# memberapi.ose.tw backend

## Quick start

```bash
cd backend
python -m venv .venv
source .venv/bin/activate
pip install -e .
cp .env.example .env
./scripts/start_dev.sh
```

## Required DB setup

1. Initialize the API client whitelist table with `docs/API_CLIENTS_SQL.sql`.
2. Initialize the core tables with `backend/scripts/init_schema.sql`.
3. Generate an `api_key_hash` and update the matching `api_clients` record, e.g.:

```bash
python scripts/generate_api_key_hash.py 'YOUR_PLAIN_KEY'
```

Only the hash is stored in `api_clients`; hand the plain key to the client out of band, and be aware that passing it on the command line leaves it in your shell history.

## Authentik JWT setup

- Configure at least one of:
  - `AUTHENTIK_JWKS_URL`
  - `AUTHENTIK_ISSUER` (the service infers the `/jwks/` URL from it)
- Optional:
  - `AUTHENTIK_AUDIENCE` (enables audience claim validation; without it the `aud` claim is not checked, so tokens minted for other applications under the same issuer are accepted)
  - `AUTHENTIK_CLIENT_ID` (used by `/auth/login`; falls back to `AUTHENTIK_AUDIENCE`)
  - `AUTHENTIK_CLIENT_SECRET` (required if your access/id token uses HS256 signing)
  - `AUTHENTIK_TOKEN_ENDPOINT` (default: `/application/o/token/`)
  - `AUTHENTIK_USERINFO_ENDPOINT` (optional; default inferred from the issuer/base URL; used to fill in missing email/name claims)

## Authentik Admin API setup

- Required for `/internal/authentik/users/ensure`:
  - `AUTHENTIK_BASE_URL`
  - `AUTHENTIK_ADMIN_TOKEN`
  - `AUTHENTIK_VERIFY_TLS` (keep enabled outside local development; disabling it exposes `AUTHENTIK_ADMIN_TOKEN` to anyone who can intercept the connection)

## Main APIs

- `GET /healthz`
- `GET /auth/oidc/url`
- `POST /auth/oidc/exchange`
- `GET /me` (Bearer token required)
- `GET /me/permissions/snapshot` (Bearer token required)
- `POST /internal/users/upsert-by-sub`
- `GET /internal/permissions/{authentik_sub}/snapshot`
- `POST /internal/authentik/users/ensure`
- `POST /admin/permissions/grant`
- `POST /admin/permissions/revoke`
- `GET|POST /admin/systems`
- `GET|POST /admin/modules`
- `GET|POST /admin/companies`
- `GET|POST /admin/sites`
- `GET /admin/members`
- `GET|POST /admin/permission-groups`
- `POST|DELETE /admin/permission-groups/{group_key}/members/{authentik_sub}`
- `POST /admin/permission-groups/{group_key}/permissions/grant|revoke`
- `GET /internal/systems`
- `GET /internal/modules`
- `GET /internal/companies`
- `GET /internal/sites`
- `GET /internal/members`
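The Authentik JWT settings above (issuer, optional audience, HS256 client secret) map onto a bearer-token check like the one below. This is an added example written for this README, not code from the memberapi.ose.tw backend: it covers only the HS256 path, with the standard library so it runs offline, and omits the JWKS/RS256 path the service also supports (that needs a JWT/crypto library). The parameter names mirror the environment variables; the issuer URL, secret, claims and `mint_hs256` helper are all constructed for the example.

```python
"""HS256 bearer-token check modelled on the README's Authentik settings.

Added example, not the memberapi.ose.tw backend's own code. Parameters:
  issuer   -> AUTHENTIK_ISSUER
  secret   -> AUTHENTIK_CLIENT_SECRET (HS256 key)
  audience -> AUTHENTIK_AUDIENCE; None means the aud claim is not checked
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_decode(data: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def mint_hs256(claims: dict, secret: str) -> str:
    """Test helper standing in for Authentik: build a signed HS256 token."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode("ascii"),
                   hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_hs256(token: str, issuer: str, secret: str,
                 audience: Optional[str] = None,
                 now: Optional[float] = None) -> dict:
    """Return the claims if the token is acceptable, else raise ValueError."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None

    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm instead of trusting the header: this rejects alg=none
    # and RS256/HS256 confusion (a public key reused as an HMAC secret).
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg {header.get('alg')!r}")

    expected = hmac.new(secret.encode(), f"{header_b64}.{body_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(_b64url_decode(body_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    if "exp" not in claims or now >= float(claims["exp"]):
        raise ValueError("token expired or has no exp")
    if audience is not None:
        aud = claims.get("aud")
        if audience not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("audience mismatch")
    if "sub" not in claims:
        raise ValueError("missing sub")
    return claims


def check_token(token: str, issuer: str, secret: str,
                audience: Optional[str] = None,
                now: Optional[float] = None) -> Optional[str]:
    """Convenience wrapper: the Authentik sub on success, None on any failure."""
    try:
        return verify_hs256(token, issuer, secret, audience, now)["sub"]
    except ValueError:
        return None


# Constructed sample values; not real Authentik settings or tokens.
ISSUER = "https://auth.example.test/application/o/memberapi/"
SECRET = "constructed-client-secret"
NOW = 1_700_000_000

GOOD = mint_hs256({"iss": ISSUER, "aud": "memberapi", "sub": "user-1",
                   "exp": NOW + 300}, SECRET)
OTHER_APP = mint_hs256({"iss": ISSUER, "aud": "other-app", "sub": "user-2",
                        "exp": NOW + 300}, SECRET)
EXPIRED = mint_hs256({"iss": ISSUER, "aud": "memberapi", "sub": "user-3",
                      "exp": NOW - 1}, SECRET)
# Same payload as GOOD but with alg=none and an empty signature.
UNSIGNED = _b64url_encode(json.dumps({"alg": "none"}).encode()) + "." + GOOD.split(".")[1] + "."

if __name__ == "__main__":
    print("with AUTHENTIK_AUDIENCE   :", check_token(OTHER_APP, ISSUER, SECRET, "memberapi", NOW))
    print("without AUTHENTIK_AUDIENCE:", check_token(OTHER_APP, ISSUER, SECRET, None, NOW))
```

Running it shows the practical effect of leaving `AUTHENTIK_AUDIENCE` unset: the token minted for `other-app` is rejected when the audience is configured and accepted when it is not. The algorithm pin is the other check worth keeping regardless of configuration, since a verifier that honours the token's own `alg` header can be talked into skipping the signature check entirely.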