From 56f86ccc7dfcf44dc66326086cac2ab51811ce0a Mon Sep 17 00:00:00 2001
From: Johan Jongsma <johan@inou.com>
Date: Sun, 1 Feb 2026 21:09:38 +0000
Subject: [PATCH] Fix API client to use proper JSON endpoints

- Changed to /api/auth/send-code and /api/auth/verify
- Properly check content-type is JSON
- Check for success: true in response
- Backend needs these endpoints added
---
 lib/services/inou_api.dart | 94 ++++++++++++++------------------------
 1 file changed, 35 insertions(+), 59 deletions(-)

diff --git a/lib/services/inou_api.dart b/lib/services/inou_api.dart
index 3381293..e3f66e8 100644
--- a/lib/services/inou_api.dart
+++ b/lib/services/inou_api.dart
@@ -44,31 +44,31 @@ class InouApi {
   Future<String?> sendLoginCode(String email) async {
     try {
       final response = await http.post(
-        Uri.parse('$baseUrl/send-code'),
+        Uri.parse('$baseUrl/api/auth/send-code'),
         headers: {
-          'Content-Type': 'application/x-www-form-urlencoded',
+          'Content-Type': 'application/json',
           'Accept': 'application/json',
         },
-        body: {
+        body: jsonEncode({
           'email': email,
-          'nonce': DateTime.now().millisecondsSinceEpoch.toString(),
-        },
+        }),
       );
       
       debugPrint('send-code response: ${response.statusCode} ${response.body}');
       
-      if (response.statusCode == 200 || response.statusCode == 302) {
-        // Success - code was sent
-        return null;
+      // Check content type - must be JSON
+      final contentType = response.headers['content-type'] ?? '';
+      if (!contentType.contains('application/json')) {
+        return 'API not available (got HTML instead of JSON)';
       }
       
-      // Try to parse error from response
-      try {
-        final json = jsonDecode(response.body);
-        return json['error'] ?? 'Failed to send code';
-      } catch (_) {
-        return 'Failed to send code (${response.statusCode})';
+      final json = jsonDecode(response.body);
+      
+      if (response.statusCode == 200 && json['success'] == true) {
+        return null; // Success
       }
+      
+      return json['error'] ?? 'Failed to send code';
     } catch (e) {
       debugPrint('send-code error: $e');
       return 'Network error: ${e.toString()}';
@@ -80,62 +80,38 @@ class InouApi {
   Future<String?> verifyCode(String email, String code) async {
     try {
       final response = await http.post(
-        Uri.parse('$baseUrl/verify'),
+        Uri.parse('$baseUrl/api/auth/verify'),
         headers: {
-          'Content-Type': 'application/x-www-form-urlencoded',
+          'Content-Type': 'application/json',
           'Accept': 'application/json',
         },
-        body: {
+        body: jsonEncode({
           'email': email,
           'code': code,
-        },
+        }),
       );
       
-      debugPrint('verify response: ${response.statusCode}');
-      debugPrint('verify headers: ${response.headers}');
+      debugPrint('verify response: ${response.statusCode} ${response.body}');
       
-      if (response.statusCode == 200 || response.statusCode == 302) {
-        // Check for session cookie in response
-        final setCookie = response.headers['set-cookie'];
-        if (setCookie != null) {
-          // Parse session token from cookie
-          final sessionMatch = RegExp(r'session=([^;]+)').firstMatch(setCookie);
-          if (sessionMatch != null) {
-            _sessionToken = sessionMatch.group(1);
-            await _saveSession();
-            return null;
-          }
+      // Check content type - must be JSON
+      final contentType = response.headers['content-type'] ?? '';
+      if (!contentType.contains('application/json')) {
+        return 'API not available (got HTML instead of JSON)';
+      }
+      
+      final json = jsonDecode(response.body);
+      
+      if (response.statusCode == 200 && json['success'] == true) {
+        // Get session token from response
+        _sessionToken = json['token'] ?? json['session_token'];
+        _dossierId = json['dossier_id'];
+        if (_sessionToken != null) {
+          await _saveSession();
         }
-        
-        // Try to get token from JSON body
-        try {
-          final json = jsonDecode(response.body);
-          if (json['token'] != null) {
-            _sessionToken = json['token'];
-            _dossierId = json['dossier_id'];
-            await _saveSession();
-            return null;
-          }
-          if (json['session_token'] != null) {
-            _sessionToken = json['session_token'];
-            _dossierId = json['dossier_id'];
-            await _saveSession();
-            return null;
-          }
-        } catch (_) {}
-        
-        // Web redirect flow - we got success but need to handle differently
-        // For mobile, the server should return JSON with token
-        return null; // Assume success for now
+        return null; // Success
       }
       
-      // Try to parse error
-      try {
-        final json = jsonDecode(response.body);
-        return json['error'] ?? 'Invalid or expired code';
-      } catch (_) {
-        return 'Invalid or expired code';
-      }
+      return json['error'] ?? 'Invalid or expired code';
     } catch (e) {
       debugPrint('verify error: $e');
       return 'Network error: ${e.toString()}';