-
Notifications
You must be signed in to change notification settings - Fork 0
API Design
This page contains information on the API design.
In general, most routes other than /auth/login and /auth/token-exchange require authentication. This is done using the Authorization HTTP header and a bearer token. Once a fully-exchanged token has been issued to a user, it can be used as follows:
Authorization: Bearer <token>GET /locations
{
"locations": [
{
"name": string,
"id": string,
"location": {
"latitude": number,
"longitude": number,
},
},
{...},
...,
],
}GET /locations/{id}/products?search=string
{
"products": [
{
"name": string,
"id": string,
"thumbnail": string[url] | null,
"amount": number,
},
...,
],
}GET /locations/{id}/products/{id}
{
"name": string,
"id": string,
"thumbnail": string[url] | null,
"nutritional_facts": string[url] | null,
"amount": number,
}POST /locations
{
"name": string,
"transact_identifier": string,
"location": {
"latitude": number,
"longitude": number,
},
}{
"id": string,
"name": string,
"transact_identifier": string,
"location": {
"latitude": number,
"longitude": number,
},
}PATCH /locations/{id}
{
"name": string | null,
"transact_identifier": string | null,
"location": {
"latitude": number,
"longitude": number,
} | null,
}{
"id": string,
"name": string,
"transact_identifier": string,
"location": {
"latitude": number,
"longitude": number,
},
}DELETE /locations/{id}
Returns 204 (no content) upon success
GET /products?search=string
{
"products": [
{
"name": string,
"id": string,
"thumbnail": string[url] | null,
"nutritional_facts": string[url] | null,
},
...,
],
}GET /products/{id}
{
"name": string,
"id": string,
"thumbnail": string[url] | null,
"nutritional_facts": string[url] | null,
"amounts": {
"string(id)": number | null,
},
}PATCH /products/{id}
This route includes new values for the modifiable fields ("id" and "name" are read-only).
{
"nutrition"?: string[url] | null,
"thumbnail"?: string[url] | null,
}{
"id": string,
"thumbnail": string[url] | null,
"nutritional_facts": string[url] | null,
}GET /announcements
{
"announcements": [
{
"id": string,
"title": string,
"body": string,
"timestamp": string,
},
...,
],
}POST /announcements
{
"title": string,
"body": string,
"timestamp": string,
}{
"id": string,
"title": string,
"body": string,
"timestamp": string,
}PATCH /announcements/{id}
{
"title"?: string | null,
"body"?: string | null,
}{
"id": string,
"title": string,
"body": string,
"timestamp": string,
}DELETE /announcements/{id}
Returns 204 (no content) upon success
GET /memberships
{
"memberships": [
{
"username": string,
"admin_access": bool,
},
...,
],
}GET /memberships/{username}
{
"username": string,
"admin_access": bool,
}POST /memberships
{
"username": string,
"admin_access": bool,
}{
"username": string,
"admin_access": bool,
}DELETE /memberships/{username}
Returns 204 (no content) upon success
PATCH /memberships/{username}
{
"admin_access?": bool,
}{
"username": string,
"admin_access": bool,
}POST /upload
The request body is a multi-part form data:
file: <file binary data>{
"url": string,
}GET /auth/login?redirect_uri=string
The login route redirects to the GT Single Sign-On service and authenticates via CAS. After the user signs in, they are redirected back to whatever URL they originally gave in the redirect_uri query parameter, with the addition that ?code=XXXX is added to the URI (which is used during token exchange). This imitates the OAuth 2 Authorization Code grant flow, although it doesn't exactly conform to the spec.
POST /auth/token-exchange
<auth_code_from_login>
{
"token": string,
"session": {
"username": string,
"first_name": string,
"last_name": string,
"issued_at": string[rfc 3339],
"expires_after": number | null,
},
"permissions": {
"admin_access": boolean,
},
}GET /auth/session
{
"session": {
"username": string,
"first_name": string,
"last_name": string,
"issued_at": string[rfc 3339],
"expires_after": number | null,
},
"permissions": {
"admin_access": boolean,
},
}GET /health
Returns a 204 (no content)