fix: import SearchFilter in api_crud_v3.py to resolve NameError

Scott Idem
2026-01-07 14:25:58 -05:00
parent 6d13b952c4
commit cf96d93246
3 changed files with 54 additions and 45 deletions


@@ -202,35 +202,44 @@ Use the `q` property in your search body for a keyword search.
}
```
## 6. Authentication in V3
## 6. Authentication and Security in V3 (Mandatory)
V3 supports multiple authentication methods. The backend resolves these automatically.
Implemented in January 2026, the V3 architecture enforces strict **Multi-Tenant Isolation** and requires valid authentication for nearly all requests.
### A. Standard Requests (Header)
For most API calls, use the standard Bearer token in the `Authorization` header.
### A. Authentication Requirement
Most API calls now require a standard Bearer token in the `Authorization` header.
```ts
// Example: Setting the JWT in headers
headers: {
"Authorization": `Bearer ${user_jwt_token}`
}
* **Mandatory:** V3 CRUD endpoints require a valid JWT or an administrative bypass header.
* **Account Isolation:** The backend automatically filters all results based on the `account_id` found in your JWT. You cannot access data belonging to another account even if you know the ID.
* **Status Codes:**
* `401 Unauthorized`: Your JWT is invalid or expired.
* `403 Forbidden`: No authentication provided, or you attempted to access an object belonging to a different account.
**Example Request Header:**
```http
Authorization: Bearer <your_jwt_token>
```
### B. Secure File Downloads (URL Parameter)
**Crucial for `hosted_file` and `event_file`**: To allow browsers to download files without complex header modifications, you can pass the JWT directly in the URL.
### B. Role-Based Access
The API performs background checks on the user's role stored in the system:
* **Managers/Admins:** Can see and edit most data within their account.
* **Super Users:** Can bypass account isolation (reserved for system maintenance).
### C. Secure File Downloads (URL Parameter)
For `hosted_file` and `event_file`, browsers often need to download files without complex header modifications. In these cases, you can pass the JWT directly in the URL.
```ts
// Example: Creating a secure download link
// Example: Creating a secure download link for a browser
// GET /v3/crud/hosted_file/{id}/?jwt={token}
const downloadUrl = `${BASE_URL}/hosted_file/${fileId}/?jwt=${jwtToken}`;
const downloadUrl = `${BASE_URL}/v3/crud/hosted_file/${fileId}/?jwt=${jwtToken}`;
```
### C. Legacy Fallback (X-Account-ID)
For development and backward compatibility, the `X-Account-ID` header is still supported but should be phased out in favor of JWT.
### D. Administrative Bypass (Utility/Dev only)
For development utilities and automated scripts, the `X-No-Account-ID: true` header grants full administrative access. **Never use this in a public-facing application.**
---
## 5. Best Practices for V3
## 7. Best Practices for V3
1. **Use `view` for Rich Data**: Instead of manually joining data in separate calls, use `?view=enriched` or `?view=detail` if defined in the backend.
2. **Hybrid Search**: Use query parameters for simple toggles (enabled/hidden) and the POST body for complex logic.
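Review bot: Section D ("Administrative Bypass (Utility/Dev only)") and the "Mandatory" bullet in Section A document that a bare request header, `X-No-Account-ID: true`, is accepted in place of a JWT and "grants full administrative access". A header is not a credential, so if the backend honors it in any reachable deployment, a caller who reads this page can skip both the JWT check and the account isolation the same section says is enforced; the sentence "Never use this in a public-facing application" is advice to clients, not a control. The documentation should state what the server actually enforces (for example that the header is ignored unless a development-only setting is on, or that it is only honored together with a super-user JWT as described in Section B), and the "Mandatory" bullet should not present the bypass header as an alternative to valid authentication. Two smaller points in the same hunk: Section C puts the user's session JWT in the query string (`?jwt=${jwtToken}`), where it lands in browser history, server access logs and Referer headers, so the text should call that out and prefer a short-lived token scoped to the download; and the status-code list maps "No authentication provided" to `403 Forbidden`, which is the case `401 Unauthorized` conventionally covers, while answering 403 for an object in another account also confirms to the caller that the object exists.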