Move macaron to chi (#14293)

Use [chi](https://github.com/go-chi/chi) instead of the forked [macaron](https://gitea.com/macaron/macaron). Since macaron and chi have conflicts with session share, this big PR becomes a have-to thing. According my previous idea, we can replace macaron step by step but I'm wrong. :( Below is a list of big changes on this PR. - [x] Define `context.ResponseWriter` interface with an implementation `context.Response`. - [x] Use chi instead of macaron, and also a customize `Route` to wrap chi so that the router usage is similar as before. - [x] Create different routers for `web`, `api`, `internal` and `install` so that the codes will be more clear and no magic . - [x] Use https://github.com/unrolled/render instead of macaron's internal render - [x] Use https://github.com/NYTimes/gziphandler instead of https://gitea.com/macaron/gzip - [x] Use https://gitea.com/go-chi/session which is a modified version of https://gitea.com/macaron/session and removed `nodb` support since it will not be maintained. **BREAK** - [x] Use https://gitea.com/go-chi/captcha which is a modified version of https://gitea.com/macaron/captcha - [x] Use https://gitea.com/go-chi/cache which is a modified version of https://gitea.com/macaron/cache - [x] Use https://gitea.com/go-chi/binding which is a modified version of https://gitea.com/macaron/binding - [x] Use https://github.com/go-chi/cors instead of https://gitea.com/macaron/cors - [x] Dropped https://gitea.com/macaron/i18n and make a new one in `code.gitea.io/gitea/modules/translation` - [x] Move validation form structs from `code.gitea.io/gitea/modules/auth` to `code.gitea.io/gitea/modules/forms` to avoid dependency cycle. - [x] Removed macaron log service because it's not need any more. **BREAK** - [x] All form structs have to be get by `web.GetForm(ctx)` in the route function but not as a function parameter on routes definition. - [x] Move Git HTTP protocol implementation to use routers directly. - [x] Fix the problem that chi routes don't support trailing slash but macaron did. - [x] `/api/v1/swagger` now will be redirect to `/api/swagger` but not render directly so that `APIContext` will not create a html render. Notices: - Chi router don't support request with trailing slash - Integration test `TestUserHeatmap` maybe mysql version related. It's failed on my macOS(mysql 5.7.29 installed via brew) but succeed on CI. Co-authored-by: 6543 <6543@obermui.de>
2021-01-26 23:36:53 +08:00 · 2021-01-26 23:36:53 +08:00 · 6433ba0ec3
commit 6433ba0ec3
parent 3adbbb4255
353 changed files with 5463 additions and 20785 deletions
--- a/routers/api/v1/admin/org.go
+++ b/routers/api/v1/admin/org.go
@ -13,12 +13,13 @@ import (
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/convert"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/api/v1/user"
 	"code.gitea.io/gitea/routers/api/v1/utils"
 )

 // CreateOrg api for create organization
-func CreateOrg(ctx *context.APIContext, form api.CreateOrgOption) {
+func CreateOrg(ctx *context.APIContext) {
 	// swagger:operation POST /admin/users/{username}/orgs admin adminCreateOrg
 	// ---
 	// summary: Create an organization
@ -43,7 +44,7 @@ func CreateOrg(ctx *context.APIContext, form api.CreateOrgOption) {
 	//     "$ref": "#/responses/forbidden"
 	//   "422":
 	//     "$ref": "#/responses/validationError"
-
+	form := web.GetForm(ctx).(*api.CreateOrgOption)
 	u := user.GetUserByParams(ctx)
 	if ctx.Written() {
 		return
--- a/routers/api/v1/admin/repo.go
+++ b/routers/api/v1/admin/repo.go
@ -7,12 +7,13 @@ package admin
 import (
 	"code.gitea.io/gitea/modules/context"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/api/v1/repo"
 	"code.gitea.io/gitea/routers/api/v1/user"
 )

 // CreateRepo api for creating a repository
-func CreateRepo(ctx *context.APIContext, form api.CreateRepoOption) {
+func CreateRepo(ctx *context.APIContext) {
 	// swagger:operation POST /admin/users/{username}/repos admin adminCreateRepo
 	// ---
 	// summary: Create a repository on behalf of a user
@ -41,11 +42,11 @@ func CreateRepo(ctx *context.APIContext, form api.CreateRepoOption) {
 	//     "$ref": "#/responses/error"
 	//   "422":
 	//     "$ref": "#/responses/validationError"
-
+	form := web.GetForm(ctx).(*api.CreateRepoOption)
 	owner := user.GetUserByParams(ctx)
 	if ctx.Written() {
 		return
 	}

-	repo.CreateUserRepo(ctx, owner, form)
+	repo.CreateUserRepo(ctx, owner, *form)
 }
--- a/routers/api/v1/admin/user.go
+++ b/routers/api/v1/admin/user.go
@ -16,6 +16,7 @@ import (
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/password"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/api/v1/user"
 	"code.gitea.io/gitea/routers/api/v1/utils"
 	"code.gitea.io/gitea/services/mailer"
@ -42,7 +43,7 @@ func parseLoginSource(ctx *context.APIContext, u *models.User, sourceID int64, l
 }

 // CreateUser create a user
-func CreateUser(ctx *context.APIContext, form api.CreateUserOption) {
+func CreateUser(ctx *context.APIContext) {
 	// swagger:operation POST /admin/users admin adminCreateUser
 	// ---
 	// summary: Create a user
@ -64,7 +65,7 @@ func CreateUser(ctx *context.APIContext, form api.CreateUserOption) {
 	//     "$ref": "#/responses/forbidden"
 	//   "422":
 	//     "$ref": "#/responses/validationError"
-
+	form := web.GetForm(ctx).(*api.CreateUserOption)
 	u := &models.User{
 		Name:               form.Username,
 		FullName:           form.FullName,
@ -119,7 +120,7 @@ func CreateUser(ctx *context.APIContext, form api.CreateUserOption) {
 }

 // EditUser api for modifying a user's information
-func EditUser(ctx *context.APIContext, form api.EditUserOption) {
+func EditUser(ctx *context.APIContext) {
 	// swagger:operation PATCH /admin/users/{username} admin adminEditUser
 	// ---
 	// summary: Edit an existing user
@ -144,7 +145,7 @@ func EditUser(ctx *context.APIContext, form api.EditUserOption) {
 	//     "$ref": "#/responses/forbidden"
 	//   "422":
 	//     "$ref": "#/responses/validationError"
-
+	form := web.GetForm(ctx).(*api.EditUserOption)
 	u := user.GetUserByParams(ctx)
 	if ctx.Written() {
 		return
@ -283,7 +284,7 @@ func DeleteUser(ctx *context.APIContext) {
 }

 // CreatePublicKey api for creating a public key to a user
-func CreatePublicKey(ctx *context.APIContext, form api.CreateKeyOption) {
+func CreatePublicKey(ctx *context.APIContext) {
 	// swagger:operation POST /admin/users/{username}/keys admin adminCreatePublicKey
 	// ---
 	// summary: Add a public key on behalf of a user
@ -308,12 +309,12 @@ func CreatePublicKey(ctx *context.APIContext, form api.CreateKeyOption) {
 	//     "$ref": "#/responses/forbidden"
 	//   "422":
 	//     "$ref": "#/responses/validationError"
-
+	form := web.GetForm(ctx).(*api.CreateKeyOption)
 	u := user.GetUserByParams(ctx)
 	if ctx.Written() {
 		return
 	}
-	user.CreateUserPublicKey(ctx, form, u.ID)
+	user.CreateUserPublicKey(ctx, *form, u.ID)
 }

 // DeleteUserPublicKey api for deleting a user's public key
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@ -66,14 +66,16 @@ package v1

 import (
 	"net/http"
+	"reflect"
 	"strings"

 	"code.gitea.io/gitea/models"
-	"code.gitea.io/gitea/modules/auth"
 	"code.gitea.io/gitea/modules/context"
+	auth "code.gitea.io/gitea/modules/forms"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/api/v1/admin"
 	"code.gitea.io/gitea/routers/api/v1/misc"
 	"code.gitea.io/gitea/routers/api/v1/notify"
@ -83,11 +85,12 @@ import (
 	_ "code.gitea.io/gitea/routers/api/v1/swagger" // for swagger generation
 	"code.gitea.io/gitea/routers/api/v1/user"

-	"gitea.com/macaron/binding"
-	"gitea.com/macaron/macaron"
+	"gitea.com/go-chi/binding"
+	"gitea.com/go-chi/session"
+	"github.com/go-chi/cors"
 )

-func sudo() macaron.Handler {
+func sudo() func(ctx *context.APIContext) {
 	return func(ctx *context.APIContext) {
 		sudo := ctx.Query("sudo")
 		if len(sudo) == 0 {
@ -117,10 +120,10 @@ func sudo() macaron.Handler {
 	}
 }

-func repoAssignment() macaron.Handler {
+func repoAssignment() func(ctx *context.APIContext) {
 	return func(ctx *context.APIContext) {
-		userName := ctx.Params(":username")
-		repoName := ctx.Params(":reponame")
+		userName := ctx.Params("username")
+		repoName := ctx.Params("reponame")

 		var (
 			owner *models.User
@ -184,7 +187,7 @@ func repoAssignment() macaron.Handler {
 }

 // Contexter middleware already checks token for user sign in process.
-func reqToken() macaron.Handler {
+func reqToken() func(ctx *context.APIContext) {
 	return func(ctx *context.APIContext) {
 		if true == ctx.Data["IsApiToken"] {
 			return
@ -201,7 +204,7 @@ func reqToken() macaron.Handler {
 	}
 }

-func reqBasicAuth() macaron.Handler {
+func reqBasicAuth() func(ctx *context.APIContext) {
 	return func(ctx *context.APIContext) {
 		if !ctx.Context.IsBasicAuth {
 			ctx.Error(http.StatusUnauthorized, "reqBasicAuth", "basic auth required")
@ -212,7 +215,7 @@ func reqBasicAuth() macaron.Handler {
 }

 // reqSiteAdmin user should be the site admin
-func reqSiteAdmin() macaron.Handler {
+func reqSiteAdmin() func(ctx *context.APIContext) {
 	return func(ctx *context.APIContext) {
 		if !ctx.IsUserSiteAdmin() {
 			ctx.Error(http.StatusForbidden, "reqSiteAdmin", "user should be the site admin")
@ -222,7 +225,7 @@ func reqSiteAdmin() macaron.Handler {
 }

 // reqOwner user should be the owner of the repo or site admin.
-func reqOwner() macaron.Handler {
+func reqOwner() func(ctx *context.APIContext) {
 	return func(ctx *context.APIContext) {
 		if !ctx.IsUserRepoOwner() && !ctx.IsUserSiteAdmin() {
 			ctx.Error(http.StatusForbidden, "reqOwner", "user should be the owner of the repo")
@ -232,7 +235,7 @@ func reqOwner() macaron.Handler {
 }

 // reqAdmin user should be an owner or a collaborator with admin write of a repository, or site admin
-func reqAdmin() macaron.Handler {
+func reqAdmin() func(ctx *context.APIContext) {
 	return func(ctx *context.APIContext) {
 		if !ctx.IsUserRepoAdmin() && !ctx.IsUserSiteAdmin() {
 			ctx.Error(http.StatusForbidden, "reqAdmin", "user should be an owner or a collaborator with admin write of a repository")
@ -242,7 +245,7 @@ func reqAdmin() macaron.Handler {
 }

 // reqRepoWriter user should have a permission to write to a repo, or be a site admin
-func reqRepoWriter(unitTypes ...models.UnitType) macaron.Handler {
+func reqRepoWriter(unitTypes ...models.UnitType) func(ctx *context.APIContext) {
 	return func(ctx *context.APIContext) {
 		if !ctx.IsUserRepoWriter(unitTypes) && !ctx.IsUserRepoAdmin() && !ctx.IsUserSiteAdmin() {
 			ctx.Error(http.StatusForbidden, "reqRepoWriter", "user should have a permission to write to a repo")
@ -252,7 +255,7 @@ func reqRepoWriter(unitTypes ...models.UnitType) macaron.Handler {
 }

 // reqRepoReader user should have specific read permission or be a repo admin or a site admin
-func reqRepoReader(unitType models.UnitType) macaron.Handler {
+func reqRepoReader(unitType models.UnitType) func(ctx *context.APIContext) {
 	return func(ctx *context.APIContext) {
 		if !ctx.IsUserRepoReaderSpecific(unitType) && !ctx.IsUserRepoAdmin() && !ctx.IsUserSiteAdmin() {
 			ctx.Error(http.StatusForbidden, "reqRepoReader", "user should have specific read permission or be a repo admin or a site admin")
@ -262,7 +265,7 @@ func reqRepoReader(unitType models.UnitType) macaron.Handler {
 }

 // reqAnyRepoReader user should have any permission to read repository or permissions of site admin
-func reqAnyRepoReader() macaron.Handler {
+func reqAnyRepoReader() func(ctx *context.APIContext) {
 	return func(ctx *context.APIContext) {
 		if !ctx.IsUserRepoReaderAny() && !ctx.IsUserSiteAdmin() {
 			ctx.Error(http.StatusForbidden, "reqAnyRepoReader", "user should have any permission to read repository or permissions of site admin")
@ -272,7 +275,7 @@ func reqAnyRepoReader() macaron.Handler {
 }

 // reqOrgOwnership user should be an organization owner, or a site admin
-func reqOrgOwnership() macaron.Handler {
+func reqOrgOwnership() func(ctx *context.APIContext) {
 	return func(ctx *context.APIContext) {
 		if ctx.Context.IsUserSiteAdmin() {
 			return
@ -304,7 +307,7 @@ func reqOrgOwnership() macaron.Handler {
 }

 // reqTeamMembership user should be an team member, or a site admin
-func reqTeamMembership() macaron.Handler {
+func reqTeamMembership() func(ctx *context.APIContext) {
 	return func(ctx *context.APIContext) {
 		if ctx.Context.IsUserSiteAdmin() {
 			return
@ -341,7 +344,7 @@ func reqTeamMembership() macaron.Handler {
 }

 // reqOrgMembership user should be an organization member, or a site admin
-func reqOrgMembership() macaron.Handler {
+func reqOrgMembership() func(ctx *context.APIContext) {
 	return func(ctx *context.APIContext) {
 		if ctx.Context.IsUserSiteAdmin() {
 			return
@ -371,7 +374,7 @@ func reqOrgMembership() macaron.Handler {
 	}
 }

-func reqGitHook() macaron.Handler {
+func reqGitHook() func(ctx *context.APIContext) {
 	return func(ctx *context.APIContext) {
 		if !ctx.User.CanEditGitHook() {
 			ctx.Error(http.StatusForbidden, "", "must be allowed to edit Git hooks")
@ -380,7 +383,7 @@ func reqGitHook() macaron.Handler {
 	}
 }

-func orgAssignment(args ...bool) macaron.Handler {
+func orgAssignment(args ...bool) func(ctx *context.APIContext) {
 	var (
 		assignOrg  bool
 		assignTeam bool
@ -500,13 +503,6 @@ func mustEnableIssuesOrPulls(ctx *context.APIContext) {
 	}
 }

-func mustEnableUserHeatmap(ctx *context.APIContext) {
-	if !setting.Service.EnableUserHeatmap {
-		ctx.NotFound()
-		return
-	}
-}
-
 func mustNotBeArchived(ctx *context.APIContext) {
 	if ctx.Repo.Repository.IsArchived {
 		ctx.NotFound()
@ -514,18 +510,59 @@ func mustNotBeArchived(ctx *context.APIContext) {
 	}
 }

-// RegisterRoutes registers all v1 APIs routes to web application.
-func RegisterRoutes(m *macaron.Macaron) {
-	bind := binding.Bind
-
-	if setting.API.EnableSwagger {
-		m.Get("/swagger", misc.Swagger) // Render V1 by default
+// bind binding an obj to a func(ctx *context.APIContext)
+func bind(obj interface{}) http.HandlerFunc {
+	var tp = reflect.TypeOf(obj)
+	for tp.Kind() == reflect.Ptr {
+		tp = tp.Elem()
 	}
+	return web.Wrap(func(ctx *context.APIContext) {
+		var theObj = reflect.New(tp).Interface() // create a new form obj for every request but not use obj directly
+		errs := binding.Bind(ctx.Req, theObj)
+		if len(errs) > 0 {
+			ctx.Error(422, "validationError", errs[0].Error())
+			return
+		}
+		web.SetForm(ctx, theObj)
+	})
+}

-	m.Group("/v1", func() {
+// Routes registers all v1 APIs routes to web application.
+func Routes() *web.Route {
+	var m = web.NewRoute()
+
+	m.Use(session.Sessioner(session.Options{
+		Provider:       setting.SessionConfig.Provider,
+		ProviderConfig: setting.SessionConfig.ProviderConfig,
+		CookieName:     setting.SessionConfig.CookieName,
+		CookiePath:     setting.SessionConfig.CookiePath,
+		Gclifetime:     setting.SessionConfig.Gclifetime,
+		Maxlifetime:    setting.SessionConfig.Maxlifetime,
+		Secure:         setting.SessionConfig.Secure,
+		Domain:         setting.SessionConfig.Domain,
+	}))
+	m.Use(securityHeaders())
+	if setting.CORSConfig.Enabled {
+		m.Use(cors.Handler(cors.Options{
+			//Scheme:           setting.CORSConfig.Scheme, // FIXME: the cors middleware needs scheme option
+			AllowedOrigins: setting.CORSConfig.AllowDomain,
+			//setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option
+			AllowedMethods:   setting.CORSConfig.Methods,
+			AllowCredentials: setting.CORSConfig.AllowCredentials,
+			MaxAge:           int(setting.CORSConfig.MaxAge.Seconds()),
+		}))
+	}
+	m.Use(context.APIContexter())
+	m.Use(context.ToggleAPI(&context.ToggleOptions{
+		SignInRequired: setting.Service.RequireSignInView,
+	}))
+
+	m.Group("", func() {
 		// Miscellaneous
 		if setting.API.EnableSwagger {
-			m.Get("/swagger", misc.Swagger)
+			m.Get("/swagger", func(ctx *context.APIContext) {
+				ctx.Redirect("/api/swagger")
+			})
 		}
 		m.Get("/version", misc.Version)
 		m.Get("/signing-key.gpg", misc.SigningKey)
@ -544,7 +581,7 @@ func RegisterRoutes(m *macaron.Macaron) {
 				Get(notify.ListNotifications).
 				Put(notify.ReadNotifications)
 			m.Get("/new", notify.NewAvailable)
-			m.Combo("/threads/:id").
+			m.Combo("/threads/{id}").
 				Get(notify.GetThread).
 				Patch(notify.ReadThread)
 		}, reqToken())
@ -553,28 +590,31 @@ func RegisterRoutes(m *macaron.Macaron) {
 		m.Group("/users", func() {
 			m.Get("/search", user.Search)

-			m.Group("/:username", func() {
+			m.Group("/{username}", func() {
 				m.Get("", user.GetInfo)
-				m.Get("/heatmap", mustEnableUserHeatmap, user.GetUserHeatmapData)
+
+				if setting.Service.EnableUserHeatmap {
+					m.Get("/heatmap", user.GetUserHeatmapData)
+				}

 				m.Get("/repos", user.ListUserRepos)
 				m.Group("/tokens", func() {
 					m.Combo("").Get(user.ListAccessTokens).
 						Post(bind(api.CreateAccessTokenOption{}), user.CreateAccessToken)
-					m.Combo("/:id").Delete(user.DeleteAccessToken)
+					m.Combo("/{id}").Delete(user.DeleteAccessToken)
 				}, reqBasicAuth())
 			})
 		})

 		m.Group("/users", func() {
-			m.Group("/:username", func() {
+			m.Group("/{username}", func() {
 				m.Get("/keys", user.ListPublicKeys)
 				m.Get("/gpg_keys", user.ListGPGKeys)

 				m.Get("/followers", user.ListFollowers)
 				m.Group("/following", func() {
 					m.Get("", user.ListFollowing)
-					m.Get("/:target", user.CheckFollowing)
+					m.Get("/{target}", user.CheckFollowing)
 				})

 				m.Get("/starred", user.GetStarredRepos)
@ -592,20 +632,20 @@ func RegisterRoutes(m *macaron.Macaron) {
 			m.Get("/followers", user.ListMyFollowers)
 			m.Group("/following", func() {
 				m.Get("", user.ListMyFollowing)
-				m.Combo("/:username").Get(user.CheckMyFollowing).Put(user.Follow).Delete(user.Unfollow)
+				m.Combo("/{username}").Get(user.CheckMyFollowing).Put(user.Follow).Delete(user.Unfollow)
 			})

 			m.Group("/keys", func() {
 				m.Combo("").Get(user.ListMyPublicKeys).
 					Post(bind(api.CreateKeyOption{}), user.CreatePublicKey)
-				m.Combo("/:id").Get(user.GetPublicKey).
+				m.Combo("/{id}").Get(user.GetPublicKey).
 					Delete(user.DeletePublicKey)
 			})
 			m.Group("/applications", func() {
 				m.Combo("/oauth2").
 					Get(user.ListOauth2Applications).
 					Post(bind(api.CreateOAuth2ApplicationOptions{}), user.CreateOauth2Application)
-				m.Combo("/oauth2/:id").
+				m.Combo("/oauth2/{id}").
 					Delete(user.DeleteOauth2Application).
 					Patch(bind(api.CreateOAuth2ApplicationOptions{}), user.UpdateOauth2Application).
 					Get(user.GetOauth2Application)
@ -614,7 +654,7 @@ func RegisterRoutes(m *macaron.Macaron) {
 			m.Group("/gpg_keys", func() {
 				m.Combo("").Get(user.ListMyGPGKeys).
 					Post(bind(api.CreateGPGKeyOption{}), user.CreateGPGKey)
-				m.Combo("/:id").Get(user.GetGPGKey).
+				m.Combo("/{id}").Get(user.GetGPGKey).
 					Delete(user.DeleteGPGKey)
 			})

@ -623,7 +663,7 @@ func RegisterRoutes(m *macaron.Macaron) {

 			m.Group("/starred", func() {
 				m.Get("", user.GetMyStarredRepos)
-				m.Group("/:username/:reponame", func() {
+				m.Group("/{username}/{reponame}", func() {
 					m.Get("", user.IsStarring)
 					m.Put("", user.Star)
 					m.Delete("", user.Unstar)
@ -639,9 +679,9 @@ func RegisterRoutes(m *macaron.Macaron) {
 		}, reqToken())

 		// Repositories
-		m.Post("/org/:org/repos", reqToken(), bind(api.CreateRepoOption{}), repo.CreateOrgRepoDeprecated)
+		m.Post("/org/{org}/repos", reqToken(), bind(api.CreateRepoOption{}), repo.CreateOrgRepoDeprecated)

-		m.Combo("/repositories/:id", reqToken()).Get(repo.GetByID)
+		m.Combo("/repositories/{id}", reqToken()).Get(repo.GetByID)

 		m.Group("/repos", func() {
 			m.Get("/search", repo.Search)
@ -650,10 +690,10 @@ func RegisterRoutes(m *macaron.Macaron) {

 			m.Post("/migrate", reqToken(), bind(api.MigrateRepoOptions{}), repo.Migrate)

-			m.Group("/:username/:reponame", func() {
+			m.Group("/{username}/{reponame}", func() {
 				m.Combo("").Get(reqAnyRepoReader(), repo.Get).
 					Delete(reqToken(), reqOwner(), repo.Delete).
-					Patch(reqToken(), reqAdmin(), context.RepoRefForAPI(), bind(api.EditRepoOption{}), repo.Edit)
+					Patch(reqToken(), reqAdmin(), context.RepoRefForAPI, bind(api.EditRepoOption{}), repo.Edit)
 				m.Post("/transfer", reqOwner(), bind(api.TransferRepoOption{}), repo.Transfer)
 				m.Combo("/notifications").
 					Get(reqToken(), notify.ListRepoNotifications).
@ -661,15 +701,15 @@ func RegisterRoutes(m *macaron.Macaron) {
 				m.Group("/hooks", func() {
 					m.Combo("").Get(repo.ListHooks).
 						Post(bind(api.CreateHookOption{}), repo.CreateHook)
-					m.Group("/:id", func() {
+					m.Group("/{id}", func() {
 						m.Combo("").Get(repo.GetHook).
 							Patch(bind(api.EditHookOption{}), repo.EditHook).
 							Delete(repo.DeleteHook)
-						m.Post("/tests", context.RepoRefForAPI(), repo.TestHook)
+						m.Post("/tests", context.RepoRefForAPI, repo.TestHook)
 					})
 					m.Group("/git", func() {
 						m.Combo("").Get(repo.ListGitHooks)
-						m.Group("/:id", func() {
+						m.Group("/{id}", func() {
 							m.Combo("").Get(repo.GetGitHook).
 								Patch(bind(api.EditGitHookOption{}), repo.EditGitHook).
 								Delete(repo.DeleteGitHook)
@ -678,11 +718,11 @@ func RegisterRoutes(m *macaron.Macaron) {
 				}, reqToken(), reqAdmin())
 				m.Group("/collaborators", func() {
 					m.Get("", reqAnyRepoReader(), repo.ListCollaborators)
-					m.Combo("/:collaborator").Get(reqAnyRepoReader(), repo.IsCollaborator).
+					m.Combo("/{collaborator}").Get(reqAnyRepoReader(), repo.IsCollaborator).
 						Put(reqAdmin(), bind(api.AddCollaboratorOption{}), repo.AddCollaborator).
 						Delete(reqAdmin(), repo.DeleteCollaborator)
 				}, reqToken())
-				m.Get("/raw/*", context.RepoRefForAPI(), reqRepoReader(models.UnitTypeCode), repo.GetRawFile)
+				m.Get("/raw/*", context.RepoRefForAPI, reqRepoReader(models.UnitTypeCode), repo.GetRawFile)
 				m.Get("/archive/*", reqRepoReader(models.UnitTypeCode), repo.GetArchive)
 				m.Combo("/forks").Get(repo.ListForks).
 					Post(reqToken(), reqRepoReader(models.UnitTypeCode), bind(api.CreateForkOption{}), repo.CreateFork)
@ -695,7 +735,7 @@ func RegisterRoutes(m *macaron.Macaron) {
 				m.Group("/branch_protections", func() {
 					m.Get("", repo.ListBranchProtections)
 					m.Post("", bind(api.CreateBranchProtectionOption{}), repo.CreateBranchProtection)
-					m.Group("/:name", func() {
+					m.Group("/{name}", func() {
 						m.Get("", repo.GetBranchProtection)
 						m.Patch("", bind(api.EditBranchProtectionOption{}), repo.EditBranchProtection)
 						m.Delete("", repo.DeleteBranchProtection)
@ -707,19 +747,19 @@ func RegisterRoutes(m *macaron.Macaron) {
 				m.Group("/keys", func() {
 					m.Combo("").Get(repo.ListDeployKeys).
 						Post(bind(api.CreateKeyOption{}), repo.CreateDeployKey)
-					m.Combo("/:id").Get(repo.GetDeployKey).
+					m.Combo("/{id}").Get(repo.GetDeployKey).
 						Delete(repo.DeleteDeploykey)
 				}, reqToken(), reqAdmin())
 				m.Group("/times", func() {
 					m.Combo("").Get(repo.ListTrackedTimesByRepository)
-					m.Combo("/:timetrackingusername").Get(repo.ListTrackedTimesByUser)
+					m.Combo("/{timetrackingusername}").Get(repo.ListTrackedTimesByUser)
 				}, mustEnableIssues, reqToken())
 				m.Group("/issues", func() {
 					m.Combo("").Get(repo.ListIssues).
 						Post(reqToken(), mustNotBeArchived, bind(api.CreateIssueOption{}), repo.CreateIssue)
 					m.Group("/comments", func() {
 						m.Get("", repo.ListRepoIssueComments)
-						m.Group("/:id", func() {
+						m.Group("/{id}", func() {
 							m.Combo("").
 								Get(repo.GetIssueComment).
 								Patch(mustNotBeArchived, reqToken(), bind(api.EditIssueCommentOption{}), repo.EditIssueComment).
@ -730,13 +770,13 @@ func RegisterRoutes(m *macaron.Macaron) {
 								Delete(reqToken(), bind(api.EditReactionOption{}), repo.DeleteIssueCommentReaction)
 						})
 					})
-					m.Group("/:index", func() {
+					m.Group("/{index}", func() {
 						m.Combo("").Get(repo.GetIssue).
 							Patch(reqToken(), bind(api.EditIssueOption{}), repo.EditIssue)
 						m.Group("/comments", func() {
 							m.Combo("").Get(repo.ListIssueComments).
 								Post(reqToken(), mustNotBeArchived, bind(api.CreateIssueCommentOption{}), repo.CreateIssueComment)
-							m.Combo("/:id", reqToken()).Patch(bind(api.EditIssueCommentOption{}), repo.EditIssueCommentDeprecated).
+							m.Combo("/{id}", reqToken()).Patch(bind(api.EditIssueCommentOption{}), repo.EditIssueCommentDeprecated).
 								Delete(repo.DeleteIssueCommentDeprecated)
 						})
 						m.Group("/labels", func() {
@ -744,14 +784,14 @@ func RegisterRoutes(m *macaron.Macaron) {
 								Post(reqToken(), bind(api.IssueLabelsOption{}), repo.AddIssueLabels).
 								Put(reqToken(), bind(api.IssueLabelsOption{}), repo.ReplaceIssueLabels).
 								Delete(reqToken(), repo.ClearIssueLabels)
-							m.Delete("/:id", reqToken(), repo.DeleteIssueLabel)
+							m.Delete("/{id}", reqToken(), repo.DeleteIssueLabel)
 						})
 						m.Group("/times", func() {
 							m.Combo("").
 								Get(repo.ListTrackedTimes).
 								Post(bind(api.AddTimeOption{}), repo.AddTime).
 								Delete(repo.ResetIssueTime)
-							m.Delete("/:id", repo.DeleteTime)
+							m.Delete("/{id}", repo.DeleteTime)
 						}, reqToken())
 						m.Combo("/deadline").Post(reqToken(), bind(api.EditDeadlineOption{}), repo.UpdateIssueDeadline)
 						m.Group("/stopwatch", func() {
@ -762,8 +802,8 @@ func RegisterRoutes(m *macaron.Macaron) {
 						m.Group("/subscriptions", func() {
 							m.Get("", repo.GetIssueSubscribers)
 							m.Get("/check", reqToken(), repo.CheckIssueSubscription)
-							m.Put("/:user", reqToken(), repo.AddIssueSubscription)
-							m.Delete("/:user", reqToken(), repo.DelIssueSubscription)
+							m.Put("/{user}", reqToken(), repo.AddIssueSubscription)
+							m.Delete("/{user}", reqToken(), repo.DelIssueSubscription)
 						})
 						m.Combo("/reactions").
 							Get(repo.GetIssueReactions).
@ -774,7 +814,7 @@ func RegisterRoutes(m *macaron.Macaron) {
 				m.Group("/labels", func() {
 					m.Combo("").Get(repo.ListLabels).
 						Post(reqToken(), reqRepoWriter(models.UnitTypeIssues, models.UnitTypePullRequests), bind(api.CreateLabelOption{}), repo.CreateLabel)
-					m.Combo("/:id").Get(repo.GetLabel).
+					m.Combo("/{id}").Get(repo.GetLabel).
 						Patch(reqToken(), reqRepoWriter(models.UnitTypeIssues, models.UnitTypePullRequests), bind(api.EditLabelOption{}), repo.EditLabel).
 						Delete(reqToken(), reqRepoWriter(models.UnitTypeIssues, models.UnitTypePullRequests), repo.DeleteLabel)
 				})
@ -783,7 +823,7 @@ func RegisterRoutes(m *macaron.Macaron) {
 				m.Group("/milestones", func() {
 					m.Combo("").Get(repo.ListMilestones).
 						Post(reqToken(), reqRepoWriter(models.UnitTypeIssues, models.UnitTypePullRequests), bind(api.CreateMilestoneOption{}), repo.CreateMilestone)
-					m.Combo("/:id").Get(repo.GetMilestone).
+					m.Combo("/{id}").Get(repo.GetMilestone).
 						Patch(reqToken(), reqRepoWriter(models.UnitTypeIssues, models.UnitTypePullRequests), bind(api.EditMilestoneOption{}), repo.EditMilestone).
 						Delete(reqToken(), reqRepoWriter(models.UnitTypeIssues, models.UnitTypePullRequests), repo.DeleteMilestone)
 				})
@ -797,30 +837,30 @@ func RegisterRoutes(m *macaron.Macaron) {
 				m.Group("/releases", func() {
 					m.Combo("").Get(repo.ListReleases).
 						Post(reqToken(), reqRepoWriter(models.UnitTypeReleases), context.ReferencesGitRepo(false), bind(api.CreateReleaseOption{}), repo.CreateRelease)
-					m.Group("/:id", func() {
+					m.Group("/{id}", func() {
 						m.Combo("").Get(repo.GetRelease).
 							Patch(reqToken(), reqRepoWriter(models.UnitTypeReleases), context.ReferencesGitRepo(false), bind(api.EditReleaseOption{}), repo.EditRelease).
 							Delete(reqToken(), reqRepoWriter(models.UnitTypeReleases), repo.DeleteRelease)
 						m.Group("/assets", func() {
 							m.Combo("").Get(repo.ListReleaseAttachments).
 								Post(reqToken(), reqRepoWriter(models.UnitTypeReleases), repo.CreateReleaseAttachment)
-							m.Combo("/:asset").Get(repo.GetReleaseAttachment).
+							m.Combo("/{asset}").Get(repo.GetReleaseAttachment).
 								Patch(reqToken(), reqRepoWriter(models.UnitTypeReleases), bind(api.EditAttachmentOptions{}), repo.EditReleaseAttachment).
 								Delete(reqToken(), reqRepoWriter(models.UnitTypeReleases), repo.DeleteReleaseAttachment)
 						})
 					})
 					m.Group("/tags", func() {
-						m.Combo("/:tag").
+						m.Combo("/{tag}").
 							Get(repo.GetReleaseTag).
 							Delete(reqToken(), reqRepoWriter(models.UnitTypeReleases), repo.DeleteReleaseTag)
 					})
 				}, reqRepoReader(models.UnitTypeReleases))
 				m.Post("/mirror-sync", reqToken(), reqRepoWriter(models.UnitTypeCode), repo.MirrorSync)
-				m.Get("/editorconfig/:filename", context.RepoRefForAPI(), reqRepoReader(models.UnitTypeCode), repo.GetEditorconfig)
+				m.Get("/editorconfig/{filename}", context.RepoRefForAPI, reqRepoReader(models.UnitTypeCode), repo.GetEditorconfig)
 				m.Group("/pulls", func() {
-					m.Combo("").Get(bind(api.ListPullRequestsOptions{}), repo.ListPullRequests).
+					m.Combo("").Get(repo.ListPullRequests).
 						Post(reqToken(), mustNotBeArchived, bind(api.CreatePullRequestOption{}), repo.CreatePullRequest)
-					m.Group("/:index", func() {
+					m.Group("/{index}", func() {
 						m.Combo("").Get(repo.GetPullRequest).
 							Patch(reqToken(), reqRepoWriter(models.UnitTypePullRequests), bind(api.EditPullRequestOption{}), repo.EditPullRequest)
 						m.Get(".diff", repo.DownloadPullDiff)
@ -832,7 +872,7 @@ func RegisterRoutes(m *macaron.Macaron) {
 							m.Combo("").
 								Get(repo.ListPullReviews).
 								Post(reqToken(), bind(api.CreatePullReviewOptions{}), repo.CreatePullReview)
-							m.Group("/:id", func() {
+							m.Group("/{id}", func() {
 								m.Combo("").
 									Get(repo.GetPullReview).
 									Delete(reqToken(), repo.DeletePullReview).
@ -847,25 +887,25 @@ func RegisterRoutes(m *macaron.Macaron) {
 					})
 				}, mustAllowPulls, reqRepoReader(models.UnitTypeCode), context.ReferencesGitRepo(false))
 				m.Group("/statuses", func() {
-					m.Combo("/:sha").Get(repo.GetCommitStatuses).
+					m.Combo("/{sha}").Get(repo.GetCommitStatuses).
 						Post(reqToken(), bind(api.CreateStatusOption{}), repo.NewCommitStatus)
 				}, reqRepoReader(models.UnitTypeCode))
 				m.Group("/commits", func() {
 					m.Get("", repo.GetAllCommits)
-					m.Group("/:ref", func() {
+					m.Group("/{ref}", func() {
 						m.Get("/status", repo.GetCombinedCommitStatusByRef)
 						m.Get("/statuses", repo.GetCommitStatusesByRef)
 					})
 				}, reqRepoReader(models.UnitTypeCode))
 				m.Group("/git", func() {
 					m.Group("/commits", func() {
-						m.Get("/:sha", repo.GetSingleCommit)
+						m.Get("/{sha}", repo.GetSingleCommit)
 					})
 					m.Get("/refs", repo.GetGitAllRefs)
 					m.Get("/refs/*", repo.GetGitRefs)
-					m.Get("/trees/:sha", context.RepoRefForAPI(), repo.GetTree)
-					m.Get("/blobs/:sha", context.RepoRefForAPI(), repo.GetBlob)
-					m.Get("/tags/:sha", context.RepoRefForAPI(), repo.GetTag)
+					m.Get("/trees/{sha}", context.RepoRefForAPI, repo.GetTree)
+					m.Get("/blobs/{sha}", context.RepoRefForAPI, repo.GetBlob)
+					m.Get("/tags/{sha}", context.RepoRefForAPI, repo.GetTag)
 				}, reqRepoReader(models.UnitTypeCode))
 				m.Group("/contents", func() {
 					m.Get("", repo.GetContentsList)
@ -880,7 +920,7 @@ func RegisterRoutes(m *macaron.Macaron) {
 				m.Group("/topics", func() {
 					m.Combo("").Get(repo.ListTopics).
 						Put(reqToken(), reqAdmin(), bind(api.RepoTopicOptions{}), repo.UpdateTopics)
-					m.Group("/:topic", func() {
+					m.Group("/{topic}", func() {
 						m.Combo("").Put(reqToken(), repo.AddTopic).
 							Delete(reqToken(), repo.DeleteTopic)
 					}, reqAdmin())
@ -892,10 +932,10 @@ func RegisterRoutes(m *macaron.Macaron) {

 		// Organizations
 		m.Get("/user/orgs", reqToken(), org.ListMyOrgs)
-		m.Get("/users/:username/orgs", org.ListUserOrgs)
+		m.Get("/users/{username}/orgs", org.ListUserOrgs)
 		m.Post("/orgs", reqToken(), bind(api.CreateOrgOption{}), org.Create)
 		m.Get("/orgs", org.GetAll)
-		m.Group("/orgs/:org", func() {
+		m.Group("/orgs/{org}", func() {
 			m.Combo("").Get(org.Get).
 				Patch(reqToken(), reqOrgOwnership(), bind(api.EditOrgOption{}), org.Edit).
 				Delete(reqToken(), reqOrgOwnership(), org.Delete)
@ -903,12 +943,12 @@ func RegisterRoutes(m *macaron.Macaron) {
 				Post(reqToken(), bind(api.CreateRepoOption{}), repo.CreateOrgRepo)
 			m.Group("/members", func() {
 				m.Get("", org.ListMembers)
-				m.Combo("/:username").Get(org.IsMember).
+				m.Combo("/{username}").Get(org.IsMember).
 					Delete(reqToken(), reqOrgOwnership(), org.DeleteMember)
 			})
 			m.Group("/public_members", func() {
 				m.Get("", org.ListPublicMembers)
-				m.Combo("/:username").Get(org.IsPublicMember).
+				m.Combo("/{username}").Get(org.IsPublicMember).
 					Put(reqToken(), reqOrgMembership(), org.PublicizeMember).
 					Delete(reqToken(), reqOrgMembership(), org.ConcealMember)
 			})
@ -920,56 +960,52 @@ func RegisterRoutes(m *macaron.Macaron) {
 			m.Group("/labels", func() {
 				m.Get("", org.ListLabels)
 				m.Post("", reqToken(), reqOrgOwnership(), bind(api.CreateLabelOption{}), org.CreateLabel)
-				m.Combo("/:id").Get(org.GetLabel).
+				m.Combo("/{id}").Get(org.GetLabel).
 					Patch(reqToken(), reqOrgOwnership(), bind(api.EditLabelOption{}), org.EditLabel).
 					Delete(reqToken(), reqOrgOwnership(), org.DeleteLabel)
 			})
 			m.Group("/hooks", func() {
 				m.Combo("").Get(org.ListHooks).
 					Post(bind(api.CreateHookOption{}), org.CreateHook)
-				m.Combo("/:id").Get(org.GetHook).
+				m.Combo("/{id}").Get(org.GetHook).
 					Patch(bind(api.EditHookOption{}), org.EditHook).
 					Delete(org.DeleteHook)
 			}, reqToken(), reqOrgOwnership())
 		}, orgAssignment(true))
-		m.Group("/teams/:teamid", func() {
+		m.Group("/teams/{teamid}", func() {
 			m.Combo("").Get(org.GetTeam).
 				Patch(reqOrgOwnership(), bind(api.EditTeamOption{}), org.EditTeam).
 				Delete(reqOrgOwnership(), org.DeleteTeam)
 			m.Group("/members", func() {
 				m.Get("", org.GetTeamMembers)
-				m.Combo("/:username").
+				m.Combo("/{username}").
 					Get(org.GetTeamMember).
 					Put(reqOrgOwnership(), org.AddTeamMember).
 					Delete(reqOrgOwnership(), org.RemoveTeamMember)
 			})
 			m.Group("/repos", func() {
 				m.Get("", org.GetTeamRepos)
-				m.Combo("/:org/:reponame").
+				m.Combo("/{org}/{reponame}").
 					Put(org.AddTeamRepository).
 					Delete(org.RemoveTeamRepository)
 			})
 		}, orgAssignment(false, true), reqToken(), reqTeamMembership())

-		m.Any("/*", func(ctx *context.APIContext) {
-			ctx.NotFound()
-		})
-
 		m.Group("/admin", func() {
 			m.Group("/cron", func() {
 				m.Get("", admin.ListCronTasks)
-				m.Post("/:task", admin.PostCronTask)
+				m.Post("/{task}", admin.PostCronTask)
 			})
 			m.Get("/orgs", admin.GetAllOrgs)
 			m.Group("/users", func() {
 				m.Get("", admin.GetAllUsers)
 				m.Post("", bind(api.CreateUserOption{}), admin.CreateUser)
-				m.Group("/:username", func() {
+				m.Group("/{username}", func() {
 					m.Combo("").Patch(bind(api.EditUserOption{}), admin.EditUser).
 						Delete(admin.DeleteUser)
 					m.Group("/keys", func() {
 						m.Post("", bind(api.CreateKeyOption{}), admin.CreatePublicKey)
-						m.Delete("/:id", admin.DeleteUserPublicKey)
+						m.Delete("/{id}", admin.DeleteUserPublicKey)
 					})
 					m.Get("/orgs", org.ListUserOrgs)
 					m.Post("/orgs", bind(api.CreateOrgOption{}), admin.CreateOrg)
@ -978,23 +1014,26 @@ func RegisterRoutes(m *macaron.Macaron) {
 			})
 			m.Group("/unadopted", func() {
 				m.Get("", admin.ListUnadoptedRepositories)
-				m.Post("/:username/:reponame", admin.AdoptRepository)
-				m.Delete("/:username/:reponame", admin.DeleteUnadoptedRepository)
+				m.Post("/{username}/{reponame}", admin.AdoptRepository)
+				m.Delete("/{username}/{reponame}", admin.DeleteUnadoptedRepository)
 			})
 		}, reqToken(), reqSiteAdmin())

 		m.Group("/topics", func() {
 			m.Get("/search", repo.TopicSearch)
 		})
-	}, securityHeaders(), context.APIContexter(), sudo())
+	}, sudo())
+
+	return m
 }

-func securityHeaders() macaron.Handler {
-	return func(ctx *macaron.Context) {
-		ctx.Resp.Before(func(w macaron.ResponseWriter) {
+func securityHeaders() func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
 			// CORB: https://www.chromium.org/Home/chromium-security/corb-for-developers
 			// http://stackoverflow.com/a/3146618/244009
-			w.Header().Set("x-content-type-options", "nosniff")
+			resp.Header().Set("x-content-type-options", "nosniff")
+			next.ServeHTTP(resp, req)
 		})
 	}
 }
--- a/routers/api/v1/misc/markdown.go
+++ b/routers/api/v1/misc/markdown.go
@ -5,6 +5,7 @@
 package misc

 import (
+	"io/ioutil"
 	"net/http"
 	"strings"

@ -13,12 +14,13 @@ import (
 	"code.gitea.io/gitea/modules/setting"
 	api "code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/modules/util"
+	"code.gitea.io/gitea/modules/web"

 	"mvdan.cc/xurls/v2"
 )

 // Markdown render markdown document to HTML
-func Markdown(ctx *context.APIContext, form api.MarkdownOption) {
+func Markdown(ctx *context.APIContext) {
 	// swagger:operation POST /markdown miscellaneous renderMarkdown
 	// ---
 	// summary: Render a markdown document as HTML
@ -37,6 +39,8 @@ func Markdown(ctx *context.APIContext, form api.MarkdownOption) {
 	//   "422":
 	//     "$ref": "#/responses/validationError"

+	form := web.GetForm(ctx).(*api.MarkdownOption)
+
 	if ctx.HasAPIError() {
 		ctx.Error(http.StatusUnprocessableEntity, "", ctx.GetErrMsg())
 		return
@ -117,7 +121,7 @@ func MarkdownRaw(ctx *context.APIContext) {
 	//   "422":
 	//     "$ref": "#/responses/validationError"

-	body, err := ctx.Req.Body().Bytes()
+	body, err := ioutil.ReadAll(ctx.Req.Body)
 	if err != nil {
 		ctx.Error(http.StatusUnprocessableEntity, "", err)
 		return
--- a/routers/api/v1/misc/markdown_test.go
+++ b/routers/api/v1/misc/markdown_test.go
@ -15,10 +15,10 @@ import (
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/setting"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/templates"
 	"code.gitea.io/gitea/modules/util"
+	"code.gitea.io/gitea/modules/web"

-	"gitea.com/macaron/inject"
-	"gitea.com/macaron/macaron"
 	"github.com/stretchr/testify/assert"
 )

@ -26,25 +26,21 @@ const AppURL = "http://localhost:3000/"
 const Repo = "gogits/gogs"
 const AppSubURL = AppURL + Repo + "/"

-func createContext(req *http.Request) (*macaron.Context, *httptest.ResponseRecorder) {
+func createContext(req *http.Request) (*context.Context, *httptest.ResponseRecorder) {
+	var rnd = templates.HTMLRenderer()
 	resp := httptest.NewRecorder()
-	c := &macaron.Context{
-		Injector: inject.New(),
-		Req:      macaron.Request{Request: req},
-		Resp:     macaron.NewResponseWriter(req.Method, resp),
-		Render:   &macaron.DummyRender{ResponseWriter: resp},
-		Data:     make(map[string]interface{}),
+	c := &context.Context{
+		Req:    req,
+		Resp:   context.NewResponse(resp),
+		Render: rnd,
+		Data:   make(map[string]interface{}),
 	}
-	c.Map(c)
-	c.Map(req)
 	return c, resp
 }

-func wrap(ctx *macaron.Context) *context.APIContext {
+func wrap(ctx *context.Context) *context.APIContext {
 	return &context.APIContext{
-		Context: &context.Context{
-			Context: ctx,
-		},
+		Context: ctx,
 	}
 }

@ -115,7 +111,8 @@ Here are some links to the most important topics. You can find the full list of

 	for i := 0; i < len(testCases); i += 2 {
 		options.Text = testCases[i]
-		Markdown(ctx, options)
+		web.SetForm(ctx, &options)
+		Markdown(ctx)
 		assert.Equal(t, testCases[i+1], resp.Body.String())
 		resp.Body.Reset()
 	}
@ -156,7 +153,8 @@ func TestAPI_RenderSimple(t *testing.T) {

 	for i := 0; i < len(simpleCases); i += 2 {
 		options.Text = simpleCases[i]
-		Markdown(ctx, options)
+		web.SetForm(ctx, &options)
+		Markdown(ctx)
 		assert.Equal(t, simpleCases[i+1], resp.Body.String())
 		resp.Body.Reset()
 	}
@ -174,7 +172,7 @@ func TestAPI_RenderRaw(t *testing.T) {
 	ctx := wrap(m)

 	for i := 0; i < len(simpleCases); i += 2 {
-		ctx.Req.Request.Body = ioutil.NopCloser(strings.NewReader(simpleCases[i]))
+		ctx.Req.Body = ioutil.NopCloser(strings.NewReader(simpleCases[i]))
 		MarkdownRaw(ctx)
 		assert.Equal(t, simpleCases[i+1], resp.Body.String())
 		resp.Body.Reset()
--- a/routers/api/v1/org/hook.go
+++ b/routers/api/v1/org/hook.go
@ -11,6 +11,7 @@ import (
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/convert"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/api/v1/utils"
 )

@ -85,7 +86,7 @@ func GetHook(ctx *context.APIContext) {
 }

 // CreateHook create a hook for an organization
-func CreateHook(ctx *context.APIContext, form api.CreateHookOption) {
+func CreateHook(ctx *context.APIContext) {
 	// swagger:operation POST /orgs/{org}/hooks/ organization orgCreateHook
 	// ---
 	// summary: Create a hook
@ -108,15 +109,16 @@ func CreateHook(ctx *context.APIContext, form api.CreateHookOption) {
 	//   "201":
 	//     "$ref": "#/responses/Hook"

+	form := web.GetForm(ctx).(*api.CreateHookOption)
 	//TODO in body params
-	if !utils.CheckCreateHookOption(ctx, &form) {
+	if !utils.CheckCreateHookOption(ctx, form) {
 		return
 	}
-	utils.AddOrgHook(ctx, &form)
+	utils.AddOrgHook(ctx, form)
 }

 // EditHook modify a hook of a repository
-func EditHook(ctx *context.APIContext, form api.EditHookOption) {
+func EditHook(ctx *context.APIContext) {
 	// swagger:operation PATCH /orgs/{org}/hooks/{id} organization orgEditHook
 	// ---
 	// summary: Update a hook
@ -144,9 +146,11 @@ func EditHook(ctx *context.APIContext, form api.EditHookOption) {
 	//   "200":
 	//     "$ref": "#/responses/Hook"

+	form := web.GetForm(ctx).(*api.EditHookOption)
+
 	//TODO in body params
 	hookID := ctx.ParamsInt64(":id")
-	utils.EditOrgHook(ctx, &form, hookID)
+	utils.EditOrgHook(ctx, form, hookID)
 }

 // DeleteHook delete a hook of an organization
--- a/routers/api/v1/org/label.go
+++ b/routers/api/v1/org/label.go
@ -14,6 +14,7 @@ import (
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/convert"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/api/v1/utils"
 )

@ -52,7 +53,7 @@ func ListLabels(ctx *context.APIContext) {
 }

 // CreateLabel create a label for a repository
-func CreateLabel(ctx *context.APIContext, form api.CreateLabelOption) {
+func CreateLabel(ctx *context.APIContext) {
 	// swagger:operation POST /orgs/{org}/labels organization orgCreateLabel
 	// ---
 	// summary: Create a label for an organization
@ -75,7 +76,7 @@ func CreateLabel(ctx *context.APIContext, form api.CreateLabelOption) {
 	//     "$ref": "#/responses/Label"
 	//   "422":
 	//     "$ref": "#/responses/validationError"
-
+	form := web.GetForm(ctx).(*api.CreateLabelOption)
 	form.Color = strings.Trim(form.Color, " ")
 	if len(form.Color) == 6 {
 		form.Color = "#" + form.Color
@ -144,7 +145,7 @@ func GetLabel(ctx *context.APIContext) {
 }

 // EditLabel modify a label for an Organization
-func EditLabel(ctx *context.APIContext, form api.EditLabelOption) {
+func EditLabel(ctx *context.APIContext) {
 	// swagger:operation PATCH /orgs/{org}/labels/{id} organization orgEditLabel
 	// ---
 	// summary: Update a label
@ -173,7 +174,7 @@ func EditLabel(ctx *context.APIContext, form api.EditLabelOption) {
 	//     "$ref": "#/responses/Label"
 	//   "422":
 	//     "$ref": "#/responses/validationError"
-
+	form := web.GetForm(ctx).(*api.EditLabelOption)
 	label, err := models.GetLabelInOrgByID(ctx.Org.Organization.ID, ctx.ParamsInt64(":id"))
 	if err != nil {
 		if models.IsErrOrgLabelNotExist(err) {
--- a/routers/api/v1/org/org.go
+++ b/routers/api/v1/org/org.go
@ -13,6 +13,7 @@ import (
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/convert"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/api/v1/user"
 	"code.gitea.io/gitea/routers/api/v1/utils"
 )
@ -149,7 +150,7 @@ func GetAll(ctx *context.APIContext) {
 }

 // Create api for create organization
-func Create(ctx *context.APIContext, form api.CreateOrgOption) {
+func Create(ctx *context.APIContext) {
 	// swagger:operation POST /orgs organization orgCreate
 	// ---
 	// summary: Create an organization
@ -169,7 +170,7 @@ func Create(ctx *context.APIContext, form api.CreateOrgOption) {
 	//     "$ref": "#/responses/forbidden"
 	//   "422":
 	//     "$ref": "#/responses/validationError"
-
+	form := web.GetForm(ctx).(*api.CreateOrgOption)
 	if !ctx.User.CanCreateOrganization() {
 		ctx.Error(http.StatusForbidden, "Create organization not allowed", nil)
 		return
@ -231,7 +232,7 @@ func Get(ctx *context.APIContext) {
 }

 // Edit change an organization's information
-func Edit(ctx *context.APIContext, form api.EditOrgOption) {
+func Edit(ctx *context.APIContext) {
 	// swagger:operation PATCH /orgs/{org} organization orgEdit
 	// ---
 	// summary: Edit an organization
@ -253,7 +254,7 @@ func Edit(ctx *context.APIContext, form api.EditOrgOption) {
 	// responses:
 	//   "200":
 	//     "$ref": "#/responses/Organization"
-
+	form := web.GetForm(ctx).(*api.EditOrgOption)
 	org := ctx.Org.Organization
 	org.FullName = form.FullName
 	org.Description = form.Description
--- a/routers/api/v1/org/team.go
+++ b/routers/api/v1/org/team.go
@ -15,6 +15,7 @@ import (
 	"code.gitea.io/gitea/modules/convert"
 	"code.gitea.io/gitea/modules/log"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/api/v1/user"
 	"code.gitea.io/gitea/routers/api/v1/utils"
 )
@ -131,7 +132,7 @@ func GetTeam(ctx *context.APIContext) {
 }

 // CreateTeam api for create a team
-func CreateTeam(ctx *context.APIContext, form api.CreateTeamOption) {
+func CreateTeam(ctx *context.APIContext) {
 	// swagger:operation POST /orgs/{org}/teams organization orgCreateTeam
 	// ---
 	// summary: Create a team
@ -154,7 +155,7 @@ func CreateTeam(ctx *context.APIContext, form api.CreateTeamOption) {
 	//     "$ref": "#/responses/Team"
 	//   "422":
 	//     "$ref": "#/responses/validationError"
-
+	form := web.GetForm(ctx).(*api.CreateTeamOption)
 	team := &models.Team{
 		OrgID:                   ctx.Org.Organization.ID,
 		Name:                    form.Name,
@ -190,7 +191,7 @@ func CreateTeam(ctx *context.APIContext, form api.CreateTeamOption) {
 }

 // EditTeam api for edit a team
-func EditTeam(ctx *context.APIContext, form api.EditTeamOption) {
+func EditTeam(ctx *context.APIContext) {
 	// swagger:operation PATCH /teams/{id} organization orgEditTeam
 	// ---
 	// summary: Edit a team
@ -212,6 +213,8 @@ func EditTeam(ctx *context.APIContext, form api.EditTeamOption) {
 	//   "200":
 	//     "$ref": "#/responses/Team"

+	form := web.GetForm(ctx).(*api.EditTeamOption)
+
 	team := ctx.Org.Team
 	if err := team.GetUnits(); err != nil {
 		ctx.InternalServerError(err)
--- a/routers/api/v1/repo/branch.go
+++ b/routers/api/v1/repo/branch.go
@ -16,6 +16,7 @@ import (
 	"code.gitea.io/gitea/modules/log"
 	repo_module "code.gitea.io/gitea/modules/repository"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/web"
 	pull_service "code.gitea.io/gitea/services/pull"
 	repo_service "code.gitea.io/gitea/services/repository"
 )
@ -175,7 +176,7 @@ func DeleteBranch(ctx *context.APIContext) {
 }

 // CreateBranch creates a branch for a user's repository
-func CreateBranch(ctx *context.APIContext, opt api.CreateBranchRepoOption) {
+func CreateBranch(ctx *context.APIContext) {
 	// swagger:operation POST /repos/{owner}/{repo}/branches repository repoCreateBranch
 	// ---
 	// summary: Create a branch
@ -206,6 +207,7 @@ func CreateBranch(ctx *context.APIContext, opt api.CreateBranchRepoOption) {
 	//   "409":
 	//     description: The branch with the same name already exists.

+	opt := web.GetForm(ctx).(*api.CreateBranchRepoOption)
 	if ctx.Repo.Repository.IsEmpty {
 		ctx.Error(http.StatusNotFound, "", "Git Repository is empty.")
 		return
@ -395,7 +397,7 @@ func ListBranchProtections(ctx *context.APIContext) {
 }

 // CreateBranchProtection creates a branch protection for a repo
-func CreateBranchProtection(ctx *context.APIContext, form api.CreateBranchProtectionOption) {
+func CreateBranchProtection(ctx *context.APIContext) {
 	// swagger:operation POST /repos/{owner}/{repo}/branch_protections repository repoCreateBranchProtection
 	// ---
 	// summary: Create a branch protections for a repository
@ -428,6 +430,7 @@ func CreateBranchProtection(ctx *context.APIContext, form api.CreateBranchProtec
 	//   "422":
 	//     "$ref": "#/responses/validationError"

+	form := web.GetForm(ctx).(*api.CreateBranchProtectionOption)
 	repo := ctx.Repo.Repository

 	// Currently protection must match an actual branch
@ -561,7 +564,7 @@ func CreateBranchProtection(ctx *context.APIContext, form api.CreateBranchProtec
 }

 // EditBranchProtection edits a branch protection for a repo
-func EditBranchProtection(ctx *context.APIContext, form api.EditBranchProtectionOption) {
+func EditBranchProtection(ctx *context.APIContext) {
 	// swagger:operation PATCH /repos/{owner}/{repo}/branch_protections/{name} repository repoEditBranchProtection
 	// ---
 	// summary: Edit a branch protections for a repository. Only fields that are set will be changed
@ -596,7 +599,7 @@ func EditBranchProtection(ctx *context.APIContext, form api.EditBranchProtection
 	//     "$ref": "#/responses/notFound"
 	//   "422":
 	//     "$ref": "#/responses/validationError"
-
+	form := web.GetForm(ctx).(*api.EditBranchProtectionOption)
 	repo := ctx.Repo.Repository
 	bpName := ctx.Params(":name")
 	protectBranch, err := models.GetProtectedBranchBy(repo.ID, bpName)
--- a/routers/api/v1/repo/collaborators.go
+++ b/routers/api/v1/repo/collaborators.go
@ -13,6 +13,7 @@ import (
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/convert"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/api/v1/utils"
 )

@ -111,7 +112,7 @@ func IsCollaborator(ctx *context.APIContext) {
 }

 // AddCollaborator add a collaborator to a repository
-func AddCollaborator(ctx *context.APIContext, form api.AddCollaboratorOption) {
+func AddCollaborator(ctx *context.APIContext) {
 	// swagger:operation PUT /repos/{owner}/{repo}/collaborators/{collaborator} repository repoAddCollaborator
 	// ---
 	// summary: Add a collaborator to a repository
@ -143,6 +144,8 @@ func AddCollaborator(ctx *context.APIContext, form api.AddCollaboratorOption) {
 	//   "422":
 	//     "$ref": "#/responses/validationError"

+	form := web.GetForm(ctx).(*api.AddCollaboratorOption)
+
 	collaborator, err := models.GetUserByName(ctx.Params(":collaborator"))
 	if err != nil {
 		if models.IsErrUserNotExist(err) {
--- a/routers/api/v1/repo/commits.go
+++ b/routers/api/v1/repo/commits.go
@ -69,7 +69,11 @@ func getCommit(ctx *context.APIContext, identifier string) {
 	defer gitRepo.Close()
 	commit, err := gitRepo.GetCommit(identifier)
 	if err != nil {
-		ctx.NotFoundOrServerError("GetCommit", git.IsErrNotExist, err)
+		if git.IsErrNotExist(err) {
+			ctx.NotFound(identifier)
+			return
+		}
+		ctx.Error(http.StatusInternalServerError, "gitRepo.GetCommit", err)
 		return
 	}

--- a/routers/api/v1/repo/file.go
+++ b/routers/api/v1/repo/file.go
@ -16,6 +16,7 @@ import (
 	"code.gitea.io/gitea/modules/git"
 	"code.gitea.io/gitea/modules/repofiles"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/repo"
 )

@ -167,7 +168,7 @@ func canReadFiles(r *context.Repository) bool {
 }

 // CreateFile handles API call for creating a file
-func CreateFile(ctx *context.APIContext, apiOpts api.CreateFileOptions) {
+func CreateFile(ctx *context.APIContext) {
 	// swagger:operation POST /repos/{owner}/{repo}/contents/{filepath} repository repoCreateFile
 	// ---
 	// summary: Create a file in a repository
@ -206,6 +207,7 @@ func CreateFile(ctx *context.APIContext, apiOpts api.CreateFileOptions) {
 	//   "422":
 	//     "$ref": "#/responses/error"

+	apiOpts := web.GetForm(ctx).(*api.CreateFileOptions)
 	if ctx.Repo.Repository.IsEmpty {
 		ctx.Error(http.StatusUnprocessableEntity, "RepoIsEmpty", fmt.Errorf("repo is empty"))
 	}
@ -253,7 +255,7 @@ func CreateFile(ctx *context.APIContext, apiOpts api.CreateFileOptions) {
 }

 // UpdateFile handles API call for updating a file
-func UpdateFile(ctx *context.APIContext, apiOpts api.UpdateFileOptions) {
+func UpdateFile(ctx *context.APIContext) {
 	// swagger:operation PUT /repos/{owner}/{repo}/contents/{filepath} repository repoUpdateFile
 	// ---
 	// summary: Update a file in a repository
@ -291,7 +293,7 @@ func UpdateFile(ctx *context.APIContext, apiOpts api.UpdateFileOptions) {
 	//     "$ref": "#/responses/notFound"
 	//   "422":
 	//     "$ref": "#/responses/error"
-
+	apiOpts := web.GetForm(ctx).(*api.UpdateFileOptions)
 	if ctx.Repo.Repository.IsEmpty {
 		ctx.Error(http.StatusUnprocessableEntity, "RepoIsEmpty", fmt.Errorf("repo is empty"))
 	}
@ -377,7 +379,7 @@ func createOrUpdateFile(ctx *context.APIContext, opts *repofiles.UpdateRepoFileO
 }

 // DeleteFile Delete a fle in a repository
-func DeleteFile(ctx *context.APIContext, apiOpts api.DeleteFileOptions) {
+func DeleteFile(ctx *context.APIContext) {
 	// swagger:operation DELETE /repos/{owner}/{repo}/contents/{filepath} repository repoDeleteFile
 	// ---
 	// summary: Delete a file in a repository
@ -416,6 +418,7 @@ func DeleteFile(ctx *context.APIContext, apiOpts api.DeleteFileOptions) {
 	//   "404":
 	//     "$ref": "#/responses/error"

+	apiOpts := web.GetForm(ctx).(*api.DeleteFileOptions)
 	if !canWriteFiles(ctx.Repo) {
 		ctx.Error(http.StatusForbidden, "DeleteFile", models.ErrUserDoesNotHaveAccessToRepo{
 			UserID:   ctx.User.ID,
--- a/routers/api/v1/repo/fork.go
+++ b/routers/api/v1/repo/fork.go
@ -13,6 +13,7 @@ import (
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/convert"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/api/v1/utils"
 	repo_service "code.gitea.io/gitea/services/repository"
 )
@ -65,7 +66,7 @@ func ListForks(ctx *context.APIContext) {
 }

 // CreateFork create a fork of a repo
-func CreateFork(ctx *context.APIContext, form api.CreateForkOption) {
+func CreateFork(ctx *context.APIContext) {
 	// swagger:operation POST /repos/{owner}/{repo}/forks repository createFork
 	// ---
 	// summary: Fork a repository
@ -94,6 +95,7 @@ func CreateFork(ctx *context.APIContext, form api.CreateForkOption) {
 	//   "422":
 	//     "$ref": "#/responses/validationError"

+	form := web.GetForm(ctx).(*api.CreateForkOption)
 	repo := ctx.Repo.Repository
 	var forker *models.User // user/org that will own the fork
 	if form.Organization == nil {
--- a/routers/api/v1/repo/git_hook.go
+++ b/routers/api/v1/repo/git_hook.go
@ -11,6 +11,7 @@ import (
 	"code.gitea.io/gitea/modules/convert"
 	"code.gitea.io/gitea/modules/git"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/web"
 )

 // ListGitHooks list all Git hooks of a repository
@ -91,7 +92,7 @@ func GetGitHook(ctx *context.APIContext) {
 }

 // EditGitHook modify a Git hook of a repository
-func EditGitHook(ctx *context.APIContext, form api.EditGitHookOption) {
+func EditGitHook(ctx *context.APIContext) {
 	// swagger:operation PATCH /repos/{owner}/{repo}/hooks/git/{id} repository repoEditGitHook
 	// ---
 	// summary: Edit a Git hook in a repository
@ -123,6 +124,7 @@ func EditGitHook(ctx *context.APIContext, form api.EditGitHookOption) {
 	//   "404":
 	//     "$ref": "#/responses/notFound"

+	form := web.GetForm(ctx).(*api.EditGitHookOption)
 	hookID := ctx.Params(":id")
 	hook, err := ctx.Repo.GitRepo.GetHook(hookID)
 	if err != nil {
--- a/routers/api/v1/repo/hook.go
+++ b/routers/api/v1/repo/hook.go
@ -13,6 +13,7 @@ import (
 	"code.gitea.io/gitea/modules/convert"
 	"code.gitea.io/gitea/modules/git"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/api/v1/utils"
 	"code.gitea.io/gitea/services/webhook"
 )
@ -158,7 +159,7 @@ func TestHook(ctx *context.APIContext) {
 }

 // CreateHook create a hook for a repository
-func CreateHook(ctx *context.APIContext, form api.CreateHookOption) {
+func CreateHook(ctx *context.APIContext) {
 	// swagger:operation POST /repos/{owner}/{repo}/hooks repository repoCreateHook
 	// ---
 	// summary: Create a hook
@ -184,14 +185,16 @@ func CreateHook(ctx *context.APIContext, form api.CreateHookOption) {
 	// responses:
 	//   "201":
 	//     "$ref": "#/responses/Hook"
-	if !utils.CheckCreateHookOption(ctx, &form) {
+	form := web.GetForm(ctx).(*api.CreateHookOption)
+
+	if !utils.CheckCreateHookOption(ctx, form) {
 		return
 	}
-	utils.AddRepoHook(ctx, &form)
+	utils.AddRepoHook(ctx, form)
 }

 // EditHook modify a hook of a repository
-func EditHook(ctx *context.APIContext, form api.EditHookOption) {
+func EditHook(ctx *context.APIContext) {
 	// swagger:operation PATCH /repos/{owner}/{repo}/hooks/{id} repository repoEditHook
 	// ---
 	// summary: Edit a hook in a repository
@ -221,8 +224,9 @@ func EditHook(ctx *context.APIContext, form api.EditHookOption) {
 	// responses:
 	//   "200":
 	//     "$ref": "#/responses/Hook"
+	form := web.GetForm(ctx).(*api.EditHookOption)
 	hookID := ctx.ParamsInt64(":id")
-	utils.EditRepoHook(ctx, &form, hookID)
+	utils.EditRepoHook(ctx, form, hookID)
 }

 // DeleteHook delete a hook of a repository
--- a/routers/api/v1/repo/issue.go
+++ b/routers/api/v1/repo/issue.go
@ -22,6 +22,7 @@ import (
 	api "code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/modules/timeutil"
 	"code.gitea.io/gitea/modules/util"
+	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/api/v1/utils"
 	issue_service "code.gitea.io/gitea/services/issue"
 )
@ -448,7 +449,7 @@ func GetIssue(ctx *context.APIContext) {
 }

 // CreateIssue create an issue of a repository
-func CreateIssue(ctx *context.APIContext, form api.CreateIssueOption) {
+func CreateIssue(ctx *context.APIContext) {
 	// swagger:operation POST /repos/{owner}/{repo}/issues issue issueCreateIssue
 	// ---
 	// summary: Create an issue. If using deadline only the date will be taken into account, and time of day ignored.
@ -480,7 +481,7 @@ func CreateIssue(ctx *context.APIContext, form api.CreateIssueOption) {
 	//     "$ref": "#/responses/error"
 	//   "422":
 	//     "$ref": "#/responses/validationError"
-
+	form := web.GetForm(ctx).(*api.CreateIssueOption)
 	var deadlineUnix timeutil.TimeStamp
 	if form.Deadline != nil && ctx.Repo.CanWrite(models.UnitTypeIssues) {
 		deadlineUnix = timeutil.TimeStamp(form.Deadline.Unix())
@ -564,7 +565,7 @@ func CreateIssue(ctx *context.APIContext, form api.CreateIssueOption) {
 }

 // EditIssue modify an issue of a repository
-func EditIssue(ctx *context.APIContext, form api.EditIssueOption) {
+func EditIssue(ctx *context.APIContext) {
 	// swagger:operation PATCH /repos/{owner}/{repo}/issues/{index} issue issueEditIssue
 	// ---
 	// summary: Edit an issue. If using deadline only the date will be taken into account, and time of day ignored.
@ -603,6 +604,7 @@ func EditIssue(ctx *context.APIContext, form api.EditIssueOption) {
 	//   "412":
 	//     "$ref": "#/responses/error"

+	form := web.GetForm(ctx).(*api.EditIssueOption)
 	issue, err := models.GetIssueByIndex(ctx.Repo.Repository.ID, ctx.ParamsInt64(":index"))
 	if err != nil {
 		if models.IsErrIssueNotExist(err) {
@ -723,7 +725,7 @@ func EditIssue(ctx *context.APIContext, form api.EditIssueOption) {
 }

 // UpdateIssueDeadline updates an issue deadline
-func UpdateIssueDeadline(ctx *context.APIContext, form api.EditDeadlineOption) {
+func UpdateIssueDeadline(ctx *context.APIContext) {
 	// swagger:operation POST /repos/{owner}/{repo}/issues/{index}/deadline issue issueEditIssueDeadline
 	// ---
 	// summary: Set an issue deadline. If set to null, the deadline is deleted. If using deadline only the date will be taken into account, and time of day ignored.
@ -759,7 +761,7 @@ func UpdateIssueDeadline(ctx *context.APIContext, form api.EditDeadlineOption) {
 	//     "$ref": "#/responses/forbidden"
 	//   "404":
 	//     "$ref": "#/responses/notFound"
-
+	form := web.GetForm(ctx).(*api.EditDeadlineOption)
 	issue, err := models.GetIssueByIndex(ctx.Repo.Repository.ID, ctx.ParamsInt64(":index"))
 	if err != nil {
 		if models.IsErrIssueNotExist(err) {
--- a/routers/api/v1/repo/issue_comment.go
+++ b/routers/api/v1/repo/issue_comment.go
@ -13,6 +13,7 @@ import (
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/convert"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/api/v1/utils"
 	comment_service "code.gitea.io/gitea/services/comments"
 )
@ -174,7 +175,7 @@ func ListRepoIssueComments(ctx *context.APIContext) {
 }

 // CreateIssueComment create a comment for an issue
-func CreateIssueComment(ctx *context.APIContext, form api.CreateIssueCommentOption) {
+func CreateIssueComment(ctx *context.APIContext) {
 	// swagger:operation POST /repos/{owner}/{repo}/issues/{index}/comments issue issueCreateComment
 	// ---
 	// summary: Add a comment to an issue
@ -208,7 +209,7 @@ func CreateIssueComment(ctx *context.APIContext, form api.CreateIssueCommentOpti
 	//     "$ref": "#/responses/Comment"
 	//   "403":
 	//     "$ref": "#/responses/forbidden"
-
+	form := web.GetForm(ctx).(*api.CreateIssueCommentOption)
 	issue, err := models.GetIssueByIndex(ctx.Repo.Repository.ID, ctx.ParamsInt64(":index"))
 	if err != nil {
 		ctx.Error(http.StatusInternalServerError, "GetIssueByIndex", err)
@ -298,7 +299,7 @@ func GetIssueComment(ctx *context.APIContext) {
 }

 // EditIssueComment modify a comment of an issue
-func EditIssueComment(ctx *context.APIContext, form api.EditIssueCommentOption) {
+func EditIssueComment(ctx *context.APIContext) {
 	// swagger:operation PATCH /repos/{owner}/{repo}/issues/comments/{id} issue issueEditComment
 	// ---
 	// summary: Edit a comment
@ -337,11 +338,12 @@ func EditIssueComment(ctx *context.APIContext, form api.EditIssueCommentOption)
 	//   "404":
 	//     "$ref": "#/responses/notFound"

-	editIssueComment(ctx, form)
+	form := web.GetForm(ctx).(*api.EditIssueCommentOption)
+	editIssueComment(ctx, *form)
 }

 // EditIssueCommentDeprecated modify a comment of an issue
-func EditIssueCommentDeprecated(ctx *context.APIContext, form api.EditIssueCommentOption) {
+func EditIssueCommentDeprecated(ctx *context.APIContext) {
 	// swagger:operation PATCH /repos/{owner}/{repo}/issues/{index}/comments/{id} issue issueEditCommentDeprecated
 	// ---
 	// summary: Edit a comment
@ -386,7 +388,8 @@ func EditIssueCommentDeprecated(ctx *context.APIContext, form api.EditIssueComme
 	//   "404":
 	//     "$ref": "#/responses/notFound"

-	editIssueComment(ctx, form)
+	form := web.GetForm(ctx).(*api.EditIssueCommentOption)
+	editIssueComment(ctx, *form)
 }

 func editIssueComment(ctx *context.APIContext, form api.EditIssueCommentOption) {
--- a/routers/api/v1/repo/issue_label.go
+++ b/routers/api/v1/repo/issue_label.go
@ -12,6 +12,7 @@ import (
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/convert"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/web"
 	issue_service "code.gitea.io/gitea/services/issue"
 )

@ -64,7 +65,7 @@ func ListIssueLabels(ctx *context.APIContext) {
 }

 // AddIssueLabels add labels for an issue
-func AddIssueLabels(ctx *context.APIContext, form api.IssueLabelsOption) {
+func AddIssueLabels(ctx *context.APIContext) {
 	// swagger:operation POST /repos/{owner}/{repo}/issues/{index}/labels issue issueAddLabel
 	// ---
 	// summary: Add a label to an issue
@ -99,7 +100,8 @@ func AddIssueLabels(ctx *context.APIContext, form api.IssueLabelsOption) {
 	//   "403":
 	//     "$ref": "#/responses/forbidden"

-	issue, labels, err := prepareForReplaceOrAdd(ctx, form)
+	form := web.GetForm(ctx).(*api.IssueLabelsOption)
+	issue, labels, err := prepareForReplaceOrAdd(ctx, *form)
 	if err != nil {
 		return
 	}
@ -190,7 +192,7 @@ func DeleteIssueLabel(ctx *context.APIContext) {
 }

 // ReplaceIssueLabels replace labels for an issue
-func ReplaceIssueLabels(ctx *context.APIContext, form api.IssueLabelsOption) {
+func ReplaceIssueLabels(ctx *context.APIContext) {
 	// swagger:operation PUT /repos/{owner}/{repo}/issues/{index}/labels issue issueReplaceLabels
 	// ---
 	// summary: Replace an issue's labels
@ -224,8 +226,8 @@ func ReplaceIssueLabels(ctx *context.APIContext, form api.IssueLabelsOption) {
 	//     "$ref": "#/responses/LabelList"
 	//   "403":
 	//     "$ref": "#/responses/forbidden"
-
-	issue, labels, err := prepareForReplaceOrAdd(ctx, form)
+	form := web.GetForm(ctx).(*api.IssueLabelsOption)
+	issue, labels, err := prepareForReplaceOrAdd(ctx, *form)
 	if err != nil {
 		return
 	}
--- a/routers/api/v1/repo/issue_reaction.go
+++ b/routers/api/v1/repo/issue_reaction.go
@ -12,6 +12,7 @@ import (
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/convert"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/api/v1/utils"
 )

@ -90,7 +91,7 @@ func GetIssueCommentReactions(ctx *context.APIContext) {
 }

 // PostIssueCommentReaction add a reaction to a comment of an issue
-func PostIssueCommentReaction(ctx *context.APIContext, form api.EditReactionOption) {
+func PostIssueCommentReaction(ctx *context.APIContext) {
 	// swagger:operation POST /repos/{owner}/{repo}/issues/comments/{id}/reactions issue issuePostCommentReaction
 	// ---
 	// summary: Add a reaction to a comment of an issue
@ -127,11 +128,13 @@ func PostIssueCommentReaction(ctx *context.APIContext, form api.EditReactionOpti
 	//   "403":
 	//     "$ref": "#/responses/forbidden"

-	changeIssueCommentReaction(ctx, form, true)
+	form := web.GetForm(ctx).(*api.EditReactionOption)
+
+	changeIssueCommentReaction(ctx, *form, true)
 }

 // DeleteIssueCommentReaction remove a reaction from a comment of an issue
-func DeleteIssueCommentReaction(ctx *context.APIContext, form api.EditReactionOption) {
+func DeleteIssueCommentReaction(ctx *context.APIContext) {
 	// swagger:operation DELETE /repos/{owner}/{repo}/issues/comments/{id}/reactions issue issueDeleteCommentReaction
 	// ---
 	// summary: Remove a reaction from a comment of an issue
@ -166,7 +169,9 @@ func DeleteIssueCommentReaction(ctx *context.APIContext, form api.EditReactionOp
 	//   "403":
 	//     "$ref": "#/responses/forbidden"

-	changeIssueCommentReaction(ctx, form, false)
+	form := web.GetForm(ctx).(*api.EditReactionOption)
+
+	changeIssueCommentReaction(ctx, *form, false)
 }

 func changeIssueCommentReaction(ctx *context.APIContext, form api.EditReactionOption, isCreateType bool) {
@ -304,7 +309,7 @@ func GetIssueReactions(ctx *context.APIContext) {
 }

 // PostIssueReaction add a reaction to an issue
-func PostIssueReaction(ctx *context.APIContext, form api.EditReactionOption) {
+func PostIssueReaction(ctx *context.APIContext) {
 	// swagger:operation POST /repos/{owner}/{repo}/issues/{index}/reactions issue issuePostIssueReaction
 	// ---
 	// summary: Add a reaction to an issue
@ -340,12 +345,12 @@ func PostIssueReaction(ctx *context.APIContext, form api.EditReactionOption) {
 	//     "$ref": "#/responses/Reaction"
 	//   "403":
 	//     "$ref": "#/responses/forbidden"
-
-	changeIssueReaction(ctx, form, true)
+	form := web.GetForm(ctx).(*api.EditReactionOption)
+	changeIssueReaction(ctx, *form, true)
 }

 // DeleteIssueReaction remove a reaction from an issue
-func DeleteIssueReaction(ctx *context.APIContext, form api.EditReactionOption) {
+func DeleteIssueReaction(ctx *context.APIContext) {
 	// swagger:operation DELETE /repos/{owner}/{repo}/issues/{index}/reactions issue issueDeleteIssueReaction
 	// ---
 	// summary: Remove a reaction from an issue
@ -379,8 +384,8 @@ func DeleteIssueReaction(ctx *context.APIContext, form api.EditReactionOption) {
 	//     "$ref": "#/responses/empty"
 	//   "403":
 	//     "$ref": "#/responses/forbidden"
-
-	changeIssueReaction(ctx, form, false)
+	form := web.GetForm(ctx).(*api.EditReactionOption)
+	changeIssueReaction(ctx, *form, false)
 }

 func changeIssueReaction(ctx *context.APIContext, form api.EditReactionOption, isCreateType bool) {
--- a/routers/api/v1/repo/issue_tracked_time.go
+++ b/routers/api/v1/repo/issue_tracked_time.go
@ -14,6 +14,7 @@ import (
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/convert"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/api/v1/utils"
 )

@ -132,7 +133,7 @@ func ListTrackedTimes(ctx *context.APIContext) {
 }

 // AddTime add time manual to the given issue
-func AddTime(ctx *context.APIContext, form api.AddTimeOption) {
+func AddTime(ctx *context.APIContext) {
 	// swagger:operation Post /repos/{owner}/{repo}/issues/{index}/times issue issueAddTime
 	// ---
 	// summary: Add tracked time to a issue
@ -168,7 +169,7 @@ func AddTime(ctx *context.APIContext, form api.AddTimeOption) {
 	//     "$ref": "#/responses/error"
 	//   "403":
 	//     "$ref": "#/responses/forbidden"
-
+	form := web.GetForm(ctx).(*api.AddTimeOption)
 	issue, err := models.GetIssueByIndex(ctx.Repo.Repository.ID, ctx.ParamsInt64(":index"))
 	if err != nil {
 		if models.IsErrIssueNotExist(err) {
--- a/routers/api/v1/repo/key.go
+++ b/routers/api/v1/repo/key.go
@ -14,6 +14,7 @@ import (
 	"code.gitea.io/gitea/modules/convert"
 	"code.gitea.io/gitea/modules/setting"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/api/v1/utils"
 )

@ -185,7 +186,7 @@ func HandleAddKeyError(ctx *context.APIContext, err error) {
 }

 // CreateDeployKey create deploy key for a repository
-func CreateDeployKey(ctx *context.APIContext, form api.CreateKeyOption) {
+func CreateDeployKey(ctx *context.APIContext) {
 	// swagger:operation POST /repos/{owner}/{repo}/keys repository repoCreateKey
 	// ---
 	// summary: Add a key to a repository
@ -214,6 +215,7 @@ func CreateDeployKey(ctx *context.APIContext, form api.CreateKeyOption) {
 	//   "422":
 	//     "$ref": "#/responses/validationError"

+	form := web.GetForm(ctx).(*api.CreateKeyOption)
 	content, err := models.CheckPublicKeyString(form.Key)
 	if err != nil {
 		HandleCheckKeyStringError(ctx, err)
--- a/routers/api/v1/repo/label.go
+++ b/routers/api/v1/repo/label.go
@ -15,6 +15,7 @@ import (
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/convert"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/api/v1/utils"
 )

@ -108,7 +109,7 @@ func GetLabel(ctx *context.APIContext) {
 }

 // CreateLabel create a label for a repository
-func CreateLabel(ctx *context.APIContext, form api.CreateLabelOption) {
+func CreateLabel(ctx *context.APIContext) {
 	// swagger:operation POST /repos/{owner}/{repo}/labels issue issueCreateLabel
 	// ---
 	// summary: Create a label
@ -137,6 +138,7 @@ func CreateLabel(ctx *context.APIContext, form api.CreateLabelOption) {
 	//   "422":
 	//     "$ref": "#/responses/validationError"

+	form := web.GetForm(ctx).(*api.CreateLabelOption)
 	form.Color = strings.Trim(form.Color, " ")
 	if len(form.Color) == 6 {
 		form.Color = "#" + form.Color
@ -160,7 +162,7 @@ func CreateLabel(ctx *context.APIContext, form api.CreateLabelOption) {
 }

 // EditLabel modify a label for a repository
-func EditLabel(ctx *context.APIContext, form api.EditLabelOption) {
+func EditLabel(ctx *context.APIContext) {
 	// swagger:operation PATCH /repos/{owner}/{repo}/labels/{id} issue issueEditLabel
 	// ---
 	// summary: Update a label
@ -195,6 +197,7 @@ func EditLabel(ctx *context.APIContext, form api.EditLabelOption) {
 	//   "422":
 	//     "$ref": "#/responses/validationError"

+	form := web.GetForm(ctx).(*api.EditLabelOption)
 	label, err := models.GetLabelInRepoByID(ctx.Repo.Repository.ID, ctx.ParamsInt64(":id"))
 	if err != nil {
 		if models.IsErrRepoLabelNotExist(err) {
--- a/routers/api/v1/repo/migrate.go
+++ b/routers/api/v1/repo/migrate.go
@ -12,9 +12,9 @@ import (
 	"strings"

 	"code.gitea.io/gitea/models"
-	"code.gitea.io/gitea/modules/auth"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/convert"
+	auth "code.gitea.io/gitea/modules/forms"
 	"code.gitea.io/gitea/modules/graceful"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/migrations"
@ -24,10 +24,11 @@ import (
 	"code.gitea.io/gitea/modules/setting"
 	api "code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/modules/util"
+	"code.gitea.io/gitea/modules/web"
 )

 // Migrate migrate remote git repository to gitea
-func Migrate(ctx *context.APIContext, form api.MigrateRepoOptions) {
+func Migrate(ctx *context.APIContext) {
 	// swagger:operation POST /repos/migrate repository repoMigrate
 	// ---
 	// summary: Migrate a remote git repository
@ -48,6 +49,8 @@ func Migrate(ctx *context.APIContext, form api.MigrateRepoOptions) {
 	//   "422":
 	//     "$ref": "#/responses/validationError"

+	form := web.GetForm(ctx).(*api.MigrateRepoOptions)
+
 	//get repoOwner
 	var (
 		repoOwner *models.User
--- a/routers/api/v1/repo/milestone.go
+++ b/routers/api/v1/repo/milestone.go
@ -15,6 +15,7 @@ import (
 	"code.gitea.io/gitea/modules/convert"
 	api "code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/modules/timeutil"
+	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/api/v1/utils"
 )

@ -110,7 +111,7 @@ func GetMilestone(ctx *context.APIContext) {
 }

 // CreateMilestone create a milestone for a repository
-func CreateMilestone(ctx *context.APIContext, form api.CreateMilestoneOption) {
+func CreateMilestone(ctx *context.APIContext) {
 	// swagger:operation POST /repos/{owner}/{repo}/milestones issue issueCreateMilestone
 	// ---
 	// summary: Create a milestone
@ -136,6 +137,7 @@ func CreateMilestone(ctx *context.APIContext, form api.CreateMilestoneOption) {
 	// responses:
 	//   "201":
 	//     "$ref": "#/responses/Milestone"
+	form := web.GetForm(ctx).(*api.CreateMilestoneOption)

 	if form.Deadline == nil {
 		defaultDeadline, _ := time.ParseInLocation("2006-01-02", "9999-12-31", time.Local)
@ -162,7 +164,7 @@ func CreateMilestone(ctx *context.APIContext, form api.CreateMilestoneOption) {
 }

 // EditMilestone modify a milestone for a repository by ID and if not available by name
-func EditMilestone(ctx *context.APIContext, form api.EditMilestoneOption) {
+func EditMilestone(ctx *context.APIContext) {
 	// swagger:operation PATCH /repos/{owner}/{repo}/milestones/{id} issue issueEditMilestone
 	// ---
 	// summary: Update a milestone
@ -193,7 +195,7 @@ func EditMilestone(ctx *context.APIContext, form api.EditMilestoneOption) {
 	// responses:
 	//   "200":
 	//     "$ref": "#/responses/Milestone"
-
+	form := web.GetForm(ctx).(*api.EditMilestoneOption)
 	milestone := getMilestoneByIDOrName(ctx)
 	if ctx.Written() {
 		return
--- a/routers/api/v1/repo/pull.go
+++ b/routers/api/v1/repo/pull.go
@ -11,21 +11,22 @@ import (
 	"time"

 	"code.gitea.io/gitea/models"
-	"code.gitea.io/gitea/modules/auth"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/convert"
+	auth "code.gitea.io/gitea/modules/forms"
 	"code.gitea.io/gitea/modules/git"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/notification"
 	api "code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/modules/timeutil"
+	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/api/v1/utils"
 	issue_service "code.gitea.io/gitea/services/issue"
 	pull_service "code.gitea.io/gitea/services/pull"
 )

 // ListPullRequests returns a list of all PRs
-func ListPullRequests(ctx *context.APIContext, form api.ListPullRequestsOptions) {
+func ListPullRequests(ctx *context.APIContext) {
 	// swagger:operation GET /repos/{owner}/{repo}/pulls repository repoListPullRequests
 	// ---
 	// summary: List a repo's pull requests
@ -253,7 +254,7 @@ func DownloadPullDiffOrPatch(ctx *context.APIContext, patch bool) {
 }

 // CreatePullRequest does what it says
-func CreatePullRequest(ctx *context.APIContext, form api.CreatePullRequestOption) {
+func CreatePullRequest(ctx *context.APIContext) {
 	// swagger:operation POST /repos/{owner}/{repo}/pulls repository repoCreatePullRequest
 	// ---
 	// summary: Create a pull request
@ -284,6 +285,7 @@ func CreatePullRequest(ctx *context.APIContext, form api.CreatePullRequestOption
 	//   "422":
 	//     "$ref": "#/responses/validationError"

+	form := *web.GetForm(ctx).(*api.CreatePullRequestOption)
 	if form.Head == form.Base {
 		ctx.Error(http.StatusUnprocessableEntity, "BaseHeadSame",
 			"Invalid PullRequest: There are no changes between the head and the base")
@ -437,7 +439,7 @@ func CreatePullRequest(ctx *context.APIContext, form api.CreatePullRequestOption
 }

 // EditPullRequest does what it says
-func EditPullRequest(ctx *context.APIContext, form api.EditPullRequestOption) {
+func EditPullRequest(ctx *context.APIContext) {
 	// swagger:operation PATCH /repos/{owner}/{repo}/pulls/{index} repository repoEditPullRequest
 	// ---
 	// summary: Update a pull request. If using deadline only the date will be taken into account, and time of day ignored.
@ -478,6 +480,7 @@ func EditPullRequest(ctx *context.APIContext, form api.EditPullRequestOption) {
 	//   "422":
 	//     "$ref": "#/responses/validationError"

+	form := web.GetForm(ctx).(*api.EditPullRequestOption)
 	pr, err := models.GetPullRequestByIndex(ctx.Repo.Repository.ID, ctx.ParamsInt64(":index"))
 	if err != nil {
 		if models.IsErrPullRequestNotExist(err) {
@ -685,7 +688,7 @@ func IsPullRequestMerged(ctx *context.APIContext) {
 }

 // MergePullRequest merges a PR given an index
-func MergePullRequest(ctx *context.APIContext, form auth.MergePullRequestForm) {
+func MergePullRequest(ctx *context.APIContext) {
 	// swagger:operation POST /repos/{owner}/{repo}/pulls/{index}/merge repository repoMergePullRequest
 	// ---
 	// summary: Merge a pull request
@ -720,6 +723,7 @@ func MergePullRequest(ctx *context.APIContext, form auth.MergePullRequestForm) {
 	//   "409":
 	//     "$ref": "#/responses/error"

+	form := web.GetForm(ctx).(*auth.MergePullRequestForm)
 	pr, err := models.GetPullRequestByIndex(ctx.Repo.Repository.ID, ctx.ParamsInt64(":index"))
 	if err != nil {
 		if models.IsErrPullRequestNotExist(err) {
--- a/routers/api/v1/repo/pull_review.go
+++ b/routers/api/v1/repo/pull_review.go
@ -14,6 +14,7 @@ import (
 	"code.gitea.io/gitea/modules/convert"
 	"code.gitea.io/gitea/modules/git"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/api/v1/utils"
 	issue_service "code.gitea.io/gitea/services/issue"
 	pull_service "code.gitea.io/gitea/services/pull"
@ -258,7 +259,7 @@ func DeletePullReview(ctx *context.APIContext) {
 }

 // CreatePullReview create a review to an pull request
-func CreatePullReview(ctx *context.APIContext, opts api.CreatePullReviewOptions) {
+func CreatePullReview(ctx *context.APIContext) {
 	// swagger:operation POST /repos/{owner}/{repo}/pulls/{index}/reviews repository repoCreatePullReview
 	// ---
 	// summary: Create a review to an pull request
@ -294,6 +295,7 @@ func CreatePullReview(ctx *context.APIContext, opts api.CreatePullReviewOptions)
 	//   "422":
 	//     "$ref": "#/responses/validationError"

+	opts := web.GetForm(ctx).(*api.CreatePullReviewOptions)
 	pr, err := models.GetPullRequestByIndex(ctx.Repo.Repository.ID, ctx.ParamsInt64(":index"))
 	if err != nil {
 		if models.IsErrPullRequestNotExist(err) {
@ -373,7 +375,7 @@ func CreatePullReview(ctx *context.APIContext, opts api.CreatePullReviewOptions)
 }

 // SubmitPullReview submit a pending review to an pull request
-func SubmitPullReview(ctx *context.APIContext, opts api.SubmitPullReviewOptions) {
+func SubmitPullReview(ctx *context.APIContext) {
 	// swagger:operation POST /repos/{owner}/{repo}/pulls/{index}/reviews/{id} repository repoSubmitPullReview
 	// ---
 	// summary: Submit a pending review to an pull request
@ -415,6 +417,7 @@ func SubmitPullReview(ctx *context.APIContext, opts api.SubmitPullReviewOptions)
 	//   "422":
 	//     "$ref": "#/responses/validationError"

+	opts := web.GetForm(ctx).(*api.SubmitPullReviewOptions)
 	review, pr, isWrong := prepareSingleReview(ctx)
 	if isWrong {
 		return
@ -542,7 +545,7 @@ func prepareSingleReview(ctx *context.APIContext) (*models.Review, *models.PullR
 }

 // CreateReviewRequests create review requests to an pull request
-func CreateReviewRequests(ctx *context.APIContext, opts api.PullReviewRequestOptions) {
+func CreateReviewRequests(ctx *context.APIContext) {
 	// swagger:operation POST /repos/{owner}/{repo}/pulls/{index}/requested_reviewers repository repoCreatePullReviewRequests
 	// ---
 	// summary: create review requests for a pull request
@ -577,11 +580,13 @@ func CreateReviewRequests(ctx *context.APIContext, opts api.PullReviewRequestOpt
 	//     "$ref": "#/responses/validationError"
 	//   "404":
 	//     "$ref": "#/responses/notFound"
-	apiReviewRequest(ctx, opts, true)
+
+	opts := web.GetForm(ctx).(*api.PullReviewRequestOptions)
+	apiReviewRequest(ctx, *opts, true)
 }

 // DeleteReviewRequests delete review requests to an pull request
-func DeleteReviewRequests(ctx *context.APIContext, opts api.PullReviewRequestOptions) {
+func DeleteReviewRequests(ctx *context.APIContext) {
 	// swagger:operation DELETE /repos/{owner}/{repo}/pulls/{index}/requested_reviewers repository repoDeletePullReviewRequests
 	// ---
 	// summary: cancel review requests for a pull request
@ -616,7 +621,8 @@ func DeleteReviewRequests(ctx *context.APIContext, opts api.PullReviewRequestOpt
 	//     "$ref": "#/responses/validationError"
 	//   "404":
 	//     "$ref": "#/responses/notFound"
-	apiReviewRequest(ctx, opts, false)
+	opts := web.GetForm(ctx).(*api.PullReviewRequestOptions)
+	apiReviewRequest(ctx, *opts, false)
 }

 func apiReviewRequest(ctx *context.APIContext, opts api.PullReviewRequestOptions, isAdd bool) {
--- a/routers/api/v1/repo/release.go
+++ b/routers/api/v1/repo/release.go
@ -11,6 +11,7 @@ import (
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/convert"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/api/v1/utils"
 	releaseservice "code.gitea.io/gitea/services/release"
 )
@ -124,7 +125,7 @@ func ListReleases(ctx *context.APIContext) {
 }

 // CreateRelease create a release
-func CreateRelease(ctx *context.APIContext, form api.CreateReleaseOption) {
+func CreateRelease(ctx *context.APIContext) {
 	// swagger:operation POST /repos/{owner}/{repo}/releases repository repoCreateRelease
 	// ---
 	// summary: Create a release
@ -154,7 +155,7 @@ func CreateRelease(ctx *context.APIContext, form api.CreateReleaseOption) {
 	//     "$ref": "#/responses/notFound"
 	//   "409":
 	//     "$ref": "#/responses/error"
-
+	form := web.GetForm(ctx).(*api.CreateReleaseOption)
 	rel, err := models.GetRelease(ctx.Repo.Repository.ID, form.TagName)
 	if err != nil {
 		if !models.IsErrReleaseNotExist(err) {
@ -210,7 +211,7 @@ func CreateRelease(ctx *context.APIContext, form api.CreateReleaseOption) {
 }

 // EditRelease edit a release
-func EditRelease(ctx *context.APIContext, form api.EditReleaseOption) {
+func EditRelease(ctx *context.APIContext) {
 	// swagger:operation PATCH /repos/{owner}/{repo}/releases/{id} repository repoEditRelease
 	// ---
 	// summary: Update a release
@ -245,6 +246,7 @@ func EditRelease(ctx *context.APIContext, form api.EditReleaseOption) {
 	//   "404":
 	//     "$ref": "#/responses/notFound"

+	form := web.GetForm(ctx).(*api.EditReleaseOption)
 	id := ctx.ParamsInt64(":id")
 	rel, err := models.GetReleaseByID(id)
 	if err != nil && !models.IsErrReleaseNotExist(err) {
--- a/routers/api/v1/repo/release_attachment.go
+++ b/routers/api/v1/repo/release_attachment.go
@ -14,6 +14,7 @@ import (
 	"code.gitea.io/gitea/modules/setting"
 	api "code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/modules/upload"
+	"code.gitea.io/gitea/modules/web"
 )

 // GetReleaseAttachment gets a single attachment of the release
@ -168,7 +169,7 @@ func CreateReleaseAttachment(ctx *context.APIContext) {
 	}

 	// Get uploaded file from request
-	file, header, err := ctx.GetFile("attachment")
+	file, header, err := ctx.Req.FormFile("attachment")
 	if err != nil {
 		ctx.Error(http.StatusInternalServerError, "GetFile", err)
 		return
@ -208,7 +209,7 @@ func CreateReleaseAttachment(ctx *context.APIContext) {
 }

 // EditReleaseAttachment updates the given attachment
-func EditReleaseAttachment(ctx *context.APIContext, form api.EditAttachmentOptions) {
+func EditReleaseAttachment(ctx *context.APIContext) {
 	// swagger:operation PATCH /repos/{owner}/{repo}/releases/{id}/assets/{attachment_id} repository repoEditReleaseAttachment
 	// ---
 	// summary: Edit a release attachment
@ -247,6 +248,8 @@ func EditReleaseAttachment(ctx *context.APIContext, form api.EditAttachmentOptio
 	//   "201":
 	//     "$ref": "#/responses/Attachment"

+	form := web.GetForm(ctx).(*api.EditAttachmentOptions)
+
 	// Check if release exists an load release
 	releaseID := ctx.ParamsInt64(":id")
 	attachID := ctx.ParamsInt64(":asset")
--- a/routers/api/v1/repo/repo.go
+++ b/routers/api/v1/repo/repo.go
@ -20,6 +20,7 @@ import (
 	api "code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/modules/validation"
+	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/api/v1/utils"
 	repo_service "code.gitea.io/gitea/services/repository"
 )
@ -277,7 +278,7 @@ func CreateUserRepo(ctx *context.APIContext, owner *models.User, opt api.CreateR
 }

 // Create one repository of mine
-func Create(ctx *context.APIContext, opt api.CreateRepoOption) {
+func Create(ctx *context.APIContext) {
 	// swagger:operation POST /user/repos repository user createCurrentUserRepo
 	// ---
 	// summary: Create a repository
@ -297,17 +298,17 @@ func Create(ctx *context.APIContext, opt api.CreateRepoOption) {
 	//     description: The repository with the same name already exists.
 	//   "422":
 	//     "$ref": "#/responses/validationError"
-
+	opt := web.GetForm(ctx).(*api.CreateRepoOption)
 	if ctx.User.IsOrganization() {
 		// Shouldn't reach this condition, but just in case.
 		ctx.Error(http.StatusUnprocessableEntity, "", "not allowed creating repository for organization")
 		return
 	}
-	CreateUserRepo(ctx, ctx.User, opt)
+	CreateUserRepo(ctx, ctx.User, *opt)
 }

 // CreateOrgRepoDeprecated create one repository of the organization
-func CreateOrgRepoDeprecated(ctx *context.APIContext, opt api.CreateRepoOption) {
+func CreateOrgRepoDeprecated(ctx *context.APIContext) {
 	// swagger:operation POST /org/{org}/repos organization createOrgRepoDeprecated
 	// ---
 	// summary: Create a repository in an organization
@ -334,11 +335,11 @@ func CreateOrgRepoDeprecated(ctx *context.APIContext, opt api.CreateRepoOption)
 	//   "403":
 	//     "$ref": "#/responses/forbidden"

-	CreateOrgRepo(ctx, opt)
+	CreateOrgRepo(ctx)
 }

 // CreateOrgRepo create one repository of the organization
-func CreateOrgRepo(ctx *context.APIContext, opt api.CreateRepoOption) {
+func CreateOrgRepo(ctx *context.APIContext) {
 	// swagger:operation POST /orgs/{org}/repos organization createOrgRepo
 	// ---
 	// summary: Create a repository in an organization
@ -363,7 +364,7 @@ func CreateOrgRepo(ctx *context.APIContext, opt api.CreateRepoOption) {
 	//     "$ref": "#/responses/notFound"
 	//   "403":
 	//     "$ref": "#/responses/forbidden"
-
+	opt := web.GetForm(ctx).(*api.CreateRepoOption)
 	org, err := models.GetOrgByName(ctx.Params(":org"))
 	if err != nil {
 		if models.IsErrOrgNotExist(err) {
@ -389,7 +390,7 @@ func CreateOrgRepo(ctx *context.APIContext, opt api.CreateRepoOption) {
 			return
 		}
 	}
-	CreateUserRepo(ctx, org, opt)
+	CreateUserRepo(ctx, org, *opt)
 }

 // Get one repository
@ -457,7 +458,7 @@ func GetByID(ctx *context.APIContext) {
 }

 // Edit edit repository properties
-func Edit(ctx *context.APIContext, opts api.EditRepoOption) {
+func Edit(ctx *context.APIContext) {
 	// swagger:operation PATCH /repos/{owner}/{repo} repository repoEdit
 	// ---
 	// summary: Edit a repository's properties. Only fields that are set will be changed.
@ -488,6 +489,8 @@ func Edit(ctx *context.APIContext, opts api.EditRepoOption) {
 	//   "422":
 	//     "$ref": "#/responses/validationError"

+	opts := *web.GetForm(ctx).(*api.EditRepoOption)
+
 	if err := updateBasicProperties(ctx, opts); err != nil {
 		return
 	}
--- a/routers/api/v1/repo/repo_test.go
+++ b/routers/api/v1/repo/repo_test.go
@ -12,6 +12,7 @@ import (
 	"code.gitea.io/gitea/modules/context"
 	api "code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/modules/test"
+	"code.gitea.io/gitea/modules/web"

 	"github.com/stretchr/testify/assert"
 )
@ -53,7 +54,9 @@ func TestRepoEdit(t *testing.T) {
 		Archived:                  &archived,
 	}

-	Edit(&context.APIContext{Context: ctx, Org: nil}, opts)
+	var apiCtx = &context.APIContext{Context: ctx, Org: nil}
+	web.SetForm(apiCtx, &opts)
+	Edit(apiCtx)

 	assert.EqualValues(t, http.StatusOK, ctx.Resp.Status())
 	models.AssertExistsAndLoadBean(t, &models.Repository{
@ -73,7 +76,9 @@ func TestRepoEditNameChange(t *testing.T) {
 		Name: &name,
 	}

-	Edit(&context.APIContext{Context: ctx, Org: nil}, opts)
+	var apiCtx = &context.APIContext{Context: ctx, Org: nil}
+	web.SetForm(apiCtx, &opts)
+	Edit(apiCtx)
 	assert.EqualValues(t, http.StatusOK, ctx.Resp.Status())

 	models.AssertExistsAndLoadBean(t, &models.Repository{
--- a/routers/api/v1/repo/status.go
+++ b/routers/api/v1/repo/status.go
@ -13,11 +13,12 @@ import (
 	"code.gitea.io/gitea/modules/convert"
 	"code.gitea.io/gitea/modules/repofiles"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/api/v1/utils"
 )

 // NewCommitStatus creates a new CommitStatus
-func NewCommitStatus(ctx *context.APIContext, form api.CreateStatusOption) {
+func NewCommitStatus(ctx *context.APIContext) {
 	// swagger:operation POST /repos/{owner}/{repo}/statuses/{sha} repository repoCreateStatus
 	// ---
 	// summary: Create a commit status
@ -49,6 +50,7 @@ func NewCommitStatus(ctx *context.APIContext, form api.CreateStatusOption) {
 	//   "400":
 	//     "$ref": "#/responses/error"

+	form := web.GetForm(ctx).(*api.CreateStatusOption)
 	sha := ctx.Params("sha")
 	if len(sha) == 0 {
 		ctx.Error(http.StatusBadRequest, "sha not given", nil)
--- a/routers/api/v1/repo/topic.go
+++ b/routers/api/v1/repo/topic.go
@ -13,6 +13,7 @@ import (
 	"code.gitea.io/gitea/modules/convert"
 	"code.gitea.io/gitea/modules/log"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/api/v1/utils"
 )

@ -66,7 +67,7 @@ func ListTopics(ctx *context.APIContext) {
 }

 // UpdateTopics updates repo with a new set of topics
-func UpdateTopics(ctx *context.APIContext, form api.RepoTopicOptions) {
+func UpdateTopics(ctx *context.APIContext) {
 	// swagger:operation PUT /repos/{owner}/{repo}/topics repository repoUpdateTopics
 	// ---
 	// summary: Replace list of topics for a repository
@ -93,6 +94,7 @@ func UpdateTopics(ctx *context.APIContext, form api.RepoTopicOptions) {
 	//   "422":
 	//     "$ref": "#/responses/invalidTopicsError"

+	form := web.GetForm(ctx).(*api.RepoTopicOptions)
 	topicNames := form.Topics
 	validTopics, invalidTopics := models.SanitizeAndValidateTopics(topicNames)

--- a/routers/api/v1/repo/transfer.go
+++ b/routers/api/v1/repo/transfer.go
@ -14,11 +14,12 @@ import (
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/structs"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/web"
 	repo_service "code.gitea.io/gitea/services/repository"
 )

 // Transfer transfers the ownership of a repository
-func Transfer(ctx *context.APIContext, opts api.TransferRepoOption) {
+func Transfer(ctx *context.APIContext) {
 	// swagger:operation POST /repos/{owner}/{repo}/transfer repository repoTransfer
 	// ---
 	// summary: Transfer a repo ownership
@ -51,6 +52,8 @@ func Transfer(ctx *context.APIContext, opts api.TransferRepoOption) {
 	//   "422":
 	//     "$ref": "#/responses/validationError"

+	opts := web.GetForm(ctx).(*api.TransferRepoOption)
+
 	newOwner, err := models.GetUserByName(opts.NewOwner)
 	if err != nil {
 		if models.IsErrUserNotExist(err) {
--- a/routers/api/v1/swagger/options.go
+++ b/routers/api/v1/swagger/options.go
@ -5,7 +5,7 @@
 package swagger

 import (
-	"code.gitea.io/gitea/modules/auth"
+	auth "code.gitea.io/gitea/modules/forms"
 	api "code.gitea.io/gitea/modules/structs"
 )

--- a/routers/api/v1/user/app.go
+++ b/routers/api/v1/user/app.go
@ -15,6 +15,7 @@ import (
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/convert"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/api/v1/utils"
 )

@ -61,7 +62,7 @@ func ListAccessTokens(ctx *context.APIContext) {
 }

 // CreateAccessToken create access tokens
-func CreateAccessToken(ctx *context.APIContext, form api.CreateAccessTokenOption) {
+func CreateAccessToken(ctx *context.APIContext) {
 	// swagger:operation POST /users/{username}/tokens user userCreateToken
 	// ---
 	// summary: Create an access token
@ -88,6 +89,8 @@ func CreateAccessToken(ctx *context.APIContext, form api.CreateAccessTokenOption
 	//   "201":
 	//     "$ref": "#/responses/AccessToken"

+	form := web.GetForm(ctx).(*api.CreateAccessTokenOption)
+
 	t := &models.AccessToken{
 		UID:  ctx.User.ID,
 		Name: form.Name,
@ -181,7 +184,7 @@ func DeleteAccessToken(ctx *context.APIContext) {
 }

 // CreateOauth2Application is the handler to create a new OAuth2 Application for the authenticated user
-func CreateOauth2Application(ctx *context.APIContext, data api.CreateOAuth2ApplicationOptions) {
+func CreateOauth2Application(ctx *context.APIContext) {
 	// swagger:operation POST /user/applications/oauth2 user userCreateOAuth2Application
 	// ---
 	// summary: creates a new OAuth2 application
@ -196,6 +199,9 @@ func CreateOauth2Application(ctx *context.APIContext, data api.CreateOAuth2Appli
 	// responses:
 	//   "201":
 	//     "$ref": "#/responses/OAuth2Application"
+
+	data := web.GetForm(ctx).(*api.CreateOAuth2ApplicationOptions)
+
 	app, err := models.CreateOAuth2Application(models.CreateOAuth2ApplicationOptions{
 		Name:         data.Name,
 		UserID:       ctx.User.ID,
@ -309,7 +315,7 @@ func GetOauth2Application(ctx *context.APIContext) {
 }

 // UpdateOauth2Application update OAuth2 Application
-func UpdateOauth2Application(ctx *context.APIContext, data api.CreateOAuth2ApplicationOptions) {
+func UpdateOauth2Application(ctx *context.APIContext) {
 	// swagger:operation PATCH /user/applications/oauth2/{id} user userUpdateOAuth2Application
 	// ---
 	// summary: update an OAuth2 Application, this includes regenerating the client secret
@ -332,6 +338,8 @@ func UpdateOauth2Application(ctx *context.APIContext, data api.CreateOAuth2Appli
 	//     "$ref": "#/responses/OAuth2Application"
 	appID := ctx.ParamsInt64(":id")

+	data := web.GetForm(ctx).(*api.CreateOAuth2ApplicationOptions)
+
 	app, err := models.UpdateOAuth2Application(models.UpdateOAuth2ApplicationOptions{
 		Name:         data.Name,
 		UserID:       ctx.User.ID,
--- a/routers/api/v1/user/email.go
+++ b/routers/api/v1/user/email.go
@ -13,6 +13,7 @@ import (
 	"code.gitea.io/gitea/modules/convert"
 	"code.gitea.io/gitea/modules/setting"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/web"
 )

 // ListEmails list all of the authenticated user's email addresses
@ -40,7 +41,7 @@ func ListEmails(ctx *context.APIContext) {
 }

 // AddEmail add an email address
-func AddEmail(ctx *context.APIContext, form api.CreateEmailOption) {
+func AddEmail(ctx *context.APIContext) {
 	// swagger:operation POST /user/emails user userAddEmail
 	// ---
 	// summary: Add email addresses
@ -61,7 +62,7 @@ func AddEmail(ctx *context.APIContext, form api.CreateEmailOption) {
 	//     "$ref": "#/responses/EmailList"
 	//   "422":
 	//     "$ref": "#/responses/validationError"
-
+	form := web.GetForm(ctx).(*api.CreateEmailOption)
 	if len(form.Emails) == 0 {
 		ctx.Error(http.StatusUnprocessableEntity, "", "Email list empty")
 		return
@ -96,7 +97,7 @@ func AddEmail(ctx *context.APIContext, form api.CreateEmailOption) {
 }

 // DeleteEmail delete email
-func DeleteEmail(ctx *context.APIContext, form api.DeleteEmailOption) {
+func DeleteEmail(ctx *context.APIContext) {
 	// swagger:operation DELETE /user/emails user userDeleteEmail
 	// ---
 	// summary: Delete email addresses
@ -110,7 +111,7 @@ func DeleteEmail(ctx *context.APIContext, form api.DeleteEmailOption) {
 	// responses:
 	//   "204":
 	//     "$ref": "#/responses/empty"
-
+	form := web.GetForm(ctx).(*api.DeleteEmailOption)
 	if len(form.Emails) == 0 {
 		ctx.Status(http.StatusNoContent)
 		return
--- a/routers/api/v1/user/gpg_key.go
+++ b/routers/api/v1/user/gpg_key.go
@ -11,6 +11,7 @@ import (
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/convert"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/api/v1/utils"
 )

@ -133,7 +134,7 @@ type swaggerUserCurrentPostGPGKey struct {
 }

 //CreateGPGKey create a GPG key belonging to the authenticated user
-func CreateGPGKey(ctx *context.APIContext, form api.CreateGPGKeyOption) {
+func CreateGPGKey(ctx *context.APIContext) {
 	// swagger:operation POST /user/gpg_keys user userCurrentPostGPGKey
 	// ---
 	// summary: Create a GPG key
@ -149,7 +150,8 @@ func CreateGPGKey(ctx *context.APIContext, form api.CreateGPGKeyOption) {
 	//   "422":
 	//     "$ref": "#/responses/validationError"

-	CreateUserGPGKey(ctx, form, ctx.User.ID)
+	form := web.GetForm(ctx).(*api.CreateGPGKeyOption)
+	CreateUserGPGKey(ctx, *form, ctx.User.ID)
 }

 //DeleteGPGKey remove a GPG key belonging to the authenticated user
--- a/routers/api/v1/user/key.go
+++ b/routers/api/v1/user/key.go
@ -12,6 +12,7 @@ import (
 	"code.gitea.io/gitea/modules/convert"
 	"code.gitea.io/gitea/modules/setting"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/api/v1/repo"
 	"code.gitea.io/gitea/routers/api/v1/utils"
 )
@ -204,7 +205,7 @@ func CreateUserPublicKey(ctx *context.APIContext, form api.CreateKeyOption, uid
 }

 // CreatePublicKey create one public key for me
-func CreatePublicKey(ctx *context.APIContext, form api.CreateKeyOption) {
+func CreatePublicKey(ctx *context.APIContext) {
 	// swagger:operation POST /user/keys user userCurrentPostKey
 	// ---
 	// summary: Create a public key
@ -223,7 +224,8 @@ func CreatePublicKey(ctx *context.APIContext, form api.CreateKeyOption) {
 	//   "422":
 	//     "$ref": "#/responses/validationError"

-	CreateUserPublicKey(ctx, form, ctx.User.ID)
+	form := web.GetForm(ctx).(*api.CreateKeyOption)
+	CreateUserPublicKey(ctx, *form, ctx.User.ID)
 }

 // DeletePublicKey delete one public key