Download the PHP package stratoss/phalcon2rest without Composer

On this page you can find all versions of the php package stratoss/phalcon2rest. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download you need a single include, require_once('vendor/autoload.php');. After that you import the classes with use statements.

Example:
If you use only one package, a project is not needed. But if you use more than one package, it is not possible to import the classes with use statements without a project.

In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
Some PHP packages are not free to download and because of that hosted in private repositories. In this case some credentials are needed to access such packages. Please use the auth.json textarea to insert credentials, if a package is coming from a private repository. You can look here for more information.

  • Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
  • To use Composer is sometimes complicated. Especially for beginners.
  • Composer needs a lot of resources, which are sometimes not available on a simple webspace.
  • If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then provide a simple download link to your team members.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.

Informations about the package phalcon2rest

Phalcon2Rest

A base project for APIs using the Phalcon2 framework

This project is a fork of cmoore4's PhalconRest, modified to work correctly with Phalcon2. It includes the latest phpleague OAuth2 Server at the moment (5.x) and uses JSON Web Tokens (JWT). Rate limiting is implemented as well.

The Phalcon framework is an awesome PHP framework that exists as a C extension to the language. This allows it to be incredibly fast. But aside from its speed, it is an amazingly powerful framework with excellent documentation that follows many best practices of modern software development. This includes using the Dependency Injection pattern to handle service resolution across classes, a PSR-0 compliant autoloader, MVC architecture (or not), caching handlers for database, flat file, redis, etc., and a ton of additional features.

The purpose of this project is to establish a base project with Phalcon that uses the best practices of the Phalcon framework to implement best practices of API design.

Writing routes that respond with JSON is easy in any of the major frameworks. What I've done here is to go beyond that and extend the framework such that APIs written using this project are pragmatically REST-ish and have convenience methods and patterns implemented that are more than a simple 'echo json_encode($array)'.

Provided are robust Error messages, controllers that parse searching strings and partial responses, response classes for sending multiple MIME types based on the request, and examples of how to implement authentication in a few ways, as well as a few templates for implementing common REST-ish tasks.

It is highly recommended to read through the index.php, Exceptions\HttpException.php and Modules\V1\Controllers\RestController.php files.

General information and complete documentation on using the OAuth2 server can be found here

API Assumptions

URL Structure

Request Bodies

Request bodies will be submitted as valid JSON.

The Fields

Search

Searches are determined by the 'q' parameter. Following that is a parenthesis enclosed list of key:value pairs, separated by commas.

ex: q=(name:Jonhson,city:Oklahoma)

Partial Responses

Partial responses are used to return only certain explicit fields from a record. They are determined by the 'fields' parameter, which is a list of field names separated by commas, enclosed in parentheses.

ex: fields=(id,name,location)

Limit and Offset

Often used to paginate large result sets. Offset is the record to start from, and limit is the number of records to return.

ex: limit=20&offset=20 will return results 21 to 40

Return Type

Overrides any Accept header. JSON is assumed otherwise. A return type handler for the requested type must be implemented.

ex: type=csv

Suppressed Error Codes

Some clients require all responses to be a 200 (Flash, for example), even if there was an application error. With this parameter included, the application will always return a 200 response code, and clients will be responsible for checking the response body to ensure a valid response.

ex: suppress_error_codes=true
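As an added example (not the project's own code), the following PHP parses the q, fields, limit, offset and type parameters described above and applies them to a constructed in-memory record set. The function names, the allow-list of columns and the exact-match semantics of the search are assumptions; the README does not state how RestController matches search values.

```php
<?php
// Added example, not part of phalcon2rest. Parses the query parameters the
// README describes and applies them to constructed data. Names are assumed.

/** Parse "(key:value,key2:value2)" into an associative array; [] if absent or malformed. */
function parseSearch(?string $q): array
{
    if ($q === null || !preg_match('/^\((.*)\)$/', $q, $m)) {
        return [];
    }
    $out = [];
    foreach (explode(',', $m[1]) as $pair) {
        if ($pair === '' || strpos($pair, ':') === false) {
            continue;                                  // skip malformed pairs instead of failing
        }
        [$key, $value] = explode(':', $pair, 2);
        $out[trim($key)] = trim($value);
    }
    return $out;
}

/** Parse "(id,name,location)" into ['id', 'name', 'location']; [] if absent or malformed. */
function parseFields(?string $fields): array
{
    if ($fields === null || !preg_match('/^\((.*)\)$/', $fields, $m)) {
        return [];
    }
    return array_values(array_filter(array_map('trim', explode(',', $m[1])), 'strlen'));
}

/** Clamp limit/offset so a client cannot request an unbounded result set. */
function parsePaging(array $query, int $defaultLimit = 20, int $maxLimit = 100): array
{
    $limit  = isset($query['limit'])  ? (int) $query['limit']  : $defaultLimit;
    $offset = isset($query['offset']) ? (int) $query['offset'] : 0;
    return ['limit' => max(1, min($limit, $maxLimit)), 'offset' => max(0, $offset)];
}

// Constructed request, equivalent to
//   ?q=(year:2010)&offset=1&limit=2&type=csv&fields=(id,author)
$query = ['q' => '(year:2010)', 'offset' => '1', 'limit' => '2', 'type' => 'csv', 'fields' => '(id,author)'];

// Assumed schema of the example resource. Only allow-listed column names are
// accepted, so a client-chosen key never reaches the query builder unchecked.
$allowedColumns = ['id', 'author', 'title', 'year'];
$search = array_intersect_key(parseSearch($query['q'] ?? null), array_flip($allowedColumns));
$fields = array_values(array_intersect(parseFields($query['fields'] ?? null), $allowedColumns));
$paging = parsePaging($query);
$type   = in_array($query['type'] ?? 'json', ['json', 'csv'], true) ? $query['type'] : 'json';

// Constructed record set standing in for the database rows.
$records = [
    ['id' => 1, 'author' => 'A', 'title' => 't1', 'year' => 2010],
    ['id' => 2, 'author' => 'B', 'title' => 't2', 'year' => 2011],
    ['id' => 3, 'author' => 'C', 'title' => 't3', 'year' => 2010],
    ['id' => 4, 'author' => 'D', 'title' => 't4', 'year' => 2010],
];

// Exact-match filtering on every search key (an assumption; the project may use LIKE).
$matched = array_filter($records, function (array $r) use ($search): bool {
    foreach ($search as $k => $v) {
        if (!array_key_exists($k, $r) || (string) $r[$k] !== $v) {
            return false;
        }
    }
    return true;
});

// Paginate, then reduce each record to the requested fields (all fields when none given).
$page    = array_slice(array_values($matched), $paging['offset'], $paging['limit']);
$partial = array_map(
    fn (array $r): array => $fields ? array_intersect_key($r, array_flip($fields)) : $r,
    $page
);

echo "response type: $type", PHP_EOL;
print_r($partial);
```

Clamping limit and allow-listing column names are the two checks a practitioner would want in front of any query builder: without them a client can page through an entire table in one request or probe for column names via the search and fields parameters.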

Installation

Getting composer

Installing the project & dependencies (expecting phalcon2 to be loaded as a module!)

Public / private keys used for JWT signing: sample keys are generated in the ssl folder. You must regenerate your own set before going to production!
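As an added example (not the project's own code), this PHP regenerates an RSA key pair for JWT signing in place of the shipped sample keys. The file names private.key and public.key under ssl/ are assumptions; use whatever paths the project's config points at.

```php
<?php
// Added example, not part of phalcon2rest. Generates a fresh RSA key pair for
// RS256 JWT signing. File names under the target directory are assumed.

function generateJwtKeyPair(string $dir, int $bits = 2048): array
{
    $key = openssl_pkey_new([
        'private_key_bits' => $bits,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    if ($key === false) {
        throw new RuntimeException('openssl_pkey_new failed: ' . openssl_error_string());
    }
    if (!openssl_pkey_export($key, $privatePem)) {
        throw new RuntimeException('openssl_pkey_export failed: ' . openssl_error_string());
    }
    $publicPem = openssl_pkey_get_details($key)['key'];

    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    $privPath = $dir . '/private.key';   // assumed file name
    $pubPath  = $dir . '/public.key';    // assumed file name

    // The private key is the signing secret: only the application user may read it.
    file_put_contents($privPath, $privatePem);
    chmod($privPath, 0600);
    // The public key only verifies signatures and can be world-readable.
    file_put_contents($pubPath, $publicPem);
    chmod($pubPath, 0644);

    return ['private' => $privPath, 'public' => $pubPath];
}

$paths = generateJwtKeyPair(__DIR__ . '/ssl');
printf("private key: %s\npublic key: %s\n", $paths['private'], $paths['public']);
```

Anyone holding the sample private key from the repository can mint access tokens the server will accept, which is why the README insists on regenerating the pair; keep the generated private key out of version control.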

Responses

All route controllers must return an array. This array is used to create the response object.

Retrieving access token using password grant

Retrieving access token using client_credentials grant

Exchanging refresh token for a new set of refresh token + access token

Retrieving access token using implicit grant

Check out Modules/V1/Controllers/AuthorizeController.php. An extra step must be taken in order to authenticate the user.

For simplicity assuming that the process started with a POST request to https://domain/v1/authorize sending POST data "response_type=token&client_id=1&scope=basic" and successful client auth, the response would be a redirect to

http://example.com/super-app#access_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6IjBjZDUxMDRkZDg2YTg0OThhZWUyZGQzOGNlYzgzYzRkMTU4MmE4YjM4ZmZjYWY3ZDQ2MjZiZTY0NWUxN2Q0MjJjZWJmMDRlNWY2YjBjNWUxIn0.eyJhdWQiOiIxIiwianRpIjoiMGNkNTEwNGRkODZhODQ5OGFlZTJkZDM4Y2VjODNjNGQxNTgyYThiMzhmZmNhZjdkNDYyNmJlNjQ1ZTE3ZDQyMmNlYmYwNGU1ZjZiMGM1ZTEiLCJpYXQiOjE0NjI3ODg0NzcsIm5iZiI6MTQ2Mjc4ODQ3NywiZXhwIjoxNDYyNzkyMDc3LCJzdWIiOiIxIiwic2NvcGVzIjpbImJhc2ljIl19.mI8E7KVG6NGxBqbZ6nVojtOXbvRCQzjnNcBSRHAbF2SyoKQlQTGAfDmGNxozfKoNh7G60Il84NKYVvwhC3S3-jLhsEgVA0UePnVnGq4V84M0yMBtLJY3puLSIOAoAGuvUjMjSlxNJnqXZ68R3oD1vi3dmA7MVeSELbii2apAyo4&token_type=bearer&expires_in=3600

Retrieving access code using authorization code grant

Check out Modules/V1/Controllers/AuthorizeController.php. An extra step must be taken in order to authenticate the user.

For simplicity assuming that the process started with a POST request to https://domain/v1/authorize sending POST data "response_type=code&client_id=1&scope=basic" and successful client auth, the response would be a redirect to

http://example.com/super-app?code=ReoVHgGRnMj6IVhAUDUvunKKCi2BvGxfsJ8nGMj%2FIO2ITr6u7%2FJ7epKAIEG%2F0KZMk5Cc5GhWouG8zYHgGwzAHSztOS%2FKKp8krH5rm6e4pIkmhYvy9TCDUF1fdSo0axfZTQm1V9Ja8Ww3GN%2BeMvpmoKCXPNB8VEOs7smkTI9EGJGjVC2bS26ZJKWGuIV1UqyUKEeSiNfvhAqzeZWF2fXhGDDxmawtIPo7C3Vhs9ZW035P%2FKcugRxdT5t5MTkB%2BgRllqNGLo1DCnXvSB9E9H6KOEraMMYdqzcX4YNX8TseBrJINBJM7JUZkjFqQ176DXfnI7ULN7R%2FUJrRwWNdPMuHwQ%3D%3D

JSON

JSON is the default response type. The responses will look like this:

An envelope can be included in responses via the 'envelope=true' query parameter. This will return the record set and the meta information as the body.

Often, database field names are snake_cased. However, when working with an API, developers generally prefer JSON fields to be returned in camelCase (many API requests are from browsers, in JS). This project will by default convert all keys in a records response from snake_case to camelCase.

This can be turned off for your API by calling the JSONResponse's convertSnakeCase(false) method.
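As an added example (not the project's own code), this PHP performs the snake_case to camelCase key conversion described above, recursing into nested records and leaving numeric list indices untouched. The function names are assumptions; the project's JSONResponse implements this internally.

```php
<?php
// Added example, not part of phalcon2rest. Converts record keys from
// snake_case to camelCase recursively. Function names are assumed.

function snakeToCamel(string $key): string
{
    // "created_at" -> "createdAt"; leading, trailing and doubled underscores are tolerated
    return lcfirst(str_replace('_', '', ucwords($key, '_')));
}

function convertKeys(array $data, bool $convert = true): array
{
    if (!$convert) {
        return $data;                     // behaviour of convertSnakeCase(false)
    }
    $out = [];
    foreach ($data as $key => $value) {
        $newKey = is_string($key) ? snakeToCamel($key) : $key;   // keep numeric list indices
        $out[$newKey] = is_array($value) ? convertKeys($value, true) : $value;
    }
    return $out;
}

// Constructed record set, shaped like rows from the project's sqlite3 database.
$records = [
    ['id' => 1, 'first_name' => 'Ada',   'created_at' => '2016-05-09', 'address' => ['zip_code' => '10001']],
    ['id' => 2, 'first_name' => 'Linus', 'created_at' => '2016-05-10', 'address' => ['zip_code' => '94043']],
];

echo json_encode(convertKeys($records), JSON_PRETTY_PRINT), PHP_EOL;
```

One caveat when switching this on: two distinct columns such as user_id and userId collapse onto the same JSON key, so the later one silently overwrites the earlier one in the response.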

CSV

CSV is the other implemented handler. It uses the first record's keys as the header row, and then creates a CSV row from each record in the array. The header row can be toggled off for responses.

Errors

Phalcon2Rest\Exceptions\HttpException extends PHP's native Exception class. Throwing this type of exception returns a nicely formatted JSON response to the client.

Returns this:

Example Controller

The Example Controller sets up a route at /example and implements all of the above query parameters. You can mix and match any of these queries:

api.example.local/v1/example?q=(author:Stanimir Stoyanov)

api.example.local/v1/example?fields=(id,title)

api.example.local/v1/example/1?fields=(author)&envelope=false

api.example.local/v1/example?type=csv

api.example.local/v1/example?q=(year:2010)&offset=1&limit=2&type=csv&fields=(id,author)

Rate Limiting

There are 3 rate limiters implemented, configured in config/config.ini.

How many requests for an access token are permitted

[access_token_limits]

r1 = 5

This line sets a limit of 1 request per 5 seconds per IP for /access_token & /authorize endpoints.

How many unauthorized requests

[api_unauthorized_limits]

r10 = 60

This line sets a limit of 10 requests per minute per IP for every other request when the Authorization header is missing or invalid. OPTIONS requests are counted here too.

Everything else

[api_common_limits]

r600 = 3600

600 requests per hour for all authorized consumers. Users and clients are counted separately here.

Tracking the rate limiter

Each request returns the X-Rate-Limit-* headers, e.g.

When the limit is reached:
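As an added example (not the project's own code), this PHP reads an "rN = T" limiter line in the config.ini format shown above, interprets it as N requests per T seconds, and enforces it as a fixed-window counter that emits X-Rate-Limit-* headers. The in-memory store, the class and function names and the header names after the X-Rate-Limit- prefix are assumptions; the README only shows the prefix.

```php
<?php
// Added example, not part of phalcon2rest. Parses an "rN = T" limiter section
// and applies it as a fixed-window counter. Store and header names are assumed.

/** ['r10' => '60'] becomes ['requests' => 10, 'seconds' => 60]. */
function parseLimit(array $section): array
{
    foreach ($section as $key => $seconds) {
        if (preg_match('/^r(\d+)$/', (string) $key, $m)) {
            return ['requests' => (int) $m[1], 'seconds' => (int) $seconds];
        }
    }
    throw new InvalidArgumentException('no rN = T entry in limiter section');
}

final class FixedWindowLimiter
{
    /** @var array<string, array{count:int, reset:int}> one window per subject */
    private array $windows = [];

    public function __construct(private int $requests, private int $seconds) {}

    /** Returns [allowed, headers]. $subject is an IP, client id or user id. */
    public function hit(string $subject, int $now): array
    {
        $w = $this->windows[$subject] ?? null;
        if ($w === null || $now >= $w['reset']) {
            $w = ['count' => 0, 'reset' => $now + $this->seconds];   // open a new window
        }
        $w['count']++;
        $this->windows[$subject] = $w;

        $allowed = $w['count'] <= $this->requests;
        $headers = [
            'X-Rate-Limit-Limit'     => $this->requests,                         // assumed name
            'X-Rate-Limit-Remaining' => max(0, $this->requests - $w['count']),  // assumed name
            'X-Rate-Limit-Reset'     => $w['reset'],                            // assumed name
        ];
        return [$allowed, $headers];
    }
}

// Constructed config equivalent to the README's [api_unauthorized_limits] section.
$ini     = parse_ini_string("[api_unauthorized_limits]\nr10 = 60\n", true);
$limit   = parseLimit($ini['api_unauthorized_limits']);
$limiter = new FixedWindowLimiter($limit['requests'], $limit['seconds']);

// Eleven unauthenticated requests from one constructed client address in one window:
// the first ten pass, the eleventh is rejected until the window resets.
$now = time();
for ($i = 1; $i <= 11; $i++) {
    [$allowed, $headers] = $limiter->hit('203.0.113.7', $now);
    printf("request %2d: %s, remaining=%d, reset=%d\n",
        $i, $allowed ? '200 OK' : '429 Too Many Requests',
        $headers['X-Rate-Limit-Remaining'], $headers['X-Rate-Limit-Reset']);
}
```

Two deployment points: the per-IP limiters are only as good as the client address they see, so behind a proxy or load balancer the application must take the address from a forwarded header it trusts rather than from the connection; and an in-memory store like this one is per process, so a real deployment keeps the counters in the shared cache (memcached or redis, as the performance section recommends).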

What about CORS?

Controllers that extend RestController get a base CORS policy.

The controller will be inspected and Access-Control-Allow-Methods will be populated with all valid methods found.

Please note that there is no way to safely authorize the user with the OPTIONS method, so those requests are counted in the rate limiter as unauthorized ones.

Performance optimization

By default FileCache is used, which is extremely slow. Consider using memcached or redis. In the project we're using sqlite3 as database. Consider using MySQL/PostgreSQL/MongoDB or something else with caching up-front.

Anything else?

Revocation of access/refresh tokens is not implemented, as this is highly application-specific.

Check out Components\Oauth2\Repositories\AccessTokenRepository.php and Components\Oauth2\Repositories\RefreshTokenRepository.php

Each access token has a unique identifier (jti) which can be used for revocation.

The tokens can be easily debugged using a tool like JWT.io
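As an added example (not the project's own code), this PHP inspects a JWT the way JWT.io does and shows how the jti claim supports the revocation check the README leaves to the application. It decodes the header and payload only; it does not verify the RS256 signature, which the OAuth2 server's resource-server middleware must still do before any claim is trusted. The token is the one from the implicit grant example above; the denylist shape and the function names are assumptions.

```php
<?php
// Added example, not part of phalcon2rest. Decodes a JWT for inspection and
// checks its jti against a revocation denylist. It does NOT verify the
// signature; that stays with the OAuth2 resource server. Names are assumed.

function base64UrlDecode(string $s): string
{
    $padded = str_pad(strtr($s, '-_', '+/'), (int) (ceil(strlen($s) / 4) * 4), '=');
    $bin = base64_decode($padded, true);
    if ($bin === false) {
        throw new InvalidArgumentException('invalid base64url segment');
    }
    return $bin;
}

/** Returns ['header' => array, 'payload' => array] without verifying the signature. */
function inspectJwt(string $jwt): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('JWT must have three segments');
    }
    return [
        'header'  => json_decode(base64UrlDecode($parts[0]), true, 512, JSON_THROW_ON_ERROR),
        'payload' => json_decode(base64UrlDecode($parts[1]), true, 512, JSON_THROW_ON_ERROR),
    ];
}

/**
 * Revocation check keyed on jti, as the README suggests. Expired tokens are
 * rejected outright, so denylist entries can be dropped once exp has passed.
 */
function isRevoked(array $payload, array $revokedJtis, int $now): bool
{
    if (empty($payload['jti'])) {
        return true;                  // a token without jti can never be revoked, so do not accept it
    }
    if (isset($payload['exp']) && $now >= (int) $payload['exp']) {
        return true;                  // expired regardless of the list
    }
    return isset($revokedJtis[$payload['jti']]);
}

// The access token from the implicit grant example in this README.
$token = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6IjBjZDUxMDRkZDg2YTg0OThhZWUyZGQzOGNlYzgzYzRkMTU4MmE4YjM4ZmZjYWY3ZDQ2MjZiZTY0NWUxN2Q0MjJjZWJmMDRlNWY2YjBjNWUxIn0.eyJhdWQiOiIxIiwianRpIjoiMGNkNTEwNGRkODZhODQ5OGFlZTJkZDM4Y2VjODNjNGQxNTgyYThiMzhmZmNhZjdkNDYyNmJlNjQ1ZTE3ZDQyMmNlYmYwNGU1ZjZiMGM1ZTEiLCJpYXQiOjE0NjI3ODg0NzcsIm5iZiI6MTQ2Mjc4ODQ3NywiZXhwIjoxNDYyNzkyMDc3LCJzdWIiOiIxIiwic2NvcGVzIjpbImJhc2ljIl19.mI8E7KVG6NGxBqbZ6nVojtOXbvRCQzjnNcBSRHAbF2SyoKQlQTGAfDmGNxozfKoNh7G60Il84NKYVvwhC3S3-jLhsEgVA0UePnVnGq4V84M0yMBtLJY3puLSIOAoAGuvUjMjSlxNJnqXZ68R3oD1vi3dmA7MVeSELbii2apAyo4';

$decoded = inspectJwt($token);
print_r($decoded['header']);
print_r($decoded['payload']);

// Constructed denylist keyed by jti, as AccessTokenRepository might persist it.
$revoked = [$decoded['payload']['jti'] => true];

var_dump(isRevoked($decoded['payload'], $revoked, time()));
var_dump(isRevoked($decoded['payload'], [], 1462788500));   // timestamp inside the token's nbf..exp window, jti not listed
```

The decoded payload carries aud, jti, iat, nbf, exp, sub and scopes; because this token's exp lies in May 2016, the first check reports it as unusable with today's clock regardless of the list, and the second call uses a timestamp inside its validity window to exercise the jti lookup itself. Because the decoder skips signature verification, never feed its output into an authorization decision; it is for debugging and for looking up the jti of a token the middleware has already verified.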


All versions of phalcon2rest with dependencies

PHP build version / package version table: the package requires league/oauth2-server version 5.*.

The site also offers a Composer command for its own command line download client, which runs in any environment without requiring a specific PHP version; the first 20 API calls are free. A standard composer command is offered as well.
