fix: viditor样式失效 #586

Merge pull request #617 from CH-122/fix/mobile-invite-ui
2026-02-07 15:41:02 +08:00 · 2025-08-18 11:27:18 +08:00 · 2025-08-18 11:27:13 +08:00 · 2025-08-18 10:55:40 +08:00 · 2025-08-18 10:32:55 +08:00 · 2025-08-18 02:20:59 +08:00
417 changed files with 31868 additions and 21727 deletions
--- a/.github/workflows/deploy-staging.yml
+++ b/.github/workflows/deploy-staging.yml
@@ -0,0 +1,23 @@
+name: Staging CI & CD
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+jobs:
+  build-and-deploy:
+    runs-on: ubuntu-latest
+    environment: Deploy
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Deploy to Server
+        uses: appleboy/ssh-action@v1.0.3
+        with:
+          host: ${{ secrets.SSH_HOST }}
+          username: root
+          key: ${{ secrets.SSH_KEY }}
+          script: bash /opt/openisle/deploy-staging.sh
+
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -1,9 +1,9 @@
 name: CI & CD

 on:
-  push:
-    branches: [main]
  workflow_dispatch:
+  schedule:
+    - cron: "0 19 * * *"   # 每天 UTC 19:00，相当于北京时间凌晨3点

 jobs:
  build-and-deploy:
@@ -11,29 +11,12 @@ jobs:
    environment: Deploy

    steps:
-    - uses: actions/checkout@v4
-
-    # - uses: actions/setup-java@v4
-    #   with:
-    #     java-version: '17'
-    #     distribution: 'temurin'
-
-    # - run: mvn -B clean package -DskipTests
-
-    # - uses: actions/setup-node@v4
-    #   with:
-    #     node-version: '20'
-
-    # - run: |
-    #     cd open-isle-cli
-    #     npm ci
-    #     npm run build
-
-    - name: Deploy to Server
-      uses: appleboy/ssh-action@v1.0.3
-      with:
-        host:   ${{ secrets.SSH_HOST }}
-        username: root
-        key:     ${{ secrets.SSH_KEY }}
-        script:  bash /opt/openisle/deploy.sh
+      - uses: actions/checkout@v4

+      - name: Deploy to Server
+        uses: appleboy/ssh-action@v1.0.3
+        with:
+          host: ${{ secrets.SSH_HOST }}
+          username: root
+          key: ${{ secrets.SSH_KEY }}
+          script: bash /opt/openisle/deploy.sh
--- a/.gitignore
+++ b/.gitignore
@@ -2,4 +2,6 @@
 target
 openisle.iml
 node_modules
-dist
+dist
+open-isle.env
+logs
--- a/.husky/pre-commit
+++ b/.husky/pre-commit
@@ -0,0 +1,4 @@
+#!/usr/bin/env sh
+. "$(dirname -- "$0")/_/husky.sh"
+
+npx lint-staged
--- a/README.md
+++ b/README.md
@@ -10,19 +10,39 @@

 OpenIsle 是一个使用 Spring Boot 和 Vue 3 构建的全栈开源社区平台，提供用户注册、登录、贴文发布、评论交互等完整功能，可用于项目社区或直接打造自主社区站点。

-## 🚀 部署
+## 🚧 开发

 ### 后端
+
 1. 确保安装 JDK 17 及 Maven
 2. 信息配置修改 `src/main/resources/application.properties`，或通过环境变量设置数据库等参数
 3. 执行 `mvn clean package` 生成包，之后使用 `java -jar target/openisle-0.0.1-SNAPSHOT.jar`启动，或在开发时直接使用 `mvn spring-boot:run`

 ### 前端
-1. `cd open-isle-cli`
-2. 执行 `npm install`
-3. `npm run serve`可在本地启动开发服务，产品环境使用 `npm run build`生成 `dist/` 文件，配合线上网站方式部署
+
+1. 进入前端目录
+    ```bash
+    cd frontend_nuxt
+    ```
+2. 安装依赖
+    ```bash
+    npm install
+    ```
+3. 启动开发服务
+    ```bash
+    npm run dev
+    ```
+
+    生产版本使用如下命令编译：
+
+    ```bash
+    npm run build
+    ```
+
+    会在 `.output` 目录生成文件，配合线上网站方式部署

 ## ✨ 项目特点
+
 - JWT 认证以及 Google、GitHub、Discord、Twitter 等多种 OAuth 登录
 - 支持分类、标签的贴文管理以及草稿保存功能
 - 嵌套评论、指定贴文或评论的点赞/抖弹系统
@@ -31,14 +51,18 @@ OpenIsle 是一个使用 Spring Boot 和 Vue 3 构建的全栈开源社区平台
 - 集成 OpenAI 提供的 Markdown 格式化功能
 - 通过环境变量可调整密码强度、登录方式、保护码等多种配置
 - 支持图片上传，默认使用腾讯云 COS 扩展
+- 默认头像使用 DiceBear Avatars，可通过 `AVATAR_STYLE` 和 `AVATAR_SIZE` 环境变量自定义主题和大小
+- 浏览器推送通知，离开网站也能及时收到提醒

 ## 🌟 项目优势
+
 - 全面开源，便于二次开发和自定义扩展
 - Spring Boot + Vue 3 成熟技术栈，学习起点低，社区资源丰富
 - 支持多种登录方式和角色权限，容易展展到不同场景
 - 模块化设计，代码结构清晰，维护成本低
 - REST API 可接入任意前端框架，兼容多端平台
 - 配置简单，通过环境变量快速调整和部署
+- 如需推送通知，请设置 `WEBPUSH_PUBLIC_KEY` 和 `WEBPUSH_PRIVATE_KEY` 环境变量

 ## 🏘️ 社区

@@ -49,6 +73,7 @@ OpenIsle 是一个使用 Spring Boot 和 Vue 3 构建的全栈开源社区平台
 本项目以 MIT License 发布，欢迎自由使用与修改。

 ## 🙏 鼓赞
+
 - [Spring Boot](https://spring.io/projects/spring-boot)
 - [JJWT](https://github.com/jwtk/jjwt)
 - [Lombok](https://github.com/projectlombok/lombok)
--- a/backend/open-isle.env.example
+++ b/backend/open-isle.env.example
@@ -0,0 +1,39 @@
+# === Database ===
+MYSQL_URL=jdbc:mysql://<数据库地址>:<端口>/<数据库名>?useUnicode=yes&characterEncoding=UTF-8&useInformationSchema=true&useSSL=false&serverTimezone=UTC
+MYSQL_USER=<数据库用户名>
+MYSQL_PASSWORD=<数据库密码>
+
+# === JWT ===
+JWT_SECRET=<jwt secret>
+JWT_REASON_SECRET=<jwt reason secret>
+JWT_RESET_SECRET=<jwt reset secret>
+JWT_INVITE_SECRET=<jwt invite secret>
+JWT_EXPIRATION=2592000000
+
+# === Resend ===
+RESEND_API_KEY=<你的resend-api-key>
+
+# === COS ===
+# COS_BASE_URL=https://<你的cos>.cos.ap-guangzhou.myqcloud.com
+COS_BASE_URL=https://<你的cos>.cos.accelerate.myqcloud.com
+COS_SECRET_ID=<你的cos-secret-id>
+COS_SECRET_KEY=<你的cos-secret-key>
+COS_BUCKET_NAME=<你的cos-bucket-name>
+
+# === OAuth ===
+GOOGLE_CLIENT_ID=<你的google-client-id>
+GITHUB_CLIENT_ID=<你的github-client-id>
+GITHUB_CLIENT_SECRET=<你的github-client-secret>
+TWITTER_CLIENT_ID=<你的twitter-client-id>
+TWITTER_CLIENT_SECRET=<你的-twitter-client-secret>
+DISCORD_CLIENT_ID=<你的discord-client-id>
+DISCORD_CLIENT_SECRET=<你的discord-client-secret>
+
+# === OPENAI ===
+OPENAI_API_KEY=<你的openai-api-key>
+
+# === Webpush ===
+WEBPUSH_PUBLIC_KEY=<你的webpush-public-key>
+WEBPUSH_PRIVATE_KEY=<你的webpush-private-key>
+
+# LOG_LEVEL=DEBUG
--- a/backend/pom.xml
+++ b/backend/pom.xml
@@ -90,6 +90,16 @@
      <artifactId>spring-boot-starter-test</artifactId>
      <scope>test</scope>
    </dependency>
+    <dependency>
+      <groupId>nl.martijndwars</groupId>
+      <artifactId>web-push</artifactId>
+      <version>5.1.1</version>
+    </dependency>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcprov-jdk15on</artifactId>
+      <version>1.70</version>
+    </dependency>
  </dependencies>

  <build>
--- a/backend/src/main/java/com/openisle/OpenIsleApplication.java
+++ b/backend/src/main/java/com/openisle/OpenIsleApplication.java
@@ -2,8 +2,10 @@ package com.openisle;

 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.scheduling.annotation.EnableScheduling;

@SpringBootApplication
+@EnableScheduling
 public class OpenIsleApplication {
    public static void main(String[] args) {
        SpringApplication.run(OpenIsleApplication.class, args);
--- a/backend/src/main/java/com/openisle/config/ActivityInitializer.java
+++ b/backend/src/main/java/com/openisle/config/ActivityInitializer.java
@@ -0,0 +1,39 @@
+package com.openisle.config;
+
+import com.openisle.model.Activity;
+import com.openisle.model.ActivityType;
+import com.openisle.repository.ActivityRepository;
+import lombok.RequiredArgsConstructor;
+import org.springframework.boot.CommandLineRunner;
+import org.springframework.stereotype.Component;
+import java.time.LocalDate;
+import java.time.LocalDateTime;
+
+@Component
+@RequiredArgsConstructor
+public class ActivityInitializer implements CommandLineRunner {
+    private final ActivityRepository activityRepository;
+
+    @Override
+    public void run(String... args) {
+        if (activityRepository.findByType(ActivityType.MILK_TEA) == null) {
+            Activity a = new Activity();
+            a.setTitle("🎡建站送奶茶活动");
+            a.setType(ActivityType.MILK_TEA);
+            a.setIcon("https://icons.veryicon.com/png/o/food--drinks/delicious-food-1/coffee-36.png");
+            a.setContent("为了有利于建站推广以及激励发布内容，我们推出了建站送奶茶的活动，前50名达到level 1的用户，可以联系站长获取奶茶/咖啡一杯");
+            activityRepository.save(a);
+        }
+
+        if (activityRepository.findByType(ActivityType.INVITE_POINTS) == null) {
+            Activity a = new Activity();
+            a.setTitle("🎁邀请码送积分活动");
+            a.setType(ActivityType.INVITE_POINTS);
+            a.setIcon("https://img.icons8.com/color/96/gift.png");
+            a.setContent("使用邀请码注册或邀请好友即可获得积分奖励，快来参与吧！");
+            a.setStartTime(LocalDateTime.now());
+            a.setEndTime(LocalDate.of(LocalDate.now().getYear(), 10, 1).atStartOfDay());
+            activityRepository.save(a);
+        }
+    }
+}
--- a/backend/src/main/java/com/openisle/config/AsyncConfig.java
+++ b/backend/src/main/java/com/openisle/config/AsyncConfig.java
@@ -0,0 +1,23 @@
+package com.openisle.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.scheduling.annotation.EnableAsync;
+import org.springframework.scheduling.concurrent.ThreadPoolTaskExecutor;
+
+import java.util.concurrent.Executor;
+
+@Configuration
+@EnableAsync
+public class AsyncConfig {
+    @Bean(name = "notificationExecutor")
+    public Executor notificationExecutor() {
+        ThreadPoolTaskExecutor executor = new ThreadPoolTaskExecutor();
+        executor.setCorePoolSize(2);
+        executor.setMaxPoolSize(10);
+        executor.setQueueCapacity(100);
+        executor.setThreadNamePrefix("notification-");
+        executor.initialize();
+        return executor;
+    }
+}
--- a/backend/src/main/java/com/openisle/config/CustomAccessDeniedHandler.java
+++ b/backend/src/main/java/com/openisle/config/CustomAccessDeniedHandler.java
--- a/backend/src/main/java/com/openisle/config/PointGoodInitializer.java
+++ b/backend/src/main/java/com/openisle/config/PointGoodInitializer.java
@@ -0,0 +1,31 @@
+package com.openisle.config;
+
+import com.openisle.model.PointGood;
+import com.openisle.repository.PointGoodRepository;
+import lombok.RequiredArgsConstructor;
+import org.springframework.boot.CommandLineRunner;
+import org.springframework.stereotype.Component;
+
+/** Initialize default point mall goods. */
+@Component
+@RequiredArgsConstructor
+public class PointGoodInitializer implements CommandLineRunner {
+    private final PointGoodRepository pointGoodRepository;
+
+    @Override
+    public void run(String... args) {
+        if (pointGoodRepository.count() == 0) {
+            PointGood g1 = new PointGood();
+            g1.setName("GPT Plus 1 个月");
+            g1.setCost(20000);
+            g1.setImage("https://openisle-1307107697.cos.ap-guangzhou.myqcloud.com/assert/icons/chatgpt.png");
+            pointGoodRepository.save(g1);
+
+            PointGood g2 = new PointGood();
+            g2.setName("奶茶");
+            g2.setCost(5000);
+            g2.setImage("https://openisle-1307107697.cos.ap-guangzhou.myqcloud.com/assert/icons/coffee.png");
+            pointGoodRepository.save(g2);
+        }
+    }
+}
--- a/backend/src/main/java/com/openisle/config/SchedulerConfig.java
+++ b/backend/src/main/java/com/openisle/config/SchedulerConfig.java
@@ -0,0 +1,20 @@
+package com.openisle.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.scheduling.annotation.EnableScheduling;
+import org.springframework.scheduling.concurrent.ThreadPoolTaskScheduler;
+import org.springframework.scheduling.TaskScheduler;
+
+@Configuration
+@EnableScheduling
+public class SchedulerConfig {
+    @Bean
+    public TaskScheduler taskScheduler() {
+        ThreadPoolTaskScheduler scheduler = new ThreadPoolTaskScheduler();
+        scheduler.setPoolSize(2);
+        scheduler.setThreadNamePrefix("lottery-");
+        scheduler.initialize();
+        return scheduler;
+    }
+}
--- a/backend/src/main/java/com/openisle/config/SecurityConfig.java
+++ b/backend/src/main/java/com/openisle/config/SecurityConfig.java
@@ -74,11 +74,17 @@ public class SecurityConfig {
        CorsConfiguration cfg = new CorsConfiguration();
        cfg.setAllowedOrigins(List.of(
                "http://127.0.0.1:8080",
+                "http://127.0.0.1:3000",
+                "http://127.0.0.1:3001",
                "http://127.0.0.1",
                "http://localhost:8080",
+                "http://localhost:3000",
+                "http://localhost:3001",
                "http://localhost",
-                "http://30.211.97.254:8080",
-                "http://30.211.97.254",
+                "http://30.211.97.238:3000",
+                "http://30.211.97.238",
+                "http://192.168.7.98",
+                "http://192.168.7.98:3000",
                websiteUrl,
                websiteUrl.replace("://www.", "://")
        ));
@@ -108,11 +114,18 @@ public class SecurityConfig {
                    .requestMatchers(HttpMethod.POST,"/api/auth/reason").permitAll()
                    .requestMatchers(HttpMethod.GET, "/api/search/**").permitAll()
                    .requestMatchers(HttpMethod.GET, "/api/users/**").permitAll()
+                    .requestMatchers(HttpMethod.GET, "/api/medals/**").permitAll()
+                    .requestMatchers(HttpMethod.GET, "/api/push/public-key").permitAll()
                    .requestMatchers(HttpMethod.GET, "/api/reaction-types").permitAll()
+                    .requestMatchers(HttpMethod.GET, "/api/activities/**").permitAll()
+                    .requestMatchers(HttpMethod.GET, "/api/sitemap.xml").permitAll()
+                    .requestMatchers(HttpMethod.GET, "/api/point-goods").permitAll()
+                    .requestMatchers(HttpMethod.POST, "/api/point-goods").permitAll()
                    .requestMatchers(HttpMethod.POST, "/api/categories/**").hasAuthority("ADMIN")
                    .requestMatchers(HttpMethod.POST, "/api/tags/**").authenticated()
                    .requestMatchers(HttpMethod.DELETE, "/api/categories/**").hasAuthority("ADMIN")
                    .requestMatchers(HttpMethod.DELETE, "/api/tags/**").hasAuthority("ADMIN")
+                    .requestMatchers(HttpMethod.GET, "/api/stats/**").hasAuthority("ADMIN")
                    .requestMatchers("/api/admin/**").hasAuthority("ADMIN")
                    .anyRequest().authenticated()
            )
@@ -137,8 +150,11 @@ public class SecurityConfig {
                boolean publicGet = "GET".equalsIgnoreCase(request.getMethod()) &&
                        (uri.startsWith("/api/posts") || uri.startsWith("/api/comments") ||
                         uri.startsWith("/api/categories") || uri.startsWith("/api/tags") ||
-                         uri.startsWith("/api/search") || uri.startsWith("/api/users") ||
-                         uri.startsWith("/api/reaction-types") || uri.startsWith("/api/config"));
+                        uri.startsWith("/api/search") || uri.startsWith("/api/users") ||
+                         uri.startsWith("/api/reaction-types") || uri.startsWith("/api/config") ||
+                         uri.startsWith("/api/activities") || uri.startsWith("/api/push/public-key") ||
+                                uri.startsWith("/api/point-goods") ||
+                         uri.startsWith("/api/sitemap.xml") || uri.startsWith("/api/medals"));

                if (authHeader != null && authHeader.startsWith("Bearer ")) {
                    String token = authHeader.substring(7);
--- a/backend/src/main/java/com/openisle/controller/ActivityController.java
+++ b/backend/src/main/java/com/openisle/controller/ActivityController.java
@@ -0,0 +1,57 @@
+package com.openisle.controller;
+
+import com.openisle.dto.ActivityDto;
+import com.openisle.dto.MilkTeaInfoDto;
+import com.openisle.dto.MilkTeaRedeemRequest;
+import com.openisle.mapper.ActivityMapper;
+import com.openisle.model.Activity;
+import com.openisle.model.ActivityType;
+import com.openisle.model.User;
+import com.openisle.service.ActivityService;
+import com.openisle.service.UserService;
+import lombok.RequiredArgsConstructor;
+import org.springframework.security.core.Authentication;
+import org.springframework.web.bind.annotation.*;
+
+import java.util.List;
+import java.util.stream.Collectors;
+
+@RestController
+@RequestMapping("/api/activities")
+@RequiredArgsConstructor
+public class ActivityController {
+    private final ActivityService activityService;
+    private final UserService userService;
+    private final ActivityMapper activityMapper;
+
+    @GetMapping
+    public List<ActivityDto> list() {
+        return activityService.list().stream()
+                .map(activityMapper::toDto)
+                .collect(Collectors.toList());
+    }
+
+    @GetMapping("/milk-tea")
+    public MilkTeaInfoDto milkTea() {
+        Activity a = activityService.getByType(ActivityType.MILK_TEA);
+        long count = activityService.countParticipants(a);
+        if (!a.isEnded() && count >= 50) {
+            activityService.end(a);
+        }
+        MilkTeaInfoDto info = new MilkTeaInfoDto();
+        info.setRedeemCount(count);
+        info.setEnded(a.isEnded());
+        return info;
+    }
+
+    @PostMapping("/milk-tea/redeem")
+    public java.util.Map<String, String> redeemMilkTea(@RequestBody MilkTeaRedeemRequest req, Authentication auth) {
+        User user = userService.findByIdentifier(auth.getName()).orElseThrow();
+        Activity a = activityService.getByType(ActivityType.MILK_TEA);
+        boolean first = activityService.redeem(a, user, req.getContact());
+        if (first) {
+            return java.util.Map.of("message", "redeemed");
+        }
+        return java.util.Map.of("message", "updated");
+    }
+}
--- a/backend/src/main/java/com/openisle/controller/AdminCommentController.java
+++ b/backend/src/main/java/com/openisle/controller/AdminCommentController.java
@@ -0,0 +1,29 @@
+package com.openisle.controller;
+
+import com.openisle.dto.CommentDto;
+import com.openisle.mapper.CommentMapper;
+import com.openisle.service.CommentService;
+import lombok.RequiredArgsConstructor;
+import org.springframework.security.core.Authentication;
+import org.springframework.web.bind.annotation.*;
+
+/**
+ * Endpoints for administrators to manage comments.
+ */
+@RestController
+@RequestMapping("/api/admin/comments")
+@RequiredArgsConstructor
+public class AdminCommentController {
+    private final CommentService commentService;
+    private final CommentMapper commentMapper;
+
+    @PostMapping("/{id}/pin")
+    public CommentDto pin(@PathVariable Long id, Authentication auth) {
+        return commentMapper.toDto(commentService.pinComment(auth.getName(), id));
+    }
+
+    @PostMapping("/{id}/unpin")
+    public CommentDto unpin(@PathVariable Long id, Authentication auth) {
+        return commentMapper.toDto(commentService.unpinComment(auth.getName(), id));
+    }
+}
--- a/backend/src/main/java/com/openisle/controller/AdminConfigController.java
+++ b/backend/src/main/java/com/openisle/controller/AdminConfigController.java
@@ -1,13 +1,10 @@
 package com.openisle.controller;

-import com.openisle.model.PasswordStrength;
-import com.openisle.model.PublishMode;
+import com.openisle.dto.ConfigDto;
+import com.openisle.service.AiUsageService;
 import com.openisle.service.PasswordValidator;
 import com.openisle.service.PostService;
-import com.openisle.service.AiUsageService;
 import com.openisle.service.RegisterModeService;
-import com.openisle.model.RegisterMode;
-import lombok.Data;
 import lombok.RequiredArgsConstructor;
 import org.springframework.web.bind.annotation.*;

@@ -47,11 +44,4 @@ public class AdminConfigController {
        return getConfig();
    }

-    @Data
-    public static class ConfigDto {
-        private PublishMode publishMode;
-        private PasswordStrength passwordStrength;
-        private Integer aiFormatLimit;
-        private RegisterMode registerMode;
-    }
 }
--- a/backend/src/main/java/com/openisle/controller/AdminController.java
+++ b/backend/src/main/java/com/openisle/controller/AdminController.java
--- a/backend/src/main/java/com/openisle/controller/AdminPostController.java
+++ b/backend/src/main/java/com/openisle/controller/AdminPostController.java
@@ -0,0 +1,48 @@
+package com.openisle.controller;
+
+import com.openisle.dto.PostSummaryDto;
+import com.openisle.mapper.PostMapper;
+import com.openisle.service.PostService;
+import lombok.RequiredArgsConstructor;
+import org.springframework.web.bind.annotation.*;
+
+import java.util.List;
+import java.util.stream.Collectors;
+
+/**
+ * Endpoints for administrators to manage posts.
+ */
+@RestController
+@RequestMapping("/api/admin/posts")
+@RequiredArgsConstructor
+public class AdminPostController {
+    private final PostService postService;
+    private final PostMapper postMapper;
+
+    @GetMapping("/pending")
+    public List<PostSummaryDto> pendingPosts() {
+        return postService.listPendingPosts().stream()
+                .map(postMapper::toSummaryDto)
+                .collect(Collectors.toList());
+    }
+
+    @PostMapping("/{id}/approve")
+    public PostSummaryDto approve(@PathVariable Long id) {
+        return postMapper.toSummaryDto(postService.approvePost(id));
+    }
+
+    @PostMapping("/{id}/reject")
+    public PostSummaryDto reject(@PathVariable Long id) {
+        return postMapper.toSummaryDto(postService.rejectPost(id));
+    }
+
+    @PostMapping("/{id}/pin")
+    public PostSummaryDto pin(@PathVariable Long id) {
+        return postMapper.toSummaryDto(postService.pinPost(id));
+    }
+
+    @PostMapping("/{id}/unpin")
+    public PostSummaryDto unpin(@PathVariable Long id) {
+        return postMapper.toSummaryDto(postService.unpinPost(id));
+    }
+}
--- a/backend/src/main/java/com/openisle/controller/AdminTagController.java
+++ b/backend/src/main/java/com/openisle/controller/AdminTagController.java
@@ -1,9 +1,10 @@
 package com.openisle.controller;

+import com.openisle.dto.TagDto;
+import com.openisle.mapper.TagMapper;
 import com.openisle.model.Tag;
-import com.openisle.service.TagService;
 import com.openisle.service.PostService;
-import lombok.Data;
+import com.openisle.service.TagService;
 import lombok.RequiredArgsConstructor;
 import org.springframework.web.bind.annotation.*;

@@ -16,11 +17,12 @@ import java.util.stream.Collectors;
 public class AdminTagController {
    private final TagService tagService;
    private final PostService postService;
+    private final TagMapper tagMapper;

    @GetMapping("/pending")
    public List<TagDto> pendingTags() {
        return tagService.listPendingTags().stream()
-                .map(t -> toDto(t, postService.countPostsByTag(t.getId())))
+                .map(t -> tagMapper.toDto(t, postService.countPostsByTag(t.getId())))
                .collect(Collectors.toList());
    }

@@ -28,27 +30,6 @@ public class AdminTagController {
    public TagDto approve(@PathVariable Long id) {
        Tag tag = tagService.approveTag(id);
        long count = postService.countPostsByTag(tag.getId());
-        return toDto(tag, count);
-    }
-
-    private TagDto toDto(Tag tag, long count) {
-        TagDto dto = new TagDto();
-        dto.setId(tag.getId());
-        dto.setName(tag.getName());
-        dto.setDescription(tag.getDescription());
-        dto.setIcon(tag.getIcon());
-        dto.setSmallIcon(tag.getSmallIcon());
-        dto.setCount(count);
-        return dto;
-    }
-
-    @Data
-    private static class TagDto {
-        private Long id;
-        private String name;
-        private String description;
-        private String icon;
-        private String smallIcon;
-        private Long count;
+        return tagMapper.toDto(tag, count);
    }
 }
--- a/backend/src/main/java/com/openisle/controller/AdminUserController.java
+++ b/backend/src/main/java/com/openisle/controller/AdminUserController.java
@@ -1,7 +1,10 @@
 package com.openisle.controller;

+import com.openisle.model.Notification;
+import com.openisle.model.NotificationType;
 import com.openisle.model.User;
 import com.openisle.service.EmailSender;
+import com.openisle.repository.NotificationRepository;
 import com.openisle.repository.UserRepository;
 import lombok.RequiredArgsConstructor;
 import org.springframework.beans.factory.annotation.Value;
@@ -13,6 +16,7 @@ import org.springframework.web.bind.annotation.*;
@RequiredArgsConstructor
 public class AdminUserController {
    private final UserRepository userRepository;
+    private final NotificationRepository notificationRepository;
    private final EmailSender emailSender;
    @Value("${app.website-url}")
    private String websiteUrl;
@@ -22,8 +26,9 @@ public class AdminUserController {
        User user = userRepository.findById(id).orElseThrow();
        user.setApproved(true);
        userRepository.save(user);
-        emailSender.sendEmail(user.getEmail(), "Registration Approved",
-                "Your account has been approved. Visit: " + websiteUrl);
+        markRegisterRequestNotificationsRead(user);
+        emailSender.sendEmail(user.getEmail(), "您的注册已审核通过",
+                "🎉您的注册已经审核通过, 点击以访问网站: " + websiteUrl);
        return ResponseEntity.ok().build();
    }

@@ -32,8 +37,18 @@ public class AdminUserController {
        User user = userRepository.findById(id).orElseThrow();
        user.setApproved(false);
        userRepository.save(user);
-        emailSender.sendEmail(user.getEmail(), "Registration Rejected",
-                "Your account request was rejected. Visit: " + websiteUrl);
+        markRegisterRequestNotificationsRead(user);
+        emailSender.sendEmail(user.getEmail(), "您的注册已被管理员拒绝",
+                "您的注册被管理员拒绝, 点击链接可以重新填写理由申请: " + websiteUrl);
        return ResponseEntity.ok().build();
    }
+
+    private void markRegisterRequestNotificationsRead(User applicant) {
+        java.util.List<Notification> notifs =
+                notificationRepository.findByTypeAndFromUser(NotificationType.REGISTER_REQUEST, applicant);
+        for (Notification n : notifs) {
+            n.setRead(true);
+        }
+        notificationRepository.saveAll(notifs);
+    }
 }
--- a/backend/src/main/java/com/openisle/controller/AiController.java
+++ b/backend/src/main/java/com/openisle/controller/AiController.java
--- a/backend/src/main/java/com/openisle/controller/AuthController.java
+++ b/backend/src/main/java/com/openisle/controller/AuthController.java
@@ -1,24 +1,16 @@
 package com.openisle.controller;

-import com.openisle.model.User;
-import com.openisle.service.EmailSender;
-import com.openisle.service.JwtService;
-import com.openisle.service.UserService;
-import com.openisle.service.CaptchaService;
-import com.openisle.service.GoogleAuthService;
-import com.openisle.service.GithubAuthService;
-import com.openisle.service.DiscordAuthService;
-import com.openisle.service.TwitterAuthService;
-import com.openisle.service.RegisterModeService;
-import com.openisle.service.NotificationService;
+import com.openisle.dto.*;
+import com.openisle.exception.FieldException;
 import com.openisle.model.RegisterMode;
+import com.openisle.model.User;
 import com.openisle.repository.UserRepository;
-import lombok.Data;
+import com.openisle.service.*;
 import lombok.RequiredArgsConstructor;
-import org.springframework.http.ResponseEntity;
-import org.springframework.security.core.Authentication;
-import org.springframework.web.bind.annotation.*;
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.*;
+
 import java.util.Map;
 import java.util.Optional;

@@ -37,6 +29,8 @@ public class AuthController {
    private final RegisterModeService registerModeService;
    private final NotificationService notificationService;
    private final UserRepository userRepository;
+    private final InviteService inviteService;
+

    @Value("${app.captcha.enabled:false}")
    private boolean captchaEnabled;
@@ -52,9 +46,29 @@ public class AuthController {
        if (captchaEnabled && registerCaptchaEnabled && !captchaService.verify(req.getCaptcha())) {
            return ResponseEntity.badRequest().body(Map.of("error", "Invalid captcha"));
        }
+        if (req.getInviteToken() != null && !req.getInviteToken().isEmpty()) {
+            if (!inviteService.validate(req.getInviteToken())) {
+                return ResponseEntity.badRequest().body(Map.of("error", "邀请码使用次数过多"));
+            }
+            try {
+                User user = userService.registerWithInvite(
+                        req.getUsername(), req.getEmail(), req.getPassword());
+                inviteService.consume(req.getInviteToken());
+                emailService.sendEmail(user.getEmail(), "在网站填写验证码以验证", "您的验证码是 " + user.getVerificationCode());
+                return ResponseEntity.ok(Map.of(
+                        "token", jwtService.generateToken(user.getUsername()),
+                        "reason_code", "INVITE_APPROVED"
+                ));
+            } catch (FieldException e) {
+                return ResponseEntity.badRequest().body(Map.of(
+                        "field", e.getField(),
+                        "error", e.getMessage()
+                ));
+            }
+        }
        User user = userService.register(
                req.getUsername(), req.getEmail(), req.getPassword(), "", registerModeService.getRegisterMode());
-        emailService.sendEmail(user.getEmail(), "Verification Code", "Your verification code is " + user.getVerificationCode());
+        emailService.sendEmail(user.getEmail(), "在网站填写验证码以验证", "您的验证码是 " + user.getVerificationCode());
        if (!user.isApproved()) {
            notificationService.createRegisterRequestNotifications(user, user.getRegisterReason());
        }
@@ -65,10 +79,26 @@ public class AuthController {
    public ResponseEntity<?> verify(@RequestBody VerifyRequest req) {
        boolean ok = userService.verifyCode(req.getUsername(), req.getCode());
        if (ok) {
-            return ResponseEntity.ok(Map.of(
-                    "message", "Verified",
-                    "token", jwtService.generateReasonToken(req.getUsername())
-            ));
+            Optional<User> userOpt = userService.findByUsername(req.getUsername());
+            if (userOpt.isEmpty()) {
+                return ResponseEntity.badRequest().body(Map.of("error", "Invalid credentials"));
+            }
+
+            User user = userOpt.get();
+
+            if (user.isApproved()) {
+                return ResponseEntity.ok(Map.of(
+                        "message", "Verified and isApproved",
+                        "reason_code", "VERIFIED_AND_APPROVED",
+                        "token", jwtService.generateToken(req.getUsername())
+                ));
+            } else {
+                return ResponseEntity.ok(Map.of(
+                        "message", "Verified",
+                        "reason_code", "VERIFIED",
+                        "token", jwtService.generateReasonToken(req.getUsername())
+                ));
+            }
        }
        return ResponseEntity.badRequest().body(Map.of("error", "Invalid verification code"));
    }
@@ -90,7 +120,7 @@ public class AuthController {
        User user = userOpt.get();
        if (!user.isVerified()) {
            user = userService.register(user.getUsername(), user.getEmail(), user.getPassword(), user.getRegisterReason(), registerModeService.getRegisterMode());
-            emailService.sendEmail(user.getEmail(), "Verification Code", "Your verification code is " + user.getVerificationCode());
+            emailService.sendEmail(user.getEmail(), "在网站填写验证码以验证", "您的验证码是 " + user.getVerificationCode());
            return ResponseEntity.badRequest().body(Map.of(
                    "error", "User not verified",
                    "reason_code", "NOT_VERIFIED",
@@ -113,27 +143,42 @@ public class AuthController {

    @PostMapping("/google")
    public ResponseEntity<?> loginWithGoogle(@RequestBody GoogleLoginRequest req) {
-        Optional<User> user = googleAuthService.authenticate(req.getIdToken(), registerModeService.getRegisterMode());
-        if (user.isPresent()) {
-            if (RegisterMode.DIRECT.equals(registerModeService.getRegisterMode())) {
-                return ResponseEntity.ok(Map.of("token", jwtService.generateToken(user.get().getUsername())));
+        boolean viaInvite = req.getInviteToken() != null && !req.getInviteToken().isEmpty();
+        if (viaInvite && !inviteService.validate(req.getInviteToken())) {
+            return ResponseEntity.badRequest().body(Map.of("error", "Invalid invite token"));
+        }
+        Optional<AuthResult> resultOpt = googleAuthService.authenticate(
+                req.getIdToken(),
+                registerModeService.getRegisterMode(),
+                viaInvite);
+        if (resultOpt.isPresent()) {
+            AuthResult result = resultOpt.get();
+            if (viaInvite && result.isNewUser()) {
+                inviteService.consume(req.getInviteToken());
+                return ResponseEntity.ok(Map.of(
+                        "token", jwtService.generateToken(result.getUser().getUsername()),
+                        "reason_code", "INVITE_APPROVED"
+                ));
            }
-            if (!user.get().isApproved()) {
-                if (user.get().getRegisterReason() != null && !user.get().getRegisterReason().isEmpty()) {
+            if (RegisterMode.DIRECT.equals(registerModeService.getRegisterMode())) {
+                return ResponseEntity.ok(Map.of("token", jwtService.generateToken(result.getUser().getUsername())));
+            }
+            if (!result.getUser().isApproved()) {
+                if (result.getUser().getRegisterReason() != null && !result.getUser().getRegisterReason().isEmpty()) {
                    return ResponseEntity.badRequest().body(Map.of(
                            "error", "Account awaiting approval",
                            "reason_code", "IS_APPROVING",
-                            "token", jwtService.generateReasonToken(user.get().getUsername())
+                            "token", jwtService.generateReasonToken(result.getUser().getUsername())
                    ));
                }
                return ResponseEntity.badRequest().body(Map.of(
                        "error", "Account awaiting approval",
                        "reason_code", "NOT_APPROVED",
-                        "token", jwtService.generateReasonToken(user.get().getUsername())
+                        "token", jwtService.generateReasonToken(result.getUser().getUsername())
                ));
            }

-            return ResponseEntity.ok(Map.of("token", jwtService.generateToken(user.get().getUsername())));
+            return ResponseEntity.ok(Map.of("token", jwtService.generateToken(result.getUser().getUsername())));
        }
        return ResponseEntity.badRequest().body(Map.of(
                "error", "Invalid google token",
@@ -153,8 +198,8 @@ public class AuthController {
            ));
        }

-        if (req.reason == null || req.reason.length() <= 20) {
-            return ResponseEntity.badRequest().body(Map.of(
+        if (req.getReason() == null || req.getReason().trim().length() <= 20) {
+             return ResponseEntity.badRequest().body(Map.of(
                    "error", "Reason's length must longer than 20",
                    "reason_code", "INVALID_CREDENTIALS"
            ));
@@ -172,28 +217,44 @@ public class AuthController {

    @PostMapping("/github")
    public ResponseEntity<?> loginWithGithub(@RequestBody GithubLoginRequest req) {
-        Optional<User> user = githubAuthService.authenticate(req.getCode(), registerModeService.getRegisterMode(), req.getRedirectUri());
-        if (user.isPresent()) {
-            if (RegisterMode.DIRECT.equals(registerModeService.getRegisterMode())) {
-                return ResponseEntity.ok(Map.of("token", jwtService.generateToken(user.get().getUsername())));
+        boolean viaInvite = req.getInviteToken() != null && !req.getInviteToken().isEmpty();
+        if (viaInvite && !inviteService.validate(req.getInviteToken())) {
+            return ResponseEntity.badRequest().body(Map.of("error", "Invalid invite token"));
+        }
+        Optional<AuthResult> resultOpt = githubAuthService.authenticate(
+                req.getCode(),
+                registerModeService.getRegisterMode(),
+                req.getRedirectUri(),
+                viaInvite);
+        if (resultOpt.isPresent()) {
+            AuthResult result = resultOpt.get();
+            if (viaInvite && result.isNewUser()) {
+                inviteService.consume(req.getInviteToken());
+                return ResponseEntity.ok(Map.of(
+                        "token", jwtService.generateToken(result.getUser().getUsername()),
+                        "reason_code", "INVITE_APPROVED"
+                ));
            }
-            if (!user.get().isApproved()) {
-                if (user.get().getRegisterReason() != null && !user.get().getRegisterReason().isEmpty()) {
+            if (RegisterMode.DIRECT.equals(registerModeService.getRegisterMode())) {
+                return ResponseEntity.ok(Map.of("token", jwtService.generateToken(result.getUser().getUsername())));
+            }
+            if (!result.getUser().isApproved()) {
+                if (result.getUser().getRegisterReason() != null && !result.getUser().getRegisterReason().isEmpty()) {
                    // 已填写注册理由
                    return ResponseEntity.badRequest().body(Map.of(
                            "error", "Account awaiting approval",
                            "reason_code", "IS_APPROVING",
-                            "token", jwtService.generateReasonToken(user.get().getUsername())
+                            "token", jwtService.generateReasonToken(result.getUser().getUsername())
                    ));
                }
                return ResponseEntity.badRequest().body(Map.of(
                        "error", "Account awaiting approval",
                        "reason_code", "NOT_APPROVED",
-                        "token", jwtService.generateReasonToken(user.get().getUsername())
+                        "token", jwtService.generateReasonToken(result.getUser().getUsername())
                ));
            }

-            return ResponseEntity.ok(Map.of("token", jwtService.generateToken(user.get().getUsername())));
+            return ResponseEntity.ok(Map.of("token", jwtService.generateToken(result.getUser().getUsername())));
        }
        return ResponseEntity.badRequest().body(Map.of(
                "error", "Invalid github code",
@@ -203,27 +264,43 @@ public class AuthController {

    @PostMapping("/discord")
    public ResponseEntity<?> loginWithDiscord(@RequestBody DiscordLoginRequest req) {
-        Optional<User> user = discordAuthService.authenticate(req.getCode(), registerModeService.getRegisterMode(), req.getRedirectUri());
-        if (user.isPresent()) {
-            if (RegisterMode.DIRECT.equals(registerModeService.getRegisterMode())) {
-                return ResponseEntity.ok(Map.of("token", jwtService.generateToken(user.get().getUsername())));
+        boolean viaInvite = req.getInviteToken() != null && !req.getInviteToken().isEmpty();
+        if (viaInvite && !inviteService.validate(req.getInviteToken())) {
+            return ResponseEntity.badRequest().body(Map.of("error", "Invalid invite token"));
+        }
+        Optional<AuthResult> resultOpt = discordAuthService.authenticate(
+                req.getCode(),
+                registerModeService.getRegisterMode(),
+                req.getRedirectUri(),
+                viaInvite);
+        if (resultOpt.isPresent()) {
+            AuthResult result = resultOpt.get();
+            if (viaInvite && result.isNewUser()) {
+                inviteService.consume(req.getInviteToken());
+                return ResponseEntity.ok(Map.of(
+                        "token", jwtService.generateToken(result.getUser().getUsername()),
+                        "reason_code", "INVITE_APPROVED"
+                ));
            }
-            if (!user.get().isApproved()) {
-                if (user.get().getRegisterReason() != null && !user.get().getRegisterReason().isEmpty()) {
+            if (RegisterMode.DIRECT.equals(registerModeService.getRegisterMode())) {
+                return ResponseEntity.ok(Map.of("token", jwtService.generateToken(result.getUser().getUsername())));
+            }
+            if (!result.getUser().isApproved()) {
+                if (result.getUser().getRegisterReason() != null && !result.getUser().getRegisterReason().isEmpty()) {
                    return ResponseEntity.badRequest().body(Map.of(
                            "error", "Account awaiting approval",
                            "reason_code", "IS_APPROVING",
-                            "token", jwtService.generateReasonToken(user.get().getUsername())
+                            "token", jwtService.generateReasonToken(result.getUser().getUsername())
                    ));
                }
                return ResponseEntity.badRequest().body(Map.of(
                        "error", "Account awaiting approval",
                        "reason_code", "NOT_APPROVED",
-                        "token", jwtService.generateReasonToken(user.get().getUsername())
+                        "token", jwtService.generateReasonToken(result.getUser().getUsername())
                ));
            }

-            return ResponseEntity.ok(Map.of("token", jwtService.generateToken(user.get().getUsername())));
+            return ResponseEntity.ok(Map.of("token", jwtService.generateToken(result.getUser().getUsername())));
        }
        return ResponseEntity.badRequest().body(Map.of(
                "error", "Invalid discord code",
@@ -233,31 +310,44 @@ public class AuthController {
      
    @PostMapping("/twitter")
    public ResponseEntity<?> loginWithTwitter(@RequestBody TwitterLoginRequest req) {
-        Optional<User> user = twitterAuthService.authenticate(
+        boolean viaInvite = req.getInviteToken() != null && !req.getInviteToken().isEmpty();
+        if (viaInvite && !inviteService.validate(req.getInviteToken())) {
+            return ResponseEntity.badRequest().body(Map.of("error", "Invalid invite token"));
+        }
+        Optional<AuthResult> resultOpt = twitterAuthService.authenticate(
                req.getCode(),
                req.getCodeVerifier(),
                registerModeService.getRegisterMode(),
-                req.getRedirectUri());
-        if (user.isPresent()) {
-            if (RegisterMode.DIRECT.equals(registerModeService.getRegisterMode())) {
-                return ResponseEntity.ok(Map.of("token", jwtService.generateToken(user.get().getUsername())));
+                req.getRedirectUri(),
+                viaInvite);
+        if (resultOpt.isPresent()) {
+            AuthResult result = resultOpt.get();
+            if (viaInvite && result.isNewUser()) {
+                inviteService.consume(req.getInviteToken());
+                return ResponseEntity.ok(Map.of(
+                        "token", jwtService.generateToken(result.getUser().getUsername()),
+                        "reason_code", "INVITE_APPROVED"
+                ));
            }
-            if (!user.get().isApproved()) {
-                if (user.get().getRegisterReason() != null && !user.get().getRegisterReason().isEmpty()) {
+            if (RegisterMode.DIRECT.equals(registerModeService.getRegisterMode())) {
+                return ResponseEntity.ok(Map.of("token", jwtService.generateToken(result.getUser().getUsername())));
+            }
+            if (!result.getUser().isApproved()) {
+                if (result.getUser().getRegisterReason() != null && !result.getUser().getRegisterReason().isEmpty()) {
                    return ResponseEntity.badRequest().body(Map.of(
                            "error", "Account awaiting approval",
                            "reason_code", "IS_APPROVING",
-                            "token", jwtService.generateReasonToken(user.get().getUsername())
+                            "token", jwtService.generateReasonToken(result.getUser().getUsername())
                    ));
                }
                return ResponseEntity.badRequest().body(Map.of(
                        "error", "Account awaiting approval",
                        "reason_code", "NOT_APPROVED",
-                        "token", jwtService.generateReasonToken(user.get().getUsername())
+                        "token", jwtService.generateReasonToken(result.getUser().getUsername())
                ));
            }

-            return ResponseEntity.ok(Map.of("token", jwtService.generateToken(user.get().getUsername())));
+            return ResponseEntity.ok(Map.of("token", jwtService.generateToken(result.getUser().getUsername())));
        }
        return ResponseEntity.badRequest().body(Map.of(
                "error", "Invalid twitter code",
@@ -270,54 +360,40 @@ public class AuthController {
        return ResponseEntity.ok(Map.of("valid", true));
    }

-    @Data
-    private static class RegisterRequest {
-        private String username;
-        private String email;
-        private String password;
-        private String captcha;
+    @PostMapping("/forgot/send")
+    public ResponseEntity<?> sendReset(@RequestBody ForgotPasswordRequest req) {
+        Optional<User> userOpt = userService.findByEmail(req.getEmail());
+        if (userOpt.isEmpty()) {
+            return ResponseEntity.badRequest().body(Map.of("error", "User not found"));
+        }
+        String code = userService.generatePasswordResetCode(req.getEmail());
+        emailService.sendEmail(req.getEmail(), "请填写验证码以重置密码", "您的验证码是" + code);
+        return ResponseEntity.ok(Map.of("message", "Verification code sent"));
    }

-    @Data
-    private static class LoginRequest {
-        private String username;
-        private String password;
-        private String captcha;
+    @PostMapping("/forgot/verify")
+    public ResponseEntity<?> verifyReset(@RequestBody VerifyForgotRequest req) {
+        boolean ok = userService.verifyPasswordResetCode(req.getEmail(), req.getCode());
+        if (ok) {
+            String username = userService.findByEmail(req.getEmail()).get().getUsername();
+            return ResponseEntity.ok(Map.of("token", jwtService.generateResetToken(username)));
+        }
+        return ResponseEntity.badRequest().body(Map.of("error", "Invalid verification code"));
    }

-    @Data
-    private static class GoogleLoginRequest {
-        private String idToken;
+    @PostMapping("/forgot/reset")
+    public ResponseEntity<?> resetPassword(@RequestBody ResetPasswordRequest req) {
+        String username = jwtService.validateAndGetSubjectForReset(req.getToken());
+        try {
+            userService.updatePassword(username, req.getPassword());
+            return ResponseEntity.ok(Map.of("message", "Password updated"));
+        } catch (FieldException e) {
+            return ResponseEntity.badRequest().body(Map.of(
+                    "field", e.getField(),
+                    "error", e.getMessage()
+            ));
+        }
    }

-    @Data
-    private static class GithubLoginRequest {
-        private String code;
-        private String redirectUri;
-    }
-
-    @Data
-    private static class DiscordLoginRequest {
-        private String code;
-        private String redirectUri;
-    }
-  
-    @Data
-    private static class TwitterLoginRequest {
-        private String code;
-        private String redirectUri;
-        private String codeVerifier;
-    }
-
-    @Data
-    private static class VerifyRequest {
-        private String username;
-        private String code;
-    }
-
-    @Data
-    private static class MakeReasonRequest {
-        private String token;
-        private String reason;
-    }
+    // DTO classes moved to com.openisle.dto package
 }
--- a/backend/src/main/java/com/openisle/controller/CategoryController.java
+++ b/backend/src/main/java/com/openisle/controller/CategoryController.java
@@ -1,13 +1,18 @@
 package com.openisle.controller;

+import com.openisle.dto.CategoryDto;
+import com.openisle.dto.CategoryRequest;
+import com.openisle.dto.PostSummaryDto;
+import com.openisle.mapper.CategoryMapper;
+import com.openisle.mapper.PostMapper;
 import com.openisle.model.Category;
 import com.openisle.service.CategoryService;
 import com.openisle.service.PostService;
-import lombok.Data;
 import lombok.RequiredArgsConstructor;
 import org.springframework.web.bind.annotation.*;

 import java.util.List;
+import java.util.Map;
 import java.util.stream.Collectors;

@RestController
@@ -16,19 +21,21 @@ import java.util.stream.Collectors;
 public class CategoryController {
    private final CategoryService categoryService;
    private final PostService postService;
+    private final PostMapper postMapper;
+    private final CategoryMapper categoryMapper;

    @PostMapping
    public CategoryDto create(@RequestBody CategoryRequest req) {
        Category c = categoryService.createCategory(req.getName(), req.getDescription(), req.getIcon(), req.getSmallIcon());
        long count = postService.countPostsByCategory(c.getId());
-        return toDto(c, count);
+        return categoryMapper.toDto(c, count);
    }

    @PutMapping("/{id}")
    public CategoryDto update(@PathVariable Long id, @RequestBody CategoryRequest req) {
        Category c = categoryService.updateCategory(id, req.getName(), req.getDescription(), req.getIcon(), req.getSmallIcon());
        long count = postService.countPostsByCategory(c.getId());
-        return toDto(c, count);
+        return categoryMapper.toDto(c, count);
    }

    @DeleteMapping("/{id}")
@@ -38,8 +45,11 @@ public class CategoryController {

    @GetMapping
    public List<CategoryDto> list() {
-        return categoryService.listCategories().stream()
-                .map(c -> toDto(c, postService.countPostsByCategory(c.getId())))
+        List<Category> all = categoryService.listCategories();
+        List<Long> ids = all.stream().map(Category::getId).toList();
+        Map<Long, Long> postsCntByCategoryIds = postService.countPostsByCategoryIds(ids);
+        return all.stream()
+                .map(c -> categoryMapper.toDto(c, postsCntByCategoryIds.getOrDefault(c.getId(), 0L)))
                .sorted((a, b) -> Long.compare(b.getCount(), a.getCount()))
                .collect(Collectors.toList());
    }
@@ -48,7 +58,7 @@ public class CategoryController {
    public CategoryDto get(@PathVariable Long id) {
        Category c = categoryService.getCategory(id);
        long count = postService.countPostsByCategory(c.getId());
-        return toDto(c, count);
+        return categoryMapper.toDto(c, count);
    }

    @GetMapping("/{id}/posts")
@@ -57,47 +67,7 @@ public class CategoryController {
                                                    @RequestParam(value = "pageSize", required = false) Integer pageSize) {
        return postService.listPostsByCategories(java.util.List.of(id), page, pageSize)
                .stream()
-                .map(p -> {
-                    PostSummaryDto dto = new PostSummaryDto();
-                    dto.setId(p.getId());
-                    dto.setTitle(p.getTitle());
-                    return dto;
-                })
+                .map(postMapper::toSummaryDto)
                .collect(Collectors.toList());
    }
-
-    private CategoryDto toDto(Category c, long count) {
-        CategoryDto dto = new CategoryDto();
-        dto.setId(c.getId());
-        dto.setName(c.getName());
-        dto.setIcon(c.getIcon());
-        dto.setSmallIcon(c.getSmallIcon());
-        dto.setDescription(c.getDescription());
-        dto.setCount(count);
-        return dto;
-    }
-
-    @Data
-    private static class CategoryRequest {
-        private String name;
-        private String description;
-        private String icon;
-        private String smallIcon;
-    }
-
-    @Data
-    private static class CategoryDto {
-        private Long id;
-        private String name;
-        private String description;
-        private String icon;
-        private String smallIcon;
-        private Long count;
-    }
-
-    @Data
-    private static class PostSummaryDto {
-        private Long id;
-        private String title;
-    }
 }
--- a/backend/src/main/java/com/openisle/controller/CommentController.java
+++ b/backend/src/main/java/com/openisle/controller/CommentController.java
@@ -0,0 +1,100 @@
+package com.openisle.controller;
+
+import com.openisle.model.Comment;
+import com.openisle.dto.CommentDto;
+import com.openisle.dto.CommentRequest;
+import com.openisle.mapper.CommentMapper;
+import com.openisle.service.CaptchaService;
+import com.openisle.service.CommentService;
+import com.openisle.service.LevelService;
+import com.openisle.service.PointService;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.Authentication;
+import org.springframework.web.bind.annotation.*;
+
+import java.util.List;
+import java.util.stream.Collectors;
+
+@RestController
+@RequestMapping("/api")
+@RequiredArgsConstructor
+@Slf4j
+public class CommentController {
+    private final CommentService commentService;
+    private final LevelService levelService;
+    private final CaptchaService captchaService;
+    private final CommentMapper commentMapper;
+    private final PointService pointService;
+
+    @Value("${app.captcha.enabled:false}")
+    private boolean captchaEnabled;
+
+    @Value("${app.captcha.comment-enabled:false}")
+    private boolean commentCaptchaEnabled;
+
+    @PostMapping("/posts/{postId}/comments")
+    public ResponseEntity<CommentDto> createComment(@PathVariable Long postId,
+                                                    @RequestBody CommentRequest req,
+                                                    Authentication auth) {
+        log.debug("createComment called by user {} for post {}", auth.getName(), postId);
+        if (captchaEnabled && commentCaptchaEnabled && !captchaService.verify(req.getCaptcha())) {
+            log.debug("Captcha verification failed for user {} on post {}", auth.getName(), postId);
+            return ResponseEntity.badRequest().build();
+        }
+        Comment comment = commentService.addComment(auth.getName(), postId, req.getContent());
+        CommentDto dto = commentMapper.toDto(comment);
+        dto.setReward(levelService.awardForComment(auth.getName()));
+        dto.setPointReward(pointService.awardForComment(auth.getName(),postId));
+        log.debug("createComment succeeded for comment {}", comment.getId());
+        return ResponseEntity.ok(dto);
+    }
+
+    @PostMapping("/comments/{commentId}/replies")
+    public ResponseEntity<CommentDto> replyComment(@PathVariable Long commentId,
+                                                   @RequestBody CommentRequest req,
+                                                   Authentication auth) {
+        log.debug("replyComment called by user {} for comment {}", auth.getName(), commentId);
+        if (captchaEnabled && commentCaptchaEnabled && !captchaService.verify(req.getCaptcha())) {
+            log.debug("Captcha verification failed for user {} on comment {}", auth.getName(), commentId);
+            return ResponseEntity.badRequest().build();
+        }
+        Comment comment = commentService.addReply(auth.getName(), commentId, req.getContent());
+        CommentDto dto = commentMapper.toDto(comment);
+        dto.setReward(levelService.awardForComment(auth.getName()));
+        log.debug("replyComment succeeded for comment {}", comment.getId());
+        return ResponseEntity.ok(dto);
+    }
+
+    @GetMapping("/posts/{postId}/comments")
+    public List<CommentDto> listComments(@PathVariable Long postId,
+                                         @RequestParam(value = "sort", required = false, defaultValue = "OLDEST") com.openisle.model.CommentSort sort) {
+        log.debug("listComments called for post {} with sort {}", postId, sort);
+        List<CommentDto> list = commentService.getCommentsForPost(postId, sort).stream()
+                .map(commentMapper::toDtoWithReplies)
+                .collect(Collectors.toList());
+        log.debug("listComments returning {} comments", list.size());
+        return list;
+    }
+
+    @DeleteMapping("/comments/{id}")
+    public void deleteComment(@PathVariable Long id, Authentication auth) {
+        log.debug("deleteComment called by user {} for comment {}", auth.getName(), id);
+        commentService.deleteComment(auth.getName(), id);
+        log.debug("deleteComment completed for comment {}", id);
+    }
+
+    @PostMapping("/comments/{id}/pin")
+    public CommentDto pinComment(@PathVariable Long id, Authentication auth) {
+        log.debug("pinComment called by user {} for comment {}", auth.getName(), id);
+        return commentMapper.toDto(commentService.pinComment(auth.getName(), id));
+    }
+
+    @PostMapping("/comments/{id}/unpin")
+    public CommentDto unpinComment(@PathVariable Long id, Authentication auth) {
+        log.debug("unpinComment called by user {} for comment {}", auth.getName(), id);
+        return commentMapper.toDto(commentService.unpinComment(auth.getName(), id));
+    }
+}
--- a/backend/src/main/java/com/openisle/controller/ConfigController.java
+++ b/backend/src/main/java/com/openisle/controller/ConfigController.java
@@ -1,9 +1,8 @@
 package com.openisle.controller;

-import lombok.Data;
-import org.springframework.beans.factory.annotation.Value;
+import com.openisle.dto.SiteConfigDto;
 import com.openisle.service.RegisterModeService;
-import com.openisle.model.RegisterMode;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
@@ -34,8 +33,8 @@ public class ConfigController {
    private final RegisterModeService registerModeService;

    @GetMapping("/config")
-    public ConfigResponse getConfig() {
-        ConfigResponse resp = new ConfigResponse();
+    public SiteConfigDto getConfig() {
+        SiteConfigDto resp = new SiteConfigDto();
        resp.setCaptchaEnabled(captchaEnabled);
        resp.setRegisterCaptchaEnabled(registerCaptchaEnabled);
        resp.setLoginCaptchaEnabled(loginCaptchaEnabled);
@@ -45,15 +44,4 @@ public class ConfigController {
        resp.setRegisterMode(registerModeService.getRegisterMode());
        return resp;
    }
-
-    @Data
-    private static class ConfigResponse {
-        private boolean captchaEnabled;
-        private boolean registerCaptchaEnabled;
-        private boolean loginCaptchaEnabled;
-        private boolean postCaptchaEnabled;
-        private boolean commentCaptchaEnabled;
-        private int aiFormatLimit;
-        private RegisterMode registerMode;
-    }
 }
--- a/backend/src/main/java/com/openisle/controller/DraftController.java
+++ b/backend/src/main/java/com/openisle/controller/DraftController.java
@@ -1,32 +1,32 @@
 package com.openisle.controller;

+import com.openisle.dto.DraftDto;
+import com.openisle.dto.DraftRequest;
+import com.openisle.mapper.DraftMapper;
 import com.openisle.model.Draft;
 import com.openisle.service.DraftService;
-import lombok.Data;
 import lombok.RequiredArgsConstructor;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.Authentication;
 import org.springframework.web.bind.annotation.*;

-import java.util.List;
-import java.util.stream.Collectors;
-
@RestController
@RequestMapping("/api/drafts")
@RequiredArgsConstructor
 public class DraftController {
    private final DraftService draftService;
+    private final DraftMapper draftMapper;

    @PostMapping
    public ResponseEntity<DraftDto> saveDraft(@RequestBody DraftRequest req, Authentication auth) {
        Draft draft = draftService.saveDraft(auth.getName(), req.getCategoryId(), req.getTitle(), req.getContent(), req.getTagIds());
-        return ResponseEntity.ok(toDto(draft));
+        return ResponseEntity.ok(draftMapper.toDto(draft));
    }

    @GetMapping("/me")
    public ResponseEntity<DraftDto> getMyDraft(Authentication auth) {
        return draftService.getDraft(auth.getName())
-                .map(d -> ResponseEntity.ok(toDto(d)))
+                .map(d -> ResponseEntity.ok(draftMapper.toDto(d)))
                .orElseGet(() -> ResponseEntity.noContent().build());
    }

@@ -35,33 +35,4 @@ public class DraftController {
        draftService.deleteDraft(auth.getName());
        return ResponseEntity.ok().build();
    }
-
-    private DraftDto toDto(Draft draft) {
-        DraftDto dto = new DraftDto();
-        dto.setId(draft.getId());
-        dto.setTitle(draft.getTitle());
-        dto.setContent(draft.getContent());
-        if (draft.getCategory() != null) {
-            dto.setCategoryId(draft.getCategory().getId());
-        }
-        dto.setTagIds(draft.getTags().stream().map(com.openisle.model.Tag::getId).collect(Collectors.toList()));
-        return dto;
-    }
-
-    @Data
-    private static class DraftRequest {
-        private String title;
-        private String content;
-        private Long categoryId;
-        private List<Long> tagIds;
-    }
-
-    @Data
-    private static class DraftDto {
-        private Long id;
-        private String title;
-        private String content;
-        private Long categoryId;
-        private List<Long> tagIds;
-    }
 }
--- a/backend/src/main/java/com/openisle/controller/GlobalExceptionHandler.java
+++ b/backend/src/main/java/com/openisle/controller/GlobalExceptionHandler.java
@@ -5,6 +5,7 @@ import org.springframework.web.bind.annotation.ExceptionHandler;
 import org.springframework.web.bind.annotation.RestControllerAdvice;
 import com.openisle.exception.FieldException;
 import com.openisle.exception.NotFoundException;
+import com.openisle.exception.RateLimitException;

 import java.util.Map;

@@ -22,9 +23,18 @@ public class GlobalExceptionHandler {
        return ResponseEntity.status(404).body(Map.of("error", ex.getMessage()));
    }

+    @ExceptionHandler(RateLimitException.class)
+    public ResponseEntity<?> handleRateLimitException(RateLimitException ex) {
+        return ResponseEntity.status(429).body(Map.of("error", ex.getMessage()));
+    }
+
    @ExceptionHandler(Exception.class)
    public ResponseEntity<?> handleException(Exception ex) {
-        return ResponseEntity.badRequest().body(Map.of("error", ex.getMessage()));
+        String message = ex.getMessage();
+        if (message == null) {
+            message = ex.getClass().getSimpleName();
+        }
+        return ResponseEntity.badRequest().body(Map.of("error", message));
    }
 }

--- a/backend/src/main/java/com/openisle/controller/HelloController.java
+++ b/backend/src/main/java/com/openisle/controller/HelloController.java
--- a/backend/src/main/java/com/openisle/controller/InviteController.java
+++ b/backend/src/main/java/com/openisle/controller/InviteController.java
@@ -0,0 +1,23 @@
+package com.openisle.controller;
+
+import com.openisle.service.InviteService;
+import lombok.RequiredArgsConstructor;
+import org.springframework.security.core.Authentication;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import java.util.Map;
+
+@RestController
+@RequestMapping("/api/invite")
+@RequiredArgsConstructor
+public class InviteController {
+    private final InviteService inviteService;
+
+    @PostMapping("/generate")
+    public Map<String, String> generate(Authentication auth) {
+        String token = inviteService.generate(auth.getName());
+        return Map.of("token", token);
+    }
+}
--- a/backend/src/main/java/com/openisle/controller/MedalController.java
+++ b/backend/src/main/java/com/openisle/controller/MedalController.java
@@ -0,0 +1,33 @@
+package com.openisle.controller;
+
+import com.openisle.dto.MedalDto;
+import com.openisle.dto.MedalSelectRequest;
+import com.openisle.service.MedalService;
+import lombok.RequiredArgsConstructor;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.Authentication;
+import org.springframework.web.bind.annotation.*;
+
+import java.util.List;
+
+@RestController
+@RequestMapping("/api/medals")
+@RequiredArgsConstructor
+public class MedalController {
+    private final MedalService medalService;
+
+    @GetMapping
+    public List<MedalDto> getMedals(@RequestParam(value = "userId", required = false) Long userId) {
+        return medalService.getMedals(userId);
+    }
+
+    @PostMapping("/select")
+    public ResponseEntity<Void> selectMedal(@RequestBody MedalSelectRequest req, Authentication auth) {
+        try {
+            medalService.selectMedal(auth.getName(), req.getType());
+            return ResponseEntity.ok().build();
+        } catch (IllegalArgumentException e) {
+            return ResponseEntity.badRequest().build();
+        }
+    }
+}
--- a/backend/src/main/java/com/openisle/controller/NotificationController.java
+++ b/backend/src/main/java/com/openisle/controller/NotificationController.java
@@ -0,0 +1,55 @@
+package com.openisle.controller;
+
+import com.openisle.dto.NotificationDto;
+import com.openisle.dto.NotificationMarkReadRequest;
+import com.openisle.dto.NotificationUnreadCountDto;
+import com.openisle.dto.NotificationPreferenceDto;
+import com.openisle.dto.NotificationPreferenceUpdateRequest;
+import com.openisle.mapper.NotificationMapper;
+import com.openisle.service.NotificationService;
+import lombok.RequiredArgsConstructor;
+import org.springframework.security.core.Authentication;
+import org.springframework.web.bind.annotation.*;
+
+import java.util.List;
+import java.util.stream.Collectors;
+
+/** Endpoints for user notifications. */
+@RestController
+@RequestMapping("/api/notifications")
+@RequiredArgsConstructor
+public class NotificationController {
+    private final NotificationService notificationService;
+    private final NotificationMapper notificationMapper;
+
+    @GetMapping
+    public List<NotificationDto> list(@RequestParam(value = "read", required = false) Boolean read,
+                                      Authentication auth) {
+        return notificationService.listNotifications(auth.getName(), read).stream()
+                .map(notificationMapper::toDto)
+                .collect(Collectors.toList());
+    }
+
+    @GetMapping("/unread-count")
+    public NotificationUnreadCountDto unreadCount(Authentication auth) {
+        long count = notificationService.countUnread(auth.getName());
+        NotificationUnreadCountDto uc = new NotificationUnreadCountDto();
+        uc.setCount(count);
+        return uc;
+    }
+
+    @PostMapping("/read")
+    public void markRead(@RequestBody NotificationMarkReadRequest req, Authentication auth) {
+        notificationService.markRead(auth.getName(), req.getIds());
+    }
+
+    @GetMapping("/prefs")
+    public List<NotificationPreferenceDto> prefs(Authentication auth) {
+        return notificationService.listPreferences(auth.getName());
+    }
+
+    @PostMapping("/prefs")
+    public void updatePref(@RequestBody NotificationPreferenceUpdateRequest req, Authentication auth) {
+        notificationService.updatePreference(auth.getName(), req.getType(), req.isEnabled());
+    }
+}
--- a/backend/src/main/java/com/openisle/controller/PointMallController.java
+++ b/backend/src/main/java/com/openisle/controller/PointMallController.java
@@ -0,0 +1,39 @@
+package com.openisle.controller;
+
+import com.openisle.dto.PointGoodDto;
+import com.openisle.dto.PointRedeemRequest;
+import com.openisle.mapper.PointGoodMapper;
+import com.openisle.model.User;
+import com.openisle.service.PointMallService;
+import com.openisle.service.UserService;
+import lombok.RequiredArgsConstructor;
+import org.springframework.security.core.Authentication;
+import org.springframework.web.bind.annotation.*;
+
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
+
+/** REST controller for point mall. */
+@RestController
+@RequestMapping("/api/point-goods")
+@RequiredArgsConstructor
+public class PointMallController {
+    private final PointMallService pointMallService;
+    private final UserService userService;
+    private final PointGoodMapper pointGoodMapper;
+
+    @GetMapping
+    public List<PointGoodDto> list() {
+        return pointMallService.listGoods().stream()
+                .map(pointGoodMapper::toDto)
+                .collect(Collectors.toList());
+    }
+
+    @PostMapping("/redeem")
+    public Map<String, Integer> redeem(@RequestBody PointRedeemRequest req, Authentication auth) {
+        User user = userService.findByIdentifier(auth.getName()).orElseThrow();
+        int point = pointMallService.redeem(user, req.getGoodId(), req.getContact());
+        return Map.of("point", point);
+    }
+}
--- a/backend/src/main/java/com/openisle/controller/PostController.java
+++ b/backend/src/main/java/com/openisle/controller/PostController.java
@@ -0,0 +1,164 @@
+package com.openisle.controller;
+
+import com.openisle.dto.PostDetailDto;
+import com.openisle.dto.PostRequest;
+import com.openisle.dto.PostSummaryDto;
+import com.openisle.mapper.PostMapper;
+import com.openisle.model.Post;
+import com.openisle.service.*;
+import lombok.RequiredArgsConstructor;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.Authentication;
+import org.springframework.web.bind.annotation.*;
+
+import java.util.List;
+import java.util.stream.Collectors;
+
+@RestController
+@RequestMapping("/api/posts")
+@RequiredArgsConstructor
+public class PostController {
+    private final PostService postService;
+    private final LevelService levelService;
+    private final CaptchaService captchaService;
+    private final DraftService draftService;
+    private final UserVisitService userVisitService;
+    private final PostMapper postMapper;
+    private final PointService pointService;
+
+    @Value("${app.captcha.enabled:false}")
+    private boolean captchaEnabled;
+
+    @Value("${app.captcha.post-enabled:false}")
+    private boolean postCaptchaEnabled;
+
+    @PostMapping
+    public ResponseEntity<PostDetailDto> createPost(@RequestBody PostRequest req, Authentication auth) {
+        if (captchaEnabled && postCaptchaEnabled && !captchaService.verify(req.getCaptcha())) {
+            return ResponseEntity.badRequest().build();
+        }
+        Post post = postService.createPost(auth.getName(), req.getCategoryId(),
+                req.getTitle(), req.getContent(), req.getTagIds(),
+                req.getType(), req.getPrizeDescription(), req.getPrizeIcon(),
+                req.getPrizeCount(), req.getStartTime(), req.getEndTime());
+        draftService.deleteDraft(auth.getName());
+        PostDetailDto dto = postMapper.toDetailDto(post, auth.getName());
+        dto.setReward(levelService.awardForPost(auth.getName()));
+        dto.setPointReward(pointService.awardForPost(auth.getName()));
+        return ResponseEntity.ok(dto);
+    }
+
+    @PutMapping("/{id}")
+    public ResponseEntity<PostDetailDto> updatePost(@PathVariable Long id, @RequestBody PostRequest req,
+                                              Authentication auth) {
+        Post post = postService.updatePost(id, auth.getName(), req.getCategoryId(),
+                req.getTitle(), req.getContent(), req.getTagIds());
+        return ResponseEntity.ok(postMapper.toDetailDto(post, auth.getName()));
+    }
+
+    @DeleteMapping("/{id}")
+    public void deletePost(@PathVariable Long id, Authentication auth) {
+        postService.deletePost(id, auth.getName());
+    }
+
+    @GetMapping("/{id}")
+    public ResponseEntity<PostDetailDto> getPost(@PathVariable Long id, Authentication auth) {
+        String viewer = auth != null ? auth.getName() : null;
+        Post post = postService.viewPost(id, viewer);
+        return ResponseEntity.ok(postMapper.toDetailDto(post, viewer));
+    }
+
+    @PostMapping("/{id}/lottery/join")
+    public ResponseEntity<Void> joinLottery(@PathVariable Long id, Authentication auth) {
+        postService.joinLottery(id, auth.getName());
+        return ResponseEntity.ok().build();
+    }
+
+    @GetMapping
+    public List<PostSummaryDto> listPosts(@RequestParam(value = "categoryId", required = false) Long categoryId,
+                                   @RequestParam(value = "categoryIds", required = false) List<Long> categoryIds,
+                                   @RequestParam(value = "tagId", required = false) Long tagId,
+                                   @RequestParam(value = "tagIds", required = false) List<Long> tagIds,
+                                   @RequestParam(value = "page", required = false) Integer page,
+                                   @RequestParam(value = "pageSize", required = false) Integer pageSize,
+                                   Authentication auth) {
+        List<Long> ids = categoryIds;
+        if (categoryId != null) {
+            ids = java.util.List.of(categoryId);
+        }
+        List<Long> tids = tagIds;
+        if (tagId != null) {
+            tids = java.util.List.of(tagId);
+        }
+
+        if (auth != null) {
+            userVisitService.recordVisit(auth.getName());
+        }
+
+        boolean hasCategories = ids != null && !ids.isEmpty();
+        boolean hasTags = tids != null && !tids.isEmpty();
+
+        if (hasCategories && hasTags) {
+            return postService.listPostsByCategoriesAndTags(ids, tids, page, pageSize)
+                    .stream().map(postMapper::toSummaryDto).collect(Collectors.toList());
+        }
+        if (hasTags) {
+            return postService.listPostsByTags(tids, page, pageSize)
+                .stream().map(postMapper::toSummaryDto).collect(Collectors.toList());
+        }
+
+        return postService.listPostsByCategories(ids, page, pageSize)
+                .stream().map(postMapper::toSummaryDto).collect(Collectors.toList());
+    }
+
+    @GetMapping("/ranking")
+    public List<PostSummaryDto> rankingPosts(@RequestParam(value = "categoryId", required = false) Long categoryId,
+                                      @RequestParam(value = "categoryIds", required = false) List<Long> categoryIds,
+                                      @RequestParam(value = "tagId", required = false) Long tagId,
+                                      @RequestParam(value = "tagIds", required = false) List<Long> tagIds,
+                                      @RequestParam(value = "page", required = false) Integer page,
+                                      @RequestParam(value = "pageSize", required = false) Integer pageSize,
+                                      Authentication auth) {
+        List<Long> ids = categoryIds;
+        if (categoryId != null) {
+            ids = java.util.List.of(categoryId);
+        }
+        List<Long> tids = tagIds;
+        if (tagId != null) {
+            tids = java.util.List.of(tagId);
+        }
+
+        if (auth != null) {
+            userVisitService.recordVisit(auth.getName());
+        }
+
+        return postService.listPostsByViews(ids, tids, page, pageSize)
+                .stream().map(postMapper::toSummaryDto).collect(Collectors.toList());
+    }
+
+    @GetMapping("/latest-reply")
+    public List<PostSummaryDto> latestReplyPosts(@RequestParam(value = "categoryId", required = false) Long categoryId,
+                                          @RequestParam(value = "categoryIds", required = false) List<Long> categoryIds,
+                                          @RequestParam(value = "tagId", required = false) Long tagId,
+                                          @RequestParam(value = "tagIds", required = false) List<Long> tagIds,
+                                          @RequestParam(value = "page", required = false) Integer page,
+                                          @RequestParam(value = "pageSize", required = false) Integer pageSize,
+                                          Authentication auth) {
+        List<Long> ids = categoryIds;
+        if (categoryId != null) {
+            ids = java.util.List.of(categoryId);
+        }
+        List<Long> tids = tagIds;
+        if (tagId != null) {
+            tids = java.util.List.of(tagId);
+        }
+
+        if (auth != null) {
+            userVisitService.recordVisit(auth.getName());
+        }
+
+        return postService.listPostsByLatestReply(ids, tids, page, pageSize)
+                .stream().map(postMapper::toSummaryDto).collect(Collectors.toList());
+    }
+}
--- a/backend/src/main/java/com/openisle/controller/PushSubscriptionController.java
+++ b/backend/src/main/java/com/openisle/controller/PushSubscriptionController.java
@@ -0,0 +1,30 @@
+package com.openisle.controller;
+
+import com.openisle.dto.PushPublicKeyDto;
+import com.openisle.dto.PushSubscriptionRequest;
+import com.openisle.service.PushSubscriptionService;
+import lombok.RequiredArgsConstructor;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.security.core.Authentication;
+import org.springframework.web.bind.annotation.*;
+
+@RestController
+@RequestMapping("/api/push")
+@RequiredArgsConstructor
+public class PushSubscriptionController {
+    private final PushSubscriptionService pushSubscriptionService;
+    @Value("${app.webpush.public-key}")
+    private String publicKey;
+
+    @GetMapping("/public-key")
+    public PushPublicKeyDto getPublicKey() {
+        PushPublicKeyDto r = new PushPublicKeyDto();
+        r.setKey(publicKey);
+        return r;
+    }
+
+    @PostMapping("/subscribe")
+    public void subscribe(@RequestBody PushSubscriptionRequest req, Authentication auth) {
+        pushSubscriptionService.saveSubscription(auth.getName(), req.getEndpoint(), req.getP256dh(), req.getAuth());
+    }
+}
--- a/backend/src/main/java/com/openisle/controller/ReactionController.java
+++ b/backend/src/main/java/com/openisle/controller/ReactionController.java
@@ -1,9 +1,13 @@
 package com.openisle.controller;

+import com.openisle.dto.ReactionDto;
+import com.openisle.dto.ReactionRequest;
+import com.openisle.mapper.ReactionMapper;
 import com.openisle.model.Reaction;
 import com.openisle.model.ReactionType;
+import com.openisle.service.LevelService;
+import com.openisle.service.PointService;
 import com.openisle.service.ReactionService;
-import lombok.Data;
 import lombok.RequiredArgsConstructor;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.Authentication;
@@ -14,6 +18,9 @@ import org.springframework.web.bind.annotation.*;
@RequiredArgsConstructor
 public class ReactionController {
    private final ReactionService reactionService;
+    private final LevelService levelService;
+    private final ReactionMapper reactionMapper;
+    private final PointService pointService;

    /**
     * Get all available reaction types.
@@ -25,51 +32,29 @@ public class ReactionController {

    @PostMapping("/posts/{postId}/reactions")
    public ResponseEntity<ReactionDto> reactToPost(@PathVariable Long postId,
-                                                  @RequestBody ReactionRequest req,
-                                                  Authentication auth) {
+                                                   @RequestBody ReactionRequest req,
+                                                   Authentication auth) {
        Reaction reaction = reactionService.reactToPost(auth.getName(), postId, req.getType());
        if (reaction == null) {
            return ResponseEntity.noContent().build();
        }
-        return ResponseEntity.ok(toDto(reaction));
+        ReactionDto dto = reactionMapper.toDto(reaction);
+        dto.setReward(levelService.awardForReaction(auth.getName()));
+        pointService.awardForReactionOfPost(auth.getName(), postId);
+        return ResponseEntity.ok(dto);
    }

    @PostMapping("/comments/{commentId}/reactions")
    public ResponseEntity<ReactionDto> reactToComment(@PathVariable Long commentId,
-                                                     @RequestBody ReactionRequest req,
-                                                     Authentication auth) {
+                                                      @RequestBody ReactionRequest req,
+                                                      Authentication auth) {
        Reaction reaction = reactionService.reactToComment(auth.getName(), commentId, req.getType());
        if (reaction == null) {
            return ResponseEntity.noContent().build();
        }
-        return ResponseEntity.ok(toDto(reaction));
-    }
-
-    private ReactionDto toDto(Reaction reaction) {
-        ReactionDto dto = new ReactionDto();
-        dto.setId(reaction.getId());
-        dto.setType(reaction.getType());
-        dto.setUser(reaction.getUser().getUsername());
-        if (reaction.getPost() != null) {
-            dto.setPostId(reaction.getPost().getId());
-        }
-        if (reaction.getComment() != null) {
-            dto.setCommentId(reaction.getComment().getId());
-        }
-        return dto;
-    }
-
-    @Data
-    private static class ReactionRequest {
-        private ReactionType type;
-    }
-
-    @Data
-    private static class ReactionDto {
-        private Long id;
-        private ReactionType type;
-        private String user;
-        private Long postId;
-        private Long commentId;
+        ReactionDto dto = reactionMapper.toDto(reaction);
+        dto.setReward(levelService.awardForReaction(auth.getName()));
+        pointService.awardForReactionOfComment(auth.getName(), commentId);
+        return ResponseEntity.ok(dto);
    }
 }
--- a/backend/src/main/java/com/openisle/controller/SearchController.java
+++ b/backend/src/main/java/com/openisle/controller/SearchController.java
@@ -1,10 +1,11 @@
 package com.openisle.controller;

-import com.openisle.model.Post;
-import com.openisle.model.Comment;
-import com.openisle.model.User;
+import com.openisle.dto.PostSummaryDto;
+import com.openisle.dto.SearchResultDto;
+import com.openisle.dto.UserDto;
+import com.openisle.mapper.PostMapper;
+import com.openisle.mapper.UserMapper;
 import com.openisle.service.SearchService;
-import lombok.Data;
 import lombok.RequiredArgsConstructor;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -19,32 +20,34 @@ import java.util.stream.Collectors;
@RequiredArgsConstructor
 public class SearchController {
    private final SearchService searchService;
+    private final UserMapper userMapper;
+    private final PostMapper postMapper;

    @GetMapping("/users")
    public List<UserDto> searchUsers(@RequestParam String keyword) {
        return searchService.searchUsers(keyword).stream()
-                .map(this::toUserDto)
+                .map(userMapper::toDto)
                .collect(Collectors.toList());
    }

    @GetMapping("/posts")
-    public List<PostDto> searchPosts(@RequestParam String keyword) {
+    public List<PostSummaryDto> searchPosts(@RequestParam String keyword) {
        return searchService.searchPosts(keyword).stream()
-                .map(this::toPostDto)
+                .map(postMapper::toSummaryDto)
                .collect(Collectors.toList());
    }

    @GetMapping("/posts/content")
-    public List<PostDto> searchPostsByContent(@RequestParam String keyword) {
+    public List<PostSummaryDto> searchPostsByContent(@RequestParam String keyword) {
        return searchService.searchPostsByContent(keyword).stream()
-                .map(this::toPostDto)
+                .map(postMapper::toSummaryDto)
                .collect(Collectors.toList());
    }

    @GetMapping("/posts/title")
-    public List<PostDto> searchPostsByTitle(@RequestParam String keyword) {
+    public List<PostSummaryDto> searchPostsByTitle(@RequestParam String keyword) {
        return searchService.searchPostsByTitle(keyword).stream()
-                .map(this::toPostDto)
+                .map(postMapper::toSummaryDto)
                .collect(Collectors.toList());
    }

@@ -63,40 +66,4 @@ public class SearchController {
                })
                .collect(Collectors.toList());
    }
-
-    private UserDto toUserDto(User user) {
-        UserDto dto = new UserDto();
-        dto.setId(user.getId());
-        dto.setUsername(user.getUsername());
-        return dto;
-    }
-
-    private PostDto toPostDto(Post post) {
-        PostDto dto = new PostDto();
-        dto.setId(post.getId());
-        dto.setTitle(post.getTitle());
-        return dto;
-    }
-
-    @Data
-    private static class UserDto {
-        private Long id;
-        private String username;
-    }
-
-    @Data
-    private static class PostDto {
-        private Long id;
-        private String title;
-    }
-
-    @Data
-    private static class SearchResultDto {
-        private String type;
-        private Long id;
-        private String text;
-        private String subText;
-        private String extra;
-        private Long postId;
-    }
 }
--- a/backend/src/main/java/com/openisle/controller/SitemapController.java
+++ b/backend/src/main/java/com/openisle/controller/SitemapController.java
@@ -0,0 +1,69 @@
+package com.openisle.controller;
+
+import com.openisle.model.Post;
+import com.openisle.model.PostStatus;
+import com.openisle.repository.PostRepository;
+import lombok.RequiredArgsConstructor;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.MediaType;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import java.util.List;
+
+/**
+ * Controller for dynamic sitemap generation.
+ */
+@RestController
+@RequiredArgsConstructor
+@RequestMapping("/api")
+public class SitemapController {
+    private final PostRepository postRepository;
+
+    @Value("${app.website-url}")
+    private String websiteUrl;
+
+    @GetMapping(value = "/sitemap.xml", produces = MediaType.APPLICATION_XML_VALUE)
+    public ResponseEntity<String> sitemap() {
+        List<Post> posts = postRepository.findByStatus(PostStatus.PUBLISHED);
+
+        StringBuilder body = new StringBuilder();
+        body.append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n");
+        body.append("<urlset xmlns=\"http://www.sitemaps.org/schemas/sitemap/0.9\">\n");
+
+        List<String> staticRoutes = List.of(
+                "/",
+                "/about",
+                "/activities",
+                "/login",
+                "/signup"
+        );
+
+        for (String path : staticRoutes) {
+            body.append("  <url><loc>")
+                .append(websiteUrl)
+                .append(path)
+                .append("</loc></url>\n");
+        }
+
+        for (Post p : posts) {
+            body.append("  <url>\n")
+                .append("    <loc>")
+                .append(websiteUrl)
+                .append("/posts/")
+                .append(p.getId())
+                .append("</loc>\n")
+                .append("    <lastmod>")
+                .append(p.getCreatedAt().toLocalDate())
+                .append("</lastmod>\n")
+                .append("  </url>\n");
+        }
+
+        body.append("</urlset>");
+        return ResponseEntity.ok()
+                .contentType(MediaType.APPLICATION_XML)
+                .body(body.toString());
+    }
+}
--- a/backend/src/main/java/com/openisle/controller/StatController.java
+++ b/backend/src/main/java/com/openisle/controller/StatController.java
@@ -0,0 +1,85 @@
+package com.openisle.controller;
+
+import com.openisle.service.UserVisitService;
+import com.openisle.service.StatService;
+import lombok.RequiredArgsConstructor;
+import org.springframework.format.annotation.DateTimeFormat;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.RestController;
+
+import java.time.LocalDate;
+import java.util.List;
+import java.util.Map;
+
+@RestController
+@RequestMapping("/api/stats")
+@RequiredArgsConstructor
+public class StatController {
+    private final UserVisitService userVisitService;
+    private final StatService statService;
+
+    @GetMapping("/dau")
+    public Map<String, Long> dau(@RequestParam(value = "date", required = false)
+                                 @DateTimeFormat(iso = DateTimeFormat.ISO.DATE) LocalDate date) {
+        long count = userVisitService.countDau(date);
+        return Map.of("dau", count);
+    }
+
+    @GetMapping("/dau-range")
+    public List<Map<String, Object>> dauRange(@RequestParam(value = "days", defaultValue = "30") int days) {
+        if (days < 1) days = 1;
+        LocalDate end = LocalDate.now();
+        LocalDate start = end.minusDays(days - 1L);
+        var data = userVisitService.countDauRange(start, end);
+        return data.entrySet().stream()
+                .map(e -> Map.<String,Object>of(
+                        "date",  e.getKey().toString(),
+                        "value", e.getValue()
+                ))
+                .toList();
+    }
+
+    @GetMapping("/new-users-range")
+    public List<Map<String, Object>> newUsersRange(@RequestParam(value = "days", defaultValue = "30") int days) {
+        if (days < 1) days = 1;
+        LocalDate end = LocalDate.now();
+        LocalDate start = end.minusDays(days - 1L);
+        var data = statService.countNewUsersRange(start, end);
+        return data.entrySet().stream()
+                .map(e -> Map.<String,Object>of(
+                        "date", e.getKey().toString(),
+                        "value", e.getValue()
+                ))
+                .toList();
+    }
+
+    @GetMapping("/posts-range")
+    public List<Map<String, Object>> postsRange(@RequestParam(value = "days", defaultValue = "30") int days) {
+        if (days < 1) days = 1;
+        LocalDate end = LocalDate.now();
+        LocalDate start = end.minusDays(days - 1L);
+        var data = statService.countPostsRange(start, end);
+        return data.entrySet().stream()
+                .map(e -> Map.<String,Object>of(
+                        "date", e.getKey().toString(),
+                        "value", e.getValue()
+                ))
+                .toList();
+    }
+
+    @GetMapping("/comments-range")
+    public List<Map<String, Object>> commentsRange(@RequestParam(value = "days", defaultValue = "30") int days) {
+        if (days < 1) days = 1;
+        LocalDate end = LocalDate.now();
+        LocalDate start = end.minusDays(days - 1L);
+        var data = statService.countCommentsRange(start, end);
+        return data.entrySet().stream()
+                .map(e -> Map.<String,Object>of(
+                        "date", e.getKey().toString(),
+                        "value", e.getValue()
+                ))
+                .toList();
+    }
+}
--- a/backend/src/main/java/com/openisle/controller/SubscriptionController.java
+++ b/backend/src/main/java/com/openisle/controller/SubscriptionController.java
--- a/backend/src/main/java/com/openisle/controller/TagController.java
+++ b/backend/src/main/java/com/openisle/controller/TagController.java
@@ -1,16 +1,21 @@
 package com.openisle.controller;

-import com.openisle.model.Tag;
-import com.openisle.service.TagService;
-import com.openisle.service.PostService;
-import com.openisle.repository.UserRepository;
+import com.openisle.dto.PostSummaryDto;
+import com.openisle.dto.TagDto;
+import com.openisle.dto.TagRequest;
+import com.openisle.mapper.PostMapper;
+import com.openisle.mapper.TagMapper;
 import com.openisle.model.PublishMode;
 import com.openisle.model.Role;
-import lombok.Data;
+import com.openisle.model.Tag;
+import com.openisle.repository.UserRepository;
+import com.openisle.service.PostService;
+import com.openisle.service.TagService;
 import lombok.RequiredArgsConstructor;
 import org.springframework.web.bind.annotation.*;

 import java.util.List;
+import java.util.Map;
 import java.util.stream.Collectors;

@RestController
@@ -20,6 +25,8 @@ public class TagController {
    private final TagService tagService;
    private final PostService postService;
    private final UserRepository userRepository;
+    private final PostMapper postMapper;
+    private final TagMapper tagMapper;

    @PostMapping
    public TagDto create(@RequestBody TagRequest req, org.springframework.security.core.Authentication auth) {
@@ -38,14 +45,14 @@ public class TagController {
                approved,
                auth != null ? auth.getName() : null);
        long count = postService.countPostsByTag(tag.getId());
-        return toDto(tag, count);
+        return tagMapper.toDto(tag, count);
    }

    @PutMapping("/{id}")
    public TagDto update(@PathVariable Long id, @RequestBody TagRequest req) {
        Tag tag = tagService.updateTag(id, req.getName(), req.getDescription(), req.getIcon(), req.getSmallIcon());
        long count = postService.countPostsByTag(tag.getId());
-        return toDto(tag, count);
+        return tagMapper.toDto(tag, count);
    }

    @DeleteMapping("/{id}")
@@ -56,8 +63,11 @@ public class TagController {
    @GetMapping
    public List<TagDto> list(@RequestParam(value = "keyword", required = false) String keyword,
                             @RequestParam(value = "limit", required = false) Integer limit) {
-        List<TagDto> dtos = tagService.searchTags(keyword).stream()
-                .map(t -> toDto(t, postService.countPostsByTag(t.getId())))
+        List<Tag> tags = tagService.searchTags(keyword);
+        List<Long> tagIds = tags.stream().map(Tag::getId).toList();
+        Map<Long, Long> postCntByTagIds = postService.countPostsByTagIds(tagIds);
+        List<TagDto> dtos = tags.stream()
+                .map(t -> tagMapper.toDto(t, postCntByTagIds.getOrDefault(t.getId(), 0L)))
                .sorted((a, b) -> Long.compare(b.getCount(), a.getCount()))
                .collect(Collectors.toList());
        if (limit != null && limit > 0 && dtos.size() > limit) {
@@ -70,7 +80,7 @@ public class TagController {
    public TagDto get(@PathVariable Long id) {
        Tag tag = tagService.getTag(id);
        long count = postService.countPostsByTag(tag.getId());
-        return toDto(tag, count);
+        return tagMapper.toDto(tag, count);
    }

    @GetMapping("/{id}/posts")
@@ -79,47 +89,7 @@ public class TagController {
                                               @RequestParam(value = "pageSize", required = false) Integer pageSize) {
        return postService.listPostsByTags(java.util.List.of(id), page, pageSize)
                .stream()
-                .map(p -> {
-                    PostSummaryDto dto = new PostSummaryDto();
-                    dto.setId(p.getId());
-                    dto.setTitle(p.getTitle());
-                    return dto;
-                })
+                .map(postMapper::toSummaryDto)
                .collect(Collectors.toList());
    }
-
-    private TagDto toDto(Tag tag, long count) {
-        TagDto dto = new TagDto();
-        dto.setId(tag.getId());
-        dto.setName(tag.getName());
-        dto.setIcon(tag.getIcon());
-        dto.setSmallIcon(tag.getSmallIcon());
-        dto.setDescription(tag.getDescription());
-        dto.setCount(count);
-        return dto;
-    }
-
-    @Data
-    private static class TagRequest {
-        private String name;
-        private String description;
-        private String icon;
-        private String smallIcon;
-    }
-
-    @Data
-    private static class TagDto {
-        private Long id;
-        private String name;
-        private String description;
-        private String icon;
-        private String smallIcon;
-        private Long count;
-    }
-
-    @Data
-    private static class PostSummaryDto {
-        private Long id;
-        private String title;
-    }
 }
--- a/backend/src/main/java/com/openisle/controller/UploadController.java
+++ b/backend/src/main/java/com/openisle/controller/UploadController.java
@@ -74,4 +74,9 @@ public class UploadController {
            return ResponseEntity.internalServerError().body(Map.of("code", 3, "msg", "Upload failed"));
        }
    }
+
+    @GetMapping("/presign")
+    public java.util.Map<String, String> presign(@RequestParam("filename") String filename) {
+        return imageUploader.presignUpload(filename);
+    }
 }
--- a/backend/src/main/java/com/openisle/controller/UserController.java
+++ b/backend/src/main/java/com/openisle/controller/UserController.java
@@ -1,11 +1,13 @@
 package com.openisle.controller;

+import com.openisle.dto.*;
 import com.openisle.exception.NotFoundException;
+import com.openisle.mapper.TagMapper;
+import com.openisle.mapper.UserMapper;
 import com.openisle.model.User;
 import com.openisle.service.*;
-import org.springframework.beans.factory.annotation.Value;
-import lombok.Data;
 import lombok.RequiredArgsConstructor;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.Authentication;
 import org.springframework.web.bind.annotation.*;
@@ -25,8 +27,10 @@ public class UserController {
    private final ReactionService reactionService;
    private final TagService tagService;
    private final SubscriptionService subscriptionService;
-    private final PostReadService postReadService;
-    private final UserVisitService userVisitService;
+    private final LevelService levelService;
+    private final JwtService jwtService;
+    private final UserMapper userMapper;
+    private final TagMapper tagMapper;

    @Value("${app.upload.check-type:true}")
    private boolean checkImageType;
@@ -43,13 +47,10 @@ public class UserController {
    @Value("${app.user.tags-limit:50}")
    private int defaultTagsLimit;

-    @Value("${app.snippet-length:50}")
-    private int snippetLength;
-
    @GetMapping("/me")
    public ResponseEntity<UserDto> me(Authentication auth) {
        User user = userService.findByUsername(auth.getName()).orElseThrow();
-        return ResponseEntity.ok(toDto(user, auth));
+        return ResponseEntity.ok(userMapper.toDto(user, auth));
    }

    @PostMapping("/me/avatar")
@@ -72,17 +73,26 @@ public class UserController {
    }

    @PutMapping("/me")
-    public ResponseEntity<UserDto> updateProfile(@RequestBody UpdateProfileDto dto,
-                                                 Authentication auth) {
+    public ResponseEntity<?> updateProfile(@RequestBody UpdateProfileDto dto,
+                                           Authentication auth) {
        User user = userService.updateProfile(auth.getName(), dto.getUsername(), dto.getIntroduction());
-        return ResponseEntity.ok(toDto(user, auth));
+        return ResponseEntity.ok(Map.of(
+                "token", jwtService.generateToken(user.getUsername()),
+                "user", userMapper.toDto(user, auth)
+        ));
+    }
+
+    @PostMapping("/me/signin")
+    public Map<String, Integer> signIn(Authentication auth) {
+        int reward = levelService.awardForSignin(auth.getName());
+        return Map.of("reward", reward);
    }

    @GetMapping("/{identifier}")
    public ResponseEntity<UserDto> getUser(@PathVariable("identifier") String identifier,
                                           Authentication auth) {
        User user = userService.findByIdentifier(identifier).orElseThrow(() -> new NotFoundException("User not found"));
-        return ResponseEntity.ok(toDto(user, auth));
+        return ResponseEntity.ok(userMapper.toDto(user, auth));
    }

    @GetMapping("/{identifier}/posts")
@@ -91,7 +101,7 @@ public class UserController {
        int l = limit != null ? limit : defaultPostsLimit;
        User user = userService.findByIdentifier(identifier).orElseThrow();
        return postService.getRecentPostsByUser(user.getUsername(), l).stream()
-                .map(this::toMetaDto)
+                .map(userMapper::toMetaDto)
                .collect(java.util.stream.Collectors.toList());
    }

@@ -101,7 +111,7 @@ public class UserController {
        int l = limit != null ? limit : defaultRepliesLimit;
        User user = userService.findByIdentifier(identifier).orElseThrow();
        return commentService.getRecentCommentsByUser(user.getUsername(), l).stream()
-                .map(this::toCommentInfoDto)
+                .map(userMapper::toCommentInfoDto)
                .collect(java.util.stream.Collectors.toList());
    }

@@ -112,7 +122,7 @@ public class UserController {
        User user = userService.findByIdentifier(identifier).orElseThrow();
        java.util.List<Long> ids = reactionService.topPostIds(user.getUsername(), l);
        return postService.getPostsByIds(ids).stream()
-                .map(this::toMetaDto)
+                .map(userMapper::toMetaDto)
                .collect(java.util.stream.Collectors.toList());
    }

@@ -123,49 +133,29 @@ public class UserController {
        User user = userService.findByIdentifier(identifier).orElseThrow();
        java.util.List<Long> ids = reactionService.topCommentIds(user.getUsername(), l);
        return commentService.getCommentsByIds(ids).stream()
-                .map(this::toCommentInfoDto)
+                .map(userMapper::toCommentInfoDto)
                .collect(java.util.stream.Collectors.toList());
    }

    @GetMapping("/{identifier}/hot-tags")
-    public java.util.List<TagInfoDto> hotTags(@PathVariable("identifier") String identifier,
-                                              @RequestParam(value = "limit", required = false) Integer limit) {
+    public java.util.List<TagDto> hotTags(@PathVariable("identifier") String identifier,
+                                          @RequestParam(value = "limit", required = false) Integer limit) {
        int l = limit != null ? limit : 10;
        User user = userService.findByIdentifier(identifier).orElseThrow();
        return tagService.getTagsByUser(user.getUsername()).stream()
-                .map(t -> {
-                    TagInfoDto dto = new TagInfoDto();
-                    dto.setId(t.getId());
-                    dto.setName(t.getName());
-                    dto.setDescription(t.getDescription());
-                    dto.setIcon(t.getIcon());
-                    dto.setSmallIcon(t.getSmallIcon());
-                    dto.setCreatedAt(t.getCreatedAt());
-                    dto.setCount(postService.countPostsByTag(t.getId()));
-                    return dto;
-                })
+                .map(t -> tagMapper.toDto(t, postService.countPostsByTag(t.getId())))
                .sorted((a, b) -> Long.compare(b.getCount(), a.getCount()))
                .limit(l)
                .collect(java.util.stream.Collectors.toList());
    }

    @GetMapping("/{identifier}/tags")
-    public java.util.List<TagInfoDto> userTags(@PathVariable("identifier") String identifier,
-                                               @RequestParam(value = "limit", required = false) Integer limit) {
+    public java.util.List<TagDto> userTags(@PathVariable("identifier") String identifier,
+                                           @RequestParam(value = "limit", required = false) Integer limit) {
        int l = limit != null ? limit : defaultTagsLimit;
        User user = userService.findByIdentifier(identifier).orElseThrow();
        return tagService.getRecentTagsByUser(user.getUsername(), l).stream()
-                .map(t -> {
-                    TagInfoDto dto = new TagInfoDto();
-                    dto.setId(t.getId());
-                    dto.setName(t.getName());
-                    dto.setDescription(t.getDescription());
-                    dto.setIcon(t.getIcon());
-                    dto.setSmallIcon(t.getSmallIcon());
-                    dto.setCreatedAt(t.getCreatedAt());
-                    dto.setCount(postService.countPostsByTag(t.getId()));
-                    return dto;
-                })
+                .map(t -> tagMapper.toDto(t, postService.countPostsByTag(t.getId())))
                .collect(java.util.stream.Collectors.toList());
    }

@@ -173,7 +163,7 @@ public class UserController {
    public java.util.List<UserDto> following(@PathVariable("identifier") String identifier) {
        User user = userService.findByIdentifier(identifier).orElseThrow();
        return subscriptionService.getSubscribedUsers(user.getUsername()).stream()
-                .map(this::toDto)
+                .map(userMapper::toDto)
                .collect(java.util.stream.Collectors.toList());
    }

@@ -181,7 +171,14 @@ public class UserController {
    public java.util.List<UserDto> followers(@PathVariable("identifier") String identifier) {
        User user = userService.findByIdentifier(identifier).orElseThrow();
        return subscriptionService.getSubscribers(user.getUsername()).stream()
-                .map(this::toDto)
+                .map(userMapper::toDto)
+                .collect(java.util.stream.Collectors.toList());
+    }
+
+    @GetMapping("/admins")
+    public java.util.List<UserDto> admins() {
+        return userService.getAdmins().stream()
+                .map(userMapper::toDto)
                .collect(java.util.stream.Collectors.toList());
    }

@@ -194,149 +191,15 @@ public class UserController {
        int pLimit = postsLimit != null ? postsLimit : defaultPostsLimit;
        int rLimit = repliesLimit != null ? repliesLimit : defaultRepliesLimit;
        java.util.List<PostMetaDto> posts = postService.getRecentPostsByUser(user.getUsername(), pLimit).stream()
-                .map(this::toMetaDto)
+                .map(userMapper::toMetaDto)
                .collect(java.util.stream.Collectors.toList());
        java.util.List<CommentInfoDto> replies = commentService.getRecentCommentsByUser(user.getUsername(), rLimit).stream()
-                .map(this::toCommentInfoDto)
+                .map(userMapper::toCommentInfoDto)
                .collect(java.util.stream.Collectors.toList());
        UserAggregateDto dto = new UserAggregateDto();
-        dto.setUser(toDto(user, auth));
+        dto.setUser(userMapper.toDto(user, auth));
        dto.setPosts(posts);
        dto.setReplies(replies);
        return ResponseEntity.ok(dto);
    }
-
-    private UserDto toDto(User user, Authentication viewer) {
-        UserDto dto = new UserDto();
-        dto.setId(user.getId());
-        dto.setUsername(user.getUsername());
-        dto.setEmail(user.getEmail());
-        dto.setAvatar(user.getAvatar());
-        dto.setRole(user.getRole().name());
-        dto.setIntroduction(user.getIntroduction());
-        dto.setFollowers(subscriptionService.countSubscribers(user.getUsername()));
-        dto.setFollowing(subscriptionService.countSubscribed(user.getUsername()));
-        dto.setCreatedAt(user.getCreatedAt());
-        dto.setLastPostTime(postService.getLastPostTime(user.getUsername()));
-        dto.setTotalViews(postService.getTotalViews(user.getUsername()));
-        dto.setVisitedDays(userVisitService.countVisits(user.getUsername()));
-        dto.setReadPosts(postReadService.countReads(user.getUsername()));
-        dto.setLikesSent(reactionService.countLikesSent(user.getUsername()));
-        dto.setLikesReceived(reactionService.countLikesReceived(user.getUsername()));
-        if (viewer != null) {
-            dto.setSubscribed(subscriptionService.isSubscribed(viewer.getName(), user.getUsername()));
-        } else {
-            dto.setSubscribed(false);
-        }
-        return dto;
-    }
-
-    private UserDto toDto(User user) {
-        return toDto(user, null);
-    }
-
-    private PostMetaDto toMetaDto(com.openisle.model.Post post) {
-        PostMetaDto dto = new PostMetaDto();
-        dto.setId(post.getId());
-        dto.setTitle(post.getTitle());
-        String content = post.getContent();
-        if (content == null) {
-            content = "";
-        }
-        if (snippetLength >= 0) {
-            dto.setSnippet(content.length() > snippetLength ? content.substring(0, snippetLength) : content);
-        } else {
-            dto.setSnippet(content);
-        }
-        dto.setCreatedAt(post.getCreatedAt());
-        dto.setCategory(post.getCategory().getName());
-        dto.setViews(post.getViews());
-        return dto;
-    }
-
-    private CommentInfoDto toCommentInfoDto(com.openisle.model.Comment comment) {
-        CommentInfoDto dto = new CommentInfoDto();
-        dto.setId(comment.getId());
-        dto.setContent(comment.getContent());
-        dto.setCreatedAt(comment.getCreatedAt());
-        dto.setPost(toMetaDto(comment.getPost()));
-        if (comment.getParent() != null) {
-            ParentCommentDto pc = new ParentCommentDto();
-            pc.setId(comment.getParent().getId());
-            pc.setAuthor(comment.getParent().getAuthor().getUsername());
-            pc.setContent(comment.getParent().getContent());
-            dto.setParentComment(pc);
-        }
-        return dto;
-    }
-
-    @Data
-    private static class UserDto {
-        private Long id;
-        private String username;
-        private String email;
-        private String avatar;
-        private String role;
-        private String introduction;
-        private long followers;
-        private long following;
-        private java.time.LocalDateTime createdAt;
-        private java.time.LocalDateTime lastPostTime;
-        private long totalViews;
-        private long visitedDays;
-        private long readPosts;
-        private long likesSent;
-        private long likesReceived;
-        private boolean subscribed;
-    }
-
-    @Data
-    private static class PostMetaDto {
-        private Long id;
-        private String title;
-        private String snippet;
-        private java.time.LocalDateTime createdAt;
-        private String category;
-        private long views;
-    }
-
-    @Data
-    private static class CommentInfoDto {
-        private Long id;
-        private String content;
-        private java.time.LocalDateTime createdAt;
-        private PostMetaDto post;
-        private ParentCommentDto parentComment;
-    }
-
-    @Data
-    private static class TagInfoDto {
-        private Long id;
-        private String name;
-        private String description;
-        private String icon;
-        private String smallIcon;
-        private java.time.LocalDateTime createdAt;
-        private Long count;
-    }
-
-    @Data
-    private static class ParentCommentDto {
-        private Long id;
-        private String author;
-        private String content;
-    }
-
-    @Data
-    private static class UpdateProfileDto {
-        private String username;
-        private String introduction;
-    }
-
-    @Data
-    private static class UserAggregateDto {
-        private UserDto user;
-        private java.util.List<PostMetaDto> posts;
-        private java.util.List<CommentInfoDto> replies;
-    }
 }
--- a/backend/src/main/java/com/openisle/dto/ActivityDto.java
+++ b/backend/src/main/java/com/openisle/dto/ActivityDto.java
@@ -0,0 +1,21 @@
+package com.openisle.dto;
+
+import com.openisle.model.ActivityType;
+import lombok.Data;
+
+import java.time.LocalDateTime;
+
+/**
+ * DTO representing an activity without participant details.
+ */
+@Data
+public class ActivityDto {
+    private Long id;
+    private String title;
+    private String icon;
+    private String content;
+    private LocalDateTime startTime;
+    private LocalDateTime endTime;
+    private ActivityType type;
+    private boolean ended;
+}
--- a/backend/src/main/java/com/openisle/dto/AuthorDto.java
+++ b/backend/src/main/java/com/openisle/dto/AuthorDto.java
@@ -0,0 +1,16 @@
+package com.openisle.dto;
+
+import lombok.Data;
+import com.openisle.model.MedalType;
+
+/**
+ * DTO representing a post or comment author.
+ */
+@Data
+public class AuthorDto {
+    private Long id;
+    private String username;
+    private String avatar;
+    private MedalType displayMedal;
+}
+
--- a/backend/src/main/java/com/openisle/dto/CategoryDto.java
+++ b/backend/src/main/java/com/openisle/dto/CategoryDto.java
@@ -0,0 +1,17 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+/**
+ * DTO representing a post category.
+ */
+@Data
+public class CategoryDto {
+    private Long id;
+    private String name;
+    private String description;
+    private String icon;
+    private String smallIcon;
+    private Long count;
+}
+
--- a/backend/src/main/java/com/openisle/dto/CategoryRequest.java
+++ b/backend/src/main/java/com/openisle/dto/CategoryRequest.java
@@ -0,0 +1,12 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+/** Request body for creating or updating a category. */
+@Data
+public class CategoryRequest {
+    private String name;
+    private String description;
+    private String icon;
+    private String smallIcon;
+}
--- a/backend/src/main/java/com/openisle/dto/CommentDto.java
+++ b/backend/src/main/java/com/openisle/dto/CommentDto.java
@@ -0,0 +1,23 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+import java.time.LocalDateTime;
+import java.util.List;
+
+/**
+ * DTO representing a comment and its nested replies.
+ */
+@Data
+public class CommentDto {
+    private Long id;
+    private String content;
+    private LocalDateTime createdAt;
+    private LocalDateTime pinnedAt;
+    private AuthorDto author;
+    private List<CommentDto> replies;
+    private List<ReactionDto> reactions;
+    private int reward;
+    private int pointReward;
+}
+
--- a/backend/src/main/java/com/openisle/dto/CommentInfoDto.java
+++ b/backend/src/main/java/com/openisle/dto/CommentInfoDto.java
@@ -0,0 +1,15 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+import java.time.LocalDateTime;
+
+/** DTO for comment information in user profiles. */
+@Data
+public class CommentInfoDto {
+    private Long id;
+    private String content;
+    private LocalDateTime createdAt;
+    private PostMetaDto post;
+    private ParentCommentDto parentComment;
+}
--- a/backend/src/main/java/com/openisle/dto/CommentMedalDto.java
+++ b/backend/src/main/java/com/openisle/dto/CommentMedalDto.java
@@ -0,0 +1,11 @@
+package com.openisle.dto;
+
+import lombok.Data;
+import lombok.EqualsAndHashCode;
+
+@Data
+@EqualsAndHashCode(callSuper = true)
+public class CommentMedalDto extends MedalDto {
+    private long currentCommentCount;
+    private long targetCommentCount;
+}
--- a/backend/src/main/java/com/openisle/dto/CommentRequest.java
+++ b/backend/src/main/java/com/openisle/dto/CommentRequest.java
@@ -0,0 +1,10 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+/** Request body for creating or replying to a comment. */
+@Data
+public class CommentRequest {
+    private String content;
+    private String captcha;
+}
--- a/backend/src/main/java/com/openisle/dto/ConfigDto.java
+++ b/backend/src/main/java/com/openisle/dto/ConfigDto.java
@@ -0,0 +1,15 @@
+package com.openisle.dto;
+
+import com.openisle.model.PasswordStrength;
+import com.openisle.model.PublishMode;
+import com.openisle.model.RegisterMode;
+import lombok.Data;
+
+/** DTO for site configuration. */
+@Data
+public class ConfigDto {
+    private PublishMode publishMode;
+    private PasswordStrength passwordStrength;
+    private Integer aiFormatLimit;
+    private RegisterMode registerMode;
+}
--- a/backend/src/main/java/com/openisle/dto/ContributorMedalDto.java
+++ b/backend/src/main/java/com/openisle/dto/ContributorMedalDto.java
@@ -0,0 +1,12 @@
+package com.openisle.dto;
+
+import lombok.Data;
+import lombok.EqualsAndHashCode;
+
+@Data
+@EqualsAndHashCode(callSuper = true)
+public class ContributorMedalDto extends MedalDto {
+    private long currentContributionLines;
+    private long targetContributionLines;
+}
+
--- a/backend/src/main/java/com/openisle/dto/DiscordLoginRequest.java
+++ b/backend/src/main/java/com/openisle/dto/DiscordLoginRequest.java
@@ -0,0 +1,11 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+/** Request for Discord OAuth login. */
+@Data
+public class DiscordLoginRequest {
+    private String code;
+    private String redirectUri;
+    private String inviteToken;
+}
--- a/backend/src/main/java/com/openisle/dto/DraftDto.java
+++ b/backend/src/main/java/com/openisle/dto/DraftDto.java
@@ -0,0 +1,15 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+import java.util.List;
+
+/** DTO representing a saved draft. */
+@Data
+public class DraftDto {
+    private Long id;
+    private String title;
+    private String content;
+    private Long categoryId;
+    private List<Long> tagIds;
+}
--- a/backend/src/main/java/com/openisle/dto/DraftRequest.java
+++ b/backend/src/main/java/com/openisle/dto/DraftRequest.java
@@ -0,0 +1,14 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+import java.util.List;
+
+/** Request body for saving a draft. */
+@Data
+public class DraftRequest {
+    private String title;
+    private String content;
+    private Long categoryId;
+    private List<Long> tagIds;
+}
--- a/backend/src/main/java/com/openisle/dto/ForgotPasswordRequest.java
+++ b/backend/src/main/java/com/openisle/dto/ForgotPasswordRequest.java
@@ -0,0 +1,9 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+/** Request to trigger a forgot password email. */
+@Data
+public class ForgotPasswordRequest {
+    private String email;
+}
--- a/backend/src/main/java/com/openisle/dto/GithubLoginRequest.java
+++ b/backend/src/main/java/com/openisle/dto/GithubLoginRequest.java
@@ -0,0 +1,11 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+/** Request for GitHub OAuth login. */
+@Data
+public class GithubLoginRequest {
+    private String code;
+    private String redirectUri;
+    private String inviteToken;
+}
--- a/backend/src/main/java/com/openisle/dto/GoogleLoginRequest.java
+++ b/backend/src/main/java/com/openisle/dto/GoogleLoginRequest.java
@@ -0,0 +1,10 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+/** Request for Google OAuth login. */
+@Data
+public class GoogleLoginRequest {
+    private String idToken;
+    private String inviteToken;
+}
--- a/backend/src/main/java/com/openisle/dto/LoginRequest.java
+++ b/backend/src/main/java/com/openisle/dto/LoginRequest.java
@@ -0,0 +1,11 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+/** Request to login. */
+@Data
+public class LoginRequest {
+    private String username;
+    private String password;
+    private String captcha;
+}
--- a/backend/src/main/java/com/openisle/dto/LotteryDto.java
+++ b/backend/src/main/java/com/openisle/dto/LotteryDto.java
@@ -0,0 +1,17 @@
+package com.openisle.dto;
+
+import lombok.Data;
+import java.time.LocalDateTime;
+import java.util.List;
+
+/** Metadata for lottery posts. */
+@Data
+public class LotteryDto {
+    private String prizeDescription;
+    private String prizeIcon;
+    private int prizeCount;
+    private LocalDateTime startTime;
+    private LocalDateTime endTime;
+    private List<AuthorDto> participants;
+    private List<AuthorDto> winners;
+}
--- a/backend/src/main/java/com/openisle/dto/MakeReasonRequest.java
+++ b/backend/src/main/java/com/openisle/dto/MakeReasonRequest.java
@@ -0,0 +1,10 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+/** Request to submit a reason (e.g., for moderation). */
+@Data
+public class MakeReasonRequest {
+    private String token;
+    private String reason;
+}
--- a/backend/src/main/java/com/openisle/dto/MedalDto.java
+++ b/backend/src/main/java/com/openisle/dto/MedalDto.java
@@ -0,0 +1,14 @@
+package com.openisle.dto;
+
+import com.openisle.model.MedalType;
+import lombok.Data;
+
+@Data
+public class MedalDto {
+    private String icon;
+    private String title;
+    private String description;
+    private MedalType type;
+    private boolean completed;
+    private boolean selected;
+}
--- a/backend/src/main/java/com/openisle/dto/MedalSelectRequest.java
+++ b/backend/src/main/java/com/openisle/dto/MedalSelectRequest.java
@@ -0,0 +1,9 @@
+package com.openisle.dto;
+
+import com.openisle.model.MedalType;
+import lombok.Data;
+
+@Data
+public class MedalSelectRequest {
+    private MedalType type;
+}
--- a/backend/src/main/java/com/openisle/dto/MilkTeaInfoDto.java
+++ b/backend/src/main/java/com/openisle/dto/MilkTeaInfoDto.java
@@ -0,0 +1,10 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+/** Info about the milk tea activity. */
+@Data
+public class MilkTeaInfoDto {
+    private long redeemCount;
+    private boolean ended;
+}
--- a/backend/src/main/java/com/openisle/dto/MilkTeaRedeemRequest.java
+++ b/backend/src/main/java/com/openisle/dto/MilkTeaRedeemRequest.java
@@ -0,0 +1,9 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+/** Request to redeem the milk tea activity. */
+@Data
+public class MilkTeaRedeemRequest {
+    private String contact;
+}
--- a/backend/src/main/java/com/openisle/dto/NotificationDto.java
+++ b/backend/src/main/java/com/openisle/dto/NotificationDto.java
@@ -0,0 +1,23 @@
+package com.openisle.dto;
+
+import com.openisle.model.NotificationType;
+import com.openisle.model.ReactionType;
+import lombok.Data;
+
+import java.time.LocalDateTime;
+
+/** DTO representing a user notification. */
+@Data
+public class NotificationDto {
+    private Long id;
+    private NotificationType type;
+    private PostSummaryDto post;
+    private CommentDto comment;
+    private CommentDto parentComment;
+    private AuthorDto fromUser;
+    private ReactionType reactionType;
+    private String content;
+    private Boolean approved;
+    private boolean read;
+    private LocalDateTime createdAt;
+}
--- a/backend/src/main/java/com/openisle/dto/NotificationMarkReadRequest.java
+++ b/backend/src/main/java/com/openisle/dto/NotificationMarkReadRequest.java
@@ -0,0 +1,11 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+import java.util.List;
+
+/** Request to mark notifications as read. */
+@Data
+public class NotificationMarkReadRequest {
+    private List<Long> ids;
+}
--- a/backend/src/main/java/com/openisle/dto/NotificationPreferenceDto.java
+++ b/backend/src/main/java/com/openisle/dto/NotificationPreferenceDto.java
@@ -0,0 +1,11 @@
+package com.openisle.dto;
+
+import com.openisle.model.NotificationType;
+import lombok.Data;
+
+/** User notification preference DTO. */
+@Data
+public class NotificationPreferenceDto {
+    private NotificationType type;
+    private boolean enabled;
+}
--- a/backend/src/main/java/com/openisle/dto/NotificationPreferenceUpdateRequest.java
+++ b/backend/src/main/java/com/openisle/dto/NotificationPreferenceUpdateRequest.java
@@ -0,0 +1,11 @@
+package com.openisle.dto;
+
+import com.openisle.model.NotificationType;
+import lombok.Data;
+
+/** Request to update a single notification preference. */
+@Data
+public class NotificationPreferenceUpdateRequest {
+    private NotificationType type;
+    private boolean enabled;
+}
--- a/backend/src/main/java/com/openisle/dto/NotificationUnreadCountDto.java
+++ b/backend/src/main/java/com/openisle/dto/NotificationUnreadCountDto.java
@@ -0,0 +1,9 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+/** DTO representing unread notification count. */
+@Data
+public class NotificationUnreadCountDto {
+    private long count;
+}
--- a/backend/src/main/java/com/openisle/dto/ParentCommentDto.java
+++ b/backend/src/main/java/com/openisle/dto/ParentCommentDto.java
@@ -0,0 +1,11 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+/** DTO representing a parent comment. */
+@Data
+public class ParentCommentDto {
+    private Long id;
+    private String author;
+    private String content;
+}
--- a/backend/src/main/java/com/openisle/dto/PioneerMedalDto.java
+++ b/backend/src/main/java/com/openisle/dto/PioneerMedalDto.java
@@ -0,0 +1,10 @@
+package com.openisle.dto;
+
+import lombok.Data;
+import lombok.EqualsAndHashCode;
+
+@Data
+@EqualsAndHashCode(callSuper = true)
+public class PioneerMedalDto extends MedalDto {
+    private long rank;
+}
--- a/backend/src/main/java/com/openisle/dto/PointGoodDto.java
+++ b/backend/src/main/java/com/openisle/dto/PointGoodDto.java
@@ -0,0 +1,12 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+/** Point mall good info. */
+@Data
+public class PointGoodDto {
+    private Long id;
+    private String name;
+    private int cost;
+    private String image;
+}
--- a/backend/src/main/java/com/openisle/dto/PointRedeemRequest.java
+++ b/backend/src/main/java/com/openisle/dto/PointRedeemRequest.java
@@ -0,0 +1,10 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+/** Request to redeem a point mall good. */
+@Data
+public class PointRedeemRequest {
+    private Long goodId;
+    private String contact;
+}
--- a/backend/src/main/java/com/openisle/dto/PostDetailDto.java
+++ b/backend/src/main/java/com/openisle/dto/PostDetailDto.java
@@ -0,0 +1,16 @@
+package com.openisle.dto;
+
+import lombok.Data;
+import lombok.EqualsAndHashCode;
+
+import java.util.List;
+
+/**
+ * Detailed DTO for a post, including comments.
+ */
+@Data
+@EqualsAndHashCode(callSuper = true)
+public class PostDetailDto extends PostSummaryDto {
+    private List<CommentDto> comments;
+}
+
--- a/backend/src/main/java/com/openisle/dto/PostMedalDto.java
+++ b/backend/src/main/java/com/openisle/dto/PostMedalDto.java
@@ -0,0 +1,11 @@
+package com.openisle.dto;
+
+import lombok.Data;
+import lombok.EqualsAndHashCode;
+
+@Data
+@EqualsAndHashCode(callSuper = true)
+public class PostMedalDto extends MedalDto {
+    private long currentPostCount;
+    private long targetPostCount;
+}
--- a/backend/src/main/java/com/openisle/dto/PostMetaDto.java
+++ b/backend/src/main/java/com/openisle/dto/PostMetaDto.java
@@ -0,0 +1,16 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+import java.time.LocalDateTime;
+
+/** Lightweight post metadata used in user profile lists. */
+@Data
+public class PostMetaDto {
+    private Long id;
+    private String title;
+    private String snippet;
+    private LocalDateTime createdAt;
+    private String category;
+    private long views;
+}
--- a/backend/src/main/java/com/openisle/dto/PostRequest.java
+++ b/backend/src/main/java/com/openisle/dto/PostRequest.java
@@ -0,0 +1,29 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+import java.time.LocalDateTime;
+import java.util.List;
+
+import com.openisle.model.PostType;
+
+/**
+ * Request body for creating or updating a post.
+ */
+@Data
+public class PostRequest {
+    private Long categoryId;
+    private String title;
+    private String content;
+    private List<Long> tagIds;
+    private String captcha;
+
+    // optional for lottery posts
+    private PostType type;
+    private String prizeDescription;
+    private String prizeIcon;
+    private Integer prizeCount;
+    private LocalDateTime startTime;
+    private LocalDateTime endTime;
+}
+
--- a/backend/src/main/java/com/openisle/dto/PostSummaryDto.java
+++ b/backend/src/main/java/com/openisle/dto/PostSummaryDto.java
@@ -0,0 +1,35 @@
+package com.openisle.dto;
+
+import com.openisle.model.PostStatus;
+import com.openisle.model.PostType;
+import lombok.Data;
+
+import java.time.LocalDateTime;
+import java.util.List;
+
+/**
+ * Lightweight DTO for listing posts without comments.
+ */
+@Data
+public class PostSummaryDto {
+    private Long id;
+    private String title;
+    private String content;
+    private LocalDateTime createdAt;
+    private AuthorDto author;
+    private CategoryDto category;
+    private List<TagDto> tags;
+    private long views;
+    private long commentCount;
+    private PostStatus status;
+    private LocalDateTime pinnedAt;
+    private LocalDateTime lastReplyAt;
+    private List<ReactionDto> reactions;
+    private List<AuthorDto> participants;
+    private boolean subscribed;
+    private int reward;
+    private int pointReward;
+    private PostType type;
+    private LotteryDto lottery;
+}
+
--- a/backend/src/main/java/com/openisle/dto/PushPublicKeyDto.java
+++ b/backend/src/main/java/com/openisle/dto/PushPublicKeyDto.java
@@ -0,0 +1,9 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+/** Public key response for web push. */
+@Data
+public class PushPublicKeyDto {
+    private String key;
+}
--- a/backend/src/main/java/com/openisle/dto/PushSubscriptionRequest.java
+++ b/backend/src/main/java/com/openisle/dto/PushSubscriptionRequest.java
@@ -0,0 +1,11 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+/** Request body for saving a push subscription. */
+@Data
+public class PushSubscriptionRequest {
+    private String endpoint;
+    private String p256dh;
+    private String auth;
+}
--- a/backend/src/main/java/com/openisle/dto/ReactionDto.java
+++ b/backend/src/main/java/com/openisle/dto/ReactionDto.java
@@ -0,0 +1,18 @@
+package com.openisle.dto;
+
+import com.openisle.model.ReactionType;
+import lombok.Data;
+
+/**
+ * DTO representing a reaction on a post or comment.
+ */
+@Data
+public class ReactionDto {
+    private Long id;
+    private ReactionType type;
+    private String user;
+    private Long postId;
+    private Long commentId;
+    private int reward;
+}
+
--- a/backend/src/main/java/com/openisle/dto/ReactionRequest.java
+++ b/backend/src/main/java/com/openisle/dto/ReactionRequest.java
@@ -0,0 +1,10 @@
+package com.openisle.dto;
+
+import com.openisle.model.ReactionType;
+import lombok.Data;
+
+/** Request for reacting to a post or comment. */
+@Data
+public class ReactionRequest {
+    private ReactionType type;
+}
--- a/backend/src/main/java/com/openisle/dto/RegisterRequest.java
+++ b/backend/src/main/java/com/openisle/dto/RegisterRequest.java
@@ -0,0 +1,13 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+/** Request to register a new user. */
+@Data
+public class RegisterRequest {
+    private String username;
+    private String email;
+    private String password;
+    private String captcha;
+    private String inviteToken;
+}
--- a/backend/src/main/java/com/openisle/dto/ResetPasswordRequest.java
+++ b/backend/src/main/java/com/openisle/dto/ResetPasswordRequest.java
@@ -0,0 +1,10 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+/** Request to reset password. */
+@Data
+public class ResetPasswordRequest {
+    private String token;
+    private String password;
+}
--- a/backend/src/main/java/com/openisle/dto/SearchResultDto.java
+++ b/backend/src/main/java/com/openisle/dto/SearchResultDto.java
@@ -0,0 +1,14 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+/** DTO representing a search result entry. */
+@Data
+public class SearchResultDto {
+    private String type;
+    private Long id;
+    private String text;
+    private String subText;
+    private String extra;
+    private Long postId;
+}
--- a/backend/src/main/java/com/openisle/dto/SeedUserMedalDto.java
+++ b/backend/src/main/java/com/openisle/dto/SeedUserMedalDto.java
@@ -0,0 +1,11 @@
+package com.openisle.dto;
+
+import java.time.LocalDateTime;
+import lombok.Data;
+import lombok.EqualsAndHashCode;
+
+@Data
+@EqualsAndHashCode(callSuper = true)
+public class SeedUserMedalDto extends MedalDto {
+    private LocalDateTime registerDate;
+}
--- a/backend/src/main/java/com/openisle/dto/SiteConfigDto.java
+++ b/backend/src/main/java/com/openisle/dto/SiteConfigDto.java
@@ -0,0 +1,16 @@
+package com.openisle.dto;
+
+import com.openisle.model.RegisterMode;
+import lombok.Data;
+
+/** Public site configuration values. */
+@Data
+public class SiteConfigDto {
+    private boolean captchaEnabled;
+    private boolean registerCaptchaEnabled;
+    private boolean loginCaptchaEnabled;
+    private boolean postCaptchaEnabled;
+    private boolean commentCaptchaEnabled;
+    private int aiFormatLimit;
+    private RegisterMode registerMode;
+}
--- a/backend/src/main/java/com/openisle/dto/TagDto.java
+++ b/backend/src/main/java/com/openisle/dto/TagDto.java
@@ -0,0 +1,20 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+import java.time.LocalDateTime;
+
+/**
+ * DTO representing a tag.
+ */
+@Data
+public class TagDto {
+    private Long id;
+    private String name;
+    private String description;
+    private String icon;
+    private String smallIcon;
+    private LocalDateTime createdAt;
+    private Long count;
+}
+
--- a/backend/src/main/java/com/openisle/dto/TagRequest.java
+++ b/backend/src/main/java/com/openisle/dto/TagRequest.java
@@ -0,0 +1,12 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+/** Request body for creating or updating a tag. */
+@Data
+public class TagRequest {
+    private String name;
+    private String description;
+    private String icon;
+    private String smallIcon;
+}
--- a/backend/src/main/java/com/openisle/dto/TwitterLoginRequest.java
+++ b/backend/src/main/java/com/openisle/dto/TwitterLoginRequest.java
@@ -0,0 +1,12 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+/** Request for Twitter OAuth login. */
+@Data
+public class TwitterLoginRequest {
+    private String code;
+    private String redirectUri;
+    private String codeVerifier;
+    private String inviteToken;
+}
--- a/backend/src/main/java/com/openisle/dto/UpdateProfileDto.java
+++ b/backend/src/main/java/com/openisle/dto/UpdateProfileDto.java
@@ -0,0 +1,10 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+/** Request body for updating user profile. */
+@Data
+public class UpdateProfileDto {
+    private String username;
+    private String introduction;
+}
--- a/backend/src/main/java/com/openisle/dto/UserAggregateDto.java
+++ b/backend/src/main/java/com/openisle/dto/UserAggregateDto.java
@@ -0,0 +1,13 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+import java.util.List;
+
+/** Aggregated user data including posts and replies. */
+@Data
+public class UserAggregateDto {
+    private UserDto user;
+    private List<PostMetaDto> posts;
+    private List<CommentInfoDto> replies;
+}
--- a/backend/src/main/java/com/openisle/dto/UserDto.java
+++ b/backend/src/main/java/com/openisle/dto/UserDto.java
@@ -0,0 +1,31 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+import java.time.LocalDateTime;
+
+/** Detailed user information. */
+@Data
+public class UserDto {
+    private Long id;
+    private String username;
+    private String email;
+    private String avatar;
+    private String role;
+    private String introduction;
+    private long followers;
+    private long following;
+    private LocalDateTime createdAt;
+    private LocalDateTime lastPostTime;
+    private LocalDateTime lastCommentTime;
+    private long totalViews;
+    private long visitedDays;
+    private long readPosts;
+    private long likesSent;
+    private long likesReceived;
+    private boolean subscribed;
+    private int experience;
+    private int point;
+    private int currentLevel;
+    private int nextLevelExp;
+}
--- a/backend/src/main/java/com/openisle/dto/VerifyForgotRequest.java
+++ b/backend/src/main/java/com/openisle/dto/VerifyForgotRequest.java
@@ -0,0 +1,10 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+/** Request to verify a forgot password code. */
+@Data
+public class VerifyForgotRequest {
+    private String email;
+    private String code;
+}
--- a/backend/src/main/java/com/openisle/dto/VerifyRequest.java
+++ b/backend/src/main/java/com/openisle/dto/VerifyRequest.java
@@ -0,0 +1,10 @@
+package com.openisle.dto;
+
+import lombok.Data;
+
+/** Request to verify a user registration. */
+@Data
+public class VerifyRequest {
+    private String username;
+    private String code;
+}
--- a/backend/src/main/java/com/openisle/exception/FieldException.java
+++ b/backend/src/main/java/com/openisle/exception/FieldException.java
--- a/backend/src/main/java/com/openisle/exception/NotFoundException.java
+++ b/backend/src/main/java/com/openisle/exception/NotFoundException.java
--- a/backend/src/main/java/com/openisle/exception/RateLimitException.java
+++ b/backend/src/main/java/com/openisle/exception/RateLimitException.java
@@ -0,0 +1,10 @@
+package com.openisle.exception;
+
+/**
+ * Exception thrown when a user exceeds allowed action rate.
+ */
+public class RateLimitException extends RuntimeException {
+    public RateLimitException(String message) {
+        super(message);
+    }
+}
--- a/Show More
+++ b/Show More