summary refs log tree commit diff
path: root/api/src/routes
diff options
context:
space:
mode:
authorFlam3rboy <34555296+Flam3rboy@users.noreply.github.com>2021-08-12 20:09:35 +0200
committerFlam3rboy <34555296+Flam3rboy@users.noreply.github.com>2021-08-12 20:09:35 +0200
commit524b5df7231635682053d0c028b0a24189b875ab (patch)
tree38bdb481e6149a825170cb67cb961410de92efdd /api/src/routes
parentnpm i @fosscord/server-util@1.3.52 (diff)
downloadserver-524b5df7231635682053d0c028b0a24189b875ab.tar.xz
:sparkles: api
Diffstat (limited to 'api/src/routes')
-rw-r--r--api/src/routes/auth/login.ts113
-rw-r--r--api/src/routes/auth/register.ts309
-rw-r--r--api/src/routes/channels/#channel_id/followers.ts14
-rw-r--r--api/src/routes/channels/#channel_id/index.ts60
-rw-r--r--api/src/routes/channels/#channel_id/invites.ts65
-rw-r--r--api/src/routes/channels/#channel_id/messages/#message_id/ack.ts35
-rw-r--r--api/src/routes/channels/#channel_id/messages/#message_id/crosspost.ts8
-rw-r--r--api/src/routes/channels/#channel_id/messages/#message_id/index.ts72
-rw-r--r--api/src/routes/channels/#channel_id/messages/#message_id/reactions.ts191
-rw-r--r--api/src/routes/channels/#channel_id/messages/bulk-delete.ts37
-rw-r--r--api/src/routes/channels/#channel_id/messages/index.ts146
-rw-r--r--api/src/routes/channels/#channel_id/permissions.ts72
-rw-r--r--api/src/routes/channels/#channel_id/pins.ts93
-rw-r--r--api/src/routes/channels/#channel_id/recipients.ts5
-rw-r--r--api/src/routes/channels/#channel_id/typing.ts31
-rw-r--r--api/src/routes/channels/#channel_id/webhooks.ts26
-rw-r--r--api/src/routes/experiments.ts10
-rw-r--r--api/src/routes/gateway.ts11
-rw-r--r--api/src/routes/guilds/#guild_id/bans.ts90
-rw-r--r--api/src/routes/guilds/#guild_id/channels.ts73
-rw-r--r--api/src/routes/guilds/#guild_id/delete.ts48
-rw-r--r--api/src/routes/guilds/#guild_id/index.ts61
-rw-r--r--api/src/routes/guilds/#guild_id/invites.ts17
-rw-r--r--api/src/routes/guilds/#guild_id/members/#member_id/index.ts69
-rw-r--r--api/src/routes/guilds/#guild_id/members/#member_id/nick.ts24
-rw-r--r--api/src/routes/guilds/#guild_id/members/#member_id/roles/#role_id/index.ts27
-rw-r--r--api/src/routes/guilds/#guild_id/members/index.ts38
-rw-r--r--api/src/routes/guilds/#guild_id/regions.ts10
-rw-r--r--api/src/routes/guilds/#guild_id/roles.ts128
-rw-r--r--api/src/routes/guilds/#guild_id/templates.ts99
-rw-r--r--api/src/routes/guilds/#guild_id/vanity-url.ts45
-rw-r--r--api/src/routes/guilds/#guild_id/welcome_screen.ts49
-rw-r--r--api/src/routes/guilds/#guild_id/widget.json.ts139
-rw-r--r--api/src/routes/guilds/#guild_id/widget.png.ts110
-rw-r--r--api/src/routes/guilds/#guild_id/widget.ts35
-rw-r--r--api/src/routes/guilds/index.ts89
-rw-r--r--api/src/routes/guilds/templates/index.ts61
-rw-r--r--api/src/routes/invites/index.ts44
-rw-r--r--api/src/routes/ping.ts9
-rw-r--r--api/src/routes/science.ts10
-rw-r--r--api/src/routes/users/#id/index.ts13
-rw-r--r--api/src/routes/users/#id/profile.ts27
-rw-r--r--api/src/routes/users/@me/affinities/guilds.ts10
-rw-r--r--api/src/routes/users/@me/affinities/user.ts10
-rw-r--r--api/src/routes/users/@me/channels.ts53
-rw-r--r--api/src/routes/users/@me/delete.ts22
-rw-r--r--api/src/routes/users/@me/disable.ts20
-rw-r--r--api/src/routes/users/@me/guilds.ts55
-rw-r--r--api/src/routes/users/@me/index.ts48
-rw-r--r--api/src/routes/users/@me/library.ts10
-rw-r--r--api/src/routes/users/@me/profile.ts27
-rw-r--r--api/src/routes/users/@me/relationships.ts176
-rw-r--r--api/src/routes/users/@me/settings.ts10
53 files changed, 3054 insertions, 0 deletions
diff --git a/api/src/routes/auth/login.ts b/api/src/routes/auth/login.ts
new file mode 100644
index 00000000..c3661608
--- /dev/null
+++ b/api/src/routes/auth/login.ts
@@ -0,0 +1,113 @@
+import { Request, Response, Router } from "express";
+import { check, FieldErrors, Length } from "../../util/instanceOf";
+import bcrypt from "bcrypt";
+import jwt from "jsonwebtoken";
+import { Config, UserModel } from "@fosscord/server-util";
+import { adjustEmail } from "./register";
+import RateLimit from "../../middlewares/RateLimit";
+
+const router: Router = Router();
+export default router;
+
+// TODO: check if user is deleted --> prohibit login
+
+router.post(
+	"/",
+	check({
+		login: new Length(String, 2, 100), // email or telephone
+		password: new Length(String, 8, 72),
+		$undelete: Boolean,
+		$captcha_key: String,
+		$login_source: String,
+		$gift_code_sku_id: String
+	}),
+	async (req: Request, res: Response) => {
+		const { login, password, captcha_key, undelete } = req.body;
+		const email = adjustEmail(login);
+		const query: any[] = [{ phone: login }];
+		if (email) query.push({ email });
+
+		// TODO: Rewrite this to have the proper config syntax on the new method
+
+		const config = Config.get();
+
+		if (config.login.requireCaptcha && config.security.captcha.enabled) {
+			if (!captcha_key) {
+				const { sitekey, service } = config.security.captcha;
+				return res.status(400).json({
+					captcha_key: ["captcha-required"],
+					captcha_sitekey: sitekey,
+					captcha_service: service
+				});
+			}
+
+			// TODO: check captcha
+		}
+
+		const user = await UserModel.findOne(
+			{ $or: query },
+			{ user_data: { hash: true }, id: true, disabled: true, deleted: true, user_settings: { locale: true, theme: true } }
+		)
+			.exec()
+			.catch((e) => {
+				throw FieldErrors({ login: { message: req.t("auth:login.INVALID_LOGIN"), code: "INVALID_LOGIN" } });
+			});
+
+		if (undelete) {
+			// undelete refers to un'disable' here
+			if (user.disabled) await UserModel.updateOne({ id: user.id }, { disabled: false }).exec();
+			if (user.deleted) await UserModel.updateOne({ id: user.id }, { deleted: false }).exec();
+		} else {
+			if (user.deleted) return res.status(400).json({ message: "This account is scheduled for deletion.", code: 20011 });
+			if (user.disabled) return res.status(400).json({ message: req.t("auth:login.ACCOUNT_DISABLED"), code: 20013 });
+		}
+
+		// the salt is saved in the password refer to bcrypt docs
+		const same_password = await bcrypt.compare(password, user.user_data.hash || "");
+		if (!same_password) {
+			throw FieldErrors({ password: { message: req.t("auth:login.INVALID_PASSWORD"), code: "INVALID_PASSWORD" } });
+		}
+
+		const token = await generateToken(user.id);
+
+		// Notice this will have a different token structure, than discord
+		// Discord header is just the user id as string, which is not possible with npm-jsonwebtoken package
+		// https://user-images.githubusercontent.com/6506416/81051916-dd8c9900-8ec2-11ea-8794-daf12d6f31f0.png
+
+		res.json({ token, user_settings: user.user_settings });
+	}
+);
+
+export async function generateToken(id: string) {
+	const iat = Math.floor(Date.now() / 1000);
+	const algorithm = "HS256";
+
+	return new Promise((res, rej) => {
+		jwt.sign(
+			{ id: id, iat },
+			Config.get().security.jwtSecret,
+			{
+				algorithm
+			},
+			(err, token) => {
+				if (err) return rej(err);
+				return res(token);
+			}
+		);
+	});
+}
+
+/**
+ * POST /auth/login
+ * @argument { login: "email@gmail.com", password: "cleartextpassword", undelete: false, captcha_key: null, login_source: null, gift_code_sku_id: null, }
+
+ * MFA required:
+ * @returns {"token": null, "mfa": true, "sms": true, "ticket": "SOME TICKET JWT TOKEN"}
+
+ * Captcha required:
+ * @returns {"captcha_key": ["captcha-required"], "captcha_sitekey": null, "captcha_service": "recaptcha"}
+
+ * Sucess:
+ * @returns {"token": "USERTOKEN", "user_settings": {"locale": "en", "theme": "dark"}}
+
+ */
diff --git a/api/src/routes/auth/register.ts b/api/src/routes/auth/register.ts
new file mode 100644
index 00000000..66a1fc8d
--- /dev/null
+++ b/api/src/routes/auth/register.ts
@@ -0,0 +1,309 @@
+import { Request, Response, Router } from "express";
+import { trimSpecial, User, Snowflake, UserModel, Config } from "@fosscord/server-util";
+import bcrypt from "bcrypt";
+import { check, Email, EMAIL_REGEX, FieldErrors, Length } from "../../util/instanceOf";
+import "missing-native-js-functions";
+import { generateToken } from "./login";
+import { getIpAdress, IPAnalysis, isProxy } from "../../util/ipAddress";
+import { HTTPError } from "lambert-server";
+import RateLimit from "../../middlewares/RateLimit";
+
+const router: Router = Router();
+
+router.post(
+	"/",
+	check({
+		username: new Length(String, 2, 32),
+		// TODO: check min password length in config
+		// prevent Denial of Service with max length of 72 chars
+		password: new Length(String, 8, 72),
+		consent: Boolean,
+		$email: new Length(Email, 5, 100),
+		$fingerprint: String,
+		$invite: String,
+		$date_of_birth: Date, // "2000-04-03"
+		$gift_code_sku_id: String,
+		$captcha_key: String
+	}),
+	async (req: Request, res: Response) => {
+		const {
+			email,
+			username,
+			password,
+			consent,
+			fingerprint,
+			invite,
+			date_of_birth,
+			gift_code_sku_id, // ? what is this
+			captcha_key
+		} = req.body;
+
+		// get register Config
+		const { register, security } = Config.get();
+		const ip = getIpAdress(req);
+
+		if (register.blockProxies) {
+			if (isProxy(await IPAnalysis(ip))) {
+				console.log(`proxy ${ip} blocked from registration`);
+				throw new HTTPError("Your IP is blocked from registration");
+			}
+		}
+
+		console.log("register", req.body.email, req.body.username, ip);
+		// TODO: automatically join invite
+		// TODO: gift_code_sku_id?
+		// TODO: check password strength
+
+		// adjusted_email will be slightly modified version of the user supplied email -> e.g. protection against GMail Trick
+		let adjusted_email: string | null = adjustEmail(email);
+
+		// adjusted_password will be the hash of the password
+		let adjusted_password: string = "";
+
+		// trim special uf8 control characters -> Backspace, Newline, ...
+		let adjusted_username: string = trimSpecial(username);
+
+		// discriminator will be randomly generated
+		let discriminator = "";
+
+		// check if registration is allowed
+		if (!register.allowNewRegistration) {
+			throw FieldErrors({
+				email: { code: "REGISTRATION_DISABLED", message: req.t("auth:register.REGISTRATION_DISABLED") }
+			});
+		}
+
+		// check if the user agreed to the Terms of Service
+		if (!consent) {
+			throw FieldErrors({
+				consent: { code: "CONSENT_REQUIRED", message: req.t("auth:register.CONSENT_REQUIRED") }
+			});
+		}
+
+		// require invite to register -> e.g. for organizations to send invites to their employees
+		if (register.requireInvite && !invite) {
+			throw FieldErrors({
+				email: { code: "INVITE_ONLY", message: req.t("auth:register.INVITE_ONLY") }
+			});
+		}
+
+		if (email) {
+			// replace all dots and chars after +, if its a gmail.com email
+			if (!adjusted_email) throw FieldErrors({ email: { code: "INVALID_EMAIL", message: req.t("auth:register.INVALID_EMAIL") } });
+
+			// check if there is already an account with this email
+			const exists = await UserModel.findOne({ email: adjusted_email })
+				.exec()
+				.catch((e) => {});
+
+			if (exists) {
+				throw FieldErrors({
+					email: {
+						code: "EMAIL_ALREADY_REGISTERED",
+						message: req.t("auth:register.EMAIL_ALREADY_REGISTERED")
+					}
+				});
+			}
+		} else if (register.email.necessary) {
+			throw FieldErrors({
+				email: { code: "BASE_TYPE_REQUIRED", message: req.t("common:field.BASE_TYPE_REQUIRED") }
+			});
+		}
+
+		if (register.dateOfBirth.necessary && !date_of_birth) {
+			throw FieldErrors({
+				date_of_birth: { code: "BASE_TYPE_REQUIRED", message: req.t("common:field.BASE_TYPE_REQUIRED") }
+			});
+		} else if (register.dateOfBirth.minimum) {
+			const minimum = new Date();
+			minimum.setFullYear(minimum.getFullYear() - register.dateOfBirth.minimum);
+
+			// higher is younger
+			if (date_of_birth > minimum) {
+				throw FieldErrors({
+					date_of_birth: {
+						code: "DATE_OF_BIRTH_UNDERAGE",
+						message: req.t("auth:register.DATE_OF_BIRTH_UNDERAGE", { years: register.dateOfBirth.minimum })
+					}
+				});
+			}
+		}
+
+		if (!register.allowMultipleAccounts) {
+			// TODO: check if fingerprint was eligible generated
+			const exists = await UserModel.findOne({ fingerprints: fingerprint })
+				.exec()
+				.catch((e) => {});
+
+			if (exists) {
+				throw FieldErrors({
+					email: {
+						code: "EMAIL_ALREADY_REGISTERED",
+						message: req.t("auth:register.EMAIL_ALREADY_REGISTERED")
+					}
+				});
+			}
+		}
+
+		if (register.requireCaptcha && security.captcha.enabled) {
+			if (!captcha_key) {
+				const { sitekey, service } = security.captcha;
+				return res.status(400).json({
+					captcha_key: ["captcha-required"],
+					captcha_sitekey: sitekey,
+					captcha_service: service
+				});
+			}
+
+			// TODO: check captcha
+		}
+
+		// the salt is saved in the password refer to bcrypt docs
+		adjusted_password = await bcrypt.hash(password, 12);
+
+		let exists;
+		// randomly generates a discriminator between 1 and 9999 and checks max five times if it already exists
+		// if it all five times already exists, abort with USERNAME_TOO_MANY_USERS error
+		// else just continue
+		// TODO: is there any better way to generate a random discriminator only once, without checking if it already exists in the mongodb database?
+		for (let tries = 0; tries < 5; tries++) {
+			discriminator = Math.randomIntBetween(1, 9999).toString().padStart(4, "0");
+			try {
+				exists = await UserModel.findOne({ discriminator, username: adjusted_username }, "id").exec();
+			} catch (error) {
+				// doesn't exist -> break
+				break;
+			}
+		}
+
+		if (exists) {
+			throw FieldErrors({
+				username: {
+					code: "USERNAME_TOO_MANY_USERS",
+					message: req.t("auth:register.USERNAME_TOO_MANY_USERS")
+				}
+			});
+		}
+
+		// TODO: save date_of_birth
+		// appearently discord doesn't save the date of birth and just calculate if nsfw is allowed
+		// if nsfw_allowed is null/undefined it'll require date_of_birth to set it to true/false
+
+		const user: User = {
+			id: Snowflake.generate(),
+			created_at: new Date(),
+			username: adjusted_username,
+			discriminator,
+			avatar: null,
+			accent_color: null,
+			banner: null,
+			bot: false,
+			system: false,
+			desktop: false,
+			mobile: false,
+			premium: true,
+			premium_type: 2,
+			phone: null,
+			bio: "",
+			mfa_enabled: false,
+			verified: false,
+			disabled: false,
+			deleted: false,
+			presence: {
+				activities: [],
+				client_status: {
+					desktop: undefined,
+					mobile: undefined,
+					web: undefined
+				},
+				status: "offline"
+			},
+			email: adjusted_email,
+			nsfw_allowed: true, // TODO: depending on age
+			public_flags: 0n,
+			flags: 0n, // TODO: generate default flags
+			guilds: [],
+			user_data: {
+				hash: adjusted_password,
+				valid_tokens_since: new Date(),
+				relationships: [],
+				connected_accounts: [],
+				fingerprints: []
+			},
+			user_settings: {
+				afk_timeout: 300,
+				allow_accessibility_detection: true,
+				animate_emoji: true,
+				animate_stickers: 0,
+				contact_sync_enabled: false,
+				convert_emoticons: false,
+				custom_status: {
+					emoji_id: null,
+					emoji_name: null,
+					expires_at: null,
+					text: null
+				},
+				default_guilds_restricted: false,
+				detect_platform_accounts: true,
+				developer_mode: false,
+				disable_games_tab: false,
+				enable_tts_command: true,
+				explicit_content_filter: 0,
+				friend_source_flags: { all: true },
+				gateway_connected: false,
+				gif_auto_play: true,
+				guild_folders: [],
+				guild_positions: [],
+				inline_attachment_media: true,
+				inline_embed_media: true,
+				locale: req.language,
+				message_display_compact: false,
+				native_phone_integration_enabled: true,
+				render_embeds: true,
+				render_reactions: true,
+				restricted_guilds: [],
+				show_current_game: true,
+				status: "offline",
+				stream_notifications_enabled: true,
+				theme: "dark",
+				timezone_offset: 0
+				// timezone_offset: // TODO: timezone from request
+			}
+		};
+
+		// insert user into database
+		await new UserModel(user).save();
+
+		return res.json({ token: await generateToken(user.id) });
+	}
+);
+
+export function adjustEmail(email: string): string | null {
+	// body parser already checked if it is a valid email
+	const parts = <RegExpMatchArray>email.match(EMAIL_REGEX);
+	// @ts-ignore
+	if (!parts || parts.length < 5) return undefined;
+	const domain = parts[5];
+	const user = parts[1];
+
+	// TODO: check accounts with uncommon email domains
+	if (domain === "gmail.com" || domain === "googlemail.com") {
+		// replace .dots and +alternatives -> Gmail Dot Trick https://support.google.com/mail/answer/7436150 and https://generator.email/blog/gmail-generator
+		return user.replace(/[.]|(\+.*)/g, "") + "@gmail.com";
+	}
+
+	return email;
+}
+
+export default router;
+
+/**
+ * POST /auth/register
+ * @argument { "fingerprint":"805826570869932034.wR8vi8lGlFBJerErO9LG5NViJFw", "email":"qo8etzvaf@gmail.com", "username":"qp39gr98", "password":"wtp9gep9gw", "invite":null, "consent":true, "date_of_birth":"2000-04-04", "gift_code_sku_id":null, "captcha_key":null}
+ *
+ * Field Error
+ * @returns { "code": 50035, "errors": { "consent": { "_errors": [{ "code": "CONSENT_REQUIRED", "message": "You must agree to Discord's Terms of Service and Privacy Policy." }]}}, "message": "Invalid Form Body"}
+ *
+ * Success 201:
+ * @returns {token: "OMITTED"}
+ */
diff --git a/api/src/routes/channels/#channel_id/followers.ts b/api/src/routes/channels/#channel_id/followers.ts
new file mode 100644
index 00000000..641af4f8
--- /dev/null
+++ b/api/src/routes/channels/#channel_id/followers.ts
@@ -0,0 +1,14 @@
+import { Router, Response, Request } from "express";
+const router: Router = Router();
+// TODO:
+
+export default router;
+
+/**
+ *
+ * @param {"webhook_channel_id":"754001514330062952"}
+ *
+ * Creates a WebHook in the channel and returns the id of it
+ *
+ * @returns {"channel_id": "816382962056560690", "webhook_id": "834910735095037962"}
+ */
diff --git a/api/src/routes/channels/#channel_id/index.ts b/api/src/routes/channels/#channel_id/index.ts
new file mode 100644
index 00000000..81e5054e
--- /dev/null
+++ b/api/src/routes/channels/#channel_id/index.ts
@@ -0,0 +1,60 @@
+import { ChannelDeleteEvent, ChannelModel, ChannelUpdateEvent, getPermission, GuildUpdateEvent, toObject } from "@fosscord/server-util";
+import { Router, Response, Request } from "express";
+import { HTTPError } from "lambert-server";
+import { ChannelModifySchema } from "../../../schema/Channel";
+import { emitEvent } from "../../../util/Event";
+import { check } from "../../../util/instanceOf";
+const router: Router = Router();
+// TODO: delete channel
+// TODO: Get channel
+
+router.get("/", async (req: Request, res: Response) => {
+	const { channel_id } = req.params;
+
+	const channel = await ChannelModel.findOne({ id: channel_id }).exec();
+
+	const permission = await getPermission(req.user_id, channel.guild_id, channel_id);
+	permission.hasThrow("VIEW_CHANNEL");
+
+	return res.send(toObject(channel));
+});
+
+router.delete("/", async (req: Request, res: Response) => {
+	const { channel_id } = req.params;
+
+	const channel = await ChannelModel.findOne({ id: channel_id }).exec();
+
+	const permission = await getPermission(req.user_id, channel?.guild_id, channel_id, { channel });
+	permission.hasThrow("MANAGE_CHANNELS");
+
+	// TODO: Dm channel "close" not delete
+	const data = toObject(channel);
+
+	await emitEvent({ event: "CHANNEL_DELETE", data, channel_id } as ChannelDeleteEvent);
+
+	await ChannelModel.deleteOne({ id: channel_id });
+
+	res.send(data);
+});
+
+router.patch("/", check(ChannelModifySchema), async (req: Request, res: Response) => {
+	var payload = req.body as ChannelModifySchema;
+	const { channel_id } = req.params;
+
+	const permission = await getPermission(req.user_id, undefined, channel_id);
+	permission.hasThrow("MANAGE_CHANNELS");
+
+	const channel = await ChannelModel.findOneAndUpdate({ id: channel_id }, payload).exec();
+
+	const data = toObject(channel);
+
+	await emitEvent({
+		event: "CHANNEL_UPDATE",
+		data,
+		channel_id
+	} as ChannelUpdateEvent);
+
+	res.send(data);
+});
+
+export default router;
diff --git a/api/src/routes/channels/#channel_id/invites.ts b/api/src/routes/channels/#channel_id/invites.ts
new file mode 100644
index 00000000..c9db4dd2
--- /dev/null
+++ b/api/src/routes/channels/#channel_id/invites.ts
@@ -0,0 +1,65 @@
+import { Router, Request, Response } from "express";
+import { HTTPError } from "lambert-server";
+
+import { check } from "../../../util/instanceOf";
+import { random } from "../../../util/RandomInviteID";
+import { emitEvent } from "../../../util/Event";
+
+import { InviteCreateSchema } from "../../../schema/Invite";
+
+import { getPermission, ChannelModel, InviteModel, InviteCreateEvent, toObject } from "@fosscord/server-util";
+
+const router: Router = Router();
+
+router.post("/", check(InviteCreateSchema), async (req: Request, res: Response) => {
+	const { user_id } = req;
+	const { channel_id } = req.params;
+	const channel = await ChannelModel.findOne({ id: channel_id }).exec();
+
+	if (!channel.guild_id) {
+		throw new HTTPError("This channel doesn't exist", 404);
+	}
+	const { guild_id } = channel;
+
+	const permission = await getPermission(user_id, guild_id);
+	permission.hasThrow("CREATE_INSTANT_INVITE");
+
+	const expires_at = new Date(req.body.max_age * 1000 + Date.now());
+
+	const invite = {
+		code: random(),
+		temporary: req.body.temporary,
+		uses: 0,
+		max_uses: req.body.max_uses,
+		max_age: req.body.max_age,
+		expires_at,
+		created_at: new Date(),
+		guild_id,
+		channel_id: channel_id,
+		inviter_id: user_id
+	};
+
+	await new InviteModel(invite).save();
+
+	await emitEvent({ event: "INVITE_CREATE", data: invite, guild_id } as InviteCreateEvent);
+	res.status(201).send(invite);
+});
+
+router.get("/", async (req: Request, res: Response) => {
+	const { user_id } = req;
+	const { channel_id } = req.params;
+	const channel = await ChannelModel.findOne({ id: channel_id }).exec();
+
+	if (!channel.guild_id) {
+		throw new HTTPError("This channel doesn't exist", 404);
+	}
+	const { guild_id } = channel;
+	const permission = await getPermission(user_id, guild_id);
+	permission.hasThrow("MANAGE_CHANNELS");
+
+	const invites = await InviteModel.find({ guild_id }).exec();
+
+	res.status(200).send(toObject(invites));
+});
+
+export default router;
diff --git a/api/src/routes/channels/#channel_id/messages/#message_id/ack.ts b/api/src/routes/channels/#channel_id/messages/#message_id/ack.ts
new file mode 100644
index 00000000..f4d9e696
--- /dev/null
+++ b/api/src/routes/channels/#channel_id/messages/#message_id/ack.ts
@@ -0,0 +1,35 @@
+import { getPermission, MessageAckEvent, ReadStateModel } from "@fosscord/server-util";
+import { Request, Response, Router } from "express";
+import { emitEvent } from "../../../../../util/Event";
+import { check } from "../../../../../util/instanceOf";
+
+const router = Router();
+
+// TODO: check if message exists
+// TODO: send read state event to all channel members
+
+router.post("/", check({ $manual: Boolean, $mention_count: Number }), async (req: Request, res: Response) => {
+	const { channel_id, message_id } = req.params;
+
+	const permission = await getPermission(req.user_id, undefined, channel_id);
+	permission.hasThrow("VIEW_CHANNEL");
+
+	await ReadStateModel.updateOne(
+		{ user_id: req.user_id, channel_id, message_id },
+		{ user_id: req.user_id, channel_id, message_id }
+	).exec();
+
+	await emitEvent({
+		event: "MESSAGE_ACK",
+		user_id: req.user_id,
+		data: {
+			channel_id,
+			message_id,
+			version: 496
+		}
+	} as MessageAckEvent);
+
+	res.sendStatus(204);
+});
+
+export default router;
diff --git a/api/src/routes/channels/#channel_id/messages/#message_id/crosspost.ts b/api/src/routes/channels/#channel_id/messages/#message_id/crosspost.ts
new file mode 100644
index 00000000..6753e832
--- /dev/null
+++ b/api/src/routes/channels/#channel_id/messages/#message_id/crosspost.ts
@@ -0,0 +1,8 @@
+import { Router, Response, Request } from "express";
+
+const router = Router();
+
+// TODO:
+// router.post("/", (req: Request, res: Response) => {});
+
+export default router;
diff --git a/api/src/routes/channels/#channel_id/messages/#message_id/index.ts b/api/src/routes/channels/#channel_id/messages/#message_id/index.ts
new file mode 100644
index 00000000..a7c23d2f
--- /dev/null
+++ b/api/src/routes/channels/#channel_id/messages/#message_id/index.ts
@@ -0,0 +1,72 @@
+import { ChannelModel, getPermission, MessageDeleteEvent, MessageModel, MessageUpdateEvent, toObject } from "@fosscord/server-util";
+import { Router, Response, Request } from "express";
+import { HTTPError } from "lambert-server";
+import { MessageCreateSchema } from "../../../../../schema/Message";
+import { emitEvent } from "../../../../../util/Event";
+import { check } from "../../../../../util/instanceOf";
+import { handleMessage, postHandleMessage } from "../../../../../util/Message";
+
+const router = Router();
+
+router.patch("/", check(MessageCreateSchema), async (req: Request, res: Response) => {
+	const { message_id, channel_id } = req.params;
+	var body = req.body as MessageCreateSchema;
+
+	var message = await MessageModel.findOne({ id: message_id, channel_id }, { author_id: true }).exec();
+
+	const permissions = await getPermission(req.user_id, undefined, channel_id);
+
+	if (req.user_id !== message.author_id) {
+		permissions.hasThrow("MANAGE_MESSAGES");
+		body = { flags: body.flags };
+	}
+
+	const opts = await handleMessage({
+		...body,
+		author_id: message.author_id,
+		channel_id,
+		id: message_id,
+		edited_timestamp: new Date()
+	});
+
+	// @ts-ignore
+	message = await MessageModel.findOneAndUpdate({ id: message_id }, opts).populate("author").exec();
+
+	await emitEvent({
+		event: "MESSAGE_UPDATE",
+		channel_id,
+		data: { ...toObject(message), nonce: undefined }
+	} as MessageUpdateEvent);
+
+	postHandleMessage(message);
+
+	return res.json(toObject(message));
+});
+
+// TODO: delete attachments in message
+
+router.delete("/", async (req: Request, res: Response) => {
+	const { message_id, channel_id } = req.params;
+
+	const channel = await ChannelModel.findOne({ id: channel_id }, { guild_id: true });
+	const message = await MessageModel.findOne({ id: message_id }, { author_id: true }).exec();
+
+	const permission = await getPermission(req.user_id, channel.guild_id, channel_id);
+	if (message.author_id !== req.user_id) permission.hasThrow("MANAGE_MESSAGES");
+
+	await MessageModel.deleteOne({ id: message_id }).exec();
+
+	await emitEvent({
+		event: "MESSAGE_DELETE",
+		channel_id,
+		data: {
+			id: message_id,
+			channel_id,
+			guild_id: channel.guild_id
+		}
+	} as MessageDeleteEvent);
+
+	res.sendStatus(204);
+});
+
+export default router;
diff --git a/api/src/routes/channels/#channel_id/messages/#message_id/reactions.ts b/api/src/routes/channels/#channel_id/messages/#message_id/reactions.ts
new file mode 100644
index 00000000..168a870f
--- /dev/null
+++ b/api/src/routes/channels/#channel_id/messages/#message_id/reactions.ts
@@ -0,0 +1,191 @@
+import {
+	ChannelModel,
+	EmojiModel,
+	getPermission,
+	MemberModel,
+	MessageModel,
+	MessageReactionAddEvent,
+	MessageReactionRemoveAllEvent,
+	MessageReactionRemoveEmojiEvent,
+	MessageReactionRemoveEvent,
+	PartialEmoji,
+	PublicUserProjection,
+	toObject,
+	UserModel
+} from "@fosscord/server-util";
+import { Router, Response, Request } from "express";
+import { HTTPError } from "lambert-server";
+import { emitEvent } from "../../../../../util/Event";
+
+const router = Router();
+// TODO: check if emoji is really an unicode emoji or a prperly encoded external emoji
+
+function getEmoji(emoji: string): PartialEmoji {
+	emoji = decodeURIComponent(emoji);
+	const parts = emoji.includes(":") && emoji.split(":");
+	if (parts)
+		return {
+			name: parts[0],
+			id: parts[1]
+		};
+
+	return {
+		id: undefined,
+		name: emoji
+	};
+}
+
+router.delete("/", async (req: Request, res: Response) => {
+	const { message_id, channel_id } = req.params;
+
+	const channel = await ChannelModel.findOne({ id: channel_id }, { guild_id: true }).exec();
+
+	const permissions = await getPermission(req.user_id, undefined, channel_id);
+	permissions.hasThrow("MANAGE_MESSAGES");
+
+	await MessageModel.findOneAndUpdate({ id: message_id, channel_id }, { reactions: [] }).exec();
+
+	await emitEvent({
+		event: "MESSAGE_REACTION_REMOVE_ALL",
+		channel_id,
+		data: {
+			channel_id,
+			message_id,
+			guild_id: channel.guild_id
+		}
+	} as MessageReactionRemoveAllEvent);
+
+	res.sendStatus(204);
+});
+
+router.delete("/:emoji", async (req: Request, res: Response) => {
+	const { message_id, channel_id } = req.params;
+	const emoji = getEmoji(req.params.emoji);
+
+	const channel = await ChannelModel.findOne({ id: channel_id }, { guild_id: true }).exec();
+
+	const permissions = await getPermission(req.user_id, undefined, channel_id);
+	permissions.hasThrow("MANAGE_MESSAGES");
+
+	const message = await MessageModel.findOne({ id: message_id, channel_id }).exec();
+
+	const already_added = message.reactions.find((x) => (x.emoji.id === emoji.id && emoji.id) || x.emoji.name === emoji.name);
+	if (!already_added) throw new HTTPError("Reaction not found", 404);
+	message.reactions.remove(already_added);
+
+	await MessageModel.updateOne({ id: message_id, channel_id }, message).exec();
+
+	await emitEvent({
+		event: "MESSAGE_REACTION_REMOVE_EMOJI",
+		channel_id,
+		data: {
+			channel_id,
+			message_id,
+			guild_id: channel.guild_id,
+			emoji
+		}
+	} as MessageReactionRemoveEmojiEvent);
+
+	res.sendStatus(204);
+});
+
+router.get("/:emoji", async (req: Request, res: Response) => {
+	const { message_id, channel_id } = req.params;
+	const emoji = getEmoji(req.params.emoji);
+
+	const message = await MessageModel.findOne({ id: message_id, channel_id }).exec();
+	if (!message) throw new HTTPError("Message not found", 404);
+	const reaction = message.reactions.find((x) => (x.emoji.id === emoji.id && emoji.id) || x.emoji.name === emoji.name);
+	if (!reaction) throw new HTTPError("Reaction not found", 404);
+
+	const permissions = await getPermission(req.user_id, undefined, channel_id);
+	permissions.hasThrow("VIEW_CHANNEL");
+
+	const users = await UserModel.find({ id: { $in: reaction.user_ids } }, PublicUserProjection).exec();
+
+	res.json(toObject(users));
+});
+
+router.put("/:emoji/:user_id", async (req: Request, res: Response) => {
+	const { message_id, channel_id, user_id } = req.params;
+	if (user_id !== "@me") throw new HTTPError("Invalid user");
+	const emoji = getEmoji(req.params.emoji);
+
+	const channel = await ChannelModel.findOne({ id: channel_id }, { guild_id: true }).exec();
+	const message = await MessageModel.findOne({ id: message_id, channel_id }).exec();
+	const already_added = message.reactions.find((x) => (x.emoji.id === emoji.id && emoji.id) || x.emoji.name === emoji.name);
+
+	const permissions = await getPermission(req.user_id, undefined, channel_id);
+	permissions.hasThrow("READ_MESSAGE_HISTORY");
+	if (!already_added) permissions.hasThrow("ADD_REACTIONS");
+
+	if (emoji.id) {
+		const external_emoji = await EmojiModel.findOne({ id: emoji.id }).exec();
+		if (!already_added) permissions.hasThrow("USE_EXTERNAL_EMOJIS");
+		emoji.animated = external_emoji.animated;
+		emoji.name = external_emoji.name;
+	}
+
+	if (already_added) {
+		if (already_added.user_ids.includes(req.user_id)) return res.sendStatus(204); // Do not throw an error ¯\_(ツ)_/¯ as discord also doesn't throw any error
+		already_added.count++;
+	} else message.reactions.push({ count: 1, emoji, user_ids: [req.user_id] });
+
+	await MessageModel.updateOne({ id: message_id, channel_id }, message).exec();
+
+	const member = channel.guild_id && (await MemberModel.findOne({ id: req.user_id }).exec());
+
+	await emitEvent({
+		event: "MESSAGE_REACTION_ADD",
+		channel_id,
+		data: {
+			user_id: req.user_id,
+			channel_id,
+			message_id,
+			guild_id: channel.guild_id,
+			emoji,
+			member
+		}
+	} as MessageReactionAddEvent);
+
+	res.sendStatus(204);
+});
+
+router.delete("/:emoji/:user_id", async (req: Request, res: Response) => {
+	var { message_id, channel_id, user_id } = req.params;
+
+	const emoji = getEmoji(req.params.emoji);
+
+	const channel = await ChannelModel.findOne({ id: channel_id }, { guild_id: true }).exec();
+	const message = await MessageModel.findOne({ id: message_id, channel_id }).exec();
+
+	const permissions = await getPermission(req.user_id, undefined, channel_id);
+
+	if (user_id === "@me") user_id = req.user_id;
+	else permissions.hasThrow("MANAGE_MESSAGES");
+
+	const already_added = message.reactions.find((x) => (x.emoji.id === emoji.id && emoji.id) || x.emoji.name === emoji.name);
+	if (!already_added || !already_added.user_ids.includes(user_id)) throw new HTTPError("Reaction not found", 404);
+
+	already_added.count--;
+
+	if (already_added.count <= 0) message.reactions.remove(already_added);
+
+	await MessageModel.updateOne({ id: message_id, channel_id }, message).exec();
+
+	await emitEvent({
+		event: "MESSAGE_REACTION_REMOVE",
+		channel_id,
+		data: {
+			user_id: req.user_id,
+			channel_id,
+			message_id,
+			guild_id: channel.guild_id,
+			emoji
+		}
+	} as MessageReactionRemoveEvent);
+
+	res.sendStatus(204);
+});
+
+export default router;
diff --git a/api/src/routes/channels/#channel_id/messages/bulk-delete.ts b/api/src/routes/channels/#channel_id/messages/bulk-delete.ts
new file mode 100644
index 00000000..e53cd597
--- /dev/null
+++ b/api/src/routes/channels/#channel_id/messages/bulk-delete.ts
@@ -0,0 +1,37 @@
+import { Router, Response, Request } from "express";
+import { ChannelModel, Config, getPermission, MessageDeleteBulkEvent, MessageModel } from "@fosscord/server-util";
+import { HTTPError } from "lambert-server";
+import { emitEvent } from "../../../../util/Event";
+import { check } from "../../../../util/instanceOf";
+
+const router: Router = Router();
+
+export default router;
+
+// TODO: should users be able to bulk delete messages or only bots?
+// TODO: should this request fail, if you provide messages older than 14 days/invalid ids?
+// https://discord.com/developers/docs/resources/channel#bulk-delete-messages
+router.post("/", check({ messages: [String] }), async (req: Request, res: Response) => {
+	const { channel_id } = req.params;
+	const channel = await ChannelModel.findOne({ id: channel_id }, { permission_overwrites: true, guild_id: true }).exec();
+	if (!channel.guild_id) throw new HTTPError("Can't bulk delete dm channel messages", 400);
+
+	const permission = await getPermission(req.user_id, channel?.guild_id, channel_id, { channel });
+	permission.hasThrow("MANAGE_MESSAGES");
+
+	const { maxBulkDelete } = Config.get().limits.message;
+
+	const { messages } = req.body as { messages: string[] };
+	if (messages.length < 2) throw new HTTPError("You must at least specify 2 messages to bulk delete");
+	if (messages.length > maxBulkDelete) throw new HTTPError(`You cannot delete more than ${maxBulkDelete} messages`);
+
+	await MessageModel.deleteMany({ id: { $in: messages } }).exec();
+
+	await emitEvent({
+		event: "MESSAGE_DELETE_BULK",
+		channel_id,
+		data: { ids: messages, channel_id, guild_id: channel.guild_id }
+	} as MessageDeleteBulkEvent);
+
+	res.sendStatus(204);
+});
diff --git a/api/src/routes/channels/#channel_id/messages/index.ts b/api/src/routes/channels/#channel_id/messages/index.ts
new file mode 100644
index 00000000..fea4d6a4
--- /dev/null
+++ b/api/src/routes/channels/#channel_id/messages/index.ts
@@ -0,0 +1,146 @@
+import { Router, Response, Request } from "express";
+import { Attachment, ChannelModel, ChannelType, getPermission, MessageDocument, MessageModel, toObject } from "@fosscord/server-util";
+import { HTTPError } from "lambert-server";
+import { MessageCreateSchema } from "../../../../schema/Message";
+import { check, instanceOf, Length } from "../../../../util/instanceOf";
+import multer from "multer";
+import { Query } from "mongoose";
+import { sendMessage } from "../../../../util/Message";
+import { uploadFile } from "../../../../util/cdn";
+
+const router: Router = Router();
+
+export default router;
+
+export function isTextChannel(type: ChannelType): boolean {
+	switch (type) {
+		case ChannelType.GUILD_VOICE:
+		case ChannelType.GUILD_CATEGORY:
+			throw new HTTPError("not a text channel", 400);
+		case ChannelType.DM:
+		case ChannelType.GROUP_DM:
+		case ChannelType.GUILD_NEWS:
+		case ChannelType.GUILD_STORE:
+		case ChannelType.GUILD_TEXT:
+			return true;
+	}
+}
+
+// https://discord.com/developers/docs/resources/channel#create-message
+// get messages
+router.get("/", async (req: Request, res: Response) => {
+	const channel_id = req.params.channel_id;
+	const channel = await ChannelModel.findOne(
+		{ id: channel_id },
+		{ guild_id: true, type: true, permission_overwrites: true, recipient_ids: true, owner_id: true }
+	)
+		.lean() // lean is needed, because we don't want to populate .recipients that also auto deletes .recipient_ids
+		.exec();
+	if (!channel) throw new HTTPError("Channel not found", 404);
+
+	isTextChannel(channel.type);
+
+	try {
+		instanceOf({ $around: String, $after: String, $before: String, $limit: new Length(Number, 1, 100) }, req.query, {
+			path: "query",
+			req
+		});
+	} catch (error) {
+		return res.status(400).json({ code: 50035, message: "Invalid Query", success: false, errors: error });
+	}
+	var { around, after, before, limit }: { around?: string; after?: string; before?: string; limit?: number } = req.query;
+	if (!limit) limit = 50;
+	var halfLimit = Math.floor(limit / 2);
+
+	// @ts-ignore
+	const permissions = await getPermission(req.user_id, channel.guild_id, channel_id, { channel });
+	permissions.hasThrow("VIEW_CHANNEL");
+	if (!permissions.has("READ_MESSAGE_HISTORY")) return res.json([]);
+
+	var query: Query<MessageDocument[], MessageDocument>;
+	if (after) query = MessageModel.find({ channel_id, id: { $gt: after } });
+	else if (before) query = MessageModel.find({ channel_id, id: { $lt: before } });
+	else if (around)
+		query = MessageModel.find({
+			channel_id,
+			id: { $gt: (BigInt(around) - BigInt(halfLimit)).toString(), $lt: (BigInt(around) + BigInt(halfLimit)).toString() }
+		});
+	else {
+		query = MessageModel.find({ channel_id });
+	}
+
+	query = query.sort({ id: -1 });
+
+	const messages = await query.limit(limit).exec();
+
+	return res.json(
+		toObject(messages).map((x) => {
+			(x.reactions || []).forEach((x) => {
+				// @ts-ignore
+				if ((x.user_ids || []).includes(req.user_id)) x.me = true;
+				// @ts-ignore
+				delete x.user_ids;
+			});
+			// @ts-ignore
+			if (!x.author) x.author = { discriminator: "0000", username: "Deleted User", public_flags: 0n, avatar: null };
+
+			return x;
+		})
+	);
+});
+
+// TODO: config max upload size
+const messageUpload = multer({
+	limits: {
+		fileSize: 1024 * 1024 * 100,
+		fields: 10,
+		files: 1
+	},
+	storage: multer.memoryStorage()
+}); // max upload 50 mb
+
+// TODO: dynamically change limit of MessageCreateSchema with config
+// TODO: check: sum of all characters in an embed structure must not exceed 6000 characters
+
+// https://discord.com/developers/docs/resources/channel#create-message
+// TODO: text channel slowdown
+// TODO: trim and replace message content and every embed field
+// TODO: check allowed_mentions
+
+// Send message
+router.post("/", messageUpload.single("file"), async (req: Request, res: Response) => {
+	const { channel_id } = req.params;
+	var body = req.body as MessageCreateSchema;
+	const attachments: Attachment[] = [];
+
+	if (req.file) {
+		try {
+			const file = await uploadFile(`/attachments/${channel_id}`, req.file);
+			attachments.push({ ...file, proxy_url: file.url });
+		} catch (error) {
+			return res.status(400).json(error);
+		}
+	}
+
+	if (body.payload_json) {
+		body = JSON.parse(body.payload_json);
+	}
+
+	const errors = instanceOf(MessageCreateSchema, body, { req });
+	if (errors !== true) throw errors;
+
+	const embeds = [];
+	if (body.embed) embeds.push(body.embed);
+	const data = await sendMessage({
+		...body,
+		type: 0,
+		pinned: false,
+		author_id: req.user_id,
+		embeds,
+		channel_id,
+		attachments,
+		edited_timestamp: null
+	});
+
+	return res.send(data);
+});
diff --git a/api/src/routes/channels/#channel_id/permissions.ts b/api/src/routes/channels/#channel_id/permissions.ts
new file mode 100644
index 00000000..12364293
--- /dev/null
+++ b/api/src/routes/channels/#channel_id/permissions.ts
@@ -0,0 +1,72 @@
+import { ChannelModel, ChannelPermissionOverwrite, ChannelUpdateEvent, getPermission, MemberModel, RoleModel } from "@fosscord/server-util";
+import { Router, Response, Request } from "express";
+import { HTTPError } from "lambert-server";
+import { emitEvent } from "../../../util/Event";
+import { check } from "../../../util/instanceOf";
+const router: Router = Router();
+
+// TODO: Only permissions your bot has in the guild or channel can be allowed/denied (unless your bot has a MANAGE_ROLES overwrite in the channel)
+
+router.put("/:overwrite_id", check({ allow: String, deny: String, type: Number, id: String }), async (req: Request, res: Response) => {
+	const { channel_id, overwrite_id } = req.params;
+	const body = req.body as { allow: bigint; deny: bigint; type: number; id: string };
+
+	var channel = await ChannelModel.findOne({ id: channel_id }, { guild_id: true, permission_overwrites: true }).exec();
+	if (!channel.guild_id) throw new HTTPError("Channel not found", 404);
+
+	const permissions = await getPermission(req.user_id, channel.guild_id, channel_id);
+	permissions.hasThrow("MANAGE_ROLES");
+
+	if (body.type === 0) {
+		if (!(await RoleModel.exists({ id: overwrite_id }))) throw new HTTPError("role not found", 404);
+	} else if (body.type === 1) {
+		if (!(await MemberModel.exists({ id: overwrite_id }))) throw new HTTPError("user not found", 404);
+	} else throw new HTTPError("type not supported", 501);
+
+	// @ts-ignore
+	var overwrite: ChannelPermissionOverwrite = channel.permission_overwrites.find((x) => x.id === overwrite_id);
+	if (!overwrite) {
+		// @ts-ignore
+		overwrite = {
+			id: overwrite_id,
+			type: body.type,
+			allow: body.allow,
+			deny: body.deny
+		};
+		channel.permission_overwrites.push(overwrite);
+	}
+	overwrite.allow = body.allow;
+	overwrite.deny = body.deny;
+
+	// @ts-ignore
+	channel = await ChannelModel.findOneAndUpdate({ id: channel_id }, channel).exec();
+
+	await emitEvent({
+		event: "CHANNEL_UPDATE",
+		channel_id,
+		data: channel
+	} as ChannelUpdateEvent);
+
+	return res.sendStatus(204);
+});
+
+// TODO: check permission hierarchy
+router.delete("/:overwrite_id", async (req: Request, res: Response) => {
+	const { channel_id, overwrite_id } = req.params;
+
+	const permissions = await getPermission(req.user_id, undefined, channel_id);
+	permissions.hasThrow("MANAGE_ROLES");
+
+	const channel = await ChannelModel.findOneAndUpdate({ id: channel_id }, { $pull: { permission_overwrites: { id: overwrite_id } } });
+	if (!channel.guild_id) throw new HTTPError("Channel not found", 404);
+
+	await emitEvent({
+		event: "CHANNEL_UPDATE",
+		channel_id,
+		data: channel
+	} as ChannelUpdateEvent);
+
+	return res.sendStatus(204);
+});
+
+export default router;
diff --git a/api/src/routes/channels/#channel_id/pins.ts b/api/src/routes/channels/#channel_id/pins.ts
new file mode 100644
index 00000000..65d6b975
--- /dev/null
+++ b/api/src/routes/channels/#channel_id/pins.ts
@@ -0,0 +1,93 @@
+import {
+	ChannelModel,
+	ChannelPinsUpdateEvent,
+	Config,
+	getPermission,
+	MessageModel,
+	MessageUpdateEvent,
+	toObject
+} from "@fosscord/server-util";
+import { Router, Request, Response } from "express";
+import { HTTPError } from "lambert-server";
+import { emitEvent } from "../../../util/Event";
+
+const router: Router = Router();
+
+router.put("/:message_id", async (req: Request, res: Response) => {
+	const { channel_id, message_id } = req.params;
+	const channel = await ChannelModel.findOne({ id: channel_id }).exec();
+	const permission = await getPermission(req.user_id, channel.guild_id, channel_id);
+	permission.hasThrow("VIEW_CHANNEL");
+
+	// * in dm channels anyone can pin messages -> only check for guilds
+	if (channel.guild_id) permission.hasThrow("MANAGE_MESSAGES");
+
+	const pinned_count = await MessageModel.count({ channel_id, pinned: true }).exec();
+	const { maxPins } = Config.get().limits.channel;
+	if (pinned_count >= maxPins) throw new HTTPError("Max pin count reached: " + maxPins);
+
+	await MessageModel.updateOne({ id: message_id }, { pinned: true }).exec();
+	const message = toObject(await MessageModel.findOne({ id: message_id }).exec());
+
+	await emitEvent({
+		event: "MESSAGE_UPDATE",
+		channel_id,
+		data: message
+	} as MessageUpdateEvent);
+
+	await emitEvent({
+		event: "CHANNEL_PINS_UPDATE",
+		channel_id,
+		data: {
+			channel_id,
+			guild_id: channel.guild_id,
+			last_pin_timestamp: undefined
+		}
+	} as ChannelPinsUpdateEvent);
+
+	res.sendStatus(204);
+});
+
+router.delete("/:message_id", async (req: Request, res: Response) => {
+	const { channel_id, message_id } = req.params;
+
+	const channel = await ChannelModel.findOne({ id: channel_id }).exec();
+
+	const permission = await getPermission(req.user_id, channel.guild_id, channel_id);
+	permission.hasThrow("VIEW_CHANNEL");
+	if (channel.guild_id) permission.hasThrow("MANAGE_MESSAGES");
+
+	const message = toObject(await MessageModel.findOneAndUpdate({ id: message_id }, { pinned: false }).exec());
+
+	await emitEvent({
+		event: "MESSAGE_UPDATE",
+		channel_id,
+		data: message
+	} as MessageUpdateEvent);
+
+	await emitEvent({
+		event: "CHANNEL_PINS_UPDATE",
+		channel_id,
+		data: {
+			channel_id,
+			guild_id: channel.guild_id,
+			last_pin_timestamp: undefined
+		}
+	} as ChannelPinsUpdateEvent);
+
+	res.sendStatus(204);
+});
+
+router.get("/", async (req: Request, res: Response) => {
+	const { channel_id } = req.params;
+
+	const channel = await ChannelModel.findOne({ id: channel_id }).exec();
+	const permission = await getPermission(req.user_id, channel.guild_id, channel_id);
+	permission.hasThrow("VIEW_CHANNEL");
+
+	let pins = await MessageModel.find({ channel_id: channel_id, pinned: true }).exec();
+
+	res.send(toObject(pins));
+});
+
+export default router;
diff --git a/api/src/routes/channels/#channel_id/recipients.ts b/api/src/routes/channels/#channel_id/recipients.ts
new file mode 100644
index 00000000..ea6bc563
--- /dev/null
+++ b/api/src/routes/channels/#channel_id/recipients.ts
@@ -0,0 +1,5 @@
+import { Router, Response, Request } from "express";
+const router: Router = Router();
+// TODO:
+
+export default router;
diff --git a/api/src/routes/channels/#channel_id/typing.ts b/api/src/routes/channels/#channel_id/typing.ts
new file mode 100644
index 00000000..de549883
--- /dev/null
+++ b/api/src/routes/channels/#channel_id/typing.ts
@@ -0,0 +1,31 @@
+import { ChannelModel, MemberModel, toObject, TypingStartEvent } from "@fosscord/server-util";
+import { Router, Request, Response } from "express";
+
+import { HTTPError } from "lambert-server";
+import { emitEvent } from "../../../util/Event";
+
+const router: Router = Router();
+
+router.post("/", async (req: Request, res: Response) => {
+	const { channel_id } = req.params;
+	const user_id = req.user_id;
+	const timestamp = Date.now();
+	const channel = await ChannelModel.findOne({ id: channel_id });
+	const member = await MemberModel.findOne({ id: user_id }).exec();
+
+	await emitEvent({
+		event: "TYPING_START",
+		channel_id: channel_id,
+		data: {
+			// this is the paylod
+			member: toObject(member),
+			channel_id,
+			timestamp,
+			user_id,
+			guild_id: channel.guild_id
+		}
+	} as TypingStartEvent);
+	res.sendStatus(204);
+});
+
+export default router;
diff --git a/api/src/routes/channels/#channel_id/webhooks.ts b/api/src/routes/channels/#channel_id/webhooks.ts
new file mode 100644
index 00000000..6c1aea2a
--- /dev/null
+++ b/api/src/routes/channels/#channel_id/webhooks.ts
@@ -0,0 +1,26 @@
+import { Router, Response, Request } from "express";
+import { check, Length } from "../../../util/instanceOf";
+import { ChannelModel, getPermission, trimSpecial } from "@fosscord/server-util";
+import { HTTPError } from "lambert-server";
+import { isTextChannel } from "./messages/index";
+
+const router: Router = Router();
+// TODO:
+
+// TODO: use Image Data Type for avatar instead of String
+router.post("/", check({ name: new Length(String, 1, 80), $avatar: String }), async (req: Request, res: Response) => {
+	const channel_id = req.params.channel_id;
+	const channel = await ChannelModel.findOne({ id: channel_id }, { guild_id: true, type: true }).exec();
+
+	isTextChannel(channel.type);
+	if (!channel.guild_id) throw new HTTPError("Not a guild channel", 400);
+
+	const permission = await getPermission(req.user_id, channel.guild_id);
+	permission.hasThrow("MANAGE_WEBHOOKS");
+
+	var { avatar, name } = req.body as { name: string; avatar?: string };
+	name = trimSpecial(name);
+	if (name === "clyde") throw new HTTPError("Invalid name", 400);
+});
+
+export default router;
diff --git a/api/src/routes/experiments.ts b/api/src/routes/experiments.ts
new file mode 100644
index 00000000..3bdbed62
--- /dev/null
+++ b/api/src/routes/experiments.ts
@@ -0,0 +1,10 @@
+import { Router, Response, Request } from "express";
+
+const router = Router();
+
+router.get("/", (req: Request, res: Response) => {
+	// TODO:
+	res.send({ fingerprint: "", assignments: [] });
+});
+
+export default router;
diff --git a/api/src/routes/gateway.ts b/api/src/routes/gateway.ts
new file mode 100644
index 00000000..f2bc5b34
--- /dev/null
+++ b/api/src/routes/gateway.ts
@@ -0,0 +1,11 @@
+import { Config } from "@fosscord/server-util";
+import { Router, Response, Request } from "express";
+
+const router = Router();
+
+router.get("/", (req: Request, res: Response) => {
+	const { endpoint } = Config.get().gateway;
+	res.json({ url: endpoint || process.env.GATEWAY || "ws://localhost:3002" });
+});
+
+export default router;
diff --git a/api/src/routes/guilds/#guild_id/bans.ts b/api/src/routes/guilds/#guild_id/bans.ts
new file mode 100644
index 00000000..d9752f61
--- /dev/null
+++ b/api/src/routes/guilds/#guild_id/bans.ts
@@ -0,0 +1,90 @@
+import { Request, Response, Router } from "express";
+import { BanModel, getPermission, GuildBanAddEvent, GuildBanRemoveEvent, GuildModel, toObject } from "@fosscord/server-util";
+import { HTTPError } from "lambert-server";
+import { getIpAdress } from "../../../util/ipAddress";
+import { BanCreateSchema } from "../../../schema/Ban";
+import { emitEvent } from "../../../util/Event";
+import { check } from "../../../util/instanceOf";
+import { removeMember } from "../../../util/Member";
+import { getPublicUser } from "../../../util/User";
+
+const router: Router = Router();
+
+router.get("/", async (req: Request, res: Response) => {
+	const { guild_id } = req.params;
+
+	const guild = await GuildModel.exists({ id: guild_id });
+	if (!guild) throw new HTTPError("Guild not found", 404);
+
+	var bans = await BanModel.find({ guild_id: guild_id }, { user_id: true, reason: true }).exec();
+	return res.json(toObject(bans));
+});
+
+router.get("/:user", async (req: Request, res: Response) => {
+	const { guild_id } = req.params;
+	const user_id = req.params.ban;
+
+	var ban = await BanModel.findOne({ guild_id: guild_id, user_id: user_id }).exec();
+	return res.json(ban);
+});
+
+router.put("/:user_id", check(BanCreateSchema), async (req: Request, res: Response) => {
+	const { guild_id } = req.params;
+	const banned_user_id = req.params.user_id;
+
+	const banned_user = await getPublicUser(banned_user_id);
+	const perms = await getPermission(req.user_id, guild_id);
+	perms.hasThrow("BAN_MEMBERS");
+	if (req.user_id === banned_user_id) throw new HTTPError("You can't ban yourself", 400);
+
+	await removeMember(banned_user_id, guild_id);
+
+	const ban = await new BanModel({
+		user_id: banned_user_id,
+		guild_id: guild_id,
+		ip: getIpAdress(req),
+		executor_id: req.user_id,
+		reason: req.body.reason // || otherwise empty
+	}).save();
+
+	await emitEvent({
+		event: "GUILD_BAN_ADD",
+		data: {
+			guild_id: guild_id,
+			user: banned_user
+		},
+		guild_id: guild_id
+	} as GuildBanAddEvent);
+
+	return res.json(toObject(ban));
+});
+
+router.delete("/:user_id", async (req: Request, res: Response) => {
+	var { guild_id } = req.params;
+	var banned_user_id = req.params.user_id;
+
+	const banned_user = await getPublicUser(banned_user_id);
+	const guild = await GuildModel.exists({ id: guild_id });
+	if (!guild) throw new HTTPError("Guild not found", 404);
+
+	const perms = await getPermission(req.user_id, guild_id);
+	perms.hasThrow("BAN_MEMBERS");
+
+	await BanModel.deleteOne({
+		user_id: banned_user_id,
+		guild_id
+	}).exec();
+
+	await emitEvent({
+		event: "GUILD_BAN_REMOVE",
+		data: {
+			guild_id,
+			user: banned_user
+		},
+		guild_id
+	} as GuildBanRemoveEvent);
+
+	return res.status(204).send();
+});
+
+export default router;
diff --git a/api/src/routes/guilds/#guild_id/channels.ts b/api/src/routes/guilds/#guild_id/channels.ts
new file mode 100644
index 00000000..52361f5e
--- /dev/null
+++ b/api/src/routes/guilds/#guild_id/channels.ts
@@ -0,0 +1,73 @@
+import { Router, Response, Request } from "express";
+import {
+	ChannelCreateEvent,
+	ChannelModel,
+	ChannelType,
+	GuildModel,
+	Snowflake,
+	toObject,
+	ChannelUpdateEvent,
+	AnyChannel,
+	getPermission
+} from "@fosscord/server-util";
+import { HTTPError } from "lambert-server";
+import { ChannelModifySchema } from "../../../schema/Channel";
+import { emitEvent } from "../../../util/Event";
+import { check } from "../../../util/instanceOf";
+import { createChannel } from "../../../util/Channel";
+const router = Router();
+
+router.get("/", async (req: Request, res: Response) => {
+	const { guild_id } = req.params;
+	const channels = await ChannelModel.find({ guild_id }).exec();
+
+	res.json(toObject(channels));
+});
+
+// TODO: check if channel type is permitted
+// TODO: check if parent_id exists
+
+router.post("/", check(ChannelModifySchema), async (req: Request, res: Response) => {
+	// creates a new guild channel https://discord.com/developers/docs/resources/guild#create-guild-channel
+	const { guild_id } = req.params;
+	const body = req.body as ChannelModifySchema;
+
+	const channel = await createChannel({ ...body, guild_id }, req.user_id);
+
+	res.json(toObject(channel));
+});
+
+// TODO: check if parent_id exists
+router.patch(
+	"/",
+	check([{ id: String, $position: Number, $lock_permissions: Boolean, $parent_id: String }]),
+	async (req: Request, res: Response) => {
+		// changes guild channel position
+		const { guild_id } = req.params;
+		const body = req.body as { id: string; position?: number; lock_permissions?: boolean; parent_id?: string };
+		body.position = Math.floor(body.position || 0);
+		if (!body.position && !body.parent_id) throw new HTTPError(`You need to at least specify position or parent_id`, 400);
+
+		const permission = await getPermission(req.user_id, guild_id);
+		permission.hasThrow("MANAGE_CHANNELS");
+
+		const opts: any = {};
+		if (body.position) opts.position = body.position;
+
+		if (body.parent_id) {
+			opts.parent_id = body.parent_id;
+			const parent_channel = await ChannelModel.findOne({ id: body.parent_id, guild_id }, { permission_overwrites: true }).exec();
+			if (body.lock_permissions) {
+				opts.permission_overwrites = parent_channel.permission_overwrites;
+			}
+		}
+
+		const channel = await ChannelModel.findOneAndUpdate({ id: req.body, guild_id }, opts).exec();
+
+		await emitEvent({ event: "CHANNEL_UPDATE", data: channel, channel_id: body.id, guild_id } as ChannelUpdateEvent);
+
+		res.json(toObject(channel));
+	}
+);
+
+export default router;
diff --git a/api/src/routes/guilds/#guild_id/delete.ts b/api/src/routes/guilds/#guild_id/delete.ts
new file mode 100644
index 00000000..6cca289e
--- /dev/null
+++ b/api/src/routes/guilds/#guild_id/delete.ts
@@ -0,0 +1,48 @@
+import {
+	ChannelModel,
+	EmojiModel,
+	GuildDeleteEvent,
+	GuildModel,
+	InviteModel,
+	MemberModel,
+	MessageModel,
+	RoleModel,
+	UserModel
+} from "@fosscord/server-util";
+import { Router, Request, Response } from "express";
+import { HTTPError } from "lambert-server";
+import { emitEvent } from "../../../util/Event";
+
+const router = Router();
+
+// discord prefixes this route with /delete instead of using the delete method
+// docs are wrong https://discord.com/developers/docs/resources/guild#delete-guild
+router.post("/", async (req: Request, res: Response) => {
+	var { guild_id } = req.params;
+
+	const guild = await GuildModel.findOne({ id: guild_id }, "owner_id").exec();
+	if (guild.owner_id !== req.user_id) throw new HTTPError("You are not the owner of this guild", 401);
+
+	await emitEvent({
+		event: "GUILD_DELETE",
+		data: {
+			id: guild_id
+		},
+		guild_id: guild_id
+	} as GuildDeleteEvent);
+
+	await Promise.all([
+		GuildModel.deleteOne({ id: guild_id }).exec(),
+		UserModel.updateMany({ guilds: guild_id }, { $pull: { guilds: guild_id } }).exec(),
+		RoleModel.deleteMany({ guild_id }).exec(),
+		ChannelModel.deleteMany({ guild_id }).exec(),
+		EmojiModel.deleteMany({ guild_id }).exec(),
+		InviteModel.deleteMany({ guild_id }).exec(),
+		MessageModel.deleteMany({ guild_id }).exec(),
+		MemberModel.deleteMany({ guild_id }).exec()
+	]);
+
+	return res.sendStatus(204);
+});
+
+export default router;
diff --git a/api/src/routes/guilds/#guild_id/index.ts b/api/src/routes/guilds/#guild_id/index.ts
new file mode 100644
index 00000000..dc4ddb39
--- /dev/null
+++ b/api/src/routes/guilds/#guild_id/index.ts
@@ -0,0 +1,61 @@
+import { Request, Response, Router } from "express";
+import {
+	ChannelModel,
+	EmojiModel,
+	getPermission,
+	GuildDeleteEvent,
+	GuildModel,
+	GuildUpdateEvent,
+	InviteModel,
+	MemberModel,
+	MessageModel,
+	RoleModel,
+	toObject,
+	UserModel
+} from "@fosscord/server-util";
+import { HTTPError } from "lambert-server";
+import { GuildUpdateSchema } from "../../../schema/Guild";
+import { emitEvent } from "../../../util/Event";
+import { check } from "../../../util/instanceOf";
+import { handleFile } from "../../../util/cdn";
+import "missing-native-js-functions";
+
+const router = Router();
+
+router.get("/", async (req: Request, res: Response) => {
+	const { guild_id } = req.params;
+
+	const guild = await GuildModel.findOne({ id: guild_id })
+		.populate({ path: "joined_at", match: { id: req.user_id } })
+		.exec();
+
+	const member = await MemberModel.exists({ guild_id: guild_id, id: req.user_id });
+	if (!member) throw new HTTPError("You are not a member of the guild you are trying to access", 401);
+
+	return res.json(guild);
+});
+
+router.patch("/", check(GuildUpdateSchema), async (req: Request, res: Response) => {
+	const body = req.body as GuildUpdateSchema;
+	const { guild_id } = req.params;
+	// TODO: guild update check image
+
+	const perms = await getPermission(req.user_id, guild_id);
+	perms.hasThrow("MANAGE_GUILD");
+
+	if (body.icon) body.icon = await handleFile(`/icons/${guild_id}`, body.icon);
+	if (body.banner) body.banner = await handleFile(`/banners/${guild_id}`, body.banner);
+	if (body.splash) body.splash = await handleFile(`/splashes/${guild_id}`, body.splash);
+
+	const guild = await GuildModel.findOneAndUpdate({ id: guild_id }, body)
+		.populate({ path: "joined_at", match: { id: req.user_id } })
+		.exec();
+
+	const data = toObject(guild);
+
+	emitEvent({ event: "GUILD_UPDATE", data: data, guild_id } as GuildUpdateEvent);
+
+	return res.json(data);
+});
+
+export default router;
diff --git a/api/src/routes/guilds/#guild_id/invites.ts b/api/src/routes/guilds/#guild_id/invites.ts
new file mode 100644
index 00000000..1894ec96
--- /dev/null
+++ b/api/src/routes/guilds/#guild_id/invites.ts
@@ -0,0 +1,17 @@
+import { getPermission, InviteModel, toObject } from "@fosscord/server-util";
+import { Request, Response, Router } from "express";
+
+const router = Router();
+
+router.get("/", async (req: Request, res: Response) => {
+	const { guild_id } = req.params;
+
+	const permissions = await getPermission(req.user_id, guild_id);
+	permissions.hasThrow("MANAGE_GUILD");
+
+	const invites = await InviteModel.find({ guild_id }).exec();
+
+	return res.json(toObject(invites));
+});
+
+export default router;
diff --git a/api/src/routes/guilds/#guild_id/members/#member_id/index.ts b/api/src/routes/guilds/#guild_id/members/#member_id/index.ts
new file mode 100644
index 00000000..9a1676e6
--- /dev/null
+++ b/api/src/routes/guilds/#guild_id/members/#member_id/index.ts
@@ -0,0 +1,69 @@
+import { Request, Response, Router } from "express";
+import {
+	GuildModel,
+	MemberModel,
+	UserModel,
+	toObject,
+	GuildMemberAddEvent,
+	getPermission,
+	PermissionResolvable,
+	RoleModel,
+	GuildMemberUpdateEvent
+} from "@fosscord/server-util";
+import { HTTPError } from "lambert-server";
+import { addMember, isMember, removeMember } from "../../../../../util/Member";
+import { check } from "../../../../../util/instanceOf";
+import { MemberChangeSchema } from "../../../../../schema/Member";
+import { emitEvent } from "../../../../../util/Event";
+
+const router = Router();
+
+router.get("/", async (req: Request, res: Response) => {
+	const { guild_id, member_id } = req.params;
+	await isMember(req.user_id, guild_id);
+
+	const member = await MemberModel.findOne({ id: member_id, guild_id }).exec();
+
+	return res.json(toObject(member));
+});
+
+router.patch("/", check(MemberChangeSchema), async (req: Request, res: Response) => {
+	const { guild_id, member_id } = req.params;
+	const body = req.body as MemberChangeSchema;
+	if (body.roles) {
+		const roles = await RoleModel.find({ id: { $in: body.roles } }).exec();
+		if (body.roles.length !== roles.length) throw new HTTPError("Roles not found", 404);
+		// TODO: check if user has permission to add role
+	}
+
+	const member = await MemberModel.findOneAndUpdate({ id: member_id, guild_id }, body).exec();
+
+	await emitEvent({
+		event: "GUILD_MEMBER_UPDATE",
+		guild_id,
+		data: toObject(member)
+	} as GuildMemberUpdateEvent);
+
+	res.json(toObject(member));
+});
+
+router.put("/", async (req: Request, res: Response) => {
+	const { guild_id, member_id } = req.params;
+
+	throw new HTTPError("Maintenance: Currently you can't add a member", 403);
+	// TODO: only for oauth2 applications
+	await addMember(member_id, guild_id);
+	res.sendStatus(204);
+});
+
+router.delete("/", async (req: Request, res: Response) => {
+	const { guild_id, member_id } = req.params;
+
+	const perms = await getPermission(req.user_id, guild_id);
+	perms.hasThrow("KICK_MEMBERS");
+
+	await removeMember(member_id, guild_id);
+	res.sendStatus(204);
+});
+
+export default router;
diff --git a/api/src/routes/guilds/#guild_id/members/#member_id/nick.ts b/api/src/routes/guilds/#guild_id/members/#member_id/nick.ts
new file mode 100644
index 00000000..9078409d
--- /dev/null
+++ b/api/src/routes/guilds/#guild_id/members/#member_id/nick.ts
@@ -0,0 +1,24 @@
+import { getPermission, PermissionResolvable } from "@fosscord/server-util";
+import { Request, Response, Router } from "express";
+import { check } from "lambert-server";
+import { MemberNickChangeSchema } from "../../../../../schema/Member";
+import { changeNickname } from "../../../../../util/Member";
+
+const router = Router();
+
+router.patch("/", check(MemberNickChangeSchema), async (req: Request, res: Response) => {
+	var { guild_id, member_id } = req.params;
+	var permissionString: PermissionResolvable = "MANAGE_NICKNAMES";
+	if (member_id === "@me") {
+		member_id = req.user_id;
+		permissionString = "CHANGE_NICKNAME";
+	}
+
+	const perms = await getPermission(req.user_id, guild_id);
+	perms.hasThrow(permissionString);
+
+	await changeNickname(member_id, guild_id, req.body.nickname);
+	res.status(204);
+});
+
+export default router;
diff --git a/api/src/routes/guilds/#guild_id/members/#member_id/roles/#role_id/index.ts b/api/src/routes/guilds/#guild_id/members/#member_id/roles/#role_id/index.ts
new file mode 100644
index 00000000..b7a43c74
--- /dev/null
+++ b/api/src/routes/guilds/#guild_id/members/#member_id/roles/#role_id/index.ts
@@ -0,0 +1,27 @@
+import { getPermission } from "@fosscord/server-util";
+import { Request, Response, Router } from "express";
+import { addRole, removeRole } from "../../../../../../../util/Member";
+
+const router = Router();
+
+router.delete("/:member_id/roles/:role_id", async (req: Request, res: Response) => {
+	const { guild_id, role_id, member_id } = req.params;
+
+	const perms = await getPermission(req.user_id, guild_id);
+	perms.hasThrow("MANAGE_ROLES");
+
+	await removeRole(member_id, guild_id, role_id);
+	res.sendStatus(204);
+});
+
+router.put("/:member_id/roles/:role_id", async (req: Request, res: Response) => {
+	const { guild_id, role_id, member_id } = req.params;
+
+	const perms = await getPermission(req.user_id, guild_id);
+	perms.hasThrow("MANAGE_ROLES");
+
+	await addRole(member_id, guild_id, role_id);
+	res.sendStatus(204);
+});
+
+export default router;
diff --git a/api/src/routes/guilds/#guild_id/members/index.ts b/api/src/routes/guilds/#guild_id/members/index.ts
new file mode 100644
index 00000000..a157d8f5
--- /dev/null
+++ b/api/src/routes/guilds/#guild_id/members/index.ts
@@ -0,0 +1,38 @@
+import { Request, Response, Router } from "express";
+import { GuildModel, MemberModel, toObject } from "@fosscord/server-util";
+import { HTTPError } from "lambert-server";
+import { instanceOf, Length } from "../../../../util/instanceOf";
+import { PublicMemberProjection, isMember } from "../../../../util/Member";
+
+const router = Router();
+
+// TODO: not allowed for user -> only allowed for bots with privileged intents
+// TODO: send over websocket
+router.get("/", async (req: Request, res: Response) => {
+	const { guild_id } = req.params;
+	const guild = await GuildModel.findOne({ id: guild_id }).exec();
+	await isMember(req.user_id, guild_id);
+
+	try {
+		instanceOf({ $limit: new Length(Number, 1, 1000), $after: String }, req.query, {
+			path: "query",
+			req,
+			ref: { obj: null, key: "" }
+		});
+	} catch (error) {
+		return res.status(400).json({ code: 50035, message: "Invalid Query", success: false, errors: error });
+	}
+
+	// @ts-ignore
+	if (!req.query.limit) req.query.limit = 1;
+	const { limit, after } = (<unknown>req.query) as { limit: number; after: string };
+	const query = after ? { id: { $gt: after } } : {};
+
+	var members = await MemberModel.find({ guild_id, ...query }, PublicMemberProjection)
+		.limit(limit)
+		.exec();
+
+	return res.json(toObject(members));
+});
+
+export default router;
diff --git a/api/src/routes/guilds/#guild_id/regions.ts b/api/src/routes/guilds/#guild_id/regions.ts
new file mode 100644
index 00000000..3a46d766
--- /dev/null
+++ b/api/src/routes/guilds/#guild_id/regions.ts
@@ -0,0 +1,10 @@
+import { Config } from "@fosscord/server-util";
+import { Request, Response, Router } from "express";
+
+const router = Router();
+
+router.get("/", async (req: Request, res: Response) => {
+	return res.json(Config.get().regions.available);
+});
+
+export default router;
\ No newline at end of file
diff --git a/api/src/routes/guilds/#guild_id/roles.ts b/api/src/routes/guilds/#guild_id/roles.ts
new file mode 100644
index 00000000..77206a0f
--- /dev/null
+++ b/api/src/routes/guilds/#guild_id/roles.ts
@@ -0,0 +1,128 @@
+import { Request, Response, Router } from "express";
+import {
+	RoleModel,
+	GuildModel,
+	getPermission,
+	toObject,
+	UserModel,
+	Snowflake,
+	MemberModel,
+	GuildRoleCreateEvent,
+	GuildRoleUpdateEvent,
+	GuildRoleDeleteEvent
+} from "@fosscord/server-util";
+import { HTTPError } from "lambert-server";
+import { emitEvent } from "../../../util/Event";
+import { check } from "../../../util/instanceOf";
+import { RoleModifySchema } from "../../../schema/Roles";
+import { getPublicUser } from "../../../util/User";
+import { isMember } from "../../../util/Member";
+
+const router: Router = Router();
+
+router.get("/", async (req: Request, res: Response) => {
+	const guild_id = req.params.guild_id;
+
+	await isMember(req.user_id, guild_id);
+
+	const roles = await RoleModel.find({ guild_id: guild_id }).exec();
+
+	return res.json(toObject(roles));
+});
+
+router.post("/", check(RoleModifySchema), async (req: Request, res: Response) => {
+	const guild_id = req.params.guild_id;
+	const body = req.body as RoleModifySchema;
+
+	const guild = await GuildModel.findOne({ id: guild_id }, { id: true }).exec();
+	const user = await UserModel.findOne({ id: req.user_id }).exec();
+
+	const perms = await getPermission(req.user_id, guild_id);
+	perms.hasThrow("MANAGE_ROLES");
+	if (!body.name) throw new HTTPError("You need to specify a name");
+
+	const role = await new RoleModel({
+		...body,
+		id: Snowflake.generate(),
+		guild_id: guild_id,
+		managed: false,
+		position: 0,
+		tags: null,
+		permissions: body.permissions || 0n
+	}).save();
+
+	await emitEvent({
+		event: "GUILD_ROLE_CREATE",
+		guild_id,
+		data: {
+			guild_id,
+			role: toObject(role)
+		}
+	} as GuildRoleCreateEvent);
+
+	res.json(toObject(role));
+});
+
+router.delete("/:role_id", async (req: Request, res: Response) => {
+	const guild_id = req.params.guild_id;
+	const { role_id } = req.params;
+
+	const guild = await GuildModel.findOne({ id: guild_id }, { id: true }).exec();
+	const user = await UserModel.findOne({ id: req.user_id }).exec();
+
+	const perms = await getPermission(req.user_id, guild_id);
+
+	if (!perms.has("MANAGE_ROLES")) throw new HTTPError("You missing the MANAGE_ROLES permission", 401);
+
+	await RoleModel.findOneAndDelete({
+		id: role_id,
+		guild_id: guild_id
+	}).exec();
+
+	await emitEvent({
+		event: "GUILD_ROLE_DELETE",
+		guild_id,
+		data: {
+			guild_id,
+			role_id
+		}
+	} as GuildRoleDeleteEvent);
+
+	res.sendStatus(204);
+});
+
+// TODO: check role hierarchy
+
+router.patch("/:role_id", check(RoleModifySchema), async (req: Request, res: Response) => {
+	const guild_id = req.params.guild_id;
+	const { role_id } = req.params;
+	const body = req.body as RoleModifySchema;
+
+	const guild = await GuildModel.findOne({ id: guild_id }, { id: true }).exec();
+	const user = await UserModel.findOne({ id: req.user_id }).exec();
+
+	const perms = await getPermission(req.user_id, guild_id);
+	perms.hasThrow("MANAGE_ROLES");
+
+	const role = await RoleModel.findOneAndUpdate(
+		{
+			id: role_id,
+			guild_id: guild_id
+		},
+		// @ts-ignore
+		body
+	).exec();
+
+	await emitEvent({
+		event: "GUILD_ROLE_UPDATE",
+		guild_id,
+		data: {
+			guild_id,
+			role
+		}
+	} as GuildRoleUpdateEvent);
+
+	res.json(toObject(role));
+});
+
+export default router;
diff --git a/api/src/routes/guilds/#guild_id/templates.ts b/api/src/routes/guilds/#guild_id/templates.ts
new file mode 100644
index 00000000..8306ac37
--- /dev/null
+++ b/api/src/routes/guilds/#guild_id/templates.ts
@@ -0,0 +1,99 @@
+import { Request, Response, Router } from "express";
+import { TemplateModel, GuildModel, getPermission, toObject, UserModel, Snowflake } from "@fosscord/server-util";
+import { HTTPError } from "lambert-server";
+import { TemplateCreateSchema, TemplateModifySchema } from "../../../schema/Template";
+import { check } from "../../../util/instanceOf";
+import { generateCode } from "../../../util/String";
+
+const router: Router = Router();
+
+const TemplateGuildProjection = {
+	name: true,
+	description: true,
+	region: true,
+	verification_level: true,
+	default_message_notifications: true,
+	explicit_content_filter: true,
+	preferred_locale: true,
+	afk_timeout: true,
+	roles: true,
+	channels: true,
+	afk_channel_id: true,
+	system_channel_id: true,
+	system_channel_flags: true,
+	icon_hash: true
+};
+
+router.get("/", async (req: Request, res: Response) => {
+	const { guild_id } = req.params;
+
+	var templates = await TemplateModel.find({ source_guild_id: guild_id }).exec();
+
+	return res.json(toObject(templates));
+});
+
+router.post("/", check(TemplateCreateSchema), async (req: Request, res: Response) => {
+	const { guild_id } = req.params;
+	const guild = await GuildModel.findOne({ id: guild_id }, TemplateGuildProjection).exec();
+	const perms = await getPermission(req.user_id, guild_id);
+	perms.hasThrow("MANAGE_GUILD");
+
+	const exists = await TemplateModel.findOne({ id: guild_id })
+		.exec()
+		.catch((e) => {});
+	if (exists) throw new HTTPError("Template already exists", 400);
+
+	const template = await new TemplateModel({
+		...req.body,
+		code: generateCode(),
+		creator_id: req.user_id,
+		created_at: new Date(),
+		updated_at: new Date(),
+		source_guild_id: guild_id,
+		serialized_source_guild: guild
+	}).save();
+
+	res.json(toObject(template)).send();
+});
+
+router.delete("/:code", async (req: Request, res: Response) => {
+	const guild_id = req.params.guild_id;
+	const { code } = req.params;
+
+	const perms = await getPermission(req.user_id, guild_id);
+	perms.hasThrow("MANAGE_GUILD");
+
+	const template = await TemplateModel.findOneAndDelete({
+		code
+	}).exec();
+
+	res.send(toObject(template));
+});
+
+router.put("/:code", async (req: Request, res: Response) => {
+	const guild_id = req.params.guild_id;
+	const { code } = req.params;
+
+	const guild = await GuildModel.findOne({ id: guild_id }, TemplateGuildProjection).exec();
+
+	const perms = await getPermission(req.user_id, guild_id);
+	perms.hasThrow("MANAGE_GUILD");
+
+	const template = await TemplateModel.findOneAndUpdate({ code }, { serialized_source_guild: guild }).exec();
+
+	res.json(toObject(template)).send();
+});
+
+router.patch("/:code", check(TemplateModifySchema), async (req: Request, res: Response) => {
+	const { guild_id } = req.params;
+	const { code } = req.params;
+
+	const perms = await getPermission(req.user_id, guild_id);
+	perms.hasThrow("MANAGE_GUILD");
+
+	const template = await TemplateModel.findOneAndUpdate({ code }, { name: req.body.name, description: req.body.description }).exec();
+
+	res.json(toObject(template)).send();
+});
+
+export default router;
diff --git a/api/src/routes/guilds/#guild_id/vanity-url.ts b/api/src/routes/guilds/#guild_id/vanity-url.ts
new file mode 100644
index 00000000..323b2647
--- /dev/null
+++ b/api/src/routes/guilds/#guild_id/vanity-url.ts
@@ -0,0 +1,45 @@
+import { getPermission, GuildModel, InviteModel, trimSpecial } from "@fosscord/server-util";
+import { Router, Request, Response } from "express";
+import { HTTPError } from "lambert-server";
+import { check, Length } from "../../../util/instanceOf";
+import { isMember } from "../../../util/Member";
+
+const router = Router();
+
+const InviteRegex = /\W/g;
+
+router.get("/", async (req: Request, res: Response) => {
+	const { guild_id } = req.params;
+
+	await isMember(req.user_id, guild_id);
+	const guild = await GuildModel.findOne({ id: guild_id }).exec();
+	if (!guild.vanity_url) throw new HTTPError("This guild has no vanity url", 204);
+
+	return res.json({ code: guild.vanity_url.code });
+});
+
+// TODO: check if guild is elgible for vanity url
+router.patch("/", check({ code: new Length(String, 0, 20) }), async (req: Request, res: Response) => {
+	const { guild_id } = req.params;
+	var code = req.body.code.replace(InviteRegex);
+	if (!code) code = null;
+
+	const permission = await getPermission(req.user_id, guild_id);
+	permission.hasThrow("MANAGE_GUILD");
+
+	const alreadyExists = await Promise.all([
+		GuildModel.findOne({ "vanity_url.code": code })
+			.exec()
+			.catch(() => null),
+		InviteModel.findOne({ code: code })
+			.exec()
+			.catch(() => null)
+	]);
+	if (alreadyExists.some((x) => x)) throw new HTTPError("Vanity url already exists", 400);
+
+	await GuildModel.updateOne({ id: guild_id }, { "vanity_url.code": code }).exec();
+
+	return res.json({ code: code });
+});
+
+export default router;
diff --git a/api/src/routes/guilds/#guild_id/welcome_screen.ts b/api/src/routes/guilds/#guild_id/welcome_screen.ts
new file mode 100644
index 00000000..656a0ee0
--- /dev/null
+++ b/api/src/routes/guilds/#guild_id/welcome_screen.ts
@@ -0,0 +1,49 @@
+import { Request, Response, Router } from "express";
+import { GuildModel, getPermission, toObject, Snowflake } from "@fosscord/server-util";
+import { HTTPError } from "lambert-server";
+import { emitEvent } from "../../../util/Event";
+import { check } from "../../../util/instanceOf";
+import { isMember } from "../../../util/Member";
+import { GuildAddChannelToWelcomeScreenSchema } from "../../../schema/Guild";
+import { getPublicUser } from "../../../util/User";
+
+const router: Router = Router();
+
+router.get("/", async (req: Request, res: Response) => {
+	const guild_id = req.params.guild_id;
+
+	const guild = await GuildModel.findOne({ id: guild_id });
+
+	await isMember(req.user_id, guild_id);
+
+	res.json(toObject(guild.welcome_screen));
+});
+
+router.post("/", check(GuildAddChannelToWelcomeScreenSchema), async (req: Request, res: Response) => {
+	const guild_id = req.params.guild_id;
+	const body = req.body as GuildAddChannelToWelcomeScreenSchema;
+
+	const guild = await GuildModel.findOne({ id: guild_id }).exec();
+
+	var channelObject = {
+		...body
+	};
+
+	const perms = await getPermission(req.user_id, guild_id);
+	perms.hasThrow("MANAGE_GUILD");
+
+	if (!guild.welcome_screen.enabled) throw new HTTPError("Welcome screen disabled", 400);
+	if (guild.welcome_screen.welcome_channels.some((channel) => channel.channel_id === body.channel_id))
+		throw new Error("Welcome Channel exists");
+
+	await GuildModel.findOneAndUpdate(
+		{
+			id: guild_id
+		},
+		{ $push: { "welcome_screen.welcome_channels": channelObject } }
+	).exec();
+
+	res.sendStatus(204);
+});
+
+export default router;
diff --git a/api/src/routes/guilds/#guild_id/widget.json.ts b/api/src/routes/guilds/#guild_id/widget.json.ts
new file mode 100644
index 00000000..6f777ab4
--- /dev/null
+++ b/api/src/routes/guilds/#guild_id/widget.json.ts
@@ -0,0 +1,139 @@
+import { Request, Response, Router } from "express";
+import { Config, Permissions, GuildModel, InviteModel, ChannelModel, MemberModel } from "@fosscord/server-util";
+import { HTTPError } from "lambert-server";
+import { random } from "../../../util/RandomInviteID";
+
+const router: Router = Router();
+
+// Undocumented API notes:
+// An invite is created for the widget_channel_id on request (only if an existing one created by the widget doesn't already exist)
+// This invite created doesn't include an inviter object like user created ones and has a default expiry of 24 hours
+// Missing user object information is intentional (https://github.com/discord/discord-api-docs/issues/1287)
+// channels returns voice channel objects where @everyone has the CONNECT permission
+// members (max 100 returned) is a sample of all members, and bots par invisible status, there exists some alphabetical distribution pattern between the members returned
+
+// https://discord.com/developers/docs/resources/guild#get-guild-widget
+// TODO: Cache the response for a guild for 5 minutes regardless of response
+router.get("/", async (req: Request, res: Response) => {
+	const { guild_id } = req.params;
+
+	const guild = await GuildModel.findOne({ id: guild_id }).exec();
+	if (!guild.widget_enabled) throw new HTTPError("Widget Disabled", 404);
+
+	// Fetch existing widget invite for widget channel
+	var invite = await InviteModel.findOne({ channel_id: guild.widget_channel_id, inviter_id: { $type: 10 } }).exec();
+	if (guild.widget_channel_id && !invite) {
+		// Create invite for channel if none exists
+		// TODO: Refactor invite create code to a shared function
+		const max_age = 86400; // 24 hours
+		const expires_at = new Date(max_age * 1000 + Date.now());
+		const body = {
+			code: random(),
+			temporary: false,
+			uses: 0,
+			max_uses: 0,
+			max_age: max_age,
+			expires_at,
+			created_at: new Date(),
+			guild_id,
+			channel_id: guild.widget_channel_id,
+			inviter_id: null
+		};
+
+		invite = await new InviteModel(body).save();
+	}
+
+	// Fetch voice channels, and the @everyone permissions object
+	let channels: any[] = [];
+	await ChannelModel.find({ guild_id: guild_id, type: 2 }, { permission_overwrites: { $elemMatch: { id: guild_id } } })
+		.lean()
+		.select("id name position permission_overwrites")
+		.sort({ position: 1 })
+		.cursor()
+		.eachAsync((doc) => {
+			// Only return channels where @everyone has the CONNECT permission
+			if (
+				doc.permission_overwrites === undefined ||
+				Permissions.channelPermission(doc.permission_overwrites, Permissions.FLAGS.CONNECT) === Permissions.FLAGS.CONNECT
+			) {
+				channels.push({
+					id: doc.id,
+					name: doc.name,
+					position: doc.position
+				});
+			}
+		});
+
+	// Fetch members
+	// TODO: Understand how Discord's max 100 random member sample works, and apply to here (see top of this file)
+	let members: any[] = [];
+	await MemberModel.find({ guild_id: guild_id })
+		.lean()
+		.populate({ path: "user", select: { _id: 0, username: 1, avatar: 1, presence: 1 } })
+		.select("id user nick deaf mute")
+		.cursor()
+		.eachAsync((doc) => {
+			const status = doc.user?.presence?.status || "offline";
+			if (status == "offline") return;
+
+			let item = {};
+
+			item = {
+				...item,
+				id: null, // this is updated during the sort outside of the query
+				username: doc.nick || doc.user?.username,
+				discriminator: "0000", // intended (https://github.com/discord/discord-api-docs/issues/1287)
+				avatar: null, // intended, avatar_url below will return a unique guild + user url to the avatar
+				status: status
+			};
+
+			const activity = doc.user?.presence?.activities?.[0];
+			if (activity) {
+				item = {
+					...item,
+					game: { name: activity.name }
+				};
+			}
+
+			// TODO: If the member is in a voice channel, return extra widget details
+			// Extra fields returned include deaf, mute, self_deaf, self_mute, supress, and channel_id (voice channel connected to)
+			// Get this from VoiceState
+
+			// TODO: Implement a widget-avatar endpoint on the CDN, and implement logic here to request it
+			// Get unique avatar url for guild user, cdn to serve the actual avatar image on this url
+			/*
+		const avatar = doc.user?.avatar;
+		if (avatar) {
+			const CDN_HOST = Config.get().cdn.endpoint || "http://localhost:3003";
+			const avatar_url = "/widget-avatars/" + ;
+			item = {
+				...item,
+				avatar_url: avatar_url
+			}
+		}
+		*/
+
+			members.push(item);
+		});
+
+	// Sort members, and update ids (Unable to do under the mongoose query due to https://mongoosejs.com/docs/faq.html#populate_sort_order)
+	members = members.sort((first, second) => 0 - (first.username > second.username ? -1 : 1));
+	members.forEach((x, i) => {
+		x.id = i;
+	});
+
+	// Construct object to respond with
+	const data = {
+		id: guild_id,
+		name: guild.name,
+		instant_invite: invite?.code,
+		channels: channels,
+		members: members,
+		presence_count: guild.presence_count
+	};
+
+	res.set("Cache-Control", "public, max-age=300");
+	return res.json(data);
+});
+
+export default router;
diff --git a/api/src/routes/guilds/#guild_id/widget.png.ts b/api/src/routes/guilds/#guild_id/widget.png.ts
new file mode 100644
index 00000000..a0a8c938
--- /dev/null
+++ b/api/src/routes/guilds/#guild_id/widget.png.ts
@@ -0,0 +1,110 @@
+import { Request, Response, Router } from "express";
+import { GuildModel } from "@fosscord/server-util";
+import { HTTPError } from "lambert-server";
+import fs from "fs";
+import path from "path";
+
+const router: Router = Router();
+
+// TODO: use svg templates instead of node-canvas for improved performance and to change it easily
+
+// https://discord.com/developers/docs/resources/guild#get-guild-widget-image
+// TODO: Cache the response
+router.get("/", async (req: Request, res: Response) => {
+	const { guild_id } = req.params;
+
+	const guild = await GuildModel.findOne({ id: guild_id }).exec();
+	if (!guild.widget_enabled) throw new HTTPError("Unknown Guild", 404);
+
+	// Fetch guild information
+	const icon = guild.icon;
+	const name = guild.name;
+	const presence = guild.presence_count + " ONLINE";
+
+	// Fetch parameter
+	const style = req.query.style?.toString() || "shield";
+	if (!["shield", "banner1", "banner2", "banner3", "banner4"].includes(style)) {
+		throw new HTTPError("Value must be one of ('shield', 'banner1', 'banner2', 'banner3', 'banner4').", 400);
+	}
+
+	// Setup canvas
+	const { createCanvas } = require("canvas");
+	const { loadImage } = require("canvas");
+	const sizeOf = require("image-size");
+
+	// TODO: Widget style templates need Fosscord branding
+	const source = path.join(__dirname, "..", "..", "..", "..", "assets", "widget", `${style}.png`);
+	if (!fs.existsSync(source)) {
+		throw new HTTPError("Widget template does not exist.", 400);
+	}
+
+	// Create base template image for parameter
+	const { width, height } = await sizeOf(source);
+	const canvas = createCanvas(width, height);
+	const ctx = canvas.getContext("2d");
+	const template = await loadImage(source);
+	ctx.drawImage(template, 0, 0);
+
+	// Add the guild specific information to the template asset image
+	switch (style) {
+		case "shield":
+			ctx.textAlign = "center";
+			await drawText(ctx, 73, 13, "#FFFFFF", "thin 10px Verdana", presence);
+			break;
+		case "banner1":
+			if (icon) await drawIcon(ctx, 20, 27, 50, icon);
+			await drawText(ctx, 83, 51, "#FFFFFF", "12px Verdana", name, 22);
+			await drawText(ctx, 83, 66, "#C9D2F0FF", "thin 11px Verdana", presence);
+			break;
+		case "banner2":
+			if (icon) await drawIcon(ctx, 13, 19, 36, icon);
+			await drawText(ctx, 62, 34, "#FFFFFF", "12px Verdana", name, 15);
+			await drawText(ctx, 62, 49, "#C9D2F0FF", "thin 11px Verdana", presence);
+			break;
+		case "banner3":
+			if (icon) await drawIcon(ctx, 20, 20, 50, icon);
+			await drawText(ctx, 83, 44, "#FFFFFF", "12px Verdana", name, 27);
+			await drawText(ctx, 83, 58, "#C9D2F0FF", "thin 11px Verdana", presence);
+			break;
+		case "banner4":
+			if (icon) await drawIcon(ctx, 21, 136, 50, icon);
+			await drawText(ctx, 84, 156, "#FFFFFF", "13px Verdana", name, 27);
+			await drawText(ctx, 84, 171, "#C9D2F0FF", "thin 12px Verdana", presence);
+			break;
+		default:
+			throw new HTTPError("Value must be one of ('shield', 'banner1', 'banner2', 'banner3', 'banner4').", 400);
+	}
+
+	// Return final image
+	const buffer = canvas.toBuffer("image/png");
+	res.set("Content-Type", "image/png");
+	res.set("Cache-Control", "public, max-age=3600");
+	return res.send(buffer);
+});
+
+async function drawIcon(canvas: any, x: number, y: number, scale: number, icon: string) {
+	// @ts-ignore
+	const img = new require("canvas").Image();
+	img.src = icon;
+
+	// Do some canvas clipping magic!
+	canvas.save();
+	canvas.beginPath();
+
+	const r = scale / 2; // use scale to determine radius
+	canvas.arc(x + r, y + r, r, 0, 2 * Math.PI, false); // start circle at x, and y coords + radius to find center
+
+	canvas.clip();
+	canvas.drawImage(img, x, y, scale, scale);
+
+	canvas.restore();
+}
+
+async function drawText(canvas: any, x: number, y: number, color: string, font: string, text: string, maxcharacters?: number) {
+	canvas.fillStyle = color;
+	canvas.font = font;
+	if (text.length > (maxcharacters || 0) && maxcharacters) text = text.slice(0, maxcharacters) + "...";
+	canvas.fillText(text, x, y);
+}
+
+export default router;
diff --git a/api/src/routes/guilds/#guild_id/widget.ts b/api/src/routes/guilds/#guild_id/widget.ts
new file mode 100644
index 00000000..0e6df186
--- /dev/null
+++ b/api/src/routes/guilds/#guild_id/widget.ts
@@ -0,0 +1,35 @@
+import { Request, Response, Router } from "express";
+import { getPermission, GuildModel } from "@fosscord/server-util";
+import { HTTPError } from "lambert-server";
+import { check } from "../../../util/instanceOf";
+import { WidgetModifySchema } from "../../../schema/Widget";
+
+const router: Router = Router();
+
+// https://discord.com/developers/docs/resources/guild#get-guild-widget-settings
+router.get("/", async (req: Request, res: Response) => {
+	const { guild_id } = req.params;
+
+	const perms = await getPermission(req.user_id, guild_id);
+	perms.hasThrow("MANAGE_GUILD");
+
+	const guild = await GuildModel.findOne({ id: guild_id }).exec();
+
+	return res.json({ enabled: guild.widget_enabled || false, channel_id: guild.widget_channel_id || null });
+});
+
+// https://discord.com/developers/docs/resources/guild#modify-guild-widget
+router.patch("/", check(WidgetModifySchema), async (req: Request, res: Response) => {
+	const body = req.body as WidgetModifySchema;
+	const { guild_id } = req.params;
+
+	const perms = await getPermission(req.user_id, guild_id);
+	perms.hasThrow("MANAGE_GUILD");
+
+	await GuildModel.updateOne({ id: guild_id }, { widget_enabled: body.enabled, widget_channel_id: body.channel_id }).exec();
+	// Widget invite for the widget_channel_id gets created as part of the /guilds/{guild.id}/widget.json request
+
+	return res.json(body);
+});
+
+export default router;
diff --git a/api/src/routes/guilds/index.ts b/api/src/routes/guilds/index.ts
new file mode 100644
index 00000000..25b55896
--- /dev/null
+++ b/api/src/routes/guilds/index.ts
@@ -0,0 +1,89 @@
+import { Router, Request, Response } from "express";
+import { RoleModel, GuildModel, Snowflake, Guild, RoleDocument, Config } from "@fosscord/server-util";
+import { HTTPError } from "lambert-server";
+import { check } from "./../../util/instanceOf";
+import { GuildCreateSchema } from "../../schema/Guild";
+import { getPublicUser } from "../../util/User";
+import { addMember } from "../../util/Member";
+import { createChannel } from "../../util/Channel";
+
+const router: Router = Router();
+
+//TODO: create default channel
+
+router.post("/", check(GuildCreateSchema), async (req: Request, res: Response) => {
+	const body = req.body as GuildCreateSchema;
+
+	const { maxGuilds } = Config.get().limits.user;
+	const user = await getPublicUser(req.user_id, { guilds: true });
+
+	if (user.guilds.length >= maxGuilds) {
+		throw new HTTPError(`Maximum number of guilds reached ${maxGuilds}`, 403);
+	}
+
+	const guild_id = Snowflake.generate();
+	const guild: Guild = {
+		name: body.name,
+		region: Config.get().regions.default,
+		owner_id: req.user_id,
+		icon: undefined,
+		afk_channel_id: undefined,
+		afk_timeout: 300,
+		application_id: undefined,
+		banner: undefined,
+		default_message_notifications: 0,
+		description: undefined,
+		splash: undefined,
+		discovery_splash: undefined,
+		explicit_content_filter: 0,
+		features: [],
+		id: guild_id,
+		large: undefined,
+		max_members: 250000,
+		max_presences: 250000,
+		max_video_channel_users: 25,
+		presence_count: 0,
+		member_count: 0, // will automatically be increased by addMember()
+		mfa_level: 0,
+		preferred_locale: "en-US",
+		premium_subscription_count: 0,
+		premium_tier: 0,
+		public_updates_channel_id: undefined,
+		rules_channel_id: undefined,
+		system_channel_flags: 0,
+		system_channel_id: undefined,
+		unavailable: false,
+		vanity_url: undefined,
+		verification_level: 0,
+		welcome_screen: {
+			enabled: false,
+			description: "No description",
+			welcome_channels: []
+		},
+		widget_channel_id: undefined,
+		widget_enabled: false
+	};
+
+	const [guild_doc, role] = await Promise.all([
+		new GuildModel(guild).save(),
+		new RoleModel({
+			id: guild_id,
+			guild_id: guild_id,
+			color: 0,
+			hoist: false,
+			managed: false,
+			mentionable: false,
+			name: "@everyone",
+			permissions: 2251804225n,
+			position: 0,
+			tags: null
+		}).save()
+	]);
+
+	await createChannel({ name: "general", type: 0, guild_id, position: 0, permission_overwrites: [] }, req.user_id);
+	await addMember(req.user_id, guild_id);
+
+	res.status(201).json({ id: guild.id });
+});
+
+export default router;
diff --git a/api/src/routes/guilds/templates/index.ts b/api/src/routes/guilds/templates/index.ts
new file mode 100644
index 00000000..0f332de0
--- /dev/null
+++ b/api/src/routes/guilds/templates/index.ts
@@ -0,0 +1,61 @@
+import { Request, Response, Router } from "express";
+const router: Router = Router();
+import { TemplateModel, GuildModel, toObject, UserModel, RoleModel, Snowflake, Guild, Config } from "@fosscord/server-util";
+import { HTTPError } from "lambert-server";
+import { GuildTemplateCreateSchema } from "../../../schema/Guild";
+import { getPublicUser } from "../../../util/User";
+import { check } from "../../../util/instanceOf";
+import { addMember } from "../../../util/Member";
+
+router.get("/:code", async (req: Request, res: Response) => {
+	const { code } = req.params;
+
+	const template = await TemplateModel.findOne({ code: code }).exec();
+
+	res.json(toObject(template)).send();
+});
+
+router.post("/:code", check(GuildTemplateCreateSchema), async (req: Request, res: Response) => {
+	const { code } = req.params;
+	const body = req.body as GuildTemplateCreateSchema;
+
+	const { maxGuilds } = Config.get().limits.user;
+	const user = await getPublicUser(req.user_id, { guilds: true });
+
+	if (user.guilds.length >= maxGuilds) {
+		throw new HTTPError(`Maximum number of guilds reached ${maxGuilds}`, 403);
+	}
+
+	const template = await TemplateModel.findOne({ code: code }).exec();
+
+	const guild_id = Snowflake.generate();
+
+	const guild: Guild = {
+		...body,
+		...template.serialized_source_guild,
+		id: guild_id,
+		owner_id: req.user_id
+	};
+
+	const [guild_doc, role] = await Promise.all([
+		new GuildModel(guild).save(),
+		new RoleModel({
+			id: guild_id,
+			guild_id: guild_id,
+			color: 0,
+			hoist: false,
+			managed: true,
+			mentionable: true,
+			name: "@everyone",
+			permissions: 2251804225n,
+			position: 0,
+			tags: null
+		}).save()
+	]);
+
+	await addMember(req.user_id, guild_id, { guild: guild_doc });
+
+	res.status(201).json({ id: guild.id });
+});
+
+export default router;
diff --git a/api/src/routes/invites/index.ts b/api/src/routes/invites/index.ts
new file mode 100644
index 00000000..8c04713c
--- /dev/null
+++ b/api/src/routes/invites/index.ts
@@ -0,0 +1,44 @@
+import { Router, Request, Response } from "express";
+import { getPermission, InviteModel, toObject } from "@fosscord/server-util";
+import { HTTPError } from "lambert-server";
+import { addMember } from "../../util/Member";
+const router: Router = Router();
+
+router.get("/:code", async (req: Request, res: Response) => {
+	const { code } = req.params;
+
+	const invite = await InviteModel.findOne({ code }).exec();
+	if (!invite) throw new HTTPError("Unknown Invite", 404);
+
+	res.status(200).send(toObject(invite));
+});
+
+router.post("/:code", async (req: Request, res: Response) => {
+	const { code } = req.params;
+
+	const invite = await InviteModel.findOneAndUpdate({ code }, { $inc: { uses: 1 } }).exec();
+	if (!invite) throw new HTTPError("Unknown Invite", 404);
+
+	await addMember(req.user_id, invite.guild_id);
+
+	res.status(200).send(toObject(invite));
+});
+
+router.delete("/:code", async (req: Request, res: Response) => {
+	const { code } = req.params;
+	const invite = await InviteModel.findOne({ code }).exec();
+
+	if (!invite) throw new HTTPError("Unknown Invite", 404);
+
+	const { guild_id, channel_id } = invite;
+	const perms = await getPermission(req.user_id, guild_id, channel_id);
+
+	if (!perms.has("MANAGE_GUILD") && !perms.has("MANAGE_CHANNELS"))
+		throw new HTTPError("You missing the MANAGE_GUILD or MANAGE_CHANNELS permission", 401);
+
+	await InviteModel.deleteOne({ code }).exec();
+
+	res.status(200).send({ invite: toObject(invite) });
+});
+
+export default router;
diff --git a/api/src/routes/ping.ts b/api/src/routes/ping.ts
new file mode 100644
index 00000000..38daf81e
--- /dev/null
+++ b/api/src/routes/ping.ts
@@ -0,0 +1,9 @@
+import { Router, Response, Request } from "express";
+
+const router = Router();
+
+router.get("/", (req: Request, res: Response) => {
+	res.send("pong");
+});
+
+export default router;
diff --git a/api/src/routes/science.ts b/api/src/routes/science.ts
new file mode 100644
index 00000000..b16ef783
--- /dev/null
+++ b/api/src/routes/science.ts
@@ -0,0 +1,10 @@
+import { Router, Response, Request } from "express";
+
+const router = Router();
+
+router.post("/", (req: Request, res: Response) => {
+	// TODO:
+	res.sendStatus(204);
+});
+
+export default router;
diff --git a/api/src/routes/users/#id/index.ts b/api/src/routes/users/#id/index.ts
new file mode 100644
index 00000000..a2ad3ae6
--- /dev/null
+++ b/api/src/routes/users/#id/index.ts
@@ -0,0 +1,13 @@
+import { Router, Request, Response } from "express";
+import { getPublicUser } from "../../../util/User";
+import { HTTPError } from "lambert-server";
+
+const router: Router = Router();
+
+router.get("/", async (req: Request, res: Response) => {
+	const { id } = req.params;
+
+	res.json(await getPublicUser(id));
+});
+
+export default router;
diff --git a/api/src/routes/users/#id/profile.ts b/api/src/routes/users/#id/profile.ts
new file mode 100644
index 00000000..4b4b9439
--- /dev/null
+++ b/api/src/routes/users/#id/profile.ts
@@ -0,0 +1,27 @@
+import { Router, Request, Response } from "express";
+import { getPublicUser } from "../../../util/User";
+
+const router: Router = Router();
+
+router.get("/", async (req: Request, res: Response) => {
+	const user = await getPublicUser(req.params.id, { user_data: true })
+
+    res.json({
+        connected_accounts: user.user_data.connected_accounts,
+        premium_guild_since: null, // TODO
+        premium_since: null, // TODO
+        user: {
+            username: user.username,
+            discriminator: user.discriminator,
+            id: user.id,
+            public_flags: user.public_flags,
+            avatar: user.avatar,
+            accent_color: user.accent_color,
+            banner: user.banner,
+            bio: req.user_bot ? null : user.bio,
+            bot: user.bot,
+        }
+    });
+});
+
+export default router;
diff --git a/api/src/routes/users/@me/affinities/guilds.ts b/api/src/routes/users/@me/affinities/guilds.ts
new file mode 100644
index 00000000..fa6be0e7
--- /dev/null
+++ b/api/src/routes/users/@me/affinities/guilds.ts
@@ -0,0 +1,10 @@
+import { Router, Response, Request } from "express";
+
+const router = Router();
+
+router.get("/", (req: Request, res: Response) => {
+	// TODO:
+	res.status(200).send({ guild_affinities: [] });
+});
+
+export default router;
diff --git a/api/src/routes/users/@me/affinities/user.ts b/api/src/routes/users/@me/affinities/user.ts
new file mode 100644
index 00000000..0790a8a4
--- /dev/null
+++ b/api/src/routes/users/@me/affinities/user.ts
@@ -0,0 +1,10 @@
+import { Router, Response, Request } from "express";
+
+const router = Router();
+
+router.get("/", (req: Request, res: Response) => {
+	// TODO:
+	res.status(200).send({ user_affinities: [], inverse_user_affinities: [] });
+});
+
+export default router;
diff --git a/api/src/routes/users/@me/channels.ts b/api/src/routes/users/@me/channels.ts
new file mode 100644
index 00000000..a425a25f
--- /dev/null
+++ b/api/src/routes/users/@me/channels.ts
@@ -0,0 +1,53 @@
+import { Router, Request, Response } from "express";
+import {
+	ChannelModel,
+	ChannelCreateEvent,
+	toObject,
+	ChannelType,
+	Snowflake,
+	trimSpecial,
+	Channel,
+	DMChannel,
+	UserModel
+} from "@fosscord/server-util";
+import { HTTPError } from "lambert-server";
+import { emitEvent } from "../../../util/Event";
+import { DmChannelCreateSchema } from "../../../schema/Channel";
+import { check } from "../../../util/instanceOf";
+
+const router: Router = Router();
+
+router.get("/", async (req: Request, res: Response) => {
+	var channels = await ChannelModel.find({ recipient_ids: req.user_id }).exec();
+
+	res.json(toObject(channels));
+});
+
+router.post("/", check(DmChannelCreateSchema), async (req: Request, res: Response) => {
+	const body = req.body as DmChannelCreateSchema;
+
+	body.recipients = body.recipients.filter((x) => x !== req.user_id).unique();
+
+	if (!(await Promise.all(body.recipients.map((x) => UserModel.exists({ id: x })))).every((x) => x)) {
+		throw new HTTPError("Recipient not found");
+	}
+
+	const type = body.recipients.length === 1 ? ChannelType.DM : ChannelType.GROUP_DM;
+	const name = trimSpecial(body.name);
+
+	const channel = await new ChannelModel({
+		name,
+		type,
+		owner_id: req.user_id,
+		id: Snowflake.generate(),
+		created_at: new Date(),
+		last_message_id: null,
+		recipient_ids: [...body.recipients, req.user_id]
+	}).save();
+
+	await emitEvent({ event: "CHANNEL_CREATE", data: toObject(channel), user_id: req.user_id } as ChannelCreateEvent);
+
+	res.json(toObject(channel));
+});
+
+export default router;
diff --git a/api/src/routes/users/@me/delete.ts b/api/src/routes/users/@me/delete.ts
new file mode 100644
index 00000000..edda8e2d
--- /dev/null
+++ b/api/src/routes/users/@me/delete.ts
@@ -0,0 +1,22 @@
+import { Router, Request, Response } from "express";
+import { GuildModel, MemberModel, UserModel } from "@fosscord/server-util";
+import bcrypt from "bcrypt";
+const router = Router();
+
+router.post("/", async (req: Request, res: Response) => {
+	const user = await UserModel.findOne({ id: req.user_id }).exec(); //User object
+
+	let correctpass = await bcrypt.compare(req.body.password, user!.user_data.hash); //Not sure if user typed right password :/
+	if (correctpass) {
+		await Promise.all([
+			UserModel.deleteOne({ id: req.user_id }).exec(), //Yeetus user deletus
+			MemberModel.deleteMany({ id: req.user_id }).exec()
+		]);
+
+		res.sendStatus(204);
+	} else {
+		res.sendStatus(401);
+	}
+});
+
+export default router;
diff --git a/api/src/routes/users/@me/disable.ts b/api/src/routes/users/@me/disable.ts
new file mode 100644
index 00000000..0e5b734e
--- /dev/null
+++ b/api/src/routes/users/@me/disable.ts
@@ -0,0 +1,20 @@
+import { UserModel } from "@fosscord/server-util";
+import { Router, Response, Request } from "express";
+import bcrypt from "bcrypt";
+
+const router = Router();
+
+router.post("/", async (req: Request, res: Response) => {
+	const user = await UserModel.findOne({ id: req.user_id }).exec(); //User object
+
+	let correctpass = await bcrypt.compare(req.body.password, user!.user_data.hash); //Not sure if user typed right password :/
+	if (correctpass) {
+		await UserModel.updateOne({ id: req.user_id }, { disabled: true }).exec();
+
+		res.sendStatus(204);
+	} else {
+		res.status(400).json({ message: "Password does not match", code: 50018 });
+	}
+});
+
+export default router;
diff --git a/api/src/routes/users/@me/guilds.ts b/api/src/routes/users/@me/guilds.ts
new file mode 100644
index 00000000..6528552b
--- /dev/null
+++ b/api/src/routes/users/@me/guilds.ts
@@ -0,0 +1,55 @@
+import { Router, Request, Response } from "express";
+import { GuildModel, MemberModel, UserModel, GuildDeleteEvent, GuildMemberRemoveEvent, toObject } from "@fosscord/server-util";
+import { HTTPError } from "lambert-server";
+import { emitEvent } from "../../../util/Event";
+import { getPublicUser } from "../../../util/User";
+
+const router: Router = Router();
+
+router.get("/", async (req: Request, res: Response) => {
+	const user = await UserModel.findOne({ id: req.user_id }, { guilds: true }).exec();
+	if (!user) throw new HTTPError("User not found", 404);
+
+	var guildIDs = user.guilds || [];
+	var guild = await GuildModel.find({ id: { $in: guildIDs } })
+		.populate({ path: "joined_at", match: { id: req.user_id } })
+		.exec();
+
+	res.json(toObject(guild));
+});
+
+// user send to leave a certain guild
+router.delete("/:id", async (req: Request, res: Response) => {
+	const guild_id = req.params.id;
+	const guild = await GuildModel.findOne({ id: guild_id }, { guild_id: true }).exec();
+
+	if (!guild) throw new HTTPError("Guild doesn't exist", 404);
+	if (guild.owner_id === req.user_id) throw new HTTPError("You can't leave your own guild", 400);
+
+	await Promise.all([
+		MemberModel.deleteOne({ id: req.user_id, guild_id: guild_id }).exec(),
+		UserModel.updateOne({ id: req.user_id }, { $pull: { guilds: guild_id } }).exec(),
+		emitEvent({
+			event: "GUILD_DELETE",
+			data: {
+				id: guild_id,
+			},
+			user_id: req.user_id,
+		} as GuildDeleteEvent),
+	]);
+
+	const user = await getPublicUser(req.user_id);
+
+	await emitEvent({
+		event: "GUILD_MEMBER_REMOVE",
+		data: {
+			guild_id: guild_id,
+			user: user,
+		},
+		guild_id: guild_id,
+	} as GuildMemberRemoveEvent);
+
+	return res.sendStatus(204);
+});
+
+export default router;
diff --git a/api/src/routes/users/@me/index.ts b/api/src/routes/users/@me/index.ts
new file mode 100644
index 00000000..7bd4a486
--- /dev/null
+++ b/api/src/routes/users/@me/index.ts
@@ -0,0 +1,48 @@
+import { Router, Request, Response } from "express";
+import { UserModel, toObject, PublicUserProjection } from "@fosscord/server-util";
+import { getPublicUser } from "../../../util/User";
+import { UserModifySchema } from "../../../schema/User";
+import { check } from "../../../util/instanceOf";
+import { handleFile } from "../../../util/cdn";
+
+const router: Router = Router();
+
+router.get("/", async (req: Request, res: Response) => {
+	res.json(await getPublicUser(req.user_id));
+});
+
+const UserUpdateProjection = {
+	accent_color: true,
+	avatar: true,
+	banner: true,
+	bio: true,
+	bot: true,
+	discriminator: true,
+	email: true,
+	flags: true,
+	id: true,
+	locale: true,
+	mfa_enabled: true,
+	nsfw_alllowed: true,
+	phone: true,
+	public_flags: true,
+	purchased_flags: true,
+	// token: true, // this isn't saved in the db and needs to be set manually
+	username: true,
+	verified: true
+};
+
+router.patch("/", check(UserModifySchema), async (req: Request, res: Response) => {
+	const body = req.body as UserModifySchema;
+
+	if (body.avatar) body.avatar = await handleFile(`/avatars/${req.user_id}`, body.avatar as string);
+	if (body.banner) body.banner = await handleFile(`/banners/${req.user_id}`, body.banner as string);
+
+	const user = await UserModel.findOneAndUpdate({ id: req.user_id }, body, { projection: UserUpdateProjection }).exec();
+	// TODO: dispatch user update event
+
+	res.json(toObject(user));
+});
+
+export default router;
+// {"message": "Invalid two-factor code", "code": 60008}
diff --git a/api/src/routes/users/@me/library.ts b/api/src/routes/users/@me/library.ts
new file mode 100644
index 00000000..d771cb5e
--- /dev/null
+++ b/api/src/routes/users/@me/library.ts
@@ -0,0 +1,10 @@
+import { Router, Response, Request } from "express";
+
+const router = Router();
+
+router.get("/", (req: Request, res: Response) => {
+	// TODO:
+	res.status(200).send([]);
+});
+
+export default router;
diff --git a/api/src/routes/users/@me/profile.ts b/api/src/routes/users/@me/profile.ts
new file mode 100644
index 00000000..b67d1964
--- /dev/null
+++ b/api/src/routes/users/@me/profile.ts
@@ -0,0 +1,27 @@
+import { Router, Request, Response } from "express";
+import { getPublicUser } from "../../../util/User";
+
+const router: Router = Router();
+
+router.get("/", async (req: Request, res: Response) => {
+    const user = await getPublicUser(req.user_id, { user_data: true })
+
+    res.json({
+        connected_accounts: user.user_data.connected_accounts,
+        premium_guild_since: null, // TODO
+        premium_since: null, // TODO
+        user: {
+            username: user.username,
+            discriminator: user.discriminator,
+            id: user.id,
+            public_flags: user.public_flags,
+            avatar: user.avatar,
+            accent_color: user.accent_color,
+            banner: user.banner,
+            bio: user.bio,
+            bot: user.bot,
+        }
+    });
+});
+
+export default router;
diff --git a/api/src/routes/users/@me/relationships.ts b/api/src/routes/users/@me/relationships.ts
new file mode 100644
index 00000000..a8f03143
--- /dev/null
+++ b/api/src/routes/users/@me/relationships.ts
@@ -0,0 +1,176 @@
+import {
+	RelationshipAddEvent,
+	UserModel,
+	PublicUserProjection,
+	toObject,
+	RelationshipType,
+	RelationshipRemoveEvent,
+	UserDocument
+} from "@fosscord/server-util";
+import { Router, Response, Request } from "express";
+import { HTTPError } from "lambert-server";
+import { emitEvent } from "../../../util/Event";
+import { check, Length } from "../../../util/instanceOf";
+
+const router = Router();
+
+const userProjection = { "user_data.relationships": true, ...PublicUserProjection };
+
+router.get("/", async (req: Request, res: Response) => {
+	const user = await UserModel.findOne({ id: req.user_id }, { user_data: { relationships: true } })
+		.populate({ path: "user_data.relationships.id", model: UserModel })
+		.exec();
+
+	return res.json(toObject(user.user_data.relationships));
+});
+
+async function addRelationship(req: Request, res: Response, friend: UserDocument, type: RelationshipType) {
+	const id = friend.id;
+	if (id === req.user_id) throw new HTTPError("You can't add yourself as a friend");
+
+	const user = await UserModel.findOne({ id: req.user_id }, userProjection).exec();
+	const newUserRelationships = [...user.user_data.relationships];
+	const newFriendRelationships = [...friend.user_data.relationships];
+
+	var relationship = newUserRelationships.find((x) => x.id === id);
+	const friendRequest = newFriendRelationships.find((x) => x.id === req.user_id);
+
+	if (type === RelationshipType.blocked) {
+		if (relationship) {
+			if (relationship.type === RelationshipType.blocked) throw new HTTPError("You already blocked the user");
+			relationship.type = RelationshipType.blocked;
+		} else {
+			relationship = { id, type: RelationshipType.blocked };
+			newUserRelationships.push(relationship);
+		}
+
+		if (friendRequest && friendRequest.type !== RelationshipType.blocked) {
+			newFriendRelationships.remove(friendRequest);
+			await Promise.all([
+				UserModel.updateOne({ id: friend.id }, { "user_data.relationships": newFriendRelationships }).exec(),
+				emitEvent({
+					event: "RELATIONSHIP_REMOVE",
+					data: friendRequest,
+					user_id: id
+				} as RelationshipRemoveEvent)
+			]);
+		}
+
+		await Promise.all([
+			UserModel.updateOne({ id: req.user_id }, { "user_data.relationships": newUserRelationships }).exec(),
+			emitEvent({
+				event: "RELATIONSHIP_ADD",
+				data: {
+					...toObject(relationship),
+					user: { ...toObject(friend), user_data: undefined }
+				},
+				user_id: req.user_id
+			} as RelationshipAddEvent)
+		]);
+
+		return res.sendStatus(204);
+	}
+
+	var incoming_relationship = { id: req.user_id, nickname: undefined, type: RelationshipType.incoming };
+	var outgoing_relationship = { id, nickname: undefined, type: RelationshipType.outgoing };
+
+	if (friendRequest) {
+		if (friendRequest.type === RelationshipType.blocked) throw new HTTPError("The user blocked you");
+		// accept friend request
+		// @ts-ignore
+		incoming_relationship = friendRequest;
+		incoming_relationship.type = RelationshipType.friends;
+		outgoing_relationship.type = RelationshipType.friends;
+	} else newFriendRelationships.push(incoming_relationship);
+
+	if (relationship) {
+		if (relationship.type === RelationshipType.outgoing) throw new HTTPError("You already sent a friend request");
+		if (relationship.type === RelationshipType.blocked) throw new HTTPError("Unblock the user before sending a friend request");
+		if (relationship.type === RelationshipType.friends) throw new HTTPError("You are already friends with the user");
+	} else newUserRelationships.push(outgoing_relationship);
+
+	await Promise.all([
+		UserModel.updateOne({ id: req.user_id }, { "user_data.relationships": newUserRelationships }).exec(),
+		UserModel.updateOne({ id: friend.id }, { "user_data.relationships": newFriendRelationships }).exec(),
+		emitEvent({
+			event: "RELATIONSHIP_ADD",
+			data: {
+				...outgoing_relationship,
+				user: { ...toObject(friend), user_data: undefined }
+			},
+			user_id: req.user_id
+		} as RelationshipAddEvent),
+		emitEvent({
+			event: "RELATIONSHIP_ADD",
+			data: {
+				...toObject(incoming_relationship),
+				should_notify: true,
+				user: { ...toObject(user), user_data: undefined }
+			},
+			user_id: id
+		} as RelationshipAddEvent)
+	]);
+
+	return res.sendStatus(204);
+}
+
+router.put("/:id", check({ $type: new Length(Number, 1, 4) }), async (req: Request, res: Response) => {
+	return await addRelationship(req, res, await UserModel.findOne({ id: req.params.id }), req.body.type);
+});
+
+router.post("/", check({ discriminator: String, username: String }), async (req: Request, res: Response) => {
+	return await addRelationship(
+		req,
+		res,
+		await UserModel.findOne(req.body as { discriminator: string; username: string }).exec(),
+		req.body.type
+	);
+});
+
+router.delete("/:id", async (req: Request, res: Response) => {
+	const { id } = req.params;
+	if (id === req.user_id) throw new HTTPError("You can't remove yourself as a friend");
+
+	const user = await UserModel.findOne({ id: req.user_id }).exec();
+	if (!user) throw new HTTPError("Invalid token", 400);
+
+	const friend = await UserModel.findOne({ id }, userProjection).exec();
+	if (!friend) throw new HTTPError("User not found", 404);
+
+	const relationship = user.user_data.relationships.find((x) => x.id === id);
+	const friendRequest = friend.user_data.relationships.find((x) => x.id === req.user_id);
+	if (relationship?.type === RelationshipType.blocked) {
+		// unblock user
+		user.user_data.relationships.remove(relationship);
+
+		await Promise.all([
+			user.save(),
+			emitEvent({ event: "RELATIONSHIP_REMOVE", user_id: req.user_id, data: relationship } as RelationshipRemoveEvent)
+		]);
+		return res.sendStatus(204);
+	}
+	if (!relationship || !friendRequest) throw new HTTPError("You are not friends with the user", 404);
+	if (friendRequest.type === RelationshipType.blocked) throw new HTTPError("The user blocked you");
+
+	user.user_data.relationships.remove(relationship);
+	friend.user_data.relationships.remove(friendRequest);
+
+	await Promise.all([
+		user.save(),
+		friend.save(),
+		emitEvent({
+			event: "RELATIONSHIP_REMOVE",
+			data: relationship,
+			user_id: req.user_id
+		} as RelationshipRemoveEvent),
+		emitEvent({
+			event: "RELATIONSHIP_REMOVE",
+			data: friendRequest,
+			user_id: id
+		} as RelationshipRemoveEvent)
+	]);
+
+	return res.sendStatus(204);
+});
+
+export default router;
diff --git a/api/src/routes/users/@me/settings.ts b/api/src/routes/users/@me/settings.ts
new file mode 100644
index 00000000..cca9b3ab
--- /dev/null
+++ b/api/src/routes/users/@me/settings.ts
@@ -0,0 +1,10 @@
+import { Router, Response, Request } from "express";
+
+const router = Router();
+
+router.patch("/", (req: Request, res: Response) => {
+	// TODO:
+	res.sendStatus(204);
+});
+
+export default router;