Move internal packages to an internal folder

For reference: https://go.dev/doc/go1.4#internalpackages

internal/api/api.go

@@ -0,0 +1,69 @@
+// SPDX-FileCopyrightText: Copyright The Miniflux Authors. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package api // import "miniflux.app/v2/internal/api"
+
+import (
+	"net/http"
+
+	"miniflux.app/v2/internal/storage"
+	"miniflux.app/v2/internal/worker"
+
+	"github.com/gorilla/mux"
+)
+
+type handler struct {
+	store  *storage.Storage
+	pool   *worker.Pool
+	router *mux.Router
+}
+
+// Serve declares API routes for the application.
+func Serve(router *mux.Router, store *storage.Storage, pool *worker.Pool) {
+	handler := &handler{store, pool, router}
+
+	sr := router.PathPrefix("/v1").Subrouter()
+	middleware := newMiddleware(store)
+	sr.Use(middleware.handleCORS)
+	sr.Use(middleware.apiKeyAuth)
+	sr.Use(middleware.basicAuth)
+	sr.Methods(http.MethodOptions)
+	sr.HandleFunc("/users", handler.createUser).Methods(http.MethodPost)
+	sr.HandleFunc("/users", handler.users).Methods(http.MethodGet)
+	sr.HandleFunc("/users/{userID:[0-9]+}", handler.userByID).Methods(http.MethodGet)
+	sr.HandleFunc("/users/{userID:[0-9]+}", handler.updateUser).Methods(http.MethodPut)
+	sr.HandleFunc("/users/{userID:[0-9]+}", handler.removeUser).Methods(http.MethodDelete)
+	sr.HandleFunc("/users/{userID:[0-9]+}/mark-all-as-read", handler.markUserAsRead).Methods(http.MethodPut)
+	sr.HandleFunc("/users/{username}", handler.userByUsername).Methods(http.MethodGet)
+	sr.HandleFunc("/me", handler.currentUser).Methods(http.MethodGet)
+	sr.HandleFunc("/categories", handler.createCategory).Methods(http.MethodPost)
+	sr.HandleFunc("/categories", handler.getCategories).Methods(http.MethodGet)
+	sr.HandleFunc("/categories/{categoryID}", handler.updateCategory).Methods(http.MethodPut)
+	sr.HandleFunc("/categories/{categoryID}", handler.removeCategory).Methods(http.MethodDelete)
+	sr.HandleFunc("/categories/{categoryID}/mark-all-as-read", handler.markCategoryAsRead).Methods(http.MethodPut)
+	sr.HandleFunc("/categories/{categoryID}/feeds", handler.getCategoryFeeds).Methods(http.MethodGet)
+	sr.HandleFunc("/categories/{categoryID}/refresh", handler.refreshCategory).Methods(http.MethodPut)
+	sr.HandleFunc("/categories/{categoryID}/entries", handler.getCategoryEntries).Methods(http.MethodGet)
+	sr.HandleFunc("/categories/{categoryID}/entries/{entryID}", handler.getCategoryEntry).Methods(http.MethodGet)
+	sr.HandleFunc("/discover", handler.discoverSubscriptions).Methods(http.MethodPost)
+	sr.HandleFunc("/feeds", handler.createFeed).Methods(http.MethodPost)
+	sr.HandleFunc("/feeds", handler.getFeeds).Methods(http.MethodGet)
+	sr.HandleFunc("/feeds/counters", handler.fetchCounters).Methods(http.MethodGet)
+	sr.HandleFunc("/feeds/refresh", handler.refreshAllFeeds).Methods(http.MethodPut)
+	sr.HandleFunc("/feeds/{feedID}/refresh", handler.refreshFeed).Methods(http.MethodPut)
+	sr.HandleFunc("/feeds/{feedID}", handler.getFeed).Methods(http.MethodGet)
+	sr.HandleFunc("/feeds/{feedID}", handler.updateFeed).Methods(http.MethodPut)
+	sr.HandleFunc("/feeds/{feedID}", handler.removeFeed).Methods(http.MethodDelete)
+	sr.HandleFunc("/feeds/{feedID}/icon", handler.feedIcon).Methods(http.MethodGet)
+	sr.HandleFunc("/feeds/{feedID}/mark-all-as-read", handler.markFeedAsRead).Methods(http.MethodPut)
+	sr.HandleFunc("/export", handler.exportFeeds).Methods(http.MethodGet)
+	sr.HandleFunc("/import", handler.importFeeds).Methods(http.MethodPost)
+	sr.HandleFunc("/feeds/{feedID}/entries", handler.getFeedEntries).Methods(http.MethodGet)
+	sr.HandleFunc("/feeds/{feedID}/entries/{entryID}", handler.getFeedEntry).Methods(http.MethodGet)
+	sr.HandleFunc("/entries", handler.getEntries).Methods(http.MethodGet)
+	sr.HandleFunc("/entries", handler.setEntryStatus).Methods(http.MethodPut)
+	sr.HandleFunc("/entries/{entryID}", handler.getEntry).Methods(http.MethodGet)
+	sr.HandleFunc("/entries/{entryID}/bookmark", handler.toggleBookmark).Methods(http.MethodPut)
+	sr.HandleFunc("/entries/{entryID}/save", handler.saveEntry).Methods(http.MethodPost)
+	sr.HandleFunc("/entries/{entryID}/fetch-content", handler.fetchContent).Methods(http.MethodGet)
+}

internal/api/category.go

@@ -0,0 +1,149 @@
+// SPDX-FileCopyrightText: Copyright The Miniflux Authors. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package api // import "miniflux.app/v2/internal/api"
+
+import (
+	json_parser "encoding/json"
+	"net/http"
+	"time"
+
+	"miniflux.app/v2/internal/http/request"
+	"miniflux.app/v2/internal/http/response/json"
+	"miniflux.app/v2/internal/model"
+	"miniflux.app/v2/internal/validator"
+)
+
+func (h *handler) createCategory(w http.ResponseWriter, r *http.Request) {
+	userID := request.UserID(r)
+
+	var categoryRequest model.CategoryRequest
+	if err := json_parser.NewDecoder(r.Body).Decode(&categoryRequest); err != nil {
+		json.BadRequest(w, r, err)
+		return
+	}
+
+	if validationErr := validator.ValidateCategoryCreation(h.store, userID, &categoryRequest); validationErr != nil {
+		json.BadRequest(w, r, validationErr.Error())
+		return
+	}
+
+	category, err := h.store.CreateCategory(userID, &categoryRequest)
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	json.Created(w, r, category)
+}
+
+func (h *handler) updateCategory(w http.ResponseWriter, r *http.Request) {
+	userID := request.UserID(r)
+	categoryID := request.RouteInt64Param(r, "categoryID")
+
+	category, err := h.store.Category(userID, categoryID)
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	if category == nil {
+		json.NotFound(w, r)
+		return
+	}
+
+	var categoryRequest model.CategoryRequest
+	if err := json_parser.NewDecoder(r.Body).Decode(&categoryRequest); err != nil {
+		json.BadRequest(w, r, err)
+		return
+	}
+
+	if validationErr := validator.ValidateCategoryModification(h.store, userID, category.ID, &categoryRequest); validationErr != nil {
+		json.BadRequest(w, r, validationErr.Error())
+		return
+	}
+
+	categoryRequest.Patch(category)
+	err = h.store.UpdateCategory(category)
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	json.Created(w, r, category)
+}
+
+func (h *handler) markCategoryAsRead(w http.ResponseWriter, r *http.Request) {
+	userID := request.UserID(r)
+	categoryID := request.RouteInt64Param(r, "categoryID")
+
+	category, err := h.store.Category(userID, categoryID)
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	if category == nil {
+		json.NotFound(w, r)
+		return
+	}
+
+	if err = h.store.MarkCategoryAsRead(userID, categoryID, time.Now()); err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	json.NoContent(w, r)
+}
+
+func (h *handler) getCategories(w http.ResponseWriter, r *http.Request) {
+	var categories model.Categories
+	var err error
+	includeCounts := request.QueryStringParam(r, "counts", "false")
+
+	if includeCounts == "true" {
+		categories, err = h.store.CategoriesWithFeedCount(request.UserID(r))
+	} else {
+		categories, err = h.store.Categories(request.UserID(r))
+	}
+
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+	json.OK(w, r, categories)
+}
+
+func (h *handler) removeCategory(w http.ResponseWriter, r *http.Request) {
+	userID := request.UserID(r)
+	categoryID := request.RouteInt64Param(r, "categoryID")
+
+	if !h.store.CategoryIDExists(userID, categoryID) {
+		json.NotFound(w, r)
+		return
+	}
+
+	if err := h.store.RemoveCategory(userID, categoryID); err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	json.NoContent(w, r)
+}
+
+func (h *handler) refreshCategory(w http.ResponseWriter, r *http.Request) {
+	userID := request.UserID(r)
+	categoryID := request.RouteInt64Param(r, "categoryID")
+
+	jobs, err := h.store.NewCategoryBatch(userID, categoryID, h.store.CountFeeds(userID))
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	go func() {
+		h.pool.Push(jobs)
+	}()
+
+	json.NoContent(w, r)
+}

internal/api/entry.go

@@ -0,0 +1,322 @@
+// SPDX-FileCopyrightText: Copyright The Miniflux Authors. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package api // import "miniflux.app/v2/internal/api"
+
+import (
+	json_parser "encoding/json"
+	"errors"
+	"net/http"
+	"strconv"
+	"strings"
+	"time"
+
+	"miniflux.app/v2/internal/config"
+	"miniflux.app/v2/internal/http/request"
+	"miniflux.app/v2/internal/http/response/json"
+	"miniflux.app/v2/internal/integration"
+	"miniflux.app/v2/internal/model"
+	"miniflux.app/v2/internal/proxy"
+	"miniflux.app/v2/internal/reader/processor"
+	"miniflux.app/v2/internal/storage"
+	"miniflux.app/v2/internal/url"
+	"miniflux.app/v2/internal/validator"
+)
+
+func (h *handler) getEntryFromBuilder(w http.ResponseWriter, r *http.Request, b *storage.EntryQueryBuilder) {
+	entry, err := b.GetEntry()
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	if entry == nil {
+		json.NotFound(w, r)
+		return
+	}
+
+	entry.Content = proxy.AbsoluteProxyRewriter(h.router, r.Host, entry.Content)
+	proxyOption := config.Opts.ProxyOption()
+
+	for i := range entry.Enclosures {
+		if proxyOption == "all" || proxyOption != "none" && !url.IsHTTPS(entry.Enclosures[i].URL) {
+			for _, mediaType := range config.Opts.ProxyMediaTypes() {
+				if strings.HasPrefix(entry.Enclosures[i].MimeType, mediaType+"/") {
+					entry.Enclosures[i].URL = proxy.AbsoluteProxifyURL(h.router, r.Host, entry.Enclosures[i].URL)
+					break
+				}
+			}
+		}
+	}
+
+	json.OK(w, r, entry)
+}
+
+func (h *handler) getFeedEntry(w http.ResponseWriter, r *http.Request) {
+	feedID := request.RouteInt64Param(r, "feedID")
+	entryID := request.RouteInt64Param(r, "entryID")
+
+	builder := h.store.NewEntryQueryBuilder(request.UserID(r))
+	builder.WithFeedID(feedID)
+	builder.WithEntryID(entryID)
+
+	h.getEntryFromBuilder(w, r, builder)
+}
+
+func (h *handler) getCategoryEntry(w http.ResponseWriter, r *http.Request) {
+	categoryID := request.RouteInt64Param(r, "categoryID")
+	entryID := request.RouteInt64Param(r, "entryID")
+
+	builder := h.store.NewEntryQueryBuilder(request.UserID(r))
+	builder.WithCategoryID(categoryID)
+	builder.WithEntryID(entryID)
+
+	h.getEntryFromBuilder(w, r, builder)
+}
+
+func (h *handler) getEntry(w http.ResponseWriter, r *http.Request) {
+	entryID := request.RouteInt64Param(r, "entryID")
+	builder := h.store.NewEntryQueryBuilder(request.UserID(r))
+	builder.WithEntryID(entryID)
+
+	h.getEntryFromBuilder(w, r, builder)
+}
+
+func (h *handler) getFeedEntries(w http.ResponseWriter, r *http.Request) {
+	feedID := request.RouteInt64Param(r, "feedID")
+	h.findEntries(w, r, feedID, 0)
+}
+
+func (h *handler) getCategoryEntries(w http.ResponseWriter, r *http.Request) {
+	categoryID := request.RouteInt64Param(r, "categoryID")
+	h.findEntries(w, r, 0, categoryID)
+}
+
+func (h *handler) getEntries(w http.ResponseWriter, r *http.Request) {
+	h.findEntries(w, r, 0, 0)
+}
+
+func (h *handler) findEntries(w http.ResponseWriter, r *http.Request, feedID int64, categoryID int64) {
+	statuses := request.QueryStringParamList(r, "status")
+	for _, status := range statuses {
+		if err := validator.ValidateEntryStatus(status); err != nil {
+			json.BadRequest(w, r, err)
+			return
+		}
+	}
+
+	order := request.QueryStringParam(r, "order", model.DefaultSortingOrder)
+	if err := validator.ValidateEntryOrder(order); err != nil {
+		json.BadRequest(w, r, err)
+		return
+	}
+
+	direction := request.QueryStringParam(r, "direction", model.DefaultSortingDirection)
+	if err := validator.ValidateDirection(direction); err != nil {
+		json.BadRequest(w, r, err)
+		return
+	}
+
+	limit := request.QueryIntParam(r, "limit", 100)
+	offset := request.QueryIntParam(r, "offset", 0)
+	if err := validator.ValidateRange(offset, limit); err != nil {
+		json.BadRequest(w, r, err)
+		return
+	}
+
+	userID := request.UserID(r)
+	categoryID = request.QueryInt64Param(r, "category_id", categoryID)
+	if categoryID > 0 && !h.store.CategoryIDExists(userID, categoryID) {
+		json.BadRequest(w, r, errors.New("invalid category ID"))
+		return
+	}
+
+	feedID = request.QueryInt64Param(r, "feed_id", feedID)
+	if feedID > 0 && !h.store.FeedExists(userID, feedID) {
+		json.BadRequest(w, r, errors.New("invalid feed ID"))
+		return
+	}
+
+	tags := request.QueryStringParamList(r, "tags")
+
+	builder := h.store.NewEntryQueryBuilder(userID)
+	builder.WithFeedID(feedID)
+	builder.WithCategoryID(categoryID)
+	builder.WithStatuses(statuses)
+	builder.WithSorting(order, direction)
+	builder.WithOffset(offset)
+	builder.WithLimit(limit)
+	builder.WithTags(tags)
+	configureFilters(builder, r)
+
+	entries, err := builder.GetEntries()
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	count, err := builder.CountEntries()
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	for i := range entries {
+		entries[i].Content = proxy.AbsoluteProxyRewriter(h.router, r.Host, entries[i].Content)
+	}
+
+	json.OK(w, r, &entriesResponse{Total: count, Entries: entries})
+}
+
+func (h *handler) setEntryStatus(w http.ResponseWriter, r *http.Request) {
+	var entriesStatusUpdateRequest model.EntriesStatusUpdateRequest
+	if err := json_parser.NewDecoder(r.Body).Decode(&entriesStatusUpdateRequest); err != nil {
+		json.BadRequest(w, r, err)
+		return
+	}
+
+	if err := validator.ValidateEntriesStatusUpdateRequest(&entriesStatusUpdateRequest); err != nil {
+		json.BadRequest(w, r, err)
+		return
+	}
+
+	if err := h.store.SetEntriesStatus(request.UserID(r), entriesStatusUpdateRequest.EntryIDs, entriesStatusUpdateRequest.Status); err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	json.NoContent(w, r)
+}
+
+func (h *handler) toggleBookmark(w http.ResponseWriter, r *http.Request) {
+	entryID := request.RouteInt64Param(r, "entryID")
+	if err := h.store.ToggleBookmark(request.UserID(r), entryID); err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	json.NoContent(w, r)
+}
+
+func (h *handler) saveEntry(w http.ResponseWriter, r *http.Request) {
+	entryID := request.RouteInt64Param(r, "entryID")
+	builder := h.store.NewEntryQueryBuilder(request.UserID(r))
+	builder.WithEntryID(entryID)
+	builder.WithoutStatus(model.EntryStatusRemoved)
+
+	if !h.store.HasSaveEntry(request.UserID(r)) {
+		json.BadRequest(w, r, errors.New("no third-party integration enabled"))
+		return
+	}
+
+	entry, err := builder.GetEntry()
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	if entry == nil {
+		json.NotFound(w, r)
+		return
+	}
+
+	settings, err := h.store.Integration(request.UserID(r))
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	go integration.SendEntry(entry, settings)
+
+	json.Accepted(w, r)
+}
+
+func (h *handler) fetchContent(w http.ResponseWriter, r *http.Request) {
+	loggedUserID := request.UserID(r)
+	entryID := request.RouteInt64Param(r, "entryID")
+
+	entryBuilder := h.store.NewEntryQueryBuilder(loggedUserID)
+	entryBuilder.WithEntryID(entryID)
+	entryBuilder.WithoutStatus(model.EntryStatusRemoved)
+
+	entry, err := entryBuilder.GetEntry()
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	if entry == nil {
+		json.NotFound(w, r)
+		return
+	}
+
+	user, err := h.store.UserByID(entry.UserID)
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	if user == nil {
+		json.NotFound(w, r)
+		return
+	}
+
+	feedBuilder := storage.NewFeedQueryBuilder(h.store, loggedUserID)
+	feedBuilder.WithFeedID(entry.FeedID)
+	feed, err := feedBuilder.GetFeed()
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	if feed == nil {
+		json.NotFound(w, r)
+		return
+	}
+
+	if err := processor.ProcessEntryWebPage(feed, entry, user); err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	json.OK(w, r, map[string]string{"content": entry.Content})
+}
+
+func configureFilters(builder *storage.EntryQueryBuilder, r *http.Request) {
+	beforeEntryID := request.QueryInt64Param(r, "before_entry_id", 0)
+	if beforeEntryID > 0 {
+		builder.BeforeEntryID(beforeEntryID)
+	}
+
+	afterEntryID := request.QueryInt64Param(r, "after_entry_id", 0)
+	if afterEntryID > 0 {
+		builder.AfterEntryID(afterEntryID)
+	}
+
+	beforeTimestamp := request.QueryInt64Param(r, "before", 0)
+	if beforeTimestamp > 0 {
+		builder.BeforeDate(time.Unix(beforeTimestamp, 0))
+	}
+
+	afterTimestamp := request.QueryInt64Param(r, "after", 0)
+	if afterTimestamp > 0 {
+		builder.AfterDate(time.Unix(afterTimestamp, 0))
+	}
+
+	categoryID := request.QueryInt64Param(r, "category_id", 0)
+	if categoryID > 0 {
+		builder.WithCategoryID(categoryID)
+	}
+
+	if request.HasQueryParam(r, "starred") {
+		starred, err := strconv.ParseBool(r.URL.Query().Get("starred"))
+		if err == nil {
+			builder.WithStarred(starred)
+		}
+	}
+
+	searchQuery := request.QueryStringParam(r, "search", "")
+	if searchQuery != "" {
+		builder.WithSearchQuery(searchQuery)
+	}
+}

internal/api/feed.go

@@ -0,0 +1,213 @@
+// SPDX-FileCopyrightText: Copyright The Miniflux Authors. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package api // import "miniflux.app/v2/internal/api"
+
+import (
+	json_parser "encoding/json"
+	"net/http"
+	"time"
+
+	"miniflux.app/v2/internal/http/request"
+	"miniflux.app/v2/internal/http/response/json"
+	"miniflux.app/v2/internal/model"
+	feedHandler "miniflux.app/v2/internal/reader/handler"
+	"miniflux.app/v2/internal/validator"
+)
+
+func (h *handler) createFeed(w http.ResponseWriter, r *http.Request) {
+	userID := request.UserID(r)
+
+	var feedCreationRequest model.FeedCreationRequest
+	if err := json_parser.NewDecoder(r.Body).Decode(&feedCreationRequest); err != nil {
+		json.BadRequest(w, r, err)
+		return
+	}
+
+	if validationErr := validator.ValidateFeedCreation(h.store, userID, &feedCreationRequest); validationErr != nil {
+		json.BadRequest(w, r, validationErr.Error())
+		return
+	}
+
+	feed, err := feedHandler.CreateFeed(h.store, userID, &feedCreationRequest)
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	json.Created(w, r, &feedCreationResponse{FeedID: feed.ID})
+}
+
+func (h *handler) refreshFeed(w http.ResponseWriter, r *http.Request) {
+	feedID := request.RouteInt64Param(r, "feedID")
+	userID := request.UserID(r)
+
+	if !h.store.FeedExists(userID, feedID) {
+		json.NotFound(w, r)
+		return
+	}
+
+	err := feedHandler.RefreshFeed(h.store, userID, feedID, false)
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	json.NoContent(w, r)
+}
+
+func (h *handler) refreshAllFeeds(w http.ResponseWriter, r *http.Request) {
+	userID := request.UserID(r)
+	jobs, err := h.store.NewUserBatch(userID, h.store.CountFeeds(userID))
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	go func() {
+		h.pool.Push(jobs)
+	}()
+
+	json.NoContent(w, r)
+}
+
+func (h *handler) updateFeed(w http.ResponseWriter, r *http.Request) {
+	var feedModificationRequest model.FeedModificationRequest
+	if err := json_parser.NewDecoder(r.Body).Decode(&feedModificationRequest); err != nil {
+		json.BadRequest(w, r, err)
+		return
+	}
+
+	userID := request.UserID(r)
+	feedID := request.RouteInt64Param(r, "feedID")
+
+	originalFeed, err := h.store.FeedByID(userID, feedID)
+	if err != nil {
+		json.NotFound(w, r)
+		return
+	}
+
+	if originalFeed == nil {
+		json.NotFound(w, r)
+		return
+	}
+
+	if validationErr := validator.ValidateFeedModification(h.store, userID, &feedModificationRequest); validationErr != nil {
+		json.BadRequest(w, r, validationErr.Error())
+		return
+	}
+
+	feedModificationRequest.Patch(originalFeed)
+	if err := h.store.UpdateFeed(originalFeed); err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	originalFeed, err = h.store.FeedByID(userID, feedID)
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	json.Created(w, r, originalFeed)
+}
+
+func (h *handler) markFeedAsRead(w http.ResponseWriter, r *http.Request) {
+	feedID := request.RouteInt64Param(r, "feedID")
+	userID := request.UserID(r)
+
+	feed, err := h.store.FeedByID(userID, feedID)
+	if err != nil {
+		json.NotFound(w, r)
+		return
+	}
+
+	if feed == nil {
+		json.NotFound(w, r)
+		return
+	}
+
+	if err := h.store.MarkFeedAsRead(userID, feedID, time.Now()); err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	json.NoContent(w, r)
+}
+
+func (h *handler) getCategoryFeeds(w http.ResponseWriter, r *http.Request) {
+	userID := request.UserID(r)
+	categoryID := request.RouteInt64Param(r, "categoryID")
+
+	category, err := h.store.Category(userID, categoryID)
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	if category == nil {
+		json.NotFound(w, r)
+		return
+	}
+
+	feeds, err := h.store.FeedsByCategoryWithCounters(userID, categoryID)
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	json.OK(w, r, feeds)
+}
+
+func (h *handler) getFeeds(w http.ResponseWriter, r *http.Request) {
+	feeds, err := h.store.Feeds(request.UserID(r))
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	json.OK(w, r, feeds)
+}
+
+func (h *handler) fetchCounters(w http.ResponseWriter, r *http.Request) {
+	counters, err := h.store.FetchCounters(request.UserID(r))
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	json.OK(w, r, counters)
+}
+
+func (h *handler) getFeed(w http.ResponseWriter, r *http.Request) {
+	feedID := request.RouteInt64Param(r, "feedID")
+	feed, err := h.store.FeedByID(request.UserID(r), feedID)
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	if feed == nil {
+		json.NotFound(w, r)
+		return
+	}
+
+	json.OK(w, r, feed)
+}
+
+func (h *handler) removeFeed(w http.ResponseWriter, r *http.Request) {
+	feedID := request.RouteInt64Param(r, "feedID")
+	userID := request.UserID(r)
+
+	if !h.store.FeedExists(userID, feedID) {
+		json.NotFound(w, r)
+		return
+	}
+
+	if err := h.store.RemoveFeed(userID, feedID); err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	json.NoContent(w, r)
+}

internal/api/icon.go

@@ -0,0 +1,37 @@
+// SPDX-FileCopyrightText: Copyright The Miniflux Authors. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package api // import "miniflux.app/v2/internal/api"
+
+import (
+	"net/http"
+
+	"miniflux.app/v2/internal/http/request"
+	"miniflux.app/v2/internal/http/response/json"
+)
+
+func (h *handler) feedIcon(w http.ResponseWriter, r *http.Request) {
+	feedID := request.RouteInt64Param(r, "feedID")
+
+	if !h.store.HasIcon(feedID) {
+		json.NotFound(w, r)
+		return
+	}
+
+	icon, err := h.store.IconByFeedID(request.UserID(r), feedID)
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	if icon == nil {
+		json.NotFound(w, r)
+		return
+	}
+
+	json.OK(w, r, &feedIconResponse{
+		ID:       icon.ID,
+		MimeType: icon.MimeType,
+		Data:     icon.DataURL(),
+	})
+}

internal/api/middleware.go

@@ -0,0 +1,128 @@
+// SPDX-FileCopyrightText: Copyright The Miniflux Authors. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package api // import "miniflux.app/v2/internal/api"
+
+import (
+	"context"
+	"net/http"
+
+	"miniflux.app/v2/internal/http/request"
+	"miniflux.app/v2/internal/http/response/json"
+	"miniflux.app/v2/internal/logger"
+	"miniflux.app/v2/internal/storage"
+)
+
+type middleware struct {
+	store *storage.Storage
+}
+
+func newMiddleware(s *storage.Storage) *middleware {
+	return &middleware{s}
+}
+func (m *middleware) handleCORS(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Access-Control-Allow-Origin", "*")
+		w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
+		w.Header().Set("Access-Control-Allow-Headers", "X-Auth-Token, Authorization, Content-Type, Accept")
+		if r.Method == http.MethodOptions {
+			w.Header().Set("Access-Control-Max-Age", "3600")
+			w.WriteHeader(http.StatusOK)
+			return
+		}
+		next.ServeHTTP(w, r)
+	})
+}
+
+func (m *middleware) apiKeyAuth(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		clientIP := request.ClientIP(r)
+		token := r.Header.Get("X-Auth-Token")
+
+		if token == "" {
+			logger.Debug("[API][TokenAuth] [ClientIP=%s] No API Key provided, go to the next middleware", clientIP)
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		user, err := m.store.UserByAPIKey(token)
+		if err != nil {
+			logger.Error("[API][TokenAuth] %v", err)
+			json.ServerError(w, r, err)
+			return
+		}
+
+		if user == nil {
+			logger.Error("[API][TokenAuth] [ClientIP=%s] No user found with the given API key", clientIP)
+			json.Unauthorized(w, r)
+			return
+		}
+
+		logger.Info("[API][TokenAuth] [ClientIP=%s] User authenticated: %s", clientIP, user.Username)
+		m.store.SetLastLogin(user.ID)
+		m.store.SetAPIKeyUsedTimestamp(user.ID, token)
+
+		ctx := r.Context()
+		ctx = context.WithValue(ctx, request.UserIDContextKey, user.ID)
+		ctx = context.WithValue(ctx, request.UserTimezoneContextKey, user.Timezone)
+		ctx = context.WithValue(ctx, request.IsAdminUserContextKey, user.IsAdmin)
+		ctx = context.WithValue(ctx, request.IsAuthenticatedContextKey, true)
+
+		next.ServeHTTP(w, r.WithContext(ctx))
+	})
+}
+
+func (m *middleware) basicAuth(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if request.IsAuthenticated(r) {
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
+
+		clientIP := request.ClientIP(r)
+		username, password, authOK := r.BasicAuth()
+		if !authOK {
+			logger.Debug("[API][BasicAuth] [ClientIP=%s] No authentication headers sent", clientIP)
+			json.Unauthorized(w, r)
+			return
+		}
+
+		if username == "" || password == "" {
+			logger.Error("[API][BasicAuth] [ClientIP=%s] Empty username or password", clientIP)
+			json.Unauthorized(w, r)
+			return
+		}
+
+		if err := m.store.CheckPassword(username, password); err != nil {
+			logger.Error("[API][BasicAuth] [ClientIP=%s] Invalid username or password: %s", clientIP, username)
+			json.Unauthorized(w, r)
+			return
+		}
+
+		user, err := m.store.UserByUsername(username)
+		if err != nil {
+			logger.Error("[API][BasicAuth] %v", err)
+			json.ServerError(w, r, err)
+			return
+		}
+
+		if user == nil {
+			logger.Error("[API][BasicAuth] [ClientIP=%s] User not found: %s", clientIP, username)
+			json.Unauthorized(w, r)
+			return
+		}
+
+		logger.Info("[API][BasicAuth] [ClientIP=%s] User authenticated: %s", clientIP, username)
+		m.store.SetLastLogin(user.ID)
+
+		ctx := r.Context()
+		ctx = context.WithValue(ctx, request.UserIDContextKey, user.ID)
+		ctx = context.WithValue(ctx, request.UserTimezoneContextKey, user.Timezone)
+		ctx = context.WithValue(ctx, request.IsAdminUserContextKey, user.IsAdmin)
+		ctx = context.WithValue(ctx, request.IsAuthenticatedContextKey, true)
+
+		next.ServeHTTP(w, r.WithContext(ctx))
+	})
+}

internal/api/opml.go

@@ -0,0 +1,36 @@
+// SPDX-FileCopyrightText: Copyright The Miniflux Authors. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package api // import "miniflux.app/v2/internal/api"
+
+import (
+	"net/http"
+
+	"miniflux.app/v2/internal/http/request"
+	"miniflux.app/v2/internal/http/response/json"
+	"miniflux.app/v2/internal/http/response/xml"
+	"miniflux.app/v2/internal/reader/opml"
+)
+
+func (h *handler) exportFeeds(w http.ResponseWriter, r *http.Request) {
+	opmlHandler := opml.NewHandler(h.store)
+	opml, err := opmlHandler.Export(request.UserID(r))
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	xml.OK(w, r, opml)
+}
+
+func (h *handler) importFeeds(w http.ResponseWriter, r *http.Request) {
+	opmlHandler := opml.NewHandler(h.store)
+	err := opmlHandler.Import(request.UserID(r), r.Body)
+	defer r.Body.Close()
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	json.Created(w, r, map[string]string{"message": "Feeds imported successfully"})
+}

internal/api/payload.go

@@ -0,0 +1,23 @@
+// SPDX-FileCopyrightText: Copyright The Miniflux Authors. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package api // import "miniflux.app/v2/internal/api"
+
+import (
+	"miniflux.app/v2/internal/model"
+)
+
+type feedIconResponse struct {
+	ID       int64  `json:"id"`
+	MimeType string `json:"mime_type"`
+	Data     string `json:"data"`
+}
+
+type entriesResponse struct {
+	Total   int           `json:"total"`
+	Entries model.Entries `json:"entries"`
+}
+
+type feedCreationResponse struct {
+	FeedID int64 `json:"feed_id"`
+}

internal/api/subscription.go

@@ -0,0 +1,48 @@
+// SPDX-FileCopyrightText: Copyright The Miniflux Authors. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package api // import "miniflux.app/v2/internal/api"
+
+import (
+	json_parser "encoding/json"
+	"net/http"
+
+	"miniflux.app/v2/internal/http/response/json"
+	"miniflux.app/v2/internal/model"
+	"miniflux.app/v2/internal/reader/subscription"
+	"miniflux.app/v2/internal/validator"
+)
+
+func (h *handler) discoverSubscriptions(w http.ResponseWriter, r *http.Request) {
+	var subscriptionDiscoveryRequest model.SubscriptionDiscoveryRequest
+	if err := json_parser.NewDecoder(r.Body).Decode(&subscriptionDiscoveryRequest); err != nil {
+		json.BadRequest(w, r, err)
+		return
+	}
+
+	if validationErr := validator.ValidateSubscriptionDiscovery(&subscriptionDiscoveryRequest); validationErr != nil {
+		json.BadRequest(w, r, validationErr.Error())
+		return
+	}
+
+	subscriptions, finderErr := subscription.FindSubscriptions(
+		subscriptionDiscoveryRequest.URL,
+		subscriptionDiscoveryRequest.UserAgent,
+		subscriptionDiscoveryRequest.Cookie,
+		subscriptionDiscoveryRequest.Username,
+		subscriptionDiscoveryRequest.Password,
+		subscriptionDiscoveryRequest.FetchViaProxy,
+		subscriptionDiscoveryRequest.AllowSelfSignedCertificates,
+	)
+	if finderErr != nil {
+		json.ServerError(w, r, finderErr)
+		return
+	}
+
+	if subscriptions == nil {
+		json.NotFound(w, r)
+		return
+	}
+
+	json.OK(w, r, subscriptions)
+}

internal/api/user.go

@@ -0,0 +1,203 @@
+// SPDX-FileCopyrightText: Copyright The Miniflux Authors. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package api // import "miniflux.app/v2/internal/api"
+
+import (
+	json_parser "encoding/json"
+	"errors"
+	"net/http"
+
+	"miniflux.app/v2/internal/http/request"
+	"miniflux.app/v2/internal/http/response/json"
+	"miniflux.app/v2/internal/model"
+	"miniflux.app/v2/internal/validator"
+)
+
+func (h *handler) currentUser(w http.ResponseWriter, r *http.Request) {
+	user, err := h.store.UserByID(request.UserID(r))
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	json.OK(w, r, user)
+}
+
+func (h *handler) createUser(w http.ResponseWriter, r *http.Request) {
+	if !request.IsAdminUser(r) {
+		json.Forbidden(w, r)
+		return
+	}
+
+	var userCreationRequest model.UserCreationRequest
+	if err := json_parser.NewDecoder(r.Body).Decode(&userCreationRequest); err != nil {
+		json.BadRequest(w, r, err)
+		return
+	}
+
+	if validationErr := validator.ValidateUserCreationWithPassword(h.store, &userCreationRequest); validationErr != nil {
+		json.BadRequest(w, r, validationErr.Error())
+		return
+	}
+
+	user, err := h.store.CreateUser(&userCreationRequest)
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	json.Created(w, r, user)
+}
+
+func (h *handler) updateUser(w http.ResponseWriter, r *http.Request) {
+	userID := request.RouteInt64Param(r, "userID")
+
+	var userModificationRequest model.UserModificationRequest
+	if err := json_parser.NewDecoder(r.Body).Decode(&userModificationRequest); err != nil {
+		json.BadRequest(w, r, err)
+		return
+	}
+
+	originalUser, err := h.store.UserByID(userID)
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	if originalUser == nil {
+		json.NotFound(w, r)
+		return
+	}
+
+	if !request.IsAdminUser(r) {
+		if originalUser.ID != request.UserID(r) {
+			json.Forbidden(w, r)
+			return
+		}
+
+		if userModificationRequest.IsAdmin != nil && *userModificationRequest.IsAdmin {
+			json.BadRequest(w, r, errors.New("Only administrators can change permissions of standard users"))
+			return
+		}
+	}
+
+	if validationErr := validator.ValidateUserModification(h.store, originalUser.ID, &userModificationRequest); validationErr != nil {
+		json.BadRequest(w, r, validationErr.Error())
+		return
+	}
+
+	userModificationRequest.Patch(originalUser)
+	if err = h.store.UpdateUser(originalUser); err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	json.Created(w, r, originalUser)
+}
+
+func (h *handler) markUserAsRead(w http.ResponseWriter, r *http.Request) {
+	userID := request.RouteInt64Param(r, "userID")
+	if userID != request.UserID(r) {
+		json.Forbidden(w, r)
+		return
+	}
+
+	if _, err := h.store.UserByID(userID); err != nil {
+		json.NotFound(w, r)
+		return
+	}
+
+	if err := h.store.MarkAllAsRead(userID); err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	json.NoContent(w, r)
+}
+
+func (h *handler) users(w http.ResponseWriter, r *http.Request) {
+	if !request.IsAdminUser(r) {
+		json.Forbidden(w, r)
+		return
+	}
+
+	users, err := h.store.Users()
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	users.UseTimezone(request.UserTimezone(r))
+	json.OK(w, r, users)
+}
+
+func (h *handler) userByID(w http.ResponseWriter, r *http.Request) {
+	if !request.IsAdminUser(r) {
+		json.Forbidden(w, r)
+		return
+	}
+
+	userID := request.RouteInt64Param(r, "userID")
+	user, err := h.store.UserByID(userID)
+	if err != nil {
+		json.BadRequest(w, r, errors.New("Unable to fetch this user from the database"))
+		return
+	}
+
+	if user == nil {
+		json.NotFound(w, r)
+		return
+	}
+
+	user.UseTimezone(request.UserTimezone(r))
+	json.OK(w, r, user)
+}
+
+func (h *handler) userByUsername(w http.ResponseWriter, r *http.Request) {
+	if !request.IsAdminUser(r) {
+		json.Forbidden(w, r)
+		return
+	}
+
+	username := request.RouteStringParam(r, "username")
+	user, err := h.store.UserByUsername(username)
+	if err != nil {
+		json.BadRequest(w, r, errors.New("Unable to fetch this user from the database"))
+		return
+	}
+
+	if user == nil {
+		json.NotFound(w, r)
+		return
+	}
+
+	json.OK(w, r, user)
+}
+
+func (h *handler) removeUser(w http.ResponseWriter, r *http.Request) {
+	if !request.IsAdminUser(r) {
+		json.Forbidden(w, r)
+		return
+	}
+
+	userID := request.RouteInt64Param(r, "userID")
+	user, err := h.store.UserByID(userID)
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	if user == nil {
+		json.NotFound(w, r)
+		return
+	}
+
+	if user.ID == request.UserID(r) {
+		json.BadRequest(w, r, errors.New("You cannot remove yourself"))
+		return
+	}
+
+	h.store.RemoveUserAsync(user.ID)
+	json.NoContent(w, r)
+}