Chapters

37 Chapters | 3:43:31 |

01

API Docs on Production?

8:22
02

API Tokens? Session Cookies?

8:07
03

API Login Form with json_login

5:36
04

Handling Authentication Errors

3:47
05

On Authentication Success

6:03
06

Logout & Passing API Data to JavaScript

5:45
07

Passing Values to Stimulus

4:32
08

Token Types & The ApiToken Entity

5:59
09

Generating the API Token & Fixtures

5:58
10

Access Token Authenticator

8:56
11

Customizing the OpenAPI Docs

7:31
12

API Token Scopes

5:51
13

Deny Access with The "security" Option

7:11
14

Bootstrapping a Killer Test System

8:18
15

JSON Test Assertions & Seeding the Database

3:41
16

Advanced & Flexible JSON Test Assertions

4:04
17

Testing Authentication

4:59
18

Customizing Browser Globally

3:50
19

Testing Token Authentication

3:24
20

New PUT Behavior

4:46
21

Only Allow Owners to Edit

7:49
22

Allow Admin Users to Edit any Treasure

4:11
23

Security Voter

6:13
24

Conditional Fields by User: ApiProperty

5:13
25

User Test + Plain Password

4:21
26

State Processors: Hashing the User Password

6:55
27

Validation Groups & Patch Formats

8:01
28

Dynamic Groups: Context Builder

8:26
29

Custom Normalizer

5:08
30

Normalizer Decoration & "Normalizer Aware"

6:29
31

Totally Custom Fields

3:24
32

Custom Validator

7:58
33

Validating how Values Change

8:30
34

Auto Setting the "owner"

4:19
35

Query Extension: Auto-Filter a Collection

6:15
36

404 On Unpublished Items

8:00
37

Filtering Relation Collection

5:39

> APIs > API Platform 3 Part 2: Security for your Treasures

Buy Access to Course

17.

Testing Authentication

Autoplay

Keep on Learning!

If you liked what you've learned so far, dive in! Subscribe to get
access to this tutorial plus video, code and script downloads.

Start your All-Access Pass

Buy just this tutorial for $12.00

Previous Chapter

Next Chapter

With a Subscription, click any sentence in the script to jump to that part of the video!

Let's create a test to post and create a new treasure. Say public function testPostToCreateTreasure() that returns void. And start the same way as before: $this->browser()->post('/api/treasures'):

            Copy Code

                            Show All Lines

                        52 lines
            |
            tests/Functional/DragonTreasureResourceTest.php
        
                Show Lines

                                                    // ... lines 1 - 10
                            
            class DragonTreasureResourceTest extends KernelTestCase
        
            {
        
                Show Lines

                                                    // ... lines 13 - 40
                            
                public function testPostToCreateTreasure(): void
        
                {
        
                    $this->browser()
        
                        ->post('/api/treasures', [
        
                Show Lines

                                                    // ... line 45
                            
                        ])
        
                Show Lines

                                                    // ... lines 47 - 48
                            
                    ;
        
                }
        
            }

In this case we need to send data. The second argument to any of these post() or get() methods is an array of options, which can include headers, query parameters or other stuff. One key is json, which you can set to an array, which will be JSON-encoded for you. Start by sending empty JSON... then ->assertStatus(422). To see what the response looks like, add ->dump():

            Copy Code

                            Show All Lines

                        52 lines
            |
            tests/Functional/DragonTreasureResourceTest.php
        
                Show Lines

                                                    // ... lines 1 - 10
                            
            class DragonTreasureResourceTest extends KernelTestCase
        
            {
        
                Show Lines

                                                    // ... lines 13 - 40
                            
                public function testPostToCreateTreasure(): void
        
                {
        
                    $this->browser()
        
                        ->post('/api/treasures', [
        
                            'json' => [],
        
                        ])
        
                        ->assertStatus(422)
        
                        ->dump()
        
                    ;
        
                }
        
            }

Awesome! Copy the test method name. I want to focus just on this one test. To do that, run:

symfony php bin/phpunit --filter=testPostToCreateTreasure

And... oh! Current response status code is 401, but 422 expected.

Dumped Failed Responses in Browser

When a test fails with browser, it automatically saves the last response to a file... which is awesome. It's actually in the var/ directory. In my terminal, I can hold Command and click to open that in my browser. That is nice. You'll see me do this a bunch of times.

Ok, so this returned a 401 status code. Of course: the endpoint requires authentication! Our app has two ways to authenticate: via the login form and session or via an API token. We're going to test both, starting with the login form.

Logging in during the Test

To log in as a user... that user first needs to exist in the database. Remember: at the start of each test, our database is empty. It's then our job to populate it with whatever we need.

Create a user with UserFactory::createOne(['password' => 'pass']) so that we know what the password will be. Then, before we make the POST request to create a treasure, ->post() to /login and send json with email set to $user->getEmail() - to use whatever random email address Faker chose - then password set to pass. To make sure that worked, ->assertStatus(204):

            Copy Code

                            Show All Lines

                        62 lines
            |
            tests/Functional/DragonTreasureResourceTest.php
        
                Show Lines

                                                    // ... lines 1 - 5
                            
            use App\Factory\UserFactory;
        
                Show Lines

                                                    // ... lines 7 - 11
                            
            class DragonTreasureResourceTest extends KernelTestCase
        
            {
        
                Show Lines

                                                    // ... lines 14 - 41
                            
                public function testPostToCreateTreasure(): void
        
                {
        
                    $user = UserFactory::createOne(['password' => 'pass']);
        
                    $this->browser()
        
                        ->post('/login', [
        
                            'json' => [
        
                                'email' => $user->getEmail(),
        
                                'password' => 'pass',
        
                            ],
        
                        ])
        
                        ->assertStatus(204)
        
                Show Lines

                                                    // ... lines 54 - 58
                            
                    ;
        
                }
        
            }

That's the status code we're returning after successful authentication.

Let's give this a try! Move over and run the test:

symfony php bin/phpunit --filter=testPostToCreateTreasure

It passes! We're getting the 422 status code and see the validation messages!

Shortcut to Logging in: actingAs()

So... logging in is... just that easy! And I would recommend having a test that specifically POSTs to your login endpoint like we just did, to make sure its working correctly.

However, in all of my other tests... when I simply need to be authenticated to do the real work, there's a faster way to log in. Instead of making the POST request, say ->actingAs($user):

            Copy Code

                            Show All Lines

                        56 lines
            |
            tests/Functional/DragonTreasureResourceTest.php
        
                Show Lines

                                                    // ... lines 1 - 11
                            
            class DragonTreasureResourceTest extends KernelTestCase
        
            {
        
                Show Lines

                                                    // ... lines 14 - 41
                            
                public function testPostToCreateTreasure(): void
        
                {
        
                Show Lines

                                                    // ... lines 44 - 45
                            
                    $this->browser()
        
                        ->actingAs($user)
        
                Show Lines

                                                    // ... lines 48 - 52
                            
                    ;
        
                }
        
            }

This is a sneaky way of taking the User object and pushing it directly into Symfony's security system without making any requests. It's easier, and faster. And now, we don't care what the password is at all, so we can simplify that.

Let's check it:

symfony php bin/phpunit --filter=testPostToCreateTreasure

Still good!

Testing Successful Treasure Creation

Let's do another POST down here. Keep chaining and add ->post(). Actually... I'm lazy. Copy the existing ->post()... and use that. But this time, send real data: I'll quickly type in some... these can be anything. The last key we need is owner. Right now, we are required to send the owner when we create a treasure. Soon, we'll make that optional: if we don't send it, it will default to whoever is authenticated. But for now, set it to /api/users/ then $user->getId(). Finish with assertStatus(201):

            Copy Code

                            Show All Lines

                        65 lines
            |
            tests/Functional/DragonTreasureResourceTest.php
        
                Show Lines

                                                    // ... lines 1 - 11
                            
            class DragonTreasureResourceTest extends KernelTestCase
        
            {
        
                Show Lines

                                                    // ... lines 14 - 41
                            
                public function testPostToCreateTreasure(): void
        
                {
        
                    $user = UserFactory::createOne();
        
                    $this->browser()
        
                        ->actingAs($user)
        
                        ->post('/api/treasures', [
        
                            'json' => [],
        
                        ])
        
                        ->assertStatus(422)
        
                        ->post('/api/treasures', [
        
                            'json' => [
        
                                'name' => 'A shiny thing',
        
                                'description' => 'It sparkles when I wave it in the air.',
        
                                'value' => 1000,
        
                                'coolFactor' => 5,
        
                                'owner' => '/api/users/'.$user->getId(),
        
                            ],
        
                        ])
        
                        ->assertStatus(201)
        
                    ;
        
                }
        
            }

Because 201 is what the API returns when an object is created.

Alright, go test, go:

symfony php bin/phpunit --filter=testPostToCreateTreasure

Still passing! We're on a roll! Add a ->dump() to help us debug then a sanity check: ->assertJsonMatches() that name is A shiny thing:

            Copy Code

                            Show All Lines

                        67 lines
            |
            tests/Functional/DragonTreasureResourceTest.php
        
                Show Lines

                                                    // ... lines 1 - 11
                            
            class DragonTreasureResourceTest extends KernelTestCase
        
            {
        
                Show Lines

                                                    // ... lines 14 - 41
                            
                public function testPostToCreateTreasure(): void
        
                {
        
                Show Lines

                                                    // ... lines 44 - 45
                            
                    $this->browser()
        
                Show Lines

                                                    // ... lines 47 - 60
                            
                        ->assertStatus(201)
        
                        ->dump()
        
                        ->assertJsonMatches('name', 'A shiny thing')
        
                    ;
        
                }
        
            }

When we try that:

symfony php bin/phpunit --filter=testPostToCreateTreasure

Sending the Accept: application/ld+json Header

No surprise: all green. But look at the dumped response: it's not JSON-LD! We're getting back standard JSON. You can see it in the Content-Type header: 'application/json', not application/ld+json, which is what I was expecting.

Let's find out what's going on next and fix it globally by customizing how Browser works across our entire test suite.

15 Comments

Sort By

Alkiviadis-D 7 months ago edited

On postToCreateTreasure() test:
login succeeds (status: 204).
post('/api/treasures') returns 401 instead of 422.

While the same testing with /api (swagger) post to /api/treasures returns 422 (the expected).

I do not prefix with 'test' my test methods, I am using the @test keyword in docblock:

`...
/**

 * @test
 * @return void
 */
public function postToCreateTreasure(): void
{

    $user = UserFactory::createOne(['password'=>'pass']);

    $this->browser()
        ->post('/login',[
            'json' => [
                'email'=> $user->getEmail(),
                'password'=> 'pass'
            ]
        ])
        ->assertStatus(204)
        ->post('/api/treasures', [
            'json'=> [],
        ])
        ->assertStatus(422)
        ->dump()
        ;
}
...`

There was 1 failure:

1) App\Tests\Functional\DragonTreasureResourceTest::postToCreateTreasure
Current response status code is 401, but 422 expected.

| Reply |

sadikoff SFCASTS Alkiviadis-D 7 months ago edited

Hi @Alkiviadis-D

Hm looks like session is not working correctly between requests, or maybe login request was not fully successful... have you tried to use ->actingAs($user) shortcut to see if it works correctly?

Cheers!

| Reply |

Alkiviadis-D sadikoff 7 months ago

Okkk.. had a typo inside getRoles(). Sorry for this. Thanks for your help.

| Reply |

sujal_k 8 months ago

What could be the issue ?

{

"title": "An error occurred",
"detail": "You cannot refresh a user from the EntityUserProvider that does not contain an identifier. The user object has to be serialized with its own identifier mapped by Doctrine.",
"status": 500,
"type": "/errors/500",

I get this error,
when I use ->actingAs($user) method , as I'm experimenting on new Symfony 7project, but seems working when using ->login()

| Reply |

Victor SFCASTS sujal_k 7 months ago edited

Hey @sujal_k ,

Does your User entity have $id field? Does that field has the same mapping as in this course code? i.e. it should be :

    #[ORM\Id]
    #[ORM\GeneratedValue]
    #[ORM\Column]
    private ?int $id = null;

Also, make sure you don't have an invalid Doctrine mapping by calling this command:

bin/console doctrine:schema:validate

Ad make sure both mapping and DB are OK.

I hope this helps!

Cheers!

| Reply |

Kriss_G Victor 5 months ago

I'm getting the exact same error.

Started my project from latest ApiPlatform Distribution (AP 3.4, Symfony 6.4). When I log in making POST to json_login path I'm able to fetch resources which require full authetication, but when I swap login process with ->actingAs($user) I get 500 error described above while trying to fetch any resource.

I checked my schema as recommended above (everyting is ok) and my User entity is rather standard (created by make:user). It's id is on place.

Do you have any other ideas what can be wrong here? :(

| Reply |

Victor SFCASTS Kriss_G 5 months ago

Hey Kriss,

Hm, difficult to say without further debugging, probably try to find the place where that error is thrown and before that exception try to dump the actual user to make sure it really has an ID.

Also, if you’re customizing serialization groups, ensure that the identifier field is included in the serialization group used when the API Platform serializes the user.

Cheers!

| Reply |

Kriss_G Victor 4 months ago

Hey Victor,

I performed some further debuging and I discovered that when I use $entityManager to create my $user object like so:

static::bootKernel();
$entityManager = static::$kernel->getContainer()->get('doctrine.orm.entity_manager');
        
$user = new User();
$user->setEmail(self::TEST_USER_EMAIL);
$user->setPassword('password');
$user->setIsConfirmed(true);

$entityManager->persist($user);
$entityManager->flush();

then I'm am able to use $browser->actingAs($user) normaly. Also when I get type of created entity using getMetatadaFor method I get App\Entity\User.

When I create $user using UserFactory and try to get object's type using the same method I get an error:

Doctrine\Persistence\Mapping\MappingException: The class 'AppEntityUserProxy' was not found in the chain configured namespaces App\Entity, Vich\UploaderBundle\Entity, CoopTilleuls\ForgotPasswordBundle\Entity

Looks like there is something wrong with doctrine mapping? Or maybe It's something wrong with UserFactory configuration?
I used ApiPlatform distribution as a starter, created Facotry with make:facotry and didn't mess with doctrine mappings at all, so why would they be wrong... Do you have any idea? :)

| Reply |

Victor SFCASTS Kriss_G 4 months ago edited

Hey Kriss,

Ah, good catch! Yeah, that's actually on purpose, entity factories from the Foundry lib need that to add more magic in tests - those proxy objects helps you to do not worry about the problem with refreshing the entity in tests. But that AppEntityUserProxy actually extends your User class, so instanceof User still should work.

In short, nothing is wrong with this behavior, that's how it's suppose to work in Foundry, you just need to keep this in mind. If it bothers you or causing some issues - you can create objects manually bypassing creating it via Foundry factories.

P.S. Sorry for the long reply, I somehow missed this ticket 🙃

Cheers!

| Reply |

Kriss_G Victor 4 months ago edited

Hey Victor,

thanks for your explanation, however it seems that this does not resolve the issue this thread is about.

Namely: why in the tutorial Ryan was able to use browser->actingAs($user) with $user created with Foundry factory and when I try to do this I get the 500 error mentioned by @sujal_k at the beginning of this thread? And why am I able to use this method when creating user using entity manager?

Do you think it can have something to do with the fact I stared my project from AP Distribution, not from cli installation?

| Reply |

kbond SFCASTS Kriss_G 4 months ago edited

Hey @Kriss_G!

Can you tell me what version of zenstruck/browser & zenstruck/foundry you are using?

composer show zenstruck/browser
composer show zenstruck/foundry

(I'm thinking you may be on foundry 2+ but your browser version does not support it yet - I'm hoping upgrading zenstruck/browser will fix)

--Kevin

| Reply |

Kriss_G kbond 4 months ago edited

Hey Kevin @kbond!,

Indeed, I used foundry v2.1.0 and browser v1.9.0.
I ran composer update zenstruck/browser, which brought my browser version to 1.9.1 and it seems to solve the issue.

I can now use browser->actingAs($user) with $user generated with UserFactory class!

Thank you for your help! :)

Kriss

| Reply |

kbond SFCASTS Kriss_G 4 months ago

Awesome, great to hear!

| Reply |

sujal_k 8 months ago edited

The authentication fails while testing at: 2:33 timestamp, in the video it passes, but in my dummy Symfony 7 project, same code failed, always says 401 as response code,

{
    "error": "Invalid credentials."
}

This is the error I get in response when I dump the /login request in test,

below is the code:

    public function testPostToCreateTreasure(): void
    {
        $user = UserFactory::createOne([ 'password' => 'pass' ]);
        $this->browser()
             ->post('/login', [
                 'json' => [
                     'email'    => $user->getEmail(),
                     'password' => 'pass',
                 ]
             ])->dump()
             ->assertStatus(204)
             ->post('/api/treasures', [
                 'json' => [],
             ])
             ->assertStatus(422)
             ->dump()
        ;
    }

| Reply |

weaverryan SFCASTS sujal_k 7 months ago edited

Hey @sujal_k!

These invalid credentials can be tricky as you can't really see what's going on since the passwords are all hashed. And I don't see any obvious problems. Triple check that the password IS being hashed before saving to the DB. You could also temporarily change the hashing algo to plaintext. It may help you see the underlying problem.

Cheers!

| Reply |

API Platform 3 Symfony 6.2

What PHP libraries does this tutorial use?

// composer.json
{
    "require": {
        "php": ">=8.1",
        "ext-ctype": "*",
        "ext-iconv": "*",
        "api-platform/core": "^3.0", // v3.1.2
        "doctrine/annotations": "^2.0", // 2.0.1
        "doctrine/doctrine-bundle": "^2.8", // 2.8.3
        "doctrine/doctrine-migrations-bundle": "^3.2", // 3.2.2
        "doctrine/orm": "^2.14", // 2.14.1
        "nelmio/cors-bundle": "^2.2", // 2.2.0
        "nesbot/carbon": "^2.64", // 2.66.0
        "phpdocumentor/reflection-docblock": "^5.3", // 5.3.0
        "phpstan/phpdoc-parser": "^1.15", // 1.16.1
        "symfony/asset": "6.2.*", // v6.2.5
        "symfony/console": "6.2.*", // v6.2.5
        "symfony/dotenv": "6.2.*", // v6.2.5
        "symfony/expression-language": "6.2.*", // v6.2.5
        "symfony/flex": "^2", // v2.2.4
        "symfony/framework-bundle": "6.2.*", // v6.2.5
        "symfony/property-access": "6.2.*", // v6.2.5
        "symfony/property-info": "6.2.*", // v6.2.5
        "symfony/runtime": "6.2.*", // v6.2.5
        "symfony/security-bundle": "6.2.*", // v6.2.6
        "symfony/serializer": "6.2.*", // v6.2.5
        "symfony/twig-bundle": "6.2.*", // v6.2.5
        "symfony/ux-react": "^2.6", // v2.7.1
        "symfony/ux-vue": "^2.7", // v2.7.1
        "symfony/validator": "6.2.*", // v6.2.5
        "symfony/webpack-encore-bundle": "^1.16", // v1.16.1
        "symfony/yaml": "6.2.*" // v6.2.5
    },
    "require-dev": {
        "doctrine/doctrine-fixtures-bundle": "^3.4", // 3.4.2
        "mtdowling/jmespath.php": "^2.6", // 2.6.1
        "phpunit/phpunit": "^9.5", // 9.6.3
        "symfony/browser-kit": "6.2.*", // v6.2.5
        "symfony/css-selector": "6.2.*", // v6.2.5
        "symfony/debug-bundle": "6.2.*", // v6.2.5
        "symfony/maker-bundle": "^1.48", // v1.48.0
        "symfony/monolog-bundle": "^3.0", // v3.8.0
        "symfony/phpunit-bridge": "^6.2", // v6.2.5
        "symfony/stopwatch": "6.2.*", // v6.2.5
        "symfony/web-profiler-bundle": "6.2.*", // v6.2.5
        "zenstruck/browser": "^1.2", // v1.2.0
        "zenstruck/foundry": "^1.26" // v1.28.0
    }
}

Previous Chapter

Next Chapter

Testing Authentication

Share this awesome video!

Keep on Learning!

Dumped Failed Responses in Browser

Logging in during the Test

Shortcut to Logging in: actingAs()

Testing Successful Treasure Creation

Sending the Accept: application/ld+json Header

15 Comments

Delete comment?

What PHP libraries does this tutorial use?

Show Lines	// ... lines 1 - 10
	class DragonTreasureResourceTest extends KernelTestCase
	{
Show Lines	// ... lines 13 - 40
	public function testPostToCreateTreasure(): void
	{
	$this->browser()
	->post('/api/treasures', [
Show Lines	// ... line 45
	])
Show Lines	// ... lines 47 - 48
	;
	}
	}

Show Lines	// ... lines 1 - 5
	use App\Factory\UserFactory;
Show Lines	// ... lines 7 - 11
	class DragonTreasureResourceTest extends KernelTestCase
	{
Show Lines	// ... lines 14 - 41
	public function testPostToCreateTreasure(): void
	{
	$user = UserFactory::createOne(['password' => 'pass']);

	$this->browser()
	->post('/login', [
	'json' => [
	'email' => $user->getEmail(),
	'password' => 'pass',
	],
	])
	->assertStatus(204)
Show Lines	// ... lines 54 - 58
	;
	}
	}

Show Lines	// ... lines 1 - 11
	class DragonTreasureResourceTest extends KernelTestCase
	{
Show Lines	// ... lines 14 - 41
	public function testPostToCreateTreasure(): void
	{
Show Lines	// ... lines 44 - 45
	$this->browser()
	->actingAs($user)
Show Lines	// ... lines 48 - 52
	;
	}
	}