Chapters

37 Chapters | 3:43:31 |

01

API Docs on Production?

8:22
02

API Tokens? Session Cookies?

8:07
03

API Login Form with json_login

5:36
04

Handling Authentication Errors

3:47
05

On Authentication Success

6:03
06

Logout & Passing API Data to JavaScript

5:45
07

Passing Values to Stimulus

4:32
08

Token Types & The ApiToken Entity

5:59
09

Generating the API Token & Fixtures

5:58
10

Access Token Authenticator

8:56
11

Customizing the OpenAPI Docs

7:31
12

API Token Scopes

5:51
13

Deny Access with The "security" Option

7:11
14

Bootstrapping a Killer Test System

8:18
15

JSON Test Assertions & Seeding the Database

3:41
16

Advanced & Flexible JSON Test Assertions

4:04
17

Testing Authentication

4:59
18

Customizing Browser Globally

3:50
19

Testing Token Authentication

3:24
20

New PUT Behavior

4:46
21

Only Allow Owners to Edit

7:49
22

Allow Admin Users to Edit any Treasure

4:11
23

Security Voter

6:13
24

Conditional Fields by User: ApiProperty

5:13
25

User Test + Plain Password

4:21
26

State Processors: Hashing the User Password

6:55
27

Validation Groups & Patch Formats

8:01
28

Dynamic Groups: Context Builder

8:26
29

Custom Normalizer

5:08
30

Normalizer Decoration & "Normalizer Aware"

6:29
31

Totally Custom Fields

3:24
32

Custom Validator

7:58
33

Validating how Values Change

8:30
34

Auto Setting the "owner"

4:19
35

Query Extension: Auto-Filter a Collection

6:15
36

404 On Unpublished Items

8:00
37

Filtering Relation Collection

5:39

> APIs > API Platform 3 Part 2: Security for your Treasures

Buy Access to Course

18.

Customizing Browser Globally

Autoplay

Keep on Learning!

If you liked what you've learned so far, dive in! Subscribe to get
access to this tutorial plus video, code and script downloads.

Start your All-Access Pass

Buy just this tutorial for $12.00

Previous Chapter

Next Chapter

With a Subscription, click any sentence in the script to jump to that part of the video!

Our test works... but the API is sending us back JSON, not JSON-LD. Why?

When we made the GET request earlier, we did not include an Accept header to indicate which format we wanted back. But... JSON-LD is our API's default format, so it sent that back.

However, when we make a ->post() request with the json key, that adds a Content-Type header set to application/json - which is fine - but it also adds an Accept header set to application/json. Yup, we're telling the server that we want plain JSON back, not JSON-LD.

I want to use JSON-LD everywhere. How can we do that? The second argument to ->post() can be an array or an object called HttpOptions. Say HttpOptions::json()... and then pass the array directly. Let me... get my syntax right:

            Copy Code

                            Show All Lines

                        66 lines
            |
            tests/Functional/DragonTreasureResourceTest.php
        
                Show Lines

                                                    // ... lines 1 - 7
                            
            use Zenstruck\Browser\HttpOptions;
        
                Show Lines

                                                    // ... lines 9 - 12
                            
            class DragonTreasureResourceTest extends KernelTestCase
        
            {
        
                Show Lines

                                                    // ... lines 15 - 42
                            
                public function testPostToCreateTreasure(): void
        
                {
        
                Show Lines

                                                    // ... lines 45 - 52
                            
                        ->post('/api/treasures', HttpOptions::json([
        
                            'name' => 'A shiny thing',
        
                            'description' => 'It sparkles when I wave it in the air.',
        
                            'value' => 1000,
        
                            'coolFactor' => 5,
        
                            'owner' => '/api/users/'.$user->getId(),
        
                        ]))
        
                Show Lines

                                                    // ... lines 60 - 62
                            
                    ;
        
                }
        
            }

So far, this is equivalent to what we had before. But now we can change some options by saying ->withHeader() passing Accept and application/ld+json:

            Copy Code

                            Show All Lines

                        66 lines
            |
            tests/Functional/DragonTreasureResourceTest.php
        
                Show Lines

                                                    // ... lines 1 - 12
                            
            class DragonTreasureResourceTest extends KernelTestCase
        
            {
        
                Show Lines

                                                    // ... lines 15 - 42
                            
                public function testPostToCreateTreasure(): void
        
                {
        
                Show Lines

                                                    // ... lines 45 - 52
                            
                        ->post('/api/treasures', HttpOptions::json([
        
                            'name' => 'A shiny thing',
        
                            'description' => 'It sparkles when I wave it in the air.',
        
                            'value' => 1000,
        
                            'coolFactor' => 5,
        
                            'owner' => '/api/users/'.$user->getId(),
        
                        ])->withHeader('Accept', 'application/ld+json'))
        
                Show Lines

                                                    // ... lines 60 - 62
                            
                    ;
        
                }
        
            }

We could have also done this with the array of options: it has a key called headers. But the object is kind of nice.

Let's make sure this fixes things. Run the test:

symfony php bin/phpunit --filter=testPostToCreateTreasure

Globally Sending the Header

And... we're back to JSON-LD! It's got the right fields and the application/ld+json response Content-Type header.

So.... that's cool... but doing this every time we make a request to our API in the tests is... mega lame. We need this to happen automatically.

A nice way to do that is to leverage a base test class. Inside of tests/, actually inside of tests/Functional/, create a new PHP class called ApiTestCase. I'm going to make this abstract and extend KernelTestCase:

            Copy Code

                            Show All Lines

                        27 lines
            |
            tests/Functional/ApiTestCase.php
        
                Show Lines

                                                    // ... lines 1 - 2
                            
            namespace App\Tests\Functional;
        
            use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
        
                Show Lines

                                                    // ... lines 6 - 9
                            
            abstract class ApiTestCase extends KernelTestCase
        
            {
        
                Show Lines

                                                    // ... lines 12 - 25
                            
            }

Inside, add the HasBrowser trait. But we're going to do something sneaky: we're going to import the browser() method but call it baseKernelBrowser:

            Copy Code

                            Show All Lines

                        27 lines
            |
            tests/Functional/ApiTestCase.php
        
                Show Lines

                                                    // ... lines 1 - 7
                            
            use Zenstruck\Browser\Test\HasBrowser;
        
            abstract class ApiTestCase extends KernelTestCase
        
            {
        
                use HasBrowser {
        
                    browser as baseKernelBrowser;
        
                }
        
                Show Lines

                                                    // ... lines 15 - 25
                            
            }

Why the heck are we doing that? Re-implement the browser() method... then call $this->baseKernelBrowser() passing it $options and $server. But now call another method: ->setDefaultHttpOptions(). Pass this HttpOptions::create() then ->withHeader(), Accept, application/ld+json:

            Copy Code

                            Show All Lines

                        27 lines
            |
            tests/Functional/ApiTestCase.php
        
                Show Lines

                                                    // ... lines 1 - 5
                            
            use Zenstruck\Browser\HttpOptions;
        
                Show Lines

                                                    // ... lines 7 - 9
                            
            abstract class ApiTestCase extends KernelTestCase
        
            {
        
                Show Lines

                                                    // ... lines 12 - 15
                            
                protected function browser(array $options = [], array $server = [])
        
                {
        
                    return $this->baseKernelBrowser($options, $server)
        
                        ->setDefaultHttpOptions(
        
                            HttpOptions::create()
        
                                ->withHeader('Accept', 'application/ld+json')
        
                        )
        
                    ;
        
                }
        
            }

Done! Back in our real test class, extend ApiTestCase: get the one that's from our app:

            Copy Code

                            Show All Lines

                        65 lines
            |
            tests/Functional/DragonTreasureResourceTest.php
        
                Show Lines

                                                    // ... lines 1 - 11
                            
            class DragonTreasureResourceTest extends ApiTestCase
        
            {
        
                Show Lines

                                                    // ... lines 14 - 63
                            
            }

That's it! When we say $this->browser(), it now calls our browser() method, which changes that default option. Celebrate by removing withHeader()... and you could revert back to the array of options with a json key if you want.

Let's try it.

symfony php bin/phpunit --filter=testPostToCreateTreasure

And... uh oh. That's a strange error:

Cannot override final method _resetBrowserClients()

This... is because we're importing the trait from the parent class and our class... which makes the trait go bananas. Remove the one inside our test class:

            Copy Code

                            Show All Lines

                        65 lines
            |
            tests/Functional/DragonTreasureResourceTest.php
        
                Show Lines

                                                    // ... lines 1 - 8
                            
            use Zenstruck\Browser\Test\HasBrowser;
        
                Show Lines

                                                    // ... lines 10 - 11
                            
            class DragonTreasureResourceTest extends ApiTestCase
        
            {
        
                use HasBrowser;
        
                Show Lines

                                                    // ... lines 15 - 63
                            
            }

we don't need it anymore. I'll also do a little cleanup on my use statements.

And now:

symfony php bin/phpunit --filter=testPostToCreateTreasure

Got it! We get back JSON-LD with zero extra work. Remove that dump():

            Copy Code

                            Show All Lines

                        65 lines
            |
            tests/Functional/DragonTreasureResourceTest.php
        
                Show Lines

                                                    // ... lines 1 - 11
                            
            class DragonTreasureResourceTest extends ApiTestCase
        
            {
        
                Show Lines

                                                    // ... lines 14 - 41
                            
                public function testPostToCreateTreasure(): void
        
                {
        
                Show Lines

                                                    // ... lines 44 - 45
                            
                    $this->browser()
        
                Show Lines

                                                    // ... lines 47 - 59
                            
                        ->dump()
        
                Show Lines

                                                    // ... line 61
                            
                    ;
        
                }
        
            }

Next: let's write another test that uses our API token authentication.

13 Comments

Sort By

Jared 1 year ago edited

I created an abstract ApiTestCase class, but while running the tests, I got the following error:

/www # symfony php bin/phpunit 
PHP Fatal error:  Uncaught Error: Class "Functional\ApiTestCase" not found in /www/tests/Functional/DragonTreasureResourceTest.php:10

| Reply |

Jared Jared 1 year ago

I fixed that. You should use the proper namespace in your test classes: namespace App\Tests\Functional;

| Reply |

MolloKhan SFCASTS Jared 1 year ago

Yep, otherwise the files can't be found. Cheers!

| Reply |

Thomas-G 1 year ago

Hello and first of all thank you for the great course.

I currently have a question:
I wrote a unit test that checks the user login for a disabled user. In my CustomAuthenticator (i login against ldap and database) an AuthenticationException is thrown in the 'authenticate' method. This is converted into a 'JsonResponse' in 'onAuthenticationFailure' with the error message and http status code 401.
Although the Accept header in the test method is set to 'application/ld+json', the result is only 'application/json'.

How can I get Hydra when I return a JsonResponse with http status 4xx myself?
For successful API queries I correctly get 'application/ld+json'.

I would be very happy about your help.

Many greetings from Germany,
Thomas

| Reply |

sadikoff Thomas-G 1 year ago edited

Hey @Thomas-G

You can use examples from this page https://symfony.com/doc/current/controller/error_pages.html to achieve what you want. The best section for you I think will be error listener, at this point you will be able to modify headers.

Cheers!

1 | Reply |

Thomas-G sadikoff 1 year ago

Hello and thank you for your answer.
Is this really the right way to solve this problem?
What exactly would I have to do in this error listener to get a Hydra error message? Do you perhaps have an example?

Best regards,
Thomas

| Reply |

sadikoff Thomas-G 1 year ago

hm. I'm sorry I probably wasn't attentive...

Looking deeper into the issue, I did some tests on API Platform demo, and it looked like it should work fine. Have you tried to make the request in a different way? For example, directly from Postman or curl?

Cheers.

1 | Reply |

Thomas-G sadikoff 1 year ago

No, I didn't make any requests with Postman or curl. Don't think this will change anything, but I'll try it out next Monday when I get back to the office.

Have a nice weekend and thank you again for your efforts.

Greetings,
Thomas

| Reply |

Thomas-G Thomas-G 1 year ago

Hello again,

I have now tested requests with Postman. As expected, no Ld+Json is provided here either.

Have you implemented a custom authenticator as a test, which returns a JsonResponse with an error message and a status code 401 in the "onAuthenticationFailure" method? Then you will notice that only “normal” JSON is delivered to the client.

I probably have a mistake in my thinking and need to do something to make it work the way I want it to.

Best regards,
Thomas

| Reply |

Julien-H 1 year ago

Hi,

I have this warning for each test where i loggin the user with factory :

$this->adminUser = UserFactory::createOne([
			'roles' => ['ROLE_ADMIN'],
			'password' => 'pass',
		])->object();

Unfortunately, I can't find the solution if anyone has any ideas...

Remaining indirect deprecation notices (25)

  5x: While adding an entity of class App\Entity\User with an ID hash of "1" to the identity map,
another object of class App\Entity\User was already present for the same ID. This will trigger
an exception in ORM 3.0.

IDs should uniquely map to entity object instances. This problem may occur if:

- you use application-provided IDs and reuse ID values;
- database-provided IDs are reassigned after truncating the database without
clearing the EntityManager;
- you might have been using EntityManager#getReference() to create a reference
for a nonexistent ID that was subsequently (by the RDBMS) assigned to another
entity.

Otherwise, it might be an ORM-internal inconsistency, please report it.

| Reply |

Victor SFCASTS Julien-H 1 year ago

Hey Julien,

Seems that is indirect deprecation which means it should be fixed itself in the future after you upgrade your dependencies to a newer version. In your case, it seems it will be gone after you upgrade to ORM 3.0, so you can just ignore it (though it may also require more dependencies to be upgraded as well like e.g. Doctrine bundle that may depend on ORM), so far no work on your side is needed :)

Cheers!

| Reply |

Stefan-G Victor 2 months ago

I have encountered the same issue, but instead of just a warning I got an exception and my entire testsuite failed executing.

I've looked around for a while, since the error seems rather cryptic, until I finally checked the documentation at https://symfony.com/bundles/ZenstruckFoundryBundle/current/index.html#database-reset again and realized, that I didn't add the use Factories; line at the top of my test case. Since the previous examples (running with --filter=....) ran fine, I didn't think it was necessary.

So if you're using a newer version of Symfony/Doctrine/Foundry, you should add use Factories; to your test case or else the EntityManager will not be cleared between execution of your test cases and you might get an error like that.

| Reply |

kbond SFCASTS Stefan-G 2 months ago edited

Hey @Stefan-G,

Thanks for pointing that out! We did notice this a while back and added a note about it to a previous chapter.

since the error seems rather cryptic

Darn, we've been trying to make this error more helpful but it's a bit hacky and we can't seem to catch every scenario.

Regardless, I'm glad you solved the issue!
Kevin

| Reply |

API Platform 3 Symfony 6.2

What PHP libraries does this tutorial use?

// composer.json
{
    "require": {
        "php": ">=8.1",
        "ext-ctype": "*",
        "ext-iconv": "*",
        "api-platform/core": "^3.0", // v3.1.2
        "doctrine/annotations": "^2.0", // 2.0.1
        "doctrine/doctrine-bundle": "^2.8", // 2.8.3
        "doctrine/doctrine-migrations-bundle": "^3.2", // 3.2.2
        "doctrine/orm": "^2.14", // 2.14.1
        "nelmio/cors-bundle": "^2.2", // 2.2.0
        "nesbot/carbon": "^2.64", // 2.66.0
        "phpdocumentor/reflection-docblock": "^5.3", // 5.3.0
        "phpstan/phpdoc-parser": "^1.15", // 1.16.1
        "symfony/asset": "6.2.*", // v6.2.5
        "symfony/console": "6.2.*", // v6.2.5
        "symfony/dotenv": "6.2.*", // v6.2.5
        "symfony/expression-language": "6.2.*", // v6.2.5
        "symfony/flex": "^2", // v2.2.4
        "symfony/framework-bundle": "6.2.*", // v6.2.5
        "symfony/property-access": "6.2.*", // v6.2.5
        "symfony/property-info": "6.2.*", // v6.2.5
        "symfony/runtime": "6.2.*", // v6.2.5
        "symfony/security-bundle": "6.2.*", // v6.2.6
        "symfony/serializer": "6.2.*", // v6.2.5
        "symfony/twig-bundle": "6.2.*", // v6.2.5
        "symfony/ux-react": "^2.6", // v2.7.1
        "symfony/ux-vue": "^2.7", // v2.7.1
        "symfony/validator": "6.2.*", // v6.2.5
        "symfony/webpack-encore-bundle": "^1.16", // v1.16.1
        "symfony/yaml": "6.2.*" // v6.2.5
    },
    "require-dev": {
        "doctrine/doctrine-fixtures-bundle": "^3.4", // 3.4.2
        "mtdowling/jmespath.php": "^2.6", // 2.6.1
        "phpunit/phpunit": "^9.5", // 9.6.3
        "symfony/browser-kit": "6.2.*", // v6.2.5
        "symfony/css-selector": "6.2.*", // v6.2.5
        "symfony/debug-bundle": "6.2.*", // v6.2.5
        "symfony/maker-bundle": "^1.48", // v1.48.0
        "symfony/monolog-bundle": "^3.0", // v3.8.0
        "symfony/phpunit-bridge": "^6.2", // v6.2.5
        "symfony/stopwatch": "6.2.*", // v6.2.5
        "symfony/web-profiler-bundle": "6.2.*", // v6.2.5
        "zenstruck/browser": "^1.2", // v1.2.0
        "zenstruck/foundry": "^1.26" // v1.28.0
    }
}

Previous Chapter

Next Chapter

Customizing Browser Globally

Share this awesome video!

Keep on Learning!

Globally Sending the Header

13 Comments

Delete comment?

What PHP libraries does this tutorial use?

Show Lines	// ... lines 1 - 7
	use Zenstruck\Browser\HttpOptions;
Show Lines	// ... lines 9 - 12
	class DragonTreasureResourceTest extends KernelTestCase
	{
Show Lines	// ... lines 15 - 42
	public function testPostToCreateTreasure(): void
	{
Show Lines	// ... lines 45 - 52
	->post('/api/treasures', HttpOptions::json([
	'name' => 'A shiny thing',
	'description' => 'It sparkles when I wave it in the air.',
	'value' => 1000,
	'coolFactor' => 5,
	'owner' => '/api/users/'.$user->getId(),
	]))
Show Lines	// ... lines 60 - 62
	;
	}
	}

Show Lines	// ... lines 1 - 12
	class DragonTreasureResourceTest extends KernelTestCase
	{
Show Lines	// ... lines 15 - 42
	public function testPostToCreateTreasure(): void
	{
Show Lines	// ... lines 45 - 52
	->post('/api/treasures', HttpOptions::json([
	'name' => 'A shiny thing',
	'description' => 'It sparkles when I wave it in the air.',
	'value' => 1000,
	'coolFactor' => 5,
	'owner' => '/api/users/'.$user->getId(),
	])->withHeader('Accept', 'application/ld+json'))
Show Lines	// ... lines 60 - 62
	;
	}
	}

Show Lines	// ... lines 1 - 2
	namespace App\Tests\Functional;

	use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
Show Lines	// ... lines 6 - 9
	abstract class ApiTestCase extends KernelTestCase
	{
Show Lines	// ... lines 12 - 25
	}

Show Lines	// ... lines 1 - 7
	use Zenstruck\Browser\Test\HasBrowser;

	abstract class ApiTestCase extends KernelTestCase
	{
	use HasBrowser {
	browser as baseKernelBrowser;
	}
Show Lines	// ... lines 15 - 25
	}

Show Lines	// ... lines 1 - 5
	use Zenstruck\Browser\HttpOptions;
Show Lines	// ... lines 7 - 9
	abstract class ApiTestCase extends KernelTestCase
	{
Show Lines	// ... lines 12 - 15
	protected function browser(array $options = [], array $server = [])
	{
	return $this->baseKernelBrowser($options, $server)
	->setDefaultHttpOptions(
	HttpOptions::create()
	->withHeader('Accept', 'application/ld+json')

	)
	;
	}
	}

Show Lines	// ... lines 1 - 11
	class DragonTreasureResourceTest extends ApiTestCase
	{
Show Lines	// ... lines 14 - 63
	}

Show Lines	// ... lines 1 - 8
	use Zenstruck\Browser\Test\HasBrowser;
Show Lines	// ... lines 10 - 11
	class DragonTreasureResourceTest extends ApiTestCase
	{
	use HasBrowser;
Show Lines	// ... lines 15 - 63
	}