36c1fe805e
Move /api/cms/user and /api/skydive/applications to a new /api/auth domain. Users and API key applications are identity/access concerns, not CMS or skydive content. The auth domain provides a clear boundary for future middleware hardening (rate limiting, audit logging, etc). docs: add ADR 0014
2.7 KiB
2.7 KiB
Extract user and application routes into a dedicated auth domain
- Status: accepted
- Date: 2026-05-01
Context and Problem Statement
User authentication/registration routes (/api/cms/user) were grouped under the CMS domain, and API key application routes (/api/skydive/applications) were grouped under the Skydive domain. Neither resource is domain-specific content: users and applications are identity and access management concerns shared across all domains.
Decision Drivers
- The domain prefix should reflect what a resource is, not which feature first needed it.
/api/cms/userimplies users are CMS content;/api/skydive/applicationsimplies API keys are skydive data — both are misleading.- A dedicated
authdomain makes the security boundary explicit and easier to apply targeted middleware (rate limiting, stricter CORS, etc.) in the future.
Considered Options
- Keep routes in their current domains
- Move only users out of CMS, leave applications in skydive
- Create a dedicated
authdomain for both
Decision Outcome
Chosen option: "dedicated auth domain", because both resources are identity/access concerns and grouping them together makes the API surface self-documenting.
Changes made:
src/routes/api/auth/created withusers.routes.js,applications.routes.js, andindex.js/userremoved fromsrc/routes/api/cms/index.js/applicationsremoved fromsrc/routes/api/skydive/index.js/authdomain registered insrc/routes/api/index.js- Frontend
user.service.tsandapplications.service.tsupdated:_apiDomainchanged from/cmsand/skydiveto/auth
Resulting routes: /api/auth/user/* and /api/auth/applications/*.
Positive Consequences
- API domain structure matches resource semantics — auth concerns are isolated from content and feature domains.
- A single place to tighten auth-specific middleware (rate limiting, IP allowlists, audit logging) without touching other domains.
Negative Consequences
- Breaking change on the API surface — any client other than the Angular frontend calling the old paths must be updated.
Pros and Cons of the Options
Keep routes in current domains
- Good, because no migration effort.
- Bad, because the domain prefix actively misleads — users are not CMS content, applications are not skydive data.
Move only users out of CMS
- Good, because smaller change.
- Bad, because applications in skydive remains wrong, and two related resources end up in different places.
Dedicated auth domain
- Good, because both resources land where their semantics say they belong.
- Good, because the auth boundary is explicit and ready for future hardening.
- Bad, because it is a breaking change requiring a coordinated update of all consumers.