Yep! You ❤️ your new API Platform-powered API! It's just missing... well... any type of security! This is a big & important topic, so let's take it head-on in part 2 of our API Platform tutorial:
- API token security? Or tried-and-true session based login form security?
- CSRF protection? SameSite Cookies? Ice Cream?
- Security firewall setup for json_login authentication
- Authorization & roles: restricting access to your operations!
- Encoding the user's password (during user creation/update)
- API Platform custom data persister
- Dynamic serialization groups: showing different fields based on the user
- Custom normalizer for dynamic fields based on the user
- Custom validator to control what data a user can set
Woh. Let's do this!
Overview
Syllabus
- 01. Hello API Security + API Docs on Production?
- 02. API Auth 101: Session? Cookies? Tokens?
- 03. Login with json_login
- 04. Authentication Errors
- 05. Login Success & the Session
- 06. On Authentication Success
- 07. Logout & Passing API Data to JS on Page Load
- 08. SameSite Cookies & CSRF Attacks
- 09. ApiResource access_control
- 10. Bootstrapping a Test Suite
- 11. Backport the API Platform 2.5 Test Tools
- 12. Api Tests & Assertions
- 13. Logging in Inside the Test
- 14. Resetting the Database Between Tests
- 15. Base Test Class full of Goodies
- 16. ACL: Only Owners can PUT a CheeseListing
- 17. ACL & previousObject
- 18. Access Control & Voters
- 19. Adding the plainPassword Field
- 20. Data Persister: Encoding the Plain Password
- 21. Validation Groups
- 22. Conditional Field Setup
- 23. Testing, Updating Roles & Refreshing Data
- 24. Context Builder & Service Decoration
- 25. Context Builder: Dynamic Fields/Groups
- 26. Automatic Serialization Groups
- 27. Resource Metadata Factory: Dynamic ApiResource Options
- 28. Dynamic Groups without Caching
- 29. Custom Normalizer: Object-by-Object Dynamic Fields
- 30. Diving into the Normalizer Internals
- 31. A "Normalizer Aware" Normalizer
- 32. Normalizer & Completely Custom Fields
- 33. Locking down the CheeseListing.owner Field
- 34. Custom Validator
- 35. Security Logic in the Validator
- 36. Auto-set the Owner: Entity Listener
- 37. Query Extension: Auto-Filter a Collection
- 38. Automatic 404 on Unpublished Items
- 39. Filtering Related Collections
Taught by
Niels van der Molen