory.encName,
+    },
+    directories: directories.map(({ id }) => id),
+    files: files.map(({ id }) => id),
+  };
+};
+
+const safeUnlink = async (path: string | null) => {
+  if (path) {
+    await unlink(path).catch(console.error);
+  }
+};
+
+export const deleteDirectory = async (userId: number, directoryId: number) => {
+  try {
+    const files = await unregisterDirectory(userId, directoryId);
+    return {
+      files: files.map(({ id, path, thumbnailPath }) => {
+        safeUnlink(path); // Intended
+        safeUnlink(thumbnailPath); // Intended
+        return id;
+      }),
+    };
+  } catch (e) {
+    if (e instanceof IntegrityError && e.message === "Directory not found") {
+      error(404, "Invalid directory id");
+    }
+    throw e;
+  }
+};
+
+export const renameDirectory = async (
+  userId: number,
+  directoryId: number,
+  dekVersion: Date,
+  newEncName: Ciphertext,
+) => {
+  try {
+    await setDirectoryEncName(userId, directoryId, dekVersion, newEncName);
+  } catch (e) {
+    if (e instanceof IntegrityError) {
+      if (e.message === "Directory not found") {
+        error(404, "Invalid directory id");
+      } else if (e.message === "Invalid DEK version") {
+        error(400, "Invalid DEK version");
+      }
+    }
+    throw e;
+  }
+};
+
+export const createDirectory = async (params: NewDirectory) => {
+  const oneMinuteAgo = new Date(Date.now() - 60 * 1000);
+  const oneMinuteLater = new Date(Date.now() + 60 * 1000);
+  if (params.dekVersion <= oneMinuteAgo || params.dekVersion >= oneMinuteLater) {
+    error(400, "Invalid DEK version");
+  }
+
+  try {
+    await registerDirectory(params);
+  } catch (e) {
+    if (e instanceof IntegrityError && e.message === "Inactive MEK version") {
+      error(400, "Invalid MEK version");
+    }
+    throw e;
+  }
+};
--- a/src/lib/server/services/file.ts
+++ b/src/lib/server/services/file.ts
@@ -1,17 +1,72 @@
 import { error } from "@sveltejs/kit";
 import { createHash } from "crypto";
 import { createReadStream, createWriteStream } from "fs";
-import { mkdir, stat } from "fs/promises";
+import { mkdir, stat, unlink } from "fs/promises";
 import { dirname } from "path";
 import { Readable } from "stream";
 import { pipeline } from "stream/promises";
 import { v4 as uuidv4 } from "uuid";
-import { FileRepo, MediaRepo, IntegrityError } from "$lib/server/db";
+import { IntegrityError } from "$lib/server/db/error";
+import {
+  registerFile,
+  getAllFileIds,
+  getAllFileIdsByContentHmac,
+  getFile,
+  setFileEncName,
+  unregisterFile,
+  getAllFileCategories,
+  type NewFile,
+} from "$lib/server/db/file";
+import {
+  updateFileThumbnail,
+  getFileThumbnail,
+  getMissingFileThumbnails,
+} from "$lib/server/db/media";
+import type { Ciphertext } from "$lib/server/db/schema";
 import env from "$lib/server/loadenv";
-import { safeUnlink } from "$lib/server/modules/filesystem";
+
+export const getFileInformation = async (userId: number, fileId: number) => {
+  const file = await getFile(userId, fileId);
+  if (!file) {
+    error(404, "Invalid file id");
+  }
+
+  const categories = await getAllFileCategories(fileId);
+  return {
+    parentId: file.parentId ?? ("root" as const),
+    mekVersion: file.mekVersion,
+    encDek: file.encDek,
+    dekVersion: file.dekVersion,
+    contentType: file.contentType,
+    encContentIv: file.encContentIv,
+    encName: file.encName,
+    encCreatedAt: file.encCreatedAt,
+    encLastModifiedAt: file.encLastModifiedAt,
+    categories: categories.map(({ id }) => id),
+  };
+};
+
+const safeUnlink = async (path: string | null) => {
+  if (path) {
+    await unlink(path).catch(console.error);
+  }
+};
+
+export const deleteFile = async (userId: number, fileId: number) => {
+  try {
+    const { path, thumbnailPath } = await unregisterFile(userId, fileId);
+    safeUnlink(path); // Intended
+    safeUnlink(thumbnailPath); // Intended
+  } catch (e) {
+    if (e instanceof IntegrityError && e.message === "File not found") {
+      error(404, "Invalid file id");
+    }
+    throw e;
+  }
+};

 export const getFileStream = async (userId: number, fileId: number) => {
-  const file = await FileRepo.getFile(userId, fileId);
+  const file = await getFile(userId, fileId);
  if (!file) {
    error(404, "Invalid file id");
  }
@@ -23,8 +78,37 @@ export const getFileStream = async (userId: number, fileId: number) => {
  };
 };

+export const renameFile = async (
+  userId: number,
+  fileId: number,
+  dekVersion: Date,
+  newEncName: Ciphertext,
+) => {
+  try {
+    await setFileEncName(userId, fileId, dekVersion, newEncName);
+  } catch (e) {
+    if (e instanceof IntegrityError) {
+      if (e.message === "File not found") {
+        error(404, "Invalid file id");
+      } else if (e.message === "Invalid DEK version") {
+        error(400, "Invalid DEK version");
+      }
+    }
+    throw e;
+  }
+};
+
+export const getFileThumbnailInformation = async (userId: number, fileId: number) => {
+  const thumbnail = await getFileThumbnail(userId, fileId);
+  if (!thumbnail) {
+    error(404, "File or its thumbnail not found");
+  }
+
+  return { updatedAt: thumbnail.updatedAt, encContentIv: thumbnail.encContentIv };
+};
+
 export const getFileThumbnailStream = async (userId: number, fileId: number) => {
-  const thumbnail = await MediaRepo.getFileThumbnail(userId, fileId);
+  const thumbnail = await getFileThumbnail(userId, fileId);
  if (!thumbnail) {
    error(404, "File or its thumbnail not found");
  }
@@ -49,13 +133,7 @@ export const uploadFileThumbnail = async (
  try {
    await pipeline(encContentStream, createWriteStream(path, { flags: "wx", mode: 0o600 }));

-    const oldPath = await MediaRepo.updateFileThumbnail(
-      userId,
-      fileId,
-      dekVersion,
-      path,
-      encContentIv,
-    );
+    const oldPath = await updateFileThumbnail(userId, fileId, dekVersion, path, encContentIv);
    safeUnlink(oldPath); // Intended
  } catch (e) {
    await safeUnlink(path);
@@ -71,8 +149,27 @@ export const uploadFileThumbnail = async (
  }
 };

+export const getFileList = async (userId: number) => {
+  const fileIds = await getAllFileIds(userId);
+  return { files: fileIds };
+};
+
+export const scanDuplicateFiles = async (
+  userId: number,
+  hskVersion: number,
+  contentHmac: string,
+) => {
+  const fileIds = await getAllFileIdsByContentHmac(userId, hskVersion, contentHmac);
+  return { files: fileIds };
+};
+
+export const scanMissingFileThumbnails = async (userId: number) => {
+  const fileIds = await getMissingFileThumbnails(userId);
+  return { files: fileIds };
+};
+
 export const uploadFile = async (
-  params: Omit<FileRepo.NewFile, "path" | "encContentHash">,
+  params: Omit<NewFile, "path" | "encContentHash">,
  encContentStream: Readable,
  encContentHash: Promise<string>,
 ) => {
@@ -104,7 +201,7 @@ export const uploadFile = async (
      throw new Error("Invalid checksum");
    }

-    const { id: fileId } = await FileRepo.registerFile({
+    const { id: fileId } = await registerFile({
      ...params,
      path,
      encContentHash: hash,
--- a/src/lib/server/services/hsk.ts
+++ b/src/lib/server/services/hsk.ts
@@ -0,0 +1,31 @@
+import { error } from "@sveltejs/kit";
+import { IntegrityError } from "$lib/server/db/error";
+import { registerInitialHsk, getAllValidHsks } from "$lib/server/db/hsk";
+
+export const getHskList = async (userId: number) => {
+  const hsks = await getAllValidHsks(userId);
+  return {
+    encHsks: hsks.map(({ version, state, mekVersion, encHsk }) => ({
+      version,
+      state,
+      mekVersion,
+      encHsk,
+    })),
+  };
+};
+
+export const registerInitialActiveHsk = async (
+  userId: number,
+  createdBy: number,
+  mekVersion: number,
+  encHsk: string,
+) => {
+  try {
+    await registerInitialHsk(userId, createdBy, mekVersion, encHsk);
+  } catch (e) {
+    if (e instanceof IntegrityError && e.message === "HSK already registered") {
+      error(409, "Initial HSK already registered");
+    }
+    throw e;
+  }
+};
--- a/src/lib/server/services/mek.ts
+++ b/src/lib/server/services/mek.ts
@@ -0,0 +1,38 @@
+import { error } from "@sveltejs/kit";
+import { setUserClientStateToActive } from "$lib/server/db/client";
+import { IntegrityError } from "$lib/server/db/error";
+import { registerInitialMek, getAllValidClientMeks } from "$lib/server/db/mek";
+import { verifyClientEncMekSig } from "$lib/server/modules/mek";
+
+export const getClientMekList = async (userId: number, clientId: number) => {
+  const clientMeks = await getAllValidClientMeks(userId, clientId);
+  return {
+    encMeks: clientMeks.map(({ version, state, encMek, encMekSig }) => ({
+      version,
+      state,
+      encMek,
+      encMekSig,
+    })),
+  };
+};
+
+export const registerInitialActiveMek = async (
+  userId: number,
+  createdBy: number,
+  encMek: string,
+  encMekSig: string,
+) => {
+  if (!(await verifyClientEncMekSig(userId, createdBy, 1, encMek, encMekSig))) {
+    error(400, "Invalid signature");
+  }
+
+  try {
+    await registerInitialMek(userId, createdBy, encMek, encMekSig);
+    await setUserClientStateToActive(userId, createdBy);
+  } catch (e) {
+    if (e instanceof IntegrityError && e.message === "MEK already registered") {
+      error(409, "Initial MEK already registered");
+    }
+    throw e;
+  }
+};
--- a/src/lib/server/services/user.ts
+++ b/src/lib/server/services/user.ts
@@ -0,0 +1,15 @@
+import { error } from "@sveltejs/kit";
+import { getUser, setUserNickname } from "$lib/server/db/user";
+
+export const getUserInformation = async (userId: number) => {
+  const user = await getUser(userId);
+  if (!user) {
+    error(500, "Invalid session id");
+  }
+
+  return { email: user.email, nickname: user.nickname };
+};
+
+export const changeNickname = async (userId: number, nickname: string) => {
+  await setUserNickname(userId, nickname);
+};
--- a/src/lib/services/auth.ts
+++ b/src/lib/services/auth.ts
@@ -1,6 +1,10 @@
-import { TRPCClientError } from "@trpc/client";
+import { callPostApi } from "$lib/hooks";
 import { encodeToBase64, decryptChallenge, signMessageRSA } from "$lib/modules/crypto";
-import { trpc } from "$trpc/client";
+import type {
+  SessionUpgradeRequest,
+  SessionUpgradeResponse,
+  SessionUpgradeVerifyRequest,
+} from "$lib/server/schemas";

 export const requestSessionUpgrade = async (
  encryptKeyBase64: string,
@@ -9,43 +13,27 @@ export const requestSessionUpgrade = async (
  signKey: CryptoKey,
  force = false,
 ) => {
-  let id, challenge;
-  try {
-    ({ id, challenge } = await trpc().auth.upgrade.mutate({
-      encPubKey: encryptKeyBase64,
-      sigPubKey: verifyKeyBase64,
-    }));
-  } catch (e) {
-    if (e instanceof TRPCClientError && e.data?.code === "FORBIDDEN") {
-      return [false, "Unregistered client"] as const;
-    }
-    return [false] as const;
-  }
+  let res = await callPostApi<SessionUpgradeRequest>("/api/auth/upgradeSession", {
+    encPubKey: encryptKeyBase64,
+    sigPubKey: verifyKeyBase64,
+  });
+  if (res.status === 403) return [false, "Unregistered client"] as const;
+  else if (!res.ok) return [false] as const;
+
+  const { id, challenge }: SessionUpgradeResponse = await res.json();
  const answer = await decryptChallenge(challenge, decryptKey);
  const answerSig = await signMessageRSA(answer, signKey);

-  try {
-    await trpc().auth.verifyUpgrade.mutate({
-      id,
-      answerSig: encodeToBase64(answerSig),
-      force,
-    });
-  } catch (e) {
-    if (e instanceof TRPCClientError && e.data?.code === "CONFLICT") {
-      return [false, "Already logged in"] as const;
-    }
-    return [false] as const;
-  }
-
-  return [true] as const;
+  res = await callPostApi<SessionUpgradeVerifyRequest>("/api/auth/upgradeSession/verify", {
+    id,
+    answerSig: encodeToBase64(answerSig),
+    force,
+  });
+  if (res.status === 409) return [false, "Already logged in"] as const;
+  else return [res.ok] as const;
 };

 export const requestLogout = async () => {
-  try {
-    await trpc().auth.logout.mutate();
-    return true;
-  } catch {
-    // TODO: Error Handling
-    return false;
-  }
+  const res = await callPostApi("/api/auth/logout");
+  return res.ok;
 };
--- a/src/lib/services/category.ts
+++ b/src/lib/services/category.ts
@@ -1,6 +1,7 @@
+import { callPostApi } from "$lib/hooks";
 import { generateDataKey, wrapDataKey, encryptString } from "$lib/modules/crypto";
+import type { CategoryCreateRequest, CategoryFileRemoveRequest } from "$lib/server/schemas";
 import type { MasterKey } from "$lib/stores";
-import { trpc } from "$trpc/client";

 export const requestCategoryCreation = async (
  name: string,
@@ -10,28 +11,21 @@ export const requestCategoryCreation = async (
  const { dataKey, dataKeyVersion } = await generateDataKey();
  const nameEncrypted = await encryptString(name, dataKey);

-  try {
-    await trpc().category.create.mutate({
-      parent: parentId,
-      mekVersion: masterKey.version,
-      dek: await wrapDataKey(dataKey, masterKey.key),
-      dekVersion: dataKeyVersion,
-      name: nameEncrypted.ciphertext,
-      nameIv: nameEncrypted.iv,
-    });
-    return true;
-  } catch {
-    // TODO: Error Handling
-    return false;
-  }
+  const res = await callPostApi<CategoryCreateRequest>("/api/category/create", {
+    parent: parentId,
+    mekVersion: masterKey.version,
+    dek: await wrapDataKey(dataKey, masterKey.key),
+    dekVersion: dataKeyVersion.toISOString(),
+    name: nameEncrypted.ciphertext,
+    nameIv: nameEncrypted.iv,
+  });
+  return res.ok;
 };

 export const requestFileRemovalFromCategory = async (fileId: number, categoryId: number) => {
-  try {
-    await trpc().category.removeFile.mutate({ id: categoryId, file: fileId });
-    return true;
-  } catch {
-    // TODO: Error Handling
-    return false;
-  }
+  const res = await callPostApi<CategoryFileRemoveRequest>(
+    `/api/category/${categoryId}/file/remove`,
+    { file: fileId },
+  );
+  return res.ok;
 };
--- a/src/lib/services/file.ts
+++ b/src/lib/services/file.ts
@@ -1,3 +1,4 @@
+import { callGetApi } from "$lib/hooks";
 import { getAllFileInfos } from "$lib/indexedDB/filesystem";
 import { decryptData } from "$lib/modules/crypto";
 import {
@@ -10,8 +11,11 @@ import {
  downloadFile,
 } from "$lib/modules/file";
 import { getThumbnailUrl } from "$lib/modules/thumbnail";
-import type { FileThumbnailUploadRequest } from "$lib/server/schemas";
-import { trpc } from "$trpc/client";
+import type {
+  FileThumbnailInfoResponse,
+  FileThumbnailUploadRequest,
+  FileListResponse,
+} from "$lib/server/schemas";

 export const requestFileDownload = async (
  fileId: number,
@@ -44,20 +48,16 @@ export const requestFileThumbnailUpload = async (
  return await fetch(`/api/file/${fileId}/thumbnail/upload`, { method: "POST", body: form });
 };

-export const requestFileThumbnailDownload = async (fileId: number, dataKey?: CryptoKey) => {
+export const requestFileThumbnailDownload = async (fileId: number, dataKey: CryptoKey) => {
  const cache = await getFileThumbnailCache(fileId);
-  if (cache || !dataKey) return cache;
+  if (cache) return cache;

-  let thumbnailInfo;
-  try {
-    thumbnailInfo = await trpc().file.thumbnail.query({ id: fileId });
-  } catch {
-    // TODO: Error Handling
-    return null;
-  }
-  const { contentIv: thumbnailEncryptedIv } = thumbnailInfo;
+  let res = await callGetApi(`/api/file/${fileId}/thumbnail`);
+  if (!res.ok) return null;

-  const res = await fetch(`/api/file/${fileId}/thumbnail/download`);
+  const { contentIv: thumbnailEncryptedIv }: FileThumbnailInfoResponse = await res.json();
+
+  res = await callGetApi(`/api/file/${fileId}/thumbnail/download`);
  if (!res.ok) return null;

  const thumbnailEncrypted = await res.arrayBuffer();
@@ -68,14 +68,10 @@ export const requestFileThumbnailDownload = async (fileId: number, dataKey?: Cry
 };

 export const requestDeletedFilesCleanup = async () => {
-  let liveFiles;
-  try {
-    liveFiles = await trpc().file.list.query();
-  } catch {
-    // TODO: Error Handling
-    return;
-  }
+  const res = await callGetApi("/api/file/list");
+  if (!res.ok) return;

+  const { files: liveFiles }: FileListResponse = await res.json();
  const liveFilesSet = new Set(liveFiles);
  const maybeCachedFiles = await getAllFileInfos();

--- a/src/lib/services/key.ts
+++ b/src/lib/services/key.ts
@@ -1,4 +1,4 @@
-import { TRPCClientError } from "@trpc/client";
+import { callGetApi, callPostApi } from "$lib/hooks";
 import { storeMasterKeys } from "$lib/indexedDB";
 import {
  encodeToBase64,
@@ -9,9 +9,16 @@ import {
  signMasterKeyWrapped,
  verifyMasterKeyWrapped,
 } from "$lib/modules/crypto";
+import type {
+  ClientRegisterRequest,
+  ClientRegisterResponse,
+  ClientRegisterVerifyRequest,
+  InitialHmacSecretRegisterRequest,
+  MasterKeyListResponse,
+  InitialMasterKeyRegisterRequest,
+} from "$lib/server/schemas";
 import { requestSessionUpgrade } from "$lib/services/auth";
 import { masterKeyStore, type ClientKeys } from "$lib/stores";
-import { trpc } from "$trpc/client";

 export const requestClientRegistration = async (
  encryptKeyBase64: string,
@@ -19,22 +26,21 @@ export const requestClientRegistration = async (
  verifyKeyBase64: string,
  signKey: CryptoKey,
 ) => {
-  try {
-    const { id, challenge } = await trpc().client.register.mutate({
-      encPubKey: encryptKeyBase64,
-      sigPubKey: verifyKeyBase64,
-    });
-    const answer = await decryptChallenge(challenge, decryptKey);
-    const answerSig = await signMessageRSA(answer, signKey);
-    await trpc().client.verify.mutate({
-      id,
-      answerSig: encodeToBase64(answerSig),
-    });
-    return true;
-  } catch {
-    // TODO: Error Handling
-    return false;
-  }
+  let res = await callPostApi<ClientRegisterRequest>("/api/client/register", {
+    encPubKey: encryptKeyBase64,
+    sigPubKey: verifyKeyBase64,
+  });
+  if (!res.ok) return false;
+
+  const { id, challenge }: ClientRegisterResponse = await res.json();
+  const answer = await decryptChallenge(challenge, decryptKey);
+  const answerSig = await signMessageRSA(answer, signKey);
+
+  res = await callPostApi<ClientRegisterVerifyRequest>("/api/client/register/verify", {
+    id,
+    answerSig: encodeToBase64(answerSig),
+  });
+  return res.ok;
 };

 export const requestClientRegistrationAndSessionUpgrade = async (
@@ -67,14 +73,10 @@ export const requestClientRegistrationAndSessionUpgrade = async (
 };

 export const requestMasterKeyDownload = async (decryptKey: CryptoKey, verifyKey: CryptoKey) => {
-  let masterKeysWrapped;
-  try {
-    masterKeysWrapped = await trpc().mek.list.query();
-  } catch {
-    // TODO: Error Handling
-    return false;
-  }
+  const res = await callGetApi("/api/mek/list");
+  if (!res.ok) return false;

+  const { meks: masterKeysWrapped }: MasterKeyListResponse = await res.json();
  const masterKeys = await Promise.all(
    masterKeysWrapped.map(
      async ({ version, state, mek: masterKeyWrapped, mekSig: masterKeyWrappedSig }) => {
@@ -106,30 +108,17 @@ export const requestInitialMasterKeyAndHmacSecretRegistration = async (
  hmacSecretWrapped: string,
  signKey: CryptoKey,
 ) => {
-  try {
-    await trpc().mek.registerInitial.mutate({
-      mek: masterKeyWrapped,
-      mekSig: await signMasterKeyWrapped(masterKeyWrapped, 1, signKey),
-    });
-  } catch (e) {
-    if (
-      e instanceof TRPCClientError &&
-      (e.data?.code === "FORBIDDEN" || e.data?.code === "CONFLICT")
-    ) {
-      return true;
-    }
-    // TODO: Error Handling
-    return false;
+  let res = await callPostApi<InitialMasterKeyRegisterRequest>("/api/mek/register/initial", {
+    mek: masterKeyWrapped,
+    mekSig: await signMasterKeyWrapped(masterKeyWrapped, 1, signKey),
+  });
+  if (!res.ok) {
+    return res.status === 403 || res.status === 409;
  }

-  try {
-    await trpc().hsk.registerInitial.mutate({
-      mekVersion: 1,
-      hsk: hmacSecretWrapped,
-    });
-    return true;
-  } catch {
-    // TODO: Error Handling
-    return false;
-  }
+  res = await callPostApi<InitialHmacSecretRegisterRequest>("/api/hsk/register/initial", {
+    mekVersion: 1,
+    hsk: hmacSecretWrapped,
+  });
+  return res.ok;
 };
--- a/src/routes/(fullscreen)/auth/changePassword/service.ts
+++ b/src/routes/(fullscreen)/auth/changePassword/service.ts
@@ -1,11 +1,10 @@
-import { trpc } from "$trpc/client";
+import { callPostApi } from "$lib/hooks";
+import type { PasswordChangeRequest } from "$lib/server/schemas";

 export const requestPasswordChange = async (oldPassword: string, newPassword: string) => {
-  try {
-    await trpc().auth.changePassword.mutate({ oldPassword, newPassword });
-    return true;
-  } catch {
-    // TODO: Error Handling
-    return false;
-  }
+  const res = await callPostApi<PasswordChangeRequest>("/api/auth/changePassword", {
+    oldPassword,
+    newPassword,
+  });
+  return res.ok;
 };
--- a/src/routes/(fullscreen)/auth/login/service.ts
+++ b/src/routes/(fullscreen)/auth/login/service.ts
@@ -1,4 +1,5 @@
-import { trpc } from "$trpc/client";
+import { callPostApi } from "$lib/hooks";
+import type { LoginRequest } from "$lib/server/schemas";

 export { requestLogout } from "$lib/services/auth";
 export { requestDeletedFilesCleanup } from "$lib/services/file";
@@ -8,11 +9,6 @@ export {
 } from "$lib/services/key";

 export const requestLogin = async (email: string, password: string) => {
-  try {
-    await trpc().auth.login.mutate({ email, password });
-    return true;
-  } catch {
-    // TODO: Error Handling
-    return false;
-  }
+  const res = await callPostApi<LoginRequest>("/api/auth/login", { email, password });
+  return res.ok;
 };
--- a/src/routes/(fullscreen)/file/[id]/service.ts
+++ b/src/routes/(fullscreen)/file/[id]/service.ts
@@ -1,7 +1,8 @@
+import { callPostApi } from "$lib/hooks";
 import { encryptData } from "$lib/modules/crypto";
 import { storeFileThumbnailCache } from "$lib/modules/file";
+import type { CategoryFileAddRequest } from "$lib/server/schemas";
 import { requestFileThumbnailUpload } from "$lib/services/file";
-import { trpc } from "$trpc/client";

 export { requestCategoryCreation, requestFileRemovalFromCategory } from "$lib/services/category";
 export { requestFileDownload } from "$lib/services/file";
@@ -22,11 +23,8 @@ export const requestThumbnailUpload = async (
 };

 export const requestFileAdditionToCategory = async (fileId: number, categoryId: number) => {
-  try {
-    await trpc().category.addFile.mutate({ id: categoryId, file: fileId });
-    return true;
-  } catch {
-    // TODO: Error Handling
-    return false;
-  }
+  const res = await callPostApi<CategoryFileAddRequest>(`/api/category/${categoryId}/file/add`, {
+    file: fileId,
+  });
+  return res.ok;
 };
--- a/src/routes/(fullscreen)/key/export/+page.ts
+++ b/src/routes/(fullscreen)/key/export/+page.ts
@@ -1,5 +1,5 @@
 import { error } from "@sveltejs/kit";
-import { keyExportState } from "$lib/utils/gotoStateful";
+import { keyExportState } from "$lib/hooks/gotoStateful";
 import type { PageLoad } from "./$types";

 export const load: PageLoad = async () => {
--- a/src/routes/(fullscreen)/key/generate/+page.svelte
+++ b/src/routes/(fullscreen)/key/generate/+page.svelte
@@ -4,9 +4,9 @@
  import { BottomDiv, Button, FullscreenDiv, TextButton } from "$lib/components/atoms";
  import { TitledDiv } from "$lib/components/molecules";
  import { ForceLoginModal } from "$lib/components/organisms";
+  import { gotoStateful } from "$lib/hooks";
  import { storeClientKeys } from "$lib/modules/key";
  import { clientKeyStore } from "$lib/stores";
-  import { gotoStateful } from "$lib/utils";
  import Order from "./Order.svelte";
  import {
    generateClientKeys,
--- a/src/routes/(fullscreen)/settings/thumbnail/+page.ts
+++ b/src/routes/(fullscreen)/settings/thumbnail/+page.ts
@@ -1,13 +1,14 @@
 import { error } from "@sveltejs/kit";
-import { trpc } from "$trpc/client";
+import { callPostApi } from "$lib/hooks";
+import type { MissingThumbnailFileScanResponse } from "$lib/server/schemas";
 import type { PageLoad } from "./$types";

 export const load: PageLoad = async ({ fetch }) => {
-  try {
-    const files = await trpc(fetch).file.listWithoutThumbnail.query();
-    return { files };
-  } catch {
-    // TODO: Error Handling
+  const res = await callPostApi("/api/file/scanMissingThumbnails", undefined, fetch);
+  if (!res.ok) {
    error(500, "Internal server error");
  }
+
+  const { files }: MissingThumbnailFileScanResponse = await res.json();
+  return { files };
 };
--- a/src/routes/(main)/category/[[id]]/service.svelte.ts
+++ b/src/routes/(main)/category/[[id]]/service.svelte.ts
@@ -1,7 +1,8 @@
 import { getContext, setContext } from "svelte";
+import { callPostApi } from "$lib/hooks";
 import { encryptString } from "$lib/modules/crypto";
 import type { SelectedCategory } from "$lib/components/molecules";
-import { trpc } from "$trpc/client";
+import type { CategoryRenameRequest } from "$lib/server/schemas";

 export { requestCategoryCreation, requestFileRemovalFromCategory } from "$lib/services/category";

@@ -19,26 +20,15 @@ export const useContext = () => {
 export const requestCategoryRename = async (category: SelectedCategory, newName: string) => {
  const newNameEncrypted = await encryptString(newName, category.dataKey);

-  try {
-    await trpc().category.rename.mutate({
-      id: category.id,
-      dekVersion: category.dataKeyVersion,
-      name: newNameEncrypted.ciphertext,
-      nameIv: newNameEncrypted.iv,
-    });
-    return true;
-  } catch {
-    // TODO: Error Handling
-    return false;
-  }
+  const res = await callPostApi<CategoryRenameRequest>(`/api/category/${category.id}/rename`, {
+    dekVersion: category.dataKeyVersion.toISOString(),
+    name: newNameEncrypted.ciphertext,
+    nameIv: newNameEncrypted.iv,
+  });
+  return res.ok;
 };

 export const requestCategoryDeletion = async (category: SelectedCategory) => {
-  try {
-    await trpc().category.delete.mutate({ id: category.id });
-    return true;
-  } catch {
-    // TODO: Error Handling
-    return false;
-  }
+  const res = await callPostApi(`/api/category/${category.id}/delete`);
+  return res.ok;
 };
--- a/src/routes/(main)/directory/[[id]]/DirectoryEntries/File.svelte
+++ b/src/routes/(main)/directory/[[id]]/DirectoryEntries/File.svelte
@@ -34,7 +34,7 @@
  };

  $effect(() => {
-    if ($info) {
+    if ($info?.dataKey) {
      requestFileThumbnailDownload($info.id, $info.dataKey)
        .then((thumbnailUrl) => {
          thumbnail = thumbnailUrl ?? undefined;
--- a/src/routes/(main)/directory/[[id]]/service.svelte.ts
+++ b/src/routes/(main)/directory/[[id]]/service.svelte.ts
@@ -1,4 +1,5 @@
 import { getContext, setContext } from "svelte";
+import { callGetApi, callPostApi } from "$lib/hooks";
 import { storeHmacSecrets } from "$lib/indexedDB";
 import { generateDataKey, wrapDataKey, unwrapHmacSecret, encryptString } from "$lib/modules/crypto";
 import {
@@ -8,8 +9,14 @@ import {
  deleteFileThumbnailCache,
  uploadFile,
 } from "$lib/modules/file";
+import type {
+  DirectoryRenameRequest,
+  DirectoryCreateRequest,
+  FileRenameRequest,
+  HmacSecretListResponse,
+  DirectoryDeleteResponse,
+} from "$lib/server/schemas";
 import { hmacSecretStore, type MasterKey, type HmacSecret } from "$lib/stores";
-import { trpc } from "$trpc/client";

 export interface SelectedEntry {
  type: "directory" | "file";
@@ -33,14 +40,10 @@ export const useContext = () => {
 export const requestHmacSecretDownload = async (masterKey: CryptoKey) => {
  // TODO: MEK rotation

-  let hmacSecretsWrapped;
-  try {
-    hmacSecretsWrapped = await trpc().hsk.list.query();
-  } catch {
-    // TODO: Error Handling
-    return false;
-  }
+  const res = await callGetApi("/api/hsk/list");
+  if (!res.ok) return false;

+  const { hsks: hmacSecretsWrapped }: HmacSecretListResponse = await res.json();
  const hmacSecrets = await Promise.all(
    hmacSecretsWrapped.map(async ({ version, state, hsk: hmacSecretWrapped }) => {
      const { hmacSecret } = await unwrapHmacSecret(hmacSecretWrapped, masterKey);
@@ -62,20 +65,15 @@ export const requestDirectoryCreation = async (
  const { dataKey, dataKeyVersion } = await generateDataKey();
  const nameEncrypted = await encryptString(name, dataKey);

-  try {
-    await trpc().directory.create.mutate({
-      parent: parentId,
-      mekVersion: masterKey.version,
-      dek: await wrapDataKey(dataKey, masterKey.key),
-      dekVersion: dataKeyVersion,
-      name: nameEncrypted.ciphertext,
-      nameIv: nameEncrypted.iv,
-    });
-    return true;
-  } catch {
-    // TODO: Error Handling
-    return false;
-  }
+  const res = await callPostApi<DirectoryCreateRequest>("/api/directory/create", {
+    parent: parentId,
+    mekVersion: masterKey.version,
+    dek: await wrapDataKey(dataKey, masterKey.key),
+    dekVersion: dataKeyVersion.toISOString(),
+    name: nameEncrypted.ciphertext,
+    nameIv: nameEncrypted.iv,
+  });
+  return res.ok;
 };

 export const requestFileUpload = async (
@@ -99,46 +97,35 @@ export const requestFileUpload = async (
 export const requestEntryRename = async (entry: SelectedEntry, newName: string) => {
  const newNameEncrypted = await encryptString(newName, entry.dataKey);

-  try {
-    if (entry.type === "directory") {
-      await trpc().directory.rename.mutate({
-        id: entry.id,
-        dekVersion: entry.dataKeyVersion,
-        name: newNameEncrypted.ciphertext,
-        nameIv: newNameEncrypted.iv,
-      });
-    } else {
-      await trpc().file.rename.mutate({
-        id: entry.id,
-        dekVersion: entry.dataKeyVersion,
-        name: newNameEncrypted.ciphertext,
-        nameIv: newNameEncrypted.iv,
-      });
-    }
-    return true;
-  } catch {
-    // TODO: Error Handling
-    return false;
+  let res;
+  if (entry.type === "directory") {
+    res = await callPostApi<DirectoryRenameRequest>(`/api/directory/${entry.id}/rename`, {
+      dekVersion: entry.dataKeyVersion.toISOString(),
+      name: newNameEncrypted.ciphertext,
+      nameIv: newNameEncrypted.iv,
+    });
+  } else {
+    res = await callPostApi<FileRenameRequest>(`/api/file/${entry.id}/rename`, {
+      dekVersion: entry.dataKeyVersion.toISOString(),
+      name: newNameEncrypted.ciphertext,
+      nameIv: newNameEncrypted.iv,
+    });
  }
+  return res.ok;
 };

 export const requestEntryDeletion = async (entry: SelectedEntry) => {
-  try {
-    if (entry.type === "directory") {
-      const { deletedFiles } = await trpc().directory.delete.mutate({ id: entry.id });
-      await Promise.all(
-        deletedFiles.flatMap((fileId) => [
-          deleteFileCache(fileId),
-          deleteFileThumbnailCache(fileId),
-        ]),
-      );
-    } else {
-      await trpc().file.delete.mutate({ id: entry.id });
-      await Promise.all([deleteFileCache(entry.id), deleteFileThumbnailCache(entry.id)]);
-    }
+  const res = await callPostApi(`/api/${entry.type}/${entry.id}/delete`);
+  if (!res.ok) return false;
+
+  if (entry.type === "directory") {
+    const { deletedFiles }: DirectoryDeleteResponse = await res.json();
+    await Promise.all(
+      deletedFiles.flatMap((fileId) => [deleteFileCache(fileId), deleteFileThumbnailCache(fileId)]),
+    );
+    return true;
+  } else {
+    await Promise.all([deleteFileCache(entry.id), deleteFileThumbnailCache(entry.id)]);
    return true;
-  } catch {
-    // TODO: Error Handling
-    return false;
  }
 };
--- a/src/routes/(main)/menu/+page.ts
+++ b/src/routes/(main)/menu/+page.ts
@@ -1,13 +1,14 @@
 import { error } from "@sveltejs/kit";
-import { trpc } from "$trpc/client";
+import { callGetApi } from "$lib/hooks";
+import type { UserInfoResponse } from "$lib/server/schemas";
 import type { PageLoad } from "./$types";

 export const load: PageLoad = async ({ fetch }) => {
-  try {
-    const { nickname } = await trpc(fetch).user.get.query();
-    return { nickname };
-  } catch {
-    // TODO: Error Handling
+  const res = await callGetApi("/api/user", fetch);
+  if (!res.ok) {
    error(500, "Internal server error");
  }
+
+  const { nickname }: UserInfoResponse = await res.json();
+  return { nickname };
 };
--- a/src/routes/api/auth/changePassword/+server.ts
+++ b/src/routes/api/auth/changePassword/+server.ts
@@ -0,0 +1,16 @@
+import { error, text } from "@sveltejs/kit";
+import { authorize } from "$lib/server/modules/auth";
+import { passwordChangeRequest } from "$lib/server/schemas";
+import { changePassword } from "$lib/server/services/auth";
+import type { RequestHandler } from "./$types";
+
+export const POST: RequestHandler = async ({ locals, request }) => {
+  const { sessionId, userId } = await authorize(locals, "any");
+
+  const zodRes = passwordChangeRequest.safeParse(await request.json());
+  if (!zodRes.success) error(400, "Invalid request body");
+  const { oldPassword, newPassword } = zodRes.data;
+
+  await changePassword(userId, sessionId, oldPassword, newPassword);
+  return text("Password changed", { headers: { "Content-Type": "text/plain" } });
+};
--- a/src/routes/api/auth/login/+server.ts
+++ b/src/routes/api/auth/login/+server.ts
@@ -0,0 +1,21 @@
+import { error, text } from "@sveltejs/kit";
+import env from "$lib/server/loadenv";
+import { loginRequest } from "$lib/server/schemas";
+import { login } from "$lib/server/services/auth";
+import type { RequestHandler } from "./$types";
+
+export const POST: RequestHandler = async ({ locals, request, cookies }) => {
+  const zodRes = loginRequest.safeParse(await request.json());
+  if (!zodRes.success) error(400, "Invalid request body");
+  const { email, password } = zodRes.data;
+
+  const { sessionIdSigned } = await login(email, password, locals.ip, locals.userAgent);
+  cookies.set("sessionId", sessionIdSigned, {
+    path: "/",
+    maxAge: env.session.exp / 1000,
+    secure: true,
+    sameSite: "strict",
+  });
+
+  return text("Logged in", { headers: { "Content-Type": "text/plain" } });
+};
--- a/src/routes/api/auth/logout/+server.ts
+++ b/src/routes/api/auth/logout/+server.ts
@@ -0,0 +1,13 @@
+import { text } from "@sveltejs/kit";
+import { authorize } from "$lib/server/modules/auth";
+import { logout } from "$lib/server/services/auth";
+import type { RequestHandler } from "./$types";
+
+export const POST: RequestHandler = async ({ locals, cookies }) => {
+  const { sessionId } = await authorize(locals, "any");
+
+  await logout(sessionId);
+  cookies.delete("sessionId", { path: "/" });
+
+  return text("Logged out", { headers: { "Content-Type": "text/plain" } });
+};
--- a/src/routes/api/auth/upgradeSession/+server.ts
+++ b/src/routes/api/auth/upgradeSession/+server.ts
@@ -0,0 +1,26 @@
+import { error, json } from "@sveltejs/kit";
+import { authorize } from "$lib/server/modules/auth";
+import {
+  sessionUpgradeRequest,
+  sessionUpgradeResponse,
+  type SessionUpgradeResponse,
+} from "$lib/server/schemas";
+import { createSessionUpgradeChallenge } from "$lib/server/services/auth";
+import type { RequestHandler } from "./$types";
+
+export const POST: RequestHandler = async ({ locals, request }) => {
+  const { sessionId, userId } = await authorize(locals, "notClient");
+
+  const zodRes = sessionUpgradeRequest.safeParse(await request.json());
+  if (!zodRes.success) error(400, "Invalid request body");
+  const { encPubKey, sigPubKey } = zodRes.data;
+
+  const { id, challenge } = await createSessionUpgradeChallenge(
+    sessionId,
+    userId,
+    locals.ip,
+    encPubKey,
+    sigPubKey,
+  );
+  return json(sessionUpgradeResponse.parse({ id, challenge } satisfies SessionUpgradeResponse));
+};
--- a/src/routes/api/auth/upgradeSession/verify/+server.ts
+++ b/src/routes/api/auth/upgradeSession/verify/+server.ts
@@ -0,0 +1,16 @@
+import { error, text } from "@sveltejs/kit";
+import { authorize } from "$lib/server/modules/auth";
+import { sessionUpgradeVerifyRequest } from "$lib/server/schemas";
+import { verifySessionUpgradeChallenge } from "$lib/server/services/auth";
+import type { RequestHandler } from "./$types";
+
+export const POST: RequestHandler = async ({ locals, request }) => {
+  const { sessionId, userId } = await authorize(locals, "notClient");
+
+  const zodRes = sessionUpgradeVerifyRequest.safeParse(await request.json());
+  if (!zodRes.success) error(400, "Invalid request body");
+  const { id, answerSig, force } = zodRes.data;
+
+  await verifySessionUpgradeChallenge(sessionId, userId, locals.ip, id, answerSig, force);
+  return text("Session upgraded", { headers: { "Content-Type": "text/plain" } });
+};
--- a/src/routes/api/category/[id]/+server.ts
+++ b/src/routes/api/category/[id]/+server.ts
@@ -0,0 +1,33 @@
+import { error, json } from "@sveltejs/kit";
+import { z } from "zod";
+import { authorize } from "$lib/server/modules/auth";
+import { categoryInfoResponse, type CategoryInfoResponse } from "$lib/server/schemas";
+import { getCategoryInformation } from "$lib/server/services/category";
+import type { RequestHandler } from "./$types";
+
+export const GET: RequestHandler = async ({ locals, params }) => {
+  const { userId } = await authorize(locals, "activeClient");
+
+  const zodRes = z
+    .object({
+      id: z.union([z.enum(["root"]), z.coerce.number().int().positive()]),
+    })
+    .safeParse(params);
+  if (!zodRes.success) error(400, "Invalid path parameters");
+  const { id } = zodRes.data;
+
+  const { metadata, categories } = await getCategoryInformation(userId, id);
+  return json(
+    categoryInfoResponse.parse({
+      metadata: metadata && {
+        parent: metadata.parentId,
+        mekVersion: metadata.mekVersion,
+        dek: metadata.encDek,
+        dekVersion: metadata.dekVersion.toISOString(),
+        name: metadata.encName.ciphertext,
+        nameIv: metadata.encName.iv,
+      },
+      subCategories: categories,
+    } satisfies CategoryInfoResponse),
+  );
+};
--- a/src/routes/api/category/[id]/delete/+server.ts
+++ b/src/routes/api/category/[id]/delete/+server.ts
@@ -0,0 +1,20 @@
+import { error, text } from "@sveltejs/kit";
+import { z } from "zod";
+import { authorize } from "$lib/server/modules/auth";
+import { deleteCategory } from "$lib/server/services/category";
+import type { RequestHandler } from "./$types";
+
+export const POST: RequestHandler = async ({ locals, params }) => {
+  const { userId } = await authorize(locals, "activeClient");
+
+  const zodRes = z
+    .object({
+      id: z.coerce.number().int().positive(),
+    })
+    .safeParse(params);
+  if (!zodRes.success) error(400, "Invalid path parameters");
+  const { id } = zodRes.data;
+
+  await deleteCategory(userId, id);
+  return text("Category deleted", { headers: { "Content-Type": "text/plain" } });
+};
--- a/src/routes/api/category/[id]/file/add/+server.ts
+++ b/src/routes/api/category/[id]/file/add/+server.ts
@@ -0,0 +1,25 @@
+import { error, text } from "@sveltejs/kit";
+import { z } from "zod";
+import { authorize } from "$lib/server/modules/auth";
+import { categoryFileAddRequest } from "$lib/server/schemas";
+import { addCategoryFile } from "$lib/server/services/category";
+import type { RequestHandler } from "./$types";
+
+export const POST: RequestHandler = async ({ locals, params, request }) => {
+  const { userId } = await authorize(locals, "activeClient");
+
+  const paramsZodRes = z
+    .object({
+      id: z.coerce.number().int().positive(),
+    })
+    .safeParse(params);
+  if (!paramsZodRes.success) error(400, "Invalid path parameters");
+  const { id } = paramsZodRes.data;
+
+  const bodyZodRes = categoryFileAddRequest.safeParse(await request.json());
+  if (!bodyZodRes.success) error(400, "Invalid request body");
+  const { file } = bodyZodRes.data;
+
+  await addCategoryFile(userId, id, file);
+  return text("File added", { headers: { "Content-Type": "text/plain" } });
+};
--- a/src/routes/api/category/[id]/file/list/+server.ts
+++ b/src/routes/api/category/[id]/file/list/+server.ts
@@ -0,0 +1,36 @@
+import { error, json } from "@sveltejs/kit";
+import { z } from "zod";
+import { authorize } from "$lib/server/modules/auth";
+import { categoryFileListResponse, type CategoryFileListResponse } from "$lib/server/schemas";
+import { getCategoryFiles } from "$lib/server/services/category";
+import type { RequestHandler } from "./$types";
+
+export const GET: RequestHandler = async ({ locals, url, params }) => {
+  const { userId } = await authorize(locals, "activeClient");
+
+  const paramsZodRes = z
+    .object({
+      id: z.coerce.number().int().positive(),
+    })
+    .safeParse(params);
+  if (!paramsZodRes.success) error(400, "Invalid path parameters");
+  const { id } = paramsZodRes.data;
+
+  const queryZodRes = z
+    .object({
+      recurse: z
+        .enum(["true", "false"])
+        .transform((value) => value === "true")
+        .nullable(),
+    })
+    .safeParse({ recurse: url.searchParams.get("recurse") });
+  if (!queryZodRes.success) error(400, "Invalid query parameters");
+  const { recurse } = queryZodRes.data;
+
+  const { files } = await getCategoryFiles(userId, id, recurse ?? false);
+  return json(
+    categoryFileListResponse.parse({
+      files: files.map(({ id, isRecursive }) => ({ file: id, isRecursive })),
+    } satisfies CategoryFileListResponse),
+  );
+};
--- a/src/routes/api/category/[id]/file/remove/+server.ts
+++ b/src/routes/api/category/[id]/file/remove/+server.ts
@@ -0,0 +1,25 @@
+import { error, text } from "@sveltejs/kit";
+import { z } from "zod";
+import { authorize } from "$lib/server/modules/auth";
+import { categoryFileRemoveRequest } from "$lib/server/schemas";
+import { removeCategoryFile } from "$lib/server/services/category";
+import type { RequestHandler } from "./$types";
+
+export const POST: RequestHandler = async ({ locals, params, request }) => {
+  const { userId } = await authorize(locals, "activeClient");
+
+  const paramsZodRes = z
+    .object({
+      id: z.coerce.number().int().positive(),
+    })
+    .safeParse(params);
+  if (!paramsZodRes.success) error(400, "Invalid path parameters");
+  const { id } = paramsZodRes.data;
+
+  const bodyZodRes = categoryFileRemoveRequest.safeParse(await request.json());
+  if (!bodyZodRes.success) error(400, "Invalid request body");
+  const { file } = bodyZodRes.data;
+
+  await removeCategoryFile(userId, id, file);
+  return text("File removed", { headers: { "Content-Type": "text/plain" } });
+};
--- a/src/routes/api/category/[id]/rename/+server.ts
+++ b/src/routes/api/category/[id]/rename/+server.ts
@@ -0,0 +1,25 @@
+import { error, text } from "@sveltejs/kit";
+import { z } from "zod";
+import { authorize } from "$lib/server/modules/auth";
+import { categoryRenameRequest } from "$lib/server/schemas";
+import { renameCategory } from "$lib/server/services/category";
+import type { RequestHandler } from "./$types";
+
+export const POST: RequestHandler = async ({ locals, params, request }) => {
+  const { userId } = await authorize(locals, "activeClient");
+
+  const paramsZodRes = z
+    .object({
+      id: z.coerce.number().int().positive(),
+    })
+    .safeParse(params);
+  if (!paramsZodRes.success) error(400, "Invalid path parameters");
+  const { id } = paramsZodRes.data;
+
+  const bodyZodRes = categoryRenameRequest.safeParse(await request.json());
+  if (!bodyZodRes.success) error(400, "Invalid request body");
+  const { dekVersion, name, nameIv } = bodyZodRes.data;
+
+  await renameCategory(userId, id, new Date(dekVersion), { ciphertext: name, iv: nameIv });
+  return text("Category renamed", { headers: { "Content-Type": "text/plain" } });
+};
--- a/src/routes/api/category/create/+server.ts
+++ b/src/routes/api/category/create/+server.ts
@@ -0,0 +1,23 @@
+import { error, text } from "@sveltejs/kit";
+import { authorize } from "$lib/server/modules/auth";
+import { categoryCreateRequest } from "$lib/server/schemas";
+import { createCategory } from "$lib/server/services/category";
+import type { RequestHandler } from "./$types";
+
+export const POST: RequestHandler = async ({ locals, request }) => {
+  const { userId } = await authorize(locals, "activeClient");
+
+  const zodRes = categoryCreateRequest.safeParse(await request.json());
+  if (!zodRes.success) error(400, "Invalid request body");
+  const { parent, mekVersion, dek, dekVersion, name, nameIv } = zodRes.data;
+
+  await createCategory({
+    userId,
+    parentId: parent,
+    mekVersion,
+    encDek: dek,
+    dekVersion: new Date(dekVersion),
+    encName: { ciphertext: name, iv: nameIv },
+  });
+  return text("Category created", { headers: { "Content-Type": "text/plain" } });
+};
--- a/src/routes/api/client/list/+server.ts
+++ b/src/routes/api/client/list/+server.ts
@@ -0,0 +1,11 @@
+import { json } from "@sveltejs/kit";
+import { authorize } from "$lib/server/modules/auth";
+import { clientListResponse, type ClientListResponse } from "$lib/server/schemas";
+import { getUserClientList } from "$lib/server/services/client";
+import type { RequestHandler } from "./$types";
+
+export const GET: RequestHandler = async ({ locals }) => {
+  const { userId } = await authorize(locals, "anyClient");
+  const { userClients } = await getUserClientList(userId);
+  return json(clientListResponse.parse({ clients: userClients } satisfies ClientListResponse));
+};
--- a/src/routes/api/client/register/+server.ts
+++ b/src/routes/api/client/register/+server.ts
@@ -0,0 +1,20 @@
+import { error, json } from "@sveltejs/kit";
+import { authorize } from "$lib/server/modules/auth";
+import {
+  clientRegisterRequest,
+  clientRegisterResponse,
+  type ClientRegisterResponse,
+} from "$lib/server/schemas";
+import { registerUserClient } from "$lib/server/services/client";
+import type { RequestHandler } from "./$types";
+
+export const POST: RequestHandler = async ({ locals, request }) => {
+  const { userId } = await authorize(locals, "notClient");
+
+  const zodRes = clientRegisterRequest.safeParse(await request.json());
+  if (!zodRes.success) error(400, "Invalid request body");
+  const { encPubKey, sigPubKey } = zodRes.data;
+
+  const { id, challenge } = await registerUserClient(userId, locals.ip, encPubKey, sigPubKey);
+  return json(clientRegisterResponse.parse({ id, challenge } satisfies ClientRegisterResponse));
+};
--- a/src/routes/api/client/register/verify/+server.ts
+++ b/src/routes/api/client/register/verify/+server.ts
@@ -0,0 +1,16 @@
+import { error, text } from "@sveltejs/kit";
+import { authorize } from "$lib/server/modules/auth";
+import { clientRegisterVerifyRequest } from "$lib/server/schemas";
+import { verifyUserClient } from "$lib/server/services/client";
+import type { RequestHandler } from "./$types";
+
+export const POST: RequestHandler = async ({ locals, request }) => {
+  const { userId } = await authorize(locals, "notClient");
+
+  const zodRes = clientRegisterVerifyRequest.safeParse(await request.json());
+  if (!zodRes.success) error(400, "Invalid request body");
+  const { id, answerSig } = zodRes.data;
+
+  await verifyUserClient(userId, locals.ip, id, answerSig);
+  return text("Client verified", { headers: { "Content-Type": "text/plain" } });
+};
--- a/src/routes/api/client/status/+server.ts
+++ b/src/routes/api/client/status/+server.ts
@@ -0,0 +1,17 @@
+import { json } from "@sveltejs/kit";
+import { authorize } from "$lib/server/modules/auth";
+import { clientStatusResponse, type ClientStatusResponse } from "$lib/server/schemas";
+import { getUserClientStatus } from "$lib/server/services/client";
+import type { RequestHandler } from "./$types";
+
+export const GET: RequestHandler = async ({ locals }) => {
+  const { userId, clientId } = await authorize(locals, "anyClient");
+  const { state, isInitialMekNeeded } = await getUserClientStatus(userId, clientId);
+  return json(
+    clientStatusResponse.parse({
+      id: clientId,
+      state,
+      isInitialMekNeeded,
+    } satisfies ClientStatusResponse),
+  );
+};
--- a/src/routes/api/directory/[id]/+server.ts
+++ b/src/routes/api/directory/[id]/+server.ts
@@ -0,0 +1,34 @@
+import { error, json } from "@sveltejs/kit";
+import { z } from "zod";
+import { authorize } from "$lib/server/modules/auth";
+import { directoryInfoResponse, type DirectoryInfoResponse } from "$lib/server/schemas";
+import { getDirectoryInformation } from "$lib/server/services/directory";
+import type { RequestHandler } from "./$types";
+
+export const GET: RequestHandler = async ({ locals, params }) => {
+  const { userId } = await authorize(locals, "activeClient");
+
+  const zodRes = z
+    .object({
+      id: z.union([z.enum(["root"]), z.coerce.number().int().positive()]),
+    })
+    .safeParse(params);
+  if (!zodRes.success) error(400, "Invalid path parameters");
+  const { id } = zodRes.data;
+
+  const { metadata, directories, files } = await getDirectoryInformation(userId, id);
+  return json(
+    directoryInfoResponse.parse({
+      metadata: metadata && {
+        parent: metadata.parentId,
+        mekVersion: metadata.mekVersion,
+        dek: metadata.encDek,
+        dekVersion: metadata.dekVersion.toISOString(),
+        name: metadata.encName.ciphertext,
+        nameIv: metadata.encName.iv,
+      },
+      subDirectories: directories,
+      files,
+    } satisfies DirectoryInfoResponse),
+  );
+};
--- a/src/routes/api/directory/[id]/delete/+server.ts
+++ b/src/routes/api/directory/[id]/delete/+server.ts
@@ -0,0 +1,23 @@
+import { error, json } from "@sveltejs/kit";
+import { z } from "zod";
+import { authorize } from "$lib/server/modules/auth";
+import { directoryDeleteResponse, type DirectoryDeleteResponse } from "$lib/server/schemas";
+import { deleteDirectory } from "$lib/server/services/directory";
+import type { RequestHandler } from "./$types";
+
+export const POST: RequestHandler = async ({ locals, params }) => {
+  const { userId } = await authorize(locals, "activeClient");
+
+  const zodRes = z
+    .object({
+      id: z.coerce.number().int().positive(),
+    })
+    .safeParse(params);
+  if (!zodRes.success) error(400, "Invalid path parameters");
+  const { id } = zodRes.data;
+
+  const { files } = await deleteDirectory(userId, id);
+  return json(
+    directoryDeleteResponse.parse({ deletedFiles: files } satisfies DirectoryDeleteResponse),
+  );
+};
--- a/src/routes/api/directory/[id]/rename/+server.ts
+++ b/src/routes/api/directory/[id]/rename/+server.ts
@@ -0,0 +1,25 @@
+import { error, text } from "@sveltejs/kit";
+import { z } from "zod";
+import { authorize } from "$lib/server/modules/auth";
+import { directoryRenameRequest } from "$lib/server/schemas";
+import { renameDirectory } from "$lib/server/services/directory";
+import type { RequestHandler } from "./$types";
+
+export const POST: RequestHandler = async ({ locals, params, request }) => {
+  const { userId } = await authorize(locals, "activeClient");
+
+  const paramsZodRes = z
+    .object({
+      id: z.coerce.number().int().positive(),
+    })
+    .safeParse(params);
+  if (!paramsZodRes.success) error(400, "Invalid path parameters");
+  const { id } = paramsZodRes.data;
+
+  const bodyZodRes = directoryRenameRequest.safeParse(await request.json());
+  if (!bodyZodRes.success) error(400, "Invalid request body");
+  const { dekVersion, name, nameIv } = bodyZodRes.data;
+
+  await renameDirectory(userId, id, new Date(dekVersion), { ciphertext: name, iv: nameIv });
+  return text("Directory renamed", { headers: { "Content-Type": "text/plain" } });
+};
--- a/src/routes/api/directory/create/+server.ts
+++ b/src/routes/api/directory/create/+server.ts
@@ -0,0 +1,23 @@
+import { error, text } from "@sveltejs/kit";
+import { authorize } from "$lib/server/modules/auth";
+import { directoryCreateRequest } from "$lib/server/schemas";
+import { createDirectory } from "$lib/server/services/directory";
+import type { RequestHandler } from "./$types";
+
+export const POST: RequestHandler = async ({ locals, request }) => {
+  const { userId } = await authorize(locals, "activeClient");
+
+  const zodRes = directoryCreateRequest.safeParse(await request.json());
+  if (!zodRes.success) error(400, "Invalid request body");
+  const { parent, mekVersion, dek, dekVersion, name, nameIv } = zodRes.data;
+
+  await createDirectory({
+    userId,
+    parentId: parent,
+    mekVersion,
+    encDek: dek,
+    dekVersion: new Date(dekVersion),
+    encName: { ciphertext: name, iv: nameIv },
+  });
+  return text("Directory created", { headers: { "Content-Type": "text/plain" } });
+};
--- a/src/routes/api/file/[id]/+server.ts
+++ b/src/routes/api/file/[id]/+server.ts
@@ -0,0 +1,48 @@
+import { error, json } from "@sveltejs/kit";
+import { z } from "zod";
+import { authorize } from "$lib/server/modules/auth";
+import { fileInfoResponse, type FileInfoResponse } from "$lib/server/schemas";
+import { getFileInformation } from "$lib/server/services/file";
+import type { RequestHandler } from "./$types";
+
+export const GET: RequestHandler = async ({ locals, params }) => {
+  const { userId } = await authorize(locals, "activeClient");
+
+  const zodRes = z
+    .object({
+      id: z.coerce.number().int().positive(),
+    })
+    .safeParse(params);
+  if (!zodRes.success) error(400, "Invalid path parameters");
+  const { id } = zodRes.data;
+
+  const {
+    parentId,
+    mekVersion,
+    encDek,
+    dekVersion,
+    contentType,
+    encContentIv,
+    encName,
+    encCreatedAt,
+    encLastModifiedAt,
+    categories,
+  } = await getFileInformation(userId, id);
+  return json(
+    fileInfoResponse.parse({
+      parent: parentId,
+      mekVersion,
+      dek: encDek,
+      dekVersion: dekVersion.toISOString(),
+      contentType: contentType,
+      contentIv: encContentIv,
+      name: encName.ciphertext,
+      nameIv: encName.iv,
+      createdAt: encCreatedAt?.ciphertext,
+      createdAtIv: encCreatedAt?.iv,
+      lastModifiedAt: encLastModifiedAt.ciphertext,
+      lastModifiedAtIv: encLastModifiedAt.iv,
+      categories,
+    } satisfies FileInfoResponse),
+  );
+};
--- a/src/routes/api/file/[id]/delete/+server.ts
+++ b/src/routes/api/file/[id]/delete/+server.ts
@@ -0,0 +1,20 @@
+import { error, text } from "@sveltejs/kit";
+import { z } from "zod";
+import { authorize } from "$lib/server/modules/auth";
+import { deleteFile } from "$lib/server/services/file";
+import type { RequestHandler } from "./$types";
+
+export const POST: RequestHandler = async ({ locals, params }) => {
+  const { userId } = await authorize(locals, "activeClient");
+
+  const zodRes = z
+    .object({
+      id: z.coerce.number().int().positive(),
+    })
+    .safeParse(params);
+  if (!zodRes.success) error(400, "Invalid path parameters");
+  const { id } = zodRes.data;
+
+  await deleteFile(userId, id);
+  return text("File deleted", { headers: { "Content-Type": "text/plain" } });
+};
--- a/src/routes/api/file/[id]/rename/+server.ts
+++ b/src/routes/api/file/[id]/rename/+server.ts
@@ -0,0 +1,25 @@
+import { error, text } from "@sveltejs/kit";
+import { z } from "zod";
+import { authorize } from "$lib/server/modules/auth";
+import { fileRenameRequest } from "$lib/server/schemas";
+import { renameFile } from "$lib/server/services/file";
+import type { RequestHandler } from "./$types";
+
+export const POST: RequestHandler = async ({ locals, params, request }) => {
+  const { userId } = await authorize(locals, "activeClient");
+
+  const paramsZodRes = z
+    .object({
+      id: z.coerce.number().int().positive(),
+    })
+    .safeParse(params);
+  if (!paramsZodRes.success) error(400, "Invalid path parameters");
+  const { id } = paramsZodRes.data;
+
+  const bodyZodRes = fileRenameRequest.safeParse(await request.json());
+  if (!bodyZodRes.success) error(400, "Invalid request body");
+  const { dekVersion, name, nameIv } = bodyZodRes.data;
+
+  await renameFile(userId, id, new Date(dekVersion), { ciphertext: name, iv: nameIv });
+  return text("File renamed", { headers: { "Content-Type": "text/plain" } });
+};
--- a/src/routes/api/file/[id]/thumbnail/+server.ts
+++ b/src/routes/api/file/[id]/thumbnail/+server.ts
@@ -0,0 +1,26 @@
+import { error, json } from "@sveltejs/kit";
+import { z } from "zod";
+import { authorize } from "$lib/server/modules/auth";
+import { fileThumbnailInfoResponse, type FileThumbnailInfoResponse } from "$lib/server/schemas";
+import { getFileThumbnailInformation } from "$lib/server/services/file";
+import type { RequestHandler } from "./$types";
+
+export const GET: RequestHandler = async ({ locals, params }) => {
+  const { userId } = await authorize(locals, "activeClient");
+
+  const zodRes = z
+    .object({
+      id: z.coerce.number().int().positive(),
+    })
+    .safeParse(params);
+  if (!zodRes.success) error(400, "Invalid path parameters");
+  const { id } = zodRes.data;
+
+  const { updatedAt, encContentIv } = await getFileThumbnailInformation(userId, id);
+  return json(
+    fileThumbnailInfoResponse.parse({
+      updatedAt: updatedAt.toISOString(),
+      contentIv: encContentIv,
+    } satisfies FileThumbnailInfoResponse),
+  );
+};
--- a/src/routes/api/file/list/+server.ts
+++ b/src/routes/api/file/list/+server.ts
@@ -0,0 +1,11 @@
+import { json } from "@sveltejs/kit";
+import { authorize } from "$lib/server/modules/auth";
+import { fileListResponse, type FileListResponse } from "$lib/server/schemas";
+import { getFileList } from "$lib/server/services/file";
+import type { RequestHandler } from "./$types";
+
+export const GET: RequestHandler = async ({ locals }) => {
+  const { userId } = await authorize(locals, "activeClient");
+  const { files } = await getFileList(userId);
+  return json(fileListResponse.parse({ files } satisfies FileListResponse));
+};
--- a/src/routes/api/file/scanDuplicates/+server.ts
+++ b/src/routes/api/file/scanDuplicates/+server.ts
@@ -0,0 +1,20 @@
+import { error, json } from "@sveltejs/kit";
+import { authorize } from "$lib/server/modules/auth";
+import {
+  duplicateFileScanRequest,
+  duplicateFileScanResponse,
+  type DuplicateFileScanResponse,
+} from "$lib/server/schemas";
+import { scanDuplicateFiles } from "$lib/server/services/file";
+import type { RequestHandler } from "./$types";
+
+export const POST: RequestHandler = async ({ locals, request }) => {
+  const { userId } = await authorize(locals, "activeClient");
+
+  const zodRes = duplicateFileScanRequest.safeParse(await request.json());
+  if (!zodRes.success) error(400, "Invalid request body");
+  const { hskVersion, contentHmac } = zodRes.data;
+
+  const { files } = await scanDuplicateFiles(userId, hskVersion, contentHmac);
+  return json(duplicateFileScanResponse.parse({ files } satisfies DuplicateFileScanResponse));
+};
--- a/src/routes/api/file/scanMissingThumbnails/+server.ts
+++ b/src/routes/api/file/scanMissingThumbnails/+server.ts
@@ -0,0 +1,16 @@
+import { json } from "@sveltejs/kit";
+import { authorize } from "$lib/server/modules/auth";
+import {
+  missingThumbnailFileScanResponse,
+  type MissingThumbnailFileScanResponse,
+} from "$lib/server/schemas/file";
+import { scanMissingFileThumbnails } from "$lib/server/services/file";
+import type { RequestHandler } from "./$types";
+
+export const POST: RequestHandler = async ({ locals }) => {
+  const { userId } = await authorize(locals, "activeClient");
+  const { files } = await scanMissingFileThumbnails(userId);
+  return json(
+    missingThumbnailFileScanResponse.parse({ files } satisfies MissingThumbnailFileScanResponse),
+  );
+};
--- a/src/routes/api/hsk/list/+server.ts
+++ b/src/routes/api/hsk/list/+server.ts
@@ -0,0 +1,20 @@
+import { json } from "@sveltejs/kit";
+import { authorize } from "$lib/server/modules/auth";
+import { hmacSecretListResponse, type HmacSecretListResponse } from "$lib/server/schemas";
+import { getHskList } from "$lib/server/services/hsk";
+import type { RequestHandler } from "./$types";
+
+export const GET: RequestHandler = async ({ locals }) => {
+  const { userId } = await authorize(locals, "activeClient");
+  const { encHsks } = await getHskList(userId);
+  return json(
+    hmacSecretListResponse.parse({
+      hsks: encHsks.map(({ version, state, mekVersion, encHsk }) => ({
+        version,
+        state,
+        mekVersion,
+        hsk: encHsk,
+      })),
+    } satisfies HmacSecretListResponse),
+  );
+};
--- a/src/routes/api/hsk/register/initial/+server.ts
+++ b/src/routes/api/hsk/register/initial/+server.ts
@@ -0,0 +1,16 @@
+import { error, text } from "@sveltejs/kit";
+import { authorize } from "$lib/server/modules/auth";
+import { initialHmacSecretRegisterRequest } from "$lib/server/schemas";
+import { registerInitialActiveHsk } from "$lib/server/services/hsk";
+import type { RequestHandler } from "./$types";
+
+export const POST: RequestHandler = async ({ locals, request }) => {
+  const { userId, clientId } = await authorize(locals, "activeClient");
+
+  const zodRes = initialHmacSecretRegisterRequest.safeParse(await request.json());
+  if (!zodRes.success) error(400, "Invalid request body");
+  const { mekVersion, hsk } = zodRes.data;
+
+  await registerInitialActiveHsk(userId, clientId, mekVersion, hsk);
+  return text("HSK registered", { headers: { "Content-Type": "text/plain" } });
+};
--- a/src/routes/api/mek/list/+server.ts
+++ b/src/routes/api/mek/list/+server.ts
@@ -0,0 +1,20 @@
+import { json } from "@sveltejs/kit";
+import { authorize } from "$lib/server/modules/auth";
+import { masterKeyListResponse, type MasterKeyListResponse } from "$lib/server/schemas";
+import { getClientMekList } from "$lib/server/services/mek";
+import type { RequestHandler } from "./$types";
+
+export const GET: RequestHandler = async ({ locals }) => {
+  const { userId, clientId } = await authorize(locals, "activeClient");
+  const { encMeks } = await getClientMekList(userId, clientId);
+  return json(
+    masterKeyListResponse.parse({
+      meks: encMeks.map(({ version, state, encMek, encMekSig }) => ({
+        version,
+        state,
+        mek: encMek,
+        mekSig: encMekSig,
+      })),
+    } satisfies MasterKeyListResponse),
+  );
+};
--- a/src/routes/api/mek/register/initial/+server.ts
+++ b/src/routes/api/mek/register/initial/+server.ts
@@ -0,0 +1,16 @@
+import { error, text } from "@sveltejs/kit";
+import { authorize } from "$lib/server/modules/auth";
+import { initialMasterKeyRegisterRequest } from "$lib/server/schemas";
+import { registerInitialActiveMek } from "$lib/server/services/mek";
+import type { RequestHandler } from "./$types";
+
+export const POST: RequestHandler = async ({ locals, request }) => {
+  const { userId, clientId } = await authorize(locals, "pendingClient");
+
+  const zodRes = initialMasterKeyRegisterRequest.safeParse(await request.json());
+  if (!zodRes.success) error(400, "Invalid request body");
+  const { mek, mekSig } = zodRes.data;
+
+  await registerInitialActiveMek(userId, clientId, mek, mekSig);
+  return text("MEK registered", { headers: { "Content-Type": "text/plain" } });
+};
--- a/src/routes/api/trpc/[trpc]/+server.ts
+++ b/src/routes/api/trpc/[trpc]/+server.ts
@@ -1,15 +0,0 @@
-import { fetchRequestHandler } from "@trpc/server/adapters/fetch";
-import { createContext } from "$trpc/init.server";
-import { appRouter } from "$trpc/router.server";
-import type { RequestHandler } from "./$types";
-
-const trpcHandler: RequestHandler = (event) =>
-  fetchRequestHandler({
-    endpoint: "/api/trpc",
-    req: event.request,
-    router: appRouter,
-    createContext: () => createContext(event),
-  });
-
-export const GET = trpcHandler;
-export const POST = trpcHandler;
--- a/src/routes/api/user/+server.ts
+++ b/src/routes/api/user/+server.ts
@@ -0,0 +1,11 @@
+import { json } from "@sveltejs/kit";
+import { authorize } from "$lib/server/modules/auth";
+import { userInfoResponse, type UserInfoResponse } from "$lib/server/schemas";
+import { getUserInformation } from "$lib/server/services/user";
+import type { RequestHandler } from "./$types";
+
+export const GET: RequestHandler = async ({ locals }) => {
+  const { userId } = await authorize(locals, "any");
+  const { email, nickname } = await getUserInformation(userId);
+  return json(userInfoResponse.parse({ email, nickname } satisfies UserInfoResponse));
+};
--- a/src/routes/api/user/changeNickname/+server.ts
+++ b/src/routes/api/user/changeNickname/+server.ts
@@ -0,0 +1,16 @@
+import { error, text } from "@sveltejs/kit";
+import { authorize } from "$lib/server/modules/auth";
+import { nicknameChangeRequest } from "$lib/server/schemas";
+import { changeNickname } from "$lib/server/services/user";
+import type { RequestHandler } from "./$types";
+
+export const POST: RequestHandler = async ({ locals, request }) => {
+  const { userId } = await authorize(locals, "any");
+
+  const zodRes = nicknameChangeRequest.safeParse(await request.json());
+  if (!zodRes.success) error(400, "Invalid request body");
+  const { newNickname } = zodRes.data;
+
+  await changeNickname(userId, newNickname);
+  return text("Nickname changed", { headers: { "Content-Type": "text/plain" } });
+};
--- a/src/trpc/client.ts
+++ b/src/trpc/client.ts
@@ -1,25 +0,0 @@
-import { createTRPCClient, httpBatchLink } from "@trpc/client";
-import superjson from "superjson";
-import { browser } from "$app/environment";
-import type { AppRouter } from "./router.server";
-
-const createClient = (fetch: typeof globalThis.fetch) =>
-  createTRPCClient<AppRouter>({
-    links: [
-      httpBatchLink({
-        url: "/api/trpc",
-        transformer: superjson,
-        fetch,
-      }),
-    ],
-  });
-
-let browserClient: ReturnType<typeof createClient>;
-
-export const trpc = (fetch = globalThis.fetch) => {
-  const client = browserClient ?? createClient(fetch);
-  if (browser) {
-    browserClient ??= client;
-  }
-  return client;
-};
--- a/src/trpc/init.server.ts
+++ b/src/trpc/init.server.ts
@@ -1,26 +0,0 @@
-import type { RequestEvent } from "@sveltejs/kit";
-import { initTRPC, TRPCError } from "@trpc/server";
-import superjson from "superjson";
-import { authorizeMiddleware, authorizeClientMiddleware } from "./middlewares/authorize";
-
-export const createContext = (event: RequestEvent) => event;
-export type Context = Awaited<ReturnType<typeof createContext>>;
-
-export const t = initTRPC.context<Context>().create({ transformer: superjson });
-export const router = t.router;
-export const publicProcedure = t.procedure;
-
-const authedProcedure = publicProcedure.use(async ({ ctx, next }) => {
-  if (!ctx.locals.session) {
-    throw new TRPCError({ code: "UNAUTHORIZED" });
-  }
-  return next();
-});
-
-export const roleProcedure = {
-  any: authedProcedure.use(authorizeMiddleware("any")),
-  notClient: authedProcedure.use(authorizeMiddleware("notClient")),
-  anyClient: authedProcedure.use(authorizeClientMiddleware("anyClient")),
-  pendingClient: authedProcedure.use(authorizeClientMiddleware("pendingClient")),
-  activeClient: authedProcedure.use(authorizeClientMiddleware("activeClient")),
-};
--- a/src/trpc/middlewares/authorize.ts
+++ b/src/trpc/middlewares/authorize.ts
@@ -1,36 +0,0 @@
-import { TRPCError } from "@trpc/server";
-import {
-  AuthorizationError,
-  authorizeInternal,
-  type ClientSession,
-  type SessionPermission,
-} from "$lib/server/modules/auth";
-import { t } from "../init.server";
-
-const authorize = async (locals: App.Locals, requiredPermission: SessionPermission) => {
-  try {
-    return await authorizeInternal(locals, requiredPermission);
-  } catch (e) {
-    if (e instanceof AuthorizationError) {
-      throw new TRPCError({
-        code: e.status === 403 ? "FORBIDDEN" : "INTERNAL_SERVER_ERROR",
-        message: e.message,
-      });
-    }
-    throw e;
-  }
-};
-
-export const authorizeMiddleware = (requiredPermission: "any" | "notClient") =>
-  t.middleware(async ({ ctx, next }) => {
-    const session = await authorize(ctx.locals, requiredPermission);
-    return next({ ctx: { session } });
-  });
-
-export const authorizeClientMiddleware = (
-  requiredPermission: "anyClient" | "pendingClient" | "activeClient",
-) =>
-  t.middleware(async ({ ctx, next }) => {
-    const session = (await authorize(ctx.locals, requiredPermission)) as ClientSession;
-    return next({ ctx: { session } });
-  });
--- a/src/trpc/router.server.ts
+++ b/src/trpc/router.server.ts
@@ -1,30 +0,0 @@
-import type { RequestEvent } from "@sveltejs/kit";
-import type { inferRouterInputs, inferRouterOutputs } from "@trpc/server";
-import { createContext, router } from "./init.server";
-import {
-  authRouter,
-  categoryRouter,
-  clientRouter,
-  directoryRouter,
-  fileRouter,
-  hskRouter,
-  mekRouter,
-  userRouter,
-} from "./routers";
-
-export const appRouter = router({
-  auth: authRouter,
-  category: categoryRouter,
-  client: clientRouter,
-  directory: directoryRouter,
-  file: fileRouter,
-  hsk: hskRouter,
-  mek: mekRouter,
-  user: userRouter,
-});
-
-export const createCaller = (event: RequestEvent) => appRouter.createCaller(createContext(event));
-
-export type AppRouter = typeof appRouter;
-export type RouterInputs = inferRouterInputs<AppRouter>;
-export type RouterOutputs = inferRouterOutputs<AppRouter>;
--- a/src/trpc/routers/auth.ts
+++ b/src/trpc/routers/auth.ts
@@ -1,142 +0,0 @@
-import { TRPCError } from "@trpc/server";
-import argon2 from "argon2";
-import { z } from "zod";
-import { ClientRepo, SessionRepo, UserRepo, IntegrityError } from "$lib/server/db";
-import env from "$lib/server/loadenv";
-import { cookieOptions } from "$lib/server/modules/auth";
-import { generateChallenge, verifySignature, issueSessionId } from "$lib/server/modules/crypto";
-import { router, publicProcedure, roleProcedure } from "../init.server";
-
-const authRouter = router({
-  login: publicProcedure
-    .input(
-      z.object({
-        email: z.email(),
-        password: z.string().nonempty(),
-      }),
-    )
-    .mutation(async ({ ctx, input }) => {
-      const user = await UserRepo.getUserByEmail(input.email);
-      if (!user || !(await argon2.verify(user.password, input.password))) {
-        throw new TRPCError({ code: "UNAUTHORIZED", message: "Invalid email or password" });
-      }
-
-      const { sessionId, sessionIdSigned } = await issueSessionId(32, env.session.secret);
-      await SessionRepo.createSession(user.id, sessionId, ctx.locals.ip, ctx.locals.userAgent);
-      ctx.cookies.set("sessionId", sessionIdSigned, cookieOptions);
-    }),
-
-  logout: roleProcedure["any"].mutation(async ({ ctx }) => {
-    await SessionRepo.deleteSession(ctx.session.sessionId);
-    ctx.cookies.delete("sessionId", cookieOptions);
-  }),
-
-  changePassword: roleProcedure["any"]
-    .input(
-      z.object({
-        oldPassword: z.string().nonempty(),
-        newPassword: z.string().nonempty(),
-      }),
-    )
-    .mutation(async ({ ctx, input }) => {
-      if (input.oldPassword === input.newPassword) {
-        throw new TRPCError({ code: "BAD_REQUEST", message: "Same passwords" });
-      } else if (input.newPassword.length < 8) {
-        throw new TRPCError({ code: "BAD_REQUEST", message: "Too short password" });
-      }
-
-      const user = await UserRepo.getUser(ctx.session.userId);
-      if (!user) {
-        throw new TRPCError({ code: "INTERNAL_SERVER_ERROR", message: "Invalid session id" });
-      } else if (!(await argon2.verify(user.password, input.oldPassword))) {
-        throw new TRPCError({ code: "FORBIDDEN", message: "Invalid password" });
-      }
-
-      await UserRepo.setUserPassword(ctx.session.userId, await argon2.hash(input.newPassword));
-      await SessionRepo.deleteAllOtherSessions(ctx.session.userId, ctx.session.sessionId);
-    }),
-
-  upgrade: roleProcedure["notClient"]
-    .input(
-      z.object({
-        encPubKey: z.base64().nonempty(),
-        sigPubKey: z.base64().nonempty(),
-      }),
-    )
-    .mutation(async ({ ctx, input }) => {
-      const client = await ClientRepo.getClientByPubKeys(input.encPubKey, input.sigPubKey);
-      const userClient = client
-        ? await ClientRepo.getUserClient(ctx.session.userId, client.id)
-        : undefined;
-      if (!client) {
-        throw new TRPCError({ code: "UNAUTHORIZED", message: "Invalid public key(s)" });
-      } else if (!userClient || userClient.state === "challenging") {
-        throw new TRPCError({ code: "FORBIDDEN", message: "Unregistered client" });
-      }
-
-      const { answer, challenge } = await generateChallenge(32, input.encPubKey);
-      const { id } = await SessionRepo.registerSessionUpgradeChallenge(
-        ctx.session.sessionId,
-        client.id,
-        answer.toString("base64"),
-        ctx.locals.ip,
-        new Date(Date.now() + env.challenge.sessionUpgradeExp),
-      );
-
-      return { id, challenge: challenge.toString("base64") };
-    }),
-
-  verifyUpgrade: roleProcedure["notClient"]
-    .input(
-      z.object({
-        id: z.int().positive(),
-        answerSig: z.base64().nonempty(),
-        force: z.boolean().default(false),
-      }),
-    )
-    .mutation(async ({ ctx, input }) => {
-      const challenge = await SessionRepo.consumeSessionUpgradeChallenge(
-        input.id,
-        ctx.session.sessionId,
-        ctx.locals.ip,
-      );
-      if (!challenge) {
-        throw new TRPCError({ code: "FORBIDDEN", message: "Invalid challenge answer" });
-      }
-
-      const client = await ClientRepo.getClient(challenge.clientId);
-      if (!client) {
-        throw new TRPCError({ code: "INTERNAL_SERVER_ERROR", message: "Invalid challenge answer" });
-      } else if (
-        !verifySignature(Buffer.from(challenge.answer, "base64"), input.answerSig, client.sigPubKey)
-      ) {
-        throw new TRPCError({
-          code: "FORBIDDEN",
-          message: "Invalid challenge answer signature",
-        });
-      }
-
-      try {
-        await SessionRepo.upgradeSession(
-          ctx.session.userId,
-          ctx.session.sessionId,
-          client.id,
-          input.force,
-        );
-      } catch (e) {
-        if (e instanceof IntegrityError) {
-          if (e.message === "Session not found") {
-            throw new TRPCError({
-              code: "INTERNAL_SERVER_ERROR",
-              message: "Invalid challenge answer",
-            });
-          } else if (!input.force && e.message === "Session already exists") {
-            throw new TRPCError({ code: "CONFLICT", message: "Already logged in" });
-          }
-        }
-        throw e;
-      }
-    }),
-});
-
-export default authRouter;
--- a/src/trpc/routers/category.ts
+++ b/src/trpc/routers/category.ts
@@ -1,194 +0,0 @@
-import { TRPCError } from "@trpc/server";
-import { z } from "zod";
-import { CategoryRepo, FileRepo, IntegrityError } from "$lib/server/db";
-import { categoryIdSchema } from "$lib/server/schemas";
-import { router, roleProcedure } from "../init.server";
-
-const categoryRouter = router({
-  get: roleProcedure["activeClient"]
-    .input(
-      z.object({
-        id: categoryIdSchema,
-      }),
-    )
-    .query(async ({ ctx, input }) => {
-      const category =
-        input.id !== "root"
-          ? await CategoryRepo.getCategory(ctx.session.userId, input.id)
-          : undefined;
-      if (category === null) {
-        throw new TRPCError({ code: "NOT_FOUND", message: "Invalid category id" });
-      }
-
-      const categories = await CategoryRepo.getAllCategoriesByParent(ctx.session.userId, input.id);
-      return {
-        metadata: category && {
-          parent: category.parentId,
-          mekVersion: category.mekVersion,
-          dek: category.encDek,
-          dekVersion: category.dekVersion,
-          name: category.encName.ciphertext,
-          nameIv: category.encName.iv,
-        },
-        subCategories: categories.map(({ id }) => id),
-      };
-    }),
-
-  create: roleProcedure["activeClient"]
-    .input(
-      z.object({
-        parent: categoryIdSchema,
-        mekVersion: z.int().positive(),
-        dek: z.base64().nonempty(),
-        dekVersion: z.date(),
-        name: z.base64().nonempty(),
-        nameIv: z.base64().nonempty(),
-      }),
-    )
-    .mutation(async ({ ctx, input }) => {
-      const oneMinuteAgo = new Date(Date.now() - 60 * 1000);
-      const oneMinuteLater = new Date(Date.now() + 60 * 1000);
-      if (input.dekVersion <= oneMinuteAgo || input.dekVersion >= oneMinuteLater) {
-        throw new TRPCError({ code: "BAD_REQUEST", message: "Invalid DEK version" });
-      }
-
-      try {
-        await CategoryRepo.registerCategory({
-          parentId: input.parent,
-          userId: ctx.session.userId,
-          mekVersion: input.mekVersion,
-          encDek: input.dek,
-          dekVersion: input.dekVersion,
-          encName: { ciphertext: input.name, iv: input.nameIv },
-        });
-      } catch (e) {
-        if (e instanceof IntegrityError && e.message === "Inactive MEK version") {
-          throw new TRPCError({ code: "BAD_REQUEST", message: e.message });
-        }
-        throw e;
-      }
-    }),
-
-  rename: roleProcedure["activeClient"]
-    .input(
-      z.object({
-        id: z.int().positive(),
-        dekVersion: z.date(),
-        name: z.base64().nonempty(),
-        nameIv: z.base64().nonempty(),
-      }),
-    )
-    .mutation(async ({ ctx, input }) => {
-      try {
-        await CategoryRepo.setCategoryEncName(ctx.session.userId, input.id, input.dekVersion, {
-          ciphertext: input.name,
-          iv: input.nameIv,
-        });
-      } catch (e) {
-        if (e instanceof IntegrityError) {
-          if (e.message === "Category not found") {
-            throw new TRPCError({ code: "NOT_FOUND", message: "Invalid category id" });
-          } else if (e.message === "Invalid DEK version") {
-            throw new TRPCError({ code: "BAD_REQUEST", message: e.message });
-          }
-        }
-        throw e;
-      }
-    }),
-
-  delete: roleProcedure["activeClient"]
-    .input(
-      z.object({
-        id: z.int().positive(),
-      }),
-    )
-    .mutation(async ({ ctx, input }) => {
-      try {
-        await CategoryRepo.unregisterCategory(ctx.session.userId, input.id);
-      } catch (e) {
-        if (e instanceof IntegrityError && e.message === "Category not found") {
-          throw new TRPCError({ code: "NOT_FOUND", message: "Invalid category id" });
-        }
-        throw e;
-      }
-    }),
-
-  files: roleProcedure["activeClient"]
-    .input(
-      z.object({
-        id: z.int().positive(),
-        recurse: z.boolean().default(false),
-      }),
-    )
-    .query(async ({ ctx, input }) => {
-      const category = await CategoryRepo.getCategory(ctx.session.userId, input.id);
-      if (!category) {
-        throw new TRPCError({ code: "NOT_FOUND", message: "Invalid category id" });
-      }
-
-      const files = await FileRepo.getAllFilesByCategory(
-        ctx.session.userId,
-        input.id,
-        input.recurse,
-      );
-      return files.map(({ id, isRecursive }) => ({ file: id, isRecursive }));
-    }),
-
-  addFile: roleProcedure["activeClient"]
-    .input(
-      z.object({
-        id: z.int().positive(),
-        file: z.int().positive(),
-      }),
-    )
-    .mutation(async ({ ctx, input }) => {
-      const [category, file] = await Promise.all([
-        CategoryRepo.getCategory(ctx.session.userId, input.id),
-        FileRepo.getFile(ctx.session.userId, input.file),
-      ]);
-      if (!category) {
-        throw new TRPCError({ code: "NOT_FOUND", message: "Invalid category id" });
-      } else if (!file) {
-        throw new TRPCError({ code: "NOT_FOUND", message: "Invalid file id" });
-      }
-
-      try {
-        await FileRepo.addFileToCategory(input.file, input.id);
-      } catch (e) {
-        if (e instanceof IntegrityError && e.message === "File already added to category") {
-          throw new TRPCError({ code: "BAD_REQUEST", message: "File already added" });
-        }
-        throw e;
-      }
-    }),
-
-  removeFile: roleProcedure["activeClient"]
-    .input(
-      z.object({
-        id: z.int().positive(),
-        file: z.int().positive(),
-      }),
-    )
-    .mutation(async ({ ctx, input }) => {
-      const [category, file] = await Promise.all([
-        CategoryRepo.getCategory(ctx.session.userId, input.id),
-        FileRepo.getFile(ctx.session.userId, input.file),
-      ]);
-      if (!category) {
-        throw new TRPCError({ code: "NOT_FOUND", message: "Invalid category id" });
-      } else if (!file) {
-        throw new TRPCError({ code: "NOT_FOUND", message: "Invalid file id" });
-      }
-
-      try {
-        await FileRepo.removeFileFromCategory(input.file, input.id);
-      } catch (e) {
-        if (e instanceof IntegrityError && e.message === "File not found in category") {
-          throw new TRPCError({ code: "BAD_REQUEST", message: "File not added" });
-        }
-        throw e;
-      }
-    }),
-});
-
-export default categoryRouter;
--- a/src/trpc/routers/client.ts
+++ b/src/trpc/routers/client.ts
@@ -1,97 +0,0 @@
-import { TRPCError } from "@trpc/server";
-import { z } from "zod";
-import { ClientRepo, IntegrityError } from "$lib/server/db";
-import { verifyPubKey, verifySignature, generateChallenge } from "$lib/server/modules/crypto";
-import env from "$lib/server/loadenv";
-import { router, roleProcedure } from "../init.server";
-
-const createUserClientChallenge = async (
-  ip: string,
-  userId: number,
-  clientId: number,
-  encPubKey: string,
-) => {
-  const { answer, challenge } = await generateChallenge(32, encPubKey);
-  const { id } = await ClientRepo.registerUserClientChallenge(
-    userId,
-    clientId,
-    answer.toString("base64"),
-    ip,
-    new Date(Date.now() + env.challenge.userClientExp),
-  );
-
-  return { id, challenge: challenge.toString("base64") };
-};
-
-const clientRouter = router({
-  register: roleProcedure["notClient"]
-    .input(
-      z.object({
-        encPubKey: z.base64().nonempty(),
-        sigPubKey: z.base64().nonempty(),
-      }),
-    )
-    .mutation(async ({ ctx, input }) => {
-      const { userId } = ctx.session;
-      const { encPubKey, sigPubKey } = input;
-      const client = await ClientRepo.getClientByPubKeys(encPubKey, sigPubKey);
-      if (client) {
-        try {
-          await ClientRepo.createUserClient(userId, client.id);
-          return await createUserClientChallenge(ctx.locals.ip, userId, client.id, encPubKey);
-        } catch (e) {
-          if (e instanceof IntegrityError && e.message === "User client already exists") {
-            throw new TRPCError({ code: "CONFLICT", message: "Client already registered" });
-          }
-          throw e;
-        }
-      } else {
-        if (encPubKey === sigPubKey) {
-          throw new TRPCError({ code: "BAD_REQUEST", message: "Same public keys" });
-        } else if (!verifyPubKey(encPubKey) || !verifyPubKey(sigPubKey)) {
-          throw new TRPCError({ code: "BAD_REQUEST", message: "Invalid public key(s)" });
-        }
-
-        try {
-          const { id: clientId } = await ClientRepo.createClient(encPubKey, sigPubKey, userId);
-          return await createUserClientChallenge(ctx.locals.ip, userId, clientId, encPubKey);
-        } catch (e) {
-          if (e instanceof IntegrityError && e.message === "Public key(s) already registered") {
-            throw new TRPCError({ code: "CONFLICT", message: "Public key(s) already used" });
-          }
-          throw e;
-        }
-      }
-    }),
-
-  verify: roleProcedure["notClient"]
-    .input(
-      z.object({
-        id: z.int().positive(),
-        answerSig: z.base64().nonempty(),
-      }),
-    )
-    .mutation(async ({ ctx, input }) => {
-      const challenge = await ClientRepo.consumeUserClientChallenge(
-        input.id,
-        ctx.session.userId,
-        ctx.locals.ip,
-      );
-      if (!challenge) {
-        throw new TRPCError({ code: "FORBIDDEN", message: "Invalid challenge answer" });
-      }
-
-      const client = await ClientRepo.getClient(challenge.clientId);
-      if (!client) {
-        throw new TRPCError({ code: "INTERNAL_SERVER_ERROR", message: "Invalid challenge answer" });
-      } else if (
-        !verifySignature(Buffer.from(challenge.answer, "base64"), input.answerSig, client.sigPubKey)
-      ) {
-        throw new TRPCError({ code: "FORBIDDEN", message: "Invalid challenge answer signature" });
-      }
-
-      await ClientRepo.setUserClientStateToPending(ctx.session.userId, client.id);
-    }),
-});
-
-export default clientRouter;
--- a/src/trpc/routers/directory.ts
+++ b/src/trpc/routers/directory.ts
@@ -1,127 +0,0 @@
-import { TRPCError } from "@trpc/server";
-import { z } from "zod";
-import { FileRepo, IntegrityError } from "$lib/server/db";
-import { safeUnlink } from "$lib/server/modules/filesystem";
-import { directoryIdSchema } from "$lib/server/schemas";
-import { router, roleProcedure } from "../init.server";
-
-const directoryRouter = router({
-  get: roleProcedure["activeClient"]
-    .input(
-      z.object({
-        id: directoryIdSchema,
-      }),
-    )
-    .query(async ({ ctx, input }) => {
-      const directory =
-        input.id !== "root" ? await FileRepo.getDirectory(ctx.session.userId, input.id) : undefined;
-      if (directory === null) {
-        throw new TRPCError({ code: "NOT_FOUND", message: "Invalid directory id" });
-      }
-
-      const [directories, files] = await Promise.all([
-        FileRepo.getAllDirectoriesByParent(ctx.session.userId, input.id),
-        FileRepo.getAllFilesByParent(ctx.session.userId, input.id),
-      ]);
-      return {
-        metadata: directory && {
-          parent: directory.parentId,
-          mekVersion: directory.mekVersion,
-          dek: directory.encDek,
-          dekVersion: directory.dekVersion,
-          name: directory.encName.ciphertext,
-          nameIv: directory.encName.iv,
-        },
-        subDirectories: directories.map(({ id }) => id),
-        files: files.map(({ id }) => id),
-      };
-    }),
-
-  create: roleProcedure["activeClient"]
-    .input(
-      z.object({
-        parent: directoryIdSchema,
-        mekVersion: z.int().positive(),
-        dek: z.base64().nonempty(),
-        dekVersion: z.date(),
-        name: z.base64().nonempty(),
-        nameIv: z.base64().nonempty(),
-      }),
-    )
-    .mutation(async ({ ctx, input }) => {
-      const oneMinuteAgo = new Date(Date.now() - 60 * 1000);
-      const oneMinuteLater = new Date(Date.now() + 60 * 1000);
-      if (input.dekVersion <= oneMinuteAgo || input.dekVersion >= oneMinuteLater) {
-        throw new TRPCError({ code: "BAD_REQUEST", message: "Invalid DEK version" });
-      }
-
-      try {
-        await FileRepo.registerDirectory({
-          parentId: input.parent,
-          userId: ctx.session.userId,
-          mekVersion: input.mekVersion,
-          encDek: input.dek,
-          dekVersion: input.dekVersion,
-          encName: { ciphertext: input.name, iv: input.nameIv },
-        });
-      } catch (e) {
-        if (e instanceof IntegrityError && e.message === "Inactive MEK version") {
-          throw new TRPCError({ code: "BAD_REQUEST", message: e.message });
-        }
-        throw e;
-      }
-    }),
-
-  rename: roleProcedure["activeClient"]
-    .input(
-      z.object({
-        id: z.int().positive(),
-        dekVersion: z.date(),
-        name: z.base64().nonempty(),
-        nameIv: z.base64().nonempty(),
-      }),
-    )
-    .mutation(async ({ ctx, input }) => {
-      try {
-        await FileRepo.setDirectoryEncName(ctx.session.userId, input.id, input.dekVersion, {
-          ciphertext: input.name,
-          iv: input.nameIv,
-        });
-      } catch (e) {
-        if (e instanceof IntegrityError) {
-          if (e.message === "Directory not found") {
-            throw new TRPCError({ code: "NOT_FOUND", message: "Invalid directory id" });
-          } else if (e.message === "Invalid DEK version") {
-            throw new TRPCError({ code: "BAD_REQUEST", message: e.message });
-          }
-        }
-        throw e;
-      }
-    }),
-
-  delete: roleProcedure["activeClient"]
-    .input(
-      z.object({
-        id: z.int().positive(),
-      }),
-    )
-    .mutation(async ({ ctx, input }) => {
-      try {
-        const files = await FileRepo.unregisterDirectory(ctx.session.userId, input.id);
-        return {
-          deletedFiles: files.map((file) => {
-            safeUnlink(file.path); // Intended
-            safeUnlink(file.thumbnailPath); // Intended
-            return file.id;
-          }),
-        };
-      } catch (e) {
-        if (e instanceof IntegrityError && e.message === "Directory not found") {
-          throw new TRPCError({ code: "NOT_FOUND", message: "Invalid directory id" });
-        }
-        throw e;
-      }
-    }),
-});
-
-export default directoryRouter;
--- a/src/trpc/routers/file.ts
+++ b/src/trpc/routers/file.ts
@@ -1,123 +0,0 @@
-import { TRPCError } from "@trpc/server";
-import { z } from "zod";
-import { FileRepo, MediaRepo, IntegrityError } from "$lib/server/db";
-import { safeUnlink } from "$lib/server/modules/filesystem";
-import { router, roleProcedure } from "../init.server";
-
-const fileRouter = router({
-  get: roleProcedure["activeClient"]
-    .input(
-      z.object({
-        id: z.int().positive(),
-      }),
-    )
-    .query(async ({ ctx, input }) => {
-      const file = await FileRepo.getFile(ctx.session.userId, input.id);
-      if (!file) {
-        throw new TRPCError({ code: "NOT_FOUND", message: "Invalid file id" });
-      }
-
-      const categories = await FileRepo.getAllFileCategories(input.id);
-      return {
-        parent: file.parentId,
-        mekVersion: file.mekVersion,
-        dek: file.encDek,
-        dekVersion: file.dekVersion,
-        contentType: file.contentType,
-        contentIv: file.encContentIv,
-        name: file.encName.ciphertext,
-        nameIv: file.encName.iv,
-        createdAt: file.encCreatedAt?.ciphertext,
-        createdAtIv: file.encCreatedAt?.iv,
-        lastModifiedAt: file.encLastModifiedAt.ciphertext,
-        lastModifiedAtIv: file.encLastModifiedAt.iv,
-        categories: categories.map(({ id }) => id),
-      };
-    }),
-
-  list: roleProcedure["activeClient"].query(async ({ ctx }) => {
-    return await FileRepo.getAllFileIds(ctx.session.userId);
-  }),
-
-  listByHash: roleProcedure["activeClient"]
-    .input(
-      z.object({
-        hskVersion: z.int().positive(),
-        contentHmac: z.base64().nonempty(),
-      }),
-    )
-    .query(async ({ ctx, input }) => {
-      return await FileRepo.getAllFileIdsByContentHmac(
-        ctx.session.userId,
-        input.hskVersion,
-        input.contentHmac,
-      );
-    }),
-
-  listWithoutThumbnail: roleProcedure["activeClient"].query(async ({ ctx }) => {
-    return await MediaRepo.getMissingFileThumbnails(ctx.session.userId);
-  }),
-
-  rename: roleProcedure["activeClient"]
-    .input(
-      z.object({
-        id: z.int().positive(),
-        dekVersion: z.date(),
-        name: z.base64().nonempty(),
-        nameIv: z.base64().nonempty(),
-      }),
-    )
-    .mutation(async ({ ctx, input }) => {
-      try {
-        await FileRepo.setFileEncName(ctx.session.userId, input.id, input.dekVersion, {
-          ciphertext: input.name,
-          iv: input.nameIv,
-        });
-      } catch (e) {
-        if (e instanceof IntegrityError) {
-          if (e.message === "File not found") {
-            throw new TRPCError({ code: "NOT_FOUND", message: "Invalid file id" });
-          } else if (e.message === "Invalid DEK version") {
-            throw new TRPCError({ code: "BAD_REQUEST", message: e.message });
-          }
-        }
-        throw e;
-      }
-    }),
-
-  delete: roleProcedure["activeClient"]
-    .input(
-      z.object({
-        id: z.int().positive(),
-      }),
-    )
-    .mutation(async ({ ctx, input }) => {
-      try {
-        const { path, thumbnailPath } = await FileRepo.unregisterFile(ctx.session.userId, input.id);
-        safeUnlink(path); // Intended
-        safeUnlink(thumbnailPath); // Intended
-      } catch (e) {
-        if (e instanceof IntegrityError && e.message === "File not found") {
-          throw new TRPCError({ code: "NOT_FOUND", message: "Invalid file id" });
-        }
-        throw e;
-      }
-    }),
-
-  thumbnail: roleProcedure["activeClient"]
-    .input(
-      z.object({
-        id: z.int().positive(),
-      }),
-    )
-    .query(async ({ ctx, input }) => {
-      const thumbnail = await MediaRepo.getFileThumbnail(ctx.session.userId, input.id);
-      if (!thumbnail) {
-        throw new TRPCError({ code: "NOT_FOUND", message: "File or its thumbnail not found" });
-      }
-
-      return { updatedAt: thumbnail.updatedAt, contentIv: thumbnail.encContentIv };
-    }),
-});
-
-export default fileRouter;
--- a/src/trpc/routers/hsk.ts
+++ b/src/trpc/routers/hsk.ts
@@ -1,41 +0,0 @@
-import { TRPCError } from "@trpc/server";
-import { z } from "zod";
-import { HskRepo, IntegrityError } from "$lib/server/db";
-import { router, roleProcedure } from "../init.server";
-
-const hskRouter = router({
-  list: roleProcedure["activeClient"].query(async ({ ctx }) => {
-    const hsks = await HskRepo.getAllValidHsks(ctx.session.userId);
-    return hsks.map(({ version, state, mekVersion, encHsk }) => ({
-      version,
-      state,
-      mekVersion,
-      hsk: encHsk,
-    }));
-  }),
-
-  registerInitial: roleProcedure["activeClient"]
-    .input(
-      z.object({
-        mekVersion: z.int().positive(),
-        hsk: z.base64().nonempty(),
-      }),
-    )
-    .mutation(async ({ ctx, input }) => {
-      try {
-        await HskRepo.registerInitialHsk(
-          ctx.session.userId,
-          ctx.session.clientId,
-          input.mekVersion,
-          input.hsk,
-        );
-      } catch (e) {
-        if (e instanceof IntegrityError && e.message === "HSK already registered") {
-          throw new TRPCError({ code: "CONFLICT", message: "Initial HSK already registered" });
-        }
-        throw e;
-      }
-    }),
-});
-
-export default hskRouter;
--- a/src/trpc/routers/index.ts
+++ b/src/trpc/routers/index.ts
@@ -1,8 +0,0 @@
-export { default as authRouter } from "./auth";
-export { default as categoryRouter } from "./category";
-export { default as clientRouter } from "./client";
-export { default as directoryRouter } from "./directory";
-export { default as fileRouter } from "./file";
-export { default as hskRouter } from "./hsk";
-export { default as mekRouter } from "./mek";
-export { default as userRouter } from "./user";
--- a/src/trpc/routers/mek.ts
+++ b/src/trpc/routers/mek.ts
@@ -1,63 +0,0 @@
-import { TRPCError } from "@trpc/server";
-import { z } from "zod";
-import { ClientRepo, MekRepo, IntegrityError } from "$lib/server/db";
-import { verifySignature } from "$lib/server/modules/crypto";
-import { router, roleProcedure } from "../init.server";
-
-const verifyClientEncMekSig = async (
-  userId: number,
-  clientId: number,
-  version: number,
-  encMek: string,
-  encMekSig: string,
-) => {
-  const userClient = await ClientRepo.getUserClientWithDetails(userId, clientId);
-  if (!userClient) {
-    throw new TRPCError({ code: "INTERNAL_SERVER_ERROR", message: "Invalid session id" });
-  }
-
-  const data = JSON.stringify({ version, key: encMek });
-  return verifySignature(Buffer.from(data), encMekSig, userClient.sigPubKey);
-};
-
-const mekRouter = router({
-  list: roleProcedure["activeClient"].query(async ({ ctx }) => {
-    const clientMeks = await MekRepo.getAllValidClientMeks(
-      ctx.session.userId,
-      ctx.session.clientId,
-    );
-    return clientMeks.map(({ version, state, encMek, encMekSig }) => ({
-      version,
-      state,
-      mek: encMek,
-      mekSig: encMekSig,
-    }));
-  }),
-
-  registerInitial: roleProcedure["pendingClient"]
-    .input(
-      z.object({
-        mek: z.base64().nonempty(),
-        mekSig: z.base64().nonempty(),
-      }),
-    )
-    .mutation(async ({ ctx, input }) => {
-      const { userId, clientId } = ctx.session;
-      const { mek, mekSig } = input;
-      if (!(await verifyClientEncMekSig(userId, clientId, 1, mek, mekSig))) {
-        throw new TRPCError({ code: "BAD_REQUEST", message: "Invalid signature" });
-      }
-
-      try {
-        await MekRepo.registerInitialMek(userId, clientId, mek, mekSig);
-        await ClientRepo.setUserClientStateToActive(userId, clientId);
-      } catch (e) {
-        if (e instanceof IntegrityError && e.message === "MEK already registered") {
-          throw new TRPCError({ code: "CONFLICT", message: "Initial MEK already registered" });
-        }
-        throw e;
-      }
-    }),
-});
-
-export default mekRouter;
--- a/src/trpc/routers/user.ts
+++ b/src/trpc/routers/user.ts
@@ -1,16 +0,0 @@
-import { TRPCError } from "@trpc/server";
-import { UserRepo } from "$lib/server/db";
-import { router, roleProcedure } from "../init.server";
-
-const userRouter = router({
-  get: roleProcedure["any"].query(async ({ ctx }) => {
-    const user = await UserRepo.getUser(ctx.session.userId);
-    if (!user) {
-      throw new TRPCError({ code: "INTERNAL_SERVER_ERROR", message: "Invalid session id" });
-    }
-
-    return { email: user.email, nickname: user.nickname };
-  }),
-});
-
-export default userRouter;
--- a/svelte.config.js
+++ b/svelte.config.js
@@ -3,12 +3,15 @@ import { vitePreprocess } from "@sveltejs/vite-plugin-svelte";

 /** @type {import('@sveltejs/kit').Config} */
 const config = {
+  // Consult https://svelte.dev/docs/kit/integrations
+  // for more information about preprocessors
  preprocess: vitePreprocess(),
+
  kit: {
+    // adapter-auto only supports some environments, see https://svelte.dev/docs/kit/adapter-auto for a list.
+    // If your environment is not supported, or you settled on a specific environment, switch out the adapter.
+    // See https://svelte.dev/docs/kit/adapters for more information about adapters.
    adapter: adapter(),
-    alias: {
-      $trpc: "./src/trpc",
-    },
  },
 };
Author	SHA1	Message	Date
static	dfffa004ac	Merge pull request #13 from kmc7468/dev v0.5.1	2025-07-12 19:56:12 +09:00
static	0cd55a413d	Merge pull request #12 from kmc7468/dev v0.5.0	2025-07-12 06:01:08 +09:00
static	361d966a59	Merge pull request #10 from kmc7468/dev v0.4.0	2025-01-30 21:06:50 +09:00
static	aef43b8bfa	Merge pull request #6 from kmc7468/dev v0.3.0	2025-01-18 13:29:09 +09:00
static	7f128cccf6	Merge pull request #5 from kmc7468/dev v0.2.0	2025-01-13 03:53:14 +09:00
static	a198e5f6dc	Merge pull request #2 from kmc7468/dev v0.1.0	2025-01-09 06:24:31 +09:00