mirror/TimeTracker
1
0
Fork 0
mirror of https://github.com/DRYTRIX/TimeTracker.git synced 2026-01-12 14:40:47 -06:00
Code Issues Packages Projects Releases Wiki Activity
Files
f6264f24734fffd56487b71f84b91cfb923d6448
TimeTracker/docs/api/API_TOKEN_SCOPES.md
Dries Peeters 29f7186ee8 docs: Reorganize documentation structure for better navigation 
Complete reorganization of project documentation to improve discoverability,
navigation, and maintainability. All documentation has been restructured into
a clear, role-based hierarchy.

## Major Changes

### New Directory Structure
- Created `docs/api/` for API documentation
- Created `docs/admin/` with subdirectories:
  - `admin/configuration/` - Configuration guides
  - `admin/deployment/` - Deployment guides
  - `admin/security/` - Security documentation
  - `admin/monitoring/` - Monitoring and analytics
- Created `docs/development/` for developer documentation
- Created `docs/guides/` for user-facing guides
- Created `docs/reports/` for analysis reports and summaries
- Created `docs/changelog/` for detailed changelog entries (ready for future use)

### File Organization

#### Moved from Root Directory (40+ files)
- Implementation notes → `docs/implementation-notes/`
- Test reports → `docs/testing/`
- Analysis reports → `docs/reports/`
- User guides → `docs/guides/`

#### Reorganized within docs/
- API documentation → `docs/api/`
- Administrator documentation → `docs/admin/` (with subdirectories)
- Developer documentation → `docs/development/`
- Security documentation → `docs/admin/security/`
- Telemetry documentation → `docs/admin/monitoring/`

### Documentation Updates

#### docs/README.md
- Complete rewrite with improved navigation
- Added visual documentation map
- Organized by role (Users, Administrators, Developers)
- Better categorization and quick links
- Updated all internal links to new structure

#### README.md (root)
- Updated all documentation links to reflect new structure
- Fixed 8 broken links

#### app/templates/main/help.html
- Enhanced "Where can I get additional help?" section
- Added links to new documentation structure
- Added documentation index link
- Added admin documentation link for administrators
- Improved footer with organized documentation links
- Added "Complete Documentation" section with role-based links

### New Index Files
- Created README.md files for all new directories:
  - `docs/api/README.md`
  - `docs/guides/README.md`
  - `docs/reports/README.md`
  - `docs/development/README.md`
  - `docs/admin/README.md`

### Cleanup
- Removed empty `docs/security/` directory (moved to `admin/security/`)
- Removed empty `docs/telemetry/` directory (moved to `admin/monitoring/`)
- Root directory now only contains: README.md, CHANGELOG.md, LICENSE

## Results

**Before:**
- 45+ markdown files cluttering root directory
- Documentation scattered across root and docs/
- Difficult to find relevant documentation
- No clear organization structure

**After:**
- 3 files in root directory (README, CHANGELOG, LICENSE)
- Clear directory structure organized by purpose and audience
- Easy navigation with role-based organization
- All documentation properly categorized
- Improved discoverability

## Benefits

1. Better Organization - Documentation grouped by purpose and audience
2. Easier Navigation - Role-based sections (Users, Admins, Developers)
3. Improved Discoverability - Clear structure with README files in each directory
4. Cleaner Root - Only essential files at project root
5. Maintainability - Easier to add and organize new documentation

## Files Changed

- 40+ files moved from root to appropriate docs/ subdirectories
- 15+ files reorganized within docs/
- 3 major documentation files updated (docs/README.md, README.md, help.html)
- 5 new README index files created
- 2 empty directories removed

All internal links have been updated to reflect the new structure.
2025-12-14 07:56:07 +01:00

12 KiB
Raw Blame History

API Token Scopes Reference

Overview

API tokens use scopes to control access to resources. When creating a token, you select which scopes to grant. This document explains each scope and when to use it.

Scope Format

Scopes follow the format: action:resource

  • action: read or write
  • resource: The resource type (e.g., projects, time_entries)

Special scopes:

  • admin:all - Full administrative access to all resources
  • * - Wildcard (admin only)

Available Scopes

Projects

read:projects

Grants: View project information
Endpoints:

  • GET /api/v1/projects - List projects
  • GET /api/v1/projects/{id} - Get project details

Use Cases:

  • Read-only integrations
  • Reporting tools
  • Dashboard displays
  • Project status monitors

Example:

curl -H "Authorization: Bearer YOUR_TOKEN" \
     https://your-domain.com/api/v1/projects

write:projects

Grants: Create, update, and archive projects
Endpoints:

  • POST /api/v1/projects - Create project
  • PUT /api/v1/projects/{id} - Update project
  • DELETE /api/v1/projects/{id} - Archive project

Use Cases:

  • Project management integrations
  • Automated project creation
  • Bulk project updates
  • Project lifecycle automation

Example:

curl -X POST https://your-domain.com/api/v1/projects \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name": "New Project", "status": "active"}'

Time Entries

read:time_entries

Grants: View time entries and timer status
Endpoints:

  • GET /api/v1/time-entries - List time entries
  • GET /api/v1/time-entries/{id} - Get time entry details
  • GET /api/v1/timer/status - Get timer status

Use Cases:

  • Timesheet exports
  • Reporting and analytics
  • Invoice generation
  • Time tracking dashboards

Permissions:

  • Non-admin users can only see their own time entries
  • Admin users can see all time entries

Example:

curl -H "Authorization: Bearer YOUR_TOKEN" \
     "https://your-domain.com/api/v1/time-entries?start_date=2024-01-01"

write:time_entries

Grants: Create, update, and delete time entries; control timer
Endpoints:

  • POST /api/v1/time-entries - Create time entry
  • PUT /api/v1/time-entries/{id} - Update time entry
  • DELETE /api/v1/time-entries/{id} - Delete time entry
  • POST /api/v1/timer/start - Start timer
  • POST /api/v1/timer/stop - Stop timer

Use Cases:

  • Time tracking integrations
  • Automated time entry creation
  • Timer control from external apps
  • Bulk time entry updates

Example:

curl -X POST https://your-domain.com/api/v1/timer/start \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"project_id": 1}'

Tasks

read:tasks

Grants: View task information
Endpoints:

  • GET /api/v1/tasks - List tasks
  • GET /api/v1/tasks/{id} - Get task details

Use Cases:

  • Task management integrations
  • Kanban board displays
  • Progress tracking
  • Task reporting

Example:

curl -H "Authorization: Bearer YOUR_TOKEN" \
     "https://your-domain.com/api/v1/tasks?project_id=1&status=todo"

write:tasks

Grants: Create, update, and delete tasks
Endpoints:

  • POST /api/v1/tasks - Create task
  • PUT /api/v1/tasks/{id} - Update task
  • DELETE /api/v1/tasks/{id} - Delete task

Use Cases:

  • Task synchronization
  • Automated task creation
  • Task status updates
  • Project planning automation

Example:

curl -X POST https://your-domain.com/api/v1/tasks \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name": "New Task", "project_id": 1, "status": "todo"}'

Clients

read:clients

Grants: View client information
Endpoints:

  • GET /api/v1/clients - List clients
  • GET /api/v1/clients/{id} - Get client details

Use Cases:

  • CRM integrations
  • Client directories
  • Invoice generation
  • Contact management

Example:

curl -H "Authorization: Bearer YOUR_TOKEN" \
     https://your-domain.com/api/v1/clients

write:clients

Grants: Create, update, and delete clients
Endpoints:

  • POST /api/v1/clients - Create client
  • PUT /api/v1/clients/{id} - Update client
  • DELETE /api/v1/clients/{id} - Delete client

Use Cases:

  • Client data synchronization
  • CRM integration
  • Automated client onboarding
  • Contact management

Example:

curl -X POST https://your-domain.com/api/v1/clients \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name": "New Client", "email": "client@example.com"}'

Reports

read:reports

Grants: Access reporting and analytics endpoints
Endpoints:

  • GET /api/v1/reports/summary - Get summary reports

Use Cases:

  • Business intelligence tools
  • Custom reporting
  • Analytics dashboards
  • Management reporting

Permissions:

  • Non-admin users can only see their own data
  • Admin users can see all data

Example:

curl -H "Authorization: Bearer YOUR_TOKEN" \
     "https://your-domain.com/api/v1/reports/summary?start_date=2024-01-01&end_date=2024-01-31"

Users

read:users

Grants: View user information
Endpoints:

  • GET /api/v1/users/me - Get current user
  • GET /api/v1/users - List all users (admin only)

Use Cases:

  • User directory
  • Profile information
  • User management
  • Team listings

Permissions:

  • All users can access /users/me
  • Only admins can access /users (requires admin:all)

Example:

curl -H "Authorization: Bearer YOUR_TOKEN" \
     https://your-domain.com/api/v1/users/me

Administrative

admin:all

Grants: Full administrative access to all resources
Endpoints: All API endpoints

Use Cases:

  • Admin automation scripts
  • System integrations
  • Backup tools
  • Migration scripts

⚠️ Warning: This scope grants complete access. Use with extreme caution.

Example:

# Admin can access all user data
curl -H "Authorization: Bearer YOUR_TOKEN" \
     https://your-domain.com/api/v1/users

Scope Combinations

Common Combinations

1. Read-Only Access

read:projects
read:time_entries
read:tasks
read:clients
read:reports

Use For: Dashboards, reporting tools, read-only integrations

2. Time Tracking Integration

read:projects
read:time_entries
write:time_entries
read:tasks

Use For: Time tracking apps, timer integrations

3. Project Management Integration

read:projects
write:projects
read:tasks
write:tasks
read:time_entries

Use For: Project management tools, task synchronization

4. Full User Access (Non-Admin)

read:projects
write:projects
read:time_entries
write:time_entries
read:tasks
write:tasks
read:clients
write:clients
read:reports

Use For: Personal automation, full-featured integrations

5. Admin Access

admin:all

Use For: Administrative tools, system automation

Scope Checking

How Scope Checking Works

  1. Token Authentication: API validates the token
  2. Scope Verification: Checks if token has required scope
  3. Resource Access: Verifies access to specific resource
  4. User Permissions: Applies user-level permissions

Wildcard Scopes

The API supports wildcard patterns:

  • read:* - Read access to all resources
  • write:* - Write access to all resources
  • * - Full access (equivalent to admin:all)

Note: Wildcards are only available for admin users.

Security Best Practices

Principle of Least Privilege

  1. Grant minimum scopes needed for the integration
  2. Avoid admin:all unless absolutely necessary
  3. Create separate tokens for different integrations
  4. Review scopes regularly and revoke unused permissions

Token Management

  1. Separate tokens per integration:

    Token 1: Time tracking app (read:projects, write:time_entries)
Token 2: Reporting tool (read:*, read:reports)
Token 3: Admin script (admin:all)

  2. Set expiration dates for temporary integrations

  3. Monitor token usage in the admin dashboard

  4. Rotate tokens periodically (create new, delete old)

Scope Audit

Regularly review tokens and their scopes:

  1. Navigate to /admin/api-tokens
  2. Review each token's scopes
  3. Remove unused scopes
  4. Delete inactive tokens

Examples by Use Case

Dashboard Integration

Requirements: Display time tracking statistics
Scopes:

read:projects
read:time_entries
read:reports

Why:

  • read:projects - Show project names and details
  • read:time_entries - Display time entries
  • read:reports - Generate statistics

Mobile Timer App

Requirements: Start/stop timer, create time entries
Scopes:

read:projects
read:tasks
read:time_entries
write:time_entries

Why:

  • read:projects - Select project for timer
  • read:tasks - Select task (optional)
  • read:time_entries - Show existing entries
  • write:time_entries - Start/stop timer, create entries

Invoice Generator

Requirements: Read time entries and generate invoices
Scopes:

read:projects
read:clients
read:time_entries
read:reports

Why:

  • read:projects - Get project rates
  • read:clients - Get client billing information
  • read:time_entries - Get billable hours
  • read:reports - Generate summaries

Project Management Sync

Requirements: Two-way sync with external PM tool
Scopes:

read:projects
write:projects
read:tasks
write:tasks
read:time_entries

Why:

  • read:projects / write:projects - Sync projects
  • read:tasks / write:tasks - Sync tasks
  • read:time_entries - Import time tracking

Testing Scopes

Test Token Scopes

  1. Create a test token with limited scopes
  2. Try accessing different endpoints
  3. Verify proper authorization

Example:

# Create token with only read:projects

# This should work:
curl -H "Authorization: Bearer TOKEN" \
     https://your-domain.com/api/v1/projects

# This should fail (403):
curl -X POST https://your-domain.com/api/v1/projects \
  -H "Authorization: Bearer TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name": "Test"}'

Troubleshooting

"Insufficient permissions" Error

Cause: Token lacks required scope
Solution:

  1. Check error message for required_scope
  2. Create new token with needed scope
  3. Update integration to use new token

Example Error:

{
  "error": "Insufficient permissions",
  "message": "This endpoint requires the 'write:projects' scope",
  "required_scope": "write:projects",
  "available_scopes": ["read:projects", "read:time_entries"]
}

Access Denied for Specific Resource

Cause: User permissions restrict access
Solution:

  • Non-admin users can only access their own resources
  • Use admin token for cross-user access
  • Verify user has permission to access resource

Reference Table

Scope Read Write Admin Required Notes
read:projects View projects
write:projects Manage projects
read:time_entries View own entries
write:time_entries Manage own entries
read:tasks View tasks
write:tasks Manage tasks
read:clients View clients
write:clients Manage clients
read:reports View own reports
read:users Partial /users/me for all, /users admin only
admin:all Full access

Need Help?

  • 📖 API Documentation: docs/REST_API.md
  • 🚀 Quick Start: docs/REST_API_QUICKSTART.md
  • 🔍 Interactive Docs: /api/docs
  • 📋 Implementation Summary: REST_API_IMPLEMENTATION_SUMMARY.md
Reference in New Issue View Git Blame Copy Permalink