fix: consume blob stream correctly (#5706)

- use correctly endpoint in r2
- consume blob stream correctly

.eslintignore

@@ -11,6 +11,4 @@ e2e-dist-*
 static
 web-static
 public
-packages/common/sdk/src/*.d.ts
-packages/common/sdk/src/*.js
 packages/frontend/i18n/src/i18n-generated.ts

.eslintrc.js

@@ -61,7 +61,6 @@ const allPackages = [
   'packages/frontend/core',
   'packages/frontend/electron',
   'packages/frontend/graphql',
-  'packages/frontend/hooks',
   'packages/frontend/i18n',
   'packages/frontend/native',
   'packages/frontend/templates',
@@ -69,10 +68,8 @@ const allPackages = [
   'packages/common/debug',
   'packages/common/env',
   'packages/common/infra',
-  'packages/common/sdk',
   'packages/common/theme',
   'packages/common/y-indexeddb',
-  'packages/plugins/copilot',
   'tools/cli',
   'tests/storybook',
 ];

.github/CLA.md

@@ -33,32 +33,6 @@ You accept and agree to the following terms and conditions for your past, presen
 
 9. This Agreement will be governed by the laws of Republic of Singapore without reference to conflict of laws principles.
 
-## List of Contributors
+## How To Sign
 
-The below-signed are contributors to a code repository that is part of the project named "AFFiNE". Each below-signed contributor has read, understand and agrees to the terms above in the section within this document entitled "AFFiNE Contributor License Agreement" as of the date beside their real name (or entity name) and GitHub account name.
-
----
-
-<!--
-Example:
-
-- Dark Sky, @darkskygit, 2022/07/22
--->
-
-- Dark Sky, @darkskygit, 2022/07/22
-- Lin Onetwo, @linonetwo, 2022/02/14
-- zqran, @zqran, 2023/02/17
-- Alessio Gravili, @AlessioGr, 2023/03/04
-- Victor Nanka, @victornanka, 2023/03/09
-- Aditya Sharma, @adityash1, 2023/03/21
-- Fangdun Tsai, @fundon, 2023/03/21
-- Zhilin Liu, @lzlme, 2023/04/09
-- Skye Sun, @skyesun, 2023/04/14
-- Jordy Delgado, @Jdelgad8, 2023/04/17
-- Howard Do, @howarddo2208, 2023/04/20
-- 三咲智子 Kevin Deng, @sxzz, 2023/04/21
-- Moeyua, @moeyua, 2023/04/22
-- Shishu, @shishudesu, 2023/05/19
-- Kushagra Singh, @kush002, 2023/06/28
-- Sarvesh Kumar, @sarvesh521 2023/08/25
-- 微扰理论 Qinghao Huang, @wfnuser 2023/09/29
+Visit https://cla-assistant.io/toeverything/AFFiNE and sign it.

.github/actions/deploy/deploy.mjs

@@ -13,7 +13,6 @@ const {
   R2_ACCOUNT_ID,
   R2_ACCESS_KEY_ID,
   R2_SECRET_ACCESS_KEY,
-  R2_BUCKET,
   ENABLE_CAPTCHA,
   CAPTCHA_TURNSTILE_SECRET,
   OAUTH_EMAIL_SENDER,
@@ -96,7 +95,6 @@ const createHelmCommand = ({ isDryRun }) => {
     `--set-string graphql.app.objectStorage.r2.accountId="${R2_ACCOUNT_ID}"`,
     `--set-string graphql.app.objectStorage.r2.accessKeyId="${R2_ACCESS_KEY_ID}"`,
     `--set-string graphql.app.objectStorage.r2.secretAccessKey="${R2_SECRET_ACCESS_KEY}"`,
-    `--set-string graphql.app.objectStorage.r2.bucket="${R2_BUCKET}"`,
     `--set-string graphql.app.oauth.email.sender="${OAUTH_EMAIL_SENDER}"`,
     `--set-string graphql.app.oauth.email.login="${OAUTH_EMAIL_LOGIN}"`,
     `--set-string graphql.app.oauth.email.password="${OAUTH_EMAIL_PASSWORD}"`,

.github/actions/download-core/action.yml

@@ -9,7 +9,7 @@ runs:
   using: 'composite'
   steps:
     - name: Download tar.gz
-      uses: actions/download-artifact@v3
+      uses: actions/download-artifact@v4
       with:
         name: core
         path: .

.github/actions/setup-node/action.yml

@@ -21,14 +21,6 @@ inputs:
     description: 'set nmMode to hardlinks-local in .yarnrc.yml'
     required: false
     default: 'true'
-  build-infra:
-    description: 'Build infra'
-    required: false
-    default: 'true'
-  build-plugins:
-    description: 'Build plugins'
-    required: false
-    default: 'true'
   nmHoistingLimits:
     description: 'Set nmHoistingLimits in .yarnrc.yml'
     required: false
@@ -190,13 +182,3 @@ runs:
       run: node ./node_modules/electron/install.js
       env:
         electron_config_cache: ./node_modules/.cache/electron
-
-    - name: Build Infra
-      shell: bash
-      if: inputs.build-infra == 'true'
-      run: yarn run build:infra
-
-    - name: Build Plugins
-      if: inputs.build-plugins == 'true'
-      shell: bash
-      run: yarn run build:plugins

.github/deployment/front/Dockerfile

@@ -1,4 +1,4 @@
-FROM openresty/openresty:1.21.4.1-0-buster
+FROM openresty/openresty:1.21.4.3-0-buster
 WORKDIR /app
 COPY ./packages/frontend/core/dist ./dist
 COPY ./.github/deployment/front/nginx.conf /usr/local/openresty/nginx/conf/nginx.conf

.github/helm/affine-cloud/.gitignore

@@ -1 +0,0 @@
-charts/

.github/helm/affine-cloud/.helmignore

@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/

.github/helm/affine-cloud/Chart.lock

@@ -1,6 +0,0 @@
-dependencies:
-- name: postgresql
-  repository: https://charts.bitnami.com/bitnami
-  version: 13.2.23
-digest: sha256:5b64538509bd067bb0f67bf082847a2c5d66dc37d0b9d7948a40405d9c446400
-generated: "2023-12-05T03:04:57.997927753Z"

.github/helm/affine-cloud/Chart.yaml

@@ -1,12 +0,0 @@
-apiVersion: v2
-name: affine-cloud
-description: A Helm chart for AFFiNE Cloud
-
-type: application
-version: 0.6.1
-appVersion: '0.6.1'
-
-dependencies:
-  - name: postgresql
-    version: 13.2.23
-    repository: https://charts.bitnami.com/bitnami

.github/helm/affine-cloud/readme.md

@@ -1,30 +0,0 @@
-# Helm Chart Configuration
-
-The following table lists the configurable parameters of this Helm chart and their default values.
-
-## AFFiNE Cloud Server parameters
-
-| Parameter                      | Description                                        | Default            |
-| ------------------------------ | -------------------------------------------------- | ------------------ |
-| `affineCloud.tag`              | The Docker tag of the AffineCloud image to be used | `'nightly-latest'` |
-| `affineCloud.resources.cpu`    | The CPU resources allocated for AffineCloud        | `'250m'`           |
-| `affineCloud.resources.memory` | The memory resources allocated for AffineCloud     | `'0.5Gi'`          |
-| `affineCloud.signKey`          | The key used to sign the JWT tokens                | `'c2VjcmV0'`       |
-| `affineCloud.service.type`     | The type of the Kubernetes service                 | `'ClusterIP'`      |
-| `affineCloud.service.port`     | The port of the Kubernetes service                 | `'http'`           |
-| `affineCloud.mail.account`     | The email account used to send emails              | `''`               |
-| `affineCloud.mail.password`    | The password of the email account                  | `''`               |
-
-## PostgreSQL parameters
-
-| Parameter                                    | Description                                                                           | Default      |
-| -------------------------------------------- | ------------------------------------------------------------------------------------- | ------------ |
-| `postgresql.auth.username`                   | Username for the PostgreSQL database                                                  | `'affine'`   |
-| `postgresql.auth.password`                   | Password for the PostgreSQL database. Please change this for production environments. | `'password'` |
-| `postgresql.auth.database`                   | The name of the default database that will be created on image startup                | `'affine'`   |
-| `postgresql.primary.resources.limits.cpu`    | The CPU resources allocated for the PostgreSQL primary node                           | `'500m'`     |
-| `postgresql.primary.resources.limits.memory` | The memory resources allocated for the PostgreSQL primary node                        | `'0.5Gi'`    |
-
-For more postgres parameters, please refer to: https://artifacthub.io/packages/helm/bitnami/postgresql
-
-Please note that for the `postgresql.auth.password`, you should provide your own password for production environments. The default value is provided only for demonstration purposes.

.github/helm/affine-cloud/templates/_helper.tpl

@@ -1,51 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "affine-cloud.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "affine-cloud.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "affine-cloud.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "affine-cloud.labels" -}}
-helm.sh/chart: {{ include "affine-cloud.chart" . }}
-{{ include "affine-cloud.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "affine-cloud.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "affine-cloud.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}

.github/helm/affine-cloud/templates/deployment.yaml

@@ -1,51 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: "{{ include "affine-cloud.fullname" . }}"
-  labels:
-    {{- include "affine-cloud.labels" . | nindent 4 }}
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      {{- include "affine-cloud.selectorLabels" . | nindent 6 }}
-  strategy:
-    type: RollingUpdate
-    rollingUpdate:
-      maxUnavailable: 2
-  template:
-    metadata:
-      labels:
-        {{- include "affine-cloud.selectorLabels" . | nindent 8 }}
-    spec:
-      restartPolicy: Always
-      containers:
-      - name: affine-cloud
-        image: "ghcr.io/toeverything/cloud-self-hosted:{{ .Values.affineCloud.tag | default .Chart.AppVersion }}"
-        env:
-        - name: PG_USER
-          value: "{{ .Values.postgresql.auth.username }}"
-        - name: PG_PASS
-          value: "{{ .Values.postgresql.auth.password }}"
-        - name: PG_DATABASE
-          value: "{{ .Values.postgresql.auth.database }}"
-        - name: PG_HOST
-          value: "{{ .Values.postgresql.fullnameOverride | default (printf "%s-postgresql" .Release.Name) }}"
-        - name: DATABASE_URL
-          value: "{{ .Values.affineCloud.databaseUrl | default "postgresql://$(PG_USER):$(PG_PASS)@$(PG_HOST)/$(PG_DATABASE)" }}"
-        envFrom:
-        - secretRef:
-            name: affine-cloud-secret
-        ports:
-        - containerPort: 3000
-        livenessProbe:
-          httpGet:
-            path: /api/healthz
-            port: 3000
-          failureThreshold: 1
-          initialDelaySeconds: 10
-          periodSeconds: 10
-        resources:
-          limits:
-            cpu: "{{ .Values.affineCloud.resources.cpu }}"
-            memory: "{{ .Values.affineCloud.resources.memory }}"

.github/helm/affine-cloud/templates/secret.yaml

@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: affine-cloud-secret
-type: Opaque
-data:
-  SIGN_KEY: "{{ .Values.affineCloud.signKey }}"
-  MAIL_ACCOUNT: "{{ .Values.affineCloud.mail.account }}"
-  MAIL_PASSWORD: "{{ .Values.affineCloud.mail.password }}"

.github/helm/affine-cloud/templates/services.yaml

@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: "{{ include "affine-cloud.fullname" . }}"
-  labels:
-    {{- include "affine-cloud.labels" . | nindent 4 }}
-spec:
-  type: "{{ .Values.affineCloud.service.type }}"
-  ports:
-    - name: http
-      protocol: TCP
-      port: {{ .Values.affineCloud.service.port }}
-      targetPort: 3000
-  selector:
-    {{- include "affine-cloud.selectorLabels" . | nindent 4 }}

.github/helm/affine-cloud/values.yaml

@@ -1,30 +0,0 @@
-affineCloud:
-  tag: 'canary-5e0d5e0cc65ea46f326fdde12658bfac59b38c9f-0949'
-  # databaseUrl: 'postgresql://affine:password@affine-cloud-postgresql:5432/affine'
-  signKey: TUFtdFdzQTJhdGJuem01TA==
-  mail:
-    account: ''
-    password: ''
-  service:
-    type: ClusterIP
-    port: 80
-  resources:
-    cpu: '250m'
-    memory: 0.5Gi
-postgresql:
-  fullnameOverride: tcp-postgresql
-  auth:
-    # only for demo, please modify it at prod env
-    username: affine
-    password: password
-    database: affine
-  primary:
-    initdb:
-      scripts:
-        01-init.sql: |
-          CREATE DATABASE affine_binary;
-          GRANT ALL PRIVILEGES ON DATABASE affine_binary TO affine;
-    resources:
-      limits:
-        cpu: '500m'
-        memory: 0.5Gi

.github/helm/affine/charts/graphql/templates/deployment.yaml

@@ -136,11 +136,6 @@ spec:
               secretKeyRef:
                 name: "{{ .Values.app.objectStorage.r2.secretName }}"
                 key: secretAccessKey
-          - name: R2_OBJECT_STORAGE_BUCKET
-            valueFrom:
-              secretKeyRef:
-                name: "{{ .Values.app.objectStorage.r2.secretName }}"
-                key: bucket
           {{ end }}
           {{ if .Values.app.captcha.enabled }}
           - name: CAPTCHA_TURNSTILE_SECRET

.github/helm/affine/charts/graphql/templates/migration.yaml

@@ -35,6 +35,23 @@ spec:
           - name: DATABASE_URL
             value: postgres://{{ .Values.global.database.user }}:$(DATABASE_PASSWORD)@{{ .Values.global.database.gcloud.cloudSqlInternal }}:{{ .Values.global.database.port }}/{{ .Values.global.database.name }}
           {{ end }}
+          {{ if .Values.app.objectStorage.r2.enabled }}
+          - name: R2_OBJECT_STORAGE_ACCOUNT_ID
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.objectStorage.r2.secretName }}"
+                key: accountId
+          - name: R2_OBJECT_STORAGE_ACCESS_KEY_ID
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.objectStorage.r2.secretName }}"
+                key: accessKeyId
+          - name: R2_OBJECT_STORAGE_SECRET_ACCESS_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.objectStorage.r2.secretName }}"
+                key: secretAccessKey
+          {{ end }}
         resources:
           requests:
             cpu: '100m'

.github/helm/affine/charts/graphql/templates/r2-secret.yaml

@@ -8,5 +8,4 @@ data:
   accountId: {{ .Values.app.objectStorage.r2.accountId | b64enc }}
   accessKeyId: {{ .Values.app.objectStorage.r2.accessKeyId | b64enc }}
   secretAccessKey: {{ .Values.app.objectStorage.r2.secretAccessKey | b64enc }}
-  bucket: {{ .Values.app.objectStorage.r2.bucket | b64enc }}
 {{- end }}

.github/helm/affine/charts/graphql/values.yaml

@@ -34,7 +34,6 @@ app:
       accountId: ''
       accessKeyId: ''
       secretAccessKey: ''
-      bucket: ''
   oauth:
     email:
       secretName: 'oauth-email'

.github/helm/deployment_guide.md

@@ -1,60 +0,0 @@
-# Cluster Deployment Guide
-
-This document provides a step-by-step guide for developers on how to deploy services in a Kubernetes cluster. The following content assumes that the reader already has a basic understanding of Kubernetes concepts and operations.
-
-### 1. Configure Service Mesh (Optional)
-
-In the Kubernetes cluster, we optionally use Service Mesh (like Istio and Anthos Service Mesh) to manage the network interactions of microservices. If Service Mesh is already deployed on your cluster or do not need to use the service network, you can skip this step. In this step, we assume that you are using Google Kubernetes Engine (GKE) and have already installed Anthos Service Mesh on your cluster, if you wish to use another Ingress Controller, please refer to the relevant documentation.
-
-To configure your kubectl context to interact with your Kubernetes cluster using the gcloud tool, you need to execute the following commands:
-
-```sh
-export CLUSTER_NAME=your_cluster_name
-export REGION=your_cluster_region
-export PROJECT=your_project_id
-gcloud container clusters get-credentials $CLUSTER_NAME --region $REGION --project $PROJECT
-```
-
-In this command, you should replace `CLUSTER_NAME`, `REGION` and `PROJECT` with the actual name, region and project id of your Kubernetes cluster. This command retrieves the access credentials for your Kubernetes cluster and automatically configures kubectl to use these credentials.
-
-Now, to inject Service Mesh for a specific Namespace, first, set the environment variable `NAMESPACE` that should correspond to your target Kubernetes Namespace. In this example, we use `prod` as the target Namespace:
-
-```sh
-export NAMESPACE=prod
-```
-
-Then, we label the Namespace which will enable Istio to automatically inject the sidecar container for all new Pods under this Namespace:
-
-```sh
-kubectl label namespace $NAMESPACE istio-injection- istio.io/rev=asm-managed --overwrite
-```
-
-Finally, we trigger the Kubernetes Deployment restart mechanism to allow existing Pods to also obtain sidecar container injection:
-
-```sh
-kubectl rollout restart deployment -n $NAMESPACE
-```
-
-### 2. Deploying the Application
-
-Next, we will deploy our application in the Kubernetes cluster through Helm. First, set relevant environment variables:
-
-```sh
-export NAMESPACE=prod
-export RELEASE=affine-cloud-prod
-export PATH=.github/helm/affine-cloud
-```
-
-- `NAMESPACE` should be consistent with the first step, indicating your target Kubernetes Namespace.
-- `RELEASE` is the name of your Helm release.
-- `PATH` is the location of your Helm chart in your file system.
-
-Finally, use the `helm upgrade --install` command to deploy or upgrade your application:
-
-```sh
-helm upgrade --namespace $NAMESPACE --create-namespace --install $RELEASE $PATH
-```
-
-This command creates (if it doesn't already exist) and deploys your Helm chart in the specified Namespace. If the release already exists, it will be upgraded.
-
-The above are the complete steps for deploying an application in a Kubernetes cluster. Make sure all prerequisites are met before deploying, and also ensure that you have the correct permissions for operations in Kubernetes.

.github/labeler.yml

@@ -19,26 +19,11 @@ mod:dev:
           - 'tools/cli/**/*'
           - 'packages/common/debug/**/*'
 
-mod:plugin:
-  - changed-files:
-      - any-glob-to-any-file:
-          - 'packages/plugins/**/*'
-
-plugin:copilot:
-  - changed-files:
-      - any-glob-to-any-file:
-          - 'packages/plugins/copilot/**/*'
-
 mod:infra:
   - changed-files:
       - any-glob-to-any-file:
           - 'packages/common/infra/**/*'
 
-mod:sdk:
-  - changed-files:
-      - any-glob-to-any-file:
-          - 'packages/common/sdk/**/*'
-
 mod:plugin-cli:
   - changed-files:
       - any-glob-to-any-file:
@@ -47,7 +32,12 @@ mod:plugin-cli:
 mod:workspace:
   - changed-files:
       - any-glob-to-any-file:
-          - 'packages/frontend/workspace/**/*'
+          - 'packages/common/workspace/**/*'
+
+mod:workspace-impl:
+  - changed-files:
+      - any-glob-to-any-file:
+          - 'packages/frontend/workspace-impl/**/*'
 
 mod:i18n:
   - changed-files:
@@ -59,11 +49,6 @@ mod:env:
       - any-glob-to-any-file:
           - 'packages/common/env/**/*'
 
-mod:hooks:
-  - changed-files:
-      - any-glob-to-any-file:
-          - 'packages/frontend/hooks/**/*'
-
 mod:component:
   - changed-files:
       - any-glob-to-any-file:

.github/renovate.json

@@ -1,27 +1,35 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": [
-    "config:base",
-    "group:allNonMajor",
-    ":preserveSemverRanges",
-    ":disablePeerDependencies"
-  ],
+  "extends": ["config:recommended", ":disablePeerDependencies"],
   "labels": ["dependencies"],
+  "ignorePaths": [
+    "**/node_modules/**",
+    "**/bower_components/**",
+    "**/vendor/**",
+    "**/examples/**",
+    "**/__tests__/**",
+    "**/test/**",
+    "**/__fixtures__/**"
+  ],
   "packageRules": [
     {
       "matchPackageNames": ["napi", "napi-build", "napi-derive"],
+      "rangeStrategy": "replace",
       "groupName": "napi-rs"
     },
     {
       "matchPackagePatterns": ["^eslint", "^@typescript-eslint"],
+      "rangeStrategy": "replace",
       "groupName": "linter"
     },
     {
       "matchPackagePatterns": ["^@nestjs"],
+      "rangeStrategy": "replace",
       "groupName": "nestjs"
     },
     {
       "matchPackagePatterns": ["^@opentelemetry"],
+      "rangeStrategy": "replace",
       "groupName": "opentelemetry"
     },
     {
@@ -30,16 +38,32 @@
         "@prisma/instrumentation",
         "prisma"
       ],
+      "rangeStrategy": "replace",
       "groupName": "prisma"
     },
     {
       "matchPackagePatterns": ["^@electron-forge"],
+      "rangeStrategy": "replace",
       "groupName": "electron-forge"
     },
     {
+      "groupName": "blocksuite-nightly",
       "matchPackagePatterns": ["^@blocksuite"],
       "excludePackageNames": ["@blocksuite/icons"],
+      "rangeStrategy": "replace",
       "followTag": "nightly"
+    },
+    {
+      "groupName": "all non-major dependencies",
+      "groupSlug": "all-minor-patch",
+      "matchPackagePatterns": ["*"],
+      "excludePackagePatterns": ["^@blocksuite/"],
+      "matchUpdateTypes": ["minor", "patch"]
+    },
+    {
+      "matchPackagePatterns": ["*"],
+      "rangeStrategy": "replace",
+      "excludePackagePatterns": ["^@blocksuite/"]
     }
   ],
   "commitMessagePrefix": "chore: ",

.github/workflows/build-test.yml

@@ -108,44 +108,6 @@ jobs:
           yarn set version $(node -e "console.log(require('./package.json').packageManager.split('@')[1])")
           git diff --exit-code
 
-  e2e-plugin-test:
-    name: E2E Plugin Test
-    runs-on: ubuntu-latest
-    env:
-      DISTRIBUTION: browser
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        with:
-          playwright-install: true
-          electron-install: false
-          full-cache: true
-      - name: Run playwright tests
-        run: yarn e2e --forbid-only
-        working-directory: tests/affine-plugin
-        env:
-          COVERAGE: true
-      - name: Collect code coverage report
-        run: yarn exec nyc report -t .nyc_output --report-dir .coverage --reporter=lcov
-
-      - name: Upload e2e test coverage results
-        uses: codecov/codecov-action@v3
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          files: ./.coverage/lcov.info
-          flags: e2e-plugin-test
-          name: affine
-          fail_ci_if_error: false
-
-      - name: Upload test results
-        if: ${{ failure() }}
-        uses: actions/upload-artifact@v3
-        with:
-          name: test-results-e2e-plugin
-          path: ./test-results
-          if-no-files-found: ignore
-
   e2e-test:
     name: E2E Test
     runs-on: ubuntu-latest
@@ -169,7 +131,7 @@ jobs:
 
       - name: Upload test results
         if: ${{ failure() }}
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: test-results-e2e-${{ matrix.shard }}
           path: ./test-results
@@ -194,7 +156,7 @@ jobs:
 
       - name: Upload test results
         if: ${{ failure() }}
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: test-results-e2e-migration
           path: ./tests/affine-migration/test-results
@@ -216,7 +178,7 @@ jobs:
           full-cache: true
 
       - name: Download affine.linux-x64-gnu.node
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: affine.linux-x64-gnu.node
           path: ./packages/frontend/native
@@ -254,8 +216,6 @@ jobs:
         with:
           extra-flags: workspaces focus @affine/native
           electron-install: false
-          build-infra: false
-          build-plugins: false
       - name: Setup filename
         id: filename
         shell: bash
@@ -269,7 +229,7 @@ jobs:
           package: '@affine/native'
           nx_token: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
       - name: Upload ${{ steps.filename.outputs.filename }}
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: ${{ steps.filename.outputs.filename }}
           path: ./packages/frontend/native/${{ steps.filename.outputs.filename }}
@@ -287,8 +247,6 @@ jobs:
         with:
           extra-flags: workspaces focus @affine/storage
           electron-install: false
-          build-infra: false
-          build-plugins: false
       - name: Build Rust
         uses: ./.github/actions/build-rust
         with:
@@ -296,7 +254,7 @@ jobs:
           package: '@affine/storage'
           nx_token: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
       - name: Upload storage.node
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: storage.node
           path: ./packages/backend/storage/storage.node
@@ -312,7 +270,6 @@ jobs:
         uses: ./.github/actions/setup-node
         with:
           electron-install: false
-          build-plugins: false
           full-cache: true
       - name: Build Core
         # always skip cache because its fast, and cache configuration is always changing
@@ -320,7 +277,7 @@ jobs:
       - name: zip core
         run: tar -czf dist.tar.gz --directory=packages/frontend/core/dist .
       - name: Upload core artifact
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: core
           path: dist.tar.gz
@@ -358,6 +315,12 @@ jobs:
           electron-install: false
           full-cache: true
 
+      - name: Download storage.node
+        uses: actions/download-artifact@v4
+        with:
+          name: storage.node
+          path: ./packages/backend/server
+
       - name: Initialize database
         run: |
           psql -h localhost -U postgres -c "CREATE DATABASE affine;"
@@ -380,12 +343,6 @@ jobs:
         env:
           DATABASE_URL: postgresql://affine:affine@localhost:5432/affine
 
-      - name: Download storage.node
-        uses: actions/download-artifact@v3
-        with:
-          name: storage.node
-          path: ./packages/backend/server
-
       - name: Run server tests
         run: yarn workspace @affine/server test:coverage
         env:
@@ -450,6 +407,18 @@ jobs:
           playwright-install: true
           hard-link-nm: false
 
+      - name: Download storage.node
+        uses: actions/download-artifact@v4
+        with:
+          name: storage.node
+          path: ./packages/backend/server
+
+      - name: Download affine.linux-x64-gnu.node
+        uses: actions/download-artifact@v4
+        with:
+          name: affine.linux-x64-gnu.node
+          path: ./packages/frontend/native
+
       - name: Initialize database
         run: |
           psql -h localhost -U postgres -c "CREATE DATABASE affine;"
@@ -469,17 +438,6 @@ jobs:
         run: |
           yarn workspace @affine/server data-migration run
           yarn workspace @affine/server exec node --loader ts-node/esm/transpile-only ./scripts/init-db.ts
-      - name: Download storage.node
-        uses: actions/download-artifact@v3
-        with:
-          name: storage.node
-          path: ./packages/backend/server
-
-      - name: Download affine.linux-x64-gnu.node
-        uses: actions/download-artifact@v3
-        with:
-          name: affine.linux-x64-gnu.node
-          path: ./packages/frontend/native
 
       - name: ${{ matrix.tests.name }}
         run: |
@@ -490,7 +448,7 @@ jobs:
 
       - name: Upload test results
         if: ${{ failure() }}
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: test-results-e2e-server
           path: ./tests/affine-cloud/test-results
@@ -554,7 +512,7 @@ jobs:
           echo "filename=affine.$PLATFORM_ARCH_ABI.node" >> "$GITHUB_OUTPUT"
 
       - name: Download ${{ steps.filename.outputs.filename }}
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: ${{ steps.filename.outputs.filename }}
           path: ./packages/frontend/native
@@ -562,8 +520,7 @@ jobs:
       - name: Run unit tests
         if: ${{ matrix.spec.test }}
         shell: bash
-        run: yarn vitest
-        working-directory: packages/frontend/electron
+        run: yarn workspace @affine/electron vitest
 
       - name: Download core artifact
         uses: ./.github/actions/download-core
@@ -596,7 +553,7 @@ jobs:
 
       - name: Upload test results
         if: ${{ failure() }}
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: test-results-e2e-${{ matrix.spec.os }}-${{ matrix.spec.arch }}
           path: ./test-results

.github/workflows/deploy.yml

@@ -32,7 +32,7 @@ jobs:
       - name: Build Server
         run: yarn workspace @affine/server build
       - name: Upload server dist
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: server-dist
           path: ./packages/backend/server/dist
@@ -48,8 +48,6 @@ jobs:
         uses: ./.github/actions/setup-version
       - name: Setup Node.js
         uses: ./.github/actions/setup-node
-      - name: Build Plugins
-        run: yarn run build:plugins
       - name: Build Core
         run: yarn nx build @affine/core --skip-nx-cache
         env:
@@ -65,7 +63,7 @@ jobs:
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
           SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
       - name: Upload core artifact
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: core
           path: ./packages/frontend/core/dist
@@ -89,7 +87,7 @@ jobs:
           package: '@affine/storage'
           nx_token: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
       - name: Upload storage.node
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: storage.node
           path: ./packages/backend/storage/storage.node
@@ -113,7 +111,7 @@ jobs:
           package: '@affine/storage'
           nx_token: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
       - name: Upload storage.node
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: storage.arm64.node
           path: ./packages/backend/storage/storage.node
@@ -130,22 +128,22 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Download core artifact
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: core
           path: ./packages/frontend/core/dist
       - name: Download server dist
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: server-dist
           path: ./packages/backend/server/dist
       - name: Download storage.node
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: storage.node
           path: ./packages/backend/server
       - name: Download storage.node arm64
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: storage.arm64.node
           path: ./packages/backend/storage
@@ -242,7 +240,6 @@ jobs:
           R2_ACCOUNT_ID: ${{ secrets.R2_ACCOUNT_ID }}
           R2_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
           R2_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
-          R2_BUCKET: ${{ secrets.R2_BUCKET }}
           ENABLE_CAPTCHA: true
           CAPTCHA_TURNSTILE_SECRET: ${{ secrets.CAPTCHA_TURNSTILE_SECRET }}
           OAUTH_EMAIL_SENDER: ${{ secrets.OAUTH_EMAIL_SENDER }}

.github/workflows/publish-storybook.yml

@@ -32,8 +32,6 @@ jobs:
         uses: ./.github/actions/setup-node
         with:
           electron-install: false
-      - name: Build Plugins
-        run: yarn run build:plugins
       - uses: chromaui/action-next@v1
         with:
           workingDir: tests/storybook
@@ -44,7 +42,7 @@ jobs:
         env:
           CHROMATIC_PROJECT_TOKEN: ${{ secrets.CHROMATIC_PROJECT_TOKEN }}
           NODE_OPTIONS: ${{ env.NODE_OPTIONS }}
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
         if: always()
         with:
           name: chromatic-build-artifacts-${{ github.run_id }}

.github/workflows/release-desktop.yml

@@ -61,7 +61,7 @@ jobs:
           SKIP_NX_CACHE: 'true'
 
       - name: Upload core artifact
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: core
           path: packages/frontend/electron/resources/web-static
@@ -102,7 +102,6 @@ jobs:
         with:
           extra-flags: workspaces focus @affine/electron @affine/monorepo
           hard-link-nm: false
-          build-plugins: false
           nmHoistingLimits: workspaces
           enableScripts: false
       - name: Build AFFiNE native
@@ -111,7 +110,7 @@ jobs:
           target: ${{ matrix.spec.target }}
           package: '@affine/native'
           nx_token: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v4
         with:
           name: core
           path: packages/frontend/electron/resources/web-static
@@ -147,7 +146,7 @@ jobs:
           mv packages/frontend/electron/out/*/make/AppImage/x64/*.AppImage ./builds/affine-${{ env.BUILD_TYPE }}-linux-x64.AppImage
 
       - name: Upload Artifact
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: affine-${{ matrix.spec.platform }}-${{ matrix.spec.arch }}-builds
           path: builds
@@ -179,7 +178,6 @@ jobs:
         with:
           extra-flags: workspaces focus @affine/electron @affine/monorepo
           hard-link-nm: false
-          build-plugins: false
           nmHoistingLimits: workspaces
       - name: Build AFFiNE native
         uses: ./.github/actions/build-rust
@@ -187,14 +185,11 @@ jobs:
           target: ${{ matrix.spec.target }}
           package: '@affine/native'
           nx_token: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v4
         with:
           name: core
           path: packages/frontend/electron/resources/web-static
 
-      - name: Build Plugins
-        run: yarn run build:plugins
-
       - name: Build Desktop Layers
         run: yarn workspace @affine/electron build
 
@@ -216,7 +211,7 @@ jobs:
         run: Compress-Archive -CompressionLevel Fastest -Path packages/frontend/electron/out/* -DestinationPath archive.zip
 
       - name: Save packaged artifacts for signing
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: packaged-${{ matrix.spec.platform }}-${{ matrix.spec.arch }}
           path: |
@@ -250,7 +245,7 @@ jobs:
         timeout-minutes: 10
         uses: ./.github/actions/setup-node
       - name: Download and overwrite packaged artifacts
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: signed-packaged-${{ matrix.spec.platform }}-${{ matrix.spec.arch }}
           path: .
@@ -271,7 +266,7 @@ jobs:
           echo $FILES_TO_BE_SIGNED
 
       - name: Save installer for signing
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: installer-${{ matrix.spec.platform }}-${{ matrix.spec.arch }}
           path: archive.zip
@@ -297,7 +292,7 @@ jobs:
     runs-on: ${{ matrix.spec.runner }}
     steps:
       - name: Download and overwrite installer artifacts
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: signed-installer-${{ matrix.spec.platform }}-${{ matrix.spec.arch }}
           path: .
@@ -312,7 +307,7 @@ jobs:
           mv packages/frontend/electron/out/*/make/squirrel.windows/x64/*.msi ./builds/affine-${{ env.BUILD_TYPE }}-windows-x64.msi
 
       - name: Upload Artifact
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: affine-${{ matrix.spec.platform }}-${{ matrix.spec.arch }}-builds
           path: builds
@@ -323,29 +318,29 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v4
         with:
           name: core
           path: web-static
       - name: Zip web-static
         run: zip -r web-static.zip web-static
       - name: Download Artifacts (macos-x64)
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: affine-darwin-x64-builds
           path: ./
       - name: Download Artifacts (macos-arm64)
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: affine-darwin-arm64-builds
           path: ./
       - name: Download Artifacts (windows-x64)
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: affine-win32-x64-builds
           path: ./
       - name: Download Artifacts (linux-x64)
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: affine-linux-x64-builds
           path: ./
@@ -358,6 +353,7 @@ jobs:
         env:
           RELEASE_VERSION: ${{ needs.before-make.outputs.RELEASE_VERSION }}
       - name: Create Release Draft
+        if: ${{ github.ref_type == 'tag' }}
         uses: softprops/action-gh-release@v1
         with:
           name: ${{ needs.before-make.outputs.RELEASE_VERSION }}
@@ -372,3 +368,25 @@ jobs:
             ./*.AppImage
             ./*.apk
             ./*.yml
+      - name: Create Nightly Release Draft
+        if: ${{ github.ref_type == 'branch' }}
+        uses: softprops/action-gh-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+        with:
+          # Temporarily, treat release from branch as nightly release, artifact saved to AFFiNE-Releases.
+          # Need to improve internal build and nightly release logic.
+          repository: 'toeverything/AFFiNE-Releases'
+          name: ${{ needs.before-make.outputs.RELEASE_VERSION }}
+          tag_name: ${{ needs.before-make.outputs.RELEASE_VERSION }}
+          body: ''
+          draft: false
+          prerelease: true
+          files: |
+            ./VERSION
+            ./*.zip
+            ./*.dmg
+            ./*.exe
+            ./*.AppImage
+            ./*.apk
+            ./*.yml

.github/workflows/windows-signer.yml

@@ -14,7 +14,7 @@ jobs:
     env:
       ARCHIVE_DIR: ${{ github.run_id }}-${{ github.run_attempt }}-${{ inputs.artifact-name }}
     steps:
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v4
         with:
           name: ${{ inputs.artifact-name }}
           path: ${{ env.ARCHIVE_DIR }}
@@ -36,7 +36,7 @@ jobs:
           cd ${{ env.ARCHIVE_DIR }}
           7za a signed.zip .\out\*
       - name: upload
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: signed-${{ inputs.artifact-name }}
           path: ${{ env.ARCHIVE_DIR }}/signed.zip

.github/workflows/workers.yml

@@ -15,7 +15,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Publish
-        uses: cloudflare/wrangler-action@v3.3.2
+        uses: cloudflare/wrangler-action@v3.4.0
         with:
           apiToken: ${{ secrets.CF_API_TOKEN }}
           accountId: ${{ secrets.CF_ACCOUNT_ID }}

.prettierignore

@@ -16,6 +16,8 @@ packages/frontend/i18n/src/i18n-generated.ts
 packages/frontend/graphql/src/graphql/index.ts
 tests/affine-legacy/**/static
 .yarnrc.yml
+packages/frontend/templates/templates.gen.ts
+packages/frontend/templates/onboarding
 
 # auto-generated by NAPI-RS
 # fixme(@joooye34): need script to check and generate ignore list here

Cargo.lock

@@ -2024,16 +2024,14 @@ dependencies = [
 
 [[package]]
 name = "rsa"
-version = "0.9.2"
+version = "0.9.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6ab43bb47d23c1a631b4b680199a45255dce26fa9ab2fa902581f624ff13e6a8"
+checksum = "5d0e5124fcb30e76a7e79bfee683a2746db83784b86289f6251b54b7950a0dfc"
 dependencies = [
- "byteorder",
  "const-oid",
  "digest",
  "num-bigint-dig",
  "num-integer",
- "num-iter",
  "num-traits",
  "pkcs1",
  "pkcs8",
@@ -2462,9 +2460,9 @@ dependencies = [
 
 [[package]]
 name = "spki"
-version = "0.7.2"
+version = "0.7.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9d1e996ef02c474957d681f1b05213dfb0abab947b446a62d37770b23500184a"
+checksum = "d91ed6c858b01f942cd56b37a94b3e0a1798290327d1236e4d9cf4eaca44d29d"
 dependencies = [
  "base64ct",
  "der",

README.md

@@ -113,21 +113,6 @@ If you have questions, you are welcome to contact us. One of the best places to
 | [@toeverything/y-indexeddb](packages/common/y-indexeddb) | IndexedDB database adapter for Yjs | [![](https://img.shields.io/npm/dm/@toeverything/y-indexeddb?style=flat-square&color=eee)](https://www.npmjs.com/package/@toeverything/y-indexeddb) |
 | [@toeverything/theme](packages/common/theme)             | AFFiNE theme                       | [![](https://img.shields.io/npm/dm/@toeverything/theme?style=flat-square&color=eee)](https://www.npmjs.com/package/@toeverything/theme)             |
 
-## Plugins
-
-> Plugins are a way to extend the functionality of AFFiNE. You can use plugins to add new blocks, new features, and even new ways to edit content.
->
-> (Currently, the plugin system is under heavy development. You will see the plugin system in the canary release.)
-
-- [@affine/sdk](./packages/common/sdk) - SDK for developing plugins
-- [@affine/plugin-cli](./tools/plugin-cli) - CLI for developing plugins
-
-| Official Plugin                                                  | Description                               | Status |
-| ---------------------------------------------------------------- | ----------------------------------------- | ------ |
-| [@affine/copilot-plugin](./packages/plugins/copilot)             | AI Copilot that help you document writing | 🚧     |
-| [@affine/image-preview-plugin](./packages/plugins/image-preview) | Component for previewing an image         | ✅     |
-| [@affine/outline](./packages/plugins/outline)                    | Outline for your document                 | ✅     |
-
 ## Upstreams
 
 We would also like to give thanks to open-source projects that make AFFiNE possible:
@@ -227,7 +212,7 @@ See [LICENSE] for details.
 [jobs available]: ./docs/jobs.md
 [latest packages]: https://github.com/toeverything/AFFiNE/pkgs/container/affine-self-hosted
 [contributor license agreement]: https://github.com/toeverything/affine/edit/canary/.github/CLA.md
-[rust-version-icon]: https://img.shields.io/badge/Rust-1.74.1-dea584
+[rust-version-icon]: https://img.shields.io/badge/Rust-1.75.0-dea584
 [stars-icon]: https://img.shields.io/github/stars/toeverything/AFFiNE.svg?style=flat&logo=github&colorB=red&label=stars
 [codecov]: https://codecov.io/gh/toeverything/affine/branch/canary/graphs/badge.svg?branch=canary
 [node-version-icon]: https://img.shields.io/badge/node-%3E=18.16.1-success

docs/BUILDING.md

@@ -57,6 +57,29 @@ corepack prepare yarn@stable --activate
 yarn install
 ```
 
+### Clone repository
+
+#### Linux & MacOS
+
+```sh
+git clone https://github.com/toeverything/AFFiNE
+```
+
+#### Windows
+
+In our codebase, we use symbolic links. Due to the security design of Windows, the creation of symbolic links requires administrator privileges. This is part of the security policy settings of Windows, and more information can be found at [Security Policy Settings for Creating Symbolic Links](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/create-symbolic-links).
+
+For detailed guidance on enabling this feature, please refer to the official documentation: [Enable Developer Mode on Windows](https://learn.microsoft.com/en-us/windows/apps/get-started/enable-your-device-for-development).
+
+Once Developer Mode is enabled, execute the following command with administrator privileges:
+
+```sh
+# Enable symbolic links
+git config --global core.symlinks true
+# Clone the repository, also need to be run with administrator privileges
+git clone https://github.com/toeverything/AFFiNE
+```
+
 ### Build Native Dependencies
 
 Run the following script. It will build the native module at [`/packages/frontend/native`](/packages/frontend/native) and build Node.js binding using [NAPI.rs](https://napi.rs/).
@@ -67,18 +90,6 @@ Note: use `strip` from system instead of `binutils` if you are running MacOS. [s
 yarn workspace @affine/native build
 ```
 
-### Build Infra
-
-```sh
-yarn run build:infra
-```
-
-### Build Plugins
-
-```sh
-yarn run build:plugins
-```
-
 ### Build Server Dependencies
 
 ```sh
@@ -102,7 +113,7 @@ yarn test
 ### E2E Test
 
 ```shell
-# there are `affine-local`, `affine-migration`, `affine-local`, `affine-plugin`, `affine-prototype` e2e tests,
+# there are `affine-local`, `affine-migration`, `affine-local`, `affine-prototype` e2e tests,
 #   which are run under different situations.
 cd tests/affine-local
 yarn e2e

docs/contributing/tutorial.md

@@ -17,7 +17,6 @@ The codebase is organized as follows:
 - `packages/` contains all code running in production.
   - `backend/` contains backend code, more information from <https://github.com/toeverything/OctoBase>.
   - `frontend/` contains frontend code, including the web app, the electron app and business libraries.
-  - `plugins/` contains all build-in plugins.
   - `common` contains the isomorphic code or basic libraries without business.
 - `tools/` contains tools to help developing or CI, not used in production.
 - `tests/` contains testings across different libraries, including e2e testings and integration testings.

docs/reference/package.json

@@ -0,0 +1,23 @@
+{
+  "name": "@affine/docs",
+  "type": "module",
+  "private": true,
+  "scripts": {
+    "build": "typedoc --options ../../typedoc.json",
+    "dev": "nodemon --exec 'typedoc --options ../../typedoc.json' & serve dist/"
+  },
+  "devDependencies": {
+    "nodemon": "^3.0.1",
+    "serve": "^14.2.1",
+    "typedoc": "^0.25.4"
+  },
+  "nodemonConfig": {
+    "watch": [
+      "./readme.md",
+      "../../packages/*/*/src/*.ts",
+      "../../**/typedoc{.base,}.json"
+    ],
+    "ext": "ts,md,json"
+  },
+  "version": "0.10.3-canary.2"
+}

docs/reference/readme.md

@@ -0,0 +1,7 @@
+Welcome to AFFiNE development reference.
+
+This document is intended for developers who want to contribute to AFFiNE. It contains information about the architecture of AFFiNE, how to build it, and how to contribute to it.
+
+### The Infrastructure of AFFiNE
+
+see {@link @toeverything/infra!}

package.json

@@ -8,10 +8,9 @@
     ".",
     "packages/*/*",
     "tools/*",
-    "!tools/@types",
+    "docs/reference",
     "tools/@types/*",
     "tests/*",
-    "!tests/affine-legacy",
     "tests/affine-legacy/*"
   ],
   "engines": {
@@ -23,8 +22,6 @@
     "build": "yarn nx build @affine/core",
     "build:electron": "yarn nx build @affine/electron",
     "build:storage": "yarn nx run-many -t build -p @affine/storage",
-    "build:infra": "yarn nx run-many -t build --projects=tag:infra",
-    "build:plugins": "yarn nx run-many -t build --projects=tag:plugin",
     "build:storybook": "yarn nx build @affine/storybook",
     "start:web-static": "yarn workspace @affine/core static-server",
     "start:storybook": "yarn exec serve tests/storybook/storybook-static -l 6006",
@@ -33,7 +30,7 @@
     "lint:eslint:fix": "yarn lint:eslint --fix",
     "lint:prettier": "prettier --ignore-unknown --cache --check .",
     "lint:prettier:fix": "prettier --ignore-unknown --cache --write .",
-    "lint:ox": "oxlint --deny-warnings -D correctness -D nursery -D prefer-array-some -D no-useless-promise-resolve-reject -A no-undef -A consistent-type-exports -A default -A named -A ban-ts-comment",
+    "lint:ox": "oxlint --import-plugin --deny-warnings -D correctness -D nursery -D prefer-array-some -D no-useless-promise-resolve-reject -D perf -A no-undef -A consistent-type-exports -A default -A named -A ban-ts-comment -A export",
     "lint": "yarn lint:eslint && yarn lint:prettier",
     "lint:fix": "yarn lint:eslint:fix && yarn lint:prettier:fix",
     "test": "vitest --run",
@@ -58,13 +55,12 @@
   "devDependencies": {
     "@affine-test/kit": "workspace:*",
     "@affine/cli": "workspace:*",
-    "@affine/plugin-cli": "workspace:*",
     "@commitlint/cli": "^18.4.3",
     "@commitlint/config-conventional": "^18.4.3",
     "@faker-js/faker": "^8.3.1",
     "@istanbuljs/schema": "^0.1.3",
     "@magic-works/i18n-codegen": "^0.5.0",
-    "@nx/vite": "17.1.3",
+    "@nx/vite": "17.2.8",
     "@perfsee/sdk": "^1.9.0",
     "@playwright/test": "^1.40.0",
     "@taplo/cli": "^0.5.2",
@@ -78,8 +74,8 @@
     "@vanilla-extract/vite-plugin": "^3.9.2",
     "@vanilla-extract/webpack-plugin": "^2.3.1",
     "@vitejs/plugin-react-swc": "^3.5.0",
-    "@vitest/coverage-istanbul": "1.0.4",
-    "@vitest/ui": "1.0.4",
+    "@vitest/coverage-istanbul": "1.1.3",
+    "@vitest/ui": "1.1.3",
     "electron": "^27.1.0",
     "eslint": "^8.54.0",
     "eslint-config-prettier": "^9.0.0",
@@ -91,7 +87,7 @@
     "eslint-plugin-unicorn": "^50.0.0",
     "eslint-plugin-unused-imports": "^3.0.0",
     "eslint-plugin-vue": "^9.18.1",
-    "fake-indexeddb": "5.0.1",
+    "fake-indexeddb": "5.0.2",
     "happy-dom": "^12.10.3",
     "husky": "^8.0.3",
     "lint-staged": "^15.1.0",
@@ -100,7 +96,7 @@
     "nx": "^17.1.3",
     "nx-cloud": "^16.5.2",
     "nyc": "^15.1.0",
-    "oxlint": "0.0.21",
+    "oxlint": "0.0.22",
     "prettier": "^3.1.0",
     "semver": "^7.5.4",
     "serve": "^14.2.1",
@@ -111,7 +107,7 @@
     "vite-plugin-istanbul": "^5.0.0",
     "vite-plugin-static-copy": "^1.0.0",
     "vite-tsconfig-paths": "^4.2.1",
-    "vitest": "1.0.4",
+    "vitest": "1.1.3",
     "vitest-fetch-mock": "^0.2.2",
     "vitest-mock-extended": "^1.3.1"
   },
@@ -176,6 +172,7 @@
     "next-auth@^4.24.5": "patch:next-auth@npm%3A4.24.5#~/.yarn/patches/next-auth-npm-4.24.5-8428e11927.patch",
     "@reforged/maker-appimage/@electron-forge/maker-base": "7.2.0",
     "macos-alias": "npm:macos-alias-building@latest",
-    "fs-xattr": "npm:@napi-rs/xattr@latest"
+    "fs-xattr": "npm:@napi-rs/xattr@latest",
+    "@radix-ui/react-dialog": "npm:@radix-ui/react-dialog@latest"
   }
 }

packages/backend/server/migrations/20240103092238_add_workspace_features/migration.sql

@@ -0,0 +1,18 @@
+-- CreateTable
+CREATE TABLE "workspace_features" (
+    "id" SERIAL NOT NULL,
+    "workspace_id" VARCHAR(36) NOT NULL,
+    "feature_id" INTEGER NOT NULL,
+    "reason" VARCHAR NOT NULL,
+    "created_at" TIMESTAMPTZ(6) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "expired_at" TIMESTAMPTZ(6),
+    "activated" BOOLEAN NOT NULL DEFAULT false,
+
+    CONSTRAINT "workspace_features_pkey" PRIMARY KEY ("id")
+);
+
+-- AddForeignKey
+ALTER TABLE "workspace_features" ADD CONSTRAINT "workspace_features_feature_id_fkey" FOREIGN KEY ("feature_id") REFERENCES "features"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "workspace_features" ADD CONSTRAINT "workspace_features_workspace_id_fkey" FOREIGN KEY ("workspace_id") REFERENCES "workspaces"("id") ON DELETE CASCADE ON UPDATE CASCADE;

packages/backend/server/package.json

@@ -9,18 +9,18 @@
   },
   "scripts": {
     "build": "tsc",
-    "start": "node --loader ts-node/esm.mjs --es-module-specifier-resolution node ./src/index.ts",
+    "start": "node --loader ts-node/esm/transpile-only.mjs --es-module-specifier-resolution node ./src/index.ts",
     "dev": "nodemon ./src/index.ts",
     "test": "ava --concurrency 1 --serial",
     "test:coverage": "c8 ava --concurrency 1 --serial",
     "postinstall": "prisma generate",
-    "data-migration": "node --loader ts-node/esm.mjs --es-module-specifier-resolution node ./src/data/app.ts",
+    "data-migration": "node --loader ts-node/esm/transpile-only.mjs --es-module-specifier-resolution node ./src/data/app.ts",
     "predeploy": "yarn prisma migrate deploy && node --es-module-specifier-resolution node ./dist/data/app.js run"
   },
   "dependencies": {
     "@apollo/server": "^4.9.5",
     "@auth/prisma-adapter": "^1.0.7",
-    "@aws-sdk/client-s3": "^3.454.0",
+    "@aws-sdk/client-s3": "^3.499.0",
     "@google-cloud/opentelemetry-cloud-monitoring-exporter": "^0.17.0",
     "@google-cloud/opentelemetry-cloud-trace-exporter": "^2.1.0",
     "@keyv/redis": "^2.8.0",
@@ -36,29 +36,29 @@
     "@nestjs/websockets": "^10.2.10",
     "@node-rs/argon2": "^1.5.2",
     "@node-rs/crc32": "^1.7.2",
-    "@node-rs/jsonwebtoken": "^0.2.3",
+    "@node-rs/jsonwebtoken": "^0.3.0",
     "@opentelemetry/api": "^1.7.0",
-    "@opentelemetry/core": "^1.18.1",
-    "@opentelemetry/exporter-prometheus": "^0.45.1",
-    "@opentelemetry/exporter-zipkin": "^1.18.1",
+    "@opentelemetry/core": "^1.19.0",
+    "@opentelemetry/exporter-prometheus": "^0.46.0",
+    "@opentelemetry/exporter-zipkin": "^1.19.0",
     "@opentelemetry/host-metrics": "^0.34.0",
-    "@opentelemetry/instrumentation": "^0.45.1",
+    "@opentelemetry/instrumentation": "^0.46.0",
     "@opentelemetry/instrumentation-graphql": "^0.36.0",
-    "@opentelemetry/instrumentation-http": "^0.45.1",
+    "@opentelemetry/instrumentation-http": "^0.46.0",
     "@opentelemetry/instrumentation-ioredis": "^0.36.0",
     "@opentelemetry/instrumentation-nestjs-core": "^0.33.3",
-    "@opentelemetry/instrumentation-socket.io": "^0.34.3",
-    "@opentelemetry/resources": "^1.18.1",
-    "@opentelemetry/sdk-metrics": "^1.18.1",
-    "@opentelemetry/sdk-node": "^0.45.1",
-    "@opentelemetry/sdk-trace-node": "^1.18.1",
-    "@prisma/client": "^5.6.0",
-    "@prisma/instrumentation": "^5.6.0",
+    "@opentelemetry/instrumentation-socket.io": "^0.35.0",
+    "@opentelemetry/resources": "^1.19.0",
+    "@opentelemetry/sdk-metrics": "^1.19.0",
+    "@opentelemetry/sdk-node": "^0.46.0",
+    "@opentelemetry/sdk-trace-node": "^1.19.0",
+    "@prisma/client": "^5.7.1",
+    "@prisma/instrumentation": "^5.7.1",
     "@socket.io/redis-adapter": "^8.2.1",
     "cookie-parser": "^1.4.6",
     "dotenv": "^16.3.1",
     "express": "^4.18.2",
-    "file-type": "^18.7.0",
+    "file-type": "^19.0.0",
     "get-stream": "^8.0.1",
     "graphql": "^16.8.1",
     "graphql-type-json": "^0.3.2",
@@ -74,9 +74,9 @@
     "on-headers": "^1.0.2",
     "parse-duration": "^1.1.0",
     "pretty-time": "^1.1.0",
-    "prisma": "^5.6.0",
+    "prisma": "^5.7.1",
     "prom-client": "^15.0.0",
-    "reflect-metadata": "^0.1.13",
+    "reflect-metadata": "^0.2.0",
     "rxjs": "^7.8.1",
     "semver": "^7.5.4",
     "socket.io": "^4.7.2",
@@ -101,10 +101,10 @@
     "@types/on-headers": "^1.0.3",
     "@types/pretty-time": "^1.1.5",
     "@types/sinon": "^17.0.2",
-    "@types/supertest": "^2.0.16",
+    "@types/supertest": "^6.0.0",
     "@types/ws": "^8.5.10",
     "ava": "^6.0.0",
-    "c8": "^8.0.1",
+    "c8": "^9.0.0",
     "nodemon": "^3.0.1",
     "sinon": "^17.0.1",
     "supertest": "^6.3.3",

packages/backend/server/schema.prisma

@@ -1,7 +1,7 @@
 generator client {
   provider        = "prisma-client-js"
   binaryTargets   = ["native", "debian-openssl-3.0.x", "linux-arm64-openssl-3.0.x"]
-  previewFeatures = ["metrics", "tracing"]
+  previewFeatures = ["metrics", "tracing", "relationJoins", "nativeDistinct"]
 }
 
 datasource db {
@@ -40,6 +40,7 @@ model Workspace {
   pages           WorkspacePage[]
   permissions     WorkspaceUserPermission[]
   pagePermissions WorkspacePageUserPermission[]
+  features        WorkspaceFeatures[]
 
   @@map("workspaces")
 }
@@ -135,12 +136,39 @@ model UserFeatures {
   // - if we switch the user to another plan, we will set the old plan to deactivated, but dont delete it
   activated Boolean   @default(false)
 
-  user    User     @relation(fields: [userId], references: [id], onDelete: Cascade)
   feature Features @relation(fields: [featureId], references: [id], onDelete: Cascade)
+  user    User     @relation(fields: [userId], references: [id], onDelete: Cascade)
 
   @@map("user_features")
 }
 
+// feature gates is a way to enable/disable features for a workspace
+// for example:
+// - copilet is a feature that allow some users in a workspace to access the copilet feature
+model WorkspaceFeatures {
+  id          Int    @id @default(autoincrement())
+  workspaceId String @map("workspace_id") @db.VarChar(36)
+  featureId   Int    @map("feature_id") @db.Integer
+
+  // we will record the reason why the feature is enabled/disabled
+  // for example:
+  // - copilet_v1: "owner buy the copilet feature package"
+  reason    String    @db.VarChar
+  // record the feature enabled time
+  createdAt DateTime  @default(now()) @map("created_at") @db.Timestamptz(6)
+  // record the quota expired time, pay plan is a subscription, so it will expired
+  expiredAt DateTime? @map("expired_at") @db.Timestamptz(6)
+  // whether the feature is activated
+  // for example:
+  // - if owner unsubscribe a feature package, we will set the feature to deactivated, but dont delete it
+  activated Boolean   @default(false)
+
+  feature   Features  @relation(fields: [featureId], references: [id], onDelete: Cascade)
+  workspace Workspace @relation(fields: [workspaceId], references: [id], onDelete: Cascade)
+
+  @@map("workspace_features")
+}
+
 model Features {
   id        Int      @id @default(autoincrement())
   feature   String   @db.VarChar
@@ -151,7 +179,8 @@ model Features {
   configs   Json     @db.Json
   createdAt DateTime @default(now()) @map("created_at") @db.Timestamptz(6)
 
-  UserFeatureGates UserFeatures[]
+  UserFeatureGates  UserFeatures[]
+  WorkspaceFeatures WorkspaceFeatures[]
 
   @@unique([feature, version])
   @@map("features")
@@ -196,6 +225,7 @@ model VerificationToken {
   @@map("verificationtokens")
 }
 
+// deprecated, use [ObjectStorage]
 model Blob {
   id          Int       @id @default(autoincrement()) @db.Integer
   hash        String    @db.VarChar
@@ -210,6 +240,7 @@ model Blob {
   @@map("blobs")
 }
 
+// deprecated, use [ObjectStorage]
 model OptimizedBlob {
   id          Int       @id @default(autoincrement()) @db.Integer
   hash        String    @db.VarChar

packages/backend/server/src/affine.config.ts

@@ -0,0 +1,25 @@
+/* eslint-disable @typescript-eslint/no-non-null-assertion */
+// Custom configurations
+
+const env = process.env;
+const node = AFFiNE.node;
+
+// TODO: may be separate config overring in `affine.[env].config`?
+if (node.prod && env.R2_OBJECT_STORAGE_ACCOUNT_ID) {
+  AFFiNE.storage.providers.r2 = {
+    accountId: env.R2_OBJECT_STORAGE_ACCOUNT_ID,
+    credentials: {
+      accessKeyId: env.R2_OBJECT_STORAGE_ACCESS_KEY_ID!,
+      secretAccessKey: env.R2_OBJECT_STORAGE_SECRET_ACCESS_KEY!,
+    },
+  };
+  AFFiNE.storage.storages.avatar.provider = 'r2';
+  AFFiNE.storage.storages.avatar.bucket = 'account-avatar';
+  AFFiNE.storage.storages.avatar.publicLinkFactory = key =>
+    `https://avatar.affineassets.com/${key}`;
+
+  AFFiNE.storage.storages.blob.provider = 'r2';
+  AFFiNE.storage.storages.blob.bucket = `workspace-blobs-${
+    AFFiNE.affine.canary ? 'canary' : 'prod'
+  }`;
+}

packages/backend/server/src/affine.ts

@@ -0,0 +1,3 @@
+import { getDefaultAFFiNEConfig } from './config/default';
+
+globalThis.AFFiNE = getDefaultAFFiNEConfig();

packages/backend/server/src/app.ts

@@ -9,7 +9,6 @@ import { BusinessModules } from './modules';
 import { AuthModule } from './modules/auth';
 import { PrismaModule } from './prisma';
 import { SessionModule } from './session';
-import { StorageModule } from './storage';
 import { RateLimiterModule } from './throttler';
 
 const BasicModules = [
@@ -17,7 +16,6 @@ const BasicModules = [
   ConfigModule.forRoot(),
   CacheModule,
   EventModule,
-  StorageModule.forRoot(),
   SessionModule,
   RateLimiterModule,
   AuthModule,

packages/backend/server/src/config/def.ts

@@ -1,6 +1,7 @@
 import type { ApolloDriverConfig } from '@nestjs/apollo';
 
 import type { LeafPaths } from '../utils/types';
+import type { AFFiNEStorageConfig } from './storage';
 
 declare global {
   // eslint-disable-next-line @typescript-eslint/no-namespace
@@ -165,30 +166,11 @@ export interface AFFiNEConfig {
   featureFlags: {
     earlyAccessPreview: boolean;
   };
+
   /**
-   * object storage Config
-   *
-   * all artifacts and logs will be stored on instance disk,
-   * and can not shared between instances if not configured
+   * Configuration for Object Storage, which defines how blobs and avatar assets are stored.
    */
-  objectStorage: {
-    /**
-     * whether use remote object storage
-     */
-    r2: {
-      enabled: boolean;
-      accountId: string;
-      bucket: string;
-      accessKeyId: string;
-      secretAccessKey: string;
-    };
-    /**
-     * Only used when `enable` is `false`
-     */
-    fs: {
-      path: string;
-    };
-  };
+  storage: AFFiNEStorageConfig;
 
   /**
    * Rate limiter config

packages/backend/server/src/config/default.ts

@@ -1,14 +1,13 @@
 /// <reference types="../global.d.ts" />
 
 import { createPrivateKey, createPublicKey } from 'node:crypto';
-import { homedir } from 'node:os';
-import { join } from 'node:path';
 
 import parse from 'parse-duration';
 
 import pkg from '../../package.json' assert { type: 'json' };
 import type { AFFiNEConfig, ServerFlavor } from './def';
 import { applyEnvToConfig } from './env';
+import { getDefaultAFFiNEStorageConfig } from './storage';
 
 export const SERVER_FLAVOR = (process.env.SERVER_FLAVOR ??
   'allinone') as ServerFlavor;
@@ -59,11 +58,6 @@ export const getDefaultAFFiNEConfig: () => AFFiNEConfig = () => {
       AFFINE_SERVER_SUB_PATH: 'path',
       AFFINE_ENV: 'affineEnv',
       DATABASE_URL: 'db.url',
-      ENABLE_R2_OBJECT_STORAGE: ['objectStorage.r2.enabled', 'boolean'],
-      R2_OBJECT_STORAGE_ACCOUNT_ID: 'objectStorage.r2.accountId',
-      R2_OBJECT_STORAGE_ACCESS_KEY_ID: 'objectStorage.r2.accessKeyId',
-      R2_OBJECT_STORAGE_SECRET_ACCESS_KEY: 'objectStorage.r2.secretAccessKey',
-      R2_OBJECT_STORAGE_BUCKET: 'objectStorage.r2.bucket',
       ENABLE_CAPTCHA: ['auth.captcha.enable', 'boolean'],
       CAPTCHA_TURNSTILE_SECRET: ['auth.captcha.turnstile.secret', 'string'],
       OAUTH_GOOGLE_ENABLED: ['auth.oauthProviders.google.enabled', 'boolean'],
@@ -180,18 +174,7 @@ export const getDefaultAFFiNEConfig: () => AFFiNEConfig = () => {
         password: '',
       },
     },
-    objectStorage: {
-      r2: {
-        enabled: false,
-        bucket: '',
-        accountId: '',
-        accessKeyId: '',
-        secretAccessKey: '',
-      },
-      fs: {
-        path: join(homedir(), '.affine-storage'),
-      },
-    },
+    storage: getDefaultAFFiNEStorageConfig(),
     rateLimiter: {
       ttl: 60,
       limit: 60,

packages/backend/server/src/config/index.ts

@@ -74,3 +74,4 @@ export class ConfigModule {
 
 export type { AFFiNEConfig } from './def';
 export { SERVER_FLAVOR } from './default';
+export * from './storage';

packages/backend/server/src/config/storage/index.ts

@@ -0,0 +1,59 @@
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+
+import { S3ClientConfigType } from '@aws-sdk/client-s3';
+
+export type StorageProviderType = 'fs' | 'r2' | 's3';
+export interface FsStorageConfig {
+  path: string;
+}
+export type R2StorageConfig = S3ClientConfigType & {
+  accountId: string;
+};
+export type S3StorageConfig = S3ClientConfigType;
+
+export type StorageTargetConfig<Ext = unknown> = {
+  provider: StorageProviderType;
+  bucket: string;
+} & Ext;
+
+export interface AFFiNEStorageConfig {
+  /**
+   * All providers for object storage
+   *
+   * Support different providers for different usage at the same time.
+   */
+  providers: {
+    fs?: FsStorageConfig;
+    s3?: S3StorageConfig;
+    r2?: R2StorageConfig;
+  };
+  storages: {
+    avatar: StorageTargetConfig<{ publicLinkFactory: (key: string) => string }>;
+    blob: StorageTargetConfig;
+  };
+}
+
+export type StorageProviders = AFFiNEStorageConfig['providers'];
+export type Storages = keyof AFFiNEStorageConfig['storages'];
+
+export function getDefaultAFFiNEStorageConfig(): AFFiNEStorageConfig {
+  return {
+    providers: {
+      fs: {
+        path: join(homedir(), '.affine/storage'),
+      },
+    },
+    storages: {
+      avatar: {
+        provider: 'fs',
+        bucket: 'avatars',
+        publicLinkFactory: key => `/api/avatars/${key}`,
+      },
+      blob: {
+        provider: 'fs',
+        bucket: 'blobs',
+      },
+    },
+  };
+}

packages/backend/server/src/data/app.ts

@@ -1,18 +1,32 @@
 import { Logger, Module } from '@nestjs/common';
 import { CommandFactory } from 'nest-commander';
 
-import { PrismaModule } from '../prisma';
+import { AppModule as BusinessAppModule } from '../app';
+import { ConfigModule } from '../config';
 import { CreateCommand, NameQuestion } from './commands/create';
 import { RevertCommand, RunCommand } from './commands/run';
 
 @Module({
-  imports: [PrismaModule],
+  imports: [
+    ConfigModule.forRoot({
+      doc: {
+        manager: {
+          enableUpdateAutoMerging: false,
+        },
+      },
+    }),
+    BusinessAppModule,
+  ],
   providers: [NameQuestion, CreateCommand, RunCommand, RevertCommand],
 })
 class AppModule {}
 
 async function bootstrap() {
-  await CommandFactory.run(AppModule, new Logger());
+  await CommandFactory.run(AppModule, new Logger()).catch(e => {
+    console.error(e);
+    process.exit(1);
+  });
+  process.exit(0);
 }
 
 await bootstrap();

packages/backend/server/src/data/commands/run.ts

@@ -3,6 +3,7 @@ import { join } from 'node:path';
 import { fileURLToPath } from 'node:url';
 
 import { Logger } from '@nestjs/common';
+import { ModuleRef } from '@nestjs/core';
 import { Command, CommandRunner } from 'nest-commander';
 
 import { PrismaService } from '../../prisma';
@@ -10,8 +11,8 @@ import { PrismaService } from '../../prisma';
 interface Migration {
   file: string;
   name: string;
-  up: (db: PrismaService) => Promise<void>;
-  down: (db: PrismaService) => Promise<void>;
+  up: (db: PrismaService, injector: ModuleRef) => Promise<void>;
+  down: (db: PrismaService, injector: ModuleRef) => Promise<void>;
 }
 
 export async function collectMigrations(): Promise<Migration[]> {
@@ -46,7 +47,10 @@ export async function collectMigrations(): Promise<Migration[]> {
 })
 export class RunCommand extends CommandRunner {
   logger = new Logger(RunCommand.name);
-  constructor(private readonly db: PrismaService) {
+  constructor(
+    private readonly db: PrismaService,
+    private readonly injector: ModuleRef
+  ) {
     super();
   }
 
@@ -103,14 +107,14 @@ export class RunCommand extends CommandRunner {
     });
 
     try {
-      await migration.up(this.db);
+      await migration.up(this.db, this.injector);
     } catch (e) {
       await this.db.dataMigration.delete({
         where: {
           id: record.id,
         },
       });
-      await migration.down(this.db);
+      await migration.down(this.db, this.injector);
       this.logger.error('Failed to run data migration', e);
       process.exit(1);
     }
@@ -134,7 +138,10 @@ export class RunCommand extends CommandRunner {
 export class RevertCommand extends CommandRunner {
   logger = new Logger(RevertCommand.name);
 
-  constructor(private readonly db: PrismaService) {
+  constructor(
+    private readonly db: PrismaService,
+    private readonly injector: ModuleRef
+  ) {
     super();
   }
 
@@ -168,7 +175,7 @@ export class RevertCommand extends CommandRunner {
 
     try {
       this.logger.log(`Reverting ${name}...`);
-      await migration.down(this.db);
+      await migration.down(this.db, this.injector);
       this.logger.log('Done reverting');
     } catch (e) {
       this.logger.error(`Failed to revert data migration ${name}`, e);

packages/backend/server/src/data/migrations/1698652531198-user-features-init.ts

@@ -1,13 +1,7 @@
-import { Prisma } from '@prisma/client';
-
-import {
-  CommonFeature,
-  FeatureKind,
-  Features,
-  FeatureType,
-} from '../../modules/features';
+import { Features } from '../../modules/features';
 import { Quotas } from '../../modules/quota/schema';
 import { PrismaService } from '../../prisma';
+import { migrateNewFeatureTable, upsertFeature } from './utils/user-features';
 
 export class UserFeaturesInit1698652531198 {
   // do the migration
@@ -28,95 +22,3 @@ export class UserFeaturesInit1698652531198 {
     // TODO: revert the migration
   }
 }
-
-// upgrade features from lower version to higher version
-async function upsertFeature(
-  db: PrismaService,
-  feature: CommonFeature
-): Promise<void> {
-  const hasEqualOrGreaterVersion =
-    (await db.features.count({
-      where: {
-        feature: feature.feature,
-        version: {
-          gte: feature.version,
-        },
-      },
-    })) > 0;
-  // will not update exists version
-  if (!hasEqualOrGreaterVersion) {
-    await db.features.create({
-      data: {
-        feature: feature.feature,
-        type: feature.type,
-        version: feature.version,
-        configs: feature.configs as Prisma.InputJsonValue,
-      },
-    });
-  }
-}
-
-async function migrateNewFeatureTable(prisma: PrismaService) {
-  const waitingList = await prisma.newFeaturesWaitingList.findMany();
-  for (const oldUser of waitingList) {
-    const user = await prisma.user.findFirst({
-      where: {
-        email: oldUser.email,
-      },
-    });
-    if (user) {
-      const hasEarlyAccess = await prisma.userFeatures.count({
-        where: {
-          userId: user.id,
-          feature: {
-            feature: FeatureType.EarlyAccess,
-          },
-          activated: true,
-        },
-      });
-      if (hasEarlyAccess === 0) {
-        await prisma.$transaction(async tx => {
-          const latestFlag = await tx.userFeatures.findFirst({
-            where: {
-              userId: user.id,
-              feature: {
-                feature: FeatureType.EarlyAccess,
-                type: FeatureKind.Feature,
-              },
-              activated: true,
-            },
-            orderBy: {
-              createdAt: 'desc',
-            },
-          });
-          if (latestFlag) {
-            return latestFlag.id;
-          } else {
-            return tx.userFeatures
-              .create({
-                data: {
-                  reason: 'Early access user',
-                  activated: true,
-                  user: {
-                    connect: {
-                      id: user.id,
-                    },
-                  },
-                  feature: {
-                    connect: {
-                      feature_version: {
-                        feature: FeatureType.EarlyAccess,
-                        version: 1,
-                      },
-                      type: FeatureKind.Feature,
-                    },
-                  },
-                },
-              })
-              .then(r => r.id);
-          }
-        });
-      }
-    }
-  }
-}

packages/backend/server/src/data/migrations/1703756315970-unamed-account.ts

@@ -0,0 +1,31 @@
+import type { UserType } from '../../modules/users';
+import { PrismaService } from '../../prisma';
+
+export class UnamedAccount1703756315970 {
+  // do the migration
+  static async up(db: PrismaService) {
+    await db.$transaction(async tx => {
+      // only find users with empty names
+      const users = await db.$queryRaw<
+        UserType[]
+      >`SELECT * FROM users WHERE name ~ E'^[\\s\\u2000-\\u200F]*$';`;
+      console.log(
+        `renaming ${users.map(({ email }) => email).join('|')} users`
+      );
+
+      await Promise.all(
+        users.map(({ id, email }) =>
+          tx.user.update({
+            where: { id },
+            data: {
+              name: email.split('@')[0],
+            },
+          })
+        )
+      );
+    });
+  }
+
+  // revert the migration
+  static async down(_db: PrismaService) {}
+}

packages/backend/server/src/data/migrations/1703828796699-workspace-blobs.ts

@@ -0,0 +1,38 @@
+import { ModuleRef } from '@nestjs/core';
+
+import { WorkspaceBlobStorage } from '../../modules/storage';
+import { PrismaService } from '../../prisma';
+
+export class WorkspaceBlobs1703828796699 {
+  // do the migration
+  static async up(db: PrismaService, injector: ModuleRef) {
+    const blobStorage = injector.get(WorkspaceBlobStorage, { strict: false });
+    let hasMore = true;
+    let turn = 0;
+    const eachTurnCount = 50;
+
+    while (hasMore) {
+      const blobs = await db.blob.findMany({
+        skip: turn * eachTurnCount,
+        take: eachTurnCount,
+        orderBy: {
+          createdAt: 'asc',
+        },
+      });
+
+      hasMore = blobs.length === eachTurnCount;
+      turn += 1;
+
+      await Promise.all(
+        blobs.map(async ({ workspaceId, hash, blob }) =>
+          blobStorage.put(workspaceId, hash, blob)
+        )
+      );
+    }
+  }
+
+  // revert the migration
+  static async down(_db: PrismaService) {
+    // old data kept, no need to downgrade the migration
+  }
+}

packages/backend/server/src/data/migrations/1704352562369-refresh-user-features.ts

@@ -0,0 +1,16 @@
+import { Features } from '../../modules/features';
+import { PrismaService } from '../../prisma';
+import { upsertFeature } from './utils/user-features';
+
+export class RefreshUserFeatures1704352562369 {
+  // do the migration
+  static async up(db: PrismaService) {
+    // add early access v2 & copilot feature
+    for (const feature of Features) {
+      await upsertFeature(db, feature);
+    }
+  }
+
+  // revert the migration
+  static async down(_db: PrismaService) {}
+}

packages/backend/server/src/data/migrations/utils/user-features.ts

@@ -0,0 +1,100 @@
+import { Prisma } from '@prisma/client';
+
+import {
+  CommonFeature,
+  FeatureKind,
+  FeatureType,
+} from '../../../modules/features';
+import { PrismaService } from '../../../prisma';
+
+// upgrade features from lower version to higher version
+export async function upsertFeature(
+  db: PrismaService,
+  feature: CommonFeature
+): Promise<void> {
+  const hasEqualOrGreaterVersion =
+    (await db.features.count({
+      where: {
+        feature: feature.feature,
+        version: {
+          gte: feature.version,
+        },
+      },
+    })) > 0;
+  // will not update exists version
+  if (!hasEqualOrGreaterVersion) {
+    await db.features.create({
+      data: {
+        feature: feature.feature,
+        type: feature.type,
+        version: feature.version,
+        configs: feature.configs as Prisma.InputJsonValue,
+      },
+    });
+  }
+}
+
+export async function migrateNewFeatureTable(prisma: PrismaService) {
+  const waitingList = await prisma.newFeaturesWaitingList.findMany();
+  for (const oldUser of waitingList) {
+    const user = await prisma.user.findFirst({
+      where: {
+        email: oldUser.email,
+      },
+    });
+    if (user) {
+      const hasEarlyAccess = await prisma.userFeatures.count({
+        where: {
+          userId: user.id,
+          feature: {
+            feature: FeatureType.EarlyAccess,
+          },
+          activated: true,
+        },
+      });
+      if (hasEarlyAccess === 0) {
+        await prisma.$transaction(async tx => {
+          const latestFlag = await tx.userFeatures.findFirst({
+            where: {
+              userId: user.id,
+              feature: {
+                feature: FeatureType.EarlyAccess,
+                type: FeatureKind.Feature,
+              },
+              activated: true,
+            },
+            orderBy: {
+              createdAt: 'desc',
+            },
+          });
+          if (latestFlag) {
+            return latestFlag.id;
+          } else {
+            return tx.userFeatures
+              .create({
+                data: {
+                  reason: 'Early access user',
+                  activated: true,
+                  user: {
+                    connect: {
+                      id: user.id,
+                    },
+                  },
+                  feature: {
+                    connect: {
+                      feature_version: {
+                        feature: FeatureType.EarlyAccess,
+                        version: 1,
+                      },
+                      type: FeatureKind.Feature,
+                    },
+                  },
+                },
+              })
+              .then(r => r.id);
+          }
+        });
+      }
+    }
+  }
+}

packages/backend/server/src/event/events.ts

@@ -1,10 +1,16 @@
-import type { Snapshot, Workspace } from '@prisma/client';
+import type { Snapshot, User, Workspace } from '@prisma/client';
 
 import { Flatten, Payload } from './types';
 
 interface EventDefinitions {
   workspace: {
     deleted: Payload<Workspace['id']>;
+    blob: {
+      deleted: Payload<{
+        workspaceId: Workspace['id'];
+        name: string;
+      }>;
+    };
   };
 
   snapshot: {
@@ -15,6 +21,10 @@ interface EventDefinitions {
     >;
     deleted: Payload<Pick<Snapshot, 'id' | 'workspaceId'>>;
   };
+
+  user: {
+    deleted: Payload<User>;
+  };
 }
 
 export type EventKV = Flatten<EventDefinitions>;

packages/backend/server/src/index.ts

@@ -5,7 +5,6 @@ startAutoMetrics();
 import { NestFactory } from '@nestjs/core';
 import type { NestExpressApplication } from '@nestjs/platform-express';
 import cookieParser from 'cookie-parser';
-import { static as staticMiddleware } from 'express';
 import graphqlUploadExpress from 'graphql-upload/graphqlUploadExpress.mjs';
 
 import { AppModule } from './app';
@@ -43,10 +42,6 @@ const config = app.get(Config);
 const host = config.node.prod ? '0.0.0.0' : 'localhost';
 const port = config.port ?? 3010;
 
-if (!config.objectStorage.r2.enabled) {
-  app.use('/assets', staticMiddleware(config.objectStorage.fs.path));
-}
-
 if (config.redis.enabled) {
   const redisIoAdapter = new RedisIoAdapter(app);
   await redisIoAdapter.connectToRedis(

packages/backend/server/src/metrics/opentelemetry.ts

@@ -29,7 +29,9 @@ import {
   SpanExporter,
   TraceIdRatioBasedSampler,
 } from '@opentelemetry/sdk-trace-node';
-import { PrismaInstrumentation } from '@prisma/instrumentation';
+import prismaInstrument from '@prisma/instrumentation';
+
+const { PrismaInstrumentation } = prismaInstrument;
 
 import { PrismaMetricProducer } from './prisma';
 

packages/backend/server/src/modules/auth/service.ts

@@ -51,7 +51,7 @@ export class AuthService {
         exp: now + this.config.auth.accessTokenExpiresIn,
         iss: this.config.serverId,
         sub: user.id,
-        aud: user.name,
+        aud: 'https://affine.pro',
         jti: randomUUID({
           disableEntropyCache: true,
         }),
@@ -80,7 +80,7 @@ export class AuthService {
         iat: now,
         iss: this.config.serverId,
         sub: user.id,
-        aud: user.name,
+        aud: 'https://affine.pro',
         jti: randomUUID({
           disableEntropyCache: true,
         }),
@@ -100,6 +100,7 @@ export class AuthService {
           iss: [this.config.serverId],
           leeway: this.config.auth.leeway,
           requiredSpecClaims: ['exp', 'iat', 'iss', 'sub'],
+          aud: ['https://affine.pro'],
         })
       ).data as UserClaim;
 

packages/backend/server/src/modules/auth/utils/jwt.ts

@@ -38,7 +38,7 @@ export const jwtEncode = async (
       exp: now + (maxAge ?? config.auth.accessTokenExpiresIn),
       iss: config.serverId,
       sub: user.id,
-      aud: user.name,
+      aud: 'https://affine.pro',
       jti: randomUUID({
         disableEntropyCache: true,
       }),

packages/backend/server/src/modules/features/feature.ts

@@ -19,7 +19,20 @@ class FeatureConfig {
   }
 }
 
+export class CopilotFeatureConfig extends FeatureConfig {
+  override config!: Feature & { feature: FeatureType.Copilot };
+  constructor(data: any) {
+    super(data);
+
+    if (this.config.feature !== FeatureType.Copilot) {
+      throw new Error('Invalid feature config: type is not Copilot');
+    }
+  }
+}
+
 export class EarlyAccessFeatureConfig extends FeatureConfig {
+  override config!: Feature & { feature: FeatureType.EarlyAccess };
+
   constructor(data: any) {
     super(data);
 
@@ -27,25 +40,18 @@ export class EarlyAccessFeatureConfig extends FeatureConfig {
       throw new Error('Invalid feature config: type is not EarlyAccess');
     }
   }
-
-  checkWhiteList(email: string) {
-    for (const domain in this.config.configs.whitelist) {
-      if (email.endsWith(domain)) {
-        return true;
-      }
-    }
-    return false;
-  }
 }
 
 const FeatureConfigMap = {
+  [FeatureType.Copilot]: CopilotFeatureConfig,
   [FeatureType.EarlyAccess]: EarlyAccessFeatureConfig,
 };
 
-const FeatureCache = new Map<
-  number,
-  InstanceType<(typeof FeatureConfigMap)[FeatureType]>
->();
+export type FeatureConfigType<F extends FeatureType> = InstanceType<
+  (typeof FeatureConfigMap)[F]
+>;
+
+const FeatureCache = new Map<number, FeatureConfigType<FeatureType>>();
 
 export async function getFeature(prisma: PrismaService, featureId: number) {
   const cachedQuota = FeatureCache.get(featureId);

packages/backend/server/src/modules/features/management.ts

@@ -1,35 +1,32 @@
-import { Injectable, Logger, OnModuleInit } from '@nestjs/common';
+import { Injectable, Logger } from '@nestjs/common';
 
 import { Config } from '../../config';
 import { PrismaService } from '../../prisma';
-import { EarlyAccessFeatureConfig } from './feature';
 import { FeatureService } from './service';
 import { FeatureType } from './types';
 
-enum NewFeaturesKind {
-  EarlyAccess,
-}
+const STAFF = ['@toeverything.info'];
 
 @Injectable()
-export class FeatureManagementService implements OnModuleInit {
+export class FeatureManagementService {
   protected logger = new Logger(FeatureManagementService.name);
-  private earlyAccessFeature?: EarlyAccessFeatureConfig;
+
   constructor(
     private readonly feature: FeatureService,
     private readonly prisma: PrismaService,
     private readonly config: Config
   ) {}
-  async onModuleInit() {
-    this.earlyAccessFeature = await this.feature.getFeature(
-      FeatureType.EarlyAccess
-    );
-  }
 
   // ======== Admin ========
 
   // todo(@darkskygit): replace this with abac
   isStaff(email: string) {
-    return this.earlyAccessFeature?.checkWhiteList(email) ?? false;
+    for (const domain of STAFF) {
+      if (email.endsWith(domain)) {
+        return true;
+      }
+    }
+    return false;
   }
 
   // ======== Early Access ========
@@ -38,7 +35,7 @@ export class FeatureManagementService implements OnModuleInit {
     return this.feature.addUserFeature(
       userId,
       FeatureType.EarlyAccess,
-      1,
+      2,
       'Early access user'
     );
   }
@@ -61,29 +58,54 @@ export class FeatureManagementService implements OnModuleInit {
       });
       if (user) {
         const canEarlyAccess = await this.feature
-          .hasFeature(user.id, FeatureType.EarlyAccess)
+          .hasUserFeature(user.id, FeatureType.EarlyAccess)
           .catch(() => false);
-        if (canEarlyAccess) {
-          return true;
-        }
 
-        // TODO: Outdated, switch to feature gates
-        const oldCanEarlyAccess = await this.prisma.newFeaturesWaitingList
-          .findUnique({
-            where: { email, type: NewFeaturesKind.EarlyAccess },
-          })
-          .then(x => !!x)
-          .catch(() => false);
-        if (oldCanEarlyAccess) {
-          this.logger.warn(
-            `User ${email} has early access in old table but not in new table`
-          );
-        }
-        return oldCanEarlyAccess;
+        return canEarlyAccess;
       }
       return false;
     } else {
       return true;
     }
   }
+
+  // ======== Workspace Feature ========
+  async addWorkspaceFeatures(
+    workspaceId: string,
+    feature: FeatureType,
+    version?: number,
+    reason?: string
+  ) {
+    const latestVersions = await this.feature.getFeaturesVersion();
+    // use latest version if not specified
+    const latestVersion = version || latestVersions[feature];
+    if (!Number.isInteger(latestVersion)) {
+      throw new Error(`Version of feature ${feature} not found`);
+    }
+    return this.feature.addWorkspaceFeature(
+      workspaceId,
+      feature,
+      latestVersion,
+      reason || 'add feature by api'
+    );
+  }
+
+  async getWorkspaceFeatures(workspaceId: string) {
+    const features = await this.feature.getWorkspaceFeatures(workspaceId);
+    return features.filter(f => f.activated).map(f => f.feature.name);
+  }
+
+  async hasWorkspaceFeature(workspaceId: string, feature: FeatureType) {
+    return this.feature.hasWorkspaceFeature(workspaceId, feature);
+  }
+
+  async removeWorkspaceFeature(workspaceId: string, feature: FeatureType) {
+    return this.feature
+      .removeWorkspaceFeature(workspaceId, feature)
+      .then(c => c > 0);
+  }
+
+  async listFeatureWorkspaces(feature: FeatureType) {
+    return this.feature.listFeatureWorkspaces(feature);
+  }
 }

packages/backend/server/src/modules/features/service.ts

@@ -2,7 +2,8 @@ import { Injectable } from '@nestjs/common';
 
 import { PrismaService } from '../../prisma';
 import { UserType } from '../users/types';
-import { getFeature } from './feature';
+import { WorkspaceType } from '../workspaces/types';
+import { FeatureConfigType, getFeature } from './feature';
 import { FeatureKind, FeatureType } from './types';
 
 @Injectable()
@@ -21,14 +22,23 @@ export class FeatureService {
     });
     return features.reduce(
       (acc, feature) => {
-        acc[feature.feature] = feature.version;
+        // only keep the latest version
+        if (acc[feature.feature]) {
+          if (acc[feature.feature] < feature.version) {
+            acc[feature.feature] = feature.version;
+          }
+        } else {
+          acc[feature.feature] = feature.version;
+        }
         return acc;
       },
       {} as Record<string, number>
     );
   }
 
-  async getFeature(feature: FeatureType) {
+  async getFeature<F extends FeatureType>(
+    feature: F
+  ): Promise<FeatureConfigType<F> | undefined> {
     const data = await this.prisma.features.findFirst({
       where: {
         feature,
@@ -40,11 +50,13 @@ export class FeatureService {
       },
     });
     if (data) {
-      return getFeature(this.prisma, data.id);
+      return getFeature(this.prisma, data.id) as FeatureConfigType<F>;
     }
     return undefined;
   }
 
+  // ======== User Features ========
+
   async addUserFeature(
     userId: string,
     feature: FeatureType,
@@ -114,6 +126,11 @@ export class FeatureService {
       .then(r => r.count);
   }
 
+  /**
+   * get user's features, will included inactivated features
+   * @param userId user id
+   * @returns list of features
+   */
   async getUserFeatures(userId: string) {
     const features = await this.prisma.userFeatures.findMany({
       where: {
@@ -167,7 +184,7 @@ export class FeatureService {
       .then(users => users.map(user => user.user));
   }
 
-  async hasFeature(userId: string, feature: FeatureType) {
+  async hasUserFeature(userId: string, feature: FeatureType) {
     return this.prisma.userFeatures
       .count({
         where: {
@@ -181,4 +198,145 @@ export class FeatureService {
       })
       .then(count => count > 0);
   }
+
+  // ======== Workspace Features ========
+
+  async addWorkspaceFeature(
+    workspaceId: string,
+    feature: FeatureType,
+    version: number,
+    reason: string,
+    expiredAt?: Date | string
+  ) {
+    return this.prisma.$transaction(async tx => {
+      const latestFlag = await tx.workspaceFeatures.findFirst({
+        where: {
+          workspaceId,
+          feature: {
+            feature,
+            type: FeatureKind.Feature,
+          },
+          activated: true,
+        },
+        orderBy: {
+          createdAt: 'desc',
+        },
+      });
+      if (latestFlag) {
+        return latestFlag.id;
+      } else {
+        return tx.workspaceFeatures
+          .create({
+            data: {
+              reason,
+              expiredAt,
+              activated: true,
+              workspace: {
+                connect: {
+                  id: workspaceId,
+                },
+              },
+              feature: {
+                connect: {
+                  feature_version: {
+                    feature,
+                    version,
+                  },
+                  type: FeatureKind.Feature,
+                },
+              },
+            },
+          })
+          .then(r => r.id);
+      }
+    });
+  }
+
+  async removeWorkspaceFeature(workspaceId: string, feature: FeatureType) {
+    return this.prisma.workspaceFeatures
+      .updateMany({
+        where: {
+          workspaceId,
+          feature: {
+            feature,
+            type: FeatureKind.Feature,
+          },
+          activated: true,
+        },
+        data: {
+          activated: false,
+        },
+      })
+      .then(r => r.count);
+  }
+
+  /**
+   * get workspace's features, will included inactivated features
+   * @param workspaceId workspace id
+   * @returns list of features
+   */
+  async getWorkspaceFeatures(workspaceId: string) {
+    const features = await this.prisma.workspaceFeatures.findMany({
+      where: {
+        workspace: { id: workspaceId },
+        feature: {
+          type: FeatureKind.Feature,
+        },
+      },
+      select: {
+        activated: true,
+        reason: true,
+        createdAt: true,
+        expiredAt: true,
+        featureId: true,
+      },
+    });
+
+    const configs = await Promise.all(
+      features.map(async feature => ({
+        ...feature,
+        feature: await getFeature(this.prisma, feature.featureId),
+      }))
+    );
+
+    return configs.filter(feature => !!feature.feature);
+  }
+
+  async listFeatureWorkspaces(feature: FeatureType): Promise<WorkspaceType[]> {
+    return this.prisma.workspaceFeatures
+      .findMany({
+        where: {
+          activated: true,
+          feature: {
+            feature: feature,
+            type: FeatureKind.Feature,
+          },
+        },
+        select: {
+          workspace: {
+            select: {
+              id: true,
+              public: true,
+              createdAt: true,
+            },
+          },
+        },
+      })
+      .then(wss => wss.map(ws => ws.workspace as WorkspaceType));
+  }
+
+  async hasWorkspaceFeature(workspaceId: string, feature: FeatureType) {
+    return this.prisma.workspaceFeatures
+      .count({
+        where: {
+          workspaceId,
+          activated: true,
+          feature: {
+            feature,
+            type: FeatureKind.Feature,
+          },
+        },
+      })
+      .then(count => count > 0);
+  }
 }

packages/backend/server/src/modules/features/types/common.ts

@@ -0,0 +1,11 @@
+import { registerEnumType } from '@nestjs/graphql';
+
+export enum FeatureType {
+  Copilot = 'copilot',
+  EarlyAccess = 'early_access',
+}
+
+registerEnumType(FeatureType, {
+  name: 'FeatureType',
+  description: 'The type of workspace feature',
+});

packages/backend/server/src/modules/features/types/copilot.ts

@@ -0,0 +1,8 @@
+import { z } from 'zod';
+
+import { FeatureType } from './common';
+
+export const featureCopilot = z.object({
+  feature: z.literal(FeatureType.Copilot),
+  configs: z.object({}),
+});

packages/backend/server/src/modules/features/types/early-access.ts

@@ -0,0 +1,8 @@
+import { z } from 'zod';
+
+import { FeatureType } from './common';
+
+export const featureEarlyAccess = z.object({
+  feature: z.literal(FeatureType.EarlyAccess),
+  configs: z.object({}),
+});

packages/backend/server/src/modules/features/types/index.ts

@@ -1,7 +1,9 @@
-import { URL } from 'node:url';
-
 import { z } from 'zod';
 
+import { FeatureType } from './common';
+import { featureCopilot } from './copilot';
+import { featureEarlyAccess } from './early-access';
+
 /// ======== common schema ========
 
 export enum FeatureKind {
@@ -20,30 +22,13 @@ export type CommonFeature = z.infer<typeof commonFeatureSchema>;
 
 /// ======== feature define ========
 
-export enum FeatureType {
-  EarlyAccess = 'early_access',
-}
-
-function checkHostname(host: string) {
-  try {
-    return new URL(`https://${host}`).hostname === host;
-  } catch (_) {
-    return false;
-  }
-}
-
-const featureEarlyAccess = z.object({
-  feature: z.literal(FeatureType.EarlyAccess),
-  configs: z.object({
-    whitelist: z
-      .string()
-      .startsWith('@')
-      .refine(domain => checkHostname(domain.slice(1)))
-      .array(),
-  }),
-});
-
 export const Features: Feature[] = [
+  {
+    feature: FeatureType.Copilot,
+    type: FeatureKind.Feature,
+    version: 1,
+    configs: {},
+  },
   {
     feature: FeatureType.EarlyAccess,
     type: FeatureKind.Feature,
@@ -52,6 +37,12 @@ export const Features: Feature[] = [
       whitelist: ['@toeverything.info'],
     },
   },
+  {
+    feature: FeatureType.EarlyAccess,
+    type: FeatureKind.Feature,
+    version: 2,
+    configs: {},
+  },
 ];
 
 /// ======== schema infer ========
@@ -60,6 +51,8 @@ export const FeatureSchema = commonFeatureSchema
   .extend({
     type: z.literal(FeatureKind.Feature),
   })
-  .and(z.discriminatedUnion('feature', [featureEarlyAccess]));
+  .and(z.discriminatedUnion('feature', [featureCopilot, featureEarlyAccess]));
 
 export type Feature = z.infer<typeof FeatureSchema>;
+
+export { FeatureType };

packages/backend/server/src/modules/index.ts

@@ -8,6 +8,7 @@ import { DocModule } from './doc';
 import { PaymentModule } from './payment';
 import { QuotaModule } from './quota';
 import { SelfHostedModule } from './self-hosted';
+import { StorageModule } from './storage';
 import { SyncModule } from './sync';
 import { UsersModule } from './users';
 import { WorkspaceModule } from './workspaces';
@@ -27,7 +28,8 @@ switch (SERVER_FLAVOR) {
       WorkspaceModule,
       UsersModule,
       SyncModule,
-      DocModule
+      DocModule,
+      StorageModule
     );
     break;
   case 'graphql':
@@ -39,7 +41,8 @@ switch (SERVER_FLAVOR) {
       UsersModule,
       DocModule,
       PaymentModule,
-      QuotaModule
+      QuotaModule,
+      StorageModule
     );
     break;
   case 'allinone':
@@ -53,7 +56,8 @@ switch (SERVER_FLAVOR) {
       QuotaModule,
       SyncModule,
       DocModule,
-      PaymentModule
+      PaymentModule,
+      StorageModule
     );
     break;
 }

packages/backend/server/src/modules/quota/index.ts

@@ -1,5 +1,6 @@
 import { Module } from '@nestjs/common';
 
+import { StorageModule } from '../storage';
 import { PermissionService } from '../workspaces/permission';
 import { QuotaService } from './service';
 import { QuotaManagementService } from './storage';
@@ -11,6 +12,7 @@ import { QuotaManagementService } from './storage';
  * - quota statistics
  */
 @Module({
+  imports: [StorageModule],
   providers: [PermissionService, QuotaService, QuotaManagementService],
   exports: [QuotaService, QuotaManagementService],
 })

packages/backend/server/src/modules/quota/storage.ts

@@ -1,7 +1,6 @@
-import type { Storage } from '@affine/storage';
-import { Inject, Injectable, NotFoundException } from '@nestjs/common';
+import { Injectable, NotFoundException } from '@nestjs/common';
 
-import { StorageProvide } from '../../storage';
+import { WorkspaceBlobStorage } from '../storage';
 import { PermissionService } from '../workspaces/permission';
 import { QuotaService } from './service';
 
@@ -10,7 +9,7 @@ export class QuotaManagementService {
   constructor(
     private readonly quota: QuotaService,
     private readonly permissions: PermissionService,
-    @Inject(StorageProvide) private readonly storage: Storage
+    private readonly storage: WorkspaceBlobStorage
   ) {}
 
   async getUserQuota(userId: string) {
@@ -29,7 +28,12 @@ export class QuotaManagementService {
   // TODO: lazy calc, need to be optimized with cache
   async getUserUsage(userId: string) {
     const workspaces = await this.permissions.getOwnedWorkspaces(userId);
-    return this.storage.blobsSize(workspaces);
+
+    const sizes = await Promise.all(
+      workspaces.map(workspace => this.storage.totalSize(workspace))
+    );
+
+    return sizes.reduce((total, size) => total + size, 0);
   }
 
   // get workspace's owner quota and total size of used

packages/backend/server/src/modules/storage/__tests__/fs.spec.ts

@@ -0,0 +1,113 @@
+import { promises as fs } from 'node:fs';
+import { join } from 'node:path';
+
+import test from 'ava';
+import { getStreamAsBuffer } from 'get-stream';
+
+import { ListObjectsMetadata } from '../providers';
+import { FsStorageProvider } from '../providers/fs';
+
+const config = {
+  path: join(process.cwd(), 'node_modules', '.cache/affine-test-storage'),
+};
+
+function createProvider() {
+  return new FsStorageProvider(
+    config,
+    'test' + Math.random().toString(16).substring(2, 8)
+  );
+}
+
+function keys(list: ListObjectsMetadata[]) {
+  return list.map(i => i.key);
+}
+
+async function randomPut(
+  provider: FsStorageProvider,
+  prefix = ''
+): Promise<string> {
+  const key = prefix + 'test-key-' + Math.random().toString(16).substring(2, 8);
+  const body = Buffer.from(key);
+  provider.put(key, body);
+  return key;
+}
+
+test.after.always(() => {
+  fs.rm(config.path, { recursive: true });
+});
+
+test('put & get', async t => {
+  const provider = createProvider();
+  const key = 'testKey';
+  const body = Buffer.from('testBody');
+  await provider.put(key, body);
+
+  const result = await provider.get(key);
+
+  t.deepEqual(await getStreamAsBuffer(result.body!), body);
+  t.is(result.metadata?.contentLength, body.length);
+});
+
+test('list - one level', async t => {
+  const provider = createProvider();
+  const list = await Promise.all(
+    Array.from({ length: 100 }).map(() => randomPut(provider))
+  );
+  list.sort();
+  // random order, use set
+  const result = await provider.list();
+  t.deepEqual(keys(result), list);
+
+  const result2 = await provider.list('test-key');
+  t.deepEqual(keys(result2), list);
+
+  const result3 = await provider.list('testKey');
+  t.is(result3.length, 0);
+});
+
+test('list recursively', async t => {
+  const provider = createProvider();
+
+  await Promise.all([
+    Promise.all(Array.from({ length: 10 }).map(() => randomPut(provider))),
+    Promise.all(
+      Array.from({ length: 10 }).map(() => randomPut(provider, 'a/'))
+    ),
+    Promise.all(
+      Array.from({ length: 10 }).map(() => randomPut(provider, 'a/b/'))
+    ),
+    Promise.all(
+      Array.from({ length: 10 }).map(() => randomPut(provider, 'a/b/t/'))
+    ),
+  ]);
+
+  const r1 = await provider.list();
+  t.is(r1.length, 40);
+
+  // contains all `a/xxx` and `a/b/xxx` and `a/b/c/xxx`
+  const r2 = await provider.list('a');
+  t.is(r2.length, 30);
+
+  // contains only `a/b/xxx`
+  const r3 = await provider.list('a/b');
+  const r4 = await provider.list('a/b/');
+  t.is(r3.length, 20);
+  t.deepEqual(r3, r4);
+
+  // prefix is not ended with '/', it's open to all files and sub dirs
+  // contains all `a/b/t/xxx` and `a/b/t{xxxx}`
+  const r5 = await provider.list('a/b/t');
+
+  t.is(r5.length, 20);
+});
+
+test.only('delete', async t => {
+  const provider = createProvider();
+  const key = 'testKey';
+  const body = Buffer.from('testBody');
+  await provider.put(key, body);
+
+  await provider.delete(key);
+
+  await t.throwsAsync(() => fs.access(join(config.path, provider.bucket, key)));
+});

packages/backend/server/src/modules/storage/fs.ts

@@ -1,30 +0,0 @@
-import { randomUUID } from 'node:crypto';
-import { createWriteStream } from 'node:fs';
-import { mkdir } from 'node:fs/promises';
-import { join } from 'node:path';
-import { pipeline } from 'node:stream/promises';
-
-import { Injectable } from '@nestjs/common';
-
-import { Config } from '../../config';
-import { FileUpload } from '../../types';
-
-@Injectable()
-export class FSService {
-  constructor(private readonly config: Config) {}
-
-  async writeFile(key: string, file: FileUpload) {
-    const dest = this.config.objectStorage.fs.path;
-    const fileName = `${key}-${randomUUID()}`;
-    const prefix = this.config.node.dev
-      ? `${this.config.https ? 'https' : 'http'}://${this.config.host}:${
-          this.config.port
-        }`
-      : '';
-    await mkdir(dest, { recursive: true });
-    const destFile = join(dest, fileName);
-    await pipeline(file.createReadStream(), createWriteStream(destFile));
-
-    return `${prefix}/assets/${fileName}`;
-  }
-}

packages/backend/server/src/modules/storage/index.ts

@@ -1,11 +1,11 @@
 import { Module } from '@nestjs/common';
 
-import { FSService } from './fs';
-import { S3 } from './s3';
-import { StorageService } from './storage.service';
+import { AvatarStorage, WorkspaceBlobStorage } from './wrappers';
 
 @Module({
-  providers: [S3, StorageService, FSService],
-  exports: [StorageService],
+  providers: [WorkspaceBlobStorage, AvatarStorage],
+  exports: [WorkspaceBlobStorage, AvatarStorage],
 })
 export class StorageModule {}
+
+export { AvatarStorage, WorkspaceBlobStorage };

packages/backend/server/src/modules/storage/providers/fs.ts

@@ -0,0 +1,258 @@
+import {
+  accessSync,
+  constants,
+  createReadStream,
+  Dirent,
+  mkdirSync,
+  readdirSync,
+  readFileSync,
+  rmSync,
+  statSync,
+  writeFileSync,
+} from 'node:fs';
+import { join, parse, resolve } from 'node:path';
+
+import { Logger } from '@nestjs/common';
+import { Readable } from 'stream';
+
+import { FsStorageConfig } from '../../../config/storage';
+import {
+  BlobInputType,
+  GetObjectMetadata,
+  ListObjectsMetadata,
+  PutObjectMetadata,
+  StorageProvider,
+} from './provider';
+import { autoMetadata, toBuffer } from './utils';
+
+function escapeKey(key: string): string {
+  // avoid '../' and './' in key
+  return key.replace(/\.?\.[/\\]/g, '%');
+}
+
+export class FsStorageProvider implements StorageProvider {
+  private readonly path: string;
+  private readonly logger: Logger;
+
+  readonly type = 'fs';
+
+  constructor(
+    config: FsStorageConfig,
+    public readonly bucket: string
+  ) {
+    this.path = resolve(config.path, bucket);
+    this.ensureAvailability();
+
+    this.logger = new Logger(`${FsStorageProvider.name}:${bucket}`);
+  }
+
+  async put(
+    key: string,
+    body: BlobInputType,
+    metadata: PutObjectMetadata = {}
+  ): Promise<void> {
+    key = escapeKey(key);
+    const blob = await toBuffer(body);
+
+    // write object
+    this.writeObject(key, blob);
+    // write metadata
+    await this.writeMetadata(key, blob, metadata);
+    this.logger.verbose(`Object \`${key}\` put`);
+  }
+
+  async get(key: string): Promise<{
+    body?: Readable;
+    metadata?: GetObjectMetadata;
+  }> {
+    key = escapeKey(key);
+
+    try {
+      const metadata = this.readMetadata(key);
+      const stream = this.readObject(this.join(key));
+      this.logger.verbose(`Read object \`${key}\``);
+      return {
+        body: stream,
+        metadata,
+      };
+    } catch (e) {
+      this.logger.error(`Failed to read object \`${key}\``, e);
+      return {};
+    }
+  }
+
+  async list(prefix?: string): Promise<ListObjectsMetadata[]> {
+    // prefix cases:
+    // - `undefined`: list all objects
+    // - `a/b`: list objects under dir `a` with prefix `b`, `b` might be a dir under `a` as well.
+    // - `a/b/` list objects under dir `a/b`
+
+    // read dir recursively and filter out '.metadata.json' files
+    let dir = this.path;
+    if (prefix) {
+      prefix = escapeKey(prefix);
+      const parts = prefix.split(/[/\\]/);
+      // for prefix `a/b/c`, move `a/b` to dir and `c` to key prefix
+      if (parts.length > 1) {
+        dir = join(dir, ...parts.slice(0, -1));
+        prefix = parts[parts.length - 1];
+      }
+    }
+
+    const results: ListObjectsMetadata[] = [];
+    async function getFiles(dir: string, prefix?: string): Promise<void> {
+      try {
+        const entries: Dirent[] = readdirSync(dir, { withFileTypes: true });
+
+        for (const entry of entries) {
+          const res = join(dir, entry.name);
+
+          if (entry.isDirectory()) {
+            if (!prefix || entry.name.startsWith(prefix)) {
+              await getFiles(res);
+            }
+          } else if (
+            (!prefix || entry.name.startsWith(prefix)) &&
+            !entry.name.endsWith('.metadata.json')
+          ) {
+            const stat = statSync(res);
+            results.push({
+              key: res,
+              lastModified: stat.mtime,
+              size: stat.size,
+            });
+          }
+        }
+      } catch (e) {
+        // failed to read dir, stop recursion
+      }
+    }
+
+    await getFiles(dir, prefix);
+
+    // trim path with `this.path` prefix
+    results.forEach(r => (r.key = r.key.slice(this.path.length + 1)));
+
+    return results;
+  }
+
+  delete(key: string): Promise<void> {
+    key = escapeKey(key);
+
+    try {
+      rmSync(this.join(key), { force: true });
+      rmSync(this.join(`${key}.metadata.json`), { force: true });
+    } catch (e) {
+      throw new Error(`Failed to delete object \`${key}\``, {
+        cause: e,
+      });
+    }
+
+    this.logger.verbose(`Object \`${key}\` deleted`);
+
+    return Promise.resolve();
+  }
+
+  ensureAvailability() {
+    // check stats
+    const stats = statSync(this.path, {
+      throwIfNoEntry: false,
+    });
+
+    // not existing, create it
+    if (!stats) {
+      try {
+        mkdirSync(this.path, { recursive: true });
+      } catch (e) {
+        throw new Error(
+          `Failed to create target directory for fs storage provider: ${this.path}`,
+          {
+            cause: e,
+          }
+        );
+      }
+    } else if (stats.isDirectory()) {
+      // the target directory has already existed, check if it is readable & writable
+      try {
+        accessSync(this.path, constants.W_OK | constants.R_OK);
+      } catch (e) {
+        throw new Error(
+          `The target directory for fs storage provider has already existed, but it is not readable & writable: ${this.path}`,
+          {
+            cause: e,
+          }
+        );
+      }
+    } else if (stats.isFile()) {
+      throw new Error(
+        `The target directory for fs storage provider is a file: ${this.path}`
+      );
+    }
+  }
+
+  private join(...paths: string[]) {
+    return join(this.path, ...paths);
+  }
+
+  private readObject(file: string): Readable | undefined {
+    const state = statSync(file, { throwIfNoEntry: false });
+
+    if (state?.isFile()) {
+      return createReadStream(file);
+    }
+
+    return undefined;
+  }
+
+  private writeObject(key: string, blob: Buffer) {
+    const path = this.join(key);
+    mkdirSync(parse(path).dir, { recursive: true });
+    writeFileSync(path, blob);
+  }
+
+  private async writeMetadata(
+    key: string,
+    blob: Buffer,
+    raw: PutObjectMetadata
+  ) {
+    try {
+      const metadata = await autoMetadata(blob, raw);
+
+      if (raw.checksumCRC32 && metadata.checksumCRC32 !== raw.checksumCRC32) {
+        throw new Error(
+          'The checksum of the uploaded file is not matched with the one you provide, the file may be corrupted and the uploading will not be processed.'
+        );
+      }
+
+      writeFileSync(
+        this.join(`${key}.metadata.json`),
+        JSON.stringify({
+          ...metadata,
+          lastModified: Date.now(),
+        })
+      );
+    } catch (e) {
+      this.logger.warn(`Failed to write metadata of object \`${key}\``, e);
+    }
+  }
+
+  private readMetadata(key: string): GetObjectMetadata | undefined {
+    try {
+      const raw = JSON.parse(
+        readFileSync(this.join(`${key}.metadata.json`), {
+          encoding: 'utf-8',
+        })
+      );
+
+      return {
+        ...raw,
+        lastModified: new Date(raw.lastModified),
+        expires: raw.expires ? new Date(raw.expires) : undefined,
+      };
+    } catch (e) {
+      this.logger.warn(`Failed to read metadata of object \`${key}\``, e);
+
+      return;
+    }
+  }
+}

packages/backend/server/src/modules/storage/providers/index.ts

@@ -0,0 +1,34 @@
+import { AFFiNEStorageConfig, Storages } from '../../../config/storage';
+import { FsStorageProvider } from './fs';
+import type { StorageProvider } from './provider';
+import { R2StorageProvider } from './r2';
+import { S3StorageProvider } from './s3';
+
+export function createStorageProvider(
+  config: AFFiNEStorageConfig,
+  storage: Storages
+): StorageProvider {
+  const storageConfig = config.storages[storage];
+  const providerConfig = config.providers[storageConfig.provider] as any;
+  if (!providerConfig) {
+    throw new Error(
+      `Failed to create ${storageConfig.provider} storage, configuration not correctly set`
+    );
+  }
+
+  if (storageConfig.provider === 's3') {
+    return new S3StorageProvider(providerConfig, storageConfig.bucket);
+  }
+
+  if (storageConfig.provider === 'r2') {
+    return new R2StorageProvider(providerConfig, storageConfig.bucket);
+  }
+
+  if (storageConfig.provider === 'fs') {
+    return new FsStorageProvider(providerConfig, storageConfig.bucket);
+  }
+
+  throw new Error(`Unknown storage provider type: ${storageConfig.provider}`);
+}
+
+export type * from './provider';

packages/backend/server/src/modules/storage/providers/provider.ts

@@ -0,0 +1,42 @@
+import type { Readable } from 'node:stream';
+
+import { StorageProviderType } from '../../../config';
+
+export interface GetObjectMetadata {
+  /**
+   * @default 'application/octet-stream'
+   */
+  contentType: string;
+  contentLength: number;
+  lastModified: Date;
+  checksumCRC32?: string;
+}
+
+export interface PutObjectMetadata {
+  contentType?: string;
+  contentLength?: number;
+  checksumCRC32?: string;
+}
+
+export interface ListObjectsMetadata {
+  key: string;
+  lastModified: Date;
+  size: number;
+}
+
+export type BlobInputType = Buffer | Readable | string;
+export type BlobOutputType = Readable;
+
+export interface StorageProvider {
+  readonly type: StorageProviderType;
+  put(
+    key: string,
+    body: BlobInputType,
+    metadata?: PutObjectMetadata
+  ): Promise<void>;
+  get(
+    key: string
+  ): Promise<{ body?: BlobOutputType; metadata?: GetObjectMetadata }>;
+  list(prefix?: string): Promise<ListObjectsMetadata[]>;
+  delete(key: string): Promise<void>;
+}

packages/backend/server/src/modules/storage/providers/r2.ts

@@ -0,0 +1,20 @@
+import { Logger } from '@nestjs/common';
+
+import { R2StorageConfig } from '../../../config/storage';
+import { S3StorageProvider } from './s3';
+
+export class R2StorageProvider extends S3StorageProvider {
+  override readonly type = 'r2' as any /* cast 'r2' to 's3' */;
+
+  constructor(config: R2StorageConfig, bucket: string) {
+    super(
+      {
+        ...config,
+        forcePathStyle: true,
+        endpoint: `https://${config.accountId}.r2.cloudflarestorage.com`,
+      },
+      bucket
+    );
+    this.logger = new Logger(`${R2StorageProvider.name}:${bucket}`);
+  }
+}

packages/backend/server/src/modules/storage/providers/s3.ts

@@ -0,0 +1,170 @@
+/* eslint-disable @typescript-eslint/no-non-null-assertion */
+import { Readable } from 'node:stream';
+
+import {
+  DeleteObjectCommand,
+  GetObjectCommand,
+  ListObjectsV2Command,
+  NoSuchKey,
+  PutObjectCommand,
+  S3Client,
+} from '@aws-sdk/client-s3';
+import { Logger } from '@nestjs/common';
+
+import { S3StorageConfig } from '../../../config/storage';
+import {
+  BlobInputType,
+  GetObjectMetadata,
+  ListObjectsMetadata,
+  PutObjectMetadata,
+  StorageProvider,
+} from './provider';
+import { autoMetadata, toBuffer } from './utils';
+
+export class S3StorageProvider implements StorageProvider {
+  protected logger: Logger;
+  protected client: S3Client;
+
+  readonly type = 's3';
+
+  constructor(
+    config: S3StorageConfig,
+    public readonly bucket: string
+  ) {
+    this.client = new S3Client({ region: 'auto', ...config });
+    this.logger = new Logger(`${S3StorageProvider.name}:${bucket}`);
+  }
+
+  async put(
+    key: string,
+    body: BlobInputType,
+    metadata: PutObjectMetadata = {}
+  ): Promise<void> {
+    const blob = await toBuffer(body);
+
+    metadata = await autoMetadata(blob, metadata);
+
+    try {
+      await this.client.send(
+        new PutObjectCommand({
+          Bucket: this.bucket,
+          Key: key,
+          Body: blob,
+
+          // metadata
+          ContentType: metadata.contentType,
+          ContentLength: metadata.contentLength,
+          // TODO: Cloudflare doesn't support CRC32, use md5 instead later.
+          // ChecksumCRC32: metadata.checksumCRC32,
+        })
+      );
+
+      this.logger.verbose(`Object \`${key}\` put`);
+    } catch (e) {
+      throw new Error(`Failed to put object \`${key}\``, {
+        cause: e,
+      });
+    }
+  }
+
+  async get(key: string): Promise<{
+    body?: Readable;
+    metadata?: GetObjectMetadata;
+  }> {
+    try {
+      const obj = await this.client.send(
+        new GetObjectCommand({
+          Bucket: this.bucket,
+          Key: key,
+        })
+      );
+
+      if (!obj.Body) {
+        this.logger.verbose(`Object \`${key}\` not found`);
+        return {};
+      }
+
+      this.logger.verbose(`Read object \`${key}\``);
+      return {
+        // @ts-expect-errors ignore browser response type `Blob`
+        body: obj.Body,
+        metadata: {
+          // always set when putting object
+          contentType: obj.ContentType!,
+          contentLength: obj.ContentLength!,
+          lastModified: obj.LastModified!,
+          checksumCRC32: obj.ChecksumCRC32,
+        },
+      };
+    } catch (e) {
+      // 404
+      if (e instanceof NoSuchKey) {
+        this.logger.verbose(`Object \`${key}\` not found`);
+        return {};
+      } else {
+        throw new Error(`Failed to read object \`${key}\``, {
+          cause: e,
+        });
+      }
+    }
+  }
+
+  async list(prefix?: string): Promise<ListObjectsMetadata[]> {
+    // continuationToken should be `string | undefined`,
+    // but TypeScript will fail on type infer in the code below.
+    // Seems to be a bug in TypeScript
+    let continuationToken: any = undefined;
+    let hasMore = true;
+    let result: ListObjectsMetadata[] = [];
+
+    try {
+      while (hasMore) {
+        const listResult = await this.client.send(
+          new ListObjectsV2Command({
+            Bucket: this.bucket,
+            Prefix: prefix,
+            ContinuationToken: continuationToken,
+          })
+        );
+
+        if (listResult.Contents?.length) {
+          result = result.concat(
+            listResult.Contents.map(r => ({
+              key: r.Key!,
+              lastModified: r.LastModified!,
+              size: r.Size!,
+            }))
+          );
+        }
+
+        // has more items not listed
+        hasMore = !!listResult.IsTruncated;
+        continuationToken = listResult.NextContinuationToken;
+      }
+
+      this.logger.verbose(
+        `List ${result.length} objects with prefix \`${prefix}\``
+      );
+      return result;
+    } catch (e) {
+      throw new Error(`Failed to list objects with prefix \`${prefix}\``, {
+        cause: e,
+      });
+    }
+  }
+
+  async delete(key: string): Promise<void> {
+    try {
+      await this.client.send(
+        new DeleteObjectCommand({
+          Bucket: this.bucket,
+          Key: key,
+        })
+      );
+    } catch (e) {
+      throw new Error(`Failed to delete object \`${key}\``, {
+        cause: e,
+      });
+    }
+  }
+}

packages/backend/server/src/modules/storage/providers/utils.ts

@@ -0,0 +1,49 @@
+import { Readable } from 'node:stream';
+
+import { crc32 } from '@node-rs/crc32';
+import { fileTypeFromBuffer } from 'file-type';
+import { getStreamAsBuffer } from 'get-stream';
+
+import { BlobInputType, PutObjectMetadata } from './provider';
+
+export async function toBuffer(input: BlobInputType): Promise<Buffer> {
+  return input instanceof Readable
+    ? await getStreamAsBuffer(input)
+    : input instanceof Buffer
+      ? input
+      : Buffer.from(input);
+}
+
+export async function autoMetadata(
+  blob: Buffer,
+  raw: PutObjectMetadata
+): Promise<PutObjectMetadata> {
+  const metadata = {
+    ...raw,
+  };
+  try {
+    // length
+    if (!metadata.contentLength) {
+      metadata.contentLength = blob.length;
+    }
+
+    // checksum
+    if (!metadata.checksumCRC32) {
+      metadata.checksumCRC32 = crc32(blob).toString(16);
+    }
+
+    // mime type
+    if (!metadata.contentType) {
+      try {
+        const typeResult = await fileTypeFromBuffer(blob);
+        metadata.contentType = typeResult?.mime ?? 'application/octet-stream';
+      } catch {
+        // ignore
+      }
+    }
+
+    return metadata;
+  } catch (e) {
+    return metadata;
+  }
+}

packages/backend/server/src/modules/storage/s3.ts

@@ -1,22 +0,0 @@
-import { S3Client } from '@aws-sdk/client-s3';
-import { FactoryProvider } from '@nestjs/common';
-
-import { Config } from '../../config';
-
-export const S3_SERVICE = Symbol('S3_SERVICE');
-
-export const S3: FactoryProvider<S3Client> = {
-  provide: S3_SERVICE,
-  useFactory: (config: Config) => {
-    const s3 = new S3Client({
-      region: 'auto',
-      endpoint: `https://${config.objectStorage.r2.accountId}.r2.cloudflarestorage.com`,
-      credentials: {
-        accessKeyId: config.objectStorage.r2.accessKeyId,
-        secretAccessKey: config.objectStorage.r2.secretAccessKey,
-      },
-    });
-    return s3;
-  },
-  inject: [Config],
-};

packages/backend/server/src/modules/storage/storage.service.ts

@@ -1,43 +0,0 @@
-import { PutObjectCommand, S3Client } from '@aws-sdk/client-s3';
-import { Inject, Injectable } from '@nestjs/common';
-import { crc32 } from '@node-rs/crc32';
-import { fileTypeFromBuffer } from 'file-type';
-// eslint-disable-next-line @typescript-eslint/ban-ts-comment
-// @ts-ignore - no types
-import { getStreamAsBuffer } from 'get-stream';
-
-import { Config } from '../../config';
-import { FileUpload } from '../../types';
-import { FSService } from './fs';
-import { S3_SERVICE } from './s3';
-
-@Injectable()
-export class StorageService {
-  constructor(
-    @Inject(S3_SERVICE) private readonly s3: S3Client,
-    private readonly fs: FSService,
-    private readonly config: Config
-  ) {}
-
-  async uploadFile(key: string, file: FileUpload) {
-    if (this.config.objectStorage.r2.enabled) {
-      const readableFile = file.createReadStream();
-      const fileBuffer = await getStreamAsBuffer(readableFile);
-      const mime = (await fileTypeFromBuffer(fileBuffer))?.mime;
-      const crc32Value = crc32(fileBuffer);
-      const keyWithCrc32 = `${crc32Value}-${key}`;
-      await this.s3.send(
-        new PutObjectCommand({
-          Body: fileBuffer,
-          Bucket: this.config.objectStorage.r2.bucket,
-          Key: keyWithCrc32,
-          ContentLength: fileBuffer.length,
-          ContentType: mime,
-        })
-      );
-      return `https://avatar.affineassets.com/${keyWithCrc32}`;
-    } else {
-      return this.fs.writeFile(key, file);
-    }
-  }
-}

packages/backend/server/src/modules/storage/wrappers/avatar.ts

@@ -0,0 +1,47 @@
+import { Injectable } from '@nestjs/common';
+
+import { AFFiNEStorageConfig, Config } from '../../../config';
+import { type EventPayload, OnEvent } from '../../../event';
+import {
+  BlobInputType,
+  createStorageProvider,
+  PutObjectMetadata,
+  StorageProvider,
+} from '../providers';
+
+@Injectable()
+export class AvatarStorage {
+  public readonly provider: StorageProvider;
+  private readonly storageConfig: AFFiNEStorageConfig['storages']['avatar'];
+
+  constructor(private readonly config: Config) {
+    this.provider = createStorageProvider(this.config.storage, 'avatar');
+    this.storageConfig = this.config.storage.storages.avatar;
+  }
+
+  async put(key: string, blob: BlobInputType, metadata?: PutObjectMetadata) {
+    await this.provider.put(key, blob, metadata);
+    let link = this.storageConfig.publicLinkFactory(key);
+
+    if (link.startsWith('/')) {
+      link = this.config.baseUrl + link;
+    }
+
+    return link;
+  }
+
+  get(key: string) {
+    return this.provider.get(key);
+  }
+
+  delete(key: string) {
+    return this.provider.delete(key);
+  }
+
+  @OnEvent('user.deleted')
+  async onUserDeleted(user: EventPayload<'user.deleted'>) {
+    if (user.avatarUrl) {
+      await this.delete(user.avatarUrl);
+    }
+  }
+}

packages/backend/server/src/modules/storage/wrappers/blob.ts

@@ -0,0 +1,114 @@
+import { Readable } from 'node:stream';
+
+import type { Storage } from '@affine/storage';
+import { Injectable, OnModuleInit } from '@nestjs/common';
+
+import { Config } from '../../../config';
+import { EventEmitter, type EventPayload, OnEvent } from '../../../event';
+import { OctoBaseStorageModule } from '../../../storage';
+import {
+  BlobInputType,
+  createStorageProvider,
+  StorageProvider,
+} from '../providers';
+import { toBuffer } from '../providers/utils';
+
+@Injectable()
+export class WorkspaceBlobStorage implements OnModuleInit {
+  public readonly provider: StorageProvider;
+
+  /**
+   * @deprecated for backwards compatibility, need to be removed in next stable release
+   */
+  private octobase: Storage | null = null;
+
+  constructor(
+    private readonly event: EventEmitter,
+    private readonly config: Config
+  ) {
+    this.provider = createStorageProvider(this.config.storage, 'blob');
+  }
+
+  async onModuleInit() {
+    if (!this.config.node.test) {
+      this.octobase = await OctoBaseStorageModule.Storage.connect(
+        this.config.db.url
+      );
+    }
+  }
+
+  async put(workspaceId: string, key: string, blob: BlobInputType) {
+    const buf = await toBuffer(blob);
+    await this.provider.put(`${workspaceId}/${key}`, buf);
+    if (this.octobase) {
+      await this.octobase.uploadBlob(workspaceId, buf);
+    }
+  }
+
+  async get(workspaceId: string, key: string) {
+    const result = await this.provider.get(`${workspaceId}/${key}`);
+    if (!result.body && this.octobase) {
+      const blob = await this.octobase.getBlob(workspaceId, key);
+
+      if (!blob) {
+        return result;
+      }
+
+      return {
+        body: Readable.from(blob.data),
+        metadata: {
+          contentType: blob.contentType,
+          contentLength: blob.size,
+          lastModified: new Date(blob.lastModified),
+        },
+      };
+    }
+
+    return result;
+  }
+
+  async list(workspaceId: string) {
+    const blobs = await this.provider.list(workspaceId + '/');
+
+    blobs.forEach(item => {
+      // trim workspace prefix
+      item.key = item.key.slice(workspaceId.length + 1);
+    });
+
+    return blobs;
+  }
+
+  /**
+   * we won't really delete the blobs until the doc blobs manager is implemented sounded
+   */
+  async delete(_workspaceId: string, _key: string) {
+    // return this.provider.delete(`${workspaceId}/${key}`);
+  }
+
+  async totalSize(workspaceId: string) {
+    const blobs = await this.list(workspaceId);
+    // how could we ignore the ones get soft-deleted?
+    return blobs.reduce((acc, item) => acc + item.size, 0);
+  }
+
+  @OnEvent('workspace.deleted')
+  async onWorkspaceDeleted(workspaceId: EventPayload<'workspace.deleted'>) {
+    const blobs = await this.list(workspaceId);
+
+    // to reduce cpu time holding
+    blobs.forEach(blob => {
+      this.event.emit('workspace.blob.deleted', {
+        workspaceId: workspaceId,
+        name: blob.key,
+      });
+    });
+  }
+
+  @OnEvent('workspace.blob.deleted')
+  async onDeleteWorkspaceBlob({
+    workspaceId,
+    name,
+  }: EventPayload<'workspace.blob.deleted'>) {
+    await this.delete(workspaceId, name);
+  }
+}

packages/backend/server/src/modules/storage/wrappers/index.ts

@@ -0,0 +1,2 @@
+export { AvatarStorage } from './avatar';
+export { WorkspaceBlobStorage } from './blob';

packages/backend/server/src/modules/users/controller.ts

@@ -0,0 +1,40 @@
+import {
+  Controller,
+  ForbiddenException,
+  Get,
+  NotFoundException,
+  Param,
+  Res,
+} from '@nestjs/common';
+import type { Response } from 'express';
+
+import { AvatarStorage } from '../storage';
+
+@Controller('/api/avatars')
+export class UserAvatarController {
+  constructor(private readonly storage: AvatarStorage) {}
+
+  @Get('/:id')
+  async getAvatar(@Res() res: Response, @Param('id') id: string) {
+    if (this.storage.provider.type !== 'fs') {
+      throw new ForbiddenException(
+        'Only available when avatar storage provider set to fs.'
+      );
+    }
+
+    const { body, metadata } = await this.storage.get(id);
+
+    if (!body) {
+      throw new NotFoundException(`Avatar ${id} not found.`);
+    }
+
+    // metadata should always exists if body is not null
+    if (metadata) {
+      res.setHeader('content-type', metadata.contentType);
+      res.setHeader('last-modified', metadata.lastModified.toISOString());
+      res.setHeader('content-length', metadata.contentLength);
+    }
+
+    body.pipe(res);
+  }
+}

packages/backend/server/src/modules/users/index.ts

@@ -3,12 +3,15 @@ import { Module } from '@nestjs/common';
 import { FeatureModule } from '../features';
 import { QuotaModule } from '../quota';
 import { StorageModule } from '../storage';
+import { UserAvatarController } from './controller';
+import { UserManagementResolver } from './management';
 import { UserResolver } from './resolver';
 import { UsersService } from './users';
 
 @Module({
   imports: [StorageModule, FeatureModule, QuotaModule],
-  providers: [UserResolver, UsersService],
+  providers: [UserResolver, UserManagementResolver, UsersService],
+  controllers: [UserAvatarController],
   exports: [UsersService],
 })
 export class UsersModule {}

packages/backend/server/src/modules/users/management.ts

@@ -0,0 +1,91 @@
+import {
+  BadRequestException,
+  ForbiddenException,
+  UseGuards,
+} from '@nestjs/common';
+import { Args, Context, Int, Mutation, Query, Resolver } from '@nestjs/graphql';
+
+import { CloudThrottlerGuard, Throttle } from '../../throttler';
+import { Auth, CurrentUser } from '../auth/guard';
+import { AuthService } from '../auth/service';
+import { FeatureManagementService } from '../features';
+import { UserType } from './types';
+import { UsersService } from './users';
+
+/**
+ * User resolver
+ * All op rate limit: 10 req/m
+ */
+@UseGuards(CloudThrottlerGuard)
+@Auth()
+@Resolver(() => UserType)
+export class UserManagementResolver {
+  constructor(
+    private readonly auth: AuthService,
+    private readonly users: UsersService,
+    private readonly feature: FeatureManagementService
+  ) {}
+
+  @Throttle({
+    default: {
+      limit: 10,
+      ttl: 60,
+    },
+  })
+  @Mutation(() => Int)
+  async addToEarlyAccess(
+    @CurrentUser() currentUser: UserType,
+    @Args('email') email: string
+  ): Promise<number> {
+    if (!this.feature.isStaff(currentUser.email)) {
+      throw new ForbiddenException('You are not allowed to do this');
+    }
+    const user = await this.users.findUserByEmail(email);
+    if (user) {
+      return this.feature.addEarlyAccess(user.id);
+    } else {
+      const user = await this.auth.createAnonymousUser(email);
+      return this.feature.addEarlyAccess(user.id);
+    }
+  }
+
+  @Throttle({
+    default: {
+      limit: 10,
+      ttl: 60,
+    },
+  })
+  @Mutation(() => Int)
+  async removeEarlyAccess(
+    @CurrentUser() currentUser: UserType,
+    @Args('email') email: string
+  ): Promise<number> {
+    if (!this.feature.isStaff(currentUser.email)) {
+      throw new ForbiddenException('You are not allowed to do this');
+    }
+    const user = await this.users.findUserByEmail(email);
+    if (!user) {
+      throw new BadRequestException(`User ${email} not found`);
+    }
+    return this.feature.removeEarlyAccess(user.id);
+  }
+
+  @Throttle({
+    default: {
+      limit: 10,
+      ttl: 60,
+    },
+  })
+  @Query(() => [UserType])
+  async earlyAccessUsers(
+    @Context() ctx: { isAdminQuery: boolean },
+    @CurrentUser() user: UserType
+  ): Promise<UserType[]> {
+    if (!this.feature.isStaff(user.email)) {
+      throw new ForbiddenException('You are not allowed to do this');
+    }
+    // allow query other user's subscription
+    ctx.isAdminQuery = true;
+    return this.feature.listEarlyAccess();
+  }
+}

packages/backend/server/src/modules/users/resolver.ts

@@ -1,12 +1,6 @@
-import {
-  BadRequestException,
-  ForbiddenException,
-  HttpStatus,
-  UseGuards,
-} from '@nestjs/common';
+import { BadRequestException, HttpStatus, UseGuards } from '@nestjs/common';
 import {
   Args,
-  Context,
   Int,
   Mutation,
   Query,
@@ -17,15 +11,21 @@ import type { User } from '@prisma/client';
 import { GraphQLError } from 'graphql';
 import GraphQLUpload from 'graphql-upload/GraphQLUpload.mjs';
 
+import { EventEmitter } from '../../event';
 import { PrismaService } from '../../prisma/service';
 import { CloudThrottlerGuard, Throttle } from '../../throttler';
 import type { FileUpload } from '../../types';
 import { Auth, CurrentUser, Public, Publicable } from '../auth/guard';
-import { AuthService } from '../auth/service';
 import { FeatureManagementService } from '../features';
 import { QuotaService } from '../quota';
-import { StorageService } from '../storage/storage.service';
-import { DeleteAccount, RemoveAvatar, UserQuotaType, UserType } from './types';
+import { AvatarStorage } from '../storage';
+import {
+  DeleteAccount,
+  RemoveAvatar,
+  UserOrLimitedUser,
+  UserQuotaType,
+  UserType,
+} from './types';
 import { UsersService } from './users';
 
 /**
@@ -37,12 +37,12 @@ import { UsersService } from './users';
 @Resolver(() => UserType)
 export class UserResolver {
   constructor(
-    private readonly auth: AuthService,
     private readonly prisma: PrismaService,
-    private readonly storage: StorageService,
+    private readonly storage: AvatarStorage,
     private readonly users: UsersService,
     private readonly feature: FeatureManagementService,
-    private readonly quota: QuotaService
+    private readonly quota: QuotaService,
+    private readonly event: EventEmitter
   ) {}
 
   @Throttle({
@@ -83,14 +83,17 @@ export class UserResolver {
       ttl: 60,
     },
   })
-  @Query(() => UserType, {
+  @Query(() => UserOrLimitedUser, {
     name: 'user',
     description: 'Get user by email',
     nullable: true,
   })
   @Public()
-  async user(@Args('email') email: string) {
-    if (!(await this.feature.canEarlyAccess(email))) {
+  async user(
+    @CurrentUser() currentUser?: UserType,
+    @Args('email') email?: string
+  ) {
+    if (!email || !(await this.feature.canEarlyAccess(email))) {
       return new GraphQLError(
         `You don't have early access permission\nVisit https://community.affine.pro/c/insider-general/ for more information`,
         {
@@ -101,13 +104,16 @@ export class UserResolver {
         }
       );
     }
+
     // TODO: need to limit a user can only get another user witch is in the same workspace
     const user = await this.users.findUserByEmail(email);
-    if (user?.password) {
-      const userResponse: UserType = user;
-      userResponse.hasPassword = true;
-    }
-    return user;
+    if (currentUser) return user;
+
+    // only return limited info when not logged in
+    return {
+      email: user?.email,
+      hasPassword: !!user?.password,
+    };
   }
 
   @Throttle({ default: { limit: 10, ttl: 60 } })
@@ -147,10 +153,20 @@ export class UserResolver {
     if (!user) {
       throw new BadRequestException(`User not found`);
     }
-    const url = await this.storage.uploadFile(`${user.id}-avatar`, avatar);
+
+    const link = await this.storage.put(
+      `${user.id}-avatar`,
+      avatar.createReadStream(),
+      {
+        contentType: avatar.mimetype,
+      }
+    );
+
     return this.prisma.user.update({
       where: { id: user.id },
-      data: { avatarUrl: url },
+      data: {
+        avatarUrl: link,
+      },
     });
   }
 
@@ -183,70 +199,8 @@ export class UserResolver {
   })
   @Mutation(() => DeleteAccount)
   async deleteAccount(@CurrentUser() user: UserType): Promise<DeleteAccount> {
-    await this.users.deleteUser(user.id);
+    const deletedUser = await this.users.deleteUser(user.id);
+    this.event.emit('user.deleted', deletedUser);
     return { success: true };
   }
-
-  @Throttle({
-    default: {
-      limit: 10,
-      ttl: 60,
-    },
-  })
-  @Mutation(() => Int)
-  async addToEarlyAccess(
-    @CurrentUser() currentUser: UserType,
-    @Args('email') email: string
-  ): Promise<number> {
-    if (!this.feature.isStaff(currentUser.email)) {
-      throw new ForbiddenException('You are not allowed to do this');
-    }
-    const user = await this.users.findUserByEmail(email);
-    if (user) {
-      return this.feature.addEarlyAccess(user.id);
-    } else {
-      const user = await this.auth.createAnonymousUser(email);
-      return this.feature.addEarlyAccess(user.id);
-    }
-  }
-
-  @Throttle({
-    default: {
-      limit: 10,
-      ttl: 60,
-    },
-  })
-  @Mutation(() => Int)
-  async removeEarlyAccess(
-    @CurrentUser() currentUser: UserType,
-    @Args('email') email: string
-  ): Promise<number> {
-    if (!this.feature.isStaff(currentUser.email)) {
-      throw new ForbiddenException('You are not allowed to do this');
-    }
-    const user = await this.users.findUserByEmail(email);
-    if (!user) {
-      throw new BadRequestException(`User ${email} not found`);
-    }
-    return this.feature.removeEarlyAccess(user.id);
-  }
-
-  @Throttle({
-    default: {
-      limit: 10,
-      ttl: 60,
-    },
-  })
-  @Query(() => [UserType])
-  async earlyAccessUsers(
-    @Context() ctx: { isAdminQuery: boolean },
-    @CurrentUser() user: UserType
-  ): Promise<UserType[]> {
-    if (!this.feature.isStaff(user.email)) {
-      throw new ForbiddenException('You are not allowed to do this');
-    }
-    // allow query other user's subscription
-    ctx.isAdminQuery = true;
-    return this.feature.listEarlyAccess();
-  }
 }

packages/backend/server/src/modules/users/types.ts

@@ -1,4 +1,4 @@
-import { Field, Float, ID, ObjectType } from '@nestjs/graphql';
+import { createUnionType, Field, Float, ID, ObjectType } from '@nestjs/graphql';
 import type { User } from '@prisma/client';
 
 @ObjectType('UserQuotaHumanReadable')
@@ -67,6 +67,29 @@ export class UserType implements Partial<User> {
   hasPassword?: boolean;
 }
 
+@ObjectType()
+export class LimitedUserType implements Partial<User> {
+  @Field({ description: 'User email' })
+  email!: string;
+
+  @Field(() => Boolean, {
+    description: 'User password has been set',
+    nullable: true,
+  })
+  hasPassword?: boolean;
+}
+
+export const UserOrLimitedUser = createUnionType({
+  name: 'UserOrLimitedUser',
+  types: () => [UserType, LimitedUserType] as const,
+  resolveType(value) {
+    if (value.id) {
+      return UserType;
+    }
+    return LimitedUserType;
+  },
+});
+
 @ObjectType()
 export class DeleteAccount {
   @Field()

packages/backend/server/src/modules/workspaces/controller.ts

@@ -1,9 +1,8 @@
-import type { Storage } from '@affine/storage';
 import {
   Controller,
   ForbiddenException,
   Get,
-  Inject,
+  Logger,
   NotFoundException,
   Param,
   Res,
@@ -12,18 +11,19 @@ import type { Response } from 'express';
 
 import { CallTimer } from '../../metrics';
 import { PrismaService } from '../../prisma';
-import { StorageProvide } from '../../storage';
 import { DocID } from '../../utils/doc';
 import { Auth, CurrentUser, Publicable } from '../auth';
 import { DocHistoryManager, DocManager } from '../doc';
+import { WorkspaceBlobStorage } from '../storage';
 import { UserType } from '../users';
 import { PermissionService, PublicPageMode } from './permission';
 import { Permission } from './types';
 
 @Controller('/api/workspaces')
 export class WorkspacesController {
+  logger = new Logger(WorkspacesController.name);
   constructor(
-    @Inject(StorageProvide) private readonly storage: Storage,
+    private readonly storage: WorkspaceBlobStorage,
     private readonly permission: PermissionService,
     private readonly docManager: DocManager,
     private readonly historyManager: DocHistoryManager,
@@ -40,19 +40,25 @@ export class WorkspacesController {
     @Param('name') name: string,
     @Res() res: Response
   ) {
-    const blob = await this.storage.getBlob(workspaceId, name);
+    const { body, metadata } = await this.storage.get(workspaceId, name);
 
-    if (!blob) {
+    if (!body) {
       throw new NotFoundException(
         `Blob not found in workspace ${workspaceId}: ${name}`
       );
     }
 
-    res.setHeader('content-type', blob.contentType);
-    res.setHeader('last-modified', blob.lastModified);
-    res.setHeader('content-length', blob.size);
+    // metadata should always exists if body is not null
+    if (metadata) {
+      res.setHeader('content-type', metadata.contentType);
+      res.setHeader('last-modified', metadata.lastModified.toISOString());
+      res.setHeader('content-length', metadata.contentLength);
+    } else {
+      this.logger.warn(`Blob ${workspaceId}/${name} has no metadata`);
+    }
 
-    res.send(blob.data);
+    res.setHeader('cache-control', 'public, max-age=31536000, immutable');
+    body.pipe(res);
   }
 
   // get doc binary

packages/backend/server/src/modules/workspaces/index.ts

@@ -1,24 +1,34 @@
 import { Module } from '@nestjs/common';
 
 import { DocModule } from '../doc';
+import { FeatureModule } from '../features';
 import { QuotaModule } from '../quota';
+import { StorageModule } from '../storage';
 import { UsersService } from '../users';
 import { WorkspacesController } from './controller';
-import { DocHistoryResolver } from './history.resolver';
+import { WorkspaceManagementResolver } from './management';
 import { PermissionService } from './permission';
-import { PagePermissionResolver, WorkspaceResolver } from './resolver';
+import {
+  DocHistoryResolver,
+  PagePermissionResolver,
+  WorkspaceBlobResolver,
+  WorkspaceResolver,
+} from './resolvers';
 
 @Module({
-  imports: [DocModule, QuotaModule],
+  imports: [DocModule, FeatureModule, QuotaModule, StorageModule],
   controllers: [WorkspacesController],
   providers: [
     WorkspaceResolver,
+    WorkspaceManagementResolver,
     PermissionService,
     UsersService,
     PagePermissionResolver,
     DocHistoryResolver,
+    WorkspaceBlobResolver,
   ],
   exports: [PermissionService],
 })
 export class WorkspaceModule {}
-export { InvitationType, WorkspaceType } from './resolver';
+
+export type { InvitationType, WorkspaceType } from './types';

packages/backend/server/src/modules/workspaces/management.ts

@@ -0,0 +1,136 @@
+import { ForbiddenException, UseGuards } from '@nestjs/common';
+import {
+  Args,
+  Int,
+  Mutation,
+  Parent,
+  Query,
+  ResolveField,
+  Resolver,
+} from '@nestjs/graphql';
+
+import { CloudThrottlerGuard, Throttle } from '../../throttler';
+import { Auth, CurrentUser } from '../auth';
+import { FeatureManagementService, FeatureType } from '../features';
+import { UserType } from '../users';
+import { PermissionService } from './permission';
+import { WorkspaceType } from './types';
+
+@UseGuards(CloudThrottlerGuard)
+@Auth()
+@Resolver(() => WorkspaceType)
+export class WorkspaceManagementResolver {
+  constructor(
+    private readonly feature: FeatureManagementService,
+    private readonly permission: PermissionService
+  ) {}
+
+  @Throttle({
+    default: {
+      limit: 10,
+      ttl: 60,
+    },
+  })
+  @Mutation(() => Int)
+  async addWorkspaceFeature(
+    @CurrentUser() currentUser: UserType,
+    @Args('workspaceId') workspaceId: string,
+    @Args('feature', { type: () => FeatureType }) feature: FeatureType
+  ): Promise<number> {
+    if (!this.feature.isStaff(currentUser.email)) {
+      throw new ForbiddenException('You are not allowed to do this');
+    }
+
+    return this.feature.addWorkspaceFeatures(workspaceId, feature);
+  }
+
+  @Throttle({
+    default: {
+      limit: 10,
+      ttl: 60,
+    },
+  })
+  @Mutation(() => Int)
+  async removeWorkspaceFeature(
+    @CurrentUser() currentUser: UserType,
+    @Args('workspaceId') workspaceId: string,
+    @Args('feature', { type: () => FeatureType }) feature: FeatureType
+  ): Promise<boolean> {
+    if (!this.feature.isStaff(currentUser.email)) {
+      throw new ForbiddenException('You are not allowed to do this');
+    }
+
+    return this.feature.removeWorkspaceFeature(workspaceId, feature);
+  }
+
+  @Throttle({
+    default: {
+      limit: 10,
+      ttl: 60,
+    },
+  })
+  @Query(() => [WorkspaceType])
+  async listWorkspaceFeatures(
+    @CurrentUser() user: UserType,
+    @Args('feature', { type: () => FeatureType }) feature: FeatureType
+  ): Promise<WorkspaceType[]> {
+    if (!this.feature.isStaff(user.email)) {
+      throw new ForbiddenException('You are not allowed to do this');
+    }
+
+    return this.feature.listFeatureWorkspaces(feature);
+  }
+
+  @Mutation(() => Boolean)
+  async setWorkspaceExperimentalFeature(
+    @CurrentUser() user: UserType,
+    @Args('workspaceId') workspaceId: string,
+    @Args('feature', { type: () => FeatureType }) feature: FeatureType,
+    @Args('enable') enable: boolean
+  ): Promise<boolean> {
+    if (!(await this.feature.canEarlyAccess(user.email))) {
+      throw new ForbiddenException('You are not allowed to do this');
+    }
+
+    const owner = await this.permission.getWorkspaceOwner(workspaceId);
+    const availableFeatures = await this.availableFeatures(user);
+    if (owner.user.id !== user.id || !availableFeatures.includes(feature)) {
+      throw new ForbiddenException('You are not allowed to do this');
+    }
+
+    if (enable) {
+      return await this.feature
+        .addWorkspaceFeatures(
+          workspaceId,
+          feature,
+          undefined,
+          'add by experimental feature api'
+        )
+        .then(id => id > 0);
+    } else {
+      return await this.feature.removeWorkspaceFeature(workspaceId, feature);
+    }
+  }
+
+  @ResolveField(() => [FeatureType], {
+    description: 'Available features of workspace',
+    complexity: 2,
+  })
+  async availableFeatures(
+    @CurrentUser() user: UserType
+  ): Promise<FeatureType[]> {
+    if (await this.feature.canEarlyAccess(user.email)) {
+      return [FeatureType.Copilot];
+    } else {
+      return [];
+    }
+  }
+
+  @ResolveField(() => [FeatureType], {
+    description: 'Enabled features of workspace',
+    complexity: 2,
+  })
+  async features(@Parent() workspace: WorkspaceType): Promise<FeatureType[]> {
+    return this.feature.getWorkspaceFeatures(workspace.id);
+  }
+}

packages/backend/server/src/modules/workspaces/permission.ts

@@ -34,6 +34,9 @@ export class PermissionService {
           accepted: true,
           type: Permission.Owner,
         },
+        select: {
+          workspaceId: true,
+        },
       })
       .then(data => data.map(({ workspaceId }) => workspaceId));
   }

packages/backend/server/src/modules/workspaces/resolvers/blob.ts

@@ -0,0 +1,174 @@
+import { ForbiddenException, Logger, UseGuards } from '@nestjs/common';
+import {
+  Args,
+  Float,
+  Int,
+  Mutation,
+  Parent,
+  Query,
+  ResolveField,
+  Resolver,
+} from '@nestjs/graphql';
+import GraphQLUpload from 'graphql-upload/GraphQLUpload.mjs';
+
+import { MakeCache, PreventCache } from '../../../cache';
+import { CloudThrottlerGuard } from '../../../throttler';
+import type { FileUpload } from '../../../types';
+import { Auth, CurrentUser } from '../../auth';
+import { QuotaManagementService } from '../../quota';
+import { WorkspaceBlobStorage } from '../../storage';
+import { UserType } from '../../users';
+import { PermissionService } from '../permission';
+import { Permission, WorkspaceBlobSizes, WorkspaceType } from '../types';
+
+@UseGuards(CloudThrottlerGuard)
+@Auth()
+@Resolver(() => WorkspaceType)
+export class WorkspaceBlobResolver {
+  logger = new Logger(WorkspaceBlobResolver.name);
+  constructor(
+    private readonly permissions: PermissionService,
+    private readonly quota: QuotaManagementService,
+    private readonly storage: WorkspaceBlobStorage
+  ) {}
+
+  @ResolveField(() => Int, {
+    description: 'Blobs size of workspace',
+    complexity: 2,
+  })
+  async blobsSize(@Parent() workspace: WorkspaceType) {
+    return this.storage.totalSize(workspace.id);
+  }
+
+  /**
+   * @deprecated use `workspace.blobs` instead
+   */
+  @Query(() => [String], {
+    description: 'List blobs of workspace',
+    deprecationReason: 'use `workspace.blobs` instead',
+  })
+  @MakeCache(['blobs'], ['workspaceId'])
+  async listBlobs(
+    @CurrentUser() user: UserType,
+    @Args('workspaceId') workspaceId: string
+  ) {
+    await this.permissions.checkWorkspace(workspaceId, user.id);
+
+    return this.storage
+      .list(workspaceId)
+      .then(list => list.map(item => item.key));
+  }
+
+  /**
+   * @deprecated use `user.storageUsage` instead
+   */
+  @Query(() => WorkspaceBlobSizes, {
+    deprecationReason: 'use `user.storageUsage` instead',
+  })
+  async collectAllBlobSizes(@CurrentUser() user: UserType) {
+    const size = await this.quota.getUserUsage(user.id);
+    return { size };
+  }
+
+  /**
+   * @deprecated mutation `setBlob` will check blob limit & quota usage
+   */
+  @Query(() => WorkspaceBlobSizes, {
+    deprecationReason: 'no more needed',
+  })
+  async checkBlobSize(
+    @CurrentUser() user: UserType,
+    @Args('workspaceId') workspaceId: string,
+    @Args('size', { type: () => Float }) blobSize: number
+  ) {
+    const canWrite = await this.permissions.tryCheckWorkspace(
+      workspaceId,
+      user.id,
+      Permission.Write
+    );
+    if (canWrite) {
+      const size = await this.quota.checkBlobQuota(workspaceId, blobSize);
+      return { size };
+    }
+    return false;
+  }
+
+  @Mutation(() => String)
+  @PreventCache(['blobs'], ['workspaceId'])
+  async setBlob(
+    @CurrentUser() user: UserType,
+    @Args('workspaceId') workspaceId: string,
+    @Args({ name: 'blob', type: () => GraphQLUpload })
+    blob: FileUpload
+  ) {
+    await this.permissions.checkWorkspace(
+      workspaceId,
+      user.id,
+      Permission.Write
+    );
+
+    const { quota, size } = await this.quota.getWorkspaceUsage(workspaceId);
+
+    const checkExceeded = (recvSize: number) => {
+      if (!quota) {
+        throw new ForbiddenException('cannot find user quota');
+      }
+      if (size + recvSize > quota) {
+        this.logger.log(
+          `storage size limit exceeded: ${size + recvSize} > ${quota}`
+        );
+        return true;
+      } else {
+        return false;
+      }
+    };
+
+    if (checkExceeded(0)) {
+      throw new ForbiddenException('storage size limit exceeded');
+    }
+    const buffer = await new Promise<Buffer>((resolve, reject) => {
+      const stream = blob.createReadStream();
+      const chunks: Uint8Array[] = [];
+      stream.on('data', chunk => {
+        chunks.push(chunk);
+
+        // check size after receive each chunk to avoid unnecessary memory usage
+        const bufferSize = chunks.reduce((acc, cur) => acc + cur.length, 0);
+        if (checkExceeded(bufferSize)) {
+          reject(new ForbiddenException('storage size limit exceeded'));
+        }
+      });
+      stream.on('error', reject);
+      stream.on('end', () => {
+        const buffer = Buffer.concat(chunks);
+
+        if (checkExceeded(buffer.length)) {
+          reject(new ForbiddenException('storage size limit exceeded'));
+        } else {
+          resolve(buffer);
+        }
+      });
+    });
+
+    if (!(await this.quota.checkBlobQuota(workspaceId, buffer.length))) {
+      throw new ForbiddenException('blob size limit exceeded');
+    }
+
+    await this.storage.put(workspaceId, blob.filename, buffer);
+    return blob.filename;
+  }
+
+  @Mutation(() => Boolean)
+  @PreventCache(['blobs'], ['workspaceId'])
+  async deleteBlob(
+    @CurrentUser() user: UserType,
+    @Args('workspaceId') workspaceId: string,
+    @Args('hash') name: string
+  ) {
+    await this.permissions.checkWorkspace(workspaceId, user.id);
+
+    await this.storage.delete(workspaceId, name);
+
+    return true;
+  }
+}

packages/backend/server/src/modules/workspaces/resolvers/history.ts

@@ -1,3 +1,4 @@
+import { UseGuards } from '@nestjs/common';
 import {
   Args,
   Field,
@@ -11,13 +12,13 @@ import {
 } from '@nestjs/graphql';
 import type { SnapshotHistory } from '@prisma/client';
 
-import { DocID } from '../../utils/doc';
-import { Auth, CurrentUser } from '../auth';
-import { DocHistoryManager } from '../doc/history';
-import { UserType } from '../users';
-import { PermissionService } from './permission';
-import { WorkspaceType } from './resolver';
-import { Permission } from './types';
+import { CloudThrottlerGuard } from '../../../throttler';
+import { DocID } from '../../../utils/doc';
+import { Auth, CurrentUser } from '../../auth';
+import { DocHistoryManager } from '../../doc/history';
+import { UserType } from '../../users';
+import { PermissionService } from '../permission';
+import { Permission, WorkspaceType } from '../types';
 
 @ObjectType()
 class DocHistoryType implements Partial<SnapshotHistory> {
@@ -31,6 +32,7 @@ class DocHistoryType implements Partial<SnapshotHistory> {
   timestamp!: Date;
 }
 
+@UseGuards(CloudThrottlerGuard)
 @Resolver(() => WorkspaceType)
 export class DocHistoryResolver {
   constructor(

packages/backend/server/src/modules/workspaces/resolvers/index.ts

@@ -0,0 +1,4 @@
+export * from './blob';
+export * from './history';
+export * from './page';
+export * from './workspace';

packages/backend/server/src/modules/workspaces/resolvers/page.ts

@@ -0,0 +1,163 @@
+import { ForbiddenException, UseGuards } from '@nestjs/common';
+import {
+  Args,
+  Field,
+  Mutation,
+  ObjectType,
+  Parent,
+  registerEnumType,
+  ResolveField,
+  Resolver,
+} from '@nestjs/graphql';
+import type { WorkspacePage as PrismaWorkspacePage } from '@prisma/client';
+
+import { PrismaService } from '../../../prisma';
+import { CloudThrottlerGuard } from '../../../throttler';
+import { DocID } from '../../../utils/doc';
+import { Auth, CurrentUser } from '../../auth';
+import { UserType } from '../../users';
+import { PermissionService, PublicPageMode } from '../permission';
+import { Permission, WorkspaceType } from '../types';
+
+registerEnumType(PublicPageMode, {
+  name: 'PublicPageMode',
+  description: 'The mode which the public page default in',
+});
+
+@ObjectType()
+class WorkspacePage implements Partial<PrismaWorkspacePage> {
+  @Field(() => String, { name: 'id' })
+  pageId!: string;
+
+  @Field()
+  workspaceId!: string;
+
+  @Field(() => PublicPageMode)
+  mode!: PublicPageMode;
+
+  @Field()
+  public!: boolean;
+}
+
+@UseGuards(CloudThrottlerGuard)
+@Auth()
+@Resolver(() => WorkspaceType)
+export class PagePermissionResolver {
+  constructor(
+    private readonly prisma: PrismaService,
+    private readonly permission: PermissionService
+  ) {}
+
+  /**
+   * @deprecated
+   */
+  @ResolveField(() => [String], {
+    description: 'Shared pages of workspace',
+    complexity: 2,
+    deprecationReason: 'use WorkspaceType.publicPages',
+  })
+  async sharedPages(@Parent() workspace: WorkspaceType) {
+    const data = await this.prisma.workspacePage.findMany({
+      where: {
+        workspaceId: workspace.id,
+        public: true,
+      },
+    });
+
+    return data.map(row => row.pageId);
+  }
+
+  @ResolveField(() => [WorkspacePage], {
+    description: 'Public pages of a workspace',
+    complexity: 2,
+  })
+  async publicPages(@Parent() workspace: WorkspaceType) {
+    return this.prisma.workspacePage.findMany({
+      where: {
+        workspaceId: workspace.id,
+        public: true,
+      },
+    });
+  }
+
+  /**
+   * @deprecated
+   */
+  @Mutation(() => Boolean, {
+    name: 'sharePage',
+    deprecationReason: 'renamed to publicPage',
+  })
+  async deprecatedSharePage(
+    @CurrentUser() user: UserType,
+    @Args('workspaceId') workspaceId: string,
+    @Args('pageId') pageId: string
+  ) {
+    await this.publishPage(user, workspaceId, pageId, PublicPageMode.Page);
+    return true;
+  }
+
+  @Mutation(() => WorkspacePage)
+  async publishPage(
+    @CurrentUser() user: UserType,
+    @Args('workspaceId') workspaceId: string,
+    @Args('pageId') pageId: string,
+    @Args({
+      name: 'mode',
+      type: () => PublicPageMode,
+      nullable: true,
+      defaultValue: PublicPageMode.Page,
+    })
+    mode: PublicPageMode
+  ) {
+    const docId = new DocID(pageId, workspaceId);
+
+    if (docId.isWorkspace) {
+      throw new ForbiddenException('Expect page not to be workspace');
+    }
+
+    await this.permission.checkWorkspace(
+      docId.workspace,
+      user.id,
+      Permission.Read
+    );
+
+    return this.permission.publishPage(docId.workspace, docId.guid, mode);
+  }
+
+  /**
+   * @deprecated
+   */
+  @Mutation(() => Boolean, {
+    name: 'revokePage',
+    deprecationReason: 'use revokePublicPage',
+  })
+  async deprecatedRevokePage(
+    @CurrentUser() user: UserType,
+    @Args('workspaceId') workspaceId: string,
+    @Args('pageId') pageId: string
+  ) {
+    await this.revokePublicPage(user, workspaceId, pageId);
+    return true;
+  }
+
+  @Mutation(() => WorkspacePage)
+  async revokePublicPage(
+    @CurrentUser() user: UserType,
+    @Args('workspaceId') workspaceId: string,
+    @Args('pageId') pageId: string
+  ) {
+    const docId = new DocID(pageId, workspaceId);
+
+    if (docId.isWorkspace) {
+      throw new ForbiddenException('Expect page not to be workspace');
+    }
+
+    await this.permission.checkWorkspace(
+      docId.workspace,
+      user.id,
+      Permission.Read
+    );
+
+    return this.permission.revokePublicPage(docId.workspace, docId.guid);
+  }
+}

packages/backend/server/src/modules/workspaces/resolvers/workspace.ts

@@ -1,7 +1,5 @@
-import type { Storage } from '@affine/storage';
 import {
   ForbiddenException,
-  Inject,
   InternalServerErrorException,
   Logger,
   NotFoundException,
@@ -9,127 +7,36 @@ import {
 } from '@nestjs/common';
 import {
   Args,
-  Field,
-  Float,
-  ID,
-  InputType,
   Int,
   Mutation,
-  ObjectType,
-  OmitType,
   Parent,
-  PartialType,
-  PickType,
   Query,
-  registerEnumType,
   ResolveField,
   Resolver,
 } from '@nestjs/graphql';
-import type {
-  User,
-  Workspace,
-  WorkspacePage as PrismaWorkspacePage,
-} from '@prisma/client';
+import type { User } from '@prisma/client';
+import { getStreamAsBuffer } from 'get-stream';
 import GraphQLUpload from 'graphql-upload/GraphQLUpload.mjs';
 import { applyUpdate, Doc } from 'yjs';
 
-import { MakeCache, PreventCache } from '../../cache';
-import { EventEmitter } from '../../event';
-import { PrismaService } from '../../prisma';
-import { StorageProvide } from '../../storage';
-import { CloudThrottlerGuard, Throttle } from '../../throttler';
-import type { FileUpload } from '../../types';
-import { DocID } from '../../utils/doc';
-import { Auth, CurrentUser, Public } from '../auth';
-import { MailService } from '../auth/mailer';
-import { AuthService } from '../auth/service';
-import { QuotaManagementService } from '../quota';
-import { UsersService, UserType } from '../users';
-import { PermissionService, PublicPageMode } from './permission';
-import { Permission } from './types';
-import { defaultWorkspaceAvatar } from './utils';
-
-registerEnumType(Permission, {
-  name: 'Permission',
-  description: 'User permission in workspace',
-});
-
-@ObjectType()
-export class InviteUserType extends OmitType(
-  PartialType(UserType),
-  ['id'],
-  ObjectType
-) {
-  @Field(() => ID)
-  id!: string;
-
-  @Field(() => Permission, { description: 'User permission in workspace' })
-  permission!: Permission;
-
-  @Field({ description: 'Invite id' })
-  inviteId!: string;
-
-  @Field({ description: 'User accepted' })
-  accepted!: boolean;
-}
-
-@ObjectType()
-export class WorkspaceType implements Partial<Workspace> {
-  @Field(() => ID)
-  id!: string;
-
-  @Field({ description: 'is Public workspace' })
-  public!: boolean;
-
-  @Field({ description: 'Workspace created date' })
-  createdAt!: Date;
-
-  @Field(() => [InviteUserType], {
-    description: 'Members of workspace',
-  })
-  members!: InviteUserType[];
-}
-
-@ObjectType()
-export class InvitationWorkspaceType {
-  @Field(() => ID)
-  id!: string;
-
-  @Field({ description: 'Workspace name' })
-  name!: string;
-
-  @Field(() => String, {
-    // nullable: true,
-    description: 'Base64 encoded avatar',
-  })
-  avatar!: string;
-}
-
-@ObjectType()
-export class WorkspaceBlobSizes {
-  @Field(() => Float)
-  size!: number;
-}
-
-@ObjectType()
-export class InvitationType {
-  @Field({ description: 'Workspace information' })
-  workspace!: InvitationWorkspaceType;
-  @Field({ description: 'User information' })
-  user!: UserType;
-  @Field({ description: 'Invitee information' })
-  invitee!: UserType;
-}
-
-@InputType()
-export class UpdateWorkspaceInput extends PickType(
-  PartialType(WorkspaceType),
-  ['public'],
-  InputType
-) {
-  @Field(() => ID)
-  id!: string;
-}
+import { EventEmitter } from '../../../event';
+import { PrismaService } from '../../../prisma';
+import { CloudThrottlerGuard, Throttle } from '../../../throttler';
+import type { FileUpload } from '../../../types';
+import { Auth, CurrentUser, Public } from '../../auth';
+import { MailService } from '../../auth/mailer';
+import { AuthService } from '../../auth/service';
+import { WorkspaceBlobStorage } from '../../storage';
+import { UsersService, UserType } from '../../users';
+import { PermissionService } from '../permission';
+import {
+  InvitationType,
+  InviteUserType,
+  Permission,
+  UpdateWorkspaceInput,
+  WorkspaceType,
+} from '../types';
+import { defaultWorkspaceAvatar } from '../utils';
 
 /**
  * Workspace resolver
@@ -140,7 +47,7 @@ export class UpdateWorkspaceInput extends PickType(
 @Auth()
 @Resolver(() => WorkspaceType)
 export class WorkspaceResolver {
-  private readonly logger = new Logger('WorkspaceResolver');
+  private readonly logger = new Logger(WorkspaceResolver.name);
 
   constructor(
     private readonly auth: AuthService,
@@ -149,8 +56,7 @@ export class WorkspaceResolver {
     private readonly permissions: PermissionService,
     private readonly users: UsersService,
     private readonly event: EventEmitter,
-    private readonly quota: QuotaManagementService,
-    @Inject(StorageProvide) private readonly storage: Storage
+    private readonly blobStorage: WorkspaceBlobStorage
   ) {}
 
   @ResolveField(() => Permission, {
@@ -235,14 +141,6 @@ export class WorkspaceResolver {
       }));
   }
 
-  @ResolveField(() => Int, {
-    description: 'Blobs size of workspace',
-    complexity: 2,
-  })
-  async blobsSize(@Parent() workspace: WorkspaceType) {
-    return this.storage.blobsSize([workspace.id]);
-  }
-
   @Query(() => Boolean, {
     description: 'Get is owner of workspace',
     complexity: 2,
@@ -565,11 +463,14 @@ export class WorkspaceResolver {
     let avatar = '';
 
     if (metaJSON.avatar) {
-      const avatarBlob = await this.storage.getBlob(
+      const avatarBlob = await this.blobStorage.get(
         workspaceId,
         metaJSON.avatar
       );
-      avatar = avatarBlob?.data.toString('base64') || '';
+
+      if (avatarBlob.body) {
+        avatar = (await getStreamAsBuffer(avatarBlob.body)).toString('base64');
+      }
     }
 
     return {
@@ -653,256 +554,4 @@ export class WorkspaceResolver {
 
     return this.permissions.revokeWorkspace(workspaceId, user.id);
   }
-
-  @Query(() => [String], {
-    description: 'List blobs of workspace',
-  })
-  @MakeCache(['blobs'], ['workspaceId'])
-  async listBlobs(
-    @CurrentUser() user: UserType,
-    @Args('workspaceId') workspaceId: string
-  ) {
-    await this.permissions.checkWorkspace(workspaceId, user.id);
-
-    return this.storage.listBlobs(workspaceId);
-  }
-
-  @Query(() => WorkspaceBlobSizes)
-  async collectAllBlobSizes(@CurrentUser() user: UserType) {
-    const size = await this.quota.getUserUsage(user.id);
-    return { size };
-  }
-
-  @Query(() => WorkspaceBlobSizes)
-  async checkBlobSize(
-    @CurrentUser() user: UserType,
-    @Args('workspaceId') workspaceId: string,
-    @Args('size', { type: () => Float }) blobSize: number
-  ) {
-    const canWrite = await this.permissions.tryCheckWorkspace(
-      workspaceId,
-      user.id,
-      Permission.Write
-    );
-    if (canWrite) {
-      const size = await this.quota.checkBlobQuota(workspaceId, blobSize);
-      return { size };
-    }
-    return false;
-  }
-
-  @Mutation(() => String)
-  @PreventCache(['blobs'], ['workspaceId'])
-  async setBlob(
-    @CurrentUser() user: UserType,
-    @Args('workspaceId') workspaceId: string,
-    @Args({ name: 'blob', type: () => GraphQLUpload })
-    blob: FileUpload
-  ) {
-    await this.permissions.checkWorkspace(
-      workspaceId,
-      user.id,
-      Permission.Write
-    );
-
-    const { quota, size } = await this.quota.getWorkspaceUsage(workspaceId);
-
-    const checkExceeded = (recvSize: number) => {
-      if (!quota) {
-        throw new ForbiddenException('cannot find user quota');
-      }
-      if (size + recvSize > quota) {
-        this.logger.log(
-          `storage size limit exceeded: ${size + recvSize} > ${quota}`
-        );
-        return true;
-      } else {
-        return false;
-      }
-    };
-
-    if (checkExceeded(0)) {
-      throw new ForbiddenException('storage size limit exceeded');
-    }
-    const buffer = await new Promise<Buffer>((resolve, reject) => {
-      const stream = blob.createReadStream();
-      const chunks: Uint8Array[] = [];
-      stream.on('data', chunk => {
-        chunks.push(chunk);
-
-        // check size after receive each chunk to avoid unnecessary memory usage
-        const bufferSize = chunks.reduce((acc, cur) => acc + cur.length, 0);
-        if (checkExceeded(bufferSize)) {
-          reject(new ForbiddenException('storage size limit exceeded'));
-        }
-      });
-      stream.on('error', reject);
-      stream.on('end', () => {
-        const buffer = Buffer.concat(chunks);
-
-        if (checkExceeded(buffer.length)) {
-          reject(new ForbiddenException('storage size limit exceeded'));
-        } else {
-          resolve(buffer);
-        }
-      });
-    });
-
-    return this.storage.uploadBlob(workspaceId, buffer);
-  }
-
-  @Mutation(() => Boolean)
-  @PreventCache(['blobs'], ['workspaceId'])
-  async deleteBlob(
-    @CurrentUser() user: UserType,
-    @Args('workspaceId') workspaceId: string,
-    @Args('hash') hash: string
-  ) {
-    await this.permissions.checkWorkspace(workspaceId, user.id);
-
-    return this.storage.deleteBlob(workspaceId, hash);
-  }
-}
-
-registerEnumType(PublicPageMode, {
-  name: 'PublicPageMode',
-  description: 'The mode which the public page default in',
-});
-
-@ObjectType()
-class WorkspacePage implements Partial<PrismaWorkspacePage> {
-  @Field(() => String, { name: 'id' })
-  pageId!: string;
-
-  @Field()
-  workspaceId!: string;
-
-  @Field(() => PublicPageMode)
-  mode!: PublicPageMode;
-
-  @Field()
-  public!: boolean;
-}
-
-@UseGuards(CloudThrottlerGuard)
-@Auth()
-@Resolver(() => WorkspaceType)
-export class PagePermissionResolver {
-  constructor(
-    private readonly prisma: PrismaService,
-    private readonly permission: PermissionService
-  ) {}
-
-  /**
-   * @deprecated
-   */
-  @ResolveField(() => [String], {
-    description: 'Shared pages of workspace',
-    complexity: 2,
-    deprecationReason: 'use WorkspaceType.publicPages',
-  })
-  async sharedPages(@Parent() workspace: WorkspaceType) {
-    const data = await this.prisma.workspacePage.findMany({
-      where: {
-        workspaceId: workspace.id,
-        public: true,
-      },
-    });
-
-    return data.map(row => row.pageId);
-  }
-
-  @ResolveField(() => [WorkspacePage], {
-    description: 'Public pages of a workspace',
-    complexity: 2,
-  })
-  async publicPages(@Parent() workspace: WorkspaceType) {
-    return this.prisma.workspacePage.findMany({
-      where: {
-        workspaceId: workspace.id,
-        public: true,
-      },
-    });
-  }
-
-  /**
-   * @deprecated
-   */
-  @Mutation(() => Boolean, {
-    name: 'sharePage',
-    deprecationReason: 'renamed to publicPage',
-  })
-  async deprecatedSharePage(
-    @CurrentUser() user: UserType,
-    @Args('workspaceId') workspaceId: string,
-    @Args('pageId') pageId: string
-  ) {
-    await this.publishPage(user, workspaceId, pageId, PublicPageMode.Page);
-    return true;
-  }
-
-  @Mutation(() => WorkspacePage)
-  async publishPage(
-    @CurrentUser() user: UserType,
-    @Args('workspaceId') workspaceId: string,
-    @Args('pageId') pageId: string,
-    @Args({
-      name: 'mode',
-      type: () => PublicPageMode,
-      nullable: true,
-      defaultValue: PublicPageMode.Page,
-    })
-    mode: PublicPageMode
-  ) {
-    const docId = new DocID(pageId, workspaceId);
-
-    if (docId.isWorkspace) {
-      throw new ForbiddenException('Expect page not to be workspace');
-    }
-
-    await this.permission.checkWorkspace(
-      docId.workspace,
-      user.id,
-      Permission.Read
-    );
-
-    return this.permission.publishPage(docId.workspace, docId.guid, mode);
-  }
-
-  /**
-   * @deprecated
-   */
-  @Mutation(() => Boolean, {
-    name: 'revokePage',
-    deprecationReason: 'use revokePublicPage',
-  })
-  async deprecatedRevokePage(
-    @CurrentUser() user: UserType,
-    @Args('workspaceId') workspaceId: string,
-    @Args('pageId') pageId: string
-  ) {
-    await this.revokePublicPage(user, workspaceId, pageId);
-    return true;
-  }
-
-  @Mutation(() => WorkspacePage)
-  async revokePublicPage(
-    @CurrentUser() user: UserType,
-    @Args('workspaceId') workspaceId: string,
-    @Args('pageId') pageId: string
-  ) {
-    const docId = new DocID(pageId, workspaceId);
-
-    if (docId.isWorkspace) {
-      throw new ForbiddenException('Expect page not to be workspace');
-    }
-
-    await this.permission.checkWorkspace(
-      docId.workspace,
-      user.id,
-      Permission.Read
-    );
-
-    return this.permission.revokePublicPage(docId.workspace, docId.guid);
-  }
 }

packages/backend/server/src/modules/workspaces/types.ts

@@ -1,6 +1,103 @@
+import {
+  Field,
+  Float,
+  ID,
+  InputType,
+  ObjectType,
+  OmitType,
+  PartialType,
+  PickType,
+  registerEnumType,
+} from '@nestjs/graphql';
+import type { Workspace } from '@prisma/client';
+
+import { UserType } from '../users/types';
+
 export enum Permission {
   Read = 0,
   Write = 1,
   Admin = 10,
   Owner = 99,
 }
+
+registerEnumType(Permission, {
+  name: 'Permission',
+  description: 'User permission in workspace',
+});
+
+@ObjectType()
+export class InviteUserType extends OmitType(
+  PartialType(UserType),
+  ['id'],
+  ObjectType
+) {
+  @Field(() => ID)
+  id!: string;
+
+  @Field(() => Permission, { description: 'User permission in workspace' })
+  permission!: Permission;
+
+  @Field({ description: 'Invite id' })
+  inviteId!: string;
+
+  @Field({ description: 'User accepted' })
+  accepted!: boolean;
+}
+
+@ObjectType()
+export class WorkspaceType implements Partial<Workspace> {
+  @Field(() => ID)
+  id!: string;
+
+  @Field({ description: 'is Public workspace' })
+  public!: boolean;
+
+  @Field({ description: 'Workspace created date' })
+  createdAt!: Date;
+
+  @Field(() => [InviteUserType], {
+    description: 'Members of workspace',
+  })
+  members!: InviteUserType[];
+}
+
+@ObjectType()
+export class InvitationWorkspaceType {
+  @Field(() => ID)
+  id!: string;
+
+  @Field({ description: 'Workspace name' })
+  name!: string;
+
+  @Field(() => String, {
+    // nullable: true,
+    description: 'Base64 encoded avatar',
+  })
+  avatar!: string;
+}
+
+@ObjectType()
+export class WorkspaceBlobSizes {
+  @Field(() => Float)
+  size!: number;
+}
+
+@ObjectType()
+export class InvitationType {
+  @Field({ description: 'Workspace information' })
+  workspace!: InvitationWorkspaceType;
+  @Field({ description: 'User information' })
+  user!: UserType;
+  @Field({ description: 'Invitee information' })
+  invitee!: UserType;
+}
+
+@InputType()
+export class UpdateWorkspaceInput extends PickType(
+  PartialType(WorkspaceType),
+  ['public'],
+  InputType
+) {
+  @Field(() => ID)
+  id!: string;
+}