1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
|
# Initial setup
```mermaid
---
Service lifecycle
---
stateDiagram-v2
uninit : Awaiting setup
inservice : In service
[*] --> uninit
uninit --> inservice : POST /api/setup
inservice --> [*]
```
New instances of this service require an initial setup step before they can fully enter service. This setup is performed online, via the API endpoints in this section.
## Requests before setup completed
Before the service is set up, all API endpoints, other than those specifically documented as exceptions, will return a status of
`503 Service Unavailable` to all requests.
Initial setup can be completed only once.
## `POST /api/setup`
Initial setup performs the following tasks:
- Create the first user for the service.
This is the only user that does not require an [invitation](./invitations.md).
**This endpoint does not require an `identity` cookie.**
**This endpoint can be called before initial setup.**
### Request
```json
{
"name": "example username",
"password": "the plaintext password"
}
```
The request must have the following fields:
| Field | Type | Description |
| :--------- | :----- | :------------------------------------------- |
| `name` | string | The initial login's name. |
| `password` | string | The initial login's password, in plain text. |
<!-- Reproduced in invitations.md. Edit in both places. -->
The proposed `name` must be valid. The precise definition of valid is still up in the air, but, at minimum:
- It must be non-empty.
- It must not be "too long." (Currently, 64 characters is too long.)
- It must begin with a printing character.
- It must end with a printing character.
- It must not contain runs of multiple whitespace characters.
### Success
<!-- This prose is duplicated from authentication.md, with small changes for context. If you edit it here, edit it there, too. -->
This endpoint will respond with a status of
`200 Okay` when successful. The body of the response will be a JSON object describing the newly-created user:
```json
{
"id": "Uabcd1234",
"name": "Andrea"
}
```
The response will include the following fields:
| Field | Type | Description |
| :----- | :----- | :------------------------------------------------------------------------------------------------------------------------------------------------- |
| `id` | string | A unique identifier for the newly-created user. This can be used to associate the user with other events, or to make API calls targeting the user. |
| `name` | string | The user's name. |
The returned name may not be identical to the name requested, as the name will be converted to [normalization form C](http://www.unicode.org/reports/tr15/) automatically. The returned name will include this normalization; the service will use the normalized name elsewhere, and does not store the originally requested name.
The provided password will also be converted to normalization form C. However, the normalized password is not returned to the client.
The response will include a `Set-Cookie` header for the
`identity` cookie, providing the client with a newly-minted identity token associated with the initial user created for this request. See the [authentication](./authentication) section for details on how this cookie may be used.
The cookie will expire if it is not used regularly.
### Name not valid
This endpoint will respond with a status of `400 Bad Request` if the proposed `name` is not valid.
### Setup previously completed
Once completed, this operation cannot be performed a second time. Subsequent requests to this endpoint will respond with a status of
`409 Conflict`.
|
