
API Platform Part 2: Security

Offered By: SymfonyCasts

Tags

  • API Security
  • Access Control
  • Authorization
  • Cookies
  • Serialization

Course Description

Overview

Yep! You ❤️ your new API Platform-powered API! It's just missing... well... any type of security! This is a big & important topic, so let's take it head-on in part 2 of our API Platform tutorial:

  • API token security? Or tried-and-true session based login form security?
  • CSRF protection? SameSite Cookies? Ice Cream?
  • Security firewall setup for json_login authentication
  • Authorization & roles: restricting access to your operations!
  • Encoding user's password (during user creation/update)
  • API Platform custom data persister
  • Dynamic serialization groups: showing different fields based on the user
  • Custom normalizer for dynamic fields based on user
  • Custom validator to control what data a user can set

Woh. Let's do this!


Syllabus

  • Hello API Security + API Docs on Production?
  • API Auth 101: Session? Cookies? Tokens?
  • Login with json_login
  • Authentication Errors
  • Login Success & the Session
  • On Authentication Success
  • Logout & Passing API Data to JS on Page Load
  • SameSite Cookies & CSRF Attacks
  • ApiResource access_control
  • Bootstrapping a Test Suite
  • Backport the API Platform 2.5 Test Tools
  • Api Tests & Assertions
  • Logging in Inside the Test
  • Resetting the Database Between Tests
  • Base Test Class full of Goodies
  • ACL: Only Owners can PUT a CheeseListing
  • ACL & previousObject
  • Access Control & Voters
  • Adding the plainPassword Field
  • Data Persister: Encoding the Plain Password
  • Validation Groups
  • Conditional Field Setup
  • Testing, Updating Roles & Refreshing Data
  • Context Builder & Service Decoration
  • Context Builder: Dynamic Fields/Groups
  • Automatic Serialization Groups
  • Resource Metadata Factory: Dynamic ApiResource Options
  • Dynamic Groups without Caching
  • Custom Normalizer: Object-by-Object Dynamic Fields
  • Diving into the Normalizer Internals
  • A "Normalizer Aware" Normalizer
  • Normalizer & Completely Custom Fields
  • Locking down the CheeseListing.owner Field
  • Custom Validator
  • Security Logic in the Validator
  • Auto-set the Owner: Entity Listener
  • Query Extension: Auto-Filter a Collection
  • Automatic 404 on Unpublished Items
  • Filtering Related Collections

Taught by

Niels van der Molen and Ryan Weaver
