API Overview & Authentication
Mount points
The API is mounted in app.js as 4 groups:
| Prefix | Router file | Contents |
|---|---|---|
| /api/v1 | routes/index.js | Main API (user, admin, company, billing, domain, reports, suppression) |
| /public | routes/publicRouter.js | Public endpoints (setup script download) |
| /callback | routes/callbackRoutes.js | SparkPost webhook |
| /api/internal | routes/internalRoutes.js | Internal endpoints (API key) |
Swagger documentation is available at /api-docs (placeholder title "Library API", partial coverage).
Router list
| File | Mount |
|---|---|
| routes/index.js | /api/v1 |
| routes/userRoutes.js | /api/v1/users |
| routes/adminRoutes.js | /api/v1/admins |
| routes/billingsAdminRoutes.js | /api/v1/admins/billings |
| routes/packagesAdminRoutes.js | /api/v1/admins/packages |
| routes/reportsAdminRoutes.js | /api/v1/admins/reports |
| routes/companyAdminRoutes.js | /api/v1/admins/companies |
| routes/domainAdminRoutes.js | /api/v1/admins/domains |
| routes/userAdminRoutes.js | /api/v1/admins/users |
| routes/userNotifAdminRoutes.js | /api/v1/admins/notification |
| routes/suppressionAdminRoutes.js | /api/v1/admins/suppression |
| routes/userNotifRoutes.js | /api/v1/users/notification |
| routes/zimbraRoutes.js | /api/v1/zimbras |
| routes/companyRoutes.js | /api/v1/companies |
| routes/reportsRoutes.js | /api/v1/reports |
| routes/billingRoutes.js | /api/v1/billings |
| routes/domainRoutes.js | /api/v1/domains |
| routes/suppressionRoutes.js | /api/v1/suppression |
| routes/internalRoutes.js | /api/internal |
| routes/publicRouter.js | /public |
| routes/callbackRoutes.js | /callback |
Authentication model (JWT)
Token helper: helpers/token.helper.js. Verification happens in middleware/auth.js (reads the Authorization: Bearer <token> header).
| Token | Secret env | Payload | Lifetime |
|---|---|---|---|
| Access (user) | ACCESS_TOKEN_SECRET | { userUuid, contactUuid, companyUuid, isAdmin: false } | default 1m |
| Access (admin) | ACCESS_TOKEN_SECRET | { adminUuid, roleId, roleName } | 1m |
| Refresh | REFRESH_TOKEN_SECRET | { uuid, isAdmin } | 1d |
| Verification | VERIFICATION_TOKEN_SECRET | email verification | 1d |
| Reset password | RESET_TOKEN_SECRET | { uuid, email } | 1d |
1-minute access token
The access token lives for only 1 minute, so clients must refresh frequently via POST /api/v1/refresh. See Known Issues.
Login & refresh flow
- User login: POST /api/v1/users/login (controllers/user/login/).
- Admin login: POST /api/v1/admins/login (controllers/admin/loginAdmin/).
- Refresh: POST /api/v1/refresh verifies the refresh token, checks BlacklistToken, and issues a new access token.
- Revoke: POST /api/v1/revoke puts the refresh token on the blacklist.
Middleware
| File | Function |
|---|---|
| middleware/auth.js | JWT access-token auth. Sets req.user (user or admin, detected from the admins URL segment or the adminUuid payload). |
| middleware/isAdmin.js | Admin RBAC: superAdmin, admin, accounting (checks AdminRole.name from the DB). |
| middleware/isUser.js | Ensures a user only accesses their own company. |
| middleware/internalApiKeyAuth.js | API-key auth (x-api-key or Bearer) against INTERNAL_API_KEY (timing-safe comparison). |
| middleware/upload.js | Multer in-memory upload (image/PDF, max 2 MB). |
| middleware/not-found.js | 404 'Route does not exist'. |
| middleware/error-handler.js | Centralised error handling (Multer, CustomAPIError, fallback 500). |
Admin RBAC
Response format
Helper: helpers/response.helper.js.
Success:
```json
{ "status": "success", "code": 200, "msg": "...", "data": {} }
```
Failed:
```json
{ "status": "failed", "code": 400, "msg": "...", "data": null, "error": { "msg": "..." } }
```
Inconsistency
Some controllers use response.helper, some build the JSON by hand, and some throw CustomAPIError. This needs to be standardised during the migration (see Known Issues).