KIIT-KAFFE-deploy / docs /02-api.md
Kush-Singh-26
Initial HF Spaces deploy: single-container Apache/PHP + MariaDB on port 7860
7845020
|
Raw
History Blame Contribute Delete
7.99 kB

API Documentation

Overview

This document describes the API endpoints for the KIIT Kafe Campus 25 Ordering System. All API endpoints return JSON responses and are located in the /api directory.

Common Patterns

  • All endpoints return JSON with a status field indicating success or error
  • Successful responses include relevant data in additional fields
  • Error responses include a message field describing the issue
  • Database connection is handled via include "db.php" in each endpoint
  • Session management is used for authentication state

Endpoints

Authentication

POST /api/login.php

Authenticates a user and establishes a session.

Request Body:

{
  "email": "string",
  "password": "string"
}

Success Response:

{
  "status": "success",
  "user": {
    "id": "integer",
    "name": "string",
    "email": "string",
    "phone": "string",
    "role": "string"
  }
}

Error Responses:

  • Missing fields: {"status": "error", "message": "Missing fields"}
  • Invalid password: {"status": "error", "message": "Invalid password"}
  • User not found: {"status": "error", "message": "User not found"}

POST /api/logout.php

Ends the current user session.

Request: No body required

Success Response:

{
  "status": "success",
  "message": "Logged out successfully"
}

POST /api/signup.php

Creates a new user account.

Request Body:

{
  "name": "string",
  "email": "string",
  "password": "string",
  "phone": "string"
}

Success Response:

{
  "status": "success",
  "message": "Account created successfully"
}

Error Responses:

  • Missing fields: {"status": "error", "message": "Missing fields"}
  • Email already exists: {"status": "error", "message": "Email already exists"}

POST /api/forgot_password.php

Initiates password reset process.

Request Body:

{
  "email": "string"
}

Response: Always returns success for security (to prevent email enumeration)

{
  "status": "success",
  "message": "If the email exists, reset instructions have been sent"
}

POST /api/get_session.php

Checks if a user is currently logged in and returns session data.

Request: No body required

Success Response:

{
  "status": "success",
  "user": {
    "id": "integer",
    "name": "string",
    "email": "string",
    "phone": "string",
    "role": "string"
  }
}

Error Response:

{
  "status": "error",
  "message": "Not logged in"
}

POST /api/update_profile.php

Updates the currently logged-in user's profile information.

Request Body:

{
  "name": "string",
  "email": "string",
  "phone": "string",
  "password": "string" // optional
}

Success Response:

{
  "status": "success",
  "message": "Profile updated successfully"
}

Error Responses:

  • Missing fields: {"status": "error", "message": "Missing fields"}
  • Email already exists: {"status": "error", "message": "Email already exists"}

Menu & Cart

GET /api/menu.php

Retrieves all menu items with stock levels and popularity data.

Request: No parameters required

Success Response:

[
  {
    "id": "integer",
    "name": "string",
    "description": "string",
    "price": "float",
    "category": "string",
    "image_url": "string",
    "stock": "integer",
    "popularity": "integer",
    "emoji": "string",
    "cat": "string",
    "img": "string",
    "sub": "string"
  }
]

Order Management

POST /api/create_order.php

Creates a new order from cart items.

Request Body:

{
  "order_code": "string",
  "user_id": "integer",
  "total": "float",
  "payment_method": "string", // "Cash" or "UPI"
  "items": [
    {
      "id": "integer",
      "name": "string",
      "qty": "integer",
      "price": "float"
    }
  ]
}

Success Response:

{
  "status": "success",
  "order_id": "integer"
}

Error Responses:

  • Missing fields: {"status": "error", "message": "Missing fields"}
  • Insufficient stock: {"status": "error", "message": "Insufficient stock for item: {item_name}"}
  • Order failed: {"status": "error", "message": "Order failed: {error_message}"}

POST /api/get_orders.php

Retrieves all orders (admin only).

Request: No parameters required

Success Response:

[
  {
    "id": "integer",
    "order_code": "string",
    "user_id": "integer",
    "total": "float",
    "status": "string", // Pending, Preparing, Completed, Failed, Invalid
    "payment_method": "string", // Cash or UPI
    "created_at": "timestamp"
  }
]

POST /api/get_user_orders.php

Retrieves orders for the currently logged-in user.

Request: No parameters required

Success Response:

[
  {
    "id": "integer",
    "order_code": "string",
    "total": "float",
    "status": "string",
    "payment_method": "string",
    "created_at": "timestamp"
  }
]

POST /api/get_order_status.php

Gets the status of a specific order.

Request Body:

{
  "order_id": "integer"
}

Success Response:

{
  "status": "string" // Pending, Preparing, Completed, Failed, Invalid
}

POST /api/cancel_order.php

Cancels an order (admin only).

Request Body:

{
  "order_id": "integer"
}

Success Response:

{
  "status": "success",
  "message": "Order cancelled successfully"
}

POST /api/validate_cart.php

Validates that cart items are still in stock before checkout.

Request Body:

{
  "items": [
    {
      "id": "integer",
      "qty": "integer"
    }
  ]
}

Success Response:

{
  "status": "success"
}

Error Response:

{
  "status": "error",
  "message": "Insufficient stock for item: {item_name}"
}

Admin Functions

POST /api/admin_menu_actions.php

Handles admin actions on menu items (add, edit, delete).

Request Body:

{
  "action": "string", // add, edit, delete
  "food_id": "integer", // required for edit/delete
  "name": "string",
  "description": "string",
  "price": "float",
  "category": "string",
  "image_url": "string"
}

Success Response:

{
  "status": "success",
  "message": "{action} successful"
}

POST /api/admin_order_actions.php

Handles admin actions on orders (update status).

Request Body:

{
  "order_id": "integer",
  "status": "string" // Pending, Preparing, Completed, Failed, Invalid
}

Success Response:

{
  "status": "success",
  "message": "Order status updated successfully"
}

POST /api/admin_stats.php

Retrieves statistics for admin dashboard.

Request: No parameters required

Success Response:

{
  "total_users": "integer",
  "total_orders": "integer",
  "total_revenue": "float",
  "top_items": [
    {
      "name": "string",
      "total_sold": "integer"
    }
  ],
  "recent_orders": [
    {
      "order_code": "string",
      "total": "float",
      "status": "string",
      "created_at": "timestamp"
    }
  ]
}

GET /api/setup_db.php

Initializes the database with tables and sample data.

Request: No parameters required

Success Response:

{
  "status": "success",
  "message": "Database setup completed successfully"
}

Security Notes

  1. Passwords are compared directly in login.php (should be hashed in production)
  2. No CSRF protection implemented
  3. No rate limiting on authentication endpoints
  4. Admin endpoints rely on client-side role checking (should be verified server-side)
  5. SQL injection is prevented through prepared statements in most endpoints

Error Handling

  • All endpoints wrap database operations in try-catch blocks
  • Transactions are used for operations that modify multiple tables
  • On error, transactions are rolled back to maintain data consistency
  • Database connection errors return a generic message to avoid information leakage