-
Notifications
You must be signed in to change notification settings - Fork 29
/
example.apib
469 lines (315 loc) · 15.2 KB
/
example.apib
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
FORMAT: 1A
HOST: https://api.example.com
# Blueprint Docs
*This API blueprint is subject to change due to technology restrictions, performance optimizations or changing requirements.*
## Authentication
+ This API uses [JWT](http://jwt.io/) for authentication,
+ Every token MUST be refreshed before its expiration time,
+ Token MUST be provided in `Authorization` header,
+ Toke MUST be provided for each request that requires authentication,
+ This API issues a **long-lived access tokens** for consumers. A long-lived JWT generally SHOULD lasts about **30 days**. If no requests are made, the token MUST expire and the user MUST go through the login flow again to get a new one.
> A custom scheme like "JWT" seems to be more appropriate than coercing the OAuth2 Bearer scheme.
### Example Header
```
Authorization: JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhNnZoQW8zRkc3dDEiLCJuYW1lIjoiSm9obiBEb2UiLCJpYXQiOjE0NzA1OTg5NzIsImV4cCI6MTQ3MDY4NTM3Mn0.ltA9zZmJKszBJuuV7pTWtY7LzLXrRUfebJDhy_jGMeM
```
### Claims
+ `exp` - The exp ( *expiration time* ) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing.
+ `iat` - The iat ( *issued at* ) claim identifies the time at which the JWT was issued.
+ `sub` - The aud ( *audience* ) claim identifies the subject of this token (for e.g. a user id).
+ `iss` - The iss ( *issuer* ) claim identifies the principal that issued the JWT.
## Consumer Identification
This API uses `User-Agent` and `Application-Id` headers to identify API consumer. `Application-Id` MUST contain an UUID that uniquely identifies a particular consumer installation.
### Example Headers
```
User-Agent: Mozilla/5.0 (Linux; Android 4.4; Nexus 5 Build/_BuildID_) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36
Application-Id: 6454d937-0a18-44a8-b482-bb48684f1ed4
```
## Filtering, Ordering, Pagination & Searching
### Filtering
This API can filter returned collections based on provided query parameters. Virtually any model field can be used as a filter.
For example, when requesting a list of movies from the /movies endpoint, you may want to limit these to only those of drama genre. This could be accomplished with a request like `GET /movies?genre=drama`. Here, genre is a query parameter that implements a filter.
### Ordering
This API can sort returned collections. A generic query parameter `sort` is used to describe sorting rules. This parameter can take a list of comma separated field, each with a possible unary negative to imply descending sort order.
E.g. `GET /movies?sort=-rating` - Retrieves a list of movies in descending order of user rating.
By default all resources are ordered by their creation time, from newest to oldest.
### Pagination
This API uses the [Link header - RFC 5988](http://tools.ietf.org/html/rfc5988#page-6) to include pagination details.
An example of a Link header is described in [GitHub documentation](https://developer.github.com/guides/traversing-with-pagination/).
This API returns total count of paged resources in `Total-Count` HTTP header.
### Searching
This API uses a generic parameter `search` to expose a full text search mechanism.
## HTTP Methods
This API uses HTTP verbs (methods) as following:
+ `GET` - *Read* - used to **read** (or retrieve) a representation of a resource,
+ `POST` - *Create* - used to **create** new resources. In particular, it's used to create subordinate resources.
+ `PUT` - *Update/Replace* - used for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. On successful request, replaces identified resource with the request body.
+ `PATCH` - *Update/Modify* - used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource.
+ `DELETE` - *Delete* - used to **delete** a resource identified by a URI.
## Localization
This API uses `Accept-Language` header to identify the locale.
`Accept-Language: en`
This header SHOULD be present in every request. If not, API MUST use the **english** language/locale.
## Media Type
Where applicable this API MUST use the JSON media-type. Requests with a message-body are using plain JSON to set or update resource states.
`Content-type: application/json` and `Accept: application/json` headers SHOULD be set on all requests if not stated otherwise.
## Notational Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119](https://www.ietf.org/rfc/rfc2119).
## Representation of Date and Time
All exchange of date and time-related data MUST be done according to ISO 8601 standard and stored in UTC.
When returning date and time-related data `YYYY-MM-DDThh:mm:ss.SSSZ` format MUST be used.
## Resource IDs
This API uses short non-sequential url-friendly unique ids. Every resource id MUST consists of 9 url-friendly characters: `A-Z`, `a-z`, `0-9`, `_` and `-`.
### Example
`a6vhAo3FG7t1`
## Status Codes and Errors
This API uses HTTP status codes to communicate with the API consumer.
+ `200 OK` - Response to a successful GET, PUT, PATCH or DELETE.
+ `201 Created` - Response to a POST that results in a creation.
+ `204 No Content` - Response to a successful request that won't be returning a body (like a DELETE request).
+ `400 Bad Request` - Malformed request; form validation errors.
+ `401 Unauthorized` - When no or invalid authentication details are provided.
+ `403 Forbidden` - When authentication succeeded but authenticated user doesn't have access to the resource.
+ `404 Not Found` - When a non-existent resource is requested.
+ `405 Method Not Allowed` - Method not allowed.
+ `406 Not Acceptable` - Could not satisfy the request Accept header.
+ `415 Unsupported Media Type` - Unsupported media type in request.
### Error response
This API returns both, machine-readable error codes and human-readable error messages in response body when an error is encountered.
#### Example
##### Validation Error
```js
{
"statusCode": 400,
"error": "Bad Request",
"message": "Invalid query parameters",
"data": {
"code": 10003,
"validation": {
"details":[
{
"message": "\"name\" is required",
"path": "name",
"type": "any.required",
"context": {
"key": "name"
}
},{
"message": "\"email\" must be a valid email",
"path": "email",
"type": "string.email",
"context": {
"value": "foo",
"key": "email"
}
}
],
"source": "query",
"keys": [ "name","email" ]
}
}
}
```
##### Generic Error
```js
{
"statusCode": 403,
"error": "Forbidden",
"message": "Your account is suspended and is not permitted to access this feature",
"data": {
"code": 13003
}
}
```
#### Error Codes Dictionary
+ `10003` - Invalid query parameters
+ `10005` - Date is not in ISO 8601 standard
+ `10010` - Invalid Content-Type
+ `10011` - Invalid User-Agent
+ `10012` - Invalid or missing Application-Id
+ `11001` - Invalid or expired token
+ `11003` - Bad authentication data - *Method requires authentication but it was not presented or was wholly invalid.*
+ `11005` - Account not allowed to access this endpoint
+ `13003` - Your account is suspended and is not permitted to access this feature
## Versioning
This API uses `Api-Version` header to identify requested version. Every **minor** version SHOULD be backward compatible. However, **major** versions MAY introduce *breaking changes*.
`Api-Version: 1.0.0`
This header SHOULD be present in every request. If not, API MUST use the newest available major release.
If requested version is not available, API SHOULD try to fall back to the next available minor release.
# Group Authentication
## User login [/auth/login]
Access tokens are required to access nearly all endpoints of this API.
### Retrieve a token [POST]
Allows to retrieve a valid JSON Web Token for username and password.
**Endpoint information**
| | |
|-------------------------|-----|
| Requires authentication | No |
| Has restricted scope | No |
+ Request (application/json)
+ Attributes
+ login: `[email protected]` (string, required) - User email address
+ password: `QXR0mi38a2` (string, required) - User password
+ Response 200 (application/json)
+ Attributes
+ token: `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9....` (string) - JSON Web Token.
## Refresh a token [POST /auth/refresh-token]
Allows to retrieve a new, valid JSON Web Token based on a valid JSON Web Token.
Expired tokens MUST NOT be refreshed.
**Endpoint information**
| | |
|-------------------------|-----|
| Requires authentication | Yes |
| Has restricted scope | No |
+ Request
+ Headers
Authorization: JWT <token>
+ Response 200 (application/json)
+ Attributes
+ token: `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9....` (string) - New JWT
## User registration [/auth/register]
### Register a new user [POST]
Creates a new user account.
+ Provided email address MUST be unique.
+ Passwords MUST have at least six characters.
+ Passwords MUST NOT contain the user name or parts of the user’s full name, such as his first name.
+ Passwords MUST use at least three of the four available character types: lowercase letters, uppercase letters, numbers, and symbols.
After successful registration a confirmation email MUST be sent to provided address.
**Endpoint information**
| | |
|-------------------------|-----|
| Requires authentication | No |
**Error codes**
| | | |
|-------|---------| ------------------------------------------- |
| `400` | `4001` | Password doesn't match password guidelines |
| `400` | `3001` | User already exists |
+ Request (application/json)
+ Attributes
+ email: `[email protected]` (string, required) - E-mail address.
+ password: `QXR0mi38a2` (string, required) - User password.
+ Response 201
# Group User
## Current user profile [/users/me]
Current user MUST be identifed by JWT provided in request header.
### Retrieve profile of the current user [GET]
Retrieves the profile of the current user.
**Endpoint information**
| | |
|-------------------------|-----|
| Requires authentication | Yes |
| Has restricted scope | No |
+ Request
+ Headers
Authorization: JWT <token>
+ Response 200 (application/json)
+ Attributes (User)
### Partialy update a profile of the current user [PATCH]
Updates a profile of the current user setting the values of the parameters passed. Any parameters not provided will be left unchanged.
**Endpoint information**
| | |
|-------------------------|-----|
| Requires authentication | Yes |
| Has restricted scope | No |
+ Request (application/json)
+ Headers
Authorization: JWT <token>
+ Attributes
+ name: `Ben` (string) - First name of the user.
+ Response 200 (application/json)
+ Attributes (User)
## User password [/users/me/password]
### Change a password of the current user [PUT]
Changes user password.
After password is changed all access tokens issued for this user prior to password change must be invalidated.
**Endpoint information**
| | |
|-------------------------|-----|
| Requires authentication | Yes |
| Has restricted scope | No |
**Error codes**
| | | |
|-------|---------| ----------------------------------------- |
| `400` | `4001` | Password doesn't match password guidelines |
+ Request (application/json)
+ Headers
Authorization: JWT <token>
+ Attributes
+ old_password: `secret` (string, required)
+ new_password: `$3C6e7` (string, required)
+ Response 200
+ Attributes
+ token: `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...` (string) - New JSON Web Token.
## User avatar [/users/me/avatar]
### Set user avatar [POST]
Sets user avatar.
Either upload the raw binary ( **media** parameter) of the file, or its base64-encoded contents ( **media_data** parameter). Use raw binary when possible, because base64 encoding results in larger file sizes.
**Endpoint information**
| | |
|-------------------------|-----|
| Requires authentication | Yes |
| Has restricted scope | No |
**Error codes**
| | | |
|-------|---------| --------------------- |
| `400` | `2001` | File is too large |
| `400` | `2002` | Unsupported file type |
+ Request (multipart/form-data)
+ Headers
Authorization: JWT <token>
+ Response 200
+ Attributes
+ avatar: `https://...` (string) - Public download URL
### Delete user avatar [DELETE]
Restores user avatar to the default one.
**Endpoint information**
| | |
|-------------------------|-----|
| Requires authentication | Yes |
| Has restricted scope | No |
+ Request
+ Headers
Authorization: JWT <token>
+ Response 204
## Users [/users]
### List all users [GET]
Returns a list of users. The users are returned in sorter order, with the most recently created user accounts appearing first.
| | |
|-------------------------|-----|
| Requires authentication | Yes |
| Has restricted scope | No |
+ Request
+ Headers
Authorization: JWT <token>
+ Response 200 (application/json)
+ Attributes (array[User])
## User [/users/{id}]
+ Parameters
+ id: `a6vhAo3FG7t1` (string) - id of the user.
### Retrieve a user [GET]
Retrieves the details of an existing user.
| | |
|-------------------------|-----|
| Requires authentication | Yes |
| Has restricted scope | No |
**Error codes**
| | | |
|-------|---------| ----------------------------- |
| `400` | `1000` | Referenced resource not found |
+ Request
+ Headers
Authorization: JWT <token>
+ Response 200 (application/json)
+ Attributes (User)
+ Response 404
# Data Structures
## Resource (object)
+ id: `a6vhAo3FG7t1` (string, fixed) - Short non-sequential url-friendly unique id.
+ createdAt: `2016-07-01T15:11:09.553Z` (string) - ISO Date/time string. When this resource was created.
+ updatedAt: `2016-07-01T15:11:09.553Z` (string) - ISO Date/time string. When this resource was last updated.
## User (Resource)
+ email: `[email protected]` (string, required) - Login. Unique email address of the user.
+ facebookId: `888047057953991` (number, optional, nullable) - Facebook ID of the user if user account is linked to the Facebook account.
+ name: `John` (string, optional, nullable) - First name of the user.
+ surname: `Doe` (string, optional, nullable) - Last name of the user.
+ avatar (string, optional, nullable) - URL to user avatar.