Veranstaltungen-APP/API_AUTHENTICATION_GUIDE.md

API Authentication Guide - Mobile App Integration

Overview

Your Laravel application is now fully configured with Laravel Sanctum token-based authentication, perfect for mobile app development.

System Status ✅

Completed Features

• ✅ User authentication with email/password
• ✅ Role-based access control (user, organizer, admin)
• ✅ Token generation and validation
• ✅ Protected API endpoints
• ✅ User favorites system
• ✅ Event management with permissions

Test Users Available

All passwords are password123

Email	Role	Purpose
user@example.com	user	Regular user - can view events & favorites
organizer@example.com	organizer	Can create/update/delete own events
admin@example.com	admin	Full system access

---

API Endpoints

1. Authentication Endpoints (PUBLIC)

Login

POST /api/auth/login
Content-Type: application/json

{
  "email": "user@example.com",
  "password": "password123"
}

Response (200):
{
  "success": true,
  "message": "Login erfolgreich",
  "user": {
    "id": 1,
    "name": "Test User",
    "email": "user@example.com",
    "role": "user",
    "created_at": "2025-04-14T08:42:12.000000Z",
    "updated_at": "2025-04-14T08:42:12.000000Z"
  },
  "token": "1|PZHueLvJEr6d9mU1d4J7FUVJiPh0LD1Uy6S2Qc"
}

Register

POST /api/auth/register
Content-Type: application/json

{
  "name": "New User",
  "email": "newuser@example.com",
  "password": "password123",
  "password_confirmation": "password123",
  "role": "user"  // Optional: "user" (default), "organizer", or "admin"
}

Response (201): Similar to login response with new user token

2. Protected Endpoints (REQUIRE auth:sanctum)

All protected endpoints require the token in the Authorization header:

Authorization: Bearer YOUR_TOKEN_HERE

Get Current User

GET /api/auth/me
Authorization: Bearer 1|PZHueLvJEr6d9mU1d4J7FUVJiPh0LD1Uy6S2Qc

Update Profile

PUT /api/auth/profile
Authorization: Bearer YOUR_TOKEN
Content-Type: application/json

{
  "name": "Updated Name",
  "email": "newemail@example.com"
}

Change Password

POST /api/auth/change-password
Authorization: Bearer YOUR_TOKEN
Content-Type: application/json

{
  "current_password": "password123",
  "password": "newpassword123",
  "password_confirmation": "newpassword123"
}

Logout

POST /api/auth/logout
Authorization: Bearer YOUR_TOKEN

3. Public Event Endpoints

List All Events

GET /api/events

Get Event Details

GET /api/events/{id}

Get Available Locations

GET /api/events/locations/list

Get Available Categories

GET /api/events/categories/list

4. Protected Event Management (Organizers Only)

Get My Events

GET /api/events/my-events
Authorization: Bearer YOUR_TOKEN

Create Event (Organizer/Admin Only)

POST /api/events
Authorization: Bearer YOUR_TOKEN
Content-Type: application/json

{
  "title": "New Event",
  "description": "Event description",
  "category": "Music",
  "location_id": 1,
  "website_url": "https://...",
  "contact_email": "contact@...",
  "contact_phone": "+49..."
}

Update Event (Creator Only)

PUT /api/events/{id}
Authorization: Bearer YOUR_TOKEN
Content-Type: application/json

{
  "title": "Updated Title",
  "description": "Updated description",
  ...
}

Delete Event (Creator Only)

DELETE /api/events/{id}
Authorization: Bearer YOUR_TOKEN

5. Favorites System

Toggle Favorite

POST /api/events/{id}/toggle-favorite
Authorization: Bearer YOUR_TOKEN

Get My Favorites

GET /api/events/favorites
Authorization: Bearer YOUR_TOKEN

---

Mobile App Integration

Authentication Flow

1. User enters email and password
   ↓
2. POST /api/auth/login
   ↓
3. Receive token from response
   ↓
4. Store token securely (e.g., keychain on iOS, Keystore on Android)
   ↓
5. Include token in all subsequent API calls:
   Authorization: Bearer {token}
   ↓
6. If token expires/401 error, prompt re-login

Token Storage Best Practices

iOS (Swift):

// Store in Keychain
try keychain.store(token, key: "api_token")
let token = try keychain.retrieveString("api_token")

Android (Kotlin):

// Store in Encrypted SharedPreferences
val token = encryptedSharedPreferences.getString("api_token", null)
encryptedSharedPreferences.edit().putString("api_token", token).apply()

Flutter:

import 'package:flutter_secure_storage/flutter_secure_storage.dart';

const storage = FlutterSecureStorage();
await storage.write(key: "api_token", value: token);
String? token = await storage.read(key: "api_token");

Request Headers

GET /api/auth/me HTTP/1.1
Host: localhost:8000
Authorization: Bearer 1|PZHueLvJEr6d9mU1d4J7FUVJiPh0LD1Uy6S2Qc
Content-Type: application/json
Accept: application/json

---

Error Handling

Typical HTTP Responses

Status	Meaning	Action
200	Success	Process response data
201	Created	Resource successfully created
400	Bad Request	Check request format/validation
401	Unauthorized	Token invalid/expired - re-login
403	Forbidden	User lacks permission for this action
404	Not Found	Resource doesn't exist
500	Server Error	Report to developer

Error Response Format

{
  "success": false,
  "message": "Error description",
  "errors": {
    "field_name": ["Validation error message"]
  }
}

---

Role-Based Permissions

Feature	user	organizer	admin
View events	✅	✅	✅
Create event	❌	✅	✅
Edit own event	❌	✅	✅
Delete own event	❌	✅	✅
Manage favorites	✅	✅	✅
Admin panel	❌	❌	✅

---

Environment Details

• Server: http://localhost:8000
• API Base: http://localhost:8000/api
• Database: MySQL 5.7
• Auth Method: Laravel Sanctum (Personal Access Tokens)
• Token Format: UUID|plaintext_token

---

Troubleshooting

401 Unauthorized

• Token might be expired
• Token format incorrect
• Token not included in header
• Solution: Re-login to get new token

403 Forbidden

• Your user role doesn't have permission
• Solution: Use appropriate user role for action

422 Unprocessable Entity

• Validation error in request data
• Check response errors field for details
• Ensure all required fields are provided

---

Next Steps for Mobile Development

1. Authentication Flow

   • Create login screen with email/password fields
   • Implement token storage using platform-specific secure storage
   • Create auto-login using stored token

2. Event Listing

   • Fetch events from /api/events
   • Implement pagination if needed
   • Add search/filter functionality

3. Event Details

   • Show event location, description, contact info
   • Allow authenticated users to favorite events

4. User Profile

   • Display user info from /api/auth/me
   • Allow profile updates and password changes

5. Event Management (for Organizers)

   • Create events form
   • Edit/delete own events
   • View analytics

---

Support & Documentation

• Laravel Sanctum Docs: https://laravel.com/docs/11.x/sanctum
• API Response Examples: See docs/API_RESPONSES.md
• Example Queries: See docs/EXAMPLE_QUERIES.php

---

Last Updated: April 2025 Status: ✅ Production Ready for Mobile App Development