member-backend/README.md

# memberapi.ose.tw backend

## Quick start

```bash
cd backend
python -m venv .venv
source .venv/bin/activate
pip install -e .
cp .env.example .env
./scripts/start_dev.sh
```

## Required DB setup

1. Initialize API client whitelist table with `docs/API_CLIENTS_SQL.sql`.
2. Initialize core tables with `backend/scripts/init_schema.sql`.
3. Generate `api_key_hash` and update `api_clients` records, e.g.:

```bash
python scripts/generate_api_key_hash.py 'YOUR_PLAIN_KEY'
```

## Authentik JWT setup

- Configure at least one of:
  - `AUTHENTIK_JWKS_URL`
  - `AUTHENTIK_ISSUER` (the service infers `<issuer>/jwks/`)
- Optional:
  - `AUTHENTIK_AUDIENCE` (enables audience claim validation)
  - `AUTHENTIK_CLIENT_ID` (used by `/auth/login`, fallback to `AUTHENTIK_AUDIENCE`)
  - `AUTHENTIK_CLIENT_SECRET` (required if your access/id token uses HS256 signing)
  - `AUTHENTIK_TOKEN_ENDPOINT` (default: `<AUTHENTIK_BASE_URL>/application/o/token/`)
  - `AUTHENTIK_USERINFO_ENDPOINT` (optional, default inferred from issuer/base URL; used to fill missing email/name claims)

## Authentik Admin API setup

- Required for `/internal/authentik/users/ensure`:
  - `AUTHENTIK_BASE_URL`
  - `AUTHENTIK_ADMIN_TOKEN`
  - `AUTHENTIK_VERIFY_TLS`

## Main APIs

- `GET /healthz`
- `POST /auth/login`
- `GET /me` (Bearer token required)
- `GET /me/permissions/snapshot` (Bearer token required)
- `POST /internal/users/upsert-by-sub`
- `GET /internal/permissions/{authentik_sub}/snapshot`
- `POST /internal/authentik/users/ensure`
- `POST /admin/permissions/grant`
- `POST /admin/permissions/revoke`
- `GET|POST|PATCH /admin/organizations...`
- `GET|POST|PATCH /admin/members...`
- `GET|POST|DELETE /admin/members/{member_id}/organizations...`
- `GET /internal/members`
- `GET /internal/members/by-sub/{authentik_sub}`
- `GET /internal/organizations`
- `GET /internal/organizations/by-code/{org_code}`
- `GET /internal/members/{member_id}/organizations`