SymfonyCasts

API Platform Part 2: Security

via SymfonyCasts

Overview

Yep! You ❤️ your new API Platform-powered API! It's just missing... well... any type of security! This is a big & important topic, so let's take it head-on in part 2 of our API Platform tutorial:

  • API token security? Or tried-and-true session based login form security?
  • CSRF protection? SameSite Cookies? Ice Cream?
  • Security firewall setup for json_login authentication
  • Authorization & roles: restricting access to your operations!
  • Encoding user's password (during user creation/update)
  • API Platform custom data persister
  • Dynamic serialization groups: showing different fields based on the user
  • Custom normalizer for dynamic fields based on user
  • Custom validator to control what data a user can set

Woh. Let's do this!

Syllabus

  • Hello API Security + API Docs on Production?
  • API Auth 101: Session? Cookies? Tokens?
  • Login with json_login
  • Authentication Errors
  • Login Success & the Session
  • On Authentication Success
  • Logout & Passing API Data to JS on Page Load
  • SameSite Cookies & CSRF Attacks
  • ApiResource access_control
  • Bootstrapping a Test Suite
  • Backport the API Platform 2.5 Test Tools
  • Api Tests & Assertions
  • Logging in Inside the Test
  • Resetting the Database Between Tests
  • Base Test Class full of Goodies
  • ACL: Only Owners can PUT a CheeseListing
  • ACL & previousObject
  • Access Control & Voters
  • Adding the plainPassword Field
  • Data Persister: Encoding the Plain Password
  • Validation Groups
  • Conditional Field Setup
  • Testing, Updating Roles & Refreshing Data
  • Context Builder & Service Decoration
  • Context Builder: Dynamic Fields/Groups
  • Automatic Serialization Groups
  • Resource Metadata Factory: Dynamic ApiResource Options
  • Dynamic Groups without Caching
  • Custom Normalizer: Object-by-Object Dynamic Fields
  • Diving into the Normalizer Internals
  • A "Normalizer Aware" Normalizer
  • Normalizer & Completely Custom Fields
  • Locking down the CheeseListing.owner Field
  • Custom Validator
  • Security Logic in the Validator
  • Auto-set the Owner: Entity Listener
  • Query Extension: Auto-Filter a Collection
  • Automatic 404 on Unpublished Items
  • Filtering Related Collections

Taught by

Niels van der Molen and Ryan Weaver
