Koalati offers a REST API, which is built with API Platform.
Most of the implementation can be understood by reading API Platform's documentation. This document describes the layers that are applied on top of API Platform for Koalati's specific needs.
The API's authentication uses JWT as bearer tokens. This is based on lexik/jwt-authentication-bundle.
Refresh tokens are made available by gesdinet/jwt-refresh-token-bundle.
IDs are always encrypted in serialized data within the application. A few things had to be put in place to make the API Platform work with these encrypted IDs:
- App\Api\Routing\EncryptedIriConverter decorates the default api_platform.iri_converter to automatically encrypt & decrypt resource identifiers in IRIs.
- App\Api\State\EncryptedIdsCallableProvider decorates the default api_platform.state_provider.locator to decrypt IDs when fetching entities (and then lets the default entity providers do their job as usual).
Security checks that make sure the user has access to the API take place at the beginning of every API request, within App\Api\Security\AuthenticationJwtListener.
Query filters are used for all entities that have collection endpoints, to ensure the user has access to the entities that are returned.
These filters implement the QueryCollectionExtensionInterface interface and can be found in the App\Api\Security namespace.
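As an added illustration of such a filter (not Koalati's own code), the extension below restricts a hypothetical Project collection to the projects owned by the current user. It assumes API Platform 3 (the QueryCollectionExtensionInterface under ApiPlatform\Doctrine\Orm), a Project entity with an "owner" association to User, and Symfony's Security helper service.

```php
<?php
namespace App\Api\Security;

use ApiPlatform\Doctrine\Orm\Extension\QueryCollectionExtensionInterface;
use ApiPlatform\Doctrine\Orm\Util\QueryNameGeneratorInterface;
use ApiPlatform\Metadata\Operation;
use App\Entity\Project; // hypothetical entity, assumed for this example
use App\Entity\User;    // hypothetical entity, assumed for this example
use Doctrine\ORM\QueryBuilder;
use Symfony\Bundle\SecurityBundle\Security;

/**
 * Example collection filter: only the current user's projects are returned
 * from GET /projects. Any other resource class is left untouched.
 */
final class ProjectCollectionExtension implements QueryCollectionExtensionInterface
{
    public function __construct(private readonly Security $security)
    {
    }

    public function applyToCollection(
        QueryBuilder $queryBuilder,
        QueryNameGeneratorInterface $queryNameGenerator,
        string $resourceClass,
        ?Operation $operation = null,
        array $context = []
    ): void {
        // Only touch collections of the resource this filter is responsible for.
        if ($resourceClass !== Project::class) {
            return;
        }

        $user = $this->security->getUser();

        // Fail closed: an unauthenticated request must not see any project.
        if (!$user instanceof User) {
            $queryBuilder->andWhere('1 = 0');
            return;
        }

        $rootAlias = $queryBuilder->getRootAliases()[0];
        // A generated parameter name avoids collisions with other extensions/filters.
        $param = $queryNameGenerator->generateParameterName('currentUser');

        $queryBuilder
            ->andWhere(sprintf('%s.owner = :%s', $rootAlias, $param))
            ->setParameter($param, $user);
    }
}
```

With Symfony autoconfiguration the class is registered as a collection extension automatically; otherwise tag the service with api_platform.doctrine.orm.query_extension.collection.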
For all operations other than fetching collections of entities, voters are used to check whether the user has the necessary privileges to access the target entity and/or to perform the desired action.
By default, API Platform simply ignores invalid filter values coming from user requests. To provide better feedback and help the developers who use the API improve their implementation, App\Api\Log\InvalidFilterLogHandler listens for log entries from API Platform mentioning invalid filter values and throws a Bad Request error with a message detailing which filter value is invalid. Ex.: Invalid filter value for field author.