# Business API Design Specification - `Register User` A Business API is a set of logical actions centered around a main data object. These actions can range from simple CRUD operations to complex workflows that implement intricate business logic. While the term “API” traditionally refers to an interface that allows software systems to interact, in Mindbricks a Business API represents a broader concept. It encapsulates a business workflow around a data object, going beyond basic CRUD operations to include rich, internally coordinated actions that can be fully designed and customized. This document provides an in-depth explanation of the architectural design of the `registerUser` Business API. It is intended to guide backend architects and developers in maintaining the current design. Additionally, frontend developers and frontend AI agents can use this document to understand how to properly consume this API on the client side. ## Main Data Object and CRUD Operation The `registerUser` Business API is designed to handle a `create` operation on the `User` data object. This operation is performed under the specified conditions and may include additional, coordinated actions as part of the workflow. ## API Description This api is used by public users to register themselves ## API Options * **Auto Params** : `true` Determines whether input parameters should be auto-generated from the schema of the associated data object. Set to `false` if you want to define all input parameters manually. * **Raise Api Event** : `true` Indicates whether the Business API should emit an API-level event after successful execution. This is typically used for audit trails, analytics, or external integrations. The event will be emitted to the `user-registered` Kafka Topic Note that the DB-Level events for `create`, `update` and `delete` operations will always be raised for internal reasons. * **Active Check** : `` Controls how the system checks if a record is active (not soft-deleted or inactive). Uses the `ApiCheckOption` to determine whether this is checked during the query or after fetching the instance. * **Read From Entity Cache** : `false` If enabled, the API will attempt to read the target object from the Redis entity cache before querying the database. This can improve performance for frequently accessed records. ## API Controllers A Mindbricks Business API can be accessed through multiple interfaces, including REST, gRPC, WebSocket, Kafka, or Cron. The controllers listed below map the business workflow to a specific interface, enabling consistent interaction regardless of the communication channel. ### REST Controller The `registerUser` Business API includes a REST controller that can be triggered via the following route: `/v1/registeruser` By sending a request to this route using the service API address, you can execute this Business API. Parameters can be provided in multiple HTTP locations, including the URL path, URL query, request body, and request headers. Detailed information about these parameters is provided in the **Parameters** section. ### gRPC Controller The `registerUser` Business API includes a gRPC controller that can be triggered via the following function: `registerUser()` By calling this gRPC endpoint using a gRPC client, you can execute the Business API. Note that all parameters must be provided as function arguments, regardless of their HTTP location configuration, which is relevant only for the REST controller. ### MCP Tool REST controllers also expose the Business API as a tool in the MCP, making it accessible to AI agents. This `registerUser` Business API will be registered as a tool on the MCP server within the service binding. ## API Parameters The `registerUser` Business API has 8 parameters that must be sent from the controller. Note that all parameters, except session and Redis parameters, should be provided by the client. Business API parameters can be: * **Auto-generated by Mindbricks** — inferred from the CRUD type and the property definitions of the main data object when the `autoParameters` option is enabled. * **Custom parameters added by the architect** — these can supplement or override the auto-generated parameters. ### Regular Parameters | Name | Type | Required | Default | Location | Data Path | | ----------------------------------------------- | --------------------- | -------------------------------------- | -------------------------------------------------------------------- | --------------------------- | ------------------------------ | | | | | | | | | `userId` | `ID` | `No` | `-` | `body` | `userId` | | **Description:** | This id paremeter is used to create the data object with a given specific id. Leave null for automatic id. | | | | | | | | | | | | | `avatar` | `String` | `No` | `-` | `body` | `avatar` | | **Description:** | The avatar url of the user. If not sent, a default random one will be generated. | | | | | | | | | | | | | `socialCode` | `String` | `No` | `-` | `body` | `socialCode` | | **Description:** | Send this social code if it is sent to you after a social login authetication of an unregistred user. The users profile data will be complemented from the autheticated social profile using this code. If you provide the social code there is no need to give full profile data of the user, just give the ones that are not included in social profiles. | | | | | | | | | | | | | `password` | `String` | `Yes` | `-` | `body` | `password` | | **Description:** | The password defined by the the user that is being registered. | | | | | | | | | | | | | `fullname` | `String` | `Yes` | `-` | `body` | `fullname` | | **Description:** | The fullname defined by the the user that is being registered. | | | | | | | | | | | | | `email` | `String` | `Yes` | `-` | `body` | `email` | | **Description:** | The email defined by the the user that is being registered. | | | | | | | | | | | | | `preferredLanguage` | `String` | `No` | `-` | `body` | `preferredLanguage` | | **Description:** | User's preferred language for the application interface | | | | | | | | | | | | | `bio` | `Text` | `No` | `-` | `body` | `bio` | | **Description:** | User's biography or profile description | | | | | | | | | | | | ### Parameter Transformations Some parameters are post-processed using **transform scripts** after being read from the request but before validation or workflow execution. Only parameters with a `transform` script are listed below. * `avatar`: ```javascript this.avatar = runMScript(() => (this.socialProfile?.avatar ?? (this.avatar ? this.avatar : `https://gravatar.com/avatar/${LIB.common.md5(this.email ?? 'nullValue')}?s=200&d=identicon`)), {"path":"services[0].businessLogic[13].customParameters[0].transform"}) ``` * `password`: ```javascript this.password = runMScript(() => (this.socialProfile ? this.password ?? LIB.common.randomCode() : this.password), {"path":"services[0].businessLogic[13].customParameters[2].transform"}) ``` * `fullname`: ```javascript this.fullname = runMScript(() => (this.socialProfile?.fullname ?? this.fullname), {"path":"services[0].businessLogic[13].customParameters[3].transform"}) ``` * `email`: ```javascript this.email = runMScript(() => (this.socialProfile?.email ?? this.email), {"path":"services[0].businessLogic[13].customParameters[4].transform"}) ``` ## AUTH Configuration The **authentication and authorization configuration** defines the core access rules for the `registerUser` Business API. These checks are applied **after parameter validation** and before executing the main business logic. While these settings cover the most common scenarios, more **fine-grained or conditional access control**—such as permissions based on object context, nested memberships, or custom workflows—should be implemented using explicit actions like `PermissionCheckAction`, `MembershipCheckAction`, or `ObjectPermissionCheckAction`. ### Login Requirement This API is **public** and can be accessed without login (`loginRequired = false`). --- ### Ownership Checks --- ### Role and Permission Settings - **Absolute roles** (bypass all auth checks): Users with any of the following roles will bypass all authentication and authorization checks, including ownership, membership, and standard role/permission checks: `[superAdmin]` --- ## Data Clause Defines custom field-value assignments used to modify or augment the default payload for `create` and `update` operations. These settings override values derived from the session or parameters if explicitly provided.", Note that a default data clause is always prepared by Mindbricks using data property settings, however any property in the data clause can be override by Data Clause Settings. **Custom Data Clause Override** ```js { emailVerified: runMScript(() => (this.socialProfile?.emailVerified ?? false), {"path":"services[0].businessLogic[13].dataClause.customData[0].value"}), roleId: runMScript(() => (this.socialProfile?.roleId ?? 'user'), {"path":"services[0].businessLogic[13].dataClause.customData[1].value"}), } ``` **Actual Data Clause** The business api will use the following data clause. Note that any calculated value will be added to the data clause in the api manager. ```js { id: this.userId, email: this.email, password: this.hashString(this.password), fullname: this.fullname, avatar: this.avatar, preferredLanguage: this.preferredLanguage, bio: this.bio, emailVerified: runMScript(() => (this.socialProfile?.emailVerified ?? false), {"path":"services[0].businessLogic[13].dataClause.customData[0].value"}), roleId: runMScript(() => (this.socialProfile?.roleId ?? 'user'), {"path":"services[0].businessLogic[13].dataClause.customData[1].value"}), isActive: true, _archivedAt: null, } ``` ## Business Logic Workflow ### [1] Step : startBusinessApi Manager initializes context, populates session and request objects, prepares internal structures for parameter handling and workflow execution. You can use the following settings to change some behavior of this step. `apiOptions`, `restSettings`, `grpcSettings`, `kafkaSettings`, `sseSettings`, `cronSettings` --- ### [2] Step : readParameters Manager reads input parameters, normalizes missing values, applies default type casting, and stores them in the API context. You can use the following settings to change some behavior of this step. `customParameters`, `redisParameters` --- ### [3] Step : transposeParameters Manager transforms parameters, computes derived values, flattens or remaps arrays/objects, and adjusts formats for downstream processing. --- ### [4] Step : checkParameters Manager executes built-in validations: required field checks, type enforcement, and basic business rules. Prevents operation if validation fails. --- ### [5] Action : validateEmail **Action Type**: `ValidationAction` Validates that the provided email address has a valid format ```js class Api { async validateEmail() { const isValid = runMScript( () => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(this.email), { path: "services[0].businessLogic[13].actions.validationActions[0].validationScript", }, ); if (!isValid) { throw new BadRequestError("InvalidEmailFormat"); } return isValid; } } ``` --- ### [6] Action : fetchArchivedUser **Action Type**: `FetchObjectAction` Check and get if any deleted user(in 30 days) exists with the same identifier ```js class Api { async fetchArchivedUser() { // Fetch Object on childObject user const userQuery = runMScript( () => ({ $and: [ { email: this.email, isActive: false }, { _archivedAt: { $gte: new Date(Date.now() - 30 * 24 * 60 * 60 * 1000), }, }, ], }), { path: "services[0].businessLogic[13].actions.fetchObjectActions[0].whereClause", }, ); const { convertUserQueryToSequelizeQuery } = require("common"); const scriptQuery = convertUserQueryToSequelizeQuery(userQuery); // get object from db const data = await getUserByQuery(scriptQuery); return data ? { id: data["id"], } : null; } } ``` --- ### [7] Action : checkArchivedUser **Action Type**: `ValidationAction` Prevents re-register of a user when their profile is still in 30days archive ```js class Api { async checkArchivedUser() { const isError = runMScript(() => this.archivedUser?.email != null, { path: "services[0].businessLogic[13].actions.validationActions[1].validationScript", }); if (isError) { throw new BadRequestError("YourProfileIsArchivedPleaseLoginToRestore"); } return isError; } } ``` --- ### [8] Step : checkBasicAuth Manager performs authentication and authorization checks: verifies session, user roles, permissions, and tenant restrictions. You can use the following settings to change some behavior of this step. `authOptions` --- ### [9] Step : buildDataClause Manager constructs the final data object for creation, fills auto-generated fields (IDs, timestamps, owner fields), and ensures schema consistency. You can use the following settings to change some behavior of this step. `dataClause` --- ### [10] Step : mainCreateOperation Manager executes the database insert operation, updates indexes/caches, and triggers internal post-processing like linked default records. --- ### [11] Step : buildOutput Manager shapes the response: masks sensitive fields, resolves linked references, and formats output according to API contract. --- ### [12] Action : writeVerificationNeedsToResponse **Action Type**: `AddToResponseAction` Set if email or mobile verification needed ```js class Api { async writeVerificationNeedsToResponse() { try { this.output["emailVerificationNeeded"] = runMScript( () => !this.user?.emailVerified, { path: "services[0].businessLogic[13].actions.addToResponseActions[0].context[0].contextValue", }, ); this.output["mobileVerificationNeeded"] = runMScript(() => false, { path: "services[0].businessLogic[13].actions.addToResponseActions[0].context[1].contextValue", }); return true; } catch (error) { console.error("AddToResponseAction error:", error); throw error; } } } ``` --- ### [13] Action : autoLoginAfterRegister **Action Type**: `FunctionCallAction` If no email or mobile verification is needed after registration, automatically create a login session and return the access token in the registration response. This provides a seamless register-and-login experience. ```js class Api { async autoLoginAfterRegister() { try { return await runMScript( () => (async () => await (async () => { try { if ( this.output.emailVerificationNeeded || this.output.mobileVerificationNeeded ) return; const identifier = this.output[this.dataName]?.email; if (!identifier) return; const { createSessionManager } = require("sessionLayer"); const sm = createSessionManager(); await sm.setLoginToRequest(this.request, null, { userField: "email", subjectClaim: identifier, }); this.output.accessToken = sm.accessToken; this.output.autoLoginSession = sm.session; this.request.autoLoginToken = sm.accessToken; console.log( "Auto-login after registration successful for:", identifier, ); } catch (autoLoginErr) { console.log( "Auto-login after registration failed:", autoLoginErr.message, ); } })())(), { path: "services[0].businessLogic[13].actions.functionCallActions[0].callScript", }, ); } catch (err) { console.error("Error in FunctionCallAction autoLoginAfterRegister:", err); throw err; } } } ``` --- ### [14] Step : sendResponse Manager sends the response to the client and finalizes internal tasks like flushing logs or updating session state. --- ### [15] Step : raiseApiEvent Manager triggers API-level events (Kafka, WebSocket, async workflows) as the final internal step. --- ## Rest Usage ### Rest Client Parameters Client parameters are the api parameters that are visible to client and will be populated by the client. Note that some api parameters are not visible to client because they are populated by internal system, session, calculation or joint sources. The `registerUser` api has got 6 regular client parameters | Parameter | Type | Required | Population | | ---------------------- | ---------------------- | -------- | ---------------------------- | | avatar | String | false | request.body?.["avatar"] | | password | String | true | request.body?.["password"] | | fullname | String | true | request.body?.["fullname"] | | email | String | true | request.body?.["email"] | | preferredLanguage | String | false | request.body?.["preferredLanguage"] | | bio | Text | false | request.body?.["bio"] | ### REST Request To access the api you can use the **REST** controller with the path **POST /v1/registeruser** ```js axios({ method: 'POST', url: '/v1/registeruser', data: { avatar:"String", password:"String", fullname:"String", email:"String", preferredLanguage:"String", bio:"Text", }, params: { } }); ``` ### REST Response The API response is encapsulated within a JSON envelope. Successful operations return an HTTP status code of 200 for get, list, update, or delete requests, and 201 for create requests. Each successful response includes a `"status": "OK"` property. For error handling, refer to the "Error Response" section. Following JSON represents the most comprehensive form of the **`user`** object in the respones. However, some properties may be omitted based on the object's internal logic. ```json { "status": "OK", "statusCode": "201", "elapsedMs": 126, "ssoTime": 120, "source": "db", "cacheKey": "hexCode", "userId": "ID", "sessionId": "ID", "requestId": "ID", "dataName": "user", "method": "POST", "action": "create", "appVersion": "Version", "rowCount": 1, "user": { "id": "ID", "email": "String", "password": "String", "fullname": "String", "avatar": "String", "roleId": "String", "emailVerified": "Boolean", "preferredLanguage": "String", "bio": "Text", "isActive": true, "recordVersion": "Integer", "createdAt": "Date", "updatedAt": "Date", "_owner": "ID" } } ```