YoVDO

API Platform 3 Part 2: Security for your Treasures

Offered By: SymfonyCasts

Tags

Symfony Courses Web Development Courses Access Control Courses API Security Courses

Course Description

Overview

Here be dragons! We've built a pretty sweet API for storing dragon treasures... but we've completely neglected one minor detail: security! In this tutorial, we'll secure our API Platform-powered API in every way imaginable... and spin up a nifty test suite along the way:

  • Disabling documentation on production
  • Different types of API authentication
  • Logging in via Ajax & sessions
  • Creating an API Token system with "scopes"
  • Securing your API resources
  • Bootstrapping tests with zenstruck/browser & zenstruck/foundry!
  • How to use PATCH
  • Adding security & securityPostDenormalize to operations & using object
  • Voters
  • Conditional fields based on permissions: #[ApiProperty(security: 'is_granted(...)')]
  • Using a "state processor" to hash user passwords
  • Dynamic serialization groups with a ContextBuilder
  • Completely dynamic fields by decorating the normalizer
  • Preventing "not allowed" data with validation
  • Automatically set the "owner" of an object on create
  • Auto-filter collections with "query extensions"

Sheesh! Let's go!


Syllabus

  • API Docs on Production?
  • API Tokens? Session Cookies?
  • API Login Form with json_login
  • Handling Authentication Errors
  • On Authentication Success
  • Logout & Passing API Data to JavaScript
  • Passing Values to Stimulus
  • Token Types & The ApiToken Entity
  • Generating the API Token & Fixtures
  • Access Token Authenticator
  • Customizing the OpenAPI Docs
  • API Token Scopes
  • Deny Access with The "security" Option
  • Bootstrapping a Killer Test System
  • JSON Test Assertions & Seeding the Database
  • Advanced & Flexible JSON Test Assertions
  • Testing Authentication
  • Customizing Browser Globally
  • Testing Token Authentication
  • New PUT Behavior
  • Only Allow Owners to Edit
  • Allow Admin Users to Edit any Treasure
  • Security Voter
  • Conditional Fields by User: ApiProperty
  • User Test + Plain Password
  • State Processors: Hashing the User Password
  • Validation Groups & Patch Formats
  • Dynamic Groups: Context Builder
  • Custom Normalizer
  • Normalizer Decoration & "Normalizer Aware"
  • Totally Custom Fields
  • Custom Validator
  • Validating how Values Change
  • Auto Setting the "owner"
  • Query Extension: Auto-Filter a Collection
  • 404 On Unpublished Items
  • Filtering Relation Collection

Taught by

Ryan Weaver

Related Courses

Cybersecurity and Its Ten Domains
University System of Georgia via Coursera Bases de données relationnelles : Comprendre pour maîtriser
Inria (French Institute for Research in Computer Science and Automation) via France Université Numerique Desarrollo de Aplicaciones Web: Seguridad
University of New Mexico via Coursera Web Application Development: Security
University of New Mexico via Coursera Computing, Storage and Security with Google Cloud Platform
Google via Coursera