Building Your Startup:
Securing an API
May 22, 2017 @ 13:16:19

The TutsPlus.com site has continued their "Building Your Startup" tutorial series with a new post about APIs and security. In this series, they've been using the Yii2 framework to create a calendaring "startup" site. Now they're to the point of adding a "RESTful" API to the system and want to be sure it's secure.

Recently, I introduced you to Yii's simple REST API generation and Meeting Planner's new "RESTful" service API. At that time, I mentioned that these APIs were only loosely secured. Sure, there was a shared secret between the client and the server, but there were a couple of problems.

First, the secret key and user tokens were repeatedly transmitted in query parameters of SSL calls. And there was no other authenticity check for the data, allowing a middle-person attack. In today's episode, I'll guide you through how I secured the API against these weaknesses for a more robust API.

They start off looking at the API security that was previously put in place, which used "app ID" and "app secret" values to identify the caller. To improve on this, the system is updated so that the "app secret" is no longer sent at all: it is used as the key for an HMAC computed over the outgoing request data, and only that HMAC is sent along with the request. The server recomputes the HMAC with its own copy of the secret and compares, so a request whose data has been altered in transit no longer verifies.
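The pattern the article arrives at, written out as an added example for this digest (it is not Meeting Planner's code, and the header names, the layout of the signed string, the five-minute replay window and the sample credentials are this example's own assumptions): the client signs method, path, sorted query string, a timestamp and a digest of the body with HMAC-SHA256 keyed by the app secret; the server looks the secret up by app ID, rejects stale timestamps, recomputes the signature and compares it in constant time.

```php
<?php
// Added example: HMAC request signing so the app secret never travels over the wire.
// Header names, canonical-string layout, replay window and credentials are assumptions.

declare(strict_types=1);

const APP_ID = 'demo-app';                       // constructed sample credential
const APP_SECRET = 'c0ffee-do-not-ship-in-urls';  // constructed sample credential
const MAX_SKEW_SECONDS = 300;                    // replay window (assumption)

// Everything the server will act on goes into the signed string: method, path,
// sorted query, timestamp and a digest of the body. Anything left out is tamperable.
function canonicalString(string $method, string $path, array $query, int $timestamp, string $body): string
{
    ksort($query);
    return implode("\n", [
        strtoupper($method),
        $path,
        http_build_query($query),
        (string) $timestamp,
        hash('sha256', $body),
    ]);
}

function signRequest(string $secret, string $method, string $path, array $query, int $timestamp, string $body): string
{
    return hash_hmac('sha256', canonicalString($method, $path, $query, $timestamp, $body), $secret);
}

// Client side: app id, timestamp and signature go in headers, not query parameters,
// so they stay out of access logs and browser history.
function buildHeaders(string $method, string $path, array $query, string $body, ?int $now = null): array
{
    $now = $now ?? time();
    return [
        'X-App-Id'    => APP_ID,
        'X-Timestamp' => (string) $now,
        'X-Signature' => signRequest(APP_SECRET, $method, $path, $query, $now, $body),
    ];
}

// Server side: resolve the secret for the app id (a one-entry table stands in for a
// credential store), reject stale timestamps, recompute and compare in constant time.
function verifyRequest(array $headers, string $method, string $path, array $query, string $body, ?int $now = null): bool
{
    $now = $now ?? time();
    $secrets = [APP_ID => APP_SECRET];

    if (!isset($headers['X-App-Id'], $headers['X-Timestamp'], $headers['X-Signature'])) {
        return false;
    }
    $secret = $secrets[$headers['X-App-Id']] ?? null;
    if ($secret === null || !ctype_digit($headers['X-Timestamp'])) {
        return false;
    }
    $ts = (int) $headers['X-Timestamp'];
    if (abs($now - $ts) > MAX_SKEW_SECONDS) {
        return false; // outside the replay window
    }
    $expected = signRequest($secret, $method, $path, $query, $ts, $body);
    return hash_equals($expected, $headers['X-Signature']); // constant-time comparison
}

// Demonstration with a constructed request and a fixed clock.
$body = json_encode(['title' => 'Planning sync', 'when' => '2017-06-01T10:00:00Z']);
$headers = buildHeaders('POST', '/api/meetings', ['v' => '1'], $body, 1495458979);

var_dump(verifyRequest($headers, 'POST', '/api/meetings', ['v' => '1'], $body, 1495458979));
var_dump(verifyRequest($headers, 'POST', '/api/meetings', ['v' => '1'], $body . ' ', 1495458979));
var_dump(verifyRequest($headers, 'POST', '/api/meetings', ['v' => '1'], $body, 1495458979 + 3600));
```

The first verification succeeds; the second fails because the body was altered after signing, and the third fails because the same request is replayed an hour later. The signature alone does not stop a replay inside the window, so the timestamp check (or a nonce store, if the window needs to be tighter) is part of the scheme, not an optional extra.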

tagged: api security tutorial yii2 build startup series hmac rest

Link: https://code.tutsplus.com/tutorials/building-your-startup-securing-an-api--cms-27867

PhalconPHP: A Solution for High-load RESTful APIs
Apr 11, 2017 @ 10:26:37

The Toptal.com blog has a tutorial posted from Andrew Belousoff today sharing what he sees as a solution for high-load RESTful APIs in your application: PhalconPHP.

Suppose you need to create a high-load project based on a PHP MVC framework. You would probably use caching wherever possible. Maybe you would build the project in a single file, or maybe even write your own MVC framework with minimal functionality, or rewrite some parts of another framework. While, yes, this works, it’s a little bit tricky, isn’t it? Fortunately, there is one more solution that makes most of these manipulations unnecessary (save for the cache, perhaps), and this solution is called the PhalconPHP framework.

He starts off the article with a brief introduction to the PhalconPHP framework and some of the recent (2016) benchmarks of its performance against both raw PHP and other smaller, lighter MVC frameworks. With that out of the way he starts in on the creation of a sample project, first pointing out the difference between the "micro" and "full-stack" versions. He chooses the "micro" option for his API and walks you through installation of the framework extension, the directory structure it requires and what the code for the front controller looks like. From there he works up the rest of the code:

  • configuration handling
  • working with the DI container
  • creating the RESTful routes/controllers
  • building models
  • developing some business logic to work with user data

The post ends with a look at performing some testing on the result and mentions the addition of logging and caching functionality. He also points out one of the main disadvantages around using PhalconPHP - that it's an extension and is harder to customize than a PHP-land framework could be.

tagged: phalconphp rest api tutorial introduction framework benchmark

Link: https://www.toptal.com/phalcon/phalcon-php-restful-apis

Programming With Yii2: Building a RESTful API
Apr 06, 2017 @ 10:30:05

The TutsPlus.com site has posted the latest article in their "Programming with Yii2" series today, this time focusing on the creation of a RESTful API with the built-in framework support.

In this Programming With Yii2 series, I'm guiding readers in use of the Yii2 Framework for PHP. You may also be interested in my Introduction to the Yii Framework, which reviews the benefits of Yii and includes an overview of what's new in Yii 2.x.

In today's tutorial, I will review how to build a REST API in Yii to connect your application to the cloud, mobile apps, and other services. I'll guide you through Yii's REST API quick start guide and provide context and examples of common requests.

He starts off with some of the benefits of having a REST API for your Yii2 application and some of the functionality that comes included with the framework. He then starts in on building the base functionality of the API with a controller, a "tree" for the endpoints and configuration of the URL routing. The rest of the post is a set of example requests made to the API with the help of both cURL and the Postman app for Chrome.

tagged: yii2 framework series tutorial build rest api example

Link: https://code.tutsplus.com/tutorials/programming-with-yii2-building-a-restful-api--cms-27513

Esben Petersen:
A modern REST API in Laravel 5 Part 4: Authentication using Laravel Passport
Mar 20, 2017 @ 10:56:15

Esben Petersen has posted the fourth part of his tutorial series covering the creation of a "modern REST API" with Laravel. In this latest article he focuses on authenticating users with the help of an OAuth2 flow.

OAuth is all around us. Most of us have tried to login to a 3rd party service using our Facebook or Google account as a login. This login mechanism is one of many OAuth authentication types. However, you can also use OAuth to generate simple API keys. One of the OAuth authentication types generates API keys based on username and password and is therefore a solid authentication choice for SaaS-style apps. This article will explore how to setup the password grant authentication type in Laravel using Laravel Passport.

The article is broken up into a few different sections, each with explanations and code where appropriate to help illustrate the point:

  • a basic introduction to OAuth2 and grants
  • authentication in single-page applications
  • dependencies to use (and install/configuration)
  • creating the login proxy
  • building a consumer

The final step is an example (using a curl command) to test the API and ensure things are working as expected. The post ends with a more "real world" example of a Slack-style application, linking channels and users but only showing the channels a user has access to based on scope.
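One shape the "login proxy" step can take, as an added example written for this digest rather than code from Esben Petersen's series: the single-page app posts only an e-mail and password, the controller dispatches an internal request to Passport's /oauth/token with the password-grant client ID and secret filled in server-side, and the refresh token is returned in an HttpOnly, Secure cookie rather than the JSON body so page scripts cannot read it. The route path, the config keys under services.passport, the cookie name and the refresh-token lifetime are assumptions; Passport itself registers the /oauth/token route.

```php
<?php
// Added example: OAuth2 password-grant login proxy for Laravel Passport (Laravel 5.x).
// Route path, config keys, cookie name and lifetime are this example's assumptions.

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;

class LoginProxyController extends Controller
{
    private const REFRESH_COOKIE = 'refresh_token';
    private const REFRESH_TTL_MINUTES = 60 * 24 * 10; // 10 days, to match the refresh token (assumption)

    public function login(Request $request): JsonResponse
    {
        $this->validate($request, [
            'email'    => 'required|email',
            'password' => 'required|string',
        ]);

        return $this->proxy('password', [
            'username' => $request->input('email'),
            'password' => $request->input('password'),
        ]);
    }

    public function refresh(Request $request): JsonResponse
    {
        $refreshToken = $request->cookie(self::REFRESH_COOKIE);
        if (!is_string($refreshToken) || $refreshToken === '') {
            return response()->json(['error' => 'missing refresh token'], 401);
        }

        return $this->proxy('refresh_token', ['refresh_token' => $refreshToken]);
    }

    // Dispatch an internal request to Passport's /oauth/token. The client secret is read
    // from config (assumed keys; populate from `php artisan passport:client --password`)
    // and never leaves the server, which is the whole point of the proxy.
    private function proxy(string $grantType, array $params): JsonResponse
    {
        $tokenRequest = Request::create('/oauth/token', 'POST', $params + [
            'grant_type'    => $grantType,
            'client_id'     => config('services.passport.client_id'),
            'client_secret' => config('services.passport.client_secret'),
            'scope'         => '',
        ]);

        $response = app()->handle($tokenRequest);
        $data = json_decode($response->getContent(), true) ?: [];

        if ($response->getStatusCode() !== 200 || !isset($data['access_token'], $data['refresh_token'])) {
            // Generic failure: do not relay Passport's error detail to the client.
            return response()->json(['error' => 'invalid credentials'], 401);
        }

        return response()
            ->json([
                'access_token' => $data['access_token'],
                'expires_in'   => $data['expires_in'],
            ])
            ->withCookie(cookie(
                self::REFRESH_COOKIE,
                $data['refresh_token'],
                self::REFRESH_TTL_MINUTES,
                '/api/auth/refresh', // only sent back to the refresh endpoint (assumed path)
                null,                // domain: current host
                true,                // Secure: HTTPS only
                true                 // HttpOnly: not readable from JavaScript
            ));
    }
}
```

Wire it with two routes, for example `Route::post('/api/auth/login', 'Auth\LoginProxyController@login')` and `Route::post('/api/auth/refresh', 'Auth\LoginProxyController@refresh')`. The short-lived access token is the only secret the browser holds in memory; when it expires the SPA calls the refresh route and the cookie, scoped to that path, supplies the refresh token.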

tagged: tutorial rest api laravel series part4 oauth2 passport

Link: http://esbenp.github.io/2017/03/19/modern-rest-api-laravel-part-4/

Esben Petersen:
A modern REST API in Laravel 5 Part 1: Structure
Mar 09, 2017 @ 10:44:56

Esben Petersen has kicked off his series on creating a modern REST API in Laravel 5 with part one in the series. This first tutorial focuses on the setup of the application using a "folders by component" approach.

Over time when your API grows in size it also grows in complexity. Many moving parts work together in order for it to function. If you do not employ a scalable structure you will have a hard time maintaining your API. New additions will cause side effects and breakage in other places etc.

It is important to realize in software development no singular structure is the mother of all structures. It is important to build a toolbox of patterns which you can employ given different situations. This article will serve as an opinionated piece on how such a structure could look.

The tutorial covers structure on three different levels (patterns): application flow, project folder structure and resource folder structure. For each level he covers some of the basic concepts involved and shares code showing how it could be implemented, including controllers, repositories and middleware, and how it all fits into a resource folder structure.

tagged: laravel rest api laravel5 tutorial series part1 structure

Link: http://esbenp.github.io/2016/04/11/modern-rest-api-laravel-part-1/

Dac Chartrand:
Building a Simple API using Opulence PHP
Jan 30, 2017 @ 11:27:35

Dac Chartrand has written up a post to his site showing you how to create a simple REST API with Opulence, a PHP framework that bills itself as a "modern framework for modern PHP".

This tutorial will show you how to code a simple JSON API using Opulence PHP. We will install Opulence’s skeleton project using composer, then create a ‘user’ database entity, and finally we will match CRUD (Create, Read, Update, Delete) to POST, GET, PUT, and DELETE.

The start of the tutorial helps you get a new Opulence project set up and running including updating the configuration for content type handling and the database connection details. With that set up he moves into the code creating the "User" entity and its matching classes. He builds out the controller, selecting a REST controller from the options and builds out all methods needed for the CRUD user operations. The tutorial finishes with a bit of testing information so you can see the framework in action.

tagged: opulence api rest tutorial simple user framework

Link: http://kizu514.com/blog/building-a-simple-api-using-opulence-php/

Laravel Random Keys with Keygen
Jan 27, 2017 @ 12:44:13

On the Scotch.io site they've posted a new Laravel-related tutorial covering the use of the keygen package to generate random keys via four generator types. These keys can be used for just about anything in your application and can be customized to fit your length and complexity requirements. One thing to note, however, is that the strings it generates are random but are not presented as cryptographically strong: they should not be used as encryption keys or for other cryptographic purposes.

When developing applications, it is usually common to see randomness come into play - and as a result, many programming languages have built-in random generation mechanisms.

[...] When your application is required to generate very simple random character sequences like those enumerated above, then the Keygen package is a good option to go for. Keygen is a PHP package for generating simple random character sequences of any desired length and it ships with four generators, namely: numeric, alphanumeric, token and bytes.

For their example they chose to create a simple REST API service that allows for user creation, viewing users and generating a random (temporary) password using the Keygen package. They start by helping you get the package installed (via Composer) and adding an alias to your Laravel config for "Keygen" to make it easier to access. They then create the user model and add in a "setEmailAttribute" method to verify the email value submitted (for format and uniqueness). Next up is the route definition for the "user" endpoints, creation of the API controller and implementing the Keygen tool to create a random eight digit code for the user. They also include a few strategies to ensure the code generated (and the resulting hash) is unique across all users. The remainder of the post shows the full user creation, and implementing the remaining methods required to view the user's details.
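The same temporary-code flow, as an added example that uses PHP's own CSPRNG (random_int, random_bytes) instead of the Keygen package and is not the tutorial's code: draw a uniformly distributed eight-digit code, persist only a keyed SHA-256 digest of it, retry on collision so the digest column can carry a UNIQUE index, and verify submissions in constant time. The pepper value, the in-memory "table" and the attempt limit are constructed for the demo.

```php
<?php
// Added example: temporary numeric codes from the CSPRNG, stored as keyed digests.
// The pepper, the in-memory store and MAX_ATTEMPTS are assumptions for the demo.

declare(strict_types=1);

const CODE_LENGTH = 8;
const MAX_ATTEMPTS = 5;
const PEPPER = 'demo-server-side-secret-keep-out-of-the-db'; // assumption: load from env in practice

// Uniform code over 00000000..99999999 with leading zeros kept. Eight digits is only
// about 26.6 bits, so a code like this must expire quickly and sit behind rate limiting.
function generateNumericCode(int $length = CODE_LENGTH): string
{
    $max = (10 ** $length) - 1;
    return str_pad((string) random_int(0, $max), $length, '0', STR_PAD_LEFT);
}

// For opaque tokens (reset links, API keys) use raw CSPRNG bytes, URL-safe encoded.
function generateUrlSafeToken(int $bytes = 32): string
{
    return rtrim(strtr(base64_encode(random_bytes($bytes)), '+/', '-_'), '=');
}

// Keyed, deterministic digest: the database can enforce uniqueness on it, and a
// leaked table without the pepper does not yield usable codes.
function codeDigest(string $code): string
{
    return hash_hmac('sha256', $code, PEPPER);
}

// Draw until the digest is unused; give up rather than loop forever.
// $existingDigests stands in for `SELECT 1 FROM users WHERE code_digest = ?`.
function issueUniqueCode(array &$existingDigests): string
{
    for ($i = 0; $i < MAX_ATTEMPTS; $i++) {
        $code = generateNumericCode();
        $digest = codeDigest($code);
        if (!isset($existingDigests[$digest])) {
            $existingDigests[$digest] = true;
            return $code; // plaintext is handed out once and never stored
        }
    }
    throw new RuntimeException('could not allocate a unique code');
}

function verifyCode(string $submitted, string $storedDigest): bool
{
    return hash_equals($storedDigest, codeDigest($submitted));
}

// Demo against a constructed store.
$store = [];
$code = issueUniqueCode($store);
$wrong = str_pad((string) (((int) $code + 1) % (10 ** CODE_LENGTH)), CODE_LENGTH, '0', STR_PAD_LEFT);

printf("issued %s, stored digest %s\n", $code, codeDigest($code));
printf("correct code: %s\n", verifyCode($code, codeDigest($code)) ? 'accepted' : 'rejected');
printf("wrong code:   %s\n", verifyCode($wrong, codeDigest($code)) ? 'accepted' : 'rejected');
printf("url-safe token: %s\n", generateUrlSafeToken());
```

A keyed digest is used here rather than password_hash because the input is machine-generated and the table needs an equality lookup for the uniqueness check; for user-chosen passwords, where slow hashing is the defence against guessing, password_hash remains the right tool.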

tagged: laravel random key keygen tutorial package rest api

Link: https://scotch.io/tutorials/laravel-random-keys-with-keygen

Cloudflare Blog:
Using Guzzle and PHPUnit for REST API Testing
Dec 30, 2016 @ 10:19:48

On the Cloudflare blog there's a new post with an example of how to test APIs with Guzzle, a popular HTTP client for PHP. In their example they're focusing on the testing of REST APIs.

APIs are increasingly becoming the backbone of the modern internet - whether you're ordering food from an app on your phone or browsing a blog using a modern JavaScript framework, chances are those requests are flowing through an API. Given the need for APIs to evolve through refactoring and extension, having great automated tests allows you to develop fast without needing to slow down to run manual tests to work out what’s broken.

[...] In this post I'll be demonstrating how you can test RESTful APIs in an automated fashion using PHP, by building a testing framework through creative use of two packages - Guzzle and PHPUnit. The resulting tests will be something you can run outside of your API as part of your deployment or CI (Continuous Integration) process.

They start by setting up their testing environment, using Composer to install both the Guzzle HTTP client and the PHPUnit testing tool. They then create the example phpunit.xml configuration file and write a first test. Their example runs a test against the "/user-agent" endpoint on httpbin.org, verifying that the response code is 200, that the Content-Type header of the response is correct and that the body contains the string "Guzzle". They build on this by adding another test for a failure (a 405 response code) from a PUT request on the same endpoint.
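The two tests described above, as an added example written for this digest rather than the post's own code (it assumes PHPUnit 8 or newer, a Guzzle 6/7 install and network access to httpbin.org; the User-Agent value and the ten-second timeout are choices made here):

```php
<?php
// Added example: Guzzle-driven PHPUnit tests against httpbin.org's /user-agent endpoint.
// Assumes PHPUnit 8+, Guzzle 6/7 and network access; header value and timeout are assumptions.

declare(strict_types=1);

use GuzzleHttp\Client;
use PHPUnit\Framework\TestCase;

final class UserAgentEndpointTest extends TestCase
{
    /** @var Client */
    private $client;

    protected function setUp(): void
    {
        // http_errors => false: 4xx/5xx responses are returned for assertion instead
        // of throwing, which is what lets the 405 case below be tested at all.
        $this->client = new Client([
            'base_uri'    => 'https://httpbin.org',
            'http_errors' => false,
            'timeout'     => 10,
            'headers'     => ['User-Agent' => 'Guzzle'],
        ]);
    }

    public function testGetReturnsJsonEchoingTheUserAgent(): void
    {
        $response = $this->client->request('GET', '/user-agent');

        $this->assertSame(200, $response->getStatusCode());
        $this->assertStringStartsWith('application/json', $response->getHeaderLine('Content-Type'));

        $body = json_decode((string) $response->getBody(), true);
        $this->assertIsArray($body);
        $this->assertSame('Guzzle', $body['user-agent']);
    }

    public function testPutIsRejectedWithMethodNotAllowed(): void
    {
        $response = $this->client->request('PUT', '/user-agent', ['body' => 'ignored']);

        $this->assertSame(405, $response->getStatusCode());
    }
}
```

Run with `vendor/bin/phpunit UserAgentEndpointTest.php`. The same structure carries over to your own API: point base_uri at a staging deployment and add cases for what must fail (missing or wrong credentials returning 401, disallowed methods returning 405) alongside the happy path, since the negative cases are the ones a refactor silently breaks.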

tagged: guzzle testing http api rest phpunit tutorial introduction

Link: https://blog.cloudflare.com/using-guzzle-and-phpunit-for-rest-api-testing/

How to Secure a REST API With Lumen
Oct 26, 2016 @ 10:56:58

Over on the TutsPlus.com site there's a new tutorial posted for the Lumen users out there building REST APIs. The post walks you through an authentication method for the API making use of the "guard" handling Lumen inherits from Laravel (the built-in auth middleware) and a per-user API token.

Lumen is Laravel's little brother: a fast, lightweight micro-framework for writing RESTful APIs. With just a little bit of code, you can use Lumen to build a secure and extremely fast RESTful API.

In this video tutorial from my course, Create a REST API With Lumen, you'll learn how to use Lumen's built-in authentication middleware to secure a REST API with Lumen.

The post includes the screencast of the tutorial but it also includes all of the content below that in more developer-friendly text form. Screenshots of the code in various states are also included as well as descriptions of what's happening in the auth process along the way.
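One way to wire that guard, as an added example for this digest and not the course's own code: the API guard is registered with viaRequest() and resolves the user from a bearer token. Rather than keeping raw tokens in the users table (where a database read-out hands an attacker working credentials), the table stores sha256(token) and the lookup digests the presented token first; tokens are issued from 32 CSPRNG bytes and the plaintext is returned exactly once. The column name, the route layout and the Lumen 5.5+ `$router` routing syntax are assumptions.

```php
<?php
// Added example: Lumen `auth` guard via viaRequest() with hashed API tokens.
// Column name, routes and Lumen 5.5+ syntax are this example's assumptions.

namespace App\Providers;

use App\User;
use Illuminate\Http\Request;
use Illuminate\Support\ServiceProvider;

class AuthServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        $this->app['auth']->viaRequest('api', function (Request $request) {
            $token = $request->bearerToken(); // Authorization: Bearer <token>
            if ($token === null || $token === '') {
                return null; // no credential: the `auth` middleware responds 401
            }

            // Deterministic digest so the column can be indexed and compared in SQL;
            // a leaked table then exposes digests, not tokens that still work.
            return User::where('api_token_hash', hash('sha256', $token))->first();
        });
    }
}

final class ApiTokenIssuer
{
    // 32 CSPRNG bytes as hex. Only the digest is persisted; the caller shows the
    // plaintext to the user once and never stores it.
    public static function issue(User $user): string
    {
        $token = bin2hex(random_bytes(32));
        $user->api_token_hash = hash('sha256', $token);
        $user->save();

        return $token;
    }

    public static function revoke(User $user): void
    {
        $user->api_token_hash = null;
        $user->save();
    }
}

// bootstrap/app.php must enable both pieces (Lumen ships them commented out):
//   $app->routeMiddleware(['auth' => App\Http\Middleware\Authenticate::class]);
//   $app->register(App\Providers\AuthServiceProvider::class);
//
// routes/web.php: everything under /api requires a valid token.
//   $router->group(['prefix' => 'api', 'middleware' => 'auth'], function () use ($router) {
//       $router->get('/me', function (Request $request) {
//           return response()->json($request->user());
//       });
//   });
```

Because the token is 256 bits of CSPRNG output, a plain SHA-256 digest is enough for the stored form; slow password hashing is for low-entropy secrets a human chose. Sending the token in the Authorization header rather than an `api_token` query parameter keeps it out of access logs and proxies' URL records.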

tagged: lumen security rest api screencast tutorial

Link: https://code.tutsplus.com/tutorials/how-to-secure-a-rest-api-with-lumen--cms-27442

SitePoint PHP Blog:
RESTful Remote Object Proxies with ProxyManager
Sep 13, 2016 @ 11:03:15

The SitePoint PHP blog has posted a tutorial introducing the use of ProxyManager in RESTful APIs to help interface your API endpoints directly with backend objects for the typical CRUD (create, read, update, delete) handling a REST API provides. ProxyManager is a tool created by Marco Pivetta for creating various kinds of proxies through a set of factory classes.

The proxy pattern is another cool design pattern in software development. A proxy is a class working as an interface to another class or web service. For the sake of simplicity, we’ll refer to proxied classes as subjects throughout the rest of the article. A proxy usually implements the same interface as the subject, so it looks like we’re calling the methods directly on the subject.

They start with a brief overview of proxies and the proxy design pattern for those not familiar, then "cut to the chase" and show how to hook in ProxyManager via a custom adapter for the REST endpoints. They help you get all dependencies needed installed (via Composer) and create a simple API using Silex and its provider handling. They then create the application, set up the front controller and configure the relation between endpoint and proxy. Code is then included to create the required factories, interfaces and mappings. The tutorial wraps up with an example of using the API you've just created.

tagged: rest api tutorial proxymanager example factory classes

Link: https://www.sitepoint.com/restful-remote-object-proxies-with-proxymanager/