New Module: AppApi

[Sebi]

Hello friends!
I have another module for you, which will make your daily work as a Processwire developer easier.

Introducing:
AppApi

This module helps you to create api-endpoints, to which an app or an external service can connect to.

Features

• Simple routing definition
• Authentication - Three different authentication-mechanisms are ready to use.
• Access-management via UI
• Multiple different applications with unique access-rights and authentication-mechanisms can be defined

The documentation has become quite extensive, so have a look at the Github repository for details:

• Installation
• Defining Applications
  • Api-Keys
  • PHP-Session (Recommended for on-site usage)
  • Single JWT (Recommended for external server-calls)
  • Double JWT (Recommended for apps)
• Creating Endpoints
  • Output Formatting
  • Error Handling
  • Example: Listing Users
  • Example: Universal Twack Api
    • Routes
    • Page Handlers
    • File Handlers

A special thanks goes to Thomas Aull , whose module RestApi was the starting point to this project. This module is not meant to replace this module because it does a great job. But if you want to connect and manage multiple apps or need other authentication methods, this module might help you.

I am already very curious about your feedback and would be glad if the module helps you a little bit.

[Sebi]

Good news!

We are live now!
AppApi has been approved and now appears in the modules directory: https://modules.processwire.com/modules/app-api/

Thank you for your many reactions to the release - I hope it helps you build the best apis you can imagine!

[Krevolution]

Hello everyone,

I'm having a problem when trying to make a request to the API using HTTPs.
Whenever I use HTTPS to make the request I get an object not found error.
When using HTTP I don't have such an error. However I require HTTPS to make authentication calls from outside processwire with double JWT token.
I use XAMPP to set up my localhost. I did redirect my localhost to use a domain name and also had to use a different port (other than default) for my mysql port since I already had something listening to the default port.
Accessing my processwire application from localhost works with https but it is not secure. 

Any of you know what i'm doing wrong?

Kind regards,

 

[Krevolution]

[SOLVED] found a fix myself I followed: https://medium.com/@ajtech.mubasheer/setup-https-in-xampp-for-localhost-bc3d01393f31 to allow https as localhost for my xampp setup and I can now do api calls to https:// ?

[Sebi]

Hi @Krevolution,

glad to hear that you could solve the problem by yourself.

I'm the author of the AppApi-module your using. If you encounter more problems or questions regarding AppApi, feel free to mention me via @Sebi. That makes sure, that I get a notification about it.

Anyway, I am pleased that you use the module!

[Pixrael]

Free Postman alternative:

https://chrome.google.com/webstore/detail/apidebug-http-test/ieoejemkppmjcdfbnfphhpbfmallhfnc
https://chrome.google.com/webstore/detail/postwoman-http接口调试插件/hoeapaidnfedjfbdghipliboclcighij

PS: same extension, different name

[Sebi]

I really like to use Insomnia testing api-calls. It's a stand-alone tool for Mac, Windows and Linux. And the free plan suits perfectly for all my needs - the paid functions are primary focuses on collaboration features for teams.

[thomasaull]

Yeah this is pretty awesome! Since I'm struggeling with carving out time for the RestApi module over the last year (sorry again for not giving your PR much love @Sebi) I'm pretty happy someone is pushing things forward :) Actually I'm thinking maybe this module should be the official continuation of my RestApi Module. For me it looks like it is more advanced and as far as I can tell by creating a single endpoint the way things are used would be quite similar. What do you think?

I'm gonna check it out myself now :)

[thomasaull]

I already have the first request: I was planning to, instead using a hook to intercept the request to play out the api it would be better to (again) use a page in the regular ProcessWire tree for the following reasons:

• Multi Language does not work with the current solution
• Caching with ProCache does not work with the current solution
• It is harder for users of the API module to use Subdirectories

Also another request by a user was to move the API routes in `/templates` so it would be included in exports with the site profile export module.

[thomasaull]

Another thing which would make usage of this module easier for users of the RestApi module would be to have an option to not have to use ApiKeys to access the API

[thomasaull]

Two more things:

• Can you enable Issues in your respository on github?
• I'm getting an error in this line: https://github.com/Sebiworld/AppApi/blob/master/classes/Router.php#L275
  Changing it to

  if ($last_error && $last_error['type'] === E_ERROR) {

  fixes it. (This was already suggested by someone some time ago on the RestApi module).
  I was providing a PR, but since AppApi is a fork of RestApi, when I try to fork it, it just goes back to my module ?

[Krevolution]

@Sebi i'm trying to delete a page using the api like so:

public static function deletePage($data){
        if(property_exists($data, 'clients')) {
            foreach($data->clients as $client) {
                if ($client->changeType == 0) {
                    if(property_exists($client, 'id')) {
                        $p = wire('pages')->get($client->id);
                        wire('pages')->trash($p);
                    }
                }
            }
        }
    }

'package' => [
	['OPTIONS', 'update-package', ['POST']],
	['POST', 'update-package', Package::class, 'updatePackage', ["auth" => false]],
	['DELETE', 'delete-page', Package::class, 'deletePage', ["auth" => false]]
],

for some reason I get an error ->
"Trying to get property 'id' of non-object"

After some research I found that the error is located in the isDeletable check from pagesEditor inside the wire.

more specifically the last else if check. When I bypass this whole block it works to delete so the id is fine.

Any suggestions?

Kind regards.

[Sebi]

Hi @thomasaull,

nice to hear that you like what I did to your module ? I would really appreciate it if we could work together on the next developments. For my projects a good and flexible Api connection is very important. Therefore I hope that we can improve the module even more.

So, let me answer your comments one after another:

if ($last_error && $last_error['type'] === E_ERROR) {

Consider that as fixed. I just pushed version 1.0.3 with a few documentation-fixes and this bugfix. Thank you for this hint!

I activated Github-Issues for the repository as well. I think, issues and/or pull requests on Github will be a better way to work on new features and bugfixes, since this forum-post would become long and more and more confusing. I additionally contacted Github whether it is possible to remove the fork-connection to your RestApi-repository.

[Sebi]

 

  On 8/7/2020 at 9:52 AM, thomasaull said:

I already have the first request: I was planning to, instead using a hook to intercept the request to play out the api it would be better to (again) use a page in the regular ProcessWire tree for the following reasons:

• Multi Language does not work with the current solution
• Caching with ProCache does not work with the current solution
• It is harder for users of the API module to use Subdirectories

Expand  

I'm not sure, if I understand you right: Do you want to trigger an api-call on a different hook? Do you have an example, maybe a code-snippet, how you would do it? What I like on the current way is, that you do not need to create a page or a file in the templates-directory. So you can have a complex existing site, install the module and the module would work without the need to change something in the pagetree. But that can be only a matter of opinion, I think that other ways would also have advantages.

I'm currently trying out a multi-language site and will give you an update if I could find a practicable way to implement this. My experiences with caching are, to be honest, very limited so far. So if anybody knows about it and could suggest improvements, that would be great!

  On 8/7/2020 at 9:52 AM, thomasaull said:

Also another request by a user was to move the API routes in `/templates` so it would be included in exports with the site profile export module.

Expand  

I think I can make the path to api-routes easily configurable, so it can be moved to /templates if the user needs it there.

  On 8/7/2020 at 9:59 AM, thomasaull said:

Another thing which would make usage of this module easier for users of the RestApi module would be to have an option to not have to use ApiKeys to access the API

Expand  

I think that could be solved by some kind of default-application, that is called if no api-key is found in a request. It's a little complicated, because the module needs the api-key to choose the corresponding application.

Apikeys bring a bunch of benefits, which a default-application without an apikey cannot have. We would not be able to block old apikeys. We make it easier for bots to scrape our page. And it could be confusing, when we just forget to add the apikey-header and will be sent to the default-application without an error. 

I would consider that as a future improvement, but I think it needs some more thought before implementing it. 

So, thanks again @thomasaull for your comments. Can you please make issues on Github out of this?

[Sebi]

  On 8/7/2020 at 3:42 PM, Krevolution said:

After some research I found that the error is located in the isDeletable check from pagesEditor inside the wire.

more specifically the last else if check. When I bypass this whole block it works to delete so the id is fine.

Any suggestions?

Kind regards.

Expand  

I tried it out and could reproduce the error in my configuration as well. The problem here is not your $page that you want to delete. The problem is, that $this->wire('page') is null, because you requested no special page which processwire can use as its current page. I would consider that as a processwire-bug, it could easily prevented by adding a check if $this->wire('page') contains a page. What do you think? Maybe @ryan can add something to it?

  On 8/7/2020 at 3:42 PM, Krevolution said:

public static function deletePage($data){ if(property_exists($data, 'clients')) { foreach($data->clients as $client) { if ($client->changeType == 0) { if(property_exists($client, 'id')) { $p = wire('pages')->get($client->id); wire('pages')->trash($p); } } } } }

Expand  

Nevertheless, I would like to suggest something about your code example. Please be aware, that you must make sure, that only valid page-ids will be accepted and only valid client-pages will be deleted. If I send a request with an id like 0, I could try to delete the root-page if I want to. Please check everything, that comes from an api-request and sanitize these values. This is how I would do it:

public static function deletePage($data){
	if (!property_exists($data, 'clients')) { throw new \Exception('No clients found', 400); }
	foreach($data->clients as $client) {
		if ($client->changeType == 0) {
			if(!property_exists($client, 'id')) { continue; }

			$p = wire('pages')->get(wire('sanitizer')->int($client->id));
			if(!$p->id || $p->template->name !== 'client') { continue; }

			wire('pages')->trash($p);
		}
	}
}

 

[thomasaull]

@Sebi I created issues for my requests except the API Keys question (I thought this might have been a low hanging fruit, but it looks like it's a bit more complicated)

[eelkenet]

  On 8/7/2020 at 9:52 AM, thomasaull said:

• Caching with ProCache does not work with the current solution

Expand  

For what it is worth, I use this intermediate solution to use ProCache in combination with the RestAPI module:  https://processwire.com/talk/topic/20006-module-restapi/?do=findComment&comment=186881.

Which gives me:
1. site.url/rest-api => live data
2. site.url/api => served by ProCache

Of course this would only be useful for (static) pages that don't require any authentication or whatsoever. 

 

[Sebi]

Recently i have released the new version 1.0.4 of AppApi.

In this version I use ProcessPageView::pageNotFound instead of the previous used ProcessPageView::execute hook. This hook is triggered later in ProcessWire's boot process, which should allow features like multi-language fields and other modules to initialize before the api tries to access their values. Let me know, if it worked for you!

Besides that you can now configure the path to the Routes.php file, that is located under site/api/Routes.php per default. If you need to have it somewhere else, you can set any location (relative to ProcessWire's root directory) in the module's settings.

Thanks to @thomasaull and @spoetnik for supporting me with issues and comments in the AppApi Github repository!  

[benbyf]

HELLO! Some reason the log wasn't created for this module, wondered if this was something anyone had a view on or needed fixed. I'm running PW 3.0.148

[benbyf]

Hi @Sebi I saw that form_version associated with an aplication apikey doesnt get checked at all on request, is it worth adding it, when filled, to the routes... e.g. when blank route to /api/test when 1 route to /api/v1/test ?

[benbyf]

Also, anyway to create a no apikey GET endpoint. could make this using templates but be nice it it was part of the same system

[benbyf]

Sorry for all the questions ... Its not clear to me currently how version numbers or api keys or users are related and can be used to auth against a certain route... is that something we have to build into the api call to test the signed in user and their restrictions? be cool if this was tired into the auth stage/routes as you have all the parts there available but not tied together for some reason...?

[thomasaull]

@benbyf I'm going to try to give you some answers:

• What do you mean by „the log wasn't created for this module"? Can you clarify your question a bit?
• You can disable auth for certain routes by setting `"auth" => false` in the route options. This is not explicitly documented at the moment, but here is an example where it's set to true: https://github.com/Sebiworld/AppApi#example-listing-users
• Version numbers are a way to make breaking changes to your API and check for that in the client (e.g. if the client requests API v1 but the newer v2 should be used you can return a warning which the client displays to the user (e.g. to update the software, refresh the website, …)
• API Keys are way to guard your API to only be accessed by your apps. This is not possible in the browser, since the code would be readable but certainly for complied Apps
• If you want to restrict API access of certain user roles (`superadmin` is allowed more than `editor`) you'll have to add this logic by yourself in the route methods (it's basically ProcessWire API from there)

[benbyf]

Thanks! @thomasaull

1. I mean on the settings page the is a link to a log, which when clicked takes you to the logs overview page with an error saying the log you were trying to access doesnt exist.
2. disabling auth doesnt create an open endpoint as you still need an apikey to access anything without an error
3. sounds good but how do you implement this as there is nothing in the docs?
4. ?
5. cool beans, but my comment still stands ?

[thomasaull]

@benbyf

1. I see… I guess you'll have to wait for an answer from @Sebi for this one
2. That's right actually, I just checked the source, apparently there is no way to access the API without an API Key. The `auth` option only says, if a guest is allowed to access the endpoint. What's holding you back to use an API Key?
3. I think the way to do it is to generate a new API Key for the new version. As soon as the client for the new version is released you can delete the old version. The clients which are still on the old version will get an Error like "API Key not valid" or similar which you can use in your client to guide the user to do whatever you want from there ?