📎 Change version.txt file.

📎 Update changelog.
📎 Minor changes on internal audit module buffers.
2026-01-06 05:18:52 -05:00 · 2021-06-01 15:19:37 +02:00 · 2021-06-01 15:18:26 +02:00 · 2021-06-01 15:14:39 +02:00 · 2021-05-31 12:50:24 +02:00 · 2021-05-31 12:50:24 +02:00
612 changed files with 41077 additions and 18699 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -13,7 +13,7 @@ jobs:
        environment:
          POSTGRES_USER: penpot_test
          POSTGRES_PASSWORD: penpot_test
-          POSTGRES_DB: penpot
+          POSTGRES_DB: penpot_test

      - image: circleci/redis:6.0.8

@@ -45,10 +45,10 @@ jobs:
          name: backend test
          command: "clojure -M:dev:tests"
          environment:
-            PENPOT_DATABASE_URI: "postgresql://localhost/penpot"
-            PENPOT_DATABASE_USERNAME: penpot_test
-            PENPOT_DATABASE_PASSWORD: penpot_test
-            PENPOT_REDIS_URI: "redis://localhost/1"
+            PENPOT_TEST_DATABASE_URI: "postgresql://localhost/penpot_test"
+            PENPOT_TEST_DATABASE_USERNAME: penpot_test
+            PENPOT_TEST_DATABASE_PASSWORD: penpot_test
+            PENPOT_TEST_REDIS_URI: "redis://localhost/1"

      - run:
          working_directory: "./frontend"
@@ -57,7 +57,8 @@ jobs:
            yarn install
            npx shadow-cljs compile tests
          environment:
-            PATH: /usr/local/nodejs/bin/:/usr/local/bin:/bin:/usr/bin
+            JAVA_HOME: /usr/lib/jvm/openjdk16
+            PATH: /usr/local/nodejs/bin/:/usr/local/bin:/bin:/usr/bin:/usr/lib/jvm/openjdk16/bin

      - save_cache:
         paths:
--- a/.gitignore
+++ b/.gitignore
@@ -19,12 +19,14 @@ node_modules
 /backend/dist/
 /backend/logs/
 /backend/-
+/telemetry/
 /frontend/npm-debug.log
 /frontend/target/
 /frontend/dist/
 /frontend/out/
 /frontend/.shadow-cljs
 /frontend/resources/public/*
+/frontend/resources/fonts/experiments
 /exporter/target
 /exporter/.shadow-cljs
 /docker/images/bundle*
--- a/.gitpod.yml
+++ b/.gitpod.yml
@@ -0,0 +1,105 @@
+image:
+  file: docker/gitpod/Dockerfile
+
+ports:
+  # nginx
+  - port: 3449
+    onOpen: open-preview
+
+  # frontend nREPL
+  - port: 3447
+    onOpen: ignore
+    visibility: private
+
+  # frontend shadow server
+  - port: 3448
+    onOpen: ignore
+    visibility: private
+
+  # backend
+  - port: 6060
+    onOpen: ignore
+
+  # exporter shadow server
+  - port: 9630
+    onOpen: ignore
+    visibility: private
+
+  # exporter http server
+  - port: 6061
+    onOpen: ignore
+
+  # mailhog web interface
+  - port: 8025
+    onOpen: ignore
+
+  # mailhog postfix
+  - port: 1025
+    onOpen: ignore
+
+  # postgres
+  - port: 5432
+    onOpen: ignore
+
+  # redis
+  - port: 6379
+    onOpen: ignore
+
+  # openldap
+  - port: 389
+    onOpen: ignore
+
+tasks:
+  # https://github.com/gitpod-io/gitpod/issues/666#issuecomment-534347856
+  - name: gulp
+    command: >
+      cd $GITPOD_REPO_ROOT/frontend/;
+      yarn && gp sync-done 'frontend-yarn';
+      npx gulp --theme=${PENPOT_THEME} watch
+
+  - name: frontend shadow watch
+    command: >
+      cd $GITPOD_REPO_ROOT/frontend/;
+      gp sync-await 'frontend-yarn';
+      npx shadow-cljs watch main
+
+  - init: gp await-port 5432 && psql -f $GITPOD_REPO_ROOT/docker/gitpod/files/postgresql_init.sql
+    name: backend
+    command: >
+      cd $GITPOD_REPO_ROOT/backend/;
+      ./scripts/start-dev
+
+  - name: exporter shadow watch
+    command:
+      cd $GITPOD_REPO_ROOT/exporter/;
+      gp sync-await 'frontend-yarn';
+      yarn && npx shadow-cljs watch main
+
+  - name: exporter web server
+    command: >
+      cd $GITPOD_REPO_ROOT/exporter/;
+      ./scripts/wait-and-start.sh
+
+  - name: signed terminal
+    before: >
+      [[ ! -z ${GNUGPG}  ]] &&
+      cd ~ &&
+      rm -rf .gnupg &&
+      echo ${GNUGPG} | base64 -d | tar --no-same-owner -xzvf -
+    init: >
+      [[ ! -z ${GNUGPG_KEY}  ]] &&
+      git config --global commit.gpgsign true &&
+      git config --global user.signingkey ${GNUGPG_KEY}
+    command: cd $GITPOD_REPO_ROOT
+
+  - name: redis
+    command: redis-server
+
+  - before: go get github.com/mailhog/MailHog
+    name: mailhog
+    command: MailHog
+
+  - name: Nginx
+    command: >
+      nginx &&
+      multitail /var/log/nginx/access.log -I /var/log/nginx/error.log
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,15 +1,191 @@
 # CHANGELOG #

+
 ## :rocket: Next

 ### :sparkles: New features

 ### :bug: Bugs fixed
+### :arrow_up: Deps updates
+### :boom: Breaking changes
+### :heart: Community contributions by (Thank you!)
+
+## 1.6.3-alpha
+
+### :bug: Bugs fixed
+
+- Fix problem with merge and join nodes [#990](https://github.com/penpot/penpot/issues/990)
+- Fix problem with empty path editing.
+- Fix problem with create component.
+- Fix problem with move-objects.
+- Fix problem with merge and join nodes.
+
+## 1.6.2-alpha
+
+### :bug: Bugs fixed
+
+- Add better auth module logging.
+- Add missing `email` scope to OIDC backend.
+- Add missing cause prop on error loging.
+- Fix empty font-family handling on custom fonts page.
+- Fix incorrect unicode code points handling on draft-to-penpot conversion.
+- Fix some problems with paths.
+- Fix unexpected exception on duplicate project.
+- Fix unexpected exception when user leaves typography name empty.
+- Improve error report on uploading invalid image to library.
+- Minor fix on previous commit.
+- Minor improvements on svg uploading on libraries.
+
+
+## 1.6.1-alpha
+
+### :bug: Bugs fixed
+
+- Add safety check on reg-objects change impl.
+- Fix custom fonts embbedding issue.
+- Fix dashboard ordering issue.
+- Fix problem when creating a component with empty data.
+- Fix problem with moving shapes into frames.
+- Fix problems with mov-objects.
+- Fix unexpected excetion related to rounding integers.
+- Fix wrong type usage on libraries changes.
+- Improve editor lifecycle management.
+- Make the navigation async by default.
+
+
+## 1.6.0-alpha
+
+### :sparkles: New features
+
+- Add improved workspace font selector [Taiga US #292](https://tree.taiga.io/project/penpot/us/292).
+- Add option to interactively scale text [Taiga #1527](https://tree.taiga.io/project/penpot/us/1527)
+- Add performance improvements on dashboard data loading.
+- Add performance improvements to indexes handling on workspace.
+- Add the ability to upload/use custom fonts (and automatically generate all needed webfonts) [Taiga US #292](https://tree.taiga.io/project/penpot/us/292).
+- Transform shapes to path on double click
+- Translate automatic names of new files and projects.
+- Use shift instead of ctrl/cmd to keep aspect ratio [Taiga 1697](https://tree.taiga.io/project/penpot/issue/1697).
+- New translations: Portuguese (Brazil) and Romanias. 
+
+
+### :bug: Bugs fixed
+
+- Remove interactions when the destination artboard is deleted [Taiga #1656](https://tree.taiga.io/project/penpot/issue/1656).
+- Fix problem with fonts that ends with numbers [#940](https://github.com/penpot/penpot/issues/940).
+- Fix problem with imported SVG on editing paths [#971](https://github.com/penpot/penpot/issues/971)
+- Fix problem with color picker positioning
+- Fix order on color palette [#961](https://github.com/penpot/penpot/issues/961)
+- Fix issue when group creation leaves an empty group [#1724](https://tree.taiga.io/project/penpot/issue/1724)
+- Fix problem with :multiple for colors and typographies [#1668](https://tree.taiga.io/project/penpot/issue/1668)
+- Fix problem with locked shapes when change parents [#974](https://github.com/penpot/penpot/issues/974)
+- Fix problem with new nodes in paths [#978](https://github.com/penpot/penpot/issues/978)

 ### :arrow_up: Deps updates

+- Update exporter dependencies (puppeteer), that fixes some unexpected exceptions.
+- Update string manipulation library.
+
+
+### :boom: Breaking changes
+
+- The OIDC setting `PENPOT_OIDC_SCOPES` has changed the default semantics. Before this
+  configuration added scopes to the default set. Now it replaces it, so use with care, because
+  penpot requires at least `name` and `email` props found on the user info object.
+
 ### :heart: Community contributions by (Thank you!)

+- Translations: Portuguese (Brazil) and Romanias.
+
+
+## 1.5.4-alpha
+
+### :bug: Bugs fixed
+
+- Fix issues on group rendering.
+- Fix problem with text editing auto-height [Taiga #1683](https://tree.taiga.io/project/penpot/issue/1683)
+
+
+## 1.5.3-alpha
+
+### :bug: Bugs fixed
+
+- Fix problem undo/redo.
+
+## 1.5.2-alpha
+
+### :bug: Bugs fixed
+
+- Fix problem with `close-path` command [#917](https://github.com/penpot/penpot/issues/917)
+- Fix wrong query for obtain the profile default project-id
+- Fix problems with empty paths and shortcuts [#923](https://github.com/penpot/penpot/issues/923)
+
+## 1.5.1-alpha
+
+### :bug: Bugs fixed
+
+- Fix issue with bitmap image clipboard.
+- Fix issue when removing all path points.
+- Increase default team invitation token expiration to 48h.
+- Fix wrong error message when an expired token is used.
+
+
+## 1.5.0-alpha
+
+### :sparkles: New features
+
+- Add integration with gitpod.io (an online IDE) [#807](https://github.com/penpot/penpot/pull/807)
+- Allow basic math operations in inputs [Taiga 1383](https://tree.taiga.io/project/penpot/us/1383)
+- Autocomplete color names in hex inputs [Taiga 1596](https://tree.taiga.io/project/penpot/us/1596)
+- Allow to group assets (components and graphics) [Taiga #1289](https://tree.taiga.io/project/penpot/us/1289)
+- Change icon of pinned projects [Taiga 1298](https://tree.taiga.io/project/penpot/us/1298)
+- Internal: refactor of http client, replace internal xhr usage with more modern Fetch API.
+- New features for paths: snap points on edition, add/remove nodes, merge/join/split nodes. [Taiga #907](https://tree.taiga.io/project/penpot/us/907)
+- Add OpenID-Connect support.
+- Reimplement social auth providers on top of the generic openid impl.
+
+### :bug: Bugs fixed
+
+- Fix problem with pan and space [#811](https://github.com/penpot/penpot/issues/811)
+- Fix issue when parsing exponential numbers in paths
+- Remove legacy system user and team [#843](https://github.com/penpot/penpot/issues/843)
+- Fix ordering of copy pasted objects [Taiga #1618](https://tree.taiga.io/project/penpot/issue/1617)
+- Fix problems with blending modes [#837](https://github.com/penpot/penpot/issues/837)
+- Fix problem with zoom an selection rect [#845](https://github.com/penpot/penpot/issues/845)
+- Fix problem displaying team statistics [#859](https://github.com/penpot/penpot/issues/859)
+- Fix problems with text editor selection [Taiga #1546](https://tree.taiga.io/project/penpot/issue/1546)
+- Fix problem when opening the context menu in dashboard at the bottom [#856](https://github.com/penpot/penpot/issues/856)
+- Fix problem when clicking an interactive group in view mode [#863](https://github.com/penpot/penpot/issues/863)
+- Fix visibility of pages in sitemap when changing page [Taiga #1618](https://tree.taiga.io/project/penpot/issue/1618)
+- Fix visual problem with group invite [Taiga #1290](https://tree.taiga.io/project/penpot/issue/1290)
+- Fix issues with promote owner panel [Taiga #763](https://tree.taiga.io/project/penpot/issue/763)
+- Allow use library colors when defining gradients [Taiga #1614](https://tree.taiga.io/project/penpot/issue/1614)
+- Fix group selrect not updating after alignment [#895](https://github.com/penpot/penpot/issues/895)
+
+### :arrow_up: Deps updates
+
+### :boom: Breaking changes
+
+- Translations refactor: now penpot uses gettext instead of a custom
+  JSON, and each locale has its own separated file. All translations
+  should be contributed via the weblate.org service.
+
+### :heart: Community contributions by (Thank you!)
+
+- madmath03 (by [Monogramm](https://github.com/Monogramm)) [#807](https://github.com/penpot/penpot/pull/807)
+- zzkt [#814](https://github.com/penpot/penpot/pull/814)
+
+
+## 1.4.1-alpha
+
+### :bug: Bugs fixed
+
+- Fix typography unlinking.
+- Fix incorrect measures on shapes outside artboard.
+- Fix issues on svg parsing related to numbers with exponents.
+- Fix some race conditions on removing shape from workspace.
+- Fix incorrect state management of user lang selection.
+- Fix email validation usability issue on team invitation lightbox.
+

 ## 1.4.0-alpha

@@ -70,6 +246,12 @@
 - Fix titles in viewer thumbnails too long [Taiga #1474](https://tree.taiga.io/project/penpot/issue/1474)
 - Fix when right click on a selected text shows artboard contextual menu [Taiga #1226](https://tree.taiga.io/project/penpot/issue/1226)

+### :boom: Breaking changes
+
+- The LDAP configuration variables interpolation starts using `:`
+  (example `:username`) instead of `$`. The main reason is avoid
+  unnecesary conflict with bash interpolation.
+

 ### :arrow_up: Deps updates

--- a/README.md
+++ b/README.md
@@ -5,6 +5,7 @@
 [![License: MPL-2.0][uri_license_image]][uri_license]
 [![Gitter](https://badges.gitter.im/sereno-xyz/community.svg)](https://gitter.im/penpot/community)
 [![Managed with Taiga.io](https://img.shields.io/badge/managed%20with-TAIGA.io-709f14.svg)](https://tree.taiga.io/project/penpot/ "Managed with Taiga.io")
+[![Gitpod ready-to-code](https://img.shields.io/badge/Gitpod-ready--to--code-blue?logo=gitpod)](https://gitpod.io/#https://github.com/penpot/penpot)


 # PENPOT #
@@ -39,4 +40,6 @@ Please refer to the [help center](https://help.penpot.app).
 This Source Code Form is subject to the terms of the Mozilla Public
 License, v. 2.0. If a copy of the MPL was not distributed with this
 file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+Copyright (c) UXBOX Labs SL
 ```
--- a/backend/deps.edn
+++ b/backend/deps.edn
@@ -4,10 +4,10 @@
  "jcenter" {:url "https://jcenter.bintray.com/"}}
 :deps
 {org.clojure/clojure {:mvn/version "1.10.3"}
-  org.clojure/clojurescript {:mvn/version "1.10.773"}
-  org.clojure/data.json {:mvn/version "1.1.0"}
-  org.clojure/core.async {:mvn/version "1.3.610"}
+  org.clojure/data.json {:mvn/version "2.2.3"}
+  org.clojure/core.async {:mvn/version "1.3.618"}
  org.clojure/tools.cli {:mvn/version "1.0.206"}
+  org.clojure/clojurescript {:mvn/version "1.10.844"}

  ;; Logging
  org.clojure/tools.logging {:mvn/version "1.1.0"}
@@ -15,12 +15,12 @@
  org.apache.logging.log4j/log4j-core {:mvn/version "2.14.1"}
  org.apache.logging.log4j/log4j-web {:mvn/version "2.14.1"}
  org.apache.logging.log4j/log4j-jul {:mvn/version "2.14.1"}
-  org.apache.logging.log4j/log4j-slf4j-impl {:mvn/version "2.14.1"}
-  org.slf4j/slf4j-api {:mvn/version "1.7.30"}
+  org.apache.logging.log4j/log4j-slf4j18-impl {:mvn/version "2.14.1"}
+  org.slf4j/slf4j-api {:mvn/version "2.0.0-alpha1"}
  org.zeromq/jeromq {:mvn/version "0.5.2"}

  com.taoensso/nippy {:mvn/version "3.1.1"}
-  com.github.luben/zstd-jni {:mvn/version "1.4.9-1"}
+  com.github.luben/zstd-jni {:mvn/version "1.4.9-5"}

  ;; NOTE: don't upgrade to latest version, breaking change is
  ;; introduced on 0.10.0 that suffixes counters with _total if they
@@ -32,28 +32,28 @@
                                                 org.eclipse.jetty/jetty-servlet]}
  io.prometheus/simpleclient_httpserver {:mvn/version "0.9.0"}

-  selmer/selmer {:mvn/version "1.12.33"}
+  selmer/selmer {:mvn/version "1.12.40"}
  expound/expound {:mvn/version "0.8.9"}
  com.cognitect/transit-clj {:mvn/version "1.0.324"}

-  io.lettuce/lettuce-core {:mvn/version "6.0.2.RELEASE"}
+  io.lettuce/lettuce-core {:mvn/version "6.1.2.RELEASE"}
  java-http-clj/java-http-clj {:mvn/version "0.4.2"}

-  info.sunng/ring-jetty9-adapter {:mvn/version "0.15.0"}
-  com.github.seancorfield/next.jdbc {:mvn/version "1.1.646"}
-  metosin/reitit-ring {:mvn/version "0.5.12"}
-  metosin/jsonista {:mvn/version "0.3.1"}
+  info.sunng/ring-jetty9-adapter {:mvn/version "0.15.1"}
+  com.github.seancorfield/next.jdbc {:mvn/version "1.2.659"}
+  metosin/reitit-ring {:mvn/version "0.5.13"}
+  metosin/jsonista {:mvn/version "0.3.3"}

-  org.postgresql/postgresql {:mvn/version "42.2.19"}
+  org.postgresql/postgresql {:mvn/version "42.2.20"}
  com.zaxxer/HikariCP {:mvn/version "4.0.3"}

-  funcool/datoteka {:mvn/version "1.2.0"}
-  funcool/promesa {:mvn/version "6.0.0"}
-  funcool/cuerdas {:mvn/version "2020.03.26-3"}
+  funcool/datoteka {:mvn/version "2.0.0"}
+  funcool/promesa {:mvn/version "6.0.1"}
+  funcool/cuerdas {:mvn/version "2021.05.09-0"}

-  buddy/buddy-core {:mvn/version "1.9.0"}
-  buddy/buddy-hashers {:mvn/version "1.7.0"}
-  buddy/buddy-sign {:mvn/version "3.3.0"}
+  buddy/buddy-core {:mvn/version "1.10.1"}
+  buddy/buddy-hashers {:mvn/version "1.8.1"}
+  buddy/buddy-sign {:mvn/version "3.4.1"}

  lambdaisland/uri {:mvn/version "1.4.54"
                    :exclusions [org.clojure/data.json]}
@@ -64,12 +64,12 @@
  org.im4java/im4java {:mvn/version "1.4.0"}
  org.lz4/lz4-java {:mvn/version "1.7.1"}
  commons-io/commons-io {:mvn/version "2.8.0"}
-  com.sun.mail/jakarta.mail {:mvn/version "2.0.0"}
+  com.sun.mail/jakarta.mail {:mvn/version "2.0.1"}

  org.clojars.pntblnk/clj-ldap {:mvn/version "0.0.17"}
  integrant/integrant {:mvn/version "0.8.0"}

-  software.amazon.awssdk/s3 {:mvn/version "2.16.19"}
+  software.amazon.awssdk/s3 {:mvn/version "2.16.62"}

  ;; exception printing
  io.aviso/pretty {:mvn/version "0.1.37"}
@@ -78,9 +78,9 @@
 :aliases
 {:dev
  {:extra-deps
-   {com.bhauman/rebel-readline {:mvn/version "0.1.4"}
-    org.clojure/tools.namespace {:mvn/version "1.1.0"}
-    org.clojure/test.check {:mvn/version "1.1.0"}
+   {com.bhauman/rebel-readline {:mvn/version "RELEASE"}
+    org.clojure/tools.namespace {:mvn/version "RELEASE"}
+    org.clojure/test.check {:mvn/version "RELEASE"}

    fipp/fipp {:mvn/version "0.6.23"}
    criterium/criterium {:mvn/version "0.4.6"}
@@ -96,7 +96,7 @@
   :main-opts ["-m" "kaocha.runner"]}

  :outdated
-  {:extra-deps {com.github.liquidz/antq {:mvn/version "0.12.0"}}
+  {:extra-deps {com.github.liquidz/antq {:mvn/version "RELEASE"}}
   :main-opts ["-m" "antq.core"]}

  :jmx-remote
--- a/backend/dev/user.clj
+++ b/backend/dev/user.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2016-2020 Andrey Antukh <niwi@niwi.nz>
+;; Copyright (c) UXBOX Labs SL

 (ns user
  (:require
@@ -70,7 +67,7 @@
  []
  (alter-var-root #'system (fn [sys]
                             (when sys (ig/halt! sys))
-                             (-> (main/build-system-config cfg/config)
+                             (-> main/system-config
                                 (ig/prep)
                                 (ig/init))))
  :started)
--- a/backend/resources/emails/feedback/en.html
+++ b/backend/resources/emails/feedback/en.html
@@ -0,0 +1,45 @@
+<!doctype html>
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <head>
+    <title></title>
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+  </head>
+  <body>
+    <p>
+      <strong>Feedback from:</strong><br />
+      {% if profile %}
+        <span>
+          <span>Name: </span>
+          <span><code>{{profile.fullname}}</code></span>
+        </span>
+        <br />
+
+        <span>
+          <span>Email: </span>
+          <span>{{profile.email}}</span>
+        </span>
+        <br />
+
+        <span>
+          <span>ID: </span>
+          <span><code>{{profile.id}}</code></span>
+        </span>
+      {% else %}
+        <span>
+          <span>Email: </span>
+          <span>{{profile.email}}</span>
+        </span>
+      {% endif %}
+    </p>
+    <p>
+      <strong>Subject:</strong><br />
+      <span>{{subject}}</span>
+    </p>
+
+    <p>
+      <strong>Message:</strong><br />
+      {{content|linebreaks-br|safe}}
+    </p>
+  </body>
+</html>
--- a/backend/resources/emails/invite-to-team/en.subj
+++ b/backend/resources/emails/invite-to-team/en.subj
@@ -1 +1 @@
-Inviation to join {{team}}
+Invitation to join {{team}}
--- a/backend/resources/log4j2-devenv.xml
+++ b/backend/resources/log4j2-devenv.xml
@@ -6,12 +6,17 @@
    </Console>

    <RollingFile name="main" fileName="logs/main.log" filePattern="logs/main-%i.log">
-      <PatternLayout pattern="[%d{YYYY-MM-dd HH:mm:ss.SSS}] [%t] %level{length=1} %logger{36} - %msg%n"/>
+      <PatternLayout pattern="[%d{YYYY-MM-dd HH:mm:ss.SSS}] %level{length=1} %logger{36} - %msg%n"/>
      <Policies>
        <SizeBasedTriggeringPolicy size="50M"/>
      </Policies>
      <DefaultRolloverStrategy max="9"/>
    </RollingFile>
+
+    <JeroMQ name="zmq">
+      <Property name="endpoint">tcp://localhost:45556</Property>
+      <JsonLayout complete="false" compact="true" includeTimeMillis="true" stacktraceAsString="true" properties="true" />
+    </JeroMQ>
  </Appenders>

  <Loggers>
@@ -30,6 +35,12 @@

    <Logger name="app" level="all" additivity="false">
      <AppenderRef ref="main" level="trace" />
+      <AppenderRef ref="zmq" level="debug" />
+    </Logger>
+
+    <Logger name="penpot" level="debug" additivity="false">
+      <AppenderRef ref="main" level="debug" />
+      <AppenderRef ref="zmq" level="debug" />
    </Logger>

    <Logger name="user" level="trace" additivity="false">
--- a/backend/resources/log4j2.xml
+++ b/backend/resources/log4j2.xml
@@ -14,6 +14,10 @@
      <AppenderRef ref="console" />
    </Logger>

+    <Logger name="penpot" level="fatal" additivity="false">
+      <AppenderRef ref="console" />
+    </Logger>
+
    <Root level="info">
      <AppenderRef ref="console" />
    </Root>
--- a/backend/scripts/build
+++ b/backend/scripts/build
@@ -4,9 +4,6 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
 ;; Copyright (c) UXBOX Labs SL

 (ns build
--- a/backend/scripts/manage.template.sh
+++ b/backend/scripts/manage.template.sh
@@ -16,4 +16,4 @@ if [ -f ./environ ]; then
   source ./environ
 fi

-exec $JAVA_CMD $JVM_OPTS -classpath $(cat classpath) -Dlog4j2.configurationFile=./log4j2.xml clojure.main -m app.cli.manage "\$@"
+exec $JAVA_CMD $JVM_OPTS -classpath $(cat classpath) -Dlog4j2.configurationFile=./log4j2.xml clojure.main -m app.cli.manage "$@"
--- a/backend/scripts/repl
+++ b/backend/scripts/repl
@@ -2,7 +2,9 @@

 export PENPOT_ASSERTS_ENABLED=true

-export OPTIONS="-A:jmx-remote:dev -J-Dclojure.tools.logging.factory=clojure.tools.logging.impl/log4j2-factory -J-Djava.util.logging.manager=org.apache.logging.log4j.jul.LogManager -J-Xms512m -J-Xmx512m -J-Dlog4j2.configurationFile=log4j2-devenv.xml"
+export OPTIONS="-A:jmx-remote:dev -J-Djava.util.logging.manager=org.apache.logging.log4j.jul.LogManager -J-Dlog4j2.configurationFile=log4j2-devenv.xml -J-XX:+UseZGC -J-XX:ConcGCThreads=1 -J-XX:-OmitStackTraceInFastThrow -J-Xms50m -J-Xmx512m";
+# export OPTIONS="$OPTIONS -J-XX:+UnlockDiagnosticVMOptions";
+# export OPTIONS="$OPTIONS -J-XX:-TieredCompilation -J-XX:CompileThreshold=10000";

 export OPTIONS_EVAL="nil"
 # export OPTIONS_EVAL="(set! *warn-on-reflection* true)"
--- a/backend/src/app/cli/fixtures.clj
+++ b/backend/src/app/cli/fixtures.clj
@@ -2,23 +2,19 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.cli.fixtures
  "A initial fixtures."
  (:require
   [app.common.pages :as cp]
   [app.common.uuid :as uuid]
-   [app.config :as cfg]
   [app.db :as db]
   [app.main :as main]
   [app.rpc.mutations.profile :as profile]
   [app.util.blob :as blob]
+   [app.util.logging :as l]
   [buddy.hashers :as hashers]
-   [clojure.tools.logging :as log]
   [integrant.core :as ig]))

 (defn- mk-uuid
@@ -75,7 +71,9 @@
  (let [rng (java.util.Random. 1)]
    (letfn [(create-profile [conn index]
              (let [id   (mk-uuid "profile" index)
-                    _    (log/info "create profile" index id)
+                    _    (l/info :action "create profile"
+                                 :index index
+                                 :id id)

                    prof (register-profile conn
                                           {:id id
@@ -91,20 +89,22 @@
                prof))

            (create-profiles [conn]
-              (log/info "create profiles")
+              (l/info :action "create profiles")
              (collect (partial create-profile conn)
                       (range (:num-profiles opts))))

            (create-team [conn index]
              (let [id (mk-uuid "team" index)
                    name (str "Team" index)]
-                (log/info "create team" index id)
+                (l/info :action "create team"
+                        :index index
+                        :id id)
                (db/insert! conn :team {:id id
                                        :name name})
                id))

            (create-teams [conn]
-              (log/info "create teams")
+              (l/info :action "create teams")
              (collect (partial create-team conn)
                       (range (:num-teams opts))))

@@ -112,7 +112,9 @@
              (let [id (mk-uuid "file" project-id index)
                    name (str "file" index)
                    data (cp/make-file-data id)]
-                (log/info "create file" index id)
+                (l/info :action "create file"
+                        :index index
+                        :id id)
                (db/insert! conn :file
                            {:id id
                             :data (blob/encode data)
@@ -127,7 +129,7 @@
                id))

            (create-files [conn owner-id project-id]
-              (log/info "create files")
+              (l/info :action "create files")
              (run! (partial create-file conn owner-id project-id)
                    (range (:num-files-per-project opts))))

@@ -139,7 +141,9 @@
                                (str "project " index)
                                "Drafts")
                    is-default (nil? index)]
-                (log/info "create project" index id)
+                (l/info :action "create project"
+                        :index index
+                        :id id)
                (db/insert! conn :project
                            {:id id
                             :team-id team-id
@@ -154,7 +158,7 @@
                id))

            (create-projects [conn team-id profile-ids]
-              (log/info "create projects")
+              (l/info :action "create projects")
              (let [owner-id (rng-nth rng profile-ids)
                    project-ids (conj
                                  (collect (partial create-project conn team-id owner-id)
@@ -171,14 +175,16 @@
                           :can-edit true}))

            (setup-team [conn team-id profile-ids]
-              (log/info "setup team" team-id profile-ids)
+              (l/info :action "setup team"
+                      :team-id team-id
+                      :profile-ids (pr-str profile-ids))
              (assign-profile-to-team conn team-id true (first profile-ids))
              (run! (partial assign-profile-to-team conn team-id false)
                    (rest profile-ids))
              (create-projects conn team-id profile-ids))

            (assign-teams-and-profiles [conn teams profiles]
-              (log/info "assign teams and profiles")
+              (l/info :action "assign teams and profiles")
              (loop [team-id (first teams)
                     teams (rest teams)]
                (when-not (nil? team-id)
@@ -195,7 +201,9 @@
                    project-id (:default-project-id owner)
                    data       (cp/make-file-data id)]

-                (log/info "create draft file" index id)
+                (l/info :action "create draft file"
+                        :index index
+                        :id id)
                (db/insert! conn :file
                            {:id id
                             :data (blob/encode data)
@@ -233,7 +241,7 @@

 (defn run
  [{:keys [preset] :or {preset :small}}]
-  (let [config (select-keys (main/build-system-config cfg/config)
+  (let [config (select-keys main/system-config
                            [:app.db/pool
                             :app.telemetry/migrations
                             :app.migrations/migrations
@@ -245,6 +253,6 @@
    (try
      (run-in-system system preset)
      (catch Exception e
-        (log/errorf e "unhandled exception"))
+        (l/error :hint "unhandled exception" :cause e))
      (finally
        (ig/halt! system)))))
--- a/backend/src/app/cli/manage.clj
+++ b/backend/src/app/cli/manage.clj
@@ -2,22 +2,18 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2021 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.cli.manage
  "A manage cli api."
  (:require
-   [app.config :as cfg]
   [app.db :as db]
   [app.main :as main]
   [app.rpc.mutations.profile :as profile]
   [app.rpc.queries.profile :refer [retrieve-profile-data-by-email]]
+   [app.util.logging :as l]
   [clojure.string :as str]
   [clojure.tools.cli :refer [parse-opts]]
-   [clojure.tools.logging :as log]
   [integrant.core :as ig])
  (:import
   java.io.Console))
@@ -26,7 +22,7 @@

 (defn init-system
  []
-  (let [data (-> (main/build-system-config cfg/config)
+  (let [data (-> main/system-config
                 (select-keys [:app.db/pool :app.metrics/metrics])
                 (assoc :app.migrations/all {}))]
    (-> data ig/prep ig/init)))
@@ -35,7 +31,7 @@
  [{:keys [label type] :or {type :text}}]
  (let [^Console console (System/console)]
    (when-not console
-      (log/error "no console found, can proceed")
+      (l/error :hint "no console found, can proceed")
      (System/exit 1))

    (binding [*out* (.writer console)]
--- a/backend/src/app/cli/migrate_media.clj
+++ b/backend/src/app/cli/migrate_media.clj
@@ -2,19 +2,16 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.cli.migrate-media
  (:require
   [app.common.media :as cm]
-   [app.config :as cfg]
+   [app.config :as cf]
   [app.db :as db]
   [app.main :as main]
   [app.storage :as sto]
-   [clojure.tools.logging :as log]
+   [app.util.logging :as l]
   [cuerdas.core :as str]
   [datoteka.core :as fs]
   [integrant.core :as ig]))
@@ -34,7 +31,7 @@

 (defn run
  []
-  (let [config (select-keys (main/build-system-config cfg/config)
+  (let [config (select-keys main/system-config
                            [:app.db/pool
                             :app.migrations/migrations
                             :app.metrics/metrics
@@ -49,7 +46,7 @@
          (run-in-system)
          (ig/halt!))
      (catch Exception e
-        (log/errorf e "Unhandled exception.")))))
+        (l/error :hint "unhandled exception" :cause e)))))


 ;; --- IMPL
@@ -60,7 +57,7 @@
            (->> (db/exec! conn ["select * from profile"])
                 (filter #(not (str/empty? (:photo %))))
                 (seq)))]
-    (let [base    (fs/path (:storage-fs-old-directory cfg/config))
+    (let [base    (fs/path (cf/get :storage-fs-old-directory))
          storage (-> (:app.storage/storage system)
                      (assoc :conn conn))]
      (doseq [profile (retrieve-profiles conn)]
@@ -81,7 +78,7 @@
            (->> (db/exec! conn ["select * from team"])
                 (filter #(not (str/empty? (:photo %))))
                 (seq)))]
-    (let [base    (fs/path (:storage-fs-old-directory cfg/config))
+    (let [base    (fs/path (cf/get :storage-fs-old-directory))
          storage (-> (:app.storage/storage system)
                      (assoc :conn conn))]
      (doseq [team (retrieve-teams conn)]
@@ -105,7 +102,7 @@
                                    from file_media_object as fmo
                                    join file_media_thumbnail as fth on (fth.media_object_id = fmo.id)"])
                 (seq)))]
-    (let [base    (fs/path (:storage-fs-old-directory cfg/config))
+    (let [base    (fs/path (cf/get :storage-fs-old-directory))
          storage (-> (:app.storage/storage system)
                      (assoc :conn conn))]
      (doseq [mobj (retrieve-media-objects conn)]
--- a/backend/src/app/config.clj
+++ b/backend/src/app/config.clj
@@ -2,23 +2,42 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
 ;; Copyright (c) UXBOX Labs SL

 (ns app.config
  "A configuration management."
  (:refer-clojure :exclude [get])
  (:require
+   [app.common.data :as d]
+   [app.common.exceptions :as ex]
   [app.common.spec :as us]
   [app.common.version :as v]
   [app.util.time :as dt]
   [clojure.core :as c]
   [clojure.java.io :as io]
+   [clojure.pprint :as pprint]
   [clojure.spec.alpha :as s]
   [cuerdas.core :as str]
-   [environ.core :refer [env]]))
+   [environ.core :refer [env]]
+   [integrant.core :as ig]))
+
+(prefer-method print-method
+               clojure.lang.IRecord
+               clojure.lang.IDeref)
+
+(prefer-method pprint/simple-dispatch
+               clojure.lang.IPersistentMap
+               clojure.lang.IDeref)
+
+(defmethod ig/init-key :default
+  [_ data]
+  (d/without-nils data))
+
+(defmethod ig/prep-key :default
+  [_ data]
+  (if (map? data)
+    (d/without-nils data)
+    data))

 (def defaults
  {:http-server-port 6060
@@ -28,8 +47,7 @@
   :database-username "penpot"
   :database-password "penpot"

-   :default-blob-version 1
-
+   :default-blob-version 3
   :loggers-zmq-uri "tcp://localhost:45556"

   :asserts-enabled false
@@ -66,7 +84,6 @@

   :allow-demo-users true
   :registration-enabled true
-   :registration-domain-whitelist ""

   :telemetry-enabled false
   :telemetry-uri "https://telemetry.penpot.app/"
@@ -81,6 +98,13 @@
   :initial-project-skey "initial-project"
   })

+(s/def ::audit-enabled ::us/boolean)
+(s/def ::audit-archive-enabled ::us/boolean)
+(s/def ::audit-archive-uri ::us/string)
+(s/def ::audit-archive-gc-enabled ::us/boolean)
+(s/def ::audit-archive-gc-max-age ::dt/duration)
+
+(s/def ::secret-key ::us/string)
 (s/def ::allow-demo-users ::us/boolean)
 (s/def ::asserts-enabled ::us/boolean)
 (s/def ::assets-path ::us/string)
@@ -99,9 +123,17 @@
 (s/def ::gitlab-client-secret ::us/string)
 (s/def ::google-client-id ::us/string)
 (s/def ::google-client-secret ::us/string)
+(s/def ::oidc-client-id ::us/string)
+(s/def ::oidc-client-secret ::us/string)
+(s/def ::oidc-base-uri ::us/string)
+(s/def ::oidc-token-uri ::us/string)
+(s/def ::oidc-auth-uri ::us/string)
+(s/def ::oidc-user-uri ::us/string)
+(s/def ::oidc-scopes ::us/set-of-str)
+(s/def ::oidc-roles ::us/set-of-str)
+(s/def ::oidc-roles-attr ::us/keyword)
 (s/def ::host ::us/string)
 (s/def ::http-server-port ::us/integer)
-(s/def ::http-session-cookie-name ::us/string)
 (s/def ::http-session-idle-max-age ::dt/duration)
 (s/def ::http-session-updater-batch-max-age ::dt/duration)
 (s/def ::http-session-updater-batch-max-size ::us/integer)
@@ -128,7 +160,7 @@
 (s/def ::profile-complaint-threshold ::us/integer)
 (s/def ::public-uri ::us/string)
 (s/def ::redis-uri ::us/string)
-(s/def ::registration-domain-whitelist ::us/string)
+(s/def ::registration-domain-whitelist ::us/set-of-str)
 (s/def ::registration-enabled ::us/boolean)
 (s/def ::rlimits-image ::us/integer)
 (s/def ::rlimits-password ::us/integer)
@@ -148,14 +180,18 @@
 (s/def ::storage-s3-bucket ::us/string)
 (s/def ::storage-s3-region ::us/keyword)
 (s/def ::telemetry-enabled ::us/boolean)
-(s/def ::telemetry-server-enabled ::us/boolean)
-(s/def ::telemetry-server-port ::us/integer)
 (s/def ::telemetry-uri ::us/string)
 (s/def ::telemetry-with-taiga ::us/boolean)
 (s/def ::tenant ::us/string)

 (s/def ::config
-  (s/keys :opt-un [::allow-demo-users
+  (s/keys :opt-un [::secret-key
+                   ::allow-demo-users
+                   ::audit-enabled
+                   ::audit-archive-enabled
+                   ::audit-archive-uri
+                   ::audit-archive-gc-enabled
+                   ::audit-archive-gc-max-age
                   ::asserts-enabled
                   ::database-password
                   ::database-uri
@@ -172,6 +208,15 @@
                   ::gitlab-client-secret
                   ::google-client-id
                   ::google-client-secret
+                   ::oidc-client-id
+                   ::oidc-client-secret
+                   ::oidc-base-uri
+                   ::oidc-token-uri
+                   ::oidc-auth-uri
+                   ::oidc-user-uri
+                   ::oidc-scopes
+                   ::oidc-roles-attr
+                   ::oidc-roles
                   ::host
                   ::http-server-port
                   ::http-session-idle-max-age
@@ -219,45 +264,42 @@
                   ::storage-s3-bucket
                   ::storage-s3-region
                   ::telemetry-enabled
-                   ::telemetry-server-enabled
-                   ::telemetry-server-port
                   ::telemetry-uri
+                   ::telemetry-referer
                   ::telemetry-with-taiga
                   ::tenant]))

-(defn- env->config
-  [env]
-  (reduce-kv
-   (fn [acc k v]
-     (cond-> acc
-       (str/starts-with? (name k) "penpot-")
-       (assoc (keyword (subs (name k) 7)) v)
-
-       (str/starts-with? (name k) "app-")
-       (assoc (keyword (subs (name k) 4)) v)))
-   {}
-   env))
+(defn read-env
+  [prefix]
+  (let [prefix (str prefix "-")
+        len    (count prefix)]
+    (reduce-kv
+     (fn [acc k v]
+       (cond-> acc
+         (str/starts-with? (name k) prefix)
+         (assoc (keyword (subs (name k) len)) v)))
+     {}
+     env)))

 (defn- read-config
-  [env]
-  (->> (env->config env)
-       (merge defaults)
-       (us/conform ::config)))
-
-(defn- read-test-config
-  [env]
-  (merge {:redis-uri "redis://redis/1"
-          :database-uri "postgresql://postgres/penpot_test"
-          :storage-fs-directory "/tmp/app/storage"
-          :migrations-verbose false}
-         (read-config env)))
+  []
+  (try
+    (->> (read-env "penpot")
+         (merge defaults)
+         (us/conform ::config))
+    (catch Throwable e
+      (when (ex/ex-info? e)
+        (println ";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;")
+        (println "Error on validating configuration:")
+        (println (:explain (ex-data e))
+        (println ";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;")))
+      (throw e))))

 (def version (v/parse (or (some-> (io/resource "version.txt")
                                  (slurp)
                                  (str/trim))
                          "%version%")))
-(def config (read-config env))
-(def test-config (read-test-config env))
+(def config (atom (read-config)))

 (def deletion-delay
  (dt/duration {:days 7}))
@@ -265,6 +307,9 @@
 (defn get
  "A configuration getter. Helps code be more testable."
  ([key]
-   (c/get config key))
+   (c/get @config key))
  ([key default]
-   (c/get config key default)))
+   (c/get @config key default)))
+
+;; Set value for all new threads bindings.
+(alter-var-root #'*assert* (constantly (get :asserts-enabled)))
--- a/backend/src/app/db.clj
+++ b/backend/src/app/db.clj
@@ -2,25 +2,23 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.db
  (:require
+   [app.common.data :as d]
   [app.common.exceptions :as ex]
   [app.common.geom.point :as gpt]
   [app.common.spec :as us]
   [app.db.sql :as sql]
   [app.metrics :as mtx]
   [app.util.json :as json]
+   [app.util.logging :as l]
   [app.util.migrations :as mg]
   [app.util.time :as dt]
   [app.util.transit :as t]
   [clojure.java.io :as io]
   [clojure.spec.alpha :as s]
-   [clojure.tools.logging :as log]
   [integrant.core :as ig]
   [next.jdbc :as jdbc]
   [next.jdbc.date-time :as jdbc-dt])
@@ -48,8 +46,8 @@

 (declare instrument-jdbc!)

+(s/def ::name keyword?)
 (s/def ::uri ::us/not-empty-string)
-(s/def ::name ::us/not-empty-string)
 (s/def ::min-pool-size ::us/integer)
 (s/def ::max-pool-size ::us/integer)
 (s/def ::migrations map?)
@@ -59,14 +57,16 @@

 (defmethod ig/init-key ::pool
  [_ {:keys [migrations metrics] :as cfg}]
-  (log/infof "initialize connection pool '%s' with uri '%s'" (:name cfg) (:uri cfg))
+  (l/info :action "initialize connection pool"
+          :name (d/name (:name cfg))
+          :uri (:uri cfg))
  (instrument-jdbc! (:registry metrics))
  (let [pool (create-pool cfg)]
    (when (seq migrations)
      (with-open [conn ^AutoCloseable (open pool)]
        (mg/setup! conn)
-        (doseq [[mname steps] migrations]
-          (mg/migrate! conn {:name (name mname) :steps steps}))))
+        (doseq [[name steps] migrations]
+          (mg/migrate! conn {:name (d/name name) :steps steps}))))
    pool))

 (defmethod ig/halt-key! ::pool
@@ -100,7 +100,7 @@
        mtf      (PrometheusMetricsTrackerFactory. (:registry metrics))]
    (doto config
      (.setJdbcUrl (str "jdbc:" dburi))
-      (.setPoolName (:name cfg "default"))
+      (.setPoolName (d/name (:name cfg)))
      (.setAutoCommit true)
      (.setReadOnly false)
      (.setConnectionTimeout 8000)  ;; 8seg
@@ -200,6 +200,13 @@
              (sql/insert table params opts)
              (assoc opts :return-keys true))))

+(defn insert-multi!
+  ([ds table cols rows] (insert-multi! ds table cols rows nil))
+  ([ds table cols rows opts]
+   (exec! ds
+          (sql/insert-multi table cols rows opts)
+          (assoc opts :return-keys true))))
+
 (defn update!
  ([ds table params where] (update! ds table params where nil))
  ([ds table params where opts]
@@ -326,6 +333,12 @@
      (t/decode-str val)
      val)))

+(defn inet
+  [ip-addr]
+  (doto (org.postgresql.util.PGobject.)
+    (.setType "inet")
+    (.setValue (str ip-addr))))
+
 (defn tjson
  "Encode as transit json."
  [data]
--- a/backend/src/app/db/sql.clj
+++ b/backend/src/app/db/sql.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.db.sql
  (:refer-clojure :exclude [update])
@@ -35,6 +32,11 @@
                (assoc :suffix "ON CONFLICT DO NOTHING"))]
     (sql/for-insert table key-map opts))))

+(defn insert-multi
+  [table cols rows opts]
+  (let [opts (merge default-opts opts)]
+    (sql/for-insert-multi table cols rows opts)))
+
 (defn select
  ([table where-params]
   (select table where-params nil))
--- a/backend/src/app/emails.clj
+++ b/backend/src/app/emails.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020-2021 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.emails
  "Main api for send emails."
@@ -14,18 +11,13 @@
   [app.config :as cfg]
   [app.db :as db]
   [app.db.sql :as sql]
-   [app.tasks :as tasks]
   [app.util.emails :as emails]
-   [clojure.spec.alpha :as s]))
+   [app.util.logging :as l]
+   [app.worker :as wrk]
+   [clojure.spec.alpha :as s]
+   [integrant.core :as ig]))

-;; --- Defaults
-
-(defn default-context
-  []
-  {:assets-uri (:assets-uri cfg/config)
-   :public-uri (:public-uri cfg/config)})
-
-;; --- Public API
+;; --- PUBLIC API

 (defn render
  [email-factory context]
@@ -33,17 +25,20 @@

 (defn send!
  "Schedule the email for sending."
-  [conn email-factory context]
-  (us/verify fn? email-factory)
-  (us/verify map? context)
-  (let [email (email-factory context)]
-    (tasks/submit! conn {:name "sendmail"
-                         :delay 0
-                         :max-retries 1
-                         :priority 200
-                         :props email})))
+  [{:keys [::conn ::factory] :as context}]
+  (us/verify fn? factory)
+  (us/verify some? conn)
+  (let [email (factory context)]
+    (wrk/submit! (assoc email
+                        ::wrk/task :sendmail
+                        ::wrk/delay 0
+                        ::wrk/max-retries 1
+                        ::wrk/priority 200
+                        ::wrk/conn conn))))


+;; --- BOUNCE/COMPLAINS HANDLING
+
 (def sql:profile-complaint-report
  "select (select count(*)
             from profile_complaint_report
@@ -91,7 +86,7 @@
     (>= (count reports) threshold))))


-;; --- Emails
+;; --- EMAIL FACTORIES

 (s/def ::subject ::us/string)
 (s/def ::content ::us/string)
@@ -101,7 +96,7 @@

 (def feedback
  "A profile feedback email."
-  (emails/template-factory ::feedback default-context))
+  (emails/template-factory ::feedback))

 (s/def ::name ::us/string)
 (s/def ::register
@@ -109,7 +104,7 @@

 (def register
  "A new profile registration welcome email."
-  (emails/template-factory ::register default-context))
+  (emails/template-factory ::register))

 (s/def ::token ::us/string)
 (s/def ::password-recovery
@@ -117,7 +112,7 @@

 (def password-recovery
  "A password recovery notification email."
-  (emails/template-factory ::password-recovery default-context))
+  (emails/template-factory ::password-recovery))

 (s/def ::pending-email ::us/email)
 (s/def ::change-email
@@ -125,7 +120,7 @@

 (def change-email
  "Password change confirmation email"
-  (emails/template-factory ::change-email default-context))
+  (emails/template-factory ::change-email))

 (s/def :internal.emails.invite-to-team/invited-by ::us/string)
 (s/def :internal.emails.invite-to-team/team ::us/string)
@@ -138,4 +133,50 @@

 (def invite-to-team
  "Teams member invitation email."
-  (emails/template-factory ::invite-to-team default-context))
+  (emails/template-factory ::invite-to-team))
+
+
+;; --- SENDMAIL TASK
+
+(declare send-console!)
+
+(s/def ::username ::cfg/smtp-username)
+(s/def ::password ::cfg/smtp-password)
+(s/def ::tls ::cfg/smtp-tls)
+(s/def ::ssl ::cfg/smtp-ssl)
+(s/def ::host ::cfg/smtp-host)
+(s/def ::port ::cfg/smtp-port)
+(s/def ::default-reply-to ::cfg/smtp-default-reply-to)
+(s/def ::default-from ::cfg/smtp-default-from)
+(s/def ::enabled ::cfg/smtp-enabled)
+
+(defmethod ig/pre-init-spec ::sendmail-handler [_]
+  (s/keys :req-un [::enabled]
+          :opt-un [::username
+                   ::password
+                   ::tls
+                   ::ssl
+                   ::host
+                   ::port
+                   ::default-from
+                   ::default-reply-to]))
+
+(defmethod ig/init-key ::sendmail-handler
+  [_ cfg]
+  (fn [{:keys [props] :as task}]
+    (if (:enabled cfg)
+      (emails/send! cfg props)
+      (send-console! cfg props))))
+
+(defn- send-console!
+  [cfg email]
+  (let [baos (java.io.ByteArrayOutputStream.)
+        mesg (emails/smtp-message cfg email)]
+    (.writeTo mesg baos)
+    (let [out (with-out-str
+                (println "email console dump:")
+                (println "******** start email" (:id email) "**********")
+                (println (.toString baos))
+                (println "******** end email "(:id email) "**********"))]
+      (l/info :email out))))
+
--- a/backend/src/app/http.clj
+++ b/backend/src/app/http.clj
@@ -2,22 +2,18 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020-2021 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.http
  (:require
   [app.common.data :as d]
+   [app.common.exceptions :as ex]
   [app.common.spec :as us]
-   [app.config :as cfg]
   [app.http.errors :as errors]
   [app.http.middleware :as middleware]
   [app.metrics :as mtx]
-   [app.util.log4j :refer [update-thread-context!]]
+   [app.util.logging :as l]
   [clojure.spec.alpha :as s]
-   [clojure.tools.logging :as log]
   [integrant.core :as ig]
   [reitit.ring :as rr]
   [ring.adapter.jetty9 :as jetty])
@@ -26,30 +22,32 @@
   org.eclipse.jetty.server.handler.ErrorHandler
   org.eclipse.jetty.server.handler.StatisticsHandler))

+(declare router-handler)
+
 (s/def ::handler fn?)
+(s/def ::router some?)
 (s/def ::ws (s/map-of ::us/string fn?))
-(s/def ::port ::cfg/http-server-port)
+(s/def ::port ::us/integer)
 (s/def ::name ::us/string)

 (defmethod ig/pre-init-spec ::server [_]
-  (s/keys :req-un [::handler ::port]
-          :opt-un [::ws ::name ::mtx/metrics]))
+  (s/keys :req-un [::port]
+          :opt-un [::ws ::name ::mtx/metrics ::router ::handler]))

 (defmethod ig/prep-key ::server
  [_ cfg]
-  (merge {:name "http"}
-         (d/without-nils cfg)))
+  (merge {:name "http"} (d/without-nils cfg)))

 (defmethod ig/init-key ::server
-  [_ {:keys [handler ws port name metrics] :as opts}]
-  (log/infof "starting '%s' server on port %s." name port)
+  [_ {:keys [handler router ws port name metrics] :as opts}]
+  (l/info :msg "starting http server" :port port :name name)
  (let [pre-start (fn [^Server server]
                    (let [handler (doto (ErrorHandler.)
                                    (.setShowStacks true)
                                    (.setServer server))]
                      (.setErrorHandler server ^ErrorHandler handler)
                      (when metrics
-                        (let [stats (new StatisticsHandler)]
+                        (let [stats (StatisticsHandler.)]
                          (.setHandler ^StatisticsHandler stats (.getHandler server))
                          (.setHandler server stats)
                          (mtx/instrument-jetty! (:registry metrics) stats)))))
@@ -63,61 +61,71 @@
                   (when (seq ws)
                     {:websockets ws}))

+        handler   (cond
+                    (fn? handler)  handler
+                    (some? router) (router-handler router)
+                    :else (ex/raise :type :internal
+                                    :code :invalid-argument
+                                    :hint "Missing `handler` or `router` option."))
+
        server    (jetty/run-jetty handler options)]
    (assoc opts :server server)))

 (defmethod ig/halt-key! ::server
  [_ {:keys [server name port] :as opts}]
-  (log/infof "stoping '%s' server on port %s." name port)
+  (l/info :msg "stoping http server"
+          :name name
+          :port port)
  (jetty/stop-server server))

-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;; Http Main Handler (Router)
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-
-(declare create-router)
-
-(s/def ::rpc map?)
-(s/def ::session map?)
-(s/def ::metrics map?)
-(s/def ::oauth map?)
-(s/def ::storage map?)
-(s/def ::assets map?)
-(s/def ::feedback fn?)
-
-(defmethod ig/pre-init-spec ::router [_]
-  (s/keys :req-un [::rpc ::session ::metrics ::oauth ::storage ::assets ::feedback]))
-
-(defmethod ig/init-key ::router
-  [_ cfg]
-  (let [handler (rr/ring-handler
-                 (create-router cfg)
-                 (rr/routes
-                  (rr/create-resource-handler {:path "/"})
-                  (rr/create-default-handler))
-                 {:middleware [middleware/server-timing]})]
+(defn- router-handler
+  [router]
+  (let [handler (rr/ring-handler router
+                                 (rr/routes
+                                  (rr/create-resource-handler {:path "/"})
+                                  (rr/create-default-handler))
+                                 {:middleware [middleware/server-timing]})]
    (fn [request]
      (try
        (handler request)
        (catch Throwable e
          (try
            (let [cdata (errors/get-error-context request e)]
-              (update-thread-context! cdata)
-              (log/errorf e "unhandled exception: %s (id: %s)" (ex-message e) (str (:id cdata)))
-              {:status 500
-               :body "internal server error"})
+              (l/update-thread-context! cdata)
+              (l/error :hint "unhandled exception"
+                       :message (ex-message e)
+                       :error-id (str (:id cdata))
+                       :cause e))
+            {:status 500 :body "internal server error"}
            (catch Throwable e
-              (log/errorf e "unhandled exception: %s" (ex-message e))
-              {:status 500
-               :body "internal server error"})))))))
+              (l/error :hint "unhandled exception"
+                       :message (ex-message e)
+                       :cause e)
+              {:status 500 :body "internal server error"})))))))

-(defn- create-router
-  [{:keys [session rpc oauth metrics svgparse assets feedback] :as cfg}]
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Http Main Handler (Router)
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+(s/def ::rpc map?)
+(s/def ::session map?)
+(s/def ::oauth map?)
+(s/def ::storage map?)
+(s/def ::assets map?)
+(s/def ::feedback fn?)
+
+(defmethod ig/pre-init-spec ::router [_]
+  (s/keys :req-un [::rpc ::session ::mtx/metrics ::oauth ::storage ::assets ::feedback]))
+
+(defmethod ig/init-key ::router
+  [_ {:keys [session rpc oauth metrics assets feedback] :as cfg}]
  (rr/router
   [["/metrics" {:get (:handler metrics)}]
-
    ["/assets" {:middleware [[middleware/format-response-body]
-                             [middleware/errors errors/handle]]}
+                             [middleware/errors errors/handle]
+                             [middleware/cookies]
+                             (:middleware session)]}
     ["/by-id/:id" {:get (:objects-handler assets)}]
     ["/by-file-media-id/:id" {:get (:file-objects-handler assets)}]
     ["/by-file-media-id/:id/thumbnail" {:get (:file-thumbnails-handler assets)}]]
@@ -137,20 +145,13 @@
                          [middleware/errors errors/handle]
                          [middleware/cookies]]}

-     ["/svg/parse" {:post svgparse}]
     ["/feedback" {:middleware [(:middleware session)]
                   :post feedback}]

-     ["/oauth"
-      ["/google" {:post (get-in oauth [:google :handler])}]
-      ["/google/callback" {:get (get-in oauth [:google :callback-handler])}]
-
-      ["/gitlab" {:post (get-in oauth [:gitlab :handler])}]
-      ["/gitlab/callback" {:get (get-in oauth [:gitlab :callback-handler])}]
-
-      ["/github" {:post (get-in oauth [:github :handler])}]
-      ["/github/callback" {:get (get-in oauth [:github :callback-handler])}]]
+     ["/auth/oauth/:provider" {:post (:handler oauth)}]
+     ["/auth/oauth/:provider/callback" {:get (:callback-handler oauth)}]

     ["/rpc" {:middleware [(:middleware session)]}
-      ["/query/:type" {:get (:query-handler rpc)}]
+      ["/query/:type" {:get (:query-handler rpc)
+                       :post (:query-handler rpc)}]
      ["/mutation/:type" {:post (:mutation-handler rpc)}]]]]))
--- a/backend/src/app/http/assets.clj
+++ b/backend/src/app/http/assets.clj
@@ -2,23 +2,20 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020-2021 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.http.assets
  "Assets related handlers."
  (:require
   [app.common.exceptions :as ex]
   [app.common.spec :as us]
+   [app.common.uri :as u]
   [app.db :as db]
   [app.metrics :as mtx]
   [app.storage :as sto]
   [app.util.time :as dt]
   [clojure.spec.alpha :as s]
-   [integrant.core :as ig]
-   [lambdaisland.uri :as u]))
+   [integrant.core :as ig]))

 (def ^:private cache-max-age
  (dt/duration {:hours 24}))
--- a/backend/src/app/http/awsns.clj
+++ b/backend/src/app/http/awsns.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020 Andrey Antukh <niwi@niwi.nz>
+;; Copyright (c) UXBOX Labs SL

 (ns app.http.awsns
  "AWS SNS webhook handler for bounces."
@@ -14,9 +11,8 @@
   [app.db :as db]
   [app.db.sql :as sql]
   [app.util.http :as http]
-   [clojure.pprint :refer [pprint]]
+   [app.util.logging :as l]
   [clojure.spec.alpha :as s]
-   [clojure.tools.logging :as log]
   [cuerdas.core :as str]
   [integrant.core :as ig]
   [jsonista.core :as j]))
@@ -25,11 +21,6 @@
 (declare parse-notification)
 (declare process-report)

-(defn- pprint-report
-  [message]
-  (binding [clojure.pprint/*print-right-margin* 120]
-    (with-out-str (pprint message))))
-
 (defmethod ig/pre-init-spec ::handler [_]
  (s/keys :req-un [::db/pool]))

@@ -42,19 +33,17 @@
        (= mtype "SubscriptionConfirmation")
        (let [surl   (get body "SubscribeURL")
              stopic (get body "TopicArn")]
-          (log/infof "subscription received (topic=%s, url=%s)" stopic surl)
+          (l/info :action "subscription received" :topic stopic :url surl)
          (http/send! {:uri surl :method :post :timeout 10000}))

        (= mtype "Notification")
        (when-let [message (parse-json (get body "Message"))]
-          ;; (log/infof "Received: %s" (pr-str message))
          (let [notification (parse-notification cfg message)]
            (process-report cfg notification)))

        :else
-        (log/warn (str "unexpected data received\n"
-                       (pprint-report body))))
-
+        (l/warn :hint "unexpected data received"
+                :report (pr-str body)))
      {:status 200 :body ""})))

 (defn- parse-bounce
@@ -184,15 +173,15 @@

 (defn- process-report
  [cfg {:keys [type profile-id] :as report}]
-  (log/trace (str "procesing report:\n" (pprint-report report)))
+  (l/trace :action "procesing report" :report (pr-str report))
  (cond
    ;; In this case we receive a bounce/complaint notification without
    ;; confirmed identity, we just emit a warning but do nothing about
    ;; it because this is not a normal case. All notifications should
    ;; come with profile identity.
    (nil? profile-id)
-    (log/warn (str "a notification without identity recevied from AWS\n"
-                   (pprint-report report)))
+    (l/warn :msg "a notification without identity recevied from AWS"
+            :report (pr-str report))

    (= "bounce" type)
    (register-bounce-for-profile cfg report)
@@ -201,7 +190,7 @@
    (register-complaint-for-profile cfg report)

    :else
-    (log/warn (str "unrecognized report received from AWS\n"
-                   (pprint-report report)))))
+    (l/warn :msg "unrecognized report received from AWS"
+            :report (pr-str report))))


--- a/backend/src/app/http/errors.clj
+++ b/backend/src/app/http/errors.clj
@@ -2,18 +2,14 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.http.errors
  "A errors handling for the http server."
  (:require
   [app.common.exceptions :as ex]
   [app.common.uuid :as uuid]
-   [app.util.log4j :refer [update-thread-context!]]
-   [clojure.tools.logging :as log]
+   [app.util.logging :as l]
   [cuerdas.core :as str]
   [expound.alpha :as expound]))

@@ -73,10 +69,14 @@
  [error request]
  (let [edata (ex-data error)
        cdata (get-error-context request error)]
-    (update-thread-context! cdata)
-    (log/errorf error "internal error: assertion (id: %s)" (str (:id cdata)))
+    (l/update-thread-context! cdata)
+    (l/error :hint "internal error: assertion"
+             :error-id (str (:id cdata))
+             :cause error)
+
    {:status 500
     :body {:type :server-error
+            :code :assertion
            :data (-> edata
                      (assoc :explain (explain-error edata))
                      (dissoc :data))}}))
@@ -97,12 +97,14 @@
             (ex/exception? (:handling edata)))
      (handle-exception (:handling edata) request)
      (let [cdata (get-error-context request error)]
-        (update-thread-context! cdata)
-        (log/errorf error "internal error: %s (id: %s)"
-                    (ex-message error)
-                    (str (:id cdata)))
+        (l/update-thread-context! cdata)
+        (l/error :hint "internal error"
+                 :error-message (ex-message error)
+                 :error-id (str (:id cdata))
+                 :cause error)
        {:status 500
         :body {:type :server-error
+                :code :unexpected
                :hint (ex-message error)
                :data edata}}))))

@@ -111,11 +113,12 @@
  (let [cdata (get-error-context request error)
        state (.getSQLState ^java.sql.SQLException error)]

-    (update-thread-context! cdata)
-    (log/errorf error "PSQL Exception: %s (id: %s, state: %s)"
-                (ex-message error)
-                (str (:id cdata))
-                state)
+    (l/update-thread-context! cdata)
+    (l/error :hint "psql exception"
+             :error-message (ex-message error)
+             :error-id (str (:id cdata))
+             :sql-state state
+             :cause error)

    (cond
      (= state "57014")
@@ -132,7 +135,8 @@

      :else
      {:status 500
-       :body {:type :server-timeout
+       :body {:type :server-error
+              :code :psql-exception
              :hint (ex-message error)
              :state state}})))

--- a/backend/src/app/http/feedback.clj
+++ b/backend/src/app/http/feedback.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2021 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.http.feedback
  "A general purpose feedback module."
@@ -15,7 +12,7 @@
   [app.common.spec :as us]
   [app.config :as cfg]
   [app.db :as db]
-   [app.emails :as emails]
+   [app.emails :as eml]
   [app.rpc.queries.profile :as profile]
   [clojure.spec.alpha :as s]
   [integrant.core :as ig]))
@@ -62,11 +59,12 @@
  [pool profile params]
  (let [params      (us/conform ::feedback params)
        destination (cfg/get :feedback-destination)]
-    (emails/send! pool emails/feedback
-                  {:to       destination
-                   :profile  profile
-                   :reply-to (:from params)
-                   :email    (:from params)
-                   :subject  (:subject params)
-                   :content  (:content params)})
+    (eml/send! {::eml/conn pool
+                ::eml/factory eml/feedback
+                :to       destination
+                :profile  profile
+                :reply-to (:from params)
+                :email    (:from params)
+                :subject  (:subject params)
+                :content  (:content params)})
    nil))
--- a/backend/src/app/http/middleware.clj
+++ b/backend/src/app/http/middleware.clj
@@ -2,15 +2,13 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020-2021 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.http.middleware
  (:require
   [app.metrics :as mtx]
   [app.util.json :as json]
+   [app.util.logging :as l]
   [app.util.transit :as t]
   [buddy.core.codecs :as bc]
   [buddy.core.hash :as bh]
@@ -165,3 +163,18 @@
 (def etag
  {:name ::etag
   :compile (constantly wrap-etag)})
+
+(defn activity-logger
+  [handler]
+  (let [logger "penpot.profile-activity"]
+    (fn [{:keys [headers] :as request}]
+      (let [ip-addr    (get headers "x-forwarded-for")
+            profile-id (:profile-id request)
+            qstring    (:query-string request)]
+        (l/info ::l/async true
+                ::l/logger logger
+                :ip-addr ip-addr
+                :profile-id profile-id
+                :uri (str (:uri request) (when qstring (str "?" qstring)))
+                :method (name (:request-method request)))
+        (handler request)))))
--- a/backend/src/app/http/oauth.clj
+++ b/backend/src/app/http/oauth.clj
@@ -0,0 +1,341 @@
+;; This Source Code Form is subject to the terms of the Mozilla Public
+;; License, v. 2.0. If a copy of the MPL was not distributed with this
+;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;;
+;; Copyright (c) UXBOX Labs SL
+
+(ns app.http.oauth
+  (:require
+   [app.common.exceptions :as ex]
+   [app.common.spec :as us]
+   [app.common.uri :as u]
+   [app.config :as cf]
+   [app.util.http :as http]
+   [app.util.logging :as l]
+   [app.util.time :as dt]
+   [clojure.data.json :as json]
+   [clojure.set :as set]
+   [clojure.spec.alpha :as s]
+   [cuerdas.core :as str]
+   [integrant.core :as ig]))
+
+(defn redirect-response
+  [uri]
+  {:status 302
+   :headers {"location" (str uri)}
+   :body ""})
+
+(defn generate-error-redirect-uri
+  [cfg]
+  (-> (u/uri (:public-uri cfg))
+      (assoc :path "/#/auth/login")
+      (assoc :query (u/map->query-string {:error "unable-to-auth"}))))
+
+(defn register-profile
+  [{:keys [rpc] :as cfg} info]
+  (let [method-fn (get-in rpc [:methods :mutation :login-or-register])
+        profile   (method-fn info)]
+    (cond-> profile
+      (some? (:invitation-token info))
+      (assoc :invitation-token (:invitation-token info)))))
+
+(defn generate-redirect-uri
+  [{:keys [tokens] :as cfg} profile]
+  (let [token (or (:invitation-token profile)
+                  (tokens :generate {:iss :auth
+                                     :exp (dt/in-future "15m")
+                                     :profile-id (:id profile)}))]
+    (-> (u/uri (:public-uri cfg))
+        (assoc :path "/#/auth/verify-token")
+        (assoc :query (u/map->query-string {:token token})))))
+
+(defn- build-redirect-uri
+  [{:keys [provider] :as cfg}]
+  (let [public (u/uri (:public-uri cfg))]
+    (str (assoc public :path (str "/api/auth/oauth/" (:name provider) "/callback")))))
+
+(defn- build-auth-uri
+  [{:keys [provider] :as cfg} state]
+  (let [params {:client_id (:client-id provider)
+                :redirect_uri (build-redirect-uri cfg)
+                :response_type "code"
+                :state state
+                :scope (str/join " " (:scopes provider []))}
+        query  (u/map->query-string params)]
+    (-> (u/uri (:auth-uri provider))
+        (assoc :query query)
+        (str))))
+
+(defn retrieve-access-token
+  [{:keys [provider] :as cfg} code]
+  (try
+    (let [params {:client_id (:client-id provider)
+                  :client_secret (:client-secret provider)
+                  :code code
+                  :grant_type "authorization_code"
+                  :redirect_uri (build-redirect-uri cfg)}
+          req    {:method :post
+                  :headers {"content-type" "application/x-www-form-urlencoded"}
+                  :uri (:token-uri provider)
+                  :body (u/map->query-string params)}
+          res    (http/send! req)]
+      (when (= 200 (:status res))
+        (let [data (json/read-str (:body res))]
+          {:token (get data "access_token")
+           :type  (get data "token_type")})))
+    (catch Exception e
+      (l/error :hint "unexpected error on retrieve-access-token"
+               :cause e)
+      nil)))
+
+(defn- retrieve-user-info
+  [{:keys [provider] :as cfg} tdata]
+  (try
+    (let [req {:uri (:user-uri provider)
+               :headers {"Authorization" (str (:type tdata) " " (:token tdata))}
+               :timeout 6000
+               :method :get}
+          res (http/send! req)]
+
+      (when (= 200 (:status res))
+        (let [info (json/read-str (:body res) :key-fn keyword)]
+          {:backend (:name provider)
+           :email (:email info)
+           :fullname (:name info)
+           :props (dissoc info :name :email)})))
+
+    (catch Exception e
+      (l/error :hint "unexpected exception on retrieve-user-info"
+               :cause e)
+      nil)))
+
+(s/def ::backend ::us/not-empty-string)
+(s/def ::email ::us/not-empty-string)
+(s/def ::fullname ::us/not-empty-string)
+(s/def ::props (s/map-of ::us/keyword any?))
+
+(s/def ::info
+  (s/keys :req-un [::backend
+                   ::email
+                   ::fullname
+                   ::props]))
+
+(defn retrieve-info
+  [{:keys [tokens provider] :as cfg} request]
+  (let [state  (get-in request [:params :state])
+        state  (tokens :verify {:token state :iss :oauth})
+        info   (some->> (get-in request [:params :code])
+                        (retrieve-access-token cfg)
+                        (retrieve-user-info cfg))]
+
+    (when-not (s/valid? ::info info)
+      (l/warn :hint "received incomplete profile info object (please set correct scopes)"
+              :info (pr-str info))
+      (ex/raise :type :internal
+                :code :unable-to-auth
+                :hint "no user info"))
+
+    ;; If the provider is OIDC, we can proceed to check
+    ;; roles if they are defined.
+    (when (and (= "oidc" (:name provider))
+               (seq (:roles provider)))
+      (let [provider-roles (into #{} (:roles provider))
+            profile-roles  (let [attr  (cf/get :oidc-roles-attr :roles)
+                                 roles (get info attr)]
+                             (cond
+                               (string? roles) (into #{} (str/words roles))
+                               (vector? roles) (into #{} roles)
+                               :else #{}))]
+        ;; check if profile has a configured set of roles
+        (when-not (set/subset? provider-roles profile-roles)
+          (ex/raise :type :internal
+                    :code :unable-to-auth
+                    :hint "not enought permissions"))))
+
+    (cond-> info
+      (some? (:invitation-token state))
+      (assoc :invitation-token (:invitation-token state))
+
+      ;; If state token comes with props, merge them. The state token
+      ;; props can contain pm_ and utm_ prefixed query params.
+      (map? (:props state))
+      (update :props merge (:props state)))))
+
+;; --- HTTP HANDLERS
+
+(defn extract-props
+  [params]
+  (reduce-kv (fn [params k v]
+               (let [sk (name k)]
+                 (cond-> params
+                   (or (str/starts-with? sk "pm_")
+                       (str/starts-with? sk "pm-")
+                       (str/starts-with? sk "utm_"))
+                   (assoc (-> sk str/kebab keyword) v))))
+             {}
+             params))
+
+(defn- auth-handler
+  [{:keys [tokens] :as cfg} {:keys [params] :as request}]
+  (let [invitation (:invitation-token params)
+        props      (extract-props params)
+        state      (tokens :generate
+                           {:iss :oauth
+                            :invitation-token invitation
+                            :props props
+                            :exp (dt/in-future "15m")})
+        uri        (build-auth-uri cfg state)]
+    {:status 200
+     :body {:redirect-uri uri}}))
+
+(defn- callback-handler
+  [{:keys [session] :as cfg} request]
+  (try
+    (let [info    (retrieve-info cfg request)
+          profile (register-profile cfg info)
+          uri     (generate-redirect-uri cfg profile)
+          sxf     ((:create session) (:id profile))]
+      (->> (redirect-response uri)
+           (sxf request)))
+    (catch Exception _e
+      (-> (generate-error-redirect-uri cfg)
+          (redirect-response)))))
+
+;; --- INIT
+
+(declare initialize)
+
+(s/def ::public-uri ::us/not-empty-string)
+(s/def ::session map?)
+(s/def ::tokens fn?)
+(s/def ::rpc map?)
+
+(defmethod ig/pre-init-spec :app.http.oauth/handlers [_]
+  (s/keys :req-un [::public-uri ::session ::tokens ::rpc]))
+
+(defn wrap-handler
+  [cfg handler]
+  (fn [request]
+    (let [provider (get-in request [:path-params :provider])
+          provider (get-in @cfg [:providers provider])]
+      (when-not provider
+        (ex/raise :type :not-found
+                  :context {:provider provider}
+                  :hint "provider not configured"))
+      (-> (assoc @cfg :provider provider)
+          (handler request)))))
+
+(defmethod ig/init-key :app.http.oauth/handlers
+  [_ cfg]
+  (let [cfg (initialize cfg)]
+    {:handler (wrap-handler cfg auth-handler)
+     :callback-handler (wrap-handler cfg callback-handler)}))
+
+(defn- discover-oidc-config
+  [{:keys [base-uri] :as opts}]
+  (let [discovery-uri (u/join base-uri ".well-known/openid-configuration")
+        response      (http/send! {:method :get :uri (str discovery-uri)})]
+    (when (= 200 (:status response))
+      (let [data (json/read-str (:body response))]
+        (assoc opts
+               :token-uri (get data "token_endpoint")
+               :auth-uri (get data "authorization_endpoint")
+               :user-uri (get data "userinfo_endpoint"))))))
+
+(defn- obfuscate-string
+  [s]
+  (if (< (count s) 10)
+    (apply str (take (count s) (repeat "*")))
+    (str (subs s 0 5)
+         (apply str (take (- (count s) 5) (repeat "*"))))))
+
+(defn- initialize-oidc-provider
+  [cfg]
+  (let [opts {:base-uri      (cf/get :oidc-base-uri)
+              :client-id     (cf/get :oidc-client-id)
+              :client-secret (cf/get :oidc-client-secret)
+              :token-uri     (cf/get :oidc-token-uri)
+              :auth-uri      (cf/get :oidc-auth-uri)
+              :user-uri      (cf/get :oidc-user-uri)
+              :scopes        (cf/get :oidc-scopes #{"openid" "profile" "email"})
+              :roles-attr    (cf/get :oidc-roles-attr)
+              :roles         (cf/get :oidc-roles)
+              :name          "oidc"}]
+    (if (and (string? (:base-uri opts))
+             (string? (:client-id opts))
+             (string? (:client-secret opts)))
+      (if (and (string? (:token-uri opts))
+               (string? (:user-uri opts))
+               (string? (:auth-uri opts)))
+        (do
+          (l/info :action "initialize" :provider "oidc" :method "static"
+                  :opts (pr-str (update opts :client-secret obfuscate-string)))
+          (assoc-in cfg [:providers "oidc"] opts))
+        (let [opts (discover-oidc-config opts)]
+          (l/info :action "initialize" :provider "oidc" :method "discover"
+                  :opts (pr-str (update opts :client-secret obfuscate-string)))
+          (assoc-in cfg [:providers "oidc"] opts)))
+      cfg)))
+
+(defn- initialize-google-provider
+  [cfg]
+  (let [opts {:client-id     (cf/get :google-client-id)
+              :client-secret (cf/get :google-client-secret)
+              :scopes        #{"openid" "email" "profile"}
+              :auth-uri      "https://accounts.google.com/o/oauth2/v2/auth"
+              :token-uri     "https://oauth2.googleapis.com/token"
+              :user-uri      "https://openidconnect.googleapis.com/v1/userinfo"
+              :name          "google"}]
+    (if (and (string? (:client-id opts))
+             (string? (:client-secret opts)))
+      (do
+        (l/info :action "initialize" :provider "google"
+                :opts (pr-str (update opts :client-secret obfuscate-string)))
+        (assoc-in cfg [:providers "google"] opts))
+      cfg)))
+
+(defn- initialize-github-provider
+  [cfg]
+  (let [opts {:client-id     (cf/get :github-client-id)
+              :client-secret (cf/get :github-client-secret)
+              :scopes        #{"read:user" "user:email"}
+              :auth-uri      "https://github.com/login/oauth/authorize"
+              :token-uri     "https://github.com/login/oauth/access_token"
+              :user-uri      "https://api.github.com/user"
+              :name          "github"}]
+    (if (and (string? (:client-id opts))
+             (string? (:client-secret opts)))
+      (do
+        (l/info :action "initialize" :provider "github"
+                :opts (pr-str (update opts :client-secret obfuscate-string)))
+        (assoc-in cfg [:providers "github"] opts))
+      cfg)))
+
+
+(defn- initialize-gitlab-provider
+  [cfg]
+  (let [base (cf/get :gitlab-base-uri "https://gitlab.com")
+        opts {:base-uri      base
+              :client-id     (cf/get :gitlab-client-id)
+              :client-secret (cf/get :gitlab-client-secret)
+              :scopes        #{"read_user"}
+              :auth-uri      (str base "/oauth/authorize")
+              :token-uri     (str base "/oauth/token")
+              :user-uri      (str base "/api/v4/user")
+              :name          "gitlab"}]
+    (if (and (string? (:client-id opts))
+             (string? (:client-secret opts)))
+      (do
+        (l/info :action "initialize" :provider "gitlab"
+                :opts (pr-str (update opts :client-secret obfuscate-string)))
+        (assoc-in cfg [:providers "gitlab"] opts))
+      cfg)))
+
+(defn- initialize
+  [cfg]
+  (let [cfg (agent cfg :error-mode :continue)]
+    (send-off cfg initialize-google-provider)
+    (send-off cfg initialize-gitlab-provider)
+    (send-off cfg initialize-github-provider)
+    (send-off cfg initialize-oidc-provider)
+    cfg))
--- a/backend/src/app/http/oauth/github.clj
+++ b/backend/src/app/http/oauth/github.clj
@@ -1,159 +0,0 @@
-;; This Source Code Form is subject to the terms of the Mozilla Public
-;; License, v. 2.0. If a copy of the MPL was not distributed with this
-;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020-2021 UXBOX Labs SL
-
-(ns app.http.oauth.github
-  (:require
-   [app.common.exceptions :as ex]
-   [app.common.spec :as us]
-   [app.config :as cfg]
-   [app.http.oauth.google :as gg]
-   [app.util.http :as http]
-   [app.util.time :as dt]
-   [clojure.data.json :as json]
-   [clojure.spec.alpha :as s]
-   [clojure.tools.logging :as log]
-   [integrant.core :as ig]
-   [lambdaisland.uri :as u]))
-
-(def base-github-uri
-  (u/uri "https://github.com"))
-
-(def base-api-github-uri
-  (u/uri "https://api.github.com"))
-
-(def authorize-uri
-  (assoc base-github-uri :path "/login/oauth/authorize"))
-
-(def token-url
-  (assoc base-github-uri :path "/login/oauth/access_token"))
-
-(def user-info-url
-  (assoc base-api-github-uri :path "/user"))
-
-(def scope "user:email")
-
-(defn- build-redirect-url
-  [cfg]
-  (let [public (u/uri (:public-uri cfg))]
-    (str (assoc public :path "/api/oauth/github/callback"))))
-
-(defn- get-access-token
-  [cfg state code]
-  (try
-    (let [params {:client_id (:client-id cfg)
-                  :client_secret (:client-secret cfg)
-                  :code code
-                  :state state
-                  :redirect_uri (build-redirect-url cfg)}
-          req    {:method :post
-                  :headers {"content-type" "application/x-www-form-urlencoded"
-                            "accept" "application/json"}
-                  :uri  (str token-url)
-                  :timeout 6000
-                  :body (u/map->query-string params)}
-          res    (http/send! req)]
-
-      (when (= 200 (:status res))
-        (-> (json/read-str (:body res))
-            (get "access_token"))))
-
-    (catch Exception e
-      (log/error e "unexpected error on get-access-token")
-      nil)))
-
-(defn- get-user-info
-  [_ token]
-  (try
-    (let [req {:uri (str user-info-url)
-               :headers {"authorization" (str "token " token)}
-               :timeout 6000
-               :method :get}
-          res (http/send! req)]
-      (when (= 200 (:status res))
-        (let [data (json/read-str (:body res))]
-          {:email (get data "email")
-           :backend "github"
-           :fullname (get data "name")})))
-    (catch Exception e
-      (log/error e "unexpected exception on get-user-info")
-      nil)))
-
-(defn- retrieve-info
-  [{:keys [tokens] :as cfg} request]
-  (let [token (get-in request [:params :state])
-        state (tokens :verify {:token token :iss :github-oauth})
-        info  (some->> (get-in request [:params :code])
-                       (get-access-token cfg state)
-                       (get-user-info cfg))]
-    (when-not info
-      (ex/raise :type :internal
-                :code :unable-to-auth))
-
-    (cond-> info
-      (some? (:invitation-token state))
-      (assoc :invitation-token (:invitation-token state)))))
-
-(defn auth-handler
-  [{:keys [tokens] :as cfg} request]
-  (let [invitation (get-in request [:params :invitation-token])
-        state      (tokens :generate {:iss :github-oauth
-                                      :invitation-token invitation
-                                      :exp (dt/in-future "15m")})
-        params     {:client_id (:client-id cfg/config)
-                    :redirect_uri (build-redirect-url cfg)
-                    :state state
-                    :scope scope}
-        query      (u/map->query-string params)
-        uri        (-> authorize-uri
-                       (assoc :query query))]
-    {:status 200
-     :body {:redirect-uri (str uri)}}))
-
-(defn- callback-handler
-  [{:keys [session] :as cfg} request]
-  (try
-    (let [info    (retrieve-info cfg request)
-          profile (gg/register-profile cfg info)
-          uri     (gg/generate-redirect-uri cfg profile)
-          sxf     ((:create session) (:id profile))]
-      (->> (gg/redirect-response uri)
-           (sxf request)))
-    (catch Exception _e
-      (-> (gg/generate-error-redirect-uri cfg)
-          (gg/redirect-response)))))
-
-
-;; --- ENTRY POINT
-
-(s/def ::client-id ::us/not-empty-string)
-(s/def ::client-secret ::us/not-empty-string)
-(s/def ::public-uri ::us/not-empty-string)
-(s/def ::session map?)
-(s/def ::tokens fn?)
-
-(defmethod ig/pre-init-spec :app.http.oauth/github [_]
-  (s/keys :req-un [::public-uri
-                   ::session
-                   ::tokens]
-          :opt-un [::client-id
-                   ::client-secret]))
-
-(defn- default-handler
-  [_]
-  (ex/raise :type :not-found))
-
-(defmethod ig/init-key :app.http.oauth/github
-  [_ cfg]
-  (if (and (:client-id cfg)
-           (:client-secret cfg))
-    {:handler #(auth-handler cfg %)
-     :callback-handler #(callback-handler cfg %)}
-    {:handler default-handler
-     :callback-handler default-handler}))
-
--- a/backend/src/app/http/oauth/gitlab.clj
+++ b/backend/src/app/http/oauth/gitlab.clj
@@ -1,167 +0,0 @@
-;; This Source Code Form is subject to the terms of the Mozilla Public
-;; License, v. 2.0. If a copy of the MPL was not distributed with this
-;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020 UXBOX Labs SL
-
-(ns app.http.oauth.gitlab
-  (:require
-   [app.common.data :as d]
-   [app.common.exceptions :as ex]
-   [app.common.spec :as us]
-   [app.http.oauth.google :as gg]
-   [app.util.http :as http]
-   [app.util.time :as dt]
-   [clojure.data.json :as json]
-   [clojure.spec.alpha :as s]
-   [clojure.tools.logging :as log]
-   [integrant.core :as ig]
-   [lambdaisland.uri :as u]))
-
-(def scope "read_user")
-
-(defn- build-redirect-url
-  [cfg]
-  (let [public (u/uri (:public-uri cfg))]
-    (str (assoc public :path "/api/oauth/gitlab/callback"))))
-
-(defn- build-oauth-uri
-  [cfg]
-  (let [base-uri (u/uri (:base-uri cfg))]
-    (assoc base-uri :path "/oauth/authorize")))
-
-(defn- build-token-url
-  [cfg]
-  (let [base-uri (u/uri (:base-uri cfg))]
-    (str (assoc base-uri :path "/oauth/token"))))
-
-(defn- build-user-info-url
-  [cfg]
-  (let [base-uri (u/uri (:base-uri cfg))]
-    (str (assoc base-uri :path "/api/v4/user"))))
-
-(defn- get-access-token
-  [cfg code]
-  (try
-    (let [params {:client_id (:client-id cfg)
-                  :client_secret (:client-secret cfg)
-                  :code code
-                  :grant_type "authorization_code"
-                  :redirect_uri (build-redirect-url cfg)}
-          req    {:method :post
-                  :headers {"content-type" "application/x-www-form-urlencoded"}
-                  :uri (build-token-url cfg)
-                  :body (u/map->query-string params)}
-        res    (http/send! req)]
-
-      (when (= 200 (:status res))
-        (-> (json/read-str (:body res))
-            (get "access_token"))))
-
-    (catch Exception e
-      (log/error e "unexpected error on get-access-token")
-      nil)))
-
-(defn- get-user-info
-  [cfg token]
-  (try
-    (let [req {:uri (build-user-info-url cfg)
-               :headers {"Authorization" (str "Bearer " token)}
-               :timeout 6000
-               :method :get}
-          res (http/send! req)]
-
-      (when (= 200 (:status res))
-        (let [data (json/read-str (:body res))]
-          {:email (get data "email")
-           :backend "gitlab"
-           :fullname (get data "name")})))
-
-    (catch Exception e
-      (log/error e "unexpected exception on get-user-info")
-      nil)))
-
-
-(defn- retrieve-info
-  [{:keys [tokens] :as cfg} request]
-  (let [token (get-in request [:params :state])
-        state (tokens :verify {:token token :iss :gitlab-oauth})
-        info  (some->> (get-in request [:params :code])
-                       (get-access-token cfg)
-                       (get-user-info cfg))]
-    (when-not info
-      (ex/raise :type :internal
-                :code :unable-to-auth))
-
-    (cond-> info
-      (some? (:invitation-token state))
-      (assoc :invitation-token (:invitation-token state)))))
-
-
-(defn- auth-handler
-  [{:keys [tokens] :as cfg} request]
-  (let [invitation (get-in request [:params :invitation-token])
-        state      (tokens :generate
-                           {:iss :gitlab-oauth
-                            :invitation-token invitation
-                            :exp (dt/in-future "15m")})
-
-        params     {:client_id (:client-id cfg)
-                    :redirect_uri (build-redirect-url cfg)
-                    :response_type "code"
-                    :state state
-                    :scope scope}
-        query      (u/map->query-string params)
-        uri        (-> (build-oauth-uri cfg)
-                       (assoc :query query))]
-    {:status 200
-     :body {:redirect-uri (str uri)}}))
-
-(defn- callback-handler
-  [{:keys [session] :as cfg} request]
-  (try
-    (let [info    (retrieve-info cfg request)
-          profile (gg/register-profile cfg info)
-          uri     (gg/generate-redirect-uri cfg profile)
-          sxf     ((:create session) (:id profile))]
-      (->> (gg/redirect-response uri)
-           (sxf request)))
-    (catch Exception _e
-      (-> (gg/generate-error-redirect-uri cfg)
-          (gg/redirect-response)))))
-
-(s/def ::client-id ::us/not-empty-string)
-(s/def ::client-secret ::us/not-empty-string)
-(s/def ::base-uri ::us/not-empty-string)
-(s/def ::public-uri ::us/not-empty-string)
-(s/def ::session map?)
-(s/def ::tokens fn?)
-
-(defmethod ig/pre-init-spec :app.http.oauth/gitlab [_]
-  (s/keys :req-un [::public-uri
-                   ::session
-                   ::tokens]
-          :opt-un [::base-uri
-                   ::client-id
-                   ::client-secret]))
-
-(defmethod ig/prep-key :app.http.oauth/gitlab
-  [_ cfg]
-  (d/merge {:base-uri "https://gitlab.com"}
-           (d/without-nils cfg)))
-
-(defn- default-handler
-  [_]
-  (ex/raise :type :not-found))
-
-(defmethod ig/init-key :app.http.oauth/gitlab
-  [_ cfg]
-  (if (and (:client-id cfg)
-           (:client-secret cfg))
-    {:handler #(auth-handler cfg %)
-     :callback-handler #(callback-handler cfg %)}
-    {:handler default-handler
-     :callback-handler default-handler}))
--- a/backend/src/app/http/oauth/google.clj
+++ b/backend/src/app/http/oauth/google.clj
@@ -1,182 +0,0 @@
-;; This Source Code Form is subject to the terms of the Mozilla Public
-;; License, v. 2.0. If a copy of the MPL was not distributed with this
-;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020-2021 UXBOX Labs SL
-
-(ns app.http.oauth.google
-  (:require
-   [app.common.exceptions :as ex]
-   [app.common.spec :as us]
-   [app.util.http :as http]
-   [app.util.time :as dt]
-   [clojure.data.json :as json]
-   [clojure.spec.alpha :as s]
-   [clojure.tools.logging :as log]
-   [integrant.core :as ig]
-   [lambdaisland.uri :as u]))
-
-(def base-goauth-uri "https://accounts.google.com/o/oauth2/v2/auth")
-
-(def scope
-  (str "email profile "
-       "https://www.googleapis.com/auth/userinfo.email "
-       "https://www.googleapis.com/auth/userinfo.profile "
-       "openid"))
-
-(defn- build-redirect-url
-  [cfg]
-  (let [public (u/uri (:public-uri cfg))]
-    (str (assoc public :path "/api/oauth/google/callback"))))
-
-(defn- get-access-token
-  [cfg code]
-  (try
-    (let [params {:code code
-                  :client_id (:client-id cfg)
-                  :client_secret (:client-secret cfg)
-                  :redirect_uri (build-redirect-url cfg)
-                  :grant_type "authorization_code"}
-          req    {:method :post
-                  :headers {"content-type" "application/x-www-form-urlencoded"}
-                  :uri "https://oauth2.googleapis.com/token"
-                  :timeout 6000
-                  :body (u/map->query-string params)}
-          res    (http/send! req)]
-
-      (when (= 200 (:status res))
-        (-> (json/read-str (:body res))
-            (get "access_token"))))
-    (catch Exception e
-      (log/error e "unexpected error on get-access-token")
-      nil)))
-
-(defn- get-user-info
-  [_ token]
-  (try
-    (let [req {:uri "https://openidconnect.googleapis.com/v1/userinfo"
-               :headers {"Authorization" (str "Bearer " token)}
-               :timeout 6000
-               :method :get}
-          res (http/send! req)]
-
-      (when (= 200 (:status res))
-        (let [data (json/read-str (:body res))]
-          {:email (get data "email")
-           :backend "google"
-           :fullname (get data "name")})))
-    (catch Exception e
-      (log/error e "unexpected exception on get-user-info")
-      nil)))
-
-(defn- retrieve-info
-  [{:keys [tokens] :as cfg} request]
-  (let [token (get-in request [:params :state])
-        state (tokens :verify {:token token :iss :google-oauth})
-        info  (some->> (get-in request [:params :code])
-                       (get-access-token cfg)
-                       (get-user-info cfg))]
-
-
-    (when-not info
-      (ex/raise :type :internal
-                :code :unable-to-auth))
-
-    (cond-> info
-      (some? (:invitation-token state))
-      (assoc :invitation-token (:invitation-token state)))))
-
-(defn register-profile
-  [{:keys [rpc] :as cfg} info]
-  (let [method-fn (get-in rpc [:methods :mutation :login-or-register])
-        profile   (method-fn {:email (:email info)
-                              :backend (:backend info)
-                              :fullname (:fullname info)})]
-    (cond-> profile
-      (some? (:invitation-token info))
-      (assoc :invitation-token (:invitation-token info)))))
-
-(defn generate-redirect-uri
-  [{:keys [tokens] :as cfg} profile]
-  (let [token (or (:invitation-token profile)
-                  (tokens :generate {:iss :auth
-                                     :exp (dt/in-future "15m")
-                                     :profile-id (:id profile)}))]
-    (-> (u/uri (:public-uri cfg))
-        (assoc :path "/#/auth/verify-token")
-        (assoc :query (u/map->query-string {:token token})))))
-
-(defn generate-error-redirect-uri
-  [cfg]
-  (-> (u/uri (:public-uri cfg))
-      (assoc :path "/#/auth/login")
-      (assoc :query (u/map->query-string {:error "unable-to-auth"}))))
-
-(defn redirect-response
-  [uri]
-  {:status 302
-   :headers {"location" (str uri)}
-   :body ""})
-
-(defn- auth-handler
-  [{:keys [tokens] :as cfg} request]
-  (let [invitation (get-in request [:params :invitation-token])
-        state      (tokens :generate
-                           {:iss :google-oauth
-                            :invitation-token invitation
-                            :exp (dt/in-future "15m")})
-        params     {:scope scope
-                    :access_type "offline"
-                    :include_granted_scopes true
-                    :state state
-                    :response_type "code"
-                    :redirect_uri (build-redirect-url cfg)
-                    :client_id (:client-id cfg)}
-        query      (u/map->query-string params)
-        uri        (-> (u/uri base-goauth-uri)
-                       (assoc :query query))]
-
-    {:status 200
-     :body {:redirect-uri (str uri)}}))
-
-(defn- callback-handler
-  [{:keys [session] :as cfg} request]
-  (try
-    (let [info    (retrieve-info cfg request)
-          profile (register-profile cfg info)
-          uri     (generate-redirect-uri cfg profile)
-          sxf     ((:create session) (:id profile))]
-      (->> (redirect-response uri)
-           (sxf request)))
-    (catch Exception _e
-      (-> (generate-error-redirect-uri cfg)
-          (redirect-response)))))
-
-(s/def ::client-id ::us/not-empty-string)
-(s/def ::client-secret ::us/not-empty-string)
-(s/def ::public-uri ::us/not-empty-string)
-(s/def ::session map?)
-(s/def ::tokens fn?)
-
-(defmethod ig/pre-init-spec :app.http.oauth/google [_]
-  (s/keys :req-un [::public-uri
-                   ::session
-                   ::tokens]
-          :opt-un [::client-id
-                   ::client-secret]))
-
-(defn- default-handler
-  [_]
-  (ex/raise :type :not-found))
-
-(defmethod ig/init-key :app.http.oauth/google
-  [_ cfg]
-  (if (and (:client-id cfg)
-           (:client-secret cfg))
-    {:handler #(auth-handler cfg %)
-     :callback-handler #(callback-handler cfg %)}
-    {:handler default-handler
-     :callback-handler default-handler}))
--- a/backend/src/app/http/session.clj
+++ b/backend/src/app/http/session.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.http.session
  (:require
@@ -15,104 +12,100 @@
   [app.db :as db]
   [app.metrics :as mtx]
   [app.util.async :as aa]
-   [app.util.log4j :refer [update-thread-context!]]
+   [app.util.logging :as l]
   [app.util.time :as dt]
   [app.worker :as wrk]
-   [buddy.core.codecs :as bc]
-   [buddy.core.nonce :as bn]
   [clojure.core.async :as a]
   [clojure.spec.alpha :as s]
-   [clojure.tools.logging :as log]
   [integrant.core :as ig]))

+;; A default cookie name for storing the session. We don't allow
+;; configure it.
+(def cookie-name "auth-token")
+
 ;; --- IMPL

-(defn- next-session-id
-  ([] (next-session-id 96))
-  ([n]
-   (-> (bn/random-nonce n)
-       (bc/bytes->b64u)
-       (bc/bytes->str))))
+(defn- create-session
+  [{:keys [conn tokens] :as cfg} {:keys [profile-id headers] :as request}]
+  (let [token  (tokens :generate {:iss "authentication"
+                                  :iat (dt/now)
+                                  :uid profile-id})
+        params {:user-agent (get headers "user-agent")
+                :profile-id profile-id
+                :id token}]
+    (db/insert! conn :http-session params)))

-(defn- create
-  [{:keys [conn] :as cfg} {:keys [profile-id user-agent]}]
-  (let [id (next-session-id)]
-    (db/insert! conn :http-session {:id id
-                                    :profile-id profile-id
-                                    :user-agent user-agent})
-    id))
-
-(defn- delete
-  [{:keys [conn cookie-name] :as cfg} {:keys [cookies] :as request}]
+(defn- delete-session
+  [{:keys [conn] :as cfg} {:keys [cookies] :as request}]
  (when-let [token (get-in cookies [cookie-name :value])]
    (db/delete! conn :http-session {:id token}))
  nil)

-(defn- retrieve
-  [{:keys [conn] :as cfg} token]
-  (when token
-    (db/exec-one! conn ["select id, profile_id from http_session where id = ?" token])))
+(defn- retrieve-session
+  [{:keys [conn] :as cfg} id]
+  (when id
+    (db/exec-one! conn ["select id, profile_id from http_session where id = ?" id])))

 (defn- retrieve-from-request
-  [{:keys [cookie-name] :as cfg} {:keys [cookies] :as request}]
+  [cfg {:keys [cookies] :as request}]
  (->> (get-in cookies [cookie-name :value])
-       (retrieve cfg)))
+       (retrieve-session cfg)))

-(defn- cookies
-  [{:keys [cookie-name] :as cfg} vals]
-  {cookie-name (merge vals {:path "/" :http-only true})})
+(defn- add-cookies
+  [response {:keys [id] :as session}]
+  (assoc response :cookies {cookie-name {:path "/" :http-only true :value id}}))
+
+(defn- clear-cookies
+  [response]
+  (assoc response :cookies {cookie-name {:value "" :max-age -1}}))

 (defn- middleware
  [cfg handler]
  (fn [request]
    (if-let [{:keys [id profile-id] :as session} (retrieve-from-request cfg request)]
-      (let [ech (::events-ch cfg)]
-        (a/>!! ech id)
-        (update-thread-context! {:profile-id profile-id})
+      (do
+        (a/>!! (::events-ch cfg) id)
+        (l/update-thread-context! {:profile-id profile-id})
        (handler (assoc request :profile-id profile-id)))
      (handler request))))

 ;; --- STATE INIT: SESSION

-(s/def ::cookie-name ::cfg/http-session-cookie-name)
-
 (defmethod ig/pre-init-spec ::session [_]
-  (s/keys :req-un [::db/pool]
-          :opt-un [::cookie-name]))
+  (s/keys :req-un [::db/pool]))

 (defmethod ig/prep-key ::session
  [_ cfg]
-  (merge {:cookie-name "auth-token"
-          :buffer-size 64}
-         (d/without-nils cfg)))
+  (d/merge {:buffer-size 64}
+           (d/without-nils cfg)))

 (defmethod ig/init-key ::session
  [_ {:keys [pool] :as cfg}]
  (let [events (a/chan (a/dropping-buffer (:buffer-size cfg)))
-        cfg    (assoc cfg
-                      :conn pool
-                      ::events-ch events)]
+        cfg    (-> cfg
+                   (assoc :conn pool)
+                   (assoc ::events-ch events))]
    (-> cfg
        (assoc :middleware #(middleware cfg %))
        (assoc :create (fn [profile-id]
                         (fn [request response]
-                           (let [uagent (get-in request [:headers "user-agent"])
-                                 value  (create cfg {:profile-id profile-id :user-agent uagent})]
-                             (assoc response :cookies (cookies cfg {:value value}))))))
+                           (let [request (assoc request :profile-id profile-id)
+                                 session (create-session cfg request)]
+                             (add-cookies response session)))))
        (assoc :delete (fn [request response]
-                         (delete cfg request)
-                         (assoc response
-                                :status 204
-                                :body ""
-                                :cookies (cookies cfg {:value "" :max-age -1})))))))
+                         (delete-session cfg request)
+                         (-> response
+                             (assoc :status 204)
+                             (assoc :body "")
+                             (clear-cookies)))))))

 (defmethod ig/halt-key! ::session
  [_ data]
  (a/close! (::events-ch data)))

+
 ;; --- STATE INIT: SESSION UPDATER

-(declare batch-events)
 (declare update-sessions)

 (s/def ::session map?)
@@ -132,10 +125,12 @@

 (defmethod ig/init-key ::updater
  [_ {:keys [session metrics] :as cfg}]
-  (log/infof "initialize session updater (max-batch-age=%s, max-batch-size=%s)"
-             (str (:max-batch-age cfg))
-             (str (:max-batch-size cfg)))
-  (let [input (batch-events cfg (::events-ch session))
+  (l/info :action "initialize session updater"
+          :max-batch-age (str (:max-batch-age cfg))
+          :max-batch-size (str (:max-batch-size cfg)))
+  (let [input (aa/batch (::events-ch session)
+                        {:max-batch-size (:max-batch-size cfg)
+                         :max-batch-age (inst-ms (:max-batch-age cfg))})
        mcnt  (mtx/create
               {:name "http_session_update_total"
                :help "A counter of session update batch events."
@@ -146,40 +141,15 @@
        (let [result (a/<! (update-sessions cfg batch))]
          (mcnt :inc)
          (if (ex/exception? result)
-            (log/error result "updater: unexpected error on update sessions")
-            (log/debugf "updater: updated %s sessions (reason: %s)." result (name reason)))
+            (l/error :task "updater"
+                     :hint "unexpected error on update sessions"
+                     :cause result)
+            (l/debug :task "updater"
+                     :action "update sessions"
+                     :reason (name reason)
+                     :count result))
          (recur))))))

-(defn- timeout-chan
-  [cfg]
-  (a/timeout (inst-ms (:max-batch-age cfg))))
-
-(defn- batch-events
-  [cfg in]
-  (let [out (a/chan)]
-    (a/go-loop [tch (timeout-chan cfg)
-                buf #{}]
-      (let [[val port] (a/alts! [tch in])]
-        (cond
-          (identical? port tch)
-          (if (empty? buf)
-            (recur (timeout-chan cfg) buf)
-            (do
-              (a/>! out [:timeout buf])
-              (recur (timeout-chan cfg) #{})))
-
-          (nil? val)
-          (a/close! out)
-
-          (identical? port in)
-          (let [buf (conj buf val)]
-            (if (>= (count buf) (:max-batch-size cfg))
-              (do
-                (a/>! out [:size buf])
-                (recur (timeout-chan cfg) #{}))
-              (recur tch buf))))))
-    out))
-
 (defn- update-sessions
  [{:keys [pool executor]} ids]
  (aa/with-thread executor
@@ -209,7 +179,9 @@
      (let [interval (db/interval max-age)
            result   (db/exec-one! conn [sql:delete-expired interval])
            result   (:next.jdbc/update-count result)]
-        (log/debugf "gc-task: removed %s rows from http-session table" result)
+        (l/debug :task "gc"
+                 :action "clean http sessions"
+                 :count result)
        result))))

 (def ^:private
--- a/backend/src/app/loggers/audit.clj
+++ b/backend/src/app/loggers/audit.clj
@@ -0,0 +1,232 @@
+;; This Source Code Form is subject to the terms of the Mozilla Public
+;; License, v. 2.0. If a copy of the MPL was not distributed with this
+;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;;
+;; Copyright (c) UXBOX Labs SL
+
+(ns app.loggers.audit
+  "Services related to the user activity (audit log)."
+  (:require
+   [app.common.exceptions :as ex]
+   [app.common.spec :as us]
+   [app.common.uuid :as uuid]
+   [app.config :as cf]
+   [app.db :as db]
+   [app.util.async :as aa]
+   [app.util.http :as http]
+   [app.util.logging :as l]
+   [app.util.time :as dt]
+   [app.util.transit :as t]
+   [app.worker :as wrk]
+   [clojure.core.async :as a]
+   [clojure.spec.alpha :as s]
+   [integrant.core :as ig]
+   [lambdaisland.uri :as u]))
+
+(defn clean-props
+  [{:keys [profile-id] :as event}]
+  (letfn [(clean-common [props]
+            (-> props
+                (dissoc :session-id)
+                (dissoc :password)
+                (dissoc :old-password)
+                (dissoc :token)))
+
+          (clean-profile-id [props]
+            (cond-> props
+              (= profile-id (:profile-id props))
+              (dissoc :profile-id)))
+
+          (clean-complex-data [props]
+            (reduce-kv (fn [props k v]
+                         (cond-> props
+                           (or (string? v)
+                               (uuid? v)
+                               (boolean? v)
+                               (number? v))
+                           (assoc k v)
+
+                           (keyword? v)
+                           (assoc k (name v))))
+                       {}
+                       props))]
+    (update event :props #(-> % clean-common clean-profile-id clean-complex-data))))
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Collector
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+;; Defines a service that collects the audit/activity log using
+;; internal database. Later this audit log can be transferred to
+;; an external storage and data cleared.
+
+(declare persist-events)
+(s/def ::enabled ::us/boolean)
+
+(defmethod ig/pre-init-spec ::collector [_]
+  (s/keys :req-un [::db/pool ::wrk/executor ::enabled]))
+
+(def event-xform
+  (comp
+   (filter :profile-id)
+   (map clean-props)))
+
+(defmethod ig/init-key ::collector
+  [_ {:keys [enabled] :as cfg}]
+  (when enabled
+    (l/info :msg "intializing audit collector")
+    (let [input  (a/chan 512 event-xform)
+          buffer (aa/batch input {:max-batch-size 100
+                                  :max-batch-age (* 10 1000) ; 10s
+                                  :init []})]
+      (a/go-loop []
+        (when-let [[type events] (a/<! buffer)]
+          (l/debug :action "persist-events (batch)"
+                   :reason (name type)
+                   :count (count events))
+          (let [res (a/<! (persist-events cfg events))]
+            (when (ex/exception? res)
+              (l/error :hint "error on persiting events"
+                       :cause res)))
+          (recur)))
+
+      (fn [& [cmd & params]]
+        (case cmd
+          :stop (a/close! input)
+          :submit (when-not (a/offer! input (first params))
+                    (l/warn :msg "activity channel is full")))))))
+
+
+(defn- persist-events
+  [{:keys [pool executor] :as cfg} events]
+  (letfn [(event->row [event]
+            [(uuid/next)
+             (:name event)
+             (:type event)
+             (:profile-id event)
+             (db/tjson (:props event))])]
+
+    (aa/with-thread executor
+      (db/with-atomic [conn pool]
+        (db/insert-multi! conn :audit-log
+                          [:id :name :type :profile-id :props]
+                          (sequence (map event->row) events))))))
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Archive Task
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+;; This is a task responsible to send the accomulated events to an
+;; external service for archival.
+
+(declare archive-events)
+
+(s/def ::uri ::us/string)
+(s/def ::tokens fn?)
+
+(defmethod ig/pre-init-spec ::archive-task [_]
+  (s/keys :req-un [::db/pool ::tokens ::enabled]
+          :opt-un [::uri]))
+
+(defmethod ig/init-key ::archive-task
+  [_ {:keys [uri enabled] :as cfg}]
+  (fn [_]
+    (when (and enabled (not uri))
+      (ex/raise :type :internal
+                :code :task-not-configured
+                :hint "archive task not configured, missing uri"))
+    (loop []
+      (let [res (archive-events cfg)]
+        (when (= res :continue)
+          (aa/thread-sleep 200)
+          (recur))))))
+
+(def sql:retrieve-batch-of-audit-log
+  "select * from audit_log
+    where archived_at is null
+    order by created_at asc
+    limit 100
+      for update skip locked;")
+
+(defn archive-events
+  [{:keys [pool uri tokens] :as cfg}]
+  (letfn [(decode-row [{:keys [props] :as row}]
+            (cond-> row
+              (db/pgobject? props)
+              (assoc :props (db/decode-transit-pgobject props))))
+
+          (row->event [{:keys [name type created-at profile-id props]}]
+            {:type type
+             :name name
+             :timestamp created-at
+             :profile-id profile-id
+             :props props})
+
+          (send [events]
+            (let [token   (tokens :generate {:iss "authentication"
+                                             :iat (dt/now)
+                                             :uid uuid/zero})
+                  body    (t/encode {:events events})
+                  headers {"content-type" "application/transit+json"
+                           "origin" (cf/get :public-uri)
+                           "cookie" (u/map->query-string {:auth-token token})}
+                  params  {:uri uri
+                           :timeout 5000
+                           :method :post
+                           :headers headers
+                           :body body}
+                  resp    (http/send! params)]
+              (when (not= (:status resp) 204)
+                (ex/raise :type :internal
+                          :code :unable-to-send-events
+                          :hint "unable to send events"
+                          :context resp))))
+
+          (mark-as-archived [conn rows]
+            (db/exec-one! conn ["update audit_log set archived_at=now() where id = ANY(?)"
+                                (->> (map :id rows)
+                                     (into-array java.util.UUID)
+                                     (db/create-array conn "uuid"))]))]
+
+    (db/with-atomic [conn pool]
+      (let [rows   (db/exec! conn [sql:retrieve-batch-of-audit-log])
+
+            xform  (comp (map decode-row)
+                         (map row->event))
+            events (into [] xform rows)]
+        (l/debug :action "archive-events" :uri uri :events (count events))
+        (if (empty? events)
+          :empty
+          (do
+            (send events)
+            (mark-as-archived conn rows)
+            :continue))))))
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; GC Task
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+(declare clean-archived)
+
+(s/def ::max-age ::cf/audit-archive-gc-max-age)
+
+(defmethod ig/pre-init-spec ::archive-gc-task [_]
+  (s/keys :req-un [::db/pool ::enabled ::max-age]))
+
+(defmethod ig/init-key ::archive-gc-task
+  [_ cfg]
+  (fn [_]
+    (clean-archived cfg)))
+
+(def sql:clean-archived
+  "delete from audit_log
+    where archived_at is not null
+      and archived_at < now() - ?::interval")
+
+(defn- clean-archived
+  [{:keys [pool max-age]}]
+  (let [interval (db/interval max-age)
+        result   (db/exec-one! pool [sql:clean-archived interval])
+        result   (:next.jdbc/update-count result)]
+    (l/debug :action "clean archived audit log" :removed result)
+    result))
--- a/backend/src/app/loggers/loki.clj
+++ b/backend/src/app/loggers/loki.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020-2021 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.loggers.loki
  "A Loki integration."
@@ -15,10 +12,10 @@
   [app.util.async :as aa]
   [app.util.http :as http]
   [app.util.json :as json]
+   [app.util.logging :as l]
   [app.worker :as wrk]
   [clojure.core.async :as a]
   [clojure.spec.alpha :as s]
-   [clojure.tools.logging :as log]
   [integrant.core :as ig]))

 (declare handle-event)
@@ -33,17 +30,17 @@
 (defmethod ig/init-key ::reporter
  [_ {:keys [receiver uri] :as cfg}]
  (when uri
-    (log/info "intializing loki reporter")
-    (let [output (a/chan (a/sliding-buffer 1024))]
-      (receiver :sub output)
+    (l/info :msg "intializing loki reporter" :uri uri)
+    (let [input (a/chan (a/sliding-buffer 1024))]
+      (receiver :sub input)
      (a/go-loop []
-        (let [msg (a/<! output)]
+        (let [msg (a/<! input)]
          (if (nil? msg)
-            (log/info "stoping error reporting loop")
+            (l/info :msg "stoping error reporting loop")
            (do
              (a/<! (handle-event cfg msg))
              (recur)))))
-      output)))
+      input)))

 (defmethod ig/halt-key! ::reporter
  [_ output]
@@ -75,10 +72,14 @@
      (if (= (:status response) 204)
        true
        (do
-          (log/errorf "error on sending log to loki (try %s)\n%s" i (pr-str response))
+          (l/error :hint "error on sending log to loki"
+                   :try i
+                   :rsp (pr-str response))
          false)))
    (catch Exception e
-      (log/errorf e "error on sending message to loki (try %s)" i)
+      (l/error :hint "error on sending message to loki"
+               :cause e
+               :try i)
      false)))

 (defn- handle-event
--- a/backend/src/app/loggers/mattermost.clj
+++ b/backend/src/app/loggers/mattermost.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020-2021 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.loggers.mattermost
  "A mattermost integration for error reporting."
@@ -18,12 +15,12 @@
   [app.util.async :as aa]
   [app.util.http :as http]
   [app.util.json :as json]
+   [app.util.logging :as l]
   [app.util.template :as tmpl]
   [app.worker :as wrk]
   [clojure.core.async :as a]
   [clojure.java.io :as io]
   [clojure.spec.alpha :as s]
-   [clojure.tools.logging :as log]
   [cuerdas.core :as str]
   [integrant.core :as ig]))

@@ -42,15 +39,15 @@
          :opt-un [::uri]))

 (defmethod ig/init-key ::reporter
-  [_ {:keys [receiver] :as cfg}]
-  (log/info "intializing mattermost error reporter")
+  [_ {:keys [receiver uri] :as cfg}]
+  (l/info :msg "intializing mattermost error reporter" :uri uri)
  (let [output (a/chan (a/sliding-buffer 128)
                       (filter #(= (:level %) "error")))]
    (receiver :sub output)
    (a/go-loop []
      (let [msg (a/<! output)]
        (if (nil? msg)
-          (log/info "stoping error reporting loop")
+          (l/info :msg "stoping error reporting loop")
          (do
            (a/<! (handle-event cfg msg))
            (recur)))))
@@ -61,24 +58,25 @@
  (a/close! output))

 (defn- send-mattermost-notification!
-  [cfg {:keys [host version id error] :as cdata}]
+  [cfg {:keys [host version id] :as cdata}]
  (try
    (let [uri  (:uri cfg)
-          text (str "Unhandled exception (@channel):\n"
-                    "- detail: " (:public-uri cfg/config) "/dbg/error-by-id/" id "\n"
+          text (str "Unhandled exception:\n"
+                    "- detail: " (cfg/get :public-uri) "/dbg/error-by-id/" id "\n"
+                    "- profile-id: `" (:profile-id cdata) "`\n"
                    "- host: `" host "`\n"
-                    "- version: `" version "`\n"
-                    (when error
-                      (str "```\n" (:trace error)  "\n```")))
+                    "- version: `" version "`\n")
          rsp    (http/send! {:uri uri
                              :method :post
                              :headers {"content-type" "application/json"}
                              :body (json/encode-str {:text text})})]
      (when (not= (:status rsp) 200)
-        (log/errorf "error on sending data to mattermost\n%s" (pr-str rsp))))
+        (l/error :hint "error on sending data to mattermost"
+                 :response (pr-str rsp))))

    (catch Exception e
-      (log/error e "unexpected exception on error reporter"))))
+      (l/error :hint "unexpected exception on error reporter"
+               :cause e))))

 (defn- persist-on-database!
  [{:keys [pool] :as cfg} {:keys [id] :as cdata}]
@@ -116,7 +114,8 @@
          (send-mattermost-notification! cfg cdata))
        (persist-on-database! cfg cdata))
      (catch Exception e
-        (log/error e "unexpected exception on error reporter")))))
+        (l/error :hint "unexpected exception on error reporter"
+                 :cause e)))))

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; Http Handler
--- a/backend/src/app/loggers/zmq.clj
+++ b/backend/src/app/loggers/zmq.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020-2021 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.loggers.zmq
  "A generic ZMQ listener."
@@ -13,10 +10,10 @@
   [app.common.data :as d]
   [app.common.spec :as us]
   [app.util.json :as json]
+   [app.util.logging :as l]
   [app.util.time :as dt]
   [clojure.core.async :as a]
   [clojure.spec.alpha :as s]
-   [clojure.tools.logging :as log]
   [cuerdas.core :as str]
   [integrant.core :as ig])
  (:import
@@ -34,7 +31,7 @@

 (defmethod ig/init-key ::receiver
  [_ {:keys [endpoint] :as cfg}]
-  (log/infof "intializing ZMQ receiver on '%s'" endpoint)
+  (l/info :msg "intializing ZMQ receiver" :bind endpoint)
  (let [buffer (a/chan 1)
        output (a/chan 1 (comp (filter map?)
                               (map prepare)))
--- a/backend/src/app/main.clj
+++ b/backend/src/app/main.clj
@@ -2,377 +2,341 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020-2021 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.main
  (:require
-   [app.common.data :as d]
-   [app.config :as cfg]
+   [app.config :as cf]
+   [app.util.logging :as l]
   [app.util.time :as dt]
-   [clojure.pprint :as pprint]
-   [clojure.tools.logging :as log]
   [integrant.core :as ig]))

-;; Set value for all new threads bindings.
-(alter-var-root #'*assert* (constantly (:asserts-enabled cfg/config)))
+(def system-config
+  {:app.db/pool
+   {:uri        (cf/get :database-uri)
+    :username   (cf/get :database-username)
+    :password   (cf/get :database-password)
+    :metrics    (ig/ref :app.metrics/metrics)
+    :migrations (ig/ref :app.migrations/all)
+    :name :main
+    :min-pool-size 0
+    :max-pool-size 20}

-(derive :app.telemetry/server :app.http/server)
+   :app.metrics/metrics
+   {:definitions
+    {:profile-register
+     {:name "actions_profile_register_count"
+      :help "A global counter of user registrations."
+      :type :counter}
+     :profile-activation
+     {:name "actions_profile_activation_count"
+      :help "A global counter of profile activations"
+      :type :counter}}}

-;; --- Entry point
+   :app.migrations/all
+   {:main (ig/ref :app.migrations/migrations)}

-(defn build-system-config
-  [config]
-  (d/deep-merge
-   {:app.db/pool
-    {:uri        (:database-uri config)
-     :username   (:database-username config)
-     :password   (:database-password config)
-     :metrics    (ig/ref :app.metrics/metrics)
-     :migrations (ig/ref :app.migrations/all)
-     :name "main"
-     :min-pool-size 0
-     :max-pool-size 20}
+   :app.migrations/migrations
+   {}

-    :app.metrics/metrics
-    {:definitions
-     {:profile-register
-      {:name "actions_profile_register_count"
-       :help "A global counter of user registrations."
-       :type :counter}
-      :profile-activation
-      {:name "actions_profile_activation_count"
-       :help "A global counter of profile activations"
-       :type :counter}}}
+   :app.msgbus/msgbus
+   {:backend   (cf/get :msgbus-backend :redis)
+    :redis-uri (cf/get :redis-uri)}

-    :app.migrations/all
-    {:main      (ig/ref :app.migrations/migrations)
-     :telemetry (ig/ref :app.telemetry/migrations)}
+   :app.tokens/tokens
+   {:props (ig/ref :app.setup/props)}

-    :app.migrations/migrations
-    {}
+   :app.storage/gc-deleted-task
+   {:pool     (ig/ref :app.db/pool)
+    :storage  (ig/ref :app.storage/storage)
+    :min-age  (dt/duration {:hours 2})}

-    :app.telemetry/migrations
-    {}
+   :app.storage/gc-touched-task
+   {:pool     (ig/ref :app.db/pool)}

-    :app.msgbus/msgbus
-    {:backend   (:msgbus-backend config :redis)
-     :redis-uri (:redis-uri config)}
+   :app.storage/recheck-task
+   {:pool     (ig/ref :app.db/pool)
+    :storage  (ig/ref :app.storage/storage)}

-    :app.tokens/tokens
-    {:sprops (ig/ref :app.setup/props)}
+   :app.http.session/session
+   {:pool   (ig/ref :app.db/pool)
+    :tokens (ig/ref :app.tokens/tokens)}

-    :app.storage/gc-deleted-task
-    {:pool     (ig/ref :app.db/pool)
-     :storage  (ig/ref :app.storage/storage)
-     :min-age  (dt/duration {:hours 2})}
+   :app.http.session/gc-task
+   {:pool        (ig/ref :app.db/pool)
+    :max-age     (cf/get :http-session-idle-max-age)}

-    :app.storage/gc-touched-task
-    {:pool     (ig/ref :app.db/pool)}
+   :app.http.session/updater
+   {:pool           (ig/ref :app.db/pool)
+    :metrics        (ig/ref :app.metrics/metrics)
+    :executor       (ig/ref :app.worker/executor)
+    :session        (ig/ref :app.http.session/session)
+    :max-batch-age  (cf/get :http-session-updater-batch-max-age)
+    :max-batch-size (cf/get :http-session-updater-batch-max-size)}

-    :app.storage/recheck-task
-    {:pool     (ig/ref :app.db/pool)
-     :storage  (ig/ref :app.storage/storage)}
+   :app.http.awsns/handler
+   {:tokens  (ig/ref :app.tokens/tokens)
+    :pool    (ig/ref :app.db/pool)}

-    :app.http.session/session
-    {:pool        (ig/ref :app.db/pool)
-     :cookie-name (:http-session-cookie-name config)}
+   :app.http/server
+   {:port    (cf/get :http-server-port)
+    :router  (ig/ref :app.http/router)
+    :metrics (ig/ref :app.metrics/metrics)
+    :ws      {"/ws/notifications" (ig/ref :app.notifications/handler)}}

-    :app.http.session/gc-task
-    {:pool        (ig/ref :app.db/pool)
-     :max-age     (:http-session-idle-max-age config)}
+   :app.http/router
+   {:rpc         (ig/ref :app.rpc/rpc)
+    :session     (ig/ref :app.http.session/session)
+    :tokens      (ig/ref :app.tokens/tokens)
+    :public-uri  (cf/get :public-uri)
+    :metrics     (ig/ref :app.metrics/metrics)
+    :oauth       (ig/ref :app.http.oauth/handlers)
+    :assets      (ig/ref :app.http.assets/handlers)
+    :storage     (ig/ref :app.storage/storage)
+    :sns-webhook (ig/ref :app.http.awsns/handler)
+    :feedback    (ig/ref :app.http.feedback/handler)
+    :error-report-handler (ig/ref :app.loggers.mattermost/handler)}

-    :app.http.session/updater
-    {:pool           (ig/ref :app.db/pool)
-     :metrics        (ig/ref :app.metrics/metrics)
-     :executor       (ig/ref :app.worker/executor)
-     :session        (ig/ref :app.http.session/session)
-     :max-batch-age  (:http-session-updater-batch-max-age config)
-     :max-batch-size (:http-session-updater-batch-max-size config)}
+   :app.http.assets/handlers
+   {:metrics           (ig/ref :app.metrics/metrics)
+    :assets-path       (cf/get :assets-path)
+    :storage           (ig/ref :app.storage/storage)
+    :cache-max-age     (dt/duration {:hours 24})
+    :signature-max-age (dt/duration {:hours 24 :minutes 5})}

-    :app.http.awsns/handler
-    {:tokens  (ig/ref :app.tokens/tokens)
-     :pool    (ig/ref :app.db/pool)}
+   :app.http.feedback/handler
+   {:pool (ig/ref :app.db/pool)}

-    :app.http/server
-    {:port    (:http-server-port config)
-     :handler (ig/ref :app.http/router)
-     :metrics (ig/ref :app.metrics/metrics)
-     :ws      {"/ws/notifications" (ig/ref :app.notifications/handler)}}
+   :app.http.oauth/handlers
+   {:rpc           (ig/ref :app.rpc/rpc)
+    :session       (ig/ref :app.http.session/session)
+    :tokens        (ig/ref :app.tokens/tokens)
+    :public-uri    (cf/get :public-uri)}

-    :app.http/router
-    {:rpc         (ig/ref :app.rpc/rpc)
-     :session     (ig/ref :app.http.session/session)
-     :tokens      (ig/ref :app.tokens/tokens)
-     :public-uri  (:public-uri config)
-     :metrics     (ig/ref :app.metrics/metrics)
-     :oauth       (ig/ref :app.http.oauth/all)
-     :assets      (ig/ref :app.http.assets/handlers)
-     :svgparse    (ig/ref :app.svgparse/handler)
-     :storage     (ig/ref :app.storage/storage)
-     :sns-webhook (ig/ref :app.http.awsns/handler)
-     :feedback    (ig/ref :app.http.feedback/handler)
-     :error-report-handler (ig/ref :app.loggers.mattermost/handler)}
+   ;; RLimit definition for password hashing
+   :app.rlimits/password
+   (cf/get :rlimits-password)

-    :app.http.assets/handlers
-    {:metrics           (ig/ref :app.metrics/metrics)
-     :assets-path       (:assets-path config)
-     :storage           (ig/ref :app.storage/storage)
-     :cache-max-age     (dt/duration {:hours 24})
-     :signature-max-age (dt/duration {:hours 24 :minutes 5})}
+   ;; RLimit definition for image processing
+   :app.rlimits/image
+   (cf/get :rlimits-image)

-    :app.http.feedback/handler
-    {:pool (ig/ref :app.db/pool)}
+   ;; RLimit definition for font processing
+   :app.rlimits/font
+   (cf/get :rlimits-font 2)

-    :app.http.oauth/all
-    {:google (ig/ref :app.http.oauth/google)
-     :gitlab (ig/ref :app.http.oauth/gitlab)
-     :github (ig/ref :app.http.oauth/github)}
+   ;; A collection of rlimits as hash-map.
+   :app.rlimits/all
+   {:password (ig/ref :app.rlimits/password)
+    :image    (ig/ref :app.rlimits/image)
+    :font     (ig/ref :app.rlimits/font)}

-    :app.http.oauth/google
-    {:rpc           (ig/ref :app.rpc/rpc)
-     :session       (ig/ref :app.http.session/session)
-     :tokens        (ig/ref :app.tokens/tokens)
-     :public-uri    (:public-uri config)
-     :client-id     (:google-client-id config)
-     :client-secret (:google-client-secret config)}
+   :app.rpc/rpc
+   {:pool       (ig/ref :app.db/pool)
+    :session    (ig/ref :app.http.session/session)
+    :tokens     (ig/ref :app.tokens/tokens)
+    :metrics    (ig/ref :app.metrics/metrics)
+    :storage    (ig/ref :app.storage/storage)
+    :msgbus     (ig/ref :app.msgbus/msgbus)
+    :rlimits    (ig/ref :app.rlimits/all)
+    :public-uri (cf/get :public-uri)
+    :audit      (ig/ref :app.loggers.audit/collector)}

-    :app.http.oauth/github
-    {:rpc           (ig/ref :app.rpc/rpc)
-     :session       (ig/ref :app.http.session/session)
-     :tokens        (ig/ref :app.tokens/tokens)
-     :public-uri    (:public-uri config)
-     :client-id     (:github-client-id config)
-     :client-secret (:github-client-secret config)}
+   :app.notifications/handler
+   {:msgbus   (ig/ref :app.msgbus/msgbus)
+    :pool     (ig/ref :app.db/pool)
+    :session  (ig/ref :app.http.session/session)
+    :metrics  (ig/ref :app.metrics/metrics)
+    :executor (ig/ref :app.worker/executor)}

-    :app.http.oauth/gitlab
-    {:rpc           (ig/ref :app.rpc/rpc)
-     :session       (ig/ref :app.http.session/session)
-     :tokens        (ig/ref :app.tokens/tokens)
-     :public-uri    (:public-uri config)
-     :base-uri      (:gitlab-base-uri config)
-     :client-id     (:gitlab-client-id config)
-     :client-secret (:gitlab-client-secret config)}
+   :app.worker/executor
+   {:min-threads 0
+    :max-threads 256
+    :idle-timeout 60000
+    :name :worker}

-    ;; HTTP Handler for SVG parsing
-    :app.svgparse/handler
-    {:metrics (ig/ref :app.metrics/metrics)}
+   :app.worker/worker
+   {:executor (ig/ref :app.worker/executor)
+    :tasks    (ig/ref :app.worker/registry)
+    :metrics  (ig/ref :app.metrics/metrics)
+    :pool     (ig/ref :app.db/pool)}

-    ;; RLimit definition for password hashing
-    :app.rlimits/password
-    (:rlimits-password config)
+   :app.worker/scheduler
+   {:executor   (ig/ref :app.worker/executor)
+    :tasks      (ig/ref :app.worker/registry)
+    :pool       (ig/ref :app.db/pool)
+    :schedule
+    [{:cron #app/cron "0 0 0 */1 * ? *" ;; daily
+      :task :file-media-gc}

-    ;; RLimit definition for image processing
-    :app.rlimits/image
-    (:rlimits-image config)
+     {:cron #app/cron "0 0 */1 * * ?"  ;; hourly
+      :task :file-xlog-gc}

-    ;; A collection of rlimits as hash-map.
-    :app.rlimits/all
-    {:password (ig/ref :app.rlimits/password)
-     :image    (ig/ref :app.rlimits/image)}
+     {:cron #app/cron "0 0 1 */1 * ?"  ;; daily (1 hour shift)
+      :task :storage-deleted-gc}

-    :app.rpc/rpc
-    {:pool    (ig/ref :app.db/pool)
-     :session (ig/ref :app.http.session/session)
-     :tokens  (ig/ref :app.tokens/tokens)
-     :metrics (ig/ref :app.metrics/metrics)
-     :storage (ig/ref :app.storage/storage)
-     :msgbus  (ig/ref :app.msgbus/msgbus)
-     :rlimits (ig/ref :app.rlimits/all)}
+     {:cron #app/cron "0 0 2 */1 * ?"  ;; daily (2 hour shift)
+      :task :storage-touched-gc}

-    :app.notifications/handler
-    {:msgbus   (ig/ref :app.msgbus/msgbus)
-     :pool     (ig/ref :app.db/pool)
-     :session  (ig/ref :app.http.session/session)
-     :metrics  (ig/ref :app.metrics/metrics)
-     :executor (ig/ref :app.worker/executor)}
+     {:cron #app/cron "0 0 3 */1 * ?"  ;; daily (3 hour shift)
+      :task :session-gc}

-    :app.worker/executor
-    {:name "worker"}
+     {:cron #app/cron "0 0 */1 * * ?"  ;; hourly
+      :task :storage-recheck}

-    :app.worker/worker
-    {:executor   (ig/ref :app.worker/executor)
-     :pool       (ig/ref :app.db/pool)
-     :tasks      (ig/ref :app.tasks/registry)}
+     {:cron #app/cron "0 0 0 */1 * ?"  ;; daily
+      :task :tasks-gc}

-    :app.worker/scheduler
-    {:executor   (ig/ref :app.worker/executor)
-     :pool       (ig/ref :app.db/pool)
-     :tasks      (ig/ref :app.tasks/registry)
-     :schedule
-     [{:id "file-media-gc"
-       :cron #app/cron "0 0 0 */1 * ? *" ;; daily
-       :task :file-media-gc}
+     (when (cf/get :audit-archive-enabled)
+       {:cron #app/cron "0 0 * * * ?" ;; every 1h
+        :task :audit-archive})

-      {:id "file-xlog-gc"
-       :cron #app/cron "0 0 */1 * * ?"  ;; hourly
-       :task :file-xlog-gc}
+     (when (cf/get :audit-archive-gc-enabled)
+       {:cron #app/cron "0 0 * * * ?" ;; every 1h
+        :task :audit-archive-gc})

-      {:id "storage-deleted-gc"
-       :cron #app/cron "0 0 1 */1 * ?"  ;; daily (1 hour shift)
-       :task :storage-deleted-gc}
+     (when (cf/get :telemetry-enabled)
+       {:cron #app/cron "0 0 */6 * * ?" ;; every 6h
+        :task :telemetry})]}

-      {:id "storage-touched-gc"
-       :cron #app/cron "0 0 2 */1 * ?"  ;; daily (2 hour shift)
-       :task :storage-touched-gc}
+   :app.worker/registry
+   {:metrics (ig/ref :app.metrics/metrics)
+    :tasks
+    {:sendmail           (ig/ref :app.emails/sendmail-handler)
+     :delete-object      (ig/ref :app.tasks.delete-object/handler)
+     :delete-profile     (ig/ref :app.tasks.delete-profile/handler)
+     :file-media-gc      (ig/ref :app.tasks.file-media-gc/handler)
+     :file-xlog-gc       (ig/ref :app.tasks.file-xlog-gc/handler)
+     :storage-deleted-gc (ig/ref :app.storage/gc-deleted-task)
+     :storage-touched-gc (ig/ref :app.storage/gc-touched-task)
+     :storage-recheck    (ig/ref :app.storage/recheck-task)
+     :tasks-gc           (ig/ref :app.tasks.tasks-gc/handler)
+     :telemetry          (ig/ref :app.tasks.telemetry/handler)
+     :session-gc         (ig/ref :app.http.session/gc-task)
+     :audit-archive      (ig/ref :app.loggers.audit/archive-task)
+     :audit-archive-gc   (ig/ref :app.loggers.audit/archive-gc-task)}}

-      {:id "session-gc"
-       :cron #app/cron "0 0 3 */1 * ?"  ;; daily (3 hour shift)
-       :task :session-gc}
+   :app.emails/sendmail-handler
+   {:host             (cf/get :smtp-host)
+    :port             (cf/get :smtp-port)
+    :ssl              (cf/get :smtp-ssl)
+    :tls              (cf/get :smtp-tls)
+    :enabled          (cf/get :smtp-enabled)
+    :username         (cf/get :smtp-username)
+    :password         (cf/get :smtp-password)
+    :metrics          (ig/ref :app.metrics/metrics)
+    :default-reply-to (cf/get :smtp-default-reply-to)
+    :default-from     (cf/get :smtp-default-from)}

-      {:id "storage-recheck"
-       :cron #app/cron "0 0 */1 * * ?"  ;; hourly
-       :task :storage-recheck}
+   :app.tasks.tasks-gc/handler
+   {:pool    (ig/ref :app.db/pool)
+    :max-age cf/deletion-delay
+    :metrics (ig/ref :app.metrics/metrics)}

-      {:id "tasks-gc"
-       :cron #app/cron "0 0 0 */1 * ?"  ;; daily
-       :task :tasks-gc}
+   :app.tasks.delete-object/handler
+   {:pool    (ig/ref :app.db/pool)
+    :metrics (ig/ref :app.metrics/metrics)}

-      (when (:telemetry-enabled config)
-        {:id   "telemetry"
-         :cron #app/cron "0 0 */6 * * ?" ;; every 6h
-         :uri  (:telemetry-uri config)
-         :task :telemetry})]}
+   :app.tasks.delete-storage-object/handler
+   {:pool    (ig/ref :app.db/pool)
+    :storage (ig/ref :app.storage/storage)
+    :metrics (ig/ref :app.metrics/metrics)}

-    :app.tasks/registry
-    {:metrics (ig/ref :app.metrics/metrics)
-     :tasks
-     {:sendmail           (ig/ref :app.tasks.sendmail/handler)
-      :delete-object      (ig/ref :app.tasks.delete-object/handler)
-      :delete-profile     (ig/ref :app.tasks.delete-profile/handler)
-      :file-media-gc      (ig/ref :app.tasks.file-media-gc/handler)
-      :file-xlog-gc       (ig/ref :app.tasks.file-xlog-gc/handler)
-      :storage-deleted-gc (ig/ref :app.storage/gc-deleted-task)
-      :storage-touched-gc (ig/ref :app.storage/gc-touched-task)
-      :storage-recheck    (ig/ref :app.storage/recheck-task)
-      :tasks-gc           (ig/ref :app.tasks.tasks-gc/handler)
-      :telemetry          (ig/ref :app.tasks.telemetry/handler)
-      :session-gc         (ig/ref :app.http.session/gc-task)}}
+   :app.tasks.delete-profile/handler
+   {:pool    (ig/ref :app.db/pool)
+    :metrics (ig/ref :app.metrics/metrics)}

-    :app.tasks.sendmail/handler
-    {:host             (:smtp-host config)
-     :port             (:smtp-port config)
-     :ssl              (:smtp-ssl config)
-     :tls              (:smtp-tls config)
-     :enabled          (:smtp-enabled config)
-     :username         (:smtp-username config)
-     :password         (:smtp-password config)
-     :metrics          (ig/ref :app.metrics/metrics)
-     :default-reply-to (:smtp-default-reply-to config)
-     :default-from     (:smtp-default-from config)}
+   :app.tasks.file-media-gc/handler
+   {:pool    (ig/ref :app.db/pool)
+    :metrics (ig/ref :app.metrics/metrics)
+    :max-age cf/deletion-delay}

-    :app.tasks.tasks-gc/handler
-    {:pool    (ig/ref :app.db/pool)
-     :max-age (dt/duration {:hours 24})
-     :metrics (ig/ref :app.metrics/metrics)}
+   :app.tasks.file-xlog-gc/handler
+   {:pool    (ig/ref :app.db/pool)
+    :metrics (ig/ref :app.metrics/metrics)
+    :max-age cf/deletion-delay}

-    :app.tasks.delete-object/handler
-    {:pool    (ig/ref :app.db/pool)
-     :metrics (ig/ref :app.metrics/metrics)}
+   :app.tasks.telemetry/handler
+   {:pool        (ig/ref :app.db/pool)
+    :version     (:full cf/version)
+    :uri         (cf/get :telemetry-uri)
+    :sprops      (ig/ref :app.setup/props)}

-    :app.tasks.delete-storage-object/handler
-    {:pool    (ig/ref :app.db/pool)
-     :storage (ig/ref :app.storage/storage)
-     :metrics (ig/ref :app.metrics/metrics)}
+   :app.srepl/server
+   {:port (cf/get :srepl-port)
+    :host (cf/get :srepl-host)}

-    :app.tasks.delete-profile/handler
-    {:pool    (ig/ref :app.db/pool)
-     :metrics (ig/ref :app.metrics/metrics)}
+   :app.setup/props
+   {:pool (ig/ref :app.db/pool)
+    :key  (cf/get :secret-key)}

-    :app.tasks.file-media-gc/handler
-    {:pool    (ig/ref :app.db/pool)
-     :metrics (ig/ref :app.metrics/metrics)
-     :max-age (dt/duration {:hours 48})}
+   :app.loggers.zmq/receiver
+   {:endpoint (cf/get :loggers-zmq-uri)}

-    :app.tasks.file-xlog-gc/handler
-    {:pool    (ig/ref :app.db/pool)
-     :metrics (ig/ref :app.metrics/metrics)
-     :max-age (dt/duration {:hours 48})}
+   :app.loggers.audit/collector
+   {:enabled  (cf/get :audit-enabled false)
+    :pool     (ig/ref :app.db/pool)
+    :executor (ig/ref :app.worker/executor)}

-    :app.tasks.telemetry/handler
-    {:pool        (ig/ref :app.db/pool)
-     :version     (:full cfg/version)
-     :uri         (:telemetry-uri config)
-     :sprops      (ig/ref :app.setup/props)}
+   :app.loggers.audit/archive-task
+   {:uri      (cf/get :audit-archive-uri)
+    :enabled  (cf/get :audit-archive-enabled false)
+    :tokens   (ig/ref :app.tokens/tokens)
+    :pool     (ig/ref :app.db/pool)}

-    :app.srepl/server
-    {:port (:srepl-port config)
-     :host (:srepl-host config)}
+   :app.loggers.audit/archive-gc-task
+   {:enabled  (cf/get :audit-archive-gc-enabled false)
+    :max-age  (cf/get :audit-archive-gc-max-age cf/deletion-delay)
+    :pool     (ig/ref :app.db/pool)}

-    :app.setup/props
-    {:pool (ig/ref :app.db/pool)}
+   :app.loggers.loki/reporter
+   {:uri      (cf/get :loggers-loki-uri)
+    :receiver (ig/ref :app.loggers.zmq/receiver)
+    :executor (ig/ref :app.worker/executor)}

-    :app.loggers.zmq/receiver
-    {:endpoint (:loggers-zmq-uri config)}
+   :app.loggers.mattermost/reporter
+   {:uri      (cf/get :error-report-webhook)
+    :receiver (ig/ref :app.loggers.zmq/receiver)
+    :pool     (ig/ref :app.db/pool)
+    :executor (ig/ref :app.worker/executor)}

-    :app.loggers.loki/reporter
-    {:uri      (:loggers-loki-uri config)
-     :receiver (ig/ref :app.loggers.zmq/receiver)
-     :executor (ig/ref :app.worker/executor)}
+   :app.loggers.mattermost/handler
+   {:pool (ig/ref :app.db/pool)}

-    :app.loggers.mattermost/reporter
-    {:uri      (:error-report-webhook config)
-     :receiver (ig/ref :app.loggers.zmq/receiver)
-     :pool     (ig/ref :app.db/pool)
-     :executor (ig/ref :app.worker/executor)}
+   :app.storage/storage
+   {:pool     (ig/ref :app.db/pool)
+    :executor (ig/ref :app.worker/executor)
+    :backend  (cf/get :storage-backend :fs)
+    :backends {:s3  (ig/ref [::main :app.storage.s3/backend])
+               :db  (ig/ref [::main :app.storage.db/backend])
+               :fs  (ig/ref [::main :app.storage.fs/backend])
+               :tmp (ig/ref [::tmp  :app.storage.fs/backend])}}

-    :app.loggers.mattermost/handler
-    {:pool (ig/ref :app.db/pool)}
+   [::main :app.storage.s3/backend]
+   {:region (cf/get :storage-s3-region)
+    :bucket (cf/get :storage-s3-bucket)}

-    :app.storage/storage
-    {:pool     (ig/ref :app.db/pool)
-     :executor (ig/ref :app.worker/executor)
-     :backend  (:storage-backend config :fs)
-     :backends {:s3  (ig/ref [::main :app.storage.s3/backend])
-                :db  (ig/ref [::main :app.storage.db/backend])
-                :fs  (ig/ref [::main :app.storage.fs/backend])
-                :tmp (ig/ref [::tmp  :app.storage.fs/backend])}}
+   [::main :app.storage.fs/backend]
+   {:directory (cf/get :storage-fs-directory)}

-    [::main :app.storage.s3/backend]
-    {:region (:storage-s3-region config)
-     :bucket (:storage-s3-bucket config)}
+   [::tmp :app.storage.fs/backend]
+   {:directory "/tmp/penpot"}

-    [::main :app.storage.fs/backend]
-    {:directory (:storage-fs-directory config)}
-
-    [::tmp :app.storage.fs/backend]
-    {:directory "/tmp/penpot"}
-
-    [::main :app.storage.db/backend]
-    {:pool (ig/ref :app.db/pool)}}
-
-   (when (:telemetry-server-enabled config)
-     {:app.telemetry/handler
-      {:pool     (ig/ref :app.db/pool)
-       :executor (ig/ref :app.worker/executor)}
-
-      :app.telemetry/server
-      {:port    (:telemetry-server-port config 6063)
-       :handler (ig/ref :app.telemetry/handler)
-       :name    "telemetry"}})))
-
-(defmethod ig/init-key :default [_ data] data)
-(defmethod ig/prep-key :default
-  [_ data]
-  (if (map? data)
-    (d/without-nils data)
-    data))
+   [::main :app.storage.db/backend]
+   {:pool (ig/ref :app.db/pool)}})

 (def system nil)

 (defn start
  []
-  (let [system-config (build-system-config cfg/config)]
-    (ig/load-namespaces system-config)
-    (alter-var-root #'system (fn [sys]
-                               (when sys (ig/halt! sys))
-                               (-> system-config
-                                   (ig/prep)
-                                   (ig/init))))
-    (log/infof "welcome to penpot (version: '%s')"
-               (:full cfg/version))))
+  (ig/load-namespaces system-config)
+  (alter-var-root #'system (fn [sys]
+                             (when sys (ig/halt! sys))
+                             (-> system-config
+                                 (ig/prep)
+                                 (ig/init))))
+  (l/info :msg "welcome to penpot"
+          :version (:full cf/version)))

 (defn stop
  []
@@ -380,14 +344,6 @@
                             (when sys (ig/halt! sys))
                             nil)))

-(prefer-method print-method
-               clojure.lang.IRecord
-               clojure.lang.IDeref)
-
-(prefer-method pprint/simple-dispatch
-               clojure.lang.IPersistentMap
-               clojure.lang.IDeref)
-
 (defn -main
  [& _args]
  (start))
--- a/backend/src/app/media.clj
+++ b/backend/src/app/media.clj
@@ -2,34 +2,42 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.media
-  "Media postprocessing."
+  "Media & Font postprocessing."
  (:require
   [app.common.data :as d]
   [app.common.exceptions :as ex]
   [app.common.media :as cm]
   [app.common.spec :as us]
   [app.rlimits :as rlm]
-   [app.svgparse :as svg]
+   [app.rpc.queries.svg :as svg]
+   [buddy.core.bytes :as bb]
+   [buddy.core.codecs :as bc]
+   [clojure.java.io :as io]
+   [clojure.java.shell :as sh]
   [clojure.spec.alpha :as s]
   [cuerdas.core :as str]
   [datoteka.core :as fs])
  (:import
   java.io.ByteArrayInputStream
+   java.io.OutputStream
+   org.apache.commons.io.IOUtils
   org.im4java.core.ConvertCmd
   org.im4java.core.IMOperation
   org.im4java.core.Info))

-;; --- Generic specs
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; --- Utility functions
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+(s/def ::image-content-type cm/valid-image-types)
+(s/def ::font-content-type cm/valid-font-types)

 (s/def :internal.http.upload/filename ::us/string)
 (s/def :internal.http.upload/size ::us/integer)
-(s/def :internal.http.upload/content-type cm/valid-media-types)
+(s/def :internal.http.upload/content-type ::us/string)
 (s/def :internal.http.upload/tempfile any?)

 (s/def ::upload
@@ -38,8 +46,44 @@
                   :internal.http.upload/tempfile
                   :internal.http.upload/content-type]))

+(defn validate-media-type
+  ([mtype] (validate-media-type mtype cm/valid-image-types))
+  ([mtype allowed]
+   (when-not (contains? allowed mtype)
+     (ex/raise :type :validation
+               :code :media-type-not-allowed
+               :hint "Seems like you are uploading an invalid media object"))))

+
+(defmulti process :cmd)
+(defmulti process-error class)
+
+(defmethod process :default
+  [{:keys [cmd] :as params}]
+  (ex/raise :type :internal
+            :code :not-implemented
+            :hint (str/fmt "No impl found for process cmd: %s" cmd)))
+
+(defmethod process-error :default
+  [error]
+  (throw error))
+
+(defn run
+  [{:keys [rlimits] :as cfg} {:keys [rlimit] :or {rlimit :image} :as params}]
+  (us/assert map? rlimits)
+  (let [rlimit (get rlimits rlimit)]
+    (when-not rlimit
+      (ex/raise :type :internal
+                :code :rlimit-not-configured
+                :hint ":image rlimit not configured"))
+    (try
+      (rlm/execute rlimit (process params))
+      (catch Throwable e
+        (process-error e)))))
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; --- Thumbnails Generation
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

 (s/def ::cmd keyword?)

@@ -80,8 +124,6 @@
             :size   (alength ^bytes thumbnail-data)
             :data   (ByteArrayInputStream. thumbnail-data)))))

-(defmulti process :cmd)
-
 (defmethod process :generic-thumbnail
  [{:keys [quality width height] :as params}]
  (us/assert ::thumbnail-params params)
@@ -141,11 +183,10 @@
  (us/assert ::input input)
  (let [{:keys [path mtype]} input]
    (if (= mtype "image/svg+xml")
-      (let [data (svg/parse (slurp path))
-            info (get-basic-info-from-svg data)]
+      (let [info (some-> path slurp svg/parse get-basic-info-from-svg)]
        (when-not info
          (ex/raise :type :validation
-                    :code :unable-to-retrieve-dimensions
+                    :code :invalid-svg-file
                    :hint "uploaded svg does not provides dimensions"))
        (assoc info :mtype mtype))

@@ -164,33 +205,128 @@
         :height (.getPageHeight instance)
         :mtype  mtype}))))

-(defmethod process :default
-  [{:keys [cmd] :as params}]
-  (ex/raise :type :internal
-            :code :not-implemented
-            :hint (str "No impl found for process cmd:" cmd)))
+(defmethod process-error org.im4java.core.InfoException
+  [error]
+  (ex/raise :type :validation
+            :code :invalid-image
+            :hint "invalid image"
+            :cause error))

-(defn run
-  [{:keys [rlimits]} params]
-  (us/assert map? rlimits)
-  (let [rlimit (get rlimits :image)]
-    (when-not rlimit
-      (ex/raise :type :internal
-                :code :rlimit-not-configured
-                :hint ":image rlimit not configured"))
-    (try
-      (rlm/execute rlimit (process params))
-      (catch org.im4java.core.InfoException e
-        (ex/raise :type :validation
-                  :code :invalid-image
-                  :cause e)))))
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; --- Fonts Generation
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

-;; --- Utility functions
+(def all-fotmats #{"font/woff2", "font/woff", "font/otf", "font/ttf"})

-(defn validate-media-type
-  ([mtype] (validate-media-type mtype cm/valid-media-types))
-  ([mtype allowed]
-   (when-not (contains? allowed mtype)
-     (ex/raise :type :validation
-               :code :media-type-not-allowed
-               :hint "Seems like you are uploading an invalid media object"))))
+(defmethod process :generate-fonts
+  [{:keys [input] :as params}]
+  (letfn [(ttf->otf [data]
+            (let [input-file  (fs/create-tempfile :prefix "penpot")
+                  output-file (fs/path (str input-file ".otf"))
+                  _           (with-open [out (io/output-stream input-file)]
+                                (IOUtils/writeChunked ^bytes data ^OutputStream out)
+                                (.flush ^OutputStream out))
+                  res         (sh/sh "fontforge" "-lang=ff" "-c"
+                                     (str/fmt "Open('%s'); Generate('%s')"
+                                              (str input-file)
+                                              (str output-file)))]
+              (when (zero? (:exit res))
+                (fs/slurp-bytes output-file))))
+
+
+          (otf->ttf [data]
+            (let [input-file  (fs/create-tempfile :prefix "penpot")
+                  output-file (fs/path (str input-file ".ttf"))
+                  _           (with-open [out (io/output-stream input-file)]
+                                (IOUtils/writeChunked ^bytes data ^OutputStream out)
+                                (.flush ^OutputStream out))
+                  res         (sh/sh "fontforge" "-lang=ff" "-c"
+                                     (str/fmt "Open('%s'); Generate('%s')"
+                                              (str input-file)
+                                              (str output-file)))]
+              (when (zero? (:exit res))
+                (fs/slurp-bytes output-file))))
+
+          (ttf-or-otf->woff [data]
+            (let [input-file  (fs/create-tempfile :prefix "penpot" :suffix "")
+                  output-file (fs/path (str input-file ".woff"))
+                  _           (with-open [out (io/output-stream input-file)]
+                                (IOUtils/writeChunked ^bytes data ^OutputStream out)
+                                (.flush ^OutputStream out))
+                  res         (sh/sh "sfnt2woff" (str input-file))]
+              (when (zero? (:exit res))
+                (fs/slurp-bytes output-file))))
+
+          (ttf-or-otf->woff2 [data]
+            (let [input-file  (fs/create-tempfile :prefix "penpot" :suffix "")
+                  output-file (fs/path (str input-file ".woff2"))
+                  _           (with-open [out (io/output-stream input-file)]
+                                (IOUtils/writeChunked ^bytes data ^OutputStream out)
+                                (.flush ^OutputStream out))
+                  res         (sh/sh "woff2_compress" (str input-file))]
+              (when (zero? (:exit res))
+                (fs/slurp-bytes output-file))))
+
+          (woff->sfnt [data]
+            (let [input-file  (fs/create-tempfile :prefix "penpot" :suffix "")
+                  _           (with-open [out (io/output-stream input-file)]
+                                (IOUtils/writeChunked ^bytes data ^OutputStream out)
+                                (.flush ^OutputStream out))
+                  res         (sh/sh "woff2sfnt" (str input-file)
+                                     :out-enc :bytes)]
+              (when (zero? (:exit res))
+                (:out res))))
+
+          ;; Documented here:
+          ;; https://docs.microsoft.com/en-us/typography/opentype/spec/otff#table-directory
+          (get-sfnt-type [data]
+            (let [buff (bb/slice data 0 4)
+                  type (bc/bytes->hex buff)]
+              (case type
+                "4f54544f" :otf
+                "00010000" :ttf
+                (ex/raise :type :internal
+                          :code :unexpected-data
+                          :hint "unexpected font data"))))
+
+          (gen-if-nil [val factory]
+            (if (nil? val)
+              (factory)
+              val))]
+
+    (let [current (into #{} (keys input))]
+      (cond
+        (contains? current "font/ttf")
+        (let [data (get input "font/ttf")]
+          (-> input
+              (update "font/otf" gen-if-nil #(ttf->otf data))
+              (update "font/woff" gen-if-nil #(ttf-or-otf->woff data))
+              (assoc "font/woff2" (ttf-or-otf->woff2 data))))
+
+        (contains? current "font/otf")
+        (let [data (get input "font/otf")]
+          (-> input
+              (update "font/woff" gen-if-nil #(ttf-or-otf->woff data))
+              (assoc "font/ttf" (otf->ttf data))
+              (assoc "font/woff2" (ttf-or-otf->woff2 data))))
+
+        (contains? current "font/woff")
+        (let [data (get input "font/woff")
+              sfnt (woff->sfnt data)]
+          (when-not sfnt
+            (ex/raise :type :validation
+                      :code :invalid-woff-file
+                      :hint "invalid woff file"))
+          (let [stype (get-sfnt-type sfnt)]
+            (cond-> input
+              true
+              (-> (assoc "font/woff" data)
+                  (assoc "font/woff2" (ttf-or-otf->woff2 sfnt)))
+
+              (= stype :otf)
+              (-> (assoc "font/otf" sfnt)
+                  (assoc "font/ttf" (otf->ttf sfnt)))
+
+              (= stype :ttf)
+              (-> (assoc "font/otf" (ttf->otf sfnt))
+                  (assoc "font/ttf" sfnt)))))))))
--- a/backend/src/app/metrics.clj
+++ b/backend/src/app/metrics.clj
@@ -2,16 +2,13 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020-2021 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.metrics
  (:require
   [app.common.exceptions :as ex]
+   [app.util.logging :as l]
   [clojure.spec.alpha :as s]
-   [clojure.tools.logging :as log]
   [integrant.core :as ig])
  (:import
   io.prometheus.client.CollectorRegistry
@@ -50,7 +47,7 @@

 (defmethod ig/init-key ::metrics
  [_ {:keys [definitions] :as cfg}]
-  (log/infof "Initializing prometheus registry and instrumentation.")
+  (l/info :action "initialize metrics")
  (let [registry    (create-registry)
        definitions (reduce-kv (fn [res k v]
                                 (->> (assoc v :registry registry)
--- a/backend/src/app/migrations.clj
+++ b/backend/src/app/migrations.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.migrations
  (:require
@@ -166,6 +163,18 @@

   {:name "0051-mod-file-library-rel-table"
    :fn (mg/resource "app/migrations/sql/0051-mod-file-library-rel-table.sql")}
+
+   {:name "0052-del-legacy-user-and-team"
+    :fn (mg/resource "app/migrations/sql/0052-del-legacy-user-and-team.sql")}
+
+   {:name "0053-add-team-font-variant-table"
+    :fn (mg/resource "app/migrations/sql/0053-add-team-font-variant-table.sql")}
+
+   {:name "0054-add-audit-log-table"
+    :fn (mg/resource "app/migrations/sql/0054-add-audit-log-table.sql")}
+
+   {:name "0055-mod-file-media-object-table"
+    :fn (mg/resource "app/migrations/sql/0055-mod-file-media-object-table.sql")}
   ])


--- a/backend/src/app/migrations/migration_0023.clj
+++ b/backend/src/app/migrations/migration_0023.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.migrations.migration-0023
  (:require
--- a/backend/src/app/migrations/sql/0015-improve-tasks-tables.sql
+++ b/backend/src/app/migrations/sql/0015-improve-tasks-tables.sql
@@ -1,4 +1,4 @@
-DROP TABLE task;
+DROP TABLE IF EXISTS task;

 CREATE TABLE task (
  id uuid DEFAULT uuid_generate_v4(),
@@ -27,3 +27,11 @@ CREATE TABLE task_default partition OF task default;
 CREATE INDEX task__scheduled_at__queue__idx
    ON task (scheduled_at, queue)
 WHERE status = 'new' or status = 'retry';
+
+ALTER TABLE task
+  ALTER COLUMN queue SET STORAGE external,
+  ALTER COLUMN name SET STORAGE external,
+  ALTER COLUMN props SET STORAGE external,
+  ALTER COLUMN status SET STORAGE external,
+  ALTER COLUMN error SET STORAGE external;
+
--- a/backend/src/app/migrations/sql/0019-add-improved-scheduled-tasks.sql
+++ b/backend/src/app/migrations/sql/0019-add-improved-scheduled-tasks.sql
@@ -1,4 +1,4 @@
-DROP TABLE scheduled_task;
+DROP TABLE IF EXISTS scheduled_task;

 CREATE TABLE scheduled_task (
  id text PRIMARY KEY,
@@ -22,3 +22,7 @@ CREATE TABLE scheduled_task_history (

 CREATE INDEX scheduled_task_history__task_id__idx
    ON scheduled_task_history(task_id);
+
+ALTER TABLE scheduled_task
+  ALTER COLUMN id SET STORAGE external,
+  ALTER COLUMN cron_expr SET STORAGE external;
--- a/backend/src/app/migrations/sql/0041-mod-pg-storage-options.sql
+++ b/backend/src/app/migrations/sql/0041-mod-pg-storage-options.sql
@@ -27,17 +27,6 @@ ALTER TABLE comment_thread
  ALTER COLUMN participants SET STORAGE external,
  ALTER COLUMN page_name SET STORAGE external;

-ALTER TABLE task
-  ALTER COLUMN queue SET STORAGE external,
-  ALTER COLUMN name SET STORAGE external,
-  ALTER COLUMN props SET STORAGE external,
-  ALTER COLUMN status SET STORAGE external,
-  ALTER COLUMN error SET STORAGE external;
-
-ALTER TABLE scheduled_task
-  ALTER COLUMN id SET STORAGE external,
-  ALTER COLUMN cron_expr SET STORAGE external;
-
 ALTER TABLE http_session
  ALTER COLUMN id SET STORAGE external,
  ALTER COLUMN user_agent SET STORAGE external;
--- a/backend/src/app/migrations/sql/0052-del-legacy-user-and-team.sql
+++ b/backend/src/app/migrations/sql/0052-del-legacy-user-and-team.sql
@@ -0,0 +1,2 @@
+DELETE FROM team WHERE id = '00000000-0000-0000-0000-000000000000';
+DELETE FROM profile WHERE id = '00000000-0000-0000-0000-000000000000';
--- a/backend/src/app/migrations/sql/0053-add-team-font-variant-table.sql
+++ b/backend/src/app/migrations/sql/0053-add-team-font-variant-table.sql
@@ -0,0 +1,43 @@
+CREATE TABLE team_font_variant (
+  id uuid PRIMARY KEY DEFAULT uuid_generate_v4(),
+
+  team_id    uuid NOT NULL REFERENCES team(id) ON DELETE CASCADE DEFERRABLE,
+  profile_id uuid NULL REFERENCES profile(id) ON DELETE SET NULL DEFERRABLE,
+
+  created_at timestamptz NOT NULL DEFAULT now(),
+  modified_at timestamptz NOT NULL DEFAULT now(),
+  deleted_at timestamptz NULL DEFAULT NULL,
+
+  font_id uuid NOT NULL,
+  font_family text NOT NULL,
+  font_weight smallint NOT NULL,
+  font_style text NOT NULL,
+
+  otf_file_id   uuid NULL REFERENCES storage_object(id) ON DELETE SET NULL DEFERRABLE,
+  ttf_file_id   uuid NULL REFERENCES storage_object(id) ON DELETE SET NULL DEFERRABLE,
+  woff1_file_id uuid NULL REFERENCES storage_object(id) ON DELETE SET NULL DEFERRABLE,
+  woff2_file_id uuid NULL REFERENCES storage_object(id) ON DELETE SET NULL DEFERRABLE
+);
+
+CREATE INDEX team_font_variant_team_id_font_id_idx
+    ON team_font_variant (team_id, font_id);
+
+CREATE INDEX team_font_variant_profile_id_idx
+    ON team_font_variant (profile_id);
+
+CREATE INDEX team_font_variant_otf_file_id_idx
+    ON team_font_variant (otf_file_id);
+
+CREATE INDEX team_font_variant_ttf_file_id_idx
+    ON team_font_variant (ttf_file_id);
+
+CREATE INDEX team_font_variant_woff1_file_id_idx
+    ON team_font_variant (woff1_file_id);
+
+CREATE INDEX team_font_variant_woff2_file_id_idx
+    ON team_font_variant (woff2_file_id);
+
+ALTER TABLE team_font_variant
+  ALTER COLUMN font_family SET STORAGE external,
+  ALTER COLUMN font_style SET STORAGE external;
+
--- a/backend/src/app/migrations/sql/0054-add-audit-log-table.sql
+++ b/backend/src/app/migrations/sql/0054-add-audit-log-table.sql
@@ -0,0 +1,25 @@
+CREATE TABLE audit_log (
+   id uuid NOT NULL DEFAULT uuid_generate_v4(),
+
+   name text NOT NULL,
+   type text NOT NULL,
+
+   created_at timestamptz DEFAULT clock_timestamp() NOT NULL,
+   archived_at timestamptz NULL,
+
+   profile_id uuid NOT NULL,
+   props jsonb,
+
+   PRIMARY KEY (created_at, profile_id)
+) PARTITION BY RANGE (created_at);
+
+ALTER TABLE audit_log
+  ALTER COLUMN name SET STORAGE external,
+  ALTER COLUMN type SET STORAGE external,
+  ALTER COLUMN props SET STORAGE external;
+
+CREATE INDEX audit_log_id_archived_at_idx ON audit_log (id, archived_at);
+
+CREATE TABLE audit_log_default (LIKE audit_log INCLUDING ALL);
+
+ALTER TABLE audit_log ATTACH PARTITION audit_log_default DEFAULT;
--- a/backend/src/app/migrations/sql/0055-mod-file-media-object-table.sql
+++ b/backend/src/app/migrations/sql/0055-mod-file-media-object-table.sql
@@ -0,0 +1,4 @@
+ALTER TABLE file_media_object
+ DROP CONSTRAINT file_media_object_thumbnail_id_fkey,
+  ADD CONSTRAINT file_media_object_thumbnail_id_fkey
+      FOREIGN KEY (thumbnail_id) REFERENCES storage_object (id) ON DELETE SET NULL;
--- a/backend/src/app/msgbus.clj
+++ b/backend/src/app/msgbus.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2021 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.msgbus
  "The msgbus abstraction implemented using redis as underlying backend."
@@ -14,16 +11,17 @@
   [app.common.spec :as us]
   [app.config :as cfg]
   [app.util.blob :as blob]
+   [app.util.logging :as l]
   [app.util.time :as dt]
   [clojure.core.async :as a]
   [clojure.spec.alpha :as s]
-   [clojure.tools.logging :as log]
   [integrant.core :as ig]
   [promesa.core :as p])
  (:import
   java.time.Duration
   io.lettuce.core.RedisClient
   io.lettuce.core.RedisURI
+   io.lettuce.core.api.StatefulConnection
   io.lettuce.core.api.StatefulRedisConnection
   io.lettuce.core.api.async.RedisAsyncCommands
   io.lettuce.core.codec.ByteArrayCodec
@@ -60,7 +58,8 @@

 (defmethod ig/init-key ::msgbus
  [_ {:keys [backend buffer-size] :as cfg}]
-  (log/debugf "initializing msgbus (backend=%s)" (name backend))
+  (l/debug :action "initialize msgbus"
+           :backend (name backend))
  (let [cfg     (init-backend cfg)

        ;; Channel used for receive publications from the application.
@@ -132,6 +131,7 @@

 ;; --- REDIS BACKEND IMPL

+(declare impl-redis-open?)
 (declare impl-redis-pub)
 (declare impl-redis-sub)
 (declare impl-redis-unsub)
@@ -164,14 +164,16 @@
    (a/go-loop []
      (when-let [val (a/<! pub-ch)]
        (let [result (a/<! (impl-redis-pub rac val))]
-          (when (ex/exception? result)
-            (log/error result "unexpected error on publish message to redis")))
+          (when (and (impl-redis-open? pub-conn)
+                     (ex/exception? result))
+            (l/error :cause result
+                     :hint "unexpected error on publish message to redis")))
        (recur)))))

 (defmethod init-sub-loop :redis
  [{:keys [::sub-conn ::sub-ch buffer-size]}]
  (let [rcv-ch  (a/chan (a/dropping-buffer buffer-size))
-        chans   (agent {} :error-handler #(log/error % "unexpected error on agent"))
+        chans   (agent {} :error-handler #(l/error :cause % :hint "unexpected error on agent"))
        rac     (.async ^StatefulRedisPubSubConnection sub-conn)]

    ;; Add a unique listener to connection
@@ -184,7 +186,7 @@
                      ;; more messages that we can process.
                      (let [val {:topic topic :message (blob/decode message)}]
                        (when-not (a/offer! rcv-ch val)
-                          (log/warn "dropping message on subscription loop"))))
+                          (l/warn :msg "dropping message on subscription loop"))))
                    (psubscribed [it pattern count])
                    (punsubscribed [it pattern count])
                    (subscribed [it topic count])
@@ -194,9 +196,12 @@
              (let [nsubs (if (nil? nsubs) #{chan} (conj nsubs chan))]
                (when (= 1 (count nsubs))
                  (let [result (a/<!! (impl-redis-sub rac topic))]
-                    (log/tracef "opening subscription to %s" topic)
+                    (l/trace :action "open subscription"
+                             :topic topic)
                    (when (ex/exception? result)
-                      (log/errorf result "unexpected exception on subscribing to '%s'" topic))))
+                      (l/error :cause result
+                               :hint "unexpected exception on subscribing"
+                               :topic topic))))
                nsubs))

            (subscribe-to-topics [state topics chan]
@@ -210,9 +215,13 @@
              (let [nsubs (disj nsubs chan)]
                (when (empty? nsubs)
                  (let [result (a/<!! (impl-redis-unsub rac topic))]
-                    (log/tracef "closing subscription to %s" topic)
-                    (when (ex/exception? result)
-                      (log/errorf result "unexpected exception on unsubscribing from '%s'" topic))))
+                    (l/trace :action "close subscription"
+                             :topic topic)
+                    (when (and (impl-redis-open? sub-conn)
+                               (ex/exception? result))
+                      (l/error :cause result
+                               :hint "unexpected exception on unsubscribing"
+                               :topic topic))))
                nsubs))

            (unsubscribe-channels [state pending]
@@ -246,7 +255,6 @@
                              (recur (rest chans) pending)
                              (recur (rest chans) (conj pending ch)))
                            pending))]
-            ;; (log/tracef "received message => pending: %s" (pr-str pending))
            (some->> (seq pending)
                     (send-off chans unsubscribe-channels))

@@ -261,6 +269,10 @@
                                 (run! a/close!)))))))))


+(defn- impl-redis-open?
+  [^StatefulConnection conn]
+  (.isOpen conn))
+
 (defn- impl-redis-pub
  [^RedisAsyncCommands rac {:keys [topic message]}]
  (let [message (blob/encode message)
--- a/backend/src/app/notifications.clj
+++ b/backend/src/app/notifications.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020-2021 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.notifications
  "A websocket based notifications mechanism."
@@ -14,12 +11,12 @@
   [app.db :as db]
   [app.metrics :as mtx]
   [app.util.async :as aa]
+   [app.util.logging :as l]
   [app.util.time :as dt]
   [app.util.transit :as t]
   [app.worker :as wrk]
   [clojure.core.async :as a]
   [clojure.spec.alpha :as s]
-   [clojure.tools.logging :as log]
   [integrant.core :as ig]
   [ring.adapter.jetty9 :as jetty]
   [ring.middleware.cookies :refer [wrap-cookies]]
@@ -149,7 +146,7 @@
                                  :out-ch out-ch
                                  :sub-ch sub-ch)]

-                (log/tracef "on-connect %s" (:session-id cfg))
+                (l/trace :event "connect" :session (:session-id cfg))

                ;; Forward all messages from out-ch to the websocket
                ;; connection
@@ -163,26 +160,30 @@
                  ;; Subscribe to corresponding topics
                  (a/<! (msgbus :sub {:topics [file-id team-id] :chan sub-ch}))
                  (a/<! (handle-connect cfg))
+
+                  ;; when connection is closed
+                  (mtx-aconn :dec)
+                  (mtx-sessions :observe (/ (inst-ms (dt/duration-between created-at (dt/now))) 1000.0))
+
+                  ;; close subscription
                  (a/close! sub-ch))))

-            (on-error [_conn e]
-              (mtx-aconn :dec)
-              (mtx-sessions :observe (/ (inst-ms (dt/duration-between created-at (dt/now))) 1000.0))
-              (log/tracef "on-error %s (%s)" (:session-id cfg) (ex-message e))
+            (on-error [_conn _e]
+              (l/trace :event "error" :session (:session-id cfg))
+
              (a/close! out-ch)
              (a/close! rcv-ch))

            (on-close [_conn _status _reason]
-              (mtx-aconn :dec)
-              (mtx-sessions :observe (/ (inst-ms (dt/duration-between created-at (dt/now))) 1000.0))
-              (log/tracef "on-close %s" (:session-id cfg))
+              (l/trace :event "close" :session (:session-id cfg))
+
              (a/close! out-ch)
              (a/close! rcv-ch))

            (on-message [_ws message]
              (let [message (t/decode-str message)]
                (when-not (a/offer! rcv-ch message)
-                  (log/warn "droping ws input message, channe full"))))]
+                  (l/warn :msg "drop messages"))))]

      {:on-connect on-connect
       :on-error on-error
@@ -252,12 +253,10 @@

 (defmethod handle-message :connect
  [cfg _]
-  ;; (log/debugf "profile '%s' is connected to file '%s'" profile-id file-id)
  (send-presence cfg :connect))

 (defmethod handle-message :disconnect
  [cfg _]
-  ;; (log/debugf "profile '%s' is disconnected from '%s'" profile-id file-id)
  (send-presence cfg :disconnect))

 (defmethod handle-message :keepalive
@@ -275,5 +274,7 @@
 (defmethod handle-message :default
  [_ws message]
  (a/go
-    (log/warnf "received unexpected message: %s" message)))
+    (l/log :level :warn
+           :msg "received unexpected message"
+           :message message)))

--- a/backend/src/app/rlimits.clj
+++ b/backend/src/app/rlimits.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020-2021 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.rlimits
  "Resource usage limits (in other words: semaphores)."
@@ -21,6 +18,7 @@

 (derive ::password ::instance)
 (derive ::image ::instance)
+(derive ::font ::instance)

 (defmethod ig/pre-init-spec ::instance [_]
  (s/spec int?))
--- a/backend/src/app/rpc.clj
+++ b/backend/src/app/rpc.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020-2021 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.rpc
  (:require
@@ -13,11 +10,12 @@
   [app.common.exceptions :as ex]
   [app.common.spec :as us]
   [app.db :as db]
+   [app.loggers.audit :as audit]
   [app.metrics :as mtx]
   [app.rlimits :as rlm]
+   [app.util.logging :as l]
   [app.util.services :as sv]
   [clojure.spec.alpha :as s]
-   [clojure.tools.logging :as log]
   [cuerdas.core :as str]
   [integrant.core :as ig]))

@@ -33,10 +31,15 @@
 (defn- rpc-query-handler
  [methods {:keys [profile-id] :as request}]
  (let [type   (keyword (get-in request [:path-params :type]))
-        data   (assoc (:params request) ::type type)
+
+        data   (d/merge (:params request)
+                        (:body-params request)
+                        (:uploads request))
+
        data   (if profile-id
                 (assoc data :profile-id profile-id)
                 (dissoc data :profile-id))
+
        result ((get methods type default-handler) data)
        mdata  (meta result)]

@@ -76,23 +79,40 @@
        (ex/raise :type :internal
                  :code :rlimit-not-configured
                  :hint (str/fmt "%s rlimit not configured" key)))
-      (log/tracef "adding rlimit to '%s' rpc handler" (::sv/name mdata))
+      (l/trace :action "add rlimit"
+               :handler (::sv/name mdata))
      (fn [cfg params]
        (rlm/execute rlinst (f cfg params))))
    f))

+
 (defn- wrap-impl
-  [cfg f mdata]
-  (let [f     (wrap-with-rlimits cfg f mdata)
-        f     (wrap-with-metrics cfg f mdata)
-        spec  (or (::sv/spec mdata) (s/spec any?))]
-    (log/tracef "registering '%s' command to rpc service" (::sv/name mdata))
+  [{:keys [audit] :as cfg} f mdata]
+  (let [f      (wrap-with-rlimits cfg f mdata)
+        f      (wrap-with-metrics cfg f mdata)
+        spec   (or (::sv/spec mdata) (s/spec any?))
+        auth?  (:auth mdata true)]
+
+    (l/trace :action "register" :name (::sv/name mdata))
    (fn [params]
-      (when (and (:auth mdata true) (not (uuid? (:profile-id params))))
+      (when (and auth? (not (uuid? (:profile-id params))))
        (ex/raise :type :authentication
                  :code :authentication-required
                  :hint "authentication required for this endpoint"))
-      (f cfg (us/conform spec params)))))
+      (let [params  (us/conform spec params)
+            result  (f cfg params)
+            resultm (meta result)]
+        (when (and (::type cfg) (fn? audit))
+          (let [profile-id (or (:profile-id params)
+                               (:profile-id result)
+                               (::audit/profile-id resultm))
+                props      (d/merge params (::audit/props resultm))]
+            (audit :submit {:type (::type cfg)
+                            :name (or (::audit/name resultm)
+                                      (::sv/name mdata))
+                            :profile-id profile-id
+                            :props props})))
+        result))))

 (defn- process-method
  [cfg vfn]
@@ -108,14 +128,16 @@
               :registry (get-in cfg [:metrics :registry])
               :type :histogram
               :help "Timing of query services."})
-        cfg  (assoc cfg ::mobj mobj)]
+        cfg  (assoc cfg ::mobj mobj ::type "query")]
    (->> (sv/scan-ns 'app.rpc.queries.projects
                     'app.rpc.queries.files
                     'app.rpc.queries.teams
                     'app.rpc.queries.comments
                     'app.rpc.queries.profile
                     'app.rpc.queries.recent-files
-                     'app.rpc.queries.viewer)
+                     'app.rpc.queries.viewer
+                     'app.rpc.queries.fonts
+                     'app.rpc.queries.svg)
         (map (partial process-method cfg))
         (into {}))))

@@ -127,7 +149,7 @@
               :registry (get-in cfg [:metrics :registry])
               :type :histogram
               :help "Timing of mutation services."})
-        cfg  (assoc cfg ::mobj mobj)]
+        cfg  (assoc cfg ::mobj mobj ::type "mutation")]
    (->> (sv/scan-ns 'app.rpc.mutations.demo
                     'app.rpc.mutations.media
                     'app.rpc.mutations.profile
@@ -138,6 +160,7 @@
                     'app.rpc.mutations.teams
                     'app.rpc.mutations.management
                     'app.rpc.mutations.ldap
+                     'app.rpc.mutations.fonts
                     'app.rpc.mutations.verify-token)
         (map (partial process-method cfg))
         (into {}))))
@@ -145,9 +168,11 @@
 (s/def ::storage some?)
 (s/def ::session map?)
 (s/def ::tokens fn?)
+(s/def ::audit (s/nilable fn?))

 (defmethod ig/pre-init-spec ::rpc [_]
-  (s/keys :req-un [::db/pool ::storage ::session ::tokens ::mtx/metrics ::rlm/rlimits]))
+  (s/keys :req-un [::storage ::session ::tokens ::audit
+                   ::mtx/metrics ::rlm/rlimits ::db/pool]))

 (defmethod ig/init-key ::rpc
  [_ cfg]
--- a/backend/src/app/rpc/mutations/comments.clj
+++ b/backend/src/app/rpc/mutations/comments.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.rpc.mutations.comments
  (:require
--- a/backend/src/app/rpc/mutations/demo.clj
+++ b/backend/src/app/rpc/mutations/demo.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020-2021 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.rpc.mutations.demo
  "A demo specific mutations."
@@ -14,10 +11,11 @@
   [app.common.uuid :as uuid]
   [app.config :as cfg]
   [app.db :as db]
+   [app.loggers.audit :as audit]
   [app.rpc.mutations.profile :as profile]
   [app.setup.initial-data :as sid]
-   [app.tasks :as tasks]
   [app.util.services :as sv]
+   [app.worker :as wrk]
   [buddy.core.codecs :as bc]
   [buddy.core.nonce :as bn]
   [clojure.spec.alpha :as s]))
@@ -40,7 +38,7 @@
                  :password password
                  :props {:onboarding-viewed true}}]

-    (when-not (:allow-demo-users cfg/config)
+    (when-not (cfg/get :allow-demo-users)
      (ex/raise :type :validation
                :code :demo-users-not-allowed
                :hint "Demo users are disabled by config."))
@@ -51,9 +49,11 @@
           (sid/load-initial-project! conn))

      ;; Schedule deletion of the demo profile
-      (tasks/submit! conn {:name "delete-profile"
-                           :delay cfg/deletion-delay
-                           :props {:profile-id id}})
+      (wrk/submit! {::wrk/task :delete-profile
+                    ::wrk/delay cfg/deletion-delay
+                    ::wrk/conn conn
+                    :profile-id id})

-      {:email email
-       :password password})))
+      (with-meta {:email email
+                  :password password}
+        {::audit/profile-id id}))))
--- a/backend/src/app/rpc/mutations/files.clj
+++ b/backend/src/app/rpc/mutations/files.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.rpc.mutations.files
  (:require
@@ -19,10 +16,10 @@
   [app.rpc.permissions :as perms]
   [app.rpc.queries.files :as files]
   [app.rpc.queries.projects :as proj]
-   [app.tasks :as tasks]
   [app.util.blob :as blob]
   [app.util.services :as sv]
   [app.util.time :as dt]
+   [app.worker :as wrk]
   [clojure.spec.alpha :as s]))

 ;; --- Helpers & Specs
@@ -126,9 +123,11 @@
    (files/check-edition-permissions! conn profile-id id)

    ;; Schedule object deletion
-    (tasks/submit! conn {:name "delete-object"
-                         :delay cfg/deletion-delay
-                         :props {:id id :type :file}})
+    (wrk/submit! {::wrk/task :delete-object
+                  ::wrk/delay cfg/deletion-delay
+                  ::wrk/conn conn
+                  :id id
+                  :type :file})

    (mark-file-deleted conn params)))

@@ -229,16 +228,10 @@
              {:id file-id}))


+;; --- MUTATION: update-file
+
 ;; A generic, Changes based (granular) file update method.

-(s/def ::changes
-  (s/coll-of map? :kind vector?))
-
-(s/def ::session-id ::us/uuid)
-(s/def ::revn ::us/integer)
-(s/def ::update-file
-  (s/keys :req-un [::id ::session-id ::profile-id ::revn ::changes]))
-
 ;; File changes that affect to the library, and must be notified
 ;; to all clients using it.
 (defn library-change?
@@ -257,6 +250,31 @@
 (declare send-notifications)
 (declare update-file)

+(s/def ::changes
+  (s/coll-of map? :kind vector?))
+
+(s/def ::hint-origin ::us/keyword)
+(s/def ::hint-events
+  (s/every ::us/keyword :kind vector?))
+
+(s/def ::change-with-metadata
+  (s/keys :req-un [::changes]
+          :opt-un [::hint-origin
+                   ::hint-events]))
+
+(s/def ::changes-with-metadata
+  (s/every ::change-with-metadata :kind vector?))
+
+(s/def ::session-id ::us/uuid)
+(s/def ::revn ::us/integer)
+(s/def ::update-file
+  (s/and
+   (s/keys :req-un [::id ::session-id ::profile-id ::revn]
+           :opt-un [::changes ::changes-with-metadata])
+   (fn [o]
+     (or (contains? o :changes)
+         (contains? o :changes-with-metadata)))))
+
 (sv/defmethod ::update-file
  [{:keys [pool] :as cfg} {:keys [id profile-id] :as params}]
  (db/with-atomic [conn pool]
@@ -266,7 +284,7 @@
                   (assoc params :file file)))))

 (defn- update-file
-  [{:keys [conn] :as cfg} {:keys [file changes session-id profile-id] :as params}]
+  [{:keys [conn] :as cfg} {:keys [file changes changes-with-metadata session-id profile-id] :as params}]
  (when (> (:revn params)
           (:revn file))
    (ex/raise :type :validation
@@ -275,15 +293,19 @@
              :context {:incoming-revn (:revn params)
                        :stored-revn (:revn file)}))

-  (let [file (-> file
-                 (update :revn inc)
-                 (update :data (fn [data]
-                                 (-> data
-                                     (blob/decode)
-                                     (assoc :id (:id file))
-                                     (pmg/migrate-data)
-                                     (cp/process-changes changes)
-                                     (blob/encode)))))]
+  (let [changes (if changes-with-metadata
+                  (mapcat :changes changes-with-metadata)
+                  changes)
+
+        file    (-> file
+                    (update :revn inc)
+                    (update :data (fn [data]
+                                    (-> data
+                                        (blob/decode)
+                                        (assoc :id (:id file))
+                                        (pmg/migrate-data)
+                                        (cp/process-changes changes)
+                                        (blob/encode)))))]
    ;; Insert change to the xlog
    (db/insert! conn :file-change
                {:id (uuid/next)
@@ -301,7 +323,8 @@
                 :has-media-trimmed false}
                {:id (:id file)})

-    (let [params (assoc params :file file)]
+    (let [params (-> params (assoc :file file
+                                   :changes changes))]
      ;; Send asynchronous notifications
      (send-notifications cfg params)

--- a/backend/src/app/rpc/mutations/fonts.clj
+++ b/backend/src/app/rpc/mutations/fonts.clj
@@ -0,0 +1,143 @@
+;; This Source Code Form is subject to the terms of the Mozilla Public
+;; License, v. 2.0. If a copy of the MPL was not distributed with this
+;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;;
+;; Copyright (c) UXBOX Labs SL
+
+(ns app.rpc.mutations.fonts
+  (:require
+   [app.common.spec :as us]
+   [app.common.uuid :as uuid]
+   [app.config :as cf]
+   [app.db :as db]
+   [app.media :as media]
+   [app.rpc.queries.teams :as teams]
+   [app.storage :as sto]
+   [app.util.services :as sv]
+   [app.util.time :as dt]
+   [app.worker :as wrk]
+   [clojure.spec.alpha :as s]))
+
+(declare create-font-variant)
+
+(def valid-weight #{100 200 300 400 500 600 700 800 900 950})
+(def valid-style #{"normal" "italic"})
+
+(s/def ::id ::us/uuid)
+(s/def ::profile-id ::us/uuid)
+(s/def ::team-id ::us/uuid)
+(s/def ::name ::us/not-empty-string)
+(s/def ::weight valid-weight)
+(s/def ::style valid-style)
+(s/def ::font-id ::us/uuid)
+(s/def ::content-type ::media/font-content-type)
+(s/def ::data (s/map-of ::us/string any?))
+
+(s/def ::create-font-variant
+  (s/keys :req-un [::profile-id ::team-id ::data
+                   ::font-id ::font-family ::font-weight ::font-style]))
+
+(sv/defmethod ::create-font-variant
+  [{:keys [pool] :as cfg} {:keys [team-id profile-id] :as params}]
+  (db/with-atomic [conn pool]
+    (let [cfg (assoc cfg :conn conn)]
+      (teams/check-edition-permissions! conn profile-id team-id)
+      (create-font-variant cfg params))))
+
+(defn create-font-variant
+  [{:keys [conn storage] :as cfg} {:keys [data] :as params}]
+  (let [data    (media/run cfg {:cmd :generate-fonts :input data :rlimit :font})
+        storage (assoc storage :conn conn)
+        otf     (when-let [fdata (get data "font/otf")]
+                  (sto/put-object storage {:content (sto/content fdata)
+                                           :content-type "font/otf"}))
+
+        ttf     (when-let [fdata (get data "font/ttf")]
+                  (sto/put-object storage {:content (sto/content fdata)
+                                           :content-type "font/ttf"}))
+
+        woff1   (when-let [fdata (get data "font/woff")]
+                  (sto/put-object storage {:content (sto/content fdata)
+                                           :content-type "font/woff"}))
+
+        woff2   (when-let [fdata (get data "font/woff2")]
+                  (sto/put-object storage {:content (sto/content fdata)
+                                           :content-type "font/woff2"}))]
+
+    (db/insert! conn :team-font-variant
+                {:id (uuid/next)
+                 :team-id (:team-id params)
+                 :font-id (:font-id params)
+                 :font-family (:font-family params)
+                 :font-weight (:font-weight params)
+                 :font-style (:font-style params)
+                 :woff1-file-id (:id woff1)
+                 :woff2-file-id (:id woff2)
+                 :otf-file-id (:id otf)
+                 :ttf-file-id (:id ttf)})))
+
+;; --- UPDATE FONT FAMILY
+
+(s/def ::update-font
+  (s/keys :req-un [::profile-id ::team-id ::id ::name]))
+
+(def sql:update-font
+  "update team_font_variant
+      set font_family = ?
+    where team_id = ?
+      and font_id = ?")
+
+(sv/defmethod ::update-font
+  [{:keys [pool] :as cfg} {:keys [team-id profile-id id name] :as params}]
+  (db/with-atomic [conn pool]
+    (teams/check-edition-permissions! conn profile-id team-id)
+    (db/exec-one! conn [sql:update-font name team-id id])
+    nil))
+
+;; --- DELETE FONT
+
+(s/def ::delete-font
+  (s/keys :req-un [::profile-id ::team-id ::id]))
+
+(sv/defmethod ::delete-font
+  [{:keys [pool] :as cfg} {:keys [id team-id profile-id] :as params}]
+  (db/with-atomic [conn pool]
+    (teams/check-edition-permissions! conn profile-id team-id)
+
+    (let [items (db/query conn :team-font-variant
+                          {:font-id id :team-id team-id}
+                          {:for-update true})]
+      (doseq [item items]
+        ;; Schedule object deletion
+        (wrk/submit! {::wrk/task :delete-object
+                      ::wrk/delay cf/deletion-delay
+                      ::wrk/conn conn
+                      :id (:id item)
+                      :type :team-font-variant}))
+
+      (db/update! conn :team-font-variant
+                  {:deleted-at (dt/now)}
+                  {:font-id id :team-id team-id})
+      nil)))
+
+;; --- DELETE FONT VARIANT
+
+(s/def ::delete-font-variant
+  (s/keys :req-un [::profile-id ::team-id ::id]))
+
+(sv/defmethod ::delete-font-variant
+  [{:keys [pool] :as cfg} {:keys [id team-id profile-id] :as params}]
+  (db/with-atomic [conn pool]
+    (teams/check-edition-permissions! conn profile-id team-id)
+
+    ;; Schedule object deletion
+    (wrk/submit! {::wrk/task :delete-object
+                  ::wrk/delay cf/deletion-delay
+                  ::wrk/conn conn
+                  :id id
+                  :type :team-font-variant})
+
+    (db/update! conn :team-font-variant
+                {:deleted-at (dt/now)}
+                {:id id :team-id team-id})
+    nil))
--- a/backend/src/app/rpc/mutations/ldap.clj
+++ b/backend/src/app/rpc/mutations/ldap.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020-2021 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.rpc.mutations.ldap
  (:require
--- a/backend/src/app/rpc/mutations/management.clj
+++ b/backend/src/app/rpc/mutations/management.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2021 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.rpc.mutations.management
  "Move & Duplicate RPC methods for files and projects."
@@ -94,21 +91,21 @@
 (def sql:retrieve-used-media-objects
  "select fmo.*
     from file_media_object as fmo
-    inner join storage_object as o on (fmo.media_id = o.id)
+    inner join storage_object as so on (fmo.media_id = so.id)
    where fmo.file_id = ?
-      and o.deleted_at is null")
+      and so.deleted_at is null")

 (defn duplicate-file
-  [conn {:keys [profile-id file index project-id name]} {:keys [reset-shared-flag] :as opts}]
-  (let [flibs    (db/exec! conn [sql:retrieve-used-libraries (:id file)])
-        fmeds    (db/exec! conn [sql:retrieve-used-media-objects (:id file)])
+  [conn {:keys [profile-id file index project-id name flibs fmeds]} {:keys [reset-shared-flag] :as opts}]
+  (let [flibs    (or flibs (db/exec! conn [sql:retrieve-used-libraries (:id file)]))
+        fmeds    (or fmeds (db/exec! conn [sql:retrieve-used-media-objects (:id file)]))

        ;; memo uniform creation/modification date
        now      (dt/now)
        ignore   (dt/plus now (dt/duration {:seconds 5}))

        ;; add to the index all file media objects.
-        index  (reduce #(assoc %1 (:id %2) (uuid/next)) index fmeds)
+        index    (reduce #(assoc %1 (:id %2) (uuid/next)) index fmeds)

        flibs-xf (comp
                  (map #(remap-id % index :file-id))
@@ -176,7 +173,7 @@
          index  {file-id (uuid/next)}
          params (assoc params :index index :file file)]
      (proj/check-edition-permissions! conn profile-id (:project-id file))
-
+      (db/exec-one! conn ["SET CONSTRAINTS ALL DEFERRED"])
      (-> (duplicate-file conn params {:reset-shared-flag true})
          (update :data blob/decode)))))

@@ -194,6 +191,7 @@
  (db/with-atomic [conn pool]
    (let [project (db/get-by-id conn :project project-id)]
      (teams/check-edition-permissions! conn profile-id (:team-id project))
+      (db/exec-one! conn ["SET CONSTRAINTS ALL DEFERRED"])
      (duplicate-project conn (assoc params :project project)))))

 (defn duplicate-project
--- a/backend/src/app/rpc/mutations/media.clj
+++ b/backend/src/app/rpc/mutations/media.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020-2021 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.rpc.mutations.media
  (:require
@@ -35,12 +32,15 @@
 (s/def ::file-id ::us/uuid)
 (s/def ::team-id ::us/uuid)

+
 ;; --- Create File Media object (upload)

 (declare create-file-media-object)
 (declare select-file)

-(s/def ::content ::media/upload)
+(s/def ::content-type ::media/image-content-type)
+(s/def ::content (s/and ::media/upload (s/keys :req-un [::content-type])))
+
 (s/def ::is-local ::us/boolean)

 (s/def ::upload-file-media-object
--- a/backend/src/app/rpc/mutations/profile.clj
+++ b/backend/src/app/rpc/mutations/profile.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020-2021 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.rpc.mutations.profile
  (:require
@@ -14,16 +11,18 @@
   [app.common.uuid :as uuid]
   [app.config :as cfg]
   [app.db :as db]
-   [app.emails :as emails]
+   [app.emails :as eml]
+   [app.http.oauth :refer [extract-props]]
+   [app.loggers.audit :as audit]
   [app.media :as media]
   [app.rpc.mutations.projects :as projects]
   [app.rpc.mutations.teams :as teams]
   [app.rpc.queries.profile :as profile]
   [app.setup.initial-data :as sid]
   [app.storage :as sto]
-   [app.tasks :as tasks]
   [app.util.services :as sv]
   [app.util.time :as dt]
+   [app.worker :as wrk]
   [buddy.hashers :as hashers]
   [clojure.spec.alpha :as s]
   [cuerdas.core :as str]))
@@ -61,9 +60,10 @@
    (ex/raise :type :restriction
              :code :registration-disabled))

-  (when-not (email-domain-in-whitelist? (cfg/get :registration-domain-whitelist) (:email params))
-    (ex/raise :type :validation
-              :code :email-domain-is-not-allowed))
+  (when-let [domains (cfg/get :registration-domain-whitelist)]
+    (when-not (email-domain-in-whitelist? domains (:email params))
+      (ex/raise :type :validation
+                :code :email-domain-is-not-allowed)))

  (when-not (:terms-privacy params)
    (ex/raise :type :validation
@@ -103,7 +103,9 @@
            resp   {:invitation-token token}]
        (with-meta resp
          {:transform-response ((:create session) (:id profile))
-           :before-complete (annotate-profile-register metrics profile)}))
+           :before-complete (annotate-profile-register metrics profile)
+           ::audit/props (:props profile)
+           ::audit/profile-id (:id profile)}))

      ;; If no token is provided, send a verification email
      (let [vtoken (tokens :generate
@@ -117,28 +119,34 @@

        ;; Don't allow proceed in register page if the email is
        ;; already reported as permanent bounced
-        (when (emails/has-bounce-reports? conn (:email profile))
+        (when (eml/has-bounce-reports? conn (:email profile))
          (ex/raise :type :validation
                    :code :email-has-permanent-bounces
                    :hint "looks like the email has one or many bounces reported"))

-        (emails/send! conn emails/register
-                      {:to (:email profile)
-                       :name (:fullname profile)
-                       :token vtoken
-                       :extra-data ptoken})
+        (eml/send! {::eml/conn conn
+                    ::eml/factory eml/register
+                    :public-uri (:public-uri cfg)
+                    :to (:email profile)
+                    :name (:fullname profile)
+                    :token vtoken
+                    :extra-data ptoken})
+
        (with-meta profile
-          {:before-complete (annotate-profile-register metrics profile)})))))
+          {:before-complete (annotate-profile-register metrics profile)
+           ::audit/props (:props profile)
+           ::audit/profile-id (:id profile)})))))

 (defn email-domain-in-whitelist?
-  "Returns true if email's domain is in the given whitelist or if given
-  whitelist is an empty string."
-  [whitelist email]
-  (if (str/blank? whitelist)
+  "Returns true if email's domain is in the given whitelist or if
+  given whitelist is an empty string."
+  [domains email]
+  (if (or (empty? domains)
+          (nil? domains))
    true
-    (let [domains (str/split whitelist #",\s*")
-          email-domain (second (str/split email #"@"))]
-      (contains? (set domains) email-domain))))
+    (let [[_ candidate] (-> (str/lower email)
+                            (str/split #"@" 2))]
+      (contains? domains candidate))))

 (def ^:private sql:profile-existence
  "select exists (select * from profile
@@ -173,11 +181,12 @@
 (defn create-profile
  "Create the profile entry on the database with limited input
  filling all the other fields with defaults."
-  [conn {:keys [id fullname email password props is-active is-muted is-demo opts]
-         :or {is-active false is-muted false is-demo false}}]
+  [conn {:keys [id fullname email password is-active is-muted is-demo opts]
+         :or {is-active false is-muted false is-demo false}
+         :as params}]
  (let [id        (or id (uuid/next))
        is-active (if is-demo true is-active)
-        props     (db/tjson (or props {}))
+        props     (-> params extract-props db/tjson)
        password  (derive-password password)
        params    {:id id
                   :fullname fullname
@@ -269,10 +278,12 @@
                              :member-email (:email profile))
                token  (tokens :generate claims)]
            (with-meta {:invitation-token token}
-              {:transform-response ((:create session) (:id profile))}))
+              {:transform-response ((:create session) (:id profile))
+               ::audit/profile-id (:id profile)}))

          (with-meta profile
-            {:transform-response ((:create session) (:id profile))}))))))
+            {:transform-response ((:create session) (:id profile))
+             ::audit/profile-id (:id profile)}))))))

 ;; --- Mutation: Logout

@@ -297,21 +308,44 @@
  [{:keys [pool metrics] :as cfg} params]
  (db/with-atomic [conn pool]
    (let [profile (-> (assoc cfg :conn conn)
-                      (login-or-register params))]
+                      (login-or-register params))
+          props   (merge
+                   (select-keys profile [:backend :fullname :email])
+                   (:props profile))]
      (with-meta profile
-        {:before-complete (annotate-profile-register metrics profile)}))))
+        {:before-complete (annotate-profile-register metrics profile)
+         ::audit/name (if (::created profile) "register" "login")
+         ::audit/props props
+         ::audit/profile-id (:id profile)}))))

 (defn login-or-register
-  [{:keys [conn] :as cfg} {:keys [email backend] :as params}]
-  (letfn [(create-profile [conn {:keys [fullname email]}]
-            (db/insert! conn :profile
-                        {:id (uuid/next)
-                         :fullname fullname
-                         :email (str/lower email)
-                         :auth-backend backend
-                         :is-active true
-                         :password "!"
-                         :is-demo false}))
+  [{:keys [conn] :as cfg} {:keys [email] :as params}]
+  (letfn [(info->lang [{:keys [locale] :as info}]
+            (when (and (string? locale)
+                       (not (str/blank? locale)))
+              locale))
+
+          (create-profile [conn {:keys [fullname backend email props] :as info}]
+            (let [params {:id (uuid/next)
+                          :fullname fullname
+                          :email (str/lower email)
+                          :lang (info->lang props)
+                          :auth-backend backend
+                          :is-active true
+                          :password "!"
+                          :props (db/tjson props)
+                          :is-demo false}]
+              (-> (db/insert! conn :profile params)
+                  (update :props db/decode-transit-pgobject))))
+
+          (update-profile [conn info profile]
+            (let [props (merge (:props profile)
+                               (:props info))]
+              (db/update! conn :profile
+                          {:props (db/tjson props)
+                           :modified-at (dt/now)}
+                          {:id (:id profile)})
+              (assoc profile :props props)))

          (register-profile [conn params]
            (let [profile (->> (create-profile conn params)
@@ -321,7 +355,9 @@

    (let [profile (profile/retrieve-profile-data-by-email conn email)
          profile (if profile
-                    (profile/populate-additional-data conn profile)
+                    (->> profile
+                         (update-profile conn params)
+                         (profile/populate-additional-data conn))
                    (register-profile conn params))]
      (profile/strip-private-attrs profile))))

@@ -346,7 +382,6 @@
    (update-profile conn params)
    nil))

-
 ;; --- Mutation: Update Password

 (declare validate-password!)
@@ -380,7 +415,9 @@

 (declare update-profile-photo)

-(s/def ::file ::media/upload)
+(s/def ::content-type ::media/image-content-type)
+(s/def ::file (s/and ::media/upload (s/keys :req-un [::content-type])))
+
 (s/def ::update-profile-photo
  (s/keys :req-un [::profile-id ::file]))

@@ -439,7 +476,7 @@
  {:changed true})

 (defn- request-email-change
-  [{:keys [conn tokens]} {:keys [profile email] :as params}]
+  [{:keys [conn tokens] :as cfg} {:keys [profile email] :as params}]
  (let [token   (tokens :generate
                        {:iss :change-email
                         :exp (dt/in-future "15m")
@@ -452,22 +489,24 @@
    (when (not= email (:email profile))
      (check-profile-existence! conn params))

-    (when-not (emails/allow-send-emails? conn profile)
+    (when-not (eml/allow-send-emails? conn profile)
      (ex/raise :type :validation
                :code :profile-is-muted
                :hint "looks like the profile has reported repeatedly as spam or has permanent bounces."))

-    (when (emails/has-bounce-reports? conn email)
+    (when (eml/has-bounce-reports? conn email)
      (ex/raise :type :validation
                :code :email-has-permanent-bounces
                :hint "looks like the email you invite has been repeatedly reported as spam or permanent bounce"))

-    (emails/send! conn emails/change-email
-                  {:to (:email profile)
-                   :name (:fullname profile)
-                   :pending-email email
-                   :token token
-                   :extra-data ptoken})
+    (eml/send! {::eml/conn conn
+                ::eml/factory eml/change-email
+                :public-uri (:public-uri cfg)
+                :to (:email profile)
+                :name (:fullname profile)
+                :pending-email email
+                :token token
+                :extra-data ptoken})
    nil))


@@ -493,16 +532,18 @@
            (let [ptoken (tokens :generate-predefined
                                 {:iss :profile-identity
                                  :profile-id (:id profile)})]
-              (emails/send! conn emails/password-recovery
-                            {:to (:email profile)
-                             :token (:token profile)
-                             :name (:fullname profile)
-                             :extra-data ptoken})
+              (eml/send! {::eml/conn conn
+                          ::eml/factory eml/password-recovery
+                          :public-uri (:public-uri cfg)
+                          :to (:email profile)
+                          :token (:token profile)
+                          :name (:fullname profile)
+                          :extra-data ptoken})
              nil))]

    (db/with-atomic [conn pool]
      (when-let [profile (profile/retrieve-profile-data-by-email conn email)]
-        (when-not (emails/allow-send-emails? conn profile)
+        (when-not (eml/allow-send-emails? conn profile)
          (ex/raise :type :validation
                    :code :profile-is-muted
                    :hint "looks like the profile has reported repeatedly as spam or has permanent bounces."))
@@ -512,7 +553,7 @@
                    :code :profile-not-verified
                    :hint "the user need to validate profile before recover password"))

-        (when (emails/has-bounce-reports? conn (:email profile))
+        (when (eml/has-bounce-reports? conn (:email profile))
          (ex/raise :type :validation
                    :code :email-has-permanent-bounces
                    :hint "looks like the email you invite has been repeatedly reported as spam or permanent bounce"))
@@ -579,9 +620,10 @@
    (check-can-delete-profile! conn profile-id)

    ;; Schedule a complete deletion of profile
-    (tasks/submit! conn {:name "delete-profile"
-                         :delay cfg/deletion-delay
-                         :props {:profile-id profile-id}})
+    (wrk/submit! {::wrk/task :delete-profile
+                  ::wrk/delay cfg/deletion-delay
+                  ::wrk/conn conn
+                  :profile-id profile-id})

    (db/update! conn :profile
                {:deleted-at (dt/now)}
--- a/backend/src/app/rpc/mutations/projects.clj
+++ b/backend/src/app/rpc/mutations/projects.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.rpc.mutations.projects
  (:require
@@ -16,9 +13,9 @@
   [app.rpc.permissions :as perms]
   [app.rpc.queries.projects :as proj]
   [app.rpc.queries.teams :as teams]
-   [app.tasks :as tasks]
   [app.util.services :as sv]
   [app.util.time :as dt]
+   [app.worker :as wrk]
   [clojure.spec.alpha :as s]))

 ;; --- Helpers & Specs
@@ -128,9 +125,11 @@
    (proj/check-edition-permissions! conn profile-id id)

    ;; Schedule object deletion
-    (tasks/submit! conn {:name "delete-object"
-                         :delay cfg/deletion-delay
-                         :props {:id id :type :project}})
+    (wrk/submit! {::wrk/task :delete-object
+                  ::wrk/delay cfg/deletion-delay
+                  ::wrk/conn conn
+                  :id id
+                  :type :project})

    (db/update! conn :project
                {:deleted-at (dt/now)}
--- a/backend/src/app/rpc/mutations/teams.clj
+++ b/backend/src/app/rpc/mutations/teams.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020-2021 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.rpc.mutations.teams
  (:require
@@ -15,16 +12,16 @@
   [app.common.uuid :as uuid]
   [app.config :as cfg]
   [app.db :as db]
-   [app.emails :as emails]
+   [app.emails :as eml]
   [app.media :as media]
   [app.rpc.mutations.projects :as projects]
   [app.rpc.permissions :as perms]
   [app.rpc.queries.profile :as profile]
   [app.rpc.queries.teams :as teams]
   [app.storage :as sto]
-   [app.tasks :as tasks]
   [app.util.services :as sv]
   [app.util.time :as dt]
+   [app.worker :as wrk]
   [clojure.spec.alpha :as s]
   [datoteka.core :as fs]))

@@ -139,9 +136,11 @@
                  :code :only-owner-can-delete-team))

      ;; Schedule object deletion
-      (tasks/submit! conn {:name "delete-object"
-                           :delay cfg/deletion-delay
-                           :props {:id id :type :team}})
+      (wrk/submit! {::wrk/task :delete-object
+                    ::wrk/delay cfg/deletion-delay
+                    ::wrk/conn conn
+                    :id id
+                    :type :team})

      (db/update! conn :team
                  {:deleted-at (dt/now)}
@@ -250,7 +249,9 @@

 (declare upload-photo)

-(s/def ::file ::media/upload)
+(s/def ::content-type ::media/image-content-type)
+(s/def ::file (s/and ::media/upload (s/keys :req-un [::content-type])))
+
 (s/def ::update-team-photo
  (s/keys :req-un [::profile-id ::team-id ::file]))

@@ -308,7 +309,7 @@
          team     (db/get-by-id conn :team team-id)
          itoken   (tokens :generate
                           {:iss :team-invitation
-                            :exp (dt/in-future "6h")
+                            :exp (dt/in-future "48h")
                            :profile-id (:id profile)
                            :role role
                            :team-id team-id
@@ -323,27 +324,29 @@
                  :code :insufficient-permissions))

      ;; First check if the current profile is allowed to send emails.
-      (when-not (emails/allow-send-emails? conn profile)
+      (when-not (eml/allow-send-emails? conn profile)
        (ex/raise :type :validation
                  :code :profile-is-muted
                  :hint "looks like the profile has reported repeatedly as spam or has permanent bounces"))

-      (when (and member (not (emails/allow-send-emails? conn member)))
+      (when (and member (not (eml/allow-send-emails? conn member)))
        (ex/raise :type :validation
                  :code :member-is-muted
                  :hint "looks like the profile has reported repeatedly as spam or has permanent bounces"))

      ;; Secondly check if the invited member email is part of the
      ;; global spam/bounce report.
-      (when (emails/has-bounce-reports? conn email)
+      (when (eml/has-bounce-reports? conn email)
        (ex/raise :type :validation
                  :code :email-has-permanent-bounces
                  :hint "looks like the email you invite has been repeatedly reported as spam or permanent bounce"))

-      (emails/send! conn emails/invite-to-team
-                    {:to email
-                     :invited-by (:fullname profile)
-                     :team (:name team)
-                     :token itoken
-                     :extra-data ptoken})
+      (eml/send! {::eml/conn conn
+                  ::eml/factory eml/invite-to-team
+                  :public-uri (:public-uri cfg)
+                  :to email
+                  :invited-by (:fullname profile)
+                  :team (:name team)
+                  :token itoken
+                  :extra-data ptoken})
      nil)))
--- a/backend/src/app/rpc/mutations/verify_token.clj
+++ b/backend/src/app/rpc/mutations/verify_token.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020-2021 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.rpc.mutations.verify-token
  (:require
--- a/backend/src/app/rpc/mutations/viewer.clj
+++ b/backend/src/app/rpc/mutations/viewer.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.rpc.mutations.viewer
  (:require
--- a/backend/src/app/rpc/permissions.clj
+++ b/backend/src/app/rpc/permissions.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.rpc.permissions
  "A permission checking helper factories."
--- a/backend/src/app/rpc/queries/comments.clj
+++ b/backend/src/app/rpc/queries/comments.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.rpc.queries.comments
  (:require
@@ -131,7 +128,6 @@
      (-> (db/exec-one! conn [sql profile-id file-id id])
          (decode-row)))))

-
 ;; --- Query: Comments

 (declare retrieve-comments)
--- a/backend/src/app/rpc/queries/files.clj
+++ b/backend/src/app/rpc/queries/files.clj
@@ -2,19 +2,17 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.rpc.queries.files
  (:require
-   [app.common.exceptions :as ex]
   [app.common.pages.migrations :as pmg]
   [app.common.spec :as us]
+   [app.common.uuid :as uuid]
   [app.db :as db]
   [app.rpc.permissions :as perms]
   [app.rpc.queries.projects :as projects]
+   [app.rpc.queries.teams :as teams]
   [app.util.blob :as blob]
   [app.util.services :as sv]
   [clojure.spec.alpha :as s]))
@@ -100,7 +98,13 @@
             ppr.is_owner = true or
             ppr.can_edit = true)
   )
-   select distinct f.*
+   select distinct
+          f.id,
+          f.project_id,
+          f.created_at,
+          f.modified_at,
+          f.name,
+          f.is_shared
     from file as f
    inner join projects as pr on (f.project_id = pr.id)
    where f.name ilike ('%' || ? || '%')
@@ -112,14 +116,15 @@

 (sv/defmethod ::search-files
  [{:keys [pool] :as cfg} {:keys [profile-id team-id search-term] :as params}]
-  (let [rows (db/exec! pool [sql:search-files
-                                profile-id team-id
-                                profile-id team-id
-                                search-term])]
-    (into [] decode-row-xf rows)))
+  (db/exec! pool [sql:search-files
+                  profile-id team-id
+                  profile-id team-id
+                  search-term]))


-;; --- Query: Project Files
+;; --- Query: Files
+
+;; DEPRECATED: should be removed probably on 1.6.x

 (def ^:private sql:files
  "select f.*
@@ -139,6 +144,29 @@
    (into [] decode-row-xf (db/exec! conn [sql:files project-id]))))


+;; --- Query: Project Files
+
+(def ^:private sql:project-files
+  "select f.id,
+          f.project_id,
+          f.created_at,
+          f.modified_at,
+          f.name,
+          f.is_shared
+     from file as f
+    where f.project_id = ?
+      and f.deleted_at is null
+    order by f.modified_at desc")
+
+(s/def ::project-files
+  (s/keys :req-un [::profile-id ::project-id]))
+
+(sv/defmethod ::project-files
+  [{:keys [pool] :as cfg} {:keys [profile-id project-id] :as params}]
+  (with-open [conn (db/open pool)]
+    (projects/check-read-permissions! conn profile-id project-id)
+    (db/exec! conn [sql:project-files project-id])))
+
 ;; --- Query: File (By ID)

 (defn retrieve-file
@@ -157,17 +185,50 @@
    (retrieve-file conn id)))

 (s/def ::page
-  (s/keys :req-un [::profile-id ::id ::file-id]))
+  (s/keys :req-un [::profile-id ::file-id]))
+
+(defn remove-thumbnails-frames
+  "Removes from data the children for frames that have a thumbnail set up"
+  [data]
+  (let [filter-shape?
+        (fn [objects [id shape]]
+          (let [frame-id (:frame-id shape)]
+            (or (= id uuid/zero)
+                (= frame-id uuid/zero)
+                (not (some? (get-in objects [frame-id :thumbnail]))))))
+
+        ;; We need to remove from the attribute :shapes its childrens because
+        ;; they will not be sent in the data
+        remove-frame-children
+        (fn [[id shape]]
+          [id (cond-> shape
+                (some? (:thumbnail shape))
+                (assoc :shapes []))])
+
+        update-objects
+        (fn [objects]
+          (into {}
+                (comp (map remove-frame-children)
+                      (filter (partial filter-shape? objects)))
+                objects))]
+
+    (update data :objects update-objects)))

 (sv/defmethod ::page
-  [{:keys [pool] :as cfg} {:keys [profile-id file-id id]}]
+  [{:keys [pool] :as cfg} {:keys [profile-id file-id id strip-thumbnails]}]
+  [{:keys [pool] :as cfg} {:keys [profile-id file-id]}]
  (db/with-atomic [conn pool]
    (check-edition-permissions! conn profile-id file-id)
-    (let [file (retrieve-file conn file-id)]
-      (get-in file [:data :pages-index id]))))
+    (let [file    (retrieve-file conn file-id)
+          page-id (get-in file [:data :pages 0])]
+      (cond-> (get-in file [:data :pages-index page-id])
+        strip-thumbnails
+        (remove-thumbnails-frames)))))

 ;; --- Query: Shared Library Files

+;; DEPRECATED: and will be removed on 1.6.x
+
 (def ^:private sql:shared-files
  "select f.*
     from file as f
@@ -186,11 +247,36 @@
  (into [] decode-row-xf (db/exec! pool [sql:shared-files team-id])))


+;; --- Query: Shared Library Files
+
+(def ^:private sql:team-shared-files
+  "select f.id,
+          f.project_id,
+          f.created_at,
+          f.modified_at,
+          f.name,
+          f.is_shared
+     from file as f
+    inner join project as p on (p.id = f.project_id)
+    where f.is_shared = true
+      and f.deleted_at is null
+      and p.deleted_at is null
+      and p.team_id = ?
+    order by f.modified_at desc")
+
+(s/def ::team-shared-files
+  (s/keys :req-un [::profile-id ::team-id]))
+
+(sv/defmethod ::team-shared-files
+  [{:keys [pool] :as cfg} {:keys [profile-id team-id] :as params}]
+  (db/exec! pool [sql:team-shared-files team-id]))
+
+
 ;; --- Query: File Libraries used by a File

 (def ^:private sql:file-libraries
  "select fl.*,
-          ? as is_indirect,
+
          flr.synced_at as synced_at
     from file as fl
    inner join file_library_rel as flr on (flr.library_file_id = fl.id)
@@ -199,22 +285,13 @@

 (defn retrieve-file-libraries
  [conn is-indirect file-id]
-  (let [direct-libraries
-        (into [] decode-row-xf (db/exec! conn [sql:file-libraries is-indirect file-id]))
+  (let [libraries (->> (db/exec! conn [sql:file-libraries file-id])
+                       (map #(assoc % :is-indirect is-indirect))
+                       (into #{} decode-row-xf))]
+    (reduce #(into %1 (retrieve-file-libraries conn true %2))
+            libraries
+            (map :id libraries))))

-        select-distinct
-        (fn [used-libraries new-libraries]
-          (remove (fn [new-library]
-                    (some #(= (:id %) (:id new-library)) used-libraries))
-                  new-libraries))]
-
-    (reduce (fn [used-libraries library]
-              (concat used-libraries
-                      (select-distinct
-                        used-libraries
-                        (retrieve-file-libraries conn true (:id library)))))
-            direct-libraries
-            direct-libraries)))

 (s/def ::file-libraries
  (s/keys :req-un [::profile-id ::file-id]))
@@ -225,31 +302,35 @@
    (check-edition-permissions! conn profile-id file-id)
    (retrieve-file-libraries conn false file-id)))

+;; --- QUERY: team-recent-files

-;; --- Query: Single File Library
+(def sql:team-recent-files
+  "with recent_files as (
+     select f.id,
+            f.project_id,
+            f.created_at,
+            f.modified_at,
+            f.name,
+            f.is_shared,
+            row_number() over w as row_num
+       from file as f
+       join project as p on (p.id = f.project_id)
+      where p.team_id = ?
+        and p.deleted_at is null
+        and f.deleted_at is null
+     window w as (partition by f.project_id order by f.modified_at desc)
+      order by f.modified_at desc
+   )
+   select * from recent_files where row_num <= 10;")

-;; TODO: this looks like is duplicate of `::file`
+(s/def ::team-recent-files
+  (s/keys :req-un [::profile-id ::team-id]))

-(def ^:private sql:file-library
-  "select fl.*
-     from file as fl
-    where fl.id = ?")
-
-(defn retrieve-file-library
-  [conn file-id]
-  (let [rows (db/exec! conn [sql:file-library file-id])]
-    (when-not (seq rows)
-      (ex/raise :type :not-found))
-    (first (sequence decode-row-xf rows))))
-
-(s/def ::file-library
-  (s/keys :req-un [::profile-id ::file-id]))
-
-(sv/defmethod ::file-library
-  [{:keys [pool] :as cfg} {:keys [profile-id file-id] :as params}]
-  (db/with-atomic [conn pool]
-    (check-edition-permissions! conn profile-id file-id) ;; TODO: this should check read permissions
-    (retrieve-file-library conn file-id)))
+(sv/defmethod ::team-recent-files
+  [{:keys [pool] :as cfg} {:keys [profile-id team-id]}]
+  (with-open [conn (db/open pool)]
+    (teams/check-read-permissions! conn profile-id team-id)
+    (db/exec! conn [sql:team-recent-files team-id])))


 ;; --- Helpers
--- a/backend/src/app/rpc/queries/fonts.clj
+++ b/backend/src/app/rpc/queries/fonts.clj
@@ -0,0 +1,29 @@
+;; This Source Code Form is subject to the terms of the Mozilla Public
+;; License, v. 2.0. If a copy of the MPL was not distributed with this
+;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;;
+;; Copyright (c) UXBOX Labs SL
+
+(ns app.rpc.queries.fonts
+  (:require
+   [app.common.spec :as us]
+   [app.db :as db]
+   [app.rpc.queries.teams :as teams]
+   [app.util.services :as sv]
+   [clojure.spec.alpha :as s]))
+
+;; --- Query: Team Font Variants
+
+(s/def ::team-id ::us/uuid)
+(s/def ::profile-id ::us/uuid)
+(s/def ::team-font-variants
+  (s/keys :req-un [::profile-id ::team-id]))
+
+(sv/defmethod ::team-font-variants
+  [{:keys [pool] :as cfg} {:keys [profile-id team-id] :as params}]
+  (with-open [conn (db/open pool)]
+    (teams/check-read-permissions! conn profile-id team-id)
+    (db/query conn :team-font-variant
+              {:team-id team-id
+               :deleted-at nil})))
+
--- a/backend/src/app/rpc/queries/profile.clj
+++ b/backend/src/app/rpc/queries/profile.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.rpc.queries.profile
  (:require
@@ -44,29 +41,27 @@
    {:id uuid/zero
     :fullname "Anonymous User"}))

-;; NOTE: this query make the assumption that union all preserves the
-;; order so the first id will always be the team id and the second the
-;; project_id; this is a postgresql behavior because UNION ALL works
-;; like APPEND operation.
-
-(def ^:private sql:default-team-and-project
-  "select t.id
+(def ^:private sql:default-profile-team
+  "select t.id, name
     from team as t
    inner join team_profile_rel as tp on (tp.team_id = t.id)
    where tp.profile_id = ?
      and tp.is_owner is true
-      and t.is_default is true
-    union all
-   select p.id
+      and t.is_default is true")
+
+(def ^:private sql:default-profile-project
+  "select p.id, name
     from project as p
    inner join project_profile_rel as tp on (tp.project_id = p.id)
    where tp.profile_id = ?
      and tp.is_owner is true
-      and p.is_default is true")
+      and p.is_default is true
+      and p.team_id = ?")

 (defn retrieve-additional-data
  [conn id]
-  (let [[team project] (db/exec! conn [sql:default-team-and-project id id])]
+  (let [team    (db/exec-one! conn [sql:default-profile-team id])
+        project (db/exec-one! conn [sql:default-profile-project id (:id team)])]
    {:default-team-id (:id team)
     :default-project-id (:id project)}))

--- a/backend/src/app/rpc/queries/projects.clj
+++ b/backend/src/app/rpc/queries/projects.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.rpc.queries.projects
  (:require
--- a/backend/src/app/rpc/queries/recent_files.clj
+++ b/backend/src/app/rpc/queries/recent_files.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.rpc.queries.recent-files
  (:require
@@ -16,6 +13,8 @@
   [app.util.services :as sv]
   [clojure.spec.alpha :as s]))

+;; DEPRECATED: should be removed on 1.6.x
+
 (def sql:recent-files
  "with recent_files as (
     select f.*, row_number() over w as row_num
--- a/backend/src/app/rpc/queries/svg.clj
+++ b/backend/src/app/rpc/queries/svg.clj
@@ -0,0 +1,59 @@
+;; This Source Code Form is subject to the terms of the Mozilla Public
+;; License, v. 2.0. If a copy of the MPL was not distributed with this
+;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;;
+;; Copyright (c) UXBOX Labs SL
+
+(ns app.rpc.queries.svg
+  (:require
+   [app.common.exceptions :as ex]
+   [app.common.spec :as us]
+   [app.util.logging :as l]
+   [app.util.services :as sv]
+   [clojure.spec.alpha :as s]
+   [clojure.xml :as xml]
+   [cuerdas.core :as str])
+  (:import
+   javax.xml.XMLConstants
+   javax.xml.parsers.SAXParserFactory
+   org.apache.commons.io.IOUtils))
+
+(defn- secure-parser-factory
+  [s ch]
+  (.. (doto (SAXParserFactory/newInstance)
+        (.setFeature XMLConstants/FEATURE_SECURE_PROCESSING true)
+        (.setFeature "http://apache.org/xml/features/disallow-doctype-decl" true))
+      (newSAXParser)
+      (parse s ch)))
+
+(defn parse
+  [data]
+  (try
+    (with-open [istream (IOUtils/toInputStream data "UTF-8")]
+      (xml/parse istream secure-parser-factory))
+    (catch Exception e
+      (l/warn :hint "error on processing svg"
+              :message (ex-message e))
+      (ex/raise :type :validation
+                :code :invalid-svg-file
+                :hint "invalid svg file"
+                :cause e))))
+
+(declare pre-process)
+
+(s/def ::data ::us/string)
+(s/def ::parsed-svg (s/keys :req-un [::data]))
+
+(sv/defmethod ::parsed-svg
+  [_ {:keys [data] :as params}]
+  (->> data pre-process parse))
+
+;; --- PROCESSORS
+
+(defn strip-doctype
+  [data]
+  (cond-> data
+    (str/includes? data "<!DOCTYPE")
+    (str/replace #"<\!DOCTYPE[^>]*>" "")))
+
+(def pre-process strip-doctype)
--- a/backend/src/app/rpc/queries/teams.clj
+++ b/backend/src/app/rpc/queries/teams.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.rpc.queries.teams
  (:require
--- a/backend/src/app/rpc/queries/viewer.clj
+++ b/backend/src/app/rpc/queries/viewer.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.rpc.queries.viewer
  (:require
--- a/backend/src/app/setup.clj
+++ b/backend/src/app/setup.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020-2021 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.setup
  "Initial data setup of instance."
@@ -32,16 +29,26 @@
      (initialize-instance-id! cfg)
      (retrieve-all cfg))))

+(def sql:upsert-secret-key
+  "insert into server_prop (id, preload, content)
+   values ('secret-key', true, ?::jsonb)
+   on conflict (id) do update set content = ?::jsonb")
+
+(def sql:insert-secret-key
+  "insert into server_prop (id, preload, content)
+   values ('secret-key', true, ?::jsonb)
+   on conflict (id) do nothing")
+
 (defn- initialize-secret-key!
-  [{:keys [conn] :as cfg}]
-  (let [key (-> (bn/random-bytes 64)
-                (bc/bytes->b64u)
-                (bc/bytes->str))]
-    (db/insert! conn :server-prop
-                {:id "secret-key"
-                 :preload true
-                 :content (db/tjson key)}
-                {:on-conflict-do-nothing true})))
+  [{:keys [conn key] :as cfg}]
+  (if key
+    (let [key (db/tjson key)]
+      (db/exec-one! conn [sql:upsert-secret-key key key]))
+    (let [key (-> (bn/random-bytes 64)
+                  (bc/bytes->b64u)
+                  (bc/bytes->str))
+          key (db/tjson key)]
+      (db/exec-one! conn [sql:insert-secret-key key]))))

 (defn- initialize-instance-id!
  [{:keys [conn] :as cfg}]
--- a/backend/src/app/setup/initial_data.clj
+++ b/backend/src/app/setup/initial_data.clj
@@ -2,16 +2,13 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2021 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.setup.initial-data
  (:refer-clojure :exclude [load])
  (:require
   [app.common.uuid :as uuid]
-   [app.config :as cfg]
+   [app.config :as cf]
   [app.db :as db]
   [app.rpc.mutations.management :refer [duplicate-file]]
   [app.rpc.mutations.projects :refer [create-project create-project-role]]
@@ -39,7 +36,7 @@
  ([system project-id {:keys [skey project-name]
                       :or {project-name "Penpot Onboarding"}}]
   (db/with-atomic [conn (:app.db/pool system)]
-     (let [skey  (or skey (cfg/get :initial-project-skey))
+     (let [skey  (or skey (cf/get :initial-project-skey))
           files (db/exec! conn [sql:file project-id])
           flibs (db/exec! conn [sql:file-library-rel project-id])
           fmeds (db/exec! conn [sql:file-media-object project-id])
@@ -68,7 +65,7 @@
 (defn load-initial-project!
  ([conn profile] (load-initial-project! conn profile nil))
  ([conn profile opts]
-   (let [skey (or (:skey opts) (cfg/get :initial-project-skey))
+   (let [skey (or (:skey opts) (cf/get :initial-project-skey))
         data (retrieve-data conn skey)]
     (when data
       (let [index   (reduce #(assoc %1 (:id %2) (uuid/next)) {} (:files data))
@@ -85,10 +82,16 @@
                                    :role :owner})

         (doseq [file (:files data)]
-           (let [params {:profile-id (:id profile)
+           (let [flibs  (filterv #(= (:id file) (:file-id %)) (:flibs data))
+                 fmeds  (filterv #(= (:id file) (:file-id %)) (:fmeds data))
+
+                 params {:profile-id (:id profile)
                         :project-id (:id project)
                         :file file
-                         :index index}
+                         :index index
+                         :flibs flibs
+                         :fmeds fmeds}
+
                 opts   {:reset-shared-flag false}]
             (duplicate-file conn params opts))))))))

--- a/backend/src/app/srepl.clj
+++ b/backend/src/app/srepl.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.srepl
  "Server Repl."
--- a/backend/src/app/storage.clj
+++ b/backend/src/app/storage.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.storage
  "File Storage abstraction layer."
@@ -19,10 +16,10 @@
   [app.storage.fs :as sfs]
   [app.storage.impl :as impl]
   [app.storage.s3 :as ss3]
+   [app.util.logging :as l]
   [app.util.time :as dt]
   [app.worker :as wrk]
   [clojure.spec.alpha :as s]
-   [clojure.tools.logging :as log]
   [cuerdas.core :as str]
   [datoteka.core :as fs]
   [integrant.core :as ig]
@@ -310,7 +307,9 @@
              (run! (partial delete-in-bulk conn) groups)
              (recur (+ n ^long total)))
            (do
-              (log/infof "gc-deleted: processed %s items" n)
+              (l/info :task "gc-deleted"
+                      :action "permanently delete items"
+                      :count n)
              {:deleted n})))))))

 (def sql:retrieve-deleted-objects
@@ -382,7 +381,12 @@
              (recur (+ cntf (count to-freeze))
                     (+ cntd (count to-delete))))
            (do
-              (log/infof "gc-touched: %s objects marked as freeze and %s marked to be deleted" cntf cntd)
+              (l/info :task "gc-touched"
+                      :action "mark freeze"
+                      :count cntf)
+              (l/info :task "gc-touched"
+                      :action "mark for deletion"
+                      :count cntd)
              {:freeze cntf :delete cntd})))))))

 (def sql:retrieve-touched-objects
@@ -459,7 +463,10 @@
              (recur (+ n (count all))
                     (+ d (count to-delete))))
            (do
-              (log/infof "recheck: processed %s items, %s deleted" n d)
+              (l/info :task "recheck"
+                      :action "recheck items"
+                      :processed n
+                      :deleted n)
              {:processed n :deleted d})))))))

 (def sql:retrieve-pending-to-recheck
--- a/backend/src/app/storage/db.clj
+++ b/backend/src/app/storage/db.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020-2021 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.storage.db
  (:require
--- a/backend/src/app/storage/fs.clj
+++ b/backend/src/app/storage/fs.clj
@@ -2,22 +2,19 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020-2021 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.storage.fs
  (:require
   [app.common.exceptions :as ex]
   [app.common.spec :as us]
+   [app.common.uri :as u]
   [app.storage.impl :as impl]
   [clojure.java.io :as io]
   [clojure.spec.alpha :as s]
   [cuerdas.core :as str]
   [datoteka.core :as fs]
-   [integrant.core :as ig]
-   [lambdaisland.uri :as u])
+   [integrant.core :as ig])
  (:import
   java.io.InputStream
   java.io.OutputStream
@@ -43,7 +40,7 @@
             :uri (u/uri (str "file://" dir))))))

 (s/def ::type ::us/keyword)
-(s/def ::uri #(instance? lambdaisland.uri.URI %))
+(s/def ::uri u/uri?)
 (s/def ::backend
  (s/keys :req-un [::type ::directory ::uri]))

--- a/backend/src/app/storage/impl.clj
+++ b/backend/src/app/storage/impl.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020-2021 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.storage.impl
  "Storage backends abstraction layer."
@@ -148,8 +145,8 @@
    (make-output-stream [_ opts]
      (throw (UnsupportedOperationException. "not implemented")))

-      clojure.lang.Counted
-      (count [_] size)))
+    clojure.lang.Counted
+    (count [_] size)))

 (defn content
  ([data] (content data nil))
--- a/backend/src/app/storage/s3.clj
+++ b/backend/src/app/storage/s3.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.storage.s3
  "Storage backends abstraction layer."
@@ -13,12 +10,12 @@
   [app.common.data :as d]
   [app.common.exceptions :as ex]
   [app.common.spec :as us]
+   [app.common.uri :as u]
   [app.storage.impl :as impl]
   [app.util.time :as dt]
   [clojure.java.io :as io]
   [clojure.spec.alpha :as s]
-   [integrant.core :as ig]
-   [lambdaisland.uri :as u])
+   [integrant.core :as ig])
  (:import
   java.time.Duration
   java.util.Collection
--- a/backend/src/app/svgparse.clj
+++ b/backend/src/app/svgparse.clj
@@ -1,72 +0,0 @@
-;; This Source Code Form is subject to the terms of the Mozilla Public
-;; License, v. 2.0. If a copy of the MPL was not distributed with this
-;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) UXBOX Labs SL
-
-(ns app.svgparse
-  (:require
-   [app.common.exceptions :as ex]
-   [app.metrics :as mtx]
-   [clojure.spec.alpha :as s]
-   [clojure.tools.logging :as log]
-   [clojure.xml :as xml]
-   [integrant.core :as ig])
-  (:import
-   org.apache.commons.io.IOUtils))
-
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;; Handler
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-
-(declare handler)
-(declare process-request)
-
-(defmethod ig/pre-init-spec ::handler [_]
-  (s/keys :req-un [::mtx/metrics]))
-
-(defmethod ig/init-key ::handler
-  [_ {:keys [metrics] :as cfg}]
-  (let [handler #(handler cfg %)]
-    (->> {:registry (:registry metrics)
-          :type :summary
-          :name "http_handler_svgparse_timing"
-          :help "svg parse timings"}
-         (mtx/instrument handler))))
-
-(defn- handler
-  [_ {:keys [headers body] :as request}]
-  (when (not= "image/svg+xml" (get headers "content-type"))
-    (ex/raise :type :validation
-              :code :unsupported-mime-type
-              :mime (get headers "content-type")))
-  {:status 200
-   :body (process-request body)})
-
-(defn secure-factory
-  [s ch]
-  (.. (doto (javax.xml.parsers.SAXParserFactory/newInstance)
-        (.setFeature javax.xml.XMLConstants/FEATURE_SECURE_PROCESSING true)
-        (.setFeature "http://apache.org/xml/features/disallow-doctype-decl" true))
-      (newSAXParser)
-      (parse s ch)))
-
-(defn parse
-  [data]
-  (try
-    (with-open [istream (IOUtils/toInputStream data "UTF-8")]
-      (xml/parse istream secure-factory))
-    (catch Exception e
-      (log/warnf "error on processing svg: %s" (ex-message e))
-      (ex/raise :type :validation
-                :code :invalid-svg-file
-                :cause e))))
-
-(defn process-request
-  [body]
-  (let [data (slurp body)]
-    (parse data)))
-
--- a/backend/src/app/tasks.clj
+++ b/backend/src/app/tasks.clj
@@ -1,110 +0,0 @@
-;; This Source Code Form is subject to the terms of the Mozilla Public
-;; License, v. 2.0. If a copy of the MPL was not distributed with this
-;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020-2021 UXBOX Labs SL
-
-(ns app.tasks
-  (:require
-   [app.common.spec :as us]
-   [app.common.uuid :as uuid]
-   [app.db :as db]
-   [app.metrics :as mtx]
-   [app.util.time :as dt]
-   [app.worker]
-   [clojure.spec.alpha :as s]
-   [clojure.tools.logging :as log]
-   [integrant.core :as ig]))
-
-(s/def ::name ::us/string)
-(s/def ::delay
-  (s/or :int ::us/integer
-        :duration dt/duration?))
-(s/def ::queue ::us/string)
-
-(s/def ::task-options
-  (s/keys :req-un [::name]
-          :opt-un [::delay ::props ::queue]))
-
-(def ^:private sql:insert-new-task
-  "insert into task (id, name, props, queue, priority, max_retries, scheduled_at)
-   values (?, ?, ?, ?, ?, ?, clock_timestamp() + ?)
-   returning id")
-
-(defn submit!
-  [conn {:keys [name delay props queue priority max-retries]
-         :or {delay 0 props {} queue "default" priority 100 max-retries 3}
-         :as options}]
-  (us/verify ::task-options options)
-  (let [duration  (dt/duration delay)
-        interval  (db/interval duration)
-        props     (db/tjson props)
-        id        (uuid/next)]
-    (log/debugf "submit task '%s' to be executed in '%s'" name (str duration))
-    (db/exec-one! conn [sql:insert-new-task id name props queue priority max-retries interval])
-    id))
-
-(defn- instrument!
-  [registry]
-  (mtx/instrument-vars!
-   [#'submit!]
-   {:registry registry
-    :type :counter
-    :labels ["name"]
-    :name "tasks_submit_total"
-    :help "A counter of task submissions."
-    :wrap (fn [rootf mobj]
-            (let [mdata (meta rootf)
-                  origf (::original mdata rootf)]
-              (with-meta
-                (fn [conn params]
-                  (let [tname (:name params)]
-                    (mobj :inc [tname])
-                    (origf conn params)))
-                {::original origf})))})
-
-  (mtx/instrument-vars!
-   [#'app.worker/run-task]
-   {:registry registry
-    :type :summary
-    :quantiles []
-    :name "tasks_checkout_timing"
-    :help "Latency measured between scheduld_at and execution time."
-    :wrap (fn [rootf mobj]
-            (let [mdata (meta rootf)
-                  origf (::original mdata rootf)]
-              (with-meta
-                (fn [tasks item]
-                  (let [now (inst-ms (dt/now))
-                        sat (inst-ms (:scheduled-at item))]
-                    (mobj :observe (- now sat))
-                    (origf tasks item)))
-                {::original origf})))}))
-
-;; --- STATE INIT: REGISTRY
-
-(s/def ::tasks
-  (s/map-of keyword? fn?))
-
-(defmethod ig/pre-init-spec ::registry [_]
-  (s/keys :req-un [::mtx/metrics ::tasks]))
-
-(defmethod ig/init-key ::registry
-  [_ {:keys [metrics tasks]}]
-  (instrument! (:registry metrics))
-  (let [mobj (mtx/create
-              {:registry (:registry metrics)
-               :type :summary
-               :labels ["name"]
-               :quantiles []
-               :name "tasks_timing"
-               :help "Background task execution timing."})]
-    (reduce-kv (fn [res k v]
-                 (let [tname (name k)]
-                   (log/debugf "registring task '%s'" tname)
-                   (assoc res tname (mtx/wrap-summary v mobj [tname]))))
-               {}
-               tasks)))
--- a/backend/src/app/tasks/delete_object.clj
+++ b/backend/src/app/tasks/delete_object.clj
@@ -2,18 +2,17 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.tasks.delete-object
  "Generic task for permanent deletion of objects."
  (:require
+   [app.common.data :as d]
   [app.common.spec :as us]
   [app.db :as db]
+   [app.storage :as sto]
+   [app.util.logging :as l]
   [clojure.spec.alpha :as s]
-   [clojure.tools.logging :as log]
   [integrant.core :as ig]))

 (declare handle-deletion)
@@ -26,7 +25,8 @@
  (fn [{:keys [props] :as task}]
    (us/verify ::props props)
    (db/with-atomic [conn pool]
-      (handle-deletion conn props))))
+      (let [cfg (assoc cfg :conn conn)]
+        (handle-deletion cfg props)))))

 (s/def ::type ::us/keyword)
 (s/def ::id ::us/uuid)
@@ -36,20 +36,32 @@
  (fn [_ props] (:type props)))

 (defmethod handle-deletion :default
-  [_conn {:keys [type]}]
-  (log/warnf "no handler found for '%s'" type))
+  [_cfg {:keys [type]}]
+  (l/warn :hint "no handler found"
+          :type (d/name type)))

 (defmethod handle-deletion :file
-  [conn {:keys [id] :as props}]
+  [{:keys [conn]} {:keys [id] :as props}]
  (let [sql "delete from file where id=? and deleted_at is not null"]
    (db/exec-one! conn [sql id])))

 (defmethod handle-deletion :project
-  [conn {:keys [id] :as props}]
+  [{:keys [conn]} {:keys [id] :as props}]
  (let [sql "delete from project where id=? and deleted_at is not null"]
    (db/exec-one! conn [sql id])))

 (defmethod handle-deletion :team
-  [conn {:keys [id] :as props}]
+  [{:keys [conn]} {:keys [id] :as props}]
  (let [sql "delete from team where id=? and deleted_at is not null"]
    (db/exec-one! conn [sql id])))
+
+(defmethod handle-deletion :team-font-variant
+  [{:keys [conn storage]} {:keys [id] :as props}]
+  (let [font    (db/get-by-id conn :team-font-variant id {:uncheked true})
+        storage (assoc storage :conn conn)]
+    (when (:deleted-at font)
+      (db/delete! conn :team-font-variant {:id id})
+      (some->> (:woff1-file-id font) (sto/del-object storage))
+      (some->> (:woff2-file-id font) (sto/del-object storage))
+      (some->> (:otf-file-id font)   (sto/del-object storage))
+      (some->> (:ttf-file-id font)   (sto/del-object storage)))))
--- a/backend/src/app/tasks/delete_profile.clj
+++ b/backend/src/app/tasks/delete_profile.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020-2021 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.tasks.delete-profile
  "Task for permanent deletion of profiles."
@@ -13,8 +10,8 @@
   [app.common.spec :as us]
   [app.db :as db]
   [app.db.sql :as sql]
+   [app.util.logging :as l]
   [clojure.spec.alpha :as s]
-   [clojure.tools.logging :as log]
   [integrant.core :as ig]))

 (declare delete-profile-data)
@@ -47,7 +44,8 @@
        (if (or (:is-demo profile)
                (:deleted-at profile))
          (delete-profile-data conn id)
-          (log/warnf "profile '%s' does not match constraints for deletion" id))))))
+          (l/warn :hint "profile does not match constraints for deletion"
+                  :profile-id id))))))

 ;; --- IMPL

@@ -70,7 +68,8 @@

 (defn- delete-profile-data
  [conn profile-id]
-  (log/debugf "proceding to delete all data related to profile '%s'" profile-id)
+  (l/debug :action "delete profile"
+           :profile-id profile-id)
  (delete-teams conn profile-id)
  (delete-profile conn profile-id)
  true)
--- a/backend/src/app/tasks/file_media_gc.clj
+++ b/backend/src/app/tasks/file_media_gc.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020-2021 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.tasks.file-media-gc
  "A maintenance task that is responsible to purge the unused media
@@ -15,9 +12,9 @@
   [app.common.pages.migrations :as pmg]
   [app.db :as db]
   [app.util.blob :as blob]
+   [app.util.logging :as l]
   [app.util.time :as dt]
   [clojure.spec.alpha :as s]
-   [clojure.tools.logging :as log]
   [integrant.core :as ig]))

 (declare process-file)
@@ -40,7 +37,7 @@
                (run! (partial process-file cfg) files)
                (recur (+ n (count files))))
              (do
-                (log/debugf "finalized with total of %s processed files" n)
+                (l/debug :msg "finished processing files" :processed n)
                {:processed n}))))))))

 (def ^:private
@@ -88,7 +85,10 @@
        unused (->> (db/query conn :file-media-object {:file-id id})
                    (remove #(contains? used (:id %))))]

-    (log/debugf "processing file: id='%s' age='%s' to-delete=%s" id age (count unused))
+    (l/debug :action "processing file"
+             :id id
+             :age age
+             :to-delete (count unused))

    ;; Mark file as trimmed
    (db/update! conn :file
@@ -96,10 +96,15 @@
                {:id id})

    (doseq [mobj unused]
-      (log/debugf "deleting media object: id='%s' media-id='%s' thumb-id='%s'"
-                  (:id mobj) (:media-id mobj) (:thumbnail-id mobj))
+      (l/debug :action "deleting media object"
+               :id (:id mobj)
+               :media-id (:media-id mobj)
+               :thumbnail-id (:thumbnail-id mobj))
      ;; NOTE: deleting the file-media-object in the database
-      ;; automatically marks as toched the referenced storage objects.
+      ;; automatically marks as toched the referenced storage
+      ;; objects. The touch mechanism is needed because many files can
+      ;; point to the same storage objects and we can't just delete
+      ;; them.
      (db/delete! conn :file-media-object {:id (:id mobj)}))

    nil))
--- a/backend/src/app/tasks/file_xlog_gc.clj
+++ b/backend/src/app/tasks/file_xlog_gc.clj
@@ -2,19 +2,16 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020-2021 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.tasks.file-xlog-gc
  "A maintenance task that performs a garbage collection of the file
  change (transaction) log."
  (:require
   [app.db :as db]
+   [app.util.logging :as l]
   [app.util.time :as dt]
   [clojure.spec.alpha :as s]
-   [clojure.tools.logging :as log]
   [integrant.core :as ig]))

 (declare sql:delete-files-xlog)
@@ -31,7 +28,7 @@
      (let [interval (db/interval max-age)
            result   (db/exec-one! conn [sql:delete-files-xlog interval])
            result   (:next.jdbc/update-count result)]
-        (log/debugf "removed %s rows from file-change table" result)
+        (l/debug :action "trim file-change table" :removed result)
        result))))

 (def ^:private
--- a/backend/src/app/tasks/sendmail.clj
+++ b/backend/src/app/tasks/sendmail.clj
@@ -1,58 +0,0 @@
-;; This Source Code Form is subject to the terms of the Mozilla Public
-;; License, v. 2.0. If a copy of the MPL was not distributed with this
-;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020-2021 UXBOX Labs SL
-
-(ns app.tasks.sendmail
-  (:require
-   [app.config :as cfg]
-   [app.util.emails :as emails]
-   [clojure.spec.alpha :as s]
-   [clojure.tools.logging :as log]
-   [integrant.core :as ig]))
-
-(declare send-console!)
-
-(s/def ::username ::cfg/smtp-username)
-(s/def ::password ::cfg/smtp-password)
-(s/def ::tls ::cfg/smtp-tls)
-(s/def ::ssl ::cfg/smtp-ssl)
-(s/def ::host ::cfg/smtp-host)
-(s/def ::port ::cfg/smtp-port)
-(s/def ::default-reply-to ::cfg/smtp-default-reply-to)
-(s/def ::default-from ::cfg/smtp-default-from)
-(s/def ::enabled ::cfg/smtp-enabled)
-
-(defmethod ig/pre-init-spec ::handler [_]
-  (s/keys :req-un [::enabled]
-          :opt-un [::username
-                   ::password
-                   ::tls
-                   ::ssl
-                   ::host
-                   ::port
-                   ::default-from
-                   ::default-reply-to]))
-
-(defmethod ig/init-key ::handler
-  [_ cfg]
-  (fn [{:keys [props] :as task}]
-    (if (:enabled cfg)
-      (emails/send! cfg props)
-      (send-console! cfg props))))
-
-(defn- send-console!
-  [cfg email]
-  (let [baos (java.io.ByteArrayOutputStream.)
-        mesg (emails/smtp-message cfg email)]
-    (.writeTo mesg baos)
-    (let [out (with-out-str
-                (println "email console dump:")
-                (println "******** start email" (:id email) "**********")
-                (println (.toString baos))
-                (println "******** end email "(:id email) "**********"))]
-      (log/info out))))
--- a/backend/src/app/tasks/tasks_gc.clj
+++ b/backend/src/app/tasks/tasks_gc.clj
@@ -2,19 +2,16 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020-2021 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.tasks.tasks-gc
  "A maintenance task that performs a cleanup of already executed tasks
  from the database table."
  (:require
   [app.db :as db]
+   [app.util.logging :as l]
   [app.util.time :as dt]
   [clojure.spec.alpha :as s]
-   [clojure.tools.logging :as log]
   [integrant.core :as ig]))

 (declare sql:delete-completed-tasks)
@@ -31,7 +28,7 @@
      (let [interval (db/interval max-age)
            result   (db/exec-one! conn [sql:delete-completed-tasks interval])
            result   (:next.jdbc/update-count result)]
-        (log/debugf "removed %s rows from tasks-completed table" result)
+        (l/debug :action "trim completed tasks table" :removed result)
        result))))

 (def ^:private
--- a/backend/src/app/tasks/telemetry.clj
+++ b/backend/src/app/tasks/telemetry.clj
@@ -2,16 +2,14 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.tasks.telemetry
  "A task that is reponsible to collect anonymous statistical
  information about the current instance and send it to the telemetry
  server."
  (:require
+   [app.common.data :as d]
   [app.common.exceptions :as ex]
   [app.common.spec :as us]
   [app.config :as cfg]
@@ -32,7 +30,6 @@
 (s/def ::sprops
  (s/keys :req-un [::instance-id]))

-
 (defmethod ig/pre-init-spec ::handler [_]
  (s/keys :req-un [::db/pool ::version ::uri ::sprops]))

@@ -63,10 +60,9 @@
                                 :uri (:uri cfg)
                                 :headers {"content-type" "application/json"}
                                 :body (json/encode-str data)})]
-
-    (when (not= 200 (:status response))
+    (when (> (:status response) 206)
      (ex/raise :type :internal
-                :code :invalid-response-from-google
+                :code :invalid-response
                :context {:status (:status response)
                          :body (:body response)}))))

@@ -128,11 +124,16 @@

 (defn- retrieve-stats
  [{:keys [conn version]}]
-  (merge
-   {:version version
-    :with-taiga  (:telemetry-with-taiga cfg/config false)
-    :total-teams (retrieve-num-teams conn)
-    :total-projects (retrieve-num-projects conn)
-    :total-files (retrieve-num-files conn)}
-   (retrieve-team-averages conn)
-   (retrieve-jvm-stats)))
+  (let [referer (if (cfg/get :telemetry-with-taiga)
+                  "taiga"
+                  (cfg/get :telemetry-referer))]
+    (-> {:version        version
+         :referer        referer
+         :total-teams    (retrieve-num-teams conn)
+         :total-projects (retrieve-num-projects conn)
+         :total-files    (retrieve-num-files conn)}
+        (d/merge
+         (retrieve-team-averages conn)
+         (retrieve-jvm-stats))
+        (d/without-nils))))
+
--- a/backend/src/app/telemetry.clj
+++ b/backend/src/app/telemetry.clj
@@ -1,121 +0,0 @@
-;; This Source Code Form is subject to the terms of the Mozilla Public
-;; License, v. 2.0. If a copy of the MPL was not distributed with this
-;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020-2021 UXBOX Labs SL
-
-(ns app.telemetry
-  (:require
-   [app.common.spec :as us]
-   [app.db :as db]
-   [app.http.middleware :refer [wrap-parse-request-body]]
-   [clojure.pprint :refer [pprint]]
-   [clojure.spec.alpha :as s]
-   [clojure.tools.logging :as log]
-   [integrant.core :as ig]
-   [promesa.exec :as px]
-   [ring.middleware.keyword-params :refer [wrap-keyword-params]]
-   [ring.middleware.params :refer [wrap-params]]))
-
-
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;; Migrations
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-
-(def sql:create-instance-table
-  "CREATE TABLE IF NOT EXISTS telemetry.instance (
-    id uuid PRIMARY KEY,
-    created_at timestamptz NOT NULL DEFAULT now()
-  );")
-
-(def sql:create-info-table
-  "CREATE TABLE telemetry.info (
-     instance_id uuid,
-     created_at timestamptz NOT NULL DEFAULT clock_timestamp(),
-     data jsonb NOT NULL,
-
-     PRIMARY KEY (instance_id, created_at)
-  ) PARTITION BY RANGE(created_at);
-
-  CREATE TABLE telemetry.info_default (LIKE telemetry.info INCLUDING ALL);
-
-  ALTER TABLE telemetry.info
-    ATTACH PARTITION telemetry.info_default DEFAULT;")
-
-(def migrations
-  [{:name "0001-add-telemetry-schema"
-    :fn #(db/exec! % ["CREATE SCHEMA IF NOT EXISTS telemetry;"])}
-
-   {:name "0002-add-instance-table"
-    :fn #(db/exec! % [sql:create-instance-table])}
-
-   {:name "0003-add-info-table"
-    :fn #(db/exec! % [sql:create-info-table])}
-
-   {:name "0004-del-instance-table"
-    :fn #(db/exec! % ["DROP TABLE telemetry.instance;"])}])
-
-(defmethod ig/init-key ::migrations [_ _] migrations)
-
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;; Router Handler
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-
-(declare handler)
-(declare process-request)
-
-(defmethod ig/init-key ::handler
-  [_ cfg]
-  (-> (partial handler cfg)
-      (wrap-keyword-params)
-      (wrap-params)
-      (wrap-parse-request-body)))
-
-(s/def ::instance-id ::us/uuid)
-(s/def ::params (s/keys :req-un [::instance-id]))
-
-(defn handler
-  [{:keys [executor] :as cfg} {:keys [params] :as request}]
-  (try
-    (let [params (us/conform ::params params)
-          cfg    (assoc cfg
-                        :instance-id (:instance-id params)
-                        :data (dissoc params :instance-id))]
-      (px/run! executor (partial process-request cfg)))
-    (catch Exception e
-      ;; We don't want notify user of a error, just log it for posible
-      ;; future investigation.
-      (log/warn e (str "unexpected error on telemetry:\n"
-                       (when-let [edata (ex-data e)]
-                         (str "ex-data: \n"
-                              (with-out-str (pprint edata))))
-                       (str "params: \n"
-                            (with-out-str (pprint params)))))))
-  {:status 200
-   :body "OK\n"})
-
-
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;; Request Processing
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-
-(def sql:insert-instance-info
-  "insert into telemetry.info (instance_id, data, created_at)
-   values (?, ?, date_trunc('day', now()))
-       on conflict (instance_id, created_at)
-       do update set data = ?")
-
-(defn- process-request
-  [{:keys [pool instance-id data]}]
-  (try
-    (db/with-atomic [conn pool]
-      (let [data (db/json data)]
-        (db/exec! conn [sql:insert-instance-info
-                        instance-id
-                        data
-                        data])))
-    (catch Exception e
-      (log/errorf e "error on procesing request"))))
--- a/backend/src/app/tokens.clj
+++ b/backend/src/app/tokens.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020-2021 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.tokens
  "Tokens generation service."
@@ -54,11 +51,11 @@
    claims))

 (s/def ::secret-key ::us/string)
-(s/def ::sprops
+(s/def ::props
  (s/keys :req-un [::secret-key]))

 (defmethod ig/pre-init-spec ::tokens [_]
-  (s/keys :req-un [::sprops]))
+  (s/keys :req-un [::props]))

 (defn- generate-predefined
  [cfg {:keys [iss profile-id] :as params}]
@@ -74,8 +71,8 @@
              :hint "no predefined token")))

 (defmethod ig/init-key ::tokens
-  [_ {:keys [sprops] :as cfg}]
-  (let [secret (derive-tokens-secret (:secret-key sprops))
+  [_ {:keys [props] :as cfg}]
+  (let [secret (derive-tokens-secret (:secret-key props))
        cfg    (assoc cfg ::secret secret)]
    (fn [action params]
      (case action
--- a/backend/src/app/util/async.clj
+++ b/backend/src/app/util/async.clj
@@ -2,7 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; Copyright (c) 2020 Andrey Antukh <niwi@niwi.nz>
+;; Copyright (c) UXBOX Labs SL

 (ns app.util.async
  (:require
@@ -60,3 +60,44 @@
  (if (= executor ::default)
    `(a/thread-call (^:once fn* [] (try ~@body (catch Exception e# e#))))
    `(thread-call ~executor (^:once fn* [] ~@body))))
+
+(defn batch
+  [in {:keys [max-batch-size
+              max-batch-age
+              buffer-size
+              init]
+       :or {max-batch-size 200
+            max-batch-age (* 30 1000)
+            buffer-size 128
+            init #{}}
+       :as opts}]
+  (let [out (a/chan buffer-size)]
+    (a/go-loop [tch (a/timeout max-batch-age) buf init]
+      (let [[val port] (a/alts! [tch in])]
+        (cond
+          (identical? port tch)
+          (if (empty? buf)
+            (recur (a/timeout max-batch-age) buf)
+            (do
+              (a/>! out [:timeout buf])
+              (recur (a/timeout max-batch-age) init)))
+
+          (nil? val)
+          (if (empty? buf)
+            (a/close! out)
+            (do
+              (a/offer! out [:timeout buf])
+              (a/close! out)))
+
+          (identical? port in)
+          (let [buf (conj buf val)]
+            (if (>= (count buf) max-batch-size)
+              (do
+                (a/>! out [:size buf])
+                (recur (a/timeout max-batch-age) init))
+              (recur tch buf))))))
+    out))
+
+(defn thread-sleep
+  [ms]
+  (Thread/sleep ms))
--- a/backend/src/app/util/blob.clj
+++ b/backend/src/app/util/blob.clj
@@ -2,16 +2,13 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2016-2020 Andrey Antukh <niwi@niwi.nz>
+;; Copyright (c) UXBOX Labs SL

 (ns app.util.blob
-  "A generic blob storage encoding. Mainly used for
-  page data, page options and txlog payload storage."
+  "A generic blob storage encoding. Mainly used for page data, page
+  options and txlog payload storage."
  (:require
-   [app.config :as cfg]
+   [app.config :as cf]
   [app.util.transit :as t]
   [taoensso.nippy :as n])
  (:import
@@ -33,17 +30,15 @@
 (declare encode-v2)
 (declare encode-v3)

-(def default-version
-  (:default-blob-version cfg/config 1))
-
 (defn encode
  ([data] (encode data nil))
-  ([data {:keys [version] :or {version default-version}}]
-   (case  (long version)
-     1 (encode-v1 data)
-     2 (encode-v2 data)
-     3 (encode-v3 data)
-     (throw (ex-info "unsupported version" {:version version})))))
+  ([data {:keys [version]}]
+   (let [version (or version (cf/get :default-blob-version 1))]
+     (case (long version)
+       1 (encode-v1 data)
+       2 (encode-v2 data)
+       3 (encode-v3 data)
+       (throw (ex-info "unsupported version" {:version version}))))))

 (defn decode
  "A function used for decode persisted blobs in the database."
--- a/backend/src/app/util/closeable.clj
+++ b/backend/src/app/util/closeable.clj
@@ -2,7 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; Copyright (c) 2016 Andrey Antukh <niwi@niwi.nz>
+;; Copyright (c) UXBOX Labs SL

 (ns app.util.closeable
  "A closeable abstraction. A drop in replacement for
--- a/backend/src/app/util/data.clj
+++ b/backend/src/app/util/data.clj
@@ -1,54 +0,0 @@
-;; This Source Code Form is subject to the terms of the Mozilla Public
-;; License, v. 2.0. If a copy of the MPL was not distributed with this
-;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;;
-;; Copyright (c) 2016 Andrey Antukh <niwi@niwi.nz>
-
-(ns app.util.data
-  "Data transformations utils."
-  (:require [clojure.walk :as walk]
-            [cuerdas.core :as str]))
-
-;; TODO: move to app.common.helpers
-
-(defn dissoc-in
-  [m [k & ks]]
-  (if ks
-    (if-let [nextmap (get m k)]
-      (let [newmap (dissoc-in nextmap ks)]
-        (if (seq newmap)
-          (assoc m k newmap)
-          (dissoc m k)))
-      m)
-    (dissoc m k)))
-
-(defn normalize-attrs
-  "Recursively transforms all map keys from strings to keywords."
-  [m]
-  (letfn [(tf [[k v]]
-            (let [ks (-> (name k)
-                         (str/replace "_" "-"))]
-              [(keyword ks) v]))
-          (walker [x]
-            (if (map? x)
-              (into {} (map tf) x)
-              x))]
-    (walk/postwalk walker m)))
-
-(defn strip-delete-attrs
-  [m]
-  (dissoc m :deleted-at))
-
-(defn normalize
-  "Perform a common normalization transformation
-  for a entity (database retrieved) data structure."
-  [m]
-  (-> m normalize-attrs strip-delete-attrs))
-
-(defn deep-merge
-  [& maps]
-  (letfn [(merge' [& maps]
-            (if (every? map? maps)
-              (apply merge-with merge' maps)
-              (last maps)))]
-    (apply merge' (remove nil? maps))))
--- a/backend/src/app/util/dispatcher.clj
+++ b/backend/src/app/util/dispatcher.clj
@@ -1,95 +0,0 @@
-;; This Source Code Form is subject to the terms of the Mozilla Public
-;; License, v. 2.0. If a copy of the MPL was not distributed with this
-;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;;
-;; Copyright (c) 2019 Andrey Antukh <niwi@niwi.nz>
-
-(ns app.util.dispatcher
-  "A generic service dispatcher implementation."
-  (:refer-clojure :exclude [defmethod])
-  (:require
-   [app.common.exceptions :as ex]
-   [clojure.spec.alpha :as s])
-  (:import
-   java.util.HashMap
-   java.util.Map))
-
-(definterface IDispatcher
-  (^void add [key f]))
-
-(deftype Dispatcher [reg attr wrap]
-  IDispatcher
-  (add [this key f]
-    (.put ^Map reg key (wrap f))
-    this)
-
-
-  clojure.lang.IDeref
-  (deref [_]
-    {:registry reg
-     :attr attr
-     :wrap wrap})
-
-  clojure.lang.IFn
-  (invoke [_ params]
-    (let [key (get params attr)
-          f   (.get ^Map reg key)]
-      (when (nil? f)
-        (ex/raise :type :method-not-found
-                  :hint "No method found for the current request."
-                  :context {:key key}))
-      (f params))))
-
-(defn dispatcher?
-  [v]
-  (instance? IDispatcher v))
-
-(defmacro defservice
-  [sname & {:keys [dispatch-by wrap]}]
-  `(def ~sname (Dispatcher. (HashMap.) ~dispatch-by ~wrap)))
-
-(defn parse-defmethod
-  [args]
-  (loop [r {}
-         s 0
-         v (first args)
-         n (rest args)]
-    (case s
-      0 (if (symbol? v)
-          (recur (assoc r :sym v) 1 (first n) (rest n))
-          (throw (ex-info "first arg to `defmethod` should be a symbol" {})))
-      1 (if (qualified-keyword? v)
-          (recur (-> r
-                     (assoc :key (keyword (name v)))
-                     (assoc :meta {:spec v :doc nil}))
-                 3 (first n) (rest n))
-          (recur r (inc s) v n))
-      2  (if (simple-keyword? v)
-          (recur (-> r
-                     (assoc :key v)
-                     (assoc :meta {:doc nil}))
-                 3 (first n) (rest n))
-          (throw (ex-info "second arg to `defmethod` should be a keyword" {})))
-      3 (if (string? v)
-          (recur (update r :meta assoc :doc v) (inc s) (first n) (rest n))
-          (recur r 4 v n))
-      4 (if (map? v)
-          (recur (update r :meta merge v) (inc s) (first n) (rest n))
-          (recur r 5 v n))
-      5 (if (vector? v)
-          (assoc r :args v :body n)
-          (throw (ex-info "missing arguments vector" {}))))))
-
-(defn add-method
-  [^Dispatcher dsp key f meta]
-  (let [f (with-meta f meta)]
-    (.add dsp key f)
-    dsp))
-
-(defmacro defmethod
-  [& args]
-  (let [{:keys [key meta sym args body]} (parse-defmethod args)
-        f `(fn ~args ~@body)]
-    `(do
-       (s/assert dispatcher? ~sym)
-       (add-method ~sym ~key ~f ~meta))))
--- a/backend/src/app/util/emails.clj
+++ b/backend/src/app/util/emails.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.util.emails
  (:require
--- a/backend/src/app/util/http.clj
+++ b/backend/src/app/util/http.clj
@@ -2,10 +2,7 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; This Source Code Form is "Incompatible With Secondary Licenses", as
-;; defined by the Mozilla Public License, v. 2.0.
-;;
-;; Copyright (c) 2020 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.util.http
  "Http client abstraction layer."
--- a/Show More
+++ b/Show More