SymfonyCasts

API Platform 3 Part 2: Security for your Treasures

via SymfonyCasts

Overview

Here be dragons! We've built a pretty sweet API for storing dragon treasures... but we've completely neglected one minor detail: security! In this tutorial, we'll secure our API Platform-powered API in every way imaginable... and spin up a nifty test suite along the way:

  • Disabling documentation on production
  • Different types of API authentication
  • Logging in via Ajax & sessions
  • Creating an API Token system with "scopes"
  • Securing your API resources
  • Bootstrapping tests with zenstruck/browser & zenstruck/foundry!
  • How to use PATCH
  • Adding security & securityPostDenormalize to operations & using object
  • Voters
  • Conditional fields based on permissions: #[ApiProperty(security: 'is_granted(...)')]
  • Using a "state processor" to hash user passwords
  • Dynamic serialization groups with a ContextBuilder
  • Completely dynamic fields by decorating the normalizer
  • Preventing "not allowed" data with validation
  • Automatically set the "owner" of an object on create
  • Auto-filter collections with "query extensions"

Sheesh! Let's go!

Syllabus

  • API Docs on Production?
  • API Tokens? Session Cookies?
  • API Login Form with json_login
  • Handling Authentication Errors
  • On Authentication Success
  • Logout & Passing API Data to JavaScript
  • Passing Values to Stimulus
  • Token Types & The ApiToken Entity
  • Generating the API Token & Fixtures
  • Access Token Authenticator
  • Customizing the OpenAPI Docs
  • API Token Scopes
  • Deny Access with The "security" Option
  • Bootstrapping a Killer Test System
  • JSON Test Assertions & Seeding the Database
  • Advanced & Flexible JSON Test Assertions
  • Testing Authentication
  • Customizing Browser Globally
  • Testing Token Authentication
  • New PUT Behavior
  • Only Allow Owners to Edit
  • Allow Admin Users to Edit any Treasure
  • Security Voter
  • Conditional Fields by User: ApiProperty
  • User Test + Plain Password
  • State Processors: Hashing the User Password
  • Validation Groups & Patch Formats
  • Dynamic Groups: Context Builder
  • Custom Normalizer
  • Normalizer Decoration & "Normalizer Aware"
  • Totally Custom Fields
  • Custom Validator
  • Validating how Values Change
  • Auto Setting the "owner"
  • Query Extension: Auto-Filter a Collection
  • 404 On Unpublished Items
  • Filtering Relation Collection

Taught by

Ryan Weaver
