components-web-app / api-components-bundle
Creates a flexible API for a website's structure, reusable components and common functionality.
Home Page: https://docs.api.cwa.rocks
License: MIT License
If a resource is added to the database that extends AbstractPageData it will require a PageTemplate to be set and if the Route is not set, it should be generated from a value from a 'getter'/property and slugified.
PHP supported versions are: 7.2, 7.3 and 7.4. Update GitHub workflows to test with each of those versions to ensure the bundle is bootable on each of them.
The security implementation around restricted pages and the components within the pages needs to be addressed.
...
It seems prudent to address the serialization groups on the AbstractUser class. E.g. the oldPassword property only needs deserializing during a password update. Validation groups are applied already, as we use the form components to create the forms for the front-end to use, but serialization groups are not applied yet. Maybe good to do with the context builder. TBD.
Thank you for the suggestion/idea @vincentchalamon
There may be a demand for the publishable feature to be extracted and its functionality enhanced in a separate bundle.
Features may include:
This way it could be used with any Symfony project also using Doctrine to easily configure entities that should be publishable.
This feature is a big part of the ACB and would require a lot of work to be as flexible as required outside of this bundle. TBD
I have been battling with my own thoughts on the best way to implement this. Please take a look at how the bundle configuration can currently be used to determine route security and perhaps we can discuss the flexibility of this for applications.
The results need to be able to be the following:
Any input and discussion is greatly appreciated.
When a collection component needs to be filtered on SSR loading we need to be able to pass the querystring to the collection. Need to think about how to handle this where it will be able to support multiple collections on a page so we know which filter parameters we want to pass to each collection component.
Should probably use a sub-request for collections instead of current functionality. E.g.
```php
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\HttpKernelInterface;

function getCollection(string $path, string $method = 'GET', ?string $body = null)
{
    // Dispatch the collection fetch as a sub-request through the kernel so it
    // goes through the same routing, security and serialization as a direct request
    $subRequest = Request::create($path, $method, [], [], [], [], $body);
    try {
        return $this->kernel->handle($subRequest, HttpKernelInterface::SUB_REQUEST);
    } catch (\Exception $e) {
        // handle
    }
}
```
```shell
composer require --dev friends-of-behat/mink friends-of-behat/mink-browserkit-driver friends-of-behat/mink-extension
```
behat/symfony2extension is replaced by friends-of-behat/symfony-extension.
Also, dama/doctrine-test-bundle will help to reset the database on each Behat scenario using a Doctrine transaction.
This is required to populate a user on most front-end applications including the Nuxt auth module we are implementing in CWA Nuxt Module.
Full review required.
output class of these resources automatically if not specified by the user so that the Data Transformers are run.
We are already detecting the format type on custom actions (e.g. for forms). But currently we deserialize the submitted data using json_decode. We could easily deserialize the data using the detected format instead so that the formats can be handled in line with whatever we have configured our API to accept.
By default the published feature means a user will automatically be editing a draft resource if available. It may be needed to make another change to the published resource. If we allow this using the 'published=true' querystring with the request then we would also need to ensure the 'publishedAt' date cannot be modified, possibly with a validator.
Not failing locally, locally uses higher phpunit version - possibly the issue. Need to check.
Need to add tests for using Amazon S3 with private files to check how it is handled. Perhaps a temporary token is generated which expires shortly afterwards... I hope! If not, then we need to ensure it acts in this way.
For the actual uploaded file (not imagine) we will be hitting an endpoint for the given resource. This means an application developer can hook into events to prevent access to the resource and therefore prevent access to the download....
Maybe address in alpha...
As all our applications will have user functionality, and therefore require emails, it makes sense to include a Symfony Mailer extension so that we have an easy to customise template that will be used for security procedures, but the main application can also use to send branded emails to customers or their own email (e.g. for contact form).
A component group should be able to restrict which components are allowed within it. This is low priority because to begin with, web developers/trusted workers will be adding the components - so would not add a "Hero" to a navigation (for example).
Often it will be needed that when a form is submitted, we simply need to persist that object to the database. We are doing this already for the user registrations and new email address form types.
I have seen this done before on other packages but cannot remember where.
So the config would be something like:
```yaml
services:
    'app.listener.contact_form':
        class: Silverback\ApiComponentBundle\EventListener\Form\EntityPersister
        arguments:
            $formType: App\Form\ContactType
            $dataClass: App\Entity\ContactSubmission
```
New notification email if email address changed with auto password reset link added. Otherwise the new user can change the user's password. May need to be a new backup password change key so that this cannot be overwritten by a hacker changing email and then doing a password reset request...
Change of plan. See PR.
Should look into storing doctrine migrations in configured Flysystem storage.
In version 1 of ACB, some routes and components could be configured so that they are only available to users with specific roles. The ability to restrict routes and even which components/resources can be modified by which users needs to be addressed.
Perhaps we can primarily be using the API Platform security features once the main security firewall is passed by knowing the user is an admin? There are also some default serialization groups put into the context based on the logged in user's roles. The issue arises when we need to determine which individual resource in the database should be able to be accessed by a user. E.g. a navigation item.
We may even want to add a property to the component's output so that the front-end knows that it will need reloading if the user's login status is changed...
Big feature to TBD...
Implement features to allow for Dynamic Pages
Possibly use Message Handler as described here for tasks we have custom actions for at the moment. Not urgent right now as we would need to add instructions on configuring RabbitMQ or something as the transport.
https://api-platform.com/docs/core/messenger/
vulnerability highlighted by @vincentchalamon - thank you.
The front-end application should be able to detect whether a component/resource is persisted to a database. It could be that a DataPopulator has added pseudo-resources to the output (perhaps some components created automatically using some other data). E.g. if there is a list of events and they need to appear in a navigation, a DataPopulator may add some navigation link resources to the output programmatically. The front-end should not be able to do anything to modify this component/location.
Some exceptions thrown are vague or inaccurate. With little experience of throwing the proper exception messages and how best to structure this, it'd be best for a more experienced developer to take a look through and quickly create exception classes with best-practices.
We must re-introduce the functionality from version 1 for standard security features. This includes:
We need to introduce tests to ensure code is working as expected and to prevent regression.
This includes unit and functional tests. We must also ensure that we get a good mutation score for the tests.
Target: 90% test coverage + 80% mutation score
^^ These targets are a little arbitrary at the moment due to a lack of experience writing tests. I'm not sure whether they will be achievable within budget for the current stage, but it is important to make a start. We can adjust these 1st stage targets as we progress and add a less important issue to increase coverage and mutation score at a later date if required.
Full review required
Process for verifying an email address not yet tested. Need to test this functionality works with behat scenarios.
Update login docs at the same time
controller.service_arguments tag on Action services
@author on each class or nowhere (configure php_cs.dist accordingly)
Currently there is basic support for handling files with this bundle using FileTrait and FilterInterface. This is limited for a number of reasons. We also use LiipImagine bundle for resizing images.
In v2 we should be using FlySystem v2 - it is in Alpha 3, but as this is a new bundle, and we will write many tests, this is the best option for longer term stability. To support the new Silverback\Files annotation the user must have a FlySystem adapter configured. We will NOT be using a bundle for this. The FlySystem implementation is very straightforward and another bundle would over-complicate this. It would also prevent us from supporting the latest version when released, as those packages have to handle many more use-cases than this bundle. We can create a simple interface and tag where the application developer is able to have a factory to provide the FlySystem adapter.
We will not support ANY other implementation of file systems for the time being. FlySystem is flexible enough, handles local files and has the ability to create adapters for any system. However, for Silverback use cases, S3 and Swift object storage are supported and are all we require other than local storage.
The downside is that LiipImagineBundle requires OneUp FlySystem Bundle. However, implementing our own Resolver and Loader is trivial.
Another bundle option is VichUploaderBundle - while it is well documented and many people use it, the failing builds, especially in Symfony v5, are a concern. It has a number of features ACB v1 implemented in different ways, such as v1 using a metadata object to return extended information about image files. We also detect whether the files are supported by Imagine, generate thumbnails/image versions and return an array of image data objects for each image variation. For these reasons we will be implementing our own File handling system. We also do not need to be quite as flexible as VichUploaderBundle and want to implement a single file upload endpoint to handle all upload requests for API resources, rather than an endpoint for each resource as documented in API Platform.
The Files feature will begin to be re-worked in the next week and this issue is a point of reference for the work to be undertaken.
Some user actions should possibly not be actions and adhere to REST API standards for their endpoints.
Review required and testing of many user functionalities needed as well.
Sub routes may be nested. E.g. /about/contact and /about/history could use the same hero and tab navigation on the hero and the nested page changes.
This works on v1 but the structure and functionality of this needs to be worked out for v2. v1 is very messy and unclear how this functionality is really working.
It would be good to allow a bundle configuration of a security expression defining those that are able to manage other users.
```gitattributes
/.gitattributes export-ignore
/.github export-ignore
/.gitignore export-ignore
/.scrutinizer.yml export-ignore
/Api Component Bundle Work Overview.docx export-ignore
/.php_cs.dist export-ignore
/docs export-ignore
/behat.yml.dist export-ignore
/infection.json.dist export-ignore
/phpunit.xml.dist export-ignore
/travis.php.ini export-ignore
/tests export-ignore
/features export-ignore
```
This bundle should follow Symfony supported versions: 3.4 (LTS), 4.4 (LTS) and 5.0 (latest).
extra.symfony.require version and test for each supported version (using matrix)
Any resource should be able to be linked with a 'draft' version. Drafts should be able to have a 'publish' date/time. Database time should be UTC, but the front-end will set local time with a full timestamp stating the timezone in which it is being set.
Draft versions should be created automatically as a resource is being modified.
When a draft component needs to be published, we want to copy the draft component into the original component so the original ID will stay the same.
Applies to:
Other resources will simply edit. Perhaps apply this with a trait/interface in case we want to apply this to other resources in future?
This issue needs some thought and discussion. It is a large feature of this bundle.
If a resource that is being edited is a draft, validation should take place, however the data should still save in the database where possible.
The only exception to this should be if a value is NULL and the database will not allow this.
When a resource is being changed to 'published' or a 'publish date' is being set, the validation will run and prevent this change if it fails.
If a resource is in a 'published' state validation will prevent the resource from being saved.
Docs need a lot more attention and work. Many features not documented, e.g. groups added to components and many options and guidance on each of the resources/objects.
Dynamic pages need documenting too, with examples. Dynamic content resources can be created and properties added which are components. A component position can refer to the property in the dynamic content and will overwrite an existing component in that location when output. Dynamic content resources are routable resources. Further functionality should be added with data transformers.
Currently assets are put within the views directory in the bundle. I feel this is wrong but it was a simple way to reference them and possibly allow CSS and images to be overridden?
I'm not sure, best practices advice required.
Minimally these are needed
When adding a ComponentPosition it should automatically populate the sort value if not defined with the next number available sequentially.
On create or update, if the sort value is defined, the API should prevent a duplicate sort value by also adjusting all other resources sort values which would be affected. So the existing position sort value that is the same as the new/updated entity will increase and this will cascade to the next entity etc.
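As an added illustration of the sort rules in this issue (not the bundle's own code), a plain-PHP sketch of the "next available" default and the cascading shift; the position list and ids are constructed sample data and the function name is hypothetical:

```php
<?php
declare(strict_types=1);

// Added illustration of the ComponentPosition sort rules above (not the
// bundle's code). $positions is a plain array of ['id' => string, 'sort' => int]
// for one component group. A null $sort takes the next sequential value; an
// explicit $sort shifts only the contiguous run of positions it collides with,
// so every sort value stays unique. Returns the list ordered by sort value.
function placePosition(array $positions, string $id, ?int $sort): array
{
    // An update re-places the same id, so drop its old entry first.
    $positions = array_values(array_filter($positions, fn ($p) => $p['id'] !== $id));
    usort($positions, fn ($a, $b) => $a['sort'] <=> $b['sort']);

    if ($sort === null) {
        // Next number available: one past the current maximum, 0 when empty.
        $sort = $positions === [] ? 0 : max(array_column($positions, 'sort')) + 1;
    } else {
        // Cascade: bump the entry sitting on $sort, then each following entry
        // that now collides with the one just bumped; stop at the first gap.
        $next = $sort;
        foreach ($positions as &$p) {
            if ($p['sort'] === $next) {
                $p['sort']++;
                $next++;
            }
        }
        unset($p);
    }

    $positions[] = ['id' => $id, 'sort' => $sort];
    usort($positions, fn ($a, $b) => $a['sort'] <=> $b['sort']);
    return $positions;
}

// Constructed sample: sorts 0,1,2,5 and a new component placed at 1 gives
// new=1, b=2, c=3 and d untouched at 5 (the gap at 4 stops the cascade).
$result = placePosition(
    [['id' => 'a', 'sort' => 0], ['id' => 'b', 'sort' => 1],
     ['id' => 'c', 'sort' => 2], ['id' => 'd', 'sort' => 5]],
    'new',
    1
);
assert(array_column($result, 'sort', 'id') === ['a' => 0, 'new' => 1, 'b' => 2, 'c' => 3, 'd' => 5]);
```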
You may have a component which can only be added to specific component groups. If there is a boolean on components whereby if the value is true the component can only be added to component groups that specifically allow it, then the user-interface becomes cleaner by not listing these components to be added to every component group, and the restriction will mean the component must be used properly.
We should implement best practices with refresh tokens: not exposing them to the end user and securely regenerating new JWT tokens. Invalidate refresh tokens once used and create a new one, and remove them on logout.
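An added example of the rotation policy this issue describes (not the bundle's implementation): a hypothetical in-memory store stands in for the database table, tokens are kept only as hashes, each use revokes the presented token and issues a replacement, and logout drops all of a user's tokens. The caller is assumed to mint the short-lived access JWT for the returned user id.

```php
<?php
declare(strict_types=1);

// Added example of the refresh-token rotation policy described above; it is
// not the bundle's code. A hypothetical in-memory store stands in for the
// database. Tokens are stored only as SHA-256 hashes, so a copied table cannot
// be replayed, and each use of a refresh token revokes it and issues a new one.
final class RefreshTokenStore
{
    /** @var array<string, array{user: string, expires: int}> keyed by token hash */
    private array $rows = [];

    public function issue(string $userId, int $ttlSeconds = 2592000): string
    {
        $token = bin2hex(random_bytes(32)); // only the client ever sees this value
        $this->rows[hash('sha256', $token)] = ['user' => $userId, 'expires' => time() + $ttlSeconds];
        return $token;
    }

    // Exchange a refresh token for a replacement. Returns [userId, newToken],
    // or null when the token is unknown, expired, or has already been used.
    // The caller then mints a fresh short-lived JWT for $userId.
    public function rotate(string $token): ?array
    {
        $key = hash('sha256', $token);
        $row = $this->rows[$key] ?? null;
        unset($this->rows[$key]); // single use: a second presentation fails
        if ($row === null || $row['expires'] < time()) {
            return null;
        }
        return [$row['user'], $this->issue($row['user'])];
    }

    // Logout: drop every refresh token belonging to the user.
    public function revokeAll(string $userId): void
    {
        $this->rows = array_filter($this->rows, fn ($r) => $r['user'] !== $userId);
    }
}

$store = new RefreshTokenStore();
$first = $store->issue('user-1');
[$userId, $second] = $store->rotate($first);
assert($store->rotate($first) === null);  // replay of the used token is rejected
$store->revokeAll($userId);
assert($store->rotate($second) === null); // logout removed the rotated token too
```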