From 4919c48f44a432dcda0f232976acdff72c428651 Mon Sep 17 00:00:00 2001 From: Sue Smith Date: Wed, 24 Sep 2014 17:18:25 +0100 Subject: [PATCH 1/4] Update api-endpoints.md --- docs/api-endpoints.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/api-endpoints.md b/docs/api-endpoints.md index da63a74..4e1b72b 100644 --- a/docs/api-endpoints.md +++ b/docs/api-endpoints.md @@ -74,6 +74,9 @@ See the following overview of the available BadgeKit API endpoints - browse to t * **POST** /systems/:slug/badges/:slug/instances * **POST** /systems/:slug/issuers/:slug/badges/:slug/instances * **POST** /systems/:slug/issuers/:slug/programs/:slug/badges/:slug/instances + * **POST** /systems/:slug/badges/:slug/instances/bulk + * **POST** /systems/:slug/issuers/:slug/badges/:slug/instances/bulk + * **POST** /systems/:slug/issuers/:slug/programs/:slug/badges/:slug/instances/bulk * **DELETE** /systems/:slug/badges/:slug/instances/:email * **DELETE** /systems/:slug/issuers/:slug/badges/:slug/instances/:email * **DELETE** /systems/:slug/issuers/:slug/programs/:slug/badges/:slug/instances/:email From 3f329507ec8affe3cb0d423d6b74e80a9bd74194 Mon Sep 17 00:00:00 2001 From: Sue Smith Date: Wed, 24 Sep 2014 17:48:42 +0100 Subject: [PATCH 2/4] Update issuing.md --- docs/issuing.md | 83 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 83 insertions(+) diff --git a/docs/issuing.md b/docs/issuing.md index 9b229b0..cffb603 100644 --- a/docs/issuing.md +++ b/docs/issuing.md @@ -31,6 +31,10 @@ Issuing is the process of awarding a badge to a specific earner. In BadgeKit API * `POST /systems/:slug/badges/:slug/instances` * `POST /systems/:slug/issuers/:slug/badges/:slug/instances` * `POST /systems/:slug/issuers/:slug/programs/:slug/badges/:slug/instances` +* [Create Multiple Badge Instances](#create-multiple-badge-instances) + * `POST /systems/:slug/badges/:slug/instances/bulk` + * `POST /systems/:slug/issuers/:slug/badges/:slug/instances/bulk` + * `POST /systems/:slug/issuers/:slug/programs/:slug/badges/:slug/instances/bulk` * [Delete an Instance](#delete-an-instance) * `DELETE /systems/:slug/badges/:slug/instances/:email` * `DELETE /systems/:slug/issuers/:slug/badges/:slug/instances/:email` @@ -274,6 +278,85 @@ The assertion URL represents the location of the badge assertion. A badge assert } ``` +## Create Multiple Badge Instances + +The API supports bulk issuing of badges. The endpoint allows a particular badge to be issued to multiple earner email addresses. + +### Expected request + +``` +POST /systems/:slug/badges/:slug/instances/bulk +POST /systems/:slug/issuers/:slug/badges/:slug/instances/bulk +POST /systems/:slug/issuers/:slug/programs/:slug/badges/:slug/instances/bulk +``` + +Requests can be sent as `application/json`, `application/x-www-form-urlencoded` or `multipart/form-data`. + +| Parameters | Required | Description | +|:-----------------------|-----------------|--------------------------| +| **emails** | required | Array of email addresses for the earners the badge is being issued to. | + +### Expected response + +``` +HTTP/1.1 201 Created +Content-Type: application/json +``` + +```json +{ + "status": "created", + "instances": [{ + "slug": "abcdefghi123456789abcdefghi123456789", + "email": "earner@somedomain.com", + "expires": null, + "issuedOn": "2014-05-29T10:16:01.654Z", + "claimCode": "abcde12345", + "assertionUrl": "http://issuersite.com/public/assertions/abcdefghi123456789abcdefghi123456789", + "badge": null + }, + ... + ] +} +``` + +The bulk issuing route does not accept the claim code parameter. If the badge has already been issued to an email address in the passed array, it will not be issued again and the returned array will not contain a badge instance for that email. Similarly, if an email address was included twice in the array, only one instance will be created and returned. + +#### Response structure + +* status +* instances `[ ]` + * slug + * email + * expires + * issuedOn + * claimCode + * assertionUrl + * [badge](badges.md) + +#### Potential errors + +* **Invalid data** + +``` + HTTP/1.1 400 Bad Request + Content-Type: application/json +``` + +```json + { + "code": "ValidationError", + "message": "Could not validate required fields", + "details": [ + { + "field": "email", + "value": "..." + }, + ... + ] + } +``` + ## Delete an Instance Delete a badge instance within a system, issuer or program context. From 87d702bbe108d771b6239c0cc0a97dd782c91385 Mon Sep 17 00:00:00 2001 From: Sue Smith Date: Wed, 24 Sep 2014 18:29:44 +0100 Subject: [PATCH 3/4] Update assessment.md --- docs/assessment.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/assessment.md b/docs/assessment.md index b727ce7..dc06376 100644 --- a/docs/assessment.md +++ b/docs/assessment.md @@ -91,10 +91,11 @@ GET /systems/:slug/issuers/:slug/programs/:slug/badges/:slug/applications #### Available request parameters +* **`processed`** - boolean indicating whether to return processed or unprocessed applications * **`page`:** - page of results to return * **`count`:** - count of results to return per page -e.g. `/systems//applications?count=2&page=1` +e.g. `/systems//applications?processed=true&count=2&page=1` ### Expected response From c73020b4a7970aaa4924c4bf5ef740fec8120166 Mon Sep 17 00:00:00 2001 From: Sue Smith Date: Thu, 2 Oct 2014 16:16:10 +0100 Subject: [PATCH 4/4] Update authorization.md --- docs/authorization.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/docs/authorization.md b/docs/authorization.md index 67b3809..6f78b85 100644 --- a/docs/authorization.md +++ b/docs/authorization.md @@ -2,7 +2,7 @@ ## Overview -Authorization is done by generating a JWT token for each request and putting it in the HTTP `Authorization` header with the auth-scheme `JWT`, under the auth-param `token`. Example (line breaks are for display purposes only): +Authorization is carried out by generating a JWT token for each request and putting it in the HTTP `Authorization` header with the auth-scheme `JWT`, under the auth-param `token`. Example (_line breaks are for display purposes only_): ``` Authorization: JWT token="eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJrZXkiO\ @@ -33,7 +33,9 @@ Use the `HS256` (HMAC-SHA256) algorithm. Example header: ### Secret -Ask one of us for the secret. +If you're running your own self-hosted instance of BadgeKit, the secret should be whatever you set as `MASTER_SECRET` in your environment configuration. + +If you're using the Mozilla hosted version of BadgeKit - get in touch with the team for the secret. ### Example in JavaScript ```js @@ -60,7 +62,7 @@ var token = jws.sign({ ## Purpose of Each Claim * **key**: To look up the secret used to sign the token. -* **exp**: General protection against replay attacks: a short lived token has limited opportunity for re-use. -* **method**: Protection from replay attacks against the same URL with a different method, e.g., converting a POST request into a DELETE request. -* **path**: Protection from replay attacks with the same method but against a new URL, e.g, using the same token for a POST to `/systems/chicago` as the token for a POST to `/systems/new-york`. +* **exp**: General protection against replay attacks - a short lived token has limited opportunity for re-use. +* **method**: Protection from replay attacks against the same URL with a different method, e.g. converting a `POST` request into a `DELETE` request. +* **path**: Protection from replay attacks with the same method but against a new URL, e.g using the same token for a `POST` to `/systems/chicago` as the token for a `POST` to `/systems/new-york`. * **body**: Protection from data tampering; ensures the data that the client intended to send is the data received.