 |
VOOZH | about |
|
VOOZH | about |
The Customer API provides REST endpoints for customer authentication, profile management, and order access. This API uses token-based authentication via Laravel Sanctum and supports ability-based access control to differentiate between active and guest customers.
For customer authentication on the frontend web interface, see Customer Authentication. For customer account management in the admin panel, see Customer Administration.
The Customer API enables external applications and single-page applications (SPAs) to integrate with the GP247/Shop customer system. It provides authenticated access to customer data, order history, and profile information through standard REST endpoints.
The API implements:
Sources: src/Routes/Api/auth.php1-41 src/Api/Front/MemberAuthController.php1-142
Diagram: Customer API Request Flow and Component Relationships
This diagram shows how API requests flow through the routing layer, authentication middleware, controller logic, and data access layers before returning JSON responses.
Sources: src/Routes/Api/auth.php4-40 src/Api/Front/MemberAuthController.php13-141
The API routes are defined with dynamic namespace resolution to support both package-level and application-level controller overrides.
Diagram: Route Registration and Namespace Resolution Logic
The system checks for application-level controller overrides before falling back to package controllers, enabling customization without modifying core files.
Sources: src/Routes/Api/auth.php13-17 src/Routes/Api/auth.php19-37
| Method | Path | Description | Request Body | Response |
|---|---|---|---|---|
| POST | /login | Authenticate customer and generate access token | email, password, remember_me (optional) | Token object with expiration |
Sources: src/Routes/Api/auth.php19 src/Api/Front/MemberAuthController.php27-69
All protected endpoints require the Authorization: Bearer {token} header.
| Method | Path | Description | Abilities Required | Response |
|---|---|---|---|---|
| GET | /logout | Revoke current access token | User or User Guest | Success message |
| GET | /info | Get current customer profile | User or User Guest | Customer object |
| GET | /member/order/list | List customer orders with pagination | User or User Guest | Paginated order list |
| GET | /member/order/detail/{id} | Get single order details | User or User Guest | Order object |
Sources: src/Routes/Api/auth.php21-38 src/Api/Front/MemberAuthController.php87-140
Diagram: Authentication Flow with Token Creation and Ability Assignment
The authentication process validates credentials, determines customer status, assigns appropriate abilities, and sets token expiration based on the remember_me flag.
Sources: src/Api/Front/MemberAuthController.php27-69
The system uses two distinct ability scopes configured in the application config:
api_scope_user: Full access scope for active customers (status = 1)api_scope_user_guest: Limited access scope for inactive/guest customers (status = 0)Token abilities are assigned during login based on the customer's status field in the shop_customer table:
src/Api/Front/MemberAuthController.php45-49
The middleware checks these abilities on each protected request:
Sources: src/Api/Front/MemberAuthController.php45-51 src/Routes/Api/auth.php8-11 src/Routes/Api/auth.php22-25
Token expiration is controlled by two configuration values:
| Config Key | Purpose | Applied When |
|---|---|---|
gp247-config.api.auth.api_remmember | Extended expiration in days | remember_me is true |
gp247-config.api.auth.api_token_expire_default | Default expiration in days | remember_me is false or absent |
The expiration timestamp is calculated using Carbon:
src/Api/Front/MemberAuthController.php54-59
Sources: src/Api/Front/MemberAuthController.php54-59
| Field | Rule | Description |
|---|---|---|
email | required, string, email | Valid email address |
password | required, string | Customer password |
remember_me | boolean | Optional flag for extended token expiration |
src/Api/Front/MemberAuthController.php29-33
Returns HTTP 401 when credentials are invalid:
src/Api/Front/MemberAuthController.php37-40
Sources: src/Api/Front/MemberAuthController.php27-69
Revokes the current access token, preventing further use.
The logout method deletes the current access token from the database:
src/Api/Front/MemberAuthController.php87-94
Sources: src/Api/Front/MemberAuthController.php87-94
Returns the authenticated customer's profile data.
The method returns the authenticated user object directly:
src/Api/Front/MemberAuthController.php96-99
Returns the complete ShopCustomer model attributes including:
Sources: src/Api/Front/MemberAuthController.php96-99
Retrieves paginated list of customer orders with details and totals.
src/Api/Front/MemberAuthController.php106-122
The query includes:
with('details'): Eager loads order line items from shop_order_detail tablewith('orderTotal'): Eager loads financial breakdown from shop_order_total tablewhere('customer_id', $customer->id): Filters orders by authenticated customerorderBy('created_at', 'desc'): Returns newest orders firstjsonPaginate(): Applies pagination with JSON-friendly response formatSources: src/Api/Front/MemberAuthController.php106-122
Retrieves a single order with full details and totals.
src/Api/Front/MemberAuthController.php124-140
The query ensures customers can only access their own orders by filtering on both customer_id and the requested order id.
Returns the complete order object with nested relationships:
Sources: src/Api/Front/MemberAuthController.php124-140
The API uses a dedicated customer guard for authentication:
src/Api/Front/MemberAuthController.php101-104
This guard is referenced in the middleware configuration:
The customer-api guard must be configured in the application's config/auth.php to use Laravel Sanctum with the ShopCustomer model as the provider.
Sources: src/Api/Front/MemberAuthController.php101-104 src/Routes/Api/auth.php23
The MemberAuthController extends RootFrontController from the GP247/Front package and uses the AuthTrait:
src/Api/Front/MemberAuthController.php13-15
The trait provides shared authentication logic including:
mappingValidator(): Maps validation rules for customer datavalidator(): Validates input data using mapped rulessrc/Api/Front/MemberAuthController.php75-79
This validation method is available for use in the controller but is not currently called by the existing API methods. It provides a hook for custom validation logic if needed.
Sources: src/Api/Front/MemberAuthController.php13-15 src/Api/Front/MemberAuthController.php75-79
All API endpoints follow a consistent error response structure:
or
The error field is an integer flag:
0: Success1: Error conditionSources: src/Api/Front/MemberAuthController.php37-40 src/Api/Front/MemberAuthController.php118-121 src/Api/Front/MemberAuthController.php136-139
Diagram: Customer API Integration with Core Systems
The Customer API integrates with the Customer System for authentication and profile data, the Order System for order retrieval, the Configuration System for API settings, and the Authentication System for shared validation logic.
Sources: src/Api/Front/MemberAuthController.php1-142 src/Routes/Api/auth.php1-41
Refresh this wiki