Feature: Add New Public Events API Endpoints#48
Merged
Conversation
Add migration for api_clients table with token hashing, scopes, allowed origins, network restrictions, and rate limiting fields. Include Eloquent model with casts and factory for testing. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add FEATURE__PUBLIC_EVENTS_API environment variable (default: false) across .env.base, .env.template, Helm values, and restarters config. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add four middleware classes for the public API: - EnsurePublicEventsApiEnabled: gates access behind feature flag - PublicApiCors: handles CORS headers for cross-origin requests - AuthenticateApiClient: validates bearer tokens against api_clients - EnforceApiClientOrigin: restricts requests to allowed origins Register all four as named aliases in bootstrap/app.php. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add PublicEventController with three endpoints:
- GET /public/v2/events (list with date/pagination filters)
- GET /public/v2/events/{id} (single event)
- GET /public/v2/groups/{id}/events (events by group)
Register public/v2 route group with middleware stack and add
per-client rate limiter (public-api) to bootstrap/app.php.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add three artisan commands for managing API client tokens: - api-clients:create: generate new client with scopes/origins/rate limit - api-clients:revoke: deactivate a client by ID - api-clients:rotate: replace a client's token with a new one Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Cover authentication, query token rejection, date filtering, group filtering, network restrictions, origin enforcement, single event visibility, and updated_at window queries. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Document endpoints, authentication, query parameters, visibility rules, CORS behavior, and artisan commands for client management. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
mlahargou
approved these changes
Feb 25, 2026
Member
mlahargou
left a comment
mlahargou
left a comment
There was a problem hiding this comment.
CR 📱 Scanned it. Looks fine to me.
Collaborator
Author
|
QA 👍
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This PR adds a token-authenticated public Events API intended for third-party ingestion and display. It allows consumers to fetch approved event data without requiring a user login, keeping events centralized in the platform while enabling external sites/apps to render their own events pages.
CR Notes
We’re shifting direction towards prioritizing organizers/hosts, so creating a separate “public events” page within the app wasn’t the right direction. Instead, we will expose these new endpoints so a separate site (focused on finding/attending repair events) can generate an events page by calling this API.
API Contract
Auth:
Authorization: Bearer <integration_token>Endpoints / Query params:
GET /events:start,end,updated_start,updated_end,page,per_pageRemoved from the contract:
localequery paramnetworksendpointExample response (list)
{ "data": [ { "id": 7, "start": "2026-02-25T23:00:00+00:00", "end": "2026-02-26T01:00:00+00:00", "timezone": "Europe/London", "title": "Seed Repair Cafe", "location": "London, UK", "online": 0, "lat": 51.5074, "lng": -0.1278, "group": { "id": 8, "name": "Seed Group 1771976789", "image": null, "location": { "location": "London, UK", "area": null, "postcode": "", "country": "United Kingdom", "country_code": "GB", "lat": "51.5074", "lng": "-0.1278" }, "networks": [ { "id": 1, "name": "Restarters", "logo": null, "summary": true } ], "updated_at": "2026-02-24T23:46:29+00:00", "archived_at": null, "summary": true }, "description": "Seeded event for API testing", "updated_at": "2026-02-24T23:46:29+00:00", "approved": true, "full": true } ], "meta": { "page": 1, "per_page": 50, "total": 1, "last_page": 1 }, "sync": { "generated_at": "2026-02-24T23:46:42+00:00", "max_updated_at": "2026-02-24T23:46:29+00:00" } }QA Notes
This should be tested on the test cluster.