8. Backend & API
The API is a classic Express server. All routes are mounted in apps/api/src/index.ts.
8.1 Public demo endpoints (no auth, compatible with stateless mode)
| Method | Path | Limit | Purpose |
|---|---|---|---|
| GET | /health | — | Status check (db, llm availability) |
| POST | /api/generate | 10/min/IP | Markdown → HTML (full pipeline) |
| POST | /api/validate | 10/min/IP | Validate Markdown without rendering |
| GET | /api/templates | — | List of starter templates |
| POST | /api/convert | 5/min/IP | DOCX/PDF/… → Markdown |
| POST | /api/convert/code-to-mermaid | 5/min/IP | ASCII → Mermaid DSL via LLM |
8.2 Auth endpoints
| Method | Path | Limit | Auth | Purpose |
|---|---|---|---|---|
| POST | /api/auth/register | 5/h/IP | no | Create account (argon2id) |
| POST | /api/auth/login | 10/15min/IP | no | Create session (connect.sid) |
| POST | /api/auth/logout | — | yes | Destroy session |
| GET | /api/auth/me | — | yes | Current user |
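
The Limit column in 8.1 and 8.2 uses the notation count/window/IP. The following is an added example, not code from the project (this page does not say how the limits are enforced): it parses that notation and applies it with a sliding-window counter per route and IP. The names `parseLimit`, `SlidingWindowLimiter` and `check`, and the idea of passing the clock in as `nowMs`, are assumptions made for illustration.

```typescript
// Added illustration, not the project's implementation.
type Limit = { max: number; windowMs: number };
type Decision = { allowed: boolean; status: number; retryAfterSec: number };

// Parse the table notation "<count>/<n><unit>/IP", e.g. "10/15min/IP" or "5/h/IP".
function parseLimit(spec: string): Limit {
  const m = /^(\d+)\/(\d*)(min|h)\/IP$/.exec(spec);
  if (m === null) throw new Error("unrecognised limit spec: " + spec);
  const unitMs = m[3] === "h" ? 60 * 60 * 1000 : 60 * 1000;
  return { max: Number(m[1]), windowMs: Number(m[2] || "1") * unitMs };
}

// Limit strings copied from the tables in 8.1 and 8.2; routes listed
// without a limit there are simply not present here.
const LIMITS: { [route: string]: Limit } = {
  "POST /api/generate": parseLimit("10/min/IP"),
  "POST /api/convert": parseLimit("5/min/IP"),
  "POST /api/auth/register": parseLimit("5/h/IP"),
  "POST /api/auth/login": parseLimit("10/15min/IP"),
};

class SlidingWindowLimiter {
  hits: Map<string, number[]> = new Map();

  // ip: the client address as the server sees it. Behind a reverse proxy,
  // Express only reports the real client in req.ip when "trust proxy" is
  // configured; otherwise every client shares the proxy's counter.
  // nowMs is passed in so the behaviour is deterministic.
  check(route: string, ip: string, nowMs: number): Decision {
    const limit = LIMITS[route];
    if (limit === undefined) return { allowed: true, status: 200, retryAfterSec: 0 };
    const key = route + "|" + ip;
    // Drop timestamps that have aged out of the window.
    const recent = (this.hits.get(key) || []).filter((t) => nowMs - t < limit.windowMs);
    this.hits.set(key, recent);
    if (recent.length >= limit.max) {
      // A slot frees up when the oldest recorded request leaves the window.
      const retryAfterSec = Math.ceil((recent[0] + limit.windowMs - nowMs) / 1000);
      return { allowed: false, status: 429, retryAfterSec };
    }
    recent.push(nowMs); // only accepted requests are counted
    return { allowed: true, status: 200, retryAfterSec: 0 };
  }
}
```

A rejected request maps to HTTP 429 with `retryAfterSec` as the `Retry-After` value; entries for idle IPs are never evicted here, so a long-running process would need a periodic sweep.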
8.3 Protected endpoints (all require auth + DB)
Projects:
- `GET /api/projects`: list
- `POST /api/projects`: new project (limit: 10 per user)
- `PATCH /api/projects/:id`: update (name, designPack, languages, projectType, docsConfig, componentVariants)
- `DELETE /api/projects/:id`, `POST /api/projects/:id/duplicate`

Pages (nested under projects):
- `GET /api/projects/:projectId/pages`: list
- `GET /api/projects/:projectId/pages/manifest`: lightweight (for the sidebar)
- `POST /api/projects/:projectId/pages`: new page
- `GET/PATCH/DELETE /api/projects/:projectId/pages/:pageId`
- `POST .../duplicate`, `PATCH /api/projects/:projectId/pages/reorder`
- `POST .../generate`: the main action, renders the page
- `POST .../export`: multi-language static export for deploy

Translations:
- `GET/POST/PATCH/DELETE /api/projects/:projectId/pages/:pageId/translations[/:lang]`
- `POST .../translate`: trigger LLM translation

Media:
- `POST /api/projects/:projectId/media`: upload (multipart, max 100 assets/project)
- `GET /api/projects/:projectId/media`: list
- `PATCH/DELETE .../media/:assetId`
- `POST .../media/upload-url`: presigned R2 URL

Deploy & Domain:
- `POST /api/projects/:projectId/deploy`: Cloudflare push (cooldown: 60s)
- `GET .../deployments[/:id]`: list/detail
- `POST .../deployments/:id/rollback`
- `POST/GET/DELETE .../domain`: custom domain management
- `GET .../analytics?range=7d|30d|90d`: Cloudflare zone stats

Public media serving:
- `GET /api/media/:projectId/:filename`: 100/min/IP (for preview iframes + deploys)
8.4 Auth flow in detail
- Session storage: in-memory `MemoryStore` in stateless mode; `connect-pg-simple` with the `sessions` table when `DATABASE_URL` is set
- Cookie: `connect.sid` (httpOnly, sameSite=lax, maxAge 7 days)
- Password hashing: argon2id, memoryCost 65536, timeCost 3, parallelism 1
- Middlewares: `requireAuth` (401 if there is no session), `optionalAuth` (user if present, otherwise continue)
8.5 Services: the pipeline layers
| Service | Purpose |
|---|---|
| `llm-client.ts` | OpenAI SDK pointed at OpenRouter; captures Node's native fetch (to guard against JSDOM globals) |
| `llm-service.ts` | Mapper prompt wrapper, cache via mdHash in the llm_cache table |
| `auto-detect-pipeline.ts` | sanitize → sectionize → detect → extract → validate (default for landing pages) |
| `docs-pipeline.ts` | Alternative path for `layout: docs` pages (TOC, sidebar, article flow) |
| `deterministic-mapper.ts` | LLM fallback when OPENROUTER_API_KEY is not set |
| `mermaid-ssr.ts` | JSDOM pre-render of Mermaid fences to inline SVG |
| `code-to-mermaid.ts` | ASCII → Mermaid DSL (Sonnet 4.5) |
| `translation-engine.ts` | Markdown translation (Gemini Flash) |
| `lang-detect.ts` | Automatic language detection (franc-min) |
| `deploy-engine.ts` | Cloudflare Pages integration |
| `media-storage.ts` | Local FS / Cloudflare R2 with presigned URLs |
| `media-cleanup.ts` | Cron job for orphaned uploads |
| `custom-domain.ts` | DNS validation + zone sync |
| `analytics.ts` | Cloudflare zone analytics pull |