REST API Security

RamsesLead · March 18, 2025, 12:06pm

Hi,
PHPMaker 2025

I’ve made my own API_Actions but it seems, that the user is not validated against the token, so every token (expired or not) works - what am I missing?

The sample in the docu shows no security validation so I thought this is handled like the other REST Apis

thanks
Philipp

arbei · March 19, 2025, 2:06am

If you use API_Actions and want to reuse the built-in REST Security, when you add your API action, you need to add the JwtMiddleware, e.g.

$app->get('/hello/{name}', function ($request, $response, $args) {
//...
})->add(JwtMiddleware::class);

However, I recommend using the API controller approach instead.

mansour · April 8, 2025, 6:42am

Hi,
You recommended using the API controller approach. is it work with 2024? if so, please post and example for post and JwtMiddleware enabled.

Thanks

arbei · April 8, 2025, 6:46am

See Example 4 (v2024, which is same)

mansour · April 8, 2025, 6:54am

Thank you for your quick answer. I added the PedraApiController.php file with the following code. is it ok?

<?php

// PedraApiController.php

namespace {ProjectNamespace}; // NOTE: Make sure you use {ProjectNamespace}

use Psr\Container\ContainerInterface;

use Psr\Http\Message\ServerRequestInterface as Request;

use Psr\Http\Message\ResponseInterface as Response;

use {ProjectNamespace}\Attributes\Delete;

use {ProjectNamespace}\Attributes\Get;

use {ProjectNamespace}\Attributes\Map;

use {ProjectNamespace}\Attributes\Options;

use {ProjectNamespace}\Attributes\Patch;

use {ProjectNamespace}\Attributes\Post;

use {ProjectNamespace}\Attributes\Put;

/**

* My API controller

*/

class PedraApiController extends AbstractController

{

$app->post('/getLetterTemplates', function ($request, $response) {

$params = $request->getParsedBody();

... rest of the code ...

})->add(JwtMiddleware::class);

}

thanks

arbei · April 9, 2025, 1:44am

You need to follow the syntax in the example.

cyrus · May 16, 2025, 5:59am

hi
i did it as you say in phpmaker 2024:

$app->get('/hello/{name}', function ($request, $response, $args) {
//...
})->add(JwtMiddleware::class);

,and delete ‘api cache’ but it doesn’t work and still work without JwT , what did i go wrong?

arbei · May 16, 2025, 7:36am

JwtMiddleware only decodes the JWT token (if any) and tries to log user it, it does not (un)authorize user because it does not have any info about the permissions of your own API actions. If you want to authorize the user, you need to do it yourself. For example, if you want to check the user’s user level, you can check Security()->currentUserLevelID(). If the user is not allowed, you should return a 401 response.