Using API platform to build ticketing system (translations, time zones, ...) #sfday #verona

Using API platform to build ticketing
system
Antonio Perić-Mažar, Locastic
Paula Čučuk, Locastic
18.10.2019. - #sfday

Antonio
Perić-Mažar
CEO @ Locastic
Co-founder @ Litto
Co-founder @ Tinel Meetup
t: @antonioperic
m: antonio@locastic.com

Paula Čučuk
Lead Backend Developer @ Locastic
Partner @ Locastic
t: @paulala_14
m: paula@locastic.com

Locastic
Helping clients create web
and mobile apps since 2011
• UX/UI
• Mobile apps
• Web apps
• Training & Consulting
www.locastic.com
@locastic

• API Platform & Symfony
• Ticketing platform: GFNY (franchise business)
• ~ year and half in production
• ~ 60 000 tickets released & race results stored in DB
• ~ 20 000 users/racers,
• ~ 60 users with admin roles
• 48 events in 26 countries, users from 82 countries
• 8 different languages including Hebrew and Indonesian
Context & our
Experience

• Social network
• chat based
• matching similar to Tinder :)
• few CRM/ERP applications
Context & our
Experience

–Fabien Potencier (creator of Symfony), SymfonyCon 2017
“API Platform is the most advanced API platform,
in any framework or language.”

• full stack framework dedicated to API-Driven projects
• contains a PHP library to create a fully featured APIs supporting
industry standards (JSON-LD, Hydra, GraphQL, OpenAPI…)
• provides ambitious Javascript tooling to consume APIs in a snap
• Symfony official API stack (instead of FOSRestBundle)
• shipped with Docker and Kubernetes integration
API Platform

• creating, retrieving, updating and deleting (CRUD) resources
• data validation
• pagination
• filtering
• sorting
• hypermedia/HATEOAS and content negotiation support (JSON-LD
and Hydra, JSON:API, HAL…)
API Platform built-in
features:

• GraphQL support
• Nice UI and machine-readable documentations (Swagger UI/
OpenAPI, GraphiQL…)
• authentication (Basic HTP, cookies as well as JWT and OAuth through
extensions)
• CORS headers
• security checks and headers (tested against OWASP
recommendations)
features:

• invalidation-based HTTP caching
• and basically everything needed to build modern APIs.
features:

Creating Simple CRUD
in a minute

Create
Entity
Step One
<?php
// src/Entity/Greeting.php
namespace AppEntity;
class Greeting
{
private $id;
public $name = '';
public function getId(): int
{
return $this->id;
}
}

Create
Mapping
Step Two
# config/doctrine/Greeting.orm.yml
AppEntityGreeting:
type: entity
table: greeting
id:
id:
type: integer
generator: { strategy: AUTO }
fields:
name:
type: string
length: 100

Add
Validation
Step Three
# config/validator/greeting.yaml
AppEntityGreeting:
properties:
name:
- NotBlank: ~

Expose
Resource
Step Four # config/api_platform/resources.yaml
resources:
AppEntityGreeting: ~

• Avoid using FOSUserBundle
• not well suited with API
• Use Doctrine User Provider
• simple and easy to integrate
User management

// src/Entity/User.php
use SymfonyComponentSecurityCoreUserUserInterface;
use SymfonyComponentSerializerAnnotationGroups;
class User implements UserInterface
{
/**
* @Groups({"user-read"})
*/
private $id;
/**
* @Groups({"user-write", "user-read"})
*/
private $email;
/**
*/
private $roles = [];
/**
* @Groups({"user-write"})
*/
private $plainPassword;
private $password;
… getters and setters …
}

{
/**
*/
private $id;
/**
*/
private $email;
/**
*/
/**
*/
private $password;
}
# config/doctrine/User.orm.yml
AppEntityUser:
type: entity
table: users
repositoryClass: AppRepositoryUserRepository
id:
id:
type: integer
fields:
email:
type: string
length: 255
password:
type: string
length: 255
roles:
type: array

{
/**
*/
private $id;
/**
*/
private $email;
/**
*/
/**
*/
private $password;
}
# config/doctrine/User.orm.yml
AppEntityUser:
type: entity
table: users
repositoryClass: AppRepositoryUserRepository
id:
id:
type: integer
fields:
email:
type: string
length: 255
password:
type: string
length: 255
roles:
type: array
# config/api_platform/resources.yaml
resources:
AppEntityUser:
attributes:
normalization_context:
groups: ['user-read']
denormalization_context:
groups: ['user-write']

use ApiPlatformCoreDataPersisterContextAwareDataPersisterInterface;
use AppEntityUser;
use DoctrineORMEntityManagerInterface;
use SymfonyComponentSecurityCoreEncoderUserPasswordEncoderInterface;
class UserDataPersister implements ContextAwareDataPersisterInterface
{
private $entityManager;
private $userPasswordEncoder;
public function __construct(EntityManagerInterface $entityManager, UserPasswordEncoderInterface $userPasswordEncoder)
{
$this->entityManager = $entityManager;
$this->userPasswordEncoder = $userPasswordEncoder;
}
public function supports($data, array $context = []): bool
{
return $data instanceof User;
}
public function persist($data, array $context = [])
{
/** @var User $data */
if ($data->getPlainPassword()) {
$data->setPassword(
$this->userPasswordEncoder->encodePassword($data, $data->getPlainPassword())
);
$data->eraseCredentials();
}
$this->entityManager->persist($data);
$this->entityManager->flush($data);
return $data;
}
public function remove($data, array $context = [])
{
$this->entityManager->remove($data);
$this->entityManager->flush();
}

• Lightweight and simple authentication system
• Stateless: token signed and verified server-side then stored client-
side and sent with each request in an Authorization header
• Store the token in the browser local storage
JSON Web Token (JWT)

• API Platform allows to easily add a JWT-based authentication to your
API using LexikJWTAuthenticationBundle.
• Maybe you want to use a refresh token to renew your JWT. In this
case you can check JWTRefreshTokenBundle.
User authentication

User security
checker
Security
<?php
namespace AppSecurity;
use AppExceptionAccountDeletedException;
use AppSecurityUser as AppUser;
use SymfonyComponentSecurityCoreExceptionAccountExpiredException;
use SymfonyComponentSecurityCoreExceptionCustomUserMessageAuthenticat
use SymfonyComponentSecurityCoreUserUserCheckerInterface;
class UserChecker implements UserCheckerInterface
{
public function checkPreAuth(UserInterface $user)
{
if (!$user instanceof AppUser) {
return;
}
// user is deleted, show a generic Account Not Found message.
if ($user->isDeleted()) {
throw new AccountDeletedException();
}
}
public function checkPostAuth(UserInterface $user)
{
if (!$user instanceof AppUser) {
return;
}
// user account is expired, the user may be notified
if ($user->isExpired()) {
throw new AccountExpiredException('...');
}
}
}

User security
checker
Security
# config/packages/security.yaml
# ...
security:
firewalls:
main:
pattern: ^/
user_checker: AppSecurityUserChecker
# ...

Resource and
operation
level
Security
# api/config/api_platform/resources.yaml
AppEntityBook:
attributes:
security: 'is_granted("ROLE_USER")'
collectionOperations:
get: ~
post:
security: 'is_granted("ROLE_ADMIN")'
itemOperations:
get: ~
put:
security_: 'is_granted("ROLE_ADMIN")
or object.owner == user'

Resource and
operation
level using
Voters
Security
# api/config/api_platform/resources.yaml
AppEntityBook:
itemOperations:
get:
security_: 'is_granted('READ', object)'
put:
security_: 'is_granted('UPDATE', object)'

• A JWT is self-contained, meaning that we can trust into its payload
for processing the authentication. In a nutshell, there should be no
need for loading the user from the database when authenticating a
JWT Token, the database should be hit only once for delivering the
token.
• It means you will have to fetch the User entity from the database
yourself as needed (probably through the Doctrine EntityManager).
JWT tip
A database-less user
provider

JWT tip
A database-less user
provider
# config/packages/security.yaml
security:
providers:
jwt:
lexik_jwt: ~
security:
firewalls:
api:
provider: jwt
guard:
# ...

• Locastic Api Translation Bundle
• Translation bundle for ApiPlatform based on Sylius translation
• It requires two entities: Translatable & Translation entity
• Open source
• https://github.com/Locastic/ApiPlatformTranslationBundle
• https://locastic.com/blog/having-troubles-with-implementing-
translations-in-apiplatform/
Creating
multi-language APIs

POST
translation
example
Multi-language API
{
"datetime":"2017-10-10",
"translations": {
"en":{
"title":"test",
"content":"test",
"locale":"en"
},
"de":{
"title":"test de",
"content":"test de",
"locale":"de"
}
}
}

Get response by locale
GET /api/posts/1?locale=en

{
"@context": "/api/v1/contexts/Post",
"@id": "/api/v1/posts/1')",
"@type": "Post",
"id": 1,
"datetime":"2019-10-10",
"title":"Hello world",
"content":"Hello from Verona!"
}

Get response with all translations
GET /api/posts/1?groups[]=translations
{
"@context": "/api/v1/contexts/Post",
"@id": "/api/v1/posts/1')",
"@type": "Post",
"id": 1,
"datetime":"2019-10-10",
"translations": {
"en":{
"title":"Hello world",
"content":"Hello from Verona!",
"locale":"en"
},
"it":{
"title":"Ciao mondo",
"content":"Ciao da Verona!",
"locale":"it"
}
}
}

• Endpoint for creating new language
• Creates all Symfony translation files when new language is added
• Endpoint for editing each language translation files
Adding languages and
translations
dynamically

Manipulating
the Context
Context
use ApiPlatformCoreAnnotationApiResource;
/**
* @ApiResource(
* normalizationContext={"groups"={"book:output"}},
* denormalizationContext={"groups"={"book:input"}}
* )
*/
class Book
{
// ...
/**
* This field can be managed only by an admin
*
* @var bool
*
* @Groups({"book:output", "admin:input"})
*/
public $active = false;
/**
* This field can be managed by any user
*
* @var string
*
* @Groups({"book:output", "book:input"})
*/
public $name;
// ...
}

Manipulating
the Context
Context
# api/config/services.yaml
services:
# ...
'AppSerializerBookContextBuilder':
decorates: 'api_platform.serializer.context_builder'
arguments: [ '@AppSerializerBookContextBuilder.inner' ]
autoconfigure: false

// api/src/Serializer/BookContextBuilder.php
namespace AppSerializer;
use ApiPlatformCoreSerializerSerializerContextBuilderInterface;
use SymfonyComponentHttpFoundationRequest;
use SymfonyComponentSecurityCoreAuthorizationAuthorizationCheckerInterface;
use AppEntityBook;
final class BookContextBuilder implements SerializerContextBuilderInterface
{
private $decorated;
private $authorizationChecker;
public function __construct(SerializerContextBuilderInterface $decorated, AuthorizationCheckerInterface
$authorizationChecker)
{
$this->decorated = $decorated;
$this->authorizationChecker = $authorizationChecker;
}
public function createFromRequest(Request $request, bool $normalization, ?array $extractedAttributes = null): array
{
$context = $this->decorated->createFromRequest($request, $normalization, $extractedAttributes);
$resourceClass = $context['resource_class'] ?? null;
if ($resourceClass === Book::class && isset($context['groups']) && $this->authorizationChecker-
>isGranted('ROLE_ADMIN') && false === $normalization) {
$context['groups'][] = 'admin:input';
}
return $context;
}
}

• The Messenger component helps applications send and receive
messages to/from other applications or via message queues.
• Easy to implement
• Making async easy
• Many transports are supported to dispatch messages to async
consumers, including RabbitMQ, Apache Kafka, Amazon SQS and
Google Pub/Sub.
Symfony Messenger

• Allows to implement the Command Query Responsibility Segregation
(CQRS) pattern in a convenient way.
• It also makes it easy to send messages through the web API that will
be consumed asynchronously.
• Async import, export, image processing… any heavy work
Symfony Messenger &
API Platform

CQRS
Symfony Messenger & API Platform
AppEntityPasswordResetRequest:
post:
status: 202
itemOperations: []
attributes:
messenger: true
output: false

CQRS
<?php
namespace AppHandler;
use AppEntityPasswordResetRequest;
use SymfonyComponentMessengerHandlerMessageHandlerInterfac
final class PasswordResetRequestHandler implements MessageHand
{
public function __invoke(PasswordResetRequest $forgotPassw
{
// do some heavy things
}
}
<?php
final class PasswordResetRequest
{
public $email;
}

CQRS
/w DTO
AppEntityUser:
post:
status: 202
itemOperations: []
attributes:
messenger: “input”
input: “ResetPasswordRequest::class”
output: false
// api/src/Entity/User.php
use ApiPlatformCoreAnnotationApiResource;
use AppDtoResetPasswordRequest;
final class User
{
}

CQRS
/w DTO
// api/src/Handler/ResetPasswordRequestHandler.php
namespace AppHandler;
use AppDtoResetPasswordRequest;
use SymfonyComponentMessengerHandlerMessageHandlerInterface;
final class ResetPasswordRequestHandler implements MessageHandle
{
public function __invoke(ResetPasswordRequest $forgotPasswor
{
// do something with the resource
}
}
// api/src/Dto/ResetPasswordRequest.php
namespace AppDto;
use SymfonyComponentValidatorConstraints as Assert;
final class ResetPasswordRequest
{
public $var;
}

<?php
namespace AppDataPersister;
use ApiPlatformCoreDataPersisterContextAwareDataPersisterInterface;
use AppEntityImageMedia;
use DoctrineORMEntityManagerInterface;
use SymfonyComponentMessengerMessageBusInterface;
class ImageMediaDataPersister implements ContextAwareDataPersisterInterface
{
private $entityManager;
private $messageBus;
public function __construct(EntityManagerInterface $entityManager, MessageBusInterface $messageBus)
{
$this->entityManager = $entityManager;
$this->messageBus = $messageBus;
}
public function supports($data, array $context = []): bool
{
return $data instanceof ImageMedia;
}
public function persist($data, array $context = [])
{
$this->entityManager->persist($data);
$this->entityManager->flush($data);
$this->messageBus->dispatch(new ProcessImageMessage($data->getId()));
return $data;
}
public function remove($data, array $context = [])
{
$this->entityManager->remove($data);
$this->entityManager->flush();
$this->messageBus->dispatch(new DeleteImageMessage($data->getId()));
}
}

namespace AppEventSubscriber;
use ApiPlatformCoreEventListenerEventPriorities;
use AppEntityBook;
use SymfonyComponentEventDispatcherEventSubscriberInterface;
use SymfonyComponentHttpFoundationRequest;
use SymfonyComponentHttpKernelEventViewEvent;
use SymfonyComponentHttpKernelKernelEvents;
use SymfonyComponentMessengerMessageBusInterface;
final class BookMailSubscriber implements EventSubscriberInterface
{
private $messageBus;
public function __construct(MessageBusInterface $messageBus)
{
$this->messageBus = $messageBus;
}
public static function getSubscribedEvents()
{
return [
KernelEvents::VIEW => ['sendMail', EventPriorities::POST_WRITE],
];
}
public function sendMail(ViewEvent $event)
{
$book = $event->getControllerResult();
$method = $event->getRequest()->getMethod();
if (!$book instanceof Book || Request::METHOD_POST !== $method) {
return;
}
// send to all users 2M that new book has arrived
this->messageBus->dispatch(new SendEmailMessage(‘new-book’, $book->getTitle()));
}
}

• problem:
• different objects from source and in our database
• multiple sources of data (3rd party)
• DataTransform transforms from source object to our object
• exporting to CSV files
Using DTOs with import
and export

resources:
AppEntityOrder:
get: ~
exports:
method: POST
path: '/orders/export'
formats:
csv: ['text/csv']
pagination_enabled: false
output: "OrderExport::class"
normalization_context:
groups: ['order-export']

Real-time applications
with API platform

• Redis + NodeJS
• Pusher
• ReactPHP
• …
• but to be honest PHP is not build for realtime :)
Real-time applications
with API platform

• Fast, written in Go
• native browser support, no lib nor SDK required (built on top of HTTP and server-sent
events)
• compatible with all existing servers, even those who don't support persistent
connections (serverless architecture, PHP, FastCGI…)
• Automatic HTTP/2 and HTTPS (using Let's Encrypt) support
• CORS support, CSRF protection mechanism
• Cloud Native, follows the Twelve-Factor App methodology
• Open source (AGPL)
• …
Mercure

resources:
AppEntityGreeting:
attributes:
mercure: true
const eventSource = new EventSource('http://localhost:3000/hub?topic=' +
encodeURIComponent('http://example.com/greeting/1'));
eventSource.onmessage = event => {
// Will be called every time an update is published by the server
console.log(JSON.parse(event.data));
}

• Unit tests
• test your logic, refactor your code using SOLID priciples
• Integration tests
• validation
• 3rd party integrations
• database queries
• Functional tests
• response code, header and content (expected fields in expected format)
Type of tests

• Ask yourself: “Am I sure the code I tested works as it should?”
• 100% coverage doesn’t guarantee your code is fully tested and
working
• Write test first is just one of the approaches
• Legacy code:
• Start replicating bugs with tests before fixing them
• Test at least most important and critical parts
Testing tips and tricks

PHP Matcher
Library that enables you to check your response against patterns.

Faker
Library for generating random data

Postman tests
Newman + Postman

• Infection - tool for mutation testing
• PHPStan - focuses on finding errors in your code without actually
running it
• Continuous integration (CI) - enables you to run your tests on git on
each commit
Tools for checking test
quality

Api Platform is awesome!
Conclusion

Questions?
Antonio Perić-Mažar
t: @antonioperic
m: antonio@locastic.com
Paula Čučuk
t: @paulala_14
m: paula@locastic.com

Using API platform to build ticketing system (translations, time zones, ...) #sfday #verona

More Related Content

What's hot (20)

Similar to Using API platform to build ticketing system (translations, time zones, ...) #sfday #verona (20)

More from Antonio Peric-Mazar (20)

Recently uploaded (20)

Using API platform to build ticketing system (translations, time zones, ...) #sfday #verona