Enable OCS API routes

[WeberSamuel]

Enable the easy external use of the collectives routes by turning them into a documented OCS API.

Use cases

• I'm trying to create and list collectives automatically. However using the internal API as referenced in #228. I always get the response "CSRF check failed". Hence, I propose to create API-Controllers similar to how Nextcloud Deck is using it.
• https://github.com/nextcloud/collectives/issues/228#issuecomment-1348283545
• https://github.com/nextcloud/collectives/issues/228#issuecomment-1828571933

Alternatives

Maybe one could give me a hint on how to get around the default CSRF check?

[juliushaertl]

In case we want to expose we should probably think about switching to an OCS-API directly which can be used on both web and clients.

[WeberSamuel]

The current manual, however, recommends implementing a REST Api, as OCS is only for compatibility reasons: https://docs.nextcloud.com/server/latest/developer_manual/basics/controllers.html

In my case, exposing the API was as simple as changing the inherited class from Controller to APIController and add the @CORS and @NoCSRFRequired attributes to the functions.

Of course, it would be great if the API could be exposed officially.

[juliushaertl]

CORS is not implemented properly unfortunately, so the common way to implement routes that can be reused by web and external clients would be OCS. This is the approach that works and is also used across Nextcloud apps.

Upstream issue for reference on the CORS problems https://github.com/nextcloud/server/issues/37319

[max-nextcloud]

I started some preparation for this in #988 by isolating the API related code on the client side.