After a lot of discussion on which API calls we should have, we decided to go with four basic sets of API calls: courses, for course-related information; instructors, for calls that instructors would use (to see the list of students, for instance); students, for calls that would be used by students; and tests, for test-related calls.
The next task was to decide the access levels. We decided to have five:

<?php
// Access levels used by the API. A lower number means more privilege.
define("ADMIN_ACCESS_LEVEL", 1);      // site administrators
define("INSTRUCTOR_ACCESS_LEVEL", 2); // instructors
define("STUDENT_ACCESS_LEVEL", 3);    // students
define("TOKEN_ACCESS_LEVEL", 4);      // anyone holding a valid API token
define("PUBLIC_ACCESS_LEVEL", 5);     // no token required
The TOKEN_ACCESS_LEVEL gives access to anyone with a valid access token, which would be passed in the header x-AT-API-TOKEN. Calls that do not require a token would have PUBLIC_ACCESS_LEVEL.
The next step was to start with a few basic calls. I had already worked on a dummy class with Toro to demonstrate the handling of different kinds of variables. For obvious reasons, the two I had to start with were /login/ and /logout/.
The existing code that handles login in ATutor (/include/login_functions.inc.php) wasn't really modular and couldn't be reused, so I had to check how it worked and emulate it.
I came up with a rudimentary version of the login function by adding checks for the status of the account. I have yet to put in checks for the number of login attempts, though.
On successful login, you are provided with the API token, which you must use in every subsequent API call.
The token is generated by hashing a combination of the member_id, a timestamp and a random number. It is then stored in a table along with an expiry date, which is 24 hours from the time of generation or last modification.
The logout function is also fairly simple. It removes the entry for the token in the database and returns a success message.
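To show the whole token life cycle described above in one place (issue on login, check against the access levels, renew the expiry on use, drop on logout), here is an added example. It is not the ATutor code: an in-memory array stands in for the token table, the function names are mine, and it assumes that a lower access-level number is more privileged (which the constants imply but the post does not state). It also uses random_bytes() for the random component, so the token cannot be predicted from the member_id and timestamp alone.

```php
<?php
// Added example, not ATutor's code. $tokens stands in for the database table.
define("ADMIN_ACCESS_LEVEL", 1);
define("INSTRUCTOR_ACCESS_LEVEL", 2);
define("STUDENT_ACCESS_LEVEL", 3);
define("TOKEN_ACCESS_LEVEL", 4);
define("PUBLIC_ACCESS_LEVEL", 5);
define("TOKEN_LIFETIME", 24 * 3600); // expiry: 24 hours from creation or last use

$tokens = []; // token => ['member_id' => int, 'level' => int, 'expires' => int]

// Issue a token on successful login: hash of member_id, timestamp and a random value.
// random_bytes() is a CSPRNG, so the hash is not guessable from the other two inputs.
function issue_token(array &$tokens, int $member_id, int $level): string {
    $token = hash('sha256', $member_id . '|' . time() . '|' . bin2hex(random_bytes(32)));
    $tokens[$token] = ['member_id' => $member_id, 'level' => $level,
                       'expires' => time() + TOKEN_LIFETIME];
    return $token;
}

// Resolve the caller from the x-AT-API-TOKEN header value. Returns null when the
// token is missing, unknown or expired; otherwise renews the expiry (last modification).
function caller_from_token(array &$tokens, ?string $header): ?array {
    if ($header === null || !isset($tokens[$header])) return null;
    if ($tokens[$header]['expires'] < time()) { unset($tokens[$header]); return null; }
    $tokens[$header]['expires'] = time() + TOKEN_LIFETIME;
    return $tokens[$header];
}

// Decide whether a call requiring $required may proceed for this header value.
// PUBLIC needs nothing; TOKEN needs any valid token; lower levels need a member
// whose own level is at least as privileged (numerically <=) as the requirement.
function authorize(array &$tokens, ?string $header, int $required): bool {
    if ($required === PUBLIC_ACCESS_LEVEL) return true;
    $caller = caller_from_token($tokens, $header);
    if ($caller === null) return false;
    return $caller['level'] <= $required;
}

// Logout: remove the token's entry so it can no longer be used.
function revoke_token(array &$tokens, string $token): void { unset($tokens[$token]); }

// Usage: a student token may reach student-level and token-level calls, not instructor ones.
$t = issue_token($tokens, 42, STUDENT_ACCESS_LEVEL);
var_dump(authorize($tokens, $t, STUDENT_ACCESS_LEVEL));
var_dump(authorize($tokens, $t, INSTRUCTOR_ACCESS_LEVEL));
var_dump(authorize($tokens, 'not-a-real-token', TOKEN_ACCESS_LEVEL));
revoke_token($tokens, $t);
var_dump(authorize($tokens, $t, TOKEN_ACCESS_LEVEL));
```

In a real deployment the lookup and expiry update would be queries against the token table rather than array operations, but the checks stay the same.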
You can check the latest code here.