diff --git a/app.db b/app.db
index 559ab6f..a4b9ca8 100644
Binary files a/app.db and b/app.db differ
diff --git a/src/main/java/com/iflytop/digester/controller/DigestionTaskController.java b/src/main/java/com/iflytop/digester/controller/DigestionTaskController.java
index 8d94a18..073836f 100644
--- a/src/main/java/com/iflytop/digester/controller/DigestionTaskController.java
+++ b/src/main/java/com/iflytop/digester/controller/DigestionTaskController.java
@@ -4,8 +4,8 @@ import com.iflytop.digester.DigestionTaskTheadManager;
 import com.iflytop.digester.model.MdbDigestionSolution;
 import com.iflytop.digester.underframework.dao.record.UfActiveRecord;
 import com.iflytop.digester.underframework.util.UfJsonHelper;
-import com.iflytop.digester.underframework.web.api.UfApiControllerBase;
-import com.iflytop.digester.underframework.web.api.UfApiResponse;
+import com.iflytop.digester.underframework.controller.UfApiControllerBase;
+import com.iflytop.digester.underframework.controller.UfApiResponse;
 import jakarta.annotation.Resource;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.PostMapping;
diff --git a/src/main/java/com/iflytop/digester/underframework/web/api/TsApiActuator.java b/src/main/java/com/iflytop/digester/underframework/controller/TsApiActuator.java
similarity index 96%
rename from src/main/java/com/iflytop/digester/underframework/web/api/TsApiActuator.java
rename to src/main/java/com/iflytop/digester/underframework/controller/TsApiActuator.java
index 2c2800f..e4b2c98 100644
--- a/src/main/java/com/iflytop/digester/underframework/web/api/TsApiActuator.java
+++ b/src/main/java/com/iflytop/digester/underframework/controller/TsApiActuator.java
@@ -1,4 +1,4 @@
-package com.iflytop.digester.underframework.web.api;
+package com.iflytop.digester.underframework.controller;
 import com.iflytop.digester.underframework.dao.record.UfActiveRecord;
 import com.iflytop.digester.underframework.dao.record.UfActiveRecordCriteria;
 import com.iflytop.digester.underframework.dao.model.TsMdbActuator;
diff --git a/src/main/java/com/iflytop/digester/underframework/web/api/TsApiActuatorCommand.java b/src/main/java/com/iflytop/digester/underframework/controller/TsApiActuatorCommand.java
similarity index 97%
rename from src/main/java/com/iflytop/digester/underframework/web/api/TsApiActuatorCommand.java
rename to src/main/java/com/iflytop/digester/underframework/controller/TsApiActuatorCommand.java
index 19e2aea..961c8a4 100644
--- a/src/main/java/com/iflytop/digester/underframework/web/api/TsApiActuatorCommand.java
+++ b/src/main/java/com/iflytop/digester/underframework/controller/TsApiActuatorCommand.java
@@ -1,4 +1,4 @@
-package com.iflytop.digester.underframework.web.api;
+package com.iflytop.digester.underframework.controller;
 import com.iflytop.digester.underframework.UfActuatorCmdExecutor;
 import com.iflytop.digester.underframework.UfApplication;
 import com.iflytop.digester.underframework.dao.record.UfActiveRecord;
diff --git a/src/main/java/com/iflytop/digester/underframework/web/api/TsApiModule.java b/src/main/java/com/iflytop/digester/underframework/controller/TsApiModule.java
similarity index 95%
rename from src/main/java/com/iflytop/digester/underframework/web/api/TsApiModule.java
rename to src/main/java/com/iflytop/digester/underframework/controller/TsApiModule.java
index 278e8ee..ad591e7 100644
--- a/src/main/java/com/iflytop/digester/underframework/web/api/TsApiModule.java
+++ b/src/main/java/com/iflytop/digester/underframework/controller/TsApiModule.java
@@ -1,4 +1,4 @@
-package com.iflytop.digester.underframework.web.api;
+package com.iflytop.digester.underframework.controller;
 import com.iflytop.digester.underframework.dao.record.UfActiveRecord;
 import com.iflytop.digester.underframework.dao.model.TsMdbModule;
 import org.springframework.stereotype.Controller;
diff --git a/src/main/java/com/iflytop/digester/underframework/web/api/TsApiSnippet.java b/src/main/java/com/iflytop/digester/underframework/controller/TsApiSnippet.java
similarity index 97%
rename from src/main/java/com/iflytop/digester/underframework/web/api/TsApiSnippet.java
rename to src/main/java/com/iflytop/digester/underframework/controller/TsApiSnippet.java
index dcc87f0..9ec3e8b 100644
--- a/src/main/java/com/iflytop/digester/underframework/web/api/TsApiSnippet.java
+++ b/src/main/java/com/iflytop/digester/underframework/controller/TsApiSnippet.java
@@ -1,4 +1,4 @@
-package com.iflytop.digester.underframework.web.api;
+package com.iflytop.digester.underframework.controller;
 import com.iflytop.digester.underframework.UfCmdSnippetExecutor;
 import com.iflytop.digester.underframework.dao.record.UfActiveRecord;
 import com.iflytop.digester.underframework.dao.model.UfMdbSnippet;
diff --git a/src/main/java/com/iflytop/digester/underframework/web/api/UfApiControllerBase.java b/src/main/java/com/iflytop/digester/underframework/controller/UfApiControllerBase.java
similarity index 70%
rename from src/main/java/com/iflytop/digester/underframework/web/api/UfApiControllerBase.java
rename to src/main/java/com/iflytop/digester/underframework/controller/UfApiControllerBase.java
index 7f3c31f..9cb2173 100644
--- a/src/main/java/com/iflytop/digester/underframework/web/api/UfApiControllerBase.java
+++ b/src/main/java/com/iflytop/digester/underframework/controller/UfApiControllerBase.java
@@ -1,4 +1,11 @@
-package com.iflytop.digester.underframework.web.api;
+package com.iflytop.digester.underframework.controller;
+
+import com.iflytop.digester.underframework.dao.model.UfMdbUser;
+import com.iflytop.digester.underframework.dao.record.UfActiveRecord;
+import jakarta.servlet.http.HttpServletRequest;
+
+import java.util.Map;
+
 abstract public class UfApiControllerBase {
     /**
      * success response
@@ -51,4 +58,13 @@ abstract public class UfApiControllerBase {
         response.code = code;
         return response;
     }
+
+    // get user from request
+    protected UfMdbUser getUserFromRequest(HttpServletRequest request) {
+        String accessToken = request.getHeader("App-Access-Token");
+        if ( null == accessToken ) {
+            return null;
+        }
+        return UfActiveRecord.findOne(UfMdbUser.class, Map.of("accessToken", accessToken));
+    }
 }
diff --git a/src/main/java/com/iflytop/digester/underframework/web/api/UfApiResponse.java b/src/main/java/com/iflytop/digester/underframework/controller/UfApiResponse.java
similarity index 78%
rename from src/main/java/com/iflytop/digester/underframework/web/api/UfApiResponse.java
rename to src/main/java/com/iflytop/digester/underframework/controller/UfApiResponse.java
index 4d0a06a..3610e8b 100644
--- a/src/main/java/com/iflytop/digester/underframework/web/api/UfApiResponse.java
+++ b/src/main/java/com/iflytop/digester/underframework/controller/UfApiResponse.java
@@ -1,4 +1,4 @@
-package com.iflytop.digester.underframework.web.api;
+package com.iflytop.digester.underframework.controller;
 public class UfApiResponse {
     // success or not
     public boolean success;
diff --git a/src/main/java/com/iflytop/digester/underframework/controller/UfApiUser.java b/src/main/java/com/iflytop/digester/underframework/controller/UfApiUser.java
new file mode 100644
index 0000000..e252796
--- /dev/null
+++ b/src/main/java/com/iflytop/digester/underframework/controller/UfApiUser.java
@@ -0,0 +1,114 @@
+package com.iflytop.digester.underframework.controller;
+import com.iflytop.digester.underframework.dao.model.UfMdbUser;
+import com.iflytop.digester.underframework.dao.record.UfActiveRecord;
+import com.iflytop.digester.underframework.dao.record.UfActiveRecordCriteria;
+import jakarta.servlet.http.HttpServletRequest;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+import java.util.Map;
+import java.util.UUID;
+@Controller
+public class UfApiUser extends UfApiControllerBase {
+    @ResponseBody
+    @RequestMapping("/api/user/login")
+    public UfApiResponse login(@RequestBody Map<String,Object> params) {
+        String account = (String)params.get("account");
+        String password = (String)params.get("password");
+
+        var user = UfActiveRecord.findOne(UfMdbUser.class, Map.of("account", account));
+        if ( null == user || !user.matchPassword(password) ) {
+            return this.error("无效的账号或密码");
+        }
+
+        user.accessToken = UUID.randomUUID().toString();
+        user.accessTokenExpiredAt = (int)(System.currentTimeMillis() / 1000) + 3600 * 24;
+        user.save();
+        return this.success(Map.of(
+            "accessToken", user.accessToken,
+            "accessTokenExpiredAt", user.accessTokenExpiredAt
+        ));
+    }
+
+    @ResponseBody
+    @RequestMapping("/api/user/logout")
+    public UfApiResponse logout( HttpServletRequest request ) {
+        String accessToken = request.getHeader("App-Access-Token");
+        var user = UfActiveRecord.findOne(UfMdbUser.class, Map.of("accessToken", accessToken));
+        if ( null == user ) {
+            return this.success();
+        }
+
+        user.accessToken = "";
+        user.accessTokenExpiredAt = 0;
+        user.save();
+        return this.success();
+    }
+
+    @ResponseBody
+    @PostMapping("/api/user/save")
+    public UfApiResponse save( HttpServletRequest request, @RequestBody Map<String,Object> params ) {
+        UfMdbUser curUser = this.getUserFromRequest(request);
+        String id = (String)params.get("id");
+        Map<String,Object> data = (Map<String,Object>)params.get("data");
+
+        var user = new UfMdbUser();
+        user.password = "";
+        user.salt = UUID.randomUUID().toString().substring(0, 8);
+        user.createdAt = (int)(System.currentTimeMillis() / 1000);
+        user.createdBy = curUser.id;
+        if ( null != id ) {
+            user = UfActiveRecord.findOne(UfMdbUser.class, id);
+        }
+
+        user.setAttributes(data);
+        user.save();
+        return this.success();
+    }
+
+    @ResponseBody
+    @PostMapping("/api/user/delete")
+    public UfApiResponse delete( @RequestBody Map<String,Object> params ) {
+        String id = (String)params.get("id");
+        var user = UfActiveRecord.findOne(UfMdbUser.class, id);
+        if ( null == user ) {
+            return this.success();
+        }
+
+        user.delete();
+        return this.success();
+    }
+
+    @ResponseBody
+    @PostMapping("/api/user/password-update")
+    public UfApiResponse updatePassword( @RequestBody Map<String,Object> params ) {
+        String id = (String)params.get("id");
+        String password = (String)params.get("password");
+        var user = UfActiveRecord.findOne(UfMdbUser.class, id);
+        if ( null == user ) {
+            return this.error("无效的用户");
+        }
+        user.password = user.hashPassword(password);
+        user.save();
+        return this.success();
+    }
+
+    @ResponseBody
+    @RequestMapping("/api/user/list")
+    public UfApiResponse list() {
+        var criteria = new UfActiveRecordCriteria();
+        criteria.limit = 10;
+        var users = UfActiveRecord.find(UfMdbUser.class, criteria);
+        return this.success(Map.of("list",users));
+    }
+
+    @ResponseBody
+    @RequestMapping("/api/user/current-get")
+    public UfApiResponse currentGet( HttpServletRequest request ) {
+        String accessToken = request.getHeader("App-Access-Token");
+        var user = UfActiveRecord.findOne(UfMdbUser.class, Map.of("accessToken", accessToken));
+        return this.success(user);
+    }
+}
diff --git a/src/main/java/com/iflytop/digester/underframework/dao/model/UfMdbUser.java b/src/main/java/com/iflytop/digester/underframework/dao/model/UfMdbUser.java
new file mode 100644
index 0000000..506da4c
--- /dev/null
+++ b/src/main/java/com/iflytop/digester/underframework/dao/model/UfMdbUser.java
@@ -0,0 +1,51 @@
+package com.iflytop.digester.underframework.dao.model;
+import com.fasterxml.jackson.annotation.JsonIgnore;
+import com.iflytop.digester.underframework.dao.record.UfActiveRecord;
+import com.iflytop.digester.underframework.dao.record.UfActiveRecordField;
+import org.springframework.util.DigestUtils;
+public class UfMdbUser extends UfActiveRecord {
+    @UfActiveRecordField
+    public String account;
+
+    @JsonIgnore
+    @UfActiveRecordField
+    public String password;
+
+    @JsonIgnore
+    @UfActiveRecordField
+    public String salt;
+
+    @UfActiveRecordField
+    public Integer isAdmin;
+
+    @UfActiveRecordField
+    public Integer createdAt;
+
+    @UfActiveRecordField
+    public String createdBy;
+
+    @JsonIgnore
+    @UfActiveRecordField
+    public String accessToken;
+
+    @JsonIgnore
+    @UfActiveRecordField
+    public Integer accessTokenExpiredAt;
+
+    // get table name
+    public static String getTableName() {
+        return "app_users";
+    }
+
+    // check if password matches
+    public Boolean matchPassword(String password) {
+        String hash = this.hashPassword(password);
+        return this.password.equals(hash);
+    }
+
+    // hash password
+    public String hashPassword(String password) {
+        String salt = this.salt;
+        return DigestUtils.md5DigestAsHex((salt + password + salt).getBytes());
+    }
+}
diff --git a/web b/web
index 6c2047a..5a0d772 160000
--- a/web
+++ b/web
@@ -1 +1 @@
-Subproject commit 6c2047a06153a3328abbf4332dd3f012ae024b77
+Subproject commit 5a0d77238339189b0fc83e950c0f12d02fff9d2d