diff --git a/.gitignore b/.gitignore
index a683cefa..15ddae57 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@ config.yaml
 */*_modules/
 .coverage
 .cache
+docker-compose.yml
diff --git a/.travis.yml b/.travis.yml
index 0e675329..9c249186 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -9,24 +9,30 @@ matrix:
   include:
     - language: python
       python:
-        - "3.5"
+        - "3.6"
       before_install:
         - sudo apt-get -y install software-properties-common
         - sudo add-apt-repository -y ppa:mc3man/trusty-media
         - sudo apt-get update
         - sudo apt-get -y --allow-unauthenticated install ffmpeg
-        - cp config.yaml.dist config.yaml
-        - sed -i -e 's/^database:$/database:\ postgres:\/\/szuru:dog@localhost:5432\/szuru_test/' config.yaml
         - sudo -i -u postgres createuser szuru -D -R -S
         - sudo -i -u postgres createdb szuru_test
         - sudo -i -u postgres psql -c "ALTER USER szuru PASSWORD 'dog';"
-        - sed -i -e 's/^api_url:/api_url:\ http:\/\/localhost\/api\//' config.yaml
-        - sed -i -e 's/^base_url:/base_url:\ http:\/\/localhost\//' config.yaml
-        - sed -i -e 's/^data_url:/data_url:\ http:\/\/localhost\/data\//' config.yaml
-        - sed -i -e 's/^data_dir:/data_dir:\ \/data\//' config.yaml
-      install:
         - cd server
+        - cp config.yaml.dist ../config.yaml.dist
+        - cp config.yaml.dist ../config.yaml
+        - sed -i -e 's/^#debug:/debug:/' ../config.yaml
+        - sed -i -e 's/^#show_sql:/show_sql:/' ../config.yaml
+        - sed -i -e 's/^#data_url:/data_url:/' ../config.yaml
+        - sed -i -e 's/^#data_dir:/data_dir:/' ../config.yaml
+        - sed -i -e 's/^#database:$/database:\ postgres:\/\/szuru:dog@localhost:5432\/szuru_test/' ../config.yaml
+        - sed -i -e 's/^#elasticsearch:/elasticsearch:/' ../config.yaml
+        - sed -i -e 's/^#    /    /' ../config.yaml
+      install:
         - pip install -r requirements.txt
+        - pip install -r dev-requirements.txt
       script:
+        - pycodestyle wait-for-es generate-thumb szurubooru/
+        - ./wait-for-es
         - alembic upgrade head
         - py.test
diff --git a/API.md b/API.md
index b060e92c..c23f0454 100644
--- a/API.md
+++ b/API.md
@@ -7,6 +7,7 @@
 1. [General rules](#general-rules)
 
    - [Authentication](#authentication)
+   - [User token authentication](#user-token-authentication)
    - [Basic requests](#basic-requests)
    - [File uploads](#file-uploads)
    - [Error handling](#error-handling)
@@ -56,6 +57,11 @@
         - [Updating user](#updating-user)
         - [Getting user](#getting-user)
         - [Deleting user](#deleting-user)
+    - User Tokens
+        - [Listing user tokens](#listing-user-tokens)
+        - [Creating user token](#creating-user-token)
+        - [Updating user token](#updating-user-token)
+        - [Deleting user token](#deleting-user-token)
     - Password reset
         - [Password reset - step 1: mail request](#password-reset---step-2-confirmation)
         - [Password reset - step 2: confirmation](#password-reset---step-2-confirmation)
@@ -70,8 +76,10 @@
 
    - [User](#user)
    - [Micro user](#micro-user)
+   - [User token](#user-token)
    - [Tag category](#tag-category)
    - [Tag](#tag)
+   - [Micro tag](#micro-tag)
    - [Post](#post)
    - [Micro post](#micro-post)
    - [Note](#note)
@@ -90,7 +98,8 @@
 ## Authentication
 
 Authentication is achieved by means of [basic HTTP
-auth](https://en.wikipedia.org/wiki/Basic_access_authentication). For this
+auth](https://en.wikipedia.org/wiki/Basic_access_authentication) or through the
+use of [user token authentication](#user-token-authentication). For this
 reason, it is recommended to connect through HTTPS. There are no sessions, so
 every privileged request must be authenticated. Available privileges depend on
 the user's rank. The way how rank translates to privileges is defined in the
@@ -100,6 +109,24 @@ It is recommended to add `?bump-login` GET parameter to the first request in a
 client "session" (where the definition of a session is up to the client), so
 that the user's last login time is kept up to date.
 
+## User token authentication
+
+User token authentication works similarly to [basic HTTP
+auth](https://en.wikipedia.org/wiki/Basic_access_authentication). Because it
+operates similarly to ***basic HTTP auth*** it is still recommended to connect
+through HTTPS. The authorization header uses the type of `Token` and the
+username and token are encoded as Base64 and sent as the second parameter.
+
+Example header for user1:token-is-more-secure
+```
+Authorization: Token dXNlcjE6dG9rZW4taXMtbW9yZS1zZWN1cmU=
+```
+
+The benefit of token authentication is that beyond the initial login to acquire
+the first token, there is no need to transmit the user password in plaintext
+via basic auth. Additionally tokens can be revoked at anytime allowing a
+cleaner interface for isolating clients from user credentials.
+
 ## Basic requests
 
 Every request must use `Content-Type: application/json` and `Accept:
@@ -254,12 +281,6 @@ data.
 
     Lists all tag categories. Doesn't use paging.
 
-    **Note**: independently, the server exports current tag category list
-    snapshots to the data directory under `tags.json` name. Its purpose is to
-    reduce the trips frontend needs to make when doing autocompletion, and ease
-    caching. The data directory and its URL are controlled with `data_dir` and
-    `data_url` variables in server's configuration.
-
 ## Creating tag category
 - **Request**
 
@@ -404,7 +425,7 @@ data.
 ## Listing tags
 - **Request**
 
-    `GET /tags/?page=<page>&pageSize=<page-size>&query=<query>`
+    `GET /tags/?offset=<initial-pos>&limit=<page-size>&query=<query>`
 
 - **Output**
 
@@ -419,33 +440,27 @@ data.
 
     Searches for tags.
 
-    **Note**: independently, the server exports current tag list snapshots to
-    the data directory under `tags.json` name. Its purpose is to reduce the
-    trips frontend needs to make when doing autocompletion, and ease caching.
-    The data directory and its URL are controlled with `data_dir` and
-    `data_url` variables in server's configuration.
-
     **Anonymous tokens**
 
     Same as `name` token.
 
     **Named tokens**
 
-    | `<key>`             | Description                           |
-    | ------------------- | ------------------------------------- |
-    | `name`              | having given name (accepts wildcards) |
-    | `category`          | having given category                 |
-    | `creation-date`     | created at given date                 |
-    | `creation-time`     | alias of `creation-date`              |
-    | `last-edit-date`    | edited at given date                  |
-    | `last-edit-time`    | alias of `last-edit-date`             |
-    | `edit-date`         | alias of `last-edit-date`             |
-    | `edit-time`         | alias of `last-edit-date`             |
-    | `usages`            | used in given number of posts         |
-    | `usage-count`       | alias of `usages`                     |
-    | `post-count`        | alias of `usages`                     |
-    | `suggestion-count`  | with given number of suggestions      |
-    | `implication-count` | with given number of implications     |
+    | `<key>`             | Description                               |
+    | ------------------- | ----------------------------------------- |
+    | `name`              | having given name (accepts wildcards)     |
+    | `category`          | having given category (accepts wildcards) |
+    | `creation-date`     | created at given date                     |
+    | `creation-time`     | alias of `creation-date`                  |
+    | `last-edit-date`    | edited at given date                      |
+    | `last-edit-time`    | alias of `last-edit-date`                 |
+    | `edit-date`         | alias of `last-edit-date`                 |
+    | `edit-time`         | alias of `last-edit-date`                 |
+    | `usages`            | used in given number of posts             |
+    | `usage-count`       | alias of `usages`                         |
+    | `post-count`        | alias of `usages`                         |
+    | `suggestion-count`  | with given number of suggestions          |
+    | `implication-count` | with given number of implications         |
 
     **Sort style tokens**
 
@@ -675,7 +690,7 @@ data.
 ## Listing posts
 - **Request**
 
-    `GET /posts/?page=<page>&pageSize=<page-size>&query=<query>`
+    `GET /posts/?offset=<initial-pos>&limit=<page-size>&query=<query>`
 
 - **Output**
 
@@ -696,47 +711,52 @@ data.
 
     **Named tokens**
 
-    | `<key>`            | Description                                                |
-    | ------------------ | ---------------------------------------------------------- |
-    | `id`               | having given post number                                   |
-    | `tag`              | having given tag                                           |
-    | `score`            | having given score                                         |
-    | `uploader`         | uploaded by given user                                     |
-    | `upload`           | alias of upload                                            |
-    | `submit`           | alias of upload                                            |
-    | `comment`          | commented by given user                                    |
-    | `fav`              | favorited by given user                                    |
-    | `tag-count`        | having given number of tags                                |
-    | `comment-count`    | having given number of comments                            |
-    | `fav-count`        | favorited by given number of users                         |
-    | `note-count`       | having given number of annotations                         |
-    | `relation-count`   | having given number of relations                           |
-    | `feature-count`    | having been featured given number of times                 |
-    | `type`             | given type of posts. `<value>` can be either `image`, `animation` (or `animated` or `anim`), `flash` (or `swf`) or `video` (or `webm`). |
-    | `content-checksum` | having given SHA1 checksum                                 |
-    | `file-size`        | having given file size (in bytes)                          |
-    | `image-width`      | having given image width (where applicable)                |
-    | `image-height`     | having given image height (where applicable)               |
-    | `image-area`       | having given number of pixels (image width * image height) |
-    | `width`            | alias of `image-width`                                     |
-    | `height`           | alias of `image-height`                                    |
-    | `area`             | alias of `image-area`                                      |
-    | `creation-date`    | posted at given date                                       |
-    | `creation-time`    | alias of `creation-date`                                   |
-    | `date`             | alias of `creation-date`                                   |
-    | `time`             | alias of `creation-date`                                   |
-    | `last-edit-date`   | edited at given date                                       |
-    | `last-edit-time`   | alias of `last-edit-date`                                  |
-    | `edit-date`        | alias of `last-edit-date`                                  |
-    | `edit-time`        | alias of `last-edit-date`                                  |
-    | `comment-date`     | commented at given date                                    |
-    | `comment-time`     | alias of `comment-date`                                    |
-    | `fav-date`         | last favorited at given date                               |
-    | `fav-time`         | alias of `fav-date`                                        |
-    | `feature-date`     | featured at given date                                     |
-    | `feature-time`     | alias of `feature-time`                                    |
-    | `safety`           | having given safety. `<value>` can be either `safe`, `sketchy` (or `questionable`) or `unsafe`. |
-    | `rating`           | alias of `safety`                                          |
+    | `<key>`              | Description                                                                                                                             |
+    | -------------------- | ----------------------------------------------------------                                                                              |
+    | `id`                 | having given post number                                                                                                                |
+    | `tag`                | having given tag (accepts wildcards)                                                                                                    |
+    | `score`              | having given score                                                                                                                      |
+    | `uploader`           | uploaded by given user (accepts wildcards)                                                                                              |
+    | `upload`             | alias of upload                                                                                                                         |
+    | `submit`             | alias of upload                                                                                                                         |
+    | `comment`            | commented by given user (accepts wildcards)                                                                                             |
+    | `fav`                | favorited by given user (accepts wildcards)                                                                                             |
+    | `tag-count`          | having given number of tags                                                                                                             |
+    | `comment-count`      | having given number of comments                                                                                                         |
+    | `fav-count`          | favorited by given number of users                                                                                                      |
+    | `note-count`         | having given number of annotations                                                                                                      |
+    | `note-text`          | having given note text (accepts wildcards)                                                                                              |
+    | `relation-count`     | having given number of relations                                                                                                        |
+    | `feature-count`      | having been featured given number of times                                                                                              |
+    | `type`               | given type of posts. `<value>` can be either `image`, `animation` (or `animated` or `anim`), `flash` (or `swf`) or `video` (or `webm`). |
+    | `content-checksum`   | having given SHA1 checksum                                                                                                              |
+    | `file-size`          | having given file size (in bytes)                                                                                                       |
+    | `image-width`        | having given image width (where applicable)                                                                                             |
+    | `image-height`       | having given image height (where applicable)                                                                                            |
+    | `image-area`         | having given number of pixels (image width * image height)                                                                              |
+    | `image-aspect-ratio` | having given aspect ratio (image width / image height)                                                                                  |
+    | `image-ar`           | alias of `image-aspect-ratio`                                                                                                           |
+    | `width`              | alias of `image-width`                                                                                                                  |
+    | `height`             | alias of `image-height`                                                                                                                 |
+    | `area`               | alias of `image-area`                                                                                                                   |
+    | `ar`                 | alias of `image-aspect-ratio`                                                                                                           |
+    | `aspect-ratio`       | alias of `image-aspect-ratio`                                                                                                           |
+    | `creation-date`      | posted at given date                                                                                                                    |
+    | `creation-time`      | alias of `creation-date`                                                                                                                |
+    | `date`               | alias of `creation-date`                                                                                                                |
+    | `time`               | alias of `creation-date`                                                                                                                |
+    | `last-edit-date`     | edited at given date                                                                                                                    |
+    | `last-edit-time`     | alias of `last-edit-date`                                                                                                               |
+    | `edit-date`          | alias of `last-edit-date`                                                                                                               |
+    | `edit-time`          | alias of `last-edit-date`                                                                                                               |
+    | `comment-date`       | commented at given date                                                                                                                 |
+    | `comment-time`       | alias of `comment-date`                                                                                                                 |
+    | `fav-date`           | last favorited at given date                                                                                                            |
+    | `fav-time`           | alias of `fav-date`                                                                                                                     |
+    | `feature-date`       | featured at given date                                                                                                                  |
+    | `feature-time`       | alias of `feature-time`                                                                                                                 |
+    | `safety`             | having given safety. `<value>` can be either `safe`, `sketchy` (or `questionable`) or `unsafe`.                                         |
+    | `rating`             | alias of `safety`                                                                                                                       |
 
     **Sort style tokens**
 
@@ -1097,7 +1117,7 @@ data.
 ## Listing comments
 - **Request**
 
-    `GET /comments/?page=<page>&pageSize=<page-size>&query=<query>`
+    `GET /comments/?offset=<initial-pos>&limit=<page-size>&query=<query>`
 
 - **Output**
 
@@ -1286,7 +1306,7 @@ data.
 ## Listing users
 - **Request**
 
-    `GET /users/?page=<page>&pageSize=<page-size>&query=<query>`
+    `GET /users/?offset=<initial-pos>&limit=<page-size>&query=<query>`
 
 - **Output**
 
@@ -1475,6 +1495,112 @@ data.
 
     Deletes existing user.
 
+## Listing user tokens
+- **Request**
+
+    `GET /user-tokens/<user_name>`
+
+- **Output**
+
+    An [unpaged search result resource](#unpaged-search-result), for which
+    `<resource>` is a [user token resource](#user-token).
+
+- **Errors**
+
+    - privileges are too low
+
+- **Description**
+
+    Searches for user tokens for the given user.
+
+## Creating user token
+- **Request**
+
+    `POST /user-token/<user_name>`
+
+- **Input**
+
+    ```json5
+    {
+        "enabled":        <enabled>,        // optional
+        "note":           <note>,           // optional
+        "expirationTime": <expiration-time> // optional
+    }
+    ```
+
+- **Output**
+
+    A [user token resource](#user-token).
+
+- **Errors**
+
+    - privileges are too low
+
+- **Description**
+
+    Creates a new user token that can be used for authentication of API
+    endpoints instead of a password.
+
+## Updating user token
+- **Request**
+
+    `PUT /user-token/<user_name>/<token>`
+
+- **Input**
+
+    ```json5
+    {
+        "version":        <version>,
+        "enabled":        <enabled>,        // optional
+        "note":           <note>,           // optional
+        "expirationTime": <expiration-time> // optional
+    }
+    ```
+
+- **Output**
+
+    A [user token resource](#user-token).
+
+- **Errors**
+
+    - the version is outdated
+    - the user token does not exist
+    - privileges are too low
+
+- **Description**
+
+    Updates an existing user token using specified parameters. All fields
+    except the [`version`](#versioning) are optional - update concerns only
+    provided fields.
+
+## Deleting user token
+- **Request**
+
+    `DELETE /user-token/<user_name>/<token>`
+
+- **Input**
+
+    ```json5
+    {
+        "version": <version>
+    }
+    ```
+
+- **Output**
+
+    ```json5
+    {}
+    ```
+
+- **Errors**
+
+    - the token does not exist
+    - privileges are too low
+
+- **Description**
+
+    Deletes existing user token.
+
 ## Password reset - step 1: mail request
 - **Request**
 
@@ -1534,7 +1660,7 @@ data.
 ## Listing snapshots
 - **Request**
 
-    `GET /snapshots/?page=<page>&pageSize=<page-size>&query=<query>`
+    `GET /snapshots/?offset=<initial-pos>&limit=<page-size>&query=<query>`
 
 - **Output**
 
@@ -1555,14 +1681,14 @@ data.
 
     **Named tokens**
 
-    | `<key>`           | Description                                   |
-    | ----------------- | --------------------------------------------- |
-    | `type`            | involving given resource type                 |
-    | `id`              | involving given resource id                   |
-    | `date`            | created at given date                         |
-    | `time`            | alias of `date`                               |
-    | `operation`       | `modified`, `created`, `deleted` or `merged`  |
-    | `user`            | name of the user that created given snapshot  |
+    | `<key>`           | Description                                                      |
+    | ----------------- | ---------------------------------------------------------------- |
+    | `type`            | involving given resource type                                    |
+    | `id`              | involving given resource id                                      |
+    | `date`            | created at given date                                            |
+    | `time`            | alias of `date`                                                  |
+    | `operation`       | `modified`, `created`, `deleted` or `merged`                     |
+    | `user`            | name of the user that created given snapshot (accepts wildcards) |
 
     **Sort style tokens**
 
@@ -1707,6 +1833,38 @@ A single user.
 
 A [user resource](#user) stripped down to `name` and `avatarUrl` fields.
 
+## User token
+**Description**
+
+A single user token.
+
+**Structure**
+
+```json5
+{
+    "user":           <user>,
+    "token":          <token>,
+    "note":           <token>,
+    "enabled":        <enabled>,
+    "expirationTime": <expiration-time>,
+    "version":        <version>,
+    "creationTime":   <creation-time>,
+    "lastEditTime":   <last-edit-time>,
+    "lastUsageTime":  <last-usage-time>
+}
+```
+
+**Field meaning**
+- `<user>`: micro user. See [micro user](#micro-user).
+- `<token>`: the token that can be used to authenticate the user.
+- `<note>`: a note that describes the token.
+- `<enabled>`: whether the token is still valid for authentication.
+- `<expiration-time>`: time when the token expires. It must include the timezone as per RFC 3339.
+- `<version>`: resource version. See [versioning](#versioning).
+- `<creation-time>`: time the user token was created, formatted as per RFC 3339.
+- `<last-edit-time>`: time the user token was edited, formatted as per RFC 3339.
+- `<last-usage-time>`: the last time this token was used during a login involving `?bump-login`, formatted as per RFC 3339.
+
 ## Tag category
 **Description**
 
@@ -1761,16 +1919,23 @@ A single tag. Tags are used to let users search for posts.
 - `<names>`: a list of tag names (aliases). Tagging a post with any name will
   automatically assign the first name from this list.
 - `<category>`: the name of the category the given tag belongs to.
-- `<implications>`: a list of implied tag names. Implied tags are automatically
-  appended by the web client on usage.
-- `<suggestions>`: a list of suggested tag names. Suggested tags are shown to
-  the user by the web client on usage.
+- `<implications>`: a list of implied tags, serialized as [micro
+  tag resource](#micro-tag). Implied tags are automatically appended by the web
+  client on usage.
+- `<suggestions>`: a list of suggested tags, serialized as [micro
+  tag resource](#micro-tag). Suggested tags are shown to the user by the web
+  client on usage.
 - `<creation-time>`: time the tag was created, formatted as per RFC 3339.
 - `<last-edit-time>`: time the tag was edited, formatted as per RFC 3339.
 - `<usage-count>`: the number of posts the tag was used in.
 - `<description>`: the tag description (instructions how to use, history etc.)
   The client should render is as Markdown.
 
+## Micro tag
+**Description**
+
+A [tag resource](#tag) stripped down to `names`, `category` and `usages` fields.
+
 ## Post
 **Description**
 
@@ -1809,12 +1974,12 @@ One file together with its metadata posted to the site.
     "lastFeatureTime":    <last-feature-time>,
     "favoritedBy":        <favorited-by>,
     "hasCustomThumbnail": <has-custom-thumbnail>,
-    "mimeType":           <mime-type>
-    "comments": {
+    "mimeType":           <mime-type>,
+    "comments": [
         <comment>,
         <comment>,
         <comment>
-    }
+    ]
 }
 ```
 
@@ -1851,7 +2016,8 @@ One file together with its metadata posted to the site.
 - `<thumbnail-url>`: where the post thumbnail is located.
 - `<flags>`: various flags such as whether the post is looped, represented as
   array of plain strings.
-- `<tags>`: list of tag names the post is tagged with.
+- `<tags>`: list of tags the post is tagged with, serialized as [micro
+  tag resource](#micro-tag).
 - `<relations>`: a list of related posts, serialized as [micro post
   resources](#micro-post). Links to related posts are shown
   to the user by the web client.
@@ -2161,9 +2327,9 @@ A result of search operation that involves paging.
 
 ```json5
 {
-    "query":    <query>, // same as in input
-    "page":     <page>,  // same as in input
-    "pageSize": <page-size>,
+    "query":    <query>,  // same as in input
+    "offset":   <offset>, // same as in input
+    "limit":    <page-size>,
     "total":    <total-count>,
     "results": [
         <resource>,
@@ -2176,7 +2342,7 @@ A result of search operation that involves paging.
 **Field meaning**
 - `<query>`: the query passed in the original request that contains standard
   [search query](#search).
-- `<page>`: the page number, passed in the original request.
+- `<offset>`: the record starting offset, passed in the original request.
 - `<page-size>`: number of records on one page.
 - `<total-count>`: how many resources were found. To get the page count, divide
   this number by `<page-size>`.
@@ -2253,6 +2419,9 @@ Date/time values can be of following form:
 
 Some fields, such as user names, can take wildcards (`*`).
 
+You can escape special characters such as `:` and `-` by prepending them with a
+backslash: `\\`.
+
 **Example**
 
 Searching for posts with following query:
@@ -2261,3 +2430,8 @@ Searching for posts with following query:
 
 will show flash files tagged as sea, that were liked by seven people at most,
 uploaded by user Pirate.
+
+Searching for posts with `re:zero` will show an error message about unknown
+named token.
+
+Searching for posts with `re\:zero` will show posts tagged with `re:zero`.
diff --git a/INSTALL-OLD.md b/INSTALL-OLD.md
new file mode 100644
index 00000000..f67796b2
--- /dev/null
+++ b/INSTALL-OLD.md
@@ -0,0 +1,212 @@
+**This installation guide is deprecated and might be out
+of date! It is recommended that you deploy using
+[Docker](https://github.com/rr-/szurubooru/blob/master/INSTALL.md)
+instead.**
+
+This guide assumes Arch Linux. Although exact instructions for other
+distributions are different, the steps stay roughly the same.
+
+### Installing hard dependencies
+
+```console
+user@host:~$ sudo pacman -S postgresql
+user@host:~$ sudo pacman -S python
+user@host:~$ sudo pacman -S python-pip
+user@host:~$ sudo pacman -S ffmpeg
+user@host:~$ sudo pacman -S npm
+user@host:~$ sudo pacman -S elasticsearch
+user@host:~$ sudo pip install virtualenv
+user@host:~$ python --version
+Python 3.5.1
+```
+
+The reason `ffmpeg` is used over, say, `ImageMagick` or even `PIL` is because of
+Flash and video posts.
+
+
+
+### Setting up a database
+
+First, basic `postgres` configuration:
+
+```console
+user@host:~$ sudo -i -u postgres initdb --locale en_US.UTF-8 -E UTF8 -D /var/lib/postgres/data
+user@host:~$ sudo systemctl start postgresql
+user@host:~$ sudo systemctl enable postgresql
+```
+
+Then creating a database:
+
+```console
+user@host:~$ sudo -i -u postgres createuser --interactive
+Enter name of role to add: szuru
+Shall the new role be a superuser? (y/n) n
+Shall the new role be allowed to create databases? (y/n) n
+Shall the new role be allowed to create more new roles? (y/n) n
+user@host:~$ sudo -i -u postgres createdb szuru
+user@host:~$ sudo -i -u postgres psql -c "ALTER USER szuru PASSWORD 'dog';"
+```
+
+
+
+### Setting up elasticsearch
+
+```console
+user@host:~$ sudo systemctl start elasticsearch
+user@host:~$ sudo systemctl enable elasticsearch
+```
+
+### Preparing environment
+
+Getting `szurubooru`:
+
+```console
+user@host:~$ git clone https://github.com/rr-/szurubooru.git szuru
+user@host:~$ cd szuru
+```
+
+Installing frontend dependencies:
+
+```console
+user@host:szuru$ cd client
+user@host:szuru/client$ npm install
+```
+
+`npm` sandboxes dependencies by default, i.e. installs them to
+`./node_modules`. This is good, because it avoids polluting the system with the
+project's dependencies. To make Python work the same way, we'll use
+`virtualenv`. Installing backend dependencies with `virtualenv` looks like
+this:
+
+```console
+user@host:szuru/client$ cd ../server
+user@host:szuru/server$ virtualenv python_modules # consistent with node_modules
+user@host:szuru/server$ source python_modules/bin/activate # enters the sandbox
+(python_modules) user@host:szuru/server$ pip install -r requirements.txt # installs the dependencies
+```
+
+
+
+### Preparing `szurubooru` for first run
+
+1. Compile the frontend:
+
+    ```console
+    user@host:szuru$ cd client
+    user@host:szuru/client$ node build.js
+    ```
+
+    You can include the flags `--no-transpile` to disable the JavaScript
+    transpiler, which provides compatibility with older browsers, and
+    `--debug` to generate JS source mappings.
+
+2. Configure things:
+
+    ```console
+    user@host:szuru/client$ cd ..
+    user@host:szuru$ mv server/config.yaml.dist .
+    user@host:szuru$ cp config.yaml.dist config.yaml
+    user@host:szuru$ vim config.yaml
+    ```
+
+    Pay extra attention to these fields:
+
+    - data directory,
+    - data URL,
+    - database,
+    - the `smtp` section.
+
+3. Upgrade the database:
+
+    ```console
+    user@host:szuru/client$ cd ../server
+    user@host:szuru/server$ source python_modules/bin/activate
+    (python_modules) user@host:szuru/server$ alembic upgrade head
+    ```
+
+    `alembic` should have been installed during installation of `szurubooru`'s
+    dependencies.
+
+4. Run the tests:
+
+    ```console
+    (python_modules) user@host:szuru/server$ pytest
+    ```
+
+It is recommended to rebuild the frontend after each change to configuration.
+
+
+
+### Wiring `szurubooru` to the web server
+
+`szurubooru` is divided into two parts: public static files, and the API. It
+tries not to impose any networking configurations on the user, so it is the
+user's responsibility to wire these to their web server.
+
+The static files are located in the `client/public/data` directory and are
+meant to be exposed directly to the end users.
+
+The API should be exposed using WSGI server such as `waitress`, `gunicorn` or
+similar. Other configurations might be possible but I didn't pursue them.
+
+API calls are made to the relative URL `/api/`. Your HTTP server should be
+configured to proxy this URL format to the WSGI server. Some users may prefer
+to use a dedicated reverse proxy for this, to incorporate additional features
+such as load balancing and SSL.
+
+Note that the API URL in the virtual host configuration needs to be the same as
+the one in the `config.yaml`, so that client knows how to access the backend!
+
+#### Example
+
+In this example:
+
+- The booru is accessed from `http://example.com/`
+- The API is accessed from `http://example.com/api`
+- The API server listens locally on port 6666, and is proxied by nginx
+- The static files are served from `/srv/www/booru/client/public/data`
+
+**nginx configuration**:
+
+```nginx
+server {
+    listen 80;
+    server_name example.com;
+
+    location ~ ^/api$ {
+        return 302 /api/;
+    }
+    location ~ ^/api/(.*)$ {
+        if ($request_uri ~* "/api/(.*)") { # preserve PATH_INFO as-is
+            proxy_pass http://127.0.0.1:6666/$1;
+        }
+    }
+    location / {
+        root /srv/www/booru/client/public;
+        try_files $uri /index.htm;
+    }
+}
+```
+
+**`config.yaml`**:
+
+```yaml
+data_url: 'http://example.com/data/'
+data_dir: '/srv/www/booru/client/public/data'
+```
+
+To run the server using `waitress`:
+
+```console
+user@host:szuru/server$ source python_modules/bin/activate
+(python_modules) user@host:szuru/server$ pip install waitress
+(python_modules) user@host:szuru/server$ waitress-serve --port 6666 szurubooru.facade:app
+```
+
+or `gunicorn`:
+
+```console
+user@host:szuru/server$ source python_modules/bin/activate
+(python_modules) user@host:szuru/server$ pip install gunicorn
+(python_modules) user@host:szuru/server$ gunicorn szurubooru.facade:app -b 127.0.0.1:6666
+```
diff --git a/INSTALL.md b/INSTALL.md
index c4ccdcc3..b67dd25f 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -1,187 +1,64 @@
-This guide assumes Arch Linux. Although exact instructions for other
-distributions are different, the steps stay roughly the same.
+This assumes that you have Docker and Docker Compose already installed.
 
-### Installing hard dependencies
+### Prepare things
 
-```console
-user@host:~$ sudo pacman -S postgresql
-user@host:~$ sudo pacman -S python
-user@host:~$ sudo pacman -S python-pip
-user@host:~$ sudo pacman -S ffmpeg
-user@host:~$ sudo pacman -S npm
-user@host:~$ sudo pacman -S elasticsearch
-user@host:~$ sudo pip install virtualenv
-user@host:~$ python --version
-Python 3.5.1
-```
-
-The reason `ffmpeg` is used over, say, `ImageMagick` or even `PIL` is because of
-Flash and video posts.
-
-
-
-### Setting up a database
-
-First, basic `postgres` configuration:
-
-```console
-user@host:~$ sudo -i -u postgres initdb --locale en_US.UTF-8 -E UTF8 -D /var/lib/postgres/data
-user@host:~$ sudo systemctl start postgresql
-user@host:~$ sudo systemctl enable postgresql
-```
-
-Then creating a database:
-
-```console
-user@host:~$ sudo -i -u postgres createuser --interactive
-Enter name of role to add: szuru
-Shall the new role be a superuser? (y/n) n
-Shall the new role be allowed to create databases? (y/n) n
-Shall the new role be allowed to create more new roles? (y/n) n
-user@host:~$ sudo -i -u postgres createdb szuru
-user@host:~$ sudo -i -u postgres psql -c "ALTER USER szuru PASSWORD 'dog';"
-```
-
-
-
-### Setting up elasticsearch
-
-```console
-user@host:~$ sudo systemctl start elasticsearch
-user@host:~$ sudo systemctl enable elasticsearch
-```
-
-### Preparing environment
-
-Getting `szurubooru`:
-
-```console
-user@host:~$ git clone https://github.com/rr-/szurubooru.git szuru
-user@host:~$ cd szuru
-```
-
-Installing frontend dependencies:
-
-```console
-user@host:szuru$ cd client
-user@host:szuru/client$ npm install
-```
-
-`npm` sandboxes dependencies by default, i.e. installs them to
-`./node_modules`. This is good, because it avoids polluting the system with the
-project's dependencies. To make Python work the same way, we'll use
-`virtualenv`. Installing backend dependencies with `virtualenv` looks like
-this:
-
-```console
-user@host:szuru/client$ cd ../server
-user@host:szuru/server$ virtualenv python_modules # consistent with node_modules
-user@host:szuru/server$ source python_modules/bin/activate # enters the sandbox
-(python_modules) user@host:szuru/server$ pip install -r requirements.txt # installs the dependencies
-```
-
-
-
-### Preparing `szurubooru` for first run
-
-1. Configure things:
+1. Getting `szurubooru`:
 
     ```console
-    user@host:szuru$ cp config.yaml.dist config.yaml
-    user@host:szuru$ vim config.yaml
+    user@host:~$ git clone https://github.com/rr-/szurubooru.git szuru
+    user@host:~$ cd szuru
+    ```
+2. Configure the application:
+
+    ```console
+    user@host:szuru$ cp server/config.yaml.dist config.yaml
+    user@host:szuru$ edit config.yaml
     ```
 
     Pay extra attention to these fields:
 
-    - base URL,
-    - API URL,
-    - data directory,
-    - data URL,
-    - database,
+    - secret
     - the `smtp` section.
 
-2. Compile the frontend:
+    You can omit lines when you want to use the defaults of that field.
+
+3. Configure Docker Compose:
 
     ```console
-    user@host:szuru$ cd client
-    user@host:szuru/client$ npm run build
+    user@host:szuru$ cp docker-compose.yml.example docker-compose.yml
+    user@host:szuru$ edit docker-compose.yml
     ```
 
-3. Upgrade the database:
+    Read the comments to guide you. For production use, it is *important*
+    that you configure the volumes appropriately to avoid data loss.
+
+### Running the Application
+
+1. Configurations for ElasticSearch:
+
+    You may need to raise the `vm.max_map_count`
+    parameter to at least `262144` in order for the
+    ElasticSearch container to function. Instructions
+    on how to do so are provided
+    [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/docker.html#docker-cli-run-prod-mode).
+
+2. Build or update the containers:
 
     ```console
-    user@host:szuru/client$ cd ../server
-    user@host:szuru/server$ source python_modules/bin/activate
-    (python_modules) user@host:szuru/server$ alembic upgrade head
+    user@host:szuru$ docker-compose pull
+    user@host:szuru$ docker-compose build --pull
     ```
 
-    `alembic` should have been installed during installation of `szurubooru`'s
-    dependencies.
+    This will build both the frontend and backend containers, and may take
+    some time.
 
-4. Run the tests:
+3. Start and stop the the application
 
     ```console
-    (python_modules) user@host:szuru/server$ ./test
+    # To start:
+    user@host:szuru$ docker-compose up -d
+    # To monitor (CTRL+C to exit):
+    user@host:szuru$ docker-compose logs -f
+    # To stop
+    user@host:szuru$ docker-compose down
     ```
-
-It is recommended to rebuild the frontend after each change to configuration.
-
-
-
-### Wiring `szurubooru` to the web server
-
-`szurubooru` is divided into two parts: public static files, and the API. It
-tries not to impose any networking configurations on the user, so it is the
-user's responsibility to wire these to their web server.
-
-Below are described the methods to integrate the API into a web server:
-
-1. Run API locally with `waitress`, and bind it with a reverse proxy. In this
-   approach, the user needs to (from within `virtualenv`) install `waitress`
-   with `pip install waitress` and then start `szurubooru` with `./host-waitress`
-   from within the `server/` directory (see `--help` for details). Then the
-   user needs to add a virtual host that delegates the API requests to the
-   local API server, and the browser requests to the `client/public/`
-   directory.
-2. Alternatively, Apache users can use `mod_wsgi`.
-3. Alternatively, users can use other WSGI frontends such as `gunicorn` or
-   `uwsgi`, but they'll need to write wrapper scripts themselves.
-
-Note that the API URL in the virtual host configuration needs to be the same as
-the one in the `config.yaml`, so that client knows how to access the backend!
-
-#### Example
-
-**nginx configuration** - wiring API `http://great.dude/api/` to
-`localhost:6666` to avoid fiddling with CORS:
-
-```nginx
-server {
-    listen 80;
-    server_name great.dude;
-    merge_slashes off;  # to support post tags such as ///
-
-    location ~ ^/api$ {
-        return 302 /api/;
-    }
-    location ~ ^/api/(.*)$ {
-        proxy_pass http://127.0.0.1:6666/$1$is_args$args;
-    }
-    location / {
-        root /home/rr-/src/maintained/szurubooru/client/public;
-        try_files $uri /index.htm;
-    }
-}
-```
-
-**`config.yaml`**:
-
-```yaml
-api_url: 'http://big.dude/api/'
-base_url: 'http://big.dude/'
-data_url: 'http://big.dude/data/'
-data_dir: '/home/rr-/src/maintained/szurubooru/client/public/data'
-```
-
-Then the backend is started with `host-waitress` from within `virtualenv` and
-`./server/` directory.
diff --git a/README.md b/README.md
index 92b694ea..4f9c0f74 100644
--- a/README.md
+++ b/README.md
@@ -13,6 +13,7 @@ scrubbing](http://sjp.pwn.pl/sjp/;2527372). It is pronounced as *shoorubooru*.
 - Post comments
 - Post notes / annotations, including arbitrary polygons
 - Rich JSON REST API ([see documentation](https://github.com/rr-/szurubooru/blob/master/API.md))
+- Token based authentication for clients
 - Rich search system
 - Rich privilege system
 - Autocomplete in search and while editing tags
@@ -33,6 +34,7 @@ scrubbing](http://sjp.pwn.pl/sjp/;2527372). It is pronounced as *shoorubooru*.
 - FFmpeg
 - node.js
 
+It is recommended that you use Docker for deployment.
 [See installation instructions.](https://github.com/rr-/szurubooru/blob/master/INSTALL.md)
 
 ## Screenshots
diff --git a/client/.babelrc b/client/.babelrc
index 9d8d5165..684fff67 100644
--- a/client/.babelrc
+++ b/client/.babelrc
@@ -1 +1 @@
-{ "presets": ["es2015"] }
+{ "presets": ["env"] }
diff --git a/client/.dockerignore b/client/.dockerignore
new file mode 100644
index 00000000..1313ed68
--- /dev/null
+++ b/client/.dockerignore
@@ -0,0 +1,6 @@
+node_modules/*
+package-lock.json
+
+Dockerfile
+.dockerignore
+**/.gitignore
diff --git a/client/Dockerfile b/client/Dockerfile
new file mode 100644
index 00000000..49e0ab63
--- /dev/null
+++ b/client/Dockerfile
@@ -0,0 +1,31 @@
+FROM node:9 as builder
+WORKDIR /opt/app
+
+COPY package.json ./
+RUN npm install
+
+COPY . ./
+
+ARG BUILD_INFO="docker-latest"
+ARG CLIENT_BUILD_ARGS=""
+RUN node build.js ${CLIENT_BUILD_ARGS}
+
+RUN find public/ -type f -size +5k -print0 | xargs -0 -- gzip -6 -k
+
+
+FROM nginx:alpine
+WORKDIR /var/www
+
+RUN \
+    # Create init file
+    echo "#!/bin/sh" >> /init && \
+    echo 'sed -i "s|__BACKEND__|${BACKEND_HOST}|" /etc/nginx/nginx.conf' \
+        >> /init && \
+    echo 'exec nginx -g "daemon off;"' >> /init && \
+    chmod a+x /init
+
+CMD ["/init"]
+VOLUME ["/data"]
+
+COPY nginx.conf.docker /etc/nginx/nginx.conf
+COPY --from=builder /opt/app/public/ .
diff --git a/client/build.js b/client/build.js
index a803acba..e5513842 100644
--- a/client/build.js
+++ b/client/build.js
@@ -5,20 +5,6 @@ const glob = require('glob');
 const path = require('path');
 const util = require('util');
 const execSync = require('child_process').execSync;
-const camelcase = require('camelcase');
-
-function convertKeysToCamelCase(input) {
-    let result = {};
-    Object.keys(input).map((key, _) => {
-        const value = input[key];
-        if (value !== null && value.constructor == Object) {
-            result[camelcase(key)] = convertKeysToCamelCase(value);
-        } else {
-            result[camelcase(key)] = value;
-        }
-    });
-    return result;
-}
 
 function readTextFile(path) {
     return fs.readFileSync(path, 'utf-8');
@@ -29,37 +15,27 @@ function writeFile(path, content) {
 }
 
 function getVersion() {
-    return execSync('git describe --always --dirty --long --tags')
-        .toString()
-        .trim();
+    let build_info = process.env.BUILD_INFO;
+    if (build_info) {
+        return build_info.trim();
+    } else {
+        try {
+            build_info = execSync('git describe --always --dirty --long --tags')
+                .toString();
+        } catch (e) {
+            console.warn('Cannot find build version');
+            return 'unknown';
+        }
+        return build_info.trim();
+    }
 }
 
 function getConfig() {
-    const yaml = require('js-yaml');
-    const merge = require('merge');
-    const camelcaseKeys = require('camelcase-keys');
-
-    function parseConfigFile(path) {
-        let result = yaml.load(readTextFile(path, 'utf-8'));
-        return convertKeysToCamelCase(result);
-    }
-
-    let config = parseConfigFile('../config.yaml.dist');
-
-    try {
-        const localConfig = parseConfigFile('../config.yaml');
-        config = merge.recursive(config, localConfig);
-    } catch (e) {
-        console.warn('Local config does not exist, ignoring');
-    }
-
-    config.canSendMails = !!config.smtp.host;
-    delete config.secret;
-    delete config.smtp;
-    delete config.database;
-    config.meta = {
-        version: getVersion(),
-        buildDate: new Date().toUTCString(),
+    let config = {
+        meta: {
+          version: getVersion(),
+          buildDate: new Date().toUTCString()
+        }
     };
 
     return config;
@@ -70,11 +46,11 @@ function copyFile(source, target) {
 }
 
 function minifyJs(path) {
-    return require('uglify-js').minify(path, {compress: {unused: false}}).code;
+    return require('terser').minify(fs.readFileSync(path, 'utf-8'), {compress: {unused: false}}).code;
 }
 
 function minifyCss(css) {
-    return require('csso').minify(css);
+    return require('csso').minify(css).css;
 }
 
 function minifyHtml(html) {
@@ -85,15 +61,11 @@ function minifyHtml(html) {
     }).trim();
 }
 
-function bundleHtml(config) {
+function bundleHtml() {
     const underscore = require('underscore');
     const babelify = require('babelify');
     const baseHtml = readTextFile('./html/index.htm', 'utf-8');
-    const finalHtml = baseHtml
-        .replace(
-            /(<title>)(.*)(<\/title>)/,
-            util.format('$1%s$3', config.name));
-    writeFile('./public/index.htm', minifyHtml(finalHtml));
+    writeFile('./public/index.htm', minifyHtml(baseHtml));
 
     glob('./html/**/*.tpl', {}, (er, files) => {
         let compiledTemplateJs = '\'use strict\'\n';
@@ -143,7 +115,7 @@ function bundleCss() {
     });
 }
 
-function bundleJs(config) {
+function bundleJs() {
     const browserify = require('browserify');
     const external = [
         'underscore',
@@ -170,7 +142,7 @@ function bundleJs(config) {
             for (let lib of external) {
                 b.require(lib);
             }
-            if (config.transpile) {
+            if (!process.argv.includes('--no-transpile')) {
                 b.add(require.resolve('babel-polyfill'));
             }
             writeJsBundle(
@@ -179,15 +151,15 @@ function bundleJs(config) {
 
         if (!process.argv.includes('--no-app-js')) {
             let outputFile = fs.createWriteStream('./public/js/app.min.js');
-            let b = browserify({debug: config.debug});
-            if (config.transpile) {
+            let b = browserify({debug: process.argv.includes('--debug')});
+            if (!process.argv.includes('--no-transpile')) {
                 b = b.transform('babelify');
             }
             writeJsBundle(
                 b.external(external).add(files),
                 './public/js/app.min.js',
                 'Bundled app JS',
-                !config.debug);
+                !process.argv.includes('--debug'));
         }
     });
 }
@@ -217,11 +189,11 @@ const config = getConfig();
 bundleConfig(config);
 bundleBinaryAssets();
 if (!process.argv.includes('--no-html')) {
-    bundleHtml(config);
+    bundleHtml();
 }
 if (!process.argv.includes('--no-css')) {
     bundleCss();
 }
 if (!process.argv.includes('--no-js')) {
-    bundleJs(config);
+    bundleJs();
 }
diff --git a/client/css/colors.styl b/client/css/colors.styl
index ed68e410..3be05fe3 100644
--- a/client/css/colors.styl
+++ b/client/css/colors.styl
@@ -55,3 +55,5 @@ $hovered-first-note-point-color = red
 $safety-safe = #88D488
 $safety-sketchy = #F3D75F
 $safety-unsafe = #F3985F
+$scrollbar-thumb-color = $main-color
+$scrollbar-bg-color = $input-enabled-background-color
diff --git a/client/css/comment-control.styl b/client/css/comment-control.styl
index 6b730172..7e98171f 100644
--- a/client/css/comment-control.styl
+++ b/client/css/comment-control.styl
@@ -3,7 +3,6 @@ $comment-header-background-color = $top-navigation-color
 $comment-border-color = #DDD
 
 .comment-container
-    margin: 0 0 1em 0
     padding: 0 0 0 60px
 
     .avatar
@@ -124,7 +123,7 @@ $comment-border-color = #DDD
         font-family: 'MS PGothic', 'ＭＳ Ｐゴシック', 'IPAMonaPGothic', 'Trebuchet MS', Verdana, Futura, Arial, Helvetica, sans-serif
         background: #fbfbfb
         color: #111
-        font-size: 12pt
+        font-size: 1em
         line-height: 1
         margin: 0
         padding: 4px
diff --git a/client/css/comment-list-control.styl b/client/css/comment-list-control.styl
index 63459d64..fe847245 100644
--- a/client/css/comment-list-control.styl
+++ b/client/css/comment-list-control.styl
@@ -2,3 +2,8 @@
     list-style-type: none
     margin: 0
     padding: 0
+
+    >li
+        margin-bottom: 1em
+        &:last-child
+            margin-bottom: 0
diff --git a/client/css/comment-list-view.styl b/client/css/comment-list-view.styl
index 697b372b..bd50beb8 100644
--- a/client/css/comment-list-view.styl
+++ b/client/css/comment-list-view.styl
@@ -1,15 +1,24 @@
+@import colors
+$comment-border-color = $top-navigation-color
+
 .global-comment-list
     text-align: left
 
     &>ul
         list-style-type: none
-        margin: 1em 0
+        margin: 1em 0 0
         padding: 0
 
+        &>li
+            margin-top: 2em
+            padding-top: 2em
+            border-top: 3px solid $comment-border-color
+            &:first-child
+                margin-top: 0
+                padding-top: 0
+                border-top: none
+
         @media (max-width: 700px)
-            &>li
-                margin-bottom: 5em
-                padding: 1vw
             .post-thumbnail
                 margin-bottom: 1em
                 .thumbnail
@@ -19,7 +28,6 @@
         @media (min-width: 700px)
             &>li
                 padding-left: 13em
-                margin-bottom: 2em
             .post-thumbnail
                 float: left
                 margin: 0 0 1em -13em
diff --git a/client/css/core-forms.styl b/client/css/core-forms.styl
index 8323d16e..bed63e3b 100644
--- a/client/css/core-forms.styl
+++ b/client/css/core-forms.styl
@@ -17,6 +17,8 @@ form
     .input li:first-child
         padding-top: 0
         margin-top: 0
+
+form:not(.horizontal)
     .hint
         margin-top: 0.2em
         margin-bottom: 0
@@ -29,13 +31,22 @@ form.horizontal
     margin-bottom: 1em
     .input, .buttons, ul
         display: inline-block
-        vertical-align: middle
+        vertical-align: top
         margin: 0
         padding: 0
         input
-            vertical-align: middle
+            vertical-align: top
     .buttons
         margin-right: 0.5em
+    @media (max-width: 1000px)
+        display: block
+        .input, .buttons, ul
+            display: block
+            margin-top: 0.5em
+            &:first-child
+                margin-top: 0
+        .buttons
+            margin-right: 0
 
 
 
@@ -126,6 +137,38 @@ input[type=checkbox]:focus + .checkbox:before
 
 
 
+/*
+ * Date and time inputs
+ */
+
+input[type=date],
+input[type=time]
+    vertical-align: top
+    font-family: 'Droid Sans', sans-serif
+    font-size: 100%
+    padding: 0.2em 0.3em
+    box-sizing: border-box
+    border: 2px solid $input-enabled-border-color
+    background: $input-enabled-background-color
+    color: $input-enabled-text-color
+    box-shadow: none /* :-moz-submit-invalid on FF */
+    transition: border-color 0.1s linear, background-color 0.1s linear
+
+    &:disabled
+        border: 2px solid $input-disabled-border-color
+        background: $input-disabled-background-color
+        color: $input-disabled-text-color
+
+    &:focus
+        border-color: $main-color
+
+    &[readonly]
+        border: 2px solid $input-disabled-border-color
+        background: $input-disabled-background-color
+        color: $input-disabled-text-color
+
+
+
 /*
  * Regular inputs
  */
@@ -170,13 +213,25 @@ input:disabled
     cursor: not-allowed
 
 label.color
+    white-space: nowrap
     position: relative
+    display: flex
     input[type=text]
+        margin-right: 0.25em
+        width: auto
+    .preview
+        display: inline-block
         text-align: center
-        pointer-events: none
-    input[type=color]
-        position: absolute
-        opacity: 0
+        padding: 0 0.5em
+        border: 2px solid black
+        &:after
+            content: 'A'
+    .background-preview
+        border-right: 0
+        color: transparent
+    .text-preview
+        border-left: 0
+
 
 form.show-validation .input
     input:invalid
@@ -199,10 +254,13 @@ input[type=submit]
     cursor: pointer
     font-size: 100%
     padding: 0.2em 0.7em
+    border-radius: 0
     border: 2px solid $button-enabled-background-color
     background: $button-enabled-background-color
     color: $button-enabled-text-color
     outline: 0 /* something on Chrome */
+    -moz-appearance: none
+    -webkit-appearance: none
 
     &:disabled
         cursor: default
@@ -231,25 +289,26 @@ input::-moz-focus-inner
  * File dropper
  */
 .file-dropper-holder
-    display: flex
-    flex-wrap: wrap
     .file-dropper
         display: block
-        width: 100%
         background: $window-color
         border: 3px dashed #eee
         padding: 0.3em 0.5em
         line-height: 140%
         text-align: center
         cursor: pointer
+        overflow: hidden
         word-wrap: break-word
-    input
+    .url-holder
+        display: flex
         margin-top: 0.5em
-        width: auto
-        flex: 1
-    button
-        margin-top: 0.5em
-        width: 8em
+        input, button
+            min-width: 0 /* firefox being sassy */
+            width: auto !important /* don't inherit anything weird */
+        input
+            flex: 1
+        button
+            margin-left: 0.5em
 
 input[type=file]:disabled+.file-dropper
     cursor: default
diff --git a/client/css/core-general.styl b/client/css/core-general.styl
index 9209bc30..75e82241 100644
--- a/client/css/core-general.styl
+++ b/client/css/core-general.styl
@@ -21,19 +21,28 @@ body
     margin: 0
     color: $text-color
     font-family: 'Open Sans', sans-serif
-    font-size: 12pt
-    line-height: 18pt
+    font-size: 1em
+    line-height: 1.4
     @media (max-width: 800px)
-        font-size: 10pt
-        line-height: 15pt
+        font-size: 0.875em
     @media (max-width: 1200px)
-        font-size: 11pt
-        line-height: 16.5pt
+        font-size: 0.95em
 
 h1, h2, h3
     font-weight: normal
     margin-bottom: 1em
 
+h1
+    font-size: 2em
+
+h2
+    font-size: 1.5em
+
+p,
+ol,
+ul
+    margin: 1em 0
+
 th
     font-weight: normal
 
@@ -61,8 +70,10 @@ form .fa-question-circle-o
     vertical-align: middle
 
 #content-holder
-    padding: 1.5vw
+    padding: 1.5em
     text-align: center
+    @media (max-width: 1000px)
+        padding: 1em
     >.content-wrapper
         box-sizing: border-box /* make max-width: 100% on this element include padding */
         text-align: left
@@ -70,9 +81,26 @@ form .fa-question-circle-o
         margin: 0 auto
         >*:first-child, form h1
             margin-top: 0
+        nav.buttons
+            ul
+                display: block
+                max-width: 100%
+                white-space: nowrap
+                overflow-x: auto
+                &::-webkit-scrollbar
+                    height: 6px
+                    background-color: $scrollbar-bg-color
+                &::-webkit-scrollbar-thumb
+                    background-color: $scrollbar-thumb-color
     >.content-wrapper:not(.transparent)
         background: $top-navigation-color
-        padding: 2vw
+        padding: 1.8em
+        @media (max-width: 1000px)
+            padding: 1.5em
+        .content,
+        .content .subcontent
+            >*:last-child
+                margin-bottom: 0
 
 hr
     border: 0
@@ -125,6 +153,39 @@ nav
             li
                 display: inline-block
                 float: left
+                a
+                    padding: 0 1.5em
+            #mobile-navigation-toggle
+                display: none
+                width: 100%
+                padding: 0 1em
+                line-height: 2.3em
+                font-family: inherit
+                border: none
+                background: none
+                color: $active-tab-text-color
+                .site-name
+                    display: block
+                    float: left
+                    max-width: 50vw
+                    overflow: hidden
+                    text-overflow: ellipsis
+                .toggle-icon
+                    display: block
+                    float: right
+            @media (max-width: 1000px)
+                text-align: left
+                li
+                    display: none
+                    float: none
+                    a
+                        display: block
+                        padding: 0 1em
+                #mobile-navigation-toggle
+                    display: block
+                &.opened
+                    li
+                        display: block
         ul li[data-name=account],
         ul li[data-name=register],
         ul li[data-name=login],
@@ -141,6 +202,8 @@ nav
             margin-right: 0.6em
             margin-left: calc(0.6em - 1.2em)
             float: left
+            @media (max-width: 1000px)
+                display: none
 
 a .access-key
     text-decoration: underline
@@ -194,6 +257,14 @@ a .access-key
     margin-top: 0 !important
     margin-bottom: 0 !important
 
+.table-wrap
+    overflow-x: auto
+    &::-webkit-scrollbar
+        height: 6px
+        background-color: $scrollbar-bg-color
+    &::-webkit-scrollbar-thumb
+        background-color: $scrollbar-thumb-color
+
 /* hack to prevent text from being copied */
 [data-pseudo-content]:before {
     content: attr(data-pseudo-content)
diff --git a/client/css/expander-control.styl b/client/css/expander-control.styl
index 7f2e0b7b..620ec250 100644
--- a/client/css/expander-control.styl
+++ b/client/css/expander-control.styl
@@ -16,7 +16,7 @@
             color: mix($text-color, $inactive-link-color)
             font-size: 120%
             i
-                font-size: 12pt
+                font-size: 1em
                 color: $inactive-link-color
                 float: right
                 line-height: 2em
diff --git a/client/css/help-view.styl b/client/css/help-view.styl
index d90e0c57..0c98d59a 100644
--- a/client/css/help-view.styl
+++ b/client/css/help-view.styl
@@ -16,6 +16,10 @@
         font-size: 1.6em
         &:first-child
             margin-top: 0
+        @media (max-width: 1000px)
+            margin-top: 1.5em
+            &:first-child
+                margin-top: 0
     nav
         ul
             margin: 0 auto
diff --git a/client/css/home-view.styl b/client/css/home-view.styl
index e17e4bb5..729fac0c 100644
--- a/client/css/home-view.styl
+++ b/client/css/home-view.styl
@@ -6,13 +6,16 @@
         margin-bottom: 1em
         h1
             line-height: initial
-            font-size: 30pt
+            font-size: 2.5em
             margin: 0
 
-    .message
-        margin-bottom: 2em
+    .messages
+        text-align: center
+        .message
+            margin: 0 auto 2em auto
 
     form
+        display: inline-block
         width: auto
         vertical-align: middle
         margin: 0 0 2em 0
@@ -31,6 +34,8 @@
         display: flex
         align-items: center
         justify-content: center
+        &:empty
+            margin-bottom: 0
 
     nav
         a
@@ -50,6 +55,8 @@
             li
                 display: inline
                 white-space: nowrap
+                @media (max-width: 800px)
+                    display: block
             .sep
                 word-spacing: 1.1em
                 background-repeat: no-repeat
diff --git a/client/css/pager.styl b/client/css/pager.styl
index df35f3e8..3976404c 100644
--- a/client/css/pager.styl
+++ b/client/css/pager.styl
@@ -8,7 +8,7 @@
     .page
         position: relative
         .page-header
-            margin: 0.5em 0.5em 0.5em 0
+            margin: 0.5em 0
             position: relative
             &:before
                 display: block
diff --git a/client/css/password-reset.styl b/client/css/password-reset.styl
new file mode 100644
index 00000000..47e32f3f
--- /dev/null
+++ b/client/css/password-reset.styl
@@ -0,0 +1,2 @@
+#password-reset
+    max-width: 30em
diff --git a/client/css/post-list-view.styl b/client/css/post-list-view.styl
index 4e797e0c..03806b88 100644
--- a/client/css/post-list-view.styl
+++ b/client/css/post-list-view.styl
@@ -54,33 +54,66 @@
                     .icon:not(:first-of-type)
                         margin-left: 1em
 
-            .masstag
+            .edit-overlay
                 position: absolute
                 top: 0.5em
                 left: 0.5em
-                display: inline-block
-                padding: 0.5em
-                box-sizing: border-box
-                border: 0
-                &:after
+
+                .tag-flipper
                     display: inline-block
-                    width: 1em
-                    height: 1em
+                    padding: 0.5em
+                    box-sizing: border-box
+                    border: 0
+                    &:after
+                        display: inline-block
+                        width: 1em
+                        height: 1em
+                        text-align: center
+                        line-height: 1em
+                        font-size: 1.6em
+                    &.tagged
+                        background: rgba(0, 230, 0, 0.7)
+                        &:after
+                            color: white
+                            content: '-'
+                    &:not(.tagged)
+                        background: rgba(255, 0, 0, 0.7)
+                        &:after
+                            color: white
+                            content: '+'
+                    &[data-disabled]
+                        background: rgba(200, 200, 200, 0.7)
+
+                .safety-flipper a
+                    display: inline-block
+                    margin: 0.1em
+                    box-sizing: border-box
+                    border: 0
+                    display: inline-block
+                    width: 1.2em
+                    height: 1.2em
                     text-align: center
                     line-height: 1em
-                    font-size: 20pt
-                &.tagged
-                    background: rgba(0, 230, 0, 0.7)
-                    &:after
-                        color: white
-                        content: '-'
-                &:not(.tagged)
-                    background: rgba(255, 0, 0, 0.7)
-                    &:after
-                        color: white
-                        content: '+'
-                &[data-disabled]
-                    background: rgba(200, 200, 200, 0.7)
+                    font-size: 1.6em
+                    border: 3px solid
+                    &.safety-safe
+                        background-color: darken($safety-safe, 5%)
+                        border-color: @background-color
+                        &:not(.active)
+                            background-color: alpha(@background-color, 0.3)
+                    &.safety-sketchy
+                        background-color: $safety-sketchy
+                        border-color: @background-color
+                        &:not(.active)
+                            background-color: alpha(@background-color, 0.3)
+                    &.safety-unsafe
+                        background-color: $safety-unsafe
+                        border-color: @background-color
+                        &:not(.active)
+                            background-color: alpha(@background-color, 0.3)
+                    &[data-disabled]
+                        background: rgba(200, 200, 200, 0.7)
+
 
             .thumbnail
                 background-position: 50% 30%
@@ -112,29 +145,59 @@
         margin-bottom: 0.75em
         *
             vertical-align: top
+        @media (max-width: 1000px)
+            display: block
     input
         margin-bottom: 0.25em
         margin-right: 0.25em
     input[name=search-text]
         width: 25em
-    input[name=masstag]
-        width: 12em
-    .masstag-hint, .open-masstag
-        margin-right: 1em
+        @media (max-width: 1000px)
+            display: block
+            width: 100%
+            margin-bottom: 0.5em
     .append
+        vertical-align: middle
         font-size: 0.95em
         color: $inactive-link-color
-    .masstag
-        &:not(.active)
+    .bulk-edit
+        &:not(.opened)
+            .close
+                display: none
+        &.opened
+            .open
+                display: none
+        &.hidden
+            display: none
+    .bulk-edit-tags
+        &.opened
+            .hint
+                @media (max-width: 1000px)
+                    display: block
+                    margin-bottom: 0.5em
+        &:not(.opened)
             [type=text],
-            .start-tagging,
-            .stop-tagging
+            .start
                 display: none
-            .masstag-hint
-                display: none
-        &.active
-            .open-masstag
+            .hint
                 display: none
+        input[name=tag]
+            width: 12em
+            @media (max-width: 1000px)
+                display: block
+                width: 100%
+                margin-bottom: 0.5em
+        .append
+            &.open,
+            &.hint
+                @media (max-width: 1000px)
+                    margin-left: 0
+        .hint
+            margin-right: 1em
+    .bulk-edit-safety
+        .append
+            @media (max-width: 1000px)
+                margin-left: 0
 
     .safety
         margin-right: 0.25em
diff --git a/client/css/post-main-view.styl b/client/css/post-main-view.styl
index 689ec73c..9e596417 100644
--- a/client/css/post-main-view.styl
+++ b/client/css/post-main-view.styl
@@ -33,6 +33,8 @@
                 i
                     font-size: 140%
                 text-align: center
+            @media (max-width: 800px)
+                margin-top: 2em
 
     >.content
         width: 100%
@@ -50,6 +52,7 @@
             order: 2
             min-width: 100%
             max-width: 0
+            margin-right: 0
         >.content
             order: 1
 
@@ -130,10 +133,18 @@
             display: inline-block
 
     .management
-        li
+        ul
+            list-style-type: none
             margin: 0
+            padding: 0
+            li
+                margin: 0
+                padding: 0
 
-    label
+    form
+        width: auto
+
+    label:not(.file-dropper)
         margin-bottom: 0.3em
         display: block
 
diff --git a/client/css/post-upload.styl b/client/css/post-upload.styl
index 4da53a77..147df6bc 100644
--- a/client/css/post-upload.styl
+++ b/client/css/post-upload.styl
@@ -22,6 +22,8 @@ $cancel-button-color = tomato
         .file-dropper
             font-size: 150%
             padding: 2em
+            small
+                font-size: 60%
 
     input[type=submit]
         margin-top: 1em
diff --git a/client/css/snapshots-list-view.styl b/client/css/snapshots-list-view.styl
index a858a07d..b059a64a 100644
--- a/client/css/snapshots-list-view.styl
+++ b/client/css/snapshots-list-view.styl
@@ -8,11 +8,16 @@ $snapshot-merged-background-color = #FEC
 
     ul
         margin: 0 auto
+        padding: 0
         width: 100%
         max-width: 35em
         list-style-type: none
 
         li
+            margin-bottom: 1em
+            &:last-child
+                margin-bottom: 0
+
             .time
                 float: right
 
@@ -39,6 +44,3 @@ $snapshot-merged-background-color = #FEC
                 background: $snapshot-merged-background-color
                 &+.details
                     background: lighten($snapshot-merged-background-color, 50%)
-
-            div.details
-                margin-bottom: 2em
diff --git a/client/css/tag-categories-view.styl b/client/css/tag-categories-view.styl
index 31c58380..b8a91802 100644
--- a/client/css/tag-categories-view.styl
+++ b/client/css/tag-categories-view.styl
@@ -2,7 +2,7 @@
 
 .content-wrapper.tag-categories
     width: 100%
-    max-width: 40em
+    max-width: 45em
     table
         border-spacing: 0
         width: 100%
@@ -11,11 +11,18 @@
         td, th
             padding: .4em
             &.color
-                text-align: center
+                input[type=text]
+                    width: 8em
             &.usages
                 text-align: center
             &.remove, &.set-default
                 white-space: pre
+        th
+            white-space: nowrap
+            &:first-child
+                padding-left: 0
+            &:last-child
+                padding-right: 0
         tfoot
             display: none
     form
diff --git a/client/css/tag-list-view.styl b/client/css/tag-list-view.styl
index 8ae7bcb8..4fd167f5 100644
--- a/client/css/tag-list-view.styl
+++ b/client/css/tag-list-view.styl
@@ -11,6 +11,7 @@
         th, td
             padding: 0.1em 0.5em
         th
+            white-space: nowrap
             background: $top-navigation-color
         .names
             width: 28%
@@ -46,7 +47,10 @@
     form
         width: auto
     input[name=search-text]
-        max-width: 15em
+        width: 25em
+        @media (max-width: 1000px)
+            width: 100%
     .append
+        vertical-align: middle
         font-size: 0.95em
         color: $inactive-link-color
diff --git a/client/css/user-list-view.styl b/client/css/user-list-view.styl
index 3d49d941..1fba50b5 100644
--- a/client/css/user-list-view.styl
+++ b/client/css/user-list-view.styl
@@ -33,7 +33,10 @@
     form
         width: auto
     input[name=search-text]
-        max-width: 15em
+        width: 25em
+        @media (max-width: 1000px)
+            width: 100%
     .append
+        vertical-align: middle
         font-size: 0.95em
         color: $inactive-link-color
diff --git a/client/css/user-view.styl b/client/css/user-view.styl
index 12cba75e..3cdd29cb 100644
--- a/client/css/user-view.styl
+++ b/client/css/user-view.styl
@@ -1,3 +1,6 @@
+@import colors
+$token-border-color = $active-tab-background-color
+
 #user
     width: 100%
     max-width: 35em
@@ -37,7 +40,43 @@
                 height: 1px
                 clear: both
 
+    #user-tokens
+
+        .token-flex-container
+            width: 100%
+            display: flex;
+            flex-direction column;
+            padding-bottom: 0.5em;
+
+            .full-width
+                width: 100%
+
+            .token-flex-row
+                display: flex;
+                flex-direction: row;
+                justify-content: space-between;
+                padding: 0.2em;
+
+                .no-wrap
+                  white-space: nowrap;
+
+                .token-input
+                    min-height: 2em;
+                    line-height: 2em;
+                    text-align: center;
+
+            .token-flex-column
+                display: flex;
+                flex-direction: column;
+
+            .token-flex-labels
+                padding-right: 0.5em
+
+            hr
+                border-top: 3px solid $token-border-color
+
+        form
+            width: 100%;
+
     #user-delete form
         width: 100%
-
-
diff --git a/client/html/comment.tpl b/client/html/comment.tpl
index 04469c9a..6bea7045 100644
--- a/client/html/comment.tpl
+++ b/client/html/comment.tpl
@@ -1,7 +1,7 @@
 <div class='comment-container'>
     <div class='avatar'>
         <% if (ctx.user && ctx.user.name && ctx.canViewUsers) { %>
-            <a href='/user/<%- encodeURIComponent(ctx.user.name) %>'>
+            <a href='<%- ctx.formatClientLink('user', ctx.user.name) %>'>
         <% } %>
 
         <%= ctx.makeThumbnail(ctx.user ? ctx.user.avatarUrl : null) %>
@@ -23,7 +23,7 @@
             <nav class='readonly'><%
                 %><strong><span class='nickname'><%
                     %><% if (ctx.user && ctx.user.name && ctx.canViewUsers) { %><%
-                        %><a href='/user/<%- encodeURIComponent(ctx.user.name) %>'><%
+                        %><a href='<%- ctx.formatClientLink('user', ctx.user.name) %>'><%
                     %><% } %><%
 
                     %><%- ctx.user ? ctx.user.name : 'Deleted user' %><%
diff --git a/client/html/comments_page.tpl b/client/html/comments_page.tpl
index 4f956d42..27d7011d 100644
--- a/client/html/comments_page.tpl
+++ b/client/html/comments_page.tpl
@@ -1,10 +1,10 @@
 <div class='global-comment-list'>
     <ul><!--
-        --><% for (let post of ctx.results) { %><!--
+        --><% for (let post of ctx.response.results) { %><!--
             --><li><!--
                 --><div class='post-thumbnail'><!--
                     --><% if (ctx.canViewPosts) { %><!--
-                        --><a href='/post/<%- encodeURIComponent(post.id) %>'><!--
+                        --><a href='<%- ctx.formatClientLink('post', post.id) %>'><!--
                     --><% } %><!--
                         --><%= ctx.makeThumbnail(post.thumbnailUrl) %><!--
                     --><% if (ctx.canViewPosts) { %><!--
diff --git a/client/html/endless_pager.tpl b/client/html/endless_pager.tpl
index 6870f9a5..4812f96d 100644
--- a/client/html/endless_pager.tpl
+++ b/client/html/endless_pager.tpl
@@ -1,5 +1,7 @@
 <div class='pager'>
     <div class='page-header-holder'></div>
     <div class='messages'></div>
+    <div class='page-guard top'></div>
     <div class='pages-holder'></div>
+    <div class='page-guard bottom'></div>
 </div>
diff --git a/client/html/file_dropper.tpl b/client/html/file_dropper.tpl
index 9c662010..3123cd01 100644
--- a/client/html/file_dropper.tpl
+++ b/client/html/file_dropper.tpl
@@ -8,9 +8,19 @@
         <% } %>
         <br/>
         Or just click on this box.
+        <% if (ctx.extraText) { %>
+            <br/>
+            <small><%= ctx.extraText %></small>
+        <% } %>
     </label>
     <% if (ctx.allowUrls) { %>
-        <input type='text' name='url' placeholder='Alternatively, paste an URL here.'/>
-        <button>Add URL</button>
+        <div class='url-holder'>
+            <input type='text' name='url' placeholder='<%- ctx.urlPlaceholder %>'/>
+            <% if (ctx.lock) { %>
+                <button>Confirm</button>
+            <% } else { %>
+                <button>Add URL</button>
+            <% } %>
+        </div>
     <% } %>
 </div>
diff --git a/client/html/help.tpl b/client/html/help.tpl
index 5e80725e..995ab0bd 100644
--- a/client/html/help.tpl
+++ b/client/html/help.tpl
@@ -1,11 +1,11 @@
 <div class='content-wrapper' id='help'>
     <nav class='buttons primary'><!--
         --><ul><!--
-            --><li data-name='about'><a href='/help/about'>About</a></li><!--
-            --><li data-name='keyboard'><a href='/help/keyboard'>Keyboard</a></li><!--
-            --><li data-name='search'><a href='/help/search'>Search syntax</a></li><!--
-            --><li data-name='comments'><a href='/help/comments'>Comments</a></li><!--
-            --><li data-name='tos'><a href='/help/tos'>Terms of service</a></li><!--
+            --><li data-name='about'><a href='<%- ctx.formatClientLink('help', 'about') %>'>About</a></li><!--
+            --><li data-name='keyboard'><a href='<%- ctx.formatClientLink('help', 'keyboard') %>'>Keyboard</a></li><!--
+            --><li data-name='search'><a href='<%- ctx.formatClientLink('help', 'search') %>'>Search syntax</a></li><!--
+            --><li data-name='comments'><a href='<%- ctx.formatClientLink('help', 'comments') %>'>Comments</a></li><!--
+            --><li data-name='tos'><a href='<%- ctx.formatClientLink('help', 'tos') %>'>Terms of service</a></li><!--
         --></ul><!--
     --></nav>
 
diff --git a/client/html/help_keyboard.tpl b/client/html/help_keyboard.tpl
index 5b12324b..f200ce02 100644
--- a/client/html/help_keyboard.tpl
+++ b/client/html/help_keyboard.tpl
@@ -33,10 +33,15 @@ shortcuts:</p>
             <td><kbd>P</kbd></td>
             <td>Focus first post in post list</td>
         </tr>
+
+        <tr>
+            <td><kbd>Delete</kbd></td>
+            <td>Delete post (while in edit mode)</td>
+        </tr>
     </tbody>
 </table>
 
-<p>Additionally, each item in top navigation can be accessed using feature
-called &ldquo;access keys&rdquo;. Pressing underlined letter while holding
-Shfit or Alt+Shift (depending on your browser) will go to the desired page
-(most browsers) or focus the link (IE).</p>
+<p>Additionally, each item in the top navigation can be accessed using a
+feature called &ldquo;access keys&rdquo;. Pressing the underlined letter while
+holding Shift or Alt+Shift (depending on your browser) will go to the desired
+page (most browsers) or focus the link (IE).</p>
diff --git a/client/html/help_search.tpl b/client/html/help_search.tpl
index 8c22d73e..70737893 100644
--- a/client/html/help_search.tpl
+++ b/client/html/help_search.tpl
@@ -1,9 +1,9 @@
 <nav class='buttons secondary'><!--
     --><ul><!--
-        --><li data-name='default'><a href='/help/search'>General</a></li><!--
-        --><li data-name='posts'><a href='/help/search/posts'>Posts</a></li><!--
-        --><li data-name='users'><a href='/help/search/users'>Users</a></li><!--
-        --><li data-name='tags'><a href='/help/search/tags'>Tags</a></li><!--
+        --><li data-name='default'><a href='<%- ctx.formatClientLink('help', 'search') %>'>General</a></li><!--
+        --><li data-name='posts'><a href='<%- ctx.formatClientLink('help', 'search', 'posts') %>'>Posts</a></li><!--
+        --><li data-name='users'><a href='<%- ctx.formatClientLink('help', 'search', 'users') %>'>Users</a></li><!--
+        --><li data-name='tags'><a href='<%- ctx.formatClientLink('help', 'search', 'tags') %>'>Tags</a></li><!--
     --></ul><!--
 --></nav>
 
diff --git a/client/html/help_search_general.tpl b/client/html/help_search_general.tpl
index a7b05d83..6a5cfd58 100644
--- a/client/html/help_search_general.tpl
+++ b/client/html/help_search_general.tpl
@@ -80,6 +80,9 @@ take following form:</p>
 <code>,desc</code> to control the sort direction, which can be also controlled
 by negating the whole token.</p>
 
+<p>You can escape special characters such as <code>:</code> and <code>-</code>
+by prepending them with a backslash: <code>\\</code>.</p>
+
 <h1>Example</h1>
 
 <p>Searching for posts with following query:</p>
@@ -89,3 +92,8 @@ by negating the whole token.</p>
 <p>will show flash files tagged as sea, that were liked by seven people at
 most, uploaded by user Pirate.</p>
 
+<p>Searching for posts with <code>re:zero</code> will show an error message
+about unknown named token.</p>
+
+<p>Searching for posts with <code>re\:zero</code> will show posts tagged with
+<code>re:zero</code>.</p>
diff --git a/client/html/help_search_posts.tpl b/client/html/help_search_posts.tpl
index 074819f9..a9e1a8e0 100644
--- a/client/html/help_search_posts.tpl
+++ b/client/html/help_search_posts.tpl
@@ -12,7 +12,7 @@
         </tr>
         <tr>
             <td><code>tag</code></td>
-            <td>having given tag</td>
+            <td>having given tag (accepts wildcards)</td>
         </tr>
         <tr>
             <td><code>score</code></td>
@@ -20,7 +20,7 @@
         </tr>
         <tr>
             <td><code>uploader</code></td>
-            <td>uploaded by given user</td>
+            <td>uploaded by given use (accepts wildcards)r</td>
         </tr>
         <tr>
             <td><code>upload</code></td>
@@ -32,11 +32,11 @@
         </tr>
         <tr>
             <td><code>comment</code></td>
-            <td>commented by given user</td>
+            <td>commented by given user (accepts wildcards)</td>
         </tr>
         <tr>
             <td><code>fav</code></td>
-            <td>favorited by given user</td>
+            <td>favorited by given user (accepts wildcards)</td>
         </tr>
         <tr>
             <td><code>tag-count</code></td>
@@ -54,6 +54,10 @@
             <td><code>note-count</code></td>
             <td>having given number of annotations</td>
         </tr>
+        <tr>
+            <td><code>note-text</code></td>
+            <td>having given note text (accepts wildcards)</td>
+        </tr>
         <tr>
             <td><code>relation-count</code></td>
             <td>having given number of relations</td>
@@ -86,6 +90,14 @@
             <td><code>image-area</code></td>
             <td>having given number of pixels (image width * image height)</td>
         </tr>
+        <tr>
+            <td><code>image-aspect-ratio</code></td>
+            <td>having given aspect ratio (image width / image height)</td>
+        </tr>
+        <tr>
+            <td><code>image-ar</code></td>
+            <td>alias of <code>image-aspect-ratio</code></td>
+        </tr>
         <tr>
             <td><code>width</code></td>
             <td>alias of <code>image-width</code></td>
@@ -98,6 +110,14 @@
             <td><code>area</code></td>
             <td>alias of <code>image-area</code></td>
         </tr>
+        <tr>
+            <td><code>aspect-ratio</code></td>
+            <td>alias of <code>image-aspect-ratio</code></td>
+        </tr>
+        <tr>
+            <td><code>ar</code></td>
+            <td>alias of <code>image-aspect-ratio</code></td>
+        </tr>
         <tr>
             <td><code>creation-date</code></td>
             <td>posted at given date</td>
diff --git a/client/html/help_search_tags.tpl b/client/html/help_search_tags.tpl
index 38697341..b6fbeccd 100644
--- a/client/html/help_search_tags.tpl
+++ b/client/html/help_search_tags.tpl
@@ -12,7 +12,7 @@
         </tr>
         <tr>
             <td><code>category</code></td>
-            <td>having given category</td>
+            <td>having given category (accepts wildcards)</td>
         </tr>
         <tr>
             <td><code>creation-date</code></td>
diff --git a/client/html/home.tpl b/client/html/home.tpl
index f1d9b1c1..1e51b12b 100644
--- a/client/html/home.tpl
+++ b/client/html/home.tpl
@@ -8,7 +8,7 @@
             <%= ctx.makeTextInput({name: 'search-text', placeholder: 'enter some tags'}) %>
             <input type='submit' value='Search'/>
             <span class=sep>or</span>
-            <a href='/posts'>browse all posts</a>
+            <a href='<%- ctx.formatClientLink('posts') %>'>browse all posts</a>
         </form>
     <% } %>
     <div class='post-info-container'></div>
diff --git a/client/html/home_footer.tpl b/client/html/home_footer.tpl
index 9ab9cd0c..8f9cb10a 100644
--- a/client/html/home_footer.tpl
+++ b/client/html/home_footer.tpl
@@ -2,6 +2,6 @@
     <li><%- ctx.postCount %> posts</li><span class='sep'>
     </span><li><%= ctx.makeFileSize(ctx.diskUsage) %></li><span class='sep'>
     </span><li>Build <a class='version' href='https://github.com/rr-/szurubooru/commits/master'><%- ctx.version %></a> from <%= ctx.makeRelativeTime(ctx.buildDate) %></li><span class='sep'>
-    </span><% if (ctx.canListSnapshots) { %><li><a href='/history'>History</a></li><span class='sep'>
+    </span><% if (ctx.canListSnapshots) { %><li><a href='<%- ctx.formatClientLink('history') %>'>History</a></li><span class='sep'>
     </span><% } %>
 </ul>
diff --git a/client/html/index.htm b/client/html/index.htm
index f20ad461..5df8e6dd 100644
--- a/client/html/index.htm
+++ b/client/html/index.htm
@@ -3,7 +3,7 @@
 <head>
     <meta charset='utf-8'/>
     <meta name='viewport' content='width=device-width, initial-scale=1, maximum-scale=1'>
-    <title><!-- configured in the config file --></title>
+    <title>Loading...</title>
     <link href='/css/app.min.css' rel='stylesheet' type='text/css'/>
     <link href='/css/vendor.min.css' rel='stylesheet' type='text/css'/>
     <link rel='shortcut icon' type='image/png' href='/img/favicon.png'/>
diff --git a/client/html/login.tpl b/client/html/login.tpl
index cc2a6805..186a5489 100644
--- a/client/html/login.tpl
+++ b/client/html/login.tpl
@@ -30,9 +30,7 @@
 
         <div class='buttons'>
             <input type='submit' value='Log in'/>
-            <% if (ctx.canSendMails) { %>
-                <a class='append' href='/password-reset'>Forgot the password?</a>
-            <% } %>
+            <a class='append' href='<%- ctx.formatClientLink('password-reset') %>'>Forgot the password?</a>
         </div>
     </form>
 </div>
diff --git a/client/html/manual_pager_nav.tpl b/client/html/manual_pager_nav.tpl
index d47df141..35908503 100644
--- a/client/html/manual_pager_nav.tpl
+++ b/client/html/manual_pager_nav.tpl
@@ -1,17 +1,17 @@
 <nav class='buttons'>
     <ul>
         <li>
-            <% if (ctx.prevLinkActive) { %>
-                <a class='prev' href='<%- ctx.prevLink %>'>
+            <% if (ctx.prevPage !== ctx.currentPage) { %>
+                <a rel='prev' class='prev' href='<%- ctx.getClientUrlForPage(ctx.pages.get(ctx.prevPage).offset, ctx.pages.get(ctx.prevPage).limit) %>'>
             <% } else { %>
-                <a class='prev disabled'>
+                <a rel='prev' class='prev disabled'>
             <% } %>
                 <i class='fa fa-chevron-left'></i>
                 <span class='vim-nav-hint'>&lt; Previous page</span>
             </a>
         </li>
 
-        <% for (let page of ctx.pages) { %>
+        <% for (let page of ctx.pages.values()) { %>
             <% if (page.ellipsis) { %>
                 <li>&hellip;</li>
             <% } else { %>
@@ -20,16 +20,16 @@
                 <% } else { %>
                     <li>
                 <% } %>
-                    <a href='<%- page.link %>'><%- page.number %></a>
+                    <a href='<%- ctx.getClientUrlForPage(page.offset, page.limit) %>'><%- page.number %></a>
                 </li>
             <% } %>
         <% } %>
 
         <li>
-            <% if (ctx.nextLinkActive) { %>
-                <a class='next' href='<%- ctx.nextLink %>'>
+            <% if (ctx.nextPage !== ctx.currentPage) { %>
+                <a rel='next' class='next' href='<%- ctx.getClientUrlForPage(ctx.pages.get(ctx.nextPage).offset, ctx.pages.get(ctx.nextPage).limit) %>'>
             <% } else { %>
-                <a class='next disabled'>
+                <a rel='next' class='next disabled'>
             <% } %>
                 <i class='fa fa-chevron-right'></i>
                 <span class='vim-nav-hint'>Next page &gt;</span>
diff --git a/client/html/not_found.tpl b/client/html/not_found.tpl
index 15a7dfed..53bcdcd7 100644
--- a/client/html/not_found.tpl
+++ b/client/html/not_found.tpl
@@ -1,5 +1,5 @@
 <div class='not-found'>
     <h1>Not found</h1>
     <p><%- ctx.path %> is not a valid URL.</p>
-    <p><a href='/'>Back to main page</a></p>
+    <p><a href='<%- ctx.formatClientLink() %>'>Back to main page</a></p>
 </div>
diff --git a/client/html/password_reset.tpl b/client/html/password_reset.tpl
index b50b48ee..5671379e 100644
--- a/client/html/password_reset.tpl
+++ b/client/html/password_reset.tpl
@@ -1,23 +1,30 @@
 <div class='content-wrapper' id='password-reset'>
     <h1>Password reset</h1>
-    <form autocomplete='off'>
-        <ul class='input'>
-            <li>
-                <%= ctx.makeTextInput({
-                    text: 'User name or e-mail address',
-                    name: 'user-name',
-                    required: true,
-                }) %>
-            </li>
-        </ul>
+    <% if (ctx.canSendMails) { %>
+        <form autocomplete='off'>
+            <ul class='input'>
+                <li>
+                    <%= ctx.makeTextInput({
+                        text: 'User name or e-mail address',
+                        name: 'user-name',
+                        required: true,
+                    }) %>
+                </li>
+            </ul>
 
-        <p><small>Proceeding will send an e-mail that contains a password reset
-        link. Clicking it is going to generate a new password for your account.
-        It is recommended to change that password to something else.</small></p>
+            <p><small>Proceeding will send an e-mail that contains a password reset
+            link. Clicking it is going to generate a new password for your account.
+            It is recommended to change that password to something else.</small></p>
 
-        <div class='messages'></div>
-        <div class='buttons'>
-            <input type='submit' value='Proceed'/>
-        </div>
-    </form>
+            <div class='messages'></div>
+            <div class='buttons'>
+                <input type='submit' value='Proceed'/>
+            </div>
+        </form>
+    <% } else { %>
+        <p>We do not support automatic password resetting.</p>
+        <% if (ctx.contactEmail) { %>
+            <p>Please send an e-mail to <a href='mailto:<%- ctx.contactEmail %>'><%- ctx.contactEmail %></a> to go through a manual procedure.</p>
+        <% } %>
+    <% } %>
 </div>
diff --git a/client/html/post_detail.tpl b/client/html/post_detail.tpl
index 5e04ab22..65ff7868 100644
--- a/client/html/post_detail.tpl
+++ b/client/html/post_detail.tpl
@@ -2,9 +2,9 @@
     <h1>Post #<%- ctx.post.id %></h1>
     <nav class='buttons'><!--
         --><ul><!--
-            --><li><a href='/post/<%- ctx.post.id %>'><i class='fa fa-reply'></i> Main view</a></li><!--
+            --><li><a href='<%- ctx.formatClientLink('post', ctx.post.id) %>'><i class='fa fa-reply'></i> Main view</a></li><!--
             --><% if (ctx.canMerge) { %><!--
-                --><li data-name='merge'><a href='/post/<%- ctx.post.id %>/merge'>Merge with&hellip;</a></li><!--
+                --><li data-name='merge'><a href='<%- ctx.formatClientLink('post', ctx.post.id, 'merge') %>'>Merge with&hellip;</a></li><!--
             --><% } %><!--
         --></ul><!--
     --></nav>
diff --git a/client/html/post_edit_sidebar.tpl b/client/html/post_edit_sidebar.tpl
index d36a0e4e..4c055618 100644
--- a/client/html/post_edit_sidebar.tpl
+++ b/client/html/post_edit_sidebar.tpl
@@ -4,7 +4,7 @@
 
         <div class='messages'></div>
 
-        <% if (ctx.canEditPostSafety) { %>
+        <% if (ctx.enableSafety && ctx.canEditPostSafety) { %>
             <section class='safety'>
                 <label>Safety</label>
                 <div class='radio-wrapper'>
@@ -55,9 +55,7 @@
 
         <% if (ctx.canEditPostTags) { %>
             <section class='tags'>
-                <%= ctx.makeTextInput({
-                    value: ctx.post.tags.join(' '),
-                }) %>
+                <%= ctx.makeTextInput({}) %>
             </section>
         <% } %>
 
@@ -66,6 +64,12 @@
                 <a href class='add'>Add a note</a>
                 <%= ctx.makeTextarea({disabled: true, text: 'Content (supports Markdown)', rows: '8'}) %>
                 <a href class='delete inactive'>Delete selected note</a>
+                <% if (ctx.hasClipboard) { %>
+                    <br/>
+                    <a href class='copy'>Export notes to clipboard</a>
+                    <br/>
+                    <a href class='paste'>Import notes from clipboard</a>
+                <% } %>
             </section>
         <% } %>
 
diff --git a/client/html/post_main.tpl b/client/html/post_main.tpl
index 07ade0bb..54c57333 100644
--- a/client/html/post_main.tpl
+++ b/client/html/post_main.tpl
@@ -4,12 +4,12 @@
             <article class='previous-post'>
                 <% if (ctx.prevPostId) { %>
                     <% if (ctx.editMode) { %>
-                        <a href='<%= ctx.getPostEditUrl(ctx.prevPostId, ctx.parameters) %>'>
+                        <a rel='prev' href='<%= ctx.getPostEditUrl(ctx.prevPostId, ctx.parameters) %>'>
                     <% } else { %>
-                        <a href='<%= ctx.getPostUrl(ctx.prevPostId, ctx.parameters) %>'>
+                        <a rel='prev' href='<%= ctx.getPostUrl(ctx.prevPostId, ctx.parameters) %>'>
                     <% } %>
                 <% } else { %>
-                    <a class='inactive'>
+                    <a rel='prev' class='inactive'>
                 <% } %>
                     <i class='fa fa-chevron-left'></i>
                     <span class='vim-nav-hint'>&lt; Previous post</span>
@@ -18,12 +18,12 @@
             <article class='next-post'>
                 <% if (ctx.nextPostId) { %>
                     <% if (ctx.editMode) { %>
-                        <a href='<%= ctx.getPostEditUrl(ctx.nextPostId, ctx.parameters) %>'>
+                        <a rel='next' href='<%= ctx.getPostEditUrl(ctx.nextPostId, ctx.parameters) %>'>
                     <% } else { %>
-                        <a href='<%= ctx.getPostUrl(ctx.nextPostId, ctx.parameters) %>'>
+                        <a rel='next' href='<%= ctx.getPostUrl(ctx.nextPostId, ctx.parameters) %>'>
                     <% } %>
                 <% } else { %>
-                    <a class='inactive'>
+                    <a rel='next' class='inactive'>
                 <% } %>
                     <i class='fa fa-chevron-right'></i>
                     <span class='vim-nav-hint'>Next post &gt;</span>
diff --git a/client/html/post_readonly_sidebar.tpl b/client/html/post_readonly_sidebar.tpl
index 32dafd6c..1209cf16 100644
--- a/client/html/post_readonly_sidebar.tpl
+++ b/client/html/post_readonly_sidebar.tpl
@@ -20,10 +20,12 @@
             <%= ctx.makeRelativeTime(ctx.post.creationTime) %>
         </section>
 
-        <section class='safety'>
-            <i class='fa fa-circle safety-<%- ctx.post.safety %>'></i><!--
-            --><%- ctx.post.safety[0].toUpperCase() + ctx.post.safety.slice(1) %>
-        </section>
+        <% if (ctx.enableSafety) { %>
+            <section class='safety'>
+                <i class='fa fa-circle safety-<%- ctx.post.safety %>'></i><!--
+                --><%- ctx.post.safety[0].toUpperCase() + ctx.post.safety.slice(1) %>
+            </section>
+        <% } %>
 
         <section class='zoom'>
             <a href class='fit-original'>Original zoom</a> &middot;
@@ -34,8 +36,8 @@
 
         <section class='search'>
             Search on
-            <a href='http://iqdb.org/?url=<%- encodeURIComponent(ctx.post.contentUrl) %>'>IQDB</a> &middot;
-            <a href='https://www.google.com/searchbyimage?&image_url=<%- encodeURIComponent(ctx.post.contentUrl) %>'>Google Images</a>
+            <a href='http://iqdb.org/?url=<%- encodeURIComponent(ctx.post.fullContentUrl) %>'>IQDB</a> &middot;
+            <a href='https://www.google.com/searchbyimage?&image_url=<%- encodeURIComponent(ctx.post.fullContentUrl) %>'>Google Images</a>
         </section>
 
         <section class='social'>
@@ -67,20 +69,20 @@
                 --><% for (let tag of ctx.post.tags) { %><!--
                     --><li><!--
                         --><% if (ctx.canViewTags) { %><!--
-                        --><a href='/tag/<%- encodeURIComponent(tag) %>' class='<%= ctx.makeCssName(ctx.getTagCategory(tag), 'tag') %>'><!--
+                        --><a href='<%- ctx.formatClientLink('tag', tag.names[0]) %>' class='<%= ctx.makeCssName(tag.category, 'tag') %>'><!--
                             --><i class='fa fa-tag'></i><!--
                         --><% } %><!--
                         --><% if (ctx.canViewTags) { %><!--
                             --></a><!--
                         --><% } %><!--
                         --><% if (ctx.canListPosts) { %><!--
-                            --><a href='/posts/query=<%- encodeURIComponent(tag) %>' class='<%= ctx.makeCssName(ctx.getTagCategory(tag), 'tag') %>'><!--
+                            --><a href='<%- ctx.formatClientLink('posts', {query: tag.names[0]}) %>' class='<%= ctx.makeCssName(tag.category, 'tag') %>'><!--
                         --><% } %><!--
-                            --><%- tag %>&#32;<!--
+                            --><%- tag.names[0] %>&#32;<!--
                         --><% if (ctx.canListPosts) { %><!--
                             --></a><!--
                         --><% } %><!--
-                        --><span class='tag-usages' data-pseudo-content='<%- ctx.getTagUsages(tag) %>'></span><!--
+                        --><span class='tag-usages' data-pseudo-content='<%- tag.postCount %>'></span><!--
                     --></li><!--
                 --><% } %><!--
             --></ul>
diff --git a/client/html/post_upload_row.tpl b/client/html/post_upload_row.tpl
index d62ecaf3..a1ea46bb 100644
--- a/client/html/post_upload_row.tpl
+++ b/client/html/post_upload_row.tpl
@@ -41,16 +41,18 @@
         </header>
 
         <div class='body'>
-            <div class='safety'>
-                <% for (let safety of ['safe', 'sketchy', 'unsafe']) { %>
-                    <%= ctx.makeRadio({
-                        name: 'safety-' + ctx.uploadable.key,
-                        value: safety,
-                        text: safety[0].toUpperCase() + safety.substr(1),
-                        selectedValue: ctx.uploadable.safety,
-                    }) %>
-                <% } %>
-            </div>
+            <% if (ctx.enableSafety) { %>
+                <div class='safety'>
+                    <% for (let safety of ['safe', 'sketchy', 'unsafe']) { %>
+                        <%= ctx.makeRadio({
+                            name: 'safety-' + ctx.uploadable.key,
+                            value: safety,
+                            text: safety[0].toUpperCase() + safety.substr(1),
+                            selectedValue: ctx.uploadable.safety,
+                        }) %>
+                    <% } %>
+                </div>
+            <% } %>
 
             <div class='options'>
                 <% if (ctx.canUploadAnonymously) { %>
diff --git a/client/html/posts_header.tpl b/client/html/posts_header.tpl
index e34f0610..e0ba0eae 100644
--- a/client/html/posts_header.tpl
+++ b/client/html/posts_header.tpl
@@ -1,24 +1,31 @@
 <div class='post-list-header'><%
-    %><form class='horizontal'><%
+    %><form class='horizontal search'><%
         %><%= ctx.makeTextInput({text: 'Search query', id: 'search-text', name: 'search-text', value: ctx.parameters.query}) %><%
         %><wbr/><%
         %><input class='mousetrap' type='submit' value='Search'/><%
         %><wbr/><%
-        %><input data-safety=safe type='button' class='mousetrap safety safety-safe <%- ctx.settings.listPosts.safe ? '' : 'disabled' %>'/><%
-        %><input data-safety=sketchy type='button' class='mousetrap safety safety-sketchy <%- ctx.settings.listPosts.sketchy ? '' : 'disabled' %>'/><%
-        %><input data-safety=unsafe type='button' class='mousetrap safety safety-unsafe <%- ctx.settings.listPosts.unsafe ? '' : 'disabled' %>'/><%
-        %><wbr/><%
-        %><a class='mousetrap button append' href='/help/search/posts'>Syntax help</a><%
-        %><% if (ctx.canMassTag) { %><%
-            %><wbr/><%
-            %><span class='masstag'><%
-                %><span class='append masstag-hint'>Tagging with:</span><%
-                %><a href class='mousetrap button append open-masstag'>Mass tag</a><%
-                %><wbr/><%
-                %><%= ctx.makeTextInput({name: 'masstag', value: ctx.parameters.tag}) %><%
-                %><input class='mousetrap start-tagging' type='submit' value='Start tagging'/><%
-                %><a href class='mousetrap button append stop-tagging'>Stop tagging</a><%
-            %></span><%
+        %><% if (ctx.enableSafety) { %><%
+            %><input data-safety=safe type='button' class='mousetrap safety safety-safe <%- ctx.settings.listPosts.safe ? '' : 'disabled' %>'/><%
+            %><input data-safety=sketchy type='button' class='mousetrap safety safety-sketchy <%- ctx.settings.listPosts.sketchy ? '' : 'disabled' %>'/><%
+            %><input data-safety=unsafe type='button' class='mousetrap safety safety-unsafe <%- ctx.settings.listPosts.unsafe ? '' : 'disabled' %>'/><%
         %><% } %><%
+        %><wbr/><%
+        %><a class='mousetrap button append' href='<%- ctx.formatClientLink('help', 'search', 'posts') %>'>Syntax help</a><%
     %></form><%
+    %><% if (ctx.canBulkEditTags) { %><%
+        %><form class='horizontal bulk-edit bulk-edit-tags'><%
+            %><span class='append hint'>Tagging with:</span><%
+            %><a href class='mousetrap button append open'>Mass tag</a><%
+            %><wbr/><%
+            %><%= ctx.makeTextInput({name: 'tag', value: ctx.parameters.tag}) %><%
+            %><input class='mousetrap start' type='submit' value='Start tagging'/><%
+            %><a href class='mousetrap button append close'>Stop tagging</a><%
+        %></form><%
+    %><% } %><%
+    %><% if (ctx.enableSafety && ctx.canBulkEditSafety) { %><%
+        %><form class='horizontal bulk-edit bulk-edit-safety'><%
+            %><a href class='mousetrap button append open'>Mass edit safety</a><%
+            %><a href class='mousetrap button append close'>Stop editing safety</a><%
+        %></form><%
+    %><% } %><%
 %></div>
diff --git a/client/html/posts_page.tpl b/client/html/posts_page.tpl
index e6e56127..6f0665c9 100644
--- a/client/html/posts_page.tpl
+++ b/client/html/posts_page.tpl
@@ -1,11 +1,11 @@
 <div class='post-list'>
-    <% if (ctx.results.length) { %>
+    <% if (ctx.response.results.length) { %>
         <ul>
-            <% for (let post of ctx.results) { %>
-                <li>
+            <% for (let post of ctx.response.results) { %>
+                <li data-post-id='<%= post.id %>'>
                     <a class='thumbnail-wrapper <%= post.tags.length > 0 ? "tags" : "no-tags" %>'
-                            title='@<%- post.id %> (<%- post.type %>)&#10;&#10;Tags: <%- post.tags.map(tag => '#' + tag).join(' ') || 'none' %>'
-                            href='<%= ctx.canViewPosts ? ctx.getPostUrl(post.id, ctx.parameters) : "" %>'>
+                            title='@<%- post.id %> (<%- post.type %>)&#10;&#10;Tags: <%- post.tags.map(tag => '#' + tag.names[0]).join(' ') || 'none' %>'
+                            href='<%= ctx.canViewPosts ? ctx.getPostUrl(post.id, ctx.parameters) : '' %>'>
                         <%= ctx.makeThumbnail(post.thumbnailUrl) %>
                         <span class='type' data-type='<%- post.type %>'>
                             <%- post.type %>
@@ -33,10 +33,20 @@
                             </span>
                         <% } %>
                     </a>
-                    <% if (ctx.canMassTag && ctx.parameters && ctx.parameters.tag) { %>
-                        <a href data-post-id='<%= post.id %>' class='masstag'>
-                        </a>
-                    <% } %>
+                    <span class='edit-overlay'>
+                        <% if (ctx.canBulkEditTags && ctx.parameters && ctx.parameters.tag) { %>
+                            <a href class='tag-flipper'>
+                            </a>
+                        <% } %>
+                        <% if (ctx.canBulkEditSafety && ctx.parameters && ctx.parameters.safety) { %>
+                            <span class='safety-flipper'>
+                                <% for (let safety of ['safe', 'sketchy', 'unsafe']) { %>
+                                    <a href data-safety='<%- safety %>' class='safety-<%- safety %><%- post.safety === safety ? ' active' : '' %>'>
+                                    </a>
+                                <% } %>
+                            </span>
+                        <% } %>
+                    </span>
                 </li>
             <% } %>
             <%= ctx.makeFlexboxAlign() %>
diff --git a/client/html/settings.tpl b/client/html/settings.tpl
index 258b941b..6d65d01e 100644
--- a/client/html/settings.tpl
+++ b/client/html/settings.tpl
@@ -5,7 +5,7 @@
         <ul class='input'>
             <li>
                 <%= ctx.makeCheckbox({
-                    text: "Enable keyboard shortcuts <a class='append icon' href='/help/keyboard'><i class='fa fa-question-circle-o'></i></a>",
+                    text: "Enable keyboard shortcuts <a class='append icon' href='" + ctx.formatClientLink('help', 'keyboard') + "'><i class='fa fa-question-circle-o'></i></a>",
                     name: 'keyboard-shortcuts',
                     checked: ctx.browsingSettings.keyboardShortcuts,
                 }) %>
diff --git a/client/html/snapshots_page.tpl b/client/html/snapshots_page.tpl
index c84e19f7..6650d651 100644
--- a/client/html/snapshots_page.tpl
+++ b/client/html/snapshots_page.tpl
@@ -1,7 +1,7 @@
 <div class='snapshot-list'>
-    <% if (ctx.results.length) { %>
+    <% if (ctx.response.results.length) { %>
         <ul>
-            <% for (let item of ctx.results) { %>
+            <% for (let item of ctx.response.results) { %>
                 <li>
                     <div class='header operation-<%= item.operation %>'>
                         <span class='time'>
diff --git a/client/html/tag.tpl b/client/html/tag.tpl
index 52f754db..497790eb 100644
--- a/client/html/tag.tpl
+++ b/client/html/tag.tpl
@@ -2,15 +2,15 @@
     <h1><%- ctx.tag.names[0] %></h1>
     <nav class='buttons'><!--
         --><ul><!--
-            --><li data-name='summary'><a href='/tag/<%- encodeURIComponent(ctx.tag.names[0]) %>'>Summary</a></li><!--
+            --><li data-name='summary'><a href='<%- ctx.formatClientLink('tag', ctx.tag.names[0]) %>'>Summary</a></li><!--
             --><% if (ctx.canEditAnything) { %><!--
-                --><li data-name='edit'><a href='/tag/<%- encodeURIComponent(ctx.tag.names[0]) %>/edit'>Edit</a></li><!--
+                --><li data-name='edit'><a href='<%- ctx.formatClientLink('tag', ctx.tag.names[0], 'edit') %>'>Edit</a></li><!--
             --><% } %><!--
             --><% if (ctx.canMerge) { %><!--
-                --><li data-name='merge'><a href='/tag/<%- encodeURIComponent(ctx.tag.names[0]) %>/merge'>Merge with&hellip;</a></li><!--
+                --><li data-name='merge'><a href='<%- ctx.formatClientLink('tag', ctx.tag.names[0], 'merge') %>'>Merge with&hellip;</a></li><!--
             --><% } %><!--
             --><% if (ctx.canDelete) { %><!--
-                --><li data-name='delete'><a href='/tag/<%- encodeURIComponent(ctx.tag.names[0]) %>/delete'>Delete</a></li><!--
+                --><li data-name='delete'><a href='<%- ctx.formatClientLink('tag', ctx.tag.names[0], 'delete') %>'>Delete</a></li><!--
             --><% } %><!--
         --></ul><!--
     --></nav>
diff --git a/client/html/tag_categories.tpl b/client/html/tag_categories.tpl
index f401d515..fe6b8987 100644
--- a/client/html/tag_categories.tpl
+++ b/client/html/tag_categories.tpl
@@ -1,17 +1,19 @@
 <div class='content-wrapper tag-categories'>
     <form>
         <h1>Tag categories</h1>
-        <table>
-            <thead>
-                <tr>
-                    <th class='name'>Category name</th>
-                    <th class='color'>CSS color</th>
-                    <th class='usages'>Usages</th>
-                </tr>
-            </thead>
-            <tbody>
-            </tbody>
-        </table>
+        <div class="table-wrap">
+            <table>
+                <thead>
+                    <tr>
+                        <th class='name'>Category name</th>
+                        <th class='color'>CSS color</th>
+                        <th class='usages'>Usages</th>
+                    </tr>
+                </thead>
+                <tbody>
+                </tbody>
+            </table>
+        </div>
 
         <% if (ctx.canCreate) { %>
             <p><a href class='add'>Add new category</a></p>
diff --git a/client/html/tag_category_row.tpl b/client/html/tag_category_row.tpl
index 3ec199c1..dcc8c16a 100644
--- a/client/html/tag_category_row.tpl
+++ b/client/html/tag_category_row.tpl
@@ -19,7 +19,7 @@
     </td>
     <td class='usages'>
         <% if (ctx.tagCategory.name) { %>
-            <a href='/tags/query=category:<%- encodeURIComponent(ctx.tagCategory.name) %>'>
+            <a href='<%- ctx.formatClientLink('tags', {query: 'category:' + ctx.tagCategory.name}) %>'>
                 <%- ctx.tagCategory.tagCount %>
             </a>
         <% } else { %>
diff --git a/client/html/tag_delete.tpl b/client/html/tag_delete.tpl
index 7dbfc1e6..e7be8cf2 100644
--- a/client/html/tag_delete.tpl
+++ b/client/html/tag_delete.tpl
@@ -1,6 +1,6 @@
 <div class='tag-delete'>
     <form>
-        <p>This tag has <a href='/posts/query=<%- encodeURIComponent(ctx.tag.names[0]) %>'><%- ctx.tag.postCount %> usage(s)</a>.</p>
+        <p>This tag has <a href='<%- ctx.formatClientLink('posts', {query: ctx.tag.names[0]}) %>'><%- ctx.tag.postCount %> usage(s)</a>.</p>
 
         <ul class='input'>
             <li>
diff --git a/client/html/tag_edit.tpl b/client/html/tag_edit.tpl
index a58c529e..49842852 100644
--- a/client/html/tag_edit.tpl
+++ b/client/html/tag_edit.tpl
@@ -22,18 +22,12 @@
             </li>
             <li class='implications'>
                 <% if (ctx.canEditImplications) { %>
-                    <%= ctx.makeTextInput({
-                        text: 'Implications',
-                        value: ctx.tag.implications.join(' '),
-                    }) %>
+                    <%= ctx.makeTextInput({text: 'Implications'}) %>
                 <% } %>
             </li>
             <li class='suggestions'>
                 <% if (ctx.canEditSuggestions) { %>
-                    <%= ctx.makeTextInput({
-                        text: 'Suggestions',
-                        value: ctx.tag.suggestions.join(' '),
-                    }) %>
+                    <%= ctx.makeTextInput({text: 'Suggestions'}) %>
                 <% } %>
             </li>
             <li class='description'>
diff --git a/client/html/tag_merge.tpl b/client/html/tag_merge.tpl
index 90d8aa63..0ffbdd2b 100644
--- a/client/html/tag_merge.tpl
+++ b/client/html/tag_merge.tpl
@@ -2,12 +2,14 @@
     <form>
         <ul class='input'>
             <li class='target'>
-                <%= ctx.makeTextInput({required: true, text: 'Target tag', pattern: ctx.tagNamePattern}) %>
+                <%= ctx.makeTextInput({name: 'target-tag', required: true, text: 'Target tag', pattern: ctx.tagNamePattern}) %>
             </li>
 
             <li>
                 <p>Usages in posts, suggestions and implications will be
-                merged. Category and aliases need to be handled manually.</p>
+                merged. Category needs to be handled manually.</p>
+
+                <%= ctx.makeCheckbox({name: 'alias', text: 'Make this tag an alias of the target tag.'}) %>
 
                 <%= ctx.makeCheckbox({required: true, text: 'I confirm that I want to merge this tag.'}) %>
             </li>
diff --git a/client/html/tag_summary.tpl b/client/html/tag_summary.tpl
index 6938e344..ad000841 100644
--- a/client/html/tag_summary.tpl
+++ b/client/html/tag_summary.tpl
@@ -9,7 +9,7 @@
         Aliases:<br/>
         <ul><!--
             --><% for (let name of ctx.tag.names.slice(1)) { %><!--
-                --><li><%= ctx.makeTagLink(name) %></li><!--
+                --><li><%= ctx.makeTagLink(name, false, false, ctx.tag) %></li><!--
             --><% } %><!--
         --></ul>
         </section>
@@ -18,7 +18,7 @@
         Implications:<br/>
         <ul><!--
             --><% for (let tag of ctx.tag.implications) { %><!--
-                --><li><%= ctx.makeTagLink(tag) %></li><!--
+                --><li><%= ctx.makeTagLink(tag.names[0], false, false, tag) %></li><!--
             --><% } %><!--
         --></ul>
         </section>
@@ -27,7 +27,7 @@
         Suggestions:<br/>
         <ul><!--
             --><% for (let tag of ctx.tag.suggestions) { %><!--
-                --><li><%= ctx.makeTagLink(tag) %></li><!--
+                --><li><%= ctx.makeTagLink(tag.names[0], false, false, tag) %></li><!--
             --><% } %><!--
         --></ul>
         </section>
@@ -36,6 +36,6 @@
     <section class='description'>
         <hr/>
         <%= ctx.makeMarkdown(ctx.tag.description || 'This tag has no description yet.') %>
-        <p>This tag has <a href='/posts/query=<%- encodeURIComponent(ctx.tag.names[0]) %>'><%- ctx.tag.postCount %> usage(s)</a>.</p>
+        <p>This tag has <a href='<%- ctx.formatClientLink('posts', {query: ctx.tag.names[0]}) %>'><%- ctx.tag.postCount %> usage(s)</a>.</p>
     </section>
 </div>
diff --git a/client/html/tags_header.tpl b/client/html/tags_header.tpl
index ed641279..59c5bcbc 100644
--- a/client/html/tags_header.tpl
+++ b/client/html/tags_header.tpl
@@ -8,9 +8,9 @@
 
         <div class='buttons'>
             <input type='submit' value='Search'/>
-            <a class='button append' href='/help/search/tags'>Syntax help</a>
+            <a class='button append' href='<%- ctx.formatClientLink('help', 'search', 'tags') %>'>Syntax help</a>
             <% if (ctx.canEditTagCategories) { %>
-                <a class='append' href='/tag-categories'>Tag categories</a>
+                <a class='append' href='<%- ctx.formatClientLink('tag-categories') %>'>Tag categories</a>
             <% } %>
         </div>
     </form>
diff --git a/client/html/tags_page.tpl b/client/html/tags_page.tpl
index d66b342e..8c973984 100644
--- a/client/html/tags_page.tpl
+++ b/client/html/tags_page.tpl
@@ -1,58 +1,58 @@
-<div class='tag-list'>
-    <% if (ctx.results.length) { %>
+<div class='tag-list table-wrap'>
+    <% if (ctx.response.results.length) { %>
         <table>
             <thead>
                 <th class='names'>
                     <% if (ctx.query == 'sort:name' || !ctx.query) { %>
-                        <a href='/tags/query=-sort:name'>Tag name(s)</a>
+                        <a href='<%- ctx.formatClientLink('tags', {query: '-sort:name'}) %>'>Tag name(s)</a>
                     <% } else { %>
-                        <a href='/tags/query=sort:name'>Tag name(s)</a>
+                        <a href='<%- ctx.formatClientLink('tags', {query: 'sort:name'}) %>'>Tag name(s)</a>
                     <% } %>
                 </th>
                 <th class='implications'>
                     <% if (ctx.query == 'sort:implication-count') { %>
-                        <a href='/tags/query=-sort:implication-count'>Implications</a>
+                        <a href='<%- ctx.formatClientLink('tags', {query: '-sort:implication-count'}) %>'>Implications</a>
                     <% } else { %>
-                        <a href='/tags/query=sort:implication-count'>Implications</a>
+                        <a href='<%- ctx.formatClientLink('tags', {query: 'sort:implication-count'}) %>'>Implications</a>
                     <% } %>
                 </th>
                 <th class='suggestions'>
                     <% if (ctx.query == 'sort:suggestion-count') { %>
-                        <a href='/tags/query=-sort:suggestion-count'>Suggestions</a>
+                        <a href='<%- ctx.formatClientLink('tags', {query: '-sort:suggestion-count'}) %>'>Suggestions</a>
                     <% } else { %>
-                        <a href='/tags/query=sort:suggestion-count'>Suggestions</a>
+                        <a href='<%- ctx.formatClientLink('tags', {query: 'sort:suggestion-count'}) %>'>Suggestions</a>
                     <% } %>
                 </th>
                 <th class='usages'>
                     <% if (ctx.query == 'sort:usages') { %>
-                        <a href='/tags/query=-sort:usages'>Usages</a>
+                        <a href='<%- ctx.formatClientLink('tags', {query: '-sort:usages'}) %>'>Usages</a>
                     <% } else { %>
-                        <a href='/tags/query=sort:usages'>Usages</a>
+                        <a href='<%- ctx.formatClientLink('tags', {query: 'sort:usages'}) %>'>Usages</a>
                     <% } %>
                 </th>
                 <th class='creation-time'>
                     <% if (ctx.query == 'sort:creation-time') { %>
-                        <a href='/tags/query=-sort:creation-time'>Created on</a>
+                        <a href='<%- ctx.formatClientLink('tags', {query: '-sort:creation-time'}) %>'>Created on</a>
                     <% } else { %>
-                        <a href='/tags/query=sort:creation-time'>Created on</a>
+                        <a href='<%- ctx.formatClientLink('tags', {query: 'sort:creation-time'}) %>'>Created on</a>
                     <% } %>
                 </th>
             </thead>
             <tbody>
-                <% for (let tag of ctx.results) { %>
+                <% for (let tag of ctx.response.results) { %>
                     <tr>
                         <td class='names'>
                             <ul>
                                 <% for (let name of tag.names) { %>
-                                    <li><%= ctx.makeTagLink(name) %></li>
+                                    <li><%= ctx.makeTagLink(name, false, false, tag) %></li>
                                 <% } %>
                             </ul>
                         </td>
                         <td class='implications'>
                             <% if (tag.implications.length) { %>
                                 <ul>
-                                    <% for (let name of tag.implications) { %>
-                                        <li><%= ctx.makeTagLink(name) %></li>
+                                    <% for (let relation of tag.implications) { %>
+                                        <li><%= ctx.makeTagLink(relation.names[0], false, false, relation) %></li>
                                     <% } %>
                                 </ul>
                             <% } else { %>
@@ -62,8 +62,8 @@
                         <td class='suggestions'>
                             <% if (tag.suggestions.length) { %>
                                 <ul>
-                                    <% for (let name of tag.suggestions) { %>
-                                        <li><%= ctx.makeTagLink(name) %></li>
+                                    <% for (let relation of tag.suggestions) { %>
+                                        <li><%= ctx.makeTagLink(relation.names[0], false, false, relation) %></li>
                                     <% } %>
                                 </ul>
                             <% } else { %>
diff --git a/client/html/top_navigation.tpl b/client/html/top_navigation.tpl
index b0689820..f1af4610 100644
--- a/client/html/top_navigation.tpl
+++ b/client/html/top_navigation.tpl
@@ -1,5 +1,9 @@
 <nav id='top-navigation' class='buttons'><!--
     --><ul><!--
+        --><button id="mobile-navigation-toggle"><!--
+            --><span class="site-name"><%- ctx.name %></span><!--
+            --><span class="toggle-icon"><i class="fa fa-bars"></i></span><!--
+        --></button><!--
         --><% for (let item of ctx.items) { %><!--
             --><% if (item.available) { %><!--
                 --><li data-name='<%- item.key %>'><!--
diff --git a/client/html/user.tpl b/client/html/user.tpl
index 4e7d00ae..75c721f3 100644
--- a/client/html/user.tpl
+++ b/client/html/user.tpl
@@ -2,12 +2,15 @@
     <h1><%- ctx.user.name %></h1>
     <nav class='buttons'><!--
         --><ul><!--
-            --><li data-name='summary'><a href='/user/<%- encodeURIComponent(ctx.user.name) %>'>Summary</a></li><!--
+            --><li data-name='summary'><a href='<%- ctx.formatClientLink('user', ctx.user.name) %>'>Summary</a></li><!--
             --><% if (ctx.canEditAnything) { %><!--
-                --><li data-name='edit'><a href='/user/<%- encodeURIComponent(ctx.user.name) %>/edit'>Account settings</a></li><!--
+                --><li data-name='edit'><a href='<%- ctx.formatClientLink('user', ctx.user.name, 'edit') %>'>Settings</a></li><!--
+            --><% } %><!--
+            --><% if (ctx.canListTokens) { %><!--
+                --><li data-name='list-tokens'><a href='<%- ctx.formatClientLink('user', ctx.user.name, 'list-tokens') %>'>Login tokens</a></li><!--
             --><% } %><!--
             --><% if (ctx.canDelete) { %><!--
-                --><li data-name='delete'><a href='/user/<%- encodeURIComponent(ctx.user.name) %>/delete'>Account deletion</a></li><!--
+                --><li data-name='delete'><a href='<%- ctx.formatClientLink('user', ctx.user.name, 'delete') %>'>Delete</a></li><!--
             --><% } %><!--
         --></ul><!--
     --></nav>
diff --git a/client/html/user_registration.tpl b/client/html/user_registration.tpl
index e0e0f81c..a6d291f4 100644
--- a/client/html/user_registration.tpl
+++ b/client/html/user_registration.tpl
@@ -51,6 +51,6 @@
             <li><i class='fa fa-star-half-o'></i> vote up/down on posts and comments</li>
         </ul>
         <hr/>
-        <p>By creating an account, you are agreeing to the <a href='/help/tos'>Terms of Service</a>.</p>
+        <p>By creating an account, you are agreeing to the <a href='<%- ctx.formatClientLink('help', 'tos') %>'>Terms of Service</a>.</p>
     </div>
 </div>
diff --git a/client/html/user_summary.tpl b/client/html/user_summary.tpl
index b2d40ace..1a33a57f 100644
--- a/client/html/user_summary.tpl
+++ b/client/html/user_summary.tpl
@@ -10,9 +10,9 @@
         <nav>
             <p><strong>Quick links</strong></p>
             <ul>
-                <li><a href='/posts/query=submit:<%- encodeURIComponent(ctx.user.name) %>'><%- ctx.user.uploadedPostCount %> uploads</a></li>
-                <li><a href='/posts/query=fav:<%- encodeURIComponent(ctx.user.name) %>'><%- ctx.user.favoritePostCount %> favorites</a></li>
-                <li><a href='/posts/query=comment:<%- encodeURIComponent(ctx.user.name) %>'><%- ctx.user.commentCount %> comments</a></li>
+                <li><a href='<%- ctx.formatClientLink('posts', {query: 'submit:' + ctx.user.name}) %>'><%- ctx.user.uploadedPostCount %> uploads</a></li>
+                <li><a href='<%- ctx.formatClientLink('posts', {query: 'fav:' + ctx.user.name}) %>'><%- ctx.user.favoritePostCount %> favorites</a></li>
+                <li><a href='<%- ctx.formatClientLink('posts', {query: 'comment:' + ctx.user.name}) %>'><%- ctx.user.commentCount %> comments</a></li>
             </ul>
         </nav>
 
@@ -20,8 +20,8 @@
             <nav>
                 <p><strong>Only visible to you</strong></p>
                 <ul>
-                    <li><a href='/posts/query=special:liked'><%- ctx.user.likedPostCount %> liked posts</a></li>
-                    <li><a href='/posts/query=special:disliked'><%- ctx.user.dislikedPostCount %> disliked posts</a></li>
+                    <li><a href='<%- ctx.formatClientLink('posts', {query: 'special:liked'}) %>'><%- ctx.user.likedPostCount %> liked posts</a></li>
+                    <li><a href='<%- ctx.formatClientLink('posts', {query: 'special:disliked'}) %>'><%- ctx.user.dislikedPostCount %> disliked posts</a></li>
                 </ul>
             </nav>
         <% } %>
diff --git a/client/html/user_tokens.tpl b/client/html/user_tokens.tpl
new file mode 100644
index 00000000..73db7a17
--- /dev/null
+++ b/client/html/user_tokens.tpl
@@ -0,0 +1,74 @@
+<div id='user-tokens'>
+    <div class='messages'></div>
+    <% if (ctx.tokens.length > 0) { %>
+    <div class='token-flex-container'>
+        <% _.each(ctx.tokens, function(token, index) { %>
+        <div class='token-flex-row'>
+            <div class='token-flex-column token-flex-labels'>
+                <div class='token-flex-row'>Token:</div>
+                <div class='token-flex-row'>Note:</div>
+                <div class='token-flex-row'>Created:</div>
+                <div class='token-flex-row'>Expires:</div>
+                <div class='token-flex-row no-wrap'>Last used:</div>
+            </div>
+            <div class='token-flex-column full-width'>
+                <div class='token-flex-row'><%= token.token %></div>
+                <div class='token-flex-row'>
+                    <% if (token.note !== null) { %>
+                        <%= token.note %>
+                    <% } else { %>
+                        No note
+                    <% } %>
+                    <a class='token-change-note' data-token-id='<%= index %>' href='#'>(change)</a>
+                </div>
+                <div class='token-flex-row'><%= ctx.makeRelativeTime(token.creationTime) %></div>
+                <div class='token-flex-row'>
+                    <% if (token.expirationTime) { %>
+                        <%= ctx.makeRelativeTime(token.expirationTime) %>
+                    <% } else { %>
+                        No expiration
+                    <% } %>
+                </div>
+                <div class='token-flex-row'><%= ctx.makeRelativeTime(token.lastUsageTime) %></div>
+            </div>
+        </div>
+        <div class='token-flex-row'>
+            <div class='token-flex-column full-width'>
+                <div class='token-flex-row'>
+                    <form class='token' data-token-id='<%= index %>'>
+                        <% if (token.isCurrentAuthToken) { %>
+                            <input type='submit' value='Delete and logout'
+                                title='This token is used to authenticate this client, deleting it will force a logout.'/>
+                        <% } else { %>
+                            <input type='submit' value='Delete'/>
+                        <% } %>
+                    </form>
+                </div>
+            </div>
+        </div>
+        <hr/>
+        <% }); %>
+    </div>
+    <% } else { %>
+        <h2>No Registered Tokens</h2>
+    <% } %>
+    <form id='create-token-form'>
+        <ul class='input'>
+            <li class='note'>
+                <%= ctx.makeTextInput({
+                    text: 'Note',
+                    id: 'note',
+                }) %>
+            </li>
+            <li class='expirationTime'>
+                <%= ctx.makeDateInput({
+                    text: 'Expires',
+                    id: 'expirationTime',
+                }) %>
+            </li>
+        </ul>
+        <div class='buttons'>
+            <input type='submit' value='Create token'/>
+        </div>
+    </form>
+</div>
diff --git a/client/html/users_header.tpl b/client/html/users_header.tpl
index 6cefe556..7faab8ea 100644
--- a/client/html/users_header.tpl
+++ b/client/html/users_header.tpl
@@ -8,7 +8,7 @@
 
         <div class='buttons'>
             <input type='submit' value='Search'/>
-            <a class='append' href='/help/search/users'>Syntax help</a>
+            <a class='append' href='<%- ctx.formatClientLink('help', 'search', 'users') %>'>Syntax help</a>
         </div>
     </form>
 </div>
diff --git a/client/html/users_page.tpl b/client/html/users_page.tpl
index 61b07f84..f09c2077 100644
--- a/client/html/users_page.tpl
+++ b/client/html/users_page.tpl
@@ -1,10 +1,10 @@
 <div class='user-list'>
     <ul><!--
-        --><% for (let user of ctx.results) { %><!--
+        --><% for (let user of ctx.response.results) { %><!--
             --><li>
                 <div class='wrapper'>
                     <% if (ctx.canViewUsers) { %>
-                        <a class='image' href='/user/<%- encodeURIComponent(user.name) %>'>
+                        <a class='image' href='<%- ctx.formatClientLink('user', user.name) %>'>
                     <% } %>
                         <%= ctx.makeThumbnail(user.avatarUrl) %>
                     <% if (ctx.canViewUsers) { %>
@@ -12,7 +12,7 @@
                     <% } %>
                     <div class='details'>
                         <% if (ctx.canViewUsers) { %>
-                            <a href='/user/<%- encodeURIComponent(user.name) %>'>
+                            <a href='<%- ctx.formatClientLink('user', user.name) %>'>
                         <% } %>
                             <%- user.name %>
                         <% if (ctx.canViewUsers) { %>
diff --git a/client/js/api.js b/client/js/api.js
index 0b0ed541..de612f0d 100644
--- a/client/js/api.js
+++ b/client/js/api.js
@@ -2,11 +2,12 @@
 
 const cookies = require('js-cookie');
 const request = require('superagent');
-const config = require('./config.js');
 const events = require('./events.js');
 const progress = require('./util/progress.js');
+const uri = require('./util/uri.js');
 
 let fileTokens = {};
+let remoteConfig = null;
 
 class Api extends events.EventTarget {
     constructor() {
@@ -14,6 +15,7 @@ class Api extends events.EventTarget {
         this.user = null;
         this.userName = null;
         this.userPassword = null;
+        this.token = null;
         this.cache = {};
         this.allRanks = [
             'anonymous',
@@ -63,14 +65,53 @@ class Api extends events.EventTarget {
         return this._wrappedRequest(url, request.delete, data, {}, options);
     }
 
+    fetchConfig() {
+        if (remoteConfig === null) {
+            return this.get(uri.formatApiLink('info'))
+                .then(response => {
+                    remoteConfig = response.config;
+                });
+        } else {
+            return Promise.resolve();
+        }
+    }
+
+    getName() {
+        return remoteConfig.name;
+    }
+
+    getTagNameRegex() {
+        return remoteConfig.tagNameRegex;
+    }
+
+    getPasswordRegex() {
+        return remoteConfig.passwordRegex;
+    }
+
+    getUserNameRegex() {
+        return remoteConfig.userNameRegex;
+    }
+
+    getContactEmail() {
+        return remoteConfig.contactEmail;
+    }
+
+    canSendMails() {
+        return !!remoteConfig.canSendMails;
+    }
+
+    safetyEnabled() {
+        return !!remoteConfig.enableSafety;
+    }
+
     hasPrivilege(lookup) {
         let minViableRank = null;
-        for (let privilege of Object.keys(config.privileges)) {
-            if (!privilege.startsWith(lookup)) {
+        for (let p of Object.keys(remoteConfig.privileges)) {
+            if (!p.startsWith(lookup)) {
                 continue;
             }
-            const rankName = config.privileges[privilege];
-            const rankIndex = this.allRanks.indexOf(rankName);
+            const rankIndex = this.allRanks.indexOf(
+                remoteConfig.privileges[p]);
             if (minViableRank === null || rankIndex < minViableRank) {
                 minViableRank = rankIndex;
             }
@@ -86,11 +127,76 @@ class Api extends events.EventTarget {
 
     loginFromCookies() {
         const auth = cookies.getJSON('auth');
-        return auth && auth.user && auth.password ?
-            this.login(auth.user, auth.password, true) :
+        return auth && auth.user && auth.token ?
+            this.loginWithToken(auth.user, auth.token, true) :
             Promise.resolve();
     }
 
+    loginWithToken(userName, token, doRemember) {
+        this.cache = {};
+        return new Promise((resolve, reject) => {
+            this.userName = userName;
+            this.token = token;
+            this.get('/user/' + userName + '?bump-login=true')
+                .then(response => {
+                    const options = {};
+                    if (doRemember) {
+                        options.expires = 365;
+                    }
+                    cookies.set(
+                        'auth',
+                        {'user': userName, 'token': token},
+                        options);
+                    this.user = response;
+                    resolve();
+                    this.dispatchEvent(new CustomEvent('login'));
+                }, error => {
+                    reject(error);
+                    this.logout();
+                });
+        });
+    }
+
+    createToken(userName, options) {
+        let userTokenRequest = {
+            enabled: true,
+            note: 'Web Login Token'
+        };
+        if (typeof options.expires !== 'undefined') {
+            userTokenRequest.expirationTime = new Date().addDays(options.expires).toISOString()
+        }
+        return new Promise((resolve, reject) => {
+            this.post('/user-token/' + userName, userTokenRequest)
+                .then(response => {
+                    cookies.set(
+                        'auth',
+                        {'user': userName, 'token': response.token},
+                        options);
+                    this.userName = userName;
+                    this.token = response.token;
+                    this.userPassword = null;
+                }, error => {
+                    reject(error);
+                });
+        });
+    }
+
+    deleteToken(userName, userToken) {
+        return new Promise((resolve, reject) => {
+            this.delete('/user-token/' + userName + '/' + userToken, {})
+                .then(response => {
+                    const options = {};
+                    cookies.set(
+                        'auth',
+                        {'user': userName, 'token': null},
+                        options);
+                    resolve();
+                }, error => {
+                    reject(error);
+                });
+        });
+    }
+
     login(userName, userPassword, doRemember) {
         this.cache = {};
         return new Promise((resolve, reject) => {
@@ -102,10 +208,7 @@ class Api extends events.EventTarget {
                     if (doRemember) {
                         options.expires = 365;
                     }
-                    cookies.set(
-                        'auth',
-                        {'user': userName, 'password': userPassword},
-                        options);
+                    this.createToken(this.userName, options);
                     this.user = response;
                     resolve();
                     this.dispatchEvent(new CustomEvent('login'));
@@ -117,9 +220,20 @@ class Api extends events.EventTarget {
     }
 
     logout() {
+        let self = this;
+        this.deleteToken(this.userName, this.token)
+            .then(response => {
+                self._logout();
+            }, error => {
+                self._logout();
+            });
+    }
+
+    _logout() {
         this.user = null;
         this.userName = null;
         this.userPassword = null;
+        this.token = null;
         this.dispatchEvent(new CustomEvent('logout'));
     }
 
@@ -136,9 +250,13 @@ class Api extends events.EventTarget {
         }
     }
 
+    isCurrentAuthToken(userToken) {
+        return userToken.token === this.token;
+    }
+
     _getFullUrl(url) {
         const fullUrl =
-            (config.apiUrl + '/' + url).replace(/([^:])\/+/g, '$1/');
+            ('/api/' + url).replace(/([^:])\/+/g, '$1/');
         const matches = fullUrl.match(/^([^?]*)\??(.*)$/);
         const baseUrl = matches[1];
         const request = matches[2];
@@ -257,7 +375,11 @@ class Api extends events.EventTarget {
             }
 
             try {
-                if (this.userName && this.userPassword) {
+                if (this.userName && this.token) {
+                    req.auth = null;
+                    req.set('Authorization', 'Token '
+                        + new Buffer(this.userName + ":" + this.token).toString('base64'))
+                } else if (this.userName && this.userPassword) {
                     req.auth(
                         this.userName,
                         encodeURIComponent(this.userPassword)
diff --git a/client/js/controllers/auth_controller.js b/client/js/controllers/auth_controller.js
index 42e6c0a2..2838e531 100644
--- a/client/js/controllers/auth_controller.js
+++ b/client/js/controllers/auth_controller.js
@@ -2,6 +2,7 @@
 
 const router = require('../router.js');
 const api = require('../api.js');
+const uri = require('../util/uri.js');
 const topNavigation = require('../models/top_navigation.js');
 const LoginView = require('../views/login_view.js');
 
@@ -21,7 +22,7 @@ class LoginController {
         api.forget();
         api.login(e.detail.name, e.detail.password, e.detail.remember)
             .then(() => {
-                const ctx = router.show('/');
+                const ctx = router.show(uri.formatClientLink());
                 ctx.controller.showSuccess('Logged in');
             }, error => {
                 this._loginView.showError(error.message);
@@ -34,16 +35,16 @@ class LogoutController {
     constructor() {
         api.forget();
         api.logout();
-        const ctx = router.show('/');
+        const ctx = router.show(uri.formatClientLink());
         ctx.controller.showSuccess('Logged out');
     }
 }
 
 module.exports = router => {
-    router.enter('/login', (ctx, next) => {
+    router.enter(['login'], (ctx, next) => {
         ctx.controller = new LoginController();
     });
-    router.enter('/logout', (ctx, next) => {
+    router.enter(['logout'], (ctx, next) => {
         ctx.controller = new LogoutController();
     });
 };
diff --git a/client/js/controllers/comments_controller.js b/client/js/controllers/comments_controller.js
index a7cb76ea..2de638cb 100644
--- a/client/js/controllers/comments_controller.js
+++ b/client/js/controllers/comments_controller.js
@@ -1,7 +1,7 @@
 'use strict';
 
 const api = require('../api.js');
-const misc = require('../util/misc.js');
+const uri = require('../util/uri.js');
 const PostList = require('../models/post_list.js');
 const topNavigation = require('../models/top_navigation.js');
 const PageController = require('../controllers/page_controller.js');
@@ -25,14 +25,16 @@ class CommentsController {
         this._pageController = new PageController();
         this._pageController.run({
             parameters: ctx.parameters,
-            getClientUrlForPage: page => {
+            defaultLimit: 10,
+            getClientUrlForPage: (offset, limit) => {
                 const parameters = Object.assign(
-                    {}, ctx.parameters, {page: page});
-                return '/comments/' + misc.formatUrlParameters(parameters);
+                    {}, ctx.parameters, {offset: offset, limit: limit});
+                return uri.formatClientLink('comments', parameters);
             },
-            requestPage: page => {
+            requestPage: (offset, limit) => {
                 return PostList.search(
-                    'sort:comment-date comment-count-min:1', page, 10, fields);
+                    'sort:comment-date comment-count-min:1',
+                    offset, limit, fields);
             },
             pageRenderer: pageCtx => {
                 Object.assign(pageCtx, {
@@ -69,7 +71,6 @@ class CommentsController {
 };
 
 module.exports = router => {
-    router.enter('/comments/:parameters?',
-        (ctx, next) => { misc.parseUrlParametersRoute(ctx, next); },
+    router.enter(['comments'],
         (ctx, next) => { new CommentsController(ctx); });
 };
diff --git a/client/js/controllers/help_controller.js b/client/js/controllers/help_controller.js
index 2010176d..8e65346b 100644
--- a/client/js/controllers/help_controller.js
+++ b/client/js/controllers/help_controller.js
@@ -12,13 +12,13 @@ class HelpController {
 }
 
 module.exports = router => {
-    router.enter('/help', (ctx, next) => {
+    router.enter(['help'], (ctx, next) => {
         new HelpController();
     });
-    router.enter('/help/:section', (ctx, next) => {
+    router.enter(['help', ':section'], (ctx, next) => {
         new HelpController(ctx.parameters.section);
     });
-    router.enter('/help/:section/:subsection', (ctx, next) => {
+    router.enter(['help', ':section', ':subsection'], (ctx, next) => {
         new HelpController(ctx.parameters.section, ctx.parameters.subsection);
     });
 };
diff --git a/client/js/controllers/home_controller.js b/client/js/controllers/home_controller.js
index 8619c1ad..cc22ca95 100644
--- a/client/js/controllers/home_controller.js
+++ b/client/js/controllers/home_controller.js
@@ -12,7 +12,7 @@ class HomeController {
         topNavigation.setTitle('Home');
 
         this._homeView = new HomeView({
-            name: config.name,
+            name: api.getName(),
             version: config.meta.version,
             buildDate: config.meta.buildDate,
             canListSnapshots: api.hasPrivilege('snapshots:list'),
@@ -44,7 +44,7 @@ class HomeController {
 };
 
 module.exports = router => {
-    router.enter('/', (ctx, next) => {
+    router.enter([], (ctx, next) => {
         ctx.controller = new HomeController();
     });
 };
diff --git a/client/js/controllers/not_found_controller.js b/client/js/controllers/not_found_controller.js
index 1d54b219..66f52e92 100644
--- a/client/js/controllers/not_found_controller.js
+++ b/client/js/controllers/not_found_controller.js
@@ -12,7 +12,7 @@ class NotFoundController {
 };
 
 module.exports = router => {
-    router.enter('*', (ctx, next) => {
+    router.enter(null, (ctx, next) => {
         ctx.controller = new NotFoundController(ctx.canonicalPath);
     });
 };
diff --git a/client/js/controllers/page_controller.js b/client/js/controllers/page_controller.js
index 6f86e0ca..ae55804f 100644
--- a/client/js/controllers/page_controller.js
+++ b/client/js/controllers/page_controller.js
@@ -18,12 +18,6 @@ class PageController {
     }
 
     run(ctx) {
-        const extendedContext = {
-            getClientUrlForPage: ctx.getClientUrlForPage,
-            parameters: ctx.parameters,
-        };
-
-        ctx.pageContext = Object.assign({}, extendedContext);
         this._view.run(ctx);
     }
 
diff --git a/client/js/controllers/password_reset_controller.js b/client/js/controllers/password_reset_controller.js
index 3bd77fd5..e0a9801f 100644
--- a/client/js/controllers/password_reset_controller.js
+++ b/client/js/controllers/password_reset_controller.js
@@ -2,6 +2,7 @@
 
 const router = require('../router.js');
 const api = require('../api.js');
+const uri = require('../util/uri.js');
 const topNavigation = require('../models/top_navigation.js');
 const PasswordResetView = require('../views/password_reset_view.js');
 
@@ -20,7 +21,7 @@ class PasswordResetController {
         this._passwordResetView.disableForm();
         api.forget();
         api.logout();
-        api.get('/password-reset/' + e.detail.userNameOrEmail)
+        api.get(uri.formatApiLink('password-reset', e.detail.userNameOrEmail))
             .then(() => {
                 this._passwordResetView.showSuccess(
                     'E-mail has been sent. To finish the procedure, ' +
@@ -37,26 +38,26 @@ class PasswordResetFinishController {
         api.forget();
         api.logout();
         let password = null;
-        api.post('/password-reset/' + name, {token: token})
+        api.post(uri.formatApiLink('password-reset', name), {token: token})
             .then(response => {
                 password = response.password;
                 return api.login(name, password, false);
             }).then(() => {
-                const ctx = router.show('/');
+                const ctx = router.show(uri.formatClientLink());
                 ctx.controller.showSuccess('New password: ' + password);
             }, error => {
-                const ctx = router.show('/');
+                const ctx = router.show(uri.formatClientLink());
                 ctx.controller.showError(error.message);
             });
     }
 }
 
 module.exports = router => {
-    router.enter('/password-reset', (ctx, next) => {
+    router.enter(['password-reset'], (ctx, next) => {
         ctx.controller = new PasswordResetController();
     });
-    router.enter(/\/password-reset\/([^:]+):([^:]+)$/, (ctx, next) => {
-        ctx.controller = new PasswordResetFinishController(
-            ctx.parameters[0], ctx.parameters[1]);
+    router.enter(['password-reset', ':descriptor'], (ctx, next) => {
+        const [name, token] = ctx.parameters.descriptor.split(':', 2);
+        ctx.controller = new PasswordResetFinishController(name, token);
     });
 };
diff --git a/client/js/controllers/post_detail_controller.js b/client/js/controllers/post_detail_controller.js
index 3930b5e2..47d5430c 100644
--- a/client/js/controllers/post_detail_controller.js
+++ b/client/js/controllers/post_detail_controller.js
@@ -3,6 +3,7 @@
 const router = require('../router.js');
 const api = require('../api.js');
 const misc = require('../util/misc.js');
+const uri = require('../util/uri.js');
 const settings = require('../models/settings.js');
 const Post = require('../models/post.js');
 const PostList = require('../models/post_list.js');
@@ -55,7 +56,8 @@ class PostDetailController extends BasePostController {
         misc.disableExitConfirmation();
         if (this._id !== e.detail.post.id) {
             router.replace(
-                '/post/' + e.detail.post.id + '/' + section, null, false);
+                uri.formatClientLink('post', e.detail.post.id, section),
+                null, false);
         }
     }
 
@@ -67,7 +69,9 @@ class PostDetailController extends BasePostController {
                 this._installView(e.detail.post, 'merge');
                 this._view.showSuccess('Post merged.');
                 router.replace(
-                    '/post/' + e.detail.targetPost.id + '/merge', null, false);
+                    uri.formatClientLink(
+                        'post', e.detail.targetPost.id, 'merge'),
+                    null, false);
             }, error => {
                 this._view.showError(error.message);
                 this._view.enableForm();
@@ -77,7 +81,7 @@ class PostDetailController extends BasePostController {
 
 module.exports = router => {
     router.enter(
-        '/post/:id/merge',
+        ['post', ':id', 'merge'],
         (ctx, next) => {
             ctx.controller = new PostDetailController(ctx, 'merge');
         });
diff --git a/client/js/controllers/post_list_controller.js b/client/js/controllers/post_list_controller.js
index f7928b07..fd1adfea 100644
--- a/client/js/controllers/post_list_controller.js
+++ b/client/js/controllers/post_list_controller.js
@@ -1,8 +1,9 @@
 'use strict';
 
+const router = require('../router.js');
 const api = require('../api.js');
 const settings = require('../models/settings.js');
-const misc = require('../util/misc.js');
+const uri = require('../util/uri.js');
 const PostList = require('../models/post_list.js');
 const topNavigation = require('../models/top_navigation.js');
 const PageController = require('../controllers/page_controller.js');
@@ -11,7 +12,7 @@ const PostsPageView = require('../views/posts_page_view.js');
 const EmptyView = require('../views/empty_view.js');
 
 const fields = [
-    'id', 'thumbnailUrl', 'type',
+    'id', 'thumbnailUrl', 'type', 'safety',
     'score', 'favoriteCount', 'commentCount', 'tags', 'version'];
 
 class PostListController {
@@ -31,8 +32,12 @@ class PostListController {
         this._headerView = new PostsHeaderView({
             hostNode: this._pageController.view.pageHeaderHolderNode,
             parameters: ctx.parameters,
-            canMassTag: api.hasPrivilege('tags:masstag'),
-            massTagTags: this._massTagTags,
+            enableSafety: api.safetyEnabled(),
+            canBulkEditTags: api.hasPrivilege('posts:bulk-edit:tags'),
+            canBulkEditSafety: api.hasPrivilege('posts:bulk-edit:safety'),
+            bulkEdit: {
+                tags: this._bulkEditTags
+            },
         });
         this._headerView.addEventListener(
             'navigate', e => this._evtNavigate(e));
@@ -44,68 +49,65 @@ class PostListController {
         this._pageController.showSuccess(message);
     }
 
-    get _massTagTags() {
+    get _bulkEditTags() {
         return (this._ctx.parameters.tag || '').split(/\s+/).filter(s => s);
     }
 
     _evtNavigate(e) {
-        history.pushState(
-            null,
-            window.title,
-            '/posts/' + misc.formatUrlParameters(e.detail.parameters));
+        router.showNoDispatch(
+            uri.formatClientLink('posts', e.detail.parameters));
         Object.assign(this._ctx.parameters, e.detail.parameters);
         this._syncPageController();
     }
 
     _evtTag(e) {
-        for (let tag of this._massTagTags) {
-            e.detail.post.addTag(tag);
-        }
-        e.detail.post.save().catch(error => window.alert(error.message));
+        Promise.all(
+            this._bulkEditTags.map(tag =>
+                e.detail.post.tags.addByName(tag)))
+            .then(e.detail.post.save())
+            .catch(error => window.alert(error.message));
     }
 
     _evtUntag(e) {
-        for (let tag of this._massTagTags) {
-            e.detail.post.removeTag(tag);
+        for (let tag of this._bulkEditTags) {
+            e.detail.post.tags.removeByName(tag);
         }
         e.detail.post.save().catch(error => window.alert(error.message));
     }
 
-    _decorateSearchQuery(text) {
-        const browsingSettings = settings.get();
-        let disabledSafety = [];
-        for (let key of Object.keys(browsingSettings.listPosts)) {
-            if (browsingSettings.listPosts[key] === false) {
-                disabledSafety.push(key);
-            }
-        }
-        if (disabledSafety.length) {
-            text = `-rating:${disabledSafety.join(',')} ${text}`;
-        }
-        return text.trim();
+    _evtChangeSafety(e) {
+        e.detail.post.safety = e.detail.safety;
+        e.detail.post.save().catch(error => window.alert(error.message));
     }
 
     _syncPageController() {
         this._pageController.run({
             parameters: this._ctx.parameters,
-            getClientUrlForPage: page => {
-                return '/posts/' + misc.formatUrlParameters(
-                    Object.assign({}, this._ctx.parameters, {page: page}));
+            defaultLimit: parseInt(settings.get().postsPerPage),
+            getClientUrlForPage: (offset, limit) => {
+                const parameters = Object.assign(
+                    {}, this._ctx.parameters, {offset: offset, limit: limit});
+                return uri.formatClientLink('posts', parameters);
             },
-            requestPage: page => {
+            requestPage: (offset, limit) => {
                 return PostList.search(
-                    this._decorateSearchQuery(this._ctx.parameters.query),
-                    page, settings.get().postsPerPage, fields);
+                    this._ctx.parameters.query, offset, limit, fields);
             },
             pageRenderer: pageCtx => {
                 Object.assign(pageCtx, {
                     canViewPosts: api.hasPrivilege('posts:view'),
-                    canMassTag: api.hasPrivilege('tags:masstag'),
-                    massTagTags: this._massTagTags,
+                    canBulkEditTags: api.hasPrivilege('posts:bulk-edit:tags'),
+                    canBulkEditSafety:
+                        api.hasPrivilege('posts:bulk-edit:safety'),
+                    bulkEdit: {
+                        tags: this._bulkEditTags,
+                    },
                 });
                 const view = new PostsPageView(pageCtx);
                 view.addEventListener('tag', e => this._evtTag(e));
                 view.addEventListener('untag', e => this._evtUntag(e));
+                view.addEventListener(
+                    'changeSafety', e => this._evtChangeSafety(e));
                 return view;
             },
         });
@@ -114,7 +116,6 @@ class PostListController {
 
 module.exports = router => {
     router.enter(
-        '/posts/:parameters(.*)?',
-        (ctx, next) => { misc.parseUrlParametersRoute(ctx, next); },
+        ['posts'],
         (ctx, next) => { ctx.controller = new PostListController(ctx); });
 };
diff --git a/client/js/controllers/post_main_controller.js b/client/js/controllers/post_main_controller.js
index 920ce758..a482b844 100644
--- a/client/js/controllers/post_main_controller.js
+++ b/client/js/controllers/post_main_controller.js
@@ -2,6 +2,7 @@
 
 const router = require('../router.js');
 const api = require('../api.js');
+const uri = require('../util/uri.js');
 const misc = require('../util/misc.js');
 const settings = require('../models/settings.js');
 const Comment = require('../models/comment.js');
@@ -19,8 +20,8 @@ class PostMainController extends BasePostController {
         Promise.all([
                 Post.get(ctx.parameters.id),
                 PostList.getAround(
-                    ctx.parameters.id, this._decorateSearchQuery(
-                        parameters ? parameters.query : '')),
+                    ctx.parameters.id,
+                    parameters ? parameters.query : null),
         ]).then(responses => {
             const [post, aroundResponse] = responses;
 
@@ -29,8 +30,8 @@ class PostMainController extends BasePostController {
             if (parameters.query) {
                 ctx.state.parameters = parameters;
                 const url = editMode ?
-                    '/post/' + ctx.parameters.id + '/edit' :
-                    '/post/' + ctx.parameters.id;
+                    uri.formatClientLink('post', ctx.parameters.id, 'edit') :
+                    uri.formatClientLink('post', ctx.parameters.id);
                 router.replace(url, ctx.state, false);
             }
 
@@ -90,20 +91,6 @@ class PostMainController extends BasePostController {
         });
     }
 
-    _decorateSearchQuery(text) {
-        const browsingSettings = settings.get();
-        let disabledSafety = [];
-        for (let key of Object.keys(browsingSettings.listPosts)) {
-            if (browsingSettings.listPosts[key] === false) {
-                disabledSafety.push(key);
-            }
-        }
-        if (disabledSafety.length) {
-            text = `-rating:${disabledSafety.join(',')} ${text}`;
-        }
-        return text.trim();
-    }
-
     _evtFitModeChange(e) {
         const browsingSettings = settings.get();
         browsingSettings.fitMode = e.detail.mode;
@@ -124,7 +111,7 @@ class PostMainController extends BasePostController {
     }
 
     _evtMergePost(e) {
-        router.show('/post/' + e.detail.post.id + '/merge');
+        router.show(uri.formatClientLink('post', e.detail.post.id, 'merge'));
     }
 
     _evtDeletePost(e) {
@@ -133,7 +120,7 @@ class PostMainController extends BasePostController {
         e.detail.post.delete()
             .then(() => {
                 misc.disableExitConfirmation();
-                const ctx = router.show('/posts');
+                const ctx = router.show(uri.formatClientLink('posts'));
                 ctx.controller.showSuccess('Post deleted.');
             }, error => {
                 this._view.sidebarControl.showError(error.message);
@@ -145,9 +132,6 @@ class PostMainController extends BasePostController {
         this._view.sidebarControl.disableForm();
         this._view.sidebarControl.clearMessages();
         const post = e.detail.post;
-        if (e.detail.tags !== undefined) {
-            post.tags = e.detail.tags;
-        }
         if (e.detail.safety !== undefined) {
             post.safety = e.detail.safety;
         }
@@ -244,8 +228,7 @@ class PostMainController extends BasePostController {
 }
 
 module.exports = router => {
-    router.enter('/post/:id/edit/:parameters(.*)?',
-        (ctx, next) => { misc.parseUrlParametersRoute(ctx, next); },
+    router.enter(['post', ':id', 'edit'],
         (ctx, next) => {
             // restore parameters from history state
             if (ctx.state.parameters) {
@@ -254,8 +237,7 @@ module.exports = router => {
             ctx.controller = new PostMainController(ctx, true);
         });
     router.enter(
-        '/post/:id/:parameters(.*)?',
-        (ctx, next) => { misc.parseUrlParametersRoute(ctx, next); },
+        ['post', ':id'],
         (ctx, next) => {
             // restore parameters from history state
             if (ctx.state.parameters) {
diff --git a/client/js/controllers/post_upload_controller.js b/client/js/controllers/post_upload_controller.js
index cba0918b..ccd6f94c 100644
--- a/client/js/controllers/post_upload_controller.js
+++ b/client/js/controllers/post_upload_controller.js
@@ -2,10 +2,12 @@
 
 const api = require('../api.js');
 const router = require('../router.js');
+const uri = require('../util/uri.js');
 const misc = require('../util/misc.js');
 const progress = require('../util/progress.js');
 const topNavigation = require('../models/top_navigation.js');
 const Post = require('../models/post.js');
+const Tag = require('../models/tag.js');
 const PostUploadView = require('../views/post_upload_view.js');
 const EmptyView = require('../views/empty_view.js');
 
@@ -28,6 +30,7 @@ class PostUploadController {
         this._view = new PostUploadView({
             canUploadAnonymously: api.hasPrivilege('posts:create:anonymous'),
             canViewPosts: api.hasPrivilege('posts:view'),
+            enableSafety: api.safetyEnabled(),
         });
         this._view.addEventListener('change', e => this._evtChange(e));
         this._view.addEventListener('submit', e => this._evtSubmit(e));
@@ -61,7 +64,7 @@ class PostUploadController {
                 .then(() => {
                     this._view.clearMessages();
                     misc.disableExitConfirmation();
-                    const ctx = router.show('/posts');
+                    const ctx = router.show(uri.formatClientLink('posts'));
                     ctx.controller.showSuccess('Posts uploaded.');
                 }, error => {
                     if (error.uploadable) {
@@ -95,16 +98,20 @@ class PostUploadController {
         return reverseSearchPromise.then(searchResult => {
             if (searchResult) {
                 // notify about exact duplicate
-                if (searchResult.exactPost && !skipDuplicates) {
-                    let error = new Error('Post already uploaded ' +
-                        `(@${searchResult.exactPost.id})`);
-                    error.uploadable = uploadable;
-                    return Promise.reject(error);
+                if (searchResult.exactPost) {
+                    if (skipDuplicates) {
+                        this._view.removeUploadable(uploadable);
+                        return Promise.resolve();
+                    } else {
+                        let error = new Error('Post already uploaded ' +
+                            `(@${searchResult.exactPost.id})`);
+                        error.uploadable = uploadable;
+                        return Promise.reject(error);
+                    }
                 }
 
                 // notify about similar posts
-                if (!searchResult.exactPost &&
-                        searchResult.similarPosts.length) {
+                if (searchResult.similarPosts.length) {
                     let error = new Error(
                         `Found ${searchResult.similarPosts.length} similar ` +
                         'posts.\nYou can resume or discard this upload.');
@@ -137,7 +144,11 @@ class PostUploadController {
         let post = new Post();
         post.safety = uploadable.safety;
         post.flags = uploadable.flags;
-        post.tags = uploadable.tags;
+        for (let tagName of uploadable.tags) {
+            const tag = new Tag();
+            tag.names = [tagName];
+            post.tags.add(tag);
+        }
         post.relations = uploadable.relations;
         post.newContent = uploadable.url || uploadable.file;
         return post;
@@ -145,7 +156,7 @@ class PostUploadController {
 }
 
 module.exports = router => {
-    router.enter('/upload', (ctx, next) => {
+    router.enter(['upload'], (ctx, next) => {
         ctx.controller = new PostUploadController();
     });
 };
diff --git a/client/js/controllers/settings_controller.js b/client/js/controllers/settings_controller.js
index 2b087ebf..224b2059 100644
--- a/client/js/controllers/settings_controller.js
+++ b/client/js/controllers/settings_controller.js
@@ -22,7 +22,7 @@ class SettingsController {
 };
 
 module.exports = router => {
-    router.enter('/settings', (ctx, next) => {
+    router.enter(['settings'], (ctx, next) => {
         ctx.controller = new SettingsController();
     });
 };
diff --git a/client/js/controllers/snapshots_controller.js b/client/js/controllers/snapshots_controller.js
index 3aa3f89e..e64b9db1 100644
--- a/client/js/controllers/snapshots_controller.js
+++ b/client/js/controllers/snapshots_controller.js
@@ -1,7 +1,7 @@
 'use strict';
 
 const api = require('../api.js');
-const misc = require('../util/misc.js');
+const uri = require('../util/uri.js');
 const SnapshotList = require('../models/snapshot_list.js');
 const PageController = require('../controllers/page_controller.js');
 const topNavigation = require('../models/top_navigation.js');
@@ -22,13 +22,14 @@ class SnapshotsController {
         this._pageController = new PageController();
         this._pageController.run({
             parameters: ctx.parameters,
-            getClientUrlForPage: page => {
+            defaultLimit: 25,
+            getClientUrlForPage: (offset, limit) => {
                 const parameters = Object.assign(
-                    {}, ctx.parameters, {page: page});
-                return '/history/' + misc.formatUrlParameters(parameters);
+                    {}, ctx.parameters, {offset: offset, limit: limit});
+                return uri.formatClientLink('history', parameters);
             },
-            requestPage: page => {
-                return SnapshotList.search('', page, 25);
+            requestPage: (offset, limit) => {
+                return SnapshotList.search('', offset, limit);
             },
             pageRenderer: pageCtx => {
                 Object.assign(pageCtx, {
@@ -43,7 +44,6 @@ class SnapshotsController {
 }
 
 module.exports = router => {
-    router.enter('/history/:parameters?',
-        (ctx, next) => { misc.parseUrlParametersRoute(ctx, next); },
+    router.enter(['history'],
         (ctx, next) => { ctx.controller = new SnapshotsController(ctx); });
 };
diff --git a/client/js/controllers/tag_categories_controller.js b/client/js/controllers/tag_categories_controller.js
index 0dd7a77b..49600cf3 100644
--- a/client/js/controllers/tag_categories_controller.js
+++ b/client/js/controllers/tag_categories_controller.js
@@ -40,7 +40,7 @@ class TagCategoriesController {
         this._view.disableForm();
         this._tagCategories.save()
             .then(() => {
-                tags.refreshExport();
+                tags.refreshCategoryColorMap();
                 this._view.enableForm();
                 this._view.showSuccess('Changes saved.');
             }, error => {
@@ -51,7 +51,7 @@ class TagCategoriesController {
 }
 
 module.exports = router => {
-    router.enter('/tag-categories', (ctx, next) => {
+    router.enter(['tag-categories'], (ctx, next) => {
         ctx.controller = new TagCategoriesController(ctx, next);
     });
 };
diff --git a/client/js/controllers/tag_controller.js b/client/js/controllers/tag_controller.js
index 939b8f04..e5908405 100644
--- a/client/js/controllers/tag_controller.js
+++ b/client/js/controllers/tag_controller.js
@@ -3,8 +3,9 @@
 const router = require('../router.js');
 const api = require('../api.js');
 const misc = require('../util/misc.js');
-const tags = require('../tags.js');
+const uri = require('../util/uri.js');
 const Tag = require('../models/tag.js');
+const TagCategoryList = require('../models/tag_category_list.js');
 const topNavigation = require('../models/top_navigation.js');
 const TagView = require('../views/tag_view.js');
 const EmptyView = require('../views/empty_view.js');
@@ -17,7 +18,12 @@ class TagController {
             return;
         }
 
-        Tag.get(ctx.parameters.name).then(tag => {
+        Promise.all([
+            TagCategoryList.get(),
+            Tag.get(ctx.parameters.name),
+        ]).then(responses => {
+            const [tagCategoriesResponse, tag] = responses;
+
             topNavigation.activate('tags');
             topNavigation.setTitle('Tag #' + tag.names[0]);
 
@@ -25,7 +31,7 @@ class TagController {
             tag.addEventListener('change', e => this._evtSaved(e, section));
 
             const categories = {};
-            for (let category of tags.getAllCategories()) {
+            for (let category of tagCategoriesResponse.results) {
                 categories[category.name] = category.name;
             }
 
@@ -61,7 +67,8 @@ class TagController {
         misc.disableExitConfirmation();
         if (this._name !== e.detail.tag.names[0]) {
             router.replace(
-                '/tag/' + e.detail.tag.names[0] + '/' + section, null, false);
+                uri.formatClientLink('tag', e.detail.tag.names[0], section),
+                null, false);
         }
     }
 
@@ -74,12 +81,6 @@ class TagController {
         if (e.detail.category !== undefined) {
             e.detail.tag.category = e.detail.category;
         }
-        if (e.detail.implications !== undefined) {
-            e.detail.tag.implications = e.detail.implications;
-        }
-        if (e.detail.suggestions !== undefined) {
-            e.detail.tag.suggestions = e.detail.suggestions;
-        }
         if (e.detail.description !== undefined) {
             e.detail.tag.description = e.detail.description;
         }
@@ -95,15 +96,19 @@ class TagController {
     _evtMerge(e) {
         this._view.clearMessages();
         this._view.disableForm();
-        e.detail.tag.merge(e.detail.targetTagName).then(() => {
-            this._view.showSuccess('Tag merged.');
-            this._view.enableForm();
-            router.replace(
-                '/tag/' + e.detail.targetTagName + '/merge', null, false);
-        }, error => {
-            this._view.showError(error.message);
-            this._view.enableForm();
-        });
+        e.detail.tag
+            .merge(e.detail.targetTagName, e.detail.addAlias)
+            .then(() => {
+                this._view.showSuccess('Tag merged.');
+                this._view.enableForm();
+                router.replace(
+                    uri.formatClientLink(
+                        'tag', e.detail.targetTagName, 'merge'),
+                    null, false);
+            }, error => {
+                this._view.showError(error.message);
+                this._view.enableForm();
+            });
     }
 
     _evtDelete(e) {
@@ -111,7 +116,7 @@ class TagController {
         this._view.disableForm();
         e.detail.tag.delete()
             .then(() => {
-                const ctx = router.show('/tags/');
+                const ctx = router.show(uri.formatClientLink('tags'));
                 ctx.controller.showSuccess('Tag deleted.');
             }, error => {
                 this._view.showError(error.message);
@@ -121,16 +126,16 @@ class TagController {
 }
 
 module.exports = router => {
-    router.enter('/tag/:name(.+?)/edit', (ctx, next) => {
+    router.enter(['tag', ':name', 'edit'], (ctx, next) => {
         ctx.controller = new TagController(ctx, 'edit');
     });
-    router.enter('/tag/:name(.+?)/merge', (ctx, next) => {
+    router.enter(['tag', ':name', 'merge'], (ctx, next) => {
         ctx.controller = new TagController(ctx, 'merge');
     });
-    router.enter('/tag/:name(.+?)/delete', (ctx, next) => {
+    router.enter(['tag', ':name', 'delete'], (ctx, next) => {
         ctx.controller = new TagController(ctx, 'delete');
     });
-    router.enter('/tag/:name(.+)', (ctx, next) => {
+    router.enter(['tag', ':name'], (ctx, next) => {
         ctx.controller = new TagController(ctx, 'summary');
     });
 };
diff --git a/client/js/controllers/tag_list_controller.js b/client/js/controllers/tag_list_controller.js
index d61d8f71..8bc7dbba 100644
--- a/client/js/controllers/tag_list_controller.js
+++ b/client/js/controllers/tag_list_controller.js
@@ -1,7 +1,8 @@
 'use strict';
 
+const router = require('../router.js');
 const api = require('../api.js');
-const misc = require('../util/misc.js');
+const uri = require('../util/uri.js');
 const TagList = require('../models/tag_list.js');
 const topNavigation = require('../models/top_navigation.js');
 const PageController = require('../controllers/page_controller.js');
@@ -10,7 +11,12 @@ const TagsPageView = require('../views/tags_page_view.js');
 const EmptyView = require('../views/empty_view.js');
 
 const fields = [
-    'names', 'suggestions', 'implications', 'creationTime', 'usages'];
+    'names',
+    'suggestions',
+    'implications',
+    'creationTime',
+    'usages',
+    'category'];
 
 class TagListController {
     constructor(ctx) {
@@ -46,10 +52,8 @@ class TagListController {
     }
 
     _evtNavigate(e) {
-        history.pushState(
-            null,
-            window.title,
-            '/tags/' + misc.formatUrlParameters(e.detail.parameters));
+        router.showNoDispatch(
+            uri.formatClientLink('tags', e.detail.parameters));
         Object.assign(this._ctx.parameters, e.detail.parameters);
         this._syncPageController();
     }
@@ -57,14 +61,15 @@ class TagListController {
     _syncPageController() {
         this._pageController.run({
             parameters: this._ctx.parameters,
-            getClientUrlForPage: page => {
+            defaultLimit: 50,
+            getClientUrlForPage: (offset, limit) => {
                 const parameters = Object.assign(
-                    {}, this._ctx.parameters, {page: page});
-                return '/tags/' + misc.formatUrlParameters(parameters);
+                    {}, this._ctx.parameters, {offset: offset, limit: limit});
+                return uri.formatClientLink('tags', parameters);
             },
-            requestPage: page => {
+            requestPage: (offset, limit) => {
                 return TagList.search(
-                    this._ctx.parameters.query, page, 50, fields);
+                    this._ctx.parameters.query, offset, limit, fields);
             },
             pageRenderer: pageCtx => {
                 return new TagsPageView(pageCtx);
@@ -75,7 +80,6 @@ class TagListController {
 
 module.exports = router => {
     router.enter(
-        '/tags/:parameters(.*)?',
-        (ctx, next) => { misc.parseUrlParametersRoute(ctx, next); },
+        ['tags'],
         (ctx, next) => { ctx.controller = new TagListController(ctx); });
 };
diff --git a/client/js/controllers/top_navigation_controller.js b/client/js/controllers/top_navigation_controller.js
index b1de03ec..fdf8117a 100644
--- a/client/js/controllers/top_navigation_controller.js
+++ b/client/js/controllers/top_navigation_controller.js
@@ -6,15 +6,17 @@ const TopNavigationView = require('../views/top_navigation_view.js');
 
 class TopNavigationController {
     constructor() {
-        this._topNavigationView = new TopNavigationView();
+        api.fetchConfig().then(() => {
+            this._topNavigationView = new TopNavigationView();
 
-        topNavigation.addEventListener(
-            'activate', e => this._evtActivate(e));
+            topNavigation.addEventListener(
+                'activate', e => this._evtActivate(e));
 
-        api.addEventListener('login', e => this._evtAuthChange(e));
-        api.addEventListener('logout', e => this._evtAuthChange(e));
+            api.addEventListener('login', e => this._evtAuthChange(e));
+            api.addEventListener('logout', e => this._evtAuthChange(e));
 
-        this._render();
+            this._render();
+        });
     }
 
     _evtAuthChange(e) {
@@ -47,10 +49,12 @@ class TopNavigationController {
             topNavigation.hide('users');
         }
         if (api.isLoggedIn()) {
-            topNavigation.hide('register');
+            if (!api.hasPrivilege('users:create:any')) {
+                topNavigation.hide('register');
+            }
             topNavigation.hide('login');
         } else {
-            if (!api.hasPrivilege('users:create')) {
+            if (!api.hasPrivilege('users:create:self')) {
                 topNavigation.hide('register');
             }
             topNavigation.hide('account');
@@ -62,6 +66,7 @@ class TopNavigationController {
         this._updateNavigationFromPrivileges();
         this._topNavigationView.render({
             items: topNavigation.getAll(),
+            name: api.getName()
         });
         this._topNavigationView.activate(
             topNavigation.activeItem ? topNavigation.activeItem.key : '');
diff --git a/client/js/controllers/user_controller.js b/client/js/controllers/user_controller.js
index e9c1fb39..48989af3 100644
--- a/client/js/controllers/user_controller.js
+++ b/client/js/controllers/user_controller.js
@@ -2,10 +2,11 @@
 
 const router = require('../router.js');
 const api = require('../api.js');
+const uri = require('../util/uri.js');
 const misc = require('../util/misc.js');
-const config = require('../config.js');
 const views = require('../util/views.js');
 const User = require('../models/user.js');
+const UserToken = require('../models/user_token.js');
 const topNavigation = require('../models/top_navigation.js');
 const UserView = require('../views/user_view.js');
 const EmptyView = require('../views/empty_view.js');
@@ -20,8 +21,28 @@ class UserController {
             return;
         }
 
+        this._successMessages = [];
+        this._errorMessages = [];
+
+        let userTokenPromise = Promise.resolve([]);
+        if (section === 'list-tokens') {
+            userTokenPromise = UserToken.get(userName)
+                .then(userTokens => {
+                    return userTokens.map(token => {
+                        token.isCurrentAuthToken = api.isCurrentAuthToken(token);
+                        return token;
+                    });
+                }, error => {
+                    return [];
+                });
+        }
+
         topNavigation.setTitle('User ' + userName);
-        User.get(userName).then(user => {
+        Promise.all([
+            userTokenPromise,
+            User.get(userName)
+        ]).then(responses => {
+            const [userTokens, user]  = responses;
             const isLoggedIn = api.isLoggedIn(user);
             const infix = isLoggedIn ? 'self' : 'any';
 
@@ -47,6 +68,7 @@ class UserController {
             } else {
                 topNavigation.activate('users');
             }
+
             this._view = new UserView({
                 user: user,
                 section: section,
@@ -57,18 +79,51 @@ class UserController {
                 canEditRank: api.hasPrivilege(`users:edit:${infix}:rank`),
                 canEditAvatar: api.hasPrivilege(`users:edit:${infix}:avatar`),
                 canEditAnything: api.hasPrivilege(`users:edit:${infix}`),
+                canListTokens: api.hasPrivilege(`userTokens:list:${infix}`),
+                canCreateToken: api.hasPrivilege(`userTokens:create:${infix}`),
+                canEditToken: api.hasPrivilege(`userTokens:edit:${infix}`),
+                canDeleteToken: api.hasPrivilege(`userTokens:delete:${infix}`),
                 canDelete: api.hasPrivilege(`users:delete:${infix}`),
                 ranks: ranks,
+                tokens: userTokens,
             });
             this._view.addEventListener('change', e => this._evtChange(e));
             this._view.addEventListener('submit', e => this._evtUpdate(e));
             this._view.addEventListener('delete', e => this._evtDelete(e));
+            this._view.addEventListener('create-token', e => this._evtCreateToken(e));
+            this._view.addEventListener('delete-token', e => this._evtDeleteToken(e));
+            this._view.addEventListener('update-token', e => this._evtUpdateToken(e));
+
+            for (let message of this._successMessages) {
+                this.showSuccess(message);
+            }
+
+            for (let message of this._errorMessages) {
+                this.showError(message);
+            }
+
         }, error => {
             this._view = new EmptyView();
             this._view.showError(error.message);
         });
     }
 
+    showSuccess(message) {
+        if (typeof this._view === 'undefined') {
+            this._successMessages.push(message)
+        } else {
+            this._view.showSuccess(message);
+        }
+    }
+
+    showError(message) {
+        if (typeof this._view === 'undefined') {
+            this._errorMessages.push(message)
+        } else {
+            this._view.showError(message);
+        }
+    }
+
     _evtChange(e) {
         misc.enableExitConfirmation();
     }
@@ -77,7 +132,8 @@ class UserController {
         misc.disableExitConfirmation();
         if (this._name !== e.detail.user.name) {
             router.replace(
-                '/user/' + e.detail.user.name + '/' + section, null, false);
+                uri.formatClientLink('user', e.detail.user.name, section),
+                null, false);
         }
     }
 
@@ -135,10 +191,10 @@ class UserController {
                     api.logout();
                 }
                 if (api.hasPrivilege('users:list')) {
-                    const ctx = router.show('/users');
+                    const ctx = router.show(uri.formatClientLink('users'));
                     ctx.controller.showSuccess('Account deleted.');
                 } else {
-                    const ctx = router.show('/');
+                    const ctx = router.show(uri.formatClientLink());
                     ctx.controller.showSuccess('Account deleted.');
                 }
             }, error => {
@@ -146,16 +202,66 @@ class UserController {
                 this._view.enableForm();
             });
     }
+
+    _evtCreateToken(e) {
+        this._view.clearMessages();
+        this._view.disableForm();
+        UserToken.create(e.detail.user.name, e.detail.note, e.detail.expirationTime)
+            .then(response => {
+                const ctx = router.show(uri.formatClientLink('user', e.detail.user.name, 'list-tokens'));
+                ctx.controller.showSuccess('Token ' + response.token + ' created.');
+            }, error => {
+                this._view.showError(error.message);
+                this._view.enableForm();
+            });
+    }
+
+    _evtDeleteToken(e) {
+        this._view.clearMessages();
+        this._view.disableForm();
+        if (api.isCurrentAuthToken(e.detail.userToken)) {
+            router.show(uri.formatClientLink('logout'));
+        } else {
+            e.detail.userToken.delete(e.detail.user.name)
+                .then(() => {
+                    const ctx = router.show(uri.formatClientLink('user', e.detail.user.name, 'list-tokens'));
+                    ctx.controller.showSuccess('Token ' + e.detail.userToken.token + ' deleted.');
+                }, error => {
+                    this._view.showError(error.message);
+                    this._view.enableForm();
+                });
+        }
+    }
+
+    _evtUpdateToken(e) {
+        this._view.clearMessages();
+        this._view.disableForm();
+
+        if (e.detail.note !== undefined) {
+            e.detail.userToken.note = e.detail.note;
+        }
+
+        e.detail.userToken.save(e.detail.user.name).then(response => {
+            const ctx = router.show(uri.formatClientLink('user', e.detail.user.name, 'list-tokens'));
+            ctx.controller.showSuccess('Token ' + response.token + ' updated.');
+        }, error => {
+            this._view.showError(error.message);
+            this._view.enableForm();
+        });
+    }
 }
 
 module.exports = router => {
-    router.enter('/user/:name', (ctx, next) => {
+    router.enter(['user', ':name'], (ctx, next) => {
         ctx.controller = new UserController(ctx, 'summary');
     });
-    router.enter('/user/:name/edit', (ctx, next) => {
+    router.enter(['user', ':name', 'edit'], (ctx, next) => {
         ctx.controller = new UserController(ctx, 'edit');
     });
-    router.enter('/user/:name/delete', (ctx, next) => {
+    router.enter(['user', ':name', 'list-tokens'], (ctx, next) => {
+        ctx.controller = new UserController(ctx, 'list-tokens');
+    });
+    router.enter(['user', ':name', 'delete'], (ctx, next) => {
         ctx.controller = new UserController(ctx, 'delete');
     });
 };
diff --git a/client/js/controllers/user_list_controller.js b/client/js/controllers/user_list_controller.js
index 98e70031..fa878d85 100644
--- a/client/js/controllers/user_list_controller.js
+++ b/client/js/controllers/user_list_controller.js
@@ -1,7 +1,8 @@
 'use strict';
 
 const api = require('../api.js');
-const misc = require('../util/misc.js');
+const router = require('../router.js');
+const uri = require('../util/uri.js');
 const UserList = require('../models/user_list.js');
 const topNavigation = require('../models/top_navigation.js');
 const PageController = require('../controllers/page_controller.js');
@@ -38,10 +39,8 @@ class UserListController {
     }
 
     _evtNavigate(e) {
-        history.pushState(
-            null,
-            window.title,
-            '/users/' + misc.formatUrlParameters(e.detail.parameters));
+        router.showNoDispatch(
+            uri.formatClientLink('users', e.detail.parameters));
         Object.assign(this._ctx.parameters, e.detail.parameters);
         this._syncPageController();
     }
@@ -49,13 +48,15 @@ class UserListController {
     _syncPageController() {
         this._pageController.run({
             parameters: this._ctx.parameters,
-            getClientUrlForPage: page => {
+            defaultLimit: 30,
+            getClientUrlForPage: (offset, limit) => {
                 const parameters = Object.assign(
-                    {}, this._ctx.parameters, {page: page});
-                return '/users/' + misc.formatUrlParameters(parameters);
+                    {}, this._ctx.parameters, {offset, offset, limit: limit});
+                return uri.formatClientLink('users', parameters);
             },
-            requestPage: page => {
-                return UserList.search(this._ctx.parameters.query, page);
+            requestPage: (offset, limit) => {
+                return UserList.search(
+                    this._ctx.parameters.query, offset, limit);
             },
             pageRenderer: pageCtx => {
                 Object.assign(pageCtx, {
@@ -69,7 +70,6 @@ class UserListController {
 
 module.exports = router => {
     router.enter(
-        '/users/:parameters(.*)?',
-        (ctx, next) => { misc.parseUrlParametersRoute(ctx, next); },
+        ['users'],
         (ctx, next) => { ctx.controller = new UserListController(ctx); });
 };
diff --git a/client/js/controllers/user_registration_controller.js b/client/js/controllers/user_registration_controller.js
index 47165d60..78b94024 100644
--- a/client/js/controllers/user_registration_controller.js
+++ b/client/js/controllers/user_registration_controller.js
@@ -2,6 +2,7 @@
 
 const router = require('../router.js');
 const api = require('../api.js');
+const uri = require('../util/uri.js');
 const User = require('../models/user.js');
 const topNavigation = require('../models/top_navigation.js');
 const RegistrationView = require('../views/registration_view.js');
@@ -9,7 +10,7 @@ const EmptyView = require('../views/empty_view.js');
 
 class UserRegistrationController {
     constructor() {
-        if (!api.hasPrivilege('users:create')) {
+        if (!api.hasPrivilege('users:create:self')) {
             this._view = new EmptyView();
             this._view.showError('Registration is closed.');
             return;
@@ -28,12 +29,22 @@ class UserRegistrationController {
         user.name = e.detail.name;
         user.email = e.detail.email;
         user.password = e.detail.password;
+        const isLoggedIn = api.isLoggedIn();
         user.save().then(() => {
-            api.forget();
-            return api.login(e.detail.name, e.detail.password, false);
+            if (isLoggedIn) {
+                return Promise.resolve();
+            } else {
+                api.forget();
+                return api.login(e.detail.name, e.detail.password, false);
+            }
         }).then(() => {
-            const ctx = router.show('/');
-            ctx.controller.showSuccess('Welcome aboard!');
+            if (isLoggedIn) {
+                const ctx = router.show(uri.formatClientLink('users'));
+                ctx.controller.showSuccess('User added!');
+            } else {
+                const ctx = router.show(uri.formatClientLink());
+                ctx.controller.showSuccess('Welcome aboard!');
+            }
         }, error => {
             this._view.showError(error.message);
             this._view.enableForm();
@@ -42,7 +53,7 @@ class UserRegistrationController {
 }
 
 module.exports = router => {
-    router.enter('/register', (ctx, next) => {
+    router.enter(['register'], (ctx, next) => {
         new UserRegistrationController();
     });
 };
diff --git a/client/js/controls/auto_complete_control.js b/client/js/controls/auto_complete_control.js
index 3f46ab5b..5ce3bb2e 100644
--- a/client/js/controls/auto_complete_control.js
+++ b/client/js/controls/auto_complete_control.js
@@ -28,10 +28,7 @@ class AutoCompleteControl {
         this._sourceInputNode = sourceInputNode;
         this._options = {};
         Object.assign(this._options, {
-            transform: null,
             verticalShift: 2,
-            source: null,
-            addSpace: false,
             maxResults: 15,
             getTextToFind: () => {
                 const value = sourceInputNode.value;
@@ -56,7 +53,7 @@ class AutoCompleteControl {
         this._isVisible = false;
     }
 
-    defaultConfirmStrategy(text) {
+    replaceSelectedText(result, addSpace) {
         const start = _getSelectionStart(this._sourceInputNode);
         let prefix = '';
         let suffix = this._sourceInputNode.value.substring(start);
@@ -66,30 +63,25 @@ class AutoCompleteControl {
             prefix = this._sourceInputNode.value.substring(0, index + 1);
             middle = this._sourceInputNode.value.substring(index + 1);
         }
-        this._sourceInputNode.value = prefix + text + ' ' + suffix.trimLeft();
-        if (!this._options.addSpace) {
+        this._sourceInputNode.value = (
+            prefix + result.toString() + ' ' + suffix.trimLeft());
+        if (!addSpace) {
             this._sourceInputNode.value = this._sourceInputNode.value.trim();
         }
         this._sourceInputNode.focus();
     }
 
-    _delete(text) {
-        if (this._options.transform) {
-            text = this._options.transform(text);
-        }
+    _delete(result) {
         if (this._options.delete) {
-            this._options.delete(text);
+            this._options.delete(result);
         }
     }
 
-    _confirm(text) {
-        if (this._options.transform) {
-            text = this._options.transform(text);
-        }
+    _confirm(result) {
         if (this._options.confirm) {
-            this._options.confirm(text);
+            this._options.confirm(result);
         } else {
-            this.defaultConfirmStrategy(text);
+            this.defaultConfirmStrategy(result);
         }
     }
 
@@ -104,7 +96,6 @@ class AutoCompleteControl {
             this.hide();
         } else {
             this._updateResults(textToFind);
-            this._refreshList();
         }
     }
 
@@ -209,15 +200,16 @@ class AutoCompleteControl {
     }
 
     _updateResults(textToFind) {
-        const oldResults = this._results.slice();
-        this._results =
-            this._options.getMatches(textToFind)
-            .slice(0, this._options.maxResults);
-        const oldResultsHash = JSON.stringify(oldResults);
-        const newResultsHash = JSON.stringify(this._results);
-        if (oldResultsHash !== newResultsHash) {
-            this._activeResult = -1;
-        }
+        this._options.getMatches(textToFind).then(matches => {
+            const oldResults = this._results.slice();
+            this._results = matches.slice(0, this._options.maxResults);
+            const oldResultsHash = JSON.stringify(oldResults);
+            const newResultsHash = JSON.stringify(this._results);
+            if (oldResultsHash !== newResultsHash) {
+                this._activeResult = -1;
+            }
+            this._refreshList();
+        });
     }
 
     _refreshList() {
diff --git a/client/js/controls/file_dropper_control.js b/client/js/controls/file_dropper_control.js
index 113e7aca..f725ee01 100644
--- a/client/js/controls/file_dropper_control.js
+++ b/client/js/controls/file_dropper_control.js
@@ -5,15 +5,21 @@ const views = require('../util/views.js');
 
 const template = views.getTemplate('file-dropper');
 
+const KEY_RETURN = 13;
+
 class FileDropperControl extends events.EventTarget {
     constructor(target, options) {
         super();
 
         this._options = options;
         const source = template({
-            allowMultiple: this._options.allowMultiple,
-            allowUrls: this._options.allowUrls,
+            extraText: options.extraText,
+            allowMultiple: options.allowMultiple,
+            allowUrls: options.allowUrls,
+            lock: options.lock,
             id: 'file-' + Math.random().toString(36).substring(7),
+            urlPlaceholder:
+                options.urlPlaceholder || 'Alternatively, paste an URL here.',
         });
 
         this._dropperNode = source.querySelector('.file-dropper');
@@ -21,7 +27,7 @@ class FileDropperControl extends events.EventTarget {
         this._urlConfirmButtonNode = source.querySelector('button');
         this._fileInputNode = source.querySelector('input[type=file]');
         this._fileInputNode.style.display = 'none';
-        this._fileInputNode.multiple = this._options.allowMultiple || false;
+        this._fileInputNode.multiple = options.allowMultiple || false;
 
         this._counter = 0;
         this._dropperNode.addEventListener(
@@ -36,8 +42,12 @@ class FileDropperControl extends events.EventTarget {
             'change', e => this._evtFileChange(e));
 
         if (this._urlInputNode) {
+            this._urlInputNode.addEventListener(
+                'keydown', e => this._evtUrlInputKeyDown(e));
+        }
+        if (this._urlConfirmButtonNode) {
             this._urlConfirmButtonNode.addEventListener(
-                'click', e => this._evtUrlConfirm(e));
+                'click', e => this._evtUrlConfirmButtonClick(e));
         }
 
         this._originalHtml = this._dropperNode.innerHTML;
@@ -61,6 +71,10 @@ class FileDropperControl extends events.EventTarget {
 
     _emitUrls(urls) {
         urls = Array.from(urls).map(url => url.trim());
+        if (this._options.lock) {
+            this._dropperNode.innerText =
+                urls.map(url => url.split(/\//).reverse()[0]).join(', ');
+        }
         for (let url of urls) {
             if (!url) {
                 return;
@@ -105,7 +119,17 @@ class FileDropperControl extends events.EventTarget {
         this._emitFiles(e.dataTransfer.files);
     }
 
-    _evtUrlConfirm(e) {
+    _evtUrlInputKeyDown(e) {
+        if (e.which !== KEY_RETURN) {
+            return;
+        }
+        e.preventDefault();
+        this._dropperNode.classList.remove('active');
+        this._emitUrls(this._urlInputNode.value.split(/[\r\n]/));
+        this._urlInputNode.value = '';
+    }
+
+    _evtUrlConfirmButtonClick(e) {
         e.preventDefault();
         this._dropperNode.classList.remove('active');
         this._emitUrls(this._urlInputNode.value.split(/[\r\n]/));
diff --git a/client/js/controls/post_content_control.js b/client/js/controls/post_content_control.js
index ca2fca85..856fb775 100644
--- a/client/js/controls/post_content_control.js
+++ b/client/js/controls/post_content_control.js
@@ -5,18 +5,23 @@ const views = require('../util/views.js');
 const optimizedResize = require('../util/optimized_resize.js');
 
 class PostContentControl {
-    constructor(hostNode, post, viewportSizeCalculator) {
+    constructor(hostNode, post, viewportSizeCalculator, fitFunctionOverride) {
         this._post = post;
         this._viewportSizeCalculator = viewportSizeCalculator;
         this._hostNode = hostNode;
         this._template = views.getTemplate('post-content');
 
+        let fitMode = settings.get().fitMode;
+        if (typeof fitFunctionOverride !== 'undefined') {
+            fitMode = fitFunctionOverride;
+        }
+
         this._currentFitFunction = {
             'fit-both': this.fitBoth,
             'fit-original': this.fitOriginal,
             'fit-width': this.fitWidth,
             'fit-height': this.fitHeight,
-        }[settings.get().fitMode] || this.fitBoth;
+        }[fitMode] || this.fitBoth;
 
         this._install();
 
diff --git a/client/js/controls/post_edit_sidebar_control.js b/client/js/controls/post_edit_sidebar_control.js
index 7ba37d3d..dd8b66da 100644
--- a/client/js/controls/post_edit_sidebar_control.js
+++ b/client/js/controls/post_edit_sidebar_control.js
@@ -4,6 +4,8 @@ const api = require('../api.js');
 const events = require('../events.js');
 const misc = require('../util/misc.js');
 const views = require('../util/views.js');
+const Note = require('../models/note.js');
+const Point = require('../models/point.js');
 const TagInputControl = require('./tag_input_control.js');
 const ExpanderControl = require('../controls/expander_control.js');
 const FileDropperControl = require('../controls/file_dropper_control.js');
@@ -23,6 +25,8 @@ class PostEditSidebarControl extends events.EventTarget {
 
         views.replaceContent(this._hostNode, template({
             post: this._post,
+            enableSafety: api.safetyEnabled(),
+            hasClipboard: document.queryCommandSupported('copy'),
             canEditPostSafety: api.hasPrivilege('posts:edit:safety'),
             canEditPostSource: api.hasPrivilege('posts:edit:source'),
             canEditPostTags: api.hasPrivilege('posts:edit:tags'),
@@ -67,15 +71,22 @@ class PostEditSidebarControl extends events.EventTarget {
         }
 
         if (this._tagInputNode) {
-            this._tagControl = new TagInputControl(this._tagInputNode);
+            this._tagControl = new TagInputControl(
+                this._tagInputNode, post.tags);
         }
 
         if (this._contentInputNode) {
             this._contentFileDropper = new FileDropperControl(
-                this._contentInputNode, {lock: true});
+                this._contentInputNode, {
+                    allowUrls: true,
+                    lock: true,
+                    urlPlaceholder: '...or paste an URL here.'});
             this._contentFileDropper.addEventListener('fileadd', e => {
                 this._newPostContent = e.detail.files[0];
             });
+            this._contentFileDropper.addEventListener('urladd', e => {
+                this._newPostContent = e.detail.urls[0];
+            });
         }
 
         if (this._thumbnailInputNode) {
@@ -99,6 +110,16 @@ class PostEditSidebarControl extends events.EventTarget {
                 'click', e => this._evtAddNoteClick(e));
         }
 
+        if (this._copyNotesLinkNode) {
+            this._copyNotesLinkNode.addEventListener(
+                'click', e => this._evtCopyNotesClick(e));
+        }
+
+        if (this._pasteNotesLinkNode) {
+            this._pasteNotesLinkNode.addEventListener(
+                'click', e => this._evtPasteNotesClick(e));
+        }
+
         if (this._deleteNoteLinkNode) {
             this._deleteNoteLinkNode.addEventListener(
                 'click', e => this._evtDeleteNoteClick(e));
@@ -150,10 +171,11 @@ class PostEditSidebarControl extends events.EventTarget {
             });
         }
 
-        this._tagControl.addEventListener('change', e => {
-            this._post.tags = this._tagControl.tags;
-            this._syncExpanderTitles();
-        });
+        this._tagControl.addEventListener(
+            'change', e => {
+                this.dispatchEvent(new CustomEvent('change'));
+                this._syncExpanderTitles();
+            });
 
         if (this._noteTextareaNode) {
             this._noteTextareaNode.addEventListener(
@@ -244,6 +266,50 @@ class PostEditSidebarControl extends events.EventTarget {
         this._postNotesOverlayControl.switchToDrawing();
     }
 
+    _evtCopyNotesClick(e) {
+        e.preventDefault();
+        let textarea = document.createElement('textarea');
+        textarea.style.position = 'fixed';
+        textarea.style.opacity = '0';
+        textarea.value = JSON.stringify([...this._post.notes].map(note => ({
+            polygon: [...note.polygon].map(
+                point => [point.x, point.y]),
+            text: note.text,
+        })));
+        document.body.appendChild(textarea);
+        textarea.select();
+
+        let success = false;
+        try {
+            success = document.execCommand('copy');
+        } catch (err) {
+        }
+        textarea.blur();
+        document.body.removeChild(textarea);
+        alert(success
+            ? 'Notes copied to clipboard.'
+            : 'Failed to copy the text to clipboard. Sorry.');
+    }
+
+    _evtPasteNotesClick(e) {
+        e.preventDefault();
+        const text = window.prompt(
+            'Please enter the exported notes snapshot:');
+        if (!text) {
+            return;
+        }
+        const notesObj = JSON.parse(text);
+        this._post.notes.clear();
+        for (let noteObj of notesObj) {
+            let note = new Note();
+            for (let pointObj of noteObj.polygon) {
+                note.polygon.add(new Point(pointObj[0], pointObj[1]));
+            }
+            note.text = noteObj.text;
+            this._post.notes.add(note);
+        }
+    }
+
     _evtDeleteNoteClick(e) {
         e.preventDefault();
         if (e.target.classList.contains('inactive')) {
@@ -274,7 +340,8 @@ class PostEditSidebarControl extends events.EventTarget {
                     undefined,
 
                 relations: this._relationsInputNode ?
-                    misc.splitByWhitespace(this._relationsInputNode.value) :
+                    misc.splitByWhitespace(this._relationsInputNode.value)
+                        .map(x => parseInt(x)) :
                     undefined,
 
                 content: this._newPostContent ?
@@ -341,6 +408,14 @@ class PostEditSidebarControl extends events.EventTarget {
         return this._formNode.querySelector('.notes .add');
     }
 
+    get _copyNotesLinkNode() {
+        return this._formNode.querySelector('.notes .copy');
+    }
+
+    get _pasteNotesLinkNode() {
+        return this._formNode.querySelector('.notes .paste');
+    }
+
     get _deleteNoteLinkNode() {
         return this._formNode.querySelector('.notes .delete');
     }
diff --git a/client/js/controls/post_notes_overlay_control.js b/client/js/controls/post_notes_overlay_control.js
index 43e8bf69..bbea0956 100644
--- a/client/js/controls/post_notes_overlay_control.js
+++ b/client/js/controls/post_notes_overlay_control.js
@@ -72,10 +72,8 @@ function _getNoteSize(note) {
 }
 
 class State {
-    constructor(control) {
+    constructor(control, stateName) {
         this._control = control;
-        const stateName = misc.decamelize(
-            this.constructor.name.replace(/State/, ''));
         _setNodeState(control._hostNode, stateName);
         _setNodeState(control._textNode, stateName);
     }
@@ -132,7 +130,7 @@ class State {
 
 class ReadOnlyState extends State {
     constructor(control) {
-        super(control);
+        super(control, 'read-only');
         if (_clearEditedNote(control._hostNode)) {
             this._control.dispatchEvent(new CustomEvent('blur'));
         }
@@ -146,7 +144,7 @@ class ReadOnlyState extends State {
 
 class PassiveState extends State {
     constructor(control) {
-        super(control);
+        super(control, 'passive');
         if (_clearEditedNote(control._hostNode)) {
             this._control.dispatchEvent(new CustomEvent('blur'));
         }
@@ -163,13 +161,13 @@ class PassiveState extends State {
 }
 
 class ActiveState extends State {
-    constructor(control, note) {
-        super(control);
+    constructor(control, note, stateName) {
+        super(control, stateName);
         if (_clearEditedNote(control._hostNode)) {
             this._control.dispatchEvent(new CustomEvent('blur'));
         }
         keyboard.pause();
-        if (note !== undefined) {
+        if (note !== null) {
             this._note = note;
             this._control.dispatchEvent(
                 new CustomEvent('focus', {
@@ -182,7 +180,7 @@ class ActiveState extends State {
 
 class SelectedState extends ActiveState {
     constructor(control, note) {
-        super(control, note);
+        super(control, note, 'selected');
         this._clickTimeout = null;
         this._control._hideNoteText();
     }
@@ -299,7 +297,7 @@ class SelectedState extends ActiveState {
 
 class MovingPointState extends ActiveState {
     constructor(control, note, notePoint, mousePoint) {
-        super(control, note);
+        super(control, note, 'moving-point');
         this._notePoint = notePoint;
         this._originalNotePoint = {x: notePoint.x, y: notePoint.y};
         this._originalPosition = mousePoint;
@@ -328,7 +326,7 @@ class MovingPointState extends ActiveState {
 
 class MovingNoteState extends ActiveState {
     constructor(control, note, mousePoint) {
-        super(control, note);
+        super(control, note, 'moving-note');
         this._originalPolygon = [...note.polygon].map(
             point => ({x: point.x, y: point.y}));
         this._originalPosition = mousePoint;
@@ -360,7 +358,7 @@ class MovingNoteState extends ActiveState {
 
 class ScalingNoteState extends ActiveState {
     constructor(control, note, mousePoint) {
-        super(control, note);
+        super(control, note, 'scaling-note');
         this._originalPolygon = [...note.polygon].map(
             point => ({x: point.x, y: point.y}));
         this._originalMousePoint = mousePoint;
@@ -402,7 +400,7 @@ class ScalingNoteState extends ActiveState {
 
 class ReadyToDrawState extends ActiveState {
     constructor(control) {
-        super(control);
+        super(control, null, 'ready-to-draw');
     }
 
     evtNoteMouseDown(e, hoveredNote) {
@@ -423,7 +421,7 @@ class ReadyToDrawState extends ActiveState {
 
 class DrawingRectangleState extends ActiveState {
     constructor(control, mousePoint) {
-        super(control);
+        super(control, null, 'drawing-rectangle');
         this._note = this._createNote();
         this._note.polygon.add(new Point(mousePoint.x, mousePoint.y));
         this._note.polygon.add(new Point(mousePoint.x, mousePoint.y));
@@ -460,7 +458,7 @@ class DrawingRectangleState extends ActiveState {
 
 class DrawingPolygonState extends ActiveState {
     constructor(control, mousePoint) {
-        super(control);
+        super(control, null, 'drawing-polygon');
         this._note = this._createNote();
         this._note.polygon.add(new Point(mousePoint.x, mousePoint.y));
         this._note.polygon.add(new Point(mousePoint.x, mousePoint.y));
diff --git a/client/js/controls/post_readonly_sidebar_control.js b/client/js/controls/post_readonly_sidebar_control.js
index 2be4d6be..129f48d3 100644
--- a/client/js/controls/post_readonly_sidebar_control.js
+++ b/client/js/controls/post_readonly_sidebar_control.js
@@ -2,7 +2,6 @@
 
 const api = require('../api.js');
 const events = require('../events.js');
-const tags = require('../tags.js');
 const views = require('../util/views.js');
 
 const template = views.getTemplate('post-readonly-sidebar');
@@ -21,8 +20,7 @@ class PostReadonlySidebarControl extends events.EventTarget {
 
         views.replaceContent(this._hostNode, template({
             post: this._post,
-            getTagCategory: this._getTagCategory,
-            getTagUsages: this._getTagUsages,
+            enableSafety: api.safetyEnabled(),
             canListPosts: api.hasPrivilege('posts:list'),
             canEditPosts: api.hasPrivilege('posts:edit'),
             canViewTags: api.hasPrivilege('tags:view'),
@@ -159,16 +157,6 @@ class PostReadonlySidebarControl extends events.EventTarget {
         newNode.classList.add('active');
     }
 
-    _getTagUsages(name) {
-        const tag = tags.getTagByName(name);
-        return tag ? tag.usages : 0;
-    }
-
-    _getTagCategory(name) {
-        const tag = tags.getTagByName(name);
-        return tag ? tag.category : 'unknown';
-    }
-
     _evtAddToFavoritesClick(e) {
         e.preventDefault();
         this.dispatchEvent(new CustomEvent('favorite', {
diff --git a/client/js/controls/tag_auto_complete_control.js b/client/js/controls/tag_auto_complete_control.js
index 47434c7d..3d9130ec 100644
--- a/client/js/controls/tag_auto_complete_control.js
+++ b/client/js/controls/tag_auto_complete_control.js
@@ -1,9 +1,29 @@
 'use strict';
 
-const tags = require('../tags.js');
 const misc = require('../util/misc.js');
+const views = require('../util/views.js');
+const TagList = require('../models/tag_list.js');
 const AutoCompleteControl = require('./auto_complete_control.js');
 
+function _tagListToMatches(tags, options) {
+    return [...tags].sort((tag1, tag2) => {
+        return tag2.usages - tag1.usages;
+    }).map(tag => {
+        let cssName = misc.makeCssName(tag.category, 'tag');
+        if (options.isTaggedWith(tag.names[0])) {
+            cssName += ' disabled';
+        }
+        const caption = (
+            '<span class="' + cssName + '">'
+            + misc.escapeHtml(tag.names[0] + ' (' + tag.postCount + ')')
+            + '</span>');
+        return {
+            caption: caption,
+            value: tag,
+        };
+    });
+}
+
 class TagAutoCompleteControl extends AutoCompleteControl {
     constructor(input, options) {
         const minLengthForPartialSearch = 3;
@@ -13,32 +33,21 @@ class TagAutoCompleteControl extends AutoCompleteControl {
         }, options);
 
         options.getMatches = text => {
-            const transform = x => x.toLowerCase();
-            const match = text.length < minLengthForPartialSearch ?
-                (a, b) => a.startsWith(b) :
-                (a, b) => a.includes(b);
-            text = transform(text);
-            return Array.from(tags.getNameToTagMap().entries())
-                .filter(kv => match(transform(kv[0]), text))
-                .sort((kv1, kv2) => {
-                    return kv2[1].usages - kv1[1].usages;
-                })
-                .map(kv => {
-                    const origName = tags.getOriginalTagName(kv[0]);
-                    const category = kv[1].category;
-                    const usages = kv[1].usages;
-                    let cssName = misc.makeCssName(category, 'tag');
-                    if (options.isTaggedWith(kv[0])) {
-                        cssName += ' disabled';
-                    }
-                    return {
-                        caption: misc.unindent`
-                            <span class="${cssName}">
-                                ${misc.escapeHtml(origName)} (${usages})
-                            </span>`,
-                        value: origName,
-                    };
-                });
+            const term = misc.escapeSearchTerm(text);
+            const query = (
+                text.length < minLengthForPartialSearch
+                ? term + '*'
+                : '*' + term + '*') + ' sort:usages';
+
+            return new Promise((resolve, reject) => {
+                TagList.search(
+                    query, 0, this._options.maxResults,
+                    ['names', 'category', 'usages'])
+                .then(
+                    response => resolve(
+                        _tagListToMatches(response.results, this._options)),
+                    reject);
+            });
         };
 
         super(input, options);
diff --git a/client/js/controls/tag_input_control.js b/client/js/controls/tag_input_control.js
index 2912b0fc..13994374 100644
--- a/client/js/controls/tag_input_control.js
+++ b/client/js/controls/tag_input_control.js
@@ -3,6 +3,8 @@
 const api = require('../api.js');
 const tags = require('../tags.js');
 const misc = require('../util/misc.js');
+const uri = require('../util/uri.js');
+const Tag = require('../models/tag.js');
 const settings = require('../models/settings.js');
 const events = require('../events.js');
 const views = require('../util/views.js');
@@ -79,11 +81,12 @@ class SuggestionList {
 }
 
 class TagInputControl extends events.EventTarget {
-    constructor(hostNode) {
+    constructor(hostNode, tagList) {
         super();
-        this.tags = [];
+        this.tags = tagList;
         this._hostNode = hostNode;
         this._suggestions = new SuggestionList();
+        this._tagToListItemNode = new Map();
 
         // dom
         const editAreaNode = template();
@@ -97,16 +100,18 @@ class TagInputControl extends events.EventTarget {
                 getTextToFind: () => {
                     return this._tagInputNode.value;
                 },
-                confirm: text => {
+                confirm: tag => {
                     this._tagInputNode.value = '';
-                    this.addTag(text, SOURCE_USER_INPUT);
+                    // XXX: tags from autocomplete don't contain implications
+                    // so they need to be looked up in API
+                    this.addTagByName(tag.names[0], SOURCE_USER_INPUT);
                 },
-                delete: text => {
+                delete: tag => {
                     this._tagInputNode.value = '';
-                    this.deleteTag(text);
+                    this.deleteTag(tag);
                 },
                 verticalShift: -2,
-                isTaggedWith: tagName => this.isTaggedWith(tagName),
+                isTaggedWith: tagName => this.tags.isTaggedWith(tagName),
             });
 
         // dom events
@@ -126,114 +131,81 @@ class TagInputControl extends events.EventTarget {
         this._hostNode.parentNode.insertBefore(
             this._editAreaNode, hostNode.nextSibling);
 
-        this.addEventListener('change', e => this._evtTagsChanged(e));
-        this.addEventListener('add', e => this._evtTagAdded(e));
-        this.addEventListener('remove', e => this._evtTagRemoved(e));
-
         // add existing tags
-        this.addMultipleTags(this._hostNode.value, SOURCE_INIT);
+        for (let tag of [...this.tags]) {
+            const listItemNode = this._createListItemNode(tag);
+            this._tagListNode.appendChild(listItemNode);
+        }
     }
 
-    isTaggedWith(tagName) {
-        let actualTag = null;
-        [tagName, actualTag] = this._transformTagName(tagName);
-        return this.tags
-            .map(t => t.toLowerCase())
-            .includes(tagName.toLowerCase());
-    }
-
-    addMultipleTags(text, source) {
+    addTagByText(text, source) {
         for (let tagName of text.split(/\s+/).filter(word => word).reverse()) {
-            this.addTag(tagName, source);
+            this.addTagByName(tagName, source);
         }
     }
 
-    addTag(tagName, source) {
-        tagName = tags.getOriginalTagName(tagName);
-
-        if (!tagName) {
+    addTagByName(name, source) {
+        name = name.trim();
+        if (!name) {
             return;
         }
-
-        let actualTag = null;
-        [tagName, actualTag] = this._transformTagName(tagName);
-        if (!this.isTaggedWith(tagName)) {
-            this.tags.push(tagName);
-        }
-        this.dispatchEvent(new CustomEvent('add', {
-            detail: {
-                tagName: tagName,
-                source: source,
-            },
-        }));
-        this.dispatchEvent(new CustomEvent('change'));
-
-        // XXX: perhaps we should aggregate suggestions from all implications
-        // for call to the _suggestRelations
-        if (source !== SOURCE_INIT && source !== SOURCE_CLIPBOARD) {
-            for (let otherTagName of tags.getAllImplications(tagName)) {
-                this.addTag(otherTagName, SOURCE_IMPLICATION);
-            }
-        }
+        return Tag.get(name).then(tag => {
+            return this.addTag(tag, source);
+        }, () => {
+            const tag = new Tag();
+            tag.names = [name];
+            tag.category = null;
+            return this.addTag(tag, source);
+        });
     }
 
-    deleteTag(tagName) {
-        if (!tagName) {
-            return;
-        }
-        let actualTag = null;
-        [tagName, actualTag] = this._transformTagName(tagName);
-        if (!this.isTaggedWith(tagName)) {
-            return;
-        }
-        this._hideAutoComplete();
-        this.tags = this.tags.filter(
-            t => t.toLowerCase() != tagName.toLowerCase());
-        this.dispatchEvent(new CustomEvent('remove', {
-            detail: {
-                tagName: tagName,
-            },
-        }));
-        this.dispatchEvent(new CustomEvent('change'));
-    }
-
-    _evtTagsChanged(e) {
-        this._hostNode.value = this.tags.join(' ');
-        this._hostNode.dispatchEvent(new CustomEvent('change'));
-    }
-
-    _evtTagAdded(e) {
-        const tagName = e.detail.tagName;
-        const actualTag = tags.getTagByName(tagName);
-        let listItemNode = this._getListItemNodeFromTagName(tagName);
-        const alreadyAdded = !!listItemNode;
-        if (alreadyAdded) {
-            if (e.detail.source !== SOURCE_IMPLICATION) {
+    addTag(tag, source) {
+        if (source != SOURCE_INIT && this.tags.isTaggedWith(tag.names[0])) {
+            const listItemNode = this._getListItemNode(tag);
+            if (source !== SOURCE_IMPLICATION) {
                 listItemNode.classList.add('duplicate');
+                _fadeOutListItemNodeStatus(listItemNode);
             }
-        } else {
-            listItemNode = this._createListItemNode(tagName);
-            if (!actualTag) {
+            return Promise.resolve();
+        }
+
+        return this.tags.addByName(tag.names[0], false).then(() => {
+            const listItemNode = this._createListItemNode(tag);
+            if (!tag.category) {
                 listItemNode.classList.add('new');
             }
-            if (e.detail.source === SOURCE_IMPLICATION) {
+            if (source === SOURCE_IMPLICATION) {
                 listItemNode.classList.add('implication');
             }
             this._tagListNode.prependChild(listItemNode);
-        }
-        _fadeOutListItemNodeStatus(listItemNode);
+            _fadeOutListItemNodeStatus(listItemNode);
 
-        if ([SOURCE_USER_INPUT, SOURCE_SUGGESTION].includes(e.detail.source) &&
-                actualTag) {
-            this._loadSuggestions(actualTag);
-        }
+            return Promise.all(
+                tag.implications.map(
+                    implication => this.addTagByName(
+                        implication.names[0], SOURCE_IMPLICATION)));
+        }).then(() => {
+            this.dispatchEvent(new CustomEvent('add', {
+                detail: {tag: tag, source: source},
+            }));
+            this.dispatchEvent(new CustomEvent('change'));
+            return Promise.resolve();
+        });
     }
 
-    _evtTagRemoved(e) {
-        const listItemNode = this._getListItemNodeFromTagName(e.detail.tagName);
-        if (listItemNode) {
-            listItemNode.parentNode.removeChild(listItemNode);
+    deleteTag(tag) {
+        if (!this.tags.isTaggedWith(tag.names[0])) {
+            return;
         }
+        this.tags.removeByName(tag.names[0]);
+        this._hideAutoComplete();
+
+        this._deleteListItemNode(tag);
+
+        this.dispatchEvent(new CustomEvent('remove', {
+            detail: {tag: tag},
+        }));
+        this.dispatchEvent(new CustomEvent('change'));
     }
 
     _evtInputPaste(e) {
@@ -247,7 +219,7 @@ class TagInputControl extends events.EventTarget {
             return;
         }
         this._hideAutoComplete();
-        this.addMultipleTags(pastedText, SOURCE_CLIPBOARD);
+        this.addTagByText(pastedText, SOURCE_CLIPBOARD);
         this._tagInputNode.value = '';
     }
 
@@ -258,7 +230,7 @@ class TagInputControl extends events.EventTarget {
 
     _evtAddTagButtonClick(e) {
         e.preventDefault();
-        this.addTag(this._tagInputNode.value, SOURCE_USER_INPUT);
+        this.addTagByName(this._tagInputNode.value, SOURCE_USER_INPUT);
         this._tagInputNode.value = '';
     }
 
@@ -271,36 +243,14 @@ class TagInputControl extends events.EventTarget {
         if (e.which == KEY_RETURN || e.which == KEY_SPACE) {
             e.preventDefault();
             this._hideAutoComplete();
-            this.addMultipleTags(this._tagInputNode.value, SOURCE_USER_INPUT);
+            this.addTagByText(this._tagInputNode.value, SOURCE_USER_INPUT);
             this._tagInputNode.value = '';
         }
     }
 
-    _transformTagName(tagName) {
-        const actualTag = tags.getTagByName(tagName);
-        if (actualTag) {
-            tagName = actualTag.names[0];
-        }
-        return [tagName, actualTag];
-    }
-
-    _getListItemNodeFromTagName(tagName) {
-        let actualTag = null;
-        [tagName, actualTag] = this._transformTagName(tagName);
-        for (let listItemNode of this._tagListNode.querySelectorAll('li')) {
-            if (listItemNode.getAttribute('data-tag').toLowerCase() ===
-                    tagName.toLowerCase()) {
-                return listItemNode;
-            }
-        }
-        return null;
-    }
-
-    _createListItemNode(tagName) {
-        let actualTag = null;
-        [tagName, actualTag] = this._transformTagName(tagName);
-        const className = actualTag ?
-            misc.makeCssName(actualTag.category, 'tag') :
+    _createListItemNode(tag) {
+        const className = tag.category ?
+            misc.makeCssName(tag.category, 'tag') :
             null;
 
         const tagLinkNode = document.createElement('a');
@@ -308,7 +258,8 @@ class TagInputControl extends events.EventTarget {
             tagLinkNode.classList.add(className);
         }
         tagLinkNode.setAttribute(
-            'href',  '/tag/' + encodeURIComponent(tagName));
+            'href', uri.formatClientLink('tag', tag.names[0]));
+
         const tagIconNode = document.createElement('i');
         tagIconNode.classList.add('fa');
         tagIconNode.classList.add('fa-tag');
@@ -319,13 +270,13 @@ class TagInputControl extends events.EventTarget {
             searchLinkNode.classList.add(className);
         }
         searchLinkNode.setAttribute(
-            'href', '/posts/query=' + encodeURIComponent(tagName));
-        searchLinkNode.textContent = tagName + ' ';
+            'href', uri.formatClientLink('posts', {query: tag.names[0]}));
+        searchLinkNode.textContent = tag.names[0] + ' ';
         searchLinkNode.addEventListener('click', e => {
             e.preventDefault();
-            if (actualTag) {
-                this._suggestions.clear();
-                this._loadSuggestions(actualTag);
+            this._suggestions.clear();
+            if (tag.postCount > 0) {
+                this._loadSuggestions(tag);
                 this._removeSuggestionsPopupOpacity();
             } else {
                 this._closeSuggestionsPopup();
@@ -334,8 +285,7 @@ class TagInputControl extends events.EventTarget {
 
         const usagesNode = document.createElement('span');
         usagesNode.classList.add('tag-usages');
-        usagesNode.setAttribute(
-            'data-pseudo-content', actualTag ? actualTag.usages : 0);
+        usagesNode.setAttribute('data-pseudo-content', tag.postCount);
 
         const removalLinkNode = document.createElement('a');
         removalLinkNode.classList.add('remove-tag');
@@ -343,24 +293,42 @@ class TagInputControl extends events.EventTarget {
         removalLinkNode.setAttribute('data-pseudo-content', '×');
         removalLinkNode.addEventListener('click', e => {
             e.preventDefault();
-            this.deleteTag(tagName);
+            this.deleteTag(tag);
         });
 
         const listItemNode = document.createElement('li');
-        listItemNode.setAttribute('data-tag', tagName);
         listItemNode.appendChild(removalLinkNode);
         listItemNode.appendChild(tagLinkNode);
         listItemNode.appendChild(searchLinkNode);
         listItemNode.appendChild(usagesNode);
+        for (let name of tag.names) {
+            this._tagToListItemNode.set(name, listItemNode);
+        }
         return listItemNode;
     }
 
+    _deleteListItemNode(tag) {
+        const listItemNode = this._getListItemNode(tag);
+        if (listItemNode) {
+            listItemNode.parentNode.removeChild(listItemNode);
+        }
+        for (let name of tag.names) {
+            this._tagToListItemNode.delete(name);
+        }
+    }
+
+    _getListItemNode(tag) {
+        return this._tagToListItemNode.get(tag.names[0]);
+    }
+
     _loadSuggestions(tag) {
         const browsingSettings = settings.get();
         if (!browsingSettings.tagSuggestions) {
             return;
         }
-        api.get('/tag-siblings/' + tag.names[0], {noProgress: true})
+        api.get(
+                uri.formatApiLink('tag-siblings', tag.names[0]),
+                {noProgress: true})
             .then(response => {
                 return Promise.resolve(response.results);
             }, response => {
@@ -396,23 +364,22 @@ class TagInputControl extends events.EventTarget {
         for (let tuple of this._suggestions.getAll()) {
             const tagName = tuple.tagName;
             const weight = tuple.weight;
-            if (this.isTaggedWith(tagName)) {
+            if (this.tags.isTaggedWith(tagName)) {
                 continue;
             }
 
-            const actualTag = tags.getTagByName(tagName);
             const addLinkNode = document.createElement('a');
             addLinkNode.textContent = tagName;
             addLinkNode.classList.add('add-tag');
             addLinkNode.setAttribute('href', '');
-            if (actualTag) {
+            Tag.get(tagName).then(tag => {
                 addLinkNode.classList.add(
-                    misc.makeCssName(actualTag.category, 'tag'));
-            }
+                    misc.makeCssName(tag.category, 'tag'));
+            });
             addLinkNode.addEventListener('click', e => {
                 e.preventDefault();
                 listNode.removeChild(listItemNode);
-                this.addTag(tagName, SOURCE_SUGGESTION);
+                this.addTagByName(tagName, SOURCE_SUGGESTION);
             });
 
             const weightNode = document.createElement('span');
diff --git a/client/js/main.js b/client/js/main.js
index 27c14e88..5ddf26fe 100644
--- a/client/js/main.js
+++ b/client/js/main.js
@@ -8,7 +8,7 @@ const router = require('./router.js');
 history.scrollRestoration = 'manual';
 
 router.exit(
-    /.*/,
+    null,
     (ctx, next) => {
         ctx.state.scrollX = window.scrollX;
         ctx.state.scrollY = window.scrollY;
@@ -20,52 +20,57 @@ router.exit(
 
 const mousetrap = require('mousetrap');
 router.enter(
-    /.*/,
+    null,
     (ctx, next) => {
         mousetrap.reset();
         next();
     });
 
-// register controller routes
-let controllers = [];
-controllers.push(require('./controllers/home_controller.js'));
-controllers.push(require('./controllers/help_controller.js'));
-controllers.push(require('./controllers/auth_controller.js'));
-controllers.push(require('./controllers/password_reset_controller.js'));
-controllers.push(require('./controllers/comments_controller.js'));
-controllers.push(require('./controllers/snapshots_controller.js'));
-controllers.push(require('./controllers/post_detail_controller.js'));
-controllers.push(require('./controllers/post_main_controller.js'));
-controllers.push(require('./controllers/post_list_controller.js'));
-controllers.push(require('./controllers/post_upload_controller.js'));
-controllers.push(require('./controllers/tag_controller.js'));
-controllers.push(require('./controllers/tag_list_controller.js'));
-controllers.push(require('./controllers/tag_categories_controller.js'));
-controllers.push(require('./controllers/settings_controller.js'));
-controllers.push(require('./controllers/user_controller.js'));
-controllers.push(require('./controllers/user_list_controller.js'));
-controllers.push(require('./controllers/user_registration_controller.js'));
-
-// 404 controller needs to be registered last
-controllers.push(require('./controllers/not_found_controller.js'));
-
-for (let controller of controllers) {
-    controller(router);
-}
-
 const tags = require('./tags.js');
 const api = require('./api.js');
-tags.refreshExport(); // we don't care about errors
-api.loginFromCookies().then(() => {
-        router.start();
-    }, error => {
-        if (window.location.href.indexOf('login') !== -1) {
-            api.forget();
+tags.refreshCategoryColorMap(); // we don't care about errors
+
+api.fetchConfig().then(() => {
+    // register controller routes
+    let controllers = [];
+    controllers.push(require('./controllers/home_controller.js'));
+    controllers.push(require('./controllers/help_controller.js'));
+    controllers.push(require('./controllers/auth_controller.js'));
+    controllers.push(require('./controllers/password_reset_controller.js'));
+    controllers.push(require('./controllers/comments_controller.js'));
+    controllers.push(require('./controllers/snapshots_controller.js'));
+    controllers.push(require('./controllers/post_detail_controller.js'));
+    controllers.push(require('./controllers/post_main_controller.js'));
+    controllers.push(require('./controllers/post_list_controller.js'));
+    controllers.push(require('./controllers/post_upload_controller.js'));
+    controllers.push(require('./controllers/tag_controller.js'));
+    controllers.push(require('./controllers/tag_list_controller.js'));
+    controllers.push(require('./controllers/tag_categories_controller.js'));
+    controllers.push(require('./controllers/settings_controller.js'));
+    controllers.push(require('./controllers/user_controller.js'));
+    controllers.push(require('./controllers/user_list_controller.js'));
+    controllers.push(require('./controllers/user_registration_controller.js'));
+
+    // 404 controller needs to be registered last
+    controllers.push(require('./controllers/not_found_controller.js'));
+
+    for (let controller of controllers) {
+        controller(router);
+    }
+}, error => {
+    window.alert('Could not fetch basic configuration from server');
+}).then(() => {
+    api.loginFromCookies().then(() => {
             router.start();
-        } else {
-            const ctx = router.start('/');
-            ctx.controller.showError(
-                'An error happened while trying to log you in: ' +
-                    error.message);
-        }
-    });
+        }, error => {
+            if (window.location.href.indexOf('login') !== -1) {
+                api.forget();
+                router.start();
+            } else {
+                const ctx = router.start('/');
+                ctx.controller.showError(
+                    'An error happened while trying to log you in: ' +
+                        error.message);
+            }
+        });
+});
diff --git a/client/js/models/abstract_list.js b/client/js/models/abstract_list.js
index 6544ed29..10edd612 100644
--- a/client/js/models/abstract_list.js
+++ b/client/js/models/abstract_list.js
@@ -27,6 +27,13 @@ class AbstractList extends events.EventTarget {
         return ret;
     }
 
+    sync(plainList) {
+        this.clear();
+        for (let item of (plainList || [])) {
+            this.add(this.constructor._itemClass.fromResponse(item));
+        }
+    }
+
     add(item) {
         if (item.addEventListener) {
             item.addEventListener('delete', e => {
@@ -75,6 +82,10 @@ class AbstractList extends events.EventTarget {
         return this._list[index];
     }
 
+    map(...args) {
+        return this._list.map(...args);
+    }
+
     [Symbol.iterator]() {
         return this._list[Symbol.iterator]();
     }
diff --git a/client/js/models/comment.js b/client/js/models/comment.js
index 623fd7e3..e10e83cb 100644
--- a/client/js/models/comment.js
+++ b/client/js/models/comment.js
@@ -1,6 +1,7 @@
 'use strict';
 
 const api = require('../api.js');
+const uri = require('../util/uri.js');
 const events = require('../events.js');
 
 class Comment extends events.EventTarget {
@@ -38,9 +39,9 @@ class Comment extends events.EventTarget {
             text: this._text,
         };
         let promise = this._id ?
-            api.put('/comment/' + this._id, detail) :
-            api.post(
-                '/comments', Object.assign({postId: this._postId}, detail));
+            api.put(uri.formatApiLink('comment', this.id), detail) :
+            api.post(uri.formatApiLink('comments'),
+                Object.assign({postId: this._postId}, detail));
 
         return promise.then(response => {
             this._updateFromResponse(response);
@@ -55,7 +56,7 @@ class Comment extends events.EventTarget {
 
     delete() {
         return api.delete(
-                '/comment/' + this._id,
+                uri.formatApiLink('comment', this.id),
                 {version: this._version})
             .then(response => {
                 this.dispatchEvent(new CustomEvent('delete', {
@@ -68,7 +69,9 @@ class Comment extends events.EventTarget {
     }
 
     setScore(score) {
-        return api.put('/comment/' + this._id + '/score', {score: score})
+        return api.put(
+                uri.formatApiLink('comment', this.id, 'score'),
+                {score: score})
             .then(response => {
                 this._updateFromResponse(response);
                 this.dispatchEvent(new CustomEvent('changeScore', {
diff --git a/client/js/models/info.js b/client/js/models/info.js
index 3b196dd4..35ba867a 100644
--- a/client/js/models/info.js
+++ b/client/js/models/info.js
@@ -1,11 +1,12 @@
 'use strict';
 
 const api = require('../api.js');
+const uri = require('../util/uri.js');
 const Post = require('./post.js');
 
 class Info {
     static get() {
-        return api.get('/info')
+        return api.get(uri.formatApiLink('info'))
             .then(response => {
                 return Promise.resolve(Object.assign(
                     {},
diff --git a/client/js/models/post.js b/client/js/models/post.js
index 8b767a2e..be0230c7 100644
--- a/client/js/models/post.js
+++ b/client/js/models/post.js
@@ -1,25 +1,21 @@
 'use strict';
 
 const api = require('../api.js');
+const uri = require('../util/uri.js');
 const tags = require('../tags.js');
 const events = require('../events.js');
+const TagList = require('./tag_list.js');
 const NoteList = require('./note_list.js');
 const CommentList = require('./comment_list.js');
 const misc = require('../util/misc.js');
 
-function _syncObservableCollection(target, plainList) {
-    target.clear();
-    for (let item of (plainList || [])) {
-        target.add(target.constructor._itemClass.fromResponse(item));
-    }
-}
-
 class Post extends events.EventTarget {
     constructor() {
         super();
         this._orig = {};
 
         for (let obj of [this, this._orig]) {
+            obj._tags = new TagList();
             obj._notes = new NoteList();
             obj._comments = new CommentList();
         }
@@ -34,6 +30,7 @@ class Post extends events.EventTarget {
     get user()               { return this._user; }
     get safety()             { return this._safety; }
     get contentUrl()         { return this._contentUrl; }
+    get fullContentUrl()     { return this._fullContentUrl; }
     get thumbnailUrl()       { return this._thumbnailUrl; }
     get canvasWidth()        { return this._canvasWidth || 800; }
     get canvasHeight()       { return this._canvasHeight || 450; }
@@ -43,6 +40,7 @@ class Post extends events.EventTarget {
 
     get flags()              { return this._flags; }
     get tags()               { return this._tags; }
+    get tagNames()           { return this._tags.map(tag => tag.names[0]); }
     get notes()              { return this._notes; }
     get comments()           { return this._comments; }
     get relations()          { return this._relations; }
@@ -55,7 +53,6 @@ class Post extends events.EventTarget {
     get hasCustomThumbnail() { return this._hasCustomThumbnail; }
 
     set flags(value)         { this._flags = value; }
-    set tags(value)          { this._tags = value; }
     set safety(value)        { this._safety = value; }
     set relations(value)     { this._relations = value; }
     set newContent(value)    { this._newContent = value; }
@@ -69,7 +66,9 @@ class Post extends events.EventTarget {
 
     static reverseSearch(content) {
         let apiPromise = api.post(
-            '/posts/reverse-search', {}, {content: content});
+            uri.formatApiLink('posts', 'reverse-search'),
+            {},
+            {content: content});
         let returnedPromise = apiPromise
             .then(response => {
                 if (response.exactPost) {
@@ -85,35 +84,12 @@ class Post extends events.EventTarget {
     }
 
     static get(id) {
-        return api.get('/post/' + id)
+        return api.get(uri.formatApiLink('post', id))
             .then(response => {
                 return Promise.resolve(Post.fromResponse(response));
             });
     }
 
-    isTaggedWith(tagName) {
-        return this._tags
-            .map(s => s.toLowerCase())
-            .includes(tagName.toLowerCase());
-    }
-
-    addTag(tagName, addImplications) {
-        if (this.isTaggedWith(tagName)) {
-            return;
-        }
-        this._tags.push(tagName);
-        if (addImplications !== false) {
-            for (let otherTag of tags.getAllImplications(tagName)) {
-                this.addTag(otherTag, addImplications);
-            }
-        }
-    }
-
-    removeTag(tagName) {
-        this._tags = this._tags.filter(
-            s => s.toLowerCase() != tagName.toLowerCase());
-    }
-
     save(anonymous) {
         const files = {};
         const detail = {version: this._version};
@@ -129,15 +105,14 @@ class Post extends events.EventTarget {
             detail.flags = this._flags;
         }
         if (misc.arraysDiffer(this._tags, this._orig._tags)) {
-            detail.tags = this._tags;
+            detail.tags = this._tags.map(tag => tag.names[0]);
         }
         if (misc.arraysDiffer(this._relations, this._orig._relations)) {
             detail.relations = this._relations;
         }
         if (misc.arraysDiffer(this._notes, this._orig._notes)) {
-            detail.notes = [...this._notes].map(note => ({
-                polygon: [...note.polygon].map(
-                    point => [point.x, point.y]),
+            detail.notes = this._notes.map(note => ({
+                polygon: note.polygon.map(point => [point.x, point.y]),
                 text: note.text,
             }));
         }
@@ -149,8 +124,8 @@ class Post extends events.EventTarget {
         }
 
         let apiPromise = this._id ?
-            api.put('/post/' + this._id, detail, files) :
-            api.post('/posts', detail, files);
+            api.put(uri.formatApiLink('post', this.id), detail, files) :
+            api.post(uri.formatApiLink('posts'), detail, files);
 
         return apiPromise.then(response => {
             this._updateFromResponse(response);
@@ -176,14 +151,18 @@ class Post extends events.EventTarget {
     }
 
     feature() {
-        return api.post('/featured-post', {id: this._id})
+        return api.post(
+                uri.formatApiLink('featured-post'),
+                {id: this._id})
             .then(response => {
                 return Promise.resolve();
             });
     }
 
     delete() {
-        return api.delete('/post/' + this._id, {version: this._version})
+        return api.delete(
+                uri.formatApiLink('post', this.id),
+                {version: this._version})
             .then(response => {
                 this.dispatchEvent(new CustomEvent('delete', {
                     detail: {
@@ -195,9 +174,9 @@ class Post extends events.EventTarget {
     }
 
     merge(targetId, useOldContent) {
-        return api.get('/post/' + encodeURIComponent(targetId))
+        return api.get(uri.formatApiLink('post', targetId))
             .then(response => {
-                return api.post('/post-merge/', {
+                return api.post(uri.formatApiLink('post-merge'), {
                     removeVersion: this._version,
                     remove: this._id,
                     mergeToVersion: response.version,
@@ -216,7 +195,9 @@ class Post extends events.EventTarget {
     }
 
     setScore(score) {
-        return api.put('/post/' + this._id + '/score', {score: score})
+        return api.put(
+                uri.formatApiLink('post', this.id, 'score'),
+                {score: score})
             .then(response => {
                 const prevFavorite = this._ownFavorite;
                 this._updateFromResponse(response);
@@ -237,7 +218,7 @@ class Post extends events.EventTarget {
     }
 
     addToFavorites() {
-        return api.post('/post/' + this.id + '/favorite')
+        return api.post(uri.formatApiLink('post', this.id, 'favorite'))
             .then(response => {
                 const prevScore = this._ownScore;
                 this._updateFromResponse(response);
@@ -258,7 +239,7 @@ class Post extends events.EventTarget {
     }
 
     removeFromFavorites() {
-        return api.delete('/post/' + this.id + '/favorite')
+        return api.delete(uri.formatApiLink('post', this.id, 'favorite'))
             .then(response => {
                 const prevScore = this._ownScore;
                 this._updateFromResponse(response);
@@ -295,13 +276,13 @@ class Post extends events.EventTarget {
             _user:          response.user,
             _safety:        response.safety,
             _contentUrl:    response.contentUrl,
+            _fullContentUrl: new URL(response.contentUrl, window.location.href).href,
             _thumbnailUrl:  response.thumbnailUrl,
             _canvasWidth:   response.canvasWidth,
             _canvasHeight:  response.canvasHeight,
             _fileSize:      response.fileSize,
 
             _flags:         [...response.flags || []],
-            _tags:          [...response.tags || []],
             _relations:     [...response.relations || []],
 
             _score:         response.score,
@@ -313,8 +294,9 @@ class Post extends events.EventTarget {
         });
 
         for (let obj of [this, this._orig]) {
-            _syncObservableCollection(obj._notes, response.notes);
-            _syncObservableCollection(obj._comments, response.comments);
+            obj._tags.sync(response.tags);
+            obj._notes.sync(response.notes);
+            obj._comments.sync(response.comments);
         }
 
         Object.assign(this, map());
diff --git a/client/js/models/post_list.js b/client/js/models/post_list.js
index 312afc86..74f089f3 100644
--- a/client/js/models/post_list.js
+++ b/client/js/models/post_list.js
@@ -1,30 +1,54 @@
 'use strict';
 
+const settings = require('../models/settings.js');
 const api = require('../api.js');
+const uri = require('../util/uri.js');
 const AbstractList = require('./abstract_list.js');
 const Post = require('./post.js');
 
 class PostList extends AbstractList {
     static getAround(id, searchQuery) {
-        const url =
-            `/post/${id}/around?fields=id` +
-            `&query=${encodeURIComponent(searchQuery)}`;
-        return api.get(url);
+        return api.get(
+            uri.formatApiLink(
+                'post', id, 'around', {
+                    query: PostList._decorateSearchQuery(searchQuery || ''),
+                    fields: 'id',
+                }));
     }
 
-    static search(text, page, pageSize, fields) {
-        const url =
-            `/posts/?query=${encodeURIComponent(text)}` +
-            `&page=${page}` +
-            `&pageSize=${pageSize}` +
-            `&fields=${fields.join(',')}`;
-        return api.get(url).then(response => {
-            return Promise.resolve(Object.assign(
-                {},
-                response,
-                {results: PostList.fromResponse(response.results)}));
-        });
+    static search(text, offset, limit, fields) {
+        return api.get(
+                uri.formatApiLink(
+                    'posts', {
+                        query: PostList._decorateSearchQuery(text || ''),
+                        offset: offset,
+                        limit: limit,
+                        fields: fields.join(','),
+                    }))
+            .then(response => {
+                return Promise.resolve(Object.assign(
+                    {},
+                    response,
+                    {results: PostList.fromResponse(response.results)}));
+            });
     }
+
+    static _decorateSearchQuery(text) {
+        const browsingSettings = settings.get();
+        const disabledSafety = [];
+        if (api.safetyEnabled()) {
+            for (let key of Object.keys(browsingSettings.listPosts)) {
+                if (browsingSettings.listPosts[key] === false) {
+                    disabledSafety.push(key);
+                }
+            }
+            if (disabledSafety.length) {
+                text = `-rating:${disabledSafety.join(',')} ${text}`;
+            }
+        }
+        return text.trim();
+    }
+
 }
 
 PostList._itemClass = Post;
diff --git a/client/js/models/snapshot_list.js b/client/js/models/snapshot_list.js
index 22348f4a..3263a6af 100644
--- a/client/js/models/snapshot_list.js
+++ b/client/js/models/snapshot_list.js
@@ -1,21 +1,20 @@
 'use strict';
 
 const api = require('../api.js');
+const uri = require('../util/uri.js');
 const AbstractList = require('./abstract_list.js');
 const Snapshot = require('./snapshot.js');
 
 class SnapshotList extends AbstractList {
-    static search(text, page, pageSize) {
-        const url =
-            `/snapshots/?query=${encodeURIComponent(text)}` +
-            `&page=${page}` +
-            `&pageSize=${pageSize}`;
-        return api.get(url).then(response => {
-            return Promise.resolve(Object.assign(
-                {},
-                response,
-                {results: SnapshotList.fromResponse(response.results)}));
-        });
+    static search(text, offset, limit) {
+        return api.get(uri.formatApiLink(
+                'snapshots', {query: text, offset: offset, limit: limit}))
+            .then(response => {
+                return Promise.resolve(Object.assign(
+                    {},
+                    response,
+                    {results: SnapshotList.fromResponse(response.results)}));
+            });
     }
 }
 
diff --git a/client/js/models/tag.js b/client/js/models/tag.js
index 07bbf7ff..c7435540 100644
--- a/client/js/models/tag.js
+++ b/client/js/models/tag.js
@@ -1,13 +1,22 @@
 'use strict';
 
 const api = require('../api.js');
+const uri = require('../util/uri.js');
 const events = require('../events.js');
 const misc = require('../util/misc.js');
 
 class Tag extends events.EventTarget {
     constructor() {
+        const TagList = require('./tag_list.js');
+
         super();
         this._orig = {};
+
+        for (let obj of [this, this._orig]) {
+            obj._suggestions = new TagList();
+            obj._implications = new TagList();
+        }
+
         this._updateFromResponse({});
     }
 
@@ -23,8 +32,6 @@ class Tag extends events.EventTarget {
     set names(value)        { this._names = value; }
     set category(value)     { this._category = value; }
     set description(value)  { this._description = value; }
-    set implications(value) { this._implications = value; }
-    set suggestions(value)  { this._suggestions = value; }
 
     static fromResponse(response) {
         const ret = new Tag();
@@ -33,7 +40,7 @@ class Tag extends events.EventTarget {
     }
 
     static get(name) {
-        return api.get('/tag/' + encodeURIComponent(name))
+        return api.get(uri.formatApiLink('tag', name))
             .then(response => {
                 return Promise.resolve(Tag.fromResponse(response));
             });
@@ -53,15 +60,17 @@ class Tag extends events.EventTarget {
             detail.description = this._description;
         }
         if (misc.arraysDiffer(this._implications, this._orig._implications)) {
-            detail.implications = this._implications;
+            detail.implications = this._implications.map(
+                relation => relation.names[0]);
         }
         if (misc.arraysDiffer(this._suggestions, this._orig._suggestions)) {
-            detail.suggestions = this._suggestions;
+            detail.suggestions = this._suggestions.map(
+                relation => relation.names[0]);
         }
 
         let promise = this._origName ?
-            api.put('/tag/' + encodeURIComponent(this._origName), detail) :
-            api.post('/tags', detail);
+            api.put(uri.formatApiLink('tag', this._origName), detail) :
+            api.post(uri.formatApiLink('tags'), detail);
         return promise
             .then(response => {
                 this._updateFromResponse(response);
@@ -74,15 +83,23 @@ class Tag extends events.EventTarget {
             });
     }
 
-    merge(targetName) {
-        return api.get('/tag/' + encodeURIComponent(targetName))
+    merge(targetName, addAlias) {
+        return api.get(uri.formatApiLink('tag', targetName))
             .then(response => {
-                return api.post('/tag-merge/', {
+                return api.post(uri.formatApiLink('tag-merge'), {
                     removeVersion: this._version,
                     remove: this._origName,
                     mergeToVersion: response.version,
                     mergeTo: targetName,
                 });
+            }).then(response => {
+                if (!addAlias) {
+                    return Promise.resolve(response);
+                }
+                return api.put(uri.formatApiLink('tag', targetName), {
+                    version: response.version,
+                    names: response.names.concat(this._names),
+                });
             }).then(response => {
                 this._updateFromResponse(response);
                 this.dispatchEvent(new CustomEvent('change', {
@@ -96,7 +113,7 @@ class Tag extends events.EventTarget {
 
     delete() {
         return api.delete(
-                '/tag/' + encodeURIComponent(this._origName),
+                uri.formatApiLink('tag', this._origName),
                 {version: this._version})
             .then(response => {
                 this.dispatchEvent(new CustomEvent('delete', {
@@ -115,13 +132,16 @@ class Tag extends events.EventTarget {
             _names:        response.names,
             _category:     response.category,
             _description:  response.description,
-            _implications: response.implications,
-            _suggestions:  response.suggestions,
             _creationTime: response.creationTime,
             _lastEditTime: response.lastEditTime,
-            _postCount:    response.usages,
+            _postCount:    response.usages || 0,
         };
 
+        for (let obj of [this, this._orig]) {
+            obj._suggestions.sync(response.suggestions);
+            obj._implications.sync(response.implications);
+        }
+
         Object.assign(this, map);
         Object.assign(this._orig, map);
     }
diff --git a/client/js/models/tag_category.js b/client/js/models/tag_category.js
index cc08d345..04bd8fe6 100644
--- a/client/js/models/tag_category.js
+++ b/client/js/models/tag_category.js
@@ -1,6 +1,7 @@
 'use strict';
 
 const api = require('../api.js');
+const uri = require('../util/uri.js');
 const events = require('../events.js');
 
 class TagCategory extends events.EventTarget {
@@ -45,9 +46,9 @@ class TagCategory extends events.EventTarget {
 
         let promise = this._origName ?
             api.put(
-                '/tag-category/' + encodeURIComponent(this._origName),
+                uri.formatApiLink('tag-category', this._origName),
                 detail) :
-            api.post('/tag-categories', detail);
+            api.post(uri.formatApiLink('tag-categories'), detail);
 
         return promise
             .then(response => {
@@ -63,7 +64,7 @@ class TagCategory extends events.EventTarget {
 
     delete() {
         return api.delete(
-                '/tag-category/' + encodeURIComponent(this._origName),
+                uri.formatApiLink('tag-category', this._origName),
                 {version: this._version})
             .then(response => {
                 this.dispatchEvent(new CustomEvent('delete', {
diff --git a/client/js/models/tag_category_list.js b/client/js/models/tag_category_list.js
index 812d6959..6c1182fb 100644
--- a/client/js/models/tag_category_list.js
+++ b/client/js/models/tag_category_list.js
@@ -1,6 +1,7 @@
 'use strict';
 
 const api = require('../api.js');
+const uri = require('../util/uri.js');
 const AbstractList = require('./abstract_list.js');
 const TagCategory = require('./tag_category.js');
 
@@ -26,12 +27,13 @@ class TagCategoryList extends AbstractList {
     }
 
     static get() {
-        return api.get('/tag-categories/').then(response => {
-            return Promise.resolve(Object.assign(
-                {},
-                response,
-                {results: TagCategoryList.fromResponse(response.results)}));
-        });
+        return api.get(uri.formatApiLink('tag-categories'))
+            .then(response => {
+                return Promise.resolve(Object.assign(
+                    {},
+                    response,
+                    {results: TagCategoryList.fromResponse(response.results)}));
+            });
     }
 
     get defaultCategory() {
@@ -54,7 +56,10 @@ class TagCategoryList extends AbstractList {
         if (this._defaultCategory !== this._origDefaultCategory) {
             promises.push(
                 api.put(
-                    `/tag-category/${this._defaultCategory.name}/default`));
+                    uri.formatApiLink(
+                        'tag-category',
+                        this._defaultCategory.name,
+                        'default')));
         }
 
         return Promise.all(promises)
diff --git a/client/js/models/tag_list.js b/client/js/models/tag_list.js
index 268bcd80..d87b694e 100644
--- a/client/js/models/tag_list.js
+++ b/client/js/models/tag_list.js
@@ -1,22 +1,68 @@
 'use strict';
 
 const api = require('../api.js');
+const uri = require('../util/uri.js');
 const AbstractList = require('./abstract_list.js');
 const Tag = require('./tag.js');
 
 class TagList extends AbstractList {
-    static search(text, page, pageSize, fields) {
-        const url =
-            `/tags/?query=${encodeURIComponent(text)}` +
-            `&page=${page}` +
-            `&pageSize=${pageSize}` +
-            `&fields=${fields.join(',')}`;
-        return api.get(url).then(response => {
-            return Promise.resolve(Object.assign(
-                {},
-                response,
-                {results: TagList.fromResponse(response.results)}));
-        });
+    static search(text, offset, limit, fields) {
+        return api.get(
+                uri.formatApiLink(
+                    'tags', {
+                        query: text,
+                        offset: offset,
+                        limit: limit,
+                        fields: fields.join(','),
+                    }))
+            .then(response => {
+                return Promise.resolve(Object.assign(
+                    {},
+                    response,
+                    {results: TagList.fromResponse(response.results)}));
+            });
+    }
+
+    isTaggedWith(testName) {
+        for (let tag of this._list) {
+            for (let tagName of tag.names) {
+                if (tagName.toLowerCase() === testName.toLowerCase()) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+
+    addByName(tagName, addImplications) {
+        if (this.isTaggedWith(tagName)) {
+            return Promise.resolve();
+        }
+
+        const tag = new Tag();
+        tag.names = [tagName];
+
+        this.add(tag);
+
+        if (addImplications !== false) {
+            return Tag.get(tagName).then(actualTag => {
+                return Promise.all(
+                    actualTag.implications.map(
+                        relation => this.addByName(relation.names[0], true)));
+            });
+        }
+
+        return Promise.resolve();
+    }
+
+    removeByName(testName) {
+        for (let tag of this._list) {
+            for (let tagName of tag.names) {
+                if (tagName.toLowerCase() === testName.toLowerCase()) {
+                    this.remove(tag);
+                }
+            }
+        }
     }
 }
 
diff --git a/client/js/models/top_navigation.js b/client/js/models/top_navigation.js
index ebb3753e..a7c726db 100644
--- a/client/js/models/top_navigation.js
+++ b/client/js/models/top_navigation.js
@@ -1,7 +1,7 @@
 'use strict';
 
-const config = require('../config.js');
 const events = require('../events.js');
+const api = require('../api.js');
 
 class TopNavigationItem {
     constructor(accessKey, title, url, available, imageUrl) {
@@ -53,8 +53,10 @@ class TopNavigation extends events.EventTarget {
     }
 
     setTitle(title) {
-        document.oldTitle = null;
-        document.title = config.name + (title ? (' – ' + title) : '');
+        api.fetchConfig().then(() => {
+            document.oldTitle = null;
+            document.title = api.getName() + (title ? (' – ' + title) : '');
+        });
     }
 
     showAll() {
diff --git a/client/js/models/user.js b/client/js/models/user.js
index ab19bef3..abb5f57f 100644
--- a/client/js/models/user.js
+++ b/client/js/models/user.js
@@ -1,6 +1,7 @@
 'use strict';
 
 const api = require('../api.js');
+const uri = require('../util/uri.js');
 const events = require('../events.js');
 
 class User extends events.EventTarget {
@@ -40,7 +41,7 @@ class User extends events.EventTarget {
     }
 
     static get(name) {
-        return api.get('/user/' + encodeURIComponent(name))
+        return api.get(uri.formatApiLink('user', name))
             .then(response => {
                 return Promise.resolve(User.fromResponse(response));
             });
@@ -73,10 +74,8 @@ class User extends events.EventTarget {
 
         let promise = this._orig._name ?
             api.put(
-                '/user/' + encodeURIComponent(this._orig._name),
-                detail,
-                files) :
-            api.post('/users', detail, files);
+                uri.formatApiLink('user', this._orig._name), detail, files) :
+            api.post(uri.formatApiLink('users'), detail, files);
 
         return promise
             .then(response => {
@@ -92,7 +91,7 @@ class User extends events.EventTarget {
 
     delete() {
         return api.delete(
-                '/user/' + encodeURIComponent(this._orig._name),
+                uri.formatApiLink('user', this._orig._name),
                 {version: this._version})
             .then(response => {
                 this.dispatchEvent(new CustomEvent('delete', {
diff --git a/client/js/models/user_list.js b/client/js/models/user_list.js
index 4ca430d5..c48fc883 100644
--- a/client/js/models/user_list.js
+++ b/client/js/models/user_list.js
@@ -1,20 +1,21 @@
 'use strict';
 
 const api = require('../api.js');
+const uri = require('../util/uri.js');
 const AbstractList = require('./abstract_list.js');
 const User = require('./user.js');
 
 class UserList extends AbstractList {
-    static search(text, page) {
-        const url =
-            `/users/?query=${encodeURIComponent(text)}` +
-            `&page=${page}&pageSize=30`;
-        return api.get(url).then(response => {
-            return Promise.resolve(Object.assign(
-                {},
-                response,
-                {results: UserList.fromResponse(response.results)}));
-        });
+    static search(text, offset, limit) {
+        return api.get(
+                uri.formatApiLink(
+                    'users', {query: text, offset: offset, limit: limit}))
+            .then(response => {
+                return Promise.resolve(Object.assign(
+                    {},
+                    response,
+                    {results: UserList.fromResponse(response.results)}));
+            });
     }
 }
 
diff --git a/client/js/models/user_token.js b/client/js/models/user_token.js
new file mode 100644
index 00000000..6e70a94b
--- /dev/null
+++ b/client/js/models/user_token.js
@@ -0,0 +1,116 @@
+'use strict';
+
+const api = require('../api.js');
+const uri = require('../util/uri.js');
+const events = require('../events.js');
+
+class UserToken extends events.EventTarget {
+    constructor() {
+        super();
+        this._orig = {};
+        this._updateFromResponse({});
+    }
+
+    get token()          { return this._token; }
+    get note()           { return this._note; }
+    get enabled()        { return this._enabled; }
+    get version()        { return this._version; }
+    get expirationTime() { return this._expirationTime; }
+    get creationTime()   { return this._creationTime; }
+    get lastEditTime()   { return this._lastEditTime; }
+    get lastUsageTime()  { return this._lastUsageTime; }
+
+    set note(value)      { this._note = value; }
+
+    static fromResponse(response) {
+        if (typeof response.results !== 'undefined') {
+            let tokenList = [];
+            for (let responseToken of response.results) {
+                const token = new UserToken();
+                token._updateFromResponse(responseToken);
+                tokenList.push(token)
+            }
+            return tokenList;
+        } else {
+            const ret = new UserToken();
+            ret._updateFromResponse(response);
+            return ret;
+        }
+    }
+
+    static get(userName) {
+        return api.get(uri.formatApiLink('user-tokens', userName))
+            .then(response => {
+                return Promise.resolve(UserToken.fromResponse(response));
+            });
+    }
+
+    static create(userName, note, expirationTime) {
+        let userTokenRequest = {
+            enabled: true
+        };
+        if (note) {
+            userTokenRequest.note = note;
+        }
+        if (expirationTime) {
+            userTokenRequest.expirationTime = expirationTime;
+        }
+        return api.post(uri.formatApiLink('user-token', userName), userTokenRequest)
+            .then(response => {
+                return Promise.resolve(UserToken.fromResponse(response))
+            });
+    }
+
+    save(userName) {
+        const detail = {version: this._version};
+
+        if (this._note !== this._orig._note) {
+            detail.note = this._note;
+        }
+
+        return api.put(
+            uri.formatApiLink('user-token', userName, this._orig._token),
+            detail)
+            .then(response => {
+                this._updateFromResponse(response);
+                this.dispatchEvent(new CustomEvent('change', {
+                    detail: {
+                        userToken: this,
+                    },
+                }));
+                return Promise.resolve(this);
+            });
+    }
+
+    delete(userName) {
+        return api.delete(
+            uri.formatApiLink('user-token', userName, this._orig._token),
+            {version: this._version})
+            .then(response => {
+                this.dispatchEvent(new CustomEvent('delete', {
+                    detail: {
+                        userToken: this,
+                    },
+                }));
+                return Promise.resolve();
+            });
+    }
+
+    _updateFromResponse(response) {
+        const map = {
+            _token:           response.token,
+            _note:            response.note,
+            _enabled:         response.enabled,
+            _expirationTime:  response.expirationTime,
+            _version:         response.version,
+            _creationTime:    response.creationTime,
+            _lastEditTime:    response.lastEditTime,
+            _lastUsageTime:   response.lastUsageTime,
+        };
+
+        Object.assign(this, map);
+        Object.assign(this._orig, map);
+    }
+}
+
+module.exports = UserToken;
diff --git a/client/js/router.js b/client/js/router.js
index 570fb3ef..a8bd4c38 100644
--- a/client/js/router.js
+++ b/client/js/router.js
@@ -1,6 +1,7 @@
 'use strict';
 
 // modified page.js by visionmedia
+// - changed regexes to components
 // - removed unused crap
 // - refactored to classes
 // - simplified method chains
@@ -9,19 +10,12 @@
 // - rename .save() to .replaceState()
 // - offer .url
 
-const pathToRegexp = require('path-to-regexp');
 const clickEvent = document.ontouchstart ? 'touchstart' : 'click';
+const uri = require('./util/uri.js');
 let location = window.history.location || window.location;
 
 const base = '';
 
-function _decodeURLEncodedURIComponent(val) {
-    if (typeof val !== 'string') {
-        return val;
-    }
-    return decodeURIComponent(val.replace(/\+/g, ' '));
-}
-
 function _isSameOrigin(href) {
     let origin = location.protocol + '//' + location.hostname;
     if (location.port) {
@@ -55,11 +49,28 @@ class Context {
 };
 
 class Route {
-    constructor(path, options) {
-        options = options || {};
-        this.path = (path === '*') ? '(.*)' : path;
+    constructor(path) {
         this.method = 'GET';
-        this.regexp = pathToRegexp(this.path, this.keys = [], options);
+        this.path = path;
+
+        this.parameterNames = [];
+        if (this.path === null) {
+            this.regex = /.*/;
+        } else {
+            let parts = [];
+            for (let component of this.path) {
+                if (component[0] === ':') {
+                    parts.push('([^/]+)');
+                    this.parameterNames.push(component.substr(1));
+                } else { // assert [a-z]+
+                    parts.push(component);
+                }
+            }
+            let regexString = '^/' + parts.join('/');
+            regexString += '(?:/*|/((?:(?:[a-z]+=[^/]+);)*(?:[a-z]+=[^/]+)))$';
+            this.parameterNames.push('variable');
+            this.regex = new RegExp(regexString);
+        }
     }
 
     middleware(fn) {
@@ -72,22 +83,33 @@ class Route {
     }
 
     match(path, parameters) {
-        const keys = this.keys;
         const qsIndex = path.indexOf('?');
         const pathname = ~qsIndex ? path.slice(0, qsIndex) : path;
-        const m = this.regexp.exec(pathname);
+        const match = this.regex.exec(pathname);
 
-        if (!m) {
+        if (!match) {
             return false;
         }
 
-        for (let i = 1, len = m.length; i < len; ++i) {
-            const key = keys[i - 1];
-            const val = _decodeURLEncodedURIComponent(m[i]);
-            if (val !== undefined ||
-                    !(hasOwnProperty.call(parameters, key.name))) {
-                parameters[key.name] = val;
+        try {
+            for (let i = 1; i < match.length; i++) {
+                const name = this.parameterNames[i - 1];
+                const value = match[i];
+                if (value === undefined) {
+                    continue;
+                }
+
+                if (name === 'variable') {
+                    for (let word of (value || '').split(/;/)) {
+                        const [key, subvalue] = word.split(/=/, 2);
+                        parameters[key] = uri.unescapeParam(subvalue);
+                    }
+                } else {
+                    parameters[name] = uri.unescapeParam(value);
+                }
             }
+        } catch (e) {
+            return false;
         }
 
         return true;
@@ -136,6 +158,13 @@ class Router {
         window.removeEventListener('popstate', this._onPopState, false);
     }
 
+    showNoDispatch(path, state) {
+        const ctx = new Context(path, state);
+        ctx.pushState();
+        this.ctx = ctx;
+        return ctx;
+    }
+
     show(path, state, push) {
         const ctx = new Context(path, state);
         const oldPath = this.ctx ? this.ctx.path : ctx.path;
diff --git a/client/js/tags.js b/client/js/tags.js
index c0c301b5..c037f6f6 100644
--- a/client/js/tags.js
+++ b/client/js/tags.js
@@ -1,125 +1,26 @@
 'use strict';
 
 const misc = require('./util/misc.js');
-const request = require('superagent');
+const TagCategoryList = require('./models/tag_category_list.js');
 
-let _tags = new Map();
-let _categories = new Map();
 let _stylesheet = null;
 
-function getTagByName(name) {
-    return _tags.get(name.toLowerCase());
-}
-
-function getCategoryByName(name) {
-    return _categories.get(name.toLowerCase());
-}
-
-function getNameToTagMap() {
-    return _tags;
-}
-
-function getAllTags() {
-    return _tags.values();
-}
-
-function getAllCategories() {
-    return _categories.values();
-}
-
-function getOriginalTagName(name) {
-    const actualTag = getTagByName(name);
-    if (actualTag) {
-        for (let originalName of actualTag.names) {
-            if (originalName.toLowerCase() == name.toLowerCase()) {
-                return originalName;
-            }
+function refreshCategoryColorMap() {
+    return TagCategoryList.get().then(response => {
+        if (_stylesheet) {
+            document.head.removeChild(_stylesheet);
         }
-    }
-    return name;
-}
-
-function _tagsToMap(tags) {
-    let map = new Map();
-    for (let tag of tags) {
-        for (let name of tag.names) {
-            map.set(name.toLowerCase(), tag);
+        _stylesheet = document.createElement('style');
+        document.head.appendChild(_stylesheet);
+        for (let category of response.results) {
+            const ruleName = misc.makeCssName(category.name, 'tag');
+            _stylesheet.sheet.insertRule(
+                `.${ruleName} { color: ${category.color} }`,
+                _stylesheet.sheet.cssRules.length);
         }
-    }
-    return map;
-}
-
-function _tagCategoriesToMap(categories) {
-    let map = new Map();
-    for (let category of categories) {
-        map.set(category.name.toLowerCase(), category);
-    }
-    return map;
-}
-
-function _refreshStylesheet() {
-    if (_stylesheet) {
-        document.head.removeChild(_stylesheet);
-    }
-    _stylesheet = document.createElement('style');
-    document.head.appendChild(_stylesheet);
-    for (let category of getAllCategories()) {
-        const ruleName = misc.makeCssName(category.name, 'tag');
-        _stylesheet.sheet.insertRule(
-            `.${ruleName} { color: ${category.color} }`,
-            _stylesheet.sheet.cssRules.length);
-    }
-}
-
-function refreshExport() {
-    return new Promise((resolve, reject) => {
-        request.get('/data/tags.json').end((error, response) => {
-            if (error) {
-                _tags = new Map();
-                _categories = new Map();
-                reject(error);
-                return;
-            }
-            _tags = _tagsToMap(
-                response.body ? response.body.tags : []);
-            _categories = _tagCategoriesToMap(
-                response.body ? response.body.categories : []);
-            _refreshStylesheet();
-            resolve();
-        });
     });
 }
 
-function getAllImplications(tagName) {
-    let implications = [];
-    let check = [tagName];
-    while (check.length) {
-        let tagName = check.pop();
-        const actualTag = getTagByName(tagName) || {};
-        for (let implication of actualTag.implications || []) {
-            if (implications.includes(implication)) {
-                continue;
-            }
-            implications.push(implication);
-            check.push(implication);
-        }
-    }
-    return Array.from(implications);
-}
-
-function getSuggestions(tagName) {
-    const actualTag = getTagByName(tagName) || {};
-    return actualTag.suggestions || [];
-}
-
 module.exports = {
-    getAllCategories:   getAllCategories,
-    getAllTags:         getAllTags,
-    getTagByName:       getTagByName,
-    getCategoryByName:  getCategoryByName,
-    getNameToTagMap:    getNameToTagMap,
-    getOriginalTagName: getOriginalTagName,
-    refreshExport:      refreshExport,
-    getAllImplications: getAllImplications,
-    getSuggestions:     getSuggestions,
+    refreshCategoryColorMap: refreshCategoryColorMap,
 };
diff --git a/client/js/util/markdown.js b/client/js/util/markdown.js
index f43a5369..f326ebb7 100644
--- a/client/js/util/markdown.js
+++ b/client/js/util/markdown.js
@@ -1,7 +1,6 @@
 'use strict';
 
 const marked = require('marked');
-const config = require('../config.js');
 
 class BaseMarkdownWrapper {
     preprocess(text) {
@@ -64,15 +63,12 @@ class TagPermalinkFixWrapper extends BaseMarkdownWrapper {
 class EntityPermalinkWrapper extends BaseMarkdownWrapper {
     preprocess(text) {
         // URL-based permalinks
-        let baseUrl = config.baseUrl.replace(/\/+$/, '');
         text = text.replace(
-            new RegExp('\\b' + baseUrl + '/post/(\\d+)/?\\b', 'g'), '@$1');
+            new RegExp('\\b/post/(\\d+)/?\\b', 'g'), '@$1');
         text = text.replace(
-            new RegExp('\\b' + baseUrl + '/tag/([a-zA-Z0-9_-]+?)/?', 'g'),
-            '#$1');
+            new RegExp('\\b/tag/([a-zA-Z0-9_-]+?)/?', 'g'), '#$1');
         text = text.replace(
-            new RegExp('\\b' + baseUrl + '/user/([a-zA-Z0-9_-]+?)/?', 'g'),
-            '+$1');
+            new RegExp('\\b/user/([a-zA-Z0-9_-]+?)/?', 'g'), '+$1');
 
         text = text.replace(
             /(^|^\(|(?:[^\]])\(|[\s<>\[\]\)])([+#@][a-zA-Z0-9_-]+)/g,
diff --git a/client/js/util/misc.js b/client/js/util/misc.js
index 3037b103..d825d996 100644
--- a/client/js/util/misc.js
+++ b/client/js/util/misc.js
@@ -1,6 +1,7 @@
 'use strict';
 
 const markdown = require('./markdown.js');
+const uri = require('./uri.js');
 
 function decamelize(str, sep) {
     sep = sep === undefined ? '-' : sep;
@@ -99,44 +100,10 @@ function formatInlineMarkdown(text) {
     return markdown.formatInlineMarkdown(text);
 }
 
-function formatUrlParameters(dict) {
-    let result = [];
-    for (let key of Object.keys(dict)) {
-        const value = dict[key];
-        if (key === 'parameters') {
-            continue;
-        }
-        if (value) {
-            result.push(`${key}=${encodeURIComponent(value)}`);
-        }
-    }
-    return result.join(';');
-}
-
 function splitByWhitespace(str) {
     return str.split(/\s+/).filter(s => s);
 }
 
-function parseUrlParameters(query) {
-    let result = {};
-    for (let word of (query || '').split(/;/)) {
-        const [key, value] = word.split(/=/, 2);
-        result[key] = value;
-    }
-    result.query = result.query || '';
-    result.page = parseInt(result.page || '1');
-    return result;
-}
-
-function parseUrlParametersRoute(ctx, next) {
-    // ctx.parameters = {"user":...,"action":...} from /users/:user/:action
-    // ctx.parameters.parameters = value of :parameters as per /url/:parameters
-    Object.assign(
-        ctx.parameters,
-        parseUrlParameters(ctx.parameters.parameters));
-    next();
-}
-
 function unindent(callSite, ...args) {
     function format(str) {
         let size = -1;
@@ -232,9 +199,6 @@ function dataURItoBlob(dataURI) {
 
 module.exports = {
     range:                   range,
-    formatUrlParameters:     formatUrlParameters,
-    parseUrlParameters:      parseUrlParameters,
-    parseUrlParametersRoute: parseUrlParametersRoute,
     formatRelativeTime:      formatRelativeTime,
     formatFileSize:          formatFileSize,
     formatMarkdown:          formatMarkdown,
diff --git a/client/js/util/polyfill.js b/client/js/util/polyfill.js
index 91186b2a..71ee9724 100644
--- a/client/js/util/polyfill.js
+++ b/client/js/util/polyfill.js
@@ -59,3 +59,10 @@ Number.prototype.between = function(a, b, inclusive) {
 
 // non standard
 Promise.prototype.abort = () => {};
+
+// non standard
+Date.prototype.addDays = function(days) {
+    let dat = new Date(this.valueOf());
+    dat.setDate(dat.getDate() + days);
+    return dat;
+};
diff --git a/client/js/util/uri.js b/client/js/util/uri.js
new file mode 100644
index 00000000..a0482280
--- /dev/null
+++ b/client/js/util/uri.js
@@ -0,0 +1,62 @@
+'use strict';
+
+function formatApiLink(...values) {
+    let parts = [];
+    for (let value of values) {
+        if (value.constructor === Object) {
+            // assert this is the last piece
+            let variableParts = [];
+            for (let key of Object.keys(value)) {
+                if (value[key]) {
+                    variableParts.push(
+                        key + '=' + encodeURIComponent(value[key].toString()));
+                }
+            }
+            if (variableParts.length) {
+                parts.push('?' + variableParts.join('&'));
+            }
+            break;
+        } else {
+            parts.push(encodeURIComponent(value.toString()));
+        }
+    }
+    return '/' + parts.join('/');
+}
+
+function escapeParam(text) {
+    return encodeURIComponent(text);
+}
+
+function unescapeParam(text) {
+    return decodeURIComponent(text);
+}
+
+function formatClientLink(...values) {
+    let parts = [];
+    for (let value of values) {
+        if (value.constructor === Object) {
+            // assert this is the last piece
+            let variableParts = [];
+            for (let key of Object.keys(value)) {
+                if (value[key]) {
+                    variableParts.push(
+                        key + '=' + escapeParam(value[key].toString()));
+                }
+            }
+            if (variableParts.length) {
+                parts.push(variableParts.join(';'));
+            }
+            break;
+        } else {
+            parts.push(escapeParam(value.toString()));
+        }
+    }
+    return '/' + parts.join('/');
+}
+
+module.exports = {
+    formatClientLink: formatClientLink,
+    formatApiLink:    formatApiLink,
+    escapeParam:      escapeParam,
+    unescapeParam:    unescapeParam,
+};
diff --git a/client/js/util/views.js b/client/js/util/views.js
index fbf00a3b..9f238b1e 100644
--- a/client/js/util/views.js
+++ b/client/js/util/views.js
@@ -3,9 +3,9 @@
 require('../util/polyfill.js');
 const api = require('../api.js');
 const templates = require('../templates.js');
-const tags = require('../tags.js');
 const domParser = new DOMParser();
 const misc = require('./misc.js');
+const uri = require('./uri.js');
 
 function _imbueId(options) {
     if (!options.id) {
@@ -138,12 +138,29 @@ function makeColorInput(options) {
             type: 'text',
             value: options.value || '',
             required: options.required,
-            style: 'color: ' + options.value,
-            disabled: true,
+            class: 'color',
         });
-    const colorInput = makeElement(
-        'input', {type: 'color', value: options.value || ''});
-    return makeElement('label', {class: 'color'}, colorInput, textInput);
+    const backgroundPreviewNode = makeElement(
+        'div',
+        {
+            class: 'preview background-preview',
+            style:
+                `border-color: ${options.value};
+                background-color: ${options.value}`,
+        });
+    const textPreviewNode = makeElement(
+        'div',
+        {
+            class: 'preview text-preview',
+            style:
+                `border-color: ${options.value};
+                color: ${options.value}`,
+        });
+    return makeElement(
+        'label', {class: 'color'},
+        textInput,
+        backgroundPreviewNode,
+        textPreviewNode);
 }
 
 function makeNumericInput(options) {
@@ -151,20 +168,21 @@ function makeNumericInput(options) {
     return makeInput(options);
 }
 
+function makeDateInput(options) {
+    options.type = 'date';
+    return makeInput(options)
+}
+
 function getPostUrl(id, parameters) {
-    let url = '/post/' + encodeURIComponent(id);
-    if (parameters && parameters.query) {
-        url += '/query=' + encodeURIComponent(parameters.query);
-    }
-    return url;
+    return uri.formatClientLink(
+        'post', id,
+        parameters ? {query: parameters.query} : {});
 }
 
 function getPostEditUrl(id, parameters) {
-    let url = '/post/' + encodeURIComponent(id) + '/edit';
-    if (parameters && parameters.query) {
-        url += '/query=' + encodeURIComponent(parameters.query);
-    }
-    return url;
+    return uri.formatClientLink(
+        'post', id, 'edit',
+        parameters ? {query: parameters.query} : {});
 }
 
 function makePostLink(id, includeHash) {
@@ -175,29 +193,31 @@ function makePostLink(id, includeHash) {
     return api.hasPrivilege('posts:view') ?
         makeElement(
             'a',
-            {'href': '/post/' + encodeURIComponent(id)},
+            {href: uri.formatClientLink('post', id)},
             misc.escapeHtml(text)) :
         misc.escapeHtml(text);
 }
 
-function makeTagLink(name, includeHash) {
-    const tag = tags.getTagByName(name);
+function makeTagLink(name, includeHash, includeCount, tag) {
     const category = tag ? tag.category : 'unknown';
     let text = name;
     if (includeHash === true) {
         text = '#' + text;
     }
+    if (includeCount === true) {
+        text += ' (' + (tag ? tag.postCount : 0) + ')';
+    }
     return api.hasPrivilege('tags:view') ?
         makeElement(
             'a',
             {
-                'href': '/tag/' + encodeURIComponent(name),
-                'class': misc.makeCssName(category, 'tag'),
+                href: uri.formatClientLink('tag', name),
+                class: misc.makeCssName(category, 'tag'),
             },
             misc.escapeHtml(text)) :
         makeElement(
             'span',
-            {'class': misc.makeCssName(category, 'tag')},
+            {class: misc.makeCssName(category, 'tag')},
             misc.escapeHtml(text));
 }
 
@@ -206,7 +226,7 @@ function makeUserLink(user) {
     text += user && user.name ? misc.escapeHtml(user.name) : 'Anonymous';
     const link = user && api.hasPrivilege('users:view') ?
         makeElement(
-            'a', {'href': '/user/' + encodeURIComponent(user.name)}, text) :
+            'a', {href: uri.formatClientLink('user', user.name)}, text) :
         text;
     return makeElement('span', {class: 'user'}, link);
 }
@@ -377,6 +397,7 @@ function getTemplate(templatePath) {
             makePasswordInput: makePasswordInput,
             makeEmailInput:    makeEmailInput,
             makeColorInput:    makeColorInput,
+            makeDateInput:     makeDateInput,
             makePostLink:      makePostLink,
             makeTagLink:       makeTagLink,
             makeUserLink:      makeUserLink,
@@ -385,6 +406,7 @@ function getTemplate(templatePath) {
             makeElement:       makeElement,
             makeCssName:       misc.makeCssName,
             makeNumericInput:  makeNumericInput,
+            formatClientLink:  uri.formatClientLink
         });
         return htmlToDom(templateFactory(ctx));
     };
@@ -480,11 +502,13 @@ function monitorNodeRemoval(monitoredNode, callback) {
 }
 
 document.addEventListener('input', e => {
-    const type = e.target.getAttribute('type');
-    if (type && type.toLowerCase() === 'color') {
-        const textInput = e.target.parentNode.querySelector('input[type=text]');
-        textInput.style.color = e.target.value;
-        textInput.value = e.target.value;
+    if (e.target.classList.contains('color')) {
+        let bkNode = e.target.parentNode.querySelector('.background-preview');
+        let textNode = e.target.parentNode.querySelector('.text-preview');
+        bkNode.style.backgroundColor = e.target.value;
+        bkNode.style.borderColor = e.target.value;
+        textNode.style.color = e.target.value;
+        textNode.style.borderColor = e.target.value;
     }
 });
 
diff --git a/client/js/views/comments_page_view.js b/client/js/views/comments_page_view.js
index 2722bd6f..d5bb294c 100644
--- a/client/js/views/comments_page_view.js
+++ b/client/js/views/comments_page_view.js
@@ -13,7 +13,7 @@ class CommentsPageView extends events.EventTarget {
 
         const sourceNode = template(ctx);
 
-        for (let post of ctx.results) {
+        for (let post of ctx.response.results) {
             const commentListControl = new CommentListControl(
                 sourceNode.querySelector(
                     `.comments-container[data-for="${post.id}"]`),
diff --git a/client/js/views/endless_page_view.js b/client/js/views/endless_page_view.js
index c70d417c..ab406623 100644
--- a/client/js/views/endless_page_view.js
+++ b/client/js/views/endless_page_view.js
@@ -6,6 +6,17 @@ const views = require('../util/views.js');
 const holderTemplate = views.getTemplate('endless-pager');
 const pageTemplate = views.getTemplate('endless-pager-page');
 
+function isScrolledIntoView(element) {
+    let top = 0;
+    do {
+        top += element.offsetTop || 0;
+        element = element.offsetParent;
+    } while(element);
+    return (
+        (top >= window.scrollY) &&
+        (top <= window.scrollY + window.innerHeight));
+}
+
 class EndlessPageView {
     constructor(ctx) {
         this._hostNode = document.getElementById('content-holder');
@@ -13,25 +24,35 @@ class EndlessPageView {
     }
 
     run(ctx) {
+        this._destroy();
+
         this._active = true;
-        this._working = 0;
-        this._init = false;
+        this._runningRequests = 0;
+        this._initialPageLoad = true;
 
         this.clearMessages();
         views.emptyContent(this._pagesHolderNode);
 
-        this.threshold = window.innerHeight / 3;
-        this.minPageShown = null;
-        this.maxPageShown = null;
-        this.totalPages = null;
-        this.currentPage = null;
+        this.minOffsetShown = null;
+        this.maxOffsetShown = null;
+        this.totalRecords = null;
+        this.currentOffset = 0;
+        this.defaultLimit = parseInt(ctx.parameters.limit || ctx.defaultLimit);
 
-        this._loadPage(ctx, ctx.parameters.page, true).then(pageNode => {
-            if (ctx.parameters.page !== 1) {
-                pageNode.scrollIntoView();
-            }
-        });
-        this._probePageLoad(ctx);
+        const initialOffset = parseInt(ctx.parameters.offset || 0);
+        this._loadPage(ctx, initialOffset, this.defaultLimit, true)
+            .then(pageNode => {
+                if (initialOffset !== 0) {
+                    pageNode.scrollIntoView();
+                }
+            });
+
+        this._timeout = window.setInterval(() => {
+            window.requestAnimationFrame(() => {
+                this._probePageLoad(ctx);
+                this._syncUrl(ctx);
+            });
+        }, 250);
 
         views.monitorNodeRemoval(this._pagesHolderNode, () => this._destroy());
     }
@@ -40,27 +61,24 @@ class EndlessPageView {
         return this._hostNode.querySelector('.page-header-holder');
     }
 
+    get topPageGuardNode() {
+        return this._hostNode.querySelector('.page-guard.top');
+    }
+
+    get bottomPageGuardNode() {
+        return this._hostNode.querySelector('.page-guard.bottom');
+    }
+
     get _pagesHolderNode() {
         return this._hostNode.querySelector('.pages-holder');
     }
 
     _destroy() {
+        window.clearInterval(this._timeout);
         this._active = false;
     }
 
-    _probePageLoad(ctx) {
-        if (this._active) {
-            window.setTimeout(() => {
-                window.requestAnimationFrame(() => {
-                    this._probePageLoad(ctx);
-                });
-            }, 250);
-        }
-
-        if (this._working) {
-            return;
-        }
-
+    _syncUrl(ctx) {
         let topPageNode = null;
         let element = document.elementFromPoint(
             window.innerWidth / 2,
@@ -75,80 +93,106 @@ class EndlessPageView {
         if (!topPageNode) {
             return;
         }
-        let topPageNumber = parseInt(topPageNode.getAttribute('data-page'));
-        if (topPageNumber !== this.currentPage) {
+        let topOffset = parseInt(topPageNode.getAttribute('data-offset'));
+        let topLimit = parseInt(topPageNode.getAttribute('data-limit'));
+        if (topOffset !== this.currentOffset) {
             router.replace(
-                ctx.getClientUrlForPage(topPageNumber),
+                ctx.getClientUrlForPage(
+                    topOffset,
+                    topLimit === ctx.defaultLimit ? null : topLimit),
                 ctx.state,
                 false);
-            this.currentPage = topPageNumber;
-        }
-
-        if (this.totalPages === null) {
-            return;
-        }
-        let scrollHeight =
-            document.documentElement.scrollHeight -
-            document.documentElement.clientHeight;
-
-        if (this.minPageShown > 1 && window.scrollY < this.threshold) {
-            this._loadPage(ctx, this.minPageShown - 1, false);
-        } else if (this.maxPageShown < this.totalPages &&
-                window.scrollY + this.threshold > scrollHeight) {
-            this._loadPage(ctx, this.maxPageShown + 1, true);
+            this.currentOffset = topOffset;
         }
     }
 
-    _loadPage(ctx, pageNumber, append) {
-        this._working++;
+    _probePageLoad(ctx) {
+        if (!this._active || this._runningRequests) {
+            return;
+        }
+
+        if (this.totalRecords === null) {
+            return;
+        }
+
+        if (this.minOffsetShown > 0 &&
+                isScrolledIntoView(this.topPageGuardNode)) {
+            this._loadPage(
+                ctx,
+                this.minOffsetShown - this.defaultLimit,
+                this.defaultLimit,
+                false);
+        }
+
+        if (this.maxOffsetShown < this.totalRecords &&
+                isScrolledIntoView(this.bottomPageGuardNode)) {
+            this._loadPage(
+                ctx,
+                this.maxOffsetShown,
+                this.defaultLimit,
+                true);
+        }
+    }
+
+    _loadPage(ctx, offset, limit, append) {
+        this._runningRequests++;
         return new Promise((resolve, reject) => {
-            ctx.requestPage(pageNumber).then(response => {
+            ctx.requestPage(offset, limit).then(response => {
                 if (!this._active) {
-                    this._working--;
+                    this._runningRequests--;
                     return Promise.reject();
                 }
-                this.totalPages = Math.ceil(response.total / response.pageSize);
                 window.requestAnimationFrame(() => {
-                    let pageNode = this._renderPage(
-                        ctx, pageNumber, append, response);
-                    this._working--;
+                    let pageNode = this._renderPage(ctx, append, response);
+                    this._runningRequests--;
                     resolve(pageNode);
                 });
             }, error => {
                 this.showError(error.message);
-                this._working--;
+                this._runningRequests--;
                 reject();
             });
         });
     }
 
-    _renderPage(ctx, pageNumber, append, response) {
+    _renderPage(ctx, append, response) {
         let pageNode = null;
 
         if (response.total) {
             pageNode = pageTemplate({
-                page: pageNumber,
-                totalPages: this.totalPages,
+                totalPages: Math.ceil(response.total / response.limit),
+                page: Math.ceil(
+                    (response.offset + response.limit) / response.limit),
             });
-            pageNode.setAttribute('data-page', pageNumber);
+            pageNode.setAttribute('data-offset', response.offset);
+            pageNode.setAttribute('data-limit', response.limit);
 
-            Object.assign(ctx.pageContext, response);
-            ctx.pageContext.hostNode = pageNode.querySelector(
-                '.page-content-holder');
-            ctx.pageRenderer(ctx.pageContext);
+            ctx.pageRenderer({
+                parameters: ctx.parameters,
+                response: response,
+                hostNode: pageNode.querySelector('.page-content-holder'),
+            });
 
-            if (pageNumber < this.minPageShown ||
-                    this.minPageShown === null) {
-                this.minPageShown = pageNumber;
+            this.totalRecords = response.total;
+
+            if (response.offset < this.minOffsetShown ||
+                    this.minOffsetShown === null) {
+                this.minOffsetShown = response.offset;
             }
-            if (pageNumber > this.maxPageShown ||
-                    this.maxPageShown === null) {
-                this.maxPageShown = pageNumber;
+            if (response.offset + response.results.length
+                    > this.maxOffsetShown ||
+                    this.maxOffsetShown === null) {
+                this.maxOffsetShown =
+                    response.offset + response.results.length;
             }
+            response.results.addEventListener('remove', e => {
+                this.maxOffsetShown--;
+                this.totalRecords--;
+            });
 
             if (append) {
                 this._pagesHolderNode.appendChild(pageNode);
-                if (!this._init && pageNumber !== 1) {
+                if (this._initialPageLoad && response.offset > 0) {
                     window.scroll(0, pageNode.getBoundingClientRect().top);
                 }
             } else {
@@ -158,11 +202,11 @@ class EndlessPageView {
                     window.scrollX,
                     window.scrollY + pageNode.offsetHeight);
             }
-        } else if (response.total <= (pageNumber - 1) * response.pageSize) {
+        } else if (!response.results.length) {
             this.showInfo('No data to show');
         }
 
-        this._init = true;
+        this._initialPageLoad = false;
         return pageNode;
     }
 
diff --git a/client/js/views/help_view.js b/client/js/views/help_view.js
index 61a13300..11f6a39a 100644
--- a/client/js/views/help_view.js
+++ b/client/js/views/help_view.js
@@ -1,6 +1,6 @@
 'use strict';
 
-const config = require('../config.js');
+const api = require('../api.js');
 const views = require('../util/views.js');
 
 const template = views.getTemplate('help');
@@ -26,7 +26,7 @@ class HelpView {
 
         const sourceNode = template();
         const ctx = {
-            name: config.name,
+            name: api.getName(),
         };
 
         section = section || 'about';
@@ -44,11 +44,18 @@ class HelpView {
                 subsectionTemplates[section][subsection](ctx));
         }
 
+        views.replaceContent(this._hostNode, sourceNode);
+
         for (let itemNode of
                 sourceNode.querySelectorAll('.primary [data-name]')) {
             itemNode.classList.toggle(
                 'active',
                 itemNode.getAttribute('data-name') === section);
+            if (itemNode.getAttribute('data-name') === section) {
+                itemNode.parentNode.scrollLeft =
+                    itemNode.getBoundingClientRect().left -
+                    itemNode.parentNode.getBoundingClientRect().left
+            }
         }
 
         for (let itemNode of
@@ -56,9 +63,13 @@ class HelpView {
             itemNode.classList.toggle(
                 'active',
                 itemNode.getAttribute('data-name') === subsection);
+            if (itemNode.getAttribute('data-name') === subsection) {
+                itemNode.parentNode.scrollLeft =
+                    itemNode.getBoundingClientRect().left -
+                    itemNode.parentNode.getBoundingClientRect().left
+            }
         }
 
-        views.replaceContent(this._hostNode, sourceNode);
         views.syncScrollPosition();
     }
 }
diff --git a/client/js/views/home_view.js b/client/js/views/home_view.js
index af3d2ddc..c9267053 100644
--- a/client/js/views/home_view.js
+++ b/client/js/views/home_view.js
@@ -1,6 +1,7 @@
 'use strict';
 
 const router = require('../router.js');
+const uri = require('../util/uri.js');
 const misc = require('../util/misc.js');
 const views = require('../util/views.js');
 const PostContentControl = require('../controls/post_content_control.js');
@@ -23,12 +24,16 @@ class HomeView {
         views.syncScrollPosition();
 
         if (this._formNode) {
-            this._tagAutoCompleteControl = new TagAutoCompleteControl(
-                this._searchInputNode);
+            this._autoCompleteControl = new TagAutoCompleteControl(
+                this._searchInputNode,
+                {
+                    confirm: tag =>
+                        this._autoCompleteControl.replaceSelectedText(
+                            misc.escapeSearchTerm(tag.names[0]), true),
+                });
             this._formNode.addEventListener(
                 'submit', e => this._evtFormSubmit(e));
         }
-
     }
 
     showSuccess(text) {
@@ -57,11 +62,17 @@ class HomeView {
                         window.innerWidth * 0.8,
                         window.innerHeight * 0.7,
                     ];
-                });
+                },
+                'fit-both');
 
             this._postNotesOverlay = new PostNotesOverlayControl(
                 this._postContainerNode.querySelector('.post-overlay'),
                 postInfo.featuredPost);
+
+            if (postInfo.featuredPost.type === 'video'
+            || postInfo.featuredPost.type === 'flash') {
+                this._postContentControl.disableOverlay();
+            }
         }
     }
 
@@ -88,7 +99,7 @@ class HomeView {
     _evtFormSubmit(e) {
         e.preventDefault();
         this._searchInputNode.blur();
-        router.show('/posts/' + misc.formatUrlParameters({
+        router.show(uri.formatClientLink('posts', {
             query: this._searchInputNode.value}));
     }
 }
diff --git a/client/js/views/login_view.js b/client/js/views/login_view.js
index 7d97982c..2c05332c 100644
--- a/client/js/views/login_view.js
+++ b/client/js/views/login_view.js
@@ -1,7 +1,7 @@
 'use strict';
 
-const config = require('../config.js');
 const events = require('../events.js');
+const api = require('../api.js');
 const views = require('../util/views.js');
 
 const template = views.getTemplate('login');
@@ -12,15 +12,15 @@ class LoginView extends events.EventTarget {
         this._hostNode = document.getElementById('content-holder');
 
         views.replaceContent(this._hostNode, template({
-            userNamePattern: config.userNameRegex,
-            passwordPattern: config.passwordRegex,
-            canSendMails: config.canSendMails,
+            userNamePattern: api.getUserNameRegex(),
+            passwordPattern: api.getPasswordRegex(),
+            canSendMails: api.canSendMails(),
         }));
         views.syncScrollPosition();
 
         views.decorateValidator(this._formNode);
-        this._userNameInputNode.setAttribute('pattern', config.userNameRegex);
-        this._passwordInputNode.setAttribute('pattern', config.passwordRegex);
+        this._userNameInputNode.setAttribute('pattern', api.getUserNameRegex());
+        this._passwordInputNode.setAttribute('pattern', api.getPasswordRegex());
         this._formNode.addEventListener('submit', e => {
             e.preventDefault();
             this.dispatchEvent(new CustomEvent('submit', {
diff --git a/client/js/views/manual_page_view.js b/client/js/views/manual_page_view.js
index 3507fd7b..94394a33 100644
--- a/client/js/views/manual_page_view.js
+++ b/client/js/views/manual_page_view.js
@@ -2,7 +2,6 @@
 
 const router = require('../router.js');
 const keyboard = require('../util/keyboard.js');
-const misc = require('../util/misc.js');
 const views = require('../util/views.js');
 
 const holderTemplate = views.getTemplate('manual-pager');
@@ -36,19 +35,23 @@ function _getVisiblePageNumbers(currentPage, totalPages) {
     return pagesVisible;
 }
 
-function _getPages(currentPage, pageNumbers, ctx) {
-    const pages = [];
-    let lastPage = 0;
+function _getPages(
+        currentPage, pageNumbers, limit, defaultLimit, removedItems) {
+    const pages = new Map();
+    let prevPage = 0;
     for (let page of pageNumbers) {
-        if (page !== lastPage + 1) {
-            pages.push({ellipsis: true});
+        if (page !== prevPage + 1) {
+            pages.set(page - 1, {ellipsis: true});
         }
-        pages.push({
+        pages.set(page, {
             number: page,
-            link: ctx.getClientUrlForPage(page),
+            offset:
+                (page - 1) * limit -
+                (page > currentPage ? removedItems : 0),
+            limit: limit === defaultLimit ? null : limit,
             active: currentPage === page,
         });
-        lastPage = page;
+        prevPage = page;
     }
     return pages;
 }
@@ -60,49 +63,44 @@ class ManualPageView {
     }
 
     run(ctx) {
-        const currentPage = ctx.parameters.page;
+        const offset = parseInt(ctx.parameters.offset || 0);
+        const limit = parseInt(ctx.parameters.limit || ctx.defaultLimit);
         this.clearMessages();
         views.emptyContent(this._pageNavNode);
 
-        ctx.requestPage(currentPage).then(response => {
-            Object.assign(ctx.pageContext, response);
-            ctx.pageContext.hostNode = this._pageContentHolderNode;
-            ctx.pageRenderer(ctx.pageContext);
-
-            const totalPages = Math.ceil(response.total / response.pageSize);
-            const pageNumbers = _getVisiblePageNumbers(currentPage, totalPages);
-            const pages = _getPages(currentPage, pageNumbers, ctx);
+        ctx.requestPage(offset, limit).then(response => {
+            ctx.pageRenderer({
+                parameters: ctx.parameters,
+                response: response,
+                hostNode: this._pageContentHolderNode,
+            });
 
             keyboard.bind(['a', 'left'], () => {
-                if (currentPage > 1) {
-                    router.show(ctx.getClientUrlForPage(currentPage - 1));
-                }
+                this._navigateToPrevNextPage('prev');
             });
             keyboard.bind(['d', 'right'], () => {
-                if (currentPage < totalPages) {
-                    router.show(ctx.getClientUrlForPage(currentPage + 1));
-                }
+                this._navigateToPrevNextPage('next');
             });
 
+            let removedItems = 0;
             if (response.total) {
-                views.replaceContent(
-                    this._pageNavNode,
-                    navTemplate({
-                        prevLink: ctx.getClientUrlForPage(currentPage - 1),
-                        nextLink: ctx.getClientUrlForPage(currentPage + 1),
-                        prevLinkActive: currentPage > 1,
-                        nextLinkActive: currentPage < totalPages,
-                        pages: pages,
-                    }));
+                this._refreshNav(
+                    offset, limit, response.total, removedItems, ctx);
             }
 
-            if (response.total <= (currentPage - 1) * response.pageSize) {
+            if (!response.results.length) {
                 this.showInfo('No data to show');
             }
 
+            response.results.addEventListener('remove', e => {
+                removedItems++;
+                this._refreshNav(
+                    offset, limit, response.total, removedItems, ctx);
+            });
+
             views.syncScrollPosition();
         }, response => {
-            this.showError(response.description);
+            this.showError(response.message);
         });
     }
 
@@ -133,6 +131,33 @@ class ManualPageView {
     showInfo(message) {
         views.showInfo(this._hostNode, message);
     }
+
+    _navigateToPrevNextPage(className) {
+        const linkNode = this._hostNode.querySelector('a.' + className);
+        if (linkNode.classList.contains('disabled')) {
+            return;
+        }
+        router.show(linkNode.getAttribute('href'));
+    }
+
+    _refreshNav(offset, limit, total, removedItems, ctx) {
+        const currentPage = Math.floor((offset + limit - 1) / limit) + 1;
+        const totalPages = Math.ceil((total - removedItems) / limit);
+        const pageNumbers = _getVisiblePageNumbers(currentPage, totalPages);
+        const pages = _getPages(
+            currentPage, pageNumbers, limit, ctx.defaultLimit, removedItems);
+
+        views.replaceContent(
+            this._pageNavNode,
+            navTemplate({
+                getClientUrlForPage: ctx.getClientUrlForPage,
+                prevPage: Math.min(totalPages, Math.max(1, currentPage - 1)),
+                nextPage: Math.min(totalPages, Math.max(1, currentPage + 1)),
+                currentPage: currentPage,
+                totalPages: totalPages,
+                pages: pages,
+            }));
+    }
 }
 
 module.exports = ManualPageView;
diff --git a/client/js/views/not_found_view.js b/client/js/views/not_found_view.js
index 8b5a1039..487613b5 100644
--- a/client/js/views/not_found_view.js
+++ b/client/js/views/not_found_view.js
@@ -1,6 +1,5 @@
 'use strict';
 
-const config = require('../config.js');
 const views = require('../util/views.js');
 
 const template = views.getTemplate('not-found');
diff --git a/client/js/views/password_reset_view.js b/client/js/views/password_reset_view.js
index 38ac719b..685fe5a0 100644
--- a/client/js/views/password_reset_view.js
+++ b/client/js/views/password_reset_view.js
@@ -1,6 +1,7 @@
 'use strict';
 
 const events = require('../events.js');
+const api = require('../api.js');
 const views = require('../util/views.js');
 
 const template = views.getTemplate('password-reset');
@@ -10,7 +11,10 @@ class PasswordResetView extends events.EventTarget {
         super();
         this._hostNode = document.getElementById('content-holder');
 
-        views.replaceContent(this._hostNode, template());
+        views.replaceContent(this._hostNode, template({
+            canSendMails: api.canSendMails(),
+            contactEmail: api.getContactEmail(),
+        }));
         views.syncScrollPosition();
 
         views.decorateValidator(this._formNode);
diff --git a/client/js/views/post_detail_view.js b/client/js/views/post_detail_view.js
index 4c19059f..14786d3f 100644
--- a/client/js/views/post_detail_view.js
+++ b/client/js/views/post_detail_view.js
@@ -26,6 +26,11 @@ class PostDetailView extends events.EventTarget {
         for (let item of this._hostNode.querySelectorAll('[data-name]')) {
             item.classList.toggle(
                 'active', item.getAttribute('data-name') === ctx.section);
+            if (item.getAttribute('data-name') === ctx.section) {
+                item.parentNode.scrollLeft =
+                    item.getBoundingClientRect().left -
+                    item.parentNode.getBoundingClientRect().left
+            }
         }
 
         ctx.hostNode = this._hostNode.querySelector('.post-content-holder');
diff --git a/client/js/views/post_main_view.js b/client/js/views/post_main_view.js
index 7c115dbd..141de712 100644
--- a/client/js/views/post_main_view.js
+++ b/client/js/views/post_main_view.js
@@ -1,7 +1,9 @@
 'use strict';
 
+const iosCorrectedInnerHeight = require('ios-inner-height');
 const router = require('../router.js');
 const views = require('../util/views.js');
+const uri = require('../util/uri.js');
 const keyboard = require('../util/keyboard.js');
 const PostContentControl = require('../controls/post_content_control.js');
 const PostNotesOverlayControl =
@@ -25,23 +27,20 @@ class PostMainView {
         views.replaceContent(this._hostNode, sourceNode);
         views.syncScrollPosition();
 
-        const postViewNode = document.body.querySelector('.content-wrapper');
         const topNavigationNode =
             document.body.querySelector('#top-navigation');
 
-        const margin = (
-            postViewNode.getBoundingClientRect().top -
-            topNavigationNode.getBoundingClientRect().height);
-
         this._postContentControl = new PostContentControl(
             postContainerNode,
             ctx.post,
             () => {
+                const margin = sidebarNode.getBoundingClientRect().left;
+
                 return [
                     window.innerWidth -
                         postContainerNode.getBoundingClientRect().left -
                         margin,
-                    window.innerHeight -
+                    iosCorrectedInnerHeight() -
                         topNavigationNode.getBoundingClientRect().height -
                         margin * 2,
                 ];
@@ -61,19 +60,24 @@ class PostMainView {
 
         keyboard.bind('e', () => {
             if (ctx.editMode) {
-                router.show('/post/' + ctx.post.id);
+                router.show(uri.formatClientLink('post', ctx.post.id));
             } else {
-                router.show('/post/' + ctx.post.id + '/edit');
+                router.show(uri.formatClientLink('post', ctx.post.id, 'edit'));
             }
         });
         keyboard.bind(['a', 'left'], () => {
             if (ctx.prevPostId) {
-                router.show('/post/' + ctx.prevPostId);
+                router.show(ctx.getPostUrl(ctx.prevPostId, ctx.parameters));
             }
         });
         keyboard.bind(['d', 'right'], () => {
             if (ctx.nextPostId) {
-                router.show('/post/' + ctx.nextPostId);
+                router.show(ctx.getPostUrl(ctx.nextPostId, ctx.parameters));
+            }
+        });
+        keyboard.bind('del', (e) => {
+            if (ctx.editMode) {
+                this.sidebarControl._evtDeleteClick(e);
             }
         });
     }
diff --git a/client/js/views/post_merge_view.js b/client/js/views/post_merge_view.js
index 04ed21da..3e987b36 100644
--- a/client/js/views/post_merge_view.js
+++ b/client/js/views/post_merge_view.js
@@ -1,6 +1,5 @@
 'use strict';
 
-const config = require('../config.js');
 const events = require('../events.js');
 const views = require('../util/views.js');
 
diff --git a/client/js/views/post_upload_view.js b/client/js/views/post_upload_view.js
index 144526be..b4d0c409 100644
--- a/client/js/views/post_upload_view.js
+++ b/client/js/views/post_upload_view.js
@@ -156,6 +156,8 @@ class PostUploadView extends events.EventTarget {
         this._contentFileDropper = new FileDropperControl(
             this._contentInputNode,
             {
+                extraText:
+                    'Allowed extensions: .jpg, .png, .gif, .webm, .mp4, .swf',
                 allowUrls: true,
                 allowMultiple: true,
                 lock: false,
@@ -275,21 +277,29 @@ class PostUploadView extends events.EventTarget {
 
     _updateUploadableFromDom(uploadable) {
         const rowNode = uploadable.rowNode;
-        uploadable.safety =
-            rowNode.querySelector('.safety input:checked').value;
-        uploadable.anonymous =
-            rowNode.querySelector('.anonymous input').checked;
+
+        const safetyNode = rowNode.querySelector('.safety input:checked');
+        if (safetyNode) {
+            uploadable.safety = safetyNode.value;
+        }
+
+        const anonymousNode = rowNode.querySelector('.anonymous input:checked');
+        if (anonymousNode) {
+            uploadable.anonymous = true;
+        }
+
         uploadable.flags = [];
         if (rowNode.querySelector('.loop-video input:checked')) {
             uploadable.flags.push('loop');
         }
+
         uploadable.tags = [];
         uploadable.relations = [];
         for (let [i, lookalike] of uploadable.lookalikes.entries()) {
             let lookalikeNode = rowNode.querySelector(
                 `.lookalikes li:nth-child(${i + 1})`);
             if (lookalikeNode.querySelector('[name=copy-tags]').checked) {
-                uploadable.tags = uploadable.tags.concat(lookalike.post.tags);
+                uploadable.tags = uploadable.tags.concat(lookalike.post.tagNames);
             }
             if (lookalikeNode.querySelector('[name=add-relation]').checked) {
                 uploadable.relations.push(lookalike.post.id);
diff --git a/client/js/views/posts_header_view.js b/client/js/views/posts_header_view.js
index 04764c1e..6b697c4f 100644
--- a/client/js/views/posts_header_view.js
+++ b/client/js/views/posts_header_view.js
@@ -11,6 +11,115 @@ const TagAutoCompleteControl =
 
 const template = views.getTemplate('posts-header');
 
+class BulkEditor extends events.EventTarget {
+    constructor(hostNode) {
+        super();
+        this._hostNode = hostNode;
+        this._openLinkNode.addEventListener(
+            'click', e => this._evtOpenLinkClick(e));
+        this._closeLinkNode.addEventListener(
+            'click', e => this._evtCloseLinkClick(e));
+    }
+
+    get opened() {
+        return this._hostNode.classList.contains('opened') &&
+            !this._hostNode.classList.contains('hidden');
+    }
+
+    get _openLinkNode() {
+        return this._hostNode.querySelector('.open');
+    }
+
+    get _closeLinkNode() {
+        return this._hostNode.querySelector('.close');
+    }
+
+    toggleOpen(state) {
+        this._hostNode.classList.toggle('opened', state);
+    }
+
+    toggleHide(state) {
+        this._hostNode.classList.toggle('hidden', state);
+    }
+
+    _evtOpenLinkClick(e) {
+        throw new Error('Not implemented');
+    }
+
+    _evtCloseLinkClick(e) {
+        throw new Error('Not implemented');
+    }
+}
+
+class BulkSafetyEditor extends BulkEditor {
+    constructor(hostNode) {
+        super(hostNode);
+    }
+
+    _evtOpenLinkClick(e) {
+        e.preventDefault();
+        this.toggleOpen(true);
+        this.dispatchEvent(new CustomEvent('open', {detail: {}}));
+    }
+
+    _evtCloseLinkClick(e) {
+        e.preventDefault();
+        this.toggleOpen(false);
+        this.dispatchEvent(new CustomEvent('close', {detail: {}}));
+    }
+}
+
+class BulkTagEditor extends BulkEditor {
+    constructor(hostNode) {
+        super(hostNode);
+        this._autoCompleteControl = new TagAutoCompleteControl(
+            this._inputNode,
+            {
+                confirm: tag =>
+                    this._autoCompleteControl.replaceSelectedText(
+                        tag.names[0], false),
+            });
+        this._hostNode.addEventListener('submit', e => this._evtFormSubmit(e));
+    }
+
+    get value() {
+        return this._inputNode.value;
+    }
+
+    get _inputNode() {
+        return this._hostNode.querySelector('input[name=tag]');
+    }
+
+    focus() {
+        this._inputNode.focus();
+    }
+
+    blur() {
+        this._autoCompleteControl.hide();
+        this._inputNode.blur();
+    }
+
+    _evtFormSubmit(e) {
+        e.preventDefault();
+        this.dispatchEvent(new CustomEvent('submit', {detail: {}}));
+    }
+
+    _evtOpenLinkClick(e) {
+        e.preventDefault();
+        this.toggleOpen(true);
+        this.focus();
+        this.dispatchEvent(new CustomEvent('open', {detail: {}}));
+    }
+
+    _evtCloseLinkClick(e) {
+        e.preventDefault();
+        this._inputNode.value = '';
+        this.toggleOpen(false);
+        this.blur();
+        this.dispatchEvent(new CustomEvent('close', {detail: {}}));
+    }
+}
+
 class PostsHeaderView extends events.EventTarget {
     constructor(ctx) {
         super();
@@ -20,13 +129,13 @@ class PostsHeaderView extends events.EventTarget {
         this._hostNode = ctx.hostNode;
         views.replaceContent(this._hostNode, template(ctx));
 
-        this._queryAutoCompleteControl = new TagAutoCompleteControl(
+        this._autoCompleteControl = new TagAutoCompleteControl(
             this._queryInputNode,
-            {addSpace: true, transform: misc.escapeSearchTerm});
-        if (this._massTagInputNode) {
-            this._masstagAutoCompleteControl = new TagAutoCompleteControl(
-                this._massTagInputNode, {addSpace: false});
-        }
+            {
+                confirm: tag =>
+                    this._autoCompleteControl.replaceSelectedText(
+                        misc.escapeSearchTerm(tag.names[0]), true),
+            });
 
         keyboard.bind('p', () => this._focusFirstPostNode());
         search.searchInputNodeFocusHelper(this._queryInputNode);
@@ -35,27 +144,43 @@ class PostsHeaderView extends events.EventTarget {
             safetyButtonNode.addEventListener(
                 'click', e => this._evtSafetyButtonClick(e));
         }
-        this._formNode.addEventListener(
-            'submit', e => this._evtFormSubmit(e));
+        this._formNode.addEventListener('submit', e => this._evtFormSubmit(e));
 
-        if (this._massTagInputNode) {
-            if (this._openMassTagLinkNode) {
-                this._openMassTagLinkNode.addEventListener(
-                    'click', e => this._evtMassTagClick(e));
-            }
-            this._stopMassTagLinkNode.addEventListener(
-                'click', e => this._evtStopTaggingClick(e));
-            this._toggleMassTagVisibility(!!ctx.parameters.tag);
+        this._bulkEditors = [];
+        if (this._bulkEditTagsNode) {
+            this._bulkTagEditor = new BulkTagEditor(this._bulkEditTagsNode);
+            this._bulkEditors.push(this._bulkTagEditor);
+        }
+
+        if (this._bulkEditSafetyNode) {
+            this._bulkSafetyEditor = new BulkSafetyEditor(
+                this._bulkEditSafetyNode);
+            this._bulkEditors.push(this._bulkSafetyEditor);
+        }
+
+        for (let editor of this._bulkEditors) {
+            editor.addEventListener('submit', e => {
+                this._navigate();
+            });
+            editor.addEventListener('open', e => {
+                this._hideBulkEditorsExcept(editor);
+                this._navigate();
+            });
+            editor.addEventListener('close', e => {
+                this._closeAndShowAllBulkEditors();
+                this._navigate();
+            });
+        }
+
+        if (ctx.parameters.tag && this._bulkTagEditor) {
+            this._openBulkEditor(this._bulkTagEditor);
+        } else if (ctx.parameters.safety && this._bulkSafetyEditor) {
+            this._openBulkEditor(this._bulkSafetyEditor);
         }
     }
 
-    _toggleMassTagVisibility(state) {
-        this._formNode.querySelector('.masstag')
-            .classList.toggle('active', state);
-    }
-
     get _formNode() {
-        return this._hostNode.querySelector('form');
+        return this._hostNode.querySelector('form.search');
     }
 
     get _safetyButtonNodes() {
@@ -66,32 +191,33 @@ class PostsHeaderView extends events.EventTarget {
         return this._hostNode.querySelector('form [name=search-text]');
     }
 
-    get _massTagInputNode() {
-        return this._hostNode.querySelector('form [name=masstag]');
+    get _bulkEditTagsNode() {
+        return this._hostNode.querySelector('.bulk-edit-tags');
     }
 
-    get _openMassTagLinkNode() {
-        return this._hostNode.querySelector('form .open-masstag');
+    get _bulkEditSafetyNode() {
+        return this._hostNode.querySelector('.bulk-edit-safety');
     }
 
-    get _stopMassTagLinkNode() {
-        return this._hostNode.querySelector('form .stop-tagging');
+    _openBulkEditor(editor) {
+        editor.toggleOpen(true);
+        this._hideBulkEditorsExcept(editor);
     }
 
-    _evtMassTagClick(e) {
-        e.preventDefault();
-        this._toggleMassTagVisibility(true);
+    _hideBulkEditorsExcept(editor) {
+        for (let otherEditor of this._bulkEditors) {
+            if (otherEditor !== editor) {
+                otherEditor.toggleOpen(false);
+                otherEditor.toggleHide(true);
+            }
+        }
     }
 
-    _evtStopTaggingClick(e) {
-        e.preventDefault();
-        this._massTagInputNode.value = '';
-        this._toggleMassTagVisibility(false);
-        this.dispatchEvent(new CustomEvent('navigate', {detail: {parameters: {
-            query: this._ctx.parameters.query,
-            page: this._ctx.parameters.page,
-            tag: null,
-        }}}));
+    _closeAndShowAllBulkEditors() {
+        for (let otherEditor of this._bulkEditors) {
+            otherEditor.toggleOpen(false);
+            otherEditor.toggleHide(false);
+        }
     }
 
     _evtSafetyButtonClick(e, url) {
@@ -107,26 +233,30 @@ class PostsHeaderView extends events.EventTarget {
                 'navigate', {
                     detail: {
                         parameters: Object.assign(
-                            {}, this._ctx.parameters, {tag: null, page: 1}),
+                            {}, this._ctx.parameters, {tag: null, offset: 0}),
                     },
                 }));
     }
 
     _evtFormSubmit(e) {
         e.preventDefault();
-        this._queryAutoCompleteControl.hide();
-        if (this._masstagAutoCompleteControl) {
-            this._masstagAutoCompleteControl.hide();
-        }
+        this._navigate();
+    }
+
+    _navigate() {
+        this._autoCompleteControl.hide();
         let parameters = {query: this._queryInputNode.value};
-        parameters.page = parameters.query === this._ctx.parameters.query ?
-            this._ctx.parameters.page : 1;
-        if (this._massTagInputNode) {
-            parameters.tag = this._massTagInputNode.value;
-            this._massTagInputNode.blur();
+        parameters.offset = parameters.query === this._ctx.parameters.query ?
+            this._ctx.parameters.offset : 0;
+        if (this._bulkTagEditor && this._bulkTagEditor.opened) {
+            parameters.tag = this._bulkTagEditor.value;
+            this._bulkTagEditor.blur();
         } else {
             parameters.tag = null;
         }
+        parameters.safety = (
+            this._bulkSafetyEditor &&
+            this._bulkSafetyEditor.opened ? '1' : null);
         this.dispatchEvent(
             new CustomEvent('navigate', {detail: {parameters: parameters}}));
     }
diff --git a/client/js/views/posts_page_view.js b/client/js/views/posts_page_view.js
index 686adcfe..292c6175 100644
--- a/client/js/views/posts_page_view.js
+++ b/client/js/views/posts_page_view.js
@@ -13,42 +13,56 @@ class PostsPageView extends events.EventTarget {
         views.replaceContent(this._hostNode, template(ctx));
 
         this._postIdToPost = {};
-        for (let post of ctx.results) {
+        for (let post of ctx.response.results) {
             this._postIdToPost[post.id] = post;
             post.addEventListener('change', e => this._evtPostChange(e));
         }
 
-        this._postIdToLinkNode = {};
-        for (let linkNode of this._hostNode.querySelectorAll('.masstag')) {
-            const postId = linkNode.getAttribute('data-post-id');
+        this._postIdToListItemNode = {};
+        for (let listItemNode of this._listItemNodes) {
+            const postId = listItemNode.getAttribute('data-post-id');
             const post = this._postIdToPost[postId];
-            this._postIdToLinkNode[postId] = linkNode;
-            linkNode.addEventListener(
-                'click', e => this._evtMassTagClick(e, post));
+            this._postIdToListItemNode[postId] = listItemNode;
+
+            const tagFlipperNode = this._getTagFlipperNode(listItemNode);
+            if (tagFlipperNode) {
+                tagFlipperNode.addEventListener(
+                    'click', e => this._evtBulkEditTagsClick(e, post));
+            }
+
+            const safetyFlipperNode = this._getSafetyFlipperNode(listItemNode);
+            if (safetyFlipperNode) {
+                for (let linkNode of safetyFlipperNode.querySelectorAll('a')) {
+                    linkNode.addEventListener(
+                        'click', e => this._evtBulkEditSafetyClick(e, post));
+                }
+            }
         }
 
-        this._syncMassTagHighlights();
+        this._syncBulkEditorsHighlights();
+    }
+
+    get _listItemNodes() {
+        return this._hostNode.querySelectorAll('li');
+    }
+
+    _getTagFlipperNode(listItemNode) {
+        return listItemNode.querySelector('.tag-flipper');
+    }
+
+    _getSafetyFlipperNode(listItemNode) {
+        return listItemNode.querySelector('.safety-flipper');
     }
 
     _evtPostChange(e) {
-        const linkNode = this._postIdToLinkNode[e.detail.post.id];
-        linkNode.removeAttribute('data-disabled');
-        this._syncMassTagHighlights();
-    }
-
-    _syncMassTagHighlights() {
-        for (let linkNode of this._hostNode.querySelectorAll('.masstag')) {
-            const postId = linkNode.getAttribute('data-post-id');
-            const post = this._postIdToPost[postId];
-            let tagged = true;
-            for (let tag of this._ctx.massTagTags) {
-                tagged = tagged & post.isTaggedWith(tag);
-            }
-            linkNode.classList.toggle('tagged', tagged);
+        const listItemNode = this._postIdToListItemNode[e.detail.post.id];
+        for (let node of listItemNode.querySelectorAll('[data-disabled]')) {
+            node.removeAttribute('data-disabled');
         }
+        this._syncBulkEditorsHighlights();
     }
 
-    _evtMassTagClick(e, post) {
+    _evtBulkEditTagsClick(e, post) {
         e.preventDefault();
         const linkNode = e.target;
         if (linkNode.getAttribute('data-disabled')) {
@@ -60,6 +74,46 @@ class PostsPageView extends events.EventTarget {
                 linkNode.classList.contains('tagged') ? 'untag' : 'tag',
                 {detail: {post: post}}));
     }
+
+    _evtBulkEditSafetyClick(e, post) {
+        e.preventDefault();
+        const linkNode = e.target;
+        if (linkNode.getAttribute('data-disabled')) {
+            return;
+        }
+        const newSafety = linkNode.getAttribute('data-safety');
+        if (post.safety === newSafety) {
+            return;
+        }
+        linkNode.setAttribute('data-disabled', true);
+        this.dispatchEvent(
+            new CustomEvent(
+                'changeSafety', {detail: {post: post, safety: newSafety}}));
+    }
+
+    _syncBulkEditorsHighlights() {
+        for (let listItemNode of this._listItemNodes) {
+            const postId = listItemNode.getAttribute('data-post-id');
+            const post = this._postIdToPost[postId];
+
+            const tagFlipperNode = this._getTagFlipperNode(listItemNode);
+            if (tagFlipperNode) {
+                let tagged = true;
+                for (let tag of this._ctx.bulkEdit.tags) {
+                    tagged = tagged & post.tags.isTaggedWith(tag);
+                }
+                tagFlipperNode.classList.toggle('tagged', tagged);
+            }
+
+            const safetyFlipperNode = this._getSafetyFlipperNode(listItemNode);
+            if (safetyFlipperNode) {
+                for (let linkNode of safetyFlipperNode.querySelectorAll('a')) {
+                    const safety = linkNode.getAttribute('data-safety');
+                    linkNode.classList.toggle('active', post.safety == safety);
+                }
+            }
+        }
+    }
 }
 
 module.exports = PostsPageView;
diff --git a/client/js/views/registration_view.js b/client/js/views/registration_view.js
index fb924c2f..48034ddf 100644
--- a/client/js/views/registration_view.js
+++ b/client/js/views/registration_view.js
@@ -1,7 +1,7 @@
 'use strict';
 
-const config = require('../config.js');
 const events = require('../events.js');
+const api = require('../api.js');
 const views = require('../util/views.js');
 
 const template = views.getTemplate('user-registration');
@@ -11,8 +11,8 @@ class RegistrationView extends events.EventTarget {
         super();
         this._hostNode = document.getElementById('content-holder');
         views.replaceContent(this._hostNode, template({
-            userNamePattern: config.userNameRegex,
-            passwordPattern: config.passwordRegex,
+            userNamePattern: api.getUserNameRegex(),
+            passwordPattern: api.getPasswordRegex(),
         }));
         views.syncScrollPosition();
         views.decorateValidator(this._formNode);
diff --git a/client/js/views/tag_edit_view.js b/client/js/views/tag_edit_view.js
index 600cebc9..5b517d46 100644
--- a/client/js/views/tag_edit_view.js
+++ b/client/js/views/tag_edit_view.js
@@ -1,7 +1,7 @@
 'use strict';
 
-const config = require('../config.js');
 const events = require('../events.js');
+const api = require('../api.js');
 const misc = require('../util/misc.js');
 const views = require('../util/views.js');
 const TagInputControl = require('../controls/tag_input_control.js');
@@ -24,10 +24,12 @@ class TagEditView extends events.EventTarget {
         }
 
         if (this._implicationsFieldNode) {
-            new TagInputControl(this._implicationsFieldNode);
+            new TagInputControl(
+                this._implicationsFieldNode, this._tag.implications);
         }
         if (this._suggestionsFieldNode) {
-            new TagInputControl(this._suggestionsFieldNode);
+            new TagInputControl(
+                this._suggestionsFieldNode, this._tag.suggestions);
         }
 
         for (let node of this._formNode.querySelectorAll(
@@ -62,7 +64,7 @@ class TagEditView extends events.EventTarget {
     }
 
     _evtNameInput(e) {
-        const regex = new RegExp(config.tagNameRegex);
+        const regex = new RegExp(api.getTagNameRegex());
         const list = misc.splitByWhitespace(this._namesFieldNode.value);
 
         if (!list.length) {
diff --git a/client/js/views/tag_merge_view.js b/client/js/views/tag_merge_view.js
index 711716c0..c975a50e 100644
--- a/client/js/views/tag_merge_view.js
+++ b/client/js/views/tag_merge_view.js
@@ -1,7 +1,7 @@
 'use strict';
 
-const config = require('../config.js');
 const events = require('../events.js');
+const api = require('../api.js');
 const views = require('../util/views.js');
 const TagAutoCompleteControl =
     require('../controls/tag_auto_complete_control.js');
@@ -14,12 +14,18 @@ class TagMergeView extends events.EventTarget {
 
         this._tag = ctx.tag;
         this._hostNode = ctx.hostNode;
-        ctx.tagNamePattern = config.tagNameRegex;
+        ctx.tagNamePattern = api.getTagNameRegex();
         views.replaceContent(this._hostNode, template(ctx));
 
         views.decorateValidator(this._formNode);
         if (this._targetTagFieldNode) {
-            new TagAutoCompleteControl(this._targetTagFieldNode);
+            this._autoCompleteControl = new TagAutoCompleteControl(
+                this._targetTagFieldNode,
+                {
+                    confirm: tag =>
+                        this._autoCompleteControl.replaceSelectedText(
+                            tag.names[0], false),
+                });
         }
 
         this._formNode.addEventListener('submit', e => this._evtSubmit(e));
@@ -51,6 +57,7 @@ class TagMergeView extends events.EventTarget {
             detail: {
                 tag: this._tag,
                 targetTagName: this._targetTagFieldNode.value,
+                addAlias: this._addAliasCheckboxNode.checked,
             },
         }));
     }
@@ -60,7 +67,11 @@ class TagMergeView extends events.EventTarget {
     }
 
     get _targetTagFieldNode() {
-        return this._formNode.querySelector('.target input');
+        return this._formNode.querySelector('input[name=target-tag]');
+    }
+
+    get _addAliasCheckboxNode() {
+        return this._formNode.querySelector('input[name=alias]');
     }
 }
 
diff --git a/client/js/views/tag_view.js b/client/js/views/tag_view.js
index fe9d4c1f..c3457bc6 100644
--- a/client/js/views/tag_view.js
+++ b/client/js/views/tag_view.js
@@ -29,6 +29,11 @@ class TagView extends events.EventTarget {
         for (let item of this._hostNode.querySelectorAll('[data-name]')) {
             item.classList.toggle(
                 'active', item.getAttribute('data-name') === ctx.section);
+            if (item.getAttribute('data-name') === ctx.section) {
+                item.parentNode.scrollLeft =
+                    item.getBoundingClientRect().left -
+                    item.parentNode.getBoundingClientRect().left
+            }
         }
 
         ctx.hostNode = this._hostNode.querySelector('.tag-content-holder');
diff --git a/client/js/views/tags_header_view.js b/client/js/views/tags_header_view.js
index 8b1b4767..05b32f32 100644
--- a/client/js/views/tags_header_view.js
+++ b/client/js/views/tags_header_view.js
@@ -17,8 +17,13 @@ class TagsHeaderView extends events.EventTarget {
         views.replaceContent(this._hostNode, template(ctx));
 
         if (this._queryInputNode) {
-            new TagAutoCompleteControl(
-                this._queryInputNode, {transform: misc.escapeSearchTerm});
+            this._autoCompleteControl = new TagAutoCompleteControl(
+                this._queryInputNode,
+                {
+                    confirm: tag =>
+                        this._autoCompleteControl.replaceSelectedText(
+                            misc.escapeSearchTerm(tag.names[0]), true),
+                });
         }
 
         search.searchInputNodeFocusHelper(this._queryInputNode);
diff --git a/client/js/views/top_navigation_view.js b/client/js/views/top_navigation_view.js
index be703fc6..2f991870 100644
--- a/client/js/views/top_navigation_view.js
+++ b/client/js/views/top_navigation_view.js
@@ -9,8 +9,22 @@ class TopNavigationView {
         this._hostNode = document.getElementById('top-navigation-holder');
     }
 
+    get _mobileNavigationToggleNode() {
+        return this._hostNode.querySelector('#mobile-navigation-toggle');
+    }
+
+    get _navigationListNode() {
+        return this._hostNode.querySelector('nav > ul');
+    }
+
+    get _navigationLinkNodes() {
+        return this._navigationListNode.querySelectorAll('li > a');
+    }
+
     render(ctx) {
         views.replaceContent(this._hostNode, template(ctx));
+
+        this._bindMobileNavigationEvents();
     }
 
     activate(key) {
@@ -19,6 +33,24 @@ class TopNavigationView {
                 'active', itemNode.getAttribute('data-name') === key);
         }
     }
+
+    _bindMobileNavigationEvents() {
+        this._mobileNavigationToggleNode.addEventListener(
+            'click', e => this._mobileNavigationToggleClick(e));
+
+        for (let navigationLinkNode of this._navigationLinkNodes) {
+            navigationLinkNode.addEventListener(
+                'click', e => this._navigationLinkClick(e));
+        }
+    }
+
+    _mobileNavigationToggleClick(e) {
+        this._navigationListNode.classList.toggle('opened');
+    }
+
+    _navigationLinkClick(e) {
+        this._navigationListNode.classList.remove('opened');
+    }
 }
 
 module.exports = TopNavigationView;
diff --git a/client/js/views/user_edit_view.js b/client/js/views/user_edit_view.js
index 28208ead..8a6f1a4a 100644
--- a/client/js/views/user_edit_view.js
+++ b/client/js/views/user_edit_view.js
@@ -1,7 +1,7 @@
 'use strict';
 
-const config = require('../config.js');
 const events = require('../events.js');
+const api = require('../api.js');
 const views = require('../util/views.js');
 const FileDropperControl = require('../controls/file_dropper_control.js');
 
@@ -11,8 +11,8 @@ class UserEditView extends events.EventTarget {
     constructor(ctx) {
         super();
 
-        ctx.userNamePattern = config.userNameRegex + /|^$/.source;
-        ctx.passwordPattern = config.passwordRegex + /|^$/.source;
+        ctx.userNamePattern = api.getUserNameRegex() + /|^$/.source;
+        ctx.passwordPattern = api.getPasswordRegex() + /|^$/.source;
 
         this._user = ctx.user;
         this._hostNode = ctx.hostNode;
diff --git a/client/js/views/user_tokens_view.js b/client/js/views/user_tokens_view.js
new file mode 100644
index 00000000..f6c84800
--- /dev/null
+++ b/client/js/views/user_tokens_view.js
@@ -0,0 +1,134 @@
+'use strict';
+
+const events = require('../events.js');
+const views = require('../util/views.js');
+
+const template = views.getTemplate('user-tokens');
+
+class UserTokenView extends events.EventTarget {
+    constructor(ctx) {
+        super();
+
+        this._user = ctx.user;
+        this._tokens = ctx.tokens;
+        this._hostNode = ctx.hostNode;
+        this._tokenFormNodes = [];
+        views.replaceContent(this._hostNode, template(ctx));
+        views.decorateValidator(this._formNode);
+
+        this._formNode.addEventListener('submit', e => this._evtSubmit(e));
+
+        this._decorateTokenForms();
+        this._decorateTokenNoteChangeLinks();
+    }
+
+    _decorateTokenForms() {
+        this._tokenFormNodes = [];
+        for (let i = 0; i < this._tokens.length; i++) {
+            let formNode = this._hostNode.querySelector(
+                '.token[data-token-id=\"' + i + '\"]');
+            formNode.addEventListener('submit', e => this._evtDelete(e));
+            this._tokenFormNodes.push(formNode);
+        }
+    }
+
+    _decorateTokenNoteChangeLinks() {
+        for (let i = 0; i < this._tokens.length; i++) {
+            let linkNode = this._hostNode.querySelector(
+                '.token-change-note[data-token-id=\"' + i + '\"]');
+            linkNode.addEventListener(
+                'click', e => this._evtChangeNoteClick(e));
+        }
+    }
+
+    clearMessages() {
+        views.clearMessages(this._hostNode);
+    }
+
+    showSuccess(message) {
+        views.showSuccess(this._hostNode, message);
+    }
+
+    showError(message) {
+        views.showError(this._hostNode, message);
+    }
+
+    enableForm() {
+        views.enableForm(this._formNode);
+        for (let formNode of this._tokenFormNodes) {
+            views.enableForm(formNode);
+        }
+    }
+
+    disableForm() {
+        views.disableForm(this._formNode);
+        for (let formNode of this._tokenFormNodes) {
+            views.disableForm(formNode);
+        }
+    }
+
+    _evtDelete(e) {
+        e.preventDefault();
+        const userToken = this._tokens[parseInt(
+            e.target.getAttribute('data-token-id'))];
+        this.dispatchEvent(new CustomEvent('delete', {
+            detail: {
+                user: this._user,
+                userToken: userToken,
+            },
+        }));
+    }
+
+    _evtSubmit(e) {
+        e.preventDefault();
+        this.dispatchEvent(new CustomEvent('submit', {
+            detail: {
+                user: this._user,
+
+                note: this._userTokenNoteInputNode ?
+                    this._userTokenNoteInputNode.value :
+                    undefined,
+
+                expirationTime:
+                    (this._userTokenExpirationTimeInputNode
+                        && this._userTokenExpirationTimeInputNode.value) ?
+                    new Date(this._userTokenExpirationTimeInputNode.value)
+                        .toISOString() :
+                    undefined,
+            },
+        }));
+    }
+
+    _evtChangeNoteClick(e) {
+        e.preventDefault();
+        const userToken = this._tokens[
+            parseInt(e.target.getAttribute('data-token-id'))];
+        const text = window.prompt(
+            'Please enter the new name:',
+            userToken.note !== null ? userToken.note : undefined);
+        if (!text) {
+            return;
+        }
+        this.dispatchEvent(new CustomEvent('update', {
+            detail: {
+                user: this._user,
+                userToken: userToken,
+                note: text ? text : undefined,
+            },
+        }));
+    }
+
+    get _formNode() {
+        return this._hostNode.querySelector('#create-token-form');
+    }
+
+    get _userTokenNoteInputNode() {
+        return this._formNode.querySelector('.note input');
+    }
+
+    get _userTokenExpirationTimeInputNode() {
+        return this._formNode.querySelector('.expirationTime input');
+    }
+}
+
+module.exports = UserTokenView;
diff --git a/client/js/views/user_view.js b/client/js/views/user_view.js
index 685e662c..75fd154d 100644
--- a/client/js/views/user_view.js
+++ b/client/js/views/user_view.js
@@ -3,6 +3,7 @@
 const events = require('../events.js');
 const views = require('../util/views.js');
 const UserDeleteView = require('./user_delete_view.js');
+const UserTokensView = require('./user_tokens_view.js');
 const UserSummaryView = require('./user_summary_view.js');
 const UserEditView = require('./user_edit_view.js');
 const EmptyView = require('../views/empty_view.js');
@@ -24,11 +25,14 @@ class UserView extends events.EventTarget {
     _install() {
         const ctx = this._ctx;
         views.replaceContent(this._hostNode, template(ctx));
+
         for (let item of this._hostNode.querySelectorAll('[data-name]')) {
+            item.classList.toggle(
+                'active', item.getAttribute('data-name') === ctx.section);
             if (item.getAttribute('data-name') === ctx.section) {
-                item.className = 'active';
-            } else {
-                item.className = '';
+                item.parentNode.scrollLeft =
+                    item.getBoundingClientRect().left -
+                    item.parentNode.getBoundingClientRect().left
             }
         }
 
@@ -42,7 +46,17 @@ class UserView extends events.EventTarget {
                 this._view = new UserEditView(ctx);
                 events.proxyEvent(this._view, this, 'submit');
             }
-
+        } else if (ctx.section == 'list-tokens') {
+            if (!this._ctx.canListTokens) {
+                this._view = new EmptyView();
+                this._view.showError(
+                    'You don\'t have privileges to view user tokens.');
+            } else {
+                this._view = new UserTokensView(ctx);
+                events.proxyEvent(this._view, this, 'delete', 'delete-token');
+                events.proxyEvent(this._view, this, 'submit', 'create-token');
+                events.proxyEvent(this._view, this, 'update', 'update-token');
+            }
         } else if (ctx.section == 'delete') {
             if (!this._ctx.canDelete) {
                 this._view = new EmptyView();
diff --git a/client/js/views/users_header_view.js b/client/js/views/users_header_view.js
index e4f1c149..08b7620c 100644
--- a/client/js/views/users_header_view.js
+++ b/client/js/views/users_header_view.js
@@ -1,7 +1,6 @@
 'use strict';
 
 const events = require('../events.js');
-const misc = require('../util/misc.js');
 const search = require('../util/search.js');
 const views = require('../util/views.js');
 
diff --git a/client/nginx.conf.docker b/client/nginx.conf.docker
new file mode 100644
index 00000000..6af40958
--- /dev/null
+++ b/client/nginx.conf.docker
@@ -0,0 +1,56 @@
+worker_processes 1;
+
+error_log /dev/stderr warn;
+pid /var/run/nginx.pid;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    log_format main '$remote_addr -> $request [$status] - '
+                    'referer: $http_referer $http_x_forwarded_for';
+    access_log /dev/stdout main;
+
+    sendfile on;
+    keepalive_timeout 65;
+    client_max_body_size 100M;
+
+    upstream backend {
+        server __BACKEND__:6666;
+    }
+
+    server {
+        listen 80 default_server;
+
+        location ~ ^/api$ {
+            return 302 /api/;
+        }
+
+        location ~ ^/api/(.*)$ {
+            if ($request_uri ~* "/api/(.*)") {
+                proxy_pass http://backend/$1;
+            }
+            gzip on;
+            gzip_comp_level 3;
+            gzip_min_length 20;
+            gzip_proxied expired no-cache no-store private auth;
+            gzip_types text/plain application/json;
+        }
+
+        location /data/ {
+            rewrite ^/data/(.*) /$1 break;
+            root /data;
+        }
+
+        location / {
+            root /var/www;
+            try_files $uri /index.htm;
+            gzip_static on;
+            gzip_proxied expired no-cache no-store private auth;
+        }
+    }
+}
diff --git a/client/package-lock.json b/client/package-lock.json
new file mode 100644
index 00000000..6d9dea88
--- /dev/null
+++ b/client/package-lock.json
@@ -0,0 +1,2558 @@
+{
+  "name": "szurubooru",
+  "requires": true,
+  "lockfileVersion": 1,
+  "dependencies": {
+    "JSONStream": {
+      "version": "1.3.3",
+      "resolved": "https://registry.npmjs.org/JSONStream/-/JSONStream-1.3.3.tgz",
+      "integrity": "sha512-3Sp6WZZ/lXl+nTDoGpGWHEpTnnC6X5fnkolYZR6nwIfzbxxvA8utPWe1gCt7i0m9uVGsSz2IS8K8mJ7HmlduMg==",
+      "dev": true,
+      "requires": {
+        "jsonparse": "^1.2.0",
+        "through": ">=2.2.7 <3"
+      }
+    },
+    "acorn": {
+      "version": "5.7.1",
+      "resolved": "https://registry.npmjs.org/acorn/-/acorn-5.7.1.tgz",
+      "integrity": "sha512-d+nbxBUGKg7Arpsvbnlq61mc12ek3EY8EQldM3GPAhWJ1UVxC6TDGbIvUMNU6obBX3i1+ptCIzV4vq0gFPEGVQ==",
+      "dev": true
+    },
+    "acorn-dynamic-import": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/acorn-dynamic-import/-/acorn-dynamic-import-3.0.0.tgz",
+      "integrity": "sha512-zVWV8Z8lislJoOKKqdNMOB+s6+XV5WERty8MnKBeFgwA+19XJjJHs2RP5dzM57FftIs+jQnRToLiWazKr6sSWg==",
+      "dev": true,
+      "requires": {
+        "acorn": "^5.0.0"
+      }
+    },
+    "acorn-node": {
+      "version": "1.5.2",
+      "resolved": "https://registry.npmjs.org/acorn-node/-/acorn-node-1.5.2.tgz",
+      "integrity": "sha512-krFKvw/d1F17AN3XZbybIUzEY4YEPNiGo05AfP3dBlfVKrMHETKpgjpuZkSF8qDNt9UkQcqj7am8yJLseklCMg==",
+      "dev": true,
+      "requires": {
+        "acorn": "^5.7.1",
+        "acorn-dynamic-import": "^3.0.0",
+        "xtend": "^4.0.1"
+      }
+    },
+    "amdefine": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/amdefine/-/amdefine-1.0.1.tgz",
+      "integrity": "sha1-SlKCrBZHKek2Gbz9OtFR+BfOkfU=",
+      "dev": true
+    },
+    "ansi-regex": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-2.1.1.tgz",
+      "integrity": "sha1-w7M6te42DYbg5ijwRorn7yfWVN8=",
+      "dev": true
+    },
+    "ansi-styles": {
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-2.2.1.tgz",
+      "integrity": "sha1-tDLdM1i2NM914eRmQ2gkBTPB3b4=",
+      "dev": true
+    },
+    "array-filter": {
+      "version": "0.0.1",
+      "resolved": "https://registry.npmjs.org/array-filter/-/array-filter-0.0.1.tgz",
+      "integrity": "sha1-fajPLiZijtcygDWB/SH2fKzS7uw=",
+      "dev": true
+    },
+    "array-map": {
+      "version": "0.0.0",
+      "resolved": "https://registry.npmjs.org/array-map/-/array-map-0.0.0.tgz",
+      "integrity": "sha1-iKK6tz0c97zVwbEYoAP2b2ZfpmI=",
+      "dev": true
+    },
+    "array-reduce": {
+      "version": "0.0.0",
+      "resolved": "https://registry.npmjs.org/array-reduce/-/array-reduce-0.0.0.tgz",
+      "integrity": "sha1-FziZ0//Rx9k4PkR5Ul2+J4yrXys=",
+      "dev": true
+    },
+    "asn1.js": {
+      "version": "4.10.1",
+      "resolved": "https://registry.npmjs.org/asn1.js/-/asn1.js-4.10.1.tgz",
+      "integrity": "sha512-p32cOF5q0Zqs9uBiONKYLm6BClCoBCM5O9JfeUSlnQLBTxYdTK+pW+nXflm8UkKd2UYlEbYz5qEi0JuZR9ckSw==",
+      "dev": true,
+      "requires": {
+        "bn.js": "^4.0.0",
+        "inherits": "^2.0.1",
+        "minimalistic-assert": "^1.0.0"
+      }
+    },
+    "assert": {
+      "version": "1.4.1",
+      "resolved": "https://registry.npmjs.org/assert/-/assert-1.4.1.tgz",
+      "integrity": "sha1-mZEtWRg2tab1s0XA8H7vwI/GXZE=",
+      "dev": true,
+      "requires": {
+        "util": "0.10.3"
+      },
+      "dependencies": {
+        "inherits": {
+          "version": "2.0.1",
+          "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.1.tgz",
+          "integrity": "sha1-sX0I0ya0Qj5Wjv9xn5GwscvfafE=",
+          "dev": true
+        },
+        "util": {
+          "version": "0.10.3",
+          "resolved": "https://registry.npmjs.org/util/-/util-0.10.3.tgz",
+          "integrity": "sha1-evsa/lCAUkZInj23/g7TeTNqwPk=",
+          "dev": true,
+          "requires": {
+            "inherits": "2.0.1"
+          }
+        }
+      }
+    },
+    "asynckit": {
+      "version": "0.4.0",
+      "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz",
+      "integrity": "sha1-x57Zf380y48robyXkLzDZkdLS3k="
+    },
+    "babel-code-frame": {
+      "version": "6.26.0",
+      "resolved": "https://registry.npmjs.org/babel-code-frame/-/babel-code-frame-6.26.0.tgz",
+      "integrity": "sha1-Y/1D99weO7fONZR9uP42mj9Yx0s=",
+      "dev": true,
+      "requires": {
+        "chalk": "^1.1.3",
+        "esutils": "^2.0.2",
+        "js-tokens": "^3.0.2"
+      }
+    },
+    "babel-core": {
+      "version": "6.26.3",
+      "resolved": "https://registry.npmjs.org/babel-core/-/babel-core-6.26.3.tgz",
+      "integrity": "sha512-6jyFLuDmeidKmUEb3NM+/yawG0M2bDZ9Z1qbZP59cyHLz8kYGKYwpJP0UwUKKUiTRNvxfLesJnTedqczP7cTDA==",
+      "dev": true,
+      "requires": {
+        "babel-code-frame": "^6.26.0",
+        "babel-generator": "^6.26.0",
+        "babel-helpers": "^6.24.1",
+        "babel-messages": "^6.23.0",
+        "babel-register": "^6.26.0",
+        "babel-runtime": "^6.26.0",
+        "babel-template": "^6.26.0",
+        "babel-traverse": "^6.26.0",
+        "babel-types": "^6.26.0",
+        "babylon": "^6.18.0",
+        "convert-source-map": "^1.5.1",
+        "debug": "^2.6.9",
+        "json5": "^0.5.1",
+        "lodash": "^4.17.4",
+        "minimatch": "^3.0.4",
+        "path-is-absolute": "^1.0.1",
+        "private": "^0.1.8",
+        "slash": "^1.0.0",
+        "source-map": "^0.5.7"
+      },
+      "dependencies": {
+        "debug": {
+          "version": "2.6.9",
+          "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
+          "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
+          "dev": true,
+          "requires": {
+            "ms": "2.0.0"
+          }
+        }
+      }
+    },
+    "babel-generator": {
+      "version": "6.26.1",
+      "resolved": "https://registry.npmjs.org/babel-generator/-/babel-generator-6.26.1.tgz",
+      "integrity": "sha512-HyfwY6ApZj7BYTcJURpM5tznulaBvyio7/0d4zFOeMPUmfxkCjHocCuoLa2SAGzBI8AREcH3eP3758F672DppA==",
+      "dev": true,
+      "requires": {
+        "babel-messages": "^6.23.0",
+        "babel-runtime": "^6.26.0",
+        "babel-types": "^6.26.0",
+        "detect-indent": "^4.0.0",
+        "jsesc": "^1.3.0",
+        "lodash": "^4.17.4",
+        "source-map": "^0.5.7",
+        "trim-right": "^1.0.1"
+      }
+    },
+    "babel-helper-builder-binary-assignment-operator-visitor": {
+      "version": "6.24.1",
+      "resolved": "https://registry.npmjs.org/babel-helper-builder-binary-assignment-operator-visitor/-/babel-helper-builder-binary-assignment-operator-visitor-6.24.1.tgz",
+      "integrity": "sha1-zORReto1b0IgvK6KAsKzRvmlZmQ=",
+      "dev": true,
+      "requires": {
+        "babel-helper-explode-assignable-expression": "^6.24.1",
+        "babel-runtime": "^6.22.0",
+        "babel-types": "^6.24.1"
+      }
+    },
+    "babel-helper-call-delegate": {
+      "version": "6.24.1",
+      "resolved": "https://registry.npmjs.org/babel-helper-call-delegate/-/babel-helper-call-delegate-6.24.1.tgz",
+      "integrity": "sha1-7Oaqzdx25Bw0YfiL/Fdb0Nqi340=",
+      "dev": true,
+      "requires": {
+        "babel-helper-hoist-variables": "^6.24.1",
+        "babel-runtime": "^6.22.0",
+        "babel-traverse": "^6.24.1",
+        "babel-types": "^6.24.1"
+      }
+    },
+    "babel-helper-define-map": {
+      "version": "6.26.0",
+      "resolved": "https://registry.npmjs.org/babel-helper-define-map/-/babel-helper-define-map-6.26.0.tgz",
+      "integrity": "sha1-pfVtq0GiX5fstJjH66ypgZ+Vvl8=",
+      "dev": true,
+      "requires": {
+        "babel-helper-function-name": "^6.24.1",
+        "babel-runtime": "^6.26.0",
+        "babel-types": "^6.26.0",
+        "lodash": "^4.17.4"
+      }
+    },
+    "babel-helper-explode-assignable-expression": {
+      "version": "6.24.1",
+      "resolved": "https://registry.npmjs.org/babel-helper-explode-assignable-expression/-/babel-helper-explode-assignable-expression-6.24.1.tgz",
+      "integrity": "sha1-8luCz33BBDPFX3BZLVdGQArCLKo=",
+      "dev": true,
+      "requires": {
+        "babel-runtime": "^6.22.0",
+        "babel-traverse": "^6.24.1",
+        "babel-types": "^6.24.1"
+      }
+    },
+    "babel-helper-function-name": {
+      "version": "6.24.1",
+      "resolved": "https://registry.npmjs.org/babel-helper-function-name/-/babel-helper-function-name-6.24.1.tgz",
+      "integrity": "sha1-00dbjAPtmCQqJbSDUasYOZ01gKk=",
+      "dev": true,
+      "requires": {
+        "babel-helper-get-function-arity": "^6.24.1",
+        "babel-runtime": "^6.22.0",
+        "babel-template": "^6.24.1",
+        "babel-traverse": "^6.24.1",
+        "babel-types": "^6.24.1"
+      }
+    },
+    "babel-helper-get-function-arity": {
+      "version": "6.24.1",
+      "resolved": "https://registry.npmjs.org/babel-helper-get-function-arity/-/babel-helper-get-function-arity-6.24.1.tgz",
+      "integrity": "sha1-j3eCqpNAfEHTqlCQj4mwMbG2hT0=",
+      "dev": true,
+      "requires": {
+        "babel-runtime": "^6.22.0",
+        "babel-types": "^6.24.1"
+      }
+    },
+    "babel-helper-hoist-variables": {
+      "version": "6.24.1",
+      "resolved": "https://registry.npmjs.org/babel-helper-hoist-variables/-/babel-helper-hoist-variables-6.24.1.tgz",
+      "integrity": "sha1-HssnaJydJVE+rbyZFKc/VAi+enY=",
+      "dev": true,
+      "requires": {
+        "babel-runtime": "^6.22.0",
+        "babel-types": "^6.24.1"
+      }
+    },
+    "babel-helper-optimise-call-expression": {
+      "version": "6.24.1",
+      "resolved": "https://registry.npmjs.org/babel-helper-optimise-call-expression/-/babel-helper-optimise-call-expression-6.24.1.tgz",
+      "integrity": "sha1-96E0J7qfc/j0+pk8VKl4gtEkQlc=",
+      "dev": true,
+      "requires": {
+        "babel-runtime": "^6.22.0",
+        "babel-types": "^6.24.1"
+      }
+    },
+    "babel-helper-regex": {
+      "version": "6.26.0",
+      "resolved": "https://registry.npmjs.org/babel-helper-regex/-/babel-helper-regex-6.26.0.tgz",
+      "integrity": "sha1-MlxZ+QL4LyS3T6zu0DY5VPZJXnI=",
+      "dev": true,
+      "requires": {
+        "babel-runtime": "^6.26.0",
+        "babel-types": "^6.26.0",
+        "lodash": "^4.17.4"
+      }
+    },
+    "babel-helper-remap-async-to-generator": {
+      "version": "6.24.1",
+      "resolved": "https://registry.npmjs.org/babel-helper-remap-async-to-generator/-/babel-helper-remap-async-to-generator-6.24.1.tgz",
+      "integrity": "sha1-XsWBgnrXI/7N04HxySg5BnbkVRs=",
+      "dev": true,
+      "requires": {
+        "babel-helper-function-name": "^6.24.1",
+        "babel-runtime": "^6.22.0",
+        "babel-template": "^6.24.1",
+        "babel-traverse": "^6.24.1",
+        "babel-types": "^6.24.1"
+      }
+    },
+    "babel-helper-replace-supers": {
+      "version": "6.24.1",
+      "resolved": "https://registry.npmjs.org/babel-helper-replace-supers/-/babel-helper-replace-supers-6.24.1.tgz",
+      "integrity": "sha1-v22/5Dk40XNpohPKiov3S2qQqxo=",
+      "dev": true,
+      "requires": {
+        "babel-helper-optimise-call-expression": "^6.24.1",
+        "babel-messages": "^6.23.0",
+        "babel-runtime": "^6.22.0",
+        "babel-template": "^6.24.1",
+        "babel-traverse": "^6.24.1",
+        "babel-types": "^6.24.1"
+      }
+    },
+    "babel-helpers": {
+      "version": "6.24.1",
+      "resolved": "https://registry.npmjs.org/babel-helpers/-/babel-helpers-6.24.1.tgz",
+      "integrity": "sha1-NHHenK7DiOXIUOWX5Yom3fN2ArI=",
+      "dev": true,
+      "requires": {
+        "babel-runtime": "^6.22.0",
+        "babel-template": "^6.24.1"
+      }
+    },
+    "babel-messages": {
+      "version": "6.23.0",
+      "resolved": "https://registry.npmjs.org/babel-messages/-/babel-messages-6.23.0.tgz",
+      "integrity": "sha1-8830cDhYA1sqKVHG7F7fbGLyYw4=",
+      "dev": true,
+      "requires": {
+        "babel-runtime": "^6.22.0"
+      }
+    },
+    "babel-plugin-check-es2015-constants": {
+      "version": "6.22.0",
+      "resolved": "https://registry.npmjs.org/babel-plugin-check-es2015-constants/-/babel-plugin-check-es2015-constants-6.22.0.tgz",
+      "integrity": "sha1-NRV7EBQm/S/9PaP3XH0ekYNbv4o=",
+      "dev": true,
+      "requires": {
+        "babel-runtime": "^6.22.0"
+      }
+    },
+    "babel-plugin-syntax-async-functions": {
+      "version": "6.13.0",
+      "resolved": "https://registry.npmjs.org/babel-plugin-syntax-async-functions/-/babel-plugin-syntax-async-functions-6.13.0.tgz",
+      "integrity": "sha1-ytnK0RkbWtY0vzCuCHI5HgZHvpU=",
+      "dev": true
+    },
+    "babel-plugin-syntax-exponentiation-operator": {
+      "version": "6.13.0",
+      "resolved": "https://registry.npmjs.org/babel-plugin-syntax-exponentiation-operator/-/babel-plugin-syntax-exponentiation-operator-6.13.0.tgz",
+      "integrity": "sha1-nufoM3KQ2pUoggGmpX9BcDF4MN4=",
+      "dev": true
+    },
+    "babel-plugin-syntax-trailing-function-commas": {
+      "version": "6.22.0",
+      "resolved": "https://registry.npmjs.org/babel-plugin-syntax-trailing-function-commas/-/babel-plugin-syntax-trailing-function-commas-6.22.0.tgz",
+      "integrity": "sha1-ugNgk3+NBuQBgKQ/4NVhb/9TLPM=",
+      "dev": true
+    },
+    "babel-plugin-transform-async-to-generator": {
+      "version": "6.24.1",
+      "resolved": "https://registry.npmjs.org/babel-plugin-transform-async-to-generator/-/babel-plugin-transform-async-to-generator-6.24.1.tgz",
+      "integrity": "sha1-ZTbjeK/2yx1VF6wOQOs+n8jQh2E=",
+      "dev": true,
+      "requires": {
+        "babel-helper-remap-async-to-generator": "^6.24.1",
+        "babel-plugin-syntax-async-functions": "^6.8.0",
+        "babel-runtime": "^6.22.0"
+      }
+    },
+    "babel-plugin-transform-es2015-arrow-functions": {
+      "version": "6.22.0",
+      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-arrow-functions/-/babel-plugin-transform-es2015-arrow-functions-6.22.0.tgz",
+      "integrity": "sha1-RSaSy3EdX3ncf4XkQM5BufJE0iE=",
+      "dev": true,
+      "requires": {
+        "babel-runtime": "^6.22.0"
+      }
+    },
+    "babel-plugin-transform-es2015-block-scoped-functions": {
+      "version": "6.22.0",
+      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-block-scoped-functions/-/babel-plugin-transform-es2015-block-scoped-functions-6.22.0.tgz",
+      "integrity": "sha1-u8UbSflk1wy42OC5ToICRs46YUE=",
+      "dev": true,
+      "requires": {
+        "babel-runtime": "^6.22.0"
+      }
+    },
+    "babel-plugin-transform-es2015-block-scoping": {
+      "version": "6.26.0",
+      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-block-scoping/-/babel-plugin-transform-es2015-block-scoping-6.26.0.tgz",
+      "integrity": "sha1-1w9SmcEwjQXBL0Y4E7CgnnOxiV8=",
+      "dev": true,
+      "requires": {
+        "babel-runtime": "^6.26.0",
+        "babel-template": "^6.26.0",
+        "babel-traverse": "^6.26.0",
+        "babel-types": "^6.26.0",
+        "lodash": "^4.17.4"
+      }
+    },
+    "babel-plugin-transform-es2015-classes": {
+      "version": "6.24.1",
+      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-classes/-/babel-plugin-transform-es2015-classes-6.24.1.tgz",
+      "integrity": "sha1-WkxYpQyclGHlZLSyo7+ryXolhNs=",
+      "dev": true,
+      "requires": {
+        "babel-helper-define-map": "^6.24.1",
+        "babel-helper-function-name": "^6.24.1",
+        "babel-helper-optimise-call-expression": "^6.24.1",
+        "babel-helper-replace-supers": "^6.24.1",
+        "babel-messages": "^6.23.0",
+        "babel-runtime": "^6.22.0",
+        "babel-template": "^6.24.1",
+        "babel-traverse": "^6.24.1",
+        "babel-types": "^6.24.1"
+      }
+    },
+    "babel-plugin-transform-es2015-computed-properties": {
+      "version": "6.24.1",
+      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-computed-properties/-/babel-plugin-transform-es2015-computed-properties-6.24.1.tgz",
+      "integrity": "sha1-b+Ko0WiV1WNPTNmZttNICjCBWbM=",
+      "dev": true,
+      "requires": {
+        "babel-runtime": "^6.22.0",
+        "babel-template": "^6.24.1"
+      }
+    },
+    "babel-plugin-transform-es2015-destructuring": {
+      "version": "6.23.0",
+      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-destructuring/-/babel-plugin-transform-es2015-destructuring-6.23.0.tgz",
+      "integrity": "sha1-mXux8auWf2gtKwh2/jWNYOdlxW0=",
+      "dev": true,
+      "requires": {
+        "babel-runtime": "^6.22.0"
+      }
+    },
+    "babel-plugin-transform-es2015-duplicate-keys": {
+      "version": "6.24.1",
+      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-duplicate-keys/-/babel-plugin-transform-es2015-duplicate-keys-6.24.1.tgz",
+      "integrity": "sha1-c+s9MQypaePvnskcU3QabxV2Qj4=",
+      "dev": true,
+      "requires": {
+        "babel-runtime": "^6.22.0",
+        "babel-types": "^6.24.1"
+      }
+    },
+    "babel-plugin-transform-es2015-for-of": {
+      "version": "6.23.0",
+      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-for-of/-/babel-plugin-transform-es2015-for-of-6.23.0.tgz",
+      "integrity": "sha1-9HyVsrYT3x0+zC/bdXNiPHUkhpE=",
+      "dev": true,
+      "requires": {
+        "babel-runtime": "^6.22.0"
+      }
+    },
+    "babel-plugin-transform-es2015-function-name": {
+      "version": "6.24.1",
+      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-function-name/-/babel-plugin-transform-es2015-function-name-6.24.1.tgz",
+      "integrity": "sha1-g0yJhTvDaxrw86TF26qU/Y6sqos=",
+      "dev": true,
+      "requires": {
+        "babel-helper-function-name": "^6.24.1",
+        "babel-runtime": "^6.22.0",
+        "babel-types": "^6.24.1"
+      }
+    },
+    "babel-plugin-transform-es2015-literals": {
+      "version": "6.22.0",
+      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-literals/-/babel-plugin-transform-es2015-literals-6.22.0.tgz",
+      "integrity": "sha1-T1SgLWzWbPkVKAAZox0xklN3yi4=",
+      "dev": true,
+      "requires": {
+        "babel-runtime": "^6.22.0"
+      }
+    },
+    "babel-plugin-transform-es2015-modules-amd": {
+      "version": "6.24.1",
+      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-modules-amd/-/babel-plugin-transform-es2015-modules-amd-6.24.1.tgz",
+      "integrity": "sha1-Oz5UAXI5hC1tGcMBHEvS8AoA0VQ=",
+      "dev": true,
+      "requires": {
+        "babel-plugin-transform-es2015-modules-commonjs": "^6.24.1",
+        "babel-runtime": "^6.22.0",
+        "babel-template": "^6.24.1"
+      }
+    },
+    "babel-plugin-transform-es2015-modules-commonjs": {
+      "version": "6.26.2",
+      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-modules-commonjs/-/babel-plugin-transform-es2015-modules-commonjs-6.26.2.tgz",
+      "integrity": "sha512-CV9ROOHEdrjcwhIaJNBGMBCodN+1cfkwtM1SbUHmvyy35KGT7fohbpOxkE2uLz1o6odKK2Ck/tz47z+VqQfi9Q==",
+      "dev": true,
+      "requires": {
+        "babel-plugin-transform-strict-mode": "^6.24.1",
+        "babel-runtime": "^6.26.0",
+        "babel-template": "^6.26.0",
+        "babel-types": "^6.26.0"
+      }
+    },
+    "babel-plugin-transform-es2015-modules-systemjs": {
+      "version": "6.24.1",
+      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-modules-systemjs/-/babel-plugin-transform-es2015-modules-systemjs-6.24.1.tgz",
+      "integrity": "sha1-/4mhQrkRmpBhlfXxBuzzBdlAfSM=",
+      "dev": true,
+      "requires": {
+        "babel-helper-hoist-variables": "^6.24.1",
+        "babel-runtime": "^6.22.0",
+        "babel-template": "^6.24.1"
+      }
+    },
+    "babel-plugin-transform-es2015-modules-umd": {
+      "version": "6.24.1",
+      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-modules-umd/-/babel-plugin-transform-es2015-modules-umd-6.24.1.tgz",
+      "integrity": "sha1-rJl+YoXNGO1hdq22B9YCNErThGg=",
+      "dev": true,
+      "requires": {
+        "babel-plugin-transform-es2015-modules-amd": "^6.24.1",
+        "babel-runtime": "^6.22.0",
+        "babel-template": "^6.24.1"
+      }
+    },
+    "babel-plugin-transform-es2015-object-super": {
+      "version": "6.24.1",
+      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-object-super/-/babel-plugin-transform-es2015-object-super-6.24.1.tgz",
+      "integrity": "sha1-JM72muIcuDp/hgPa0CH1cusnj40=",
+      "dev": true,
+      "requires": {
+        "babel-helper-replace-supers": "^6.24.1",
+        "babel-runtime": "^6.22.0"
+      }
+    },
+    "babel-plugin-transform-es2015-parameters": {
+      "version": "6.24.1",
+      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-parameters/-/babel-plugin-transform-es2015-parameters-6.24.1.tgz",
+      "integrity": "sha1-V6w1GrScrxSpfNE7CfZv3wpiXys=",
+      "dev": true,
+      "requires": {
+        "babel-helper-call-delegate": "^6.24.1",
+        "babel-helper-get-function-arity": "^6.24.1",
+        "babel-runtime": "^6.22.0",
+        "babel-template": "^6.24.1",
+        "babel-traverse": "^6.24.1",
+        "babel-types": "^6.24.1"
+      }
+    },
+    "babel-plugin-transform-es2015-shorthand-properties": {
+      "version": "6.24.1",
+      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-shorthand-properties/-/babel-plugin-transform-es2015-shorthand-properties-6.24.1.tgz",
+      "integrity": "sha1-JPh11nIch2YbvZmkYi5R8U3jiqA=",
+      "dev": true,
+      "requires": {
+        "babel-runtime": "^6.22.0",
+        "babel-types": "^6.24.1"
+      }
+    },
+    "babel-plugin-transform-es2015-spread": {
+      "version": "6.22.0",
+      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-spread/-/babel-plugin-transform-es2015-spread-6.22.0.tgz",
+      "integrity": "sha1-1taKmfia7cRTbIGlQujdnxdG+NE=",
+      "dev": true,
+      "requires": {
+        "babel-runtime": "^6.22.0"
+      }
+    },
+    "babel-plugin-transform-es2015-sticky-regex": {
+      "version": "6.24.1",
+      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-sticky-regex/-/babel-plugin-transform-es2015-sticky-regex-6.24.1.tgz",
+      "integrity": "sha1-AMHNsaynERLN8M9hJsLta0V8zbw=",
+      "dev": true,
+      "requires": {
+        "babel-helper-regex": "^6.24.1",
+        "babel-runtime": "^6.22.0",
+        "babel-types": "^6.24.1"
+      }
+    },
+    "babel-plugin-transform-es2015-template-literals": {
+      "version": "6.22.0",
+      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-template-literals/-/babel-plugin-transform-es2015-template-literals-6.22.0.tgz",
+      "integrity": "sha1-qEs0UPfp+PH2g51taH2oS7EjbY0=",
+      "dev": true,
+      "requires": {
+        "babel-runtime": "^6.22.0"
+      }
+    },
+    "babel-plugin-transform-es2015-typeof-symbol": {
+      "version": "6.23.0",
+      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-typeof-symbol/-/babel-plugin-transform-es2015-typeof-symbol-6.23.0.tgz",
+      "integrity": "sha1-3sCfHN3/lLUqxz1QXITfWdzOs3I=",
+      "dev": true,
+      "requires": {
+        "babel-runtime": "^6.22.0"
+      }
+    },
+    "babel-plugin-transform-es2015-unicode-regex": {
+      "version": "6.24.1",
+      "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-unicode-regex/-/babel-plugin-transform-es2015-unicode-regex-6.24.1.tgz",
+      "integrity": "sha1-04sS9C6nMj9yk4fxinxa4frrNek=",
+      "dev": true,
+      "requires": {
+        "babel-helper-regex": "^6.24.1",
+        "babel-runtime": "^6.22.0",
+        "regexpu-core": "^2.0.0"
+      }
+    },
+    "babel-plugin-transform-exponentiation-operator": {
+      "version": "6.24.1",
+      "resolved": "https://registry.npmjs.org/babel-plugin-transform-exponentiation-operator/-/babel-plugin-transform-exponentiation-operator-6.24.1.tgz",
+      "integrity": "sha1-KrDJx/MJj6SJB3cruBP+QejeOg4=",
+      "dev": true,
+      "requires": {
+        "babel-helper-builder-binary-assignment-operator-visitor": "^6.24.1",
+        "babel-plugin-syntax-exponentiation-operator": "^6.8.0",
+        "babel-runtime": "^6.22.0"
+      }
+    },
+    "babel-plugin-transform-regenerator": {
+      "version": "6.26.0",
+      "resolved": "https://registry.npmjs.org/babel-plugin-transform-regenerator/-/babel-plugin-transform-regenerator-6.26.0.tgz",
+      "integrity": "sha1-4HA2lvveJ/Cj78rPi03KL3s6jy8=",
+      "dev": true,
+      "requires": {
+        "regenerator-transform": "^0.10.0"
+      }
+    },
+    "babel-plugin-transform-strict-mode": {
+      "version": "6.24.1",
+      "resolved": "https://registry.npmjs.org/babel-plugin-transform-strict-mode/-/babel-plugin-transform-strict-mode-6.24.1.tgz",
+      "integrity": "sha1-1fr3qleKZbvlkc9e2uBKDGcCB1g=",
+      "dev": true,
+      "requires": {
+        "babel-runtime": "^6.22.0",
+        "babel-types": "^6.24.1"
+      }
+    },
+    "babel-polyfill": {
+      "version": "6.26.0",
+      "resolved": "https://registry.npmjs.org/babel-polyfill/-/babel-polyfill-6.26.0.tgz",
+      "integrity": "sha1-N5k3q8Z9eJWXCtxiHyhM2WbPIVM=",
+      "dev": true,
+      "requires": {
+        "babel-runtime": "^6.26.0",
+        "core-js": "^2.5.0",
+        "regenerator-runtime": "^0.10.5"
+      },
+      "dependencies": {
+        "regenerator-runtime": {
+          "version": "0.10.5",
+          "resolved": "https://registry.npmjs.org/regenerator-runtime/-/regenerator-runtime-0.10.5.tgz",
+          "integrity": "sha1-M2w+/BIgrc7dosn6tntaeVWjNlg=",
+          "dev": true
+        }
+      }
+    },
+    "babel-preset-env": {
+      "version": "1.7.0",
+      "resolved": "https://registry.npmjs.org/babel-preset-env/-/babel-preset-env-1.7.0.tgz",
+      "integrity": "sha512-9OR2afuKDneX2/q2EurSftUYM0xGu4O2D9adAhVfADDhrYDaxXV0rBbevVYoY9n6nyX1PmQW/0jtpJvUNr9CHg==",
+      "dev": true,
+      "requires": {
+        "babel-plugin-check-es2015-constants": "^6.22.0",
+        "babel-plugin-syntax-trailing-function-commas": "^6.22.0",
+        "babel-plugin-transform-async-to-generator": "^6.22.0",
+        "babel-plugin-transform-es2015-arrow-functions": "^6.22.0",
+        "babel-plugin-transform-es2015-block-scoped-functions": "^6.22.0",
+        "babel-plugin-transform-es2015-block-scoping": "^6.23.0",
+        "babel-plugin-transform-es2015-classes": "^6.23.0",
+        "babel-plugin-transform-es2015-computed-properties": "^6.22.0",
+        "babel-plugin-transform-es2015-destructuring": "^6.23.0",
+        "babel-plugin-transform-es2015-duplicate-keys": "^6.22.0",
+        "babel-plugin-transform-es2015-for-of": "^6.23.0",
+        "babel-plugin-transform-es2015-function-name": "^6.22.0",
+        "babel-plugin-transform-es2015-literals": "^6.22.0",
+        "babel-plugin-transform-es2015-modules-amd": "^6.22.0",
+        "babel-plugin-transform-es2015-modules-commonjs": "^6.23.0",
+        "babel-plugin-transform-es2015-modules-systemjs": "^6.23.0",
+        "babel-plugin-transform-es2015-modules-umd": "^6.23.0",
+        "babel-plugin-transform-es2015-object-super": "^6.22.0",
+        "babel-plugin-transform-es2015-parameters": "^6.23.0",
+        "babel-plugin-transform-es2015-shorthand-properties": "^6.22.0",
+        "babel-plugin-transform-es2015-spread": "^6.22.0",
+        "babel-plugin-transform-es2015-sticky-regex": "^6.22.0",
+        "babel-plugin-transform-es2015-template-literals": "^6.22.0",
+        "babel-plugin-transform-es2015-typeof-symbol": "^6.23.0",
+        "babel-plugin-transform-es2015-unicode-regex": "^6.22.0",
+        "babel-plugin-transform-exponentiation-operator": "^6.22.0",
+        "babel-plugin-transform-regenerator": "^6.22.0",
+        "browserslist": "^3.2.6",
+        "invariant": "^2.2.2",
+        "semver": "^5.3.0"
+      }
+    },
+    "babel-register": {
+      "version": "6.26.0",
+      "resolved": "https://registry.npmjs.org/babel-register/-/babel-register-6.26.0.tgz",
+      "integrity": "sha1-btAhFz4vy0htestFxgCahW9kcHE=",
+      "dev": true,
+      "requires": {
+        "babel-core": "^6.26.0",
+        "babel-runtime": "^6.26.0",
+        "core-js": "^2.5.0",
+        "home-or-tmp": "^2.0.0",
+        "lodash": "^4.17.4",
+        "mkdirp": "^0.5.1",
+        "source-map-support": "^0.4.15"
+      }
+    },
+    "babel-runtime": {
+      "version": "6.26.0",
+      "resolved": "https://registry.npmjs.org/babel-runtime/-/babel-runtime-6.26.0.tgz",
+      "integrity": "sha1-llxwWGaOgrVde/4E/yM3vItWR/4=",
+      "dev": true,
+      "requires": {
+        "core-js": "^2.4.0",
+        "regenerator-runtime": "^0.11.0"
+      }
+    },
+    "babel-template": {
+      "version": "6.26.0",
+      "resolved": "https://registry.npmjs.org/babel-template/-/babel-template-6.26.0.tgz",
+      "integrity": "sha1-3gPi0WOWsGn0bdn/+FIfsaDjXgI=",
+      "dev": true,
+      "requires": {
+        "babel-runtime": "^6.26.0",
+        "babel-traverse": "^6.26.0",
+        "babel-types": "^6.26.0",
+        "babylon": "^6.18.0",
+        "lodash": "^4.17.4"
+      }
+    },
+    "babel-traverse": {
+      "version": "6.26.0",
+      "resolved": "https://registry.npmjs.org/babel-traverse/-/babel-traverse-6.26.0.tgz",
+      "integrity": "sha1-RqnL1+3MYsjlwGTi0tjQ9ANXZu4=",
+      "dev": true,
+      "requires": {
+        "babel-code-frame": "^6.26.0",
+        "babel-messages": "^6.23.0",
+        "babel-runtime": "^6.26.0",
+        "babel-types": "^6.26.0",
+        "babylon": "^6.18.0",
+        "debug": "^2.6.8",
+        "globals": "^9.18.0",
+        "invariant": "^2.2.2",
+        "lodash": "^4.17.4"
+      },
+      "dependencies": {
+        "debug": {
+          "version": "2.6.9",
+          "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
+          "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
+          "dev": true,
+          "requires": {
+            "ms": "2.0.0"
+          }
+        }
+      }
+    },
+    "babel-types": {
+      "version": "6.26.0",
+      "resolved": "https://registry.npmjs.org/babel-types/-/babel-types-6.26.0.tgz",
+      "integrity": "sha1-o7Bz+Uq0nrb6Vc1lInozQ4BjJJc=",
+      "dev": true,
+      "requires": {
+        "babel-runtime": "^6.26.0",
+        "esutils": "^2.0.2",
+        "lodash": "^4.17.4",
+        "to-fast-properties": "^1.0.3"
+      }
+    },
+    "babelify": {
+      "version": "8.0.0",
+      "resolved": "https://registry.npmjs.org/babelify/-/babelify-8.0.0.tgz",
+      "integrity": "sha512-xVr63fKEvMWUrrIbqlHYsMcc5Zdw4FSVesAHgkgajyCE1W8gbm9rbMakqavhxKvikGYMhEcqxTwB/gQmQ6lBtw==",
+      "dev": true
+    },
+    "babylon": {
+      "version": "6.18.0",
+      "resolved": "https://registry.npmjs.org/babylon/-/babylon-6.18.0.tgz",
+      "integrity": "sha512-q/UEjfGJ2Cm3oKV71DJz9d25TPnq5rhBVL2Q4fA5wcC3jcrdn7+SssEybFIxwAvvP+YCsCYNKughoF33GxgycQ==",
+      "dev": true
+    },
+    "balanced-match": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.0.tgz",
+      "integrity": "sha1-ibTRmasr7kneFk6gK4nORi1xt2c=",
+      "dev": true
+    },
+    "base64-js": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/base64-js/-/base64-js-1.3.0.tgz",
+      "integrity": "sha512-ccav/yGvoa80BQDljCxsmmQ3Xvx60/UpBIij5QN21W3wBi/hhIC9OoO+KLpu9IJTS9j4DRVJ3aDDF9cMSoa2lw==",
+      "dev": true
+    },
+    "bn.js": {
+      "version": "4.11.8",
+      "resolved": "https://registry.npmjs.org/bn.js/-/bn.js-4.11.8.tgz",
+      "integrity": "sha512-ItfYfPLkWHUjckQCk8xC+LwxgK8NYcXywGigJgSwOP8Y2iyWT4f2vsZnoOXTTbo+o5yXmIUJ4gn5538SO5S3gA==",
+      "dev": true
+    },
+    "brace-expansion": {
+      "version": "1.1.11",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz",
+      "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==",
+      "dev": true,
+      "requires": {
+        "balanced-match": "^1.0.0",
+        "concat-map": "0.0.1"
+      }
+    },
+    "brorand": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/brorand/-/brorand-1.1.0.tgz",
+      "integrity": "sha1-EsJe/kCkXjwyPrhnWgoM5XsiNx8=",
+      "dev": true
+    },
+    "browser-pack": {
+      "version": "6.1.0",
+      "resolved": "https://registry.npmjs.org/browser-pack/-/browser-pack-6.1.0.tgz",
+      "integrity": "sha512-erYug8XoqzU3IfcU8fUgyHqyOXqIE4tUTTQ+7mqUjQlvnXkOO6OlT9c/ZoJVHYoAaqGxr09CN53G7XIsO4KtWA==",
+      "dev": true,
+      "requires": {
+        "JSONStream": "^1.0.3",
+        "combine-source-map": "~0.8.0",
+        "defined": "^1.0.0",
+        "safe-buffer": "^5.1.1",
+        "through2": "^2.0.0",
+        "umd": "^3.0.0"
+      }
+    },
+    "browser-resolve": {
+      "version": "1.11.3",
+      "resolved": "https://registry.npmjs.org/browser-resolve/-/browser-resolve-1.11.3.tgz",
+      "integrity": "sha512-exDi1BYWB/6raKHmDTCicQfTkqwN5fioMFV4j8BsfMU4R2DK/QfZfK7kOVkmWCNANf0snkBzqGqAJBao9gZMdQ==",
+      "dev": true,
+      "requires": {
+        "resolve": "1.1.7"
+      },
+      "dependencies": {
+        "resolve": {
+          "version": "1.1.7",
+          "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.1.7.tgz",
+          "integrity": "sha1-IDEU2CrSxe2ejgQRs5ModeiJ6Xs=",
+          "dev": true
+        }
+      }
+    },
+    "browserify": {
+      "version": "16.2.2",
+      "resolved": "https://registry.npmjs.org/browserify/-/browserify-16.2.2.tgz",
+      "integrity": "sha512-fMES05wq1Oukts6ksGUU2TMVHHp06LyQt0SIwbXIHm7waSrQmNBZePsU0iM/4f94zbvb/wHma+D1YrdzWYnF/A==",
+      "dev": true,
+      "requires": {
+        "JSONStream": "^1.0.3",
+        "assert": "^1.4.0",
+        "browser-pack": "^6.0.1",
+        "browser-resolve": "^1.11.0",
+        "browserify-zlib": "~0.2.0",
+        "buffer": "^5.0.2",
+        "cached-path-relative": "^1.0.0",
+        "concat-stream": "^1.6.0",
+        "console-browserify": "^1.1.0",
+        "constants-browserify": "~1.0.0",
+        "crypto-browserify": "^3.0.0",
+        "defined": "^1.0.0",
+        "deps-sort": "^2.0.0",
+        "domain-browser": "^1.2.0",
+        "duplexer2": "~0.1.2",
+        "events": "^2.0.0",
+        "glob": "^7.1.0",
+        "has": "^1.0.0",
+        "htmlescape": "^1.1.0",
+        "https-browserify": "^1.0.0",
+        "inherits": "~2.0.1",
+        "insert-module-globals": "^7.0.0",
+        "labeled-stream-splicer": "^2.0.0",
+        "mkdirp": "^0.5.0",
+        "module-deps": "^6.0.0",
+        "os-browserify": "~0.3.0",
+        "parents": "^1.0.1",
+        "path-browserify": "~0.0.0",
+        "process": "~0.11.0",
+        "punycode": "^1.3.2",
+        "querystring-es3": "~0.2.0",
+        "read-only-stream": "^2.0.0",
+        "readable-stream": "^2.0.2",
+        "resolve": "^1.1.4",
+        "shasum": "^1.0.0",
+        "shell-quote": "^1.6.1",
+        "stream-browserify": "^2.0.0",
+        "stream-http": "^2.0.0",
+        "string_decoder": "^1.1.1",
+        "subarg": "^1.0.0",
+        "syntax-error": "^1.1.1",
+        "through2": "^2.0.0",
+        "timers-browserify": "^1.0.1",
+        "tty-browserify": "0.0.1",
+        "url": "~0.11.0",
+        "util": "~0.10.1",
+        "vm-browserify": "^1.0.0",
+        "xtend": "^4.0.0"
+      }
+    },
+    "browserify-aes": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/browserify-aes/-/browserify-aes-1.2.0.tgz",
+      "integrity": "sha512-+7CHXqGuspUn/Sl5aO7Ea0xWGAtETPXNSAjHo48JfLdPWcMng33Xe4znFvQweqc/uzk5zSOI3H52CYnjCfb5hA==",
+      "dev": true,
+      "requires": {
+        "buffer-xor": "^1.0.3",
+        "cipher-base": "^1.0.0",
+        "create-hash": "^1.1.0",
+        "evp_bytestokey": "^1.0.3",
+        "inherits": "^2.0.1",
+        "safe-buffer": "^5.0.1"
+      }
+    },
+    "browserify-cipher": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/browserify-cipher/-/browserify-cipher-1.0.1.tgz",
+      "integrity": "sha512-sPhkz0ARKbf4rRQt2hTpAHqn47X3llLkUGn+xEJzLjwY8LRs2p0v7ljvI5EyoRO/mexrNunNECisZs+gw2zz1w==",
+      "dev": true,
+      "requires": {
+        "browserify-aes": "^1.0.4",
+        "browserify-des": "^1.0.0",
+        "evp_bytestokey": "^1.0.0"
+      }
+    },
+    "browserify-des": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/browserify-des/-/browserify-des-1.0.1.tgz",
+      "integrity": "sha512-zy0Cobe3hhgpiOM32Tj7KQ3Vl91m0njwsjzZQK1L+JDf11dzP9qIvjreVinsvXrgfjhStXwUWAEpB9D7Gwmayw==",
+      "dev": true,
+      "requires": {
+        "cipher-base": "^1.0.1",
+        "des.js": "^1.0.0",
+        "inherits": "^2.0.1"
+      }
+    },
+    "browserify-rsa": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/browserify-rsa/-/browserify-rsa-4.0.1.tgz",
+      "integrity": "sha1-IeCr+vbyApzy+vsTNWenAdQTVSQ=",
+      "dev": true,
+      "requires": {
+        "bn.js": "^4.1.0",
+        "randombytes": "^2.0.1"
+      }
+    },
+    "browserify-sign": {
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/browserify-sign/-/browserify-sign-4.0.4.tgz",
+      "integrity": "sha1-qk62jl17ZYuqa/alfmMMvXqT0pg=",
+      "dev": true,
+      "requires": {
+        "bn.js": "^4.1.1",
+        "browserify-rsa": "^4.0.0",
+        "create-hash": "^1.1.0",
+        "create-hmac": "^1.1.2",
+        "elliptic": "^6.0.0",
+        "inherits": "^2.0.1",
+        "parse-asn1": "^5.0.0"
+      }
+    },
+    "browserify-zlib": {
+      "version": "0.2.0",
+      "resolved": "https://registry.npmjs.org/browserify-zlib/-/browserify-zlib-0.2.0.tgz",
+      "integrity": "sha512-Z942RysHXmJrhqk88FmKBVq/v5tqmSkDz7p54G/MGyjMnCFFnC79XWNbg+Vta8W6Wb2qtSZTSxIGkJrRpCFEiA==",
+      "dev": true,
+      "requires": {
+        "pako": "~1.0.5"
+      }
+    },
+    "browserslist": {
+      "version": "3.2.8",
+      "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-3.2.8.tgz",
+      "integrity": "sha512-WHVocJYavUwVgVViC0ORikPHQquXwVh939TaelZ4WDqpWgTX/FsGhl/+P4qBUAGcRvtOgDgC+xftNWWp2RUTAQ==",
+      "dev": true,
+      "requires": {
+        "caniuse-lite": "^1.0.30000844",
+        "electron-to-chromium": "^1.3.47"
+      }
+    },
+    "buffer": {
+      "version": "5.1.0",
+      "resolved": "https://registry.npmjs.org/buffer/-/buffer-5.1.0.tgz",
+      "integrity": "sha512-YkIRgwsZwJWTnyQrsBTWefizHh+8GYj3kbL1BTiAQ/9pwpino0G7B2gp5tx/FUBqUlvtxV85KNR3mwfAtv15Yw==",
+      "dev": true,
+      "requires": {
+        "base64-js": "^1.0.2",
+        "ieee754": "^1.1.4"
+      }
+    },
+    "buffer-from": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/buffer-from/-/buffer-from-1.1.0.tgz",
+      "integrity": "sha512-c5mRlguI/Pe2dSZmpER62rSCu0ryKmWddzRYsuXc50U2/g8jMOulc31VZMa4mYx31U5xsmSOpDCgH88Vl9cDGQ==",
+      "dev": true
+    },
+    "buffer-xor": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/buffer-xor/-/buffer-xor-1.0.3.tgz",
+      "integrity": "sha1-JuYe0UIvtw3ULm42cp7VHYVf6Nk=",
+      "dev": true
+    },
+    "builtin-status-codes": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/builtin-status-codes/-/builtin-status-codes-3.0.0.tgz",
+      "integrity": "sha1-hZgoeOIbmOHGZCXgPQF0eI9Wnug=",
+      "dev": true
+    },
+    "cached-path-relative": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/cached-path-relative/-/cached-path-relative-1.0.1.tgz",
+      "integrity": "sha1-0JxLUoAKpMB44t2BqGmqyQ0uVOc=",
+      "dev": true
+    },
+    "camel-case": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/camel-case/-/camel-case-3.0.0.tgz",
+      "integrity": "sha1-yjw2iKTpzzpM2nd9xNy8cTJJz3M=",
+      "dev": true,
+      "requires": {
+        "no-case": "^2.2.0",
+        "upper-case": "^1.1.1"
+      }
+    },
+    "caniuse-lite": {
+      "version": "1.0.30000864",
+      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30000864.tgz",
+      "integrity": "sha512-8fuGh8n3MIQ7oBkO/ck7J4LXhV5Sz5aLyFmfpChWpK+rJhqYrOsGDdbBVDdyKIRBWamZpy6iM4OmLCFVudOOhg==",
+      "dev": true
+    },
+    "chalk": {
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/chalk/-/chalk-1.1.3.tgz",
+      "integrity": "sha1-qBFcVeSnAv5NFQq9OHKCKn4J/Jg=",
+      "dev": true,
+      "requires": {
+        "ansi-styles": "^2.2.1",
+        "escape-string-regexp": "^1.0.2",
+        "has-ansi": "^2.0.0",
+        "strip-ansi": "^3.0.0",
+        "supports-color": "^2.0.0"
+      }
+    },
+    "cipher-base": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/cipher-base/-/cipher-base-1.0.4.tgz",
+      "integrity": "sha512-Kkht5ye6ZGmwv40uUDZztayT2ThLQGfnj/T71N/XzeZeo3nf8foyW7zGTsPYkEya3m5f3cAypH+qe7YOrM1U2Q==",
+      "dev": true,
+      "requires": {
+        "inherits": "^2.0.1",
+        "safe-buffer": "^5.0.1"
+      }
+    },
+    "clean-css": {
+      "version": "4.1.11",
+      "resolved": "https://registry.npmjs.org/clean-css/-/clean-css-4.1.11.tgz",
+      "integrity": "sha1-Ls3xRaujj1R0DybO/Q/z4D4SXWo=",
+      "dev": true,
+      "requires": {
+        "source-map": "0.5.x"
+      }
+    },
+    "combine-source-map": {
+      "version": "0.8.0",
+      "resolved": "https://registry.npmjs.org/combine-source-map/-/combine-source-map-0.8.0.tgz",
+      "integrity": "sha1-pY0N8ELBhvz4IqjoAV9UUNLXmos=",
+      "dev": true,
+      "requires": {
+        "convert-source-map": "~1.1.0",
+        "inline-source-map": "~0.6.0",
+        "lodash.memoize": "~3.0.3",
+        "source-map": "~0.5.3"
+      },
+      "dependencies": {
+        "convert-source-map": {
+          "version": "1.1.3",
+          "resolved": "https://registry.npmjs.org/convert-source-map/-/convert-source-map-1.1.3.tgz",
+          "integrity": "sha1-SCnId+n+SbMWHzvzZziI4gRpmGA=",
+          "dev": true
+        }
+      }
+    },
+    "combined-stream": {
+      "version": "1.0.6",
+      "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.6.tgz",
+      "integrity": "sha1-cj599ugBrFYTETp+RFqbactjKBg=",
+      "requires": {
+        "delayed-stream": "~1.0.0"
+      }
+    },
+    "commander": {
+      "version": "2.16.0",
+      "resolved": "https://registry.npmjs.org/commander/-/commander-2.16.0.tgz",
+      "integrity": "sha512-sVXqklSaotK9at437sFlFpyOcJonxe0yST/AG9DkQKUdIE6IqGIMv4SfAQSKaJbSdVEJYItASCrBiVQHq1HQew==",
+      "dev": true
+    },
+    "component-emitter": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/component-emitter/-/component-emitter-1.2.1.tgz",
+      "integrity": "sha1-E3kY1teCg/ffemt8WmPhQOaUJeY="
+    },
+    "concat-map": {
+      "version": "0.0.1",
+      "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz",
+      "integrity": "sha1-2Klr13/Wjfd5OnMDajug1UBdR3s=",
+      "dev": true
+    },
+    "concat-stream": {
+      "version": "1.6.2",
+      "resolved": "https://registry.npmjs.org/concat-stream/-/concat-stream-1.6.2.tgz",
+      "integrity": "sha512-27HBghJxjiZtIk3Ycvn/4kbJk/1uZuJFfuPEns6LaEvpvG1f0hTea8lilrouyo9mVc2GWdcEZ8OLoGmSADlrCw==",
+      "dev": true,
+      "requires": {
+        "buffer-from": "^1.0.0",
+        "inherits": "^2.0.3",
+        "readable-stream": "^2.2.2",
+        "typedarray": "^0.0.6"
+      }
+    },
+    "console-browserify": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/console-browserify/-/console-browserify-1.1.0.tgz",
+      "integrity": "sha1-8CQcRXMKn8YyOyBtvzjtx0HQuxA=",
+      "dev": true,
+      "requires": {
+        "date-now": "^0.1.4"
+      }
+    },
+    "constants-browserify": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/constants-browserify/-/constants-browserify-1.0.0.tgz",
+      "integrity": "sha1-wguW2MYXdIqvHBYCF2DNJ/y4y3U=",
+      "dev": true
+    },
+    "convert-source-map": {
+      "version": "1.5.1",
+      "resolved": "https://registry.npmjs.org/convert-source-map/-/convert-source-map-1.5.1.tgz",
+      "integrity": "sha1-uCeAl7m8IpNl3lxiz1/K7YtVmeU=",
+      "dev": true
+    },
+    "cookiejar": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/cookiejar/-/cookiejar-2.1.2.tgz",
+      "integrity": "sha512-Mw+adcfzPxcPeI+0WlvRrr/3lGVO0bD75SxX6811cxSh1Wbxx7xZBGK1eVtDf6si8rg2lhnUjsVLMFMfbRIuwA=="
+    },
+    "core-js": {
+      "version": "2.5.7",
+      "resolved": "https://registry.npmjs.org/core-js/-/core-js-2.5.7.tgz",
+      "integrity": "sha512-RszJCAxg/PP6uzXVXL6BsxSXx/B05oJAQ2vkJRjyjrEcNVycaqOmNb5OTxZPE3xa5gwZduqza6L9JOCenh/Ecw==",
+      "dev": true
+    },
+    "core-util-is": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz",
+      "integrity": "sha1-tf1UIgqivFq1eqtxQMlAdUUDwac="
+    },
+    "create-ecdh": {
+      "version": "4.0.3",
+      "resolved": "https://registry.npmjs.org/create-ecdh/-/create-ecdh-4.0.3.tgz",
+      "integrity": "sha512-GbEHQPMOswGpKXM9kCWVrremUcBmjteUaQ01T9rkKCPDXfUHX0IoP9LpHYo2NPFampa4e+/pFDc3jQdxrxQLaw==",
+      "dev": true,
+      "requires": {
+        "bn.js": "^4.1.0",
+        "elliptic": "^6.0.0"
+      }
+    },
+    "create-hash": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/create-hash/-/create-hash-1.2.0.tgz",
+      "integrity": "sha512-z00bCGNHDG8mHAkP7CtT1qVu+bFQUPjYq/4Iv3C3kWjTFV10zIjfSoeqXo9Asws8gwSHDGj/hl2u4OGIjapeCg==",
+      "dev": true,
+      "requires": {
+        "cipher-base": "^1.0.1",
+        "inherits": "^2.0.1",
+        "md5.js": "^1.3.4",
+        "ripemd160": "^2.0.1",
+        "sha.js": "^2.4.0"
+      }
+    },
+    "create-hmac": {
+      "version": "1.1.7",
+      "resolved": "https://registry.npmjs.org/create-hmac/-/create-hmac-1.1.7.tgz",
+      "integrity": "sha512-MJG9liiZ+ogc4TzUwuvbER1JRdgvUFSB5+VR/g5h82fGaIRWMWddtKBHi7/sVhfjQZ6SehlyhvQYrcYkaUIpLg==",
+      "dev": true,
+      "requires": {
+        "cipher-base": "^1.0.3",
+        "create-hash": "^1.1.0",
+        "inherits": "^2.0.1",
+        "ripemd160": "^2.0.0",
+        "safe-buffer": "^5.0.1",
+        "sha.js": "^2.4.8"
+      }
+    },
+    "crypto-browserify": {
+      "version": "3.12.0",
+      "resolved": "https://registry.npmjs.org/crypto-browserify/-/crypto-browserify-3.12.0.tgz",
+      "integrity": "sha512-fz4spIh+znjO2VjL+IdhEpRJ3YN6sMzITSBijk6FK2UvTqruSQW+/cCZTSNsMiZNvUeq0CqurF+dAbyiGOY6Wg==",
+      "dev": true,
+      "requires": {
+        "browserify-cipher": "^1.0.0",
+        "browserify-sign": "^4.0.0",
+        "create-ecdh": "^4.0.0",
+        "create-hash": "^1.1.0",
+        "create-hmac": "^1.1.0",
+        "diffie-hellman": "^5.0.0",
+        "inherits": "^2.0.1",
+        "pbkdf2": "^3.0.3",
+        "public-encrypt": "^4.0.0",
+        "randombytes": "^2.0.0",
+        "randomfill": "^1.0.3"
+      }
+    },
+    "css-parse": {
+      "version": "1.7.0",
+      "resolved": "https://registry.npmjs.org/css-parse/-/css-parse-1.7.0.tgz",
+      "integrity": "sha1-Mh9s9zeCpv91ERE5D8BeLGV9jJs=",
+      "dev": true
+    },
+    "css-tree": {
+      "version": "1.0.0-alpha.29",
+      "resolved": "https://registry.npmjs.org/css-tree/-/css-tree-1.0.0-alpha.29.tgz",
+      "integrity": "sha512-sRNb1XydwkW9IOci6iB2xmy8IGCj6r/fr+JWitvJ2JxQRPzN3T4AGGVWCMlVmVwM1gtgALJRmGIlWv5ppnGGkg==",
+      "dev": true,
+      "requires": {
+        "mdn-data": "~1.1.0",
+        "source-map": "^0.5.3"
+      }
+    },
+    "csso": {
+      "version": "3.5.1",
+      "resolved": "https://registry.npmjs.org/csso/-/csso-3.5.1.tgz",
+      "integrity": "sha512-vrqULLffYU1Q2tLdJvaCYbONStnfkfimRxXNaGjxMldI0C7JPBC4rB1RyjhfdZ4m1frm8pM9uRPKH3d2knZ8gg==",
+      "dev": true,
+      "requires": {
+        "css-tree": "1.0.0-alpha.29"
+      }
+    },
+    "date-now": {
+      "version": "0.1.4",
+      "resolved": "https://registry.npmjs.org/date-now/-/date-now-0.1.4.tgz",
+      "integrity": "sha1-6vQ5/U1ISK105cx9vvIAZyueNFs=",
+      "dev": true
+    },
+    "debug": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-3.1.0.tgz",
+      "integrity": "sha512-OX8XqP7/1a9cqkxYw2yXss15f26NKWBpDXQd0/uK/KPqdQhxbPa994hnzjcE2VqQpDslf55723cKPUOGSmMY3g==",
+      "requires": {
+        "ms": "2.0.0"
+      }
+    },
+    "defined": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/defined/-/defined-1.0.0.tgz",
+      "integrity": "sha1-yY2bzvdWdBiOEQlpFRGZ45sfppM=",
+      "dev": true
+    },
+    "delayed-stream": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz",
+      "integrity": "sha1-3zrhmayt+31ECqrgsp4icrJOxhk="
+    },
+    "deps-sort": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/deps-sort/-/deps-sort-2.0.0.tgz",
+      "integrity": "sha1-CRckkC6EZYJg65EHSMzNGvbiH7U=",
+      "dev": true,
+      "requires": {
+        "JSONStream": "^1.0.3",
+        "shasum": "^1.0.0",
+        "subarg": "^1.0.0",
+        "through2": "^2.0.0"
+      }
+    },
+    "des.js": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/des.js/-/des.js-1.0.0.tgz",
+      "integrity": "sha1-wHTS4qpqipoH29YfmhXCzYPsjsw=",
+      "dev": true,
+      "requires": {
+        "inherits": "^2.0.1",
+        "minimalistic-assert": "^1.0.0"
+      }
+    },
+    "detect-indent": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/detect-indent/-/detect-indent-4.0.0.tgz",
+      "integrity": "sha1-920GQ1LN9Docts5hnE7jqUdd4gg=",
+      "dev": true,
+      "requires": {
+        "repeating": "^2.0.0"
+      }
+    },
+    "detective": {
+      "version": "5.1.0",
+      "resolved": "https://registry.npmjs.org/detective/-/detective-5.1.0.tgz",
+      "integrity": "sha512-TFHMqfOvxlgrfVzTEkNBSh9SvSNX/HfF4OFI2QFGCyPm02EsyILqnUeb5P6q7JZ3SFNTBL5t2sePRgrN4epUWQ==",
+      "dev": true,
+      "requires": {
+        "acorn-node": "^1.3.0",
+        "defined": "^1.0.0",
+        "minimist": "^1.1.1"
+      },
+      "dependencies": {
+        "minimist": {
+          "version": "1.2.0",
+          "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz",
+          "integrity": "sha1-o1AIsg9BOD7sH7kU9M1d95omQoQ=",
+          "dev": true
+        }
+      }
+    },
+    "diffie-hellman": {
+      "version": "5.0.3",
+      "resolved": "https://registry.npmjs.org/diffie-hellman/-/diffie-hellman-5.0.3.tgz",
+      "integrity": "sha512-kqag/Nl+f3GwyK25fhUMYj81BUOrZ9IuJsjIcDE5icNM9FJHAVm3VcUDxdLPoQtTuUylWm6ZIknYJwwaPxsUzg==",
+      "dev": true,
+      "requires": {
+        "bn.js": "^4.1.0",
+        "miller-rabin": "^4.0.0",
+        "randombytes": "^2.0.0"
+      }
+    },
+    "domain-browser": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/domain-browser/-/domain-browser-1.2.0.tgz",
+      "integrity": "sha512-jnjyiM6eRyZl2H+W8Q/zLMA481hzi0eszAaBUzIVnmYVDBbnLxVNnfu1HgEBvCbL+71FrxMl3E6lpKH7Ge3OXA==",
+      "dev": true
+    },
+    "duplexer2": {
+      "version": "0.1.4",
+      "resolved": "https://registry.npmjs.org/duplexer2/-/duplexer2-0.1.4.tgz",
+      "integrity": "sha1-ixLauHjA1p4+eJEFFmKjL8a93ME=",
+      "dev": true,
+      "requires": {
+        "readable-stream": "^2.0.2"
+      }
+    },
+    "electron-to-chromium": {
+      "version": "1.3.51",
+      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.3.51.tgz",
+      "integrity": "sha1-akK0nar38ipbN7mR2vlJ8029ubU=",
+      "dev": true
+    },
+    "elliptic": {
+      "version": "6.4.0",
+      "resolved": "https://registry.npmjs.org/elliptic/-/elliptic-6.4.0.tgz",
+      "integrity": "sha1-ysmvh2LIWDYYcAPI3+GT5eLq5d8=",
+      "dev": true,
+      "requires": {
+        "bn.js": "^4.4.0",
+        "brorand": "^1.0.1",
+        "hash.js": "^1.0.0",
+        "hmac-drbg": "^1.0.0",
+        "inherits": "^2.0.1",
+        "minimalistic-assert": "^1.0.0",
+        "minimalistic-crypto-utils": "^1.0.0"
+      }
+    },
+    "escape-string-regexp": {
+      "version": "1.0.5",
+      "resolved": "https://registry.npmjs.org/escape-string-regexp/-/escape-string-regexp-1.0.5.tgz",
+      "integrity": "sha1-G2HAViGQqN/2rjuyzwIAyhMLhtQ=",
+      "dev": true
+    },
+    "esutils": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/esutils/-/esutils-2.0.2.tgz",
+      "integrity": "sha1-Cr9PHKpbyx96nYrMbepPqqBLrJs=",
+      "dev": true
+    },
+    "events": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/events/-/events-2.1.0.tgz",
+      "integrity": "sha512-3Zmiobend8P9DjmKAty0Era4jV8oJ0yGYe2nJJAxgymF9+N8F2m0hhZiMoWtcfepExzNKZumFU3ksdQbInGWCg==",
+      "dev": true
+    },
+    "evp_bytestokey": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/evp_bytestokey/-/evp_bytestokey-1.0.3.tgz",
+      "integrity": "sha512-/f2Go4TognH/KvCISP7OUsHn85hT9nUkxxA9BEWxFn+Oj9o8ZNLm/40hdlgSLyuOimsrTKLUMEorQexp/aPQeA==",
+      "dev": true,
+      "requires": {
+        "md5.js": "^1.3.4",
+        "safe-buffer": "^5.1.1"
+      }
+    },
+    "extend": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/extend/-/extend-3.0.1.tgz",
+      "integrity": "sha1-p1Xqe8Gt/MWjHOfnYtuq3F5jZEQ="
+    },
+    "font-awesome": {
+      "version": "4.7.0",
+      "resolved": "https://registry.npmjs.org/font-awesome/-/font-awesome-4.7.0.tgz",
+      "integrity": "sha1-j6jPBBGhoxr9B7BtKQK7n8gVoTM="
+    },
+    "form-data": {
+      "version": "2.3.2",
+      "resolved": "https://registry.npmjs.org/form-data/-/form-data-2.3.2.tgz",
+      "integrity": "sha1-SXBJi+YEwgwAXU9cI67NIda0kJk=",
+      "requires": {
+        "asynckit": "^0.4.0",
+        "combined-stream": "1.0.6",
+        "mime-types": "^2.1.12"
+      }
+    },
+    "formidable": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/formidable/-/formidable-1.2.1.tgz",
+      "integrity": "sha512-Fs9VRguL0gqGHkXS5GQiMCr1VhZBxz0JnJs4JmMp/2jL18Fmbzvv7vOFRU+U8TBkHEE/CX1qDXzJplVULgsLeg=="
+    },
+    "fs.realpath": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz",
+      "integrity": "sha1-FQStJSMVjKpA20onh8sBQRmU6k8=",
+      "dev": true
+    },
+    "function-bind": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.1.tgz",
+      "integrity": "sha512-yIovAzMX49sF8Yl58fSCWJ5svSLuaibPxXQJFLmBObTuCr0Mf1KiPopGM9NiFjiYBCbfaa2Fh6breQ6ANVTI0A==",
+      "dev": true
+    },
+    "get-assigned-identifiers": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/get-assigned-identifiers/-/get-assigned-identifiers-1.2.0.tgz",
+      "integrity": "sha512-mBBwmeGTrxEMO4pMaaf/uUEFHnYtwr8FTe8Y/mer4rcV/bye0qGm6pw1bGZFGStxC5O76c5ZAVBGnqHmOaJpdQ==",
+      "dev": true
+    },
+    "glob": {
+      "version": "7.1.2",
+      "resolved": "https://registry.npmjs.org/glob/-/glob-7.1.2.tgz",
+      "integrity": "sha512-MJTUg1kjuLeQCJ+ccE4Vpa6kKVXkPYJ2mOCQyUuKLcLQsdrMCpBPUi8qVE6+YuaJkozeA9NusTAw3hLr8Xe5EQ==",
+      "dev": true,
+      "requires": {
+        "fs.realpath": "^1.0.0",
+        "inflight": "^1.0.4",
+        "inherits": "2",
+        "minimatch": "^3.0.4",
+        "once": "^1.3.0",
+        "path-is-absolute": "^1.0.0"
+      }
+    },
+    "globals": {
+      "version": "9.18.0",
+      "resolved": "https://registry.npmjs.org/globals/-/globals-9.18.0.tgz",
+      "integrity": "sha512-S0nG3CLEQiY/ILxqtztTWH/3iRRdyBLw6KMDxnKMchrtbj2OFmehVh0WUCfW3DUrIgx/qFrJPICrq4Z4sTR9UQ==",
+      "dev": true
+    },
+    "has": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/has/-/has-1.0.3.tgz",
+      "integrity": "sha512-f2dvO0VU6Oej7RkWJGrehjbzMAjFp5/VKPp5tTpWIV4JHHZK1/BxbFRtf/siA2SWTe09caDmVtYYzWEIbBS4zw==",
+      "dev": true,
+      "requires": {
+        "function-bind": "^1.1.1"
+      }
+    },
+    "has-ansi": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/has-ansi/-/has-ansi-2.0.0.tgz",
+      "integrity": "sha1-NPUEnOHs3ysGSa8+8k5F7TVBbZE=",
+      "dev": true,
+      "requires": {
+        "ansi-regex": "^2.0.0"
+      }
+    },
+    "hash-base": {
+      "version": "3.0.4",
+      "resolved": "https://registry.npmjs.org/hash-base/-/hash-base-3.0.4.tgz",
+      "integrity": "sha1-X8hoaEfs1zSZQDMZprCj8/auSRg=",
+      "dev": true,
+      "requires": {
+        "inherits": "^2.0.1",
+        "safe-buffer": "^5.0.1"
+      }
+    },
+    "hash.js": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/hash.js/-/hash.js-1.1.4.tgz",
+      "integrity": "sha512-A6RlQvvZEtFS5fLU43IDu0QUmBy+fDO9VMdTXvufKwIkt/rFfvICAViCax5fbDO4zdNzaC3/27ZhKUok5bAJyw==",
+      "dev": true,
+      "requires": {
+        "inherits": "^2.0.3",
+        "minimalistic-assert": "^1.0.0"
+      }
+    },
+    "he": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/he/-/he-1.1.1.tgz",
+      "integrity": "sha1-k0EP0hsAlzUVH4howvJx80J+I/0=",
+      "dev": true
+    },
+    "hmac-drbg": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/hmac-drbg/-/hmac-drbg-1.0.1.tgz",
+      "integrity": "sha1-0nRXAQJabHdabFRXk+1QL8DGSaE=",
+      "dev": true,
+      "requires": {
+        "hash.js": "^1.0.3",
+        "minimalistic-assert": "^1.0.0",
+        "minimalistic-crypto-utils": "^1.0.1"
+      }
+    },
+    "home-or-tmp": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/home-or-tmp/-/home-or-tmp-2.0.0.tgz",
+      "integrity": "sha1-42w/LSyufXRqhX440Y1fMqeILbg=",
+      "dev": true,
+      "requires": {
+        "os-homedir": "^1.0.0",
+        "os-tmpdir": "^1.0.1"
+      }
+    },
+    "html-minifier": {
+      "version": "3.5.18",
+      "resolved": "https://registry.npmjs.org/html-minifier/-/html-minifier-3.5.18.tgz",
+      "integrity": "sha512-sczoq/9zeXiKZMj8tsQzHJE7EyjrpMHvblTLuh9o8h5923a6Ts5uQ/3YdY+xIqJYRjzHQPlrHjfjh0BtwPJG0g==",
+      "dev": true,
+      "requires": {
+        "camel-case": "3.0.x",
+        "clean-css": "4.1.x",
+        "commander": "2.16.x",
+        "he": "1.1.x",
+        "param-case": "2.1.x",
+        "relateurl": "0.2.x",
+        "uglify-js": "3.4.x"
+      }
+    },
+    "htmlescape": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/htmlescape/-/htmlescape-1.1.1.tgz",
+      "integrity": "sha1-OgPtwiFLyjtmQko+eVk0lQnLA1E=",
+      "dev": true
+    },
+    "https-browserify": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/https-browserify/-/https-browserify-1.0.0.tgz",
+      "integrity": "sha1-7AbBDgo0wPL68Zn3/X/Hj//QPHM=",
+      "dev": true
+    },
+    "ieee754": {
+      "version": "1.1.12",
+      "resolved": "https://registry.npmjs.org/ieee754/-/ieee754-1.1.12.tgz",
+      "integrity": "sha512-GguP+DRY+pJ3soyIiGPTvdiVXjZ+DbXOxGpXn3eMvNW4x4irjqXm4wHKscC+TfxSJ0yw/S1F24tqdMNsMZTiLA==",
+      "dev": true
+    },
+    "inflight": {
+      "version": "1.0.6",
+      "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz",
+      "integrity": "sha1-Sb1jMdfQLQwJvJEKEHW6gWW1bfk=",
+      "dev": true,
+      "requires": {
+        "once": "^1.3.0",
+        "wrappy": "1"
+      }
+    },
+    "inherits": {
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.3.tgz",
+      "integrity": "sha1-Yzwsg+PaQqUC9SRmAiSA9CCCYd4="
+    },
+    "inline-source-map": {
+      "version": "0.6.2",
+      "resolved": "https://registry.npmjs.org/inline-source-map/-/inline-source-map-0.6.2.tgz",
+      "integrity": "sha1-+Tk0ccGKedFyT4Y/o4tYY3Ct4qU=",
+      "dev": true,
+      "requires": {
+        "source-map": "~0.5.3"
+      }
+    },
+    "insert-module-globals": {
+      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/insert-module-globals/-/insert-module-globals-7.2.0.tgz",
+      "integrity": "sha512-VE6NlW+WGn2/AeOMd496AHFYmE7eLKkUY6Ty31k4og5vmA3Fjuwe9v6ifH6Xx/Hz27QvdoMoviw1/pqWRB09Sw==",
+      "dev": true,
+      "requires": {
+        "JSONStream": "^1.0.3",
+        "acorn-node": "^1.5.2",
+        "combine-source-map": "^0.8.0",
+        "concat-stream": "^1.6.1",
+        "is-buffer": "^1.1.0",
+        "path-is-absolute": "^1.0.1",
+        "process": "~0.11.0",
+        "through2": "^2.0.0",
+        "undeclared-identifiers": "^1.1.2",
+        "xtend": "^4.0.0"
+      }
+    },
+    "invariant": {
+      "version": "2.2.4",
+      "resolved": "https://registry.npmjs.org/invariant/-/invariant-2.2.4.tgz",
+      "integrity": "sha512-phJfQVBuaJM5raOpJjSfkiD6BpbCE4Ns//LaXl6wGYtUBY83nWS6Rf9tXm2e8VaK60JEjYldbPif/A2B1C2gNA==",
+      "dev": true,
+      "requires": {
+        "loose-envify": "^1.0.0"
+      }
+    },
+    "ios-inner-height": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/ios-inner-height/-/ios-inner-height-1.0.3.tgz",
+      "integrity": "sha512-GayJWoFxYHDx/gkfz4nIxNdsqB3nAJQHKV5pDBvig6he8+NxBSYxN+D7oarbqZfW2p6uera3q9NDr4Jgdafiog=="
+    },
+    "is-buffer": {
+      "version": "1.1.6",
+      "resolved": "https://registry.npmjs.org/is-buffer/-/is-buffer-1.1.6.tgz",
+      "integrity": "sha512-NcdALwpXkTm5Zvvbk7owOUSvVvBKDgKP5/ewfXEznmQFfs4ZRmanOeKBTjRVjka3QFoN6XJ+9F3USqfHqTaU5w==",
+      "dev": true
+    },
+    "is-finite": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/is-finite/-/is-finite-1.0.2.tgz",
+      "integrity": "sha1-zGZ3aVYCvlUO8R6LSqYwU0K20Ko=",
+      "dev": true,
+      "requires": {
+        "number-is-nan": "^1.0.0"
+      }
+    },
+    "isarray": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz",
+      "integrity": "sha1-u5NdSFgsuhaMBoNJV6VKPgcSTxE="
+    },
+    "js-cookie": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/js-cookie/-/js-cookie-2.2.0.tgz",
+      "integrity": "sha1-Gywnmm7s44ChIWi5JIUmWzWx7/s="
+    },
+    "js-tokens": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-3.0.2.tgz",
+      "integrity": "sha1-mGbfOVECEw449/mWvOtlRDIJwls=",
+      "dev": true
+    },
+    "jsesc": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/jsesc/-/jsesc-1.3.0.tgz",
+      "integrity": "sha1-RsP+yMGJKxKwgz25vHYiF226s0s=",
+      "dev": true
+    },
+    "json-stable-stringify": {
+      "version": "0.0.1",
+      "resolved": "https://registry.npmjs.org/json-stable-stringify/-/json-stable-stringify-0.0.1.tgz",
+      "integrity": "sha1-YRwj6BTbN1Un34URk9tZ3Sryf0U=",
+      "dev": true,
+      "requires": {
+        "jsonify": "~0.0.0"
+      }
+    },
+    "json5": {
+      "version": "0.5.1",
+      "resolved": "https://registry.npmjs.org/json5/-/json5-0.5.1.tgz",
+      "integrity": "sha1-Hq3nrMASA0rYTiOWdn6tn6VJWCE=",
+      "dev": true
+    },
+    "jsonify": {
+      "version": "0.0.0",
+      "resolved": "https://registry.npmjs.org/jsonify/-/jsonify-0.0.0.tgz",
+      "integrity": "sha1-LHS27kHZPKUbe1qu6PUDYx0lKnM=",
+      "dev": true
+    },
+    "jsonparse": {
+      "version": "1.3.1",
+      "resolved": "https://registry.npmjs.org/jsonparse/-/jsonparse-1.3.1.tgz",
+      "integrity": "sha1-P02uSpH6wxX3EGL4UhzCOfE2YoA=",
+      "dev": true
+    },
+    "labeled-stream-splicer": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/labeled-stream-splicer/-/labeled-stream-splicer-2.0.1.tgz",
+      "integrity": "sha512-MC94mHZRvJ3LfykJlTUipBqenZz1pacOZEMhhQ8dMGcDHs0SBE5GbsavUXV7YtP3icBW17W0Zy1I0lfASmo9Pg==",
+      "dev": true,
+      "requires": {
+        "inherits": "^2.0.1",
+        "isarray": "^2.0.4",
+        "stream-splicer": "^2.0.0"
+      },
+      "dependencies": {
+        "isarray": {
+          "version": "2.0.4",
+          "resolved": "https://registry.npmjs.org/isarray/-/isarray-2.0.4.tgz",
+          "integrity": "sha512-GMxXOiUirWg1xTKRipM0Ek07rX+ubx4nNVElTJdNLYmNO/2YrDkgJGw9CljXn+r4EWiDQg/8lsRdHyg2PJuUaA==",
+          "dev": true
+        }
+      }
+    },
+    "lodash": {
+      "version": "4.17.10",
+      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.10.tgz",
+      "integrity": "sha512-UejweD1pDoXu+AD825lWwp4ZGtSwgnpZxb3JDViD7StjQz+Nb/6l093lx4OQ0foGWNRoc19mWy7BzL+UAK2iVg==",
+      "dev": true
+    },
+    "lodash.memoize": {
+      "version": "3.0.4",
+      "resolved": "https://registry.npmjs.org/lodash.memoize/-/lodash.memoize-3.0.4.tgz",
+      "integrity": "sha1-LcvSwofLwKVcxCMovQxzYVDVPj8=",
+      "dev": true
+    },
+    "loose-envify": {
+      "version": "1.3.1",
+      "resolved": "https://registry.npmjs.org/loose-envify/-/loose-envify-1.3.1.tgz",
+      "integrity": "sha1-0aitM/qc4OcT1l/dCsi3SNR4yEg=",
+      "dev": true,
+      "requires": {
+        "js-tokens": "^3.0.0"
+      }
+    },
+    "lower-case": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/lower-case/-/lower-case-1.1.4.tgz",
+      "integrity": "sha1-miyr0bno4K6ZOkv31YdcOcQujqw=",
+      "dev": true
+    },
+    "marked": {
+      "version": "0.4.0",
+      "resolved": "https://registry.npmjs.org/marked/-/marked-0.4.0.tgz",
+      "integrity": "sha512-tMsdNBgOsrUophCAFQl0XPe6Zqk/uy9gnue+jIIKhykO51hxyu6uNx7zBPy0+y/WKYVZZMspV9YeXLNdKk+iYw=="
+    },
+    "md5.js": {
+      "version": "1.3.4",
+      "resolved": "https://registry.npmjs.org/md5.js/-/md5.js-1.3.4.tgz",
+      "integrity": "sha1-6b296UogpawYsENA/Fdk1bCdkB0=",
+      "dev": true,
+      "requires": {
+        "hash-base": "^3.0.0",
+        "inherits": "^2.0.1"
+      }
+    },
+    "mdn-data": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/mdn-data/-/mdn-data-1.1.4.tgz",
+      "integrity": "sha512-FSYbp3lyKjyj3E7fMl6rYvUdX0FBXaluGqlFoYESWQlyUTq8R+wp0rkFxoYFqZlHCvsUXGjyJmLQSnXToYhOSA==",
+      "dev": true
+    },
+    "methods": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/methods/-/methods-1.1.2.tgz",
+      "integrity": "sha1-VSmk1nZUE07cxSZmVoNbD4Ua/O4="
+    },
+    "miller-rabin": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/miller-rabin/-/miller-rabin-4.0.1.tgz",
+      "integrity": "sha512-115fLhvZVqWwHPbClyntxEVfVDfl9DLLTuJvq3g2O/Oxi8AiNouAHvDSzHS0viUJc+V5vm3eq91Xwqn9dp4jRA==",
+      "dev": true,
+      "requires": {
+        "bn.js": "^4.0.0",
+        "brorand": "^1.0.1"
+      }
+    },
+    "mime": {
+      "version": "1.6.0",
+      "resolved": "https://registry.npmjs.org/mime/-/mime-1.6.0.tgz",
+      "integrity": "sha512-x0Vn8spI+wuJ1O6S7gnbaQg8Pxh4NNHb7KSINmEWKiPE4RKOplvijn+NkmYmmRgP68mc70j2EbeTFRsrswaQeg=="
+    },
+    "mime-db": {
+      "version": "1.33.0",
+      "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.33.0.tgz",
+      "integrity": "sha512-BHJ/EKruNIqJf/QahvxwQZXKygOQ256myeN/Ew+THcAa5q+PjyTTMMeNQC4DZw5AwfvelsUrA6B67NKMqXDbzQ=="
+    },
+    "mime-types": {
+      "version": "2.1.18",
+      "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.18.tgz",
+      "integrity": "sha512-lc/aahn+t4/SWV/qcmumYjymLsWfN3ELhpmVuUFjgsORruuZPVSwAQryq+HHGvO/SI2KVX26bx+En+zhM8g8hQ==",
+      "requires": {
+        "mime-db": "~1.33.0"
+      }
+    },
+    "minimalistic-assert": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/minimalistic-assert/-/minimalistic-assert-1.0.1.tgz",
+      "integrity": "sha512-UtJcAD4yEaGtjPezWuO9wC4nwUnVH/8/Im3yEHQP4b67cXlD/Qr9hdITCU1xDbSEXg2XKNaP8jsReV7vQd00/A==",
+      "dev": true
+    },
+    "minimalistic-crypto-utils": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/minimalistic-crypto-utils/-/minimalistic-crypto-utils-1.0.1.tgz",
+      "integrity": "sha1-9sAMHAsIIkblxNmd+4x8CDsrWCo=",
+      "dev": true
+    },
+    "minimatch": {
+      "version": "3.0.4",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz",
+      "integrity": "sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA==",
+      "dev": true,
+      "requires": {
+        "brace-expansion": "^1.1.7"
+      }
+    },
+    "minimist": {
+      "version": "0.0.8",
+      "resolved": "https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz",
+      "integrity": "sha1-hX/Kv8M5fSYluCKCYuhqp6ARsF0=",
+      "dev": true
+    },
+    "mkdirp": {
+      "version": "0.5.1",
+      "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.1.tgz",
+      "integrity": "sha1-MAV0OOrGz3+MR2fzhkjWaX11yQM=",
+      "dev": true,
+      "requires": {
+        "minimist": "0.0.8"
+      }
+    },
+    "module-deps": {
+      "version": "6.1.0",
+      "resolved": "https://registry.npmjs.org/module-deps/-/module-deps-6.1.0.tgz",
+      "integrity": "sha512-NPs5N511VD1rrVJihSso/LiBShRbJALYBKzDW91uZYy7BpjnO4bGnZL3HjZ9yKcFdZUWwaYjDz9zxbuP7vKMuQ==",
+      "dev": true,
+      "requires": {
+        "JSONStream": "^1.0.3",
+        "browser-resolve": "^1.7.0",
+        "cached-path-relative": "^1.0.0",
+        "concat-stream": "~1.6.0",
+        "defined": "^1.0.0",
+        "detective": "^5.0.2",
+        "duplexer2": "^0.1.2",
+        "inherits": "^2.0.1",
+        "parents": "^1.0.0",
+        "readable-stream": "^2.0.2",
+        "resolve": "^1.4.0",
+        "stream-combiner2": "^1.1.1",
+        "subarg": "^1.0.0",
+        "through2": "^2.0.0",
+        "xtend": "^4.0.0"
+      }
+    },
+    "mousetrap": {
+      "version": "1.6.2",
+      "resolved": "https://registry.npmjs.org/mousetrap/-/mousetrap-1.6.2.tgz",
+      "integrity": "sha512-jDjhi7wlHwdO6q6DS7YRmSHcuI+RVxadBkLt3KHrhd3C2b+w5pKefg3oj5beTcHZyVFA9Aksf+yEE1y5jxUjVA=="
+    },
+    "ms": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
+      "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g="
+    },
+    "no-case": {
+      "version": "2.3.2",
+      "resolved": "https://registry.npmjs.org/no-case/-/no-case-2.3.2.tgz",
+      "integrity": "sha512-rmTZ9kz+f3rCvK2TD1Ue/oZlns7OGoIWP4fc3llxxRXlOkHKoWPPWJOfFYpITabSow43QJbRIoHQXtt10VldyQ==",
+      "dev": true,
+      "requires": {
+        "lower-case": "^1.1.1"
+      }
+    },
+    "nprogress": {
+      "version": "0.2.0",
+      "resolved": "https://registry.npmjs.org/nprogress/-/nprogress-0.2.0.tgz",
+      "integrity": "sha1-y480xTIT2JVyP8urkH6UIq28r7E="
+    },
+    "number-is-nan": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/number-is-nan/-/number-is-nan-1.0.1.tgz",
+      "integrity": "sha1-CXtgK1NCKlIsGvuHkDGDNpQaAR0=",
+      "dev": true
+    },
+    "once": {
+      "version": "1.4.0",
+      "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz",
+      "integrity": "sha1-WDsap3WWHUsROsF9nFC6753Xa9E=",
+      "dev": true,
+      "requires": {
+        "wrappy": "1"
+      }
+    },
+    "os-browserify": {
+      "version": "0.3.0",
+      "resolved": "https://registry.npmjs.org/os-browserify/-/os-browserify-0.3.0.tgz",
+      "integrity": "sha1-hUNzx/XCMVkU/Jv8a9gjj92h7Cc=",
+      "dev": true
+    },
+    "os-homedir": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/os-homedir/-/os-homedir-1.0.2.tgz",
+      "integrity": "sha1-/7xJiDNuDoM94MFox+8VISGqf7M=",
+      "dev": true
+    },
+    "os-tmpdir": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/os-tmpdir/-/os-tmpdir-1.0.2.tgz",
+      "integrity": "sha1-u+Z0BseaqFxc/sdm/lc0VV36EnQ=",
+      "dev": true
+    },
+    "pako": {
+      "version": "1.0.6",
+      "resolved": "https://registry.npmjs.org/pako/-/pako-1.0.6.tgz",
+      "integrity": "sha512-lQe48YPsMJAig+yngZ87Lus+NF+3mtu7DVOBu6b/gHO1YpKwIj5AWjZ/TOS7i46HD/UixzWb1zeWDZfGZ3iYcg==",
+      "dev": true
+    },
+    "param-case": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/param-case/-/param-case-2.1.1.tgz",
+      "integrity": "sha1-35T9jPZTHs915r75oIWPvHK+Ikc=",
+      "dev": true,
+      "requires": {
+        "no-case": "^2.2.0"
+      }
+    },
+    "parents": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/parents/-/parents-1.0.1.tgz",
+      "integrity": "sha1-/t1NK/GTp3dF/nHjcdc8MwfZx1E=",
+      "dev": true,
+      "requires": {
+        "path-platform": "~0.11.15"
+      }
+    },
+    "parse-asn1": {
+      "version": "5.1.1",
+      "resolved": "https://registry.npmjs.org/parse-asn1/-/parse-asn1-5.1.1.tgz",
+      "integrity": "sha512-KPx7flKXg775zZpnp9SxJlz00gTd4BmJ2yJufSc44gMCRrRQ7NSzAcSJQfifuOLgW6bEi+ftrALtsgALeB2Adw==",
+      "dev": true,
+      "requires": {
+        "asn1.js": "^4.0.0",
+        "browserify-aes": "^1.0.0",
+        "create-hash": "^1.1.0",
+        "evp_bytestokey": "^1.0.0",
+        "pbkdf2": "^3.0.3"
+      }
+    },
+    "path-browserify": {
+      "version": "0.0.1",
+      "resolved": "https://registry.npmjs.org/path-browserify/-/path-browserify-0.0.1.tgz",
+      "integrity": "sha512-BapA40NHICOS+USX9SN4tyhq+A2RrN/Ws5F0Z5aMHDp98Fl86lX8Oti8B7uN93L4Ifv4fHOEA+pQw87gmMO/lQ==",
+      "dev": true
+    },
+    "path-is-absolute": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz",
+      "integrity": "sha1-F0uSaHNVNP+8es5r9TpanhtcX18=",
+      "dev": true
+    },
+    "path-parse": {
+      "version": "1.0.5",
+      "resolved": "https://registry.npmjs.org/path-parse/-/path-parse-1.0.5.tgz",
+      "integrity": "sha1-PBrfhx6pzWyUMbbqK9dKD/BVxME=",
+      "dev": true
+    },
+    "path-platform": {
+      "version": "0.11.15",
+      "resolved": "https://registry.npmjs.org/path-platform/-/path-platform-0.11.15.tgz",
+      "integrity": "sha1-6GQhf3TDaFDwhSt43Hv31KVyG/I=",
+      "dev": true
+    },
+    "pbkdf2": {
+      "version": "3.0.16",
+      "resolved": "https://registry.npmjs.org/pbkdf2/-/pbkdf2-3.0.16.tgz",
+      "integrity": "sha512-y4CXP3thSxqf7c0qmOF+9UeOTrifiVTIM+u7NWlq+PRsHbr7r7dpCmvzrZxa96JJUNi0Y5w9VqG5ZNeCVMoDcA==",
+      "dev": true,
+      "requires": {
+        "create-hash": "^1.1.2",
+        "create-hmac": "^1.1.4",
+        "ripemd160": "^2.0.1",
+        "safe-buffer": "^5.0.1",
+        "sha.js": "^2.4.8"
+      }
+    },
+    "private": {
+      "version": "0.1.8",
+      "resolved": "https://registry.npmjs.org/private/-/private-0.1.8.tgz",
+      "integrity": "sha512-VvivMrbvd2nKkiG38qjULzlc+4Vx4wm/whI9pQD35YrARNnhxeiRktSOhSukRLFNlzg6Br/cJPet5J/u19r/mg==",
+      "dev": true
+    },
+    "process": {
+      "version": "0.11.10",
+      "resolved": "https://registry.npmjs.org/process/-/process-0.11.10.tgz",
+      "integrity": "sha1-czIwDoQBYb2j5podHZGn1LwW8YI=",
+      "dev": true
+    },
+    "process-nextick-args": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.0.tgz",
+      "integrity": "sha512-MtEC1TqN0EU5nephaJ4rAtThHtC86dNN9qCuEhtshvpVBkAW5ZO7BASN9REnF9eoXGcRub+pFuKEpOHE+HbEMw=="
+    },
+    "public-encrypt": {
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/public-encrypt/-/public-encrypt-4.0.2.tgz",
+      "integrity": "sha512-4kJ5Esocg8X3h8YgJsKAuoesBgB7mqH3eowiDzMUPKiRDDE7E/BqqZD1hnTByIaAFiwAw246YEltSq7tdrOH0Q==",
+      "dev": true,
+      "requires": {
+        "bn.js": "^4.1.0",
+        "browserify-rsa": "^4.0.0",
+        "create-hash": "^1.1.0",
+        "parse-asn1": "^5.0.0",
+        "randombytes": "^2.0.1"
+      }
+    },
+    "punycode": {
+      "version": "1.4.1",
+      "resolved": "https://registry.npmjs.org/punycode/-/punycode-1.4.1.tgz",
+      "integrity": "sha1-wNWmOycYgArY4esPpSachN1BhF4=",
+      "dev": true
+    },
+    "qs": {
+      "version": "6.5.2",
+      "resolved": "https://registry.npmjs.org/qs/-/qs-6.5.2.tgz",
+      "integrity": "sha512-N5ZAX4/LxJmF+7wN74pUD6qAh9/wnvdQcjq9TZjevvXzSUo7bfmw91saqMjzGS2xq91/odN2dW/WOl7qQHNDGA=="
+    },
+    "querystring": {
+      "version": "0.2.0",
+      "resolved": "https://registry.npmjs.org/querystring/-/querystring-0.2.0.tgz",
+      "integrity": "sha1-sgmEkgO7Jd+CDadW50cAWHhSFiA=",
+      "dev": true
+    },
+    "querystring-es3": {
+      "version": "0.2.1",
+      "resolved": "https://registry.npmjs.org/querystring-es3/-/querystring-es3-0.2.1.tgz",
+      "integrity": "sha1-nsYfeQSYdXB9aUFFlv2Qek1xHnM=",
+      "dev": true
+    },
+    "randombytes": {
+      "version": "2.0.6",
+      "resolved": "https://registry.npmjs.org/randombytes/-/randombytes-2.0.6.tgz",
+      "integrity": "sha512-CIQ5OFxf4Jou6uOKe9t1AOgqpeU5fd70A8NPdHSGeYXqXsPe6peOwI0cUl88RWZ6sP1vPMV3avd/R6cZ5/sP1A==",
+      "dev": true,
+      "requires": {
+        "safe-buffer": "^5.1.0"
+      }
+    },
+    "randomfill": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/randomfill/-/randomfill-1.0.4.tgz",
+      "integrity": "sha512-87lcbR8+MhcWcUiQ+9e+Rwx8MyR2P7qnt15ynUlbm3TU/fjbgz4GsvfSUDTemtCCtVCqb4ZcEFlyPNTh9bBTLw==",
+      "dev": true,
+      "requires": {
+        "randombytes": "^2.0.5",
+        "safe-buffer": "^5.1.0"
+      }
+    },
+    "read-only-stream": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/read-only-stream/-/read-only-stream-2.0.0.tgz",
+      "integrity": "sha1-JyT9aoET1zdkrCiNQ4YnDB2/F/A=",
+      "dev": true,
+      "requires": {
+        "readable-stream": "^2.0.2"
+      }
+    },
+    "readable-stream": {
+      "version": "2.3.6",
+      "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.6.tgz",
+      "integrity": "sha512-tQtKA9WIAhBF3+VLAseyMqZeBjW0AHJoxOtYqSUZNJxauErmLbVm2FW1y+J/YA9dUrAC39ITejlZWhVIwawkKw==",
+      "requires": {
+        "core-util-is": "~1.0.0",
+        "inherits": "~2.0.3",
+        "isarray": "~1.0.0",
+        "process-nextick-args": "~2.0.0",
+        "safe-buffer": "~5.1.1",
+        "string_decoder": "~1.1.1",
+        "util-deprecate": "~1.0.1"
+      }
+    },
+    "regenerate": {
+      "version": "1.4.0",
+      "resolved": "https://registry.npmjs.org/regenerate/-/regenerate-1.4.0.tgz",
+      "integrity": "sha512-1G6jJVDWrt0rK99kBjvEtziZNCICAuvIPkSiUFIQxVP06RCVpq3dmDo2oi6ABpYaDYaTRr67BEhL8r1wgEZZKg==",
+      "dev": true
+    },
+    "regenerator-runtime": {
+      "version": "0.11.1",
+      "resolved": "https://registry.npmjs.org/regenerator-runtime/-/regenerator-runtime-0.11.1.tgz",
+      "integrity": "sha512-MguG95oij0fC3QV3URf4V2SDYGJhJnJGqvIIgdECeODCT98wSWDAJ94SSuVpYQUoTcGUIL6L4yNB7j1DFFHSBg==",
+      "dev": true
+    },
+    "regenerator-transform": {
+      "version": "0.10.1",
+      "resolved": "https://registry.npmjs.org/regenerator-transform/-/regenerator-transform-0.10.1.tgz",
+      "integrity": "sha512-PJepbvDbuK1xgIgnau7Y90cwaAmO/LCLMI2mPvaXq2heGMR3aWW5/BQvYrhJ8jgmQjXewXvBjzfqKcVOmhjZ6Q==",
+      "dev": true,
+      "requires": {
+        "babel-runtime": "^6.18.0",
+        "babel-types": "^6.19.0",
+        "private": "^0.1.6"
+      }
+    },
+    "regexpu-core": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/regexpu-core/-/regexpu-core-2.0.0.tgz",
+      "integrity": "sha1-SdA4g3uNz4v6W5pCE5k45uoq4kA=",
+      "dev": true,
+      "requires": {
+        "regenerate": "^1.2.1",
+        "regjsgen": "^0.2.0",
+        "regjsparser": "^0.1.4"
+      }
+    },
+    "regjsgen": {
+      "version": "0.2.0",
+      "resolved": "https://registry.npmjs.org/regjsgen/-/regjsgen-0.2.0.tgz",
+      "integrity": "sha1-bAFq3qxVT3WCP+N6wFuS1aTtsfc=",
+      "dev": true
+    },
+    "regjsparser": {
+      "version": "0.1.5",
+      "resolved": "https://registry.npmjs.org/regjsparser/-/regjsparser-0.1.5.tgz",
+      "integrity": "sha1-fuj4Tcb6eS0/0K4ijSS9lJ6tIFw=",
+      "dev": true,
+      "requires": {
+        "jsesc": "~0.5.0"
+      },
+      "dependencies": {
+        "jsesc": {
+          "version": "0.5.0",
+          "resolved": "https://registry.npmjs.org/jsesc/-/jsesc-0.5.0.tgz",
+          "integrity": "sha1-597mbjXW/Bb3EP6R1c9p9w8IkR0=",
+          "dev": true
+        }
+      }
+    },
+    "relateurl": {
+      "version": "0.2.7",
+      "resolved": "https://registry.npmjs.org/relateurl/-/relateurl-0.2.7.tgz",
+      "integrity": "sha1-VNvzd+UUQKypCkzSdGANP/LYiKk=",
+      "dev": true
+    },
+    "repeating": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/repeating/-/repeating-2.0.1.tgz",
+      "integrity": "sha1-UhTFOpJtNVJwdSf7q0FdvAjQbdo=",
+      "dev": true,
+      "requires": {
+        "is-finite": "^1.0.0"
+      }
+    },
+    "resolve": {
+      "version": "1.8.1",
+      "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.8.1.tgz",
+      "integrity": "sha512-AicPrAC7Qu1JxPCZ9ZgCZlY35QgFnNqc+0LtbRNxnVw4TXvjQ72wnuL9JQcEBgXkI9JM8MsT9kaQoHcpCRJOYA==",
+      "dev": true,
+      "requires": {
+        "path-parse": "^1.0.5"
+      }
+    },
+    "ripemd160": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/ripemd160/-/ripemd160-2.0.2.tgz",
+      "integrity": "sha512-ii4iagi25WusVoiC4B4lq7pbXfAp3D9v5CwfkY33vffw2+pkDjY1D8GaN7spsxvCSx8dkPqOZCEZyfxcmJG2IA==",
+      "dev": true,
+      "requires": {
+        "hash-base": "^3.0.0",
+        "inherits": "^2.0.1"
+      }
+    },
+    "safe-buffer": {
+      "version": "5.1.2",
+      "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz",
+      "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g=="
+    },
+    "sax": {
+      "version": "0.5.8",
+      "resolved": "https://registry.npmjs.org/sax/-/sax-0.5.8.tgz",
+      "integrity": "sha1-1HLbIo6zMcJQaw6MFVJK25OdEsE=",
+      "dev": true
+    },
+    "semver": {
+      "version": "5.5.0",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-5.5.0.tgz",
+      "integrity": "sha512-4SJ3dm0WAwWy/NVeioZh5AntkdJoWKxHxcmyP622fOkgHa4z3R0TdBJICINyaSDE6uNwVc8gZr+ZinwZAH4xIA==",
+      "dev": true
+    },
+    "sha.js": {
+      "version": "2.4.11",
+      "resolved": "https://registry.npmjs.org/sha.js/-/sha.js-2.4.11.tgz",
+      "integrity": "sha512-QMEp5B7cftE7APOjk5Y6xgrbWu+WkLVQwk8JNjZ8nKRciZaByEW6MubieAiToS7+dwvrjGhH8jRXz3MVd0AYqQ==",
+      "dev": true,
+      "requires": {
+        "inherits": "^2.0.1",
+        "safe-buffer": "^5.0.1"
+      }
+    },
+    "shasum": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/shasum/-/shasum-1.0.2.tgz",
+      "integrity": "sha1-5wEjENj0F/TetXEhUOVni4euVl8=",
+      "dev": true,
+      "requires": {
+        "json-stable-stringify": "~0.0.0",
+        "sha.js": "~2.4.4"
+      }
+    },
+    "shell-quote": {
+      "version": "1.6.1",
+      "resolved": "https://registry.npmjs.org/shell-quote/-/shell-quote-1.6.1.tgz",
+      "integrity": "sha1-9HgZSczkAmlxJ0MOo7PFR29IF2c=",
+      "dev": true,
+      "requires": {
+        "array-filter": "~0.0.0",
+        "array-map": "~0.0.0",
+        "array-reduce": "~0.0.0",
+        "jsonify": "~0.0.0"
+      }
+    },
+    "simple-concat": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/simple-concat/-/simple-concat-1.0.0.tgz",
+      "integrity": "sha1-c0TLuLbib7J9ZrL8hvn21Zl1IcY=",
+      "dev": true
+    },
+    "slash": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/slash/-/slash-1.0.0.tgz",
+      "integrity": "sha1-xB8vbDn8FtHNF61LXYlhFK5HDVU=",
+      "dev": true
+    },
+    "source-map": {
+      "version": "0.5.7",
+      "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.5.7.tgz",
+      "integrity": "sha1-igOdLRAh0i0eoUyA2OpGi6LvP8w=",
+      "dev": true
+    },
+    "source-map-support": {
+      "version": "0.4.18",
+      "resolved": "https://registry.npmjs.org/source-map-support/-/source-map-support-0.4.18.tgz",
+      "integrity": "sha512-try0/JqxPLF9nOjvSta7tVondkP5dwgyLDjVoyMDlmjugT2lRZ1OfsrYTkCd2hkDnJTKRbO/Rl3orm8vlsUzbA==",
+      "dev": true,
+      "requires": {
+        "source-map": "^0.5.6"
+      }
+    },
+    "stream-browserify": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/stream-browserify/-/stream-browserify-2.0.1.tgz",
+      "integrity": "sha1-ZiZu5fm9uZQKTkUUyvtDu3Hlyds=",
+      "dev": true,
+      "requires": {
+        "inherits": "~2.0.1",
+        "readable-stream": "^2.0.2"
+      }
+    },
+    "stream-combiner2": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/stream-combiner2/-/stream-combiner2-1.1.1.tgz",
+      "integrity": "sha1-+02KFCDqNidk4hrUeAOXvry0HL4=",
+      "dev": true,
+      "requires": {
+        "duplexer2": "~0.1.0",
+        "readable-stream": "^2.0.2"
+      }
+    },
+    "stream-http": {
+      "version": "2.8.3",
+      "resolved": "https://registry.npmjs.org/stream-http/-/stream-http-2.8.3.tgz",
+      "integrity": "sha512-+TSkfINHDo4J+ZobQLWiMouQYB+UVYFttRA94FpEzzJ7ZdqcL4uUUQ7WkdkI4DSozGmgBUE/a47L+38PenXhUw==",
+      "dev": true,
+      "requires": {
+        "builtin-status-codes": "^3.0.0",
+        "inherits": "^2.0.1",
+        "readable-stream": "^2.3.6",
+        "to-arraybuffer": "^1.0.0",
+        "xtend": "^4.0.0"
+      }
+    },
+    "stream-splicer": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/stream-splicer/-/stream-splicer-2.0.0.tgz",
+      "integrity": "sha1-G2O+Q4oTPktnHMGTUZdgAXWRDYM=",
+      "dev": true,
+      "requires": {
+        "inherits": "^2.0.1",
+        "readable-stream": "^2.0.2"
+      }
+    },
+    "string_decoder": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz",
+      "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==",
+      "requires": {
+        "safe-buffer": "~5.1.0"
+      }
+    },
+    "strip-ansi": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-3.0.1.tgz",
+      "integrity": "sha1-ajhfuIU9lS1f8F0Oiq+UJ43GPc8=",
+      "dev": true,
+      "requires": {
+        "ansi-regex": "^2.0.0"
+      }
+    },
+    "stylus": {
+      "version": "0.54.5",
+      "resolved": "https://registry.npmjs.org/stylus/-/stylus-0.54.5.tgz",
+      "integrity": "sha1-QrlWCTHKcJDOhRWnmLqeaqPW3Hk=",
+      "dev": true,
+      "requires": {
+        "css-parse": "1.7.x",
+        "debug": "*",
+        "glob": "7.0.x",
+        "mkdirp": "0.5.x",
+        "sax": "0.5.x",
+        "source-map": "0.1.x"
+      },
+      "dependencies": {
+        "glob": {
+          "version": "7.0.6",
+          "resolved": "https://registry.npmjs.org/glob/-/glob-7.0.6.tgz",
+          "integrity": "sha1-IRuvr0nlJbjNkyYNFKsTYVKz9Xo=",
+          "dev": true,
+          "requires": {
+            "fs.realpath": "^1.0.0",
+            "inflight": "^1.0.4",
+            "inherits": "2",
+            "minimatch": "^3.0.2",
+            "once": "^1.3.0",
+            "path-is-absolute": "^1.0.0"
+          }
+        },
+        "source-map": {
+          "version": "0.1.43",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.1.43.tgz",
+          "integrity": "sha1-wkvBRspRfBRx9drL4lcbK3+eM0Y=",
+          "dev": true,
+          "requires": {
+            "amdefine": ">=0.0.4"
+          }
+        }
+      }
+    },
+    "subarg": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/subarg/-/subarg-1.0.0.tgz",
+      "integrity": "sha1-9izxdYHplrSPyWVpn1TAauJouNI=",
+      "dev": true,
+      "requires": {
+        "minimist": "^1.1.0"
+      },
+      "dependencies": {
+        "minimist": {
+          "version": "1.2.0",
+          "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz",
+          "integrity": "sha1-o1AIsg9BOD7sH7kU9M1d95omQoQ=",
+          "dev": true
+        }
+      }
+    },
+    "superagent": {
+      "version": "3.8.3",
+      "resolved": "https://registry.npmjs.org/superagent/-/superagent-3.8.3.tgz",
+      "integrity": "sha512-GLQtLMCoEIK4eDv6OGtkOoSMt3D+oq0y3dsxMuYuDvaNUvuT8eFBuLmfR0iYYzHC1e8hpzC6ZsxbuP6DIalMFA==",
+      "requires": {
+        "component-emitter": "^1.2.0",
+        "cookiejar": "^2.1.0",
+        "debug": "^3.1.0",
+        "extend": "^3.0.0",
+        "form-data": "^2.3.1",
+        "formidable": "^1.2.0",
+        "methods": "^1.1.1",
+        "mime": "^1.4.1",
+        "qs": "^6.5.1",
+        "readable-stream": "^2.3.5"
+      }
+    },
+    "supports-color": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-2.0.0.tgz",
+      "integrity": "sha1-U10EXOa2Nj+kARcIRimZXp3zJMc=",
+      "dev": true
+    },
+    "syntax-error": {
+      "version": "1.4.0",
+      "resolved": "https://registry.npmjs.org/syntax-error/-/syntax-error-1.4.0.tgz",
+      "integrity": "sha512-YPPlu67mdnHGTup2A8ff7BC2Pjq0e0Yp/IyTFN03zWO0RcK07uLcbi7C2KpGR2FvWbaB0+bfE27a+sBKebSo7w==",
+      "dev": true,
+      "requires": {
+        "acorn-node": "^1.2.0"
+      }
+    },
+    "terser": {
+      "version": "3.7.7",
+      "resolved": "https://registry.npmjs.org/terser/-/terser-3.7.7.tgz",
+      "integrity": "sha512-RRLIxE7S52vSOI9cEbOaisgBd2y6MNgfg2ihUkidsFnuP1eDmZ79+lBWbyvgfFTAc/r8nSjL0k3cpZDDIYiYiA==",
+      "dev": true,
+      "requires": {
+        "commander": "~2.14.1",
+        "source-map": "~0.6.1",
+        "source-map-support": "~0.5.6"
+      },
+      "dependencies": {
+        "commander": {
+          "version": "2.14.1",
+          "resolved": "https://registry.npmjs.org/commander/-/commander-2.14.1.tgz",
+          "integrity": "sha512-+YR16o3rK53SmWHU3rEM3tPAh2rwb1yPcQX5irVn7mb0gXbwuCCrnkbV5+PBfETdfg1vui07nM6PCG1zndcjQw==",
+          "dev": true
+        },
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+          "dev": true
+        },
+        "source-map-support": {
+          "version": "0.5.6",
+          "resolved": "https://registry.npmjs.org/source-map-support/-/source-map-support-0.5.6.tgz",
+          "integrity": "sha512-N4KXEz7jcKqPf2b2vZF11lQIz9W5ZMuUcIOGj243lduidkf2fjkVKJS9vNxVWn3u/uxX38AcE8U9nnH9FPcq+g==",
+          "dev": true,
+          "requires": {
+            "buffer-from": "^1.0.0",
+            "source-map": "^0.6.0"
+          }
+        }
+      }
+    },
+    "through": {
+      "version": "2.3.8",
+      "resolved": "https://registry.npmjs.org/through/-/through-2.3.8.tgz",
+      "integrity": "sha1-DdTJ/6q8NXlgsbckEV1+Doai4fU=",
+      "dev": true
+    },
+    "through2": {
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/through2/-/through2-2.0.3.tgz",
+      "integrity": "sha1-AARWmzfHx0ujnEPzzteNGtlBQL4=",
+      "dev": true,
+      "requires": {
+        "readable-stream": "^2.1.5",
+        "xtend": "~4.0.1"
+      }
+    },
+    "timers-browserify": {
+      "version": "1.4.2",
+      "resolved": "https://registry.npmjs.org/timers-browserify/-/timers-browserify-1.4.2.tgz",
+      "integrity": "sha1-ycWLV1voQHN1y14kYtrO50NZ9B0=",
+      "dev": true,
+      "requires": {
+        "process": "~0.11.0"
+      }
+    },
+    "to-arraybuffer": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/to-arraybuffer/-/to-arraybuffer-1.0.1.tgz",
+      "integrity": "sha1-fSKbH8xjfkZsoIEYCDanqr/4P0M=",
+      "dev": true
+    },
+    "to-fast-properties": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/to-fast-properties/-/to-fast-properties-1.0.3.tgz",
+      "integrity": "sha1-uDVx+k2MJbguIxsG46MFXeTKGkc=",
+      "dev": true
+    },
+    "trim-right": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/trim-right/-/trim-right-1.0.1.tgz",
+      "integrity": "sha1-yy4SAwZ+DI3h9hQJS5/kVwTqYAM=",
+      "dev": true
+    },
+    "tty-browserify": {
+      "version": "0.0.1",
+      "resolved": "https://registry.npmjs.org/tty-browserify/-/tty-browserify-0.0.1.tgz",
+      "integrity": "sha512-C3TaO7K81YvjCgQH9Q1S3R3P3BtN3RIM8n+OvX4il1K1zgE8ZhI0op7kClgkxtutIE8hQrcrHBXvIheqKUUCxw==",
+      "dev": true
+    },
+    "typedarray": {
+      "version": "0.0.6",
+      "resolved": "https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz",
+      "integrity": "sha1-hnrHTjhkGHsdPUfZlqeOxciDB3c=",
+      "dev": true
+    },
+    "uglify-js": {
+      "version": "3.4.3",
+      "resolved": "https://registry.npmjs.org/uglify-js/-/uglify-js-3.4.3.tgz",
+      "integrity": "sha512-RbOgGjF04sFUNSi8xGOTB9AmtVmMmVVAL5a7lxIgJ8urejJen+priq0ooRIHHa8AXI/dSvNF9yYMz9OP4PhybQ==",
+      "dev": true,
+      "requires": {
+        "commander": "~2.16.0",
+        "source-map": "~0.6.1"
+      },
+      "dependencies": {
+        "source-map": {
+          "version": "0.6.1",
+          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+          "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+          "dev": true
+        }
+      }
+    },
+    "umd": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/umd/-/umd-3.0.3.tgz",
+      "integrity": "sha512-4IcGSufhFshvLNcMCV80UnQVlZ5pMOC8mvNPForqwA4+lzYQuetTESLDQkeLmihq8bRcnpbQa48Wb8Lh16/xow==",
+      "dev": true
+    },
+    "undeclared-identifiers": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/undeclared-identifiers/-/undeclared-identifiers-1.1.2.tgz",
+      "integrity": "sha512-13EaeocO4edF/3JKime9rD7oB6QI8llAGhgn5fKOPyfkJbRb6NFv9pYV6dFEmpa4uRjKeBqLZP8GpuzqHlKDMQ==",
+      "dev": true,
+      "requires": {
+        "acorn-node": "^1.3.0",
+        "get-assigned-identifiers": "^1.2.0",
+        "simple-concat": "^1.0.0",
+        "xtend": "^4.0.1"
+      }
+    },
+    "underscore": {
+      "version": "1.9.1",
+      "resolved": "https://registry.npmjs.org/underscore/-/underscore-1.9.1.tgz",
+      "integrity": "sha512-5/4etnCkd9c8gwgowi5/om/mYO5ajCaOgdzj/oW+0eQV9WxKBDZw5+ycmKmeaTXjInS/W0BzpGLo2xR2aBwZdg==",
+      "dev": true
+    },
+    "upper-case": {
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/upper-case/-/upper-case-1.1.3.tgz",
+      "integrity": "sha1-9rRQHC7EzdJrp4vnIilh3ndiFZg=",
+      "dev": true
+    },
+    "url": {
+      "version": "0.11.0",
+      "resolved": "https://registry.npmjs.org/url/-/url-0.11.0.tgz",
+      "integrity": "sha1-ODjpfPxgUh63PFJajlW/3Z4uKPE=",
+      "dev": true,
+      "requires": {
+        "punycode": "1.3.2",
+        "querystring": "0.2.0"
+      },
+      "dependencies": {
+        "punycode": {
+          "version": "1.3.2",
+          "resolved": "https://registry.npmjs.org/punycode/-/punycode-1.3.2.tgz",
+          "integrity": "sha1-llOgNvt8HuQjQvIyXM7v6jkmxI0=",
+          "dev": true
+        }
+      }
+    },
+    "util": {
+      "version": "0.10.4",
+      "resolved": "https://registry.npmjs.org/util/-/util-0.10.4.tgz",
+      "integrity": "sha512-0Pm9hTQ3se5ll1XihRic3FDIku70C+iHUdT/W926rSgHV5QgXsYbKZN8MSC3tJtSkhuROzvsQjAaFENRXr+19A==",
+      "dev": true,
+      "requires": {
+        "inherits": "2.0.3"
+      }
+    },
+    "util-deprecate": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz",
+      "integrity": "sha1-RQ1Nyfpw3nMnYvvS1KKJgUGaDM8="
+    },
+    "vm-browserify": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/vm-browserify/-/vm-browserify-1.1.0.tgz",
+      "integrity": "sha512-iq+S7vZJE60yejDYM0ek6zg308+UZsdtPExWP9VZoCFCz1zkJoXFnAX7aZfd/ZwrkidzdUZL0C/ryW+JwAiIGw==",
+      "dev": true
+    },
+    "wrappy": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz",
+      "integrity": "sha1-tSQ9jz7BqjXxNkYFvA0QNuMKtp8=",
+      "dev": true
+    },
+    "xtend": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/xtend/-/xtend-4.0.1.tgz",
+      "integrity": "sha1-pcbVMr5lbiPbgg77lDofBJmNY68=",
+      "dev": true
+    }
+  }
+}
diff --git a/client/package.json b/client/package.json
index add6de7f..99d1d7ba 100644
--- a/client/package.json
+++ b/client/package.json
@@ -6,26 +6,25 @@
     "watch": "c1=\"\";while :;do c2=$(find html js css img -type f -and -not -iname '*autogen*'|sort|xargs cat|md5sum);[[ $c1 != $c2 ]]&&npm run build -- --no-vendor-js;c1=$c2;sleep 1;done"
   },
   "dependencies": {
-    "babel-polyfill": "^6.7.4",
-    "babel-preset-es2015": "^6.6.0",
-    "babelify": "^7.2.0",
-    "browserify": "^13.0.0",
-    "camelcase": "^2.1.1",
-    "camelcase-keys": "*",
-    "csso": "^1.8.0",
-    "font-awesome": "^4.6.1",
-    "glob": "^7.0.3",
-    "html-minifier": "^1.3.1",
-    "js-cookie": "^2.1.0",
-    "js-yaml": "^3.5.5",
-    "marked": "~0.3.2",
-    "merge": "^1.2.0",
-    "mousetrap": "^1.5.3",
+    "font-awesome": "^4.7.0",
+    "ios-inner-height": "^1.0.3",
+    "js-cookie": "^2.2.0",
+    "marked": "^0.4.0",
+    "mousetrap": "^1.6.2",
     "nprogress": "^0.2.0",
-    "path-to-regexp": "^1.5.1",
-    "stylus": "^0.54.2",
-    "superagent": "^1.8.3",
-    "uglify-js": "git://github.com/mishoo/UglifyJS2.git#harmony",
-    "underscore": "^1.8.3"
+    "superagent": "^3.8.3"
+  },
+  "devDependencies": {
+    "babel-core": "^6.26.3",
+    "babel-polyfill": "^6.26.0",
+    "babel-preset-env": "^1.7.0",
+    "babelify": "^8.0.0",
+    "browserify": "^16.2.2",
+    "csso": "^3.5.1",
+    "glob": "^7.1.2",
+    "html-minifier": "^3.5.18",
+    "stylus": "^0.54.5",
+    "terser": "^3.7.7",
+    "underscore": "^1.9.1"
   }
 }
diff --git a/docker-compose.yml.example b/docker-compose.yml.example
new file mode 100644
index 00000000..501a478c
--- /dev/null
+++ b/docker-compose.yml.example
@@ -0,0 +1,102 @@
+## Example Docker Compose configuration
+##
+## Use this as a template to set up docker-compose, or as guide to set up other
+## orchestration services
+
+version: '3.1'
+services:
+
+  ## Python3 container for backend API
+  backend:
+    build:
+      context: ./server
+    depends_on:
+      - sql
+      - elasticsearch
+    environment: # Commented Values are Default
+      ## These should be the names of the dependent containers listed above, or
+      ## accessible hostnames/IP addresses if these services are running
+      ## outside of Docker
+      POSTGRES_HOST: sql
+      ESEARCH_HOST: elasticsearch
+      ## Credentials for database
+      POSTGRES_USER: szuru
+      POSTGRES_PASSWORD: badpass
+      ## Leave commented if using the official postgres container,
+      ## it will default to the value in POSTGRES_USER
+      #POSTGRES_DB:
+      ## Leave commented if using the default port 5432
+      #POSTGRES_PORT: 5432
+      ## Leave commented if using the default port 9200
+      #ESEARCH_PORT: 9200
+      ## Uncomment and change if you want to use a different index
+      #ESEARCH_INDEX: szurubooru
+      ## Leave commented unless you want verbose SQL in the container logs
+      #LOG_SQL: 1
+    volumes:
+      - data:/data
+      ## If more customizations that are not covered in `config.yaml.dist` are needed
+      ## Comment this line if you are not going
+      ## to supply a YAML file
+      - ./config.yaml:/opt/config.yaml
+
+  ## HTTP container for frontend
+  frontend:
+    build:
+      context: ./client
+      args:
+        ## This shows up on the homescreen, indicating build information
+        ## Change as desired
+        BUILD_INFO: docker-example
+    depends_on:
+      - backend
+    environment:
+      ## This should be the name of the previous container
+      BACKEND_HOST: backend
+    volumes:
+      - data:/data:ro
+    ports:
+      ## If you want to expose the website on another port like 80,
+      ## change to 80:80
+      - 8080:80
+
+  ## PostgreSQL container for database
+  sql:
+    image: postgres:alpine
+    restart: unless-stopped
+    environment:
+      ## These should equal the same credentials as used on the first container
+      POSTGRES_USER: szuru
+      POSTGRES_PASSWORD: badpass
+    volumes:
+      - database:/var/lib/postgresql/data
+
+  ## ElasticSearch container for image indexing
+  elasticsearch:
+    image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.3.1
+    environment:
+      ## Specifies the Java heap size used
+      ## Read
+      ##  https://www.elastic.co/guide/en/elasticsearch/reference/current/docker.html
+      ## for more info
+      ES_JAVA_OPTS: -Xms512m -Xmx512m
+    volumes:
+      - index:/usr/share/elasticsearch/data
+
+volumes:
+## IMPORTANT FOR PRODUCTION USE:
+##   To avoid data loss, you should read and understand how Docker volumes work
+##   before proceeding. Information can be found on
+##     https://docs.docker.com/storage/volumes/
+##   These mounts should be configured with drivers apporpriate for your system.
+##   For small deployments, bind mounts or using the local-persist driver should
+##   be fine. Make sure you mount to a directory that is safe and backed up.
+##   local-persist driver can be found at:
+##     https://github.com/CWSpear/local-persist
+## It is okay to leave these as-is for development or testing purposes
+
+  data: # This volume will hold persistant Image and User data for the board
+
+  database: # This holds the SQL database
+
+  index: # Scratch space for ElasticSearch Index
diff --git a/server/.dockerignore b/server/.dockerignore
new file mode 100644
index 00000000..a20ffa91
--- /dev/null
+++ b/server/.dockerignore
@@ -0,0 +1,8 @@
+szurubooru/tests/*
+setup.cfg
+.pylintrc
+mypi.ini
+
+Dockerfile
+.dockerignore
+**/.gitignore
diff --git a/server/Dockerfile b/server/Dockerfile
new file mode 100644
index 00000000..3aa5ab31
--- /dev/null
+++ b/server/Dockerfile
@@ -0,0 +1,46 @@
+FROM scratch as approot
+WORKDIR /opt/app
+
+COPY alembic.ini wait-for-es generate-thumb ./
+COPY szurubooru/ ./szurubooru/
+COPY config.yaml.dist ../
+
+
+FROM python:3.6-slim
+WORKDIR /opt/app
+
+ARG PUID=1000
+ARG PGID=1000
+ARG PORT=6666
+RUN \
+    # Set users
+    mkdir -p /opt/app /data && \
+    groupadd -g ${PGID} app && \
+    useradd -d /opt/app -M -c '' -g app -r -u ${PUID} app && \
+    chown -R app:app /opt/app /data && \
+    # Create init file
+    echo "#!/bin/sh" >> /init && \
+    echo "set -e" >> /init && \
+    echo "cd /opt/app" >> /init && \
+    echo "./wait-for-es" >> /init && \
+    echo "alembic upgrade head" >> /init && \
+    echo "exec waitress-serve --port ${PORT} szurubooru.facade:app" \
+        >> /init && \
+    chmod a+x /init && \
+    # Install ffmpeg
+    apt-get -yqq update && \
+    apt-get -yq install --no-install-recommends ffmpeg && \
+    rm -rf /var/lib/apt/lists/* && \
+    # Install waitress
+    pip3 install --no-cache-dir waitress
+
+COPY --chown=app:app requirements.txt ./requirements.txt
+RUN pip3 install --no-cache-dir -r ./requirements.txt
+
+# done to minimize number of layers in final image
+COPY --chown=app:app --from=approot / /
+
+VOLUME ["/data/"]
+EXPOSE ${PORT}
+USER app
+CMD ["/init"]
diff --git a/config.yaml.dist b/server/config.yaml.dist
similarity index 61%
rename from config.yaml.dist
rename to server/config.yaml.dist
index a38393a0..8a3a8b0b 100644
--- a/config.yaml.dist
+++ b/server/config.yaml.dist
@@ -1,23 +1,19 @@
 # rather than editing this file, it is strongly suggested to create config.yaml
 # and override only what you need.
 
+# shown in the website title and on the front page
 name: szurubooru
-debug: 0 # generate source maps for JS debugging?
-show_sql: 0 # show sql in server logs?
-transpile: 1 # generate bigger JS to support older browsers?
+# user agent name used to download files from the web on behalf of the api users
+user_agent:
+# used to salt the users' password hashes
 secret: change
-api_url: # where frontend connects to, example: http://api.example.com/
-base_url: # used to form links to frontend, example: http://example.com/
-data_url: # used to form links to posts and avatars, example: http://example.com/data/
-data_dir: # absolute path for posts and avatars storage, example: /srv/www/booru/client/public/data/
-
-
-# usage: schema://user:password@host:port/database_name
-# example: postgres://szuru:dog@localhost:5432/szuru_test
-# example (useful for tests): sqlite:///:memory:
-database:
-test_database: 'sqlite:///:memory:' # required for runing the test suite
+# required for running the test suite
+test_database: 'sqlite:///:memory:'
 
+# Delete thumbnails and source files on post delete
+# Original functionality is no, to mitigate the impacts of admins going
+# on unchecked post purges.
+delete_source_files: no
 
 thumbnails:
     avatar_width: 300
@@ -25,36 +21,37 @@ thumbnails:
     post_width: 300
     post_height: 300
 
-# used to send password reminders
+convert:
+   gif:
+     to_webm: false
+     to_mp4: false
+
+# used to send password reset e-mails
 smtp:
     host: # example: localhost
     port: # example: 25
     user: # example: bot
     pass: # example: groovy123
+    # host can be left empty, in which case it is recommended to fill contactEmail.
 
-# used for reverse image search
-elasticsearch:
-    host: localhost
-    port: 9200
+contact_email: # example: bob@example.com. Meant for manual password reset procedures
 
-limits:
-    users_per_page: 20
-    posts_per_page: 40
-    max_comment_length: 5000
+enable_safety: yes
 
 tag_name_regex: ^\S+$
 tag_category_name_regex: ^[^\s%+#/]+$
 
-default_rank: regular
-
-# don't change these, unless you want to annoy people. if you do customize
-# them though, make sure to update the instructions in the registration form
+# don't make these more restrictive unless you want to annoy people; if you do
+# customize them, make sure to update the instructions in the registration form
 # template as well.
 password_regex: '^.{5,}$'
 user_name_regex: '^[a-zA-Z0-9_-]{1,32}$'
 
+default_rank: regular
+
 privileges:
-    'users:create':                 anonymous
+    'users:create:self':            anonymous # Registration permission
+    'users:create:any':             administrator
     'users:list':                   regular
     'users:view':                   regular
     'users:edit:any:name':          moderator
@@ -70,11 +67,21 @@ privileges:
     'users:delete:any':             administrator
     'users:delete:self':            regular
 
+    'user_tokens:list:any':         administrator
+    'user_tokens:list:self':        regular
+    'user_tokens:create:any':       administrator
+    'user_tokens:create:self':      regular
+    'user_tokens:edit:any':         administrator
+    'user_tokens:edit:self':        regular
+    'user_tokens:delete:any':       administrator
+    'user_tokens:delete:self':      regular
+
     'posts:create:anonymous':       regular
     'posts:create:identified':      regular
     'posts:list':                   anonymous
     'posts:reverse_search':         regular
     'posts:view':                   anonymous
+    'posts:view:featured':          anonymous
     'posts:edit:content':           power
     'posts:edit:flags':             regular
     'posts:edit:notes':             regular
@@ -88,6 +95,8 @@ privileges:
     'posts:score':                  regular
     'posts:merge':                  moderator
     'posts:favorite':               regular
+    'posts:bulk-edit:tags':         power
+    'posts:bulk-edit:safety':       power
 
     'tags:create':                  regular
     'tags:edit:names':              power
@@ -95,16 +104,15 @@ privileges:
     'tags:edit:description':        power
     'tags:edit:implications':       power
     'tags:edit:suggestions':        power
-    'tags:list':                    regular # note: will be available as data_url/tags.json anyway
+    'tags:list':                    regular
     'tags:view':                    anonymous
-    'tags:masstag':                 power
     'tags:merge':                   moderator
     'tags:delete':                  moderator
 
     'tag_categories:create':        moderator
     'tag_categories:edit:name':     moderator
     'tag_categories:edit:color':    moderator
-    'tag_categories:list':          anonymous # note: will be available as data_url/tags.json anyway
+    'tag_categories:list':          anonymous
     'tag_categories:view':          anonymous
     'tag_categories:delete':        moderator
     'tag_categories:set_default':   moderator
@@ -121,3 +129,16 @@ privileges:
     'snapshots:list':               power
 
     'uploads:create':               regular
+
+## ONLY SET THESE IF DEPLOYING OUTSIDE OF DOCKER
+#debug: 0 # generate server logs?
+#show_sql: 0 # show sql in server logs?
+#data_url: /data/
+#data_dir: /var/www/data
+## usage: schema://user:password@host:port/database_name
+## example: postgres://szuru:dog@localhost:5432/szuru_test
+#database:
+#elasticsearch: # used for reverse image search
+#    host: localhost
+#    port: 9200
+#    index: szurubooru
diff --git a/server/dev-requirements.txt b/server/dev-requirements.txt
new file mode 100644
index 00000000..c9dc2348
--- /dev/null
+++ b/server/dev-requirements.txt
@@ -0,0 +1,4 @@
+pytest>=2.9.1
+pytest-cov>=2.2.1
+freezegun>=0.3.6
+pycodestyle>=2.0.0
diff --git a/server/host-waitress b/server/host-waitress
deleted file mode 100755
index 75980818..00000000
--- a/server/host-waitress
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/usr/bin/env python3
-
-'''
-Script facade for direct execution with waitress WSGI server.
-Note that szurubooru can be also run using ``python -m szurubooru``, when in
-the repository's root directory.
-'''
-
-import argparse
-import os.path
-import sys
-import waitress
-from szurubooru.facade import create_app
-
-def main():
-    parser = argparse.ArgumentParser('Starts szurubooru using waitress.')
-    parser.add_argument(
-        '-p', '--port', type=int, help='port to listen on', default=6666)
-    parser.add_argument('--host', help='IP to listen on', default='0.0.0.0')
-    args = parser.parse_args()
-
-    app = create_app()
-    waitress.serve(app, host=args.host, port=args.port)
-
-if __name__ == '__main__':
-    main()
diff --git a/server/lint b/server/lint
deleted file mode 100755
index b53f74f4..00000000
--- a/server/lint
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-pylint szurubooru
-pycodestyle szurubooru --ignore=E128,E131,W503
diff --git a/server/migrate-v1 b/server/migrate-v1
deleted file mode 100755
index 0fdf9e4f..00000000
--- a/server/migrate-v1
+++ /dev/null
@@ -1,387 +0,0 @@
-#!/usr/bin/env python3
-import os
-import sys
-import datetime
-import argparse
-import json
-import zlib
-import concurrent.futures
-import logging
-import coloredlogs
-import sqlalchemy
-from szurubooru import config, db
-from szurubooru.func import files, images, posts, comments
-
-coloredlogs.install(fmt='[%(asctime)-15s] %(message)s')
-logger = logging.getLogger(__name__)
-
-def read_file(path):
-    with open(path, 'rb') as handle:
-        return handle.read()
-
-def translate_note_polygon(row):
-    x, y = row['x'], row['y']
-    w, h = row.get('width', row.get('w')), row.get('height', row.get('h'))
-    x /= 100.0
-    y /= 100.0
-    w /= 100.0
-    h /= 100.0
-    return [
-        (x,     y    ),
-        (x + w, y    ),
-        (x + w, y + h),
-        (x,     y + h),
-    ]
-
-def get_v1_session(args):
-    dsn = '{schema}://{user}:{password}@{host}:{port}/{name}?charset=utf8'.format(
-            schema='mysql+pymysql',
-            user=args.user,
-            password=args.password,
-            host=args.host,
-            port=args.port,
-            name=args.name)
-    logger.info('Connecting to %r...', dsn)
-    engine = sqlalchemy.create_engine(dsn)
-    session_maker = sqlalchemy.orm.sessionmaker(bind=engine)
-    return session_maker()
-
-def parse_args():
-    parser = argparse.ArgumentParser(
-        description='Migrate database from szurubooru v1.x to v2.x.\n\n')
-
-    parser.add_argument(
-        '--data-dir',
-        metavar='PATH', required=True,
-        help='root directory of v1.x deploy')
-
-    parser.add_argument(
-        '--host',
-        metavar='HOST', required=True,
-        help='name of v1.x database host')
-
-    parser.add_argument(
-        '--port',
-        metavar='NUM', type=int, default=3306,
-        help='port to v1.x database host')
-
-    parser.add_argument(
-        '--name',
-        metavar='HOST', required=True,
-        help='v1.x database name')
-
-    parser.add_argument(
-        '--user',
-        metavar='NAME', required=True,
-        help='v1.x database user')
-
-    parser.add_argument(
-        '--password',
-        metavar='PASSWORD', required=True,
-        help='v1.x database password')
-
-    parser.add_argument(
-        '--no-data',
-        action='store_true',
-        help='don\'t migrate post data')
-
-    return parser.parse_args()
-
-def exec_query(session, query):
-    for row in list(session.execute(query)):
-        row = dict(zip(row.keys(), row))
-        yield row
-
-def exec_scalar(session, query):
-    rows = list(exec_query(session, query))
-    first_row = rows[0]
-    return list(first_row.values())[0]
-
-def import_users(v1_data_dir, v1_session, v2_session, no_data=False):
-    for row in exec_query(v1_session, 'SELECT * FROM users'):
-        logger.info('Importing user %s...', row['name'])
-        user = db.User()
-        user.user_id = row['id']
-        user.name = row['name']
-        user.password_salt = row['passwordSalt']
-        user.password_hash = row['passwordHash']
-        user.email = row['email']
-        user.rank = {
-            6: db.User.RANK_ADMINISTRATOR,
-            5: db.User.RANK_MODERATOR,
-            4: db.User.RANK_POWER,
-            3: db.User.RANK_REGULAR,
-            2: db.User.RANK_RESTRICTED,
-            1: db.User.RANK_ANONYMOUS,
-        }[row['accessRank']]
-        user.creation_time = row['creationTime']
-        user.last_login_time = row['lastLoginTime']
-        user.avatar_style = {
-            2: db.User.AVATAR_MANUAL,
-            1: db.User.AVATAR_GRAVATAR,
-            0: db.User.AVATAR_GRAVATAR,
-        }[row['avatarStyle']]
-        v2_session.add(user)
-
-        if user.avatar_style == db.User.AVATAR_MANUAL:
-            source_avatar_path = os.path.join(
-                v1_data_dir, 'public_html', 'data', 'avatars', str(user.user_id))
-            target_avatar_path = 'avatars/' + user.name.lower() + '.png'
-            if not no_data and not files.has(target_avatar_path):
-                avatar_content = read_file(source_avatar_path)
-                image = images.Image(avatar_content)
-                image.resize_fill(
-                    int(config.config['thumbnails']['avatar_width']),
-                    int(config.config['thumbnails']['avatar_height']))
-                files.save(target_avatar_path, image.to_png())
-    counter = exec_scalar(v1_session, 'SELECT MAX(id) FROM users') + 1
-    v2_session.execute('ALTER SEQUENCE user_id_seq RESTART WITH %d' % counter)
-    v2_session.commit()
-
-def import_tag_categories(v1_session, v2_session):
-    category_to_id_map = {}
-    for row in exec_query(v1_session, 'SELECT DISTINCT category FROM tags'):
-        logger.info('Importing tag category %s...', row['category'])
-        category = db.TagCategory()
-        category.tag_category_id = len(category_to_id_map) + 1
-        category.name = row['category']
-        category.color = 'default'
-        v2_session.add(category)
-        category_to_id_map[category.name] = category.tag_category_id
-    v2_session.execute(
-        'ALTER SEQUENCE tag_category_id_seq RESTART WITH %d' % (
-            len(category_to_id_map) + 1,))
-    return category_to_id_map
-
-def import_tags(category_to_id_map, v1_session, v2_session):
-    unused_tag_ids = []
-    for row in exec_query(v1_session, 'SELECT * FROM tags'):
-        logger.info('Importing tag %s...', row['name'])
-        if row['banned']:
-            logger.info('Ignored banned tag %s', row['name'])
-            unused_tag_ids.append(row['id'])
-            continue
-        tag = db.Tag()
-        tag.tag_id = row['id']
-        tag.names = [db.TagName(name=row['name'])]
-        tag.category_id = category_to_id_map[row['category']]
-        tag.creation_time = row['creationTime']
-        tag.last_edit_time = row['lastEditTime']
-        v2_session.add(tag)
-    counter = exec_scalar(v1_session, 'SELECT MAX(id) FROM tags') + 1
-    v2_session.execute('ALTER SEQUENCE tag_id_seq RESTART WITH %d' % counter)
-    v2_session.commit()
-    return unused_tag_ids
-
-def import_tag_relations(unused_tag_ids, v1_session, v2_session):
-    logger.info('Importing tag relations...')
-    for row in exec_query(v1_session, 'SELECT * FROM tagRelations'):
-        if row['tag1id'] in unused_tag_ids or row['tag2id'] in unused_tag_ids:
-            continue
-        if row['type'] == 1:
-            v2_session.add(
-                db.TagImplication(
-                    parent_id=row['tag1id'], child_id=row['tag2id']))
-        else:
-            v2_session.add(
-                db.TagSuggestion(
-                    parent_id=row['tag1id'], child_id=row['tag2id']))
-    v2_session.commit()
-
-def import_posts(v1_session, v2_session):
-    unused_post_ids = []
-    for row in exec_query(v1_session, 'SELECT * FROM posts'):
-        logger.info('Importing post %d...', row['id'])
-        if row['contentType'] == 4:
-            logger.warn('Ignoring youtube post %d', row['id'])
-            unused_post_ids.append(row['id'])
-            continue
-        post = db.Post()
-        post.post_id = row['id']
-        post.user_id = row['userId']
-        post.type = {
-            1: db.Post.TYPE_IMAGE,
-            2: db.Post.TYPE_FLASH,
-            3: db.Post.TYPE_VIDEO,
-            5: db.Post.TYPE_ANIMATION,
-        }[row['contentType']]
-        post.source = row['source']
-        post.canvas_width = row['imageWidth']
-        post.canvas_height = row['imageHeight']
-        post.file_size = row['originalFileSize']
-        post.creation_time = row['creationTime']
-        post.last_edit_time = row['lastEditTime']
-        post.checksum = row['contentChecksum']
-        post.mime_type = row['contentMimeType']
-        post.safety = {
-            1: db.Post.SAFETY_SAFE,
-            2: db.Post.SAFETY_SKETCHY,
-            3: db.Post.SAFETY_UNSAFE,
-        }[row['safety']]
-        if row['flags'] & 1:
-            post.flags = [db.Post.FLAG_LOOP]
-        v2_session.add(post)
-    counter = exec_scalar(v1_session, 'SELECT MAX(id) FROM posts') + 1
-    v2_session.execute('ALTER SEQUENCE post_id_seq RESTART WITH %d' % counter)
-    v2_session.commit()
-    return unused_post_ids
-
-def _import_post_content_for_post(
-        unused_post_ids, v1_data_dir, v1_session, v2_session, row, post):
-    logger.info('Importing post %d content...', row['id'])
-    if row['id'] in unused_post_ids:
-        logger.warn('Ignoring unimported post %d', row['id'])
-        return
-    assert post
-    source_content_path = os.path.join(
-        v1_data_dir,
-        'public_html',
-        'data',
-        'posts',
-        row['name'])
-    source_thumb_path = os.path.join(
-        v1_data_dir,
-        'public_html',
-        'data',
-        'posts',
-        row['name'] + '-custom-thumb')
-    target_content_path = posts.get_post_content_path(post)
-    target_thumb_path = posts.get_post_thumbnail_backup_path(post)
-    if not files.has(target_content_path):
-        post_content = read_file(source_content_path)
-        files.save(target_content_path, post_content)
-    if os.path.exists(source_thumb_path) and not files.has(target_thumb_path):
-        thumb_content = read_file(source_thumb_path)
-        files.save(target_thumb_path, thumb_content)
-    if not files.has(posts.get_post_thumbnail_path(post)):
-        posts.generate_post_thumbnail(post)
-
-def import_post_content(unused_post_ids, v1_data_dir, v1_session, v2_session):
-    rows = list(exec_query(v1_session, 'SELECT * FROM posts'))
-    posts = {post.post_id: post for post in v2_session.query(db.Post).all()}
-    with concurrent.futures.ThreadPoolExecutor(max_workers=10) as executor:
-        for row in rows:
-            post = posts.get(row['id'])
-            executor.submit(
-                _import_post_content_for_post,
-                unused_post_ids, v1_data_dir, v1_session, v2_session, row, post)
-
-def import_post_tags(unused_post_ids, v1_session, v2_session):
-    logger.info('Importing post tags...')
-    for row in exec_query(v1_session, 'SELECT * FROM postTags'):
-        if row['postId'] in unused_post_ids:
-            continue
-        v2_session.add(db.PostTag(post_id=row['postId'], tag_id=row['tagId']))
-    v2_session.commit()
-
-def import_post_notes(unused_post_ids, v1_session, v2_session):
-    logger.info('Importing post notes...')
-    for row in exec_query(v1_session, 'SELECT * FROM postNotes'):
-        if row['postId'] in unused_post_ids:
-            continue
-        post_note = db.PostNote()
-        post_note.post_id = row['postId']
-        post_note.text = row['text']
-        post_note.polygon = translate_note_polygon(row)
-        v2_session.add(post_note)
-    v2_session.commit()
-
-def import_post_relations(unused_post_ids, v1_session, v2_session):
-    logger.info('Importing post relations...')
-    for row in exec_query(v1_session, 'SELECT * FROM postRelations'):
-        if row['post1id'] in unused_post_ids or row['post2id'] in unused_post_ids:
-            continue
-        v2_session.add(
-            db.PostRelation(
-                parent_id=row['post1id'], child_id=row['post2id']))
-        v2_session.add(
-            db.PostRelation(
-                parent_id=row['post2id'], child_id=row['post1id']))
-    v2_session.commit()
-
-def import_post_favorites(unused_post_ids, v1_session, v2_session):
-    logger.info('Importing post favorites...')
-    for row in exec_query(v1_session, 'SELECT * FROM favorites'):
-        if row['postId'] in unused_post_ids:
-            continue
-        v2_session.add(
-            db.PostFavorite(
-                post_id=row['postId'],
-                user_id=row['userId'],
-                time=row['time'] or datetime.datetime.min))
-    v2_session.commit()
-
-def import_comments(unused_post_ids, v1_session, v2_session):
-    for row in exec_query(v1_session, 'SELECT * FROM comments'):
-        logger.info('Importing comment %d...', row['id'])
-        if row['postId'] in unused_post_ids:
-            logger.warn('Ignoring comment for unimported post %d', row['postId'])
-            continue
-        if not posts.try_get_post_by_id(row['postId']):
-            logger.warn('Ignoring comment for non existing post %d', row['postId'])
-            continue
-        comment = db.Comment()
-        comment.comment_id = row['id']
-        comment.user_id = row['userId']
-        comment.post_id = row['postId']
-        comment.creation_time = row['creationTime']
-        comment.last_edit_time = row['lastEditTime']
-        comment.text = row['text']
-        v2_session.add(comment)
-    counter = exec_scalar(v1_session, 'SELECT MAX(id) FROM comments') + 1
-    v2_session.execute('ALTER SEQUENCE comment_id_seq RESTART WITH %d' % counter)
-    v2_session.commit()
-
-def import_scores(v1_session, v2_session):
-    logger.info('Importing scores...')
-    for row in exec_query(v1_session, 'SELECT * FROM scores'):
-        if row['postId']:
-            post = posts.try_get_post_by_id(row['postId'])
-            if not post:
-                logger.warn('Ignoring score for unimported post %d', row['postId'])
-                continue
-            score = db.PostScore()
-            score.post = post
-        elif row['commentId']:
-            comment = comments.try_get_comment_by_id(row['commentId'])
-            if not comment:
-                logger.warn('Ignoring score for unimported comment %d', row['commentId'])
-                continue
-            score = db.CommentScore()
-            score.comment = comment
-        score.score = row['score']
-        score.time = row['time'] or datetime.datetime.min
-        score.user_id = row['userId']
-        v2_session.add(score)
-    v2_session.commit()
-
-def main():
-    args = parse_args()
-
-    v1_data_dir = args.data_dir
-    v1_session = get_v1_session(args)
-    v2_session = db.session
-
-    if v2_session.query(db.Tag).count() \
-            or v2_session.query(db.Post).count() \
-            or v2_session.query(db.Comment).count() \
-            or v2_session.query(db.User).count():
-        logger.error('v2.x database is dirty! Aborting.')
-        sys.exit(1)
-
-    import_users(v1_data_dir, v1_session, v2_session, args.no_data)
-    category_to_id_map = import_tag_categories(v1_session, v2_session)
-    unused_tag_ids = import_tags(category_to_id_map, v1_session, v2_session)
-    import_tag_relations(unused_tag_ids, v1_session, v2_session)
-    unused_post_ids = import_posts(v1_session, v2_session)
-    if not args.no_data:
-        import_post_content(unused_post_ids, v1_data_dir, v1_session, v2_session)
-    import_post_tags(unused_post_ids, v1_session, v2_session)
-    import_post_notes(unused_post_ids, v1_session, v2_session)
-    import_post_relations(unused_post_ids, v1_session, v2_session)
-    import_post_favorites(unused_post_ids, v1_session, v2_session)
-    import_comments(unused_post_ids, v1_session, v2_session)
-    import_scores(v1_session, v2_session)
-
-if __name__ == '__main__':
-    main()
diff --git a/server/mypy.ini b/server/mypy.ini
new file mode 100644
index 00000000..a0300b7a
--- /dev/null
+++ b/server/mypy.ini
@@ -0,0 +1,14 @@
+[mypy]
+ignore_missing_imports = True
+follow_imports = skip
+disallow_untyped_calls = True
+disallow_untyped_defs = True
+check_untyped_defs = True
+disallow_subclassing_any = False
+warn_redundant_casts = True
+warn_unused_ignores = True
+strict_optional = True
+strict_boolean = False
+
+[mypy-szurubooru.tests.*]
+ignore_errors=True
diff --git a/server/requirements.txt b/server/requirements.txt
index c200222d..a1ef52ec 100644
--- a/server/requirements.txt
+++ b/server/requirements.txt
@@ -1,13 +1,12 @@
 alembic>=0.8.5
 pyyaml>=3.11
-psycopg2>=2.6.1
+psycopg2-binary>=2.6.1
 SQLAlchemy>=1.0.12
-pytest>=2.9.1
-pytest-cov>=2.2.1
-freezegun>=0.3.6
 coloredlogs==5.0
-pycodestyle>=2.0.0
-image-match>=1.1.0
-scipy>=0.18.1
 elasticsearch>=5.0.0
 elasticsearch-dsl>=5.0.0
+numpy>=1.8.2
+pillow>=4.3.0
+pynacl>=1.2.1
+pytz>=2018.3
+pyRFC3339>=1.0
diff --git a/server/setup.cfg b/server/setup.cfg
new file mode 100644
index 00000000..7e835b45
--- /dev/null
+++ b/server/setup.cfg
@@ -0,0 +1,3 @@
+[tool:pytest]
+testpaths=szurubooru
+addopts=--cov-report=term-missing --cov=szurubooru --tb=short
diff --git a/server/szurubooru/api/__init__.py b/server/szurubooru/api/__init__.py
index 2a2d5af7..0d7f75f8 100644
--- a/server/szurubooru/api/__init__.py
+++ b/server/szurubooru/api/__init__.py
@@ -1,5 +1,6 @@
 import szurubooru.api.info_api
 import szurubooru.api.user_api
+import szurubooru.api.user_token_api
 import szurubooru.api.post_api
 import szurubooru.api.tag_api
 import szurubooru.api.tag_category_api
diff --git a/server/szurubooru/api/comment_api.py b/server/szurubooru/api/comment_api.py
index 51058160..cc8350a6 100644
--- a/server/szurubooru/api/comment_api.py
+++ b/server/szurubooru/api/comment_api.py
@@ -1,31 +1,44 @@
-import datetime
-from szurubooru import search
-from szurubooru.rest import routes
-from szurubooru.func import auth, comments, posts, scores, util, versions
+from typing import Dict
+from datetime import datetime
+from szurubooru import search, rest, model
+from szurubooru.func import (
+    auth, comments, posts, scores, versions, serialization)
 
 
 _search_executor = search.Executor(search.configs.CommentSearchConfig())
 
 
-def _serialize(ctx, comment, **kwargs):
+def _get_comment(params: Dict[str, str]) -> model.Comment:
+    try:
+        comment_id = int(params['comment_id'])
+    except TypeError:
+        raise comments.InvalidCommentIdError(
+            'Invalid comment ID: %r.' % params['comment_id'])
+    return comments.get_comment_by_id(comment_id)
+
+
+def _serialize(
+        ctx: rest.Context, comment: model.Comment) -> rest.Response:
     return comments.serialize_comment(
         comment,
         ctx.user,
-        options=util.get_serialization_options(ctx), **kwargs)
+        options=serialization.get_serialization_options(ctx))
 
 
-@routes.get('/comments/?')
-def get_comments(ctx, _params=None):
+@rest.routes.get('/comments/?')
+def get_comments(
+        ctx: rest.Context, _params: Dict[str, str] = {}) -> rest.Response:
     auth.verify_privilege(ctx.user, 'comments:list')
     return _search_executor.execute_and_serialize(
         ctx, lambda comment: _serialize(ctx, comment))
 
 
-@routes.post('/comments/?')
-def create_comment(ctx, _params=None):
+@rest.routes.post('/comments/?')
+def create_comment(
+        ctx: rest.Context, _params: Dict[str, str] = {}) -> rest.Response:
     auth.verify_privilege(ctx.user, 'comments:create')
-    text = ctx.get_param_as_string('text', required=True)
-    post_id = ctx.get_param_as_int('postId', required=True)
+    text = ctx.get_param_as_string('text')
+    post_id = ctx.get_param_as_int('postId')
     post = posts.get_post_by_id(post_id)
     comment = comments.create_comment(ctx.user, post, text)
     ctx.session.add(comment)
@@ -33,30 +46,30 @@ def create_comment(ctx, _params=None):
     return _serialize(ctx, comment)
 
 
-@routes.get('/comment/(?P<comment_id>[^/]+)/?')
-def get_comment(ctx, params):
+@rest.routes.get('/comment/(?P<comment_id>[^/]+)/?')
+def get_comment(ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
     auth.verify_privilege(ctx.user, 'comments:view')
-    comment = comments.get_comment_by_id(params['comment_id'])
+    comment = _get_comment(params)
     return _serialize(ctx, comment)
 
 
-@routes.put('/comment/(?P<comment_id>[^/]+)/?')
-def update_comment(ctx, params):
-    comment = comments.get_comment_by_id(params['comment_id'])
+@rest.routes.put('/comment/(?P<comment_id>[^/]+)/?')
+def update_comment(ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
+    comment = _get_comment(params)
     versions.verify_version(comment, ctx)
     versions.bump_version(comment)
     infix = 'own' if ctx.user.user_id == comment.user_id else 'any'
-    text = ctx.get_param_as_string('text', required=True)
+    text = ctx.get_param_as_string('text')
     auth.verify_privilege(ctx.user, 'comments:edit:%s' % infix)
     comments.update_comment_text(comment, text)
-    comment.last_edit_time = datetime.datetime.utcnow()
+    comment.last_edit_time = datetime.utcnow()
     ctx.session.commit()
     return _serialize(ctx, comment)
 
 
-@routes.delete('/comment/(?P<comment_id>[^/]+)/?')
-def delete_comment(ctx, params):
-    comment = comments.get_comment_by_id(params['comment_id'])
+@rest.routes.delete('/comment/(?P<comment_id>[^/]+)/?')
+def delete_comment(ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
+    comment = _get_comment(params)
     versions.verify_version(comment, ctx)
     infix = 'own' if ctx.user.user_id == comment.user_id else 'any'
     auth.verify_privilege(ctx.user, 'comments:delete:%s' % infix)
@@ -65,20 +78,22 @@ def delete_comment(ctx, params):
     return {}
 
 
-@routes.put('/comment/(?P<comment_id>[^/]+)/score/?')
-def set_comment_score(ctx, params):
+@rest.routes.put('/comment/(?P<comment_id>[^/]+)/score/?')
+def set_comment_score(
+        ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
     auth.verify_privilege(ctx.user, 'comments:score')
-    score = ctx.get_param_as_int('score', required=True)
-    comment = comments.get_comment_by_id(params['comment_id'])
+    score = ctx.get_param_as_int('score')
+    comment = _get_comment(params)
     scores.set_score(comment, ctx.user, score)
     ctx.session.commit()
     return _serialize(ctx, comment)
 
 
-@routes.delete('/comment/(?P<comment_id>[^/]+)/score/?')
-def delete_comment_score(ctx, params):
+@rest.routes.delete('/comment/(?P<comment_id>[^/]+)/score/?')
+def delete_comment_score(
+        ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
     auth.verify_privilege(ctx.user, 'comments:score')
-    comment = comments.get_comment_by_id(params['comment_id'])
+    comment = _get_comment(params)
     scores.delete_score(comment, ctx.user)
     ctx.session.commit()
     return _serialize(ctx, comment)
diff --git a/server/szurubooru/api/info_api.py b/server/szurubooru/api/info_api.py
index d815485a..19b2be7c 100644
--- a/server/szurubooru/api/info_api.py
+++ b/server/szurubooru/api/info_api.py
@@ -1,19 +1,20 @@
-import datetime
 import os
-from szurubooru import config
-from szurubooru.rest import routes
-from szurubooru.func import posts, users, util
+from typing import Optional, Dict
+from datetime import datetime, timedelta
+from szurubooru import config, rest
+from szurubooru.func import auth, posts, users, util
 
 
-_cache_time = None
-_cache_result = None
+_cache_time = None  # type: Optional[datetime]
+_cache_result = None  # type: Optional[int]
 
 
-def _get_disk_usage():
+def _get_disk_usage() -> int:
     global _cache_time, _cache_result  # pylint: disable=global-statement
-    threshold = datetime.timedelta(hours=48)
-    now = datetime.datetime.utcnow()
+    threshold = timedelta(hours=48)
+    now = datetime.utcnow()
     if _cache_time and _cache_time > now - threshold:
+        assert _cache_result is not None
         return _cache_result
     total_size = 0
     for dir_path, _, file_names in os.walk(config.config['data_dir']):
@@ -25,28 +26,35 @@ def _get_disk_usage():
     return total_size
 
 
-@routes.get('/info/?')
-def get_info(ctx, _params=None):
+@rest.routes.get('/info/?')
+def get_info(
+        ctx: rest.Context, _params: Dict[str, str] = {}) -> rest.Response:
     post_feature = posts.try_get_current_post_feature()
-    return {
+    ret = {
         'postCount': posts.get_post_count(),
         'diskUsage': _get_disk_usage(),
-        'featuredPost':
-            posts.serialize_post(post_feature.post, ctx.user)
-                if post_feature else None,
-        'featuringTime': post_feature.time if post_feature else None,
-        'featuringUser':
-            users.serialize_user(post_feature.user, ctx.user)
-                if post_feature else None,
-        'serverTime': datetime.datetime.utcnow(),
+        'serverTime': datetime.utcnow(),
         'config': {
+            'name': config.config['name'],
             'userNameRegex': config.config['user_name_regex'],
             'passwordRegex': config.config['password_regex'],
             'tagNameRegex': config.config['tag_name_regex'],
             'tagCategoryNameRegex': config.config['tag_category_name_regex'],
             'defaultUserRank': config.config['default_rank'],
+            'enableSafety': config.config['enable_safety'],
+            'contactEmail': config.config['contact_email'],
+            'canSendMails': bool(config.config['smtp']['host']),
             'privileges':
                 util.snake_case_to_lower_camel_case_keys(
                     config.config['privileges']),
         },
     }
+    if auth.has_privilege(ctx.user, 'posts:view:featured'):
+        ret['featuredPost'] = (
+            posts.serialize_post(post_feature.post, ctx.user)
+            if post_feature else None)
+        ret['featuringUser'] = (
+            users.serialize_user(post_feature.user, ctx.user)
+            if post_feature else None)
+        ret['featuringTime'] = post_feature.time if post_feature else None
+    return ret
diff --git a/server/szurubooru/api/password_reset_api.py b/server/szurubooru/api/password_reset_api.py
index 7e5864c9..887d2f0d 100644
--- a/server/szurubooru/api/password_reset_api.py
+++ b/server/szurubooru/api/password_reset_api.py
@@ -1,18 +1,19 @@
-from szurubooru import config, errors
-from szurubooru.rest import routes
+from typing import Dict
+from szurubooru import config, errors, rest
 from szurubooru.func import auth, mailer, users, versions
+from hashlib import md5
 
 
 MAIL_SUBJECT = 'Password reset for {name}'
-MAIL_BODY = \
-    'You (or someone else) requested to reset your password on {name}.\n' \
-    'If you wish to proceed, click this link: {url}\n' \
-    'Otherwise, please ignore this email.'
+MAIL_BODY = (
+    'You (or someone else) requested to reset your password on {name}.\n'
+    'If you wish to proceed, click this link: {url}\n'
+    'Otherwise, please ignore this email.')
 
 
-@routes.get('/password-reset/(?P<user_name>[^/]+)/?')
-def start_password_reset(_ctx, params):
-    ''' Send a mail with secure token to the correlated user. '''
+@rest.routes.get('/password-reset/(?P<user_name>[^/]+)/?')
+def start_password_reset(
+        ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
     user_name = params['user_name']
     user = users.get_user_by_name_or_email(user_name)
     if not user.email:
@@ -20,24 +21,34 @@ def start_password_reset(_ctx, params):
             'User %r hasn\'t supplied email. Cannot reset password.' % (
                 user_name))
     token = auth.generate_authentication_token(user)
-    url = '%s/password-reset/%s:%s' % (
-        config.config['base_url'].rstrip('/'), user.name, token)
+
+    if 'HTTP_ORIGIN' in ctx.env:
+        url = ctx.env['HTTP_ORIGIN'].rstrip('/')
+    else:
+        url = ''
+    url += '/password-reset/%s:%s' % (user.name, token)
+
     mailer.send_mail(
         'noreply@%s' % config.config['name'],
         user.email,
         MAIL_SUBJECT.format(name=config.config['name']),
         MAIL_BODY.format(name=config.config['name'], url=url))
+
     return {}
 
 
-@routes.post('/password-reset/(?P<user_name>[^/]+)/?')
-def finish_password_reset(ctx, params):
-    ''' Verify token from mail, generate a new password and return it. '''
+def _hash(token: str) -> str:
+    return md5(token.encode('utf-8')).hexdigest()
+
+
+@rest.routes.post('/password-reset/(?P<user_name>[^/]+)/?')
+def finish_password_reset(
+        ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
     user_name = params['user_name']
     user = users.get_user_by_name_or_email(user_name)
     good_token = auth.generate_authentication_token(user)
-    token = ctx.get_param_as_string('token', required=True)
-    if token != good_token:
+    token = ctx.get_param_as_string('token')
+    if _hash(token) != _hash(good_token):
         raise errors.ValidationError('Invalid password reset token.')
     new_password = users.reset_user_password(user)
     versions.bump_version(user)
diff --git a/server/szurubooru/api/post_api.py b/server/szurubooru/api/post_api.py
index 5b38b18e..aaa7437f 100644
--- a/server/szurubooru/api/post_api.py
+++ b/server/szurubooru/api/post_api.py
@@ -1,44 +1,60 @@
-import datetime
-from szurubooru import search, db
-from szurubooru.rest import routes
+from typing import Optional, Dict, List
+from datetime import datetime
+from szurubooru import db, model, errors, rest, search
 from szurubooru.func import (
-    auth, tags, posts, snapshots, favorites, scores, util, versions)
+    auth, tags, posts, snapshots, favorites, scores, serialization, versions)
 
 
-_search_executor = search.Executor(search.configs.PostSearchConfig())
+_search_executor_config = search.configs.PostSearchConfig()
+_search_executor = search.Executor(_search_executor_config)
 
 
-def _serialize_post(ctx, post):
+def _get_post_id(params: Dict[str, str]) -> int:
+    try:
+        return int(params['post_id'])
+    except TypeError:
+        raise posts.InvalidPostIdError(
+            'Invalid post ID: %r.' % params['post_id'])
+
+
+def _get_post(params: Dict[str, str]) -> model.Post:
+    return posts.get_post_by_id(_get_post_id(params))
+
+
+def _serialize_post(
+        ctx: rest.Context, post: Optional[model.Post]) -> rest.Response:
     return posts.serialize_post(
         post,
         ctx.user,
-        options=util.get_serialization_options(ctx))
+        options=serialization.get_serialization_options(ctx))
 
 
-@routes.get('/posts/?')
-def get_posts(ctx, _params=None):
+@rest.routes.get('/posts/?')
+def get_posts(
+        ctx: rest.Context, _params: Dict[str, str] = {}) -> rest.Response:
     auth.verify_privilege(ctx.user, 'posts:list')
-    _search_executor.config.user = ctx.user
+    _search_executor_config.user = ctx.user
     return _search_executor.execute_and_serialize(
         ctx, lambda post: _serialize_post(ctx, post))
 
 
-@routes.post('/posts/?')
-def create_post(ctx, _params=None):
+@rest.routes.post('/posts/?')
+def create_post(
+        ctx: rest.Context, _params: Dict[str, str] = {}) -> rest.Response:
     anonymous = ctx.get_param_as_bool('anonymous', default=False)
     if anonymous:
         auth.verify_privilege(ctx.user, 'posts:create:anonymous')
     else:
         auth.verify_privilege(ctx.user, 'posts:create:identified')
-    content = ctx.get_file('content', required=True)
-    tag_names = ctx.get_param_as_list('tags', required=False, default=[])
-    safety = ctx.get_param_as_string('safety', required=True)
-    source = ctx.get_param_as_string('source', required=False, default=None)
+    content = ctx.get_file('content')
+    tag_names = ctx.get_param_as_string_list('tags', default=[])
+    safety = ctx.get_param_as_string('safety')
+    source = ctx.get_param_as_string('source', default='')
     if ctx.has_param('contentUrl') and not source:
-        source = ctx.get_param_as_string('contentUrl')
-    relations = ctx.get_param_as_list('relations', required=False) or []
-    notes = ctx.get_param_as_list('notes', required=False) or []
-    flags = ctx.get_param_as_list('flags', required=False) or []
+        source = ctx.get_param_as_string('contentUrl', default='')
+    relations = ctx.get_param_as_int_list('relations', default=[])
+    notes = ctx.get_param_as_list('notes', default=[])
+    flags = ctx.get_param_as_string_list('flags', default=[])
 
     post, new_tags = posts.create_post(
         content, tag_names, None if anonymous else ctx.user)
@@ -53,24 +69,36 @@ def create_post(ctx, _params=None):
         posts.update_post_thumbnail(post, ctx.get_file('thumbnail'))
     ctx.session.add(post)
     ctx.session.flush()
-    snapshots.create(post, None if anonymous else ctx.user)
-    for tag in new_tags:
-        snapshots.create(tag, None if anonymous else ctx.user)
+    create_snapshots_for_post(post, new_tags, None if anonymous else ctx.user)
+    alternate_format_posts = posts.generate_alternate_formats(post, content)
+    for alternate_post, alternate_post_new_tags in alternate_format_posts:
+        create_snapshots_for_post(
+            alternate_post,
+            alternate_post_new_tags,
+            None if anonymous else ctx.user)
     ctx.session.commit()
-    tags.export_to_json()
     return _serialize_post(ctx, post)
 
 
-@routes.get('/post/(?P<post_id>[^/]+)/?')
-def get_post(ctx, params):
+def create_snapshots_for_post(
+        post: model.Post,
+        new_tags: List[model.Tag],
+        user: Optional[model.User]):
+    snapshots.create(post, user)
+    for tag in new_tags:
+        snapshots.create(tag, user)
+
+
+@rest.routes.get('/post/(?P<post_id>[^/]+)/?')
+def get_post(ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
     auth.verify_privilege(ctx.user, 'posts:view')
-    post = posts.get_post_by_id(params['post_id'])
+    post = _get_post(params)
     return _serialize_post(ctx, post)
 
 
-@routes.put('/post/(?P<post_id>[^/]+)/?')
-def update_post(ctx, params):
-    post = posts.get_post_by_id(params['post_id'])
+@rest.routes.put('/post/(?P<post_id>[^/]+)/?')
+def update_post(ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
+    post = _get_post(params)
     versions.verify_version(post, ctx)
     versions.bump_version(post)
     if ctx.has_file('content'):
@@ -78,7 +106,8 @@ def update_post(ctx, params):
         posts.update_post_content(post, ctx.get_file('content'))
     if ctx.has_param('tags'):
         auth.verify_privilege(ctx.user, 'posts:edit:tags')
-        new_tags = posts.update_post_tags(post, ctx.get_param_as_list('tags'))
+        new_tags = posts.update_post_tags(
+            post, ctx.get_param_as_string_list('tags'))
         if len(new_tags):
             auth.verify_privilege(ctx.user, 'tags:create')
             db.session.flush()
@@ -94,43 +123,43 @@ def update_post(ctx, params):
         posts.update_post_source(post, ctx.get_param_as_string('contentUrl'))
     if ctx.has_param('relations'):
         auth.verify_privilege(ctx.user, 'posts:edit:relations')
-        posts.update_post_relations(post, ctx.get_param_as_list('relations'))
+        posts.update_post_relations(
+            post, ctx.get_param_as_int_list('relations'))
     if ctx.has_param('notes'):
         auth.verify_privilege(ctx.user, 'posts:edit:notes')
         posts.update_post_notes(post, ctx.get_param_as_list('notes'))
     if ctx.has_param('flags'):
         auth.verify_privilege(ctx.user, 'posts:edit:flags')
-        posts.update_post_flags(post, ctx.get_param_as_list('flags'))
+        posts.update_post_flags(post, ctx.get_param_as_string_list('flags'))
     if ctx.has_file('thumbnail'):
         auth.verify_privilege(ctx.user, 'posts:edit:thumbnail')
         posts.update_post_thumbnail(post, ctx.get_file('thumbnail'))
-    post.last_edit_time = datetime.datetime.utcnow()
+    post.last_edit_time = datetime.utcnow()
     ctx.session.flush()
     snapshots.modify(post, ctx.user)
     ctx.session.commit()
-    tags.export_to_json()
     return _serialize_post(ctx, post)
 
 
-@routes.delete('/post/(?P<post_id>[^/]+)/?')
-def delete_post(ctx, params):
+@rest.routes.delete('/post/(?P<post_id>[^/]+)/?')
+def delete_post(ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
     auth.verify_privilege(ctx.user, 'posts:delete')
-    post = posts.get_post_by_id(params['post_id'])
+    post = _get_post(params)
     versions.verify_version(post, ctx)
     snapshots.delete(post, ctx.user)
     posts.delete(post)
     ctx.session.commit()
-    tags.export_to_json()
     return {}
 
 
-@routes.post('/post-merge/?')
-def merge_posts(ctx, _params=None):
-    source_post_id = ctx.get_param_as_string('remove', required=True) or ''
-    target_post_id = ctx.get_param_as_string('mergeTo', required=True) or ''
-    replace_content = ctx.get_param_as_bool('replaceContent')
+@rest.routes.post('/post-merge/?')
+def merge_posts(
+        ctx: rest.Context, _params: Dict[str, str] = {}) -> rest.Response:
+    source_post_id = ctx.get_param_as_int('remove')
+    target_post_id = ctx.get_param_as_int('mergeTo')
     source_post = posts.get_post_by_id(source_post_id)
     target_post = posts.get_post_by_id(target_post_id)
+    replace_content = ctx.get_param_as_bool('replaceContent')
     versions.verify_version(source_post, ctx, 'removeVersion')
     versions.verify_version(target_post, ctx, 'mergeToVersion')
     versions.bump_version(target_post)
@@ -141,16 +170,19 @@ def merge_posts(ctx, _params=None):
     return _serialize_post(ctx, target_post)
 
 
-@routes.get('/featured-post/?')
-def get_featured_post(ctx, _params=None):
+@rest.routes.get('/featured-post/?')
+def get_featured_post(
+        ctx: rest.Context, _params: Dict[str, str] = {}) -> rest.Response:
+    auth.verify_privilege(ctx.user, 'posts:view:featured')
     post = posts.try_get_featured_post()
     return _serialize_post(ctx, post)
 
 
-@routes.post('/featured-post/?')
-def set_featured_post(ctx, _params=None):
+@rest.routes.post('/featured-post/?')
+def set_featured_post(
+        ctx: rest.Context, _params: Dict[str, str] = {}) -> rest.Response:
     auth.verify_privilege(ctx.user, 'posts:feature')
-    post_id = ctx.get_param_as_int('id', required=True)
+    post_id = ctx.get_param_as_int('id')
     post = posts.get_post_by_id(post_id)
     featured_post = posts.try_get_featured_post()
     if featured_post and featured_post.post_id == post.post_id:
@@ -162,55 +194,67 @@ def set_featured_post(ctx, _params=None):
     return _serialize_post(ctx, post)
 
 
-@routes.put('/post/(?P<post_id>[^/]+)/score/?')
-def set_post_score(ctx, params):
+@rest.routes.put('/post/(?P<post_id>[^/]+)/score/?')
+def set_post_score(ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
     auth.verify_privilege(ctx.user, 'posts:score')
-    post = posts.get_post_by_id(params['post_id'])
-    score = ctx.get_param_as_int('score', required=True)
+    post = _get_post(params)
+    score = ctx.get_param_as_int('score')
     scores.set_score(post, ctx.user, score)
     ctx.session.commit()
     return _serialize_post(ctx, post)
 
 
-@routes.delete('/post/(?P<post_id>[^/]+)/score/?')
-def delete_post_score(ctx, params):
+@rest.routes.delete('/post/(?P<post_id>[^/]+)/score/?')
+def delete_post_score(
+        ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
     auth.verify_privilege(ctx.user, 'posts:score')
-    post = posts.get_post_by_id(params['post_id'])
+    post = _get_post(params)
     scores.delete_score(post, ctx.user)
     ctx.session.commit()
     return _serialize_post(ctx, post)
 
 
-@routes.post('/post/(?P<post_id>[^/]+)/favorite/?')
-def add_post_to_favorites(ctx, params):
+@rest.routes.post('/post/(?P<post_id>[^/]+)/favorite/?')
+def add_post_to_favorites(
+        ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
     auth.verify_privilege(ctx.user, 'posts:favorite')
-    post = posts.get_post_by_id(params['post_id'])
+    post = _get_post(params)
     favorites.set_favorite(post, ctx.user)
     ctx.session.commit()
     return _serialize_post(ctx, post)
 
 
-@routes.delete('/post/(?P<post_id>[^/]+)/favorite/?')
-def delete_post_from_favorites(ctx, params):
+@rest.routes.delete('/post/(?P<post_id>[^/]+)/favorite/?')
+def delete_post_from_favorites(
+        ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
     auth.verify_privilege(ctx.user, 'posts:favorite')
-    post = posts.get_post_by_id(params['post_id'])
+    post = _get_post(params)
     favorites.unset_favorite(post, ctx.user)
     ctx.session.commit()
     return _serialize_post(ctx, post)
 
 
-@routes.get('/post/(?P<post_id>[^/]+)/around/?')
-def get_posts_around(ctx, params):
+@rest.routes.get('/post/(?P<post_id>[^/]+)/around/?')
+def get_posts_around(
+        ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
     auth.verify_privilege(ctx.user, 'posts:list')
-    _search_executor.config.user = ctx.user
+    _search_executor_config.user = ctx.user
+    post_id = _get_post_id(params)
     return _search_executor.get_around_and_serialize(
-        ctx, params['post_id'], lambda post: _serialize_post(ctx, post))
+        ctx, post_id, lambda post: _serialize_post(ctx, post))
 
 
-@routes.post('/posts/reverse-search/?')
-def get_posts_by_image(ctx, _params=None):
+@rest.routes.post('/posts/reverse-search/?')
+def get_posts_by_image(
+        ctx: rest.Context, _params: Dict[str, str] = {}) -> rest.Response:
     auth.verify_privilege(ctx.user, 'posts:reverse_search')
-    content = ctx.get_file('content', required=True)
+    content = ctx.get_file('content')
+
+    try:
+        lookalikes = posts.search_by_image(content)
+    except (errors.ThirdPartyError, errors.ProcessingError):
+        lookalikes = []
+
     return {
         'exactPost':
             _serialize_post(ctx, posts.search_by_image_exact(content)),
@@ -220,6 +264,6 @@ def get_posts_by_image(ctx, _params=None):
                     'distance': lookalike.distance,
                     'post': _serialize_post(ctx, lookalike.post),
                 }
-                for lookalike in posts.search_by_image(content)
+                for lookalike in lookalikes
             ],
     }
diff --git a/server/szurubooru/api/snapshot_api.py b/server/szurubooru/api/snapshot_api.py
index 009d8c97..469be7f6 100644
--- a/server/szurubooru/api/snapshot_api.py
+++ b/server/szurubooru/api/snapshot_api.py
@@ -1,13 +1,14 @@
-from szurubooru import search
-from szurubooru.rest import routes
+from typing import Dict
+from szurubooru import search, rest
 from szurubooru.func import auth, snapshots
 
 
 _search_executor = search.Executor(search.configs.SnapshotSearchConfig())
 
 
-@routes.get('/snapshots/?')
-def get_snapshots(ctx, _params=None):
+@rest.routes.get('/snapshots/?')
+def get_snapshots(
+        ctx: rest.Context, _params: Dict[str, str] = {}) -> rest.Response:
     auth.verify_privilege(ctx.user, 'snapshots:list')
     return _search_executor.execute_and_serialize(
         ctx, lambda snapshot: snapshots.serialize_snapshot(snapshot, ctx.user))
diff --git a/server/szurubooru/api/tag_api.py b/server/szurubooru/api/tag_api.py
index a69673ad..f9a15e76 100644
--- a/server/szurubooru/api/tag_api.py
+++ b/server/szurubooru/api/tag_api.py
@@ -1,18 +1,22 @@
-import datetime
-from szurubooru import db, search
-from szurubooru.rest import routes
-from szurubooru.func import auth, tags, snapshots, util, versions
+from typing import Optional, List, Dict
+from datetime import datetime
+from szurubooru import db, model, search, rest
+from szurubooru.func import auth, tags, snapshots, serialization, versions
 
 
 _search_executor = search.Executor(search.configs.TagSearchConfig())
 
 
-def _serialize(ctx, tag):
+def _serialize(ctx: rest.Context, tag: model.Tag) -> rest.Response:
     return tags.serialize_tag(
-        tag, options=util.get_serialization_options(ctx))
+        tag, options=serialization.get_serialization_options(ctx))
 
 
-def _create_if_needed(tag_names, user):
+def _get_tag(params: Dict[str, str]) -> model.Tag:
+    return tags.get_tag_by_name(params['tag_name'])
+
+
+def _create_if_needed(tag_names: List[str], user: model.User) -> None:
     if not tag_names:
         return
     _existing_tags, new_tags = tags.get_or_create_tags_by_names(tag_names)
@@ -23,25 +27,23 @@ def _create_if_needed(tag_names, user):
         snapshots.create(tag, user)
 
 
-@routes.get('/tags/?')
-def get_tags(ctx, _params=None):
+@rest.routes.get('/tags/?')
+def get_tags(ctx: rest.Context, _params: Dict[str, str] = {}) -> rest.Response:
     auth.verify_privilege(ctx.user, 'tags:list')
     return _search_executor.execute_and_serialize(
         ctx, lambda tag: _serialize(ctx, tag))
 
 
-@routes.post('/tags/?')
-def create_tag(ctx, _params=None):
+@rest.routes.post('/tags/?')
+def create_tag(
+        ctx: rest.Context, _params: Dict[str, str] = {}) -> rest.Response:
     auth.verify_privilege(ctx.user, 'tags:create')
 
-    names = ctx.get_param_as_list('names', required=True)
-    category = ctx.get_param_as_string('category', required=True)
-    description = ctx.get_param_as_string(
-        'description', required=False, default=None)
-    suggestions = ctx.get_param_as_list(
-        'suggestions', required=False, default=[])
-    implications = ctx.get_param_as_list(
-        'implications', required=False, default=[])
+    names = ctx.get_param_as_string_list('names')
+    category = ctx.get_param_as_string('category')
+    description = ctx.get_param_as_string('description', default='')
+    suggestions = ctx.get_param_as_string_list('suggestions', default=[])
+    implications = ctx.get_param_as_string_list('implications', default=[])
 
     _create_if_needed(suggestions, ctx.user)
     _create_if_needed(implications, ctx.user)
@@ -52,25 +54,24 @@ def create_tag(ctx, _params=None):
     ctx.session.flush()
     snapshots.create(tag, ctx.user)
     ctx.session.commit()
-    tags.export_to_json()
     return _serialize(ctx, tag)
 
 
-@routes.get('/tag/(?P<tag_name>.+)')
-def get_tag(ctx, params):
+@rest.routes.get('/tag/(?P<tag_name>.+)')
+def get_tag(ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
     auth.verify_privilege(ctx.user, 'tags:view')
-    tag = tags.get_tag_by_name(params['tag_name'])
+    tag = _get_tag(params)
     return _serialize(ctx, tag)
 
 
-@routes.put('/tag/(?P<tag_name>.+)')
-def update_tag(ctx, params):
-    tag = tags.get_tag_by_name(params['tag_name'])
+@rest.routes.put('/tag/(?P<tag_name>.+)')
+def update_tag(ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
+    tag = _get_tag(params)
     versions.verify_version(tag, ctx)
     versions.bump_version(tag)
     if ctx.has_param('names'):
         auth.verify_privilege(ctx.user, 'tags:edit:names')
-        tags.update_tag_names(tag, ctx.get_param_as_list('names'))
+        tags.update_tag_names(tag, ctx.get_param_as_string_list('names'))
     if ctx.has_param('category'):
         auth.verify_privilege(ctx.user, 'tags:edit:category')
         tags.update_tag_category_name(
@@ -78,41 +79,40 @@ def update_tag(ctx, params):
     if ctx.has_param('description'):
         auth.verify_privilege(ctx.user, 'tags:edit:description')
         tags.update_tag_description(
-            tag, ctx.get_param_as_string('description', default=None))
+            tag, ctx.get_param_as_string('description'))
     if ctx.has_param('suggestions'):
         auth.verify_privilege(ctx.user, 'tags:edit:suggestions')
-        suggestions = ctx.get_param_as_list('suggestions')
+        suggestions = ctx.get_param_as_string_list('suggestions')
         _create_if_needed(suggestions, ctx.user)
         tags.update_tag_suggestions(tag, suggestions)
     if ctx.has_param('implications'):
         auth.verify_privilege(ctx.user, 'tags:edit:implications')
-        implications = ctx.get_param_as_list('implications')
+        implications = ctx.get_param_as_string_list('implications')
         _create_if_needed(implications, ctx.user)
         tags.update_tag_implications(tag, implications)
-    tag.last_edit_time = datetime.datetime.utcnow()
+    tag.last_edit_time = datetime.utcnow()
     ctx.session.flush()
     snapshots.modify(tag, ctx.user)
     ctx.session.commit()
-    tags.export_to_json()
     return _serialize(ctx, tag)
 
 
-@routes.delete('/tag/(?P<tag_name>.+)')
-def delete_tag(ctx, params):
-    tag = tags.get_tag_by_name(params['tag_name'])
+@rest.routes.delete('/tag/(?P<tag_name>.+)')
+def delete_tag(ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
+    tag = _get_tag(params)
     versions.verify_version(tag, ctx)
     auth.verify_privilege(ctx.user, 'tags:delete')
     snapshots.delete(tag, ctx.user)
     tags.delete(tag)
     ctx.session.commit()
-    tags.export_to_json()
     return {}
 
 
-@routes.post('/tag-merge/?')
-def merge_tags(ctx, _params=None):
-    source_tag_name = ctx.get_param_as_string('remove', required=True) or ''
-    target_tag_name = ctx.get_param_as_string('mergeTo', required=True) or ''
+@rest.routes.post('/tag-merge/?')
+def merge_tags(
+        ctx: rest.Context, _params: Dict[str, str] = {}) -> rest.Response:
+    source_tag_name = ctx.get_param_as_string('remove')
+    target_tag_name = ctx.get_param_as_string('mergeTo')
     source_tag = tags.get_tag_by_name(source_tag_name)
     target_tag = tags.get_tag_by_name(target_tag_name)
     versions.verify_version(source_tag, ctx, 'removeVersion')
@@ -122,14 +122,14 @@ def merge_tags(ctx, _params=None):
     tags.merge_tags(source_tag, target_tag)
     snapshots.merge(source_tag, target_tag, ctx.user)
     ctx.session.commit()
-    tags.export_to_json()
     return _serialize(ctx, target_tag)
 
 
-@routes.get('/tag-siblings/(?P<tag_name>.+)')
-def get_tag_siblings(ctx, params):
+@rest.routes.get('/tag-siblings/(?P<tag_name>.+)')
+def get_tag_siblings(
+        ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
     auth.verify_privilege(ctx.user, 'tags:view')
-    tag = tags.get_tag_by_name(params['tag_name'])
+    tag = _get_tag(params)
     result = tags.get_tag_siblings(tag)
     serialized_siblings = []
     for sibling, occurrences in result:
diff --git a/server/szurubooru/api/tag_category_api.py b/server/szurubooru/api/tag_category_api.py
index 139da1d8..07da9993 100644
--- a/server/szurubooru/api/tag_category_api.py
+++ b/server/szurubooru/api/tag_category_api.py
@@ -1,15 +1,18 @@
-from szurubooru.rest import routes
+from typing import Dict
+from szurubooru import model, rest
 from szurubooru.func import (
-    auth, tags, tag_categories, snapshots, util, versions)
+    auth, tags, tag_categories, snapshots, serialization, versions)
 
 
-def _serialize(ctx, category):
+def _serialize(
+        ctx: rest.Context, category: model.TagCategory) -> rest.Response:
     return tag_categories.serialize_category(
-        category, options=util.get_serialization_options(ctx))
+        category, options=serialization.get_serialization_options(ctx))
 
 
-@routes.get('/tag-categories/?')
-def get_tag_categories(ctx, _params=None):
+@rest.routes.get('/tag-categories/?')
+def get_tag_categories(
+        ctx: rest.Context, _params: Dict[str, str] = {}) -> rest.Response:
     auth.verify_privilege(ctx.user, 'tag_categories:list')
     categories = tag_categories.get_all_categories()
     return {
@@ -17,29 +20,31 @@ def get_tag_categories(ctx, _params=None):
     }
 
 
-@routes.post('/tag-categories/?')
-def create_tag_category(ctx, _params=None):
+@rest.routes.post('/tag-categories/?')
+def create_tag_category(
+        ctx: rest.Context, _params: Dict[str, str] = {}) -> rest.Response:
     auth.verify_privilege(ctx.user, 'tag_categories:create')
-    name = ctx.get_param_as_string('name', required=True)
-    color = ctx.get_param_as_string('color', required=True)
+    name = ctx.get_param_as_string('name')
+    color = ctx.get_param_as_string('color')
     category = tag_categories.create_category(name, color)
     ctx.session.add(category)
     ctx.session.flush()
     snapshots.create(category, ctx.user)
     ctx.session.commit()
-    tags.export_to_json()
     return _serialize(ctx, category)
 
 
-@routes.get('/tag-category/(?P<category_name>[^/]+)/?')
-def get_tag_category(ctx, params):
+@rest.routes.get('/tag-category/(?P<category_name>[^/]+)/?')
+def get_tag_category(
+        ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
     auth.verify_privilege(ctx.user, 'tag_categories:view')
     category = tag_categories.get_category_by_name(params['category_name'])
     return _serialize(ctx, category)
 
 
-@routes.put('/tag-category/(?P<category_name>[^/]+)/?')
-def update_tag_category(ctx, params):
+@rest.routes.put('/tag-category/(?P<category_name>[^/]+)/?')
+def update_tag_category(
+        ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
     category = tag_categories.get_category_by_name(
         params['category_name'], lock=True)
     versions.verify_version(category, ctx)
@@ -55,12 +60,12 @@ def update_tag_category(ctx, params):
     ctx.session.flush()
     snapshots.modify(category, ctx.user)
     ctx.session.commit()
-    tags.export_to_json()
     return _serialize(ctx, category)
 
 
-@routes.delete('/tag-category/(?P<category_name>[^/]+)/?')
-def delete_tag_category(ctx, params):
+@rest.routes.delete('/tag-category/(?P<category_name>[^/]+)/?')
+def delete_tag_category(
+        ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
     category = tag_categories.get_category_by_name(
         params['category_name'], lock=True)
     versions.verify_version(category, ctx)
@@ -68,12 +73,12 @@ def delete_tag_category(ctx, params):
     tag_categories.delete_category(category)
     snapshots.delete(category, ctx.user)
     ctx.session.commit()
-    tags.export_to_json()
     return {}
 
 
-@routes.put('/tag-category/(?P<category_name>[^/]+)/default/?')
-def set_tag_category_as_default(ctx, params):
+@rest.routes.put('/tag-category/(?P<category_name>[^/]+)/default/?')
+def set_tag_category_as_default(
+        ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
     auth.verify_privilege(ctx.user, 'tag_categories:set_default')
     category = tag_categories.get_category_by_name(
         params['category_name'], lock=True)
@@ -81,5 +86,4 @@ def set_tag_category_as_default(ctx, params):
     ctx.session.flush()
     snapshots.modify(category, ctx.user)
     ctx.session.commit()
-    tags.export_to_json()
     return _serialize(ctx, category)
diff --git a/server/szurubooru/api/upload_api.py b/server/szurubooru/api/upload_api.py
index eaf2880b..6a6ecfef 100644
--- a/server/szurubooru/api/upload_api.py
+++ b/server/szurubooru/api/upload_api.py
@@ -1,10 +1,12 @@
-from szurubooru.rest import routes
+from typing import Dict
+from szurubooru import rest
 from szurubooru.func import auth, file_uploads
 
 
-@routes.post('/uploads/?')
-def create_temporary_file(ctx, _params=None):
+@rest.routes.post('/uploads/?')
+def create_temporary_file(
+        ctx: rest.Context, _params: Dict[str, str] = {}) -> rest.Response:
     auth.verify_privilege(ctx.user, 'uploads:create')
-    content = ctx.get_file('content', required=True, allow_tokens=False)
+    content = ctx.get_file('content', allow_tokens=False)
     token = file_uploads.save(content)
     return {'token': token}
diff --git a/server/szurubooru/api/user_api.py b/server/szurubooru/api/user_api.py
index 187e4686..5e14fabe 100644
--- a/server/szurubooru/api/user_api.py
+++ b/server/szurubooru/api/user_api.py
@@ -1,56 +1,63 @@
-from szurubooru import search
-from szurubooru.rest import routes
-from szurubooru.func import auth, users, util, versions
+from typing import Any, Dict
+from szurubooru import model, search, rest
+from szurubooru.func import auth, users, serialization, versions
 
 
 _search_executor = search.Executor(search.configs.UserSearchConfig())
 
 
-def _serialize(ctx, user, **kwargs):
+def _serialize(
+        ctx: rest.Context, user: model.User, **kwargs: Any) -> rest.Response:
     return users.serialize_user(
         user,
         ctx.user,
-        options=util.get_serialization_options(ctx),
+        options=serialization.get_serialization_options(ctx),
         **kwargs)
 
 
-@routes.get('/users/?')
-def get_users(ctx, _params=None):
+@rest.routes.get('/users/?')
+def get_users(
+        ctx: rest.Context, _params: Dict[str, str] = {}) -> rest.Response:
     auth.verify_privilege(ctx.user, 'users:list')
     return _search_executor.execute_and_serialize(
         ctx, lambda user: _serialize(ctx, user))
 
 
-@routes.post('/users/?')
-def create_user(ctx, _params=None):
-    auth.verify_privilege(ctx.user, 'users:create')
-    name = ctx.get_param_as_string('name', required=True)
-    password = ctx.get_param_as_string('password', required=True)
-    email = ctx.get_param_as_string('email', required=False, default='')
+@rest.routes.post('/users/?')
+def create_user(
+        ctx: rest.Context, _params: Dict[str, str] = {}) -> rest.Response:
+    if ctx.user.user_id is None:
+        auth.verify_privilege(ctx.user, 'users:create:self')
+    else:
+        auth.verify_privilege(ctx.user, 'users:create:any')
+
+    name = ctx.get_param_as_string('name')
+    password = ctx.get_param_as_string('password')
+    email = ctx.get_param_as_string('email', default='')
     user = users.create_user(name, password, email)
     if ctx.has_param('rank'):
-        users.update_user_rank(
-            user, ctx.get_param_as_string('rank'), ctx.user)
+        users.update_user_rank(user, ctx.get_param_as_string('rank'), ctx.user)
     if ctx.has_param('avatarStyle'):
         users.update_user_avatar(
             user,
             ctx.get_param_as_string('avatarStyle'),
-            ctx.get_file('avatar'))
+            ctx.get_file('avatar', default=b''))
     ctx.session.add(user)
     ctx.session.commit()
+
     return _serialize(ctx, user, force_show_email=True)
 
 
-@routes.get('/user/(?P<user_name>[^/]+)/?')
-def get_user(ctx, params):
+@rest.routes.get('/user/(?P<user_name>[^/]+)/?')
+def get_user(ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
     user = users.get_user_by_name(params['user_name'])
     if ctx.user.user_id != user.user_id:
         auth.verify_privilege(ctx.user, 'users:view')
     return _serialize(ctx, user)
 
 
-@routes.put('/user/(?P<user_name>[^/]+)/?')
-def update_user(ctx, params):
+@rest.routes.put('/user/(?P<user_name>[^/]+)/?')
+def update_user(ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
     user = users.get_user_by_name(params['user_name'])
     versions.verify_version(user, ctx)
     versions.bump_version(user)
@@ -74,13 +81,13 @@ def update_user(ctx, params):
         users.update_user_avatar(
             user,
             ctx.get_param_as_string('avatarStyle'),
-            ctx.get_file('avatar'))
+            ctx.get_file('avatar', default=b''))
     ctx.session.commit()
     return _serialize(ctx, user)
 
 
-@routes.delete('/user/(?P<user_name>[^/]+)/?')
-def delete_user(ctx, params):
+@rest.routes.delete('/user/(?P<user_name>[^/]+)/?')
+def delete_user(ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
     user = users.get_user_by_name(params['user_name'])
     versions.verify_version(user, ctx)
     infix = 'self' if ctx.user.user_id == user.user_id else 'any'
diff --git a/server/szurubooru/api/user_token_api.py b/server/szurubooru/api/user_token_api.py
new file mode 100644
index 00000000..77398239
--- /dev/null
+++ b/server/szurubooru/api/user_token_api.py
@@ -0,0 +1,83 @@
+from typing import Dict
+from szurubooru import model, rest
+from szurubooru.func import auth, users, user_tokens, serialization, versions
+
+
+def _serialize(
+        ctx: rest.Context, user_token: model.UserToken) -> rest.Response:
+    return user_tokens.serialize_user_token(
+        user_token,
+        ctx.user,
+        options=serialization.get_serialization_options(ctx))
+
+
+@rest.routes.get('/user-tokens/(?P<user_name>[^/]+)/?')
+def get_user_tokens(
+        ctx: rest.Context, params: Dict[str, str] = {}) -> rest.Response:
+    user = users.get_user_by_name(params['user_name'])
+    infix = 'self' if ctx.user.user_id == user.user_id else 'any'
+    auth.verify_privilege(ctx.user, 'user_tokens:list:%s' % infix)
+    user_token_list = user_tokens.get_user_tokens(user)
+    return {
+        'results': [_serialize(ctx, token) for token in user_token_list]
+    }
+
+
+@rest.routes.post('/user-token/(?P<user_name>[^/]+)/?')
+def create_user_token(
+        ctx: rest.Context, params: Dict[str, str] = {}) -> rest.Response:
+    user = users.get_user_by_name(params['user_name'])
+    infix = 'self' if ctx.user.user_id == user.user_id else 'any'
+    auth.verify_privilege(ctx.user, 'user_tokens:create:%s' % infix)
+    enabled = ctx.get_param_as_bool('enabled', True)
+    user_token = user_tokens.create_user_token(user, enabled)
+    if ctx.has_param('note'):
+        note = ctx.get_param_as_string('note')
+        user_tokens.update_user_token_note(user_token, note)
+    if ctx.has_param('expirationTime'):
+        expiration_time = ctx.get_param_as_string('expirationTime')
+        user_tokens.update_user_token_expiration_time(
+            user_token, expiration_time)
+    ctx.session.add(user_token)
+    ctx.session.commit()
+    return _serialize(ctx, user_token)
+
+
+@rest.routes.put('/user-token/(?P<user_name>[^/]+)/(?P<user_token>[^/]+)/?')
+def update_user_token(
+        ctx: rest.Context, params: Dict[str, str] = {}) -> rest.Response:
+    user = users.get_user_by_name(params['user_name'])
+    infix = 'self' if ctx.user.user_id == user.user_id else 'any'
+    auth.verify_privilege(ctx.user, 'user_tokens:edit:%s' % infix)
+    user_token = user_tokens.get_by_user_and_token(user, params['user_token'])
+    versions.verify_version(user_token, ctx)
+    versions.bump_version(user_token)
+    if ctx.has_param('enabled'):
+        auth.verify_privilege(ctx.user, 'user_tokens:edit:%s' % infix)
+        user_tokens.update_user_token_enabled(
+            user_token, ctx.get_param_as_bool('enabled'))
+    if ctx.has_param('note'):
+        auth.verify_privilege(ctx.user, 'user_tokens:edit:%s' % infix)
+        note = ctx.get_param_as_string('note')
+        user_tokens.update_user_token_note(user_token, note)
+    if ctx.has_param('expirationTime'):
+        auth.verify_privilege(ctx.user, 'user_tokens:edit:%s' % infix)
+        expiration_time = ctx.get_param_as_string('expirationTime')
+        user_tokens.update_user_token_expiration_time(
+            user_token, expiration_time)
+    user_tokens.update_user_token_edit_time(user_token)
+    ctx.session.commit()
+    return _serialize(ctx, user_token)
+
+
+@rest.routes.delete('/user-token/(?P<user_name>[^/]+)/(?P<user_token>[^/]+)/?')
+def delete_user_token(
+        ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
+    user = users.get_user_by_name(params['user_name'])
+    infix = 'self' if ctx.user.user_id == user.user_id else 'any'
+    auth.verify_privilege(ctx.user, 'user_tokens:delete:%s' % infix)
+    user_token = user_tokens.get_by_user_and_token(user, params['user_token'])
+    if user_token is not None:
+        ctx.session.delete(user_token)
+        ctx.session.commit()
+    return {}
diff --git a/server/szurubooru/config.py b/server/szurubooru/config.py
index e5693117..f79937bf 100644
--- a/server/szurubooru/config.py
+++ b/server/szurubooru/config.py
@@ -1,8 +1,10 @@
+from typing import Dict
 import os
 import yaml
+from szurubooru import errors
 
 
-def merge(left, right):
+def merge(left: Dict, right: Dict) -> Dict:
     for key in right:
         if key in left:
             if isinstance(left[key], dict) and isinstance(right[key], dict):
@@ -14,12 +16,44 @@ def merge(left, right):
     return left
 
 
-def read_config():
+def docker_config() -> Dict:
+    for key in [
+            'POSTGRES_USER',
+            'POSTGRES_PASSWORD',
+            'POSTGRES_HOST',
+            'ESEARCH_HOST'
+    ]:
+        if not os.getenv(key, False):
+            raise errors.ConfigError(f'Environment variable "{key}" not set')
+    return {
+        'debug': True,
+        'show_sql': int(os.getenv('LOG_SQL', 0)),
+        'data_url': os.getenv('DATA_URL', '/data/'),
+        'data_dir': '/data/',
+        'database': 'postgres://%(user)s:%(pass)s@%(host)s:%(port)d/%(db)s' % {
+            'user': os.getenv('POSTGRES_USER'),
+            'pass': os.getenv('POSTGRES_PASSWORD'),
+            'host': os.getenv('POSTGRES_HOST'),
+            'port': int(os.getenv('POSTGRES_PORT', 5432)),
+            'db': os.getenv('POSTGRES_DB', os.getenv('POSTGRES_USER'))
+        },
+        'elasticsearch': {
+            'host': os.getenv('ESEARCH_HOST'),
+            'port': int(os.getenv('ESEARCH_PORT', 9200)),
+            'index': os.getenv('ESEARCH_INDEX', 'szurubooru')
+        }
+    }
+
+
+def read_config() -> Dict:
     with open('../config.yaml.dist') as handle:
         ret = yaml.load(handle.read())
         if os.path.exists('../config.yaml'):
             with open('../config.yaml') as handle:
                 ret = merge(ret, yaml.load(handle.read()))
+        elif os.path.exists('/.dockerenv') and os.getenv('CI') != 'true':
+            ret = merge(ret, docker_config())
+
         return ret
 
 
diff --git a/server/szurubooru/db.py b/server/szurubooru/db.py
new file mode 100644
index 00000000..f90bfaf9
--- /dev/null
+++ b/server/szurubooru/db.py
@@ -0,0 +1,36 @@
+from typing import Any
+import threading
+import sqlalchemy as sa
+import sqlalchemy.orm
+from szurubooru import config
+
+# pylint: disable=invalid-name
+_data = threading.local()
+_engine = sa.create_engine(config.config['database'])  # type: Any
+sessionmaker = sa.orm.sessionmaker(bind=_engine, autoflush=False)  # type: Any
+session = sa.orm.scoped_session(sessionmaker)  # type: Any
+
+
+def get_session() -> Any:
+    global session
+    return session
+
+
+def set_sesssion(new_session: Any) -> None:
+    global session
+    session = new_session
+
+
+def reset_query_count() -> None:
+    _data.query_count = 0
+
+
+def get_query_count() -> int:
+    return _data.query_count
+
+
+def _bump_query_count() -> None:
+    _data.query_count = getattr(_data, 'query_count', 0) + 1
+
+
+sa.event.listen(_engine, 'after_execute', lambda *args: _bump_query_count())
diff --git a/server/szurubooru/db/__init__.py b/server/szurubooru/db/__init__.py
deleted file mode 100644
index 3eb18833..00000000
--- a/server/szurubooru/db/__init__.py
+++ /dev/null
@@ -1,17 +0,0 @@
-from szurubooru.db.base import Base
-from szurubooru.db.user import User
-from szurubooru.db.tag_category import TagCategory
-from szurubooru.db.tag import (Tag, TagName, TagSuggestion, TagImplication)
-from szurubooru.db.post import (
-    Post,
-    PostTag,
-    PostRelation,
-    PostFavorite,
-    PostScore,
-    PostNote,
-    PostFeature)
-from szurubooru.db.comment import (Comment, CommentScore)
-from szurubooru.db.snapshot import Snapshot
-from szurubooru.db.session import (
-    session, sessionmaker, reset_query_count, get_query_count)
-import szurubooru.db.util
diff --git a/server/szurubooru/db/comment.py b/server/szurubooru/db/comment.py
deleted file mode 100644
index bf325859..00000000
--- a/server/szurubooru/db/comment.py
+++ /dev/null
@@ -1,61 +0,0 @@
-from sqlalchemy import Column, Integer, DateTime, UnicodeText, ForeignKey
-from sqlalchemy.orm import relationship, backref
-from sqlalchemy.sql.expression import func
-from szurubooru.db.base import Base
-
-
-class CommentScore(Base):
-    __tablename__ = 'comment_score'
-
-    comment_id = Column(
-        'comment_id',
-        Integer,
-        ForeignKey('comment.id'),
-        nullable=False,
-        primary_key=True)
-    user_id = Column(
-        'user_id',
-        Integer,
-        ForeignKey('user.id'),
-        nullable=False,
-        primary_key=True,
-        index=True)
-    time = Column('time', DateTime, nullable=False)
-    score = Column('score', Integer, nullable=False)
-
-    comment = relationship('Comment')
-    user = relationship(
-        'User',
-        backref=backref('comment_scores', cascade='all, delete-orphan'))
-
-
-class Comment(Base):
-    __tablename__ = 'comment'
-
-    comment_id = Column('id', Integer, primary_key=True)
-    post_id = Column(
-        'post_id', Integer, ForeignKey('post.id'), nullable=False, index=True)
-    user_id = Column(
-        'user_id', Integer, ForeignKey('user.id'), nullable=True, index=True)
-    version = Column('version', Integer, default=1, nullable=False)
-    creation_time = Column('creation_time', DateTime, nullable=False)
-    last_edit_time = Column('last_edit_time', DateTime)
-    text = Column('text', UnicodeText, default=None)
-
-    user = relationship('User')
-    post = relationship('Post')
-    scores = relationship(
-        'CommentScore', cascade='all, delete-orphan', lazy='joined')
-
-    @property
-    def score(self):
-        from szurubooru.db import session
-        return session \
-            .query(func.sum(CommentScore.score)) \
-            .filter(CommentScore.comment_id == self.comment_id) \
-            .one()[0] or 0
-
-    __mapper_args__ = {
-        'version_id_col': version,
-        'version_id_generator': False,
-    }
diff --git a/server/szurubooru/db/post.py b/server/szurubooru/db/post.py
deleted file mode 100644
index 8be7e8b5..00000000
--- a/server/szurubooru/db/post.py
+++ /dev/null
@@ -1,262 +0,0 @@
-from sqlalchemy.sql.expression import func, select
-from sqlalchemy import (
-    Column, Integer, DateTime, Unicode, UnicodeText, PickleType, ForeignKey)
-from sqlalchemy.orm import (
-    relationship, column_property, object_session, backref)
-from szurubooru.db.base import Base
-from szurubooru.db.comment import Comment
-
-
-class PostFeature(Base):
-    __tablename__ = 'post_feature'
-
-    post_feature_id = Column('id', Integer, primary_key=True)
-    post_id = Column(
-        'post_id', Integer, ForeignKey('post.id'), nullable=False, index=True)
-    user_id = Column(
-        'user_id', Integer, ForeignKey('user.id'), nullable=False, index=True)
-    time = Column('time', DateTime, nullable=False)
-
-    post = relationship('Post')
-    user = relationship(
-        'User',
-        backref=backref('post_features', cascade='all, delete-orphan'))
-
-
-class PostScore(Base):
-    __tablename__ = 'post_score'
-
-    post_id = Column(
-        'post_id',
-        Integer,
-        ForeignKey('post.id'),
-        primary_key=True,
-        nullable=False,
-        index=True)
-    user_id = Column(
-        'user_id',
-        Integer,
-        ForeignKey('user.id'),
-        primary_key=True,
-        nullable=False,
-        index=True)
-    time = Column('time', DateTime, nullable=False)
-    score = Column('score', Integer, nullable=False)
-
-    post = relationship('Post')
-    user = relationship(
-        'User',
-        backref=backref('post_scores', cascade='all, delete-orphan'))
-
-
-class PostFavorite(Base):
-    __tablename__ = 'post_favorite'
-
-    post_id = Column(
-        'post_id',
-        Integer,
-        ForeignKey('post.id'),
-        primary_key=True,
-        nullable=False,
-        index=True)
-    user_id = Column(
-        'user_id',
-        Integer,
-        ForeignKey('user.id'),
-        primary_key=True,
-        nullable=False,
-        index=True)
-    time = Column('time', DateTime, nullable=False)
-
-    post = relationship('Post')
-    user = relationship(
-        'User',
-        backref=backref('post_favorites', cascade='all, delete-orphan'))
-
-
-class PostNote(Base):
-    __tablename__ = 'post_note'
-
-    post_note_id = Column('id', Integer, primary_key=True)
-    post_id = Column(
-        'post_id', Integer, ForeignKey('post.id'), nullable=False, index=True)
-    polygon = Column('polygon', PickleType, nullable=False)
-    text = Column('text', UnicodeText, nullable=False)
-
-    post = relationship('Post')
-
-
-class PostRelation(Base):
-    __tablename__ = 'post_relation'
-
-    parent_id = Column(
-        'parent_id',
-        Integer,
-        ForeignKey('post.id'),
-        primary_key=True,
-        nullable=False,
-        index=True)
-    child_id = Column(
-        'child_id',
-        Integer,
-        ForeignKey('post.id'),
-        primary_key=True,
-        nullable=False,
-        index=True)
-
-    def __init__(self, parent_id, child_id):
-        self.parent_id = parent_id
-        self.child_id = child_id
-
-
-class PostTag(Base):
-    __tablename__ = 'post_tag'
-
-    post_id = Column(
-        'post_id',
-        Integer,
-        ForeignKey('post.id'),
-        primary_key=True,
-        nullable=False,
-        index=True)
-    tag_id = Column(
-        'tag_id',
-        Integer,
-        ForeignKey('tag.id'),
-        primary_key=True,
-        nullable=False,
-        index=True)
-
-    def __init__(self, post_id, tag_id):
-        self.post_id = post_id
-        self.tag_id = tag_id
-
-
-class Post(Base):
-    __tablename__ = 'post'
-
-    SAFETY_SAFE = 'safe'
-    SAFETY_SKETCHY = 'sketchy'
-    SAFETY_UNSAFE = 'unsafe'
-
-    TYPE_IMAGE = 'image'
-    TYPE_ANIMATION = 'animation'
-    TYPE_VIDEO = 'video'
-    TYPE_FLASH = 'flash'
-
-    FLAG_LOOP = 'loop'
-
-    # basic meta
-    post_id = Column('id', Integer, primary_key=True)
-    user_id = Column(
-        'user_id',
-        Integer,
-        ForeignKey('user.id', ondelete='SET NULL'),
-        nullable=True,
-        index=True)
-    version = Column('version', Integer, default=1, nullable=False)
-    creation_time = Column('creation_time', DateTime, nullable=False)
-    last_edit_time = Column('last_edit_time', DateTime)
-    safety = Column('safety', Unicode(32), nullable=False)
-    source = Column('source', Unicode(200))
-    flags = Column('flags', PickleType, default=None)
-
-    # content description
-    type = Column('type', Unicode(32), nullable=False)
-    checksum = Column('checksum', Unicode(64), nullable=False)
-    file_size = Column('file_size', Integer)
-    canvas_width = Column('image_width', Integer)
-    canvas_height = Column('image_height', Integer)
-    mime_type = Column('mime-type', Unicode(32), nullable=False)
-
-    # foreign tables
-    user = relationship('User')
-    tags = relationship('Tag', backref='posts', secondary='post_tag')
-    relations = relationship(
-        'Post',
-        secondary='post_relation',
-        primaryjoin=post_id == PostRelation.parent_id,
-        secondaryjoin=post_id == PostRelation.child_id, lazy='joined',
-        backref='related_by')
-    features = relationship(
-        'PostFeature', cascade='all, delete-orphan', lazy='joined')
-    scores = relationship(
-        'PostScore', cascade='all, delete-orphan', lazy='joined')
-    favorited_by = relationship(
-        'PostFavorite', cascade='all, delete-orphan', lazy='joined')
-    notes = relationship(
-        'PostNote', cascade='all, delete-orphan', lazy='joined')
-    comments = relationship('Comment', cascade='all, delete-orphan')
-
-    # dynamic columns
-    tag_count = column_property(
-        select([func.count(PostTag.tag_id)])
-        .where(PostTag.post_id == post_id)
-        .correlate_except(PostTag))
-
-    canvas_area = column_property(canvas_width * canvas_height)
-
-    @property
-    def is_featured(self):
-        featured_post = object_session(self) \
-            .query(PostFeature) \
-            .order_by(PostFeature.time.desc()) \
-            .first()
-        return featured_post and featured_post.post_id == self.post_id
-
-    score = column_property(
-        select([func.coalesce(func.sum(PostScore.score), 0)])
-        .where(PostScore.post_id == post_id)
-        .correlate_except(PostScore))
-
-    favorite_count = column_property(
-        select([func.count(PostFavorite.post_id)])
-        .where(PostFavorite.post_id == post_id)
-        .correlate_except(PostFavorite))
-
-    last_favorite_time = column_property(
-        select([func.max(PostFavorite.time)])
-        .where(PostFavorite.post_id == post_id)
-        .correlate_except(PostFavorite))
-
-    feature_count = column_property(
-        select([func.count(PostFeature.post_id)])
-        .where(PostFeature.post_id == post_id)
-        .correlate_except(PostFeature))
-
-    last_feature_time = column_property(
-        select([func.max(PostFeature.time)])
-        .where(PostFeature.post_id == post_id)
-        .correlate_except(PostFeature))
-
-    comment_count = column_property(
-        select([func.count(Comment.post_id)])
-        .where(Comment.post_id == post_id)
-        .correlate_except(Comment))
-
-    last_comment_creation_time = column_property(
-        select([func.max(Comment.creation_time)])
-        .where(Comment.post_id == post_id)
-        .correlate_except(Comment))
-
-    last_comment_edit_time = column_property(
-        select([func.max(Comment.last_edit_time)])
-        .where(Comment.post_id == post_id)
-        .correlate_except(Comment))
-
-    note_count = column_property(
-        select([func.count(PostNote.post_id)])
-        .where(PostNote.post_id == post_id)
-        .correlate_except(PostNote))
-
-    relation_count = column_property(
-        select([func.count(PostRelation.child_id)])
-        .where(
-            (PostRelation.parent_id == post_id)
-            | (PostRelation.child_id == post_id))
-        .correlate_except(PostRelation))
-
-    __mapper_args__ = {
-        'version_id_col': version,
-        'version_id_generator': False,
-    }
diff --git a/server/szurubooru/db/session.py b/server/szurubooru/db/session.py
deleted file mode 100644
index fd77b4c2..00000000
--- a/server/szurubooru/db/session.py
+++ /dev/null
@@ -1,27 +0,0 @@
-import threading
-import sqlalchemy
-from szurubooru import config
-
-
-# pylint: disable=invalid-name
-_engine = sqlalchemy.create_engine(config.config['database'])
-sessionmaker = sqlalchemy.orm.sessionmaker(bind=_engine, autoflush=False)
-session = sqlalchemy.orm.scoped_session(sessionmaker)
-
-_data = threading.local()
-
-
-def reset_query_count():
-    _data.query_count = 0
-
-
-def get_query_count():
-    return _data.query_count
-
-
-def _bump_query_count():
-    _data.query_count = getattr(_data, 'query_count', 0) + 1
-
-
-sqlalchemy.event.listen(
-    _engine, 'after_execute', lambda *args: _bump_query_count())
diff --git a/server/szurubooru/db/snapshot.py b/server/szurubooru/db/snapshot.py
deleted file mode 100644
index 4b211f61..00000000
--- a/server/szurubooru/db/snapshot.py
+++ /dev/null
@@ -1,31 +0,0 @@
-from sqlalchemy.orm import relationship
-from sqlalchemy import (
-    Column, Integer, DateTime, Unicode, PickleType, ForeignKey)
-from szurubooru.db.base import Base
-
-
-class Snapshot(Base):
-    __tablename__ = 'snapshot'
-
-    OPERATION_CREATED = 'created'
-    OPERATION_MODIFIED = 'modified'
-    OPERATION_DELETED = 'deleted'
-    OPERATION_MERGED = 'merged'
-
-    snapshot_id = Column('id', Integer, primary_key=True)
-    creation_time = Column('creation_time', DateTime, nullable=False)
-    operation = Column('operation', Unicode(16), nullable=False)
-    resource_type = Column(
-        'resource_type', Unicode(32), nullable=False, index=True)
-    resource_pkey = Column(
-        'resource_pkey', Integer, nullable=False, index=True)
-    resource_name = Column(
-        'resource_name', Unicode(64), nullable=False)
-    user_id = Column(
-        'user_id',
-        Integer,
-        ForeignKey('user.id', ondelete='set null'),
-        nullable=True)
-    data = Column('data', PickleType)
-
-    user = relationship('User')
diff --git a/server/szurubooru/db/tag.py b/server/szurubooru/db/tag.py
deleted file mode 100644
index e0861312..00000000
--- a/server/szurubooru/db/tag.py
+++ /dev/null
@@ -1,131 +0,0 @@
-from sqlalchemy import (
-    Column, Integer, DateTime, Unicode, UnicodeText, ForeignKey)
-from sqlalchemy.orm import relationship, column_property
-from sqlalchemy.sql.expression import func, select
-from szurubooru.db.base import Base
-from szurubooru.db.post import PostTag
-
-
-class TagSuggestion(Base):
-    __tablename__ = 'tag_suggestion'
-
-    parent_id = Column(
-        'parent_id',
-        Integer,
-        ForeignKey('tag.id'),
-        nullable=False,
-        primary_key=True,
-        index=True)
-    child_id = Column(
-        'child_id',
-        Integer,
-        ForeignKey('tag.id'),
-        nullable=False,
-        primary_key=True,
-        index=True)
-
-    def __init__(self, parent_id, child_id):
-        self.parent_id = parent_id
-        self.child_id = child_id
-
-
-class TagImplication(Base):
-    __tablename__ = 'tag_implication'
-
-    parent_id = Column(
-        'parent_id',
-        Integer,
-        ForeignKey('tag.id'),
-        nullable=False,
-        primary_key=True,
-        index=True)
-    child_id = Column(
-        'child_id',
-        Integer,
-        ForeignKey('tag.id'),
-        nullable=False,
-        primary_key=True,
-        index=True)
-
-    def __init__(self, parent_id, child_id):
-        self.parent_id = parent_id
-        self.child_id = child_id
-
-
-class TagName(Base):
-    __tablename__ = 'tag_name'
-
-    tag_name_id = Column('tag_name_id', Integer, primary_key=True)
-    tag_id = Column(
-        'tag_id', Integer, ForeignKey('tag.id'), nullable=False, index=True)
-    name = Column('name', Unicode(64), nullable=False, unique=True)
-    order = Column('ord', Integer, nullable=False, index=True)
-
-    def __init__(self, name, order):
-        self.name = name
-        self.order = order
-
-
-class Tag(Base):
-    __tablename__ = 'tag'
-
-    tag_id = Column('id', Integer, primary_key=True)
-    category_id = Column(
-        'category_id',
-        Integer,
-        ForeignKey('tag_category.id'),
-        nullable=False,
-        index=True)
-    version = Column('version', Integer, default=1, nullable=False)
-    creation_time = Column('creation_time', DateTime, nullable=False)
-    last_edit_time = Column('last_edit_time', DateTime)
-    description = Column('description', UnicodeText, default=None)
-
-    category = relationship('TagCategory', lazy='joined')
-    names = relationship(
-        'TagName',
-        cascade='all,delete-orphan',
-        lazy='joined',
-        order_by='TagName.order')
-    suggestions = relationship(
-        'Tag',
-        secondary='tag_suggestion',
-        primaryjoin=tag_id == TagSuggestion.parent_id,
-        secondaryjoin=tag_id == TagSuggestion.child_id,
-        lazy='joined')
-    implications = relationship(
-        'Tag',
-        secondary='tag_implication',
-        primaryjoin=tag_id == TagImplication.parent_id,
-        secondaryjoin=tag_id == TagImplication.child_id,
-        lazy='joined')
-
-    post_count = column_property(
-        select([func.count(PostTag.post_id)])
-        .where(PostTag.tag_id == tag_id)
-        .correlate_except(PostTag))
-
-    first_name = column_property(
-        select([TagName.name])
-            .where(TagName.tag_id == tag_id)
-            .order_by(TagName.order)
-            .limit(1)
-            .as_scalar(),
-        deferred=True)
-
-    suggestion_count = column_property(
-        select([func.count(TagSuggestion.child_id)])
-            .where(TagSuggestion.parent_id == tag_id)
-            .as_scalar(),
-        deferred=True)
-
-    implication_count = column_property(
-        select([func.count(TagImplication.child_id)])
-            .where(TagImplication.parent_id == tag_id)
-            .as_scalar(),
-        deferred=True)
-
-    __mapper_args__ = {
-        'version_id_col': version,
-        'version_id_generator': False,
-    }
diff --git a/server/szurubooru/db/tag_category.py b/server/szurubooru/db/tag_category.py
deleted file mode 100644
index 907910ba..00000000
--- a/server/szurubooru/db/tag_category.py
+++ /dev/null
@@ -1,28 +0,0 @@
-from sqlalchemy import Column, Integer, Unicode, Boolean, table
-from sqlalchemy.orm import column_property
-from sqlalchemy.sql.expression import func, select
-from szurubooru.db.base import Base
-from szurubooru.db.tag import Tag
-
-
-class TagCategory(Base):
-    __tablename__ = 'tag_category'
-
-    tag_category_id = Column('id', Integer, primary_key=True)
-    version = Column('version', Integer, default=1, nullable=False)
-    name = Column('name', Unicode(32), nullable=False)
-    color = Column('color', Unicode(32), nullable=False, default='#000000')
-    default = Column('default', Boolean, nullable=False, default=False)
-
-    def __init__(self, name=None):
-        self.name = name
-
-    tag_count = column_property(
-        select([func.count('Tag.tag_id')])
-        .where(Tag.category_id == tag_category_id)
-        .correlate_except(table('Tag')))
-
-    __mapper_args__ = {
-        'version_id_col': version,
-        'version_id_generator': False,
-    }
diff --git a/server/szurubooru/db/user.py b/server/szurubooru/db/user.py
deleted file mode 100644
index 082adcff..00000000
--- a/server/szurubooru/db/user.py
+++ /dev/null
@@ -1,82 +0,0 @@
-from sqlalchemy import Column, Integer, Unicode, DateTime
-from sqlalchemy.orm import relationship
-from sqlalchemy.sql.expression import func
-from szurubooru.db.base import Base
-from szurubooru.db.post import Post, PostScore, PostFavorite
-from szurubooru.db.comment import Comment
-
-
-class User(Base):
-    __tablename__ = 'user'
-
-    AVATAR_GRAVATAR = 'gravatar'
-    AVATAR_MANUAL = 'manual'
-
-    RANK_ANONYMOUS = 'anonymous'
-    RANK_RESTRICTED = 'restricted'
-    RANK_REGULAR = 'regular'
-    RANK_POWER = 'power'
-    RANK_MODERATOR = 'moderator'
-    RANK_ADMINISTRATOR = 'administrator'
-    RANK_NOBODY = 'nobody'  # unattainable, used for privileges
-
-    user_id = Column('id', Integer, primary_key=True)
-    creation_time = Column('creation_time', DateTime, nullable=False)
-    last_login_time = Column('last_login_time', DateTime)
-    version = Column('version', Integer, default=1, nullable=False)
-    name = Column('name', Unicode(50), nullable=False, unique=True)
-    password_hash = Column('password_hash', Unicode(64), nullable=False)
-    password_salt = Column('password_salt', Unicode(32))
-    email = Column('email', Unicode(64), nullable=True)
-    rank = Column('rank', Unicode(32), nullable=False)
-    avatar_style = Column(
-        'avatar_style', Unicode(32), nullable=False, default=AVATAR_GRAVATAR)
-
-    comments = relationship('Comment')
-
-    @property
-    def post_count(self):
-        from szurubooru.db import session
-        return (session
-            .query(func.sum(1))
-            .filter(Post.user_id == self.user_id)
-            .one()[0] or 0)
-
-    @property
-    def comment_count(self):
-        from szurubooru.db import session
-        return (session
-            .query(func.sum(1))
-            .filter(Comment.user_id == self.user_id)
-            .one()[0] or 0)
-
-    @property
-    def favorite_post_count(self):
-        from szurubooru.db import session
-        return (session
-            .query(func.sum(1))
-            .filter(PostFavorite.user_id == self.user_id)
-            .one()[0] or 0)
-
-    @property
-    def liked_post_count(self):
-        from szurubooru.db import session
-        return (session
-            .query(func.sum(1))
-            .filter(PostScore.user_id == self.user_id)
-            .filter(PostScore.score == 1)
-            .one()[0] or 0)
-
-    @property
-    def disliked_post_count(self):
-        from szurubooru.db import session
-        return (session
-            .query(func.sum(1))
-            .filter(PostScore.user_id == self.user_id)
-            .filter(PostScore.score == -1)
-            .one()[0] or 0)
-
-    __mapper_args__ = {
-        'version_id_col': version,
-        'version_id_generator': False,
-    }
diff --git a/server/szurubooru/db/util.py b/server/szurubooru/db/util.py
deleted file mode 100644
index d6edf188..00000000
--- a/server/szurubooru/db/util.py
+++ /dev/null
@@ -1,34 +0,0 @@
-from sqlalchemy.inspection import inspect
-
-
-def get_resource_info(entity):
-    serializers = {
-        'tag': lambda tag: tag.first_name,
-        'tag_category': lambda category: category.name,
-        'comment': lambda comment: comment.comment_id,
-        'post': lambda post: post.post_id,
-    }
-
-    resource_type = entity.__table__.name
-    assert resource_type in serializers
-
-    primary_key = inspect(entity).identity
-    assert primary_key is not None
-    assert len(primary_key) == 1
-
-    resource_name = serializers[resource_type](entity)
-    assert resource_name
-
-    resource_pkey = primary_key[0]
-    assert resource_pkey
-
-    return (resource_type, resource_pkey, resource_name)
-
-
-def get_aux_entity(session, get_table_info, entity, user):
-    table, get_column = get_table_info(entity)
-    return session \
-        .query(table) \
-        .filter(get_column(table) == get_column(entity)) \
-        .filter(table.user_id == user.user_id) \
-        .one_or_none()
diff --git a/server/szurubooru/errors.py b/server/szurubooru/errors.py
index f7edf85d..beeb469c 100644
--- a/server/szurubooru/errors.py
+++ b/server/szurubooru/errors.py
@@ -1,5 +1,11 @@
+from typing import Dict
+
+
 class BaseError(RuntimeError):
-    def __init__(self, message='Unknown error', extra_fields=None):
+    def __init__(
+            self,
+            message: str = 'Unknown error',
+            extra_fields: Dict[str, str] = None) -> None:
         super().__init__(message)
         self.extra_fields = extra_fields
 
@@ -46,3 +52,7 @@ class MissingRequiredParameterError(ValidationError):
 
 class InvalidParameterError(ValidationError):
     pass
+
+
+class ThirdPartyError(BaseError):
+    pass
diff --git a/server/szurubooru/facade.py b/server/szurubooru/facade.py
index e29aae13..90709f97 100644
--- a/server/szurubooru/facade.py
+++ b/server/szurubooru/facade.py
@@ -1,18 +1,22 @@
-''' Exports create_app. '''
-
 import os
 import time
 import logging
 import threading
+from typing import Callable, Any, Type
+
 import coloredlogs
+import sqlalchemy as sa
 import sqlalchemy.orm.exc
-from szurubooru import config, errors, rest
+from szurubooru import config, db, errors, rest
 from szurubooru.func import posts, file_uploads
 # pylint: disable=unused-import
 from szurubooru import api, middleware
 
 
-def _map_error(ex, target_class, title):
+def _map_error(
+        ex: Exception,
+        target_class: Type[rest.errors.BaseHttpError],
+        title: str) -> rest.errors.BaseHttpError:
     return target_class(
         name=type(ex).__name__,
         title=title,
@@ -20,31 +24,38 @@ def _map_error(ex, target_class, title):
         extra_fields=getattr(ex, 'extra_fields', {}))
 
 
-def _on_auth_error(ex):
+def _on_auth_error(ex: Exception) -> None:
     raise _map_error(ex, rest.errors.HttpForbidden, 'Authentication error')
 
 
-def _on_validation_error(ex):
+def _on_validation_error(ex: Exception) -> None:
     raise _map_error(ex, rest.errors.HttpBadRequest, 'Validation error')
 
 
-def _on_search_error(ex):
+def _on_search_error(ex: Exception) -> None:
     raise _map_error(ex, rest.errors.HttpBadRequest, 'Search error')
 
 
-def _on_integrity_error(ex):
+def _on_integrity_error(ex: Exception) -> None:
     raise _map_error(ex, rest.errors.HttpConflict, 'Integrity violation')
 
 
-def _on_not_found_error(ex):
+def _on_not_found_error(ex: Exception) -> None:
     raise _map_error(ex, rest.errors.HttpNotFound, 'Not found')
 
 
-def _on_processing_error(ex):
+def _on_processing_error(ex: Exception) -> None:
     raise _map_error(ex, rest.errors.HttpBadRequest, 'Processing error')
 
 
-def _on_stale_data_error(_ex):
+def _on_third_party_error(ex: Exception) -> None:
+    raise _map_error(
+        ex,
+        rest.errors.HttpInternalServerError,
+        'Server configuration error')
+
+
+def _on_stale_data_error(_ex: Exception) -> None:
     raise rest.errors.HttpConflict(
         name='IntegrityError',
         title='Integrity violation',
@@ -53,7 +64,7 @@ def _on_stale_data_error(_ex):
             'Please try again.'))
 
 
-def validate_config():
+def validate_config() -> None:
     '''
     Check whether config doesn't contain errors that might prove
     lethal at runtime.
@@ -68,7 +79,7 @@ def validate_config():
             'Default rank %r is not on the list of known ranks' % (
                 config.config['default_rank']))
 
-    for key in ['base_url', 'api_url', 'data_url', 'data_dir']:
+    for key in ['data_url', 'data_dir']:
         if not config.config[key]:
             raise errors.ConfigError(
                 'Service is not configured: %r is missing' % key)
@@ -81,7 +92,7 @@ def validate_config():
         raise errors.ConfigError('Database is not configured')
 
 
-def purge_old_uploads():
+def purge_old_uploads() -> None:
     while True:
         try:
             file_uploads.purge_old_uploads()
@@ -90,10 +101,11 @@ def purge_old_uploads():
         time.sleep(60 * 5)
 
 
-def create_app():
+def create_app() -> Callable[[Any, Any], Any]:
     ''' Create a WSGI compatible App object. '''
     validate_config()
     coloredlogs.install(fmt='[%(asctime)-15s] %(name)s %(message)s')
+    logging.getLogger('elasticsearch').disabled = True
     if config.config['debug']:
         logging.getLogger('szurubooru').setLevel(logging.INFO)
     if config.config['show_sql']:
@@ -102,7 +114,12 @@ def create_app():
     purge_thread = threading.Thread(target=purge_old_uploads)
     purge_thread.daemon = True
     purge_thread.start()
-    posts.populate_reverse_search()
+
+    try:
+        posts.populate_reverse_search()
+        db.session.commit()
+    except errors.ThirdPartyError:
+        pass
 
     rest.errors.handle(errors.AuthError, _on_auth_error)
     rest.errors.handle(errors.ValidationError, _on_validation_error)
@@ -110,6 +127,10 @@ def create_app():
     rest.errors.handle(errors.IntegrityError, _on_integrity_error)
     rest.errors.handle(errors.NotFoundError, _on_not_found_error)
     rest.errors.handle(errors.ProcessingError, _on_processing_error)
-    rest.errors.handle(sqlalchemy.orm.exc.StaleDataError, _on_stale_data_error)
+    rest.errors.handle(errors.ThirdPartyError, _on_third_party_error)
+    rest.errors.handle(sa.orm.exc.StaleDataError, _on_stale_data_error)
 
     return rest.application
+
+
+app = create_app()  # pylint: disable=invalid-name
diff --git a/server/szurubooru/func/auth.py b/server/szurubooru/func/auth.py
index d71c8f9d..65be79ac 100644
--- a/server/szurubooru/func/auth.py
+++ b/server/szurubooru/func/auth.py
@@ -1,40 +1,53 @@
+from typing import Tuple, Optional
 import hashlib
 import random
+import uuid
 from collections import OrderedDict
-from szurubooru import config, db, errors
+from datetime import datetime
+from nacl import pwhash
+from nacl.exceptions import InvalidkeyError
+from szurubooru import config, db, model, errors
 from szurubooru.func import util
 
 
 RANK_MAP = OrderedDict([
-    (db.User.RANK_ANONYMOUS, 'anonymous'),
-    (db.User.RANK_RESTRICTED, 'restricted'),
-    (db.User.RANK_REGULAR, 'regular'),
-    (db.User.RANK_POWER, 'power'),
-    (db.User.RANK_MODERATOR, 'moderator'),
-    (db.User.RANK_ADMINISTRATOR, 'administrator'),
-    (db.User.RANK_NOBODY, 'nobody'),
+    (model.User.RANK_ANONYMOUS, 'anonymous'),
+    (model.User.RANK_RESTRICTED, 'restricted'),
+    (model.User.RANK_REGULAR, 'regular'),
+    (model.User.RANK_POWER, 'power'),
+    (model.User.RANK_MODERATOR, 'moderator'),
+    (model.User.RANK_ADMINISTRATOR, 'administrator'),
+    (model.User.RANK_NOBODY, 'nobody'),
 ])
 
 
-def get_password_hash(salt, password):
-    ''' Retrieve new-style password hash. '''
+def get_password_hash(salt: str, password: str) -> Tuple[str, int]:
+    ''' Retrieve argon2id password hash. '''
+    return pwhash.argon2id.str(
+        (config.config['secret'] + salt + password).encode('utf8')
+    ).decode('utf8'), 3
+
+
+def get_sha256_legacy_password_hash(
+        salt: str, password: str) -> Tuple[str, int]:
+    ''' Retrieve old-style sha256 password hash. '''
     digest = hashlib.sha256()
     digest.update(config.config['secret'].encode('utf8'))
     digest.update(salt.encode('utf8'))
     digest.update(password.encode('utf8'))
-    return digest.hexdigest()
+    return digest.hexdigest(), 2
 
 
-def get_legacy_password_hash(salt, password):
-    ''' Retrieve old-style password hash. '''
+def get_sha1_legacy_password_hash(salt: str, password: str) -> Tuple[str, int]:
+    ''' Retrieve old-style sha1 password hash. '''
     digest = hashlib.sha1()
     digest.update(b'1A2/$_4xVa')
     digest.update(salt.encode('utf8'))
     digest.update(password.encode('utf8'))
-    return digest.hexdigest()
+    return digest.hexdigest(), 1
 
 
-def create_password():
+def create_password() -> str:
     alphabet = {
         'c': list('bcdfghijklmnpqrstvwxyz'),
         'v': list('aeiou'),
@@ -44,17 +57,46 @@ def create_password():
     return ''.join(random.choice(alphabet[l]) for l in list(pattern))
 
 
-def is_valid_password(user, password):
+def is_valid_password(user: model.User, password: str) -> bool:
     assert user
     salt, valid_hash = user.password_salt, user.password_hash
-    possible_hashes = [
-        get_password_hash(salt, password),
-        get_legacy_password_hash(salt, password)
-    ]
-    return valid_hash in possible_hashes
+
+    try:
+        return pwhash.verify(
+            user.password_hash.encode('utf8'),
+            (config.config['secret'] + salt + password).encode('utf8'))
+    except InvalidkeyError:
+        possible_hashes = [
+            get_sha256_legacy_password_hash(salt, password)[0],
+            get_sha1_legacy_password_hash(salt, password)[0]
+        ]
+        if valid_hash in possible_hashes:
+            # Convert the user password hash to the new hash
+            new_hash, revision = get_password_hash(salt, password)
+            user.password_hash = new_hash
+            user.password_revision = revision
+            db.session.commit()
+            return True
+
+    return False
 
 
-def has_privilege(user, privilege_name):
+def is_valid_token(user_token: Optional[model.UserToken]) -> bool:
+    '''
+    Token must be enabled and if it has an expiration, it must be
+    greater than now.
+    '''
+    if user_token is None:
+        return False
+    if not user_token.enabled:
+        return False
+    if (user_token.expiration_time is not None
+            and user_token.expiration_time < datetime.utcnow()):
+        return False
+    return True
+
+
+def has_privilege(user: model.User, privilege_name: str) -> bool:
     assert user
     all_ranks = list(RANK_MAP.keys())
     assert privilege_name in config.config['privileges']
@@ -65,16 +107,20 @@ def has_privilege(user, privilege_name):
     return user.rank in good_ranks
 
 
-def verify_privilege(user, privilege_name):
+def verify_privilege(user: model.User, privilege_name: str) -> None:
     assert user
     if not has_privilege(user, privilege_name):
         raise errors.AuthError('Insufficient privileges to do this.')
 
 
-def generate_authentication_token(user):
+def generate_authentication_token(user: model.User) -> str:
     ''' Generate nonguessable challenge (e.g. links in password reminder). '''
     assert user
     digest = hashlib.md5()
     digest.update(config.config['secret'].encode('utf8'))
     digest.update(user.password_salt.encode('utf8'))
     return digest.hexdigest()
+
+
+def generate_authorization_token() -> str:
+    return uuid.uuid4().__str__()
diff --git a/server/szurubooru/func/cache.py b/server/szurubooru/func/cache.py
index 4b775548..01e46592 100644
--- a/server/szurubooru/func/cache.py
+++ b/server/szurubooru/func/cache.py
@@ -1,29 +1,29 @@
+from typing import Any, List, Dict
 from datetime import datetime
 
 
 class LruCacheItem:
-    def __init__(self, key, value):
+    def __init__(self, key: object, value: Any) -> None:
         self.key = key
         self.value = value
         self.timestamp = datetime.utcnow()
 
 
 class LruCache:
-    def __init__(self, length, delta=None):
+    def __init__(self, length: int) -> None:
         self.length = length
-        self.delta = delta
-        self.hash = {}
-        self.item_list = []
+        self.hash = {}  # type: Dict[object, LruCacheItem]
+        self.item_list = []  # type: List[LruCacheItem]
 
-    def insert_item(self, item):
+    def insert_item(self, item: LruCacheItem) -> None:
         if item.key in self.hash:
             item_index = next(
                 i
                 for i, v in enumerate(self.item_list)
                 if v.key == item.key)
-            self.item_list[:] \
-                = self.item_list[:item_index] \
-                + self.item_list[item_index + 1:]
+            self.item_list[:] = (
+                self.item_list[:item_index] +
+                self.item_list[item_index + 1:])
             self.item_list.insert(0, item)
         else:
             if len(self.item_list) > self.length:
@@ -31,11 +31,11 @@ class LruCache:
             self.hash[item.key] = item
             self.item_list.insert(0, item)
 
-    def remove_all(self):
+    def remove_all(self) -> None:
         self.hash = {}
         self.item_list = []
 
-    def remove_item(self, item):
+    def remove_item(self, item: LruCacheItem) -> None:
         del self.hash[item.key]
         del self.item_list[self.item_list.index(item)]
 
@@ -43,22 +43,22 @@ class LruCache:
 _CACHE = LruCache(length=100)
 
 
-def purge():
+def purge() -> None:
     _CACHE.remove_all()
 
 
-def has(key):
+def has(key: object) -> bool:
     return key in _CACHE.hash
 
 
-def get(key):
+def get(key: object) -> Any:
     return _CACHE.hash[key].value
 
 
-def remove(key):
+def remove(key: object) -> None:
     if has(key):
         del _CACHE.hash[key]
 
 
-def put(key, value):
+def put(key: object, value: Any) -> None:
     _CACHE.insert_item(LruCacheItem(key, value))
diff --git a/server/szurubooru/func/comments.py b/server/szurubooru/func/comments.py
index 6b7def85..9f882831 100644
--- a/server/szurubooru/func/comments.py
+++ b/server/szurubooru/func/comments.py
@@ -1,6 +1,7 @@
-import datetime
-from szurubooru import db, errors
-from szurubooru.func import users, scores, util
+from datetime import datetime
+from typing import Any, Optional, List, Dict, Callable
+from szurubooru import db, model, errors, rest
+from szurubooru.func import users, scores, serialization
 
 
 class InvalidCommentIdError(errors.ValidationError):
@@ -15,52 +16,88 @@ class EmptyCommentTextError(errors.ValidationError):
     pass
 
 
-def serialize_comment(comment, auth_user, options=None):
-    return util.serialize_entity(
-        comment,
-        {
-            'id': lambda: comment.comment_id,
-            'user':
-                lambda: users.serialize_micro_user(comment.user, auth_user),
-            'postId': lambda: comment.post.post_id,
-            'version': lambda: comment.version,
-            'text': lambda: comment.text,
-            'creationTime': lambda: comment.creation_time,
-            'lastEditTime': lambda: comment.last_edit_time,
-            'score': lambda: comment.score,
-            'ownScore': lambda: scores.get_score(comment, auth_user),
-        },
-        options)
+class CommentSerializer(serialization.BaseSerializer):
+    def __init__(self, comment: model.Comment, auth_user: model.User) -> None:
+        self.comment = comment
+        self.auth_user = auth_user
+
+    def _serializers(self) -> Dict[str, Callable[[], Any]]:
+        return {
+            'id': self.serialize_id,
+            'user': self.serialize_user,
+            'postId': self.serialize_post_id,
+            'version': self.serialize_version,
+            'text': self.serialize_text,
+            'creationTime': self.serialize_creation_time,
+            'lastEditTime': self.serialize_last_edit_time,
+            'score': self.serialize_score,
+            'ownScore': self.serialize_own_score,
+        }
+
+    def serialize_id(self) -> Any:
+        return self.comment.comment_id
+
+    def serialize_user(self) -> Any:
+        return users.serialize_micro_user(self.comment.user, self.auth_user)
+
+    def serialize_post_id(self) -> Any:
+        return self.comment.post.post_id
+
+    def serialize_version(self) -> Any:
+        return self.comment.version
+
+    def serialize_text(self) -> Any:
+        return self.comment.text
+
+    def serialize_creation_time(self) -> Any:
+        return self.comment.creation_time
+
+    def serialize_last_edit_time(self) -> Any:
+        return self.comment.last_edit_time
+
+    def serialize_score(self) -> Any:
+        return self.comment.score
+
+    def serialize_own_score(self) -> Any:
+        return scores.get_score(self.comment, self.auth_user)
 
 
-def try_get_comment_by_id(comment_id):
-    try:
-        comment_id = int(comment_id)
-    except ValueError:
-        raise InvalidCommentIdError('Invalid comment ID: %r.' % comment_id)
-    return db.session \
-        .query(db.Comment) \
-        .filter(db.Comment.comment_id == comment_id) \
-        .one_or_none()
+def serialize_comment(
+        comment: model.Comment,
+        auth_user: model.User,
+        options: List[str] = []) -> rest.Response:
+    if comment is None:
+        return None
+    return CommentSerializer(comment, auth_user).serialize(options)
 
 
-def get_comment_by_id(comment_id):
+def try_get_comment_by_id(comment_id: int) -> Optional[model.Comment]:
+    comment_id = int(comment_id)
+    return (
+        db.session
+        .query(model.Comment)
+        .filter(model.Comment.comment_id == comment_id)
+        .one_or_none())
+
+
+def get_comment_by_id(comment_id: int) -> model.Comment:
     comment = try_get_comment_by_id(comment_id)
     if comment:
         return comment
     raise CommentNotFoundError('Comment %r not found.' % comment_id)
 
 
-def create_comment(user, post, text):
-    comment = db.Comment()
+def create_comment(
+        user: model.User, post: model.Post, text: str) -> model.Comment:
+    comment = model.Comment()
     comment.user = user
     comment.post = post
     update_comment_text(comment, text)
-    comment.creation_time = datetime.datetime.utcnow()
+    comment.creation_time = datetime.utcnow()
     return comment
 
 
-def update_comment_text(comment, text):
+def update_comment_text(comment: model.Comment, text: str) -> None:
     assert comment
     if not text:
         raise EmptyCommentTextError('Comment text cannot be empty.')
diff --git a/server/szurubooru/func/diff.py b/server/szurubooru/func/diff.py
index 0950f0f0..90014f7e 100644
--- a/server/szurubooru/func/diff.py
+++ b/server/szurubooru/func/diff.py
@@ -1,21 +1,26 @@
-def get_list_diff(old, new):
-    value = {'type': 'list change', 'added': [], 'removed': []}
+from typing import List, Dict, Any
+
+
+def get_list_diff(old: List[Any], new: List[Any]) -> Any:
     equal = True
+    removed = []  # type: List[Any]
+    added = []  # type: List[Any]
 
     for item in old:
         if item not in new:
             equal = False
-            value['removed'].append(item)
+            removed.append(item)
 
     for item in new:
         if item not in old:
             equal = False
-            value['added'].append(item)
+            added.append(item)
 
-    return None if equal else value
+    return None if equal else {
+        'type': 'list change', 'added': added, 'removed': removed}
 
 
-def get_dict_diff(old, new):
+def get_dict_diff(old: Dict[str, Any], new: Dict[str, Any]) -> Any:
     value = {}
     equal = True
 
diff --git a/server/szurubooru/func/favorites.py b/server/szurubooru/func/favorites.py
index 00952de7..f567bfad 100644
--- a/server/szurubooru/func/favorites.py
+++ b/server/szurubooru/func/favorites.py
@@ -1,32 +1,34 @@
-import datetime
-from szurubooru import db, errors
+from typing import Any, Optional, Callable, Tuple
+from datetime import datetime
+from szurubooru import db, model, errors
 
 
 class InvalidFavoriteTargetError(errors.ValidationError):
     pass
 
 
-def _get_table_info(entity):
+def _get_table_info(
+        entity: model.Base) -> Tuple[model.Base, Callable[[model.Base], Any]]:
     assert entity
-    resource_type, _, _ = db.util.get_resource_info(entity)
+    resource_type, _, _ = model.util.get_resource_info(entity)
     if resource_type == 'post':
-        return db.PostFavorite, lambda table: table.post_id
+        return model.PostFavorite, lambda table: table.post_id
     raise InvalidFavoriteTargetError()
 
 
-def _get_fav_entity(entity, user):
+def _get_fav_entity(entity: model.Base, user: model.User) -> model.Base:
     assert entity
     assert user
-    return db.util.get_aux_entity(db.session, _get_table_info, entity, user)
+    return model.util.get_aux_entity(db.session, _get_table_info, entity, user)
 
 
-def has_favorited(entity, user):
+def has_favorited(entity: model.Base, user: model.User) -> bool:
     assert entity
     assert user
     return _get_fav_entity(entity, user) is not None
 
 
-def unset_favorite(entity, user):
+def unset_favorite(entity: model.Base, user: Optional[model.User]) -> None:
     assert entity
     assert user
     fav_entity = _get_fav_entity(entity, user)
@@ -34,7 +36,7 @@ def unset_favorite(entity, user):
         db.session.delete(fav_entity)
 
 
-def set_favorite(entity, user):
+def set_favorite(entity: model.Base, user: Optional[model.User]) -> None:
     from szurubooru.func import scores
     assert entity
     assert user
@@ -48,5 +50,5 @@ def set_favorite(entity, user):
         fav_entity = table()
         setattr(fav_entity, get_column(table).name, get_column(entity))
         fav_entity.user = user
-        fav_entity.time = datetime.datetime.utcnow()
+        fav_entity.time = datetime.utcnow()
         db.session.add(fav_entity)
diff --git a/server/szurubooru/func/file_uploads.py b/server/szurubooru/func/file_uploads.py
index 95698e36..e7f93d83 100644
--- a/server/szurubooru/func/file_uploads.py
+++ b/server/szurubooru/func/file_uploads.py
@@ -1,27 +1,28 @@
-import datetime
+from typing import Optional
+from datetime import datetime, timedelta
 from szurubooru.func import files, util
 
 
 MAX_MINUTES = 60
 
 
-def _get_path(checksum):
+def _get_path(checksum: str) -> str:
     return 'temporary-uploads/%s.dat' % checksum
 
 
-def purge_old_uploads():
-    now = datetime.datetime.now()
+def purge_old_uploads() -> None:
+    now = datetime.now()
     for file in files.scan('temporary-uploads'):
-        file_time = datetime.datetime.fromtimestamp(file.stat().st_ctime)
-        if now - file_time > datetime.timedelta(minutes=MAX_MINUTES):
+        file_time = datetime.fromtimestamp(file.stat().st_ctime)
+        if now - file_time > timedelta(minutes=MAX_MINUTES):
             files.delete('temporary-uploads/%s' % file.name)
 
 
-def get(checksum):
+def get(checksum: str) -> Optional[bytes]:
     return files.get('temporary-uploads/%s.dat' % checksum)
 
 
-def save(content):
+def save(content: bytes) -> str:
     checksum = util.get_sha1(content)
     path = _get_path(checksum)
     if not files.has(path):
diff --git a/server/szurubooru/func/files.py b/server/szurubooru/func/files.py
index 3ca87776..fa9f36fd 100644
--- a/server/szurubooru/func/files.py
+++ b/server/szurubooru/func/files.py
@@ -1,32 +1,33 @@
+from typing import Any, Optional, List
 import os
 from szurubooru import config
 
 
-def _get_full_path(path):
+def _get_full_path(path: str) -> str:
     return os.path.join(config.config['data_dir'], path)
 
 
-def delete(path):
+def delete(path: str) -> None:
     full_path = _get_full_path(path)
     if os.path.exists(full_path):
         os.unlink(full_path)
 
 
-def has(path):
+def has(path: str) -> bool:
     return os.path.exists(_get_full_path(path))
 
 
-def scan(path):
+def scan(path: str) -> List[Any]:
     if has(path):
-        return os.scandir(_get_full_path(path))
+        return list(os.scandir(_get_full_path(path)))
     return []
 
 
-def move(source_path, target_path):
-    return os.rename(_get_full_path(source_path), _get_full_path(target_path))
+def move(source_path: str, target_path: str) -> None:
+    os.rename(_get_full_path(source_path), _get_full_path(target_path))
 
 
-def get(path):
+def get(path: str) -> Optional[bytes]:
     full_path = _get_full_path(path)
     if not os.path.exists(full_path):
         return None
@@ -34,7 +35,7 @@ def get(path):
         return handle.read()
 
 
-def save(path, content):
+def save(path: str, content: bytes) -> None:
     full_path = _get_full_path(path)
     os.makedirs(os.path.dirname(full_path), exist_ok=True)
     with open(full_path, 'wb') as handle:
diff --git a/server/szurubooru/func/image_hash.py b/server/szurubooru/func/image_hash.py
index ebd96cd5..b89b2187 100644
--- a/server/szurubooru/func/image_hash.py
+++ b/server/szurubooru/func/image_hash.py
@@ -1,70 +1,351 @@
+import logging
+from io import BytesIO
+from datetime import datetime
+from typing import Any, Optional, Tuple, Set, List, Callable
 import elasticsearch
 import elasticsearch_dsl
-from image_match.elasticsearch_driver import SignatureES
-from szurubooru import config
-
+import numpy as np
+from PIL import Image
+from szurubooru import config, errors
 
 # pylint: disable=invalid-name
-es = elasticsearch.Elasticsearch([{
-    'host': config.config['elasticsearch']['host'],
-    'port': config.config['elasticsearch']['port'],
-}])
-session = SignatureES(es, index='szurubooru')
+logger = logging.getLogger(__name__)
+
+# Math based on paper from H. Chi Wong, Marshall Bern and David Goldberg
+# Math code taken from https://github.com/ascribe/image-match
+# (which is licensed under Apache 2 license)
+
+LOWER_PERCENTILE = 5
+UPPER_PERCENTILE = 95
+IDENTICAL_TOLERANCE = 2 / 255.
+DISTANCE_CUTOFF = 0.45
+N_LEVELS = 2
+N = 9
+P = None
+SAMPLE_WORDS = 16
+MAX_WORDS = 63
+ES_DOC_TYPE = 'image'
+ES_MAX_RESULTS = 100
+
+Window = Tuple[Tuple[float, float], Tuple[float, float]]
+NpMatrix = Any
+
+
+def _get_session() -> elasticsearch.Elasticsearch:
+    return elasticsearch.Elasticsearch([{
+        'host': config.config['elasticsearch']['host'],
+        'port': config.config['elasticsearch']['port'],
+    }])
+
+
+def _preprocess_image(content: bytes) -> NpMatrix:
+    img = Image.open(BytesIO(content))
+    return np.asarray(img.convert('L'), dtype=np.uint8)
+
+
+def _crop_image(
+        image: NpMatrix,
+        lower_percentile: float,
+        upper_percentile: float) -> Window:
+    rw = np.cumsum(np.sum(np.abs(np.diff(image, axis=1)), axis=1))
+    cw = np.cumsum(np.sum(np.abs(np.diff(image, axis=0)), axis=0))
+    upper_column_limit = np.searchsorted(
+        cw, np.percentile(cw, upper_percentile), side='left')
+    lower_column_limit = np.searchsorted(
+        cw, np.percentile(cw, lower_percentile), side='right')
+    upper_row_limit = np.searchsorted(
+        rw, np.percentile(rw, upper_percentile), side='left')
+    lower_row_limit = np.searchsorted(
+        rw, np.percentile(rw, lower_percentile), side='right')
+    if lower_row_limit > upper_row_limit:
+        lower_row_limit = int(lower_percentile / 100. * image.shape[0])
+        upper_row_limit = int(upper_percentile / 100. * image.shape[0])
+    if lower_column_limit > upper_column_limit:
+        lower_column_limit = int(lower_percentile / 100. * image.shape[1])
+        upper_column_limit = int(upper_percentile / 100. * image.shape[1])
+    return (
+        (lower_row_limit, upper_row_limit),
+        (lower_column_limit, upper_column_limit))
+
+
+def _normalize_and_threshold(
+        diff_array: NpMatrix,
+        identical_tolerance: float,
+        n_levels: int) -> None:
+    mask = np.abs(diff_array) < identical_tolerance
+    diff_array[mask] = 0.
+    if np.all(mask):
+        return
+    positive_cutoffs = np.percentile(
+        diff_array[diff_array > 0.], np.linspace(0, 100, n_levels + 1))
+    negative_cutoffs = np.percentile(
+        diff_array[diff_array < 0.], np.linspace(100, 0, n_levels + 1))
+    for level, interval in enumerate(
+            positive_cutoffs[i:i + 2]
+            for i in range(positive_cutoffs.shape[0] - 1)):
+        diff_array[
+            (diff_array >= interval[0]) & (diff_array <= interval[1])] = \
+            level + 1
+    for level, interval in enumerate(
+            negative_cutoffs[i:i + 2]
+            for i in range(negative_cutoffs.shape[0] - 1)):
+        diff_array[
+            (diff_array <= interval[0]) & (diff_array >= interval[1])] = \
+            -(level + 1)
+
+
+def _compute_grid_points(
+        image: NpMatrix,
+        n: float,
+        window: Window = None) -> Tuple[NpMatrix, NpMatrix]:
+    if window is None:
+        window = ((0, image.shape[0]), (0, image.shape[1]))
+    x_coords = np.linspace(window[0][0], window[0][1], n + 2, dtype=int)[1:-1]
+    y_coords = np.linspace(window[1][0], window[1][1], n + 2, dtype=int)[1:-1]
+    return x_coords, y_coords
+
+
+def _compute_mean_level(
+        image: NpMatrix,
+        x_coords: NpMatrix,
+        y_coords: NpMatrix,
+        p: Optional[float]) -> NpMatrix:
+    if p is None:
+        p = max([2.0, int(0.5 + min(image.shape) / 20.)])
+    avg_grey = np.zeros((x_coords.shape[0], y_coords.shape[0]))
+    for i, x in enumerate(x_coords):
+        lower_x_lim = int(max([x - p / 2, 0]))
+        upper_x_lim = int(min([lower_x_lim + p, image.shape[0]]))
+        for j, y in enumerate(y_coords):
+            lower_y_lim = int(max([y - p / 2, 0]))
+            upper_y_lim = int(min([lower_y_lim + p, image.shape[1]]))
+            avg_grey[i, j] = np.mean(
+                image[lower_x_lim:upper_x_lim, lower_y_lim:upper_y_lim])
+    return avg_grey
+
+
+def _compute_differentials(grey_level_matrix: NpMatrix) -> NpMatrix:
+    flipped = np.fliplr(grey_level_matrix)
+    right_neighbors = -np.concatenate(
+        (
+            np.diff(grey_level_matrix),
+            (
+                np.zeros(grey_level_matrix.shape[0])
+                .reshape((grey_level_matrix.shape[0], 1))
+            )
+        ), axis=1)
+    down_neighbors = -np.concatenate(
+        (
+            np.diff(grey_level_matrix, axis=0),
+            (
+                np.zeros(grey_level_matrix.shape[1])
+                .reshape((1, grey_level_matrix.shape[1]))
+            )
+        ))
+    left_neighbors = -np.concatenate(
+        (right_neighbors[:, -1:], right_neighbors[:, :-1]), axis=1)
+    up_neighbors = -np.concatenate((down_neighbors[-1:], down_neighbors[:-1]))
+    diagonals = np.arange(
+        -grey_level_matrix.shape[0] + 1, grey_level_matrix.shape[0])
+    upper_left_neighbors = sum([
+        np.diagflat(np.insert(np.diff(np.diag(grey_level_matrix, i)), 0, 0), i)
+        for i in diagonals])
+    upper_right_neighbors = sum([
+        np.diagflat(np.insert(np.diff(np.diag(flipped, i)), 0, 0), i)
+        for i in diagonals])
+    lower_right_neighbors = -np.pad(
+        upper_left_neighbors[1:, 1:], (0, 1), mode='constant')
+    lower_left_neighbors = -np.pad(
+        upper_right_neighbors[1:, 1:], (0, 1), mode='constant')
+    return np.dstack(np.array([
+        upper_left_neighbors,
+        up_neighbors,
+        np.fliplr(upper_right_neighbors),
+        left_neighbors,
+        right_neighbors,
+        np.fliplr(lower_left_neighbors),
+        down_neighbors,
+        lower_right_neighbors]))
+
+
+def _generate_signature(content: bytes) -> NpMatrix:
+    im_array = _preprocess_image(content)
+    image_limits = _crop_image(
+        im_array,
+        lower_percentile=LOWER_PERCENTILE,
+        upper_percentile=UPPER_PERCENTILE)
+    x_coords, y_coords = _compute_grid_points(
+        im_array, n=N, window=image_limits)
+    avg_grey = _compute_mean_level(im_array, x_coords, y_coords, p=P)
+    diff_matrix = _compute_differentials(avg_grey)
+    _normalize_and_threshold(
+        diff_matrix,
+        identical_tolerance=IDENTICAL_TOLERANCE,
+        n_levels=N_LEVELS)
+    return np.ravel(diff_matrix).astype('int8')
+
+
+def _get_words(array: NpMatrix, k: int, n: int) -> NpMatrix:
+    word_positions = np.linspace(
+        0, array.shape[0], n, endpoint=False).astype('int')
+    assert k <= array.shape[0]
+    assert word_positions.shape[0] <= array.shape[0]
+    words = np.zeros((n, k)).astype('int8')
+    for i, pos in enumerate(word_positions):
+        if pos + k <= array.shape[0]:
+            words[i] = array[pos:pos + k]
+        else:
+            temp = array[pos:].copy()
+            temp.resize(k)
+            words[i] = temp
+    _max_contrast(words)
+    words = _words_to_int(words)
+    return words
+
+
+def _words_to_int(word_array: NpMatrix) -> NpMatrix:
+    width = word_array.shape[1]
+    coding_vector = 3**np.arange(width)
+    return np.dot(word_array + 1, coding_vector)
+
+
+def _max_contrast(array: NpMatrix) -> None:
+    array[array > 0] = 1
+    array[array < 0] = -1
+
+
+def _normalized_distance(
+        target_array: NpMatrix,
+        vec: NpMatrix,
+        nan_value: float = 1.0) -> List[float]:
+    target_array = target_array.astype(int)
+    vec = vec.astype(int)
+    topvec = np.linalg.norm(vec - target_array, axis=1)
+    norm1 = np.linalg.norm(vec, axis=0)
+    norm2 = np.linalg.norm(target_array, axis=1)
+    finvec = topvec / (norm1 + norm2)
+    finvec[np.isnan(finvec)] = nan_value
+    return finvec
+
+
+def _safety_blanket(default_param_factory: Callable[[], Any]) -> Callable:
+    def wrapper_outer(target_function: Callable) -> Callable:
+        def wrapper_inner(*args: Any, **kwargs: Any) -> Any:
+            try:
+                return target_function(*args, **kwargs)
+            except elasticsearch.exceptions.NotFoundError:
+                # index not yet created, will be created dynamically by
+                # add_image()
+                return default_param_factory()
+            except elasticsearch.exceptions.ElasticsearchException as ex:
+                logger.warning('Problem with elastic search: %s', ex)
+                raise errors.ThirdPartyError(
+                    'Error connecting to elastic search.')
+            except IOError:
+                raise errors.ProcessingError('Not an image.')
+            except Exception as ex:
+                raise errors.ThirdPartyError('Unknown error (%s).' % ex)
+        return wrapper_inner
+    return wrapper_outer
 
 
 class Lookalike:
-    def __init__(self, score, distance, path):
+    def __init__(self, score: int, distance: float, path: Any) -> None:
         self.score = score
         self.distance = distance
         self.path = path
 
 
-def add_image(path, image_content):
-    if not path or not image_content:
-        return
-    session.add_image(path=path, img=image_content, bytestream=True)
+@_safety_blanket(lambda: None)
+def add_image(path: str, image_content: bytes) -> None:
+    assert path
+    assert image_content
+    signature = _generate_signature(image_content)
+    words = _get_words(signature, k=SAMPLE_WORDS, n=MAX_WORDS)
+
+    record = {
+        'signature': signature.tolist(),
+        'path': path,
+        'timestamp': datetime.now(),
+    }
+    for i in range(MAX_WORDS):
+        record['simple_word_' + str(i)] = words[i].tolist()
+
+    _get_session().index(
+        index=config.config['elasticsearch']['index'],
+        doc_type=ES_DOC_TYPE,
+        body=record,
+        refresh=True)
 
 
-def delete_image(path):
-    if not path:
-        return
-    try:
-        es.delete_by_query(
-            index=session.index,
-            doc_type=session.doc_type,
-            body={'query': {'term': {'path': path}}})
-    except elasticsearch.exceptions.NotFoundError:
-        pass
+@_safety_blanket(lambda: None)
+def delete_image(path: str) -> None:
+    assert path
+    _get_session().delete_by_query(
+        index=config.config['elasticsearch']['index'],
+        doc_type=ES_DOC_TYPE,
+        body={'query': {'term': {'path': path}}})
 
 
-def search_by_image(image_content):
-    try:
-        for result in session.search_image(
-                path=image_content,  # sic
-                bytestream=True):
-            yield Lookalike(
-                score=result['score'],
-                distance=result['dist'],
-                path=result['path'])
-    except elasticsearch.exceptions.ElasticsearchException:
-        raise
-    except Exception:
-        yield from []
+@_safety_blanket(lambda: [])
+def search_by_image(image_content: bytes) -> List[Lookalike]:
+    signature = _generate_signature(image_content)
+    words = _get_words(signature, k=SAMPLE_WORDS, n=MAX_WORDS)
+
+    res = _get_session().search(
+        index=config.config['elasticsearch']['index'],
+        doc_type=ES_DOC_TYPE,
+        body={
+            'query':
+            {
+                'bool':
+                {
+                    'should':
+                    [
+                        {'term': {'simple_word_%d' % i: word.tolist()}}
+                        for i, word in enumerate(words)
+                    ]
+                }
+            },
+            '_source': {'excludes': ['simple_word_*']}},
+        size=ES_MAX_RESULTS,
+        timeout='10s')['hits']['hits']
+
+    if len(res) == 0:
+        return []
+
+    sigs = np.array([x['_source']['signature'] for x in res])
+    dists = _normalized_distance(sigs, np.array(signature))
+
+    ids = set()  # type: Set[int]
+    ret = []
+    for item, dist in zip(res, dists):
+        id = item['_id']
+        score = item['_score']
+        path = item['_source']['path']
+        if id in ids:
+            continue
+        ids.add(id)
+        if dist < DISTANCE_CUTOFF:
+            ret.append(Lookalike(score=score, distance=dist, path=path))
+    return ret
 
 
-def purge():
-    es.delete_by_query(
-        index=session.index,
-        doc_type=session.doc_type,
-        body={'query': {'match_all': {}}})
+@_safety_blanket(lambda: None)
+def purge() -> None:
+    _get_session().delete_by_query(
+        index=config.config['elasticsearch']['index'],
+        doc_type=ES_DOC_TYPE,
+        body={'query': {'match_all': {}}},
+        refresh=True)
 
 
-def get_all_paths():
-    try:
-        search = (
-            elasticsearch_dsl.Search(
-                using=es, index=session.index, doc_type=session.doc_type)
-            .source(['path']))
-        return set(h.path for h in search.scan())
-    except elasticsearch.exceptions.NotFoundError:
-        return set()
+@_safety_blanket(lambda: set())
+def get_all_paths() -> Set[str]:
+    search = (
+        elasticsearch_dsl.Search(
+            using=_get_session(),
+            index=config.config['elasticsearch']['index'],
+            doc_type=ES_DOC_TYPE)
+        .source(['path']))
+    return set(h.path for h in search.scan())
diff --git a/server/szurubooru/func/images.py b/server/szurubooru/func/images.py
index c7dfb34e..b3df55e7 100644
--- a/server/szurubooru/func/images.py
+++ b/server/szurubooru/func/images.py
@@ -1,3 +1,4 @@
+from typing import List
 import logging
 import json
 import shlex
@@ -10,32 +11,33 @@ from szurubooru.func import mime, util
 logger = logging.getLogger(__name__)
 
 
-_SCALE_FIT_FMT = \
-    r'scale=iw*max({width}/iw\,{height}/ih):ih*max({width}/iw\,{height}/ih)'
-
-
 class Image:
-    def __init__(self, content):
+    def __init__(self, content: bytes) -> None:
         self.content = content
         self._reload_info()
 
     @property
-    def width(self):
+    def width(self) -> int:
         return self.info['streams'][0]['width']
 
     @property
-    def height(self):
+    def height(self) -> int:
         return self.info['streams'][0]['height']
 
     @property
-    def frames(self):
+    def frames(self) -> int:
         return self.info['streams'][0]['nb_read_frames']
 
-    def resize_fill(self, width, height):
+    def resize_fill(self, width: int, height: int) -> None:
+        width_greater = self.width > self.height
+        width, height = (-1, height) if width_greater else (width, -1)
+
         cli = [
             '-i', '{path}',
             '-f', 'image2',
-            '-vf', _SCALE_FIT_FMT.format(width=width, height=height),
+            '-filter:v', "scale='{width}:{height}'".format(
+                width=width, height=height),
+            '-map', '0:v:0',
             '-vframes', '1',
             '-vcodec', 'png',
             '-',
@@ -48,32 +50,102 @@ class Image:
                     '-ss',
                     '%d' % math.floor(duration * 0.3),
                 ] + cli
-        self.content = self._execute(cli)
-        assert self.content
+        content = self._execute(cli, ignore_error_if_data=True)
+        if not content:
+            raise errors.ProcessingError('Error while resizing image.')
+        self.content = content
         self._reload_info()
 
-    def to_png(self):
+    def to_png(self) -> bytes:
         return self._execute([
             '-i', '{path}',
             '-f', 'image2',
+            '-map', '0:v:0',
             '-vframes', '1',
             '-vcodec', 'png',
             '-',
         ])
 
-    def to_jpeg(self):
+    def to_jpeg(self) -> bytes:
         return self._execute([
             '-f', 'lavfi',
             '-i', 'color=white:s=%dx%d' % (self.width, self.height),
             '-i', '{path}',
             '-f', 'image2',
             '-filter_complex', 'overlay',
+            '-map', '0:v:0',
             '-vframes', '1',
             '-vcodec', 'mjpeg',
             '-',
         ])
 
-    def _execute(self, cli, program='ffmpeg'):
+    def to_webm(self) -> bytes:
+        with util.create_temp_file_path(suffix='.log') as phase_log_path:
+            # Pass 1
+            self._execute([
+                '-i', '{path}',
+                '-pass', '1',
+                '-passlogfile', phase_log_path,
+                '-vcodec', 'libvpx-vp9',
+                '-crf', '4',
+                '-b:v', '2500K',
+                '-acodec', 'libvorbis',
+                '-f', 'webm',
+                '-y', '/dev/null'
+            ])
+
+            # Pass 2
+            return self._execute([
+                '-i', '{path}',
+                '-pass', '2',
+                '-passlogfile', phase_log_path,
+                '-vcodec', 'libvpx-vp9',
+                '-crf', '4',
+                '-b:v', '2500K',
+                '-acodec', 'libvorbis',
+                '-f', 'webm',
+                '-'
+            ])
+
+    def to_mp4(self) -> bytes:
+        with util.create_temp_file_path(suffix='.dat') as mp4_temp_path:
+            width = self.width
+            height = self.height
+            altered_dimensions = False
+
+            if self.width % 2 != 0:
+                width = self.width - 1
+                altered_dimensions = True
+
+            if self.height % 2 != 0:
+                height = self.height - 1
+                altered_dimensions = True
+
+            args = [
+                '-i', '{path}',
+                '-vcodec', 'libx264',
+                '-preset', 'slow',
+                '-crf', '22',
+                '-b:v', '200K',
+                '-profile:v', 'main',
+                '-pix_fmt', 'yuv420p',
+                '-acodec', 'aac',
+                '-f', 'mp4'
+            ]
+
+            if altered_dimensions:
+                args += ['-filter:v', 'scale=\'%d:%d\'' % (width, height)]
+
+            self._execute(args + ['-y', mp4_temp_path])
+
+            with open(mp4_temp_path, 'rb') as mp4_temp:
+                return mp4_temp.read()
+
+    def _execute(
+            self,
+            cli: List[str],
+            program: str = 'ffmpeg',
+            ignore_error_if_data: bool = False) -> bytes:
         extension = mime.get_extension(mime.get_mime_type(self.content))
         assert extension
         with util.create_temp_file(suffix='.' + extension) as handle:
@@ -92,11 +164,14 @@ class Image:
                     'Failed to execute ffmpeg command (cli=%r, err=%r)',
                     ' '.join(shlex.quote(arg) for arg in cli),
                     err)
-                raise errors.ProcessingError(
-                    'Error while processing image.\n' + err.decode('utf-8'))
+                if ((len(out) > 0 and not ignore_error_if_data)
+                        or len(out) == 0):
+                    raise errors.ProcessingError(
+                        'Error while processing image.\n'
+                        + err.decode('utf-8'))
             return out
 
-    def _reload_info(self):
+    def _reload_info(self) -> None:
         self.info = json.loads(self._execute([
             '-i', '{path}',
             '-of', 'json',
@@ -106,5 +181,7 @@ class Image:
         ], program='ffprobe').decode('utf-8'))
         assert 'format' in self.info
         assert 'streams' in self.info
-        if len(self.info['streams']) != 1:
-            raise errors.ProcessingError('Multiple video streams detected.')
+        if len(self.info['streams']) < 1:
+            logger.warning('The video contains no video streams.')
+            raise errors.ProcessingError(
+                'The video contains no video streams.')
diff --git a/server/szurubooru/func/mailer.py b/server/szurubooru/func/mailer.py
index 94f9c506..76682f11 100644
--- a/server/szurubooru/func/mailer.py
+++ b/server/szurubooru/func/mailer.py
@@ -3,7 +3,7 @@ import email.mime.text
 from szurubooru import config
 
 
-def send_mail(sender, recipient, subject, body):
+def send_mail(sender: str, recipient: str, subject: str, body: str) -> None:
     msg = email.mime.text.MIMEText(body)
     msg['Subject'] = subject
     msg['From'] = sender
diff --git a/server/szurubooru/func/mime.py b/server/szurubooru/func/mime.py
index 2277ed64..c83f744e 100644
--- a/server/szurubooru/func/mime.py
+++ b/server/szurubooru/func/mime.py
@@ -1,7 +1,8 @@
 import re
+from typing import Optional
 
 
-def get_mime_type(content):
+def get_mime_type(content: bytes) -> str:
     if not content:
         return 'application/octet-stream'
 
@@ -26,7 +27,7 @@ def get_mime_type(content):
     return 'application/octet-stream'
 
 
-def get_extension(mime_type):
+def get_extension(mime_type: str) -> Optional[str]:
     extension_map = {
         'application/x-shockwave-flash': 'swf',
         'image/gif': 'gif',
@@ -39,19 +40,19 @@ def get_extension(mime_type):
     return extension_map.get((mime_type or '').strip().lower(), None)
 
 
-def is_flash(mime_type):
+def is_flash(mime_type: str) -> bool:
     return mime_type.lower() == 'application/x-shockwave-flash'
 
 
-def is_video(mime_type):
+def is_video(mime_type: str) -> bool:
     return mime_type.lower() in ('application/ogg', 'video/mp4', 'video/webm')
 
 
-def is_image(mime_type):
+def is_image(mime_type: str) -> bool:
     return mime_type.lower() in ('image/jpeg', 'image/png', 'image/gif')
 
 
-def is_animated_gif(content):
+def is_animated_gif(content: bytes) -> bool:
     pattern = b'\x21\xF9\x04[\x00-\xFF]{4}\x00[\x2C\x21]'
     return get_mime_type(content) == 'image/gif' \
         and len(re.findall(pattern, content)) > 1
diff --git a/server/szurubooru/func/net.py b/server/szurubooru/func/net.py
index fb0c427a..e6326c06 100644
--- a/server/szurubooru/func/net.py
+++ b/server/szurubooru/func/net.py
@@ -1,10 +1,13 @@
 import urllib.request
+from szurubooru import config
 from szurubooru import errors
 
 
-def download(url):
+def download(url: str) -> bytes:
     assert url
     request = urllib.request.Request(url)
+    if config.config['user_agent']:
+        request.add_header('User-Agent', config.config['user_agent'])
     request.add_header('Referer', url)
     try:
         with urllib.request.urlopen(request) as handle:
diff --git a/server/szurubooru/func/posts.py b/server/szurubooru/func/posts.py
index 755090d7..9589a30f 100644
--- a/server/szurubooru/func/posts.py
+++ b/server/szurubooru/func/posts.py
@@ -1,14 +1,17 @@
-import datetime
-import sqlalchemy
-from szurubooru import config, db, errors
+import hmac
+from typing import Any, Optional, Tuple, List, Dict, Callable
+from datetime import datetime
+import sqlalchemy as sa
+from szurubooru import config, db, model, errors, rest
 from szurubooru.func import (
-    users, scores, comments, tags, util, mime, images, files, image_hash)
+    users, scores, comments, tags, util,
+    mime, images, files, image_hash, serialization, snapshots)
 
 
-EMPTY_PIXEL = \
-    b'\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x01\x00\x00\x00\x00' \
-    b'\xff\xff\xff\x21\xf9\x04\x01\x00\x00\x01\x00\x2c\x00\x00\x00\x00' \
-    b'\x01\x00\x01\x00\x00\x02\x02\x4c\x01\x00\x3b'
+EMPTY_PIXEL = (
+    b'\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x01\x00\x00\x00\x00'
+    b'\xff\xff\xff\x21\xf9\x04\x01\x00\x00\x01\x00\x2c\x00\x00\x00\x00'
+    b'\x01\x00\x01\x00\x00\x02\x02\x4c\x01\x00\x3b')
 
 
 class PostNotFoundError(errors.NotFoundError):
@@ -20,7 +23,7 @@ class PostAlreadyFeaturedError(errors.ValidationError):
 
 
 class PostAlreadyUploadedError(errors.ValidationError):
-    def __init__(self, other_post):
+    def __init__(self, other_post: model.Post) -> None:
         super().__init__(
             'Post already uploaded (%d)' % other_post.post_id,
             {
@@ -58,62 +61,75 @@ class InvalidPostFlagError(errors.ValidationError):
 
 
 class PostLookalike(image_hash.Lookalike):
-    def __init__(self, score, distance, post):
+    def __init__(self, score: int, distance: float, post: model.Post) -> None:
         super().__init__(score, distance, post.post_id)
         self.post = post
 
 
 SAFETY_MAP = {
-    db.Post.SAFETY_SAFE: 'safe',
-    db.Post.SAFETY_SKETCHY: 'sketchy',
-    db.Post.SAFETY_UNSAFE: 'unsafe',
+    model.Post.SAFETY_SAFE: 'safe',
+    model.Post.SAFETY_SKETCHY: 'sketchy',
+    model.Post.SAFETY_UNSAFE: 'unsafe',
 }
 
 TYPE_MAP = {
-    db.Post.TYPE_IMAGE: 'image',
-    db.Post.TYPE_ANIMATION: 'animation',
-    db.Post.TYPE_VIDEO: 'video',
-    db.Post.TYPE_FLASH: 'flash',
+    model.Post.TYPE_IMAGE: 'image',
+    model.Post.TYPE_ANIMATION: 'animation',
+    model.Post.TYPE_VIDEO: 'video',
+    model.Post.TYPE_FLASH: 'flash',
 }
 
 FLAG_MAP = {
-    db.Post.FLAG_LOOP: 'loop',
+    model.Post.FLAG_LOOP: 'loop',
 }
 
 
-def get_post_content_url(post):
+def get_post_security_hash(id: int) -> str:
+    return hmac.new(
+        config.config['secret'].encode('utf8'),
+        str(id).encode('utf-8')).hexdigest()[0:16]
+
+
+def get_post_content_url(post: model.Post) -> str:
     assert post
-    return '%s/posts/%d.%s' % (
+    return '%s/posts/%d_%s.%s' % (
         config.config['data_url'].rstrip('/'),
         post.post_id,
+        get_post_security_hash(post.post_id),
         mime.get_extension(post.mime_type) or 'dat')
 
 
-def get_post_thumbnail_url(post):
+def get_post_thumbnail_url(post: model.Post) -> str:
     assert post
-    return '%s/generated-thumbnails/%d.jpg' % (
+    return '%s/generated-thumbnails/%d_%s.jpg' % (
         config.config['data_url'].rstrip('/'),
-        post.post_id)
+        post.post_id,
+        get_post_security_hash(post.post_id))
 
 
-def get_post_content_path(post):
+def get_post_content_path(post: model.Post) -> str:
     assert post
     assert post.post_id
-    return 'posts/%d.%s' % (
-        post.post_id, mime.get_extension(post.mime_type) or 'dat')
+    return 'posts/%d_%s.%s' % (
+        post.post_id,
+        get_post_security_hash(post.post_id),
+        mime.get_extension(post.mime_type) or 'dat')
 
 
-def get_post_thumbnail_path(post):
+def get_post_thumbnail_path(post: model.Post) -> str:
     assert post
-    return 'generated-thumbnails/%d.jpg' % (post.post_id)
+    return 'generated-thumbnails/%d_%s.jpg' % (
+        post.post_id,
+        get_post_security_hash(post.post_id))
 
 
-def get_post_thumbnail_backup_path(post):
+def get_post_thumbnail_backup_path(post: model.Post) -> str:
     assert post
-    return 'posts/custom-thumbnails/%d.dat' % (post.post_id)
+    return 'posts/custom-thumbnails/%d_%s.dat' % (
+        post.post_id, get_post_security_hash(post.post_id))
 
 
-def serialize_note(note):
+def serialize_note(note: model.PostNote) -> rest.Response:
     assert note
     return {
         'polygon': note.polygon,
@@ -121,113 +137,224 @@ def serialize_note(note):
     }
 
 
-def serialize_post(post, auth_user, options=None):
-    return util.serialize_entity(
-        post,
-        {
-            'id': lambda: post.post_id,
-            'version': lambda: post.version,
-            'creationTime': lambda: post.creation_time,
-            'lastEditTime': lambda: post.last_edit_time,
-            'safety': lambda: SAFETY_MAP[post.safety],
-            'source': lambda: post.source,
-            'type': lambda: TYPE_MAP[post.type],
-            'mimeType': lambda: post.mime_type,
-            'checksum': lambda: post.checksum,
-            'fileSize': lambda: post.file_size,
-            'canvasWidth': lambda: post.canvas_width,
-            'canvasHeight': lambda: post.canvas_height,
-            'contentUrl': lambda: get_post_content_url(post),
-            'thumbnailUrl': lambda: get_post_thumbnail_url(post),
-            'flags': lambda: post.flags,
-            'tags': lambda: [
-                tag.names[0].name for tag in tags.sort_tags(post.tags)],
-            'relations': lambda: sorted(
-                {
-                    post['id']:
-                        post for post in [
-                            serialize_micro_post(rel, auth_user)
-                            for rel in post.relations]
-                }.values(),
-                key=lambda post: post['id']),
-            'user': lambda: users.serialize_micro_user(post.user, auth_user),
-            'score': lambda: post.score,
-            'ownScore': lambda: scores.get_score(post, auth_user),
-            'ownFavorite': lambda: len([
-                user for user in post.favorited_by
-                if user.user_id == auth_user.user_id]
-            ) > 0,
-            'tagCount': lambda: post.tag_count,
-            'favoriteCount': lambda: post.favorite_count,
-            'commentCount': lambda: post.comment_count,
-            'noteCount': lambda: post.note_count,
-            'relationCount': lambda: post.relation_count,
-            'featureCount': lambda: post.feature_count,
-            'lastFeatureTime': lambda: post.last_feature_time,
-            'favoritedBy': lambda: [
-                users.serialize_micro_user(rel.user, auth_user)
-                for rel in post.favorited_by
-            ],
-            'hasCustomThumbnail':
-                lambda: files.has(get_post_thumbnail_backup_path(post)),
-            'notes': lambda: sorted(
-                [serialize_note(note) for note in post.notes],
-                key=lambda x: x['polygon']),
-            'comments': lambda: [
-                comments.serialize_comment(comment, auth_user)
-                for comment in sorted(
-                    post.comments,
-                    key=lambda comment: comment.creation_time)],
-        },
-        options)
+class PostSerializer(serialization.BaseSerializer):
+    def __init__(self, post: model.Post, auth_user: model.User) -> None:
+        self.post = post
+        self.auth_user = auth_user
+
+    def _serializers(self) -> Dict[str, Callable[[], Any]]:
+        return {
+            'id': self.serialize_id,
+            'version': self.serialize_version,
+            'creationTime': self.serialize_creation_time,
+            'lastEditTime': self.serialize_last_edit_time,
+            'safety': self.serialize_safety,
+            'source': self.serialize_source,
+            'type': self.serialize_type,
+            'mimeType': self.serialize_mime,
+            'checksum': self.serialize_checksum,
+            'fileSize': self.serialize_file_size,
+            'canvasWidth': self.serialize_canvas_width,
+            'canvasHeight': self.serialize_canvas_height,
+            'contentUrl': self.serialize_content_url,
+            'thumbnailUrl': self.serialize_thumbnail_url,
+            'flags': self.serialize_flags,
+            'tags': self.serialize_tags,
+            'relations': self.serialize_relations,
+            'user': self.serialize_user,
+            'score': self.serialize_score,
+            'ownScore': self.serialize_own_score,
+            'ownFavorite': self.serialize_own_favorite,
+            'tagCount': self.serialize_tag_count,
+            'favoriteCount': self.serialize_favorite_count,
+            'commentCount': self.serialize_comment_count,
+            'noteCount': self.serialize_note_count,
+            'relationCount': self.serialize_relation_count,
+            'featureCount': self.serialize_feature_count,
+            'lastFeatureTime': self.serialize_last_feature_time,
+            'favoritedBy': self.serialize_favorited_by,
+            'hasCustomThumbnail': self.serialize_has_custom_thumbnail,
+            'notes': self.serialize_notes,
+            'comments': self.serialize_comments,
+        }
+
+    def serialize_id(self) -> Any:
+        return self.post.post_id
+
+    def serialize_version(self) -> Any:
+        return self.post.version
+
+    def serialize_creation_time(self) -> Any:
+        return self.post.creation_time
+
+    def serialize_last_edit_time(self) -> Any:
+        return self.post.last_edit_time
+
+    def serialize_safety(self) -> Any:
+        return SAFETY_MAP[self.post.safety]
+
+    def serialize_source(self) -> Any:
+        return self.post.source
+
+    def serialize_type(self) -> Any:
+        return TYPE_MAP[self.post.type]
+
+    def serialize_mime(self) -> Any:
+        return self.post.mime_type
+
+    def serialize_checksum(self) -> Any:
+        return self.post.checksum
+
+    def serialize_file_size(self) -> Any:
+        return self.post.file_size
+
+    def serialize_canvas_width(self) -> Any:
+        return self.post.canvas_width
+
+    def serialize_canvas_height(self) -> Any:
+        return self.post.canvas_height
+
+    def serialize_content_url(self) -> Any:
+        return get_post_content_url(self.post)
+
+    def serialize_thumbnail_url(self) -> Any:
+        return get_post_thumbnail_url(self.post)
+
+    def serialize_flags(self) -> Any:
+        return self.post.flags
+
+    def serialize_tags(self) -> Any:
+        return [
+            {
+                'names': [name.name for name in tag.names],
+                'category': tag.category.name,
+                'usages': tag.post_count,
+            }
+            for tag in tags.sort_tags(self.post.tags)]
+
+    def serialize_relations(self) -> Any:
+        return sorted(
+            {
+                post['id']: post
+                for post in [
+                    serialize_micro_post(rel, self.auth_user)
+                    for rel in self.post.relations]
+            }.values(),
+            key=lambda post: post['id'])
+
+    def serialize_user(self) -> Any:
+        return users.serialize_micro_user(self.post.user, self.auth_user)
+
+    def serialize_score(self) -> Any:
+        return self.post.score
+
+    def serialize_own_score(self) -> Any:
+        return scores.get_score(self.post, self.auth_user)
+
+    def serialize_own_favorite(self) -> Any:
+        return len([
+            user for user in self.post.favorited_by
+            if user.user_id == self.auth_user.user_id]
+        ) > 0
+
+    def serialize_tag_count(self) -> Any:
+        return self.post.tag_count
+
+    def serialize_favorite_count(self) -> Any:
+        return self.post.favorite_count
+
+    def serialize_comment_count(self) -> Any:
+        return self.post.comment_count
+
+    def serialize_note_count(self) -> Any:
+        return self.post.note_count
+
+    def serialize_relation_count(self) -> Any:
+        return self.post.relation_count
+
+    def serialize_feature_count(self) -> Any:
+        return self.post.feature_count
+
+    def serialize_last_feature_time(self) -> Any:
+        return self.post.last_feature_time
+
+    def serialize_favorited_by(self) -> Any:
+        return [
+            users.serialize_micro_user(rel.user, self.auth_user)
+            for rel in self.post.favorited_by
+        ]
+
+    def serialize_has_custom_thumbnail(self) -> Any:
+        return files.has(get_post_thumbnail_backup_path(self.post))
+
+    def serialize_notes(self) -> Any:
+        return sorted(
+            [serialize_note(note) for note in self.post.notes],
+            key=lambda x: x['polygon'])
+
+    def serialize_comments(self) -> Any:
+        return [
+            comments.serialize_comment(comment, self.auth_user)
+            for comment in sorted(
+                self.post.comments,
+                key=lambda comment: comment.creation_time)]
 
 
-def serialize_micro_post(post, auth_user):
+def serialize_post(
+        post: Optional[model.Post],
+        auth_user: model.User,
+        options: List[str] = []) -> Optional[rest.Response]:
+    if not post:
+        return None
+    return PostSerializer(post, auth_user).serialize(options)
+
+
+def serialize_micro_post(
+        post: model.Post, auth_user: model.User) -> Optional[rest.Response]:
     return serialize_post(
-        post,
-        auth_user=auth_user,
-        options=['id', 'thumbnailUrl'])
+        post, auth_user=auth_user, options=['id', 'thumbnailUrl'])
 
 
-def get_post_count():
-    return db.session.query(sqlalchemy.func.count(db.Post.post_id)).one()[0]
+def get_post_count() -> int:
+    return db.session.query(sa.func.count(model.Post.post_id)).one()[0]
 
 
-def try_get_post_by_id(post_id):
-    try:
-        post_id = int(post_id)
-    except ValueError:
-        raise InvalidPostIdError('Invalid post ID: %r.' % post_id)
-    return db.session \
-        .query(db.Post) \
-        .filter(db.Post.post_id == post_id) \
-        .one_or_none()
+def try_get_post_by_id(post_id: int) -> Optional[model.Post]:
+    return (
+        db.session
+        .query(model.Post)
+        .filter(model.Post.post_id == post_id)
+        .one_or_none())
 
 
-def get_post_by_id(post_id):
+def get_post_by_id(post_id: int) -> model.Post:
     post = try_get_post_by_id(post_id)
     if not post:
         raise PostNotFoundError('Post %r not found.' % post_id)
     return post
 
 
-def try_get_current_post_feature():
-    return db.session \
-        .query(db.PostFeature) \
-        .order_by(db.PostFeature.time.desc()) \
-        .first()
+def try_get_current_post_feature() -> Optional[model.PostFeature]:
+    return (
+        db.session
+        .query(model.PostFeature)
+        .order_by(model.PostFeature.time.desc())
+        .first())
 
 
-def try_get_featured_post():
+def try_get_featured_post() -> Optional[model.Post]:
     post_feature = try_get_current_post_feature()
     return post_feature.post if post_feature else None
 
 
-def create_post(content, tag_names, user):
-    post = db.Post()
-    post.safety = db.Post.SAFETY_SAFE
+def create_post(
+        content: bytes,
+        tag_names: List[str],
+        user: Optional[model.User]) -> Tuple[model.Post, List[model.Tag]]:
+    post = model.Post()
+    post.safety = model.Post.SAFETY_SAFE
     post.user = user
-    post.creation_time = datetime.datetime.utcnow()
+    post.creation_time = datetime.utcnow()
     post.flags = []
 
     post.type = ''
@@ -237,10 +364,10 @@ def create_post(content, tag_names, user):
 
     update_post_content(post, content)
     new_tags = update_post_tags(post, tag_names)
-    return (post, new_tags)
+    return post, new_tags
 
 
-def update_post_safety(post, safety):
+def update_post_safety(post: model.Post, safety: str) -> None:
     assert post
     safety = util.flip(SAFETY_MAP).get(safety, None)
     if not safety:
@@ -249,29 +376,36 @@ def update_post_safety(post, safety):
     post.safety = safety
 
 
-def update_post_source(post, source):
+def update_post_source(post: model.Post, source: Optional[str]) -> None:
     assert post
-    if util.value_exceeds_column_size(source, db.Post.source):
+    if util.value_exceeds_column_size(source, model.Post.source):
         raise InvalidPostSourceError('Source is too long.')
-    post.source = source
+    post.source = source or None
 
 
-@sqlalchemy.events.event.listens_for(db.Post, 'after_insert')
-def _after_post_insert(_mapper, _connection, post):
+@sa.events.event.listens_for(model.Post, 'after_insert')
+def _after_post_insert(
+        _mapper: Any, _connection: Any, post: model.Post) -> None:
     _sync_post_content(post)
 
 
-@sqlalchemy.events.event.listens_for(db.Post, 'after_update')
-def _after_post_update(_mapper, _connection, post):
+@sa.events.event.listens_for(model.Post, 'after_update')
+def _after_post_update(
+        _mapper: Any, _connection: Any, post: model.Post) -> None:
     _sync_post_content(post)
 
 
-@sqlalchemy.events.event.listens_for(db.Post, 'before_delete')
-def _before_post_delete(_mapper, _connection, post):
-    image_hash.delete_image(post.post_id)
+@sa.events.event.listens_for(model.Post, 'before_delete')
+def _before_post_delete(
+        _mapper: Any, _connection: Any, post: model.Post) -> None:
+    if post.post_id:
+        image_hash.delete_image(post.post_id)
+        if config.config['delete_source_files']:
+            files.delete(get_post_content_path(post))
+            files.delete(get_post_thumbnail_path(post))
 
 
-def _sync_post_content(post):
+def _sync_post_content(post: model.Post) -> None:
     regenerate_thumb = False
 
     if hasattr(post, '__content'):
@@ -279,7 +413,8 @@ def _sync_post_content(post):
         files.save(get_post_content_path(post), content)
         delattr(post, '__content')
         regenerate_thumb = True
-        if post.type in (db.Post.TYPE_IMAGE, db.Post.TYPE_ANIMATION):
+        if post.post_id and post.type in (
+                model.Post.TYPE_IMAGE, model.Post.TYPE_ANIMATION):
             image_hash.delete_image(post.post_id)
             image_hash.add_image(post.post_id, content)
 
@@ -297,30 +432,72 @@ def _sync_post_content(post):
         generate_post_thumbnail(post)
 
 
-def update_post_content(post, content):
+def generate_alternate_formats(post: model.Post, content: bytes) \
+        -> List[Tuple[model.Post, List[model.Tag]]]:
+    assert post
+    assert content
+    new_posts = []
+    if mime.is_animated_gif(content):
+        tag_names = [
+            tag_name.name
+            for tag_name in [tag.names for tag in post.tags]]
+
+        if config.config['convert']['gif']['to_mp4']:
+            mp4_post, new_tags = create_post(
+                images.Image(content).to_mp4(),
+                tag_names,
+                post.user)
+            update_post_flags(mp4_post, ['loop'])
+            update_post_safety(mp4_post, post.safety)
+            update_post_source(mp4_post, post.source)
+            new_posts += [(mp4_post, new_tags)]
+
+        if config.config['convert']['gif']['to_webm']:
+            webm_post, new_tags = create_post(
+                images.Image(content).to_webm(),
+                tag_names,
+                post.user)
+            update_post_flags(webm_post, ['loop'])
+            update_post_safety(webm_post, post.safety)
+            update_post_source(webm_post, post.source)
+            new_posts += [(webm_post, new_tags)]
+
+        db.session.flush()
+
+        new_posts = [p for p in new_posts if p[0] is not None]
+
+        new_relations = [p[0].post_id for p in new_posts]
+        if len(new_relations) > 0:
+            update_post_relations(post, new_relations)
+
+    return new_posts
+
+
+def update_post_content(post: model.Post, content: Optional[bytes]) -> None:
     assert post
     if not content:
         raise InvalidPostContentError('Post content missing.')
     post.mime_type = mime.get_mime_type(content)
     if mime.is_flash(post.mime_type):
-        post.type = db.Post.TYPE_FLASH
+        post.type = model.Post.TYPE_FLASH
     elif mime.is_image(post.mime_type):
         if mime.is_animated_gif(content):
-            post.type = db.Post.TYPE_ANIMATION
+            post.type = model.Post.TYPE_ANIMATION
         else:
-            post.type = db.Post.TYPE_IMAGE
+            post.type = model.Post.TYPE_IMAGE
     elif mime.is_video(post.mime_type):
-        post.type = db.Post.TYPE_VIDEO
+        post.type = model.Post.TYPE_VIDEO
     else:
         raise InvalidPostContentError(
             'Unhandled file type: %r' % post.mime_type)
 
     post.checksum = util.get_sha1(content)
-    other_post = db.session \
-        .query(db.Post) \
-        .filter(db.Post.checksum == post.checksum) \
-        .filter(db.Post.post_id != post.post_id) \
-        .one_or_none()
+    other_post = (
+        db.session
+        .query(model.Post)
+        .filter(model.Post.checksum == post.checksum)
+        .filter(model.Post.post_id != post.post_id)
+        .one_or_none())
     if other_post \
             and other_post.post_id \
             and other_post.post_id != post.post_id:
@@ -334,24 +511,27 @@ def update_post_content(post, content):
     except errors.ProcessingError:
         post.canvas_width = None
         post.canvas_height = None
-    if post.canvas_width <= 0 or post.canvas_height <= 0:
+    if (post.canvas_width is not None and post.canvas_width <= 0) \
+            or (post.canvas_height is not None and post.canvas_height <= 0):
         post.canvas_width = None
         post.canvas_height = None
     setattr(post, '__content', content)
 
 
-def update_post_thumbnail(post, content=None):
+def update_post_thumbnail(
+        post: model.Post, content: Optional[bytes] = None) -> None:
     assert post
     setattr(post, '__thumbnail', content)
 
 
-def generate_post_thumbnail(post):
+def generate_post_thumbnail(post: model.Post) -> None:
     assert post
     if files.has(get_post_thumbnail_backup_path(post)):
         content = files.get(get_post_thumbnail_backup_path(post))
     else:
         content = files.get(get_post_content_path(post))
     try:
+        assert content
         image = images.Image(content)
         image.resize_fill(
             int(config.config['thumbnails']['post_width']),
@@ -361,14 +541,15 @@ def generate_post_thumbnail(post):
         files.save(get_post_thumbnail_path(post), EMPTY_PIXEL)
 
 
-def update_post_tags(post, tag_names):
+def update_post_tags(
+        post: model.Post, tag_names: List[str]) -> List[model.Tag]:
     assert post
     existing_tags, new_tags = tags.get_or_create_tags_by_names(tag_names)
     post.tags = existing_tags + new_tags
     return new_tags
 
 
-def update_post_relations(post, new_post_ids):
+def update_post_relations(post: model.Post, new_post_ids: List[int]) -> None:
     assert post
     try:
         new_post_ids = [int(id) for id in new_post_ids]
@@ -377,10 +558,14 @@ def update_post_relations(post, new_post_ids):
             'A relation must be numeric post ID.')
     old_posts = post.relations
     old_post_ids = [int(p.post_id) for p in old_posts]
-    new_posts = db.session \
-        .query(db.Post) \
-        .filter(db.Post.post_id.in_(new_post_ids)) \
-        .all()
+    if new_post_ids:
+        new_posts = (
+            db.session
+            .query(model.Post)
+            .filter(model.Post.post_id.in_(new_post_ids))
+            .all())
+    else:
+        new_posts = []
     if len(new_posts) != len(new_post_ids):
         raise InvalidPostRelationError('One of relations does not exist.')
     if post.post_id in new_post_ids:
@@ -396,7 +581,7 @@ def update_post_relations(post, new_post_ids):
         relation.relations.append(post)
 
 
-def update_post_notes(post, notes):
+def update_post_notes(post: model.Post, notes: Any) -> None:
     assert post
     post.notes = []
     for note in notes:
@@ -427,13 +612,13 @@ def update_post_notes(post, notes):
             except ValueError:
                 raise InvalidPostNoteError(
                     'A point in note\'s polygon must be numeric.')
-        if util.value_exceeds_column_size(note['text'], db.PostNote.text):
+        if util.value_exceeds_column_size(note['text'], model.PostNote.text):
             raise InvalidPostNoteError('Note text is too long.')
         post.notes.append(
-            db.PostNote(polygon=note['polygon'], text=str(note['text'])))
+            model.PostNote(polygon=note['polygon'], text=str(note['text'])))
 
 
-def update_post_flags(post, flags):
+def update_post_flags(post: model.Post, flags: List[str]) -> None:
     assert post
     target_flags = []
     for flag in flags:
@@ -445,81 +630,95 @@ def update_post_flags(post, flags):
     post.flags = target_flags
 
 
-def feature_post(post, user):
+def feature_post(post: model.Post, user: Optional[model.User]) -> None:
     assert post
-    post_feature = db.PostFeature()
-    post_feature.time = datetime.datetime.utcnow()
+    post_feature = model.PostFeature()
+    post_feature.time = datetime.utcnow()
     post_feature.post = post
     post_feature.user = user
     db.session.add(post_feature)
 
 
-def delete(post):
+def delete(post: model.Post) -> None:
     assert post
     db.session.delete(post)
 
 
-def merge_posts(source_post, target_post, replace_content):
+def merge_posts(
+        source_post: model.Post,
+        target_post: model.Post,
+        replace_content: bool) -> None:
     assert source_post
     assert target_post
     if source_post.post_id == target_post.post_id:
         raise InvalidPostRelationError('Cannot merge post with itself.')
 
-    def merge_tables(table, anti_dup_func, source_post_id, target_post_id):
+    def merge_tables(
+            table: model.Base,
+            anti_dup_func: Optional[Callable[[model.Base, model.Base], bool]],
+            source_post_id: int,
+            target_post_id: int) -> None:
         alias1 = table
-        alias2 = sqlalchemy.orm.util.aliased(table)
-        update_stmt = (sqlalchemy.sql.expression.update(alias1)
+        alias2 = sa.orm.util.aliased(table)
+        update_stmt = (
+            sa.sql.expression.update(alias1)
             .where(alias1.post_id == source_post_id))
 
         if anti_dup_func is not None:
-            update_stmt = (update_stmt
-                .where(~sqlalchemy.exists()
+            update_stmt = (
+                update_stmt
+                .where(
+                    ~sa.exists()
                     .where(anti_dup_func(alias1, alias2))
                     .where(alias2.post_id == target_post_id)))
 
         update_stmt = update_stmt.values(post_id=target_post_id)
         db.session.execute(update_stmt)
 
-    def merge_tags(source_post_id, target_post_id):
+    def merge_tags(source_post_id: int, target_post_id: int) -> None:
         merge_tables(
-            db.PostTag,
+            model.PostTag,
             lambda alias1, alias2: alias1.tag_id == alias2.tag_id,
             source_post_id,
             target_post_id)
 
-    def merge_scores(source_post_id, target_post_id):
+    def merge_scores(source_post_id: int, target_post_id: int) -> None:
         merge_tables(
-            db.PostScore,
+            model.PostScore,
             lambda alias1, alias2: alias1.user_id == alias2.user_id,
             source_post_id,
             target_post_id)
 
-    def merge_favorites(source_post_id, target_post_id):
+    def merge_favorites(source_post_id: int, target_post_id: int) -> None:
         merge_tables(
-            db.PostFavorite,
+            model.PostFavorite,
             lambda alias1, alias2: alias1.user_id == alias2.user_id,
             source_post_id,
             target_post_id)
 
-    def merge_comments(source_post_id, target_post_id):
-        merge_tables(db.Comment, None, source_post_id, target_post_id)
+    def merge_comments(source_post_id: int, target_post_id: int) -> None:
+        merge_tables(model.Comment, None, source_post_id, target_post_id)
 
-    def merge_relations(source_post_id, target_post_id):
-        alias1 = db.PostRelation
-        alias2 = sqlalchemy.orm.util.aliased(db.PostRelation)
-        update_stmt = (sqlalchemy.sql.expression.update(alias1)
+    def merge_relations(source_post_id: int, target_post_id: int) -> None:
+        alias1 = model.PostRelation
+        alias2 = sa.orm.util.aliased(model.PostRelation)
+        update_stmt = (
+            sa.sql.expression.update(alias1)
             .where(alias1.parent_id == source_post_id)
             .where(alias1.child_id != target_post_id)
-            .where(~sqlalchemy.exists()
+            .where(
+                ~sa.exists()
                 .where(alias2.child_id == alias1.child_id)
                 .where(alias2.parent_id == target_post_id))
             .values(parent_id=target_post_id))
         db.session.execute(update_stmt)
 
-        update_stmt = (sqlalchemy.sql.expression.update(alias1)
+        update_stmt = (
+            sa.sql.expression.update(alias1)
             .where(alias1.child_id == source_post_id)
             .where(alias1.parent_id != target_post_id)
-            .where(~sqlalchemy.exists()
+            .where(
+                ~sa.exists()
                 .where(alias2.parent_id == alias1.parent_id)
                 .where(alias2.child_id == target_post_id))
             .values(child_id=target_post_id))
@@ -531,47 +730,56 @@ def merge_posts(source_post, target_post, replace_content):
     merge_favorites(source_post.post_id, target_post.post_id)
     merge_relations(source_post.post_id, target_post.post_id)
 
-    delete(source_post)
-
-    db.session.flush()
-
+    content = None
     if replace_content:
         content = files.get(get_post_content_path(source_post))
+
+    delete(source_post)
+    db.session.flush()
+
+    if content is not None:
         update_post_content(target_post, content)
 
 
-def search_by_image_exact(image_content):
+def search_by_image_exact(image_content: bytes) -> Optional[model.Post]:
     checksum = util.get_sha1(image_content)
-    return db.session \
-        .query(db.Post) \
-        .filter(db.Post.checksum == checksum) \
-        .one_or_none()
+    return (
+        db.session
+        .query(model.Post)
+        .filter(model.Post.checksum == checksum)
+        .one_or_none())
 
 
-def search_by_image(image_content):
+def search_by_image(image_content: bytes) -> List[PostLookalike]:
+    ret = []
     for result in image_hash.search_by_image(image_content):
-        yield PostLookalike(
-            score=result.score,
-            distance=result.distance,
-            post=get_post_by_id(result.path))
+        post = try_get_post_by_id(result.path)
+        if post:
+            ret.append(PostLookalike(
+                score=result.score,
+                distance=result.distance,
+                post=post))
+    return ret
 
 
-def populate_reverse_search():
+def populate_reverse_search() -> None:
     excluded_post_ids = image_hash.get_all_paths()
 
-    post_ids_to_hash = (db.session
-        .query(db.Post.post_id)
+    post_ids_to_hash = (
+        db.session
+        .query(model.Post.post_id)
         .filter(
-            (db.Post.type == db.Post.TYPE_IMAGE) |
-            (db.Post.type == db.Post.TYPE_ANIMATION))
-        .filter(~db.Post.post_id.in_(excluded_post_ids))
-        .order_by(db.Post.post_id.asc())
+            (model.Post.type == model.Post.TYPE_IMAGE) |
+            (model.Post.type == model.Post.TYPE_ANIMATION))
+        .filter(~model.Post.post_id.in_(excluded_post_ids))
+        .order_by(model.Post.post_id.asc())
         .all())
 
     for post_ids_chunk in util.chunks(post_ids_to_hash, 100):
-        posts_chunk = (db.session
-            .query(db.Post)
-            .filter(db.Post.post_id.in_(post_ids_chunk))
+        posts_chunk = (
+            db.session
+            .query(model.Post)
+            .filter(model.Post.post_id.in_(post_ids_chunk))
             .all())
         for post in posts_chunk:
             content_path = get_post_content_path(post)
diff --git a/server/szurubooru/func/scores.py b/server/szurubooru/func/scores.py
index a42961f2..615fd981 100644
--- a/server/szurubooru/func/scores.py
+++ b/server/szurubooru/func/scores.py
@@ -1,5 +1,6 @@
 import datetime
-from szurubooru import db, errors
+from typing import Any, Tuple, Callable
+from szurubooru import db, model, errors
 
 
 class InvalidScoreTargetError(errors.ValidationError):
@@ -10,22 +11,23 @@ class InvalidScoreValueError(errors.ValidationError):
     pass
 
 
-def _get_table_info(entity):
+def _get_table_info(
+        entity: model.Base) -> Tuple[model.Base, Callable[[model.Base], Any]]:
     assert entity
-    resource_type, _, _ = db.util.get_resource_info(entity)
+    resource_type, _, _ = model.util.get_resource_info(entity)
     if resource_type == 'post':
-        return db.PostScore, lambda table: table.post_id
+        return model.PostScore, lambda table: table.post_id
     elif resource_type == 'comment':
-        return db.CommentScore, lambda table: table.comment_id
+        return model.CommentScore, lambda table: table.comment_id
     raise InvalidScoreTargetError()
 
 
-def _get_score_entity(entity, user):
+def _get_score_entity(entity: model.Base, user: model.User) -> model.Base:
     assert user
-    return db.util.get_aux_entity(db.session, _get_table_info, entity, user)
+    return model.util.get_aux_entity(db.session, _get_table_info, entity, user)
 
 
-def delete_score(entity, user):
+def delete_score(entity: model.Base, user: model.User) -> None:
     assert entity
     assert user
     score_entity = _get_score_entity(entity, user)
@@ -33,19 +35,20 @@ def delete_score(entity, user):
         db.session.delete(score_entity)
 
 
-def get_score(entity, user):
+def get_score(entity: model.Base, user: model.User) -> int:
     assert entity
     assert user
     table, get_column = _get_table_info(entity)
-    row = db.session \
-        .query(table.score) \
-        .filter(get_column(table) == get_column(entity)) \
-        .filter(table.user_id == user.user_id) \
-        .one_or_none()
+    row = (
+        db.session
+        .query(table.score)
+        .filter(get_column(table) == get_column(entity))
+        .filter(table.user_id == user.user_id)
+        .one_or_none())
     return row[0] if row else 0
 
 
-def set_score(entity, user, score):
+def set_score(entity: model.Base, user: model.User, score: int) -> None:
     from szurubooru.func import favorites
     assert entity
     assert user
diff --git a/server/szurubooru/func/serialization.py b/server/szurubooru/func/serialization.py
new file mode 100644
index 00000000..699fb473
--- /dev/null
+++ b/server/szurubooru/func/serialization.py
@@ -0,0 +1,27 @@
+from typing import Any, List, Dict, Callable
+from szurubooru import model, rest, errors
+
+
+def get_serialization_options(ctx: rest.Context) -> List[str]:
+    return ctx.get_param_as_list('fields', default=[])
+
+
+class BaseSerializer:
+    _fields = {}  # type: Dict[str, Callable[[model.Base], Any]]
+
+    def serialize(self, options: List[str]) -> Any:
+        field_factories = self._serializers()
+        if not options:
+            options = list(field_factories.keys())
+        ret = {}
+        for key in options:
+            if key not in field_factories:
+                raise errors.ValidationError(
+                    'Invalid key: %r. Valid keys: %r.' % (
+                        key, list(sorted(field_factories.keys()))))
+            factory = field_factories[key]
+            ret[key] = factory()
+        return ret
+
+    def _serializers(self) -> Dict[str, Callable[[], Any]]:
+        raise NotImplementedError()
diff --git a/server/szurubooru/func/snapshots.py b/server/szurubooru/func/snapshots.py
index 4c236bb5..240c3bce 100644
--- a/server/szurubooru/func/snapshots.py
+++ b/server/szurubooru/func/snapshots.py
@@ -1,9 +1,10 @@
+from typing import Any, Optional, Dict, Callable
 from datetime import datetime
-from szurubooru import db
+from szurubooru import db, model
 from szurubooru.func import diff, users
 
 
-def get_tag_category_snapshot(category):
+def get_tag_category_snapshot(category: model.TagCategory) -> Dict[str, Any]:
     assert category
     return {
         'name': category.name,
@@ -12,7 +13,7 @@ def get_tag_category_snapshot(category):
     }
 
 
-def get_tag_snapshot(tag):
+def get_tag_snapshot(tag: model.Tag) -> Dict[str, Any]:
     assert tag
     return {
         'names': [tag_name.name for tag_name in tag.names],
@@ -22,7 +23,7 @@ def get_tag_snapshot(tag):
     }
 
 
-def get_post_snapshot(post):
+def get_post_snapshot(post: model.Post) -> Dict[str, Any]:
     assert post
     return {
         'source': post.source,
@@ -45,10 +46,11 @@ _snapshot_factories = {
     'tag_category': lambda entity: get_tag_category_snapshot(entity),
     'tag': lambda entity: get_tag_snapshot(entity),
     'post': lambda entity: get_post_snapshot(entity),
-}
+}  # type: Dict[model.Base, Callable[[model.Base], Dict[str ,Any]]]
 
 
-def serialize_snapshot(snapshot, auth_user):
+def serialize_snapshot(
+        snapshot: model.Snapshot, auth_user: model.User) -> Dict[str, Any]:
     assert snapshot
     return {
         'operation': snapshot.operation,
@@ -60,11 +62,14 @@ def serialize_snapshot(snapshot, auth_user):
     }
 
 
-def _create(operation, entity, auth_user):
+def _create(
+        operation: str,
+        entity: model.Base,
+        auth_user: Optional[model.User]) -> model.Snapshot:
     resource_type, resource_pkey, resource_name = (
-        db.util.get_resource_info(entity))
+        model.util.get_resource_info(entity))
 
-    snapshot = db.Snapshot()
+    snapshot = model.Snapshot()
     snapshot.creation_time = datetime.utcnow()
     snapshot.operation = operation
     snapshot.resource_type = resource_type
@@ -74,30 +79,33 @@ def _create(operation, entity, auth_user):
     return snapshot
 
 
-def create(entity, auth_user):
+def create(entity: model.Base, auth_user: Optional[model.User]) -> None:
     assert entity
-    snapshot = _create(db.Snapshot.OPERATION_CREATED, entity, auth_user)
+    snapshot = _create(model.Snapshot.OPERATION_CREATED, entity, auth_user)
     snapshot_factory = _snapshot_factories[snapshot.resource_type]
     snapshot.data = snapshot_factory(entity)
     db.session.add(snapshot)
 
 
 # pylint: disable=protected-access
-def modify(entity, auth_user):
+def modify(entity: model.Base, auth_user: Optional[model.User]) -> None:
     assert entity
 
-    model = next((model
-        for model in db.Base._decl_class_registry.values()
-        if hasattr(model, '__table__')
-            and model.__table__.fullname == entity.__table__.fullname),
+    table = next(
+        (
+            cls
+            for cls in model.Base._decl_class_registry.values()
+            if hasattr(cls, '__table__')
+            and cls.__table__.fullname == entity.__table__.fullname
+        ),
         None)
-    assert model
+    assert table
 
-    snapshot = _create(db.Snapshot.OPERATION_MODIFIED, entity, auth_user)
+    snapshot = _create(model.Snapshot.OPERATION_MODIFIED, entity, auth_user)
     snapshot_factory = _snapshot_factories[snapshot.resource_type]
 
     detached_session = db.sessionmaker()
-    detached_entity = detached_session.query(model).get(snapshot.resource_pkey)
+    detached_entity = detached_session.query(table).get(snapshot.resource_pkey)
     assert detached_entity, 'Entity not found in DB, have you committed it?'
     detached_snapshot = snapshot_factory(detached_entity)
     detached_session.close()
@@ -110,19 +118,23 @@ def modify(entity, auth_user):
     db.session.add(snapshot)
 
 
-def delete(entity, auth_user):
+def delete(entity: model.Base, auth_user: Optional[model.User]) -> None:
     assert entity
-    snapshot = _create(db.Snapshot.OPERATION_DELETED, entity, auth_user)
+    snapshot = _create(model.Snapshot.OPERATION_DELETED, entity, auth_user)
     snapshot_factory = _snapshot_factories[snapshot.resource_type]
     snapshot.data = snapshot_factory(entity)
     db.session.add(snapshot)
 
 
-def merge(source_entity, target_entity, auth_user):
+def merge(
+        source_entity: model.Base,
+        target_entity: model.Base,
+        auth_user: Optional[model.User]) -> None:
     assert source_entity
     assert target_entity
-    snapshot = _create(db.Snapshot.OPERATION_MERGED, source_entity, auth_user)
+    snapshot = _create(
+        model.Snapshot.OPERATION_MERGED, source_entity, auth_user)
     resource_type, _resource_pkey, resource_name = (
-        db.util.get_resource_info(target_entity))
+        model.util.get_resource_info(target_entity))
     snapshot.data = [resource_type, resource_name]
     db.session.add(snapshot)
diff --git a/server/szurubooru/func/tag_categories.py b/server/szurubooru/func/tag_categories.py
index bca15df2..bec2f0de 100644
--- a/server/szurubooru/func/tag_categories.py
+++ b/server/szurubooru/func/tag_categories.py
@@ -1,7 +1,8 @@
 import re
-import sqlalchemy
-from szurubooru import config, db, errors
-from szurubooru.func import util, cache
+from typing import Any, Optional, Dict, List, Callable
+import sqlalchemy as sa
+from szurubooru import config, db, model, errors, rest
+from szurubooru.func import util, serialization, cache
 
 
 DEFAULT_CATEGORY_NAME_CACHE_KEY = 'default-tag-category'
@@ -27,28 +28,52 @@ class InvalidTagCategoryColorError(errors.ValidationError):
     pass
 
 
-def _verify_name_validity(name):
+def _verify_name_validity(name: str) -> None:
     name_regex = config.config['tag_category_name_regex']
     if not re.match(name_regex, name):
         raise InvalidTagCategoryNameError(
             'Name must satisfy regex %r.' % name_regex)
 
 
-def serialize_category(category, options=None):
-    return util.serialize_entity(
-        category,
-        {
-            'name': lambda: category.name,
-            'version': lambda: category.version,
-            'color': lambda: category.color,
-            'usages': lambda: category.tag_count,
-            'default': lambda: category.default,
-        },
-        options)
+class TagCategorySerializer(serialization.BaseSerializer):
+    def __init__(self, category: model.TagCategory) -> None:
+        self.category = category
+
+    def _serializers(self) -> Dict[str, Callable[[], Any]]:
+        return {
+            'name': self.serialize_name,
+            'version': self.serialize_version,
+            'color': self.serialize_color,
+            'usages': self.serialize_usages,
+            'default': self.serialize_default,
+        }
+
+    def serialize_name(self) -> Any:
+        return self.category.name
+
+    def serialize_version(self) -> Any:
+        return self.category.version
+
+    def serialize_color(self) -> Any:
+        return self.category.color
+
+    def serialize_usages(self) -> Any:
+        return self.category.tag_count
+
+    def serialize_default(self) -> Any:
+        return self.category.default
 
 
-def create_category(name, color):
-    category = db.TagCategory()
+def serialize_category(
+        category: Optional[model.TagCategory],
+        options: List[str] = []) -> Optional[rest.Response]:
+    if not category:
+        return None
+    return TagCategorySerializer(category).serialize(options)
+
+
+def create_category(name: str, color: str) -> model.TagCategory:
+    category = model.TagCategory()
     update_category_name(category, name)
     update_category_color(category, color)
     if not get_all_categories():
@@ -56,96 +81,102 @@ def create_category(name, color):
     return category
 
 
-def update_category_name(category, name):
+def update_category_name(category: model.TagCategory, name: str) -> None:
     assert category
     if not name:
         raise InvalidTagCategoryNameError('Name cannot be empty.')
-    expr = sqlalchemy.func.lower(db.TagCategory.name) == name.lower()
+    expr = sa.func.lower(model.TagCategory.name) == name.lower()
     if category.tag_category_id:
         expr = expr & (
-            db.TagCategory.tag_category_id != category.tag_category_id)
-    already_exists = db.session.query(db.TagCategory).filter(expr).count() > 0
+            model.TagCategory.tag_category_id != category.tag_category_id)
+    already_exists = (
+        db.session.query(model.TagCategory).filter(expr).count() > 0)
     if already_exists:
         raise TagCategoryAlreadyExistsError(
             'A category with this name already exists.')
-    if util.value_exceeds_column_size(name, db.TagCategory.name):
+    if util.value_exceeds_column_size(name, model.TagCategory.name):
         raise InvalidTagCategoryNameError('Name is too long.')
     _verify_name_validity(name)
     category.name = name
     cache.remove(DEFAULT_CATEGORY_NAME_CACHE_KEY)
 
 
-def update_category_color(category, color):
+def update_category_color(category: model.TagCategory, color: str) -> None:
     assert category
     if not color:
         raise InvalidTagCategoryColorError('Color cannot be empty.')
     if not re.match(r'^#?[0-9a-z]+$', color):
         raise InvalidTagCategoryColorError('Invalid color.')
-    if util.value_exceeds_column_size(color, db.TagCategory.color):
+    if util.value_exceeds_column_size(color, model.TagCategory.color):
         raise InvalidTagCategoryColorError('Color is too long.')
     category.color = color
 
 
-def try_get_category_by_name(name, lock=False):
-    query = db.session \
-        .query(db.TagCategory) \
-        .filter(sqlalchemy.func.lower(db.TagCategory.name) == name.lower())
+def try_get_category_by_name(
+        name: str, lock: bool = False) -> Optional[model.TagCategory]:
+    query = (
+        db.session
+        .query(model.TagCategory)
+        .filter(sa.func.lower(model.TagCategory.name) == name.lower()))
     if lock:
         query = query.with_lockmode('update')
     return query.one_or_none()
 
 
-def get_category_by_name(name, lock=False):
+def get_category_by_name(name: str, lock: bool = False) -> model.TagCategory:
     category = try_get_category_by_name(name, lock)
     if not category:
         raise TagCategoryNotFoundError('Tag category %r not found.' % name)
     return category
 
 
-def get_all_category_names():
-    return [row[0] for row in db.session.query(db.TagCategory.name).all()]
+def get_all_category_names() -> List[str]:
+    return [row[0] for row in db.session.query(model.TagCategory.name).all()]
 
 
-def get_all_categories():
-    return db.session.query(db.TagCategory).all()
+def get_all_categories() -> List[model.TagCategory]:
+    return db.session.query(model.TagCategory).all()
 
 
-def try_get_default_category(lock=False):
-    query = db.session \
-        .query(db.TagCategory) \
-        .filter(db.TagCategory.default)
+def try_get_default_category(
+        lock: bool = False) -> Optional[model.TagCategory]:
+    query = (
+        db.session
+        .query(model.TagCategory)
+        .filter(model.TagCategory.default))
     if lock:
         query = query.with_lockmode('update')
     category = query.first()
     # if for some reason (e.g. as a result of migration) there's no default
     # category, get the first record available.
     if not category:
-        query = db.session \
-            .query(db.TagCategory) \
-            .order_by(db.TagCategory.tag_category_id.asc())
+        query = (
+            db.session
+            .query(model.TagCategory)
+            .order_by(model.TagCategory.tag_category_id.asc()))
         if lock:
             query = query.with_lockmode('update')
         category = query.first()
     return category
 
 
-def get_default_category(lock=False):
+def get_default_category(lock: bool = False) -> model.TagCategory:
     category = try_get_default_category(lock)
     if not category:
         raise TagCategoryNotFoundError('No tag category created yet.')
     return category
 
 
-def get_default_category_name():
+def get_default_category_name() -> str:
     if cache.has(DEFAULT_CATEGORY_NAME_CACHE_KEY):
         return cache.get(DEFAULT_CATEGORY_NAME_CACHE_KEY)
-    default_category = try_get_default_category()
-    default_category_name = default_category.name if default_category else None
+    default_category = get_default_category()
+    default_category_name = default_category.name
     cache.put(DEFAULT_CATEGORY_NAME_CACHE_KEY, default_category_name)
     return default_category_name
 
 
-def set_default_category(category):
+def set_default_category(category: model.TagCategory) -> None:
     assert category
     old_category = try_get_default_category(lock=True)
     if old_category:
@@ -156,7 +187,7 @@ def set_default_category(category):
     cache.remove(DEFAULT_CATEGORY_NAME_CACHE_KEY)
 
 
-def delete_category(category):
+def delete_category(category: model.TagCategory) -> None:
     assert category
     if len(get_all_category_names()) == 1:
         raise TagCategoryIsInUseError('Cannot delete the last category.')
diff --git a/server/szurubooru/func/tags.py b/server/szurubooru/func/tags.py
index ece1231d..7d92f1e7 100644
--- a/server/szurubooru/func/tags.py
+++ b/server/szurubooru/func/tags.py
@@ -1,10 +1,11 @@
-import datetime
 import json
 import os
 import re
-import sqlalchemy
-from szurubooru import config, db, errors
-from szurubooru.func import util, tag_categories
+from typing import Any, Optional, Tuple, List, Dict, Callable
+from datetime import datetime
+import sqlalchemy as sa
+from szurubooru import config, db, model, errors, rest
+from szurubooru.func import util, tag_categories, serialization
 
 
 class TagNotFoundError(errors.NotFoundError):
@@ -35,31 +36,32 @@ class InvalidTagDescriptionError(errors.ValidationError):
     pass
 
 
-def _verify_name_validity(name):
-    if util.value_exceeds_column_size(name, db.TagName.name):
+def _verify_name_validity(name: str) -> None:
+    if util.value_exceeds_column_size(name, model.TagName.name):
         raise InvalidTagNameError('Name is too long.')
     name_regex = config.config['tag_name_regex']
     if not re.match(name_regex, name):
         raise InvalidTagNameError('Name must satisfy regex %r.' % name_regex)
 
 
-def _get_names(tag):
+def _get_names(tag: model.Tag) -> List[str]:
     assert tag
     return [tag_name.name for tag_name in tag.names]
 
 
-def _lower_list(names):
+def _lower_list(names: List[str]) -> List[str]:
     return [name.lower() for name in names]
 
 
-def _check_name_intersection(names1, names2, case_sensitive):
+def _check_name_intersection(
+        names1: List[str], names2: List[str], case_sensitive: bool) -> bool:
     if not case_sensitive:
         names1 = _lower_list(names1)
         names2 = _lower_list(names2)
     return len(set(names1).intersection(names2)) > 0
 
 
-def sort_tags(tags):
+def sort_tags(tags: List[model.Tag]) -> List[model.Tag]:
     default_category_name = tag_categories.get_default_category_name()
     return sorted(
         tags,
@@ -70,107 +72,102 @@ def sort_tags(tags):
     )
 
 
-def serialize_tag(tag, options=None):
-    return util.serialize_entity(
-        tag,
-        {
-            'names': lambda: [tag_name.name for tag_name in tag.names],
-            'category': lambda: tag.category.name,
-            'version': lambda: tag.version,
-            'description': lambda: tag.description,
-            'creationTime': lambda: tag.creation_time,
-            'lastEditTime': lambda: tag.last_edit_time,
-            'usages': lambda: tag.post_count,
-            'suggestions': lambda: [
-                relation.names[0].name
-                for relation in sort_tags(tag.suggestions)],
-            'implications': lambda: [
-                relation.names[0].name
-                for relation in sort_tags(tag.implications)],
-        },
-        options)
-
-
-def export_to_json():
-    tags = {}
-    categories = {}
-
-    for result in db.session.query(
-            db.TagCategory.tag_category_id,
-            db.TagCategory.name,
-            db.TagCategory.color).all():
-        categories[result[0]] = {
-            'name': result[1],
-            'color': result[2],
-        }
-
-    for result in (db.session
-            .query(db.TagName.tag_id, db.TagName.name)
-            .order_by(db.TagName.order)
-            .all()):
-        if not result[0] in tags:
-            tags[result[0]] = {'names': []}
-        tags[result[0]]['names'].append(result[1])
-
-    for result in (db.session
-            .query(db.TagSuggestion.parent_id, db.TagName.name)
-            .join(db.TagName, db.TagName.tag_id == db.TagSuggestion.child_id)
-            .all()):
-        if 'suggestions' not in tags[result[0]]:
-            tags[result[0]]['suggestions'] = []
-        tags[result[0]]['suggestions'].append(result[1])
-
-    for result in (db.session
-            .query(db.TagImplication.parent_id, db.TagName.name)
-            .join(db.TagName, db.TagName.tag_id == db.TagImplication.child_id)
-            .all()):
-        if 'implications' not in tags[result[0]]:
-            tags[result[0]]['implications'] = []
-        tags[result[0]]['implications'].append(result[1])
-
-    for result in db.session.query(
-            db.Tag.tag_id,
-            db.Tag.category_id,
-            db.Tag.post_count).all():
-        tags[result[0]]['category'] = categories[result[1]]['name']
-        tags[result[0]]['usages'] = result[2]
-
-    output = {
-        'categories': list(categories.values()),
-        'tags': list(tags.values()),
+def serialize_relation(tag):
+    return {
+        'names': [tag_name.name for tag_name in tag.names],
+        'category': tag.category.name,
+        'usages': tag.post_count,
     }
 
-    export_path = os.path.join(config.config['data_dir'], 'tags.json')
-    with open(export_path, 'w') as handle:
-        handle.write(json.dumps(output, separators=(',', ':')))
+
+class TagSerializer(serialization.BaseSerializer):
+    def __init__(self, tag: model.Tag) -> None:
+        self.tag = tag
+
+    def _serializers(self) -> Dict[str, Callable[[], Any]]:
+        return {
+            'names': self.serialize_names,
+            'category': self.serialize_category,
+            'version': self.serialize_version,
+            'description': self.serialize_description,
+            'creationTime': self.serialize_creation_time,
+            'lastEditTime': self.serialize_last_edit_time,
+            'usages': self.serialize_usages,
+            'suggestions': self.serialize_suggestions,
+            'implications': self.serialize_implications,
+        }
+
+    def serialize_names(self) -> Any:
+        return [tag_name.name for tag_name in self.tag.names]
+
+    def serialize_category(self) -> Any:
+        return self.tag.category.name
+
+    def serialize_version(self) -> Any:
+        return self.tag.version
+
+    def serialize_description(self) -> Any:
+        return self.tag.description
+
+    def serialize_creation_time(self) -> Any:
+        return self.tag.creation_time
+
+    def serialize_last_edit_time(self) -> Any:
+        return self.tag.last_edit_time
+
+    def serialize_usages(self) -> Any:
+        return self.tag.post_count
+
+    def serialize_suggestions(self) -> Any:
+        return [
+            serialize_relation(relation)
+            for relation in sort_tags(self.tag.suggestions)]
+
+    def serialize_implications(self) -> Any:
+        return [
+            serialize_relation(relation)
+            for relation in sort_tags(self.tag.implications)]
 
 
-def try_get_tag_by_name(name):
-    return (db.session
-        .query(db.Tag)
-        .join(db.TagName)
-        .filter(sqlalchemy.func.lower(db.TagName.name) == name.lower())
+def serialize_tag(
+        tag: model.Tag, options: List[str] = []) -> Optional[rest.Response]:
+    if not tag:
+        return None
+    return TagSerializer(tag).serialize(options)
+
+
+def try_get_tag_by_name(name: str) -> Optional[model.Tag]:
+    return (
+        db.session
+        .query(model.Tag)
+        .join(model.TagName)
+        .filter(sa.func.lower(model.TagName.name) == name.lower())
         .one_or_none())
 
 
-def get_tag_by_name(name):
+def get_tag_by_name(name: str) -> model.Tag:
     tag = try_get_tag_by_name(name)
     if not tag:
         raise TagNotFoundError('Tag %r not found.' % name)
     return tag
 
 
-def get_tags_by_names(names):
+def get_tags_by_names(names: List[str]) -> List[model.Tag]:
     names = util.icase_unique(names)
     if len(names) == 0:
         return []
-    expr = sqlalchemy.sql.false()
-    for name in names:
-        expr = expr | (sqlalchemy.func.lower(db.TagName.name) == name.lower())
-    return db.session.query(db.Tag).join(db.TagName).filter(expr).all()
+    return (
+        db.session.query(model.Tag)
+        .join(model.TagName)
+        .filter(
+            sa.sql.or_(
+                sa.func.lower(model.TagName.name) == name.lower()
+                for name in names))
+        .all())
 
 
-def get_or_create_tags_by_names(names):
+def get_or_create_tags_by_names(
+        names: List[str]) -> Tuple[List[model.Tag], List[model.Tag]]:
     names = util.icase_unique(names)
     existing_tags = get_tags_by_names(names)
     new_tags = []
@@ -193,78 +190,88 @@ def get_or_create_tags_by_names(names):
     return existing_tags, new_tags
 
 
-def get_tag_siblings(tag):
+def get_tag_siblings(tag: model.Tag) -> List[model.Tag]:
     assert tag
-    tag_alias = sqlalchemy.orm.aliased(db.Tag)
-    pt_alias1 = sqlalchemy.orm.aliased(db.PostTag)
-    pt_alias2 = sqlalchemy.orm.aliased(db.PostTag)
-    result = (db.session
-        .query(tag_alias, sqlalchemy.func.count(pt_alias2.post_id))
+    tag_alias = sa.orm.aliased(model.Tag)
+    pt_alias1 = sa.orm.aliased(model.PostTag)
+    pt_alias2 = sa.orm.aliased(model.PostTag)
+    result = (
+        db.session
+        .query(tag_alias, sa.func.count(pt_alias2.post_id))
         .join(pt_alias1, pt_alias1.tag_id == tag_alias.tag_id)
         .join(pt_alias2, pt_alias2.post_id == pt_alias1.post_id)
         .filter(pt_alias2.tag_id == tag.tag_id)
         .filter(pt_alias1.tag_id != tag.tag_id)
         .group_by(tag_alias.tag_id)
-        .order_by(sqlalchemy.func.count(pt_alias2.post_id).desc())
+        .order_by(sa.func.count(pt_alias2.post_id).desc())
+        .order_by(tag_alias.first_name)
         .limit(50))
     return result
 
 
-def delete(source_tag):
+def delete(source_tag: model.Tag) -> None:
     assert source_tag
     db.session.execute(
-        sqlalchemy.sql.expression.delete(db.TagSuggestion)
-            .where(db.TagSuggestion.child_id == source_tag.tag_id))
+        sa.sql.expression.delete(model.TagSuggestion)
+        .where(model.TagSuggestion.child_id == source_tag.tag_id))
     db.session.execute(
-        sqlalchemy.sql.expression.delete(db.TagImplication)
-            .where(db.TagImplication.child_id == source_tag.tag_id))
+        sa.sql.expression.delete(model.TagImplication)
+        .where(model.TagImplication.child_id == source_tag.tag_id))
     db.session.delete(source_tag)
 
 
-def merge_tags(source_tag, target_tag):
+def merge_tags(source_tag: model.Tag, target_tag: model.Tag) -> None:
     assert source_tag
     assert target_tag
     if source_tag.tag_id == target_tag.tag_id:
         raise InvalidTagRelationError('Cannot merge tag with itself.')
 
-    def merge_posts(source_tag_id, target_tag_id):
-        alias1 = db.PostTag
-        alias2 = sqlalchemy.orm.util.aliased(db.PostTag)
-        update_stmt = (sqlalchemy.sql.expression.update(alias1)
+    def merge_posts(source_tag_id: int, target_tag_id: int) -> None:
+        alias1 = model.PostTag
+        alias2 = sa.orm.util.aliased(model.PostTag)
+        update_stmt = (
+            sa.sql.expression.update(alias1)
             .where(alias1.tag_id == source_tag_id))
-        update_stmt = (update_stmt
-            .where(~sqlalchemy.exists()
+        update_stmt = (
+            update_stmt
+            .where(
+                ~sa.exists()
                 .where(alias1.post_id == alias2.post_id)
                 .where(alias2.tag_id == target_tag_id)))
         update_stmt = update_stmt.values(tag_id=target_tag_id)
         db.session.execute(update_stmt)
 
-    def merge_relations(table, source_tag_id, target_tag_id):
+    def merge_relations(
+            table: model.Base, source_tag_id: int, target_tag_id: int) -> None:
         alias1 = table
-        alias2 = sqlalchemy.orm.util.aliased(table)
-        update_stmt = (sqlalchemy.sql.expression.update(alias1)
+        alias2 = sa.orm.util.aliased(table)
+        update_stmt = (
+            sa.sql.expression.update(alias1)
             .where(alias1.parent_id == source_tag_id)
             .where(alias1.child_id != target_tag_id)
-            .where(~sqlalchemy.exists()
+            .where(
+                ~sa.exists()
                 .where(alias2.child_id == alias1.child_id)
                 .where(alias2.parent_id == target_tag_id))
             .values(parent_id=target_tag_id))
         db.session.execute(update_stmt)
 
-        update_stmt = (sqlalchemy.sql.expression.update(alias1)
+        update_stmt = (
+            sa.sql.expression.update(alias1)
             .where(alias1.child_id == source_tag_id)
             .where(alias1.parent_id != target_tag_id)
-            .where(~sqlalchemy.exists()
+            .where(
+                ~sa.exists()
                 .where(alias2.parent_id == alias1.parent_id)
                 .where(alias2.child_id == target_tag_id))
             .values(child_id=target_tag_id))
         db.session.execute(update_stmt)
 
-    def merge_suggestions(source_tag_id, target_tag_id):
-        merge_relations(db.TagSuggestion, source_tag_id, target_tag_id)
+    def merge_suggestions(source_tag_id: int, target_tag_id: int) -> None:
+        merge_relations(model.TagSuggestion, source_tag_id, target_tag_id)
 
-    def merge_implications(source_tag_id, target_tag_id):
-        merge_relations(db.TagImplication, source_tag_id, target_tag_id)
+    def merge_implications(source_tag_id: int, target_tag_id: int) -> None:
+        merge_relations(model.TagImplication, source_tag_id, target_tag_id)
 
     merge_posts(source_tag.tag_id, target_tag.tag_id)
     merge_suggestions(source_tag.tag_id, target_tag.tag_id)
@@ -272,9 +279,13 @@ def merge_tags(source_tag, target_tag):
     delete(source_tag)
 
 
-def create_tag(names, category_name, suggestions, implications):
-    tag = db.Tag()
-    tag.creation_time = datetime.datetime.utcnow()
+def create_tag(
+        names: List[str],
+        category_name: str,
+        suggestions: List[str],
+        implications: List[str]) -> model.Tag:
+    tag = model.Tag()
+    tag.creation_time = datetime.utcnow()
     update_tag_names(tag, names)
     update_tag_category_name(tag, category_name)
     update_tag_suggestions(tag, suggestions)
@@ -282,12 +293,12 @@ def create_tag(names, category_name, suggestions, implications):
     return tag
 
 
-def update_tag_category_name(tag, category_name):
+def update_tag_category_name(tag: model.Tag, category_name: str) -> None:
     assert tag
     tag.category = tag_categories.get_category_by_name(category_name)
 
 
-def update_tag_names(tag, names):
+def update_tag_names(tag: model.Tag, names: List[str]) -> None:
     # sanitize
     assert tag
     names = util.icase_unique([name for name in names if name])
@@ -297,12 +308,12 @@ def update_tag_names(tag, names):
         _verify_name_validity(name)
 
     # check for existing tags
-    expr = sqlalchemy.sql.false()
+    expr = sa.sql.false()
     for name in names:
-        expr = expr | (sqlalchemy.func.lower(db.TagName.name) == name.lower())
+        expr = expr | (sa.func.lower(model.TagName.name) == name.lower())
     if tag.tag_id:
-        expr = expr & (db.TagName.tag_id != tag.tag_id)
-    existing_tags = db.session.query(db.TagName).filter(expr).all()
+        expr = expr & (model.TagName.tag_id != tag.tag_id)
+    existing_tags = db.session.query(model.TagName).filter(expr).all()
     if len(existing_tags):
         raise TagAlreadyExistsError(
             'One of names is already used by another tag.')
@@ -314,7 +325,7 @@ def update_tag_names(tag, names):
     # add wanted items
     for name in names:
         if not _check_name_intersection(_get_names(tag), [name], True):
-            tag.names.append(db.TagName(name, None))
+            tag.names.append(model.TagName(name, -1))
 
     # set alias order to match the request
     for i, name in enumerate(names):
@@ -324,7 +335,7 @@ def update_tag_names(tag, names):
 
 
 # TODO: what to do with relations that do not yet exist?
-def update_tag_implications(tag, relations):
+def update_tag_implications(tag: model.Tag, relations: List[str]) -> None:
     assert tag
     if _check_name_intersection(_get_names(tag), relations, False):
         raise InvalidTagRelationError('Tag cannot imply itself.')
@@ -332,15 +343,15 @@ def update_tag_implications(tag, relations):
 
 
 # TODO: what to do with relations that do not yet exist?
-def update_tag_suggestions(tag, relations):
+def update_tag_suggestions(tag: model.Tag, relations: List[str]) -> None:
     assert tag
     if _check_name_intersection(_get_names(tag), relations, False):
         raise InvalidTagRelationError('Tag cannot suggest itself.')
     tag.suggestions = get_tags_by_names(relations)
 
 
-def update_tag_description(tag, description):
+def update_tag_description(tag: model.Tag, description: str) -> None:
     assert tag
-    if util.value_exceeds_column_size(description, db.Tag.description):
+    if util.value_exceeds_column_size(description, model.Tag.description):
         raise InvalidTagDescriptionError('Description is too long.')
-    tag.description = description
+    tag.description = description or None
diff --git a/server/szurubooru/func/user_tokens.py b/server/szurubooru/func/user_tokens.py
new file mode 100644
index 00000000..c0f4badb
--- /dev/null
+++ b/server/szurubooru/func/user_tokens.py
@@ -0,0 +1,146 @@
+from datetime import datetime
+from typing import Any, Optional, List, Dict, Callable
+from pyrfc3339 import parser as rfc3339_parser
+import pytz
+from szurubooru import db, model, rest, errors
+from szurubooru.func import auth, serialization, users, util
+
+
+class InvalidExpirationError(errors.ValidationError):
+    pass
+
+
+class InvalidNoteError(errors.ValidationError):
+    pass
+
+
+class UserTokenSerializer(serialization.BaseSerializer):
+    def __init__(
+            self,
+            user_token: model.UserToken,
+            auth_user: model.User) -> None:
+        self.user_token = user_token
+        self.auth_user = auth_user
+
+    def _serializers(self) -> Dict[str, Callable[[], Any]]:
+        return {
+            'user': self.serialize_user,
+            'token': self.serialize_token,
+            'note': self.serialize_note,
+            'enabled': self.serialize_enabled,
+            'expirationTime': self.serialize_expiration_time,
+            'creationTime': self.serialize_creation_time,
+            'lastEditTime': self.serialize_last_edit_time,
+            'lastUsageTime': self.serialize_last_usage_time,
+            'version': self.serialize_version,
+        }
+
+    def serialize_user(self) -> Any:
+        return users.serialize_micro_user(self.user_token.user, self.auth_user)
+
+    def serialize_creation_time(self) -> Any:
+        return self.user_token.creation_time
+
+    def serialize_last_edit_time(self) -> Any:
+        return self.user_token.last_edit_time
+
+    def serialize_last_usage_time(self) -> Any:
+        return self.user_token.last_usage_time
+
+    def serialize_token(self) -> Any:
+        return self.user_token.token
+
+    def serialize_note(self) -> Any:
+        return self.user_token.note
+
+    def serialize_enabled(self) -> Any:
+        return self.user_token.enabled
+
+    def serialize_expiration_time(self) -> Any:
+        return self.user_token.expiration_time
+
+    def serialize_version(self) -> Any:
+        return self.user_token.version
+
+
+def serialize_user_token(
+        user_token: Optional[model.UserToken],
+        auth_user: model.User,
+        options: List[str] = []) -> Optional[rest.Response]:
+    if not user_token:
+        return None
+    return UserTokenSerializer(user_token, auth_user).serialize(options)
+
+
+def get_by_user_and_token(
+        user: model.User, token: str) -> model.UserToken:
+    return (
+        db.session
+        .query(model.UserToken)
+        .filter(model.UserToken.user_id == user.user_id)
+        .filter(model.UserToken.token == token)
+        .one_or_none())
+
+
+def get_user_tokens(user: model.User) -> List[model.UserToken]:
+    assert user
+    return (
+        db.session
+        .query(model.UserToken)
+        .filter(model.UserToken.user_id == user.user_id)
+        .all())
+
+
+def create_user_token(user: model.User, enabled: bool) -> model.UserToken:
+    assert user
+    user_token = model.UserToken()
+    user_token.user = user
+    user_token.token = auth.generate_authorization_token()
+    user_token.enabled = enabled
+    user_token.creation_time = datetime.utcnow()
+    user_token.last_usage_time = datetime.utcnow()
+    return user_token
+
+
+def update_user_token_enabled(
+        user_token: model.UserToken, enabled: bool) -> None:
+    assert user_token
+    user_token.enabled = enabled
+    update_user_token_edit_time(user_token)
+
+
+def update_user_token_edit_time(user_token: model.UserToken) -> None:
+    assert user_token
+    user_token.last_edit_time = datetime.utcnow()
+
+
+def update_user_token_expiration_time(
+        user_token: model.UserToken, expiration_time_str: str) -> None:
+    assert user_token
+    try:
+        expiration_time = rfc3339_parser.parse(expiration_time_str, utc=True)
+        expiration_time = expiration_time.astimezone(pytz.UTC)
+        if expiration_time < datetime.utcnow().replace(tzinfo=pytz.UTC):
+            raise InvalidExpirationError(
+                'Expiration cannot happen in the past')
+        user_token.expiration_time = expiration_time
+        update_user_token_edit_time(user_token)
+    except ValueError:
+        raise InvalidExpirationError(
+            'Expiration is in an invalid format {}'.format(
+                expiration_time_str))
+
+
+def update_user_token_note(user_token: model.UserToken, note: str) -> None:
+    assert user_token
+    note = note.strip() if note is not None else ''
+    note = None if len(note) == 0 else note
+    if util.value_exceeds_column_size(note, model.UserToken.note):
+        raise InvalidNoteError('Note is too long.')
+    user_token.note = note
+    update_user_token_edit_time(user_token)
+
+
+def bump_usage_time(user_token: model.UserToken) -> None:
+    assert user_token
+    user_token.last_usage_time = datetime.utcnow()
diff --git a/server/szurubooru/func/users.py b/server/szurubooru/func/users.py
index c644d4a2..e5946dc9 100644
--- a/server/szurubooru/func/users.py
+++ b/server/szurubooru/func/users.py
@@ -1,8 +1,9 @@
-import datetime
+from datetime import datetime
+from typing import Any, Optional, Union, List, Dict, Callable
 import re
-from sqlalchemy import func
-from szurubooru import config, db, errors
-from szurubooru.func import auth, util, files, images
+import sqlalchemy as sa
+from szurubooru import config, db, model, errors, rest
+from szurubooru.func import auth, util, serialization, files, images
 
 
 class UserNotFoundError(errors.NotFoundError):
@@ -33,24 +34,26 @@ class InvalidAvatarError(errors.ValidationError):
     pass
 
 
-def get_avatar_path(user_name):
+def get_avatar_path(user_name: str) -> str:
     return 'avatars/' + user_name.lower() + '.png'
 
 
-def get_avatar_url(user):
+def get_avatar_url(user: model.User) -> str:
     assert user
     if user.avatar_style == user.AVATAR_GRAVATAR:
         assert user.email or user.name
         return 'https://gravatar.com/avatar/%s?d=retro&s=%d' % (
             util.get_md5((user.email or user.name).lower()),
             config.config['thumbnails']['avatar_width'])
-    else:
-        assert user.name
-        return '%s/avatars/%s.png' % (
-            config.config['data_url'].rstrip('/'), user.name.lower())
+    assert user.name
+    return '%s/avatars/%s.png' % (
+        config.config['data_url'].rstrip('/'), user.name.lower())
 
 
-def get_email(user, auth_user, force_show_email):
+def get_email(
+        user: model.User,
+        auth_user: model.User,
+        force_show_email: bool) -> Union[bool, str]:
     assert user
     assert auth_user
     if not force_show_email \
@@ -60,7 +63,8 @@ def get_email(user, auth_user, force_show_email):
     return user.email
 
 
-def get_liked_post_count(user, auth_user):
+def get_liked_post_count(
+        user: model.User, auth_user: model.User) -> Union[bool, int]:
     assert user
     assert auth_user
     if auth_user.user_id != user.user_id:
@@ -68,7 +72,8 @@ def get_liked_post_count(user, auth_user):
     return user.liked_post_count
 
 
-def get_disliked_post_count(user, auth_user):
+def get_disliked_post_count(
+        user: model.User, auth_user: model.User) -> Union[bool, int]:
     assert user
     assert auth_user
     if auth_user.user_id != user.user_id:
@@ -76,90 +81,145 @@ def get_disliked_post_count(user, auth_user):
     return user.disliked_post_count
 
 
-def serialize_user(user, auth_user, options=None, force_show_email=False):
-    return util.serialize_entity(
-        user,
-        {
-            'name': lambda: user.name,
-            'creationTime': lambda: user.creation_time,
-            'lastLoginTime': lambda: user.last_login_time,
-            'version': lambda: user.version,
-            'rank': lambda: user.rank,
-            'avatarStyle': lambda: user.avatar_style,
-            'avatarUrl': lambda: get_avatar_url(user),
-            'commentCount': lambda: user.comment_count,
-            'uploadedPostCount': lambda: user.post_count,
-            'favoritePostCount': lambda: user.favorite_post_count,
-            'likedPostCount':
-                lambda: get_liked_post_count(user, auth_user),
-            'dislikedPostCount':
-                lambda: get_disliked_post_count(user, auth_user),
-            'email':
-                lambda: get_email(user, auth_user, force_show_email),
-        },
-        options)
+class UserSerializer(serialization.BaseSerializer):
+    def __init__(
+            self,
+            user: model.User,
+            auth_user: model.User,
+            force_show_email: bool = False) -> None:
+        self.user = user
+        self.auth_user = auth_user
+        self.force_show_email = force_show_email
+
+    def _serializers(self) -> Dict[str, Callable[[], Any]]:
+        return {
+            'name': self.serialize_name,
+            'creationTime': self.serialize_creation_time,
+            'lastLoginTime': self.serialize_last_login_time,
+            'version': self.serialize_version,
+            'rank': self.serialize_rank,
+            'avatarStyle': self.serialize_avatar_style,
+            'avatarUrl': self.serialize_avatar_url,
+            'commentCount': self.serialize_comment_count,
+            'uploadedPostCount': self.serialize_uploaded_post_count,
+            'favoritePostCount': self.serialize_favorite_post_count,
+            'likedPostCount': self.serialize_liked_post_count,
+            'dislikedPostCount': self.serialize_disliked_post_count,
+            'email': self.serialize_email,
+        }
+
+    def serialize_name(self) -> Any:
+        return self.user.name
+
+    def serialize_creation_time(self) -> Any:
+        return self.user.creation_time
+
+    def serialize_last_login_time(self) -> Any:
+        return self.user.last_login_time
+
+    def serialize_version(self) -> Any:
+        return self.user.version
+
+    def serialize_rank(self) -> Any:
+        return self.user.rank
+
+    def serialize_avatar_style(self) -> Any:
+        return self.user.avatar_style
+
+    def serialize_avatar_url(self) -> Any:
+        return get_avatar_url(self.user)
+
+    def serialize_comment_count(self) -> Any:
+        return self.user.comment_count
+
+    def serialize_uploaded_post_count(self) -> Any:
+        return self.user.post_count
+
+    def serialize_favorite_post_count(self) -> Any:
+        return self.user.favorite_post_count
+
+    def serialize_liked_post_count(self) -> Any:
+        return get_liked_post_count(self.user, self.auth_user)
+
+    def serialize_disliked_post_count(self) -> Any:
+        return get_disliked_post_count(self.user, self.auth_user)
+
+    def serialize_email(self) -> Any:
+        return get_email(self.user, self.auth_user, self.force_show_email)
 
 
-def serialize_micro_user(user, auth_user):
+def serialize_user(
+        user: Optional[model.User],
+        auth_user: model.User,
+        options: List[str] = [],
+        force_show_email: bool = False) -> Optional[rest.Response]:
+    if not user:
+        return None
+    return UserSerializer(user, auth_user, force_show_email).serialize(options)
+
+
+def serialize_micro_user(
+        user: Optional[model.User],
+        auth_user: model.User) -> Optional[rest.Response]:
     return serialize_user(
-        user,
-        auth_user=auth_user,
-        options=['name', 'avatarUrl'])
+        user, auth_user=auth_user, options=['name', 'avatarUrl'])
 
 
-def get_user_count():
-    return db.session.query(db.User).count()
+def get_user_count() -> int:
+    return db.session.query(model.User).count()
 
 
-def try_get_user_by_name(name):
-    return db.session \
-        .query(db.User) \
-        .filter(func.lower(db.User.name) == func.lower(name)) \
-        .one_or_none()
+def try_get_user_by_name(name: str) -> Optional[model.User]:
+    return (
+        db.session
+        .query(model.User)
+        .filter(sa.func.lower(model.User.name) == sa.func.lower(name))
+        .one_or_none())
 
 
-def get_user_by_name(name):
+def get_user_by_name(name: str) -> model.User:
     user = try_get_user_by_name(name)
     if not user:
         raise UserNotFoundError('User %r not found.' % name)
     return user
 
 
-def try_get_user_by_name_or_email(name_or_email):
-    return (db.session
-        .query(db.User)
+def try_get_user_by_name_or_email(name_or_email: str) -> Optional[model.User]:
+    return (
+        db.session
+        .query(model.User)
         .filter(
-            (func.lower(db.User.name) == func.lower(name_or_email)) |
-            (func.lower(db.User.email) == func.lower(name_or_email)))
+            (sa.func.lower(model.User.name) == sa.func.lower(name_or_email)) |
+            (sa.func.lower(model.User.email) == sa.func.lower(name_or_email)))
         .one_or_none())
 
 
-def get_user_by_name_or_email(name_or_email):
+def get_user_by_name_or_email(name_or_email: str) -> model.User:
     user = try_get_user_by_name_or_email(name_or_email)
     if not user:
         raise UserNotFoundError('User %r not found.' % name_or_email)
     return user
 
 
-def create_user(name, password, email):
-    user = db.User()
+def create_user(name: str, password: str, email: str) -> model.User:
+    user = model.User()
     update_user_name(user, name)
     update_user_password(user, password)
     update_user_email(user, email)
     if get_user_count() > 0:
         user.rank = util.flip(auth.RANK_MAP)[config.config['default_rank']]
     else:
-        user.rank = db.User.RANK_ADMINISTRATOR
-    user.creation_time = datetime.datetime.utcnow()
-    user.avatar_style = db.User.AVATAR_GRAVATAR
+        user.rank = model.User.RANK_ADMINISTRATOR
+    user.creation_time = datetime.utcnow()
+    user.avatar_style = model.User.AVATAR_GRAVATAR
     return user
 
 
-def update_user_name(user, name):
+def update_user_name(user: model.User, name: str) -> None:
     assert user
     if not name:
         raise InvalidUserNameError('Name cannot be empty.')
-    if util.value_exceeds_column_size(name, db.User.name):
+    if util.value_exceeds_column_size(name, model.User.name):
         raise InvalidUserNameError('User name is too long.')
     name = name.strip()
     name_regex = config.config['user_name_regex']
@@ -174,7 +234,7 @@ def update_user_name(user, name):
     user.name = name
 
 
-def update_user_password(user, password):
+def update_user_password(user: model.User, password: str) -> None:
     assert user
     if not password:
         raise InvalidPasswordError('Password cannot be empty.')
@@ -183,23 +243,24 @@ def update_user_password(user, password):
         raise InvalidPasswordError(
             'Password must satisfy regex %r.' % password_regex)
     user.password_salt = auth.create_password()
-    user.password_hash = auth.get_password_hash(user.password_salt, password)
+    password_hash, revision = auth.get_password_hash(
+        user.password_salt, password)
+    user.password_hash = password_hash
+    user.password_revision = revision
 
 
-def update_user_email(user, email):
+def update_user_email(user: model.User, email: str) -> None:
     assert user
-    if email:
-        email = email.strip()
-    if not email:
-        email = None
-    if email and util.value_exceeds_column_size(email, db.User.email):
+    email = email.strip()
+    if util.value_exceeds_column_size(email, model.User.email):
         raise InvalidEmailError('Email is too long.')
     if not util.is_valid_email(email):
         raise InvalidEmailError('E-mail is invalid.')
-    user.email = email
+    user.email = email or None
 
 
-def update_user_rank(user, rank, auth_user):
+def update_user_rank(
+        user: model.User, rank: str, auth_user: model.User) -> None:
     assert user
     if not rank:
         raise InvalidRankError('Rank cannot be empty.')
@@ -208,7 +269,7 @@ def update_user_rank(user, rank, auth_user):
     if not rank:
         raise InvalidRankError(
             'Rank can be either of %r.' % all_ranks)
-    if rank in (db.User.RANK_ANONYMOUS, db.User.RANK_NOBODY):
+    if rank in (model.User.RANK_ANONYMOUS, model.User.RANK_NOBODY):
         raise InvalidRankError('Rank %r cannot be used.' % auth.RANK_MAP[rank])
     if all_ranks.index(auth_user.rank) \
             < all_ranks.index(rank) and get_user_count() > 0:
@@ -216,7 +277,10 @@ def update_user_rank(user, rank, auth_user):
     user.rank = rank
 
 
-def update_user_avatar(user, avatar_style, avatar_content=None):
+def update_user_avatar(
+        user: model.User,
+        avatar_style: str,
+        avatar_content: Optional[bytes] = None) -> None:
     assert user
     if avatar_style == 'gravatar':
         user.avatar_style = user.AVATAR_GRAVATAR
@@ -238,14 +302,17 @@ def update_user_avatar(user, avatar_style, avatar_content=None):
                 avatar_style, ['gravatar', 'manual']))
 
 
-def bump_user_login_time(user):
+def bump_user_login_time(user: model.User) -> None:
     assert user
-    user.last_login_time = datetime.datetime.utcnow()
+    user.last_login_time = datetime.utcnow()
 
 
-def reset_user_password(user):
+def reset_user_password(user: model.User) -> str:
     assert user
     password = auth.create_password()
     user.password_salt = auth.create_password()
-    user.password_hash = auth.get_password_hash(user.password_salt, password)
+    password_hash, revision = auth.get_password_hash(
+        user.password_salt, password)
+    user.password_hash = password_hash
+    user.password_revision = revision
     return password
diff --git a/server/szurubooru/func/util.py b/server/szurubooru/func/util.py
index 497878ee..5e822866 100644
--- a/server/szurubooru/func/util.py
+++ b/server/szurubooru/func/util.py
@@ -2,52 +2,38 @@ import os
 import hashlib
 import re
 import tempfile
+from typing import Any, Optional, Union, Tuple, List, Dict, Generator, TypeVar
 from datetime import datetime, timedelta
 from contextlib import contextmanager
 from szurubooru import errors
 
 
-def snake_case_to_lower_camel_case(text):
+T = TypeVar('T')
+
+
+def snake_case_to_lower_camel_case(text: str) -> str:
     components = text.split('_')
     return components[0].lower() + \
         ''.join(word[0].upper() + word[1:].lower() for word in components[1:])
 
 
-def snake_case_to_upper_train_case(text):
+def snake_case_to_upper_train_case(text: str) -> str:
     return '-'.join(
         word[0].upper() + word[1:].lower() for word in text.split('_'))
 
 
-def snake_case_to_lower_camel_case_keys(source):
+def snake_case_to_lower_camel_case_keys(
+        source: Dict[str, Any]) -> Dict[str, Any]:
     target = {}
     for key, value in source.items():
         target[snake_case_to_lower_camel_case(key)] = value
     return target
 
 
-def get_serialization_options(ctx):
-    return ctx.get_param_as_list('fields', required=False, default=None)
-
-
-def serialize_entity(entity, field_factories, options):
-    if not entity:
-        return None
-    if not options or len(options) == 0:
-        options = field_factories.keys()
-    ret = {}
-    for key in options:
-        if key not in field_factories:
-            raise errors.ValidationError('Invalid key: %r. Valid keys: %r.' % (
-                key, list(sorted(field_factories.keys()))))
-        factory = field_factories[key]
-        ret[key] = factory()
-    return ret
-
-
 @contextmanager
-def create_temp_file(**kwargs):
-    (handle, path) = tempfile.mkstemp(**kwargs)
-    os.close(handle)
+def create_temp_file(**kwargs: Any) -> Generator:
+    (descriptor, path) = tempfile.mkstemp(**kwargs)
+    os.close(descriptor)
     try:
         with open(path, 'r+b') as handle:
             yield handle
@@ -55,17 +41,25 @@ def create_temp_file(**kwargs):
         os.remove(path)
 
 
-def unalias_dict(input_dict):
-    output_dict = {}
-    for key_list, value in input_dict.items():
-        if isinstance(key_list, str):
-            key_list = [key_list]
-        for key in key_list:
-            output_dict[key] = value
+@contextmanager
+def create_temp_file_path(**kwargs: Any) -> Generator:
+    (descriptor, path) = tempfile.mkstemp(**kwargs)
+    os.close(descriptor)
+    try:
+        yield path
+    finally:
+        os.remove(path)
+
+
+def unalias_dict(source: List[Tuple[List[str], T]]) -> Dict[str, T]:
+    output_dict = {}  # type: Dict[str, T]
+    for aliases, value in source:
+        for alias in aliases:
+            output_dict[alias] = value
     return output_dict
 
 
-def get_md5(source):
+def get_md5(source: Union[str, bytes]) -> str:
     if not isinstance(source, bytes):
         source = source.encode('utf-8')
     md5 = hashlib.md5()
@@ -73,7 +67,7 @@ def get_md5(source):
     return md5.hexdigest()
 
 
-def get_sha1(source):
+def get_sha1(source: Union[str, bytes]) -> str:
     if not isinstance(source, bytes):
         source = source.encode('utf-8')
     sha1 = hashlib.sha1()
@@ -81,27 +75,29 @@ def get_sha1(source):
     return sha1.hexdigest()
 
 
-def flip(source):
+def flip(source: Dict[Any, Any]) -> Dict[Any, Any]:
     return {v: k for k, v in source.items()}
 
 
-def is_valid_email(email):
+def is_valid_email(email: Optional[str]) -> bool:
     ''' Return whether given email address is valid or empty. '''
-    return not email or re.match(r'^[^@]*@[^@]*\.[^@]*$', email)
+    return not email or re.match(r'^[^@]*@[^@]*\.[^@]*$', email) is not None
 
 
 class dotdict(dict):  # pylint: disable=invalid-name
     ''' dot.notation access to dictionary attributes. '''
-    def __getattr__(self, attr):
+    def __getattr__(self, attr: str) -> Any:
         return self.get(attr)
+
     __setattr__ = dict.__setitem__
     __delattr__ = dict.__delitem__
 
 
-def parse_time_range(value):
+def parse_time_range(value: str) -> Tuple[datetime, datetime]:
     ''' Return tuple containing min/max time for given text representation. '''
     one_day = timedelta(days=1)
     one_second = timedelta(seconds=1)
+    almost_one_day = one_day - one_second
 
     value = value.lower()
     if not value:
@@ -111,8 +107,8 @@ def parse_time_range(value):
         now = datetime.utcnow()
         return (
             datetime(now.year, now.month, now.day, 0, 0, 0),
-            datetime(now.year, now.month, now.day, 0, 0, 0)
-                + one_day - one_second)
+            datetime(now.year, now.month, now.day, 0, 0, 0) + almost_one_day
+        )
 
     if value == 'yesterday':
         now = datetime.utcnow()
@@ -145,9 +141,9 @@ def parse_time_range(value):
     raise errors.ValidationError('Invalid date format: %r.' % value)
 
 
-def icase_unique(source):
-    target = []
-    target_low = []
+def icase_unique(source: List[str]) -> List[str]:
+    target = []  # type: List[str]
+    target_low = []  # type: List[str]
     for source_item in source:
         if source_item.lower() not in target_low:
             target.append(source_item)
@@ -155,7 +151,7 @@ def icase_unique(source):
     return target
 
 
-def value_exceeds_column_size(value, column):
+def value_exceeds_column_size(value: Optional[str], column: Any) -> bool:
     if not value:
         return False
     max_length = column.property.columns[0].type.length
@@ -164,6 +160,12 @@ def value_exceeds_column_size(value, column):
     return len(value) > max_length
 
 
-def chunks(source_list, part_size):
+def get_column_size(column: Any) -> Optional[int]:
+    if not column:
+        return None
+    return column.property.columns[0].type.length
+
+
+def chunks(source_list: List[Any], part_size: int) -> Generator:
     for i in range(0, len(source_list), part_size):
         yield source_list[i:i + part_size]
diff --git a/server/szurubooru/func/versions.py b/server/szurubooru/func/versions.py
index ee84407b..6e5a3670 100644
--- a/server/szurubooru/func/versions.py
+++ b/server/szurubooru/func/versions.py
@@ -1,8 +1,11 @@
-from szurubooru import errors
+from szurubooru import errors, rest, model
 
 
-def verify_version(entity, context, field_name='version'):
-    actual_version = context.get_param_as_int(field_name, required=True)
+def verify_version(
+        entity: model.Base,
+        context: rest.Context,
+        field_name: str = 'version') -> None:
+    actual_version = context.get_param_as_int(field_name)
     expected_version = entity.version
     if actual_version != expected_version:
         raise errors.IntegrityError(
@@ -10,5 +13,5 @@ def verify_version(entity, context, field_name='version'):
             'Please try again.')
 
 
-def bump_version(entity):
+def bump_version(entity: model.Base) -> None:
     entity.version = entity.version + 1
diff --git a/server/szurubooru/middleware/authenticator.py b/server/szurubooru/middleware/authenticator.py
index f6b7853f..4340ec94 100644
--- a/server/szurubooru/middleware/authenticator.py
+++ b/server/szurubooru/middleware/authenticator.py
@@ -1,11 +1,11 @@
 import base64
-from szurubooru import db, errors
-from szurubooru.func import auth, users
-from szurubooru.rest import middleware
+from typing import Optional, Tuple
+from szurubooru import model, errors, rest
+from szurubooru.func import auth, users, user_tokens
 from szurubooru.rest.errors import HttpBadRequest
 
 
-def _authenticate(username, password):
+def _authenticate_basic_auth(username: str, password: str) -> model.User:
     ''' Try to authenticate user. Throw AuthError for invalid users. '''
     user = users.get_user_by_name(username)
     if not auth.is_valid_password(user, password):
@@ -13,38 +13,61 @@ def _authenticate(username, password):
     return user
 
 
-def _create_anonymous_user():
-    user = db.User()
-    user.name = None
-    user.rank = 'anonymous'
-    return user
+def _authenticate_token(
+        username: str, token: str) -> Tuple[model.User, model.UserToken]:
+    ''' Try to authenticate user. Throw AuthError for invalid users. '''
+    user = users.get_user_by_name(username)
+    user_token = user_tokens.get_by_user_and_token(user, token)
+    if not auth.is_valid_token(user_token):
+        raise errors.AuthError('Invalid token.')
+    return user, user_token
 
 
-def _get_user(ctx):
+def _get_user(ctx: rest.Context, bump_login: bool) -> Optional[model.User]:
     if not ctx.has_header('Authorization'):
-        return _create_anonymous_user()
+        return None
+
+    auth_token = None
 
     try:
         auth_type, credentials = ctx.get_header('Authorization').split(' ', 1)
-        if auth_type.lower() != 'basic':
+        if auth_type.lower() == 'basic':
+            username, password = base64.decodebytes(
+                credentials.encode('ascii')).decode('utf8').split(':', 1)
+            auth_user = _authenticate_basic_auth(username, password)
+        elif auth_type.lower() == 'token':
+            username, token = base64.decodebytes(
+                credentials.encode('ascii')).decode('utf8').split(':', 1)
+            auth_user, auth_token = _authenticate_token(username, token)
+        else:
             raise HttpBadRequest(
                 'ValidationError',
-                'Only basic HTTP authentication is supported.')
-        username, password = base64.decodebytes(
-            credentials.encode('ascii')).decode('utf8').split(':')
-        return _authenticate(username, password)
+                'Only basic or token HTTP authentication is supported.')
     except ValueError as err:
-        msg = 'Basic authentication header value are not properly formed. ' \
-            + 'Supplied header {0}. Got error: {1}'
+        msg = (
+            'Authorization header values are not properly formed. '
+            'Supplied header {0}. Got error: {1}')
         raise HttpBadRequest(
             'ValidationError',
             msg.format(ctx.get_header('Authorization'), str(err)))
 
-
-@middleware.pre_hook
-def process_request(ctx):
-    ''' Bind the user to request. Update last login time if needed. '''
-    ctx.user = _get_user(ctx)
-    if ctx.get_param_as_bool('bump-login') and ctx.user.user_id:
-        users.bump_user_login_time(ctx.user)
+    if bump_login and auth_user.user_id:
+        users.bump_user_login_time(auth_user)
+        if auth_token is not None:
+            user_tokens.bump_usage_time(auth_token)
         ctx.session.commit()
+
+    return auth_user
+
+
+def process_request(ctx: rest.Context) -> None:
+    ''' Bind the user to request. Update last login time if needed. '''
+    bump_login = ctx.get_param_as_bool('bump-login', default=False)
+    auth_user = _get_user(ctx, bump_login)
+    if auth_user:
+        ctx.user = auth_user
+
+
+@rest.middleware.pre_hook
+def process_request_hook(ctx: rest.Context) -> None:
+    process_request(ctx)
diff --git a/server/szurubooru/middleware/cache_purger.py b/server/szurubooru/middleware/cache_purger.py
index e26b3bae..d83fb845 100644
--- a/server/szurubooru/middleware/cache_purger.py
+++ b/server/szurubooru/middleware/cache_purger.py
@@ -1,8 +1,9 @@
+from szurubooru import rest
 from szurubooru.func import cache
 from szurubooru.rest import middleware
 
 
 @middleware.pre_hook
-def process_request(ctx):
+def process_request(ctx: rest.Context) -> None:
     if ctx.method != 'GET':
         cache.purge()
diff --git a/server/szurubooru/middleware/request_logger.py b/server/szurubooru/middleware/request_logger.py
index 47b43ab5..54e40e4a 100644
--- a/server/szurubooru/middleware/request_logger.py
+++ b/server/szurubooru/middleware/request_logger.py
@@ -1,5 +1,5 @@
 import logging
-from szurubooru import db
+from szurubooru import db, rest
 from szurubooru.rest import middleware
 
 
@@ -7,12 +7,12 @@ logger = logging.getLogger(__name__)
 
 
 @middleware.pre_hook
-def process_request(_ctx):
+def process_request(_ctx: rest.Context) -> None:
     db.reset_query_count()
 
 
 @middleware.post_hook
-def process_response(ctx):
+def process_response(ctx: rest.Context) -> None:
     logger.info(
         '%s %s (user=%s, queries=%d)',
         ctx.method,
diff --git a/server/szurubooru/migrations/env.py b/server/szurubooru/migrations/env.py
index 1359ab8a..59d031f6 100644
--- a/server/szurubooru/migrations/env.py
+++ b/server/szurubooru/migrations/env.py
@@ -2,14 +2,14 @@ import os
 import sys
 
 import alembic
-import sqlalchemy
+import sqlalchemy as sa
 import logging.config
 
 # make szurubooru module importable
 dir_to_self = os.path.dirname(os.path.realpath(__file__))
 sys.path.append(os.path.join(dir_to_self, *[os.pardir] * 2))
 
-import szurubooru.db.base
+import szurubooru.model.base
 import szurubooru.config
 
 alembic_config = alembic.context.config
@@ -18,7 +18,7 @@ logging.config.fileConfig(alembic_config.config_file_name)
 szuru_config = szurubooru.config.config
 alembic_config.set_main_option('sqlalchemy.url', szuru_config['database'])
 
-target_metadata = szurubooru.db.Base.metadata
+target_metadata = szurubooru.model.Base.metadata
 
 
 def run_migrations_offline():
@@ -35,7 +35,10 @@ def run_migrations_offline():
     '''
     url = alembic_config.get_main_option('sqlalchemy.url')
     alembic.context.configure(
-        url=url, target_metadata=target_metadata, literal_binds=True)
+        url=url,
+        target_metadata=target_metadata,
+        literal_binds=True,
+        compare_type=True)
 
     with alembic.context.begin_transaction():
         alembic.context.run_migrations()
@@ -48,15 +51,16 @@ def run_migrations_online():
     In this scenario we need to create an Engine
     and associate a connection with the context.
     '''
-    connectable = sqlalchemy.engine_from_config(
+    connectable = sa.engine_from_config(
         alembic_config.get_section(alembic_config.config_ini_section),
         prefix='sqlalchemy.',
-        poolclass=sqlalchemy.pool.NullPool)
+        poolclass=sa.pool.NullPool)
 
     with connectable.connect() as connection:
         alembic.context.configure(
             connection=connection,
-            target_metadata=target_metadata)
+            target_metadata=target_metadata,
+            compare_type=True)
 
         with alembic.context.begin_transaction():
             alembic.context.run_migrations()
diff --git a/server/szurubooru/migrations/versions/02ef5f73f4ab_add_hashes_to_post_file_names.py b/server/szurubooru/migrations/versions/02ef5f73f4ab_add_hashes_to_post_file_names.py
new file mode 100644
index 00000000..c7e5d01a
--- /dev/null
+++ b/server/szurubooru/migrations/versions/02ef5f73f4ab_add_hashes_to_post_file_names.py
@@ -0,0 +1,43 @@
+'''
+Add hashes to post file names
+
+Revision ID: 02ef5f73f4ab
+Created at: 2017-08-24 13:30:46.766928
+'''
+
+import os
+import re
+from szurubooru.func import files, posts
+
+revision = '02ef5f73f4ab'
+down_revision = '5f00af3004a4'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    for name in ['posts', 'posts/custom-thumbnails', 'generated-thumbnails']:
+        for entry in list(files.scan(name)):
+            match = re.match(r'^(?P<name>\d+)\.(?P<ext>\w+)$', entry.name)
+            if match:
+                post_id = int(match.group('name'))
+                security_hash = posts.get_post_security_hash(post_id)
+                ext = match.group('ext')
+                new_name = '%s_%s.%s' % (post_id, security_hash, ext)
+                new_path = os.path.join(os.path.dirname(entry.path), new_name)
+                os.rename(entry.path, new_path)
+
+
+def downgrade():
+    for name in ['posts', 'posts/custom-thumbnails', 'generated-thumbnails']:
+        for entry in list(files.scan(name)):
+            match = re.match(
+                r'^(?P<name>\d+)_(?P<hash>[0-9A-Fa-f]+)\.(?P<ext>\w+)$',
+                entry.name)
+            if match:
+                post_id = int(match.group('name'))
+                security_hash = match.group('hash')
+                ext = match.group('ext')
+                new_name = '%s.%s' % (post_id, ext)
+                new_path = os.path.join(os.path.dirname(entry.path), new_name)
+                os.rename(entry.path, new_path)
diff --git a/server/szurubooru/migrations/versions/055d0e048fb3_add_default_column_to_tag_categories.py b/server/szurubooru/migrations/versions/055d0e048fb3_add_default_column_to_tag_categories.py
index e6a37e6d..1ced1596 100644
--- a/server/szurubooru/migrations/versions/055d0e048fb3_add_default_column_to_tag_categories.py
+++ b/server/szurubooru/migrations/versions/055d0e048fb3_add_default_column_to_tag_categories.py
@@ -19,8 +19,8 @@ def upgrade():
         'tag_category', sa.Column('default', sa.Boolean(), nullable=True))
     op.execute(
         sa.table('tag_category', sa.column('default'))
-            .update()
-            .values(default=False))
+        .update()
+        .values(default=False))
     op.alter_column('tag_category', 'default', nullable=False)
 
 
diff --git a/server/szurubooru/migrations/versions/5f00af3004a4_add_default_tag_category.py b/server/szurubooru/migrations/versions/5f00af3004a4_add_default_tag_category.py
new file mode 100644
index 00000000..e097e675
--- /dev/null
+++ b/server/szurubooru/migrations/versions/5f00af3004a4_add_default_tag_category.py
@@ -0,0 +1,63 @@
+'''
+Add default tag category
+
+Revision ID: 5f00af3004a4
+Created at: 2017-02-02 20:06:13.336380
+'''
+
+import sqlalchemy as sa
+from alembic import op
+import sqlalchemy.ext.declarative
+import sqlalchemy.orm.session
+
+
+revision = '5f00af3004a4'
+down_revision = '9837fc981ec7'
+branch_labels = None
+depends_on = None
+
+
+Base = sa.ext.declarative.declarative_base()
+
+
+class TagCategory(Base):
+    __tablename__ = 'tag_category'
+    __table_args__ = {'extend_existing': True}
+
+    tag_category_id = sa.Column('id', sa.Integer, primary_key=True)
+    version = sa.Column('version', sa.Integer, nullable=False)
+    name = sa.Column('name', sa.Unicode(32), nullable=False)
+    color = sa.Column('color', sa.Unicode(32), nullable=False)
+    default = sa.Column('default', sa.Boolean, nullable=False)
+
+    __mapper_args__ = {
+        'version_id_col': version,
+        'version_id_generator': False,
+    }
+
+
+def upgrade():
+    session = sa.orm.session.Session(bind=op.get_bind())
+    if session.query(TagCategory).count() == 0:
+        category = TagCategory()
+        category.name = 'default'
+        category.color = 'default'
+        category.version = 1
+        category.default = True
+        session.add(category)
+    session.commit()
+
+
+def downgrade():
+    session = sa.orm.session.Session(bind=op.get_bind())
+    default_category = (
+        session
+        .query(TagCategory)
+        .filter(TagCategory.name == 'default')
+        .filter(TagCategory.color == 'default')
+        .filter(TagCategory.version == 1)
+        .filter(TagCategory.default == 1)
+        .one_or_none())
+    if default_category:
+        session.delete(default_category)
+    session.commit()
diff --git a/server/szurubooru/migrations/versions/7f6baf38c27c_add_versions.py b/server/szurubooru/migrations/versions/7f6baf38c27c_add_versions.py
index 71e6bcb0..22360260 100644
--- a/server/szurubooru/migrations/versions/7f6baf38c27c_add_versions.py
+++ b/server/szurubooru/migrations/versions/7f6baf38c27c_add_versions.py
@@ -21,8 +21,8 @@ def upgrade():
         op.add_column(table, sa.Column('version', sa.Integer(), nullable=True))
         op.execute(
             sa.table(table, sa.column('version'))
-                .update()
-                .values(version=1))
+            .update()
+            .values(version=1))
         op.alter_column(table, 'version', nullable=False)
 
 
diff --git a/server/szurubooru/migrations/versions/9837fc981ec7_add_order_to_tag_names.py b/server/szurubooru/migrations/versions/9837fc981ec7_add_order_to_tag_names.py
index 10969fe6..39f9edff 100644
--- a/server/szurubooru/migrations/versions/9837fc981ec7_add_order_to_tag_names.py
+++ b/server/szurubooru/migrations/versions/9837fc981ec7_add_order_to_tag_names.py
@@ -7,6 +7,7 @@ Created at: 2016-08-28 19:03:59.831527
 
 import sqlalchemy as sa
 from alembic import op
+import sqlalchemy.ext.declarative
 
 
 revision = '9837fc981ec7'
diff --git a/server/szurubooru/migrations/versions/9ef1a1643c2a_update_user_table_for_hardened_passwords.py b/server/szurubooru/migrations/versions/9ef1a1643c2a_update_user_table_for_hardened_passwords.py
new file mode 100644
index 00000000..38057728
--- /dev/null
+++ b/server/szurubooru/migrations/versions/9ef1a1643c2a_update_user_table_for_hardened_passwords.py
@@ -0,0 +1,89 @@
+'''
+Alter the password_hash field to work with larger output.
+Particularly libsodium output for greater password security.
+
+Revision ID: 9ef1a1643c2a
+Created at: 2018-02-24 23:00:32.848575
+'''
+
+import sqlalchemy as sa
+import sqlalchemy.ext.declarative
+import sqlalchemy.orm.session
+from alembic import op
+
+
+revision = '9ef1a1643c2a'
+down_revision = '02ef5f73f4ab'
+branch_labels = None
+depends_on = None
+
+Base = sa.ext.declarative.declarative_base()
+
+
+class User(Base):
+    __tablename__ = 'user'
+
+    AVATAR_GRAVATAR = 'gravatar'
+
+    user_id = sa.Column('id', sa.Integer, primary_key=True)
+    creation_time = sa.Column('creation_time', sa.DateTime, nullable=False)
+    last_login_time = sa.Column('last_login_time', sa.DateTime)
+    version = sa.Column('version', sa.Integer, default=1, nullable=False)
+    name = sa.Column('name', sa.Unicode(50), nullable=False, unique=True)
+    password_hash = sa.Column('password_hash', sa.Unicode(128), nullable=False)
+    password_salt = sa.Column('password_salt', sa.Unicode(32))
+    password_revision = sa.Column(
+        'password_revision', sa.SmallInteger, default=0, nullable=False)
+    email = sa.Column('email', sa.Unicode(64), nullable=True)
+    rank = sa.Column('rank', sa.Unicode(32), nullable=False)
+    avatar_style = sa.Column(
+        'avatar_style', sa.Unicode(32), nullable=False,
+        default=AVATAR_GRAVATAR)
+
+    __mapper_args__ = {
+        'version_id_col': version,
+        'version_id_generator': False,
+    }
+
+
+def upgrade():
+    op.alter_column(
+        'user',
+        'password_hash',
+        existing_type=sa.VARCHAR(length=64),
+        type_=sa.Unicode(length=128),
+        existing_nullable=False)
+    op.add_column('user', sa.Column(
+        'password_revision',
+        sa.SmallInteger(),
+        nullable=True,
+        default=0))
+
+    session = sa.orm.session.Session(bind=op.get_bind())
+    if session.query(User).count() >= 0:
+        for user in session.query(User).all():
+            password_hash_length = len(user.password_hash)
+            if password_hash_length == 40:
+                user.password_revision = 1
+            elif password_hash_length == 64:
+                user.password_revision = 2
+            else:
+                user.password_revision = 0
+        session.flush()
+    session.commit()
+
+    op.alter_column(
+        'user',
+        'password_revision',
+        existing_nullable=True,
+        nullable=False)
+
+
+def downgrade():
+    op.alter_column(
+        'user',
+        'password_hash',
+        existing_type=sa.Unicode(length=128),
+        type_=sa.VARCHAR(length=64),
+        existing_nullable=False)
+    op.drop_column('user', 'password_revision')
diff --git a/server/szurubooru/migrations/versions/a39c7f98a7fa_add_user_token_table.py b/server/szurubooru/migrations/versions/a39c7f98a7fa_add_user_token_table.py
new file mode 100644
index 00000000..899eaa70
--- /dev/null
+++ b/server/szurubooru/migrations/versions/a39c7f98a7fa_add_user_token_table.py
@@ -0,0 +1,39 @@
+'''
+Added a user_token table for API authorization
+
+Revision ID: a39c7f98a7fa
+Created at: 2018-02-25 01:31:27.345595
+'''
+
+import sqlalchemy as sa
+from alembic import op
+
+
+revision = 'a39c7f98a7fa'
+down_revision = '9ef1a1643c2a'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    op.create_table(
+        'user_token',
+        sa.Column('id', sa.Integer(), nullable=False),
+        sa.Column('user_id', sa.Integer(), nullable=False),
+        sa.Column('token', sa.Unicode(length=36), nullable=False),
+        sa.Column('note', sa.Unicode(length=128), nullable=True),
+        sa.Column('enabled', sa.Boolean(), nullable=False),
+        sa.Column('expiration_time', sa.DateTime(), nullable=True),
+        sa.Column('creation_time', sa.DateTime(), nullable=False),
+        sa.Column('last_edit_time', sa.DateTime(), nullable=True),
+        sa.Column('last_usage_time', sa.DateTime(), nullable=True),
+        sa.Column('version', sa.Integer(), nullable=False),
+        sa.ForeignKeyConstraint(['user_id'], ['user.id'], ondelete='CASCADE'),
+        sa.PrimaryKeyConstraint('id'))
+    op.create_index(
+        op.f('ix_user_token_user_id'), 'user_token', ['user_id'], unique=False)
+
+
+def downgrade():
+    op.drop_index(op.f('ix_user_token_user_id'), table_name='user_token')
+    op.drop_table('user_token')
diff --git a/server/szurubooru/model/__init__.py b/server/szurubooru/model/__init__.py
new file mode 100644
index 00000000..4892b974
--- /dev/null
+++ b/server/szurubooru/model/__init__.py
@@ -0,0 +1,15 @@
+from szurubooru.model.base import Base
+from szurubooru.model.user import User, UserToken
+from szurubooru.model.tag_category import TagCategory
+from szurubooru.model.tag import Tag, TagName, TagSuggestion, TagImplication
+from szurubooru.model.post import (
+    Post,
+    PostTag,
+    PostRelation,
+    PostFavorite,
+    PostScore,
+    PostNote,
+    PostFeature)
+from szurubooru.model.comment import Comment, CommentScore
+from szurubooru.model.snapshot import Snapshot
+import szurubooru.model.util
diff --git a/server/szurubooru/db/base.py b/server/szurubooru/model/base.py
similarity index 100%
rename from server/szurubooru/db/base.py
rename to server/szurubooru/model/base.py
diff --git a/server/szurubooru/model/comment.py b/server/szurubooru/model/comment.py
new file mode 100644
index 00000000..17b76a05
--- /dev/null
+++ b/server/szurubooru/model/comment.py
@@ -0,0 +1,68 @@
+import sqlalchemy as sa
+from szurubooru.db import get_session
+from szurubooru.model.base import Base
+
+
+class CommentScore(Base):
+    __tablename__ = 'comment_score'
+
+    comment_id = sa.Column(
+        'comment_id',
+        sa.Integer,
+        sa.ForeignKey('comment.id'),
+        nullable=False,
+        primary_key=True)
+    user_id = sa.Column(
+        'user_id',
+        sa.Integer,
+        sa.ForeignKey('user.id'),
+        nullable=False,
+        primary_key=True,
+        index=True)
+    time = sa.Column('time', sa.DateTime, nullable=False)
+    score = sa.Column('score', sa.Integer, nullable=False)
+
+    comment = sa.orm.relationship('Comment')
+    user = sa.orm.relationship(
+        'User',
+        backref=sa.orm.backref('comment_scores', cascade='all, delete-orphan'))
+
+
+class Comment(Base):
+    __tablename__ = 'comment'
+
+    comment_id = sa.Column('id', sa.Integer, primary_key=True)
+    post_id = sa.Column(
+        'post_id',
+        sa.Integer,
+        sa.ForeignKey('post.id'),
+        nullable=False,
+        index=True)
+    user_id = sa.Column(
+        'user_id',
+        sa.Integer,
+        sa.ForeignKey('user.id'),
+        nullable=True,
+        index=True)
+    version = sa.Column('version', sa.Integer, default=1, nullable=False)
+    creation_time = sa.Column('creation_time', sa.DateTime, nullable=False)
+    last_edit_time = sa.Column('last_edit_time', sa.DateTime)
+    text = sa.Column('text', sa.UnicodeText, default=None)
+
+    user = sa.orm.relationship('User')
+    post = sa.orm.relationship('Post')
+    scores = sa.orm.relationship(
+        'CommentScore', cascade='all, delete-orphan', lazy='joined')
+
+    @property
+    def score(self) -> int:
+        return (
+            get_session()
+            .query(sa.sql.expression.func.sum(CommentScore.score))
+            .filter(CommentScore.comment_id == self.comment_id)
+            .one()[0] or 0)
+
+    __mapper_args__ = {
+        'version_id_col': version,
+        'version_id_generator': False,
+    }
diff --git a/server/szurubooru/model/post.py b/server/szurubooru/model/post.py
new file mode 100644
index 00000000..f04ffb53
--- /dev/null
+++ b/server/szurubooru/model/post.py
@@ -0,0 +1,287 @@
+import sqlalchemy as sa
+from szurubooru.model.base import Base
+from szurubooru.model.comment import Comment
+
+
+class PostFeature(Base):
+    __tablename__ = 'post_feature'
+
+    post_feature_id = sa.Column('id', sa.Integer, primary_key=True)
+    post_id = sa.Column(
+        'post_id',
+        sa.Integer,
+        sa.ForeignKey('post.id'),
+        nullable=False,
+        index=True)
+    user_id = sa.Column(
+        'user_id',
+        sa.Integer,
+        sa.ForeignKey('user.id'),
+        nullable=False,
+        index=True)
+    time = sa.Column('time', sa.DateTime, nullable=False)
+
+    post = sa.orm.relationship('Post')  # type: Post
+    user = sa.orm.relationship(
+        'User',
+        backref=sa.orm.backref(
+            'post_features', cascade='all, delete-orphan'))
+
+
+class PostScore(Base):
+    __tablename__ = 'post_score'
+
+    post_id = sa.Column(
+        'post_id',
+        sa.Integer,
+        sa.ForeignKey('post.id'),
+        primary_key=True,
+        nullable=False,
+        index=True)
+    user_id = sa.Column(
+        'user_id',
+        sa.Integer,
+        sa.ForeignKey('user.id'),
+        primary_key=True,
+        nullable=False,
+        index=True)
+    time = sa.Column('time', sa.DateTime, nullable=False)
+    score = sa.Column('score', sa.Integer, nullable=False)
+
+    post = sa.orm.relationship('Post')
+    user = sa.orm.relationship(
+        'User',
+        backref=sa.orm.backref('post_scores', cascade='all, delete-orphan'))
+
+
+class PostFavorite(Base):
+    __tablename__ = 'post_favorite'
+
+    post_id = sa.Column(
+        'post_id',
+        sa.Integer,
+        sa.ForeignKey('post.id'),
+        primary_key=True,
+        nullable=False,
+        index=True)
+    user_id = sa.Column(
+        'user_id',
+        sa.Integer,
+        sa.ForeignKey('user.id'),
+        primary_key=True,
+        nullable=False,
+        index=True)
+    time = sa.Column('time', sa.DateTime, nullable=False)
+
+    post = sa.orm.relationship('Post')
+    user = sa.orm.relationship(
+        'User',
+        backref=sa.orm.backref('post_favorites', cascade='all, delete-orphan'))
+
+
+class PostNote(Base):
+    __tablename__ = 'post_note'
+
+    post_note_id = sa.Column('id', sa.Integer, primary_key=True)
+    post_id = sa.Column(
+        'post_id',
+        sa.Integer,
+        sa.ForeignKey('post.id'),
+        nullable=False,
+        index=True)
+    polygon = sa.Column('polygon', sa.PickleType, nullable=False)
+    text = sa.Column('text', sa.UnicodeText, nullable=False)
+
+    post = sa.orm.relationship('Post')
+
+
+class PostRelation(Base):
+    __tablename__ = 'post_relation'
+
+    parent_id = sa.Column(
+        'parent_id',
+        sa.Integer,
+        sa.ForeignKey('post.id'),
+        primary_key=True,
+        nullable=False,
+        index=True)
+    child_id = sa.Column(
+        'child_id',
+        sa.Integer,
+        sa.ForeignKey('post.id'),
+        primary_key=True,
+        nullable=False,
+        index=True)
+
+    def __init__(self, parent_id: int, child_id: int) -> None:
+        self.parent_id = parent_id
+        self.child_id = child_id
+
+
+class PostTag(Base):
+    __tablename__ = 'post_tag'
+
+    post_id = sa.Column(
+        'post_id',
+        sa.Integer,
+        sa.ForeignKey('post.id'),
+        primary_key=True,
+        nullable=False,
+        index=True)
+    tag_id = sa.Column(
+        'tag_id',
+        sa.Integer,
+        sa.ForeignKey('tag.id'),
+        primary_key=True,
+        nullable=False,
+        index=True)
+
+    def __init__(self, post_id: int, tag_id: int) -> None:
+        self.post_id = post_id
+        self.tag_id = tag_id
+
+
+class Post(Base):
+    __tablename__ = 'post'
+
+    SAFETY_SAFE = 'safe'
+    SAFETY_SKETCHY = 'sketchy'
+    SAFETY_UNSAFE = 'unsafe'
+
+    TYPE_IMAGE = 'image'
+    TYPE_ANIMATION = 'animation'
+    TYPE_VIDEO = 'video'
+    TYPE_FLASH = 'flash'
+
+    FLAG_LOOP = 'loop'
+
+    # basic meta
+    post_id = sa.Column('id', sa.Integer, primary_key=True)
+    user_id = sa.Column(
+        'user_id',
+        sa.Integer,
+        sa.ForeignKey('user.id', ondelete='SET NULL'),
+        nullable=True,
+        index=True)
+    version = sa.Column('version', sa.Integer, default=1, nullable=False)
+    creation_time = sa.Column('creation_time', sa.DateTime, nullable=False)
+    last_edit_time = sa.Column('last_edit_time', sa.DateTime)
+    safety = sa.Column('safety', sa.Unicode(32), nullable=False)
+    source = sa.Column('source', sa.Unicode(200))
+    flags = sa.Column('flags', sa.PickleType, default=None)
+
+    # content description
+    type = sa.Column('type', sa.Unicode(32), nullable=False)
+    checksum = sa.Column('checksum', sa.Unicode(64), nullable=False)
+    file_size = sa.Column('file_size', sa.Integer)
+    canvas_width = sa.Column('image_width', sa.Integer)
+    canvas_height = sa.Column('image_height', sa.Integer)
+    mime_type = sa.Column('mime-type', sa.Unicode(32), nullable=False)
+
+    # foreign tables
+    user = sa.orm.relationship('User')
+    tags = sa.orm.relationship('Tag', backref='posts', secondary='post_tag')
+    relations = sa.orm.relationship(
+        'Post',
+        secondary='post_relation',
+        primaryjoin=post_id == PostRelation.parent_id,
+        secondaryjoin=post_id == PostRelation.child_id, lazy='joined',
+        backref='related_by')
+    features = sa.orm.relationship(
+        'PostFeature', cascade='all, delete-orphan', lazy='joined')
+    scores = sa.orm.relationship(
+        'PostScore', cascade='all, delete-orphan', lazy='joined')
+    favorited_by = sa.orm.relationship(
+        'PostFavorite', cascade='all, delete-orphan', lazy='joined')
+    notes = sa.orm.relationship(
+        'PostNote', cascade='all, delete-orphan', lazy='joined')
+    comments = sa.orm.relationship('Comment', cascade='all, delete-orphan')
+
+    # dynamic columns
+    tag_count = sa.orm.column_property(
+        sa.sql.expression.select(
+            [sa.sql.expression.func.count(PostTag.tag_id)])
+        .where(PostTag.post_id == post_id)
+        .correlate_except(PostTag))
+
+    canvas_area = sa.orm.column_property(canvas_width * canvas_height)
+    canvas_aspect_ratio = sa.orm.column_property(
+        sa.sql.expression.func.cast(canvas_width, sa.Float) /
+        sa.sql.expression.func.cast(canvas_height, sa.Float))
+
+    @property
+    def is_featured(self) -> bool:
+        featured_post = (
+            sa.orm.object_session(self)
+            .query(PostFeature)
+            .order_by(PostFeature.time.desc())
+            .first())
+        return featured_post and featured_post.post_id == self.post_id
+
+    score = sa.orm.column_property(
+        sa.sql.expression.select(
+            [sa.sql.expression.func.coalesce(
+                sa.sql.expression.func.sum(PostScore.score), 0)])
+        .where(PostScore.post_id == post_id)
+        .correlate_except(PostScore))
+
+    favorite_count = sa.orm.column_property(
+        sa.sql.expression.select(
+            [sa.sql.expression.func.count(PostFavorite.post_id)])
+        .where(PostFavorite.post_id == post_id)
+        .correlate_except(PostFavorite))
+
+    last_favorite_time = sa.orm.column_property(
+        sa.sql.expression.select(
+            [sa.sql.expression.func.max(PostFavorite.time)])
+        .where(PostFavorite.post_id == post_id)
+        .correlate_except(PostFavorite))
+
+    feature_count = sa.orm.column_property(
+        sa.sql.expression.select(
+            [sa.sql.expression.func.count(PostFeature.post_id)])
+        .where(PostFeature.post_id == post_id)
+        .correlate_except(PostFeature))
+
+    last_feature_time = sa.orm.column_property(
+        sa.sql.expression.select(
+            [sa.sql.expression.func.max(PostFeature.time)])
+        .where(PostFeature.post_id == post_id)
+        .correlate_except(PostFeature))
+
+    comment_count = sa.orm.column_property(
+        sa.sql.expression.select(
+            [sa.sql.expression.func.count(Comment.post_id)])
+        .where(Comment.post_id == post_id)
+        .correlate_except(Comment))
+
+    last_comment_creation_time = sa.orm.column_property(
+        sa.sql.expression.select(
+            [sa.sql.expression.func.max(Comment.creation_time)])
+        .where(Comment.post_id == post_id)
+        .correlate_except(Comment))
+
+    last_comment_edit_time = sa.orm.column_property(
+        sa.sql.expression.select(
+            [sa.sql.expression.func.max(Comment.last_edit_time)])
+        .where(Comment.post_id == post_id)
+        .correlate_except(Comment))
+
+    note_count = sa.orm.column_property(
+        sa.sql.expression.select(
+            [sa.sql.expression.func.count(PostNote.post_id)])
+        .where(PostNote.post_id == post_id)
+        .correlate_except(PostNote))
+
+    relation_count = sa.orm.column_property(
+        sa.sql.expression.select(
+            [sa.sql.expression.func.count(PostRelation.child_id)])
+        .where(
+            (PostRelation.parent_id == post_id) |
+            (PostRelation.child_id == post_id))
+        .correlate_except(PostRelation))
+
+    __mapper_args__ = {
+        'version_id_col': version,
+        'version_id_generator': False,
+    }
diff --git a/server/szurubooru/model/snapshot.py b/server/szurubooru/model/snapshot.py
new file mode 100644
index 00000000..7f8bbdf0
--- /dev/null
+++ b/server/szurubooru/model/snapshot.py
@@ -0,0 +1,29 @@
+import sqlalchemy as sa
+from szurubooru.model.base import Base
+
+
+class Snapshot(Base):
+    __tablename__ = 'snapshot'
+
+    OPERATION_CREATED = 'created'
+    OPERATION_MODIFIED = 'modified'
+    OPERATION_DELETED = 'deleted'
+    OPERATION_MERGED = 'merged'
+
+    snapshot_id = sa.Column('id', sa.Integer, primary_key=True)
+    creation_time = sa.Column('creation_time', sa.DateTime, nullable=False)
+    operation = sa.Column('operation', sa.Unicode(16), nullable=False)
+    resource_type = sa.Column(
+        'resource_type', sa.Unicode(32), nullable=False, index=True)
+    resource_pkey = sa.Column(
+        'resource_pkey', sa.Integer, nullable=False, index=True)
+    resource_name = sa.Column(
+        'resource_name', sa.Unicode(64), nullable=False)
+    user_id = sa.Column(
+        'user_id',
+        sa.Integer,
+        sa.ForeignKey('user.id', ondelete='set null'),
+        nullable=True)
+    data = sa.Column('data', sa.PickleType)
+
+    user = sa.orm.relationship('User')
diff --git a/server/szurubooru/model/tag.py b/server/szurubooru/model/tag.py
new file mode 100644
index 00000000..51059007
--- /dev/null
+++ b/server/szurubooru/model/tag.py
@@ -0,0 +1,141 @@
+import sqlalchemy as sa
+from szurubooru.model.base import Base
+from szurubooru.model.post import PostTag
+
+
+class TagSuggestion(Base):
+    __tablename__ = 'tag_suggestion'
+
+    parent_id = sa.Column(
+        'parent_id',
+        sa.Integer,
+        sa.ForeignKey('tag.id'),
+        nullable=False,
+        primary_key=True,
+        index=True)
+    child_id = sa.Column(
+        'child_id',
+        sa.Integer,
+        sa.ForeignKey('tag.id'),
+        nullable=False,
+        primary_key=True,
+        index=True)
+
+    def __init__(self, parent_id: int, child_id: int) -> None:
+        self.parent_id = parent_id
+        self.child_id = child_id
+
+
+class TagImplication(Base):
+    __tablename__ = 'tag_implication'
+
+    parent_id = sa.Column(
+        'parent_id',
+        sa.Integer,
+        sa.ForeignKey('tag.id'),
+        nullable=False,
+        primary_key=True,
+        index=True)
+    child_id = sa.Column(
+        'child_id',
+        sa.Integer,
+        sa.ForeignKey('tag.id'),
+        nullable=False,
+        primary_key=True,
+        index=True)
+
+    def __init__(self, parent_id: int, child_id: int) -> None:
+        self.parent_id = parent_id
+        self.child_id = child_id
+
+
+class TagName(Base):
+    __tablename__ = 'tag_name'
+
+    tag_name_id = sa.Column('tag_name_id', sa.Integer, primary_key=True)
+    tag_id = sa.Column(
+        'tag_id',
+        sa.Integer,
+        sa.ForeignKey('tag.id'),
+        nullable=False,
+        index=True)
+    name = sa.Column('name', sa.Unicode(64), nullable=False, unique=True)
+    order = sa.Column('ord', sa.Integer, nullable=False, index=True)
+
+    def __init__(self, name: str, order: int) -> None:
+        self.name = name
+        self.order = order
+
+
+class Tag(Base):
+    __tablename__ = 'tag'
+
+    tag_id = sa.Column('id', sa.Integer, primary_key=True)
+    category_id = sa.Column(
+        'category_id',
+        sa.Integer,
+        sa.ForeignKey('tag_category.id'),
+        nullable=False,
+        index=True)
+    version = sa.Column('version', sa.Integer, default=1, nullable=False)
+    creation_time = sa.Column('creation_time', sa.DateTime, nullable=False)
+    last_edit_time = sa.Column('last_edit_time', sa.DateTime)
+    description = sa.Column('description', sa.UnicodeText, default=None)
+
+    category = sa.orm.relationship('TagCategory', lazy='joined')
+    names = sa.orm.relationship(
+        'TagName',
+        cascade='all,delete-orphan',
+        lazy='joined',
+        order_by='TagName.order')
+    suggestions = sa.orm.relationship(
+        'Tag',
+        secondary='tag_suggestion',
+        primaryjoin=tag_id == TagSuggestion.parent_id,
+        secondaryjoin=tag_id == TagSuggestion.child_id,
+        lazy='joined')
+    implications = sa.orm.relationship(
+        'Tag',
+        secondary='tag_implication',
+        primaryjoin=tag_id == TagImplication.parent_id,
+        secondaryjoin=tag_id == TagImplication.child_id,
+        lazy='joined')
+
+    post_count = sa.orm.column_property(
+        sa.sql.expression.select(
+            [sa.sql.expression.func.count(PostTag.post_id)])
+        .where(PostTag.tag_id == tag_id)
+        .correlate_except(PostTag))
+
+    first_name = sa.orm.column_property(
+        (
+            sa.sql.expression.select([TagName.name])
+            .where(TagName.tag_id == tag_id)
+            .order_by(TagName.order)
+            .limit(1)
+            .as_scalar()
+        ),
+        deferred=True)
+
+    suggestion_count = sa.orm.column_property(
+        (
+            sa.sql.expression.select(
+                [sa.sql.expression.func.count(TagSuggestion.child_id)])
+            .where(TagSuggestion.parent_id == tag_id)
+            .as_scalar()
+        ),
+        deferred=True)
+
+    implication_count = sa.orm.column_property(
+        (
+            sa.sql.expression.select(
+                [sa.sql.expression.func.count(TagImplication.child_id)])
+            .where(TagImplication.parent_id == tag_id)
+            .as_scalar()
+        ),
+        deferred=True)
+
+    __mapper_args__ = {
+        'version_id_col': version,
+        'version_id_generator': False,
+    }
diff --git a/server/szurubooru/model/tag_category.py b/server/szurubooru/model/tag_category.py
new file mode 100644
index 00000000..2c961ed6
--- /dev/null
+++ b/server/szurubooru/model/tag_category.py
@@ -0,0 +1,28 @@
+from typing import Optional
+import sqlalchemy as sa
+from szurubooru.model.base import Base
+from szurubooru.model.tag import Tag
+
+
+class TagCategory(Base):
+    __tablename__ = 'tag_category'
+
+    tag_category_id = sa.Column('id', sa.Integer, primary_key=True)
+    version = sa.Column('version', sa.Integer, default=1, nullable=False)
+    name = sa.Column('name', sa.Unicode(32), nullable=False)
+    color = sa.Column(
+        'color', sa.Unicode(32), nullable=False, default='#000000')
+    default = sa.Column('default', sa.Boolean, nullable=False, default=False)
+
+    def __init__(self, name: Optional[str] = None) -> None:
+        self.name = name
+
+    tag_count = sa.orm.column_property(
+        sa.sql.expression.select([sa.sql.expression.func.count('Tag.tag_id')])
+        .where(Tag.category_id == tag_category_id)
+        .correlate_except(sa.table('Tag')))
+
+    __mapper_args__ = {
+        'version_id_col': version,
+        'version_id_generator': False,
+    }
diff --git a/server/szurubooru/model/user.py b/server/szurubooru/model/user.py
new file mode 100644
index 00000000..2d599e85
--- /dev/null
+++ b/server/szurubooru/model/user.py
@@ -0,0 +1,110 @@
+import sqlalchemy as sa
+from szurubooru.model.base import Base
+from szurubooru.model.post import Post, PostScore, PostFavorite
+from szurubooru.model.comment import Comment
+
+
+class User(Base):
+    __tablename__ = 'user'
+
+    AVATAR_GRAVATAR = 'gravatar'
+    AVATAR_MANUAL = 'manual'
+
+    RANK_ANONYMOUS = 'anonymous'
+    RANK_RESTRICTED = 'restricted'
+    RANK_REGULAR = 'regular'
+    RANK_POWER = 'power'
+    RANK_MODERATOR = 'moderator'
+    RANK_ADMINISTRATOR = 'administrator'
+    RANK_NOBODY = 'nobody'  # unattainable, used for privileges
+
+    user_id = sa.Column('id', sa.Integer, primary_key=True)
+    creation_time = sa.Column('creation_time', sa.DateTime, nullable=False)
+    last_login_time = sa.Column('last_login_time', sa.DateTime)
+    version = sa.Column('version', sa.Integer, default=1, nullable=False)
+    name = sa.Column('name', sa.Unicode(50), nullable=False, unique=True)
+    password_hash = sa.Column('password_hash', sa.Unicode(128), nullable=False)
+    password_salt = sa.Column('password_salt', sa.Unicode(32))
+    password_revision = sa.Column(
+        'password_revision', sa.SmallInteger, default=0, nullable=False)
+    email = sa.Column('email', sa.Unicode(64), nullable=True)
+    rank = sa.Column('rank', sa.Unicode(32), nullable=False)
+    avatar_style = sa.Column(
+        'avatar_style', sa.Unicode(32), nullable=False,
+        default=AVATAR_GRAVATAR)
+
+    comments = sa.orm.relationship('Comment')
+
+    @property
+    def post_count(self) -> int:
+        from szurubooru.db import session
+        return (
+            session
+            .query(sa.sql.expression.func.sum(1))
+            .filter(Post.user_id == self.user_id)
+            .one()[0] or 0)
+
+    @property
+    def comment_count(self) -> int:
+        from szurubooru.db import session
+        return (
+            session
+            .query(sa.sql.expression.func.sum(1))
+            .filter(Comment.user_id == self.user_id)
+            .one()[0] or 0)
+
+    @property
+    def favorite_post_count(self) -> int:
+        from szurubooru.db import session
+        return (
+            session
+            .query(sa.sql.expression.func.sum(1))
+            .filter(PostFavorite.user_id == self.user_id)
+            .one()[0] or 0)
+
+    @property
+    def liked_post_count(self) -> int:
+        from szurubooru.db import session
+        return (
+            session
+            .query(sa.sql.expression.func.sum(1))
+            .filter(PostScore.user_id == self.user_id)
+            .filter(PostScore.score == 1)
+            .one()[0] or 0)
+
+    @property
+    def disliked_post_count(self) -> int:
+        from szurubooru.db import session
+        return (
+            session
+            .query(sa.sql.expression.func.sum(1))
+            .filter(PostScore.user_id == self.user_id)
+            .filter(PostScore.score == -1)
+            .one()[0] or 0)
+
+    __mapper_args__ = {
+        'version_id_col': version,
+        'version_id_generator': False,
+    }
+
+
+class UserToken(Base):
+    __tablename__ = 'user_token'
+
+    user_token_id = sa.Column('id', sa.Integer, primary_key=True)
+    user_id = sa.Column(
+        'user_id',
+        sa.Integer,
+        sa.ForeignKey('user.id', ondelete='CASCADE'),
+        nullable=False,
+        index=True)
+    token = sa.Column('token', sa.Unicode(36), nullable=False)
+    note = sa.Column('note', sa.Unicode(128), nullable=True)
+    enabled = sa.Column('enabled', sa.Boolean, nullable=False, default=True)
+    expiration_time = sa.Column('expiration_time', sa.DateTime, nullable=True)
+    creation_time = sa.Column('creation_time', sa.DateTime, nullable=False)
+    last_edit_time = sa.Column('last_edit_time', sa.DateTime)
+    last_usage_time = sa.Column('last_usage_time', sa.DateTime)
+    version = sa.Column('version', sa.Integer, default=1, nullable=False)
+
+    user = sa.orm.relationship('User')
diff --git a/server/szurubooru/model/util.py b/server/szurubooru/model/util.py
new file mode 100644
index 00000000..e82539f1
--- /dev/null
+++ b/server/szurubooru/model/util.py
@@ -0,0 +1,42 @@
+from typing import Tuple, Any, Dict, Callable, Union, Optional
+import sqlalchemy as sa
+from szurubooru.model.base import Base
+from szurubooru.model.user import User
+
+
+def get_resource_info(entity: Base) -> Tuple[Any, Any, Union[str, int]]:
+    serializers = {
+        'tag': lambda tag: tag.first_name,
+        'tag_category': lambda category: category.name,
+        'comment': lambda comment: comment.comment_id,
+        'post': lambda post: post.post_id,
+    }  # type: Dict[str, Callable[[Base], Any]]
+
+    resource_type = entity.__table__.name
+    assert resource_type in serializers
+
+    primary_key = sa.inspection.inspect(entity).identity  # type: Any
+    assert primary_key is not None
+    assert len(primary_key) == 1
+
+    resource_name = serializers[resource_type](entity)  # type: Union[str, int]
+    assert resource_name
+
+    resource_pkey = primary_key[0]  # type: Any
+    assert resource_pkey
+
+    return (resource_type, resource_pkey, resource_name)
+
+
+def get_aux_entity(
+        session: Any,
+        get_table_info: Callable[[Base], Tuple[Base, Callable[[Base], Any]]],
+        entity: Base,
+        user: User) -> Optional[Base]:
+    table, get_column = get_table_info(entity)
+    return (
+        session
+        .query(table)
+        .filter(get_column(table) == get_column(entity))
+        .filter(table.user_id == user.user_id)
+        .one_or_none())
diff --git a/server/szurubooru/rest/__init__.py b/server/szurubooru/rest/__init__.py
index ac9958a5..d6b3ef28 100644
--- a/server/szurubooru/rest/__init__.py
+++ b/server/szurubooru/rest/__init__.py
@@ -1,2 +1,3 @@
 from szurubooru.rest.app import application
-from szurubooru.rest.context import Context
+from szurubooru.rest.context import Context, Response
+import szurubooru.rest.routes
diff --git a/server/szurubooru/rest/app.py b/server/szurubooru/rest/app.py
index 0823e6e3..8c9efba1 100644
--- a/server/szurubooru/rest/app.py
+++ b/server/szurubooru/rest/app.py
@@ -2,13 +2,14 @@ import urllib.parse
 import cgi
 import json
 import re
+from typing import Dict, Any, Callable, Tuple
 from datetime import datetime
 from szurubooru import db
 from szurubooru.func import util
 from szurubooru.rest import errors, middleware, routes, context
 
 
-def _json_serializer(obj):
+def _json_serializer(obj: Any) -> str:
     ''' JSON serializer for objects not serializable by default JSON code '''
     if isinstance(obj, datetime):
         serial = obj.isoformat('T') + 'Z'
@@ -16,12 +17,12 @@ def _json_serializer(obj):
     raise TypeError('Type not serializable')
 
 
-def _dump_json(obj):
+def _dump_json(obj: Any) -> str:
     return json.dumps(obj, default=_json_serializer, indent=2)
 
 
-def _get_headers(env):
-    headers = {}
+def _get_headers(env: Dict[str, Any]) -> Dict[str, str]:
+    headers = {}  # type: Dict[str, str]
     for key, value in env.items():
         if key.startswith('HTTP_'):
             key = util.snake_case_to_upper_train_case(key[5:])
@@ -29,9 +30,10 @@ def _get_headers(env):
     return headers
 
 
-def _create_context(env):
+def _create_context(env: Dict[str, Any]) -> context.Context:
     method = env['REQUEST_METHOD']
-    path = urllib.parse.unquote('/' + env['PATH_INFO'].lstrip('/'))
+    path = '/' + env['PATH_INFO'].lstrip('/')
+    path = path.encode('latin-1').decode('utf-8')  # PEP-3333
     headers = _get_headers(env)
 
     files = {}
@@ -61,10 +63,12 @@ def _create_context(env):
                 'Could not decode the request body. The JSON '
                 'was incorrect or was not encoded as UTF-8.')
 
-    return context.Context(method, path, headers, params, files)
+    return context.Context(env, method, path, headers, params, files)
 
 
-def application(env, start_response):
+def application(
+        env: Dict[str, Any],
+        start_response: Callable[[str, Any], Any]) -> Tuple[bytes]:
     try:
         ctx = _create_context(env)
         if 'application/json' not in ctx.get_header('Accept'):
@@ -93,6 +97,9 @@ def application(env, start_response):
                     hook(ctx)
                 try:
                     response = handler(ctx, match.groupdict())
+                except Exception:
+                    ctx.session.rollback()
+                    raise
                 finally:
                     for hook in middleware.post_hooks:
                         hook(ctx)
@@ -103,9 +110,9 @@ def application(env, start_response):
             return (_dump_json(response).encode('utf-8'),)
 
         except Exception as ex:
-            for exception_type, handler in errors.error_handlers.items():
+            for exception_type, ex_handler in errors.error_handlers.items():
                 if isinstance(ex, exception_type):
-                    handler(ex)
+                    ex_handler(ex)
             raise
 
     except errors.BaseHttpError as ex:
diff --git a/server/szurubooru/rest/context.py b/server/szurubooru/rest/context.py
index 081064ed..2aad101a 100644
--- a/server/szurubooru/rest/context.py
+++ b/server/szurubooru/rest/context.py
@@ -1,110 +1,182 @@
-from szurubooru import errors
+from typing import Any, Union, List, Dict, Optional, cast
+from szurubooru import model, errors
 from szurubooru.func import net, file_uploads
 
 
-def _lower_first(source):
-    return source[0].lower() + source[1:]
-
-
-def _param_wrapper(func):
-    def wrapper(self, name, required=False, default=None, **kwargs):
-        # pylint: disable=protected-access
-        if name in self._params:
-            value = self._params[name]
-            try:
-                value = func(self, value, **kwargs)
-            except errors.InvalidParameterError as ex:
-                raise errors.InvalidParameterError(
-                    'Parameter %r is invalid: %s' % (
-                        name, _lower_first(str(ex))))
-            return value
-        if not required:
-            return default
-        raise errors.MissingRequiredParameterError(
-            'Required parameter %r is missing.' % name)
-    return wrapper
+MISSING = object()
+Request = Dict[str, Any]
+Response = Optional[Dict[str, Any]]
 
 
 class Context:
-    def __init__(self, method, url, headers=None, params=None, files=None):
+    def __init__(
+            self,
+            env: Dict[str, Any],
+            method: str,
+            url: str,
+            headers: Dict[str, str] = None,
+            params: Request = None,
+            files: Dict[str, bytes] = None) -> None:
+        self.env = env
         self.method = method
         self.url = url
         self._headers = headers or {}
         self._params = params or {}
         self._files = files or {}
 
-        # provided by middleware
-        # self.session = None
-        # self.user = None
+        self.user = model.User()
+        self.user.name = None
+        self.user.rank = 'anonymous'
 
-    def has_header(self, name):
+        self.session = None  # type: Any
+
+    def has_header(self, name: str) -> bool:
         return name in self._headers
 
-    def get_header(self, name):
-        return self._headers.get(name, None)
+    def get_header(self, name: str) -> str:
+        return self._headers.get(name, '')
 
-    def has_file(self, name, allow_tokens=True):
-        return (name in self._files
-            or name + 'Url' in self._params
-            or (allow_tokens and name + 'Token' in self._params))
+    def has_file(self, name: str, allow_tokens: bool = True) -> bool:
+        return (
+            name in self._files or
+            name + 'Url' in self._params or
+            (allow_tokens and name + 'Token' in self._params))
 
-    def get_file(self, name, required=False, allow_tokens=True):
-        ret = None
-        if name in self._files:
-            ret = self._files[name]
-        elif name + 'Url' in self._params:
-            ret = net.download(self._params[name + 'Url'])
-        elif allow_tokens and name + 'Token' in self._params:
+    def get_file(
+            self,
+            name: str,
+            default: Union[object, bytes] = MISSING,
+            allow_tokens: bool = True) -> bytes:
+        if name in self._files and self._files[name]:
+            return self._files[name]
+
+        if name + 'Url' in self._params:
+            return net.download(self._params[name + 'Url'])
+
+        if allow_tokens and name + 'Token' in self._params:
             ret = file_uploads.get(self._params[name + 'Token'])
-            if required and not ret:
+            if ret:
+                return ret
+            elif default is not MISSING:
                 raise errors.MissingOrExpiredRequiredFileError(
                     'Required file %r is missing or has expired.' % name)
-        if required and not ret:
-            raise errors.MissingRequiredFileError(
-                'Required file %r is missing.' % name)
-        return ret
 
-    def has_param(self, name):
+        if default is not MISSING:
+            return cast(bytes, default)
+        raise errors.MissingRequiredFileError(
+            'Required file %r is missing.' % name)
+
+    def has_param(self, name: str) -> bool:
         return name in self._params
 
-    @_param_wrapper
-    def get_param_as_list(self, value):
-        if not isinstance(value, list):
+    def get_param_as_list(
+            self,
+            name: str,
+            default: Union[object, List[Any]] = MISSING) -> List[Any]:
+        if name not in self._params:
+            if default is not MISSING:
+                return cast(List[Any], default)
+            raise errors.MissingRequiredParameterError(
+                'Required parameter %r is missing.' % name)
+        value = self._params[name]
+        if type(value) is str:
             if ',' in value:
                 return value.split(',')
             return [value]
-        return value
+        if type(value) is list:
+            return value
+        raise errors.InvalidParameterError(
+            'Parameter %r must be a list.' % name)
 
-    @_param_wrapper
-    def get_param_as_string(self, value):
-        if isinstance(value, list):
-            try:
-                value = ','.join(value)
-            except:
-                raise errors.InvalidParameterError('Expected simple string.')
-        return value
+    def get_param_as_int_list(
+            self,
+            name: str,
+            default: Union[object, List[int]] = MISSING) -> List[int]:
+        ret = self.get_param_as_list(name, default)
+        for item in ret:
+            if type(item) is not int:
+                raise errors.InvalidParameterError(
+                    'Parameter %r must be a list of integer values.' % name)
+        return ret
 
-    @_param_wrapper
-    def get_param_as_int(self, value, min=None, max=None):
+    def get_param_as_string_list(
+            self,
+            name: str,
+            default: Union[object, List[str]] = MISSING) -> List[str]:
+        ret = self.get_param_as_list(name, default)
+        for item in ret:
+            if type(item) is not str:
+                raise errors.InvalidParameterError(
+                    'Parameter %r must be a list of string values.' % name)
+        return ret
+
+    def get_param_as_string(
+            self,
+            name: str,
+            default: Union[object, str] = MISSING) -> str:
+        if name not in self._params:
+            if default is not MISSING:
+                return cast(str, default)
+            raise errors.MissingRequiredParameterError(
+                'Required parameter %r is missing.' % name)
+        value = self._params[name]
+        try:
+            if value is None:
+                return ''
+            if type(value) is list:
+                return ','.join(value)
+            if type(value) is int or type(value) is float:
+                return str(value)
+            if type(value) is str:
+                return value
+        except TypeError:
+            pass
+        raise errors.InvalidParameterError(
+            'Parameter %r must be a string value.' % name)
+
+    def get_param_as_int(
+            self,
+            name: str,
+            default: Union[object, int] = MISSING,
+            min: Optional[int] = None,
+            max: Optional[int] = None) -> int:
+        if name not in self._params:
+            if default is not MISSING:
+                return cast(int, default)
+            raise errors.MissingRequiredParameterError(
+                'Required parameter %r is missing.' % name)
+        value = self._params[name]
         try:
             value = int(value)
+            if min is not None and value < min:
+                raise errors.InvalidParameterError(
+                    'Parameter %r must be at least %r.' % (name, min))
+            if max is not None and value > max:
+                raise errors.InvalidParameterError(
+                    'Parameter %r may not exceed %r.' % (name, max))
+            return value
         except (ValueError, TypeError):
-            raise errors.InvalidParameterError(
-                'The value must be an integer.')
-        if min is not None and value < min:
-            raise errors.InvalidParameterError(
-                'The value must be at least %r.' % min)
-        if max is not None and value > max:
-            raise errors.InvalidParameterError(
-                'The value may not exceed %r.' % max)
-        return value
+            pass
+        raise errors.InvalidParameterError(
+            'Parameter %r must be an integer value.' % name)
 
-    @_param_wrapper
-    def get_param_as_bool(self, value):
-        value = str(value).lower()
+    def get_param_as_bool(
+            self,
+            name: str,
+            default: Union[object, bool] = MISSING) -> bool:
+        if name not in self._params:
+            if default is not MISSING:
+                return cast(bool, default)
+            raise errors.MissingRequiredParameterError(
+                'Required parameter %r is missing.' % name)
+        value = self._params[name]
+        try:
+            value = str(value).lower()
+        except TypeError:
+            pass
         if value in ['1', 'y', 'yes', 'yeah', 'yep', 'yup', 't', 'true']:
             return True
         if value in ['0', 'n', 'no', 'nope', 'f', 'false']:
             return False
         raise errors.InvalidParameterError(
-            'The value must be a boolean value.')
+            'Parameter %r must be a boolean value.' % name)
diff --git a/server/szurubooru/rest/errors.py b/server/szurubooru/rest/errors.py
index 3c40b4c5..f90ac252 100644
--- a/server/szurubooru/rest/errors.py
+++ b/server/szurubooru/rest/errors.py
@@ -1,11 +1,19 @@
+from typing import Optional, Callable, Type, Dict
+
+
 error_handlers = {}  # pylint: disable=invalid-name
 
 
 class BaseHttpError(RuntimeError):
-    code = None
-    reason = None
+    code = -1
+    reason = ''
 
-    def __init__(self, name, description, title=None, extra_fields=None):
+    def __init__(
+            self,
+            name: str,
+            description: str,
+            title: Optional[str] = None,
+            extra_fields: Optional[Dict[str, str]] = None) -> None:
         super().__init__()
         # error name for programmers
         self.name = name
@@ -47,5 +55,12 @@ class HttpMethodNotAllowed(BaseHttpError):
     reason = 'Method Not Allowed'
 
 
-def handle(exception_type, handler):
+class HttpInternalServerError(BaseHttpError):
+    code = 500
+    reason = 'Internal Server Error'
+
+
+def handle(
+        exception_type: Type[Exception],
+        handler: Callable[[Exception], None]) -> None:
     error_handlers[exception_type] = handler
diff --git a/server/szurubooru/rest/middleware.py b/server/szurubooru/rest/middleware.py
index 7cf07296..ce457e0c 100644
--- a/server/szurubooru/rest/middleware.py
+++ b/server/szurubooru/rest/middleware.py
@@ -1,11 +1,15 @@
+from typing import List, Callable
+from szurubooru.rest.context import Context
+
+
 # pylint: disable=invalid-name
-pre_hooks = []
-post_hooks = []
+pre_hooks = []  # type: List[Callable[[Context], None]]
+post_hooks = []  # type: List[Callable[[Context], None]]
 
 
-def pre_hook(handler):
+def pre_hook(handler: Callable) -> None:
     pre_hooks.append(handler)
 
 
-def post_hook(handler):
+def post_hook(handler: Callable) -> None:
     post_hooks.insert(0, handler)
diff --git a/server/szurubooru/rest/routes.py b/server/szurubooru/rest/routes.py
index ffa95f56..569cbe1f 100644
--- a/server/szurubooru/rest/routes.py
+++ b/server/szurubooru/rest/routes.py
@@ -1,32 +1,36 @@
+from typing import Callable, Dict
 from collections import defaultdict
+from szurubooru.rest.context import Context, Response
 
 
-routes = defaultdict(dict)  # pylint: disable=invalid-name
+# pylint: disable=invalid-name
+RouteHandler = Callable[[Context, Dict[str, str]], Response]
+routes = defaultdict(dict)  # type: Dict[str, Dict[str, RouteHandler]]
 
 
-def get(url):
-    def wrapper(handler):
+def get(url: str) -> Callable[[RouteHandler], RouteHandler]:
+    def wrapper(handler: RouteHandler) -> RouteHandler:
         routes[url]['GET'] = handler
         return handler
     return wrapper
 
 
-def put(url):
-    def wrapper(handler):
+def put(url: str) -> Callable[[RouteHandler], RouteHandler]:
+    def wrapper(handler: RouteHandler) -> RouteHandler:
         routes[url]['PUT'] = handler
         return handler
     return wrapper
 
 
-def post(url):
-    def wrapper(handler):
+def post(url: str) -> Callable[[RouteHandler], RouteHandler]:
+    def wrapper(handler: RouteHandler) -> RouteHandler:
         routes[url]['POST'] = handler
         return handler
     return wrapper
 
 
-def delete(url):
-    def wrapper(handler):
+def delete(url: str) -> Callable[[RouteHandler], RouteHandler]:
+    def wrapper(handler: RouteHandler) -> RouteHandler:
         routes[url]['DELETE'] = handler
         return handler
     return wrapper
diff --git a/server/szurubooru/search/configs/base_search_config.py b/server/szurubooru/search/configs/base_search_config.py
index adc50d30..0cb814d4 100644
--- a/server/szurubooru/search/configs/base_search_config.py
+++ b/server/szurubooru/search/configs/base_search_config.py
@@ -1,38 +1,47 @@
-from szurubooru.search import tokens
+from typing import Optional, Tuple, Dict, Callable
+from szurubooru.search import tokens, criteria
+from szurubooru.search.query import SearchQuery
+from szurubooru.search.typing import SaColumn, SaQuery
+
+Filter = Callable[[SaQuery, Optional[criteria.BaseCriterion], bool], SaQuery]
 
 
 class BaseSearchConfig:
+    SORT_NONE = tokens.SortToken.SORT_NONE
     SORT_ASC = tokens.SortToken.SORT_ASC
     SORT_DESC = tokens.SortToken.SORT_DESC
 
-    def on_search_query_parsed(self, search_query):
+    def on_search_query_parsed(self, search_query: SearchQuery) -> None:
         pass
 
-    def create_filter_query(self, _disable_eager_loads):
+    def create_filter_query(self, _disable_eager_loads: bool) -> SaQuery:
         raise NotImplementedError()
 
-    def create_count_query(self, disable_eager_loads):
+    def create_count_query(self, disable_eager_loads: bool) -> SaQuery:
         raise NotImplementedError()
 
-    def create_around_query(self):
+    def create_around_query(self) -> SaQuery:
         raise NotImplementedError()
 
+    def finalize_query(self, query: SaQuery) -> SaQuery:
+        return query
+
     @property
-    def id_column(self):
+    def id_column(self) -> SaColumn:
         return None
 
     @property
-    def anonymous_filter(self):
+    def anonymous_filter(self) -> Optional[Filter]:
         return None
 
     @property
-    def special_filters(self):
+    def special_filters(self) -> Dict[str, Filter]:
         return {}
 
     @property
-    def named_filters(self):
+    def named_filters(self) -> Dict[str, Filter]:
         return {}
 
     @property
-    def sort_columns(self):
+    def sort_columns(self) -> Dict[str, Tuple[SaColumn, str]]:
         return {}
diff --git a/server/szurubooru/search/configs/comment_search_config.py b/server/szurubooru/search/configs/comment_search_config.py
index 9b2515e8..8b154460 100644
--- a/server/szurubooru/search/configs/comment_search_config.py
+++ b/server/szurubooru/search/configs/comment_search_config.py
@@ -1,59 +1,62 @@
-from sqlalchemy.sql.expression import func
-from szurubooru import db
+from typing import Tuple, Dict
+import sqlalchemy as sa
+from szurubooru import db, model
+from szurubooru.search.typing import SaColumn, SaQuery
 from szurubooru.search.configs import util as search_util
-from szurubooru.search.configs.base_search_config import BaseSearchConfig
+from szurubooru.search.configs.base_search_config import (
+    BaseSearchConfig, Filter)
 
 
 class CommentSearchConfig(BaseSearchConfig):
-    def create_filter_query(self, _disable_eager_loads):
-        return db.session.query(db.Comment).join(db.User)
+    def create_filter_query(self, _disable_eager_loads: bool) -> SaQuery:
+        return db.session.query(model.Comment).join(model.User)
 
-    def create_count_query(self, disable_eager_loads):
+    def create_count_query(self, disable_eager_loads: bool) -> SaQuery:
         return self.create_filter_query(disable_eager_loads)
 
-    def create_around_query(self):
+    def create_around_query(self) -> SaQuery:
         raise NotImplementedError()
 
-    def finalize_query(self, query):
-        return query.order_by(db.Comment.creation_time.desc())
+    def finalize_query(self, query: SaQuery) -> SaQuery:
+        return query.order_by(model.Comment.creation_time.desc())
 
     @property
-    def anonymous_filter(self):
-        return search_util.create_str_filter(db.Comment.text)
+    def anonymous_filter(self) -> SaQuery:
+        return search_util.create_str_filter(model.Comment.text)
 
     @property
-    def named_filters(self):
+    def named_filters(self) -> Dict[str, Filter]:
         return {
-            'id': search_util.create_num_filter(db.Comment.comment_id),
-            'post': search_util.create_num_filter(db.Comment.post_id),
-            'user': search_util.create_str_filter(db.User.name),
-            'author': search_util.create_str_filter(db.User.name),
-            'text': search_util.create_str_filter(db.Comment.text),
+            'id': search_util.create_num_filter(model.Comment.comment_id),
+            'post': search_util.create_num_filter(model.Comment.post_id),
+            'user': search_util.create_str_filter(model.User.name),
+            'author': search_util.create_str_filter(model.User.name),
+            'text': search_util.create_str_filter(model.Comment.text),
             'creation-date':
-                search_util.create_date_filter(db.Comment.creation_time),
+                search_util.create_date_filter(model.Comment.creation_time),
             'creation-time':
-                search_util.create_date_filter(db.Comment.creation_time),
+                search_util.create_date_filter(model.Comment.creation_time),
             'last-edit-date':
-                search_util.create_date_filter(db.Comment.last_edit_time),
+                search_util.create_date_filter(model.Comment.last_edit_time),
             'last-edit-time':
-                search_util.create_date_filter(db.Comment.last_edit_time),
+                search_util.create_date_filter(model.Comment.last_edit_time),
             'edit-date':
-                search_util.create_date_filter(db.Comment.last_edit_time),
+                search_util.create_date_filter(model.Comment.last_edit_time),
             'edit-time':
-                search_util.create_date_filter(db.Comment.last_edit_time),
+                search_util.create_date_filter(model.Comment.last_edit_time),
         }
 
     @property
-    def sort_columns(self):
+    def sort_columns(self) -> Dict[str, Tuple[SaColumn, str]]:
         return {
-            'random': (func.random(), None),
-            'user': (db.User.name, self.SORT_ASC),
-            'author': (db.User.name, self.SORT_ASC),
-            'post': (db.Comment.post_id, self.SORT_DESC),
-            'creation-date': (db.Comment.creation_time, self.SORT_DESC),
-            'creation-time': (db.Comment.creation_time, self.SORT_DESC),
-            'last-edit-date': (db.Comment.last_edit_time, self.SORT_DESC),
-            'last-edit-time': (db.Comment.last_edit_time, self.SORT_DESC),
-            'edit-date': (db.Comment.last_edit_time, self.SORT_DESC),
-            'edit-time': (db.Comment.last_edit_time, self.SORT_DESC),
+            'random': (sa.sql.expression.func.random(), self.SORT_NONE),
+            'user': (model.User.name, self.SORT_ASC),
+            'author': (model.User.name, self.SORT_ASC),
+            'post': (model.Comment.post_id, self.SORT_DESC),
+            'creation-date': (model.Comment.creation_time, self.SORT_DESC),
+            'creation-time': (model.Comment.creation_time, self.SORT_DESC),
+            'last-edit-date': (model.Comment.last_edit_time, self.SORT_DESC),
+            'last-edit-time': (model.Comment.last_edit_time, self.SORT_DESC),
+            'edit-date': (model.Comment.last_edit_time, self.SORT_DESC),
+            'edit-time': (model.Comment.last_edit_time, self.SORT_DESC),
         }
diff --git a/server/szurubooru/search/configs/post_search_config.py b/server/szurubooru/search/configs/post_search_config.py
index b0ea3300..8baa0dd2 100644
--- a/server/szurubooru/search/configs/post_search_config.py
+++ b/server/szurubooru/search/configs/post_search_config.py
@@ -1,86 +1,102 @@
-from sqlalchemy.orm import subqueryload, lazyload, defer, aliased
-from sqlalchemy.sql.expression import func
-from szurubooru import db, errors
+from typing import Any, Optional, Tuple, Dict
+import sqlalchemy as sa
+from szurubooru import db, model, errors
 from szurubooru.func import util
 from szurubooru.search import criteria, tokens
+from szurubooru.search.typing import SaColumn, SaQuery
+from szurubooru.search.query import SearchQuery
 from szurubooru.search.configs import util as search_util
-from szurubooru.search.configs.base_search_config import BaseSearchConfig
+from szurubooru.search.configs.base_search_config import (
+    BaseSearchConfig, Filter)
 
 
-def _enum_transformer(available_values, value):
-    try:
-        return available_values[value.lower()]
-    except KeyError:
-        raise errors.SearchError(
-            'Invalid value: %r. Possible values: %r.' % (
-                value, list(sorted(available_values.keys()))))
-
-
-def _type_transformer(value):
+def _type_transformer(value: str) -> str:
     available_values = {
-        'image': db.Post.TYPE_IMAGE,
-        'animation': db.Post.TYPE_ANIMATION,
-        'animated': db.Post.TYPE_ANIMATION,
-        'anim': db.Post.TYPE_ANIMATION,
-        'gif': db.Post.TYPE_ANIMATION,
-        'video': db.Post.TYPE_VIDEO,
-        'webm': db.Post.TYPE_VIDEO,
-        'flash': db.Post.TYPE_FLASH,
-        'swf': db.Post.TYPE_FLASH,
+        'image': model.Post.TYPE_IMAGE,
+        'animation': model.Post.TYPE_ANIMATION,
+        'animated': model.Post.TYPE_ANIMATION,
+        'anim': model.Post.TYPE_ANIMATION,
+        'gif': model.Post.TYPE_ANIMATION,
+        'video': model.Post.TYPE_VIDEO,
+        'webm': model.Post.TYPE_VIDEO,
+        'flash': model.Post.TYPE_FLASH,
+        'swf': model.Post.TYPE_FLASH,
     }
-    return _enum_transformer(available_values, value)
+    return search_util.enum_transformer(available_values, value)
 
 
-def _safety_transformer(value):
+def _safety_transformer(value: str) -> str:
     available_values = {
-        'safe': db.Post.SAFETY_SAFE,
-        'sketchy': db.Post.SAFETY_SKETCHY,
-        'questionable': db.Post.SAFETY_SKETCHY,
-        'unsafe': db.Post.SAFETY_UNSAFE,
+        'safe': model.Post.SAFETY_SAFE,
+        'sketchy': model.Post.SAFETY_SKETCHY,
+        'questionable': model.Post.SAFETY_SKETCHY,
+        'unsafe': model.Post.SAFETY_UNSAFE,
     }
-    return _enum_transformer(available_values, value)
+    return search_util.enum_transformer(available_values, value)
 
 
-def _create_score_filter(score):
-    def wrapper(query, criterion, negated):
+def _create_score_filter(score: int) -> Filter:
+    def wrapper(
+            query: SaQuery,
+            criterion: Optional[criteria.BaseCriterion],
+            negated: bool) -> SaQuery:
+        assert criterion
         if not getattr(criterion, 'internal', False):
             raise errors.SearchError(
                 'Votes cannot be seen publicly. Did you mean %r?'
-                    % 'special:liked')
-        user_alias = aliased(db.User)
-        score_alias = aliased(db.PostScore)
+                % 'special:liked')
+        user_alias = sa.orm.aliased(model.User)
+        score_alias = sa.orm.aliased(model.PostScore)
         expr = score_alias.score == score
         expr = expr & search_util.apply_str_criterion_to_column(
             user_alias.name, criterion)
         if negated:
             expr = ~expr
-        ret = query \
-            .join(score_alias, score_alias.post_id == db.Post.post_id) \
-            .join(user_alias, user_alias.user_id == score_alias.user_id) \
-            .filter(expr)
+        ret = (
+            query
+            .join(score_alias, score_alias.post_id == model.Post.post_id)
+            .join(user_alias, user_alias.user_id == score_alias.user_id)
+            .filter(expr))
         return ret
     return wrapper
 
 
-def _create_user_filter():
-    def wrapper(query, criterion, negated):
-        if isinstance(criterion, criteria.PlainCriterion) \
-                and not criterion.value:
-            # pylint: disable=singleton-comparison
-            expr = db.Post.user_id == None
-            if negated:
-                expr = ~expr
-            return query.filter(expr)
-        return search_util.create_subquery_filter(
-            db.Post.user_id,
-            db.User.user_id,
-            db.User.name,
-            search_util.create_str_filter)(query, criterion, negated)
-    return wrapper
+def _user_filter(
+        query: SaQuery,
+        criterion: Optional[criteria.BaseCriterion],
+        negated: bool) -> SaQuery:
+    assert criterion
+    if isinstance(criterion, criteria.PlainCriterion) \
+            and not criterion.value:
+        # pylint: disable=singleton-comparison
+        expr = model.Post.user_id == None
+        if negated:
+            expr = ~expr
+        return query.filter(expr)
+    return search_util.create_subquery_filter(
+        model.Post.user_id,
+        model.User.user_id,
+        model.User.name,
+        search_util.create_str_filter)(query, criterion, negated)
+
+
+def _note_filter(
+        query: SaQuery,
+        criterion: Optional[criteria.BaseCriterion],
+        negated: bool) -> SaQuery:
+    assert criterion
+    return search_util.create_subquery_filter(
+        model.Post.post_id,
+        model.PostNote.post_id,
+        model.PostNote.text,
+        search_util.create_str_filter)(query, criterion, negated)
 
 
 class PostSearchConfig(BaseSearchConfig):
-    def on_search_query_parsed(self, search_query):
+    def __init__(self) -> None:
+        self.user = None  # type: Optional[model.User]
+
+    def on_search_query_parsed(self, search_query: SearchQuery) -> SaQuery:
         new_special_tokens = []
         for token in search_query.special_tokens:
             if token.value in ('fav', 'liked', 'disliked'):
@@ -91,7 +107,7 @@ class PostSearchConfig(BaseSearchConfig):
                 criterion = criteria.PlainCriterion(
                     original_text=self.user.name,
                     value=self.user.name)
-                criterion.internal = True
+                setattr(criterion, 'internal', True)
                 search_query.named_tokens.append(
                     tokens.NamedToken(
                         name=token.value,
@@ -101,160 +117,337 @@ class PostSearchConfig(BaseSearchConfig):
                 new_special_tokens.append(token)
         search_query.special_tokens = new_special_tokens
 
-    def create_around_query(self):
-        return db.session.query(db.Post.post_id)
+    def create_around_query(self) -> SaQuery:
+        return db.session.query(model.Post).options(sa.orm.lazyload('*'))
 
-    def create_filter_query(self, disable_eager_loads):
-        strategy = lazyload if disable_eager_loads else subqueryload
-        return db.session.query(db.Post) \
+    def create_filter_query(self, disable_eager_loads: bool) -> SaQuery:
+        strategy = (
+            sa.orm.lazyload
+            if disable_eager_loads
+            else sa.orm.subqueryload)
+        return (
+            db.session.query(model.Post)
             .options(
-                lazyload('*'),
+                sa.orm.lazyload('*'),
                 # use config optimized for official client
-                # defer(db.Post.score),
-                # defer(db.Post.favorite_count),
-                # defer(db.Post.comment_count),
-                defer(db.Post.last_favorite_time),
-                defer(db.Post.feature_count),
-                defer(db.Post.last_feature_time),
-                defer(db.Post.last_comment_creation_time),
-                defer(db.Post.last_comment_edit_time),
-                defer(db.Post.note_count),
-                defer(db.Post.tag_count),
-                strategy(db.Post.tags).subqueryload(db.Tag.names),
-                strategy(db.Post.tags).defer(db.Tag.post_count),
-                strategy(db.Post.tags).lazyload(db.Tag.implications),
-                strategy(db.Post.tags).lazyload(db.Tag.suggestions))
+                # sa.orm.defer(model.Post.score),
+                # sa.orm.defer(model.Post.favorite_count),
+                # sa.orm.defer(model.Post.comment_count),
+                sa.orm.defer(model.Post.last_favorite_time),
+                sa.orm.defer(model.Post.feature_count),
+                sa.orm.defer(model.Post.last_feature_time),
+                sa.orm.defer(model.Post.last_comment_creation_time),
+                sa.orm.defer(model.Post.last_comment_edit_time),
+                sa.orm.defer(model.Post.note_count),
+                sa.orm.defer(model.Post.tag_count),
+                strategy(model.Post.tags).subqueryload(model.Tag.names),
+                strategy(model.Post.tags).defer(model.Tag.post_count),
+                strategy(model.Post.tags).lazyload(model.Tag.implications),
+                strategy(model.Post.tags).lazyload(model.Tag.suggestions)))
 
-    def create_count_query(self, _disable_eager_loads):
-        return db.session.query(db.Post)
+    def create_count_query(self, _disable_eager_loads: bool) -> SaQuery:
+        return db.session.query(model.Post)
 
-    def finalize_query(self, query):
-        return query.order_by(db.Post.post_id.desc())
+    def finalize_query(self, query: SaQuery) -> SaQuery:
+        return query.order_by(model.Post.post_id.desc())
 
     @property
-    def id_column(self):
-        return db.Post.post_id
+    def id_column(self) -> SaColumn:
+        return model.Post.post_id
 
     @property
-    def anonymous_filter(self):
+    def anonymous_filter(self) -> Optional[Filter]:
         return search_util.create_subquery_filter(
-            db.Post.post_id,
-            db.PostTag.post_id,
-            db.TagName.name,
+            model.Post.post_id,
+            model.PostTag.post_id,
+            model.TagName.name,
             search_util.create_str_filter,
-            lambda subquery: subquery.join(db.Tag).join(db.TagName))
+            lambda subquery: subquery.join(model.Tag).join(model.TagName))
 
     @property
-    def named_filters(self):
-        return util.unalias_dict({
-            'id': search_util.create_num_filter(db.Post.post_id),
-            'tag': search_util.create_subquery_filter(
-                db.Post.post_id,
-                db.PostTag.post_id,
-                db.TagName.name,
-                search_util.create_str_filter,
-                lambda subquery: subquery.join(db.Tag).join(db.TagName)),
-            'score': search_util.create_num_filter(db.Post.score),
-            ('uploader', 'upload', 'submit'):
-                _create_user_filter(),
-            'comment': search_util.create_subquery_filter(
-                db.Post.post_id,
-                db.Comment.post_id,
-                db.User.name,
-                search_util.create_str_filter,
-                lambda subquery: subquery.join(db.User)),
-            'fav': search_util.create_subquery_filter(
-                db.Post.post_id,
-                db.PostFavorite.post_id,
-                db.User.name,
-                search_util.create_str_filter,
-                lambda subquery: subquery.join(db.User)),
-            'liked': _create_score_filter(1),
-            'disliked': _create_score_filter(-1),
-            'tag-count': search_util.create_num_filter(db.Post.tag_count),
-            'comment-count':
-                search_util.create_num_filter(db.Post.comment_count),
-            'fav-count':
-                search_util.create_num_filter(db.Post.favorite_count),
-            'note-count': search_util.create_num_filter(db.Post.note_count),
-            'relation-count':
-                search_util.create_num_filter(db.Post.relation_count),
-            'feature-count':
-                search_util.create_num_filter(db.Post.feature_count),
-            'type':
+    def named_filters(self) -> Dict[str, Filter]:
+        return util.unalias_dict([
+            (
+                ['id'],
+                search_util.create_num_filter(model.Post.post_id)
+            ),
+
+            (
+                ['tag'],
+                search_util.create_subquery_filter(
+                    model.Post.post_id,
+                    model.PostTag.post_id,
+                    model.TagName.name,
+                    search_util.create_str_filter,
+                    lambda subquery:
+                        subquery.join(model.Tag).join(model.TagName))
+            ),
+
+            (
+                ['score'],
+                search_util.create_num_filter(model.Post.score)
+            ),
+
+            (
+                ['uploader', 'upload', 'submit'],
+                _user_filter
+            ),
+
+            (
+                ['comment'],
+                search_util.create_subquery_filter(
+                    model.Post.post_id,
+                    model.Comment.post_id,
+                    model.User.name,
+                    search_util.create_str_filter,
+                    lambda subquery: subquery.join(model.User))
+            ),
+
+            (
+                ['fav'],
+                search_util.create_subquery_filter(
+                    model.Post.post_id,
+                    model.PostFavorite.post_id,
+                    model.User.name,
+                    search_util.create_str_filter,
+                    lambda subquery: subquery.join(model.User))
+            ),
+
+            (
+                ['liked'],
+                _create_score_filter(1)
+            ),
+            (
+                ['disliked'],
+                _create_score_filter(-1)
+            ),
+
+            (
+                ['tag-count'],
+                search_util.create_num_filter(model.Post.tag_count)
+            ),
+
+            (
+                ['comment-count'],
+                search_util.create_num_filter(model.Post.comment_count)
+            ),
+
+            (
+                ['fav-count'],
+                search_util.create_num_filter(model.Post.favorite_count)
+            ),
+
+            (
+                ['note-count'],
+                search_util.create_num_filter(model.Post.note_count)
+            ),
+
+            (
+                ['relation-count'],
+                search_util.create_num_filter(model.Post.relation_count)
+            ),
+
+            (
+                ['feature-count'],
+                search_util.create_num_filter(model.Post.feature_count)
+            ),
+
+            (
+                ['type'],
                 search_util.create_str_filter(
-                    db.Post.type, _type_transformer),
-            'content-checksum': search_util.create_str_filter(
-                db.Post.checksum),
-            'file-size': search_util.create_num_filter(db.Post.file_size),
-            ('image-width', 'width'):
-                search_util.create_num_filter(db.Post.canvas_width),
-            ('image-height', 'height'):
-                search_util.create_num_filter(db.Post.canvas_height),
-            ('image-area', 'area'):
-                search_util.create_num_filter(db.Post.canvas_area),
-            ('creation-date', 'creation-time', 'date', 'time'):
-                search_util.create_date_filter(db.Post.creation_time),
-            ('last-edit-date', 'last-edit-time', 'edit-date', 'edit-time'):
-                search_util.create_date_filter(db.Post.last_edit_time),
-            ('comment-date', 'comment-time'):
+                    model.Post.type, _type_transformer)
+            ),
+
+            (
+                ['content-checksum'],
+                search_util.create_str_filter(model.Post.checksum)
+            ),
+
+            (
+                ['file-size'],
+                search_util.create_num_filter(model.Post.file_size)
+            ),
+
+            (
+                ['image-width', 'width'],
+                search_util.create_num_filter(model.Post.canvas_width)
+            ),
+
+            (
+                ['image-height', 'height'],
+                search_util.create_num_filter(model.Post.canvas_height)
+            ),
+
+            (
+                ['image-area', 'area'],
+                search_util.create_num_filter(model.Post.canvas_area)
+            ),
+
+            (
+                ['image-aspect-ratio', 'image-ar', 'aspect-ratio', 'ar'],
+                search_util.create_num_filter(
+                    model.Post.canvas_aspect_ratio,
+                    transformer=search_util.float_transformer)
+            ),
+
+            (
+                ['creation-date', 'creation-time', 'date', 'time'],
+                search_util.create_date_filter(model.Post.creation_time)
+            ),
+
+            (
+                ['last-edit-date', 'last-edit-time', 'edit-date', 'edit-time'],
+                search_util.create_date_filter(model.Post.last_edit_time)
+            ),
+
+            (
+                ['comment-date', 'comment-time'],
                 search_util.create_date_filter(
-                    db.Post.last_comment_creation_time),
-            ('fav-date', 'fav-time'):
-                search_util.create_date_filter(db.Post.last_favorite_time),
-            ('feature-date', 'feature-time'):
-                search_util.create_date_filter(db.Post.last_feature_time),
-            ('safety', 'rating'):
+                    model.Post.last_comment_creation_time)
+            ),
+
+            (
+                ['fav-date', 'fav-time'],
+                search_util.create_date_filter(model.Post.last_favorite_time)
+            ),
+
+            (
+                ['feature-date', 'feature-time'],
+                search_util.create_date_filter(model.Post.last_feature_time)
+            ),
+
+            (
+                ['safety', 'rating'],
                 search_util.create_str_filter(
-                    db.Post.safety, _safety_transformer),
-        })
+                    model.Post.safety, _safety_transformer)
+            ),
+
+            (
+                ['note-text'],
+                _note_filter
+            ),
+        ])
 
     @property
-    def sort_columns(self):
-        return util.unalias_dict({
-            'random': (func.random(), None),
-            'id': (db.Post.post_id, self.SORT_DESC),
-            'score': (db.Post.score, self.SORT_DESC),
-            'tag-count': (db.Post.tag_count, self.SORT_DESC),
-            'comment-count': (db.Post.comment_count, self.SORT_DESC),
-            'fav-count': (db.Post.favorite_count, self.SORT_DESC),
-            'note-count': (db.Post.note_count, self.SORT_DESC),
-            'relation-count': (db.Post.relation_count, self.SORT_DESC),
-            'feature-count': (db.Post.feature_count, self.SORT_DESC),
-            'file-size': (db.Post.file_size, self.SORT_DESC),
-            ('image-width', 'width'):
-                (db.Post.canvas_width, self.SORT_DESC),
-            ('image-height', 'height'):
-                (db.Post.canvas_height, self.SORT_DESC),
-            ('image-area', 'area'):
-                (db.Post.canvas_area, self.SORT_DESC),
-            ('creation-date', 'creation-time', 'date', 'time'):
-                (db.Post.creation_time, self.SORT_DESC),
-            ('last-edit-date', 'last-edit-time', 'edit-date', 'edit-time'):
-                (db.Post.last_edit_time, self.SORT_DESC),
-            ('comment-date', 'comment-time'):
-                (db.Post.last_comment_creation_time, self.SORT_DESC),
-            ('fav-date', 'fav-time'):
-                (db.Post.last_favorite_time, self.SORT_DESC),
-            ('feature-date', 'feature-time'):
-                (db.Post.last_feature_time, self.SORT_DESC),
-        })
+    def sort_columns(self) -> Dict[str, Tuple[SaColumn, str]]:
+        return util.unalias_dict([
+            (
+                ['random'],
+                (sa.sql.expression.func.random(), self.SORT_NONE)
+            ),
+
+            (
+                ['id'],
+                (model.Post.post_id, self.SORT_DESC)
+            ),
+
+            (
+                ['score'],
+                (model.Post.score, self.SORT_DESC)
+            ),
+
+            (
+                ['tag-count'],
+                (model.Post.tag_count, self.SORT_DESC)
+            ),
+
+            (
+                ['comment-count'],
+                (model.Post.comment_count, self.SORT_DESC)
+            ),
+
+            (
+                ['fav-count'],
+                (model.Post.favorite_count, self.SORT_DESC)
+            ),
+
+            (
+                ['note-count'],
+                (model.Post.note_count, self.SORT_DESC)
+            ),
+
+            (
+                ['relation-count'],
+                (model.Post.relation_count, self.SORT_DESC)
+            ),
+
+            (
+                ['feature-count'],
+                (model.Post.feature_count, self.SORT_DESC)
+            ),
+
+            (
+                ['file-size'],
+                (model.Post.file_size, self.SORT_DESC)
+            ),
+
+            (
+                ['image-width', 'width'],
+                (model.Post.canvas_width, self.SORT_DESC)
+            ),
+
+            (
+                ['image-height', 'height'],
+                (model.Post.canvas_height, self.SORT_DESC)
+            ),
+
+            (
+                ['image-area', 'area'],
+                (model.Post.canvas_area, self.SORT_DESC)
+            ),
+
+            (
+                ['creation-date', 'creation-time', 'date', 'time'],
+                (model.Post.creation_time, self.SORT_DESC)
+            ),
+
+            (
+                ['last-edit-date', 'last-edit-time', 'edit-date', 'edit-time'],
+                (model.Post.last_edit_time, self.SORT_DESC)
+            ),
+
+            (
+                ['comment-date', 'comment-time'],
+                (model.Post.last_comment_creation_time, self.SORT_DESC)
+            ),
+
+            (
+                ['fav-date', 'fav-time'],
+                (model.Post.last_favorite_time, self.SORT_DESC)
+            ),
+
+            (
+                ['feature-date', 'feature-time'],
+                (model.Post.last_feature_time, self.SORT_DESC)
+            ),
+        ])
 
     @property
-    def special_filters(self):
+    def special_filters(self) -> Dict[str, Filter]:
         return {
-            # handled by parsed
-            'fav': None,
-            'liked': None,
-            'disliked': None,
+            # handled by parser
+            'fav': self.noop_filter,
+            'liked': self.noop_filter,
+            'disliked': self.noop_filter,
             'tumbleweed': self.tumbleweed_filter,
         }
 
-    def tumbleweed_filter(self, query, negated):
-        expr = \
-            (db.Post.comment_count == 0) \
-            & (db.Post.favorite_count == 0) \
-            & (db.Post.score == 0)
+    def noop_filter(
+            self,
+            query: SaQuery,
+            _criterion: Optional[criteria.BaseCriterion],
+            _negated: bool) -> SaQuery:
+        return query
+
+    def tumbleweed_filter(
+            self,
+            query: SaQuery,
+            _criterion: Optional[criteria.BaseCriterion],
+            negated: bool) -> SaQuery:
+        expr = (
+            (model.Post.comment_count == 0)
+            & (model.Post.favorite_count == 0)
+            & (model.Post.score == 0))
         if negated:
             expr = ~expr
         return query.filter(expr)
diff --git a/server/szurubooru/search/configs/snapshot_search_config.py b/server/szurubooru/search/configs/snapshot_search_config.py
index 4ea7280a..0fdb69d0 100644
--- a/server/szurubooru/search/configs/snapshot_search_config.py
+++ b/server/szurubooru/search/configs/snapshot_search_config.py
@@ -1,28 +1,37 @@
-from szurubooru import db
+from typing import Dict
+from szurubooru import db, model
+from szurubooru.search.typing import SaQuery
 from szurubooru.search.configs import util as search_util
-from szurubooru.search.configs.base_search_config import BaseSearchConfig
+from szurubooru.search.configs.base_search_config import (
+    BaseSearchConfig, Filter)
 
 
 class SnapshotSearchConfig(BaseSearchConfig):
-    def create_filter_query(self, _disable_eager_loads):
-        return db.session.query(db.Snapshot)
+    def create_filter_query(self, _disable_eager_loads: bool) -> SaQuery:
+        return db.session.query(model.Snapshot)
 
-    def create_count_query(self, _disable_eager_loads):
-        return db.session.query(db.Snapshot)
+    def create_count_query(self, _disable_eager_loads: bool) -> SaQuery:
+        return db.session.query(model.Snapshot)
 
-    def create_around_query(self):
+    def create_around_query(self) -> SaQuery:
         raise NotImplementedError()
 
-    def finalize_query(self, query):
-        return query.order_by(db.Snapshot.creation_time.desc())
+    def finalize_query(self, query: SaQuery) -> SaQuery:
+        return query.order_by(model.Snapshot.creation_time.desc())
 
     @property
-    def named_filters(self):
+    def named_filters(self) -> Dict[str, Filter]:
         return {
-            'type': search_util.create_str_filter(db.Snapshot.resource_type),
-            'id': search_util.create_str_filter(db.Snapshot.resource_name),
-            'date': search_util.create_date_filter(db.Snapshot.creation_time),
-            'time': search_util.create_date_filter(db.Snapshot.creation_time),
-            'operation': search_util.create_str_filter(db.Snapshot.operation),
-            'user': search_util.create_str_filter(db.User.name),
+            'type':
+                search_util.create_str_filter(model.Snapshot.resource_type),
+            'id':
+                search_util.create_str_filter(model.Snapshot.resource_name),
+            'date':
+                search_util.create_date_filter(model.Snapshot.creation_time),
+            'time':
+                search_util.create_date_filter(model.Snapshot.creation_time),
+            'operation':
+                search_util.create_str_filter(model.Snapshot.operation),
+            'user':
+                search_util.create_str_filter(model.User.name),
         }
diff --git a/server/szurubooru/search/configs/tag_search_config.py b/server/szurubooru/search/configs/tag_search_config.py
index 4595d82f..db3b4b2c 100644
--- a/server/szurubooru/search/configs/tag_search_config.py
+++ b/server/szurubooru/search/configs/tag_search_config.py
@@ -1,79 +1,135 @@
-from sqlalchemy.orm import subqueryload, lazyload, defer
-from sqlalchemy.sql.expression import func
-from szurubooru import db
+from typing import Tuple, Dict
+import sqlalchemy as sa
+from szurubooru import db, model
 from szurubooru.func import util
+from szurubooru.search.typing import SaColumn, SaQuery
 from szurubooru.search.configs import util as search_util
-from szurubooru.search.configs.base_search_config import BaseSearchConfig
+from szurubooru.search.configs.base_search_config import (
+    BaseSearchConfig, Filter)
 
 
 class TagSearchConfig(BaseSearchConfig):
-    def create_filter_query(self, _disable_eager_loads):
-        strategy = lazyload if _disable_eager_loads else subqueryload
-        return db.session.query(db.Tag) \
-            .join(db.TagCategory) \
+    def create_filter_query(self, _disable_eager_loads: bool) -> SaQuery:
+        strategy = (
+            sa.orm.lazyload
+            if _disable_eager_loads
+            else sa.orm.subqueryload)
+        return (
+            db.session.query(model.Tag)
+            .join(model.TagCategory)
             .options(
-                defer(db.Tag.first_name),
-                defer(db.Tag.suggestion_count),
-                defer(db.Tag.implication_count),
-                defer(db.Tag.post_count),
-                strategy(db.Tag.names),
-                strategy(db.Tag.suggestions).joinedload(db.Tag.names),
-                strategy(db.Tag.implications).joinedload(db.Tag.names))
+                sa.orm.defer(model.Tag.first_name),
+                sa.orm.defer(model.Tag.suggestion_count),
+                sa.orm.defer(model.Tag.implication_count),
+                sa.orm.defer(model.Tag.post_count),
+                strategy(model.Tag.names),
+                strategy(model.Tag.suggestions).joinedload(model.Tag.names),
+                strategy(model.Tag.implications).joinedload(model.Tag.names)))
 
-    def create_count_query(self, _disable_eager_loads):
-        return db.session.query(db.Tag)
+    def create_count_query(self, _disable_eager_loads: bool) -> SaQuery:
+        return db.session.query(model.Tag)
 
-    def create_around_query(self):
+    def create_around_query(self) -> SaQuery:
         raise NotImplementedError()
 
-    def finalize_query(self, query):
-        return query.order_by(db.Tag.first_name.asc())
+    def finalize_query(self, query: SaQuery) -> SaQuery:
+        return query.order_by(model.Tag.first_name.asc())
 
     @property
-    def anonymous_filter(self):
+    def anonymous_filter(self) -> Filter:
         return search_util.create_subquery_filter(
-            db.Tag.tag_id,
-            db.TagName.tag_id,
-            db.TagName.name,
+            model.Tag.tag_id,
+            model.TagName.tag_id,
+            model.TagName.name,
             search_util.create_str_filter)
 
     @property
-    def named_filters(self):
-        return util.unalias_dict({
-            'name': search_util.create_subquery_filter(
-                db.Tag.tag_id,
-                db.TagName.tag_id,
-                db.TagName.name,
-                search_util.create_str_filter),
-            'category': search_util.create_subquery_filter(
-                db.Tag.category_id,
-                db.TagCategory.tag_category_id,
-                db.TagCategory.name,
-                search_util.create_str_filter),
-            ('creation-date', 'creation-time'):
-                search_util.create_date_filter(db.Tag.creation_time),
-            ('last-edit-date', 'last-edit-time', 'edit-date', 'edit-time'):
-                search_util.create_date_filter(db.Tag.last_edit_time),
-            ('usage-count', 'post-count', 'usages'):
-                search_util.create_num_filter(db.Tag.post_count),
-            'suggestion-count':
-                search_util.create_num_filter(db.Tag.suggestion_count),
-            'implication-count':
-                search_util.create_num_filter(db.Tag.implication_count),
-        })
+    def named_filters(self) -> Dict[str, Filter]:
+        return util.unalias_dict([
+            (
+                ['name'],
+                search_util.create_subquery_filter(
+                    model.Tag.tag_id,
+                    model.TagName.tag_id,
+                    model.TagName.name,
+                    search_util.create_str_filter)
+            ),
+
+            (
+                ['category'],
+                search_util.create_subquery_filter(
+                    model.Tag.category_id,
+                    model.TagCategory.tag_category_id,
+                    model.TagCategory.name,
+                    search_util.create_str_filter)
+            ),
+
+            (
+                ['creation-date', 'creation-time'],
+                search_util.create_date_filter(model.Tag.creation_time)
+            ),
+
+            (
+                ['last-edit-date', 'last-edit-time', 'edit-date', 'edit-time'],
+                search_util.create_date_filter(model.Tag.last_edit_time)
+            ),
+
+            (
+                ['usage-count', 'post-count', 'usages'],
+                search_util.create_num_filter(model.Tag.post_count)
+            ),
+
+            (
+                ['suggestion-count'],
+                search_util.create_num_filter(model.Tag.suggestion_count)
+            ),
+
+            (
+                ['implication-count'],
+                search_util.create_num_filter(model.Tag.implication_count)
+            ),
+        ])
 
     @property
-    def sort_columns(self):
-        return util.unalias_dict({
-            'random': (func.random(), None),
-            'name': (db.Tag.first_name, self.SORT_ASC),
-            'category': (db.TagCategory.name, self.SORT_ASC),
-            ('creation-date', 'creation-time'):
-                (db.Tag.creation_time, self.SORT_DESC),
-            ('last-edit-date', 'last-edit-time', 'edit-date', 'edit-time'):
-                (db.Tag.last_edit_time, self.SORT_DESC),
-            ('usage-count', 'post-count', 'usages'):
-                (db.Tag.post_count, self.SORT_DESC),
-            'suggestion-count': (db.Tag.suggestion_count, self.SORT_DESC),
-            'implication-count': (db.Tag.implication_count, self.SORT_DESC),
-        })
+    def sort_columns(self) -> Dict[str, Tuple[SaColumn, str]]:
+        return util.unalias_dict([
+            (
+                ['random'],
+                (sa.sql.expression.func.random(), self.SORT_NONE)
+            ),
+
+            (
+                ['name'],
+                (model.Tag.first_name, self.SORT_ASC)
+            ),
+
+            (
+                ['category'],
+                (model.TagCategory.name, self.SORT_ASC)
+            ),
+
+            (
+                ['creation-date', 'creation-time'],
+                (model.Tag.creation_time, self.SORT_DESC)
+            ),
+
+            (
+                ['last-edit-date', 'last-edit-time', 'edit-date', 'edit-time'],
+                (model.Tag.last_edit_time, self.SORT_DESC)
+            ),
+
+            (
+                ['usage-count', 'post-count', 'usages'],
+                (model.Tag.post_count, self.SORT_DESC)
+            ),
+
+            (
+                ['suggestion-count'],
+                (model.Tag.suggestion_count, self.SORT_DESC)
+            ),
+
+            (
+                ['implication-count'],
+                (model.Tag.implication_count, self.SORT_DESC)
+            ),
+        ])
diff --git a/server/szurubooru/search/configs/user_search_config.py b/server/szurubooru/search/configs/user_search_config.py
index c7e727e6..64534009 100644
--- a/server/szurubooru/search/configs/user_search_config.py
+++ b/server/szurubooru/search/configs/user_search_config.py
@@ -1,53 +1,57 @@
-from sqlalchemy.sql.expression import func
-from szurubooru import db
+from typing import Tuple, Dict
+import sqlalchemy as sa
+from szurubooru import db, model
+from szurubooru.search.typing import SaColumn, SaQuery
 from szurubooru.search.configs import util as search_util
-from szurubooru.search.configs.base_search_config import BaseSearchConfig
+from szurubooru.search.configs.base_search_config import (
+    BaseSearchConfig, Filter)
 
 
 class UserSearchConfig(BaseSearchConfig):
-    def create_filter_query(self, _disable_eager_loads):
-        return db.session.query(db.User)
+    def create_filter_query(self, _disable_eager_loads: bool) -> SaQuery:
+        return db.session.query(model.User)
 
-    def create_count_query(self, _disable_eager_loads):
-        return db.session.query(db.User)
+    def create_count_query(self, _disable_eager_loads: bool) -> SaQuery:
+        return db.session.query(model.User)
 
-    def create_around_query(self):
+    def create_around_query(self) -> SaQuery:
         raise NotImplementedError()
 
-    def finalize_query(self, query):
-        return query.order_by(db.User.name.asc())
+    def finalize_query(self, query: SaQuery) -> SaQuery:
+        return query.order_by(model.User.name.asc())
 
     @property
-    def anonymous_filter(self):
-        return search_util.create_str_filter(db.User.name)
+    def anonymous_filter(self) -> Filter:
+        return search_util.create_str_filter(model.User.name)
 
     @property
-    def named_filters(self):
+    def named_filters(self) -> Dict[str, Filter]:
         return {
-            'name': search_util.create_str_filter(db.User.name),
+            'name':
+                search_util.create_str_filter(model.User.name),
             'creation-date':
-                search_util.create_date_filter(db.User.creation_time),
+                search_util.create_date_filter(model.User.creation_time),
             'creation-time':
-                search_util.create_date_filter(db.User.creation_time),
+                search_util.create_date_filter(model.User.creation_time),
             'last-login-date':
-                search_util.create_date_filter(db.User.last_login_time),
+                search_util.create_date_filter(model.User.last_login_time),
             'last-login-time':
-                search_util.create_date_filter(db.User.last_login_time),
+                search_util.create_date_filter(model.User.last_login_time),
             'login-date':
-                search_util.create_date_filter(db.User.last_login_time),
+                search_util.create_date_filter(model.User.last_login_time),
             'login-time':
-                search_util.create_date_filter(db.User.last_login_time),
+                search_util.create_date_filter(model.User.last_login_time),
         }
 
     @property
-    def sort_columns(self):
+    def sort_columns(self) -> Dict[str, Tuple[SaColumn, str]]:
         return {
-            'random': (func.random(), None),
-            'name': (db.User.name, self.SORT_ASC),
-            'creation-date': (db.User.creation_time, self.SORT_DESC),
-            'creation-time': (db.User.creation_time, self.SORT_DESC),
-            'last-login-date': (db.User.last_login_time, self.SORT_DESC),
-            'last-login-time': (db.User.last_login_time, self.SORT_DESC),
-            'login-date': (db.User.last_login_time, self.SORT_DESC),
-            'login-time': (db.User.last_login_time, self.SORT_DESC),
+            'random': (sa.sql.expression.func.random(), self.SORT_NONE),
+            'name': (model.User.name, self.SORT_ASC),
+            'creation-date': (model.User.creation_time, self.SORT_DESC),
+            'creation-time': (model.User.creation_time, self.SORT_DESC),
+            'last-login-date': (model.User.last_login_time, self.SORT_DESC),
+            'last-login-time': (model.User.last_login_time, self.SORT_DESC),
+            'login-date': (model.User.last_login_time, self.SORT_DESC),
+            'login-time': (model.User.last_login_time, self.SORT_DESC),
         }
diff --git a/server/szurubooru/search/configs/util.py b/server/szurubooru/search/configs/util.py
index 451179b9..9c4d3aee 100644
--- a/server/szurubooru/search/configs/util.py
+++ b/server/szurubooru/search/configs/util.py
@@ -1,35 +1,90 @@
-import sqlalchemy
+from typing import Any, Optional, Union, Dict, Callable
+import sqlalchemy as sa
 from szurubooru import db, errors
 from szurubooru.func import util
 from szurubooru.search import criteria
+from szurubooru.search.typing import SaColumn, SaQuery
+from szurubooru.search.configs.base_search_config import Filter
 
 
-def wildcard_transformer(value):
-    return (value
-        .replace('%', r'\%')
-        .replace('_', r'\_')
-        .replace('*', '%'))
+Number = Union[int, float]
+WILDCARD = '(--wildcard--)'  # something unlikely to be used by the users
 
 
-def apply_num_criterion_to_column(column, criterion):
-    '''
-    Decorate SQLAlchemy filter on given column using supplied criterion.
-    '''
+def unescape(text: str, make_wildcards_special: bool = False) -> str:
+    output = ''
+    i = 0
+    while i < len(text):
+        if text[i] == '\\':
+            try:
+                char = text[i+1]
+                i += 1
+            except IndexError:
+                raise errors.SearchError(
+                    'Unterminated escape sequence (did you forget to escape '
+                    'the ending backslash?)')
+            if char not in '*\\:-.,':
+                raise errors.SearchError(
+                    'Unknown escape sequence (did you forget to escape '
+                    'the backslash?)')
+        elif text[i] == '*' and make_wildcards_special:
+            char = WILDCARD
+        else:
+            char = text[i]
+        output += char
+        i += 1
+    return output
+
+
+def wildcard_transformer(value: str) -> str:
+    return (
+        unescape(value, make_wildcards_special=True)
+        .replace('\\', '\\\\')
+        .replace('%', '\\%')
+        .replace('_', '\\_')
+        .replace(WILDCARD, '%'))
+
+
+def enum_transformer(available_values: Dict[str, Any], value: str) -> str:
+    try:
+        return available_values[unescape(value.lower())]
+    except KeyError:
+        raise errors.SearchError(
+            'Invalid value: %r. Possible values: %r.' % (
+                value, list(sorted(available_values.keys()))))
+
+
+def integer_transformer(value: str) -> int:
+    return int(unescape(value))
+
+
+def float_transformer(value: str) -> float:
+    for sep in list('/:'):
+        if sep in value:
+            a, b = value.split(sep, 1)
+            return float(unescape(a)) / float(unescape(b))
+    return float(unescape(value))
+
+
+def apply_num_criterion_to_column(
+        column: Any,
+        criterion: criteria.BaseCriterion,
+        transformer: Callable[[str], Number] = integer_transformer) -> SaQuery:
     try:
         if isinstance(criterion, criteria.PlainCriterion):
-            expr = column == int(criterion.value)
+            expr = column == transformer(criterion.value)
         elif isinstance(criterion, criteria.ArrayCriterion):
-            expr = column.in_(int(value) for value in criterion.values)
+            expr = column.in_(transformer(value) for value in criterion.values)
         elif isinstance(criterion, criteria.RangedCriterion):
-            assert criterion.min_value != '' \
-                or criterion.max_value != ''
-            if criterion.min_value != '' and criterion.max_value != '':
+            assert criterion.min_value or criterion.max_value
+            if criterion.min_value and criterion.max_value:
                 expr = column.between(
-                    int(criterion.min_value), int(criterion.max_value))
-            elif criterion.min_value != '':
-                expr = column >= int(criterion.min_value)
-            elif criterion.max_value != '':
-                expr = column <= int(criterion.max_value)
+                    transformer(criterion.min_value),
+                    transformer(criterion.max_value))
+            elif criterion.min_value:
+                expr = column >= transformer(criterion.min_value)
+            elif criterion.max_value:
+                expr = column <= transformer(criterion.max_value)
         else:
             assert False
     except ValueError:
@@ -38,10 +93,15 @@ def apply_num_criterion_to_column(column, criterion):
     return expr
 
 
-def create_num_filter(column):
-    def wrapper(query, criterion, negated):
-        expr = apply_num_criterion_to_column(
-            column, criterion)
+def create_num_filter(
+        column: Any,
+        transformer: Callable[[str], Number] = integer_transformer) -> SaQuery:
+    def wrapper(
+            query: SaQuery,
+            criterion: Optional[criteria.BaseCriterion],
+            negated: bool) -> SaQuery:
+        assert criterion
+        expr = apply_num_criterion_to_column(column, criterion, transformer)
         if negated:
             expr = ~expr
         return query.filter(expr)
@@ -49,43 +109,46 @@ def create_num_filter(column):
 
 
 def apply_str_criterion_to_column(
-        column, criterion, transformer=wildcard_transformer):
-    '''
-    Decorate SQLAlchemy filter on given column using supplied criterion.
-    '''
+        column: SaColumn,
+        criterion: criteria.BaseCriterion,
+        transformer: Callable[[str], str] = wildcard_transformer) -> SaQuery:
     if isinstance(criterion, criteria.PlainCriterion):
         expr = column.ilike(transformer(criterion.value))
     elif isinstance(criterion, criteria.ArrayCriterion):
-        expr = sqlalchemy.sql.false()
+        expr = sa.sql.false()
         for value in criterion.values:
             expr = expr | column.ilike(transformer(value))
     elif isinstance(criterion, criteria.RangedCriterion):
-        expr = column.ilike(transformer(criterion.original_text))
+        raise errors.SearchError(
+            'Ranged criterion is invalid in this context. '
+            'Did you forget to escape the dots?')
     else:
         assert False
     return expr
 
 
-def create_str_filter(column, transformer=wildcard_transformer):
-    def wrapper(query, criterion, negated):
-        expr = apply_str_criterion_to_column(
-            column, criterion, transformer)
+def create_str_filter(
+        column: SaColumn,
+        transformer: Callable[[str], str] = wildcard_transformer) -> Filter:
+    def wrapper(
+            query: SaQuery,
+            criterion: Optional[criteria.BaseCriterion],
+            negated: bool) -> SaQuery:
+        assert criterion
+        expr = apply_str_criterion_to_column(column, criterion, transformer)
         if negated:
             expr = ~expr
         return query.filter(expr)
     return wrapper
 
 
-def apply_date_criterion_to_column(column, criterion):
-    '''
-    Decorate SQLAlchemy filter on given column using supplied criterion.
-    Parse the datetime inside the criterion.
-    '''
+def apply_date_criterion_to_column(
+        column: SaQuery, criterion: criteria.BaseCriterion) -> SaQuery:
     if isinstance(criterion, criteria.PlainCriterion):
         min_date, max_date = util.parse_time_range(criterion.value)
         expr = column.between(min_date, max_date)
     elif isinstance(criterion, criteria.ArrayCriterion):
-        expr = sqlalchemy.sql.false()
+        expr = sa.sql.false()
         for value in criterion.values:
             min_date, max_date = util.parse_time_range(value)
             expr = expr | column.between(min_date, max_date)
@@ -106,10 +169,13 @@ def apply_date_criterion_to_column(column, criterion):
     return expr
 
 
-def create_date_filter(column):
-    def wrapper(query, criterion, negated):
-        expr = apply_date_criterion_to_column(
-            column, criterion)
+def create_date_filter(column: SaColumn) -> Filter:
+    def wrapper(
+            query: SaQuery,
+            criterion: Optional[criteria.BaseCriterion],
+            negated: bool) -> SaQuery:
+        assert criterion
+        expr = apply_date_criterion_to_column(column, criterion)
         if negated:
             expr = ~expr
         return query.filter(expr)
@@ -117,18 +183,22 @@ def create_date_filter(column):
 
 
 def create_subquery_filter(
-        left_id_column,
-        right_id_column,
-        filter_column,
-        filter_factory,
-        subquery_decorator=None):
+        left_id_column: SaColumn,
+        right_id_column: SaColumn,
+        filter_column: SaColumn,
+        filter_factory: SaColumn,
+        subquery_decorator: Callable[[SaQuery], None] = None) -> Filter:
     filter_func = filter_factory(filter_column)
 
-    def wrapper(query, criterion, negated):
+    def wrapper(
+            query: SaQuery,
+            criterion: Optional[criteria.BaseCriterion],
+            negated: bool) -> SaQuery:
+        assert criterion
         subquery = db.session.query(right_id_column.label('foreign_id'))
         if subquery_decorator:
             subquery = subquery_decorator(subquery)
-        subquery = subquery.options(sqlalchemy.orm.lazyload('*'))
+        subquery = subquery.options(sa.orm.lazyload('*'))
         subquery = filter_func(subquery, criterion, False)
         subquery = subquery.subquery('t')
         expression = left_id_column.in_(subquery)
diff --git a/server/szurubooru/search/criteria.py b/server/szurubooru/search/criteria.py
index 9d4dc664..4512b0fa 100644
--- a/server/szurubooru/search/criteria.py
+++ b/server/szurubooru/search/criteria.py
@@ -1,34 +1,42 @@
-class _BaseCriterion:
-    def __init__(self, original_text):
+from typing import Optional, List
+from szurubooru.search.typing import SaQuery
+
+
+class BaseCriterion:
+    def __init__(self, original_text: str) -> None:
         self.original_text = original_text
 
-    def __repr__(self):
+    def __repr__(self) -> str:
         return self.original_text
 
 
-class RangedCriterion(_BaseCriterion):
-    def __init__(self, original_text, min_value, max_value):
+class RangedCriterion(BaseCriterion):
+    def __init__(
+            self,
+            original_text: str,
+            min_value: Optional[str],
+            max_value: Optional[str]) -> None:
         super().__init__(original_text)
         self.min_value = min_value
         self.max_value = max_value
 
-    def __hash__(self):
+    def __hash__(self) -> int:
         return hash(('range', self.min_value, self.max_value))
 
 
-class PlainCriterion(_BaseCriterion):
-    def __init__(self, original_text, value):
+class PlainCriterion(BaseCriterion):
+    def __init__(self, original_text: str, value: str) -> None:
         super().__init__(original_text)
         self.value = value
 
-    def __hash__(self):
+    def __hash__(self) -> int:
         return hash(self.value)
 
 
-class ArrayCriterion(_BaseCriterion):
-    def __init__(self, original_text, values):
+class ArrayCriterion(BaseCriterion):
+    def __init__(self, original_text: str, values: List[str]) -> None:
         super().__init__(original_text)
         self.values = values
 
-    def __hash__(self):
+    def __hash__(self) -> int:
         return hash(tuple(['array'] + self.values))
diff --git a/server/szurubooru/search/executor.py b/server/szurubooru/search/executor.py
index e1ee53ad..10b34b1c 100644
--- a/server/szurubooru/search/executor.py
+++ b/server/szurubooru/search/executor.py
@@ -1,14 +1,18 @@
-import sqlalchemy
-from szurubooru import db, errors
+from typing import Union, Tuple, List, Dict, Callable
+import sqlalchemy as sa
+from szurubooru import db, model, errors, rest
 from szurubooru.func import cache
 from szurubooru.search import tokens, parser
+from szurubooru.search.typing import SaQuery
+from szurubooru.search.query import SearchQuery
+from szurubooru.search.configs.base_search_config import BaseSearchConfig
 
 
-def _format_dict_keys(source):
+def _format_dict_keys(source: Dict) -> List[str]:
     return list(sorted(source.keys()))
 
 
-def _get_order(order, default_order):
+def _get_order(order: str, default_order: str) -> Union[bool, str]:
     if order == tokens.SortToken.SORT_DEFAULT:
         return default_order or tokens.SortToken.SORT_ASC
     if order == tokens.SortToken.SORT_NEGATED_DEFAULT:
@@ -26,139 +30,158 @@ class Executor:
     delegates sqlalchemy filter decoration to SearchConfig instances.
     '''
 
-    def __init__(self, search_config):
+    def __init__(self, search_config: BaseSearchConfig) -> None:
         self.config = search_config
         self.parser = parser.Parser()
 
-    def get_around(self, query_text, entity_id):
+    def get_around(
+            self,
+            query_text: str,
+            entity_id: int) -> Tuple[model.Base, model.Base]:
         search_query = self.parser.parse(query_text)
         self.config.on_search_query_parsed(search_query)
         filter_query = (
             self.config
                 .create_around_query()
-                .options(sqlalchemy.orm.lazyload('*')))
+                .options(sa.orm.lazyload('*')))
         filter_query = self._prepare_db_query(
             filter_query, search_query, False)
         prev_filter_query = (
             filter_query
-                .filter(self.config.id_column > entity_id)
-                .order_by(None)
-                .order_by(sqlalchemy.func.abs(
-                    self.config.id_column - entity_id).asc())
-                .limit(1))
+            .filter(self.config.id_column > entity_id)
+            .order_by(None)
+            .order_by(sa.func.abs(self.config.id_column - entity_id).asc())
+            .limit(1))
         next_filter_query = (
             filter_query
-                .filter(self.config.id_column < entity_id)
-                .order_by(None)
-                .order_by(sqlalchemy.func.abs(
-                    self.config.id_column - entity_id).asc())
-                .limit(1))
-        return [
+            .filter(self.config.id_column < entity_id)
+            .order_by(None)
+            .order_by(sa.func.abs(self.config.id_column - entity_id).asc())
+            .limit(1))
+        return (
             prev_filter_query.one_or_none(),
-            next_filter_query.one_or_none()]
+            next_filter_query.one_or_none())
 
-    def get_around_and_serialize(self, ctx, entity_id, serializer):
-        entities = self.get_around(ctx.get_param_as_string('query'), entity_id)
+    def get_around_and_serialize(
+        self,
+        ctx: rest.Context,
+        entity_id: int,
+        serializer: Callable[[model.Base], rest.Response]
+    ) -> rest.Response:
+        entities = self.get_around(
+            ctx.get_param_as_string('query', default=''), entity_id)
         return {
             'prev': serializer(entities[0]),
             'next': serializer(entities[1]),
         }
 
-    def execute(self, query_text, page, page_size):
-        '''
-        Parse input and return tuple containing total record count and filtered
-        entities.
-        '''
-
+    def execute(
+        self,
+        query_text: str,
+        offset: int,
+        limit: int
+    ) -> Tuple[int, List[model.Base]]:
         search_query = self.parser.parse(query_text)
         self.config.on_search_query_parsed(search_query)
 
+        if offset < 0:
+            limit = max(0, limit + offset)
+            offset = 0
+
         disable_eager_loads = False
         for token in search_query.sort_tokens:
             if token.name == 'random':
                 disable_eager_loads = True
 
-        key = (id(self.config), hash(search_query), page, page_size)
+        key = (id(self.config), hash(search_query), offset, limit)
         if cache.has(key):
             return cache.get(key)
 
         filter_query = self.config.create_filter_query(disable_eager_loads)
-        filter_query = filter_query.options(sqlalchemy.orm.lazyload('*'))
+        filter_query = filter_query.options(sa.orm.lazyload('*'))
         filter_query = self._prepare_db_query(filter_query, search_query, True)
-        entities = filter_query \
-            .offset(max(page - 1, 0) * page_size) \
-            .limit(page_size) \
-            .all()
+        entities = (
+            filter_query
+            .offset(offset)
+            .limit(limit)
+            .all())
 
         count_query = self.config.create_count_query(disable_eager_loads)
-        count_query = count_query.options(sqlalchemy.orm.lazyload('*'))
+        count_query = count_query.options(sa.orm.lazyload('*'))
         count_query = self._prepare_db_query(count_query, search_query, False)
-        count_statement = count_query \
-            .statement \
-            .with_only_columns([sqlalchemy.func.count()]) \
-            .order_by(None)
+        count_statement = (
+            count_query
+            .statement
+            .with_only_columns([sa.func.count()])
+            .order_by(None))
         count = db.session.execute(count_statement).scalar()
 
         ret = (count, entities)
         cache.put(key, ret)
         return ret
 
-    def execute_and_serialize(self, ctx, serializer):
-        query = ctx.get_param_as_string('query')
-        page = ctx.get_param_as_int('page', default=1, min=1)
-        page_size = ctx.get_param_as_int(
-            'pageSize', default=100, min=1, max=100)
-        count, entities = self.execute(query, page, page_size)
+    def execute_and_serialize(
+        self,
+        ctx: rest.Context,
+        serializer: Callable[[model.Base], rest.Response]
+    ) -> rest.Response:
+        query = ctx.get_param_as_string('query', default='')
+        offset = ctx.get_param_as_int('offset', default=0, min=0)
+        limit = ctx.get_param_as_int('limit', default=100, min=1, max=100)
+        count, entities = self.execute(query, offset, limit)
         return {
             'query': query,
-            'page': page,
-            'pageSize': page_size,
+            'offset': offset,
+            'limit': limit,
             'total': count,
-            'results': [serializer(entity) for entity in entities],
+            'results': list([serializer(entity) for entity in entities]),
         }
 
-    def _prepare_db_query(self, db_query, search_query, use_sort):
-        ''' Parse input and return SQLAlchemy query. '''
-
-        for token in search_query.anonymous_tokens:
+    def _prepare_db_query(
+            self,
+            db_query: SaQuery,
+            search_query: SearchQuery,
+            use_sort: bool) -> SaQuery:
+        for anon_token in search_query.anonymous_tokens:
             if not self.config.anonymous_filter:
                 raise errors.SearchError(
                     'Anonymous tokens are not valid in this context.')
             db_query = self.config.anonymous_filter(
-                db_query, token.criterion, token.negated)
+                db_query, anon_token.criterion, anon_token.negated)
 
-        for token in search_query.named_tokens:
-            if token.name not in self.config.named_filters:
+        for named_token in search_query.named_tokens:
+            if named_token.name not in self.config.named_filters:
                 raise errors.SearchError(
                     'Unknown named token: %r. Available named tokens: %r.' % (
-                        token.name,
+                        named_token.name,
                         _format_dict_keys(self.config.named_filters)))
-            db_query = self.config.named_filters[token.name](
-                db_query, token.criterion, token.negated)
+            db_query = self.config.named_filters[named_token.name](
+                db_query, named_token.criterion, named_token.negated)
 
-        for token in search_query.special_tokens:
-            if token.value not in self.config.special_filters:
+        for sp_token in search_query.special_tokens:
+            if sp_token.value not in self.config.special_filters:
                 raise errors.SearchError(
                     'Unknown special token: %r. '
                     'Available special tokens: %r.' % (
-                        token.value,
+                        sp_token.value,
                         _format_dict_keys(self.config.special_filters)))
-            db_query = self.config.special_filters[token.value](
-                db_query, token.negated)
+            db_query = self.config.special_filters[sp_token.value](
+                db_query, None, sp_token.negated)
 
         if use_sort:
-            for token in search_query.sort_tokens:
-                if token.name not in self.config.sort_columns:
+            for sort_token in search_query.sort_tokens:
+                if sort_token.name not in self.config.sort_columns:
                     raise errors.SearchError(
                         'Unknown sort token: %r. '
                         'Available sort tokens: %r.' % (
-                            token.name,
+                            sort_token.name,
                             _format_dict_keys(self.config.sort_columns)))
-                column, default_order = self.config.sort_columns[token.name]
-                order = _get_order(token.order, default_order)
-                if order == token.SORT_ASC:
+                column, default_order = (
+                    self.config.sort_columns[sort_token.name])
+                order = _get_order(sort_token.order, default_order)
+                if order == sort_token.SORT_ASC:
                     db_query = db_query.order_by(column.asc())
-                elif order == token.SORT_DESC:
+                elif order == sort_token.SORT_DESC:
                     db_query = db_query.order_by(column.desc())
 
         db_query = self.config.finalize_query(db_query)
diff --git a/server/szurubooru/search/parser.py b/server/szurubooru/search/parser.py
index 33b41173..79cf968e 100644
--- a/server/szurubooru/search/parser.py
+++ b/server/szurubooru/search/parser.py
@@ -1,26 +1,31 @@
 import re
 from szurubooru import errors
 from szurubooru.search import criteria, tokens
+from szurubooru.search.query import SearchQuery
+from szurubooru.search.configs import util
 
 
-def _create_criterion(original_value, value):
-    if ',' in value:
-        return criteria.ArrayCriterion(
-            original_value, value.split(','))
-    if '..' in value:
-        low, high = value.split('..', 1)
+def _create_criterion(
+        original_value: str, value: str) -> criteria.BaseCriterion:
+    if re.search(r'(?<!\\),', value):
+        values = re.split(r'(?<!\\),', value)
+        if any(not term.strip() for term in values):
+            raise errors.SearchError('Empty compound value')
+        return criteria.ArrayCriterion(original_value, values)
+    if re.search(r'(?<!\\)\.(?<!\\)\.', value):
+        low, high = re.split(r'(?<!\\)\.(?<!\\)\.', value, 1)
         if not low and not high:
             raise errors.SearchError('Empty ranged value')
         return criteria.RangedCriterion(original_value, low, high)
     return criteria.PlainCriterion(original_value, value)
 
 
-def _parse_anonymous(value, negated):
+def _parse_anonymous(value: str, negated: bool) -> tokens.AnonymousToken:
     criterion = _create_criterion(value, value)
     return tokens.AnonymousToken(criterion, negated)
 
 
-def _parse_named(key, value, negated):
+def _parse_named(key: str, value: str, negated: bool) -> tokens.NamedToken:
     original_value = value
     if key.endswith('-min'):
         key = key[:-4]
@@ -32,11 +37,11 @@ def _parse_named(key, value, negated):
     return tokens.NamedToken(key, criterion, negated)
 
 
-def _parse_special(value, negated):
+def _parse_special(value: str, negated: bool) -> tokens.SpecialToken:
     return tokens.SpecialToken(value, negated)
 
 
-def _parse_sort(value, negated):
+def _parse_sort(value: str, negated: bool) -> tokens.SortToken:
     if value.count(',') == 0:
         order_str = None
     elif value.count(',') == 1:
@@ -67,34 +72,22 @@ def _parse_sort(value, negated):
     return tokens.SortToken(value, order)
 
 
-class SearchQuery:
-    def __init__(self):
-        self.anonymous_tokens = []
-        self.named_tokens = []
-        self.special_tokens = []
-        self.sort_tokens = []
-
-    def __hash__(self):
-        return hash((
-            tuple(self.anonymous_tokens),
-            tuple(self.named_tokens),
-            tuple(self.special_tokens),
-            tuple(self.sort_tokens)))
-
-
 class Parser:
-    def parse(self, query_text):
+    def parse(self, query_text: str) -> SearchQuery:
         query = SearchQuery()
         for chunk in re.split(r'\s+', (query_text or '').lower()):
             if not chunk:
                 continue
             negated = False
-            while chunk[0] == '-':
+            if chunk[0] == '-':
                 chunk = chunk[1:]
-                negated = not negated
-            match = re.match('([a-z_-]+):(.*)', chunk)
+                negated = True
+            if not chunk:
+                raise errors.SearchError('Empty negated token.')
+            match = re.match(r'^(.*?)(?<!\\):(.*)$', chunk)
             if match:
                 key, value = list(match.groups())
+                key = util.unescape(key)
                 if key == 'sort':
                     query.sort_tokens.append(
                         _parse_sort(value, negated))
diff --git a/server/szurubooru/search/query.py b/server/szurubooru/search/query.py
new file mode 100644
index 00000000..3d304f87
--- /dev/null
+++ b/server/szurubooru/search/query.py
@@ -0,0 +1,17 @@
+from szurubooru.search import tokens
+from typing import List
+
+
+class SearchQuery:
+    def __init__(self) -> None:
+        self.anonymous_tokens = []  # type: List[tokens.AnonymousToken]
+        self.named_tokens = []  # type: List[tokens.NamedToken]
+        self.special_tokens = []  # type: List[tokens.SpecialToken]
+        self.sort_tokens = []  # type: List[tokens.SortToken]
+
+    def __hash__(self) -> int:
+        return hash((
+            tuple(self.anonymous_tokens),
+            tuple(self.named_tokens),
+            tuple(self.special_tokens),
+            tuple(self.sort_tokens)))
diff --git a/server/szurubooru/search/tokens.py b/server/szurubooru/search/tokens.py
index cff7dc5f..0cd7fd7d 100644
--- a/server/szurubooru/search/tokens.py
+++ b/server/szurubooru/search/tokens.py
@@ -1,39 +1,44 @@
+from szurubooru.search.criteria import BaseCriterion
+
+
 class AnonymousToken:
-    def __init__(self, criterion, negated):
+    def __init__(self, criterion: BaseCriterion, negated: bool) -> None:
         self.criterion = criterion
         self.negated = negated
 
-    def __hash__(self):
+    def __hash__(self) -> int:
         return hash((self.criterion, self.negated))
 
 
 class NamedToken(AnonymousToken):
-    def __init__(self, name, criterion, negated):
+    def __init__(
+            self, name: str, criterion: BaseCriterion, negated: bool) -> None:
         super().__init__(criterion, negated)
         self.name = name
 
-    def __hash__(self):
+    def __hash__(self) -> int:
         return hash((self.name, self.criterion, self.negated))
 
 
 class SortToken:
     SORT_DESC = 'desc'
     SORT_ASC = 'asc'
+    SORT_NONE = ''
     SORT_DEFAULT = 'default'
     SORT_NEGATED_DEFAULT = 'negated default'
 
-    def __init__(self, name, order):
+    def __init__(self, name: str, order: str) -> None:
         self.name = name
         self.order = order
 
-    def __hash__(self):
+    def __hash__(self) -> int:
         return hash((self.name, self.order))
 
 
 class SpecialToken:
-    def __init__(self, value, negated):
+    def __init__(self, value: str, negated: bool) -> None:
         self.value = value
         self.negated = negated
 
-    def __hash__(self):
+    def __hash__(self) -> int:
         return hash((self.value, self.negated))
diff --git a/server/szurubooru/search/typing.py b/server/szurubooru/search/typing.py
new file mode 100644
index 00000000..ebb1b30d
--- /dev/null
+++ b/server/szurubooru/search/typing.py
@@ -0,0 +1,6 @@
+from typing import Any, Callable
+
+
+SaColumn = Any
+SaQuery = Any
+SaQueryFactory = Callable[[], SaQuery]
diff --git a/server/szurubooru/tests/api/test_comment_creating.py b/server/szurubooru/tests/api/test_comment_creating.py
index c7d0b0f6..ad243661 100644
--- a/server/szurubooru/tests/api/test_comment_creating.py
+++ b/server/szurubooru/tests/api/test_comment_creating.py
@@ -1,19 +1,20 @@
 from datetime import datetime
 from unittest.mock import patch
 import pytest
-from szurubooru import api, db, errors
+from szurubooru import api, db, model, errors
 from szurubooru.func import comments, posts
 
 
 @pytest.fixture(autouse=True)
 def inject_config(config_injector):
-    config_injector({'privileges': {'comments:create': db.User.RANK_REGULAR}})
+    config_injector(
+        {'privileges': {'comments:create': model.User.RANK_REGULAR}})
 
 
 def test_creating_comment(
         user_factory, post_factory, context_factory, fake_datetime):
     post = post_factory()
-    user = user_factory(rank=db.User.RANK_REGULAR)
+    user = user_factory(rank=model.User.RANK_REGULAR)
     db.session.add_all([post, user])
     db.session.flush()
     with patch('szurubooru.func.comments.serialize_comment'), \
@@ -24,7 +25,7 @@ def test_creating_comment(
                 params={'text': 'input', 'postId': post.post_id},
                 user=user))
         assert result == 'serialized comment'
-        comment = db.session.query(db.Comment).one()
+        comment = db.session.query(model.Comment).one()
         assert comment.text == 'input'
         assert comment.creation_time == datetime(1997, 1, 1)
         assert comment.last_edit_time is None
@@ -41,7 +42,7 @@ def test_creating_comment(
 def test_trying_to_pass_invalid_params(
         user_factory, post_factory, context_factory, params):
     post = post_factory()
-    user = user_factory(rank=db.User.RANK_REGULAR)
+    user = user_factory(rank=model.User.RANK_REGULAR)
     db.session.add_all([post, user])
     db.session.flush()
     real_params = {'text': 'input', 'postId': post.post_id}
@@ -63,11 +64,11 @@ def test_trying_to_omit_mandatory_field(user_factory, context_factory, field):
         api.comment_api.create_comment(
             context_factory(
                 params={},
-                user=user_factory(rank=db.User.RANK_REGULAR)))
+                user=user_factory(rank=model.User.RANK_REGULAR)))
 
 
 def test_trying_to_comment_non_existing(user_factory, context_factory):
-    user = user_factory(rank=db.User.RANK_REGULAR)
+    user = user_factory(rank=model.User.RANK_REGULAR)
     db.session.add_all([user])
     db.session.flush()
     with pytest.raises(posts.PostNotFoundError):
@@ -81,4 +82,4 @@ def test_trying_to_create_without_privileges(user_factory, context_factory):
         api.comment_api.create_comment(
             context_factory(
                 params={},
-                user=user_factory(rank=db.User.RANK_ANONYMOUS)))
+                user=user_factory(rank=model.User.RANK_ANONYMOUS)))
diff --git a/server/szurubooru/tests/api/test_comment_deleting.py b/server/szurubooru/tests/api/test_comment_deleting.py
index efb432a6..e1d1baa0 100644
--- a/server/szurubooru/tests/api/test_comment_deleting.py
+++ b/server/szurubooru/tests/api/test_comment_deleting.py
@@ -1,5 +1,5 @@
 import pytest
-from szurubooru import api, db, errors
+from szurubooru import api, db, model, errors
 from szurubooru.func import comments
 
 
@@ -7,8 +7,8 @@ from szurubooru.func import comments
 def inject_config(config_injector):
     config_injector({
         'privileges': {
-            'comments:delete:own': db.User.RANK_REGULAR,
-            'comments:delete:any': db.User.RANK_MODERATOR,
+            'comments:delete:own': model.User.RANK_REGULAR,
+            'comments:delete:any': model.User.RANK_MODERATOR,
         },
     })
 
@@ -22,26 +22,26 @@ def test_deleting_own_comment(user_factory, comment_factory, context_factory):
         context_factory(params={'version': 1}, user=user),
         {'comment_id': comment.comment_id})
     assert result == {}
-    assert db.session.query(db.Comment).count() == 0
+    assert db.session.query(model.Comment).count() == 0
 
 
 def test_deleting_someones_else_comment(
         user_factory, comment_factory, context_factory):
-    user1 = user_factory(rank=db.User.RANK_REGULAR)
-    user2 = user_factory(rank=db.User.RANK_MODERATOR)
+    user1 = user_factory(rank=model.User.RANK_REGULAR)
+    user2 = user_factory(rank=model.User.RANK_MODERATOR)
     comment = comment_factory(user=user1)
     db.session.add(comment)
     db.session.commit()
     api.comment_api.delete_comment(
         context_factory(params={'version': 1}, user=user2),
         {'comment_id': comment.comment_id})
-    assert db.session.query(db.Comment).count() == 0
+    assert db.session.query(model.Comment).count() == 0
 
 
 def test_trying_to_delete_someones_else_comment_without_privileges(
         user_factory, comment_factory, context_factory):
-    user1 = user_factory(rank=db.User.RANK_REGULAR)
-    user2 = user_factory(rank=db.User.RANK_REGULAR)
+    user1 = user_factory(rank=model.User.RANK_REGULAR)
+    user2 = user_factory(rank=model.User.RANK_REGULAR)
     comment = comment_factory(user=user1)
     db.session.add(comment)
     db.session.commit()
@@ -49,7 +49,7 @@ def test_trying_to_delete_someones_else_comment_without_privileges(
         api.comment_api.delete_comment(
             context_factory(params={'version': 1}, user=user2),
             {'comment_id': comment.comment_id})
-    assert db.session.query(db.Comment).count() == 1
+    assert db.session.query(model.Comment).count() == 1
 
 
 def test_trying_to_delete_non_existing(user_factory, context_factory):
@@ -57,5 +57,5 @@ def test_trying_to_delete_non_existing(user_factory, context_factory):
         api.comment_api.delete_comment(
             context_factory(
                 params={'version': 1},
-                user=user_factory(rank=db.User.RANK_REGULAR)),
+                user=user_factory(rank=model.User.RANK_REGULAR)),
             {'comment_id': 1})
diff --git a/server/szurubooru/tests/api/test_comment_rating.py b/server/szurubooru/tests/api/test_comment_rating.py
index 981e0dd8..aae5e241 100644
--- a/server/szurubooru/tests/api/test_comment_rating.py
+++ b/server/szurubooru/tests/api/test_comment_rating.py
@@ -1,17 +1,18 @@
 from unittest.mock import patch
 import pytest
-from szurubooru import api, db, errors
+from szurubooru import api, db, model, errors
 from szurubooru.func import comments
 
 
 @pytest.fixture(autouse=True)
 def inject_config(config_injector):
-    config_injector({'privileges': {'comments:score': db.User.RANK_REGULAR}})
+    config_injector(
+        {'privileges': {'comments:score': model.User.RANK_REGULAR}})
 
 
 def test_simple_rating(
         user_factory, comment_factory, context_factory, fake_datetime):
-    user = user_factory(rank=db.User.RANK_REGULAR)
+    user = user_factory(rank=model.User.RANK_REGULAR)
     comment = comment_factory(user=user)
     db.session.add(comment)
     db.session.commit()
@@ -22,14 +23,14 @@ def test_simple_rating(
             context_factory(params={'score': 1}, user=user),
             {'comment_id': comment.comment_id})
         assert result == 'serialized comment'
-        assert db.session.query(db.CommentScore).count() == 1
+        assert db.session.query(model.CommentScore).count() == 1
         assert comment is not None
         assert comment.score == 1
 
 
 def test_updating_rating(
         user_factory, comment_factory, context_factory, fake_datetime):
-    user = user_factory(rank=db.User.RANK_REGULAR)
+    user = user_factory(rank=model.User.RANK_REGULAR)
     comment = comment_factory(user=user)
     db.session.add(comment)
     db.session.commit()
@@ -42,14 +43,14 @@ def test_updating_rating(
             api.comment_api.set_comment_score(
                 context_factory(params={'score': -1}, user=user),
                 {'comment_id': comment.comment_id})
-        comment = db.session.query(db.Comment).one()
-        assert db.session.query(db.CommentScore).count() == 1
+        comment = db.session.query(model.Comment).one()
+        assert db.session.query(model.CommentScore).count() == 1
         assert comment.score == -1
 
 
 def test_updating_rating_to_zero(
         user_factory, comment_factory, context_factory, fake_datetime):
-    user = user_factory(rank=db.User.RANK_REGULAR)
+    user = user_factory(rank=model.User.RANK_REGULAR)
     comment = comment_factory(user=user)
     db.session.add(comment)
     db.session.commit()
@@ -62,14 +63,14 @@ def test_updating_rating_to_zero(
             api.comment_api.set_comment_score(
                 context_factory(params={'score': 0}, user=user),
                 {'comment_id': comment.comment_id})
-        comment = db.session.query(db.Comment).one()
-        assert db.session.query(db.CommentScore).count() == 0
+        comment = db.session.query(model.Comment).one()
+        assert db.session.query(model.CommentScore).count() == 0
         assert comment.score == 0
 
 
 def test_deleting_rating(
         user_factory, comment_factory, context_factory, fake_datetime):
-    user = user_factory(rank=db.User.RANK_REGULAR)
+    user = user_factory(rank=model.User.RANK_REGULAR)
     comment = comment_factory(user=user)
     db.session.add(comment)
     db.session.commit()
@@ -82,15 +83,15 @@ def test_deleting_rating(
             api.comment_api.delete_comment_score(
                 context_factory(user=user),
                 {'comment_id': comment.comment_id})
-        comment = db.session.query(db.Comment).one()
-        assert db.session.query(db.CommentScore).count() == 0
+        comment = db.session.query(model.Comment).one()
+        assert db.session.query(model.CommentScore).count() == 0
         assert comment.score == 0
 
 
 def test_ratings_from_multiple_users(
         user_factory, comment_factory, context_factory, fake_datetime):
-    user1 = user_factory(rank=db.User.RANK_REGULAR)
-    user2 = user_factory(rank=db.User.RANK_REGULAR)
+    user1 = user_factory(rank=model.User.RANK_REGULAR)
+    user2 = user_factory(rank=model.User.RANK_REGULAR)
     comment = comment_factory()
     db.session.add_all([user1, user2, comment])
     db.session.commit()
@@ -103,8 +104,8 @@ def test_ratings_from_multiple_users(
             api.comment_api.set_comment_score(
                 context_factory(params={'score': -1}, user=user2),
                 {'comment_id': comment.comment_id})
-        comment = db.session.query(db.Comment).one()
-        assert db.session.query(db.CommentScore).count() == 2
+        comment = db.session.query(model.Comment).one()
+        assert db.session.query(model.CommentScore).count() == 2
         assert comment.score == 0
 
 
@@ -125,7 +126,7 @@ def test_trying_to_update_non_existing(user_factory, context_factory):
         api.comment_api.set_comment_score(
             context_factory(
                 params={'score': 1},
-                user=user_factory(rank=db.User.RANK_REGULAR)),
+                user=user_factory(rank=model.User.RANK_REGULAR)),
             {'comment_id': 5})
 
 
@@ -138,5 +139,5 @@ def test_trying_to_rate_without_privileges(
         api.comment_api.set_comment_score(
             context_factory(
                 params={'score': 1},
-                user=user_factory(rank=db.User.RANK_ANONYMOUS)),
+                user=user_factory(rank=model.User.RANK_ANONYMOUS)),
             {'comment_id': comment.comment_id})
diff --git a/server/szurubooru/tests/api/test_comment_retrieving.py b/server/szurubooru/tests/api/test_comment_retrieving.py
index 908e9eb8..5c846bbf 100644
--- a/server/szurubooru/tests/api/test_comment_retrieving.py
+++ b/server/szurubooru/tests/api/test_comment_retrieving.py
@@ -1,6 +1,6 @@
 from unittest.mock import patch
 import pytest
-from szurubooru import api, db, errors
+from szurubooru import api, db, model, errors
 from szurubooru.func import comments
 
 
@@ -8,8 +8,8 @@ from szurubooru.func import comments
 def inject_config(config_injector):
     config_injector({
         'privileges': {
-            'comments:list': db.User.RANK_REGULAR,
-            'comments:view': db.User.RANK_REGULAR,
+            'comments:list': model.User.RANK_REGULAR,
+            'comments:view': model.User.RANK_REGULAR,
         },
     })
 
@@ -23,12 +23,12 @@ def test_retrieving_multiple(user_factory, comment_factory, context_factory):
         comments.serialize_comment.return_value = 'serialized comment'
         result = api.comment_api.get_comments(
             context_factory(
-                params={'query': '', 'page': 1},
-                user=user_factory(rank=db.User.RANK_REGULAR)))
+                params={'query': '', 'offset': 0},
+                user=user_factory(rank=model.User.RANK_REGULAR)))
         assert result == {
             'query': '',
-            'page': 1,
-            'pageSize': 100,
+            'offset': 0,
+            'limit': 100,
             'total': 2,
             'results': ['serialized comment', 'serialized comment'],
         }
@@ -39,8 +39,8 @@ def test_trying_to_retrieve_multiple_without_privileges(
     with pytest.raises(errors.AuthError):
         api.comment_api.get_comments(
             context_factory(
-                params={'query': '', 'page': 1},
-                user=user_factory(rank=db.User.RANK_ANONYMOUS)))
+                params={'query': '', 'offset': 0},
+                user=user_factory(rank=model.User.RANK_ANONYMOUS)))
 
 
 def test_retrieving_single(user_factory, comment_factory, context_factory):
@@ -51,7 +51,7 @@ def test_retrieving_single(user_factory, comment_factory, context_factory):
         comments.serialize_comment.return_value = 'serialized comment'
         result = api.comment_api.get_comment(
             context_factory(
-                user=user_factory(rank=db.User.RANK_REGULAR)),
+                user=user_factory(rank=model.User.RANK_REGULAR)),
             {'comment_id': comment.comment_id})
         assert result == 'serialized comment'
 
@@ -60,7 +60,7 @@ def test_trying_to_retrieve_single_non_existing(user_factory, context_factory):
     with pytest.raises(comments.CommentNotFoundError):
         api.comment_api.get_comment(
             context_factory(
-                user=user_factory(rank=db.User.RANK_REGULAR)),
+                user=user_factory(rank=model.User.RANK_REGULAR)),
             {'comment_id': 5})
 
 
@@ -68,5 +68,5 @@ def test_trying_to_retrieve_single_without_privileges(
         user_factory, context_factory):
     with pytest.raises(errors.AuthError):
         api.comment_api.get_comment(
-            context_factory(user=user_factory(rank=db.User.RANK_ANONYMOUS)),
+            context_factory(user=user_factory(rank=model.User.RANK_ANONYMOUS)),
             {'comment_id': 5})
diff --git a/server/szurubooru/tests/api/test_comment_updating.py b/server/szurubooru/tests/api/test_comment_updating.py
index 5f3d12b0..761b1ce0 100644
--- a/server/szurubooru/tests/api/test_comment_updating.py
+++ b/server/szurubooru/tests/api/test_comment_updating.py
@@ -1,7 +1,7 @@
 from datetime import datetime
 from unittest.mock import patch
 import pytest
-from szurubooru import api, db, errors
+from szurubooru import api, db, model, errors
 from szurubooru.func import comments
 
 
@@ -9,15 +9,15 @@ from szurubooru.func import comments
 def inject_config(config_injector):
     config_injector({
         'privileges': {
-            'comments:edit:own': db.User.RANK_REGULAR,
-            'comments:edit:any': db.User.RANK_MODERATOR,
+            'comments:edit:own': model.User.RANK_REGULAR,
+            'comments:edit:any': model.User.RANK_MODERATOR,
         },
     })
 
 
 def test_simple_updating(
         user_factory, comment_factory, context_factory, fake_datetime):
-    user = user_factory(rank=db.User.RANK_REGULAR)
+    user = user_factory(rank=model.User.RANK_REGULAR)
     comment = comment_factory(user=user)
     db.session.add(comment)
     db.session.commit()
@@ -73,14 +73,14 @@ def test_trying_to_update_non_existing(user_factory, context_factory):
         api.comment_api.update_comment(
             context_factory(
                 params={'text': 'new text'},
-                user=user_factory(rank=db.User.RANK_REGULAR)),
+                user=user_factory(rank=model.User.RANK_REGULAR)),
             {'comment_id': 5})
 
 
 def test_trying_to_update_someones_comment_without_privileges(
         user_factory, comment_factory, context_factory):
-    user = user_factory(rank=db.User.RANK_REGULAR)
-    user2 = user_factory(rank=db.User.RANK_REGULAR)
+    user = user_factory(rank=model.User.RANK_REGULAR)
+    user2 = user_factory(rank=model.User.RANK_REGULAR)
     comment = comment_factory(user=user)
     db.session.add(comment)
     db.session.commit()
@@ -93,8 +93,8 @@ def test_trying_to_update_someones_comment_without_privileges(
 
 def test_updating_someones_comment_with_privileges(
         user_factory, comment_factory, context_factory):
-    user = user_factory(rank=db.User.RANK_REGULAR)
-    user2 = user_factory(rank=db.User.RANK_MODERATOR)
+    user = user_factory(rank=model.User.RANK_REGULAR)
+    user2 = user_factory(rank=model.User.RANK_MODERATOR)
     comment = comment_factory(user=user)
     db.session.add(comment)
     db.session.commit()
diff --git a/server/szurubooru/tests/api/test_info.py b/server/szurubooru/tests/api/test_info.py
index be8c941b..cd157273 100644
--- a/server/szurubooru/tests/api/test_info.py
+++ b/server/szurubooru/tests/api/test_info.py
@@ -1,12 +1,18 @@
 from datetime import datetime
-from szurubooru import api, db
+from szurubooru import api, db, model
 
 
 def test_info_api(
-        tmpdir, config_injector, context_factory, post_factory, fake_datetime):
+        tmpdir, config_injector, context_factory, post_factory, user_factory,
+        fake_datetime):
     directory = tmpdir.mkdir('data')
     directory.join('test.txt').write('abc')
+    auth_user = user_factory(rank=model.User.RANK_REGULAR)
+    anon_user = user_factory(rank=model.User.RANK_ANONYMOUS)
     config_injector({
+        'name': 'test installation',
+        'contact_email': 'test@example.com',
+        'enable_safety': True,
         'data_dir': str(directory),
         'user_name_regex': '1',
         'password_regex': '2',
@@ -16,12 +22,19 @@ def test_info_api(
         'privileges': {
             'test_key1': 'test_value1',
             'test_key2': 'test_value2',
+            'posts:view:featured': 'regular',
         },
+        'smtp': {
+            'host': 'example.com',
+        }
     })
     db.session.add_all([post_factory(), post_factory()])
     db.session.flush()
 
     expected_config_key = {
+        'name': 'test installation',
+        'contactEmail': 'test@example.com',
+        'enableSafety': True,
         'userNameRegex': '1',
         'passwordRegex': '2',
         'tagNameRegex': '3',
@@ -30,11 +43,13 @@ def test_info_api(
         'privileges': {
             'testKey1': 'test_value1',
             'testKey2': 'test_value2',
+            'posts:view:featured': 'regular',
         },
+        'canSendMails': True
     }
 
     with fake_datetime('2016-01-01 13:00'):
-        assert api.info_api.get_info(context_factory()) == {
+        assert api.info_api.get_info(context_factory(user=auth_user)) == {
             'postCount': 2,
             'diskUsage': 3,
             'featuredPost': None,
@@ -45,7 +60,7 @@ def test_info_api(
         }
     directory.join('test2.txt').write('abc')
     with fake_datetime('2016-01-03 12:59'):
-        assert api.info_api.get_info(context_factory()) == {
+        assert api.info_api.get_info(context_factory(user=auth_user)) == {
             'postCount': 2,
             'diskUsage': 3,  # still 3 - it's cached
             'featuredPost': None,
@@ -55,7 +70,7 @@ def test_info_api(
             'config': expected_config_key,
         }
     with fake_datetime('2016-01-03 13:01'):
-        assert api.info_api.get_info(context_factory()) == {
+        assert api.info_api.get_info(context_factory(user=auth_user)) == {
             'postCount': 2,
             'diskUsage': 6,  # cache expired
             'featuredPost': None,
@@ -64,3 +79,10 @@ def test_info_api(
             'serverTime': datetime(2016, 1, 3, 13, 1),
             'config': expected_config_key,
         }
+    with fake_datetime('2016-01-03 13:01'):
+        assert api.info_api.get_info(context_factory(user=anon_user)) == {
+            'postCount': 2,
+            'diskUsage': 6,  # cache expired
+            'serverTime': datetime(2016, 1, 3, 13, 1),
+            'config': expected_config_key,
+        }
diff --git a/server/szurubooru/tests/api/test_password_reset.py b/server/szurubooru/tests/api/test_password_reset.py
index 52b568da..e46dbbec 100644
--- a/server/szurubooru/tests/api/test_password_reset.py
+++ b/server/szurubooru/tests/api/test_password_reset.py
@@ -1,6 +1,6 @@
 from unittest.mock import patch
 import pytest
-from szurubooru import api, db, errors
+from szurubooru import api, db, model, errors
 from szurubooru.func import auth, mailer
 
 
@@ -15,7 +15,7 @@ def inject_config(config_injector):
 
 def test_reset_sending_email(context_factory, user_factory):
     db.session.add(user_factory(
-        name='u1', rank=db.User.RANK_REGULAR, email='user@example.com'))
+        name='u1', rank=model.User.RANK_REGULAR, email='user@example.com'))
     db.session.flush()
     for initiating_user in ['u1', 'user@example.com']:
         with patch('szurubooru.func.mailer.send_mail'):
@@ -39,7 +39,7 @@ def test_trying_to_reset_non_existing(context_factory):
 
 def test_trying_to_reset_without_email(context_factory, user_factory):
     db.session.add(
-        user_factory(name='u1', rank=db.User.RANK_REGULAR, email=None))
+        user_factory(name='u1', rank=model.User.RANK_REGULAR, email=None))
     db.session.flush()
     with pytest.raises(errors.ValidationError):
         api.password_reset_api.start_password_reset(
@@ -48,7 +48,7 @@ def test_trying_to_reset_without_email(context_factory, user_factory):
 
 def test_confirming_with_good_token(context_factory, user_factory):
     user = user_factory(
-        name='u1', rank=db.User.RANK_REGULAR, email='user@example.com')
+        name='u1', rank=model.User.RANK_REGULAR, email='user@example.com')
     old_hash = user.password_hash
     db.session.add(user)
     db.session.flush()
@@ -68,7 +68,7 @@ def test_trying_to_confirm_non_existing(context_factory):
 
 def test_trying_to_confirm_without_token(context_factory, user_factory):
     db.session.add(user_factory(
-        name='u1', rank=db.User.RANK_REGULAR, email='user@example.com'))
+        name='u1', rank=model.User.RANK_REGULAR, email='user@example.com'))
     db.session.flush()
     with pytest.raises(errors.ValidationError):
         api.password_reset_api.finish_password_reset(
@@ -77,7 +77,7 @@ def test_trying_to_confirm_without_token(context_factory, user_factory):
 
 def test_trying_to_confirm_with_bad_token(context_factory, user_factory):
     db.session.add(user_factory(
-        name='u1', rank=db.User.RANK_REGULAR, email='user@example.com'))
+        name='u1', rank=model.User.RANK_REGULAR, email='user@example.com'))
     db.session.flush()
     with pytest.raises(errors.ValidationError):
         api.password_reset_api.finish_password_reset(
diff --git a/server/szurubooru/tests/api/test_post_creating.py b/server/szurubooru/tests/api/test_post_creating.py
index 341990c8..6edcdd36 100644
--- a/server/szurubooru/tests/api/test_post_creating.py
+++ b/server/szurubooru/tests/api/test_post_creating.py
@@ -1,6 +1,6 @@
 from unittest.mock import patch
 import pytest
-from szurubooru import api, db, errors
+from szurubooru import api, db, model, errors
 from szurubooru.func import posts, tags, snapshots, net
 
 
@@ -8,16 +8,16 @@ from szurubooru.func import posts, tags, snapshots, net
 def inject_config(config_injector):
     config_injector({
         'privileges': {
-            'posts:create:anonymous': db.User.RANK_REGULAR,
-            'posts:create:identified': db.User.RANK_REGULAR,
-            'tags:create': db.User.RANK_REGULAR,
+            'posts:create:anonymous': model.User.RANK_REGULAR,
+            'posts:create:identified': model.User.RANK_REGULAR,
+            'tags:create': model.User.RANK_REGULAR,
         },
     })
 
 
 def test_creating_minimal_posts(
         context_factory, post_factory, user_factory):
-    auth_user = user_factory(rank=db.User.RANK_REGULAR)
+    auth_user = user_factory(rank=model.User.RANK_REGULAR)
     post = post_factory()
     db.session.add(post)
     db.session.flush()
@@ -30,7 +30,6 @@ def test_creating_minimal_posts(
             patch('szurubooru.func.posts.update_post_flags'), \
             patch('szurubooru.func.posts.update_post_thumbnail'), \
             patch('szurubooru.func.posts.serialize_post'), \
-            patch('szurubooru.func.tags.export_to_json'), \
             patch('szurubooru.func.snapshots.create'):
         posts.create_post.return_value = (post, [])
         posts.serialize_post.return_value = 'serialized post'
@@ -53,20 +52,19 @@ def test_creating_minimal_posts(
         posts.update_post_thumbnail.assert_called_once_with(
             post, 'post-thumbnail')
         posts.update_post_safety.assert_called_once_with(post, 'safe')
-        posts.update_post_source.assert_called_once_with(post, None)
+        posts.update_post_source.assert_called_once_with(post, '')
         posts.update_post_relations.assert_called_once_with(post, [])
         posts.update_post_notes.assert_called_once_with(post, [])
         posts.update_post_flags.assert_called_once_with(post, [])
         posts.update_post_thumbnail.assert_called_once_with(
             post, 'post-thumbnail')
         posts.serialize_post.assert_called_once_with(
-            post, auth_user, options=None)
+            post, auth_user, options=[])
         snapshots.create.assert_called_once_with(post, auth_user)
-        tags.export_to_json.assert_called_once_with()
 
 
 def test_creating_full_posts(context_factory, post_factory, user_factory):
-    auth_user = user_factory(rank=db.User.RANK_REGULAR)
+    auth_user = user_factory(rank=model.User.RANK_REGULAR)
     post = post_factory()
     db.session.add(post)
     db.session.flush()
@@ -78,7 +76,6 @@ def test_creating_full_posts(context_factory, post_factory, user_factory):
             patch('szurubooru.func.posts.update_post_notes'), \
             patch('szurubooru.func.posts.update_post_flags'), \
             patch('szurubooru.func.posts.serialize_post'), \
-            patch('szurubooru.func.tags.export_to_json'), \
             patch('szurubooru.func.snapshots.create'):
         posts.create_post.return_value = (post, [])
         posts.serialize_post.return_value = 'serialized post'
@@ -109,24 +106,22 @@ def test_creating_full_posts(context_factory, post_factory, user_factory):
         posts.update_post_flags.assert_called_once_with(
             post, ['flag1', 'flag2'])
         posts.serialize_post.assert_called_once_with(
-            post, auth_user, options=None)
+            post, auth_user, options=[])
         snapshots.create.assert_called_once_with(post, auth_user)
-        tags.export_to_json.assert_called_once_with()
 
 
 def test_anonymous_uploads(
         config_injector, context_factory, post_factory, user_factory):
-    auth_user = user_factory(rank=db.User.RANK_REGULAR)
+    auth_user = user_factory(rank=model.User.RANK_REGULAR)
     post = post_factory()
     db.session.add(post)
     db.session.flush()
 
-    with patch('szurubooru.func.tags.export_to_json'), \
-            patch('szurubooru.func.posts.serialize_post'), \
+    with patch('szurubooru.func.posts.serialize_post'), \
             patch('szurubooru.func.posts.create_post'), \
             patch('szurubooru.func.posts.update_post_source'):
         config_injector({
-            'privileges': {'posts:create:anonymous': db.User.RANK_REGULAR},
+            'privileges': {'posts:create:anonymous': model.User.RANK_REGULAR},
         })
         posts.create_post.return_value = [post, []]
         api.post_api.create_post(
@@ -146,18 +141,17 @@ def test_anonymous_uploads(
 
 def test_creating_from_url_saves_source(
         config_injector, context_factory, post_factory, user_factory):
-    auth_user = user_factory(rank=db.User.RANK_REGULAR)
+    auth_user = user_factory(rank=model.User.RANK_REGULAR)
     post = post_factory()
     db.session.add(post)
     db.session.flush()
 
     with patch('szurubooru.func.net.download'), \
-            patch('szurubooru.func.tags.export_to_json'), \
             patch('szurubooru.func.posts.serialize_post'), \
             patch('szurubooru.func.posts.create_post'), \
             patch('szurubooru.func.posts.update_post_source'):
         config_injector({
-            'privileges': {'posts:create:identified': db.User.RANK_REGULAR},
+            'privileges': {'posts:create:identified': model.User.RANK_REGULAR},
         })
         net.download.return_value = b'content'
         posts.create_post.return_value = [post, []]
@@ -177,18 +171,17 @@ def test_creating_from_url_saves_source(
 
 def test_creating_from_url_with_source_specified(
         config_injector, context_factory, post_factory, user_factory):
-    auth_user = user_factory(rank=db.User.RANK_REGULAR)
+    auth_user = user_factory(rank=model.User.RANK_REGULAR)
     post = post_factory()
     db.session.add(post)
     db.session.flush()
 
     with patch('szurubooru.func.net.download'), \
-            patch('szurubooru.func.tags.export_to_json'), \
             patch('szurubooru.func.posts.serialize_post'), \
             patch('szurubooru.func.posts.create_post'), \
             patch('szurubooru.func.posts.update_post_source'):
         config_injector({
-            'privileges': {'posts:create:identified': db.User.RANK_REGULAR},
+            'privileges': {'posts:create:identified': model.User.RANK_REGULAR},
         })
         net.download.return_value = b'content'
         posts.create_post.return_value = [post, []]
@@ -218,14 +211,14 @@ def test_trying_to_omit_mandatory_field(context_factory, user_factory, field):
             context_factory(
                 params=params,
                 files={'content': '...'},
-                user=user_factory(rank=db.User.RANK_REGULAR)))
+                user=user_factory(rank=model.User.RANK_REGULAR)))
 
 
 @pytest.mark.parametrize(
     'field', ['tags', 'relations', 'source', 'notes', 'flags'])
 def test_omitting_optional_field(
         field, context_factory, post_factory, user_factory):
-    auth_user = user_factory(rank=db.User.RANK_REGULAR)
+    auth_user = user_factory(rank=model.User.RANK_REGULAR)
     post = post_factory()
     db.session.add(post)
     db.session.flush()
@@ -245,7 +238,6 @@ def test_omitting_optional_field(
             patch('szurubooru.func.posts.update_post_notes'), \
             patch('szurubooru.func.posts.update_post_flags'), \
             patch('szurubooru.func.posts.serialize_post'), \
-            patch('szurubooru.func.tags.export_to_json'), \
             patch('szurubooru.func.snapshots.create'):
         posts.create_post.return_value = (post, [])
         posts.serialize_post.return_value = 'serialized post'
@@ -258,7 +250,8 @@ def test_omitting_optional_field(
 
 
 def test_errors_not_spending_ids(
-        config_injector, tmpdir, context_factory, read_asset, user_factory):
+        config_injector, tmpdir, context_factory, read_asset, user_factory,
+        skip_post_hashing):
     config_injector({
         'data_dir': str(tmpdir.mkdir('data')),
         'data_url': 'example.com',
@@ -267,10 +260,11 @@ def test_errors_not_spending_ids(
             'post_height': 300,
         },
         'privileges': {
-            'posts:create:identified': db.User.RANK_REGULAR,
+            'posts:create:identified': model.User.RANK_REGULAR,
         },
+        'secret': 'test',
     })
-    auth_user = user_factory(rank=db.User.RANK_REGULAR)
+    auth_user = user_factory(rank=model.User.RANK_REGULAR)
 
     # successful request
     with patch('szurubooru.func.posts.serialize_post'), \
@@ -315,7 +309,7 @@ def test_trying_to_omit_content(context_factory, user_factory):
                     'safety': 'safe',
                     'tags': ['tag1', 'tag2'],
                 },
-                user=user_factory(rank=db.User.RANK_REGULAR)))
+                user=user_factory(rank=model.User.RANK_REGULAR)))
 
 
 def test_trying_to_create_post_without_privileges(
@@ -323,16 +317,16 @@ def test_trying_to_create_post_without_privileges(
     with pytest.raises(errors.AuthError):
         api.post_api.create_post(context_factory(
             params='whatever',
-            user=user_factory(rank=db.User.RANK_ANONYMOUS)))
+            user=user_factory(rank=model.User.RANK_ANONYMOUS)))
 
 
 def test_trying_to_create_tags_without_privileges(
         config_injector, context_factory, user_factory):
     config_injector({
         'privileges': {
-            'posts:create:anonymous': db.User.RANK_REGULAR,
-            'posts:create:identified': db.User.RANK_REGULAR,
-            'tags:create': db.User.RANK_ADMINISTRATOR,
+            'posts:create:anonymous': model.User.RANK_REGULAR,
+            'posts:create:identified': model.User.RANK_REGULAR,
+            'tags:create': model.User.RANK_ADMINISTRATOR,
         },
     })
     with pytest.raises(errors.AuthError), \
@@ -348,4 +342,4 @@ def test_trying_to_create_tags_without_privileges(
                 files={
                     'content': posts.EMPTY_PIXEL,
                 },
-                user=user_factory(rank=db.User.RANK_REGULAR)))
+                user=user_factory(rank=model.User.RANK_REGULAR)))
diff --git a/server/szurubooru/tests/api/test_post_deleting.py b/server/szurubooru/tests/api/test_post_deleting.py
index c4187ed4..bb5f9ced 100644
--- a/server/szurubooru/tests/api/test_post_deleting.py
+++ b/server/szurubooru/tests/api/test_post_deleting.py
@@ -1,34 +1,39 @@
 from unittest.mock import patch
 import pytest
-from szurubooru import api, db, errors
-from szurubooru.func import posts, tags, snapshots
+from szurubooru import api, db, model, errors
+from szurubooru.func import posts, snapshots
 
 
 @pytest.fixture(autouse=True)
 def inject_config(config_injector):
-    config_injector({'privileges': {'posts:delete': db.User.RANK_REGULAR}})
+    config_injector({
+        'secret': 'secret',
+        'data_dir': '',
+        'delete_source_files': False,
+        'privileges': {
+            'posts:delete': model.User.RANK_REGULAR
+        }
+    })
 
 
 def test_deleting(user_factory, post_factory, context_factory):
-    auth_user = user_factory(rank=db.User.RANK_REGULAR)
+    auth_user = user_factory(rank=model.User.RANK_REGULAR)
     post = post_factory(id=1)
     db.session.add(post)
     db.session.flush()
-    with patch('szurubooru.func.tags.export_to_json'), \
-            patch('szurubooru.func.snapshots.delete'):
+    with patch('szurubooru.func.snapshots.delete'):
         result = api.post_api.delete_post(
             context_factory(params={'version': 1}, user=auth_user),
             {'post_id': 1})
         assert result == {}
-        assert db.session.query(db.Post).count() == 0
+        assert db.session.query(model.Post).count() == 0
         snapshots.delete.assert_called_once_with(post, auth_user)
-        tags.export_to_json.assert_called_once_with()
 
 
 def test_trying_to_delete_non_existing(user_factory, context_factory):
     with pytest.raises(posts.PostNotFoundError):
         api.post_api.delete_post(
-            context_factory(user=user_factory(rank=db.User.RANK_REGULAR)),
+            context_factory(user=user_factory(rank=model.User.RANK_REGULAR)),
             {'post_id': 999})
 
 
@@ -38,6 +43,6 @@ def test_trying_to_delete_without_privileges(
     db.session.commit()
     with pytest.raises(errors.AuthError):
         api.post_api.delete_post(
-            context_factory(user=user_factory(rank=db.User.RANK_ANONYMOUS)),
+            context_factory(user=user_factory(rank=model.User.RANK_ANONYMOUS)),
             {'post_id': 1})
-    assert db.session.query(db.Post).count() == 1
+    assert db.session.query(model.Post).count() == 1
diff --git a/server/szurubooru/tests/api/test_post_favoriting.py b/server/szurubooru/tests/api/test_post_favoriting.py
index d78d199e..ce91a028 100644
--- a/server/szurubooru/tests/api/test_post_favoriting.py
+++ b/server/szurubooru/tests/api/test_post_favoriting.py
@@ -1,13 +1,14 @@
 from datetime import datetime
 from unittest.mock import patch
 import pytest
-from szurubooru import api, db, errors
+from szurubooru import api, db, model, errors
 from szurubooru.func import posts
 
 
 @pytest.fixture(autouse=True)
 def inject_config(config_injector):
-    config_injector({'privileges': {'posts:favorite': db.User.RANK_REGULAR}})
+    config_injector(
+        {'privileges': {'posts:favorite': model.User.RANK_REGULAR}})
 
 
 def test_adding_to_favorites(
@@ -23,8 +24,8 @@ def test_adding_to_favorites(
             context_factory(user=user_factory()),
             {'post_id': post.post_id})
         assert result == 'serialized post'
-        post = db.session.query(db.Post).one()
-        assert db.session.query(db.PostFavorite).count() == 1
+        post = db.session.query(model.Post).one()
+        assert db.session.query(model.PostFavorite).count() == 1
         assert post is not None
         assert post.favorite_count == 1
         assert post.score == 1
@@ -47,9 +48,9 @@ def test_removing_from_favorites(
             api.post_api.delete_post_from_favorites(
                 context_factory(user=user),
                 {'post_id': post.post_id})
-        post = db.session.query(db.Post).one()
+        post = db.session.query(model.Post).one()
         assert post.score == 1
-        assert db.session.query(db.PostFavorite).count() == 0
+        assert db.session.query(model.PostFavorite).count() == 0
         assert post.favorite_count == 0
 
 
@@ -68,8 +69,8 @@ def test_favoriting_twice(
             api.post_api.add_post_to_favorites(
                 context_factory(user=user),
                 {'post_id': post.post_id})
-        post = db.session.query(db.Post).one()
-        assert db.session.query(db.PostFavorite).count() == 1
+        post = db.session.query(model.Post).one()
+        assert db.session.query(model.PostFavorite).count() == 1
         assert post.favorite_count == 1
 
 
@@ -92,8 +93,8 @@ def test_removing_twice(
             api.post_api.delete_post_from_favorites(
                 context_factory(user=user),
                 {'post_id': post.post_id})
-        post = db.session.query(db.Post).one()
-        assert db.session.query(db.PostFavorite).count() == 0
+        post = db.session.query(model.Post).one()
+        assert db.session.query(model.PostFavorite).count() == 0
         assert post.favorite_count == 0
 
 
@@ -113,8 +114,8 @@ def test_favorites_from_multiple_users(
             api.post_api.add_post_to_favorites(
                 context_factory(user=user2),
                 {'post_id': post.post_id})
-        post = db.session.query(db.Post).one()
-        assert db.session.query(db.PostFavorite).count() == 2
+        post = db.session.query(model.Post).one()
+        assert db.session.query(model.PostFavorite).count() == 2
         assert post.favorite_count == 2
         assert post.last_favorite_time == datetime(1997, 12, 2)
 
@@ -133,5 +134,5 @@ def test_trying_to_rate_without_privileges(
     db.session.commit()
     with pytest.raises(errors.AuthError):
         api.post_api.add_post_to_favorites(
-            context_factory(user=user_factory(rank=db.User.RANK_ANONYMOUS)),
+            context_factory(user=user_factory(rank=model.User.RANK_ANONYMOUS)),
             {'post_id': post.post_id})
diff --git a/server/szurubooru/tests/api/test_post_featuring.py b/server/szurubooru/tests/api/test_post_featuring.py
index a0a82c75..6e9e7569 100644
--- a/server/szurubooru/tests/api/test_post_featuring.py
+++ b/server/szurubooru/tests/api/test_post_featuring.py
@@ -1,6 +1,6 @@
 from unittest.mock import patch
 import pytest
-from szurubooru import api, db, errors
+from szurubooru import api, db, model, errors
 from szurubooru.func import posts, snapshots
 
 
@@ -8,14 +8,15 @@ from szurubooru.func import posts, snapshots
 def inject_config(config_injector):
     config_injector({
         'privileges': {
-            'posts:feature': db.User.RANK_REGULAR,
-            'posts:view': db.User.RANK_REGULAR,
+            'posts:feature': model.User.RANK_REGULAR,
+            'posts:view': model.User.RANK_REGULAR,
+            'posts:view:featured': model.User.RANK_REGULAR,
         },
     })
 
 
 def test_featuring(user_factory, post_factory, context_factory):
-    auth_user = user_factory(rank=db.User.RANK_REGULAR)
+    auth_user = user_factory(rank=model.User.RANK_REGULAR)
     post = post_factory(id=1)
     db.session.add(post)
     db.session.flush()
@@ -31,7 +32,7 @@ def test_featuring(user_factory, post_factory, context_factory):
         assert posts.get_post_by_id(1).is_featured
         result = api.post_api.get_featured_post(
             context_factory(
-                user=user_factory(rank=db.User.RANK_REGULAR)))
+                user=user_factory(rank=model.User.RANK_REGULAR)))
         assert result == 'serialized post'
         snapshots.modify.assert_called_once_with(post, auth_user)
 
@@ -40,7 +41,7 @@ def test_trying_to_omit_required_parameter(user_factory, context_factory):
     with pytest.raises(errors.MissingRequiredParameterError):
         api.post_api.set_featured_post(
             context_factory(
-                user=user_factory(rank=db.User.RANK_REGULAR)))
+                user=user_factory(rank=model.User.RANK_REGULAR)))
 
 
 def test_trying_to_feature_the_same_post_twice(
@@ -51,12 +52,12 @@ def test_trying_to_feature_the_same_post_twice(
         api.post_api.set_featured_post(
             context_factory(
                 params={'id': 1},
-                user=user_factory(rank=db.User.RANK_REGULAR)))
+                user=user_factory(rank=model.User.RANK_REGULAR)))
         with pytest.raises(posts.PostAlreadyFeaturedError):
             api.post_api.set_featured_post(
                 context_factory(
                     params={'id': 1},
-                    user=user_factory(rank=db.User.RANK_REGULAR)))
+                    user=user_factory(rank=model.User.RANK_REGULAR)))
 
 
 def test_featuring_one_post_after_another(
@@ -72,12 +73,12 @@ def test_featuring_one_post_after_another(
             api.post_api.set_featured_post(
                 context_factory(
                     params={'id': 1},
-                    user=user_factory(rank=db.User.RANK_REGULAR)))
+                    user=user_factory(rank=model.User.RANK_REGULAR)))
         with fake_datetime('1998'):
             api.post_api.set_featured_post(
                 context_factory(
                     params={'id': 2},
-                    user=user_factory(rank=db.User.RANK_REGULAR)))
+                    user=user_factory(rank=model.User.RANK_REGULAR)))
         assert posts.try_get_featured_post() is not None
         assert posts.try_get_featured_post().post_id == 2
         assert not posts.get_post_by_id(1).is_featured
@@ -89,18 +90,17 @@ def test_trying_to_feature_non_existing(user_factory, context_factory):
         api.post_api.set_featured_post(
             context_factory(
                 params={'id': 1},
-                user=user_factory(rank=db.User.RANK_REGULAR)))
+                user=user_factory(rank=model.User.RANK_REGULAR)))
+
+
+def test_trying_to_retrieve_without_privileges(
+        user_factory, context_factory):
+    with pytest.raises(errors.AuthError):
+        api.post_api.get_featured_post(
+            context_factory(user=user_factory(rank=model.User.RANK_ANONYMOUS)))
 
 
 def test_trying_to_feature_without_privileges(user_factory, context_factory):
     with pytest.raises(errors.AuthError):
         api.post_api.set_featured_post(
-            context_factory(
-                params={'id': 1},
-                user=user_factory(rank=db.User.RANK_ANONYMOUS)))
-
-
-def test_getting_featured_post_without_privileges_to_view(
-        user_factory, context_factory):
-    api.post_api.get_featured_post(
-        context_factory(user=user_factory(rank=db.User.RANK_ANONYMOUS)))
+            context_factory(user=user_factory(rank=model.User.RANK_ANONYMOUS)))
diff --git a/server/szurubooru/tests/api/test_post_merging.py b/server/szurubooru/tests/api/test_post_merging.py
index e6540904..eb8464f8 100644
--- a/server/szurubooru/tests/api/test_post_merging.py
+++ b/server/szurubooru/tests/api/test_post_merging.py
@@ -1,16 +1,16 @@
 from unittest.mock import patch
 import pytest
-from szurubooru import api, db, errors
+from szurubooru import api, db, model, errors
 from szurubooru.func import posts, snapshots
 
 
 @pytest.fixture(autouse=True)
 def inject_config(config_injector):
-    config_injector({'privileges': {'posts:merge': db.User.RANK_REGULAR}})
+    config_injector({'privileges': {'posts:merge': model.User.RANK_REGULAR}})
 
 
 def test_merging(user_factory, context_factory, post_factory):
-    auth_user = user_factory(rank=db.User.RANK_REGULAR)
+    auth_user = user_factory(rank=model.User.RANK_REGULAR)
     source_post = post_factory()
     target_post = post_factory()
     db.session.add_all([source_post, target_post])
@@ -25,6 +25,7 @@ def test_merging(user_factory, context_factory, post_factory):
                     'mergeToVersion': 1,
                     'remove': source_post.post_id,
                     'mergeTo': target_post.post_id,
+                    'replaceContent': False,
                 },
                 user=auth_user))
         posts.merge_posts.called_once_with(source_post, target_post)
@@ -45,13 +46,14 @@ def test_trying_to_omit_mandatory_field(
         'mergeToVersion': 1,
         'remove': source_post.post_id,
         'mergeTo': target_post.post_id,
+        'replaceContent': False,
     }
     del params[field]
     with pytest.raises(errors.ValidationError):
         api.post_api.merge_posts(
             context_factory(
                 params=params,
-                user=user_factory(rank=db.User.RANK_REGULAR)))
+                user=user_factory(rank=model.User.RANK_REGULAR)))
 
 
 def test_trying_to_merge_non_existing(
@@ -63,12 +65,12 @@ def test_trying_to_merge_non_existing(
         api.post_api.merge_posts(
             context_factory(
                 params={'remove': post.post_id, 'mergeTo': 999},
-                user=user_factory(rank=db.User.RANK_REGULAR)))
+                user=user_factory(rank=model.User.RANK_REGULAR)))
     with pytest.raises(posts.PostNotFoundError):
         api.post_api.merge_posts(
             context_factory(
                 params={'remove': 999, 'mergeTo': post.post_id},
-                user=user_factory(rank=db.User.RANK_REGULAR)))
+                user=user_factory(rank=model.User.RANK_REGULAR)))
 
 
 def test_trying_to_merge_without_privileges(
@@ -85,5 +87,6 @@ def test_trying_to_merge_without_privileges(
                     'mergeToVersion': 1,
                     'remove': source_post.post_id,
                     'mergeTo': target_post.post_id,
+                    'replaceContent': False,
                 },
-                user=user_factory(rank=db.User.RANK_ANONYMOUS)))
+                user=user_factory(rank=model.User.RANK_ANONYMOUS)))
diff --git a/server/szurubooru/tests/api/test_post_rating.py b/server/szurubooru/tests/api/test_post_rating.py
index 18e823e7..0fca2f56 100644
--- a/server/szurubooru/tests/api/test_post_rating.py
+++ b/server/szurubooru/tests/api/test_post_rating.py
@@ -1,12 +1,12 @@
 from unittest.mock import patch
 import pytest
-from szurubooru import api, db, errors
+from szurubooru import api, db, model, errors
 from szurubooru.func import posts
 
 
 @pytest.fixture(autouse=True)
 def inject_config(config_injector):
-    config_injector({'privileges': {'posts:score': db.User.RANK_REGULAR}})
+    config_injector({'privileges': {'posts:score': model.User.RANK_REGULAR}})
 
 
 def test_simple_rating(
@@ -22,8 +22,8 @@ def test_simple_rating(
                 params={'score': 1}, user=user_factory()),
             {'post_id': post.post_id})
         assert result == 'serialized post'
-        post = db.session.query(db.Post).one()
-        assert db.session.query(db.PostScore).count() == 1
+        post = db.session.query(model.Post).one()
+        assert db.session.query(model.PostScore).count() == 1
         assert post is not None
         assert post.score == 1
 
@@ -43,8 +43,8 @@ def test_updating_rating(
             api.post_api.set_post_score(
                 context_factory(params={'score': -1}, user=user),
                 {'post_id': post.post_id})
-        post = db.session.query(db.Post).one()
-        assert db.session.query(db.PostScore).count() == 1
+        post = db.session.query(model.Post).one()
+        assert db.session.query(model.PostScore).count() == 1
         assert post.score == -1
 
 
@@ -63,8 +63,8 @@ def test_updating_rating_to_zero(
             api.post_api.set_post_score(
                 context_factory(params={'score': 0}, user=user),
                 {'post_id': post.post_id})
-        post = db.session.query(db.Post).one()
-        assert db.session.query(db.PostScore).count() == 0
+        post = db.session.query(model.Post).one()
+        assert db.session.query(model.PostScore).count() == 0
         assert post.score == 0
 
 
@@ -83,8 +83,8 @@ def test_deleting_rating(
             api.post_api.delete_post_score(
                 context_factory(user=user),
                 {'post_id': post.post_id})
-        post = db.session.query(db.Post).one()
-        assert db.session.query(db.PostScore).count() == 0
+        post = db.session.query(model.Post).one()
+        assert db.session.query(model.PostScore).count() == 0
         assert post.score == 0
 
 
@@ -104,8 +104,8 @@ def test_ratings_from_multiple_users(
             api.post_api.set_post_score(
                 context_factory(params={'score': -1}, user=user2),
                 {'post_id': post.post_id})
-        post = db.session.query(db.Post).one()
-        assert db.session.query(db.PostScore).count() == 2
+        post = db.session.query(model.Post).one()
+        assert db.session.query(model.PostScore).count() == 2
         assert post.score == 0
 
 
@@ -136,5 +136,5 @@ def test_trying_to_rate_without_privileges(
         api.post_api.set_post_score(
             context_factory(
                 params={'score': 1},
-                user=user_factory(rank=db.User.RANK_ANONYMOUS)),
+                user=user_factory(rank=model.User.RANK_ANONYMOUS)),
             {'post_id': post.post_id})
diff --git a/server/szurubooru/tests/api/test_post_retrieving.py b/server/szurubooru/tests/api/test_post_retrieving.py
index a33d60a3..7270547e 100644
--- a/server/szurubooru/tests/api/test_post_retrieving.py
+++ b/server/szurubooru/tests/api/test_post_retrieving.py
@@ -1,7 +1,7 @@
 from datetime import datetime
 from unittest.mock import patch
 import pytest
-from szurubooru import api, db, errors
+from szurubooru import api, db, model, errors
 from szurubooru.func import posts
 
 
@@ -9,8 +9,8 @@ from szurubooru.func import posts
 def inject_config(config_injector):
     config_injector({
         'privileges': {
-            'posts:list': db.User.RANK_REGULAR,
-            'posts:view': db.User.RANK_REGULAR,
+            'posts:list': model.User.RANK_REGULAR,
+            'posts:view': model.User.RANK_REGULAR,
         },
     })
 
@@ -24,37 +24,36 @@ def test_retrieving_multiple(user_factory, post_factory, context_factory):
         posts.serialize_post.return_value = 'serialized post'
         result = api.post_api.get_posts(
             context_factory(
-                params={'query': '', 'page': 1},
-                user=user_factory(rank=db.User.RANK_REGULAR)))
+                params={'query': '', 'offset': 0},
+                user=user_factory(rank=model.User.RANK_REGULAR)))
         assert result == {
             'query': '',
-            'page': 1,
-            'pageSize': 100,
+            'offset': 0,
+            'limit': 100,
             'total': 2,
             'results': ['serialized post', 'serialized post'],
         }
 
 
 def test_using_special_tokens(user_factory, post_factory, context_factory):
-    auth_user = user_factory(rank=db.User.RANK_REGULAR)
+    auth_user = user_factory(rank=model.User.RANK_REGULAR)
     post1 = post_factory(id=1)
     post2 = post_factory(id=2)
-    post1.favorited_by = [db.PostFavorite(
+    post1.favorited_by = [model.PostFavorite(
         user=auth_user, time=datetime.utcnow())]
     db.session.add_all([post1, post2, auth_user])
     db.session.flush()
     with patch('szurubooru.func.posts.serialize_post'):
-        posts.serialize_post.side_effect = \
-            lambda post, *_args, **_kwargs: \
-                'serialized post %d' % post.post_id
+        posts.serialize_post.side_effect = lambda post, *_args, **_kwargs: \
+            'serialized post %d' % post.post_id
         result = api.post_api.get_posts(
             context_factory(
-                params={'query': 'special:fav', 'page': 1},
+                params={'query': 'special:fav', 'offset': 0},
                 user=auth_user))
         assert result == {
             'query': 'special:fav',
-            'page': 1,
-            'pageSize': 100,
+            'offset': 0,
+            'limit': 100,
             'total': 1,
             'results': ['serialized post 1'],
         }
@@ -68,8 +67,8 @@ def test_trying_to_use_special_tokens_without_logging_in(
     with pytest.raises(errors.SearchError):
         api.post_api.get_posts(
             context_factory(
-                params={'query': 'special:fav', 'page': 1},
-                user=user_factory(rank=db.User.RANK_ANONYMOUS)))
+                params={'query': 'special:fav', 'offset': 0},
+                user=user_factory(rank=model.User.RANK_ANONYMOUS)))
 
 
 def test_trying_to_retrieve_multiple_without_privileges(
@@ -77,8 +76,8 @@ def test_trying_to_retrieve_multiple_without_privileges(
     with pytest.raises(errors.AuthError):
         api.post_api.get_posts(
             context_factory(
-                params={'query': '', 'page': 1},
-                user=user_factory(rank=db.User.RANK_ANONYMOUS)))
+                params={'query': '', 'offset': 0},
+                user=user_factory(rank=model.User.RANK_ANONYMOUS)))
 
 
 def test_retrieving_single(user_factory, post_factory, context_factory):
@@ -87,7 +86,7 @@ def test_retrieving_single(user_factory, post_factory, context_factory):
     with patch('szurubooru.func.posts.serialize_post'):
         posts.serialize_post.return_value = 'serialized post'
         result = api.post_api.get_post(
-            context_factory(user=user_factory(rank=db.User.RANK_REGULAR)),
+            context_factory(user=user_factory(rank=model.User.RANK_REGULAR)),
             {'post_id': 1})
         assert result == 'serialized post'
 
@@ -95,7 +94,7 @@ def test_retrieving_single(user_factory, post_factory, context_factory):
 def test_trying_to_retrieve_single_non_existing(user_factory, context_factory):
     with pytest.raises(posts.PostNotFoundError):
         api.post_api.get_post(
-            context_factory(user=user_factory(rank=db.User.RANK_REGULAR)),
+            context_factory(user=user_factory(rank=model.User.RANK_REGULAR)),
             {'post_id': 999})
 
 
@@ -103,5 +102,5 @@ def test_trying_to_retrieve_single_without_privileges(
         user_factory, context_factory):
     with pytest.raises(errors.AuthError):
         api.post_api.get_post(
-            context_factory(user=user_factory(rank=db.User.RANK_ANONYMOUS)),
+            context_factory(user=user_factory(rank=model.User.RANK_ANONYMOUS)),
             {'post_id': 999})
diff --git a/server/szurubooru/tests/api/test_post_updating.py b/server/szurubooru/tests/api/test_post_updating.py
index 790e835e..fa298eaa 100644
--- a/server/szurubooru/tests/api/test_post_updating.py
+++ b/server/szurubooru/tests/api/test_post_updating.py
@@ -1,7 +1,7 @@
 from datetime import datetime
 from unittest.mock import patch
 import pytest
-from szurubooru import api, db, errors
+from szurubooru import api, db, model, errors
 from szurubooru.func import posts, tags, snapshots, net
 
 
@@ -9,22 +9,22 @@ from szurubooru.func import posts, tags, snapshots, net
 def inject_config(config_injector):
     config_injector({
         'privileges': {
-            'posts:edit:tags': db.User.RANK_REGULAR,
-            'posts:edit:content': db.User.RANK_REGULAR,
-            'posts:edit:safety': db.User.RANK_REGULAR,
-            'posts:edit:source': db.User.RANK_REGULAR,
-            'posts:edit:relations': db.User.RANK_REGULAR,
-            'posts:edit:notes': db.User.RANK_REGULAR,
-            'posts:edit:flags': db.User.RANK_REGULAR,
-            'posts:edit:thumbnail': db.User.RANK_REGULAR,
-            'tags:create': db.User.RANK_MODERATOR,
+            'posts:edit:tags': model.User.RANK_REGULAR,
+            'posts:edit:content': model.User.RANK_REGULAR,
+            'posts:edit:safety': model.User.RANK_REGULAR,
+            'posts:edit:source': model.User.RANK_REGULAR,
+            'posts:edit:relations': model.User.RANK_REGULAR,
+            'posts:edit:notes': model.User.RANK_REGULAR,
+            'posts:edit:flags': model.User.RANK_REGULAR,
+            'posts:edit:thumbnail': model.User.RANK_REGULAR,
+            'tags:create': model.User.RANK_MODERATOR,
         },
     })
 
 
 def test_post_updating(
         context_factory, post_factory, user_factory, fake_datetime):
-    auth_user = user_factory(rank=db.User.RANK_REGULAR)
+    auth_user = user_factory(rank=model.User.RANK_REGULAR)
     post = post_factory()
     db.session.add(post)
     db.session.flush()
@@ -39,7 +39,6 @@ def test_post_updating(
             patch('szurubooru.func.posts.update_post_notes'), \
             patch('szurubooru.func.posts.update_post_flags'), \
             patch('szurubooru.func.posts.serialize_post'), \
-            patch('szurubooru.func.tags.export_to_json'), \
             patch('szurubooru.func.snapshots.modify'), \
             fake_datetime('1997-01-01'):
         posts.serialize_post.return_value = 'serialized post'
@@ -76,9 +75,8 @@ def test_post_updating(
         posts.update_post_flags.assert_called_once_with(
             post, ['flag1', 'flag2'])
         posts.serialize_post.assert_called_once_with(
-            post, auth_user, options=None)
+            post, auth_user, options=[])
         snapshots.modify.assert_called_once_with(post, auth_user)
-        tags.export_to_json.assert_called_once_with()
         assert post.last_edit_time == datetime(1997, 1, 1)
 
 
@@ -88,7 +86,6 @@ def test_uploading_from_url_saves_source(
     db.session.add(post)
     db.session.flush()
     with patch('szurubooru.func.net.download'), \
-            patch('szurubooru.func.tags.export_to_json'), \
             patch('szurubooru.func.posts.serialize_post'), \
             patch('szurubooru.func.posts.update_post_content'), \
             patch('szurubooru.func.posts.update_post_source'), \
@@ -97,7 +94,7 @@ def test_uploading_from_url_saves_source(
         api.post_api.update_post(
             context_factory(
                 params={'contentUrl': 'example.com', 'version': 1},
-                user=user_factory(rank=db.User.RANK_REGULAR)),
+                user=user_factory(rank=model.User.RANK_REGULAR)),
             {'post_id': post.post_id})
         net.download.assert_called_once_with('example.com')
         posts.update_post_content.assert_called_once_with(post, b'content')
@@ -110,7 +107,6 @@ def test_uploading_from_url_with_source_specified(
     db.session.add(post)
     db.session.flush()
     with patch('szurubooru.func.net.download'), \
-            patch('szurubooru.func.tags.export_to_json'), \
             patch('szurubooru.func.posts.serialize_post'), \
             patch('szurubooru.func.posts.update_post_content'), \
             patch('szurubooru.func.posts.update_post_source'), \
@@ -122,7 +118,7 @@ def test_uploading_from_url_with_source_specified(
                     'contentUrl': 'example.com',
                     'source': 'example2.com',
                     'version': 1},
-                user=user_factory(rank=db.User.RANK_REGULAR)),
+                user=user_factory(rank=model.User.RANK_REGULAR)),
             {'post_id': post.post_id})
         net.download.assert_called_once_with('example.com')
         posts.update_post_content.assert_called_once_with(post, b'content')
@@ -134,7 +130,7 @@ def test_trying_to_update_non_existing(context_factory, user_factory):
         api.post_api.update_post(
             context_factory(
                 params='whatever',
-                user=user_factory(rank=db.User.RANK_REGULAR)),
+                user=user_factory(rank=model.User.RANK_REGULAR)),
             {'post_id': 1})
 
 
@@ -158,7 +154,7 @@ def test_trying_to_update_field_without_privileges(
             context_factory(
                 params={**params, **{'version': 1}},
                 files=files,
-                user=user_factory(rank=db.User.RANK_ANONYMOUS)),
+                user=user_factory(rank=model.User.RANK_ANONYMOUS)),
             {'post_id': post.post_id})
 
 
@@ -173,5 +169,5 @@ def test_trying_to_create_tags_without_privileges(
         api.post_api.update_post(
             context_factory(
                 params={'tags': ['tag1', 'tag2'], 'version': 1},
-                user=user_factory(rank=db.User.RANK_REGULAR)),
+                user=user_factory(rank=model.User.RANK_REGULAR)),
             {'post_id': post.post_id})
diff --git a/server/szurubooru/tests/api/test_snapshot_retrieving.py b/server/szurubooru/tests/api/test_snapshot_retrieving.py
index 73b6f060..41f0bebc 100644
--- a/server/szurubooru/tests/api/test_snapshot_retrieving.py
+++ b/server/szurubooru/tests/api/test_snapshot_retrieving.py
@@ -1,10 +1,10 @@
 from datetime import datetime
 import pytest
-from szurubooru import api, db, errors
+from szurubooru import api, db, model, errors
 
 
 def snapshot_factory():
-    snapshot = db.Snapshot()
+    snapshot = model.Snapshot()
     snapshot.creation_time = datetime(1999, 1, 1)
     snapshot.resource_type = 'dummy'
     snapshot.resource_pkey = 1
@@ -17,7 +17,7 @@ def snapshot_factory():
 @pytest.fixture(autouse=True)
 def inject_config(config_injector):
     config_injector({
-        'privileges': {'snapshots:list': db.User.RANK_REGULAR},
+        'privileges': {'snapshots:list': model.User.RANK_REGULAR},
     })
 
 
@@ -28,11 +28,11 @@ def test_retrieving_multiple(user_factory, context_factory):
     db.session.flush()
     result = api.snapshot_api.get_snapshots(
         context_factory(
-            params={'query': '', 'page': 1},
-            user=user_factory(rank=db.User.RANK_REGULAR)))
+            params={'query': '', 'offset': 0},
+            user=user_factory(rank=model.User.RANK_REGULAR)))
     assert result['query'] == ''
-    assert result['page'] == 1
-    assert result['pageSize'] == 100
+    assert result['offset'] == 0
+    assert result['limit'] == 100
     assert result['total'] == 2
     assert len(result['results']) == 2
 
@@ -42,5 +42,5 @@ def test_trying_to_retrieve_multiple_without_privileges(
     with pytest.raises(errors.AuthError):
         api.snapshot_api.get_snapshots(
             context_factory(
-                params={'query': '', 'page': 1},
-                user=user_factory(rank=db.User.RANK_ANONYMOUS)))
+                params={'query': '', 'offset': 0},
+                user=user_factory(rank=model.User.RANK_ANONYMOUS)))
diff --git a/server/szurubooru/tests/api/test_tag_category_creating.py b/server/szurubooru/tests/api/test_tag_category_creating.py
index 96afc390..47e8405c 100644
--- a/server/szurubooru/tests/api/test_tag_category_creating.py
+++ b/server/szurubooru/tests/api/test_tag_category_creating.py
@@ -1,6 +1,6 @@
 from unittest.mock import patch
 import pytest
-from szurubooru import api, db, errors
+from szurubooru import api, db, model, errors
 from szurubooru.func import tag_categories, tags, snapshots
 
 
@@ -11,21 +11,20 @@ def _update_category_name(category, name):
 @pytest.fixture(autouse=True)
 def inject_config(config_injector):
     config_injector({
-        'privileges': {'tag_categories:create': db.User.RANK_REGULAR},
+        'privileges': {'tag_categories:create': model.User.RANK_REGULAR},
     })
 
 
 def test_creating_category(
         tag_category_factory, user_factory, context_factory):
-    auth_user = user_factory(rank=db.User.RANK_REGULAR)
+    auth_user = user_factory(rank=model.User.RANK_REGULAR)
     category = tag_category_factory(name='meta')
     db.session.add(category)
 
     with patch('szurubooru.func.tag_categories.create_category'), \
             patch('szurubooru.func.tag_categories.serialize_category'), \
             patch('szurubooru.func.tag_categories.update_category_name'), \
-            patch('szurubooru.func.snapshots.create'), \
-            patch('szurubooru.func.tags.export_to_json'):
+            patch('szurubooru.func.snapshots.create'):
         tag_categories.create_category.return_value = category
         tag_categories.update_category_name.side_effect = _update_category_name
         tag_categories.serialize_category.return_value = 'serialized category'
@@ -35,7 +34,6 @@ def test_creating_category(
         assert result == 'serialized category'
         tag_categories.create_category.assert_called_once_with('meta', 'black')
         snapshots.create.assert_called_once_with(category, auth_user)
-        tags.export_to_json.assert_called_once_with()
 
 
 @pytest.mark.parametrize('field', ['name', 'color'])
@@ -49,7 +47,7 @@ def test_trying_to_omit_mandatory_field(user_factory, context_factory, field):
         api.tag_category_api.create_tag_category(
             context_factory(
                 params=params,
-                user=user_factory(rank=db.User.RANK_REGULAR)))
+                user=user_factory(rank=model.User.RANK_REGULAR)))
 
 
 def test_trying_to_create_without_privileges(user_factory, context_factory):
@@ -57,4 +55,4 @@ def test_trying_to_create_without_privileges(user_factory, context_factory):
         api.tag_category_api.create_tag_category(
             context_factory(
                 params={'name': 'meta', 'color': 'black'},
-                user=user_factory(rank=db.User.RANK_ANONYMOUS)))
+                user=user_factory(rank=model.User.RANK_ANONYMOUS)))
diff --git a/server/szurubooru/tests/api/test_tag_category_deleting.py b/server/szurubooru/tests/api/test_tag_category_deleting.py
index 1f1cde4c..2bee5137 100644
--- a/server/szurubooru/tests/api/test_tag_category_deleting.py
+++ b/server/szurubooru/tests/api/test_tag_category_deleting.py
@@ -1,32 +1,30 @@
 from unittest.mock import patch
 import pytest
-from szurubooru import api, db, errors
+from szurubooru import api, db, model, errors
 from szurubooru.func import tag_categories, tags, snapshots
 
 
 @pytest.fixture(autouse=True)
 def inject_config(config_injector):
     config_injector({
-        'privileges': {'tag_categories:delete': db.User.RANK_REGULAR},
+        'privileges': {'tag_categories:delete': model.User.RANK_REGULAR},
     })
 
 
 def test_deleting(user_factory, tag_category_factory, context_factory):
-    auth_user = user_factory(rank=db.User.RANK_REGULAR)
+    auth_user = user_factory(rank=model.User.RANK_REGULAR)
     category = tag_category_factory(name='category')
     db.session.add(tag_category_factory(name='root'))
     db.session.add(category)
     db.session.flush()
-    with patch('szurubooru.func.snapshots.delete'), \
-            patch('szurubooru.func.tags.export_to_json'):
+    with patch('szurubooru.func.snapshots.delete'):
         result = api.tag_category_api.delete_tag_category(
             context_factory(params={'version': 1}, user=auth_user),
             {'category_name': 'category'})
         assert result == {}
-        assert db.session.query(db.TagCategory).count() == 1
-        assert db.session.query(db.TagCategory).one().name == 'root'
+        assert db.session.query(model.TagCategory).count() == 1
+        assert db.session.query(model.TagCategory).one().name == 'root'
         snapshots.delete.assert_called_once_with(category, auth_user)
-        tags.export_to_json.assert_called_once_with()
 
 
 def test_trying_to_delete_used(
@@ -41,9 +39,9 @@ def test_trying_to_delete_used(
         api.tag_category_api.delete_tag_category(
             context_factory(
                 params={'version': 1},
-                user=user_factory(rank=db.User.RANK_REGULAR)),
+                user=user_factory(rank=model.User.RANK_REGULAR)),
             {'category_name': 'category'})
-    assert db.session.query(db.TagCategory).count() == 1
+    assert db.session.query(model.TagCategory).count() == 1
 
 
 def test_trying_to_delete_last(
@@ -54,14 +52,14 @@ def test_trying_to_delete_last(
         api.tag_category_api.delete_tag_category(
             context_factory(
                 params={'version': 1},
-                user=user_factory(rank=db.User.RANK_REGULAR)),
+                user=user_factory(rank=model.User.RANK_REGULAR)),
             {'category_name': 'root'})
 
 
 def test_trying_to_delete_non_existing(user_factory, context_factory):
     with pytest.raises(tag_categories.TagCategoryNotFoundError):
         api.tag_category_api.delete_tag_category(
-            context_factory(user=user_factory(rank=db.User.RANK_REGULAR)),
+            context_factory(user=user_factory(rank=model.User.RANK_REGULAR)),
             {'category_name': 'bad'})
 
 
@@ -73,6 +71,6 @@ def test_trying_to_delete_without_privileges(
         api.tag_category_api.delete_tag_category(
             context_factory(
                 params={'version': 1},
-                user=user_factory(rank=db.User.RANK_ANONYMOUS)),
+                user=user_factory(rank=model.User.RANK_ANONYMOUS)),
             {'category_name': 'category'})
-    assert db.session.query(db.TagCategory).count() == 1
+    assert db.session.query(model.TagCategory).count() == 1
diff --git a/server/szurubooru/tests/api/test_tag_category_retrieving.py b/server/szurubooru/tests/api/test_tag_category_retrieving.py
index 4f6610b3..0b98d743 100644
--- a/server/szurubooru/tests/api/test_tag_category_retrieving.py
+++ b/server/szurubooru/tests/api/test_tag_category_retrieving.py
@@ -1,5 +1,5 @@
 import pytest
-from szurubooru import api, db, errors
+from szurubooru import api, db, model, errors
 from szurubooru.func import tag_categories
 
 
@@ -7,8 +7,8 @@ from szurubooru.func import tag_categories
 def inject_config(config_injector):
     config_injector({
         'privileges': {
-            'tag_categories:list': db.User.RANK_REGULAR,
-            'tag_categories:view': db.User.RANK_REGULAR,
+            'tag_categories:list': model.User.RANK_REGULAR,
+            'tag_categories:view': model.User.RANK_REGULAR,
         },
     })
 
@@ -21,7 +21,7 @@ def test_retrieving_multiple(
     ])
     db.session.flush()
     result = api.tag_category_api.get_tag_categories(
-        context_factory(user=user_factory(rank=db.User.RANK_REGULAR)))
+        context_factory(user=user_factory(rank=model.User.RANK_REGULAR)))
     assert [cat['name'] for cat in result['results']] == ['c1', 'c2']
 
 
@@ -30,7 +30,7 @@ def test_retrieving_single(
     db.session.add(tag_category_factory(name='cat'))
     db.session.flush()
     result = api.tag_category_api.get_tag_category(
-        context_factory(user=user_factory(rank=db.User.RANK_REGULAR)),
+        context_factory(user=user_factory(rank=model.User.RANK_REGULAR)),
         {'category_name': 'cat'})
     assert result == {
         'name': 'cat',
@@ -44,7 +44,7 @@ def test_retrieving_single(
 def test_trying_to_retrieve_single_non_existing(user_factory, context_factory):
     with pytest.raises(tag_categories.TagCategoryNotFoundError):
         api.tag_category_api.get_tag_category(
-            context_factory(user=user_factory(rank=db.User.RANK_REGULAR)),
+            context_factory(user=user_factory(rank=model.User.RANK_REGULAR)),
             {'category_name': '-'})
 
 
@@ -52,5 +52,5 @@ def test_trying_to_retrieve_single_without_privileges(
         user_factory, context_factory):
     with pytest.raises(errors.AuthError):
         api.tag_category_api.get_tag_category(
-            context_factory(user=user_factory(rank=db.User.RANK_ANONYMOUS)),
+            context_factory(user=user_factory(rank=model.User.RANK_ANONYMOUS)),
             {'category_name': '-'})
diff --git a/server/szurubooru/tests/api/test_tag_category_updating.py b/server/szurubooru/tests/api/test_tag_category_updating.py
index 9dd0f6bb..24a9f6ed 100644
--- a/server/szurubooru/tests/api/test_tag_category_updating.py
+++ b/server/szurubooru/tests/api/test_tag_category_updating.py
@@ -1,6 +1,6 @@
 from unittest.mock import patch
 import pytest
-from szurubooru import api, db, errors
+from szurubooru import api, db, model, errors
 from szurubooru.func import tag_categories, tags, snapshots
 
 
@@ -12,23 +12,22 @@ def _update_category_name(category, name):
 def inject_config(config_injector):
     config_injector({
         'privileges': {
-            'tag_categories:edit:name': db.User.RANK_REGULAR,
-            'tag_categories:edit:color': db.User.RANK_REGULAR,
-            'tag_categories:set_default': db.User.RANK_REGULAR,
+            'tag_categories:edit:name': model.User.RANK_REGULAR,
+            'tag_categories:edit:color': model.User.RANK_REGULAR,
+            'tag_categories:set_default': model.User.RANK_REGULAR,
         },
     })
 
 
 def test_simple_updating(user_factory, tag_category_factory, context_factory):
-    auth_user = user_factory(rank=db.User.RANK_REGULAR)
+    auth_user = user_factory(rank=model.User.RANK_REGULAR)
     category = tag_category_factory(name='name', color='black')
     db.session.add(category)
     db.session.flush()
     with patch('szurubooru.func.tag_categories.serialize_category'), \
             patch('szurubooru.func.tag_categories.update_category_name'), \
             patch('szurubooru.func.tag_categories.update_category_color'), \
-            patch('szurubooru.func.snapshots.modify'), \
-            patch('szurubooru.func.tags.export_to_json'):
+            patch('szurubooru.func.snapshots.modify'):
         tag_categories.update_category_name.side_effect = _update_category_name
         tag_categories.serialize_category.return_value = 'serialized category'
         result = api.tag_category_api.update_tag_category(
@@ -42,7 +41,6 @@ def test_simple_updating(user_factory, tag_category_factory, context_factory):
         tag_categories.update_category_color.assert_called_once_with(
             category, 'white')
         snapshots.modify.assert_called_once_with(category, auth_user)
-        tags.export_to_json.assert_called_once_with()
 
 
 @pytest.mark.parametrize('field', ['name', 'color'])
@@ -56,12 +54,11 @@ def test_omitting_optional_field(
     }
     del params[field]
     with patch('szurubooru.func.tag_categories.serialize_category'), \
-            patch('szurubooru.func.tag_categories.update_category_name'), \
-            patch('szurubooru.func.tags.export_to_json'):
+            patch('szurubooru.func.tag_categories.update_category_name'):
         api.tag_category_api.update_tag_category(
             context_factory(
                 params={**params, **{'version': 1}},
-                user=user_factory(rank=db.User.RANK_REGULAR)),
+                user=user_factory(rank=model.User.RANK_REGULAR)),
             {'category_name': 'name'})
 
 
@@ -70,7 +67,7 @@ def test_trying_to_update_non_existing(user_factory, context_factory):
         api.tag_category_api.update_tag_category(
             context_factory(
                 params={'name': ['dummy']},
-                user=user_factory(rank=db.User.RANK_REGULAR)),
+                user=user_factory(rank=model.User.RANK_REGULAR)),
             {'category_name': 'bad'})
 
 
@@ -86,7 +83,7 @@ def test_trying_to_update_without_privileges(
         api.tag_category_api.update_tag_category(
             context_factory(
                 params={**params, **{'version': 1}},
-                user=user_factory(rank=db.User.RANK_ANONYMOUS)),
+                user=user_factory(rank=model.User.RANK_ANONYMOUS)),
             {'category_name': 'dummy'})
 
 
@@ -95,8 +92,7 @@ def test_set_as_default(user_factory, tag_category_factory, context_factory):
     db.session.add(category)
     db.session.commit()
     with patch('szurubooru.func.tag_categories.serialize_category'), \
-            patch('szurubooru.func.tag_categories.set_default_category'), \
-            patch('szurubooru.func.tags.export_to_json'):
+            patch('szurubooru.func.tag_categories.set_default_category'):
         tag_categories.update_category_name.side_effect = _update_category_name
         tag_categories.serialize_category.return_value = 'serialized category'
         result = api.tag_category_api.set_tag_category_as_default(
@@ -106,7 +102,7 @@ def test_set_as_default(user_factory, tag_category_factory, context_factory):
                     'color': 'white',
                     'version': 1,
                 },
-                user=user_factory(rank=db.User.RANK_REGULAR)),
+                user=user_factory(rank=model.User.RANK_REGULAR)),
             {'category_name': 'name'})
         assert result == 'serialized category'
         tag_categories.set_default_category.assert_called_once_with(category)
diff --git a/server/szurubooru/tests/api/test_tag_creating.py b/server/szurubooru/tests/api/test_tag_creating.py
index dc056280..4cee7101 100644
--- a/server/szurubooru/tests/api/test_tag_creating.py
+++ b/server/szurubooru/tests/api/test_tag_creating.py
@@ -1,22 +1,21 @@
 from unittest.mock import patch
 import pytest
-from szurubooru import api, db, errors
+from szurubooru import api, model, errors
 from szurubooru.func import tags, snapshots
 
 
 @pytest.fixture(autouse=True)
 def inject_config(config_injector):
-    config_injector({'privileges': {'tags:create': db.User.RANK_REGULAR}})
+    config_injector({'privileges': {'tags:create': model.User.RANK_REGULAR}})
 
 
 def test_creating_simple_tags(tag_factory, user_factory, context_factory):
-    auth_user = user_factory(rank=db.User.RANK_REGULAR)
+    auth_user = user_factory(rank=model.User.RANK_REGULAR)
     tag = tag_factory()
     with patch('szurubooru.func.tags.create_tag'), \
             patch('szurubooru.func.tags.get_or_create_tags_by_names'), \
             patch('szurubooru.func.tags.serialize_tag'), \
-            patch('szurubooru.func.snapshots.create'), \
-            patch('szurubooru.func.tags.export_to_json'):
+            patch('szurubooru.func.snapshots.create'):
         tags.get_or_create_tags_by_names.return_value = ([], [])
         tags.create_tag.return_value = tag
         tags.serialize_tag.return_value = 'serialized tag'
@@ -34,7 +33,6 @@ def test_creating_simple_tags(tag_factory, user_factory, context_factory):
         tags.create_tag.assert_called_once_with(
             ['tag1', 'tag2'], 'meta', ['sug1', 'sug2'], ['imp1', 'imp2'])
         snapshots.create.assert_called_once_with(tag, auth_user)
-        tags.export_to_json.assert_called_once_with()
 
 
 @pytest.mark.parametrize('field', ['names', 'category'])
@@ -50,7 +48,7 @@ def test_trying_to_omit_mandatory_field(user_factory, context_factory, field):
         api.tag_api.create_tag(
             context_factory(
                 params=params,
-                user=user_factory(rank=db.User.RANK_REGULAR)))
+                user=user_factory(rank=model.User.RANK_REGULAR)))
 
 
 @pytest.mark.parametrize('field', ['implications', 'suggestions'])
@@ -64,13 +62,12 @@ def test_omitting_optional_field(
     }
     del params[field]
     with patch('szurubooru.func.tags.create_tag'), \
-            patch('szurubooru.func.tags.serialize_tag'), \
-            patch('szurubooru.func.tags.export_to_json'):
+            patch('szurubooru.func.tags.serialize_tag'):
         tags.create_tag.return_value = tag_factory()
         api.tag_api.create_tag(
             context_factory(
                 params=params,
-                user=user_factory(rank=db.User.RANK_REGULAR)))
+                user=user_factory(rank=model.User.RANK_REGULAR)))
 
 
 def test_trying_to_create_tag_without_privileges(
@@ -84,4 +81,4 @@ def test_trying_to_create_tag_without_privileges(
                     'suggestions': ['tag'],
                     'implications': [],
                 },
-                user=user_factory(rank=db.User.RANK_ANONYMOUS)))
+                user=user_factory(rank=model.User.RANK_ANONYMOUS)))
diff --git a/server/szurubooru/tests/api/test_tag_deleting.py b/server/szurubooru/tests/api/test_tag_deleting.py
index a657b02e..a0367f22 100644
--- a/server/szurubooru/tests/api/test_tag_deleting.py
+++ b/server/szurubooru/tests/api/test_tag_deleting.py
@@ -1,28 +1,26 @@
 from unittest.mock import patch
 import pytest
-from szurubooru import api, db, errors
+from szurubooru import api, db, model, errors
 from szurubooru.func import tags, snapshots
 
 
 @pytest.fixture(autouse=True)
 def inject_config(config_injector):
-    config_injector({'privileges': {'tags:delete': db.User.RANK_REGULAR}})
+    config_injector({'privileges': {'tags:delete': model.User.RANK_REGULAR}})
 
 
 def test_deleting(user_factory, tag_factory, context_factory):
-    auth_user = user_factory(rank=db.User.RANK_REGULAR)
+    auth_user = user_factory(rank=model.User.RANK_REGULAR)
     tag = tag_factory(names=['tag'])
     db.session.add(tag)
     db.session.commit()
-    with patch('szurubooru.func.tags.export_to_json'), \
-            patch('szurubooru.func.snapshots.delete'):
+    with patch('szurubooru.func.snapshots.delete'):
         result = api.tag_api.delete_tag(
             context_factory(params={'version': 1}, user=auth_user),
             {'tag_name': 'tag'})
         assert result == {}
-        assert db.session.query(db.Tag).count() == 0
+        assert db.session.query(model.Tag).count() == 0
         snapshots.delete.assert_called_once_with(tag, auth_user)
-        tags.export_to_json.assert_called_once_with()
 
 
 def test_deleting_used(
@@ -32,21 +30,20 @@ def test_deleting_used(
     post.tags.append(tag)
     db.session.add_all([tag, post])
     db.session.commit()
-    with patch('szurubooru.func.tags.export_to_json'):
-        api.tag_api.delete_tag(
-            context_factory(
-                params={'version': 1},
-                user=user_factory(rank=db.User.RANK_REGULAR)),
-            {'tag_name': 'tag'})
-        db.session.refresh(post)
-        assert db.session.query(db.Tag).count() == 0
-        assert post.tags == []
+    api.tag_api.delete_tag(
+        context_factory(
+            params={'version': 1},
+            user=user_factory(rank=model.User.RANK_REGULAR)),
+        {'tag_name': 'tag'})
+    db.session.refresh(post)
+    assert db.session.query(model.Tag).count() == 0
+    assert post.tags == []
 
 
 def test_trying_to_delete_non_existing(user_factory, context_factory):
     with pytest.raises(tags.TagNotFoundError):
         api.tag_api.delete_tag(
-            context_factory(user=user_factory(rank=db.User.RANK_REGULAR)),
+            context_factory(user=user_factory(rank=model.User.RANK_REGULAR)),
             {'tag_name': 'bad'})
 
 
@@ -58,6 +55,6 @@ def test_trying_to_delete_without_privileges(
         api.tag_api.delete_tag(
             context_factory(
                 params={'version': 1},
-                user=user_factory(rank=db.User.RANK_ANONYMOUS)),
+                user=user_factory(rank=model.User.RANK_ANONYMOUS)),
             {'tag_name': 'tag'})
-    assert db.session.query(db.Tag).count() == 1
+    assert db.session.query(model.Tag).count() == 1
diff --git a/server/szurubooru/tests/api/test_tag_merging.py b/server/szurubooru/tests/api/test_tag_merging.py
index a448c9c4..671e2e45 100644
--- a/server/szurubooru/tests/api/test_tag_merging.py
+++ b/server/szurubooru/tests/api/test_tag_merging.py
@@ -1,16 +1,16 @@
 from unittest.mock import patch
 import pytest
-from szurubooru import api, db, errors
+from szurubooru import api, db, model, errors
 from szurubooru.func import tags, snapshots
 
 
 @pytest.fixture(autouse=True)
 def inject_config(config_injector):
-    config_injector({'privileges': {'tags:merge': db.User.RANK_REGULAR}})
+    config_injector({'privileges': {'tags:merge': model.User.RANK_REGULAR}})
 
 
 def test_merging(user_factory, tag_factory, context_factory, post_factory):
-    auth_user = user_factory(rank=db.User.RANK_REGULAR)
+    auth_user = user_factory(rank=model.User.RANK_REGULAR)
     source_tag = tag_factory(names=['source'])
     target_tag = tag_factory(names=['target'])
     db.session.add_all([source_tag, target_tag])
@@ -25,8 +25,7 @@ def test_merging(user_factory, tag_factory, context_factory, post_factory):
     assert target_tag.post_count == 0
     with patch('szurubooru.func.tags.serialize_tag'), \
             patch('szurubooru.func.tags.merge_tags'), \
-            patch('szurubooru.func.snapshots.merge'), \
-            patch('szurubooru.func.tags.export_to_json'):
+            patch('szurubooru.func.snapshots.merge'):
         api.tag_api.merge_tags(
             context_factory(
                 params={
@@ -39,7 +38,6 @@ def test_merging(user_factory, tag_factory, context_factory, post_factory):
         tags.merge_tags.called_once_with(source_tag, target_tag)
         snapshots.merge.assert_called_once_with(
             source_tag, target_tag, auth_user)
-        tags.export_to_json.assert_called_once_with()
 
 
 @pytest.mark.parametrize(
@@ -62,7 +60,7 @@ def test_trying_to_omit_mandatory_field(
         api.tag_api.merge_tags(
             context_factory(
                 params=params,
-                user=user_factory(rank=db.User.RANK_REGULAR)))
+                user=user_factory(rank=model.User.RANK_REGULAR)))
 
 
 def test_trying_to_merge_non_existing(
@@ -73,12 +71,12 @@ def test_trying_to_merge_non_existing(
         api.tag_api.merge_tags(
             context_factory(
                 params={'remove': 'good', 'mergeTo': 'bad'},
-                user=user_factory(rank=db.User.RANK_REGULAR)))
+                user=user_factory(rank=model.User.RANK_REGULAR)))
     with pytest.raises(tags.TagNotFoundError):
         api.tag_api.merge_tags(
             context_factory(
                 params={'remove': 'bad', 'mergeTo': 'good'},
-                user=user_factory(rank=db.User.RANK_REGULAR)))
+                user=user_factory(rank=model.User.RANK_REGULAR)))
 
 
 def test_trying_to_merge_without_privileges(
@@ -97,4 +95,4 @@ def test_trying_to_merge_without_privileges(
                     'remove': 'source',
                     'mergeTo': 'target',
                 },
-                user=user_factory(rank=db.User.RANK_ANONYMOUS)))
+                user=user_factory(rank=model.User.RANK_ANONYMOUS)))
diff --git a/server/szurubooru/tests/api/test_tag_retrieving.py b/server/szurubooru/tests/api/test_tag_retrieving.py
index 86837f97..43a0766d 100644
--- a/server/szurubooru/tests/api/test_tag_retrieving.py
+++ b/server/szurubooru/tests/api/test_tag_retrieving.py
@@ -1,6 +1,6 @@
 from unittest.mock import patch
 import pytest
-from szurubooru import api, db, errors
+from szurubooru import api, db, model, errors
 from szurubooru.func import tags
 
 
@@ -8,8 +8,8 @@ from szurubooru.func import tags
 def inject_config(config_injector):
     config_injector({
         'privileges': {
-            'tags:list': db.User.RANK_REGULAR,
-            'tags:view': db.User.RANK_REGULAR,
+            'tags:list': model.User.RANK_REGULAR,
+            'tags:view': model.User.RANK_REGULAR,
         },
     })
 
@@ -23,12 +23,12 @@ def test_retrieving_multiple(user_factory, tag_factory, context_factory):
         tags.serialize_tag.return_value = 'serialized tag'
         result = api.tag_api.get_tags(
             context_factory(
-                params={'query': '', 'page': 1},
-                user=user_factory(rank=db.User.RANK_REGULAR)))
+                params={'query': '', 'offset': 0},
+                user=user_factory(rank=model.User.RANK_REGULAR)))
         assert result == {
             'query': '',
-            'page': 1,
-            'pageSize': 100,
+            'offset': 0,
+            'limit': 100,
             'total': 2,
             'results': ['serialized tag', 'serialized tag'],
         }
@@ -39,8 +39,8 @@ def test_trying_to_retrieve_multiple_without_privileges(
     with pytest.raises(errors.AuthError):
         api.tag_api.get_tags(
             context_factory(
-                params={'query': '', 'page': 1},
-                user=user_factory(rank=db.User.RANK_ANONYMOUS)))
+                params={'query': '', 'offset': 0},
+                user=user_factory(rank=model.User.RANK_ANONYMOUS)))
 
 
 def test_retrieving_single(user_factory, tag_factory, context_factory):
@@ -50,7 +50,7 @@ def test_retrieving_single(user_factory, tag_factory, context_factory):
         tags.serialize_tag.return_value = 'serialized tag'
         result = api.tag_api.get_tag(
             context_factory(
-                user=user_factory(rank=db.User.RANK_REGULAR)),
+                user=user_factory(rank=model.User.RANK_REGULAR)),
             {'tag_name': 'tag'})
         assert result == 'serialized tag'
 
@@ -59,7 +59,7 @@ def test_trying_to_retrieve_single_non_existing(user_factory, context_factory):
     with pytest.raises(tags.TagNotFoundError):
         api.tag_api.get_tag(
             context_factory(
-                user=user_factory(rank=db.User.RANK_REGULAR)),
+                user=user_factory(rank=model.User.RANK_REGULAR)),
             {'tag_name': '-'})
 
 
@@ -68,5 +68,5 @@ def test_trying_to_retrieve_single_without_privileges(
     with pytest.raises(errors.AuthError):
         api.tag_api.get_tag(
             context_factory(
-                user=user_factory(rank=db.User.RANK_ANONYMOUS)),
+                user=user_factory(rank=model.User.RANK_ANONYMOUS)),
             {'tag_name': '-'})
diff --git a/server/szurubooru/tests/api/test_tag_siblings_retrieving.py b/server/szurubooru/tests/api/test_tag_siblings_retrieving.py
index 6ba00868..fc2f5aaa 100644
--- a/server/szurubooru/tests/api/test_tag_siblings_retrieving.py
+++ b/server/szurubooru/tests/api/test_tag_siblings_retrieving.py
@@ -1,12 +1,12 @@
 from unittest.mock import patch
 import pytest
-from szurubooru import api, db, errors
+from szurubooru import api, db, model, errors
 from szurubooru.func import tags
 
 
 @pytest.fixture(autouse=True)
 def inject_config(config_injector):
-    config_injector({'privileges': {'tags:view': db.User.RANK_REGULAR}})
+    config_injector({'privileges': {'tags:view': model.User.RANK_REGULAR}})
 
 
 def test_get_tag_siblings(user_factory, tag_factory, context_factory):
@@ -14,15 +14,14 @@ def test_get_tag_siblings(user_factory, tag_factory, context_factory):
     db.session.flush()
     with patch('szurubooru.func.tags.serialize_tag'), \
             patch('szurubooru.func.tags.get_tag_siblings'):
-        tags.serialize_tag.side_effect = \
-            lambda tag, *args, **kwargs: \
-                'serialized tag %s' % tag.names[0].name
+        tags.serialize_tag.side_effect = lambda tag, *args, **kwargs: \
+            'serialized tag %s' % tag.names[0].name
         tags.get_tag_siblings.return_value = [
             (tag_factory(names=['sib1']), 1),
             (tag_factory(names=['sib2']), 3),
         ]
         result = api.tag_api.get_tag_siblings(
-            context_factory(user=user_factory(rank=db.User.RANK_REGULAR)),
+            context_factory(user=user_factory(rank=model.User.RANK_REGULAR)),
             {'tag_name': 'tag'})
         assert result == {
             'results': [
@@ -41,12 +40,12 @@ def test_get_tag_siblings(user_factory, tag_factory, context_factory):
 def test_trying_to_retrieve_non_existing(user_factory, context_factory):
     with pytest.raises(tags.TagNotFoundError):
         api.tag_api.get_tag_siblings(
-            context_factory(user=user_factory(rank=db.User.RANK_REGULAR)),
+            context_factory(user=user_factory(rank=model.User.RANK_REGULAR)),
             {'tag_name': '-'})
 
 
 def test_trying_to_retrieve_without_privileges(user_factory, context_factory):
     with pytest.raises(errors.AuthError):
         api.tag_api.get_tag_siblings(
-            context_factory(user=user_factory(rank=db.User.RANK_ANONYMOUS)),
+            context_factory(user=user_factory(rank=model.User.RANK_ANONYMOUS)),
             {'tag_name': '-'})
diff --git a/server/szurubooru/tests/api/test_tag_updating.py b/server/szurubooru/tests/api/test_tag_updating.py
index 3fe69bd8..0b8aa703 100644
--- a/server/szurubooru/tests/api/test_tag_updating.py
+++ b/server/szurubooru/tests/api/test_tag_updating.py
@@ -1,6 +1,6 @@
 from unittest.mock import patch
 import pytest
-from szurubooru import api, db, errors
+from szurubooru import api, db, model, errors
 from szurubooru.func import tags, snapshots
 
 
@@ -8,18 +8,18 @@ from szurubooru.func import tags, snapshots
 def inject_config(config_injector):
     config_injector({
         'privileges': {
-            'tags:create': db.User.RANK_REGULAR,
-            'tags:edit:names': db.User.RANK_REGULAR,
-            'tags:edit:category': db.User.RANK_REGULAR,
-            'tags:edit:description': db.User.RANK_REGULAR,
-            'tags:edit:suggestions': db.User.RANK_REGULAR,
-            'tags:edit:implications': db.User.RANK_REGULAR,
+            'tags:create': model.User.RANK_REGULAR,
+            'tags:edit:names': model.User.RANK_REGULAR,
+            'tags:edit:category': model.User.RANK_REGULAR,
+            'tags:edit:description': model.User.RANK_REGULAR,
+            'tags:edit:suggestions': model.User.RANK_REGULAR,
+            'tags:edit:implications': model.User.RANK_REGULAR,
         },
     })
 
 
 def test_simple_updating(user_factory, tag_factory, context_factory):
-    auth_user = user_factory(rank=db.User.RANK_REGULAR)
+    auth_user = user_factory(rank=model.User.RANK_REGULAR)
     tag = tag_factory(names=['tag1', 'tag2'])
     db.session.add(tag)
     db.session.commit()
@@ -31,8 +31,7 @@ def test_simple_updating(user_factory, tag_factory, context_factory):
             patch('szurubooru.func.tags.update_tag_suggestions'), \
             patch('szurubooru.func.tags.update_tag_implications'), \
             patch('szurubooru.func.tags.serialize_tag'), \
-            patch('szurubooru.func.snapshots.modify'), \
-            patch('szurubooru.func.tags.export_to_json'):
+            patch('szurubooru.func.snapshots.modify'):
         tags.get_or_create_tags_by_names.return_value = ([], [])
         tags.serialize_tag.return_value = 'serialized tag'
         result = api.tag_api.update_tag(
@@ -56,10 +55,8 @@ def test_simple_updating(user_factory, tag_factory, context_factory):
             tag, ['sug1', 'sug2'])
         tags.update_tag_implications.assert_called_once_with(
             tag, ['imp1', 'imp2'])
-        tags.serialize_tag.assert_called_once_with(
-            tag, options=None)
+        tags.serialize_tag.assert_called_once_with(tag, options=[])
         snapshots.modify.assert_called_once_with(tag, auth_user)
-        tags.export_to_json.assert_called_once_with()
 
 
 @pytest.mark.parametrize(
@@ -85,12 +82,11 @@ def test_omitting_optional_field(
     with patch('szurubooru.func.tags.create_tag'), \
             patch('szurubooru.func.tags.update_tag_names'), \
             patch('szurubooru.func.tags.update_tag_category_name'), \
-            patch('szurubooru.func.tags.serialize_tag'), \
-            patch('szurubooru.func.tags.export_to_json'):
+            patch('szurubooru.func.tags.serialize_tag'):
         api.tag_api.update_tag(
             context_factory(
                 params={**params, **{'version': 1}},
-                user=user_factory(rank=db.User.RANK_REGULAR)),
+                user=user_factory(rank=model.User.RANK_REGULAR)),
             {'tag_name': 'tag'})
 
 
@@ -99,7 +95,7 @@ def test_trying_to_update_non_existing(user_factory, context_factory):
         api.tag_api.update_tag(
             context_factory(
                 params={'names': ['dummy']},
-                user=user_factory(rank=db.User.RANK_REGULAR)),
+                user=user_factory(rank=model.User.RANK_REGULAR)),
             {'tag_name': 'tag1'})
 
 
@@ -117,7 +113,7 @@ def test_trying_to_update_without_privileges(
         api.tag_api.update_tag(
             context_factory(
                 params={**params, **{'version': 1}},
-                user=user_factory(rank=db.User.RANK_ANONYMOUS)),
+                user=user_factory(rank=model.User.RANK_ANONYMOUS)),
             {'tag_name': 'tag'})
 
 
@@ -127,9 +123,9 @@ def test_trying_to_create_tags_without_privileges(
     db.session.add(tag)
     db.session.commit()
     config_injector({'privileges': {
-        'tags:create': db.User.RANK_ADMINISTRATOR,
-        'tags:edit:suggestions': db.User.RANK_REGULAR,
-        'tags:edit:implications': db.User.RANK_REGULAR,
+        'tags:create': model.User.RANK_ADMINISTRATOR,
+        'tags:edit:suggestions': model.User.RANK_REGULAR,
+        'tags:edit:implications': model.User.RANK_REGULAR,
     }})
     with patch('szurubooru.func.tags.get_or_create_tags_by_names'):
         tags.get_or_create_tags_by_names.return_value = ([], ['new-tag'])
@@ -137,12 +133,12 @@ def test_trying_to_create_tags_without_privileges(
             api.tag_api.update_tag(
                 context_factory(
                     params={'suggestions': ['tag1', 'tag2'], 'version': 1},
-                    user=user_factory(rank=db.User.RANK_REGULAR)),
+                    user=user_factory(rank=model.User.RANK_REGULAR)),
                 {'tag_name': 'tag'})
         db.session.rollback()
         with pytest.raises(errors.AuthError):
             api.tag_api.update_tag(
                 context_factory(
                     params={'implications': ['tag1', 'tag2'], 'version': 1},
-                    user=user_factory(rank=db.User.RANK_REGULAR)),
+                    user=user_factory(rank=model.User.RANK_REGULAR)),
                 {'tag_name': 'tag'})
diff --git a/server/szurubooru/tests/api/test_user_creating.py b/server/szurubooru/tests/api/test_user_creating.py
index 8b583b6e..699bfefb 100644
--- a/server/szurubooru/tests/api/test_user_creating.py
+++ b/server/szurubooru/tests/api/test_user_creating.py
@@ -1,12 +1,12 @@
 from unittest.mock import patch
 import pytest
-from szurubooru import api, db, errors
+from szurubooru import api, model, errors
 from szurubooru.func import users
 
 
 @pytest.fixture(autouse=True)
 def inject_config(config_injector):
-    config_injector({'privileges': {'users:create': 'regular'}})
+    config_injector({'privileges': {'users:create:self': 'regular'}})
 
 
 def test_creating_user(user_factory, context_factory, fake_datetime):
@@ -31,7 +31,7 @@ def test_creating_user(user_factory, context_factory, fake_datetime):
                     'avatarStyle': 'manual',
                 },
                 files={'avatar': b'...'},
-                user=user_factory(rank=db.User.RANK_REGULAR)))
+                user=user_factory(rank=model.User.RANK_REGULAR)))
         assert result == 'serialized user'
         users.create_user.assert_called_once_with(
             'chewie1', 'oks', 'asd@asd.asd')
@@ -50,7 +50,7 @@ def test_trying_to_omit_mandatory_field(user_factory, context_factory, field):
         'password': 'oks',
     }
     user = user_factory()
-    auth_user = user_factory(rank=db.User.RANK_REGULAR)
+    auth_user = user_factory(rank=model.User.RANK_REGULAR)
     del params[field]
     with patch('szurubooru.func.users.create_user'), \
             pytest.raises(errors.MissingRequiredParameterError):
@@ -70,7 +70,7 @@ def test_omitting_optional_field(user_factory, context_factory, field):
     }
     del params[field]
     user = user_factory()
-    auth_user = user_factory(rank=db.User.RANK_MODERATOR)
+    auth_user = user_factory(rank=model.User.RANK_MODERATOR)
     with patch('szurubooru.func.users.create_user'), \
             patch('szurubooru.func.users.update_user_avatar'), \
             patch('szurubooru.func.users.serialize_user'):
@@ -84,4 +84,4 @@ def test_trying_to_create_user_without_privileges(
     with pytest.raises(errors.AuthError):
         api.user_api.create_user(context_factory(
             params='whatever',
-            user=user_factory(rank=db.User.RANK_ANONYMOUS)))
+            user=user_factory(rank=model.User.RANK_ANONYMOUS)))
diff --git a/server/szurubooru/tests/api/test_user_deleting.py b/server/szurubooru/tests/api/test_user_deleting.py
index 9dd87764..2bd53e2b 100644
--- a/server/szurubooru/tests/api/test_user_deleting.py
+++ b/server/szurubooru/tests/api/test_user_deleting.py
@@ -1,5 +1,5 @@
 import pytest
-from szurubooru import api, db, errors
+from szurubooru import api, db, model, errors
 from szurubooru.func import users
 
 
@@ -7,45 +7,45 @@ from szurubooru.func import users
 def inject_config(config_injector):
     config_injector({
         'privileges': {
-            'users:delete:self': db.User.RANK_REGULAR,
-            'users:delete:any': db.User.RANK_MODERATOR,
+            'users:delete:self': model.User.RANK_REGULAR,
+            'users:delete:any': model.User.RANK_MODERATOR,
         },
     })
 
 
 def test_deleting_oneself(user_factory, context_factory):
-    user = user_factory(name='u', rank=db.User.RANK_REGULAR)
+    user = user_factory(name='u', rank=model.User.RANK_REGULAR)
     db.session.add(user)
     db.session.commit()
     result = api.user_api.delete_user(
         context_factory(
             params={'version': 1}, user=user), {'user_name': 'u'})
     assert result == {}
-    assert db.session.query(db.User).count() == 0
+    assert db.session.query(model.User).count() == 0
 
 
 def test_deleting_someone_else(user_factory, context_factory):
-    user1 = user_factory(name='u1', rank=db.User.RANK_REGULAR)
-    user2 = user_factory(name='u2', rank=db.User.RANK_MODERATOR)
+    user1 = user_factory(name='u1', rank=model.User.RANK_REGULAR)
+    user2 = user_factory(name='u2', rank=model.User.RANK_MODERATOR)
     db.session.add_all([user1, user2])
     db.session.commit()
     api.user_api.delete_user(
         context_factory(
             params={'version': 1}, user=user2), {'user_name': 'u1'})
-    assert db.session.query(db.User).count() == 1
+    assert db.session.query(model.User).count() == 1
 
 
 def test_trying_to_delete_someone_else_without_privileges(
         user_factory, context_factory):
-    user1 = user_factory(name='u1', rank=db.User.RANK_REGULAR)
-    user2 = user_factory(name='u2', rank=db.User.RANK_REGULAR)
+    user1 = user_factory(name='u1', rank=model.User.RANK_REGULAR)
+    user2 = user_factory(name='u2', rank=model.User.RANK_REGULAR)
     db.session.add_all([user1, user2])
     db.session.commit()
     with pytest.raises(errors.AuthError):
         api.user_api.delete_user(
             context_factory(
                 params={'version': 1}, user=user2), {'user_name': 'u1'})
-    assert db.session.query(db.User).count() == 2
+    assert db.session.query(model.User).count() == 2
 
 
 def test_trying_to_delete_non_existing(user_factory, context_factory):
@@ -53,5 +53,5 @@ def test_trying_to_delete_non_existing(user_factory, context_factory):
         api.user_api.delete_user(
             context_factory(
                 params={'version': 1},
-                user=user_factory(rank=db.User.RANK_REGULAR)),
+                user=user_factory(rank=model.User.RANK_REGULAR)),
             {'user_name': 'bad'})
diff --git a/server/szurubooru/tests/api/test_user_retrieving.py b/server/szurubooru/tests/api/test_user_retrieving.py
index 6400e0d4..2e797e87 100644
--- a/server/szurubooru/tests/api/test_user_retrieving.py
+++ b/server/szurubooru/tests/api/test_user_retrieving.py
@@ -1,6 +1,6 @@
 from unittest.mock import patch
 import pytest
-from szurubooru import api, db, errors
+from szurubooru import api, db, model, errors
 from szurubooru.func import users
 
 
@@ -8,16 +8,16 @@ from szurubooru.func import users
 def inject_config(config_injector):
     config_injector({
         'privileges': {
-            'users:list': db.User.RANK_REGULAR,
-            'users:view': db.User.RANK_REGULAR,
-            'users:edit:any:email': db.User.RANK_MODERATOR,
+            'users:list': model.User.RANK_REGULAR,
+            'users:view': model.User.RANK_REGULAR,
+            'users:edit:any:email': model.User.RANK_MODERATOR,
         },
     })
 
 
 def test_retrieving_multiple(user_factory, context_factory):
-    user1 = user_factory(name='u1', rank=db.User.RANK_MODERATOR)
-    user2 = user_factory(name='u2', rank=db.User.RANK_MODERATOR)
+    user1 = user_factory(name='u1', rank=model.User.RANK_MODERATOR)
+    user2 = user_factory(name='u2', rank=model.User.RANK_MODERATOR)
     db.session.add_all([user1, user2])
     db.session.flush()
     with patch('szurubooru.func.users.serialize_user'):
@@ -25,11 +25,11 @@ def test_retrieving_multiple(user_factory, context_factory):
         result = api.user_api.get_users(
             context_factory(
                 params={'query': '', 'page': 1},
-                user=user_factory(rank=db.User.RANK_REGULAR)))
+                user=user_factory(rank=model.User.RANK_REGULAR)))
         assert result == {
             'query': '',
-            'page': 1,
-            'pageSize': 100,
+            'offset': 0,
+            'limit': 100,
             'total': 2,
             'results': ['serialized user', 'serialized user'],
         }
@@ -41,12 +41,12 @@ def test_trying_to_retrieve_multiple_without_privileges(
         api.user_api.get_users(
             context_factory(
                 params={'query': '', 'page': 1},
-                user=user_factory(rank=db.User.RANK_ANONYMOUS)))
+                user=user_factory(rank=model.User.RANK_ANONYMOUS)))
 
 
 def test_retrieving_single(user_factory, context_factory):
-    user = user_factory(name='u1', rank=db.User.RANK_REGULAR)
-    auth_user = user_factory(rank=db.User.RANK_REGULAR)
+    user = user_factory(name='u1', rank=model.User.RANK_REGULAR)
+    auth_user = user_factory(rank=model.User.RANK_REGULAR)
     db.session.add(user)
     db.session.flush()
     with patch('szurubooru.func.users.serialize_user'):
@@ -57,7 +57,7 @@ def test_retrieving_single(user_factory, context_factory):
 
 
 def test_trying_to_retrieve_single_non_existing(user_factory, context_factory):
-    auth_user = user_factory(rank=db.User.RANK_REGULAR)
+    auth_user = user_factory(rank=model.User.RANK_REGULAR)
     with pytest.raises(users.UserNotFoundError):
         api.user_api.get_user(
             context_factory(user=auth_user), {'user_name': '-'})
@@ -65,8 +65,8 @@ def test_trying_to_retrieve_single_non_existing(user_factory, context_factory):
 
 def test_trying_to_retrieve_single_without_privileges(
         user_factory, context_factory):
-    auth_user = user_factory(rank=db.User.RANK_ANONYMOUS)
-    db.session.add(user_factory(name='u1', rank=db.User.RANK_REGULAR))
+    auth_user = user_factory(rank=model.User.RANK_ANONYMOUS)
+    db.session.add(user_factory(name='u1', rank=model.User.RANK_REGULAR))
     db.session.flush()
     with pytest.raises(errors.AuthError):
         api.user_api.get_user(
diff --git a/server/szurubooru/tests/api/test_user_token_creating.py b/server/szurubooru/tests/api/test_user_token_creating.py
new file mode 100644
index 00000000..f550f63f
--- /dev/null
+++ b/server/szurubooru/tests/api/test_user_token_creating.py
@@ -0,0 +1,29 @@
+from unittest.mock import patch
+import pytest
+from szurubooru import api
+from szurubooru.func import user_tokens, users
+
+
+@pytest.fixture(autouse=True)
+def inject_config(config_injector):
+    config_injector({'privileges': {'user_tokens:create:self': 'regular'}})
+
+
+def test_creating_user_token(
+        user_token_factory, context_factory, fake_datetime):
+    user_token = user_token_factory()
+    with patch('szurubooru.func.user_tokens.create_user_token'), \
+            patch('szurubooru.func.user_tokens.serialize_user_token'), \
+            patch('szurubooru.func.users.get_user_by_name'), \
+            fake_datetime('1969-02-12'):
+        users.get_user_by_name.return_value = user_token.user
+        user_tokens.serialize_user_token.return_value = 'serialized user token'
+        user_tokens.create_user_token.return_value = user_token
+        result = api.user_token_api.create_user_token(
+            context_factory(user=user_token.user),
+            {
+                'user_name': user_token.user.name
+            })
+        assert result == 'serialized user token'
+        user_tokens.create_user_token.assert_called_once_with(
+            user_token.user, True)
diff --git a/server/szurubooru/tests/api/test_user_token_deleting.py b/server/szurubooru/tests/api/test_user_token_deleting.py
new file mode 100644
index 00000000..85341522
--- /dev/null
+++ b/server/szurubooru/tests/api/test_user_token_deleting.py
@@ -0,0 +1,30 @@
+from unittest.mock import patch
+import pytest
+from szurubooru import api, db
+from szurubooru.func import user_tokens, users
+
+
+@pytest.fixture(autouse=True)
+def inject_config(config_injector):
+    config_injector({'privileges': {'user_tokens:delete:self': 'regular'}})
+
+
+def test_deleting_user_token(
+        user_token_factory, context_factory, fake_datetime):
+    user_token = user_token_factory()
+    db.session.add(user_token)
+    db.session.commit()
+    with patch('szurubooru.func.user_tokens.get_by_user_and_token'), \
+            patch('szurubooru.func.users.get_user_by_name'), \
+            fake_datetime('1969-02-12'):
+        users.get_user_by_name.return_value = user_token.user
+        user_tokens.get_by_user_and_token.return_value = user_token
+        result = api.user_token_api.delete_user_token(
+            context_factory(user=user_token.user),
+            {
+                'user_name': user_token.user.name,
+                'user_token': user_token.token
+            })
+        assert result == {}
+        user_tokens.get_by_user_and_token.assert_called_once_with(
+            user_token.user, user_token.token)
diff --git a/server/szurubooru/tests/api/test_user_token_retrieving.py b/server/szurubooru/tests/api/test_user_token_retrieving.py
new file mode 100644
index 00000000..01b25342
--- /dev/null
+++ b/server/szurubooru/tests/api/test_user_token_retrieving.py
@@ -0,0 +1,31 @@
+from unittest.mock import patch
+import pytest
+from szurubooru import api
+from szurubooru.func import user_tokens, users
+
+
+@pytest.fixture(autouse=True)
+def inject_config(config_injector):
+    config_injector({'privileges': {'user_tokens:list:self': 'regular'}})
+
+
+def test_retrieving_user_tokens(
+        user_token_factory, context_factory, fake_datetime):
+    user_token1 = user_token_factory()
+    user_token2 = user_token_factory(user=user_token1.user)
+    user_token3 = user_token_factory(user=user_token1.user)
+    with patch('szurubooru.func.user_tokens.get_user_tokens'), \
+            patch('szurubooru.func.user_tokens.serialize_user_token'), \
+            patch('szurubooru.func.users.get_user_by_name'), \
+            fake_datetime('1969-02-12'):
+        users.get_user_by_name.return_value = user_token1.user
+        user_tokens.serialize_user_token.return_value = 'serialized user token'
+        user_tokens.get_user_tokens.return_value = [user_token1, user_token2,
+                                                    user_token3]
+        result = api.user_token_api.get_user_tokens(
+            context_factory(user=user_token1.user),
+            {
+                'user_name': user_token1.user.name
+            })
+        assert result == {'results': ['serialized user token'] * 3}
+        user_tokens.get_user_tokens.assert_called_once_with(user_token1.user)
diff --git a/server/szurubooru/tests/api/test_user_token_updating.py b/server/szurubooru/tests/api/test_user_token_updating.py
new file mode 100644
index 00000000..bf725a35
--- /dev/null
+++ b/server/szurubooru/tests/api/test_user_token_updating.py
@@ -0,0 +1,42 @@
+from unittest.mock import patch
+import pytest
+from szurubooru import api, db
+from szurubooru.func import user_tokens, users
+
+
+@pytest.fixture(autouse=True)
+def inject_config(config_injector):
+    config_injector({'privileges': {'user_tokens:edit:self': 'regular'}})
+
+
+def test_edit_user_token(user_token_factory, context_factory, fake_datetime):
+    user_token = user_token_factory()
+    db.session.add(user_token)
+    db.session.commit()
+    with patch('szurubooru.func.user_tokens.get_by_user_and_token'), \
+            patch('szurubooru.func.user_tokens.update_user_token_enabled'), \
+            patch('szurubooru.func.user_tokens.update_user_token_edit_time'), \
+            patch('szurubooru.func.user_tokens.serialize_user_token'), \
+            patch('szurubooru.func.users.get_user_by_name'), \
+            fake_datetime('1969-02-12'):
+        users.get_user_by_name.return_value = user_token.user
+        user_tokens.serialize_user_token.return_value = 'serialized user token'
+        user_tokens.get_by_user_and_token.return_value = user_token
+        result = api.user_token_api.update_user_token(
+            context_factory(
+                params={
+                    'version': user_token.version,
+                    'enabled': False,
+                },
+                user=user_token.user),
+            {
+                'user_name': user_token.user.name,
+                'user_token': user_token.token
+            })
+        assert result == 'serialized user token'
+        user_tokens.get_by_user_and_token.assert_called_once_with(
+            user_token.user, user_token.token)
+        user_tokens.update_user_token_enabled.assert_called_once_with(
+            user_token, False)
+        user_tokens.update_user_token_edit_time.assert_called_once_with(
+            user_token)
diff --git a/server/szurubooru/tests/api/test_user_updating.py b/server/szurubooru/tests/api/test_user_updating.py
index 921b2697..af750493 100644
--- a/server/szurubooru/tests/api/test_user_updating.py
+++ b/server/szurubooru/tests/api/test_user_updating.py
@@ -1,6 +1,6 @@
 from unittest.mock import patch
 import pytest
-from szurubooru import api, db, errors
+from szurubooru import api, db, model, errors
 from szurubooru.func import users
 
 
@@ -8,23 +8,23 @@ from szurubooru.func import users
 def inject_config(config_injector):
     config_injector({
         'privileges': {
-            'users:edit:self:name': db.User.RANK_REGULAR,
-            'users:edit:self:pass': db.User.RANK_REGULAR,
-            'users:edit:self:email': db.User.RANK_REGULAR,
-            'users:edit:self:rank': db.User.RANK_MODERATOR,
-            'users:edit:self:avatar': db.User.RANK_MODERATOR,
-            'users:edit:any:name': db.User.RANK_MODERATOR,
-            'users:edit:any:pass': db.User.RANK_MODERATOR,
-            'users:edit:any:email': db.User.RANK_MODERATOR,
-            'users:edit:any:rank': db.User.RANK_ADMINISTRATOR,
-            'users:edit:any:avatar': db.User.RANK_ADMINISTRATOR,
+            'users:edit:self:name': model.User.RANK_REGULAR,
+            'users:edit:self:pass': model.User.RANK_REGULAR,
+            'users:edit:self:email': model.User.RANK_REGULAR,
+            'users:edit:self:rank': model.User.RANK_MODERATOR,
+            'users:edit:self:avatar': model.User.RANK_MODERATOR,
+            'users:edit:any:name': model.User.RANK_MODERATOR,
+            'users:edit:any:pass': model.User.RANK_MODERATOR,
+            'users:edit:any:email': model.User.RANK_MODERATOR,
+            'users:edit:any:rank': model.User.RANK_ADMINISTRATOR,
+            'users:edit:any:avatar': model.User.RANK_ADMINISTRATOR,
         },
     })
 
 
 def test_updating_user(context_factory, user_factory):
-    user = user_factory(name='u1', rank=db.User.RANK_ADMINISTRATOR)
-    auth_user = user_factory(rank=db.User.RANK_ADMINISTRATOR)
+    user = user_factory(name='u1', rank=model.User.RANK_ADMINISTRATOR)
+    auth_user = user_factory(rank=model.User.RANK_ADMINISTRATOR)
     db.session.add(user)
     db.session.flush()
 
@@ -63,13 +63,13 @@ def test_updating_user(context_factory, user_factory):
         users.update_user_avatar.assert_called_once_with(
             user, 'manual', b'...')
         users.serialize_user.assert_called_once_with(
-            user, auth_user, options=None)
+            user, auth_user, options=[])
 
 
 @pytest.mark.parametrize(
     'field', ['name', 'email', 'password', 'rank', 'avatarStyle'])
 def test_omitting_optional_field(user_factory, context_factory, field):
-    user = user_factory(name='u1', rank=db.User.RANK_ADMINISTRATOR)
+    user = user_factory(name='u1', rank=model.User.RANK_ADMINISTRATOR)
     db.session.add(user)
     db.session.flush()
     params = {
@@ -96,7 +96,7 @@ def test_omitting_optional_field(user_factory, context_factory, field):
 
 
 def test_trying_to_update_non_existing(user_factory, context_factory):
-    user = user_factory(name='u1', rank=db.User.RANK_ADMINISTRATOR)
+    user = user_factory(name='u1', rank=model.User.RANK_ADMINISTRATOR)
     db.session.add(user)
     db.session.flush()
     with pytest.raises(users.UserNotFoundError):
@@ -113,8 +113,8 @@ def test_trying_to_update_non_existing(user_factory, context_factory):
 ])
 def test_trying_to_update_field_without_privileges(
         user_factory, context_factory, params):
-    user1 = user_factory(name='u1', rank=db.User.RANK_REGULAR)
-    user2 = user_factory(name='u2', rank=db.User.RANK_REGULAR)
+    user1 = user_factory(name='u1', rank=model.User.RANK_REGULAR)
+    user2 = user_factory(name='u2', rank=model.User.RANK_REGULAR)
     db.session.add_all([user1, user2])
     db.session.flush()
     with pytest.raises(errors.AuthError):
diff --git a/server/szurubooru/tests/assets/jpeg-similar.jpg b/server/szurubooru/tests/assets/jpeg-similar.jpg
new file mode 100644
index 00000000..af612092
Binary files /dev/null and b/server/szurubooru/tests/assets/jpeg-similar.jpg differ
diff --git a/server/szurubooru/tests/conftest.py b/server/szurubooru/tests/conftest.py
index 5dd47576..27a107aa 100644
--- a/server/szurubooru/tests/conftest.py
+++ b/server/szurubooru/tests/conftest.py
@@ -7,8 +7,8 @@ from unittest.mock import patch
 from datetime import datetime
 import pytest
 import freezegun
-import sqlalchemy
-from szurubooru import config, db, rest
+import sqlalchemy as sa
+from szurubooru import config, db, model, rest
 
 
 class QueryCounter:
@@ -36,10 +36,10 @@ if not config.config['test_database']:
     raise RuntimeError('Test database not configured.')
 
 _query_counter = QueryCounter()
-_engine = sqlalchemy.create_engine(config.config['test_database'])
-db.Base.metadata.drop_all(bind=_engine)
-db.Base.metadata.create_all(bind=_engine)
-sqlalchemy.event.listen(
+_engine = sa.create_engine(config.config['test_database'])
+model.Base.metadata.drop_all(bind=_engine)
+model.Base.metadata.create_all(bind=_engine)
+sa.event.listen(
     _engine,
     'before_cursor_execute',
     _query_counter.create_before_cursor_execute())
@@ -79,29 +79,30 @@ def query_logger():
 
 @pytest.yield_fixture(scope='function', autouse=True)
 def session(query_logger):  # pylint: disable=unused-argument
-    db.sessionmaker = sqlalchemy.orm.sessionmaker(
+    db.sessionmaker = sa.orm.sessionmaker(
         bind=_engine, autoflush=False)
-    db.session = sqlalchemy.orm.scoped_session(db.sessionmaker)
+    db.session = sa.orm.scoped_session(db.sessionmaker)
     try:
         yield db.session
     finally:
         db.session.remove()
-        for table in reversed(db.Base.metadata.sorted_tables):
+        for table in reversed(model.Base.metadata.sorted_tables):
             db.session.execute(table.delete())
         db.session.commit()
 
 
 @pytest.fixture
 def context_factory(session):
-    def factory(params=None, files=None, user=None):
+    def factory(params=None, files=None, user=None, headers=None):
         ctx = rest.Context(
+            env={'HTTP_ORIGIN': 'http://example.com'},
             method=None,
             url=None,
-            headers={},
+            headers=headers or {},
             params=params or {},
             files=files or {})
         ctx.session = session
-        ctx.user = user or db.User()
+        ctx.user = user or model.User()
         return ctx
     return factory
 
@@ -115,23 +116,49 @@ def config_injector():
 
 @pytest.fixture
 def user_factory():
-    def factory(name=None, rank=db.User.RANK_REGULAR, email='dummy'):
-        user = db.User()
+    def factory(
+            name=None,
+            rank=model.User.RANK_REGULAR,
+            email='dummy',
+            password_salt=None,
+            password_hash=None):
+        user = model.User()
         user.name = name or get_unique_name()
-        user.password_salt = 'dummy'
-        user.password_hash = 'dummy'
+        user.password_salt = password_salt or 'dummy'
+        user.password_hash = password_hash or 'dummy'
         user.email = email
         user.rank = rank
         user.creation_time = datetime(1997, 1, 1)
-        user.avatar_style = db.User.AVATAR_GRAVATAR
+        user.avatar_style = model.User.AVATAR_GRAVATAR
         return user
     return factory
 
 
+@pytest.fixture
+def user_token_factory(user_factory):
+    def factory(
+            user=None,
+            token=None,
+            expiration_time=None,
+            enabled=None,
+            creation_time=None):
+        if user is None:
+            user = user_factory()
+            db.session.add(user)
+        user_token = model.UserToken()
+        user_token.user = user
+        user_token.token = token or 'dummy'
+        user_token.expiration_time = expiration_time
+        user_token.enabled = enabled if enabled is not None else True
+        user_token.creation_time = creation_time or datetime(1997, 1, 1)
+        return user_token
+    return factory
+
+
 @pytest.fixture
 def tag_category_factory():
     def factory(name=None, color='dummy', default=False):
-        category = db.TagCategory()
+        category = model.TagCategory()
         category.name = name or get_unique_name()
         category.color = color
         category.default = default
@@ -143,19 +170,19 @@ def tag_category_factory():
 def tag_factory():
     def factory(names=None, category=None):
         if not category:
-            category = db.TagCategory(get_unique_name())
+            category = model.TagCategory(get_unique_name())
             db.session.add(category)
-        tag = db.Tag()
+        tag = model.Tag()
         tag.names = []
         for i, name in enumerate(names or [get_unique_name()]):
-            tag.names.append(db.TagName(name, i))
+            tag.names.append(model.TagName(name, i))
         tag.category = category
         tag.creation_time = datetime(1996, 1, 1)
         return tag
     return factory
 
 
-@pytest.yield_fixture(autouse=True)
+@pytest.yield_fixture
 def skip_post_hashing():
     with patch('szurubooru.func.image_hash.add_image'), \
             patch('szurubooru.func.image_hash.delete_image'):
@@ -163,14 +190,14 @@ def skip_post_hashing():
 
 
 @pytest.fixture
-def post_factory():
+def post_factory(skip_post_hashing):
     # pylint: disable=invalid-name
     def factory(
             id=None,
-            safety=db.Post.SAFETY_SAFE,
-            type=db.Post.TYPE_IMAGE,
+            safety=model.Post.SAFETY_SAFE,
+            type=model.Post.TYPE_IMAGE,
             checksum='...'):
-        post = db.Post()
+        post = model.Post()
         post.post_id = id
         post.safety = safety
         post.type = type
@@ -191,7 +218,7 @@ def comment_factory(user_factory, post_factory):
         if not post:
             post = post_factory()
             db.session.add(post)
-        comment = db.Comment()
+        comment = model.Comment()
         comment.user = user
         comment.post = post
         comment.text = text
@@ -207,7 +234,7 @@ def post_score_factory(user_factory, post_factory):
             user = user_factory()
         if post is None:
             post = post_factory()
-        return db.PostScore(
+        return model.PostScore(
             post=post, user=user, score=score, time=datetime(1999, 1, 1))
     return factory
 
@@ -219,7 +246,7 @@ def post_favorite_factory(user_factory, post_factory):
             user = user_factory()
         if post is None:
             post = post_factory()
-        return db.PostFavorite(
+        return model.PostFavorite(
             post=post, user=user, time=datetime(1999, 1, 1))
     return factory
 
diff --git a/server/szurubooru/tests/func/test_auth.py b/server/szurubooru/tests/func/test_auth.py
new file mode 100644
index 00000000..6dc79bb5
--- /dev/null
+++ b/server/szurubooru/tests/func/test_auth.py
@@ -0,0 +1,65 @@
+from datetime import datetime, timedelta
+import pytest
+from szurubooru.func import auth
+
+
+@pytest.fixture(autouse=True)
+def inject_config(config_injector):
+    config_injector({'secret': 'testSecret'})
+
+
+def test_get_password_hash():
+    salt, password = ('testSalt', 'pass')
+    result, revision = auth.get_password_hash(salt, password)
+    assert result
+    assert revision == 3
+    hash_parts = list(
+        filter(lambda e: e is not None and e != '', result.split('$')))
+    assert len(hash_parts) == 5
+    assert hash_parts[0] == 'argon2id'
+
+
+def test_get_sha256_legacy_password_hash():
+    salt, password = ('testSalt', 'pass')
+    result, revision = auth.get_sha256_legacy_password_hash(salt, password)
+    hash = '2031ac9631353ac9303719a7f808a24f79aa1d71712c98523e4bb4cce579428a'
+    assert result == hash
+    assert revision == 2
+
+
+def test_get_sha1_legacy_password_hash():
+    salt, password = ('testSalt', 'pass')
+    result, revision = auth.get_sha1_legacy_password_hash(salt, password)
+    assert result == '1eb1f953d9be303a1b54627e903e6124cfb1245b'
+    assert revision == 1
+
+
+def test_is_valid_password_auto_upgrades_user_password_hash(user_factory):
+    salt, password = ('testSalt', 'pass')
+    hash, revision = auth.get_sha256_legacy_password_hash(salt, password)
+    user = user_factory(password_salt=salt, password_hash=hash)
+    result = auth.is_valid_password(user, password)
+    assert result is True
+    assert user.password_hash != hash
+    assert user.password_revision > revision
+
+
+def test_is_valid_token(user_token_factory):
+    user_token = user_token_factory()
+    assert auth.is_valid_token(user_token)
+
+
+def test_expired_token_is_invalid(user_token_factory):
+    past_expiration = (datetime.utcnow() - timedelta(minutes=30))
+    user_token = user_token_factory(expiration_time=past_expiration)
+    assert not auth.is_valid_token(user_token)
+
+
+def test_disabled_token_is_invalid(user_token_factory):
+    user_token = user_token_factory(enabled=False)
+    assert not auth.is_valid_token(user_token)
+
+
+def test_generate_authorization_token():
+    result = auth.generate_authorization_token()
+    assert result != auth.generate_authorization_token()
diff --git a/server/szurubooru/tests/func/test_comments.py b/server/szurubooru/tests/func/test_comments.py
index c3c2fde1..f1e5d0f1 100644
--- a/server/szurubooru/tests/func/test_comments.py
+++ b/server/szurubooru/tests/func/test_comments.py
@@ -38,8 +38,6 @@ def test_try_get_comment(comment_factory):
     db.session.flush()
     assert comments.try_get_comment_by_id(comment.comment_id + 1) is None
     assert comments.try_get_comment_by_id(comment.comment_id) is comment
-    with pytest.raises(comments.InvalidCommentIdError):
-        comments.try_get_comment_by_id('-')
 
 
 def test_get_comment(comment_factory):
@@ -49,8 +47,6 @@ def test_get_comment(comment_factory):
     with pytest.raises(comments.CommentNotFoundError):
         comments.get_comment_by_id(comment.comment_id + 1)
     assert comments.get_comment_by_id(comment.comment_id) is comment
-    with pytest.raises(comments.InvalidCommentIdError):
-        comments.get_comment_by_id('-')
 
 
 def test_create_comment(user_factory, post_factory, fake_datetime):
diff --git a/server/szurubooru/tests/func/test_image_hash.py b/server/szurubooru/tests/func/test_image_hash.py
new file mode 100644
index 00000000..1b6efd21
--- /dev/null
+++ b/server/szurubooru/tests/func/test_image_hash.py
@@ -0,0 +1,28 @@
+from szurubooru.func import image_hash
+
+
+def test_hashing(read_asset, config_injector):
+    config_injector({
+        'elasticsearch': {
+            'host': 'localhost',
+            'port': 9200,
+            'index': 'szurubooru_test',
+        },
+    })
+    image_hash.purge()
+    image_hash.add_image('test', read_asset('jpeg.jpg'))
+
+    paths = image_hash.get_all_paths()
+    results_exact = image_hash.search_by_image(read_asset('jpeg.jpg'))
+    results_similar = image_hash.search_by_image(
+        read_asset('jpeg-similar.jpg'))
+
+    assert len(paths) == 1
+    assert len(results_exact) == 1
+    assert len(results_similar) == 1
+    assert results_exact[0].path == 'test'
+    assert results_exact[0].score == 63
+    assert results_exact[0].distance == 0
+    assert results_similar[0].path == 'test'
+    assert results_similar[0].score == 26
+    assert abs(results_similar[0].distance - 0.189390583) < 1e-8
diff --git a/server/szurubooru/tests/func/test_net.py b/server/szurubooru/tests/func/test_net.py
index f749d384..fb149b05 100644
--- a/server/szurubooru/tests/func/test_net.py
+++ b/server/szurubooru/tests/func/test_net.py
@@ -1,7 +1,10 @@
 from szurubooru.func import net
 
 
-def test_download():
+def test_download(config_injector):
+    config_injector({
+        'user_agent': None
+    })
     url = 'http://info.cern.ch/hypertext/WWW/TheProject.html'
 
     expected_content = (
diff --git a/server/szurubooru/tests/func/test_posts.py b/server/szurubooru/tests/func/test_posts.py
index f44fb03b..d0c27ba6 100644
--- a/server/szurubooru/tests/func/test_posts.py
+++ b/server/szurubooru/tests/func/test_posts.py
@@ -1,20 +1,20 @@
-import os
-from unittest.mock import patch
 from datetime import datetime
+from unittest.mock import patch
+import os
 import pytest
-from szurubooru import db
+from szurubooru import db, model
 from szurubooru.func import (
     posts, users, comments, tags, images, files, util, image_hash)
 
 
 @pytest.mark.parametrize('input_mime_type,expected_url', [
-    ('image/jpeg', 'http://example.com/posts/1.jpg'),
-    ('image/gif', 'http://example.com/posts/1.gif'),
-    ('totally/unknown', 'http://example.com/posts/1.dat'),
+    ('image/jpeg', 'http://example.com/posts/1_244c8840887984c4.jpg'),
+    ('image/gif', 'http://example.com/posts/1_244c8840887984c4.gif'),
+    ('totally/unknown', 'http://example.com/posts/1_244c8840887984c4.dat'),
 ])
 def test_get_post_url(input_mime_type, expected_url, config_injector):
-    config_injector({'data_url': 'http://example.com/'})
-    post = db.Post()
+    config_injector({'data_url': 'http://example.com/', 'secret': 'test'})
+    post = model.Post()
     post.post_id = 1
     post.mime_type = input_mime_type
     assert posts.get_post_content_url(post) == expected_url
@@ -22,21 +22,21 @@ def test_get_post_url(input_mime_type, expected_url, config_injector):
 
 @pytest.mark.parametrize('input_mime_type', ['image/jpeg', 'image/gif'])
 def test_get_post_thumbnail_url(input_mime_type, config_injector):
-    config_injector({'data_url': 'http://example.com/'})
-    post = db.Post()
+    config_injector({'data_url': 'http://example.com/', 'secret': 'test'})
+    post = model.Post()
     post.post_id = 1
     post.mime_type = input_mime_type
     assert posts.get_post_thumbnail_url(post) \
-        == 'http://example.com/generated-thumbnails/1.jpg'
+        == 'http://example.com/generated-thumbnails/1_244c8840887984c4.jpg'
 
 
 @pytest.mark.parametrize('input_mime_type,expected_path', [
-    ('image/jpeg', 'posts/1.jpg'),
-    ('image/gif', 'posts/1.gif'),
-    ('totally/unknown', 'posts/1.dat'),
+    ('image/jpeg', 'posts/1_244c8840887984c4.jpg'),
+    ('image/gif', 'posts/1_244c8840887984c4.gif'),
+    ('totally/unknown', 'posts/1_244c8840887984c4.dat'),
 ])
 def test_get_post_content_path(input_mime_type, expected_path):
-    post = db.Post()
+    post = model.Post()
     post.post_id = 1
     post.mime_type = input_mime_type
     assert posts.get_post_content_path(post) == expected_path
@@ -44,23 +44,24 @@ def test_get_post_content_path(input_mime_type, expected_path):
 
 @pytest.mark.parametrize('input_mime_type', ['image/jpeg', 'image/gif'])
 def test_get_post_thumbnail_path(input_mime_type):
-    post = db.Post()
+    post = model.Post()
     post.post_id = 1
     post.mime_type = input_mime_type
-    assert posts.get_post_thumbnail_path(post) == 'generated-thumbnails/1.jpg'
+    assert posts.get_post_thumbnail_path(post) \
+        == 'generated-thumbnails/1_244c8840887984c4.jpg'
 
 
 @pytest.mark.parametrize('input_mime_type', ['image/jpeg', 'image/gif'])
 def test_get_post_thumbnail_backup_path(input_mime_type):
-    post = db.Post()
+    post = model.Post()
     post.post_id = 1
     post.mime_type = input_mime_type
     assert posts.get_post_thumbnail_backup_path(post) \
-        == 'posts/custom-thumbnails/1.dat'
+        == 'posts/custom-thumbnails/1_244c8840887984c4.dat'
 
 
 def test_serialize_note():
-    note = db.PostNote()
+    note = model.PostNote()
     note.polygon = [[0, 1], [1, 1], [1, 0], [0, 0]]
     note.text = '...'
     assert posts.serialize_note(note) == {
@@ -74,8 +75,12 @@ def test_serialize_post_when_empty():
 
 
 def test_serialize_post(
-        user_factory, comment_factory, tag_factory, config_injector):
-    config_injector({'data_url': 'http://example.com/'})
+        user_factory,
+        comment_factory,
+        tag_factory,
+        tag_category_factory,
+        config_injector):
+    config_injector({'data_url': 'http://example.com/', 'secret': 'test'})
     with patch('szurubooru.func.comments.serialize_comment'), \
             patch('szurubooru.func.users.serialize_micro_user'), \
             patch('szurubooru.func.posts.files.has'):
@@ -86,17 +91,21 @@ def test_serialize_post(
             = lambda comment, auth_user: comment.user.name
 
         auth_user = user_factory(name='auth user')
-        post = db.Post()
+        post = model.Post()
         post.post_id = 1
         post.creation_time = datetime(1997, 1, 1)
         post.last_edit_time = datetime(1998, 1, 1)
         post.tags = [
-            tag_factory(names=['tag1', 'tag2']),
-            tag_factory(names=['tag3'])
+            tag_factory(
+                names=['tag1', 'tag2'],
+                category=tag_category_factory('test-cat1')),
+            tag_factory(
+                names=['tag3'],
+                category=tag_category_factory('test-cat2'))
         ]
-        post.safety = db.Post.SAFETY_SAFE
+        post.safety = model.Post.SAFETY_SAFE
         post.source = '4gag'
-        post.type = db.Post.TYPE_IMAGE
+        post.type = model.Post.TYPE_IMAGE
         post.checksum = 'deadbeef'
         post.mime_type = 'image/jpeg'
         post.file_size = 100
@@ -116,25 +125,25 @@ def test_serialize_post(
                 user=user_factory(name='commenter2'),
                 post=post,
                 time=datetime(1999, 1, 2)),
-            db.PostFavorite(
+            model.PostFavorite(
                 post=post,
                 user=user_factory(name='fav1'),
                 time=datetime(1800, 1, 1)),
-            db.PostFeature(
+            model.PostFeature(
                 post=post,
                 user=user_factory(),
                 time=datetime(1999, 1, 1)),
-            db.PostScore(
+            model.PostScore(
                 post=post,
                 user=auth_user,
                 score=-1,
                 time=datetime(1800, 1, 1)),
-            db.PostScore(
+            model.PostScore(
                 post=post,
                 user=user_factory(),
                 score=1,
                 time=datetime(1800, 1, 1)),
-            db.PostScore(
+            model.PostScore(
                 post=post,
                 user=user_factory(),
                 score=1,
@@ -142,7 +151,7 @@ def test_serialize_post(
         db.session.flush()
 
         result = posts.serialize_post(post, auth_user)
-        result['tags'].sort()
+        result['tags'].sort(key=lambda tag: tag['names'][0])
 
         assert result == {
             'id': 1,
@@ -156,10 +165,22 @@ def test_serialize_post(
             'fileSize': 100,
             'canvasWidth': 200,
             'canvasHeight': 300,
-            'contentUrl': 'http://example.com/posts/1.jpg',
-            'thumbnailUrl': 'http://example.com/generated-thumbnails/1.jpg',
+            'contentUrl': 'http://example.com/posts/1_244c8840887984c4.jpg',
+            'thumbnailUrl':
+                'http://example.com/'
+                'generated-thumbnails/1_244c8840887984c4.jpg',
             'flags': ['loop'],
-            'tags': ['tag1', 'tag3'],
+            'tags': [
+                {
+                    'names': ['tag1', 'tag2'],
+                    'category': 'test-cat1', 'usages': 1,
+                },
+                {
+                    'names': ['tag3'],
+                    'category': 'test-cat2',
+                    'usages': 1,
+                },
+            ],
             'relations': [],
             'notes': [],
             'user': 'post author',
@@ -209,8 +230,6 @@ def test_try_get_post_by_id(post_factory):
     db.session.flush()
     assert posts.try_get_post_by_id(post.post_id) == post
     assert posts.try_get_post_by_id(post.post_id + 1) is None
-    with pytest.raises(posts.InvalidPostIdError):
-        posts.get_post_by_id('-')
 
 
 def test_get_post_by_id(post_factory):
@@ -220,8 +239,6 @@ def test_get_post_by_id(post_factory):
     assert posts.get_post_by_id(post.post_id) == post
     with pytest.raises(posts.PostNotFoundError):
         posts.get_post_by_id(post.post_id + 1)
-    with pytest.raises(posts.InvalidPostIdError):
-        posts.get_post_by_id('-')
 
 
 def test_create_post(user_factory, fake_datetime):
@@ -237,30 +254,30 @@ def test_create_post(user_factory, fake_datetime):
 
 
 @pytest.mark.parametrize('input_safety,expected_safety', [
-    ('safe', db.Post.SAFETY_SAFE),
-    ('sketchy', db.Post.SAFETY_SKETCHY),
-    ('unsafe', db.Post.SAFETY_UNSAFE),
+    ('safe', model.Post.SAFETY_SAFE),
+    ('sketchy', model.Post.SAFETY_SKETCHY),
+    ('unsafe', model.Post.SAFETY_UNSAFE),
 ])
 def test_update_post_safety(input_safety, expected_safety):
-    post = db.Post()
+    post = model.Post()
     posts.update_post_safety(post, input_safety)
     assert post.safety == expected_safety
 
 
 def test_update_post_safety_with_invalid_string():
-    post = db.Post()
+    post = model.Post()
     with pytest.raises(posts.InvalidPostSafetyError):
         posts.update_post_safety(post, 'bad')
 
 
 def test_update_post_source():
-    post = db.Post()
+    post = model.Post()
     posts.update_post_source(post, 'x')
     assert post.source == 'x'
 
 
 def test_update_post_source_with_too_long_string():
-    post = db.Post()
+    post = model.Post()
     with pytest.raises(posts.InvalidPostSourceError):
         posts.update_post_source(post, 'x' * 1000)
 
@@ -268,37 +285,66 @@ def test_update_post_source_with_too_long_string():
 @pytest.mark.parametrize(
     'is_existing,input_file,expected_mime_type,expected_type,output_file_name',
     [
-        (True, 'png.png', 'image/png', db.Post.TYPE_IMAGE, '1.png'),
-        (False, 'png.png', 'image/png', db.Post.TYPE_IMAGE, '1.png'),
-        (False, 'jpeg.jpg', 'image/jpeg', db.Post.TYPE_IMAGE, '1.jpg'),
-        (False, 'gif.gif', 'image/gif', db.Post.TYPE_IMAGE, '1.gif'),
+        (
+            True,
+            'png.png',
+            'image/png',
+            model.Post.TYPE_IMAGE,
+            '1_244c8840887984c4.png',
+        ),
+        (
+            False,
+            'png.png',
+            'image/png',
+            model.Post.TYPE_IMAGE,
+            '1_244c8840887984c4.png',
+        ),
+        (
+            False,
+            'jpeg.jpg',
+            'image/jpeg',
+            model.Post.TYPE_IMAGE,
+            '1_244c8840887984c4.jpg',
+        ),
+        (
+            False,
+            'gif.gif',
+            'image/gif',
+            model.Post.TYPE_IMAGE,
+            '1_244c8840887984c4.gif',
+        ),
         (
             False,
             'gif-animated.gif',
             'image/gif',
-            db.Post.TYPE_ANIMATION,
-            '1.gif',
+            model.Post.TYPE_ANIMATION,
+            '1_244c8840887984c4.gif',
+        ),
+        (
+            False,
+            'webm.webm',
+            'video/webm',
+            model.Post.TYPE_VIDEO,
+            '1_244c8840887984c4.webm',
+        ),
+        (
+            False,
+            'mp4.mp4',
+            'video/mp4',
+            model.Post.TYPE_VIDEO,
+            '1_244c8840887984c4.mp4',
         ),
-        (False, 'webm.webm', 'video/webm', db.Post.TYPE_VIDEO, '1.webm'),
-        (False, 'mp4.mp4', 'video/mp4', db.Post.TYPE_VIDEO, '1.mp4'),
         (
             False,
             'flash.swf',
             'application/x-shockwave-flash',
-            db.Post.TYPE_FLASH,
-            '1.swf'
+            model.Post.TYPE_FLASH,
+            '1_244c8840887984c4.swf',
         ),
     ])
 def test_update_post_content_for_new_post(
-        tmpdir,
-        config_injector,
-        post_factory,
-        read_asset,
-        is_existing,
-        input_file,
-        expected_mime_type,
-        expected_type,
-        output_file_name):
+        tmpdir, config_injector, post_factory, read_asset, is_existing,
+        input_file, expected_mime_type, expected_type, output_file_name):
     with patch('szurubooru.func.util.get_sha1'):
         util.get_sha1.return_value = 'crc'
         config_injector({
@@ -307,15 +353,14 @@ def test_update_post_content_for_new_post(
                 'post_width': 300,
                 'post_height': 300,
             },
+            'secret': 'test',
         })
-        output_file_path = str(tmpdir) + '/data/posts/' + output_file_name
-        post = post_factory()
+        output_file_path = '{}/data/posts/{}'.format(tmpdir, output_file_name)
+        post = post_factory(id=1)
         db.session.add(post)
         if is_existing:
             db.session.flush()
-            assert post.post_id
-        else:
-            assert not post.post_id
+        assert post.post_id
         assert not os.path.exists(output_file_path)
         content = read_asset(input_file)
         posts.update_post_content(post, content)
@@ -325,7 +370,7 @@ def test_update_post_content_for_new_post(
         assert post.type == expected_type
         assert post.checksum == 'crc'
         assert os.path.exists(output_file_path)
-        if post.type in (db.Post.TYPE_IMAGE, db.Post.TYPE_ANIMATION):
+        if post.type in (model.Post.TYPE_IMAGE, model.Post.TYPE_ANIMATION):
             image_hash.delete_image.assert_called_once_with(post.post_id)
             image_hash.add_image.assert_called_once_with(post.post_id, content)
         else:
@@ -342,6 +387,7 @@ def test_update_post_content_to_existing_content(
             'post_width': 300,
             'post_height': 300,
         },
+        'secret': 'test',
     })
     post = post_factory()
     another_post = post_factory()
@@ -363,6 +409,7 @@ def test_update_post_content_with_broken_content(
             'post_width': 300,
             'post_height': 300,
         },
+        'secret': 'test',
     })
     post = post_factory()
     another_post = post_factory()
@@ -375,7 +422,7 @@ def test_update_post_content_with_broken_content(
 
 @pytest.mark.parametrize('input_content', [None, b'not a media file'])
 def test_update_post_content_with_invalid_content(input_content):
-    post = db.Post()
+    post = model.Post()
     with pytest.raises(posts.InvalidPostContentError):
         posts.update_post_content(post, input_content)
 
@@ -389,16 +436,19 @@ def test_update_post_thumbnail_to_new_one(
             'post_width': 300,
             'post_height': 300,
         },
+        'secret': 'test',
     })
-    post = post_factory()
+    post = post_factory(id=1)
     db.session.add(post)
     if is_existing:
         db.session.flush()
-        assert post.post_id
-    else:
-        assert not post.post_id
-    generated_path = str(tmpdir) + '/data/generated-thumbnails/1.jpg'
-    source_path = str(tmpdir) + '/data/posts/custom-thumbnails/1.dat'
+    assert post.post_id
+    generated_path = (
+        '{}/data/generated-thumbnails/1_244c8840887984c4.jpg'
+        .format(tmpdir))
+    source_path = (
+        '{}/data/posts/custom-thumbnails/1_244c8840887984c4.dat'
+        .format(tmpdir))
     assert not os.path.exists(generated_path)
     assert not os.path.exists(source_path)
     posts.update_post_content(post, read_asset('png.png'))
@@ -421,16 +471,19 @@ def test_update_post_thumbnail_to_default(
             'post_width': 300,
             'post_height': 300,
         },
+        'secret': 'test',
     })
-    post = post_factory()
+    post = post_factory(id=1)
     db.session.add(post)
     if is_existing:
         db.session.flush()
-        assert post.post_id
-    else:
-        assert not post.post_id
-    generated_path = str(tmpdir) + '/data/generated-thumbnails/1.jpg'
-    source_path = str(tmpdir) + '/data/posts/custom-thumbnails/1.dat'
+    assert post.post_id
+    generated_path = (
+        '{}/data/generated-thumbnails/1_244c8840887984c4.jpg'
+        .format(tmpdir))
+    source_path = (
+        '{}/data/posts/custom-thumbnails/1_244c8840887984c4.dat'
+        .format(tmpdir))
     assert not os.path.exists(generated_path)
     assert not os.path.exists(source_path)
     posts.update_post_content(post, read_asset('png.png'))
@@ -452,16 +505,19 @@ def test_update_post_thumbnail_with_broken_thumbnail(
             'post_width': 300,
             'post_height': 300,
         },
+        'secret': 'test',
     })
-    post = post_factory()
+    post = post_factory(id=1)
     db.session.add(post)
     if is_existing:
         db.session.flush()
-        assert post.post_id
-    else:
-        assert not post.post_id
-    generated_path = str(tmpdir) + '/data/generated-thumbnails/1.jpg'
-    source_path = str(tmpdir) + '/data/posts/custom-thumbnails/1.dat'
+    assert post.post_id
+    generated_path = (
+        '{}/data/generated-thumbnails/1_244c8840887984c4.jpg'
+        .format(tmpdir))
+    source_path = (
+        '{}/data/posts/custom-thumbnails/1_244c8840887984c4.dat'
+        .format(tmpdir))
     assert not os.path.exists(generated_path)
     assert not os.path.exists(source_path)
     posts.update_post_content(post, read_asset('png.png'))
@@ -487,6 +543,7 @@ def test_update_post_content_leaving_custom_thumbnail(
             'post_width': 300,
             'post_height': 300,
         },
+        'secret': 'test',
     })
     post = post_factory(id=1)
     db.session.add(post)
@@ -494,16 +551,21 @@ def test_update_post_content_leaving_custom_thumbnail(
     posts.update_post_thumbnail(post, read_asset('jpeg.jpg'))
     posts.update_post_content(post, read_asset('png.png'))
     db.session.flush()
-    assert os.path.exists(str(tmpdir) + '/data/posts/custom-thumbnails/1.dat')
-    assert os.path.exists(str(tmpdir) + '/data/generated-thumbnails/1.jpg')
+    generated_path = (
+        '{}/data/generated-thumbnails/1_244c8840887984c4.jpg'
+        .format(tmpdir))
+    source_path = (
+        '{}/data/posts/custom-thumbnails/1_244c8840887984c4.dat'
+        .format(tmpdir))
+    assert os.path.exists(source_path)
+    assert os.path.exists(generated_path)
 
 
 def test_update_post_tags(tag_factory):
-    post = db.Post()
+    post = model.Post()
     with patch('szurubooru.func.tags.get_or_create_tags_by_names'):
-        tags.get_or_create_tags_by_names.side_effect \
-            = lambda tag_names: \
-                ([tag_factory(names=[name]) for name in tag_names], [])
+        tags.get_or_create_tags_by_names.side_effect = lambda tag_names: \
+            ([tag_factory(names=[name]) for name in tag_names], [])
         posts.update_post_tags(post, ['tag1', 'tag2'])
     assert len(post.tags) == 2
     assert post.tags[0].names[0].name == 'tag1'
@@ -536,7 +598,7 @@ def test_update_post_relations_bidirectionality(post_factory):
 
 
 def test_update_post_relations_with_nonexisting_posts():
-    post = db.Post()
+    post = model.Post()
     with pytest.raises(posts.InvalidPostRelationError):
         posts.update_post_relations(post, [100])
 
@@ -550,7 +612,7 @@ def test_update_post_relations_with_itself(post_factory):
 
 
 def test_update_post_notes():
-    post = db.Post()
+    post = model.Post()
     posts.update_post_notes(
         post,
         [
@@ -584,19 +646,19 @@ def test_update_post_notes():
     [{'polygon': [[0, 0], [0, 0], [0, 1]]}],
 ])
 def test_update_post_notes_with_invalid_content(input):
-    post = db.Post()
+    post = model.Post()
     with pytest.raises(posts.InvalidPostNoteError):
         posts.update_post_notes(post, input)
 
 
 def test_update_post_flags():
-    post = db.Post()
+    post = model.Post()
     posts.update_post_flags(post, ['loop'])
     assert post.flags == ['loop']
 
 
 def test_update_post_flags_with_invalid_content():
-    post = db.Post()
+    post = model.Post()
     with pytest.raises(posts.InvalidPostFlagError):
         posts.update_post_flags(post, ['invalid'])
 
@@ -613,7 +675,8 @@ def test_feature_post(post_factory, user_factory):
     assert new_featured_post == post
 
 
-def test_delete(post_factory):
+def test_delete(post_factory, config_injector):
+    config_injector({'delete_source_files': False})
     post = post_factory()
     db.session.add(post)
     db.session.flush()
@@ -623,7 +686,8 @@ def test_delete(post_factory):
     assert posts.get_post_count() == 0
 
 
-def test_merge_posts_deletes_source_post(post_factory):
+def test_merge_posts_deletes_source_post(post_factory, config_injector):
+    config_injector({'delete_source_files': False})
     source_post = post_factory()
     target_post = post_factory()
     db.session.add_all([source_post, target_post])
@@ -635,7 +699,8 @@ def test_merge_posts_deletes_source_post(post_factory):
     assert post is not None
 
 
-def test_merge_posts_with_itself(post_factory):
+def test_merge_posts_with_itself(post_factory, config_injector):
+    config_injector({'delete_source_files': False})
     source_post = post_factory()
     db.session.add(source_post)
     db.session.flush()
@@ -643,7 +708,8 @@ def test_merge_posts_with_itself(post_factory):
         posts.merge_posts(source_post, source_post, False)
 
 
-def test_merge_posts_moves_tags(post_factory, tag_factory):
+def test_merge_posts_moves_tags(post_factory, tag_factory, config_injector):
+    config_injector({'delete_source_files': False})
     source_post = post_factory()
     target_post = post_factory()
     tag = tag_factory()
@@ -658,7 +724,9 @@ def test_merge_posts_moves_tags(post_factory, tag_factory):
     assert posts.get_post_by_id(target_post.post_id).tag_count == 1
 
 
-def test_merge_posts_doesnt_duplicate_tags(post_factory, tag_factory):
+def test_merge_posts_doesnt_duplicate_tags(
+        post_factory, tag_factory, config_injector):
+    config_injector({'delete_source_files': False})
     source_post = post_factory()
     target_post = post_factory()
     tag = tag_factory()
@@ -673,7 +741,9 @@ def test_merge_posts_doesnt_duplicate_tags(post_factory, tag_factory):
     assert posts.get_post_by_id(target_post.post_id).tag_count == 1
 
 
-def test_merge_posts_moves_comments(post_factory, comment_factory):
+def test_merge_posts_moves_comments(
+        post_factory, comment_factory, config_injector):
+    config_injector({'delete_source_files': False})
     source_post = post_factory()
     target_post = post_factory()
     comment = comment_factory(post=source_post)
@@ -687,7 +757,9 @@ def test_merge_posts_moves_comments(post_factory, comment_factory):
     assert posts.get_post_by_id(target_post.post_id).comment_count == 1
 
 
-def test_merge_posts_moves_scores(post_factory, post_score_factory):
+def test_merge_posts_moves_scores(
+        post_factory, post_score_factory, config_injector):
+    config_injector({'delete_source_files': False})
     source_post = post_factory()
     target_post = post_factory()
     score = post_score_factory(post=source_post, score=1)
@@ -702,7 +774,8 @@ def test_merge_posts_moves_scores(post_factory, post_score_factory):
 
 
 def test_merge_posts_doesnt_duplicate_scores(
-        post_factory, user_factory, post_score_factory):
+        post_factory, user_factory, post_score_factory, config_injector):
+    config_injector({'delete_source_files': False})
     source_post = post_factory()
     target_post = post_factory()
     user = user_factory()
@@ -718,7 +791,9 @@ def test_merge_posts_doesnt_duplicate_scores(
     assert posts.get_post_by_id(target_post.post_id).score == 1
 
 
-def test_merge_posts_moves_favorites(post_factory, post_favorite_factory):
+def test_merge_posts_moves_favorites(
+        post_factory, post_favorite_factory, config_injector):
+    config_injector({'delete_source_files': False})
     source_post = post_factory()
     target_post = post_factory()
     favorite = post_favorite_factory(post=source_post)
@@ -733,7 +808,8 @@ def test_merge_posts_moves_favorites(post_factory, post_favorite_factory):
 
 
 def test_merge_posts_doesnt_duplicate_favorites(
-        post_factory, user_factory, post_favorite_factory):
+        post_factory, user_factory, post_favorite_factory, config_injector):
+    config_injector({'delete_source_files': False})
     source_post = post_factory()
     target_post = post_factory()
     user = user_factory()
@@ -749,7 +825,8 @@ def test_merge_posts_doesnt_duplicate_favorites(
     assert posts.get_post_by_id(target_post.post_id).favorite_count == 1
 
 
-def test_merge_posts_moves_child_relations(post_factory):
+def test_merge_posts_moves_child_relations(post_factory, config_injector):
+    config_injector({'delete_source_files': False})
     source_post = post_factory()
     target_post = post_factory()
     related_post = post_factory()
@@ -764,7 +841,9 @@ def test_merge_posts_moves_child_relations(post_factory):
     assert posts.get_post_by_id(target_post.post_id).relation_count == 1
 
 
-def test_merge_posts_doesnt_duplicate_child_relations(post_factory):
+def test_merge_posts_doesnt_duplicate_child_relations(
+        post_factory, config_injector):
+    config_injector({'delete_source_files': False})
     source_post = post_factory()
     target_post = post_factory()
     related_post = post_factory()
@@ -780,7 +859,8 @@ def test_merge_posts_doesnt_duplicate_child_relations(post_factory):
     assert posts.get_post_by_id(target_post.post_id).relation_count == 1
 
 
-def test_merge_posts_moves_parent_relations(post_factory):
+def test_merge_posts_moves_parent_relations(post_factory, config_injector):
+    config_injector({'delete_source_files': False})
     source_post = post_factory()
     target_post = post_factory()
     related_post = post_factory()
@@ -797,7 +877,9 @@ def test_merge_posts_moves_parent_relations(post_factory):
     assert posts.get_post_by_id(related_post.post_id).relation_count == 1
 
 
-def test_merge_posts_doesnt_duplicate_parent_relations(post_factory):
+def test_merge_posts_doesnt_duplicate_parent_relations(
+        post_factory, config_injector):
+    config_injector({'delete_source_files': False})
     source_post = post_factory()
     target_post = post_factory()
     related_post = post_factory()
@@ -814,7 +896,9 @@ def test_merge_posts_doesnt_duplicate_parent_relations(post_factory):
     assert posts.get_post_by_id(related_post.post_id).relation_count == 1
 
 
-def test_merge_posts_doesnt_create_relation_loop_for_children(post_factory):
+def test_merge_posts_doesnt_create_relation_loop_for_children(
+        post_factory, config_injector):
+    config_injector({'delete_source_files': False})
     source_post = post_factory()
     target_post = post_factory()
     source_post.relations = [target_post]
@@ -828,7 +912,9 @@ def test_merge_posts_doesnt_create_relation_loop_for_children(post_factory):
     assert posts.get_post_by_id(target_post.post_id).relation_count == 0
 
 
-def test_merge_posts_doesnt_create_relation_loop_for_parents(post_factory):
+def test_merge_posts_doesnt_create_relation_loop_for_parents(
+        post_factory, config_injector):
+    config_injector({'delete_source_files': False})
     source_post = post_factory()
     target_post = post_factory()
     target_post.relations = [source_post]
@@ -847,25 +933,34 @@ def test_merge_posts_replaces_content(
     config_injector({
         'data_dir': str(tmpdir.mkdir('data')),
         'data_url': 'example.com',
+        'delete_source_files': False,
         'thumbnails': {
             'post_width': 300,
             'post_height': 300,
         },
+        'secret': 'test',
     })
-    source_post = post_factory()
-    target_post = post_factory()
+    source_post = post_factory(id=1)
+    target_post = post_factory(id=2)
     content = read_asset('png.png')
     db.session.add_all([source_post, target_post])
     db.session.commit()
     posts.update_post_content(source_post, content)
     db.session.flush()
-    assert os.path.exists(os.path.join(str(tmpdir), 'data/posts/1.png'))
-    assert not os.path.exists(os.path.join(str(tmpdir), 'data/posts/2.dat'))
-    assert not os.path.exists(os.path.join(str(tmpdir), 'data/posts/2.png'))
+    source_path = (
+        os.path.join('{}/data/posts/1_244c8840887984c4.png'.format(tmpdir)))
+    target_path1 = (
+        os.path.join('{}/data/posts/2_49caeb3ec1643406.png'.format(tmpdir)))
+    target_path2 = (
+        os.path.join('{}/data/posts/2_49caeb3ec1643406.dat'.format(tmpdir)))
+    assert os.path.exists(source_path)
+    assert not os.path.exists(target_path1)
+    assert not os.path.exists(target_path2)
     posts.merge_posts(source_post, target_post, True)
     db.session.flush()
     assert posts.try_get_post_by_id(source_post.post_id) is None
     post = posts.get_post_by_id(target_post.post_id)
     assert post is not None
-    assert os.path.exists(os.path.join(str(tmpdir), 'data/posts/1.png'))
-    assert os.path.exists(os.path.join(str(tmpdir), 'data/posts/2.png'))
+    assert os.path.exists(source_path)
+    assert os.path.exists(target_path1)
+    assert not os.path.exists(target_path2)
diff --git a/server/szurubooru/tests/func/test_snapshots.py b/server/szurubooru/tests/func/test_snapshots.py
index d4c6754a..09491990 100644
--- a/server/szurubooru/tests/func/test_snapshots.py
+++ b/server/szurubooru/tests/func/test_snapshots.py
@@ -1,7 +1,7 @@
 from unittest.mock import patch
 from datetime import datetime
 import pytest
-from szurubooru import db
+from szurubooru import db, model
 from szurubooru.func import snapshots, users
 
 
@@ -56,20 +56,20 @@ def test_get_post_snapshot(post_factory, user_factory, tag_factory):
     db.session.add_all([user, tag1, tag2, post, related_post1, related_post2])
     db.session.flush()
 
-    score = db.PostScore()
+    score = model.PostScore()
     score.post = post
     score.user = user
     score.time = datetime(1997, 1, 1)
     score.score = 1
-    favorite = db.PostFavorite()
+    favorite = model.PostFavorite()
     favorite.post = post
     favorite.user = user
     favorite.time = datetime(1997, 1, 1)
-    feature = db.PostFeature()
+    feature = model.PostFeature()
     feature.post = post
     feature.user = user
     feature.time = datetime(1997, 1, 1)
-    note = db.PostNote()
+    note = model.PostNote()
     note.post = post
     note.polygon = [(1, 1), (200, 1), (200, 200), (1, 200)]
     note.text = 'some text'
@@ -105,7 +105,7 @@ def test_get_post_snapshot(post_factory, user_factory, tag_factory):
 
 def test_serialize_snapshot(user_factory):
     auth_user = user_factory()
-    snapshot = db.Snapshot()
+    snapshot = model.Snapshot()
     snapshot.operation = snapshot.OPERATION_CREATED
     snapshot.resource_type = 'type'
     snapshot.resource_name = 'id'
@@ -132,9 +132,9 @@ def test_create(tag_factory, user_factory):
         snapshots.get_tag_snapshot.return_value = 'mocked'
         snapshots.create(tag, user_factory())
     db.session.flush()
-    results = db.session.query(db.Snapshot).all()
+    results = db.session.query(model.Snapshot).all()
     assert len(results) == 1
-    assert results[0].operation == db.Snapshot.OPERATION_CREATED
+    assert results[0].operation == model.Snapshot.OPERATION_CREATED
     assert results[0].data == 'mocked'
 
 
@@ -144,16 +144,16 @@ def test_modify_saves_non_empty_diffs(post_factory, user_factory):
             'SQLite doesn\'t support transaction isolation, '
             'which is required to retrieve original entity')
     post = post_factory()
-    post.notes = [db.PostNote(polygon=[(0, 0), (0, 1), (1, 1)], text='old')]
+    post.notes = [model.PostNote(polygon=[(0, 0), (0, 1), (1, 1)], text='old')]
     user = user_factory()
     db.session.add_all([post, user])
     db.session.commit()
     post.source = 'new source'
-    post.notes = [db.PostNote(polygon=[(0, 0), (0, 1), (1, 1)], text='new')]
+    post.notes = [model.PostNote(polygon=[(0, 0), (0, 1), (1, 1)], text='new')]
     db.session.flush()
     snapshots.modify(post, user)
     db.session.flush()
-    results = db.session.query(db.Snapshot).all()
+    results = db.session.query(model.Snapshot).all()
     assert len(results) == 1
     assert results[0].data == {
         'type': 'object change',
@@ -181,7 +181,7 @@ def test_modify_doesnt_save_empty_diffs(tag_factory, user_factory):
     db.session.commit()
     snapshots.modify(tag, user)
     db.session.flush()
-    assert db.session.query(db.Snapshot).count() == 0
+    assert db.session.query(model.Snapshot).count() == 0
 
 
 def test_delete(tag_factory, user_factory):
@@ -192,9 +192,9 @@ def test_delete(tag_factory, user_factory):
         snapshots.get_tag_snapshot.return_value = 'mocked'
         snapshots.delete(tag, user_factory())
     db.session.flush()
-    results = db.session.query(db.Snapshot).all()
+    results = db.session.query(model.Snapshot).all()
     assert len(results) == 1
-    assert results[0].operation == db.Snapshot.OPERATION_DELETED
+    assert results[0].operation == model.Snapshot.OPERATION_DELETED
     assert results[0].data == 'mocked'
 
 
@@ -205,6 +205,6 @@ def test_merge(tag_factory, user_factory):
     db.session.flush()
     snapshots.merge(source_tag, target_tag, user_factory())
     db.session.flush()
-    result = db.session.query(db.Snapshot).one()
-    assert result.operation == db.Snapshot.OPERATION_MERGED
+    result = db.session.query(model.Snapshot).one()
+    assert result.operation == model.Snapshot.OPERATION_MERGED
     assert result.data == ['tag', 'target']
diff --git a/server/szurubooru/tests/func/test_tag_categories.py b/server/szurubooru/tests/func/test_tag_categories.py
index 70f0aa0e..d1e55709 100644
--- a/server/szurubooru/tests/func/test_tag_categories.py
+++ b/server/szurubooru/tests/func/test_tag_categories.py
@@ -1,6 +1,6 @@
 from unittest.mock import patch
 import pytest
-from szurubooru import db
+from szurubooru import db, model
 from szurubooru.func import tag_categories, cache
 
 
@@ -191,9 +191,10 @@ def test_get_default_category_name(tag_category_factory):
     db.session.flush()
     cache.purge()
     assert tag_categories.get_default_category_name() == category1.name
-    db.session.query(db.TagCategory).delete()
+    db.session.query(model.TagCategory).delete()
     cache.purge()
-    assert tag_categories.get_default_category_name() is None
+    with pytest.raises(tag_categories.TagCategoryNotFoundError):
+        tag_categories.get_default_category_name()
 
 
 def test_get_default_category_name_caching(tag_category_factory):
diff --git a/server/szurubooru/tests/func/test_tags.py b/server/szurubooru/tests/func/test_tags.py
index d4674998..2f888ef5 100644
--- a/server/szurubooru/tests/func/test_tags.py
+++ b/server/szurubooru/tests/func/test_tags.py
@@ -3,7 +3,7 @@ import json
 from unittest.mock import patch
 from datetime import datetime
 import pytest
-from szurubooru import db
+from szurubooru import db, model
 from szurubooru.func import tags, tag_categories, cache
 
 
@@ -45,15 +45,18 @@ def test_serialize_tag_when_empty():
 
 
 def test_serialize_tag(post_factory, tag_factory, tag_category_factory):
-    tag = tag_factory(
-        names=['tag1', 'tag2'],
-        category=tag_category_factory(name='cat'))
+    cat = tag_category_factory(name='cat')
+    tag = tag_factory(names=['tag1', 'tag2'], category=cat)
     tag.tag_id = 1
     tag.description = 'description'
     tag.suggestions = [
-        tag_factory(names=['sug1']), tag_factory(names=['sug2'])]
+        tag_factory(names=['sug1'], category=cat),
+        tag_factory(names=['sug2'], category=cat),
+    ]
     tag.implications = [
-        tag_factory(names=['impl1']), tag_factory(names=['impl2'])]
+        tag_factory(names=['impl1'], category=cat),
+        tag_factory(names=['impl2'], category=cat),
+    ]
     tag.last_edit_time = datetime(1998, 1, 1)
     post1 = post_factory()
     post2 = post_factory()
@@ -62,8 +65,8 @@ def test_serialize_tag(post_factory, tag_factory, tag_category_factory):
     db.session.add_all([tag, post1, post2])
     db.session.flush()
     result = tags.serialize_tag(tag)
-    result['suggestions'].sort()
-    result['implications'].sort()
+    result['suggestions'].sort(key=lambda relation: relation['names'][0])
+    result['implications'].sort(key=lambda relation: relation['names'][0])
     assert result == {
         'names': ['tag1', 'tag2'],
         'version': 1,
@@ -71,69 +74,18 @@ def test_serialize_tag(post_factory, tag_factory, tag_category_factory):
         'creationTime': datetime(1996, 1, 1, 0, 0),
         'lastEditTime': datetime(1998, 1, 1, 0, 0),
         'description': 'description',
-        'suggestions': ['sug1', 'sug2'],
-        'implications': ['impl1', 'impl2'],
+        'suggestions': [
+            {'names': ['sug1'], 'category': 'cat', 'usages': 0},
+            {'names': ['sug2'], 'category': 'cat', 'usages': 0},
+        ],
+        'implications': [
+            {'names': ['impl1'], 'category': 'cat', 'usages': 0},
+            {'names': ['impl2'], 'category': 'cat', 'usages': 0},
+        ],
         'usages': 2,
     }
 
 
-def test_export_to_json(
-        tmpdir,
-        query_counter,
-        config_injector,
-        post_factory,
-        tag_factory,
-        tag_category_factory):
-    config_injector({'data_dir': str(tmpdir)})
-    cat1 = tag_category_factory(name='cat1', color='black')
-    cat2 = tag_category_factory(name='cat2', color='white')
-    tag = tag_factory(names=['alias1', 'alias2'], category=cat2)
-    tag.suggestions = [
-        tag_factory(names=['sug1'], category=cat1),
-        tag_factory(names=['sug2'], category=cat1),
-    ]
-    tag.implications = [
-        tag_factory(names=['imp1'], category=cat1),
-        tag_factory(names=['imp2'], category=cat1),
-    ]
-    post = post_factory()
-    post.tags = [tag]
-    db.session.add_all([post, tag])
-    db.session.flush()
-
-    with query_counter:
-        tags.export_to_json()
-        assert len(query_counter.statements) == 5
-
-    export_path = os.path.join(str(tmpdir), 'tags.json')
-    assert os.path.exists(export_path)
-    with open(export_path, 'r') as handle:
-        actual_json = json.loads(handle.read())
-        assert actual_json['tags']
-        assert actual_json['categories']
-        actual_json['tags'].sort(key=lambda tag: tag['names'][0])
-        actual_json['categories'].sort(key=lambda category: category['name'])
-        assert actual_json == {
-            'tags': [
-                {
-                    'names': ['alias1', 'alias2'],
-                    'usages': 1,
-                    'category': 'cat2',
-                    'suggestions': ['sug1', 'sug2'],
-                    'implications': ['imp1', 'imp2'],
-                },
-                {'names': ['imp1'], 'usages': 0, 'category': 'cat1'},
-                {'names': ['imp2'], 'usages': 0, 'category': 'cat1'},
-                {'names': ['sug1'], 'usages': 0, 'category': 'cat1'},
-                {'names': ['sug2'], 'usages': 0, 'category': 'cat1'},
-            ],
-            'categories': [
-                {'name': 'cat1', 'color': 'black'},
-                {'name': 'cat2', 'color': 'white'},
-            ]
-        }
-
-
 @pytest.mark.parametrize('name_to_search,expected_to_find', [
     ('name', True),
     ('NAME', True),
@@ -304,10 +256,10 @@ def test_delete(tag_factory):
     tag.implications = [tag_factory(names=['imp'])]
     db.session.add(tag)
     db.session.flush()
-    assert db.session.query(db.Tag).count() == 3
+    assert db.session.query(model.Tag).count() == 3
     tags.delete(tag)
     db.session.flush()
-    assert db.session.query(db.Tag).count() == 2
+    assert db.session.query(model.Tag).count() == 2
 
 
 def test_merge_tags_deletes_source_tag(tag_factory):
diff --git a/server/szurubooru/tests/func/test_user_tokens.py b/server/szurubooru/tests/func/test_user_tokens.py
new file mode 100644
index 00000000..8c3577c8
--- /dev/null
+++ b/server/szurubooru/tests/func/test_user_tokens.py
@@ -0,0 +1,155 @@
+from datetime import datetime, timedelta
+from unittest.mock import patch
+import pytest
+import pytz
+import random
+import string
+from szurubooru import db, model
+from szurubooru.func import user_tokens, users, auth, util
+
+
+def test_serialize_user_token(user_token_factory):
+    user_token = user_token_factory()
+    db.session.add(user_token)
+    db.session.flush()
+    with patch('szurubooru.func.users.get_avatar_url'):
+        users.get_avatar_url.return_value = 'https://example.com/avatar.png'
+        result = user_tokens.serialize_user_token(user_token, user_token.user)
+        assert result == {
+            'creationTime': datetime(1997, 1, 1, 0, 0),
+            'enabled': True,
+            'expirationTime': None,
+            'lastEditTime': None,
+            'lastUsageTime': None,
+            'note': None,
+            'token': 'dummy',
+            'user': {
+                'avatarUrl': 'https://example.com/avatar.png',
+                'name': user_token.user.name},
+            'version': 1
+        }
+
+
+def test_serialize_user_token_none():
+    result = user_tokens.serialize_user_token(None, None)
+    assert result is None
+
+
+def test_get_by_user_and_token(user_token_factory):
+    user_token = user_token_factory()
+    db.session.add(user_token)
+    db.session.flush()
+    db.session.commit()
+    result = user_tokens.get_by_user_and_token(
+        user_token.user, user_token.token)
+    assert result == user_token
+
+
+def test_get_user_tokens(user_token_factory):
+    user_token1 = user_token_factory()
+    user_token2 = user_token_factory(user=user_token1.user)
+    db.session.add(user_token1)
+    db.session.add(user_token2)
+    db.session.flush()
+    db.session.commit()
+    result = user_tokens.get_user_tokens(user_token1.user)
+    assert result == [user_token1, user_token2]
+
+
+def test_create_user_token(user_factory):
+    user = user_factory()
+    db.session.add(user)
+    db.session.flush()
+    db.session.commit()
+    with patch('szurubooru.func.auth.generate_authorization_token'):
+        auth.generate_authorization_token.return_value = 'test'
+        result = user_tokens.create_user_token(user, True)
+        assert result.token == 'test'
+        assert result.user == user
+
+
+def test_update_user_token_enabled(user_token_factory):
+    user_token = user_token_factory()
+    user_tokens.update_user_token_enabled(user_token, False)
+    assert user_token.enabled is False
+    assert user_token.last_edit_time is not None
+
+
+def test_update_user_token_edit_time(user_token_factory):
+    user_token = user_token_factory()
+    assert user_token.last_edit_time is None
+    user_tokens.update_user_token_edit_time(user_token)
+    assert user_token.last_edit_time is not None
+
+
+def test_update_user_token_note(user_token_factory):
+    user_token = user_token_factory()
+    assert user_token.note is None
+    user_tokens.update_user_token_note(user_token, ' Test Note ')
+    assert user_token.note == 'Test Note'
+    assert user_token.last_edit_time is not None
+
+
+def test_update_user_token_note_input_too_long(user_token_factory):
+    user_token = user_token_factory()
+    assert user_token.note is None
+    note_max_length = util.get_column_size(model.UserToken.note) + 1
+    note = ''.join(
+        random.choice(string.ascii_letters) for _ in range(note_max_length))
+    with pytest.raises(user_tokens.InvalidNoteError):
+        user_tokens.update_user_token_note(user_token, note)
+
+
+def test_update_user_token_expiration_time(user_token_factory):
+    user_token = user_token_factory()
+    assert user_token.expiration_time is None
+    expiration_time_str = (
+        (datetime.utcnow() + timedelta(days=1))
+        .replace(tzinfo=pytz.utc)
+    ).isoformat()
+    user_tokens.update_user_token_expiration_time(
+        user_token, expiration_time_str)
+    assert user_token.expiration_time.isoformat() == expiration_time_str
+    assert user_token.last_edit_time is not None
+
+
+def test_update_user_token_expiration_time_in_past(user_token_factory):
+    user_token = user_token_factory()
+    assert user_token.expiration_time is None
+    expiration_time_str = (
+        (datetime.utcnow() - timedelta(days=1))
+        .replace(tzinfo=pytz.utc)
+    ).isoformat()
+    with pytest.raises(
+            user_tokens.InvalidExpirationError,
+            match='Expiration cannot happen in the past'):
+        user_tokens.update_user_token_expiration_time(
+            user_token, expiration_time_str)
+
+
+@pytest.mark.parametrize('expiration_time_str', [
+    datetime.utcnow().isoformat(),
+    (datetime.utcnow() - timedelta(days=1)).ctime(),
+    '1970/01/01 00:00:01.0000Z',
+    '70/01/01 00:00:01.0000Z',
+    ''.join(random.choice(string.ascii_letters) for _ in range(15)),
+    ''.join(random.choice(string.digits) for _ in range(8))
+])
+def test_update_user_token_expiration_time_invalid_format(
+        expiration_time_str, user_token_factory):
+    user_token = user_token_factory()
+    assert user_token.expiration_time is None
+
+    with pytest.raises(
+            user_tokens.InvalidExpirationError,
+            match='Expiration is in an invalid format %s'
+                  % expiration_time_str):
+        user_tokens.update_user_token_expiration_time(
+            user_token, expiration_time_str)
+
+
+def test_bump_usage_time(user_token_factory, fake_datetime):
+    user_token = user_token_factory()
+    with fake_datetime('1997-01-01'):
+        user_tokens.bump_usage_time(user_token)
+        assert user_token.last_usage_time == datetime(1997, 1, 1)
diff --git a/server/szurubooru/tests/func/test_users.py b/server/szurubooru/tests/func/test_users.py
index ce2a40ec..55061276 100644
--- a/server/szurubooru/tests/func/test_users.py
+++ b/server/szurubooru/tests/func/test_users.py
@@ -1,14 +1,14 @@
 from unittest.mock import patch
 from datetime import datetime
 import pytest
-from szurubooru import db, errors
+from szurubooru import db, model, errors
 from szurubooru.func import auth, users, files, util
 
 
-EMPTY_PIXEL = \
-    b'\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x01\x00\x00\x00\x00' \
-    b'\xff\xff\xff\x21\xf9\x04\x01\x00\x00\x01\x00\x2c\x00\x00\x00\x00' \
-    b'\x01\x00\x01\x00\x00\x02\x02\x4c\x01\x00\x3b'
+EMPTY_PIXEL = (
+    b'\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x01\x00\x00\x00\x00'
+    b'\xff\xff\xff\x21\xf9\x04\x01\x00\x00\x01\x00\x2c\x00\x00\x00\x00'
+    b'\x01\x00\x01\x00\x00\x02\x02\x4c\x01\x00\x3b')
 
 
 @pytest.mark.parametrize('user_name', ['test', 'TEST'])
@@ -20,28 +20,28 @@ def test_get_avatar_path(user_name):
     (
         'user',
         None,
-        db.User.AVATAR_GRAVATAR,
-        'https://gravatar.com/avatar/' +
-            'ee11cbb19052e40b07aac0ca060c23ee?d=retro&s=100',
+        model.User.AVATAR_GRAVATAR,
+        ('https://gravatar.com/avatar/' +
+            'ee11cbb19052e40b07aac0ca060c23ee?d=retro&s=100'),
     ),
     (
         None,
         'user@example.com',
-        db.User.AVATAR_GRAVATAR,
-        'https://gravatar.com/avatar/' +
-            'b58996c504c5638798eb6b511e6f49af?d=retro&s=100',
+        model.User.AVATAR_GRAVATAR,
+        ('https://gravatar.com/avatar/' +
+            'b58996c504c5638798eb6b511e6f49af?d=retro&s=100'),
     ),
     (
         'user',
         'user@example.com',
-        db.User.AVATAR_GRAVATAR,
-        'https://gravatar.com/avatar/' +
-            'b58996c504c5638798eb6b511e6f49af?d=retro&s=100',
+        model.User.AVATAR_GRAVATAR,
+        ('https://gravatar.com/avatar/' +
+            'b58996c504c5638798eb6b511e6f49af?d=retro&s=100'),
     ),
     (
         'user',
         None,
-        db.User.AVATAR_MANUAL,
+        model.User.AVATAR_MANUAL,
         'http://example.com/avatars/user.png',
     ),
 ])
@@ -51,7 +51,7 @@ def test_get_avatar_url(
         'data_url': 'http://example.com/',
         'thumbnails': {'avatar_width': 100},
     })
-    user = db.User()
+    user = model.User()
     user.name = user_name
     user.email = user_email
     user.avatar_style = avatar_style
@@ -100,7 +100,7 @@ def test_get_liked_post_count(
     user = user_factory()
     post = post_factory()
     auth_user = user if same_user else user_factory()
-    score = db.PostScore(
+    score = model.PostScore(
         post=post, user=user, score=score, time=datetime.now())
     db.session.add_all([post, user, score])
     db.session.flush()
@@ -127,8 +127,8 @@ def test_serialize_user(user_factory):
         user = user_factory(name='dummy user')
         user.creation_time = datetime(1997, 1, 1)
         user.last_edit_time = datetime(1998, 1, 1)
-        user.avatar_style = db.User.AVATAR_MANUAL
-        user.rank = db.User.RANK_ADMINISTRATOR
+        user.avatar_style = model.User.AVATAR_MANUAL
+        user.rank = model.User.RANK_ADMINISTRATOR
         db.session.add(user)
         db.session.flush()
         assert users.serialize_user(user, auth_user) == {
@@ -222,7 +222,7 @@ def test_create_user_for_first_user(fake_datetime):
         user = users.create_user('name', 'password', 'email')
         assert user.creation_time == datetime(1997, 1, 1)
         assert user.last_login_time is None
-        assert user.rank == db.User.RANK_ADMINISTRATOR
+        assert user.rank == model.User.RANK_ADMINISTRATOR
         users.update_user_name.assert_called_once_with(user, 'name')
         users.update_user_password.assert_called_once_with(user, 'password')
         users.update_user_email.assert_called_once_with(user, 'email')
@@ -236,7 +236,7 @@ def test_create_user_for_subsequent_users(user_factory, config_injector):
             patch('szurubooru.func.users.update_user_email'), \
             patch('szurubooru.func.users.update_user_password'):
         user = users.create_user('name', 'password', 'email')
-        assert user.rank == db.User.RANK_REGULAR
+        assert user.rank == model.User.RANK_REGULAR
 
 
 def test_update_user_name_with_empty_string(user_factory):
@@ -320,10 +320,11 @@ def test_update_user_password(user_factory, config_injector):
     with patch('szurubooru.func.auth.create_password'), \
             patch('szurubooru.func.auth.get_password_hash'):
         auth.create_password.return_value = 'salt'
-        auth.get_password_hash.return_value = 'hash'
+        auth.get_password_hash.return_value = ('hash', 3)
         users.update_user_password(user, 'a')
         assert user.password_salt == 'salt'
         assert user.password_hash == 'hash'
+        assert user.password_revision == 3
 
 
 def test_update_user_email_with_too_long_string(user_factory):
@@ -379,7 +380,7 @@ def test_update_user_rank_with_higher_rank_than_possible(user_factory):
     db.session.flush()
     user = user_factory()
     auth_user = user_factory()
-    auth_user.rank = db.User.RANK_ANONYMOUS
+    auth_user.rank = model.User.RANK_ANONYMOUS
     with pytest.raises(errors.AuthError):
         users.update_user_rank(user, 'regular', auth_user)
     with pytest.raises(errors.AuthError):
@@ -391,11 +392,11 @@ def test_update_user_rank(user_factory):
     db.session.flush()
     user = user_factory()
     auth_user = user_factory()
-    auth_user.rank = db.User.RANK_ADMINISTRATOR
+    auth_user.rank = model.User.RANK_ADMINISTRATOR
     users.update_user_rank(user, 'regular', auth_user)
     users.update_user_rank(auth_user, 'regular', auth_user)
-    assert user.rank == db.User.RANK_REGULAR
-    assert auth_user.rank == db.User.RANK_REGULAR
+    assert user.rank == model.User.RANK_REGULAR
+    assert auth_user.rank == model.User.RANK_REGULAR
 
 
 def test_update_user_avatar_with_invalid_style(user_factory):
@@ -407,7 +408,7 @@ def test_update_user_avatar_with_invalid_style(user_factory):
 def test_update_user_avatar_to_gravatar(user_factory):
     user = user_factory()
     users.update_user_avatar(user, 'gravatar')
-    assert user.avatar_style == db.User.AVATAR_GRAVATAR
+    assert user.avatar_style == model.User.AVATAR_GRAVATAR
 
 
 def test_update_user_avatar_to_empty_manual(user_factory):
@@ -431,7 +432,7 @@ def test_update_user_avatar_to_new_manual(user_factory, config_injector):
     user = user_factory()
     with patch('szurubooru.func.files.save'):
         users.update_user_avatar(user, 'manual', EMPTY_PIXEL)
-        assert user.avatar_style == db.User.AVATAR_MANUAL
+        assert user.avatar_style == model.User.AVATAR_MANUAL
         assert files.save.called
 
 
@@ -447,7 +448,8 @@ def test_reset_user_password(user_factory):
             patch('szurubooru.func.auth.get_password_hash'):
         user = user_factory()
         auth.create_password.return_value = 'salt'
-        auth.get_password_hash.return_value = 'hash'
+        auth.get_password_hash.return_value = ('hash', 3)
         users.reset_user_password(user)
         assert user.password_salt == 'salt'
         assert user.password_hash == 'hash'
+        assert user.password_revision == 3
diff --git a/server/szurubooru/tests/db/__init__.py b/server/szurubooru/tests/middleware/__init__.py
similarity index 100%
rename from server/szurubooru/tests/db/__init__.py
rename to server/szurubooru/tests/middleware/__init__.py
diff --git a/server/szurubooru/tests/middleware/test_authenticator.py b/server/szurubooru/tests/middleware/test_authenticator.py
new file mode 100644
index 00000000..be21a931
--- /dev/null
+++ b/server/szurubooru/tests/middleware/test_authenticator.py
@@ -0,0 +1,93 @@
+from unittest.mock import patch
+import pytest
+from szurubooru import db
+from szurubooru.func import auth, users, user_tokens
+from szurubooru.middleware import authenticator
+from szurubooru.rest import errors
+
+
+def test_process_request_no_header(context_factory):
+    ctx = context_factory()
+    authenticator.process_request(ctx)
+    assert ctx.user.name is None
+
+
+def test_process_request_bump_login(context_factory, user_factory):
+    user = user_factory()
+    db.session.add(user)
+    db.session.flush()
+    ctx = context_factory(
+        headers={
+            'Authorization': 'Basic dGVzdFVzZXI6dGVzdFRva2Vu'
+        },
+        params={
+            'bump-login': 'true'
+        })
+    with patch('szurubooru.func.auth.is_valid_password'), \
+            patch('szurubooru.func.users.get_user_by_name'):
+        users.get_user_by_name.return_value = user
+        auth.is_valid_password.return_value = True
+        authenticator.process_request(ctx)
+        assert user.last_login_time is not None
+
+
+def test_process_request_bump_login_with_token(
+        context_factory, user_token_factory):
+    user_token = user_token_factory()
+    db.session.add(user_token)
+    db.session.flush()
+    ctx = context_factory(
+        headers={
+            'Authorization': 'Token dGVzdFVzZXI6dGVzdFRva2Vu'
+        },
+        params={
+            'bump-login': 'true'
+        })
+    with patch('szurubooru.func.auth.is_valid_token'), \
+            patch('szurubooru.func.users.get_user_by_name'), \
+            patch('szurubooru.func.user_tokens.get_by_user_and_token'):
+        users.get_user_by_name.return_value = user_token.user
+        user_tokens.get_by_user_and_token.return_value = user_token
+        auth.is_valid_token.return_value = True
+        authenticator.process_request(ctx)
+        assert user_token.user.last_login_time is not None
+        assert user_token.last_usage_time is not None
+
+
+def test_process_request_basic_auth_valid(context_factory, user_factory):
+    user = user_factory()
+    ctx = context_factory(
+        headers={
+            'Authorization': 'Basic dGVzdFVzZXI6dGVzdFBhc3N3b3Jk'
+        })
+    with patch('szurubooru.func.auth.is_valid_password'), \
+            patch('szurubooru.func.users.get_user_by_name'):
+        users.get_user_by_name.return_value = user
+        auth.is_valid_password.return_value = True
+        authenticator.process_request(ctx)
+        assert ctx.user == user
+
+
+def test_process_request_token_auth_valid(context_factory, user_token_factory):
+    user_token = user_token_factory()
+    ctx = context_factory(
+        headers={
+            'Authorization': 'Token dGVzdFVzZXI6dGVzdFRva2Vu'
+        })
+    with patch('szurubooru.func.auth.is_valid_token'), \
+            patch('szurubooru.func.users.get_user_by_name'), \
+            patch('szurubooru.func.user_tokens.get_by_user_and_token'):
+        users.get_user_by_name.return_value = user_token.user
+        user_tokens.get_by_user_and_token.return_value = user_token
+        auth.is_valid_token.return_value = True
+        authenticator.process_request(ctx)
+        assert ctx.user == user_token.user
+
+
+def test_process_request_bad_header(context_factory):
+    ctx = context_factory(
+        headers={
+            'Authorization': 'Secret SuperSecretValue'
+        })
+    with pytest.raises(errors.HttpBadRequest):
+        authenticator.process_request(ctx)
diff --git a/server/szurubooru/tests/model/__init__.py b/server/szurubooru/tests/model/__init__.py
new file mode 100644
index 00000000..e69de29b
diff --git a/server/szurubooru/tests/db/test_comment.py b/server/szurubooru/tests/model/test_comment.py
similarity index 74%
rename from server/szurubooru/tests/db/test_comment.py
rename to server/szurubooru/tests/model/test_comment.py
index 9a78f952..ffd51893 100644
--- a/server/szurubooru/tests/db/test_comment.py
+++ b/server/szurubooru/tests/model/test_comment.py
@@ -1,11 +1,11 @@
 from datetime import datetime
-from szurubooru import db
+from szurubooru import db, model
 
 
 def test_saving_comment(user_factory, post_factory):
     user = user_factory()
     post = post_factory()
-    comment = db.Comment()
+    comment = model.Comment()
     comment.text = 'long text' * 1000
     comment.user = user
     comment.post = post
@@ -29,7 +29,7 @@ def test_cascade_deletions(comment_factory, user_factory, post_factory):
     db.session.add_all([user, comment])
     db.session.flush()
 
-    score = db.CommentScore()
+    score = model.CommentScore()
     score.comment = comment
     score.user = user
     score.time = datetime(1997, 1, 1)
@@ -39,14 +39,14 @@ def test_cascade_deletions(comment_factory, user_factory, post_factory):
 
     assert not db.session.dirty
     assert comment.user is not None and comment.user.user_id is not None
-    assert db.session.query(db.User).count() == 1
-    assert db.session.query(db.Comment).count() == 1
-    assert db.session.query(db.CommentScore).count() == 1
+    assert db.session.query(model.User).count() == 1
+    assert db.session.query(model.Comment).count() == 1
+    assert db.session.query(model.CommentScore).count() == 1
 
     db.session.delete(comment)
     db.session.commit()
 
     assert not db.session.dirty
-    assert db.session.query(db.User).count() == 1
-    assert db.session.query(db.Comment).count() == 0
-    assert db.session.query(db.CommentScore).count() == 0
+    assert db.session.query(model.User).count() == 1
+    assert db.session.query(model.Comment).count() == 0
+    assert db.session.query(model.CommentScore).count() == 0
diff --git a/server/szurubooru/tests/db/test_post.py b/server/szurubooru/tests/model/test_post.py
similarity index 68%
rename from server/szurubooru/tests/db/test_post.py
rename to server/szurubooru/tests/model/test_post.py
index c0213535..ee691460 100644
--- a/server/szurubooru/tests/db/test_post.py
+++ b/server/szurubooru/tests/model/test_post.py
@@ -1,5 +1,15 @@
 from datetime import datetime
-from szurubooru import db
+import pytest
+from szurubooru import db, model
+
+
+@pytest.fixture(autouse=True)
+def inject_config(config_injector):
+    config_injector({
+        'secret': 'secret',
+        'data_dir': '',
+        'delete_source_files': False
+    })
 
 
 def test_saving_post(post_factory, user_factory, tag_factory):
@@ -8,7 +18,7 @@ def test_saving_post(post_factory, user_factory, tag_factory):
     tag2 = tag_factory()
     related_post1 = post_factory()
     related_post2 = post_factory()
-    post = db.Post()
+    post = model.Post()
     post.safety = 'safety'
     post.type = 'type'
     post.checksum = 'deadbeef'
@@ -54,20 +64,20 @@ def test_cascade_deletions(
         user, tag1, tag2, post, related_post1, related_post2, comment])
     db.session.flush()
 
-    score = db.PostScore()
+    score = model.PostScore()
     score.post = post
     score.user = user
     score.time = datetime(1997, 1, 1)
     score.score = 1
-    favorite = db.PostFavorite()
+    favorite = model.PostFavorite()
     favorite.post = post
     favorite.user = user
     favorite.time = datetime(1997, 1, 1)
-    feature = db.PostFeature()
+    feature = model.PostFeature()
     feature.post = post
     feature.user = user
     feature.time = datetime(1997, 1, 1)
-    note = db.PostNote()
+    note = model.PostNote()
     note.post = post
     note.polygon = ''
     note.text = ''
@@ -88,31 +98,31 @@ def test_cascade_deletions(
     assert not db.session.dirty
     assert post.user is not None and post.user.user_id is not None
     assert len(post.relations) == 1
-    assert db.session.query(db.User).count() == 1
-    assert db.session.query(db.Tag).count() == 2
-    assert db.session.query(db.Post).count() == 3
-    assert db.session.query(db.PostTag).count() == 2
-    assert db.session.query(db.PostRelation).count() == 2
-    assert db.session.query(db.PostScore).count() == 1
-    assert db.session.query(db.PostNote).count() == 1
-    assert db.session.query(db.PostFeature).count() == 1
-    assert db.session.query(db.PostFavorite).count() == 1
-    assert db.session.query(db.Comment).count() == 1
+    assert db.session.query(model.User).count() == 1
+    assert db.session.query(model.Tag).count() == 2
+    assert db.session.query(model.Post).count() == 3
+    assert db.session.query(model.PostTag).count() == 2
+    assert db.session.query(model.PostRelation).count() == 2
+    assert db.session.query(model.PostScore).count() == 1
+    assert db.session.query(model.PostNote).count() == 1
+    assert db.session.query(model.PostFeature).count() == 1
+    assert db.session.query(model.PostFavorite).count() == 1
+    assert db.session.query(model.Comment).count() == 1
 
     db.session.delete(post)
     db.session.commit()
 
     assert not db.session.dirty
-    assert db.session.query(db.User).count() == 1
-    assert db.session.query(db.Tag).count() == 2
-    assert db.session.query(db.Post).count() == 2
-    assert db.session.query(db.PostTag).count() == 0
-    assert db.session.query(db.PostRelation).count() == 0
-    assert db.session.query(db.PostScore).count() == 0
-    assert db.session.query(db.PostNote).count() == 0
-    assert db.session.query(db.PostFeature).count() == 0
-    assert db.session.query(db.PostFavorite).count() == 0
-    assert db.session.query(db.Comment).count() == 0
+    assert db.session.query(model.User).count() == 1
+    assert db.session.query(model.Tag).count() == 2
+    assert db.session.query(model.Post).count() == 2
+    assert db.session.query(model.PostTag).count() == 0
+    assert db.session.query(model.PostRelation).count() == 0
+    assert db.session.query(model.PostScore).count() == 0
+    assert db.session.query(model.PostNote).count() == 0
+    assert db.session.query(model.PostFeature).count() == 0
+    assert db.session.query(model.PostFavorite).count() == 0
+    assert db.session.query(model.Comment).count() == 0
 
 
 def test_tracking_tag_count(post_factory, tag_factory):
diff --git a/server/szurubooru/tests/db/test_tag.py b/server/szurubooru/tests/model/test_tag.py
similarity index 74%
rename from server/szurubooru/tests/db/test_tag.py
rename to server/szurubooru/tests/model/test_tag.py
index 02134d69..b677eeff 100644
--- a/server/szurubooru/tests/db/test_tag.py
+++ b/server/szurubooru/tests/model/test_tag.py
@@ -1,5 +1,15 @@
 from datetime import datetime
-from szurubooru import db
+import pytest
+from szurubooru import db, model
+
+
+@pytest.fixture(autouse=True)
+def inject_config(config_injector):
+    config_injector({
+        'delete_source_files': False,
+        'secret': 'secret',
+        'data_dir': ''
+    })
 
 
 def test_saving_tag(tag_factory):
@@ -7,11 +17,11 @@ def test_saving_tag(tag_factory):
     sug2 = tag_factory(names=['sug2'])
     imp1 = tag_factory(names=['imp1'])
     imp2 = tag_factory(names=['imp2'])
-    tag = db.Tag()
-    tag.names = [db.TagName('alias1', 0), db.TagName('alias2', 1)]
+    tag = model.Tag()
+    tag.names = [model.TagName('alias1', 0), model.TagName('alias2', 1)]
     tag.suggestions = []
     tag.implications = []
-    tag.category = db.TagCategory('category')
+    tag.category = model.TagCategory('category')
     tag.creation_time = datetime(1997, 1, 1)
     tag.last_edit_time = datetime(1998, 1, 1)
     db.session.add_all([tag, sug1, sug2, imp1, imp2])
@@ -28,11 +38,12 @@ def test_saving_tag(tag_factory):
     tag.implications.append(imp2)
     db.session.commit()
 
-    tag = db.session \
-        .query(db.Tag) \
-        .join(db.TagName) \
-        .filter(db.TagName.name == 'alias1') \
-        .one()
+    tag = (
+        db.session
+        .query(model.Tag)
+        .join(model.TagName)
+        .filter(model.TagName.name == 'alias1')
+        .one())
     assert [tag_name.name for tag_name in tag.names] == ['alias1', 'alias2']
     assert tag.category.name == 'category'
     assert tag.creation_time == datetime(1997, 1, 1)
@@ -48,11 +59,11 @@ def test_cascade_deletions(tag_factory):
     sug2 = tag_factory(names=['sug2'])
     imp1 = tag_factory(names=['imp1'])
     imp2 = tag_factory(names=['imp2'])
-    tag = db.Tag()
-    tag.names = [db.TagName('alias1', 0), db.TagName('alias2', 1)]
+    tag = model.Tag()
+    tag.names = [model.TagName('alias1', 0), model.TagName('alias2', 1)]
     tag.suggestions = []
     tag.implications = []
-    tag.category = db.TagCategory('category')
+    tag.category = model.TagCategory('category')
     tag.creation_time = datetime(1997, 1, 1)
     tag.last_edit_time = datetime(1998, 1, 1)
     tag.post_count = 1
@@ -72,10 +83,10 @@ def test_cascade_deletions(tag_factory):
 
     db.session.delete(tag)
     db.session.commit()
-    assert db.session.query(db.Tag).count() == 4
-    assert db.session.query(db.TagName).count() == 4
-    assert db.session.query(db.TagImplication).count() == 0
-    assert db.session.query(db.TagSuggestion).count() == 0
+    assert db.session.query(model.Tag).count() == 4
+    assert db.session.query(model.TagName).count() == 4
+    assert db.session.query(model.TagImplication).count() == 0
+    assert db.session.query(model.TagSuggestion).count() == 0
 
 
 def test_tracking_post_count(post_factory, tag_factory):
diff --git a/server/szurubooru/tests/db/test_user.py b/server/szurubooru/tests/model/test_user.py
similarity index 66%
rename from server/szurubooru/tests/db/test_user.py
rename to server/szurubooru/tests/model/test_user.py
index 59933e36..08875fa2 100644
--- a/server/szurubooru/tests/db/test_user.py
+++ b/server/szurubooru/tests/model/test_user.py
@@ -1,16 +1,16 @@
 from datetime import datetime
-from szurubooru import db
+from szurubooru import db, model
 
 
 def test_saving_user():
-    user = db.User()
+    user = model.User()
     user.name = 'name'
     user.password_salt = 'salt'
     user.password_hash = 'hash'
     user.email = 'email'
     user.rank = 'rank'
     user.creation_time = datetime(1997, 1, 1)
-    user.avatar_style = db.User.AVATAR_GRAVATAR
+    user.avatar_style = model.User.AVATAR_GRAVATAR
     db.session.add(user)
     db.session.flush()
     db.session.refresh(user)
@@ -21,7 +21,7 @@ def test_saving_user():
     assert user.email == 'email'
     assert user.rank == 'rank'
     assert user.creation_time == datetime(1997, 1, 1)
-    assert user.avatar_style == db.User.AVATAR_GRAVATAR
+    assert user.avatar_style == model.User.AVATAR_GRAVATAR
 
 
 def test_upload_count(user_factory, post_factory):
@@ -61,8 +61,8 @@ def test_favorite_count(user_factory, post_factory):
     post1 = post_factory()
     post2 = post_factory()
     db.session.add_all([
-        db.PostFavorite(post=post1, time=datetime.utcnow(), user=user1),
-        db.PostFavorite(post=post2, time=datetime.utcnow(), user=user2),
+        model.PostFavorite(post=post1, time=datetime.utcnow(), user=user1),
+        model.PostFavorite(post=post2, time=datetime.utcnow(), user=user2),
     ])
     db.session.flush()
     db.session.refresh(user1)
@@ -79,8 +79,10 @@ def test_liked_post_count(user_factory, post_factory):
     post1 = post_factory()
     post2 = post_factory()
     db.session.add_all([
-        db.PostScore(post=post1, time=datetime.utcnow(), user=user1, score=1),
-        db.PostScore(post=post2, time=datetime.utcnow(), user=user2, score=1),
+        model.PostScore(
+            post=post1, time=datetime.utcnow(), user=user1, score=1),
+        model.PostScore(
+            post=post2, time=datetime.utcnow(), user=user2, score=1),
     ])
     db.session.flush()
     db.session.refresh(user1)
@@ -98,8 +100,10 @@ def test_disliked_post_count(user_factory, post_factory):
     post1 = post_factory()
     post2 = post_factory()
     db.session.add_all([
-        db.PostScore(post=post1, time=datetime.utcnow(), user=user1, score=-1),
-        db.PostScore(post=post2, time=datetime.utcnow(), user=user2, score=1),
+        model.PostScore(
+            post=post1, time=datetime.utcnow(), user=user1, score=-1),
+        model.PostScore(
+            post=post2, time=datetime.utcnow(), user=user2, score=1),
     ])
     db.session.flush()
     db.session.refresh(user1)
@@ -114,34 +118,34 @@ def test_cascade_deletions(post_factory, user_factory, comment_factory):
     post = post_factory()
     post.user = user
 
-    post_score = db.PostScore()
+    post_score = model.PostScore()
     post_score.post = post
     post_score.user = user
     post_score.time = datetime(1997, 1, 1)
     post_score.score = 1
     post.scores.append(post_score)
 
-    post_favorite = db.PostFavorite()
+    post_favorite = model.PostFavorite()
     post_favorite.post = post
     post_favorite.user = user
     post_favorite.time = datetime(1997, 1, 1)
     post.favorited_by.append(post_favorite)
 
-    post_feature = db.PostFeature()
+    post_feature = model.PostFeature()
     post_feature.post = post
     post_feature.user = user
     post_feature.time = datetime(1997, 1, 1)
     post.features.append(post_feature)
 
     comment = comment_factory(post=post, user=user)
-    comment_score = db.CommentScore()
+    comment_score = model.CommentScore()
     comment_score.comment = comment
     comment_score.user = user
     comment_score.time = datetime(1997, 1, 1)
     comment_score.score = 1
     comment.scores.append(comment_score)
 
-    snapshot = db.Snapshot()
+    snapshot = model.Snapshot()
     snapshot.user = user
     snapshot.creation_time = datetime(1997, 1, 1)
     snapshot.resource_type = '-'
@@ -154,27 +158,27 @@ def test_cascade_deletions(post_factory, user_factory, comment_factory):
 
     assert not db.session.dirty
     assert post.user is not None and post.user.user_id is not None
-    assert db.session.query(db.User).count() == 1
-    assert db.session.query(db.Post).count() == 1
-    assert db.session.query(db.PostScore).count() == 1
-    assert db.session.query(db.PostFeature).count() == 1
-    assert db.session.query(db.PostFavorite).count() == 1
-    assert db.session.query(db.Comment).count() == 1
-    assert db.session.query(db.CommentScore).count() == 1
-    assert db.session.query(db.Snapshot).count() == 1
+    assert db.session.query(model.User).count() == 1
+    assert db.session.query(model.Post).count() == 1
+    assert db.session.query(model.PostScore).count() == 1
+    assert db.session.query(model.PostFeature).count() == 1
+    assert db.session.query(model.PostFavorite).count() == 1
+    assert db.session.query(model.Comment).count() == 1
+    assert db.session.query(model.CommentScore).count() == 1
+    assert db.session.query(model.Snapshot).count() == 1
 
     db.session.delete(user)
     db.session.commit()
 
     assert not db.session.dirty
-    assert db.session.query(db.User).count() == 0
-    assert db.session.query(db.Post).count() == 1
-    assert db.session.query(db.Post)[0].user is None
-    assert db.session.query(db.PostScore).count() == 0
-    assert db.session.query(db.PostFeature).count() == 0
-    assert db.session.query(db.PostFavorite).count() == 0
-    assert db.session.query(db.Comment).count() == 1
-    assert db.session.query(db.Comment)[0].user is None
-    assert db.session.query(db.CommentScore).count() == 0
-    assert db.session.query(db.Snapshot).count() == 1
-    assert db.session.query(db.Snapshot)[0].user is None
+    assert db.session.query(model.User).count() == 0
+    assert db.session.query(model.Post).count() == 1
+    assert db.session.query(model.Post)[0].user is None
+    assert db.session.query(model.PostScore).count() == 0
+    assert db.session.query(model.PostFeature).count() == 0
+    assert db.session.query(model.PostFavorite).count() == 0
+    assert db.session.query(model.Comment).count() == 1
+    assert db.session.query(model.Comment)[0].user is None
+    assert db.session.query(model.CommentScore).count() == 0
+    assert db.session.query(model.Snapshot).count() == 1
+    assert db.session.query(model.Snapshot)[0].user is None
diff --git a/server/szurubooru/tests/model/test_user_token.py b/server/szurubooru/tests/model/test_user_token.py
new file mode 100644
index 00000000..0280082e
--- /dev/null
+++ b/server/szurubooru/tests/model/test_user_token.py
@@ -0,0 +1,14 @@
+from datetime import datetime
+from szurubooru import db
+
+
+def test_saving_user_token(user_token_factory):
+    user_token = user_token_factory()
+    db.session.add(user_token)
+    db.session.flush()
+    db.session.refresh(user_token)
+    assert not db.session.dirty
+    assert user_token.user is not None
+    assert user_token.token == 'dummy'
+    assert user_token.enabled is True
+    assert user_token.creation_time == datetime(1997, 1, 1)
diff --git a/server/szurubooru/tests/rest/test_context.py b/server/szurubooru/tests/rest/test_context.py
index 7380a855..681d9d70 100644
--- a/server/szurubooru/tests/rest/test_context.py
+++ b/server/szurubooru/tests/rest/test_context.py
@@ -6,61 +6,68 @@ from szurubooru.func import net
 
 
 def test_has_param():
-    ctx = rest.Context(method=None, url=None, params={'key': 'value'})
+    ctx = rest.Context(env={}, method=None, url=None, params={'key': 'value'})
     assert ctx.has_param('key')
-    assert not ctx.has_param('key2')
+    assert not ctx.has_param('non-existing')
 
 
 def test_get_file():
-    ctx = rest.Context(method=None, url=None, files={'key': b'content'})
+    ctx = rest.Context(
+        env={}, method=None, url=None, files={'key': b'content'})
     assert ctx.get_file('key') == b'content'
-    assert ctx.get_file('key2') is None
+    with pytest.raises(errors.ValidationError):
+        ctx.get_file('non-existing')
 
 
 def test_get_file_from_url():
     with unittest.mock.patch('szurubooru.func.net.download'):
         net.download.return_value = b'content'
         ctx = rest.Context(
-            method=None, url=None, params={'keyUrl': 'example.com'})
+            env={}, method=None, url=None, params={'keyUrl': 'example.com'})
         assert ctx.get_file('key') == b'content'
-        assert ctx.get_file('key2') is None
         net.download.assert_called_once_with('example.com')
+        with pytest.raises(errors.ValidationError):
+            assert ctx.get_file('non-existing')
 
 
 def test_getting_list_parameter():
     ctx = rest.Context(
-        method=None, url=None, params={'key': 'value', 'list': list('123')})
+        env={},
+        method=None,
+        url=None,
+        params={'key': 'value', 'list': ['1', '2', '3']})
     assert ctx.get_param_as_list('key') == ['value']
-    assert ctx.get_param_as_list('key2') is None
-    assert ctx.get_param_as_list('key2', default=['def']) == ['def']
     assert ctx.get_param_as_list('list') == ['1', '2', '3']
     with pytest.raises(errors.ValidationError):
-        ctx.get_param_as_list('key2', required=True)
+        ctx.get_param_as_list('non-existing')
+    assert ctx.get_param_as_list('non-existing', default=['def']) == ['def']
 
 
 def test_getting_string_parameter():
     ctx = rest.Context(
-        method=None, url=None, params={'key': 'value', 'list': list('123')})
+        env={},
+        method=None,
+        url=None,
+        params={'key': 'value', 'list': ['1', '2', '3']})
     assert ctx.get_param_as_string('key') == 'value'
-    assert ctx.get_param_as_string('key2') is None
-    assert ctx.get_param_as_string('key2', default='def') == 'def'
     assert ctx.get_param_as_string('list') == '1,2,3'
     with pytest.raises(errors.ValidationError):
-        ctx.get_param_as_string('key2', required=True)
+        ctx.get_param_as_string('non-existing')
+    assert ctx.get_param_as_string('non-existing', default='x') == 'x'
 
 
 def test_getting_int_parameter():
     ctx = rest.Context(
+        env={},
         method=None,
         url=None,
         params={'key': '50', 'err': 'invalid', 'list': [1, 2, 3]})
     assert ctx.get_param_as_int('key') == 50
-    assert ctx.get_param_as_int('key2') is None
-    assert ctx.get_param_as_int('key2', default=5) == 5
     with pytest.raises(errors.ValidationError):
         ctx.get_param_as_int('list')
     with pytest.raises(errors.ValidationError):
-        ctx.get_param_as_int('key2', required=True)
+        ctx.get_param_as_int('non-existing')
+    assert ctx.get_param_as_int('non-existing', default=5) == 5
     with pytest.raises(errors.ValidationError):
         ctx.get_param_as_int('err')
     with pytest.raises(errors.ValidationError):
@@ -73,7 +80,8 @@ def test_getting_int_parameter():
 
 def test_getting_bool_parameter():
     def test(value):
-        ctx = rest.Context(method=None, url=None, params={'key': value})
+        ctx = rest.Context(
+            env={}, method=None, url=None, params={'key': value})
         return ctx.get_param_as_bool('key')
 
     assert test('1') is True
@@ -101,8 +109,7 @@ def test_getting_bool_parameter():
     with pytest.raises(errors.ValidationError):
         test(['1', '2'])
 
-    ctx = rest.Context(method=None, url=None)
-    assert ctx.get_param_as_bool('non-existing') is None
-    assert ctx.get_param_as_bool('non-existing', default=True) is True
+    ctx = rest.Context(env={}, method=None, url=None)
     with pytest.raises(errors.ValidationError):
-        assert ctx.get_param_as_bool('non-existing', required=True) is None
+        ctx.get_param_as_bool('non-existing')
+    assert ctx.get_param_as_bool('non-existing', default=True) is True
diff --git a/server/szurubooru/tests/search/configs/test_comment_search_config.py b/server/szurubooru/tests/search/configs/test_comment_search_config.py
index f2fe3630..109629bb 100644
--- a/server/szurubooru/tests/search/configs/test_comment_search_config.py
+++ b/server/szurubooru/tests/search/configs/test_comment_search_config.py
@@ -13,7 +13,7 @@ def executor():
 def verify_unpaged(executor):
     def verify(input, expected_comment_text):
         actual_count, actual_comments = executor.execute(
-            input, page=1, page_size=100)
+            input, offset=0, limit=100)
         actual_comment_text = [c.text for c in actual_comments]
         assert actual_count == len(expected_comment_text)
         assert actual_comment_text == expected_comment_text
diff --git a/server/szurubooru/tests/search/configs/test_post_search_config.py b/server/szurubooru/tests/search/configs/test_post_search_config.py
index d5796779..4d541d17 100644
--- a/server/szurubooru/tests/search/configs/test_post_search_config.py
+++ b/server/szurubooru/tests/search/configs/test_post_search_config.py
@@ -1,13 +1,13 @@
 # pylint: disable=redefined-outer-name
 from datetime import datetime
 import pytest
-from szurubooru import db, errors, search
+from szurubooru import db, model, errors, search
 
 
 @pytest.fixture
 def fav_factory(user_factory):
     def factory(post, user=None):
-        return db.PostFavorite(
+        return model.PostFavorite(
             post=post,
             user=user or user_factory(),
             time=datetime.utcnow())
@@ -17,7 +17,7 @@ def fav_factory(user_factory):
 @pytest.fixture
 def score_factory(user_factory):
     def factory(post, user=None, score=1):
-        return db.PostScore(
+        return model.PostScore(
             post=post,
             user=user or user_factory(),
             time=datetime.utcnow(),
@@ -27,8 +27,8 @@ def score_factory(user_factory):
 
 @pytest.fixture
 def note_factory():
-    def factory():
-        return db.PostNote(polygon='...', text='...')
+    def factory(text='...'):
+        return model.PostNote(polygon='...', text=text)
     return factory
 
 
@@ -36,11 +36,11 @@ def note_factory():
 def feature_factory(user_factory):
     def factory(post=None):
         if post:
-            return db.PostFeature(
+            return model.PostFeature(
                 time=datetime.utcnow(),
                 user=user_factory(),
                 post=post)
-        return db.PostFeature(
+        return model.PostFeature(
             time=datetime.utcnow(), user=user_factory())
     return factory
 
@@ -65,7 +65,7 @@ def auth_executor(executor, user_factory):
 def verify_unpaged(executor):
     def verify(input, expected_post_ids, test_order=False):
         actual_count, actual_posts = executor.execute(
-            input, page=1, page_size=100)
+            input, offset=0, limit=100)
         actual_post_ids = list([p.post_id for p in actual_posts])
         if not test_order:
             actual_post_ids = sorted(actual_post_ids)
@@ -123,7 +123,7 @@ def test_filter_by_score(
     post3 = post_factory(id=3)
     for post in [post1, post2, post3]:
         db.session.add(
-            db.PostScore(
+            model.PostScore(
                 score=post.post_id,
                 time=datetime.utcnow(),
                 post=post,
@@ -294,6 +294,25 @@ def test_filter_by_note_count(
     verify_unpaged(input, expected_post_ids)
 
 
+@pytest.mark.parametrize('input,expected_post_ids', [
+    ('note-text:*', [1, 2, 3]),
+    ('note-text:text2', [2]),
+    ('note-text:text3*', [3]),
+    ('note-text:text3a,text2', [2, 3]),
+])
+def test_filter_by_note_text(
+        verify_unpaged, post_factory, note_factory, input, expected_post_ids):
+    post1 = post_factory(id=1)
+    post2 = post_factory(id=2)
+    post3 = post_factory(id=3)
+    post1.notes = [note_factory(text='text1')]
+    post2.notes = [note_factory(text='text2'), note_factory(text='text2')]
+    post3.notes = [note_factory(text='text3a'), note_factory(text='text3b')]
+    db.session.add_all([post1, post2, post3])
+    db.session.flush()
+    verify_unpaged(input, expected_post_ids)
+
+
 @pytest.mark.parametrize('input,expected_post_ids', [
     ('feature-count:1', [1]),
     ('feature-count:3', [3]),
@@ -332,10 +351,10 @@ def test_filter_by_type(
     post2 = post_factory(id=2)
     post3 = post_factory(id=3)
     post4 = post_factory(id=4)
-    post1.type = db.Post.TYPE_IMAGE
-    post2.type = db.Post.TYPE_ANIMATION
-    post3.type = db.Post.TYPE_VIDEO
-    post4.type = db.Post.TYPE_FLASH
+    post1.type = model.Post.TYPE_IMAGE
+    post2.type = model.Post.TYPE_ANIMATION
+    post3.type = model.Post.TYPE_VIDEO
+    post4.type = model.Post.TYPE_FLASH
     db.session.add_all([post1, post2, post3, post4])
     db.session.flush()
     verify_unpaged(input, expected_post_ids)
@@ -352,9 +371,9 @@ def test_filter_by_safety(
     post1 = post_factory(id=1)
     post2 = post_factory(id=2)
     post3 = post_factory(id=3)
-    post1.safety = db.Post.SAFETY_SAFE
-    post2.safety = db.Post.SAFETY_SKETCHY
-    post3.safety = db.Post.SAFETY_UNSAFE
+    post1.safety = model.Post.SAFETY_SAFE
+    post2.safety = model.Post.SAFETY_SKETCHY
+    post3.safety = model.Post.SAFETY_UNSAFE
     db.session.add_all([post1, post2, post3])
     db.session.flush()
     verify_unpaged(input, expected_post_ids)
@@ -362,7 +381,7 @@ def test_filter_by_safety(
 
 def test_filter_by_invalid_type(executor):
     with pytest.raises(errors.SearchError):
-        executor.execute('type:invalid', page=1, page_size=100)
+        executor.execute('type:invalid', offset=0, limit=100)
 
 
 @pytest.mark.parametrize('input,expected_post_ids', [
@@ -403,31 +422,45 @@ def test_filter_by_file_size(
 
 @pytest.mark.parametrize('input,expected_post_ids', [
     ('image-width:100', [1]),
-    ('image-width:102', [3]),
-    ('image-width:100,102', [1, 3]),
+    ('image-width:200', [2]),
+    ('image-width:100,300', [1, 3]),
     ('image-height:200', [1]),
-    ('image-height:202', [3]),
-    ('image-height:200,202', [1, 3]),
-    ('image-area:20000', [1]),
-    ('image-area:20604', [3]),
-    ('image-area:20000,20604', [1, 3]),
+    ('image-height:100', [2]),
+    ('image-height:200,300', [1, 3]),
+    ('image-area:20000', [1, 2]),
+    ('image-area:90000', [3]),
+    ('image-area:20000,90000', [1, 2, 3]),
+    ('image-ar:1', [3]),
+    ('image-ar:..0.9', [1, 4]),
+    ('image-ar:1.1..', [2]),
+    ('image-ar:1/1..1/1', [3]),
+    ('image-ar:1:1..1:1', [3]),
+    ('image-ar:0.62..0.63', [4]),
 ])
 def test_filter_by_image_size(
         verify_unpaged, post_factory, input, expected_post_ids):
     post1 = post_factory(id=1)
     post2 = post_factory(id=2)
     post3 = post_factory(id=3)
+    post4 = post_factory(id=4)
     post1.canvas_width = 100
-    post2.canvas_width = 101
-    post3.canvas_width = 102
     post1.canvas_height = 200
-    post2.canvas_height = 201
-    post3.canvas_height = 202
-    db.session.add_all([post1, post2, post3])
+    post2.canvas_width = 200
+    post2.canvas_height = 100
+    post3.canvas_width = 300
+    post3.canvas_height = 300
+    post4.canvas_width = 480
+    post4.canvas_height = 767
+    db.session.add_all([post1, post2, post3, post4])
     db.session.flush()
     verify_unpaged(input, expected_post_ids)
 
 
+def test_filter_by_invalid_aspect_ratio(executor):
+    with pytest.raises(errors.SearchError):
+        executor.execute('image-ar:1:1:1', offset=0, limit=100)
+
+
 @pytest.mark.parametrize('input,expected_post_ids', [
     ('creation-date:2014', [1]),
     ('creation-date:2016', [3]),
@@ -673,7 +706,7 @@ def test_own_disliked(
 ])
 def test_someones_score(executor, input):
     with pytest.raises(errors.SearchError):
-        executor.execute(input, page=1, page_size=100)
+        executor.execute(input, offset=0, limit=100)
 
 
 def test_own_fav(
diff --git a/server/szurubooru/tests/search/configs/test_tag_search_config.py b/server/szurubooru/tests/search/configs/test_tag_search_config.py
index 83609433..8ea107f1 100644
--- a/server/szurubooru/tests/search/configs/test_tag_search_config.py
+++ b/server/szurubooru/tests/search/configs/test_tag_search_config.py
@@ -13,7 +13,7 @@ def executor():
 def verify_unpaged(executor):
     def verify(input, expected_tag_names):
         actual_count, actual_tags = executor.execute(
-            input, page=1, page_size=100)
+            input, offset=0, limit=100)
         actual_tag_names = [u.names[0].name for u in actual_tags]
         assert actual_count == len(expected_tag_names)
         assert actual_tag_names == expected_tag_names
@@ -35,10 +35,77 @@ def test_filter_anonymous(
     verify_unpaged(input, expected_tag_names)
 
 
+@pytest.mark.parametrize('db_driver,input,expected_tag_names', [
+    (None, ',', None),
+    (None, 't1,', None),
+    (None, 't1,t2', ['t1', 't2']),
+    (None, 't1\\,', []),
+    (None, 'asd..asd', None),
+    (None, 'asd\\..asd', []),
+    (None, 'asd.\\.asd', []),
+    (None, 'asd\\.\\.asd', []),
+    (None, '-', None),
+    (None, '\\-', ['-']),
+    (None, '--', [
+        't1', 't2', '*', '*asd*', ':', 'asd:asd', '\\', '\\asd', '-asd',
+    ]),
+    (None, '\\--', []),
+    (None, '-\\-', [
+        't1', 't2', '*', '*asd*', ':', 'asd:asd', '\\', '\\asd', '-asd',
+    ]),
+    (None, '-*', []),
+    (None, '\\-*', ['-', '-asd']),
+    (None, ':', None),
+    (None, '\\:', [':']),
+    (None, '\\:asd', []),
+    (None, '*\\:*', [':', 'asd:asd']),
+    (None, 'asd:asd', None),
+    (None, 'asd\\:asd', ['asd:asd']),
+    (None, '*', [
+        't1', 't2', '*', '*asd*', ':', 'asd:asd', '\\', '\\asd', '-', '-asd'
+    ]),
+    (None, '\\*', ['*']),
+    (None, '\\', None),
+    (None, '\\asd', None),
+    ('psycopg2', '\\\\', ['\\']),
+    ('psycopg2', '\\\\asd', ['\\asd']),
+])
+def test_escaping(
+        executor, tag_factory, input, expected_tag_names, db_driver):
+    db.session.add_all([
+        tag_factory(names=['t1']),
+        tag_factory(names=['t2']),
+        tag_factory(names=['*']),
+        tag_factory(names=['*asd*']),
+        tag_factory(names=[':']),
+        tag_factory(names=['asd:asd']),
+        tag_factory(names=['\\']),
+        tag_factory(names=['\\asd']),
+        tag_factory(names=['-']),
+        tag_factory(names=['-asd'])
+    ])
+    db.session.flush()
+
+    if db_driver:
+        if db.sessionmaker.kw['bind'].driver != db_driver:
+            pytest.xfail()
+    if expected_tag_names is None:
+        with pytest.raises(errors.SearchError):
+            executor.execute(input, offset=0, limit=100)
+    else:
+        actual_count, actual_tags = executor.execute(
+            input, offset=0, limit=100)
+        actual_tag_names = [u.names[0].name for u in actual_tags]
+        assert actual_count == len(expected_tag_names)
+        assert sorted(actual_tag_names) == sorted(expected_tag_names)
+
+
 def test_filter_anonymous_starting_with_colon(verify_unpaged, tag_factory):
     db.session.add(tag_factory(names=[':t']))
     db.session.flush()
-    verify_unpaged(':t', [':t'])
+    with pytest.raises(errors.SearchError):
+        verify_unpaged(':t', [':t'])
+    verify_unpaged('\\:t', [':t'])
 
 
 @pytest.mark.parametrize('input,expected_tag_names', [
@@ -183,7 +250,7 @@ def test_filter_by_post_count(
 ])
 def test_filter_by_invalid_input(executor, input):
     with pytest.raises(errors.SearchError):
-        executor.execute(input, page=1, page_size=100)
+        executor.execute(input, offset=0, limit=100)
 
 
 @pytest.mark.parametrize('input,expected_tag_names', [
diff --git a/server/szurubooru/tests/search/configs/test_user_search_config.py b/server/szurubooru/tests/search/configs/test_user_search_config.py
index f54ba456..c4d9402a 100644
--- a/server/szurubooru/tests/search/configs/test_user_search_config.py
+++ b/server/szurubooru/tests/search/configs/test_user_search_config.py
@@ -13,7 +13,7 @@ def executor():
 def verify_unpaged(executor):
     def verify(input, expected_user_names):
         actual_count, actual_users = executor.execute(
-            input, page=1, page_size=100)
+            input, offset=0, limit=100)
         actual_user_names = [u.name for u in actual_users]
         assert actual_count == len(expected_user_names)
         assert actual_user_names == expected_user_names
@@ -86,12 +86,24 @@ def test_filter_by_name(
 
 @pytest.mark.parametrize('input,expected_user_names', [
     ('name:u1', ['u1']),
-    ('name:u2..', ['u2..']),
     ('name:u2*', ['u2..']),
-    ('name:*..*', ['u2..', 'u3..x']),
-    ('name:u3..x', ['u3..x']),
-    ('name:*..x', ['u3..x']),
     ('name:u1,u3..x', ['u1', 'u3..x']),
+    ('name:u2..', None),
+    ('name:*..*', None),
+    ('name:u3..x', None),
+    ('name:*..x', None),
+    ('name:u2\\..', ['u2..']),
+    ('name:*\\..*', ['u2..', 'u3..x']),
+    ('name:u3\\..x', ['u3..x']),
+    ('name:*\\..x', ['u3..x']),
+    ('name:u2.\\.', ['u2..']),
+    ('name:*.\\.*', ['u2..', 'u3..x']),
+    ('name:u3.\\.x', ['u3..x']),
+    ('name:*.\\.x', ['u3..x']),
+    ('name:u2\\.\\.', ['u2..']),
+    ('name:*\\.\\.*', ['u2..', 'u3..x']),
+    ('name:u3\\.\\.x', ['u3..x']),
+    ('name:*\\.\\.x', ['u3..x']),
 ])
 def test_filter_by_name_that_looks_like_range(
         verify_unpaged, input, expected_user_names, user_factory):
@@ -99,7 +111,11 @@ def test_filter_by_name_that_looks_like_range(
     db.session.add(user_factory(name='u2..'))
     db.session.add(user_factory(name='u3..x'))
     db.session.flush()
-    verify_unpaged(input, expected_user_names)
+    if not expected_user_names:
+        with pytest.raises(errors.SearchError):
+            verify_unpaged(input, expected_user_names)
+    else:
+        verify_unpaged(input, expected_user_names)
 
 
 @pytest.mark.parametrize('input,expected_user_names', [
@@ -135,21 +151,24 @@ def test_combining_tokens(
 
 
 @pytest.mark.parametrize(
-    'page,page_size,expected_total_count,expected_user_names', [
-        (1, 1, 2, ['u1']),
-        (2, 1, 2, ['u2']),
-        (3, 1, 2, []),
+    'offset,limit,expected_total_count,expected_user_names', [
         (0, 1, 2, ['u1']),
+        (1, 1, 2, ['u2']),
+        (2, 1, 2, []),
+        (-1, 1, 2, []),
+        (-1, 2, 2, ['u1']),
+        (0, 2, 2, ['u1', 'u2']),
+        (3, 1, 2, []),
         (0, 0, 2, []),
     ])
 def test_paging(
-        executor, user_factory, page, page_size,
+        executor, user_factory, offset, limit,
         expected_total_count, expected_user_names):
     db.session.add(user_factory(name='u1'))
     db.session.add(user_factory(name='u2'))
     db.session.flush()
     actual_count, actual_users = executor.execute(
-        '', page=page, page_size=page_size)
+        '', offset=offset, limit=limit)
     actual_user_names = [u.name for u in actual_users]
     assert actual_count == expected_total_count
     assert actual_user_names == expected_user_names
@@ -222,7 +241,7 @@ def test_random_sort(executor, user_factory):
     db.session.add_all([user3, user1, user2])
     db.session.flush()
     actual_count, actual_users = executor.execute(
-        'sort:random', page=1, page_size=100)
+        'sort:random', offset=0, limit=100)
     actual_user_names = [u.name for u in actual_users]
     assert actual_count == 3
     assert len(actual_user_names) == 3
@@ -251,4 +270,4 @@ def test_random_sort(executor, user_factory):
 ])
 def test_bad_tokens(executor, input, expected_error):
     with pytest.raises(expected_error):
-        executor.execute(input, page=1, page_size=100)
+        executor.execute(input, offset=0, limit=100)
diff --git a/server/test b/server/test
deleted file mode 100755
index df8ae5f5..00000000
--- a/server/test
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/usr/bin/env python3
-import pytest
-import sys
-pytest.main(' '.join([
-    '--cov-report=term-missing',
-    '--cov=szurubooru',
-    ] + (sys.argv[1:] or ['szurubooru'])))
diff --git a/server/wait-for-es b/server/wait-for-es
new file mode 100755
index 00000000..6855c757
--- /dev/null
+++ b/server/wait-for-es
@@ -0,0 +1,33 @@
+#!/usr/bin/env python3
+'''
+Docker helper script. Blocks until the ElasticSearch service is ready.
+'''
+import logging
+import time
+import elasticsearch
+from szurubooru import config, errors
+
+
+def main():
+    print('Looking for ElasticSearch connection...')
+    logging.basicConfig(level=logging.ERROR)
+    es = elasticsearch.Elasticsearch([{
+        'host': config.config['elasticsearch']['host'],
+        'port': config.config['elasticsearch']['port'],
+    }])
+
+    TIMEOUT = 30
+    DELAY = 0.1
+    for _ in range(int(TIMEOUT / DELAY)):
+        try:
+            es.cluster.health(wait_for_status='yellow')
+            print('Connected to ElasticSearch!')
+            return
+        except Exception:
+            time.sleep(DELAY)
+            pass
+    raise errors.ThirdPartyError('Error connecting to ElasticSearch')
+
+
+if __name__ == '__main__':
+    main()