Business API Design Specification - Delete Favorite
A Business API is a set of logical actions centered around a main data object. These actions can range from simple CRUD operations to complex workflows that implement intricate business logic.
While the term “API” traditionally refers to an interface that allows software systems to interact, in Mindbricks a Business API represents a broader concept. It encapsulates a business workflow around a data object, going beyond basic CRUD operations to include rich, internally coordinated actions that can be fully designed and customized.
This document provides an in-depth explanation of the architectural
design of the deleteFavorite Business API. It is intended
to guide backend architects and developers in maintaining the current
design. Additionally, frontend developers and frontend AI agents can
use this document to understand how to properly consume this API on
the client side.
Main Data Object and CRUD Operation
The deleteFavorite Business API is designed to handle a
delete operation on the Favorite data
object. This operation is performed under the specified conditions and
may include additional, coordinated actions as part of the workflow.
API Description
Unfavorite (remove favorite) the given listing for current user. Decrements favoriteCount on related listing when possible.
API Frontend Description By The Backend Architect
AI Dev: Use this API to unfavorite a listing. On success, update UI (remove highlight) and decrement displayed favorite count. If not found, treat as idempotent success for best UX.
API Options
-
Auto Params :
trueDetermines whether input parameters should be auto-generated from the schema of the associated data object. Set tofalseif you want to define all input parameters manually. -
Raise Api Event :
trueIndicates whether the Business API should emit an API-level event after successful execution. This is typically used for audit trails, analytics, or external integrations. The event will be emitted to thefavorite-deletedKafka Topic Note that the DB-Level events forcreate,updateanddeleteoperations will always be raised for internal reasons. -
Active Check : `` Controls how the system checks if a record is active (not soft-deleted or inactive). Uses the
ApiCheckOptionto determine whether this is checked during the query or after fetching the instance. -
Read From Entity Cache :
falseIf enabled, the API will attempt to read the target object from the Redis entity cache before querying the database. This can improve performance for frequently accessed records.
API Controllers
A Mindbricks Business API can be accessed through multiple interfaces, including REST, gRPC, WebSocket, Kafka, or Cron. The controllers listed below map the business workflow to a specific interface, enabling consistent interaction regardless of the communication channel.
REST Controller
The deleteFavorite Business API includes a REST
controller that can be triggered via the following route:
/v1/favorites/:favoriteId
By sending a request to this route using the service API address, you can execute this Business API. Parameters can be provided in multiple HTTP locations, including the URL path, URL query, request body, and request headers. Detailed information about these parameters is provided in the Parameters section.
MCP Tool
REST controllers also expose the Business API as a tool in the MCP,
making it accessible to AI agents. This
deleteFavorite Business API will be registered as a tool
on the MCP server within the service binding.
API Parameters
The deleteFavorite Business API has 3 parameters that
must be sent from the controller. Note that all parameters, except
session and Redis parameters, should be provided by the client.
Business API parameters can be:
-
Auto-generated by Mindbricks — inferred from the
CRUD type and the property definitions of the main data object when
the
autoParametersoption is enabled. - Custom parameters added by the architect — these can supplement or override the auto-generated parameters.
Regular Parameters
| Name | Type | Required | Default | Location | Data Path |
|---|---|---|---|---|---|
favoriteId |
ID |
Yes |
- |
urlpath |
favoriteId |
| Description: | This id paremeter is used to select the required data object that will be deleted | ||||
listingId |
ID |
Yes |
- |
query |
listingId |
| Description: | Target listing being favorited… The parameter is used to query data. | ||||
userId |
ID |
Yes |
- |
session |
userId |
| Description: | User who favorited the listing… The parameter is used to query data. | ||||
Parameter Transformations
Some parameters are post-processed using
transform scripts after being read from the request
but before validation or workflow execution. Only parameters with a
transform script are listed below.
No parameters are transformed in this API.
AUTH Configuration
The
authentication and authorization configuration
defines the core access rules for the
deleteFavorite Business API. These checks are applied
after parameter validation and before executing the
main business logic.
While these settings cover the most common scenarios, more
fine-grained or conditional access control—such as
permissions based on object context, nested memberships, or custom
workflows—should be implemented using explicit actions like
PermissionCheckAction,
MembershipCheckAction, or
ObjectPermissionCheckAction.
Login Requirement
This API requires login (loginRequired = true). Requests from non-logged-in users will return a
401 Unauthorized error. Login is necessary
but not sufficient, as additional role, permission,
or other authorization checks may still apply.
Ownership Checks
This Business API enforces ownership of the main data object before executing the operation.
-
The check is performed after fetching the object instance.
If the current user is not the owner, the API will respond with 403 Forbidden.Note: Ownership checks are applied only if the objects have an owner field.
Role and Permission Settings
-
Absolute roles (bypass all auth checks):
Users with any of the following roles will bypass all authentication and authorization checks, including ownership, membership, and standard role/permission checks:
[admin, superAdmin]
Where Clause
Defines the criteria used to locate the target record(s) for the main
operation. This is expressed as a query object and applies to
get, list, update, and
delete APIs. All API types except list are
expected to affect a single record.
If nothing is configured for (get, update, delete) the id fields will be the select criteria.
Select By: A list of fields that must be matched
exactly as part of the WHERE clause. This is not a filter — it is a
required selection rule. In single-record APIs (get,
update, delete), it defines how a unique
record is located. In list APIs, it scopes the results to
only entries matching the given values. Note that
selectBy fields will be ignored if
fullWhereClause is set.
The business api configuration has a selectBy setting:
‘[’']`
Full Where Clause An MScript query expression that
overrides all default WHERE clause logic. Use this for fully
customized queries. When fullWhereClause is set,
selectBy is ignored, however additional selects will
still be applied to final where clause.
The business api configuration has no
fullWhereClause setting.
Additional Clauses A list of conditionally applied MScript query fragments. These clauses are appended only if their conditions evaluate to true. If no condition is set it will be applied to the where clause directly.
The business api configuration has no additionalClauses setting.
Actual Where Clause This where clause is built using whereClause configuration (if set) and default business logic.
{$and:[{id:this.favoriteId},{isActive:true}]}
Delete Options
Use these options to set delete specific settings.
useSoftDelete: true If true, the record will be
marked as deleted (isActive: false) instead of removed.
The implementation depends on the data object’s soft delete
configuration.
Business Logic Workflow
[1] Step : startBusinessApi
Manager initializes context, prepares request/session objects, and sets up internal structures for parameter handling and milestone execution.
You can use the following settings to change some behavior of this
step. apiOptions, restSettings,
grpcSettings, kafkaSettings,
socketSettings, cronSettings
[2] Step : readParameters
Manager reads and normalizes parameters, applies defaults, and stores them in the context for downstream steps.
You can use the following settings to change some behavior of this
step. customParameters, redisParameters
[3] Step : transposeParameters
Manager executes parameter transform scripts, computes derived values, and remaps objects or arrays as needed for later processing.
[4] Step : checkParameters
Manager runs built-in validations including required field checks, type enforcement, and deletion preconditions. Stops execution if validation fails.
[5] Step : checkBasicAuth
Manager validates session, user roles, permissions, and tenant-specific access rules to enforce basic auth restrictions.
You can use the following settings to change some behavior of this
step. authOptions
[6] Step : buildWhereClause
Manager generates the query conditions, applies ownership and parent checks, and ensures the clause is correct for the delete operation.
You can use the following settings to change some behavior of this
step. whereClause
[7] Action : fetchTargetListingOnDelete
Action Type: FetchObjectAction
Fetch the related listing for count decrement.
class Api {
async fetchTargetListingOnDelete() {
// Fetch Object on childObject listing
const userQuery = {
$and: [{ id: this.listingId }, { isActive: true }],
};
const { convertUserQueryToElasticQuery } = require("common");
const scriptQuery = convertUserQueryToElasticQuery(userQuery);
const elasticIndex = new ElasticIndexer("listing");
const data = await elasticIndex.getOne(scriptQuery);
return data
? {
id: data["id"],
favoriteCount: data["favoriteCount"],
}
: null;
}
}
[8] Step : fetchInstance
Manager fetches the target record, applies filters from WHERE clause, and writes the instance to the context for further checks.
[9] Step : checkInstance
Manager performs object-level validations such as lock status, soft-delete eligibility, and multi-step approval enforcement.
[10] Step : mainDeleteOperation
Manager executes the delete query, updates related indexes/caches, and handles soft/hard delete logic according to configuration.
You can use the following settings to change some behavior of this
step. deleteOptions
[11] Action : decFavoriteCount
Action Type: UpdateCrudAction
Decrement favoriteCount on related listing if found.
class Api {
async decFavoriteCount() {
// Aggregated Update Operation on childObject listing
const params = {
favoriteCount: Math.max(0, (this.targetListing.favoriteCount ?? 1) - 1),
};
const userQuery = { id: this.listingId };
const { convertUserQueryToSequelizeQuery } = require("common");
const query = convertUserQueryToSequelizeQuery(userQuery);
// Remote object - call inter-service M2M edge function
const { InterService } = require("common-service");
const options = {};
const result = await InterService.callListingm2mUpdateListingByQuery(
{
body: { dataClause: params, query: query },
},
options,
);
if (!result || result.status !== 200) {
throw new HttpServerError(
`Inter-service call failed: ${result?.message || "Unknown error"}`,
);
}
const updatedResult = result.content;
if (!updatedResult) return null;
// if updated record is in main data update main data
if (this.dbResult) {
for (const item of updatedResult) {
if (item.id == this.dbResult.id) {
Object.assign(this.dbResult, item);
this.favorite = this.dbResult;
}
}
}
if (updatedResult.length == 0) return null;
if (updatedResult.length == 1) return updatedResult[0];
return updatedResult;
}
}
[12] Step : buildOutput
Manager shapes the response payload, masks sensitive fields, and formats related cleanup results for output.
[13] Step : sendResponse
Manager delivers the response to the client and finalizes any temporary internal structures.
[14] Step : raiseApiEvent
Manager triggers asynchronous API events, notifies queues or streams, and performs final cleanup for the workflow.
Rest Usage
Rest Client Parameters
Client parameters are the api parameters that are visible to client and will be populated by the client. Note that some api parameters are not visible to client because they are populated by internal system, session, calculation or joint sources.
The deleteFavorite api has got 2 regular client
parameters
| Parameter | Type | Required | Population |
|---|---|---|---|
| favoriteId | ID | true | request.params?.[“favoriteId”] |
| listingId | ID | true | request.query?.[“listingId”] |
REST Request
To access the api you can use the REST controller with the path DELETE /v1/favorites/:favoriteId
axios({
method: 'DELETE',
url: `/v1/favorites/${favoriteId}`,
data: {
},
params: {
listingId:'"ID"',
}
});
REST Response
The API response is encapsulated within a JSON envelope. Successful
operations return an HTTP status code of 200 for get, list, update, or
delete requests, and 201 for create requests. Each successful response
includes a "status": "OK" property.
For error handling, refer to the “Error Response” section.
Following JSON represents the most comprehensive form of the
favorite object in the respones.
However, some properties may be omitted based on the object’s internal
logic.
{
"status": "OK",
"statusCode": "200",
"elapsedMs": 126,
"ssoTime": 120,
"source": "db",
"cacheKey": "hexCode",
"userId": "ID",
"sessionId": "ID",
"requestId": "ID",
"dataName": "favorite",
"method": "DELETE",
"action": "delete",
"appVersion": "Version",
"rowCount": 1,
"favorite": {
"id": "ID",
"favoritedAt": "Date",
"listingId": "ID",
"userId": "ID",
"isActive": false,
"recordVersion": "Integer",
"createdAt": "Date",
"updatedAt": "Date",
"_owner": "ID"
}
}