REST API
The API files are located in the `/api` folder. The structure of these files is simple: there is a list of endpoints, each of which connects directly to the relevant controller method.

```javascript
api.post('/api/account', use(accountController.create));
```
Each controller call is wrapped in a HOC (higher-order component) called `use`. This is a middleware function that catches any error thrown by the controller method and passes it to a global error handler, so you do not have to wrap every controller in `try...catch` yourself.

You can protect any API route and make it accessible only to a specific user permission level or API key scope using the `auth.verify` middleware method. Pass the required user permission as the first argument and an optional API scope as the second.

```javascript
// protect using a user permission
api.get('/api/user', auth.verify('user'), use(userController.get));

// protect using a user permission and api scope
api.get('/api/user', auth.verify('user', 'account.read'), use(userController.get));
```
You can access the API using one of two methods:
1. Using a Bearer token
2. Using an API key
Bearer tokens are JWTs that are used to authenticate the user. You can use a Bearer token with the API by passing it in the `Authorization` header:

```
Bearer your_jwt
```
API keys can be created by a user with either the owner or the developer permission and can be used to access any endpoint that has an API scope (see the protected routes section above).

API keys are stored in the database in plain text to remove the decryption overhead on each API call, and so that the user can retrieve an API key if they lose it.

For most applications this is acceptable: if your database is breached and the API keys are stolen, the attacker already has access to all of your data, so encryption provides minimal protection in this scenario.
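As an added illustration of the `use` wrapper and the `auth.verify` middleware described above, and of how the two credential types (Bearer JWT and API key with scope) are checked, here is a small Express-free JavaScript model; it is example code, not the project's own implementation. The permission ranking, the in-memory session and API key stores, the `parseAuthorization` helper and the `run` driver are assumptions made for this example.

```javascript
// Hypothetical permission ranking (assumption); a higher rank satisfies a lower requirement.
const PERMISSION_RANK = { user: 1, developer: 2, owner: 3 };
// Constructed stand-ins for the JWT session store and the API key table.
const SESSIONS = { 'jwt.for.kyle': { userId: 'u1', permission: 'user' } };
const API_KEYS = { key_abc123: { userId: 'u2', permission: 'owner', scopes: ['account.read'] } };
// use(): wrap an async controller so a thrown error or rejected promise reaches next(),
// i.e. the global error handler, instead of leaving the request hanging.
function use(fn) {
  return (req, res, next) => Promise.resolve(fn(req, res, next)).catch(next);
}
// Split "Bearer <jwt>" or "Basic <api key>" into its parts; null if malformed or missing.
function parseAuthorization(header) {
  const [type, credential] = (header || '').split(' ', 2);
  return credential && (type === 'Bearer' || type === 'Basic') ? { type, credential } : null;
}
// auth.verify(permission, scope): identify the caller, then enforce the required
// permission level and, for API keys, the scope declared on the route.
function verify(permission, scope) {
  return (req, res, next) => {
    const auth = parseAuthorization(req.headers.authorization);
    let principal = null;
    if (auth && auth.type === 'Bearer') principal = SESSIONS[auth.credential] || null;
    if (auth && auth.type === 'Basic') {
      const key = API_KEYS[auth.credential];
      // An API key only reaches routes that declare a scope, and it must hold that scope.
      if (key && scope && key.scopes.includes(scope)) principal = key;
    }
    if (!principal) return res.status(401).send({ message: 'Unauthorized' });
    if (PERMISSION_RANK[principal.permission] < PERMISSION_RANK[permission]) return res.status(403).send({ message: 'Forbidden' });
    req.user = principal;
    return next();
  };
}
// Demo controllers: one answers normally, one fails the way a database outage would.
const userController = {
  async get(req, res) { res.send({ id: req.user.userId }); },
  async fail() { throw new Error('database unavailable'); },
};
// Drive a middleware chain over a constructed request (no Express needed) and return
// the status/body the client would see; 500 stands in for the global error handler.
async function run(handlers, req) {
  const res = { statusCode: 200, body: null, status(c) { this.statusCode = c; return this; },
    send(b) { this.body = b; return this; } };
  for (const handler of handlers) {
    let nextErr = null, nextCalled = false;
    await handler(req, res, (err) => { nextCalled = true; nextErr = err || null; });
    if (nextErr) return { statusCode: 500, body: { message: nextErr.message } };
    if (!nextCalled) break; // the handler sent the response itself
  }
  return { statusCode: res.statusCode, body: res.body };
}
```

Calling `run([verify('user', 'account.read'), use(userController.get)], req)` with a valid key in the `Authorization: Basic ...` header resolves to status 200, while the same key on a route whose `verify` has no scope argument is rejected with 401.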
The following example demonstrates how to make an API request in JavaScript with the Axios package and Basic authentication.

```javascript
const res = await axios({
  url: 'https://yourdomain.com/api/user',
  method: 'POST',
  data: {
    email: 'kyle',
    password: 'test1'
  },
  headers: {
    Authorization: 'Basic YOUR_API_KEY'
  },
});
```
API requests are globally rate-limited as defined by the `throttle` settings in config. The following endpoints have their own lower rate limits for security purposes:

- POST /api/account
- POST /api/user
- POST /api/user/auth
- POST /api/user/password/reset/request
- POST /api/user/password/reset
Every API request is logged in the `log` table by default. You can toggle this on or off using the `ENABLE_API_LOGS` environment variable:

```
ENABLE_API_LOGS=true
```
There is a Swagger file included in `api/spec.yaml` with documentation and examples for each endpoint using the OpenAPI 3.0 spec. You can import this into Postman for easy testing.