Chapters

37 Chapters | 3:43:31 |

01

¿Documentos API en producción?

8:22
02

¿Token API? ¿Cookies de sesión?

8:07
03

Formulario de inicio de sesión API con json_login

5:36
04

Manejo de errores de autenticación

3:47
05

En Autenticación correcta

6:03
06

Cerrar sesión y pasar datos de la API a JavaScript

5:45
07

Pasar valores a Stimulus

4:32
08

Tipos de token y la entidad ApiToken

5:59
09

Generar el token de la API y los accesorios

5:58
10

Autenticador de token de acceso

8:56
11

Personalizar los documentos de OpenAPI

7:31
12

Ámbitos de los tokens de la API

5:51
13

Denegar el acceso con la opción "seguridad

7:11
14

Poner en marcha un sistema de pruebas asesino

8:18
15

Aserciones de la prueba JSON y siembra de la base de datos

3:41
16

Aserciones de prueba JSON avanzadas y flexibles

4:04
17

Probar la autenticación

4:59
18

Personalizar el navegador globalmente

3:50
19

Probar la autenticación por token

3:24
20

Nuevo comportamiento PUT

4:46
21

Permitir editar sólo a los propietarios

7:49
22

Permitir que los usuarios administradores editen cualquier tesoro

4:11
23

Votante de seguridad

6:13
24

Campos condicionales por usuario: ApiProperty

5:13
25

Prueba de Usuario + Contraseña Simple

4:21
26

Procesadores de Estado: Hashing de la contraseña de usuario

6:55
27

Grupos de validación y formatos de parche

8:01
28

Grupos Dinámicos: Creador de Contextos

8:26
29

Normalizador personalizado

5:08
30

Decoración del normalizador y "Normalizer Aware" (consciente del normalizador)

6:29
31

Campos totalmente personalizados

3:24
32

Validador personalizado

7:58
33

Validar cómo cambian los valores

8:30
34

Configuración automática del "propietario

4:19
35

Extensión de consulta: Autofiltrar una colección

6:15
36

404 En Artículos No Publicados

8:00
37

Filtrar la colección de relaciones

5:39

> APIs > API Platform 3: Seguridad para tus tesoros

Buy Access to Course

19.

Probar la autenticación por token

Autoplay

Keep on Learning!

If you liked what you've learned so far, dive in! Subscribe to get
access to this tutorial plus video, code and script downloads.

Start your All-Access Pass

Buy just this tutorial for $12.00

Previous Chapter

Next Chapter

With a Subscription, click any sentence in the script to jump to that part of the video!

¿Qué tal una prueba como ésta... pero en la que iniciamos sesión con una clave API? Creemos un nuevo método: función pública testPostToCreateTreasureWithApiKey():

            Copy Code

                            Show All Lines

                        73 lines
            |
            tests/Functional/DragonTreasureResourceTest.php
        
                Show Lines

                                                    // ... lines 1 - 10
                            
            class DragonTreasureResourceTest extends ApiTestCase
        
            {
        
                Show Lines

                                                    // ... lines 13 - 61
                            
                public function testPostToCreateTreasureWithApiKey(): void
        
                {
        
                Show Lines

                                                    // ... lines 64 - 70
                            
                }
        
            }

Esto empezará más o menos igual que antes. Copiaré la parte superior de la prueba anterior, quitaré el actingAs()... y añadiré un dump() cerca de la parte inferior:

            Copy Code

                            Show All Lines

                        73 lines
            |
            tests/Functional/DragonTreasureResourceTest.php
        
                Show Lines

                                                    // ... lines 1 - 10
                            
            class DragonTreasureResourceTest extends ApiTestCase
        
            {
        
                Show Lines

                                                    // ... lines 13 - 61
                            
                public function testPostToCreateTreasureWithApiKey(): void
        
                {
        
                    $this->browser()
        
                        ->post('/api/treasures', [
        
                            'json' => [],
        
                        ])
        
                        ->dump()
        
                        ->assertStatus(422)
        
                    ;
        
                }
        
            }

Así, como antes, estamos enviando datos no válidos y esperamos un código de estado 422.

Copia ese nombre de método, luego gira y ejecuta sólo esta prueba:

symfony php bin/phpunit --filter=testPostToCreateTreasureWithApiKey

Y... ninguna sorpresa: obtenemos un código de estado 401 porque no estamos autenticados.

Enviemos una cabecera Authorization, pero una no válida para empezar. Pasa una claveheaders configurada en una matriz con Authorization y luego la palabra Bearer y luego... foo.

Esto debería seguir fallando:

symfony php bin/phpunit --filter=testPostToCreateTreasureWithApiKey

Y... ¡lo hace! Pero con un mensaje de error diferente: invalid_token. ¡Qué bien!

Utilizar un código real

Para pasar un token real, tenemos que introducir un token real en la base de datos. Hazlo con $token = ApiTokenFactory::createOne():

            Copy Code

                            Show All Lines

                        82 lines
            |
            tests/Functional/DragonTreasureResourceTest.php
        
                Show Lines

                                                    // ... lines 1 - 12
                            
            class DragonTreasureResourceTest extends ApiTestCase
        
            {
        
                Show Lines

                                                    // ... lines 15 - 63
                            
                public function testPostToCreateTreasureWithApiKey(): void
        
                {
        
                    $token = ApiTokenFactory::createOne([
        
                Show Lines

                                                    // ... line 67
                            
                    ]);
        
                Show Lines

                                                    // ... lines 69 - 79
                            
                }
        
            }

¿Necesitamos controlar algún campo de esto? En realidad sí. Abre DragonTreasure. Si nos desplazamos hacia arriba, la operación Post requiere ROLE_TREASURE_CREATE:

            Copy Code

                            Show All Lines

                        245 lines
            |
            src/Entity/DragonTreasure.php
        
                Show Lines

                                                    // ... lines 1 - 27
                            
            #[ApiResource(
        
                Show Lines

                                                    // ... lines 29 - 30
                            
                operations: [
        
                Show Lines

                                                    // ... lines 32 - 37
                            
                    new Post(
        
                        security: 'is_granted("ROLE_TREASURE_CREATE")',
        
                    ),
        
                Show Lines

                                                    // ... lines 41 - 49
                            
                ],
        
                Show Lines

                                                    // ... lines 51 - 64
                            
            )]
        
                Show Lines

                                                    // ... lines 66 - 83
                            
            class DragonTreasure
        
            {
        
                Show Lines

                                                    // ... lines 86 - 243
                            
            }

Cuando nos autenticamos a través del formulario de acceso, gracias a role_hierarchy, siempre tenemos eso. Pero cuando utilizamos una clave API, para obtener ese rol, el token necesita el ámbito correspondiente.

Para asegurarnos de que lo tenemos, en la prueba, establece la propiedad scopes enApiToken::SCOPE_TREASURE_CREATE:

            Copy Code

                            Show All Lines

                        82 lines
            |
            tests/Functional/DragonTreasureResourceTest.php
        
                Show Lines

                                                    // ... lines 1 - 4
                            
            use App\Entity\ApiToken;
        
                Show Lines

                                                    // ... lines 6 - 12
                            
            class DragonTreasureResourceTest extends ApiTestCase
        
            {
        
                Show Lines

                                                    // ... lines 15 - 63
                            
                public function testPostToCreateTreasureWithApiKey(): void
        
                {
        
                    $token = ApiTokenFactory::createOne([
        
                        'scopes' => [ApiToken::SCOPE_TREASURE_CREATE]
        
                    ]);
        
                Show Lines

                                                    // ... lines 69 - 79
                            
                }
        
            }

Ahora pasa esto a la cabecera: $token->getToken(). Ah... y déjame arreglarscopes: que debería ser una matriz:

            Copy Code

                            Show All Lines

                        82 lines
            |
            tests/Functional/DragonTreasureResourceTest.php
        
                Show Lines

                                                    // ... lines 1 - 12
                            
            class DragonTreasureResourceTest extends ApiTestCase
        
            {
        
                Show Lines

                                                    // ... lines 15 - 63
                            
                public function testPostToCreateTreasureWithApiKey(): void
        
                {
        
                    $token = ApiTokenFactory::createOne([
        
                        'scopes' => [ApiToken::SCOPE_TREASURE_CREATE]
        
                    ]);
        
                Show Lines

                                                    // ... line 69
                            
                    $this->browser()
        
                        ->post('/api/treasures', [
        
                Show Lines

                                                    // ... line 72
                            
                            'headers' => [
        
                                'Authorization' => 'Bearer '.$token->getToken()
        
                            ]
        
                        ])
        
                Show Lines

                                                    // ... lines 77 - 78
                            
                    ;
        
                }
        
            }

¡Creo que ya estamos listos! Ejecuta la prueba:

symfony php bin/phpunit --filter=testPostToCreateTreasureWithApiKey

Y... ¡ya está! ¡Vemos los bonitos 422 errores de validación!

Probar un token con un alcance incorrecto

Hagamos una prueba para asegurarnos de que no tenemos acceso si a nuestro token le falta este ámbito. Copia todo el método de prueba... y pégalo a continuación. LlámalotestPostToCreateTreasureDeniedWithoutScope().

Esta vez, cambia scopes por otra cosa, como SCOPE_TREASURE_EDIT. A continuación, ahora esperamos un código de estado 403:

            Copy Code

                            Show All Lines

                        98 lines
            |
            tests/Functional/DragonTreasureResourceTest.php
        
                Show Lines

                                                    // ... lines 1 - 12
                            
            class DragonTreasureResourceTest extends ApiTestCase
        
            {
        
                Show Lines

                                                    // ... lines 15 - 80
                            
                public function testPostToCreateTreasureDeniedWithoutScope(): void
        
                {
        
                    $token = ApiTokenFactory::createOne([
        
                        'scopes' => [ApiToken::SCOPE_TREASURE_EDIT]
        
                    ]);
        
                    $this->browser()
        
                        ->post('/api/treasures', [
        
                            'json' => [],
        
                            'headers' => [
        
                                'Authorization' => 'Bearer '.$token->getToken()
        
                            ]
        
                        ])
        
                        ->assertStatus(403)
        
                    ;
        
                }
        
            }

Esta vez, vamos a ejecutar todas las pruebas:

symfony php bin/phpunit

Y... ¡todo verde! Un 422 y luego un 403. Ve a eliminar los volcados de ambos puntos.

Por cierto, si utilizas mucho los tokens de la API en tus pruebas, pasar la cabecera Authorizationpuede resultar molesto. Browser tiene una forma en la que podemos crear un objeto Browser personalizado con métodos personalizados. Por ejemplo, podrías añadir un método authWithToken(), pasar un array de ámbitos, y entonces crearía ese token y lo pondría en la cabecera

$this->browser()
    ->authWithToken([ApiToken::SCOPE_TREASURE_CREATE])
    // ...
;

Esto no funciona en absoluto ahora mismo, pero consulta la documentación de Browser para aprender cómo hacerlo.

Siguiente: en la API Platform 3.1, el comportamiento de la operación PUT está cambiando. Hablemos de cómo, y de lo que tenemos que hacer en nuestro código para prepararnos para ello.

14 Comments

Sort By

Rodrypaladin 1 year ago edited

For those who need it, I always got a 415 response and in the error document that I created, it appeared

{ "@context": "/api/contexts/Error", "@type": "hydra:Error", "hydra:title": "An error occurred", "hydra:description": "The content-type \"application/json\" is not supported. Supported MIME types are \"application/ld+json\".", .....more ....

I had to add the Content-Type in the headers to fix it and continue with the flow of the course.

'headers' => [
     'Authorization' => 'Bearer ' . $token->getToken(),
     'Content-Type' => 'application/ld+json'
]

1 | Reply |

Victor SFCASTS Rodrypaladin 1 year ago edited

Hey @Rodrypaladin ,

I see in this chapter we allow application/json content type as well along with application/ld+json. Probably your config is different? Anyway, thanks for this tip!

Cheers!

| Reply |

Rodrypaladin Victor 1 year ago

I don't know if my configuration is different. I only know that from the very first moment following the course, in the Patch applications I have had to incorporate it if necessary.

The important thing is that I was able to solve it by my own means.

| Reply |

Victor SFCASTS Rodrypaladin 1 year ago edited

Hey @Rodrypaladin ,

Good catch on solving this yourself 👍

Cheers!

| Reply |

NinjaScareCrow 1 year ago

I'm following this awesome tutorial using Symfony 7.2 ;)

I'm getting the following error on the second test (testPostToCreateTreasure):

App\Tests\Functional\DragonTreasureResourceTest::testPostToCreateTreasure
Doctrine\ORM\Exception\EntityIdentityCollisionException: While adding an entity of class App\Entity\User with an ID hash of "1" to the identity map,
another object of class App\Entity\User was already present for the same ID. This exception
is a safeguard against an internal inconsistency - IDs should uniquely map to
entity object instances. This problem may occur if:

- you use application-provided IDs and reuse ID values;
- database-provided IDs are reassigned after truncating the database without
clearing the EntityManager;
- you might have been using EntityManager#getReference() to create a reference
for a nonexistent ID that was subsequently (by the RDBMS) assigned to another
entity.

Otherwise, it might be an ORM-internal inconsistency, please report it.

Naturally, the rest of the tests then fail because Entity Manager is closed after the afore mentioned failure.

Been Googling for a while now, and I can't seem to find anything that relates to the issue I'm having.
I'm guessing I need to clear the Entity Manager... I'm just not exactly sure how to do that correctly from inside a test case.
Everything I've tried so far doesn't work... so I'm hoping someone maybe has a solution to this minor headache ^_^

Appreciate the help... and keep up the good work :D

| Reply |

Victor SFCASTS NinjaScareCrow 1 year ago edited

Hey @NinjaScareCrow ,

Hm, if your database is truncated between tests but somehow the entity manager isn't cleared, Doctrine might still hold references to old entities in memory. You can try to clear the entity manager manually in the beginning of your test, or in the setUp() method called before each test, something like this:

protected function setUp(): void
{
    parent::setUp();
    $this->entityManager = self::$container->get('doctrine')->getManager();
    $this->entityManager->clear(); // Clears the EntityManager before each test
}

I wonder if it helps with that test failure.

Cheers!

| Reply |

NinjaScareCrow Victor 1 year ago

Hey Victor

Unfortunately that didn't work :(
I had to adapt it slightly as self::$container doesn't exist.

protected function setUp(): void
{
    parent::setUp();
    $this->entityManager = self::bootKernel()->getContainer()->get('doctrine')->getManager();
    $this->entityManager->clear();
}

I'm still getting the same error on the second test when I rull all the tests using symfony php bin/phpunit.
I even tried getting the entity manager and clearing it at the beginning of the test cases, but that also didn't work.

Any other ideas? ;)

| Reply |

MolloKhan SFCASTS NinjaScareCrow 1 year ago edited

Hey @NinjaScareCrow

How are you restoring your database after each test? Are you using the dama bundle?

Cheers!

| Reply |

TristanoMilano 1 year ago

So, my app has two firewalls configured. One for the API called "api" (using LexikJWTAuthenticationBundle) and one for the Web-Admin-Backend ("main") using "knpuniversity/oauth2-client-bundle" in combination with "stevenmaguire/oauth2-keycloak".

That means, that different from Chtioui's config, the API-Tokens are created externally, meaning that in my TestClass inside the setUp() function I do the following:

public function setUp(): void
    {
        parent::setUp();
        $accessTokenProvider = self::getContainer()->get(AccessTokenProvider::class);
        $this->token = $accessTokenProvider->getAccessToken();
        $entityManager = self::getContainer()->get(EntityManagerInterface::class);
        $this->user = $entityManager->getRepository(User::class)->findOneBy(['email' => 'adminUser@email.com']);
        $this->postAuthenticationToken = new PostAuthenticationToken($this->user, 'main', $this->user->getRoles());
    }

And in the test function that test the secured API-Endpoint, I can do the following:

public function testApiRouteIsOnlyAccessibleWithValidToken(): void
    {
        $this->browser()
            ->get('/api/speakers', [
                'headers' => [
                    'Authorization' => 'Bearer ' . $this->token,
                    'Content-Type' => 'application/ld+json',
                    'Accept' => 'application/ld+json',
                ]
            ])
            ->assertJson()
            ->assertJsonMatches('"hydra:totalItems"', 10)
        ;

But now I also wanted to test a web-route, but that somehow is not possible.

If I try:

    public function testAccessWebRouteWithAuthenticationViaActingAsHelper(): void
    {
        $this->browser()
            ->actingAs($this->postAuthenticationToken->getUser(), 'main')
            ->get('/')
            ->dump('.container-xl')
            ->assertStatus(200);
    }

I get a 500 response, an in the dump from the template it says:

   ┐
   ├ The last request threw an exception: Twig\Error\RuntimeError - An exception has been thrown during the rendering of a te... token has no "profileUrl" attribute.").
   ├                                                                                                                                                                    
   ├ Failure Context:                                                                                                                                                   
   ├                                                                                                                                                                    
   ├ [0]                                                                                                                                                                
   ├ 'Twig\Error\RuntimeError'                                                                                                                                          
   ├                                                                                                                                                                    
   ├ [1]                                                                                                                                                                
   ├ 'An exception has been thrown during the rendering of a template ("This token has no "profileUrl" attribute.").'

The profileUrl is set in the KeycloakAuthenticator, in which a PostAuthenticationToken is set, which is why I also create one of these in the setup cuntion with the Admin-User I created in the fixtures.

Then I try to do the following:

    public function testAdminRouteWithPostAuthToken(): void
    {
        $this->browser()
            ->setDefaultHttpOptions([
                'headers' => [
                    'Authorization' => 'Bearer ' . $this->postAuthenticationToken,
                ]
            ])
            ->get('/')
            ->assertStatus(200);
    }

But that does not seem to work, because my app still thinks, that I am logged out.

Any ideas on what I am doing wrong?

Thanks in advance.

| Reply |

weaverryan SFCASTS TristanoMilano 1 year ago

Hey @TristanoMilano!

Sorry for my super slow reply! Hmm, this is tricky. Here's what I can tell you:

The ->actingAs() method from browser is a wrapper around the ->loginUser() method of Symfony - https://github.com/symfony/symfony/blob/9e810dea50cb47deb8500ad7ffb56d5a5622b46e/src/Symfony/Bundle/FrameworkBundle/KernelBrowser.php#L103
When you pass that a user, it creates its own TestBrowserToken object - https://github.com/symfony/symfony/blob/9e810dea50cb47deb8500ad7ffb56d5a5622b46e/src/Symfony/Bundle/FrameworkBundle/KernelBrowser.php#L113

So, it may be that simple. Your user is getting logged in, but instead of a PostAuthenticationToken with this profileUrl set, it's a TestBrowserToken with no attribute set.

If that's true, you may need to write your own fake authentication logic in your test that mimics the loginUser() method from Symfony... but with your token.

Let me know if that helps!

Cheers!

| Reply |

Chtioui 2 years ago

Hello symfonycasts Team !
i'm using LexikJWTAuthenticationBundle to handle token authentication everything works fine until I tried to update a user's login credentials (password & email) with the PATCH operation the update request succedeed but i've got token this error : "Invalid credentials" after finishing updating the user I want to understand something here do we need to login again the user after updating his login credentials or therre is any other solution to generate a new token after the user updates his login credentials?
Cheers!

| Reply |

weaverryan SFCASTS Chtioui 2 years ago

Hey @Chtioui!

Hmm very interesting! So, you're using LexikJWTAuthenticationBundle with "stateless" authentication is that correct? What I mean is: you send the JWT with every API request, right? You do not rely on just "logging in once" and then using the session to authenticate you on future request. Let me know if that assumption is incorrect :).

Anyways, if you ARE using "stateless" authentication, then I have no idea what's happening yet :P.

But if you ARE relying on session authentication, then I still don't totally know what's happening, but I can offer some info. On each request, Symfony attempts to load the User object from the session. It then checks to see if some of the important fields on that User object (the one that was stored in the session) have since changed in the database - for example, if the password has been changed. If any of these fields have changed, it does NOT load your User (i.e. it effectively logs you out). This is a security mechanism so that if you change your password on one computer because someone hacked your account, it will log ALL devices out of your account immediately. The logic for this is here: https://github.com/symfony/symfony/blob/0eb03203c800b11bac4496a3e84c75e2966d5507/src/Symfony/Component/Security/Http/Firewall/ContextListener.php#L281-L321

However, normally, if you change your password on a request, then at the end of that request, when Symfony serializes the User into the session, it will serialize the User object that contains the NEW hashed password. And so, in the next request, everything will work fine.

So, something feels weird to me. Can you tell me a bit more about your situation - are you using stateless auth or session-based auth? When exactly do you get the "Invalid credentials" error - is that on the NEXT request? Are you sending a JWT on that? What does your JWT contain?

Cheers!

1 | Reply |

Chtioui weaverryan 2 years ago

Hello @weaverryan,

-Yes i'm using stateless authentication with the LexikJWTAuthenticationBundle and i'm using the user's username and password for generating the JWT token.
-I get the "Invalid credentials" error on the next request and the user is no longer authenticated in my web app.

-I think whats happening is normal because the user is updating his login credentials (username & password in my case) that's why i'm getting the error "Invalid credentials" with the status 401 also I get this error only when update the user's login credentials but if I update other properties of the user's class everything works fine and I got no errors from the api response.

-I want to know if there is any mechanism to integrate to solve the problem or do I need to authenticate again the user after he updates one of his login credentials.

*firewalls in security.yaml:

security firewall

    firewalls:
        api:
            pattern: ^/api/
            stateless: true
            provider: app_user_provider
            jwt: ~
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            json_login:
                check_path: /authentication_token
                username_path: username
                password_path: password
                success_handler: lexik_jwt_authentication.handler.authentication_success
                failure_handler: lexik_jwt_authentication.handler.authentication_failure
            refresh_jwt:
                check_path: /authentication_token/refresh # or, you may use the `api_refresh_token` route name
            logout:
                path: app_logout

Lexik bundle file configuration:

Lexic bundle configuration file

lexik_jwt_authentication:
    secret_key: '%env(resolve:JWT_SECRET_KEY)%'
    public_key: '%env(resolve:JWT_PUBLIC_KEY)%'
    pass_phrase: '%env(JWT_PASSPHRASE)%'
    token_ttl: 1800 # 30min in seconds 1800

Cheers!

| Reply |

weaverryan SFCASTS Chtioui 2 years ago

Hey @Chtioui!

Hmm. If the user changes their username, it DOES make sense that you would lose authentication since the username is what's added to the JWT... and then that username is read from the JWT to find the user. So if you change the username, that user won't be found. To fix that, you could change your JWT to use the id instead, which is probably safer anyways. I'm not sure exactly how you're supposed to do this - but the https://symfony.com/bundles/LexikJWTAuthenticationBundle/current/2-data-customization.html seems to be close.

I don't understand why changing the password is also causing problems - but you did mention that:

Yes i'm using stateless authentication with the LexikJWTAuthenticationBundle and i'm using the user's username and password for generating the JWT token

So perhaps you're adding and using the password in the token in some manual way already.

Anyways, to fix the issue, you'll need to either:

A) Re-authenticate after this (as you know is already possible)
or
B) Somehow send back a fresh JWT from the user endpoint where you update the email/password. I'm not sure how standard this is... but in theory, you could register an event listener that could add a custom response header - e.g. X-JWT to this endpoint. It's a non-trivial problem. You might, inside User::setPlainPassword() and setUsername() set some flag on your User like $this->needsNewJWT = true. Then register a ResponseListener and look for that (you can get the User object via $request->attributes->get('data').

I hope this gives you some hints :)

Cheers!

| Reply |

API Platform 3 Symfony 6.2

What PHP libraries does this tutorial use?

// composer.json
{
    "require": {
        "php": ">=8.2",
        "ext-ctype": "*",
        "ext-iconv": "*",
        "api-platform/core": "^3.0", // v3.1.2
        "doctrine/annotations": "^2.0", // 2.0.1
        "doctrine/doctrine-bundle": "^2.8", // 2.8.3
        "doctrine/doctrine-migrations-bundle": "^3.2", // 3.2.2
        "doctrine/orm": "^2.14", // 2.14.1
        "nelmio/cors-bundle": "^2.2", // 2.2.0
        "nesbot/carbon": "^2.64", // 2.66.0
        "phpdocumentor/reflection-docblock": "^5.3", // 5.3.0
        "phpstan/phpdoc-parser": "^1.15", // 1.16.1
        "symfony/asset": "6.2.*", // v6.2.5
        "symfony/console": "6.2.*", // v6.2.5
        "symfony/dotenv": "6.2.*", // v6.2.5
        "symfony/expression-language": "6.2.*", // v6.2.5
        "symfony/flex": "^2", // v2.2.4
        "symfony/framework-bundle": "6.2.*", // v6.2.5
        "symfony/property-access": "6.2.*", // v6.2.5
        "symfony/property-info": "6.2.*", // v6.2.5
        "symfony/runtime": "6.2.*", // v6.2.5
        "symfony/security-bundle": "6.2.*", // v6.2.6
        "symfony/serializer": "6.2.*", // v6.2.5
        "symfony/twig-bundle": "6.2.*", // v6.2.5
        "symfony/ux-react": "^2.6", // v2.7.1
        "symfony/ux-vue": "^2.7", // v2.7.1
        "symfony/validator": "6.2.*", // v6.2.5
        "symfony/webpack-encore-bundle": "^1.16", // v1.16.1
        "symfony/yaml": "6.2.*" // v6.2.5
    },
    "require-dev": {
        "doctrine/doctrine-fixtures-bundle": "^3.4", // 3.4.2
        "mtdowling/jmespath.php": "^2.6", // 2.6.1
        "phpunit/phpunit": "^9.5", // 9.6.3
        "symfony/browser-kit": "6.2.*", // v6.2.5
        "symfony/css-selector": "6.2.*", // v6.2.5
        "symfony/debug-bundle": "6.2.*", // v6.2.5
        "symfony/maker-bundle": "^1.48", // v1.48.0
        "symfony/monolog-bundle": "^3.0", // v3.8.0
        "symfony/phpunit-bridge": "^6.2", // v6.2.5
        "symfony/stopwatch": "6.2.*", // v6.2.5
        "symfony/web-profiler-bundle": "6.2.*", // v6.2.5
        "zenstruck/browser": "^1.2", // v1.2.0
        "zenstruck/foundry": "^1.26" // v1.28.0
    }
}

Previous Chapter

Next Chapter

Probar la autenticación por token

Share this awesome video!

Keep on Learning!

Utilizar un código real

Probar un token con un alcance incorrecto

14 Comments

Delete comment?

What PHP libraries does this tutorial use?

Show Lines	// ... lines 1 - 10
	class DragonTreasureResourceTest extends ApiTestCase
	{
Show Lines	// ... lines 13 - 61
	public function testPostToCreateTreasureWithApiKey(): void
	{
Show Lines	// ... lines 64 - 70
	}
	}

Show Lines	// ... lines 1 - 12
	class DragonTreasureResourceTest extends ApiTestCase
	{
Show Lines	// ... lines 15 - 63
	public function testPostToCreateTreasureWithApiKey(): void
	{
	$token = ApiTokenFactory::createOne([
Show Lines	// ... line 67
	]);
Show Lines	// ... lines 69 - 79
	}
	}

Show Lines	// ... lines 1 - 27
	#[ApiResource(
Show Lines	// ... lines 29 - 30
	operations: [
Show Lines	// ... lines 32 - 37
	new Post(
	security: 'is_granted("ROLE_TREASURE_CREATE")',
	),
Show Lines	// ... lines 41 - 49
	],
Show Lines	// ... lines 51 - 64
	)]
Show Lines	// ... lines 66 - 83
	class DragonTreasure
	{
Show Lines	// ... lines 86 - 243
	}

Show Lines	// ... lines 1 - 4
	use App\Entity\ApiToken;
Show Lines	// ... lines 6 - 12
	class DragonTreasureResourceTest extends ApiTestCase
	{
Show Lines	// ... lines 15 - 63
	public function testPostToCreateTreasureWithApiKey(): void
	{
	$token = ApiTokenFactory::createOne([
	'scopes' => [ApiToken::SCOPE_TREASURE_CREATE]
	]);
Show Lines	// ... lines 69 - 79
	}
	}