REST API — add authenticated in-process JSON endpoints to WebServer
Summary¶
main now exposes an authenticated in-process REST surface under /api/v1/...
by extending the existing WebServer.cpp / WebSocket.cpp stack.
The implementation deliberately does not port the experimental named-pipe transport or Node sidecar as runtime architecture. Instead it:
- reuses the current WebServer listener, bind address, port, and HTTPS support
- adds a dedicated JSON route layer in
WebServerJson.cpp - vendors the experimental
nlohmann/json.hppsingle-header library - adapts the experimental command/serializer logic directly in-process
Landed Shape¶
Transport and auth¶
- shared existing WebServer HTTP/HTTPS listener
- no second REST-specific port or listener
- REST auth uses
X-API-Key - REST key is stored hashed in preferences, separate from HTML web-session auth
- HTML web UI remains intact and does not use the REST key
Route surface¶
The landed route surface follows the experimental API parity target:
GET /api/v1/app/versionGET /api/v1/app/preferencesPOST /api/v1/app/preferencesPOST /api/v1/app/shutdownGET /api/v1/stats/globalGET /api/v1/transfersGET /api/v1/transfers/{hash}GET /api/v1/transfers/{hash}/sourcesPOST /api/v1/transfers/addPOST /api/v1/transfers/pausePOST /api/v1/transfers/resumePOST /api/v1/transfers/stopPOST /api/v1/transfers/deletePOST /api/v1/transfers/{hash}/recheckPOST /api/v1/transfers/{hash}/priorityPOST /api/v1/transfers/{hash}/categoryGET /api/v1/uploads/listGET /api/v1/uploads/queuePOST /api/v1/uploads/removePOST /api/v1/uploads/release_slotGET /api/v1/servers/listGET /api/v1/servers/statusPOST /api/v1/servers/connectPOST /api/v1/servers/disconnectPOST /api/v1/servers/addPOST /api/v1/servers/removeGET /api/v1/kad/statusPOST /api/v1/kad/connectPOST /api/v1/kad/disconnectPOST /api/v1/kad/recheck_firewallGET /api/v1/shared/listGET /api/v1/shared/{hash}POST /api/v1/shared/addPOST /api/v1/shared/removePOST /api/v1/search/startGET /api/v1/search/resultsPOST /api/v1/search/stopGET /api/v1/log?limit=N
Supporting runtime changes¶
WebSocket.cppnow preserves request method, request target, request body, andX-API-Keyheader for downstream dispatchLog.cpp/Log.hkeep a bounded recent-log buffer so/api/v1/logcan return recent entries without scraping UI controlsSearchResultsWnd/SearchListexpose the narrow helpers needed for machine-readable search start/status/result retrieval- WebServer options now include a dedicated API-key field
- the experimental
uploadClientDataRate/maxUploadSlotspreference knobs are mapped onto the current broadband upload-budget controller instead of reviving the stale experimental preference storage directly
Explicit Non-Goals In This Slice¶
- no named-pipe transport
- no Node/TypeScript sidecar
- no public SSE or WebSocket push endpoint
- no separate REST privilege split beyond possession of the configured API key
Follow-Up Work¶
FEAT-014remains the follow-up item for OpenAPI docs and any optional external gateway/tooling around the landed in-process REST surfaceCI-008remains the follow-up item for explicit regression coverage of the new REST routes
Acceptance Notes¶
- existing HTML web UI remains present
- REST is additive and JSON-only under
/api/v1/... - HTTPS continues to flow through the existing
WebSocket.cpplistener - experimental command semantics were reused, but the transport architecture was intentionally simplified to in-process WebServer routing