Jump to content

New Module: AppApi


Sebi

Recommended Posts

Hello friends!
I have another module for you, which will make your daily work as a Processwire developer easier.

Introducing:
AppApi

This module helps you to create api-endpoints, to which an app or an external service can connect to.

Features

  • Simple routing definition
  • Authentication - Three different authentication-mechanisms are ready to use.
  • Access-management via UI
  • Multiple different applications with unique access-rights and authentication-mechanisms can be defined

The documentation has become quite extensive, so have a look at the Github repository for details:

A special thanks goes to Thomas Aull , whose module RestApi was the starting point to this project. This module is not meant to replace this module because it does a great job. But if you want to connect and manage multiple apps or need other authentication methods, this module might help you.

I am already very curious about your feedback and would be glad if the module helps you a little bit.

  • Like 28
  • Thanks 6
Link to comment
Share on other sites

  • 2 weeks later...

Hello everyone,

I'm having a problem when trying to make a request to the API using HTTPs.
Whenever I use HTTPS to make the request I get an object not found error.
When using HTTP I don't have such an error. However I require HTTPS to make authentication calls from outside processwire with double JWT token.
I use XAMPP to set up my localhost. I did redirect my localhost to use a domain name and also had to use a different port (other than default) for my mysql port since I already had something listening to the default port.
Accessing my processwire application from localhost works with https but it is not secure. 

Any of you know what i'm doing wrong?

Kind regards,

 

2020-08-06 13_41_11-Window.png

2020-08-06 13_40_15-Window.png

Link to comment
Share on other sites

Hi @Krevolution,

glad to hear that you could solve the problem by yourself.

I'm the author of the AppApi-module your using. If you encounter more problems or questions regarding AppApi, feel free to mention me via @Sebi. That makes sure, that I get a notification about it.

Anyway, I am pleased that you use the module!

Link to comment
Share on other sites

I really like to use Insomnia testing api-calls. It's a stand-alone tool for Mac, Windows and Linux. And the free plan suits perfectly for all my needs - the paid functions are primary focuses on collaboration features for teams.

  • Like 3
Link to comment
Share on other sites

Yeah this is pretty awesome! Since I'm struggeling with carving out time for the RestApi module over the last year (sorry again for not giving your PR much love @Sebi) I'm pretty happy someone is pushing things forward :) Actually I'm thinking maybe this module should be the official continuation of my RestApi Module. For me it looks like it is more advanced and as far as I can tell by creating a single endpoint the way things are used would be quite similar. What do you think?

I'm gonna check it out myself now :)

  • Like 2
Link to comment
Share on other sites

I already have the first request: I was planning to, instead using a hook to intercept the request to play out the api it would be better to (again) use a page in the regular ProcessWire tree for the following reasons:

  • Multi Language does not work with the current solution
  • Caching with ProCache does not work with the current solution
  • It is harder for users of the API module to use Subdirectories

Also another request by a user was to move the API routes in `/templates` so it would be included in exports with the site profile export module.

  • Like 1
Link to comment
Share on other sites

Two more things:

  • Can you enable Issues in your respository on github?
  • I'm getting an error in this line: https://github.com/Sebiworld/AppApi/blob/master/classes/Router.php#L275
    Changing it to
    if ($last_error && $last_error['type'] === E_ERROR) {

    fixes it. (This was already suggested by someone some time ago on the RestApi module).
    I was providing a PR, but since AppApi is a fork of RestApi, when I try to fork it, it just goes back to my module 😅

  • Like 1
Link to comment
Share on other sites

@Sebi i'm trying to delete a page using the api like so:

public static function deletePage($data){
        if(property_exists($data, 'clients')) {
            foreach($data->clients as $client) {
                if ($client->changeType == 0) {
                    if(property_exists($client, 'id')) {
                        $p = wire('pages')->get($client->id);
                        wire('pages')->trash($p);
                    }
                }
            }
        }
    }
'package' => [
	['OPTIONS', 'update-package', ['POST']],
	['POST', 'update-package', Package::class, 'updatePackage', ["auth" => false]],
	['DELETE', 'delete-page', Package::class, 'deletePage', ["auth" => false]]
],

for some reason I get an error ->
"Trying to get property 'id' of non-object"

After some research I found that the error is located in the isDeletable check from pagesEditor inside the wire.

image.png.c33304a6e9948a47ed64dbb99d1f0bc6.png

more specifically the last else if check. When I bypass this whole block it works to delete so the id is fine.

Any suggestions?

Kind regards.

Link to comment
Share on other sites

Hi @thomasaull,

nice to hear that you like what I did to your module 😅 I would really appreciate it if we could work together on the next developments. For my projects a good and flexible Api connection is very important. Therefore I hope that we can improve the module even more.

So, let me answer your comments one after another:

if ($last_error && $last_error['type'] === E_ERROR) {

Consider that as fixed. I just pushed version 1.0.3 with a few documentation-fixes and this bugfix. Thank you for this hint!

I activated Github-Issues for the repository as well. I think, issues and/or pull requests on Github will be a better way to work on new features and bugfixes, since this forum-post would become long and more and more confusing. I additionally contacted Github whether it is possible to remove the fork-connection to your RestApi-repository.

Link to comment
Share on other sites

 

On 8/7/2020 at 11:52 AM, thomasaull said:

I already have the first request: I was planning to, instead using a hook to intercept the request to play out the api it would be better to (again) use a page in the regular ProcessWire tree for the following reasons:

  • Multi Language does not work with the current solution
  • Caching with ProCache does not work with the current solution
  • It is harder for users of the API module to use Subdirectories

I'm not sure, if I understand you right: Do you want to trigger an api-call on a different hook? Do you have an example, maybe a code-snippet, how you would do it? What I like on the current way is, that you do not need to create a page or a file in the templates-directory. So you can have a complex existing site, install the module and the module would work without the need to change something in the pagetree. But that can be only a matter of opinion, I think that other ways would also have advantages.

I'm currently trying out a multi-language site and will give you an update if I could find a practicable way to implement this. My experiences with caching are, to be honest, very limited so far. So if anybody knows about it and could suggest improvements, that would be great!

On 8/7/2020 at 11:52 AM, thomasaull said:

Also another request by a user was to move the API routes in `/templates` so it would be included in exports with the site profile export module.

I think I can make the path to api-routes easily configurable, so it can be moved to /templates if the user needs it there.

On 8/7/2020 at 11:59 AM, thomasaull said:

Another thing which would make usage of this module easier for users of the RestApi module would be to have an option to not have to use ApiKeys to access the API

I think that could be solved by some kind of default-application, that is called if no api-key is found in a request. It's a little complicated, because the module needs the api-key to choose the corresponding application.

Apikeys bring a bunch of benefits, which a default-application without an apikey cannot have. We would not be able to block old apikeys. We make it easier for bots to scrape our page. And it could be confusing, when we just forget to add the apikey-header and will be sent to the default-application without an error. 

I would consider that as a future improvement, but I think it needs some more thought before implementing it. 

So, thanks again @thomasaull for your comments. Can you please make issues on Github out of this?

Link to comment
Share on other sites

On 8/7/2020 at 5:42 PM, Krevolution said:

After some research I found that the error is located in the isDeletable check from pagesEditor inside the wire.

image.png.c33304a6e9948a47ed64dbb99d1f0bc6.png

more specifically the last else if check. When I bypass this whole block it works to delete so the id is fine.

Any suggestions?

Kind regards.

I tried it out and could reproduce the error in my configuration as well. The problem here is not your $page that you want to delete. The problem is, that $this->wire('page') is null, because you requested no special page which processwire can use as its current page. I would consider that as a processwire-bug, it could easily prevented by adding a check if $this->wire('page') contains a page. What do you think? Maybe @ryan can add something to it?

On 8/7/2020 at 5:42 PM, Krevolution said:

public static function deletePage($data){ if(property_exists($data, 'clients')) { foreach($data->clients as $client) { if ($client->changeType == 0) { if(property_exists($client, 'id')) { $p = wire('pages')->get($client->id); wire('pages')->trash($p); } } } } }

Nevertheless, I would like to suggest something about your code example. Please be aware, that you must make sure, that only valid page-ids will be accepted and only valid client-pages will be deleted. If I send a request with an id like 0, I could try to delete the root-page if I want to. Please check everything, that comes from an api-request and sanitize these values. This is how I would do it:

public static function deletePage($data){
	if (!property_exists($data, 'clients')) { throw new \Exception('No clients found', 400); }
	foreach($data->clients as $client) {
		if ($client->changeType == 0) {
			if(!property_exists($client, 'id')) { continue; }

			$p = wire('pages')->get(wire('sanitizer')->int($client->id));
			if(!$p->id || $p->template->name !== 'client') { continue; }

			wire('pages')->trash($p);
		}
	}
}

 

Link to comment
Share on other sites

On 8/7/2020 at 11:52 AM, thomasaull said:
  • Caching with ProCache does not work with the current solution

For what it is worth, I use this intermediate solution to use ProCache in combination with the RestAPI module:  https://processwire.com/talk/topic/20006-module-restapi/?do=findComment&comment=186881.

Which gives me:
1. site.url/rest-api => live data
2. site.url/api => served by ProCache

Of course this would only be useful for (static) pages that don't require any authentication or whatsoever. 

 

  • Like 1
Link to comment
Share on other sites

Recently i have released the new version 1.0.4 of AppApi.

In this version I use ProcessPageView::pageNotFound instead of the previous used ProcessPageView::execute hook. This hook is triggered later in ProcessWire's boot process, which should allow features like multi-language fields and other modules to initialize before the api tries to access their values. Let me know, if it worked for you!

Besides that you can now configure the path to the Routes.php file, that is located under site/api/Routes.php per default. If you need to have it somewhere else, you can set any location (relative to ProcessWire's root directory) in the module's settings.

Thanks to @thomasaull and @spoetnik for supporting me with issues and comments in the AppApi Github repository!  

  • Like 4
Link to comment
Share on other sites

  • 3 months later...

Sorry for all the questions ... Its not clear to me currently how version numbers or api keys or users are related and can be used to auth against a certain route... is that something we have to build into the api call to test the signed in user and their restrictions? be cool if this was tired into the auth stage/routes as you have all the parts there available but not tied together for some reason...?

Link to comment
Share on other sites

@benbyf I'm going to try to give you some answers:

  • What do you mean by „the log wasn't created for this module"? Can you clarify your question a bit?
  • You can disable auth for certain routes by setting `"auth" => false` in the route options. This is not explicitly documented at the moment, but here is an example where it's set to true: https://github.com/Sebiworld/AppApi#example-listing-users
  • Version numbers are a way to make breaking changes to your API and check for that in the client (e.g. if the client requests API v1 but the newer v2 should be used you can return a warning which the client displays to the user (e.g. to update the software, refresh the website, …)
  • API Keys are way to guard your API to only be accessed by your apps. This is not possible in the browser, since the code would be readable but certainly for complied Apps
  • If you want to restrict API access of certain user roles (`superadmin` is allowed more than `editor`) you'll have to add this logic by yourself in the route methods (it's basically ProcessWire API from there)
Link to comment
Share on other sites

Thanks! @thomasaull

  1. I mean on the settings page the is a link to a log, which when clicked takes you to the logs overview page with an error saying the log you were trying to access doesnt exist.
  2. disabling auth doesnt create an open endpoint as you still need an apikey to access anything without an error
  3. sounds good but how do you implement this as there is nothing in the docs?
  4. ?
  5. cool beans, but my comment still stands 🙂
Link to comment
Share on other sites

@benbyf

  1. I see… I guess you'll have to wait for an answer from @Sebi for this one
  2. That's right actually, I just checked the source, apparently there is no way to access the API without an API Key. The `auth` option only says, if a guest is allowed to access the endpoint. What's holding you back to use an API Key?
  3. I think the way to do it is to generate a new API Key for the new version. As soon as the client for the new version is released you can delete the old version. The clients which are still on the old version will get an Error like "API Key not valid" or similar which you can use in your client to guide the user to do whatever you want from there 😉
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...