diff --git a/admin/accounthttp.go b/admin/accounthttp.go
index 098eb59..b2cf18a 100644
--- a/admin/accounthttp.go
+++ b/admin/accounthttp.go
@@ -1,11 +1,10 @@
 package admin
 
 import (
-	"database/sql"
 	"fmt"
 	"net/http"
-	"net/url"
 	"os"
+	"strings"
 	"time"
 
 	"arimelody-web/controller"
@@ -14,58 +13,29 @@ import (
 	"golang.org/x/crypto/bcrypt"
 )
 
-func accountHandler(app *model.AppState) http.Handler {
-    mux := http.NewServeMux()
-
-    mux.Handle("/totp-setup", totpSetupHandler(app))
-    mux.Handle("/totp-confirm", totpConfirmHandler(app))
-    mux.Handle("/totp-delete/", http.StripPrefix("/totp-delete", totpDeleteHandler(app)))
-
-    mux.Handle("/password", changePasswordHandler(app))
-    mux.Handle("/delete", deleteAccountHandler(app))
-
-    return mux
+type TemplateData struct {
+    Account *model.Account
+    Message string
+    Token string
 }
 
-func accountIndexHandler(app *model.AppState) http.Handler {
+func AccountHandler(app *model.AppState) http.Handler {
     return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-        session := r.Context().Value("session").(*model.Session)
+        account := r.Context().Value("account").(*model.Account)
 
-        dbTOTPs, err := controller.GetTOTPsForAccount(app.DB, session.Account.ID)
+        totps, err := controller.GetTOTPsForAccount(app.DB, account.ID)
         if err != nil {
             fmt.Printf("WARN: Failed to fetch TOTPs: %v\n", err)
             http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
         }
 
-        type (
-            TOTP struct {
-                model.TOTP
-                CreatedAtString string
-            }
-
-            accountResponse struct {
-                Session *model.Session
-                TOTPs []TOTP
-            }
-        )
-
-        totps := []TOTP{}
-        for _, totp := range dbTOTPs { 
-            totps = append(totps, TOTP{
-                TOTP: totp,
-                CreatedAtString: totp.CreatedAt.Format("02 Jan 2006, 15:04:05"),
-            })
+        type AccountResponse struct {
+            Account *model.Account
+            TOTPs []model.TOTP
         }
 
-        sessionMessage := session.Message
-        sessionError := session.Error
-        controller.SetSessionMessage(app.DB, session, "")
-        controller.SetSessionError(app.DB, session, "")
-        session.Message = sessionMessage
-        session.Error = sessionError
-
-        err = accountTemplate.Execute(w, accountResponse{
-            Session: session,
+        err = pages["account"].Execute(w, AccountResponse{
+            Account: account,
             TOTPs: totps,
         })
         if err != nil {
@@ -75,298 +45,299 @@ func accountIndexHandler(app *model.AppState) http.Handler {
     })
 }
 
-func changePasswordHandler(app *model.AppState) http.Handler {
-    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-        if r.Method != http.MethodPost {
-            http.NotFound(w, r)
-            return
-        }
-
-        session := r.Context().Value("session").(*model.Session)
-
-        controller.SetSessionMessage(app.DB, session, "")
-        controller.SetSessionError(app.DB, session, "")
-
-        r.ParseForm()
-
-        currentPassword := r.Form.Get("current-password")
-        if err := bcrypt.CompareHashAndPassword([]byte(session.Account.Password), []byte(currentPassword)); err != nil {
-            controller.SetSessionError(app.DB, session, "Incorrect password.")
-            http.Redirect(w, r, "/admin/account", http.StatusFound)
-            return
-        }
-
-        newPassword := r.Form.Get("new-password")
-
-        hashedPassword, err := bcrypt.GenerateFromPassword([]byte(newPassword), bcrypt.DefaultCost)
-        if err != nil {
-            fmt.Fprintf(os.Stderr, "WARN: Failed to generate password hash: %v\n", err)
-            controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.")
-            http.Redirect(w, r, "/admin/account", http.StatusFound)
-            return
-        }
-
-        session.Account.Password = string(hashedPassword)
-        err = controller.UpdateAccount(app.DB, session.Account)
-        if err != nil {
-            fmt.Fprintf(os.Stderr, "WARN: Failed to update account password: %v\n", err)
-            controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.")
-            http.Redirect(w, r, "/admin/account", http.StatusFound)
-            return
-        }
-
-        controller.SetSessionError(app.DB, session, "")
-        controller.SetSessionMessage(app.DB, session, "Password updated successfully.")
-        http.Redirect(w, r, "/admin/account", http.StatusFound)
-    })
-}
-
-func deleteAccountHandler(app *model.AppState) http.Handler {
-    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-        if r.Method != http.MethodPost {
-            http.NotFound(w, r)
-            return
-        }
-
-        err := r.ParseForm()
-        if err != nil {
-            http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
-            return
-        }
-
-        if !r.Form.Has("password") {
-            http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
-            return
-        }
-
-        session := r.Context().Value("session").(*model.Session)
-
-        // check password
-        if err := bcrypt.CompareHashAndPassword([]byte(session.Account.Password), []byte(r.Form.Get("password"))); err != nil {
-            fmt.Printf(
-                "[%s] WARN: Account \"%s\" attempted account deletion with incorrect password.\n",
-                time.Now().Format(time.UnixDate),
-                session.Account.Username,
-            )
-            controller.SetSessionError(app.DB, session, "Incorrect password.")
-            http.Redirect(w, r, "/admin/account", http.StatusFound)
-            return
-        }
-
-        err = controller.DeleteAccount(app.DB, session.Account.ID)
-        if err != nil {
-            fmt.Fprintf(os.Stderr, "Failed to delete account: %v\n", err)
-            controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.")
-            http.Redirect(w, r, "/admin/account", http.StatusFound)
-            return
-        }
-
-        fmt.Printf(
-            "[%s] INFO: Account \"%s\" deleted by user request.\n",
-            time.Now().Format(time.UnixDate),
-            session.Account.Username,
-        )
-
-        controller.SetSessionAccount(app.DB, session, nil)
-        controller.SetSessionError(app.DB, session, "")
-        controller.SetSessionMessage(app.DB, session, "Account deleted successfully.")
-        http.Redirect(w, r, "/admin/login", http.StatusFound)
-    })
-}
-
-type totpConfirmData struct {
-    Session *model.Session
-    TOTP *model.TOTP
-    NameEscaped string
-    QRBase64Image string
-}
-
-func totpSetupHandler(app *model.AppState) http.Handler {
+func LoginHandler(app *model.AppState) http.Handler {
     return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
         if r.Method == http.MethodGet {
-            type totpSetupData struct {
-                Session *model.Session
-            }
-
-            session := r.Context().Value("session").(*model.Session)
-
-            err := totpSetupTemplate.Execute(w, totpSetupData{ Session: session })
+            account, err := controller.GetAccountByRequest(app.DB, r)
             if err != nil {
-                fmt.Printf("WARN: Failed to render TOTP setup page: %s\n", err)
                 http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+                fmt.Fprintf(os.Stderr, "WARN: Failed to fetch account: %v\n", err)
+                return
+            }
+            if account != nil {
+                http.Redirect(w, r, "/admin", http.StatusFound)
+                return
             }
-            return
-        }
 
-        if r.Method != http.MethodPost {
-            http.NotFound(w, r)
-            return
-        }
-
-        err := r.ParseForm()
-        if err != nil {
-            http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
-            return
-        }
-
-        name := r.FormValue("totp-name")
-        if len(name) == 0 {
-            http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
-            return
-        }
-
-        session := r.Context().Value("session").(*model.Session)
-
-        secret := controller.GenerateTOTPSecret(controller.TOTP_SECRET_LENGTH)
-        totp := model.TOTP {
-            AccountID: session.Account.ID,
-            Name: name,
-            Secret: string(secret),
-        }
-        err = controller.CreateTOTP(app.DB, &totp)
-        if err != nil {
-            fmt.Printf("WARN: Failed to create TOTP method: %s\n", err)
-            controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.")
-            err := totpSetupTemplate.Execute(w, totpConfirmData{ Session: session })
+            err = pages["login"].Execute(w, TemplateData{})
             if err != nil {
-                fmt.Printf("WARN: Failed to render TOTP setup page: %s\n", err)
+                fmt.Fprintf(os.Stderr, "WARN: Error rendering admin login page: %s\n", err)
                 http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+                return
             }
             return
         }
 
-        qrBase64Image, err := controller.GenerateQRCode(
-            controller.GenerateTOTPURI(session.Account.Username, totp.Secret))
-        if err != nil {
-            fmt.Fprintf(os.Stderr, "WARN: Failed to generate TOTP QR code: %v\n", err)
+        type LoginResponse struct {
+            Account *model.Account
+            Token string
+            Message string
         }
 
-        err = totpConfirmTemplate.Execute(w, totpConfirmData{
-            Session: session,
-            TOTP: &totp,
-            NameEscaped: url.PathEscape(totp.Name),
-            QRBase64Image: qrBase64Image,
-        })
-        if err != nil {
-            fmt.Printf("WARN: Failed to render TOTP confirm page: %s\n", err)
-            http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-        }
-    })
-}
-
-func totpConfirmHandler(app *model.AppState) http.Handler {
-    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-        if r.Method != http.MethodPost {
-            http.NotFound(w, r)
-            return
-        }
-
-        session := r.Context().Value("session").(*model.Session)
-
-        err := r.ParseForm()
-        if err != nil {
-            http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
-            return
-        }
-        name := r.FormValue("totp-name")
-        if len(name) == 0 {
-            http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
-            return
-        }
-        code := r.FormValue("totp")
-        if len(code) != controller.TOTP_CODE_LENGTH {
-            http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
-            return
-        }
-
-        totp, err := controller.GetTOTP(app.DB, session.Account.ID, name)
-        if err != nil {
-            fmt.Printf("WARN: Failed to fetch TOTP method: %v\n", err)
-            controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.")
-            http.Redirect(w, r, "/admin/account", http.StatusFound)
-            return
-        }
-        if totp == nil {
-            http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
-            return
-        }
-
-        qrBase64Image, err := controller.GenerateQRCode(
-            controller.GenerateTOTPURI(session.Account.Username, totp.Secret))
-        if err != nil {
-            fmt.Fprintf(os.Stderr, "WARN: Failed to generate TOTP QR code: %v\n", err)
-        }
-
-        confirmCode := controller.GenerateTOTP(totp.Secret, 0)
-        if code != confirmCode {
-            confirmCodeOffset := controller.GenerateTOTP(totp.Secret, 1)
-            if code != confirmCodeOffset {
-                session.Error = sql.NullString{ Valid: true, String: "Incorrect TOTP code. Please try again." }
-                err = totpConfirmTemplate.Execute(w, totpConfirmData{
-                    Session: session,
-                    TOTP: totp,
-                    NameEscaped: url.PathEscape(totp.Name),
-                    QRBase64Image: qrBase64Image,
-                })
-                if err != nil {
-                    fmt.Fprintf(os.Stderr, "WARN: Failed to render TOTP setup page: %v\n", err)
-                    http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-                }
+        render := func(data LoginResponse) {
+            err := pages["login"].Execute(w, data)
+            if err != nil {
+                fmt.Fprintf(os.Stderr, "WARN: Error rendering admin login page: %s\n", err)
+                http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
                 return
             }
         }
 
-        err = controller.ConfirmTOTP(app.DB, session.Account.ID, name)
-        if err != nil {
-            fmt.Printf("WARN: Failed to confirm TOTP method: %s\n", err)
-            controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.")
-            http.Redirect(w, r, "/admin/account", http.StatusFound)
+        if r.Method != http.MethodPost {
+            http.NotFound(w, r);
             return
         }
 
-        controller.SetSessionError(app.DB, session, "")
-        controller.SetSessionMessage(app.DB, session, fmt.Sprintf("TOTP method \"%s\" created successfully.", totp.Name))
-        http.Redirect(w, r, "/admin/account", http.StatusFound)
+        err := r.ParseForm()
+        if err != nil {
+            render(LoginResponse{ Message: "Malformed request." })
+            return
+        }
+
+        type LoginRequest struct {
+            Username string `json:"username"`
+            Password string `json:"password"`
+            TOTP string `json:"totp"`
+        }
+        credentials := LoginRequest{
+            Username: r.Form.Get("username"),
+            Password: r.Form.Get("password"),
+            TOTP: r.Form.Get("totp"),
+        }
+
+        account, err := controller.GetAccount(app.DB, credentials.Username)
+        if err != nil {
+            render(LoginResponse{ Message: "Invalid username or password" })
+            return
+        }
+        if account == nil {
+            render(LoginResponse{ Message: "Invalid username or password" })
+            return
+        }
+
+        err = bcrypt.CompareHashAndPassword([]byte(account.Password), []byte(credentials.Password))
+        if err != nil {
+            render(LoginResponse{ Message: "Invalid username or password" })
+            return
+        }
+
+        totps, err := controller.GetTOTPsForAccount(app.DB, account.ID)
+        if err != nil {
+            fmt.Fprintf(os.Stderr, "WARN: Failed to fetch TOTPs: %v\n", err)
+            render(LoginResponse{ Message: "Something went wrong. Please try again." })
+            return
+        }
+        if len(totps) > 0 {
+            success := false
+            for _, totp := range totps {
+                check := controller.GenerateTOTP(totp.Secret, 0)
+                if check == credentials.TOTP {
+                    success = true
+                    break
+                }
+            }
+            if !success {
+                render(LoginResponse{ Message: "Invalid TOTP" })
+                return
+            }
+        } else {
+            // TODO: user should be prompted to add 2FA method
+        }
+
+        // login success!
+        token, err := controller.CreateToken(app.DB, account.ID, r.UserAgent())
+        if err != nil {
+            fmt.Fprintf(os.Stderr, "WARN: Failed to create token: %v\n", err)
+            render(LoginResponse{ Message: "Something went wrong. Please try again." })
+            return
+        }
+
+        cookie := http.Cookie{}
+        cookie.Name = model.COOKIE_TOKEN
+        cookie.Value = token.Token
+        cookie.Expires = token.ExpiresAt
+        if strings.HasPrefix(app.Config.BaseUrl, "https") {
+            cookie.Secure = true
+        }
+        cookie.HttpOnly = true
+        cookie.Path = "/"
+        http.SetCookie(w, &cookie)
+
+        render(LoginResponse{ Account: account, Token: token.Token })
     })
 }
 
-func totpDeleteHandler(app *model.AppState) http.Handler {
+func LogoutHandler(app *model.AppState) http.Handler {
     return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
         if r.Method != http.MethodGet {
             http.NotFound(w, r)
             return
         }
 
-        if len(r.URL.Path) < 2 {
-            http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
-            return
+        tokenStr := controller.GetTokenFromRequest(app.DB, r)
+
+        if len(tokenStr) > 0 {
+            err := controller.DeleteToken(app.DB, tokenStr)
+            if err != nil {
+                fmt.Fprintf(os.Stderr, "WARN: Failed to revoke token: %v\n", err)
+                http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+                return
+            }
         }
-        name := r.URL.Path[1:]
 
-        session := r.Context().Value("session").(*model.Session)
+        cookie := http.Cookie{}
+        cookie.Name = model.COOKIE_TOKEN
+        cookie.Value = ""
+        cookie.Expires = time.Now()
+        if strings.HasPrefix(app.Config.BaseUrl, "https") {
+            cookie.Secure = true
+        }
+        cookie.HttpOnly = true
+        cookie.Path = "/"
+        http.SetCookie(w, &cookie)
+        http.Redirect(w, r, "/admin/login", http.StatusFound)
+    })
+}
 
-        totp, err := controller.GetTOTP(app.DB, session.Account.ID, name)
+func createAccountHandler(app *model.AppState) http.Handler {
+    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+        checkAccount, err := controller.GetAccountByRequest(app.DB, r)
         if err != nil {
-            fmt.Printf("WARN: Failed to fetch TOTP method: %s\n", err)
-            controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.")
-            http.Redirect(w, r, "/admin/account", http.StatusFound)
+            fmt.Printf("WARN: Failed to fetch account: %s\n", err)
+            http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
             return
         }
-        if totp == nil {
+        if checkAccount != nil {
+            // user is already logged in
+            http.Redirect(w, r, "/admin", http.StatusFound)
+            return
+        }
+
+        type CreateAccountResponse struct {
+            Account *model.Account
+            Message string
+        }
+
+        render := func(data CreateAccountResponse) {
+            err := pages["create-account"].Execute(w, data)
+            if err != nil {
+                fmt.Printf("WARN: Error rendering create account page: %s\n", err)
+                http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+            }
+        }
+
+        if r.Method == http.MethodGet {
+            render(CreateAccountResponse{})
+            return
+        }
+
+        if r.Method != http.MethodPost {
             http.NotFound(w, r)
             return
         }
 
-        err = controller.DeleteTOTP(app.DB, session.Account.ID, totp.Name)
+        err = r.ParseForm()
         if err != nil {
-            fmt.Printf("WARN: Failed to delete TOTP method: %s\n", err)
-            controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.")
-            http.Redirect(w, r, "/admin/account", http.StatusFound)
+            render(CreateAccountResponse{
+                Message: "Malformed data.",
+            })
             return
         }
 
-        controller.SetSessionError(app.DB, session, "")
-        controller.SetSessionMessage(app.DB, session, fmt.Sprintf("TOTP method \"%s\" deleted successfully.", totp.Name))
-        http.Redirect(w, r, "/admin/account", http.StatusFound)
+        type RegisterRequest struct {
+            Username    string `json:"username"`
+            Email       string `json:"email"`
+            Password    string `json:"password"`
+            Invite      string `json:"invite"`
+        }
+        credentials := RegisterRequest{
+            Username: r.Form.Get("username"),
+            Email: r.Form.Get("email"),
+            Password: r.Form.Get("password"),
+            Invite: r.Form.Get("invite"),
+        }
+
+        // make sure code exists in DB
+        invite, err := controller.GetInvite(app.DB, credentials.Invite)
+        if err != nil {
+            fmt.Fprintf(os.Stderr, "WARN: Failed to retrieve invite: %v\n", err)
+            render(CreateAccountResponse{
+                Message: "Something went wrong. Please try again.",
+            })
+            return
+        }
+        if invite == nil || time.Now().After(invite.ExpiresAt) {
+            if invite != nil {
+                err := controller.DeleteInvite(app.DB, invite.Code)
+                if err != nil { fmt.Fprintf(os.Stderr, "WARN: Failed to delete expired invite: %v\n", err) }
+            }
+            render(CreateAccountResponse{
+                Message: "Invalid invite code.",
+            })
+            return
+        }
+
+        hashedPassword, err := bcrypt.GenerateFromPassword([]byte(credentials.Password), bcrypt.DefaultCost)
+        if err != nil {
+            fmt.Fprintf(os.Stderr, "WARN: Failed to generate password hash: %v\n", err)
+            render(CreateAccountResponse{
+                Message: "Something went wrong. Please try again.",
+            })
+            return
+        }
+
+        account := model.Account{
+            Username: credentials.Username,
+            Password: string(hashedPassword),
+            Email: credentials.Email,
+            AvatarURL: "/img/default-avatar.png",
+        }
+        err = controller.CreateAccount(app.DB, &account)
+        if err != nil {
+            if strings.HasPrefix(err.Error(), "pq: duplicate key") {
+                render(CreateAccountResponse{
+                    Message: "An account with that username already exists.",
+                })
+                return
+            }
+            fmt.Fprintf(os.Stderr, "WARN: Failed to create account: %v\n", err)
+            render(CreateAccountResponse{
+                Message: "Something went wrong. Please try again.",
+            })
+            return
+        }
+
+        err = controller.DeleteInvite(app.DB, invite.Code)
+        if err != nil { fmt.Fprintf(os.Stderr, "WARN: Failed to delete expired invite: %v\n", err) }
+
+        // registration success!
+        token, err := controller.CreateToken(app.DB, account.ID, r.UserAgent())
+        if err != nil {
+            fmt.Fprintf(os.Stderr, "WARN: Failed to create token: %v\n", err)
+            // gracefully redirect user to login page
+            http.Redirect(w, r, "/admin/login", http.StatusFound)
+            return
+        }
+
+        cookie := http.Cookie{}
+        cookie.Name = model.COOKIE_TOKEN
+        cookie.Value = token.Token
+        cookie.Expires = token.ExpiresAt
+        if strings.HasPrefix(app.Config.BaseUrl, "https") {
+            cookie.Secure = true
+        }
+        cookie.HttpOnly = true
+        cookie.Path = "/"
+        http.SetCookie(w, &cookie)
+
+        err = pages["login"].Execute(w, TemplateData{
+            Account: &account,
+            Token: token.Token,
+        })
+        if err != nil {
+            fmt.Fprintf(os.Stderr, "WARN: Failed to render login page: %v\n", err)
+			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+            return
+        }
     })
 }
diff --git a/admin/artisthttp.go b/admin/artisthttp.go
index 6dfbbfd..d6a5e76 100644
--- a/admin/artisthttp.go
+++ b/admin/artisthttp.go
@@ -32,15 +32,15 @@ func serveArtist(app *model.AppState) http.Handler {
         }
 
         type ArtistResponse struct {
-            Session *model.Session
+            Account *model.Account
             Artist *model.Artist
             Credits []*model.Credit
         }
 
-        session := r.Context().Value("session").(*model.Session)
+        account := r.Context().Value("account").(*model.Account)
 
-        err = artistTemplate.Execute(w, ArtistResponse{
-            Session: session,
+        err = pages["artist"].Execute(w, ArtistResponse{
+            Account: account,
             Artist: artist,
             Credits: credits,
         })
diff --git a/admin/components/tracks/edittracks.html b/admin/components/tracks/edittracks.html
index d03f80a..0500532 100644
--- a/admin/components/tracks/edittracks.html
+++ b/admin/components/tracks/edittracks.html
@@ -3,20 +3,20 @@
         <h2>Editing: Tracks</h2>
         <a id="add-track"
            class="button new"
-           href="/admin/release/{{.Release.ID}}/addtrack"
-           hx-get="/admin/release/{{.Release.ID}}/addtrack"
+           href="/admin/release/{{.ID}}/addtrack"
+           hx-get="/admin/release/{{.ID}}/addtrack"
            hx-target="body"
            hx-swap="beforeend"
         >Add</a>
     </header>
 
-    <form action="/api/v1/music/{{.Release.ID}}/tracks">
+    <form action="/api/v1/music/{{.ID}}/tracks">
         <ul>
-            {{range $i, $track := .Release.Tracks}}
+            {{range $i, $track := .Tracks}}
             <li class="track" data-track="{{$track.ID}}" data-title="{{$track.Title}}" data-number="{{$track.Add $i 1}}" draggable="true">
                 <div>
                     <p class="track-name">
-                        <span class="track-number">{{.Add $i 1}}</span>
+                        <span class="track-number">{{$track.Add $i 1}}</span>
                         {{$track.Title}}
                     </p>
                     <a class="delete">Delete</a>
diff --git a/admin/http.go b/admin/http.go
index 0ca61a3..b44cfa9 100644
--- a/admin/http.go
+++ b/admin/http.go
@@ -2,63 +2,40 @@ package admin
 
 import (
 	"context"
-	"database/sql"
 	"fmt"
 	"net/http"
 	"os"
 	"path/filepath"
-	"strings"
-	"time"
 
 	"arimelody-web/controller"
 	"arimelody-web/model"
-
-	"golang.org/x/crypto/bcrypt"
 )
 
 func Handler(app *model.AppState) http.Handler {
     mux := http.NewServeMux()
 
-    mux.Handle("/qr-test", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-        qrB64Img, err := controller.GenerateQRCode("super epic mega gaming test message. be sure to buy free2play on bandcamp so i can put food on my family")
-        if err != nil {
-            fmt.Fprintf(os.Stderr, "WARN: Failed to generate QR code: %v\n", err)
-            http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-            return
-        }
-
-        w.Write([]byte("<html><img style=\"image-rendering:pixelated;width:100%;height:100%;object-fit:contain\" src=\"" + qrB64Img + "\"/></html>"))
-    }))
-
-    mux.Handle("/login", loginHandler(app))
-    mux.Handle("/totp", loginTOTPHandler(app))
-    mux.Handle("/logout", requireAccount(logoutHandler(app)))
-
-    mux.Handle("/register", registerAccountHandler(app))
-
-    mux.Handle("/account", requireAccount(accountIndexHandler(app)))
-    mux.Handle("/account/", requireAccount(http.StripPrefix("/account", accountHandler(app))))
-
-    mux.Handle("/release/", requireAccount(http.StripPrefix("/release", serveRelease(app))))
-    mux.Handle("/artist/", requireAccount(http.StripPrefix("/artist", serveArtist(app))))
-    mux.Handle("/track/", requireAccount(http.StripPrefix("/track", serveTrack(app))))
-
+    mux.Handle("/login", LoginHandler(app))
+    mux.Handle("/register", createAccountHandler(app))
+    mux.Handle("/logout", RequireAccount(app, LogoutHandler(app)))
+    mux.Handle("/account", RequireAccount(app, AccountHandler(app)))
     mux.Handle("/static/", http.StripPrefix("/static", staticHandler()))
-
-    mux.Handle("/", requireAccount(AdminIndexHandler(app)))
-
-    // response wrapper to make sure a session cookie exists
-    return enforceSession(app, mux)
-}
-
-func AdminIndexHandler(app *model.AppState) http.Handler {
-    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+    mux.Handle("/release/", RequireAccount(app, http.StripPrefix("/release", serveRelease(app))))
+    mux.Handle("/artist/", RequireAccount(app, http.StripPrefix("/artist", serveArtist(app))))
+    mux.Handle("/track/", RequireAccount(app, http.StripPrefix("/track", serveTrack(app))))
+    mux.Handle("/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
         if r.URL.Path != "/" {
             http.NotFound(w, r)
             return
         }
 
-        session := r.Context().Value("session").(*model.Session)
+        account, err := controller.GetAccountByRequest(app.DB, r)
+        if err != nil {
+            fmt.Fprintf(os.Stderr, "WARN: Failed to fetch account: %s\n", err)
+        }
+        if account == nil {
+            http.Redirect(w, r, "/admin/login", http.StatusFound)
+            return
+        }
 
         releases, err := controller.GetAllReleases(app.DB, false, 0, true)
         if err != nil {
@@ -75,382 +52,52 @@ func AdminIndexHandler(app *model.AppState) http.Handler {
         }
 
         tracks, err := controller.GetOrphanTracks(app.DB)
-        if err != nil {
+		if err != nil {
             fmt.Fprintf(os.Stderr, "WARN: Failed to pull orphan tracks: %s\n", err)
-            http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-            return
-        }
+			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+			return
+		}
 
         type IndexData struct {
-            Session     *model.Session
+            Account     *model.Account
             Releases    []*model.Release
             Artists     []*model.Artist
             Tracks      []*model.Track
         }
 
-        err = indexTemplate.Execute(w, IndexData{
-            Session: session,
+        err = pages["index"].Execute(w, IndexData{
+            Account: account,
             Releases: releases,
             Artists: artists,
             Tracks: tracks,
         })
-        if err != nil {
+		if err != nil {
             fmt.Fprintf(os.Stderr, "WARN: Failed to render admin index: %s\n", err)
+			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+			return
+		}
+    }))
+
+    return mux
+}
+
+func RequireAccount(app *model.AppState, next http.Handler) http.HandlerFunc {
+    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+        account, err := controller.GetAccountByRequest(app.DB, r)
+        if err != nil {
             http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-            return
-        }
-    })
-}
-
-func registerAccountHandler(app *model.AppState) http.Handler {
-    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-        session := r.Context().Value("session").(*model.Session)
-
-        if session.Account != nil {
-            // user is already logged in
-            http.Redirect(w, r, "/admin", http.StatusFound)
-            return
-        }
-
-        type registerData struct {
-            Session *model.Session
-        }
-
-        render := func() {
-            err := registerTemplate.Execute(w, registerData{ Session: session })
-            if err != nil {
-                fmt.Printf("WARN: Error rendering create account page: %s\n", err)
-                http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-            }
-        }
-
-        if r.Method == http.MethodGet {
-            render()
-            return
-        }
-
-        if r.Method != http.MethodPost {
-            http.NotFound(w, r)
-            return
-        }
-
-        err := r.ParseForm()
-        if err != nil {
-            http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
-            return
-        }
-
-        type RegisterRequest struct {
-            Username    string `json:"username"`
-            Email       string `json:"email"`
-            Password    string `json:"password"`
-            Invite      string `json:"invite"`
-        }
-        credentials := RegisterRequest{
-            Username: r.Form.Get("username"),
-            Email: r.Form.Get("email"),
-            Password: r.Form.Get("password"),
-            Invite: r.Form.Get("invite"),
-        }
-
-        // make sure invite code exists in DB
-        invite, err := controller.GetInvite(app.DB, credentials.Invite)
-        if err != nil {
-            fmt.Fprintf(os.Stderr, "WARN: Failed to retrieve invite: %v\n", err)
-            controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.")
-            render()
-            return
-        }
-        if invite == nil || time.Now().After(invite.ExpiresAt) {
-            if invite != nil {
-                err := controller.DeleteInvite(app.DB, invite.Code)
-                if err != nil { fmt.Fprintf(os.Stderr, "WARN: Failed to delete expired invite: %v\n", err) }
-            }
-            controller.SetSessionError(app.DB, session, "Invalid invite code.")
-            render()
-            return
-        }
-
-        hashedPassword, err := bcrypt.GenerateFromPassword([]byte(credentials.Password), bcrypt.DefaultCost)
-        if err != nil {
-            fmt.Fprintf(os.Stderr, "WARN: Failed to generate password hash: %v\n", err)
-            controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.")
-            render()
-            return
-        }
-
-        account := model.Account{
-            Username: credentials.Username,
-            Password: string(hashedPassword),
-            Email: sql.NullString{ String: credentials.Email, Valid: true },
-            AvatarURL: sql.NullString{ String:  "/img/default-avatar.png", Valid: true },
-        }
-        err = controller.CreateAccount(app.DB, &account)
-        if err != nil {
-            if strings.HasPrefix(err.Error(), "pq: duplicate key") {
-                controller.SetSessionError(app.DB, session, "An account with that username already exists.")
-                render()
-                return
-            }
-            fmt.Fprintf(os.Stderr, "WARN: Failed to create account: %v\n", err)
-            controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.")
-            render()
-            return
-        }
-
-        fmt.Printf(
-            "[%s]: Account registered: %s (%s)\n",
-            time.Now().Format(time.UnixDate),
-            account.Username,
-            account.ID,
-        )
-
-        err = controller.DeleteInvite(app.DB, invite.Code)
-        if err != nil { fmt.Fprintf(os.Stderr, "WARN: Failed to delete expired invite: %v\n", err) }
-
-        // registration success!
-        controller.SetSessionAccount(app.DB, session, &account)
-        controller.SetSessionMessage(app.DB, session, "")
-        controller.SetSessionError(app.DB, session, "")
-        http.Redirect(w, r, "/admin", http.StatusFound)
-    })
-}
-
-func loginHandler(app *model.AppState) http.Handler {
-    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-        if r.Method != http.MethodGet && r.Method != http.MethodPost {
-            http.NotFound(w, r)
-            return
-        }
-
-        session := r.Context().Value("session").(*model.Session)
-
-        type loginData struct {
-            Session *model.Session
-        }
-
-        render := func() {
-            err := loginTemplate.Execute(w, loginData{ Session: session })
-            if err != nil {
-                fmt.Fprintf(os.Stderr, "WARN: Error rendering admin login page: %s\n", err)
-                http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-                return
-            }
-        }
-
-        if r.Method == http.MethodGet {
-            if session.Account != nil {
-                // user is already logged in
-                http.Redirect(w, r, "/admin", http.StatusFound)
-                return
-            }
-            render()
-            return
-        }
-
-        err := r.ParseForm()
-        if err != nil {
-            http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
-            return
-        }
-
-        if !r.Form.Has("username") || !r.Form.Has("password") {
-            http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
-            return
-        }
-
-        username := r.FormValue("username")
-        password := r.FormValue("password")
-
-        account, err := controller.GetAccountByUsername(app.DB, username)
-        if err != nil {
-            fmt.Fprintf(os.Stderr, "WARN: Failed to fetch account for login: %v\n", err)
-            controller.SetSessionError(app.DB, session, "Invalid username or password.")
-            render()
+            fmt.Fprintf(os.Stderr, "WARN: Failed to fetch account: %v\n", err)
             return
         }
         if account == nil {
-            controller.SetSessionError(app.DB, session, "Invalid username or password.")
-            render()
-            return
-        }
-
-        err = bcrypt.CompareHashAndPassword([]byte(account.Password), []byte(password))
-        if err != nil {
-            fmt.Printf(
-                "[%s] INFO: Account \"%s\" attempted login with incorrect password.\n",
-                time.Now().Format(time.UnixDate),
-                account.Username,
-            )
-            controller.SetSessionError(app.DB, session, "Invalid username or password.")
-            render()
-            return
-        }
-
-        totps, err := controller.GetTOTPsForAccount(app.DB, account.ID)
-        if err != nil {
-            fmt.Fprintf(os.Stderr, "WARN: Failed to fetch TOTPs: %v\n", err)
-            controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.")
-            render()
-            return
-        }
-
-        if len(totps) > 0 {
-            err = controller.SetSessionAttemptAccount(app.DB, session, account)
-            if err != nil {
-                fmt.Fprintf(os.Stderr, "WARN: Failed to set attempt session: %v\n", err)
-                controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.")
-                render()
-                return
-            }
-            http.Redirect(w, r, "/admin/totp", http.StatusFound)
-            return
-        }
-
-        fmt.Printf(
-            "[%s] INFO: Account \"%s\" logged in\n",
-            time.Now().Format(time.UnixDate),
-            account.Username,
-        )
-
-        // TODO: log login activity to user
-
-        // login success!
-        err = controller.SetSessionAccount(app.DB, session, account)
-        if err != nil {
-            fmt.Fprintf(os.Stderr, "WARN: Failed to set session account: %v\n", err)
-            controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.")
-            render()
-            return
-        }
-        controller.SetSessionMessage(app.DB, session, "")
-        controller.SetSessionError(app.DB, session, "")
-        http.Redirect(w, r, "/admin", http.StatusFound)
-    })
-}
-
-func loginTOTPHandler(app *model.AppState) http.Handler {
-    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-        session := r.Context().Value("session").(*model.Session)
-
-        if session.AttemptAccount == nil {
-            http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
-            return
-        }
-
-        type loginTOTPData struct {
-            Session *model.Session
-        }
-
-        render := func() {
-            err := loginTOTPTemplate.Execute(w, loginTOTPData{ Session: session })
-            if err != nil {
-                fmt.Fprintf(os.Stderr, "WARN: Failed to render login TOTP page: %v\n", err)
-                http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-                return
-            }
-        }
-
-        if r.Method == http.MethodGet {
-            render()
-            return
-        }
-
-        if r.Method != http.MethodPost {
-            http.NotFound(w, r)
-            return
-        }
-
-        r.ParseForm()
-
-        if !r.Form.Has("totp") {
-            http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
-            return
-        }
-
-        totpCode := r.FormValue("totp")
-
-        if len(totpCode) != controller.TOTP_CODE_LENGTH {
-            controller.SetSessionError(app.DB, session, "Invalid TOTP.")
-            render()
-            return
-        }
-
-        totpMethod, err := controller.CheckTOTPForAccount(app.DB, session.AttemptAccount.ID, totpCode)
-        if err != nil {
-            fmt.Fprintf(os.Stderr, "WARN: Failed to check TOTPs: %v\n", err)
-            controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.")
-            render()
-            return
-        }
-        if totpMethod == nil {
-            controller.SetSessionError(app.DB, session, "Invalid TOTP.")
-            render()
-            return
-        }
-
-        fmt.Printf(
-            "[%s] INFO: Account \"%s\" logged in with method \"%s\"\n",
-            time.Now().Format(time.UnixDate),
-            session.AttemptAccount.Username,
-            totpMethod.Name,
-        )
-
-        err = controller.SetSessionAccount(app.DB, session, session.AttemptAccount)
-        if err != nil {
-            fmt.Fprintf(os.Stderr, "WARN: Failed to set session account: %v\n", err)
-            controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.")
-            render()
-            return
-        }
-        err = controller.SetSessionAttemptAccount(app.DB, session, nil)
-        if err != nil {
-            fmt.Fprintf(os.Stderr, "WARN: Failed to clear attempt session: %v\n", err)
-        }
-        controller.SetSessionMessage(app.DB, session, "")
-        controller.SetSessionError(app.DB, session, "")
-        http.Redirect(w, r, "/admin", http.StatusFound)
-    })
-}
-
-func logoutHandler(app *model.AppState) http.Handler {
-    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-        if r.Method != http.MethodGet {
-            http.NotFound(w, r)
-            return
-        }
-
-        session := r.Context().Value("session").(*model.Session)
-        err := controller.DeleteSession(app.DB, session.Token)
-        if err != nil {
-            fmt.Fprintf(os.Stderr, "WARN: Failed to delete session: %v\n", err)
-            http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-            return
-        }
-
-        http.SetCookie(w, &http.Cookie{
-            Name: model.COOKIE_TOKEN,
-            Expires: time.Now(),
-            Path: "/",
-        })
-
-        err = logoutTemplate.Execute(w, nil)
-        if err != nil {
-            fmt.Fprintf(os.Stderr, "WARN: Failed to render logout page: %v\n", err)
-            http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-        }
-    })
-}
-
-func requireAccount(next http.Handler) http.HandlerFunc {
-    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-        session := r.Context().Value("session").(*model.Session)
-        if session.Account == nil {
             // TODO: include context in redirect
             http.Redirect(w, r, "/admin/login", http.StatusFound)
             return
         }
-        next.ServeHTTP(w, r)
+
+        ctx := context.WithValue(r.Context(), "account", account)
+
+        next.ServeHTTP(w, r.WithContext(ctx))
     })
 }
 
@@ -474,36 +121,3 @@ func staticHandler() http.Handler {
         http.FileServer(http.Dir(filepath.Join("admin", "static"))).ServeHTTP(w, r)
     })
 }
-
-func enforceSession(app *model.AppState, next http.Handler) http.Handler {
-    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-        session, err := controller.GetSessionFromRequest(app.DB, r)
-        if err != nil {
-            fmt.Fprintf(os.Stderr, "WARN: Failed to retrieve session: %v\n", err)
-            http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-            return
-        }
-
-        if session == nil {
-            // create a new session
-            session, err = controller.CreateSession(app.DB, r.UserAgent())
-            if err != nil {
-                fmt.Fprintf(os.Stderr, "WARN: Failed to create session: %v\n", err)
-                http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-                return
-            }
-
-            http.SetCookie(w, &http.Cookie{
-                Name: model.COOKIE_TOKEN,
-                Value: session.Token,
-                Expires: session.ExpiresAt,
-                Secure: strings.HasPrefix(app.Config.BaseUrl, "https"),
-                HttpOnly: true,
-                Path: "/",
-            })
-        }
-
-        ctx := context.WithValue(r.Context(), "session", session)
-        next.ServeHTTP(w, r.WithContext(ctx))
-    })
-}
diff --git a/admin/releasehttp.go b/admin/releasehttp.go
index be5052b..503166b 100644
--- a/admin/releasehttp.go
+++ b/admin/releasehttp.go
@@ -14,7 +14,7 @@ func serveRelease(app *model.AppState) http.Handler {
         slices := strings.Split(r.URL.Path[1:], "/")
         releaseID := slices[0]
 
-        session := r.Context().Value("session").(*model.Session)
+        account := r.Context().Value("account").(*model.Account)
 
         release, err := controller.GetRelease(app.DB, releaseID, true)
         if err != nil {
@@ -56,12 +56,12 @@ func serveRelease(app *model.AppState) http.Handler {
         }
 
         type ReleaseResponse struct {
-            Session *model.Session
+            Account *model.Account
             Release *model.Release
         }
 
-        err = releaseTemplate.Execute(w, ReleaseResponse{
-            Session: session,
+        err = pages["release"].Execute(w, ReleaseResponse{
+            Account: account,
             Release: release,
         })
         if err != nil {
@@ -74,7 +74,7 @@ func serveRelease(app *model.AppState) http.Handler {
 func serveEditCredits(release *model.Release) http.Handler {
     return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
         w.Header().Set("Content-Type", "text/html")
-        err := editCreditsTemplate.Execute(w, release)
+        err := components["editcredits"].Execute(w, release)
         if err != nil {
             fmt.Printf("Error rendering edit credits component for %s: %s\n", release.ID, err)
             http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
@@ -97,7 +97,7 @@ func serveAddCredit(app *model.AppState, release *model.Release) http.Handler {
         }
 
         w.Header().Set("Content-Type", "text/html")
-        err = addCreditTemplate.Execute(w, response{
+        err = components["addcredit"].Execute(w, response{
             ReleaseID: release.ID,
             Artists: artists,
         })
@@ -123,7 +123,7 @@ func serveNewCredit(app *model.AppState) http.Handler {
         }
 
         w.Header().Set("Content-Type", "text/html")
-        err = newCreditTemplate.Execute(w, artist)
+        err = components["newcredit"].Execute(w, artist)
         if err != nil {
             fmt.Printf("Error rendering new credit component for %s: %s\n", artist.ID, err)
             http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
@@ -134,7 +134,7 @@ func serveNewCredit(app *model.AppState) http.Handler {
 func serveEditLinks(release *model.Release) http.Handler {
     return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
         w.Header().Set("Content-Type", "text/html")
-        err := editLinksTemplate.Execute(w, release)
+        err := components["editlinks"].Execute(w, release)
         if err != nil {
             fmt.Printf("Error rendering edit links component for %s: %s\n", release.ID, err)
             http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
@@ -145,16 +145,7 @@ func serveEditLinks(release *model.Release) http.Handler {
 func serveEditTracks(release *model.Release) http.Handler {
     return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
         w.Header().Set("Content-Type", "text/html")
-
-        type editTracksData struct {
-            Release *model.Release
-            Add func(a int, b int) int
-        }
-
-        err := editTracksTemplate.Execute(w, editTracksData{
-            Release: release,
-            Add: func(a, b int) int { return a + b },
-        })
+        err := components["edittracks"].Execute(w, release)
         if err != nil {
             fmt.Printf("Error rendering edit tracks component for %s: %s\n", release.ID, err)
             http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
@@ -177,7 +168,7 @@ func serveAddTrack(app *model.AppState, release *model.Release) http.Handler {
         }
 
         w.Header().Set("Content-Type", "text/html")
-        err = addTrackTemplate.Execute(w, response{
+        err = components["addtrack"].Execute(w, response{
             ReleaseID: release.ID,
             Tracks: tracks,
         })
@@ -204,7 +195,7 @@ func serveNewTrack(app *model.AppState) http.Handler {
         }
 
         w.Header().Set("Content-Type", "text/html")
-        err = newTrackTemplate.Execute(w, track)
+        err = components["newtrack"].Execute(w, track)
         if err != nil {
             fmt.Printf("Error rendering new track component for %s: %s\n", track.ID, err)
             http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
diff --git a/admin/static/admin.css b/admin/static/admin.css
index 877b5da..32f69bb 100644
--- a/admin/static/admin.css
+++ b/admin/static/admin.css
@@ -24,7 +24,7 @@ nav {
     justify-content: left;
 
     background: #f8f8f8;
-    border-radius: 4px;
+    border-radius: .5em;
     border: 1px solid #808080;
 }
 nav .icon {
@@ -85,15 +85,6 @@ a img.icon {
     height: .8em;
 }
 
-code {
-    background: #303030;
-    color: #f0f0f0;
-    padding: .23em .3em;
-    border-radius: 4px;
-}
-
-
-
 .card {
     margin-bottom: 1em;
 }
@@ -102,6 +93,13 @@ code {
     margin: 0 0 .5em 0;
 }
 
+/*
+.card h3,
+.card p {
+    margin: 0;
+}
+*/
+
 .card-title {
     margin-bottom: 1em;
     display: flex;
@@ -129,34 +127,20 @@ code {
 
 
 
-#message,
-#error {
-    margin: 0 0 1em 0;
-    padding: 1em;
-    border-radius: 4px;
-    background: #ffffff;
-    border: 1px solid #888;
-}
-#message {
-    background: #a9dfff;
-    border-color: #599fdc;
-}
 #error {
     background: #ffa9b8;
-    border-color: #dc5959;
+    border: 1px solid #dc5959;
+    padding: 1em;
+    border-radius: 4px;
 }
 
 
 
-a.delete:not(.button) {
-    color: #d22828;
-}
-
 button, .button {
     padding: .5em .8em;
     font-family: inherit;
     font-size: inherit;
-    border-radius: 4px;
+    border-radius: .5em;
     border: 1px solid #a0a0a0;
     background: #f0f0f0;
     color: inherit;
@@ -170,59 +154,35 @@ button:active, .button:active {
     border-color: #808080;
 }
 
-.button, button {
+button {
     color: inherit;
 }
-.button.new, button.new {
+button.new {
     background: #c4ff6a;
     border-color: #84b141;
 }
-.button.save, button.save {
+button.save {
     background: #6fd7ff;
     border-color: #6f9eb0;
 }
-.button.delete, button.delete {
+button.delete {
     background: #ff7171;
     border-color: #7d3535;
 }
-.button:hover, button:hover {
+button:hover {
     background: #fff;
     border-color: #d0d0d0;
 }
-.button:active, button:active {
+button:active {
     background: #d0d0d0;
     border-color: #808080;
 }
-.button[disabled], button[disabled] {
+button[disabled] {
     background: #d0d0d0 !important;
     border-color: #808080 !important;
     opacity: .5;
     cursor: not-allowed !important;
 }
-
-
-
-form {
-    width: 100%;
-    display: block;
-}
-form label {
-    width: 100%;
-    margin: 1rem 0 .5rem 0;
-    display: block;
-    color: #10101080;
-}
-form input {
-    margin: .5rem 0;
-    padding: .3rem .5rem;
-    display: block;
-    border-radius: 4px;
-    border: 1px solid #808080;
-    font-size: inherit;
-    font-family: inherit;
-    color: inherit;
-}
-input[disabled] {
-    opacity: .5;
-    cursor: not-allowed;
+a.delete {
+    color: #d22828;
 }
diff --git a/admin/static/edit-account.css b/admin/static/edit-account.css
index 7a4d34a..625db13 100644
--- a/admin/static/edit-account.css
+++ b/admin/static/edit-account.css
@@ -1,18 +1,28 @@
 @import url("/admin/static/index.css");
 
-div.card {
-    margin-bottom: 2rem;
+form#change-password {
+    width: 100%;
+    display: flex;
+    flex-direction: column;
+    align-items: start;
+}
+
+form div {
+    width: 20rem;
+}
+
+form button {
+    margin-top: 1rem;
 }
 
 label {
-    width: auto;
-    margin: 0;
-    display: flex;
-    align-items: center;
-    color: inherit;
+    width: 100%;
+    margin: 1rem 0 .5rem 0;
+    display: block;
+    color: #10101080;
 }
 input {
-    width: min(20rem, calc(100% - 1rem));
+    width: 100%;
     margin: .5rem 0;
     padding: .3rem .5rem;
     display: block;
@@ -23,11 +33,18 @@ input {
     color: inherit;
 }
 
+#error {
+    background: #ffa9b8;
+    border: 1px solid #dc5959;
+    padding: 1em;
+    border-radius: 4px;
+}
+
 .mfa-device {
     padding: .75em;
     background: #f8f8f8f8;
     border: 1px solid #808080;
-    border-radius: 8px;
+    border-radius: .5em;
     margin-bottom: .5em;
     display: flex;
     justify-content: space-between;
diff --git a/admin/static/edit-artist.css b/admin/static/edit-artist.css
index 5627e64..793b989 100644
--- a/admin/static/edit-artist.css
+++ b/admin/static/edit-artist.css
@@ -9,7 +9,7 @@ h1 {
     flex-direction: row;
     gap: 1.2em;
 
-    border-radius: 8px;
+    border-radius: .5em;
     background: #f8f8f8f8;
     border: 1px solid #808080;
 }
diff --git a/admin/static/edit-release.css b/admin/static/edit-release.css
index aa70e34..10eada3 100644
--- a/admin/static/edit-release.css
+++ b/admin/static/edit-release.css
@@ -11,7 +11,7 @@ input[type="text"] {
     flex-direction: row;
     gap: 1.2em;
 
-    border-radius: 8px;
+    border-radius: .5em;
     background: #f8f8f8f8;
     border: 1px solid #808080;
 }
@@ -160,7 +160,7 @@ dialog div.dialog-actions {
     align-items: center;
     gap: 1em;
 
-    border-radius: 8px;
+    border-radius: .5em;
     background: #f8f8f8f8;
     border: 1px solid #808080;
 }
@@ -170,7 +170,7 @@ dialog div.dialog-actions {
 }
 
 .card.credits .credit .artist-avatar {
-    border-radius: 8px;
+    border-radius: .5em;
 }
 
 .card.credits .credit .artist-name {
@@ -196,7 +196,7 @@ dialog div.dialog-actions {
     align-items: center;
     gap: 1em;
 
-    border-radius: 8px;
+    border-radius: .5em;
     background: #f8f8f8f8;
     border: 1px solid #808080;
 }
@@ -215,7 +215,7 @@ dialog div.dialog-actions {
 }
 
 #editcredits .credit .artist-avatar {
-    border-radius: 8px;
+    border-radius: .5em;
 }
 
 #editcredits .credit .credit-info {
@@ -228,14 +228,12 @@ dialog div.dialog-actions {
 }
 
 #editcredits .credit .credit-info .credit-attribute label {
-    width: auto;
-    margin: 0;
     display: flex;
     align-items: center;
 }
 
 #editcredits .credit .credit-info .credit-attribute input[type="text"] {
-    margin: 0 0 0 .25em;
+    margin-left: .25em;
     padding: .2em .4em;
     flex-grow: 1;
     font-family: inherit;
@@ -243,9 +241,6 @@ dialog div.dialog-actions {
     border-radius: 4px;
     color: inherit;
 }
-#editcredits .credit .credit-info .credit-attribute input[type="checkbox"] {
-    margin: 0 .3em;
-}
 
 #editcredits .credit .artist-name {
     font-weight: bold;
@@ -374,10 +369,8 @@ dialog div.dialog-actions {
 #editlinks td input[type="text"] {
     width: calc(100% - .6em);
     height: 100%;
-    margin: 0;
     padding: 0 .3em;
     border: none;
-    border-radius: 0;
     outline: none;
     cursor: pointer;
     background: none;
@@ -400,7 +393,7 @@ dialog div.dialog-actions {
     flex-direction: column;
     gap: .5em;
 
-    border-radius: 8px;
+    border-radius: .5em;
     background: #f8f8f8f8;
     border: 1px solid #808080;
 }
diff --git a/admin/static/edit-track.css b/admin/static/edit-track.css
index 600b680..8a05089 100644
--- a/admin/static/edit-track.css
+++ b/admin/static/edit-track.css
@@ -11,7 +11,7 @@ h1 {
     flex-direction: row;
     gap: 1.2em;
 
-    border-radius: 8px;
+    border-radius: .5em;
     background: #f8f8f8f8;
     border: 1px solid #808080;
 }
diff --git a/admin/static/index.css b/admin/static/index.css
index 9fcd731..9d38940 100644
--- a/admin/static/index.css
+++ b/admin/static/index.css
@@ -1,5 +1,23 @@
 @import url("/admin/static/release-list-item.css");
 
+.create-btn {
+    background: #c4ff6a;
+    padding: .5em .8em;
+    border-radius: .5em;
+    border: 1px solid #84b141;
+    text-decoration: none;
+}
+.create-btn:hover {
+    background: #fff;
+    border-color: #d0d0d0;
+    text-decoration: inherit;
+}
+.create-btn:active {
+    background: #d0d0d0;
+    border-color: #808080;
+    text-decoration: inherit;
+}
+
 .artist {
     margin-bottom: .5em;
     padding: .5em;
@@ -8,7 +26,7 @@
     align-items: center;
     gap: .5em;
 
-    border-radius: 8px;
+    border-radius: .5em;
     background: #f8f8f8f8;
     border: 1px solid #808080;
 }
@@ -31,7 +49,7 @@
     flex-direction: column;
     gap: .5em;
 
-    border-radius: 8px;
+    border-radius: .5em;
     background: #f8f8f8f8;
     border: 1px solid #808080;
 }
diff --git a/admin/static/release-list-item.css b/admin/static/release-list-item.css
index 638eac0..ee67de7 100644
--- a/admin/static/release-list-item.css
+++ b/admin/static/release-list-item.css
@@ -5,7 +5,7 @@
     flex-direction: row;
     gap: 1em;
 
-    border-radius: 8px;
+    border-radius: .5em;
     background: #f8f8f8f8;
     border: 1px solid #808080;
 }
@@ -50,7 +50,7 @@
     padding: .5em;
     display: block;
 
-    border-radius: 8px;
+    border-radius: .5em;
     text-decoration: none;
     color: #f0f0f0;
     background: #303030;
@@ -73,7 +73,7 @@
     padding: .3em .5em;
     display: inline-block;
 
-    border-radius: 4px;
+    border-radius: .3em;
     background: #e0e0e0;
 
     transition: color .1s, background .1s;
diff --git a/admin/templates.go b/admin/templates.go
index 49c118b..1fa7a65 100644
--- a/admin/templates.go
+++ b/admin/templates.go
@@ -1,90 +1,65 @@
 package admin
 
 import (
-    "html/template"
-    "path/filepath"
+	"html/template"
+	"path/filepath"
 )
 
-var indexTemplate = template.Must(template.ParseFiles(
-    filepath.Join("admin", "views", "layout.html"),
-    filepath.Join("views", "prideflag.html"),
-    filepath.Join("admin", "components", "release", "release-list-item.html"),
-    filepath.Join("admin", "views", "index.html"),
-))
+var pages = map[string]*template.Template{
+    "index": template.Must(template.ParseFiles(
+        filepath.Join("admin", "views", "layout.html"),
+        filepath.Join("views", "prideflag.html"),
+        filepath.Join("admin", "components", "release", "release-list-item.html"),
+        filepath.Join("admin", "views", "index.html"),
+    )),
 
-var loginTemplate = template.Must(template.ParseFiles(
-    filepath.Join("admin", "views", "layout.html"),
-    filepath.Join("views", "prideflag.html"),
-    filepath.Join("admin", "views", "login.html"),
-))
-var loginTOTPTemplate = template.Must(template.ParseFiles(
-    filepath.Join("admin", "views", "layout.html"),
-    filepath.Join("views", "prideflag.html"),
-    filepath.Join("admin", "views", "login-totp.html"),
-))
-var registerTemplate = template.Must(template.ParseFiles(
-    filepath.Join("admin", "views", "layout.html"),
-    filepath.Join("views", "prideflag.html"),
-    filepath.Join("admin", "views", "register.html"),
-))
-var logoutTemplate = template.Must(template.ParseFiles(
-    filepath.Join("admin", "views", "layout.html"),
-    filepath.Join("views", "prideflag.html"),
-    filepath.Join("admin", "views", "logout.html"),
-))
-var accountTemplate = template.Must(template.ParseFiles(
-    filepath.Join("admin", "views", "layout.html"),
-    filepath.Join("views", "prideflag.html"),
-    filepath.Join("admin", "views", "edit-account.html"),
-))
-var totpSetupTemplate = template.Must(template.ParseFiles(
-    filepath.Join("admin", "views", "layout.html"),
-    filepath.Join("views", "prideflag.html"),
-    filepath.Join("admin", "views", "totp-setup.html"),
-))
-var totpConfirmTemplate = template.Must(template.ParseFiles(
-    filepath.Join("admin", "views", "layout.html"),
-    filepath.Join("views", "prideflag.html"),
-    filepath.Join("admin", "views", "totp-confirm.html"),
-))
+    "login": template.Must(template.ParseFiles(
+        filepath.Join("admin", "views", "layout.html"),
+        filepath.Join("views", "prideflag.html"),
+        filepath.Join("admin", "views", "login.html"),
+    )),
+    "create-account": template.Must(template.ParseFiles(
+        filepath.Join("admin", "views", "layout.html"),
+        filepath.Join("views", "prideflag.html"),
+        filepath.Join("admin", "views", "create-account.html"),
+    )),
+    "logout": template.Must(template.ParseFiles(
+        filepath.Join("admin", "views", "layout.html"),
+        filepath.Join("views", "prideflag.html"),
+        filepath.Join("admin", "views", "logout.html"),
+    )),
+    "account": template.Must(template.ParseFiles(
+        filepath.Join("admin", "views", "layout.html"),
+        filepath.Join("views", "prideflag.html"),
+        filepath.Join("admin", "views", "edit-account.html"),
+    )),
 
-var releaseTemplate = template.Must(template.ParseFiles(
-    filepath.Join("admin", "views", "layout.html"),
-    filepath.Join("views", "prideflag.html"),
-    filepath.Join("admin", "views", "edit-release.html"),
-))
-var artistTemplate = template.Must(template.ParseFiles(
-    filepath.Join("admin", "views", "layout.html"),
-    filepath.Join("views", "prideflag.html"),
-    filepath.Join("admin", "views", "edit-artist.html"),
-))
-var trackTemplate = template.Must(template.ParseFiles(
-    filepath.Join("admin", "views", "layout.html"),
-    filepath.Join("views", "prideflag.html"),
-    filepath.Join("admin", "components", "release", "release-list-item.html"),
-    filepath.Join("admin", "views", "edit-track.html"),
-))
+    "release": template.Must(template.ParseFiles(
+        filepath.Join("admin", "views", "layout.html"),
+        filepath.Join("views", "prideflag.html"),
+        filepath.Join("admin", "views", "edit-release.html"),
+    )),
+    "artist": template.Must(template.ParseFiles(
+        filepath.Join("admin", "views", "layout.html"),
+        filepath.Join("views", "prideflag.html"),
+        filepath.Join("admin", "views", "edit-artist.html"),
+    )),
+    "track": template.Must(template.ParseFiles(
+        filepath.Join("admin", "views", "layout.html"),
+        filepath.Join("views", "prideflag.html"),
+        filepath.Join("admin", "components", "release", "release-list-item.html"),
+        filepath.Join("admin", "views", "edit-track.html"),
+    )),
+}
 
-var editCreditsTemplate = template.Must(template.ParseFiles(
-    filepath.Join("admin", "components", "credits", "editcredits.html"),
-))
-var addCreditTemplate = template.Must(template.ParseFiles(
-    filepath.Join("admin", "components", "credits", "addcredit.html"),
-))
-var newCreditTemplate = template.Must(template.ParseFiles(
-    filepath.Join("admin", "components", "credits", "newcredit.html"),
-))
+var components = map[string]*template.Template{
+    "editcredits": template.Must(template.ParseFiles(filepath.Join("admin", "components", "credits", "editcredits.html"))),
+    "addcredit": template.Must(template.ParseFiles(filepath.Join("admin", "components", "credits", "addcredit.html"))),
+    "newcredit": template.Must(template.ParseFiles(filepath.Join("admin", "components", "credits", "newcredit.html"))),
 
-var editLinksTemplate = template.Must(template.ParseFiles(
-    filepath.Join("admin", "components", "links", "editlinks.html"),
-))
+    "editlinks": template.Must(template.ParseFiles(filepath.Join("admin", "components", "links", "editlinks.html"))),
 
-var editTracksTemplate = template.Must(template.ParseFiles(
-    filepath.Join("admin", "components", "tracks", "edittracks.html"),
-))
-var addTrackTemplate = template.Must(template.ParseFiles(
-    filepath.Join("admin", "components", "tracks", "addtrack.html"),
-))
-var newTrackTemplate = template.Must(template.ParseFiles(
-    filepath.Join("admin", "components", "tracks", "newtrack.html"),
-))
+    "edittracks": template.Must(template.ParseFiles(filepath.Join("admin", "components", "tracks", "edittracks.html"))),
+    "addtrack": template.Must(template.ParseFiles(filepath.Join("admin", "components", "tracks", "addtrack.html"))),
+    "newtrack": template.Must(template.ParseFiles(filepath.Join("admin", "components", "tracks", "newtrack.html"))),
+}
diff --git a/admin/trackhttp.go b/admin/trackhttp.go
index a92f81a..fa49b53 100644
--- a/admin/trackhttp.go
+++ b/admin/trackhttp.go
@@ -32,15 +32,15 @@ func serveTrack(app *model.AppState) http.Handler {
         }
 
         type TrackResponse struct {
-            Session     *model.Session
+            Account     *model.Account
             Track       *model.Track
             Releases    []*model.Release
         }
 
-        session := r.Context().Value("session").(*model.Session)
+        account := r.Context().Value("account").(*model.Account)
 
-        err = trackTemplate.Execute(w, TrackResponse{
-            Session: session,
+        err = pages["track"].Execute(w, TrackResponse{
+            Account: account,
             Track: track,
             Releases: releases,
         })
diff --git a/admin/views/register.html b/admin/views/create-account.html
similarity index 55%
rename from admin/views/register.html
rename to admin/views/create-account.html
index 37f0947..8d59c0f 100644
--- a/admin/views/register.html
+++ b/admin/views/create-account.html
@@ -11,7 +11,7 @@ a.discord {
     color: #5865F2;
 }
 
-form#register {
+form {
     width: 100%;
     display: flex;
     flex-direction: column;
@@ -26,33 +26,45 @@ form button {
     margin-top: 1rem;
 }
 
+label {
+    width: 100%;
+    margin: 1rem 0 .5rem 0;
+    display: block;
+    color: #10101080;
+}
 input {
-    width: calc(100% - 1rem - 2px);
+    width: 100%;
+    margin: .5rem 0;
+    padding: .3rem .5rem;
+    display: block;
+    border-radius: 4px;
+    border: 1px solid #808080;
+    font-size: inherit;
+    font-family: inherit;
+    color: inherit;
 }
 </style>
 {{end}}
 
 {{define "content"}}
 <main>
-    {{if .Session.Error.Valid}}
-    <p id="error">{{html .Session.Error.String}}</p>
+    {{if .Message}}
+    <p id="error">{{.Message}}</p>
     {{end}}
 
-    <form action="/admin/register" method="POST" id="register">
-        <h1>Create Account</h1>
-
+    <form action="/admin/register" method="POST" id="create-account">
         <div>
             <label for="username">Username</label>
-            <input type="text" name="username" value="" autocomplete="username" required autofocus>
+            <input type="text" name="username" value="">
 
             <label for="email">Email</label>
-            <input type="text" name="email" value="" autocomplete="email" required>
+            <input type="text" name="email" value="">
 
             <label for="password">Password</label>
-            <input type="password" name="password" value="" autocomplete="new-password" required>
+            <input type="password" name="password" value="">
 
             <label for="invite">Invite Code</label>
-            <input type="text" name="invite" value="" autocomplete="off" required>
+            <input type="text" name="invite" value="">
         </div>
 
         <button type="submit" class="new">Create Account</button>
diff --git a/admin/views/edit-account.html b/admin/views/edit-account.html
index 6c17088..4d89052 100644
--- a/admin/views/edit-account.html
+++ b/admin/views/edit-account.html
@@ -6,27 +6,23 @@
 
 {{define "content"}}
 <main>
-    {{if .Session.Message.Valid}}
-    <p id="message">{{html .Session.Message.String}}</p>
-    {{end}}
-    {{if .Session.Error.Valid}}
-    <p id="error">{{html .Session.Error.String}}</p>
-    {{end}}
-    <h1>Account Settings ({{.Session.Account.Username}})</h1>
+    <h1>Account Settings ({{.Account.Username}})</h1>
 
     <div class="card-title">
         <h2>Change Password</h2>
     </div>
     <div class="card">
-        <form action="/admin/account/password" method="POST" id="change-password">
-            <label for="current-password">Current Password</label>
-            <input type="password" id="current-password" name="current-password" value="" autocomplete="current-password" required>
+        <form action="/api/v1/change-password" method="POST" id="change-password">
+            <div>
+                <label for="current-password">Current Password</label>
+                <input type="password" name="current-password" value="" autocomplete="current-password">
 
-            <label for="new-password">New Password</label>
-            <input type="password" id="new-password" name="new-password" value="" autocomplete="new-password" required>
+                <label for="new-password">Password</label>
+                <input type="password" name="new-password" value="" autocomplete="new-password">
 
-            <label for="confirm-password">Confirm Password</label>
-            <input type="password" id="confirm-password" value="" autocomplete="new-password" required>
+                <label for="confirm-password">Confirm Password</label>
+                <input type="password" name="confirm-password" value="" autocomplete="new-password">
+            </div>
 
             <button type="submit" class="save">Change Password</button>
         </form>
@@ -40,11 +36,11 @@
         {{range .TOTPs}}
         <div class="mfa-device">
             <div>
-                <p class="mfa-device-name">{{.TOTP.Name}}</p>
-                <p class="mfa-device-date">Added: {{.CreatedAtString}}</p>
+                <p class="mfa-device-name">{{.Name}}</p>
+                <p class="mfa-device-date">Added: {{.CreatedAt}}</p>
             </div>
             <div>
-                <a class="button delete" href="/admin/account/totp-delete/{{.TOTP.Name}}">Delete</a>
+                <a class="delete">Delete</a>
             </div>
         </div>
         {{end}}
@@ -52,10 +48,7 @@
         <p>You have no MFA devices.</p>
         {{end}}
 
-        <div>
-            <button type="submit" class="save" id="enable-email" disabled>Enable Email TOTP</button>
-            <a class="button new" id="add-totp-device" href="/admin/account/totp-setup">Add TOTP Device</a>
-        </div>
+        <button type="submit" class="new" id="add-mfa-device">Add MFA Device</button>
     </div>
 
     <div class="card-title">
@@ -65,17 +58,9 @@
         <p>
         Clicking the button below will delete your account.
         This action is <strong>irreversible</strong>.
-        You will need to enter your password and TOTP below.
+        You will be prompted to confirm this decision.
         </p>
-        <form action="/admin/account/delete" method="POST">
-            <label for="password">Password</label>
-            <input type="password" name="password" value="" autocomplete="current-password" required>
-
-            <label for="totp">TOTP</label>
-            <input type="text" name="totp" value="" autocomplete="one-time-code" required>
-
-            <button type="submit" class="delete">Delete Account</button>
-        </form>
+        <button class="delete" id="delete">Delete Account</button>
     </div>
 
 </main>
diff --git a/admin/views/edit-artist.html b/admin/views/edit-artist.html
index b0cfb41..ccb3a45 100644
--- a/admin/views/edit-artist.html
+++ b/admin/views/edit-artist.html
@@ -36,13 +36,13 @@
         {{if .Credits}}
         {{range .Credits}}
         <div class="credit">
-            <img src="{{.Release.Artwork}}" alt="" width="64" loading="lazy" class="release-artwork">
+            <img src="{{.Artist.Release.Artwork}}" alt="" width="64" loading="lazy" class="release-artwork">
             <div class="credit-info">
-                <h3 class="credit-name"><a href="/admin/release/{{.Release.ID}}">{{.Release.Title}}</a></h3>
-                <p class="credit-artists">{{.Release.PrintArtists true true}}</p>
+                <h3 class="credit-name"><a href="/admin/release/{{.Artist.Release.ID}}">{{.Artist.Release.Title}}</a></h3>
+                <p class="credit-artists">{{.Artist.Release.PrintArtists true true}}</p>
                 <p class="artist-role">
-                Role: {{.Role}}
-                {{if .Primary}}
+                Role: {{.Artist.Role}}
+                {{if .Artist.Primary}}
                 <small>(Primary)</small>
                 {{end}}
                 </p>
diff --git a/admin/views/index.html b/admin/views/index.html
index 2b9c897..8f42e0e 100644
--- a/admin/views/index.html
+++ b/admin/views/index.html
@@ -9,7 +9,7 @@
 
     <div class="card-title">
         <h1>Releases</h1>
-        <a class="button new" id="create-release">Create New</a>
+        <a class="create-btn" id="create-release">Create New</a>
     </div>
     <div class="card releases">
         {{range .Releases}}
@@ -22,7 +22,7 @@
 
     <div class="card-title">
         <h1>Artists</h1>
-        <a class="button new" id="create-artist">Create New</a>
+        <a class="create-btn" id="create-artist">Create New</a>
     </div>
     <div class="card artists">
         {{range $Artist := .Artists}}
@@ -38,7 +38,7 @@
 
     <div class="card-title">
         <h1>Tracks</h1>
-        <a class="button new" id="create-track">Create New</a>
+        <a class="create-btn" id="create-track">Create New</a>
     </div>
     <div class="card tracks">
         <p><em>"Orphaned" tracks that have not yet been bound to a release.</em></p>
diff --git a/admin/views/layout.html b/admin/views/layout.html
index 8c34c8e..0a33b72 100644
--- a/admin/views/layout.html
+++ b/admin/views/layout.html
@@ -24,12 +24,9 @@
                     <a href="/admin">home</a>
                 </div>
                 <div class="flex-fill"></div>
-                {{if .Session.Account}}
+                {{if .Account}}
                 <div class="nav-item">
-                    <a href="/admin/account">account ({{.Session.Account.Username}})</a>
-                </div>
-                <div class="nav-item">
-                    <a href="/admin/logout" id="logout">log out</a>
+                    <a href="/admin/logout" id="logout">logged in as {{.Account.Username}}. log out</a>
                 </div>
                 {{else}}
                 <div class="nav-item">
diff --git a/admin/views/login-totp.html b/admin/views/login-totp.html
deleted file mode 100644
index 33e8c88..0000000
--- a/admin/views/login-totp.html
+++ /dev/null
@@ -1,47 +0,0 @@
-{{define "head"}}
-<title>Login - ari melody 💫</title>
-<link rel="shortcut icon" href="/img/favicon.png" type="image/x-icon">
-<link rel="stylesheet" href="/admin/static/admin.css">
-<style>
-form#login-totp {
-    width: 100%;
-    display: flex;
-    flex-direction: column;
-    align-items: center;
-}
-
-form div {
-    width: 20rem;
-}
-
-form button {
-    margin-top: 1rem;
-}
-
-input {
-    width: calc(100% - 1rem - 2px);
-}
-</style>
-{{end}}
-
-{{define "content"}}
-<main>
-    {{if .Session.Message.Valid}}
-    <p id="message">{{html .Session.Message.String}}</p>
-    {{end}}
-    {{if .Session.Error.Valid}}
-    <p id="error">{{html .Session.Error.String}}</p>
-    {{end}}
-
-    <form action="/admin/totp" method="POST" id="login-totp">
-        <h1>Two-Factor Authentication</h1>
-
-        <div>
-            <label for="totp">TOTP</label>
-            <input type="text" name="totp" value="" autocomplete="one-time-code" required autofocus>
-        </div>
-
-        <button type="submit" class="save">Login</button>
-    </form>
-</main>
-{{end}}
diff --git a/admin/views/login.html b/admin/views/login.html
index fbb7294..7744e91 100644
--- a/admin/views/login.html
+++ b/admin/views/login.html
@@ -3,7 +3,15 @@
 <link rel="shortcut icon" href="/img/favicon.png" type="image/x-icon">
 <link rel="stylesheet" href="/admin/static/admin.css">
 <style>
-form#login {
+p a {
+    color: #2a67c8;
+}
+
+a.discord {
+    color: #5865F2;
+}
+
+form {
     width: 100%;
     display: flex;
     flex-direction: column;
@@ -18,33 +26,61 @@ form button {
     margin-top: 1rem;
 }
 
+label {
+    width: 100%;
+    margin: 1rem 0 .5rem 0;
+    display: block;
+    color: #10101080;
+}
 input {
-    width: calc(100% - 1rem - 2px);
+    width: 100%;
+    margin: .5rem 0;
+    padding: .3rem .5rem;
+    display: block;
+    border-radius: 4px;
+    border: 1px solid #808080;
+    font-size: inherit;
+    font-family: inherit;
+    color: inherit;
+}
+input[disabled] {
+    opacity: .5;
+    cursor: not-allowed;
 }
 </style>
 {{end}}
 
 {{define "content"}}
 <main>
-    {{if .Session.Message.Valid}}
-    <p id="message">{{html .Session.Message.String}}</p>
-    {{end}}
-    {{if .Session.Error.Valid}}
-    <p id="error">{{html .Session.Error.String}}</p>
+    {{if .Message}}
+    <p id="error">{{.Message}}</p>
     {{end}}
 
+    {{if .Token}}
+
+    <meta http-equiv="refresh" content="0;url=/admin/" />
+    <p>
+    Logged in successfully.
+    You should be redirected to <a href="/admin">/admin</a> soon.
+    </p>
+
+    {{else}}
+
     <form action="/admin/login" method="POST" id="login">
-        <h1>Log In</h1>
-
         <div>
             <label for="username">Username</label>
-            <input type="text" name="username" value="" autocomplete="username" required autofocus>
+            <input type="text" name="username" value="" autocomplete="username">
 
             <label for="password">Password</label>
-            <input type="password" name="password" value="" autocomplete="current-password" required>
+            <input type="password" name="password" value="" autocomplete="current-password">
+
+            <label for="totp">TOTP</label>
+            <input type="text" name="totp" value="" autocomplete="one-time-code">
         </div>
 
         <button type="submit" class="save">Login</button>
     </form>
+
+    {{end}}
 </main>
 {{end}}
diff --git a/admin/views/logout.html b/admin/views/logout.html
index f127fd6..1999377 100644
--- a/admin/views/logout.html
+++ b/admin/views/logout.html
@@ -12,10 +12,13 @@ p a {
 {{define "content"}}
 <main>
 
-    <meta http-equiv="refresh" content="0;url=/admin/login" />
+    <meta http-equiv="refresh" content="5;url=/" />
     <p>
     Logged out successfully.
-    You should be redirected to <a href="/admin/login">/admin/login</a> shortly.
+    You should be redirected to <a href="/">/</a> in 5 seconds.
+    <script>
+        localStorage.removeItem("arime-token");
+    </script>
     </p>
 
 </main>
diff --git a/admin/views/totp-confirm.html b/admin/views/totp-confirm.html
deleted file mode 100644
index 7d305ec..0000000
--- a/admin/views/totp-confirm.html
+++ /dev/null
@@ -1,48 +0,0 @@
-{{define "head"}}
-<title>TOTP Confirmation - ari melody 💫</title>
-<link rel="shortcut icon" href="/img/favicon.png" type="image/x-icon">
-<link rel="stylesheet" href="/admin/static/admin.css">
-<style>
-.qr-code {
-    border: 1px solid #8888;
-}
-code {
-    user-select: all;
-}
-</style>
-{{end}}
-
-{{define "content"}}
-<main>
-    {{if .Session.Error.Valid}}
-    <p id="error">{{html .Session.Error.String}}</p>
-    {{end}}
-
-    <form action="/admin/account/totp-confirm?totp-name={{.NameEscaped}}" method="POST" id="totp-setup">
-        {{if .QRBase64Image}}
-        <img src="data:image/png;base64,{{.QRBase64Image}}" alt="" class="qr-code">
-
-        <p>
-        Scan the QR code above into your authentication app or password manager,
-        then enter your 2FA code below.
-        </p>
-
-        <p>
-        If the QR code does not work, you may also enter this secret code:
-        </p>
-        {{else}}
-        <p>
-        Paste the below secret code into your authentication app or password manager,
-        then enter your 2FA code below:
-        </p>
-        {{end}}
-
-        <p><code>{{.TOTP.Secret}}</code></p>
-
-        <label for="totp">TOTP:</label>
-        <input type="text" name="totp" value="" autocomplete="one-time-code" required autofocus>
-
-        <button type="submit" class="new">Create</button>
-    </form>
-</main>
-{{end}}
diff --git a/admin/views/totp-setup.html b/admin/views/totp-setup.html
deleted file mode 100644
index e74c970..0000000
--- a/admin/views/totp-setup.html
+++ /dev/null
@@ -1,20 +0,0 @@
-{{define "head"}}
-<title>TOTP Setup - ari melody 💫</title>
-<link rel="shortcut icon" href="/img/favicon.png" type="image/x-icon">
-<link rel="stylesheet" href="/admin/static/admin.css">
-{{end}}
-
-{{define "content"}}
-<main>
-    {{if .Session.Error.Valid}}
-    <p id="error">{{html .Session.Error.String}}</p>
-    {{end}}
-
-    <form action="/admin/account/totp-setup" method="POST" id="totp-setup">
-        <label for="totp-name">TOTP Device Name:</label>
-        <input type="text" name="totp-name" value="" autocomplete="off" required autofocus>
-
-        <button type="submit" class="new">Create</button>
-    </form>
-</main>
-{{end}}
diff --git a/api/api.go b/api/api.go
index 50b1c63..9489126 100644
--- a/api/api.go
+++ b/api/api.go
@@ -1,13 +1,11 @@
 package api
 
 import (
-	"context"
-	"errors"
 	"fmt"
 	"net/http"
-	"os"
 	"strings"
 
+	"arimelody-web/admin"
 	"arimelody-web/controller"
 	"arimelody-web/model"
 )
@@ -38,10 +36,10 @@ func Handler(app *model.AppState) http.Handler {
             ServeArtist(app, artist).ServeHTTP(w, r)
         case http.MethodPut:
             // PUT /api/v1/artist/{id} (admin)
-            requireAccount(app, UpdateArtist(app, artist)).ServeHTTP(w, r)
+            admin.RequireAccount(app, UpdateArtist(app, artist)).ServeHTTP(w, r)
         case http.MethodDelete:
             // DELETE /api/v1/artist/{id} (admin)
-            requireAccount(app, DeleteArtist(app, artist)).ServeHTTP(w, r)
+            admin.RequireAccount(app, DeleteArtist(app, artist)).ServeHTTP(w, r)
         default:
             http.NotFound(w, r)
         }
@@ -53,7 +51,7 @@ func Handler(app *model.AppState) http.Handler {
             ServeAllArtists(app).ServeHTTP(w, r)
         case http.MethodPost:
             // POST /api/v1/artist (admin)
-            requireAccount(app, CreateArtist(app)).ServeHTTP(w, r)
+            admin.RequireAccount(app, CreateArtist(app)).ServeHTTP(w, r)
         default:
             http.NotFound(w, r)
         }
@@ -80,10 +78,10 @@ func Handler(app *model.AppState) http.Handler {
             ServeRelease(app, release).ServeHTTP(w, r)
         case http.MethodPut:
             // PUT /api/v1/music/{id} (admin)
-            requireAccount(app, UpdateRelease(app, release)).ServeHTTP(w, r)
+            admin.RequireAccount(app, UpdateRelease(app, release)).ServeHTTP(w, r)
         case http.MethodDelete:
             // DELETE /api/v1/music/{id} (admin)
-            requireAccount(app, DeleteRelease(app, release)).ServeHTTP(w, r)
+            admin.RequireAccount(app, DeleteRelease(app, release)).ServeHTTP(w, r)
         default:
             http.NotFound(w, r)
         }
@@ -95,7 +93,7 @@ func Handler(app *model.AppState) http.Handler {
             ServeCatalog(app).ServeHTTP(w, r)
         case http.MethodPost:
             // POST /api/v1/music (admin)
-            requireAccount(app, CreateRelease(app)).ServeHTTP(w, r)
+            admin.RequireAccount(app, CreateRelease(app)).ServeHTTP(w, r)
         default:
             http.NotFound(w, r)
         }
@@ -119,13 +117,13 @@ func Handler(app *model.AppState) http.Handler {
         switch r.Method {
         case http.MethodGet:
             // GET /api/v1/track/{id} (admin)
-            requireAccount(app, ServeTrack(app, track)).ServeHTTP(w, r)
+            admin.RequireAccount(app, ServeTrack(app, track)).ServeHTTP(w, r)
         case http.MethodPut:
             // PUT /api/v1/track/{id} (admin)
-            requireAccount(app, UpdateTrack(app, track)).ServeHTTP(w, r)
+            admin.RequireAccount(app, UpdateTrack(app, track)).ServeHTTP(w, r)
         case http.MethodDelete:
             // DELETE /api/v1/track/{id} (admin)
-            requireAccount(app, DeleteTrack(app, track)).ServeHTTP(w, r)
+            admin.RequireAccount(app, DeleteTrack(app, track)).ServeHTTP(w, r)
         default:
             http.NotFound(w, r)
         }
@@ -134,10 +132,10 @@ func Handler(app *model.AppState) http.Handler {
         switch r.Method {
         case http.MethodGet:
             // GET /api/v1/track (admin)
-            requireAccount(app, ServeAllTracks(app)).ServeHTTP(w, r)
+            admin.RequireAccount(app, ServeAllTracks(app)).ServeHTTP(w, r)
         case http.MethodPost:
             // POST /api/v1/track (admin)
-            requireAccount(app, CreateTrack(app)).ServeHTTP(w, r)
+            admin.RequireAccount(app, CreateTrack(app)).ServeHTTP(w, r)
         default:
             http.NotFound(w, r)
         }
@@ -145,51 +143,3 @@ func Handler(app *model.AppState) http.Handler {
 
     return mux
 }
-
-func requireAccount(app *model.AppState, next http.Handler) http.Handler {
-    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-        session, err := getSession(app, r)
-        if err != nil {
-            fmt.Fprintf(os.Stderr, "WARN: Failed to get session: %v\n", err)
-            http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-            return
-        }
-        if session.Account == nil {
-            http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
-            return
-        }
-        ctx := context.WithValue(r.Context(), "session", session)
-        next.ServeHTTP(w, r.WithContext(ctx))
-    })
-}
-
-func getSession(app *model.AppState, r *http.Request) (*model.Session, error) {
-    var token string
-
-    // check cookies first
-    sessionCookie, err := r.Cookie(model.COOKIE_TOKEN)
-    if err != nil && err != http.ErrNoCookie {
-        return nil, errors.New(fmt.Sprintf("Failed to retrieve session cookie: %v\n", err))
-    }
-    if sessionCookie != nil {
-        token = sessionCookie.Value
-    } else {
-        // check Authorization header
-        token = strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
-    }
-
-    if token == "" { return nil, nil }
-
-    // fetch existing session
-    session, err := controller.GetSession(app.DB, token)
-
-    if err != nil && !strings.Contains(err.Error(), "no rows") {
-        return nil, errors.New(fmt.Sprintf("Failed to retrieve session: %v\n", err))
-    }
-
-    if session != nil {
-        // TODO: consider running security checks here (i.e. user agent mismatches)
-    }
-
-    return session, nil
-}
diff --git a/api/artist.go b/api/artist.go
index 51c9d62..a9676b1 100644
--- a/api/artist.go
+++ b/api/artist.go
@@ -51,8 +51,13 @@ func ServeArtist(app *model.AppState, artist *model.Artist) http.Handler {
 			}
 		)
 
-        session := r.Context().Value("session").(*model.Session)
-        show_hidden_releases := session != nil && session.Account != nil
+        account, err := controller.GetAccountByRequest(app.DB, r)
+        if err != nil {
+            fmt.Fprintf(os.Stderr, "WARN: Failed to fetch account: %v\n", err)
+            http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+            return
+        }
+        show_hidden_releases := account != nil
 
         dbCredits, err := controller.GetArtistCredits(app.DB, artist.ID, show_hidden_releases)
 		if err != nil {
diff --git a/api/release.go b/api/release.go
index b89cec8..c71043e 100644
--- a/api/release.go
+++ b/api/release.go
@@ -19,14 +19,13 @@ func ServeRelease(app *model.AppState, release *model.Release) http.Handler {
         // only allow authorised users to view hidden releases
         privileged := false
         if !release.Visible {
-            session, err := controller.GetSessionFromRequest(app.DB, r)
+            account, err := controller.GetAccountByRequest(app.DB, r)
             if err != nil {
-                fmt.Fprintf(os.Stderr, "WARN: Failed to retrieve session: %v\n", err)
+                fmt.Fprintf(os.Stderr, "WARN: Failed to fetch account: %v\n", err)
                 http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
                 return
             }
-
-            if session != nil && session.Account != nil {
+            if account != nil {
                 // TODO: check privilege on release
                 privileged = true
             }
@@ -146,11 +145,16 @@ func ServeCatalog(app *model.AppState) http.Handler {
         }
 
         catalog := []Release{}
-        session := r.Context().Value("session").(*model.Session)
+        account, err := controller.GetAccountByRequest(app.DB, r)
+        if err != nil {
+            fmt.Fprintf(os.Stderr, "WARN: Failed to fetch account: %v\n", err)
+            http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+            return
+        }
         for _, release := range releases {
             if !release.Visible {
                 privileged := false
-                if session != nil && session.Account != nil {
+                if account != nil {
                     // TODO: check privilege on release
                     privileged = true
                 }
diff --git a/bundle.sh b/bundle.sh
index dc7c023..4e7068b 100755
--- a/bundle.sh
+++ b/bundle.sh
@@ -6,4 +6,4 @@ if [ ! -f arimelody-web ]; then
     exit 1
 fi
 
-tar czvf arimelody-web.tar.gz arimelody-web admin/components/ admin/views/ admin/static/ views/ public/ schema-migration/
+tar czvf arimelody-web.tar.gz arimelody-web admin/components/ admin/views/ admin/static/ views/ public/
diff --git a/controller/account.go b/controller/account.go
index 9c7c1e1..044faec 100644
--- a/controller/account.go
+++ b/controller/account.go
@@ -2,6 +2,9 @@ package controller
 
 import (
 	"arimelody-web/model"
+	"errors"
+	"fmt"
+	"net/http"
 	"strings"
 
 	"github.com/jmoiron/sqlx"
@@ -18,21 +21,7 @@ func GetAllAccounts(db *sqlx.DB) ([]model.Account, error) {
     return accounts, nil
 }
 
-func GetAccountByID(db *sqlx.DB, id string) (*model.Account, error) {
-    var account = model.Account{}
-
-    err := db.Get(&account, "SELECT * FROM account WHERE id=$1", id)
-    if err != nil {
-        if strings.Contains(err.Error(), "no rows") {
-            return nil, nil
-        }
-        return nil, err
-    }
-
-    return &account, nil
-}
-
-func GetAccountByUsername(db *sqlx.DB, username string) (*model.Account, error) {
+func GetAccount(db *sqlx.DB, username string) (*model.Account, error) {
     var account = model.Account{}
 
     err := db.Get(&account, "SELECT * FROM account WHERE username=$1", username)
@@ -60,12 +49,12 @@ func GetAccountByEmail(db *sqlx.DB, email string) (*model.Account, error) {
     return &account, nil
 }
 
-func GetAccountBySession(db *sqlx.DB, sessionToken string) (*model.Account, error) {
-    if sessionToken == "" { return nil, nil }
+func GetAccountByToken(db *sqlx.DB, token string) (*model.Account, error) {
+    if token == "" { return nil, nil }
 
     account := model.Account{}
 
-    err := db.Get(&account, "SELECT account.* FROM account JOIN token ON id=account WHERE token=$1", sessionToken)
+    err := db.Get(&account, "SELECT account.* FROM account JOIN token ON id=account WHERE token=$1", token)
     if err != nil {
         if strings.Contains(err.Error(), "no rows") {
             return nil, nil
@@ -76,6 +65,42 @@ func GetAccountBySession(db *sqlx.DB, sessionToken string) (*model.Account, erro
     return &account, nil
 }
 
+func GetTokenFromRequest(db *sqlx.DB, r *http.Request) string {
+    tokenStr := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
+    if len(tokenStr) > 0 {
+        return tokenStr
+    }
+
+    cookie, err := r.Cookie(model.COOKIE_TOKEN)
+    if err != nil {
+        return ""
+    }
+    return cookie.Value
+}
+
+func GetAccountByRequest(db *sqlx.DB, r *http.Request) (*model.Account, error) {
+    tokenStr := GetTokenFromRequest(db, r)
+
+    token, err := GetToken(db, tokenStr)
+    if err != nil {
+        if strings.Contains(err.Error(), "no rows") {
+            return nil, nil
+        }
+        return nil, errors.New("GetToken: " + err.Error())
+    }
+
+    // does user-agent match the token?
+    if r.UserAgent() != token.UserAgent {
+        // invalidate the token
+        DeleteToken(db, tokenStr)
+        fmt.Printf("WARN: Attempted use of token by unauthorised User-Agent (Expected `%s`, got `%s`)\n", token.UserAgent, r.UserAgent())
+        // TODO: log unauthorised activity to the user
+        return nil, errors.New("User agent mismatch")
+    }
+
+    return GetAccountByToken(db, tokenStr)
+}
+
 func CreateAccount(db *sqlx.DB, account *model.Account) error {
     err := db.Get(
         &account.ID,
@@ -94,7 +119,7 @@ func CreateAccount(db *sqlx.DB, account *model.Account) error {
 func UpdateAccount(db *sqlx.DB, account *model.Account) error {
     _, err := db.Exec(
         "UPDATE account " +
-        "SET username=$2,password=$3,email=$4,avatar_url=$5 " +
+        "SET username=$2, password=$3, email=$4, avatar_url=$5) " +
         "WHERE id=$1",
         account.ID,
         account.Username,
@@ -106,7 +131,7 @@ func UpdateAccount(db *sqlx.DB, account *model.Account) error {
     return err
 }
 
-func DeleteAccount(db *sqlx.DB, accountID string) error {
-    _, err := db.Exec("DELETE FROM account WHERE id=$1", accountID)
+func DeleteAccount(db *sqlx.DB, username string) error {
+    _, err := db.Exec("DELETE FROM account WHERE username=$1", username)
     return err
 }
diff --git a/controller/config.go b/controller/config.go
index 8772b6b..28d4be4 100644
--- a/controller/config.go
+++ b/controller/config.go
@@ -19,7 +19,6 @@ func GetConfig() model.Config {
 
     config := model.Config{
         BaseUrl: "https://arimelody.me",
-        Host: "0.0.0.0",
         Port: 8080,
         DB: model.DBConfig{
             Host: "127.0.0.1",
@@ -56,7 +55,6 @@ func handleConfigOverrides(config *model.Config) error {
     var err error
 
     if env, has := os.LookupEnv("ARIMELODY_BASE_URL"); has { config.BaseUrl = env }
-    if env, has := os.LookupEnv("ARIMELODY_HOST"); has { config.Host = env }
     if env, has := os.LookupEnv("ARIMELODY_PORT"); has {
         config.Port, err = strconv.ParseInt(env, 10, 0)
         if err != nil { return errors.New("ARIMELODY_PORT: " + err.Error()) }
diff --git a/controller/migrator.go b/controller/migrator.go
index d0011ee..3624255 100644
--- a/controller/migrator.go
+++ b/controller/migrator.go
@@ -50,7 +50,7 @@ func CheckDBVersionAndMigrate(db *sqlx.DB) {
 func ApplyMigration(db *sqlx.DB, scriptFile string) {
     fmt.Printf("Applying schema migration %s...\n", scriptFile)
 
-    bytes, err := os.ReadFile("schema-migration/" + scriptFile + ".sql")
+    bytes, err := os.ReadFile("schema_migration/" + scriptFile + ".sql")
     if err != nil {
         fmt.Fprintf(os.Stderr, "FATAL: Failed to open schema file \"%s\": %v\n", scriptFile, err)
         os.Exit(1)
diff --git a/controller/qr.go b/controller/qr.go
deleted file mode 100644
index 7ada0f8..0000000
--- a/controller/qr.go
+++ /dev/null
@@ -1,120 +0,0 @@
-package controller
-
-import (
-	"bytes"
-	"encoding/base64"
-	"errors"
-	"fmt"
-	"image"
-	"image/color"
-	"image/png"
-
-    "github.com/skip2/go-qrcode"
-)
-
-func GenerateQRCode(data string) (string, error) {
-    imgBytes, err := qrcode.Encode(data, qrcode.Medium, 256)
-    if err != nil {
-        return "", err
-    }
-    base64Img := base64.StdEncoding.EncodeToString(imgBytes)
-    return base64Img, nil
-}
-
-// vvv DEPRECATED vvv
-
-const margin = 4
-
-type QRCodeECCLevel int64
-const (
-    LOW QRCodeECCLevel = iota
-    MEDIUM
-    QUARTILE
-    HIGH
-)
-
-func noDepsGenerateQRCode() (string, error) {
-    version := 1
-
-    size := 0
-    size = 21 + version * 4
-    if version > 10 {
-        return "", errors.New(fmt.Sprintf("QR version %d not supported", version))
-    }
-
-    img := image.NewGray(image.Rect(0, 0, size + margin * 2, size + margin * 2))
-
-    // fill white
-    for y := range size + margin * 2 {
-        for x := range size + margin * 2 {
-            img.Set(x, y, color.White)
-        }
-    }
-
-    // draw alignment squares
-    drawLargeAlignmentSquare(margin, margin, img)
-    drawLargeAlignmentSquare(margin, margin + size - 7, img)
-    drawLargeAlignmentSquare(margin + size - 7, margin, img)
-    drawSmallAlignmentSquare(size - 5, size - 5, img)
-    /*
-    if version > 4 {
-        space := version * 3 - 2
-        end := size / space
-        for y := range size / space + 1 {
-            for x := range size / space + 1 {
-                if x == 0 && y == 0 { continue }
-                if x == 0 && y == end { continue }
-                if x == end && y == 0 { continue }
-                if x == end && y == end { continue }
-                drawSmallAlignmentSquare(
-                    x * space + margin + 4,
-                    y * space + margin + 4,
-                    img,
-                )
-            }
-        }
-    }
-    */
-
-    // draw timing bits
-    for i := margin + 6; i < size - 4; i++ {
-        if (i % 2 == 0) {
-            img.Set(i, margin + 6, color.Black)
-            img.Set(margin + 6, i, color.Black)
-        }
-    }
-    img.Set(margin + 8, size - 4, color.Black)
-
-    var imgBuf bytes.Buffer
-    err := png.Encode(&imgBuf, img)
-    if err != nil {
-        return "", err
-    }
-
-    base64Img := base64.StdEncoding.EncodeToString(imgBuf.Bytes())
-
-    return "data:image/png;base64," + base64Img, nil
-}
-
-func drawLargeAlignmentSquare(x int, y int, img *image.Gray) {
-    for yi := range 7 {
-        for xi := range 7 {
-            if (xi == 0 || xi == 6) || (yi == 0 || yi == 6) {
-                img.Set(x + xi, y + yi, color.Black)
-            } else if (xi > 1 && xi < 5) && (yi > 1 && yi < 5) {
-                img.Set(x + xi, y + yi, color.Black)
-            }
-        }
-    }
-}
-
-func drawSmallAlignmentSquare(x int, y int, img *image.Gray) {
-    for yi := range 5 {
-        for xi := range 5 {
-            if (xi == 0 || xi == 4) || (yi == 0 || yi == 4) {
-                img.Set(x + xi, y + yi, color.Black)
-            }
-        }
-    }
-    img.Set(x + 2, y + 2, color.Black)
-}
diff --git a/controller/session.go b/controller/session.go
deleted file mode 100644
index cf423fe..0000000
--- a/controller/session.go
+++ /dev/null
@@ -1,177 +0,0 @@
-package controller
-
-import (
-	"database/sql"
-	"errors"
-	"fmt"
-	"net/http"
-	"strings"
-	"time"
-
-	"arimelody-web/model"
-
-	"github.com/jmoiron/sqlx"
-)
-
-const TOKEN_LEN = 64
-
-func GetSessionFromRequest(db *sqlx.DB, r *http.Request) (*model.Session, error) {
-    sessionCookie, err := r.Cookie(model.COOKIE_TOKEN)
-    if err != nil && err != http.ErrNoCookie {
-        return nil, errors.New(fmt.Sprintf("Failed to retrieve session cookie: %v", err))
-    }
-
-    var session *model.Session
-
-    if sessionCookie != nil {
-        // fetch existing session
-        session, err = GetSession(db, sessionCookie.Value)
-
-        if err != nil && !strings.Contains(err.Error(), "no rows") {
-            return nil, errors.New(fmt.Sprintf("Failed to retrieve session: %v", err))
-        }
-
-        if session != nil {
-            // TODO: consider running security checks here (i.e. user agent mismatches)
-        }
-    }
-
-    return session, nil
-}
-
-func CreateSession(db *sqlx.DB, userAgent string) (*model.Session, error) {
-    tokenString := GenerateAlnumString(TOKEN_LEN)
-
-    session := model.Session{
-        Token: string(tokenString),
-        UserAgent: userAgent,
-        CreatedAt: time.Now(),
-        ExpiresAt: time.Now().Add(time.Hour * 24),
-    }
-
-    _, err := db.Exec("INSERT INTO session " +
-        "(token, user_agent, created_at, expires_at) VALUES " +
-        "($1, $2, $3, $4)",
-        session.Token,
-        session.UserAgent,
-        session.CreatedAt,
-        session.ExpiresAt,
-    )
-    if err != nil {
-        return nil, err
-    }
-
-    return &session, nil
-}
-
-// func WriteSession(db *sqlx.DB, session *model.Session) error {
-//     _, err := db.Exec(
-//         "UPDATE session " +
-//         "SET account=$2,message=$3,error=$4 " +
-//         "WHERE token=$1",
-//         session.Token,
-//         session.Account.ID,
-//         session.Message,
-//         session.Error,
-//     )
-//     return err
-// }
-
-func SetSessionAttemptAccount(db *sqlx.DB, session *model.Session, account *model.Account) error {
-    var err error
-    session.AttemptAccount = account
-    if account == nil {
-        _, err = db.Exec("UPDATE session SET attempt_account=NULL WHERE token=$1", session.Token)
-    } else {
-        _, err = db.Exec("UPDATE session SET attempt_account=$2 WHERE token=$1", session.Token, account.ID)
-    }
-    return err
-}
-
-func SetSessionAccount(db *sqlx.DB, session *model.Session, account *model.Account) error {
-    var err error
-    session.Account = account
-    if account == nil {
-        _, err = db.Exec("UPDATE session SET account=NULL WHERE token=$1", session.Token)
-    } else {
-        _, err = db.Exec("UPDATE session SET account=$2 WHERE token=$1", session.Token, account.ID)
-    }
-    return err
-}
-
-func SetSessionMessage(db *sqlx.DB, session *model.Session, message string) error {
-    var err error
-    if message == "" {
-        if !session.Message.Valid { return nil }
-        session.Message = sql.NullString{ }
-        _, err = db.Exec("UPDATE session SET message=NULL WHERE token=$1", session.Token)
-    } else {
-        session.Message = sql.NullString{ String: message, Valid: true }
-        _, err = db.Exec("UPDATE session SET message=$2 WHERE token=$1", session.Token, message)
-    }
-    return err
-}
-
-func SetSessionError(db *sqlx.DB, session *model.Session, message string) error {
-    var err error
-    if message == "" {
-        if !session.Error.Valid { return nil }
-        session.Error = sql.NullString{ }
-        _, err = db.Exec("UPDATE session SET error=NULL WHERE token=$1", session.Token)
-    } else {
-        session.Error = sql.NullString{ String: message, Valid: true }
-        _, err = db.Exec("UPDATE session SET error=$2 WHERE token=$1", session.Token, message)
-    }
-    return err
-}
-
-func GetSession(db *sqlx.DB, token string) (*model.Session, error) {
-    type dbSession struct {
-        model.Session
-        AttemptAccountID sql.NullString `db:"attempt_account"`
-        AccountID sql.NullString        `db:"account"`
-    }
-
-    session := dbSession{}
-    err := db.Get(
-        &session,
-        "SELECT * FROM session WHERE token=$1",
-        token,
-    )
-    if err != nil {
-        return nil, err
-    }
-
-    if session.AccountID.Valid {
-        session.Account, err = GetAccountByID(db, session.AccountID.String)
-        if err != nil {
-            return nil, err
-        }
-    }
-
-    if session.AttemptAccountID.Valid {
-        session.AttemptAccount, err = GetAccountByID(db, session.AttemptAccountID.String)
-        if err != nil {
-            return nil, err
-        }
-    }
-
-    return &session.Session, err
-}
-
-// func GetAllSessionsForAccount(db *sqlx.DB, accountID string) ([]model.Session, error) {
-//     sessions := []model.Session{}
-//     err := db.Select(&sessions, "SELECT * FROM session WHERE account=$1 AND expires_at>current_timestamp", accountID)
-//     return sessions, err
-// }
-
-func DeleteAllSessionsForAccount(db *sqlx.DB, accountID string) error {
-    _, err := db.Exec("DELETE FROM session WHERE account=$1", accountID)
-    return err
-}
-
-func DeleteSession(db *sqlx.DB, token string) error {
-    _, err := db.Exec("DELETE FROM session WHERE token=$1", token)
-    return err
-}
-
diff --git a/controller/token.go b/controller/token.go
new file mode 100644
index 0000000..12982bd
--- /dev/null
+++ b/controller/token.go
@@ -0,0 +1,61 @@
+package controller
+
+import (
+	"time"
+
+	"arimelody-web/model"
+
+	"github.com/jmoiron/sqlx"
+)
+
+const TOKEN_LEN = 32
+
+func CreateToken(db *sqlx.DB, accountID string, userAgent string) (*model.Token, error) {
+    tokenString := GenerateAlnumString(TOKEN_LEN)
+
+    token := model.Token{
+        Token: string(tokenString),
+        AccountID: accountID,
+        UserAgent: userAgent,
+        CreatedAt: time.Now(),
+        ExpiresAt: time.Now().Add(time.Hour * 24),
+    }
+
+    _, err := db.Exec("INSERT INTO token " +
+        "(token, account, user_agent, created_at, expires_at) VALUES " +
+        "($1, $2, $3, $4, $5)",
+        token.Token,
+        token.AccountID,
+        token.UserAgent,
+        token.CreatedAt,
+        token.ExpiresAt,
+    )
+    if err != nil {
+        return nil, err
+    }
+
+    return &token, nil
+}
+
+func GetToken(db *sqlx.DB, token_str string) (*model.Token, error) {
+    token := model.Token{}
+    err := db.Get(&token, "SELECT * FROM token WHERE token=$1", token_str)
+    return &token, err
+}
+
+func GetAllTokensForAccount(db *sqlx.DB, accountID string) ([]model.Token, error) {
+    tokens := []model.Token{}
+    err := db.Select(&tokens, "SELECT * FROM token WHERE account=$1 AND expires_at>current_timestamp", accountID)
+    return tokens, err
+}
+
+func DeleteAllTokensForAccount(db *sqlx.DB, accountID string) error {
+    _, err := db.Exec("DELETE FROM token WHERE account=$1", accountID)
+    return err
+}
+
+func DeleteToken(db *sqlx.DB, token string) error {
+    _, err := db.Exec("DELETE FROM token WHERE token=$1", token)
+    return err
+}
+
diff --git a/controller/totp.go b/controller/totp.go
index 88f6bc3..18616da 100644
--- a/controller/totp.go
+++ b/controller/totp.go
@@ -18,8 +18,8 @@ import (
 )
 
 const TOTP_SECRET_LENGTH = 32
-const TOTP_TIME_STEP int64 = 30
-const TOTP_CODE_LENGTH = 6
+const TIME_STEP int64 = 30
+const CODE_LENGTH = 6
 
 func GenerateTOTP(secret string, timeStepOffset int) string {
     decodedSecret, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(secret)
@@ -27,7 +27,7 @@ func GenerateTOTP(secret string, timeStepOffset int) string {
         fmt.Fprintf(os.Stderr, "WARN: Invalid Base32 secret\n")
     }
 
-    counter := time.Now().Unix() / TOTP_TIME_STEP - int64(timeStepOffset)
+    counter := time.Now().Unix() / TIME_STEP - int64(timeStepOffset)
     counterBytes := make([]byte, 8)
     binary.BigEndian.PutUint64(counterBytes, uint64(counter))
 
@@ -37,9 +37,9 @@ func GenerateTOTP(secret string, timeStepOffset int) string {
 
     offset := hash[len(hash) - 1] & 0x0f
     binaryCode := int32(binary.BigEndian.Uint32(hash[offset : offset + 4]) & 0x7FFFFFFF)
-    code := binaryCode % int32(math.Pow10(TOTP_CODE_LENGTH))
+    code := binaryCode % int32(math.Pow10(CODE_LENGTH))
 
-    return fmt.Sprintf(fmt.Sprintf("%%0%dd", TOTP_CODE_LENGTH), code)
+    return fmt.Sprintf(fmt.Sprintf("%%0%dd", CODE_LENGTH), code)
 }
 
 func GenerateTOTPSecret(length int) string {
@@ -64,9 +64,9 @@ func GenerateTOTPURI(username string, secret string) string {
     query := url.Query()
     query.Set("secret", secret)
     query.Set("issuer", "arimelody.me")
-    // query.Set("algorithm", "SHA1")
-    // query.Set("digits", fmt.Sprintf("%d", TOTP_CODE_LENGTH))
-    // query.Set("period", fmt.Sprintf("%d", TOTP_TIME_STEP))
+    query.Set("algorithm", "SHA1")
+    query.Set("digits", fmt.Sprintf("%d", CODE_LENGTH))
+    query.Set("period", fmt.Sprintf("%d", TIME_STEP))
     url.RawQuery = query.Encode()
 
     return url.String()
@@ -78,7 +78,7 @@ func GetTOTPsForAccount(db *sqlx.DB, accountID string) ([]model.TOTP, error) {
     err := db.Select(
         &totps,
         "SELECT * FROM totp " +
-        "WHERE account=$1 AND confirmed=true " +
+        "WHERE account=$1 " +
         "ORDER BY created_at ASC",
         accountID,
     )
@@ -89,36 +89,14 @@ func GetTOTPsForAccount(db *sqlx.DB, accountID string) ([]model.TOTP, error) {
     return totps, nil
 }
 
-func CheckTOTPForAccount(db *sqlx.DB, accountID string, totp string) (*model.TOTP, error) {
-    totps, err := GetTOTPsForAccount(db, accountID)
-    if err != nil {
-        return nil, err
-    }
-    for _, method := range totps {
-        check := GenerateTOTP(method.Secret, 0)
-        if check == totp {
-            return &method, nil
-        }
-        // try again with offset- maybe user input the code late?
-        check = GenerateTOTP(method.Secret, 1)
-        if check == totp {
-            return &method, nil
-        }
-    }
-    // user failed all TOTP checks
-    // note: this state will still occur even if the account has no TOTP methods.
-    return nil, nil
-}
-
 func GetTOTP(db *sqlx.DB, accountID string, name string) (*model.TOTP, error) {
     totp := model.TOTP{}
 
     err := db.Get(
         &totp,
         "SELECT * FROM totp " +
-        "WHERE account=$1 AND name=$2",
+        "WHERE account=$1",
         accountID,
-        name,
     )
     if err != nil {
         if strings.Contains(err.Error(), "no rows") {
@@ -130,15 +108,6 @@ func GetTOTP(db *sqlx.DB, accountID string, name string) (*model.TOTP, error) {
     return &totp, nil
 }
 
-func ConfirmTOTP(db *sqlx.DB, accountID string, name string) error {
-    _, err := db.Exec(
-        "UPDATE totp SET confirmed=true WHERE account=$1 AND name=$2",
-        accountID,
-        name,
-    )
-    return err
-}
-
 func CreateTOTP(db *sqlx.DB, totp *model.TOTP) error {
     _, err := db.Exec(
         "INSERT INTO totp (account, name, secret) " +
@@ -158,8 +127,3 @@ func DeleteTOTP(db *sqlx.DB, accountID string, name string) error {
     )
     return err
 }
-
-func DeleteUnconfirmedTOTPs(db *sqlx.DB) error {
-    _, err := db.Exec("DELETE FROM totp WHERE confirmed=false")
-    return err
-}
diff --git a/go.mod b/go.mod
index f8717a2..73a1cf1 100644
--- a/go.mod
+++ b/go.mod
@@ -8,8 +8,4 @@ require (
 )
 
 require golang.org/x/crypto v0.27.0 // indirect
-
-require (
-	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
-	github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e // indirect
-)
+require github.com/pelletier/go-toml/v2 v2.2.3 // indirect
diff --git a/go.sum b/go.sum
index 15259a1..35e1b20 100644
--- a/go.sum
+++ b/go.sum
@@ -8,9 +8,7 @@ github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
 github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
-github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
-github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc=
-github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e h1:MRM5ITcdelLK2j1vwZ3Je0FKVCfqOLp5zO6trqMLYs0=
-github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e/go.mod h1:XV66xRDqSt+GTGFMVlhk3ULuV0y9ZmzeVGR4mloJI3M=
 golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A=
 golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70=
+github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
+github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc=
diff --git a/main.go b/main.go
index 7e8e06f..23fc997 100644
--- a/main.go
+++ b/main.go
@@ -4,7 +4,6 @@ import (
 	"errors"
 	"fmt"
 	"log"
-	"math"
 	"math/rand"
 	"net/http"
 	"os"
@@ -23,7 +22,6 @@ import (
 
 	"github.com/jmoiron/sqlx"
 	_ "github.com/lib/pq"
-	"golang.org/x/crypto/bcrypt"
 )
 
 // used for database migrations
@@ -89,19 +87,19 @@ func main() {
             }
             username := os.Args[2]
             totpName := os.Args[3]
+            secret := controller.GenerateTOTPSecret(controller.TOTP_SECRET_LENGTH)
 
-            account, err := controller.GetAccountByUsername(app.DB, username)
+            account, err := controller.GetAccount(app.DB, username)
             if err != nil {
-                fmt.Fprintf(os.Stderr, "FATAL: Failed to fetch account \"%s\": %v\n", username, err)
+                fmt.Fprintf(os.Stderr, "Failed to fetch account \"%s\": %v\n", username, err)
                 os.Exit(1)
             }
 
             if account == nil {
-                fmt.Fprintf(os.Stderr, "FATAL: Account \"%s\" does not exist.\n", username)
+                fmt.Fprintf(os.Stderr, "Account \"%s\" does not exist.\n", username)
                 os.Exit(1)
             }
 
-            secret := controller.GenerateTOTPSecret(controller.TOTP_SECRET_LENGTH)
             totp := model.TOTP {
                 AccountID: account.ID,
                 Name: totpName,
@@ -110,11 +108,7 @@ func main() {
 
             err = controller.CreateTOTP(app.DB, &totp)
             if err != nil {
-                if strings.HasPrefix(err.Error(), "pq: duplicate key") {
-                    fmt.Fprintf(os.Stderr, "FATAL: Account \"%s\" already has a TOTP method named \"%s\"!\n", account.Username, totp.Name)
-                    os.Exit(1)
-                }
-                fmt.Fprintf(os.Stderr, "FATAL: Failed to create TOTP method: %v\n", err)
+                fmt.Fprintf(os.Stderr, "Failed to create TOTP method: %v\n", err)
                 os.Exit(1)
             }
 
@@ -130,20 +124,20 @@ func main() {
             username := os.Args[2]
             totpName := os.Args[3]
 
-            account, err := controller.GetAccountByUsername(app.DB, username)
+            account, err := controller.GetAccount(app.DB, username)
             if err != nil {
-                fmt.Fprintf(os.Stderr, "FATAL: Failed to fetch account \"%s\": %v\n", username, err)
+                fmt.Fprintf(os.Stderr, "Failed to fetch account \"%s\": %v\n", username, err)
                 os.Exit(1)
             }
 
             if account == nil {
-                fmt.Fprintf(os.Stderr, "FATAL: Account \"%s\" does not exist.\n", username)
+                fmt.Fprintf(os.Stderr, "Account \"%s\" does not exist.\n", username)
                 os.Exit(1)
             }
 
             err = controller.DeleteTOTP(app.DB, account.ID, totpName)
             if err != nil {
-                fmt.Fprintf(os.Stderr, "FATAL: Failed to create TOTP method: %v\n", err)
+                fmt.Fprintf(os.Stderr, "Failed to create TOTP method: %v\n", err)
                 os.Exit(1)
             }
 
@@ -157,20 +151,20 @@ func main() {
             }
             username := os.Args[2]
 
-            account, err := controller.GetAccountByUsername(app.DB, username)
+            account, err := controller.GetAccount(app.DB, username)
             if err != nil {
-                fmt.Fprintf(os.Stderr, "FATAL: Failed to fetch account \"%s\": %v\n", username, err)
+                fmt.Fprintf(os.Stderr, "Failed to fetch account \"%s\": %v\n", username, err)
                 os.Exit(1)
             }
 
             if account == nil {
-                fmt.Fprintf(os.Stderr, "FATAL: Account \"%s\" does not exist.\n", username)
+                fmt.Fprintf(os.Stderr, "Account \"%s\" does not exist.\n", username)
                 os.Exit(1)
             }
 
             totps, err := controller.GetTOTPsForAccount(app.DB, account.ID)
             if err != nil {
-                fmt.Fprintf(os.Stderr, "FATAL: Failed to create TOTP methods: %v\n", err)
+                fmt.Fprintf(os.Stderr, "Failed to create TOTP methods: %v\n", err)
                 os.Exit(1)
             }
 
@@ -190,61 +184,48 @@ func main() {
             username := os.Args[2]
             totpName := os.Args[3]
 
-            account, err := controller.GetAccountByUsername(app.DB, username)
+            account, err := controller.GetAccount(app.DB, username)
             if err != nil {
-                fmt.Fprintf(os.Stderr, "FATAL: Failed to fetch account \"%s\": %v\n", username, err)
+                fmt.Fprintf(os.Stderr, "Failed to fetch account \"%s\": %v\n", username, err)
                 os.Exit(1)
             }
 
             if account == nil {
-                fmt.Fprintf(os.Stderr, "FATAL: Account \"%s\" does not exist.\n", username)
+                fmt.Fprintf(os.Stderr, "Account \"%s\" does not exist.\n", username)
                 os.Exit(1)
             }
 
             totp, err := controller.GetTOTP(app.DB, account.ID, totpName)
             if err != nil {
-                fmt.Fprintf(os.Stderr, "FATAL: Failed to fetch TOTP method \"%s\": %v\n", totpName, err)
+                fmt.Fprintf(os.Stderr, "Failed to fetch TOTP method \"%s\": %v\n", totpName, err)
                 os.Exit(1)
             }
 
             if totp == nil {
-                fmt.Fprintf(os.Stderr, "FATAL: TOTP method \"%s\" does not exist for account \"%s\"\n", totpName, username)
+                fmt.Fprintf(os.Stderr, "TOTP method \"%s\" does not exist for account \"%s\"\n", totpName, username)
                 os.Exit(1)
             }
 
             code := controller.GenerateTOTP(totp.Secret, 0)
             fmt.Printf("%s\n", code)
             return
-        
-        case "cleanTOTP":
-            err := controller.DeleteUnconfirmedTOTPs(app.DB)
-            if err != nil {
-                fmt.Fprintf(os.Stderr, "FATAL: Failed to clean up TOTP methods: %v\n", err)
-                os.Exit(1)
-            }
-            fmt.Printf("Cleaned up dangling TOTP methods successfully.\n")
-            return
 
         case "createInvite":
             fmt.Printf("Creating invite...\n")
             invite, err := controller.CreateInvite(app.DB, 16, time.Hour * 24)
             if err != nil {
-                fmt.Fprintf(os.Stderr, "FATAL: Failed to create invite code: %v\n", err)
+                fmt.Fprintf(os.Stderr, "Failed to create invite code: %v\n", err)
                 os.Exit(1)
             }
 
-            fmt.Printf(
-                "Here you go! This code expires in %d hours: %s\n",
-                int(math.Ceil(invite.ExpiresAt.Sub(invite.CreatedAt).Hours())),
-                invite.Code,
-            )
+            fmt.Printf("Here you go! This code expires in 24 hours: %s\n", invite.Code)
             return
 
         case "purgeInvites":
             fmt.Printf("Deleting all invites...\n")
             err := controller.DeleteAllInvites(app.DB)
             if err != nil {
-                fmt.Fprintf(os.Stderr, "FATAL: Failed to delete invites: %v\n", err)
+                fmt.Fprintf(os.Stderr, "Failed to delete invites: %v\n", err)
                 os.Exit(1)
             }
 
@@ -254,13 +235,11 @@ func main() {
         case "listAccounts":
             accounts, err := controller.GetAllAccounts(app.DB)
             if err != nil {
-                fmt.Fprintf(os.Stderr, "FATAL: Failed to fetch accounts: %v\n", err)
+                fmt.Fprintf(os.Stderr, "Failed to fetch accounts: %v\n", err)
                 os.Exit(1)
             }
 
             for _, account := range accounts {
-                email := "<none>"
-                if account.Email.Valid { email = account.Email.String }
                 fmt.Printf(
                     "User: %s\n" +
                     "\tID: %s\n" +
@@ -268,45 +247,12 @@ func main() {
                     "\tCreated: %s\n",
                     account.Username,
                     account.ID,
-                    email,
+                    account.Email,
                     account.CreatedAt,
                 )
             }
             return
 
-        case "changePassword":
-            if len(os.Args) < 4 {
-                fmt.Fprintf(os.Stderr, "FATAL: `username` and `password` must be specified for changePassword\n")
-                os.Exit(1)
-            }
-
-            username := os.Args[2]
-            password := os.Args[3]
-            account, err := controller.GetAccountByUsername(app.DB, username)
-            if err != nil {
-                fmt.Fprintf(os.Stderr, "FATAL: Failed to fetch account \"%s\": %v\n", username, err)
-                os.Exit(1)
-            }
-            if account == nil {
-                fmt.Fprintf(os.Stderr, "FATAL: Account \"%s\" does not exist.\n", username)
-                os.Exit(1)
-            }
-
-            hashedPassword, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
-            if err != nil {
-                fmt.Fprintf(os.Stderr, "FATAL: Failed to update password: %v\n", err)
-                os.Exit(1)
-            }
-            account.Password = string(hashedPassword)
-            err = controller.UpdateAccount(app.DB, account)
-            if err != nil {
-                fmt.Fprintf(os.Stderr, "FATAL: Failed to delete account: %v\n", err)
-                os.Exit(1)
-            }
-
-            fmt.Printf("Account \"%s\" deleted successfully.\n", account.Username)
-            return
-
         case "deleteAccount":
             if len(os.Args) < 3 {
                 fmt.Fprintf(os.Stderr, "FATAL: `username` must be specified for deleteAccount\n")
@@ -315,14 +261,14 @@ func main() {
             username := os.Args[2]
             fmt.Printf("Deleting account \"%s\"...\n", username)
 
-            account, err := controller.GetAccountByUsername(app.DB, username)
+            account, err := controller.GetAccount(app.DB, username)
             if err != nil {
-                fmt.Fprintf(os.Stderr, "FATAL: Failed to fetch account \"%s\": %v\n", username, err)
+                fmt.Fprintf(os.Stderr, "Failed to fetch account \"%s\": %v\n", username, err)
                 os.Exit(1)
             }
 
             if account == nil {
-                fmt.Fprintf(os.Stderr, "FATAL: Account \"%s\" does not exist.\n", username)
+                fmt.Fprintf(os.Stderr, "Account \"%s\" does not exist.\n", username)
                 os.Exit(1)
             }
 
@@ -333,9 +279,9 @@ func main() {
                 return
             }
             
-            err = controller.DeleteAccount(app.DB, account.ID)
+            err = controller.DeleteAccount(app.DB, username)
             if err != nil {
-                fmt.Fprintf(os.Stderr, "FATAL: Failed to delete account: %v\n", err)
+                fmt.Fprintf(os.Stderr, "Failed to delete account: %v\n", err)
                 os.Exit(1)
             }
 
@@ -351,7 +297,6 @@ func main() {
             "listTOTP <username>:\n\tLists an account's TOTP methods.\n" +
             "deleteTOTP <username> <name>:\n\tDeletes an account's TOTP method.\n" +
             "testTOTP <username> <name>:\n\tGenerates the code for an account's TOTP method.\n" +
-            "cleanTOTP:\n\tCleans up unconfirmed (dangling) TOTP methods.\n" +
             "\n" +
             "createInvite:\n\tCreates an invite code to register new accounts.\n" +
             "purgeInvites:\n\tDeletes all available invite codes.\n" +
@@ -391,18 +336,11 @@ func main() {
         os.Exit(1)
     }
 
-    // clean up unconfirmed TOTP methods
-    err = controller.DeleteUnconfirmedTOTPs(app.DB)
-    if err != nil {
-        fmt.Fprintf(os.Stderr, "FATAL: Failed to clean up unconfirmed TOTP methods: %v\n", err)
-        os.Exit(1)
-    }
-
     // start the web server!
     mux := createServeMux(&app)
-    fmt.Printf("Now serving at http://%s:%d\n", app.Config.Host, app.Config.Port)
+    fmt.Printf("Now serving at %s:%d\n", app.Config.BaseUrl, app.Config.Port)
     log.Fatal(
-        http.ListenAndServe(fmt.Sprintf("%s:%d", app.Config.Host, app.Config.Port), 
+        http.ListenAndServe(fmt.Sprintf(":%d", app.Config.Port), 
         HTTPLog(DefaultHeaders(mux)),
     ))
 }
@@ -421,7 +359,7 @@ func createServeMux(app *model.AppState) *http.ServeMux {
         }
 
         if r.URL.Path == "/" || r.URL.Path == "/index.html" {
-            err := templates.IndexTemplate.Execute(w, nil)
+            err := templates.Pages["index"].Execute(w, nil)
             if err != nil {
                 http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
             }
diff --git a/model/account.go b/model/account.go
index 166e880..72720a0 100644
--- a/model/account.go
+++ b/model/account.go
@@ -1,20 +1,17 @@
 package model
 
-import (
-	"database/sql"
-	"time"
-)
+import "time"
 
-const COOKIE_TOKEN string = "AM_SESSION"
+const COOKIE_TOKEN string = "AM_TOKEN"
 
 type (
     Account struct {
-        ID          string          `json:"id" db:"id"`
-        Username    string          `json:"username" db:"username"`
-        Password    string          `json:"password" db:"password"`
-        Email       sql.NullString  `json:"email" db:"email"`
-        AvatarURL   sql.NullString  `json:"avatar_url" db:"avatar_url"`
-        CreatedAt   time.Time       `json:"created_at" db:"created_at"`
+        ID          string      `json:"id" db:"id"`
+        Username    string      `json:"username" db:"username"`
+        Password    string      `json:"password" db:"password"`
+        Email       string      `json:"email" db:"email"`
+        AvatarURL   string      `json:"avatar_url" db:"avatar_url"`
+        CreatedAt   time.Time   `json:"created_at" db:"created_at"`
 
         Privileges  []AccountPrivilege  `json:"privileges"`
     }
diff --git a/model/appstate.go b/model/appstate.go
index 6a965d5..08016b7 100644
--- a/model/appstate.go
+++ b/model/appstate.go
@@ -19,7 +19,6 @@ type (
 
     Config struct {
         BaseUrl string `toml:"base_url" comment:"Used for OAuth redirects."`
-        Host string `toml:"host"`
         Port int64 `toml:"port"`
         DataDirectory string `toml:"data_dir"`
         DB DBConfig `toml:"db"`
diff --git a/model/session.go b/model/session.go
deleted file mode 100644
index de016e1..0000000
--- a/model/session.go
+++ /dev/null
@@ -1,18 +0,0 @@
-package model
-
-import (
-	"database/sql"
-	"time"
-)
-
-type Session struct {
-    Token string `json:"-" db:"token"`
-    UserAgent string `json:"user_agent" db:"user_agent"`
-    CreatedAt time.Time `json:"created_at" db:"created_at"`
-    ExpiresAt time.Time `json:"-" db:"expires_at"`
-
-    Account *Account `json:"-" db:"-"`
-    AttemptAccount *Account `json:"-" db:"-"`
-    Message sql.NullString `json:"-" db:"message"`
-    Error sql.NullString `json:"-" db:"error"`
-}
diff --git a/model/token.go b/model/token.go
new file mode 100644
index 0000000..31beb72
--- /dev/null
+++ b/model/token.go
@@ -0,0 +1,11 @@
+package model
+
+import "time"
+
+type Token struct {
+    Token string `json:"token" db:"token"`
+    AccountID string `json:"-" db:"account"`
+    UserAgent string `json:"user_agent" db:"user_agent"`
+    CreatedAt time.Time `json:"created_at" db:"created_at"`
+    ExpiresAt time.Time `json:"expires_at" db:"expires_at"`
+}
diff --git a/model/totp.go b/model/totp.go
index cfad10a..8d8422f 100644
--- a/model/totp.go
+++ b/model/totp.go
@@ -9,5 +9,4 @@ type TOTP struct {
     AccountID   string      `json:"accountID" db:"account"`
     Secret      string      `json:"-" db:"secret"`
     CreatedAt   time.Time   `json:"created_at" db:"created_at"`
-    Confirmed   bool        `json:"-" db:"confirmed"`
 }
diff --git a/model/track.go b/model/track.go
index ca54ddd..d44c224 100644
--- a/model/track.go
+++ b/model/track.go
@@ -12,8 +12,6 @@ type (
 		Description string  `json:"description"`
         Lyrics      string  `json:"lyrics" db:"lyrics"`
 		PreviewURL  string  `json:"previewURL" db:"preview_url"`
-
-        Number      int
 	}
 )
 
diff --git a/public/style/footer.css b/public/style/footer.css
index d9682b1..72cdebb 100644
--- a/public/style/footer.css
+++ b/public/style/footer.css
@@ -1,11 +1,11 @@
 footer {
-    border-top: 1px solid #8888;
+        border-top: 1px solid #888;
 }
 
 #footer {
-    width: 	min(calc(100% - 4rem), 720px);
-    margin: auto;
-    padding: 2rem 0;
-    color: #aaa;
+        width: 	min(calc(100% - 4rem), 720px);
+        margin: auto;
+        padding: 2rem 0;
+        color: #aaa;
 }
 
diff --git a/public/style/index.css b/public/style/index.css
index f3cb761..363c381 100644
--- a/public/style/index.css
+++ b/public/style/index.css
@@ -91,7 +91,7 @@ hr {
     text-align: center;
     line-height: 0px;
     border-width: 1px 0 0 0;
-    border-color: #888;
+    border-color: #888f;
     margin: 1.5em 0;
     overflow: visible;
 }
diff --git a/schema-migration/000-init.sql b/schema_migration/000-init.sql
similarity index 80%
rename from schema-migration/000-init.sql
rename to schema_migration/000-init.sql
index 42b982a..3f4c723 100644
--- a/schema-migration/000-init.sql
+++ b/schema_migration/000-init.sql
@@ -1,53 +1,51 @@
+CREATE SCHEMA IF NOT EXISTS arimelody;
+
 --
 -- Tables
 --
 
 -- Accounts
 CREATE TABLE arimelody.account (
-    id UUID DEFAULT gen_random_uuid(), 
-    username TEXT NOT NULL UNIQUE, 
-    password TEXT NOT NULL, 
-    email TEXT,
-    avatar_url TEXT,
+    id uuid DEFAULT gen_random_uuid(), 
+    username text NOT NULL UNIQUE, 
+    password text NOT NULL, 
+    email text, 
+    avatar_url text,
     created_at TIMESTAMP DEFAULT current_timestamp
 );
 ALTER TABLE arimelody.account ADD CONSTRAINT account_pk PRIMARY KEY (id);
 
 -- Privilege
 CREATE TABLE arimelody.privilege (
-    account UUID NOT NULL, 
-    privilege TEXT NOT NULL
+    account uuid NOT NULL, 
+    privilege text NOT NULL
 );
 ALTER TABLE arimelody.privilege ADD CONSTRAINT privilege_pk PRIMARY KEY (account, privilege);
 
 -- Invites
 CREATE TABLE arimelody.invite (
     code text NOT NULL, 
-    created_at TIMESTAMP NOT NULL DEFAULT current_timestamp, 
+    created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, 
     expires_at TIMESTAMP NOT NULL
 );
 ALTER TABLE arimelody.invite ADD CONSTRAINT invite_pk PRIMARY KEY (code);
 
--- Sessions
-CREATE TABLE arimelody.session (
+-- Tokens
+CREATE TABLE arimelody.token (
     token TEXT,
+    account UUID NOT NULL,
     user_agent TEXT NOT NULL,
     created_at TIMESTAMP NOT NULL DEFAULT current_timestamp,
-    expires_at TIMESTAMP DEFAULT NULL,
-    account UUID,
-    attempt_account UUID,
-    message TEXT,
-    error TEXT
+    expires_at TIMESTAMP DEFAULT NULL
 );
-ALTER TABLE arimelody.session ADD CONSTRAINT session_pk PRIMARY KEY (token);
+ALTER TABLE arimelody.token ADD CONSTRAINT token_pk PRIMARY KEY (token);
 
--- TOTP methods
+-- TOTPs
 CREATE TABLE arimelody.totp (
     name TEXT NOT NULL,
     account UUID NOT NULL,
     secret TEXT,
-    created_at TIMESTAMP NOT NULL DEFAULT current_timestamp,
-    confirmed BOOLEAN DEFAULT false
+    created_at TIMESTAMP NOT NULL DEFAULT current_timestamp
 );
 ALTER TABLE arimelody.totp ADD CONSTRAINT totp_pk PRIMARY KEY (account, name);
 
@@ -120,8 +118,7 @@ ALTER TABLE arimelody.musicreleasetrack ADD CONSTRAINT musicreleasetrack_pk PRIM
 --
 
 ALTER TABLE arimelody.privilege ADD CONSTRAINT privilege_account_fk FOREIGN KEY (account) REFERENCES account(id) ON DELETE CASCADE;
-ALTER TABLE arimelody.session ADD CONSTRAINT session_account_fk FOREIGN KEY (account) REFERENCES account(id) ON DELETE CASCADE;
-ALTER TABLE arimelody.session ADD CONSTRAINT session_attempt_account_fk FOREIGN KEY (account) REFERENCES account(id) ON DELETE CASCADE;
+ALTER TABLE arimelody.token ADD CONSTRAINT token_account_fk FOREIGN KEY (account) REFERENCES account(id) ON DELETE CASCADE;
 ALTER TABLE arimelody.totp ADD CONSTRAINT totp_account_fk FOREIGN KEY (account) REFERENCES account(id) ON DELETE CASCADE;
 
 ALTER TABLE arimelody.musiccredit ADD CONSTRAINT musiccredit_artist_fk FOREIGN KEY (artist) REFERENCES artist(id) ON DELETE CASCADE ON UPDATE CASCADE;
diff --git a/schema-migration/001-pre-versioning.sql b/schema_migration/001-pre-versioning.sql
similarity index 51%
rename from schema-migration/001-pre-versioning.sql
rename to schema_migration/001-pre-versioning.sql
index 1447bae..62bc15b 100644
--- a/schema-migration/001-pre-versioning.sql
+++ b/schema_migration/001-pre-versioning.sql
@@ -1,58 +1,67 @@
+--
+-- Migration
+--
+
+-- Move existing tables to new schema
+ALTER TABLE public.artist SET SCHEMA arimelody;
+ALTER TABLE public.musicrelease SET SCHEMA arimelody;
+ALTER TABLE public.musiclink SET SCHEMA arimelody;
+ALTER TABLE public.musiccredit SET SCHEMA arimelody;
+ALTER TABLE public.musictrack SET SCHEMA arimelody;
+ALTER TABLE public.musicreleasetrack SET SCHEMA arimelody;
+
+
+
 --
 -- New items
 --
 
--- Accounts
+-- Acounts
 CREATE TABLE arimelody.account (
-    id UUID DEFAULT gen_random_uuid(), 
-    username TEXT NOT NULL UNIQUE, 
-    password TEXT NOT NULL, 
-    email TEXT,
-    avatar_url TEXT,
+    id uuid DEFAULT gen_random_uuid(), 
+    username text NOT NULL UNIQUE, 
+    password text NOT NULL, 
+    email text, 
+    avatar_url text,
     created_at TIMESTAMP DEFAULT current_timestamp
 );
 ALTER TABLE arimelody.account ADD CONSTRAINT account_pk PRIMARY KEY (id);
 
 -- Privilege
 CREATE TABLE arimelody.privilege (
-    account UUID NOT NULL, 
-    privilege TEXT NOT NULL
+    account uuid NOT NULL, 
+    privilege text NOT NULL
 );
 ALTER TABLE arimelody.privilege ADD CONSTRAINT privilege_pk PRIMARY KEY (account, privilege);
 
 -- Invites
 CREATE TABLE arimelody.invite (
     code text NOT NULL, 
-    created_at TIMESTAMP NOT NULL DEFAULT current_timestamp, 
+    created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, 
     expires_at TIMESTAMP NOT NULL
 );
 ALTER TABLE arimelody.invite ADD CONSTRAINT invite_pk PRIMARY KEY (code);
 
--- Sessions
-CREATE TABLE arimelody.session (
+-- Tokens
+CREATE TABLE arimelody.token (
     token TEXT,
+    account UUID NOT NULL,
     user_agent TEXT NOT NULL,
     created_at TIMESTAMP NOT NULL DEFAULT current_timestamp,
-    expires_at TIMESTAMP DEFAULT NULL,
-    account UUID,
-    attempt_account UUID,
-    message TEXT,
-    error TEXT
+    expires_at TIMESTAMP DEFAULT NULL
 );
-ALTER TABLE arimelody.session ADD CONSTRAINT session_pk PRIMARY KEY (token);
+ALTER TABLE arimelody.token ADD CONSTRAINT token_pk PRIMARY KEY (token);
 
--- TOTP methods
+-- TOTPs
 CREATE TABLE arimelody.totp (
     name TEXT NOT NULL,
     account UUID NOT NULL,
     secret TEXT,
-    created_at TIMESTAMP NOT NULL DEFAULT current_timestamp,
-    confirmed BOOLEAN DEFAULT false
+    created_at TIMESTAMP NOT NULL DEFAULT current_timestamp
 );
 ALTER TABLE arimelody.totp ADD CONSTRAINT totp_pk PRIMARY KEY (account, name);
 
 -- Foreign keys
 ALTER TABLE arimelody.privilege ADD CONSTRAINT privilege_account_fk FOREIGN KEY (account) REFERENCES account(id) ON DELETE CASCADE;
-ALTER TABLE arimelody.session ADD CONSTRAINT session_account_fk FOREIGN KEY (account) REFERENCES account(id) ON DELETE CASCADE;
-ALTER TABLE arimelody.session ADD CONSTRAINT session_attempt_account_fk FOREIGN KEY (account) REFERENCES account(id) ON DELETE CASCADE;
+ALTER TABLE arimelody.token ADD CONSTRAINT token_account_fk FOREIGN KEY (account) REFERENCES account(id) ON DELETE CASCADE;
 ALTER TABLE arimelody.totp ADD CONSTRAINT totp_account_fk FOREIGN KEY (account) REFERENCES account(id) ON DELETE CASCADE;
diff --git a/templates/templates.go b/templates/templates.go
index 8d1a5ca..094e61d 100644
--- a/templates/templates.go
+++ b/templates/templates.go
@@ -5,24 +5,29 @@ import (
 	"path/filepath"
 )
 
-var IndexTemplate = template.Must(template.ParseFiles(
-    filepath.Join("views", "layout.html"),
-    filepath.Join("views", "header.html"),
-    filepath.Join("views", "footer.html"),
-    filepath.Join("views", "prideflag.html"),
-    filepath.Join("views", "index.html"),
-))
-var MusicTemplate = template.Must(template.ParseFiles(
-    filepath.Join("views", "layout.html"),
-    filepath.Join("views", "header.html"),
-    filepath.Join("views", "footer.html"),
-    filepath.Join("views", "prideflag.html"),
-    filepath.Join("views", "music.html"),
-))
-var MusicGatewayTemplate = template.Must(template.ParseFiles(
-    filepath.Join("views", "layout.html"),
-    filepath.Join("views", "header.html"),
-    filepath.Join("views", "footer.html"),
-    filepath.Join("views", "prideflag.html"),
-    filepath.Join("views", "music-gateway.html"),
-))
+var Pages = map[string]*template.Template{
+    "index": template.Must(template.ParseFiles(
+        filepath.Join("views", "layout.html"),
+        filepath.Join("views", "header.html"),
+        filepath.Join("views", "footer.html"),
+        filepath.Join("views", "prideflag.html"),
+        filepath.Join("views", "index.html"),
+    )),
+    "music": template.Must(template.ParseFiles(
+        filepath.Join("views", "layout.html"),
+        filepath.Join("views", "header.html"),
+        filepath.Join("views", "footer.html"),
+        filepath.Join("views", "prideflag.html"),
+        filepath.Join("views", "music.html"),
+    )),
+    "music-gateway": template.Must(template.ParseFiles(
+        filepath.Join("views", "layout.html"),
+        filepath.Join("views", "header.html"),
+        filepath.Join("views", "footer.html"),
+        filepath.Join("views", "prideflag.html"),
+        filepath.Join("views", "music-gateway.html"),
+    )),
+}
+
+var Components = map[string]*template.Template{
+}
diff --git a/view/music.go b/view/music.go
index 89e428c..cae325f 100644
--- a/view/music.go
+++ b/view/music.go
@@ -48,7 +48,7 @@ func ServeCatalog(app *model.AppState) http.Handler {
             }
         }
 
-        err = templates.MusicTemplate.Execute(w, releases)
+        err = templates.Pages["music"].Execute(w, releases)
         if err != nil {
             http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
         }
@@ -60,14 +60,13 @@ func ServeGateway(app *model.AppState, release *model.Release) http.Handler {
         // only allow authorised users to view hidden releases
         privileged := false
         if !release.Visible {
-            session, err := controller.GetSessionFromRequest(app.DB, r)
+            account, err := controller.GetAccountByRequest(app.DB, r)
             if err != nil {
-                fmt.Fprintf(os.Stderr, "WARN: Failed to retrieve session: %v\n", err)
+                fmt.Fprintf(os.Stderr, "WARN: Failed to fetch account: %v\n", err)
                 http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
                 return
             }
-
-            if session != nil && session.Account != nil {
+            if account != nil {
                 // TODO: check privilege on release
                 privileged = true
             }
@@ -86,7 +85,7 @@ func ServeGateway(app *model.AppState, release *model.Release) http.Handler {
             response.Links = release.Links
         }
 
-        err := templates.MusicGatewayTemplate.Execute(w, response)
+        err := templates.Pages["music-gateway"].Execute(w, response)
 
         if err != nil {
             fmt.Printf("Error rendering music gateway for %s: %s\n", release.ID, err)