7.8 KiB
Core-API TODO
Testing & Quality Assurance
High Priority
-
Test Coverage: API Key Security - Test bcrypt hashing and rotation
- Test API key creation with bcrypt hashing
- Test API key authentication
- Test key rotation with grace period
- Test key revocation
- Test scoped key access
- Estimated effort: 3-4 hours
-
Test Coverage: Webhook System - Test delivery and signatures
- Test webhook endpoint registration
- Test HMAC-SHA256 signature generation
- Test signature verification
- Test webhook delivery retry logic
- Test exponential backoff
- Test delivery status tracking
- Estimated effort: 4-5 hours
-
Test Coverage: Rate Limiting - Test tier-based limits
- Test per-tier rate limits
- Test rate limit headers
- Test quota exceeded responses
- Test workspace-scoped limits
- Test burst allowance
- Estimated effort: 3-4 hours
-
Test Coverage: Scope Enforcement - Test permission system
- Test EnforceApiScope middleware
- Test wildcard scopes (posts:*, *:read)
- Test scope inheritance
- Test scope validation errors
- Estimated effort: 3-4 hours
Medium Priority
-
Test Coverage: OpenAPI Documentation - Test spec generation
- Test OpenApiBuilder with controller scanning
- Test #[ApiParameter] attribute parsing
- Test #[ApiResponse] rendering
- Test #[ApiSecurity] requirements
- Test #[ApiHidden] filtering
- Test extension system
- Estimated effort: 4-5 hours
-
Test Coverage: Usage Alerts - Test quota monitoring
- Test CheckApiUsageAlerts command
- Test HighApiUsageNotification delivery
- Test usage alert thresholds
- Test alert history tracking
- Estimated effort: 2-3 hours
Low Priority
- Test Coverage: Webhook Payload Validation - Test request validation
- Test payload size limits
- Test content-type validation
- Test malformed JSON handling
- Estimated effort: 2-3 hours
Features & Enhancements
High Priority
-
Feature: API Versioning - Support multiple API versions
- Implement version routing (v1, v2)
- Add version deprecation warnings
- Support version-specific transformers
- Document migration between versions
- Test backward compatibility
- Estimated effort: 6-8 hours
- Files:
src/Mod/Api/Versioning/
-
Feature: GraphQL API - Alternative to REST
- Implement GraphQL schema generation
- Add query resolver system
- Support mutations
- Add introspection
- Test complex nested queries
- Estimated effort: 12-16 hours
- Files:
src/Mod/Api/GraphQL/
-
Feature: Batch Operations - Bulk API requests
- Support batched requests
- Implement atomic batch transactions
- Add batch size limits
- Test error handling in batches
- Estimated effort: 4-6 hours
- Files:
src/Mod/Api/Batch/
Medium Priority
-
Enhancement: Webhook Transformers - Custom payload formatting
- Create transformer interface
- Support per-endpoint transformers
- Add JSON-LD format support
- Test with complex data structures
- Estimated effort: 3-4 hours
- Files:
src/Mod/Api/Webhooks/Transformers/
-
Enhancement: API Analytics - Detailed usage metrics
- Track API calls per endpoint
- Monitor response times
- Track error rates
- Create admin dashboard
- Add export to CSV
- Estimated effort: 5-6 hours
- Files:
src/Mod/Api/Analytics/
-
Enhancement: Request Throttling Strategies - Advanced rate limiting
- Implement sliding window algorithm
- Add burst allowance
- Support custom throttle strategies
- Add per-endpoint rate limits
- Estimated effort: 4-5 hours
- Files:
src/Mod/Api/RateLimit/Strategies/
Low Priority
-
Enhancement: API Client SDK Generator - Auto-generate SDKs
- Generate PHP SDK from OpenAPI
- Generate JavaScript SDK
- Generate Python SDK
- Add usage examples
- Estimated effort: 8-10 hours
- Files:
src/Mod/Api/Sdk/
-
Enhancement: Webhook Retry Dashboard - Visual delivery monitoring
- Create delivery status dashboard
- Add manual retry button
- Show delivery timeline
- Export delivery logs
- Estimated effort: 3-4 hours
- Files:
src/Website/Api/Components/
Security
High Priority
-
Security: API Key IP Whitelisting - Restrict key usage
- Add allowed_ips column to api_keys
- Validate request IP against whitelist
- Test with IPv4 and IPv6
- Add CIDR notation support
- Estimated effort: 3-4 hours
-
Security: Request Signing - Prevent replay attacks
- Implement timestamp validation
- Add nonce tracking
- Support custom signing algorithms
- Test with clock skew
- Estimated effort: 4-5 hours
Medium Priority
-
Security: Webhook Mutual TLS - Secure webhook delivery
- Add client certificate support
- Implement certificate validation
- Test with self-signed certs
- Estimated effort: 4-5 hours
-
Audit: API Permission Model - Review scope granularity
- Audit all API scopes
- Ensure least-privilege defaults
- Document scope requirements
- Test scope escalation attempts
- Estimated effort: 3-4 hours
Documentation
-
Guide: Building REST APIs - Complete tutorial
- Document resource creation
- Show pagination best practices
- Explain filtering and sorting
- Add authentication examples
- Estimated effort: 4-5 hours
-
Guide: Webhook Integration - For API consumers
- Document signature verification
- Show retry handling
- Explain event types
- Add code examples (PHP, JS, Python)
- Estimated effort: 3-4 hours
-
API Reference: All Endpoints - Complete OpenAPI spec
- Document all request parameters
- Add response examples
- Show error responses
- Include authentication notes
- Estimated effort: 6-8 hours
Code Quality
-
Refactor: Extract Rate Limiter - Reusable rate limiting
- Create standalone RateLimiter service
- Support multiple backends (Redis, DB, memory)
- Add configurable strategies
- Test with high concurrency
- Estimated effort: 3-4 hours
-
Refactor: Webhook Queue Priority - Prioritize critical webhooks
- Add priority field to webhooks
- Implement priority queue
- Test delivery order
- Estimated effort: 2-3 hours
-
PHPStan: Fix Level 5 Errors - Improve type safety
- Fix array shape types in resources
- Add missing return types
- Fix property type declarations
- Estimated effort: 2-3 hours
Performance
-
Optimization: Response Caching - Cache GET requests
- Implement HTTP cache headers
- Add ETag support
- Support cache invalidation
- Test with CDN
- Estimated effort: 3-4 hours
-
Optimization: Database Query Reduction - Eager load relationships
- Audit N+1 queries in resources
- Add eager loading
- Benchmark before/after
- Estimated effort: 2-3 hours
Completed (January 2026)
- API Key Hashing - Bcrypt hashing for all API keys
- Webhook Signatures - HMAC-SHA256 signature verification
- Scope System - Fine-grained API permissions
- Rate Limiting - Tier-based rate limits with usage alerts
- OpenAPI Documentation - Auto-generated API docs with Swagger/Scalar/ReDoc
- Documentation - Complete API package documentation
See changelog/2026/jan/ for completed features.