Chapters

37 Chapters | 3:43:31 |

01

API Docs on Production?

8:22
02

API Tokens? Session Cookies?

8:07
03

API Login Form with json_login

5:36
04

Handling Authentication Errors

3:47
05

On Authentication Success

6:03
06

Logout & Passing API Data to JavaScript

5:45
07

Passing Values to Stimulus

4:32
08

Token Types & The ApiToken Entity

5:59
09

Generating the API Token & Fixtures

5:58
10

Access Token Authenticator

8:56
11

Customizing the OpenAPI Docs

7:31
12

API Token Scopes

5:51
13

Deny Access with The "security" Option

7:11
14

Bootstrapping a Killer Test System

8:18
15

JSON Test Assertions & Seeding the Database

3:41
16

Advanced & Flexible JSON Test Assertions

4:04
17

Testing Authentication

4:59
18

Customizing Browser Globally

3:50
19

Testing Token Authentication

3:24
20

New PUT Behavior

4:46
21

Only Allow Owners to Edit

7:49
22

Allow Admin Users to Edit any Treasure

4:11
23

Security Voter

6:13
24

Conditional Fields by User: ApiProperty

5:13
25

User Test + Plain Password

4:21
26

State Processors: Hashing the User Password

6:55
27

Validation Groups & Patch Formats

8:01
28

Dynamic Groups: Context Builder

8:26
29

Custom Normalizer

5:08
30

Normalizer Decoration & "Normalizer Aware"

6:29
31

Totally Custom Fields

3:24
32

Custom Validator

7:58
33

Validating how Values Change

8:30
34

Auto Setting the "owner"

4:19
35

Query Extension: Auto-Filter a Collection

6:15
36

404 On Unpublished Items

8:00
37

Filtering Relation Collection

5:39

> APIs > API Platform 3 Part 2: Security for your Treasures

Buy Access to Course

34.

Auto Setting the "owner"

Autoplay

Keep on Learning!

If you liked what you've learned so far, dive in! Subscribe to get
access to this tutorial plus video, code and script downloads.

Start your All-Access Pass

Buy just this tutorial for $12.00

Previous Chapter

Next Chapter

With a Subscription, click any sentence in the script to jump to that part of the video!

Every DragonTreasure must have an owner... and to set that, when you POST to create a treasure, we require that field. I think we should make that optional. So, in the test, stop sending the owner field:

            Copy Code

                            Show All Lines

                        181 lines
            |
            tests/Functional/DragonTreasureResourceTest.php
        
                Show Lines

                                                    // ... lines 1 - 12
                            
            class DragonTreasureResourceTest extends ApiTestCase
        
            {
        
                Show Lines

                                                    // ... lines 15 - 41
                            
                public function testPostToCreateTreasure(): void
        
                {
        
                Show Lines

                                                    // ... lines 44 - 45
                            
                    $this->browser()
        
                Show Lines

                                                    // ... lines 47 - 51
                            
                        ->post('/api/treasures', HttpOptions::json([
        
                Show Lines

                                                    // ... lines 53 - 56
                            
                            'owner' => '/api/users/'.$user->getId(),
        
                        ]))
        
                Show Lines

                                                    // ... lines 59 - 60
                            
                    ;
        
                }
        
                Show Lines

                                                    // ... lines 63 - 179
                            
            }

When this happens, let's automatically set it to the currently-authenticated user.

Make sure the test fails. Copy the method name... and run it:

symfony php bin/phpunit --filter=testPostToCreateTreasure

Nailed it. Got a 422, 201 expected. That 422 is a validation error from the owner property: this value should not be null.

Removing the Owner Validation

If we're going to make it optional, we need to remove that Assert\NotNull:

            Copy Code

                            Show All Lines

                        253 lines
            |
            src/Entity/DragonTreasure.php
        
                Show Lines

                                                    // ... lines 1 - 88
                            
            class DragonTreasure
        
            {
        
                Show Lines

                                                    // ... lines 91 - 136
                            
                #[Assert\NotNull]
        
                Show Lines

                                                    // ... line 138
                            
                private ?User $owner = null;
        
                Show Lines

                                                    // ... lines 140 - 251
                            
            }

And now when we try the test:

symfony php bin/phpunit --filter=testPostToCreateTreasure

Well hello there gorgeous 500 error! Probably it's because the null owner_id is going kaboom when it hits the database. Yup!

Using the State Processors

So: how can we automatically set this field when it's not sent? In the previous API Platform 2 tutorial, I did this with an entity listener, which is a fine solution. But in API Platform 3, just like when we hashed the user password, there's now a really nice system for this: the state processor system.

As a reminder, our POST and PATCH endpoints for DragonTreasure already have a state processor that comes from Doctrine: it's responsible for saving the object to the database. Our goal will feel familiar at this point: to decorate that state process so we can run extra code before saving.

Like before, start by running:

php bin/console make:state-processor

Call it DragonTreasureSetOwnerProcessor:

            Copy Code

                            Show All Lines

                        15 lines
            |
            src/State/DragonTreasureSetOwnerProcessor.php
        
                Show Lines

                                                    // ... lines 1 - 2
                            
            namespace App\State;
        
            use ApiPlatform\Metadata\Operation;
        
            use ApiPlatform\State\ProcessorInterface;
        
            class DragonTreasureSetOwnerProcessor implements ProcessorInterface
        
            {
        
                public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): void
        
                {
        
                    // Handle the state
        
                }
        
            }

Over in src/State/, open that up. Ok, let's decorate! Add the construct method with private ProcessorInterface $innerProcessor:

            Copy Code

                            Show All Lines

                        21 lines
            |
            src/State/DragonTreasureSetOwnerProcessor.php
        
                Show Lines

                                                    // ... lines 1 - 5
                            
            use ApiPlatform\State\ProcessorInterface;
        
                Show Lines

                                                    // ... lines 7 - 9
                            
            class DragonTreasureSetOwnerProcessor implements ProcessorInterface
        
            {
        
                public function __construct(private ProcessorInterface $innerProcessor)
        
                {
        
                }
        
                Show Lines

                                                    // ... lines 15 - 19
                            
            }

Tip

In API Platform 3.2 and higher, you should return $this->innerProcessor->process(). This is also a safe thing to do in 3.0 & 3.1.

Then down in process(), call that! This method doesn't return anything - it has a void return - so we just need $this->innerProcessor - don't forget that part like I am - ->process() passing $data, $operation, $uriVariables and $context:

            Copy Code

                            Show All Lines

                        21 lines
            |
            src/State/DragonTreasureSetOwnerProcessor.php
        
                Show Lines

                                                    // ... lines 1 - 9
                            
            class DragonTreasureSetOwnerProcessor implements ProcessorInterface
        
            {
        
                Show Lines

                                                    // ... lines 12 - 15
                            
                public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): void
        
                {
        
                    $this->innerProcessor->process($data, $operation, $uriVariables, $context);
        
                }
        
            }

Now, to make Symfony use our state processor instead of the normal one from Doctrine, add #[AsDecorator]... and the id of the service is api_platform.doctrine.orm.state.persist_processor:

            Copy Code

                            Show All Lines

                        21 lines
            |
            src/State/DragonTreasureSetOwnerProcessor.php
        
                Show Lines

                                                    // ... lines 1 - 6
                            
            use Symfony\Component\DependencyInjection\Attribute\AsDecorator;
        
            #[AsDecorator('api_platform.doctrine.orm.state.persist_processor')]
        
            class DragonTreasureSetOwnerProcessor implements ProcessorInterface
        
            {
        
                Show Lines

                                                    // ... lines 12 - 19
                            
            }

Cool! Now, everything that uses that service in the system will be passed our service instead... and then the original will be passed into us.

Decorating Multiple Times is Ok!

Oh, and there's something cool going on. Look at UserHashPasswordStateProcessor. We're decorating the same thing there! Yea, we're decorating that service twice, which is totally allowed! Internally, this will create a, sort of, chain of decorated services.

Ok, let's get to work setting the owner. Autowire our favorite Security service so we can figure out who is logged in:

            Copy Code

                            Show All Lines

                        27 lines
            |
            src/State/DragonTreasureSetOwnerProcessor.php
        
                Show Lines

                                                    // ... lines 1 - 7
                            
            use Symfony\Bundle\SecurityBundle\Security;
        
                Show Lines

                                                    // ... lines 9 - 11
                            
            class DragonTreasureSetOwnerProcessor implements ProcessorInterface
        
            {
        
                public function __construct(private ProcessorInterface $innerProcessor, private Security $security)
        
                {
        
                }
        
                Show Lines

                                                    // ... lines 17 - 25
                            
            }

Then, before we do the saving, if $data is an instanceof DragonTreasure and $data->getOwner() is null and $this->security->getUser() - making sure the user is logged in - then $data->setOwner($this->security->getUser()):

            Copy Code

                            Show All Lines

                        27 lines
            |
            src/State/DragonTreasureSetOwnerProcessor.php
        
                Show Lines

                                                    // ... lines 1 - 11
                            
            class DragonTreasureSetOwnerProcessor implements ProcessorInterface
        
            {
        
                Show Lines

                                                    // ... lines 14 - 17
                            
                public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): void
        
                {
        
                    if ($data instanceof DragonTreasure && $data->getOwner() === null && $this->security->getUser()) {
        
                        $data->setOwner($this->security->getUser());
        
                    }
        
                    $this->innerProcessor->process($data, $operation, $uriVariables, $context);
        
                }
        
            }

That should do it! Run that test:

symfony php bin/phpunit --filter=testPostToCreateTreasure

Yikes! Allowed memory size exhausted. I smell recursion! Because... I'm calling process() on myself: I need $this->innerProcessor->process():

            Copy Code

                            Show All Lines

                        27 lines
            |
            src/State/DragonTreasureSetOwnerProcessor.php
        
                Show Lines

                                                    // ... lines 1 - 11
                            
            class DragonTreasureSetOwnerProcessor implements ProcessorInterface
        
            {
        
                Show Lines

                                                    // ... lines 14 - 17
                            
                public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): void
        
                {
        
                Show Lines

                                                    // ... lines 20 - 23
                            
                    $this->innerProcessor->process($data, $operation, $uriVariables, $context);
        
                }
        
            }

Now:

symfony php bin/phpunit --filter=testPostToCreateTreasure

A passing test is so much cooler than recursion. And the owner field is now optional!

Next: we currently return all treasures from our GET collection endpoint, including unpublished treasures. Let's fix that by modifying the query behind that endpoint to hide them.

15 Comments

Sort By

Nuri 2 years ago

process method should return the result, otherwise you get NULL response in the response body

    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = [])
    {
        if ($data instanceof DragonTreasure && $data->getOwner() === null && $this->security->getUser()) {
            $data->setOwner($this->security->getUser());
        }
        return $this->innerProcessor->process($data, $operation, $uriVariables, $context);
    }

1 | Reply |

weaverryan SFCASTS Nuri 2 years ago

Hey @Nuri!

I think you're right - it was a (I believe) non-intentional change in API Platform 3.2. I've just added a note for this (I had a note in an earlier chapter already). And you weren't the only one tripping over this :) - https://github.com/SymfonyCasts/api-platform3/issues/43 - I appreciate the reports.

Cheers!

| Reply |

Zaz 1 year ago edited

hi i'm stuck here
i'm using api 3.3.1 and symfony 7.1

namespace App\State;

use ApiPlatform\Metadata\Operation;
use ApiPlatform\State\ProcessorInterface;
use App\Entity\Park;
use App\Entity\User;
use Symfony\Bundle\SecurityBundle\Security;
use Symfony\Component\DependencyInjection\Attribute\AsDecorator;

#[AsDecorator('api_platform.doctrine.orm.state.persist_processor')]
class ParkSetOwnerProcessor implements ProcessorInterface
{
    public function __construct(private ProcessorInterface $innerProcessor, private Security $security)
    {
    }
    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []):mixed
    {

        $user = $this->security->getUser();

        assert($user instanceof User);

        assert($data instanceof Park );

        if ($data instanceof Park  && $this->security->getUser()) {
       
            $data->setOwner($user);
        }
        return $this->innerProcessor->process($data, $operation, $uriVariables, $context);
    }
}

my test:

    public function testPostToCreatePark(): void
    {
        $user = UserFactory::createOne(['password' => 'pass']);
        $this->browser()
            ->actingAs($user)
            ->post('/api/parks',  [
                'json' => [
                    'name' => 'A shiny thing',
                    //'owner' => '/api/users/'.$user->getId(),
                ],
            ])
            ->assertStatus(201);
    }

the owner part on my Park entity:

    #[Groups(['park:read', 'park:write'])]
    #[Assert\Valid]
    #[IsValidOwner]
    #[ApiFilter(SearchFilter::class, strategy: 'exact')]
    #[ORM\ManyToOne(targetEntity: User::class, cascade: ['persist', 'remove'], inversedBy: 'parks')]
    #[ORM\JoinColumn(name: 'owner_id', referencedColumnName: 'id', nullable: false)]
    private ?User $owner = null;

    public function getOwner(): ?User
    {
        return $this->owner;
    }

    public function setOwner(User $owner): self
    {
        $this->owner = $owner;
        return $this;
    }

i'm getting an error i can't understand:

[critical] Uncaught PHP Exception Doctrine\Persistence\Mapping\MappingException: "The class 'AppEntityUserProxy' was not found in the chain configured namespaces App\Entity" at MappingException.php line 26

| Reply |

Zaz Zaz 1 year ago

i finally manage to make it works. To make it i had to add an Authorization Header (i'm using JWT). But in the tutorial i don't how the user is authenticated in the test:

you have :

`public function testPostToCreateTreasure(): void

{
    $user = UserFactory::createOne();
    $this->browser()
        ->actingAs($user)`

So where is the authentication happening ? how could the test pass if you don't authenticate ? i am missing something ?
Thanks and great tut by the way.

| Reply |

Zaz Zaz 1 year ago

Ok i think i found the "problem".
It is because i am using JWT for the connexion and actingAs apparently is using the PHP sessions as far as i understand.
I tried without actingAS and put only the authorisation header with my token and the test pass.

thanks

1 | Reply |

MolloKhan SFCASTS Zaz 1 year ago edited

Hey @Zaz

Thank you for sharing your solution. As far as I know, the actingAs() method is a quick way to log in as any user in your tests, but it does not goes through the login process, it's more like a hack

Cheers!

1 | Reply |

Cameron 2 years ago

It appears that the custom processor runs after the security annotations. So when this is set: object.getOwnerUser() on an entity's security annotation - the test just fails :-(

new Post(
            securityPostDenormalize: 'is_granted("NON_REASSIGN", object) and object.getOwnerUser() == user'
        ),

I could put security logic into the processor, but it feels like it belongs in the security annotations as: 'object.getOwnerUser() == user'.

ideally the processor would set ownerUser to: the currently logged in user (when it's not set explicitly via the post) and throw a 403 when the owner is set incorrectly. Or is this not the right approach? I'm just a little confused about how these two concepts work together in a real app.

| Reply |

MolloKhan SFCASTS Cameron 2 years ago edited

Hey @Cameron

Sorry for the late reply. Yea, sometimes the execution order can cause you trouble. Have you tried moving your security logic into a voter? Or, in this case, it may make sense to use a constraint validation on the owner property.

Cheers!

| Reply |

Cameron MolloKhan 2 years ago

I was able to get it it work by gwtting the voter to only act if there was an error, then it passes through to the processor. But it wasnt clear how to design api logic for both of these elements as theres some interplay / considerations

| Reply |

MolloKhan SFCASTS Cameron 2 years ago

Yea, it seems to me this is a flaw on ApiPlatform, and this is not the only case. In this video Ryan talks about another runtime condition that may cause you trouble. I think your approach is correct unless we're missing something. Have you tried asking in the ApiPlatform slack channel? They may know more about how to handle this edge-case

| Reply |

Rsteuber 2 years ago

When will this finally be ready?

| Reply |

weaverryan SFCASTS Rsteuber 2 years ago

Hey @Rsteuber!

I JUST recorded the audio today - it'll probably be a week or two before the video is out, but you refresh, you'll see the final "script" for this chapter (though, code blocks will come later). Also, if you download the code, what we do in this chapter is already in there. I hope that helps!

Cheers!

| Reply |

Rsteuber weaverryan 2 years ago

Hmm, it seems I can't download the source code yet. Guess i have to wait when it is released.

Cheers :)

| Reply |

MolloKhan SFCASTS Rsteuber 2 years ago edited

Hey @Rsteuber

Yea, the download button it's disabled for non-published chapters, but if you only want to download the course code, you can go to any other chapter and download it there

Cheers!

| Reply |

Rsteuber weaverryan 2 years ago

Hey Ryan, Yes thank you so very much! It really helps :)

| Reply |

API Platform 3 Symfony 6.2

What PHP libraries does this tutorial use?

// composer.json
{
    "require": {
        "php": ">=8.2",
        "ext-ctype": "*",
        "ext-iconv": "*",
        "api-platform/core": "^3.0", // v3.1.2
        "doctrine/annotations": "^2.0", // 2.0.1
        "doctrine/doctrine-bundle": "^2.8", // 2.8.3
        "doctrine/doctrine-migrations-bundle": "^3.2", // 3.2.2
        "doctrine/orm": "^2.14", // 2.14.1
        "nelmio/cors-bundle": "^2.2", // 2.2.0
        "nesbot/carbon": "^2.64", // 2.66.0
        "phpdocumentor/reflection-docblock": "^5.3", // 5.3.0
        "phpstan/phpdoc-parser": "^1.15", // 1.16.1
        "symfony/asset": "6.2.*", // v6.2.5
        "symfony/console": "6.2.*", // v6.2.5
        "symfony/dotenv": "6.2.*", // v6.2.5
        "symfony/expression-language": "6.2.*", // v6.2.5
        "symfony/flex": "^2", // v2.2.4
        "symfony/framework-bundle": "6.2.*", // v6.2.5
        "symfony/property-access": "6.2.*", // v6.2.5
        "symfony/property-info": "6.2.*", // v6.2.5
        "symfony/runtime": "6.2.*", // v6.2.5
        "symfony/security-bundle": "6.2.*", // v6.2.6
        "symfony/serializer": "6.2.*", // v6.2.5
        "symfony/twig-bundle": "6.2.*", // v6.2.5
        "symfony/ux-react": "^2.6", // v2.7.1
        "symfony/ux-vue": "^2.7", // v2.7.1
        "symfony/validator": "6.2.*", // v6.2.5
        "symfony/webpack-encore-bundle": "^1.16", // v1.16.1
        "symfony/yaml": "6.2.*" // v6.2.5
    },
    "require-dev": {
        "doctrine/doctrine-fixtures-bundle": "^3.4", // 3.4.2
        "mtdowling/jmespath.php": "^2.6", // 2.6.1
        "phpunit/phpunit": "^9.5", // 9.6.3
        "symfony/browser-kit": "6.2.*", // v6.2.5
        "symfony/css-selector": "6.2.*", // v6.2.5
        "symfony/debug-bundle": "6.2.*", // v6.2.5
        "symfony/maker-bundle": "^1.48", // v1.48.0
        "symfony/monolog-bundle": "^3.0", // v3.8.0
        "symfony/phpunit-bridge": "^6.2", // v6.2.5
        "symfony/stopwatch": "6.2.*", // v6.2.5
        "symfony/web-profiler-bundle": "6.2.*", // v6.2.5
        "zenstruck/browser": "^1.2", // v1.2.0
        "zenstruck/foundry": "^1.26" // v1.28.0
    }
}

Previous Chapter

Next Chapter

Auto Setting the "owner"

Share this awesome video!

Keep on Learning!

Removing the Owner Validation

Using the State Processors

Decorating Multiple Times is Ok!

15 Comments

Delete comment?

What PHP libraries does this tutorial use?

Show Lines	// ... lines 1 - 12
	class DragonTreasureResourceTest extends ApiTestCase
	{
Show Lines	// ... lines 15 - 41
	public function testPostToCreateTreasure(): void
	{
Show Lines	// ... lines 44 - 45
	$this->browser()
Show Lines	// ... lines 47 - 51
	->post('/api/treasures', HttpOptions::json([
Show Lines	// ... lines 53 - 56
	'owner' => '/api/users/'.$user->getId(),
	]))
Show Lines	// ... lines 59 - 60
	;
	}
Show Lines	// ... lines 63 - 179
	}

Show Lines	// ... lines 1 - 88
	class DragonTreasure
	{
Show Lines	// ... lines 91 - 136
	#[Assert\NotNull]
Show Lines	// ... line 138
	private ?User $owner = null;
Show Lines	// ... lines 140 - 251
	}

Show Lines	// ... lines 1 - 2
	namespace App\State;

	use ApiPlatform\Metadata\Operation;
	use ApiPlatform\State\ProcessorInterface;

	class DragonTreasureSetOwnerProcessor implements ProcessorInterface
	{
	public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): void
	{
	// Handle the state
	}
	}

Show Lines	// ... lines 1 - 5
	use ApiPlatform\State\ProcessorInterface;
Show Lines	// ... lines 7 - 9
	class DragonTreasureSetOwnerProcessor implements ProcessorInterface
	{
	public function __construct(private ProcessorInterface $innerProcessor)
	{
	}
Show Lines	// ... lines 15 - 19
	}

Show Lines	// ... lines 1 - 9
	class DragonTreasureSetOwnerProcessor implements ProcessorInterface
	{
Show Lines	// ... lines 12 - 15
	public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): void
	{
	$this->innerProcessor->process($data, $operation, $uriVariables, $context);
	}
	}

Show Lines	// ... lines 1 - 6
	use Symfony\Component\DependencyInjection\Attribute\AsDecorator;

	#[AsDecorator('api_platform.doctrine.orm.state.persist_processor')]
	class DragonTreasureSetOwnerProcessor implements ProcessorInterface
	{
Show Lines	// ... lines 12 - 19
	}

Show Lines	// ... lines 1 - 7
	use Symfony\Bundle\SecurityBundle\Security;
Show Lines	// ... lines 9 - 11
	class DragonTreasureSetOwnerProcessor implements ProcessorInterface
	{
	public function __construct(private ProcessorInterface $innerProcessor, private Security $security)
	{
	}
Show Lines	// ... lines 17 - 25
	}

Show Lines	// ... lines 1 - 11
	class DragonTreasureSetOwnerProcessor implements ProcessorInterface
	{
Show Lines	// ... lines 14 - 17
	public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): void
	{
	if ($data instanceof DragonTreasure && $data->getOwner() === null && $this->security->getUser()) {
	$data->setOwner($this->security->getUser());
	}

	$this->innerProcessor->process($data, $operation, $uriVariables, $context);
	}
	}