Mobile API (v1 & v2)

Business perspective: Mobile API (v1 & v2)

1. Business Summary

Two API surfaces for mobile clients: v1 (large, monolithic) and v2 (minimal). Both expose the operational actions of the main application: login, menus, lists, item details, task accept/reject, file operations, inbox, and push notifications.

2. Business Value

Workforce mobility (PMs, vendors, managers).

3. Users / Stakeholders

Mobile app users (PMs, vendors, managers).

4. Workflows

  • Login: HTTP basic auth checked against SystemSetting.API_credentials, followed by token validation.
  • Subsequent calls reuse the resulting session/token.
  • Actions: sidebar, getList, ajaxData, getItemDetails, acceptTask, rejectTask, getInbox, getItemMessages, uploadFiles, downloadAttachment, downloadAllTaskFilesAsZip, getListCounts, getListOfFavorites.
  • v2: View, updateProfile.

5. Sub-Features

  • Push notifications.
  • Logging to api_logs table.

6. Business Rules

  • Token validation per request.
  • Reuses internal security checks.

7. Data Entities

MobileApiLogsDetail, plus operational entities accessed via API.

8. Entry Points

  • mobile_apis/* (v1).
  • mobile_apiv2/* (v2).

9. Inputs & Outputs

  • Inputs: API token, payload.
  • Outputs: JSON responses, files.

10. Integrations

  • Internal modules; push services.

11. Calculations / Logic

  • Reuses business logic.

12. Status Lifecycle

  • N/A.

13. Permissions

  • Token-based: a valid API token gates every request; no finer-grained permission model is documented here.

14. Reports & KPIs

  • API usage by endpoint.

15. Risks & Observations

  • Credentials are compared as plaintext strings (no hashing, no constant-time comparison).
  • Raw SQL is built by concatenating request data into the statement text (SQL injection risk).
  • Request data including credentials is written to api_logs via serialize(), so secrets leak into the log table.
  • Token lifecycle (issuance, expiry, revocation, rotation) is unclear.
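The following is an added example, not code from MobileAPIsController.php or any other part of the project. It puts each weak pattern from the list above next to a hardened form, and also covers the login/token-validation step from the Workflows section. The helper names, the `items` table, the SQLite DSN and the request payload are all constructed for illustration; the real controller, SystemSetting.API_credentials and api_logs schema are not reproduced here.

```php
<?php
// Added example (hypothetical; not the project's code).
// Shows the weak patterns from "Risks & Observations" beside hardened forms.
declare(strict_types=1);

// --- 1. Credential and token comparison -----------------------------------

// Weak: plaintext secret compared with "==". Requires the stored secret to be
// plaintext, and string comparison exits on the first mismatching byte.
function checkApiCredentialsWeak(string $storedPlain, string $supplied): bool
{
    return $storedPlain == $supplied;
}

// Hardened: store only a password_hash() digest of the shared secret and
// verify with password_verify(), which is constant-time.
function checkApiCredentialsSafe(string $storedHash, string $supplied): bool
{
    return password_verify($supplied, $storedHash);
}

// Per-request token check: hash_equals() compares without timing leaks and
// returns false for a length mismatch.
function validateToken(string $expectedToken, ?string $presented): bool
{
    return $presented !== null && hash_equals($expectedToken, $presented);
}

// --- 2. SQL built from request data ---------------------------------------

// Weak: request data concatenated into the statement text.
function findItemsWeak(PDO $db, string $listName): array
{
    $sql = "SELECT id, title FROM items WHERE list_name = '" . $listName . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: bound parameter; the value is sent as data, never parsed as SQL.
function findItemsSafe(PDO $db, string $listName): array
{
    $stmt = $db->prepare('SELECT id, title FROM items WHERE list_name = :list');
    $stmt->execute([':list' => $listName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- 3. Request logging ---------------------------------------------------

// Keys treated as secrets (assumed names; extend to match the real payloads).
const SENSITIVE_KEYS = ['password', 'api_password', 'token', 'authorization'];

// Redact secrets before the payload is serialized into the log table.
// Keys are matched case-insensitively and nested arrays are walked.
function redactForLog(array $data): array
{
    foreach ($data as $key => $value) {
        if (is_array($value)) {
            $data[$key] = redactForLog($value);
        } elseif (in_array(strtolower((string) $key), SENSITIVE_KEYS, true)) {
            $data[$key] = '[REDACTED]';
        }
    }
    return $data;
}

// --- Demo with constructed input ------------------------------------------

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT, list_name TEXT)');
$db->exec("INSERT INTO items (title, list_name) VALUES
           ('Inspect roof', 'tasks'), ('Pay vendor', 'invoices')");

// Constructed request payload with an injection attempt in the list name.
$request = ['username' => 'pm01', 'password' => 'hunter2', 'list' => "tasks' OR '1'='1"];

$storedHash = password_hash('hunter2', PASSWORD_DEFAULT);
var_dump(checkApiCredentialsSafe($storedHash, $request['password']));
var_dump(validateToken(bin2hex(random_bytes(32)), null));

echo 'concatenated: ', count(findItemsWeak($db, $request['list'])), " rows\n";
echo 'bound:        ', count(findItemsSafe($db, $request['list'])), " rows\n";

// What would reach api_logs: password replaced, everything else intact.
echo serialize(redactForLog($request)), "\n";
```

Run with `php example.php` (PHP 8 with the pdo_sqlite extension). The concatenated query returns every row in the table because the injected `OR '1'='1'` becomes part of the statement, while the bound version returns none because the same string is matched literally as a list name. The serialized log line shows the username and list but a `[REDACTED]` password, which is the behaviour the api_logs writer would need before serialize() is safe to call on raw request data.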

16. Source Code Evidence

  • app/Controller/MobileAPIsController.php (~7,097 LOC).
  • app/Controller/MobileAPIV2Controller.php.
  • app/Model/MobileApiLogsDetail.php.
