Web API ======= The web API is consumed by the `Sulu CMS`_ frontend and by public mobile apps. It uses the same prefix as the :doc:`/rest_api/index` plus ``/web``, therefore the standard prefix normally is ``/api/web``. All endpoints below must be prefixed with this and your domain name. .. code-block:: text https://tag.example.com/api/web .. _`Sulu CMS`: http://docs.sulu.io/en/latest/ .. _Web API vs REST API: Web API vs REST API ------------------- **Authentication and Privileges** The :doc:`/rest_api/index` is available for high privilege devices, the apps consuming it are issued dedicated credentials that can be revoked at any time, their source code is not public and no build is released to the public. The :doc:`/web_api/index` is available for public apps and the mobile site, it uses a loose authentication based on a unique code assigned to each delegate and allows changes only to the owner's record. Some of its method might also implement rate limiting or throttling to prevent abuse. **Time Travel** Time travel is not allowed for the Web API, sending a "recordedAt" timestamp against an interaction is forbidden, such value is always set to the current timestamp. **State** The state of a delegate is always calculated server-side, this is to prevent duplication of the logic on both server and client. A client is free to perform additional checks, but in case of a conflict the server state should prevail. **Session** Another big difference is that the Web API is **stateful** or **stateful-like**, and implements security measures to prevent *XSS* and *CSRF* attacks. These measures are based on the session kept through HTTP Cookie for Angular/React apps. .. _`GET /delegate/myself`: GET /delegate/myself -------------------- Returns the current **delegate state**. While the **UI state** is stored only in the client local storage, the data state is always computer server side, the client might guess it and keep track of it locally to improve performance but should always rely on the server version if local and remote state don't match. Fear not, every request meant to have an effect on the state will return the updated state, so you probably need to call this just once and react to you own actions according to what the state has become. The state includes all delegate information, including delegate connections, joined devices and check-ins. See the example below: .. code-block:: json { "delegate": { "data": [], "barcode": "0123456789", "id": 4, "email": "giovanni@satellite.co.nz", "sources": [ "admin" ], "createdAt": "2017-10-09T14:32:14+13:00", "updatedAt": "2017-10-10T14:42:39+13:00" }, "unlockDelegates": [], "relations": { "join": { "4-1-0": { "recordedAt": 1507520650, "delegate_id": 4, "device_id": 1 } }, "checkIn": { "4-1-0": { "recordedAt": 1507520624, "delegate_id": 4, "device_id": 1 } }, "connect": { "4-1-4": { "recordedAt": 1507590718, "delegate_id": 4, "device_id": 1, "targetDelegate_id": 4 } }, "connected": { "4-1-4": { "recordedAt": 1507590693, "delegate_id": 4, "device_id": 1, "targetDelegate_id": 4 } }, "booking": { "4-2-0": { "recordedAt": 1507599562, "delegate_id": 4, "device_id": 2 } }, "invite": { "4-2-6": { "recordedAt": 1507599627, "delegate_id": 4, "device_id": 2, "targetDelegate_id": 6 }, "4-2-5": { "recordedAt": 1507599734, "delegate_id": 4, "device_id": 2, "targetDelegate_id": 5 } }, "notifyInvitees": { "4-2-0": { "recordedAt": 1507599759, "delegate_id": 4, "device_id": 2 } } } } .. note:: This is fundamentally different from the REST :ref:`rest_api_get_delegate_idtype_id` in that this processes all delegate data and history to provide a snapshot of the current state. Also this might contain session derived information. Another difference is that your current state is cached for a while, until it gets flagged as stale or an action clears it. GET /delegate/list ------------------ Returns all *visible* delegates and their public details. Depending on your current data state, in particular your connections you might see more details against delegates that have accepted to connect with you. .. code-block:: json [ { "id": 4, "firstName": "Giovanni", "lastName": "Gioffreda", "email": "giovanni@satellite.co.nz" }, { "id": 5, "firstName": "John", "lastName": "Doe" }, { "id": 6, "firstName": "Jane", "lastName": "Doe" }, { "id": 14, "firstName": "Walter", "lastName": "White" }, { "id": 20, "firstName": "Barry", "lastName": "Smith" } ] .. note:: See `Web API vs REST API`_. GET /device/list ---------------- Return all *visible* devices and their public details. Depending on your current data state, in particular your joins and check-ins you might see more details against devices you've interacted with. By default this method returns only sessions, if you are looking for another device type you can specify the type you want in your query (the first two calls are equivalent): .. code-block:: text /device/list /device/list?type=session /device/list?type=room /device/list?type=bookable .. include:: /partial/devices.rst Below is a response: .. code-block:: json [ { "id": 2, "name": "Meeting Table 1", "code": "mt1", "startAt": 1507662000, "endAt": 1507698000 }, { "id": 3, "name": "Meeting Table 2", "code": "mt2", "startAt": 1507662000, "endAt": 1507698000 } ] .. note:: See `Web API vs REST API`_. POST /device-interaction/log ---------------------------- Posts a device interaction. Returns the current state as per `GET /delegate/myself`_. Below you find some sample requests .. code-block:: js // posting a check-in to session with ID 2 { "device_id": 2, "interactionType": "check-in" } .. code-block:: js // joining the session with ID 2 { "device_id": 2, "interactionType": "join" } .. code-block:: js // booking meeting table with ID 3 { "device_id": 3, "interactionType": "book" } .. code-block:: js // invite delegate ID 14 to the booked meeting table with ID 3 { "device_id": 3, "interactionType": "invite", "targetDelegate_id": 14 } .. include:: /partial/device_interactions.rst POST /lead ---------- Posts a lead. Returns the current state as per `GET /delegate/myself`_.