Mobile API (v1 & v2) — business view

Technical trace: Mobile API (v1 & v2)

1. Business Summary

Two API surfaces — a large monolithic v1 and a minimal v2 — replicate operational actions for mobile users: login, menus, lists, item details, task accept/reject, file ops, inbox, push notifications.

2. Business Value

Workforce mobility for PMs, vendors, and managers.

3. Users / Stakeholders

Mobile users.

4. Workflows

  • Login with basic auth and token; session/token reused.
  • Subsequent calls cover dashboards, lists, item details, accept/reject, files, inbox, favourites.
  • v2 covers a profile view and update.

5. Sub-Features

  • Push notifications.
  • API logging.

6. Business Rules

  • Token validation per request.
  • Business logic re-uses internal security checks.

7. Data Entities

Mobile API logs and operational entities accessed via API.

8. Entry Points

  • Mobile API endpoints (v1 and v2).

9. Inputs & Outputs

  • Inputs: API token, payload.
  • Outputs: JSON responses, files.

10. Integrations

  • Internal modules; push services.

11. Calculations / Logic

  • Reuses business logic.

12. Status Lifecycle

  • N/A.

13. Permissions

  • Token-based.

14. Reports & KPIs

  • API usage by endpoint.

15. Risks & Observations

  • Plaintext credential comparison.
  • Raw SQL with concatenated request data.
  • Credentials logged via serialization — leakage risk.
  • Token lifecycle and rotation unclear.
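As an added illustration (not code from the project's MobileAPIsController or MobileAPIV2Controller), the three code-level risks above are shown as the weak pattern beside its hardened form; function, table and field names are assumptions.

```php
<?php
// Added illustration of the patterns flagged in "Risks & Observations".
// Not the project's code: function, table and column names are hypothetical.

// 1. Credential comparison.
// Weak: loose equality. PHP's == treats numeric-looking strings as numbers,
// and the compare exits early, so it is neither strict nor constant-time.
function checkTokenWeak(string $stored, string $presented): bool {
    return $stored == $presented;
}
// Hardened: store only a hash of the token and compare in constant time.
function checkTokenSafe(string $storedTokenHash, string $presented): bool {
    return hash_equals($storedTokenHash, hash('sha256', $presented));
}
// Passwords never get compared directly: password_verify() handles the hash.
function checkPasswordSafe(string $storedPasswordHash, string $presented): bool {
    return password_verify($presented, $storedPasswordHash);
}

// 2. SQL built from request data.
// Weak: request data is concatenated straight into the query text.
function findUserWeak(PDO $db, string $token): ?array {
    $sql = "SELECT id, role FROM users WHERE api_token = '" . $token . "'";
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC) ?: null;
}
// Hardened: a prepared statement keeps request data out of the query text.
function findUserSafe(PDO $db, string $token): ?array {
    $stmt = $db->prepare('SELECT id, role FROM users WHERE api_token = :t');
    $stmt->execute([':t' => $token]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// 3. API request logging.
// Weak: serialising the whole request body writes credentials into the log.
function logRequestWeak(array $body): string {
    return json_encode($body);
}
// Hardened: redact known credential fields (case-insensitive) before serialising.
const REDACTED_KEYS = ['password', 'token', 'api_token', 'authorization'];
function logRequestSafe(array $body): string {
    foreach ($body as $k => $v) {
        if (in_array(strtolower((string) $k), REDACTED_KEYS, true)) {
            $body[$k] = '[REDACTED]';
        }
    }
    return json_encode($body);
}
```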

16. Source Code Evidence

  • app/Controller/MobileAPIsController.php, MobileAPIV2Controller.php.
