diff --git a/src/modules/rdb/http/router_auth.go b/src/modules/rdb/http/router_auth.go
index f0a3d0fb..b8186b37 100644
--- a/src/modules/rdb/http/router_auth.go
+++ b/src/modules/rdb/http/router_auth.go
@@ -29,6 +29,9 @@ var (
 	errUnsupportCaptcha = errors.New("unsupported captcha")
 	errInvalidAnswer    = errors.New("Invalid captcha answer")
 
+	// TODO: set false
+	debug = true
+
 	// https://captcha.mojotv.cn
 	captchaDirver = base64Captcha.DriverString{
 		Height:          30,
@@ -128,6 +131,7 @@ type authRedirect struct {
 
 func authAuthorizeV2(c *gin.Context) {
 	redirect := queryStr(c, "redirect", "/")
+	log.Printf("---> redirect %s", redirect)
 	ret := &authRedirect{Redirect: redirect}
 
 	username := cookieUsername(c)
@@ -236,6 +240,8 @@ func v1Login(c *gin.Context) {
 
 	user, err := authLogin(f)
 	renderData(c, *user, err)
+
+	go models.LoginLogNew(user.Username, f.RemoteAddr, "in")
 }
 
 // authLogin called by /v1/rdb/login, /api/rdb/auth/login
@@ -298,10 +304,11 @@ func v1SendLoginCodeBySms(c *gin.Context) {
 			return "", err
 		}
 
-		// log.Printf("[sms -> %s] %s", phone, buf.String())
+		if debug {
+			return fmt.Sprintf("[debug]: %s", buf.String()), nil
+		}
 
-		// TODO: remove code from msg
-		return fmt.Sprintf("[debug] msg: %s", buf.String()), nil
+		return "successed", nil
 
 	}()
 	renderData(c, msg, err)
@@ -344,22 +351,24 @@ func v1SendLoginCodeByEmail(c *gin.Context) {
 			return "", err
 		}
 
-		err := redisc.Write(&dataobj.Message{
+		if err := redisc.Write(&dataobj.Message{
 			Tos:     []string{email},
 			Content: buf.String(),
-		}, config.SMS_QUEUE_NAME)
-
-		// log.Printf("[email -> %s] %s", email, buf.String())
-
-		// TODO: remove code from msg
-		return fmt.Sprintf("[debug] msg: %s", buf.String()), err
+		}, config.SMS_QUEUE_NAME); err != nil {
+			return "", err
+		}
 
+		if debug {
+			return fmt.Sprintf("[debug]: %s", buf.String()), nil
+		}
+		return "successed", nil
 	}()
 	renderData(c, msg, err)
 }
 
 type sendRstCodeBySmsInput struct {
-	Phone string `json:"phone"`
+	Username string `json:"username"`
+	Phone    string `json:"phone"`
 }
 
 func sendRstCodeBySms(c *gin.Context) {
@@ -371,9 +380,9 @@ func sendRstCodeBySms(c *gin.Context) {
 			return "", fmt.Errorf("sms sender is disabled")
 		}
 		phone := f.Phone
-		user, _ := models.UserGet("phone=?", phone)
+		user, _ := models.UserGet("username=? and phone=?", f.Username, phone)
 		if user == nil {
-			return "", fmt.Errorf("phone %s dose not exist", phone)
+			return "", fmt.Errorf("user %s phone %s dose not exist", f.Username, phone)
 		}
 
 		// general a random code and add cache
@@ -402,51 +411,61 @@ func sendRstCodeBySms(c *gin.Context) {
 			return "", err
 		}
 
-		// log.Printf("[sms -> %s] %s", phone, buf.String())
+		if debug {
+			return fmt.Sprintf("[debug] msg: %s", buf.String()), nil
+		}
 
-		// TODO: remove code from msg
-		return fmt.Sprintf("[debug] msg: %s", buf.String()), nil
+		return "successed", nil
 
 	}()
 	renderData(c, msg, err)
 }
 
 type rstPasswordInput struct {
+	Username string `json:"username"`
 	Phone    string `json:"phone"`
 	Code     string `json:"code"`
 	Password string `json:"password"`
+	Type     string `json:"type"`
 }
 
 func rstPassword(c *gin.Context) {
-	var in loginInput
+	var in rstPasswordInput
 	bind(c, &in)
 
 	err := func() error {
-		user, _ := models.UserGet("phone=?", in.Phone)
+		user, _ := models.UserGet("username=? and phone=?", in.Username, in.Phone)
 		if user == nil {
-			return fmt.Errorf("phone %s dose not exist", in.Phone)
+			return fmt.Errorf("user's phone  not exist")
 		}
 
 		lc, err := models.LoginCodeGet("username=? and code=? and login_type=?",
 			user.Username, in.Code, models.LOGIN_T_RST)
 		if err != nil {
-			return fmt.Errorf("invalid code", in.Phone)
+			return fmt.Errorf("invalid code")
 		}
 
 		if time.Now().Unix()-lc.CreatedAt > models.LOGIN_EXPIRES_IN {
-			return fmt.Errorf("the code has expired", in.Phone)
+			return fmt.Errorf("the code has expired")
 		}
 
+		if in.Type == "verify-code" {
+			return nil
+		}
+		defer lc.Del()
+
 		// update password
 		if user.Password, err = models.CryptoPass(in.Password); err != nil {
 			return err
 		}
 
-		if err = user.Update("password"); err != nil {
+		if err = checkPassword(in.Password); err != nil {
 			return err
 		}
 
-		lc.Del()
+		if err = user.Update("password"); err != nil {
+			return err
+		}
 
 		return nil
 	}()
diff --git a/src/modules/rdb/http/router_funcs.go b/src/modules/rdb/http/router_funcs.go
index 820e3ba7..99c906ec 100644
--- a/src/modules/rdb/http/router_funcs.go
+++ b/src/modules/rdb/http/router_funcs.go
@@ -1,6 +1,7 @@
 package http
 
 import (
+	"fmt"
 	"strconv"
 
 	"github.com/gin-gonic/gin"
@@ -137,12 +138,12 @@ type idsForm struct {
 	Ids []int64 `json:"ids"`
 }
 
-func checkPassword(passwd string) {
+func checkPassword(passwd string) error {
 	indNum := [4]int{0, 0, 0, 0}
 	spCode := []byte{'!', '@', '#', '$', '%', '^', '&', '*', '_', '-', '~', '.', ',', '<', '>', '/', ';', ':', '|', '?', '+', '='}
 
 	if len(passwd) < 6 {
-		bomb("password too short")
+		return fmt.Errorf("password too short")
 	}
 
 	passwdByte := []byte(passwd)
@@ -174,7 +175,7 @@ func checkPassword(passwd string) {
 		}
 
 		if !has {
-			bomb("character: %s not supported", string(i))
+			return fmt.Errorf("character: %s not supported", string(i))
 		}
 
 	}
@@ -185,9 +186,11 @@ func checkPassword(passwd string) {
 		codeCount += i
 	}
 
-	if codeCount < 3 {
-		bomb("password too simple")
+	if codeCount < 4 {
+		return fmt.Errorf("password too simple")
 	}
+
+	return nil
 }
 
 // ------------
diff --git a/src/modules/rdb/http/router_self.go b/src/modules/rdb/http/router_self.go
index d9a104a0..a948ee10 100644
--- a/src/modules/rdb/http/router_self.go
+++ b/src/modules/rdb/http/router_self.go
@@ -42,7 +42,7 @@ type selfPasswordForm struct {
 func selfPasswordPut(c *gin.Context) {
 	var f selfPasswordForm
 	bind(c, &f)
-	checkPassword(f.NewPass)
+	dangerous(checkPassword(f.NewPass))
 
 	oldpass, err := models.CryptoPass(f.OldPass)
 	dangerous(err)
diff --git a/src/modules/rdb/http/router_user.go b/src/modules/rdb/http/router_user.go
index 08fe70e7..c2cb5da0 100644
--- a/src/modules/rdb/http/router_user.go
+++ b/src/modules/rdb/http/router_user.go
@@ -49,7 +49,7 @@ func userAddPost(c *gin.Context) {
 
 	var f userProfileForm
 	bind(c, &f)
-	checkPassword(f.Password)
+	dangerous(checkPassword(f.Password))
 
 	pass, err := models.CryptoPass(f.Password)
 	dangerous(err)
@@ -81,7 +81,7 @@ func userAddPost(c *gin.Context) {
 func userProfileGet(c *gin.Context) {
 	user := User(urlParamInt64(c, "id"))
 	user.UUID = ""
-	renderData(c, user,nil)
+	renderData(c, user, nil)
 }
 
 func userProfilePut(c *gin.Context) {
@@ -147,7 +147,7 @@ func userPasswordPut(c *gin.Context) {
 
 	var f userPasswordForm
 	bind(c, &f)
-	checkPassword(f.Password)
+	dangerous(checkPassword(f.Password))
 
 	target := User(urlParamInt64(c, "id"))
 
@@ -267,7 +267,7 @@ type userInviteForm struct {
 func userInvitePost(c *gin.Context) {
 	var f userInviteForm
 	bind(c, &f)
-	checkPassword(f.Password)
+	dangerous(checkPassword(f.Password))
 
 	inv, err := models.InviteGet("token=?", f.Token)
 	dangerous(err)