From f4652d9f3e03ff58b13629d4d5ffc87f6ea9cc0c Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Wed, 2 Jun 2021 21:27:12 +0800
Subject: [PATCH 01/26] Split UI API routes from API v1 routes

---
 modules/context/api_ui.go                     |  72 ++++
 routers/api/ui/api.go                         | 373 ++++++++++++++++++
 routers/api/v1/api.go                         |   3 -
 routers/web/web.go                            |   1 +
 .../repo/issue/view_content/sidebar.tmpl      |   2 +-
 web_src/js/components/DashboardRepoList.js    |   4 +-
 web_src/js/features/notification.js           |   2 +-
 web_src/js/features/stopwatch.js              |   2 +-
 8 files changed, 451 insertions(+), 8 deletions(-)
 create mode 100644 modules/context/api_ui.go
 create mode 100644 routers/api/ui/api.go

diff --git a/modules/context/api_ui.go b/modules/context/api_ui.go
new file mode 100644
index 0000000000000..ddd7579c0e479
--- /dev/null
+++ b/modules/context/api_ui.go
@@ -0,0 +1,72 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package context
+
+import (
+	"html"
+	"net/http"
+	"strings"
+
+	"code.gitea.io/gitea/modules/auth/sso"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/web/middleware"
+
+	"gitea.com/go-chi/session"
+)
+
+// APIUIContexter returns apicontext as middleware
+func APIUIContexter() func(http.Handler) http.Handler {
+	var csrfOpts = getCsrfOpts()
+
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+			var locale = middleware.Locale(w, req)
+			var ctx = APIContext{
+				Context: &Context{
+					Resp:    NewResponse(w),
+					Data:    map[string]interface{}{},
+					Locale:  locale,
+					Session: session.GetSession(req),
+					Repo: &Repository{
+						PullRequest: &PullRequest{},
+					},
+					Org: &Organization{},
+				},
+				Org: &APIOrganization{},
+			}
+
+			ctx.Req = WithAPIContext(WithContext(req, ctx.Context), &ctx)
+			ctx.csrf = Csrfer(csrfOpts, ctx.Context)
+
+			// If request sends files, parse them here otherwise the Query() can't be parsed and the CsrfToken will be invalid.
+			if ctx.Req.Method == "POST" && strings.Contains(ctx.Req.Header.Get("Content-Type"), "multipart/form-data") {
+				if err := ctx.Req.ParseMultipartForm(setting.Attachment.MaxSize << 20); err != nil && !strings.Contains(err.Error(), "EOF") { // 32MB max size
+					ctx.InternalServerError(err)
+					return
+				}
+			}
+
+			// Get user from session if logged in.
+			ctx.User, ctx.IsBasicAuth = sso.SignedInUser(ctx.Req, ctx.Resp, &ctx, ctx.Session)
+			if ctx.User != nil {
+				ctx.IsSigned = true
+				ctx.Data["IsSigned"] = ctx.IsSigned
+				ctx.Data["SignedUser"] = ctx.User
+				ctx.Data["SignedUserID"] = ctx.User.ID
+				ctx.Data["SignedUserName"] = ctx.User.Name
+				ctx.Data["IsAdmin"] = ctx.User.IsAdmin
+			} else {
+				ctx.Data["SignedUserID"] = int64(0)
+				ctx.Data["SignedUserName"] = ""
+			}
+
+			ctx.Resp.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
+
+			ctx.Data["CsrfToken"] = html.EscapeString(ctx.csrf.GetToken())
+
+			next.ServeHTTP(ctx.Resp, ctx.Req)
+		})
+	}
+}
diff --git a/routers/api/ui/api.go b/routers/api/ui/api.go
new file mode 100644
index 0000000000000..b56f7afccf979
--- /dev/null
+++ b/routers/api/ui/api.go
@@ -0,0 +1,373 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package ui
+
+import (
+	"net/http"
+	"reflect"
+	"strings"
+
+	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/modules/context"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
+	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/web"
+	"code.gitea.io/gitea/routers/api/v1/notify"
+	"code.gitea.io/gitea/routers/api/v1/org"
+	"code.gitea.io/gitea/routers/api/v1/repo"
+	_ "code.gitea.io/gitea/routers/api/v1/swagger" // for swagger generation
+	"code.gitea.io/gitea/routers/api/v1/user"
+
+	"gitea.com/go-chi/binding"
+	"gitea.com/go-chi/session"
+	"github.com/go-chi/cors"
+)
+
+func repoAssignment() func(ctx *context.APIContext) {
+	return func(ctx *context.APIContext) {
+		userName := ctx.Params("username")
+		repoName := ctx.Params("reponame")
+
+		var (
+			owner *models.User
+			err   error
+		)
+
+		// Check if the user is the same as the repository owner.
+		if ctx.IsSigned && ctx.User.LowerName == strings.ToLower(userName) {
+			owner = ctx.User
+		} else {
+			owner, err = models.GetUserByName(userName)
+			if err != nil {
+				if models.IsErrUserNotExist(err) {
+					if redirectUserID, err := models.LookupUserRedirect(userName); err == nil {
+						context.RedirectToUser(ctx.Context, userName, redirectUserID)
+					} else if models.IsErrUserRedirectNotExist(err) {
+						ctx.NotFound("GetUserByName", err)
+					} else {
+						ctx.Error(http.StatusInternalServerError, "LookupUserRedirect", err)
+					}
+				} else {
+					ctx.Error(http.StatusInternalServerError, "GetUserByName", err)
+				}
+				return
+			}
+		}
+		ctx.Repo.Owner = owner
+
+		// Get repository.
+		repo, err := models.GetRepositoryByName(owner.ID, repoName)
+		if err != nil {
+			if models.IsErrRepoNotExist(err) {
+				redirectRepoID, err := models.LookupRepoRedirect(owner.ID, repoName)
+				if err == nil {
+					context.RedirectToRepo(ctx.Context, redirectRepoID)
+				} else if models.IsErrRepoRedirectNotExist(err) {
+					ctx.NotFound()
+				} else {
+					ctx.Error(http.StatusInternalServerError, "LookupRepoRedirect", err)
+				}
+			} else {
+				ctx.Error(http.StatusInternalServerError, "GetRepositoryByName", err)
+			}
+			return
+		}
+
+		repo.Owner = owner
+		ctx.Repo.Repository = repo
+
+		ctx.Repo.Permission, err = models.GetUserRepoPermission(repo, ctx.User)
+		if err != nil {
+			ctx.Error(http.StatusInternalServerError, "GetUserRepoPermission", err)
+			return
+		}
+
+		if !ctx.Repo.HasAccess() {
+			ctx.NotFound()
+			return
+		}
+	}
+}
+
+// Contexter middleware already checks token for user sign in process.
+func reqToken() func(ctx *context.APIContext) {
+	return func(ctx *context.APIContext) {
+		if true == ctx.Data["IsApiToken"] {
+			return
+		}
+		if ctx.Context.IsBasicAuth {
+			ctx.CheckForOTP()
+			return
+		}
+		if ctx.IsSigned {
+			ctx.RequireCSRF()
+			return
+		}
+		ctx.Error(http.StatusUnauthorized, "reqToken", "token is required")
+	}
+}
+
+func reqExploreSignIn() func(ctx *context.APIContext) {
+	return func(ctx *context.APIContext) {
+		if setting.Service.Explore.RequireSigninView && !ctx.IsSigned {
+			ctx.Error(http.StatusUnauthorized, "reqExploreSignIn", "you must be signed in to search for users")
+		}
+	}
+}
+
+// reqOrgOwnership user should be an organization owner, or a site admin
+func reqOrgOwnership() func(ctx *context.APIContext) {
+	return func(ctx *context.APIContext) {
+		if ctx.Context.IsUserSiteAdmin() {
+			return
+		}
+
+		var orgID int64
+		if ctx.Org.Organization != nil {
+			orgID = ctx.Org.Organization.ID
+		} else if ctx.Org.Team != nil {
+			orgID = ctx.Org.Team.OrgID
+		} else {
+			ctx.Error(http.StatusInternalServerError, "", "reqOrgOwnership: unprepared context")
+			return
+		}
+
+		isOwner, err := models.IsOrganizationOwner(orgID, ctx.User.ID)
+		if err != nil {
+			ctx.Error(http.StatusInternalServerError, "IsOrganizationOwner", err)
+			return
+		} else if !isOwner {
+			if ctx.Org.Organization != nil {
+				ctx.Error(http.StatusForbidden, "", "Must be an organization owner")
+			} else {
+				ctx.NotFound()
+			}
+			return
+		}
+	}
+}
+
+// reqOrgMembership user should be an organization member, or a site admin
+func reqOrgMembership() func(ctx *context.APIContext) {
+	return func(ctx *context.APIContext) {
+		if ctx.Context.IsUserSiteAdmin() {
+			return
+		}
+
+		var orgID int64
+		if ctx.Org.Organization != nil {
+			orgID = ctx.Org.Organization.ID
+		} else if ctx.Org.Team != nil {
+			orgID = ctx.Org.Team.OrgID
+		} else {
+			ctx.Error(http.StatusInternalServerError, "", "reqOrgMembership: unprepared context")
+			return
+		}
+
+		if isMember, err := models.IsOrganizationMember(orgID, ctx.User.ID); err != nil {
+			ctx.Error(http.StatusInternalServerError, "IsOrganizationMember", err)
+			return
+		} else if !isMember {
+			if ctx.Org.Organization != nil {
+				ctx.Error(http.StatusForbidden, "", "Must be an organization member")
+			} else {
+				ctx.NotFound()
+			}
+			return
+		}
+	}
+}
+
+func orgAssignment(args ...bool) func(ctx *context.APIContext) {
+	var (
+		assignOrg  bool
+		assignTeam bool
+	)
+	if len(args) > 0 {
+		assignOrg = args[0]
+	}
+	if len(args) > 1 {
+		assignTeam = args[1]
+	}
+	return func(ctx *context.APIContext) {
+		ctx.Org = new(context.APIOrganization)
+
+		var err error
+		if assignOrg {
+			ctx.Org.Organization, err = models.GetOrgByName(ctx.Params(":org"))
+			if err != nil {
+				if models.IsErrOrgNotExist(err) {
+					redirectUserID, err := models.LookupUserRedirect(ctx.Params(":org"))
+					if err == nil {
+						context.RedirectToUser(ctx.Context, ctx.Params(":org"), redirectUserID)
+					} else if models.IsErrUserRedirectNotExist(err) {
+						ctx.NotFound("GetOrgByName", err)
+					} else {
+						ctx.Error(http.StatusInternalServerError, "LookupUserRedirect", err)
+					}
+				} else {
+					ctx.Error(http.StatusInternalServerError, "GetOrgByName", err)
+				}
+				return
+			}
+		}
+
+		if assignTeam {
+			ctx.Org.Team, err = models.GetTeamByID(ctx.ParamsInt64(":teamid"))
+			if err != nil {
+				if models.IsErrTeamNotExist(err) {
+					ctx.NotFound()
+				} else {
+					ctx.Error(http.StatusInternalServerError, "GetTeamById", err)
+				}
+				return
+			}
+		}
+	}
+}
+
+func mustEnableIssuesOrPulls(ctx *context.APIContext) {
+	if !ctx.Repo.CanRead(models.UnitTypeIssues) &&
+		!(ctx.Repo.Repository.CanEnablePulls() && ctx.Repo.CanRead(models.UnitTypePullRequests)) {
+		if ctx.Repo.Repository.CanEnablePulls() && log.IsTrace() {
+			if ctx.IsSigned {
+				log.Trace("Permission Denied: User %-v cannot read %-v and %-v in Repo %-v\n"+
+					"User in Repo has Permissions: %-+v",
+					ctx.User,
+					models.UnitTypeIssues,
+					models.UnitTypePullRequests,
+					ctx.Repo.Repository,
+					ctx.Repo.Permission)
+			} else {
+				log.Trace("Permission Denied: Anonymous user cannot read %-v and %-v in Repo %-v\n"+
+					"Anonymous user in Repo has Permissions: %-+v",
+					models.UnitTypeIssues,
+					models.UnitTypePullRequests,
+					ctx.Repo.Repository,
+					ctx.Repo.Permission)
+			}
+		}
+		ctx.NotFound()
+		return
+	}
+}
+
+func mustNotBeArchived(ctx *context.APIContext) {
+	if ctx.Repo.Repository.IsArchived {
+		ctx.NotFound()
+		return
+	}
+}
+
+// bind binding an obj to a func(ctx *context.APIContext)
+func bind(obj interface{}) http.HandlerFunc {
+	var tp = reflect.TypeOf(obj)
+	for tp.Kind() == reflect.Ptr {
+		tp = tp.Elem()
+	}
+	return web.Wrap(func(ctx *context.APIContext) {
+		var theObj = reflect.New(tp).Interface() // create a new form obj for every request but not use obj directly
+		errs := binding.Bind(ctx.Req, theObj)
+		if len(errs) > 0 {
+			ctx.Error(http.StatusUnprocessableEntity, "validationError", errs[0].Error())
+			return
+		}
+		web.SetForm(ctx, theObj)
+	})
+}
+
+// Routes registers all v1 APIs routes to web application.
+func Routes() *web.Route {
+	var m = web.NewRoute()
+
+	m.Use(session.Sessioner(session.Options{
+		Provider:       setting.SessionConfig.Provider,
+		ProviderConfig: setting.SessionConfig.ProviderConfig,
+		CookieName:     setting.SessionConfig.CookieName,
+		CookiePath:     setting.SessionConfig.CookiePath,
+		Gclifetime:     setting.SessionConfig.Gclifetime,
+		Maxlifetime:    setting.SessionConfig.Maxlifetime,
+		Secure:         setting.SessionConfig.Secure,
+		SameSite:       setting.SessionConfig.SameSite,
+		Domain:         setting.SessionConfig.Domain,
+	}))
+	m.Use(securityHeaders())
+	if setting.CORSConfig.Enabled {
+		m.Use(cors.Handler(cors.Options{
+			//Scheme:           setting.CORSConfig.Scheme, // FIXME: the cors middleware needs scheme option
+			AllowedOrigins: setting.CORSConfig.AllowDomain,
+			//setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option
+			AllowedMethods:   setting.CORSConfig.Methods,
+			AllowCredentials: setting.CORSConfig.AllowCredentials,
+			MaxAge:           int(setting.CORSConfig.MaxAge.Seconds()),
+		}))
+	}
+	m.Use(context.APIContexter())
+
+	m.Use(context.ToggleAPI(&context.ToggleOptions{
+		SignInRequired: setting.Service.RequireSignInView,
+	}))
+
+	m.Group("", func() {
+		// Notifications
+		m.Group("/notifications", func() {
+			m.Get("/new", notify.NewAvailable)
+		}, reqToken())
+
+		// Users
+		m.Group("/users", func() {
+			m.Get("/search", reqExploreSignIn(), user.Search)
+		})
+
+		m.Group("/user", func() {
+			m.Get("/stopwatches", repo.GetStopwatches)
+		}, reqToken())
+
+		// Repositories
+		m.Group("/repos", func() {
+			m.Get("/search", repo.Search)
+
+			m.Get("/issues/search", repo.SearchIssues)
+
+			m.Group("/{username}/{reponame}", func() {
+				m.Group("/issues", func() {
+					m.Combo("").Get(repo.ListIssues).
+						Post(reqToken(), mustNotBeArchived, bind(api.CreateIssueOption{}), repo.CreateIssue)
+					m.Group("/{index}", func() {
+						m.Combo("").Get(repo.GetIssue).
+							Patch(reqToken(), bind(api.EditIssueOption{}), repo.EditIssue)
+					})
+				}, mustEnableIssuesOrPulls)
+			}, repoAssignment())
+		})
+
+		// Organizations
+		m.Group("/orgs/{org}", func() {
+			m.Group("/teams", func() {
+				m.Combo("", reqToken()).Get(org.ListTeams).
+					Post(reqOrgOwnership(), bind(api.CreateTeamOption{}), org.CreateTeam)
+				m.Get("/search", org.SearchTeam)
+			}, reqOrgMembership())
+		}, orgAssignment(true))
+
+		m.Group("/topics", func() {
+			m.Get("/search", repo.TopicSearch)
+		})
+	})
+
+	return m
+}
+
+func securityHeaders() func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
+			// CORB: https://www.chromium.org/Home/chromium-security/corb-for-developers
+			// http://stackoverflow.com/a/3146618/244009
+			resp.Header().Set("x-content-type-options", "nosniff")
+			next.ServeHTTP(resp, req)
+		})
+	}
+}
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 4b30164026745..8998804966ef5 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -563,9 +563,6 @@ func bind(obj interface{}) http.HandlerFunc {
 // Routes registers all v1 APIs routes to web application.
 func Routes(sessioner func(http.Handler) http.Handler) *web.Route {
 	m := web.NewRoute()
-
-	m.Use(sessioner)
-
 	m.Use(securityHeaders())
 	if setting.CORSConfig.Enabled {
 		m.Use(cors.Handler(cors.Options{
diff --git a/routers/web/web.go b/routers/web/web.go
index b40a43058d423..7b0e76b38fb55 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -23,6 +23,7 @@ import (
 	"code.gitea.io/gitea/modules/validation"
 	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/modules/web/routing"
+	"code.gitea.io/gitea/routers/admin"
 	"code.gitea.io/gitea/routers/api/v1/misc"
 	"code.gitea.io/gitea/routers/web/admin"
 	"code.gitea.io/gitea/routers/web/auth"
diff --git a/templates/repo/issue/view_content/sidebar.tmpl b/templates/repo/issue/view_content/sidebar.tmpl
index aed155fdbfb43..e0880f1952f66 100644
--- a/templates/repo/issue/view_content/sidebar.tmpl
+++ b/templates/repo/issue/view_content/sidebar.tmpl
@@ -429,7 +429,7 @@
 
 			{{if and .HasIssuesOrPullsWritePermission (not .Repository.IsArchived)}}
 				<div {{if ne .Issue.DeadlineUnix 0}} style="display: none;"{{end}} id="deadlineForm">
-					<form class="ui fluid action input issue-due-form" action="{{AppSubUrl}}/api/v1/repos/{{PathEscape .Repository.Owner.Name}}/{{PathEscape .Repository.Name}}/issues/{{.Issue.Index}}" method="post" id="update-issue-deadline-form">
+					<form class="ui fluid action input issue-due-form" action="{{AppSubUrl}}/api/ui/repos/{{PathEscape .Repository.Owner.Name}}/{{PathEscape .Repository.Name}}/issues/{{.Issue.Index}}" method="post" id="update-issue-deadline-form">
 						{{$.CsrfTokenHtml}}
 						<input required placeholder="{{.i18n.Tr "repo.issues.due_date_form"}}" {{if gt .Issue.DeadlineUnix 0}}value="{{.Issue.DeadlineUnix.Format "2006-01-02"}}"{{end}} type="date" name="deadlineDate" id="deadlineDate">
 						<button class="ui green icon button">
diff --git a/web_src/js/components/DashboardRepoList.js b/web_src/js/components/DashboardRepoList.js
index 8d8f186cc632f..56f767736a82d 100644
--- a/web_src/js/components/DashboardRepoList.js
+++ b/web_src/js/components/DashboardRepoList.js
@@ -124,7 +124,7 @@ function initVueComponents() {
         return this.repos.length > 0 && this.repos.length < this.counts[`${this.reposFilter}:${this.archivedFilter}:${this.privateFilter}`];
       },
       searchURL() {
-        return `${this.subUrl}/api/v1/repos/search?sort=updated&order=desc&uid=${this.uid}&team_id=${this.teamId}&q=${this.searchQuery
+        return `${this.subUrl}/api/ui/repos/search?sort=updated&order=desc&uid=${this.uid}&team_id=${this.teamId}&q=${this.searchQuery
         }&page=${this.page}&limit=${this.searchLimit}&mode=${this.repoTypes[this.reposFilter].searchMode
         }${this.reposFilter !== 'all' ? '&exclusive=1' : ''
         }${this.archivedFilter === 'archived' ? '&archived=true' : ''}${this.archivedFilter === 'unarchived' ? '&archived=false' : ''
@@ -302,7 +302,7 @@ function initVueComponents() {
         this.isLoading = true;
 
         if (!this.reposTotalCount) {
-          const totalCountSearchURL = `${this.subUrl}/api/v1/repos/search?sort=updated&order=desc&uid=${this.uid}&team_id=${this.teamId}&q=&page=1&mode=`;
+          const totalCountSearchURL = `${this.subUrl}/api/ui/repos/search?sort=updated&order=desc&uid=${this.uid}&team_id=${this.teamId}&q=&page=1&mode=`;
           $.getJSON(totalCountSearchURL, (_result, _textStatus, request) => {
             this.reposTotalCount = request.getResponseHeader('X-Total-Count');
           });
diff --git a/web_src/js/features/notification.js b/web_src/js/features/notification.js
index 68b23ef162188..6f62b99e026ce 100644
--- a/web_src/js/features/notification.js
+++ b/web_src/js/features/notification.js
@@ -158,7 +158,7 @@ async function updateNotificationTable() {
 async function updateNotificationCount() {
   const data = await $.ajax({
     type: 'GET',
-    url: `${appSubUrl}/api/v1/notifications/new`,
+    url: `${appSubUrl}/api/ui/notifications/new`,
     headers: {
       'X-Csrf-Token': csrfToken,
     },
diff --git a/web_src/js/features/stopwatch.js b/web_src/js/features/stopwatch.js
index 1748c5119c2ca..5084ed7cda993 100644
--- a/web_src/js/features/stopwatch.js
+++ b/web_src/js/features/stopwatch.js
@@ -111,7 +111,7 @@ async function updateStopwatchWithCallback(callback, timeout) {
 async function updateStopwatch() {
   const data = await $.ajax({
     type: 'GET',
-    url: `${appSubUrl}/api/v1/user/stopwatches`,
+    url: `${appSubUrl}/api/ui/user/stopwatches`,
     headers: {'X-Csrf-Token': csrfToken},
   });
 

From 62bbad4f9dbf00f113427d43d5dc6adc872a2a02 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Wed, 2 Jun 2021 21:39:24 +0800
Subject: [PATCH 02/26] remove swagger import

---
 routers/api/ui/api.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/routers/api/ui/api.go b/routers/api/ui/api.go
index b56f7afccf979..add17b7b7b806 100644
--- a/routers/api/ui/api.go
+++ b/routers/api/ui/api.go
@@ -18,7 +18,6 @@ import (
 	"code.gitea.io/gitea/routers/api/v1/notify"
 	"code.gitea.io/gitea/routers/api/v1/org"
 	"code.gitea.io/gitea/routers/api/v1/repo"
-	_ "code.gitea.io/gitea/routers/api/v1/swagger" // for swagger generation
 	"code.gitea.io/gitea/routers/api/v1/user"
 
 	"gitea.com/go-chi/binding"

From 86aaa7140e1656a7cf1f29336327e0545d125d91 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Fri, 4 Jun 2021 09:48:44 +0800
Subject: [PATCH 03/26] Fix lint

---
 modules/context/api.go | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/modules/context/api.go b/modules/context/api.go
index e847ca35fac9b..ea4d775f2ef02 100644
--- a/modules/context/api.go
+++ b/modules/context/api.go
@@ -269,8 +269,6 @@ func APIAuth(authMethod auth_service.Method) func(*APIContext) {
 
 // APIContexter returns apicontext as middleware
 func APIContexter() func(http.Handler) http.Handler {
-	csrfOpts := getCsrfOpts()
-
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 			locale := middleware.Locale(w, req)
@@ -289,7 +287,6 @@ func APIContexter() func(http.Handler) http.Handler {
 			}
 
 			ctx.Req = WithAPIContext(WithContext(req, ctx.Context), &ctx)
-			ctx.csrf = Csrfer(csrfOpts, ctx.Context)
 
 			// If request sends files, parse them here otherwise the Query() can't be parsed and the CsrfToken will be invalid.
 			if ctx.Req.Method == "POST" && strings.Contains(ctx.Req.Header.Get("Content-Type"), "multipart/form-data") {

From 5cda626035381b1271381fb1b6e0c928945603de Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Fri, 4 Jun 2021 23:48:09 +0800
Subject: [PATCH 04/26] Remove session sso check for api/v1

---
 modules/context/api.go   | 15 +++++----------
 modules/session/store.go | 19 +++++++++++++++++++
 routers/api/ui/api.go    |  2 +-
 routers/api/v1/api.go    |  2 +-
 services/auth/auth.go    | 16 ++++++++++++++++
 5 files changed, 42 insertions(+), 12 deletions(-)

diff --git a/modules/context/api.go b/modules/context/api.go
index ea4d775f2ef02..04c8ab518e8fc 100644
--- a/modules/context/api.go
+++ b/modules/context/api.go
@@ -8,7 +8,6 @@ package context
 import (
 	"context"
 	"fmt"
-	"html"
 	"net/http"
 	"net/url"
 	"strings"
@@ -247,8 +246,9 @@ func (ctx *APIContext) CheckForOTP() {
 // APIAuth converts auth_service.Auth as a middleware
 func APIAuth(authMethod auth_service.Method) func(*APIContext) {
 	return func(ctx *APIContext) {
+		var store = session.NewEmptyStore()
 		// Get user from session if logged in.
-		ctx.Doer = authMethod.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
+		ctx.Doer = authMethod.Verify(ctx.Req, ctx.Resp, ctx, store)
 		if ctx.Doer != nil {
 			if ctx.Locale.Language() != ctx.Doer.Language {
 				ctx.Locale = middleware.Locale(ctx.Resp, ctx.Req)
@@ -271,13 +271,11 @@ func APIAuth(authMethod auth_service.Method) func(*APIContext) {
 func APIContexter() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-			locale := middleware.Locale(w, req)
 			ctx := APIContext{
 				Context: &Context{
-					Resp:    NewResponse(w),
-					Data:    map[string]interface{}{},
-					Locale:  locale,
-					Session: session.GetSession(req),
+					Resp:   NewResponse(w),
+					Data:   map[string]interface{}{},
+					Locale: middleware.Locale(w, req),
 					Repo: &Repository{
 						PullRequest: &PullRequest{},
 					},
@@ -298,9 +296,6 @@ func APIContexter() func(http.Handler) http.Handler {
 
 			ctx.Resp.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)
 
-			ctx.Data["CsrfToken"] = html.EscapeString(ctx.csrf.GetToken())
-			ctx.Data["Context"] = &ctx
-
 			next.ServeHTTP(ctx.Resp, ctx.Req)
 
 			// Handle adding signedUserName to the context for the AccessLogger
diff --git a/modules/session/store.go b/modules/session/store.go
index 8c5d7d82eb463..5a723712571ef 100644
--- a/modules/session/store.go
+++ b/modules/session/store.go
@@ -22,3 +22,22 @@ func RegenerateSession(resp http.ResponseWriter, req *http.Request) (Store, erro
 	s, err := session.RegenerateSession(resp, req)
 	return s, err
 }
+
+type emptyStore struct{}
+
+// NewEmptyStore returns an emptyStore
+func NewEmptyStore() *emptyStore {
+	return &emptyStore{}
+}
+
+func (emptyStore) Get(interface{}) interface{} {
+	return nil
+}
+
+func (emptyStore) Set(interface{}, interface{}) error {
+	return nil
+}
+
+func (emptyStore) Delete(interface{}) error {
+	return nil
+}
diff --git a/routers/api/ui/api.go b/routers/api/ui/api.go
index add17b7b7b806..86432e272f85c 100644
--- a/routers/api/ui/api.go
+++ b/routers/api/ui/api.go
@@ -304,7 +304,7 @@ func Routes() *web.Route {
 			MaxAge:           int(setting.CORSConfig.MaxAge.Seconds()),
 		}))
 	}
-	m.Use(context.APIContexter())
+	m.Use(context.APIUIContexter())
 
 	m.Use(context.ToggleAPI(&context.ToggleOptions{
 		SignInRequired: setting.Service.RequireSignInView,
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 8998804966ef5..854b76ad68f61 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -578,7 +578,7 @@ func Routes(sessioner func(http.Handler) http.Handler) *web.Route {
 	m.Use(context.APIContexter())
 
 	// Get user from session if logged in.
-	m.Use(context.APIAuth(auth.NewGroup(auth.Methods()...)))
+	m.Use(context.APIAuth(auth.NewGroup(auth.APIMethods()...)))
 
 	m.Use(context.ToggleAPI(&context.ToggleOptions{
 		SignInRequired: setting.Service.RequireSignInView,
diff --git a/services/auth/auth.go b/services/auth/auth.go
index bdff777f506e4..69ad8061b5305 100644
--- a/services/auth/auth.go
+++ b/services/auth/auth.go
@@ -36,14 +36,30 @@ var authMethods = []Method{
 	&Session{},
 }
 
+var authAPIMethods = []Auth{
+	&OAuth2{},
+	&Basic{},
+	&ReverseProxy{},
+}
+
 // The purpose of the following three function variables is to let the linter know that
 // those functions are not dead code and are actually being used
 var (
 	_ = handleSignIn
 )
 
+<<<<<<< HEAD
 // Methods returns the instances of all registered methods
 func Methods() []Method {
+=======
+// Methods returns the instances of all SSO methods API needed
+func APIMethods() []Auth {
+	return authAPIMethods
+}
+
+// Methods returns the instances of all registered SSO methods
+func Methods() []Auth {
+>>>>>>> 87b8db9e5 (Remove session sso check for api/v1)
 	return authMethods
 }
 

From 810c999cd0bb9a9878946d52babc385a7c2f540d Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Sat, 5 Jun 2021 00:09:18 +0800
Subject: [PATCH 05/26] Fix lint

---
 modules/session/store.go | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/modules/session/store.go b/modules/session/store.go
index 5a723712571ef..7513b07039659 100644
--- a/modules/session/store.go
+++ b/modules/session/store.go
@@ -23,21 +23,22 @@ func RegenerateSession(resp http.ResponseWriter, req *http.Request) (Store, erro
 	return s, err
 }
 
-type emptyStore struct{}
+// EmptyStore represents an empty store
+type EmptyStore struct{}
 
-// NewEmptyStore returns an emptyStore
-func NewEmptyStore() *emptyStore {
-	return &emptyStore{}
+// NewEmptyStore returns an EmptyStore
+func NewEmptyStore() *EmptyStore {
+	return &EmptyStore{}
 }
 
-func (emptyStore) Get(interface{}) interface{} {
+func (EmptyStore) Get(interface{}) interface{} {
 	return nil
 }
 
-func (emptyStore) Set(interface{}, interface{}) error {
+func (EmptyStore) Set(interface{}, interface{}) error {
 	return nil
 }
 
-func (emptyStore) Delete(interface{}) error {
+func (EmptyStore) Delete(interface{}) error {
 	return nil
 }

From 541205ac0c3138559b0b44ff33d6747216b6cdef Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Sat, 5 Jun 2021 21:12:49 +0800
Subject: [PATCH 06/26] fix lint

---
 modules/session/store.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/modules/session/store.go b/modules/session/store.go
index 7513b07039659..5df7d4f925412 100644
--- a/modules/session/store.go
+++ b/modules/session/store.go
@@ -31,14 +31,17 @@ func NewEmptyStore() *EmptyStore {
 	return &EmptyStore{}
 }
 
+// Get implements Store
 func (EmptyStore) Get(interface{}) interface{} {
 	return nil
 }
 
+// Set implements Store
 func (EmptyStore) Set(interface{}, interface{}) error {
 	return nil
 }
 
+// Delete implements Store
 func (EmptyStore) Delete(interface{}) error {
 	return nil
 }

From 01d0418bb1427f1b2bb9e9b469131ce4fc157396 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Sat, 5 Jun 2021 21:38:08 +0800
Subject: [PATCH 07/26] Fix lint

---
 services/auth/auth.go | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

diff --git a/services/auth/auth.go b/services/auth/auth.go
index 69ad8061b5305..6d37619ab06c6 100644
--- a/services/auth/auth.go
+++ b/services/auth/auth.go
@@ -36,7 +36,7 @@ var authMethods = []Method{
 	&Session{},
 }
 
-var authAPIMethods = []Auth{
+var authAPIMethods = []Method{
 	&OAuth2{},
 	&Basic{},
 	&ReverseProxy{},
@@ -48,18 +48,13 @@ var (
 	_ = handleSignIn
 )
 
-<<<<<<< HEAD
-// Methods returns the instances of all registered methods
-func Methods() []Method {
-=======
-// Methods returns the instances of all SSO methods API needed
-func APIMethods() []Auth {
+// APIMethods returns the instances of all SSO methods API needed
+func APIMethods() []Method {
 	return authAPIMethods
 }
 
 // Methods returns the instances of all registered SSO methods
-func Methods() []Auth {
->>>>>>> 87b8db9e5 (Remove session sso check for api/v1)
+func Methods() []Method {
 	return authMethods
 }
 

From 5726a517dd14b7ff8b26ebab96bbb60c63ea41b4 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Sun, 6 Jun 2021 12:40:11 +0800
Subject: [PATCH 08/26] Fix test

---
 integrations/api_issue_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/integrations/api_issue_test.go b/integrations/api_issue_test.go
index 3957c102339d3..776ebcd6922d9 100644
--- a/integrations/api_issue_test.go
+++ b/integrations/api_issue_test.go
@@ -171,7 +171,7 @@ func TestAPISearchIssues(t *testing.T) {
 	session := loginUser(t, "user2")
 	token := getTokenForLoggedInUser(t, session)
 
-	link, _ := url.Parse("/api/v1/repos/issues/search")
+	link, _ := url.Parse("/api/ui/repos/issues/search")
 	req := NewRequest(t, "GET", link.String())
 	resp := session.MakeRequest(t, req, http.StatusOK)
 	var apiIssues []*api.Issue

From b10a9fe760652b879ed5f585339b23a6916ca0a6 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Sun, 6 Jun 2021 16:28:59 +0800
Subject: [PATCH 09/26] Fix test

---
 integrations/api_issue_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/integrations/api_issue_test.go b/integrations/api_issue_test.go
index 776ebcd6922d9..f692cfcb5ab69 100644
--- a/integrations/api_issue_test.go
+++ b/integrations/api_issue_test.go
@@ -268,7 +268,7 @@ func TestAPISearchIssuesWithLabels(t *testing.T) {
 	session := loginUser(t, "user1")
 	token := getTokenForLoggedInUser(t, session)
 
-	link, _ := url.Parse("/api/v1/repos/issues/search")
+	link, _ := url.Parse("/api/ui/repos/issues/search")
 	req := NewRequest(t, "GET", link.String())
 	resp := session.MakeRequest(t, req, http.StatusOK)
 	var apiIssues []*api.Issue

From 5e09cb913d226fe8b1b06c16722a513df7a9897d Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Wed, 9 Jun 2021 23:25:49 +0800
Subject: [PATCH 10/26] Remove duplicated functions

---
 routers/api/ui/api.go      | 14 ++------------
 routers/api/v1/api.go      | 16 +++-------------
 routers/common/security.go | 19 +++++++++++++++++++
 routers/init.go            |  4 +++-
 4 files changed, 27 insertions(+), 26 deletions(-)
 create mode 100644 routers/common/security.go

diff --git a/routers/api/ui/api.go b/routers/api/ui/api.go
index 86432e272f85c..a7512f1181d56 100644
--- a/routers/api/ui/api.go
+++ b/routers/api/ui/api.go
@@ -19,6 +19,7 @@ import (
 	"code.gitea.io/gitea/routers/api/v1/org"
 	"code.gitea.io/gitea/routers/api/v1/repo"
 	"code.gitea.io/gitea/routers/api/v1/user"
+	"code.gitea.io/gitea/routers/common"
 
 	"gitea.com/go-chi/binding"
 	"gitea.com/go-chi/session"
@@ -293,7 +294,7 @@ func Routes() *web.Route {
 		SameSite:       setting.SessionConfig.SameSite,
 		Domain:         setting.SessionConfig.Domain,
 	}))
-	m.Use(securityHeaders())
+	m.Use(common.SecurityHeaders())
 	if setting.CORSConfig.Enabled {
 		m.Use(cors.Handler(cors.Options{
 			//Scheme:           setting.CORSConfig.Scheme, // FIXME: the cors middleware needs scheme option
@@ -359,14 +360,3 @@ func Routes() *web.Route {
 
 	return m
 }
-
-func securityHeaders() func(http.Handler) http.Handler {
-	return func(next http.Handler) http.Handler {
-		return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
-			// CORB: https://www.chromium.org/Home/chromium-security/corb-for-developers
-			// http://stackoverflow.com/a/3146618/244009
-			resp.Header().Set("x-content-type-options", "nosniff")
-			next.ServeHTTP(resp, req)
-		})
-	}
-}
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 854b76ad68f61..a8a61e160b49c 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -86,6 +86,7 @@ import (
 	"code.gitea.io/gitea/routers/api/v1/repo"
 	"code.gitea.io/gitea/routers/api/v1/settings"
 	"code.gitea.io/gitea/routers/api/v1/user"
+	"code.gitea.io/gitea/routers/common"
 	"code.gitea.io/gitea/services/auth"
 	"code.gitea.io/gitea/services/forms"
 
@@ -561,9 +562,9 @@ func bind(obj interface{}) http.HandlerFunc {
 }
 
 // Routes registers all v1 APIs routes to web application.
-func Routes(sessioner func(http.Handler) http.Handler) *web.Route {
+func Routes() *web.Route {
 	m := web.NewRoute()
-	m.Use(securityHeaders())
+	m.Use(common.SecurityHeaders())
 	if setting.CORSConfig.Enabled {
 		m.Use(cors.Handler(cors.Options{
 			// Scheme:           setting.CORSConfig.Scheme, // FIXME: the cors middleware needs scheme option
@@ -1096,14 +1097,3 @@ func Routes(sessioner func(http.Handler) http.Handler) *web.Route {
 
 	return m
 }
-
-func securityHeaders() func(http.Handler) http.Handler {
-	return func(next http.Handler) http.Handler {
-		return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
-			// CORB: https://www.chromium.org/Home/chromium-security/corb-for-developers
-			// http://stackoverflow.com/a/3146618/244009
-			resp.Header().Set("x-content-type-options", "nosniff")
-			next.ServeHTTP(resp, req)
-		})
-	}
-}
diff --git a/routers/common/security.go b/routers/common/security.go
new file mode 100644
index 0000000000000..7f5da4fce3c32
--- /dev/null
+++ b/routers/common/security.go
@@ -0,0 +1,19 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package common
+
+import "net/http"
+
+// SecurityHeaders returns a chi middleware to add nosniff header
+func SecurityHeaders() func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
+			// CORB: https://www.chromium.org/Home/chromium-security/corb-for-developers
+			// http://stackoverflow.com/a/3146618/244009
+			resp.Header().Set("x-content-type-options", "nosniff")
+			next.ServeHTTP(resp, req)
+		})
+	}
+}
diff --git a/routers/init.go b/routers/init.go
index 804dfd65335b6..a42fff9e686c7 100644
--- a/routers/init.go
+++ b/routers/init.go
@@ -32,6 +32,7 @@ import (
 	"code.gitea.io/gitea/modules/svg"
 	"code.gitea.io/gitea/modules/translation"
 	"code.gitea.io/gitea/modules/web"
+	apiui "code.gitea.io/gitea/routers/api/ui"
 	apiv1 "code.gitea.io/gitea/routers/api/v1"
 	"code.gitea.io/gitea/routers/common"
 	"code.gitea.io/gitea/routers/private"
@@ -186,7 +187,8 @@ func NormalRoutes() *web.Route {
 	})
 
 	r.Mount("/", web_routers.Routes(sessioner))
-	r.Mount("/api/v1", apiv1.Routes(sessioner))
+	r.Mount("/api/v1", apiv1.Routes())
+	r.Mount("/api/ui", apiui.Routes())
 	r.Mount("/api/internal", private.Routes())
 	return r
 }

From 40ab875f855ed7af7ce96bb1a1b6d92bab36ec14 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Thu, 10 Jun 2021 12:21:29 +0800
Subject: [PATCH 11/26] resolve conflicts

---
 modules/context/api.go    |  1 +
 modules/context/api_ui.go | 15 ---------------
 routers/api/ui/api.go     |  2 ++
 3 files changed, 3 insertions(+), 15 deletions(-)

diff --git a/modules/context/api.go b/modules/context/api.go
index 04c8ab518e8fc..ce23784782685 100644
--- a/modules/context/api.go
+++ b/modules/context/api.go
@@ -16,6 +16,7 @@ import (
 	repo_model "code.gitea.io/gitea/models/repo"
 	"code.gitea.io/gitea/modules/git"
 	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/session"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/web/middleware"
 	auth_service "code.gitea.io/gitea/services/auth"
diff --git a/modules/context/api_ui.go b/modules/context/api_ui.go
index ddd7579c0e479..dce49b1c5c819 100644
--- a/modules/context/api_ui.go
+++ b/modules/context/api_ui.go
@@ -9,7 +9,6 @@ import (
 	"net/http"
 	"strings"
 
-	"code.gitea.io/gitea/modules/auth/sso"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/web/middleware"
 
@@ -48,20 +47,6 @@ func APIUIContexter() func(http.Handler) http.Handler {
 				}
 			}
 
-			// Get user from session if logged in.
-			ctx.User, ctx.IsBasicAuth = sso.SignedInUser(ctx.Req, ctx.Resp, &ctx, ctx.Session)
-			if ctx.User != nil {
-				ctx.IsSigned = true
-				ctx.Data["IsSigned"] = ctx.IsSigned
-				ctx.Data["SignedUser"] = ctx.User
-				ctx.Data["SignedUserID"] = ctx.User.ID
-				ctx.Data["SignedUserName"] = ctx.User.Name
-				ctx.Data["IsAdmin"] = ctx.User.IsAdmin
-			} else {
-				ctx.Data["SignedUserID"] = int64(0)
-				ctx.Data["SignedUserName"] = ""
-			}
-
 			ctx.Resp.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
 
 			ctx.Data["CsrfToken"] = html.EscapeString(ctx.csrf.GetToken())
diff --git a/routers/api/ui/api.go b/routers/api/ui/api.go
index a7512f1181d56..ef9990e5e1e2c 100644
--- a/routers/api/ui/api.go
+++ b/routers/api/ui/api.go
@@ -20,6 +20,7 @@ import (
 	"code.gitea.io/gitea/routers/api/v1/repo"
 	"code.gitea.io/gitea/routers/api/v1/user"
 	"code.gitea.io/gitea/routers/common"
+	"code.gitea.io/gitea/services/auth"
 
 	"gitea.com/go-chi/binding"
 	"gitea.com/go-chi/session"
@@ -306,6 +307,7 @@ func Routes() *web.Route {
 		}))
 	}
 	m.Use(context.APIUIContexter())
+	m.Use(context.APIAuth(auth.NewGroup(auth.APIMethods()...)))
 
 	m.Use(context.ToggleAPI(&context.ToggleOptions{
 		SignInRequired: setting.Service.RequireSignInView,

From 66d3a591312ed93d8f1979ac9f034f8546403d9e Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Thu, 24 Jun 2021 14:51:27 +0800
Subject: [PATCH 12/26] Fix test

---
 integrations/api_issue_test.go   | 85 +++++++++++++++++++++++++++-----
 integrations/integration_test.go |  5 ++
 routers/api/ui/api.go            |  2 +-
 3 files changed, 79 insertions(+), 13 deletions(-)

diff --git a/integrations/api_issue_test.go b/integrations/api_issue_test.go
index f692cfcb5ab69..fd07cd72273df 100644
--- a/integrations/api_issue_test.go
+++ b/integrations/api_issue_test.go
@@ -173,7 +173,7 @@ func TestAPISearchIssues(t *testing.T) {
 
 	link, _ := url.Parse("/api/ui/repos/issues/search")
 	req := NewRequest(t, "GET", link.String())
-	resp := session.MakeRequest(t, req, http.StatusOK)
+	resp := MakeRequest(t, WithToken(req, token), http.StatusOK)
 	var apiIssues []*api.Issue
 	DecodeJSON(t, resp, &apiIssues)
 	assert.Len(t, apiIssues, 10)
@@ -181,7 +181,7 @@ func TestAPISearchIssues(t *testing.T) {
 	query := url.Values{"token": {token}}
 	link.RawQuery = query.Encode()
 	req = NewRequest(t, "GET", link.String())
-	resp = session.MakeRequest(t, req, http.StatusOK)
+	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiIssues)
 	assert.Len(t, apiIssues, 10)
 
@@ -191,7 +191,7 @@ func TestAPISearchIssues(t *testing.T) {
 	query.Add("before", before)
 	link.RawQuery = query.Encode()
 	req = NewRequest(t, "GET", link.String())
-	resp = session.MakeRequest(t, req, http.StatusOK)
+	resp = MakeRequest(t, WithToken(req, token), http.StatusOK)
 	DecodeJSON(t, resp, &apiIssues)
 	assert.Len(t, apiIssues, 8)
 	query.Del("since")
@@ -200,14 +200,14 @@ func TestAPISearchIssues(t *testing.T) {
 	query.Add("state", "closed")
 	link.RawQuery = query.Encode()
 	req = NewRequest(t, "GET", link.String())
-	resp = session.MakeRequest(t, req, http.StatusOK)
+	resp = MakeRequest(t, WithToken(req, token), http.StatusOK)
 	DecodeJSON(t, resp, &apiIssues)
 	assert.Len(t, apiIssues, 2)
 
 	query.Set("state", "all")
 	link.RawQuery = query.Encode()
 	req = NewRequest(t, "GET", link.String())
-	resp = session.MakeRequest(t, req, http.StatusOK)
+	resp = MakeRequest(t, WithToken(req, token), http.StatusOK)
 	DecodeJSON(t, resp, &apiIssues)
 	assert.EqualValues(t, "15", resp.Header().Get("X-Total-Count"))
 	assert.Len(t, apiIssues, 10) // there are more but 10 is page item limit
@@ -215,28 +215,28 @@ func TestAPISearchIssues(t *testing.T) {
 	query.Add("limit", "20")
 	link.RawQuery = query.Encode()
 	req = NewRequest(t, "GET", link.String())
-	resp = session.MakeRequest(t, req, http.StatusOK)
+	resp = MakeRequest(t, WithToken(req, token), http.StatusOK)
 	DecodeJSON(t, resp, &apiIssues)
 	assert.Len(t, apiIssues, 15)
 
 	query = url.Values{"assigned": {"true"}, "state": {"all"}}
 	link.RawQuery = query.Encode()
 	req = NewRequest(t, "GET", link.String())
-	resp = session.MakeRequest(t, req, http.StatusOK)
+	resp = MakeRequest(t, WithToken(req, token), http.StatusOK)
 	DecodeJSON(t, resp, &apiIssues)
 	assert.Len(t, apiIssues, 1)
 
 	query = url.Values{"milestones": {"milestone1"}, "state": {"all"}}
 	link.RawQuery = query.Encode()
 	req = NewRequest(t, "GET", link.String())
-	resp = session.MakeRequest(t, req, http.StatusOK)
+	resp = MakeRequest(t, WithToken(req, token), http.StatusOK)
 	DecodeJSON(t, resp, &apiIssues)
 	assert.Len(t, apiIssues, 1)
 
 	query = url.Values{"milestones": {"milestone1,milestone3"}, "state": {"all"}}
 	link.RawQuery = query.Encode()
 	req = NewRequest(t, "GET", link.String())
-	resp = session.MakeRequest(t, req, http.StatusOK)
+	resp = MakeRequest(t, WithToken(req, token), http.StatusOK)
 	DecodeJSON(t, resp, &apiIssues)
 	assert.Len(t, apiIssues, 2)
 
@@ -262,11 +262,10 @@ func TestAPISearchIssues(t *testing.T) {
 	assert.Len(t, apiIssues, 2)
 }
 
-func TestAPISearchIssuesWithLabels(t *testing.T) {
+func TestUISearchIssuesWithLabels(t *testing.T) {
 	defer prepareTestEnv(t)()
 
 	session := loginUser(t, "user1")
-	token := getTokenForLoggedInUser(t, session)
 
 	link, _ := url.Parse("/api/ui/repos/issues/search")
 	req := NewRequest(t, "GET", link.String())
@@ -277,7 +276,6 @@ func TestAPISearchIssuesWithLabels(t *testing.T) {
 	assert.Len(t, apiIssues, 10)
 
 	query := url.Values{}
-	query.Add("token", token)
 	link.RawQuery = query.Encode()
 	req = NewRequest(t, "GET", link.String())
 	resp = session.MakeRequest(t, req, http.StatusOK)
@@ -324,3 +322,66 @@ func TestAPISearchIssuesWithLabels(t *testing.T) {
 	DecodeJSON(t, resp, &apiIssues)
 	assert.Len(t, apiIssues, 2)
 }
+
+func TestAPISearchIssuesWithLabels(t *testing.T) {
+	defer prepareTestEnv(t)()
+
+	session := loginUser(t, "user1")
+	token := getTokenForLoggedInUser(t, session)
+
+	link, _ := url.Parse("/api/v1/repos/issues/search")
+	req := NewRequest(t, "GET", link.String())
+	resp := MakeRequest(t, WithToken(req, token), http.StatusOK)
+	var apiIssues []*api.Issue
+	DecodeJSON(t, resp, &apiIssues)
+
+	assert.Len(t, apiIssues, 10)
+
+	query := url.Values{}
+	query.Add("token", token)
+	link.RawQuery = query.Encode()
+	req = NewRequest(t, "GET", link.String())
+	resp = MakeRequest(t, req, http.StatusOK)
+	DecodeJSON(t, resp, &apiIssues)
+	assert.Len(t, apiIssues, 10)
+
+	query.Add("labels", "label1")
+	link.RawQuery = query.Encode()
+	req = NewRequest(t, "GET", link.String())
+	resp = MakeRequest(t, WithToken(req, token), http.StatusOK)
+	DecodeJSON(t, resp, &apiIssues)
+	assert.Len(t, apiIssues, 2)
+
+	// multiple labels
+	query.Set("labels", "label1,label2")
+	link.RawQuery = query.Encode()
+	req = NewRequest(t, "GET", link.String())
+	resp = MakeRequest(t, WithToken(req, token), http.StatusOK)
+	DecodeJSON(t, resp, &apiIssues)
+	assert.Len(t, apiIssues, 2)
+
+	// an org label
+	query.Set("labels", "orglabel4")
+	link.RawQuery = query.Encode()
+	req = NewRequest(t, "GET", link.String())
+	resp = MakeRequest(t, WithToken(req, token), http.StatusOK)
+	DecodeJSON(t, resp, &apiIssues)
+	assert.Len(t, apiIssues, 1)
+
+	// org and repo label
+	query.Set("labels", "label2,orglabel4")
+	query.Add("state", "all")
+	link.RawQuery = query.Encode()
+	req = NewRequest(t, "GET", link.String())
+	resp = MakeRequest(t, WithToken(req, token), http.StatusOK)
+	DecodeJSON(t, resp, &apiIssues)
+	assert.Len(t, apiIssues, 2)
+
+	// org and repo label which share the same issue
+	query.Set("labels", "label1,orglabel4")
+	link.RawQuery = query.Encode()
+	req = NewRequest(t, "GET", link.String())
+	resp = MakeRequest(t, WithToken(req, token), http.StatusOK)
+	DecodeJSON(t, resp, &apiIssues)
+	assert.Len(t, apiIssues, 2)
+}
diff --git a/integrations/integration_test.go b/integrations/integration_test.go
index c778fb8013459..f59885b5ff4e2 100644
--- a/integrations/integration_test.go
+++ b/integrations/integration_test.go
@@ -458,6 +458,11 @@ func NewRequestWithBody(t testing.TB, method, urlStr string, body io.Reader) *ht
 	return request
 }
 
+func WithToken(req *http.Request, token string) *http.Request {
+	req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", token))
+	return req
+}
+
 func AddBasicAuthHeader(request *http.Request, username string) *http.Request {
 	request.SetBasicAuth(username, userPassword)
 	return request
diff --git a/routers/api/ui/api.go b/routers/api/ui/api.go
index ef9990e5e1e2c..51dcadce845c9 100644
--- a/routers/api/ui/api.go
+++ b/routers/api/ui/api.go
@@ -307,7 +307,7 @@ func Routes() *web.Route {
 		}))
 	}
 	m.Use(context.APIUIContexter())
-	m.Use(context.APIAuth(auth.NewGroup(auth.APIMethods()...)))
+	m.Use(context.APIAuth(auth.NewGroup(auth.Methods()...)))
 
 	m.Use(context.ToggleAPI(&context.ToggleOptions{
 		SignInRequired: setting.Service.RequireSignInView,

From 9fb8d78e323595ff7b92638a101c7c749afa6fdf Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Fri, 20 Aug 2021 23:34:40 +0800
Subject: [PATCH 13/26] Fix test

---
 modules/context/api.go |  4 +---
 routers/api/ui/api.go  | 15 ++-------------
 routers/init.go        |  5 ++++-
 3 files changed, 7 insertions(+), 17 deletions(-)

diff --git a/modules/context/api.go b/modules/context/api.go
index ce23784782685..e834092ec4741 100644
--- a/modules/context/api.go
+++ b/modules/context/api.go
@@ -16,7 +16,6 @@ import (
 	repo_model "code.gitea.io/gitea/models/repo"
 	"code.gitea.io/gitea/modules/git"
 	"code.gitea.io/gitea/modules/log"
-	"code.gitea.io/gitea/modules/session"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/web/middleware"
 	auth_service "code.gitea.io/gitea/services/auth"
@@ -247,9 +246,8 @@ func (ctx *APIContext) CheckForOTP() {
 // APIAuth converts auth_service.Auth as a middleware
 func APIAuth(authMethod auth_service.Method) func(*APIContext) {
 	return func(ctx *APIContext) {
-		var store = session.NewEmptyStore()
 		// Get user from session if logged in.
-		ctx.Doer = authMethod.Verify(ctx.Req, ctx.Resp, ctx, store)
+		ctx.Doer = authMethod.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
 		if ctx.Doer != nil {
 			if ctx.Locale.Language() != ctx.Doer.Language {
 				ctx.Locale = middleware.Locale(ctx.Resp, ctx.Req)
diff --git a/routers/api/ui/api.go b/routers/api/ui/api.go
index 51dcadce845c9..450351adc0f1f 100644
--- a/routers/api/ui/api.go
+++ b/routers/api/ui/api.go
@@ -23,7 +23,6 @@ import (
 	"code.gitea.io/gitea/services/auth"
 
 	"gitea.com/go-chi/binding"
-	"gitea.com/go-chi/session"
 	"github.com/go-chi/cors"
 )
 
@@ -281,20 +280,10 @@ func bind(obj interface{}) http.HandlerFunc {
 }
 
 // Routes registers all v1 APIs routes to web application.
-func Routes() *web.Route {
+func Routes(sess func(next http.Handler) http.Handler) *web.Route {
 	var m = web.NewRoute()
 
-	m.Use(session.Sessioner(session.Options{
-		Provider:       setting.SessionConfig.Provider,
-		ProviderConfig: setting.SessionConfig.ProviderConfig,
-		CookieName:     setting.SessionConfig.CookieName,
-		CookiePath:     setting.SessionConfig.CookiePath,
-		Gclifetime:     setting.SessionConfig.Gclifetime,
-		Maxlifetime:    setting.SessionConfig.Maxlifetime,
-		Secure:         setting.SessionConfig.Secure,
-		SameSite:       setting.SessionConfig.SameSite,
-		Domain:         setting.SessionConfig.Domain,
-	}))
+	m.Use(sess)
 	m.Use(common.SecurityHeaders())
 	if setting.CORSConfig.Enabled {
 		m.Use(cors.Handler(cors.Options{
diff --git a/routers/init.go b/routers/init.go
index a42fff9e686c7..e7334c24bf6cb 100644
--- a/routers/init.go
+++ b/routers/init.go
@@ -48,7 +48,10 @@ import (
 	"code.gitea.io/gitea/services/repository/archiver"
 	"code.gitea.io/gitea/services/task"
 	"code.gitea.io/gitea/services/webhook"
+<<<<<<< HEAD
 
+=======
+>>>>>>> 7afa66cba (Fix test)
 	"gitea.com/go-chi/session"
 )
 
@@ -188,7 +191,7 @@ func NormalRoutes() *web.Route {
 
 	r.Mount("/", web_routers.Routes(sessioner))
 	r.Mount("/api/v1", apiv1.Routes())
-	r.Mount("/api/ui", apiui.Routes())
+	r.Mount("/api/ui", apiui.Routes(sessioner))
 	r.Mount("/api/internal", private.Routes())
 	return r
 }

From f777be0b596d6df0a71dd07bd2d18ca048dd1b9b Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Sat, 21 Aug 2021 00:36:50 +0800
Subject: [PATCH 14/26] Fix more tests

---
 integrations/api_admin_org_test.go            |  21 +-
 integrations/api_admin_test.go                |  59 +++---
 integrations/api_branch_test.go               |  39 ++--
 .../api_helper_for_declarative_test.go        |  26 ++-
 integrations/api_issue_test.go                |  59 +++---
 integrations/api_notification_test.go         |  25 ++-
 integrations/api_org_test.go                  |  10 +-
 integrations/api_ui_issue_stopwatch_test.go   |  83 ++++++++
 integrations/api_ui_issue_test.go             | 111 +++++++++++
 integrations/api_ui_notification_test.go      | 122 ++++++++++++
 integrations/api_ui_repo_test.go              | 181 ++++++++++++++++++
 integrations/api_ui_user_search_test.go       |  86 +++++++++
 integrations/api_user_search_test.go          |  10 +-
 13 files changed, 694 insertions(+), 138 deletions(-)
 create mode 100644 integrations/api_ui_issue_stopwatch_test.go
 create mode 100644 integrations/api_ui_issue_test.go
 create mode 100644 integrations/api_ui_notification_test.go
 create mode 100644 integrations/api_ui_repo_test.go
 create mode 100644 integrations/api_ui_user_search_test.go

diff --git a/integrations/api_admin_org_test.go b/integrations/api_admin_org_test.go
index 8f36850a1a144..7293e73d3e905 100644
--- a/integrations/api_admin_org_test.go
+++ b/integrations/api_admin_org_test.go
@@ -17,10 +17,13 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
+func getUserToken(t testing.TB, userName string) string {
+	return getTokenForLoggedInUser(t, loginUser(t, userName))
+}
+
 func TestAPIAdminOrgCreate(t *testing.T) {
 	onGiteaRun(t, func(*testing.T, *url.URL) {
-		session := loginUser(t, "user1")
-		token := getTokenForLoggedInUser(t, session)
+		token := getUserToken(t, "user1")
 
 		org := api.CreateOrgOption{
 			UserName:    "user2_org",
@@ -31,7 +34,7 @@ func TestAPIAdminOrgCreate(t *testing.T) {
 			Visibility:  "private",
 		}
 		req := NewRequestWithJSON(t, "POST", "/api/v1/admin/users/user2/orgs?token="+token, &org)
-		resp := session.MakeRequest(t, req, http.StatusCreated)
+		resp := MakeRequest(t, req, http.StatusCreated)
 
 		var apiOrg api.Organization
 		DecodeJSON(t, resp, &apiOrg)
@@ -53,8 +56,7 @@ func TestAPIAdminOrgCreate(t *testing.T) {
 
 func TestAPIAdminOrgCreateBadVisibility(t *testing.T) {
 	onGiteaRun(t, func(*testing.T, *url.URL) {
-		session := loginUser(t, "user1")
-		token := getTokenForLoggedInUser(t, session)
+		token := getUserToken(t, "user1")
 
 		org := api.CreateOrgOption{
 			UserName:    "user2_org",
@@ -65,15 +67,14 @@ func TestAPIAdminOrgCreateBadVisibility(t *testing.T) {
 			Visibility:  "notvalid",
 		}
 		req := NewRequestWithJSON(t, "POST", "/api/v1/admin/users/user2/orgs?token="+token, &org)
-		session.MakeRequest(t, req, http.StatusUnprocessableEntity)
+		MakeRequest(t, req, http.StatusUnprocessableEntity)
 	})
 }
 
 func TestAPIAdminOrgCreateNotAdmin(t *testing.T) {
 	defer prepareTestEnv(t)()
-	nonAdminUsername := "user2"
-	session := loginUser(t, nonAdminUsername)
-	token := getTokenForLoggedInUser(t, session)
+
+	token := getUserToken(t, "user2")
 	org := api.CreateOrgOption{
 		UserName:    "user2_org",
 		FullName:    "User2's organization",
@@ -83,5 +84,5 @@ func TestAPIAdminOrgCreateNotAdmin(t *testing.T) {
 		Visibility:  "public",
 	}
 	req := NewRequestWithJSON(t, "POST", "/api/v1/admin/users/user2/orgs?token="+token, &org)
-	session.MakeRequest(t, req, http.StatusForbidden)
+	MakeRequest(t, req, http.StatusForbidden)
 }
diff --git a/integrations/api_admin_test.go b/integrations/api_admin_test.go
index b935d3eac5948..ab4aa06508129 100644
--- a/integrations/api_admin_test.go
+++ b/integrations/api_admin_test.go
@@ -20,17 +20,16 @@ import (
 
 func TestAPIAdminCreateAndDeleteSSHKey(t *testing.T) {
 	defer prepareTestEnv(t)()
+
 	// user1 is an admin user
-	session := loginUser(t, "user1")
+	token := getUserToken(t, "user1")
 	keyOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: "user2"}).(*user_model.User)
-
-	token := getTokenForLoggedInUser(t, session)
 	urlStr := fmt.Sprintf("/api/v1/admin/users/%s/keys?token=%s", keyOwner.Name, token)
 	req := NewRequestWithValues(t, "POST", urlStr, map[string]string{
 		"key":   "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC4cn+iXnA4KvcQYSV88vGn0Yi91vG47t1P7okprVmhNTkipNRIHWr6WdCO4VDr/cvsRkuVJAsLO2enwjGWWueOO6BodiBgyAOZ/5t5nJNMCNuLGT5UIo/RI1b0WRQwxEZTRjt6mFNw6lH14wRd8ulsr9toSWBPMOGWoYs1PDeDL0JuTjL+tr1SZi/EyxCngpYszKdXllJEHyI79KQgeD0Vt3pTrkbNVTOEcCNqZePSVmUH8X8Vhugz3bnE0/iE9Pb5fkWO9c4AnM1FgI/8Bvp27Fw2ShryIXuR6kKvUqhVMTuOSDHwu6A8jLE5Owt3GAYugDpDYuwTVNGrHLXKpPzrGGPE/jPmaLCMZcsdkec95dYeU3zKODEm8UQZFhmJmDeWVJ36nGrGZHL4J5aTTaeFUJmmXDaJYiJ+K2/ioKgXqnXvltu0A9R8/LGy4nrTJRr4JMLuJFoUXvGm1gXQ70w2LSpk6yl71RNC0hCtsBe8BP8IhYCM0EP5jh7eCMQZNvM= nocomment\n",
 		"title": "test-key",
 	})
-	resp := session.MakeRequest(t, req, http.StatusCreated)
+	resp := MakeRequest(t, req, http.StatusCreated)
 
 	var newPublicKey api.PublicKey
 	DecodeJSON(t, resp, &newPublicKey)
@@ -44,53 +43,48 @@ func TestAPIAdminCreateAndDeleteSSHKey(t *testing.T) {
 
 	req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d?token=%s",
 		keyOwner.Name, newPublicKey.ID, token)
-	session.MakeRequest(t, req, http.StatusNoContent)
+	MakeRequest(t, req, http.StatusNoContent)
 	unittest.AssertNotExistsBean(t, &asymkey_model.PublicKey{ID: newPublicKey.ID})
 }
 
 func TestAPIAdminDeleteMissingSSHKey(t *testing.T) {
 	defer prepareTestEnv(t)()
 	// user1 is an admin user
-	session := loginUser(t, "user1")
-
-	token := getTokenForLoggedInUser(t, session)
+	token := getUserToken(t, "user1")
 	req := NewRequestf(t, "DELETE", "/api/v1/admin/users/user1/keys/%d?token=%s", unittest.NonexistentID, token)
-	session.MakeRequest(t, req, http.StatusNotFound)
+	MakeRequest(t, req, http.StatusNotFound)
 }
 
 func TestAPIAdminDeleteUnauthorizedKey(t *testing.T) {
 	defer prepareTestEnv(t)()
 	adminUsername := "user1"
 	normalUsername := "user2"
-	session := loginUser(t, adminUsername)
+	token := getUserToken(t, adminUsername)
 
-	token := getTokenForLoggedInUser(t, session)
 	urlStr := fmt.Sprintf("/api/v1/admin/users/%s/keys?token=%s", adminUsername, token)
 	req := NewRequestWithValues(t, "POST", urlStr, map[string]string{
 		"key":   "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC4cn+iXnA4KvcQYSV88vGn0Yi91vG47t1P7okprVmhNTkipNRIHWr6WdCO4VDr/cvsRkuVJAsLO2enwjGWWueOO6BodiBgyAOZ/5t5nJNMCNuLGT5UIo/RI1b0WRQwxEZTRjt6mFNw6lH14wRd8ulsr9toSWBPMOGWoYs1PDeDL0JuTjL+tr1SZi/EyxCngpYszKdXllJEHyI79KQgeD0Vt3pTrkbNVTOEcCNqZePSVmUH8X8Vhugz3bnE0/iE9Pb5fkWO9c4AnM1FgI/8Bvp27Fw2ShryIXuR6kKvUqhVMTuOSDHwu6A8jLE5Owt3GAYugDpDYuwTVNGrHLXKpPzrGGPE/jPmaLCMZcsdkec95dYeU3zKODEm8UQZFhmJmDeWVJ36nGrGZHL4J5aTTaeFUJmmXDaJYiJ+K2/ioKgXqnXvltu0A9R8/LGy4nrTJRr4JMLuJFoUXvGm1gXQ70w2LSpk6yl71RNC0hCtsBe8BP8IhYCM0EP5jh7eCMQZNvM= nocomment\n",
 		"title": "test-key",
 	})
-	resp := session.MakeRequest(t, req, http.StatusCreated)
+	resp := MakeRequest(t, req, http.StatusCreated)
 	var newPublicKey api.PublicKey
 	DecodeJSON(t, resp, &newPublicKey)
 
-	session = loginUser(t, normalUsername)
-	token = getTokenForLoggedInUser(t, session)
+	token = getUserToken(t, normalUsername)
 	req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d?token=%s",
 		adminUsername, newPublicKey.ID, token)
-	session.MakeRequest(t, req, http.StatusForbidden)
+	MakeRequest(t, req, http.StatusForbidden)
 }
 
 func TestAPISudoUser(t *testing.T) {
 	defer prepareTestEnv(t)()
 	adminUsername := "user1"
 	normalUsername := "user2"
-	session := loginUser(t, adminUsername)
-	token := getTokenForLoggedInUser(t, session)
+	token := getUserToken(t, adminUsername)
 
 	urlStr := fmt.Sprintf("/api/v1/user?sudo=%s&token=%s", normalUsername, token)
 	req := NewRequest(t, "GET", urlStr)
-	resp := session.MakeRequest(t, req, http.StatusOK)
+	resp := MakeRequest(t, req, http.StatusOK)
 	var user api.User
 	DecodeJSON(t, resp, &user)
 
@@ -102,23 +96,21 @@ func TestAPISudoUserForbidden(t *testing.T) {
 	adminUsername := "user1"
 	normalUsername := "user2"
 
-	session := loginUser(t, normalUsername)
-	token := getTokenForLoggedInUser(t, session)
+	token := getUserToken(t, normalUsername)
 
 	urlStr := fmt.Sprintf("/api/v1/user?sudo=%s&token=%s", adminUsername, token)
 	req := NewRequest(t, "GET", urlStr)
-	session.MakeRequest(t, req, http.StatusForbidden)
+	MakeRequest(t, req, http.StatusForbidden)
 }
 
 func TestAPIListUsers(t *testing.T) {
 	defer prepareTestEnv(t)()
 	adminUsername := "user1"
-	session := loginUser(t, adminUsername)
-	token := getTokenForLoggedInUser(t, session)
+	token := getUserToken(t, adminUsername)
 
 	urlStr := fmt.Sprintf("/api/v1/admin/users?token=%s", token)
 	req := NewRequest(t, "GET", urlStr)
-	resp := session.MakeRequest(t, req, http.StatusOK)
+	resp := MakeRequest(t, req, http.StatusOK)
 	var users []api.User
 	DecodeJSON(t, resp, &users)
 
@@ -142,17 +134,15 @@ func TestAPIListUsersNotLoggedIn(t *testing.T) {
 func TestAPIListUsersNonAdmin(t *testing.T) {
 	defer prepareTestEnv(t)()
 	nonAdminUsername := "user2"
-	session := loginUser(t, nonAdminUsername)
-	token := getTokenForLoggedInUser(t, session)
+	token := getUserToken(t, nonAdminUsername)
 	req := NewRequestf(t, "GET", "/api/v1/admin/users?token=%s", token)
-	session.MakeRequest(t, req, http.StatusForbidden)
+	MakeRequest(t, req, http.StatusForbidden)
 }
 
 func TestAPICreateUserInvalidEmail(t *testing.T) {
 	defer prepareTestEnv(t)()
 	adminUsername := "user1"
-	session := loginUser(t, adminUsername)
-	token := getTokenForLoggedInUser(t, session)
+	token := getUserToken(t, adminUsername)
 	urlStr := fmt.Sprintf("/api/v1/admin/users?token=%s", token)
 	req := NewRequestWithValues(t, "POST", urlStr, map[string]string{
 		"email":                "invalid_email@domain.com\r\n",
@@ -164,14 +154,13 @@ func TestAPICreateUserInvalidEmail(t *testing.T) {
 		"source_id":            "0",
 		"username":             "invalidUser",
 	})
-	session.MakeRequest(t, req, http.StatusUnprocessableEntity)
+	MakeRequest(t, req, http.StatusUnprocessableEntity)
 }
 
 func TestAPIEditUser(t *testing.T) {
 	defer prepareTestEnv(t)()
 	adminUsername := "user1"
-	session := loginUser(t, adminUsername)
-	token := getTokenForLoggedInUser(t, session)
+	token := getUserToken(t, adminUsername)
 	urlStr := fmt.Sprintf("/api/v1/admin/users/%s?token=%s", "user2", token)
 
 	req := NewRequestWithValues(t, "PATCH", urlStr, map[string]string{
@@ -181,7 +170,7 @@ func TestAPIEditUser(t *testing.T) {
 		// to change
 		"full_name": "Full Name User 2",
 	})
-	session.MakeRequest(t, req, http.StatusOK)
+	MakeRequest(t, req, http.StatusOK)
 
 	empty := ""
 	req = NewRequestWithJSON(t, "PATCH", urlStr, api.EditUserOption{
@@ -189,7 +178,7 @@ func TestAPIEditUser(t *testing.T) {
 		SourceID:  0,
 		Email:     &empty,
 	})
-	resp := session.MakeRequest(t, req, http.StatusUnprocessableEntity)
+	resp := MakeRequest(t, WithToken(req, token), http.StatusUnprocessableEntity)
 
 	errMap := make(map[string]interface{})
 	json.Unmarshal(resp.Body.Bytes(), &errMap)
@@ -205,7 +194,7 @@ func TestAPIEditUser(t *testing.T) {
 		// to change
 		Restricted: &bTrue,
 	})
-	session.MakeRequest(t, req, http.StatusOK)
+	MakeRequest(t, WithToken(req, token), http.StatusOK)
 	user2 = unittest.AssertExistsAndLoadBean(t, &user_model.User{LoginName: "user2"}).(*user_model.User)
 	assert.True(t, user2.IsRestricted)
 }
diff --git a/integrations/api_branch_test.go b/integrations/api_branch_test.go
index e137331343f34..86b134dd9f31b 100644
--- a/integrations/api_branch_test.go
+++ b/integrations/api_branch_test.go
@@ -15,10 +15,9 @@ import (
 )
 
 func testAPIGetBranch(t *testing.T, branchName string, exists bool) {
-	session := loginUser(t, "user2")
-	token := getTokenForLoggedInUser(t, session)
+	token := getUserToken(t, "user2")
 	req := NewRequestf(t, "GET", "/api/v1/repos/user2/repo1/branches/%s?token=%s", branchName, token)
-	resp := session.MakeRequest(t, req, NoExpectedStatus)
+	resp := MakeRequest(t, req, NoExpectedStatus)
 	if !exists {
 		assert.EqualValues(t, http.StatusNotFound, resp.Code)
 		return
@@ -32,10 +31,9 @@ func testAPIGetBranch(t *testing.T, branchName string, exists bool) {
 }
 
 func testAPIGetBranchProtection(t *testing.T, branchName string, expectedHTTPStatus int) {
-	session := loginUser(t, "user2")
-	token := getTokenForLoggedInUser(t, session)
+	token := getUserToken(t, "user2")
 	req := NewRequestf(t, "GET", "/api/v1/repos/user2/repo1/branch_protections/%s?token=%s", branchName, token)
-	resp := session.MakeRequest(t, req, expectedHTTPStatus)
+	resp := MakeRequest(t, req, expectedHTTPStatus)
 
 	if resp.Code == http.StatusOK {
 		var branchProtection api.BranchProtection
@@ -45,12 +43,11 @@ func testAPIGetBranchProtection(t *testing.T, branchName string, expectedHTTPSta
 }
 
 func testAPICreateBranchProtection(t *testing.T, branchName string, expectedHTTPStatus int) {
-	session := loginUser(t, "user2")
-	token := getTokenForLoggedInUser(t, session)
+	token := getUserToken(t, "user2")
 	req := NewRequestWithJSON(t, "POST", "/api/v1/repos/user2/repo1/branch_protections?token="+token, &api.BranchProtection{
 		BranchName: branchName,
 	})
-	resp := session.MakeRequest(t, req, expectedHTTPStatus)
+	resp := MakeRequest(t, req, expectedHTTPStatus)
 
 	if resp.Code == http.StatusCreated {
 		var branchProtection api.BranchProtection
@@ -60,10 +57,9 @@ func testAPICreateBranchProtection(t *testing.T, branchName string, expectedHTTP
 }
 
 func testAPIEditBranchProtection(t *testing.T, branchName string, body *api.BranchProtection, expectedHTTPStatus int) {
-	session := loginUser(t, "user2")
-	token := getTokenForLoggedInUser(t, session)
+	token := getUserToken(t, "user2")
 	req := NewRequestWithJSON(t, "PATCH", "/api/v1/repos/user2/repo1/branch_protections/"+branchName+"?token="+token, body)
-	resp := session.MakeRequest(t, req, expectedHTTPStatus)
+	resp := MakeRequest(t, req, expectedHTTPStatus)
 
 	if resp.Code == http.StatusOK {
 		var branchProtection api.BranchProtection
@@ -73,17 +69,15 @@ func testAPIEditBranchProtection(t *testing.T, branchName string, body *api.Bran
 }
 
 func testAPIDeleteBranchProtection(t *testing.T, branchName string, expectedHTTPStatus int) {
-	session := loginUser(t, "user2")
-	token := getTokenForLoggedInUser(t, session)
+	token := getUserToken(t, "user2")
 	req := NewRequestf(t, "DELETE", "/api/v1/repos/user2/repo1/branch_protections/%s?token=%s", branchName, token)
-	session.MakeRequest(t, req, expectedHTTPStatus)
+	MakeRequest(t, req, expectedHTTPStatus)
 }
 
 func testAPIDeleteBranch(t *testing.T, branchName string, expectedHTTPStatus int) {
-	session := loginUser(t, "user2")
-	token := getTokenForLoggedInUser(t, session)
+	token := getUserToken(t, "user2")
 	req := NewRequestf(t, "DELETE", "/api/v1/repos/user2/repo1/branches/%s?token=%s", branchName, token)
-	session.MakeRequest(t, req, expectedHTTPStatus)
+	MakeRequest(t, req, expectedHTTPStatus)
 }
 
 func TestAPIGetBranch(t *testing.T) {
@@ -149,18 +143,17 @@ func testAPICreateBranches(t *testing.T, giteaURL *url.URL) {
 	}
 	for _, test := range tests {
 		defer resetFixtures(t)
-		session := ctx.Session
-		testAPICreateBranch(t, session, "user2", "my-noo-repo", test.OldBranch, test.NewBranch, test.ExpectedHTTPStatus)
+		testAPICreateBranch(t, username, "my-noo-repo", test.OldBranch, test.NewBranch, test.ExpectedHTTPStatus)
 	}
 }
 
-func testAPICreateBranch(t testing.TB, session *TestSession, user, repo, oldBranch, newBranch string, status int) bool {
-	token := getTokenForLoggedInUser(t, session)
+func testAPICreateBranch(t testing.TB, user, repo, oldBranch, newBranch string, status int) bool {
+	token := getUserToken(t, user)
 	req := NewRequestWithJSON(t, "POST", "/api/v1/repos/"+user+"/"+repo+"/branches?token="+token, &api.CreateBranchRepoOption{
 		BranchName:    newBranch,
 		OldBranchName: oldBranch,
 	})
-	resp := session.MakeRequest(t, req, status)
+	resp := MakeRequest(t, req, status)
 
 	var branch api.Branch
 	DecodeJSON(t, resp, &branch)
diff --git a/integrations/api_helper_for_declarative_test.go b/integrations/api_helper_for_declarative_test.go
index 5da72b7fb15a6..de6c3d8f40a4e 100644
--- a/integrations/api_helper_for_declarative_test.go
+++ b/integrations/api_helper_for_declarative_test.go
@@ -26,18 +26,14 @@ import (
 
 type APITestContext struct {
 	Reponame     string
-	Session      *TestSession
 	Token        string
 	Username     string
 	ExpectedCode int
 }
 
 func NewAPITestContext(t *testing.T, username, reponame string) APITestContext {
-	session := loginUser(t, username)
-	token := getTokenForLoggedInUser(t, session)
 	return APITestContext{
-		Session:  session,
-		Token:    token,
+		Token:    getUserToken(t, username),
 		Username: username,
 		Reponame: reponame,
 	}
@@ -61,10 +57,10 @@ func doAPICreateRepository(ctx APITestContext, empty bool, callback ...func(*tes
 		}
 		req := NewRequestWithJSON(t, "POST", "/api/v1/user/repos?token="+ctx.Token, createRepoOption)
 		if ctx.ExpectedCode != 0 {
-			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
+			MakeRequest(t, req, ctx.ExpectedCode)
 			return
 		}
-		resp := ctx.Session.MakeRequest(t, req, http.StatusCreated)
+		resp := MakeRequest(t, req, http.StatusCreated)
 
 		var repository api.Repository
 		DecodeJSON(t, resp, &repository)
@@ -78,10 +74,10 @@ func doAPIEditRepository(ctx APITestContext, editRepoOption *api.EditRepoOption,
 	return func(t *testing.T) {
 		req := NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s?token=%s", url.PathEscape(ctx.Username), url.PathEscape(ctx.Reponame), ctx.Token), editRepoOption)
 		if ctx.ExpectedCode != 0 {
-			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
+			MakeRequest(t, req, ctx.ExpectedCode)
 			return
 		}
-		resp := ctx.Session.MakeRequest(t, req, http.StatusOK)
+		resp := MakeRequest(t, req, http.StatusOK)
 
 		var repository api.Repository
 		DecodeJSON(t, resp, &repository)
@@ -105,10 +101,10 @@ func doAPIAddCollaborator(ctx APITestContext, username string, mode perm.AccessM
 		}
 		req := NewRequestWithJSON(t, "PUT", fmt.Sprintf("/api/v1/repos/%s/%s/collaborators/%s?token=%s", ctx.Username, ctx.Reponame, username, ctx.Token), addCollaboratorOption)
 		if ctx.ExpectedCode != 0 {
-			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
+			MakeRequest(t, req, ctx.ExpectedCode)
 			return
 		}
-		ctx.Session.MakeRequest(t, req, http.StatusNoContent)
+		MakeRequest(t, req, http.StatusNoContent)
 	}
 }
 
@@ -117,10 +113,10 @@ func doAPIForkRepository(ctx APITestContext, username string, callback ...func(*
 		createForkOption := &api.CreateForkOption{}
 		req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/forks?token=%s", username, ctx.Reponame, ctx.Token), createForkOption)
 		if ctx.ExpectedCode != 0 {
-			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
+			MakeRequest(t, req, ctx.ExpectedCode)
 			return
 		}
-		resp := ctx.Session.MakeRequest(t, req, http.StatusAccepted)
+		resp := MakeRequest(t, req, http.StatusAccepted)
 		var repository api.Repository
 		DecodeJSON(t, resp, &repository)
 		if len(callback) > 0 {
@@ -135,10 +131,10 @@ func doAPIGetRepository(ctx APITestContext, callback ...func(*testing.T, api.Rep
 
 		req := NewRequest(t, "GET", urlStr)
 		if ctx.ExpectedCode != 0 {
-			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
+			MakeRequest(t, req, ctx.ExpectedCode)
 			return
 		}
-		resp := ctx.Session.MakeRequest(t, req, http.StatusOK)
+		resp := MakeRequest(t, req, http.StatusOK)
 
 		var repository api.Repository
 		DecodeJSON(t, resp, &repository)
diff --git a/integrations/api_issue_test.go b/integrations/api_issue_test.go
index fd07cd72273df..ced1e875f1d1c 100644
--- a/integrations/api_issue_test.go
+++ b/integrations/api_issue_test.go
@@ -26,12 +26,11 @@ func TestAPIListIssues(t *testing.T) {
 	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1}).(*repo_model.Repository)
 	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID}).(*user_model.User)
 
-	session := loginUser(t, owner.Name)
-	token := getTokenForLoggedInUser(t, session)
+	token := getUserToken(t, owner.Name)
 	link, _ := url.Parse(fmt.Sprintf("/api/v1/repos/%s/%s/issues", owner.Name, repo.Name))
 
 	link.RawQuery = url.Values{"token": {token}, "state": {"all"}}.Encode()
-	resp := session.MakeRequest(t, NewRequest(t, "GET", link.String()), http.StatusOK)
+	resp := MakeRequest(t, NewRequest(t, "GET", link.String()), http.StatusOK)
 	var apiIssues []*api.Issue
 	DecodeJSON(t, resp, &apiIssues)
 	assert.Len(t, apiIssues, unittest.GetCount(t, &models.Issue{RepoID: repo.ID}))
@@ -41,7 +40,7 @@ func TestAPIListIssues(t *testing.T) {
 
 	// test milestone filter
 	link.RawQuery = url.Values{"token": {token}, "state": {"all"}, "type": {"all"}, "milestones": {"ignore,milestone1,3,4"}}.Encode()
-	resp = session.MakeRequest(t, NewRequest(t, "GET", link.String()), http.StatusOK)
+	resp = MakeRequest(t, NewRequest(t, "GET", link.String()), http.StatusOK)
 	DecodeJSON(t, resp, &apiIssues)
 	if assert.Len(t, apiIssues, 2) {
 		assert.EqualValues(t, 3, apiIssues[0].Milestone.ID)
@@ -49,21 +48,21 @@ func TestAPIListIssues(t *testing.T) {
 	}
 
 	link.RawQuery = url.Values{"token": {token}, "state": {"all"}, "created_by": {"user2"}}.Encode()
-	resp = session.MakeRequest(t, NewRequest(t, "GET", link.String()), http.StatusOK)
+	resp = MakeRequest(t, NewRequest(t, "GET", link.String()), http.StatusOK)
 	DecodeJSON(t, resp, &apiIssues)
 	if assert.Len(t, apiIssues, 1) {
 		assert.EqualValues(t, 5, apiIssues[0].ID)
 	}
 
 	link.RawQuery = url.Values{"token": {token}, "state": {"all"}, "assigned_by": {"user1"}}.Encode()
-	resp = session.MakeRequest(t, NewRequest(t, "GET", link.String()), http.StatusOK)
+	resp = MakeRequest(t, NewRequest(t, "GET", link.String()), http.StatusOK)
 	DecodeJSON(t, resp, &apiIssues)
 	if assert.Len(t, apiIssues, 1) {
 		assert.EqualValues(t, 1, apiIssues[0].ID)
 	}
 
 	link.RawQuery = url.Values{"token": {token}, "state": {"all"}, "mentioned_by": {"user4"}}.Encode()
-	resp = session.MakeRequest(t, NewRequest(t, "GET", link.String()), http.StatusOK)
+	resp = MakeRequest(t, NewRequest(t, "GET", link.String()), http.StatusOK)
 	DecodeJSON(t, resp, &apiIssues)
 	if assert.Len(t, apiIssues, 1) {
 		assert.EqualValues(t, 1, apiIssues[0].ID)
@@ -77,15 +76,14 @@ func TestAPICreateIssue(t *testing.T) {
 	repoBefore := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1}).(*repo_model.Repository)
 	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repoBefore.OwnerID}).(*user_model.User)
 
-	session := loginUser(t, owner.Name)
-	token := getTokenForLoggedInUser(t, session)
+	token := getUserToken(t, owner.Name)
 	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues?state=all&token=%s", owner.Name, repoBefore.Name, token)
 	req := NewRequestWithJSON(t, "POST", urlStr, &api.CreateIssueOption{
 		Body:     body,
 		Title:    title,
 		Assignee: owner.Name,
 	})
-	resp := session.MakeRequest(t, req, http.StatusCreated)
+	resp := MakeRequest(t, req, http.StatusCreated)
 	var apiIssue api.Issue
 	DecodeJSON(t, resp, &apiIssue)
 	assert.Equal(t, body, apiIssue.Body)
@@ -113,8 +111,7 @@ func TestAPIEditIssue(t *testing.T) {
 	assert.Equal(t, int64(1019307200), int64(issueBefore.DeadlineUnix))
 	assert.Equal(t, api.StateOpen, issueBefore.State())
 
-	session := loginUser(t, owner.Name)
-	token := getTokenForLoggedInUser(t, session)
+	token := getUserToken(t, owner.Name)
 
 	// update values of issue
 	issueState := "closed"
@@ -133,7 +130,7 @@ func TestAPIEditIssue(t *testing.T) {
 
 		// ToDo change more
 	})
-	resp := session.MakeRequest(t, req, http.StatusCreated)
+	resp := MakeRequest(t, req, http.StatusCreated)
 	var apiIssue api.Issue
 	DecodeJSON(t, resp, &apiIssue)
 
@@ -168,10 +165,9 @@ func TestAPIEditIssue(t *testing.T) {
 func TestAPISearchIssues(t *testing.T) {
 	defer prepareTestEnv(t)()
 
-	session := loginUser(t, "user2")
-	token := getTokenForLoggedInUser(t, session)
+	token := getUserToken(t, "user2")
 
-	link, _ := url.Parse("/api/ui/repos/issues/search")
+	link, _ := url.Parse("/api/v1/repos/issues/search")
 	req := NewRequest(t, "GET", link.String())
 	resp := MakeRequest(t, WithToken(req, token), http.StatusOK)
 	var apiIssues []*api.Issue
@@ -243,21 +239,21 @@ func TestAPISearchIssues(t *testing.T) {
 	query = url.Values{"owner": {"user2"}} // user
 	link.RawQuery = query.Encode()
 	req = NewRequest(t, "GET", link.String())
-	resp = session.MakeRequest(t, req, http.StatusOK)
+	resp = MakeRequest(t, WithToken(req, token), http.StatusOK)
 	DecodeJSON(t, resp, &apiIssues)
 	assert.Len(t, apiIssues, 6)
 
 	query = url.Values{"owner": {"user3"}} // organization
 	link.RawQuery = query.Encode()
 	req = NewRequest(t, "GET", link.String())
-	resp = session.MakeRequest(t, req, http.StatusOK)
+	resp = MakeRequest(t, WithToken(req, token), http.StatusOK)
 	DecodeJSON(t, resp, &apiIssues)
 	assert.Len(t, apiIssues, 3)
 
 	query = url.Values{"owner": {"user3"}, "team": {"team1"}} // organization + team
 	link.RawQuery = query.Encode()
 	req = NewRequest(t, "GET", link.String())
-	resp = session.MakeRequest(t, req, http.StatusOK)
+	resp = MakeRequest(t, WithToken(req, token), http.StatusOK)
 	DecodeJSON(t, resp, &apiIssues)
 	assert.Len(t, apiIssues, 2)
 }
@@ -265,27 +261,29 @@ func TestAPISearchIssues(t *testing.T) {
 func TestUISearchIssuesWithLabels(t *testing.T) {
 	defer prepareTestEnv(t)()
 
-	session := loginUser(t, "user1")
+	token := getUserToken(t, "user1")
 
-	link, _ := url.Parse("/api/ui/repos/issues/search")
+	link, _ := url.Parse("/api/v1/repos/issues/search?token=" + token)
 	req := NewRequest(t, "GET", link.String())
-	resp := session.MakeRequest(t, req, http.StatusOK)
+	resp := MakeRequest(t, req, http.StatusOK)
 	var apiIssues []*api.Issue
 	DecodeJSON(t, resp, &apiIssues)
 
 	assert.Len(t, apiIssues, 10)
 
-	query := url.Values{}
+	query := url.Values{
+		"token": []string{token},
+	}
 	link.RawQuery = query.Encode()
 	req = NewRequest(t, "GET", link.String())
-	resp = session.MakeRequest(t, req, http.StatusOK)
+	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiIssues)
 	assert.Len(t, apiIssues, 10)
 
 	query.Add("labels", "label1")
 	link.RawQuery = query.Encode()
 	req = NewRequest(t, "GET", link.String())
-	resp = session.MakeRequest(t, req, http.StatusOK)
+	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiIssues)
 	assert.Len(t, apiIssues, 2)
 
@@ -293,7 +291,7 @@ func TestUISearchIssuesWithLabels(t *testing.T) {
 	query.Set("labels", "label1,label2")
 	link.RawQuery = query.Encode()
 	req = NewRequest(t, "GET", link.String())
-	resp = session.MakeRequest(t, req, http.StatusOK)
+	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiIssues)
 	assert.Len(t, apiIssues, 2)
 
@@ -301,7 +299,7 @@ func TestUISearchIssuesWithLabels(t *testing.T) {
 	query.Set("labels", "orglabel4")
 	link.RawQuery = query.Encode()
 	req = NewRequest(t, "GET", link.String())
-	resp = session.MakeRequest(t, req, http.StatusOK)
+	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiIssues)
 	assert.Len(t, apiIssues, 1)
 
@@ -310,7 +308,7 @@ func TestUISearchIssuesWithLabels(t *testing.T) {
 	query.Add("state", "all")
 	link.RawQuery = query.Encode()
 	req = NewRequest(t, "GET", link.String())
-	resp = session.MakeRequest(t, req, http.StatusOK)
+	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiIssues)
 	assert.Len(t, apiIssues, 2)
 
@@ -318,7 +316,7 @@ func TestUISearchIssuesWithLabels(t *testing.T) {
 	query.Set("labels", "label1,orglabel4")
 	link.RawQuery = query.Encode()
 	req = NewRequest(t, "GET", link.String())
-	resp = session.MakeRequest(t, req, http.StatusOK)
+	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiIssues)
 	assert.Len(t, apiIssues, 2)
 }
@@ -326,8 +324,7 @@ func TestUISearchIssuesWithLabels(t *testing.T) {
 func TestAPISearchIssuesWithLabels(t *testing.T) {
 	defer prepareTestEnv(t)()
 
-	session := loginUser(t, "user1")
-	token := getTokenForLoggedInUser(t, session)
+	token := getUserToken(t, "user1")
 
 	link, _ := url.Parse("/api/v1/repos/issues/search")
 	req := NewRequest(t, "GET", link.String())
diff --git a/integrations/api_notification_test.go b/integrations/api_notification_test.go
index 4bf18632ca07f..c182cd416e312 100644
--- a/integrations/api_notification_test.go
+++ b/integrations/api_notification_test.go
@@ -25,14 +25,13 @@ func TestAPINotification(t *testing.T) {
 	repo1 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1}).(*repo_model.Repository)
 	thread5 := unittest.AssertExistsAndLoadBean(t, &models.Notification{ID: 5}).(*models.Notification)
 	assert.NoError(t, thread5.LoadAttributes())
-	session := loginUser(t, user2.Name)
-	token := getTokenForLoggedInUser(t, session)
+	token := getUserToken(t, user2.Name)
 
 	// -- GET /notifications --
 	// test filter
 	since := "2000-01-01T00%3A50%3A01%2B00%3A00" // 946687801
 	req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications?since=%s&token=%s", since, token))
-	resp := session.MakeRequest(t, req, http.StatusOK)
+	resp := MakeRequest(t, req, http.StatusOK)
 	var apiNL []api.NotificationThread
 	DecodeJSON(t, resp, &apiNL)
 
@@ -43,7 +42,7 @@ func TestAPINotification(t *testing.T) {
 	before := "2000-01-01T01%3A06%3A59%2B00%3A00" // 946688819
 
 	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications?all=%s&before=%s&token=%s", "true", before, token))
-	resp = session.MakeRequest(t, req, http.StatusOK)
+	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiNL)
 
 	assert.Len(t, apiNL, 3)
@@ -59,7 +58,7 @@ func TestAPINotification(t *testing.T) {
 
 	// -- GET /repos/{owner}/{repo}/notifications --
 	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/notifications?status-types=unread&token=%s", user2.Name, repo1.Name, token))
-	resp = session.MakeRequest(t, req, http.StatusOK)
+	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiNL)
 
 	assert.Len(t, apiNL, 1)
@@ -81,11 +80,11 @@ func TestAPINotification(t *testing.T) {
 	// -- GET /notifications/threads/{id} --
 	// get forbidden
 	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications/threads/%d?token=%s", 1, token))
-	session.MakeRequest(t, req, http.StatusForbidden)
+	resp = MakeRequest(t, req, http.StatusForbidden)
 
 	// get own
 	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications/threads/%d?token=%s", thread5.ID, token))
-	resp = session.MakeRequest(t, req, http.StatusOK)
+	resp = MakeRequest(t, req, http.StatusOK)
 	var apiN api.NotificationThread
 	DecodeJSON(t, resp, &apiN)
 
@@ -103,28 +102,28 @@ func TestAPINotification(t *testing.T) {
 
 	// -- check notifications --
 	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications/new?token=%s", token))
-	resp = session.MakeRequest(t, req, http.StatusOK)
+	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &new)
 	assert.True(t, new.New > 0)
 
 	// -- mark notifications as read --
 	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications?status-types=unread&token=%s", token))
-	resp = session.MakeRequest(t, req, http.StatusOK)
+	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiNL)
 	assert.Len(t, apiNL, 2)
 
 	lastReadAt := "2000-01-01T00%3A50%3A01%2B00%3A00" // 946687801 <- only Notification 4 is in this filter ...
 	req = NewRequest(t, "PUT", fmt.Sprintf("/api/v1/repos/%s/%s/notifications?last_read_at=%s&token=%s", user2.Name, repo1.Name, lastReadAt, token))
-	session.MakeRequest(t, req, http.StatusResetContent)
+	resp = MakeRequest(t, req, http.StatusResetContent)
 
 	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications?status-types=unread&token=%s", token))
-	resp = session.MakeRequest(t, req, http.StatusOK)
+	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiNL)
 	assert.Len(t, apiNL, 1)
 
 	// -- PATCH /notifications/threads/{id} --
 	req = NewRequest(t, "PATCH", fmt.Sprintf("/api/v1/notifications/threads/%d?token=%s", thread5.ID, token))
-	session.MakeRequest(t, req, http.StatusResetContent)
+	resp = MakeRequest(t, req, http.StatusResetContent)
 
 	assert.Equal(t, models.NotificationStatusUnread, thread5.Status)
 	thread5 = unittest.AssertExistsAndLoadBean(t, &models.Notification{ID: 5}).(*models.Notification)
@@ -132,7 +131,7 @@ func TestAPINotification(t *testing.T) {
 
 	// -- check notifications --
 	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications/new?token=%s", token))
-	resp = session.MakeRequest(t, req, http.StatusOK)
+	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &new)
 	assert.True(t, new.New == 0)
 }
diff --git a/integrations/api_org_test.go b/integrations/api_org_test.go
index e33c010e88c2a..22550dc96c0fc 100644
--- a/integrations/api_org_test.go
+++ b/integrations/api_org_test.go
@@ -32,7 +32,7 @@ func TestAPIOrgCreate(t *testing.T) {
 			Visibility:  "limited",
 		}
 		req := NewRequestWithJSON(t, "POST", "/api/v1/orgs?token="+token, &org)
-		resp := session.MakeRequest(t, req, http.StatusCreated)
+		resp := MakeRequest(t, req, http.StatusCreated)
 
 		var apiOrg api.Organization
 		DecodeJSON(t, resp, &apiOrg)
@@ -51,12 +51,12 @@ func TestAPIOrgCreate(t *testing.T) {
 		})
 
 		req = NewRequestf(t, "GET", "/api/v1/orgs/%s", org.UserName)
-		resp = session.MakeRequest(t, req, http.StatusOK)
+		resp = MakeRequest(t, WithToken(req, token), http.StatusOK)
 		DecodeJSON(t, resp, &apiOrg)
 		assert.EqualValues(t, org.UserName, apiOrg.UserName)
 
 		req = NewRequestf(t, "GET", "/api/v1/orgs/%s/repos", org.UserName)
-		resp = session.MakeRequest(t, req, http.StatusOK)
+		resp = MakeRequest(t, WithToken(req, token), http.StatusOK)
 
 		var repos []*api.Repository
 		DecodeJSON(t, resp, &repos)
@@ -65,7 +65,7 @@ func TestAPIOrgCreate(t *testing.T) {
 		}
 
 		req = NewRequestf(t, "GET", "/api/v1/orgs/%s/members", org.UserName)
-		resp = session.MakeRequest(t, req, http.StatusOK)
+		resp = MakeRequest(t, WithToken(req, token), http.StatusOK)
 
 		// user1 on this org is public
 		var users []*api.User
@@ -88,7 +88,7 @@ func TestAPIOrgEdit(t *testing.T) {
 			Visibility:  "private",
 		}
 		req := NewRequestWithJSON(t, "PATCH", "/api/v1/orgs/user3?token="+token, &org)
-		resp := session.MakeRequest(t, req, http.StatusOK)
+		resp := MakeRequest(t, req, http.StatusOK)
 
 		var apiOrg api.Organization
 		DecodeJSON(t, resp, &apiOrg)
diff --git a/integrations/api_ui_issue_stopwatch_test.go b/integrations/api_ui_issue_stopwatch_test.go
new file mode 100644
index 0000000000000..0fff6eaa79b81
--- /dev/null
+++ b/integrations/api_ui_issue_stopwatch_test.go
@@ -0,0 +1,83 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package integrations
+
+import (
+	"net/http"
+	"testing"
+
+	"code.gitea.io/gitea/models"
+	api "code.gitea.io/gitea/modules/structs"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestUIAPIListStopWatches(t *testing.T) {
+	defer prepareTestEnv(t)()
+
+	repo := models.AssertExistsAndLoadBean(t, &models.Repository{ID: 1}).(*models.Repository)
+	owner := models.AssertExistsAndLoadBean(t, &models.User{ID: repo.OwnerID}).(*models.User)
+
+	session := loginUser(t, owner.Name)
+	req := NewRequestf(t, "GET", "/api/ui/user/stopwatches")
+	resp := session.MakeRequest(t, req, http.StatusOK)
+	var apiWatches []*api.StopWatch
+	DecodeJSON(t, resp, &apiWatches)
+	stopwatch := models.AssertExistsAndLoadBean(t, &models.Stopwatch{UserID: owner.ID}).(*models.Stopwatch)
+	issue := models.AssertExistsAndLoadBean(t, &models.Issue{ID: stopwatch.IssueID}).(*models.Issue)
+	if assert.Len(t, apiWatches, 1) {
+		assert.EqualValues(t, stopwatch.CreatedUnix.AsTime().Unix(), apiWatches[0].Created.Unix())
+		assert.EqualValues(t, issue.Index, apiWatches[0].IssueIndex)
+		assert.EqualValues(t, issue.Title, apiWatches[0].IssueTitle)
+		assert.EqualValues(t, repo.Name, apiWatches[0].RepoName)
+		assert.EqualValues(t, repo.OwnerName, apiWatches[0].RepoOwnerName)
+		assert.Greater(t, int64(apiWatches[0].Seconds), int64(0))
+	}
+}
+
+func TestAPIUIStopStopWatches(t *testing.T) {
+	defer prepareTestEnv(t)()
+
+	issue := models.AssertExistsAndLoadBean(t, &models.Issue{ID: 2}).(*models.Issue)
+	_ = issue.LoadRepo()
+	owner := models.AssertExistsAndLoadBean(t, &models.User{ID: issue.Repo.OwnerID}).(*models.User)
+	user := models.AssertExistsAndLoadBean(t, &models.User{ID: 2}).(*models.User)
+
+	session := loginUser(t, user.Name)
+
+	req := NewRequestf(t, "POST", "/api/v1/repos/%s/%s/issues/%d/stopwatch/stop", owner.Name, issue.Repo.Name, issue.Index)
+	session.MakeRequest(t, req, http.StatusCreated)
+	session.MakeRequest(t, req, http.StatusConflict)
+}
+
+func TestAPIUICancelStopWatches(t *testing.T) {
+	defer prepareTestEnv(t)()
+
+	issue := models.AssertExistsAndLoadBean(t, &models.Issue{ID: 1}).(*models.Issue)
+	_ = issue.LoadRepo()
+	owner := models.AssertExistsAndLoadBean(t, &models.User{ID: issue.Repo.OwnerID}).(*models.User)
+	user := models.AssertExistsAndLoadBean(t, &models.User{ID: 1}).(*models.User)
+
+	session := loginUser(t, user.Name)
+
+	req := NewRequestf(t, "DELETE", "/api/ui/repos/%s/%s/issues/%d/stopwatch/delete", owner.Name, issue.Repo.Name, issue.Index)
+	session.MakeRequest(t, req, http.StatusNoContent)
+	session.MakeRequest(t, req, http.StatusConflict)
+}
+
+func TestAPIUIStartStopWatches(t *testing.T) {
+	defer prepareTestEnv(t)()
+
+	issue := models.AssertExistsAndLoadBean(t, &models.Issue{ID: 3}).(*models.Issue)
+	_ = issue.LoadRepo()
+	owner := models.AssertExistsAndLoadBean(t, &models.User{ID: issue.Repo.OwnerID}).(*models.User)
+	user := models.AssertExistsAndLoadBean(t, &models.User{ID: 2}).(*models.User)
+
+	session := loginUser(t, user.Name)
+
+	req := NewRequestf(t, "POST", "/api/v1/repos/%s/%s/issues/%d/stopwatch/start", owner.Name, issue.Repo.Name, issue.Index)
+	session.MakeRequest(t, req, http.StatusCreated)
+	session.MakeRequest(t, req, http.StatusConflict)
+}
diff --git a/integrations/api_ui_issue_test.go b/integrations/api_ui_issue_test.go
new file mode 100644
index 0000000000000..e18c7a9b0bf0e
--- /dev/null
+++ b/integrations/api_ui_issue_test.go
@@ -0,0 +1,111 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package integrations
+
+import (
+	"net/http"
+	"net/url"
+	"testing"
+	"time"
+
+	api "code.gitea.io/gitea/modules/structs"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAPIUISearchIssues(t *testing.T) {
+	defer prepareTestEnv(t)()
+
+	session := loginUser(t, "user2")
+
+	link, _ := url.Parse("/api/ui/repos/issues/search")
+	req := NewRequest(t, "GET", link.String())
+	resp := session.MakeRequest(t, req, http.StatusOK)
+	var apiIssues []*api.Issue
+	DecodeJSON(t, resp, &apiIssues)
+	assert.Len(t, apiIssues, 10)
+
+	query := url.Values{}
+	link.RawQuery = query.Encode()
+	req = NewRequest(t, "GET", link.String())
+	resp = session.MakeRequest(t, req, http.StatusOK)
+	DecodeJSON(t, resp, &apiIssues)
+	assert.Len(t, apiIssues, 10)
+
+	since := "2000-01-01T00%3A50%3A01%2B00%3A00" // 946687801
+	before := time.Unix(999307200, 0).Format(time.RFC3339)
+	query.Add("since", since)
+	query.Add("before", before)
+	link.RawQuery = query.Encode()
+	req = NewRequest(t, "GET", link.String())
+	resp = session.MakeRequest(t, req, http.StatusOK)
+	DecodeJSON(t, resp, &apiIssues)
+	assert.Len(t, apiIssues, 8)
+	query.Del("since")
+	query.Del("before")
+
+	query.Add("state", "closed")
+	link.RawQuery = query.Encode()
+	req = NewRequest(t, "GET", link.String())
+	resp = session.MakeRequest(t, req, http.StatusOK)
+	DecodeJSON(t, resp, &apiIssues)
+	assert.Len(t, apiIssues, 2)
+
+	query.Set("state", "all")
+	link.RawQuery = query.Encode()
+	req = NewRequest(t, "GET", link.String())
+	resp = session.MakeRequest(t, req, http.StatusOK)
+	DecodeJSON(t, resp, &apiIssues)
+	assert.EqualValues(t, "15", resp.Header().Get("X-Total-Count"))
+	assert.Len(t, apiIssues, 10) //there are more but 10 is page item limit
+
+	query.Add("limit", "20")
+	link.RawQuery = query.Encode()
+	req = NewRequest(t, "GET", link.String())
+	resp = session.MakeRequest(t, req, http.StatusOK)
+	DecodeJSON(t, resp, &apiIssues)
+	assert.Len(t, apiIssues, 15)
+
+	query = url.Values{"assigned": {"true"}, "state": {"all"}}
+	link.RawQuery = query.Encode()
+	req = NewRequest(t, "GET", link.String())
+	resp = session.MakeRequest(t, req, http.StatusOK)
+	DecodeJSON(t, resp, &apiIssues)
+	assert.Len(t, apiIssues, 1)
+
+	query = url.Values{"milestones": {"milestone1"}, "state": {"all"}}
+	link.RawQuery = query.Encode()
+	req = NewRequest(t, "GET", link.String())
+	resp = session.MakeRequest(t, req, http.StatusOK)
+	DecodeJSON(t, resp, &apiIssues)
+	assert.Len(t, apiIssues, 1)
+
+	query = url.Values{"milestones": {"milestone1,milestone3"}, "state": {"all"}}
+	link.RawQuery = query.Encode()
+	req = NewRequest(t, "GET", link.String())
+	resp = session.MakeRequest(t, req, http.StatusOK)
+	DecodeJSON(t, resp, &apiIssues)
+	assert.Len(t, apiIssues, 2)
+
+	query = url.Values{"owner": {"user2"}} // user
+	link.RawQuery = query.Encode()
+	req = NewRequest(t, "GET", link.String())
+	resp = session.MakeRequest(t, req, http.StatusOK)
+	DecodeJSON(t, resp, &apiIssues)
+	assert.Len(t, apiIssues, 6)
+
+	query = url.Values{"owner": {"user3"}} // organization
+	link.RawQuery = query.Encode()
+	req = NewRequest(t, "GET", link.String())
+	resp = session.MakeRequest(t, req, http.StatusOK)
+	DecodeJSON(t, resp, &apiIssues)
+	assert.Len(t, apiIssues, 3)
+
+	query = url.Values{"owner": {"user3"}, "team": {"team1"}} // organization + team
+	link.RawQuery = query.Encode()
+	req = NewRequest(t, "GET", link.String())
+	resp = session.MakeRequest(t, req, http.StatusOK)
+	DecodeJSON(t, resp, &apiIssues)
+	assert.Len(t, apiIssues, 2)
+}
diff --git a/integrations/api_ui_notification_test.go b/integrations/api_ui_notification_test.go
new file mode 100644
index 0000000000000..628d9fa6c4de5
--- /dev/null
+++ b/integrations/api_ui_notification_test.go
@@ -0,0 +1,122 @@
+// Copyright 2020 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package integrations
+
+import (
+	"fmt"
+	"net/http"
+	"testing"
+
+	"code.gitea.io/gitea/models"
+	api "code.gitea.io/gitea/modules/structs"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAPIUINotification(t *testing.T) {
+	defer prepareTestEnv(t)()
+
+	user2 := models.AssertExistsAndLoadBean(t, &models.User{ID: 2}).(*models.User)
+	repo1 := models.AssertExistsAndLoadBean(t, &models.Repository{ID: 1}).(*models.Repository)
+	thread5 := models.AssertExistsAndLoadBean(t, &models.Notification{ID: 5}).(*models.Notification)
+	assert.NoError(t, thread5.LoadAttributes())
+	session := loginUser(t, user2.Name)
+	token := getTokenForLoggedInUser(t, session)
+
+	// -- GET /notifications --
+	// test filter
+	since := "2000-01-01T00%3A50%3A01%2B00%3A00" //946687801
+	req := NewRequest(t, "GET", fmt.Sprintf("/api/ui/notifications?since=%s", since))
+	resp := session.MakeRequest(t, req, http.StatusOK)
+	var apiNL []api.NotificationThread
+	DecodeJSON(t, resp, &apiNL)
+
+	assert.Len(t, apiNL, 1)
+	assert.EqualValues(t, 5, apiNL[0].ID)
+
+	// test filter
+	before := "2000-01-01T01%3A06%3A59%2B00%3A00" //946688819
+
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/ui/notifications?all=%s&before=%s", "true", before))
+	resp = session.MakeRequest(t, req, http.StatusOK)
+	DecodeJSON(t, resp, &apiNL)
+
+	assert.Len(t, apiNL, 3)
+	assert.EqualValues(t, 4, apiNL[0].ID)
+	assert.True(t, apiNL[0].Unread)
+	assert.False(t, apiNL[0].Pinned)
+	assert.EqualValues(t, 3, apiNL[1].ID)
+	assert.False(t, apiNL[1].Unread)
+	assert.True(t, apiNL[1].Pinned)
+	assert.EqualValues(t, 2, apiNL[2].ID)
+	assert.False(t, apiNL[2].Unread)
+	assert.False(t, apiNL[2].Pinned)
+
+	// -- GET /repos/{owner}/{repo}/notifications --
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/notifications?status-types=unread&token=%s", user2.Name, repo1.Name, token))
+	resp = MakeRequest(t, req, http.StatusOK)
+	DecodeJSON(t, resp, &apiNL)
+
+	assert.Len(t, apiNL, 1)
+	assert.EqualValues(t, 4, apiNL[0].ID)
+
+	// -- GET /notifications/threads/{id} --
+	// get forbidden
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/ui/notifications/threads/%d", 1))
+	resp = session.MakeRequest(t, req, http.StatusForbidden)
+
+	// get own
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/ui/notifications/threads/%d", thread5.ID))
+	resp = session.MakeRequest(t, req, http.StatusOK)
+	var apiN api.NotificationThread
+	DecodeJSON(t, resp, &apiN)
+
+	assert.EqualValues(t, 5, apiN.ID)
+	assert.False(t, apiN.Pinned)
+	assert.True(t, apiN.Unread)
+	assert.EqualValues(t, "issue4", apiN.Subject.Title)
+	assert.EqualValues(t, "Issue", apiN.Subject.Type)
+	assert.EqualValues(t, thread5.Issue.APIURL(), apiN.Subject.URL)
+	assert.EqualValues(t, thread5.Repository.HTMLURL(), apiN.Repository.HTMLURL)
+
+	new := struct {
+		New int64 `json:"new"`
+	}{}
+
+	// -- check notifications --
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/ui/notifications/new"))
+	resp = session.MakeRequest(t, req, http.StatusOK)
+	DecodeJSON(t, resp, &new)
+	assert.True(t, new.New > 0)
+
+	// -- mark notifications as read --
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/ui/notifications?status-types=unread"))
+	resp = session.MakeRequest(t, req, http.StatusOK)
+	DecodeJSON(t, resp, &apiNL)
+	assert.Len(t, apiNL, 2)
+
+	lastReadAt := "2000-01-01T00%3A50%3A01%2B00%3A00" //946687801 <- only Notification 4 is in this filter ...
+	req = NewRequest(t, "PUT", fmt.Sprintf("/api/v1/repos/%s/%s/notifications?last_read_at=%s&token=%s", user2.Name, repo1.Name, lastReadAt, token))
+	resp = MakeRequest(t, req, http.StatusResetContent)
+
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/ui/notifications?status-types=unread"))
+	resp = session.MakeRequest(t, req, http.StatusOK)
+	DecodeJSON(t, resp, &apiNL)
+	assert.Len(t, apiNL, 1)
+
+	// -- PATCH /notifications/threads/{id} --
+	req = NewRequest(t, "PATCH", fmt.Sprintf("/api/ui/notifications/threads/%d", thread5.ID))
+	resp = session.MakeRequest(t, req, http.StatusResetContent)
+
+	assert.Equal(t, models.NotificationStatusUnread, thread5.Status)
+	thread5 = models.AssertExistsAndLoadBean(t, &models.Notification{ID: 5}).(*models.Notification)
+	assert.Equal(t, models.NotificationStatusRead, thread5.Status)
+
+	// -- check notifications --
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/ui/notifications/new"))
+	resp = session.MakeRequest(t, req, http.StatusOK)
+	DecodeJSON(t, resp, &new)
+	assert.True(t, new.New == 0)
+}
diff --git a/integrations/api_ui_repo_test.go b/integrations/api_ui_repo_test.go
new file mode 100644
index 0000000000000..18bdb62933cf3
--- /dev/null
+++ b/integrations/api_ui_repo_test.go
@@ -0,0 +1,181 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package integrations
+
+import (
+	"fmt"
+	"net/http"
+	"testing"
+
+	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/modules/setting"
+	api "code.gitea.io/gitea/modules/structs"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAPIUISearchRepo(t *testing.T) {
+	defer prepareTestEnv(t)()
+	const keyword = "test"
+
+	req := NewRequestf(t, "GET", "/api/ui/repos/search?q=%s", keyword)
+	resp := MakeRequest(t, req, http.StatusOK)
+
+	var body api.SearchResults
+	DecodeJSON(t, resp, &body)
+	assert.NotEmpty(t, body.Data)
+	for _, repo := range body.Data {
+		assert.Contains(t, repo.Name, keyword)
+		assert.False(t, repo.Private)
+	}
+
+	user := models.AssertExistsAndLoadBean(t, &models.User{ID: 15}).(*models.User)
+	user2 := models.AssertExistsAndLoadBean(t, &models.User{ID: 16}).(*models.User)
+	user3 := models.AssertExistsAndLoadBean(t, &models.User{ID: 18}).(*models.User)
+	user4 := models.AssertExistsAndLoadBean(t, &models.User{ID: 20}).(*models.User)
+	orgUser := models.AssertExistsAndLoadBean(t, &models.User{ID: 17}).(*models.User)
+
+	oldAPIDefaultNum := setting.API.DefaultPagingNum
+	defer func() {
+		setting.API.DefaultPagingNum = oldAPIDefaultNum
+	}()
+	setting.API.DefaultPagingNum = 10
+
+	// Map of expected results, where key is user for login
+	type expectedResults map[*models.User]struct {
+		count           int
+		repoOwnerID     int64
+		repoName        string
+		includesPrivate bool
+	}
+
+	testCases := []struct {
+		name, requestURL string
+		expectedResults
+	}{
+		{name: "RepositoriesMax50", requestURL: "/api/ui/repos/search?limit=50&private=false", expectedResults: expectedResults{
+			nil:   {count: 30},
+			user:  {count: 30},
+			user2: {count: 30}},
+		},
+		{name: "RepositoriesMax10", requestURL: "/api/ui/repos/search?limit=10&private=false", expectedResults: expectedResults{
+			nil:   {count: 10},
+			user:  {count: 10},
+			user2: {count: 10}},
+		},
+		{name: "RepositoriesDefault", requestURL: "/api/ui/repos/search?default&private=false", expectedResults: expectedResults{
+			nil:   {count: 10},
+			user:  {count: 10},
+			user2: {count: 10}},
+		},
+		{name: "RepositoriesByName", requestURL: fmt.Sprintf("/api/ui/repos/search?q=%s&private=false", "big_test_"), expectedResults: expectedResults{
+			nil:   {count: 7, repoName: "big_test_"},
+			user:  {count: 7, repoName: "big_test_"},
+			user2: {count: 7, repoName: "big_test_"}},
+		},
+		{name: "RepositoriesAccessibleAndRelatedToUser", requestURL: fmt.Sprintf("/api/ui/repos/search?uid=%d", user.ID), expectedResults: expectedResults{
+			nil:   {count: 5},
+			user:  {count: 9, includesPrivate: true},
+			user2: {count: 6, includesPrivate: true}},
+		},
+		{name: "RepositoriesAccessibleAndRelatedToUser2", requestURL: fmt.Sprintf("/api/ui/repos/search?uid=%d", user2.ID), expectedResults: expectedResults{
+			nil:   {count: 1},
+			user:  {count: 2, includesPrivate: true},
+			user2: {count: 2, includesPrivate: true},
+			user4: {count: 1}},
+		},
+		{name: "RepositoriesAccessibleAndRelatedToUser3", requestURL: fmt.Sprintf("/api/ui/repos/search?uid=%d", user3.ID), expectedResults: expectedResults{
+			nil:   {count: 1},
+			user:  {count: 4, includesPrivate: true},
+			user2: {count: 3, includesPrivate: true},
+			user3: {count: 4, includesPrivate: true}},
+		},
+		{name: "RepositoriesOwnedByOrganization", requestURL: fmt.Sprintf("/api/ui/repos/search?uid=%d", orgUser.ID), expectedResults: expectedResults{
+			nil:   {count: 1, repoOwnerID: orgUser.ID},
+			user:  {count: 2, repoOwnerID: orgUser.ID, includesPrivate: true},
+			user2: {count: 1, repoOwnerID: orgUser.ID}},
+		},
+		{name: "RepositoriesAccessibleAndRelatedToUser4", requestURL: fmt.Sprintf("/api/ui/repos/search?uid=%d", user4.ID), expectedResults: expectedResults{
+			nil:   {count: 3},
+			user:  {count: 4, includesPrivate: true},
+			user4: {count: 7, includesPrivate: true}}},
+		{name: "RepositoriesAccessibleAndRelatedToUser4/SearchModeSource", requestURL: fmt.Sprintf("/api/ui/repos/search?uid=%d&mode=%s", user4.ID, "source"), expectedResults: expectedResults{
+			nil:   {count: 0},
+			user:  {count: 1, includesPrivate: true},
+			user4: {count: 1, includesPrivate: true}}},
+		{name: "RepositoriesAccessibleAndRelatedToUser4/SearchModeFork", requestURL: fmt.Sprintf("/api/ui/repos/search?uid=%d&mode=%s", user4.ID, "fork"), expectedResults: expectedResults{
+			nil:   {count: 1},
+			user:  {count: 1},
+			user4: {count: 2, includesPrivate: true}}},
+		{name: "RepositoriesAccessibleAndRelatedToUser4/SearchModeFork/Exclusive", requestURL: fmt.Sprintf("/api/ui/repos/search?uid=%d&mode=%s&exclusive=1", user4.ID, "fork"), expectedResults: expectedResults{
+			nil:   {count: 1},
+			user:  {count: 1},
+			user4: {count: 2, includesPrivate: true}}},
+		{name: "RepositoriesAccessibleAndRelatedToUser4/SearchModeMirror", requestURL: fmt.Sprintf("/api/ui/repos/search?uid=%d&mode=%s", user4.ID, "mirror"), expectedResults: expectedResults{
+			nil:   {count: 2},
+			user:  {count: 2},
+			user4: {count: 4, includesPrivate: true}}},
+		{name: "RepositoriesAccessibleAndRelatedToUser4/SearchModeMirror/Exclusive", requestURL: fmt.Sprintf("/api/ui/repos/search?uid=%d&mode=%s&exclusive=1", user4.ID, "mirror"), expectedResults: expectedResults{
+			nil:   {count: 1},
+			user:  {count: 1},
+			user4: {count: 2, includesPrivate: true}}},
+		{name: "RepositoriesAccessibleAndRelatedToUser4/SearchModeCollaborative", requestURL: fmt.Sprintf("/api/ui/repos/search?uid=%d&mode=%s", user4.ID, "collaborative"), expectedResults: expectedResults{
+			nil:   {count: 0},
+			user:  {count: 1, includesPrivate: true},
+			user4: {count: 1, includesPrivate: true}}},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			for userToLogin, expected := range testCase.expectedResults {
+				var session *TestSession
+				var testName string
+				var userID int64
+				if userToLogin != nil && userToLogin.ID > 0 {
+					testName = fmt.Sprintf("LoggedUser%d", userToLogin.ID)
+					session = loginUser(t, userToLogin.Name)
+					userID = userToLogin.ID
+				} else {
+					testName = "AnonymousUser"
+					session = emptyTestSession(t)
+				}
+
+				t.Run(testName, func(t *testing.T) {
+					request := NewRequest(t, "GET", testCase.requestURL)
+					response := session.MakeRequest(t, request, http.StatusOK)
+
+					var body api.SearchResults
+					DecodeJSON(t, response, &body)
+
+					repoNames := make([]string, 0, len(body.Data))
+					for _, repo := range body.Data {
+						repoNames = append(repoNames, fmt.Sprintf("%d:%s:%t", repo.ID, repo.FullName, repo.Private))
+					}
+					assert.Len(t, repoNames, expected.count)
+					for _, repo := range body.Data {
+						r := getRepo(t, repo.ID)
+						hasAccess, err := models.HasAccess(userID, r)
+						assert.NoError(t, err, "Error when checking if User: %d has access to %s: %v", userID, repo.FullName, err)
+						assert.True(t, hasAccess, "User: %d does not have access to %s", userID, repo.FullName)
+
+						assert.NotEmpty(t, repo.Name)
+						assert.Equal(t, repo.Name, r.Name)
+
+						if len(expected.repoName) > 0 {
+							assert.Contains(t, repo.Name, expected.repoName)
+						}
+
+						if expected.repoOwnerID > 0 {
+							assert.Equal(t, expected.repoOwnerID, repo.Owner.ID)
+						}
+
+						if !expected.includesPrivate {
+							assert.False(t, repo.Private, "User: %d not expecting private repository: %s", userID, repo.FullName)
+						}
+					}
+				})
+			}
+		})
+	}
+}
diff --git a/integrations/api_ui_user_search_test.go b/integrations/api_ui_user_search_test.go
new file mode 100644
index 0000000000000..f7c1106163280
--- /dev/null
+++ b/integrations/api_ui_user_search_test.go
@@ -0,0 +1,86 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.package models
+
+package integrations
+
+import (
+	"fmt"
+	"net/http"
+	"testing"
+
+	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/modules/setting"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAPIUIUserSearchLoggedIn(t *testing.T) {
+	defer prepareTestEnv(t)()
+	adminUsername := "user1"
+	session := loginUser(t, adminUsername)
+	token := getTokenForLoggedInUser(t, session)
+	query := "user2"
+	req := NewRequestf(t, "GET", "/api/ui/users/search?token=%s&q=%s", token, query)
+	resp := session.MakeRequest(t, req, http.StatusOK)
+
+	var results SearchResults
+	DecodeJSON(t, resp, &results)
+	assert.NotEmpty(t, results.Data)
+	for _, user := range results.Data {
+		assert.Contains(t, user.UserName, query)
+		assert.NotEmpty(t, user.Email)
+	}
+}
+
+func TestAPIUIUserSearchNotLoggedIn(t *testing.T) {
+	defer prepareTestEnv(t)()
+	query := "user2"
+	req := NewRequestf(t, "GET", "/api/ui/users/search?q=%s", query)
+	resp := MakeRequest(t, req, http.StatusOK)
+
+	var results SearchResults
+	DecodeJSON(t, resp, &results)
+	assert.NotEmpty(t, results.Data)
+	var modelUser *models.User
+	for _, user := range results.Data {
+		assert.Contains(t, user.UserName, query)
+		modelUser = models.AssertExistsAndLoadBean(t, &models.User{ID: user.ID}).(*models.User)
+		if modelUser.KeepEmailPrivate {
+			assert.EqualValues(t, fmt.Sprintf("%s@%s", modelUser.LowerName, setting.Service.NoReplyAddress), user.Email)
+		} else {
+			assert.EqualValues(t, modelUser.Email, user.Email)
+		}
+	}
+}
+
+func TestAPIUIUserSearchAdminLoggedInUserHidden(t *testing.T) {
+	defer prepareTestEnv(t)()
+	adminUsername := "user1"
+	session := loginUser(t, adminUsername)
+	token := getTokenForLoggedInUser(t, session)
+	query := "user31"
+	req := NewRequestf(t, "GET", "/api/ui/users/search?token=%s&q=%s", token, query)
+	req.SetBasicAuth(token, "x-oauth-basic")
+	resp := session.MakeRequest(t, req, http.StatusOK)
+
+	var results SearchResults
+	DecodeJSON(t, resp, &results)
+	assert.NotEmpty(t, results.Data)
+	for _, user := range results.Data {
+		assert.Contains(t, user.UserName, query)
+		assert.NotEmpty(t, user.Email)
+		assert.EqualValues(t, "private", user.Visibility)
+	}
+}
+
+func TestAPIUIUserSearchNotLoggedInUserHidden(t *testing.T) {
+	defer prepareTestEnv(t)()
+	query := "user31"
+	req := NewRequestf(t, "GET", "/api/ui/users/search?q=%s", query)
+	resp := MakeRequest(t, req, http.StatusOK)
+
+	var results SearchResults
+	DecodeJSON(t, resp, &results)
+	assert.Empty(t, results.Data)
+}
diff --git a/integrations/api_user_search_test.go b/integrations/api_user_search_test.go
index 41f14cf944f33..959c26358c477 100644
--- a/integrations/api_user_search_test.go
+++ b/integrations/api_user_search_test.go
@@ -25,11 +25,10 @@ type SearchResults struct {
 func TestAPIUserSearchLoggedIn(t *testing.T) {
 	defer prepareTestEnv(t)()
 	adminUsername := "user1"
-	session := loginUser(t, adminUsername)
-	token := getTokenForLoggedInUser(t, session)
+	token := getUserToken(t, adminUsername)
 	query := "user2"
 	req := NewRequestf(t, "GET", "/api/v1/users/search?token=%s&q=%s", token, query)
-	resp := session.MakeRequest(t, req, http.StatusOK)
+	resp := MakeRequest(t, req, http.StatusOK)
 
 	var results SearchResults
 	DecodeJSON(t, resp, &results)
@@ -64,12 +63,11 @@ func TestAPIUserSearchNotLoggedIn(t *testing.T) {
 func TestAPIUserSearchAdminLoggedInUserHidden(t *testing.T) {
 	defer prepareTestEnv(t)()
 	adminUsername := "user1"
-	session := loginUser(t, adminUsername)
-	token := getTokenForLoggedInUser(t, session)
+	token := getUserToken(t, adminUsername)
 	query := "user31"
 	req := NewRequestf(t, "GET", "/api/v1/users/search?token=%s&q=%s", token, query)
 	req.SetBasicAuth(token, "x-oauth-basic")
-	resp := session.MakeRequest(t, req, http.StatusOK)
+	resp := MakeRequest(t, req, http.StatusOK)
 
 	var results SearchResults
 	DecodeJSON(t, resp, &results)

From 127ed028985c77091e6f080edf2b458f4604cfc1 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Sat, 21 Aug 2021 11:44:36 +0800
Subject: [PATCH 15/26] Fix tests

---
 .../api_helper_for_declarative_test.go        |  53 ++--
 integrations/api_releases_test.go             |  26 +-
 integrations/api_repo_teams_test.go           |  22 +-
 integrations/api_repo_test.go                 |   4 +-
 integrations/api_repo_topic_test.go           |  41 ++-
 integrations/api_team_test.go                 |  12 +-
 .../api_ui_helper_for_declarative_test.go     | 265 ++++++++++++++++++
 integrations/api_ui_issue_stopwatch_test.go   |  45 ---
 integrations/api_ui_notification_test.go      |  41 +--
 integrations/api_ui_repo_topic_test.go        |  46 +++
 integrations/api_user_heatmap_test.go         |   4 +-
 integrations/benchmarks_test.go               |   2 +-
 integrations/git_test.go                      |  72 ++---
 integrations/mirror_push_test.go              |   4 +-
 routers/api/ui/api.go                         |   7 +-
 web_src/js/components/ContextPopup.vue        |   2 +-
 16 files changed, 453 insertions(+), 193 deletions(-)
 create mode 100644 integrations/api_ui_helper_for_declarative_test.go
 create mode 100644 integrations/api_ui_repo_topic_test.go

diff --git a/integrations/api_helper_for_declarative_test.go b/integrations/api_helper_for_declarative_test.go
index de6c3d8f40a4e..def817cc72064 100644
--- a/integrations/api_helper_for_declarative_test.go
+++ b/integrations/api_helper_for_declarative_test.go
@@ -43,6 +43,10 @@ func (ctx APITestContext) GitPath() string {
 	return fmt.Sprintf("%s/%s.git", ctx.Username, ctx.Reponame)
 }
 
+func (ctx APITestContext) MakeRequest(t testing.TB, req *http.Request, expectedStatus int) *httptest.ResponseRecorder {
+	return MakeRequest(t, WithToken(req, ctx.Token), expectedStatus)
+}
+
 func doAPICreateRepository(ctx APITestContext, empty bool, callback ...func(*testing.T, api.Repository)) func(*testing.T) {
 	return func(t *testing.T) {
 		createRepoOption := &api.CreateRepoOption{
@@ -150,10 +154,10 @@ func doAPIDeleteRepository(ctx APITestContext) func(*testing.T) {
 
 		req := NewRequest(t, "DELETE", urlStr)
 		if ctx.ExpectedCode != 0 {
-			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
+			MakeRequest(t, req, ctx.ExpectedCode)
 			return
 		}
-		ctx.Session.MakeRequest(t, req, http.StatusNoContent)
+		MakeRequest(t, req, http.StatusNoContent)
 	}
 }
 
@@ -168,10 +172,10 @@ func doAPICreateUserKey(ctx APITestContext, keyname, keyFile string, callback ..
 			Key:   string(dataPubKey),
 		})
 		if ctx.ExpectedCode != 0 {
-			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
+			MakeRequest(t, req, ctx.ExpectedCode)
 			return
 		}
-		resp := ctx.Session.MakeRequest(t, req, http.StatusCreated)
+		resp := MakeRequest(t, req, http.StatusCreated)
 		var publicKey api.PublicKey
 		DecodeJSON(t, resp, &publicKey)
 		if len(callback) > 0 {
@@ -186,10 +190,10 @@ func doAPIDeleteUserKey(ctx APITestContext, keyID int64) func(*testing.T) {
 
 		req := NewRequest(t, "DELETE", urlStr)
 		if ctx.ExpectedCode != 0 {
-			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
+			MakeRequest(t, req, ctx.ExpectedCode)
 			return
 		}
-		ctx.Session.MakeRequest(t, req, http.StatusNoContent)
+		MakeRequest(t, req, http.StatusNoContent)
 	}
 }
 
@@ -206,10 +210,10 @@ func doAPICreateDeployKey(ctx APITestContext, keyname, keyFile string, readOnly
 		})
 
 		if ctx.ExpectedCode != 0 {
-			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
+			MakeRequest(t, req, ctx.ExpectedCode)
 			return
 		}
-		ctx.Session.MakeRequest(t, req, http.StatusCreated)
+		MakeRequest(t, req, http.StatusCreated)
 	}
 }
 
@@ -246,7 +250,7 @@ func doAPIGetPullRequest(ctx APITestContext, owner, repo string, index int64) fu
 		if ctx.ExpectedCode != 0 {
 			expected = ctx.ExpectedCode
 		}
-		resp := ctx.Session.MakeRequest(t, req, expected)
+		resp := MakeRequest(t, req, expected)
 
 		decoder := json.NewDecoder(resp.Body)
 		pr := api.PullRequest{}
@@ -259,7 +263,6 @@ func doAPIMergePullRequest(ctx APITestContext, owner, repo string, index int64)
 	return func(t *testing.T) {
 		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/merge?token=%s",
 			owner, repo, index, ctx.Token)
-
 		var req *http.Request
 		var resp *httptest.ResponseRecorder
 
@@ -269,7 +272,7 @@ func doAPIMergePullRequest(ctx APITestContext, owner, repo string, index int64)
 				Do:                string(repo_model.MergeStyleMerge),
 			})
 
-			resp = ctx.Session.MakeRequest(t, req, NoExpectedStatus)
+			resp = MakeRequest(t, req, NoExpectedStatus)
 
 			if resp.Code != http.StatusMethodNotAllowed {
 				break
@@ -314,10 +317,10 @@ func doAPIGetBranch(ctx APITestContext, branch string, callback ...func(*testing
 	return func(t *testing.T) {
 		req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/branches/%s?token=%s", ctx.Username, ctx.Reponame, branch, ctx.Token)
 		if ctx.ExpectedCode != 0 {
-			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
+			MakeRequest(t, req, ctx.ExpectedCode)
 			return
 		}
-		resp := ctx.Session.MakeRequest(t, req, http.StatusOK)
+		resp := MakeRequest(t, req, http.StatusOK)
 
 		var branch api.Branch
 		DecodeJSON(t, resp, &branch)
@@ -332,10 +335,10 @@ func doAPICreateFile(ctx APITestContext, treepath string, options *api.CreateFil
 		url := fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s?token=%s", ctx.Username, ctx.Reponame, treepath, ctx.Token)
 		req := NewRequestWithJSON(t, "POST", url, &options)
 		if ctx.ExpectedCode != 0 {
-			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
+			MakeRequest(t, req, ctx.ExpectedCode)
 			return
 		}
-		resp := ctx.Session.MakeRequest(t, req, http.StatusCreated)
+		resp := MakeRequest(t, req, http.StatusCreated)
 
 		var contents api.FileResponse
 		DecodeJSON(t, resp, &contents)
@@ -351,10 +354,10 @@ func doAPICreateOrganization(ctx APITestContext, options *api.CreateOrgOption, c
 
 		req := NewRequestWithJSON(t, "POST", url, &options)
 		if ctx.ExpectedCode != 0 {
-			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
+			MakeRequest(t, req, ctx.ExpectedCode)
 			return
 		}
-		resp := ctx.Session.MakeRequest(t, req, http.StatusCreated)
+		resp := MakeRequest(t, req, http.StatusCreated)
 
 		var contents api.Organization
 		DecodeJSON(t, resp, &contents)
@@ -370,10 +373,10 @@ func doAPICreateOrganizationRepository(ctx APITestContext, orgName string, optio
 
 		req := NewRequestWithJSON(t, "POST", url, &options)
 		if ctx.ExpectedCode != 0 {
-			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
+			MakeRequest(t, req, ctx.ExpectedCode)
 			return
 		}
-		resp := ctx.Session.MakeRequest(t, req, http.StatusCreated)
+		resp := MakeRequest(t, req, http.StatusCreated)
 
 		var contents api.Repository
 		DecodeJSON(t, resp, &contents)
@@ -389,10 +392,10 @@ func doAPICreateOrganizationTeam(ctx APITestContext, orgName string, options *ap
 
 		req := NewRequestWithJSON(t, "POST", url, &options)
 		if ctx.ExpectedCode != 0 {
-			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
+			MakeRequest(t, req, ctx.ExpectedCode)
 			return
 		}
-		resp := ctx.Session.MakeRequest(t, req, http.StatusCreated)
+		resp := MakeRequest(t, req, http.StatusCreated)
 
 		var contents api.Team
 		DecodeJSON(t, resp, &contents)
@@ -408,10 +411,10 @@ func doAPIAddUserToOrganizationTeam(ctx APITestContext, teamID int64, username s
 
 		req := NewRequest(t, "PUT", url)
 		if ctx.ExpectedCode != 0 {
-			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
+			MakeRequest(t, req, ctx.ExpectedCode)
 			return
 		}
-		ctx.Session.MakeRequest(t, req, http.StatusNoContent)
+		MakeRequest(t, req, http.StatusNoContent)
 	}
 }
 
@@ -421,9 +424,9 @@ func doAPIAddRepoToOrganizationTeam(ctx APITestContext, teamID int64, orgName, r
 
 		req := NewRequest(t, "PUT", url)
 		if ctx.ExpectedCode != 0 {
-			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
+			MakeRequest(t, req, ctx.ExpectedCode)
 			return
 		}
-		ctx.Session.MakeRequest(t, req, http.StatusNoContent)
+		MakeRequest(t, req, http.StatusNoContent)
 	}
 }
diff --git a/integrations/api_releases_test.go b/integrations/api_releases_test.go
index 815b749110cee..e4dcdf04f3664 100644
--- a/integrations/api_releases_test.go
+++ b/integrations/api_releases_test.go
@@ -25,12 +25,11 @@ func TestAPIListReleases(t *testing.T) {
 
 	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1}).(*repo_model.Repository)
 	user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2}).(*user_model.User)
-	session := loginUser(t, user2.LowerName)
-	token := getTokenForLoggedInUser(t, session)
+	token := getUserToken(t, user2.LowerName)
 
 	link, _ := url.Parse(fmt.Sprintf("/api/v1/repos/%s/%s/releases", user2.Name, repo.Name))
 	link.RawQuery = url.Values{"token": {token}}.Encode()
-	resp := session.MakeRequest(t, NewRequest(t, "GET", link.String()), http.StatusOK)
+	resp := MakeRequest(t, NewRequest(t, "GET", link.String()), http.StatusOK)
 	var apiReleases []*api.Release
 	DecodeJSON(t, resp, &apiReleases)
 	if assert.Len(t, apiReleases, 3) {
@@ -53,15 +52,20 @@ func TestAPIListReleases(t *testing.T) {
 
 	// test filter
 	testFilterByLen := func(auth bool, query url.Values, expectedLength int, msgAndArgs ...string) {
-		link.RawQuery = query.Encode()
-		if auth {
-			query.Set("token", token)
-			resp = session.MakeRequest(t, NewRequest(t, "GET", link.String()), http.StatusOK)
-		} else {
-			resp = MakeRequest(t, NewRequest(t, "GET", link.String()), http.StatusOK)
+		var comment = link.String()
+		if len(msgAndArgs) > 0 {
+			comment = msgAndArgs[0]
 		}
-		DecodeJSON(t, resp, &apiReleases)
-		assert.Len(t, apiReleases, expectedLength, msgAndArgs)
+		t.Run(comment, func(t *testing.T) {
+			if auth {
+				query.Set("token", token)
+			}
+			link.RawQuery = query.Encode()
+			resp = MakeRequest(t, NewRequest(t, "GET", link.String()), http.StatusOK)
+
+			DecodeJSON(t, resp, &apiReleases)
+			assert.Len(t, apiReleases, expectedLength, msgAndArgs)
+		})
 	}
 
 	testFilterByLen(false, url.Values{"draft": {"true"}}, 0, "anon should not see drafts")
diff --git a/integrations/api_repo_teams_test.go b/integrations/api_repo_teams_test.go
index a3baeba63c804..1e042ff7e36f3 100644
--- a/integrations/api_repo_teams_test.go
+++ b/integrations/api_repo_teams_test.go
@@ -26,13 +26,12 @@ func TestAPIRepoTeams(t *testing.T) {
 	publicOrgRepo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 32}).(*repo_model.Repository)
 	// user4
 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4}).(*user_model.User)
-	session := loginUser(t, user.Name)
-	token := getTokenForLoggedInUser(t, session)
+	token := getUserToken(t, user.Name)
 
 	// ListTeams
 	url := fmt.Sprintf("/api/v1/repos/%s/teams?token=%s", publicOrgRepo.FullName(), token)
 	req := NewRequest(t, "GET", url)
-	res := session.MakeRequest(t, req, http.StatusOK)
+	res := MakeRequest(t, req, http.StatusOK)
 	var teams []*api.Team
 	DecodeJSON(t, res, &teams)
 	if assert.Len(t, teams, 2) {
@@ -50,32 +49,31 @@ func TestAPIRepoTeams(t *testing.T) {
 	// IsTeam
 	url = fmt.Sprintf("/api/v1/repos/%s/teams/%s?token=%s", publicOrgRepo.FullName(), "Test_Team", token)
 	req = NewRequest(t, "GET", url)
-	res = session.MakeRequest(t, req, http.StatusOK)
+	res = MakeRequest(t, req, http.StatusOK)
 	var team *api.Team
 	DecodeJSON(t, res, &team)
 	assert.EqualValues(t, teams[1], team)
 
 	url = fmt.Sprintf("/api/v1/repos/%s/teams/%s?token=%s", publicOrgRepo.FullName(), "NonExistingTeam", token)
 	req = NewRequest(t, "GET", url)
-	session.MakeRequest(t, req, http.StatusNotFound)
+	res = MakeRequest(t, req, http.StatusNotFound)
 
 	// AddTeam with user4
 	url = fmt.Sprintf("/api/v1/repos/%s/teams/%s?token=%s", publicOrgRepo.FullName(), "team1", token)
 	req = NewRequest(t, "PUT", url)
-	session.MakeRequest(t, req, http.StatusForbidden)
+	res = MakeRequest(t, req, http.StatusForbidden)
 
 	// AddTeam with user2
 	user = unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2}).(*user_model.User)
-	session = loginUser(t, user.Name)
-	token = getTokenForLoggedInUser(t, session)
+	token = getUserToken(t, user.Name)
 	url = fmt.Sprintf("/api/v1/repos/%s/teams/%s?token=%s", publicOrgRepo.FullName(), "team1", token)
 	req = NewRequest(t, "PUT", url)
-	session.MakeRequest(t, req, http.StatusNoContent)
-	session.MakeRequest(t, req, http.StatusUnprocessableEntity) // test duplicate request
+	res = MakeRequest(t, req, http.StatusNoContent)
+	res = MakeRequest(t, req, http.StatusUnprocessableEntity) // test duplicate request
 
 	// DeleteTeam
 	url = fmt.Sprintf("/api/v1/repos/%s/teams/%s?token=%s", publicOrgRepo.FullName(), "team1", token)
 	req = NewRequest(t, "DELETE", url)
-	session.MakeRequest(t, req, http.StatusNoContent)
-	session.MakeRequest(t, req, http.StatusUnprocessableEntity) // test duplicate request
+	res = MakeRequest(t, req, http.StatusNoContent)
+	res = MakeRequest(t, req, http.StatusUnprocessableEntity) // test duplicate request
 }
diff --git a/integrations/api_repo_test.go b/integrations/api_repo_test.go
index ce1ecb1d43d8a..9fd2d33f1e18f 100644
--- a/integrations/api_repo_test.go
+++ b/integrations/api_repo_test.go
@@ -398,7 +398,7 @@ func testAPIRepoMigrateConflict(t *testing.T, u *url.URL) {
 				RepoOwnerID: userID,
 				RepoName:    httpContext.Reponame,
 			})
-		resp := httpContext.Session.MakeRequest(t, req, http.StatusConflict)
+		resp := MakeRequest(t, req, http.StatusConflict)
 		respJSON := map[string]string{}
 		DecodeJSON(t, resp, &respJSON)
 		assert.Equal(t, "The repository with the same name already exists.", respJSON["message"])
@@ -453,7 +453,7 @@ func testAPIRepoCreateConflict(t *testing.T, u *url.URL) {
 			&api.CreateRepoOption{
 				Name: httpContext.Reponame,
 			})
-		resp := httpContext.Session.MakeRequest(t, req, http.StatusConflict)
+		resp := MakeRequest(t, req, http.StatusConflict)
 		respJSON := map[string]string{}
 		DecodeJSON(t, resp, &respJSON)
 		assert.Equal(t, respJSON["message"], "The repository with the same name already exists.")
diff --git a/integrations/api_repo_topic_test.go b/integrations/api_repo_topic_test.go
index b7f9a5a5a6898..f0a0c4e73518c 100644
--- a/integrations/api_repo_topic_test.go
+++ b/integrations/api_repo_topic_test.go
@@ -59,36 +59,33 @@ func TestAPIRepoTopic(t *testing.T) {
 	repo3 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 3}).(*repo_model.Repository)
 
 	// Get user2's token
-	session := loginUser(t, user2.Name)
-	token2 := getTokenForLoggedInUser(t, session)
+	token2 := getUserToken(t, user2.Name)
 
 	// Test read topics using login
 	url := fmt.Sprintf("/api/v1/repos/%s/%s/topics", user2.Name, repo2.Name)
 	req := NewRequest(t, "GET", url)
-	res := session.MakeRequest(t, req, http.StatusOK)
+	res := MakeRequest(t, WithToken(req, token2), http.StatusOK)
 	var topics *api.TopicName
 	DecodeJSON(t, res, &topics)
 	assert.ElementsMatch(t, []string{"topicname1", "topicname2"}, topics.TopicNames)
 
-	// Log out user2
-	session = emptyTestSession(t)
 	url = fmt.Sprintf("/api/v1/repos/%s/%s/topics?token=%s", user2.Name, repo2.Name, token2)
 
 	// Test delete a topic
 	req = NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/topics/%s?token=%s", user2.Name, repo2.Name, "Topicname1", token2)
-	session.MakeRequest(t, req, http.StatusNoContent)
+	MakeRequest(t, req, http.StatusNoContent)
 
 	// Test add an existing topic
 	req = NewRequestf(t, "PUT", "/api/v1/repos/%s/%s/topics/%s?token=%s", user2.Name, repo2.Name, "Golang", token2)
-	session.MakeRequest(t, req, http.StatusNoContent)
+	MakeRequest(t, req, http.StatusNoContent)
 
 	// Test add a topic
 	req = NewRequestf(t, "PUT", "/api/v1/repos/%s/%s/topics/%s?token=%s", user2.Name, repo2.Name, "topicName3", token2)
-	session.MakeRequest(t, req, http.StatusNoContent)
+	MakeRequest(t, req, http.StatusNoContent)
 
 	// Test read topics using token
 	req = NewRequest(t, "GET", url)
-	res = session.MakeRequest(t, req, http.StatusOK)
+	res = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, res, &topics)
 	assert.ElementsMatch(t, []string{"topicname2", "golang", "topicname3"}, topics.TopicNames)
 
@@ -97,9 +94,9 @@ func TestAPIRepoTopic(t *testing.T) {
 	req = NewRequestWithJSON(t, "PUT", url, &api.RepoTopicOptions{
 		Topics: newTopics,
 	})
-	session.MakeRequest(t, req, http.StatusNoContent)
+	MakeRequest(t, req, http.StatusNoContent)
 	req = NewRequest(t, "GET", url)
-	res = session.MakeRequest(t, req, http.StatusOK)
+	res = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, res, &topics)
 	assert.ElementsMatch(t, []string{"windows", "mac"}, topics.TopicNames)
 
@@ -108,9 +105,9 @@ func TestAPIRepoTopic(t *testing.T) {
 	req = NewRequestWithJSON(t, "PUT", url, &api.RepoTopicOptions{
 		Topics: newTopics,
 	})
-	session.MakeRequest(t, req, http.StatusUnprocessableEntity)
+	MakeRequest(t, req, http.StatusUnprocessableEntity)
 	req = NewRequest(t, "GET", url)
-	res = session.MakeRequest(t, req, http.StatusOK)
+	res = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, res, &topics)
 	assert.ElementsMatch(t, []string{"windows", "mac"}, topics.TopicNames)
 
@@ -119,9 +116,9 @@ func TestAPIRepoTopic(t *testing.T) {
 	req = NewRequestWithJSON(t, "PUT", url, &api.RepoTopicOptions{
 		Topics: newTopics,
 	})
-	session.MakeRequest(t, req, http.StatusNoContent)
+	MakeRequest(t, req, http.StatusNoContent)
 	req = NewRequest(t, "GET", url)
-	res = session.MakeRequest(t, req, http.StatusOK)
+	res = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, res, &topics)
 	assert.Len(t, topics.TopicNames, 25)
 
@@ -130,29 +127,27 @@ func TestAPIRepoTopic(t *testing.T) {
 	req = NewRequestWithJSON(t, "PUT", url, &api.RepoTopicOptions{
 		Topics: newTopics,
 	})
-	session.MakeRequest(t, req, http.StatusUnprocessableEntity)
+	MakeRequest(t, req, http.StatusUnprocessableEntity)
 
 	// Test add a topic when there is already maximum
 	req = NewRequestf(t, "PUT", "/api/v1/repos/%s/%s/topics/%s?token=%s", user2.Name, repo2.Name, "t26", token2)
-	session.MakeRequest(t, req, http.StatusUnprocessableEntity)
+	MakeRequest(t, req, http.StatusUnprocessableEntity)
 
 	// Test delete a topic that repo doesn't have
 	req = NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/topics/%s?token=%s", user2.Name, repo2.Name, "Topicname1", token2)
-	session.MakeRequest(t, req, http.StatusNotFound)
+	MakeRequest(t, req, http.StatusNotFound)
 
 	// Get user4's token
-	session = loginUser(t, user4.Name)
-	token4 := getTokenForLoggedInUser(t, session)
-	session = emptyTestSession(t)
+	token4 := getUserToken(t, user4.Name)
 
 	// Test read topics with write access
 	url = fmt.Sprintf("/api/v1/repos/%s/%s/topics?token=%s", user3.Name, repo3.Name, token4)
 	req = NewRequest(t, "GET", url)
-	res = session.MakeRequest(t, req, http.StatusOK)
+	res = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, res, &topics)
 	assert.Empty(t, topics.TopicNames)
 
 	// Test add a topic to repo with write access (requires repo admin access)
 	req = NewRequestf(t, "PUT", "/api/v1/repos/%s/%s/topics/%s?token=%s", user3.Name, repo3.Name, "topicName", token4)
-	session.MakeRequest(t, req, http.StatusForbidden)
+	MakeRequest(t, req, http.StatusForbidden)
 }
diff --git a/integrations/api_team_test.go b/integrations/api_team_test.go
index a622c63145f70..8c30759159b2b 100644
--- a/integrations/api_team_test.go
+++ b/integrations/api_team_test.go
@@ -224,11 +224,9 @@ func TestAPITeamSearch(t *testing.T) {
 
 	var results TeamSearchResults
 
-	session := loginUser(t, user.Name)
-	csrf := GetCSRF(t, session, "/"+org.Name)
+	token := getUserToken(t, user.Name)
 	req := NewRequestf(t, "GET", "/api/v1/orgs/%s/teams/search?q=%s", org.Name, "_team")
-	req.Header.Add("X-Csrf-Token", csrf)
-	resp := session.MakeRequest(t, req, http.StatusOK)
+	resp := MakeRequest(t, WithToken(req, token), http.StatusOK)
 	DecodeJSON(t, resp, &results)
 	assert.NotEmpty(t, results.Data)
 	assert.Len(t, results.Data, 1)
@@ -236,9 +234,7 @@ func TestAPITeamSearch(t *testing.T) {
 
 	// no access if not organization member
 	user5 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5}).(*user_model.User)
-	session = loginUser(t, user5.Name)
-	csrf = GetCSRF(t, session, "/"+org.Name)
+	token = getUserToken(t, user5.Name)
 	req = NewRequestf(t, "GET", "/api/v1/orgs/%s/teams/search?q=%s", org.Name, "team")
-	req.Header.Add("X-Csrf-Token", csrf)
-	session.MakeRequest(t, req, http.StatusForbidden)
+	MakeRequest(t, WithToken(req, token), http.StatusForbidden)
 }
diff --git a/integrations/api_ui_helper_for_declarative_test.go b/integrations/api_ui_helper_for_declarative_test.go
new file mode 100644
index 0000000000000..0c5cf9ff97b72
--- /dev/null
+++ b/integrations/api_ui_helper_for_declarative_test.go
@@ -0,0 +1,265 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package integrations
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"testing"
+	"time"
+
+	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/modules/json"
+	"code.gitea.io/gitea/modules/queue"
+	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/services/forms"
+	"github.com/stretchr/testify/assert"
+)
+
+type TestContext struct {
+	Reponame     string
+	Session      *TestSession
+	Username     string
+	ExpectedCode int
+}
+
+func NewTestContext(t *testing.T, username, reponame string) TestContext {
+	return TestContext{
+		Session:  loginUser(t, username),
+		Username: username,
+		Reponame: reponame,
+	}
+}
+
+func (ctx TestContext) GitPath() string {
+	return fmt.Sprintf("%s/%s.git", ctx.Username, ctx.Reponame)
+}
+
+func (ctx TestContext) CreateAPITestContext(t *testing.T) APITestContext {
+	return NewAPITestContext(t, ctx.Username, ctx.Reponame)
+}
+
+func doCreateRepository(ctx TestContext, empty bool, callback ...func(*testing.T, api.Repository)) func(*testing.T) {
+	return func(t *testing.T) {
+		createRepoOption := &api.CreateRepoOption{
+			AutoInit:    !empty,
+			Description: "Temporary repo",
+			Name:        ctx.Reponame,
+			Private:     true,
+			Template:    true,
+			Gitignores:  "",
+			License:     "WTFPL",
+			Readme:      "Default",
+		}
+		req := NewRequestWithJSON(t, "POST", "/api/v1/user/repos", createRepoOption)
+		apiCtx := ctx.CreateAPITestContext(t)
+		if ctx.ExpectedCode != 0 {
+			apiCtx.MakeRequest(t, req, ctx.ExpectedCode)
+			return
+		}
+		resp := apiCtx.MakeRequest(t, req, http.StatusCreated)
+
+		var repository api.Repository
+		DecodeJSON(t, resp, &repository)
+		if len(callback) > 0 {
+			callback[0](t, repository)
+		}
+	}
+}
+
+func doDeleteRepository(ctx TestContext) func(*testing.T) {
+	return func(t *testing.T) {
+		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s", ctx.Username, ctx.Reponame)
+		apiCtx := ctx.CreateAPITestContext(t)
+		req := NewRequest(t, "DELETE", urlStr)
+		if ctx.ExpectedCode != 0 {
+			apiCtx.MakeRequest(t, req, ctx.ExpectedCode)
+			return
+		}
+		apiCtx.MakeRequest(t, req, http.StatusNoContent)
+	}
+}
+
+func doAddCollaborator(ctx TestContext, username string, mode models.AccessMode) func(*testing.T) {
+	return func(t *testing.T) {
+		permission := "read"
+
+		if mode == models.AccessModeAdmin {
+			permission = "admin"
+		} else if mode > models.AccessModeRead {
+			permission = "write"
+		}
+		addCollaboratorOption := &api.AddCollaboratorOption{
+			Permission: &permission,
+		}
+		apiCtx := ctx.CreateAPITestContext(t)
+		req := NewRequestWithJSON(t, "PUT", fmt.Sprintf("/api/v1/repos/%s/%s/collaborators/%s", ctx.Username, ctx.Reponame, username), addCollaboratorOption)
+		if ctx.ExpectedCode != 0 {
+			apiCtx.MakeRequest(t, req, ctx.ExpectedCode)
+			return
+		}
+		apiCtx.MakeRequest(t, req, http.StatusNoContent)
+	}
+}
+
+func doForkRepository(ctx TestContext, username string, callback ...func(*testing.T, api.Repository)) func(*testing.T) {
+	return func(t *testing.T) {
+		createForkOption := &api.CreateForkOption{}
+		apiCtx := ctx.CreateAPITestContext(t)
+		req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/forks", username, ctx.Reponame), createForkOption)
+		if ctx.ExpectedCode != 0 {
+			apiCtx.MakeRequest(t, req, ctx.ExpectedCode)
+			return
+		}
+		resp := apiCtx.MakeRequest(t, req, http.StatusAccepted)
+		var repository api.Repository
+		DecodeJSON(t, resp, &repository)
+		if len(callback) > 0 {
+			callback[0](t, repository)
+		}
+	}
+}
+
+func doEditRepository(ctx TestContext, editRepoOption *api.EditRepoOption, callback ...func(*testing.T, api.Repository)) func(*testing.T) {
+	return func(t *testing.T) {
+		apiCtx := ctx.CreateAPITestContext(t)
+		req := NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s", url.PathEscape(ctx.Username), url.PathEscape(ctx.Reponame)), editRepoOption)
+		if ctx.ExpectedCode != 0 {
+			apiCtx.MakeRequest(t, req, ctx.ExpectedCode)
+			return
+		}
+		resp := apiCtx.MakeRequest(t, req, http.StatusOK)
+
+		var repository api.Repository
+		DecodeJSON(t, resp, &repository)
+		if len(callback) > 0 {
+			callback[0](t, repository)
+		}
+	}
+}
+
+func doCreatePullRequest(ctx TestContext, owner, repo, baseBranch, headBranch string) func(*testing.T) (api.PullRequest, error) {
+	return func(t *testing.T) (api.PullRequest, error) {
+		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/pulls", owner, repo)
+		req := NewRequestWithJSON(t, http.MethodPost, urlStr, &api.CreatePullRequestOption{
+			Head:  headBranch,
+			Base:  baseBranch,
+			Title: fmt.Sprintf("create a pr from %s to %s", headBranch, baseBranch),
+		})
+
+		expected := 201
+		if ctx.ExpectedCode != 0 {
+			expected = ctx.ExpectedCode
+		}
+		apiCtx := ctx.CreateAPITestContext(t)
+		resp := apiCtx.MakeRequest(t, req, expected)
+
+		decoder := json.NewDecoder(resp.Body)
+		pr := api.PullRequest{}
+		err := decoder.Decode(&pr)
+		return pr, err
+	}
+}
+
+func doCreateUserKey(ctx TestContext, keyname, keyFile string, callback ...func(*testing.T, api.PublicKey)) func(*testing.T) {
+	return func(t *testing.T) {
+		urlStr := "/api/v1/user/keys"
+
+		dataPubKey, err := ioutil.ReadFile(keyFile + ".pub")
+		assert.NoError(t, err)
+		req := NewRequestWithJSON(t, "POST", urlStr, &api.CreateKeyOption{
+			Title: keyname,
+			Key:   string(dataPubKey),
+		})
+		apiCtx := ctx.CreateAPITestContext(t)
+		if ctx.ExpectedCode != 0 {
+			apiCtx.MakeRequest(t, req, ctx.ExpectedCode)
+			return
+		}
+		resp := apiCtx.MakeRequest(t, req, http.StatusCreated)
+		var publicKey api.PublicKey
+		DecodeJSON(t, resp, &publicKey)
+		if len(callback) > 0 {
+			callback[0](t, publicKey)
+		}
+	}
+}
+
+func doGetPullRequest(ctx TestContext, owner, repo string, index int64) func(*testing.T) (api.PullRequest, error) {
+	return func(t *testing.T) (api.PullRequest, error) {
+		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d", owner, repo, index)
+		req := NewRequest(t, http.MethodGet, urlStr)
+
+		expected := 200
+		if ctx.ExpectedCode != 0 {
+			expected = ctx.ExpectedCode
+		}
+		apiCtx := ctx.CreateAPITestContext(t)
+		resp := apiCtx.MakeRequest(t, req, expected)
+
+		decoder := json.NewDecoder(resp.Body)
+		pr := api.PullRequest{}
+		err := decoder.Decode(&pr)
+		return pr, err
+	}
+}
+
+func doMergePullRequest(ctx TestContext, owner, repo string, index int64) func(*testing.T) {
+	return func(t *testing.T) {
+		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/merge",
+			owner, repo, index)
+		req := NewRequestWithJSON(t, http.MethodPost, urlStr, &forms.MergePullRequestForm{
+			MergeMessageField: "doAPIMergePullRequest Merge",
+			Do:                string(models.MergeStyleMerge),
+		})
+
+		apiCtx := ctx.CreateAPITestContext(t)
+		resp := apiCtx.MakeRequest(t, req, NoExpectedStatus)
+
+		if resp.Code == http.StatusMethodNotAllowed {
+			err := api.APIError{}
+			DecodeJSON(t, resp, &err)
+			assert.EqualValues(t, "Please try again later", err.Message)
+			queue.GetManager().FlushAll(context.Background(), 5*time.Second)
+			req = NewRequestWithJSON(t, http.MethodPost, urlStr, &forms.MergePullRequestForm{
+				MergeMessageField: "doAPIMergePullRequest Merge",
+				Do:                string(models.MergeStyleMerge),
+			})
+			resp = apiCtx.MakeRequest(t, req, NoExpectedStatus)
+		}
+
+		expected := ctx.ExpectedCode
+		if expected == 0 {
+			expected = 200
+		}
+
+		if !assert.EqualValues(t, expected, resp.Code,
+			"Request: %s %s", req.Method, req.URL.String()) {
+			logUnexpectedResponse(t, resp)
+		}
+	}
+}
+
+func doManuallyMergePullRequest(ctx TestContext, owner, repo, commitID string, index int64) func(*testing.T) {
+	return func(t *testing.T) {
+		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/merge",
+			owner, repo, index)
+		req := NewRequestWithJSON(t, http.MethodPost, urlStr, &forms.MergePullRequestForm{
+			Do:            string(models.MergeStyleManuallyMerged),
+			MergeCommitID: commitID,
+		})
+
+		apiCtx := ctx.CreateAPITestContext(t)
+
+		if ctx.ExpectedCode != 0 {
+			apiCtx.MakeRequest(t, req, ctx.ExpectedCode)
+			return
+		}
+		apiCtx.MakeRequest(t, req, 200)
+	}
+}
diff --git a/integrations/api_ui_issue_stopwatch_test.go b/integrations/api_ui_issue_stopwatch_test.go
index 0fff6eaa79b81..5adc4d8548ee2 100644
--- a/integrations/api_ui_issue_stopwatch_test.go
+++ b/integrations/api_ui_issue_stopwatch_test.go
@@ -36,48 +36,3 @@ func TestUIAPIListStopWatches(t *testing.T) {
 		assert.Greater(t, int64(apiWatches[0].Seconds), int64(0))
 	}
 }
-
-func TestAPIUIStopStopWatches(t *testing.T) {
-	defer prepareTestEnv(t)()
-
-	issue := models.AssertExistsAndLoadBean(t, &models.Issue{ID: 2}).(*models.Issue)
-	_ = issue.LoadRepo()
-	owner := models.AssertExistsAndLoadBean(t, &models.User{ID: issue.Repo.OwnerID}).(*models.User)
-	user := models.AssertExistsAndLoadBean(t, &models.User{ID: 2}).(*models.User)
-
-	session := loginUser(t, user.Name)
-
-	req := NewRequestf(t, "POST", "/api/v1/repos/%s/%s/issues/%d/stopwatch/stop", owner.Name, issue.Repo.Name, issue.Index)
-	session.MakeRequest(t, req, http.StatusCreated)
-	session.MakeRequest(t, req, http.StatusConflict)
-}
-
-func TestAPIUICancelStopWatches(t *testing.T) {
-	defer prepareTestEnv(t)()
-
-	issue := models.AssertExistsAndLoadBean(t, &models.Issue{ID: 1}).(*models.Issue)
-	_ = issue.LoadRepo()
-	owner := models.AssertExistsAndLoadBean(t, &models.User{ID: issue.Repo.OwnerID}).(*models.User)
-	user := models.AssertExistsAndLoadBean(t, &models.User{ID: 1}).(*models.User)
-
-	session := loginUser(t, user.Name)
-
-	req := NewRequestf(t, "DELETE", "/api/ui/repos/%s/%s/issues/%d/stopwatch/delete", owner.Name, issue.Repo.Name, issue.Index)
-	session.MakeRequest(t, req, http.StatusNoContent)
-	session.MakeRequest(t, req, http.StatusConflict)
-}
-
-func TestAPIUIStartStopWatches(t *testing.T) {
-	defer prepareTestEnv(t)()
-
-	issue := models.AssertExistsAndLoadBean(t, &models.Issue{ID: 3}).(*models.Issue)
-	_ = issue.LoadRepo()
-	owner := models.AssertExistsAndLoadBean(t, &models.User{ID: issue.Repo.OwnerID}).(*models.User)
-	user := models.AssertExistsAndLoadBean(t, &models.User{ID: 2}).(*models.User)
-
-	session := loginUser(t, user.Name)
-
-	req := NewRequestf(t, "POST", "/api/v1/repos/%s/%s/issues/%d/stopwatch/start", owner.Name, issue.Repo.Name, issue.Index)
-	session.MakeRequest(t, req, http.StatusCreated)
-	session.MakeRequest(t, req, http.StatusConflict)
-}
diff --git a/integrations/api_ui_notification_test.go b/integrations/api_ui_notification_test.go
index 628d9fa6c4de5..40c60e99871ef 100644
--- a/integrations/api_ui_notification_test.go
+++ b/integrations/api_ui_notification_test.go
@@ -15,21 +15,21 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-func TestAPIUINotification(t *testing.T) {
+func TestNotification(t *testing.T) {
 	defer prepareTestEnv(t)()
 
 	user2 := models.AssertExistsAndLoadBean(t, &models.User{ID: 2}).(*models.User)
 	repo1 := models.AssertExistsAndLoadBean(t, &models.Repository{ID: 1}).(*models.Repository)
 	thread5 := models.AssertExistsAndLoadBean(t, &models.Notification{ID: 5}).(*models.Notification)
 	assert.NoError(t, thread5.LoadAttributes())
-	session := loginUser(t, user2.Name)
-	token := getTokenForLoggedInUser(t, session)
+
+	token := getUserToken(t, user2.Name)
 
 	// -- GET /notifications --
 	// test filter
 	since := "2000-01-01T00%3A50%3A01%2B00%3A00" //946687801
-	req := NewRequest(t, "GET", fmt.Sprintf("/api/ui/notifications?since=%s", since))
-	resp := session.MakeRequest(t, req, http.StatusOK)
+	req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications?since=%s&token=%s", since, token))
+	resp := MakeRequest(t, req, http.StatusOK)
 	var apiNL []api.NotificationThread
 	DecodeJSON(t, resp, &apiNL)
 
@@ -39,8 +39,8 @@ func TestAPIUINotification(t *testing.T) {
 	// test filter
 	before := "2000-01-01T01%3A06%3A59%2B00%3A00" //946688819
 
-	req = NewRequest(t, "GET", fmt.Sprintf("/api/ui/notifications?all=%s&before=%s", "true", before))
-	resp = session.MakeRequest(t, req, http.StatusOK)
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications?all=%s&before=%s&token=%s", "true", before, token))
+	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiNL)
 
 	assert.Len(t, apiNL, 3)
@@ -64,12 +64,12 @@ func TestAPIUINotification(t *testing.T) {
 
 	// -- GET /notifications/threads/{id} --
 	// get forbidden
-	req = NewRequest(t, "GET", fmt.Sprintf("/api/ui/notifications/threads/%d", 1))
-	resp = session.MakeRequest(t, req, http.StatusForbidden)
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications/threads/%d?token=%s", 1, token))
+	MakeRequest(t, req, http.StatusForbidden)
 
 	// get own
-	req = NewRequest(t, "GET", fmt.Sprintf("/api/ui/notifications/threads/%d", thread5.ID))
-	resp = session.MakeRequest(t, req, http.StatusOK)
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications/threads/%d?token=%s", thread5.ID, token))
+	resp = MakeRequest(t, req, http.StatusOK)
 	var apiN api.NotificationThread
 	DecodeJSON(t, resp, &apiN)
 
@@ -85,37 +85,38 @@ func TestAPIUINotification(t *testing.T) {
 		New int64 `json:"new"`
 	}{}
 
+	session := loginUser(t, user2.Name)
 	// -- check notifications --
-	req = NewRequest(t, "GET", fmt.Sprintf("/api/ui/notifications/new"))
+	req = NewRequest(t, "GET", "/api/ui/notifications/new")
 	resp = session.MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &new)
 	assert.True(t, new.New > 0)
 
 	// -- mark notifications as read --
-	req = NewRequest(t, "GET", fmt.Sprintf("/api/ui/notifications?status-types=unread"))
-	resp = session.MakeRequest(t, req, http.StatusOK)
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications?status-types=unread&token=%s", token))
+	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiNL)
 	assert.Len(t, apiNL, 2)
 
 	lastReadAt := "2000-01-01T00%3A50%3A01%2B00%3A00" //946687801 <- only Notification 4 is in this filter ...
 	req = NewRequest(t, "PUT", fmt.Sprintf("/api/v1/repos/%s/%s/notifications?last_read_at=%s&token=%s", user2.Name, repo1.Name, lastReadAt, token))
-	resp = MakeRequest(t, req, http.StatusResetContent)
+	MakeRequest(t, req, http.StatusResetContent)
 
-	req = NewRequest(t, "GET", fmt.Sprintf("/api/ui/notifications?status-types=unread"))
-	resp = session.MakeRequest(t, req, http.StatusOK)
+	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications?status-types=unread&token=%s", token))
+	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiNL)
 	assert.Len(t, apiNL, 1)
 
 	// -- PATCH /notifications/threads/{id} --
-	req = NewRequest(t, "PATCH", fmt.Sprintf("/api/ui/notifications/threads/%d", thread5.ID))
-	resp = session.MakeRequest(t, req, http.StatusResetContent)
+	req = NewRequest(t, "PATCH", fmt.Sprintf("/api/v1/notifications/threads/%d?token=%s", thread5.ID, token))
+	MakeRequest(t, req, http.StatusResetContent)
 
 	assert.Equal(t, models.NotificationStatusUnread, thread5.Status)
 	thread5 = models.AssertExistsAndLoadBean(t, &models.Notification{ID: 5}).(*models.Notification)
 	assert.Equal(t, models.NotificationStatusRead, thread5.Status)
 
 	// -- check notifications --
-	req = NewRequest(t, "GET", fmt.Sprintf("/api/ui/notifications/new"))
+	req = NewRequest(t, "GET", "/api/ui/notifications/new")
 	resp = session.MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &new)
 	assert.True(t, new.New == 0)
diff --git a/integrations/api_ui_repo_topic_test.go b/integrations/api_ui_repo_topic_test.go
new file mode 100644
index 0000000000000..26757e06d586c
--- /dev/null
+++ b/integrations/api_ui_repo_topic_test.go
@@ -0,0 +1,46 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package integrations
+
+import (
+	"net/http"
+	"net/url"
+	"testing"
+
+	api "code.gitea.io/gitea/modules/structs"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAPIUITopicSearch(t *testing.T) {
+	defer prepareTestEnv(t)()
+	searchURL, _ := url.Parse("/api/ui/topics/search")
+	var topics struct {
+		TopicNames []*api.TopicResponse `json:"topics"`
+	}
+
+	query := url.Values{"page": []string{"1"}, "limit": []string{"4"}}
+
+	searchURL.RawQuery = query.Encode()
+	res := MakeRequest(t, NewRequest(t, "GET", searchURL.String()), http.StatusOK)
+	DecodeJSON(t, res, &topics)
+	assert.Len(t, topics.TopicNames, 4)
+	assert.EqualValues(t, "6", res.Header().Get("x-total-count"))
+
+	query.Add("q", "topic")
+	searchURL.RawQuery = query.Encode()
+	res = MakeRequest(t, NewRequest(t, "GET", searchURL.String()), http.StatusOK)
+	DecodeJSON(t, res, &topics)
+	assert.Len(t, topics.TopicNames, 2)
+
+	query.Set("q", "database")
+	searchURL.RawQuery = query.Encode()
+	res = MakeRequest(t, NewRequest(t, "GET", searchURL.String()), http.StatusOK)
+	DecodeJSON(t, res, &topics)
+	if assert.Len(t, topics.TopicNames, 1) {
+		assert.EqualValues(t, 2, topics.TopicNames[0].ID)
+		assert.EqualValues(t, "database", topics.TopicNames[0].Name)
+		assert.EqualValues(t, 1, topics.TopicNames[0].RepoCount)
+	}
+}
diff --git a/integrations/api_user_heatmap_test.go b/integrations/api_user_heatmap_test.go
index 69f4ff2249bff..42560f5de6375 100644
--- a/integrations/api_user_heatmap_test.go
+++ b/integrations/api_user_heatmap_test.go
@@ -20,7 +20,7 @@ func TestUserHeatmap(t *testing.T) {
 	defer prepareTestEnv(t)()
 	adminUsername := "user1"
 	normalUsername := "user2"
-	session := loginUser(t, adminUsername)
+	token := getUserToken(t, adminUsername)
 
 	fakeNow := time.Date(2011, 10, 20, 0, 0, 0, 0, time.Local)
 	timeutil.Set(fakeNow)
@@ -28,7 +28,7 @@ func TestUserHeatmap(t *testing.T) {
 
 	urlStr := fmt.Sprintf("/api/v1/users/%s/heatmap", normalUsername)
 	req := NewRequest(t, "GET", urlStr)
-	resp := session.MakeRequest(t, req, http.StatusOK)
+	resp := MakeRequest(t, WithToken(req, token), http.StatusOK)
 	var heatmap []*models.UserHeatmapData
 	DecodeJSON(t, resp, &heatmap)
 	var dummyheatmap []*models.UserHeatmapData
diff --git a/integrations/benchmarks_test.go b/integrations/benchmarks_test.go
index ffae471307d21..a03b09878d2d3 100644
--- a/integrations/benchmarks_test.go
+++ b/integrations/benchmarks_test.go
@@ -45,7 +45,7 @@ func BenchmarkRepoBranchCommit(b *testing.B) {
 					for i := 0; i < b.N; i++ {
 						b.Run("new_"+branchName, func(b *testing.B) {
 							b.Skip("benchmark broken") // TODO fix
-							testAPICreateBranch(b, session, repo.OwnerName, repo.Name, repo.DefaultBranch, "new_"+branchName, http.StatusCreated)
+							testAPICreateBranch(b, repo.OwnerName, repo.Name, repo.DefaultBranch, "new_"+branchName, http.StatusCreated)
 						})
 					}
 				})
diff --git a/integrations/git_test.go b/integrations/git_test.go
index 675b1879fafc9..5c990e0c6227d 100644
--- a/integrations/git_test.go
+++ b/integrations/git_test.go
@@ -42,16 +42,16 @@ func TestGit(t *testing.T) {
 
 func testGit(t *testing.T, u *url.URL) {
 	username := "user2"
-	baseAPITestContext := NewAPITestContext(t, username, "repo1")
+	baseTestContext := NewTestContext(t, username, "repo1")
 
-	u.Path = baseAPITestContext.GitPath()
+	u.Path = baseTestContext.GitPath()
 
-	forkedUserCtx := NewAPITestContext(t, "user4", "repo1")
+	forkedUserCtx := NewTestContext(t, "user4", "repo1")
 
 	t.Run("HTTP", func(t *testing.T) {
 		defer PrintCurrentTest(t)()
 		ensureAnonymousClone(t, u)
-		httpContext := baseAPITestContext
+		httpContext := baseTestContext
 		httpContext.Reponame = "repo-tmp-17"
 		forkedUserCtx.Reponame = httpContext.Reponame
 
@@ -59,10 +59,10 @@ func testGit(t *testing.T, u *url.URL) {
 		assert.NoError(t, err)
 		defer util.RemoveAll(dstPath)
 
-		t.Run("CreateRepoInDifferentUser", doAPICreateRepository(forkedUserCtx, false))
-		t.Run("AddUserAsCollaborator", doAPIAddCollaborator(forkedUserCtx, httpContext.Username, perm.AccessModeRead))
+		t.Run("CreateRepoInDifferentUser", doCreateRepository(forkedUserCtx, false))
+		t.Run("AddUserAsCollaborator", doAddCollaborator(forkedUserCtx, httpContext.Username, perm.AccessModeRead))
 
-		t.Run("ForkFromDifferentUser", doAPIForkRepository(httpContext, forkedUserCtx.Username))
+		t.Run("ForkFromDifferentUser", doForkRepository(httpContext, forkedUserCtx.Username))
 
 		u.Path = httpContext.GitPath()
 		u.User = url.UserPassword(username, userPassword)
@@ -94,17 +94,17 @@ func testGit(t *testing.T, u *url.URL) {
 	})
 	t.Run("SSH", func(t *testing.T) {
 		defer PrintCurrentTest(t)()
-		sshContext := baseAPITestContext
+		sshContext := baseTestContext
 		sshContext.Reponame = "repo-tmp-18"
 		keyname := "my-testing-key"
 		forkedUserCtx.Reponame = sshContext.Reponame
-		t.Run("CreateRepoInDifferentUser", doAPICreateRepository(forkedUserCtx, false))
-		t.Run("AddUserAsCollaborator", doAPIAddCollaborator(forkedUserCtx, sshContext.Username, perm.AccessModeRead))
-		t.Run("ForkFromDifferentUser", doAPIForkRepository(sshContext, forkedUserCtx.Username))
+		t.Run("CreateRepoInDifferentUser", doCreateRepository(forkedUserCtx, false))
+		t.Run("AddUserAsCollaborator", doAddCollaborator(forkedUserCtx, sshContext.Username, perm.AccessModeRead))
+		t.Run("ForkFromDifferentUser", doForkRepository(sshContext, forkedUserCtx.Username))
 
 		// Setup key the user ssh key
 		withKeyFile(t, keyname, func(keyFile string) {
-			t.Run("CreateUserKey", doAPICreateUserKey(sshContext, "test-key", keyFile))
+			t.Run("CreateUserKey", doCreateUserKey(sshContext, "test-key", keyFile))
 
 			// Setup remote link
 			// TODO: get url from api
@@ -211,7 +211,7 @@ func commitAndPushTest(t *testing.T, dstPath, prefix string) (little, big string
 	return
 }
 
-func rawTest(t *testing.T, ctx *APITestContext, little, big, littleLFS, bigLFS string) {
+func rawTest(t *testing.T, ctx *TestContext, little, big, littleLFS, bigLFS string) {
 	t.Run("Raw", func(t *testing.T) {
 		defer PrintCurrentTest(t)()
 		username := ctx.Username
@@ -252,7 +252,7 @@ func rawTest(t *testing.T, ctx *APITestContext, little, big, littleLFS, bigLFS s
 	})
 }
 
-func mediaTest(t *testing.T, ctx *APITestContext, little, big, littleLFS, bigLFS string) {
+func mediaTest(t *testing.T, ctx *TestContext, little, big, littleLFS, bigLFS string) {
 	t.Run("Media", func(t *testing.T) {
 		defer PrintCurrentTest(t)()
 
@@ -367,7 +367,7 @@ func generateCommitWithNewData(size int, repoPath, email, fullName, prefix strin
 	return filepath.Base(tmpFile.Name()), err
 }
 
-func doBranchProtectPRMerge(baseCtx *APITestContext, dstPath string) func(t *testing.T) {
+func doBranchProtectPRMerge(baseCtx *TestContext, dstPath string) func(t *testing.T) {
 	return func(t *testing.T) {
 		defer PrintCurrentTest(t)()
 		t.Run("CreateBranchProtected", doGitCreateBranch(dstPath, "protected"))
@@ -384,7 +384,7 @@ func doBranchProtectPRMerge(baseCtx *APITestContext, dstPath string) func(t *tes
 		var pr api.PullRequest
 		var err error
 		t.Run("CreatePullRequest", func(t *testing.T) {
-			pr, err = doAPICreatePullRequest(ctx, baseCtx.Username, baseCtx.Reponame, "protected", "unprotected")(t)
+			pr, err = doCreatePullRequest(ctx, baseCtx.Username, baseCtx.Reponame, "protected", "unprotected")(t)
 			assert.NoError(t, err)
 		})
 		t.Run("GenerateCommit", func(t *testing.T) {
@@ -394,11 +394,11 @@ func doBranchProtectPRMerge(baseCtx *APITestContext, dstPath string) func(t *tes
 		t.Run("PushToUnprotectedBranch", doGitPushTestRepository(dstPath, "origin", "protected:unprotected-2"))
 		var pr2 api.PullRequest
 		t.Run("CreatePullRequest", func(t *testing.T) {
-			pr2, err = doAPICreatePullRequest(ctx, baseCtx.Username, baseCtx.Reponame, "unprotected", "unprotected-2")(t)
+			pr2, err = doCreatePullRequest(ctx, baseCtx.Username, baseCtx.Reponame, "unprotected", "unprotected-2")(t)
 			assert.NoError(t, err)
 		})
-		t.Run("MergePR2", doAPIMergePullRequest(ctx, baseCtx.Username, baseCtx.Reponame, pr2.Index))
-		t.Run("MergePR", doAPIMergePullRequest(ctx, baseCtx.Username, baseCtx.Reponame, pr.Index))
+		t.Run("MergePR2", doMergePullRequest(ctx, baseCtx.Username, baseCtx.Reponame, pr2.Index))
+		t.Run("MergePR", doMergePullRequest(ctx, baseCtx.Username, baseCtx.Reponame, pr.Index))
 		t.Run("PullProtected", doGitPull(dstPath, "origin", "protected"))
 
 		t.Run("ProtectProtectedBranchUnprotectedFilePaths", doProtectBranch(ctx, "protected", "", "unprotected-file-*"))
@@ -457,7 +457,7 @@ func doProtectBranch(ctx APITestContext, branch, userToWhitelist, unprotectedFil
 	}
 }
 
-func doMergeFork(ctx, baseCtx APITestContext, baseBranch, headBranch string) func(t *testing.T) {
+func doMergeFork(ctx, baseCtx TestContext, baseBranch, headBranch string) func(t *testing.T) {
 	return func(t *testing.T) {
 		defer PrintCurrentTest(t)()
 		var pr api.PullRequest
@@ -465,7 +465,7 @@ func doMergeFork(ctx, baseCtx APITestContext, baseBranch, headBranch string) fun
 
 		// Create a test pullrequest
 		t.Run("CreatePullRequest", func(t *testing.T) {
-			pr, err = doAPICreatePullRequest(ctx, baseCtx.Username, baseCtx.Reponame, baseBranch, headBranch)(t)
+			pr, err = doCreatePullRequest(ctx, baseCtx.Username, baseCtx.Reponame, baseBranch, headBranch)(t)
 			assert.NoError(t, err)
 		})
 
@@ -483,11 +483,11 @@ func doMergeFork(ctx, baseCtx APITestContext, baseBranch, headBranch string) fun
 		})
 
 		// Now: Merge the PR & make sure that doesn't break the PR page or change its diff
-		t.Run("MergePR", doAPIMergePullRequest(baseCtx, baseCtx.Username, baseCtx.Reponame, pr.Index))
+		t.Run("MergePR", doMergePullRequest(baseCtx, baseCtx.Username, baseCtx.Reponame, pr.Index))
 		t.Run("EnsureCanSeePull", doEnsureCanSeePull(baseCtx, pr))
 		t.Run("CheckPR", func(t *testing.T) {
 			oldMergeBase := pr.MergeBase
-			pr2, err := doAPIGetPullRequest(baseCtx, baseCtx.Username, baseCtx.Reponame, pr.Index)(t)
+			pr2, err := doGetPullRequest(baseCtx, baseCtx.Username, baseCtx.Reponame, pr.Index)(t)
 			assert.NoError(t, err)
 			assert.Equal(t, oldMergeBase, pr2.MergeBase)
 		})
@@ -499,13 +499,13 @@ func doMergeFork(ctx, baseCtx APITestContext, baseBranch, headBranch string) fun
 		t.Run("EnsureDiffNoChange", doEnsureDiffNoChange(baseCtx, pr, diffHash, diffLength))
 
 		// Delete the head repository & make sure that doesn't break the PR page or change its diff
-		t.Run("DeleteHeadRepository", doAPIDeleteRepository(ctx))
+		t.Run("DeleteHeadRepository", doDeleteRepository(ctx))
 		t.Run("EnsureCanSeePull", doEnsureCanSeePull(baseCtx, pr))
 		t.Run("EnsureDiffNoChange", doEnsureDiffNoChange(baseCtx, pr, diffHash, diffLength))
 	}
 }
 
-func doCreatePRAndSetManuallyMerged(ctx, baseCtx APITestContext, dstPath, baseBranch, headBranch string) func(t *testing.T) {
+func doCreatePRAndSetManuallyMerged(ctx, baseCtx TestContext, dstPath, baseBranch, headBranch string) func(t *testing.T) {
 	return func(t *testing.T) {
 		defer PrintCurrentTest(t)()
 		var (
@@ -517,7 +517,7 @@ func doCreatePRAndSetManuallyMerged(ctx, baseCtx APITestContext, dstPath, baseBr
 		trueBool := true
 		falseBool := false
 
-		t.Run("AllowSetManuallyMergedAndSwitchOffAutodetectManualMerge", doAPIEditRepository(baseCtx, &api.EditRepoOption{
+		t.Run("AllowSetManuallyMergedAndSwitchOffAutodetectManualMerge", doEditRepository(baseCtx, &api.EditRepoOption{
 			HasPullRequests:       &trueBool,
 			AllowManualMerge:      &trueBool,
 			AutodetectManualMerge: &falseBool,
@@ -526,15 +526,15 @@ func doCreatePRAndSetManuallyMerged(ctx, baseCtx APITestContext, dstPath, baseBr
 		t.Run("CreateHeadBranch", doGitCreateBranch(dstPath, headBranch))
 		t.Run("PushToHeadBranch", doGitPushTestRepository(dstPath, "origin", headBranch))
 		t.Run("CreateEmptyPullRequest", func(t *testing.T) {
-			pr, err = doAPICreatePullRequest(ctx, baseCtx.Username, baseCtx.Reponame, baseBranch, headBranch)(t)
+			pr, err = doCreatePullRequest(ctx, baseCtx.Username, baseCtx.Reponame, baseBranch, headBranch)(t)
 			assert.NoError(t, err)
 		})
 		lastCommitID = pr.Base.Sha
-		t.Run("ManuallyMergePR", doAPIManuallyMergePullRequest(ctx, baseCtx.Username, baseCtx.Reponame, lastCommitID, pr.Index))
+		t.Run("ManuallyMergePR", doManuallyMergePullRequest(ctx, baseCtx.Username, baseCtx.Reponame, lastCommitID, pr.Index))
 	}
 }
 
-func doEnsureCanSeePull(ctx APITestContext, pr api.PullRequest) func(t *testing.T) {
+func doEnsureCanSeePull(ctx TestContext, pr api.PullRequest) func(t *testing.T) {
 	return func(t *testing.T) {
 		req := NewRequest(t, "GET", fmt.Sprintf("/%s/%s/pulls/%d", url.PathEscape(ctx.Username), url.PathEscape(ctx.Reponame), pr.Index))
 		ctx.Session.MakeRequest(t, req, http.StatusOK)
@@ -545,7 +545,7 @@ func doEnsureCanSeePull(ctx APITestContext, pr api.PullRequest) func(t *testing.
 	}
 }
 
-func doEnsureDiffNoChange(ctx APITestContext, pr api.PullRequest, diffHash string, diffLength int) func(t *testing.T) {
+func doEnsureDiffNoChange(ctx TestContext, pr api.PullRequest, diffHash string, diffLength int) func(t *testing.T) {
 	return func(t *testing.T) {
 		req := NewRequest(t, "GET", fmt.Sprintf("/%s/%s/pulls/%d.diff", url.PathEscape(ctx.Username), url.PathEscape(ctx.Reponame), pr.Index))
 		resp := ctx.Session.MakeRequestNilResponseHashSumRecorder(t, req, http.StatusOK)
@@ -557,7 +557,7 @@ func doEnsureDiffNoChange(ctx APITestContext, pr api.PullRequest, diffHash strin
 	}
 }
 
-func doPushCreate(ctx APITestContext, u *url.URL) func(t *testing.T) {
+func doPushCreate(ctx TestContext, u *url.URL) func(t *testing.T) {
 	return func(t *testing.T) {
 		defer PrintCurrentTest(t)()
 
@@ -604,7 +604,7 @@ func doPushCreate(ctx APITestContext, u *url.URL) func(t *testing.T) {
 	}
 }
 
-func doBranchDelete(ctx APITestContext, owner, repo, branch string) func(*testing.T) {
+func doBranchDelete(ctx TestContext, owner, repo, branch string) func(*testing.T) {
 	return func(t *testing.T) {
 		csrf := GetCSRF(t, ctx.Session, fmt.Sprintf("/%s/%s/branches", url.PathEscape(owner), url.PathEscape(repo)))
 
@@ -615,7 +615,7 @@ func doBranchDelete(ctx APITestContext, owner, repo, branch string) func(*testin
 	}
 }
 
-func doCreateAgitFlowPull(dstPath string, ctx *APITestContext, baseBranch, headBranch string) func(t *testing.T) {
+func doCreateAgitFlowPull(dstPath string, ctx *TestContext, baseBranch, headBranch string) func(t *testing.T) {
 	return func(t *testing.T) {
 		defer PrintCurrentTest(t)()
 
@@ -683,7 +683,7 @@ func doCreateAgitFlowPull(dstPath string, ctx *APITestContext, baseBranch, headB
 			if !assert.NotEmpty(t, pr1) {
 				return
 			}
-			prMsg, err := doAPIGetPullRequest(*ctx, ctx.Username, ctx.Reponame, pr1.Index)(t)
+			prMsg, err := doGetPullRequest(*ctx, ctx.Username, ctx.Reponame, pr1.Index)(t)
 			if !assert.NoError(t, err) {
 				return
 			}
@@ -705,7 +705,7 @@ func doCreateAgitFlowPull(dstPath string, ctx *APITestContext, baseBranch, headB
 			if !assert.NotEmpty(t, pr2) {
 				return
 			}
-			prMsg, err = doAPIGetPullRequest(*ctx, ctx.Username, ctx.Reponame, pr2.Index)(t)
+			prMsg, err = doGetPullRequest(*ctx, ctx.Username, ctx.Reponame, pr2.Index)(t)
 			if !assert.NoError(t, err) {
 				return
 			}
@@ -769,7 +769,7 @@ func doCreateAgitFlowPull(dstPath string, ctx *APITestContext, baseBranch, headB
 			assert.Equal(t, false, prMsg.HasMerged)
 			assert.Equal(t, commit, prMsg.Head.Sha)
 		})
-		t.Run("Merge", doAPIMergePullRequest(*ctx, ctx.Username, ctx.Reponame, pr1.Index))
+		t.Run("Merge", doMergePullRequest(*ctx, ctx.Username, ctx.Reponame, pr1.Index))
 		t.Run("CheckoutMasterAgain", doGitCheckoutBranch(dstPath, "master"))
 	}
 }
diff --git a/integrations/mirror_push_test.go b/integrations/mirror_push_test.go
index c5f45643ec290..04c8261c2c35a 100644
--- a/integrations/mirror_push_test.go
+++ b/integrations/mirror_push_test.go
@@ -43,7 +43,7 @@ func testMirrorPush(t *testing.T, u *url.URL) {
 	})
 	assert.NoError(t, err)
 
-	ctx := NewAPITestContext(t, user.LowerName, srcRepo.Name)
+	ctx := NewTestContext(t, user.LowerName, srcRepo.Name)
 
 	doCreatePushMirror(ctx, fmt.Sprintf("%s%s/%s", u.String(), url.PathEscape(ctx.Username), url.PathEscape(mirrorRepo.Name)), user.LowerName, userPassword)(t)
 
@@ -77,7 +77,7 @@ func testMirrorPush(t *testing.T, u *url.URL) {
 	assert.Len(t, mirrors, 0)
 }
 
-func doCreatePushMirror(ctx APITestContext, address, username, password string) func(t *testing.T) {
+func doCreatePushMirror(ctx TestContext, address, username, password string) func(t *testing.T) {
 	return func(t *testing.T) {
 		csrf := GetCSRF(t, ctx.Session, fmt.Sprintf("/%s/%s/settings", url.PathEscape(ctx.Username), url.PathEscape(ctx.Reponame)))
 
diff --git a/routers/api/ui/api.go b/routers/api/ui/api.go
index 450351adc0f1f..6744a2d0d4860 100644
--- a/routers/api/ui/api.go
+++ b/routers/api/ui/api.go
@@ -95,9 +95,6 @@ func repoAssignment() func(ctx *context.APIContext) {
 // Contexter middleware already checks token for user sign in process.
 func reqToken() func(ctx *context.APIContext) {
 	return func(ctx *context.APIContext) {
-		if true == ctx.Data["IsApiToken"] {
-			return
-		}
 		if ctx.Context.IsBasicAuth {
 			ctx.CheckForOTP()
 			return
@@ -306,7 +303,7 @@ func Routes(sess func(next http.Handler) http.Handler) *web.Route {
 		// Notifications
 		m.Group("/notifications", func() {
 			m.Get("/new", notify.NewAvailable)
-		}, reqToken())
+		})
 
 		// Users
 		m.Group("/users", func() {
@@ -315,7 +312,7 @@ func Routes(sess func(next http.Handler) http.Handler) *web.Route {
 
 		m.Group("/user", func() {
 			m.Get("/stopwatches", repo.GetStopwatches)
-		}, reqToken())
+		})
 
 		// Repositories
 		m.Group("/repos", func() {
diff --git a/web_src/js/components/ContextPopup.vue b/web_src/js/components/ContextPopup.vue
index 0ff141476af1f..6f8eb73775385 100644
--- a/web_src/js/components/ContextPopup.vue
+++ b/web_src/js/components/ContextPopup.vue
@@ -120,7 +120,7 @@ export default {
     load(data, callback) {
       this.loading = true;
       this.i18nErrorMessage = null;
-      $.get(`${appSubUrl}/api/v1/repos/${data.owner}/${data.repo}/issues/${data.index}`).done((issue) => {
+      $.get(`${appSubUrl}/api/ui/repos/${data.owner}/${data.repo}/issues/${data.index}`).done((issue) => {
         this.issue = issue;
       }).fail((jqXHR) => {
         if (jqXHR.responseJSON && jqXHR.responseJSON.message) {

From 40db2212d7aea171e00bcbe5face93f8ed7428f9 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Thu, 14 Oct 2021 13:53:26 +0800
Subject: [PATCH 16/26] Fix merge

---
 routers/init.go | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/routers/init.go b/routers/init.go
index e7334c24bf6cb..58f2425de4e9c 100644
--- a/routers/init.go
+++ b/routers/init.go
@@ -48,10 +48,7 @@ import (
 	"code.gitea.io/gitea/services/repository/archiver"
 	"code.gitea.io/gitea/services/task"
 	"code.gitea.io/gitea/services/webhook"
-<<<<<<< HEAD
 
-=======
->>>>>>> 7afa66cba (Fix test)
 	"gitea.com/go-chi/session"
 )
 

From acb09a01910d6818286a2fa1507e8b5b20dc3a95 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Fri, 15 Oct 2021 11:01:27 +0800
Subject: [PATCH 17/26] Fix test

---
 .../api_ui_helper_for_declarative_test.go     | 10 +++----
 integrations/api_ui_issue_stopwatch_test.go   |  9 +++---
 integrations/api_ui_notification_test.go      |  9 +++---
 integrations/api_ui_repo_test.go              | 11 +++----
 integrations/api_ui_user_search_test.go       |  3 +-
 integrations/git_test.go                      | 29 +++++++++++--------
 6 files changed, 39 insertions(+), 32 deletions(-)

diff --git a/integrations/api_ui_helper_for_declarative_test.go b/integrations/api_ui_helper_for_declarative_test.go
index 0c5cf9ff97b72..6707307e651d3 100644
--- a/integrations/api_ui_helper_for_declarative_test.go
+++ b/integrations/api_ui_helper_for_declarative_test.go
@@ -143,7 +143,7 @@ func doEditRepository(ctx TestContext, editRepoOption *api.EditRepoOption, callb
 	}
 }
 
-func doCreatePullRequest(ctx TestContext, owner, repo, baseBranch, headBranch string) func(*testing.T) (api.PullRequest, error) {
+func doCreatePullRequest(ctx APITestContext, owner, repo, baseBranch, headBranch string) func(*testing.T) (api.PullRequest, error) {
 	return func(t *testing.T) (api.PullRequest, error) {
 		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/pulls", owner, repo)
 		req := NewRequestWithJSON(t, http.MethodPost, urlStr, &api.CreatePullRequestOption{
@@ -156,9 +156,8 @@ func doCreatePullRequest(ctx TestContext, owner, repo, baseBranch, headBranch st
 		if ctx.ExpectedCode != 0 {
 			expected = ctx.ExpectedCode
 		}
-		apiCtx := ctx.CreateAPITestContext(t)
-		resp := apiCtx.MakeRequest(t, req, expected)
 
+		resp := ctx.MakeRequest(t, req, expected)
 		decoder := json.NewDecoder(resp.Body)
 		pr := api.PullRequest{}
 		err := decoder.Decode(&pr)
@@ -209,7 +208,7 @@ func doGetPullRequest(ctx TestContext, owner, repo string, index int64) func(*te
 	}
 }
 
-func doMergePullRequest(ctx TestContext, owner, repo string, index int64) func(*testing.T) {
+func doMergePullRequest(apiCtx APITestContext, owner, repo string, index int64) func(*testing.T) {
 	return func(t *testing.T) {
 		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/merge",
 			owner, repo, index)
@@ -218,7 +217,6 @@ func doMergePullRequest(ctx TestContext, owner, repo string, index int64) func(*
 			Do:                string(models.MergeStyleMerge),
 		})
 
-		apiCtx := ctx.CreateAPITestContext(t)
 		resp := apiCtx.MakeRequest(t, req, NoExpectedStatus)
 
 		if resp.Code == http.StatusMethodNotAllowed {
@@ -233,7 +231,7 @@ func doMergePullRequest(ctx TestContext, owner, repo string, index int64) func(*
 			resp = apiCtx.MakeRequest(t, req, NoExpectedStatus)
 		}
 
-		expected := ctx.ExpectedCode
+		expected := apiCtx.ExpectedCode
 		if expected == 0 {
 			expected = 200
 		}
diff --git a/integrations/api_ui_issue_stopwatch_test.go b/integrations/api_ui_issue_stopwatch_test.go
index 5adc4d8548ee2..a847f005ae535 100644
--- a/integrations/api_ui_issue_stopwatch_test.go
+++ b/integrations/api_ui_issue_stopwatch_test.go
@@ -9,6 +9,7 @@ import (
 	"testing"
 
 	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/models/db"
 	api "code.gitea.io/gitea/modules/structs"
 
 	"github.com/stretchr/testify/assert"
@@ -17,16 +18,16 @@ import (
 func TestUIAPIListStopWatches(t *testing.T) {
 	defer prepareTestEnv(t)()
 
-	repo := models.AssertExistsAndLoadBean(t, &models.Repository{ID: 1}).(*models.Repository)
-	owner := models.AssertExistsAndLoadBean(t, &models.User{ID: repo.OwnerID}).(*models.User)
+	repo := db.AssertExistsAndLoadBean(t, &models.Repository{ID: 1}).(*models.Repository)
+	owner := db.AssertExistsAndLoadBean(t, &models.User{ID: repo.OwnerID}).(*models.User)
 
 	session := loginUser(t, owner.Name)
 	req := NewRequestf(t, "GET", "/api/ui/user/stopwatches")
 	resp := session.MakeRequest(t, req, http.StatusOK)
 	var apiWatches []*api.StopWatch
 	DecodeJSON(t, resp, &apiWatches)
-	stopwatch := models.AssertExistsAndLoadBean(t, &models.Stopwatch{UserID: owner.ID}).(*models.Stopwatch)
-	issue := models.AssertExistsAndLoadBean(t, &models.Issue{ID: stopwatch.IssueID}).(*models.Issue)
+	stopwatch := db.AssertExistsAndLoadBean(t, &models.Stopwatch{UserID: owner.ID}).(*models.Stopwatch)
+	issue := db.AssertExistsAndLoadBean(t, &models.Issue{ID: stopwatch.IssueID}).(*models.Issue)
 	if assert.Len(t, apiWatches, 1) {
 		assert.EqualValues(t, stopwatch.CreatedUnix.AsTime().Unix(), apiWatches[0].Created.Unix())
 		assert.EqualValues(t, issue.Index, apiWatches[0].IssueIndex)
diff --git a/integrations/api_ui_notification_test.go b/integrations/api_ui_notification_test.go
index 40c60e99871ef..9f442945786ee 100644
--- a/integrations/api_ui_notification_test.go
+++ b/integrations/api_ui_notification_test.go
@@ -10,6 +10,7 @@ import (
 	"testing"
 
 	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/models/db"
 	api "code.gitea.io/gitea/modules/structs"
 
 	"github.com/stretchr/testify/assert"
@@ -18,9 +19,9 @@ import (
 func TestNotification(t *testing.T) {
 	defer prepareTestEnv(t)()
 
-	user2 := models.AssertExistsAndLoadBean(t, &models.User{ID: 2}).(*models.User)
-	repo1 := models.AssertExistsAndLoadBean(t, &models.Repository{ID: 1}).(*models.Repository)
-	thread5 := models.AssertExistsAndLoadBean(t, &models.Notification{ID: 5}).(*models.Notification)
+	user2 := db.AssertExistsAndLoadBean(t, &models.User{ID: 2}).(*models.User)
+	repo1 := db.AssertExistsAndLoadBean(t, &models.Repository{ID: 1}).(*models.Repository)
+	thread5 := db.AssertExistsAndLoadBean(t, &models.Notification{ID: 5}).(*models.Notification)
 	assert.NoError(t, thread5.LoadAttributes())
 
 	token := getUserToken(t, user2.Name)
@@ -112,7 +113,7 @@ func TestNotification(t *testing.T) {
 	MakeRequest(t, req, http.StatusResetContent)
 
 	assert.Equal(t, models.NotificationStatusUnread, thread5.Status)
-	thread5 = models.AssertExistsAndLoadBean(t, &models.Notification{ID: 5}).(*models.Notification)
+	thread5 = db.AssertExistsAndLoadBean(t, &models.Notification{ID: 5}).(*models.Notification)
 	assert.Equal(t, models.NotificationStatusRead, thread5.Status)
 
 	// -- check notifications --
diff --git a/integrations/api_ui_repo_test.go b/integrations/api_ui_repo_test.go
index 18bdb62933cf3..949a515526572 100644
--- a/integrations/api_ui_repo_test.go
+++ b/integrations/api_ui_repo_test.go
@@ -10,6 +10,7 @@ import (
 	"testing"
 
 	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/modules/setting"
 	api "code.gitea.io/gitea/modules/structs"
 	"github.com/stretchr/testify/assert"
@@ -30,11 +31,11 @@ func TestAPIUISearchRepo(t *testing.T) {
 		assert.False(t, repo.Private)
 	}
 
-	user := models.AssertExistsAndLoadBean(t, &models.User{ID: 15}).(*models.User)
-	user2 := models.AssertExistsAndLoadBean(t, &models.User{ID: 16}).(*models.User)
-	user3 := models.AssertExistsAndLoadBean(t, &models.User{ID: 18}).(*models.User)
-	user4 := models.AssertExistsAndLoadBean(t, &models.User{ID: 20}).(*models.User)
-	orgUser := models.AssertExistsAndLoadBean(t, &models.User{ID: 17}).(*models.User)
+	user := db.AssertExistsAndLoadBean(t, &models.User{ID: 15}).(*models.User)
+	user2 := db.AssertExistsAndLoadBean(t, &models.User{ID: 16}).(*models.User)
+	user3 := db.AssertExistsAndLoadBean(t, &models.User{ID: 18}).(*models.User)
+	user4 := db.AssertExistsAndLoadBean(t, &models.User{ID: 20}).(*models.User)
+	orgUser := db.AssertExistsAndLoadBean(t, &models.User{ID: 17}).(*models.User)
 
 	oldAPIDefaultNum := setting.API.DefaultPagingNum
 	defer func() {
diff --git a/integrations/api_ui_user_search_test.go b/integrations/api_ui_user_search_test.go
index f7c1106163280..26ffbace7505a 100644
--- a/integrations/api_ui_user_search_test.go
+++ b/integrations/api_ui_user_search_test.go
@@ -10,6 +10,7 @@ import (
 	"testing"
 
 	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/modules/setting"
 
 	"github.com/stretchr/testify/assert"
@@ -45,7 +46,7 @@ func TestAPIUIUserSearchNotLoggedIn(t *testing.T) {
 	var modelUser *models.User
 	for _, user := range results.Data {
 		assert.Contains(t, user.UserName, query)
-		modelUser = models.AssertExistsAndLoadBean(t, &models.User{ID: user.ID}).(*models.User)
+		modelUser = db.AssertExistsAndLoadBean(t, &models.User{ID: user.ID}).(*models.User)
 		if modelUser.KeepEmailPrivate {
 			assert.EqualValues(t, fmt.Sprintf("%s@%s", modelUser.LowerName, setting.Service.NoReplyAddress), user.Email)
 		} else {
diff --git a/integrations/git_test.go b/integrations/git_test.go
index 5c990e0c6227d..ce0c2de791a32 100644
--- a/integrations/git_test.go
+++ b/integrations/git_test.go
@@ -373,7 +373,8 @@ func doBranchProtectPRMerge(baseCtx *TestContext, dstPath string) func(t *testin
 		t.Run("CreateBranchProtected", doGitCreateBranch(dstPath, "protected"))
 		t.Run("PushProtectedBranch", doGitPushTestRepository(dstPath, "origin", "protected"))
 
-		ctx := NewAPITestContext(t, baseCtx.Username, baseCtx.Reponame)
+		ctx := NewTestContext(t, baseCtx.Username, baseCtx.Reponame)
+		apiCtx := ctx.CreateAPITestContext(t)
 		t.Run("ProtectProtectedBranchNoWhitelist", doProtectBranch(ctx, "protected", "", ""))
 		t.Run("GenerateCommit", func(t *testing.T) {
 			_, err := generateCommitWithNewData(littleSize, dstPath, "user2@example.com", "User Two", "branch-data-file-")
@@ -384,7 +385,7 @@ func doBranchProtectPRMerge(baseCtx *TestContext, dstPath string) func(t *testin
 		var pr api.PullRequest
 		var err error
 		t.Run("CreatePullRequest", func(t *testing.T) {
-			pr, err = doCreatePullRequest(ctx, baseCtx.Username, baseCtx.Reponame, "protected", "unprotected")(t)
+			pr, err = doCreatePullRequest(apiCtx, baseCtx.Username, baseCtx.Reponame, "protected", "unprotected")(t)
 			assert.NoError(t, err)
 		})
 		t.Run("GenerateCommit", func(t *testing.T) {
@@ -394,11 +395,11 @@ func doBranchProtectPRMerge(baseCtx *TestContext, dstPath string) func(t *testin
 		t.Run("PushToUnprotectedBranch", doGitPushTestRepository(dstPath, "origin", "protected:unprotected-2"))
 		var pr2 api.PullRequest
 		t.Run("CreatePullRequest", func(t *testing.T) {
-			pr2, err = doCreatePullRequest(ctx, baseCtx.Username, baseCtx.Reponame, "unprotected", "unprotected-2")(t)
+			pr2, err = doCreatePullRequest(apiCtx, baseCtx.Username, baseCtx.Reponame, "unprotected", "unprotected-2")(t)
 			assert.NoError(t, err)
 		})
-		t.Run("MergePR2", doMergePullRequest(ctx, baseCtx.Username, baseCtx.Reponame, pr2.Index))
-		t.Run("MergePR", doMergePullRequest(ctx, baseCtx.Username, baseCtx.Reponame, pr.Index))
+		t.Run("MergePR2", doMergePullRequest(apiCtx, baseCtx.Username, baseCtx.Reponame, pr2.Index))
+		t.Run("MergePR", doMergePullRequest(apiCtx, baseCtx.Username, baseCtx.Reponame, pr.Index))
 		t.Run("PullProtected", doGitPull(dstPath, "origin", "protected"))
 
 		t.Run("ProtectProtectedBranchUnprotectedFilePaths", doProtectBranch(ctx, "protected", "", "unprotected-file-*"))
@@ -423,7 +424,7 @@ func doBranchProtectPRMerge(baseCtx *TestContext, dstPath string) func(t *testin
 	}
 }
 
-func doProtectBranch(ctx APITestContext, branch, userToWhitelist, unprotectedFilePatterns string) func(t *testing.T) {
+func doProtectBranch(ctx TestContext, branch string, userToWhitelist string, unprotectedFilePatterns string) func(t *testing.T) {
 	// We are going to just use the owner to set the protection.
 	return func(t *testing.T) {
 		csrf := GetCSRF(t, ctx.Session, fmt.Sprintf("/%s/%s/settings/branches", url.PathEscape(ctx.Username), url.PathEscape(ctx.Reponame)))
@@ -463,9 +464,11 @@ func doMergeFork(ctx, baseCtx TestContext, baseBranch, headBranch string) func(t
 		var pr api.PullRequest
 		var err error
 
+		apiCtx := ctx.CreateAPITestContext(t)
+
 		// Create a test pullrequest
 		t.Run("CreatePullRequest", func(t *testing.T) {
-			pr, err = doCreatePullRequest(ctx, baseCtx.Username, baseCtx.Reponame, baseBranch, headBranch)(t)
+			pr, err = doCreatePullRequest(apiCtx, baseCtx.Username, baseCtx.Reponame, baseBranch, headBranch)(t)
 			assert.NoError(t, err)
 		})
 
@@ -483,7 +486,7 @@ func doMergeFork(ctx, baseCtx TestContext, baseBranch, headBranch string) func(t
 		})
 
 		// Now: Merge the PR & make sure that doesn't break the PR page or change its diff
-		t.Run("MergePR", doMergePullRequest(baseCtx, baseCtx.Username, baseCtx.Reponame, pr.Index))
+		t.Run("MergePR", doMergePullRequest(apiCtx, baseCtx.Username, baseCtx.Reponame, pr.Index))
 		t.Run("EnsureCanSeePull", doEnsureCanSeePull(baseCtx, pr))
 		t.Run("CheckPR", func(t *testing.T) {
 			oldMergeBase := pr.MergeBase
@@ -526,7 +529,8 @@ func doCreatePRAndSetManuallyMerged(ctx, baseCtx TestContext, dstPath, baseBranc
 		t.Run("CreateHeadBranch", doGitCreateBranch(dstPath, headBranch))
 		t.Run("PushToHeadBranch", doGitPushTestRepository(dstPath, "origin", headBranch))
 		t.Run("CreateEmptyPullRequest", func(t *testing.T) {
-			pr, err = doCreatePullRequest(ctx, baseCtx.Username, baseCtx.Reponame, baseBranch, headBranch)(t)
+			apiCtx := ctx.CreateAPITestContext(t)
+			pr, err = doCreatePullRequest(apiCtx, baseCtx.Username, baseCtx.Reponame, baseBranch, headBranch)(t)
 			assert.NoError(t, err)
 		})
 		lastCommitID = pr.Base.Sha
@@ -750,7 +754,7 @@ func doCreateAgitFlowPull(dstPath string, ctx *TestContext, baseBranch, headBran
 				return
 			}
 			unittest.AssertCount(t, &models.PullRequest{}, pullNum+2)
-			prMsg, err := doAPIGetPullRequest(*ctx, ctx.Username, ctx.Reponame, pr1.Index)(t)
+			prMsg, err := doGetPullRequest(*ctx, ctx.Username, ctx.Reponame, pr1.Index)(t)
 			if !assert.NoError(t, err) {
 				return
 			}
@@ -762,14 +766,15 @@ func doCreateAgitFlowPull(dstPath string, ctx *TestContext, baseBranch, headBran
 				return
 			}
 			unittest.AssertCount(t, &models.PullRequest{}, pullNum+2)
-			prMsg, err = doAPIGetPullRequest(*ctx, ctx.Username, ctx.Reponame, pr2.Index)(t)
+			prMsg, err = doGetPullRequest(*ctx, ctx.Username, ctx.Reponame, pr2.Index)(t)
 			if !assert.NoError(t, err) {
 				return
 			}
 			assert.Equal(t, false, prMsg.HasMerged)
 			assert.Equal(t, commit, prMsg.Head.Sha)
 		})
-		t.Run("Merge", doMergePullRequest(*ctx, ctx.Username, ctx.Reponame, pr1.Index))
+		apiCtx := ctx.CreateAPITestContext(t)
+		t.Run("Merge", doMergePullRequest(apiCtx, ctx.Username, ctx.Reponame, pr1.Index))
 		t.Run("CheckoutMasterAgain", doGitCheckoutBranch(dstPath, "master"))
 	}
 }

From a10a1c8ab0639ce110e6632e02e3ef1bc17e4197 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Fri, 15 Oct 2021 16:06:33 +0800
Subject: [PATCH 18/26] Fix test

---
 integrations/api_ui_helper_for_declarative_test.go | 14 +++++++-------
 integrations/git_test.go                           |  6 +++---
 routers/api/ui/api.go                              |  3 +++
 3 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/integrations/api_ui_helper_for_declarative_test.go b/integrations/api_ui_helper_for_declarative_test.go
index 6707307e651d3..fc8aeec8e43c0 100644
--- a/integrations/api_ui_helper_for_declarative_test.go
+++ b/integrations/api_ui_helper_for_declarative_test.go
@@ -208,16 +208,16 @@ func doGetPullRequest(ctx TestContext, owner, repo string, index int64) func(*te
 	}
 }
 
-func doMergePullRequest(apiCtx APITestContext, owner, repo string, index int64) func(*testing.T) {
+func doMergePullRequest(ctx TestContext, owner, repo string, index int64) func(*testing.T) {
 	return func(t *testing.T) {
-		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/merge",
+		urlStr := fmt.Sprintf("/api/ui/repos/%s/%s/pulls/%d/merge",
 			owner, repo, index)
 		req := NewRequestWithJSON(t, http.MethodPost, urlStr, &forms.MergePullRequestForm{
-			MergeMessageField: "doAPIMergePullRequest Merge",
+			MergeMessageField: "doMergePullRequest Merge",
 			Do:                string(models.MergeStyleMerge),
 		})
 
-		resp := apiCtx.MakeRequest(t, req, NoExpectedStatus)
+		resp := MakeRequest(t, req, NoExpectedStatus)
 
 		if resp.Code == http.StatusMethodNotAllowed {
 			err := api.APIError{}
@@ -225,13 +225,13 @@ func doMergePullRequest(apiCtx APITestContext, owner, repo string, index int64)
 			assert.EqualValues(t, "Please try again later", err.Message)
 			queue.GetManager().FlushAll(context.Background(), 5*time.Second)
 			req = NewRequestWithJSON(t, http.MethodPost, urlStr, &forms.MergePullRequestForm{
-				MergeMessageField: "doAPIMergePullRequest Merge",
+				MergeMessageField: "doMergePullRequest Merge",
 				Do:                string(models.MergeStyleMerge),
 			})
-			resp = apiCtx.MakeRequest(t, req, NoExpectedStatus)
+			resp = MakeRequest(t, req, NoExpectedStatus)
 		}
 
-		expected := apiCtx.ExpectedCode
+		expected := ctx.ExpectedCode
 		if expected == 0 {
 			expected = 200
 		}
diff --git a/integrations/git_test.go b/integrations/git_test.go
index ce0c2de791a32..5441bcb69d0f4 100644
--- a/integrations/git_test.go
+++ b/integrations/git_test.go
@@ -398,8 +398,8 @@ func doBranchProtectPRMerge(baseCtx *TestContext, dstPath string) func(t *testin
 			pr2, err = doCreatePullRequest(apiCtx, baseCtx.Username, baseCtx.Reponame, "unprotected", "unprotected-2")(t)
 			assert.NoError(t, err)
 		})
-		t.Run("MergePR2", doMergePullRequest(apiCtx, baseCtx.Username, baseCtx.Reponame, pr2.Index))
-		t.Run("MergePR", doMergePullRequest(apiCtx, baseCtx.Username, baseCtx.Reponame, pr.Index))
+		t.Run("MergePR2", doMergePullRequest(ctx, baseCtx.Username, baseCtx.Reponame, pr2.Index))
+		t.Run("MergePR", doMergePullRequest(ctx, baseCtx.Username, baseCtx.Reponame, pr.Index))
 		t.Run("PullProtected", doGitPull(dstPath, "origin", "protected"))
 
 		t.Run("ProtectProtectedBranchUnprotectedFilePaths", doProtectBranch(ctx, "protected", "", "unprotected-file-*"))
@@ -486,7 +486,7 @@ func doMergeFork(ctx, baseCtx TestContext, baseBranch, headBranch string) func(t
 		})
 
 		// Now: Merge the PR & make sure that doesn't break the PR page or change its diff
-		t.Run("MergePR", doMergePullRequest(apiCtx, baseCtx.Username, baseCtx.Reponame, pr.Index))
+		t.Run("MergePR", doMergePullRequest(ctx, baseCtx.Username, baseCtx.Reponame, pr.Index))
 		t.Run("EnsureCanSeePull", doEnsureCanSeePull(baseCtx, pr))
 		t.Run("CheckPR", func(t *testing.T) {
 			oldMergeBase := pr.MergeBase
diff --git a/routers/api/ui/api.go b/routers/api/ui/api.go
index 6744a2d0d4860..d2472a3a8abbc 100644
--- a/routers/api/ui/api.go
+++ b/routers/api/ui/api.go
@@ -21,6 +21,7 @@ import (
 	"code.gitea.io/gitea/routers/api/v1/user"
 	"code.gitea.io/gitea/routers/common"
 	"code.gitea.io/gitea/services/auth"
+	"code.gitea.io/gitea/services/forms"
 
 	"gitea.com/go-chi/binding"
 	"github.com/go-chi/cors"
@@ -329,6 +330,8 @@ func Routes(sess func(next http.Handler) http.Handler) *web.Route {
 							Patch(reqToken(), bind(api.EditIssueOption{}), repo.EditIssue)
 					})
 				}, mustEnableIssuesOrPulls)
+
+				m.Post("/pulls/{index}/merge", reqToken(), mustNotBeArchived, bind(forms.MergePullRequestForm{}), repo.MergePullRequest)
 			}, repoAssignment())
 		})
 

From 7b70c7a5c6763feff9d502211768b297ba2de213 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Fri, 15 Oct 2021 16:13:47 +0800
Subject: [PATCH 19/26] Fix lint

---
 integrations/git_test.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/integrations/git_test.go b/integrations/git_test.go
index 5441bcb69d0f4..472b8ae53ae29 100644
--- a/integrations/git_test.go
+++ b/integrations/git_test.go
@@ -773,8 +773,7 @@ func doCreateAgitFlowPull(dstPath string, ctx *TestContext, baseBranch, headBran
 			assert.Equal(t, false, prMsg.HasMerged)
 			assert.Equal(t, commit, prMsg.Head.Sha)
 		})
-		apiCtx := ctx.CreateAPITestContext(t)
-		t.Run("Merge", doMergePullRequest(apiCtx, ctx.Username, ctx.Reponame, pr1.Index))
+		t.Run("Merge", doMergePullRequest(*ctx, ctx.Username, ctx.Reponame, pr1.Index))
 		t.Run("CheckoutMasterAgain", doGitCheckoutBranch(dstPath, "master"))
 	}
 }

From 53a31d8748c561ae1f9eb98f5b394350ac4c7d03 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Thu, 21 Oct 2021 13:43:10 +0800
Subject: [PATCH 20/26] merge main branch

---
 modules/session/store.go                  | 29 -----------------------
 web_src/js/features/comp/SearchUserBox.js |  2 +-
 web_src/js/features/org-team.js           |  2 +-
 web_src/js/features/repo-home.js          |  2 +-
 web_src/js/features/repo-issue.js         |  6 ++---
 web_src/js/features/repo-settings.js      |  2 +-
 web_src/js/features/repo-template.js      |  2 +-
 7 files changed, 8 insertions(+), 37 deletions(-)

diff --git a/modules/session/store.go b/modules/session/store.go
index 5df7d4f925412..aad64ffe37851 100644
--- a/modules/session/store.go
+++ b/modules/session/store.go
@@ -16,32 +16,3 @@ type Store interface {
 	Set(interface{}, interface{}) error
 	Delete(interface{}) error
 }
-
-// RegenerateSession regenerates the underlying session and returns the new store
-func RegenerateSession(resp http.ResponseWriter, req *http.Request) (Store, error) {
-	s, err := session.RegenerateSession(resp, req)
-	return s, err
-}
-
-// EmptyStore represents an empty store
-type EmptyStore struct{}
-
-// NewEmptyStore returns an EmptyStore
-func NewEmptyStore() *EmptyStore {
-	return &EmptyStore{}
-}
-
-// Get implements Store
-func (EmptyStore) Get(interface{}) interface{} {
-	return nil
-}
-
-// Set implements Store
-func (EmptyStore) Set(interface{}, interface{}) error {
-	return nil
-}
-
-// Delete implements Store
-func (EmptyStore) Delete(interface{}) error {
-	return nil
-}
diff --git a/web_src/js/features/comp/SearchUserBox.js b/web_src/js/features/comp/SearchUserBox.js
index 18b67919b5bd0..4734f853728bd 100644
--- a/web_src/js/features/comp/SearchUserBox.js
+++ b/web_src/js/features/comp/SearchUserBox.js
@@ -8,7 +8,7 @@ export function initCompSearchUserBox() {
   $searchUserBox.search({
     minCharacters: 2,
     apiSettings: {
-      url: `${appSubUrl}/api/v1/users/search?q={query}`,
+      url: `${appSubUrl}/api/ui/users/search?q={query}`,
       onResponse(response) {
         const items = [];
         const searchQueryUppercase = $searchUserBox.find('input').val().toUpperCase();
diff --git a/web_src/js/features/org-team.js b/web_src/js/features/org-team.js
index 1a045022d2000..37dd4fcde9aa7 100644
--- a/web_src/js/features/org-team.js
+++ b/web_src/js/features/org-team.js
@@ -20,7 +20,7 @@ export function initOrgTeamSearchRepoBox() {
   $searchRepoBox.search({
     minCharacters: 2,
     apiSettings: {
-      url: `${appSubUrl}/api/v1/repos/search?q={query}&uid=${$searchRepoBox.data('uid')}`,
+      url: `${appSubUrl}/api/ui/repos/search?q={query}&uid=${$searchRepoBox.data('uid')}`,
       onResponse(response) {
         const items = [];
         $.each(response.data, (_i, item) => {
diff --git a/web_src/js/features/repo-home.js b/web_src/js/features/repo-home.js
index c718bd75d8cab..0539a33412d6c 100644
--- a/web_src/js/features/repo-home.js
+++ b/web_src/js/features/repo-home.js
@@ -91,7 +91,7 @@ export function initRepoTopicBar() {
       label: 'ui small label'
     },
     apiSettings: {
-      url: `${appSubUrl}/api/v1/topics/search?q={query}`,
+      url: `${appSubUrl}/api/ui/topics/search?q={query}`,
       throttle: 500,
       cache: false,
       onResponse(res) {
diff --git a/web_src/js/features/repo-issue.js b/web_src/js/features/repo-issue.js
index 43ce8a9f1b1f9..d7f09919d0c21 100644
--- a/web_src/js/features/repo-issue.js
+++ b/web_src/js/features/repo-issue.js
@@ -91,9 +91,9 @@ export function initRepoIssueList() {
   const repoId = $('#repoId').val();
   const crossRepoSearch = $('#crossRepoSearch').val();
   const tp = $('#type').val();
-  let issueSearchUrl = `${appSubUrl}/api/v1/repos/${repolink}/issues?q={query}&type=${tp}`;
+  let issueSearchUrl = `${appSubUrl}/api/ui/repos/${repolink}/issues?q={query}&type=${tp}`;
   if (crossRepoSearch === 'true') {
-    issueSearchUrl = `${appSubUrl}/api/v1/repos/issues/search?q={query}&priority_repo_id=${repoId}&type=${tp}`;
+    issueSearchUrl = `${appSubUrl}/api/ui/repos/issues/search?q={query}&priority_repo_id=${repoId}&type=${tp}`;
   }
   $('#new-dependency-drop-list')
     .dropdown({
@@ -292,7 +292,7 @@ export function initRepoIssueReferenceRepositorySearch() {
   $('.issue_reference_repository_search')
     .dropdown({
       apiSettings: {
-        url: `${appSubUrl}/api/v1/repos/search?q={query}&limit=20`,
+        url: `${appSubUrl}/api/ui/repos/search?q={query}&limit=20`,
         onResponse(response) {
           const filteredResponse = {success: true, results: []};
           $.each(response.data, (_r, repo) => {
diff --git a/web_src/js/features/repo-settings.js b/web_src/js/features/repo-settings.js
index dcb07883507de..06414f6811a6e 100644
--- a/web_src/js/features/repo-settings.js
+++ b/web_src/js/features/repo-settings.js
@@ -21,7 +21,7 @@ export function initRepoSettingSearchTeamBox() {
   $searchTeamBox.search({
     minCharacters: 2,
     apiSettings: {
-      url: `${appSubUrl}/api/v1/orgs/${$searchTeamBox.data('org')}/teams/search?q={query}`,
+      url: `${appSubUrl}/api/ui/orgs/${$searchTeamBox.data('org')}/teams/search?q={query}`,
       headers: {'X-Csrf-Token': csrfToken},
       onResponse(response) {
         const items = [];
diff --git a/web_src/js/features/repo-template.js b/web_src/js/features/repo-template.js
index e387678909f38..6b560e81b31dd 100644
--- a/web_src/js/features/repo-template.js
+++ b/web_src/js/features/repo-template.js
@@ -23,7 +23,7 @@ export function initRepoTemplateSearch() {
     $('#repo_template_search')
       .dropdown({
         apiSettings: {
-          url: `${appSubUrl}/api/v1/repos/search?q={query}&template=true&priority_owner_id=${$('#uid').val()}`,
+          url: `${appSubUrl}/api/ui/repos/search?q={query}&template=true&priority_owner_id=${$('#uid').val()}`,
           onResponse(response) {
             const filteredResponse = {success: true, results: []};
             filteredResponse.results.push({

From 76ff5a8aed71155ed882890e67e33de835576efd Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Thu, 21 Oct 2021 22:55:31 +0800
Subject: [PATCH 21/26] improve code

---
 .../api_helper_for_declarative_test.go        |  53 ++++--
 .../api_ui_helper_for_declarative_test.go     | 152 +-----------------
 integrations/git_test.go                      |  39 +++--
 3 files changed, 68 insertions(+), 176 deletions(-)

diff --git a/integrations/api_helper_for_declarative_test.go b/integrations/api_helper_for_declarative_test.go
index def817cc72064..2375abc52b0e5 100644
--- a/integrations/api_helper_for_declarative_test.go
+++ b/integrations/api_helper_for_declarative_test.go
@@ -76,12 +76,12 @@ func doAPICreateRepository(ctx APITestContext, empty bool, callback ...func(*tes
 
 func doAPIEditRepository(ctx APITestContext, editRepoOption *api.EditRepoOption, callback ...func(*testing.T, api.Repository)) func(*testing.T) {
 	return func(t *testing.T) {
-		req := NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s?token=%s", url.PathEscape(ctx.Username), url.PathEscape(ctx.Reponame), ctx.Token), editRepoOption)
+		req := NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s", url.PathEscape(ctx.Username), url.PathEscape(ctx.Reponame)), editRepoOption)
 		if ctx.ExpectedCode != 0 {
-			MakeRequest(t, req, ctx.ExpectedCode)
+			ctx.MakeRequest(t, req, ctx.ExpectedCode)
 			return
 		}
-		resp := MakeRequest(t, req, http.StatusOK)
+		resp := ctx.MakeRequest(t, req, http.StatusOK)
 
 		var repository api.Repository
 		DecodeJSON(t, resp, &repository)
@@ -103,24 +103,24 @@ func doAPIAddCollaborator(ctx APITestContext, username string, mode perm.AccessM
 		addCollaboratorOption := &api.AddCollaboratorOption{
 			Permission: &permission,
 		}
-		req := NewRequestWithJSON(t, "PUT", fmt.Sprintf("/api/v1/repos/%s/%s/collaborators/%s?token=%s", ctx.Username, ctx.Reponame, username, ctx.Token), addCollaboratorOption)
+		req := NewRequestWithJSON(t, "PUT", fmt.Sprintf("/api/v1/repos/%s/%s/collaborators/%s", ctx.Username, ctx.Reponame, username), addCollaboratorOption)
 		if ctx.ExpectedCode != 0 {
-			MakeRequest(t, req, ctx.ExpectedCode)
+			ctx.MakeRequest(t, req, ctx.ExpectedCode)
 			return
 		}
-		MakeRequest(t, req, http.StatusNoContent)
+		ctx.MakeRequest(t, req, http.StatusNoContent)
 	}
 }
 
 func doAPIForkRepository(ctx APITestContext, username string, callback ...func(*testing.T, api.Repository)) func(*testing.T) {
 	return func(t *testing.T) {
 		createForkOption := &api.CreateForkOption{}
-		req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/forks?token=%s", username, ctx.Reponame, ctx.Token), createForkOption)
+		req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/forks", username, ctx.Reponame), createForkOption)
 		if ctx.ExpectedCode != 0 {
-			MakeRequest(t, req, ctx.ExpectedCode)
+			ctx.MakeRequest(t, req, ctx.ExpectedCode)
 			return
 		}
-		resp := MakeRequest(t, req, http.StatusAccepted)
+		resp := ctx.MakeRequest(t, req, http.StatusAccepted)
 		var repository api.Repository
 		DecodeJSON(t, resp, &repository)
 		if len(callback) > 0 {
@@ -259,6 +259,41 @@ func doAPIGetPullRequest(ctx APITestContext, owner, repo string, index int64) fu
 	}
 }
 
+func doAPIGetPullRequest(ctx APITestContext, owner, repo string, index int64) func(*testing.T) (api.PullRequest, error) {
+	return func(t *testing.T) (api.PullRequest, error) {
+		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d", owner, repo, index)
+		req := NewRequest(t, http.MethodGet, urlStr)
+
+		expected := 200
+		if ctx.ExpectedCode != 0 {
+			expected = ctx.ExpectedCode
+		}
+		resp := ctx.MakeRequest(t, req, expected)
+
+		decoder := json.NewDecoder(resp.Body)
+		pr := api.PullRequest{}
+		err := decoder.Decode(&pr)
+		return pr, err
+	}
+}
+
+func doAPIManuallyMergePullRequest(ctx APITestContext, owner, repo, commitID string, index int64) func(*testing.T) {
+	return func(t *testing.T) {
+		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/merge",
+			owner, repo, index)
+		req := NewRequestWithJSON(t, http.MethodPost, urlStr, &forms.MergePullRequestForm{
+			Do:            string(models.MergeStyleManuallyMerged),
+			MergeCommitID: commitID,
+		})
+
+		if ctx.ExpectedCode != 0 {
+			ctx.MakeRequest(t, req, ctx.ExpectedCode)
+			return
+		}
+		ctx.MakeRequest(t, req, 200)
+	}
+}
+
 func doAPIMergePullRequest(ctx APITestContext, owner, repo string, index int64) func(*testing.T) {
 	return func(t *testing.T) {
 		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/merge?token=%s",
diff --git a/integrations/api_ui_helper_for_declarative_test.go b/integrations/api_ui_helper_for_declarative_test.go
index fc8aeec8e43c0..5dadfc525cfea 100644
--- a/integrations/api_ui_helper_for_declarative_test.go
+++ b/integrations/api_ui_helper_for_declarative_test.go
@@ -9,12 +9,10 @@ import (
 	"fmt"
 	"io/ioutil"
 	"net/http"
-	"net/url"
 	"testing"
 	"time"
 
 	"code.gitea.io/gitea/models"
-	"code.gitea.io/gitea/modules/json"
 	"code.gitea.io/gitea/modules/queue"
 	api "code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/services/forms"
@@ -44,34 +42,6 @@ func (ctx TestContext) CreateAPITestContext(t *testing.T) APITestContext {
 	return NewAPITestContext(t, ctx.Username, ctx.Reponame)
 }
 
-func doCreateRepository(ctx TestContext, empty bool, callback ...func(*testing.T, api.Repository)) func(*testing.T) {
-	return func(t *testing.T) {
-		createRepoOption := &api.CreateRepoOption{
-			AutoInit:    !empty,
-			Description: "Temporary repo",
-			Name:        ctx.Reponame,
-			Private:     true,
-			Template:    true,
-			Gitignores:  "",
-			License:     "WTFPL",
-			Readme:      "Default",
-		}
-		req := NewRequestWithJSON(t, "POST", "/api/v1/user/repos", createRepoOption)
-		apiCtx := ctx.CreateAPITestContext(t)
-		if ctx.ExpectedCode != 0 {
-			apiCtx.MakeRequest(t, req, ctx.ExpectedCode)
-			return
-		}
-		resp := apiCtx.MakeRequest(t, req, http.StatusCreated)
-
-		var repository api.Repository
-		DecodeJSON(t, resp, &repository)
-		if len(callback) > 0 {
-			callback[0](t, repository)
-		}
-	}
-}
-
 func doDeleteRepository(ctx TestContext) func(*testing.T) {
 	return func(t *testing.T) {
 		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s", ctx.Username, ctx.Reponame)
@@ -85,86 +55,6 @@ func doDeleteRepository(ctx TestContext) func(*testing.T) {
 	}
 }
 
-func doAddCollaborator(ctx TestContext, username string, mode models.AccessMode) func(*testing.T) {
-	return func(t *testing.T) {
-		permission := "read"
-
-		if mode == models.AccessModeAdmin {
-			permission = "admin"
-		} else if mode > models.AccessModeRead {
-			permission = "write"
-		}
-		addCollaboratorOption := &api.AddCollaboratorOption{
-			Permission: &permission,
-		}
-		apiCtx := ctx.CreateAPITestContext(t)
-		req := NewRequestWithJSON(t, "PUT", fmt.Sprintf("/api/v1/repos/%s/%s/collaborators/%s", ctx.Username, ctx.Reponame, username), addCollaboratorOption)
-		if ctx.ExpectedCode != 0 {
-			apiCtx.MakeRequest(t, req, ctx.ExpectedCode)
-			return
-		}
-		apiCtx.MakeRequest(t, req, http.StatusNoContent)
-	}
-}
-
-func doForkRepository(ctx TestContext, username string, callback ...func(*testing.T, api.Repository)) func(*testing.T) {
-	return func(t *testing.T) {
-		createForkOption := &api.CreateForkOption{}
-		apiCtx := ctx.CreateAPITestContext(t)
-		req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/forks", username, ctx.Reponame), createForkOption)
-		if ctx.ExpectedCode != 0 {
-			apiCtx.MakeRequest(t, req, ctx.ExpectedCode)
-			return
-		}
-		resp := apiCtx.MakeRequest(t, req, http.StatusAccepted)
-		var repository api.Repository
-		DecodeJSON(t, resp, &repository)
-		if len(callback) > 0 {
-			callback[0](t, repository)
-		}
-	}
-}
-
-func doEditRepository(ctx TestContext, editRepoOption *api.EditRepoOption, callback ...func(*testing.T, api.Repository)) func(*testing.T) {
-	return func(t *testing.T) {
-		apiCtx := ctx.CreateAPITestContext(t)
-		req := NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s", url.PathEscape(ctx.Username), url.PathEscape(ctx.Reponame)), editRepoOption)
-		if ctx.ExpectedCode != 0 {
-			apiCtx.MakeRequest(t, req, ctx.ExpectedCode)
-			return
-		}
-		resp := apiCtx.MakeRequest(t, req, http.StatusOK)
-
-		var repository api.Repository
-		DecodeJSON(t, resp, &repository)
-		if len(callback) > 0 {
-			callback[0](t, repository)
-		}
-	}
-}
-
-func doCreatePullRequest(ctx APITestContext, owner, repo, baseBranch, headBranch string) func(*testing.T) (api.PullRequest, error) {
-	return func(t *testing.T) (api.PullRequest, error) {
-		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/pulls", owner, repo)
-		req := NewRequestWithJSON(t, http.MethodPost, urlStr, &api.CreatePullRequestOption{
-			Head:  headBranch,
-			Base:  baseBranch,
-			Title: fmt.Sprintf("create a pr from %s to %s", headBranch, baseBranch),
-		})
-
-		expected := 201
-		if ctx.ExpectedCode != 0 {
-			expected = ctx.ExpectedCode
-		}
-
-		resp := ctx.MakeRequest(t, req, expected)
-		decoder := json.NewDecoder(resp.Body)
-		pr := api.PullRequest{}
-		err := decoder.Decode(&pr)
-		return pr, err
-	}
-}
-
 func doCreateUserKey(ctx TestContext, keyname, keyFile string, callback ...func(*testing.T, api.PublicKey)) func(*testing.T) {
 	return func(t *testing.T) {
 		urlStr := "/api/v1/user/keys"
@@ -189,25 +79,6 @@ func doCreateUserKey(ctx TestContext, keyname, keyFile string, callback ...func(
 	}
 }
 
-func doGetPullRequest(ctx TestContext, owner, repo string, index int64) func(*testing.T) (api.PullRequest, error) {
-	return func(t *testing.T) (api.PullRequest, error) {
-		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d", owner, repo, index)
-		req := NewRequest(t, http.MethodGet, urlStr)
-
-		expected := 200
-		if ctx.ExpectedCode != 0 {
-			expected = ctx.ExpectedCode
-		}
-		apiCtx := ctx.CreateAPITestContext(t)
-		resp := apiCtx.MakeRequest(t, req, expected)
-
-		decoder := json.NewDecoder(resp.Body)
-		pr := api.PullRequest{}
-		err := decoder.Decode(&pr)
-		return pr, err
-	}
-}
-
 func doMergePullRequest(ctx TestContext, owner, repo string, index int64) func(*testing.T) {
 	return func(t *testing.T) {
 		urlStr := fmt.Sprintf("/api/ui/repos/%s/%s/pulls/%d/merge",
@@ -217,7 +88,7 @@ func doMergePullRequest(ctx TestContext, owner, repo string, index int64) func(*
 			Do:                string(models.MergeStyleMerge),
 		})
 
-		resp := MakeRequest(t, req, NoExpectedStatus)
+		resp := ctx.Session.MakeRequest(t, req, NoExpectedStatus)
 
 		if resp.Code == http.StatusMethodNotAllowed {
 			err := api.APIError{}
@@ -228,7 +99,7 @@ func doMergePullRequest(ctx TestContext, owner, repo string, index int64) func(*
 				MergeMessageField: "doMergePullRequest Merge",
 				Do:                string(models.MergeStyleMerge),
 			})
-			resp = MakeRequest(t, req, NoExpectedStatus)
+			resp = ctx.Session.MakeRequest(t, req, NoExpectedStatus)
 		}
 
 		expected := ctx.ExpectedCode
@@ -242,22 +113,3 @@ func doMergePullRequest(ctx TestContext, owner, repo string, index int64) func(*
 		}
 	}
 }
-
-func doManuallyMergePullRequest(ctx TestContext, owner, repo, commitID string, index int64) func(*testing.T) {
-	return func(t *testing.T) {
-		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/merge",
-			owner, repo, index)
-		req := NewRequestWithJSON(t, http.MethodPost, urlStr, &forms.MergePullRequestForm{
-			Do:            string(models.MergeStyleManuallyMerged),
-			MergeCommitID: commitID,
-		})
-
-		apiCtx := ctx.CreateAPITestContext(t)
-
-		if ctx.ExpectedCode != 0 {
-			apiCtx.MakeRequest(t, req, ctx.ExpectedCode)
-			return
-		}
-		apiCtx.MakeRequest(t, req, 200)
-	}
-}
diff --git a/integrations/git_test.go b/integrations/git_test.go
index 472b8ae53ae29..97e5d8d411c4b 100644
--- a/integrations/git_test.go
+++ b/integrations/git_test.go
@@ -59,10 +59,12 @@ func testGit(t *testing.T, u *url.URL) {
 		assert.NoError(t, err)
 		defer util.RemoveAll(dstPath)
 
-		t.Run("CreateRepoInDifferentUser", doCreateRepository(forkedUserCtx, false))
-		t.Run("AddUserAsCollaborator", doAddCollaborator(forkedUserCtx, httpContext.Username, perm.AccessModeRead))
+		apiForkedUserCtx := forkedUserCtx.CreateAPITestContext(t)
 
-		t.Run("ForkFromDifferentUser", doForkRepository(httpContext, forkedUserCtx.Username))
+		t.Run("CreateRepoInDifferentUser", doAPICreateRepository(apiForkedUserCtx, false))
+		t.Run("AddUserAsCollaborator", doAPIAddCollaborator(apiForkedUserCtx, httpContext.Username, perm.AccessModeRead))
+
+		t.Run("ForkFromDifferentUser", doAPIForkRepository(apiForkedUserCtx, forkedUserCtx.Username))
 
 		u.Path = httpContext.GitPath()
 		u.User = url.UserPassword(username, userPassword)
@@ -98,9 +100,11 @@ func testGit(t *testing.T, u *url.URL) {
 		sshContext.Reponame = "repo-tmp-18"
 		keyname := "my-testing-key"
 		forkedUserCtx.Reponame = sshContext.Reponame
-		t.Run("CreateRepoInDifferentUser", doCreateRepository(forkedUserCtx, false))
-		t.Run("AddUserAsCollaborator", doAddCollaborator(forkedUserCtx, sshContext.Username, perm.AccessModeRead))
-		t.Run("ForkFromDifferentUser", doForkRepository(sshContext, forkedUserCtx.Username))
+
+		apiForkedUserCtx := forkedUserCtx.CreateAPITestContext(t)
+		t.Run("CreateRepoInDifferentUser", doAPICreateRepository(apiForkedUserCtx, false))
+		t.Run("AddUserAsCollaborator", doAPIAddCollaborator(apiForkedUserCtx, sshContext.Username, perm.AccessModeRead))
+		t.Run("ForkFromDifferentUser", doAPIForkRepository(sshContext.CreateAPITestContext(t), forkedUserCtx.Username))
 
 		// Setup key the user ssh key
 		withKeyFile(t, keyname, func(keyFile string) {
@@ -385,7 +389,7 @@ func doBranchProtectPRMerge(baseCtx *TestContext, dstPath string) func(t *testin
 		var pr api.PullRequest
 		var err error
 		t.Run("CreatePullRequest", func(t *testing.T) {
-			pr, err = doCreatePullRequest(apiCtx, baseCtx.Username, baseCtx.Reponame, "protected", "unprotected")(t)
+			pr, err = doAPICreatePullRequest(apiCtx, baseCtx.Username, baseCtx.Reponame, "protected", "unprotected")(t)
 			assert.NoError(t, err)
 		})
 		t.Run("GenerateCommit", func(t *testing.T) {
@@ -395,7 +399,7 @@ func doBranchProtectPRMerge(baseCtx *TestContext, dstPath string) func(t *testin
 		t.Run("PushToUnprotectedBranch", doGitPushTestRepository(dstPath, "origin", "protected:unprotected-2"))
 		var pr2 api.PullRequest
 		t.Run("CreatePullRequest", func(t *testing.T) {
-			pr2, err = doCreatePullRequest(apiCtx, baseCtx.Username, baseCtx.Reponame, "unprotected", "unprotected-2")(t)
+			pr2, err = doAPICreatePullRequest(apiCtx, baseCtx.Username, baseCtx.Reponame, "unprotected", "unprotected-2")(t)
 			assert.NoError(t, err)
 		})
 		t.Run("MergePR2", doMergePullRequest(ctx, baseCtx.Username, baseCtx.Reponame, pr2.Index))
@@ -468,7 +472,7 @@ func doMergeFork(ctx, baseCtx TestContext, baseBranch, headBranch string) func(t
 
 		// Create a test pullrequest
 		t.Run("CreatePullRequest", func(t *testing.T) {
-			pr, err = doCreatePullRequest(apiCtx, baseCtx.Username, baseCtx.Reponame, baseBranch, headBranch)(t)
+			pr, err = doAPICreatePullRequest(apiCtx, baseCtx.Username, baseCtx.Reponame, baseBranch, headBranch)(t)
 			assert.NoError(t, err)
 		})
 
@@ -490,7 +494,7 @@ func doMergeFork(ctx, baseCtx TestContext, baseBranch, headBranch string) func(t
 		t.Run("EnsureCanSeePull", doEnsureCanSeePull(baseCtx, pr))
 		t.Run("CheckPR", func(t *testing.T) {
 			oldMergeBase := pr.MergeBase
-			pr2, err := doGetPullRequest(baseCtx, baseCtx.Username, baseCtx.Reponame, pr.Index)(t)
+			pr2, err := doAPIGetPullRequest(baseCtx.CreateAPITestContext(t), baseCtx.Username, baseCtx.Reponame, pr.Index)(t)
 			assert.NoError(t, err)
 			assert.Equal(t, oldMergeBase, pr2.MergeBase)
 		})
@@ -520,7 +524,7 @@ func doCreatePRAndSetManuallyMerged(ctx, baseCtx TestContext, dstPath, baseBranc
 		trueBool := true
 		falseBool := false
 
-		t.Run("AllowSetManuallyMergedAndSwitchOffAutodetectManualMerge", doEditRepository(baseCtx, &api.EditRepoOption{
+		t.Run("AllowSetManuallyMergedAndSwitchOffAutodetectManualMerge", doAPIEditRepository(baseCtx.CreateAPITestContext(t), &api.EditRepoOption{
 			HasPullRequests:       &trueBool,
 			AllowManualMerge:      &trueBool,
 			AutodetectManualMerge: &falseBool,
@@ -530,11 +534,11 @@ func doCreatePRAndSetManuallyMerged(ctx, baseCtx TestContext, dstPath, baseBranc
 		t.Run("PushToHeadBranch", doGitPushTestRepository(dstPath, "origin", headBranch))
 		t.Run("CreateEmptyPullRequest", func(t *testing.T) {
 			apiCtx := ctx.CreateAPITestContext(t)
-			pr, err = doCreatePullRequest(apiCtx, baseCtx.Username, baseCtx.Reponame, baseBranch, headBranch)(t)
+			pr, err = doAPICreatePullRequest(apiCtx, baseCtx.Username, baseCtx.Reponame, baseBranch, headBranch)(t)
 			assert.NoError(t, err)
 		})
 		lastCommitID = pr.Base.Sha
-		t.Run("ManuallyMergePR", doManuallyMergePullRequest(ctx, baseCtx.Username, baseCtx.Reponame, lastCommitID, pr.Index))
+		t.Run("ManuallyMergePR", doAPIManuallyMergePullRequest(ctx.CreateAPITestContext(t), baseCtx.Username, baseCtx.Reponame, lastCommitID, pr.Index))
 	}
 }
 
@@ -687,7 +691,8 @@ func doCreateAgitFlowPull(dstPath string, ctx *TestContext, baseBranch, headBran
 			if !assert.NotEmpty(t, pr1) {
 				return
 			}
-			prMsg, err := doGetPullRequest(*ctx, ctx.Username, ctx.Reponame, pr1.Index)(t)
+			apiCtx := ctx.CreateAPITestContext(t)
+			prMsg, err := doAPIGetPullRequest(apiCtx, ctx.Username, ctx.Reponame, pr1.Index)(t)
 			if !assert.NoError(t, err) {
 				return
 			}
@@ -709,7 +714,7 @@ func doCreateAgitFlowPull(dstPath string, ctx *TestContext, baseBranch, headBran
 			if !assert.NotEmpty(t, pr2) {
 				return
 			}
-			prMsg, err = doGetPullRequest(*ctx, ctx.Username, ctx.Reponame, pr2.Index)(t)
+			prMsg, err = doAPIGetPullRequest(apiCtx, ctx.Username, ctx.Reponame, pr2.Index)(t)
 			if !assert.NoError(t, err) {
 				return
 			}
@@ -754,7 +759,7 @@ func doCreateAgitFlowPull(dstPath string, ctx *TestContext, baseBranch, headBran
 				return
 			}
 			unittest.AssertCount(t, &models.PullRequest{}, pullNum+2)
-			prMsg, err := doGetPullRequest(*ctx, ctx.Username, ctx.Reponame, pr1.Index)(t)
+			prMsg, err := doAPIGetPullRequest(ctx.CreateAPITestContext(t), ctx.Username, ctx.Reponame, pr1.Index)(t)
 			if !assert.NoError(t, err) {
 				return
 			}
@@ -766,7 +771,7 @@ func doCreateAgitFlowPull(dstPath string, ctx *TestContext, baseBranch, headBran
 				return
 			}
 			unittest.AssertCount(t, &models.PullRequest{}, pullNum+2)
-			prMsg, err = doGetPullRequest(*ctx, ctx.Username, ctx.Reponame, pr2.Index)(t)
+			prMsg, err = doAPIGetPullRequest(ctx.CreateAPITestContext(t), ctx.Username, ctx.Reponame, pr2.Index)(t)
 			if !assert.NoError(t, err) {
 				return
 			}

From ebe10a9ce8bca2673d7bb600388080c78ef0c5ae Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Fri, 22 Oct 2021 11:01:08 +0800
Subject: [PATCH 22/26] Fix test

---
 .../api_helper_for_declarative_test.go        | 25 ++----------
 .../api_ui_helper_for_declarative_test.go     | 38 -------------------
 integrations/git_test.go                      |  4 +-
 3 files changed, 6 insertions(+), 61 deletions(-)

diff --git a/integrations/api_helper_for_declarative_test.go b/integrations/api_helper_for_declarative_test.go
index 2375abc52b0e5..18d9e24cae2e8 100644
--- a/integrations/api_helper_for_declarative_test.go
+++ b/integrations/api_helper_for_declarative_test.go
@@ -277,23 +277,6 @@ func doAPIGetPullRequest(ctx APITestContext, owner, repo string, index int64) fu
 	}
 }
 
-func doAPIManuallyMergePullRequest(ctx APITestContext, owner, repo, commitID string, index int64) func(*testing.T) {
-	return func(t *testing.T) {
-		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/merge",
-			owner, repo, index)
-		req := NewRequestWithJSON(t, http.MethodPost, urlStr, &forms.MergePullRequestForm{
-			Do:            string(models.MergeStyleManuallyMerged),
-			MergeCommitID: commitID,
-		})
-
-		if ctx.ExpectedCode != 0 {
-			ctx.MakeRequest(t, req, ctx.ExpectedCode)
-			return
-		}
-		ctx.MakeRequest(t, req, 200)
-	}
-}
-
 func doAPIMergePullRequest(ctx APITestContext, owner, repo string, index int64) func(*testing.T) {
 	return func(t *testing.T) {
 		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/merge?token=%s",
@@ -333,18 +316,18 @@ func doAPIMergePullRequest(ctx APITestContext, owner, repo string, index int64)
 
 func doAPIManuallyMergePullRequest(ctx APITestContext, owner, repo, commitID string, index int64) func(*testing.T) {
 	return func(t *testing.T) {
-		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/merge?token=%s",
-			owner, repo, index, ctx.Token)
+		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/merge",
+			owner, repo, index)
 		req := NewRequestWithJSON(t, http.MethodPost, urlStr, &forms.MergePullRequestForm{
 			Do:            string(repo_model.MergeStyleManuallyMerged),
 			MergeCommitID: commitID,
 		})
 
 		if ctx.ExpectedCode != 0 {
-			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
+			ctx.MakeRequest(t, req, ctx.ExpectedCode)
 			return
 		}
-		ctx.Session.MakeRequest(t, req, http.StatusOK)
+		ctx.MakeRequest(t, req, http.StatusOK)
 	}
 }
 
diff --git a/integrations/api_ui_helper_for_declarative_test.go b/integrations/api_ui_helper_for_declarative_test.go
index 5dadfc525cfea..2682133f28bdf 100644
--- a/integrations/api_ui_helper_for_declarative_test.go
+++ b/integrations/api_ui_helper_for_declarative_test.go
@@ -7,7 +7,6 @@ package integrations
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
 	"net/http"
 	"testing"
 	"time"
@@ -42,43 +41,6 @@ func (ctx TestContext) CreateAPITestContext(t *testing.T) APITestContext {
 	return NewAPITestContext(t, ctx.Username, ctx.Reponame)
 }
 
-func doDeleteRepository(ctx TestContext) func(*testing.T) {
-	return func(t *testing.T) {
-		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s", ctx.Username, ctx.Reponame)
-		apiCtx := ctx.CreateAPITestContext(t)
-		req := NewRequest(t, "DELETE", urlStr)
-		if ctx.ExpectedCode != 0 {
-			apiCtx.MakeRequest(t, req, ctx.ExpectedCode)
-			return
-		}
-		apiCtx.MakeRequest(t, req, http.StatusNoContent)
-	}
-}
-
-func doCreateUserKey(ctx TestContext, keyname, keyFile string, callback ...func(*testing.T, api.PublicKey)) func(*testing.T) {
-	return func(t *testing.T) {
-		urlStr := "/api/v1/user/keys"
-
-		dataPubKey, err := ioutil.ReadFile(keyFile + ".pub")
-		assert.NoError(t, err)
-		req := NewRequestWithJSON(t, "POST", urlStr, &api.CreateKeyOption{
-			Title: keyname,
-			Key:   string(dataPubKey),
-		})
-		apiCtx := ctx.CreateAPITestContext(t)
-		if ctx.ExpectedCode != 0 {
-			apiCtx.MakeRequest(t, req, ctx.ExpectedCode)
-			return
-		}
-		resp := apiCtx.MakeRequest(t, req, http.StatusCreated)
-		var publicKey api.PublicKey
-		DecodeJSON(t, resp, &publicKey)
-		if len(callback) > 0 {
-			callback[0](t, publicKey)
-		}
-	}
-}
-
 func doMergePullRequest(ctx TestContext, owner, repo string, index int64) func(*testing.T) {
 	return func(t *testing.T) {
 		urlStr := fmt.Sprintf("/api/ui/repos/%s/%s/pulls/%d/merge",
diff --git a/integrations/git_test.go b/integrations/git_test.go
index 97e5d8d411c4b..6dbedefd1a979 100644
--- a/integrations/git_test.go
+++ b/integrations/git_test.go
@@ -108,7 +108,7 @@ func testGit(t *testing.T, u *url.URL) {
 
 		// Setup key the user ssh key
 		withKeyFile(t, keyname, func(keyFile string) {
-			t.Run("CreateUserKey", doCreateUserKey(sshContext, "test-key", keyFile))
+			t.Run("CreateUserKey", doAPICreateUserKey(sshContext.CreateAPITestContext(t), "test-key", keyFile))
 
 			// Setup remote link
 			// TODO: get url from api
@@ -506,7 +506,7 @@ func doMergeFork(ctx, baseCtx TestContext, baseBranch, headBranch string) func(t
 		t.Run("EnsureDiffNoChange", doEnsureDiffNoChange(baseCtx, pr, diffHash, diffLength))
 
 		// Delete the head repository & make sure that doesn't break the PR page or change its diff
-		t.Run("DeleteHeadRepository", doDeleteRepository(ctx))
+		t.Run("DeleteHeadRepository", doAPIDeleteRepository(ctx.CreateAPITestContext(t)))
 		t.Run("EnsureCanSeePull", doEnsureCanSeePull(baseCtx, pr))
 		t.Run("EnsureDiffNoChange", doEnsureDiffNoChange(baseCtx, pr, diffHash, diffLength))
 	}

From 3486a8b1050e871b57a15977d2e8ddfd46d5d16a Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Fri, 22 Oct 2021 15:42:14 +0800
Subject: [PATCH 23/26] Fix test

---
 integrations/git_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/integrations/git_test.go b/integrations/git_test.go
index 6dbedefd1a979..8eab8cff7a8e7 100644
--- a/integrations/git_test.go
+++ b/integrations/git_test.go
@@ -64,7 +64,7 @@ func testGit(t *testing.T, u *url.URL) {
 		t.Run("CreateRepoInDifferentUser", doAPICreateRepository(apiForkedUserCtx, false))
 		t.Run("AddUserAsCollaborator", doAPIAddCollaborator(apiForkedUserCtx, httpContext.Username, perm.AccessModeRead))
 
-		t.Run("ForkFromDifferentUser", doAPIForkRepository(apiForkedUserCtx, forkedUserCtx.Username))
+		t.Run("ForkFromDifferentUser", doAPIForkRepository(httpContext.CreateAPITestContext(t), forkedUserCtx.Username))
 
 		u.Path = httpContext.GitPath()
 		u.User = url.UserPassword(username, userPassword)

From 330bdae2f1f3df8e9ab3ea328acaf6ee9b89616e Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Sat, 20 Nov 2021 01:01:19 +0800
Subject: [PATCH 24/26] Fix test

---
 integrations/api_ui_issue_stopwatch_test.go | 10 +++++-----
 integrations/api_ui_notification_test.go    |  7 ++++---
 routers/api/ui/api.go                       | 22 +++++++++++----------
 3 files changed, 21 insertions(+), 18 deletions(-)

diff --git a/integrations/api_ui_issue_stopwatch_test.go b/integrations/api_ui_issue_stopwatch_test.go
index a847f005ae535..9242351c10407 100644
--- a/integrations/api_ui_issue_stopwatch_test.go
+++ b/integrations/api_ui_issue_stopwatch_test.go
@@ -9,7 +9,7 @@ import (
 	"testing"
 
 	"code.gitea.io/gitea/models"
-	"code.gitea.io/gitea/models/db"
+	"code.gitea.io/gitea/models/unittest"
 	api "code.gitea.io/gitea/modules/structs"
 
 	"github.com/stretchr/testify/assert"
@@ -18,16 +18,16 @@ import (
 func TestUIAPIListStopWatches(t *testing.T) {
 	defer prepareTestEnv(t)()
 
-	repo := db.AssertExistsAndLoadBean(t, &models.Repository{ID: 1}).(*models.Repository)
-	owner := db.AssertExistsAndLoadBean(t, &models.User{ID: repo.OwnerID}).(*models.User)
+	repo := unittest.AssertExistsAndLoadBean(t, &models.Repository{ID: 1}).(*models.Repository)
+	owner := unittest.AssertExistsAndLoadBean(t, &models.User{ID: repo.OwnerID}).(*models.User)
 
 	session := loginUser(t, owner.Name)
 	req := NewRequestf(t, "GET", "/api/ui/user/stopwatches")
 	resp := session.MakeRequest(t, req, http.StatusOK)
 	var apiWatches []*api.StopWatch
 	DecodeJSON(t, resp, &apiWatches)
-	stopwatch := db.AssertExistsAndLoadBean(t, &models.Stopwatch{UserID: owner.ID}).(*models.Stopwatch)
-	issue := db.AssertExistsAndLoadBean(t, &models.Issue{ID: stopwatch.IssueID}).(*models.Issue)
+	stopwatch := unittest.AssertExistsAndLoadBean(t, &models.Stopwatch{UserID: owner.ID}).(*models.Stopwatch)
+	issue := unittest.AssertExistsAndLoadBean(t, &models.Issue{ID: stopwatch.IssueID}).(*models.Issue)
 	if assert.Len(t, apiWatches, 1) {
 		assert.EqualValues(t, stopwatch.CreatedUnix.AsTime().Unix(), apiWatches[0].Created.Unix())
 		assert.EqualValues(t, issue.Index, apiWatches[0].IssueIndex)
diff --git a/integrations/api_ui_notification_test.go b/integrations/api_ui_notification_test.go
index 9f442945786ee..9dd3274eb699d 100644
--- a/integrations/api_ui_notification_test.go
+++ b/integrations/api_ui_notification_test.go
@@ -11,6 +11,7 @@ import (
 
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/models/db"
+	"code.gitea.io/gitea/models/unittest"
 	api "code.gitea.io/gitea/modules/structs"
 
 	"github.com/stretchr/testify/assert"
@@ -19,9 +20,9 @@ import (
 func TestNotification(t *testing.T) {
 	defer prepareTestEnv(t)()
 
-	user2 := db.AssertExistsAndLoadBean(t, &models.User{ID: 2}).(*models.User)
-	repo1 := db.AssertExistsAndLoadBean(t, &models.Repository{ID: 1}).(*models.Repository)
-	thread5 := db.AssertExistsAndLoadBean(t, &models.Notification{ID: 5}).(*models.Notification)
+	user2 := unittest.AssertExistsAndLoadBean(t, &models.User{ID: 2}).(*models.User)
+	repo1 := unittest.AssertExistsAndLoadBean(t, &models.Repository{ID: 1}).(*models.Repository)
+	thread5 := unittest.AssertExistsAndLoadBean(t, &models.Notification{ID: 5}).(*models.Notification)
 	assert.NoError(t, thread5.LoadAttributes())
 
 	token := getUserToken(t, user2.Name)
diff --git a/routers/api/ui/api.go b/routers/api/ui/api.go
index d2472a3a8abbc..a003ed73b3a92 100644
--- a/routers/api/ui/api.go
+++ b/routers/api/ui/api.go
@@ -10,6 +10,8 @@ import (
 	"strings"
 
 	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/models/unit"
+	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
@@ -44,9 +46,9 @@ func repoAssignment() func(ctx *context.APIContext) {
 			owner, err = models.GetUserByName(userName)
 			if err != nil {
 				if models.IsErrUserNotExist(err) {
-					if redirectUserID, err := models.LookupUserRedirect(userName); err == nil {
+					if redirectUserID, err := user_model.LookupUserRedirect(userName); err == nil {
 						context.RedirectToUser(ctx.Context, userName, redirectUserID)
-					} else if models.IsErrUserRedirectNotExist(err) {
+					} else if user_model.IsErrUserRedirectNotExist(err) {
 						ctx.NotFound("GetUserByName", err)
 					} else {
 						ctx.Error(http.StatusInternalServerError, "LookupUserRedirect", err)
@@ -198,10 +200,10 @@ func orgAssignment(args ...bool) func(ctx *context.APIContext) {
 			ctx.Org.Organization, err = models.GetOrgByName(ctx.Params(":org"))
 			if err != nil {
 				if models.IsErrOrgNotExist(err) {
-					redirectUserID, err := models.LookupUserRedirect(ctx.Params(":org"))
+					redirectUserID, err := user_model.LookupUserRedirect(ctx.Params(":org"))
 					if err == nil {
 						context.RedirectToUser(ctx.Context, ctx.Params(":org"), redirectUserID)
-					} else if models.IsErrUserRedirectNotExist(err) {
+					} else if user_model.IsErrUserRedirectNotExist(err) {
 						ctx.NotFound("GetOrgByName", err)
 					} else {
 						ctx.Error(http.StatusInternalServerError, "LookupUserRedirect", err)
@@ -228,22 +230,22 @@ func orgAssignment(args ...bool) func(ctx *context.APIContext) {
 }
 
 func mustEnableIssuesOrPulls(ctx *context.APIContext) {
-	if !ctx.Repo.CanRead(models.UnitTypeIssues) &&
-		!(ctx.Repo.Repository.CanEnablePulls() && ctx.Repo.CanRead(models.UnitTypePullRequests)) {
+	if !ctx.Repo.CanRead(unit.TypeIssues) &&
+		!(ctx.Repo.Repository.CanEnablePulls() && ctx.Repo.CanRead(unit.TypePullRequests)) {
 		if ctx.Repo.Repository.CanEnablePulls() && log.IsTrace() {
 			if ctx.IsSigned {
 				log.Trace("Permission Denied: User %-v cannot read %-v and %-v in Repo %-v\n"+
 					"User in Repo has Permissions: %-+v",
 					ctx.User,
-					models.UnitTypeIssues,
-					models.UnitTypePullRequests,
+					unit.TypeIssues,
+					unit.TypePullRequests,
 					ctx.Repo.Repository,
 					ctx.Repo.Permission)
 			} else {
 				log.Trace("Permission Denied: Anonymous user cannot read %-v and %-v in Repo %-v\n"+
 					"Anonymous user in Repo has Permissions: %-+v",
-					models.UnitTypeIssues,
-					models.UnitTypePullRequests,
+					unit.TypeIssues,
+					unit.TypePullRequests,
 					ctx.Repo.Repository,
 					ctx.Repo.Permission)
 			}

From f10724fe53a86ed6e2c8c61996f9175f83d555c1 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Mon, 13 Dec 2021 14:50:02 +0800
Subject: [PATCH 25/26] Merge

---
 integrations/api_notification_test.go             |  8 ++++----
 integrations/api_repo_teams_test.go               | 12 ++++++------
 .../api_ui_helper_for_declarative_test.go         |  6 +++---
 integrations/api_ui_issue_stopwatch_test.go       |  6 ++++--
 integrations/api_ui_notification_test.go          |  9 +++++----
 integrations/api_ui_repo_test.go                  | 15 ++++++++-------
 integrations/api_ui_user_search_test.go           |  8 ++++----
 routers/api/ui/api.go                             | 15 ++++++++-------
 8 files changed, 42 insertions(+), 37 deletions(-)

diff --git a/integrations/api_notification_test.go b/integrations/api_notification_test.go
index c182cd416e312..f0dc2ff75e8c6 100644
--- a/integrations/api_notification_test.go
+++ b/integrations/api_notification_test.go
@@ -66,7 +66,7 @@ func TestAPINotification(t *testing.T) {
 
 	// -- GET /repos/{owner}/{repo}/notifications -- multiple status-types
 	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/notifications?status-types=unread&status-types=pinned&token=%s", user2.Name, repo1.Name, token))
-	resp = session.MakeRequest(t, req, http.StatusOK)
+	resp = MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiNL)
 
 	assert.Len(t, apiNL, 2)
@@ -80,7 +80,7 @@ func TestAPINotification(t *testing.T) {
 	// -- GET /notifications/threads/{id} --
 	// get forbidden
 	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications/threads/%d?token=%s", 1, token))
-	resp = MakeRequest(t, req, http.StatusForbidden)
+	MakeRequest(t, req, http.StatusForbidden)
 
 	// get own
 	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications/threads/%d?token=%s", thread5.ID, token))
@@ -114,7 +114,7 @@ func TestAPINotification(t *testing.T) {
 
 	lastReadAt := "2000-01-01T00%3A50%3A01%2B00%3A00" // 946687801 <- only Notification 4 is in this filter ...
 	req = NewRequest(t, "PUT", fmt.Sprintf("/api/v1/repos/%s/%s/notifications?last_read_at=%s&token=%s", user2.Name, repo1.Name, lastReadAt, token))
-	resp = MakeRequest(t, req, http.StatusResetContent)
+	MakeRequest(t, req, http.StatusResetContent)
 
 	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications?status-types=unread&token=%s", token))
 	resp = MakeRequest(t, req, http.StatusOK)
@@ -123,7 +123,7 @@ func TestAPINotification(t *testing.T) {
 
 	// -- PATCH /notifications/threads/{id} --
 	req = NewRequest(t, "PATCH", fmt.Sprintf("/api/v1/notifications/threads/%d?token=%s", thread5.ID, token))
-	resp = MakeRequest(t, req, http.StatusResetContent)
+	MakeRequest(t, req, http.StatusResetContent)
 
 	assert.Equal(t, models.NotificationStatusUnread, thread5.Status)
 	thread5 = unittest.AssertExistsAndLoadBean(t, &models.Notification{ID: 5}).(*models.Notification)
diff --git a/integrations/api_repo_teams_test.go b/integrations/api_repo_teams_test.go
index 1e042ff7e36f3..34059877eba85 100644
--- a/integrations/api_repo_teams_test.go
+++ b/integrations/api_repo_teams_test.go
@@ -56,24 +56,24 @@ func TestAPIRepoTeams(t *testing.T) {
 
 	url = fmt.Sprintf("/api/v1/repos/%s/teams/%s?token=%s", publicOrgRepo.FullName(), "NonExistingTeam", token)
 	req = NewRequest(t, "GET", url)
-	res = MakeRequest(t, req, http.StatusNotFound)
+	MakeRequest(t, req, http.StatusNotFound)
 
 	// AddTeam with user4
 	url = fmt.Sprintf("/api/v1/repos/%s/teams/%s?token=%s", publicOrgRepo.FullName(), "team1", token)
 	req = NewRequest(t, "PUT", url)
-	res = MakeRequest(t, req, http.StatusForbidden)
+	MakeRequest(t, req, http.StatusForbidden)
 
 	// AddTeam with user2
 	user = unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2}).(*user_model.User)
 	token = getUserToken(t, user.Name)
 	url = fmt.Sprintf("/api/v1/repos/%s/teams/%s?token=%s", publicOrgRepo.FullName(), "team1", token)
 	req = NewRequest(t, "PUT", url)
-	res = MakeRequest(t, req, http.StatusNoContent)
-	res = MakeRequest(t, req, http.StatusUnprocessableEntity) // test duplicate request
+	MakeRequest(t, req, http.StatusNoContent)
+	MakeRequest(t, req, http.StatusUnprocessableEntity) // test duplicate request
 
 	// DeleteTeam
 	url = fmt.Sprintf("/api/v1/repos/%s/teams/%s?token=%s", publicOrgRepo.FullName(), "team1", token)
 	req = NewRequest(t, "DELETE", url)
-	res = MakeRequest(t, req, http.StatusNoContent)
-	res = MakeRequest(t, req, http.StatusUnprocessableEntity) // test duplicate request
+	MakeRequest(t, req, http.StatusNoContent)
+	MakeRequest(t, req, http.StatusUnprocessableEntity) // test duplicate request
 }
diff --git a/integrations/api_ui_helper_for_declarative_test.go b/integrations/api_ui_helper_for_declarative_test.go
index 2682133f28bdf..36fcce257702b 100644
--- a/integrations/api_ui_helper_for_declarative_test.go
+++ b/integrations/api_ui_helper_for_declarative_test.go
@@ -11,7 +11,7 @@ import (
 	"testing"
 	"time"
 
-	"code.gitea.io/gitea/models"
+	repo_model "code.gitea.io/gitea/models/repo"
 	"code.gitea.io/gitea/modules/queue"
 	api "code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/services/forms"
@@ -47,7 +47,7 @@ func doMergePullRequest(ctx TestContext, owner, repo string, index int64) func(*
 			owner, repo, index)
 		req := NewRequestWithJSON(t, http.MethodPost, urlStr, &forms.MergePullRequestForm{
 			MergeMessageField: "doMergePullRequest Merge",
-			Do:                string(models.MergeStyleMerge),
+			Do:                string(repo_model.MergeStyleMerge),
 		})
 
 		resp := ctx.Session.MakeRequest(t, req, NoExpectedStatus)
@@ -59,7 +59,7 @@ func doMergePullRequest(ctx TestContext, owner, repo string, index int64) func(*
 			queue.GetManager().FlushAll(context.Background(), 5*time.Second)
 			req = NewRequestWithJSON(t, http.MethodPost, urlStr, &forms.MergePullRequestForm{
 				MergeMessageField: "doMergePullRequest Merge",
-				Do:                string(models.MergeStyleMerge),
+				Do:                string(repo_model.MergeStyleMerge),
 			})
 			resp = ctx.Session.MakeRequest(t, req, NoExpectedStatus)
 		}
diff --git a/integrations/api_ui_issue_stopwatch_test.go b/integrations/api_ui_issue_stopwatch_test.go
index 9242351c10407..7093e8cc3e310 100644
--- a/integrations/api_ui_issue_stopwatch_test.go
+++ b/integrations/api_ui_issue_stopwatch_test.go
@@ -9,7 +9,9 @@ import (
 	"testing"
 
 	"code.gitea.io/gitea/models"
+	repo_model "code.gitea.io/gitea/models/repo"
 	"code.gitea.io/gitea/models/unittest"
+	user_model "code.gitea.io/gitea/models/user"
 	api "code.gitea.io/gitea/modules/structs"
 
 	"github.com/stretchr/testify/assert"
@@ -18,8 +20,8 @@ import (
 func TestUIAPIListStopWatches(t *testing.T) {
 	defer prepareTestEnv(t)()
 
-	repo := unittest.AssertExistsAndLoadBean(t, &models.Repository{ID: 1}).(*models.Repository)
-	owner := unittest.AssertExistsAndLoadBean(t, &models.User{ID: repo.OwnerID}).(*models.User)
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1}).(*repo_model.Repository)
+	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID}).(*user_model.User)
 
 	session := loginUser(t, owner.Name)
 	req := NewRequestf(t, "GET", "/api/ui/user/stopwatches")
diff --git a/integrations/api_ui_notification_test.go b/integrations/api_ui_notification_test.go
index 9dd3274eb699d..d7e555fec5d9c 100644
--- a/integrations/api_ui_notification_test.go
+++ b/integrations/api_ui_notification_test.go
@@ -10,8 +10,9 @@ import (
 	"testing"
 
 	"code.gitea.io/gitea/models"
-	"code.gitea.io/gitea/models/db"
+	repo_model "code.gitea.io/gitea/models/repo"
 	"code.gitea.io/gitea/models/unittest"
+	user_model "code.gitea.io/gitea/models/user"
 	api "code.gitea.io/gitea/modules/structs"
 
 	"github.com/stretchr/testify/assert"
@@ -20,8 +21,8 @@ import (
 func TestNotification(t *testing.T) {
 	defer prepareTestEnv(t)()
 
-	user2 := unittest.AssertExistsAndLoadBean(t, &models.User{ID: 2}).(*models.User)
-	repo1 := unittest.AssertExistsAndLoadBean(t, &models.Repository{ID: 1}).(*models.Repository)
+	user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2}).(*user_model.User)
+	repo1 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1}).(*repo_model.Repository)
 	thread5 := unittest.AssertExistsAndLoadBean(t, &models.Notification{ID: 5}).(*models.Notification)
 	assert.NoError(t, thread5.LoadAttributes())
 
@@ -114,7 +115,7 @@ func TestNotification(t *testing.T) {
 	MakeRequest(t, req, http.StatusResetContent)
 
 	assert.Equal(t, models.NotificationStatusUnread, thread5.Status)
-	thread5 = db.AssertExistsAndLoadBean(t, &models.Notification{ID: 5}).(*models.Notification)
+	thread5 = unittest.AssertExistsAndLoadBean(t, &models.Notification{ID: 5}).(*models.Notification)
 	assert.Equal(t, models.NotificationStatusRead, thread5.Status)
 
 	// -- check notifications --
diff --git a/integrations/api_ui_repo_test.go b/integrations/api_ui_repo_test.go
index 949a515526572..54290c36de66e 100644
--- a/integrations/api_ui_repo_test.go
+++ b/integrations/api_ui_repo_test.go
@@ -10,7 +10,8 @@ import (
 	"testing"
 
 	"code.gitea.io/gitea/models"
-	"code.gitea.io/gitea/models/db"
+	"code.gitea.io/gitea/models/unittest"
+	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/setting"
 	api "code.gitea.io/gitea/modules/structs"
 	"github.com/stretchr/testify/assert"
@@ -31,11 +32,11 @@ func TestAPIUISearchRepo(t *testing.T) {
 		assert.False(t, repo.Private)
 	}
 
-	user := db.AssertExistsAndLoadBean(t, &models.User{ID: 15}).(*models.User)
-	user2 := db.AssertExistsAndLoadBean(t, &models.User{ID: 16}).(*models.User)
-	user3 := db.AssertExistsAndLoadBean(t, &models.User{ID: 18}).(*models.User)
-	user4 := db.AssertExistsAndLoadBean(t, &models.User{ID: 20}).(*models.User)
-	orgUser := db.AssertExistsAndLoadBean(t, &models.User{ID: 17}).(*models.User)
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 15}).(*user_model.User)
+	user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 16}).(*user_model.User)
+	user3 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 18}).(*user_model.User)
+	user4 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 20}).(*user_model.User)
+	orgUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 17}).(*user_model.User)
 
 	oldAPIDefaultNum := setting.API.DefaultPagingNum
 	defer func() {
@@ -44,7 +45,7 @@ func TestAPIUISearchRepo(t *testing.T) {
 	setting.API.DefaultPagingNum = 10
 
 	// Map of expected results, where key is user for login
-	type expectedResults map[*models.User]struct {
+	type expectedResults map[*user_model.User]struct {
 		count           int
 		repoOwnerID     int64
 		repoName        string
diff --git a/integrations/api_ui_user_search_test.go b/integrations/api_ui_user_search_test.go
index 26ffbace7505a..511f3bfb7c448 100644
--- a/integrations/api_ui_user_search_test.go
+++ b/integrations/api_ui_user_search_test.go
@@ -9,8 +9,8 @@ import (
 	"net/http"
 	"testing"
 
-	"code.gitea.io/gitea/models"
-	"code.gitea.io/gitea/models/db"
+	"code.gitea.io/gitea/models/unittest"
+	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/setting"
 
 	"github.com/stretchr/testify/assert"
@@ -43,10 +43,10 @@ func TestAPIUIUserSearchNotLoggedIn(t *testing.T) {
 	var results SearchResults
 	DecodeJSON(t, resp, &results)
 	assert.NotEmpty(t, results.Data)
-	var modelUser *models.User
+	var modelUser *user_model.User
 	for _, user := range results.Data {
 		assert.Contains(t, user.UserName, query)
-		modelUser = db.AssertExistsAndLoadBean(t, &models.User{ID: user.ID}).(*models.User)
+		modelUser = unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: user.ID}).(*user_model.User)
 		if modelUser.KeepEmailPrivate {
 			assert.EqualValues(t, fmt.Sprintf("%s@%s", modelUser.LowerName, setting.Service.NoReplyAddress), user.Email)
 		} else {
diff --git a/routers/api/ui/api.go b/routers/api/ui/api.go
index a003ed73b3a92..a82b1c99f62c9 100644
--- a/routers/api/ui/api.go
+++ b/routers/api/ui/api.go
@@ -10,6 +10,7 @@ import (
 	"strings"
 
 	"code.gitea.io/gitea/models"
+	repo_model "code.gitea.io/gitea/models/repo"
 	"code.gitea.io/gitea/models/unit"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/context"
@@ -35,7 +36,7 @@ func repoAssignment() func(ctx *context.APIContext) {
 		repoName := ctx.Params("reponame")
 
 		var (
-			owner *models.User
+			owner *user_model.User
 			err   error
 		)
 
@@ -43,9 +44,9 @@ func repoAssignment() func(ctx *context.APIContext) {
 		if ctx.IsSigned && ctx.User.LowerName == strings.ToLower(userName) {
 			owner = ctx.User
 		} else {
-			owner, err = models.GetUserByName(userName)
+			owner, err = user_model.GetUserByName(userName)
 			if err != nil {
-				if models.IsErrUserNotExist(err) {
+				if user_model.IsErrUserNotExist(err) {
 					if redirectUserID, err := user_model.LookupUserRedirect(userName); err == nil {
 						context.RedirectToUser(ctx.Context, userName, redirectUserID)
 					} else if user_model.IsErrUserRedirectNotExist(err) {
@@ -62,13 +63,13 @@ func repoAssignment() func(ctx *context.APIContext) {
 		ctx.Repo.Owner = owner
 
 		// Get repository.
-		repo, err := models.GetRepositoryByName(owner.ID, repoName)
+		repo, err := repo_model.GetRepositoryByName(owner.ID, repoName)
 		if err != nil {
-			if models.IsErrRepoNotExist(err) {
-				redirectRepoID, err := models.LookupRepoRedirect(owner.ID, repoName)
+			if repo_model.IsErrRepoNotExist(err) {
+				redirectRepoID, err := repo_model.LookupRedirect(owner.ID, repoName)
 				if err == nil {
 					context.RedirectToRepo(ctx.Context, redirectRepoID)
-				} else if models.IsErrRepoRedirectNotExist(err) {
+				} else if repo_model.IsErrRedirectNotExist(err) {
 					ctx.NotFound()
 				} else {
 					ctx.Error(http.StatusInternalServerError, "LookupRepoRedirect", err)

From d133972436df36166a83d924eda5281ece59b79c Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Fri, 25 Mar 2022 11:19:50 +0800
Subject: [PATCH 26/26] Rebase

---
 .../api_helper_for_declarative_test.go        |  21 +---
 integrations/api_releases_test.go             |   2 +-
 .../api_ui_helper_for_declarative_test.go     |   1 +
 integrations/api_ui_issue_test.go             |   3 +-
 integrations/api_ui_notification_test.go      |   6 +-
 integrations/api_ui_repo_test.go              | 106 +++++++++++-------
 integrations/api_ui_repo_topic_test.go        |   1 +
 integrations/git_test.go                      |   2 +-
 integrations/mirror_push_test.go              |   2 +-
 modules/context/api.go                        |   2 -
 modules/context/api_ui.go                     |   6 +-
 modules/session/store.go                      |   6 +
 routers/api/ui/api.go                         |  22 ++--
 routers/web/web.go                            |   1 -
 14 files changed, 96 insertions(+), 85 deletions(-)

diff --git a/integrations/api_helper_for_declarative_test.go b/integrations/api_helper_for_declarative_test.go
index 18d9e24cae2e8..b503f50df38fb 100644
--- a/integrations/api_helper_for_declarative_test.go
+++ b/integrations/api_helper_for_declarative_test.go
@@ -231,26 +231,7 @@ func doAPICreatePullRequest(ctx APITestContext, owner, repo, baseBranch, headBra
 		if ctx.ExpectedCode != 0 {
 			expected = ctx.ExpectedCode
 		}
-		resp := ctx.Session.MakeRequest(t, req, expected)
-
-		decoder := json.NewDecoder(resp.Body)
-		pr := api.PullRequest{}
-		err := decoder.Decode(&pr)
-		return pr, err
-	}
-}
-
-func doAPIGetPullRequest(ctx APITestContext, owner, repo string, index int64) func(*testing.T) (api.PullRequest, error) {
-	return func(t *testing.T) (api.PullRequest, error) {
-		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d?token=%s",
-			owner, repo, index, ctx.Token)
-		req := NewRequest(t, http.MethodGet, urlStr)
-
-		expected := http.StatusOK
-		if ctx.ExpectedCode != 0 {
-			expected = ctx.ExpectedCode
-		}
-		resp := MakeRequest(t, req, expected)
+		resp := ctx.MakeRequest(t, req, expected)
 
 		decoder := json.NewDecoder(resp.Body)
 		pr := api.PullRequest{}
diff --git a/integrations/api_releases_test.go b/integrations/api_releases_test.go
index e4dcdf04f3664..470e1239b8f8e 100644
--- a/integrations/api_releases_test.go
+++ b/integrations/api_releases_test.go
@@ -52,7 +52,7 @@ func TestAPIListReleases(t *testing.T) {
 
 	// test filter
 	testFilterByLen := func(auth bool, query url.Values, expectedLength int, msgAndArgs ...string) {
-		var comment = link.String()
+		comment := link.String()
 		if len(msgAndArgs) > 0 {
 			comment = msgAndArgs[0]
 		}
diff --git a/integrations/api_ui_helper_for_declarative_test.go b/integrations/api_ui_helper_for_declarative_test.go
index 36fcce257702b..c8d65eb70d739 100644
--- a/integrations/api_ui_helper_for_declarative_test.go
+++ b/integrations/api_ui_helper_for_declarative_test.go
@@ -15,6 +15,7 @@ import (
 	"code.gitea.io/gitea/modules/queue"
 	api "code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/services/forms"
+
 	"github.com/stretchr/testify/assert"
 )
 
diff --git a/integrations/api_ui_issue_test.go b/integrations/api_ui_issue_test.go
index e18c7a9b0bf0e..9e99e64c88f48 100644
--- a/integrations/api_ui_issue_test.go
+++ b/integrations/api_ui_issue_test.go
@@ -11,6 +11,7 @@ import (
 	"time"
 
 	api "code.gitea.io/gitea/modules/structs"
+
 	"github.com/stretchr/testify/assert"
 )
 
@@ -58,7 +59,7 @@ func TestAPIUISearchIssues(t *testing.T) {
 	resp = session.MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiIssues)
 	assert.EqualValues(t, "15", resp.Header().Get("X-Total-Count"))
-	assert.Len(t, apiIssues, 10) //there are more but 10 is page item limit
+	assert.Len(t, apiIssues, 10) // there are more but 10 is page item limit
 
 	query.Add("limit", "20")
 	link.RawQuery = query.Encode()
diff --git a/integrations/api_ui_notification_test.go b/integrations/api_ui_notification_test.go
index d7e555fec5d9c..56d12809f3b4b 100644
--- a/integrations/api_ui_notification_test.go
+++ b/integrations/api_ui_notification_test.go
@@ -30,7 +30,7 @@ func TestNotification(t *testing.T) {
 
 	// -- GET /notifications --
 	// test filter
-	since := "2000-01-01T00%3A50%3A01%2B00%3A00" //946687801
+	since := "2000-01-01T00%3A50%3A01%2B00%3A00" // 946687801
 	req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications?since=%s&token=%s", since, token))
 	resp := MakeRequest(t, req, http.StatusOK)
 	var apiNL []api.NotificationThread
@@ -40,7 +40,7 @@ func TestNotification(t *testing.T) {
 	assert.EqualValues(t, 5, apiNL[0].ID)
 
 	// test filter
-	before := "2000-01-01T01%3A06%3A59%2B00%3A00" //946688819
+	before := "2000-01-01T01%3A06%3A59%2B00%3A00" // 946688819
 
 	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications?all=%s&before=%s&token=%s", "true", before, token))
 	resp = MakeRequest(t, req, http.StatusOK)
@@ -101,7 +101,7 @@ func TestNotification(t *testing.T) {
 	DecodeJSON(t, resp, &apiNL)
 	assert.Len(t, apiNL, 2)
 
-	lastReadAt := "2000-01-01T00%3A50%3A01%2B00%3A00" //946687801 <- only Notification 4 is in this filter ...
+	lastReadAt := "2000-01-01T00%3A50%3A01%2B00%3A00" // 946687801 <- only Notification 4 is in this filter ...
 	req = NewRequest(t, "PUT", fmt.Sprintf("/api/v1/repos/%s/%s/notifications?last_read_at=%s&token=%s", user2.Name, repo1.Name, lastReadAt, token))
 	MakeRequest(t, req, http.StatusResetContent)
 
diff --git a/integrations/api_ui_repo_test.go b/integrations/api_ui_repo_test.go
index 54290c36de66e..f3cbb45e6ea4f 100644
--- a/integrations/api_ui_repo_test.go
+++ b/integrations/api_ui_repo_test.go
@@ -14,6 +14,7 @@ import (
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/setting"
 	api "code.gitea.io/gitea/modules/structs"
+
 	"github.com/stretchr/testify/assert"
 )
 
@@ -56,76 +57,99 @@ func TestAPIUISearchRepo(t *testing.T) {
 		name, requestURL string
 		expectedResults
 	}{
-		{name: "RepositoriesMax50", requestURL: "/api/ui/repos/search?limit=50&private=false", expectedResults: expectedResults{
-			nil:   {count: 30},
-			user:  {count: 30},
-			user2: {count: 30}},
+		{
+			name: "RepositoriesMax50", requestURL: "/api/ui/repos/search?limit=50&private=false", expectedResults: expectedResults{
+				nil:   {count: 30},
+				user:  {count: 30},
+				user2: {count: 30},
+			},
 		},
-		{name: "RepositoriesMax10", requestURL: "/api/ui/repos/search?limit=10&private=false", expectedResults: expectedResults{
-			nil:   {count: 10},
-			user:  {count: 10},
-			user2: {count: 10}},
+		{
+			name: "RepositoriesMax10", requestURL: "/api/ui/repos/search?limit=10&private=false", expectedResults: expectedResults{
+				nil:   {count: 10},
+				user:  {count: 10},
+				user2: {count: 10},
+			},
 		},
-		{name: "RepositoriesDefault", requestURL: "/api/ui/repos/search?default&private=false", expectedResults: expectedResults{
-			nil:   {count: 10},
-			user:  {count: 10},
-			user2: {count: 10}},
+		{
+			name: "RepositoriesDefault", requestURL: "/api/ui/repos/search?default&private=false", expectedResults: expectedResults{
+				nil:   {count: 10},
+				user:  {count: 10},
+				user2: {count: 10},
+			},
 		},
-		{name: "RepositoriesByName", requestURL: fmt.Sprintf("/api/ui/repos/search?q=%s&private=false", "big_test_"), expectedResults: expectedResults{
-			nil:   {count: 7, repoName: "big_test_"},
-			user:  {count: 7, repoName: "big_test_"},
-			user2: {count: 7, repoName: "big_test_"}},
+		{
+			name: "RepositoriesByName", requestURL: fmt.Sprintf("/api/ui/repos/search?q=%s&private=false", "big_test_"), expectedResults: expectedResults{
+				nil:   {count: 7, repoName: "big_test_"},
+				user:  {count: 7, repoName: "big_test_"},
+				user2: {count: 7, repoName: "big_test_"},
+			},
 		},
-		{name: "RepositoriesAccessibleAndRelatedToUser", requestURL: fmt.Sprintf("/api/ui/repos/search?uid=%d", user.ID), expectedResults: expectedResults{
-			nil:   {count: 5},
-			user:  {count: 9, includesPrivate: true},
-			user2: {count: 6, includesPrivate: true}},
+		{
+			name: "RepositoriesAccessibleAndRelatedToUser", requestURL: fmt.Sprintf("/api/ui/repos/search?uid=%d", user.ID), expectedResults: expectedResults{
+				nil:   {count: 5},
+				user:  {count: 9, includesPrivate: true},
+				user2: {count: 6, includesPrivate: true},
+			},
 		},
-		{name: "RepositoriesAccessibleAndRelatedToUser2", requestURL: fmt.Sprintf("/api/ui/repos/search?uid=%d", user2.ID), expectedResults: expectedResults{
-			nil:   {count: 1},
-			user:  {count: 2, includesPrivate: true},
-			user2: {count: 2, includesPrivate: true},
-			user4: {count: 1}},
+		{
+			name: "RepositoriesAccessibleAndRelatedToUser2", requestURL: fmt.Sprintf("/api/ui/repos/search?uid=%d", user2.ID), expectedResults: expectedResults{
+				nil:   {count: 1},
+				user:  {count: 2, includesPrivate: true},
+				user2: {count: 2, includesPrivate: true},
+				user4: {count: 1},
+			},
 		},
-		{name: "RepositoriesAccessibleAndRelatedToUser3", requestURL: fmt.Sprintf("/api/ui/repos/search?uid=%d", user3.ID), expectedResults: expectedResults{
-			nil:   {count: 1},
-			user:  {count: 4, includesPrivate: true},
-			user2: {count: 3, includesPrivate: true},
-			user3: {count: 4, includesPrivate: true}},
+		{
+			name: "RepositoriesAccessibleAndRelatedToUser3", requestURL: fmt.Sprintf("/api/ui/repos/search?uid=%d", user3.ID), expectedResults: expectedResults{
+				nil:   {count: 1},
+				user:  {count: 4, includesPrivate: true},
+				user2: {count: 3, includesPrivate: true},
+				user3: {count: 4, includesPrivate: true},
+			},
 		},
-		{name: "RepositoriesOwnedByOrganization", requestURL: fmt.Sprintf("/api/ui/repos/search?uid=%d", orgUser.ID), expectedResults: expectedResults{
-			nil:   {count: 1, repoOwnerID: orgUser.ID},
-			user:  {count: 2, repoOwnerID: orgUser.ID, includesPrivate: true},
-			user2: {count: 1, repoOwnerID: orgUser.ID}},
+		{
+			name: "RepositoriesOwnedByOrganization", requestURL: fmt.Sprintf("/api/ui/repos/search?uid=%d", orgUser.ID), expectedResults: expectedResults{
+				nil:   {count: 1, repoOwnerID: orgUser.ID},
+				user:  {count: 2, repoOwnerID: orgUser.ID, includesPrivate: true},
+				user2: {count: 1, repoOwnerID: orgUser.ID},
+			},
 		},
 		{name: "RepositoriesAccessibleAndRelatedToUser4", requestURL: fmt.Sprintf("/api/ui/repos/search?uid=%d", user4.ID), expectedResults: expectedResults{
 			nil:   {count: 3},
 			user:  {count: 4, includesPrivate: true},
-			user4: {count: 7, includesPrivate: true}}},
+			user4: {count: 7, includesPrivate: true},
+		}},
 		{name: "RepositoriesAccessibleAndRelatedToUser4/SearchModeSource", requestURL: fmt.Sprintf("/api/ui/repos/search?uid=%d&mode=%s", user4.ID, "source"), expectedResults: expectedResults{
 			nil:   {count: 0},
 			user:  {count: 1, includesPrivate: true},
-			user4: {count: 1, includesPrivate: true}}},
+			user4: {count: 1, includesPrivate: true},
+		}},
 		{name: "RepositoriesAccessibleAndRelatedToUser4/SearchModeFork", requestURL: fmt.Sprintf("/api/ui/repos/search?uid=%d&mode=%s", user4.ID, "fork"), expectedResults: expectedResults{
 			nil:   {count: 1},
 			user:  {count: 1},
-			user4: {count: 2, includesPrivate: true}}},
+			user4: {count: 2, includesPrivate: true},
+		}},
 		{name: "RepositoriesAccessibleAndRelatedToUser4/SearchModeFork/Exclusive", requestURL: fmt.Sprintf("/api/ui/repos/search?uid=%d&mode=%s&exclusive=1", user4.ID, "fork"), expectedResults: expectedResults{
 			nil:   {count: 1},
 			user:  {count: 1},
-			user4: {count: 2, includesPrivate: true}}},
+			user4: {count: 2, includesPrivate: true},
+		}},
 		{name: "RepositoriesAccessibleAndRelatedToUser4/SearchModeMirror", requestURL: fmt.Sprintf("/api/ui/repos/search?uid=%d&mode=%s", user4.ID, "mirror"), expectedResults: expectedResults{
 			nil:   {count: 2},
 			user:  {count: 2},
-			user4: {count: 4, includesPrivate: true}}},
+			user4: {count: 4, includesPrivate: true},
+		}},
 		{name: "RepositoriesAccessibleAndRelatedToUser4/SearchModeMirror/Exclusive", requestURL: fmt.Sprintf("/api/ui/repos/search?uid=%d&mode=%s&exclusive=1", user4.ID, "mirror"), expectedResults: expectedResults{
 			nil:   {count: 1},
 			user:  {count: 1},
-			user4: {count: 2, includesPrivate: true}}},
+			user4: {count: 2, includesPrivate: true},
+		}},
 		{name: "RepositoriesAccessibleAndRelatedToUser4/SearchModeCollaborative", requestURL: fmt.Sprintf("/api/ui/repos/search?uid=%d&mode=%s", user4.ID, "collaborative"), expectedResults: expectedResults{
 			nil:   {count: 0},
 			user:  {count: 1, includesPrivate: true},
-			user4: {count: 1, includesPrivate: true}}},
+			user4: {count: 1, includesPrivate: true},
+		}},
 	}
 
 	for _, testCase := range testCases {
diff --git a/integrations/api_ui_repo_topic_test.go b/integrations/api_ui_repo_topic_test.go
index 26757e06d586c..1190596bb639f 100644
--- a/integrations/api_ui_repo_topic_test.go
+++ b/integrations/api_ui_repo_topic_test.go
@@ -10,6 +10,7 @@ import (
 	"testing"
 
 	api "code.gitea.io/gitea/modules/structs"
+
 	"github.com/stretchr/testify/assert"
 )
 
diff --git a/integrations/git_test.go b/integrations/git_test.go
index 8eab8cff7a8e7..42fab9e2fb129 100644
--- a/integrations/git_test.go
+++ b/integrations/git_test.go
@@ -428,7 +428,7 @@ func doBranchProtectPRMerge(baseCtx *TestContext, dstPath string) func(t *testin
 	}
 }
 
-func doProtectBranch(ctx TestContext, branch string, userToWhitelist string, unprotectedFilePatterns string) func(t *testing.T) {
+func doProtectBranch(ctx TestContext, branch, userToWhitelist, unprotectedFilePatterns string) func(t *testing.T) {
 	// We are going to just use the owner to set the protection.
 	return func(t *testing.T) {
 		csrf := GetCSRF(t, ctx.Session, fmt.Sprintf("/%s/%s/settings/branches", url.PathEscape(ctx.Username), url.PathEscape(ctx.Reponame)))
diff --git a/integrations/mirror_push_test.go b/integrations/mirror_push_test.go
index 04c8261c2c35a..fd75612db4ff2 100644
--- a/integrations/mirror_push_test.go
+++ b/integrations/mirror_push_test.go
@@ -97,7 +97,7 @@ func doCreatePushMirror(ctx TestContext, address, username, password string) fun
 	}
 }
 
-func doRemovePushMirror(ctx APITestContext, address, username, password string, pushMirrorID int) func(t *testing.T) {
+func doRemovePushMirror(ctx TestContext, address, username, password string, pushMirrorID int) func(t *testing.T) {
 	return func(t *testing.T) {
 		csrf := GetCSRF(t, ctx.Session, fmt.Sprintf("/%s/%s/settings", url.PathEscape(ctx.Username), url.PathEscape(ctx.Reponame)))
 
diff --git a/modules/context/api.go b/modules/context/api.go
index e834092ec4741..13756001bf43e 100644
--- a/modules/context/api.go
+++ b/modules/context/api.go
@@ -19,8 +19,6 @@ import (
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/web/middleware"
 	auth_service "code.gitea.io/gitea/services/auth"
-
-	"gitea.com/go-chi/session"
 )
 
 // APIContext is a specific context for API service
diff --git a/modules/context/api_ui.go b/modules/context/api_ui.go
index dce49b1c5c819..ee0251ebf0ede 100644
--- a/modules/context/api_ui.go
+++ b/modules/context/api_ui.go
@@ -17,12 +17,12 @@ import (
 
 // APIUIContexter returns apicontext as middleware
 func APIUIContexter() func(http.Handler) http.Handler {
-	var csrfOpts = getCsrfOpts()
+	csrfOpts := getCsrfOpts()
 
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-			var locale = middleware.Locale(w, req)
-			var ctx = APIContext{
+			locale := middleware.Locale(w, req)
+			ctx := APIContext{
 				Context: &Context{
 					Resp:    NewResponse(w),
 					Data:    map[string]interface{}{},
diff --git a/modules/session/store.go b/modules/session/store.go
index aad64ffe37851..8c5d7d82eb463 100644
--- a/modules/session/store.go
+++ b/modules/session/store.go
@@ -16,3 +16,9 @@ type Store interface {
 	Set(interface{}, interface{}) error
 	Delete(interface{}) error
 }
+
+// RegenerateSession regenerates the underlying session and returns the new store
+func RegenerateSession(resp http.ResponseWriter, req *http.Request) (Store, error) {
+	s, err := session.RegenerateSession(resp, req)
+	return s, err
+}
diff --git a/routers/api/ui/api.go b/routers/api/ui/api.go
index a82b1c99f62c9..bf02be40af947 100644
--- a/routers/api/ui/api.go
+++ b/routers/api/ui/api.go
@@ -41,8 +41,8 @@ func repoAssignment() func(ctx *context.APIContext) {
 		)
 
 		// Check if the user is the same as the repository owner.
-		if ctx.IsSigned && ctx.User.LowerName == strings.ToLower(userName) {
-			owner = ctx.User
+		if ctx.IsSigned && ctx.Doer.LowerName == strings.ToLower(userName) {
+			owner = ctx.Doer
 		} else {
 			owner, err = user_model.GetUserByName(userName)
 			if err != nil {
@@ -83,7 +83,7 @@ func repoAssignment() func(ctx *context.APIContext) {
 		repo.Owner = owner
 		ctx.Repo.Repository = repo
 
-		ctx.Repo.Permission, err = models.GetUserRepoPermission(repo, ctx.User)
+		ctx.Repo.Permission, err = models.GetUserRepoPermission(repo, ctx.Doer)
 		if err != nil {
 			ctx.Error(http.StatusInternalServerError, "GetUserRepoPermission", err)
 			return
@@ -136,7 +136,7 @@ func reqOrgOwnership() func(ctx *context.APIContext) {
 			return
 		}
 
-		isOwner, err := models.IsOrganizationOwner(orgID, ctx.User.ID)
+		isOwner, err := models.IsOrganizationOwner(orgID, ctx.Doer.ID)
 		if err != nil {
 			ctx.Error(http.StatusInternalServerError, "IsOrganizationOwner", err)
 			return
@@ -168,7 +168,7 @@ func reqOrgMembership() func(ctx *context.APIContext) {
 			return
 		}
 
-		if isMember, err := models.IsOrganizationMember(orgID, ctx.User.ID); err != nil {
+		if isMember, err := models.IsOrganizationMember(orgID, ctx.Doer.ID); err != nil {
 			ctx.Error(http.StatusInternalServerError, "IsOrganizationMember", err)
 			return
 		} else if !isMember {
@@ -237,7 +237,7 @@ func mustEnableIssuesOrPulls(ctx *context.APIContext) {
 			if ctx.IsSigned {
 				log.Trace("Permission Denied: User %-v cannot read %-v and %-v in Repo %-v\n"+
 					"User in Repo has Permissions: %-+v",
-					ctx.User,
+					ctx.Doer,
 					unit.TypeIssues,
 					unit.TypePullRequests,
 					ctx.Repo.Repository,
@@ -265,12 +265,12 @@ func mustNotBeArchived(ctx *context.APIContext) {
 
 // bind binding an obj to a func(ctx *context.APIContext)
 func bind(obj interface{}) http.HandlerFunc {
-	var tp = reflect.TypeOf(obj)
+	tp := reflect.TypeOf(obj)
 	for tp.Kind() == reflect.Ptr {
 		tp = tp.Elem()
 	}
 	return web.Wrap(func(ctx *context.APIContext) {
-		var theObj = reflect.New(tp).Interface() // create a new form obj for every request but not use obj directly
+		theObj := reflect.New(tp).Interface() // create a new form obj for every request but not use obj directly
 		errs := binding.Bind(ctx.Req, theObj)
 		if len(errs) > 0 {
 			ctx.Error(http.StatusUnprocessableEntity, "validationError", errs[0].Error())
@@ -282,15 +282,15 @@ func bind(obj interface{}) http.HandlerFunc {
 
 // Routes registers all v1 APIs routes to web application.
 func Routes(sess func(next http.Handler) http.Handler) *web.Route {
-	var m = web.NewRoute()
+	m := web.NewRoute()
 
 	m.Use(sess)
 	m.Use(common.SecurityHeaders())
 	if setting.CORSConfig.Enabled {
 		m.Use(cors.Handler(cors.Options{
-			//Scheme:           setting.CORSConfig.Scheme, // FIXME: the cors middleware needs scheme option
+			// Scheme:           setting.CORSConfig.Scheme, // FIXME: the cors middleware needs scheme option
 			AllowedOrigins: setting.CORSConfig.AllowDomain,
-			//setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option
+			// setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option
 			AllowedMethods:   setting.CORSConfig.Methods,
 			AllowCredentials: setting.CORSConfig.AllowCredentials,
 			MaxAge:           int(setting.CORSConfig.MaxAge.Seconds()),
diff --git a/routers/web/web.go b/routers/web/web.go
index 7b0e76b38fb55..b40a43058d423 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -23,7 +23,6 @@ import (
 	"code.gitea.io/gitea/modules/validation"
 	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/modules/web/routing"
-	"code.gitea.io/gitea/routers/admin"
 	"code.gitea.io/gitea/routers/api/v1/misc"
 	"code.gitea.io/gitea/routers/web/admin"
 	"code.gitea.io/gitea/routers/web/auth"