// Single client for the Car Control API Server. The web app never talks to
// PocketBase directly — only to these endpoints (proxied to the API Server in
// dev via vite.config.js).
// Default API base: the Vite env override, else the same-origin "/api" (proxied
// to the API Server in dev). A user can override this at runtime via the login
// screen's "Server settings" — stored in localStorage and used for every call.
export const DEFAULT_API_BASE = import.meta.env.VITE_API_BASE || "/api";
const SERVER_KEY = "cc_server_url";
// Resolved fresh on each request so changing it takes effect without a reload.
function apiBase() {
return localStorage.getItem(SERVER_KEY) || DEFAULT_API_BASE;
}
export function getServerUrl() {
return localStorage.getItem(SERVER_KEY) || "";
}
// Persist a custom API base URL (trailing slashes trimmed). Empty/blank clears
// the override, falling back to the default.
export function setServerUrl(url) {
const trimmed = (url || "").trim().replace(/\/+$/, "");
if (trimmed) localStorage.setItem(SERVER_KEY, trimmed);
else localStorage.removeItem(SERVER_KEY);
}
export const TOKEN_KEY = "cc_token";
export const USER_KEY = "cc_user";
function authHeader() {
const t = localStorage.getItem(TOKEN_KEY);
return t ? { Authorization: "Bearer " + t } : {};
}
async function handleResponse(res, path) {
// An expired/invalid token on any non-login call ends the session.
if (res.status === 401 && path !== "/auth/login") {
localStorage.removeItem(TOKEN_KEY);
localStorage.removeItem(USER_KEY);
if (location.pathname !== "/login") location.href = "/login";
throw new Error("Session expired — please log in again.");
}
if (res.status === 204) return null;
const text = await res.text();
const data = text ? JSON.parse(text) : null;
if (!res.ok) {
const msg = (data && (data.error || data.message)) || res.statusText;
throw new Error(msg);
}
return data;
}
async function request(path, options = {}) {
const res = await fetch(apiBase() + path, {
headers: { "Content-Type": "application/json", ...authHeader(), ...(options.headers || {}) },
...options,
});
return handleResponse(res, path);
}
// Like request(), but for multipart/form-data bodies (file uploads) — the
// browser sets its own Content-Type (with boundary), so we must not.
async function requestForm(path, options = {}) {
const res = await fetch(apiBase() + path, { headers: { ...authHeader() }, ...options });
return handleResponse(res, path);
}
// Fetches a binary response (image, export file) as a Blob, since it needs the
// Authorization header — a plain
or can't attach one.
async function requestBlob(path) {
const res = await fetch(apiBase() + path, { headers: authHeader() });
if (res.status === 401) return handleResponse(res, path);
if (!res.ok) throw new Error("Request failed: " + res.statusText);
const filename = (res.headers.get("Content-Disposition") || "").match(/filename="([^"]+)"/)?.[1];
return { blob: await res.blob(), filename };
}
export const api = {
// Auth
login: (email, password) =>
request("/auth/login", { method: "POST", body: JSON.stringify({ email, password }) }),
me: () => request("/auth/me"),
// Cars
listCars: () => request("/cars"),
getCar: (id) => request(`/cars/${id}`),
createCar: (body) => request("/cars", { method: "POST", body: JSON.stringify(body) }),
updateCar: (id, body) => request(`/cars/${id}`, { method: "PATCH", body: JSON.stringify(body) }),
deleteCar: (id) => request(`/cars/${id}`, { method: "DELETE" }),
// Sharing (owner-only). A share grants another user read or write access.
listCarShares: (carId) => request(`/cars/${carId}/shares`),
addCarShare: (carId, email, permission) =>
request(`/cars/${carId}/shares`, { method: "POST", body: JSON.stringify({ email, permission }) }),
removeCarShare: (carId, userId) =>
request(`/cars/${carId}/shares/${userId}`, { method: "DELETE" }),
// Service records
listCarServices: (carId) => request(`/cars/${carId}/service-records`),
createService: (body) =>
request("/service-records", { method: "POST", body: JSON.stringify(body) }),
updateService: (id, body) =>
request(`/service-records/${id}`, { method: "PATCH", body: JSON.stringify(body) }),
deleteService: (id) => request(`/service-records/${id}`, { method: "DELETE" }),
// Parts
listCarParts: (carId) => request(`/cars/${carId}/parts`),
createPart: (body) => request("/parts", { method: "POST", body: JSON.stringify(body) }),
updatePart: (id, body) =>
request(`/parts/${id}`, { method: "PATCH", body: JSON.stringify(body) }),
deletePart: (id) => request(`/parts/${id}`, { method: "DELETE" }),
// Admin — user management (admin role only)
listUsers: () => request("/admin/users"),
createUser: (body) => request("/admin/users", { method: "POST", body: JSON.stringify(body) }),
updateUser: (id, body) => request(`/admin/users/${id}`, { method: "PATCH", body: JSON.stringify(body) }),
setUserPassword: (id, newPassword) =>
request(`/admin/users/${id}/password`, { method: "POST", body: JSON.stringify({ newPassword }) }),
deleteUser: (id) => request(`/admin/users/${id}`, { method: "DELETE" }),
// Settings — account/profile/appearance
getMe: () => request("/me"),
updateMe: (body) => request("/me", { method: "PATCH", body: JSON.stringify(body) }),
changePassword: (oldPassword, newPassword) =>
request("/me/password", { method: "POST", body: JSON.stringify({ oldPassword, newPassword }) }),
requestVerification: () => request("/me/verify/request", { method: "POST" }),
uploadAvatar: (file) => {
const form = new FormData();
form.append("avatar", file);
return requestForm("/me/avatar", { method: "POST", body: form });
},
deleteAvatar: () => request("/me/avatar", { method: "DELETE" }),
getAvatarBlob: () => requestBlob("/me/avatar"),
// Settings — privacy & security (active sessions)
listSessions: () => request("/sessions"),
revokeSession: (id) => request(`/sessions/${id}`, { method: "DELETE" }),
revokeOtherSessions: () => request("/sessions", { method: "DELETE" }),
// Settings — advanced / danger zone
exportData: () => requestBlob("/me/export"),
importData: (payload) => request("/me/import", { method: "POST", body: JSON.stringify(payload) }),
requestAccountDeletion: (confirmEmail) =>
request("/me/delete", { method: "POST", body: JSON.stringify({ confirmEmail }) }),
cancelAccountDeletion: () => request("/me/delete/cancel", { method: "POST" }),
finalizeAccountDeletion: () => request("/me", { method: "DELETE" }),
};