Using API platform to build ticketing system (translations, time zones, ...)

Transcript

1. Using API platform to build ticketing
   system
   Antonio Perić-Mažar, Locastic
   Paula Čučuk, Locastic
   18.10.2019. - #sfday
   

   View Slide

2. Antonio
   Perić-Mažar
   CEO @ Locastic
   Co-founder @ Litto
   Co-founder @ Tinel Meetup
   t: @antonioperic
   m: [email protected]
   

   View Slide

3. Paula Čučuk
   Lead Backend Developer @ Locastic
   Partner @ Locastic
   t: @paulala_14
   m: [email protected]
   

   View Slide

4. Locastic
   Helping clients create web
   and mobile apps since 2011
   • UX/UI
   • Mobile apps
   • Web apps
   • Training & Consulting
   www.locastic.com
   @locastic
   

   View Slide

5. View Slide

6. • API Platform & Symfony
   • Ticketing platform: GFNY (franchise business)
   • ~ year and half in production
   • ~ 60 000 tickets released & race results stored in DB
   • ~ 20 000 users/racers,
   • ~ 60 users with admin roles
   • 48 events in 26 countries, users from 82 countries
   • 8 different languages including Hebrew and Indonesian
   Context & our
   Experience
   

   View Slide

7. • Social network
   • chat based
   • matching similar to Tinder :)
   • few CRM/ERP applications
   Context & our
   Experience
   

   View Slide

8. What is API platform ?
   

   View Slide

9. –Fabien Potencier (creator of Symfony), SymfonyCon 2017
   “API Platform is the most advanced API platform,
   in any framework or language.”
   

   View Slide

10. • full stack framework dedicated to API-Driven projects
    • contains a PHP library to create a fully featured APIs supporting
    industry standards (JSON-LD, Hydra, GraphQL, OpenAPI…)
    • provides ambitious Javascript tooling to consume APIs in a snap
    • Symfony official API stack (instead of FOSRestBundle)
    • shipped with Docker and Kubernetes integration
    API Platform
    

    View Slide

11. • creating, retrieving, updating and deleting (CRUD) resources
    • data validation
    • pagination
    • filtering
    • sorting
    • hypermedia/HATEOAS and content negotiation support (JSON-LD
    and Hydra, JSON:API, HAL…)
    API Platform built-in
    features:
    

    View Slide

12. • GraphQL support
    • Nice UI and machine-readable documentations (Swagger UI/
    OpenAPI, GraphiQL…)
    • authentication (Basic HTP, cookies as well as JWT and OAuth through
    extensions)
    • CORS headers
    • security checks and headers (tested against OWASP
    recommendations)
    API Platform built-in
    features:
    

    View Slide

13. • invalidation-based HTTP caching
    • and basically everything needed to build modern APIs.
    API Platform built-in
    features:
    

    View Slide

14. Creating Simple CRUD
    in a minute
    

    View Slide

15. Create
    Entity
    Step One
    // src/Entity/Greeting.php
    namespace App\Entity;
    class Greeting
    {
    private $id;
    public $name = '';
    public function getId(): int
    {
    return $this->id;
    }
    }
    

    View Slide

16. Create
    Mapping
    Step Two
    # config/doctrine/Greeting.orm.yml
    App\Entity\Greeting:
    type: entity
    table: greeting
    id:
    id:
    type: integer
    generator: { strategy: AUTO }
    fields:
    name:
    type: string
    length: 100
    

    View Slide

17. Add
    Validation
    Step Three
    # config/validator/greeting.yaml
    App\Entity\Greeting:
    properties:
    name:
    - NotBlank: ~
    

    View Slide

18. Expose
    Resource
    Step Four # config/api_platform/resources.yaml
    resources:
    App\Entity\Greeting: ~
    

    View Slide

19. View Slide

20. View Slide

21. View Slide

22. View Slide

23. Serialization Groups
    

    View Slide

24. User Management &
    Security
    

    View Slide

25. • Avoid using FOSUserBundle
    • not well suited with API
    • Use Doctrine User Provider
    • simple and easy to integrate
    User management
    

    View Slide

26. // src/Entity/User.php
    namespace App\Entity;
    use Symfony\Component\Security\Core\User\UserInterface;
    use Symfony\Component\Serializer\Annotation\Groups;
    class User implements UserInterface
    {
    /**
    * @Groups({"user-read"})
    */
    private $id;
    /**
    * @Groups({"user-write", "user-read"})
    */
    private $email;
    /**
    * @Groups({"user-read"})
    */
    private $roles = [];
    /**
    * @Groups({"user-write"})
    */
    private $plainPassword;
    private $password;
    … getters and setters …
    }
    

    View Slide

27. // src/Entity/User.php
    namespace App\Entity;
    use Symfony\Component\Security\Core\User\UserInterface;
    use Symfony\Component\Serializer\Annotation\Groups;
    class User implements UserInterface
    {
    /**
    * @Groups({"user-read"})
    */
    private $id;
    /**
    * @Groups({"user-write", "user-read"})
    */
    private $email;
    /**
    * @Groups({"user-read"})
    */
    private $roles = [];
    /**
    * @Groups({"user-write"})
    */
    private $plainPassword;
    private $password;
    … getters and setters …
    }
    # config/doctrine/User.orm.yml
    App\Entity\User:
    type: entity
    table: users
    repositoryClass: App\Repository\UserRepository
    id:
    id:
    type: integer
    generator: { strategy: AUTO }
    fields:
    email:
    type: string
    length: 255
    password:
    type: string
    length: 255
    roles:
    type: array
    

    View Slide

28. // src/Entity/User.php
    namespace App\Entity;
    use Symfony\Component\Security\Core\User\UserInterface;
    use Symfony\Component\Serializer\Annotation\Groups;
    class User implements UserInterface
    {
    /**
    * @Groups({"user-read"})
    */
    private $id;
    /**
    * @Groups({"user-write", "user-read"})
    */
    private $email;
    /**
    * @Groups({"user-read"})
    */
    private $roles = [];
    /**
    * @Groups({"user-write"})
    */
    private $plainPassword;
    private $password;
    … getters and setters …
    }
    # config/doctrine/User.orm.yml
    App\Entity\User:
    type: entity
    table: users
    repositoryClass: App\Repository\UserRepository
    id:
    id:
    type: integer
    generator: { strategy: AUTO }
    fields:
    email:
    type: string
    length: 255
    password:
    type: string
    length: 255
    roles:
    type: array
    # config/api_platform/resources.yaml
    resources:
    App\Entity\User:
    attributes:
    normalization_context:
    groups: ['user-read']
    denormalization_context:
    groups: ['user-write']
    

    View Slide

29. use ApiPlatform\Core\DataPersister\ContextAwareDataPersisterInterface;
    use App\Entity\User;
    use Doctrine\ORM\EntityManagerInterface;
    use Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface;
    class UserDataPersister implements ContextAwareDataPersisterInterface
    {
    private $entityManager;
    private $userPasswordEncoder;
    public function __construct(EntityManagerInterface $entityManager, UserPasswordEncoderInterface $userPasswordEncoder)
    {
    $this->entityManager = $entityManager;
    $this->userPasswordEncoder = $userPasswordEncoder;
    }
    public function supports($data, array $context = []): bool
    {
    return $data instanceof User;
    }
    public function persist($data, array $context = [])
    {
    /** @var User $data */
    if ($data->getPlainPassword()) {
    $data->setPassword(
    $this->userPasswordEncoder->encodePassword($data, $data->getPlainPassword())
    );
    $data->eraseCredentials();
    }
    $this->entityManager->persist($data);
    $this->entityManager->flush($data);
    return $data;
    }
    public function remove($data, array $context = [])
    {
    $this->entityManager->remove($data);
    $this->entityManager->flush();
    }
    

    View Slide

30. • Lightweight and simple authentication system
    • Stateless: token signed and verified server-side then stored client-
    side and sent with each request in an Authorization header
    • Store the token in the browser local storage
    JSON Web Token (JWT)
    

    View Slide

31. View Slide

32. View Slide

33. • API Platform allows to easily add a JWT-based authentication to your
    API using LexikJWTAuthenticationBundle.
    • Maybe you want to use a refresh token to renew your JWT. In this
    case you can check JWTRefreshTokenBundle.
    User authentication
    

    View Slide

34. View Slide

35. User security
    checker
    Security
    namespace App\Security;
    use App\Exception\AccountDeletedException;
    use App\Security\User as AppUser;
    use Symfony\Component\Security\Core\Exception\AccountExpiredException;
    use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticat
    use Symfony\Component\Security\Core\User\UserCheckerInterface;
    use Symfony\Component\Security\Core\User\UserInterface;
    class UserChecker implements UserCheckerInterface
    {
    public function checkPreAuth(UserInterface $user)
    {
    if (!$user instanceof AppUser) {
    return;
    }
    // user is deleted, show a generic Account Not Found message.
    if ($user->isDeleted()) {
    throw new AccountDeletedException();
    }
    }
    public function checkPostAuth(UserInterface $user)
    {
    if (!$user instanceof AppUser) {
    return;
    }
    // user account is expired, the user may be notified
    if ($user->isExpired()) {
    throw new AccountExpiredException('...');
    }
    }
    }
    

    View Slide

36. User security
    checker
    Security
    # config/packages/security.yaml
    # ...
    security:
    firewalls:
    main:
    pattern: ^/
    user_checker: App\Security\UserChecker
    # ...
    

    View Slide

37. Resource and
    operation
    level
    Security
    # api/config/api_platform/resources.yaml
    App\Entity\Book:
    attributes:
    security: 'is_granted("ROLE_USER")'
    collectionOperations:
    get: ~
    post:
    security: 'is_granted("ROLE_ADMIN")'
    itemOperations:
    get: ~
    put:
    security_: 'is_granted("ROLE_ADMIN")
    or object.owner == user'
    

    View Slide

38. Resource and
    operation
    level using
    Voters
    Security
    # api/config/api_platform/resources.yaml
    App\Entity\Book:
    itemOperations:
    get:
    security_: 'is_granted('READ', object)'
    put:
    security_: 'is_granted('UPDATE', object)'
    

    View Slide

39. • A JWT is self-contained, meaning that we can trust into its payload
    for processing the authentication. In a nutshell, there should be no
    need for loading the user from the database when authenticating a
    JWT Token, the database should be hit only once for delivering the
    token.
    • It means you will have to fetch the User entity from the database
    yourself as needed (probably through the Doctrine EntityManager).
    JWT tip
    A database-less user
    provider
    

    View Slide

40. JWT tip
    A database-less user
    provider
    # config/packages/security.yaml
    security:
    providers:
    jwt:
    lexik_jwt: ~
    security:
    firewalls:
    api:
    provider: jwt
    guard:
    # ...
    

    View Slide

41. Creating
    multi-language APIs
    

    View Slide

42. • Locastic Api Translation Bundle
    • Translation bundle for ApiPlatform based on Sylius translation
    • It requires two entities: Translatable & Translation entity
    • Open source
    • https://github.com/Locastic/ApiPlatformTranslationBundle
    • https://locastic.com/blog/having-troubles-with-implementing-
    translations-in-apiplatform/
    Creating
    multi-language APIs
    

    View Slide

43. POST
    translation
    example
    Multi-language API
    {
    "datetime":"2017-10-10",
    "translations": {
    "en":{
    "title":"test",
    "content":"test",
    "locale":"en"
    },
    "de":{
    "title":"test de",
    "content":"test de",
    "locale":"de"
    }
    }
    }
    

    View Slide

44. Get response by locale
    GET /api/posts/1?locale=en
    
    {
    "@context": "/api/v1/contexts/Post",
    "@id": "/api/v1/posts/1')",
    "@type": "Post",
    "id": 1,
    "datetime":"2019-10-10",
    "title":"Hello world",
    "content":"Hello from Verona!"
    }
    

    View Slide

45. Get response with all translations
    GET /api/posts/1?groups[]=translations
    {
    "@context": "/api/v1/contexts/Post",
    "@id": "/api/v1/posts/1')",
    "@type": "Post",
    "id": 1,
    "datetime":"2019-10-10",
    "translations": {
    "en":{
    "title":"Hello world",
    "content":"Hello from Verona!",
    "locale":"en"
    },
    "it":{
    "title":"Ciao mondo",
    "content":"Ciao da Verona!",
    "locale":"it"
    }
    }
    }
    

    View Slide

46. • Endpoint for creating new language
    • Creates all Symfony translation files when new language is added
    • Endpoint for editing each language translation files
    Adding languages and
    translations
    dynamically
    

    View Slide

47. Manipulating
    the Context
    Context
    namespace App\Entity;
    use ApiPlatform\Core\Annotation\ApiResource;
    use Symfony\Component\Serializer\Annotation\Groups;
    /**
    * @ApiResource(
    * normalizationContext={"groups"={"book:output"}},
    * denormalizationContext={"groups"={"book:input"}}
    * )
    */
    class Book
    {
    // ...
    /**
    * This field can be managed only by an admin
    *
    * @var bool
    *
    * @Groups({"book:output", "admin:input"})
    */
    public $active = false;
    /**
    * This field can be managed by any user
    *
    * @var string
    *
    * @Groups({"book:output", "book:input"})
    */
    public $name;
    // ...
    }
    

    View Slide

48. Manipulating
    the Context
    Context
    # api/config/services.yaml
    services:
    # ...
    'App\Serializer\BookContextBuilder':
    decorates: 'api_platform.serializer.context_builder'
    arguments: [ '@App\Serializer\BookContextBuilder.inner' ]
    autoconfigure: false
    

    View Slide

49. // api/src/Serializer/BookContextBuilder.php
    namespace App\Serializer;
    use ApiPlatform\Core\Serializer\SerializerContextBuilderInterface;
    use Symfony\Component\HttpFoundation\Request;
    use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
    use App\Entity\Book;
    final class BookContextBuilder implements SerializerContextBuilderInterface
    {
    private $decorated;
    private $authorizationChecker;
    public function __construct(SerializerContextBuilderInterface $decorated, AuthorizationCheckerInterface
    $authorizationChecker)
    {
    $this->decorated = $decorated;
    $this->authorizationChecker = $authorizationChecker;
    }
    public function createFromRequest(Request $request, bool $normalization, ?array $extractedAttributes = null): array
    {
    $context = $this->decorated->createFromRequest($request, $normalization, $extractedAttributes);
    $resourceClass = $context['resource_class'] ?? null;
    if ($resourceClass === Book::class && isset($context['groups']) && $this->authorizationChecker-
    >isGranted('ROLE_ADMIN') && false === $normalization) {
    $context['groups'][] = 'admin:input';
    }
    return $context;
    }
    }
    

    View Slide

50. Symfony Messanger
    Component
    

    View Slide

51. • The Messenger component helps applications send and receive
    messages to/from other applications or via message queues.
    • Easy to implement
    • Making async easy
    • Many transports are supported to dispatch messages to async
    consumers, including RabbitMQ, Apache Kafka, Amazon SQS and
    Google Pub/Sub.
    Symfony Messenger
    

    View Slide

52. View Slide

53. View Slide

54. • Allows to implement the Command Query Responsibility Segregation
    (CQRS) pattern in a convenient way.
    • It also makes it easy to send messages through the web API that will
    be consumed asynchronously.
    • Async import, export, image processing… any heavy work
    Symfony Messenger &
    API Platform
    

    View Slide

55. CQRS
    Symfony Messenger & API Platform
    App\Entity\PasswordResetRequest:
    collectionOperations:
    post:
    status: 202
    itemOperations: []
    attributes:
    messenger: true
    output: false
    

    View Slide

56. CQRS
    Symfony Messenger & API Platform
    namespace App\Handler;
    use App\Entity\PasswordResetRequest;
    use Symfony\Component\Messenger\Handler\MessageHandlerInterfac
    final class PasswordResetRequestHandler implements MessageHand
    {
    public function __invoke(PasswordResetRequest $forgotPassw
    {
    // do some heavy things
    }
    }
    namespace App\Entity;
    final class PasswordResetRequest
    {
    public $email;
    }
    

    View Slide

57. CQRS
    /w DTO
    Symfony Messenger & API Platform
    App\Entity\User:
    collectionOperations:
    post:
    status: 202
    itemOperations: []
    attributes:
    messenger: “input”
    input: “ResetPasswordRequest::class”
    output: false
    // api/src/Entity/User.php
    namespace App\Entity;
    use ApiPlatform\Core\Annotation\ApiResource;
    use App\Dto\ResetPasswordRequest;
    final class User
    {
    }
    

    View Slide

58. CQRS
    /w DTO
    Symfony Messenger & API Platform
    // api/src/Handler/ResetPasswordRequestHandler.php
    namespace App\Handler;
    use App\Dto\ResetPasswordRequest;
    use Symfony\Component\Messenger\Handler\MessageHandlerInterface;
    final class ResetPasswordRequestHandler implements MessageHandle
    {
    public function __invoke(ResetPasswordRequest $forgotPasswor
    {
    // do something with the resource
    }
    }
    // api/src/Dto/ResetPasswordRequest.php
    namespace App\Dto;
    use Symfony\Component\Validator\Constraints as Assert;
    final class ResetPasswordRequest
    {
    public $var;
    }
    

    View Slide

59. namespace App\DataPersister;
    use ApiPlatform\Core\DataPersister\ContextAwareDataPersisterInterface;
    use App\Entity\ImageMedia;
    use Doctrine\ORM\EntityManagerInterface;
    use Symfony\Component\Messenger\MessageBusInterface;
    class ImageMediaDataPersister implements ContextAwareDataPersisterInterface
    {
    private $entityManager;
    private $messageBus;
    public function __construct(EntityManagerInterface $entityManager, MessageBusInterface $messageBus)
    {
    $this->entityManager = $entityManager;
    $this->messageBus = $messageBus;
    }
    public function supports($data, array $context = []): bool
    {
    return $data instanceof ImageMedia;
    }
    public function persist($data, array $context = [])
    {
    $this->entityManager->persist($data);
    $this->entityManager->flush($data);
    $this->messageBus->dispatch(new ProcessImageMessage($data->getId()));
    return $data;
    }
    public function remove($data, array $context = [])
    {
    $this->entityManager->remove($data);
    $this->entityManager->flush();
    $this->messageBus->dispatch(new DeleteImageMessage($data->getId()));
    }
    }
    

    View Slide

60. namespace App\EventSubscriber;
    use ApiPlatform\Core\EventListener\EventPriorities;
    use App\Entity\Book;
    use Symfony\Component\EventDispatcher\EventSubscriberInterface;
    use Symfony\Component\HttpFoundation\Request;
    use Symfony\Component\HttpKernel\Event\ViewEvent;
    use Symfony\Component\HttpKernel\KernelEvents;
    use Symfony\Component\Messenger\MessageBusInterface;
    final class BookMailSubscriber implements EventSubscriberInterface
    {
    private $messageBus;
    public function __construct(MessageBusInterface $messageBus)
    {
    $this->messageBus = $messageBus;
    }
    public static function getSubscribedEvents()
    {
    return [
    KernelEvents::VIEW => ['sendMail', EventPriorities::POST_WRITE],
    ];
    }
    public function sendMail(ViewEvent $event)
    {
    $book = $event->getControllerResult();
    $method = $event->getRequest()->getMethod();
    if (!$book instanceof Book || Request::METHOD_POST !== $method) {
    return;
    }
    // send to all users 2M that new book has arrived
    this->messageBus->dispatch(new SendEmailMessage(‘new-book’, $book->getTitle()));
    }
    }
    

    View Slide

61. • problem:
    • different objects from source and in our database
    • multiple sources of data (3rd party)
    • DataTransform transforms from source object to our object
    • exporting to CSV files
    Using DTOs with import
    and export
    

    View Slide

62. resources:
    App\Entity\Order:
    collectionOperations:
    get: ~
    exports:
    method: POST
    path: '/orders/export'
    formats:
    csv: ['text/csv']
    pagination_enabled: false
    output: "OrderExport::class"
    normalization_context:
    groups: ['order-export']
    

    View Slide

63. Real-time applications
    with API platform
    

    View Slide

64. View Slide

65. • Redis + NodeJS
    • Pusher
    • ReactPHP
    • …
    • but to be honest PHP is not build for realtime :)
    Real-time applications
    with API platform
    

    View Slide

66. View Slide

67. • Fast, written in Go
    • native browser support, no lib nor SDK required (built on top of HTTP and server-sent
    events)
    • compatible with all existing servers, even those who don't support persistent
    connections (serverless architecture, PHP, FastCGI…)
    • Automatic HTTP/2 and HTTPS (using Let's Encrypt) support
    • CORS support, CSRF protection mechanism
    • Cloud Native, follows the Twelve-Factor App methodology
    • Open source (AGPL)
    • …
    Mercure
    

    View Slide

68. resources:
    App\Entity\Greeting:
    attributes:
    mercure: true
    const eventSource = new EventSource('http://localhost:3000/hub?topic=' +
    encodeURIComponent('http://example.com/greeting/1'));
    eventSource.onmessage = event => {
    // Will be called every time an update is published by the server
    console.log(JSON.parse(event.data));
    }
    

    View Slide

69. Testing
    

    View Slide

70. View Slide

71. • Unit tests
    • test your logic, refactor your code using SOLID priciples
    • Integration tests
    • validation
    • 3rd party integrations
    • database queries
    • Functional tests
    • response code, header and content (expected fields in expected format)
    Type of tests
    

    View Slide

72. • Ask yourself: “Am I sure the code I tested works as it should?”
    • 100% coverage doesn’t guarantee your code is fully tested and
    working
    • Write test first is just one of the approaches
    • Legacy code:
    • Start replicating bugs with tests before fixing them
    • Test at least most important and critical parts
    Testing tips and tricks
    

    View Slide

73. Handy testing tools
    

    View Slide

74. PHP Matcher
    Library that enables you to check your response against patterns.
    

    View Slide

75. Faker
    Library for generating random data
    

    View Slide

76. Postman tests
    Newman + Postman
    

    View Slide

77. • Infection - tool for mutation testing
    • PHPStan - focuses on finding errors in your code without actually
    running it
    • Continuous integration (CI) -  enables you to run your tests on git on
    each commit
    Tools for checking test
    quality
    

    View Slide

78. Api Platform is awesome!
    Conclusion
    

    View Slide

79. Thank you!
    

    View Slide

80. Questions?
    Antonio Perić-Mažar
    t: @antonioperic
    m: [email protected]
    Paula Čučuk
    t: @paulala_14
    m: [email protected]
    

    View Slide