API Platform 2.0 released: creating powerful web APIs has never been so easy

api-platform-demo

After 1 year of development and more than 700 commits authored by a hundred contributors across the world, the new major release of API Platform is immediately available for download.

API Platform is a PHP 7 framework dedicated to the creation of modern and powerful web APIs. It is especially adapted to build API-centric information systems relying on hypermediaLinked Data; and consumed by Single-Page Applications (using Javascript libraries such as React or Angular) and mobile apps.

API Platform 2 has been built with 3 strong opinions in mind:

  • Creating an API must be an easy and quick process: any web developper should be able to create a REST API in just a few minutes including CRUD support, data validation, filtering and sorting, autogenerated documentation, OAuth and JWT authentication, CORS and other security HTTP headers, caching
  • Modern open formats must be supported out of the box, without requiring any extra work for the developper: Swagger/OpenAPI, JSON-LD, Hydra, HAL, API Problem (RFC 7807) and Schema.org are supported out of the box, the powerful abstraction layer of the framework easily allows adding support for other emerging API formats (JSONAPI and GraphQL support is in progress)
  • Every feature of the framework must be extensible, overridable and modular

API Platform v2 is a massive rewrite of the framework, with tons of new features and bug fixes. The whole design has been rethinked, but let’s take a tour of the major new features and changes:

Revamped Config and Metadata: Exposing an API is a Matter of Seconds

Thanks to the new configuration system and the new metadata component, to create a high grade hypermedia API you just have to modelize your data model as a set of PHP classes then to add some annotations. Example:

This single class is enough to get a working API with the following features:

  • basic CRUD operations
  • data validation and error serialization
  • JSON-LD, Swagger, Hydra support (a lot of other formats can easily be added, see below)
  • pagination
  • an awesome UI and an extensive human-readable documentation reusing PHPDoc’s data and PHP metadata like types (see below)

Checkout our demo to play with a more advanced example (source code, only 2 classes)!

Hypermedia relations are handled out of the box. Leveraging any other feature of API Platform is just a matter of adding a few lines of configuration. Learn more in our getting started guide.

If you don’t like annotations, you can use XML or YAML configuration files instead. If you don’t like the Doctrine ORM (or doesn’t want to tight the exposed data model to the internal model of the database); or if you don’t want to use the Symfony validator, you can create adapters to hook your custom code and use your preferred libraries. API Platform is designed to be fully extensible.

Docker Integration

API Platform’s official distribution is shipped with a Docker setup adapted to API devlopment. It includes a Apache + PHP 7 and a MySQL image. To get an API Platform app up and running on your computer, type the following commands in the main directory:

The app is up and running, browse http://localhost to get started.

API Platform’s images can be deployed easily in production using Docker Swarm (Amazon Web Services, Azure…) or Google Container Engine (with Kubernetes).

A Data Model Generator on Steroid

Instead of crafting your own data model, why not reusing an open vocabulary like the very popular Schema.org and feel the power of Linked Data and Semantic Web? Yes, just like Google but for free.

Since its first release, API Platform comes with a handy code generator allowing to bootstrap a whole PHP data model including classes, properties, getters and setters, full PHPDoc, Doctrine mappings, API Platform’s external vocabulary mappings and validation annotations.

This generator has been updated to match the new configuration format of API Platform 2 and to allow generating custom classes and properties.

The following config file contains a selection of Schema.org’s types and properties. When using the generator to create the corresponding data model, a working API is created without writing a single line of PHP:

Learn more about the generator in the docs and the demo application.

Content Negotiation and Built-in Support for JSON-LD, Hydra, HAL, YAML, CSV and XML

API Platform now natively supports content negotiation (only JSON-LD and Hydra was previously supported) as well as most popular API formats. To be able to retrieve or send resources in a specifc format, you enable them in the configuration file:

This config enable all built-in formats (Symfony 3.2, actually in RC stage, is required for YAML and CSV support). Then, you can request the format you want through the UI using the proper Accept HTTP header, or by adding the format name as extension of any URL of the API (example: https://demo.api-platform.com/books.jsonld).

Support for formats not supported by default can be added by writing custom adapters.

Learn more about content negotiation in API Platform.

A Powerful UI and Automatic Swagger 2 Docs

API Platform 2 generates an extensive Swagger 2/OpenAPI documentation. All URLs and types are automatically described thanks to our powerful metadata extraction system.

A web interface built on top of Swagger UI is also automatically available. Request any API’s URL using a web browser and (thanks to the Accept header sent by the browser), API Platform will display the request sent to the API and the received response in a nice web interface. It will also display a human-readable documentation of the current operation.

api-platform-ui

Browse the homepage to see the documentation of all available operations, including the description of resources and properties extracted from PHP metadata. Use the sandbox to play with your API.

New Filters and Extension Mechanism

Several new built-in filters have been added. In addition to the existing search, date and range filters, the following are now available:

  • boolean: filter by a boolean property
  • numeric: search numeric fields

The filters are now available directly from the UI and documented in both Swagger and Hydra formats.

Learn how to add filters to your API collections.

Filters are now implemented using the brand new extension system. This system allows to hook to the database query generation process and to customize them. It’s particularly useful to implement security features.

Learn how to leverage the extension mechanism to filter the result of an entrypoint depending of the role of the connected user in the documentation.

Secure by default, tested against OWASP’s recommendations for REST APIs

API Platform 2 follows OWASP’s security recommendations for all its built-in features. We created a test suite to ensure that all recommendations applying to API Platform are followed and documented.

Checkout what API Platform 2 do to secure your API.

Improved performance

We are continuously improving the performance of API Platform and Symfony components it uses (like the Serializer or the PropertyAccess component). This new version is faster than v1 and automatically optimizes SQL queries regarding current serialization groups.

API Platform 2 is also compatible with PHP PM. When using it, API response times are divided by 10.

Availability as Standalone Components, Decoupled from Symfony and Doctrine

API Platform is designed as a set of standalone PHP components: the metadata system; JSON-LD, Hydra, Swagger, HAL serializers, Doctrine and Symfony components bridges…

All those components can be used separately to create your own APIs. For now, the Core library must be downloaded, but a subtree split to allow specific component installation will be available for the 2.1 version. Specific classes can already be used separately of the standard distribution, and without Symfony.

We also moved the code generic enough directly to Symfony. For instance the new Symfony’s PropertyInfo component has been extracted from API Platform.  Some new bug fixes and new features and like the MaxDepth as well as YAML and CSV support for the Symfony Serializer has been done while working on API Platform.

Doctrine has never been mandatory to use API Platform, but the set of interfaces to implement to use another persistence system has been rethought and is now documented.

Quality and QA improvements

We dramatically improved the quality of the API Platform code base for this v2. API Platform v1 was already well tested through Behat. In v2 we added a lot of unit tests to prevent bugs and prove that every class respect SOLID principles. The code coverage is now of 96%. Our test suite is automatically run both on Linux (using Travis) and Windows (using AppVeyor).

We also used Scrutinizr and SensioLabs Insight to detect bad practices and improve the overall quality of our code base. API Platform is rated 8.7/10 on Scrutinizr and has the Platinum medal (best rating) on Insight.

Documentation Rewrite and New Website

The documentation has been improved, almost all new features documented and the Getting Started guide fully rewrote. A new website built with React and Redux has also been created. It supports universal rendering and provides a powerful search engine thanks to Algolia’s DocSearch.

A Growing Community

API Platform it’s more than 100 contributors, an awesome core team (Amrouche HamzaAntoine BluchetSamuel ROZETeoh Han HuiThéo FIDRYVincent CHALAMON and myself), workshops and conferences talks across the world (don’t miss the workshop at the Berlin’s Symfony Con next week).

API Platform has been in the top GitHub trending PHP repositories several times during past months (and 1st one time) beside great projects like Laravel, Symfony and WordPress and has now more than 1k stars.

It’s amazing! Thanks to everybody having worked on the code base, contributed to the documentation or evangelized about the solution, you rock!

Training, development, professional services and workshops are also provided worldwide by Les-Tilleuls.coop, API Platform’s creators.

What’s next

The release of API Platform v2 is just the first step! We’re already working on new features and some of them are already ready to be merged in the 2.1 branch including:

More to come! Stay tuned!

If you haven’t already done it, it’s time to give a try to API Platform!

Petite introduction à l’auto-défense numérique

Présentation effectuée pour la première fois samedi 5 novembre pour la CNT Lille :

Services de renseignement des États, multinationales du web (GAFAM), employeurs voir proches indiscrets… à l’heure de l’omniprésence du web dans nos vies, nous sommes tous fichés et surveillés. Cependant, il existe des méthodes (plus ou moins efficaces) qui permettent de limiter les dégâts.
Au cours d’un atelier pratique destiné aux débutants, nous découvrirons les principes généraux des techniques de fichage et de surveillance puis manipulerons quelques outils permettant de s’en protéger sur ordinateur et sur téléphone mobile.

 

[Slides] Forum PHP: Create Symfony apps as quickly as with Laravel and keep your code framework-agnostic

Slides of my talk at AFUP’s Forum PHP 2016.

You’ll learn about RAD and autowiring, the ADR pattern, framework agnostic controllers, PSR-7, PSR-15 and PSR-17.

[Slides] Take Off Conf 2016: Creating a hypermedia API in 5 minutes with API Platform

This morning I was speaking about the API Platform framework at the Take Off Conf in my hometown of Lille. Take a look at my slides, and learn how to create a fully featured hypermedia API in a few minutes!

ADR pattern, autowiring, DunglasActionBundle: Symfony controllers redesigned

Here are the slides of the talk I gave yesterday at the Symfony meetup (sfPot) of Lille. I was presenting DunglasActionBundle, a refinement of the the Symfony controller system and talking about services autowiring and the ADR pattern.

The first alpha of API Platform 2.0 is available!

The first alpha of API Platform 2.0 has been released!

Take a look to this presentation to discover changes and new features of this version:

These slides have been presented first in the sfPot conference of Paris (May 17, 2016).

DunglasActionBundle 0.3.0 released!

DunglasActionBundle is an alternative controller system for the Symfony framework relying on autowiring and inspirited by the ADR pattern. Thanks to this bundle, controllers, commands and event listeners are automatically detected and registered as services. All their dependencies are also automatically registered. See the GitHub repository for an extensive documentation.

A lot of work have been done in  during the last months to improve the reliability and the usability of the bundle. Today I’m proud to announce a new release of this bundle (0.3.0). It is available on GitHub and includes the following changes:

  • Actions and controllers (src/*Bundle/Action and src/*Bundle/Controller directories), commands ( src/*Bundle/Command) and event listeners ( src/*Bundle/EventListener) are auto-registered by default
  • The name of auto-registered services are now the Fully Qualified Name of the registred class
  • Directories containing classes to auto-register as services are now configurable
  • Directories of third-party bundles (vendor/) are not tracked by default anymore
  • It’s not necessary anymore to clear the cache manually when a new class is added or removed from a tracked directory
  • If the class of an automatically registred service implements the ContainerAwareInterface, the container is automatically injected into it
  • It’s now possible to automatically add custom tags to auto-registered services
  • The custom routing annotation loader has been removed thanks to a bug fix in Symfony core (this feature still works out of the box)
  • The “autodiscover” feature has been removed, paths must be configured explicitly (regex supported)
  • The bundle can now be configured using the XML format
  • PHP 5.5 support has been added
  • Lot of a bug fixes

Thanks to @Ener-Getick, @stof and @weaverryan for their contributions and good design advices.

If you like this bundle, please give it a star on GitHub!

 

DunglasActionBundle: Symfony controllers, redesigned

Today is my birthday, but – unusually – I offer the gift: DunglasActionBundle – a replacement for the Symfony controller subsystem.

Since few months, a lot of discussions and experimentations are occurring in the Symfony world to find a better and moderner way to  create controllers.

During the past summer, I’ve already switched the API Platform project from the traditional controller system to a variant of the ADR pattern.

Thanks to the support of autowiring I’ve introduced in the version 2.8 of the Dependency Injection Component, it’s now possible to create a generic (and I hope superior) replacement for the controller system of the full stack framework.

With this new system, no more inherited controller class, no more traits, only a plain old callable!

It is as convenient as the original but doesn’t suffer from its drawbacks:

  • Action classes are automatically registered as services by the bundle
  • Dependencies of action classes are explicitly injected in the constructor (no more ugly access to the service container)
  • Dependencies of action classes are automatically injected using the autowiring feature of the Dependency Injection Component
  • Only one action per class thanks to the __invoke() method (but you’re still free to create classes with more than 1 action if you want to)
  • 100% compatible with common libraries and bundles including SensioFrameworkExtraBundle annotations

DunglasActionBundle allows to create reusable, framework agnostic (especially when used with the PSR-7 bridge) and easy to unit test actions.

Guess what, it plays very well with the new Symfony micro framework too!

Installation

As usual, use Composer to install this bundle:

Then add the bundle in your application kernel:

Optional: to use the @Route annotation add the following lines in app/config/routing.yml:

Usage

  1. Create an invokable class in the Action\ namespace of your bundle:

There is not step 2! You’re already done.

All classes inside of the Action/ directory of your project bundles are automatically registered as services. By convention, those services follow this pattern: action.The\Fully\Qualified\Class\Name.

For instance, the class in the example is automatically registered with the name action.AppBundle\Action\MyAction.

Thanks to the autowiring feature of the Dependency Injection Component, you can just typehint dependencies you need in the constructor, they will be automatically injected.

Service definition can easily be customized by explicitly defining a service named according to the same convention:

This bundle also hooks into the Routing Component (if it is available): when the @Route annotation is used as in the example, the route is automatically registered: the bundle guesses the service to map with the path specified in the annotation.

Dive into the TestBundle to discover more examples such as using custom services with ease (no configuration at all) or classes containing several actions.

Using the Symfony Micro Framework

You might be interested to see how this bundle can be used together with the Symfony “Micro” framework.

Here we go:

Amazing isn’t it?

Want to see a more advanced example? Checkout our test micro kernel.

You like this bundle? Give it a star on GitHub!

Making the Symfony PropertyAccess Component 84% faster in 2.8… and counting

Update 12/06/15: I’ve opened a PR making the PropertyAccess Component 84% faster than before. It implements strategies explained at the end of this post.

This PropertyAccess component allows to access to a property of an object (or a to a key of an array) regardless of the access strategy that must be used. It is smart enough to access directly to  public  properties and to use getters, setters, issers, adders, removers, magic methods and so on for private  and protected ones. It is also allows to access a property trough an object graph using a straightforward notation:  $propertyAccessor->getValue($rootObject, 'foo.bar.baz'); .

As you may know, some components of the Symfony framework including Form and the Serializer (see the ObjectNormalizer) rely heavily on it. The JSON-LD normalizer of the API Platform framework also use it intensively. In fact, more than 250+ open source projects rely on the PropertyAccess component (and it has been installed more than 1M times).

It’s a convenient and popular piece of software. But this convenience has a cost: the PropertyAccess component is slow: internally, it uses the PHP Reflection API to guesses what’s the strategy needed to read or write a property.

When using this component in a loop (ex: to normalize a collection of objects to an associative array using the ObjectNormalizer), its slowness become a significant problem.

Here is a benchmark for the PropertyAccess component:

And here is the profile generated by the awesome Blackfire.io: with Symfony 2.7.6:

As you can see the logic to guess the access strategy is executed at each loop iteration. As the structure of a PHP class generally never changes at runtime, a possible optimisation path is to guess the strategy to use for the property of a given class during the first iteration then cache it in an array. This way, the cached access strategy can be reused without extra computations every other time during the current execution thread.

Let’s try that:

Symfony PropertyAccess performance improvement

(Click on the image to read the full Pull Request description and the related code).

Thanks to this new caching strategy, the PropertyAccessor Component included in Symfony 2.7.7 (and more recent versions) is now 54% faster according to the same benchmark:

But the component can be even more optimized.

For instance, the constructor of the Symfony\Component\PropertyAccess\PropertyPath  class uses a slow regular expression. This constructor is still called at each iteration in a loop. The result of the regular expression isn’t cached:

A similar cache mechanism should be used to avoid executing the same regular expression at each iteration. I’ve started to work on a patch doing that, but it still needs some work before being ready to be merged in Symfony. This patch improves the performance of the PropertyAccess of 20% more. Using both patches, the component is 70% faster than in 2.7.6.

There is another promising way to improve the performance of this component: for now the access strategy is always guessed the first time a property is accessed during an execution thread (e.g. when handling an HTTP request). Using a permanent cache system (such as APC or Redis trough the Doctrine Cache library) in complement of the in-memory array would allow to guess the strategy only one time, (e.g. during the first HTTP request), then reuse it for each next executions. Symfony 3.1 will have this feature.

By the way, a similar optimization has been done on the ObjectNormalizer. It needs to know the list of properties of an object to normalize it. This list wasn’t cached either. In Symfony 2.8, it’s done:

Capture d’écran 2015-12-01 à 22.55.40

Thanks to this patch and to the optimization of the PropertyAccess component, the ObjectNormalizer is 40% faster in Symfony 2.8/3.0 than in Symfony 2.7.6!

My slides about API Platform from AFUP’s Forum PHP 2015

My slides from this morning at Forum PHP Paris about API Platform:

Open the slides in full screen