AI VOID
DATE: 2026.01.01 00:00 CLEARANCE: PUBLIC

Chapter 3: API Design

// table of contents

Chapter 3: API Design

Introduction

The API (Application Programming Interface) is the backbone of the Grocery Manager application, enabling seamless communication between the client-side user interface, backend services, and external platforms like WhatsApp. A well-designed API is critical for the application’s scalability, maintainability, and user experience, especially given its collaborative nature and real-time requirements. This chapter outlines the principles, endpoints, contracts, and integration patterns that govern our API design, leveraging the capabilities of Next.js, PostgreSQL, Redis, and AWS/Kubernetes for a robust and performant system.

3.1 API Design Principles

Our API design adheres to the following core principles to ensure clarity, consistency, and resilience:

  1. RESTfulness: We primarily adopt RESTful principles for resource-oriented endpoints, using standard HTTP methods (GET, POST, PUT, DELETE) to perform operations on resources. This promotes intuitive understanding and ease of integration.
  2. Resource-Oriented Naming: Endpoints are named using nouns representing resources (e.g., /api/families, /api/lists), not actions. Actions are inferred from HTTP methods.
  3. Statelessness: Each request from a client to the server contains all the information needed to understand the request. The server does not store any client context between requests.
  4. Version Control: APIs will be versioned (e.g., /api/v1/families) to allow for future evolution without breaking existing clients. This is crucial for long-term maintainability.
  5. Security First: All API interactions are secured with appropriate authentication and authorization mechanisms. Data integrity and confidentiality are paramount.
  6. Idempotency: Repeated identical requests (especially for PUT, DELETE) will have the same effect as a single request. This is vital for reliable operations in distributed systems.
  7. Clear Contracts: Request and response payloads are well-defined using JSON schemas, ensuring predictable data exchange.
  8. Meaningful Error Handling: API responses include clear and consistent error messages with appropriate HTTP status codes to facilitate debugging and error recovery.

3.2 Core API Endpoints and Contracts

The application’s core functionality revolves around managing families, grocery lists, items, and orders. Below are the primary resource domains and example endpoints, along with their expected contracts.

3.2.1 User Management

Manages user profiles, authentication, and family membership.

  • POST /api/v1/auth/register: Register a new user.
    • Request: {"email": "user@example.com", "password": "secure_password", "name": "John Doe"}
    • Response (201 Created): {"id": "user_id_uuid", "email": "user@example.com", "name": "John Doe"}
  • POST /api/v1/auth/login: Authenticate a user.
    • Request: {"email": "user@example.com", "password": "secure_password"}
    • Response (200 OK): {"token": "jwt_token", "user": {"id": "user_id_uuid", "email": "user@example.com"}}
  • GET /api/v1/users/me: Get current user’s profile.
    • Response (200 OK): {"id": "user_id_uuid", "email": "user@example.com", "name": "John Doe", "familyId": "family_id_uuid"}

3.2.2 Family Management

Enables creation, joining, and management of family units.

  • POST /api/v1/families: Create a new family.
    • Request: {"name": "Smith Family"}
    • Response (201 Created): {"id": "family_id_uuid", "name": "Smith Family", "ownerId": "user_id_uuid"}
  • GET /api/v1/families/{familyId}: Get details of a specific family.
    • Response (200 OK): {"id": "family_id_uuid", "name": "Smith Family", "members": [{"id": "user_id_uuid", "name": "John Doe"}], "lists": [...]}
  • POST /api/v1/families/{familyId}/invite: Generate an invitation link/code for a family.
    • Request: {"email": "new_member@example.com"} (Optional, for direct invites)
    • Response (200 OK): {"inviteCode": "unique_code_string"}
  • POST /api/v1/families/join: Join a family using an invite code.
    • Request: {"inviteCode": "unique_code_string"}
    • Response (200 OK): {"message": "Successfully joined family", "familyId": "family_id_uuid"}

3.2.3 Grocery List Management

Handles creation, modification, and sharing of grocery lists.

  • POST /api/v1/families/{familyId}/lists: Create a new grocery list for a family.
    • Request: {"name": "Weekly Groceries", "description": "Items needed for the week"}
    • Response (201 Created): {"id": "list_id_uuid", "name": "Weekly Groceries", "familyId": "family_id_uuid", "createdAt": "..."}
  • GET /api/v1/families/{familyId}/lists: Get all grocery lists for a family.
    • Response (200 OK): [{"id": "list_id_uuid", "name": "Weekly Groceries", "itemCount": 5}, ...]
  • GET /api/v1/lists/{listId}: Get details of a specific grocery list, including items.
    • Response (200 OK): {"id": "list_id_uuid", "name": "Weekly Groceries", "items": [{"id": "item_id_uuid", "name": "Milk", "quantity": 1, "checked": false}, ...]}
  • PUT /api/v1/lists/{listId}: Update a grocery list’s metadata.
    • Request: {"name": "Updated List Name"}
    • Response (200 OK): {"id": "list_id_uuid", "name": "Updated List Name", ...}
  • DELETE /api/v1/lists/{listId}: Delete a grocery list.
    • Response (204 No Content)

3.2.4 List Item Management

Manages individual items within a grocery list.

  • POST /api/v1/lists/{listId}/items: Add a new item to a grocery list.
    • Request: {"name": "Milk", "quantity": 1, "unit": "liter"}
    • Response (201 Created): {"id": "item_id_uuid", "name": "Milk", "quantity": 1, "checked": false, "listId": "list_id_uuid"}
  • PUT /api/v1/lists/{listId}/items/{itemId}: Update an item’s details (e.g., quantity, checked status).
    • Request: {"quantity": 2, "checked": true}
    • Response (200 OK): {"id": "item_id_uuid", "name": "Milk", "quantity": 2, "checked": true, ...}
  • DELETE /api/v1/lists/{listId}/items/{itemId}: Remove an item from a list.
    • Response (204 No Content)

3.2.5 Order Management (WhatsApp Integration)

Facilitates sending grocery lists to vendors via WhatsApp.

  • POST /api/v1/lists/{listId}/order: Generate and send a grocery list as an order via WhatsApp.
    • Request: {"vendorPhoneNumber": "+1234567890", "messageTemplate": "..."}
    • Response (202 Accepted): {"message": "Order initiated, check WhatsApp for delivery status."}

3.3 Integration Patterns

Our API design leverages Next.js’s App Router features, real-time capabilities with Redis, and external service integrations.

3.3.1 Next.js App Router: Server Actions and API Routes

Next.js App Router significantly impacts how we define and interact with our “APIs.”

  • Server Actions: For mutations (POST, PUT, DELETE operations) that originate from UI forms or interactive elements, Server Actions are the preferred pattern. They offer a direct, type-safe way to perform server-side data mutations without explicit API route definitions, enhancing developer experience and performance.
    • Use Case: Adding a grocery item, toggling an item’s checked status, creating a new list.
  • API Routes (/app/api/...): Traditional API routes remain essential for:
    • Public-facing endpoints that require standard HTTP request/response patterns (e.g., webhook receivers, third-party integrations).
    • Complex data fetching where a pure RESTful interface is beneficial (e.g., detailed reports, paginated lists with advanced filtering).
    • When a client other than the Next.js frontend needs to interact with the backend (e.g., a mobile app, external service).
    • Use Case: WhatsApp integration, user authentication, general data fetching.
  • React Server Components (RSC): For initial data fetching and rendering of UI components on the server. This is not an “API” in the traditional sense but dictates how much data is fetched before the client-side JavaScript takes over, optimizing initial load times.
    • Use Case: Displaying a user’s lists on the dashboard page.

Next.js API Interaction Flow

graph TD A["Client Browser"] -->|"User Action (e.g., Form Submit)"| B{"Next.js Frontend"} B -->|"1. Server Action Call"| C["Next.js Server (Server Action)"] B -->|"2. API Route Call (fetch /api/...)"| D["Next.js Server (API Route)"] C -->|"Prisma ORM"| E["PostgreSQL Database"] D -->|"Prisma ORM"| E C -->|"Publish Event"| F["Redis Pub/Sub"] D -->|"Publish Event"| F F -->|"Subscribe Event"| G["Next.js Server (WebSocket Handler)"] G -->|"WebSocket"| A D -->|"External API Call"| H["WhatsApp API"]

3.3.2 Real-time Collaboration (Redis Pub/Sub, WebSockets)

For features like collaborative list editing, real-time updates are crucial.

  • Redis Pub/Sub: Acts as a message broker for broadcasting changes across connected clients. When a user modifies a list item (e.g., checks it off), the backend publishes an event to a Redis channel specific to that list.
  • WebSockets: A dedicated WebSocket server (managed within our Next.js backend or as a separate service) subscribes to relevant Redis channels. It then pushes updates to all connected clients viewing that specific list, ensuring all family members see changes instantly.

3.3.3 External Services (WhatsApp Integration)

Integrating with WhatsApp for sending grocery lists to vendors involves:

  • Dedicated API Route: An API route (POST /api/v1/lists/{listId}/order) handles the request from the client.
  • Python Microservice/Function: Given Python’s strong ecosystem for messaging and scripting, a Python-based microservice or AWS Lambda function can be invoked by the Next.js backend to interact with the WhatsApp Business API. This decouples the messaging logic and allows for specialized handling (e.g., message formatting, retry logic).
  • Asynchronous Processing: Sending messages to external APIs should be asynchronous to prevent blocking the main request thread. A message queue (e.g., AWS SQS, Redis Queue) can be used to queue these requests, with the Python service processing them.
sequenceDiagram participant C as Client (Next.js Frontend) participant N as Next.js Server (API Route) participant P as Python Service (AWS Lambda/Container) participant W as WhatsApp API C->>N: POST /api/v1/lists/{listId}/order (Send order) activate N N->>N: Validate Request & Authorize User N->>P: Invoke Python Service (via HTTP/RPC/Queue) activate P P->>P: Format Grocery List for WhatsApp P->>W: Send Message to Vendor activate W W-->>P: Message Sent Confirmation deactivate W P-->>N: Success/Failure Status deactivate P N-->>C: 202 Accepted (Order initiated) deactivate N

3.4 Data Modeling and API Contract Alignment

Our PostgreSQL database, managed with Prisma ORM, directly influences our API contracts. Prisma’s schema definitions serve as the source of truth for our data models, ensuring consistency between the database, backend logic, and API payloads.

Example Prisma Schema Snippet:

// prisma/schema.prisma
model Family {
  id        String    @id @default(uuid())
  name      String
  ownerId   String
  owner     User      @relation("OwnedFamilies", fields: [ownerId], references: [id])
  members   User[]    @relation("FamilyMembers")
  lists     GroceryList[]
  createdAt DateTime  @default(now())
  updatedAt DateTime  @updatedAt
}

model GroceryList {
  id          String      @id @default(uuid())
  name        String
  description String?
  familyId    String
  family      Family      @relation(fields: [familyId], references: [id], onDelete: Cascade)
  items       ListItem[]
  createdAt   DateTime    @default(now())
  updatedAt   DateTime    @updatedAt
}

model ListItem {
  id          String      @id @default(uuid())
  name        String
  quantity    Int         @default(1)
  unit        String?
  checked     Boolean     @default(false)
  listId      String
  list        GroceryList @relation(fields: [listId], references: [id], onDelete: Cascade)
  createdAt   DateTime    @default(now())
  updatedAt   DateTime    @updatedAt
}

This Prisma schema directly maps to the JSON structures described in Section 3.2. For instance, a GroceryList query would return id, name, description, familyId, createdAt, updatedAt, and potentially an array of ListItem objects, mirroring the relations defined.

3.5 Scalability and Performance Considerations

  • Caching (Redis): Frequently accessed, less volatile data (e.g., family details, user profiles) will be cached in Redis to reduce database load and improve response times. Redis is also used for session management and real-time pub/sub.
  • Pagination, Filtering, Sorting: All list-based API endpoints (e.g., GET /api/v1/families/{familyId}/lists) will support pagination (?page=1&limit=10), filtering (?status=active), and sorting (?sortBy=name&order=asc) to efficiently handle large datasets.
  • Rate Limiting: API endpoints will implement rate limiting to prevent abuse and ensure fair usage, protecting backend resources. This can be implemented at the ingress (Kubernetes Ingress Controller, AWS API Gateway) or within the Next.js application.
  • Database Indexing: PostgreSQL tables will be appropriately indexed on frequently queried columns (e.g., familyId on GroceryList, listId on ListItem) to optimize query performance.
  • Connection Pooling: Database connection pooling (managed by Prisma and optimized for serverless/container environments) will be configured to efficiently reuse database connections.

3.6 Security Considerations

  • Authentication: NextAuth.js (or similar) will be used for robust authentication, supporting various providers (email/password, social logins). JWTs (JSON Web Tokens) will be used for stateless session management.
  • Authorization: Role-Based Access Control (RBAC) will govern access to resources. For example, only family members can view/edit their family’s lists, and list owners might have additional privileges. Middleware or decorators will enforce these rules on API endpoints and Server Actions.
  • Input Validation: All incoming API requests (payloads, query parameters) will undergo strict server-side validation to prevent injection attacks and ensure data integrity. Zod or similar schema validation libraries will be used.
  • CORS (Cross-Origin Resource Sharing): Properly configured to allow requests only from trusted origins (our frontend domain).
  • HTTPS Everywhere: All API communication will occur over HTTPS to encrypt data in transit.
  • Environment Variable Management: Sensitive information (API keys, database credentials) will be stored securely using AWS Secrets Manager and accessed via environment variables, never hardcoded.

Best Practices

  • API Versioning: As established, /api/v1/ prefix ensures backward compatibility and allows for graceful evolution.
  • Comprehensive Documentation: Use OpenAPI/Swagger specifications to document all API endpoints, request/response schemas, authentication requirements, and error codes. This aids both frontend and future third-party developers.
  • Consistent Error Handling: Return standardized JSON error objects with clear messages, internal error codes, and appropriate HTTP status codes (e.g., 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 500 Internal Server Error).
  • Observability: Implement robust logging (structured logs to AWS CloudWatch), monitoring (Prometheus/Grafana on Kubernetes), and tracing (AWS X-Ray) for all API interactions to quickly identify and diagnose issues.
  • Thorough Testing: Implement unit tests for individual API handlers/Server Actions, integration tests for service interactions (e.g., API to DB), and end-to-end tests covering critical user flows.
  • Asynchronous Operations: For long-running tasks (like sending WhatsApp messages), use asynchronous processing with message queues to prevent timeouts and improve user experience.

Implementation Examples

Next.js API Route Example (/app/api/v1/lists/[listId]/route.ts)

// app/api/v1/lists/[listId]/route.ts
import { NextResponse } from 'next/server';
import { auth } from '@/lib/auth'; // Custom auth utility
import prisma from '@/lib/prisma'; // Prisma client
import { z } from 'zod'; // For validation

const updateListSchema = z.object({
  name: z.string().min(1).optional(),
  description: z.string().optional(),
});

export async function GET(
  request: Request,
  { params }: { params: { listId: string } }
) {
  const session = await auth();
  if (!session) {
    return NextResponse.json({ message: 'Unauthorized' }, { status: 401 });
  }

  try {
    const list = await prisma.groceryList.findUnique({
      where: { id: params.listId },
      include: {
        items: {
          orderBy: { createdAt: 'asc' },
        },
        family: {
          select: { members: { select: { id: true } } },
        },
      },
    });

    if (!list) {
      return NextResponse.json({ message: 'List not found' }, { status: 404 });
    }

    // Authorization: Check if user is a member of the family that owns the list
    const isFamilyMember = list.family.members.some(member => member.id === session.user.id);
    if (!isFamilyMember) {
      return NextResponse.json({ message: 'Forbidden' }, { status: 403 });
    }

    return NextResponse.json(list);
  } catch (error) {
    console.error('Error fetching list:', error);
    return NextResponse.json({ message: 'Internal Server Error' }, { status: 500 });
  }
}

export async function PUT(
  request: Request,
  { params }: { params: { listId: string } }
) {
  const session = await auth();
  if (!session) {
    return NextResponse.json({ message: 'Unauthorized' }, { status: 401 });
  }

  const body = await request.json();
  const validation = updateListSchema.safeParse(body);

  if (!validation.success) {
    return NextResponse.json({ errors: validation.error.errors }, { status: 400 });
  }

  try {
    // Authorization check (similar to GET, omitted for brevity but crucial)
    const updatedList = await prisma.groceryList.update({
      where: { id: params.listId },
      data: validation.data,
    });
    return NextResponse.json(updatedList);
  } catch (error) {
    console.error('Error updating list:', error);
    return NextResponse.json({ message: 'Internal Server Error' }, { status: 500 });
  }
}

Next.js Server Action Example (/app/dashboard/[familyId]/[listId]/actions.ts)

// app/dashboard/[familyId]/[listId]/actions.ts
'use server'; // Mark this file as server-only

import { auth } from '@/lib/auth';
import prisma from '@/lib/prisma';
import { revalidatePath } from 'next/cache';
import { z } from 'zod';

const createListItemSchema = z.object({
  listId: z.string().uuid(),
  name: z.string().min(1, "Item name cannot be empty."),
  quantity: z.coerce.number().min(1).default(1),
  unit: z.string().optional(),
});

export async function createListItem(formData: FormData) {
  const session = await auth();
  if (!session) {
    return { success: false, message: 'Unauthorized' };
  }

  const data = {
    listId: formData.get('listId'),
    name: formData.get('name'),
    quantity: formData.get('quantity'),
    unit: formData.get('unit'),
  };

  const validation = createListItemSchema.safeParse(data);
  if (!validation.success) {
    return { success: false, errors: validation.error.flatten().fieldErrors };
  }

  try {
    // Authorization: Ensure user is part of the family that owns the list
    const list = await prisma.groceryList.findUnique({
      where: { id: validation.data.listId },
      select: { family: { select: { members: { select: { id: true } } } } },
    });

    if (!list || !list.family.members.some(member => member.id === session.user.id)) {
        return { success: false, message: 'Forbidden: You do not have access to this list.' };
    }

    const newItem = await prisma.listItem.create({
      data: {
        listId: validation.data.listId,
        name: validation.data.name,
        quantity: validation.data.quantity,
        unit: validation.data.unit,
      },
    });

    // Revalidate the path to show the new item immediately on the client
    revalidatePath(`/dashboard/${list.familyId}/${validation.data.listId}`);

    // Publish event for real-time updates
    // await redis.publish(`list:${validation.data.listId}`, JSON.stringify({ type: 'ITEM_ADDED', item: newItem }));

    return { success: true, item: newItem };
  } catch (error) {
    console.error('Error creating list item:', error);
    return { success: false, message: 'Failed to create item' };
  }
}

// Example for toggling an item's checked status
export async function toggleListItemChecked(itemId: string, listId: string, checked: boolean) {
  const session = await auth();
  if (!session) {
    return { success: false, message: 'Unauthorized' };
  }

  try {
    // Authorization check
    const list = await prisma.groceryList.findUnique({
      where: { id: listId },
      select: { family: { select: { members: { select: { id: true } } } } },
    });

    if (!list || !list.family.members.some(member => member.id === session.user.id)) {
        return { success: false, message: 'Forbidden: You do not have access to this list.' };
    }

    const updatedItem = await prisma.listItem.update({
      where: { id: itemId, listId: listId },
      data: { checked: checked },
    });

    revalidatePath(`/dashboard/${list.familyId}/${listId}`);
    // await redis.publish(`list:${listId}`, JSON.stringify({ type: 'ITEM_UPDATED', item: updatedItem }));

    return { success: true, item: updatedItem };
  } catch (error) {
    console.error('Error toggling list item:', error);
    return { success: false, message: 'Failed to update item status' };
  }
}

Common Pitfalls

  • Over-fetching/Under-fetching: Returning too much data (over-fetching) or not enough (under-fetching) can lead to inefficient API calls. Design endpoints to return precisely what the client needs or provide options for eager loading/field selection.
  • Lack of Versioning: Failing to version APIs can lead to breaking changes for existing clients when updates are deployed, causing significant disruption.
  • Inadequate Error Handling: Generic error messages or inconsistent error structures make debugging difficult for consumers.
  • Security Vulnerabilities: Neglecting authentication, authorization, input validation, or using insecure communication can expose sensitive data or allow unauthorized access.
  • N+1 Query Problem: Inefficient database queries where fetching a list of parent entities leads to N additional queries for their children. Prisma’s include and select can mitigate this.
  • Ignoring Idempotency: For critical write operations, if a request fails and is retried, it might lead to duplicate records or unintended side effects if not handled idempotently.
  • Tight Coupling: Overly specific API designs that tightly couple the client to the server’s internal data structures can hinder future evolution. Use abstractions where possible.
  • Blocking I/O for External Calls: Synchronously waiting for external APIs (like WhatsApp) can block server resources and degrade performance. Always use asynchronous patterns for such integrations.

Summary

The API design for the Grocery Manager application is centered on providing a robust, scalable, and secure interface for collaborative family management. By adhering to RESTful principles, leveraging Next.js App Router’s Server Actions and API Routes, integrating real-time capabilities with Redis, and securely interacting with external services like WhatsApp, we aim to deliver a seamless user experience. Detailed endpoint contracts, coupled with strong security measures, performance considerations, and a commitment to best practices, ensure the API serves as a solid foundation for the application’s current and future development.