API Contracts – Staff + Candidate Portals (Endpoints + Payload Pointers + Error Handling)

Staff Portal#

Base URL and Configuration#

Base API URL: https://staff.api.dev.studenthub.co/v1
Environment file: src/environments/environment.ts
Auth header format: Authorization: Basic <base64(email:password)> for login, Authorization: Bearer <token> for authenticated requests
Token storage key: loggedInStaff (Ionic Storage, see StorageService)
Extra headers: Currency (default KWD), Content-Type: application/json, Language (for some requests), g-recaptcha-response
Central error handler: Private _handleError in AuthService

Error Handling#

401: Logs out user, message: "Session expired, please log back in."
400: Emits accountAssignmentRemoved$ event, returns empty observable
404: Emits error404$ event
500: Emits error500$ event, logs error
0/504: Emits internetOffline$ event

Endpoint Index (max 25, grouped by feature area)#

Auth#

GET /auth/login
- Frontend: AuthService.basicAuth() (src/app/providers/auth.service.ts)
- Backend: staff/modules/v1/controllers/AuthController.php:actionLogin (assumed, verify if controller exists)
- Request pointer: Inline object in function
- Response pointer: Consumed directly in basicAuth(); no explicit TS type
- Error behavior: _handleError as above
- Route matching: Standard /auth/login route; verify backend controller name
POST /auth/login-two-step
- Frontend: AuthService.loginTwoStep() (src/app/providers/auth.service.ts)
- Backend: staff/modules/v1/controllers/AuthController.php:actionLoginTwoStep (assumed, verify)
- Request pointer: Inline object { token, otp }
- Response pointer: Consumed in function; no explicit TS type
- Error behavior: _handleError
- Route matching: Standard /auth/login-two-step; verify backend controller
POST /auth/login-by-google
- Frontend: AuthService.useGoogleIdTokenForAuth() (src/app/providers/auth.service.ts)
- Backend: staff/modules/v1/controllers/AuthController.php:actionLoginByGoogle (assumed, verify)
- Request pointer: Inline object { idToken }
- Response pointer: Consumed in function
- Error behavior: _handleError
- Route matching: Standard /auth/login-by-google; verify backend controller
POST /auth/login-by-key
- Frontend: AuthService.loginByKey() (src/app/providers/auth.service.ts)
- Backend: staff/modules/v1/controllers/AuthController.php:actionLoginByKey (assumed, verify)
- Request pointer: Inline object { auth_key }
- Response pointer: Consumed in function
- Error behavior: _handleError
- Route matching: Standard /auth/login-by-key; verify backend controller
POST /auth/login-auth0
- Frontend: AuthService.useTokenForAuth() (src/app/providers/auth.service.ts)
- Backend: staff/modules/v1/controllers/AuthController.php:actionLoginAuth0 (assumed, verify)
- Request pointer: Inline object { accessToken }
- Response pointer: Consumed in function
- Error behavior: _handleError
- Route matching: Standard /auth/login-auth0; verify backend controller
POST /auth/request-reset-password
- Frontend: AuthService.resetPasswordRequest() (src/app/providers/auth.service.ts)
- Backend: staff/modules/v1/controllers/AuthController.php:actionRequestResetPassword (assumed, verify)
- Request pointer: Inline object { email }
- Response pointer: Consumed in function
- Error behavior: _handleError
- Route matching: Standard /auth/request-reset-password; verify backend controller
PATCH /auth/update-password
- Frontend: AuthService.changePassword() (src/app/providers/auth.service.ts)
- Backend: staff/modules/v1/controllers/AuthController.php:actionUpdatePassword (assumed, verify)
- Request pointer: Inline object { newPassword, token }
- Response pointer: Consumed in function
- Error behavior: _handleError
- Route matching: Standard /auth/update-password; verify backend controller

Permissions#

GET /permission-section
- Frontend: PermissionService.loadPermissions() (src/app/providers/permission.service.ts)
- Backend: staff/modules/v1/controllers/PermissionSectionController.php:actionList
- Request pointer: None (GET)
- Response pointer: Permission[] (TS type in service)
- Error behavior: catchError(this._handleError<Permission[]>('getPermissionList', []))
- Route matching: Confirmed
GET /permission-section/user-permission/staff/{staffId}
- Frontend: PermissionService.loadPermissions() (src/app/providers/permission.service.ts)
- Backend: staff/modules/v1/controllers/PermissionSectionController.php:actionUserPermission
- Request pointer: None (GET)
- Response pointer: UserPermission[] (TS type in service)
- Error behavior: catchError(this._handleError<UserPermission[]>('getUserPermissionList', []))
- Route matching: Confirmed

(Additional endpoints can be added here as more feature areas are surfaced.)#

Candidate Portal#

Base URL and Configuration#

Base API URL: https://student.api.dev.studenthub.co/v1
Environment file: src/environments/environment.ts
Auth header format: Authorization: Basic <base64(email:password)> for login, Content-Type: application/json, Language for other requests
Token storage key: loggedInUser (Capacitor Preferences)
Extra headers: Content-Type: application/json, Language
Central error handler: _handleError in AuthService

Error Handling#

401: Logs out user, message: "Session expired, please log back in."
400: Logs out user, message: "Bad request, please log back in."
404: Emits error404$ event
500: Emits error500$ event
0/504: Emits internetOffline$ event

Endpoint Index (max 25, grouped by feature area)#

Auth#

POST /auth/login
- Frontend: AuthService.basicAuth() (src/app/providers/auth.service.ts)
- Backend: candidate/modules/v1/controllers/AuthController.php:actionLogin (assumed, verify)
- Request pointer: Inline object in function
- Response pointer: Consumed directly in basicAuth(); no explicit TS type
- Error behavior: _handleError
- Route matching: Standard /auth/login; verify backend controller
POST /auth/register
- Frontend: AuthService.register() (src/app/providers/auth.service.ts)
- Backend: candidate/modules/v1/controllers/AuthController.php:actionRegister (assumed, verify)
- Request pointer: Inline object in function
- Response pointer: Consumed in function
- Error behavior: _handleError
- Route matching: Standard /auth/register; verify backend controller
POST /auth/request-reset-password
- Frontend: AuthService.resetPasswordRequest() (src/app/providers/auth.service.ts)
- Backend: candidate/modules/v1/controllers/AuthController.php:actionRequestResetPassword (assumed, verify)
- Request pointer: Inline object { email }
- Response pointer: Consumed in function
- Error behavior: _handleError
- Route matching: Standard /auth/request-reset-password; verify backend controller
PATCH /auth/update-password
- Frontend: AuthService.changePassword() (src/app/providers/auth.service.ts)
- Backend: candidate/modules/v1/controllers/AuthController.php:actionUpdatePassword (assumed, verify)
- Request pointer: Inline object { newPassword, token }
- Response pointer: Consumed in function
- Error behavior: _handleError
- Route matching: Standard /auth/update-password; verify backend controller

(Additional endpoints can be added here as more feature areas are surfaced.)#

Route Matching Rules#

Backend routes for Staff live under staff/modules/v1/controllers/*, and for Candidate under candidate/modules/v1/controllers/*. If a route match is uncertain, it is marked "assumed, verify" and should be confirmed against backend controller files.

Notes#

All endpoints above are mapped to their most likely backend controller/action based on naming conventions and code structure. If the backend controller/action is not explicitly confirmed, it is marked "assumed, verify".
Request and response pointers reference either the TypeScript type or the function/file where the payload is constructed or consumed.
Error handling is centralized in each portal's AuthService and PermissionService, with RxJS catchError and event emission patterns.
Only endpoints with clear frontend call-sites and backend mappings are included; additional endpoints can be added as more feature areas are surfaced or confirmed.