A bidirectional API so other apps (Home Assistant, phone shortcuts, scripts, and the coming MCP server) can read and update the homestead. - ApiToken model (sha256-hashed, scoped, with prefix/lastUsed/expiry/revoke) - authenticateRequest() accepts EITHER a NextAuth cookie session OR a Bearer PAT; cookie sessions get full access, tokens are limited to their scopes (write implies read; resource and global wildcards). ApiError + handleApiError - Shared service layer (plants/tasks/locations/plant-types) reused by every endpoint and, later, the MCP server — logic lives once - /api/v1: plants (read + add log), plant-types, locations, tasks (read/create/ complete), and a whoami/discovery root - Settings → API tokens: create with per-resource read/write checkboxes, raw token shown once, revoke; tokens added to backup/restore - Pure tests for scope matching + token hashing; verified end-to-end (401/403/ 201, lastUsedAt) against a running server Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
14 lines
470 B
TypeScript
14 lines
470 B
TypeScript
import { NextResponse } from "next/server";
|
|
import { authenticateRequest, handleApiError } from "@/lib/api/authenticate";
|
|
import { getPlant } from "@/lib/services/plants";
|
|
|
|
// GET /api/v1/plants/:id
|
|
export async function GET(req: Request, { params }: { params: { id: string } }) {
|
|
try {
|
|
const ctx = await authenticateRequest(req, "plants:read");
|
|
return NextResponse.json(await getPlant(ctx, params.id));
|
|
} catch (err) {
|
|
return handleApiError(err);
|
|
}
|
|
}
|