fix: 修改ffmpeg路径

2026-03-04 02:50:59 +08:00 · 2025-09-11 14:27:57 +08:00
420 changed files with 16590 additions and 20848 deletions
--- a/.env.example
+++ b/.env.example
@@ -1,118 +0,0 @@
 # === Core Service Ports ===
 SERVER_PORT=8080
 FRONTEND_PORT=3000
 WEBSOCKET_PORT=8082
 MYSQL_PORT=3306
 REDIS_PORT=6379
 RABBITMQ_PORT=5672
 RABBITMQ_MANAGEMENT_PORT=15672
 # === OpenSearch Configuration ===
 OPENSEARCH_PORT=9200
 OPENSEARCH_METRICS_PORT=9600
 OPENSEARCH_DASHBOARDS_PORT=5601
 OPENSEARCH_ENABLED=true
 OPENSEARCH_SCHEME=http
 OPENSEARCH_USERNAME=
 OPENSEARCH_PASSWORD=
 OPENSEARCH_HOST=opensearch
 # === Database Configuration ===
 MYSQL_DATABASE=openisle
 MYSQL_ROOT_PASSWORD=openisle
 MYSQL_USER=openisle
 MYSQL_PASSWORD=openisle
 MYSQL_HOST=mysql
 # === Redis Configuration ===
 REDIS_HOST=redis
 REDIS_DATABASE=0
 # === RabbitMQ Configuration ===
 RABBITMQ_HOST=rabbitmq
 RABBITMQ_USERNAME=nagisa
 RABBITMQ_PASSWORD=nagisa
 # === Backend Application Secrets ===
 JWT_SECRET=change-me-jwt-secret
 JWT_REASON_SECRET=change-me-jwt-reason-secret
 JWT_RESET_SECRET=change-me-jwt-reset-secret
 JWT_INVITE_SECRET=change-me-jwt-invite-secret
 JWT_EXPIRATION=2592000000
 PASSWORD_STRENGTH=LOW
 POST_PUBLISH_MODE=DIRECT
 REGISTER_MODE=WHITELIST
 UPLOAD_CHECK_TYPE=true
 UPLOAD_MAX_SIZE=5242880
 AVATAR_STYLE=pixel-art-neutral
 AVATAR_SIZE=128
 AVATAR_BASE_URL=https://api.dicebear.com/6.x
 USER_POSTS_LIMIT=10
 USER_REPLIES_LIMIT=50
 SNIPPET_LENGTH=200
 SEARCH_INDEX_PREFIX=openisle
 SEARCH_HIGHLIGHT_FRAGMENT_SIZE=200
 SEARCH_REINDEX_ON_STARTUP=true
 SEARCH_REINDEX_BATCH_SIZE=500
 CAPTCHA_ENABLED=false
 RECAPTCHA_SECRET_KEY=
 CAPTCHA_REGISTER_ENABLED=false
 CAPTCHA_LOGIN_ENABLED=false
 CAPTCHA_POST_ENABLED=false
 CAPTCHA_COMMENT_ENABLED=false
 RESEND_API_KEY=
 RESEND_FROM_EMAIL=
 COS_BASE_URL=https://<你的cos>.cos.accelerate.myqcloud.com
 COS_SECRET_ID=
 COS_SECRET_KEY=
 COS_REGION=ap-guangzhou
 COS_BUCKET_NAME=
 GITHUB_CLIENT_SECRET=
 DISCORD_CLIENT_SECRET=
 TWITTER_CLIENT_SECRET=
 TELEGRAM_BOT_TOKEN=
 OPENAI_API_KEY=
 OPENAI_MODEL=gpt-4o
 AI_FORMAT_LIMIT=3
 WEBSITE_URL=http://localhost:3000
 WEBPUSH_PUBLIC_KEY=
 WEBPUSH_PRIVATE_KEY=
 LOG_LEVEL=INFO
 # === Frontend (Nuxt) ===
 # 本地开发
 NUXT_PUBLIC_API_BASE_URL=http://localhost:8080
 # 线上环境
 # NUXT_PUBLIC_API_BASE_URL=https://www.open-isle.com
 # 测试环境
 # NUXT_PUBLIC_API_BASE_URL=https://www.staging.open-isle.com
 # 本地开发
 NUXT_PUBLIC_WEBSOCKET_URL=http://localhost:8082
 # 线上环境
 # NUXT_PUBLIC_WEBSOCKET_URL=https://www.open-isle.com/websocket
 # 测试环境 
 # NUXT_PUBLIC_WEBSOCKET_URL=https://www.staging.open-isle.com/websocket
 # 本地开发
 NUXT_PUBLIC_WEBSITE_BASE_URL=http://localhost:3000
 # 线上 & 测试 (www.staging.open-isle.com) & 本地均可使用
 NUXT_PUBLIC_GOOGLE_CLIENT_ID=777830451304-nt8afkkap18gui4f9entcha99unal744.apps.googleusercontent.com
 # 线上
 NUXT_PUBLIC_GITHUB_CLIENT_ID=Ov23liVkO1NPAX5JyWxJ
 # 测试环境 (www.staging.open-isle.com)
 # NUXT_PUBLIC_GITHUB_CLIENT_ID=Ov23li6GHPxx4MwipWnM
 # 本地
 # NUXT_PUBLIC_GITHUB_CLIENT_ID=Ov23liOlrZnPKRF7s7NN
 # 线上 & 本地均可使用
 NUXT_PUBLIC_DISCORD_CLIENT_ID=1394985417044000779
 # 线上 & 本地均可使用
 NUXT_PUBLIC_TWITTER_CLIENT_ID=ZTRTU05KSk9KTTJrTTdrVC1tc1E6MTpjaQ
 # 线上
 NUXT_PUBLIC_TELEGRAM_BOT_ID=8450237135
 # 测试环境 (www.staging.open-isle.com)
 # NUXT_PUBLIC_TELEGRAM_BOT_ID=7832207011
--- a/.github/ISSUE_TEMPLATE/新功能建议.md
+++ b/.github/ISSUE_TEMPLATE/新功能建议.md
@@ -1,9 +1,10 @@
 ---
 name: 新功能建议
 about: 请为该项目提出一个想法
-title: ""
+title: ''
-labels: ""
+labels: ''
-assignees: ""
+assignees: ''
 ---
 **你的功能请求是否与某个问题相关？请描述。**
--- a/.github/ISSUE_TEMPLATE/错误-bug报告.md
+++ b/.github/ISSUE_TEMPLATE/错误-bug报告.md
@@ -1,9 +1,10 @@
 ---
 name: 错误/Bug报告
 about: 创建报告以帮助我们改进
-title: ""
+title: ''
-labels: ""
+labels: ''
-assignees: ""
+assignees: ''
 ---
 **描述 Bug**
@@ -25,16 +26,16 @@ assignees: ""
 **桌面端（请完成以下信息）：**
- 操作系统：\[例如 iOS]
+* 操作系统：\[例如 iOS]
- 浏览器：\[例如 Chrome、Safari]
+* 浏览器：\[例如 Chrome、Safari]
- 版本：\[例如 22]
+* 版本：\[例如 22]
 **移动端（请完成以下信息）：**
- 设备：\[例如 iPhone6]
+* 设备：\[例如 iPhone6]
- 操作系统：\[例如 iOS8.1]
+* 操作系统：\[例如 iOS8.1]
- 浏览器：\[例如 系统自带浏览器、Safari]
+* 浏览器：\[例如 系统自带浏览器、Safari]
- 版本：\[例如 22]
+* 版本：\[例如 22]
 **附加上下文**
 在此添加与问题相关的其他上下文信息。
--- a/.github/workflows/deploy-staging.yml
+++ b/.github/workflows/deploy-staging.yml
@@ -12,7 +12,6 @@ jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    environment: Deploy
    if: ${{ !github.event.repository.fork }} # 只有非 fork 才执行
    steps:
      - uses: actions/checkout@v4
@@ -23,7 +22,7 @@ jobs:
          host: ${{ secrets.SSH_HOST }}
          username: root
          key: ${{ secrets.SSH_KEY }}
-          script: bash /opt/openisle/OpenIsle/deploy/deploy_staging.sh
+          script: bash /opt/openisle/deploy-staging.sh
  deploy-docs:
    needs: build-and-deploy
@@ -32,3 +31,4 @@ jobs:
    secrets: inherit
    with:
      build-id: ${{ github.run_id }}
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -2,8 +2,8 @@ name: CI & CD
 on:
  workflow_dispatch:
-  # schedule:
+  schedule:
-  #   - cron: "0 19 * * *" # 每天 UTC 19:00，相当于北京时间凌晨3点
+    - cron: "0 19 * * *"   # 每天 UTC 19:00，相当于北京时间凌晨3点
 jobs:
  build-and-deploy:
@@ -19,4 +19,4 @@ jobs:
          host: ${{ secrets.SSH_HOST }}
          username: root
          key: ${{ secrets.SSH_KEY }}
-          script: bash /opt/openisle/OpenIsle/deploy/deploy.sh
+          script: bash /opt/openisle/deploy.sh
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,19 +1,16 @@
 - [前置工作](#前置工作)
 - [前端极速调试（Docker 全量环境）](#前端极速调试docker-全量环境)
 - [启动后端服务](#启动后端服务)
    - [本地 IDEA](#本地-idea)
        - [配置环境变量](#配置环境变量)
        - [配置 IDEA 参数](#配置-idea-参数)
        - [配置 MySQL](#配置-mysql)
    - [Docker 环境](#docker-环境)
        - [配置环境变量](#配置环境变量-1)
        - [构建并启动镜像](#构建并启动镜像)
 - [启动前端服务](#启动前端服务)
-  - [连接预发或正式环境](#连接预发或正式环境)
+    - [配置环境变量](#配置环境变量-2)
    - [安装依赖和运行](#安装依赖和运行)
 - [其他配置](#其他配置)
  - [配置第三方登录以GitHub为例](#配置第三方登录以github为例)
  - [配置Resend邮箱服务](#配置resend邮箱服务)
 - [API文档](#api文档)
  - [OpenAPI文档](#openapi文档)
  - [部署时间线以及文档时效性](#部署时间线以及文档时效性)
  - [OpenAPI文档使用](#openapi文档使用)
  - [OpenAPI文档应用场景](#openapi文档应用场景)
 ## 前置工作
@@ -29,52 +26,6 @@ cd OpenIsle
 - 前端开发环境
    - Node.JS 20+
 ## 前端极速调试（Docker 全量环境）
 想要最快速地同时体验前端和后端，可直接使用仓库提供的 Docker Compose。该方案会一次性拉起数据库、消息队列、搜索、后端、WebSocket 以及前端 Dev Server，适合需要全链路联调的场景。
 1. 准备环境变量文件：
   ```shell
   cp .env.example .env
   ```
   `.env.example` 是模板，可在 `.env` 中按需覆盖如端口、密钥等配置。确保 `NUXT_PUBLIC_API_BASE_URL`、`NUXT_PUBLIC_WEBSOCKET_URL` 等仍指向 `localhost`，方便前端直接访问容器映射端口。
 2. 启动 Dev Profile：
   ```shell
   docker compose \
     -f docker/docker-compose.yaml \
     --env-file .env \
     --profile dev build
   ```
   ```shell
   docker compose \
     -f docker/docker-compose.yaml \
     --env-file .env \
     --profile dev up -d
   ```
   该命令会创建名为 `frontend_dev` 的容器并运行 `npm run dev`，浏览器访问 http://127.0.0.1:3000 即可查看页面。
   修改代码后，可以强制重新创建所有容器，执行：
   ```shell
   docker compose \
     -f docker/docker-compose.yaml \
     --env-file .env \
     --profile dev up -d --force-recreate
   ```
 3. 查看服务状态：
   ```shell
   docker compose -f docker/docker-compose.yaml --env-file .env ps
   docker compose -f docker/docker-compose.yaml --env-file .env logs -f frontend_dev
   ```
 4. 停止所有容器：
   ```shell
   docker compose -f docker/docker-compose.yaml --env-file .env --profile dev down
   ```
 如需自定义 Node 依赖缓存、数据库持久化等，可参考 `docker/docker-compose.yaml` 中各卷的定义进行调整。
 ## 启动后端服务
 启动后端服务有多种方式，选择一种即可。
@@ -92,26 +43,37 @@ IDEA 打开 `backend/` 文件夹。
 #### 配置环境变量
-1. 生成环境变量文件：
+1. 生成环境变量文件
    ```shell
    cp open-isle.env.example open-isle.env
    ```
-   `open-isle.env` 才是实际被读取的文件。可在其中补充数据库、第三方服务等配置，`open-isle.env` 已被 Git 忽略，放心修改。
+
-2. 在 IDEA 中配置「Environment file」：将 `Run/Debug Configuration` 的 `Environment variables` 指向刚刚复制的 `open-isle.env`，即可让 IDE 读取该文件。
+    `open-isle.env.example` 是环境变量模板，`open-isle.env` 才是真正读取的内容
-3. 需要调整端口或功能开关时，优先修改 `open-isle.env`，例如：
+
 2. 修改环境变量，留下需要的，比如你要开发 Google 登录业务，就需要谷歌相关的变量，数据库是一定要的
    ![环境变量](assets/contributing/backend_img_7.png)
 3. 应用环境文件，选择刚刚的 `open-isle.env`
 可以在 `open-isle.env` 按需填写个性化的配置，该文件不会被 Git 追踪。比如你想把服务跑在 `8082`（默认为 `8080`），那么直接改 `open-isle.env` 即可：
 ```ini
-   SERVER_PORT=8081
+SERVER_PORT=8082
   LOG_LEVEL=DEBUG
 ```
-也可以修改 `src/main/resources/application.properties`，但该文件会被 Git 追踪，通常不推荐。
+另一种方式是修改 `.properities` 文件（但不建议），位于 `src/main/application.properties`，该配置同样来源于 `open-isle.env`，但修改 `.properties` 文件会被 Git 追踪。
 ![配置数据库](assets/contributing/backend_img_5.png)
 #### 配置 IDEA 参数
- 设置 JDK 版本为 Java 17。
+- 设置 JDK 版本为 java 17
- 设置 VM Option，最好运行在其他端口（例如 `8081`）。若已经在 `open-isle.env` 中调整端口，可省略此步骤。
+
 - 设置 VM Option，最好运行在其他端口，非 `8080`，这里设置 `8081`
    若上面在环境变量中设置了端口，那这里就不需要再额外设置
    ```shell
    -Dserver.port=8081
    ```
@@ -120,26 +82,135 @@ IDEA 打开 `backend/` 文件夹。
 ![配置2](assets/contributing/backend_img_2.png)
-完成环境变量和运行参数设置后，即可启动 Spring Boot 应用。
+#### 配置 MySQL
 > [!TIP]
 > 如果不知道怎么配置数据库可以参考 [Docker 环境](#docker-环境) 章节
 1. 本机配置 MySQL 服务（网上很多教程，忽略）
    + 可以用 Laragon，自带 MySQL 包括 Nodejs，版本建议 `6.x`，`7` 以后需要 Lisence
    + [下载地址](https://github.com/leokhoa/laragon/releases)
 2. 填写环境变量
    ![环境变量](assets/contributing/backend_img_6.png)
    ```ini
    MYSQL_URL=jdbc:mysql://<数据库地址>:<端口>/<数据库名>?useUnicode=yes&characterEncoding=UTF-8&useInformationSchema=true&useSSL=false&serverTimezone=UTC
    MYSQL_USER=<数据库用户名>
    MYSQL_PASSWORD=<数据库密码>
    ```
 3. 执行 [`db/init/init_script.sql`](backend/src/main/resources/db/init/init_script.sql) 脚本，导入基本的数据
    管理员：**admin/123456**
    普通用户1：**user1/123456**
    普通用户2：**user2/123456**
    ![初始化脚本](assets/contributing/resources_img.png)
 #### 配置 Redis
 填写环境变量 `.env` 中的 Redis 相关配置并启动 Redis
 ```ini
 REDIS_HOST=<Redis 地址>
 REDIS_PORT=<Redis 端口>
 ```
 处理完环境问题直接跑起来就能通了
 ![运行画面](assets/contributing/backend_img_4.png)
-## 前端连接预发或正式环境
+### Docker 环境
-前端默认读取 `.env` 中的接口地址，可通过修改以下变量快速切换到预发或正式环境：
+#### 配置环境变量
-1. 按需覆盖关键变量：
+```shell
 cd docker/
 ```
 主要配置两个 `.env` 文件
 - `backend/open-isle.env`：后端环境变量，配置同上，见 [配置环境变量](#配置环境变量)。
 - `docker/.env`：Docker Compose 环境变量，主要配置 MySQL 相关
    ```shell
    cp .env.example .env
    ```
 > [!TIP]
 > 使用单独的 `.env` 文件是为了兼容线上环境或已启用 MySQL 服务的情况，如果只是想快速体验或者启动统一的环境，则推荐使用本方式。
 在指定 `docker/.env` 后，`backend/open-isle.env` 中以下配置会被覆盖，这样就确保使用了同一份配置。
 ```ini
-   NUXT_PUBLIC_API_BASE_URL=https://www.staging.open-isle.com
+MYSQL_URL=
-   NUXT_PUBLIC_WEBSOCKET_URL=https://www.staging.open-isle.com
+MYSQL_USER=
 MYSQL_PASSWORD=
 ```
   将 `staging` 替换为 `www` 即可连接正式环境。其他变量（如 OAuth Client ID、站点地址等）可根据需求调整。
 #### 构建并启动镜像
 ```shell
 docker compose up -d
 ```
 如果想了解启动过程发生了什么可以查看日志
 ```shell
 docker compose logs
 ```
 ## 启动前端服务
 > [!IMPORTANT]
 > **⚠️ 环境要求：Node.js 版本最低 20.0.0（因为 Nuxt 框架要求）**
 ```shell
 cd frontend_nuxt/
 ```
 ### 配置环境变量
 前端可以依赖本机部署的后端，也可以直接调用线上的后端接口。
 - 利用预发环境：**（⚠️ 强烈推荐只开发前端的朋友使用该环境）**
    ```shell
    cp .env.staging.example .env
    ```
 - 利用生产环境
    ```shell
    cp .env.production.example .env
    ```
 - 利用本地环境
    ```shell
    cp .env.dev.example .env
    ```
 若依赖本机部署的后端，需要修改 `.env` 中的 `NUXT_PUBLIC_API_BASE_URL` 值与后端服务端口一致
 ### 安装依赖和运行
 前端安装依赖并启动服务。
 ```shell
 # 安装依赖
 npm install --verbose
 # 运行前端服务
 npm run dev
 ```
 如此一来，浏览器访问 http://127.0.0.1:3000 即可访问前端页面。
 ## 其他配置
-### 配置第三方登录以GitHub为例
+### 配置第三方登录，这里以 GitHub 为例：
 - 修改 `application.properties` 配置
@@ -176,42 +247,8 @@ https://resend.com/emails 创建账号并登录
  `RESEND_API_KEY`：**刚刚复制的 Key**
  ![image-20250906151218330](assets/contributing/image-20250906151218330.png)
-## API文档
+## 开源共建和API文档
 ### OpenAPI文档
 https://docs.open-isle.com
 ### 部署时间线以及文档时效性
 我已经将API Docs的部署融合进本站CI & CD中，目前如下
 - 每次合入main之后，都会构建预发环境 http://staging.open-isle.com/ ,现在文档是紧随其后进行部署，也就是说代码合入main之后，如果是新增后台接口，就可以立即通过OpenAPI文档页面进行查看和调试，但是如果想通过OpenAPI调试需要选择预发环境的
 - 每日凌晨三点会构建并重新部署正式环境，届时当日合入main的新后台API也可以通过OpenAPI文档页面调试
 ![CleanShot 2025-09-10 at 12 .04.48@2x.png](https://openisle-1307107697.cos.accelerate.myqcloud.com/dynamic_assert/168303009f4047ca828344957e911ff1.png)
 👆如图是合入main之后构建预发+docs的情形，总大约耗时4分钟左右
 ### OpenAPI文档使用
 - 预发环境/正式环境切换，以通过如下位置切换API环境
 ![CleanShot 2025-09-10 at 12 .08.00@2x.png](https://openisle-1307107697.cos.accelerate.myqcloud.com/dynamic_assert/f9fb7a0f020d4a0e94159d7820783224.png)
 - API分两种，一种是需要鉴权（需登录后的token），另一种是直接访问，可以直接访问的GET请求，直接点击Send即可调试，如下👇，比如本站的推荐流rss: /api/rss: https://docs.open-isle.com/openapi/feed
 ![CleanShot 2025-09-10 at 12 .09.48@2x.png](https://openisle-1307107697.cos.accelerate.myqcloud.com/dynamic_assert/2afb42e0c96340559dd42854905ca5fc.png)
 - 需要登陆的API，比如关注，取消关注，发帖等，则需要提供token，目前在“API与调试”可获取自身token，可点击link看看👉 https://www.open-isle.com/about?tab=api
 ![CleanShot 2025-09-10 at 12 .11.07@2x.png](https://openisle-1307107697.cos.accelerate.myqcloud.com/dynamic_assert/74033f1b9cc14f2fab3cbe3b7fe306d8.png)
 copy完token之后，粘贴到Bear之后, 即可发送调试， 如下👇，大家亦可自行尝试：https://docs.open-isle.com/openapi/me
 ![CleanShot 2025-09-10 at 12 .13.00@2x.png](https://openisle-1307107697.cos.accelerate.myqcloud.com/dynamic_assert/63913fe2e70541a486651e35c723765e.png)
 #### OpenAPI文档应用场景
 - 方便大部分前端调试的需求，如果有只想做前端/客户端的同学参与本项目，该平台会大大提高效率
 - 自动化：有自动化发帖/自动化操作的需求，亦可通过该平台实现或调试
 - API文档: https://docs.open-isle.com/openapi
--- a/backend/.prettierrc
+++ b/backend/.prettierrc
@@ -1,23 +0,0 @@
 {
  "printWidth": 100,
  "tabWidth": 2,
  "useTabs": false,
  "semi": false,
  "singleQuote": true,
  "trailingComma": "all",
  "endOfLine": "lf",
  "proseWrap": "preserve",
  "plugins": ["prettier-plugin-java"],
  "overrides": [
    {
      "files": "*.java",
      "options": {
        "printWidth": 100,
        "tabWidth": 2,
        "semi": true,
        "singleQuote": false,
        "trailingComma": "es5"
      }
    }
  ]
 }
--- a/backend/open-isle.env.example
+++ b/backend/open-isle.env.example
@@ -1,6 +1,3 @@
 # 所有环境变量已集中在仓库根目录的 .env.*.example 文件。
 # 此文件保留作参考用途，如需在 Docker 之外手动配置，可按需复制。
 # === Spring Boot ===
 SERVER_PORT=8080
--- a/backend/pom.xml
+++ b/backend/pom.xml
@@ -132,23 +132,6 @@
      <artifactId>springdoc-openapi-starter-webmvc-api</artifactId>
      <version>2.2.0</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-actuator</artifactId>
    </dependency>
    <!-- 高阶 Java 客户端 -->
    <dependency>
      <groupId>org.opensearch.client</groupId>
      <artifactId>opensearch-java</artifactId>
      <version>3.2.0</version>
    </dependency>
    <!-- 低阶 RestClient，提供 org.opensearch.client.RestClient 给你的 RestClientTransport 用 -->
    <dependency>
      <groupId>org.opensearch.client</groupId>
      <artifactId>opensearch-rest-client</artifactId>
      <version>3.2.0</version>
    </dependency>
  </dependencies>
  <build>
--- a/backend/src/main/java/com/openisle/OpenIsleApplication.java
+++ b/backend/src/main/java/com/openisle/OpenIsleApplication.java
@@ -7,7 +7,6 @@ import org.springframework.scheduling.annotation.EnableScheduling;
@SpringBootApplication
@EnableScheduling
 public class OpenIsleApplication {
    public static void main(String[] args) {
        SpringApplication.run(OpenIsleApplication.class, args);
    }
--- a/backend/src/main/java/com/openisle/config/ActivityInitializer.java
+++ b/backend/src/main/java/com/openisle/config/ActivityInitializer.java
@@ -3,16 +3,15 @@ package com.openisle.config;
 import com.openisle.model.Activity;
 import com.openisle.model.ActivityType;
 import com.openisle.repository.ActivityRepository;
 import java.time.LocalDate;
 import java.time.LocalDateTime;
 import lombok.RequiredArgsConstructor;
 import org.springframework.boot.CommandLineRunner;
 import org.springframework.stereotype.Component;
 import java.time.LocalDate;
 import java.time.LocalDateTime;
@Component
@RequiredArgsConstructor
 public class ActivityInitializer implements CommandLineRunner {
    private final ActivityRepository activityRepository;
    @Override
@@ -22,9 +21,7 @@ public class ActivityInitializer implements CommandLineRunner {
            a.setTitle("🎡建站送奶茶活动");
            a.setType(ActivityType.MILK_TEA);
            a.setIcon("https://icons.veryicon.com/png/o/food--drinks/delicious-food-1/coffee-36.png");
-      a.setContent(
+            a.setContent("为了有利于建站推广以及激励发布内容，我们推出了建站送奶茶的活动，前50名达到level 1的用户，可以联系站长获取奶茶/咖啡一杯");
        "为了有利于建站推广以及激励发布内容，我们推出了建站送奶茶的活动，前50名达到level 1的用户，可以联系站长获取奶茶/咖啡一杯"
      );
            activityRepository.save(a);
        }
--- a/backend/src/main/java/com/openisle/config/AsyncConfig.java
+++ b/backend/src/main/java/com/openisle/config/AsyncConfig.java
@@ -1,15 +1,15 @@
 package com.openisle.config;
 import java.util.concurrent.Executor;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.scheduling.annotation.EnableAsync;
 import org.springframework.scheduling.concurrent.ThreadPoolTaskExecutor;
 import java.util.concurrent.Executor;
@Configuration
@EnableAsync
 public class AsyncConfig {
    @Bean(name = "notificationExecutor")
    public Executor notificationExecutor() {
        ThreadPoolTaskExecutor executor = new ThreadPoolTaskExecutor();
--- a/backend/src/main/java/com/openisle/config/CachingConfig.java
+++ b/backend/src/main/java/com/openisle/config/CachingConfig.java
@@ -7,9 +7,6 @@ import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.jsontype.impl.LaissezFaireSubTypeValidator;
 import com.fasterxml.jackson.datatype.hibernate6.Hibernate6Module;
 import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
 import java.time.Duration;
 import java.util.HashMap;
 import java.util.Map;
 import org.springframework.cache.CacheManager;
 import org.springframework.cache.annotation.EnableCaching;
 import org.springframework.context.annotation.Bean;
@@ -24,6 +21,10 @@ import org.springframework.data.redis.serializer.RedisSerializationContext;
 import org.springframework.data.redis.serializer.RedisSerializer;
 import org.springframework.data.redis.serializer.StringRedisSerializer;
 import java.time.Duration;
 import java.util.HashMap;
 import java.util.Map;
 /**
 * Redis 缓存配置类
 * @author smallclover
@@ -45,14 +46,12 @@ public class CachingConfig {
    public static final String LIMIT_CACHE_NAME="openisle_limit";
    // 用户访问统计
    public static final String VISIT_CACHE_NAME="openisle_visit";
  // 文章缓存
  public static final String POST_CACHE_NAME = "openisle_posts";
    /**
     * 自定义Redis的序列化器
     * @return
     */
-  @Bean
+    @Bean()
    @Primary
    public RedisSerializer<Object> redisSerializer() {
        // 注册 JavaTimeModule 來支持 Java 8 的日期和时间 API,否则回报一下错误，同时还要引入jsr310
@@ -65,13 +64,8 @@ public class CachingConfig {
        objectMapper.registerModule(new JavaTimeModule());
        // Hibernate6Module 可以自动处理懒加载代理对象。
        // Tag对象的creator是FetchType.LAZY
-    objectMapper.registerModule(
+        objectMapper.registerModule(new Hibernate6Module()
-      new Hibernate6Module()
+                .disable(Hibernate6Module.Feature.USE_TRANSIENT_ANNOTATION));
        .disable(Hibernate6Module.Feature.USE_TRANSIENT_ANNOTATION)
        // 将 Hibernate 特有的集合类型转换为标准 Java 集合类型
        // 避免序列化时出现 org.hibernate.collection.spi.PersistentSet 这样的类型信息
        .configure(Hibernate6Module.Feature.REPLACE_PERSISTENT_COLLECTIONS, true)
    );
        // service的时候带上类型信息
        // 启用类型信息，避免 LinkedHashMap 问题
        objectMapper.activateDefaultTyping(
@@ -87,27 +81,19 @@ public class CachingConfig {
     * 配置 Spring Cache 使用 RedisCacheManager
     */
    @Bean
-  public CacheManager cacheManager(
+    public CacheManager cacheManager(RedisConnectionFactory connectionFactory, RedisSerializer<Object> redisSerializer) {
-    RedisConnectionFactory connectionFactory,
+
    RedisSerializer<Object> redisSerializer
  ) {
        RedisCacheConfiguration config = RedisCacheConfiguration.defaultCacheConfig()
                .entryTtl(Duration.ZERO) // 默认缓存不过期
-      .serializeKeysWith(
+                .serializeKeysWith(RedisSerializationContext.SerializationPair.fromSerializer(new StringRedisSerializer()))
-        RedisSerializationContext.SerializationPair.fromSerializer(new StringRedisSerializer())
+                .serializeValuesWith(RedisSerializationContext.SerializationPair.fromSerializer(redisSerializer))
      )
      .serializeValuesWith(
        RedisSerializationContext.SerializationPair.fromSerializer(redisSerializer)
      )
                .disableCachingNullValues(); // 禁止缓存 null 值
        // 个别缓存单独设置 TTL 时间
        Map<String, RedisCacheConfiguration> cacheConfigs = new HashMap<>();
        RedisCacheConfiguration oneHourConfig = config.entryTtl(Duration.ofHours(1));
    RedisCacheConfiguration tenMinutesConfig = config.entryTtl(Duration.ofMinutes(10));
        cacheConfigs.put(TAG_CACHE_NAME, oneHourConfig);
        cacheConfigs.put(CATEGORY_CACHE_NAME, oneHourConfig);
    cacheConfigs.put(POST_CACHE_NAME, tenMinutesConfig);
        return RedisCacheManager.builder(connectionFactory)
                .cacheDefaults(config)
@@ -119,10 +105,7 @@ public class CachingConfig {
     * 配置 RedisTemplate，支持直接操作 Redis
     */
    @Bean
-  public RedisTemplate<String, Object> redisTemplate(
+    public RedisTemplate<String, Object> redisTemplate(RedisConnectionFactory connectionFactory,  RedisSerializer<Object> redisSerializer) {
    RedisConnectionFactory connectionFactory,
    RedisSerializer<Object> redisSerializer
  ) {
        RedisTemplate<String, Object> template = new RedisTemplate<>();
        template.setConnectionFactory(connectionFactory);
--- a/backend/src/main/java/com/openisle/config/ChannelInitializer.java
+++ b/backend/src/main/java/com/openisle/config/ChannelInitializer.java
@@ -9,7 +9,6 @@ import org.springframework.stereotype.Component;
@Component
@RequiredArgsConstructor
 public class ChannelInitializer implements CommandLineRunner {
    private final MessageConversationRepository conversationRepository;
    @Override
@@ -19,18 +18,14 @@ public class ChannelInitializer implements CommandLineRunner {
            chat.setChannel(true);
            chat.setName("吹水群");
            chat.setDescription("吹水聊天");
-      chat.setAvatar(
+            chat.setAvatar("https://openisle-1307107697.cos.accelerate.myqcloud.com/dynamic_assert/32647273e2334d14adfd4a6ce9db0643.jpeg");
        "https://openisle-1307107697.cos.accelerate.myqcloud.com/dynamic_assert/32647273e2334d14adfd4a6ce9db0643.jpeg"
      );
            conversationRepository.save(chat);
            MessageConversation tech = new MessageConversation();
            tech.setChannel(true);
            tech.setName("技术讨论群");
            tech.setDescription("讨论技术相关话题");
-      tech.setAvatar(
+            tech.setAvatar("https://openisle-1307107697.cos.accelerate.myqcloud.com/dynamic_assert/5edde9a5864e471caa32491dbcdaa8b2.png");
        "https://openisle-1307107697.cos.accelerate.myqcloud.com/dynamic_assert/5edde9a5864e471caa32491dbcdaa8b2.png"
      );
            conversationRepository.save(tech);
        }
    }
--- a/backend/src/main/java/com/openisle/config/CustomAccessDeniedHandler.java
+++ b/backend/src/main/java/com/openisle/config/CustomAccessDeniedHandler.java
@@ -3,23 +3,21 @@ package com.openisle.config;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.web.access.AccessDeniedHandler;
 import org.springframework.stereotype.Component;
 import java.io.IOException;
 /**
 * Returns 401 Unauthorized when an authenticated user lacks required privileges.
 */
@Component
 public class CustomAccessDeniedHandler implements AccessDeniedHandler {
    @Override
-  public void handle(
+    public void handle(HttpServletRequest request,
    HttpServletRequest request,
                       HttpServletResponse response,
-    AccessDeniedException accessDeniedException
+                       AccessDeniedException accessDeniedException) throws IOException, ServletException {
  ) throws IOException, ServletException {
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setContentType("application/json");
        response.getWriter().write("{\"error\": \"Unauthorized\"}");
--- a/backend/src/main/java/com/openisle/config/OpenApiConfig.java
+++ b/backend/src/main/java/com/openisle/config/OpenApiConfig.java
@@ -6,6 +6,7 @@ import io.swagger.v3.oas.models.info.Info;
 import io.swagger.v3.oas.models.security.SecurityRequirement;
 import io.swagger.v3.oas.models.security.SecurityScheme;
 import io.swagger.v3.oas.models.servers.Server;
 import java.util.List;
 import java.util.stream.Collectors;
 import lombok.RequiredArgsConstructor;
@@ -43,15 +44,16 @@ public class OpenApiConfig {
                        .in(SecurityScheme.In.HEADER)
                        .name(header);
-    List<Server> servers = springDocProperties
+        List<Server> servers = springDocProperties.getServers().stream()
      .getServers()
      .stream()
                .map(s -> new Server().url(s.getUrl()).description(s.getDescription()))
                .collect(Collectors.toList());
        return new OpenAPI()
                .servers(servers)
-      .info(new Info().title(title).description(description).version(version))
+                .info(new Info()
                        .title(title)
                        .description(description)
                        .version(version))
                .components(new Components().addSecuritySchemes("JWT", securityScheme))
                .addSecurityItem(new SecurityRequirement().addList("JWT"));
    }
--- a/backend/src/main/java/com/openisle/config/PointGoodInitializer.java
+++ b/backend/src/main/java/com/openisle/config/PointGoodInitializer.java
@@ -10,7 +10,6 @@ import org.springframework.stereotype.Component;
@Component
@RequiredArgsConstructor
 public class PointGoodInitializer implements CommandLineRunner {
    private final PointGoodRepository pointGoodRepository;
    @Override
@@ -19,17 +18,13 @@ public class PointGoodInitializer implements CommandLineRunner {
            PointGood g1 = new PointGood();
            g1.setName("GPT Plus 1 个月");
            g1.setCost(20000);
-      g1.setImage(
+            g1.setImage("https://openisle-1307107697.cos.ap-guangzhou.myqcloud.com/assert/icons/chatgpt.png");
        "https://openisle-1307107697.cos.ap-guangzhou.myqcloud.com/assert/icons/chatgpt.png"
      );
            pointGoodRepository.save(g1);
            PointGood g2 = new PointGood();
            g2.setName("奶茶");
            g2.setCost(5000);
-      g2.setImage(
+            g2.setImage("https://openisle-1307107697.cos.ap-guangzhou.myqcloud.com/assert/icons/coffee.png");
        "https://openisle-1307107697.cos.ap-guangzhou.myqcloud.com/assert/icons/coffee.png"
      );
            pointGoodRepository.save(g2);
        }
    }
--- a/backend/src/main/java/com/openisle/config/RabbitMQConfig.java
+++ b/backend/src/main/java/com/openisle/config/RabbitMQConfig.java
@@ -1,9 +1,5 @@
 package com.openisle.config;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import jakarta.annotation.PostConstruct;
 import java.util.ArrayList;
 import java.util.List;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.amqp.core.Binding;
@@ -11,16 +7,21 @@ import org.springframework.amqp.core.BindingBuilder;
 import org.springframework.amqp.core.Queue;
 import org.springframework.amqp.core.TopicExchange;
 import org.springframework.amqp.rabbit.connection.ConnectionFactory;
 import org.springframework.amqp.rabbit.core.RabbitAdmin;
 import org.springframework.amqp.rabbit.core.RabbitTemplate;
 import org.springframework.amqp.support.converter.Jackson2JsonMessageConverter;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.CommandLineRunner;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import org.springframework.amqp.rabbit.core.RabbitAdmin;
 import org.springframework.boot.CommandLineRunner;
 import org.springframework.context.annotation.DependsOn;
 import jakarta.annotation.PostConstruct;
 import java.util.ArrayList;
 import java.util.List;
@Configuration
@RequiredArgsConstructor
@Slf4j
@@ -70,10 +71,7 @@ public class RabbitMQConfig {
     * 创建所有分片绑定, 使用十六进制路由键 (notifications.shard.0 - notifications.shard.f)
     */
    @Bean
-  public List<Binding> shardedBindings(
+    public List<Binding> shardedBindings(TopicExchange exchange, @Qualifier("shardedQueues") List<Queue> shardedQueues) {
    TopicExchange exchange,
    @Qualifier("shardedQueues") List<Queue> shardedQueues
  ) {
        log.info("开始创建分片绑定 Bean...");
        List<Binding> bindings = new ArrayList<>();
        if (shardedQueues != null) {
@@ -110,9 +108,7 @@ public class RabbitMQConfig {
    public Jackson2JsonMessageConverter messageConverter() {
        ObjectMapper objectMapper = new ObjectMapper();
        objectMapper.registerModule(new com.fasterxml.jackson.datatype.jsr310.JavaTimeModule());
-    objectMapper.disable(
+        objectMapper.disable(com.fasterxml.jackson.databind.SerializationFeature.WRITE_DATES_AS_TIMESTAMPS);
      com.fasterxml.jackson.databind.SerializationFeature.WRITE_DATES_AS_TIMESTAMPS
    );
        return new Jackson2JsonMessageConverter(objectMapper);
    }
@@ -134,14 +130,12 @@ public class RabbitMQConfig {
     */
    @Bean
    @DependsOn({"rabbitAdmin", "shardedQueues", "exchange"})
-  public CommandLineRunner queueDeclarationRunner(
+    public CommandLineRunner queueDeclarationRunner(RabbitAdmin rabbitAdmin,
    RabbitAdmin rabbitAdmin,
                                                   @Qualifier("shardedQueues") List<Queue> shardedQueues,
                                                   TopicExchange exchange,
                                                   Queue legacyQueue,
                                                   @Qualifier("shardedBindings") List<Binding> shardedBindings,
-    Binding legacyBinding
+                                                   Binding legacyBinding) {
  ) {
        return args -> {
            log.info("=== 开始主动声明 RabbitMQ 组件 ===");
@@ -163,21 +157,14 @@ public class RabbitMQConfig {
                        rabbitAdmin.declareQueue(queue);
                        successCount++;
                    } catch (org.springframework.amqp.AmqpIOException e) {
-            if (
+                        if (e.getMessage().contains("PRECONDITION_FAILED") && e.getMessage().contains("durable")) {
              e.getMessage().contains("PRECONDITION_FAILED") && e.getMessage().contains("durable")
            ) {
                            skippedCount++;
                        }
                    } catch (Exception e) {
                        log.error("队列声明失败: {}, 错误: {}", queueName, e.getMessage());
                    }
                }
-        log.info(
+                log.info("分片队列处理完成: 成功 {}, 跳过 {}, 总数 {}", successCount, skippedCount, shardedQueues.size());
          "分片队列处理完成: 成功 {}, 跳过 {}, 总数 {}",
          successCount,
          skippedCount,
          shardedQueues.size()
        );
                // 声明分片绑定
                log.info("开始声明 {} 个分片绑定...", shardedBindings.size());
@@ -198,9 +185,7 @@ public class RabbitMQConfig {
                    rabbitAdmin.declareBinding(legacyBinding);
                    log.info("遗留队列和绑定就绪: {} (已存在或新创建)", QUEUE_NAME);
                } catch (org.springframework.amqp.AmqpIOException e) {
-          if (
+                    if (e.getMessage().contains("PRECONDITION_FAILED") && e.getMessage().contains("durable")) {
            e.getMessage().contains("PRECONDITION_FAILED") && e.getMessage().contains("durable")
          ) {
                        log.warn("遗留队列已存在但 durable 设置不匹配: {}, 保持现有队列", QUEUE_NAME);
                    } else {
                        log.error("遗留队列声明失败: {}, 错误: {}", QUEUE_NAME, e.getMessage());
@@ -211,6 +196,7 @@ public class RabbitMQConfig {
                log.info("=== RabbitMQ 组件声明完成 ===");
                log.info("请检查 RabbitMQ 管理界面确认队列已正确创建");
            } catch (Exception e) {
                log.error("RabbitMQ 组件声明过程中发生严重错误", e);
            }
--- a/backend/src/main/java/com/openisle/config/SchedulerConfig.java
+++ b/backend/src/main/java/com/openisle/config/SchedulerConfig.java
@@ -2,14 +2,13 @@ package com.openisle.config;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.scheduling.TaskScheduler;
 import org.springframework.scheduling.annotation.EnableScheduling;
 import org.springframework.scheduling.concurrent.ThreadPoolTaskScheduler;
 import org.springframework.scheduling.TaskScheduler;
@Configuration
@EnableScheduling
 public class SchedulerConfig {
    @Bean
    public TaskScheduler taskScheduler() {
        ThreadPoolTaskScheduler scheduler = new ThreadPoolTaskScheduler();
--- a/backend/src/main/java/com/openisle/config/SecurityConfig.java
+++ b/backend/src/main/java/com/openisle/config/SecurityConfig.java
@@ -1,17 +1,9 @@
 package com.openisle.config;
 import com.openisle.repository.UserRepository;
 import com.openisle.service.JwtService;
 import com.openisle.service.UserVisitService;
-import jakarta.servlet.FilterChain;
+import com.openisle.repository.UserRepository;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.time.LocalDate;
 import java.util.List;
 import lombok.RequiredArgsConstructor;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.data.redis.core.RedisTemplate;
@@ -30,20 +22,28 @@ import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.access.AccessDeniedHandler;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.web.filter.OncePerRequestFilter;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
-import org.springframework.web.filter.OncePerRequestFilter;
+import org.springframework.beans.factory.annotation.Value;
 import java.time.LocalDate;
 import java.util.List;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
@Configuration
@RequiredArgsConstructor
 public class SecurityConfig {
    private final JwtService jwtService;
    private final UserRepository userRepository;
    private final AccessDeniedHandler customAccessDeniedHandler;
    private final UserVisitService userVisitService;
    @Value("${app.website-url}")
    private String websiteUrl;
@@ -56,26 +56,18 @@ public class SecurityConfig {
    @Bean
    public UserDetailsService userDetailsService() {
-    return username ->
+        return username -> userRepository.findByUsername(username)
-      userRepository
+                .<UserDetails>map(user -> org.springframework.security.core.userdetails.User
-        .findByUsername(username)
+                        .withUsername(user.getUsername())
        .<UserDetails>map(user ->
          org.springframework.security.core.userdetails.User.withUsername(user.getUsername())
                        .password(user.getPassword())
                        .authorities(user.getRole().name())
-            .build()
+                        .build())
        )
                .orElseThrow(() -> new UsernameNotFoundException("User not found"));
    }
    @Bean
-  public AuthenticationManager authenticationManager(
+    public AuthenticationManager authenticationManager(HttpSecurity http, PasswordEncoder passwordEncoder, UserDetailsService userDetailsService) throws Exception {
-    HttpSecurity http,
+        return http.getSharedObject(AuthenticationManagerBuilder.class)
    PasswordEncoder passwordEncoder,
    UserDetailsService userDetailsService
  ) throws Exception {
    return http
      .getSharedObject(AuthenticationManagerBuilder.class)
                .userDetailsService(userDetailsService)
                .passwordEncoder(passwordEncoder)
                .and()
@@ -85,8 +77,7 @@ public class SecurityConfig {
    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration cfg = new CorsConfiguration();
-    cfg.setAllowedOrigins(
+        cfg.setAllowedOrigins(List.of(
      List.of(
                "http://127.0.0.1:8080",
                "http://127.0.0.1:8081",
                "http://127.0.0.1:8082",
@@ -97,22 +88,19 @@ public class SecurityConfig {
                "http://localhost:8081",
                "http://localhost:8082",
                "http://localhost:3000",
        "http://frontend_dev:3000",
        "http://frontend_service:3000",
                "http://localhost:3001",
                "http://localhost",
                "http://30.211.97.238:3000",
                "http://30.211.97.238",
-        "http://192.168.7.90",
+                "http://192.168.7.98",
-        "http://192.168.7.90:3000",
+                "http://192.168.7.98:3000",
                "https://petstore.swagger.io",
                // 允许自建OpenAPI地址
                "https://docs.open-isle.com",
                "https://www.docs.open-isle.com",
                websiteUrl,
                websiteUrl.replace("://www.", "://")
-      )
+        ));
    );
        cfg.setAllowedMethods(List.of("GET","POST","PUT","DELETE","OPTIONS"));
        cfg.setAllowedHeaders(List.of("*"));
        cfg.setAllowCredentials(true);
@@ -123,78 +111,43 @@ public class SecurityConfig {
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-    http
+        http.csrf(csrf -> csrf.disable())
      .csrf(csrf -> csrf.disable())
                .cors(Customizer.withDefaults())
                .headers(h -> h.frameOptions(f -> f.sameOrigin()))
                .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .exceptionHandling(eh -> eh.accessDeniedHandler(customAccessDeniedHandler))
-      .authorizeHttpRequests(auth ->
+            .authorizeHttpRequests(auth -> auth
-        auth
+                    .requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
-          .requestMatchers(HttpMethod.OPTIONS, "/**")
+                    .requestMatchers("/api/ws/**", "/api/sockjs/**").permitAll()
-          .permitAll()
+                    .requestMatchers("/api/v3/api-docs/**").permitAll()
-          .requestMatchers("/api/ws/**", "/api/sockjs/**")
+                    .requestMatchers(HttpMethod.POST, "/api/auth/**").permitAll()
-          .permitAll()
+                    .requestMatchers(HttpMethod.GET, "/api/posts/**").permitAll()
-          .requestMatchers("/api/v3/api-docs/**")
+                    .requestMatchers(HttpMethod.GET, "/api/comments/**").permitAll()
-          .permitAll()
+                    .requestMatchers(HttpMethod.GET, "/api/categories/**").permitAll()
-          .requestMatchers(HttpMethod.POST, "/api/auth/**")
+                    .requestMatchers(HttpMethod.GET, "/api/tags/**").permitAll()
-          .permitAll()
+                    .requestMatchers(HttpMethod.GET, "/api/config/**").permitAll()
-          .requestMatchers(HttpMethod.GET, "/api/posts/**")
+                    .requestMatchers(HttpMethod.POST,"/api/auth/google").permitAll()
-          .permitAll()
+                    .requestMatchers(HttpMethod.POST,"/api/auth/reason").permitAll()
-          .requestMatchers(HttpMethod.GET, "/api/comments/**")
+                    .requestMatchers(HttpMethod.GET, "/api/search/**").permitAll()
-          .permitAll()
+                    .requestMatchers(HttpMethod.GET, "/api/users/**").permitAll()
-          .requestMatchers(HttpMethod.GET, "/api/categories/**")
+                    .requestMatchers(HttpMethod.GET, "/api/medals/**").permitAll()
-          .permitAll()
+                    .requestMatchers(HttpMethod.GET, "/api/push/public-key").permitAll()
-          .requestMatchers(HttpMethod.GET, "/api/tags/**")
+                    .requestMatchers(HttpMethod.GET, "/api/reaction-types").permitAll()
-          .permitAll()
+                    .requestMatchers(HttpMethod.GET, "/api/activities/**").permitAll()
-          .requestMatchers(HttpMethod.GET, "/api/config/**")
+                    .requestMatchers(HttpMethod.GET, "/api/sitemap.xml").permitAll()
-          .permitAll()
+                    .requestMatchers(HttpMethod.GET, "/api/channels").permitAll()
-          .requestMatchers(HttpMethod.POST, "/api/auth/google")
+                    .requestMatchers(HttpMethod.GET, "/api/rss").permitAll()
-          .permitAll()
+                    .requestMatchers(HttpMethod.GET, "/api/online/**").permitAll()
-          .requestMatchers(HttpMethod.POST, "/api/auth/reason")
+                    .requestMatchers(HttpMethod.POST, "/api/online/**").permitAll()
-          .permitAll()
+                    .requestMatchers(HttpMethod.GET, "/api/point-goods").permitAll()
-          .requestMatchers(HttpMethod.GET, "/api/search/**")
+                    .requestMatchers(HttpMethod.POST, "/api/point-goods").permitAll()
-          .permitAll()
+                    .requestMatchers(HttpMethod.POST, "/api/categories/**").hasAuthority("ADMIN")
-          .requestMatchers(HttpMethod.GET, "/api/users/**")
+                    .requestMatchers(HttpMethod.POST, "/api/tags/**").authenticated()
-          .permitAll()
+                    .requestMatchers(HttpMethod.DELETE, "/api/categories/**").hasAuthority("ADMIN")
-          .requestMatchers(HttpMethod.GET, "/api/medals/**")
+                    .requestMatchers(HttpMethod.DELETE, "/api/tags/**").hasAuthority("ADMIN")
-          .permitAll()
+                    .requestMatchers(HttpMethod.GET, "/api/stats/**").hasAuthority("ADMIN")
-          .requestMatchers(HttpMethod.GET, "/api/push/public-key")
+                    .requestMatchers("/api/admin/**").hasAuthority("ADMIN")
-          .permitAll()
+                    .anyRequest().authenticated()
          .requestMatchers(HttpMethod.GET, "/api/reaction-types")
          .permitAll()
          .requestMatchers(HttpMethod.GET, "/api/activities/**")
          .permitAll()
          .requestMatchers(HttpMethod.GET, "/api/sitemap.xml")
          .permitAll()
          .requestMatchers(HttpMethod.GET, "/api/channels")
          .permitAll()
          .requestMatchers(HttpMethod.GET, "/api/rss")
          .permitAll()
          .requestMatchers(HttpMethod.GET, "/api/online/**")
          .permitAll()
          .requestMatchers(HttpMethod.POST, "/api/online/**")
          .permitAll()
          .requestMatchers(HttpMethod.GET, "/api/point-goods")
          .permitAll()
          .requestMatchers(HttpMethod.POST, "/api/point-goods")
          .permitAll()
          .requestMatchers("/actuator/**")
          .permitAll()
          .requestMatchers(HttpMethod.POST, "/api/categories/**")
          .hasAuthority("ADMIN")
          .requestMatchers(HttpMethod.POST, "/api/tags/**")
          .authenticated()
          .requestMatchers(HttpMethod.DELETE, "/api/categories/**")
          .hasAuthority("ADMIN")
          .requestMatchers(HttpMethod.DELETE, "/api/tags/**")
          .hasAuthority("ADMIN")
          .requestMatchers(HttpMethod.GET, "/api/stats/**")
          .hasAuthority("ADMIN")
          .requestMatchers("/api/admin/**")
          .hasAuthority("ADMIN")
          .anyRequest()
          .authenticated()
            )
            .addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
            .addFilterAfter(userVisitFilter(), UsernamePasswordAuthenticationFilter.class);
@@ -205,11 +158,7 @@ public class SecurityConfig {
    public OncePerRequestFilter jwtAuthenticationFilter() {
        return new OncePerRequestFilter() {
            @Override
-      protected void doFilterInternal(
+            protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        HttpServletRequest request,
        HttpServletResponse response,
        FilterChain filterChain
      ) throws ServletException, IOException {
                // 让预检请求直接通过
                if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
                    filterChain.doFilter(request, response);
@@ -218,23 +167,14 @@ public class SecurityConfig {
                String authHeader = request.getHeader("Authorization");
                String uri = request.getRequestURI();
-        boolean publicGet =
+                boolean publicGet = "GET".equalsIgnoreCase(request.getMethod()) &&
-          "GET".equalsIgnoreCase(request.getMethod()) &&
+                        (uri.startsWith("/api/posts") || uri.startsWith("/api/comments") ||
-          (uri.startsWith("/api/posts") ||
+                         uri.startsWith("/api/categories") || uri.startsWith("/api/tags") ||
-            uri.startsWith("/api/comments") ||
+                        uri.startsWith("/api/search") || uri.startsWith("/api/users") ||
-            uri.startsWith("/api/categories") ||
+                         uri.startsWith("/api/reaction-types") || uri.startsWith("/api/config") ||
-            uri.startsWith("/api/tags") ||
+                         uri.startsWith("/api/activities") || uri.startsWith("/api/push/public-key") ||
-            uri.startsWith("/api/search") ||
+                                uri.startsWith("/api/point-goods") || uri.startsWith("/api/channels") ||
-            uri.startsWith("/api/users") ||
+                         uri.startsWith("/api/sitemap.xml") || uri.startsWith("/api/medals") ||
            uri.startsWith("/api/reaction-types") ||
            uri.startsWith("/api/config") ||
            uri.startsWith("/api/activities") ||
            uri.startsWith("/api/push/public-key") ||
            uri.startsWith("/api/point-goods") ||
            uri.startsWith("/api/channels") ||
            uri.startsWith("/api/sitemap.xml") ||
            uri.startsWith("/api/medals") ||
            uri.startsWith("/actuator") ||
                         uri.startsWith("/api/rss"));
                if (authHeader != null && authHeader.startsWith("Bearer ")) {
@@ -243,27 +183,18 @@ public class SecurityConfig {
                        String username = jwtService.validateAndGetSubject(token);
                        UserDetails userDetails = userDetailsService().loadUserByUsername(username);
                        UsernamePasswordAuthenticationToken authToken = new UsernamePasswordAuthenticationToken(
-              userDetails,
+                                userDetails, null, userDetails.getAuthorities());
-              null,
+                        org.springframework.security.core.context.SecurityContextHolder.getContext().setAuthentication(authToken);
              userDetails.getAuthorities()
            );
            org.springframework.security.core.context.SecurityContextHolder.getContext().setAuthentication(
              authToken
            );
                    } catch (Exception e) {
                        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                        response.setContentType("application/json");
                        response.getWriter().write("{\"error\": \"Invalid or expired token\"}");
                        return;
                    }
-        } else if (
+                } else if (!uri.startsWith("/api/auth") && !publicGet
-          !uri.startsWith("/api/auth") &&
+                        && !uri.startsWith("/api/ws") && !uri.startsWith("/api/sockjs")
-          !publicGet &&
+                        && !uri.startsWith("/api/v3/api-docs")
-          !uri.startsWith("/api/ws") &&
+                        && !uri.startsWith("/api/online")) {
          !uri.startsWith("/api/sockjs") &&
          !uri.startsWith("/api/v3/api-docs") &&
          !uri.startsWith("/api/online")
        ) {
                    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                    response.setContentType("application/json");
                    response.getWriter().write("{\"error\": \"Missing token\"}");
@@ -279,19 +210,9 @@ public class SecurityConfig {
    public OncePerRequestFilter userVisitFilter() {
        return new OncePerRequestFilter() {
            @Override
-      protected void doFilterInternal(
+            protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
-        HttpServletRequest request,
+                var auth = org.springframework.security.core.context.SecurityContextHolder.getContext().getAuthentication();
-        HttpServletResponse response,
+                if (auth != null && auth.isAuthenticated() && !(auth instanceof org.springframework.security.authentication.AnonymousAuthenticationToken)) {
        FilterChain filterChain
      ) throws ServletException, IOException {
        var auth =
          org.springframework.security.core.context.SecurityContextHolder.getContext().getAuthentication();
        if (
          auth != null &&
          auth.isAuthenticated() &&
          !(auth instanceof
              org.springframework.security.authentication.AnonymousAuthenticationToken)
        ) {
                    String key = CachingConfig.VISIT_CACHE_NAME+":"+ LocalDate.now();
                    redisTemplate.opsForSet().add(key, auth.getName());
                }
--- a/backend/src/main/java/com/openisle/config/ShardInfo.java
+++ b/backend/src/main/java/com/openisle/config/ShardInfo.java
@@ -8,7 +8,6 @@ import lombok.NoArgsConstructor;
@AllArgsConstructor
@NoArgsConstructor
 public class ShardInfo {
    private int shardIndex;
    private String queueName;
    private String routingKey;
--- a/backend/src/main/java/com/openisle/config/ShardingStrategy.java
+++ b/backend/src/main/java/com/openisle/config/ShardingStrategy.java
@@ -1,13 +1,14 @@
 package com.openisle.config;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.atomic.AtomicLong;
 import java.util.stream.Collectors;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Component;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.atomic.AtomicLong;
 import java.util.Map;
 import java.util.stream.Collectors;
@Component
@Slf4j
 public class ShardingStrategy {
@@ -37,13 +38,8 @@ public class ShardingStrategy {
        int shard = getShardFromHexChar(firstChar);
        recordShardUsage(shard);
-    log.debug(
+        log.debug("Username '{}' -> hash '{}' -> firstChar '{}' -> shard {}", 
-      "Username '{}' -> hash '{}' -> firstChar '{}' -> shard {}",
+                 username, hash, firstChar, shard);
      username,
      hash,
      firstChar,
      shard
    );
        return getShardInfoByIndex(shard);
    }
@@ -84,4 +80,5 @@ public class ShardingStrategy {
    private void recordShardUsage(int shard) {
        shardCounts.computeIfAbsent(shard, k -> new AtomicLong(0)).incrementAndGet();
    }
 }
--- a/backend/src/main/java/com/openisle/config/SpringDocProperties.java
+++ b/backend/src/main/java/com/openisle/config/SpringDocProperties.java
@@ -10,12 +10,10 @@ import org.springframework.stereotype.Component;
@Component
@ConfigurationProperties(prefix = "springdoc.api-docs")
 public class SpringDocProperties {
    private List<ServerConfig> servers = new ArrayList<>();
    @Data
    public static class ServerConfig {
        private String url;
        private String description;
    }
--- a/backend/src/main/java/com/openisle/config/SystemUserInitializer.java
+++ b/backend/src/main/java/com/openisle/config/SystemUserInitializer.java
@@ -14,15 +14,12 @@ import org.springframework.stereotype.Component;
@Component
@RequiredArgsConstructor
 public class SystemUserInitializer implements CommandLineRunner {
    private final UserRepository userRepository;
    private final PasswordEncoder passwordEncoder;
    @Override
    public void run(String... args) {
-    userRepository
+        userRepository.findByUsername("system").orElseGet(() -> {
      .findByUsername("system")
      .orElseGet(() -> {
            User system = new User();
            system.setUsername("system");
            system.setEmail("system@openisle.local");
@@ -31,10 +28,9 @@ public class SystemUserInitializer implements CommandLineRunner {
            system.setRole(Role.USER);
            system.setVerified(true);
            system.setApproved(true);
-        system.setAvatar(
+            system.setAvatar("https://openisle-1307107697.cos.ap-guangzhou.myqcloud.com/assert/image.png");
          "https://openisle-1307107697.cos.ap-guangzhou.myqcloud.com/assert/image.png"
        );
            return userRepository.save(system);
        });
    }
 }
--- a/backend/src/main/java/com/openisle/controller/ActivityController.java
+++ b/backend/src/main/java/com/openisle/controller/ActivityController.java
@@ -9,45 +9,41 @@ import com.openisle.model.ActivityType;
 import com.openisle.model.User;
 import com.openisle.service.ActivityService;
 import com.openisle.service.UserService;
 import lombok.RequiredArgsConstructor;
 import org.springframework.security.core.Authentication;
 import org.springframework.web.bind.annotation.*;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.media.ArraySchema;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import java.util.List;
 import java.util.stream.Collectors;
 import lombok.RequiredArgsConstructor;
 import org.springframework.security.core.Authentication;
 import org.springframework.web.bind.annotation.*;
@RestController
@RequestMapping("/api/activities")
@RequiredArgsConstructor
 public class ActivityController {
    private final ActivityService activityService;
    private final UserService userService;
    private final ActivityMapper activityMapper;
    @GetMapping
    @Operation(summary = "List activities", description = "Retrieve all activities")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "List of activities",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = ActivityDto.class))))
    description = "List of activities",
    content = @Content(array = @ArraySchema(schema = @Schema(implementation = ActivityDto.class)))
  )
    public List<ActivityDto> list() {
-    return activityService.list().stream().map(activityMapper::toDto).collect(Collectors.toList());
+        return activityService.list().stream()
                .map(activityMapper::toDto)
                .collect(Collectors.toList());
    }
    @GetMapping("/milk-tea")
    @Operation(summary = "Milk tea info", description = "Get milk tea activity information")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Milk tea info",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = MilkTeaInfoDto.class)))
    description = "Milk tea info",
    content = @Content(schema = @Schema(implementation = MilkTeaInfoDto.class))
  )
    public MilkTeaInfoDto milkTea() {
        Activity a = activityService.getByType(ActivityType.MILK_TEA);
        long count = activityService.countParticipants(a);
@@ -62,16 +58,10 @@ public class ActivityController {
    @PostMapping("/milk-tea/redeem")
    @Operation(summary = "Redeem milk tea", description = "Redeem milk tea activity reward")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Redeem result",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = java.util.Map.class)))
    description = "Redeem result",
    content = @Content(schema = @Schema(implementation = java.util.Map.class))
  )
    @SecurityRequirement(name = "JWT")
-  public java.util.Map<String, String> redeemMilkTea(
+    public java.util.Map<String, String> redeemMilkTea(@RequestBody MilkTeaRedeemRequest req, Authentication auth) {
    @RequestBody MilkTeaRedeemRequest req,
    Authentication auth
  ) {
        User user = userService.findByIdentifier(auth.getName()).orElseThrow();
        Activity a = activityService.getByType(ActivityType.MILK_TEA);
        boolean first = activityService.redeem(a, user, req.getContact());
--- a/backend/src/main/java/com/openisle/controller/AdminCommentController.java
+++ b/backend/src/main/java/com/openisle/controller/AdminCommentController.java
@@ -19,18 +19,14 @@ import org.springframework.web.bind.annotation.*;
@RequestMapping("/api/admin/comments")
@RequiredArgsConstructor
 public class AdminCommentController {
    private final CommentService commentService;
    private final CommentMapper commentMapper;
    @PostMapping("/{id}/pin")
    @SecurityRequirement(name = "JWT")
    @Operation(summary = "Pin comment", description = "Pin a comment by its id")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Pinned comment",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = CommentDto.class)))
    description = "Pinned comment",
    content = @Content(schema = @Schema(implementation = CommentDto.class))
  )
    public CommentDto pin(@PathVariable Long id, Authentication auth) {
        return commentMapper.toDto(commentService.pinComment(auth.getName(), id));
    }
@@ -38,11 +34,8 @@ public class AdminCommentController {
    @PostMapping("/{id}/unpin")
    @SecurityRequirement(name = "JWT")
    @Operation(summary = "Unpin comment", description = "Remove pin from a comment")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Unpinned comment",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = CommentDto.class)))
    description = "Unpinned comment",
    content = @Content(schema = @Schema(implementation = CommentDto.class))
  )
    public CommentDto unpin(@PathVariable Long id, Authentication auth) {
        return commentMapper.toDto(commentService.unpinComment(auth.getName(), id));
    }
--- a/backend/src/main/java/com/openisle/controller/AdminConfigController.java
+++ b/backend/src/main/java/com/openisle/controller/AdminConfigController.java
@@ -17,7 +17,6 @@ import org.springframework.web.bind.annotation.*;
@RequestMapping("/api/admin/config")
@RequiredArgsConstructor
 public class AdminConfigController {
    private final PostService postService;
    private final PasswordValidator passwordValidator;
    private final AiUsageService aiUsageService;
@@ -25,15 +24,9 @@ public class AdminConfigController {
    @GetMapping
    @SecurityRequirement(name = "JWT")
-  @Operation(
+    @Operation(summary = "Get configuration", description = "Retrieve application configuration settings")
-    summary = "Get configuration",
+    @ApiResponse(responseCode = "200", description = "Current configuration",
-    description = "Retrieve application configuration settings"
+            content = @Content(schema = @Schema(implementation = ConfigDto.class)))
  )
  @ApiResponse(
    responseCode = "200",
    description = "Current configuration",
    content = @Content(schema = @Schema(implementation = ConfigDto.class))
  )
    public ConfigDto getConfig() {
        ConfigDto dto = new ConfigDto();
        dto.setPublishMode(postService.getPublishMode());
@@ -45,15 +38,9 @@ public class AdminConfigController {
    @PostMapping
    @SecurityRequirement(name = "JWT")
-  @Operation(
+    @Operation(summary = "Update configuration", description = "Update application configuration settings")
-    summary = "Update configuration",
+    @ApiResponse(responseCode = "200", description = "Updated configuration",
-    description = "Update application configuration settings"
+            content = @Content(schema = @Schema(implementation = ConfigDto.class)))
  )
  @ApiResponse(
    responseCode = "200",
    description = "Updated configuration",
    content = @Content(schema = @Schema(implementation = ConfigDto.class))
  )
    public ConfigDto updateConfig(@RequestBody ConfigDto dto) {
        if (dto.getPublishMode() != null) {
            postService.setPublishMode(dto.getPublishMode());
@@ -69,4 +56,5 @@ public class AdminConfigController {
        }
        return getConfig();
    }
 }
--- a/backend/src/main/java/com/openisle/controller/AdminController.java
+++ b/backend/src/main/java/com/openisle/controller/AdminController.java
@@ -5,24 +5,20 @@ import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import java.util.Map;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RestController;
 import java.util.Map;
 /**
 * Simple admin demo endpoint.
 */
@RestController
 public class AdminController {
    @GetMapping("/api/admin/hello")
    @SecurityRequirement(name = "JWT")
    @Operation(summary = "Admin greeting", description = "Returns a greeting for admin users")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Greeting payload",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = Map.class)))
    description = "Greeting payload",
    content = @Content(schema = @Schema(implementation = Map.class))
  )
    public Map<String, String> adminHello() {
        return Map.of("message", "Hello, Admin User");
    }
--- a/backend/src/main/java/com/openisle/controller/AdminPostController.java
+++ b/backend/src/main/java/com/openisle/controller/AdminPostController.java
@@ -9,11 +9,12 @@ import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import java.util.List;
 import java.util.stream.Collectors;
 import lombok.RequiredArgsConstructor;
 import org.springframework.web.bind.annotation.*;
 import java.util.List;
 import java.util.stream.Collectors;
 /**
 * Endpoints for administrators to manage posts.
 */
@@ -21,24 +22,16 @@ import org.springframework.web.bind.annotation.*;
@RequestMapping("/api/admin/posts")
@RequiredArgsConstructor
 public class AdminPostController {
    private final PostService postService;
    private final PostMapper postMapper;
    @GetMapping("/pending")
    @SecurityRequirement(name = "JWT")
    @Operation(summary = "List pending posts", description = "Retrieve posts awaiting approval")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Pending posts",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = PostSummaryDto.class))))
    description = "Pending posts",
    content = @Content(
      array = @ArraySchema(schema = @Schema(implementation = PostSummaryDto.class))
    )
  )
    public List<PostSummaryDto> pendingPosts() {
-    return postService
+        return postService.listPendingPosts().stream()
      .listPendingPosts()
      .stream()
                .map(postMapper::toSummaryDto)
                .collect(Collectors.toList());
    }
@@ -46,11 +39,8 @@ public class AdminPostController {
    @PostMapping("/{id}/approve")
    @SecurityRequirement(name = "JWT")
    @Operation(summary = "Approve post", description = "Approve a pending post")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Approved post",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = PostSummaryDto.class)))
    description = "Approved post",
    content = @Content(schema = @Schema(implementation = PostSummaryDto.class))
  )
    public PostSummaryDto approve(@PathVariable Long id) {
        return postMapper.toSummaryDto(postService.approvePost(id));
    }
@@ -58,11 +48,8 @@ public class AdminPostController {
    @PostMapping("/{id}/reject")
    @SecurityRequirement(name = "JWT")
    @Operation(summary = "Reject post", description = "Reject a pending post")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Rejected post",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = PostSummaryDto.class)))
    description = "Rejected post",
    content = @Content(schema = @Schema(implementation = PostSummaryDto.class))
  )
    public PostSummaryDto reject(@PathVariable Long id) {
        return postMapper.toSummaryDto(postService.rejectPost(id));
    }
@@ -70,60 +57,36 @@ public class AdminPostController {
    @PostMapping("/{id}/pin")
    @SecurityRequirement(name = "JWT")
    @Operation(summary = "Pin post", description = "Pin a post to the top")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Pinned post",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = PostSummaryDto.class)))
-    description = "Pinned post",
+    public PostSummaryDto pin(@PathVariable Long id, org.springframework.security.core.Authentication auth) {
    content = @Content(schema = @Schema(implementation = PostSummaryDto.class))
  )
  public PostSummaryDto pin(
    @PathVariable Long id,
    org.springframework.security.core.Authentication auth
  ) {
        return postMapper.toSummaryDto(postService.pinPost(id, auth.getName()));
    }
    @PostMapping("/{id}/unpin")
    @SecurityRequirement(name = "JWT")
    @Operation(summary = "Unpin post", description = "Remove a post from the top")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Unpinned post",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = PostSummaryDto.class)))
-    description = "Unpinned post",
+    public PostSummaryDto unpin(@PathVariable Long id, org.springframework.security.core.Authentication auth) {
    content = @Content(schema = @Schema(implementation = PostSummaryDto.class))
  )
  public PostSummaryDto unpin(
    @PathVariable Long id,
    org.springframework.security.core.Authentication auth
  ) {
        return postMapper.toSummaryDto(postService.unpinPost(id, auth.getName()));
    }
    @PostMapping("/{id}/rss-exclude")
    @SecurityRequirement(name = "JWT")
    @Operation(summary = "Exclude from RSS", description = "Exclude a post from RSS feed")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Updated post",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = PostSummaryDto.class)))
-    description = "Updated post",
+    public PostSummaryDto excludeFromRss(@PathVariable Long id, org.springframework.security.core.Authentication auth) {
    content = @Content(schema = @Schema(implementation = PostSummaryDto.class))
  )
  public PostSummaryDto excludeFromRss(
    @PathVariable Long id,
    org.springframework.security.core.Authentication auth
  ) {
        return postMapper.toSummaryDto(postService.excludeFromRss(id, auth.getName()));
    }
    @PostMapping("/{id}/rss-include")
    @SecurityRequirement(name = "JWT")
    @Operation(summary = "Include in RSS", description = "Include a post in the RSS feed")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Updated post",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = PostSummaryDto.class)))
-    description = "Updated post",
+    public PostSummaryDto includeInRss(@PathVariable Long id, org.springframework.security.core.Authentication auth) {
    content = @Content(schema = @Schema(implementation = PostSummaryDto.class))
  )
  public PostSummaryDto includeInRss(
    @PathVariable Long id,
    org.springframework.security.core.Authentication auth
  ) {
        return postMapper.toSummaryDto(postService.includeInRss(id, auth.getName()));
    }
 }
--- a/backend/src/main/java/com/openisle/controller/AdminTagController.java
+++ b/backend/src/main/java/com/openisle/controller/AdminTagController.java
@@ -11,16 +11,16 @@ import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import java.util.List;
 import java.util.stream.Collectors;
 import lombok.RequiredArgsConstructor;
 import org.springframework.web.bind.annotation.*;
 import java.util.List;
 import java.util.stream.Collectors;
@RestController
@RequestMapping("/api/admin/tags")
@RequiredArgsConstructor
 public class AdminTagController {
    private final TagService tagService;
    private final PostService postService;
    private final TagMapper tagMapper;
@@ -28,15 +28,10 @@ public class AdminTagController {
    @GetMapping("/pending")
    @SecurityRequirement(name = "JWT")
    @Operation(summary = "List pending tags", description = "Retrieve tags awaiting approval")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Pending tags",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = TagDto.class))))
    description = "Pending tags",
    content = @Content(array = @ArraySchema(schema = @Schema(implementation = TagDto.class)))
  )
    public List<TagDto> pendingTags() {
-    return tagService
+        return tagService.listPendingTags().stream()
      .listPendingTags()
      .stream()
                .map(t -> tagMapper.toDto(t, postService.countPostsByTag(t.getId())))
                .collect(Collectors.toList());
    }
@@ -44,11 +39,8 @@ public class AdminTagController {
    @PostMapping("/{id}/approve")
    @SecurityRequirement(name = "JWT")
    @Operation(summary = "Approve tag", description = "Approve a pending tag")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Approved tag",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = TagDto.class)))
    description = "Approved tag",
    content = @Content(schema = @Schema(implementation = TagDto.class))
  )
    public TagDto approve(@PathVariable Long id) {
        Tag tag = tagService.approveTag(id);
        long count = postService.countPostsByTag(tag.getId());
--- a/backend/src/main/java/com/openisle/controller/AdminUserController.java
+++ b/backend/src/main/java/com/openisle/controller/AdminUserController.java
@@ -3,9 +3,9 @@ package com.openisle.controller;
 import com.openisle.model.Notification;
 import com.openisle.model.NotificationType;
 import com.openisle.model.User;
 import com.openisle.service.EmailSender;
 import com.openisle.repository.NotificationRepository;
 import com.openisle.repository.UserRepository;
 import com.openisle.service.EmailSender;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.security.SecurityRequirement;
@@ -18,11 +18,9 @@ import org.springframework.web.bind.annotation.*;
@RequestMapping("/api/admin/users")
@RequiredArgsConstructor
 public class AdminUserController {
    private final UserRepository userRepository;
    private final NotificationRepository notificationRepository;
    private final EmailSender emailSender;
    @Value("${app.website-url}")
    private String websiteUrl;
@@ -35,11 +33,8 @@ public class AdminUserController {
        user.setApproved(true);
        userRepository.save(user);
        markRegisterRequestNotificationsRead(user);
-    emailSender.sendEmail(
+        emailSender.sendEmail(user.getEmail(), "您的注册已审核通过",
-      user.getEmail(),
+                "🎉您的注册已经审核通过, 点击以访问网站: " + websiteUrl);
      "您的注册已审核通过",
      "🎉您的注册已经审核通过, 点击以访问网站: " + websiteUrl
    );
        return ResponseEntity.ok().build();
    }
@@ -52,19 +47,14 @@ public class AdminUserController {
        user.setApproved(false);
        userRepository.save(user);
        markRegisterRequestNotificationsRead(user);
-    emailSender.sendEmail(
+        emailSender.sendEmail(user.getEmail(), "您的注册已被管理员拒绝",
-      user.getEmail(),
+                "您的注册被管理员拒绝, 点击链接可以重新填写理由申请: " + websiteUrl);
      "您的注册已被管理员拒绝",
      "您的注册被管理员拒绝, 点击链接可以重新填写理由申请: " + websiteUrl
    );
        return ResponseEntity.ok().build();
    }
    private void markRegisterRequestNotificationsRead(User applicant) {
-    java.util.List<Notification> notifs = notificationRepository.findByTypeAndFromUser(
+        java.util.List<Notification> notifs =
-      NotificationType.REGISTER_REQUEST,
+                notificationRepository.findByTypeAndFromUser(NotificationType.REGISTER_REQUEST, applicant);
      applicant
    );
        for (Notification n : notifs) {
            n.setRead(true);
        }
--- a/backend/src/main/java/com/openisle/controller/AiController.java
+++ b/backend/src/main/java/com/openisle/controller/AiController.java
@@ -1,13 +1,7 @@
 package com.openisle.controller;
 import com.openisle.service.AiUsageService;
 import com.openisle.service.OpenAiService;
-import io.swagger.v3.oas.annotations.Operation;
+import com.openisle.service.AiUsageService;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import java.util.Map;
 import lombok.RequiredArgsConstructor;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.Authentication;
@@ -15,6 +9,13 @@ import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import java.util.Map;
@RestController
@RequestMapping("/api/ai")
@@ -26,16 +27,11 @@ public class AiController {
    @PostMapping("/format")
    @Operation(summary = "Format markdown", description = "Format text via AI")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Formatted content",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = Map.class)))
    description = "Formatted content",
    content = @Content(schema = @Schema(implementation = Map.class))
  )
    @SecurityRequirement(name = "JWT")
-  public ResponseEntity<Map<String, String>> format(
+    public ResponseEntity<Map<String, String>> format(@RequestBody Map<String, String> req,
-    @RequestBody Map<String, String> req,
+                                                     Authentication auth) {
    Authentication auth
  ) {
        String text = req.get("text");
        if (text == null) {
            return ResponseEntity.badRequest().build();
@@ -46,8 +42,7 @@ public class AiController {
            return ResponseEntity.status(429).build();
        }
        aiUsageService.incrementAndGetCount(auth.getName());
-    return openAiService
+        return openAiService.formatMarkdown(text)
      .formatMarkdown(text)
                .map(t -> ResponseEntity.ok(Map.of("content", t)))
                .orElse(ResponseEntity.status(500).build());
    }
--- a/backend/src/main/java/com/openisle/controller/AuthController.java
+++ b/backend/src/main/java/com/openisle/controller/AuthController.java
@@ -13,20 +13,20 @@ import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import java.util.Map;
 import java.util.Optional;
 import java.util.concurrent.TimeUnit;
 import lombok.RequiredArgsConstructor;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.data.redis.core.RedisTemplate;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.*;
 import java.util.Map;
 import java.util.Optional;
 import java.util.concurrent.TimeUnit;
@RestController
@RequestMapping("/api/auth")
@RequiredArgsConstructor
 public class AuthController {
    private final UserService userService;
    private final JwtService jwtService;
    private final EmailSender emailService;
@@ -41,6 +41,7 @@ public class AuthController {
    private final UserRepository userRepository;
    private final InviteService inviteService;
    @Value("${app.captcha.enabled:false}")
    private boolean captchaEnabled;
@@ -52,11 +53,8 @@ public class AuthController {
    @PostMapping("/register")
    @Operation(summary = "Register user", description = "Register a new user account")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Registration result",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = Map.class)))
    description = "Registration result",
    content = @Content(schema = @Schema(implementation = Map.class))
  )
    public ResponseEntity<?> register(@RequestBody RegisterRequest req) {
        if (captchaEnabled && registerCaptchaEnabled && !captchaService.verify(req.getCaptcha())) {
            return ResponseEntity.badRequest().body(Map.of("error", "Invalid captcha"));
@@ -68,34 +66,23 @@ public class AuthController {
            }
            try {
                User user = userService.registerWithInvite(
-          req.getUsername(),
+                        req.getUsername(), req.getEmail(), req.getPassword());
          req.getEmail(),
          req.getPassword()
        );
                inviteService.consume(req.getInviteToken(), user.getUsername());
                // 发送确认邮件
                userService.sendVerifyMail(user, VerifyType.REGISTER);
-        return ResponseEntity.ok(
+                return ResponseEntity.ok(Map.of(
-          Map.of(
+                        "token", jwtService.generateToken(user.getUsername()),
-            "token",
+                        "reason_code", "INVITE_APPROVED"
-            jwtService.generateToken(user.getUsername()),
+                ));
            "reason_code",
            "INVITE_APPROVED"
          )
        );
            } catch (FieldException e) {
-        return ResponseEntity.badRequest().body(
+                return ResponseEntity.badRequest().body(Map.of(
-          Map.of("field", e.getField(), "error", e.getMessage())
+                        "field", e.getField(),
-        );
+                        "error", e.getMessage()
                ));
            }
        }
        User user = userService.register(
-      req.getUsername(),
+                req.getUsername(), req.getEmail(), req.getPassword(), "", registerModeService.getRegisterMode());
      req.getEmail(),
      req.getPassword(),
      "",
      registerModeService.getRegisterMode()
    );
        // 发送确认邮件
        userService.sendVerifyMail(user, VerifyType.REGISTER);
        if (!user.isApproved()) {
@@ -106,11 +93,8 @@ public class AuthController {
    @PostMapping("/verify")
    @Operation(summary = "Verify account", description = "Verify registration code")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Verification result",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = Map.class)))
    description = "Verification result",
    content = @Content(schema = @Schema(implementation = Map.class))
  )
    public ResponseEntity<?> verify(@RequestBody VerifyRequest req) {
        Optional<User> userOpt = userService.findByUsername(req.getUsername());
        if (userOpt.isEmpty()) {
@@ -121,27 +105,17 @@ public class AuthController {
            User user = userOpt.get();
            if (user.isApproved()) {
-        return ResponseEntity.ok(
+                return ResponseEntity.ok(Map.of(
-          Map.of(
+                        "message", "Verified and isApproved",
-            "message",
+                        "reason_code", "VERIFIED_AND_APPROVED",
-            "Verified and isApproved",
+                        "token", jwtService.generateToken(req.getUsername())
-            "reason_code",
+                ));
            "VERIFIED_AND_APPROVED",
            "token",
            jwtService.generateToken(req.getUsername())
          )
        );
            } else {
-        return ResponseEntity.ok(
+                return ResponseEntity.ok(Map.of(
-          Map.of(
+                        "message", "Verified",
-            "message",
+                        "reason_code", "VERIFIED",
-            "Verified",
+                        "token", jwtService.generateReasonToken(req.getUsername())
-            "reason_code",
+                ));
            "VERIFIED",
            "token",
            jwtService.generateReasonToken(req.getUsername())
          )
        );
            }
        }
        return ResponseEntity.badRequest().body(Map.of("error", "Invalid verification code"));
@@ -149,11 +123,8 @@ public class AuthController {
    @PostMapping("/login")
    @Operation(summary = "Login", description = "Authenticate with username/email and password")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Authentication result",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = Map.class)))
    description = "Authentication result",
    content = @Content(schema = @Schema(implementation = Map.class))
  )
    public ResponseEntity<?> login(@RequestBody LoginRequest req) {
        if (captchaEnabled && loginCaptchaEnabled && !captchaService.verify(req.getCaptcha())) {
            return ResponseEntity.badRequest().body(Map.of("error", "Invalid captcha"));
@@ -163,154 +134,103 @@ public class AuthController {
            userOpt = userService.findByEmail(req.getUsername());
        }
        if (userOpt.isEmpty() || !userService.matchesPassword(userOpt.get(), req.getPassword())) {
-      return ResponseEntity.badRequest().body(
+            return ResponseEntity.badRequest().body(Map.of(
-        Map.of("error", "Invalid credentials", "reason_code", "INVALID_CREDENTIALS")
+                    "error", "Invalid credentials",
-      );
+                    "reason_code", "INVALID_CREDENTIALS"));
        }
        User user = userOpt.get();
        if (!user.isVerified()) {
-      user = userService.register(
+            user = userService.register(user.getUsername(), user.getEmail(), user.getPassword(), user.getRegisterReason(), registerModeService.getRegisterMode());
        user.getUsername(),
        user.getEmail(),
        user.getPassword(),
        user.getRegisterReason(),
        registerModeService.getRegisterMode()
      );
            userService.sendVerifyMail(user, VerifyType.REGISTER);
-      return ResponseEntity.badRequest().body(
+            return ResponseEntity.badRequest().body(Map.of(
-        Map.of(
+                    "error", "User not verified",
-          "error",
+                    "reason_code", "NOT_VERIFIED",
-          "User not verified",
+                    "user_name", user.getUsername()));
          "reason_code",
          "NOT_VERIFIED",
          "user_name",
          user.getUsername()
        )
      );
        }
-    if (
+        if (RegisterMode.WHITELIST.equals(registerModeService.getRegisterMode()) && !user.isApproved()) {
      RegisterMode.WHITELIST.equals(registerModeService.getRegisterMode()) && !user.isApproved()
    ) {
            if (user.getRegisterReason() != null && !user.getRegisterReason().isEmpty()) {
-        return ResponseEntity.badRequest().body(
+                return ResponseEntity.badRequest().body(Map.of(
-          Map.of("error", "Account awaiting approval", "reason_code", "IS_APPROVING")
+                        "error", "Account awaiting approval",
-        );
+                        "reason_code", "IS_APPROVING"
                ));
            }
-      return ResponseEntity.badRequest().body(
+            return ResponseEntity.badRequest().body(Map.of(
-        Map.of(
+                    "error", "Register reason not approved",
-          "error",
+                    "reason_code", "NOT_APPROVED",
-          "Register reason not approved",
+                    "token", jwtService.generateReasonToken(user.getUsername())));
          "reason_code",
          "NOT_APPROVED",
          "token",
          jwtService.generateReasonToken(user.getUsername())
        )
      );
        }
        return ResponseEntity.ok(Map.of("token", jwtService.generateToken(user.getUsername())));
    }
    @PostMapping("/google")
    @Operation(summary = "Login with Google", description = "Authenticate using Google account")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Authentication result",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = Map.class)))
    description = "Authentication result",
    content = @Content(schema = @Schema(implementation = Map.class))
  )
    public ResponseEntity<?> loginWithGoogle(@RequestBody GoogleLoginRequest req) {
        boolean viaInvite = req.getInviteToken() != null && !req.getInviteToken().isEmpty();
-    InviteService.InviteValidateResult inviteValidateResult = inviteService.validate(
+        InviteService.InviteValidateResult inviteValidateResult = inviteService.validate(req.getInviteToken());
      req.getInviteToken()
    );
        if (viaInvite && !inviteValidateResult.isValidate()) {
            return ResponseEntity.badRequest().body(Map.of("error", "Invalid invite token"));
        }
        Optional<AuthResult> resultOpt = googleAuthService.authenticate(
                req.getIdToken(),
                registerModeService.getRegisterMode(),
-      viaInvite
+                viaInvite);
    );
        if (resultOpt.isPresent()) {
            AuthResult result = resultOpt.get();
            if (viaInvite && result.isNewUser()) {
-        inviteService.consume(
+                inviteService.consume(req.getInviteToken(), inviteValidateResult.getInviteToken().getInviter().getUsername());
-          req.getInviteToken(),
+                return ResponseEntity.ok(Map.of(
-          inviteValidateResult.getInviteToken().getInviter().getUsername()
+                        "token", jwtService.generateToken(result.getUser().getUsername()),
-        );
+                        "reason_code", "INVITE_APPROVED"
-        return ResponseEntity.ok(
+                ));
          Map.of(
            "token",
            jwtService.generateToken(result.getUser().getUsername()),
            "reason_code",
            "INVITE_APPROVED"
          )
        );
            }
            if (RegisterMode.DIRECT.equals(registerModeService.getRegisterMode())) {
-        return ResponseEntity.ok(
+                return ResponseEntity.ok(Map.of("token", jwtService.generateToken(result.getUser().getUsername())));
          Map.of("token", jwtService.generateToken(result.getUser().getUsername()))
        );
            }
            if (!result.getUser().isApproved()) {
-        if (
+                if (result.getUser().getRegisterReason() != null && !result.getUser().getRegisterReason().isEmpty()) {
-          result.getUser().getRegisterReason() != null &&
+                    return ResponseEntity.badRequest().body(Map.of(
-          !result.getUser().getRegisterReason().isEmpty()
+                            "error", "Account awaiting approval",
-        ) {
+                            "reason_code", "IS_APPROVING",
-          return ResponseEntity.badRequest().body(
+                            "token", jwtService.generateReasonToken(result.getUser().getUsername())
-            Map.of(
+                    ));
              "error",
              "Account awaiting approval",
              "reason_code",
              "IS_APPROVING",
              "token",
              jwtService.generateReasonToken(result.getUser().getUsername())
            )
          );
                }
-        return ResponseEntity.badRequest().body(
+                return ResponseEntity.badRequest().body(Map.of(
-          Map.of(
+                        "error", "Account awaiting approval",
-            "error",
+                        "reason_code", "NOT_APPROVED",
-            "Account awaiting approval",
+                        "token", jwtService.generateReasonToken(result.getUser().getUsername())
-            "reason_code",
+                ));
            "NOT_APPROVED",
            "token",
            jwtService.generateReasonToken(result.getUser().getUsername())
          )
        );
            }
-      return ResponseEntity.ok(
+            return ResponseEntity.ok(Map.of("token", jwtService.generateToken(result.getUser().getUsername())));
        Map.of("token", jwtService.generateToken(result.getUser().getUsername()))
      );
        }
-    return ResponseEntity.badRequest().body(
+        return ResponseEntity.badRequest().body(Map.of(
-      Map.of("error", "Invalid google token", "reason_code", "INVALID_CREDENTIALS")
+                "error", "Invalid google token",
-    );
+                "reason_code", "INVALID_CREDENTIALS"
        ));
    }
    @PostMapping("/reason")
-  @Operation(
+    @Operation(summary = "Submit register reason", description = "Submit registration reason for approval")
-    summary = "Submit register reason",
+    @ApiResponse(responseCode = "200", description = "Submission result",
-    description = "Submit registration reason for approval"
+            content = @Content(schema = @Schema(implementation = Map.class)))
  )
  @ApiResponse(
    responseCode = "200",
    description = "Submission result",
    content = @Content(schema = @Schema(implementation = Map.class))
  )
    public ResponseEntity<?> reason(@RequestBody MakeReasonRequest req) {
        String username = jwtService.validateAndGetSubjectForReason(req.getToken());
        Optional<User> userOpt = userService.findByUsername(username);
        if (userOpt.isEmpty()) {
-      return ResponseEntity.badRequest().body(
+            return ResponseEntity.badRequest().body(Map.of(
-        Map.of("error", "Invalid token, Please re-login", "reason_code", "INVALID_CREDENTIALS")
+                    "error", "Invalid token, Please re-login",
-      );
+                    "reason_code", "INVALID_CREDENTIALS"
            ));
        }
        if (req.getReason() == null || req.getReason().trim().length() <= 20) {
-      return ResponseEntity.badRequest().body(
+             return ResponseEntity.badRequest().body(Map.of(
-        Map.of("error", "Reason's length must longer than 20", "reason_code", "INVALID_CREDENTIALS")
+                    "error", "Reason's length must longer than 20",
-      );
+                    "reason_code", "INVALID_CREDENTIALS"
            ));
        }
        User user = userOpt.get();
@@ -325,16 +245,11 @@ public class AuthController {
    @PostMapping("/github")
    @Operation(summary = "Login with GitHub", description = "Authenticate using GitHub account")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Authentication result",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = Map.class)))
    description = "Authentication result",
    content = @Content(schema = @Schema(implementation = Map.class))
  )
    public ResponseEntity<?> loginWithGithub(@RequestBody GithubLoginRequest req) {
        boolean viaInvite = req.getInviteToken() != null && !req.getInviteToken().isEmpty();
-    InviteService.InviteValidateResult inviteValidateResult = inviteService.validate(
+        InviteService.InviteValidateResult inviteValidateResult = inviteService.validate(req.getInviteToken());
      req.getInviteToken()
    );
        if (viaInvite && !inviteValidateResult.isValidate()) {
            return ResponseEntity.badRequest().body(Map.of("error", "Invalid invite token"));
        }
@@ -342,79 +257,50 @@ public class AuthController {
                req.getCode(),
                registerModeService.getRegisterMode(),
                req.getRedirectUri(),
-      viaInvite
+                viaInvite);
    );
        if (resultOpt.isPresent()) {
            AuthResult result = resultOpt.get();
            if (viaInvite && result.isNewUser()) {
-        inviteService.consume(
+                inviteService.consume(req.getInviteToken(), inviteValidateResult.getInviteToken().getInviter().getUsername());
-          req.getInviteToken(),
+                return ResponseEntity.ok(Map.of(
-          inviteValidateResult.getInviteToken().getInviter().getUsername()
+                        "token", jwtService.generateToken(result.getUser().getUsername()),
-        );
+                        "reason_code", "INVITE_APPROVED"
-        return ResponseEntity.ok(
+                ));
          Map.of(
            "token",
            jwtService.generateToken(result.getUser().getUsername()),
            "reason_code",
            "INVITE_APPROVED"
          )
        );
            }
            if (RegisterMode.DIRECT.equals(registerModeService.getRegisterMode())) {
-        return ResponseEntity.ok(
+                return ResponseEntity.ok(Map.of("token", jwtService.generateToken(result.getUser().getUsername())));
          Map.of("token", jwtService.generateToken(result.getUser().getUsername()))
        );
            }
            if (!result.getUser().isApproved()) {
-        if (
+                if (result.getUser().getRegisterReason() != null && !result.getUser().getRegisterReason().isEmpty()) {
          result.getUser().getRegisterReason() != null &&
          !result.getUser().getRegisterReason().isEmpty()
        ) {
                    // 已填写注册理由
-          return ResponseEntity.badRequest().body(
+                    return ResponseEntity.badRequest().body(Map.of(
-            Map.of(
+                            "error", "Account awaiting approval",
-              "error",
+                            "reason_code", "IS_APPROVING",
-              "Account awaiting approval",
+                            "token", jwtService.generateReasonToken(result.getUser().getUsername())
-              "reason_code",
+                    ));
              "IS_APPROVING",
              "token",
              jwtService.generateReasonToken(result.getUser().getUsername())
            )
          );
                }
-        return ResponseEntity.badRequest().body(
+                return ResponseEntity.badRequest().body(Map.of(
-          Map.of(
+                        "error", "Account awaiting approval",
-            "error",
+                        "reason_code", "NOT_APPROVED",
-            "Account awaiting approval",
+                        "token", jwtService.generateReasonToken(result.getUser().getUsername())
-            "reason_code",
+                ));
            "NOT_APPROVED",
            "token",
            jwtService.generateReasonToken(result.getUser().getUsername())
          )
        );
            }
-      return ResponseEntity.ok(
+            return ResponseEntity.ok(Map.of("token", jwtService.generateToken(result.getUser().getUsername())));
        Map.of("token", jwtService.generateToken(result.getUser().getUsername()))
      );
        }
-    return ResponseEntity.badRequest().body(
+        return ResponseEntity.badRequest().body(Map.of(
-      Map.of("error", "Invalid github code", "reason_code", "INVALID_CREDENTIALS")
+                "error", "Invalid github code",
-    );
+                "reason_code", "INVALID_CREDENTIALS"
        ));
    }
    @PostMapping("/discord")
    @Operation(summary = "Login with Discord", description = "Authenticate using Discord account")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Authentication result",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = Map.class)))
    description = "Authentication result",
    content = @Content(schema = @Schema(implementation = Map.class))
  )
    public ResponseEntity<?> loginWithDiscord(@RequestBody DiscordLoginRequest req) {
        boolean viaInvite = req.getInviteToken() != null && !req.getInviteToken().isEmpty();
-    InviteService.InviteValidateResult inviteValidateResult = inviteService.validate(
+        InviteService.InviteValidateResult inviteValidateResult = inviteService.validate(req.getInviteToken());
      req.getInviteToken()
    );
        if (viaInvite && !inviteValidateResult.isValidate()) {
            return ResponseEntity.badRequest().body(Map.of("error", "Invalid invite token"));
        }
@@ -422,78 +308,49 @@ public class AuthController {
                req.getCode(),
                registerModeService.getRegisterMode(),
                req.getRedirectUri(),
-      viaInvite
+                viaInvite);
    );
        if (resultOpt.isPresent()) {
            AuthResult result = resultOpt.get();
            if (viaInvite && result.isNewUser()) {
-        inviteService.consume(
+                inviteService.consume(req.getInviteToken(), inviteValidateResult.getInviteToken().getInviter().getUsername());
-          req.getInviteToken(),
+                return ResponseEntity.ok(Map.of(
-          inviteValidateResult.getInviteToken().getInviter().getUsername()
+                        "token", jwtService.generateToken(result.getUser().getUsername()),
-        );
+                        "reason_code", "INVITE_APPROVED"
-        return ResponseEntity.ok(
+                ));
          Map.of(
            "token",
            jwtService.generateToken(result.getUser().getUsername()),
            "reason_code",
            "INVITE_APPROVED"
          )
        );
            }
            if (RegisterMode.DIRECT.equals(registerModeService.getRegisterMode())) {
-        return ResponseEntity.ok(
+                return ResponseEntity.ok(Map.of("token", jwtService.generateToken(result.getUser().getUsername())));
          Map.of("token", jwtService.generateToken(result.getUser().getUsername()))
        );
            }
            if (!result.getUser().isApproved()) {
-        if (
+                if (result.getUser().getRegisterReason() != null && !result.getUser().getRegisterReason().isEmpty()) {
-          result.getUser().getRegisterReason() != null &&
+                    return ResponseEntity.badRequest().body(Map.of(
-          !result.getUser().getRegisterReason().isEmpty()
+                            "error", "Account awaiting approval",
-        ) {
+                            "reason_code", "IS_APPROVING",
-          return ResponseEntity.badRequest().body(
+                            "token", jwtService.generateReasonToken(result.getUser().getUsername())
-            Map.of(
+                    ));
              "error",
              "Account awaiting approval",
              "reason_code",
              "IS_APPROVING",
              "token",
              jwtService.generateReasonToken(result.getUser().getUsername())
            )
          );
                }
-        return ResponseEntity.badRequest().body(
+                return ResponseEntity.badRequest().body(Map.of(
-          Map.of(
+                        "error", "Account awaiting approval",
-            "error",
+                        "reason_code", "NOT_APPROVED",
-            "Account awaiting approval",
+                        "token", jwtService.generateReasonToken(result.getUser().getUsername())
-            "reason_code",
+                ));
            "NOT_APPROVED",
            "token",
            jwtService.generateReasonToken(result.getUser().getUsername())
          )
        );
            }
-      return ResponseEntity.ok(
+            return ResponseEntity.ok(Map.of("token", jwtService.generateToken(result.getUser().getUsername())));
        Map.of("token", jwtService.generateToken(result.getUser().getUsername()))
      );
        }
-    return ResponseEntity.badRequest().body(
+        return ResponseEntity.badRequest().body(Map.of(
-      Map.of("error", "Invalid discord code", "reason_code", "INVALID_CREDENTIALS")
+                "error", "Invalid discord code",
-    );
+                "reason_code", "INVALID_CREDENTIALS"
        ));
    }
    @PostMapping("/twitter")
    @Operation(summary = "Login with Twitter", description = "Authenticate using Twitter account")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Authentication result",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = Map.class)))
    description = "Authentication result",
    content = @Content(schema = @Schema(implementation = Map.class))
  )
    public ResponseEntity<?> loginWithTwitter(@RequestBody TwitterLoginRequest req) {
        boolean viaInvite = req.getInviteToken() != null && !req.getInviteToken().isEmpty();
-    InviteService.InviteValidateResult inviteValidateResult = inviteService.validate(
+        InviteService.InviteValidateResult inviteValidateResult = inviteService.validate(req.getInviteToken());
      req.getInviteToken()
    );
        if (viaInvite && !inviteValidateResult.isValidate()) {
            return ResponseEntity.badRequest().body(Map.of("error", "Invalid invite token"));
        }
@@ -502,162 +359,103 @@ public class AuthController {
                req.getCodeVerifier(),
                registerModeService.getRegisterMode(),
                req.getRedirectUri(),
-      viaInvite
+                viaInvite);
    );
        if (resultOpt.isPresent()) {
            AuthResult result = resultOpt.get();
            if (viaInvite && result.isNewUser()) {
-        inviteService.consume(
+                inviteService.consume(req.getInviteToken(), inviteValidateResult.getInviteToken().getInviter().getUsername());
-          req.getInviteToken(),
+                return ResponseEntity.ok(Map.of(
-          inviteValidateResult.getInviteToken().getInviter().getUsername()
+                        "token", jwtService.generateToken(result.getUser().getUsername()),
-        );
+                        "reason_code", "INVITE_APPROVED"
-        return ResponseEntity.ok(
+                ));
          Map.of(
            "token",
            jwtService.generateToken(result.getUser().getUsername()),
            "reason_code",
            "INVITE_APPROVED"
          )
        );
            }
            if (RegisterMode.DIRECT.equals(registerModeService.getRegisterMode())) {
-        return ResponseEntity.ok(
+                return ResponseEntity.ok(Map.of("token", jwtService.generateToken(result.getUser().getUsername())));
          Map.of("token", jwtService.generateToken(result.getUser().getUsername()))
        );
            }
            if (!result.getUser().isApproved()) {
-        if (
+                if (result.getUser().getRegisterReason() != null && !result.getUser().getRegisterReason().isEmpty()) {
-          result.getUser().getRegisterReason() != null &&
+                    return ResponseEntity.badRequest().body(Map.of(
-          !result.getUser().getRegisterReason().isEmpty()
+                            "error", "Account awaiting approval",
-        ) {
+                            "reason_code", "IS_APPROVING",
-          return ResponseEntity.badRequest().body(
+                            "token", jwtService.generateReasonToken(result.getUser().getUsername())
-            Map.of(
+                    ));
              "error",
              "Account awaiting approval",
              "reason_code",
              "IS_APPROVING",
              "token",
              jwtService.generateReasonToken(result.getUser().getUsername())
            )
          );
                }
-        return ResponseEntity.badRequest().body(
+                return ResponseEntity.badRequest().body(Map.of(
-          Map.of(
+                        "error", "Account awaiting approval",
-            "error",
+                        "reason_code", "NOT_APPROVED",
-            "Account awaiting approval",
+                        "token", jwtService.generateReasonToken(result.getUser().getUsername())
-            "reason_code",
+                ));
            "NOT_APPROVED",
            "token",
            jwtService.generateReasonToken(result.getUser().getUsername())
          )
        );
            }
-      return ResponseEntity.ok(
+            return ResponseEntity.ok(Map.of("token", jwtService.generateToken(result.getUser().getUsername())));
        Map.of("token", jwtService.generateToken(result.getUser().getUsername()))
      );
        }
-    return ResponseEntity.badRequest().body(
+        return ResponseEntity.badRequest().body(Map.of(
-      Map.of("error", "Invalid twitter code", "reason_code", "INVALID_CREDENTIALS")
+                "error", "Invalid twitter code",
-    );
+                "reason_code", "INVALID_CREDENTIALS"
        ));
    }
    @PostMapping("/telegram")
    @Operation(summary = "Login with Telegram", description = "Authenticate using Telegram data")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Authentication result",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = Map.class)))
    description = "Authentication result",
    content = @Content(schema = @Schema(implementation = Map.class))
  )
    public ResponseEntity<?> loginWithTelegram(@RequestBody TelegramLoginRequest req) {
        boolean viaInvite = req.getInviteToken() != null && !req.getInviteToken().isEmpty();
-    InviteService.InviteValidateResult inviteValidateResult = inviteService.validate(
+        InviteService.InviteValidateResult inviteValidateResult = inviteService.validate(req.getInviteToken());
      req.getInviteToken()
    );
        if (viaInvite && !inviteValidateResult.isValidate()) {
            return ResponseEntity.badRequest().body(Map.of("error", "Invalid invite token"));
        }
        Optional<AuthResult> resultOpt = telegramAuthService.authenticate(
                req,
                registerModeService.getRegisterMode(),
-      viaInvite
+                viaInvite);
    );
        if (resultOpt.isPresent()) {
            AuthResult result = resultOpt.get();
            if (viaInvite && result.isNewUser()) {
-        inviteService.consume(
+                inviteService.consume(req.getInviteToken(), inviteValidateResult.getInviteToken().getInviter().getUsername());
-          req.getInviteToken(),
+                return ResponseEntity.ok(Map.of(
-          inviteValidateResult.getInviteToken().getInviter().getUsername()
+                        "token", jwtService.generateToken(result.getUser().getUsername()),
-        );
+                        "reason_code", "INVITE_APPROVED"
-        return ResponseEntity.ok(
+                ));
          Map.of(
            "token",
            jwtService.generateToken(result.getUser().getUsername()),
            "reason_code",
            "INVITE_APPROVED"
          )
        );
            }
            if (RegisterMode.DIRECT.equals(registerModeService.getRegisterMode())) {
-        return ResponseEntity.ok(
+                return ResponseEntity.ok(Map.of("token", jwtService.generateToken(result.getUser().getUsername())));
          Map.of("token", jwtService.generateToken(result.getUser().getUsername()))
        );
            }
            if (!result.getUser().isApproved()) {
-        if (
+                if (result.getUser().getRegisterReason() != null && !result.getUser().getRegisterReason().isEmpty()) {
-          result.getUser().getRegisterReason() != null &&
+                    return ResponseEntity.badRequest().body(Map.of(
-          !result.getUser().getRegisterReason().isEmpty()
+                            "error", "Account awaiting approval",
-        ) {
+                            "reason_code", "IS_APPROVING",
-          return ResponseEntity.badRequest().body(
+                            "token", jwtService.generateReasonToken(result.getUser().getUsername())
-            Map.of(
+                    ));
              "error",
              "Account awaiting approval",
              "reason_code",
              "IS_APPROVING",
              "token",
              jwtService.generateReasonToken(result.getUser().getUsername())
            )
          );
                }
-        return ResponseEntity.badRequest().body(
+                return ResponseEntity.badRequest().body(Map.of(
-          Map.of(
+                        "error", "Account awaiting approval",
-            "error",
+                        "reason_code", "NOT_APPROVED",
-            "Account awaiting approval",
+                        "token", jwtService.generateReasonToken(result.getUser().getUsername())
-            "reason_code",
+                ));
            "NOT_APPROVED",
            "token",
            jwtService.generateReasonToken(result.getUser().getUsername())
          )
        );
            }
-      return ResponseEntity.ok(
+            return ResponseEntity.ok(Map.of("token", jwtService.generateToken(result.getUser().getUsername())));
        Map.of("token", jwtService.generateToken(result.getUser().getUsername()))
      );
        }
-    return ResponseEntity.badRequest().body(
+        return ResponseEntity.badRequest().body(Map.of(
-      Map.of("error", "Invalid telegram data", "reason_code", "INVALID_CREDENTIALS")
+                "error", "Invalid telegram data",
-    );
+                "reason_code", "INVALID_CREDENTIALS"
        ));
    }
    @GetMapping("/check")
    @SecurityRequirement(name = "JWT")
    @Operation(summary = "Check token", description = "Validate JWT token")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Token valid",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = Map.class)))
    description = "Token valid",
    content = @Content(schema = @Schema(implementation = Map.class))
  )
    public ResponseEntity<?> checkToken() {
        return ResponseEntity.ok(Map.of("valid", true));
    }
    @PostMapping("/forgot/send")
    @Operation(summary = "Send reset code", description = "Send verification code for password reset")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Sending result",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = Map.class)))
    description = "Sending result",
    content = @Content(schema = @Schema(implementation = Map.class))
  )
    public ResponseEntity<?> sendReset(@RequestBody ForgotPasswordRequest req) {
        Optional<User> userOpt = userService.findByEmail(req.getEmail());
        if (userOpt.isEmpty()) {
@@ -669,11 +467,8 @@ public class AuthController {
    @PostMapping("/forgot/verify")
    @Operation(summary = "Verify reset code", description = "Verify password reset code")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Verification result",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = Map.class)))
    description = "Verification result",
    content = @Content(schema = @Schema(implementation = Map.class))
  )
    public ResponseEntity<?> verifyReset(@RequestBody VerifyForgotRequest req) {
        Optional<User> userOpt = userService.findByEmail(req.getEmail());
        if (userOpt.isEmpty()) {
@@ -689,20 +484,18 @@ public class AuthController {
    @PostMapping("/forgot/reset")
    @Operation(summary = "Reset password", description = "Reset user password after verification")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Reset result",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = Map.class)))
    description = "Reset result",
    content = @Content(schema = @Schema(implementation = Map.class))
  )
    public ResponseEntity<?> resetPassword(@RequestBody ResetPasswordRequest req) {
        String username = jwtService.validateAndGetSubjectForReset(req.getToken());
        try {
            userService.updatePassword(username, req.getPassword());
            return ResponseEntity.ok(Map.of("message", "Password updated"));
        } catch (FieldException e) {
-      return ResponseEntity.badRequest().body(
+            return ResponseEntity.badRequest().body(Map.of(
-        Map.of("field", e.getField(), "error", e.getMessage())
+                    "field", e.getField(),
-      );
+                    "error", e.getMessage()
            ));
        }
    }
--- a/backend/src/main/java/com/openisle/controller/CategoryController.java
+++ b/backend/src/main/java/com/openisle/controller/CategoryController.java
@@ -8,22 +8,22 @@ import com.openisle.mapper.PostMapper;
 import com.openisle.model.Category;
 import com.openisle.service.CategoryService;
 import com.openisle.service.PostService;
 import lombok.RequiredArgsConstructor;
 import org.springframework.web.bind.annotation.*;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.media.ArraySchema;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import java.util.List;
 import java.util.Map;
 import java.util.stream.Collectors;
 import lombok.RequiredArgsConstructor;
 import org.springframework.web.bind.annotation.*;
@RestController
@RequestMapping("/api/categories")
@RequiredArgsConstructor
 public class CategoryController {
    private final CategoryService categoryService;
    private final PostService postService;
    private final PostMapper postMapper;
@@ -31,37 +31,20 @@ public class CategoryController {
    @PostMapping
    @Operation(summary = "Create category", description = "Create a new category")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Created category",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = CategoryDto.class)))
    description = "Created category",
    content = @Content(schema = @Schema(implementation = CategoryDto.class))
  )
    public CategoryDto create(@RequestBody CategoryRequest req) {
-    Category c = categoryService.createCategory(
+        Category c = categoryService.createCategory(req.getName(), req.getDescription(), req.getIcon(), req.getSmallIcon());
      req.getName(),
      req.getDescription(),
      req.getIcon(),
      req.getSmallIcon()
    );
        long count = postService.countPostsByCategory(c.getId());
        return categoryMapper.toDto(c, count);
    }
    @PutMapping("/{id}")
    @Operation(summary = "Update category", description = "Update an existing category")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Updated category",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = CategoryDto.class)))
    description = "Updated category",
    content = @Content(schema = @Schema(implementation = CategoryDto.class))
  )
    public CategoryDto update(@PathVariable Long id, @RequestBody CategoryRequest req) {
-    Category c = categoryService.updateCategory(
+        Category c = categoryService.updateCategory(id, req.getName(), req.getDescription(), req.getIcon(), req.getSmallIcon());
      id,
      req.getName(),
      req.getDescription(),
      req.getIcon(),
      req.getSmallIcon()
    );
        long count = postService.countPostsByCategory(c.getId());
        return categoryMapper.toDto(c, count);
    }
@@ -75,17 +58,13 @@ public class CategoryController {
    @GetMapping
    @Operation(summary = "List categories", description = "Get all categories")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "List of categories",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = CategoryDto.class))))
    description = "List of categories",
    content = @Content(array = @ArraySchema(schema = @Schema(implementation = CategoryDto.class)))
  )
    public List<CategoryDto> list() {
        List<Category> all = categoryService.listCategories();
        List<Long> ids = all.stream().map(Category::getId).toList();
        Map<Long, Long> postsCntByCategoryIds = postService.countPostsByCategoryIds(ids);
-    return all
+        return all.stream()
      .stream()
                .map(c -> categoryMapper.toDto(c, postsCntByCategoryIds.getOrDefault(c.getId(), 0L)))
                .sorted((a, b) -> Long.compare(b.getCount(), a.getCount()))
                .collect(Collectors.toList());
@@ -93,11 +72,8 @@ public class CategoryController {
    @GetMapping("/{id}")
    @Operation(summary = "Get category", description = "Get category by id")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Category detail",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = CategoryDto.class)))
    description = "Category detail",
    content = @Content(schema = @Schema(implementation = CategoryDto.class))
  )
    public CategoryDto get(@PathVariable Long id) {
        Category c = categoryService.getCategory(id);
        long count = postService.countPostsByCategory(c.getId());
@@ -106,20 +82,12 @@ public class CategoryController {
    @GetMapping("/{id}/posts")
    @Operation(summary = "List posts by category", description = "Get posts under a category")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "List of posts",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = PostSummaryDto.class))))
-    description = "List of posts",
+    public List<PostSummaryDto> listPostsByCategory(@PathVariable Long id,
    content = @Content(
      array = @ArraySchema(schema = @Schema(implementation = PostSummaryDto.class))
    )
  )
  public List<PostSummaryDto> listPostsByCategory(
    @PathVariable Long id,
                                                    @RequestParam(value = "page", required = false) Integer page,
-    @RequestParam(value = "pageSize", required = false) Integer pageSize
+                                                    @RequestParam(value = "pageSize", required = false) Integer pageSize) {
-  ) {
+        return postService.listPostsByCategories(java.util.List.of(id), page, pageSize)
    return postService
      .listPostsByCategories(java.util.List.of(id), page, pageSize)
                .stream()
                .map(postMapper::toSummaryDto)
                .collect(Collectors.toList());
--- a/backend/src/main/java/com/openisle/controller/ChannelController.java
+++ b/backend/src/main/java/com/openisle/controller/ChannelController.java
@@ -5,40 +5,36 @@ import com.openisle.model.User;
 import com.openisle.repository.UserRepository;
 import com.openisle.service.ChannelService;
 import com.openisle.service.MessageService;
 import lombok.RequiredArgsConstructor;
 import org.springframework.security.core.Authentication;
 import org.springframework.web.bind.annotation.*;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.media.ArraySchema;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import java.util.List;
 import lombok.RequiredArgsConstructor;
 import org.springframework.security.core.Authentication;
 import org.springframework.web.bind.annotation.*;
@RestController
@RequestMapping("/api/channels")
@RequiredArgsConstructor
 public class ChannelController {
    private final ChannelService channelService;
    private final MessageService messageService;
    private final UserRepository userRepository;
    private Long getCurrentUserId(Authentication auth) {
-    User user = userRepository
+        User user = userRepository.findByUsername(auth.getName())
      .findByUsername(auth.getName())
                .orElseThrow(() -> new IllegalArgumentException("User not found"));
        return user.getId();
    }
    @GetMapping
    @Operation(summary = "List channels", description = "List channels for the current user")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Channels",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = ChannelDto.class))))
    description = "Channels",
    content = @Content(array = @ArraySchema(schema = @Schema(implementation = ChannelDto.class)))
  )
    @SecurityRequirement(name = "JWT")
    public List<ChannelDto> listChannels(Authentication auth) {
        return channelService.listChannels(getCurrentUserId(auth));
@@ -46,11 +42,8 @@ public class ChannelController {
    @PostMapping("/{channelId}/join")
    @Operation(summary = "Join channel", description = "Join a channel")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Joined channel",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = ChannelDto.class)))
    description = "Joined channel",
    content = @Content(schema = @Schema(implementation = ChannelDto.class))
  )
    @SecurityRequirement(name = "JWT")
    public ChannelDto joinChannel(@PathVariable Long channelId, Authentication auth) {
        return channelService.joinChannel(channelId, getCurrentUserId(auth));
@@ -58,11 +51,8 @@ public class ChannelController {
    @GetMapping("/unread-count")
    @Operation(summary = "Unread count", description = "Get unread channel count")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Unread count",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = Long.class)))
    description = "Unread count",
    content = @Content(schema = @Schema(implementation = Long.class))
  )
    @SecurityRequirement(name = "JWT")
    public long unreadCount(Authentication auth) {
        return messageService.getUnreadChannelCount(getCurrentUserId(auth));
--- a/backend/src/main/java/com/openisle/controller/CommentController.java
+++ b/backend/src/main/java/com/openisle/controller/CommentController.java
@@ -1,45 +1,39 @@
 package com.openisle.controller;
 import com.openisle.model.Comment;
 import com.openisle.dto.CommentDto;
 import com.openisle.dto.CommentRequest;
 import com.openisle.dto.PostChangeLogDto;
 import com.openisle.dto.TimelineItemDto;
 import com.openisle.mapper.CommentMapper;
-import com.openisle.mapper.PostChangeLogMapper;
+import com.openisle.service.CaptchaService;
-import com.openisle.model.Comment;
+import com.openisle.service.CommentService;
-import com.openisle.model.CommentSort;
+import com.openisle.service.LevelService;
-import com.openisle.service.*;
+import com.openisle.service.PointService;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.media.ArraySchema;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import java.time.LocalDateTime;
 import java.util.ArrayList;
 import java.util.Comparator;
 import java.util.List;
 import java.util.stream.Collectors;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.Authentication;
 import org.springframework.web.bind.annotation.*;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.media.ArraySchema;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import java.util.List;
 import java.util.stream.Collectors;
@RestController
@RequestMapping("/api")
@RequiredArgsConstructor
@Slf4j
 public class CommentController {
    private final CommentService commentService;
    private final LevelService levelService;
    private final CaptchaService captchaService;
    private final CommentMapper commentMapper;
    private final PointService pointService;
  private final PostChangeLogService changeLogService;
  private final PostChangeLogMapper postChangeLogMapper;
    @Value("${app.captcha.enabled:false}")
    private boolean captchaEnabled;
@@ -49,17 +43,12 @@ public class CommentController {
    @PostMapping("/posts/{postId}/comments")
    @Operation(summary = "Create comment", description = "Add a comment to a post")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Created comment",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = CommentDto.class)))
    description = "Created comment",
    content = @Content(schema = @Schema(implementation = CommentDto.class))
  )
    @SecurityRequirement(name = "JWT")
-  public ResponseEntity<CommentDto> createComment(
+    public ResponseEntity<CommentDto> createComment(@PathVariable Long postId,
    @PathVariable Long postId,
                                                    @RequestBody CommentRequest req,
-    Authentication auth
+                                                    Authentication auth) {
  ) {
        log.debug("createComment called by user {} for post {}", auth.getName(), postId);
        if (captchaEnabled && commentCaptchaEnabled && !captchaService.verify(req.getCaptcha())) {
            log.debug("Captcha verification failed for user {} on post {}", auth.getName(), postId);
@@ -75,17 +64,12 @@ public class CommentController {
    @PostMapping("/comments/{commentId}/replies")
    @Operation(summary = "Reply to comment", description = "Reply to an existing comment")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Reply created",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = CommentDto.class)))
    description = "Reply created",
    content = @Content(schema = @Schema(implementation = CommentDto.class))
  )
    @SecurityRequirement(name = "JWT")
-  public ResponseEntity<CommentDto> replyComment(
+    public ResponseEntity<CommentDto> replyComment(@PathVariable Long commentId,
    @PathVariable Long commentId,
                                                   @RequestBody CommentRequest req,
-    Authentication auth
+                                                   Authentication auth) {
  ) {
        log.debug("replyComment called by user {} for comment {}", auth.getName(), commentId);
        if (captchaEnabled && commentCaptchaEnabled && !captchaService.verify(req.getCaptcha())) {
            log.debug("Captcha verification failed for user {} on comment {}", auth.getName(), commentId);
@@ -100,88 +84,16 @@ public class CommentController {
    @GetMapping("/posts/{postId}/comments")
    @Operation(summary = "List comments", description = "List comments for a post")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Comments",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = CommentDto.class))))
-    description = "Comments",
+    public List<CommentDto> listComments(@PathVariable Long postId,
-    content = @Content(
+                                         @RequestParam(value = "sort", required = false, defaultValue = "OLDEST") com.openisle.model.CommentSort sort) {
      array = @ArraySchema(schema = @Schema(implementation = TimelineItemDto.class))
    )
  )
  public List<TimelineItemDto<?>> listComments(
    @PathVariable Long postId,
    @RequestParam(value = "sort", required = false, defaultValue = "OLDEST") CommentSort sort
  ) {
        log.debug("listComments called for post {} with sort {}", postId, sort);
-    List<CommentDto> commentDtoList = commentService
+        List<CommentDto> list = commentService.getCommentsForPost(postId, sort).stream()
      .getCommentsForPost(postId, sort)
      .stream()
                .map(commentMapper::toDtoWithReplies)
                .collect(Collectors.toList());
-    List<PostChangeLogDto> postChangeLogDtoList = changeLogService
+        log.debug("listComments returning {} comments", list.size());
-      .listLogs(postId)
+        return list;
      .stream()
      .map(postChangeLogMapper::toDto)
      .collect(Collectors.toList());
    List<TimelineItemDto<?>> itemDtoList = new ArrayList<>();
    itemDtoList.addAll(
      commentDtoList
        .stream()
        .map(c ->
          new TimelineItemDto<>(
            c.getId(),
            "comment",
            c.getCreatedAt(),
            c.getPinnedAt(),
            c // payload 是 CommentDto
          )
        )
        .toList()
    );
    itemDtoList.addAll(
      postChangeLogDtoList
        .stream()
        .map(l ->
          new TimelineItemDto<>(
            l.getId(),
            "log",
            l.getTime(), // 注意字段名不一样
            null,
            l // payload 是 PostChangeLogDto
          )
        )
        .toList()
    );
    // 排序
    Comparator<TimelineItemDto<?>> pinnedOrderComparator = (a, b) -> {
      LocalDateTime aPinned = a.getPinnedAt();
      LocalDateTime bPinned = b.getPinnedAt();
      if (aPinned == null && bPinned == null) {
        return 0;
      }
      if (aPinned == null) {
        return 1;
      }
      if (bPinned == null) {
        return -1;
      }
      return bPinned.compareTo(aPinned);
    };
    Comparator<TimelineItemDto<?>> comparator = Comparator.<TimelineItemDto<?>, Boolean>comparing(
      item -> item.getPinnedAt() == null
    ).thenComparing(pinnedOrderComparator);
    Comparator<TimelineItemDto<?>> createdAtComparator = Comparator.comparing(
      TimelineItemDto::getCreatedAt
    );
    if (CommentSort.NEWEST.equals(sort)) {
      createdAtComparator = createdAtComparator.reversed();
    }
    itemDtoList.sort(comparator.thenComparing(createdAtComparator));
    log.debug("listComments returning {} comments", itemDtoList.size());
    return itemDtoList;
    }
    @DeleteMapping("/comments/{id}")
@@ -196,11 +108,8 @@ public class CommentController {
    @PostMapping("/comments/{id}/pin")
    @Operation(summary = "Pin comment", description = "Pin a comment")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Pinned comment",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = CommentDto.class)))
    description = "Pinned comment",
    content = @Content(schema = @Schema(implementation = CommentDto.class))
  )
    @SecurityRequirement(name = "JWT")
    public CommentDto pinComment(@PathVariable Long id, Authentication auth) {
        log.debug("pinComment called by user {} for comment {}", auth.getName(), id);
@@ -209,11 +118,8 @@ public class CommentController {
    @PostMapping("/comments/{id}/unpin")
    @Operation(summary = "Unpin comment", description = "Unpin a comment")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Unpinned comment",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = CommentDto.class)))
    description = "Unpinned comment",
    content = @Content(schema = @Schema(implementation = CommentDto.class))
  )
    @SecurityRequirement(name = "JWT")
    public CommentDto unpinComment(@PathVariable Long id, Authentication auth) {
        log.debug("unpinComment called by user {} for comment {}", auth.getName(), id);
--- a/backend/src/main/java/com/openisle/controller/ConfigController.java
+++ b/backend/src/main/java/com/openisle/controller/ConfigController.java
@@ -2,14 +2,14 @@ package com.openisle.controller;
 import com.openisle.dto.SiteConfigDto;
 import com.openisle.service.RegisterModeService;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
@RestController
@RequestMapping("/api")
@@ -38,11 +38,8 @@ public class ConfigController {
    @GetMapping("/config")
    @Operation(summary = "Site config", description = "Get site configuration")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Site configuration",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = SiteConfigDto.class)))
    description = "Site configuration",
    content = @Content(schema = @Schema(implementation = SiteConfigDto.class))
  )
    public SiteConfigDto getConfig() {
        SiteConfigDto resp = new SiteConfigDto();
        resp.setCaptchaEnabled(captchaEnabled);
--- a/backend/src/main/java/com/openisle/controller/DraftController.java
+++ b/backend/src/main/java/com/openisle/controller/DraftController.java
@@ -5,54 +5,40 @@ import com.openisle.dto.DraftRequest;
 import com.openisle.mapper.DraftMapper;
 import com.openisle.model.Draft;
 import com.openisle.service.DraftService;
 import lombok.RequiredArgsConstructor;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.Authentication;
 import org.springframework.web.bind.annotation.*;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import lombok.RequiredArgsConstructor;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.Authentication;
 import org.springframework.web.bind.annotation.*;
@RestController
@RequestMapping("/api/drafts")
@RequiredArgsConstructor
 public class DraftController {
    private final DraftService draftService;
    private final DraftMapper draftMapper;
    @PostMapping
    @Operation(summary = "Save draft", description = "Save a draft for current user")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Draft saved",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = DraftDto.class)))
    description = "Draft saved",
    content = @Content(schema = @Schema(implementation = DraftDto.class))
  )
    @SecurityRequirement(name = "JWT")
    public ResponseEntity<DraftDto> saveDraft(@RequestBody DraftRequest req, Authentication auth) {
-    Draft draft = draftService.saveDraft(
+        Draft draft = draftService.saveDraft(auth.getName(), req.getCategoryId(), req.getTitle(), req.getContent(), req.getTagIds());
      auth.getName(),
      req.getCategoryId(),
      req.getTitle(),
      req.getContent(),
      req.getTagIds()
    );
        return ResponseEntity.ok(draftMapper.toDto(draft));
    }
    @GetMapping("/me")
    @Operation(summary = "Get my draft", description = "Get current user's draft")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Draft details",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = DraftDto.class)))
    description = "Draft details",
    content = @Content(schema = @Schema(implementation = DraftDto.class))
  )
    @SecurityRequirement(name = "JWT")
    public ResponseEntity<DraftDto> getMyDraft(Authentication auth) {
-    return draftService
+        return draftService.getDraft(auth.getName())
      .getDraft(auth.getName())
                .map(d -> ResponseEntity.ok(draftMapper.toDto(d)))
                .orElseGet(() -> ResponseEntity.noContent().build());
    }
--- a/backend/src/main/java/com/openisle/controller/GlobalExceptionHandler.java
+++ b/backend/src/main/java/com/openisle/controller/GlobalExceptionHandler.java
@@ -1,21 +1,21 @@
 package com.openisle.controller;
 import com.openisle.exception.FieldException;
 import com.openisle.exception.NotFoundException;
 import com.openisle.exception.RateLimitException;
 import java.util.Map;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.ExceptionHandler;
 import org.springframework.web.bind.annotation.RestControllerAdvice;
 import com.openisle.exception.FieldException;
 import com.openisle.exception.NotFoundException;
 import com.openisle.exception.RateLimitException;
 import java.util.Map;
@RestControllerAdvice
 public class GlobalExceptionHandler {
    @ExceptionHandler(FieldException.class)
    public ResponseEntity<?> handleFieldException(FieldException ex) {
-    return ResponseEntity.badRequest().body(
+        return ResponseEntity.badRequest()
-      Map.of("error", ex.getMessage(), "field", ex.getField())
+                .body(Map.of("error", ex.getMessage(), "field", ex.getField()));
    );
    }
    @ExceptionHandler(NotFoundException.class)
@@ -37,3 +37,4 @@ public class GlobalExceptionHandler {
        return ResponseEntity.badRequest().body(Map.of("error", message));
    }
 }
--- a/backend/src/main/java/com/openisle/controller/HelloController.java
+++ b/backend/src/main/java/com/openisle/controller/HelloController.java
@@ -5,21 +5,17 @@ import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import java.util.Map;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RestController;
 import java.util.Map;
@RestController
 public class HelloController {
    @GetMapping("/api/hello")
    @SecurityRequirement(name = "JWT")
    @Operation(summary = "Hello endpoint", description = "Returns a greeting for authenticated users")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Greeting payload",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = Map.class)))
    description = "Greeting payload",
    content = @Content(schema = @Schema(implementation = Map.class))
  )
    public Map<String, String> hello() {
        return Map.of("message", "Hello, Authenticated User");
    }
--- a/backend/src/main/java/com/openisle/controller/InviteController.java
+++ b/backend/src/main/java/com/openisle/controller/InviteController.java
@@ -1,32 +1,29 @@
 package com.openisle.controller;
 import com.openisle.service.InviteService;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import java.util.Map;
 import lombok.RequiredArgsConstructor;
 import org.springframework.security.core.Authentication;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import java.util.Map;
@RestController
@RequestMapping("/api/invite")
@RequiredArgsConstructor
 public class InviteController {
    private final InviteService inviteService;
    @PostMapping("/generate")
    @Operation(summary = "Generate invite", description = "Generate an invite token")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Invite token",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = Map.class)))
    description = "Invite token",
    content = @Content(schema = @Schema(implementation = Map.class))
  )
    @SecurityRequirement(name = "JWT")
    public Map<String, String> generate(Authentication auth) {
        String token = inviteService.generate(auth.getName());
--- a/backend/src/main/java/com/openisle/controller/MedalController.java
+++ b/backend/src/main/java/com/openisle/controller/MedalController.java
@@ -3,32 +3,29 @@ package com.openisle.controller;
 import com.openisle.dto.MedalDto;
 import com.openisle.dto.MedalSelectRequest;
 import com.openisle.service.MedalService;
 import lombok.RequiredArgsConstructor;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.Authentication;
 import org.springframework.web.bind.annotation.*;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.media.ArraySchema;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import java.util.List;
 import lombok.RequiredArgsConstructor;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.Authentication;
 import org.springframework.web.bind.annotation.*;
@RestController
@RequestMapping("/api/medals")
@RequiredArgsConstructor
 public class MedalController {
    private final MedalService medalService;
    @GetMapping
    @Operation(summary = "List medals", description = "List medals for user or globally")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "List of medals",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = MedalDto.class))))
    description = "List of medals",
    content = @Content(array = @ArraySchema(schema = @Schema(implementation = MedalDto.class)))
  )
    public List<MedalDto> getMedals(@RequestParam(value = "userId", required = false) Long userId) {
        return medalService.getMedals(userId);
    }
@@ -37,10 +34,7 @@ public class MedalController {
    @Operation(summary = "Select medal", description = "Select a medal for current user")
    @ApiResponse(responseCode = "200", description = "Medal selected")
    @SecurityRequirement(name = "JWT")
-  public ResponseEntity<Void> selectMedal(
+    public ResponseEntity<Void> selectMedal(@RequestBody MedalSelectRequest req, Authentication auth) {
    @RequestBody MedalSelectRequest req,
    Authentication auth
  ) {
        try {
            medalService.selectMedal(auth.getName(), req.getType());
            return ResponseEntity.ok().build();
--- a/backend/src/main/java/com/openisle/controller/MessageController.java
+++ b/backend/src/main/java/com/openisle/controller/MessageController.java
@@ -10,13 +10,6 @@ import com.openisle.model.MessageConversation;
 import com.openisle.model.User;
 import com.openisle.repository.UserRepository;
 import com.openisle.service.MessageService;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.media.ArraySchema;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import java.util.List;
 import lombok.RequiredArgsConstructor;
 import org.springframework.data.domain.Page;
 import org.springframework.data.domain.PageRequest;
@@ -25,6 +18,14 @@ import org.springframework.data.domain.Sort;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.Authentication;
 import org.springframework.web.bind.annotation.*;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.media.ArraySchema;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import java.util.List;
@RestController
@RequestMapping("/api/messages")
@@ -36,22 +37,15 @@ public class MessageController {
    // This is a placeholder for getting the current user's ID
    private Long getCurrentUserId(Authentication auth) {
-    User user = userRepository
+        User user = userRepository.findByUsername(auth.getName()).orElseThrow(() -> new IllegalArgumentException("Sender not found"));
      .findByUsername(auth.getName())
      .orElseThrow(() -> new IllegalArgumentException("Sender not found"));
        // In a real application, you would get this from the Authentication object
        return user.getId();
    }
    @GetMapping("/conversations")
    @Operation(summary = "List conversations", description = "Get all conversations of current user")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "List of conversations",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = ConversationDto.class))))
    description = "List of conversations",
    content = @Content(
      array = @ArraySchema(schema = @Schema(implementation = ConversationDto.class))
    )
  )
    @SecurityRequirement(name = "JWT")
    public ResponseEntity<List<ConversationDto>> getConversations(Authentication auth) {
        List<ConversationDto> conversations = messageService.getConversations(getCurrentUserId(auth));
@@ -60,75 +54,42 @@ public class MessageController {
    @GetMapping("/conversations/{conversationId}")
    @Operation(summary = "Get conversation", description = "Get messages of a conversation")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Conversation detail",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = ConversationDetailDto.class)))
    description = "Conversation detail",
    content = @Content(schema = @Schema(implementation = ConversationDetailDto.class))
  )
    @SecurityRequirement(name = "JWT")
-  public ResponseEntity<ConversationDetailDto> getMessages(
+    public ResponseEntity<ConversationDetailDto> getMessages(@PathVariable Long conversationId,
    @PathVariable Long conversationId,
                                                               @RequestParam(defaultValue = "0") int page,
                                                               @RequestParam(defaultValue = "20") int size,
-    Authentication auth
+                                                               Authentication auth) {
  ) {
        Pageable pageable = PageRequest.of(page, size, Sort.by("createdAt").descending());
-    ConversationDetailDto conversationDetails = messageService.getConversationDetails(
+        ConversationDetailDto conversationDetails = messageService.getConversationDetails(conversationId, getCurrentUserId(auth), pageable);
      conversationId,
      getCurrentUserId(auth),
      pageable
    );
        return ResponseEntity.ok(conversationDetails);
    }
    @PostMapping
    @Operation(summary = "Send message", description = "Send a direct message to a user")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Message sent",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = MessageDto.class)))
    description = "Message sent",
    content = @Content(schema = @Schema(implementation = MessageDto.class))
  )
    @SecurityRequirement(name = "JWT")
-  public ResponseEntity<MessageDto> sendMessage(
+    public ResponseEntity<MessageDto> sendMessage(@RequestBody MessageRequest req, Authentication auth) {
-    @RequestBody MessageRequest req,
+        Message message = messageService.sendMessage(getCurrentUserId(auth), req.getRecipientId(), req.getContent(), req.getReplyToId());
    Authentication auth
  ) {
    Message message = messageService.sendMessage(
      getCurrentUserId(auth),
      req.getRecipientId(),
      req.getContent(),
      req.getReplyToId()
    );
        return ResponseEntity.ok(messageService.toDto(message));
    }
    @PostMapping("/conversations/{conversationId}/messages")
    @Operation(summary = "Send message to conversation", description = "Reply within a conversation")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Message sent",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = MessageDto.class)))
    description = "Message sent",
    content = @Content(schema = @Schema(implementation = MessageDto.class))
  )
    @SecurityRequirement(name = "JWT")
-  public ResponseEntity<MessageDto> sendMessageToConversation(
+    public ResponseEntity<MessageDto> sendMessageToConversation(@PathVariable Long conversationId,
    @PathVariable Long conversationId,
                                                                @RequestBody ChannelMessageRequest req,
-    Authentication auth
+                                                                Authentication auth) {
-  ) {
+        Message message = messageService.sendMessageToConversation(getCurrentUserId(auth), conversationId, req.getContent(), req.getReplyToId());
    Message message = messageService.sendMessageToConversation(
      getCurrentUserId(auth),
      conversationId,
      req.getContent(),
      req.getReplyToId()
    );
        return ResponseEntity.ok(messageService.toDto(message));
    }
    @PostMapping("/conversations/{conversationId}/read")
-  @Operation(
+    @Operation(summary = "Mark conversation read", description = "Mark messages in conversation as read")
    summary = "Mark conversation read",
    description = "Mark messages in conversation as read"
  )
    @ApiResponse(responseCode = "200", description = "Marked as read")
    @SecurityRequirement(name = "JWT")
    public ResponseEntity<Void> markAsRead(@PathVariable Long conversationId, Authentication auth) {
@@ -137,37 +98,19 @@ public class MessageController {
    }
    @PostMapping("/conversations")
-  @Operation(
+    @Operation(summary = "Find or create conversation", description = "Find existing or create new conversation with recipient")
-    summary = "Find or create conversation",
+    @ApiResponse(responseCode = "200", description = "Conversation id",
-    description = "Find existing or create new conversation with recipient"
+            content = @Content(schema = @Schema(implementation = CreateConversationResponse.class)))
  )
  @ApiResponse(
    responseCode = "200",
    description = "Conversation id",
    content = @Content(schema = @Schema(implementation = CreateConversationResponse.class))
  )
    @SecurityRequirement(name = "JWT")
-  public ResponseEntity<CreateConversationResponse> findOrCreateConversation(
+    public ResponseEntity<CreateConversationResponse> findOrCreateConversation(@RequestBody CreateConversationRequest req, Authentication auth) {
-    @RequestBody CreateConversationRequest req,
+        MessageConversation conversation = messageService.findOrCreateConversation(getCurrentUserId(auth), req.getRecipientId());
    Authentication auth
  ) {
    MessageConversation conversation = messageService.findOrCreateConversation(
      getCurrentUserId(auth),
      req.getRecipientId()
    );
        return ResponseEntity.ok(new CreateConversationResponse(conversation.getId()));
    }
    @GetMapping("/unread-count")
-  @Operation(
+    @Operation(summary = "Unread message count", description = "Get unread message count for current user")
-    summary = "Unread message count",
+    @ApiResponse(responseCode = "200", description = "Unread count",
-    description = "Get unread message count for current user"
+            content = @Content(schema = @Schema(implementation = Long.class)))
  )
  @ApiResponse(
    responseCode = "200",
    description = "Unread count",
    content = @Content(schema = @Schema(implementation = Long.class))
  )
    @SecurityRequirement(name = "JWT")
    public ResponseEntity<Long> getUnreadCount(Authentication auth) {
        return ResponseEntity.ok(messageService.getUnreadMessageCount(getCurrentUserId(auth)));
@@ -175,7 +118,6 @@ public class MessageController {
    // A simple request DTO
    static class MessageRequest {
        private Long recipientId;
        private String content;
        private Long replyToId;
@@ -206,7 +148,6 @@ public class MessageController {
    }
    static class ChannelMessageRequest {
        private String content;
        private Long replyToId;
--- a/backend/src/main/java/com/openisle/controller/NotificationController.java
+++ b/backend/src/main/java/com/openisle/controller/NotificationController.java
@@ -2,89 +2,62 @@ package com.openisle.controller;
 import com.openisle.dto.NotificationDto;
 import com.openisle.dto.NotificationMarkReadRequest;
 import com.openisle.dto.NotificationUnreadCountDto;
 import com.openisle.dto.NotificationPreferenceDto;
 import com.openisle.dto.NotificationPreferenceUpdateRequest;
 import com.openisle.dto.NotificationUnreadCountDto;
 import com.openisle.mapper.NotificationMapper;
 import com.openisle.service.NotificationService;
 import lombok.RequiredArgsConstructor;
 import org.springframework.security.core.Authentication;
 import org.springframework.web.bind.annotation.*;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.media.ArraySchema;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import java.util.List;
 import java.util.stream.Collectors;
 import lombok.RequiredArgsConstructor;
 import org.springframework.security.core.Authentication;
 import org.springframework.web.bind.annotation.*;
 /** Endpoints for user notifications. */
@RestController
@RequestMapping("/api/notifications")
@RequiredArgsConstructor
 public class NotificationController {
    private final NotificationService notificationService;
    private final NotificationMapper notificationMapper;
    @GetMapping
-  @Operation(
+    @Operation(summary = "List notifications", description = "Retrieve notifications for the current user")
-    summary = "List notifications",
+    @ApiResponse(responseCode = "200", description = "Notifications",
-    description = "Retrieve notifications for the current user"
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = NotificationDto.class))))
  )
  @ApiResponse(
    responseCode = "200",
    description = "Notifications",
    content = @Content(
      array = @ArraySchema(schema = @Schema(implementation = NotificationDto.class))
    )
  )
    @SecurityRequirement(name = "JWT")
-  public List<NotificationDto> list(
+    public List<NotificationDto> list(@RequestParam(value = "page", defaultValue = "0") int page,
    @RequestParam(value = "page", defaultValue = "0") int page,
                                      @RequestParam(value = "size", defaultValue = "30") int size,
-    Authentication auth
+                                      Authentication auth) {
-  ) {
+        return notificationService.listNotifications(auth.getName(), null, page, size).stream()
    return notificationService
      .listNotifications(auth.getName(), null, page, size)
      .stream()
                .map(notificationMapper::toDto)
                .collect(Collectors.toList());
    }
    @GetMapping("/unread")
-  @Operation(
+    @Operation(summary = "List unread notifications", description = "Retrieve unread notifications for the current user")
-    summary = "List unread notifications",
+    @ApiResponse(responseCode = "200", description = "Unread notifications",
-    description = "Retrieve unread notifications for the current user"
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = NotificationDto.class))))
  )
  @ApiResponse(
    responseCode = "200",
    description = "Unread notifications",
    content = @Content(
      array = @ArraySchema(schema = @Schema(implementation = NotificationDto.class))
    )
  )
    @SecurityRequirement(name = "JWT")
-  public List<NotificationDto> listUnread(
+    public List<NotificationDto> listUnread(@RequestParam(value = "page", defaultValue = "0") int page,
    @RequestParam(value = "page", defaultValue = "0") int page,
                                            @RequestParam(value = "size", defaultValue = "30") int size,
-    Authentication auth
+                                            Authentication auth) {
-  ) {
+        return notificationService.listNotifications(auth.getName(), false, page, size).stream()
    return notificationService
      .listNotifications(auth.getName(), false, page, size)
      .stream()
                .map(notificationMapper::toDto)
                .collect(Collectors.toList());
    }
    @GetMapping("/unread-count")
    @Operation(summary = "Unread count", description = "Get count of unread notifications")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Unread count",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = NotificationUnreadCountDto.class)))
    description = "Unread count",
    content = @Content(schema = @Schema(implementation = NotificationUnreadCountDto.class))
  )
    @SecurityRequirement(name = "JWT")
    public NotificationUnreadCountDto unreadCount(Authentication auth) {
        long count = notificationService.countUnread(auth.getName());
@@ -103,13 +76,8 @@ public class NotificationController {
    @GetMapping("/prefs")
    @Operation(summary = "List preferences", description = "List notification preferences")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Preferences",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = NotificationPreferenceDto.class))))
    description = "Preferences",
    content = @Content(
      array = @ArraySchema(schema = @Schema(implementation = NotificationPreferenceDto.class))
    )
  )
    @SecurityRequirement(name = "JWT")
    public List<NotificationPreferenceDto> prefs(Authentication auth) {
        return notificationService.listPreferences(auth.getName());
@@ -119,41 +87,24 @@ public class NotificationController {
    @Operation(summary = "Update preference", description = "Update notification preference")
    @ApiResponse(responseCode = "200", description = "Preference updated")
    @SecurityRequirement(name = "JWT")
-  public void updatePref(
+    public void updatePref(@RequestBody NotificationPreferenceUpdateRequest req, Authentication auth) {
    @RequestBody NotificationPreferenceUpdateRequest req,
    Authentication auth
  ) {
        notificationService.updatePreference(auth.getName(), req.getType(), req.isEnabled());
    }
    @GetMapping("/email-prefs")
-  @Operation(
+    @Operation(summary = "List email preferences", description = "List email notification preferences")
-    summary = "List email preferences",
+    @ApiResponse(responseCode = "200", description = "Email preferences",
-    description = "List email notification preferences"
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = NotificationPreferenceDto.class))))
  )
  @ApiResponse(
    responseCode = "200",
    description = "Email preferences",
    content = @Content(
      array = @ArraySchema(schema = @Schema(implementation = NotificationPreferenceDto.class))
    )
  )
    @SecurityRequirement(name = "JWT")
    public List<NotificationPreferenceDto> emailPrefs(Authentication auth) {
        return notificationService.listEmailPreferences(auth.getName());
    }
    @PostMapping("/email-prefs")
-  @Operation(
+    @Operation(summary = "Update email preference", description = "Update email notification preference")
    summary = "Update email preference",
    description = "Update email notification preference"
  )
    @ApiResponse(responseCode = "200", description = "Email preference updated")
    @SecurityRequirement(name = "JWT")
-  public void updateEmailPref(
+    public void updateEmailPref(@RequestBody NotificationPreferenceUpdateRequest req, Authentication auth) {
    @RequestBody NotificationPreferenceUpdateRequest req,
    Authentication auth
  ) {
        notificationService.updateEmailPreference(auth.getName(), req.getType(), req.isEnabled());
    }
 }
--- a/backend/src/main/java/com/openisle/controller/OnlineController.java
+++ b/backend/src/main/java/com/openisle/controller/OnlineController.java
@@ -1,15 +1,16 @@
 package com.openisle.controller;
 import com.openisle.config.CachingConfig;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import java.time.Duration;
 import lombok.RequiredArgsConstructor;
 import org.springframework.data.redis.core.RedisTemplate;
 import org.springframework.data.redis.core.StringRedisTemplate;
 import org.springframework.web.bind.annotation.*;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import java.time.Duration;
 /**
 * @author smallclover
@@ -33,11 +34,8 @@ public class OnlineController {
    @GetMapping("/count")
    @Operation(summary = "Online count", description = "Get current online user count")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Online count",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = Long.class)))
    description = "Online count",
    content = @Content(schema = @Schema(implementation = Long.class))
  )
    public long count(){
        return redisTemplate.keys(ONLINE_KEY+"*").size();
    }
--- a/backend/src/main/java/com/openisle/controller/PointHistoryController.java
+++ b/backend/src/main/java/com/openisle/controller/PointHistoryController.java
@@ -3,60 +3,48 @@ package com.openisle.controller;
 import com.openisle.dto.PointHistoryDto;
 import com.openisle.mapper.PointHistoryMapper;
 import com.openisle.service.PointService;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.media.ArraySchema;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import java.util.List;
 import java.util.Map;
 import java.util.stream.Collectors;
 import lombok.RequiredArgsConstructor;
 import org.springframework.security.core.Authentication;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.media.ArraySchema;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import java.util.List;
 import java.util.Map;
 import java.util.stream.Collectors;
@RestController
@RequestMapping("/api/point-histories")
@RequiredArgsConstructor
 public class PointHistoryController {
    private final PointService pointService;
    private final PointHistoryMapper pointHistoryMapper;
    @GetMapping
    @Operation(summary = "Point history", description = "List point history for current user")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "List of point histories",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = PointHistoryDto.class))))
    description = "List of point histories",
    content = @Content(
      array = @ArraySchema(schema = @Schema(implementation = PointHistoryDto.class))
    )
  )
    @SecurityRequirement(name = "JWT")
    public List<PointHistoryDto> list(Authentication auth) {
-    return pointService
+        return pointService.listHistory(auth.getName()).stream()
      .listHistory(auth.getName())
      .stream()
                .map(pointHistoryMapper::toDto)
                .collect(Collectors.toList());
    }
    @GetMapping("/trend")
    @Operation(summary = "Point trend", description = "Get point trend data for current user")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Trend data",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = java.util.Map.class))))
    description = "Trend data",
    content = @Content(array = @ArraySchema(schema = @Schema(implementation = java.util.Map.class)))
  )
    @SecurityRequirement(name = "JWT")
-  public List<Map<String, Object>> trend(
+    public List<Map<String, Object>> trend(Authentication auth,
-    Authentication auth,
+                                          @RequestParam(value = "days", defaultValue = "30") int days) {
    @RequestParam(value = "days", defaultValue = "30") int days
  ) {
        return pointService.trend(auth.getName(), days);
    }
 }
--- a/backend/src/main/java/com/openisle/controller/PointMallController.java
+++ b/backend/src/main/java/com/openisle/controller/PointMallController.java
@@ -6,51 +6,43 @@ import com.openisle.mapper.PointGoodMapper;
 import com.openisle.model.User;
 import com.openisle.service.PointMallService;
 import com.openisle.service.UserService;
 import lombok.RequiredArgsConstructor;
 import org.springframework.security.core.Authentication;
 import org.springframework.web.bind.annotation.*;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.media.ArraySchema;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import java.util.List;
 import java.util.Map;
 import java.util.stream.Collectors;
 import lombok.RequiredArgsConstructor;
 import org.springframework.security.core.Authentication;
 import org.springframework.web.bind.annotation.*;
 /** REST controller for point mall. */
@RestController
@RequestMapping("/api/point-goods")
@RequiredArgsConstructor
 public class PointMallController {
    private final PointMallService pointMallService;
    private final UserService userService;
    private final PointGoodMapper pointGoodMapper;
    @GetMapping
    @Operation(summary = "List goods", description = "List all point goods")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "List of goods",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = PointGoodDto.class))))
    description = "List of goods",
    content = @Content(array = @ArraySchema(schema = @Schema(implementation = PointGoodDto.class)))
  )
    public List<PointGoodDto> list() {
-    return pointMallService
+        return pointMallService.listGoods().stream()
      .listGoods()
      .stream()
                .map(pointGoodMapper::toDto)
                .collect(Collectors.toList());
    }
    @PostMapping("/redeem")
    @Operation(summary = "Redeem good", description = "Redeem a point good")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Remaining points",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = java.util.Map.class)))
    description = "Remaining points",
    content = @Content(schema = @Schema(implementation = java.util.Map.class))
  )
    @SecurityRequirement(name = "JWT")
    public Map<String, Integer> redeem(@RequestBody PointRedeemRequest req, Authentication auth) {
        User user = userService.findByIdentifier(auth.getName()).orElseThrow();
--- a/backend/src/main/java/com/openisle/controller/PostChangeLogController.java
+++ b/backend/src/main/java/com/openisle/controller/PostChangeLogController.java
@@ -3,34 +3,31 @@ package com.openisle.controller;
 import com.openisle.dto.PostChangeLogDto;
 import com.openisle.mapper.PostChangeLogMapper;
 import com.openisle.service.PostChangeLogService;
 import lombok.RequiredArgsConstructor;
 import org.springframework.web.bind.annotation.*;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.media.ArraySchema;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import java.util.List;
 import java.util.stream.Collectors;
 import lombok.RequiredArgsConstructor;
 import org.springframework.web.bind.annotation.*;
@RestController
@RequestMapping("/api/posts")
@RequiredArgsConstructor
 public class PostChangeLogController {
    private final PostChangeLogService changeLogService;
    private final PostChangeLogMapper mapper;
    @GetMapping("/{id}/change-logs")
    @Operation(summary = "Post change logs", description = "List change logs for a post")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Change logs",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = PostChangeLogDto.class))))
    description = "Change logs",
    content = @Content(
      array = @ArraySchema(schema = @Schema(implementation = PostChangeLogDto.class))
    )
  )
    public List<PostChangeLogDto> listLogs(@PathVariable Long id) {
-    return changeLogService.listLogs(id).stream().map(mapper::toDto).collect(Collectors.toList());
+        return changeLogService.listLogs(id).stream()
                .map(mapper::toDto)
                .collect(Collectors.toList());
    }
 }
--- a/backend/src/main/java/com/openisle/controller/PostController.java
+++ b/backend/src/main/java/com/openisle/controller/PostController.java
@@ -1,10 +1,9 @@
 package com.openisle.controller;
 import com.openisle.config.CachingConfig;
 import com.openisle.dto.PollDto;
 import com.openisle.dto.PostDetailDto;
 import com.openisle.dto.PostRequest;
 import com.openisle.dto.PostSummaryDto;
 import com.openisle.dto.PollDto;
 import com.openisle.mapper.PostMapper;
 import com.openisle.model.Post;
 import com.openisle.service.*;
@@ -14,23 +13,20 @@ import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import java.util.List;
 import java.util.stream.Collectors;
 import lombok.RequiredArgsConstructor;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.cache.annotation.Cacheable;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.Authentication;
 import org.springframework.web.bind.annotation.*;
 import java.util.List;
 import java.util.stream.Collectors;
@RestController
@RequestMapping("/api/posts")
@RequiredArgsConstructor
 public class PostController {
    private final PostService postService;
  private final CategoryService categoryService;
  private final TagService tagService;
    private final LevelService levelService;
    private final CaptchaService captchaService;
    private final DraftService draftService;
@@ -47,34 +43,18 @@ public class PostController {
    @PostMapping
    @SecurityRequirement(name = "JWT")
    @Operation(summary = "Create post", description = "Create a new post")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Created post",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = PostDetailDto.class)))
-    description = "Created post",
+    public ResponseEntity<PostDetailDto> createPost(@RequestBody PostRequest req, Authentication auth) {
    content = @Content(schema = @Schema(implementation = PostDetailDto.class))
  )
  public ResponseEntity<PostDetailDto> createPost(
    @RequestBody PostRequest req,
    Authentication auth
  ) {
        if (captchaEnabled && postCaptchaEnabled && !captchaService.verify(req.getCaptcha())) {
            return ResponseEntity.badRequest().build();
        }
-    Post post = postService.createPost(
+        Post post = postService.createPost(auth.getName(), req.getCategoryId(),
-      auth.getName(),
+                req.getTitle(), req.getContent(), req.getTagIds(),
-      req.getCategoryId(),
+                req.getType(), req.getPrizeDescription(), req.getPrizeIcon(),
-      req.getTitle(),
+                req.getPrizeCount(), req.getPointCost(),
-      req.getContent(),
+                req.getStartTime(), req.getEndTime(),
-      req.getTagIds(),
+                req.getOptions(), req.getMultiple());
      req.getType(),
      req.getPrizeDescription(),
      req.getPrizeIcon(),
      req.getPrizeCount(),
      req.getPointCost(),
      req.getStartTime(),
      req.getEndTime(),
      req.getOptions(),
      req.getMultiple()
    );
        draftService.deleteDraft(auth.getName());
        PostDetailDto dto = postMapper.toDetailDto(post, auth.getName());
        dto.setReward(levelService.awardForPost(auth.getName()));
@@ -85,24 +65,12 @@ public class PostController {
    @PutMapping("/{id}")
    @SecurityRequirement(name = "JWT")
    @Operation(summary = "Update post", description = "Update an existing post")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Updated post",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = PostDetailDto.class)))
-    description = "Updated post",
+    public ResponseEntity<PostDetailDto> updatePost(@PathVariable Long id, @RequestBody PostRequest req,
-    content = @Content(schema = @Schema(implementation = PostDetailDto.class))
+                                              Authentication auth) {
-  )
+        Post post = postService.updatePost(id, auth.getName(), req.getCategoryId(),
-  public ResponseEntity<PostDetailDto> updatePost(
+                req.getTitle(), req.getContent(), req.getTagIds());
    @PathVariable Long id,
    @RequestBody PostRequest req,
    Authentication auth
  ) {
    Post post = postService.updatePost(
      id,
      auth.getName(),
      req.getCategoryId(),
      req.getTitle(),
      req.getContent(),
      req.getTagIds()
    );
        return ResponseEntity.ok(postMapper.toDetailDto(post, auth.getName()));
    }
@@ -117,11 +85,8 @@ public class PostController {
    @PostMapping("/{id}/close")
    @SecurityRequirement(name = "JWT")
    @Operation(summary = "Close post", description = "Close a post to prevent further replies")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Closed post",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = PostSummaryDto.class)))
    description = "Closed post",
    content = @Content(schema = @Schema(implementation = PostSummaryDto.class))
  )
    public PostSummaryDto close(@PathVariable Long id, Authentication auth) {
        return postMapper.toSummaryDto(postService.closePost(id, auth.getName()));
    }
@@ -129,22 +94,16 @@ public class PostController {
    @PostMapping("/{id}/reopen")
    @SecurityRequirement(name = "JWT")
    @Operation(summary = "Reopen post", description = "Reopen a closed post")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Reopened post",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = PostSummaryDto.class)))
    description = "Reopened post",
    content = @Content(schema = @Schema(implementation = PostSummaryDto.class))
  )
    public PostSummaryDto reopen(@PathVariable Long id, Authentication auth) {
        return postMapper.toSummaryDto(postService.reopenPost(id, auth.getName()));
    }
    @GetMapping("/{id}")
    @Operation(summary = "Get post", description = "Get post details by id")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Post detail",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = PostDetailDto.class)))
    description = "Post detail",
    content = @Content(schema = @Schema(implementation = PostDetailDto.class))
  )
    public ResponseEntity<PostDetailDto> getPost(@PathVariable Long id, Authentication auth) {
        String viewer = auth != null ? auth.getName() : null;
        Post post = postService.viewPost(id, viewer);
@@ -162,11 +121,8 @@ public class PostController {
    @GetMapping("/{id}/poll/progress")
    @Operation(summary = "Poll progress", description = "Get poll progress for a post")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Poll progress",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = PollDto.class)))
    description = "Poll progress",
    content = @Content(schema = @Schema(implementation = PollDto.class))
  )
    public ResponseEntity<PollDto> pollProgress(@PathVariable Long id) {
        return ResponseEntity.ok(postMapper.toSummaryDto(postService.getPoll(id)).getPoll());
    }
@@ -175,144 +131,131 @@ public class PostController {
    @SecurityRequirement(name = "JWT")
    @Operation(summary = "Vote poll", description = "Vote on a poll option")
    @ApiResponse(responseCode = "200", description = "Vote recorded")
-  public ResponseEntity<Void> vote(
+    public ResponseEntity<Void> vote(@PathVariable Long id, @RequestParam("option") List<Integer> option, Authentication auth) {
    @PathVariable Long id,
    @RequestParam("option") List<Integer> option,
    Authentication auth
  ) {
        postService.votePoll(id, auth.getName(), option);
        return ResponseEntity.ok().build();
    }
    @GetMapping
    @Operation(summary = "List posts", description = "List posts by various filters")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "List of posts",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = PostSummaryDto.class))))
-    description = "List of posts",
+    public List<PostSummaryDto> listPosts(@RequestParam(value = "categoryId", required = false) Long categoryId,
    content = @Content(
      array = @ArraySchema(schema = @Schema(implementation = PostSummaryDto.class))
    )
  )
  @Cacheable(
    value = CachingConfig.POST_CACHE_NAME,
    key = "new org.springframework.cache.interceptor.SimpleKey('default', #categoryId, #categoryIds, #tagId, #tagIds, #page, #pageSize)"
  )
  public List<PostSummaryDto> listPosts(
    @RequestParam(value = "categoryId", required = false) Long categoryId,
                                   @RequestParam(value = "categoryIds", required = false) List<Long> categoryIds,
                                   @RequestParam(value = "tagId", required = false) Long tagId,
                                   @RequestParam(value = "tagIds", required = false) List<Long> tagIds,
                                   @RequestParam(value = "page", required = false) Integer page,
                                   @RequestParam(value = "pageSize", required = false) Integer pageSize,
-    Authentication auth
+                                   Authentication auth) {
-  ) {
+        List<Long> ids = categoryIds;
-    List<Long> ids = categoryService.getSearchCategoryIds(categoryIds, categoryId);
+        if (categoryId != null) {
-    List<Long> tids = tagService.getSearchTagIds(tagIds, tagId);
+            ids = java.util.List.of(categoryId);
        }
        List<Long> tids = tagIds;
        if (tagId != null) {
            tids = java.util.List.of(tagId);
        }
 // 只需要在请求的一开始统计一次
 //        if (auth != null) {
 //            userVisitService.recordVisit(auth.getName());
 //        }
-    return postService
+        boolean hasCategories = ids != null && !ids.isEmpty();
-      .defaultListPosts(ids, tids, page, pageSize)
+        boolean hasTags = tids != null && !tids.isEmpty();
-      .stream()
+
-      .map(postMapper::toSummaryDto)
+        if (hasCategories && hasTags) {
-      .collect(Collectors.toList());
+            return postService.listPostsByCategoriesAndTags(ids, tids, page, pageSize)
                    .stream().map(postMapper::toSummaryDto).collect(Collectors.toList());
        }
        if (hasTags) {
            return postService.listPostsByTags(tids, page, pageSize)
                .stream().map(postMapper::toSummaryDto).collect(Collectors.toList());
        }
        return postService.listPostsByCategories(ids, page, pageSize)
                .stream().map(postMapper::toSummaryDto).collect(Collectors.toList());
    }
    @GetMapping("/ranking")
    @Operation(summary = "Ranking posts", description = "List posts by view rankings")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Ranked posts",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = PostSummaryDto.class))))
-    description = "Ranked posts",
+    public List<PostSummaryDto> rankingPosts(@RequestParam(value = "categoryId", required = false) Long categoryId,
    content = @Content(
      array = @ArraySchema(schema = @Schema(implementation = PostSummaryDto.class))
    )
  )
  public List<PostSummaryDto> rankingPosts(
    @RequestParam(value = "categoryId", required = false) Long categoryId,
                                      @RequestParam(value = "categoryIds", required = false) List<Long> categoryIds,
                                      @RequestParam(value = "tagId", required = false) Long tagId,
                                      @RequestParam(value = "tagIds", required = false) List<Long> tagIds,
                                      @RequestParam(value = "page", required = false) Integer page,
                                      @RequestParam(value = "pageSize", required = false) Integer pageSize,
-    Authentication auth
+                                      Authentication auth) {
-  ) {
+        List<Long> ids = categoryIds;
-    List<Long> ids = categoryService.getSearchCategoryIds(categoryIds, categoryId);
+        if (categoryId != null) {
-    List<Long> tids = tagService.getSearchTagIds(tagIds, tagId);
+            ids = java.util.List.of(categoryId);
        }
        List<Long> tids = tagIds;
        if (tagId != null) {
            tids = java.util.List.of(tagId);
        }
 // 只需要在请求的一开始统计一次
 //        if (auth != null) {
 //            userVisitService.recordVisit(auth.getName());
 //        }
-    return postService
+        return postService.listPostsByViews(ids, tids, page, pageSize)
-      .listPostsByViews(ids, tids, page, pageSize)
+                .stream().map(postMapper::toSummaryDto).collect(Collectors.toList());
      .stream()
      .map(postMapper::toSummaryDto)
      .collect(Collectors.toList());
    }
    @GetMapping("/latest-reply")
    @Operation(summary = "Latest reply posts", description = "List posts by latest replies")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Posts sorted by latest reply",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = PostSummaryDto.class))))
-    description = "Posts sorted by latest reply",
+    public List<PostSummaryDto> latestReplyPosts(@RequestParam(value = "categoryId", required = false) Long categoryId,
    content = @Content(
      array = @ArraySchema(schema = @Schema(implementation = PostSummaryDto.class))
    )
  )
  @Cacheable(
    value = CachingConfig.POST_CACHE_NAME,
    key = "new org.springframework.cache.interceptor.SimpleKey('latest_reply', #categoryId, #categoryIds, #tagIds, #page, #pageSize)"
  )
  public List<PostSummaryDto> latestReplyPosts(
    @RequestParam(value = "categoryId", required = false) Long categoryId,
                                          @RequestParam(value = "categoryIds", required = false) List<Long> categoryIds,
                                          @RequestParam(value = "tagId", required = false) Long tagId,
                                          @RequestParam(value = "tagIds", required = false) List<Long> tagIds,
                                          @RequestParam(value = "page", required = false) Integer page,
                                          @RequestParam(value = "pageSize", required = false) Integer pageSize,
-    Authentication auth
+                                          Authentication auth) {
-  ) {
+        List<Long> ids = categoryIds;
-    List<Long> ids = categoryService.getSearchCategoryIds(categoryIds, categoryId);
+        if (categoryId != null) {
-    List<Long> tids = tagService.getSearchTagIds(tagIds, tagId);
+            ids = java.util.List.of(categoryId);
        }
        List<Long> tids = tagIds;
        if (tagId != null) {
            tids = java.util.List.of(tagId);
        }
 // 只需要在请求的一开始统计一次
 //        if (auth != null) {
 //            userVisitService.recordVisit(auth.getName());
 //        }
-    List<Post> posts = postService.listPostsByLatestReply(ids, tids, page, pageSize);
+        return postService.listPostsByLatestReply(ids, tids, page, pageSize)
-    return posts.stream().map(postMapper::toSummaryDto).collect(Collectors.toList());
+                .stream().map(postMapper::toSummaryDto).collect(Collectors.toList());
    }
    @GetMapping("/featured")
    @Operation(summary = "Featured posts", description = "List featured posts")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Featured posts",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = PostSummaryDto.class))))
-    description = "Featured posts",
+    public List<PostSummaryDto> featuredPosts(@RequestParam(value = "categoryId", required = false) Long categoryId,
    content = @Content(
      array = @ArraySchema(schema = @Schema(implementation = PostSummaryDto.class))
    )
  )
  public List<PostSummaryDto> featuredPosts(
    @RequestParam(value = "categoryId", required = false) Long categoryId,
                                       @RequestParam(value = "categoryIds", required = false) List<Long> categoryIds,
                                       @RequestParam(value = "tagId", required = false) Long tagId,
                                       @RequestParam(value = "tagIds", required = false) List<Long> tagIds,
                                       @RequestParam(value = "page", required = false) Integer page,
                                       @RequestParam(value = "pageSize", required = false) Integer pageSize,
-    Authentication auth
+                                       Authentication auth) {
-  ) {
+        List<Long> ids = categoryIds;
-    List<Long> ids = categoryService.getSearchCategoryIds(categoryIds, categoryId);
+        if (categoryId != null) {
-    List<Long> tids = tagService.getSearchTagIds(tagIds, tagId);
+            ids = java.util.List.of(categoryId);
        }
        List<Long> tids = tagIds;
        if (tagId != null) {
            tids = java.util.List.of(tagId);
        }
 // 只需要在请求的一开始统计一次
 //        if (auth != null) {
 //            userVisitService.recordVisit(auth.getName());
 //        }
-    return postService
+        return postService.listFeaturedPosts(ids, tids, page, pageSize)
-      .listFeaturedPosts(ids, tids, page, pageSize)
+                .stream().map(postMapper::toSummaryDto).collect(Collectors.toList());
      .stream()
      .map(postMapper::toSummaryDto)
      .collect(Collectors.toList());
    }
 }
--- a/backend/src/main/java/com/openisle/controller/PushSubscriptionController.java
+++ b/backend/src/main/java/com/openisle/controller/PushSubscriptionController.java
@@ -3,33 +3,28 @@ package com.openisle.controller;
 import com.openisle.dto.PushPublicKeyDto;
 import com.openisle.dto.PushSubscriptionRequest;
 import com.openisle.service.PushSubscriptionService;
 import lombok.RequiredArgsConstructor;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.security.core.Authentication;
 import org.springframework.web.bind.annotation.*;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import lombok.RequiredArgsConstructor;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.security.core.Authentication;
 import org.springframework.web.bind.annotation.*;
@RestController
@RequestMapping("/api/push")
@RequiredArgsConstructor
 public class PushSubscriptionController {
    private final PushSubscriptionService pushSubscriptionService;
    @Value("${app.webpush.public-key}")
    private String publicKey;
    @GetMapping("/public-key")
    @Operation(summary = "Get public key", description = "Retrieve web push public key")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Public key",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = PushPublicKeyDto.class)))
    description = "Public key",
    content = @Content(schema = @Schema(implementation = PushPublicKeyDto.class))
  )
    public PushPublicKeyDto getPublicKey() {
        PushPublicKeyDto r = new PushPublicKeyDto();
        r.setKey(publicKey);
@@ -41,11 +36,6 @@ public class PushSubscriptionController {
    @ApiResponse(responseCode = "200", description = "Subscribed")
    @SecurityRequirement(name = "JWT")
    public void subscribe(@RequestBody PushSubscriptionRequest req, Authentication auth) {
-    pushSubscriptionService.saveSubscription(
+        pushSubscriptionService.saveSubscription(auth.getName(), req.getEndpoint(), req.getP256dh(), req.getAuth());
      auth.getName(),
      req.getEndpoint(),
      req.getP256dh(),
      req.getAuth()
    );
    }
 }
--- a/backend/src/main/java/com/openisle/controller/ReactionController.java
+++ b/backend/src/main/java/com/openisle/controller/ReactionController.java
@@ -8,21 +8,20 @@ import com.openisle.model.ReactionType;
 import com.openisle.service.LevelService;
 import com.openisle.service.PointService;
 import com.openisle.service.ReactionService;
 import lombok.RequiredArgsConstructor;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.Authentication;
 import org.springframework.web.bind.annotation.*;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import lombok.RequiredArgsConstructor;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.Authentication;
 import org.springframework.web.bind.annotation.*;
@RestController
@RequestMapping("/api")
@RequiredArgsConstructor
 public class ReactionController {
    private final ReactionService reactionService;
    private final LevelService levelService;
    private final ReactionMapper reactionMapper;
@@ -33,28 +32,20 @@ public class ReactionController {
     */
    @GetMapping("/reaction-types")
    @Operation(summary = "List reaction types", description = "Get all available reaction types")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Reaction types",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = ReactionType[].class)))
    description = "Reaction types",
    content = @Content(schema = @Schema(implementation = ReactionType[].class))
  )
    public ReactionType[] listReactionTypes() {
        return ReactionType.values();
    }
    @PostMapping("/posts/{postId}/reactions")
    @Operation(summary = "React to post", description = "React to a post")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Reaction result",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = ReactionDto.class)))
    description = "Reaction result",
    content = @Content(schema = @Schema(implementation = ReactionDto.class))
  )
    @SecurityRequirement(name = "JWT")
-  public ResponseEntity<ReactionDto> reactToPost(
+    public ResponseEntity<ReactionDto> reactToPost(@PathVariable Long postId,
    @PathVariable Long postId,
                                                   @RequestBody ReactionRequest req,
-    Authentication auth
+                                                   Authentication auth) {
  ) {
        Reaction reaction = reactionService.reactToPost(auth.getName(), postId, req.getType());
        if (reaction == null) {
            pointService.deductForReactionOfPost(auth.getName(), postId);
@@ -68,17 +59,12 @@ public class ReactionController {
    @PostMapping("/comments/{commentId}/reactions")
    @Operation(summary = "React to comment", description = "React to a comment")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Reaction result",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = ReactionDto.class)))
    description = "Reaction result",
    content = @Content(schema = @Schema(implementation = ReactionDto.class))
  )
    @SecurityRequirement(name = "JWT")
-  public ResponseEntity<ReactionDto> reactToComment(
+    public ResponseEntity<ReactionDto> reactToComment(@PathVariable Long commentId,
    @PathVariable Long commentId,
                                                      @RequestBody ReactionRequest req,
-    Authentication auth
+                                                      Authentication auth) {
  ) {
        Reaction reaction = reactionService.reactToComment(auth.getName(), commentId, req.getType());
        if (reaction == null) {
            pointService.deductForReactionOfComment(auth.getName(), commentId);
@@ -92,17 +78,12 @@ public class ReactionController {
    @PostMapping("/messages/{messageId}/reactions")
    @Operation(summary = "React to message", description = "React to a message")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Reaction result",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = ReactionDto.class)))
    description = "Reaction result",
    content = @Content(schema = @Schema(implementation = ReactionDto.class))
  )
    @SecurityRequirement(name = "JWT")
-  public ResponseEntity<ReactionDto> reactToMessage(
+    public ResponseEntity<ReactionDto> reactToMessage(@PathVariable Long messageId,
    @PathVariable Long messageId,
                                                      @RequestBody ReactionRequest req,
-    Authentication auth
+                                                      Authentication auth) {
  ) {
        Reaction reaction = reactionService.reactToMessage(auth.getName(), messageId, req.getType());
        if (reaction == null) {
            return ResponseEntity.noContent().build();
--- a/backend/src/main/java/com/openisle/controller/RssController.java
+++ b/backend/src/main/java/com/openisle/controller/RssController.java
@@ -1,28 +1,10 @@
 package com.openisle.controller;
 import com.openisle.model.Post;
 import com.openisle.model.Comment;
 import com.openisle.model.CommentSort;
 import com.openisle.model.Post;
 import com.openisle.service.CommentService;
 import com.openisle.service.PostService;
-import com.vladsch.flexmark.ext.autolink.AutolinkExtension;
+import com.openisle.service.CommentService;
 import com.vladsch.flexmark.ext.gfm.strikethrough.StrikethroughExtension;
 import com.vladsch.flexmark.ext.gfm.tasklist.TaskListExtension;
 import com.vladsch.flexmark.ext.tables.TablesExtension;
 import com.vladsch.flexmark.html.HtmlRenderer;
 import com.vladsch.flexmark.parser.Parser;
 import com.vladsch.flexmark.util.data.MutableDataSet;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import java.net.URI;
 import java.time.ZoneId;
 import java.time.ZonedDateTime;
 import java.time.format.DateTimeFormatter;
 import java.util.*;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import lombok.RequiredArgsConstructor;
 import org.jsoup.Jsoup;
 import org.jsoup.nodes.Document;
@@ -31,11 +13,30 @@ import org.jsoup.safety.Safelist;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RestController;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import com.vladsch.flexmark.ext.autolink.AutolinkExtension;
 import com.vladsch.flexmark.ext.tables.TablesExtension;
 import com.vladsch.flexmark.ext.gfm.strikethrough.StrikethroughExtension;
 import com.vladsch.flexmark.ext.gfm.tasklist.TaskListExtension;
 import com.vladsch.flexmark.html.HtmlRenderer;
 import com.vladsch.flexmark.parser.Parser;
 import com.vladsch.flexmark.util.data.MutableDataSet;
 import java.net.URI;
 import java.time.ZoneId;
 import java.time.ZonedDateTime;
 import java.time.format.DateTimeFormatter;
 import java.util.*;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@RestController
@RequiredArgsConstructor
 public class RssController {
    private final PostService postService;
    private final CommentService commentService;
@@ -44,27 +45,21 @@ public class RssController {
    // 兼容 Markdown/HTML 两类图片写法（用于 enclosure）
    private static final Pattern MD_IMAGE = Pattern.compile("!\\[[^\\]]*\\]\\(([^)]+)\\)");
-  private static final Pattern HTML_IMAGE = Pattern.compile(
+    private static final Pattern HTML_IMAGE = Pattern.compile("<BaseImage[^>]+src=[\"']?([^\"'>]+)[\"']?[^>]*>");
    "<BaseImage[^>]+src=[\"']?([^\"'>]+)[\"']?[^>]*>"
  );
    private static final DateTimeFormatter RFC1123 = DateTimeFormatter.RFC_1123_DATE_TIME;
    // flexmark：Markdown -> HTML
    private static final Parser MD_PARSER;
    private static final HtmlRenderer MD_RENDERER;
    static {
        MutableDataSet opts = new MutableDataSet();
-    opts.set(
+        opts.set(Parser.EXTENSIONS, Arrays.asList(
      Parser.EXTENSIONS,
      Arrays.asList(
                TablesExtension.create(),
                AutolinkExtension.create(),
                StrikethroughExtension.create(),
                TaskListExtension.create()
-      )
+        ));
    );
        // 允许内联 HTML（下游再做 sanitize）
        opts.set(Parser.HTML_BLOCK_PARSER, true);
        MD_PARSER = Parser.builder(opts).build();
@@ -73,11 +68,7 @@ public class RssController {
    @GetMapping(value = "/api/rss", produces = "application/rss+xml;charset=UTF-8")
    @Operation(summary = "RSS feed", description = "Generate RSS feed for latest posts")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "RSS XML", content = @Content(schema = @Schema(implementation = String.class)))
    responseCode = "200",
    description = "RSS XML",
    content = @Content(schema = @Schema(implementation = String.class))
  )
    public String feed() {
        // 建议 20；你现在是 10，这里保留你的 10
        List<Post> posts = postService.listLatestRssPosts(10);
@@ -90,8 +81,7 @@ public class RssController {
        elem(sb, "title", cdata("OpenIsle RSS"));
        elem(sb, "link", base + "/");
        elem(sb, "description", cdata("Latest posts"));
-    ZonedDateTime updated = posts
+        ZonedDateTime updated = posts.stream()
      .stream()
                .map(p -> p.getCreatedAt().atZone(ZoneId.systemDefault()))
                .max(Comparator.naturalOrder())
                .orElse(ZonedDateTime.now());
@@ -124,10 +114,8 @@ public class RssController {
            }
            // 6) 构造优雅的附加区块（原文链接 + 精选评论），编入 <content:encoded>
-      List<Comment> topComments = commentService.getCommentsForPost(
+            List<Comment> topComments = commentService
-        p.getId(),
+                    .getCommentsForPost(p.getId(), CommentSort.MOST_INTERACTIONS);
        CommentSort.MOST_INTERACTIONS
      );
            topComments = topComments.subList(0, Math.min(10, topComments.size()));
            String footerHtml = buildFooterHtml(base, link, topComments);
@@ -139,19 +127,14 @@ public class RssController {
            // 摘要
            elem(sb, "description", cdata(plain));
            // 全文（HTML）：正文 + 优雅的 Markdown 区块（已转 HTML）
-      sb
+            sb.append("<content:encoded><![CDATA[")
        .append("<content:encoded><![CDATA[")
                    .append(absHtml)
                    .append(footerHtml)
                    .append("]]></content:encoded>");
            // 首图 enclosure（图片类型）
            if (enclosure != null) {
-        sb
+                sb.append("<enclosure url=\"").append(escapeXml(enclosure)).append("\" type=\"")
-          .append("<enclosure url=\"")
+                        .append(getMimeType(enclosure)).append("\" />");
          .append(escapeXml(enclosure))
          .append("\" type=\"")
          .append(getMimeType(enclosure))
          .append("\" />");
            }
            sb.append("</item>");
        }
@@ -173,26 +156,10 @@ public class RssController {
        if (html == null) return "";
        Safelist wl = Safelist.relaxed()
                .addTags(
-        "pre",
+                        "pre","code","figure","figcaption","picture","source",
-        "code",
+                        "table","thead","tbody","tr","th","td",
-        "figure",
+                        "h1","h2","h3","h4","h5","h6",
-        "figcaption",
+                        "hr","blockquote"
        "picture",
        "source",
        "table",
        "thead",
        "tbody",
        "tr",
        "th",
        "td",
        "h1",
        "h2",
        "h3",
        "h4",
        "h5",
        "h6",
        "hr",
        "blockquote"
                )
                .addAttributes("a", "href", "title", "target", "rel")
                .addAttributes("img", "src", "alt", "title", "width", "height")
@@ -308,24 +275,15 @@ public class RssController {
     * 将“原文链接 + 精选评论（最多 10 条）”以优雅的 Markdown 形式渲染为 HTML，
     * 并做 sanitize + 绝对化，然后拼入 content:encoded 尾部。
     */
-  private static String buildFooterHtml(
+    private static String buildFooterHtml(String baseUrl, String originalLink, List<Comment> topComments) {
    String baseUrl,
    String originalLink,
    List<Comment> topComments
  ) {
        StringBuilder md = new StringBuilder(256);
        // 分割线
        md.append("\n\n---\n\n");
        // 原文链接（强调 + 可点击）
-    md
+        md.append("**原文链接：** ")
-      .append("**原文链接：** ")
+                .append("[").append(originalLink).append("](").append(originalLink).append(")")
      .append("[")
      .append(originalLink)
      .append("](")
      .append(originalLink)
      .append(")")
                .append("\n\n");
        // 精选评论（仅当有评论时展示）
@@ -382,12 +340,8 @@ public class RssController {
    private static String escapeXml(String s) {
        if (s == null) return "";
-    return s
+        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
-      .replace("&", "&amp;")
+                .replace("\"", "&quot;").replace("'", "&apos;");
      .replace("<", "&lt;")
      .replace(">", "&gt;")
      .replace("\"", "&quot;")
      .replace("'", "&apos;");
    }
    private static String trimTrailingSlash(String s) {
@@ -400,7 +354,5 @@ public class RssController {
        return s.endsWith("/") ? s : s + "/";
    }
-  private static String nullSafe(String s) {
+    private static String nullSafe(String s) { return s == null ? "" : s; }
    return s == null ? "" : s;
  }
 }
--- a/backend/src/main/java/com/openisle/controller/SearchController.java
+++ b/backend/src/main/java/com/openisle/controller/SearchController.java
@@ -6,107 +6,74 @@ import com.openisle.dto.UserDto;
 import com.openisle.mapper.PostMapper;
 import com.openisle.mapper.UserMapper;
 import com.openisle.service.SearchService;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.media.ArraySchema;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import java.util.List;
 import java.util.stream.Collectors;
 import lombok.RequiredArgsConstructor;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.media.ArraySchema;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import java.util.List;
 import java.util.stream.Collectors;
@RestController
@RequestMapping("/api/search")
@RequiredArgsConstructor
 public class SearchController {
    private final SearchService searchService;
    private final UserMapper userMapper;
    private final PostMapper postMapper;
    @GetMapping("/users")
    @Operation(summary = "Search users", description = "Search users by keyword")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "List of users",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = UserDto.class))))
    description = "List of users",
    content = @Content(array = @ArraySchema(schema = @Schema(implementation = UserDto.class)))
  )
    public List<UserDto> searchUsers(@RequestParam String keyword) {
-    return searchService
+        return searchService.searchUsers(keyword).stream()
      .searchUsers(keyword)
      .stream()
                .map(userMapper::toDto)
                .collect(Collectors.toList());
    }
    @GetMapping("/posts")
    @Operation(summary = "Search posts", description = "Search posts by keyword")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "List of posts",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = PostSummaryDto.class))))
    description = "List of posts",
    content = @Content(
      array = @ArraySchema(schema = @Schema(implementation = PostSummaryDto.class))
    )
  )
    public List<PostSummaryDto> searchPosts(@RequestParam String keyword) {
-    return searchService
+        return searchService.searchPosts(keyword).stream()
      .searchPosts(keyword)
      .stream()
                .map(postMapper::toSummaryDto)
                .collect(Collectors.toList());
    }
    @GetMapping("/posts/content")
    @Operation(summary = "Search posts by content", description = "Search posts by content keyword")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "List of posts",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = PostSummaryDto.class))))
    description = "List of posts",
    content = @Content(
      array = @ArraySchema(schema = @Schema(implementation = PostSummaryDto.class))
    )
  )
    public List<PostSummaryDto> searchPostsByContent(@RequestParam String keyword) {
-    return searchService
+        return searchService.searchPostsByContent(keyword).stream()
      .searchPostsByContent(keyword)
      .stream()
                .map(postMapper::toSummaryDto)
                .collect(Collectors.toList());
    }
    @GetMapping("/posts/title")
    @Operation(summary = "Search posts by title", description = "Search posts by title keyword")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "List of posts",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = PostSummaryDto.class))))
    description = "List of posts",
    content = @Content(
      array = @ArraySchema(schema = @Schema(implementation = PostSummaryDto.class))
    )
  )
    public List<PostSummaryDto> searchPostsByTitle(@RequestParam String keyword) {
-    return searchService
+        return searchService.searchPostsByTitle(keyword).stream()
      .searchPostsByTitle(keyword)
      .stream()
                .map(postMapper::toSummaryDto)
                .collect(Collectors.toList());
    }
    @GetMapping("/global")
    @Operation(summary = "Global search", description = "Search users and posts globally")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Search results",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = SearchResultDto.class))))
    description = "Search results",
    content = @Content(
      array = @ArraySchema(schema = @Schema(implementation = SearchResultDto.class))
    )
  )
    public List<SearchResultDto> global(@RequestParam String keyword) {
-    return searchService
+        return searchService.globalSearch(keyword).stream()
      .globalSearch(keyword)
      .stream()
                .map(r -> {
                    SearchResultDto dto = new SearchResultDto();
                    dto.setType(r.type());
@@ -115,9 +82,6 @@ public class SearchController {
                    dto.setSubText(r.subText());
                    dto.setExtra(r.extra());
                    dto.setPostId(r.postId());
        dto.setHighlightedText(r.highlightedText());
        dto.setHighlightedSubText(r.highlightedSubText());
        dto.setHighlightedExtra(r.highlightedExtra());
                    return dto;
                })
                .collect(Collectors.toList());
--- a/backend/src/main/java/com/openisle/controller/SitemapController.java
+++ b/backend/src/main/java/com/openisle/controller/SitemapController.java
@@ -3,11 +3,6 @@ package com.openisle.controller;
 import com.openisle.model.Post;
 import com.openisle.model.PostStatus;
 import com.openisle.repository.PostRepository;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import java.util.List;
 import lombok.RequiredArgsConstructor;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.MediaType;
@@ -15,6 +10,12 @@ import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import java.util.List;
 /**
 * Controller for dynamic sitemap generation.
@@ -23,7 +24,6 @@ import org.springframework.web.bind.annotation.RestController;
@RequiredArgsConstructor
@RequestMapping("/api")
 public class SitemapController {
    private final PostRepository postRepository;
    @Value("${app.website-url}")
@@ -31,11 +31,8 @@ public class SitemapController {
    @GetMapping(value = "/sitemap.xml", produces = MediaType.APPLICATION_XML_VALUE)
    @Operation(summary = "Sitemap", description = "Generate sitemap xml")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Sitemap xml",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = String.class)))
    description = "Sitemap xml",
    content = @Content(schema = @Schema(implementation = String.class))
  )
    public ResponseEntity<String> sitemap() {
        List<Post> posts = postRepository.findByStatus(PostStatus.PUBLISHED);
@@ -43,15 +40,23 @@ public class SitemapController {
        body.append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n");
        body.append("<urlset xmlns=\"http://www.sitemaps.org/schemas/sitemap/0.9\">\n");
-    List<String> staticRoutes = List.of("/", "/about", "/activities", "/login", "/signup");
+        List<String> staticRoutes = List.of(
                "/",
                "/about",
                "/activities",
                "/login",
                "/signup"
        );
        for (String path : staticRoutes) {
-      body.append("  <url><loc>").append(websiteUrl).append(path).append("</loc></url>\n");
+            body.append("  <url><loc>")
                .append(websiteUrl)
                .append(path)
                .append("</loc></url>\n");
        }
        for (Post p : posts) {
-      body
+            body.append("  <url>\n")
        .append("  <url>\n")
                .append("    <loc>")
                .append(websiteUrl)
                .append("/posts/")
@@ -64,6 +69,8 @@ public class SitemapController {
        }
        body.append("</urlset>");
-    return ResponseEntity.ok().contentType(MediaType.APPLICATION_XML).body(body.toString());
+        return ResponseEntity.ok()
                .contentType(MediaType.APPLICATION_XML)
                .body(body.toString());
    }
 }
--- a/backend/src/main/java/com/openisle/controller/StatController.java
+++ b/backend/src/main/java/com/openisle/controller/StatController.java
@@ -1,127 +1,105 @@
 package com.openisle.controller;
 import com.openisle.service.StatService;
 import com.openisle.service.UserVisitService;
-import io.swagger.v3.oas.annotations.Operation;
+import com.openisle.service.StatService;
 import io.swagger.v3.oas.annotations.media.ArraySchema;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import java.time.LocalDate;
 import java.util.List;
 import java.util.Map;
 import lombok.RequiredArgsConstructor;
 import org.springframework.format.annotation.DateTimeFormat;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.media.ArraySchema;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import java.time.LocalDate;
 import java.util.List;
 import java.util.Map;
@RestController
@RequestMapping("/api/stats")
@RequiredArgsConstructor
 public class StatController {
    private final UserVisitService userVisitService;
    private final StatService statService;
    @GetMapping("/dau")
    @Operation(summary = "Daily active users", description = "Get daily active user count")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "DAU count",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = java.util.Map.class)))
-    description = "DAU count",
+    public Map<String, Long> dau(@RequestParam(value = "date", required = false)
-    content = @Content(schema = @Schema(implementation = java.util.Map.class))
+                                 @DateTimeFormat(iso = DateTimeFormat.ISO.DATE) LocalDate date) {
  )
  public Map<String, Long> dau(
    @RequestParam(value = "date", required = false) @DateTimeFormat(
      iso = DateTimeFormat.ISO.DATE
    ) LocalDate date
  ) {
        long count = userVisitService.countDau(date);
        return Map.of("dau", count);
    }
    @GetMapping("/dau-range")
    @Operation(summary = "DAU range", description = "Get daily active users over range of days")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "DAU data",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = java.util.Map.class))))
-    description = "DAU data",
+    public List<Map<String, Object>> dauRange(@RequestParam(value = "days", defaultValue = "30") int days) {
    content = @Content(array = @ArraySchema(schema = @Schema(implementation = java.util.Map.class)))
  )
  public List<Map<String, Object>> dauRange(
    @RequestParam(value = "days", defaultValue = "30") int days
  ) {
        if (days < 1) days = 1;
        LocalDate end = LocalDate.now();
        LocalDate start = end.minusDays(days - 1L);
        var data = userVisitService.countDauRange(start, end);
-    return data
+        return data.entrySet().stream()
-      .entrySet()
+                .map(e -> Map.<String,Object>of(
-      .stream()
+                        "date",  e.getKey().toString(),
-      .map(e -> Map.<String, Object>of("date", e.getKey().toString(), "value", e.getValue()))
+                        "value", e.getValue()
                ))
                .toList();
    }
    @GetMapping("/new-users-range")
    @Operation(summary = "New users range", description = "Get new users over range of days")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "New user data",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = java.util.Map.class))))
-    description = "New user data",
+    public List<Map<String, Object>> newUsersRange(@RequestParam(value = "days", defaultValue = "30") int days) {
    content = @Content(array = @ArraySchema(schema = @Schema(implementation = java.util.Map.class)))
  )
  public List<Map<String, Object>> newUsersRange(
    @RequestParam(value = "days", defaultValue = "30") int days
  ) {
        if (days < 1) days = 1;
        LocalDate end = LocalDate.now();
        LocalDate start = end.minusDays(days - 1L);
        var data = statService.countNewUsersRange(start, end);
-    return data
+        return data.entrySet().stream()
-      .entrySet()
+                .map(e -> Map.<String,Object>of(
-      .stream()
+                        "date", e.getKey().toString(),
-      .map(e -> Map.<String, Object>of("date", e.getKey().toString(), "value", e.getValue()))
+                        "value", e.getValue()
                ))
                .toList();
    }
    @GetMapping("/posts-range")
    @Operation(summary = "Posts range", description = "Get posts count over range of days")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Post data",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = java.util.Map.class))))
-    description = "Post data",
+    public List<Map<String, Object>> postsRange(@RequestParam(value = "days", defaultValue = "30") int days) {
    content = @Content(array = @ArraySchema(schema = @Schema(implementation = java.util.Map.class)))
  )
  public List<Map<String, Object>> postsRange(
    @RequestParam(value = "days", defaultValue = "30") int days
  ) {
        if (days < 1) days = 1;
        LocalDate end = LocalDate.now();
        LocalDate start = end.minusDays(days - 1L);
        var data = statService.countPostsRange(start, end);
-    return data
+        return data.entrySet().stream()
-      .entrySet()
+                .map(e -> Map.<String,Object>of(
-      .stream()
+                        "date", e.getKey().toString(),
-      .map(e -> Map.<String, Object>of("date", e.getKey().toString(), "value", e.getValue()))
+                        "value", e.getValue()
                ))
                .toList();
    }
    @GetMapping("/comments-range")
    @Operation(summary = "Comments range", description = "Get comments count over range of days")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Comment data",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = java.util.Map.class))))
-    description = "Comment data",
+    public List<Map<String, Object>> commentsRange(@RequestParam(value = "days", defaultValue = "30") int days) {
    content = @Content(array = @ArraySchema(schema = @Schema(implementation = java.util.Map.class)))
  )
  public List<Map<String, Object>> commentsRange(
    @RequestParam(value = "days", defaultValue = "30") int days
  ) {
        if (days < 1) days = 1;
        LocalDate end = LocalDate.now();
        LocalDate start = end.minusDays(days - 1L);
        var data = statService.countCommentsRange(start, end);
-    return data
+        return data.entrySet().stream()
-      .entrySet()
+                .map(e -> Map.<String,Object>of(
-      .stream()
+                        "date", e.getKey().toString(),
-      .map(e -> Map.<String, Object>of("date", e.getKey().toString(), "value", e.getValue()))
+                        "value", e.getValue()
                ))
                .toList();
    }
 }
--- a/backend/src/main/java/com/openisle/controller/SubscriptionController.java
+++ b/backend/src/main/java/com/openisle/controller/SubscriptionController.java
@@ -1,19 +1,18 @@
 package com.openisle.controller;
 import com.openisle.service.SubscriptionService;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import lombok.RequiredArgsConstructor;
 import org.springframework.security.core.Authentication;
 import org.springframework.web.bind.annotation.*;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 /** Endpoints for subscribing to posts, comments and users. */
@RestController
@RequestMapping("/api/subscriptions")
@RequiredArgsConstructor
 public class SubscriptionController {
    private final SubscriptionService subscriptionService;
    @PostMapping("/posts/{postId}")
--- a/backend/src/main/java/com/openisle/controller/TagController.java
+++ b/backend/src/main/java/com/openisle/controller/TagController.java
@@ -11,23 +11,23 @@ import com.openisle.model.Tag;
 import com.openisle.repository.UserRepository;
 import com.openisle.service.PostService;
 import com.openisle.service.TagService;
 import lombok.RequiredArgsConstructor;
 import org.springframework.web.bind.annotation.*;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.media.ArraySchema;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import java.util.List;
 import java.util.Map;
 import java.util.stream.Collectors;
 import lombok.RequiredArgsConstructor;
 import org.springframework.web.bind.annotation.*;
@RestController
@RequestMapping("/api/tags")
@RequiredArgsConstructor
 public class TagController {
    private final TagService tagService;
    private final PostService postService;
    private final UserRepository userRepository;
@@ -36,16 +36,10 @@ public class TagController {
    @PostMapping
    @Operation(summary = "Create tag", description = "Create a new tag")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Created tag",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = TagDto.class)))
    description = "Created tag",
    content = @Content(schema = @Schema(implementation = TagDto.class))
  )
    @SecurityRequirement(name = "JWT")
-  public TagDto create(
+    public TagDto create(@RequestBody TagRequest req, org.springframework.security.core.Authentication auth) {
    @RequestBody TagRequest req,
    org.springframework.security.core.Authentication auth
  ) {
        boolean approved = true;
        if (postService.getPublishMode() == PublishMode.REVIEW && auth != null) {
            com.openisle.model.User user = userRepository.findByUsername(auth.getName()).orElseThrow();
@@ -59,27 +53,17 @@ public class TagController {
                req.getIcon(),
                req.getSmallIcon(),
                approved,
-      auth != null ? auth.getName() : null
+                auth != null ? auth.getName() : null);
    );
        long count = postService.countPostsByTag(tag.getId());
        return tagMapper.toDto(tag, count);
    }
    @PutMapping("/{id}")
    @Operation(summary = "Update tag", description = "Update an existing tag")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Updated tag",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = TagDto.class)))
    description = "Updated tag",
    content = @Content(schema = @Schema(implementation = TagDto.class))
  )
    public TagDto update(@PathVariable Long id, @RequestBody TagRequest req) {
-    Tag tag = tagService.updateTag(
+        Tag tag = tagService.updateTag(id, req.getName(), req.getDescription(), req.getIcon(), req.getSmallIcon());
      id,
      req.getName(),
      req.getDescription(),
      req.getIcon(),
      req.getSmallIcon()
    );
        long count = postService.countPostsByTag(tag.getId());
        return tagMapper.toDto(tag, count);
    }
@@ -93,50 +77,27 @@ public class TagController {
    @GetMapping
    @Operation(summary = "List tags", description = "List tags with optional keyword")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "List of tags",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = TagDto.class))))
-    description = "List of tags",
+    public List<TagDto> list(@RequestParam(value = "keyword", required = false) String keyword,
-    content = @Content(array = @ArraySchema(schema = @Schema(implementation = TagDto.class)))
+                             @RequestParam(value = "limit", required = false) Integer limit) {
  )
  public List<TagDto> list(
    @RequestParam(value = "keyword", required = false) String keyword,
    @RequestParam(value = "page", required = false) Integer page,
    @RequestParam(value = "pageSize", required = false) Integer pageSize,
    @RequestParam(value = "limit", required = false) Integer limit
  ) {
        List<Tag> tags = tagService.searchTags(keyword);
        List<Long> tagIds = tags.stream().map(Tag::getId).toList();
        Map<Long, Long> postCntByTagIds = postService.countPostsByTagIds(tagIds);
-    if (postCntByTagIds == null) {
+        List<TagDto> dtos = tags.stream()
-      postCntByTagIds = java.util.Collections.emptyMap();
+                .map(t -> tagMapper.toDto(t, postCntByTagIds.getOrDefault(t.getId(), 0L)))
    }
    Map<Long, Long> finalPostCntByTagIds = postCntByTagIds;
    List<TagDto> dtos = tags
      .stream()
      .map(t -> tagMapper.toDto(t, finalPostCntByTagIds.getOrDefault(t.getId(), 0L)))
                .sorted((a, b) -> Long.compare(b.getCount(), a.getCount()))
                .collect(Collectors.toList());
    if (page != null && pageSize != null && page >= 0 && pageSize > 0) {
      int fromIndex = page * pageSize;
      if (fromIndex >= dtos.size()) {
        return java.util.Collections.emptyList();
      }
      int toIndex = Math.min(fromIndex + pageSize, dtos.size());
      return new java.util.ArrayList<>(dtos.subList(fromIndex, toIndex));
    }
        if (limit != null && limit > 0 && dtos.size() > limit) {
-      return new java.util.ArrayList<>(dtos.subList(0, limit));
+            return dtos.subList(0, limit);
        }
        return dtos;
    }
    @GetMapping("/{id}")
    @Operation(summary = "Get tag", description = "Get tag by id")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Tag detail",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = TagDto.class)))
    description = "Tag detail",
    content = @Content(schema = @Schema(implementation = TagDto.class))
  )
    public TagDto get(@PathVariable Long id) {
        Tag tag = tagService.getTag(id);
        long count = postService.countPostsByTag(tag.getId());
@@ -145,20 +106,12 @@ public class TagController {
    @GetMapping("/{id}/posts")
    @Operation(summary = "List posts by tag", description = "Get posts with specific tag")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "List of posts",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = PostSummaryDto.class))))
-    description = "List of posts",
+    public List<PostSummaryDto> listPostsByTag(@PathVariable Long id,
    content = @Content(
      array = @ArraySchema(schema = @Schema(implementation = PostSummaryDto.class))
    )
  )
  public List<PostSummaryDto> listPostsByTag(
    @PathVariable Long id,
                                               @RequestParam(value = "page", required = false) Integer page,
-    @RequestParam(value = "pageSize", required = false) Integer pageSize
+                                               @RequestParam(value = "pageSize", required = false) Integer pageSize) {
-  ) {
+        return postService.listPostsByTags(java.util.List.of(id), page, pageSize)
    return postService
      .listPostsByTags(java.util.List.of(id), page, pageSize)
                .stream()
                .map(postMapper::toSummaryDto)
                .collect(Collectors.toList());
--- a/backend/src/main/java/com/openisle/controller/UploadController.java
+++ b/backend/src/main/java/com/openisle/controller/UploadController.java
@@ -1,27 +1,27 @@
 package com.openisle.controller;
 import com.openisle.service.ImageUploader;
 import lombok.RequiredArgsConstructor;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.multipart.MultipartFile;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.net.URI;
 import java.net.URL;
 import java.net.URLConnection;
 import java.util.Map;
 import lombok.RequiredArgsConstructor;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.multipart.MultipartFile;
@RestController
@RequestMapping("/api/upload")
@RequiredArgsConstructor
 public class UploadController {
    private final ImageUploader imageUploader;
    @Value("${app.upload.check-type:true}")
@@ -32,16 +32,10 @@ public class UploadController {
    @PostMapping
    @Operation(summary = "Upload file", description = "Upload image file")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Upload result",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = java.util.Map.class)))
    description = "Upload result",
    content = @Content(schema = @Schema(implementation = java.util.Map.class))
  )
    public ResponseEntity<?> upload(@RequestParam("file") MultipartFile file) {
-    if (
+        if (checkImageType && (file.getContentType() == null || !file.getContentType().startsWith("image/"))) {
      checkImageType &&
      (file.getContentType() == null || !file.getContentType().startsWith("image/"))
    ) {
            return ResponseEntity.badRequest().body(Map.of("code", 1, "msg", "File is not an image"));
        }
        if (file.getSize() > maxUploadSize) {
@@ -53,16 +47,17 @@ public class UploadController {
        } catch (IOException e) {
            return ResponseEntity.internalServerError().body(Map.of("code", 3, "msg", "Upload failed"));
        }
-    return ResponseEntity.ok(Map.of("code", 0, "msg", "ok", "data", Map.of("url", url)));
+        return ResponseEntity.ok(Map.of(
                "code", 0,
                "msg", "ok",
                "data", Map.of("url", url)
        ));
    }
    @PostMapping("/url")
    @Operation(summary = "Upload from URL", description = "Upload image from remote URL")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Upload result",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = java.util.Map.class)))
    description = "Upload result",
    content = @Content(schema = @Schema(implementation = java.util.Map.class))
  )
    public ResponseEntity<?> uploadUrl(@RequestBody Map<String, String> body) {
        String link = body.get("url");
        if (link == null || link.isBlank()) {
@@ -80,7 +75,11 @@ public class UploadController {
                return ResponseEntity.badRequest().body(Map.of("code", 1, "msg", "File is not an image"));
            }
            String url = imageUploader.upload(data, filename).join();
-      return ResponseEntity.ok(Map.of("code", 0, "msg", "ok", "data", Map.of("url", url)));
+            return ResponseEntity.ok(Map.of(
                    "code", 0,
                    "msg", "ok",
                    "data", Map.of("url", url)
            ));
        } catch (Exception e) {
            return ResponseEntity.internalServerError().body(Map.of("code", 3, "msg", "Upload failed"));
        }
@@ -88,11 +87,8 @@ public class UploadController {
    @GetMapping("/presign")
    @Operation(summary = "Presign upload", description = "Get presigned upload URL")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Presigned URL",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = java.util.Map.class)))
    description = "Presigned URL",
    content = @Content(schema = @Schema(implementation = java.util.Map.class))
  )
    public java.util.Map<String, String> presign(@RequestParam("filename") String filename) {
        return imageUploader.presignUpload(filename);
    }
--- a/backend/src/main/java/com/openisle/controller/UserController.java
+++ b/backend/src/main/java/com/openisle/controller/UserController.java
@@ -12,8 +12,6 @@ import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import java.io.IOException;
 import java.util.Map;
 import lombok.RequiredArgsConstructor;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.ResponseEntity;
@@ -21,11 +19,13 @@ import org.springframework.security.core.Authentication;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.multipart.MultipartFile;
 import java.io.IOException;
 import java.util.Map;
@RestController
@RequestMapping("/api/users")
@RequiredArgsConstructor
 public class UserController {
    private final UserService userService;
    private final ImageUploader imageUploader;
    private final PostService postService;
@@ -56,11 +56,8 @@ public class UserController {
    @GetMapping("/me")
    @SecurityRequirement(name = "JWT")
    @Operation(summary = "Current user", description = "Get current authenticated user information")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "User detail",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = UserDto.class)))
    description = "User detail",
    content = @Content(schema = @Schema(implementation = UserDto.class))
  )
    public ResponseEntity<UserDto> me(Authentication auth) {
        User user = userService.findByUsername(auth.getName()).orElseThrow();
        return ResponseEntity.ok(userMapper.toDto(user, auth));
@@ -69,19 +66,11 @@ public class UserController {
    @PostMapping("/me/avatar")
    @SecurityRequirement(name = "JWT")
    @Operation(summary = "Upload avatar", description = "Upload avatar for current user")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Upload result",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = Map.class)))
-    description = "Upload result",
+    public ResponseEntity<?> uploadAvatar(@RequestParam("file") MultipartFile file,
-    content = @Content(schema = @Schema(implementation = Map.class))
+                                          Authentication auth) {
-  )
+        if (checkImageType && (file.getContentType() == null || !file.getContentType().startsWith("image/"))) {
  public ResponseEntity<?> uploadAvatar(
    @RequestParam("file") MultipartFile file,
    Authentication auth
  ) {
    if (
      checkImageType &&
      (file.getContentType() == null || !file.getContentType().startsWith("image/"))
    ) {
            return ResponseEntity.badRequest().body(Map.of("error", "File is not an image"));
        }
        if (file.getSize() > maxUploadSize) {
@@ -100,32 +89,23 @@ public class UserController {
    @PutMapping("/me")
    @SecurityRequirement(name = "JWT")
    @Operation(summary = "Update profile", description = "Update current user's profile")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Updated profile",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = Map.class)))
-    description = "Updated profile",
+    public ResponseEntity<?> updateProfile(@RequestBody UpdateProfileDto dto,
-    content = @Content(schema = @Schema(implementation = Map.class))
+                                           Authentication auth) {
  )
  public ResponseEntity<?> updateProfile(@RequestBody UpdateProfileDto dto, Authentication auth) {
        User user = userService.updateProfile(auth.getName(), dto.getUsername(), dto.getIntroduction());
-    return ResponseEntity.ok(
+        return ResponseEntity.ok(Map.of(
-      Map.of(
+                "token", jwtService.generateToken(user.getUsername()),
-        "token",
+                "user", userMapper.toDto(user, auth)
-        jwtService.generateToken(user.getUsername()),
+        ));
        "user",
        userMapper.toDto(user, auth)
      )
    );
    }
    // 这个方法似乎没有使用？
    @PostMapping("/me/signin")
    @SecurityRequirement(name = "JWT")
    @Operation(summary = "Daily sign in", description = "Sign in to receive rewards")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Sign in reward",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = Map.class)))
    description = "Sign in reward",
    content = @Content(schema = @Schema(implementation = Map.class))
  )
    public Map<String, Integer> signIn(Authentication auth) {
        int reward = levelService.awardForSignin(auth.getName());
        return Map.of("reward", reward);
@@ -133,57 +113,36 @@ public class UserController {
    @GetMapping("/{identifier}")
    @Operation(summary = "Get user", description = "Get user by identifier")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "User detail",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = UserDto.class)))
-    description = "User detail",
+    public ResponseEntity<UserDto> getUser(@PathVariable("identifier") String identifier,
-    content = @Content(schema = @Schema(implementation = UserDto.class))
+                                           Authentication auth) {
-  )
+        User user = userService.findByIdentifier(identifier).orElseThrow(() -> new NotFoundException("User not found"));
  public ResponseEntity<UserDto> getUser(
    @PathVariable("identifier") String identifier,
    Authentication auth
  ) {
    User user = userService
      .findByIdentifier(identifier)
      .orElseThrow(() -> new NotFoundException("User not found"));
        return ResponseEntity.ok(userMapper.toDto(user, auth));
    }
    @GetMapping("/{identifier}/posts")
    @Operation(summary = "User posts", description = "Get recent posts by user")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "User posts",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = PostMetaDto.class))))
-    description = "User posts",
+    public java.util.List<PostMetaDto> userPosts(@PathVariable("identifier") String identifier,
-    content = @Content(array = @ArraySchema(schema = @Schema(implementation = PostMetaDto.class)))
+                                                 @RequestParam(value = "limit", required = false) Integer limit) {
  )
  public java.util.List<PostMetaDto> userPosts(
    @PathVariable("identifier") String identifier,
    @RequestParam(value = "limit", required = false) Integer limit
  ) {
        int l = limit != null ? limit : defaultPostsLimit;
        User user = userService.findByIdentifier(identifier).orElseThrow();
-    return postService
+        return postService.getRecentPostsByUser(user.getUsername(), l).stream()
      .getRecentPostsByUser(user.getUsername(), l)
      .stream()
                .map(userMapper::toMetaDto)
                .collect(java.util.stream.Collectors.toList());
    }
    @GetMapping("/{identifier}/subscribed-posts")
    @Operation(summary = "Subscribed posts", description = "Get posts the user subscribed to")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Subscribed posts",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = PostMetaDto.class))))
-    description = "Subscribed posts",
+    public java.util.List<PostMetaDto> subscribedPosts(@PathVariable("identifier") String identifier,
-    content = @Content(array = @ArraySchema(schema = @Schema(implementation = PostMetaDto.class)))
+                                                       @RequestParam(value = "limit", required = false) Integer limit) {
  )
  public java.util.List<PostMetaDto> subscribedPosts(
    @PathVariable("identifier") String identifier,
    @RequestParam(value = "limit", required = false) Integer limit
  ) {
        int l = limit != null ? limit : defaultPostsLimit;
        User user = userService.findByIdentifier(identifier).orElseThrow();
-    return subscriptionService
+        return subscriptionService.getSubscribedPosts(user.getUsername()).stream()
      .getSubscribedPosts(user.getUsername())
      .stream()
                .limit(l)
                .map(userMapper::toMetaDto)
                .collect(java.util.stream.Collectors.toList());
@@ -191,86 +150,54 @@ public class UserController {
    @GetMapping("/{identifier}/replies")
    @Operation(summary = "User replies", description = "Get recent replies by user")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "User replies",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = CommentInfoDto.class))))
-    description = "User replies",
+    public java.util.List<CommentInfoDto> userReplies(@PathVariable("identifier") String identifier,
-    content = @Content(
+                                                      @RequestParam(value = "limit", required = false) Integer limit) {
      array = @ArraySchema(schema = @Schema(implementation = CommentInfoDto.class))
    )
  )
  public java.util.List<CommentInfoDto> userReplies(
    @PathVariable("identifier") String identifier,
    @RequestParam(value = "limit", required = false) Integer limit
  ) {
        int l = limit != null ? limit : defaultRepliesLimit;
        User user = userService.findByIdentifier(identifier).orElseThrow();
-    return commentService
+        return commentService.getRecentCommentsByUser(user.getUsername(), l).stream()
      .getRecentCommentsByUser(user.getUsername(), l)
      .stream()
                .map(userMapper::toCommentInfoDto)
                .collect(java.util.stream.Collectors.toList());
    }
    @GetMapping("/{identifier}/hot-posts")
    @Operation(summary = "User hot posts", description = "Get most reacted posts by user")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Hot posts",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = PostMetaDto.class))))
-    description = "Hot posts",
+    public java.util.List<PostMetaDto> hotPosts(@PathVariable("identifier") String identifier,
-    content = @Content(array = @ArraySchema(schema = @Schema(implementation = PostMetaDto.class)))
+                                                @RequestParam(value = "limit", required = false) Integer limit) {
  )
  public java.util.List<PostMetaDto> hotPosts(
    @PathVariable("identifier") String identifier,
    @RequestParam(value = "limit", required = false) Integer limit
  ) {
        int l = limit != null ? limit : 10;
        User user = userService.findByIdentifier(identifier).orElseThrow();
        java.util.List<Long> ids = reactionService.topPostIds(user.getUsername(), l);
-    return postService
+        return postService.getPostsByIds(ids).stream()
      .getPostsByIds(ids)
      .stream()
                .map(userMapper::toMetaDto)
                .collect(java.util.stream.Collectors.toList());
    }
    @GetMapping("/{identifier}/hot-replies")
    @Operation(summary = "User hot replies", description = "Get most reacted replies by user")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Hot replies",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = CommentInfoDto.class))))
-    description = "Hot replies",
+    public java.util.List<CommentInfoDto> hotReplies(@PathVariable("identifier") String identifier,
-    content = @Content(
+                                                     @RequestParam(value = "limit", required = false) Integer limit) {
      array = @ArraySchema(schema = @Schema(implementation = CommentInfoDto.class))
    )
  )
  public java.util.List<CommentInfoDto> hotReplies(
    @PathVariable("identifier") String identifier,
    @RequestParam(value = "limit", required = false) Integer limit
  ) {
        int l = limit != null ? limit : 10;
        User user = userService.findByIdentifier(identifier).orElseThrow();
        java.util.List<Long> ids = reactionService.topCommentIds(user.getUsername(), l);
-    return commentService
+        return commentService.getCommentsByIds(ids).stream()
      .getCommentsByIds(ids)
      .stream()
                .map(userMapper::toCommentInfoDto)
                .collect(java.util.stream.Collectors.toList());
    }
    @GetMapping("/{identifier}/hot-tags")
    @Operation(summary = "User hot tags", description = "Get tags frequently used by user")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Hot tags",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = TagDto.class))))
-    description = "Hot tags",
+    public java.util.List<TagDto> hotTags(@PathVariable("identifier") String identifier,
-    content = @Content(array = @ArraySchema(schema = @Schema(implementation = TagDto.class)))
+                                          @RequestParam(value = "limit", required = false) Integer limit) {
  )
  public java.util.List<TagDto> hotTags(
    @PathVariable("identifier") String identifier,
    @RequestParam(value = "limit", required = false) Integer limit
  ) {
        int l = limit != null ? limit : 10;
        User user = userService.findByIdentifier(identifier).orElseThrow();
-    return tagService
+        return tagService.getTagsByUser(user.getUsername()).stream()
      .getTagsByUser(user.getUsername())
      .stream()
                .map(t -> tagMapper.toDto(t, postService.countPostsByTag(t.getId())))
                .sorted((a, b) -> Long.compare(b.getCount(), a.getCount()))
                .limit(l)
@@ -279,95 +206,64 @@ public class UserController {
    @GetMapping("/{identifier}/tags")
    @Operation(summary = "User tags", description = "Get recent tags used by user")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "User tags",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = TagDto.class))))
-    description = "User tags",
+    public java.util.List<TagDto> userTags(@PathVariable("identifier") String identifier,
-    content = @Content(array = @ArraySchema(schema = @Schema(implementation = TagDto.class)))
+                                           @RequestParam(value = "limit", required = false) Integer limit) {
  )
  public java.util.List<TagDto> userTags(
    @PathVariable("identifier") String identifier,
    @RequestParam(value = "limit", required = false) Integer limit
  ) {
        int l = limit != null ? limit : defaultTagsLimit;
        User user = userService.findByIdentifier(identifier).orElseThrow();
-    return tagService
+        return tagService.getRecentTagsByUser(user.getUsername(), l).stream()
      .getRecentTagsByUser(user.getUsername(), l)
      .stream()
                .map(t -> tagMapper.toDto(t, postService.countPostsByTag(t.getId())))
                .collect(java.util.stream.Collectors.toList());
    }
    @GetMapping("/{identifier}/following")
    @Operation(summary = "Following users", description = "Get users that this user is following")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Following list",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = UserDto.class))))
    description = "Following list",
    content = @Content(array = @ArraySchema(schema = @Schema(implementation = UserDto.class)))
  )
    public java.util.List<UserDto> following(@PathVariable("identifier") String identifier) {
        User user = userService.findByIdentifier(identifier).orElseThrow();
-    return subscriptionService
+        return subscriptionService.getSubscribedUsers(user.getUsername()).stream()
      .getSubscribedUsers(user.getUsername())
      .stream()
                .map(userMapper::toDto)
                .collect(java.util.stream.Collectors.toList());
    }
    @GetMapping("/{identifier}/followers")
    @Operation(summary = "Followers", description = "Get followers of this user")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Followers list",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = UserDto.class))))
    description = "Followers list",
    content = @Content(array = @ArraySchema(schema = @Schema(implementation = UserDto.class)))
  )
    public java.util.List<UserDto> followers(@PathVariable("identifier") String identifier) {
        User user = userService.findByIdentifier(identifier).orElseThrow();
-    return subscriptionService
+        return subscriptionService.getSubscribers(user.getUsername()).stream()
      .getSubscribers(user.getUsername())
      .stream()
                .map(userMapper::toDto)
                .collect(java.util.stream.Collectors.toList());
    }
    @GetMapping("/admins")
    @Operation(summary = "Admin users", description = "List administrator users")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "Admin users",
-    responseCode = "200",
+            content = @Content(array = @ArraySchema(schema = @Schema(implementation = UserDto.class))))
    description = "Admin users",
    content = @Content(array = @ArraySchema(schema = @Schema(implementation = UserDto.class)))
  )
    public java.util.List<UserDto> admins() {
-    return userService
+        return userService.getAdmins().stream()
      .getAdmins()
      .stream()
                .map(userMapper::toDto)
                .collect(java.util.stream.Collectors.toList());
    }
    @GetMapping("/{identifier}/all")
    @Operation(summary = "User aggregate", description = "Get aggregate information for user")
-  @ApiResponse(
+    @ApiResponse(responseCode = "200", description = "User aggregate",
-    responseCode = "200",
+            content = @Content(schema = @Schema(implementation = UserAggregateDto.class)))
-    description = "User aggregate",
+    public ResponseEntity<UserAggregateDto> userAggregate(@PathVariable("identifier") String identifier,
    content = @Content(schema = @Schema(implementation = UserAggregateDto.class))
  )
  public ResponseEntity<UserAggregateDto> userAggregate(
    @PathVariable("identifier") String identifier,
                                                          @RequestParam(value = "postsLimit", required = false) Integer postsLimit,
                                                          @RequestParam(value = "repliesLimit", required = false) Integer repliesLimit,
-    Authentication auth
+                                                          Authentication auth) {
  ) {
        User user = userService.findByIdentifier(identifier).orElseThrow();
        int pLimit = postsLimit != null ? postsLimit : defaultPostsLimit;
        int rLimit = repliesLimit != null ? repliesLimit : defaultRepliesLimit;
-    java.util.List<PostMetaDto> posts = postService
+        java.util.List<PostMetaDto> posts = postService.getRecentPostsByUser(user.getUsername(), pLimit).stream()
      .getRecentPostsByUser(user.getUsername(), pLimit)
      .stream()
                .map(userMapper::toMetaDto)
                .collect(java.util.stream.Collectors.toList());
-    java.util.List<CommentInfoDto> replies = commentService
+        java.util.List<CommentInfoDto> replies = commentService.getRecentCommentsByUser(user.getUsername(), rLimit).stream()
      .getRecentCommentsByUser(user.getUsername(), rLimit)
      .stream()
                .map(userMapper::toCommentInfoDto)
                .collect(java.util.stream.Collectors.toList());
        UserAggregateDto dto = new UserAggregateDto();
--- a/backend/src/main/java/com/openisle/dto/ActivityDto.java
+++ b/backend/src/main/java/com/openisle/dto/ActivityDto.java
@@ -1,15 +1,15 @@
 package com.openisle.dto;
 import com.openisle.model.ActivityType;
 import java.time.LocalDateTime;
 import lombok.Data;
 import java.time.LocalDateTime;
 /**
 * DTO representing an activity without participant details.
 */
@Data
 public class ActivityDto {
    private Long id;
    private String title;
    private String icon;
--- a/backend/src/main/java/com/openisle/dto/AuthorDto.java
+++ b/backend/src/main/java/com/openisle/dto/AuthorDto.java
@@ -1,16 +1,16 @@
 package com.openisle.dto;
 import com.openisle.model.MedalType;
 import lombok.Data;
 import com.openisle.model.MedalType;
 /**
 * DTO representing a post or comment author.
 */
@Data
 public class AuthorDto {
    private Long id;
    private String username;
    private String avatar;
    private MedalType displayMedal;
 }
--- a/backend/src/main/java/com/openisle/dto/CategoryDto.java
+++ b/backend/src/main/java/com/openisle/dto/CategoryDto.java
@@ -7,7 +7,6 @@ import lombok.Data;
 */
@Data
 public class CategoryDto {
    private Long id;
    private String name;
    private String description;
@@ -15,3 +14,4 @@ public class CategoryDto {
    private String smallIcon;
    private Long count;
 }
--- a/backend/src/main/java/com/openisle/dto/CategoryRequest.java
+++ b/backend/src/main/java/com/openisle/dto/CategoryRequest.java
@@ -5,7 +5,6 @@ import lombok.Data;
 /** Request body for creating or updating a category. */
@Data
 public class CategoryRequest {
    private String name;
    private String description;
    private String icon;
--- a/backend/src/main/java/com/openisle/dto/ChannelDto.java
+++ b/backend/src/main/java/com/openisle/dto/ChannelDto.java
@@ -6,7 +6,6 @@ import lombok.Setter;
@Getter
@Setter
 public class ChannelDto {
    private Long id;
    private String name;
    private String description;
--- a/backend/src/main/java/com/openisle/dto/CommentDto.java
+++ b/backend/src/main/java/com/openisle/dto/CommentDto.java
@@ -1,15 +1,15 @@
 package com.openisle.dto;
 import lombok.Data;
 import java.time.LocalDateTime;
 import java.util.List;
 import lombok.Data;
 /**
 * DTO representing a comment and its nested replies.
 */
@Data
 public class CommentDto {
    private Long id;
    private String content;
    private LocalDateTime createdAt;
@@ -20,3 +20,4 @@ public class CommentDto {
    private int reward;
    private int pointReward;
 }
--- a/backend/src/main/java/com/openisle/dto/CommentInfoDto.java
+++ b/backend/src/main/java/com/openisle/dto/CommentInfoDto.java
@@ -1,12 +1,12 @@
 package com.openisle.dto;
 import java.time.LocalDateTime;
 import lombok.Data;
 import java.time.LocalDateTime;
 /** DTO for comment information in user profiles. */
@Data
 public class CommentInfoDto {
    private Long id;
    private String content;
    private LocalDateTime createdAt;
--- a/backend/src/main/java/com/openisle/dto/CommentMedalDto.java
+++ b/backend/src/main/java/com/openisle/dto/CommentMedalDto.java
@@ -6,7 +6,6 @@ import lombok.EqualsAndHashCode;
@Data
@EqualsAndHashCode(callSuper = true)
 public class CommentMedalDto extends MedalDto {
    private long currentCommentCount;
    private long targetCommentCount;
 }
--- a/backend/src/main/java/com/openisle/dto/CommentRequest.java
+++ b/backend/src/main/java/com/openisle/dto/CommentRequest.java
@@ -5,7 +5,6 @@ import lombok.Data;
 /** Request body for creating or replying to a comment. */
@Data
 public class CommentRequest {
    private String content;
    private String captcha;
 }
--- a/backend/src/main/java/com/openisle/dto/ConfigDto.java
+++ b/backend/src/main/java/com/openisle/dto/ConfigDto.java
@@ -8,7 +8,6 @@ import lombok.Data;
 /** DTO for site configuration. */
@Data
 public class ConfigDto {
    private PublishMode publishMode;
    private PasswordStrength passwordStrength;
    private Integer aiFormatLimit;
--- a/backend/src/main/java/com/openisle/dto/ContributorMedalDto.java
+++ b/backend/src/main/java/com/openisle/dto/ContributorMedalDto.java
@@ -6,7 +6,7 @@ import lombok.EqualsAndHashCode;
@Data
@EqualsAndHashCode(callSuper = true)
 public class ContributorMedalDto extends MedalDto {
    private long currentContributionLines;
    private long targetContributionLines;
 }
--- a/backend/src/main/java/com/openisle/dto/ConversationDetailDto.java
+++ b/backend/src/main/java/com/openisle/dto/ConversationDetailDto.java
@@ -1,12 +1,12 @@
 package com.openisle.dto;
 import java.util.List;
 import lombok.Data;
 import org.springframework.data.domain.Page;
 import java.util.List;
@Data
 public class ConversationDetailDto {
    private Long id;
    private String name;
    private boolean channel;
--- a/backend/src/main/java/com/openisle/dto/ConversationDto.java
+++ b/backend/src/main/java/com/openisle/dto/ConversationDto.java
@@ -1,14 +1,14 @@
 package com.openisle.dto;
 import lombok.Getter;
 import lombok.Setter;
 import java.time.LocalDateTime;
 import java.util.List;
 import lombok.Getter;
 import lombok.Setter;
@Getter
@Setter
 public class ConversationDto {
    private Long id;
    private String name;
    private boolean channel;
--- a/backend/src/main/java/com/openisle/dto/CreateConversationRequest.java
+++ b/backend/src/main/java/com/openisle/dto/CreateConversationRequest.java
@@ -4,6 +4,5 @@ import lombok.Data;
@Data
 public class CreateConversationRequest {
    private Long recipientId;
 }
--- a/backend/src/main/java/com/openisle/dto/CreateConversationResponse.java
+++ b/backend/src/main/java/com/openisle/dto/CreateConversationResponse.java
@@ -8,6 +8,5 @@ import lombok.NoArgsConstructor;
@AllArgsConstructor
@NoArgsConstructor
 public class CreateConversationResponse {
    private Long conversationId;
 }
--- a/backend/src/main/java/com/openisle/dto/DiscordLoginRequest.java
+++ b/backend/src/main/java/com/openisle/dto/DiscordLoginRequest.java
@@ -5,7 +5,6 @@ import lombok.Data;
 /** Request for Discord OAuth login. */
@Data
 public class DiscordLoginRequest {
    private String code;
    private String redirectUri;
    private String inviteToken;
--- a/backend/src/main/java/com/openisle/dto/DraftDto.java
+++ b/backend/src/main/java/com/openisle/dto/DraftDto.java
@@ -1,12 +1,12 @@
 package com.openisle.dto;
 import java.util.List;
 import lombok.Data;
 import java.util.List;
 /** DTO representing a saved draft. */
@Data
 public class DraftDto {
    private Long id;
    private String title;
    private String content;
--- a/backend/src/main/java/com/openisle/dto/DraftRequest.java
+++ b/backend/src/main/java/com/openisle/dto/DraftRequest.java
@@ -1,12 +1,12 @@
 package com.openisle.dto;
 import java.util.List;
 import lombok.Data;
 import java.util.List;
 /** Request body for saving a draft. */
@Data
 public class DraftRequest {
    private String title;
    private String content;
    private Long categoryId;
--- a/backend/src/main/java/com/openisle/dto/FeaturedMedalDto.java
+++ b/backend/src/main/java/com/openisle/dto/FeaturedMedalDto.java
@@ -6,7 +6,7 @@ import lombok.EqualsAndHashCode;
@Data
@EqualsAndHashCode(callSuper = true)
 public class FeaturedMedalDto extends MedalDto {
    private long currentFeaturedCount;
    private long targetFeaturedCount;
 }
--- a/backend/src/main/java/com/openisle/dto/ForgotPasswordRequest.java
+++ b/backend/src/main/java/com/openisle/dto/ForgotPasswordRequest.java
@@ -5,6 +5,5 @@ import lombok.Data;
 /** Request to trigger a forgot password email. */
@Data
 public class ForgotPasswordRequest {
    private String email;
 }
--- a/backend/src/main/java/com/openisle/dto/GithubLoginRequest.java
+++ b/backend/src/main/java/com/openisle/dto/GithubLoginRequest.java
@@ -5,7 +5,6 @@ import lombok.Data;
 /** Request for GitHub OAuth login. */
@Data
 public class GithubLoginRequest {
    private String code;
    private String redirectUri;
    private String inviteToken;
--- a/backend/src/main/java/com/openisle/dto/GoogleLoginRequest.java
+++ b/backend/src/main/java/com/openisle/dto/GoogleLoginRequest.java
@@ -5,7 +5,6 @@ import lombok.Data;
 /** Request for Google OAuth login. */
@Data
 public class GoogleLoginRequest {
    private String idToken;
    private String inviteToken;
 }
--- a/backend/src/main/java/com/openisle/dto/LoginRequest.java
+++ b/backend/src/main/java/com/openisle/dto/LoginRequest.java
@@ -5,7 +5,6 @@ import lombok.Data;
 /** Request to login. */
@Data
 public class LoginRequest {
    private String username;
    private String password;
    private String captcha;
--- a/backend/src/main/java/com/openisle/dto/LotteryDto.java
+++ b/backend/src/main/java/com/openisle/dto/LotteryDto.java
@@ -1,13 +1,12 @@
 package com.openisle.dto;
 import lombok.Data;
 import java.time.LocalDateTime;
 import java.util.List;
 import lombok.Data;
 /** Metadata for lottery posts. */
@Data
 public class LotteryDto {
    private String prizeDescription;
    private String prizeIcon;
    private int prizeCount;
--- a/backend/src/main/java/com/openisle/dto/MakeReasonRequest.java
+++ b/backend/src/main/java/com/openisle/dto/MakeReasonRequest.java
@@ -5,7 +5,6 @@ import lombok.Data;
 /** Request to submit a reason (e.g., for moderation). */
@Data
 public class MakeReasonRequest {
    private String token;
    private String reason;
 }
--- a/backend/src/main/java/com/openisle/dto/MedalDto.java
+++ b/backend/src/main/java/com/openisle/dto/MedalDto.java
@@ -5,7 +5,6 @@ import lombok.Data;
@Data
 public class MedalDto {
    private String icon;
    private String title;
    private String description;
--- a/backend/src/main/java/com/openisle/dto/MedalSelectRequest.java
+++ b/backend/src/main/java/com/openisle/dto/MedalSelectRequest.java
@@ -5,6 +5,5 @@ import lombok.Data;
@Data
 public class MedalSelectRequest {
    private MedalType type;
 }
--- a/backend/src/main/java/com/openisle/dto/MessageDto.java
+++ b/backend/src/main/java/com/openisle/dto/MessageDto.java
@@ -1,12 +1,11 @@
 package com.openisle.dto;
 import lombok.Data;
 import java.time.LocalDateTime;
 import java.util.List;
 import lombok.Data;
@Data
 public class MessageDto {
    private Long id;
    private String content;
    private UserSummaryDto sender;
--- a/backend/src/main/java/com/openisle/dto/MessageNotificationPayload.java
+++ b/backend/src/main/java/com/openisle/dto/MessageNotificationPayload.java
@@ -1,15 +1,15 @@
 package com.openisle.dto;
 import java.io.Serializable;
 import lombok.AllArgsConstructor;
 import lombok.Data;
 import lombok.NoArgsConstructor;
 import java.io.Serializable;
@Data
@NoArgsConstructor
@AllArgsConstructor
 public class MessageNotificationPayload implements Serializable {
    private String targetUsername;
    private Object payload;
 }
--- a/backend/src/main/java/com/openisle/dto/MilkTeaInfoDto.java
+++ b/backend/src/main/java/com/openisle/dto/MilkTeaInfoDto.java
@@ -5,7 +5,6 @@ import lombok.Data;
 /** Info about the milk tea activity. */
@Data
 public class MilkTeaInfoDto {
    private long redeemCount;
    private boolean ended;
 }
--- a/backend/src/main/java/com/openisle/dto/MilkTeaRedeemRequest.java
+++ b/backend/src/main/java/com/openisle/dto/MilkTeaRedeemRequest.java
@@ -5,6 +5,5 @@ import lombok.Data;
 /** Request to redeem the milk tea activity. */
@Data
 public class MilkTeaRedeemRequest {
    private String contact;
 }
--- a/backend/src/main/java/com/openisle/dto/NotificationDto.java
+++ b/backend/src/main/java/com/openisle/dto/NotificationDto.java
@@ -2,13 +2,13 @@ package com.openisle.dto;
 import com.openisle.model.NotificationType;
 import com.openisle.model.ReactionType;
 import java.time.LocalDateTime;
 import lombok.Data;
 import java.time.LocalDateTime;
 /** DTO representing a user notification. */
@Data
 public class NotificationDto {
    private Long id;
    private NotificationType type;
    private PostSummaryDto post;
--- a/backend/src/main/java/com/openisle/dto/NotificationMarkReadRequest.java
+++ b/backend/src/main/java/com/openisle/dto/NotificationMarkReadRequest.java
@@ -1,11 +1,11 @@
 package com.openisle.dto;
 import java.util.List;
 import lombok.Data;
 import java.util.List;
 /** Request to mark notifications as read. */
@Data
 public class NotificationMarkReadRequest {
    private List<Long> ids;
 }
--- a/backend/src/main/java/com/openisle/dto/NotificationPreferenceDto.java
+++ b/backend/src/main/java/com/openisle/dto/NotificationPreferenceDto.java
@@ -6,7 +6,6 @@ import lombok.Data;
 /** User notification preference DTO. */
@Data
 public class NotificationPreferenceDto {
    private NotificationType type;
    private boolean enabled;
 }
--- a/backend/src/main/java/com/openisle/dto/NotificationPreferenceUpdateRequest.java
+++ b/backend/src/main/java/com/openisle/dto/NotificationPreferenceUpdateRequest.java
@@ -6,7 +6,6 @@ import lombok.Data;
 /** Request to update a single notification preference. */
@Data
 public class NotificationPreferenceUpdateRequest {
    private NotificationType type;
    private boolean enabled;
 }
--- a/backend/src/main/java/com/openisle/dto/NotificationUnreadCountDto.java
+++ b/backend/src/main/java/com/openisle/dto/NotificationUnreadCountDto.java
@@ -5,6 +5,5 @@ import lombok.Data;
 /** DTO representing unread notification count. */
@Data
 public class NotificationUnreadCountDto {
    private long count;
 }
--- a/backend/src/main/java/com/openisle/dto/ParentCommentDto.java
+++ b/backend/src/main/java/com/openisle/dto/ParentCommentDto.java
@@ -5,7 +5,6 @@ import lombok.Data;
 /** DTO representing a parent comment. */
@Data
 public class ParentCommentDto {
    private Long id;
    private String author;
    private String content;
--- a/backend/src/main/java/com/openisle/dto/PioneerMedalDto.java
+++ b/backend/src/main/java/com/openisle/dto/PioneerMedalDto.java
@@ -6,6 +6,5 @@ import lombok.EqualsAndHashCode;
@Data
@EqualsAndHashCode(callSuper = true)
 public class PioneerMedalDto extends MedalDto {
    private long rank;
 }
--- a/backend/src/main/java/com/openisle/dto/PointGoodDto.java
+++ b/backend/src/main/java/com/openisle/dto/PointGoodDto.java
@@ -5,7 +5,6 @@ import lombok.Data;
 /** Point mall good info. */
@Data
 public class PointGoodDto {
    private Long id;
    private String name;
    private int cost;
--- a/backend/src/main/java/com/openisle/dto/PointHistoryDto.java
+++ b/backend/src/main/java/com/openisle/dto/PointHistoryDto.java
@@ -1,14 +1,14 @@
 package com.openisle.dto;
 import com.openisle.model.PointHistoryType;
 import java.time.LocalDateTime;
 import lombok.Getter;
 import lombok.Setter;
 import java.time.LocalDateTime;
@Getter
@Setter
 public class PointHistoryDto {
    private Long id;
    private PointHistoryType type;
    private int amount;
--- a/backend/src/main/java/com/openisle/dto/PointRedeemRequest.java
+++ b/backend/src/main/java/com/openisle/dto/PointRedeemRequest.java
@@ -5,7 +5,6 @@ import lombok.Data;
 /** Request to redeem a point mall good. */
@Data
 public class PointRedeemRequest {
    private Long goodId;
    private String contact;
 }
--- a/Show More
+++ b/Show More