Chapters

37 Chapters | 3:43:31 |

01

¿Documentos API en producción?

8:22
02

¿Token API? ¿Cookies de sesión?

8:07
03

Formulario de inicio de sesión API con json_login

5:36
04

Manejo de errores de autenticación

3:47
05

En Autenticación correcta

6:03
06

Cerrar sesión y pasar datos de la API a JavaScript

5:45
07

Pasar valores a Stimulus

4:32
08

Tipos de token y la entidad ApiToken

5:59
09

Generar el token de la API y los accesorios

5:58
10

Autenticador de token de acceso

8:56
11

Personalizar los documentos de OpenAPI

7:31
12

Ámbitos de los tokens de la API

5:51
13

Denegar el acceso con la opción "seguridad

7:11
14

Poner en marcha un sistema de pruebas asesino

8:18
15

Aserciones de la prueba JSON y siembra de la base de datos

3:41
16

Aserciones de prueba JSON avanzadas y flexibles

4:04
17

Probar la autenticación

4:59
18

Personalizar el navegador globalmente

3:50
19

Probar la autenticación por token

3:24
20

Nuevo comportamiento PUT

4:46
21

Permitir editar sólo a los propietarios

7:49
22

Permitir que los usuarios administradores editen cualquier tesoro

4:11
23

Votante de seguridad

6:13
24

Campos condicionales por usuario: ApiProperty

5:13
25

Prueba de Usuario + Contraseña Simple

4:21
26

Procesadores de Estado: Hashing de la contraseña de usuario

6:55
27

Grupos de validación y formatos de parche

8:01
28

Grupos Dinámicos: Creador de Contextos

8:26
29

Normalizador personalizado

5:08
30

Decoración del normalizador y "Normalizer Aware" (consciente del normalizador)

6:29
31

Campos totalmente personalizados

3:24
32

Validador personalizado

7:58
33

Validar cómo cambian los valores

8:30
34

Configuración automática del "propietario

4:19
35

Extensión de consulta: Autofiltrar una colección

6:15
36

404 En Artículos No Publicados

8:00
37

Filtrar la colección de relaciones

5:39

> APIs > API Platform 3: Seguridad para tus tesoros

Buy Access to Course

34.

Configuración automática del "propietario

Autoplay

Keep on Learning!

If you liked what you've learned so far, dive in! Subscribe to get
access to this tutorial plus video, code and script downloads.

Start your All-Access Pass

Buy just this tutorial for $12.00

Previous Chapter

Next Chapter

With a Subscription, click any sentence in the script to jump to that part of the video!

Cada DragonTreasure debe tener un owner... y para establecerlo, cuando POSTpara crear un tesoro, requerimos ese campo. Creo que deberíamos hacerlo opcional. Así que, en la prueba, deja de enviar el campo owner:

            Copy Code

                            Show All Lines

                        181 lines
            |
            tests/Functional/DragonTreasureResourceTest.php
        
                Show Lines

                                                    // ... lines 1 - 12
                            
            class DragonTreasureResourceTest extends ApiTestCase
        
            {
        
                Show Lines

                                                    // ... lines 15 - 41
                            
                public function testPostToCreateTreasure(): void
        
                {
        
                Show Lines

                                                    // ... lines 44 - 45
                            
                    $this->browser()
        
                Show Lines

                                                    // ... lines 47 - 51
                            
                        ->post('/api/treasures', HttpOptions::json([
        
                Show Lines

                                                    // ... lines 53 - 56
                            
                            'owner' => '/api/users/'.$user->getId(),
        
                        ]))
        
                Show Lines

                                                    // ... lines 59 - 60
                            
                    ;
        
                }
        
                Show Lines

                                                    // ... lines 63 - 179
                            
            }

Cuando esto ocurra, configurémoslo automáticamente para el usuario autenticado actualmente.

Asegúrate de que la prueba falla. Copia el nombre del método... y ejecútalo:

symfony php bin/phpunit --filter=testPostToCreateTreasure

Falló. Obtuve un 422, 201 esperado. Ese 422 es un error de validación de la propiedad owner: este valor no debe ser nulo.

Eliminar la validación del propietario

Si vamos a hacerlo opcional, tenemos que eliminar ese Assert\NotNull:

            Copy Code

                            Show All Lines

                        253 lines
            |
            src/Entity/DragonTreasure.php
        
                Show Lines

                                                    // ... lines 1 - 88
                            
            class DragonTreasure
        
            {
        
                Show Lines

                                                    // ... lines 91 - 136
                            
                #[Assert\NotNull]
        
                Show Lines

                                                    // ... line 138
                            
                private ?User $owner = null;
        
                Show Lines

                                                    // ... lines 140 - 251
                            
            }

Y ahora cuando intentemos la prueba

symfony php bin/phpunit --filter=testPostToCreateTreasure

¡Hola magnífico error 500! Probablemente se deba a que el nulo owner_id hace kaboom cuando llega a la base de datos. ¡Yup!

Utilizar los procesadores de estado

Entonces: ¿cómo podemos establecer automáticamente este campo cuando no se envía? En el tutorial anterior de la API Platform 2, lo hice con un oyente de entidad, que es una buena solución. Pero en la API Platform 3, al igual que cuando hicimos hash de la contraseña de usuario, ahora hay un sistema muy bueno para esto: el sistema de procesadores de estado.

Como recordatorio, nuestras rutas POST y PATCH para DragonTreasure ya tienen un procesador de estado que proviene de Doctrine: es el responsable de guardar el objeto en la base de datos. Llegados a este punto, nuestro objetivo te resultará familiar: decorar ese proceso de estado para que podamos ejecutar código adicional antes de guardar.

Como antes, empieza ejecutando:

php bin/console make:state-processor

Llámalo DragonTreasureSetOwnerProcessor:

            Copy Code

                            Show All Lines

                        15 lines
            |
            src/State/DragonTreasureSetOwnerProcessor.php
        
                Show Lines

                                                    // ... lines 1 - 2
                            
            namespace App\State;
        
            use ApiPlatform\Metadata\Operation;
        
            use ApiPlatform\State\ProcessorInterface;
        
            class DragonTreasureSetOwnerProcessor implements ProcessorInterface
        
            {
        
                public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): void
        
                {
        
                    // Handle the state
        
                }
        
            }

En src/State/, ábrelo. Vale, ¡a decorar! Añade el método construct con private ProcessorInterface $innerProcessor:

            Copy Code

                            Show All Lines

                        21 lines
            |
            src/State/DragonTreasureSetOwnerProcessor.php
        
                Show Lines

                                                    // ... lines 1 - 5
                            
            use ApiPlatform\State\ProcessorInterface;
        
                Show Lines

                                                    // ... lines 7 - 9
                            
            class DragonTreasureSetOwnerProcessor implements ProcessorInterface
        
            {
        
                public function __construct(private ProcessorInterface $innerProcessor)
        
                {
        
                }
        
                Show Lines

                                                    // ... lines 15 - 19
                            
            }

Luego abajo en process(), ¡llama a eso! Este método no devuelve nada - tiene un retorno void - así que sólo necesitamos $this->innerProcessor - no olvides esa parte como estoy haciendo yo - ->process() pasando $data, $operation, $uriVariables y$context:

            Copy Code

                            Show All Lines

                        21 lines
            |
            src/State/DragonTreasureSetOwnerProcessor.php
        
                Show Lines

                                                    // ... lines 1 - 9
                            
            class DragonTreasureSetOwnerProcessor implements ProcessorInterface
        
            {
        
                Show Lines

                                                    // ... lines 12 - 15
                            
                public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): void
        
                {
        
                    $this->innerProcessor->process($data, $operation, $uriVariables, $context);
        
                }
        
            }

Ahora, para hacer que Symfony utilice nuestro procesador de estado en lugar del normal de Doctrine, añade #[AsDecorator]... y el id del servicio esapi_platform.doctrine.orm.state.persist_processor:

            Copy Code

                            Show All Lines

                        21 lines
            |
            src/State/DragonTreasureSetOwnerProcessor.php
        
                Show Lines

                                                    // ... lines 1 - 6
                            
            use Symfony\Component\DependencyInjection\Attribute\AsDecorator;
        
            #[AsDecorator('api_platform.doctrine.orm.state.persist_processor')]
        
            class DragonTreasureSetOwnerProcessor implements ProcessorInterface
        
            {
        
                Show Lines

                                                    // ... lines 12 - 19
                            
            }

¡Genial! Ahora, a todo lo que utilice ese servicio en el sistema se le pasará nuestro servicio en su lugar... y luego se nos pasará el original.

¡Decorar varias veces está bien!

Ah, y está pasando algo guay. Mira UserHashPasswordStateProcessor. ¡Estamos decorando lo mismo ahí! Sí, estamos decorando ese servicio dos veces, ¡lo que está totalmente permitido! Internamente, esto creará una especie de cadena de servicios decorados.

Bien, pongámonos a trabajar en la configuración del propietario. Conecta automáticamente nuestro servicio favorito Security para que podamos averiguar quién ha iniciado sesión:

            Copy Code

                            Show All Lines

                        27 lines
            |
            src/State/DragonTreasureSetOwnerProcessor.php
        
                Show Lines

                                                    // ... lines 1 - 7
                            
            use Symfony\Bundle\SecurityBundle\Security;
        
                Show Lines

                                                    // ... lines 9 - 11
                            
            class DragonTreasureSetOwnerProcessor implements ProcessorInterface
        
            {
        
                public function __construct(private ProcessorInterface $innerProcessor, private Security $security)
        
                {
        
                }
        
                Show Lines

                                                    // ... lines 17 - 25
                            
            }

Entonces, antes de que hagamos el guardado, si $data es un instanceof DragonTreasurey $data->getOwner() es nulo y $this->security->getUser() -asegurándonos de que el usuario está conectado- entonces $data->setOwner($this->security->getUser()):

            Copy Code

                            Show All Lines

                        27 lines
            |
            src/State/DragonTreasureSetOwnerProcessor.php
        
                Show Lines

                                                    // ... lines 1 - 11
                            
            class DragonTreasureSetOwnerProcessor implements ProcessorInterface
        
            {
        
                Show Lines

                                                    // ... lines 14 - 17
                            
                public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): void
        
                {
        
                    if ($data instanceof DragonTreasure && $data->getOwner() === null && $this->security->getUser()) {
        
                        $data->setOwner($this->security->getUser());
        
                    }
        
                    $this->innerProcessor->process($data, $operation, $uriVariables, $context);
        
                }
        
            }

¡Eso debería bastar! Ejecuta esa prueba:

symfony php bin/phpunit --filter=testPostToCreateTreasure

¡Caramba! Tamaño de memoria permitido agotado. ¡Me huele a recursión! Porque... Me estoy llamando aprocess(): Necesito $this->innerProcessor->process():

            Copy Code

                            Show All Lines

                        27 lines
            |
            src/State/DragonTreasureSetOwnerProcessor.php
        
                Show Lines

                                                    // ... lines 1 - 11
                            
            class DragonTreasureSetOwnerProcessor implements ProcessorInterface
        
            {
        
                Show Lines

                                                    // ... lines 14 - 17
                            
                public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): void
        
                {
        
                Show Lines

                                                    // ... lines 20 - 23
                            
                    $this->innerProcessor->process($data, $operation, $uriVariables, $context);
        
                }
        
            }

Ahora:

symfony php bin/phpunit --filter=testPostToCreateTreasure

Una prueba superada mola mucho más que la recursividad. ¡Y el campo propietario ahora es opcional!

Siguiente: actualmente devolvemos todos los tesoros de nuestro punto final de colección GET, incluidos los tesoros no publicados. Arreglémoslo modificando la consulta detrás de ese punto final para ocultarlos.

15 Comments

Sort By

Nuri 2 years ago

process method should return the result, otherwise you get NULL response in the response body

    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = [])
    {
        if ($data instanceof DragonTreasure && $data->getOwner() === null && $this->security->getUser()) {
            $data->setOwner($this->security->getUser());
        }
        return $this->innerProcessor->process($data, $operation, $uriVariables, $context);
    }

1 | Reply |

weaverryan SFCASTS Nuri 2 years ago

Hey @Nuri!

I think you're right - it was a (I believe) non-intentional change in API Platform 3.2. I've just added a note for this (I had a note in an earlier chapter already). And you weren't the only one tripping over this :) - https://github.com/SymfonyCasts/api-platform3/issues/43 - I appreciate the reports.

Cheers!

| Reply |

Zaz 1 year ago edited

hi i'm stuck here
i'm using api 3.3.1 and symfony 7.1

namespace App\State;

use ApiPlatform\Metadata\Operation;
use ApiPlatform\State\ProcessorInterface;
use App\Entity\Park;
use App\Entity\User;
use Symfony\Bundle\SecurityBundle\Security;
use Symfony\Component\DependencyInjection\Attribute\AsDecorator;

#[AsDecorator('api_platform.doctrine.orm.state.persist_processor')]
class ParkSetOwnerProcessor implements ProcessorInterface
{
    public function __construct(private ProcessorInterface $innerProcessor, private Security $security)
    {
    }
    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []):mixed
    {

        $user = $this->security->getUser();

        assert($user instanceof User);

        assert($data instanceof Park );

        if ($data instanceof Park  && $this->security->getUser()) {
       
            $data->setOwner($user);
        }
        return $this->innerProcessor->process($data, $operation, $uriVariables, $context);
    }
}

my test:

    public function testPostToCreatePark(): void
    {
        $user = UserFactory::createOne(['password' => 'pass']);
        $this->browser()
            ->actingAs($user)
            ->post('/api/parks',  [
                'json' => [
                    'name' => 'A shiny thing',
                    //'owner' => '/api/users/'.$user->getId(),
                ],
            ])
            ->assertStatus(201);
    }

the owner part on my Park entity:

    #[Groups(['park:read', 'park:write'])]
    #[Assert\Valid]
    #[IsValidOwner]
    #[ApiFilter(SearchFilter::class, strategy: 'exact')]
    #[ORM\ManyToOne(targetEntity: User::class, cascade: ['persist', 'remove'], inversedBy: 'parks')]
    #[ORM\JoinColumn(name: 'owner_id', referencedColumnName: 'id', nullable: false)]
    private ?User $owner = null;

    public function getOwner(): ?User
    {
        return $this->owner;
    }

    public function setOwner(User $owner): self
    {
        $this->owner = $owner;
        return $this;
    }

i'm getting an error i can't understand:

[critical] Uncaught PHP Exception Doctrine\Persistence\Mapping\MappingException: "The class 'AppEntityUserProxy' was not found in the chain configured namespaces App\Entity" at MappingException.php line 26

| Reply |

Zaz Zaz 1 year ago

i finally manage to make it works. To make it i had to add an Authorization Header (i'm using JWT). But in the tutorial i don't how the user is authenticated in the test:

you have :

`public function testPostToCreateTreasure(): void

{
    $user = UserFactory::createOne();
    $this->browser()
        ->actingAs($user)`

So where is the authentication happening ? how could the test pass if you don't authenticate ? i am missing something ?
Thanks and great tut by the way.

| Reply |

Zaz Zaz 1 year ago

Ok i think i found the "problem".
It is because i am using JWT for the connexion and actingAs apparently is using the PHP sessions as far as i understand.
I tried without actingAS and put only the authorisation header with my token and the test pass.

thanks

1 | Reply |

MolloKhan SFCASTS Zaz 1 year ago edited

Hey @Zaz

Thank you for sharing your solution. As far as I know, the actingAs() method is a quick way to log in as any user in your tests, but it does not goes through the login process, it's more like a hack

Cheers!

1 | Reply |

Cameron 2 years ago

It appears that the custom processor runs after the security annotations. So when this is set: object.getOwnerUser() on an entity's security annotation - the test just fails :-(

new Post(
            securityPostDenormalize: 'is_granted("NON_REASSIGN", object) and object.getOwnerUser() == user'
        ),

I could put security logic into the processor, but it feels like it belongs in the security annotations as: 'object.getOwnerUser() == user'.

ideally the processor would set ownerUser to: the currently logged in user (when it's not set explicitly via the post) and throw a 403 when the owner is set incorrectly. Or is this not the right approach? I'm just a little confused about how these two concepts work together in a real app.

| Reply |

MolloKhan SFCASTS Cameron 2 years ago edited

Hey @Cameron

Sorry for the late reply. Yea, sometimes the execution order can cause you trouble. Have you tried moving your security logic into a voter? Or, in this case, it may make sense to use a constraint validation on the owner property.

Cheers!

| Reply |

Cameron MolloKhan 2 years ago

I was able to get it it work by gwtting the voter to only act if there was an error, then it passes through to the processor. But it wasnt clear how to design api logic for both of these elements as theres some interplay / considerations

| Reply |

MolloKhan SFCASTS Cameron 2 years ago

Yea, it seems to me this is a flaw on ApiPlatform, and this is not the only case. In this video Ryan talks about another runtime condition that may cause you trouble. I think your approach is correct unless we're missing something. Have you tried asking in the ApiPlatform slack channel? They may know more about how to handle this edge-case

| Reply |

Rsteuber 2 years ago

When will this finally be ready?

| Reply |

weaverryan SFCASTS Rsteuber 2 years ago

Hey @Rsteuber!

I JUST recorded the audio today - it'll probably be a week or two before the video is out, but you refresh, you'll see the final "script" for this chapter (though, code blocks will come later). Also, if you download the code, what we do in this chapter is already in there. I hope that helps!

Cheers!

| Reply |

Rsteuber weaverryan 2 years ago

Hmm, it seems I can't download the source code yet. Guess i have to wait when it is released.

Cheers :)

| Reply |

MolloKhan SFCASTS Rsteuber 2 years ago edited

Hey @Rsteuber

Yea, the download button it's disabled for non-published chapters, but if you only want to download the course code, you can go to any other chapter and download it there

Cheers!

| Reply |

Rsteuber weaverryan 2 years ago

Hey Ryan, Yes thank you so very much! It really helps :)

| Reply |

API Platform 3 Symfony 6.2

What PHP libraries does this tutorial use?

// composer.json
{
    "require": {
        "php": ">=8.2",
        "ext-ctype": "*",
        "ext-iconv": "*",
        "api-platform/core": "^3.0", // v3.1.2
        "doctrine/annotations": "^2.0", // 2.0.1
        "doctrine/doctrine-bundle": "^2.8", // 2.8.3
        "doctrine/doctrine-migrations-bundle": "^3.2", // 3.2.2
        "doctrine/orm": "^2.14", // 2.14.1
        "nelmio/cors-bundle": "^2.2", // 2.2.0
        "nesbot/carbon": "^2.64", // 2.66.0
        "phpdocumentor/reflection-docblock": "^5.3", // 5.3.0
        "phpstan/phpdoc-parser": "^1.15", // 1.16.1
        "symfony/asset": "6.2.*", // v6.2.5
        "symfony/console": "6.2.*", // v6.2.5
        "symfony/dotenv": "6.2.*", // v6.2.5
        "symfony/expression-language": "6.2.*", // v6.2.5
        "symfony/flex": "^2", // v2.2.4
        "symfony/framework-bundle": "6.2.*", // v6.2.5
        "symfony/property-access": "6.2.*", // v6.2.5
        "symfony/property-info": "6.2.*", // v6.2.5
        "symfony/runtime": "6.2.*", // v6.2.5
        "symfony/security-bundle": "6.2.*", // v6.2.6
        "symfony/serializer": "6.2.*", // v6.2.5
        "symfony/twig-bundle": "6.2.*", // v6.2.5
        "symfony/ux-react": "^2.6", // v2.7.1
        "symfony/ux-vue": "^2.7", // v2.7.1
        "symfony/validator": "6.2.*", // v6.2.5
        "symfony/webpack-encore-bundle": "^1.16", // v1.16.1
        "symfony/yaml": "6.2.*" // v6.2.5
    },
    "require-dev": {
        "doctrine/doctrine-fixtures-bundle": "^3.4", // 3.4.2
        "mtdowling/jmespath.php": "^2.6", // 2.6.1
        "phpunit/phpunit": "^9.5", // 9.6.3
        "symfony/browser-kit": "6.2.*", // v6.2.5
        "symfony/css-selector": "6.2.*", // v6.2.5
        "symfony/debug-bundle": "6.2.*", // v6.2.5
        "symfony/maker-bundle": "^1.48", // v1.48.0
        "symfony/monolog-bundle": "^3.0", // v3.8.0
        "symfony/phpunit-bridge": "^6.2", // v6.2.5
        "symfony/stopwatch": "6.2.*", // v6.2.5
        "symfony/web-profiler-bundle": "6.2.*", // v6.2.5
        "zenstruck/browser": "^1.2", // v1.2.0
        "zenstruck/foundry": "^1.26" // v1.28.0
    }
}

Previous Chapter

Next Chapter

Configuración automática del "propietario

Share this awesome video!

Keep on Learning!

Eliminar la validación del propietario

Utilizar los procesadores de estado

¡Decorar varias veces está bien!

15 Comments

Delete comment?

What PHP libraries does this tutorial use?

Show Lines	// ... lines 1 - 12
	class DragonTreasureResourceTest extends ApiTestCase
	{
Show Lines	// ... lines 15 - 41
	public function testPostToCreateTreasure(): void
	{
Show Lines	// ... lines 44 - 45
	$this->browser()
Show Lines	// ... lines 47 - 51
	->post('/api/treasures', HttpOptions::json([
Show Lines	// ... lines 53 - 56
	'owner' => '/api/users/'.$user->getId(),
	]))
Show Lines	// ... lines 59 - 60
	;
	}
Show Lines	// ... lines 63 - 179
	}

Show Lines	// ... lines 1 - 88
	class DragonTreasure
	{
Show Lines	// ... lines 91 - 136
	#[Assert\NotNull]
Show Lines	// ... line 138
	private ?User $owner = null;
Show Lines	// ... lines 140 - 251
	}

Show Lines	// ... lines 1 - 2
	namespace App\State;

	use ApiPlatform\Metadata\Operation;
	use ApiPlatform\State\ProcessorInterface;

	class DragonTreasureSetOwnerProcessor implements ProcessorInterface
	{
	public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): void
	{
	// Handle the state
	}
	}

Show Lines	// ... lines 1 - 5
	use ApiPlatform\State\ProcessorInterface;
Show Lines	// ... lines 7 - 9
	class DragonTreasureSetOwnerProcessor implements ProcessorInterface
	{
	public function __construct(private ProcessorInterface $innerProcessor)
	{
	}
Show Lines	// ... lines 15 - 19
	}

Show Lines	// ... lines 1 - 9
	class DragonTreasureSetOwnerProcessor implements ProcessorInterface
	{
Show Lines	// ... lines 12 - 15
	public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): void
	{
	$this->innerProcessor->process($data, $operation, $uriVariables, $context);
	}
	}

Show Lines	// ... lines 1 - 6
	use Symfony\Component\DependencyInjection\Attribute\AsDecorator;

	#[AsDecorator('api_platform.doctrine.orm.state.persist_processor')]
	class DragonTreasureSetOwnerProcessor implements ProcessorInterface
	{
Show Lines	// ... lines 12 - 19
	}

Show Lines	// ... lines 1 - 7
	use Symfony\Bundle\SecurityBundle\Security;
Show Lines	// ... lines 9 - 11
	class DragonTreasureSetOwnerProcessor implements ProcessorInterface
	{
	public function __construct(private ProcessorInterface $innerProcessor, private Security $security)
	{
	}
Show Lines	// ... lines 17 - 25
	}

Show Lines	// ... lines 1 - 11
	class DragonTreasureSetOwnerProcessor implements ProcessorInterface
	{
Show Lines	// ... lines 14 - 17
	public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): void
	{
	if ($data instanceof DragonTreasure && $data->getOwner() === null && $this->security->getUser()) {
	$data->setOwner($this->security->getUser());
	}

	$this->innerProcessor->process($data, $operation, $uriVariables, $context);
	}
	}