v2.apib

FORMAT: 1A
HOST: https://inbdpa.api.hscc.bdpa.org/v2

# InBDPA API (VERSION 2)

> We're looking for feedback! If you have any opinions or ideas, contact us on Slack.

Based on [simple REST principles](https://restfulapi.net), the InBDPA API returns JSON data responses to requests. This is the API used by teams and their apps for the BDPA National High School Computer Competition. It contains all of the data teams' apps must interact with. The API is live and will ideally remain online indefinitely.

The base address of the InBDPA API is https://inbdpa.api.hscc.bdpa.org/V where `V` is the version of the API you want to use (either `V = v1` or `V = v2`). Each version of the API provides a set of endpoints with their own unique path and requirements.

[The source code behind the API is available on GitHub](https://github.com/nhscc/inbdpa.api.hscc.bdpa.org). If you have any trouble, [open an issue there](https://github.com/nhscc/inbdpa.api.hscc.bdpa.org/issues/new) or contact us on Slack.

> Notice: due to financial constraints, the oldest documents in the system will be dropped from the API to make room for the new. That is: `<item>_id`s are not guaranteed to exist forever!

## Migration Guide

Changes between version 1 and version 2:

- New [Articles documentation](#/reference/0/article-endpoints) with new article-related CRUD endpoints
    - The number of articles in the system is now reported by the [/info (GET)](#/reference/0/info-endpoints/info-get) endpoint and must be included in relevant output.
- Improved session tracking API
    - [Sessions](#/data-structures/0/session) now track the user and the view
    - New [/sessions (GET)](#/reference/0/session-endpoints/sessions-get) and [/sessions/:session_id (GET)](#/reference/0/session-endpoints/sessions-session-id-get) endpoints.
    - New session endpoints specific to users ([/users/:user_id/sessions (GET)](#/reference/0/user-endpoints/users-user-id-sessions-get)), opportunities ([/opportunities/:opportunity_id/sessions (GET)](#/reference/0/opportunity-endpoints/opportunities-opportunity-id-sessions-get)), and articles ([/articles/:article_id/sessions (GET)](#/reference/0/article-endpoints/articles-article-id-sessions-get)).
    - Deprecation of the [/sessions/count-for/user/:user_id (GET)](https://hsccrkby0uo4.docs.apiary.io/#/reference/0/session-endpoints/sessions-count-for-user-user-id-get) and [/sessions/count-for/opportunity/:opportunity_id (GET)](https://hsccrkby0uo4.docs.apiary.io/#/reference/0/session-endpoints/sessions-count-for-opportunity-opportunity-id-get) endpoints.
        - Active session counts are now included in the [User](#/data-structures/0/user) and [Opportunity](#/data-structures/0/opportunity) (and [Article](#/data-structures/0/article)) response objects under the `sessions` property.
    - [/sessions (POST)](#/reference/0/session-endpoints/sessions-post) now allows a [nullable](https://apiblueprint.org/documentation/mson/specification.html#353-type-attribute) `user_id` parameter.
        - Example: if `user-A` loads `user-E`'s profile via the [Profile view](https://github.com/nhscc/problem-statements/blob/main/2023/inbdpa/inbdpa-part-1.md#requirement-3), then your solution must create a new session that includes `user-A`'s `user_id`, the "profile" view type, and `user-E`'s ID as the ID of the viewed item.
- [/users (POST)](#/reference/0/user-endpoints/users-post) now requires a `fullName` property. Similarly, users' full names are now included in the [User](#/data-structures/0/user) response objects under the `fullName` property.

Any API calls using deprecated endpoints need to be updated to use the new endpoint.

> Be advised: **the V1 API will be disabled several hours into the competition**. For posterity, V1 endpoints will be re-enabled after ~72 hours.

## Requesting a Key

To access the majority of this API's endpoints requires a key. If your team needs a key, or to replace a lost or stolen key, either use our Slack bot (BDPABot) to manage your team's keys or contact us on Slack.

When you get your key, include it as your request's [Authorization header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization) and you will be immediately authenticated into the system. For example: `Authorization: bearer your-special-api-key-here`.

## Rules of API Access

1. Do not bombard the API with requests or you risk permanent IP/subnet ban. **Limit your apps to no more than 10 requests per second per API key**. If your app ends up sending too many requests over some time period, you'll get a `HTTP 429` response along with a monotonically increasing soft ban (starting at 15 minutes). Similarly, the size of requests is strictly limited, so you must limit the amount of data you're sending. When you send a request that is too large (>100KB), it will fail with a `HTTP 413` response.

2. **Do not reveal your API key to anyone** not on your own team. It is how the API identifies your team. Do not upload it to GitHub or leave it lying around in your source code. Save it to a file and `.gitignore` it or save it to an environment variable.

3. Since the API is live, you might be able to see or interact with content posted by other teams. If this is the case, please do not post anything inappropriate.

4. If you have a relevant feature request or you encounter any vulnerabilities, errors, or other issues, don't hesitate to contact NHSCC staff via Slack or [open an issue on GitHub](https://github.com/nhscc/inbdpa.api.hscc.bdpa.org). For significant enough finds, bonus points may be awarded. On the other hand, abusing any vulnerability or bug may result in disqualification.

5. **The API was built to randomly return errors every so often**. That means your app must be prepared to deal with `HTTP 555` and other bad responses. However, if you're consistently getting `HTTP 5xx` errors back to back, then something is wrong. Please report this if it happens.

6. All responses are raw JSON. All request payloads must be sent as raw JSON. `JSON.stringify()` and `JSON.parse()` or whatever language equivalent is available to you is your friend!

## Request Methods

This API is based on [simple REST principles](https://restfulapi.net). Resources are accessed via standard HTTPS requests in UTF-8 format to an API endpoint. This API understands the following HTTP request methods:

| METHOD | MEANING |
|-----   |-----    |
| GET    | Return data about something |
| POST   | Create something new        |
| PATCH    | Modify something            |
| PATCH  | Partially modify something  |
| DELETE | Delete something            |

## Rate Limits

As said earlier, do not bombard the API with requests. If you do, the API will soft ban you for fifteen minutes the first time before accepting requests from your API key or IP address again. Each following time this happens within a certain period, your ban time will quadruple.

So **limit your apps to no more than 10 requests per second per API key**. You know you've been soft banned if you receive an `HTTP 429` response. Check the JSON response for the `retryAfter` key, which represents for how long your API key and/or IP are banned from making further requests (in milliseconds).

If this is the first time you've been banned, you can use the Slack bot to unban yourself immediately. If the Slack bot is not available or this is not the first time you've been banned, contact us on Slack.

## Pagination

Endpoints that might return a lot of items (users, documents, etc) are paginated via [range queries](https://en.wikipedia.org/wiki/Range_query_(database)). Such endpoints optionally accept an `after` parameter, which is an `<item>_id` or other identifier that determines which API item is returned first. That is: the first item will be the first `<item>_id` that comes *after* the `after` `<item>_id`. Omitting the `after` parameter returns the first 100 items in the system.

For example, given the following dataset and an API with a default result size (or "page" size) of 3:

```JavaScript
[
    { item_id: 0xabc123, name: 'Item 1 name' },
    { item_id: 0xabc124, name: 'Item 2 name' },
    { item_id: 0xabc125, name: 'Item 3 name' },
    { item_id: 0xabc126, name: 'Item 4 name' },
    { item_id: 0xabc127, name: 'Item 5 name' },
]
```

Suppose we issued the following requests to an API:

`/api?after=0xabc123`: responds with an array of 3 items: *0xabc124* through *0xabc126*
`/api?after=0xabcXYZ`: responds with an array of 0 items since `item_id` *0xabcXYZ* doesn't exist
`/api?after=0xabc124`: responds with an array of 3 items: *0xabc125* through *0xabc127*
`/api?after=0xabc127`: responds with an array of 0 items since there is nothing after *0xabc127*
`/api?after=0xabc125`: responds with an array of 2 items: *0xabc126* and *0xabc127*

## Status Codes

This API will issue responses with one of the following status codes:

| STATUS | MEANING |
|-----   |-----    |
| 200    | Your request completed successfully. |
| 400    | Your request was malformed or otherwise bad. Check the requirements. |
| 401    | Session is not authenticated. Put your API key in the header! |
| 403    | Session is not authorized. You tried to do something you can't do. |
| 404    | The resource (or endpoint) was not found. Check your syntax. |
| 405    | Bad method. The endpoint does not support your request's method. |
| 413    | Your request was too large and was dropped. Max body size is 100KB. |
| 415    | Your request was made using the wrong Content-Type header value. |
| 429    | You've been rate limited. Try your request again after a few minutes. |
| 4xx    | Your request was malformed in some way. |
| 5xx    | Something happened on the server that is outside your control. |

## Response Schema

All responses issued by the API will follow one of the two following schemas.

### Success Schema

When a request you've issued succeeds, the response will look like the following:

```json
{
    "success": "true",
    // any other data you requested
}
```

Note that all time data is represented as the number of milliseconds elapsed since January 1, 1970 00:00:00 UTC, or the same thing that is returned by JavaScript's `Date.now()` method.

### Error Schema

When a request you've issued fails, along with the non-200 status code, the response will look like the following:

```json
{
    "error": "an error message describing what went wrong",
    // any other relevant data (like retryAfter)
}
```

## CORS Support

The API has full support for Cross Origin Resource Sharing (CORS) for AJAX requests.

## Tips for Debugging

- Are you using the right method?
- Use this documentation (click "see example," then click "Try console") or use [Postman](https://www.postman.com/downloads) to play with the API.
- Expect a raw JSON response body that you must parse manually, not raw text or something else.
- Are you sending properly formatted JSON payloads in your request body when necessary?
- Try outputting to stdout, use `console.log`, or output to some log file when API requests are made and responses received.
- All time data is represented as [the number of milliseconds elapsed since January 1, 1970 00:00:00 UTC](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/now).
- Are you sending the correct headers? You need to specify the `Authorization: bearer your-special-api-key-here` header for all requests and the `'content-type': 'application/json'` header when making POST and PATCH requests.
- Are you [encoding your URI components](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURIComponent) properly, especially when you're trying to send the API [JSON objects](https://developer.mozilla.org/en-US/docs/Learn/JavaScript/Objects/JSON) via [GET request](https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol#Request_methods)?

## Globally Unique IDs

To retrieve data about one or more API items, you must know that item's `<item>_id`. These and other IDs are globally unique within the API. That is: no two items will ever have the same ID in any instance. Use this fact to your advantage.

## Article Endpoints [/articles]

These endpoints deal with [CRUD operations](https://nordicapis.com/crud-vs-rest-whats-the-difference) on articles.

- [/articles (GET)](#/reference/0/article-endpoints/articles-get)
- [/articles (POST)](#/reference/0/article-endpoints/articles-post)
- [/articles/:article_id (GET)](#/reference/0/article-endpoints/articles-article-id-get)
- [/articles/:article_id (PATCH)](#/reference/0/article-endpoints/articles-article-id-patch)
- [/articles/:article_id (DELETE)](#/reference/0/article-endpoints/articles-article-id-delete)
- [/articles/:article_id/sessions (GET)](#/reference/0/article-endpoints/articles-article-id-sessions-get)

### /articles (GET) [GET /articles{?after,updatedAfter}]

Retrieves all articles in the system in [FIFO](https://en.wikipedia.org/wiki/FIFO_(computing_and_electronics)) order.

Retrievals are limited to at most 100 results per query. Supports [range queries](https://en.wikipedia.org/wiki/Range_query_(database)) using `after`.

+ Parameters
    + `after` (optional, article_id) - <span style="color: gray">[optional]</span> Return only those results that occur *after* `after` in the result list.
    + `updatedAfter` (optional, number) - <span style="color: gray">[optional]</span> Return only those users with [`updatedAt`](#/data-structures/0/article) greater than `updatedAfter`.

+ Request

    + Headers

            Authorization: bearer your-special-api-key-here
            content-type: application/json

+ Response 200 (application/json)
See an example (HTTP 200)

    + Attributes (object)
        + success (boolean) - If the request succeeded. Always `true` when status code is 200 and `false` or `undefined` otherwise.
        + articles (array[Article]) - An array of article objects. Empty if there are no articles left to show.

    + Body

            {
                "success": true,
                "articles": [
                    {
                        "article_id": "5eee34b3ca37750008547373",
                        "title": "Epidemic Of Unpaid Internships Requiring Masters Degrees",
                        "views": 1250,
                        "sessions": 210,
                        "contents": "...",
                        "keywords": ["epidemic", "unpaid", "internship", "degree"],
                        "createdAt": 1579345909352,
                        "updatedAt": 1579345909687,
                        "creator_id": "5eee34b3ca37750008547375"
                    },
                        {
                        "article_id": "5eee34b3ca37750008547374",
                        "title": "\"It's Totally Ethical!\" Says CEO On Yacht In Response To Complaints Over 50-Year Experience Requirement For Unpaid Internships",
                        "views": 987,
                        "sessions": 0,
                        "contents": "...",
                        "keywords": ["it's", "a", "metaphor", "for", "capitalism"],
                        "createdAt": 1579347789639,
                        "updatedAt": 1579347789639,
                        "creator_id": "5eee34b3ca37750008547376"
                    }
                ]
            }


### /articles (POST) [POST /articles]

Creates a new article.

+ Request

    + Headers

            Authorization: bearer your-special-api-key-here
            content-type: application/json

    + Attributes
        + title: `"My Little Article"` (string) - The title of the article.
        + contents (string) - The Markdown contents describing the article.
        + creator_id: `"5eee34b3ca37750008547375"` (string) - The ID of the user that created the article.
        + keywords (array[string]) - An array of keyword strings associated with the article and its contents.

    + Body

            {
                "title": "Unpaid Internship Requiring Masters Degree",
                "contents": "...",
                "creator_id": "5eee34b3ca37750008547375"
                "keywords": ["epidemic", "unpaid", "internship", "degree"]
            }

+ Response 200 (application/json)
See an example (HTTP 200)

    + Attributes (object)
        + success (boolean) - If the request succeeded. Always `true` when status code is 200 and `false` or `undefined` otherwise.
        + article (Article) - The newly created article object.

    + Body

            {
                "success": true,
                "article": {
                    "article_id": "5eee34b3ca37750008547374",
                    "title": "Epidemic Of Unpaid Internships Requiring Masters Degrees",
                    "views": 125,
                    "sessions": 21,
                    "contents": "...",
                    "keywords": ["epidemic", "unpaid", "internship", "degree"],
                    "createdAt": 1579345909352,
                    "updatedAt": 1579345909687,
                    "creator_id": "5eee34b3ca37750008547375"
                }
            }

### /articles/:article_id (GET) [GET /articles/{article_id}]

Retrieve an article by its `article_id`.

+ Parameters
    + `article_id`: `5eee34b3ca37750008547375` (article_id) - <span style="color: darkred">[required]</span> ID of the article.

+ Request

    + Headers

            Authorization: bearer your-special-api-key-here
            content-type: application/json

+ Response 200 (application/json)
See an example (HTTP 200)

    + Attributes (object)
        + success (boolean) - If the request succeeded. Always `true` when status code is 200 and `false` or `undefined` otherwise.
        + article (Article) - The requested article object.

    + Body

            {
                "success": true,
                "article": {
                    "article_id": "5eee34b3ca37750008547374",
                    "title": "Epidemic Of Unpaid Internships Requiring Masters Degrees",
                    "views": 125,
                    "sessions": 21,
                    "contents": "...",
                    "keywords": ["epidemic", "unpaid", "internship", "degree"],
                    "createdAt": 1579345909352,
                    "updatedAt": 1579345909687,
                    "creator_id": "5eee34b3ca37750008547375"
                }
            }

### /articles/:article_id (PATCH) [PATCH /articles/{article_id}]

Update an article (`article_id`) in the system. The article's `updatedAt` timestamp is also updated.

+ Parameters
    + `article_id`: `5eee34b3ca37750008547375` (article_id) - <span style="color: darkred">[required]</span> ID of the article.

+ Request

    + Headers

            Authorization: bearer your-special-api-key-here
            content-type: application/json

    + Attributes (object)
        + title: `"My Little Article"` (optional, string) - The title of the article.
        + contents (optional, string) - The Markdown contents describing the article.
        + views: `"increment"` (optional, string) - If the views should be incremented. If this property is present, it must have the value `"increment"`.

    + Body

            {
                "title": `"My BIG Article!"`,
                "views": "increment"
            }

+ Response 200 (application/json)
See an example (HTTP 200)

    + Attributes (object)
        + success (boolean) - If the request succeeded. Always `true` when status code is 200 and `false` or `undefined` otherwise.

    + Body

            {
                "success": true
            }

### /articles/:article_id (DELETE) [DELETE /articles/{article_id}]

Completely and permanently remove an article from the system.

+ Parameters
    + `article_id`: `5eee34b3ca37750008547375` (article_id) - <span style="color: darkred">[required]</span> ID of the article.

+ Request

    + Headers

            Authorization: bearer your-special-api-key-here
            content-type: application/json

+ Response 200 (application/json)
See an example (HTTP 200)

    + Attributes (object)
        + success (boolean) - If the request succeeded. Always `true` when status code is 200 and `false` or `undefined` otherwise.

    + Body

            {
                "success": true
            }

### /articles/:article_id/sessions (GET) [GET /articles/{article_id}/sessions{?after}]

Retrieves all sessions in the system associated with a specific article (`article_id`) and in [FIFO](https://en.wikipedia.org/wiki/FIFO_(computing_and_electronics)) order.

Retrievals are limited to at most 100 results per query. Supports [range queries](https://en.wikipedia.org/wiki/Range_query_(database)) using `after`.

+ Parameters
    + `article_id`: `5eee34b3ca37750008547375` (article_id) - <span style="color: darkred">[required]</span> ID of the article.
    + `after` (optional, session_id) - <span style="color: gray">[optional]</span> Return only those results that occur *after* `after` in the result list.

+ Request

    + Headers

            Authorization: bearer your-special-api-key-here
            content-type: application/json

+ Response 200 (application/json)
See an example (HTTP 200)

    + Attributes (object)
        + success (boolean) - If the request succeeded. Always `true` when status code is 200 and `false` or `undefined` otherwise.
        + sessions (array[Session]) - An array of session objects. Empty if there are no sessions left to show.

    + Body

            {
                "success": true,
                "sessions": [
                    {
                        "session_id": "5eee34b3ca37750008547374",
                        "user_id": null,
                        "view": "article",
                        "viewed_id": "5ec8adf06e38137ff2e58770",
                        "createdAt": 1579345900770,
                        "updatedAt": 1579345900770
                    },
                    {
                        "session_id": "5eee34b3ca37750008547373",
                        "user_id": "5ec8adf06e38e58770ff2136",
                        "view": "article",
                        "viewed_id": "5ec8adf06e38137ff2e58770",
                        "createdAt": 1579345900655,
                        "updatedAt": 1579345998766
                    },
                    {
                        "session_id": "5ec8adff2e5877f0813706e3",
                        "user_id": "5ec8adf06e38e58770ff2137",
                        "view": "article",
                        "viewed_id": "5ec8adf06e38137ff2e58770",
                        "createdAt": 1579345900650,
                        "updatedAt": 1579345900650
                    }
                ]
            }

## Info Endpoints [/info]

These endpoints allow retrieval of statistics describing the entire system.

- [/info (GET)](#/reference/0/info-endpoints/info-get)

### /info (GET) [GET /info]

Get metadata about the entire system.

+ Request

    + Headers

            Authorization: bearer your-special-api-key-here
            content-type: application/json

+ Response 200 (application/json)
See an example (HTTP 200)

    + Attributes (object)
        + success (boolean) - If the request succeeded. Always `true` when status code is 200 and `false` or `undefined` otherwise.
        + info (Info) - Metadata about the entire system.

    + Body

            {
                "success": true,
                "info": {
                    "articles": 60608,
                    "opportunities": 17,
                    "sessions": 5,
                    "users": 3,
                    "views": 91356
                }
            }

## Opportunity Endpoints [/opportunities]

These endpoints deal with [CRUD operations](https://nordicapis.com/crud-vs-rest-whats-the-difference) on opportunities.

- [/opportunities (GET)](#/reference/0/opportunity-endpoints/opportunities-get)
- [/opportunities (POST)](#/reference/0/opportunity-endpoints/opportunities-post)
- [/opportunities/:opportunity_id (GET)](#/reference/0/opportunity-endpoints/opportunities-opportunity-id-get)
- [/opportunities/:opportunity_id (PATCH)](#/reference/0/opportunity-endpoints/opportunities-opportunity-id-patch)
- [/opportunities/:opportunity_id (DELETE)](#/reference/0/opportunity-endpoints/opportunities-opportunity-id-delete)
- [/opportunities/:opportunity_id/sessions (GET)](#/reference/0/opportunity-endpoints/opportunities-opportunity-id-sessions-get)

### /opportunities (GET) [GET /opportunities{?after,updatedAfter}]

Retrieves all opportunities in the system in [FIFO](https://en.wikipedia.org/wiki/FIFO_(computing_and_electronics)) order.

Retrievals are limited to at most 100 results per query. Supports [range queries](https://en.wikipedia.org/wiki/Range_query_(database)) using `after`.

+ Parameters
    + `after` (optional, opportunity_id) - <span style="color: gray">[optional]</span> Return only those results that occur *after* `after` in the result list.
    + `updatedAfter` (optional, number) - <span style="color: gray">[optional]</span> Return only those users with [`updatedAt`](#/data-structures/0/opportunity) greater than `updatedAfter`.

+ Request

    + Headers

            Authorization: bearer your-special-api-key-here
            content-type: application/json

+ Response 200 (application/json)
See an example (HTTP 200)

    + Attributes (object)
        + success (boolean) - If the request succeeded. Always `true` when status code is 200 and `false` or `undefined` otherwise.
        + opportunities (array[Opportunity]) - An array of opportunity objects. Empty if there are no opportunities left to show.

    + Body

            {
                "success": true,
                "opportunities": [
                    {
                        "opportunity_id": "5eee34b3ca37750008547374",
                        "title": "Unpaid Internship Requiring Masters Degree",
                        "views": 521,
                        "sessions": 13,
                        "contents": "...",
                        "createdAt": 1579345900650,
                        "updatedAt": 1579345900650,
                        "creator_id": "5eee34b3ca37750008547376"
                    },
                    {
                        "opportunity_id": "5eee34b3ca37750008547375",
                        "title": "Unpaid Internship Requiring 50 Years Experience",
                        "views": 44,
                        "sessions": 6,
                        "contents": "...",
                        "createdAt": 1579345900650,
                        "updatedAt": 1579345900650,
                        "creator_id": "5eee34b3ca37750008547376"
                    }
                ]
            }


### /opportunities (POST) [POST /opportunities]

Creates a new opportunity.

+ Request

    + Headers

            Authorization: bearer your-special-api-key-here
            content-type: application/json

    + Attributes
        + title: `"My Little Opportunity"` (string) - The title of the opportunity.
        + contents (string) - The Markdown contents describing the opportunity.
        + creator_id: `"5eee34b3ca37750008547375"` (string) - The ID of the user that created the opportunity.

    + Body

            {
                "title": "Unpaid Internship Requiring Masters Degree",
                "contents": "...",
                "creator_id": "5eee34b3ca37750008547375"
            }

+ Response 200 (application/json)
See an example (HTTP 200)

    + Attributes (object)
        + success (boolean) - If the request succeeded. Always `true` when status code is 200 and `false` or `undefined` otherwise.
        + opportunity (Opportunity) - The newly created opportunity object.

    + Body

            {
                "success": true,
                "opportunity": {
                    "opportunity_id": "5eee34b3ca37750008547374",
                    "title": "Unpaid Internship Requiring Masters Degree",
                    "views": 0,
                    "sessions": 0,
                    "contents": "...",
                    "createdAt": 1579345900650,
                    "updatedAt": 1579345900650,
                    "creator_id": "5eee34b3ca37750008547375"
                }
            }

### /opportunities/:opportunity_id (GET) [GET /opportunities/{opportunity_id}]

Retrieve an opportunity by its `opportunity_id`.

+ Parameters
    + `opportunity_id`: `5eee34b3ca37750008547375` (opportunity_id) - <span style="color: darkred">[required]</span> ID of the opportunity.

+ Request

    + Headers

            Authorization: bearer your-special-api-key-here
            content-type: application/json

+ Response 200 (application/json)
See an example (HTTP 200)

    + Attributes (object)
        + success (boolean) - If the request succeeded. Always `true` when status code is 200 and `false` or `undefined` otherwise.
        + opportunity (Opportunity) - The requested opportunity object.

    + Body

            {
                "success": true,
                "opportunity": {
                    "opportunity_id": "5eee34b3ca37750008547374",
                    "title": "Unpaid Internship Requiring Masters Degree",
                    "views": 521,
                    "sessions": 12,
                    "contents": "...",
                    "createdAt": 1579345900650,
                    "updatedAt": 1579345900650,
                    "creator_id": "5eee34b3ca37750008547375"
                }
            }

### /opportunities/:opportunity_id (PATCH) [PATCH /opportunities/{opportunity_id}]

Update an opportunity (`opportunity_id`) in the system. The opportunity's `updatedAt` timestamp is also updated.

+ Parameters
    + `opportunity_id`: `5eee34b3ca37750008547375` (opportunity_id) - <span style="color: darkred">[required]</span> ID of the opportunity.

+ Request

    + Headers

            Authorization: bearer your-special-api-key-here
            content-type: application/json

    + Attributes (object)
        + title: `"My Little Opportunity"` (optional, string) - The title of the opportunity.
        + contents (optional, string) - The Markdown contents describing the opportunity.
        + views: `"increment"` (optional, string) - If the views should be incremented. If this property is present, it must have the value `"increment"`.

    + Body

            {
                "title": `"My BIG Opportunity!"`
            }

+ Response 200 (application/json)
See an example (HTTP 200)

    + Attributes (object)
        + success (boolean) - If the request succeeded. Always `true` when status code is 200 and `false` or `undefined` otherwise.

    + Body

            {
                "success": true
            }

### /opportunities/:opportunity_id (DELETE) [DELETE /opportunities/{opportunity_id}]

Completely and permanently remove an opportunity from the system.

+ Parameters
    + `opportunity_id`: `5eee34b3ca37750008547375` (opportunity_id) - <span style="color: darkred">[required]</span> ID of the opportunity.

+ Request

    + Headers

            Authorization: bearer your-special-api-key-here
            content-type: application/json

+ Response 200 (application/json)
See an example (HTTP 200)

    + Attributes (object)
        + success (boolean) - If the request succeeded. Always `true` when status code is 200 and `false` or `undefined` otherwise.

    + Body

            {
                "success": true
            }

### /opportunities/:opportunity_id/sessions (GET) [GET /opportunities/{opportunity_id}/sessions{?after}]

Retrieves all sessions in the system associated with a specific opportunity (`opportunity_id`) and in [FIFO](https://en.wikipedia.org/wiki/FIFO_(computing_and_electronics)) order.

Retrievals are limited to at most 100 results per query. Supports [range queries](https://en.wikipedia.org/wiki/Range_query_(database)) using `after`.

+ Parameters
    + `opportunity_id`: `5eee34b3ca37750008547375` (opportunity_id) - <span style="color: darkred">[required]</span> ID of the opportunity.
    + `after` (optional, session_id) - <span style="color: gray">[optional]</span> Return only those results that occur *after* `after` in the result list.

+ Request

    + Headers

            Authorization: bearer your-special-api-key-here
            content-type: application/json

+ Response 200 (application/json)
See an example (HTTP 200)

    + Attributes (object)
        + success (boolean) - If the request succeeded. Always `true` when status code is 200 and `false` or `undefined` otherwise.
        + sessions (array[Session]) - An array of session objects. Empty if there are no sessions left to show.

    + Body

            {
                "success": true,
                "sessions": [
                    {
                        "session_id": "5eee34b3ca37750008547374",
                        "user_id": null,
                        "view": "opportunity",
                        "viewed_id": "5ec8adf06e38137ff2e58770",
                        "createdAt": 1579345900770,
                        "updatedAt": 1579345900770
                    },
                    {
                        "session_id": "5eee34b3ca37750008547373",
                        "user_id": "5ec8adf06e38e58770ff2136",
                        "view": "opportunity",
                        "viewed_id": "5ec8adf06e38137ff2e58770",
                        "createdAt": 1579345900655,
                        "updatedAt": 1579345998766
                    },
                    {
                        "session_id": "5ec8adff2e5877f0813706e3",
                        "user_id": "5ec8adf06e38e58770ff2137",
                        "view": "opportunity",
                        "viewed_id": "5ec8adf06e38137ff2e58770",
                        "createdAt": 1579345900650,
                        "updatedAt": 1579345900650
                    }
                ]
            }

## Session Endpoints [/sessions]

These endpoints deal with [CRUD operations](https://nordicapis.com/crud-vs-rest-whats-the-difference) on active viewer sessions.

- [/sessions (GET)](#/reference/0/session-endpoints/sessions-get)
- [/sessions (POST)](#/reference/0/session-endpoints/sessions-post)
- [/sessions/:session_id (GET)](#/reference/0/session-endpoints/sessions-session-id-get)
- [/sessions/:session_id (PATCH)](#/reference/0/session-endpoints/sessions-session-id-patch)
- [/sessions/:session_id (DELETE)](#/reference/0/session-endpoints/sessions-session-id-delete)

### /sessions (GET) [GET /sessions{?after,updatedAfter}]

Retrieves all sessions in the system in [FIFO](https://en.wikipedia.org/wiki/FIFO_(computing_and_electronics)) order.

Retrievals are limited to at most 100 results per query. Supports [range queries](https://en.wikipedia.org/wiki/Range_query_(database)) using `after`.

+ Parameters
    + `after` (optional, session_id) - <span style="color: gray">[optional]</span> Return only those results that occur *after* `after` in the result list.
    + `updatedAfter` (optional, number) - <span style="color: gray">[optional]</span> Return only those results with [`updatedAt`](#/data-structures/0/user) greater than `updatedAfter`.

+ Request

    + Headers

            Authorization: bearer your-special-api-key-here
            content-type: application/json

+ Response 200 (application/json)
See an example (HTTP 200)

    + Attributes (object)
        + success (boolean) - If the request succeeded. Always `true` when status code is 200 and `false` or `undefined` otherwise.
        + sessions (array[Session]) - An array of session objects. Empty if there are no sessions left to show.

    + Body

            {
                "success": true,
                "sessions": [
                    {
                        "session_id": "5eee34b3ca37750008547374",
                        "user_id": null,
                        "view": "auth",
                        "viewed_id": null,
                        "createdAt": 1579345900770,
                        "updatedAt": 1579345900770
                    },
                    {
                        "session_id": "5eee34b3ca37750008547373",
                        "user_id": "5ec8adf06e38e58770ff2136",
                        "view": "profile",
                        "viewed_id": "5ec8adf06e38e58770ff2137",
                        "createdAt": 1579345900655,
                        "updatedAt": 1579345998766
                    },
                    {
                        "session_id": "5ec8adff2e5877f0813706e3",
                        "user_id": "5ec8adf06e38e58770ff2137",
                        "view": "article",
                        "viewed_id": "5ec8adf06e38137ff2e58770",
                        "createdAt": 1579345900650,
                        "updatedAt": 1579345900650
                    }
                ]
            }

### /sessions (POST) [POST /sessions]

Make the API aware of an active session, which represents one client (`user_id`) interacting with one view (`view` + `viewed_id`). Active sessions expire 30 seconds after their creation unless they are [renewed](#/reference/0/session-endpoints/sessions-session-id-patch), which will reset the 30-second timer.

Example usage: if `user-A` clicks a link to `user-B`'s profile, which loads the Profile view, your solution would create a new session where `view = 'profile'` and `viewed_id = user-B's-user-id`. You would then continually [renew](#/reference/0/session-endpoints/sessions-session-id-patch) that session every so often until `user-A` navigates away from `user-B`'s profile.

Note that possible values for `viewed_id` are: an `article_id` (only if `view === 'article'`), a `user_id` (only if `view === 'profile'`), an `opportunity_id` (only if `view === 'opportunity'`), or `null`.

+ Request

    + Headers

            Authorization: bearer your-special-api-key-here
            content-type: application/json

    + Attributes (object)
        + user_id: `"5ec8adf06e38e58770ff2137"` (string, nullable) - A unique immutable MongoDB ID representing the user associated with this session or `null` if this session is unauthenticated.
        + view: `"article"` (string) - The view this session is associated with. Possible values are: `"article"`, `"profile"`, `"opportunity"`, `"admin"`, `"auth"`, or `"home"`.
        + viewed_id: `"5ec8adf06e38137ff2e58770"` (string, nullable) - A unique immutable MongoDB ID corresponding to the `view` item associated with this session, or `null`.

    + Body

            {
                "user_id": null,
                "view": "auth",
                "viewed_id": null
            }

+ Response 200 (application/json)
See an example (HTTP 200)

    + Attributes (object)
        + success (boolean) - If the request succeeded. Always `true` when status code is 200 and `false` or `undefined` otherwise.
        + `session_id` (string) - A unique immutable MongoDB ID representing the newly created active session.

    + Body

            {
                "success": true,
                "session_id": "5ec8adf06e38137ff2e58648"
            }

### /sessions/:session_id (GET) [GET /sessions/{session_id}]

Retrieve a session by their `session_id`.

Example usage: if `user-A` clicks a link to `user-B`'s profile, which loads the Profile view, there exists a session (`session_id`) where `view = 'profile'` and `viewed_id = user-B's-user-id`. This session would be continually [renewed](#/reference/0/session-endpoints/sessions-session-id-patch) until `user-A` navigates away from `user-B`'s profile.

Note that possible values for `viewed_id` are: an `article_id` (only if `view === 'article'`), a `user_id` (only if `view === 'profile'`), an `opportunity_id` (only if `view === 'opportunity'`), or `null`.

+ Parameters
    + `session_id`: `5eee34b3ca37750008547375` (session_id) - <span style="color: darkred">[required]</span> ID of the session.

+ Request

    + Headers

            Authorization: bearer your-special-api-key-here
            content-type: application/json

+ Response 200 (application/json)
See an example (HTTP 200)

    + Attributes (object)
        + success (boolean) - If the request succeeded. Always `true` when status code is 200 and `false` or `undefined` otherwise.
        + session (Session) - The requested session object.

    + Body

            {
                "success": true,
                "session":  {
                    "session_id": "5ec8adf06e38137ff2e58648",
                    "user_id": null,
                    "view": "auth",
                    "viewed_id": null,
                    "createdAt": 1579345900770,
                    "updatedAt": 1579345900770
                }
            }

### /sessions/:session_id (PATCH) [PATCH /sessions/{session_id}]

Renew an active session to indicate that a client (user) is still accessing a view. Renewing an active session resets the 30-second expiry period.

> Hint: your solution should keep renewing the same session every so often until the client navigates away from the current view, closes the browser, etc. If the client navigates from one URL to another without changing views, your solution should still create a new session instead of renewing the existing one.

+ Parameters
    + `session_id`: `5eee34b3ca37750008547375` (session_id) - <span style="color: darkred">[required]</span> ID of the session.

+ Request

    + Headers

            Authorization: bearer your-special-api-key-here
            content-type: application/json

+ Response 200 (application/json)
See an example (HTTP 200)

    + Attributes (object)
        + success (boolean) - If the request succeeded. Always `true` when status code is 200 and `false` or `undefined` otherwise.

    + Body

            {
                "success": true
            }

### /sessions/:session_id (DELETE) [DELETE /sessions/{session_id}]

Delete (manually expire) an active session.

+ Parameters
    + `session_id`: `5eee34b3ca37750008547375` (session_id) - <span style="color: darkred">[required]</span> ID of the session.

+ Request

    + Headers

            Authorization: bearer your-special-api-key-here
            content-type: application/json

+ Response 200 (application/json)
See an example (HTTP 200)

    + Attributes (object)
        + success (boolean) - If the request succeeded. Always `true` when status code is 200 and `false` or `undefined` otherwise.

    + Body

            {
                "success": true
            }

## User Endpoints [/users]

These endpoints deal with [CRUD operations](https://nordicapis.com/crud-vs-rest-whats-the-difference) on users.

- [/users (GET)](#/reference/0/user-endpoints/users-get)
- [/users (POST)](#/reference/0/user-endpoints/users-post)
- [/users/:user_id (GET)](#/reference/0/user-endpoints/users-user-id-get)
- [/users/:username (GET)](#/reference/0/user-endpoints/users-username-get)
- [/users/:user_id (PATCH)](#/reference/0/user-endpoints/users-user-id-patch)
- [/users/:user_id (DELETE)](#/reference/0/user-endpoints/users-user-id-delete)
- [/users/:user_id/auth (POST)](#/reference/0/user-endpoints/users-user-id-auth-post)
- [/users/:user_id/connections (GET)](#/reference/0/user-endpoints/users-user-id-connections-get)
- [/users/:user_id/connections/:connection_id (POST)](#/reference/0/user-endpoints/users-user-id-connections-connection-id-post)
- [/users/:user_id/connections/:connection_id (DELETE)](#/reference/0/user-endpoints/users-user-id-connections-connection-id-delete)
- [/users/:user_id/sessions (GET)](#/reference/0/user-endpoints/users-user-id-sessions-get)

### /users (GET) [GET /users{?after,updatedAfter}]

Retrieves all users in the system in [FIFO](https://en.wikipedia.org/wiki/FIFO_(computing_and_electronics)) order.

Retrievals are limited to at most 100 results per query. Supports [range queries](https://en.wikipedia.org/wiki/Range_query_(database)) using `after`.

+ Parameters
    + `after` (optional, user_id) - <span style="color: gray">[optional]</span> Return only those results that occur *after* `after` in the result list.
    + `updatedAfter` (optional, number) - <span style="color: gray">[optional]</span> Return only those users with [`updatedAt`](#/data-structures/0/user) greater than `updatedAfter`.

+ Request

    + Headers

            Authorization: bearer your-special-api-key-here
            content-type: application/json

+ Response 200 (application/json)
See an example (HTTP 200)

    + Attributes (object)
        + success (boolean) - If the request succeeded. Always `true` when status code is 200 and `false` or `undefined` otherwise.
        + users (User) - An array of user objects. Empty if there are no users left to show.

    + Body

            {
                "success": true,
                "users": [
                    {
                        "user_id": "5eee34b3ca37750008547372",
                        "salt": "01048140c7eca69abc74c16dfd418bda",
                        "username": "dummyuser1",
                        "email": "dummy@email.com",
                        "fullName": "Dummy User One",
                        "type": "administrator",
                        "views": 1234,
                        "sessions": 12,
                        "sections": {
                            "about": null,
                            "experience": [],
                            "education": [],
                            "volunteering": [],
                            "skills": []
                        },
                        "createdAt": 1579345900650,
                        "updatedAt": 1579345900650
                    },
                    {
                        "user_id": "5eee34b3ca37750008547373",
                        "salt": "c16dfd418bda01048140c7eca69abc74",
                        "username": "dummy-user-2",
                        "email": "dummy2@email.com",
                        "fullName": null,
                        "type": "staff",
                        "views": 5678,
                        "sessions": 12,
                        "sections": {
                            "about": null,
                            "experience": [],
                            "education": [],
                            "volunteering": [],
                            "skills": []
                        },
                        "createdAt": 1579345900650,
                        "updatedAt": 1579345900650
                    }
                ]
            }

### /users (POST) [POST /users]

Creates a new user.

Note that the API manages all user credentials. Passwords must **NEVER** be stored in any form ever (locally in your app or database or anywhere else), but are instead communicated as a special one-way "login key".

The [Web Crypto API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API) and [Password-Based Key Derivation Function #2 (PBKDF2)](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/deriveKey#pbkdf2) must be used to derive this key. Here is [an example](https://codepen.io/xunnamius/pen/XWZzLmz) using the Web Crypto API to derive a login key and salt from a password. Once this login key is derived, it and the salt must be sent to the API for storage.

**NOTICE: all teams should use 100,000 iterations for PBKDF2 to make cross-app logins easier for the judges!**

+ Request

    + Headers

            Authorization: bearer your-special-api-key-here
            content-type: application/json

    + Attributes
        + username: `"thehill"` (string) - The user's unique username within the system. Must be lowercase alphanumeric (`-` and `\_` are allowed).
        + email: `"h@hillaryclinton.com"` (string) - The user's email address.
        + fullName: `"Hillary Rodham Clinton"` (string) - This user's real full name.
        + salt (string) - A 16-byte (32 characters) hex string representing a salt corresponding to the login key.
        + key (string) - A 64-byte (128 characters) hex string representing a login key.
        + type: `"inner"` (string) - The type of this user. Possible values are: `"inner"`, `"staff"`, or `"administrator"`.

    + Body

            {
                "username": "thehill",
                "email": "h@hillaryclinton.com",
                "fullName": "Hillary Rodham Clinton",
                "salt": "01048140c7eca69abc74c16dfd418bda",
                "key": "3ab51f05b268492084d737b62a20e6f2cc6696a21edff5dc249a55aa4236ee933a9599b14860caa21017677156f16d0508f4deda1cbe0bea5ffcad8fa331b77e",
                "type": "inner"
            }

+ Response 200 (application/json)
See an example (HTTP 200)

    + Attributes (object)
        + success (boolean) - If the request succeeded. Always `true` when status code is 200 and `false` or `undefined` otherwise.
        + user (User) - The newly created user object.

    + Body

            {
                "success": true,
                "user": {
                    "user_id": "5eee34b3ca37750008547374",
                    "salt": "01048140c7eca69abc74c16dfd418bda",
                    "username": "thehill",
                    "email": "h@hillaryclinton.com",
                    "fullName": "Hillary Rodham Clinton",
                    "type": "inner",
                    "views": 0,
                    "sessions": 0,
                    "sections": {
                        "about": null,
                        "experience": [],
                        "education": [],
                        "volunteering": [],
                        "skills": []
                    },
                    "createdAt": 1579345900650,
                    "updatedAt": 1579345900650
                }
            }

### /users/:user_id (GET) [GET /users/{user_id}]

Retrieve a user by their `user_id`.

+ Parameters
    + `user_id`: `5eee34b3ca37750008547375` (user_id) - <span style="color: darkred">[required]</span> ID of the user.

+ Request

    + Headers

            Authorization: bearer your-special-api-key-here
            content-type: application/json

+ Response 200 (application/json)
See an example (HTTP 200)

    + Attributes (object)
        + success (boolean) - If the request succeeded. Always `true` when status code is 200 and `false` or `undefined` otherwise.
        + user (User) - The requested user object.

    + Body

            {
                "success": true,
                "user": {
                    "user_id": "5eee34b3ca37750008547375",
                    "salt": "01048140c7eca69abc74c16dfd418bda",
                    "username": "bernie4All",
                    "email": "b@berniesanders.com",
                    "fullName": "Bernard Sanders",
                    "type": "administrator",
                    "views": 1234,
                    "sessions": 12,
                    "sections": {
                        "about": null,
                        "experience": [],
                        "education": [],
                        "volunteering": [],
                        "skills": []
                    },
                    "createdAt": 1579345900650,
                    "updatedAt": 1579345900650
                }
            }

### /users/:username (GET) [GET /users/{username}]

Retrieve a user by their `username`.

+ Parameters
    + `username`: `bernie4All` (string) - <span style="color: darkred">[required]</span> username of the user.

+ Request

    + Headers

            Authorization: bearer your-special-api-key-here
            content-type: application/json

+ Response 200 (application/json)
See an example (HTTP 200)

    + Attributes (object)
        + success (boolean) - If the request succeeded. Always `true` when status code is 200 and `false` or `undefined` otherwise.
        + user (User) - The requested user object.

    + Body

            {
                "success": true,
                "user": {
                    "user_id": "5eee34b3ca37750008547375",
                    "salt": "01048140c7eca69abc74c16dfd418bda",
                    "username": "bernie4All",
                    "email": "b@berniesanders.com",
                    "type": "administrator",
                    "views": 1234,
                    "sections": {
                        "about": null,
                        "experience": [],
                        "education": [],
                        "volunteering": [],
                        "skills": []
                    },
                    "createdAt": 1579345900650,
                    "updatedAt": 1579345900650
                }
            }

### /users/:user_id (PATCH) [PATCH /users/{user_id}]

Update a user (`user_id`) in the system. Can be used to change a user's password (i.e. their `key` and `salt`), their email, and other properties. See [/users (POST)](#/reference/0/user-endpoints/users-post) for more information on the derivation of a login key and salt.

The user's `updatedAt` timestamp is also updated.

When updating a user's `sections`, the patch will be applied at the section level. For example, submitting `{ "sections": { "about": "My new about page" }}` would overwrite the entire `sections.about` section, but would not overwrite `sections.education`, `sections.volunteering`, or `sections.skills`.

+ Parameters
    + `user_id`: `5eee34b3ca37750008547375` (user_id) - <span style="color: darkred">[required]</span> ID of the user.

+ Request

    + Headers

            Authorization: bearer your-special-api-key-here
            content-type: application/json

    + Attributes (object)
        + salt (optional, string) - A 16-byte (32 characters) hex string representing an updated salt corresponding to the updated login key. Must be present if `key` is present.
        + key (optional, string) - A 64-byte (128 characters) hex string representing an updated login key. Must be present if `salt` is present.
        + email (optional, string) - The user's updated email address.
        + sections (optional, UserSections) - The user's updated section information.
        + fullName (optional, string) - The user's updated full name.
        + type: `"inner"` (string) - The type of this user. Possible values are: `"inner"`, `"staff"`, or `"administrator"`.
        + views: `"increment"` (optional, string) - If the views should be incremented. If this property is present, it must have the value `"increment"`.

    + Body

            {
                "salt": "01048140c7eca69abc74c16dfd418bda",
                "key": "3ab51f05b268492084d737b62a20e6f2cc6696a21edff5dc249a55aa4236ee933a9599b14860caa21017677156f16d0508f4deda1cbe0bea5ffcad8fa331b77e"
            }

+ Response 200 (application/json)
See an example (HTTP 200)

    + Attributes (object)
        + success (boolean) - If the request succeeded. Always `true` when status code is 200 and `false` or `undefined` otherwise.

    + Body

            {
                "success": true
            }

### /users/:user_id (DELETE) [DELETE /users/{user_id}]

Completely and permanently remove a user from the system. Note that deleting a user will _not_ delete their opportunities.

+ Parameters
    + `user_id`: `5eee34b3ca37750008547375` (user_id) - <span style="color: darkred">[required]</span> ID of the user.

+ Request

    + Headers

            Authorization: bearer your-special-api-key-here
            content-type: application/json

+ Response 200 (application/json)
See an example (HTTP 200)

    + Attributes (object)
        + success (boolean) - If the request succeeded. Always `true` when status code is 200 and `false` or `undefined` otherwise.

    + Body

            {
                "success": true
            }

### /users/:user_id/auth (POST) [POST /users/{user_id}/auth]

Attempt to authenticate the credentials of a specific user.

To check if a given username (corresponding to `user_id`) and password combination is valid, follow the same process as in [the example](https://codepen.io/xunnamius/pen/XWZzLmz) to derive a login key _using the salt accessible via the user endpoint_. Send the newly derived login key to the API via this endpoint and, if it matches the key stored in the API, you will receive an `HTTP 200` status code response. If the user credentials could not be authenticated, you will receive a `HTTP 403` status code instead.

See [/users (POST)](#/reference/0/user-endpoints/users-post) for more information on the derivation of a login key and salt.

+ Parameters
    + `user_id`: `5eee34b3ca37750008547375` (user_id) - <span style="color: darkred">[required]</span> ID of the user.

+ Request

    + Headers

            Authorization: bearer your-special-api-key-here
            content-type: application/json

    + Attributes (object)
        + key (string) - A 64-byte (128 characters) hex string representing a login key derived using PBKDF#2.

    + Body

            {
                "key": "3ab51f05b268492084d737b62a20e6f2cc6696a21edff5dc249a55aa4236ee933a9599b14860caa21017677156f16d0508f4deda1cbe0bea5ffcad8fa331b77e"
            }

+ Response 200 (application/json)
See an example (HTTP 200)

    + Attributes (object)
        + success (boolean) - If the request succeeded. Always `true` when status code is 200 and `false` or `undefined` otherwise.

    + Body

            {
                "success": true
            }

+ Response 403 (application/json)
See an example (HTTP 403)

    + Attributes (object)
        + success (boolean) - If the request succeeded. Always `true` when status code is 200 and `false` or `undefined` otherwise.

### /users/:user_id/connections (GET) [GET /users/{user_id}/connections{?after}]

Retrieve a user's first-order connections in [FIFO](https://en.wikipedia.org/wiki/FIFO_(computing_and_electronics)) order.

+ Parameters
    + `user_id`: `5eee34b3ca37750008547375` (user_id) - <span style="color: darkred">[required]</span> ID of the user.
    + `after` (optional, connection_id) - <span style="color: gray">[optional]</span> Return only those results that occur *after* `after` in the result list.

+ Request

    + Headers

            Authorization: bearer your-special-api-key-here
            content-type: application/json

+ Response 200 (application/json)
See an example (HTTP 200)

    + Attributes (object)
        + success (boolean) - If the request succeeded. Always `true` when status code is 200 and `false` or `undefined` otherwise.
        + connections (array[string]) - The user's first-order connections as `user_id`s.

    + Body

            {
                "success": true,
                "connections": [
                    "5eee34b3ca37750008547375",
                    "5eee34b3ca37750008547376",
                    "5eee34b3ca37750008547377",
                    "5eee34b3ca37750008547378",
                    "5eee34b3ca37750008547379",
                    "5eee34b3ca37750008547380"
                ]
            }

### /users/:user_id/connections/:connection_id (POST) [POST /users/{user_id}/connections/{connection_id}]

Add a first-order connection between users `user_id` and `connection_id`.

The user's `updatedAt` timestamp is also updated.

+ Parameters
    + `user_id`: `5eee34b3ca37750008547375` (user_id) - <span style="color: darkred">[required]</span> ID of the first user.
    + `connection_id`: `5eee34b3ca37750008547376` (connection_id) - <span style="color: darkred">[required]</span> ID of the second user.

+ Request

    + Headers

            Authorization: bearer your-special-api-key-here
            content-type: application/json

+ Response 200 (application/json)
See an example (HTTP 200)

    + Attributes (object)
        + success (boolean) - If the request succeeded. Always `true` when status code is 200 and `false` or `undefined` otherwise.

    + Body

            {
                "success": true
            }

### /users/:user_id/connections/:connection_id (DELETE) [DELETE /users/{user_id}/connections/{connection_id}]

Remove a first-order connection between users `user_id` and `connection_id`.

The user's `updatedAt` timestamp is also updated.

+ Parameters
    + `user_id`: `5eee34b3ca37750008547375` (user_id) - <span style="color: darkred">[required]</span> ID of the first user.
    + `connection_id`: `5eee34b3ca37750008547376` (connection_id) - <span style="color: darkred">[required]</span> ID of the second user.

+ Request

    + Headers

            Authorization: bearer your-special-api-key-here
            content-type: application/json

+ Response 200 (application/json)
See an example (HTTP 200)

    + Attributes (object)
        + success (boolean) - If the request succeeded. Always `true` when status code is 200 and `false` or `undefined` otherwise.

    + Body

            {
                "success": true
            }

### /users/:user_id/sessions (GET) [GET /users/{user_id}/sessions{?after}]

Retrieves all sessions in the system associated with a specific user profile (`user_id`) and in [FIFO](https://en.wikipedia.org/wiki/FIFO_(computing_and_electronics)) order.

Retrievals are limited to at most 100 results per query. Supports [range queries](https://en.wikipedia.org/wiki/Range_query_(database)) using `after`.

+ Parameters
    + `user_id`: `5eee34b3ca37750008547375` (user_id) - <span style="color: darkred">[required]</span> ID of the user.
    + `after` (optional, session_id) - <span style="color: gray">[optional]</span> Return only those results that occur *after* `after` in the result list.

+ Request

    + Headers

            Authorization: bearer your-special-api-key-here
            content-type: application/json

+ Response 200 (application/json)
See an example (HTTP 200)

    + Attributes (object)
        + success (boolean) - If the request succeeded. Always `true` when status code is 200 and `false` or `undefined` otherwise.
        + sessions (array[Session]) - An array of session objects. Empty if there are no sessions left to show.

    + Body

            {
                "success": true,
                "sessions": [
                    {
                        "session_id": "5eee34b3ca37750008547374",
                        "user_id": null,
                        "view": "profile",
                        "viewed_id": "5ec8adf06e38137ff2e58770",
                        "createdAt": 1579345900770,
                        "updatedAt": 1579345900770
                    },
                    {
                        "session_id": "5eee34b3ca37750008547373",
                        "user_id": "5ec8adf06e38e58770ff2136",
                        "view": "profile",
                        "viewed_id": "5ec8adf06e38137ff2e58770",
                        "createdAt": 1579345900655,
                        "updatedAt": 1579345998766
                    },
                    {
                        "session_id": "5ec8adff2e5877f0813706e3",
                        "user_id": "5ec8adf06e38e58770ff2137",
                        "view": "profile",
                        "viewed_id": "5ec8adf06e38137ff2e58770",
                        "createdAt": 1579345900650,
                        "updatedAt": 1579345900650
                    }
                ]
            }

## Data Structures

### Article (object)
+ article_id: `"5ec8adf06e38137ff2e58770"` (string) - A unique immutable MongoDB ID representing this article. Generated automatically by the server.
+ creator_id: `"5ec8adf06e38e58770ff2137"` (string) - A unique immutable MongoDB ID representing the user that created this article.
+ title: `"Chasing Gold Coins"` (string) - The title of this article.
+ views: `9001` (number) - The total number of views this article has received.
+ sessions: `12` (number) - The total number of active sessions currently viewing this article.
+ contents (string) - The Markdown contents that constitute this article.
+ keywords (array[string]) - An array of keyword strings associated with this article and its contents.
+ createdAt: `1579345900650` (number) - When this article was first created [in milliseconds since the unix epoch](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/now). Generated automatically by the server.
+ updatedAt: `1579345900650` (number) - When this article was last updated [in milliseconds since the unix epoch](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/now). Generated automatically by the server.

### Info (object)

+ articles (number) - The number of articles across the entire system.
+ opportunities (number) - The current number of opportunities in the system.
+ sessions (number) - The current number of sessions in the system.
+ users (number) - The current number of users in the system.
+ views (number) - The number of views across the entire system.

### Opportunity (object)

+ opportunity_id: `"5ec8adf06e38137ff2e58770"` (string) - A unique immutable MongoDB ID representing this opportunity. Generated automatically by the server.
+ creator_id: `"5ec8adf06e38e58770ff2137"` (string) - A unique immutable MongoDB ID representing the user that created this opportunity.
+ title: `"My Little Opportunity"` (string) - The title of this opportunity.
+ views: `9001` (number) - The total number of views this opportunity has received.
+ sessions: `12` (number) - The total number of active sessions currently viewing this opportunity.
+ contents (string) - The Markdown contents describing this opportunity.
+ createdAt: `1579345900650` (number) - When this opportunity was first created [in milliseconds since the unix epoch](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/now). Generated automatically by the server.
+ updatedAt: `1579345900650` (number) - When this opportunity was last updated [in milliseconds since the unix epoch](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/now). Generated automatically by the server.

### Session (object)

+ session_id: `"5ec8adff2e5877f0813706e3"` (string) - A unique immutable MongoDB ID representing this session. Generated automatically by the server.
+ user_id: `"5ec8adf06e38e58770ff2137"` (string, nullable) - A unique immutable MongoDB ID representing the user associated with this session or `null` if this session is unauthenticated.
+ view: `"article"` (string) - The view this session is associated with. Possible values are: `"article"`, `"profile"`, `"opportunity"`, `"admin"`, `"auth"`, or `"home"`.
+ viewed_id: `"5ec8adf06e38137ff2e58770"` (string, nullable) - A unique immutable MongoDB ID corresponding to the `view` item associated with this session, or `null`.
+ createdAt: `1579345900650` (number) - When this session was first created [in milliseconds since the unix epoch](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/now). Generated automatically by the server.
+ updatedAt: `1579345900650` (number) - When this session was last updated [in milliseconds since the unix epoch](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/now). Generated automatically by the server.

### UserSections (object)

+ about (string, nullable) - The contents of a user's About section.
+ experience (array[UserSectionEntry]) - The contents of a user's Experience section.
+ education (array[UserSectionEntry]) - The contents of a user's Education section.
+ volunteering (array[UserSectionEntry]) - The contents of a user's Volunteering section.
+ skills (array[string]) - The contents of a user's Skills section.

### UserSectionEntry (object)

+ title (string) - The name of the entry.
+ startedAt (number) - When this entry began [in milliseconds since the unix epoch](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/now).
+ endedAt (number, nullable) - When this entry ended [in milliseconds since the unix epoch](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/now) or `null` if it is ongoing.
+ location (string) - The location of this entry.
+ description (string) - The description of this entry.

### User (object)

+ user_id: `"5ec8adf06e38137ff2e58770"` (string) - A unique immutable MongoDB ID representing this user. Generated automatically by the server.
+ salt: `"2d6843cfd2ad23906fe33a236ba842a5"` (string) - A 16-byte (32 characters) hex string representing a salt corresponding to the login key.
+ username: `"Oforce1"` (string) - This user's unique username within the system. Must be lowercase alphanumeric (`-` and `\_` are allowed).
+ email: `"o@barackobama.com"` (string) - This user's unique email address within the system.
+ fullName: `"Barack Hussein Obama"` (string, nullable) - This user's real full name.
+ type (string) - The type of this user. Possible values are: `"inner"`, `"staff"`, or `"administrator"`.
+ views: `1234` (number) - The total number of views this user's profile has received.
+ sections (UserSections) - This user's sectional information (e.g. Experience, Education, etc).
+ sessions: `12` (number) - The total number of active sessions currently viewing this user's profile.
+ createdAt: `1579345900650` (number) - When this user was first created [in milliseconds since the unix epoch](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/now). Generated automatically by the server.
+ updatedAt: `1579345900650` (number) - When this user was last updated [in milliseconds since the unix epoch](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/now). Generated automatically by the server.