diff --git a/admin/accounthttp.go b/admin/accounthttp.go
index b2cf18a..408b4c5 100644
--- a/admin/accounthttp.go
+++ b/admin/accounthttp.go
@@ -3,8 +3,8 @@ package admin
 import (
 	"fmt"
 	"net/http"
+	"net/url"
 	"os"
-	"strings"
 	"time"
 
 	"arimelody-web/controller"
@@ -13,29 +13,58 @@ import (
 	"golang.org/x/crypto/bcrypt"
 )
 
-type TemplateData struct {
-    Account *model.Account
-    Message string
-    Token string
+func accountHandler(app *model.AppState) http.Handler {
+    mux := http.NewServeMux()
+
+    mux.Handle("/totp-setup", totpSetupHandler(app))
+    mux.Handle("/totp-confirm", totpConfirmHandler(app))
+    mux.Handle("/totp-delete/", http.StripPrefix("/totp-delete", totpDeleteHandler(app)))
+
+    mux.Handle("/password", changePasswordHandler(app))
+    mux.Handle("/delete", deleteAccountHandler(app))
+
+    return mux
 }
 
-func AccountHandler(app *model.AppState) http.Handler {
+func accountIndexHandler(app *model.AppState) http.Handler {
     return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-        account := r.Context().Value("account").(*model.Account)
+        session := r.Context().Value("session").(*model.Session)
 
-        totps, err := controller.GetTOTPsForAccount(app.DB, account.ID)
+        dbTOTPs, err := controller.GetTOTPsForAccount(app.DB, session.Account.ID)
         if err != nil {
             fmt.Printf("WARN: Failed to fetch TOTPs: %v\n", err)
             http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
         }
 
-        type AccountResponse struct {
-            Account *model.Account
-            TOTPs []model.TOTP
+        type (
+            TOTP struct {
+                model.TOTP
+                CreatedAtString string
+            }
+
+            accountResponse struct {
+                Session *model.Session
+                TOTPs []TOTP
+            }
+        )
+
+        totps := []TOTP{}
+        for _, totp := range dbTOTPs { 
+            totps = append(totps, TOTP{
+                TOTP: totp,
+                CreatedAtString: totp.CreatedAt.Format("02 Jan 2006, 15:04:05"),
+            })
         }
 
-        err = pages["account"].Execute(w, AccountResponse{
-            Account: account,
+        sessionMessage := session.Message
+        sessionError := session.Error
+        controller.SetSessionMessage(app.DB, session, "")
+        controller.SetSessionError(app.DB, session, "")
+        session.Message = sessionMessage
+        session.Error = sessionError
+
+        err = accountTemplate.Execute(w, accountResponse{
+            Session: session,
             TOTPs: totps,
         })
         if err != nil {
@@ -45,299 +74,307 @@ func AccountHandler(app *model.AppState) http.Handler {
     })
 }
 
-func LoginHandler(app *model.AppState) http.Handler {
+func changePasswordHandler(app *model.AppState) http.Handler {
     return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-        if r.Method == http.MethodGet {
-            account, err := controller.GetAccountByRequest(app.DB, r)
-            if err != nil {
-                http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-                fmt.Fprintf(os.Stderr, "WARN: Failed to fetch account: %v\n", err)
-                return
-            }
-            if account != nil {
-                http.Redirect(w, r, "/admin", http.StatusFound)
-                return
-            }
-
-            err = pages["login"].Execute(w, TemplateData{})
-            if err != nil {
-                fmt.Fprintf(os.Stderr, "WARN: Error rendering admin login page: %s\n", err)
-                http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-                return
-            }
+        if r.Method != http.MethodPost {
+            http.NotFound(w, r)
             return
         }
 
-        type LoginResponse struct {
-            Account *model.Account
-            Token string
-            Message string
+        session := r.Context().Value("session").(*model.Session)
+
+        controller.SetSessionMessage(app.DB, session, "")
+        controller.SetSessionError(app.DB, session, "")
+
+        r.ParseForm()
+
+        currentPassword := r.Form.Get("current-password")
+        if err := bcrypt.CompareHashAndPassword([]byte(session.Account.Password), []byte(currentPassword)); err != nil {
+            controller.SetSessionError(app.DB, session, "Incorrect password.")
+            http.Redirect(w, r, "/admin/account", http.StatusFound)
+            return
         }
 
-        render := func(data LoginResponse) {
-            err := pages["login"].Execute(w, data)
-            if err != nil {
-                fmt.Fprintf(os.Stderr, "WARN: Error rendering admin login page: %s\n", err)
-                http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-                return
-            }
+        newPassword := r.Form.Get("new-password")
+
+        hashedPassword, err := bcrypt.GenerateFromPassword([]byte(newPassword), bcrypt.DefaultCost)
+        if err != nil {
+            fmt.Fprintf(os.Stderr, "WARN: Failed to generate password hash: %v\n", err)
+            controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.")
+            http.Redirect(w, r, "/admin/account", http.StatusFound)
+            return
         }
 
+        session.Account.Password = string(hashedPassword)
+        err = controller.UpdateAccount(app.DB, session.Account)
+        if err != nil {
+            fmt.Fprintf(os.Stderr, "WARN: Failed to update account password: %v\n", err)
+            controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.")
+            http.Redirect(w, r, "/admin/account", http.StatusFound)
+            return
+        }
+
+        controller.SetSessionError(app.DB, session, "")
+        controller.SetSessionMessage(app.DB, session, "Password updated successfully.")
+        http.Redirect(w, r, "/admin/account", http.StatusFound)
+    })
+}
+
+func deleteAccountHandler(app *model.AppState) http.Handler {
+    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
         if r.Method != http.MethodPost {
-            http.NotFound(w, r);
+            http.NotFound(w, r)
             return
         }
 
         err := r.ParseForm()
         if err != nil {
-            render(LoginResponse{ Message: "Malformed request." })
+            http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
             return
         }
 
-        type LoginRequest struct {
-            Username string `json:"username"`
-            Password string `json:"password"`
-            TOTP string `json:"totp"`
-        }
-        credentials := LoginRequest{
-            Username: r.Form.Get("username"),
-            Password: r.Form.Get("password"),
-            TOTP: r.Form.Get("totp"),
+        if !r.Form.Has("password") || !r.Form.Has("totp") {
+            http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+            return
         }
 
-        account, err := controller.GetAccount(app.DB, credentials.Username)
+        session := r.Context().Value("session").(*model.Session)
+
+        // check password
+        if err := bcrypt.CompareHashAndPassword([]byte(session.Account.Password), []byte(r.Form.Get("password"))); err != nil {
+            fmt.Printf(
+                "[%s] WARN: Account \"%s\" attempted account deletion with incorrect password.\n",
+                time.Now().Format(time.UnixDate),
+                session.Account.Username,
+            )
+            controller.SetSessionError(app.DB, session, "Incorrect password.")
+            http.Redirect(w, r, "/admin/account", http.StatusFound)
+            return
+        }
+
+        totpMethod, err := controller.CheckTOTPForAccount(app.DB, session.Account.ID, r.Form.Get("totp"))
         if err != nil {
-            render(LoginResponse{ Message: "Invalid username or password" })
+            fmt.Fprintf(os.Stderr, "Failed to fetch account: %v\n", err)
+            controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.")
+            http.Redirect(w, r, "/admin/account", http.StatusFound)
             return
         }
-        if account == nil {
-            render(LoginResponse{ Message: "Invalid username or password" })
-            return
+        if totpMethod == nil {
+            fmt.Printf(
+                "[%s] WARN: Account \"%s\" attempted account deletion with incorrect TOTP.\n",
+                time.Now().Format(time.UnixDate),
+                session.Account.Username,
+            )
+            controller.SetSessionError(app.DB, session, "Incorrect TOTP.")
+            http.Redirect(w, r, "/admin/account", http.StatusFound)
         }
 
-        err = bcrypt.CompareHashAndPassword([]byte(account.Password), []byte(credentials.Password))
+        err = controller.DeleteAccount(app.DB, session.Account.ID)
         if err != nil {
-            render(LoginResponse{ Message: "Invalid username or password" })
+            fmt.Fprintf(os.Stderr, "Failed to delete account: %v\n", err)
+            controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.")
+            http.Redirect(w, r, "/admin/account", http.StatusFound)
             return
         }
 
-        totps, err := controller.GetTOTPsForAccount(app.DB, account.ID)
-        if err != nil {
-            fmt.Fprintf(os.Stderr, "WARN: Failed to fetch TOTPs: %v\n", err)
-            render(LoginResponse{ Message: "Something went wrong. Please try again." })
-            return
-        }
-        if len(totps) > 0 {
-            success := false
-            for _, totp := range totps {
-                check := controller.GenerateTOTP(totp.Secret, 0)
-                if check == credentials.TOTP {
-                    success = true
-                    break
-                }
-            }
-            if !success {
-                render(LoginResponse{ Message: "Invalid TOTP" })
-                return
-            }
-        } else {
-            // TODO: user should be prompted to add 2FA method
-        }
+        fmt.Printf(
+            "[%s] INFO: Account \"%s\" deleted by user request.\n",
+            time.Now().Format(time.UnixDate),
+            session.Account.Username,
+        )
 
-        // login success!
-        token, err := controller.CreateToken(app.DB, account.ID, r.UserAgent())
-        if err != nil {
-            fmt.Fprintf(os.Stderr, "WARN: Failed to create token: %v\n", err)
-            render(LoginResponse{ Message: "Something went wrong. Please try again." })
-            return
-        }
-
-        cookie := http.Cookie{}
-        cookie.Name = model.COOKIE_TOKEN
-        cookie.Value = token.Token
-        cookie.Expires = token.ExpiresAt
-        if strings.HasPrefix(app.Config.BaseUrl, "https") {
-            cookie.Secure = true
-        }
-        cookie.HttpOnly = true
-        cookie.Path = "/"
-        http.SetCookie(w, &cookie)
-
-        render(LoginResponse{ Account: account, Token: token.Token })
+        controller.SetSessionAccount(app.DB, session, nil)
+        controller.SetSessionError(app.DB, session, "")
+        controller.SetSessionMessage(app.DB, session, "Account deleted successfully.")
+        http.Redirect(w, r, "/admin/login", http.StatusFound)
     })
 }
 
-func LogoutHandler(app *model.AppState) http.Handler {
+func totpSetupHandler(app *model.AppState) http.Handler {
+    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+        if r.Method == http.MethodGet {
+            type totpSetupData struct {
+                Session *model.Session
+            }
+
+            session := r.Context().Value("session").(*model.Session)
+
+            err := totpSetupTemplate.Execute(w, totpSetupData{ Session: session })
+            if err != nil {
+                fmt.Printf("WARN: Failed to render TOTP setup page: %s\n", err)
+                http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+            }
+            return
+        }
+
+        if r.Method != http.MethodPost {
+            http.NotFound(w, r)
+            return
+        }
+
+        type totpSetupData struct {
+            Session *model.Session
+            TOTP *model.TOTP
+            NameEscaped string
+            QRBase64Image string
+        }
+
+        err := r.ParseForm()
+        if err != nil {
+            http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+            return
+        }
+
+        name := r.FormValue("totp-name")
+        if len(name) == 0 {
+            http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+            return
+        }
+
+        session := r.Context().Value("session").(*model.Session)
+
+        secret := controller.GenerateTOTPSecret(controller.TOTP_SECRET_LENGTH)
+        totp := model.TOTP {
+            AccountID: session.Account.ID,
+            Name: name,
+            Secret: string(secret),
+        }
+        err = controller.CreateTOTP(app.DB, &totp)
+        if err != nil {
+            fmt.Printf("WARN: Failed to create TOTP method: %s\n", err)
+            controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.")
+            err := totpSetupTemplate.Execute(w, totpSetupData{ Session: session })
+            if err != nil {
+                fmt.Printf("WARN: Failed to render TOTP setup page: %s\n", err)
+                http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+            }
+            return
+        }
+
+        qrBase64Image, err := controller.GenerateQRCode(
+            controller.GenerateTOTPURI(session.Account.Username, totp.Secret))
+        if err != nil {
+            fmt.Printf("WARN: Failed to generate TOTP setup QR code: %s\n", err)
+            controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.")
+            err := totpSetupTemplate.Execute(w, totpSetupData{ Session: session })
+            if err != nil {
+                fmt.Printf("WARN: Failed to render TOTP setup page: %s\n", err)
+                http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+            }
+            return
+        }
+
+        err = totpConfirmTemplate.Execute(w, totpSetupData{
+            Session: session,
+            TOTP: &totp,
+            NameEscaped: url.PathEscape(totp.Name),
+            QRBase64Image: qrBase64Image,
+        })
+        if err != nil {
+            fmt.Printf("WARN: Failed to render TOTP confirm page: %s\n", err)
+            http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+        }
+    })
+}
+
+func totpConfirmHandler(app *model.AppState) http.Handler {
+    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+        if r.Method != http.MethodPost {
+            http.NotFound(w, r)
+            return
+        }
+
+        type totpConfirmData struct {
+            Session *model.Session
+            TOTP *model.TOTP
+        }
+
+        session := r.Context().Value("session").(*model.Session)
+
+        err := r.ParseForm()
+        if err != nil {
+            http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+            return
+        }
+        name := r.FormValue("totp-name")
+        if len(name) == 0 {
+            http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+            return
+        }
+        code := r.FormValue("totp")
+        if len(code) != controller.TOTP_CODE_LENGTH {
+            http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+            return
+        }
+
+        totp, err := controller.GetTOTP(app.DB, session.Account.ID, name)
+        if err != nil {
+            fmt.Printf("WARN: Failed to fetch TOTP method: %s\n", err)
+            controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.")
+            http.Redirect(w, r, "/admin/account", http.StatusFound)
+            return
+        }
+        if totp == nil {
+            http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+            return
+        }
+
+        confirmCode := controller.GenerateTOTP(totp.Secret, 0)
+        if code != confirmCode {
+            confirmCodeOffset := controller.GenerateTOTP(totp.Secret, 1)
+            if code != confirmCodeOffset {
+                controller.SetSessionError(app.DB, session, "Incorrect TOTP code. Please try again.")
+                err = totpConfirmTemplate.Execute(w, totpConfirmData{
+                    Session: session,
+                    TOTP: totp,
+                })
+                return
+            }
+        }
+
+        controller.SetSessionError(app.DB, session, "")
+        controller.SetSessionMessage(app.DB, session, fmt.Sprintf("TOTP method \"%s\" created successfully.", totp.Name))
+        http.Redirect(w, r, "/admin/account", http.StatusFound)
+    })
+}
+
+func totpDeleteHandler(app *model.AppState) http.Handler {
     return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
         if r.Method != http.MethodGet {
             http.NotFound(w, r)
             return
         }
 
-        tokenStr := controller.GetTokenFromRequest(app.DB, r)
-
-        if len(tokenStr) > 0 {
-            err := controller.DeleteToken(app.DB, tokenStr)
-            if err != nil {
-                fmt.Fprintf(os.Stderr, "WARN: Failed to revoke token: %v\n", err)
-                http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-                return
-            }
+        if len(r.URL.Path) < 2 {
+            http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+            return
         }
+        name := r.URL.Path[1:]
 
-        cookie := http.Cookie{}
-        cookie.Name = model.COOKIE_TOKEN
-        cookie.Value = ""
-        cookie.Expires = time.Now()
-        if strings.HasPrefix(app.Config.BaseUrl, "https") {
-            cookie.Secure = true
-        }
-        cookie.HttpOnly = true
-        cookie.Path = "/"
-        http.SetCookie(w, &cookie)
-        http.Redirect(w, r, "/admin/login", http.StatusFound)
-    })
-}
+        session := r.Context().Value("session").(*model.Session)
 
-func createAccountHandler(app *model.AppState) http.Handler {
-    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-        checkAccount, err := controller.GetAccountByRequest(app.DB, r)
+        totp, err := controller.GetTOTP(app.DB, session.Account.ID, name)
         if err != nil {
-            fmt.Printf("WARN: Failed to fetch account: %s\n", err)
-            http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+            fmt.Printf("WARN: Failed to fetch TOTP method: %s\n", err)
+            controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.")
+            http.Redirect(w, r, "/admin/account", http.StatusFound)
             return
         }
-        if checkAccount != nil {
-            // user is already logged in
-            http.Redirect(w, r, "/admin", http.StatusFound)
-            return
-        }
-
-        type CreateAccountResponse struct {
-            Account *model.Account
-            Message string
-        }
-
-        render := func(data CreateAccountResponse) {
-            err := pages["create-account"].Execute(w, data)
-            if err != nil {
-                fmt.Printf("WARN: Error rendering create account page: %s\n", err)
-                http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-            }
-        }
-
-        if r.Method == http.MethodGet {
-            render(CreateAccountResponse{})
-            return
-        }
-
-        if r.Method != http.MethodPost {
+        if totp == nil {
             http.NotFound(w, r)
             return
         }
 
-        err = r.ParseForm()
+        err = controller.DeleteTOTP(app.DB, session.Account.ID, totp.Name)
         if err != nil {
-            render(CreateAccountResponse{
-                Message: "Malformed data.",
-            })
+            fmt.Printf("WARN: Failed to delete TOTP method: %s\n", err)
+            controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.")
+            http.Redirect(w, r, "/admin/account", http.StatusFound)
             return
         }
 
-        type RegisterRequest struct {
-            Username    string `json:"username"`
-            Email       string `json:"email"`
-            Password    string `json:"password"`
-            Invite      string `json:"invite"`
-        }
-        credentials := RegisterRequest{
-            Username: r.Form.Get("username"),
-            Email: r.Form.Get("email"),
-            Password: r.Form.Get("password"),
-            Invite: r.Form.Get("invite"),
-        }
-
-        // make sure code exists in DB
-        invite, err := controller.GetInvite(app.DB, credentials.Invite)
-        if err != nil {
-            fmt.Fprintf(os.Stderr, "WARN: Failed to retrieve invite: %v\n", err)
-            render(CreateAccountResponse{
-                Message: "Something went wrong. Please try again.",
-            })
-            return
-        }
-        if invite == nil || time.Now().After(invite.ExpiresAt) {
-            if invite != nil {
-                err := controller.DeleteInvite(app.DB, invite.Code)
-                if err != nil { fmt.Fprintf(os.Stderr, "WARN: Failed to delete expired invite: %v\n", err) }
-            }
-            render(CreateAccountResponse{
-                Message: "Invalid invite code.",
-            })
-            return
-        }
-
-        hashedPassword, err := bcrypt.GenerateFromPassword([]byte(credentials.Password), bcrypt.DefaultCost)
-        if err != nil {
-            fmt.Fprintf(os.Stderr, "WARN: Failed to generate password hash: %v\n", err)
-            render(CreateAccountResponse{
-                Message: "Something went wrong. Please try again.",
-            })
-            return
-        }
-
-        account := model.Account{
-            Username: credentials.Username,
-            Password: string(hashedPassword),
-            Email: credentials.Email,
-            AvatarURL: "/img/default-avatar.png",
-        }
-        err = controller.CreateAccount(app.DB, &account)
-        if err != nil {
-            if strings.HasPrefix(err.Error(), "pq: duplicate key") {
-                render(CreateAccountResponse{
-                    Message: "An account with that username already exists.",
-                })
-                return
-            }
-            fmt.Fprintf(os.Stderr, "WARN: Failed to create account: %v\n", err)
-            render(CreateAccountResponse{
-                Message: "Something went wrong. Please try again.",
-            })
-            return
-        }
-
-        err = controller.DeleteInvite(app.DB, invite.Code)
-        if err != nil { fmt.Fprintf(os.Stderr, "WARN: Failed to delete expired invite: %v\n", err) }
-
-        // registration success!
-        token, err := controller.CreateToken(app.DB, account.ID, r.UserAgent())
-        if err != nil {
-            fmt.Fprintf(os.Stderr, "WARN: Failed to create token: %v\n", err)
-            // gracefully redirect user to login page
-            http.Redirect(w, r, "/admin/login", http.StatusFound)
-            return
-        }
-
-        cookie := http.Cookie{}
-        cookie.Name = model.COOKIE_TOKEN
-        cookie.Value = token.Token
-        cookie.Expires = token.ExpiresAt
-        if strings.HasPrefix(app.Config.BaseUrl, "https") {
-            cookie.Secure = true
-        }
-        cookie.HttpOnly = true
-        cookie.Path = "/"
-        http.SetCookie(w, &cookie)
-
-        err = pages["login"].Execute(w, TemplateData{
-            Account: &account,
-            Token: token.Token,
-        })
-        if err != nil {
-            fmt.Fprintf(os.Stderr, "WARN: Failed to render login page: %v\n", err)
-			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-            return
-        }
+        controller.SetSessionError(app.DB, session, "")
+        controller.SetSessionMessage(app.DB, session, fmt.Sprintf("TOTP method \"%s\" deleted successfully.", totp.Name))
+        http.Redirect(w, r, "/admin/account", http.StatusFound)
     })
 }
diff --git a/admin/artisthttp.go b/admin/artisthttp.go
index d6a5e76..6dfbbfd 100644
--- a/admin/artisthttp.go
+++ b/admin/artisthttp.go
@@ -32,15 +32,15 @@ func serveArtist(app *model.AppState) http.Handler {
         }
 
         type ArtistResponse struct {
-            Account *model.Account
+            Session *model.Session
             Artist *model.Artist
             Credits []*model.Credit
         }
 
-        account := r.Context().Value("account").(*model.Account)
+        session := r.Context().Value("session").(*model.Session)
 
-        err = pages["artist"].Execute(w, ArtistResponse{
-            Account: account,
+        err = artistTemplate.Execute(w, ArtistResponse{
+            Session: session,
             Artist: artist,
             Credits: credits,
         })
diff --git a/admin/components/tracks/edittracks.html b/admin/components/tracks/edittracks.html
index 0500532..d03f80a 100644
--- a/admin/components/tracks/edittracks.html
+++ b/admin/components/tracks/edittracks.html
@@ -3,20 +3,20 @@
         <h2>Editing: Tracks</h2>
         <a id="add-track"
            class="button new"
-           href="/admin/release/{{.ID}}/addtrack"
-           hx-get="/admin/release/{{.ID}}/addtrack"
+           href="/admin/release/{{.Release.ID}}/addtrack"
+           hx-get="/admin/release/{{.Release.ID}}/addtrack"
            hx-target="body"
            hx-swap="beforeend"
         >Add</a>
     </header>
 
-    <form action="/api/v1/music/{{.ID}}/tracks">
+    <form action="/api/v1/music/{{.Release.ID}}/tracks">
         <ul>
-            {{range $i, $track := .Tracks}}
+            {{range $i, $track := .Release.Tracks}}
             <li class="track" data-track="{{$track.ID}}" data-title="{{$track.Title}}" data-number="{{$track.Add $i 1}}" draggable="true">
                 <div>
                     <p class="track-name">
-                        <span class="track-number">{{$track.Add $i 1}}</span>
+                        <span class="track-number">{{.Add $i 1}}</span>
                         {{$track.Title}}
                     </p>
                     <a class="delete">Delete</a>
diff --git a/admin/http.go b/admin/http.go
index b44cfa9..6fd8f59 100644
--- a/admin/http.go
+++ b/admin/http.go
@@ -2,40 +2,62 @@ package admin
 
 import (
 	"context"
+	"database/sql"
 	"fmt"
 	"net/http"
 	"os"
 	"path/filepath"
+	"strings"
+	"time"
 
 	"arimelody-web/controller"
 	"arimelody-web/model"
+
+	"golang.org/x/crypto/bcrypt"
 )
 
 func Handler(app *model.AppState) http.Handler {
     mux := http.NewServeMux()
 
-    mux.Handle("/login", LoginHandler(app))
-    mux.Handle("/register", createAccountHandler(app))
-    mux.Handle("/logout", RequireAccount(app, LogoutHandler(app)))
-    mux.Handle("/account", RequireAccount(app, AccountHandler(app)))
+    mux.Handle("/qr-test", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+        qrB64Img, err := controller.GenerateQRCode("super epic mega gaming test message. be sure to buy free2play on bandcamp so i can put food on my family")
+        if err != nil {
+            fmt.Fprintf(os.Stderr, "WARN: Failed to generate QR code: %v\n", err)
+            http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+            return
+        }
+
+        w.Write([]byte("<html><img style=\"image-rendering:pixelated;width:100%;height:100%;object-fit:contain\" src=\"" + qrB64Img + "\"/></html>"))
+    }))
+
+    mux.Handle("/login", loginHandler(app))
+    mux.Handle("/logout", requireAccount(app, logoutHandler(app)))
+
+    mux.Handle("/register", registerAccountHandler(app))
+
+    mux.Handle("/account", requireAccount(app, accountIndexHandler(app)))
+    mux.Handle("/account/", requireAccount(app, http.StripPrefix("/account", accountHandler(app))))
+
+    mux.Handle("/release/", requireAccount(app, http.StripPrefix("/release", serveRelease(app))))
+    mux.Handle("/artist/", requireAccount(app, http.StripPrefix("/artist", serveArtist(app))))
+    mux.Handle("/track/", requireAccount(app, http.StripPrefix("/track", serveTrack(app))))
+
     mux.Handle("/static/", http.StripPrefix("/static", staticHandler()))
-    mux.Handle("/release/", RequireAccount(app, http.StripPrefix("/release", serveRelease(app))))
-    mux.Handle("/artist/", RequireAccount(app, http.StripPrefix("/artist", serveArtist(app))))
-    mux.Handle("/track/", RequireAccount(app, http.StripPrefix("/track", serveTrack(app))))
-    mux.Handle("/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+
+    mux.Handle("/", requireAccount(app, AdminIndexHandler(app)))
+
+    // response wrapper to make sure a session cookie exists
+    return enforceSession(app, mux)
+}
+
+func AdminIndexHandler(app *model.AppState) http.Handler {
+    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
         if r.URL.Path != "/" {
             http.NotFound(w, r)
             return
         }
 
-        account, err := controller.GetAccountByRequest(app.DB, r)
-        if err != nil {
-            fmt.Fprintf(os.Stderr, "WARN: Failed to fetch account: %s\n", err)
-        }
-        if account == nil {
-            http.Redirect(w, r, "/admin/login", http.StatusFound)
-            return
-        }
+        session := r.Context().Value("session").(*model.Session)
 
         releases, err := controller.GetAllReleases(app.DB, false, 0, true)
         if err != nil {
@@ -52,52 +74,328 @@ func Handler(app *model.AppState) http.Handler {
         }
 
         tracks, err := controller.GetOrphanTracks(app.DB)
-		if err != nil {
+        if err != nil {
             fmt.Fprintf(os.Stderr, "WARN: Failed to pull orphan tracks: %s\n", err)
-			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-			return
-		}
+            http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+            return
+        }
 
         type IndexData struct {
-            Account     *model.Account
+            Session     *model.Session
             Releases    []*model.Release
             Artists     []*model.Artist
             Tracks      []*model.Track
         }
 
-        err = pages["index"].Execute(w, IndexData{
-            Account: account,
+        err = indexTemplate.Execute(w, IndexData{
+            Session: session,
             Releases: releases,
             Artists: artists,
             Tracks: tracks,
         })
-		if err != nil {
+        if err != nil {
             fmt.Fprintf(os.Stderr, "WARN: Failed to render admin index: %s\n", err)
-			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-			return
-		}
-    }))
-
-    return mux
+            http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+            return
+        }
+    })
 }
 
-func RequireAccount(app *model.AppState, next http.Handler) http.HandlerFunc {
+func registerAccountHandler(app *model.AppState) http.Handler {
     return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-        account, err := controller.GetAccountByRequest(app.DB, r)
+        session := r.Context().Value("session").(*model.Session)
+
+        if session.Account != nil {
+            // user is already logged in
+            http.Redirect(w, r, "/admin", http.StatusFound)
+            return
+        }
+
+        type registerData struct {
+            Session *model.Session
+        }
+
+        render := func() {
+            err := registerTemplate.Execute(w, registerData{ Session: session })
+            if err != nil {
+                fmt.Printf("WARN: Error rendering create account page: %s\n", err)
+                http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+            }
+        }
+
+        if r.Method == http.MethodGet {
+            render()
+            return
+        }
+
+        if r.Method != http.MethodPost {
+            http.NotFound(w, r)
+            return
+        }
+
+        err := r.ParseForm()
         if err != nil {
-            http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-            fmt.Fprintf(os.Stderr, "WARN: Failed to fetch account: %v\n", err)
+            http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+            return
+        }
+
+        type RegisterRequest struct {
+            Username    string `json:"username"`
+            Email       string `json:"email"`
+            Password    string `json:"password"`
+            Invite      string `json:"invite"`
+        }
+        credentials := RegisterRequest{
+            Username: r.Form.Get("username"),
+            Email: r.Form.Get("email"),
+            Password: r.Form.Get("password"),
+            Invite: r.Form.Get("invite"),
+        }
+
+        // make sure invite code exists in DB
+        invite, err := controller.GetInvite(app.DB, credentials.Invite)
+        if err != nil {
+            fmt.Fprintf(os.Stderr, "WARN: Failed to retrieve invite: %v\n", err)
+            controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.")
+            render()
+            return
+        }
+        if invite == nil || time.Now().After(invite.ExpiresAt) {
+            if invite != nil {
+                err := controller.DeleteInvite(app.DB, invite.Code)
+                if err != nil { fmt.Fprintf(os.Stderr, "WARN: Failed to delete expired invite: %v\n", err) }
+            }
+            controller.SetSessionError(app.DB, session, "Invalid invite code.")
+            render()
+            return
+        }
+
+        hashedPassword, err := bcrypt.GenerateFromPassword([]byte(credentials.Password), bcrypt.DefaultCost)
+        if err != nil {
+            fmt.Fprintf(os.Stderr, "WARN: Failed to generate password hash: %v\n", err)
+            controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.")
+            render()
+            return
+        }
+
+        account := model.Account{
+            Username: credentials.Username,
+            Password: string(hashedPassword),
+            Email: sql.NullString{ String: credentials.Email, Valid: true },
+            AvatarURL: sql.NullString{ String:  "/img/default-avatar.png", Valid: true },
+        }
+        err = controller.CreateAccount(app.DB, &account)
+        if err != nil {
+            if strings.HasPrefix(err.Error(), "pq: duplicate key") {
+                controller.SetSessionError(app.DB, session, "An account with that username already exists.")
+                render()
+                return
+            }
+            fmt.Fprintf(os.Stderr, "WARN: Failed to create account: %v\n", err)
+            controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.")
+            render()
+            return
+        }
+
+        fmt.Printf(
+            "[%s]: Account registered: %s (%s)\n",
+            time.Now().Format(time.UnixDate),
+            account.Username,
+            account.ID,
+        )
+
+        err = controller.DeleteInvite(app.DB, invite.Code)
+        if err != nil { fmt.Fprintf(os.Stderr, "WARN: Failed to delete expired invite: %v\n", err) }
+
+        // registration success!
+        controller.SetSessionAccount(app.DB, session, &account)
+        controller.SetSessionMessage(app.DB, session, "")
+        controller.SetSessionError(app.DB, session, "")
+        http.Redirect(w, r, "/admin", http.StatusFound)
+    })
+}
+
+func loginHandler(app *model.AppState) http.Handler {
+    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+        if r.Method != http.MethodGet && r.Method != http.MethodPost {
+            http.NotFound(w, r)
+            return
+        }
+
+        session := r.Context().Value("session").(*model.Session)
+
+        type loginData struct {
+            Session *model.Session
+        }
+
+        render := func() {
+            err := loginTemplate.Execute(w, loginData{ Session: session })
+            if err != nil {
+                fmt.Fprintf(os.Stderr, "WARN: Error rendering admin login page: %s\n", err)
+                http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+                return
+            }
+        }
+
+        if r.Method == http.MethodGet {
+            if session.Account != nil {
+                // user is already logged in
+                http.Redirect(w, r, "/admin", http.StatusFound)
+                return
+            }
+
+            render()
+            return
+        }
+
+        err := r.ParseForm()
+        if err != nil {
+            http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+            return
+        }
+
+        type LoginRequest struct {
+            Username string `json:"username"`
+            Password string `json:"password"`
+            TOTP string `json:"totp"`
+        }
+        credentials := LoginRequest{
+            Username: r.Form.Get("username"),
+            Password: r.Form.Get("password"),
+            TOTP: r.Form.Get("totp"),
+        }
+
+        account, err := controller.GetAccountByUsername(app.DB, credentials.Username)
+        if err != nil {
+            fmt.Fprintf(os.Stderr, "WARN: Failed to fetch account for login: %v\n", err)
+            controller.SetSessionError(app.DB, session, "Invalid username or password.")
+            render()
             return
         }
         if account == nil {
+            controller.SetSessionError(app.DB, session, "Invalid username or password.")
+            render()
+            return
+        }
+
+        err = bcrypt.CompareHashAndPassword([]byte(account.Password), []byte(credentials.Password))
+        if err != nil {
+            fmt.Printf(
+                "[%s] INFO: Account \"%s\" attempted login with incorrect password.\n",
+                time.Now().Format(time.UnixDate),
+                account.Username,
+            )
+            controller.SetSessionError(app.DB, session, "Invalid username or password.")
+            render()
+            return
+        }
+
+        var totpMethod *model.TOTP
+        if len(credentials.TOTP) == 0 {
+            // check if user has TOTP
+            totps, err := controller.GetTOTPsForAccount(app.DB, account.ID)
+            if err != nil {
+                fmt.Fprintf(os.Stderr, "WARN: Failed to fetch TOTPs: %v\n", err)
+                controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.")
+                render()
+                return
+            }
+
+            if len(totps) > 0 {
+                type loginTOTPData struct {
+                    Session *model.Session
+                    Username string
+                    Password string
+                }
+                err = loginTOTPTemplate.Execute(w, loginTOTPData{
+                    Session: session,
+                    Username: credentials.Username,
+                    Password: credentials.Password,
+                })
+                if err != nil {
+                    fmt.Fprintf(os.Stderr, "WARN: Failed to render login TOTP page: %v\n", err)
+                    http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+                    return
+                }
+            }
+        } else {
+            totpMethod, err = controller.CheckTOTPForAccount(app.DB, account.ID, credentials.TOTP)
+            if err != nil {
+                fmt.Fprintf(os.Stderr, "WARN: Failed to fetch TOTPs: %v\n", err)
+                controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.")
+                render()
+                return
+            }
+            if totpMethod == nil {
+                controller.SetSessionError(app.DB, session, "Invalid TOTP.")
+                render()
+                return
+            }
+        }
+
+        if totpMethod != nil {
+            fmt.Printf(
+                "[%s] INFO: Account \"%s\" logged in with method \"%s\"\n",
+                time.Now().Format(time.UnixDate),
+                account.Username,
+                totpMethod.Name,
+            )
+        } else {
+            fmt.Printf(
+                "[%s] INFO: Account \"%s\" logged in\n",
+                time.Now().Format(time.UnixDate),
+                account.Username,
+            )
+        }
+
+        // TODO: log login activity to user
+
+        // login success!
+        controller.SetSessionAccount(app.DB, session, account)
+        controller.SetSessionMessage(app.DB, session, "")
+        controller.SetSessionError(app.DB, session, "")
+        http.Redirect(w, r, "/admin", http.StatusFound)
+    })
+}
+
+func logoutHandler(app *model.AppState) http.Handler {
+    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+        if r.Method != http.MethodGet {
+            http.NotFound(w, r)
+            return
+        }
+
+        session := r.Context().Value("session").(*model.Session)
+        err := controller.DeleteSession(app.DB, session.Token)
+        if err != nil {
+            fmt.Fprintf(os.Stderr, "WARN: Failed to delete session: %v\n", err)
+            http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+            return
+        }
+
+        http.SetCookie(w, &http.Cookie{
+            Name: model.COOKIE_TOKEN,
+            Expires: time.Now(),
+            Path: "/",
+        })
+
+        err = logoutTemplate.Execute(w, nil)
+        if err != nil {
+            fmt.Fprintf(os.Stderr, "WARN: Failed to render logout page: %v\n", err)
+            http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+        }
+    })
+}
+
+func requireAccount(app *model.AppState, next http.Handler) http.HandlerFunc {
+    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+        session := r.Context().Value("session").(*model.Session)
+        if session.Account == nil {
             // TODO: include context in redirect
             http.Redirect(w, r, "/admin/login", http.StatusFound)
             return
         }
-
-        ctx := context.WithValue(r.Context(), "account", account)
-
-        next.ServeHTTP(w, r.WithContext(ctx))
+        next.ServeHTTP(w, r)
     })
 }
 
@@ -121,3 +419,53 @@ func staticHandler() http.Handler {
         http.FileServer(http.Dir(filepath.Join("admin", "static"))).ServeHTTP(w, r)
     })
 }
+
+func enforceSession(app *model.AppState, next http.Handler) http.Handler {
+    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+        sessionCookie, err := r.Cookie(model.COOKIE_TOKEN)
+        if err != nil && err != http.ErrNoCookie {
+            fmt.Fprintf(os.Stderr, "WARN: Failed to retrieve session cookie: %v\n", err)
+			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+            return
+        }
+
+        var session *model.Session
+        
+        if sessionCookie != nil {
+            // fetch existing session
+            session, err = controller.GetSession(app.DB, sessionCookie.Value)
+
+            if err != nil && !strings.Contains(err.Error(), "no rows") {
+                fmt.Fprintf(os.Stderr, "WARN: Failed to retrieve session: %v\n", err)
+                http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+                return
+            }
+
+            if session != nil {
+                // TODO: consider running security checks here (i.e. user agent mismatches)
+            }
+        }
+
+        if session == nil {
+            // create a new session
+            session, err = controller.CreateSession(app.DB, r.UserAgent())
+            if err != nil {
+                fmt.Fprintf(os.Stderr, "WARN: Failed to create session: %v\n", err)
+                http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+                return
+            }
+
+            http.SetCookie(w, &http.Cookie{
+                Name: model.COOKIE_TOKEN,
+                Value: session.Token,
+                Expires: session.ExpiresAt,
+                Secure: strings.HasPrefix(app.Config.BaseUrl, "https"),
+                HttpOnly: true,
+                Path: "/",
+            })
+        }
+
+        ctx := context.WithValue(r.Context(), "session", session)
+        next.ServeHTTP(w, r.WithContext(ctx))
+    })
+}
diff --git a/admin/releasehttp.go b/admin/releasehttp.go
index 503166b..be5052b 100644
--- a/admin/releasehttp.go
+++ b/admin/releasehttp.go
@@ -14,7 +14,7 @@ func serveRelease(app *model.AppState) http.Handler {
         slices := strings.Split(r.URL.Path[1:], "/")
         releaseID := slices[0]
 
-        account := r.Context().Value("account").(*model.Account)
+        session := r.Context().Value("session").(*model.Session)
 
         release, err := controller.GetRelease(app.DB, releaseID, true)
         if err != nil {
@@ -56,12 +56,12 @@ func serveRelease(app *model.AppState) http.Handler {
         }
 
         type ReleaseResponse struct {
-            Account *model.Account
+            Session *model.Session
             Release *model.Release
         }
 
-        err = pages["release"].Execute(w, ReleaseResponse{
-            Account: account,
+        err = releaseTemplate.Execute(w, ReleaseResponse{
+            Session: session,
             Release: release,
         })
         if err != nil {
@@ -74,7 +74,7 @@ func serveRelease(app *model.AppState) http.Handler {
 func serveEditCredits(release *model.Release) http.Handler {
     return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
         w.Header().Set("Content-Type", "text/html")
-        err := components["editcredits"].Execute(w, release)
+        err := editCreditsTemplate.Execute(w, release)
         if err != nil {
             fmt.Printf("Error rendering edit credits component for %s: %s\n", release.ID, err)
             http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
@@ -97,7 +97,7 @@ func serveAddCredit(app *model.AppState, release *model.Release) http.Handler {
         }
 
         w.Header().Set("Content-Type", "text/html")
-        err = components["addcredit"].Execute(w, response{
+        err = addCreditTemplate.Execute(w, response{
             ReleaseID: release.ID,
             Artists: artists,
         })
@@ -123,7 +123,7 @@ func serveNewCredit(app *model.AppState) http.Handler {
         }
 
         w.Header().Set("Content-Type", "text/html")
-        err = components["newcredit"].Execute(w, artist)
+        err = newCreditTemplate.Execute(w, artist)
         if err != nil {
             fmt.Printf("Error rendering new credit component for %s: %s\n", artist.ID, err)
             http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
@@ -134,7 +134,7 @@ func serveNewCredit(app *model.AppState) http.Handler {
 func serveEditLinks(release *model.Release) http.Handler {
     return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
         w.Header().Set("Content-Type", "text/html")
-        err := components["editlinks"].Execute(w, release)
+        err := editLinksTemplate.Execute(w, release)
         if err != nil {
             fmt.Printf("Error rendering edit links component for %s: %s\n", release.ID, err)
             http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
@@ -145,7 +145,16 @@ func serveEditLinks(release *model.Release) http.Handler {
 func serveEditTracks(release *model.Release) http.Handler {
     return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
         w.Header().Set("Content-Type", "text/html")
-        err := components["edittracks"].Execute(w, release)
+
+        type editTracksData struct {
+            Release *model.Release
+            Add func(a int, b int) int
+        }
+
+        err := editTracksTemplate.Execute(w, editTracksData{
+            Release: release,
+            Add: func(a, b int) int { return a + b },
+        })
         if err != nil {
             fmt.Printf("Error rendering edit tracks component for %s: %s\n", release.ID, err)
             http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
@@ -168,7 +177,7 @@ func serveAddTrack(app *model.AppState, release *model.Release) http.Handler {
         }
 
         w.Header().Set("Content-Type", "text/html")
-        err = components["addtrack"].Execute(w, response{
+        err = addTrackTemplate.Execute(w, response{
             ReleaseID: release.ID,
             Tracks: tracks,
         })
@@ -195,7 +204,7 @@ func serveNewTrack(app *model.AppState) http.Handler {
         }
 
         w.Header().Set("Content-Type", "text/html")
-        err = components["newtrack"].Execute(w, track)
+        err = newTrackTemplate.Execute(w, track)
         if err != nil {
             fmt.Printf("Error rendering new track component for %s: %s\n", track.ID, err)
             http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
diff --git a/admin/static/admin.css b/admin/static/admin.css
index 32f69bb..877b5da 100644
--- a/admin/static/admin.css
+++ b/admin/static/admin.css
@@ -24,7 +24,7 @@ nav {
     justify-content: left;
 
     background: #f8f8f8;
-    border-radius: .5em;
+    border-radius: 4px;
     border: 1px solid #808080;
 }
 nav .icon {
@@ -85,6 +85,15 @@ a img.icon {
     height: .8em;
 }
 
+code {
+    background: #303030;
+    color: #f0f0f0;
+    padding: .23em .3em;
+    border-radius: 4px;
+}
+
+
+
 .card {
     margin-bottom: 1em;
 }
@@ -93,13 +102,6 @@ a img.icon {
     margin: 0 0 .5em 0;
 }
 
-/*
-.card h3,
-.card p {
-    margin: 0;
-}
-*/
-
 .card-title {
     margin-bottom: 1em;
     display: flex;
@@ -127,20 +129,34 @@ a img.icon {
 
 
 
+#message,
 #error {
-    background: #ffa9b8;
-    border: 1px solid #dc5959;
+    margin: 0 0 1em 0;
     padding: 1em;
     border-radius: 4px;
+    background: #ffffff;
+    border: 1px solid #888;
+}
+#message {
+    background: #a9dfff;
+    border-color: #599fdc;
+}
+#error {
+    background: #ffa9b8;
+    border-color: #dc5959;
 }
 
 
 
+a.delete:not(.button) {
+    color: #d22828;
+}
+
 button, .button {
     padding: .5em .8em;
     font-family: inherit;
     font-size: inherit;
-    border-radius: .5em;
+    border-radius: 4px;
     border: 1px solid #a0a0a0;
     background: #f0f0f0;
     color: inherit;
@@ -154,35 +170,59 @@ button:active, .button:active {
     border-color: #808080;
 }
 
-button {
+.button, button {
     color: inherit;
 }
-button.new {
+.button.new, button.new {
     background: #c4ff6a;
     border-color: #84b141;
 }
-button.save {
+.button.save, button.save {
     background: #6fd7ff;
     border-color: #6f9eb0;
 }
-button.delete {
+.button.delete, button.delete {
     background: #ff7171;
     border-color: #7d3535;
 }
-button:hover {
+.button:hover, button:hover {
     background: #fff;
     border-color: #d0d0d0;
 }
-button:active {
+.button:active, button:active {
     background: #d0d0d0;
     border-color: #808080;
 }
-button[disabled] {
+.button[disabled], button[disabled] {
     background: #d0d0d0 !important;
     border-color: #808080 !important;
     opacity: .5;
     cursor: not-allowed !important;
 }
-a.delete {
-    color: #d22828;
+
+
+
+form {
+    width: 100%;
+    display: block;
+}
+form label {
+    width: 100%;
+    margin: 1rem 0 .5rem 0;
+    display: block;
+    color: #10101080;
+}
+form input {
+    margin: .5rem 0;
+    padding: .3rem .5rem;
+    display: block;
+    border-radius: 4px;
+    border: 1px solid #808080;
+    font-size: inherit;
+    font-family: inherit;
+    color: inherit;
+}
+input[disabled] {
+    opacity: .5;
+    cursor: not-allowed;
 }
diff --git a/admin/static/edit-account.css b/admin/static/edit-account.css
index 625db13..7a4d34a 100644
--- a/admin/static/edit-account.css
+++ b/admin/static/edit-account.css
@@ -1,28 +1,18 @@
 @import url("/admin/static/index.css");
 
-form#change-password {
-    width: 100%;
-    display: flex;
-    flex-direction: column;
-    align-items: start;
-}
-
-form div {
-    width: 20rem;
-}
-
-form button {
-    margin-top: 1rem;
+div.card {
+    margin-bottom: 2rem;
 }
 
 label {
-    width: 100%;
-    margin: 1rem 0 .5rem 0;
-    display: block;
-    color: #10101080;
+    width: auto;
+    margin: 0;
+    display: flex;
+    align-items: center;
+    color: inherit;
 }
 input {
-    width: 100%;
+    width: min(20rem, calc(100% - 1rem));
     margin: .5rem 0;
     padding: .3rem .5rem;
     display: block;
@@ -33,18 +23,11 @@ input {
     color: inherit;
 }
 
-#error {
-    background: #ffa9b8;
-    border: 1px solid #dc5959;
-    padding: 1em;
-    border-radius: 4px;
-}
-
 .mfa-device {
     padding: .75em;
     background: #f8f8f8f8;
     border: 1px solid #808080;
-    border-radius: .5em;
+    border-radius: 8px;
     margin-bottom: .5em;
     display: flex;
     justify-content: space-between;
diff --git a/admin/static/edit-artist.css b/admin/static/edit-artist.css
index 793b989..5627e64 100644
--- a/admin/static/edit-artist.css
+++ b/admin/static/edit-artist.css
@@ -9,7 +9,7 @@ h1 {
     flex-direction: row;
     gap: 1.2em;
 
-    border-radius: .5em;
+    border-radius: 8px;
     background: #f8f8f8f8;
     border: 1px solid #808080;
 }
diff --git a/admin/static/edit-release.css b/admin/static/edit-release.css
index 10eada3..aa70e34 100644
--- a/admin/static/edit-release.css
+++ b/admin/static/edit-release.css
@@ -11,7 +11,7 @@ input[type="text"] {
     flex-direction: row;
     gap: 1.2em;
 
-    border-radius: .5em;
+    border-radius: 8px;
     background: #f8f8f8f8;
     border: 1px solid #808080;
 }
@@ -160,7 +160,7 @@ dialog div.dialog-actions {
     align-items: center;
     gap: 1em;
 
-    border-radius: .5em;
+    border-radius: 8px;
     background: #f8f8f8f8;
     border: 1px solid #808080;
 }
@@ -170,7 +170,7 @@ dialog div.dialog-actions {
 }
 
 .card.credits .credit .artist-avatar {
-    border-radius: .5em;
+    border-radius: 8px;
 }
 
 .card.credits .credit .artist-name {
@@ -196,7 +196,7 @@ dialog div.dialog-actions {
     align-items: center;
     gap: 1em;
 
-    border-radius: .5em;
+    border-radius: 8px;
     background: #f8f8f8f8;
     border: 1px solid #808080;
 }
@@ -215,7 +215,7 @@ dialog div.dialog-actions {
 }
 
 #editcredits .credit .artist-avatar {
-    border-radius: .5em;
+    border-radius: 8px;
 }
 
 #editcredits .credit .credit-info {
@@ -228,12 +228,14 @@ dialog div.dialog-actions {
 }
 
 #editcredits .credit .credit-info .credit-attribute label {
+    width: auto;
+    margin: 0;
     display: flex;
     align-items: center;
 }
 
 #editcredits .credit .credit-info .credit-attribute input[type="text"] {
-    margin-left: .25em;
+    margin: 0 0 0 .25em;
     padding: .2em .4em;
     flex-grow: 1;
     font-family: inherit;
@@ -241,6 +243,9 @@ dialog div.dialog-actions {
     border-radius: 4px;
     color: inherit;
 }
+#editcredits .credit .credit-info .credit-attribute input[type="checkbox"] {
+    margin: 0 .3em;
+}
 
 #editcredits .credit .artist-name {
     font-weight: bold;
@@ -369,8 +374,10 @@ dialog div.dialog-actions {
 #editlinks td input[type="text"] {
     width: calc(100% - .6em);
     height: 100%;
+    margin: 0;
     padding: 0 .3em;
     border: none;
+    border-radius: 0;
     outline: none;
     cursor: pointer;
     background: none;
@@ -393,7 +400,7 @@ dialog div.dialog-actions {
     flex-direction: column;
     gap: .5em;
 
-    border-radius: .5em;
+    border-radius: 8px;
     background: #f8f8f8f8;
     border: 1px solid #808080;
 }
diff --git a/admin/static/edit-track.css b/admin/static/edit-track.css
index 8a05089..600b680 100644
--- a/admin/static/edit-track.css
+++ b/admin/static/edit-track.css
@@ -11,7 +11,7 @@ h1 {
     flex-direction: row;
     gap: 1.2em;
 
-    border-radius: .5em;
+    border-radius: 8px;
     background: #f8f8f8f8;
     border: 1px solid #808080;
 }
diff --git a/admin/static/index.css b/admin/static/index.css
index 9d38940..9fcd731 100644
--- a/admin/static/index.css
+++ b/admin/static/index.css
@@ -1,23 +1,5 @@
 @import url("/admin/static/release-list-item.css");
 
-.create-btn {
-    background: #c4ff6a;
-    padding: .5em .8em;
-    border-radius: .5em;
-    border: 1px solid #84b141;
-    text-decoration: none;
-}
-.create-btn:hover {
-    background: #fff;
-    border-color: #d0d0d0;
-    text-decoration: inherit;
-}
-.create-btn:active {
-    background: #d0d0d0;
-    border-color: #808080;
-    text-decoration: inherit;
-}
-
 .artist {
     margin-bottom: .5em;
     padding: .5em;
@@ -26,7 +8,7 @@
     align-items: center;
     gap: .5em;
 
-    border-radius: .5em;
+    border-radius: 8px;
     background: #f8f8f8f8;
     border: 1px solid #808080;
 }
@@ -49,7 +31,7 @@
     flex-direction: column;
     gap: .5em;
 
-    border-radius: .5em;
+    border-radius: 8px;
     background: #f8f8f8f8;
     border: 1px solid #808080;
 }
diff --git a/admin/static/release-list-item.css b/admin/static/release-list-item.css
index ee67de7..638eac0 100644
--- a/admin/static/release-list-item.css
+++ b/admin/static/release-list-item.css
@@ -5,7 +5,7 @@
     flex-direction: row;
     gap: 1em;
 
-    border-radius: .5em;
+    border-radius: 8px;
     background: #f8f8f8f8;
     border: 1px solid #808080;
 }
@@ -50,7 +50,7 @@
     padding: .5em;
     display: block;
 
-    border-radius: .5em;
+    border-radius: 8px;
     text-decoration: none;
     color: #f0f0f0;
     background: #303030;
@@ -73,7 +73,7 @@
     padding: .3em .5em;
     display: inline-block;
 
-    border-radius: .3em;
+    border-radius: 4px;
     background: #e0e0e0;
 
     transition: color .1s, background .1s;
diff --git a/admin/templates.go b/admin/templates.go
index 1fa7a65..49c118b 100644
--- a/admin/templates.go
+++ b/admin/templates.go
@@ -1,65 +1,90 @@
 package admin
 
 import (
-	"html/template"
-	"path/filepath"
+    "html/template"
+    "path/filepath"
 )
 
-var pages = map[string]*template.Template{
-    "index": template.Must(template.ParseFiles(
-        filepath.Join("admin", "views", "layout.html"),
-        filepath.Join("views", "prideflag.html"),
-        filepath.Join("admin", "components", "release", "release-list-item.html"),
-        filepath.Join("admin", "views", "index.html"),
-    )),
+var indexTemplate = template.Must(template.ParseFiles(
+    filepath.Join("admin", "views", "layout.html"),
+    filepath.Join("views", "prideflag.html"),
+    filepath.Join("admin", "components", "release", "release-list-item.html"),
+    filepath.Join("admin", "views", "index.html"),
+))
 
-    "login": template.Must(template.ParseFiles(
-        filepath.Join("admin", "views", "layout.html"),
-        filepath.Join("views", "prideflag.html"),
-        filepath.Join("admin", "views", "login.html"),
-    )),
-    "create-account": template.Must(template.ParseFiles(
-        filepath.Join("admin", "views", "layout.html"),
-        filepath.Join("views", "prideflag.html"),
-        filepath.Join("admin", "views", "create-account.html"),
-    )),
-    "logout": template.Must(template.ParseFiles(
-        filepath.Join("admin", "views", "layout.html"),
-        filepath.Join("views", "prideflag.html"),
-        filepath.Join("admin", "views", "logout.html"),
-    )),
-    "account": template.Must(template.ParseFiles(
-        filepath.Join("admin", "views", "layout.html"),
-        filepath.Join("views", "prideflag.html"),
-        filepath.Join("admin", "views", "edit-account.html"),
-    )),
+var loginTemplate = template.Must(template.ParseFiles(
+    filepath.Join("admin", "views", "layout.html"),
+    filepath.Join("views", "prideflag.html"),
+    filepath.Join("admin", "views", "login.html"),
+))
+var loginTOTPTemplate = template.Must(template.ParseFiles(
+    filepath.Join("admin", "views", "layout.html"),
+    filepath.Join("views", "prideflag.html"),
+    filepath.Join("admin", "views", "login-totp.html"),
+))
+var registerTemplate = template.Must(template.ParseFiles(
+    filepath.Join("admin", "views", "layout.html"),
+    filepath.Join("views", "prideflag.html"),
+    filepath.Join("admin", "views", "register.html"),
+))
+var logoutTemplate = template.Must(template.ParseFiles(
+    filepath.Join("admin", "views", "layout.html"),
+    filepath.Join("views", "prideflag.html"),
+    filepath.Join("admin", "views", "logout.html"),
+))
+var accountTemplate = template.Must(template.ParseFiles(
+    filepath.Join("admin", "views", "layout.html"),
+    filepath.Join("views", "prideflag.html"),
+    filepath.Join("admin", "views", "edit-account.html"),
+))
+var totpSetupTemplate = template.Must(template.ParseFiles(
+    filepath.Join("admin", "views", "layout.html"),
+    filepath.Join("views", "prideflag.html"),
+    filepath.Join("admin", "views", "totp-setup.html"),
+))
+var totpConfirmTemplate = template.Must(template.ParseFiles(
+    filepath.Join("admin", "views", "layout.html"),
+    filepath.Join("views", "prideflag.html"),
+    filepath.Join("admin", "views", "totp-confirm.html"),
+))
 
-    "release": template.Must(template.ParseFiles(
-        filepath.Join("admin", "views", "layout.html"),
-        filepath.Join("views", "prideflag.html"),
-        filepath.Join("admin", "views", "edit-release.html"),
-    )),
-    "artist": template.Must(template.ParseFiles(
-        filepath.Join("admin", "views", "layout.html"),
-        filepath.Join("views", "prideflag.html"),
-        filepath.Join("admin", "views", "edit-artist.html"),
-    )),
-    "track": template.Must(template.ParseFiles(
-        filepath.Join("admin", "views", "layout.html"),
-        filepath.Join("views", "prideflag.html"),
-        filepath.Join("admin", "components", "release", "release-list-item.html"),
-        filepath.Join("admin", "views", "edit-track.html"),
-    )),
-}
+var releaseTemplate = template.Must(template.ParseFiles(
+    filepath.Join("admin", "views", "layout.html"),
+    filepath.Join("views", "prideflag.html"),
+    filepath.Join("admin", "views", "edit-release.html"),
+))
+var artistTemplate = template.Must(template.ParseFiles(
+    filepath.Join("admin", "views", "layout.html"),
+    filepath.Join("views", "prideflag.html"),
+    filepath.Join("admin", "views", "edit-artist.html"),
+))
+var trackTemplate = template.Must(template.ParseFiles(
+    filepath.Join("admin", "views", "layout.html"),
+    filepath.Join("views", "prideflag.html"),
+    filepath.Join("admin", "components", "release", "release-list-item.html"),
+    filepath.Join("admin", "views", "edit-track.html"),
+))
 
-var components = map[string]*template.Template{
-    "editcredits": template.Must(template.ParseFiles(filepath.Join("admin", "components", "credits", "editcredits.html"))),
-    "addcredit": template.Must(template.ParseFiles(filepath.Join("admin", "components", "credits", "addcredit.html"))),
-    "newcredit": template.Must(template.ParseFiles(filepath.Join("admin", "components", "credits", "newcredit.html"))),
+var editCreditsTemplate = template.Must(template.ParseFiles(
+    filepath.Join("admin", "components", "credits", "editcredits.html"),
+))
+var addCreditTemplate = template.Must(template.ParseFiles(
+    filepath.Join("admin", "components", "credits", "addcredit.html"),
+))
+var newCreditTemplate = template.Must(template.ParseFiles(
+    filepath.Join("admin", "components", "credits", "newcredit.html"),
+))
 
-    "editlinks": template.Must(template.ParseFiles(filepath.Join("admin", "components", "links", "editlinks.html"))),
+var editLinksTemplate = template.Must(template.ParseFiles(
+    filepath.Join("admin", "components", "links", "editlinks.html"),
+))
 
-    "edittracks": template.Must(template.ParseFiles(filepath.Join("admin", "components", "tracks", "edittracks.html"))),
-    "addtrack": template.Must(template.ParseFiles(filepath.Join("admin", "components", "tracks", "addtrack.html"))),
-    "newtrack": template.Must(template.ParseFiles(filepath.Join("admin", "components", "tracks", "newtrack.html"))),
-}
+var editTracksTemplate = template.Must(template.ParseFiles(
+    filepath.Join("admin", "components", "tracks", "edittracks.html"),
+))
+var addTrackTemplate = template.Must(template.ParseFiles(
+    filepath.Join("admin", "components", "tracks", "addtrack.html"),
+))
+var newTrackTemplate = template.Must(template.ParseFiles(
+    filepath.Join("admin", "components", "tracks", "newtrack.html"),
+))
diff --git a/admin/trackhttp.go b/admin/trackhttp.go
index fa49b53..a92f81a 100644
--- a/admin/trackhttp.go
+++ b/admin/trackhttp.go
@@ -32,15 +32,15 @@ func serveTrack(app *model.AppState) http.Handler {
         }
 
         type TrackResponse struct {
-            Account     *model.Account
+            Session     *model.Session
             Track       *model.Track
             Releases    []*model.Release
         }
 
-        account := r.Context().Value("account").(*model.Account)
+        session := r.Context().Value("session").(*model.Session)
 
-        err = pages["track"].Execute(w, TrackResponse{
-            Account: account,
+        err = trackTemplate.Execute(w, TrackResponse{
+            Session: session,
             Track: track,
             Releases: releases,
         })
diff --git a/admin/views/edit-account.html b/admin/views/edit-account.html
index 4d89052..6c17088 100644
--- a/admin/views/edit-account.html
+++ b/admin/views/edit-account.html
@@ -6,23 +6,27 @@
 
 {{define "content"}}
 <main>
-    <h1>Account Settings ({{.Account.Username}})</h1>
+    {{if .Session.Message.Valid}}
+    <p id="message">{{html .Session.Message.String}}</p>
+    {{end}}
+    {{if .Session.Error.Valid}}
+    <p id="error">{{html .Session.Error.String}}</p>
+    {{end}}
+    <h1>Account Settings ({{.Session.Account.Username}})</h1>
 
     <div class="card-title">
         <h2>Change Password</h2>
     </div>
     <div class="card">
-        <form action="/api/v1/change-password" method="POST" id="change-password">
-            <div>
-                <label for="current-password">Current Password</label>
-                <input type="password" name="current-password" value="" autocomplete="current-password">
+        <form action="/admin/account/password" method="POST" id="change-password">
+            <label for="current-password">Current Password</label>
+            <input type="password" id="current-password" name="current-password" value="" autocomplete="current-password" required>
 
-                <label for="new-password">Password</label>
-                <input type="password" name="new-password" value="" autocomplete="new-password">
+            <label for="new-password">New Password</label>
+            <input type="password" id="new-password" name="new-password" value="" autocomplete="new-password" required>
 
-                <label for="confirm-password">Confirm Password</label>
-                <input type="password" name="confirm-password" value="" autocomplete="new-password">
-            </div>
+            <label for="confirm-password">Confirm Password</label>
+            <input type="password" id="confirm-password" value="" autocomplete="new-password" required>
 
             <button type="submit" class="save">Change Password</button>
         </form>
@@ -36,11 +40,11 @@
         {{range .TOTPs}}
         <div class="mfa-device">
             <div>
-                <p class="mfa-device-name">{{.Name}}</p>
-                <p class="mfa-device-date">Added: {{.CreatedAt}}</p>
+                <p class="mfa-device-name">{{.TOTP.Name}}</p>
+                <p class="mfa-device-date">Added: {{.CreatedAtString}}</p>
             </div>
             <div>
-                <a class="delete">Delete</a>
+                <a class="button delete" href="/admin/account/totp-delete/{{.TOTP.Name}}">Delete</a>
             </div>
         </div>
         {{end}}
@@ -48,7 +52,10 @@
         <p>You have no MFA devices.</p>
         {{end}}
 
-        <button type="submit" class="new" id="add-mfa-device">Add MFA Device</button>
+        <div>
+            <button type="submit" class="save" id="enable-email" disabled>Enable Email TOTP</button>
+            <a class="button new" id="add-totp-device" href="/admin/account/totp-setup">Add TOTP Device</a>
+        </div>
     </div>
 
     <div class="card-title">
@@ -58,9 +65,17 @@
         <p>
         Clicking the button below will delete your account.
         This action is <strong>irreversible</strong>.
-        You will be prompted to confirm this decision.
+        You will need to enter your password and TOTP below.
         </p>
-        <button class="delete" id="delete">Delete Account</button>
+        <form action="/admin/account/delete" method="POST">
+            <label for="password">Password</label>
+            <input type="password" name="password" value="" autocomplete="current-password" required>
+
+            <label for="totp">TOTP</label>
+            <input type="text" name="totp" value="" autocomplete="one-time-code" required>
+
+            <button type="submit" class="delete">Delete Account</button>
+        </form>
     </div>
 
 </main>
diff --git a/admin/views/edit-artist.html b/admin/views/edit-artist.html
index ccb3a45..b0cfb41 100644
--- a/admin/views/edit-artist.html
+++ b/admin/views/edit-artist.html
@@ -36,13 +36,13 @@
         {{if .Credits}}
         {{range .Credits}}
         <div class="credit">
-            <img src="{{.Artist.Release.Artwork}}" alt="" width="64" loading="lazy" class="release-artwork">
+            <img src="{{.Release.Artwork}}" alt="" width="64" loading="lazy" class="release-artwork">
             <div class="credit-info">
-                <h3 class="credit-name"><a href="/admin/release/{{.Artist.Release.ID}}">{{.Artist.Release.Title}}</a></h3>
-                <p class="credit-artists">{{.Artist.Release.PrintArtists true true}}</p>
+                <h3 class="credit-name"><a href="/admin/release/{{.Release.ID}}">{{.Release.Title}}</a></h3>
+                <p class="credit-artists">{{.Release.PrintArtists true true}}</p>
                 <p class="artist-role">
-                Role: {{.Artist.Role}}
-                {{if .Artist.Primary}}
+                Role: {{.Role}}
+                {{if .Primary}}
                 <small>(Primary)</small>
                 {{end}}
                 </p>
diff --git a/admin/views/index.html b/admin/views/index.html
index 8f42e0e..2b9c897 100644
--- a/admin/views/index.html
+++ b/admin/views/index.html
@@ -9,7 +9,7 @@
 
     <div class="card-title">
         <h1>Releases</h1>
-        <a class="create-btn" id="create-release">Create New</a>
+        <a class="button new" id="create-release">Create New</a>
     </div>
     <div class="card releases">
         {{range .Releases}}
@@ -22,7 +22,7 @@
 
     <div class="card-title">
         <h1>Artists</h1>
-        <a class="create-btn" id="create-artist">Create New</a>
+        <a class="button new" id="create-artist">Create New</a>
     </div>
     <div class="card artists">
         {{range $Artist := .Artists}}
@@ -38,7 +38,7 @@
 
     <div class="card-title">
         <h1>Tracks</h1>
-        <a class="create-btn" id="create-track">Create New</a>
+        <a class="button new" id="create-track">Create New</a>
     </div>
     <div class="card tracks">
         <p><em>"Orphaned" tracks that have not yet been bound to a release.</em></p>
diff --git a/admin/views/layout.html b/admin/views/layout.html
index 0a33b72..8c34c8e 100644
--- a/admin/views/layout.html
+++ b/admin/views/layout.html
@@ -24,9 +24,12 @@
                     <a href="/admin">home</a>
                 </div>
                 <div class="flex-fill"></div>
-                {{if .Account}}
+                {{if .Session.Account}}
                 <div class="nav-item">
-                    <a href="/admin/logout" id="logout">logged in as {{.Account.Username}}. log out</a>
+                    <a href="/admin/account">account ({{.Session.Account.Username}})</a>
+                </div>
+                <div class="nav-item">
+                    <a href="/admin/logout" id="logout">log out</a>
                 </div>
                 {{else}}
                 <div class="nav-item">
diff --git a/admin/views/login-totp.html b/admin/views/login-totp.html
new file mode 100644
index 0000000..d959e3c
--- /dev/null
+++ b/admin/views/login-totp.html
@@ -0,0 +1,42 @@
+{{define "head"}}
+<title>Login - ari melody 💫</title>
+<link rel="shortcut icon" href="/img/favicon.png" type="image/x-icon">
+<link rel="stylesheet" href="/admin/static/admin.css">
+<style>
+form#login-totp {
+    width: 100%;
+    display: flex;
+    flex-direction: column;
+    align-items: center;
+}
+
+form div {
+    width: 20rem;
+}
+
+form button {
+    margin-top: 1rem;
+}
+
+input {
+    width: calc(100% - 1rem - 2px);
+}
+</style>
+{{end}}
+
+{{define "content"}}
+<main>
+    <form action="/admin/login" method="POST" id="login-totp">
+        <h1>Two-Factor Authentication</h1>
+
+        <div>
+            <label for="totp">TOTP</label>
+            <input type="text" name="totp" value="" autocomplete="one-time-code" required autofocus>
+            <input type="hidden" name="username" value="{{.Username}}">
+            <input type="hidden" name="password" value="{{.Password}}">
+        </div>
+
+        <button type="submit" class="save">Login</button>
+    </form>
+</main>
+{{end}}
diff --git a/admin/views/login.html b/admin/views/login.html
index 7744e91..fbb7294 100644
--- a/admin/views/login.html
+++ b/admin/views/login.html
@@ -3,15 +3,7 @@
 <link rel="shortcut icon" href="/img/favicon.png" type="image/x-icon">
 <link rel="stylesheet" href="/admin/static/admin.css">
 <style>
-p a {
-    color: #2a67c8;
-}
-
-a.discord {
-    color: #5865F2;
-}
-
-form {
+form#login {
     width: 100%;
     display: flex;
     flex-direction: column;
@@ -26,61 +18,33 @@ form button {
     margin-top: 1rem;
 }
 
-label {
-    width: 100%;
-    margin: 1rem 0 .5rem 0;
-    display: block;
-    color: #10101080;
-}
 input {
-    width: 100%;
-    margin: .5rem 0;
-    padding: .3rem .5rem;
-    display: block;
-    border-radius: 4px;
-    border: 1px solid #808080;
-    font-size: inherit;
-    font-family: inherit;
-    color: inherit;
-}
-input[disabled] {
-    opacity: .5;
-    cursor: not-allowed;
+    width: calc(100% - 1rem - 2px);
 }
 </style>
 {{end}}
 
 {{define "content"}}
 <main>
-    {{if .Message}}
-    <p id="error">{{.Message}}</p>
+    {{if .Session.Message.Valid}}
+    <p id="message">{{html .Session.Message.String}}</p>
+    {{end}}
+    {{if .Session.Error.Valid}}
+    <p id="error">{{html .Session.Error.String}}</p>
     {{end}}
 
-    {{if .Token}}
-
-    <meta http-equiv="refresh" content="0;url=/admin/" />
-    <p>
-    Logged in successfully.
-    You should be redirected to <a href="/admin">/admin</a> soon.
-    </p>
-
-    {{else}}
-
     <form action="/admin/login" method="POST" id="login">
+        <h1>Log In</h1>
+
         <div>
             <label for="username">Username</label>
-            <input type="text" name="username" value="" autocomplete="username">
+            <input type="text" name="username" value="" autocomplete="username" required autofocus>
 
             <label for="password">Password</label>
-            <input type="password" name="password" value="" autocomplete="current-password">
-
-            <label for="totp">TOTP</label>
-            <input type="text" name="totp" value="" autocomplete="one-time-code">
+            <input type="password" name="password" value="" autocomplete="current-password" required>
         </div>
 
         <button type="submit" class="save">Login</button>
     </form>
-
-    {{end}}
 </main>
 {{end}}
diff --git a/admin/views/logout.html b/admin/views/logout.html
index 1999377..f127fd6 100644
--- a/admin/views/logout.html
+++ b/admin/views/logout.html
@@ -12,13 +12,10 @@ p a {
 {{define "content"}}
 <main>
 
-    <meta http-equiv="refresh" content="5;url=/" />
+    <meta http-equiv="refresh" content="0;url=/admin/login" />
     <p>
     Logged out successfully.
-    You should be redirected to <a href="/">/</a> in 5 seconds.
-    <script>
-        localStorage.removeItem("arime-token");
-    </script>
+    You should be redirected to <a href="/admin/login">/admin/login</a> shortly.
     </p>
 
 </main>
diff --git a/admin/views/create-account.html b/admin/views/register.html
similarity index 55%
rename from admin/views/create-account.html
rename to admin/views/register.html
index 8d59c0f..37f0947 100644
--- a/admin/views/create-account.html
+++ b/admin/views/register.html
@@ -11,7 +11,7 @@ a.discord {
     color: #5865F2;
 }
 
-form {
+form#register {
     width: 100%;
     display: flex;
     flex-direction: column;
@@ -26,45 +26,33 @@ form button {
     margin-top: 1rem;
 }
 
-label {
-    width: 100%;
-    margin: 1rem 0 .5rem 0;
-    display: block;
-    color: #10101080;
-}
 input {
-    width: 100%;
-    margin: .5rem 0;
-    padding: .3rem .5rem;
-    display: block;
-    border-radius: 4px;
-    border: 1px solid #808080;
-    font-size: inherit;
-    font-family: inherit;
-    color: inherit;
+    width: calc(100% - 1rem - 2px);
 }
 </style>
 {{end}}
 
 {{define "content"}}
 <main>
-    {{if .Message}}
-    <p id="error">{{.Message}}</p>
+    {{if .Session.Error.Valid}}
+    <p id="error">{{html .Session.Error.String}}</p>
     {{end}}
 
-    <form action="/admin/register" method="POST" id="create-account">
+    <form action="/admin/register" method="POST" id="register">
+        <h1>Create Account</h1>
+
         <div>
             <label for="username">Username</label>
-            <input type="text" name="username" value="">
+            <input type="text" name="username" value="" autocomplete="username" required autofocus>
 
             <label for="email">Email</label>
-            <input type="text" name="email" value="">
+            <input type="text" name="email" value="" autocomplete="email" required>
 
             <label for="password">Password</label>
-            <input type="password" name="password" value="">
+            <input type="password" name="password" value="" autocomplete="new-password" required>
 
             <label for="invite">Invite Code</label>
-            <input type="text" name="invite" value="">
+            <input type="text" name="invite" value="" autocomplete="off" required>
         </div>
 
         <button type="submit" class="new">Create Account</button>
diff --git a/admin/views/totp-confirm.html b/admin/views/totp-confirm.html
new file mode 100644
index 0000000..b0810e2
--- /dev/null
+++ b/admin/views/totp-confirm.html
@@ -0,0 +1,41 @@
+{{define "head"}}
+<title>TOTP Confirmation - ari melody 💫</title>
+<link rel="shortcut icon" href="/img/favicon.png" type="image/x-icon">
+<link rel="stylesheet" href="/admin/static/admin.css">
+<style>
+.qr-code {
+    border: 1px solid #8888;
+}
+code {
+    user-select: all;
+}
+</style>
+{{end}}
+
+{{define "content"}}
+<main>
+    {{if .Session.Error.Valid}}
+    <p id="error">{{html .Session.Error.String}}</p>
+    {{end}}
+
+    <form action="/admin/account/totp-confirm?totp-name={{.NameEscaped}}" method="POST" id="totp-setup">
+        <img src="data:image/png;base64,{{.QRBase64Image}}" alt="" class="qr-code">
+
+        <p>
+        Scan the QR code above into your authentication app or password manager,
+        then enter your 2FA code below.
+        </p>
+
+        <p>
+        If the QR code does not work, you may also enter this secret code:
+        </p>
+
+        <p><code>{{.TOTP.Secret}}</code></p>
+
+        <label for="totp">TOTP:</label>
+        <input type="text" name="totp" value="" autocomplete="one-time-code" required autofocus>
+
+        <button type="submit" class="new">Create</button>
+    </form>
+</main>
+{{end}}
diff --git a/admin/views/totp-setup.html b/admin/views/totp-setup.html
new file mode 100644
index 0000000..e74c970
--- /dev/null
+++ b/admin/views/totp-setup.html
@@ -0,0 +1,20 @@
+{{define "head"}}
+<title>TOTP Setup - ari melody 💫</title>
+<link rel="shortcut icon" href="/img/favicon.png" type="image/x-icon">
+<link rel="stylesheet" href="/admin/static/admin.css">
+{{end}}
+
+{{define "content"}}
+<main>
+    {{if .Session.Error.Valid}}
+    <p id="error">{{html .Session.Error.String}}</p>
+    {{end}}
+
+    <form action="/admin/account/totp-setup" method="POST" id="totp-setup">
+        <label for="totp-name">TOTP Device Name:</label>
+        <input type="text" name="totp-name" value="" autocomplete="off" required autofocus>
+
+        <button type="submit" class="new">Create</button>
+    </form>
+</main>
+{{end}}
diff --git a/api/api.go b/api/api.go
index 9489126..50b1c63 100644
--- a/api/api.go
+++ b/api/api.go
@@ -1,11 +1,13 @@
 package api
 
 import (
+	"context"
+	"errors"
 	"fmt"
 	"net/http"
+	"os"
 	"strings"
 
-	"arimelody-web/admin"
 	"arimelody-web/controller"
 	"arimelody-web/model"
 )
@@ -36,10 +38,10 @@ func Handler(app *model.AppState) http.Handler {
             ServeArtist(app, artist).ServeHTTP(w, r)
         case http.MethodPut:
             // PUT /api/v1/artist/{id} (admin)
-            admin.RequireAccount(app, UpdateArtist(app, artist)).ServeHTTP(w, r)
+            requireAccount(app, UpdateArtist(app, artist)).ServeHTTP(w, r)
         case http.MethodDelete:
             // DELETE /api/v1/artist/{id} (admin)
-            admin.RequireAccount(app, DeleteArtist(app, artist)).ServeHTTP(w, r)
+            requireAccount(app, DeleteArtist(app, artist)).ServeHTTP(w, r)
         default:
             http.NotFound(w, r)
         }
@@ -51,7 +53,7 @@ func Handler(app *model.AppState) http.Handler {
             ServeAllArtists(app).ServeHTTP(w, r)
         case http.MethodPost:
             // POST /api/v1/artist (admin)
-            admin.RequireAccount(app, CreateArtist(app)).ServeHTTP(w, r)
+            requireAccount(app, CreateArtist(app)).ServeHTTP(w, r)
         default:
             http.NotFound(w, r)
         }
@@ -78,10 +80,10 @@ func Handler(app *model.AppState) http.Handler {
             ServeRelease(app, release).ServeHTTP(w, r)
         case http.MethodPut:
             // PUT /api/v1/music/{id} (admin)
-            admin.RequireAccount(app, UpdateRelease(app, release)).ServeHTTP(w, r)
+            requireAccount(app, UpdateRelease(app, release)).ServeHTTP(w, r)
         case http.MethodDelete:
             // DELETE /api/v1/music/{id} (admin)
-            admin.RequireAccount(app, DeleteRelease(app, release)).ServeHTTP(w, r)
+            requireAccount(app, DeleteRelease(app, release)).ServeHTTP(w, r)
         default:
             http.NotFound(w, r)
         }
@@ -93,7 +95,7 @@ func Handler(app *model.AppState) http.Handler {
             ServeCatalog(app).ServeHTTP(w, r)
         case http.MethodPost:
             // POST /api/v1/music (admin)
-            admin.RequireAccount(app, CreateRelease(app)).ServeHTTP(w, r)
+            requireAccount(app, CreateRelease(app)).ServeHTTP(w, r)
         default:
             http.NotFound(w, r)
         }
@@ -117,13 +119,13 @@ func Handler(app *model.AppState) http.Handler {
         switch r.Method {
         case http.MethodGet:
             // GET /api/v1/track/{id} (admin)
-            admin.RequireAccount(app, ServeTrack(app, track)).ServeHTTP(w, r)
+            requireAccount(app, ServeTrack(app, track)).ServeHTTP(w, r)
         case http.MethodPut:
             // PUT /api/v1/track/{id} (admin)
-            admin.RequireAccount(app, UpdateTrack(app, track)).ServeHTTP(w, r)
+            requireAccount(app, UpdateTrack(app, track)).ServeHTTP(w, r)
         case http.MethodDelete:
             // DELETE /api/v1/track/{id} (admin)
-            admin.RequireAccount(app, DeleteTrack(app, track)).ServeHTTP(w, r)
+            requireAccount(app, DeleteTrack(app, track)).ServeHTTP(w, r)
         default:
             http.NotFound(w, r)
         }
@@ -132,10 +134,10 @@ func Handler(app *model.AppState) http.Handler {
         switch r.Method {
         case http.MethodGet:
             // GET /api/v1/track (admin)
-            admin.RequireAccount(app, ServeAllTracks(app)).ServeHTTP(w, r)
+            requireAccount(app, ServeAllTracks(app)).ServeHTTP(w, r)
         case http.MethodPost:
             // POST /api/v1/track (admin)
-            admin.RequireAccount(app, CreateTrack(app)).ServeHTTP(w, r)
+            requireAccount(app, CreateTrack(app)).ServeHTTP(w, r)
         default:
             http.NotFound(w, r)
         }
@@ -143,3 +145,51 @@ func Handler(app *model.AppState) http.Handler {
 
     return mux
 }
+
+func requireAccount(app *model.AppState, next http.Handler) http.Handler {
+    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+        session, err := getSession(app, r)
+        if err != nil {
+            fmt.Fprintf(os.Stderr, "WARN: Failed to get session: %v\n", err)
+            http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+            return
+        }
+        if session.Account == nil {
+            http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
+            return
+        }
+        ctx := context.WithValue(r.Context(), "session", session)
+        next.ServeHTTP(w, r.WithContext(ctx))
+    })
+}
+
+func getSession(app *model.AppState, r *http.Request) (*model.Session, error) {
+    var token string
+
+    // check cookies first
+    sessionCookie, err := r.Cookie(model.COOKIE_TOKEN)
+    if err != nil && err != http.ErrNoCookie {
+        return nil, errors.New(fmt.Sprintf("Failed to retrieve session cookie: %v\n", err))
+    }
+    if sessionCookie != nil {
+        token = sessionCookie.Value
+    } else {
+        // check Authorization header
+        token = strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
+    }
+
+    if token == "" { return nil, nil }
+
+    // fetch existing session
+    session, err := controller.GetSession(app.DB, token)
+
+    if err != nil && !strings.Contains(err.Error(), "no rows") {
+        return nil, errors.New(fmt.Sprintf("Failed to retrieve session: %v\n", err))
+    }
+
+    if session != nil {
+        // TODO: consider running security checks here (i.e. user agent mismatches)
+    }
+
+    return session, nil
+}
diff --git a/api/artist.go b/api/artist.go
index a9676b1..51c9d62 100644
--- a/api/artist.go
+++ b/api/artist.go
@@ -51,13 +51,8 @@ func ServeArtist(app *model.AppState, artist *model.Artist) http.Handler {
 			}
 		)
 
-        account, err := controller.GetAccountByRequest(app.DB, r)
-        if err != nil {
-            fmt.Fprintf(os.Stderr, "WARN: Failed to fetch account: %v\n", err)
-            http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-            return
-        }
-        show_hidden_releases := account != nil
+        session := r.Context().Value("session").(*model.Session)
+        show_hidden_releases := session != nil && session.Account != nil
 
         dbCredits, err := controller.GetArtistCredits(app.DB, artist.ID, show_hidden_releases)
 		if err != nil {
diff --git a/api/release.go b/api/release.go
index c71043e..4e7372f 100644
--- a/api/release.go
+++ b/api/release.go
@@ -19,13 +19,8 @@ func ServeRelease(app *model.AppState, release *model.Release) http.Handler {
         // only allow authorised users to view hidden releases
         privileged := false
         if !release.Visible {
-            account, err := controller.GetAccountByRequest(app.DB, r)
-            if err != nil {
-                fmt.Fprintf(os.Stderr, "WARN: Failed to fetch account: %v\n", err)
-                http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-                return
-            }
-            if account != nil {
+            session := r.Context().Value("session").(*model.Session)
+            if session != nil && session.Account != nil {
                 // TODO: check privilege on release
                 privileged = true
             }
@@ -145,16 +140,11 @@ func ServeCatalog(app *model.AppState) http.Handler {
         }
 
         catalog := []Release{}
-        account, err := controller.GetAccountByRequest(app.DB, r)
-        if err != nil {
-            fmt.Fprintf(os.Stderr, "WARN: Failed to fetch account: %v\n", err)
-            http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-            return
-        }
+        session := r.Context().Value("session").(*model.Session)
         for _, release := range releases {
             if !release.Visible {
                 privileged := false
-                if account != nil {
+                if session != nil && session.Account != nil {
                     // TODO: check privilege on release
                     privileged = true
                 }
diff --git a/controller/account.go b/controller/account.go
index 044faec..0cf3364 100644
--- a/controller/account.go
+++ b/controller/account.go
@@ -2,8 +2,6 @@ package controller
 
 import (
 	"arimelody-web/model"
-	"errors"
-	"fmt"
 	"net/http"
 	"strings"
 
@@ -21,7 +19,21 @@ func GetAllAccounts(db *sqlx.DB) ([]model.Account, error) {
     return accounts, nil
 }
 
-func GetAccount(db *sqlx.DB, username string) (*model.Account, error) {
+func GetAccountByID(db *sqlx.DB, id string) (*model.Account, error) {
+    var account = model.Account{}
+
+    err := db.Get(&account, "SELECT * FROM account WHERE id=$1", id)
+    if err != nil {
+        if strings.Contains(err.Error(), "no rows") {
+            return nil, nil
+        }
+        return nil, err
+    }
+
+    return &account, nil
+}
+
+func GetAccountByUsername(db *sqlx.DB, username string) (*model.Account, error) {
     var account = model.Account{}
 
     err := db.Get(&account, "SELECT * FROM account WHERE username=$1", username)
@@ -49,12 +61,12 @@ func GetAccountByEmail(db *sqlx.DB, email string) (*model.Account, error) {
     return &account, nil
 }
 
-func GetAccountByToken(db *sqlx.DB, token string) (*model.Account, error) {
-    if token == "" { return nil, nil }
+func GetAccountBySession(db *sqlx.DB, sessionToken string) (*model.Account, error) {
+    if sessionToken == "" { return nil, nil }
 
     account := model.Account{}
 
-    err := db.Get(&account, "SELECT account.* FROM account JOIN token ON id=account WHERE token=$1", token)
+    err := db.Get(&account, "SELECT account.* FROM account JOIN token ON id=account WHERE token=$1", sessionToken)
     if err != nil {
         if strings.Contains(err.Error(), "no rows") {
             return nil, nil
@@ -65,7 +77,7 @@ func GetAccountByToken(db *sqlx.DB, token string) (*model.Account, error) {
     return &account, nil
 }
 
-func GetTokenFromRequest(db *sqlx.DB, r *http.Request) string {
+func GetSessionFromRequest(db *sqlx.DB, r *http.Request) string {
     tokenStr := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
     if len(tokenStr) > 0 {
         return tokenStr
@@ -78,29 +90,6 @@ func GetTokenFromRequest(db *sqlx.DB, r *http.Request) string {
     return cookie.Value
 }
 
-func GetAccountByRequest(db *sqlx.DB, r *http.Request) (*model.Account, error) {
-    tokenStr := GetTokenFromRequest(db, r)
-
-    token, err := GetToken(db, tokenStr)
-    if err != nil {
-        if strings.Contains(err.Error(), "no rows") {
-            return nil, nil
-        }
-        return nil, errors.New("GetToken: " + err.Error())
-    }
-
-    // does user-agent match the token?
-    if r.UserAgent() != token.UserAgent {
-        // invalidate the token
-        DeleteToken(db, tokenStr)
-        fmt.Printf("WARN: Attempted use of token by unauthorised User-Agent (Expected `%s`, got `%s`)\n", token.UserAgent, r.UserAgent())
-        // TODO: log unauthorised activity to the user
-        return nil, errors.New("User agent mismatch")
-    }
-
-    return GetAccountByToken(db, tokenStr)
-}
-
 func CreateAccount(db *sqlx.DB, account *model.Account) error {
     err := db.Get(
         &account.ID,
@@ -119,7 +108,7 @@ func CreateAccount(db *sqlx.DB, account *model.Account) error {
 func UpdateAccount(db *sqlx.DB, account *model.Account) error {
     _, err := db.Exec(
         "UPDATE account " +
-        "SET username=$2, password=$3, email=$4, avatar_url=$5) " +
+        "SET username=$2,password=$3,email=$4,avatar_url=$5 " +
         "WHERE id=$1",
         account.ID,
         account.Username,
@@ -131,7 +120,7 @@ func UpdateAccount(db *sqlx.DB, account *model.Account) error {
     return err
 }
 
-func DeleteAccount(db *sqlx.DB, username string) error {
-    _, err := db.Exec("DELETE FROM account WHERE username=$1", username)
+func DeleteAccount(db *sqlx.DB, accountID string) error {
+    _, err := db.Exec("DELETE FROM account WHERE id=$1", accountID)
     return err
 }
diff --git a/controller/config.go b/controller/config.go
index 28d4be4..8772b6b 100644
--- a/controller/config.go
+++ b/controller/config.go
@@ -19,6 +19,7 @@ func GetConfig() model.Config {
 
     config := model.Config{
         BaseUrl: "https://arimelody.me",
+        Host: "0.0.0.0",
         Port: 8080,
         DB: model.DBConfig{
             Host: "127.0.0.1",
@@ -55,6 +56,7 @@ func handleConfigOverrides(config *model.Config) error {
     var err error
 
     if env, has := os.LookupEnv("ARIMELODY_BASE_URL"); has { config.BaseUrl = env }
+    if env, has := os.LookupEnv("ARIMELODY_HOST"); has { config.Host = env }
     if env, has := os.LookupEnv("ARIMELODY_PORT"); has {
         config.Port, err = strconv.ParseInt(env, 10, 0)
         if err != nil { return errors.New("ARIMELODY_PORT: " + err.Error()) }
diff --git a/controller/qr.go b/controller/qr.go
new file mode 100644
index 0000000..7ada0f8
--- /dev/null
+++ b/controller/qr.go
@@ -0,0 +1,120 @@
+package controller
+
+import (
+	"bytes"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"image"
+	"image/color"
+	"image/png"
+
+    "github.com/skip2/go-qrcode"
+)
+
+func GenerateQRCode(data string) (string, error) {
+    imgBytes, err := qrcode.Encode(data, qrcode.Medium, 256)
+    if err != nil {
+        return "", err
+    }
+    base64Img := base64.StdEncoding.EncodeToString(imgBytes)
+    return base64Img, nil
+}
+
+// vvv DEPRECATED vvv
+
+const margin = 4
+
+type QRCodeECCLevel int64
+const (
+    LOW QRCodeECCLevel = iota
+    MEDIUM
+    QUARTILE
+    HIGH
+)
+
+func noDepsGenerateQRCode() (string, error) {
+    version := 1
+
+    size := 0
+    size = 21 + version * 4
+    if version > 10 {
+        return "", errors.New(fmt.Sprintf("QR version %d not supported", version))
+    }
+
+    img := image.NewGray(image.Rect(0, 0, size + margin * 2, size + margin * 2))
+
+    // fill white
+    for y := range size + margin * 2 {
+        for x := range size + margin * 2 {
+            img.Set(x, y, color.White)
+        }
+    }
+
+    // draw alignment squares
+    drawLargeAlignmentSquare(margin, margin, img)
+    drawLargeAlignmentSquare(margin, margin + size - 7, img)
+    drawLargeAlignmentSquare(margin + size - 7, margin, img)
+    drawSmallAlignmentSquare(size - 5, size - 5, img)
+    /*
+    if version > 4 {
+        space := version * 3 - 2
+        end := size / space
+        for y := range size / space + 1 {
+            for x := range size / space + 1 {
+                if x == 0 && y == 0 { continue }
+                if x == 0 && y == end { continue }
+                if x == end && y == 0 { continue }
+                if x == end && y == end { continue }
+                drawSmallAlignmentSquare(
+                    x * space + margin + 4,
+                    y * space + margin + 4,
+                    img,
+                )
+            }
+        }
+    }
+    */
+
+    // draw timing bits
+    for i := margin + 6; i < size - 4; i++ {
+        if (i % 2 == 0) {
+            img.Set(i, margin + 6, color.Black)
+            img.Set(margin + 6, i, color.Black)
+        }
+    }
+    img.Set(margin + 8, size - 4, color.Black)
+
+    var imgBuf bytes.Buffer
+    err := png.Encode(&imgBuf, img)
+    if err != nil {
+        return "", err
+    }
+
+    base64Img := base64.StdEncoding.EncodeToString(imgBuf.Bytes())
+
+    return "data:image/png;base64," + base64Img, nil
+}
+
+func drawLargeAlignmentSquare(x int, y int, img *image.Gray) {
+    for yi := range 7 {
+        for xi := range 7 {
+            if (xi == 0 || xi == 6) || (yi == 0 || yi == 6) {
+                img.Set(x + xi, y + yi, color.Black)
+            } else if (xi > 1 && xi < 5) && (yi > 1 && yi < 5) {
+                img.Set(x + xi, y + yi, color.Black)
+            }
+        }
+    }
+}
+
+func drawSmallAlignmentSquare(x int, y int, img *image.Gray) {
+    for yi := range 5 {
+        for xi := range 5 {
+            if (xi == 0 || xi == 4) || (yi == 0 || yi == 4) {
+                img.Set(x + xi, y + yi, color.Black)
+            }
+        }
+    }
+    img.Set(x + 2, y + 2, color.Black)
+}
diff --git a/controller/session.go b/controller/session.go
new file mode 100644
index 0000000..c9c4cbb
--- /dev/null
+++ b/controller/session.go
@@ -0,0 +1,130 @@
+package controller
+
+import (
+	"database/sql"
+	"time"
+
+	"arimelody-web/model"
+
+	"github.com/jmoiron/sqlx"
+)
+
+const TOKEN_LEN = 64
+
+func CreateSession(db *sqlx.DB, userAgent string) (*model.Session, error) {
+    tokenString := GenerateAlnumString(TOKEN_LEN)
+
+    session := model.Session{
+        Token: string(tokenString),
+        UserAgent: userAgent,
+        CreatedAt: time.Now(),
+        ExpiresAt: time.Now().Add(time.Hour * 24),
+    }
+
+    _, err := db.Exec("INSERT INTO session " +
+        "(token, user_agent, created_at, expires_at) VALUES " +
+        "($1, $2, $3, $4)",
+        session.Token,
+        session.UserAgent,
+        session.CreatedAt,
+        session.ExpiresAt,
+    )
+    if err != nil {
+        return nil, err
+    }
+
+    return &session, nil
+}
+
+// func WriteSession(db *sqlx.DB, session *model.Session) error {
+//     _, err := db.Exec(
+//         "UPDATE session " +
+//         "SET account=$2,message=$3,error=$4 " +
+//         "WHERE token=$1",
+//         session.Token,
+//         session.Account.ID,
+//         session.Message,
+//         session.Error,
+//     )
+//     return err
+// }
+
+func SetSessionAccount(db *sqlx.DB, session *model.Session, account *model.Account) error {
+    var err error
+    session.Account = account
+    if account == nil {
+        _, err = db.Exec("UPDATE session SET account=NULL WHERE token=$1", session.Token)
+    } else {
+        _, err = db.Exec("UPDATE session SET account=$2 WHERE token=$1", session.Token, account.ID)
+    }
+    return err
+}
+
+func SetSessionMessage(db *sqlx.DB, session *model.Session, message string) error {
+    var err error
+    if message == "" {
+        if !session.Message.Valid { return nil }
+        session.Message = sql.NullString{ }
+        _, err = db.Exec("UPDATE session SET message=NULL WHERE token=$1", session.Token)
+    } else {
+        session.Message = sql.NullString{ String: message, Valid: true }
+        _, err = db.Exec("UPDATE session SET message=$2 WHERE token=$1", session.Token, message)
+    }
+    return err
+}
+
+func SetSessionError(db *sqlx.DB, session *model.Session, message string) error {
+    var err error
+    if message == "" {
+        if !session.Error.Valid { return nil }
+        session.Error = sql.NullString{ }
+        _, err = db.Exec("UPDATE session SET error=NULL WHERE token=$1", session.Token)
+    } else {
+        session.Error = sql.NullString{ String: message, Valid: true }
+        _, err = db.Exec("UPDATE session SET error=$2 WHERE token=$1", session.Token, message)
+    }
+    return err
+}
+
+func GetSession(db *sqlx.DB, token string) (*model.Session, error) {
+    type dbSession struct {
+        model.Session
+        AccountID sql.NullString    `db:"account"`
+    }
+
+    session := dbSession{}
+    err := db.Get(
+        &session,
+        "SELECT * FROM session WHERE token=$1",
+        token,
+    )
+    if err != nil {
+        return nil, err
+    }
+
+    if session.AccountID.Valid {
+        session.Account, err = GetAccountByID(db, session.AccountID.String)
+        if err != nil {
+            return nil, err
+        }
+    }
+
+    return &session.Session, err
+}
+
+// func GetAllSessionsForAccount(db *sqlx.DB, accountID string) ([]model.Session, error) {
+//     sessions := []model.Session{}
+//     err := db.Select(&sessions, "SELECT * FROM session WHERE account=$1 AND expires_at>current_timestamp", accountID)
+//     return sessions, err
+// }
+
+func DeleteAllSessionsForAccount(db *sqlx.DB, accountID string) error {
+    _, err := db.Exec("DELETE FROM session WHERE account=$1", accountID)
+    return err
+}
+
+func DeleteSession(db *sqlx.DB, token string) error {
+    _, err := db.Exec("DELETE FROM session WHERE token=$1", token)
+    return err
+}
+
diff --git a/controller/token.go b/controller/token.go
deleted file mode 100644
index 12982bd..0000000
--- a/controller/token.go
+++ /dev/null
@@ -1,61 +0,0 @@
-package controller
-
-import (
-	"time"
-
-	"arimelody-web/model"
-
-	"github.com/jmoiron/sqlx"
-)
-
-const TOKEN_LEN = 32
-
-func CreateToken(db *sqlx.DB, accountID string, userAgent string) (*model.Token, error) {
-    tokenString := GenerateAlnumString(TOKEN_LEN)
-
-    token := model.Token{
-        Token: string(tokenString),
-        AccountID: accountID,
-        UserAgent: userAgent,
-        CreatedAt: time.Now(),
-        ExpiresAt: time.Now().Add(time.Hour * 24),
-    }
-
-    _, err := db.Exec("INSERT INTO token " +
-        "(token, account, user_agent, created_at, expires_at) VALUES " +
-        "($1, $2, $3, $4, $5)",
-        token.Token,
-        token.AccountID,
-        token.UserAgent,
-        token.CreatedAt,
-        token.ExpiresAt,
-    )
-    if err != nil {
-        return nil, err
-    }
-
-    return &token, nil
-}
-
-func GetToken(db *sqlx.DB, token_str string) (*model.Token, error) {
-    token := model.Token{}
-    err := db.Get(&token, "SELECT * FROM token WHERE token=$1", token_str)
-    return &token, err
-}
-
-func GetAllTokensForAccount(db *sqlx.DB, accountID string) ([]model.Token, error) {
-    tokens := []model.Token{}
-    err := db.Select(&tokens, "SELECT * FROM token WHERE account=$1 AND expires_at>current_timestamp", accountID)
-    return tokens, err
-}
-
-func DeleteAllTokensForAccount(db *sqlx.DB, accountID string) error {
-    _, err := db.Exec("DELETE FROM token WHERE account=$1", accountID)
-    return err
-}
-
-func DeleteToken(db *sqlx.DB, token string) error {
-    _, err := db.Exec("DELETE FROM token WHERE token=$1", token)
-    return err
-}
-
diff --git a/controller/totp.go b/controller/totp.go
index 18616da..dbbeec7 100644
--- a/controller/totp.go
+++ b/controller/totp.go
@@ -18,8 +18,8 @@ import (
 )
 
 const TOTP_SECRET_LENGTH = 32
-const TIME_STEP int64 = 30
-const CODE_LENGTH = 6
+const TOTP_TIME_STEP int64 = 30
+const TOTP_CODE_LENGTH = 6
 
 func GenerateTOTP(secret string, timeStepOffset int) string {
     decodedSecret, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(secret)
@@ -27,7 +27,7 @@ func GenerateTOTP(secret string, timeStepOffset int) string {
         fmt.Fprintf(os.Stderr, "WARN: Invalid Base32 secret\n")
     }
 
-    counter := time.Now().Unix() / TIME_STEP - int64(timeStepOffset)
+    counter := time.Now().Unix() / TOTP_TIME_STEP - int64(timeStepOffset)
     counterBytes := make([]byte, 8)
     binary.BigEndian.PutUint64(counterBytes, uint64(counter))
 
@@ -37,9 +37,9 @@ func GenerateTOTP(secret string, timeStepOffset int) string {
 
     offset := hash[len(hash) - 1] & 0x0f
     binaryCode := int32(binary.BigEndian.Uint32(hash[offset : offset + 4]) & 0x7FFFFFFF)
-    code := binaryCode % int32(math.Pow10(CODE_LENGTH))
+    code := binaryCode % int32(math.Pow10(TOTP_CODE_LENGTH))
 
-    return fmt.Sprintf(fmt.Sprintf("%%0%dd", CODE_LENGTH), code)
+    return fmt.Sprintf(fmt.Sprintf("%%0%dd", TOTP_CODE_LENGTH), code)
 }
 
 func GenerateTOTPSecret(length int) string {
@@ -64,9 +64,9 @@ func GenerateTOTPURI(username string, secret string) string {
     query := url.Query()
     query.Set("secret", secret)
     query.Set("issuer", "arimelody.me")
-    query.Set("algorithm", "SHA1")
-    query.Set("digits", fmt.Sprintf("%d", CODE_LENGTH))
-    query.Set("period", fmt.Sprintf("%d", TIME_STEP))
+    // query.Set("algorithm", "SHA1")
+    // query.Set("digits", fmt.Sprintf("%d", TOTP_CODE_LENGTH))
+    // query.Set("period", fmt.Sprintf("%d", TOTP_TIME_STEP))
     url.RawQuery = query.Encode()
 
     return url.String()
@@ -89,14 +89,36 @@ func GetTOTPsForAccount(db *sqlx.DB, accountID string) ([]model.TOTP, error) {
     return totps, nil
 }
 
+func CheckTOTPForAccount(db *sqlx.DB, accountID string, totp string) (*model.TOTP, error) {
+    totps, err := GetTOTPsForAccount(db, accountID)
+    if err != nil {
+        return nil, err
+    }
+    for _, method := range totps {
+        check := GenerateTOTP(method.Secret, 0)
+        if check == totp {
+            return &method, nil
+        }
+        // try again with offset- maybe user input the code late?
+        check = GenerateTOTP(method.Secret, 1)
+        if check == totp {
+            return &method, nil
+        }
+    }
+    // user failed all TOTP checks
+    // note: this state will still occur even if the account has no TOTP methods.
+    return nil, nil
+}
+
 func GetTOTP(db *sqlx.DB, accountID string, name string) (*model.TOTP, error) {
     totp := model.TOTP{}
 
     err := db.Get(
         &totp,
         "SELECT * FROM totp " +
-        "WHERE account=$1",
+        "WHERE account=$1 AND name=$2",
         accountID,
+        name,
     )
     if err != nil {
         if strings.Contains(err.Error(), "no rows") {
diff --git a/go.mod b/go.mod
index 73a1cf1..f8717a2 100644
--- a/go.mod
+++ b/go.mod
@@ -8,4 +8,8 @@ require (
 )
 
 require golang.org/x/crypto v0.27.0 // indirect
-require github.com/pelletier/go-toml/v2 v2.2.3 // indirect
+
+require (
+	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
+	github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e // indirect
+)
diff --git a/go.sum b/go.sum
index 35e1b20..15259a1 100644
--- a/go.sum
+++ b/go.sum
@@ -8,7 +8,9 @@ github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
 github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
-golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A=
-golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70=
 github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
 github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc=
+github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e h1:MRM5ITcdelLK2j1vwZ3Je0FKVCfqOLp5zO6trqMLYs0=
+github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e/go.mod h1:XV66xRDqSt+GTGFMVlhk3ULuV0y9ZmzeVGR4mloJI3M=
+golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A=
+golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70=
diff --git a/main.go b/main.go
index 23fc997..3b25ac4 100644
--- a/main.go
+++ b/main.go
@@ -4,6 +4,7 @@ import (
 	"errors"
 	"fmt"
 	"log"
+	"math"
 	"math/rand"
 	"net/http"
 	"os"
@@ -22,6 +23,7 @@ import (
 
 	"github.com/jmoiron/sqlx"
 	_ "github.com/lib/pq"
+	"golang.org/x/crypto/bcrypt"
 )
 
 // used for database migrations
@@ -87,19 +89,19 @@ func main() {
             }
             username := os.Args[2]
             totpName := os.Args[3]
-            secret := controller.GenerateTOTPSecret(controller.TOTP_SECRET_LENGTH)
 
-            account, err := controller.GetAccount(app.DB, username)
+            account, err := controller.GetAccountByUsername(app.DB, username)
             if err != nil {
-                fmt.Fprintf(os.Stderr, "Failed to fetch account \"%s\": %v\n", username, err)
+                fmt.Fprintf(os.Stderr, "FATAL: Failed to fetch account \"%s\": %v\n", username, err)
                 os.Exit(1)
             }
 
             if account == nil {
-                fmt.Fprintf(os.Stderr, "Account \"%s\" does not exist.\n", username)
+                fmt.Fprintf(os.Stderr, "FATAL: Account \"%s\" does not exist.\n", username)
                 os.Exit(1)
             }
 
+            secret := controller.GenerateTOTPSecret(controller.TOTP_SECRET_LENGTH)
             totp := model.TOTP {
                 AccountID: account.ID,
                 Name: totpName,
@@ -108,7 +110,11 @@ func main() {
 
             err = controller.CreateTOTP(app.DB, &totp)
             if err != nil {
-                fmt.Fprintf(os.Stderr, "Failed to create TOTP method: %v\n", err)
+                if strings.HasPrefix(err.Error(), "pq: duplicate key") {
+                    fmt.Fprintf(os.Stderr, "FATAL: Account \"%s\" already has a TOTP method named \"%s\"!\n", account.Username, totp.Name)
+                    os.Exit(1)
+                }
+                fmt.Fprintf(os.Stderr, "FATAL: Failed to create TOTP method: %v\n", err)
                 os.Exit(1)
             }
 
@@ -124,20 +130,20 @@ func main() {
             username := os.Args[2]
             totpName := os.Args[3]
 
-            account, err := controller.GetAccount(app.DB, username)
+            account, err := controller.GetAccountByUsername(app.DB, username)
             if err != nil {
-                fmt.Fprintf(os.Stderr, "Failed to fetch account \"%s\": %v\n", username, err)
+                fmt.Fprintf(os.Stderr, "FATAL: Failed to fetch account \"%s\": %v\n", username, err)
                 os.Exit(1)
             }
 
             if account == nil {
-                fmt.Fprintf(os.Stderr, "Account \"%s\" does not exist.\n", username)
+                fmt.Fprintf(os.Stderr, "FATAL: Account \"%s\" does not exist.\n", username)
                 os.Exit(1)
             }
 
             err = controller.DeleteTOTP(app.DB, account.ID, totpName)
             if err != nil {
-                fmt.Fprintf(os.Stderr, "Failed to create TOTP method: %v\n", err)
+                fmt.Fprintf(os.Stderr, "FATAL: Failed to create TOTP method: %v\n", err)
                 os.Exit(1)
             }
 
@@ -151,20 +157,20 @@ func main() {
             }
             username := os.Args[2]
 
-            account, err := controller.GetAccount(app.DB, username)
+            account, err := controller.GetAccountByUsername(app.DB, username)
             if err != nil {
-                fmt.Fprintf(os.Stderr, "Failed to fetch account \"%s\": %v\n", username, err)
+                fmt.Fprintf(os.Stderr, "FATAL: Failed to fetch account \"%s\": %v\n", username, err)
                 os.Exit(1)
             }
 
             if account == nil {
-                fmt.Fprintf(os.Stderr, "Account \"%s\" does not exist.\n", username)
+                fmt.Fprintf(os.Stderr, "FATAL: Account \"%s\" does not exist.\n", username)
                 os.Exit(1)
             }
 
             totps, err := controller.GetTOTPsForAccount(app.DB, account.ID)
             if err != nil {
-                fmt.Fprintf(os.Stderr, "Failed to create TOTP methods: %v\n", err)
+                fmt.Fprintf(os.Stderr, "FATAL: Failed to create TOTP methods: %v\n", err)
                 os.Exit(1)
             }
 
@@ -184,25 +190,25 @@ func main() {
             username := os.Args[2]
             totpName := os.Args[3]
 
-            account, err := controller.GetAccount(app.DB, username)
+            account, err := controller.GetAccountByUsername(app.DB, username)
             if err != nil {
-                fmt.Fprintf(os.Stderr, "Failed to fetch account \"%s\": %v\n", username, err)
+                fmt.Fprintf(os.Stderr, "FATAL: Failed to fetch account \"%s\": %v\n", username, err)
                 os.Exit(1)
             }
 
             if account == nil {
-                fmt.Fprintf(os.Stderr, "Account \"%s\" does not exist.\n", username)
+                fmt.Fprintf(os.Stderr, "FATAL: Account \"%s\" does not exist.\n", username)
                 os.Exit(1)
             }
 
             totp, err := controller.GetTOTP(app.DB, account.ID, totpName)
             if err != nil {
-                fmt.Fprintf(os.Stderr, "Failed to fetch TOTP method \"%s\": %v\n", totpName, err)
+                fmt.Fprintf(os.Stderr, "FATAL: Failed to fetch TOTP method \"%s\": %v\n", totpName, err)
                 os.Exit(1)
             }
 
             if totp == nil {
-                fmt.Fprintf(os.Stderr, "TOTP method \"%s\" does not exist for account \"%s\"\n", totpName, username)
+                fmt.Fprintf(os.Stderr, "FATAL: TOTP method \"%s\" does not exist for account \"%s\"\n", totpName, username)
                 os.Exit(1)
             }
 
@@ -214,18 +220,22 @@ func main() {
             fmt.Printf("Creating invite...\n")
             invite, err := controller.CreateInvite(app.DB, 16, time.Hour * 24)
             if err != nil {
-                fmt.Fprintf(os.Stderr, "Failed to create invite code: %v\n", err)
+                fmt.Fprintf(os.Stderr, "FATAL: Failed to create invite code: %v\n", err)
                 os.Exit(1)
             }
 
-            fmt.Printf("Here you go! This code expires in 24 hours: %s\n", invite.Code)
+            fmt.Printf(
+                "Here you go! This code expires in %d hours: %s\n",
+                int(math.Ceil(invite.ExpiresAt.Sub(invite.CreatedAt).Hours())),
+                invite.Code,
+            )
             return
 
         case "purgeInvites":
             fmt.Printf("Deleting all invites...\n")
             err := controller.DeleteAllInvites(app.DB)
             if err != nil {
-                fmt.Fprintf(os.Stderr, "Failed to delete invites: %v\n", err)
+                fmt.Fprintf(os.Stderr, "FATAL: Failed to delete invites: %v\n", err)
                 os.Exit(1)
             }
 
@@ -235,11 +245,13 @@ func main() {
         case "listAccounts":
             accounts, err := controller.GetAllAccounts(app.DB)
             if err != nil {
-                fmt.Fprintf(os.Stderr, "Failed to fetch accounts: %v\n", err)
+                fmt.Fprintf(os.Stderr, "FATAL: Failed to fetch accounts: %v\n", err)
                 os.Exit(1)
             }
 
             for _, account := range accounts {
+                email := "<none>"
+                if account.Email.Valid { email = account.Email.String }
                 fmt.Printf(
                     "User: %s\n" +
                     "\tID: %s\n" +
@@ -247,12 +259,45 @@ func main() {
                     "\tCreated: %s\n",
                     account.Username,
                     account.ID,
-                    account.Email,
+                    email,
                     account.CreatedAt,
                 )
             }
             return
 
+        case "changePassword":
+            if len(os.Args) < 4 {
+                fmt.Fprintf(os.Stderr, "FATAL: `username` and `password` must be specified for changePassword\n")
+                os.Exit(1)
+            }
+
+            username := os.Args[2]
+            password := os.Args[3]
+            account, err := controller.GetAccountByUsername(app.DB, username)
+            if err != nil {
+                fmt.Fprintf(os.Stderr, "FATAL: Failed to fetch account \"%s\": %v\n", username, err)
+                os.Exit(1)
+            }
+            if account == nil {
+                fmt.Fprintf(os.Stderr, "FATAL: Account \"%s\" does not exist.\n", username)
+                os.Exit(1)
+            }
+
+            hashedPassword, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+            if err != nil {
+                fmt.Fprintf(os.Stderr, "FATAL: Failed to update password: %v\n", err)
+                os.Exit(1)
+            }
+            account.Password = string(hashedPassword)
+            err = controller.UpdateAccount(app.DB, account)
+            if err != nil {
+                fmt.Fprintf(os.Stderr, "FATAL: Failed to delete account: %v\n", err)
+                os.Exit(1)
+            }
+
+            fmt.Printf("Account \"%s\" deleted successfully.\n", account.Username)
+            return
+
         case "deleteAccount":
             if len(os.Args) < 3 {
                 fmt.Fprintf(os.Stderr, "FATAL: `username` must be specified for deleteAccount\n")
@@ -261,14 +306,14 @@ func main() {
             username := os.Args[2]
             fmt.Printf("Deleting account \"%s\"...\n", username)
 
-            account, err := controller.GetAccount(app.DB, username)
+            account, err := controller.GetAccountByUsername(app.DB, username)
             if err != nil {
-                fmt.Fprintf(os.Stderr, "Failed to fetch account \"%s\": %v\n", username, err)
+                fmt.Fprintf(os.Stderr, "FATAL: Failed to fetch account \"%s\": %v\n", username, err)
                 os.Exit(1)
             }
 
             if account == nil {
-                fmt.Fprintf(os.Stderr, "Account \"%s\" does not exist.\n", username)
+                fmt.Fprintf(os.Stderr, "FATAL: Account \"%s\" does not exist.\n", username)
                 os.Exit(1)
             }
 
@@ -279,9 +324,9 @@ func main() {
                 return
             }
             
-            err = controller.DeleteAccount(app.DB, username)
+            err = controller.DeleteAccount(app.DB, account.ID)
             if err != nil {
-                fmt.Fprintf(os.Stderr, "Failed to delete account: %v\n", err)
+                fmt.Fprintf(os.Stderr, "FATAL: Failed to delete account: %v\n", err)
                 os.Exit(1)
             }
 
@@ -338,9 +383,9 @@ func main() {
 
     // start the web server!
     mux := createServeMux(&app)
-    fmt.Printf("Now serving at %s:%d\n", app.Config.BaseUrl, app.Config.Port)
+    fmt.Printf("Now serving at http://%s:%d\n", app.Config.Host, app.Config.Port)
     log.Fatal(
-        http.ListenAndServe(fmt.Sprintf(":%d", app.Config.Port), 
+        http.ListenAndServe(fmt.Sprintf("%s:%d", app.Config.Host, app.Config.Port), 
         HTTPLog(DefaultHeaders(mux)),
     ))
 }
@@ -359,7 +404,7 @@ func createServeMux(app *model.AppState) *http.ServeMux {
         }
 
         if r.URL.Path == "/" || r.URL.Path == "/index.html" {
-            err := templates.Pages["index"].Execute(w, nil)
+            err := templates.IndexTemplate.Execute(w, nil)
             if err != nil {
                 http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
             }
diff --git a/model/account.go b/model/account.go
index 72720a0..166e880 100644
--- a/model/account.go
+++ b/model/account.go
@@ -1,17 +1,20 @@
 package model
 
-import "time"
+import (
+	"database/sql"
+	"time"
+)
 
-const COOKIE_TOKEN string = "AM_TOKEN"
+const COOKIE_TOKEN string = "AM_SESSION"
 
 type (
     Account struct {
-        ID          string      `json:"id" db:"id"`
-        Username    string      `json:"username" db:"username"`
-        Password    string      `json:"password" db:"password"`
-        Email       string      `json:"email" db:"email"`
-        AvatarURL   string      `json:"avatar_url" db:"avatar_url"`
-        CreatedAt   time.Time   `json:"created_at" db:"created_at"`
+        ID          string          `json:"id" db:"id"`
+        Username    string          `json:"username" db:"username"`
+        Password    string          `json:"password" db:"password"`
+        Email       sql.NullString  `json:"email" db:"email"`
+        AvatarURL   sql.NullString  `json:"avatar_url" db:"avatar_url"`
+        CreatedAt   time.Time       `json:"created_at" db:"created_at"`
 
         Privileges  []AccountPrivilege  `json:"privileges"`
     }
diff --git a/model/appstate.go b/model/appstate.go
index 08016b7..6a965d5 100644
--- a/model/appstate.go
+++ b/model/appstate.go
@@ -19,6 +19,7 @@ type (
 
     Config struct {
         BaseUrl string `toml:"base_url" comment:"Used for OAuth redirects."`
+        Host string `toml:"host"`
         Port int64 `toml:"port"`
         DataDirectory string `toml:"data_dir"`
         DB DBConfig `toml:"db"`
diff --git a/model/token.go b/model/session.go
similarity index 54%
rename from model/token.go
rename to model/session.go
index 31beb72..c1983a1 100644
--- a/model/token.go
+++ b/model/session.go
@@ -1,11 +1,17 @@
 package model
 
-import "time"
+import (
+	"database/sql"
+	"time"
+)
 
-type Token struct {
+type Session struct {
     Token string `json:"token" db:"token"`
-    AccountID string `json:"-" db:"account"`
     UserAgent string `json:"user_agent" db:"user_agent"`
     CreatedAt time.Time `json:"created_at" db:"created_at"`
     ExpiresAt time.Time `json:"expires_at" db:"expires_at"`
+
+    Account *Account `json:"-" db:"account"`
+    Message sql.NullString `json:"-" db:"message"`
+    Error sql.NullString `json:"-" db:"error"`
 }
diff --git a/model/track.go b/model/track.go
index d44c224..ca54ddd 100644
--- a/model/track.go
+++ b/model/track.go
@@ -12,6 +12,8 @@ type (
 		Description string  `json:"description"`
         Lyrics      string  `json:"lyrics" db:"lyrics"`
 		PreviewURL  string  `json:"previewURL" db:"preview_url"`
+
+        Number      int
 	}
 )
 
diff --git a/public/style/footer.css b/public/style/footer.css
index 72cdebb..d9682b1 100644
--- a/public/style/footer.css
+++ b/public/style/footer.css
@@ -1,11 +1,11 @@
 footer {
-        border-top: 1px solid #888;
+    border-top: 1px solid #8888;
 }
 
 #footer {
-        width: 	min(calc(100% - 4rem), 720px);
-        margin: auto;
-        padding: 2rem 0;
-        color: #aaa;
+    width: 	min(calc(100% - 4rem), 720px);
+    margin: auto;
+    padding: 2rem 0;
+    color: #aaa;
 }
 
diff --git a/public/style/index.css b/public/style/index.css
index 363c381..f3cb761 100644
--- a/public/style/index.css
+++ b/public/style/index.css
@@ -91,7 +91,7 @@ hr {
     text-align: center;
     line-height: 0px;
     border-width: 1px 0 0 0;
-    border-color: #888f;
+    border-color: #888;
     margin: 1.5em 0;
     overflow: visible;
 }
diff --git a/schema_migration/000-init.sql b/schema_migration/000-init.sql
index 3f4c723..ff5c1af 100644
--- a/schema_migration/000-init.sql
+++ b/schema_migration/000-init.sql
@@ -1,24 +1,22 @@
-CREATE SCHEMA IF NOT EXISTS arimelody;
-
 --
 -- Tables
 --
 
 -- Accounts
 CREATE TABLE arimelody.account (
-    id uuid DEFAULT gen_random_uuid(), 
-    username text NOT NULL UNIQUE, 
-    password text NOT NULL, 
-    email text, 
-    avatar_url text,
+    id UUID DEFAULT gen_random_uuid(), 
+    username TEXT NOT NULL UNIQUE, 
+    password TEXT NOT NULL, 
+    email TEXT,
+    avatar_url TEXT,
     created_at TIMESTAMP DEFAULT current_timestamp
 );
 ALTER TABLE arimelody.account ADD CONSTRAINT account_pk PRIMARY KEY (id);
 
 -- Privilege
 CREATE TABLE arimelody.privilege (
-    account uuid NOT NULL, 
-    privilege text NOT NULL
+    account UUID NOT NULL, 
+    privilege TEXT NOT NULL
 );
 ALTER TABLE arimelody.privilege ADD CONSTRAINT privilege_pk PRIMARY KEY (account, privilege);
 
@@ -30,15 +28,17 @@ CREATE TABLE arimelody.invite (
 );
 ALTER TABLE arimelody.invite ADD CONSTRAINT invite_pk PRIMARY KEY (code);
 
--- Tokens
-CREATE TABLE arimelody.token (
+-- Session
+CREATE TABLE arimelody.session (
     token TEXT,
-    account UUID NOT NULL,
     user_agent TEXT NOT NULL,
     created_at TIMESTAMP NOT NULL DEFAULT current_timestamp,
-    expires_at TIMESTAMP DEFAULT NULL
+    expires_at TIMESTAMP DEFAULT NULL,
+    account UUID,
+    message TEXT,
+    error TEXT
 );
-ALTER TABLE arimelody.token ADD CONSTRAINT token_pk PRIMARY KEY (token);
+ALTER TABLE arimelody.session ADD CONSTRAINT session_pk PRIMARY KEY (token);
 
 -- TOTPs
 CREATE TABLE arimelody.totp (
@@ -118,7 +118,7 @@ ALTER TABLE arimelody.musicreleasetrack ADD CONSTRAINT musicreleasetrack_pk PRIM
 --
 
 ALTER TABLE arimelody.privilege ADD CONSTRAINT privilege_account_fk FOREIGN KEY (account) REFERENCES account(id) ON DELETE CASCADE;
-ALTER TABLE arimelody.token ADD CONSTRAINT token_account_fk FOREIGN KEY (account) REFERENCES account(id) ON DELETE CASCADE;
+ALTER TABLE arimelody.session ADD CONSTRAINT session_account_fk FOREIGN KEY (account) REFERENCES account(id) ON DELETE CASCADE;
 ALTER TABLE arimelody.totp ADD CONSTRAINT totp_account_fk FOREIGN KEY (account) REFERENCES account(id) ON DELETE CASCADE;
 
 ALTER TABLE arimelody.musiccredit ADD CONSTRAINT musiccredit_artist_fk FOREIGN KEY (artist) REFERENCES artist(id) ON DELETE CASCADE ON UPDATE CASCADE;
diff --git a/schema_migration/001-pre-versioning.sql b/schema_migration/001-pre-versioning.sql
index 62bc15b..cd0c061 100644
--- a/schema_migration/001-pre-versioning.sql
+++ b/schema_migration/001-pre-versioning.sql
@@ -1,36 +1,22 @@
---
--- Migration
---
-
--- Move existing tables to new schema
-ALTER TABLE public.artist SET SCHEMA arimelody;
-ALTER TABLE public.musicrelease SET SCHEMA arimelody;
-ALTER TABLE public.musiclink SET SCHEMA arimelody;
-ALTER TABLE public.musiccredit SET SCHEMA arimelody;
-ALTER TABLE public.musictrack SET SCHEMA arimelody;
-ALTER TABLE public.musicreleasetrack SET SCHEMA arimelody;
-
-
-
 --
 -- New items
 --
 
--- Acounts
+-- Accounts
 CREATE TABLE arimelody.account (
-    id uuid DEFAULT gen_random_uuid(), 
-    username text NOT NULL UNIQUE, 
-    password text NOT NULL, 
-    email text, 
-    avatar_url text,
+    id UUID DEFAULT gen_random_uuid(), 
+    username TEXT NOT NULL UNIQUE, 
+    password TEXT NOT NULL, 
+    email TEXT,
+    avatar_url TEXT,
     created_at TIMESTAMP DEFAULT current_timestamp
 );
 ALTER TABLE arimelody.account ADD CONSTRAINT account_pk PRIMARY KEY (id);
 
 -- Privilege
 CREATE TABLE arimelody.privilege (
-    account uuid NOT NULL, 
-    privilege text NOT NULL
+    account UUID NOT NULL, 
+    privilege TEXT NOT NULL
 );
 ALTER TABLE arimelody.privilege ADD CONSTRAINT privilege_pk PRIMARY KEY (account, privilege);
 
@@ -42,15 +28,17 @@ CREATE TABLE arimelody.invite (
 );
 ALTER TABLE arimelody.invite ADD CONSTRAINT invite_pk PRIMARY KEY (code);
 
--- Tokens
-CREATE TABLE arimelody.token (
+-- Session
+CREATE TABLE arimelody.session (
     token TEXT,
-    account UUID NOT NULL,
     user_agent TEXT NOT NULL,
     created_at TIMESTAMP NOT NULL DEFAULT current_timestamp,
-    expires_at TIMESTAMP DEFAULT NULL
+    expires_at TIMESTAMP DEFAULT NULL,
+    account UUID,
+    message TEXT,
+    error TEXT
 );
-ALTER TABLE arimelody.token ADD CONSTRAINT token_pk PRIMARY KEY (token);
+ALTER TABLE arimelody.session ADD CONSTRAINT session_pk PRIMARY KEY (token);
 
 -- TOTPs
 CREATE TABLE arimelody.totp (
diff --git a/templates/templates.go b/templates/templates.go
index 094e61d..8d1a5ca 100644
--- a/templates/templates.go
+++ b/templates/templates.go
@@ -5,29 +5,24 @@ import (
 	"path/filepath"
 )
 
-var Pages = map[string]*template.Template{
-    "index": template.Must(template.ParseFiles(
-        filepath.Join("views", "layout.html"),
-        filepath.Join("views", "header.html"),
-        filepath.Join("views", "footer.html"),
-        filepath.Join("views", "prideflag.html"),
-        filepath.Join("views", "index.html"),
-    )),
-    "music": template.Must(template.ParseFiles(
-        filepath.Join("views", "layout.html"),
-        filepath.Join("views", "header.html"),
-        filepath.Join("views", "footer.html"),
-        filepath.Join("views", "prideflag.html"),
-        filepath.Join("views", "music.html"),
-    )),
-    "music-gateway": template.Must(template.ParseFiles(
-        filepath.Join("views", "layout.html"),
-        filepath.Join("views", "header.html"),
-        filepath.Join("views", "footer.html"),
-        filepath.Join("views", "prideflag.html"),
-        filepath.Join("views", "music-gateway.html"),
-    )),
-}
-
-var Components = map[string]*template.Template{
-}
+var IndexTemplate = template.Must(template.ParseFiles(
+    filepath.Join("views", "layout.html"),
+    filepath.Join("views", "header.html"),
+    filepath.Join("views", "footer.html"),
+    filepath.Join("views", "prideflag.html"),
+    filepath.Join("views", "index.html"),
+))
+var MusicTemplate = template.Must(template.ParseFiles(
+    filepath.Join("views", "layout.html"),
+    filepath.Join("views", "header.html"),
+    filepath.Join("views", "footer.html"),
+    filepath.Join("views", "prideflag.html"),
+    filepath.Join("views", "music.html"),
+))
+var MusicGatewayTemplate = template.Must(template.ParseFiles(
+    filepath.Join("views", "layout.html"),
+    filepath.Join("views", "header.html"),
+    filepath.Join("views", "footer.html"),
+    filepath.Join("views", "prideflag.html"),
+    filepath.Join("views", "music-gateway.html"),
+))
diff --git a/view/music.go b/view/music.go
index cae325f..7b86270 100644
--- a/view/music.go
+++ b/view/music.go
@@ -3,7 +3,6 @@ package view
 import (
 	"fmt"
 	"net/http"
-	"os"
 
 	"arimelody-web/controller"
 	"arimelody-web/model"
@@ -48,7 +47,7 @@ func ServeCatalog(app *model.AppState) http.Handler {
             }
         }
 
-        err = templates.Pages["music"].Execute(w, releases)
+        err = templates.MusicTemplate.Execute(w, releases)
         if err != nil {
             http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
         }
@@ -60,13 +59,8 @@ func ServeGateway(app *model.AppState, release *model.Release) http.Handler {
         // only allow authorised users to view hidden releases
         privileged := false
         if !release.Visible {
-            account, err := controller.GetAccountByRequest(app.DB, r)
-            if err != nil {
-                fmt.Fprintf(os.Stderr, "WARN: Failed to fetch account: %v\n", err)
-                http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-                return
-            }
-            if account != nil {
+            session := r.Context().Value("session").(*model.Session)
+            if session != nil && session.Account != nil {
                 // TODO: check privilege on release
                 privileged = true
             }
@@ -85,7 +79,7 @@ func ServeGateway(app *model.AppState, release *model.Release) http.Handler {
             response.Links = release.Links
         }
 
-        err := templates.Pages["music-gateway"].Execute(w, response)
+        err := templates.MusicGatewayTemplate.Execute(w, response)
 
         if err != nil {
             fmt.Printf("Error rendering music gateway for %s: %s\n", release.ID, err)