Added some documentation to the API

docs/api/authentication.md

@@ -0,0 +1,61 @@
+---
+title: Authentication
+layout: default
+parent: API
+nav_order: 2
+---
+
+# Authentication
+
+To use API endpoints, the external application has to authenticate itself, so that Part-DB knows which user is accessing the data and which permissions
+the application should have during the access. Authentication is always bound to a specific user, so the external applications is acting on behalf of a
+specific user. This user limits the permissions of the application, so that it can only access data, which the user is allowed to access.
+
+The only method currently available for authentication is to use API tokens:
+
+## API tokens
+
+An API token is a long alphanumeric string, which is bound to a specific user and can be used to authenticate as this user, when accessing the API.
+The API token is passed via the `Authentication` HTTP header during the API request, like the following: `Authentication: Bearer tcp_sdjfks....`.
+
+{: .important }
+> Everbody who knows the API token can access the API as the user, which is bound to the token. So you should treat the API token like a password
+> and keep it secret. Only share it with trusted applications.
+
+API tokens can be created and managed on the user settings page in the API token section. You can create as many API tokens as you want and also delete them again.
+When deleting a token, it is immediately invalidated and can not be used anymore, which means that the application can not access the API anymore with this token.
+
+
+### Token permissions and scopes
+
+API tokens are ultimately limited by the permissions of the user, which belongs to the token. That means that the token
+can only access data, which the user is allowed to access, no matter the token permissions.
+
+But you can further limit the permissions of a token by choosing a specific scope for the token. The scope defines which
+subset of permissions the token has, which can be less than the permissions of the user. For example you can have a user
+with full read and write permissions, but create a token with only read permissions, which can only read data, but not 
+change anything in the database.
+
+{: .warning }
+> In general you should always use the least possible permissions for a token, to limit the possible damage, which can be done with a stolen token or a bug in the application.
+> Only use the full or admin scope, if you really need it, as they could potentially be used to do a lot of damage to your Part-DB instance.
+
+Following token scopes are available:
+
+* **Read-Only**: The token can only read non-sensitive data (like parts, but no users or groups) from the API and can not change anything.
+* **Edit**: The token can read and write non-sensitive data via the API. This includes creating, updating and deleting data. This should be enough for most applications.
+* **Admin**: The token can read and write all data via the API, including sensitive data like users and groups. This should only be used for trusted applications, which need to access sensitive data, and perform administrative actions.
+* **Full**: The token can do anything the user can do, including changing the users password and create new tokens. This should only be used for highly trusted applications!!
+
+Please note, that in early versions of the API, there might be no endpoints yet, to really perform the actions, which would be allowed by the token scope.
+
+### Expiration date
+
+API tokens can have an expiration date, which means that the token is only valid until the expiration date. After that
+the token is automatically invalidated and can not be used anymore. The token is still listed on the user settings page,
+and can be deleted there, but the code can not be used to access Part-DB anymore after the expiration date.
+
+### Get token information
+
+When authenticating with an API token, you can get information about the currently used token by accessing the `/api/tokens/current` endpoint.
+It gives you information about the token scope, expiration date and the user, which is bound to the token and the last time the token was used.

docs/api/index.md

@@ -0,0 +1,11 @@
+---
+layout: default
+title: API
+nav_order: 7
+has_children: true
+---
+
+# API
+
+Part-DB provides a REST API to access the data stored in the database.
+In this section you can find information about the API and how to use it.

docs/api/intro.md

@@ -0,0 +1,71 @@
+---
+title: Introduction
+layout: default
+parent: API
+nav_order: 1
+---
+
+# Introduction
+
+Part-DB provides a [REST API](https://en.wikipedia.org/wiki/REST) to programmatically access the data stored in the database.
+This allows external applications to interact with Part-DB, extend it or integrate it into other applications.
+
+{: .warning }
+> This feature is currently in beta. Please report any bugs you find.
+> The API should not be considered stable yet and could change in future versions, without prior notice.
+> Also be aware, that there might be security issues in the API, which could allow attackers to access or edit data via the API, which
+> they normally should be able to access. So currently you should only use the API with trusted users and trusted applications.
+
+Part-DB uses [API Platform](https://api-platform.com/) to provide the API, which allows for easy creation of REST APIs with Symfony and gives you a lot of features out of the box.
+See the [API Platform documentation](https://api-platform.com/docs/core/) for more details about the API Platform features and how to use them.
+
+## Enable the API
+
+The API is available under the `/api` path, but not reachable without proper permissions.
+You have to give the users, which should be able to access the API the proper permissions (Misceallaneous -> API).
+Please note that there are two relevant permissions, the first one allows users to access the `/api/` path at all and showing the documentation,
+and the second one allows them to create API tokens which is needed for authentication of external applications.
+ 
+## Authentication
+
+To use API endpoints, the external application has to authenticate itself, so that Part-DB knows which user is accessing the data and
+which permisions the application should have. Basically this is done by creating a API token for a user and then passing it on every request 
+with the `Authorization` header as bearer token, so you add a header `Authorization: Bearer <your token>`.
+
+See [Authentication chapter]({% link api/authentication.md %}) for more details.
+
+## API endpoints
+
+The API is split into different endpoints, which are reachable under the `/api/` path of your Part-DB instance (so `https://your-part-db.local/api/`).
+There are various endpoints for each entity type (like `part`, `manufacturer`, etc.), which allow you to read and write data and some special endpoints like `search` or `statistics`.
+
+For example all API endpoints for managing categories are available under `/api/categories/`. Depending on the exact path and the HTTP method used, you can read, create, update or delete categories.
+For most entities, there are endpoints like this:
+* **GET**: `/api/categories/` - List all categories in the database (with pagination of the results)
+* **POST**: `/api/categories/` - Create a new category
+* **GET**: `/api/categories/{id}` - Get a specific category by its ID
+* **DELETE**: `/api/categories/{id}` - Delete a specific category by its ID
+* **UPDATE**: `/api/categories/{id}` - Update a specific category by its ID. Only the fields which are sent in the request are updated, all other fields are left unchanged. Be aware that you have to set the [JSON Patch](https://en.wikipedia.org/wiki/JSON_Patch) content type header (`Content-Type: application/merge-patch+json`) for this to work.
+
+A full (interactive) list of endpoints can be displayed when visiting the `/api/` path in your browser, when you are logged in with a user, which is allowed to access the API.
+There is also a link to this page, on the user settings page in the API token section.
+This documentation also list all available fields for each entity type and the allowed operations.
+
+## Formats
+
+The API supports different formats for the request and response data, which you can control via the `Accept` and `Content-Type` headers.
+You should use [JSON-LD](https://json-ld.org/) as format, which is basically JSON with some additional metadata, which allows 
+to describe the data in a more structured way and also allows to link between different entities. You can achieve this by setting `Accept: application/ld+json` header to the API requests.
+
+## OpenAPI schema
+
+Part-DB provides a [OpenAPI](https://swagger.io/specification/) (formally Swagger) schema for the API under `/api/docs.json` (so `https://your-part-db.local/api/docs.json`).
+This schema is a machine readable description of the API, which can be imported in software to test the API or even automatically generate client libraries for the API.
+
+API generators which can generate a client library for the API from the schema are available for many programming languages, like [OpenAPI Generator](https://openapi-generator.tech/). 
+
+## Interactive documentation
+
+Part-DB provides an interactive documentation for the API, which is available under `/api/docs` (so `https://your-part-db.local/api/docs`).
+You can pass your API token in the form on the top of the page, to authenticate yourself and then you can try out the API directly in the browser.
+This is a great way to test the API and see how it works, without having to write any code.

src/Entity/UserSystem/ApiToken.php

@@ -44,7 +44,7 @@ use Symfony\Component\Validator\Constraints\NotBlank;
 #[UniqueEntity(fields: ['name', 'user'])]
 
 #[ApiResource(
-    uriTemplate: '/current.{_format}',
+    uriTemplate: '/tokens/current.{_format}',
     description: 'A token used to authenticate API requests.',
     operations: [new Get(openapiContext: ['summary' => 'Get information about the API token that is currently used.'])],
     normalizationContext: ['groups' => ['token:read', 'api:basic:read'], 'openapi_definition_name' => 'Read'],