User API
Workspace reference: GSP-WORKSPACE.md
Scope
This file documents the externally reachable API and webhook surfaces discovered in the repository.
Primary files:
- Panel/ogp_api.php
- Panel/status_api.php
- Panel/sso.php
- Panel/modules/website/login.php
- Panel/modules/website/sso.php
- Panel/modules/website/order.php
Panel Automation API
Main endpoint:
Panel/ogp_api.php
Transport:
- GET, POST, or JSON request body
- response is usually JSON
- setting/get returns plain text
Authentication:
- token-based
- token created through token/create
- host allowlist can be enforced with api_authorized.hosts and api_authorized.fwd_hosts
Important notes:
- the API is not a public anonymous API
- some routes are meaningful for normal users
- many routes are effectively admin-only because they mutate remote servers, create homes, or manage users
Authentication Endpoints
| Endpoint | Auth | Purpose | Parameters | Returns |
|---|---|---|---|---|
| ogp_api.php?token/create | panel username/password | issue API token | user, password | JSON token payload |
| ogp_api.php?token/test | token | verify token | token | role/status |
User-Visible Game Server Actions
| Endpoint | Auth | Purpose | Parameters | Returns |
|---|---|---|---|---|
| gamemanager/start | token + home access | start server | ip, port, optional mod_key | JSON status |
| gamemanager/stop | token + home access | stop server | ip, port, optional mod_key | JSON status |
| gamemanager/restart | token + home access | restart server | ip, port, optional mod_key | JSON status |
| gamemanager/rcon | token + home access | send RCON/console command | ip, port, optional mod_key, command | JSON command result |
| gamemanager/update | token + home access | update server | ip, port, optional mod_key, type, optional manual_url | JSON status |
| litefm/list | token + home access | list files | ip, port, relative_path | JSON listing |
| litefm/get | token + home access | read file | ip, port, relative_path | JSON file content |
| litefm/save | token + home access | write file | ip, port, relative_path, contents | JSON status |
| litefm/remove | token + home access | delete file | ip, port, relative_path | JSON status |
| addonsmanager/list | token | list add-on templates | token | JSON list |
| addonsmanager/install | token + home access | install named add-on | ip, port, addon_id | JSON status |
| steam_workshop/install | token + home access | legacy Workshop install | ip, port, optional mod_key, mods_list | JSON status |
| server_content/run_scheduled_action | token + home access | trigger typed server-content action | home_id, action, optional options | JSON status |
Admin-Oriented API Routes
| Endpoint | Auth | Purpose | Parameters | Returns |
|---|---|---|---|---|
| server/list | admin token | list remote agents | token | JSON list |
| server/status | admin token | status of remote agent | remote_server_id | JSON status |
| server/restart | admin token | restart agent | remote_server_id | JSON status |
| server/create | admin token | create remote agent record | agent connection fields | JSON status |
| server/remove | admin token | remove remote agent record | remote_server_id | JSON status |
| server/add_ip | admin token | add IP to agent | remote_server_id, ip | JSON status |
| server/remove_ip | admin token | remove IP from agent | remote_server_id, ip | JSON status |
| server/list_ips | admin token | list assigned IPs | remote_server_id | JSON list |
| server/edit_ip | admin token | edit assigned IP | remote_server_id, old_ip, new_ip | JSON status |
| user_games/list_games | token | list game configs | system, architecture | JSON list |
| user_games/list_servers | token | list homes visible to token | none | JSON list |
| user_games/create | admin token | create game home | remote server, config, port, passwords, slots, affinity, nice | JSON status |
| user_games/clone | admin token | clone home | origin + new home fields | JSON status |
| user_games/set_expiration | admin token | change home expiry | home_id, timestamp | JSON status |
| user_admin/* | admin token | user CRUD and assignments | varies | JSON status |
| gamemanager_admin/reorder | admin token | reorder homes in UI | token | JSON status |
| setting/get | token | read setting | setting_name | plain text or -1 |
Public Status API
Endpoint:
Panel/status_api.php?token=...
Authentication:
- shared query token stored in status_api_local.php
Purpose:
- public, read-only node summary
- intended for lightweight dashboards or public status pages
Behavior:
- caches agent stats locally for 30 seconds
- probes agents with TCP reachability
- normalizes CPU, memory, and disk stats when available
Returns:
- JSON object with generated_at and nodes[]
Scheduler-As-API
The scheduler does not call agents directly at runtime. It stores cron lines on the agent that usually call back into:
- Panel/ogp_api.php?gamemanager/*
- Panel/ogp_api.php?server_content/run_scheduled_action
This makes ogp_api.php part of the internal scheduler runtime contract.
Website Account, SSO, And Order Entry
| Endpoint | Auth | Purpose | Parameters | Returns |
|---|---|---|---|---|
| Panel/modules/website/login.php | Panel user credentials | create a website session against the shared Panel user table | username/password form | website session and redirect |
| Panel/modules/website/logout.php | website session | destroy website session | none | redirect to website home |
| Panel/modules/website/sso.php?destination=panel | website session | create a one-time token for Panel login | optional trusted return path | redirect to Panel/sso.php |
| Panel/sso.php?token=... | one-time SSO token | create normal Panel session | token | redirect to Panel page |
| Panel/sso.php?destination=website | Panel session | create a one-time token for website login | optional trusted return path | redirect to website SSO endpoint |
| Panel/modules/website/sso.php?token=... | one-time SSO token | create website session | token | redirect to website page |
| Panel/modules/website/order.php | website session for checkout continuation | validate catalog service and start order intent | service_id | order page or login redirect |
SSO tokens are stored in OGP_DB_PREFIXsso_tokens as SHA-256 hashes, expire in 30-60 seconds, and are marked used after successful validation. Tokens never contain passwords, password hashes, permanent API keys, or PHP session IDs.
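The token lifecycle described above (hash-only storage, short expiry, single use), shown as an added example that is not code from this repository. The demo_sso_tokens table, its column names, the sso_issue and sso_redeem helpers, and the 45-second TTL are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Constructed in-memory table standing in for OGP_DB_PREFIXsso_tokens.
// Column names and the "demo_" prefix are assumptions, not the project's schema.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE demo_sso_tokens (
    token_hash TEXT PRIMARY KEY,
    user_id    INTEGER NOT NULL,
    expires_at INTEGER NOT NULL,
    used       INTEGER NOT NULL DEFAULT 0
)');

/** Issue a token: only the SHA-256 hash is persisted; the raw value goes into the redirect. */
function sso_issue(PDO $db, int $userId, int $now, int $ttl = 45): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, carries no user data
    $stmt = $db->prepare('INSERT INTO demo_sso_tokens (token_hash, user_id, expires_at) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $userId, $now + $ttl]);
    return $token;
}

/** Redeem a token: one conditional UPDATE claims it, so a replay or a race matches no row. */
function sso_redeem(PDO $db, string $token, int $now): ?int
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null; // malformed input never reaches the database
    }
    $hash = hash('sha256', $token);
    $claim = $db->prepare('UPDATE demo_sso_tokens SET used = 1
                           WHERE token_hash = ? AND used = 0 AND expires_at > ?');
    $claim->execute([$hash, $now]);
    if ($claim->rowCount() !== 1) {
        return null; // unknown, expired, or already used
    }
    $row = $db->prepare('SELECT user_id FROM demo_sso_tokens WHERE token_hash = ?');
    $row->execute([$hash]);
    return (int) $row->fetchColumn();
}

$t0 = 1700000000;                             // constructed clock value
$token = sso_issue($db, 7, $t0);
var_dump(sso_redeem($db, $token, $t0 + 10));  // first use inside the TTL
var_dump(sso_redeem($db, $token, $t0 + 11));  // replay of the same token
$late = sso_issue($db, 7, $t0);
var_dump(sso_redeem($db, $late, $t0 + 46));   // first use after the TTL
```

Claiming the token with a single conditional UPDATE is what makes the used flag safe under concurrent requests; a SELECT followed by a separate UPDATE would let two parallel redemptions of the same token both succeed.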
The old Website/api/create_order.php, Website/api/capture_order.php, Website/api/log_error.php, and Website/webhook.php compatibility files are not present in this repository checkout. Until an active payment runtime is connected, the website order page validates service intent and sends customers to support rather than claiming checkout is complete.
Webhooks
| Endpoint | Source | Purpose | Auth Model |
|---|---|---|---|
| none active in this checkout | PayPal | payment processing must be reconnected before public checkout is enabled | document gateway-specific signature verification before use |
Security Controls
| Control | Where |
|---|---|
| token auth | Panel/ogp_api.php |
| host allowlist | api_authorized.hosts, api_authorized.fwd_hosts, settings/api_hosts.php |
| role / ownership checks | inside api_* handlers in ogp_api.php |
| one-time SSO token hash storage | OGP_DB_PREFIXsso_tokens |
Search Coverage Used For This Document
- rg -n "^function api_" Panel/ogp_api.php
- sed -n '1,240p' Panel/ogp_api.php
- sed -n '1,240p' Panel/status_api.php
- sed -n '1,220p' Panel/sso.php
- sed -n '1,220p' Panel/modules/website/sso.php