OpenAPI Specification
…extra good friend,
it also creates an OpenAPI specification. Check it out: go to /api/docs.json.
Hello giant OpenAPI spec document! Notice it says swagger: "2.0". OpenAPI
version 3 is still pretty new, so API Platform 2 still uses the old format. Add
…
User Class Dto
…make life easier... and because this class will stay simple,
so it's not a big deal.
The moment we do this... API Platform recognizes that id as the identifier, and
our operations are looking good.
While we're here, let's also tweak the…
SameSite Cookies & CSRF Attacks
Before we go further into API Platform, we need to have a quick heart-to-heart about
CSRF attacks. This is a complex topic... so I'll try to hit the highlights.
If you're consuming your API from JavaScript, you have two basic options…
Access Control & Voters
The access control system in API Platform instantly gives you a lot of power:
you can check for a simple role or write more complex logic and... it works!
But... it's also ugly. And... it can get even uglier! What if I said that…
Creating your First ApiResource
… Let's call our entity DragonTreasure. Then it asks us a question that you
maybe haven't seen before - Mark this class as an API platform resource? It asks
because API Platform is installed. Say no because we're going to do this step
manually…
Our First ApiResource
…CheeseListingRepository.
Nothing special there. Right now, the only property the entity has is id. So,
what did answering "yes" to the API Platform resource question give us? This tiny
annotation right here: @ApiResource.
The real question is: what does that activate? We'll see that…
ApiResource access_control
…How do they log in? Honestly, that is the trickiest part... and it has really
nothing to do with API Platform. We're authenticating via the json_login authenticator
and a session cookie. That's a great solution for many applications. But in the
bonus…
Collection "Types" and readableLink
…and take user:read off
of $title and user:read off of $price:
Thanks to this change, when API Platform goes to serialize these two array fields,
it will realize that there are no embedded properties and return an array of IRI
strings.
But... surprise…
DTO Class Organization
It took some work - especially getting the update to work before API Platform 2.6 -
but our input & output DTO system is alive! Though... our logic for converting
from CheeseListing to input, input to CheeseListing and CheeseListing to
output is... not super organized. This code…
Customizing the OpenAPI Docs
…doing. It's class decoration: an object-oriented
strategy for extending classes. It's really easy to do in Symfony and API Platform
leverages it a lot.
Whenever you do decoration, you will always create a constructor that accepts the
interface that you're decorating…
Bootstrapping a Killer Test System
…we'll use to run our tests.
No surprise, Symfony has tools for testing and these can be used to
test an API. Heck, API Platform even has their own tools built on top of those
to make testing an API even easier. And yet…
Conditional Fields by User: ApiProperty
…But then, securityPostDenormalize returned
false. In that case, API Platform will revert the isPublished property back
to its original value: it will change it from false back to true. Oh, and
by the way, securityPostDenormalize is not executed on GET requests: it
only happens when…
Dtos, Mapping & Max Depth of Relations
…for DragonTreasureApi.
This might seem weird, but it's technically okay... because this dragonTreasures
array is going to be rendered as IRI strings... and the only thing API Platform
needs to build that IRI is... the id! Check it out! Remove the dump and reload…
Data Persister: Encoding the Plain Password
…ready! As soon as you create a class that implements
DataPersisterInterface, API Platform will immediately start using that. This
means that, whenever an object is saved - or removed - it will now call
supports() on our data persister to see if we know how to handle…
Resource Metadata Factory: Dynamic ApiResource Options
…the changes? The answer is with a "resource metadata factory"...
which is... at least at first... as dark and scary as the name sounds.
Inside the ApiPlatform/ directory, create a new class called
AutoGroupResourceMetadataFactory. Make this implement ResourceMetadataFactoryInterface and then take a break... cause we…
Swagger UI: Interactive Docs
…to the API endpoint, open a new tab, and paste that in. Whoa! This...
returned HTML? But a second ago, Swagger said that it made a GET request to that
URL... and it returned JSON. What's going on?
One feature of API Platform is…
The Powerful OpenAPI Spec
…If we search
for isPublished in here... yep! There's the model describing isPublished as
type boolean. The best part is that API Platform is generating this by... just
looking at our code!
For example, it sees that coolFactor has an integer type:
so it…
Using a Custom (Date) Identifier
…our routes. But when we try the
collection endpoint... we get a 400 error:
Unable to generate an IRI for the item of type DailyQuest.
So API Platform loaded our two DailyQuest objects... but when it tried to generate
the @id property (the IRI), for…
State Processors: Hashing the User Password
…Now we need to tell Symfony
to use it. Internally, PersistProcessor from API Platform is a service.
We're going to tell Symfony that whenever anything needs that PersistProcessor
service, it should be passed our service instead... but also that Symfony should
pass us the…
Operations
…and "post" inside. Then itemOperations with {"get", "put", "delete"}.
A lot of mastering API Platform comes down to learning about what options
you can pass inside this annotation. This is basically the default configuration:
we want all five operations. So not surprisingly, when we refresh…