fix(repository): Move backend code into subdirectory

Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>

backend/src/api/private/alias/alias.controller.ts

@@ -0,0 +1,99 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import {
+  BadRequestException,
+  Body,
+  Controller,
+  Delete,
+  Param,
+  Post,
+  Put,
+  UnauthorizedException,
+  UseGuards,
+} from '@nestjs/common';
+import { ApiTags } from '@nestjs/swagger';
+
+import { SessionGuard } from '../../../identity/session.guard';
+import { ConsoleLoggerService } from '../../../logger/console-logger.service';
+import { AliasCreateDto } from '../../../notes/alias-create.dto';
+import { AliasUpdateDto } from '../../../notes/alias-update.dto';
+import { AliasDto } from '../../../notes/alias.dto';
+import { AliasService } from '../../../notes/alias.service';
+import { NotesService } from '../../../notes/notes.service';
+import { PermissionsService } from '../../../permissions/permissions.service';
+import { User } from '../../../users/user.entity';
+import { UsersService } from '../../../users/users.service';
+import { OpenApi } from '../../utils/openapi.decorator';
+import { RequestUser } from '../../utils/request-user.decorator';
+
+@UseGuards(SessionGuard)
+@OpenApi(401)
+@ApiTags('alias')
+@Controller('alias')
+export class AliasController {
+  constructor(
+    private readonly logger: ConsoleLoggerService,
+    private aliasService: AliasService,
+    private noteService: NotesService,
+    private userService: UsersService,
+    private permissionsService: PermissionsService,
+  ) {
+    this.logger.setContext(AliasController.name);
+  }
+
+  @Post()
+  @OpenApi(201, 400, 404, 409)
+  async addAlias(
+    @RequestUser() user: User,
+    @Body() newAliasDto: AliasCreateDto,
+  ): Promise<AliasDto> {
+    const note = await this.noteService.getNoteByIdOrAlias(
+      newAliasDto.noteIdOrAlias,
+    );
+    if (!(await this.permissionsService.isOwner(user, note))) {
+      throw new UnauthorizedException('Reading note denied!');
+    }
+    const updatedAlias = await this.aliasService.addAlias(
+      note,
+      newAliasDto.newAlias,
+    );
+    return this.aliasService.toAliasDto(updatedAlias, note);
+  }
+
+  @Put(':alias')
+  @OpenApi(200, 400, 404)
+  async makeAliasPrimary(
+    @RequestUser() user: User,
+    @Param('alias') alias: string,
+    @Body() changeAliasDto: AliasUpdateDto,
+  ): Promise<AliasDto> {
+    if (!changeAliasDto.primaryAlias) {
+      throw new BadRequestException(
+        `The field 'primaryAlias' must be set to 'true'.`,
+      );
+    }
+    const note = await this.noteService.getNoteByIdOrAlias(alias);
+    if (!(await this.permissionsService.isOwner(user, note))) {
+      throw new UnauthorizedException('Reading note denied!');
+    }
+    const updatedAlias = await this.aliasService.makeAliasPrimary(note, alias);
+    return this.aliasService.toAliasDto(updatedAlias, note);
+  }
+
+  @Delete(':alias')
+  @OpenApi(204, 400, 404)
+  async removeAlias(
+    @RequestUser() user: User,
+    @Param('alias') alias: string,
+  ): Promise<void> {
+    const note = await this.noteService.getNoteByIdOrAlias(alias);
+    if (!(await this.permissionsService.isOwner(user, note))) {
+      throw new UnauthorizedException('Reading note denied!');
+    }
+    await this.aliasService.removeAlias(note, alias);
+    return;
+  }
+}

backend/src/api/private/auth/auth.controller.ts

@@ -0,0 +1,126 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import {
+  BadRequestException,
+  Body,
+  Controller,
+  Delete,
+  Param,
+  Post,
+  Put,
+  Req,
+  UseGuards,
+} from '@nestjs/common';
+import { ApiTags } from '@nestjs/swagger';
+import { Session } from 'express-session';
+
+import { IdentityService } from '../../../identity/identity.service';
+import { LdapLoginDto } from '../../../identity/ldap/ldap-login.dto';
+import { LdapAuthGuard } from '../../../identity/ldap/ldap.strategy';
+import { LocalAuthGuard } from '../../../identity/local/local.strategy';
+import { LoginDto } from '../../../identity/local/login.dto';
+import { RegisterDto } from '../../../identity/local/register.dto';
+import { UpdatePasswordDto } from '../../../identity/local/update-password.dto';
+import { SessionGuard } from '../../../identity/session.guard';
+import { ConsoleLoggerService } from '../../../logger/console-logger.service';
+import { User } from '../../../users/user.entity';
+import { UsersService } from '../../../users/users.service';
+import { LoginEnabledGuard } from '../../utils/login-enabled.guard';
+import { OpenApi } from '../../utils/openapi.decorator';
+import { RegistrationEnabledGuard } from '../../utils/registration-enabled.guard';
+import { RequestUser } from '../../utils/request-user.decorator';
+
+type RequestWithSession = Request & {
+  session: {
+    authProvider: string;
+    user: string;
+  };
+};
+
+@ApiTags('auth')
+@Controller('auth')
+export class AuthController {
+  constructor(
+    private readonly logger: ConsoleLoggerService,
+    private usersService: UsersService,
+    private identityService: IdentityService,
+  ) {
+    this.logger.setContext(AuthController.name);
+  }
+
+  @UseGuards(RegistrationEnabledGuard)
+  @Post('local')
+  @OpenApi(201, 400, 409)
+  async registerUser(@Body() registerDto: RegisterDto): Promise<void> {
+    const user = await this.usersService.createUser(
+      registerDto.username,
+      registerDto.displayName,
+    );
+    // ToDo: Figure out how to rollback user if anything with this calls goes wrong
+    await this.identityService.createLocalIdentity(user, registerDto.password);
+  }
+
+  @UseGuards(LoginEnabledGuard, SessionGuard)
+  @Put('local')
+  @OpenApi(200, 400, 401)
+  async updatePassword(
+    @RequestUser() user: User,
+    @Body() changePasswordDto: UpdatePasswordDto,
+  ): Promise<void> {
+    await this.identityService.checkLocalPassword(
+      user,
+      changePasswordDto.currentPassword,
+    );
+    await this.identityService.updateLocalPassword(
+      user,
+      changePasswordDto.newPassword,
+    );
+    return;
+  }
+
+  @UseGuards(LoginEnabledGuard, LocalAuthGuard)
+  @Post('local/login')
+  @OpenApi(201, 400, 401)
+  login(
+    @Req()
+    request: RequestWithSession,
+    @Body() loginDto: LoginDto,
+  ): void {
+    // There is no further testing needed as we only get to this point if LocalAuthGuard was successful
+    request.session.user = loginDto.username;
+    request.session.authProvider = 'local';
+  }
+
+  @UseGuards(LdapAuthGuard)
+  @Post('ldap/:ldapIdentifier')
+  @OpenApi(201, 400, 401)
+  loginWithLdap(
+    @Req()
+    request: RequestWithSession,
+    @Param('ldapIdentifier') ldapIdentifier: string,
+    @Body() loginDto: LdapLoginDto,
+  ): void {
+    // There is no further testing needed as we only get to this point if LocalAuthGuard was successful
+    request.session.user = loginDto.username;
+    request.session.authProvider = 'ldap';
+  }
+
+  @UseGuards(SessionGuard)
+  @Delete('logout')
+  @OpenApi(204, 400, 401)
+  logout(@Req() request: Request & { session: Session }): Promise<void> {
+    return new Promise((resolve, reject) => {
+      request.session.destroy((err) => {
+        if (err) {
+          this.logger.error('Encountered an error while logging out: ${err}');
+          reject(new BadRequestException('Unable to log out'));
+        } else {
+          resolve();
+        }
+      });
+    });
+  }
+}

backend/src/api/private/config/config.controller.ts

@@ -0,0 +1,29 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import { Controller, Get } from '@nestjs/common';
+import { ApiTags } from '@nestjs/swagger';
+
+import { FrontendConfigDto } from '../../../frontend-config/frontend-config.dto';
+import { FrontendConfigService } from '../../../frontend-config/frontend-config.service';
+import { ConsoleLoggerService } from '../../../logger/console-logger.service';
+import { OpenApi } from '../../utils/openapi.decorator';
+
+@ApiTags('config')
+@Controller('config')
+export class ConfigController {
+  constructor(
+    private readonly logger: ConsoleLoggerService,
+    private frontendConfigService: FrontendConfigService,
+  ) {
+    this.logger.setContext(ConfigController.name);
+  }
+
+  @Get()
+  @OpenApi(200)
+  async getFrontendConfig(): Promise<FrontendConfigDto> {
+    return await this.frontendConfigService.getFrontendConfig();
+  }
+}

backend/src/api/private/groups/groups.controller.ts

@@ -0,0 +1,34 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import { Controller, Get, Param, UseGuards } from '@nestjs/common';
+import { ApiTags } from '@nestjs/swagger';
+
+import { GroupInfoDto } from '../../../groups/group-info.dto';
+import { GroupsService } from '../../../groups/groups.service';
+import { SessionGuard } from '../../../identity/session.guard';
+import { ConsoleLoggerService } from '../../../logger/console-logger.service';
+import { OpenApi } from '../../utils/openapi.decorator';
+
+@UseGuards(SessionGuard)
+@OpenApi(401, 403)
+@ApiTags('groups')
+@Controller('groups')
+export class GroupsController {
+  constructor(
+    private readonly logger: ConsoleLoggerService,
+    private groupService: GroupsService,
+  ) {
+    this.logger.setContext(GroupsController.name);
+  }
+
+  @Get(':groupName')
+  @OpenApi(200)
+  async getGroup(@Param('groupName') groupName: string): Promise<GroupInfoDto> {
+    return this.groupService.toGroupDto(
+      await this.groupService.getGroupByName(groupName),
+    );
+  }
+}

backend/src/api/private/me/history/history.controller.ts

@@ -0,0 +1,92 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import {
+  Body,
+  Controller,
+  Delete,
+  Get,
+  Post,
+  Put,
+  UseGuards,
+  UseInterceptors,
+} from '@nestjs/common';
+import { ApiTags } from '@nestjs/swagger';
+
+import { HistoryEntryImportListDto } from '../../../../history/history-entry-import.dto';
+import { HistoryEntryUpdateDto } from '../../../../history/history-entry-update.dto';
+import { HistoryEntryDto } from '../../../../history/history-entry.dto';
+import { HistoryService } from '../../../../history/history.service';
+import { SessionGuard } from '../../../../identity/session.guard';
+import { ConsoleLoggerService } from '../../../../logger/console-logger.service';
+import { Note } from '../../../../notes/note.entity';
+import { User } from '../../../../users/user.entity';
+import { GetNoteInterceptor } from '../../../utils/get-note.interceptor';
+import { OpenApi } from '../../../utils/openapi.decorator';
+import { RequestNote } from '../../../utils/request-note.decorator';
+import { RequestUser } from '../../../utils/request-user.decorator';
+
+@UseGuards(SessionGuard)
+@OpenApi(401)
+@ApiTags('history')
+@Controller('/me/history')
+export class HistoryController {
+  constructor(
+    private readonly logger: ConsoleLoggerService,
+    private historyService: HistoryService,
+  ) {
+    this.logger.setContext(HistoryController.name);
+  }
+
+  @Get()
+  @OpenApi(200, 404)
+  async getHistory(@RequestUser() user: User): Promise<HistoryEntryDto[]> {
+    const foundEntries = await this.historyService.getEntriesByUser(user);
+    return await Promise.all(
+      foundEntries.map((entry) => this.historyService.toHistoryEntryDto(entry)),
+    );
+  }
+
+  @Post()
+  @OpenApi(201, 404)
+  async setHistory(
+    @RequestUser() user: User,
+    @Body() historyImport: HistoryEntryImportListDto,
+  ): Promise<void> {
+    await this.historyService.setHistory(user, historyImport.history);
+  }
+
+  @Delete()
+  @OpenApi(204, 404)
+  async deleteHistory(@RequestUser() user: User): Promise<void> {
+    await this.historyService.deleteHistory(user);
+  }
+
+  @Put(':noteIdOrAlias')
+  @OpenApi(200, 404)
+  @UseInterceptors(GetNoteInterceptor)
+  async updateHistoryEntry(
+    @RequestNote() note: Note,
+    @RequestUser() user: User,
+    @Body() entryUpdateDto: HistoryEntryUpdateDto,
+  ): Promise<HistoryEntryDto> {
+    const newEntry = await this.historyService.updateHistoryEntry(
+      note,
+      user,
+      entryUpdateDto,
+    );
+    return await this.historyService.toHistoryEntryDto(newEntry);
+  }
+
+  @Delete(':noteIdOrAlias')
+  @OpenApi(204, 404)
+  @UseInterceptors(GetNoteInterceptor)
+  async deleteHistoryEntry(
+    @RequestNote() note: Note,
+    @RequestUser() user: User,
+  ): Promise<void> {
+    await this.historyService.deleteHistoryEntry(note, user);
+  }
+}

backend/src/api/private/me/me.controller.ts

@@ -0,0 +1,80 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import { Body, Controller, Delete, Get, Post, UseGuards } from '@nestjs/common';
+import { ApiBody, ApiTags } from '@nestjs/swagger';
+
+import { SessionGuard } from '../../../identity/session.guard';
+import { ConsoleLoggerService } from '../../../logger/console-logger.service';
+import { MediaUploadDto } from '../../../media/media-upload.dto';
+import { MediaService } from '../../../media/media.service';
+import { UserLoginInfoDto } from '../../../users/user-info.dto';
+import { User } from '../../../users/user.entity';
+import { UsersService } from '../../../users/users.service';
+import { OpenApi } from '../../utils/openapi.decorator';
+import { RequestUser } from '../../utils/request-user.decorator';
+import { SessionAuthProvider } from '../../utils/session-authprovider.decorator';
+
+@UseGuards(SessionGuard)
+@OpenApi(401)
+@ApiTags('me')
+@Controller('me')
+export class MeController {
+  constructor(
+    private readonly logger: ConsoleLoggerService,
+    private userService: UsersService,
+    private mediaService: MediaService,
+  ) {
+    this.logger.setContext(MeController.name);
+  }
+
+  @Get()
+  @OpenApi(200)
+  getMe(
+    @RequestUser() user: User,
+    @SessionAuthProvider() authProvider: string,
+  ): UserLoginInfoDto {
+    return this.userService.toUserLoginInfoDto(user, authProvider);
+  }
+
+  @Get('media')
+  @OpenApi(200)
+  async getMyMedia(@RequestUser() user: User): Promise<MediaUploadDto[]> {
+    const media = await this.mediaService.listUploadsByUser(user);
+    return await Promise.all(
+      media.map((media) => this.mediaService.toMediaUploadDto(media)),
+    );
+  }
+
+  @Delete()
+  @OpenApi(204, 404, 500)
+  async deleteUser(@RequestUser() user: User): Promise<void> {
+    const mediaUploads = await this.mediaService.listUploadsByUser(user);
+    for (const mediaUpload of mediaUploads) {
+      await this.mediaService.deleteFile(mediaUpload);
+    }
+    this.logger.debug(`Deleted all media uploads of ${user.username}`);
+    await this.userService.deleteUser(user);
+    this.logger.debug(`Deleted ${user.username}`);
+  }
+
+  @Post('profile')
+  @ApiBody({
+    schema: {
+      type: 'object',
+      properties: {
+        displayName: { type: 'string', nullable: false },
+      },
+      required: ['displayName'],
+    },
+  })
+  @OpenApi(200)
+  async updateDisplayName(
+    @RequestUser() user: User,
+    @Body('displayName') newDisplayName: string,
+  ): Promise<void> {
+    await this.userService.changeDisplayName(user, newDisplayName);
+  }
+}

backend/src/api/private/media/media.controller.ts

@@ -0,0 +1,111 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import {
+  Controller,
+  Delete,
+  Param,
+  Post,
+  UploadedFile,
+  UseGuards,
+  UseInterceptors,
+} from '@nestjs/common';
+import { FileInterceptor } from '@nestjs/platform-express';
+import { ApiBody, ApiConsumes, ApiHeader, ApiTags } from '@nestjs/swagger';
+
+import { PermissionError } from '../../../errors/errors';
+import { SessionGuard } from '../../../identity/session.guard';
+import { ConsoleLoggerService } from '../../../logger/console-logger.service';
+import { MediaUploadDto } from '../../../media/media-upload.dto';
+import { MediaService } from '../../../media/media.service';
+import { MulterFile } from '../../../media/multer-file.interface';
+import { Note } from '../../../notes/note.entity';
+import { NotesService } from '../../../notes/notes.service';
+import { User } from '../../../users/user.entity';
+import { NoteHeaderInterceptor } from '../../utils/note-header.interceptor';
+import { OpenApi } from '../../utils/openapi.decorator';
+import { RequestNote } from '../../utils/request-note.decorator';
+import { RequestUser } from '../../utils/request-user.decorator';
+
+@UseGuards(SessionGuard)
+@OpenApi(401)
+@ApiTags('media')
+@Controller('media')
+export class MediaController {
+  constructor(
+    private readonly logger: ConsoleLoggerService,
+    private mediaService: MediaService,
+    private noteService: NotesService,
+  ) {
+    this.logger.setContext(MediaController.name);
+  }
+
+  @Post()
+  @ApiConsumes('multipart/form-data')
+  @ApiBody({
+    schema: {
+      type: 'object',
+      properties: {
+        file: {
+          type: 'string',
+          format: 'binary',
+        },
+      },
+    },
+  })
+  @ApiHeader({
+    name: 'HedgeDoc-Note',
+    description: 'ID or alias of the parent note',
+  })
+  @UseInterceptors(FileInterceptor('file'))
+  @UseInterceptors(NoteHeaderInterceptor)
+  @OpenApi(
+    {
+      code: 201,
+      description: 'The file was uploaded successfully',
+      dto: MediaUploadDto,
+    },
+    400,
+    403,
+    404,
+    500,
+  )
+  async uploadMedia(
+    @UploadedFile() file: MulterFile,
+    @RequestNote() note: Note,
+    @RequestUser() user: User,
+  ): Promise<MediaUploadDto> {
+    this.logger.debug(
+      `Recieved filename '${file.originalname}' for note '${note.id}' from user '${user.username}'`,
+      'uploadMedia',
+    );
+    const upload = await this.mediaService.saveFile(file.buffer, user, note);
+    return await this.mediaService.toMediaUploadDto(upload);
+  }
+
+  @Delete(':filename')
+  @OpenApi(204, 403, 404, 500)
+  async deleteMedia(
+    @RequestUser() user: User,
+    @Param('filename') filename: string,
+  ): Promise<void> {
+    const username = user.username;
+    this.logger.debug(
+      `Deleting '${filename}' for user '${username}'`,
+      'deleteMedia',
+    );
+    const mediaUpload = await this.mediaService.findUploadByFilename(filename);
+    if ((await mediaUpload.user).username !== username) {
+      this.logger.warn(
+        `${username} tried to delete '${filename}', but is not the owner`,
+        'deleteMedia',
+      );
+      throw new PermissionError(
+        `File '${filename}' is not owned by '${username}'`,
+      );
+    }
+    await this.mediaService.deleteFile(mediaUpload);
+  }
+}

backend/src/api/private/notes/notes.controller.ts

@@ -0,0 +1,294 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import {
+  BadRequestException,
+  Body,
+  Controller,
+  Delete,
+  Get,
+  Param,
+  Post,
+  Put,
+  UseGuards,
+  UseInterceptors,
+} from '@nestjs/common';
+import { ApiTags } from '@nestjs/swagger';
+
+import { TokenAuthGuard } from '../../../auth/token.strategy';
+import { NotInDBError } from '../../../errors/errors';
+import { GroupsService } from '../../../groups/groups.service';
+import { HistoryService } from '../../../history/history.service';
+import { SessionGuard } from '../../../identity/session.guard';
+import { ConsoleLoggerService } from '../../../logger/console-logger.service';
+import { MediaUploadDto } from '../../../media/media-upload.dto';
+import { MediaService } from '../../../media/media.service';
+import { NoteMetadataDto } from '../../../notes/note-metadata.dto';
+import { NotePermissionsDto } from '../../../notes/note-permissions.dto';
+import { NoteDto } from '../../../notes/note.dto';
+import { Note } from '../../../notes/note.entity';
+import { NoteMediaDeletionDto } from '../../../notes/note.media-deletion.dto';
+import { NotesService } from '../../../notes/notes.service';
+import { Permission } from '../../../permissions/permissions.enum';
+import { PermissionsService } from '../../../permissions/permissions.service';
+import { RevisionMetadataDto } from '../../../revisions/revision-metadata.dto';
+import { RevisionDto } from '../../../revisions/revision.dto';
+import { RevisionsService } from '../../../revisions/revisions.service';
+import { User } from '../../../users/user.entity';
+import { UsersService } from '../../../users/users.service';
+import { GetNoteInterceptor } from '../../utils/get-note.interceptor';
+import { MarkdownBody } from '../../utils/markdown-body.decorator';
+import { OpenApi } from '../../utils/openapi.decorator';
+import { Permissions } from '../../utils/permissions.decorator';
+import { PermissionsGuard } from '../../utils/permissions.guard';
+import { RequestNote } from '../../utils/request-note.decorator';
+import { RequestUser } from '../../utils/request-user.decorator';
+
+@UseGuards(SessionGuard, PermissionsGuard)
+@OpenApi(401, 403)
+@ApiTags('notes')
+@Controller('notes')
+export class NotesController {
+  constructor(
+    private readonly logger: ConsoleLoggerService,
+    private noteService: NotesService,
+    private historyService: HistoryService,
+    private userService: UsersService,
+    private mediaService: MediaService,
+    private revisionsService: RevisionsService,
+    private permissionService: PermissionsService,
+    private groupService: GroupsService,
+  ) {
+    this.logger.setContext(NotesController.name);
+  }
+
+  @Get(':noteIdOrAlias')
+  @OpenApi(200)
+  @Permissions(Permission.READ)
+  @UseInterceptors(GetNoteInterceptor)
+  async getNote(
+    @RequestUser({ guestsAllowed: true }) user: User | null,
+    @RequestNote() note: Note,
+  ): Promise<NoteDto> {
+    await this.historyService.updateHistoryEntryTimestamp(note, user);
+    return await this.noteService.toNoteDto(note);
+  }
+
+  @Get(':noteIdOrAlias/media')
+  @OpenApi(200)
+  @Permissions(Permission.READ)
+  @UseInterceptors(GetNoteInterceptor)
+  async getNotesMedia(@RequestNote() note: Note): Promise<MediaUploadDto[]> {
+    const media = await this.mediaService.listUploadsByNote(note);
+    return await Promise.all(
+      media.map((media) => this.mediaService.toMediaUploadDto(media)),
+    );
+  }
+
+  @Post()
+  @OpenApi(201, 413)
+  @Permissions(Permission.CREATE)
+  async createNote(
+    @RequestUser({ guestsAllowed: true }) user: User | null,
+    @MarkdownBody() text: string,
+  ): Promise<NoteDto> {
+    this.logger.debug('Got raw markdown:\n' + text, 'createNote');
+    return await this.noteService.toNoteDto(
+      await this.noteService.createNote(text, user),
+    );
+  }
+
+  @Post(':noteAlias')
+  @OpenApi(201, 400, 404, 409, 413)
+  @Permissions(Permission.CREATE)
+  async createNamedNote(
+    @RequestUser({ guestsAllowed: true }) user: User | null,
+    @Param('noteAlias') noteAlias: string,
+    @MarkdownBody() text: string,
+  ): Promise<NoteDto> {
+    this.logger.debug('Got raw markdown:\n' + text, 'createNamedNote');
+    return await this.noteService.toNoteDto(
+      await this.noteService.createNote(text, user, noteAlias),
+    );
+  }
+
+  @Delete(':noteIdOrAlias')
+  @OpenApi(204, 404, 500)
+  @Permissions(Permission.OWNER)
+  @UseInterceptors(GetNoteInterceptor)
+  async deleteNote(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+    @Body() noteMediaDeletionDto: NoteMediaDeletionDto,
+  ): Promise<void> {
+    const mediaUploads = await this.mediaService.listUploadsByNote(note);
+    for (const mediaUpload of mediaUploads) {
+      if (!noteMediaDeletionDto.keepMedia) {
+        await this.mediaService.deleteFile(mediaUpload);
+      } else {
+        await this.mediaService.removeNoteFromMediaUpload(mediaUpload);
+      }
+    }
+    this.logger.debug(`Deleting note: ${note.id}`, 'deleteNote');
+    await this.noteService.deleteNote(note);
+    this.logger.debug(`Successfully deleted ${note.id}`, 'deleteNote');
+    return;
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.READ)
+  @Get(':noteIdOrAlias/metadata')
+  async getNoteMetadata(
+    @RequestUser({ guestsAllowed: true }) user: User | null,
+    @RequestNote() note: Note,
+  ): Promise<NoteMetadataDto> {
+    return await this.noteService.toNoteMetadataDto(note);
+  }
+
+  @Get(':noteIdOrAlias/revisions')
+  @OpenApi(200, 404)
+  @Permissions(Permission.READ)
+  @UseInterceptors(GetNoteInterceptor)
+  async getNoteRevisions(
+    @RequestUser({ guestsAllowed: true }) user: User | null,
+    @RequestNote() note: Note,
+  ): Promise<RevisionMetadataDto[]> {
+    const revisions = await this.revisionsService.getAllRevisions(note);
+    return await Promise.all(
+      revisions.map((revision) =>
+        this.revisionsService.toRevisionMetadataDto(revision),
+      ),
+    );
+  }
+
+  @Delete(':noteIdOrAlias/revisions')
+  @OpenApi(204, 404)
+  @Permissions(Permission.OWNER)
+  @UseInterceptors(GetNoteInterceptor)
+  async purgeNoteRevisions(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+  ): Promise<void> {
+    this.logger.debug(
+      `Purging history of note: ${note.id}`,
+      'purgeNoteRevisions',
+    );
+    await this.revisionsService.purgeRevisions(note);
+    this.logger.debug(
+      `Successfully purged history of note ${note.id}`,
+      'purgeNoteRevisions',
+    );
+    return;
+  }
+
+  @Get(':noteIdOrAlias/revisions/:revisionId')
+  @OpenApi(200, 404)
+  @Permissions(Permission.READ)
+  @UseInterceptors(GetNoteInterceptor)
+  async getNoteRevision(
+    @RequestUser({ guestsAllowed: true }) user: User | null,
+    @RequestNote() note: Note,
+    @Param('revisionId') revisionId: number,
+  ): Promise<RevisionDto> {
+    return await this.revisionsService.toRevisionDto(
+      await this.revisionsService.getRevision(note, revisionId),
+    );
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.OWNER)
+  @UseGuards(TokenAuthGuard, PermissionsGuard)
+  async setUserPermission(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+    @Param('userName') username: string,
+    @Body() canEdit: boolean,
+  ): Promise<NotePermissionsDto> {
+    const permissionUser = await this.userService.getUserByUsername(username);
+    const returnedNote = await this.permissionService.setUserPermission(
+      note,
+      permissionUser,
+      canEdit,
+    );
+    return await this.noteService.toNotePermissionsDto(returnedNote);
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.OWNER)
+  @UseGuards(TokenAuthGuard, PermissionsGuard)
+  @Delete(':noteIdOrAlias/metadata/permissions/users/:userName')
+  async removeUserPermission(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+    @Param('userName') username: string,
+  ): Promise<NotePermissionsDto> {
+    try {
+      const permissionUser = await this.userService.getUserByUsername(username);
+      const returnedNote = await this.permissionService.removeUserPermission(
+        note,
+        permissionUser,
+      );
+      return await this.noteService.toNotePermissionsDto(returnedNote);
+    } catch (e) {
+      if (e instanceof NotInDBError) {
+        throw new BadRequestException(
+          "Can't remove user from permissions. User not known.",
+        );
+      }
+      throw e;
+    }
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.OWNER)
+  @UseGuards(TokenAuthGuard, PermissionsGuard)
+  @Put(':noteIdOrAlias/metadata/permissions/groups/:groupName')
+  async setGroupPermission(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+    @Param('groupName') groupName: string,
+    @Body() canEdit: boolean,
+  ): Promise<NotePermissionsDto> {
+    const permissionGroup = await this.groupService.getGroupByName(groupName);
+    const returnedNote = await this.permissionService.setGroupPermission(
+      note,
+      permissionGroup,
+      canEdit,
+    );
+    return await this.noteService.toNotePermissionsDto(returnedNote);
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.OWNER)
+  @UseGuards(TokenAuthGuard, PermissionsGuard)
+  @Delete(':noteIdOrAlias/metadata/permissions/groups/:groupName')
+  async removeGroupPermission(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+    @Param('groupName') groupName: string,
+  ): Promise<NotePermissionsDto> {
+    const permissionGroup = await this.groupService.getGroupByName(groupName);
+    const returnedNote = await this.permissionService.removeGroupPermission(
+      note,
+      permissionGroup,
+    );
+    return await this.noteService.toNotePermissionsDto(returnedNote);
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.OWNER)
+  @UseGuards(TokenAuthGuard, PermissionsGuard)
+  @Put(':noteIdOrAlias/metadata/permissions/owner')
+  async changeOwner(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+    @Body() newOwner: string,
+  ): Promise<NoteDto> {
+    const owner = await this.userService.getUserByUsername(newOwner);
+    return await this.noteService.toNoteDto(
+      await this.permissionService.changeOwner(note, owner),
+    );
+  }
+}

backend/src/api/private/private-api.module.ts

@@ -0,0 +1,57 @@
+/*
+ * SPDX-FileCopyrightText: 2021 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import { Module } from '@nestjs/common';
+
+import { AuthModule } from '../../auth/auth.module';
+import { FrontendConfigModule } from '../../frontend-config/frontend-config.module';
+import { GroupsModule } from '../../groups/groups.module';
+import { HistoryModule } from '../../history/history.module';
+import { IdentityModule } from '../../identity/identity.module';
+import { LoggerModule } from '../../logger/logger.module';
+import { MediaModule } from '../../media/media.module';
+import { NotesModule } from '../../notes/notes.module';
+import { PermissionsModule } from '../../permissions/permissions.module';
+import { RevisionsModule } from '../../revisions/revisions.module';
+import { UsersModule } from '../../users/users.module';
+import { AliasController } from './alias/alias.controller';
+import { AuthController } from './auth/auth.controller';
+import { ConfigController } from './config/config.controller';
+import { GroupsController } from './groups/groups.controller';
+import { HistoryController } from './me/history/history.controller';
+import { MeController } from './me/me.controller';
+import { MediaController } from './media/media.controller';
+import { NotesController } from './notes/notes.controller';
+import { TokensController } from './tokens/tokens.controller';
+import { UsersController } from './users/users.controller';
+
+@Module({
+  imports: [
+    LoggerModule,
+    UsersModule,
+    AuthModule,
+    FrontendConfigModule,
+    HistoryModule,
+    PermissionsModule,
+    NotesModule,
+    MediaModule,
+    RevisionsModule,
+    IdentityModule,
+    GroupsModule,
+  ],
+  controllers: [
+    TokensController,
+    ConfigController,
+    MediaController,
+    HistoryController,
+    MeController,
+    NotesController,
+    AliasController,
+    AuthController,
+    UsersController,
+    GroupsController,
+  ],
+})
+export class PrivateApiModule {}

backend/src/api/private/tokens/tokens.controller.ts

@@ -0,0 +1,79 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import {
+  Body,
+  Controller,
+  Delete,
+  Get,
+  Param,
+  Post,
+  UnauthorizedException,
+  UseGuards,
+} from '@nestjs/common';
+import { ApiTags } from '@nestjs/swagger';
+
+import {
+  AuthTokenCreateDto,
+  AuthTokenDto,
+  AuthTokenWithSecretDto,
+} from '../../../auth/auth-token.dto';
+import { AuthService } from '../../../auth/auth.service';
+import { SessionGuard } from '../../../identity/session.guard';
+import { ConsoleLoggerService } from '../../../logger/console-logger.service';
+import { User } from '../../../users/user.entity';
+import { OpenApi } from '../../utils/openapi.decorator';
+import { RequestUser } from '../../utils/request-user.decorator';
+
+@UseGuards(SessionGuard)
+@OpenApi(401)
+@ApiTags('tokens')
+@Controller('tokens')
+export class TokensController {
+  constructor(
+    private readonly logger: ConsoleLoggerService,
+    private authService: AuthService,
+  ) {
+    this.logger.setContext(TokensController.name);
+  }
+
+  @Get()
+  @OpenApi(200)
+  async getUserTokens(@RequestUser() user: User): Promise<AuthTokenDto[]> {
+    return (await this.authService.getTokensByUser(user)).map((token) =>
+      this.authService.toAuthTokenDto(token),
+    );
+  }
+
+  @Post()
+  @OpenApi(201)
+  async postTokenRequest(
+    @Body() createDto: AuthTokenCreateDto,
+    @RequestUser() user: User,
+  ): Promise<AuthTokenWithSecretDto> {
+    return await this.authService.addToken(
+      user,
+      createDto.label,
+      createDto.validUntil,
+    );
+  }
+
+  @Delete('/:keyId')
+  @OpenApi(204, 404)
+  async deleteToken(
+    @RequestUser() user: User,
+    @Param('keyId') keyId: string,
+  ): Promise<void> {
+    const tokens = await this.authService.getTokensByUser(user);
+    for (const token of tokens) {
+      if (token.keyId == keyId) {
+        return await this.authService.removeToken(keyId);
+      }
+    }
+    throw new UnauthorizedException(
+      'User is not authorized to delete this token',
+    );
+  }
+}

backend/src/api/private/users/users.controller.ts

@@ -0,0 +1,31 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import { Controller, Get, Param } from '@nestjs/common';
+import { ApiTags } from '@nestjs/swagger';
+
+import { ConsoleLoggerService } from '../../../logger/console-logger.service';
+import { UserInfoDto } from '../../../users/user-info.dto';
+import { UsersService } from '../../../users/users.service';
+import { OpenApi } from '../../utils/openapi.decorator';
+
+@ApiTags('users')
+@Controller('users')
+export class UsersController {
+  constructor(
+    private readonly logger: ConsoleLoggerService,
+    private userService: UsersService,
+  ) {
+    this.logger.setContext(UsersController.name);
+  }
+
+  @Get(':username')
+  @OpenApi(200)
+  async getUser(@Param('username') username: string): Promise<UserInfoDto> {
+    return this.userService.toUserDto(
+      await this.userService.getUserByUsername(username),
+    );
+  }
+}