Current State
The API is in active development, and authentication will be added in future versions. This page documents the current state and planned authentication strategy.Public Endpoints
All current endpoints are publicly accessible:GET /v1/healthcheck- API health statusPOST /v1/investigations- Create investigationPOST /v1/evidence- Create evidenceGET /v1/evidence/:id- Get evidence by IDPOST /v1/locations- Create locationGET /v1/locations/:id- Get location by ID
backend/cmd/api/routes.go:9-29
Making Requests
Since authentication is not currently implemented, you can make requests directly without any authentication headers:User Context
The API includes user-related fields in data models, indicating future authentication support:- Evidence:
created_by_user_idfield (source:backend/cmd/api/evidence.go:28) - Locations: User-specific vs. community investigations
- Investigations: Associated with user profiles
While these fields exist in the data models, they are not currently enforced or validated by authentication middleware.
Planned Features
Based on the codebase structure, future authentication may include:User Profiles
The data models reference a User structure with:- User ID
- Username
- First and last name
- Profile page URL
- Account status
- Created date
backend/cmd/api/investigations.go:36-44
Resource Ownership
The API will likely implement:- Private Locations: Visible only to the creating user
- Community Locations: Shared with all users
- Evidence Visibility: Public vs. private evidence
- Investigation Tracking: User-specific investigation history
Authentication Methods
Future authentication may include:- API tokens
- Session-based authentication
- OAuth integration
- JWT (JSON Web Tokens)
Security Considerations
Current Security Measures
The API implements several security best practices:- Request Size Limits: Maximum 1 MB request body
- JSON Validation: Strict parsing with unknown field rejection
- Input Sanitization: Type checking and validation
- Timeouts: Connection timeouts prevent resource exhaustion
- Read Timeout: 10 seconds
- Write Timeout: 30 seconds
- Idle Timeout: 1 minute
backend/cmd/api/main.go:71-73 and backend/cmd/api/helpers.go:49-53
Database Security
The API uses prepared statements through Go’sdatabase/sql package, which provides protection against SQL injection attacks.
Connection pooling is configured with:
- Max Open Connections: 25
- Max Idle Connections: 25
- Max Idle Time: 15 minutes
backend/cmd/api/main.go:45-47
Testing Without Authentication
Since no authentication is required, you can test all endpoints freely:Migration Path
When authentication is implemented, the API will likely:- Add authentication middleware to protected routes
- Require authentication tokens in request headers
- Maintain backward compatibility for public endpoints (like healthcheck)
- Associate resources with authenticated users
- Implement role-based access control (RBAC)
This documentation will be updated once authentication is implemented. Check the API version and release notes for authentication updates.
Development Considerations
Environment Configuration
The API supports different environments via the-env flag:
development(default)stagingproduction
backend/cmd/api/main.go:41
Authentication requirements may vary by environment once implemented.
Database Connection
The database connection string is configured via:- Command-line flag:
-db-dsn - Environment variable:
GHOSTPLANET_DB_DSN
backend/cmd/api/main.go:43