From 5664fb7e0a5a1f55bab102eb7e114063b3d64150 Mon Sep 17 00:00:00 2001 From: Shawn Date: Thu, 21 May 2026 17:58:05 -0400 Subject: [PATCH] t_54f0a481: Add API investigation findings doc --- API.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 API.md diff --git a/API.md b/API.md new file mode 100644 index 0000000..841fd1c --- /dev/null +++ b/API.md @@ -0,0 +1,24 @@ +# api-investigation.md — copied from kanban investigation task t_54f0a481 + +## Key Findings + +### Architecture +- **Seed** (`/login/`) — Vue 3.5 SPA auth page +- **Application** (`/cs1/`, `/cs4/`) — ASP.NET MVC behind Azure Application Gateway +- **Machine List page** at `/cs4/VueMachineList/` (modern SPA) + +### Auth Flow (httpx-compatible) +1. `GET /login/api/DataContext/GenerateAntiForgeryState` → CSRF token +2. `POST /login/api/SignIn/SignIn/en-US` with `__RequestVerificationToken` header + `{Email, Password, FormsAuthReturnUrl}` +3. Cookies are set automatically: `ASP.NET_SessionId`, `.ASPXAUTH`, `ApplicationGatewayAffinity`, `AeonPrincipalCacheVersion` + +### Export +- **Endpoint**: `POST /cs4/VueMachineList/ExcelExport` +- StreamSaver.js streams result as "Machine List.xlsx" +- 60+ configurable columns +- Credentials via env: `CANTALOUPE_EMAIL`, `CANTALOUPE_PASSWORD` + +### Recommendation +Start with httpx-only (Option A). Fall back to Playwright-for-login (Option B) if needed. + +See full investigation at: `~/.hermes/kanban/boards/cantaloupe-downloader/workspaces/t_54f0a481/investigation-findings.md`