Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/GaelCeballos/Smart_Enviro_Backend/llms.txt

Use this file to discover all available pages before exploring further.

Smart Enviro Backend is structured around three distinct layers that never share authentication mechanisms. At the hardware layer, ESP32 microcontrollers authenticate exclusively with a static device_token stored in the devices table — no session cookies, no bearer headers. In the middle sits the Laravel 11 API server (PHP 8.4 + Laravel Sanctum), which routes requests, enforces access control, and persists all telemetry to MySQL. At the top, mobile apps and web dashboards authenticate with Sanctum Bearer tokens obtained at login, then call the full suite of device-management and sensor-history endpoints.

System Components

ComponentRole
ESP32 DevicesAuthenticate with device_token query param; call GET /api/device/sync to receive commands and config; push readings via POST /api/sensor-data
Laravel APIPHP 8.4 application handling routing, auth:sanctum middleware, business logic via controllers, and persistence to MySQL
Mobile/Web ClientAuthenticates with a Sanctum Bearer token; discovers and claims unowned devices; toggles actuator states; queries sensor history
MySQL 8.xPersists all application data across six tables: users, devices, device_properties, sensor_types, sensor_data, device_logs

Request Flow

Mobile/Web Client Flow

1

Register

Client calls POST /api/register with name, email, password, and password_confirmation. Returns 201 Created on success — no token is issued at registration.
2

Login

Client calls POST /api/login with email and password. On success the API creates a Sanctum token, stores its plain-text value in users.current_token, and returns it in the response body.
3

Call Protected Endpoints

Every subsequent request includes the token as Authorization: Bearer {token}. The auth:sanctum middleware validates the token and resolves the authenticated user.
4

Logout

Client calls DELETE /api/logout. The API deletes the current Sanctum access token and sets users.current_token back to null, immediately invalidating the session.

ESP32 Device Flow

1

Boot and Sync

On startup the device calls GET /api/device/sync?device_token={token}. The API looks up the device by its token, verifies it is active, updates last_seen_at and is_online, then returns the current command and any config properties the device should apply.
2

Push Sensor Readings

At each measurement interval the device posts to POST /api/sensor-data with device_token in the request body alongside the sensor readings. The API validates the token, resolves the device, and writes one sensor_data row per reading.
3

Receive Updated Control State

Both the sync response (command + config) and the sensor-data store response (device_control block) return the latest commanded state (ON, OFF, or STANDBY) so the ESP32 can update its behaviour without a persistent connection. The sync response includes the full config key-value map of device properties; the sensor-data response includes derived control flags such as auto_water and humidity_threshold.

Route Groups

There are three distinct route groups defined in routes/api.php:

1. Public Routes — No Authentication Required

MethodURIHandler
POST/api/loginAuthController@login
POST/api/registerAuthController@register
GET/api/device/syncDeviceSyncController@sync
These endpoints are intentionally unauthenticated. device/sync relies on the device_token query parameter for its own device-level authorization rather than Sanctum middleware.

2. Protected Routes — auth:sanctum Middleware

MethodURIHandler
GET/api/my-devicesUserDeviceController@index
GET/api/my-devices/{id}UserDeviceController@show
POST/api/my-devices/{id}/toggleUserDeviceController@toggleState
PUT/api/my-devices/{id}/propertiesUserDeviceController@updateProperty
GET/api/devices/availableUserDeviceController@listAvailable
POST/api/devices/{id}/addUserDeviceController@addDevice
GET/api/sensor-data/historySensorDataController@getHistory
DELETE/api/logoutAuthController@logout
GET/api/userClosure — returns authenticated user
GET /api/sensor-data/history is declared before the apiResource registration so that Laravel’s router matches it as a named route rather than treating history as a {sensor_data} wildcard segment.

3. API Resource Routes — sensor-data

The apiResource registration for sensor-data excludes the update method, leaving four actions:
MethodURIHandlerAuth
GET/api/sensor-dataSensorDataController@indexNone
POST/api/sensor-dataSensorDataController@storedevice_token in body
GET/api/sensor-data/{sensor_data}SensorDataController@showNone
DELETE/api/sensor-data/{sensor_data}SensorDataController@destroyNone

Single-Session Enforcement

Smart Enviro Backend allows only one active session per user account at any given time. This is enforced through the current_token column added to the users table:
  • Login — after issuing a new Sanctum token the API saves its plain-text value to users.current_token. If current_token is already non-null when a login request arrives, the API returns 409 Conflict with {"status": "error", "message": "Cuenta en uso en otro dispositivo"} and does not issue a new token.
  • Logout — the API deletes the Sanctum token record and sets current_token back to null, freeing the account for a fresh login.
The current_token column stores the raw Sanctum plain-text token. This column is declared in the #[Hidden] attribute on the User model so it is never serialised into API responses.

Data Model

Full schema reference for all six MySQL tables, column types, constraints, and Eloquent relationships.

Authentication

How Sanctum Bearer tokens and device_token strings work, with curl examples for every auth flow.

Build docs developers (and LLMs) love