Major API restructuring

seacatauth/audit/handler.py

@@ -26,7 +26,7 @@ def __init__(self, app, audit_service):
 		self.AuditService = audit_service
 
 		web_app = app.WebContainer.WebApp
-		web_app.router.add_put("/audit/prune", self.prune_old_audit_entries)
+		web_app.router.add_put("/admin/audit/prune", self.prune_old_audit_entries)
 
 	@asab.web.rest.json_schema_handler({
 		"type": "object",

seacatauth/authn/handler.py

@@ -43,23 +43,21 @@ def __init__(self, app, authn_svc):
 		self.CommunicationService = app.get_service("seacatauth.CommunicationService")
 
 		web_app = app.WebContainer.WebApp
-		web_app.router.add_put(r"/public/login.prologue", self.login_prologue)
-		web_app.router.add_put(r"/public/login/{lsid}", self.login)
-		web_app.router.add_put(r"/public/login/{lsid}/smslogin", self.smslogin)
-		web_app.router.add_put(r"/public/login/{lsid}/webauthn", self.webauthn_login)
-		web_app.router.add_put(r"/public/logout", self.logout)
-		web_app.router.add_put("/impersonate", self.impersonate)
-		web_app.router.add_post("/impersonate", self.impersonate_and_redirect)
+		web_app.router.add_put("/public/login-prologue", self.login_prologue)
+		web_app.router.add_put("/public/login/{lsid}", self.login)
+		web_app.router.add_put("/public/login/{lsid}/smslogin", self.smslogin)
+		web_app.router.add_put("/public/login/{lsid}/webauthn", self.webauthn_login)
+		web_app.router.add_put("/public/logout", self.logout)
+		web_app.router.add_put("/admin/impersonate", self.impersonate)
+		web_app.router.add_post("/admin/impersonate", self.impersonate_and_redirect)
 
 		# Public endpoints
 		web_app_public = app.PublicWebContainer.WebApp
-		web_app_public.router.add_put(r"/public/login.prologue", self.login_prologue)
-		web_app_public.router.add_put(r"/public/login/{lsid}", self.login)
-		web_app_public.router.add_put(r"/public/login/{lsid}/smslogin", self.smslogin)
-		web_app_public.router.add_put(r"/public/login/{lsid}/webauthn", self.webauthn_login)
-		web_app_public.router.add_put(r"/public/logout", self.logout)
-		web_app_public.router.add_put("/impersonate", self.impersonate)
-		web_app_public.router.add_post("/impersonate", self.impersonate_and_redirect)
+		web_app_public.router.add_put("/public/login.prologue", self.login_prologue)
+		web_app_public.router.add_put("/public/login/{lsid}", self.login)
+		web_app_public.router.add_put("/public/login/{lsid}/smslogin", self.smslogin)
+		web_app_public.router.add_put("/public/login/{lsid}/webauthn", self.webauthn_login)
+		web_app_public.router.add_put("/public/logout", self.logout)
 
 	@asab.web.rest.json_schema_handler({
 		"type": "object",

seacatauth/authn/webauthn/handler.py

@@ -28,19 +28,11 @@ def __init__(self, app, webauthn_svc):
 		self.WebAuthnService = webauthn_svc
 
 		web_app = app.WebContainer.WebApp
-		web_app.router.add_get('/public/webauthn/register-options', self.get_registration_options)
-		web_app.router.add_put('/public/webauthn/register', self.register_credential)
-		web_app.router.add_delete('/public/webauthn/{wacid}', self.remove_credential)
-		web_app.router.add_put('/public/webauthn/{wacid}', self.update_credential)
-		web_app.router.add_get('/public/webauthn', self.list_credentials)
-
-		# Public endpoints
-		web_app_public = app.PublicWebContainer.WebApp
-		web_app_public.router.add_get('/public/webauthn/register-options', self.get_registration_options)
-		web_app_public.router.add_put('/public/webauthn/register', self.register_credential)
-		web_app_public.router.add_delete('/public/webauthn/{wacid}', self.remove_credential)
-		web_app_public.router.add_put('/public/webauthn/{wacid}', self.update_credential)
-		web_app_public.router.add_get('/public/webauthn', self.list_credentials)
+		web_app.router.add_get("/account/webauthn/register-options", self.get_registration_options)
+		web_app.router.add_put("/account/webauthn/register", self.register_credential)
+		web_app.router.add_delete("/account/webauthn/{wacid}", self.remove_credential)
+		web_app.router.add_put("/account/webauthn/{wacid}", self.update_credential)
+		web_app.router.add_get("/account/webauthn", self.list_credentials)
 
 
 	@access_control()

seacatauth/authz/rbac/handler.py

@@ -24,8 +24,8 @@ def __init__(self, app, rbac_svc):
 		self.RBACService = rbac_svc
 
 		web_app = app.WebContainer.WebApp
-		web_app.router.add_get("/rbac/{resources}", self.rbac)
-		web_app.router.add_get("/rbac/{tenant}/{resources}", self.rbac)
+		web_app.router.add_get("/admin/rbac/{resources}", self.rbac)
+		web_app.router.add_get("/admin/rbac/{tenant}/{resources}", self.rbac)
 
 	@access_control()
 	async def rbac(self, request, *, tenant):

seacatauth/authz/resource/handler.py

@@ -27,11 +27,11 @@ def __init__(self, app, rbac_svc):
 		self.ResourceService = app.get_service("seacatauth.ResourceService")
 
 		web_app = app.WebContainer.WebApp
-		web_app.router.add_get("/resource", self.list)
-		web_app.router.add_get("/resource/{resource_id}", self.get)
-		web_app.router.add_post("/resource/{resource_id}", self.create_or_undelete)
-		web_app.router.add_put("/resource/{resource_id}", self.update)
-		web_app.router.add_delete("/resource/{resource_id}", self.delete)
+		web_app.router.add_get("/admin/resource", self.list)
+		web_app.router.add_get("/admin/resource/{resource_id}", self.get)
+		web_app.router.add_post("/admin/resource/{resource_id}", self.create_or_undelete)
+		web_app.router.add_put("/admin/resource/{resource_id}", self.update)
+		web_app.router.add_delete("/admin/resource/{resource_id}", self.delete)
 
 
 	@access_control("seacat:resource:access")

seacatauth/authz/role/handler/role.py

@@ -27,12 +27,12 @@ def __init__(self, app, role_svc):
 		self.RoleService = role_svc
 
 		web_app = app.WebContainer.WebApp
-		web_app.router.add_get("/role", self.list_all)
-		web_app.router.add_get("/role/{tenant}", self.list)
-		web_app.router.add_get("/role/{tenant}/{role_name}", self.get)
-		web_app.router.add_post("/role/{tenant}/{role_name}", self.create)
-		web_app.router.add_delete("/role/{tenant}/{role_name}", self.delete)
-		web_app.router.add_put("/role/{tenant}/{role_name}", self.update)
+		web_app.router.add_get("/admin/role", self.list_all)
+		web_app.router.add_get("/admin/role/{tenant}", self.list)
+		web_app.router.add_get("/admin/role/{tenant}/{role_name}", self.get)
+		web_app.router.add_post("/admin/role/{tenant}/{role_name}", self.create)
+		web_app.router.add_delete("/admin/role/{tenant}/{role_name}", self.delete)
+		web_app.router.add_put("/admin/role/{tenant}/{role_name}", self.update)
 
 
 	@access_control("authz:superuser")

seacatauth/authz/role/handler/roles.py

@@ -28,11 +28,11 @@ def __init__(self, app, role_svc):
 		self.RBACService = app.get_service("seacatauth.RBACService")
 
 		web_app = app.WebContainer.WebApp
-		web_app.router.add_get("/roles/{tenant}/{credentials_id}", self.get_roles_by_credentials)
-		web_app.router.add_put("/roles/{tenant}/{credentials_id}", self.set_roles)
-		web_app.router.add_put("/roles/{tenant}", self.get_roles_batch)
-		web_app.router.add_post("/role_assign/{credentials_id}/{tenant}/{role_name}", self.assign_role)
-		web_app.router.add_delete("/role_assign/{credentials_id}/{tenant}/{role_name}", self.unassign_role)
+		web_app.router.add_get("/admin/roles/{tenant}/{credentials_id}", self.get_roles_by_credentials)
+		web_app.router.add_put("/admin/roles/{tenant}/{credentials_id}", self.set_roles)
+		web_app.router.add_put("/admin/roles/{tenant}", self.get_roles_batch)
+		web_app.router.add_post("/admin/role-assign/{credentials_id}/{tenant}/{role_name}", self.assign_role)
+		web_app.router.add_delete("/admin/role-assign/{credentials_id}/{tenant}/{role_name}", self.unassign_role)
 
 	@access_control("seacat:role:access")
 	async def get_roles_by_credentials(self, request, *, tenant):

seacatauth/client/handler.py

@@ -26,13 +26,13 @@ def __init__(self, app, client_svc):
 		self.ClientService = client_svc
 
 		web_app = app.WebContainer.WebApp
-		web_app.router.add_get("/client", self.list)
-		web_app.router.add_get("/client/features", self.features)
-		web_app.router.add_get("/client/{client_id}", self.get)
-		web_app.router.add_post("/client", self.register)
-		web_app.router.add_post("/client/{client_id}/reset_secret", self.reset_secret)
-		web_app.router.add_put("/client/{client_id}", self.update)
-		web_app.router.add_delete("/client/{client_id}", self.delete)
+		web_app.router.add_get("/admin/client", self.list)
+		web_app.router.add_get("/admin/client/features", self.features)
+		web_app.router.add_get("/admin/client/{client_id}", self.get)
+		web_app.router.add_post("/admin/client", self.register)
+		web_app.router.add_post("/admin/client/{client_id}/reset-secret", self.reset_secret)
+		web_app.router.add_put("/admin/client/{client_id}", self.update)
+		web_app.router.add_delete("/admin/client/{client_id}", self.delete)
 
 
 	@access_control("seacat:client:access")

seacatauth/cookie/handler.py

@@ -91,13 +91,13 @@ def __init__(self, app, cookie_svc, session_svc, credentials_svc):
 		web_app = app.WebContainer.WebApp
 		web_app.router.add_post("/nginx/introspect/cookie", self.nginx)
 		web_app.router.add_post("/nginx/introspect/cookie/anonymous", self.nginx_anonymous)
-		web_app.router.add_get("/cookie/entry", self.bouncer_get)
-		web_app.router.add_post("/cookie/entry", self.bouncer_post)
+		web_app.router.add_get("/public/cookie", self.bouncer_get)
+		web_app.router.add_post("/public/cookie", self.bouncer_post)
 
 		# Public endpoints
 		web_app_public = app.PublicWebContainer.WebApp
-		web_app_public.router.add_get("/cookie/entry", self.bouncer_get)
-		web_app_public.router.add_post("/cookie/entry", self.bouncer_post)
+		web_app_public.router.add_get("/public/cookie", self.bouncer_get)
+		web_app_public.router.add_post("/public/cookie", self.bouncer_post)
 
 		# TODO: Insecure, back-compat only - remove after 2024-03-31
 		if asab.Config.getboolean("seacatauth:introspection", "_enable_insecure_legacy_endpoints", fallback=False):
@@ -150,8 +150,6 @@ async def nginx(self, request):
 					Authorization failed because of the End-User's or the Client's insufficient permissions.
 		"""
 		client_id = request.query.get("client_id")
-		if client_id is None:
-			raise ValueError("No 'client_id' parameter specified in cookie introspection query.")
 
 		# TODO: Also check query for scope and validate it
 

seacatauth/credentials/change_password/handler.py

@@ -27,13 +27,12 @@ def __init__(self, app, change_password_svc):
 		self.ChangePasswordService = change_password_svc
 
 		web_app = app.WebContainer.WebApp
-		web_app.router.add_put("/password", self.admin_request_password_change)
-		web_app.router.add_put("/public/password-change", self.change_password)
+		web_app.router.add_put("/admin/password", self.admin_request_password_change)
+		web_app.router.add_put("/account/password-change", self.change_password)
 		web_app.router.add_put("/public/password-reset", self.reset_password)
 		web_app.router.add_put("/public/lost-password", self.lost_password)
 
 		web_app_public = app.PublicWebContainer.WebApp
-		web_app_public.router.add_put("/public/password-change", self.change_password)
 		web_app_public.router.add_put("/public/password-reset", self.reset_password)
 		web_app_public.router.add_put("/public/lost-password", self.lost_password)
 

seacatauth/credentials/handler.py

@@ -36,31 +36,23 @@ def __init__(self, app, credentials_svc):
 
 		web_app = app.WebContainer.WebApp
 
-		web_app.router.add_get("/credentials", self.list_credentials)
-		web_app.router.add_put("/idents", self.get_idents_from_ids)
-		web_app.router.add_put("/usernames", self.get_idents_from_ids)  # TODO: Back compat. Remove once UI adapts to the new endpoint.
-		web_app.router.add_get("/locate", self.locate_credentials)
-		web_app.router.add_get("/credentials/{credentials_id}", self.get_credentials)
-		web_app.router.add_get("/last_login/{credentials_id}", self.get_last_login_data)
-
-		web_app.router.add_post("/credentials/{provider}", self.create_credentials)
-		web_app.router.add_put("/credentials/{credentials_id}", self.update_credentials)
-		web_app.router.add_delete("/credentials/{credentials_id}", self.delete_credentials)
-
-		web_app.router.add_put("/public/credentials", self.update_my_credentials)
-		web_app.router.add_get("/public/last_login", self.get_my_last_login_data)
-
-		# Providers
-		web_app.router.add_get("/provider/{provider_id}", self.get_provider_info)
-		web_app.router.add_get("/providers", self.list_providers)
-		web_app.router.add_get("/public/provider", self.get_my_provider_info)
-		web_app.router.add_put("/enforce-factors/{credentials_id}", self.enforce_factors)
-
-		# Public endpoints
-		web_app_public = app.PublicWebContainer.WebApp
-		web_app_public.router.add_put("/public/credentials", self.update_my_credentials)
-		web_app_public.router.add_get("/public/provider", self.get_my_provider_info)
-		web_app_public.router.add_get("/public/last_login", self.get_my_last_login_data)
+		web_app.router.add_get("/admin/credentials", self.list_credentials)
+		web_app.router.add_put("/admin/idents", self.get_idents_from_ids)
+		web_app.router.add_get("/admin/locate", self.locate_credentials)
+		web_app.router.add_get("/admin/credentials/{credentials_id}", self.get_credentials)
+		web_app.router.add_get("/admin/last-login/{credentials_id}", self.get_last_login_data)
+
+		web_app.router.add_post("/admin/credentials/{provider}", self.create_credentials)
+		web_app.router.add_put("/admin/credentials/{credentials_id}", self.update_credentials)
+		web_app.router.add_delete("/admin/credentials/{credentials_id}", self.delete_credentials)
+
+		web_app.router.add_get("/admin/provider/{provider_id}", self.get_provider_info)
+		web_app.router.add_get("/admin/providers", self.list_providers)
+		web_app.router.add_put("/admin/enforce-factors/{credentials_id}", self.enforce_factors)
+
+		web_app.router.add_get("/account/provider", self.get_my_provider_info)
+		web_app.router.add_put("/account/credentials", self.update_my_credentials)
+		web_app.router.add_get("/account/last-login", self.get_my_last_login_data)
 
 
 	@access_control("seacat:credentials:access")

seacatauth/credentials/registration/handler.py

@@ -34,9 +34,11 @@ def __init__(self, app, registration_svc, credentials_svc):
 		self.AuditService = app.get_service("seacatauth.AuditService")
 
 		web_app = app.WebContainer.WebApp
-		web_app.router.add_post("/{tenant}/invite", self.admin_create_invitation)
-		web_app.router.add_post("/invite/{credentials_id}", self.resend_invitation)
-		web_app.router.add_post("/public/{tenant}/invite", self.public_create_invitation)
+		web_app.router.add_post("/admin/{tenant}/invite", self.admin_create_invitation)
+		web_app.router.add_post("/admin/invite/{credentials_id}", self.resend_invitation)
+
+		web_app.router.add_post("/account/{tenant}/invite", self.public_create_invitation)
+
 		web_app.router.add_post("/public/register", self.request_self_invitation)
 		web_app.router.add_get("/public/register/{registration_code:[-_=a-zA-Z0-9]{16,}}", self.get_registration)
 		web_app.router.add_put("/public/register/{registration_code:[-_=a-zA-Z0-9]{16,}}", self.update_registration)
@@ -45,7 +47,6 @@ def __init__(self, app, registration_svc, credentials_svc):
 
 		web_app_public = app.PublicWebContainer.WebApp
 		web_app_public.router.add_post("/public/register", self.request_self_invitation)
-		web_app_public.router.add_post("/public/{tenant}/invite", self.public_create_invitation)
 		web_app_public.router.add_get("/public/register/{registration_code:[-_=a-zA-Z0-9]{16,}}", self.get_registration)
 		web_app_public.router.add_put("/public/register/{registration_code:[-_=a-zA-Z0-9]{16,}}", self.update_registration)
 		web_app_public.router.add_post(