API Sequences
Backend API flows: sequence diagrams for authentication, checkout and token management.
Client Login - Email OTP (K-001)
Customer login flow: requesting and verifying a one-time code by email. Guest sessions are supported.
```mermaid
sequenceDiagram
    autonumber
    participant U as User (Client)
    participant F as Frontend
    participant API as Backend API
    participant DB as Database
    participant EMAIL as Email Service
    U->>F: Enter email address
    F->>API: POST /api/client/auth/request-otp
    Note right of API: {email: "user@example.com"}
    API->>DB: Check user exists
    alt User not found
        API->>DB: Create new user record
    end
    API->>API: Generate 6-digit OTP
    API->>DB: Store OTP (expires 5 min)
    API->>EMAIL: Send OTP via Email
    EMAIL-->>U: Email with OTP code
    API-->>F: 200 OK {message: "OTP sent"}
    U->>F: Enter OTP code
    F->>API: POST /api/client/auth/verify-otp
    Note right of API: {email, otp: "123456"}
    API->>DB: Validate OTP
    alt OTP Valid
        API->>DB: Mark OTP as used
        API->>API: Generate JWT tokens
        API-->>F: 200 OK {accessToken, refreshToken, user}
        F->>F: Store tokens in localStorage
        F-->>U: Redirect to dashboard
    else OTP Invalid/Expired
        API-->>F: 401 Invalid OTP
        F-->>U: Show error message
    end
```
| Property | Value |
|---|---|
| Auth Method | Email + OTP |
| OTP Length | 6 digits |
| OTP Expiry | 5 minutes |
| Decision Ref | K-001 |
| Method | Endpoint | Description | Auth |
|---|---|---|---|
| POST | /api/client/auth/request-otp | Request OTP code via Email | Public |
| POST | /api/client/auth/verify-otp | Verify Email OTP code | Public |
| POST | /api/client/auth/guest-session | Create guest session for checkout | Public |
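The request-otp / verify-otp pair above, worked through on the server side. This is an added example, not the project's code; it assumes (the page does not say) that the code is stored as a salted SHA-256 hash rather than in clear, that a wrong-guess counter caps brute force at five attempts, and that an in-memory dict stands in for the Database participant. The 6-digit length, 5-minute expiry and single-use marking come from the diagram.

```python
import hashlib
import hmac
import secrets
import time

OTP_LENGTH = 6           # page: 6-digit OTP
OTP_TTL_SECONDS = 300    # page: expires in 5 minutes
MAX_ATTEMPTS = 5         # assumption: lock the code after 5 wrong guesses


class OtpStore:
    """In-memory stand-in for the Database participant of the sequence."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._by_email = {}

    @staticmethod
    def _digest(email, salt, otp):
        # Hash the code so a leaked table does not reveal live OTPs.
        return hashlib.sha256(f"{email}|{salt}|{otp}".encode()).hexdigest()

    def request_otp(self, email):
        """POST /api/client/auth/request-otp. Returns the code to hand to the Email Service.
        A new request replaces any outstanding code for the address."""
        email = email.strip().lower()
        otp = f"{secrets.randbelow(10 ** OTP_LENGTH):0{OTP_LENGTH}d}"  # CSPRNG, zero-padded
        salt = secrets.token_hex(8)
        self._by_email[email] = {
            "salt": salt,
            "digest": self._digest(email, salt, otp),
            "expires_at": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
            "used": False,
        }
        return otp

    def verify_otp(self, email, otp):
        """POST /api/client/auth/verify-otp. True exactly once per valid, unexpired code."""
        email = email.strip().lower()
        rec = self._by_email.get(email)
        if rec is None or rec["used"] or self._clock() > rec["expires_at"]:
            return False
        if rec["attempts"] >= MAX_ATTEMPTS:
            return False                      # locked: caller must request a new code
        rec["attempts"] += 1
        given = self._digest(email, rec["salt"], otp)
        if not hmac.compare_digest(rec["digest"], given):
            return False
        rec["used"] = True                    # page: "Mark OTP as used"
        return True
```

The API response to request-otp is `200 OK {message: "OTP sent"}` whether or not the user existed, which matches the diagram and keeps the endpoint from leaking which addresses are registered; the same care applies to the verify step, which returns one generic failure for wrong, expired, used and locked codes.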
Guest Session Flow
```mermaid
sequenceDiagram
    participant U as Guest User
    participant F as Frontend
    participant API as Backend API
    U->>F: Click "Checkout as Guest"
    F->>API: POST /api/client/auth/guest-session
    Note right of API: {deviceId: "uuid"}
    API->>API: Create temporary guest record
    API->>API: Generate limited JWT
    API-->>F: 200 OK {guestToken, guestId}
    F->>F: Store guestToken
    F-->>U: Continue to checkout
    Note over U,API: Guest can complete purchase<br/>but cannot access profile/history
```
Admin Login - Email & SMS OTP
Admin login flow: both Email and SMS OTP are supported for System Admin and Project Admin. The domain whitelist is checked before any code is generated or sent.
```mermaid
sequenceDiagram
    autonumber
    participant A as Admin User
    participant F as Admin Panel
    participant API as Backend API
    participant DB as Database
    participant MSG as Email/SMS Service
    A->>F: Enter email/phone
    A->>F: Select OTP method (Email/SMS)
    alt Email OTP
        F->>API: POST /api/{admin-type}/auth/email/request-otp
        Note right of API: {email: "admin@company.com"}
    else SMS OTP
        F->>API: POST /api/{admin-type}/auth/sms/request-otp
        Note right of API: {phone: "+90532..."}
    end
    API->>DB: Look up admin, check email domain in allowed_domains
    alt Domain not allowed
        API-->>F: 403 Domain not allowed
        F-->>A: Show "Contact Super Admin"
    else Domain allowed
        API->>API: Generate OTP
        API->>DB: Store OTP with admin context
        API->>MSG: Send OTP via Email or SMS
        MSG-->>A: OTP via Email/SMS
        API-->>F: 200 OK
    end
    A->>F: Enter OTP
    alt Email OTP Verify
        F->>API: POST /api/{admin-type}/auth/email/verify-otp
    else SMS OTP Verify
        F->>API: POST /api/{admin-type}/auth/sms/verify-otp
    end
    API->>DB: Validate OTP + Load permissions
    API->>API: Generate JWT with permissions claim
    API-->>F: 200 OK {accessToken, refreshToken, admin, permissions[]}
    F->>F: Store tokens + cache permissions
    F-->>A: Redirect to admin dashboard
```
| Property | Value |
|---|---|
| Admin Types | System Admin, Project Admin |
| OTP Methods | Email + SMS |
| Domain Whitelist | Required |
| Permissions | JWT Claim |
| Admin Type | Email Endpoints | SMS Endpoints |
|---|---|---|
| System Admin | /api/system-admin/auth/email/request-otp<br>/api/system-admin/auth/email/verify-otp | /api/system-admin/auth/sms/request-otp<br>/api/system-admin/auth/sms/verify-otp |
| Project Admin | /api/project-admin/auth/email/request-otp<br>/api/project-admin/auth/email/verify-otp | /api/project-admin/auth/sms/request-otp<br>/api/project-admin/auth/sms/verify-otp |
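The two admin-specific steps in the diagram, the allowed_domains check and the JWT that carries the permissions claim, as an added example that is not the project's code. Assumptions not on the page: HS256 with a server-side secret, a 15-minute access-token lifetime (the Token Lifecycle card allows 15-30 min), the claim names `type`, `permissions` and `jti`, and that the verifier also consults the token blacklist the logout flow writes to. The whitelist check is an exact match on the domain part of the address, so `admin@company.com@evil.com` is rejected rather than matched on a substring.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

ACCESS_TTL = 15 * 60                # assumption; page says 15-30 min
SECRET = secrets.token_bytes(32)    # per-process demo key; load from a secret store in production


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def domain_allowed(email, allowed_domains):
    """Domain whitelist: exactly one '@', exact case-insensitive match on the domain."""
    if email.count("@") != 1:
        return False
    domain = email.rsplit("@", 1)[1].lower()
    return domain in {d.lower() for d in allowed_domains}


def mint_access_token(admin_id, admin_type, permissions, secret=SECRET, now=None):
    """Page: 'Generate JWT with permissions claim'. Returns a compact HS256 JWT."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": admin_id,
        "type": admin_type,                   # "system-admin" or "project-admin"
        "permissions": sorted(permissions),   # the permissions[] the panel caches
        "iat": now,
        "exp": now + ACCESS_TTL,
        "jti": secrets.token_hex(16),         # lets logout blacklist this token before exp
    }
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_access_token(token, secret=SECRET, now=None, blacklist=frozenset()):
    """Return the payload, or None when structure, alg, signature, expiry or blacklist fails."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
        signature = _b64url_decode(s_b64)
    except ValueError:                         # covers bad base64, bad JSON, wrong segment count
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    if header.get("alg") != "HS256":           # pin the algorithm; refuse alg=none and downgrades
        return None
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    if payload.get("jti") in blacklist:
        return None
    return payload


def has_permission(payload, needed):
    """Authorization check the API runs per request against the permissions claim."""
    return payload is not None and needed in payload.get("permissions", [])
```

Permissions live in the signed token, so the panel's cached copy is only a UI convenience; every request must still be authorized against the claim on the server, and a permission change takes effect when the token is refreshed or force-logged-out, not when the cache is updated.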
Checkout Flow
E-commerce checkout flow: cart validation, order creation, payment processing.
```mermaid
sequenceDiagram
    autonumber
    participant U as User
    participant F as Frontend
    participant API as Backend API
    participant DB as Database
    participant PG as Payment Gateway
    participant INV as Inventory
    rect rgb(40, 40, 40)
        Note over U,INV: Step 1: Cart Validation
        U->>F: Review cart & click Checkout
        F->>API: POST /api/checkout/validate
        Note right of API: {tickets[], addOns[]}
        API->>DB: Check product availability
        API->>DB: Check session capacity
        API->>DB: Apply campaign discounts
        API-->>F: 200 OK {validatedItems, pricing, matchedCampaigns[]}
        F-->>U: Show final price breakdown
    end
    rect rgb(40, 40, 40)
        Note over U,INV: Step 2: Checkout & Payment
        U->>F: Enter payment details
        F->>API: POST /api/checkout
        Note right of API: {guest, tickets[], addOns[], payment{cardDetails}}
        API->>INV: Reserve tickets (session)
        API->>DB: Create Order (status: PENDING)
        API->>DB: Create Payment record
        API->>PG: Initiate 3D Secure payment
        PG-->>API: 3DS redirect URL
        API-->>F: 200 OK {orderId, redirectUrl}
        F-->>U: Redirect to 3DS page
    end
    rect rgb(40, 40, 40)
        Note over U,INV: Step 3: Payment Confirmation
        U->>PG: Complete 3DS verification
        PG->>API: Payment callback (success/fail)
        alt Payment Success
            API->>DB: Update Payment (status: CAPTURED)
            API->>DB: Update Order (status: CONFIRMED)
            API->>INV: Confirm ticket reservation
        else Payment Failed
            API->>DB: Update Payment (status: FAILED)
            API->>DB: Update Order (status: CANCELLED)
            API->>INV: Release reserved tickets
        end
        API-->>PG: 200 OK (callback acknowledged)
        PG-->>U: Redirect back to result page
        U->>F: Land on result page
        F->>API: GET /api/orders/{id}/public
        alt Order CONFIRMED
            API-->>F: 200 OK {order, payment}
            F-->>U: Show success + tickets
        else Order CANCELLED
            API-->>F: 200 OK {order, payment}
            F-->>U: Show error + retry option
        end
    end
```
| Property | Value |
|---|---|
| Payment Method | Credit Card (3DS) |
| Inventory | Session-based reservation |
| Campaigns | Auto-applied discounts |
| Guest Support | Yes |
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/checkout/validate | Validate cart items, check availability, calculate discounts |
| POST | /api/checkout | Process checkout - create order, initiate payment |
| POST | /api/orders/{id}/confirm | Confirm order after successful payment |
| GET | /api/orders/{id}/public | Get order details (public access with order ID) |
| DELETE | /api/orders/{id} | Cancel an order |
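Step 3 of the checkout sequence is driven by a callback the Payment Gateway sends to the API, so that handler is the one place where an unauthenticated or replayed message could mark an order paid. The following added example (not the project's code) shows the handler with the checks a practitioner expects. It assumes, because the page does not specify the gateway, that the callback body is signed with HMAC-SHA256 over the raw bytes using a shared secret carried in a header; real gateways each have their own scheme, so substitute the provider's verification. The state transitions PENDING to CONFIRMED or CANCELLED, and the inventory release on failure, follow the diagram; the amount check and the one-way state machine are the added safeguards.

```python
import hashlib
import hmac
import json

GATEWAY_SECRET = b"constructed-demo-secret"   # shared with the gateway; constructed value


class OrderStore:
    """In-memory stand-in for the Database and Inventory participants."""

    def __init__(self):
        self.orders = {}      # orderId -> {"status": PENDING|CONFIRMED|CANCELLED, "amount": int}
        self.payments = {}    # orderId -> INITIATED|CAPTURED|FAILED
        self.released = []    # orderIds whose reserved tickets were given back

    def create_pending(self, order_id, amount):
        """Step 2: order and payment records exist before the 3DS redirect."""
        self.orders[order_id] = {"status": "PENDING", "amount": amount}
        self.payments[order_id] = "INITIATED"


def sign(raw_body, secret=GATEWAY_SECRET):
    """Gateway side of the assumed scheme: HMAC-SHA256 over the raw body, hex encoded."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(raw_body, header_sig, secret=GATEWAY_SECRET):
    """Check the signature over the bytes as received, before any JSON parsing."""
    return hmac.compare_digest(sign(raw_body, secret).encode(), header_sig.encode())


def handle_callback(store, raw_body, header_sig):
    """PG -> API callback. Returns (http_status, message) the API answers the gateway with."""
    if not isinstance(header_sig, str) or not verify_signature(raw_body, header_sig):
        return 401, "bad signature"            # never act on an unauthenticated status
    try:
        event = json.loads(raw_body)
        order_id, result, amount = event["orderId"], event["status"], event["amount"]
    except (ValueError, KeyError, TypeError):
        return 400, "malformed callback"
    order = store.orders.get(order_id)
    if order is None:
        return 404, "unknown order"
    if order["status"] != "PENDING":
        return 200, "already processed"        # idempotent: a replayed callback changes nothing
    if result == "success":
        if amount != order["amount"]:
            return 409, "amount mismatch"      # stays PENDING for manual review
        store.payments[order_id] = "CAPTURED"  # page: Update Payment (status: CAPTURED)
        order["status"] = "CONFIRMED"          # page: Update Order (status: CONFIRMED)
    else:
        store.payments[order_id] = "FAILED"
        order["status"] = "CANCELLED"
        store.released.append(order_id)        # page: Release reserved tickets
    return 200, order["status"]
```

Because the frontend learns the outcome afterwards through `GET /api/orders/{id}/public`, nothing the browser sends can influence the order status; only the verified callback moves it, and it moves exactly once.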
Session Ticket Reservation
```mermaid
sequenceDiagram
    participant API as Backend API (checkout)
    participant INV as Inventory Service
    participant DB as Database
    Note over API,DB: Reserve Flow
    API->>INV: POST /api/products/{productId}/sessions/{sessionId}/reserve
    Note right of INV: {quantity: 2, orderId: "..."}
    INV->>DB: Decrement availableCapacity (only if >= quantity)
    INV->>DB: Create reservation record
    INV-->>API: 200 OK {reserved: true}
    Note over API,DB: Release Flow (on cancel/timeout)
    API->>INV: POST /api/products/{productId}/sessions/{sessionId}/release
    INV->>DB: Increment availableCapacity
    INV->>DB: Delete reservation record
    INV-->>API: 200 OK {released: true}
```
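The reserve and release flows above, as an added example that is not the project's code. The point it demonstrates is the one the diagram leaves implicit: the capacity check and the decrement must be one atomic step, otherwise two concurrent checkouts both see capacity left and the session oversells. Here a lock stands in for the database's row lock or conditional `UPDATE ... WHERE availableCapacity >= quantity`; the 10-minute reservation timeout and the rule that a confirmed reservation can no longer be released are assumptions not stated on the page.

```python
import threading
import time

RESERVATION_TTL = 600   # assumption: unconfirmed reservations time out after 10 minutes


class SessionInventory:
    """Capacity of one product session; the lock plays the role of the DB's atomic update."""

    def __init__(self, capacity, clock=time.time):
        self.available = capacity
        self.reservations = {}   # orderId -> {"qty", "expires_at", "confirmed"}
        self._lock = threading.Lock()
        self._clock = clock

    def reserve(self, order_id, quantity):
        """Reserve flow: check-and-decrement under one lock so two buyers cannot both
        pass the capacity check. Returns False instead of overselling."""
        if quantity <= 0:
            return False
        with self._lock:
            self._expire_locked()
            if order_id in self.reservations or self.available < quantity:
                return False
            self.available -= quantity
            self.reservations[order_id] = {
                "qty": quantity,
                "expires_at": self._clock() + RESERVATION_TTL,
                "confirmed": False,
            }
            return True

    def confirm(self, order_id):
        """Called once payment is CAPTURED; a confirmed reservation is never released."""
        with self._lock:
            rec = self.reservations.get(order_id)
            if rec is None:
                return False
            rec["confirmed"] = True
            return True

    def release(self, order_id):
        """Release flow (cancel or timeout). Idempotent: a second call returns False."""
        with self._lock:
            rec = self.reservations.get(order_id)
            if rec is None or rec["confirmed"]:
                return False
            del self.reservations[order_id]
            self.available += rec["qty"]
            return True

    def _expire_locked(self):
        """Give back capacity held by unconfirmed reservations past their TTL (caller holds lock)."""
        now = self._clock()
        for oid, rec in list(self.reservations.items()):
            if not rec["confirmed"] and rec["expires_at"] <= now:
                del self.reservations[oid]
                self.available += rec["qty"]


def race(capacity, buyers, quantity=1):
    """Constructed load test: `buyers` threads each try to reserve `quantity` seats at once.
    Returns (successful reservations, remaining capacity); never more wins than capacity allows."""
    inv = SessionInventory(capacity)
    wins = []

    def buyer(i):
        if inv.reserve(f"order-{i}", quantity):
            wins.append(i)

    threads = [threading.Thread(target=buyer, args=(i,)) for i in range(buyers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(wins), inv.available
```

In the real service the timeout path is what the diagram calls "Release Flow (on cancel/timeout)": a background job or the next reserve call returns expired capacity, so an abandoned 3DS page does not hold seats indefinitely.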
Token Lifecycle
JWT token management: access token refresh, logout and force logout flows.
```mermaid
sequenceDiagram
    autonumber
    participant U as User/Admin
    participant F as Frontend
    participant API as Backend API
    participant DB as Database
    rect rgb(40, 40, 40)
        Note over U,DB: Token Refresh Flow
        Note over F: A request fails with 401 (access token expired)
        F->>API: POST /api/{user-type}/session/refresh
        Note right of API: {refreshToken: "..."}
        API->>DB: Validate refresh token
        alt Token Valid
            API->>API: Generate new access token
            API->>DB: Rotate refresh token (optional)
            API-->>F: 200 OK {accessToken, refreshToken}
            F->>F: Update stored tokens
            F->>F: Retry original request
        else Token Invalid/Expired
            API-->>F: 401 Unauthorized
            F->>F: Clear tokens
            F-->>U: Redirect to login
        end
    end
    rect rgb(40, 40, 40)
        Note over U,DB: Logout Flow
        U->>F: Click Logout
        F->>API: POST /api/{user-type}/session/logout
        Note right of API: {} (uses Bearer token)
        API->>DB: Invalidate refresh token
        API->>DB: Add access token to blacklist
        API-->>F: 200 OK
        F->>F: Clear all tokens
        F-->>U: Redirect to login
    end
    rect rgb(40, 40, 40)
        Note over U,DB: Force Logout Flow (Admin)
        U->>F: Select user to force logout
        F->>API: POST /api/{admin-type}/session/force-logout
        Note right of API: {adminId: "target-admin-id"}
        API->>DB: Check requester permissions
        API->>DB: Invalidate all of target's tokens
        API-->>F: 200 OK {message: "User logged out"}
    end
```
| Property | Value |
|---|---|
| Access Token | Short-lived (15-30 min) |
| Refresh Token | Long-lived (7-30 days) |
| Token Storage | localStorage / httpOnly cookie |
| Rotation | On refresh (optional) |
| User Type | Refresh | Logout | Force Logout |
|---|---|---|---|
| System Admin | /api/system-admin/session/refresh | /api/system-admin/session/logout | /api/system-admin/session/force-logout |
| Project Admin | /api/project-admin/session/refresh | /api/project-admin/session/logout | /api/project-admin/session/force-logout |
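The three flows above, refresh, logout and force logout, share one server-side session store, shown here as an added example that is not the project's code. Assumptions not stated on the page: refresh tokens are opaque random strings kept only as SHA-256 hashes, rotation is always on (the page marks it optional), a rotated token that is presented a second time is treated as a stolen copy and revokes the whole session family, and access tokens come from a caller-supplied minter that returns the token and its `jti`, so the store works with whatever JWT format the API uses. The 7-day refresh lifetime is taken from the low end of the page's 7-30 day range.

```python
import hashlib
import secrets
import time

REFRESH_TTL = 7 * 24 * 3600   # page: refresh token long-lived (7-30 days)


def demo_mint(user_id):
    """Stand-in access-token minter: returns (token, jti). The real API mints a JWT here."""
    jti = secrets.token_hex(8)
    return f"{user_id}.{jti}", jti


class SessionStore:
    """Server side of the Token Lifecycle sequence; dicts stand in for the Database."""

    def __init__(self, mint_access, clock=time.time):
        self._mint = mint_access
        self._clock = clock
        self._refresh = {}      # sha256(refreshToken) -> {"user", "family", "expires_at", "used"}
        self._access = {}       # user -> set of live access-token jti values
        self.blacklist = set()  # jti values revoked before their exp (page: token blacklist)

    @staticmethod
    def _h(token):
        return hashlib.sha256(token.encode()).hexdigest()   # never store the raw token

    def _issue_refresh(self, user_id, family):
        token = secrets.token_urlsafe(32)
        self._refresh[self._h(token)] = {
            "user": user_id, "family": family,
            "expires_at": self._clock() + REFRESH_TTL, "used": False,
        }
        return token

    def _issue_access(self, user_id):
        token, jti = self._mint(user_id)
        self._access.setdefault(user_id, set()).add(jti)
        return token

    def login(self, user_id):
        """After OTP verification: a fresh session family for this device."""
        family = secrets.token_hex(8)
        return {"accessToken": self._issue_access(user_id),
                "refreshToken": self._issue_refresh(user_id, family)}

    def refresh(self, refresh_token):
        """POST /api/{user-type}/session/refresh. None maps to the 401 branch."""
        rec = self._refresh.get(self._h(refresh_token))
        if rec is None or rec["expires_at"] <= self._clock():
            return None
        if rec["used"]:
            # A rotated token was presented again: someone else already spent it.
            self._revoke_family(rec["family"])
            return None
        rec["used"] = True                                  # rotation: old token is spent
        return {"accessToken": self._issue_access(rec["user"]),
                "refreshToken": self._issue_refresh(rec["user"], rec["family"])}

    def logout(self, refresh_token, access_jti=None):
        """POST /api/{user-type}/session/logout: drop the refresh token, blacklist the access token."""
        rec = self._refresh.pop(self._h(refresh_token), None)
        if access_jti is not None:
            self.blacklist.add(access_jti)
        return rec is not None

    def force_logout(self, user_id):
        """POST /api/{admin-type}/session/force-logout: invalidate all of the target's tokens.
        Returns the number of refresh tokens removed. The requester's permission check is
        done by the caller before this is reached."""
        doomed = [h for h, r in self._refresh.items() if r["user"] == user_id]
        for h in doomed:
            del self._refresh[h]
        self.blacklist |= self._access.pop(user_id, set())
        return len(doomed)

    def is_access_revoked(self, jti):
        """Checked on every authenticated request alongside signature and exp."""
        return jti in self.blacklist

    def _revoke_family(self, family):
        for h in [h for h, r in self._refresh.items() if r["family"] == family]:
            del self._refresh[h]
```

Spent refresh tokens are kept (marked `used`) until the family is revoked or they expire; that record is what makes reuse detectable. Blacklist entries only need to live until the access token's own `exp`, which is why the page keeps access tokens short-lived.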