docs: align API reference and data model docs with code reality

API Reference (9 files updated):
- Marketplace API: corrected offer endpoints (scoped under /purchase-requests/:id/offers),
  marked phantom /search /stats /seller/:sellerId /withdraw routes as NOT IMPLEMENTED,
  documented PUT→PATCH mismatches, removed invalid SellerOffer 'active' status
- Dispute API: corrected resolve schema (action enum), categories (no 'fraud'),
  removed 'under_review' status, added security callouts (3 unguarded endpoints),
  route shadowing documented, all socket events marked as TODO stubs
- Notification API: corrected mark-all-read method+path, fixed broken GET /:id,
  added unread-count-update event, 90-day TTL documented
- Payment API: /create→/save, removed 10+ phantom endpoints, fixed release/refund
  paths (no /shkeeper/ segment), added 3 unauthenticated endpoint security warnings,
  stats undercounting documented, export privilege gap documented
- Authentication API: 8-digit→6-digit code, no-complexity warning on reset-with-code,
  rate limiter counts all attempts, passkey stub claims removed, deleteAccount bug noted
- Admin API: PUT→PATCH bug documented, wrong status values documented, hard vs soft
  delete clarified, scanner no-auth security bug, 3 NOT IMPLEMENTED endpoints
- Chat API: file upload wrong endpoint bug, archive PUT→PATCH bug, rate limits added
- Points API: corrected redeem schema, referral triggers on 'completed' only,
  leaderboard period ignored, removed 'refund' PointTransaction type
- Socket Events: removed request-cancelled, notification-read; added unread-count-update;
  dispute events all stubs; referral-signup is auth-domain not points-domain

Data Models (3 files updated):
- SellerOffer: removed 'active' from status enum, withdrawOffer() is dead code
- PurchaseRequest: added pending_payment/active statuses, added 'urgent' urgency,
  corrected description minimum (5 chars), removed finalized/archived
- Dispute: corrected action enum, categories (no fraud), removed under_review,
  security callout on unguarded status/resolve endpoints

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Siavash Sameni
2026-05-29 14:57:47 +04:00
parent a1f056e6a5
commit 9698ec5809
12 changed files with 287 additions and 75 deletions

View File

@@ -5,6 +5,8 @@ tags: [api, marketplace, reference]
# Marketplace API
> **Last updated:** 2026-05-29 — aligned with code (see [Doc vs Code Audit Report](../09%20-%20Audits/Doc%20vs%20Code%20Audit%20Report%20-%202026-05-29.md))
All marketplace endpoints live under `/api/marketplace/*`. The router is composed of several files mounted from `app.ts`:
- New controller-pattern routes: [`backend/src/services/marketplace/controllerRoutes.ts`](../../backend/src/services/marketplace/controllerRoutes.ts) (`marketplaceControllerRouter`)
@@ -96,6 +98,16 @@ The buyer-facing CRUD plus seller-side workflow endpoints. Model: [[PurchaseRequ
**Auth required:** Bearer JWT
**Query params:** `status`, `categoryId`, `urgency`, `search`, `page`, `limit`, `sortBy`, `sortOrder`
> **Note:** Use query params on this endpoint for filtering/searching. The separate search and stats endpoints documented in earlier versions do not exist — see below.
### ⚠️ NOT IMPLEMENTED: GET /api/marketplace/purchase-requests/search
This endpoint does not exist. Use query params (`search`, `status`, `categoryId`, etc.) on `GET /api/marketplace/purchase-requests` instead.
### ⚠️ NOT IMPLEMENTED: GET /api/marketplace/purchase-requests/stats
This endpoint does not exist in the backend.
### GET /api/marketplace/purchase-requests/my
**Description:** Shortcut for the caller's own purchase requests.
@@ -112,6 +124,8 @@ The buyer-facing CRUD plus seller-side workflow endpoints. Model: [[PurchaseRequ
**Description:** Buyer edits draft / pending request fields.
**Auth required:** Bearer JWT (owner)
> ⚠️ **KNOWN BUG:** The frontend sends `PUT` but the backend registers `PATCH`. Requests from clients using `PUT` will receive `404`. Use `PATCH`.
### PATCH /api/marketplace/purchase-requests/:id/status
**Description:** Transition the request status (`draft``pending``payment``processing``delivery``delivered``seller_paid``completed`, or `cancelled`).
@@ -213,10 +227,15 @@ Six-digit codes the buyer hands to the seller at handover. Backed by `deliverySe
Model: [[SellerOffer]].
Valid `status` values: `pending | accepted | rejected | withdrawn`
> **Note:** The status value `active` does not exist on SellerOffer. Earlier docs were incorrect.
### POST /api/marketplace/purchase-requests/:id/offers
**Description:** Submit an offer against a purchase request.
**Description:** Submit an offer against the purchase request identified by `:id` in the path. The purchase request must be in `pending`, `received_offers`, or `active` status.
**Auth required:** Bearer JWT (seller)
**Path param:** `:id` — the `purchaseRequestId` (not a body field)
**Request body:**
```ts
{
@@ -248,11 +267,21 @@ Model: [[SellerOffer]].
**Description:** Fetch a specific seller's offer on a request.
**Auth required:** No
### ⚠️ NOT IMPLEMENTED: GET /api/marketplace/offers/request/:requestId
This endpoint does not exist. Use `GET /api/marketplace/purchase-requests/:id/offers` instead.
### ⚠️ NOT IMPLEMENTED: GET /api/marketplace/offers/seller/:sellerId
This endpoint does not exist. `getOffersBySeller()` is an internal service method and is not exposed via HTTP.
### PATCH /api/marketplace/offers/:id
**Description:** Seller edits their pending offer (price, delivery estimate, notes).
**Auth required:** Bearer JWT (offer owner)
> ⚠️ **KNOWN BUG:** The frontend sends `PUT` but the backend registers `PATCH`. Requests from clients using `PUT` will receive `404`. Use `PATCH`.
### DELETE /api/marketplace/offers/:id
**Description:** Seller withdraws their offer.
@@ -260,9 +289,13 @@ Model: [[SellerOffer]].
### PUT /api/marketplace/offers/:id/status
**Description:** Direct status mutation (admin override / counter-offer states).
**Description:** Direct status mutation (admin override / counter-offer states). This is also the correct way to withdraw an offer programmatically — send `{ status: 'withdrawn' }`.
**Auth required:** Bearer JWT
**Request body:** `{ status: "pending" | "accepted" | "rejected" | "withdrawn" | "countered" }`
**Request body:** `{ status: "pending" | "accepted" | "rejected" | "withdrawn" }`
### ⚠️ NOT IMPLEMENTED: POST /api/marketplace/offers/:id/withdraw
This endpoint does not exist. To withdraw an offer use `PUT /api/marketplace/offers/:id/status` with `{ status: 'withdrawn' }`.
### POST /api/marketplace/purchase-requests/:id/select-offer