fix(repository): Move backend code into subdirectory

Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2025-05-13 22:54:42 -04:00 · 2022-10-02 20:10:32 +02:00 · 2022-10-02 20:10:32 +02:00 · bf30cbcf48
commit bf30cbcf48
parent 86584e705f
272 changed files with 87 additions and 67 deletions
--- a/backend/src/api/private/alias/alias.controller.ts
+++ b/backend/src/api/private/alias/alias.controller.ts
@ -0,0 +1,99 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import {
+  BadRequestException,
+  Body,
+  Controller,
+  Delete,
+  Param,
+  Post,
+  Put,
+  UnauthorizedException,
+  UseGuards,
+} from '@nestjs/common';
+import { ApiTags } from '@nestjs/swagger';
+
+import { SessionGuard } from '../../../identity/session.guard';
+import { ConsoleLoggerService } from '../../../logger/console-logger.service';
+import { AliasCreateDto } from '../../../notes/alias-create.dto';
+import { AliasUpdateDto } from '../../../notes/alias-update.dto';
+import { AliasDto } from '../../../notes/alias.dto';
+import { AliasService } from '../../../notes/alias.service';
+import { NotesService } from '../../../notes/notes.service';
+import { PermissionsService } from '../../../permissions/permissions.service';
+import { User } from '../../../users/user.entity';
+import { UsersService } from '../../../users/users.service';
+import { OpenApi } from '../../utils/openapi.decorator';
+import { RequestUser } from '../../utils/request-user.decorator';
+
+@UseGuards(SessionGuard)
+@OpenApi(401)
+@ApiTags('alias')
+@Controller('alias')
+export class AliasController {
+  constructor(
+    private readonly logger: ConsoleLoggerService,
+    private aliasService: AliasService,
+    private noteService: NotesService,
+    private userService: UsersService,
+    private permissionsService: PermissionsService,
+  ) {
+    this.logger.setContext(AliasController.name);
+  }
+
+  @Post()
+  @OpenApi(201, 400, 404, 409)
+  async addAlias(
+    @RequestUser() user: User,
+    @Body() newAliasDto: AliasCreateDto,
+  ): Promise<AliasDto> {
+    const note = await this.noteService.getNoteByIdOrAlias(
+      newAliasDto.noteIdOrAlias,
+    );
+    if (!(await this.permissionsService.isOwner(user, note))) {
+      throw new UnauthorizedException('Reading note denied!');
+    }
+    const updatedAlias = await this.aliasService.addAlias(
+      note,
+      newAliasDto.newAlias,
+    );
+    return this.aliasService.toAliasDto(updatedAlias, note);
+  }
+
+  @Put(':alias')
+  @OpenApi(200, 400, 404)
+  async makeAliasPrimary(
+    @RequestUser() user: User,
+    @Param('alias') alias: string,
+    @Body() changeAliasDto: AliasUpdateDto,
+  ): Promise<AliasDto> {
+    if (!changeAliasDto.primaryAlias) {
+      throw new BadRequestException(
+        `The field 'primaryAlias' must be set to 'true'.`,
+      );
+    }
+    const note = await this.noteService.getNoteByIdOrAlias(alias);
+    if (!(await this.permissionsService.isOwner(user, note))) {
+      throw new UnauthorizedException('Reading note denied!');
+    }
+    const updatedAlias = await this.aliasService.makeAliasPrimary(note, alias);
+    return this.aliasService.toAliasDto(updatedAlias, note);
+  }
+
+  @Delete(':alias')
+  @OpenApi(204, 400, 404)
+  async removeAlias(
+    @RequestUser() user: User,
+    @Param('alias') alias: string,
+  ): Promise<void> {
+    const note = await this.noteService.getNoteByIdOrAlias(alias);
+    if (!(await this.permissionsService.isOwner(user, note))) {
+      throw new UnauthorizedException('Reading note denied!');
+    }
+    await this.aliasService.removeAlias(note, alias);
+    return;
+  }
+}
--- a/backend/src/api/private/auth/auth.controller.ts
+++ b/backend/src/api/private/auth/auth.controller.ts
@ -0,0 +1,126 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import {
+  BadRequestException,
+  Body,
+  Controller,
+  Delete,
+  Param,
+  Post,
+  Put,
+  Req,
+  UseGuards,
+} from '@nestjs/common';
+import { ApiTags } from '@nestjs/swagger';
+import { Session } from 'express-session';
+
+import { IdentityService } from '../../../identity/identity.service';
+import { LdapLoginDto } from '../../../identity/ldap/ldap-login.dto';
+import { LdapAuthGuard } from '../../../identity/ldap/ldap.strategy';
+import { LocalAuthGuard } from '../../../identity/local/local.strategy';
+import { LoginDto } from '../../../identity/local/login.dto';
+import { RegisterDto } from '../../../identity/local/register.dto';
+import { UpdatePasswordDto } from '../../../identity/local/update-password.dto';
+import { SessionGuard } from '../../../identity/session.guard';
+import { ConsoleLoggerService } from '../../../logger/console-logger.service';
+import { User } from '../../../users/user.entity';
+import { UsersService } from '../../../users/users.service';
+import { LoginEnabledGuard } from '../../utils/login-enabled.guard';
+import { OpenApi } from '../../utils/openapi.decorator';
+import { RegistrationEnabledGuard } from '../../utils/registration-enabled.guard';
+import { RequestUser } from '../../utils/request-user.decorator';
+
+type RequestWithSession = Request & {
+  session: {
+    authProvider: string;
+    user: string;
+  };
+};
+
+@ApiTags('auth')
+@Controller('auth')
+export class AuthController {
+  constructor(
+    private readonly logger: ConsoleLoggerService,
+    private usersService: UsersService,
+    private identityService: IdentityService,
+  ) {
+    this.logger.setContext(AuthController.name);
+  }
+
+  @UseGuards(RegistrationEnabledGuard)
+  @Post('local')
+  @OpenApi(201, 400, 409)
+  async registerUser(@Body() registerDto: RegisterDto): Promise<void> {
+    const user = await this.usersService.createUser(
+      registerDto.username,
+      registerDto.displayName,
+    );
+    // ToDo: Figure out how to rollback user if anything with this calls goes wrong
+    await this.identityService.createLocalIdentity(user, registerDto.password);
+  }
+
+  @UseGuards(LoginEnabledGuard, SessionGuard)
+  @Put('local')
+  @OpenApi(200, 400, 401)
+  async updatePassword(
+    @RequestUser() user: User,
+    @Body() changePasswordDto: UpdatePasswordDto,
+  ): Promise<void> {
+    await this.identityService.checkLocalPassword(
+      user,
+      changePasswordDto.currentPassword,
+    );
+    await this.identityService.updateLocalPassword(
+      user,
+      changePasswordDto.newPassword,
+    );
+    return;
+  }
+
+  @UseGuards(LoginEnabledGuard, LocalAuthGuard)
+  @Post('local/login')
+  @OpenApi(201, 400, 401)
+  login(
+    @Req()
+    request: RequestWithSession,
+    @Body() loginDto: LoginDto,
+  ): void {
+    // There is no further testing needed as we only get to this point if LocalAuthGuard was successful
+    request.session.user = loginDto.username;
+    request.session.authProvider = 'local';
+  }
+
+  @UseGuards(LdapAuthGuard)
+  @Post('ldap/:ldapIdentifier')
+  @OpenApi(201, 400, 401)
+  loginWithLdap(
+    @Req()
+    request: RequestWithSession,
+    @Param('ldapIdentifier') ldapIdentifier: string,
+    @Body() loginDto: LdapLoginDto,
+  ): void {
+    // There is no further testing needed as we only get to this point if LocalAuthGuard was successful
+    request.session.user = loginDto.username;
+    request.session.authProvider = 'ldap';
+  }
+
+  @UseGuards(SessionGuard)
+  @Delete('logout')
+  @OpenApi(204, 400, 401)
+  logout(@Req() request: Request & { session: Session }): Promise<void> {
+    return new Promise((resolve, reject) => {
+      request.session.destroy((err) => {
+        if (err) {
+          this.logger.error('Encountered an error while logging out: ${err}');
+          reject(new BadRequestException('Unable to log out'));
+        } else {
+          resolve();
+        }
+      });
+    });
+  }
+}
--- a/backend/src/api/private/config/config.controller.ts
+++ b/backend/src/api/private/config/config.controller.ts
@ -0,0 +1,29 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import { Controller, Get } from '@nestjs/common';
+import { ApiTags } from '@nestjs/swagger';
+
+import { FrontendConfigDto } from '../../../frontend-config/frontend-config.dto';
+import { FrontendConfigService } from '../../../frontend-config/frontend-config.service';
+import { ConsoleLoggerService } from '../../../logger/console-logger.service';
+import { OpenApi } from '../../utils/openapi.decorator';
+
+@ApiTags('config')
+@Controller('config')
+export class ConfigController {
+  constructor(
+    private readonly logger: ConsoleLoggerService,
+    private frontendConfigService: FrontendConfigService,
+  ) {
+    this.logger.setContext(ConfigController.name);
+  }
+
+  @Get()
+  @OpenApi(200)
+  async getFrontendConfig(): Promise<FrontendConfigDto> {
+    return await this.frontendConfigService.getFrontendConfig();
+  }
+}
--- a/backend/src/api/private/groups/groups.controller.ts
+++ b/backend/src/api/private/groups/groups.controller.ts
@ -0,0 +1,34 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import { Controller, Get, Param, UseGuards } from '@nestjs/common';
+import { ApiTags } from '@nestjs/swagger';
+
+import { GroupInfoDto } from '../../../groups/group-info.dto';
+import { GroupsService } from '../../../groups/groups.service';
+import { SessionGuard } from '../../../identity/session.guard';
+import { ConsoleLoggerService } from '../../../logger/console-logger.service';
+import { OpenApi } from '../../utils/openapi.decorator';
+
+@UseGuards(SessionGuard)
+@OpenApi(401, 403)
+@ApiTags('groups')
+@Controller('groups')
+export class GroupsController {
+  constructor(
+    private readonly logger: ConsoleLoggerService,
+    private groupService: GroupsService,
+  ) {
+    this.logger.setContext(GroupsController.name);
+  }
+
+  @Get(':groupName')
+  @OpenApi(200)
+  async getGroup(@Param('groupName') groupName: string): Promise<GroupInfoDto> {
+    return this.groupService.toGroupDto(
+      await this.groupService.getGroupByName(groupName),
+    );
+  }
+}
--- a/backend/src/api/private/me/history/history.controller.ts
+++ b/backend/src/api/private/me/history/history.controller.ts
@ -0,0 +1,92 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import {
+  Body,
+  Controller,
+  Delete,
+  Get,
+  Post,
+  Put,
+  UseGuards,
+  UseInterceptors,
+} from '@nestjs/common';
+import { ApiTags } from '@nestjs/swagger';
+
+import { HistoryEntryImportListDto } from '../../../../history/history-entry-import.dto';
+import { HistoryEntryUpdateDto } from '../../../../history/history-entry-update.dto';
+import { HistoryEntryDto } from '../../../../history/history-entry.dto';
+import { HistoryService } from '../../../../history/history.service';
+import { SessionGuard } from '../../../../identity/session.guard';
+import { ConsoleLoggerService } from '../../../../logger/console-logger.service';
+import { Note } from '../../../../notes/note.entity';
+import { User } from '../../../../users/user.entity';
+import { GetNoteInterceptor } from '../../../utils/get-note.interceptor';
+import { OpenApi } from '../../../utils/openapi.decorator';
+import { RequestNote } from '../../../utils/request-note.decorator';
+import { RequestUser } from '../../../utils/request-user.decorator';
+
+@UseGuards(SessionGuard)
+@OpenApi(401)
+@ApiTags('history')
+@Controller('/me/history')
+export class HistoryController {
+  constructor(
+    private readonly logger: ConsoleLoggerService,
+    private historyService: HistoryService,
+  ) {
+    this.logger.setContext(HistoryController.name);
+  }
+
+  @Get()
+  @OpenApi(200, 404)
+  async getHistory(@RequestUser() user: User): Promise<HistoryEntryDto[]> {
+    const foundEntries = await this.historyService.getEntriesByUser(user);
+    return await Promise.all(
+      foundEntries.map((entry) => this.historyService.toHistoryEntryDto(entry)),
+    );
+  }
+
+  @Post()
+  @OpenApi(201, 404)
+  async setHistory(
+    @RequestUser() user: User,
+    @Body() historyImport: HistoryEntryImportListDto,
+  ): Promise<void> {
+    await this.historyService.setHistory(user, historyImport.history);
+  }
+
+  @Delete()
+  @OpenApi(204, 404)
+  async deleteHistory(@RequestUser() user: User): Promise<void> {
+    await this.historyService.deleteHistory(user);
+  }
+
+  @Put(':noteIdOrAlias')
+  @OpenApi(200, 404)
+  @UseInterceptors(GetNoteInterceptor)
+  async updateHistoryEntry(
+    @RequestNote() note: Note,
+    @RequestUser() user: User,
+    @Body() entryUpdateDto: HistoryEntryUpdateDto,
+  ): Promise<HistoryEntryDto> {
+    const newEntry = await this.historyService.updateHistoryEntry(
+      note,
+      user,
+      entryUpdateDto,
+    );
+    return await this.historyService.toHistoryEntryDto(newEntry);
+  }
+
+  @Delete(':noteIdOrAlias')
+  @OpenApi(204, 404)
+  @UseInterceptors(GetNoteInterceptor)
+  async deleteHistoryEntry(
+    @RequestNote() note: Note,
+    @RequestUser() user: User,
+  ): Promise<void> {
+    await this.historyService.deleteHistoryEntry(note, user);
+  }
+}
--- a/backend/src/api/private/me/me.controller.ts
+++ b/backend/src/api/private/me/me.controller.ts
@ -0,0 +1,80 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import { Body, Controller, Delete, Get, Post, UseGuards } from '@nestjs/common';
+import { ApiBody, ApiTags } from '@nestjs/swagger';
+
+import { SessionGuard } from '../../../identity/session.guard';
+import { ConsoleLoggerService } from '../../../logger/console-logger.service';
+import { MediaUploadDto } from '../../../media/media-upload.dto';
+import { MediaService } from '../../../media/media.service';
+import { UserLoginInfoDto } from '../../../users/user-info.dto';
+import { User } from '../../../users/user.entity';
+import { UsersService } from '../../../users/users.service';
+import { OpenApi } from '../../utils/openapi.decorator';
+import { RequestUser } from '../../utils/request-user.decorator';
+import { SessionAuthProvider } from '../../utils/session-authprovider.decorator';
+
+@UseGuards(SessionGuard)
+@OpenApi(401)
+@ApiTags('me')
+@Controller('me')
+export class MeController {
+  constructor(
+    private readonly logger: ConsoleLoggerService,
+    private userService: UsersService,
+    private mediaService: MediaService,
+  ) {
+    this.logger.setContext(MeController.name);
+  }
+
+  @Get()
+  @OpenApi(200)
+  getMe(
+    @RequestUser() user: User,
+    @SessionAuthProvider() authProvider: string,
+  ): UserLoginInfoDto {
+    return this.userService.toUserLoginInfoDto(user, authProvider);
+  }
+
+  @Get('media')
+  @OpenApi(200)
+  async getMyMedia(@RequestUser() user: User): Promise<MediaUploadDto[]> {
+    const media = await this.mediaService.listUploadsByUser(user);
+    return await Promise.all(
+      media.map((media) => this.mediaService.toMediaUploadDto(media)),
+    );
+  }
+
+  @Delete()
+  @OpenApi(204, 404, 500)
+  async deleteUser(@RequestUser() user: User): Promise<void> {
+    const mediaUploads = await this.mediaService.listUploadsByUser(user);
+    for (const mediaUpload of mediaUploads) {
+      await this.mediaService.deleteFile(mediaUpload);
+    }
+    this.logger.debug(`Deleted all media uploads of ${user.username}`);
+    await this.userService.deleteUser(user);
+    this.logger.debug(`Deleted ${user.username}`);
+  }
+
+  @Post('profile')
+  @ApiBody({
+    schema: {
+      type: 'object',
+      properties: {
+        displayName: { type: 'string', nullable: false },
+      },
+      required: ['displayName'],
+    },
+  })
+  @OpenApi(200)
+  async updateDisplayName(
+    @RequestUser() user: User,
+    @Body('displayName') newDisplayName: string,
+  ): Promise<void> {
+    await this.userService.changeDisplayName(user, newDisplayName);
+  }
+}
--- a/backend/src/api/private/media/media.controller.ts
+++ b/backend/src/api/private/media/media.controller.ts
@ -0,0 +1,111 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import {
+  Controller,
+  Delete,
+  Param,
+  Post,
+  UploadedFile,
+  UseGuards,
+  UseInterceptors,
+} from '@nestjs/common';
+import { FileInterceptor } from '@nestjs/platform-express';
+import { ApiBody, ApiConsumes, ApiHeader, ApiTags } from '@nestjs/swagger';
+
+import { PermissionError } from '../../../errors/errors';
+import { SessionGuard } from '../../../identity/session.guard';
+import { ConsoleLoggerService } from '../../../logger/console-logger.service';
+import { MediaUploadDto } from '../../../media/media-upload.dto';
+import { MediaService } from '../../../media/media.service';
+import { MulterFile } from '../../../media/multer-file.interface';
+import { Note } from '../../../notes/note.entity';
+import { NotesService } from '../../../notes/notes.service';
+import { User } from '../../../users/user.entity';
+import { NoteHeaderInterceptor } from '../../utils/note-header.interceptor';
+import { OpenApi } from '../../utils/openapi.decorator';
+import { RequestNote } from '../../utils/request-note.decorator';
+import { RequestUser } from '../../utils/request-user.decorator';
+
+@UseGuards(SessionGuard)
+@OpenApi(401)
+@ApiTags('media')
+@Controller('media')
+export class MediaController {
+  constructor(
+    private readonly logger: ConsoleLoggerService,
+    private mediaService: MediaService,
+    private noteService: NotesService,
+  ) {
+    this.logger.setContext(MediaController.name);
+  }
+
+  @Post()
+  @ApiConsumes('multipart/form-data')
+  @ApiBody({
+    schema: {
+      type: 'object',
+      properties: {
+        file: {
+          type: 'string',
+          format: 'binary',
+        },
+      },
+    },
+  })
+  @ApiHeader({
+    name: 'HedgeDoc-Note',
+    description: 'ID or alias of the parent note',
+  })
+  @UseInterceptors(FileInterceptor('file'))
+  @UseInterceptors(NoteHeaderInterceptor)
+  @OpenApi(
+    {
+      code: 201,
+      description: 'The file was uploaded successfully',
+      dto: MediaUploadDto,
+    },
+    400,
+    403,
+    404,
+    500,
+  )
+  async uploadMedia(
+    @UploadedFile() file: MulterFile,
+    @RequestNote() note: Note,
+    @RequestUser() user: User,
+  ): Promise<MediaUploadDto> {
+    this.logger.debug(
+      `Recieved filename '${file.originalname}' for note '${note.id}' from user '${user.username}'`,
+      'uploadMedia',
+    );
+    const upload = await this.mediaService.saveFile(file.buffer, user, note);
+    return await this.mediaService.toMediaUploadDto(upload);
+  }
+
+  @Delete(':filename')
+  @OpenApi(204, 403, 404, 500)
+  async deleteMedia(
+    @RequestUser() user: User,
+    @Param('filename') filename: string,
+  ): Promise<void> {
+    const username = user.username;
+    this.logger.debug(
+      `Deleting '${filename}' for user '${username}'`,
+      'deleteMedia',
+    );
+    const mediaUpload = await this.mediaService.findUploadByFilename(filename);
+    if ((await mediaUpload.user).username !== username) {
+      this.logger.warn(
+        `${username} tried to delete '${filename}', but is not the owner`,
+        'deleteMedia',
+      );
+      throw new PermissionError(
+        `File '${filename}' is not owned by '${username}'`,
+      );
+    }
+    await this.mediaService.deleteFile(mediaUpload);
+  }
+}
--- a/backend/src/api/private/notes/notes.controller.ts
+++ b/backend/src/api/private/notes/notes.controller.ts
@ -0,0 +1,294 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import {
+  BadRequestException,
+  Body,
+  Controller,
+  Delete,
+  Get,
+  Param,
+  Post,
+  Put,
+  UseGuards,
+  UseInterceptors,
+} from '@nestjs/common';
+import { ApiTags } from '@nestjs/swagger';
+
+import { TokenAuthGuard } from '../../../auth/token.strategy';
+import { NotInDBError } from '../../../errors/errors';
+import { GroupsService } from '../../../groups/groups.service';
+import { HistoryService } from '../../../history/history.service';
+import { SessionGuard } from '../../../identity/session.guard';
+import { ConsoleLoggerService } from '../../../logger/console-logger.service';
+import { MediaUploadDto } from '../../../media/media-upload.dto';
+import { MediaService } from '../../../media/media.service';
+import { NoteMetadataDto } from '../../../notes/note-metadata.dto';
+import { NotePermissionsDto } from '../../../notes/note-permissions.dto';
+import { NoteDto } from '../../../notes/note.dto';
+import { Note } from '../../../notes/note.entity';
+import { NoteMediaDeletionDto } from '../../../notes/note.media-deletion.dto';
+import { NotesService } from '../../../notes/notes.service';
+import { Permission } from '../../../permissions/permissions.enum';
+import { PermissionsService } from '../../../permissions/permissions.service';
+import { RevisionMetadataDto } from '../../../revisions/revision-metadata.dto';
+import { RevisionDto } from '../../../revisions/revision.dto';
+import { RevisionsService } from '../../../revisions/revisions.service';
+import { User } from '../../../users/user.entity';
+import { UsersService } from '../../../users/users.service';
+import { GetNoteInterceptor } from '../../utils/get-note.interceptor';
+import { MarkdownBody } from '../../utils/markdown-body.decorator';
+import { OpenApi } from '../../utils/openapi.decorator';
+import { Permissions } from '../../utils/permissions.decorator';
+import { PermissionsGuard } from '../../utils/permissions.guard';
+import { RequestNote } from '../../utils/request-note.decorator';
+import { RequestUser } from '../../utils/request-user.decorator';
+
+@UseGuards(SessionGuard, PermissionsGuard)
+@OpenApi(401, 403)
+@ApiTags('notes')
+@Controller('notes')
+export class NotesController {
+  constructor(
+    private readonly logger: ConsoleLoggerService,
+    private noteService: NotesService,
+    private historyService: HistoryService,
+    private userService: UsersService,
+    private mediaService: MediaService,
+    private revisionsService: RevisionsService,
+    private permissionService: PermissionsService,
+    private groupService: GroupsService,
+  ) {
+    this.logger.setContext(NotesController.name);
+  }
+
+  @Get(':noteIdOrAlias')
+  @OpenApi(200)
+  @Permissions(Permission.READ)
+  @UseInterceptors(GetNoteInterceptor)
+  async getNote(
+    @RequestUser({ guestsAllowed: true }) user: User | null,
+    @RequestNote() note: Note,
+  ): Promise<NoteDto> {
+    await this.historyService.updateHistoryEntryTimestamp(note, user);
+    return await this.noteService.toNoteDto(note);
+  }
+
+  @Get(':noteIdOrAlias/media')
+  @OpenApi(200)
+  @Permissions(Permission.READ)
+  @UseInterceptors(GetNoteInterceptor)
+  async getNotesMedia(@RequestNote() note: Note): Promise<MediaUploadDto[]> {
+    const media = await this.mediaService.listUploadsByNote(note);
+    return await Promise.all(
+      media.map((media) => this.mediaService.toMediaUploadDto(media)),
+    );
+  }
+
+  @Post()
+  @OpenApi(201, 413)
+  @Permissions(Permission.CREATE)
+  async createNote(
+    @RequestUser({ guestsAllowed: true }) user: User | null,
+    @MarkdownBody() text: string,
+  ): Promise<NoteDto> {
+    this.logger.debug('Got raw markdown:\n' + text, 'createNote');
+    return await this.noteService.toNoteDto(
+      await this.noteService.createNote(text, user),
+    );
+  }
+
+  @Post(':noteAlias')
+  @OpenApi(201, 400, 404, 409, 413)
+  @Permissions(Permission.CREATE)
+  async createNamedNote(
+    @RequestUser({ guestsAllowed: true }) user: User | null,
+    @Param('noteAlias') noteAlias: string,
+    @MarkdownBody() text: string,
+  ): Promise<NoteDto> {
+    this.logger.debug('Got raw markdown:\n' + text, 'createNamedNote');
+    return await this.noteService.toNoteDto(
+      await this.noteService.createNote(text, user, noteAlias),
+    );
+  }
+
+  @Delete(':noteIdOrAlias')
+  @OpenApi(204, 404, 500)
+  @Permissions(Permission.OWNER)
+  @UseInterceptors(GetNoteInterceptor)
+  async deleteNote(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+    @Body() noteMediaDeletionDto: NoteMediaDeletionDto,
+  ): Promise<void> {
+    const mediaUploads = await this.mediaService.listUploadsByNote(note);
+    for (const mediaUpload of mediaUploads) {
+      if (!noteMediaDeletionDto.keepMedia) {
+        await this.mediaService.deleteFile(mediaUpload);
+      } else {
+        await this.mediaService.removeNoteFromMediaUpload(mediaUpload);
+      }
+    }
+    this.logger.debug(`Deleting note: ${note.id}`, 'deleteNote');
+    await this.noteService.deleteNote(note);
+    this.logger.debug(`Successfully deleted ${note.id}`, 'deleteNote');
+    return;
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.READ)
+  @Get(':noteIdOrAlias/metadata')
+  async getNoteMetadata(
+    @RequestUser({ guestsAllowed: true }) user: User | null,
+    @RequestNote() note: Note,
+  ): Promise<NoteMetadataDto> {
+    return await this.noteService.toNoteMetadataDto(note);
+  }
+
+  @Get(':noteIdOrAlias/revisions')
+  @OpenApi(200, 404)
+  @Permissions(Permission.READ)
+  @UseInterceptors(GetNoteInterceptor)
+  async getNoteRevisions(
+    @RequestUser({ guestsAllowed: true }) user: User | null,
+    @RequestNote() note: Note,
+  ): Promise<RevisionMetadataDto[]> {
+    const revisions = await this.revisionsService.getAllRevisions(note);
+    return await Promise.all(
+      revisions.map((revision) =>
+        this.revisionsService.toRevisionMetadataDto(revision),
+      ),
+    );
+  }
+
+  @Delete(':noteIdOrAlias/revisions')
+  @OpenApi(204, 404)
+  @Permissions(Permission.OWNER)
+  @UseInterceptors(GetNoteInterceptor)
+  async purgeNoteRevisions(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+  ): Promise<void> {
+    this.logger.debug(
+      `Purging history of note: ${note.id}`,
+      'purgeNoteRevisions',
+    );
+    await this.revisionsService.purgeRevisions(note);
+    this.logger.debug(
+      `Successfully purged history of note ${note.id}`,
+      'purgeNoteRevisions',
+    );
+    return;
+  }
+
+  @Get(':noteIdOrAlias/revisions/:revisionId')
+  @OpenApi(200, 404)
+  @Permissions(Permission.READ)
+  @UseInterceptors(GetNoteInterceptor)
+  async getNoteRevision(
+    @RequestUser({ guestsAllowed: true }) user: User | null,
+    @RequestNote() note: Note,
+    @Param('revisionId') revisionId: number,
+  ): Promise<RevisionDto> {
+    return await this.revisionsService.toRevisionDto(
+      await this.revisionsService.getRevision(note, revisionId),
+    );
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.OWNER)
+  @UseGuards(TokenAuthGuard, PermissionsGuard)
+  async setUserPermission(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+    @Param('userName') username: string,
+    @Body() canEdit: boolean,
+  ): Promise<NotePermissionsDto> {
+    const permissionUser = await this.userService.getUserByUsername(username);
+    const returnedNote = await this.permissionService.setUserPermission(
+      note,
+      permissionUser,
+      canEdit,
+    );
+    return await this.noteService.toNotePermissionsDto(returnedNote);
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.OWNER)
+  @UseGuards(TokenAuthGuard, PermissionsGuard)
+  @Delete(':noteIdOrAlias/metadata/permissions/users/:userName')
+  async removeUserPermission(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+    @Param('userName') username: string,
+  ): Promise<NotePermissionsDto> {
+    try {
+      const permissionUser = await this.userService.getUserByUsername(username);
+      const returnedNote = await this.permissionService.removeUserPermission(
+        note,
+        permissionUser,
+      );
+      return await this.noteService.toNotePermissionsDto(returnedNote);
+    } catch (e) {
+      if (e instanceof NotInDBError) {
+        throw new BadRequestException(
+          "Can't remove user from permissions. User not known.",
+        );
+      }
+      throw e;
+    }
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.OWNER)
+  @UseGuards(TokenAuthGuard, PermissionsGuard)
+  @Put(':noteIdOrAlias/metadata/permissions/groups/:groupName')
+  async setGroupPermission(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+    @Param('groupName') groupName: string,
+    @Body() canEdit: boolean,
+  ): Promise<NotePermissionsDto> {
+    const permissionGroup = await this.groupService.getGroupByName(groupName);
+    const returnedNote = await this.permissionService.setGroupPermission(
+      note,
+      permissionGroup,
+      canEdit,
+    );
+    return await this.noteService.toNotePermissionsDto(returnedNote);
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.OWNER)
+  @UseGuards(TokenAuthGuard, PermissionsGuard)
+  @Delete(':noteIdOrAlias/metadata/permissions/groups/:groupName')
+  async removeGroupPermission(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+    @Param('groupName') groupName: string,
+  ): Promise<NotePermissionsDto> {
+    const permissionGroup = await this.groupService.getGroupByName(groupName);
+    const returnedNote = await this.permissionService.removeGroupPermission(
+      note,
+      permissionGroup,
+    );
+    return await this.noteService.toNotePermissionsDto(returnedNote);
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.OWNER)
+  @UseGuards(TokenAuthGuard, PermissionsGuard)
+  @Put(':noteIdOrAlias/metadata/permissions/owner')
+  async changeOwner(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+    @Body() newOwner: string,
+  ): Promise<NoteDto> {
+    const owner = await this.userService.getUserByUsername(newOwner);
+    return await this.noteService.toNoteDto(
+      await this.permissionService.changeOwner(note, owner),
+    );
+  }
+}
--- a/backend/src/api/private/private-api.module.ts
+++ b/backend/src/api/private/private-api.module.ts
@ -0,0 +1,57 @@
+/*
+ * SPDX-FileCopyrightText: 2021 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import { Module } from '@nestjs/common';
+
+import { AuthModule } from '../../auth/auth.module';
+import { FrontendConfigModule } from '../../frontend-config/frontend-config.module';
+import { GroupsModule } from '../../groups/groups.module';
+import { HistoryModule } from '../../history/history.module';
+import { IdentityModule } from '../../identity/identity.module';
+import { LoggerModule } from '../../logger/logger.module';
+import { MediaModule } from '../../media/media.module';
+import { NotesModule } from '../../notes/notes.module';
+import { PermissionsModule } from '../../permissions/permissions.module';
+import { RevisionsModule } from '../../revisions/revisions.module';
+import { UsersModule } from '../../users/users.module';
+import { AliasController } from './alias/alias.controller';
+import { AuthController } from './auth/auth.controller';
+import { ConfigController } from './config/config.controller';
+import { GroupsController } from './groups/groups.controller';
+import { HistoryController } from './me/history/history.controller';
+import { MeController } from './me/me.controller';
+import { MediaController } from './media/media.controller';
+import { NotesController } from './notes/notes.controller';
+import { TokensController } from './tokens/tokens.controller';
+import { UsersController } from './users/users.controller';
+
+@Module({
+  imports: [
+    LoggerModule,
+    UsersModule,
+    AuthModule,
+    FrontendConfigModule,
+    HistoryModule,
+    PermissionsModule,
+    NotesModule,
+    MediaModule,
+    RevisionsModule,
+    IdentityModule,
+    GroupsModule,
+  ],
+  controllers: [
+    TokensController,
+    ConfigController,
+    MediaController,
+    HistoryController,
+    MeController,
+    NotesController,
+    AliasController,
+    AuthController,
+    UsersController,
+    GroupsController,
+  ],
+})
+export class PrivateApiModule {}
--- a/backend/src/api/private/tokens/tokens.controller.ts
+++ b/backend/src/api/private/tokens/tokens.controller.ts
@ -0,0 +1,79 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import {
+  Body,
+  Controller,
+  Delete,
+  Get,
+  Param,
+  Post,
+  UnauthorizedException,
+  UseGuards,
+} from '@nestjs/common';
+import { ApiTags } from '@nestjs/swagger';
+
+import {
+  AuthTokenCreateDto,
+  AuthTokenDto,
+  AuthTokenWithSecretDto,
+} from '../../../auth/auth-token.dto';
+import { AuthService } from '../../../auth/auth.service';
+import { SessionGuard } from '../../../identity/session.guard';
+import { ConsoleLoggerService } from '../../../logger/console-logger.service';
+import { User } from '../../../users/user.entity';
+import { OpenApi } from '../../utils/openapi.decorator';
+import { RequestUser } from '../../utils/request-user.decorator';
+
+@UseGuards(SessionGuard)
+@OpenApi(401)
+@ApiTags('tokens')
+@Controller('tokens')
+export class TokensController {
+  constructor(
+    private readonly logger: ConsoleLoggerService,
+    private authService: AuthService,
+  ) {
+    this.logger.setContext(TokensController.name);
+  }
+
+  @Get()
+  @OpenApi(200)
+  async getUserTokens(@RequestUser() user: User): Promise<AuthTokenDto[]> {
+    return (await this.authService.getTokensByUser(user)).map((token) =>
+      this.authService.toAuthTokenDto(token),
+    );
+  }
+
+  @Post()
+  @OpenApi(201)
+  async postTokenRequest(
+    @Body() createDto: AuthTokenCreateDto,
+    @RequestUser() user: User,
+  ): Promise<AuthTokenWithSecretDto> {
+    return await this.authService.addToken(
+      user,
+      createDto.label,
+      createDto.validUntil,
+    );
+  }
+
+  @Delete('/:keyId')
+  @OpenApi(204, 404)
+  async deleteToken(
+    @RequestUser() user: User,
+    @Param('keyId') keyId: string,
+  ): Promise<void> {
+    const tokens = await this.authService.getTokensByUser(user);
+    for (const token of tokens) {
+      if (token.keyId == keyId) {
+        return await this.authService.removeToken(keyId);
+      }
+    }
+    throw new UnauthorizedException(
+      'User is not authorized to delete this token',
+    );
+  }
+}
--- a/backend/src/api/private/users/users.controller.ts
+++ b/backend/src/api/private/users/users.controller.ts
@ -0,0 +1,31 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import { Controller, Get, Param } from '@nestjs/common';
+import { ApiTags } from '@nestjs/swagger';
+
+import { ConsoleLoggerService } from '../../../logger/console-logger.service';
+import { UserInfoDto } from '../../../users/user-info.dto';
+import { UsersService } from '../../../users/users.service';
+import { OpenApi } from '../../utils/openapi.decorator';
+
+@ApiTags('users')
+@Controller('users')
+export class UsersController {
+  constructor(
+    private readonly logger: ConsoleLoggerService,
+    private userService: UsersService,
+  ) {
+    this.logger.setContext(UsersController.name);
+  }
+
+  @Get(':username')
+  @OpenApi(200)
+  async getUser(@Param('username') username: string): Promise<UserInfoDto> {
+    return this.userService.toUserDto(
+      await this.userService.getUserByUsername(username),
+    );
+  }
+}
--- a/backend/src/api/public/alias/alias.controller.ts
+++ b/backend/src/api/public/alias/alias.controller.ts
@ -0,0 +1,121 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import {
+  BadRequestException,
+  Body,
+  Controller,
+  Delete,
+  Param,
+  Post,
+  Put,
+  UnauthorizedException,
+  UseGuards,
+} from '@nestjs/common';
+import { ApiSecurity, ApiTags } from '@nestjs/swagger';
+
+import { TokenAuthGuard } from '../../../auth/token.strategy';
+import { ConsoleLoggerService } from '../../../logger/console-logger.service';
+import { AliasCreateDto } from '../../../notes/alias-create.dto';
+import { AliasUpdateDto } from '../../../notes/alias-update.dto';
+import { AliasDto } from '../../../notes/alias.dto';
+import { AliasService } from '../../../notes/alias.service';
+import { NotesService } from '../../../notes/notes.service';
+import { PermissionsService } from '../../../permissions/permissions.service';
+import { User } from '../../../users/user.entity';
+import { OpenApi } from '../../utils/openapi.decorator';
+import { RequestUser } from '../../utils/request-user.decorator';
+
+@UseGuards(TokenAuthGuard)
+@OpenApi(401)
+@ApiTags('alias')
+@ApiSecurity('token')
+@Controller('alias')
+export class AliasController {
+  constructor(
+    private readonly logger: ConsoleLoggerService,
+    private aliasService: AliasService,
+    private noteService: NotesService,
+    private permissionsService: PermissionsService,
+  ) {
+    this.logger.setContext(AliasController.name);
+  }
+
+  @Post()
+  @OpenApi(
+    {
+      code: 200,
+      description: 'The new alias',
+      dto: AliasDto,
+    },
+    403,
+    404,
+  )
+  async addAlias(
+    @RequestUser() user: User,
+    @Body() newAliasDto: AliasCreateDto,
+  ): Promise<AliasDto> {
+    const note = await this.noteService.getNoteByIdOrAlias(
+      newAliasDto.noteIdOrAlias,
+    );
+    if (!(await this.permissionsService.isOwner(user, note))) {
+      throw new UnauthorizedException('Reading note denied!');
+    }
+    const updatedAlias = await this.aliasService.addAlias(
+      note,
+      newAliasDto.newAlias,
+    );
+    return this.aliasService.toAliasDto(updatedAlias, note);
+  }
+
+  @Put(':alias')
+  @OpenApi(
+    {
+      code: 200,
+      description: 'The updated alias',
+      dto: AliasDto,
+    },
+    403,
+    404,
+  )
+  async makeAliasPrimary(
+    @RequestUser() user: User,
+    @Param('alias') alias: string,
+    @Body() changeAliasDto: AliasUpdateDto,
+  ): Promise<AliasDto> {
+    if (!changeAliasDto.primaryAlias) {
+      throw new BadRequestException(
+        `The field 'primaryAlias' must be set to 'true'.`,
+      );
+    }
+    const note = await this.noteService.getNoteByIdOrAlias(alias);
+    if (!(await this.permissionsService.isOwner(user, note))) {
+      throw new UnauthorizedException('Reading note denied!');
+    }
+    const updatedAlias = await this.aliasService.makeAliasPrimary(note, alias);
+    return this.aliasService.toAliasDto(updatedAlias, note);
+  }
+
+  @Delete(':alias')
+  @OpenApi(
+    {
+      code: 204,
+      description: 'The alias was deleted',
+    },
+    400,
+    403,
+    404,
+  )
+  async removeAlias(
+    @RequestUser() user: User,
+    @Param('alias') alias: string,
+  ): Promise<void> {
+    const note = await this.noteService.getNoteByIdOrAlias(alias);
+    if (!(await this.permissionsService.isOwner(user, note))) {
+      throw new UnauthorizedException('Reading note denied!');
+    }
+    await this.aliasService.removeAlias(note, alias);
+  }
+}
--- a/backend/src/api/public/me/me.controller.ts
+++ b/backend/src/api/public/me/me.controller.ts
@ -0,0 +1,152 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import {
+  Body,
+  Controller,
+  Delete,
+  Get,
+  Put,
+  UseGuards,
+  UseInterceptors,
+} from '@nestjs/common';
+import { ApiSecurity, ApiTags } from '@nestjs/swagger';
+
+import { TokenAuthGuard } from '../../../auth/token.strategy';
+import { HistoryEntryUpdateDto } from '../../../history/history-entry-update.dto';
+import { HistoryEntryDto } from '../../../history/history-entry.dto';
+import { HistoryService } from '../../../history/history.service';
+import { ConsoleLoggerService } from '../../../logger/console-logger.service';
+import { MediaUploadDto } from '../../../media/media-upload.dto';
+import { MediaService } from '../../../media/media.service';
+import { NoteMetadataDto } from '../../../notes/note-metadata.dto';
+import { Note } from '../../../notes/note.entity';
+import { NotesService } from '../../../notes/notes.service';
+import { FullUserInfoDto } from '../../../users/user-info.dto';
+import { User } from '../../../users/user.entity';
+import { UsersService } from '../../../users/users.service';
+import { GetNoteInterceptor } from '../../utils/get-note.interceptor';
+import { OpenApi } from '../../utils/openapi.decorator';
+import { RequestNote } from '../../utils/request-note.decorator';
+import { RequestUser } from '../../utils/request-user.decorator';
+
+@UseGuards(TokenAuthGuard)
+@OpenApi(401)
+@ApiTags('me')
+@ApiSecurity('token')
+@Controller('me')
+export class MeController {
+  constructor(
+    private readonly logger: ConsoleLoggerService,
+    private usersService: UsersService,
+    private historyService: HistoryService,
+    private notesService: NotesService,
+    private mediaService: MediaService,
+  ) {
+    this.logger.setContext(MeController.name);
+  }
+
+  @Get()
+  @OpenApi({
+    code: 200,
+    description: 'The user information',
+    dto: FullUserInfoDto,
+  })
+  getMe(@RequestUser() user: User): FullUserInfoDto {
+    return this.usersService.toFullUserDto(user);
+  }
+
+  @Get('history')
+  @OpenApi({
+    code: 200,
+    description: 'The history entries of the user',
+    isArray: true,
+    dto: HistoryEntryDto,
+  })
+  async getUserHistory(@RequestUser() user: User): Promise<HistoryEntryDto[]> {
+    const foundEntries = await this.historyService.getEntriesByUser(user);
+    return await Promise.all(
+      foundEntries.map((entry) => this.historyService.toHistoryEntryDto(entry)),
+    );
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Get('history/:noteIdOrAlias')
+  @OpenApi(
+    {
+      code: 200,
+      description: 'The history entry of the user which points to the note',
+      dto: HistoryEntryDto,
+    },
+    404,
+  )
+  async getHistoryEntry(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+  ): Promise<HistoryEntryDto> {
+    const foundEntry = await this.historyService.getEntryByNote(note, user);
+    return await this.historyService.toHistoryEntryDto(foundEntry);
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Put('history/:noteIdOrAlias')
+  @OpenApi(
+    {
+      code: 200,
+      description: 'The updated history entry',
+      dto: HistoryEntryDto,
+    },
+    404,
+  )
+  async updateHistoryEntry(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+    @Body() entryUpdateDto: HistoryEntryUpdateDto,
+  ): Promise<HistoryEntryDto> {
+    // ToDo: Check if user is allowed to pin this history entry
+    return await this.historyService.toHistoryEntryDto(
+      await this.historyService.updateHistoryEntry(note, user, entryUpdateDto),
+    );
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Delete('history/:noteIdOrAlias')
+  @OpenApi(204, 404)
+  async deleteHistoryEntry(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+  ): Promise<void> {
+    // ToDo: Check if user is allowed to delete note
+    await this.historyService.deleteHistoryEntry(note, user);
+  }
+
+  @Get('notes')
+  @OpenApi({
+    code: 200,
+    description: 'Metadata of all notes of the user',
+    isArray: true,
+    dto: NoteMetadataDto,
+  })
+  async getMyNotes(@RequestUser() user: User): Promise<NoteMetadataDto[]> {
+    const notes = this.notesService.getUserNotes(user);
+    return await Promise.all(
+      (await notes).map((note) => this.notesService.toNoteMetadataDto(note)),
+    );
+  }
+
+  @Get('media')
+  @OpenApi({
+    code: 200,
+    description: 'All media uploads of the user',
+    isArray: true,
+    dto: MediaUploadDto,
+  })
+  async getMyMedia(@RequestUser() user: User): Promise<MediaUploadDto[]> {
+    const media = await this.mediaService.listUploadsByUser(user);
+    return await Promise.all(
+      media.map((media) => this.mediaService.toMediaUploadDto(media)),
+    );
+  }
+}
--- a/backend/src/api/public/media/media.controller.ts
+++ b/backend/src/api/public/media/media.controller.ts
@ -0,0 +1,118 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import {
+  Controller,
+  Delete,
+  Param,
+  Post,
+  UploadedFile,
+  UseGuards,
+  UseInterceptors,
+} from '@nestjs/common';
+import { FileInterceptor } from '@nestjs/platform-express';
+import {
+  ApiBody,
+  ApiConsumes,
+  ApiHeader,
+  ApiSecurity,
+  ApiTags,
+} from '@nestjs/swagger';
+
+import { TokenAuthGuard } from '../../../auth/token.strategy';
+import { PermissionError } from '../../../errors/errors';
+import { ConsoleLoggerService } from '../../../logger/console-logger.service';
+import { MediaUploadDto } from '../../../media/media-upload.dto';
+import { MediaService } from '../../../media/media.service';
+import { MulterFile } from '../../../media/multer-file.interface';
+import { Note } from '../../../notes/note.entity';
+import { NotesService } from '../../../notes/notes.service';
+import { User } from '../../../users/user.entity';
+import { NoteHeaderInterceptor } from '../../utils/note-header.interceptor';
+import { OpenApi } from '../../utils/openapi.decorator';
+import { RequestNote } from '../../utils/request-note.decorator';
+import { RequestUser } from '../../utils/request-user.decorator';
+
+@UseGuards(TokenAuthGuard)
+@OpenApi(401)
+@ApiTags('media')
+@ApiSecurity('token')
+@Controller('media')
+export class MediaController {
+  constructor(
+    private readonly logger: ConsoleLoggerService,
+    private mediaService: MediaService,
+    private noteService: NotesService,
+  ) {
+    this.logger.setContext(MediaController.name);
+  }
+
+  @Post()
+  @ApiConsumes('multipart/form-data')
+  @ApiBody({
+    schema: {
+      type: 'object',
+      properties: {
+        file: {
+          type: 'string',
+          format: 'binary',
+        },
+      },
+    },
+  })
+  @ApiHeader({
+    name: 'HedgeDoc-Note',
+    description: 'ID or alias of the parent note',
+  })
+  @OpenApi(
+    {
+      code: 201,
+      description: 'The file was uploaded successfully',
+      dto: MediaUploadDto,
+    },
+    400,
+    403,
+    404,
+    500,
+  )
+  @UseInterceptors(FileInterceptor('file'))
+  @UseInterceptors(NoteHeaderInterceptor)
+  async uploadMedia(
+    @RequestUser() user: User,
+    @UploadedFile() file: MulterFile,
+    @RequestNote() note: Note,
+  ): Promise<MediaUploadDto> {
+    this.logger.debug(
+      `Recieved filename '${file.originalname}' for note '${note.id}' from user '${user.username}'`,
+      'uploadMedia',
+    );
+    const upload = await this.mediaService.saveFile(file.buffer, user, note);
+    return await this.mediaService.toMediaUploadDto(upload);
+  }
+
+  @Delete(':filename')
+  @OpenApi(204, 403, 404, 500)
+  async deleteMedia(
+    @RequestUser() user: User,
+    @Param('filename') filename: string,
+  ): Promise<void> {
+    const username = user.username;
+    this.logger.debug(
+      `Deleting '${filename}' for user '${username}'`,
+      'deleteMedia',
+    );
+    const mediaUpload = await this.mediaService.findUploadByFilename(filename);
+    if ((await mediaUpload.user).username !== username) {
+      this.logger.warn(
+        `${username} tried to delete '${filename}', but is not the owner`,
+        'deleteMedia',
+      );
+      throw new PermissionError(
+        `File '${filename}' is not owned by '${username}'`,
+      );
+    }
+    await this.mediaService.deleteFile(mediaUpload);
+  }
+}
--- a/backend/src/api/public/monitoring/monitoring.controller.ts
+++ b/backend/src/api/public/monitoring/monitoring.controller.ts
@ -0,0 +1,48 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import { Controller, Get, UseGuards } from '@nestjs/common';
+import { ApiSecurity, ApiTags } from '@nestjs/swagger';
+
+import { TokenAuthGuard } from '../../../auth/token.strategy';
+import { MonitoringService } from '../../../monitoring/monitoring.service';
+import { ServerStatusDto } from '../../../monitoring/server-status.dto';
+import { OpenApi } from '../../utils/openapi.decorator';
+
+@UseGuards(TokenAuthGuard)
+@OpenApi(401)
+@ApiTags('monitoring')
+@ApiSecurity('token')
+@Controller('monitoring')
+export class MonitoringController {
+  constructor(private monitoringService: MonitoringService) {}
+
+  @Get()
+  @OpenApi(
+    {
+      code: 200,
+      description: 'The server info',
+      dto: ServerStatusDto,
+    },
+    403,
+  )
+  getStatus(): Promise<ServerStatusDto> {
+    // TODO: toServerStatusDto.
+    return this.monitoringService.getServerStatus();
+  }
+
+  @Get('prometheus')
+  @OpenApi(
+    {
+      code: 200,
+      description: 'Prometheus compatible monitoring data',
+      mimeType: 'text/plain',
+    },
+    403,
+  )
+  getPrometheusStatus(): string {
+    return '';
+  }
+}
--- a/backend/src/api/public/notes/notes.controller.ts
+++ b/backend/src/api/public/notes/notes.controller.ts
@ -0,0 +1,459 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import {
+  BadRequestException,
+  Body,
+  Controller,
+  Delete,
+  Get,
+  Param,
+  Post,
+  Put,
+  UseGuards,
+  UseInterceptors,
+} from '@nestjs/common';
+import { ApiSecurity, ApiTags } from '@nestjs/swagger';
+
+import { TokenAuthGuard } from '../../../auth/token.strategy';
+import { NotInDBError } from '../../../errors/errors';
+import { GroupsService } from '../../../groups/groups.service';
+import { HistoryService } from '../../../history/history.service';
+import { ConsoleLoggerService } from '../../../logger/console-logger.service';
+import { MediaUploadDto } from '../../../media/media-upload.dto';
+import { MediaService } from '../../../media/media.service';
+import { NoteMetadataDto } from '../../../notes/note-metadata.dto';
+import {
+  NotePermissionsDto,
+  NotePermissionsUpdateDto,
+} from '../../../notes/note-permissions.dto';
+import { NoteDto } from '../../../notes/note.dto';
+import { Note } from '../../../notes/note.entity';
+import { NoteMediaDeletionDto } from '../../../notes/note.media-deletion.dto';
+import { NotesService } from '../../../notes/notes.service';
+import { Permission } from '../../../permissions/permissions.enum';
+import { PermissionsService } from '../../../permissions/permissions.service';
+import { RevisionMetadataDto } from '../../../revisions/revision-metadata.dto';
+import { RevisionDto } from '../../../revisions/revision.dto';
+import { RevisionsService } from '../../../revisions/revisions.service';
+import { User } from '../../../users/user.entity';
+import { UsersService } from '../../../users/users.service';
+import { GetNoteInterceptor } from '../../utils/get-note.interceptor';
+import { MarkdownBody } from '../../utils/markdown-body.decorator';
+import { OpenApi } from '../../utils/openapi.decorator';
+import { Permissions } from '../../utils/permissions.decorator';
+import { PermissionsGuard } from '../../utils/permissions.guard';
+import { RequestNote } from '../../utils/request-note.decorator';
+import { RequestUser } from '../../utils/request-user.decorator';
+
+@UseGuards(TokenAuthGuard, PermissionsGuard)
+@OpenApi(401)
+@ApiTags('notes')
+@ApiSecurity('token')
+@Controller('notes')
+export class NotesController {
+  constructor(
+    private readonly logger: ConsoleLoggerService,
+    private noteService: NotesService,
+    private userService: UsersService,
+    private groupService: GroupsService,
+    private revisionsService: RevisionsService,
+    private historyService: HistoryService,
+    private mediaService: MediaService,
+    private permissionService: PermissionsService,
+  ) {
+    this.logger.setContext(NotesController.name);
+  }
+
+  @Permissions(Permission.CREATE)
+  @Post()
+  @OpenApi(201, 403, 409, 413)
+  async createNote(
+    @RequestUser() user: User,
+    @MarkdownBody() text: string,
+  ): Promise<NoteDto> {
+    this.logger.debug('Got raw markdown:\n' + text);
+    return await this.noteService.toNoteDto(
+      await this.noteService.createNote(text, user),
+    );
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.READ)
+  @Get(':noteIdOrAlias')
+  @OpenApi(
+    {
+      code: 200,
+      description: 'Get information about the newly created note',
+      dto: NoteDto,
+    },
+    403,
+    404,
+  )
+  async getNote(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+  ): Promise<NoteDto> {
+    await this.historyService.updateHistoryEntryTimestamp(note, user);
+    return await this.noteService.toNoteDto(note);
+  }
+
+  @Permissions(Permission.CREATE)
+  @UseGuards(PermissionsGuard)
+  @Post(':noteAlias')
+  @OpenApi(
+    {
+      code: 201,
+      description: 'Get information about the newly created note',
+      dto: NoteDto,
+    },
+    400,
+    403,
+    409,
+    413,
+  )
+  async createNamedNote(
+    @RequestUser() user: User,
+    @Param('noteAlias') noteAlias: string,
+    @MarkdownBody() text: string,
+  ): Promise<NoteDto> {
+    this.logger.debug('Got raw markdown:\n' + text, 'createNamedNote');
+    return await this.noteService.toNoteDto(
+      await this.noteService.createNote(text, user, noteAlias),
+    );
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.OWNER)
+  @Delete(':noteIdOrAlias')
+  @OpenApi(204, 403, 404, 500)
+  async deleteNote(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+    @Body() noteMediaDeletionDto: NoteMediaDeletionDto,
+  ): Promise<void> {
+    const mediaUploads = await this.mediaService.listUploadsByNote(note);
+    for (const mediaUpload of mediaUploads) {
+      if (!noteMediaDeletionDto.keepMedia) {
+        await this.mediaService.deleteFile(mediaUpload);
+      } else {
+        await this.mediaService.removeNoteFromMediaUpload(mediaUpload);
+      }
+    }
+    this.logger.debug(`Deleting note: ${note.id}`, 'deleteNote');
+    await this.noteService.deleteNote(note);
+    this.logger.debug(`Successfully deleted ${note.id}`, 'deleteNote');
+    return;
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.WRITE)
+  @Put(':noteIdOrAlias')
+  @OpenApi(
+    {
+      code: 200,
+      description: 'The new, changed note',
+      dto: NoteDto,
+    },
+    403,
+    404,
+  )
+  async updateNote(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+    @MarkdownBody() text: string,
+  ): Promise<NoteDto> {
+    this.logger.debug('Got raw markdown:\n' + text, 'updateNote');
+    return await this.noteService.toNoteDto(
+      await this.noteService.updateNote(note, text),
+    );
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.READ)
+  @Get(':noteIdOrAlias/content')
+  @OpenApi(
+    {
+      code: 200,
+      description: 'The raw markdown content of the note',
+      mimeType: 'text/markdown',
+    },
+    403,
+    404,
+  )
+  async getNoteContent(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+  ): Promise<string> {
+    return await this.noteService.getNoteContent(note);
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.READ)
+  @Get(':noteIdOrAlias/metadata')
+  @OpenApi(
+    {
+      code: 200,
+      description: 'The metadata of the note',
+      dto: NoteMetadataDto,
+    },
+    403,
+    404,
+  )
+  async getNoteMetadata(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+  ): Promise<NoteMetadataDto> {
+    return await this.noteService.toNoteMetadataDto(note);
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.OWNER)
+  @Put(':noteIdOrAlias/metadata/permissions')
+  @OpenApi(
+    {
+      code: 200,
+      description: 'The updated permissions of the note',
+      dto: NotePermissionsDto,
+    },
+    403,
+    404,
+  )
+  async updateNotePermissions(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+    @Body() updateDto: NotePermissionsUpdateDto,
+  ): Promise<NotePermissionsDto> {
+    return await this.noteService.toNotePermissionsDto(
+      await this.permissionService.updateNotePermissions(note, updateDto),
+    );
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.READ)
+  @UseGuards(TokenAuthGuard, PermissionsGuard)
+  @Get(':noteIdOrAlias/metadata/permissions')
+  @OpenApi(
+    {
+      code: 200,
+      description: 'Get the permissions for a note',
+      dto: NotePermissionsDto,
+    },
+    403,
+    404,
+  )
+  async getPermissions(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+  ): Promise<NotePermissionsDto> {
+    return await this.noteService.toNotePermissionsDto(note);
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.OWNER)
+  @UseGuards(TokenAuthGuard, PermissionsGuard)
+  @OpenApi(
+    {
+      code: 200,
+      description: 'Set the permissions for a user on a note',
+      dto: NotePermissionsDto,
+    },
+    403,
+    404,
+  )
+  async setUserPermission(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+    @Param('userName') username: string,
+    @Body() canEdit: boolean,
+  ): Promise<NotePermissionsDto> {
+    const permissionUser = await this.userService.getUserByUsername(username);
+    const returnedNote = await this.permissionService.setUserPermission(
+      note,
+      permissionUser,
+      canEdit,
+    );
+    return await this.noteService.toNotePermissionsDto(returnedNote);
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.OWNER)
+  @UseGuards(TokenAuthGuard, PermissionsGuard)
+  @Delete(':noteIdOrAlias/metadata/permissions/users/:userName')
+  @OpenApi(
+    {
+      code: 200,
+      description: 'Remove the permission for a user on a note',
+      dto: NotePermissionsDto,
+    },
+    403,
+    404,
+  )
+  async removeUserPermission(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+    @Param('userName') username: string,
+  ): Promise<NotePermissionsDto> {
+    try {
+      const permissionUser = await this.userService.getUserByUsername(username);
+      const returnedNote = await this.permissionService.removeUserPermission(
+        note,
+        permissionUser,
+      );
+      return await this.noteService.toNotePermissionsDto(returnedNote);
+    } catch (e) {
+      if (e instanceof NotInDBError) {
+        throw new BadRequestException(
+          "Can't remove user from permissions. User not known.",
+        );
+      }
+      throw e;
+    }
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.OWNER)
+  @UseGuards(TokenAuthGuard, PermissionsGuard)
+  @Put(':noteIdOrAlias/metadata/permissions/groups/:groupName')
+  @OpenApi(
+    {
+      code: 200,
+      description: 'Set the permissions for a user on a note',
+      dto: NotePermissionsDto,
+    },
+    403,
+    404,
+  )
+  async setGroupPermission(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+    @Param('groupName') groupName: string,
+    @Body() canEdit: boolean,
+  ): Promise<NotePermissionsDto> {
+    const permissionGroup = await this.groupService.getGroupByName(groupName);
+    const returnedNote = await this.permissionService.setGroupPermission(
+      note,
+      permissionGroup,
+      canEdit,
+    );
+    return await this.noteService.toNotePermissionsDto(returnedNote);
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.OWNER)
+  @UseGuards(TokenAuthGuard, PermissionsGuard)
+  @Delete(':noteIdOrAlias/metadata/permissions/groups/:groupName')
+  @OpenApi(
+    {
+      code: 200,
+      description: 'Remove the permission for a group on a note',
+      dto: NotePermissionsDto,
+    },
+    403,
+    404,
+  )
+  async removeGroupPermission(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+    @Param('groupName') groupName: string,
+  ): Promise<NotePermissionsDto> {
+    const permissionGroup = await this.groupService.getGroupByName(groupName);
+    const returnedNote = await this.permissionService.removeGroupPermission(
+      note,
+      permissionGroup,
+    );
+    return await this.noteService.toNotePermissionsDto(returnedNote);
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.OWNER)
+  @UseGuards(TokenAuthGuard, PermissionsGuard)
+  @Put(':noteIdOrAlias/metadata/permissions/owner')
+  @OpenApi(
+    {
+      code: 200,
+      description: 'Changes the owner of the note',
+      dto: NoteDto,
+    },
+    403,
+    404,
+  )
+  async changeOwner(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+    @Body() newOwner: string,
+  ): Promise<NoteDto> {
+    const owner = await this.userService.getUserByUsername(newOwner);
+    return await this.noteService.toNoteDto(
+      await this.permissionService.changeOwner(note, owner),
+    );
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.READ)
+  @Get(':noteIdOrAlias/revisions')
+  @OpenApi(
+    {
+      code: 200,
+      description: 'Revisions of the note',
+      isArray: true,
+      dto: RevisionMetadataDto,
+    },
+    403,
+    404,
+  )
+  async getNoteRevisions(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+  ): Promise<RevisionMetadataDto[]> {
+    const revisions = await this.revisionsService.getAllRevisions(note);
+    return await Promise.all(
+      revisions.map((revision) =>
+        this.revisionsService.toRevisionMetadataDto(revision),
+      ),
+    );
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.READ)
+  @Get(':noteIdOrAlias/revisions/:revisionId')
+  @OpenApi(
+    {
+      code: 200,
+      description: 'Revision of the note for the given id or alias',
+      dto: RevisionDto,
+    },
+    403,
+    404,
+  )
+  async getNoteRevision(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+    @Param('revisionId') revisionId: number,
+  ): Promise<RevisionDto> {
+    return await this.revisionsService.toRevisionDto(
+      await this.revisionsService.getRevision(note, revisionId),
+    );
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.READ)
+  @Get(':noteIdOrAlias/media')
+  @OpenApi({
+    code: 200,
+    description: 'All media uploads of the note',
+    isArray: true,
+    dto: MediaUploadDto,
+  })
+  async getNotesMedia(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+  ): Promise<MediaUploadDto[]> {
+    const media = await this.mediaService.listUploadsByNote(note);
+    return await Promise.all(
+      media.map((media) => this.mediaService.toMediaUploadDto(media)),
+    );
+  }
+}
--- a/backend/src/api/public/public-api.module.ts
+++ b/backend/src/api/public/public-api.module.ts
@ -0,0 +1,43 @@
+/*
+ * SPDX-FileCopyrightText: 2021 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import { Module } from '@nestjs/common';
+
+import { GroupsModule } from '../../groups/groups.module';
+import { HistoryModule } from '../../history/history.module';
+import { LoggerModule } from '../../logger/logger.module';
+import { MediaModule } from '../../media/media.module';
+import { MonitoringModule } from '../../monitoring/monitoring.module';
+import { NotesModule } from '../../notes/notes.module';
+import { PermissionsModule } from '../../permissions/permissions.module';
+import { RevisionsModule } from '../../revisions/revisions.module';
+import { UsersModule } from '../../users/users.module';
+import { AliasController } from './alias/alias.controller';
+import { MeController } from './me/me.controller';
+import { MediaController } from './media/media.controller';
+import { MonitoringController } from './monitoring/monitoring.controller';
+import { NotesController } from './notes/notes.controller';
+
+@Module({
+  imports: [
+    GroupsModule,
+    UsersModule,
+    HistoryModule,
+    NotesModule,
+    RevisionsModule,
+    MonitoringModule,
+    LoggerModule,
+    MediaModule,
+    PermissionsModule,
+  ],
+  controllers: [
+    AliasController,
+    MeController,
+    NotesController,
+    MediaController,
+    MonitoringController,
+  ],
+})
+export class PublicApiModule {}
--- a/backend/src/api/utils/descriptions.ts
+++ b/backend/src/api/utils/descriptions.ts
@ -0,0 +1,28 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+export const okDescription = 'This request was successful';
+export const createdDescription =
+  'The requested resource was successfully created';
+export const noContentDescription =
+  'The requested resource was successfully deleted';
+export const badRequestDescription =
+  "The request is malformed and can't be processed";
+export const unauthorizedDescription =
+  'Authorization information is missing or invalid';
+export const forbiddenDescription =
+  'Access to the requested resource is not permitted';
+export const notFoundDescription = 'The requested resource was not found';
+export const successfullyDeletedDescription =
+  'The requested resource was sucessfully deleted';
+export const unprocessableEntityDescription =
+  "The request change can't be processed";
+export const conflictDescription =
+  'The request conflicts with the current state of the application';
+export const payloadTooLargeDescription =
+  'The note is longer than the maximal allowed length of a note';
+export const internalServerErrorDescription =
+  'The request triggered an internal server error.';
--- a/backend/src/api/utils/get-note.interceptor.ts
+++ b/backend/src/api/utils/get-note.interceptor.ts
@ -0,0 +1,45 @@
+/*
+ * SPDX-FileCopyrightText: 2021 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import {
+  CallHandler,
+  ExecutionContext,
+  Injectable,
+  NestInterceptor,
+} from '@nestjs/common';
+import { Request } from 'express';
+import { Observable } from 'rxjs';
+
+import { Note } from '../../notes/note.entity';
+import { NotesService } from '../../notes/notes.service';
+import { User } from '../../users/user.entity';
+
+/**
+ * Saves the note identified by the `noteIdOrAlias` URL parameter
+ * under the `note` property of the request object.
+ */
+@Injectable()
+export class GetNoteInterceptor implements NestInterceptor {
+  constructor(private noteService: NotesService) {}
+
+  async intercept<T>(
+    context: ExecutionContext,
+    next: CallHandler,
+  ): Promise<Observable<T>> {
+    const request: Request & { user: User; note: Note } = context
+      .switchToHttp()
+      .getRequest();
+    const noteIdOrAlias = request.params['noteIdOrAlias'];
+    request.note = await getNote(this.noteService, noteIdOrAlias);
+    return next.handle();
+  }
+}
+
+export async function getNote(
+  noteService: NotesService,
+  noteIdOrAlias: string,
+): Promise<Note> {
+  return await noteService.getNoteByIdOrAlias(noteIdOrAlias);
+}
--- a/backend/src/api/utils/login-enabled.guard.ts
+++ b/backend/src/api/utils/login-enabled.guard.ts
@ -0,0 +1,33 @@
+/*
+ * SPDX-FileCopyrightText: 2021 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import {
+  BadRequestException,
+  CanActivate,
+  Inject,
+  Injectable,
+} from '@nestjs/common';
+
+import authConfiguration, { AuthConfig } from '../../config/auth.config';
+import { ConsoleLoggerService } from '../../logger/console-logger.service';
+
+@Injectable()
+export class LoginEnabledGuard implements CanActivate {
+  constructor(
+    private readonly logger: ConsoleLoggerService,
+    @Inject(authConfiguration.KEY)
+    private authConfig: AuthConfig,
+  ) {
+    this.logger.setContext(LoginEnabledGuard.name);
+  }
+
+  canActivate(): boolean {
+    if (!this.authConfig.local.enableLogin) {
+      this.logger.debug('Local auth is disabled.', 'canActivate');
+      throw new BadRequestException('Local auth is disabled.');
+    }
+    return true;
+  }
+}
--- a/backend/src/api/utils/markdown-body.decorator.ts
+++ b/backend/src/api/utils/markdown-body.decorator.ts
@ -0,0 +1,60 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import {
+  BadRequestException,
+  createParamDecorator,
+  ExecutionContext,
+  InternalServerErrorException,
+} from '@nestjs/common';
+import { ApiBody, ApiConsumes } from '@nestjs/swagger';
+import getRawBody from 'raw-body';
+
+/**
+ * Extract the raw markdown from the request body and create a new note with it
+ *
+ * Implementation inspired by https://stackoverflow.com/questions/52283713/how-do-i-pass-plain-text-as-my-request-body-using-nestjs
+ */
+// Override naming convention as decorators are in PascalCase
+// eslint-disable-next-line @typescript-eslint/naming-convention
+export const MarkdownBody = createParamDecorator(
+  async (_, context: ExecutionContext) => {
+    // we have to check req.readable because of raw-body issue #57
+    // https://github.com/stream-utils/raw-body/issues/57
+    const req = context.switchToHttp().getRequest<import('express').Request>();
+    // Here the Content-Type of the http request is checked to be text/markdown
+    // because we dealing with markdown. Technically by now there can be any content which can be encoded.
+    // There could be features in the software which do not work properly if the text can't be parsed as markdown.
+    if (req.get('Content-Type') === 'text/markdown') {
+      if (req.readable) {
+        return (await getRawBody(req)).toString().trim();
+      } else {
+        throw new InternalServerErrorException('Failed to parse request body!');
+      }
+    } else {
+      throw new BadRequestException(
+        'Body Content-Type has to be text/markdown!',
+      );
+    }
+  },
+  [
+    (target, key): void => {
+      const ownPropertyDescriptor = Object.getOwnPropertyDescriptor(
+        target,
+        key,
+      );
+      if (!ownPropertyDescriptor) {
+        throw new Error(
+          `Could not get property descriptor for target ${target.toString()} and key ${key.toString()}`,
+        );
+      }
+      ApiConsumes('text/markdown')(target, key, ownPropertyDescriptor);
+      ApiBody({
+        required: true,
+        schema: { example: '# Markdown Body' },
+      })(target, key, ownPropertyDescriptor);
+    },
+  ],
+);
--- a/backend/src/api/utils/note-header.interceptor.ts
+++ b/backend/src/api/utils/note-header.interceptor.ts
@ -0,0 +1,37 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import {
+  CallHandler,
+  ExecutionContext,
+  Injectable,
+  NestInterceptor,
+} from '@nestjs/common';
+import { Request } from 'express';
+import { Observable } from 'rxjs';
+
+import { Note } from '../../notes/note.entity';
+import { NotesService } from '../../notes/notes.service';
+
+/**
+ * Saves the note identified by the `HedgeDoc-Note` header
+ * under the `note` property of the request object.
+ */
+@Injectable()
+export class NoteHeaderInterceptor implements NestInterceptor {
+  constructor(private noteService: NotesService) {}
+
+  async intercept<T>(
+    context: ExecutionContext,
+    next: CallHandler,
+  ): Promise<Observable<T>> {
+    const request: Request & {
+      note: Note;
+    } = context.switchToHttp().getRequest();
+    const noteId: string = request.headers['hedgedoc-note'] as string;
+    request.note = await this.noteService.getNoteByIdOrAlias(noteId);
+    return next.handle();
+  }
+}
--- a/backend/src/api/utils/openapi.decorator.ts
+++ b/backend/src/api/utils/openapi.decorator.ts
@ -0,0 +1,179 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import { applyDecorators, Header, HttpCode } from '@nestjs/common';
+import {
+  ApiBadRequestResponse,
+  ApiConflictResponse,
+  ApiCreatedResponse,
+  ApiInternalServerErrorResponse,
+  ApiNoContentResponse,
+  ApiNotFoundResponse,
+  ApiOkResponse,
+  ApiProduces,
+  ApiUnauthorizedResponse,
+} from '@nestjs/swagger';
+
+import { BaseDto } from '../../utils/base.dto.';
+import {
+  badRequestDescription,
+  conflictDescription,
+  createdDescription,
+  internalServerErrorDescription,
+  noContentDescription,
+  notFoundDescription,
+  okDescription,
+  payloadTooLargeDescription,
+  unauthorizedDescription,
+} from './descriptions';
+
+export type HttpStatusCodes =
+  | 200
+  | 201
+  | 204
+  | 400
+  | 401
+  | 403
+  | 404
+  | 409
+  | 413
+  | 500;
+
+/**
+ * Defines what the open api route should document.
+ *
+ * This makes it possible to document
+ * - description
+ * - return object
+ * - if the return object is an array
+ * - the mimeType of the response
+ */
+export interface HttpStatusCodeWithExtraInformation {
+  code: HttpStatusCodes;
+  description?: string;
+  isArray?: boolean;
+  dto?: BaseDto;
+  mimeType?: string;
+}
+
+/**
+ * This decorator is used to document what an api route returns.
+ *
+ * The decorator can be used on a controller method or on a whole controller class (if one wants to document that every method of the controller returns something).
+ *
+ * @param httpStatusCodesMaybeWithExtraInformation - list of parameters can either be just the {@link HttpStatusCodes} or a {@link HttpStatusCodeWithExtraInformation}.
+ * If only a {@link HttpStatusCodes} is provided a default description will be used.
+ *
+ * For non-200 successful responses the appropriate {@link HttpCode} decorator is set
+ * @constructor
+ */
+// eslint-disable-next-line @typescript-eslint/naming-convention,func-style
+export const OpenApi = (
+  ...httpStatusCodesMaybeWithExtraInformation: (
+    | HttpStatusCodes
+    | HttpStatusCodeWithExtraInformation
+  )[]
+): // eslint-disable-next-line @typescript-eslint/ban-types
+(<TFunction extends Function, Y>(
+  target: object | TFunction,
+  propertyKey?: string | symbol,
+  descriptor?: TypedPropertyDescriptor<Y>,
+) => void) => {
+  const decoratorsToApply: (MethodDecorator | ClassDecorator)[] = [];
+  for (const entry of httpStatusCodesMaybeWithExtraInformation) {
+    let code: HttpStatusCodes = 200;
+    let description: string | undefined = undefined;
+    let isArray: boolean | undefined = undefined;
+    let dto: BaseDto | undefined = undefined;
+    if (typeof entry == 'number') {
+      code = entry;
+    } else {
+      // We've got a HttpStatusCodeWithExtraInformation
+      code = entry.code;
+      description = entry.description;
+      isArray = entry.isArray;
+      dto = entry.dto;
+      if (entry.mimeType) {
+        decoratorsToApply.push(
+          ApiProduces(entry.mimeType),
+          Header('Content-Type', entry.mimeType),
+        );
+      }
+    }
+    switch (code) {
+      case 200:
+        decoratorsToApply.push(
+          ApiOkResponse({
+            description: description ?? okDescription,
+            isArray: isArray,
+            type: dto ? (): BaseDto => dto as BaseDto : undefined,
+          }),
+        );
+        break;
+      case 201:
+        decoratorsToApply.push(
+          ApiCreatedResponse({
+            description: description ?? createdDescription,
+            isArray: isArray,
+            type: dto ? (): BaseDto => dto as BaseDto : undefined,
+          }),
+          HttpCode(201),
+        );
+        break;
+      case 204:
+        decoratorsToApply.push(
+          ApiNoContentResponse({
+            description: description ?? noContentDescription,
+          }),
+          HttpCode(204),
+        );
+        break;
+      case 400:
+        decoratorsToApply.push(
+          ApiBadRequestResponse({
+            description: description ?? badRequestDescription,
+          }),
+        );
+        break;
+      case 401:
+        decoratorsToApply.push(
+          ApiUnauthorizedResponse({
+            description: description ?? unauthorizedDescription,
+          }),
+        );
+        break;
+      case 404:
+        decoratorsToApply.push(
+          ApiNotFoundResponse({
+            description: description ?? notFoundDescription,
+          }),
+        );
+        break;
+      case 409:
+        decoratorsToApply.push(
+          ApiConflictResponse({
+            description: description ?? conflictDescription,
+          }),
+        );
+        break;
+      case 413:
+        decoratorsToApply.push(
+          ApiConflictResponse({
+            description: description ?? payloadTooLargeDescription,
+          }),
+        );
+        break;
+      case 500:
+        decoratorsToApply.push(
+          ApiInternalServerErrorResponse({
+            description: internalServerErrorDescription,
+          }),
+        );
+        break;
+    }
+  }
+
+  return applyDecorators(...decoratorsToApply);
+};
--- a/backend/src/api/utils/permissions.decorator.ts
+++ b/backend/src/api/utils/permissions.decorator.ts
@ -0,0 +1,17 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import { CustomDecorator, SetMetadata } from '@nestjs/common';
+
+import { Permission } from '../../permissions/permissions.enum';
+
+/**
+ * This decorator gathers the {@link Permission Permission} a user must hold for the {@link PermissionsGuard}
+ * @param permissions - an array of permissions. In practice this should always contain exactly one {@link Permission}
+ * @constructor
+ */
+// eslint-disable-next-line func-style,@typescript-eslint/naming-convention
+export const Permissions = (...permissions: Permission[]): CustomDecorator =>
+  SetMetadata('permissions', permissions);
--- a/backend/src/api/utils/permissions.guard.ts
+++ b/backend/src/api/utils/permissions.guard.ts
@ -0,0 +1,66 @@
+/*
+ * SPDX-FileCopyrightText: 2021 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import { CanActivate, ExecutionContext, Injectable } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { Request } from 'express';
+
+import { ConsoleLoggerService } from '../../logger/console-logger.service';
+import { NotesService } from '../../notes/notes.service';
+import { Permission } from '../../permissions/permissions.enum';
+import { PermissionsService } from '../../permissions/permissions.service';
+import { User } from '../../users/user.entity';
+import { getNote } from './get-note.interceptor';
+
+/**
+ * This guards controller methods from access, if the user has not the appropriate permissions.
+ * The permissions are set via the {@link Permissions} decorator in addition to this guard.
+ */
+@Injectable()
+export class PermissionsGuard implements CanActivate {
+  constructor(
+    private readonly logger: ConsoleLoggerService,
+    private reflector: Reflector,
+    private permissionsService: PermissionsService,
+    private noteService: NotesService,
+  ) {
+    this.logger.setContext(PermissionsGuard.name);
+  }
+
+  async canActivate(context: ExecutionContext): Promise<boolean> {
+    const permissions = this.reflector.get<Permission[]>(
+      'permissions',
+      context.getHandler(),
+    );
+    // If no permissions are set this is probably an error and this guard should not let the request pass
+    if (!permissions) {
+      this.logger.error(
+        'Could not find permission metadata. This should never happen. If you see this, please open an issue at https://github.com/hedgedoc/hedgedoc/issues',
+      );
+      return false;
+    }
+    const request: Request & { user: User } = context
+      .switchToHttp()
+      .getRequest();
+    const user = request.user;
+    // handle CREATE permissions, as this does not need any note
+    if (permissions[0] === Permission.CREATE) {
+      return this.permissionsService.mayCreate(user);
+    }
+    // Get the note from the parameter noteIdOrAlias
+    // Attention: This gets the note an additional time if used in conjunction with GetNoteInterceptor
+    const noteIdOrAlias = request.params['noteIdOrAlias'];
+    const note = await getNote(this.noteService, noteIdOrAlias);
+    switch (permissions[0]) {
+      case Permission.READ:
+        return await this.permissionsService.mayRead(user, note);
+      case Permission.WRITE:
+        return await this.permissionsService.mayWrite(user, note);
+      case Permission.OWNER:
+        return await this.permissionsService.isOwner(user, note);
+    }
+    return false;
+  }
+}
--- a/backend/src/api/utils/registration-enabled.guard.ts
+++ b/backend/src/api/utils/registration-enabled.guard.ts
@ -0,0 +1,33 @@
+/*
+ * SPDX-FileCopyrightText: 2021 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import {
+  BadRequestException,
+  CanActivate,
+  Inject,
+  Injectable,
+} from '@nestjs/common';
+
+import authConfiguration, { AuthConfig } from '../../config/auth.config';
+import { ConsoleLoggerService } from '../../logger/console-logger.service';
+
+@Injectable()
+export class RegistrationEnabledGuard implements CanActivate {
+  constructor(
+    private readonly logger: ConsoleLoggerService,
+    @Inject(authConfiguration.KEY)
+    private authConfig: AuthConfig,
+  ) {
+    this.logger.setContext(RegistrationEnabledGuard.name);
+  }
+
+  canActivate(): boolean {
+    if (!this.authConfig.local.enableRegister) {
+      this.logger.debug('User registration is disabled.', 'canActivate');
+      throw new BadRequestException('User registration is disabled.');
+    }
+    return true;
+  }
+}
--- a/backend/src/api/utils/request-note.decorator.ts
+++ b/backend/src/api/utils/request-note.decorator.ts
@ -0,0 +1,32 @@
+/*
+ * SPDX-FileCopyrightText: 2021 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import {
+  createParamDecorator,
+  ExecutionContext,
+  InternalServerErrorException,
+} from '@nestjs/common';
+import { Request } from 'express';
+
+import { Note } from '../../notes/note.entity';
+
+/**
+ * Extracts the {@link Note} object from a request
+ *
+ * Will throw an {@link InternalServerErrorException} if no note is present
+ */
+// eslint-disable-next-line @typescript-eslint/naming-convention
+export const RequestNote = createParamDecorator(
+  (data: unknown, ctx: ExecutionContext) => {
+    const request: Request & { note: Note } = ctx.switchToHttp().getRequest();
+    if (!request.note) {
+      // We should have a note here, otherwise something is wrong
+      throw new InternalServerErrorException(
+        'Request is missing a note object',
+      );
+    }
+    return request.note;
+  },
+);
--- a/backend/src/api/utils/request-user.decorator.ts
+++ b/backend/src/api/utils/request-user.decorator.ts
@ -0,0 +1,43 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import {
+  createParamDecorator,
+  ExecutionContext,
+  UnauthorizedException,
+} from '@nestjs/common';
+import { Request } from 'express';
+
+import { User } from '../../users/user.entity';
+
+type RequestUserParameter = {
+  guestsAllowed: boolean;
+};
+
+/**
+ * Trys to extract the {@link User} object from a request
+ *
+ * If a user is present in the request, returns the user object.
+ * If no user is present and guests are allowed, returns `null`.
+ * If no user is present and guests are not allowed, throws {@link UnauthorizedException}.
+ */
+// eslint-disable-next-line @typescript-eslint/naming-convention
+export const RequestUser = createParamDecorator(
+  (
+    data: RequestUserParameter = { guestsAllowed: false },
+    ctx: ExecutionContext,
+  ) => {
+    const request: Request & { user: User | null } = ctx
+      .switchToHttp()
+      .getRequest();
+    if (!request.user) {
+      if (data.guestsAllowed) {
+        return null;
+      }
+      throw new UnauthorizedException("You're not logged in");
+    }
+    return request.user;
+  },
+);
--- a/backend/src/api/utils/session-authprovider.decorator.ts
+++ b/backend/src/api/utils/session-authprovider.decorator.ts
@ -0,0 +1,34 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import {
+  createParamDecorator,
+  ExecutionContext,
+  InternalServerErrorException,
+} from '@nestjs/common';
+import { Request } from 'express';
+
+/**
+ * Extracts the auth provider identifier from a session inside a request
+ *
+ * Will throw an {@link InternalServerErrorException} if no identifier is present
+ */
+// eslint-disable-next-line @typescript-eslint/naming-convention
+export const SessionAuthProvider = createParamDecorator(
+  (data: unknown, ctx: ExecutionContext) => {
+    const request: Request & {
+      session: {
+        authProvider: string;
+      };
+    } = ctx.switchToHttp().getRequest();
+    if (!request.session?.authProvider) {
+      // We should have an auth provider here, otherwise something is wrong
+      throw new InternalServerErrorException(
+        'Session is missing an auth provider identifier',
+      );
+    }
+    return request.session.authProvider;
+  },
+);