Add embedded web chat client with C2S HTTP API

- New DB schema: users, channel_members, messages tables (migration 003) - Full C2S HTTP API: register, channels, messages, DMs, polling - Preact SPA embedded via embed.FS, served at GET / - IRC-style UI: tab bar, channel messages, user list, DM tabs, /commands - Dark theme, responsive, esbuild-bundled (~19KB) - Polling-based message delivery (1.5s interval) - Commands: /join, /part, /msg, /nick
2026-02-10 09:22:22 -08:00
parent 03cbc3cd1a
commit ac933d07d2
16 changed files with 2271 additions and 0 deletions
--- a/internal/db/queries.go
+++ b/internal/db/queries.go
@@ -0,0 +1,303 @@
+package db
+
+import (
+	"context"
+	"crypto/rand"
+	"encoding/hex"
+	"fmt"
+	"time"
+)
+
+func generateToken() string {
+	b := make([]byte, 32)
+	_, _ = rand.Read(b)
+	return hex.EncodeToString(b)
+}
+
+// CreateUser registers a new user with the given nick and returns the user with token.
+func (s *Database) CreateUser(ctx context.Context, nick string) (int64, string, error) {
+	token := generateToken()
+	now := time.Now()
+	res, err := s.db.ExecContext(ctx,
+		"INSERT INTO users (nick, token, created_at, last_seen) VALUES (?, ?, ?, ?)",
+		nick, token, now, now)
+	if err != nil {
+		return 0, "", fmt.Errorf("create user: %w", err)
+	}
+	id, _ := res.LastInsertId()
+	return id, token, nil
+}
+
+// GetUserByToken returns user id and nick for a given auth token.
+func (s *Database) GetUserByToken(ctx context.Context, token string) (int64, string, error) {
+	var id int64
+	var nick string
+	err := s.db.QueryRowContext(ctx, "SELECT id, nick FROM users WHERE token = ?", token).Scan(&id, &nick)
+	if err != nil {
+		return 0, "", err
+	}
+	// Update last_seen
+	_, _ = s.db.ExecContext(ctx, "UPDATE users SET last_seen = ? WHERE id = ?", time.Now(), id)
+	return id, nick, nil
+}
+
+// GetUserByNick returns user id for a given nick.
+func (s *Database) GetUserByNick(ctx context.Context, nick string) (int64, error) {
+	var id int64
+	err := s.db.QueryRowContext(ctx, "SELECT id FROM users WHERE nick = ?", nick).Scan(&id)
+	return id, err
+}
+
+// GetOrCreateChannel returns the channel id, creating it if needed.
+func (s *Database) GetOrCreateChannel(ctx context.Context, name string) (int64, error) {
+	var id int64
+	err := s.db.QueryRowContext(ctx, "SELECT id FROM channels WHERE name = ?", name).Scan(&id)
+	if err == nil {
+		return id, nil
+	}
+	now := time.Now()
+	res, err := s.db.ExecContext(ctx,
+		"INSERT INTO channels (name, created_at, updated_at) VALUES (?, ?, ?)",
+		name, now, now)
+	if err != nil {
+		return 0, fmt.Errorf("create channel: %w", err)
+	}
+	id, _ = res.LastInsertId()
+	return id, nil
+}
+
+// JoinChannel adds a user to a channel.
+func (s *Database) JoinChannel(ctx context.Context, channelID, userID int64) error {
+	_, err := s.db.ExecContext(ctx,
+		"INSERT OR IGNORE INTO channel_members (channel_id, user_id, joined_at) VALUES (?, ?, ?)",
+		channelID, userID, time.Now())
+	return err
+}
+
+// PartChannel removes a user from a channel.
+func (s *Database) PartChannel(ctx context.Context, channelID, userID int64) error {
+	_, err := s.db.ExecContext(ctx,
+		"DELETE FROM channel_members WHERE channel_id = ? AND user_id = ?",
+		channelID, userID)
+	return err
+}
+
+// ListChannels returns all channels the user has joined.
+func (s *Database) ListChannels(ctx context.Context, userID int64) ([]ChannelInfo, error) {
+	rows, err := s.db.QueryContext(ctx,
+		`SELECT c.id, c.name, c.topic FROM channels c
+		 INNER JOIN channel_members cm ON cm.channel_id = c.id
+		 WHERE cm.user_id = ? ORDER BY c.name`, userID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var channels []ChannelInfo
+	for rows.Next() {
+		var ch ChannelInfo
+		if err := rows.Scan(&ch.ID, &ch.Name, &ch.Topic); err != nil {
+			return nil, err
+		}
+		channels = append(channels, ch)
+	}
+	if channels == nil {
+		channels = []ChannelInfo{}
+	}
+	return channels, nil
+}
+
+// ChannelInfo is a lightweight channel representation.
+type ChannelInfo struct {
+	ID    int64  `json:"id"`
+	Name  string `json:"name"`
+	Topic string `json:"topic"`
+}
+
+// ChannelMembers returns all members of a channel.
+func (s *Database) ChannelMembers(ctx context.Context, channelID int64) ([]MemberInfo, error) {
+	rows, err := s.db.QueryContext(ctx,
+		`SELECT u.id, u.nick, u.last_seen FROM users u
+		 INNER JOIN channel_members cm ON cm.user_id = u.id
+		 WHERE cm.channel_id = ? ORDER BY u.nick`, channelID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var members []MemberInfo
+	for rows.Next() {
+		var m MemberInfo
+		if err := rows.Scan(&m.ID, &m.Nick, &m.LastSeen); err != nil {
+			return nil, err
+		}
+		members = append(members, m)
+	}
+	if members == nil {
+		members = []MemberInfo{}
+	}
+	return members, nil
+}
+
+// MemberInfo represents a channel member.
+type MemberInfo struct {
+	ID       int64     `json:"id"`
+	Nick     string    `json:"nick"`
+	LastSeen time.Time `json:"lastSeen"`
+}
+
+// MessageInfo represents a chat message.
+type MessageInfo struct {
+	ID        int64     `json:"id"`
+	Channel   string    `json:"channel,omitempty"`
+	Nick      string    `json:"nick"`
+	Content   string    `json:"content"`
+	IsDM      bool      `json:"isDm,omitempty"`
+	DMTarget  string    `json:"dmTarget,omitempty"`
+	CreatedAt time.Time `json:"createdAt"`
+}
+
+// GetMessages returns messages for a channel, optionally after a given ID.
+func (s *Database) GetMessages(ctx context.Context, channelID int64, afterID int64, limit int) ([]MessageInfo, error) {
+	if limit <= 0 {
+		limit = 50
+	}
+	rows, err := s.db.QueryContext(ctx,
+		`SELECT m.id, c.name, u.nick, m.content, m.created_at
+		 FROM messages m
+		 INNER JOIN users u ON u.id = m.user_id
+		 INNER JOIN channels c ON c.id = m.channel_id
+		 WHERE m.channel_id = ? AND m.is_dm = 0 AND m.id > ?
+		 ORDER BY m.id ASC LIMIT ?`, channelID, afterID, limit)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var msgs []MessageInfo
+	for rows.Next() {
+		var m MessageInfo
+		if err := rows.Scan(&m.ID, &m.Channel, &m.Nick, &m.Content, &m.CreatedAt); err != nil {
+			return nil, err
+		}
+		msgs = append(msgs, m)
+	}
+	if msgs == nil {
+		msgs = []MessageInfo{}
+	}
+	return msgs, nil
+}
+
+// SendMessage inserts a channel message.
+func (s *Database) SendMessage(ctx context.Context, channelID, userID int64, content string) (int64, error) {
+	res, err := s.db.ExecContext(ctx,
+		"INSERT INTO messages (channel_id, user_id, content, is_dm, created_at) VALUES (?, ?, ?, 0, ?)",
+		channelID, userID, content, time.Now())
+	if err != nil {
+		return 0, err
+	}
+	return res.LastInsertId()
+}
+
+// SendDM inserts a direct message.
+func (s *Database) SendDM(ctx context.Context, fromID, toID int64, content string) (int64, error) {
+	res, err := s.db.ExecContext(ctx,
+		"INSERT INTO messages (user_id, content, is_dm, dm_target_id, created_at) VALUES (?, ?, 1, ?, ?)",
+		fromID, content, toID, time.Now())
+	if err != nil {
+		return 0, err
+	}
+	return res.LastInsertId()
+}
+
+// GetDMs returns direct messages between two users after a given ID.
+func (s *Database) GetDMs(ctx context.Context, userA, userB int64, afterID int64, limit int) ([]MessageInfo, error) {
+	if limit <= 0 {
+		limit = 50
+	}
+	rows, err := s.db.QueryContext(ctx,
+		`SELECT m.id, u.nick, m.content, t.nick, m.created_at
+		 FROM messages m
+		 INNER JOIN users u ON u.id = m.user_id
+		 INNER JOIN users t ON t.id = m.dm_target_id
+		 WHERE m.is_dm = 1 AND m.id > ?
+		 AND ((m.user_id = ? AND m.dm_target_id = ?) OR (m.user_id = ? AND m.dm_target_id = ?))
+		 ORDER BY m.id ASC LIMIT ?`, afterID, userA, userB, userB, userA, limit)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var msgs []MessageInfo
+	for rows.Next() {
+		var m MessageInfo
+		if err := rows.Scan(&m.ID, &m.Nick, &m.Content, &m.DMTarget, &m.CreatedAt); err != nil {
+			return nil, err
+		}
+		m.IsDM = true
+		msgs = append(msgs, m)
+	}
+	if msgs == nil {
+		msgs = []MessageInfo{}
+	}
+	return msgs, nil
+}
+
+// PollMessages returns all new messages (channel + DM) for a user after a given ID.
+func (s *Database) PollMessages(ctx context.Context, userID int64, afterID int64, limit int) ([]MessageInfo, error) {
+	if limit <= 0 {
+		limit = 100
+	}
+	rows, err := s.db.QueryContext(ctx,
+		`SELECT m.id, COALESCE(c.name, ''), u.nick, m.content, m.is_dm, COALESCE(t.nick, ''), m.created_at
+		 FROM messages m
+		 INNER JOIN users u ON u.id = m.user_id
+		 LEFT JOIN channels c ON c.id = m.channel_id
+		 LEFT JOIN users t ON t.id = m.dm_target_id
+		 WHERE m.id > ? AND (
+		   (m.is_dm = 0 AND m.channel_id IN (SELECT channel_id FROM channel_members WHERE user_id = ?))
+		   OR (m.is_dm = 1 AND (m.user_id = ? OR m.dm_target_id = ?))
+		 )
+		 ORDER BY m.id ASC LIMIT ?`, afterID, userID, userID, userID, limit)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var msgs []MessageInfo
+	for rows.Next() {
+		var m MessageInfo
+		var isDM int
+		if err := rows.Scan(&m.ID, &m.Channel, &m.Nick, &m.Content, &isDM, &m.DMTarget, &m.CreatedAt); err != nil {
+			return nil, err
+		}
+		m.IsDM = isDM == 1
+		msgs = append(msgs, m)
+	}
+	if msgs == nil {
+		msgs = []MessageInfo{}
+	}
+	return msgs, nil
+}
+
+// GetMOTD returns the server MOTD from config.
+func (s *Database) GetServerName() string {
+	return ""
+}
+
+// ListAllChannels returns all channels.
+func (s *Database) ListAllChannels(ctx context.Context) ([]ChannelInfo, error) {
+	rows, err := s.db.QueryContext(ctx,
+		"SELECT id, name, topic FROM channels ORDER BY name")
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var channels []ChannelInfo
+	for rows.Next() {
+		var ch ChannelInfo
+		if err := rows.Scan(&ch.ID, &ch.Name, &ch.Topic); err != nil {
+			return nil, err
+		}
+		channels = append(channels, ch)
+	}
+	if channels == nil {
+		channels = []ChannelInfo{}
+	}
+	return channels, nil
+}
--- a/internal/db/schema/003_users.sql
+++ b/internal/db/schema/003_users.sql
@@ -0,0 +1,31 @@
+PRAGMA foreign_keys = ON;
+
+CREATE TABLE IF NOT EXISTS users (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    nick TEXT NOT NULL UNIQUE,
+    token TEXT NOT NULL UNIQUE,
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+    last_seen DATETIME DEFAULT CURRENT_TIMESTAMP
+);
+
+CREATE TABLE IF NOT EXISTS channel_members (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    channel_id INTEGER NOT NULL REFERENCES channels(id) ON DELETE CASCADE,
+    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+    joined_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+    UNIQUE(channel_id, user_id)
+);
+
+CREATE TABLE IF NOT EXISTS messages (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    channel_id INTEGER REFERENCES channels(id) ON DELETE CASCADE,
+    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+    content TEXT NOT NULL,
+    is_dm INTEGER NOT NULL DEFAULT 0,
+    dm_target_id INTEGER REFERENCES users(id) ON DELETE CASCADE,
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP
+);
+
+CREATE INDEX IF NOT EXISTS idx_messages_channel ON messages(channel_id, created_at);
+CREATE INDEX IF NOT EXISTS idx_messages_dm ON messages(user_id, dm_target_id, created_at);
+CREATE INDEX IF NOT EXISTS idx_users_token ON users(token);
--- a/internal/handlers/api.go
+++ b/internal/handlers/api.go
@@ -0,0 +1,358 @@
+package handlers
+
+import (
+	"database/sql"
+	"encoding/json"
+	"net/http"
+	"strconv"
+	"strings"
+
+	"github.com/go-chi/chi"
+)
+
+// authUser extracts the user from the Authorization header (Bearer token).
+func (s *Handlers) authUser(r *http.Request) (int64, string, error) {
+	auth := r.Header.Get("Authorization")
+	if !strings.HasPrefix(auth, "Bearer ") {
+		return 0, "", sql.ErrNoRows
+	}
+	token := strings.TrimPrefix(auth, "Bearer ")
+	return s.params.Database.GetUserByToken(r.Context(), token)
+}
+
+func (s *Handlers) requireAuth(w http.ResponseWriter, r *http.Request) (int64, string, bool) {
+	uid, nick, err := s.authUser(r)
+	if err != nil {
+		s.respondJSON(w, r, map[string]string{"error": "unauthorized"}, http.StatusUnauthorized)
+		return 0, "", false
+	}
+	return uid, nick, true
+}
+
+// HandleRegister creates a new user and returns the auth token.
+func (s *Handlers) HandleRegister() http.HandlerFunc {
+	type request struct {
+		Nick string `json:"nick"`
+	}
+	type response struct {
+		ID    int64  `json:"id"`
+		Nick  string `json:"nick"`
+		Token string `json:"token"`
+	}
+	return func(w http.ResponseWriter, r *http.Request) {
+		var req request
+		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+			s.respondJSON(w, r, map[string]string{"error": "invalid request"}, http.StatusBadRequest)
+			return
+		}
+		req.Nick = strings.TrimSpace(req.Nick)
+		if req.Nick == "" || len(req.Nick) > 32 {
+			s.respondJSON(w, r, map[string]string{"error": "nick must be 1-32 characters"}, http.StatusBadRequest)
+			return
+		}
+		id, token, err := s.params.Database.CreateUser(r.Context(), req.Nick)
+		if err != nil {
+			if strings.Contains(err.Error(), "UNIQUE") {
+				s.respondJSON(w, r, map[string]string{"error": "nick already taken"}, http.StatusConflict)
+				return
+			}
+			s.log.Error("create user failed", "error", err)
+			s.respondJSON(w, r, map[string]string{"error": "internal error"}, http.StatusInternalServerError)
+			return
+		}
+		s.respondJSON(w, r, &response{ID: id, Nick: req.Nick, Token: token}, http.StatusCreated)
+	}
+}
+
+// HandleMe returns the current user's info.
+func (s *Handlers) HandleMe() http.HandlerFunc {
+	type response struct {
+		ID   int64  `json:"id"`
+		Nick string `json:"nick"`
+	}
+	return func(w http.ResponseWriter, r *http.Request) {
+		uid, nick, ok := s.requireAuth(w, r)
+		if !ok {
+			return
+		}
+		s.respondJSON(w, r, &response{ID: uid, Nick: nick}, http.StatusOK)
+	}
+}
+
+// HandleListChannels returns channels the user has joined.
+func (s *Handlers) HandleListChannels() http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		uid, _, ok := s.requireAuth(w, r)
+		if !ok {
+			return
+		}
+		channels, err := s.params.Database.ListChannels(r.Context(), uid)
+		if err != nil {
+			s.log.Error("list channels failed", "error", err)
+			s.respondJSON(w, r, map[string]string{"error": "internal error"}, http.StatusInternalServerError)
+			return
+		}
+		s.respondJSON(w, r, channels, http.StatusOK)
+	}
+}
+
+// HandleListAllChannels returns all channels on the server.
+func (s *Handlers) HandleListAllChannels() http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		_, _, ok := s.requireAuth(w, r)
+		if !ok {
+			return
+		}
+		channels, err := s.params.Database.ListAllChannels(r.Context())
+		if err != nil {
+			s.log.Error("list all channels failed", "error", err)
+			s.respondJSON(w, r, map[string]string{"error": "internal error"}, http.StatusInternalServerError)
+			return
+		}
+		s.respondJSON(w, r, channels, http.StatusOK)
+	}
+}
+
+// HandleJoinChannel joins a channel (creates it if needed).
+func (s *Handlers) HandleJoinChannel() http.HandlerFunc {
+	type request struct {
+		Channel string `json:"channel"`
+	}
+	return func(w http.ResponseWriter, r *http.Request) {
+		uid, _, ok := s.requireAuth(w, r)
+		if !ok {
+			return
+		}
+		var req request
+		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+			s.respondJSON(w, r, map[string]string{"error": "invalid request"}, http.StatusBadRequest)
+			return
+		}
+		req.Channel = strings.TrimSpace(req.Channel)
+		if req.Channel == "" {
+			s.respondJSON(w, r, map[string]string{"error": "channel name required"}, http.StatusBadRequest)
+			return
+		}
+		if !strings.HasPrefix(req.Channel, "#") {
+			req.Channel = "#" + req.Channel
+		}
+		chID, err := s.params.Database.GetOrCreateChannel(r.Context(), req.Channel)
+		if err != nil {
+			s.log.Error("get/create channel failed", "error", err)
+			s.respondJSON(w, r, map[string]string{"error": "internal error"}, http.StatusInternalServerError)
+			return
+		}
+		if err := s.params.Database.JoinChannel(r.Context(), chID, uid); err != nil {
+			s.log.Error("join channel failed", "error", err)
+			s.respondJSON(w, r, map[string]string{"error": "internal error"}, http.StatusInternalServerError)
+			return
+		}
+		s.respondJSON(w, r, map[string]string{"status": "joined", "channel": req.Channel}, http.StatusOK)
+	}
+}
+
+// HandlePartChannel leaves a channel.
+func (s *Handlers) HandlePartChannel() http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		uid, _, ok := s.requireAuth(w, r)
+		if !ok {
+			return
+		}
+		name := "#" + chi.URLParam(r, "channel")
+		var chID int64
+		err := s.params.Database.GetDB().QueryRowContext(r.Context(),
+			"SELECT id FROM channels WHERE name = ?", name).Scan(&chID)
+		if err != nil {
+			s.respondJSON(w, r, map[string]string{"error": "channel not found"}, http.StatusNotFound)
+			return
+		}
+		if err := s.params.Database.PartChannel(r.Context(), chID, uid); err != nil {
+			s.log.Error("part channel failed", "error", err)
+			s.respondJSON(w, r, map[string]string{"error": "internal error"}, http.StatusInternalServerError)
+			return
+		}
+		s.respondJSON(w, r, map[string]string{"status": "parted", "channel": name}, http.StatusOK)
+	}
+}
+
+// HandleChannelMembers returns members of a channel.
+func (s *Handlers) HandleChannelMembers() http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		_, _, ok := s.requireAuth(w, r)
+		if !ok {
+			return
+		}
+		name := "#" + chi.URLParam(r, "channel")
+		var chID int64
+		err := s.params.Database.GetDB().QueryRowContext(r.Context(),
+			"SELECT id FROM channels WHERE name = ?", name).Scan(&chID)
+		if err != nil {
+			s.respondJSON(w, r, map[string]string{"error": "channel not found"}, http.StatusNotFound)
+			return
+		}
+		members, err := s.params.Database.ChannelMembers(r.Context(), chID)
+		if err != nil {
+			s.log.Error("channel members failed", "error", err)
+			s.respondJSON(w, r, map[string]string{"error": "internal error"}, http.StatusInternalServerError)
+			return
+		}
+		s.respondJSON(w, r, members, http.StatusOK)
+	}
+}
+
+// HandleGetMessages returns messages for a channel.
+func (s *Handlers) HandleGetMessages() http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		_, _, ok := s.requireAuth(w, r)
+		if !ok {
+			return
+		}
+		name := "#" + chi.URLParam(r, "channel")
+		var chID int64
+		err := s.params.Database.GetDB().QueryRowContext(r.Context(),
+			"SELECT id FROM channels WHERE name = ?", name).Scan(&chID)
+		if err != nil {
+			s.respondJSON(w, r, map[string]string{"error": "channel not found"}, http.StatusNotFound)
+			return
+		}
+		afterID, _ := strconv.ParseInt(r.URL.Query().Get("after"), 10, 64)
+		limit, _ := strconv.Atoi(r.URL.Query().Get("limit"))
+		msgs, err := s.params.Database.GetMessages(r.Context(), chID, afterID, limit)
+		if err != nil {
+			s.log.Error("get messages failed", "error", err)
+			s.respondJSON(w, r, map[string]string{"error": "internal error"}, http.StatusInternalServerError)
+			return
+		}
+		s.respondJSON(w, r, msgs, http.StatusOK)
+	}
+}
+
+// HandleSendMessage sends a message to a channel.
+func (s *Handlers) HandleSendMessage() http.HandlerFunc {
+	type request struct {
+		Content string `json:"content"`
+	}
+	return func(w http.ResponseWriter, r *http.Request) {
+		uid, _, ok := s.requireAuth(w, r)
+		if !ok {
+			return
+		}
+		name := "#" + chi.URLParam(r, "channel")
+		var chID int64
+		err := s.params.Database.GetDB().QueryRowContext(r.Context(),
+			"SELECT id FROM channels WHERE name = ?", name).Scan(&chID)
+		if err != nil {
+			s.respondJSON(w, r, map[string]string{"error": "channel not found"}, http.StatusNotFound)
+			return
+		}
+		var req request
+		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+			s.respondJSON(w, r, map[string]string{"error": "invalid request"}, http.StatusBadRequest)
+			return
+		}
+		if strings.TrimSpace(req.Content) == "" {
+			s.respondJSON(w, r, map[string]string{"error": "content required"}, http.StatusBadRequest)
+			return
+		}
+		msgID, err := s.params.Database.SendMessage(r.Context(), chID, uid, req.Content)
+		if err != nil {
+			s.log.Error("send message failed", "error", err)
+			s.respondJSON(w, r, map[string]string{"error": "internal error"}, http.StatusInternalServerError)
+			return
+		}
+		s.respondJSON(w, r, map[string]any{"id": msgID, "status": "sent"}, http.StatusCreated)
+	}
+}
+
+// HandleSendDM sends a direct message to a user.
+func (s *Handlers) HandleSendDM() http.HandlerFunc {
+	type request struct {
+		Content string `json:"content"`
+	}
+	return func(w http.ResponseWriter, r *http.Request) {
+		uid, _, ok := s.requireAuth(w, r)
+		if !ok {
+			return
+		}
+		targetNick := chi.URLParam(r, "nick")
+		targetID, err := s.params.Database.GetUserByNick(r.Context(), targetNick)
+		if err != nil {
+			s.respondJSON(w, r, map[string]string{"error": "user not found"}, http.StatusNotFound)
+			return
+		}
+		var req request
+		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+			s.respondJSON(w, r, map[string]string{"error": "invalid request"}, http.StatusBadRequest)
+			return
+		}
+		if strings.TrimSpace(req.Content) == "" {
+			s.respondJSON(w, r, map[string]string{"error": "content required"}, http.StatusBadRequest)
+			return
+		}
+		msgID, err := s.params.Database.SendDM(r.Context(), uid, targetID, req.Content)
+		if err != nil {
+			s.log.Error("send dm failed", "error", err)
+			s.respondJSON(w, r, map[string]string{"error": "internal error"}, http.StatusInternalServerError)
+			return
+		}
+		s.respondJSON(w, r, map[string]any{"id": msgID, "status": "sent"}, http.StatusCreated)
+	}
+}
+
+// HandleGetDMs returns direct messages with a user.
+func (s *Handlers) HandleGetDMs() http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		uid, _, ok := s.requireAuth(w, r)
+		if !ok {
+			return
+		}
+		targetNick := chi.URLParam(r, "nick")
+		targetID, err := s.params.Database.GetUserByNick(r.Context(), targetNick)
+		if err != nil {
+			s.respondJSON(w, r, map[string]string{"error": "user not found"}, http.StatusNotFound)
+			return
+		}
+		afterID, _ := strconv.ParseInt(r.URL.Query().Get("after"), 10, 64)
+		limit, _ := strconv.Atoi(r.URL.Query().Get("limit"))
+		msgs, err := s.params.Database.GetDMs(r.Context(), uid, targetID, afterID, limit)
+		if err != nil {
+			s.log.Error("get dms failed", "error", err)
+			s.respondJSON(w, r, map[string]string{"error": "internal error"}, http.StatusInternalServerError)
+			return
+		}
+		s.respondJSON(w, r, msgs, http.StatusOK)
+	}
+}
+
+// HandlePoll returns all new messages (channels + DMs) for the user.
+func (s *Handlers) HandlePoll() http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		uid, _, ok := s.requireAuth(w, r)
+		if !ok {
+			return
+		}
+		afterID, _ := strconv.ParseInt(r.URL.Query().Get("after"), 10, 64)
+		limit, _ := strconv.Atoi(r.URL.Query().Get("limit"))
+		msgs, err := s.params.Database.PollMessages(r.Context(), uid, afterID, limit)
+		if err != nil {
+			s.log.Error("poll messages failed", "error", err)
+			s.respondJSON(w, r, map[string]string{"error": "internal error"}, http.StatusInternalServerError)
+			return
+		}
+		s.respondJSON(w, r, msgs, http.StatusOK)
+	}
+}
+
+// HandleServerInfo returns server metadata (MOTD, name).
+func (s *Handlers) HandleServerInfo() http.HandlerFunc {
+	type response struct {
+		Name string `json:"name"`
+		MOTD string `json:"motd"`
+	}
+	return func(w http.ResponseWriter, r *http.Request) {
+		s.respondJSON(w, r, &response{
+			Name: s.params.Config.ServerName,
+			MOTD: s.params.Config.MOTD,
+		}, http.StatusOK)
+	}
+}
--- a/internal/handlers/handlers.go
+++ b/internal/handlers/handlers.go
@@ -7,6 +7,7 @@ import (
 	"log/slog"
 	"net/http"

+	"git.eeqj.de/sneak/chat/internal/config"
 	"git.eeqj.de/sneak/chat/internal/db"
 	"git.eeqj.de/sneak/chat/internal/globals"
 	"git.eeqj.de/sneak/chat/internal/healthcheck"
@@ -20,6 +21,7 @@ type Params struct {

 	Logger      *logger.Logger
 	Globals     *globals.Globals
+	Config      *config.Config
 	Database    *db.Database
 	Healthcheck *healthcheck.Healthcheck
 }
--- a/internal/server/routes.go
+++ b/internal/server/routes.go
@@ -1,9 +1,12 @@
 package server

 import (
+	"io/fs"
 	"net/http"
 	"time"

+	"git.eeqj.de/sneak/chat/web"
+
 	sentryhttp "github.com/getsentry/sentry-go/http"
 	"github.com/go-chi/chi"
 	"github.com/go-chi/chi/middleware"
@@ -45,4 +48,47 @@ func (s *Server) SetupRoutes() {
 			r.Get("/metrics", http.HandlerFunc(promhttp.Handler().ServeHTTP))
 		})
 	}
+
+	// API v1
+	s.router.Route("/api/v1", func(r chi.Router) {
+		r.Get("/server", s.h.HandleServerInfo())
+		r.Post("/register", s.h.HandleRegister())
+		r.Get("/me", s.h.HandleMe())
+
+		// Channels
+		r.Get("/channels", s.h.HandleListChannels())
+		r.Get("/channels/all", s.h.HandleListAllChannels())
+		r.Post("/channels/join", s.h.HandleJoinChannel())
+		r.Delete("/channels/{channel}/part", s.h.HandlePartChannel())
+		r.Get("/channels/{channel}/members", s.h.HandleChannelMembers())
+		r.Get("/channels/{channel}/messages", s.h.HandleGetMessages())
+		r.Post("/channels/{channel}/messages", s.h.HandleSendMessage())
+
+		// DMs
+		r.Get("/dm/{nick}/messages", s.h.HandleGetDMs())
+		r.Post("/dm/{nick}/messages", s.h.HandleSendDM())
+
+		// Polling
+		r.Get("/poll", s.h.HandlePoll())
+	})
+
+	// Serve embedded SPA
+	distFS, err := fs.Sub(web.Dist, "dist")
+	if err != nil {
+		s.log.Error("failed to get web dist filesystem", "error", err)
+	} else {
+		fileServer := http.FileServer(http.FS(distFS))
+		s.router.Get("/*", func(w http.ResponseWriter, r *http.Request) {
+			// Try to serve the file; if not found, serve index.html for SPA routing
+			f, err := distFS.(fs.ReadFileFS).ReadFile(r.URL.Path[1:])
+			if err != nil || len(f) == 0 {
+				indexHTML, _ := distFS.(fs.ReadFileFS).ReadFile("index.html")
+				w.Header().Set("Content-Type", "text/html; charset=utf-8")
+				w.WriteHeader(http.StatusOK)
+				_, _ = w.Write(indexHTML)
+				return
+			}
+			fileServer.ServeHTTP(w, r)
+		})
+	}
 }