API Platform 3 Part 2: Security for your Treasures
Become a master in API security by creating dynamic fields, voters, and setting object owners automatically with our tutorial.
About this course
Here be dragons! We've built a pretty sweet API for storing dragon treasures... but we've completely neglected one minor detail: security! In this tutorial, we'll secure our API Platform-powered API in every way imaginable... and spin up a nifty test suite along the way:
- Disabling documentation on production
- Different types of API authentication
- Logging in via Ajax & sessions
- Creating an API Token system with "scopes"
- Securing your API resources
- Bootstrapping tests with zenstruck/browser & zenstruck/foundry
- How to use PATCH
- Adding "security" & "securityPostDenormalize" to operations & using "object"
- Voters
- Conditional fields based on permissions: #[ApiProperty(security: 'is_granted(...)')]
- Using a "state processor" to hash user passwords
- Dynamic serialization groups with a ContextBuilder
- Completely dynamic fields by decorating the normalizer
- Preventing "not allowed" data with validation
- Automatically set the "owner" of an object on create
- Auto-filter collections with "query extensions"
Sheesh! Let's go!
5 Comments
Cool! Thank you for sharing it @Bartlomeij
Hi, thank you very much for this! You help me a lot.
There is only one misunderstanding at the beginning. You provide the admin part from Symfony, but in the official installation there is another container with a PWA in ReactJS. Creating a login form in that like yours was impossible for me.
Thanks and keep going
Hey @hubertinio
I'm afraid I did not fully understand your question. Do you mean that you installed ApiPlatform including the "admin" package? If that's the case, yes, you'll find it hard (or different) to tweak it to match this tutorial, but the thing here is that this tutorial is focused only on the "core" ApiPlatform package, so you should only install that one and follow the tutorial. Or, you can download the starting course code from our site.
Cheers!
You are right, I can install that one from the tutorial, but I have an existing project where the admin is in ReactJS already.
Hey folks! Just a quick fun fact for those diving into the world of ApiPlatform: If you're playing around with an OpenApiFactoryDecorator, you might have noticed everything works like a charm across dev, test, and prod environments when Swagger is enabled. But, guess what happens when you turn off Swagger docs on, let's say, your prod environment? 🥁... You hit an error! Yup, you'll see something like:
The service "App\ApiPlatform\OpenApiFactoryDecorator" has a dependency on a non-existent service "api_platform.openapi.factory".
But fear not, my fellow Symfony enthusiasts! There's a neat trick to avoid this little hiccup. By tweaking our decorator with a bit of configuration magic, we can tell Symfony to just chill and ignore this decorator when it's not needed. Simply slap on an annotation like this:
And voilà! No more errors when Swagger decides to take a day off on your prod environment.
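The attribute the commenter refers to is not reproduced on the page. As an added example (not the commenter's snippet), here is one way to express that idea with Symfony's #[AsDecorator] attribute, assuming Symfony 6.3+ (for #[AutowireDecorated] and the onInvalid option) and API Platform 3, with a hypothetical decorator class named App\ApiPlatform\OpenApiFactoryDecorator:

```php
<?php
// Added example, not the commenter's code. Assumes Symfony >= 6.3 and API Platform 3.
// When API docs are disabled (e.g. in prod), the "api_platform.openapi.factory" service
// is not registered, so a plain decoration of it fails at container compile time.
namespace App\ApiPlatform;

use ApiPlatform\OpenApi\Factory\OpenApiFactoryInterface;
use ApiPlatform\OpenApi\OpenApi;
use Symfony\Component\DependencyInjection\Attribute\AsDecorator;
use Symfony\Component\DependencyInjection\Attribute\AutowireDecorated;
use Symfony\Component\DependencyInjection\ContainerInterface;

#[AsDecorator(
    decorates: 'api_platform.openapi.factory',
    // IGNORE_ON_INVALID_REFERENCE: if the decorated service does not exist,
    // silently drop this decorator instead of throwing a "non-existent service" error.
    onInvalid: ContainerInterface::IGNORE_ON_INVALID_REFERENCE,
)]
final class OpenApiFactoryDecorator implements OpenApiFactoryInterface
{
    public function __construct(
        #[AutowireDecorated]
        private readonly OpenApiFactoryInterface $decorated,
    ) {
    }

    public function __invoke(array $context = []): OpenApi
    {
        // Build the original document, then adjust it (e.g. trim paths or add
        // security schemes) before returning it to the docs endpoint.
        $openApi = ($this->decorated)($context);

        return $openApi;
    }
}
```

The same effect is available in YAML service config via the decoration_on_invalid: ignore option; either way, verify with a prod-mode cache warm-up (docs disabled) that the container still compiles.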