Any source of API documentation?

Since the Swagger UI has been broken for a while (I believe it’s this issue?), what’s the most straight-forward API documentation at the moment? I can only find this very limited doc: File: API — Documentation for foodcoops/foodsoft (master)

We currently have a usecase in two coops where we’d like to configure an SSO via Foodsoft to a webshop of a potential supplier. The supplier wants our members to order directly in their system. I thought their developer could create a “login via Foodsoft” option, so our members don’t have to create another account there manually.

The supplier webshop should be able to read:

  • full user name
  • user e-mail
  • user ID
  • ordergroup name
  • ordergroup ID

I’d need to send the Foodsoft API spec to their developer.

Can anyone please help me? Maybe @yksflip?

Or perhaps @mortbauer could you tell me where I can find the code used for the Discourse SSO (login via Foodsoft) so I can forward it as an example? I can’t find it on Github.

hey,

the openapi spec can be generate as followed:

root@01fc097ce1fd:/app# RAILS_ENV=test bundle exec  rails rswag
/usr/local/bin/ruby -I/usr/local/bundle/ruby/2.7.0/gems/rspec-core-3.12.2/lib:/usr/local/bundle/ruby/2.7.0/gems/rspec-support-3.12.1/lib /usr/local/bundle/ruby/2.7.0/gems/rspec-core-3.12.2/exe/rspec --pattern spec/requests/\*\*/\*_spec.rb,\ spec/api/\*\*/\*_spec.rb,\ spec/integration/\*\*/\*_spec.rb --format Rswag::Specs::SwaggerFormatter --dry-run --order defined
DEPRECATION WARNING: swagger_root= is deprecated and will be removed from rswag-api 3.0 (use openapi_root= instead) (called from block in <main> at /app/config/initializers/rswag_api.rb:6)
DEPRECATION WARNING: Rswag::Ui: WARNING: The method will be renamed to "openapi_endpoint" in v3.0 (called from block in <main> at /app/config/initializers/rswag_ui.rb:10)
DEPRECATION WARNING: swagger_root= is deprecated and will be removed from rswag-specs 3.0 (use openapi_root= instead) (called from block in <top (required)> at /app/spec/swagger_helper.rb:9)
DEPRECATION WARNING: swagger_docs= is deprecated and will be removed from rswag-specs 3.0 (use openapi_specs= instead) (called from block in <top (required)> at /app/spec/swagger_helper.rb:17)
DEPRECATION WARNING: swagger_format= is deprecated and will be removed from rswag-specs 3.0 (use openapi_format= instead) (called from block in <top (required)> at /app/spec/swagger_helper.rb:514)
Generating Swagger docs ...
Swagger doc generated at /app/swagger/v1/swagger.yaml

Finished in 0.01514 seconds (files took 2.26 seconds to load)
141 examples, 0 failures

with docker cp foodsoft_foodsoft_1:/app/swagger/v1/swagger.yaml . I copied from the dev container to my local environment.

swagger.yaml.txt (39.0 KB)
(remove the .txt, as discourse doesn’t allow .yaml files :person_shrugging: )

once generated one can also use the webinterface on http://localhost:3000/api-docs/index.html

I think foodcoop-shop has the oauth-flow implemented. Maybe you can use that as a reference.

And this is probable the discourse-sso-plugin ?

See also Foodsoft as an OpenID Connect provider itself? · Issue #875 · foodcoops/foodsoft · GitHub
In the past, I’ve also used a userinfo plugin, but that requires running the app using this endpoint to be on the same domain (shared cookie). The discourse-sso-plugin is probably more to the point for you.

foodsoft-shop does indeed use OAuth. As a client-side app, it does not expose the token to any server-side component. I think Doorkeeper (the component handling the auth at the Foodsoft side) should support various authentication flows / grant types, though I don’t know by head what is configured by default.

Thanks. It would be great if I could send that webinterface to another developer, without them having to run Foodsoft locally … Perhaps this could be hosted on the demo instance, with which one could also test it?
https://demo.foodcoops.net/api-docs/index.html gives an error, a different error for https://app.foodcoops.at/api-docs/index.html.

That one is certainly for logging in to Foodsoft via Discourse. Allegedly also the other way around, but I don’t understand in the code which is for what direction.

Yeah, that’s not applicable in our usecase.

I’m not sure what you mean. Are you talking about authentication via Foodsoft to Foodsoft-Shop using OAuth?

foodsoft-shop is a client-side application talking to the Foodsoft API. It needs a token to be able to work with the Foodsoft REST API. For that, it uses OAuth to let the user login with Foodsoft (redirect to Foodsoft login, then redirect back to foodsoft-shop while supplying a token, this is part of OAuth). You could use this approach to give the supplier access to the user endpoint, so it can get details about the user (you specify scopes to limit access to the read-user related endpoints).

So this is authentication by Foodsoft, with foodsoft-shop getting access to the APIs.

(regarding the swagger)

You can download the swagger file, and modify the endpoint. This needs to include the foodcoop id, so each foodcoop basically has its own swagger file (that might be a reason that the currently server swagger UI doesn’t work, but I haven’t looked into it).
You could host this modified swagger file yourself somewhere, and reference the swagger URL e.g. in https://petstore.swagger.io/ to play with it.

I’m really having trouble doing that. I tried to host it on NextCloud, Dropbox, and WordPress, but it always gives me a CORS error. I tried two WP plugins to enable CORS, but it persists.

#### Fetch error

NetworkError when attempting to fetch resource. https://foodcoops.at/wp-content/uploads/2024/09/Foodsoft API swagger documentation.yaml?_t=1727354301

#### Fetch error

Possible cross-origin (CORS) issue? The URL origin (https://foodcoops.at) does not match the page (https://petstore.swagger.io). Check the server returns the correct 'Access-Control-Allow-*' headers.

I looked at the scopes on localhost and don’t see any way to get the ordergroup ID/name of the logged-in user. So that’s not implemented yet?!

Regarding CORS, yes, it needs to have CORS enabled to be able to be read. Sorry to hear that is such a hassle. What if you use a proxy that enables CORS for you? E.g. you could try

https://api.allorigins.win/raw?url=https://foodcoops.at/wp-content/uploads/2024/09/Foodsoft%20API%20swagger%20documentation.yaml

And using it in the petstore, I see that there are server variables now, so we could make this work with a statically hosted version as well, making the foodcoop id (and server) a variable. Yay!

I looked at the scopes on localhost and don’t see any way to get the ordergroup ID/name of the logged-in user. So that’s not implemented yet?!

So no, I think the transition to rswag really helped us to upgrade Rails and friends, but I think that serving the swagger file became broken.

1 Like

I’m sorry ho hear that the there’s now problems with the swagger file. Maybe we can aggregate all the findings in #998 and I’ll try to find a fix in the near future™