Ain_el_Aql_backend / docs /API_REFERENCE.md
Pant0x's picture
Deploy Ain El Aql Backend to HF Spaces (no secrets)
f315c76
|
Raw
History Blame Contribute Delete
8.42 kB
# API Reference
Base URL is the deployed backend host.
Recommended production backend host:
- Railway service URL for this repository
Current public model-service host (used by backend when `MODEL_INFERENCE_PROVIDER=remote`):
- `https://pant0x-ealpr-ocr.hf.space`
## Authentication Model
Most business endpoints require:
- `Authorization: Bearer <supabase_access_token>`
- For device integrations, backend can also accept:
- `Authorization: Bearer <barrier_token>`
- Enabled when `BARRIER_API_TOKEN` or `BARRIER_API_TOKENS` is configured.
Auth behavior is controlled by backend env config.
### Backend auth endpoints
1. `POST /auth/register`
- JSON body:
- `first_name` (recommended)
- `last_name` (recommended)
- `username` (required)
- `phone` or `phone_number` (required)
- `password` (required)
- `email` (optional)
- `nid` or `national_id` (optional)
- legacy fallback: `full_name` or `name` (optional)
- optional vehicle payload fields:
- `plate_letters_ar`, `plate_numbers_ar`
- `plate_letters_en`, `plate_numbers_en`
- `car_model`, `car_color`
- or nested under `vehicle` object
- Returns user object + session tokens.
- `user.full_name` is derived from `first_name + last_name`.
- Register contract is idempotent for OTP-created users: if OTP verify already created/authenticated a user for the same email, register finalizes profile/password instead of failing on duplicate email for the same account.
2. `POST /auth/login`
- JSON body:
- `identifier` (username OR phone OR email OR nid)
- `password`
- Also accepts direct keys (`username`, `phone`, `email`, `nid`) instead of `identifier`.
- Returns user object + session tokens.
3. `POST /auth/otp/request`
- JSON body:
- `purpose` (`register`, `vehicle_verify`, `profile_update`)
- `channel` (`email` or `phone`)
- contact value (`email` or `phone`) unless inferable from authenticated profile
- optional `redirect_to` for email OTP link flows
- Sends OTP via Supabase auth.
- For `purpose=register|signup`, backend forces `create_user=true` to ensure new emails/phones can receive OTP for account creation.
- For non-register purposes, `create_user` from client is still honored.
- If OTP signup is disabled in provider config for register flow, API returns a clear contract error:
`OTP signup is disabled in backend auth configuration (otp_disabled). purpose=register cannot proceed with OTP until OTP signups are enabled.`
4. `POST /auth/otp/verify`
- JSON body:
- `channel` (`email` or `phone`)
- `otp_token`
- contact value (`email` or `phone`)
- optional `verify_type`
- Verifies OTP and returns auth session payload.
## Endpoint Catalog
### Authentication
1. `POST /auth/register`
2. `POST /auth/login`
3. `POST /auth/otp/request`
4. `POST /auth/otp/verify`
5. `POST /auth/forgot-password`
- JSON body:
- `identifier` (username OR phone OR email OR nid)
- optional `redirect_to` URL (HTTPS or app deep-link scheme)
- Backend always forwards a reset redirect URL to Supabase:
- payload `redirect_to` if provided, otherwise
- `PASSWORD_RESET_REDIRECT_URL` env, otherwise
- `<backend-host>/auth/reset-password-page`
6. `POST /auth/reset-password`
- JSON body:
- `access_token`
- `new_password`
7. `POST /auth/reset-password/resolve-token`
- JSON body:
- one of: `access_token`, `token_hash`, `code`
- optional: `type` (defaults to `recovery`), `email`
- Resolves Supabase recovery links that provide `token_hash`/`code` into a usable access token.
8. `GET /auth/reset-password-page`
- Hosted reset page that reads token from the recovery link, submits to `/auth/reset-password`, then shows a success view and auto-opens the app deep link.
9. `GET /auth/reset-password-bridge`
- Bridge page that opens mobile deep link reset flow (`ainelaql://auth/reset`) and provides browser fallback.
### User profile
1. `PUT /profile/update`
- JSON body (any subset):
- `first_name`
- `last_name`
- `full_name`
- `phone` or `phone_number`
- `email`
- Updates profile metadata and mirrors auth metadata.
- `full_name` is always normalized from `first_name + last_name` (legacy `full_name` input is still accepted and split into parts).
### Vehicles (multi-vehicle CRUD)
1. `POST /vehicles/add`
2. `GET /vehicles/my`
- Optional query: `include_inactive=true|false`
3. `PUT /vehicles/{id}`
4. `DELETE /vehicles/{id}`
5. `POST /vehicles/verify`
- OTP-backed ownership verification for a vehicle.
### Notifications
1. `POST /notifications/fcm-token`
- Stores or updates FCM token for the authenticated user.
2. `GET /notifications/my`
- Returns latest notification events for the authenticated user.
- Notification events are server-generated (service role).
- Authenticated users can only update their own `read_at` state; they cannot create, delete, or edit notification content.
### Health and diagnostics
1. `GET /`
- Lightweight service entry endpoint.
- Returns links to docs and health endpoints.
2. `GET /health`
- Service health, inference provider wiring, and pricing config snapshot.
3. `GET /supabase/health`
- Supabase readiness checks (tables, buckets, auth wiring).
4. `GET /models`
- Inference provider details and local model info when local loading is enabled.
### Inference and session events
1. `POST /predict`
- Input: `multipart/form-data`
- Required: `image`
- Optional: `event_type`, `parking_location`, `camera_source`
- Auth:
- Supabase user token (mobile/web/staff clients), or
- barrier token (camera/barrier devices)
- Returns AI output + pricing + gate decision + persistence metadata.
2. `POST /model/infer`
- Input: `multipart/form-data`
- Required: `image`
- Intended for backend-to-backend model inference calls.
- Requires `MODEL_SERVICE_ENABLE_LOCAL_ENDPOINT=true` in the model runtime.
- If `MODEL_SERVICE_SHARED_SECRET` is configured, caller must send the configured header.
### Operations feeds
1. `GET /events/entered-cars`
2. `GET /events/leaving-cars-within-5-minutes`
3. `GET /events/left-cars`
4. `GET /events/inside-cars`
5. `GET /parking/history`
Common optional query params:
- `limit`
- `for_user_id` (global-scope roles: `admin`, `security`, `barrier`)
### Location pricing and occupancy
1. `GET /parking/locations`
- Returns pricing defaults + garage occupancy + per-location pricing/occupancy blocks.
- Occupancy includes breakdown fields:
- `inside_from_registered_sessions`
- `inside_from_inferred_unmatched`
2. `GET /parking/occupancy`
- Returns occupancy-focused response for dashboards.
- Uses same occupancy breakdown fields under each location.
### Payments and gate flow
1. `POST /payments/paymob/create`
2. `POST /payments/paymob/webhook`
3. `POST /payments/manual/cash-confirm`
4. `POST /gate/decision`
`POST /gate/decision` can be called by:
- session owner
- staff roles (`admin`, `security`)
- `barrier` role token
### Maintenance
1. `POST /admin/maintenance/weekly-refresh`
## Key Response Blocks (Flutter-critical)
From `/predict` and feed/history responses, consume:
1. `plate_info` and normalized `plate` sections
2. `app_registration`
3. `payment_status`
4. `pricing`
5. `gate_decision`
6. `left_within_5_minutes`
7. image fields under `user_page` and `admin_page`
8. Supabase persistence IDs/paths under `supabase`
9. `inference_provider` (`local` or `remote`)
For `GET /events/inside-cars` and `GET /parking/history`, some items can include:
1. `inferred_unmatched=true`
2. `plate` object (`key`, `arabic`, `english`)
3. `event_count`
These rows are inferred from unmatched OCR event streams (events that are not linked to a registered vehicle/session).
## Status and Error Behavior
- `400`: validation/input formatting issues
- `401`: missing/invalid auth token
- `403`: role/scope violations
- `404`: missing session/resource
- `502/503`: upstream or integration failures (Supabase/Paymob/service config)
## Testing Minimum
1. `GET /health`
2. `GET /supabase/health`
3. `POST /predict` for entry
4. `POST /predict` for exit
5. `GET /parking/locations`
6. `GET /parking/occupancy`