No OneTemporary
Actions

Size

66 KB

Subscribers

None

View Options

	diff --git a/go.mod b/go.mod
	index 372b7ba..358173b 100644
	--- a/go.mod
	+++ b/go.mod
	@@ -1,59 +1,59 @@
	module github.com/writeas/writefreely

	require (
	github.com/BurntSushi/toml v0.3.1 // indirect
	github.com/alecthomas/gometalinter v3.0.0+incompatible // indirect
	github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf // indirect
	github.com/captncraig/cors v0.0.0-20180620154129-376d45073b49 // indirect
	github.com/clbanning/mxj v1.8.4 // indirect
	github.com/dustin/go-humanize v1.0.0
	github.com/fatih/color v1.7.0
	github.com/go-sql-driver/mysql v1.4.1
	github.com/go-test/deep v1.0.1 // indirect
	github.com/golang/lint v0.0.0-20181217174547-8f45f776aaf1 // indirect
	github.com/gopherjs/gopherjs v0.0.0-20181103185306-d547d1d9531e // indirect
	github.com/gorilla/feeds v1.1.0
	github.com/gorilla/mux v1.7.0
	github.com/gorilla/schema v1.0.2
	github.com/gorilla/sessions v1.1.3
	github.com/guregu/null v3.4.0+incompatible
	github.com/ikeikeikeike/go-sitemap-generator/v2 v2.0.2
	github.com/jtolds/gls v4.2.1+incompatible // indirect
	github.com/kylemcc/twitter-text-go v0.0.0-20180726194232-7f582f6736ec
	github.com/lunixbochs/vtclean v1.0.0 // indirect
	github.com/manifoldco/promptui v0.3.2
	github.com/mattn/go-colorable v0.1.0 // indirect
	github.com/mattn/go-sqlite3 v1.10.0
	github.com/microcosm-cc/bluemonday v1.0.2
	github.com/mitchellh/go-wordwrap v1.0.0
	github.com/nicksnyder/go-i18n v1.10.0 // indirect
	github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d
	github.com/pelletier/go-toml v1.2.0 // indirect
	github.com/pkg/errors v0.8.1
	github.com/rainycape/unidecode v0.0.0-20150907023854-cb7f23ec59be // indirect
	github.com/smartystreets/assertions v0.0.0-20190116191733-b6c0e53d7304 // indirect
	github.com/smartystreets/goconvey v0.0.0-20181108003508-044398e4856c // indirect
	github.com/stretchr/testify v1.3.0
	github.com/writeas/activity v0.1.2
	github.com/writeas/go-strip-markdown v2.0.1+incompatible
	github.com/writeas/go-webfinger v0.0.0-20190106002315-85cf805c86d2
	github.com/writeas/httpsig v1.0.0
	- github.com/writeas/impart v1.1.0
	+ github.com/writeas/impart v1.1.1-0.20191230230525-d3c45ced010d
	github.com/writeas/monday v0.0.0-20181024183321-54a7dd579219
	github.com/writeas/nerds v1.0.0
	github.com/writeas/saturday v1.7.1
	github.com/writeas/slug v1.2.0
	github.com/writeas/web-core v1.2.0
	github.com/writefreely/go-nodeinfo v1.2.0
	golang.org/x/crypto v0.0.0-20190208162236-193df9c0f06f
	golang.org/x/lint v0.0.0-20181217174547-8f45f776aaf1 // indirect
	golang.org/x/net v0.0.0-20190206173232-65e2d4e15006 // indirect
	golang.org/x/sys v0.0.0-20190209173611-3b5209105503 // indirect
	golang.org/x/tools v0.0.0-20190208222737-3744606dbb67
	google.golang.org/appengine v1.4.0 // indirect
	gopkg.in/alecthomas/kingpin.v3-unstable v3.0.0-20180810215634-df19058c872c // indirect
	gopkg.in/ini.v1 v1.41.0
	gopkg.in/yaml.v2 v2.2.2 // indirect
	)

	go 1.13
	diff --git a/go.sum b/go.sum
	index ee3a418..38e804c 100644
	--- a/go.sum
	+++ b/go.sum
	@@ -1,175 +1,177 @@
	github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
	github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
	github.com/alecthomas/gometalinter v2.0.11+incompatible/go.mod h1:qfIpQGGz3d+NmgyPBqv+LSh50emm1pt72EtcX2vKYQk=
	github.com/alecthomas/gometalinter v3.0.0+incompatible h1:e9Zfvfytsw/e6Kd/PYd75wggK+/kX5Xn8IYDUKyc5fU=
	github.com/alecthomas/gometalinter v3.0.0+incompatible/go.mod h1:qfIpQGGz3d+NmgyPBqv+LSh50emm1pt72EtcX2vKYQk=
	github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf h1:qet1QNfXsQxTZqLG4oE62mJzwPIB8+Tee4RNCL9ulrY=
	github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
	github.com/beevik/etree v1.1.0 h1:T0xke/WvNtMoCqgzPhkX2r4rjY3GDZFi+FjpRZY2Jbs=
	github.com/beevik/etree v1.1.0/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62wh+A=
	github.com/captncraig/cors v0.0.0-20180620154129-376d45073b49 h1:jWNY1NDg6a/c8RSXkai7IX6UOhir0LD39I4Dukg+4Ks=
	github.com/captncraig/cors v0.0.0-20180620154129-376d45073b49/go.mod h1:EIlIeMufZ8nqdUhnesledB15xLRl4wIJUppwDLPrdrQ=
	github.com/chzyer/logex v1.1.10 h1:Swpa1K6QvQznwJRcfTfQJmTE72DqScAa40E+fbHEXEE=
	github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
	github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e h1:fY5BOSpyZCqRo5OhCuC+XN+r/bBCmeuuJtjz+bCNIf8=
	github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
	github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1 h1:q763qf9huN11kDQavWsoZXJNW3xEE4JJyHa5Q25/sd8=
	github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
	github.com/clbanning/mxj v1.8.3/go.mod h1:BVjHeAH+rl9rs6f+QIpeRl0tfu10SXn1pUSa5PVGJng=
	github.com/clbanning/mxj v1.8.4 h1:HuhwZtbyvyOw+3Z1AowPkU87JkJUSv751ELWaiTpj8I=
	github.com/clbanning/mxj v1.8.4/go.mod h1:BVjHeAH+rl9rs6f+QIpeRl0tfu10SXn1pUSa5PVGJng=
	github.com/client9/misspell v0.3.4 h1:ta993UF76GwbvJcIo3Y68y/M3WxlpEHPWIGDkJYwzJI=
	github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
	github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
	github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
	github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
	github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo=
	github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
	github.com/fatih/color v1.7.0 h1:DkWD4oS2D8LGGgTQ6IvwJJXSL5Vp2ffcQg58nFV38Ys=
	github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
	github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo=
	github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M=
	github.com/go-fed/httpsig v0.1.0/go.mod h1:T56HUNYZUQ1AGUzhAYPugZfp36sKApVnGBgKlIY+aIE=
	github.com/go-sql-driver/mysql v1.4.1 h1:g24URVg0OFbNUTx9qqY1IRZ9D9z3iPyi5zKhQZpNwpA=
	github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
	github.com/go-test/deep v1.0.1 h1:UQhStjbkDClarlmv0am7OXXO4/GaPdCGiUiMTvi28sg=
	github.com/go-test/deep v1.0.1/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
	github.com/golang/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:tluoj9z5200jBnyusfRPU2LqT6J+DAorxEvtC7LHB+E=
	github.com/golang/lint v0.0.0-20181217174547-8f45f776aaf1 h1:6DVPu65tee05kY0/rciBQ47ue+AnuY8KTayV6VHikIo=
	github.com/golang/lint v0.0.0-20181217174547-8f45f776aaf1/go.mod h1:tluoj9z5200jBnyusfRPU2LqT6J+DAorxEvtC7LHB+E=
	github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
	github.com/google/shlex v0.0.0-20181106134648-c34317bd91bf h1:7+FW5aGwISbqUtkfmIpZJGRgNFg2ioYPvFaUxdqpDsg=
	github.com/google/shlex v0.0.0-20181106134648-c34317bd91bf/go.mod h1:RpwtwJQFrIEPstU94h88MWPXP2ektJZ8cZ0YntAmXiE=
	github.com/gopherjs/gopherjs v0.0.0-20181103185306-d547d1d9531e h1:JKmoR8x90Iww1ks85zJ1lfDGgIiMDuIptTOhJq+zKyg=
	github.com/gopherjs/gopherjs v0.0.0-20181103185306-d547d1d9531e/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
	github.com/gordonklaus/ineffassign v0.0.0-20180909121442-1003c8bd00dc h1:cJlkeAx1QYgO5N80aF5xRGstVsRQwgLR7uA2FnP1ZjY=
	github.com/gordonklaus/ineffassign v0.0.0-20180909121442-1003c8bd00dc/go.mod h1:cuNKsD1zp2v6XfE/orVX2QE1LC+i254ceGcVeDT3pTU=
	github.com/gorilla/context v1.1.1 h1:AWwleXJkX/nhcU9bZSnZoi3h/qGYqQAGhq6zZe/aQW8=
	github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
	github.com/gorilla/feeds v1.1.0 h1:pcgLJhbdYgaUESnj3AmXPcB7cS3vy63+jC/TI14AGXk=
	github.com/gorilla/feeds v1.1.0/go.mod h1:Nk0jZrvPFZX1OBe5NPiddPw7CfwF6Q9eqzaBbaightA=
	github.com/gorilla/mux v1.7.0 h1:tOSd0UKHQd6urX6ApfOn4XdBMY6Sh1MfxV3kmaazO+U=
	github.com/gorilla/mux v1.7.0/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
	github.com/gorilla/schema v1.0.2 h1:sAgNfOcNYvdDSrzGHVy9nzCQahG+qmsg+nE8dK85QRA=
	github.com/gorilla/schema v1.0.2/go.mod h1:kgLaKoK1FELgZqMAVxx/5cbj0kT+57qxUrAlIO2eleU=
	github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
	github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
	github.com/gorilla/sessions v1.1.3 h1:uXoZdcdA5XdXF3QzuSlheVRUvjl+1rKY7zBXL68L9RU=
	github.com/gorilla/sessions v1.1.3/go.mod h1:8KCfur6+4Mqcc6S0FEfKuN15Vl5MgXW92AE8ovaJD0w=
	github.com/guregu/null v3.4.0+incompatible h1:a4mw37gBO7ypcBlTJeZGuMpSxxFTV9qFfFKgWxQSGaM=
	github.com/guregu/null v3.4.0+incompatible/go.mod h1:ePGpQaN9cw0tj45IR5E5ehMvsFlLlQZAkkOXZurJ3NM=
	github.com/ikeikeikeike/go-sitemap-generator/v2 v2.0.2 h1:wIdDEle9HEy7vBPjC6oKz6ejs3Ut+jmsYvuOoAW2pSM=
	github.com/ikeikeikeike/go-sitemap-generator/v2 v2.0.2/go.mod h1:WtaVKD9TeruTED9ydiaOJU08qGoEPP/LyzTKiD3jEsw=
	github.com/jtolds/gls v4.2.1+incompatible h1:fSuqC+Gmlu6l/ZYAoZzx2pyucC8Xza35fpRVWLVmUEE=
	github.com/jtolds/gls v4.2.1+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
	github.com/juju/ansiterm v0.0.0-20180109212912-720a0952cc2a h1:FaWFmfWdAUKbSCtOU2QjDaorUexogfaMgbipgYATUMU=
	github.com/juju/ansiterm v0.0.0-20180109212912-720a0952cc2a/go.mod h1:UJSiEoRfvx3hP73CvoARgeLjaIOjybY9vj8PUPPFGeU=
	github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
	github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
	github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
	github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
	github.com/kylemcc/twitter-text-go v0.0.0-20180726194232-7f582f6736ec h1:ZXWuspqypleMuJy4bzYEqlMhJnGAYpLrWe5p7W3CdvI=
	github.com/kylemcc/twitter-text-go v0.0.0-20180726194232-7f582f6736ec/go.mod h1:voECJzdraJmolzPBgL9Z7ANwXf4oMXaTCsIkdiPpR/g=
	github.com/lunixbochs/vtclean v0.0.0-20180621232353-2d01aacdc34a h1:weJVJJRzAJBFRlAiJQROKQs8oC9vOxvm4rZmBBk0ONw=
	github.com/lunixbochs/vtclean v0.0.0-20180621232353-2d01aacdc34a/go.mod h1:pHhQNgMf3btfWnGBVipUOjRYhoOsdGqdm/+2c2E2WMI=
	github.com/lunixbochs/vtclean v1.0.0 h1:xu2sLAri4lGiovBDQKxl5mrXyESr3gUr5m5SM5+LVb8=
	github.com/lunixbochs/vtclean v1.0.0/go.mod h1:pHhQNgMf3btfWnGBVipUOjRYhoOsdGqdm/+2c2E2WMI=
	github.com/manifoldco/promptui v0.3.2 h1:rir7oByTERac6jhpHUPErHuopoRDvO3jxS+FdadEns8=
	github.com/manifoldco/promptui v0.3.2/go.mod h1:8JU+igZ+eeiiRku4T5BjtKh2ms8sziGpSYl1gN8Bazw=
	github.com/mattn/go-colorable v0.0.9 h1:UVL0vNpWh04HeJXV0KLcaT7r06gOH2l4OW6ddYRUIY4=
	github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
	github.com/mattn/go-colorable v0.1.0 h1:v2XXALHHh6zHfYTJ+cSkwtyffnaOyR1MXaA91mTrb8o=
	github.com/mattn/go-colorable v0.1.0/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
	github.com/mattn/go-isatty v0.0.4 h1:bnP0vzxcAdeI1zdubAl5PjU6zsERjGZb7raWodagDYs=
	github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
	github.com/mattn/go-sqlite3 v1.10.0 h1:jbhqpg7tQe4SupckyijYiy0mJJ/pRyHvXf7JdWK860o=
	github.com/mattn/go-sqlite3 v1.10.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
	github.com/microcosm-cc/bluemonday v1.0.2 h1:5lPfLTTAvAbtS0VqT+94yOtFnGfUWYyx0+iToC3Os3s=
	github.com/microcosm-cc/bluemonday v1.0.2/go.mod h1:iVP4YcDBq+n/5fb23BhYFvIMq/leAFZyRl6bYmGDlGc=
	github.com/mitchellh/go-wordwrap v1.0.0 h1:6GlHJ/LTGMrIJbwgdqdl2eEH8o+Exx/0m8ir9Gns0u4=
	github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
	github.com/nicksnyder/go-i18n v1.10.0 h1:5AzlPKvXBH4qBzmZ09Ua9Gipyruv6uApMcrNZdo96+Q=
	github.com/nicksnyder/go-i18n v1.10.0/go.mod h1:HrK7VCrbOvQoUAQ7Vpy7i87N7JZZZ7R2xBGjv0j365Q=
	github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d h1:VhgPp6v9qf9Agr/56bj7Y/xa04UccTW04VP0Qed4vnQ=
	github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d/go.mod h1:YUTz3bUH2ZwIWBy3CJBeOBEugqcmXREj14T+iG/4k4U=
	github.com/pelletier/go-toml v1.2.0 h1:T5zMGML61Wp+FlcbWjRDT7yAxhJNAiPPLOFECq181zc=
	github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
	github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
	github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
	github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
	github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
	github.com/rainycape/unidecode v0.0.0-20150907023854-cb7f23ec59be h1:ta7tUOvsPHVHGom5hKW5VXNc2xZIkfCKP8iaqOyYtUQ=
	github.com/rainycape/unidecode v0.0.0-20150907023854-cb7f23ec59be/go.mod h1:MIDFMn7db1kT65GmV94GzpX9Qdi7N/pQlwb+AN8wh+Q=
	github.com/shurcooL/sanitized_anchor_name v1.0.0 h1:PdmoCO6wvbs+7yrJyMORt4/BmY5IYyJwS/kOiWx8mHo=
	github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
	github.com/smartystreets/assertions v0.0.0-20190116191733-b6c0e53d7304 h1:Jpy1PXuP99tXNrhbq2BaPz9B+jNAvH1JPQQpG/9GCXY=
	github.com/smartystreets/assertions v0.0.0-20190116191733-b6c0e53d7304/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
	github.com/smartystreets/goconvey v0.0.0-20181108003508-044398e4856c h1:Ho+uVpkel/udgjbwB5Lktg9BtvJSh2DT0Hi6LPSyI2w=
	github.com/smartystreets/goconvey v0.0.0-20181108003508-044398e4856c/go.mod h1:XDJAKZRPZ1CvBcN2aX5YOUTYGHki24fSF0Iv48Ibg0s=
	github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
	github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
	github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
	github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
	github.com/tsenart/deadcode v0.0.0-20160724212837-210d2dc333e9 h1:vY5WqiEon0ZSTGM3ayVVi+twaHKHDFUVloaQ/wug9/c=
	github.com/tsenart/deadcode v0.0.0-20160724212837-210d2dc333e9/go.mod h1:q+QjxYvZ+fpjMXqs+XEriussHjSYqeXVnAdSV1tkMYk=
	github.com/writeas/activity v0.1.2 h1:Y12B5lIrabfqKE7e7HFCWiXrlfXljr9tlkFm2mp7DgY=
	github.com/writeas/activity v0.1.2/go.mod h1:mYYgiewmEM+8tlifirK/vl6tmB2EbjYaxwb+ndUw5T0=
	github.com/writeas/go-strip-markdown v2.0.1+incompatible h1:IIqxTM5Jr7RzhigcL6FkrCNfXkvbR+Nbu1ls48pXYcw=
	github.com/writeas/go-strip-markdown v2.0.1+incompatible/go.mod h1:Rsyu10ZhbEK9pXdk8V6MVnZmTzRG0alMNLMwa0J01fE=
	github.com/writeas/go-webfinger v0.0.0-20190106002315-85cf805c86d2 h1:DUsp4OhdfI+e6iUqcPQlwx8QYXuUDsToTz/x82D3Zuo=
	github.com/writeas/go-webfinger v0.0.0-20190106002315-85cf805c86d2/go.mod h1:w2VxyRO/J5vfNjJHYVubsjUGHd3RLDoVciz0DE3ApOc=
	github.com/writeas/httpsig v1.0.0 h1:peIAoIA3DmlP8IG8tMNZqI4YD1uEnWBmkcC9OFPjt3A=
	github.com/writeas/httpsig v1.0.0/go.mod h1:7ClMGSrSVXJbmiLa17bZ1LrG1oibGZmUMlh3402flPY=
	github.com/writeas/impart v1.1.0 h1:nPnoO211VscNkp/gnzir5UwCDEvdHThL5uELU60NFSE=
	github.com/writeas/impart v1.1.0/go.mod h1:g0MpxdnTOHHrl+Ca/2oMXUHJ0PcRAEWtkCzYCJUXC9Y=
	+github.com/writeas/impart v1.1.1-0.20191230230525-d3c45ced010d h1:PK7DOj3JE6MGf647esPrKzXEHFjGWX2hl22uX79ixaE=
	+github.com/writeas/impart v1.1.1-0.20191230230525-d3c45ced010d/go.mod h1:g0MpxdnTOHHrl+Ca/2oMXUHJ0PcRAEWtkCzYCJUXC9Y=
	github.com/writeas/monday v0.0.0-20181024183321-54a7dd579219 h1:baEp0631C8sT2r/hqwypIw2snCFZa6h7U6TojoLHu/c=
	github.com/writeas/monday v0.0.0-20181024183321-54a7dd579219/go.mod h1:NyM35ayknT7lzO6O/1JpfgGyv+0W9Z9q7aE0J8bXxfQ=
	github.com/writeas/nerds v1.0.0 h1:ZzRcCN+Sr3MWID7o/x1cr1ZbLvdpej9Y1/Ho+JKlqxo=
	github.com/writeas/nerds v1.0.0/go.mod h1:Gn2bHy1EwRcpXeB7ZhVmuUwiweK0e+JllNf66gvNLdU=
	github.com/writeas/openssl-go v1.0.0 h1:YXM1tDXeYOlTyJjoMlYLQH1xOloUimSR1WMF8kjFc5o=
	github.com/writeas/openssl-go v1.0.0/go.mod h1:WsKeK5jYl0B5y8ggOmtVjbmb+3rEGqSD25TppjJnETA=
	github.com/writeas/saturday v1.6.0/go.mod h1:ETE1EK6ogxptJpAgUbcJD0prAtX48bSloie80+tvnzQ=
	github.com/writeas/saturday v1.7.1 h1:lYo1EH6CYyrFObQoA9RNWHVlpZA5iYL5Opxo7PYAnZE=
	github.com/writeas/saturday v1.7.1/go.mod h1:ETE1EK6ogxptJpAgUbcJD0prAtX48bSloie80+tvnzQ=
	github.com/writeas/slug v1.2.0 h1:EMQ+cwLiOcA6EtFwUgyw3Ge18x9uflUnOnR6bp/J+/g=
	github.com/writeas/slug v1.2.0/go.mod h1:RE8shOqQP3YhsfsQe0L3RnuejfQ4Mk+JjY5YJQFubfQ=
	github.com/writeas/web-core v1.0.0 h1:5VKkCakQgdKZcbfVKJXtRpc5VHrkflusCl/KRCPzpQ0=
	github.com/writeas/web-core v1.0.0/go.mod h1:Si3chV7VWgY8CsV+3gRolMXSO2Vx1ZFAQ/mkrpvmyEE=
	github.com/writeas/web-core v1.2.0 h1:CYqvBd+byi1cK4mCr1NZ6CjILuMOFmiFecv+OACcmG0=
	github.com/writeas/web-core v1.2.0/go.mod h1:vTYajviuNBAxjctPp2NUYdgjofywVkxUGpeaERF3SfI=
	github.com/writefreely/go-nodeinfo v1.2.0 h1:La+YbTCvmpTwFhBSlebWDDL81N88Qf/SCAvRLR7F8ss=
	github.com/writefreely/go-nodeinfo v1.2.0/go.mod h1:UTvE78KpcjYOlRHupZIiSEFcXHioTXuacCbHU+CAcPg=
	golang.org/x/crypto v0.0.0-20180527072434-ab813273cd59 h1:hk3yo72LXLapY9EXVttc3Z1rLOxT9IuAPPX3GpY2+jo=
	golang.org/x/crypto v0.0.0-20180527072434-ab813273cd59/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
	golang.org/x/crypto v0.0.0-20190131182504-b8fe1690c613/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
	golang.org/x/crypto v0.0.0-20190208162236-193df9c0f06f h1:ETU2VEl7TnT5bl7IvuKEzTDpplg5wzGYsOCAPhdoEIg=
	golang.org/x/crypto v0.0.0-20190208162236-193df9c0f06f/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
	golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
	golang.org/x/lint v0.0.0-20181217174547-8f45f776aaf1 h1:rJm0LuqUjoDhSk2zO9ISMSToQxGz7Os2jRiOL8AWu4c=
	golang.org/x/lint v0.0.0-20181217174547-8f45f776aaf1/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
	golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
	golang.org/x/net v0.0.0-20181220203305-927f97764cc3 h1:eH6Eip3UpmR+yM/qI9Ijluzb1bNv/cAU/n+6l8tRSis=
	golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
	golang.org/x/net v0.0.0-20190206173232-65e2d4e15006 h1:bfLnR+k0tq5Lqt6dflRLcZiz6UaXCMt3vhYJ1l4FQ80=
	golang.org/x/net v0.0.0-20190206173232-65e2d4e15006/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
	golang.org/x/sys v0.0.0-20180525142821-c11f84a56e43/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
	golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
	golang.org/x/sys v0.0.0-20190209173611-3b5209105503 h1:5SvYFrOM3W8Mexn9/oA44Ji7vhXAZQ9hiP+1Q/DMrWg=
	golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
	golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
	golang.org/x/tools v0.0.0-20181122213734-04b5d21e00f1/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
	golang.org/x/tools v0.0.0-20190208222737-3744606dbb67 h1:bPP/rGuN1LUM0eaEwo6vnP6OfIWJzJBulzGUiKLjjSY=
	golang.org/x/tools v0.0.0-20190208222737-3744606dbb67/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
	google.golang.org/appengine v1.4.0 h1:/wp5JvzpHIxhs/dumFmF7BXTf3Z+dd4uXta4kVyO508=
	google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
	gopkg.in/alecthomas/kingpin.v3-unstable v3.0.0-20180810215634-df19058c872c h1:vTxShRUnK60yd8DZU+f95p1zSLj814+5CuEh7NjF2/Y=
	gopkg.in/alecthomas/kingpin.v3-unstable v3.0.0-20180810215634-df19058c872c/go.mod h1:3HH7i1SgMqlzxCcBmUHW657sD4Kvv9sC3HpL3YukzwA=
	gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
	gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
	gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
	gopkg.in/ini.v1 v1.41.0 h1:Ka3ViY6gNYSKiVy71zXBEqKplnV35ImDLVG+8uoIklE=
	gopkg.in/ini.v1 v1.41.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
	gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0 h1:POO/ycCATvegFmVuPpQzZFJ+pGZeX22Ufu6fibxDVjU=
	gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0/go.mod h1:WDnlLJ4WF5VGsH/HVa3CI79GS0ol3YnhVnKP89i0kNg=
	gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
	gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
	diff --git a/handle.go b/handle.go
	index 7346f79..0fcc483 100644
	--- a/handle.go
	+++ b/handle.go
	@@ -1,848 +1,898 @@
	/*
	* Copyright © 2018-2019 A Bunch Tell LLC.
	*
	* This file is part of WriteFreely.
	*
	* WriteFreely is free software: you can redistribute it and/or modify
	* it under the terms of the GNU Affero General Public License, included
	* in the LICENSE file in this source code package.
	*/

	package writefreely

	import (
	"fmt"
	"html/template"
	"net/http"
	"net/url"
	"runtime/debug"
	"strconv"
	"strings"
	"time"

	"github.com/gorilla/sessions"
	"github.com/writeas/impart"
	"github.com/writeas/web-core/log"
	"github.com/writeas/writefreely/config"
	"github.com/writeas/writefreely/page"
	)

	// UserLevel represents the required user level for accessing an endpoint
	type UserLevel int

	const (
	UserLevelNoneType UserLevel = iota // user or not -- ignored
	UserLevelOptionalType // user or not -- object fetched if user
	UserLevelNoneRequiredType // non-user (required)
	UserLevelUserType // user (required)
	)

	func UserLevelNone(cfg *config.Config) UserLevel {
	return UserLevelNoneType
	}

	func UserLevelOptional(cfg *config.Config) UserLevel {
	return UserLevelOptionalType
	}

	func UserLevelNoneRequired(cfg *config.Config) UserLevel {
	return UserLevelNoneRequiredType
	}

	func UserLevelUser(cfg *config.Config) UserLevel {
	return UserLevelUserType
	}

	// UserLevelReader returns the permission level required for any route where
	// users can read published content.
	func UserLevelReader(cfg *config.Config) UserLevel {
	if cfg.App.Private {
	return UserLevelUserType
	}
	return UserLevelOptionalType
	}

	type (
	handlerFunc func(app App, w http.ResponseWriter, r http.Request) error
	userHandlerFunc func(app App, u User, w http.ResponseWriter, r *http.Request) error
	userApperHandlerFunc func(apper Apper, u User, w http.ResponseWriter, r http.Request) error
	dataHandlerFunc func(app App, w http.ResponseWriter, r http.Request) ([]byte, string, error)
	authFunc func(app App, r http.Request) (*User, error)
	UserLevelFunc func(cfg *config.Config) UserLevel
	)

	type Handler struct {
	errors *ErrorPages
	sessionStore sessions.Store
	app Apper
	}

	// ErrorPages hold template HTML error pages for displaying errors to the user.
	// In each, there should be a defined template named "base".
	type ErrorPages struct {
	NotFound *template.Template
	Gone *template.Template
	InternalServerError *template.Template
	Blank *template.Template
	}

	// NewHandler returns a new Handler instance, using the given StaticPage data,
	// and saving alias to the application's CookieStore.
	func NewHandler(apper Apper) *Handler {
	h := &Handler{
	errors: &ErrorPages{
	NotFound: template.Must(template.New("").Parse("{{define \"base\"}}<html><head><title>404</title></head><body><p>Not found.</p></body></html>{{end}}")),
	Gone: template.Must(template.New("").Parse("{{define \"base\"}}<html><head><title>410</title></head><body><p>Gone.</p></body></html>{{end}}")),
	InternalServerError: template.Must(template.New("").Parse("{{define \"base\"}}<html><head><title>500</title></head><body><p>Internal server error.</p></body></html>{{end}}")),
	Blank: template.Must(template.New("").Parse("{{define \"base\"}}<html><head><title>{{.Title}}</title></head><body><p>{{.Content}}</p></body></html>{{end}}")),
	},
	sessionStore: apper.App().SessionStore(),
	app: apper,
	}

	return h
	}

	// NewWFHandler returns a new Handler instance, using WriteFreely template files.
	// You MUST call writefreely.InitTemplates() before this.
	func NewWFHandler(apper Apper) *Handler {
	h := NewHandler(apper)
	h.SetErrorPages(&ErrorPages{
	NotFound: pages["404-general.tmpl"],
	Gone: pages["410.tmpl"],
	InternalServerError: pages["500.tmpl"],
	Blank: pages["blank.tmpl"],
	})
	return h
	}

	// SetErrorPages sets the given set of ErrorPages as templates for any errors
	// that come up.
	func (h Handler) SetErrorPages(e ErrorPages) {
	h.errors = e
	}

	// User handles requests made in the web application by the authenticated user.
	// This provides user-friendly HTML pages and actions that work in the browser.
	func (h *Handler) User(f userHandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
	h.handleHTTPError(w, r, func() error {
	var status int
	start := time.Now()

	defer func() {
	if e := recover(); e != nil {
	log.Error("%s: %s", e, debug.Stack())
	h.errors.InternalServerError.ExecuteTemplate(w, "base", pageForReq(h.app.App(), r))
	status = http.StatusInternalServerError
	}

	log.Info(h.app.ReqLog(r, status, time.Since(start)))
	}()

	u := getUserSession(h.app.App(), r)
	if u == nil {
	err := ErrNotLoggedIn
	status = err.Status
	return err
	}

	err := f(h.app.App(), u, w, r)
	if err == nil {
	status = http.StatusOK
	} else if err, ok := err.(impart.HTTPError); ok {
	status = err.Status
	} else {
	status = http.StatusInternalServerError
	}

	return err
	}())
	}
	}

	// Admin handles requests on /admin routes
	func (h *Handler) Admin(f userHandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
	h.handleHTTPError(w, r, func() error {
	var status int
	start := time.Now()

	defer func() {
	if e := recover(); e != nil {
	log.Error("%s: %s", e, debug.Stack())
	h.errors.InternalServerError.ExecuteTemplate(w, "base", pageForReq(h.app.App(), r))
	status = http.StatusInternalServerError
	}

	log.Info(h.app.ReqLog(r, status, time.Since(start)))
	}()

	u := getUserSession(h.app.App(), r)
	if u == nil \|\| !u.IsAdmin() {
	err := impart.HTTPError{http.StatusNotFound, ""}
	status = err.Status
	return err
	}

	err := f(h.app.App(), u, w, r)
	if err == nil {
	status = http.StatusOK
	} else if err, ok := err.(impart.HTTPError); ok {
	status = err.Status
	} else {
	status = http.StatusInternalServerError
	}

	return err
	}())
	}
	}

	// AdminApper handles requests on /admin routes that require an Apper.
	func (h *Handler) AdminApper(f userApperHandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
	h.handleHTTPError(w, r, func() error {
	var status int
	start := time.Now()

	defer func() {
	if e := recover(); e != nil {
	log.Error("%s: %s", e, debug.Stack())
	h.errors.InternalServerError.ExecuteTemplate(w, "base", pageForReq(h.app.App(), r))
	status = http.StatusInternalServerError
	}

	log.Info(h.app.ReqLog(r, status, time.Since(start)))
	}()

	u := getUserSession(h.app.App(), r)
	if u == nil \|\| !u.IsAdmin() {
	err := impart.HTTPError{http.StatusNotFound, ""}
	status = err.Status
	return err
	}

	err := f(h.app, u, w, r)
	if err == nil {
	status = http.StatusOK
	} else if err, ok := err.(impart.HTTPError); ok {
	status = err.Status
	} else {
	status = http.StatusInternalServerError
	}

	return err
	}())
	}
	}

	func apiAuth(app App, r http.Request) (*User, error) {
	// Authorize user from Authorization header
	t := r.Header.Get("Authorization")
	if t == "" {
	return nil, ErrNoAccessToken
	}
	u := &User{ID: app.db.GetUserID(t)}
	if u.ID == -1 {
	return nil, ErrBadAccessToken
	}

	return u, nil
	}

	// optionaAPIAuth is used for endpoints that accept authenticated requests via
	// Authorization header or cookie, unlike apiAuth. It returns a different err
	// in the case where no Authorization header is present.
	func optionalAPIAuth(app App, r http.Request) (*User, error) {
	// Authorize user from Authorization header
	t := r.Header.Get("Authorization")
	if t == "" {
	return nil, ErrNotLoggedIn
	}
	u := &User{ID: app.db.GetUserID(t)}
	if u.ID == -1 {
	return nil, ErrBadAccessToken
	}

	return u, nil
	}

	func webAuth(app App, r http.Request) (*User, error) {
	u := getUserSession(app, r)
	if u == nil {
	return nil, ErrNotLoggedIn
	}
	return u, nil
	}

	// UserAPI handles requests made in the API by the authenticated user.
	// This provides user-friendly HTML pages and actions that work in the browser.
	func (h *Handler) UserAPI(f userHandlerFunc) http.HandlerFunc {
	return h.UserAll(false, f, apiAuth)
	}

	func (h *Handler) UserAll(web bool, f userHandlerFunc, a authFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
	handleFunc := func() error {
	var status int
	start := time.Now()

	defer func() {
	if e := recover(); e != nil {
	log.Error("%s: %s", e, debug.Stack())
	impart.WriteError(w, impart.HTTPError{http.StatusInternalServerError, "Something didn't work quite right."})
	status = 500
	}

	log.Info(h.app.ReqLog(r, status, time.Since(start)))
	}()

	u, err := a(h.app.App(), r)
	if err != nil {
	if err, ok := err.(impart.HTTPError); ok {
	status = err.Status
	} else {
	status = 500
	}
	return err
	}

	err = f(h.app.App(), u, w, r)
	if err == nil {
	status = 200
	} else if err, ok := err.(impart.HTTPError); ok {
	status = err.Status
	} else {
	status = 500
	}

	return err
	}

	if web {
	h.handleHTTPError(w, r, handleFunc())
	} else {
	h.handleError(w, r, handleFunc())
	}
	}
	}

	func (h *Handler) RedirectOnErr(f handlerFunc, loc string) handlerFunc {
	return func(app App, w http.ResponseWriter, r http.Request) error {
	err := f(app, w, r)
	if err != nil {
	if ie, ok := err.(impart.HTTPError); ok {
	// Override default redirect with returned error's, if it's a
	// redirect error.
	if ie.Status == http.StatusFound {
	return ie
	}
	}
	return impart.HTTPError{http.StatusFound, loc}
	}
	return nil
	}
	}

	func (h *Handler) Page(n string) http.HandlerFunc {
	return h.Web(func(app App, w http.ResponseWriter, r http.Request) error {
	t, ok := pages[n]
	if !ok {
	return impart.HTTPError{http.StatusNotFound, "Page not found."}
	}

	sp := pageForReq(app, r)

	err := t.ExecuteTemplate(w, "base", sp)
	if err != nil {
	log.Error("Unable to render page: %v", err)
	}
	return err
	}, UserLevelOptional)
	}

	func (h *Handler) WebErrors(f handlerFunc, ul UserLevelFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
	// TODO: factor out this logic shared with Web()
	h.handleHTTPError(w, r, func() error {
	var status int
	start := time.Now()

	defer func() {
	if e := recover(); e != nil {
	u := getUserSession(h.app.App(), r)
	username := "None"
	if u != nil {
	username = u.Username
	}
	log.Error("User: %s\n\n%s: %s", username, e, debug.Stack())
	h.errors.InternalServerError.ExecuteTemplate(w, "base", pageForReq(h.app.App(), r))
	status = 500
	}

	log.Info(h.app.ReqLog(r, status, time.Since(start)))
	}()

	var session *sessions.Session
	var err error
	if ul(h.app.App().cfg) != UserLevelNoneType {
	session, err = h.sessionStore.Get(r, cookieName)
	if err != nil && (ul(h.app.App().cfg) == UserLevelNoneRequiredType \|\| ul(h.app.App().cfg) == UserLevelUserType) {
	// Cookie is required, but we can ignore this error
	log.Error("Handler: Unable to get session (for user permission %d); ignoring: %v", ul(h.app.App().cfg), err)
	}

	_, gotUser := session.Values[cookieUserVal].(*User)
	if ul(h.app.App().cfg) == UserLevelNoneRequiredType && gotUser {
	to := correctPageFromLoginAttempt(r)
	log.Info("Handler: Required NO user, but got one. Redirecting to %s", to)
	err := impart.HTTPError{http.StatusFound, to}
	status = err.Status
	return err
	} else if ul(h.app.App().cfg) == UserLevelUserType && !gotUser {
	log.Info("Handler: Required a user, but DIDN'T get one. Sending not logged in.")
	err := ErrNotLoggedIn
	status = err.Status
	return err
	}
	}

	// TODO: pass User object to function
	err = f(h.app.App(), w, r)
	if err == nil {
	status = 200
	} else if httpErr, ok := err.(impart.HTTPError); ok {
	status = httpErr.Status
	if status < 300 \|\| status > 399 {
	addSessionFlash(h.app.App(), w, r, httpErr.Message, session)
	return impart.HTTPError{http.StatusFound, r.Referer()}
	}
	} else {
	e := fmt.Sprintf("[Web handler] 500: %v", err)
	if !strings.HasSuffix(e, "write: broken pipe") {
	log.Error(e)
	} else {
	log.Error(e)
	}
	log.Info("Web handler internal error render")
	h.errors.InternalServerError.ExecuteTemplate(w, "base", pageForReq(h.app.App(), r))
	status = 500
	}

	return err
	}())
	}
	}

	func (h Handler) CollectionPostOrStatic(w http.ResponseWriter, r http.Request) {
	if strings.Contains(r.URL.Path, ".") && !isRaw(r) {
	start := time.Now()
	status := 200
	defer func() {
	log.Info(h.app.ReqLog(r, status, time.Since(start)))
	}()

	// Serve static file
	h.app.App().shttp.ServeHTTP(w, r)
	return
	}

	h.Web(viewCollectionPost, UserLevelReader)(w, r)
	}

	// Web handles requests made in the web application. This provides user-
	// friendly HTML pages and actions that work in the browser.
	func (h *Handler) Web(f handlerFunc, ul UserLevelFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
	h.handleHTTPError(w, r, func() error {
	var status int
	start := time.Now()

	defer func() {
	if e := recover(); e != nil {
	u := getUserSession(h.app.App(), r)
	username := "None"
	if u != nil {
	username = u.Username
	}
	log.Error("User: %s\n\n%s: %s", username, e, debug.Stack())
	log.Info("Web deferred internal error render")
	h.errors.InternalServerError.ExecuteTemplate(w, "base", pageForReq(h.app.App(), r))
	status = 500
	}

	log.Info(h.app.ReqLog(r, status, time.Since(start)))
	}()

	if ul(h.app.App().cfg) != UserLevelNoneType {
	session, err := h.sessionStore.Get(r, cookieName)
	if err != nil && (ul(h.app.App().cfg) == UserLevelNoneRequiredType \|\| ul(h.app.App().cfg) == UserLevelUserType) {
	// Cookie is required, but we can ignore this error
	log.Error("Handler: Unable to get session (for user permission %d); ignoring: %v", ul(h.app.App().cfg), err)
	}

	_, gotUser := session.Values[cookieUserVal].(*User)
	if ul(h.app.App().cfg) == UserLevelNoneRequiredType && gotUser {
	to := correctPageFromLoginAttempt(r)
	log.Info("Handler: Required NO user, but got one. Redirecting to %s", to)
	err := impart.HTTPError{http.StatusFound, to}
	status = err.Status
	return err
	} else if ul(h.app.App().cfg) == UserLevelUserType && !gotUser {
	log.Info("Handler: Required a user, but DIDN'T get one. Sending not logged in.")
	err := ErrNotLoggedIn
	status = err.Status
	return err
	}
	}

	// TODO: pass User object to function
	err := f(h.app.App(), w, r)
	if err == nil {
	status = 200
	} else if httpErr, ok := err.(impart.HTTPError); ok {
	status = httpErr.Status
	} else {
	e := fmt.Sprintf("[Web handler] 500: %v", err)
	log.Error(e)
	log.Info("Web internal error render")
	h.errors.InternalServerError.ExecuteTemplate(w, "base", pageForReq(h.app.App(), r))
	status = 500
	}

	return err
	}())
	}
	}

	func (h *Handler) All(f handlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
	h.handleError(w, r, func() error {
	// TODO: return correct "success" status
	status := 200
	start := time.Now()

	defer func() {
	if e := recover(); e != nil {
	log.Error("%s:\n%s", e, debug.Stack())
	impart.WriteError(w, impart.HTTPError{http.StatusInternalServerError, "Something didn't work quite right."})
	status = 500
	}

	log.Info(h.app.ReqLog(r, status, time.Since(start)))
	}()

	// TODO: do any needed authentication

	err := f(h.app.App(), w, r)
	if err != nil {
	if err, ok := err.(impart.HTTPError); ok {
	status = err.Status
	} else {
	status = 500
	}
	}

	return err
	}())
	}
	}

	+func (h *Handler) OAuth(f handlerFunc) http.HandlerFunc {
	+ return func(w http.ResponseWriter, r *http.Request) {
	+ h.handleOAuthError(w, r, func() error {
	+ // TODO: return correct "success" status
	+ status := 200
	+ start := time.Now()
	+
	+ defer func() {
	+ if e := recover(); e != nil {
	+ log.Error("%s:\n%s", e, debug.Stack())
	+ impart.WriteError(w, impart.HTTPError{http.StatusInternalServerError, "Something didn't work quite right."})
	+ status = 500
	+ }
	+
	+ log.Info(h.app.ReqLog(r, status, time.Since(start)))
	+ }()
	+
	+ err := f(h.app.App(), w, r)
	+ if err != nil {
	+ if err, ok := err.(impart.HTTPError); ok {
	+ status = err.Status
	+ } else {
	+ status = 500
	+ }
	+ }
	+
	+ return err
	+ }())
	+ }
	+}
	+
	func (h *Handler) AllReader(f handlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
	h.handleError(w, r, func() error {
	status := 200
	start := time.Now()

	defer func() {
	if e := recover(); e != nil {
	log.Error("%s:\n%s", e, debug.Stack())
	impart.WriteError(w, impart.HTTPError{http.StatusInternalServerError, "Something didn't work quite right."})
	status = 500
	}

	log.Info(h.app.ReqLog(r, status, time.Since(start)))
	}()

	if h.app.App().cfg.App.Private {
	// This instance is private, so ensure it's being accessed by a valid user
	// Check if authenticated with an access token
	_, apiErr := optionalAPIAuth(h.app.App(), r)
	if apiErr != nil {
	if err, ok := apiErr.(impart.HTTPError); ok {
	status = err.Status
	} else {
	status = 500
	}

	if apiErr == ErrNotLoggedIn {
	// Fall back to web auth since there was no access token given
	_, err := webAuth(h.app.App(), r)
	if err != nil {
	if err, ok := apiErr.(impart.HTTPError); ok {
	status = err.Status
	} else {
	status = 500
	}
	return err
	}
	} else {
	return apiErr
	}
	}
	}

	err := f(h.app.App(), w, r)
	if err != nil {
	if err, ok := err.(impart.HTTPError); ok {
	status = err.Status
	} else {
	status = 500
	}
	}

	return err
	}())
	}
	}

	func (h *Handler) Download(f dataHandlerFunc, ul UserLevelFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
	h.handleHTTPError(w, r, func() error {
	var status int
	start := time.Now()
	defer func() {
	if e := recover(); e != nil {
	log.Error("%s: %s", e, debug.Stack())
	h.errors.InternalServerError.ExecuteTemplate(w, "base", pageForReq(h.app.App(), r))
	status = 500
	}

	log.Info(h.app.ReqLog(r, status, time.Since(start)))
	}()

	data, filename, err := f(h.app.App(), w, r)
	if err != nil {
	if err, ok := err.(impart.HTTPError); ok {
	status = err.Status
	} else {
	status = 500
	}
	return err
	}

	ext := ".json"
	ct := "application/json"
	if strings.HasSuffix(r.URL.Path, ".csv") {
	ext = ".csv"
	ct = "text/csv"
	} else if strings.HasSuffix(r.URL.Path, ".zip") {
	ext = ".zip"
	ct = "application/zip"
	}
	w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=%s%s", filename, ext))
	w.Header().Set("Content-Type", ct)
	w.Header().Set("Content-Length", strconv.Itoa(len(data)))
	fmt.Fprint(w, string(data))

	status = 200
	return nil
	}())
	}
	}

	func (h *Handler) Redirect(url string, ul UserLevelFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
	h.handleHTTPError(w, r, func() error {
	start := time.Now()

	var status int
	if ul(h.app.App().cfg) != UserLevelNoneType {
	session, err := h.sessionStore.Get(r, cookieName)
	if err != nil && (ul(h.app.App().cfg) == UserLevelNoneRequiredType \|\| ul(h.app.App().cfg) == UserLevelUserType) {
	// Cookie is required, but we can ignore this error
	log.Error("Handler: Unable to get session (for user permission %d); ignoring: %v", ul(h.app.App().cfg), err)
	}

	_, gotUser := session.Values[cookieUserVal].(*User)
	if ul(h.app.App().cfg) == UserLevelNoneRequiredType && gotUser {
	to := correctPageFromLoginAttempt(r)
	log.Info("Handler: Required NO user, but got one. Redirecting to %s", to)
	err := impart.HTTPError{http.StatusFound, to}
	status = err.Status
	return err
	} else if ul(h.app.App().cfg) == UserLevelUserType && !gotUser {
	log.Info("Handler: Required a user, but DIDN'T get one. Sending not logged in.")
	err := ErrNotLoggedIn
	status = err.Status
	return err
	}
	}

	status = sendRedirect(w, http.StatusFound, url)

	log.Info(h.app.ReqLog(r, status, time.Since(start)))

	return nil
	}())
	}
	}

	func (h Handler) handleHTTPError(w http.ResponseWriter, r http.Request, err error) {
	if err == nil {
	return
	}

	if err, ok := err.(impart.HTTPError); ok {
	if err.Status >= 300 && err.Status < 400 {
	sendRedirect(w, err.Status, err.Message)
	return
	} else if err.Status == http.StatusUnauthorized {
	q := ""
	if r.URL.RawQuery != "" {
	q = url.QueryEscape("?" + r.URL.RawQuery)
	}
	sendRedirect(w, http.StatusFound, "/login?to="+r.URL.Path+q)
	return
	} else if err.Status == http.StatusGone {
	w.WriteHeader(err.Status)
	p := &struct {
	page.StaticPage
	Content *template.HTML
	}{
	StaticPage: pageForReq(h.app.App(), r),
	}
	if err.Message != "" {
	co := template.HTML(err.Message)
	p.Content = &co
	}
	h.errors.Gone.ExecuteTemplate(w, "base", p)
	return
	} else if err.Status == http.StatusNotFound {
	w.WriteHeader(err.Status)
	if strings.Contains(r.Header.Get("Accept"), "application/activity+json") {
	// This is a fediverse request; simply return the header
	return
	}
	h.errors.NotFound.ExecuteTemplate(w, "base", pageForReq(h.app.App(), r))
	return
	} else if err.Status == http.StatusInternalServerError {
	w.WriteHeader(err.Status)
	log.Info("handleHTTPErorr internal error render")
	h.errors.InternalServerError.ExecuteTemplate(w, "base", pageForReq(h.app.App(), r))
	return
	} else if err.Status == http.StatusAccepted {
	impart.WriteSuccess(w, "", err.Status)
	return
	} else {
	p := &struct {
	page.StaticPage
	Title string
	Content template.HTML
	}{
	pageForReq(h.app.App(), r),
	fmt.Sprintf("Uh oh (%d)", err.Status),
	template.HTML(fmt.Sprintf("<p style=\"text-align: center\" class=\"introduction\">%s</p>", err.Message)),
	}
	h.errors.Blank.ExecuteTemplate(w, "base", p)
	return
	}
	impart.WriteError(w, err)
	return
	}

	impart.WriteError(w, impart.HTTPError{http.StatusInternalServerError, "This is an unhelpful error message for a miscellaneous internal error."})
	}

	func (h Handler) handleError(w http.ResponseWriter, r http.Request, err error) {
	if err == nil {
	return
	}

	if err, ok := err.(impart.HTTPError); ok {
	if err.Status >= 300 && err.Status < 400 {
	sendRedirect(w, err.Status, err.Message)
	return
	}

	// if strings.Contains(r.Header.Get("Accept"), "text/html") {
	impart.WriteError(w, err)
	// }
	return
	}

	if IsJSON(r) {
	impart.WriteError(w, impart.HTTPError{http.StatusInternalServerError, "This is an unhelpful error message for a miscellaneous internal error."})
	return
	}
	h.errors.InternalServerError.ExecuteTemplate(w, "base", pageForReq(h.app.App(), r))
	}

	+func (h Handler) handleOAuthError(w http.ResponseWriter, r http.Request, err error) {
	+ if err == nil {
	+ return
	+ }
	+
	+ if err, ok := err.(impart.HTTPError); ok {
	+ if err.Status >= 300 && err.Status < 400 {
	+ sendRedirect(w, err.Status, err.Message)
	+ return
	+ }
	+
	+ impart.WriteOAuthError(w, err)
	+ return
	+ }
	+
	+ impart.WriteOAuthError(w, impart.HTTPError{http.StatusInternalServerError, "This is an unhelpful error message for a miscellaneous internal error."})
	+ return
	+}
	+
	func correctPageFromLoginAttempt(r *http.Request) string {
	to := r.FormValue("to")
	if to == "" {
	to = "/"
	} else if !strings.HasPrefix(to, "/") {
	to = "/" + to
	}
	return to
	}

	func (h *Handler) LogHandlerFunc(f http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
	h.handleHTTPError(w, r, func() error {
	status := 200
	start := time.Now()

	defer func() {
	if e := recover(); e != nil {
	log.Error("Handler.LogHandlerFunc\n\n%s: %s", e, debug.Stack())
	h.errors.InternalServerError.ExecuteTemplate(w, "base", pageForReq(h.app.App(), r))
	status = 500
	}

	// TODO: log actual status code returned
	log.Info(h.app.ReqLog(r, status, time.Since(start)))
	}()

	if h.app.App().cfg.App.Private {
	// This instance is private, so ensure it's being accessed by a valid user
	// Check if authenticated with an access token
	_, apiErr := optionalAPIAuth(h.app.App(), r)
	if apiErr != nil {
	if err, ok := apiErr.(impart.HTTPError); ok {
	status = err.Status
	} else {
	status = 500
	}

	if apiErr == ErrNotLoggedIn {
	// Fall back to web auth since there was no access token given
	_, err := webAuth(h.app.App(), r)
	if err != nil {
	if err, ok := apiErr.(impart.HTTPError); ok {
	status = err.Status
	} else {
	status = 500
	}
	return err
	}
	} else {
	return apiErr
	}
	}
	}

	f(w, r)

	return nil
	}())
	}
	}

	func sendRedirect(w http.ResponseWriter, code int, location string) int {
	w.Header().Set("Location", location)
	w.WriteHeader(code)
	return code
	}
	diff --git a/oauth.go b/oauth.go
	index d918f7f..bb6474d 100644
	--- a/oauth.go
	+++ b/oauth.go
	@@ -1,280 +1,260 @@
	package writefreely

	import (
	"context"
	"encoding/json"
	"fmt"
	"github.com/gorilla/sessions"
	"github.com/guregu/null/zero"
	+ "github.com/writeas/impart"
	"github.com/writeas/nerds/store"
	"github.com/writeas/web-core/auth"
	"github.com/writeas/web-core/log"
	"github.com/writeas/writefreely/config"
	"io"
	"io/ioutil"
	"net/http"
	"net/url"
	"strings"
	"time"
	)

	// TokenResponse contains data returned when a token is created either
	// through a code exchange or using a refresh token.
	type TokenResponse struct {
	AccessToken string `json:"access_token"`
	ExpiresIn int `json:"expires_in"`
	RefreshToken string `json:"refresh_token"`
	TokenType string `json:"token_type"`
	}

	// InspectResponse contains data returned when an access token is inspected.
	type InspectResponse struct {
	ClientID string `json:"client_id"`
	UserID int64 `json:"user_id"`
	ExpiresAt time.Time `json:"expires_at"`
	Username string `json:"username"`
	Email string `json:"email"`
	}

	// tokenRequestMaxLen is the most bytes that we'll read from the /oauth/token
	// endpoint. One megabyte is plenty.
	const tokenRequestMaxLen = 1000000

	// infoRequestMaxLen is the most bytes that we'll read from the
	// /oauth/inspect endpoint.
	const infoRequestMaxLen = 1000000

	// OAuthDatastoreProvider provides a minimal interface of data store, config,
	// and session store for use with the oauth handlers.
	type OAuthDatastoreProvider interface {
	DB() OAuthDatastore
	Config() *config.Config
	SessionStore() sessions.Store
	}

	// OAuthDatastore provides a minimal interface of data store methods used in
	// oauth functionality.
	type OAuthDatastore interface {
	GenerateOAuthState(context.Context) (string, error)
	ValidateOAuthState(context.Context, string) error
	GetIDForRemoteUser(context.Context, int64) (int64, error)
	CreateUser(config.Config, User, string) error
	RecordRemoteUserID(context.Context, int64, int64) error
	GetUserForAuthByID(int64) (*User, error)
	}

	type HttpClient interface {
	Do(req http.Request) (http.Response, error)
	}

	type oauthHandler struct {
	Config *config.Config
	DB OAuthDatastore
	Store sessions.Store
	HttpClient HttpClient
	}

	// buildAuthURL returns a URL used to initiate authentication.
	func buildAuthURL(db OAuthDatastore, ctx context.Context, clientID, authLocation, callbackURL string) (string, error) {
	state, err := db.GenerateOAuthState(ctx)
	if err != nil {
	return "", err
	}

	u, err := url.Parse(authLocation)
	if err != nil {
	return "", err
	}
	q := u.Query()
	q.Set("client_id", clientID)
	q.Set("redirect_uri", callbackURL)
	q.Set("response_type", "code")
	q.Set("state", state)
	u.RawQuery = q.Encode()

	return u.String(), nil
	}

	// app App, w http.ResponseWriter, r http.Request
	-func (h oauthHandler) viewOauthInit(w http.ResponseWriter, r *http.Request) {
	+func (h oauthHandler) viewOauthInit(app App, w http.ResponseWriter, r http.Request) error {
	location, err := buildAuthURL(h.DB, r.Context(), h.Config.App.OAuthClientID, h.Config.App.OAuthProviderAuthLocation, h.Config.App.OAuthClientCallbackLocation)
	if err != nil {
	- failOAuthRequest(w, http.StatusInternalServerError, "could not prepare oauth redirect url")
	- return
	+ return impart.HTTPError{http.StatusInternalServerError, "could not prepare oauth redirect url"}
	}
	- http.Redirect(w, r, location, http.StatusTemporaryRedirect)
	+ return impart.HTTPError{http.StatusTemporaryRedirect, location}
	}

	-func (h oauthHandler) viewOauthCallback(w http.ResponseWriter, r *http.Request) {
	+func (h oauthHandler) viewOauthCallback(app App, w http.ResponseWriter, r http.Request) error {
	ctx := r.Context()

	code := r.FormValue("code")
	state := r.FormValue("state")

	err := h.DB.ValidateOAuthState(ctx, state)
	if err != nil {
	- failOAuthRequest(w, http.StatusInternalServerError, err.Error())
	- return
	+ return impart.HTTPError{http.StatusInternalServerError, err.Error()}
	}

	tokenResponse, err := h.exchangeOauthCode(ctx, code)
	if err != nil {
	- failOAuthRequest(w, http.StatusInternalServerError, err.Error())
	- return
	+ return impart.HTTPError{http.StatusInternalServerError, err.Error()}
	}

	// Now that we have the access token, let's use it real quick to make sur
	// it really really works.
	tokenInfo, err := h.inspectOauthAccessToken(ctx, tokenResponse.AccessToken)
	if err != nil {
	- failOAuthRequest(w, http.StatusInternalServerError, err.Error())
	- return
	+ return impart.HTTPError{http.StatusInternalServerError, err.Error()}
	}

	localUserID, err := h.DB.GetIDForRemoteUser(ctx, tokenInfo.UserID)
	if err != nil {
	- failOAuthRequest(w, http.StatusInternalServerError, err.Error())
	- return
	+ return impart.HTTPError{http.StatusInternalServerError, err.Error()}
	}

	fmt.Println("local user id", localUserID)

	if localUserID == -1 {
	// We don't have, nor do we want, the password from the origin, so we
	//create a random string. If the user needs to set a password, they
	//can do so through the settings page or through the password reset
	//flow.
	randPass := store.Generate62RandomString(14)
	hashedPass, err := auth.HashPass([]byte(randPass))
	if err != nil {
	log.ErrorLog.Println(err)
	- failOAuthRequest(w, http.StatusInternalServerError, "unable to create password hash")
	- return
	+ return impart.HTTPError{http.StatusInternalServerError, "unable to create password hash"}
	}
	newUser := &User{
	Username: tokenInfo.Username,
	HashedPass: hashedPass,
	HasPass: true,
	Email: zero.NewString("", tokenInfo.Email != ""),
	Created: time.Now().Truncate(time.Second).UTC(),
	}

	err = h.DB.CreateUser(h.Config, newUser, newUser.Username)
	if err != nil {
	- failOAuthRequest(w, http.StatusInternalServerError, err.Error())
	- return
	+ return impart.HTTPError{http.StatusInternalServerError, err.Error()}
	}

	err = h.DB.RecordRemoteUserID(ctx, newUser.ID, tokenInfo.UserID)
	if err != nil {
	- failOAuthRequest(w, http.StatusInternalServerError, err.Error())
	- return
	+ return impart.HTTPError{http.StatusInternalServerError, err.Error()}
	}

	if err := loginOrFail(h.Store, w, r, newUser); err != nil {
	- failOAuthRequest(w, http.StatusInternalServerError, err.Error())
	+ return impart.HTTPError{http.StatusInternalServerError, err.Error()}
	}
	- return
	+ return nil
	}

	user, err := h.DB.GetUserForAuthByID(localUserID)
	if err != nil {
	- failOAuthRequest(w, http.StatusInternalServerError, err.Error())
	- return
	+ return impart.HTTPError{http.StatusInternalServerError, err.Error()}
	}
	if err = loginOrFail(h.Store, w, r, user); err != nil {
	- failOAuthRequest(w, http.StatusInternalServerError, err.Error())
	+ return impart.HTTPError{http.StatusInternalServerError, err.Error()}
	}
	+ return nil
	}

	func (h oauthHandler) exchangeOauthCode(ctx context.Context, code string) (*TokenResponse, error) {
	form := url.Values{}
	form.Add("grant_type", "authorization_code")
	form.Add("redirect_uri", h.Config.App.OAuthClientCallbackLocation)
	form.Add("code", code)
	req, err := http.NewRequest("POST", h.Config.App.OAuthProviderTokenLocation, strings.NewReader(form.Encode()))
	if err != nil {
	return nil, err
	}
	req.WithContext(ctx)
	req.Header.Set("User-Agent", "writefreely")
	req.Header.Set("Accept", "application/json")
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(h.Config.App.OAuthClientID, h.Config.App.OAuthClientSecret)

	resp, err := h.HttpClient.Do(req)
	if err != nil {
	return nil, err
	}

	// Nick: I like using limited readers to reduce the risk of an endpoint
	// being broken or compromised.
	lr := io.LimitReader(resp.Body, tokenRequestMaxLen)
	body, err := ioutil.ReadAll(lr)
	if err != nil {
	return nil, err
	}

	var tokenResponse TokenResponse
	err = json.Unmarshal(body, &tokenResponse)
	if err != nil {
	return nil, err
	}
	return &tokenResponse, nil
	}

	func (h oauthHandler) inspectOauthAccessToken(ctx context.Context, accessToken string) (*InspectResponse, error) {
	req, err := http.NewRequest("GET", h.Config.App.OAuthProviderInspectLocation, nil)
	if err != nil {
	return nil, err
	}
	req.WithContext(ctx)
	req.Header.Set("User-Agent", "writefreely")
	req.Header.Set("Accept", "application/json")
	req.Header.Set("Authorization", "Bearer "+accessToken)

	resp, err := h.HttpClient.Do(req)
	if err != nil {
	return nil, err
	}

	// Nick: I like using limited readers to reduce the risk of an endpoint
	// being broken or compromised.
	lr := io.LimitReader(resp.Body, infoRequestMaxLen)
	body, err := ioutil.ReadAll(lr)
	if err != nil {
	return nil, err
	}

	var inspectResponse InspectResponse
	err = json.Unmarshal(body, &inspectResponse)
	if err != nil {
	return nil, err
	}
	return &inspectResponse, nil
	}

	func loginOrFail(store sessions.Store, w http.ResponseWriter, r http.Request, user User) error {
	// An error may be returned, but a valid session should always be returned.
	session, _ := store.Get(r, cookieName)
	session.Values[cookieUserVal] = user.Cookie()
	if err := session.Save(r, w); err != nil {
	fmt.Println("error saving session", err)
	return err
	}
	http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
	return nil
	}
	-
	-// failOAuthRequest is an HTTP handler helper that formats returned error
	-// messages.
	-func failOAuthRequest(w http.ResponseWriter, statusCode int, message string) {
	- w.Header().Set("Content-Type", "application/json")
	- w.WriteHeader(statusCode)
	- err := json.NewEncoder(w).Encode(map[string]interface{}{
	- "error": message,
	- })
	- if err != nil {
	- panic(err)
	- }
	-}
	diff --git a/routes.go b/routes.go
	index e286c3e..6accc99 100644
	--- a/routes.go
	+++ b/routes.go
	@@ -1,218 +1,218 @@
	/*
	* Copyright © 2018-2019 A Bunch Tell LLC.
	*
	* This file is part of WriteFreely.
	*
	* WriteFreely is free software: you can redistribute it and/or modify
	* it under the terms of the GNU Affero General Public License, included
	* in the LICENSE file in this source code package.
	*/

	package writefreely

	import (
	"net/http"
	"path/filepath"
	"strings"

	"github.com/gorilla/mux"
	"github.com/writeas/go-webfinger"
	"github.com/writeas/web-core/log"
	"github.com/writefreely/go-nodeinfo"
	)

	// InitStaticRoutes adds routes for serving static files.
	// TODO: this should just be a func, not method
	func (app App) InitStaticRoutes(r mux.Router) {
	// Handle static files
	fs := http.FileServer(http.Dir(filepath.Join(app.cfg.Server.StaticParentDir, staticDir)))
	app.shttp = http.NewServeMux()
	app.shttp.Handle("/", fs)
	r.PathPrefix("/").Handler(fs)
	}

	// InitRoutes adds dynamic routes for the given mux.Router.
	func InitRoutes(apper Apper, r mux.Router) mux.Router {
	// Create handler
	handler := NewWFHandler(apper)

	// Set up routes
	hostSubroute := apper.App().cfg.App.Host[strings.Index(apper.App().cfg.App.Host, "://")+3:]
	if apper.App().cfg.App.SingleUser {
	hostSubroute = "{domain}"
	} else {
	if strings.HasPrefix(hostSubroute, "localhost") {
	hostSubroute = "localhost"
	}
	}

	if apper.App().cfg.App.SingleUser {
	log.Info("Adding %s routes (single user)...", hostSubroute)
	} else {
	log.Info("Adding %s routes (multi-user)...", hostSubroute)
	}

	// Primary app routes
	write := r.PathPrefix("/").Subrouter()

	// Federation endpoint configurations
	wf := webfinger.Default(wfResolver{apper.App().db, apper.App().cfg})
	wf.NoTLSHandler = nil

	// Federation endpoints
	// host-meta
	write.HandleFunc("/.well-known/host-meta", handler.Web(handleViewHostMeta, UserLevelReader))
	// webfinger
	write.HandleFunc(webfinger.WebFingerPath, handler.LogHandlerFunc(http.HandlerFunc(wf.Webfinger)))
	// nodeinfo
	niCfg := nodeInfoConfig(apper.App().db, apper.App().cfg)
	ni := nodeinfo.NewService(*niCfg, nodeInfoResolver{apper.App().cfg, apper.App().db})
	write.HandleFunc(nodeinfo.NodeInfoPath, handler.LogHandlerFunc(http.HandlerFunc(ni.NodeInfoDiscover)))
	write.HandleFunc(niCfg.InfoURL, handler.LogHandlerFunc(http.HandlerFunc(ni.NodeInfo)))

	// Set up dyamic page handlers
	// Handle auth
	auth := write.PathPrefix("/api/auth/").Subrouter()
	if apper.App().cfg.App.OpenRegistration {
	auth.HandleFunc("/signup", handler.All(apiSignup)).Methods("POST")
	}
	auth.HandleFunc("/login", handler.All(login)).Methods("POST")
	auth.HandleFunc("/read", handler.WebErrors(handleWebCollectionUnlock, UserLevelNone)).Methods("POST")
	auth.HandleFunc("/me", handler.All(handleAPILogout)).Methods("DELETE")

	oauthHandler := oauthHandler{
	HttpClient: &http.Client{},
	Config: apper.App().Config(),
	DB: apper.App().DB(),
	Store: apper.App().SessionStore(),
	}

	- write.HandleFunc("/oauth/write.as", oauthHandler.viewOauthInit).Methods("GET")
	- write.HandleFunc("/oauth/callback", oauthHandler.viewOauthCallback).Methods("GET")
	+ write.HandleFunc("/oauth/write.as", handler.OAuth(oauthHandler.viewOauthInit)).Methods("GET")
	+ write.HandleFunc("/oauth/callback", handler.OAuth(oauthHandler.viewOauthCallback)).Methods("GET")

	// Handle logged in user sections
	me := write.PathPrefix("/me").Subrouter()
	me.HandleFunc("/", handler.Redirect("/me", UserLevelUser))
	me.HandleFunc("/c", handler.Redirect("/me/c/", UserLevelUser)).Methods("GET")
	me.HandleFunc("/c/", handler.User(viewCollections)).Methods("GET")
	me.HandleFunc("/c/{collection}", handler.User(viewEditCollection)).Methods("GET")
	me.HandleFunc("/c/{collection}/stats", handler.User(viewStats)).Methods("GET")
	me.HandleFunc("/posts", handler.Redirect("/me/posts/", UserLevelUser)).Methods("GET")
	me.HandleFunc("/posts/", handler.User(viewArticles)).Methods("GET")
	me.HandleFunc("/posts/export.csv", handler.Download(viewExportPosts, UserLevelUser)).Methods("GET")
	me.HandleFunc("/posts/export.zip", handler.Download(viewExportPosts, UserLevelUser)).Methods("GET")
	me.HandleFunc("/posts/export.json", handler.Download(viewExportPosts, UserLevelUser)).Methods("GET")
	me.HandleFunc("/export", handler.User(viewExportOptions)).Methods("GET")
	me.HandleFunc("/export.json", handler.Download(viewExportFull, UserLevelUser)).Methods("GET")
	me.HandleFunc("/settings", handler.User(viewSettings)).Methods("GET")
	me.HandleFunc("/invites", handler.User(handleViewUserInvites)).Methods("GET")
	me.HandleFunc("/logout", handler.Web(viewLogout, UserLevelNone)).Methods("GET")

	write.HandleFunc("/api/me", handler.All(viewMeAPI)).Methods("GET")
	apiMe := write.PathPrefix("/api/me/").Subrouter()
	apiMe.HandleFunc("/", handler.All(viewMeAPI)).Methods("GET")
	apiMe.HandleFunc("/posts", handler.UserAPI(viewMyPostsAPI)).Methods("GET")
	apiMe.HandleFunc("/collections", handler.UserAPI(viewMyCollectionsAPI)).Methods("GET")
	apiMe.HandleFunc("/password", handler.All(updatePassphrase)).Methods("POST")
	apiMe.HandleFunc("/self", handler.All(updateSettings)).Methods("POST")
	apiMe.HandleFunc("/invites", handler.User(handleCreateUserInvite)).Methods("POST")

	// Sign up validation
	write.HandleFunc("/api/alias", handler.All(handleUsernameCheck)).Methods("POST")

	// Handle collections
	write.HandleFunc("/api/collections", handler.All(newCollection)).Methods("POST")
	apiColls := write.PathPrefix("/api/collections/").Subrouter()
	apiColls.HandleFunc("/{alias:[0-9a-zA-Z\\-]+}", handler.AllReader(fetchCollection)).Methods("GET")
	apiColls.HandleFunc("/{alias:[0-9a-zA-Z\\-]+}", handler.All(existingCollection)).Methods("POST", "DELETE")
	apiColls.HandleFunc("/{alias}/posts", handler.AllReader(fetchCollectionPosts)).Methods("GET")
	apiColls.HandleFunc("/{alias}/posts", handler.All(newPost)).Methods("POST")
	apiColls.HandleFunc("/{alias}/posts/{post}", handler.AllReader(fetchPost)).Methods("GET")
	apiColls.HandleFunc("/{alias}/posts/{post:[a-zA-Z0-9]{10}}", handler.All(existingPost)).Methods("POST")
	apiColls.HandleFunc("/{alias}/posts/{post}/{property}", handler.AllReader(fetchPostProperty)).Methods("GET")
	apiColls.HandleFunc("/{alias}/collect", handler.All(addPost)).Methods("POST")
	apiColls.HandleFunc("/{alias}/pin", handler.All(pinPost)).Methods("POST")
	apiColls.HandleFunc("/{alias}/unpin", handler.All(pinPost)).Methods("POST")
	apiColls.HandleFunc("/{alias}/inbox", handler.All(handleFetchCollectionInbox)).Methods("POST")
	apiColls.HandleFunc("/{alias}/outbox", handler.AllReader(handleFetchCollectionOutbox)).Methods("GET")
	apiColls.HandleFunc("/{alias}/following", handler.AllReader(handleFetchCollectionFollowing)).Methods("GET")
	apiColls.HandleFunc("/{alias}/followers", handler.AllReader(handleFetchCollectionFollowers)).Methods("GET")

	// Handle posts
	write.HandleFunc("/api/posts", handler.All(newPost)).Methods("POST")
	posts := write.PathPrefix("/api/posts/").Subrouter()
	posts.HandleFunc("/{post:[a-zA-Z0-9]{10}}", handler.AllReader(fetchPost)).Methods("GET")
	posts.HandleFunc("/{post:[a-zA-Z0-9]{10}}", handler.All(existingPost)).Methods("POST", "PUT")
	posts.HandleFunc("/{post:[a-zA-Z0-9]{10}}", handler.All(deletePost)).Methods("DELETE")
	posts.HandleFunc("/{post:[a-zA-Z0-9]{10}}/{property}", handler.AllReader(fetchPostProperty)).Methods("GET")
	posts.HandleFunc("/claim", handler.All(addPost)).Methods("POST")
	posts.HandleFunc("/disperse", handler.All(dispersePost)).Methods("POST")

	write.HandleFunc("/auth/signup", handler.Web(handleWebSignup, UserLevelNoneRequired)).Methods("POST")
	write.HandleFunc("/auth/login", handler.Web(webLogin, UserLevelNoneRequired)).Methods("POST")

	write.HandleFunc("/admin", handler.Admin(handleViewAdminDash)).Methods("GET")
	write.HandleFunc("/admin/users", handler.Admin(handleViewAdminUsers)).Methods("GET")
	write.HandleFunc("/admin/user/{username}", handler.Admin(handleViewAdminUser)).Methods("GET")
	write.HandleFunc("/admin/user/{username}/status", handler.Admin(handleAdminToggleUserStatus)).Methods("POST")
	write.HandleFunc("/admin/user/{username}/passphrase", handler.Admin(handleAdminResetUserPass)).Methods("POST")
	write.HandleFunc("/admin/pages", handler.Admin(handleViewAdminPages)).Methods("GET")
	write.HandleFunc("/admin/page/{slug}", handler.Admin(handleViewAdminPage)).Methods("GET")
	write.HandleFunc("/admin/update/config", handler.AdminApper(handleAdminUpdateConfig)).Methods("POST")
	write.HandleFunc("/admin/update/{page}", handler.Admin(handleAdminUpdateSite)).Methods("POST")

	// Handle special pages first
	write.HandleFunc("/login", handler.Web(viewLogin, UserLevelNoneRequired))
	write.HandleFunc("/signup", handler.Web(handleViewLanding, UserLevelNoneRequired))
	write.HandleFunc("/invite/{code}", handler.Web(handleViewInvite, UserLevelOptional)).Methods("GET")
	// TODO: show a reader-specific 404 page if the function is disabled
	write.HandleFunc("/read", handler.Web(viewLocalTimeline, UserLevelReader))
	RouteRead(handler, UserLevelReader, write.PathPrefix("/read").Subrouter())

	draftEditPrefix := ""
	if apper.App().cfg.App.SingleUser {
	draftEditPrefix = "/d"
	write.HandleFunc("/me/new", handler.Web(handleViewPad, UserLevelOptional)).Methods("GET")
	} else {
	write.HandleFunc("/new", handler.Web(handleViewPad, UserLevelOptional)).Methods("GET")
	}

	// All the existing stuff
	write.HandleFunc(draftEditPrefix+"/{action}/edit", handler.Web(handleViewPad, UserLevelOptional)).Methods("GET")
	write.HandleFunc(draftEditPrefix+"/{action}/meta", handler.Web(handleViewMeta, UserLevelOptional)).Methods("GET")
	// Collections
	if apper.App().cfg.App.SingleUser {
	RouteCollections(handler, write.PathPrefix("/").Subrouter())
	} else {
	write.HandleFunc("/{prefix:[@~$!\\-+]}{collection}", handler.Web(handleViewCollection, UserLevelReader))
	write.HandleFunc("/{collection}/", handler.Web(handleViewCollection, UserLevelReader))
	RouteCollections(handler, write.PathPrefix("/{prefix:[@~$!\\-+]?}{collection}").Subrouter())
	// Posts
	}
	write.HandleFunc(draftEditPrefix+"/{post}", handler.Web(handleViewPost, UserLevelOptional))
	write.HandleFunc("/", handler.Web(handleViewHome, UserLevelOptional))
	return r
	}

	func RouteCollections(handler Handler, r mux.Router) {
	r.HandleFunc("/page/{page:[0-9]+}", handler.Web(handleViewCollection, UserLevelReader))
	r.HandleFunc("/tag:{tag}", handler.Web(handleViewCollectionTag, UserLevelReader))
	r.HandleFunc("/tag:{tag}/feed/", handler.Web(ViewFeed, UserLevelReader))
	r.HandleFunc("/tags/{tag}", handler.Web(handleViewCollectionTag, UserLevelReader))
	r.HandleFunc("/sitemap.xml", handler.AllReader(handleViewSitemap))
	r.HandleFunc("/feed/", handler.AllReader(ViewFeed))
	r.HandleFunc("/{slug}", handler.CollectionPostOrStatic)
	r.HandleFunc("/{slug}/edit", handler.Web(handleViewPad, UserLevelUser))
	r.HandleFunc("/{slug}/edit/meta", handler.Web(handleViewMeta, UserLevelUser))
	r.HandleFunc("/{slug}/", handler.Web(handleCollectionPostRedirect, UserLevelReader)).Methods("GET")
	}

	func RouteRead(handler Handler, readPerm UserLevelFunc, r mux.Router) {
	r.HandleFunc("/api/posts", handler.Web(viewLocalTimelineAPI, readPerm))
	r.HandleFunc("/p/{page}", handler.Web(viewLocalTimeline, readPerm))
	r.HandleFunc("/feed/", handler.Web(viewLocalTimelineFeed, readPerm))
	r.HandleFunc("/t/{tag}", handler.Web(viewLocalTimeline, readPerm))
	r.HandleFunc("/a/{post}", handler.Web(handlePostIDRedirect, readPerm))
	r.HandleFunc("/{author}", handler.Web(viewLocalTimeline, readPerm))
	r.HandleFunc("/", handler.Web(viewLocalTimeline, readPerm))
	}

File Metadata

Mime Type: text/x-diff
Expires: Fri, Jan 31, 5:55 PM (1 d, 2 h)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 3145955

No OneTemporaryActions

View Options

File Metadata

Event Timeline

No OneTemporary
Actions