A fully functional REST API for an e-commerce platform built with Django REST Framework. This API supports buyer, seller, and admin roles with comprehensive e-commerce functionality.
- Authentication & Authorization
  - JWT-based authentication for all endpoints
  - Registration, login, profile management
  - Role-based access control (Buyer, Seller, Admin)
  - Multi-factor authentication support
- Product Management
  - Product catalog with categories
  - Advanced search, filtering, and sorting
  - Stock management
- Shopping Cart
  - Add/remove items
  - Update quantities
  - Calculate totals
- Order Management
  - Order creation and tracking
  - Status updates (pending, processing, shipped, delivered, cancelled)
- Review System
  - Product ratings and reviews
  - User feedback management
- Messaging
  - Communication between buyers and sellers
  - Order-related messaging
- Advanced Features
  - Pagination for all list endpoints
  - Input validation and error handling
  - Comprehensive API documentation
  - Global search functionality
  - Enhanced security features (see Security Enhancements below)

- Backend: Django 5.2, Django REST Framework
- Database: SQLite (development), PostgreSQL (production)
- Authentication: JWT via djangorestframework-simplejwt
- API Documentation: Swagger/OpenAPI via drf-yasg
- Filtering: django-filter
- Security: django-csp, django-environ, cryptography
```text
bazaar_mate/
├── apps/
│   ├── users/        # User authentication and profiles
│   ├── products/     # Product catalog and categories
│   ├── cart/         # Shopping cart functionality
│   ├── orders/       # Order management
│   ├── reviews/      # Product reviews and ratings
│   └── messaging/    # Messaging system
├── api/              # Global API components
├── bazaar_mate/      # Project settings and configuration
├── static/           # Static files
├── media/            # Media files
├── tests/            # Unit and integration tests
├── requirements.txt  # Project dependencies
└── manage.py         # Django management script
```
- `POST /api/token/` - Obtain JWT token
- `POST /api/token/refresh/` - Refresh access token
- `POST /api/auth/register/` - User registration
- `POST /api/auth/login/` - User login
- `POST /api/auth/logout/` - User logout (revoke token)
- `POST /api/auth/refresh/` - Refresh access token
- `GET /api/auth/profile/` - Get user profile
- `PUT /api/auth/profile/` - Update user profile

- `GET /api/products/` - List products (with filtering and pagination)
- `POST /api/products/` - Create product (seller/admin only)
- `GET /api/products/{id}/` - Get product details
- `PUT /api/products/{id}/` - Update product (seller/admin only)
- `DELETE /api/products/{id}/` - Delete product (seller/admin only)

- `GET /api/products/categories/` - List categories
- `POST /api/products/categories/` - Create category (admin only)
- `GET /api/products/categories/{id}/` - Get category details
- `PUT /api/products/categories/{id}/` - Update category (admin only)
- `DELETE /api/products/categories/{id}/` - Delete category (admin only)

- `GET /api/cart/` - View cart
- `POST /api/cart/add/` - Add item to cart
- `PUT /api/cart/update/{id}/` - Update cart item
- `DELETE /api/cart/remove/{id}/` - Remove item from cart

- `GET /api/orders/` - List orders
- `POST /api/orders/` - Create order
- `GET /api/orders/{id}/` - Get order details
- `PUT /api/orders/{id}/` - Update order status

- `GET /api/reviews/products/{product_id}/` - List product reviews
- `POST /api/reviews/products/{product_id}/` - Create review
- `GET /api/reviews/{id}/` - Get review details
- `PUT /api/reviews/{id}/` - Update review
- `DELETE /api/reviews/{id}/` - Delete review

- `GET /api/messages/orders/{order_id}/` - List order messages
- `POST /api/messages/orders/{order_id}/` - Send message
- `GET /api/messages/{id}/` - Get message details
- `PUT /api/messages/{id}/` - Update message
- `DELETE /api/messages/{id}/` - Delete message

- `GET /api/search/?q={query}` - Global search across products and categories
This API includes comprehensive security enhancements to protect sensitive data and prevent common vulnerabilities:
- Strong JWT implementation with short-lived access tokens (15 minutes)
- Rotating refresh tokens with blacklist support
- Token revocation on logout or password change
- Rate limiting for authentication endpoints (5 attempts/minute)
- Minimum 12-character password requirements
- Mandatory uppercase, lowercase, digit, and special character
- Prevention of common password patterns
- PBKDF2 secure password hashing
- Field-level encryption for sensitive data (phone numbers, messages)
- Environment-based secret management
- HTTPS enforcement in production
- Content Security Policy (CSP) implementation
- HTTP Strict Transport Security (HSTS)
- XSS and content type sniffing protection
- Proper CORS configuration
- Comprehensive .gitignore to prevent sensitive file commits
- Environment variable management with .env.example template
For detailed information about all security enhancements, see SECURITY_ENHANCEMENTS.md.
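As an added example (not the project's own code), here is the password policy listed above written as a plain validator function; in a Django project the same checks would live in a class listed in `AUTH_PASSWORD_VALIDATORS`. The common-word and sequence lists are constructed for the example.

```python
import re

# Added example, not the project's own code: the password policy from the
# list above (12+ characters; uppercase, lowercase, digit and special
# character; no common patterns) as a plain validator. In Django the same
# checks would live in a class listed in AUTH_PASSWORD_VALIDATORS.
# The pattern lists below are constructed for the example.
COMMON_WORDS = ("password", "qwerty", "letmein", "welcome", "admin")
SEQUENCES = ("0123", "1234", "2345", "3456", "4567", "5678", "6789", "abcd", "qwer")


def validate_password(password: str, username: str = "") -> list:
    """Return the list of policy violations; an empty list means it passes."""
    errors = []
    if len(password) < 12:
        errors.append("must be at least 12 characters long")
    if not re.search(r"[A-Z]", password):
        errors.append("must contain an uppercase letter")
    if not re.search(r"[a-z]", password):
        errors.append("must contain a lowercase letter")
    if not re.search(r"[0-9]", password):
        errors.append("must contain a digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        errors.append("must contain a special character")
    lowered = password.lower()
    if any(word in lowered for word in COMMON_WORDS):
        errors.append("contains a common password word")
    if any(seq in lowered for seq in SEQUENCES):
        errors.append("contains a sequential run of characters")
    if re.search(r"(.)\1{3}", password):          # same character four times in a row
        errors.append("repeats the same character four times in a row")
    if len(username) >= 3 and username.lower() in lowered:
        errors.append("must not contain the username")
    return errors


def is_acceptable(password: str, username: str = "") -> bool:
    """Convenience wrapper: True only when no rule is violated."""
    return not validate_password(password, username)
```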
To access protected endpoints, you first need to obtain a JWT token:

```bash
# Register a new user (optional)
curl -X POST http://localhost:8000/api/auth/register/ \
  -H "Content-Type: application/json" \
  -d '{
    "username": "testuser",
    "email": "test@example.com",
    "password": "StrongPass123!",
    "role": "buyer"
  }'

# Obtain access and refresh tokens
curl -X POST http://localhost:8000/api/token/ \
  -H "Content-Type: application/json" \
  -d '{
    "username": "testuser",
    "password": "StrongPass123!"
  }'
```

This will return:

```json
{
  "refresh": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...",
  "access": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..."
}
```

Or, from a graphical API client:

- Set the request method to POST
- Set the URL to `http://localhost:8000/api/token/`
- In the "Body" tab, select "raw" and "JSON"
- Enter the credentials:
  ```json
  {
    "username": "testuser",
    "password": "StrongPass123!"
  }
  ```
- Click "Send"
Once you have the access token, include it in the Authorization header for all protected requests:

```bash
# Access a protected endpoint
curl -X GET http://localhost:8000/api/products/ \
  -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..."

# Create a new product (requires seller or admin role)
curl -X POST http://localhost:8000/api/products/ \
  -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..." \
  -H "Content-Type: application/json" \
  -d '{
    "title": "New Product",
    "description": "Product description",
    "price": "29.99",
    "stock": 100,
    "category": 1
  }'
```

Or, from a graphical API client:

- Set the request method and URL for the endpoint you want to test
- In the "Headers" tab, add a new header:
  - Key: `Authorization`
  - Value: `Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...` (your access token)
- Click "Send"
Access tokens expire after 15 minutes. To get a new access token:

```bash
curl -X POST http://localhost:8000/api/token/refresh/ \
  -H "Content-Type: application/json" \
  -d '{
    "refresh": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..."
  }'
```

Or, from a graphical API client:

- Set the request method to POST
- Set the URL to `http://localhost:8000/api/token/refresh/`
- In the "Body" tab, select "raw" and "JSON"
- Enter the refresh token:
  ```json
  {
    "refresh": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..."
  }
  ```
- Click "Send"
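The login/refresh flow above, as an added client-side helper (not the project's own code): it stores the access/refresh pair from `/api/token/`, reads the access token's `exp` claim to decide when the 15-minute lifetime is nearly over, and calls `/api/token/refresh/` before then, keeping the rotated refresh token. The `post` transport is injected, and `fake_post`/`make_demo_token` are constructed stand-ins so the example runs offline.

```python
import base64
import json
import time
from typing import Callable

# Added example, not the project's own code: a client-side session that keeps the
# access/refresh pair from /api/token/, reads the access token's `exp` claim and
# calls /api/token/refresh/ shortly before the 15-minute expiry. `post` is injected
# so the class can be exercised offline with the constructed fake below.
def decode_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature. This only decides when
    to refresh; the server still verifies every token it receives."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)            # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def make_demo_token(claims: dict) -> str:
    """Constructed, unsigned token for the offline demonstration only."""
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."

def fake_post(url: str, body: dict) -> dict:
    """Offline stand-in for an HTTP POST to the two token endpoints."""
    now = int(time.time())
    jti = "r2" if url.endswith("/refresh/") else "r1"   # rotated refresh token id
    return {"access": make_demo_token({"exp": now + 900, "token_type": "access"}),
            "refresh": make_demo_token({"exp": now + 86400, "jti": jti})}

class TokenSession:
    def __init__(self, base_url: str, post: Callable[[str, dict], dict], leeway: int = 30):
        self.base_url, self.post, self.leeway = base_url, post, leeway
        self.access = self.refresh = ""
        self.refresh_calls = 0

    def login(self, username: str, password: str) -> None:
        data = self.post(f"{self.base_url}/api/token/", {"username": username, "password": password})
        self.access, self.refresh = data["access"], data["refresh"]

    def expires_in(self) -> float:
        """Seconds until the current access token expires (negative if already past)."""
        return decode_claims(self.access)["exp"] - time.time()

    def auth_header(self) -> dict:
        """Bearer header for a protected request; refreshes first if the access
        token is within `leeway` seconds of expiry."""
        if self.expires_in() < self.leeway:
            data = self.post(f"{self.base_url}/api/token/refresh/", {"refresh": self.refresh})
            self.access = data["access"]
            self.refresh = data.get("refresh", self.refresh)   # rotation: keep the new one
            self.refresh_calls += 1
        return {"Authorization": f"Bearer {self.access}"}
```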
The API implements role-based access control:
- Buyers: Can view products, manage cart, place orders, write reviews
- Sellers: Can manage their own products, view their orders
- Admins: Full access to all endpoints
Some endpoints will return 403 Forbidden if you don't have the required role.
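The role rules above for the product endpoints, modelled as an added example (not the project's own code) in the shape of a DRF permission class: it uses the same `has_permission`/`has_object_permission` method names as `rest_framework.permissions.BasePermission` but imports nothing from Django, so it runs stand-alone. `User`, `Request` and `Product` are constructed stand-ins, and `status_for` maps the outcome to the 401/403 codes the API documents.

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not the project's own code: product-endpoint role rules in the
# shape of a DRF permission class. The dataclasses are constructed stand-ins for
# request.user, the request and a Product model instance.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")

@dataclass
class User:
    id: int
    role: str                      # "buyer", "seller" or "admin"
    is_authenticated: bool = True

@dataclass
class Request:
    method: str
    user: Optional[User] = None    # None models a missing or invalid JWT

@dataclass
class Product:
    id: int
    seller_id: int                 # owner of the product

class ProductPermission:
    """Read: any authenticated user. Create: seller or admin.
    Update/delete: admin, or the seller who owns the product."""
    def has_permission(self, request, view=None) -> bool:
        user = request.user
        if user is None or not user.is_authenticated:
            return False
        if request.method in SAFE_METHODS:
            return True
        return user.role in ("seller", "admin")

    def has_object_permission(self, request, view, obj) -> bool:
        if request.method in SAFE_METHODS or request.user.role == "admin":
            return True
        return request.user.role == "seller" and obj.seller_id == request.user.id

def status_for(request, obj=None) -> int:
    """Map the permission outcome to the status codes the API documents:
    401 for missing credentials, 403 for a role/ownership failure, else 200."""
    perm = ProductPermission()
    if request.user is None or not request.user.is_authenticated:
        return 401
    if not perm.has_permission(request):
        return 403
    if obj is not None and not perm.has_object_permission(request, None, obj):
        return 403
    return 200
```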
The API returns appropriate HTTP status codes:

- `200 OK`: Successful GET, PUT requests
- `201 Created`: Successful POST requests
- `204 No Content`: Successful DELETE requests
- `400 Bad Request`: Invalid request data
- `401 Unauthorized`: Missing or invalid authentication
- `403 Forbidden`: Insufficient permissions
- `404 Not Found`: Resource not found
- Clone the repository:
  ```bash
  git clone https://github.com/RajeshBasnet-dev/ecommerce-API.git
  cd ecommerce-API
  ```
- Create a virtual environment:
  ```bash
  python -m venv venv
  source venv/bin/activate  # On Windows: venv\Scripts\activate
  ```
- Install dependencies:
  ```bash
  pip install -r requirements.txt
  ```
- Create a .env file:
  ```bash
  cp .env.example .env
  # Edit .env with your configuration
  ```
- Run migrations:
  ```bash
  python manage.py migrate
  ```
- Create a superuser:
  ```bash
  python manage.py createsuperuser
  ```
- Run the development server:
  ```bash
  python manage.py runserver
  ```
- Access the API documentation:
  - Swagger UI: http://localhost:8000/swagger/
  - ReDoc: http://localhost:8000/redoc/
The API supports advanced filtering and sorting for list endpoints:

- `?min_price=10` - Products with price >= 10
- `?max_price=100` - Products with price <= 100
- `?category=electronics` - Products in the electronics category
- `?seller=john` - Products from seller john
- `?in_stock=true` - Products that are in stock
- `?title=phone` - Products with "phone" in the title
- `?description=smart` - Products with "smart" in the description
- `?is_active=true` - Active products only

- `?ordering=price` - Sort by price (ascending)
- `?ordering=-price` - Sort by price (descending)
- `?ordering=title` - Sort by title (ascending)
- `?ordering=-created_at` - Sort by creation date (descending)

- `?page=2` - Get page 2
- `?page_size=50` - Get 50 items per page (max 100)
Use the global search endpoint to search across products and categories:
```
GET /api/search/?q=search_term
```
Most endpoints require authentication. To authenticate:

- Register a new user or use existing credentials
- Obtain a JWT token:
  ```
  POST /api/token/
  { "username": "your_username", "password": "your_password" }
  ```
- Include the token in the Authorization header:
  ```
  Authorization: Bearer your_access_token_here
  ```
Run the test suite:

```bash
python manage.py test
```

To contribute:

- Fork the repository
- Create a feature branch
- Commit your changes
- Push to the branch
- Create a pull request
This project is licensed under the MIT License - see the LICENSE file for details.