Download the PHP package stratoss/phalcon2rest without Composer
On this page you can find all versions of the php package stratoss/phalcon2rest. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
FAQ
Example:
In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
- Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
- To use Composer is sometimes complicated. Especially for beginners.
- Composer needs much resources. Sometimes they are not available on a simple webspace.
- If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
- Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Informations about the package phalcon2rest
Phalcon2Rest
A base project for APIs using the Phalcon2 framework
This project is a fork of cmoore4's PhalconRest, but modified to work correctly with Phalcon2. It is including latest phpleague's OAuth2 Server at the moment (5.x) and using Json Web Tokens (JWT). Rate limiting is implemented as well.
The Phalcon framework is an awesome PHP framework that exists as a C-extension to the language. This allows it to be incredibly fast. But aside from its quickness, it is an amazingly powerful framework with excellent documentation that follows many best practises of modern software development. This includes using the Direct Injection pattern to handle service resolution across classes, a PSR-0 compliant autoloader, MVC architecture (or not), caching handlers for database, flatfile, redis, etc.. and a ton of additional features.
The purpose of this project is to establish a base project with Phalcon that uses the best practices from the Phalcon Framework to implement best practises of API Design.
Writing routes that respond with JSON is easy in any of the major frameworks. What I've done here is to go beyond that and extend the framework such that APIs written using this project are pragmatically REST-ish and have conveniance methods and patterns implemented that are more than a simple 'echo json_encode($array)'.
Provided are robust Error messages, controllers that parse searching strings and partial responses, response classes for sending multiple MIME types based on the request, and examples of how to implement authentication in a few ways, as well as a few templates for implementing common REST-ish tasks.
It is highly recommended to read through the index.php, Exceptions\HttpException.php
and Modules\V1\Controllers\RestController.php files.
General information and complete documentation using the OAuth2 server could be found here
API Assumptions
URL Structure
Request Bodies
Request bodies will be submitted as valid JSON.
The Fields
Search
Searches are determined by the 'q' parameter. Following that is a parenthesis enclosed list of key:value pairs, separated by commas.
ex: q=(name:Jonhson,city:Oklahoma)
Partial Responses
Partial responses are used to only return certain explicit fields from a record. They are determined by the 'fields' paramter, which is a list of field names separated by commas, enclosed in parenthesis.
ex: fields=(id,name,location)
Limit and Offset
Often used to paginate large result sets. Offset is the record to start from, and limit is the number of records to return.
ex: limit=20&offset=20 will return results 21 to 40
Return Type
Overrides any accept headers. JSON is assumed otherwise. Return type handler must be implemented.
ex: type=csv
Suppressed Error Codes
Some clients require all responses to be a 200 (Flash, for example), even if there was an application error. With this parameter included, the application will always return a 200 response code, and clients will be responsible for checking the response body to ensure a valid response.
ex: suppress_error_codes=true
Installation
Getting composer
Installing the project & dependencies (expecting phalcon2 to be loaded as a module!)
Public / Private keys used for JWT signing
Sample keys are generated in the ssl folder, you must regenerate your own set before going to production!
Responses
All route controllers must return an array. This array is used to create the response object.
Retrieving access token using password grant
Retrieving access token using client_credentials grant
Exchanging refresh token for a new set of refresh token + access token
Retrieving access token using implicit grant
Checkout Modules/V1/Controllers/AuthorizeController.php. Extra step must be taken in order to auth the user.
For simplicity assuming that the process started with a POST request to https://domain/v1/authorize
sending POST data "response_type=token&client_id=1&scope=basic"
and successful client auth, the response would be a redirect to
http://example.com/super-app#access_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6IjBjZDUxMDRkZDg2YTg0OThhZWUyZGQzOGNlYzgzYzRkMTU4MmE4YjM4ZmZjYWY3ZDQ2MjZiZTY0NWUxN2Q0MjJjZWJmMDRlNWY2YjBjNWUxIn0.eyJhdWQiOiIxIiwianRpIjoiMGNkNTEwNGRkODZhODQ5OGFlZTJkZDM4Y2VjODNjNGQxNTgyYThiMzhmZmNhZjdkNDYyNmJlNjQ1ZTE3ZDQyMmNlYmYwNGU1ZjZiMGM1ZTEiLCJpYXQiOjE0NjI3ODg0NzcsIm5iZiI6MTQ2Mjc4ODQ3NywiZXhwIjoxNDYyNzkyMDc3LCJzdWIiOiIxIiwic2NvcGVzIjpbImJhc2ljIl19.mI8E7KVG6NGxBqbZ6nVojtOXbvRCQzjnNcBSRHAbF2SyoKQlQTGAfDmGNxozfKoNh7G60Il84NKYVvwhC3S3-jLhsEgVA0UePnVnGq4V84M0yMBtLJY3puLSIOAoAGuvUjMjSlxNJnqXZ68R3oD1vi3dmA7MVeSELbii2apAyo4&token_type=bearer&expires_in=3600
Retrieving access code using authorization code grant
Checkout Modules/V1/Controllers/AuthorizeController.php. Extra step must be taken in order to auth the user.
For simplicity assuming that the process started with a POST request to https://domain/v1/authorize
sending POST data "response_type=code&client_id=1&scope=basic"
and successful client auth, the response would be a redirect to
http://example.com/super-app?code=ReoVHgGRnMj6IVhAUDUvunKKCi2BvGxfsJ8nGMj%2FIO2ITr6u7%2FJ7epKAIEG%2F0KZMk5Cc5GhWouG8zYHgGwzAHSztOS%2FKKp8krH5rm6e4pIkmhYvy9TCDUF1fdSo0axfZTQm1V9Ja8Ww3GN%2BeMvpmoKCXPNB8VEOs7smkTI9EGJGjVC2bS26ZJKWGuIV1UqyUKEeSiNfvhAqzeZWF2fXhGDDxmawtIPo7C3Vhs9ZW035P%2FKcugRxdT5t5MTkB%2BgRllqNGLo1DCnXvSB9E9H6KOEraMMYdqzcX4YNX8TseBrJINBJM7JUZkjFqQ176DXfnI7ULN7R%2FUJrRwWNdPMuHwQ%3D%3D
JSON
JSON is the default response type. The responses will look like this:
An envelope can be included in responses via the 'envelope=true' query parameter. This will return the record set and the meta information as the body.
Often times, database field names are snake_cased. However, when working with an API, developers generally prefer JSON fields to be returned in camelCase (many API requests are from browsers, in JS). This project will by default convert all keys in a records response from snake_case to camelCase.
This can be turned off for your API by setting the JSONResponse's function "convertSnakeCase(false)".
CSV
CSV is the other implemented handler. It uses the first record's keys as the header row, and then creates a csv from each row in the array. The header row can be toggled off for responses.
Errors
Phalcon2Rest\Exceptions\HttpException extends PHP's native exceptions. Throwing this type of exception returns a nicely formatted JSON response to the client.
Returns this:
Example Controller
The Example Controller sets up a route at /example and implements all of the above query parameters. You can mix and match any of these queries:
api.example.local/v1/example?q=(author:Stanimir Stoyanov)
api.example.local/v1/example?fields=(id,title)
api.example.local/v1/example/1?fields=(author)&envelope=false
api.example.local/v1/example?type=csv
api.example.local/v1/example?q=(year:2010)&offset=1&limit=2&type=csv&fields=(id,author)
Rate Limiting
There are 3 rate limiters implemented, configured in config/config.ini
How many request for access token are permitted
[access_token_limits]
r1 = 5
This line sets a limit of 1 request per 5 seconds per IP for /access_token & /authorize endpoints.
How many unauthorized requests
[api_unauthorized_limits]
r10 = 60
This line sets a limit of 10 requests per 1 minute per IP for every other request, when authorization header is missing / is invalid. OPTIONS requests are counted here too.
Everything else
[api_common_limits]
r600 = 3600
600 requests per hour for all authorized consumers. Users and clients are counted separately here.
Tracking the rate limiter
Each requests returns the X-Rate-Limit-* headers, e.g.
When the limit is reached:
What about CORS?
By extending a controller with RestController we're providing base CORS policy.
The controller will be inspected and Access-Control-Allow-Methods will be populated with all valid methods found.
Please note that there is no way to safely authorize the user with the OPTIONS method, so those requests are counted in the rate limiter as unauthorized ones.
Performance optimization
By default FileCache is used, which is extremely slow. Consider using memcached or redis. In the project we're using sqlite3 as database. Consider using MySQL/PostgreSQL/MongoDB or something else with caching up-front.
Anything else?
Revocation of access/refresh tokens are not implemented as this is strongly individual.
Check out Components\Oauth2\Repositories\AccessTokenRepository.php and Components\Oauth2\Repositories\RefreshTokenRepository.php
Each access has unique identifier (jti) which could be used for revocation.
The tokens could be easily debugged using tool like JWT.io
