API — User profile
Reference organization
In PerfShop, the user profile management endpoints are exposed under the /api/auth prefix (not /api/users), by the UserController. They are documented in detail in the Authentication page to preserve consistency with their direct neighbor AuthController.
This page serves as a quick entry point to locate the profile endpoints.
Profile-related endpoints

| Method | Endpoint | Reference page |
|---|---|---|
| GET | `/api/auth/status` | auth.md § GET /api/auth/status |
| GET | `/api/auth/me` | auth.md § GET /api/auth/me |
| PUT | `/api/auth/me` | auth.md § PUT /api/auth/me |
Why not /api/users?

Historically, PerfShop has hosted profile management under /api/auth for two reasons:

- Lifecycle consistency: `login`, `logout`, `me` and `status` belong to the same conceptual domain ("who am I and am I logged in"). Grouping them under a single prefix simplifies frontend routing.
- Strict role separation: `/api/users` does not exist on the public side. The `UserController` (public) uses `/api/auth`, while administrative account management goes through `/api/admin/users` — see admin.md.
This choice is deliberate: it avoids routing collisions and reflects the business roles (end user under /auth, administration under /admin).
Profile fields

The user profile contains the following information:

| Field | Type | Description | Validation |
|---|---|---|---|
| id | Long | Internal identifier | Read-only |
| email | string | Login email | Email format, unique |
| civility | string | Title (M, Mme, Mx) | Whitelist |
| firstName | string | First name | 2–100 characters |
| lastName | string | Last name | 2–100 characters |
| birthDate | ISO date | Date of birth | Age ≥ 16 and ≤ 120 |
| phone | string | Phone | National format per country |
| street | string | Street + number | 5–200 characters |
| postalCode | string | Postal code | National format |
| city | string | City | 2–100 characters |
| region | string | Region (optional) | 2–100 characters |
| country | string | ISO 3166-1 alpha-2 code | Whitelist in `ValidationService.getCountries()` |
Per-country validation rules are handled by ValidationService. See the profile validation section in auth.md for the accepted format details.
Chaos affecting the profile

Three chaos families touch the user profile:

Security chaos

- S3 — Exposed BCrypt hash (level 1+) — `GET /api/auth/me` exposes the password hash
- S9 — Mass Assignment (level 3+) — `PUT /api/auth/me` accepts `email` and `password` without a whitelist

Business chaos

- A9 — Log poisoning (level 3+) — Free-text fields are logged without escaping
- SQL injection (level 2+) — `postalCode` and `country` can trigger a `DataIntegrityViolationException`
Full details are in the auth.md page and in the respective chaos pages.
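As an added illustration (not PerfShop's own code), the validator below shows what a whitelisted `PUT /api/auth/me` body check looks like: it encodes the rules from the profile table above and rejects the `email` and `password` keys that S9 lets through. The country list and the per-country postal code and phone formats are constructed stand-ins for `ValidationService`, which is not reproduced here.

```python
import re
from datetime import date

# Keys a user may change through PUT /api/auth/me, taken from the profile table.
# 'id', 'email' and 'password' are deliberately absent: a handler that binds
# them from the request body is exactly the S9 mass-assignment issue.
UPDATABLE_FIELDS = {"civility", "firstName", "lastName", "birthDate", "phone",
                    "street", "postalCode", "city", "region", "country"}
CIVILITIES = {"M", "Mme", "Mx"}
NATIONAL_FORMATS = {  # constructed stand-in for ValidationService's country rules
    "FR": {"postalCode": r"\d{5}", "phone": r"0\d{9}"},
    "BE": {"postalCode": r"\d{4}", "phone": r"0\d{8,9}"},
}

def _length_ok(value, lo, hi):
    return isinstance(value, str) and lo <= len(value) <= hi

def _age(birth, today):
    return today.year - birth.year - ((today.month, today.day) < (birth.month, birth.day))

def validate_profile_update(body, today=None):
    """Return a list of error strings; an empty list means the body is acceptable."""
    today = today or date.today()
    errors = []
    # Whitelist first: unknown or protected keys are rejected, not silently dropped.
    for key in sorted(body.keys() - UPDATABLE_FIELDS):
        errors.append(f"{key}: not updatable through this endpoint")
    if "civility" in body and body["civility"] not in CIVILITIES:
        errors.append("civility: must be one of M, Mme, Mx")
    for key in ("firstName", "lastName", "city", "region"):
        if key in body and not _length_ok(body[key], 2, 100):
            errors.append(f"{key}: 2-100 characters")
    if "street" in body and not _length_ok(body["street"], 5, 200):
        errors.append("street: 5-200 characters")
    if "birthDate" in body:
        try:
            if not 16 <= _age(date.fromisoformat(body["birthDate"]), today) <= 120:
                errors.append("birthDate: age must be between 16 and 120")
        except (TypeError, ValueError):
            errors.append("birthDate: must be an ISO date (YYYY-MM-DD)")
    country = body.get("country")
    if country is not None and country not in NATIONAL_FORMATS:
        errors.append("country: not in the allowed ISO 3166-1 alpha-2 list")
    for key in ("postalCode", "phone"):  # national format depends on the country given
        if key in body:
            rules = NATIONAL_FORMATS.get(country)
            if rules is None:
                errors.append(f"{key}: a valid country is required to check the format")
            elif not re.fullmatch(rules[key], str(body[key])):
                errors.append(f"{key}: invalid national format for {country}")
    return errors
```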
Related links

- auth.md — full documentation of `/api/auth/*` endpoints
- admin.md — administrative user account management
- Security chaos — S3, S9
- Business chaos — A9