1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
|
# Sync API v2 (Draft)
The **News app** offers a RESTful API which can be used to sync folders, feeds and items. The API also supports [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS) which means that you can access the API from your browser using JavaScript.
## API Stability Contract
The API level will **change** if the following occurs:
* a required HTTP request header is added
* a required request parameter is added
* a field of a response object is removed
* a field of a response object is changed to a different datatype
* an HTTP response header is removed
* an HTTP response header is changed to a different datatype
* the meaning of an API call changes (e.g. /sync will not sync any more but show a sync timestamp)
The API level will **not change** if:
* a new HTTP response header is added
* an optional new HTTP request header is added
* a new response parameter is added (e.g. each item gets a new field "something": 1)
* The order of the JSON attributes is changed on any level (e.g. "id":3 is not the first field anymore, but the last)
You have to design your app with these things in mind!:
* **Don't depend on the order** of object attributes. In JSON it does not matter where the object attribute is since you access the value by name, not by index
* **Don't limit your app to the currently available attributes**. New ones might be added. If you don't handle them, ignore them
* **Use a library to compare versions**, ideally one that uses semantic versioning
## Authentication
Because REST is stateless you have to re-send user and password each time you access the API. Therefore running ownCloud **with SSL is highly recommended** otherwise **everyone in your network can log your credentials**.
The base URL for all calls is:
https://yourowncloud.com/index.php/apps/news/api/v2
All defined routes in the Specification are appended to this url. To access the sync for instance you'd use the following url:
https://yourowncloud.com/index.php/apps/news/api/v2/sync
Credentials are passed as an HTTP header using [HTTP basic auth](https://en.wikipedia.org/wiki/Basic_access_authentication#Client_side):
Authorization: Basic $CREDENTIALS
where $CREDENTIALS is:
base64(USER:PASSWORD)
This authentication/authorization method will be the recommended default until core provides an easy way to do OAuth
## Request Format
The required request headers are:
* **Accept**: application/json
Any request method except GET:
* **Content-Type**: application/json; charset=utf-8
Any route that allows caching:
* **If-None-Match**: an Etag, e.g. 6d82cbb050ddc7fa9cbb659014546e59. If no previous Etag is known, this header should be omitted
The request body is either passed in the URL in case of a **GET** request (e.g.: **?foo=bar&index=0**) or as JSON, e.g.:
```json
{
"foo": "bar",
"index": 0
}
```
## Response Format
The status codes are:
* **200**: Everything went fine
* **304**: In case the resource was not modified, contains no response body
* **403**: ownCloud Error: The provided authorization headers are invalid. No **error** object is available.
* **404**: ownCloud Error: The route can not be found. This can happen if the app is disabled or because of other reasons. No **error** object is available.
* **4xx**: There was an app related error, check the **error** object
* **5xx**: ownCloud Error: A server error occurred. This can happen if the server is in maintenance mode or because of other reasons. No **error** object is available.
The response headers are:
* **Content-Type**: application/json; charset=utf-8
* **Etag**: A string containing a cache header of maximum length 64, e.g. 6d82cbb050ddc7fa9cbb659014546e59
The response body is a JSON structure that looks like this:
```js
{
"data": {
// payload is in here
},
// if an error occured
"error": {
"code": 1, // an error code that is unique in combination with
// the HTTP status code to distinguish between multiple error types
"message": "Folder exists already" // a translated error message depending on the user's configured server locale
}
}
```
## Security Guidelines
Read the following notes carefully to prevent being subject to security exploits:
* All string fields in a JSON response unless explicitly noted otherwise are provided in without sanitation. This means that if you do not escape it properly before rendering you will be vulnerable to [XSS](https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29) attacks
* Basic Auth headers can easily be decrypted by anyone since base64 is an encoding, not an encryption. Therefore only send them if you are accessing an HTTPS website or display an easy to understand warning if the user chooses HTTP
## Syncing
All routes are given relative to the base API url, e.g.: **/sync** becomes **https://yourowncloud.com/index.php/apps/news/api/v2/sync**
There are two usecases for syncing:
* **Initial sync**: the user does not have any data at all
* **Syncing local and remote changes**: the user has synced at least once and wants submit and receive changes
### Initial Sync
The intial sync happens when a user adds an ownCloud account in your app. In that case you want to download all folders, feeds and unread/starred items. To do this, make the following request:
* **Method**: GET
* **Route**: /sync
* **HTTP headers**:
* **Accept: "application/json"**
* Authorization headers
This will return the following status codes:
* **200**: Successully synced
* Other ownCloud errors, see **Response Format**
and the following HTTP headers:
* **Content-Type**: application/json; charset=utf-8
* **Etag**: A string containing a cache header of maximum size 64, e.g. 6d82cbb050ddc7fa9cbb659014546e59
and the following request body:
```js
{
"data": {
"folders": [{
"id": 3,
"name": "funny stuff"
}, /* etc */],
"feeds": [{
"id": 4,
"name": "The Oatmeal - Comics, Quizzes, & Stories",
"faviconLink": "http://theoatmeal.com/favicon.ico",
"folderId": 3,
"ordering": 0,
"isPinned": true,
"error": {
"code": 1,
"message": ""
}
}, /* etc */],
"items": [{
"id": 5,
"url": "http://grulja.wordpress.com/2013/04/29/plasma-nm-after-the-solid-sprint/",
"title": "Plasma-nm after the solid sprint",
"author": "Jan Grulich (grulja)",
"publishedAt": "2005-08-15T15:52:01+0000",
"updatedAt": "2005-08-15T15:52:01+0000",
"enclosures": [{
"mime": "video/webm",
"url": "http://video.webmfiles.org/elephants-dream.webm"
}],
"body": "<p>At first I have to say...</p>",
"feedId": 4,
"isUnread": true,
"isStarred": true,
"fingerprint": "08ffbcf94bd95a1faa6e9e799cc29054"
}, /* etc */]
}
}
```
Each resource's (aka folder/feed/item) attributes are explained in separate chapters.
**Important**: Read the **Security Guidelines**
### Sync Local And Remote Changes
After the initial sync the app has all folders, feeds and items. Now you want to push changes and retrieve updates from the server. To do this, make the following request:
* **Method**: POST
* **Route**: /sync
* **HTTP headers**:
* **Content-Type: "application/json; charset=utf-8"**
* **Accept: "application/json"**
* **If-None-Match: "6d82cbb050ddc7fa9cbb659014546e59"** (Etag from the previous request to the /sync route)
* Authorization headers
with the following request body:
```js
{
"items": [{
// read and starred
"id": 5,
"isStarred": false,
"isRead": true,
"fingerprint": "08ffbcf94bd95a1faa6e9e799cc29054"
}, {
// only read
"id": 6,
"isRead": true,
"fingerprint": "09ffbcf94bd95a1faa6e9e799cc29054"
}, {
// only starred
"id": 7,
"isStarred": false,
"fingerprint": "18ffbcf94bd95a1faa6e9e799cc29054"
},/* etc */]
}
```
If no items have been read or starred, simply leave the **items** array empty, e.g.:
```js
{
"items": []
}
```
The response will be the same as in the initial sync except if an item's fingerprint is the same as in the database: This means that the contents of the item did not change and in order to preserve bandwidth, only the status is added to the item, e.g.:
```js
{
"data": {
"folders": [/* new or updated folders here */],
"feeds": [/* new or updated feeds here */],
"items": [{
"id": 5,
"isStarred": false,
"isRead": true,
}, /* etc */]
}
}
```
However if an item did change, the full item will be sent to the client
If the HTTP status code was either in the **4xx** or **5xx** range, the exact same request needs to be retried when doing the next sync.
**Important**: Read the **Security Guidelines**
## Folders
Folders are represented using the following data structure:
```json
{
"id": 3,
"name": "funny stuff"
}
```
The attributes mean the following:
* **id**: 64bit Integer, id
* **name**: Abitrary long text, folder's name
### Deleting A Folder
TBD
### Creating A Folder
TBD
### Changing A Folder
TBD
## Feeds
Feeds are represented using the following data structure:
```json
{
"id": 4,
"name": "The Oatmeal - Comics, Quizzes, & Stories",
"faviconLink": "http://theoatmeal.com/favicon.ico",
"folderId": 3,
"ordering": 0,
"isPinned": true,
"error": {
"code": 1,
"message": ""
}
}
```
The attributes mean the following:
* **id**: 64bit Integer, id
* **name**: Abitrary long text, feed's name
* **faviconLink**: Abitrary long text, feed's favicon location, **null** if not found
* **folderId**: 64bit Integer, the feed's folder or **0** in case no folder is specified
* **ordering**: 64bit Integer, overrides the feed's default ordering:
* **0**: Default ordering
* **1**: Oldest first ordering
* **2**: Newest first ordering
* **isPinned**: Boolean, Used to list certain feeds before others. Feeds are first ordered by their **isPinned** value (true before false) and then by their name in alphabetical order
* **error**: error object, only present if an error occurred:
* **code**: The error code:
* **1**: Error occured during feed update
* **message**: Translated error message depending on the user's configured server locale
### Deleting A Feed
TBD
### Creating A feed
TBD
### Changing A Feed
TBD
## Items
Items can either be in the format of:
```json
{
"id": 5,
"url": "http://grulja.wordpress.com/2013/04/29/plasma-nm-after-the-solid-sprint/",
"title": "Plasma-nm after the solid sprint",
"author": "Jan Grulich (grulja)",
"publishedAt": "2005-08-15T15:52:01+0000",
"updatedAt": "2005-08-15T15:52:01+0000",
"enclosures": [{
"mime": "video/webm",
"url": "http://video.webmfiles.org/elephants-dream.webm"
}],
"body": "<p>At first I have to say...</p>",
"feedId": 4,
"isUnread": true,
"isStarred": true,
"fingerprint": "08ffbcf94bd95a1faa6e9e799cc29054"
}
```
or if they did not change in the following format:
```json
{
"id": 5,
"isUnread": true,
"isStarred": true
}
```
The attributes mean the following:
* **id**: 64bit Integer, id
* **url**: Abitrary long text, location of the online resource
* **title**: Abitrary long text, item's title
* **author**: Abitrary long text, name of the author/authors
* **publishedAt**: String representing an ISO 8601 DateTime object, when the item was published
* **updateddAt**: String representing an ISO 8601 DateTime object, when the item was updated
* **enclosures**: A list of enclosure objects,
* **mime**: Mimetype
* **url**: Abitrary long text, location of the enclosure
* **body**: Abitrary long text, **sanitized (meaning does not have to be escape)**, contains the item's content
* **feedId**: 64bit Integer, the item's feed it belongs to
* **isUnread**: Boolean, true if unread, false if read
* **isStarred**: Boolean, true if starred, false if not starred
* **fingerprint**: 64 ASCII characters, hash that is used to determine if an item is the same as an other one. The following behavior should be implemented:
* Items in a stream (e.g. All items, folders, feeds) should be filtered so that no item with the same fingerprint is present.
* When marking an item read, all items with the same fingerprint should also be marked as read.
## Update API
TBD
## Meta Data API
TBD
|
