Trongate Framework Documentation

trOnGAtE

Welcome
- Table of Contents
- Welcome To The Revolution
- Trongate's Free Forever Promise
- About These Docs
Getting Started
- A Word About MariaDB And MySQL
- Installing PHP and MySQL
- Let's Get Trongate!
Basics Concepts
- A Few Words About Coding Style
- The Structure of a Trongate Web App
- Introducing Modular HAVC
- The Problem With MVC
- Isn't this the same as HMVC?
- What's Inside A Module?
Understanding Routing
- What Is Routing?
- 404 Error Pages
- How Basic URL Routing Works
- Reading Values From The URL
- Preventing Methods From Being Invoked Via The URL
- Advanced Custom Routing
Controllers
- What Is A Controller?
- The Structure Of A Controller
- Defining A Default Controller
Views
- Understanding View Files
- An Example Of A View File Being Used
- Passing Data Into View Files
- Returning Views Output As A Variable
- Best Practices
The File Asset Manager
- Why We Need A File Asset Manager
- Basic Example - Part 1
- Basic Example - Part 2
- The Module Assets Trigger
- Additional Information
Modules Calling Modules
- Calling Another Module From A Controller
- Calling Another Module From A View
Super Modules & Sub Modules
- Complete Video Tutorial
- What Are Super Modules And Sub Modules?
- Accessing Sub Modules Via The URL
- Loading View Files From Within Sub Modules
- Accessing Sub Modules From Other Modules
Templates
- What Are Templates?
- How To Create Your Own Website Template
- Loading Templates
- Passing Information Into Templates
- Passing View Files Into Templates
- Template Partials
- About The Admin Template
Trongate CSS
- Introducing Trongate CSS
- Features and Benefits
- Trongate CSS Examples
- JavaScript Components
- Trongate CSS Video Tutorial
- Working With YouTube Videos
Helpers Explained
- Helpers Introduction
- The URL Helper
- The Form Helper
- The Form Validation Helper
- The Flashdata Helper
- The File Validation Helper
- The Pagination Helper
- Other Helpful Features
Form Handling
- Trongate's Approach To Form Handling
- Getting Started With Form Building
- Creating A Books Database Table
- Manually Building A Form
- Improving Our Form
- Form Validation (The Pipe Method)
- Form Validation (The Array Method)
- Displaying Form Validation Errors
- A Closer Look At The Post Method
- Repopulating Forms
- Creating Records
- Reading Records
- Table Joins
- Updating Records
- Deleting Records
- Custom Validation Callbacks
- CSRF Protection
Database Interaction
- How Trongate Works With Databases
- Getting Started
- How To Use Debug Mode
- The 'Get' Method
- The 'Get Where' Method
- The 'Get Where Custom' Method
- The 'Get One Where' Method
- The 'Get Many Where' Method
- The 'Count' Method
- The 'Count Where' Method
- The 'Count Rows' Method
- The 'Get Max' Method
- The 'Insert' Method
- The 'Update' Method
- The 'Delete' Method
- The 'Query' Method
- The 'Query Bind' Method
- The 'Insert Batch' Method
- Graphical Query Builder Video Tutorial
Uploading Files
- A General Overview Of File Uploading
- Building An Uploader Form
- Understanding The Upload Process
- Uploading Pictures
Working With Images
- How To Build Picture Uploaders - Video Demo
- Understanding Single Picture Uploaders
- The Submit Upload Method
- A Closer Look At Picture Settings
- The Drag 'n' Drop Multi File Uploader
- Controlling How Multi-File Uploaders Behave
The Module Import Wizard
- What Problem Does This Solve?
- How To Use The Module Import Wizard
Authorization and Authentication
- Section Introduction
- What We Are Trying To Achieve
- How Trongate's Token System Works
- The Three Security Tables
- Generating Tokens (JavaScript Friendly Version)
- Generating Tokens (PHP Friendly Version)
- Fetching User Data From Tokens (JavaScript friendly version)
- Fetching User Data From Tokens (PHP Friendly Version)
- More Useful Features
- Destroying Tokens (JavaScript Friendly Version)
- Destroying Tokens (PHP Friendly Version)
- Understanding HTTP Response Status Codes
The API Explorer
- An Introduction To The Trongate API Explorer
- API Terminology Explained
- Trongate's Built-In Endpoints
- Getting Started With The API Explorer
- Building Your Api Settings File
- Testing Your API Endpoints
- Optional Additional Parameters
- Before Hooks And After Hooks - General Overview
- Before Hooks - Deep Dive
- After Hooks - Deep Dive
- Querying Endpoints
- Understanding API Authorization
- How To Attach Tokens To Requests
- Wide Open Authorization
- Role Based Authorization
- ID Based Authorization
- User ID Segment Authorization
- User Code Segment Authorization
- User Owned Segment Authorization
- Custom API Endpoints
Before You Launch
- Hiding Your Admin Login URL
- Pre Launch Checklist
- Web Hosting Advice

switch to dark mode

Generating Tokens (JavaScript Friendly Version)

Now, with the assumption that your database is ready for action, let's explore how to generate security tokens with Trongate. The instructions here have been designed to be JavaScript friendly.

Testing Token Management

If you are in 'dev' mode, you should be able to access Trongate's API Manager. This is a feature that will help you to easily test your token management. The URL for handling 'trongate_tokens' is,

http://localhost/your_app/api/explorer/trongate_tokens

Just To Let You Know

Obviously, you would have to replace the URL above with a URL that uses your app's base URL, as defined inside /config/config.php.

Trongate's API Manager

Inside your 'modules' folder, there's a module named 'trongate_tokens'. This module contains a controller file with a PHP class named, 'Trongate_tokens'. This class can be used to generate security tokens.

The 'Generate Token' API Endpoint

Trongate apps contain an API endpoint that can be used to generate tokens via HTTP POST requests. The URL for generating tokens is your base URL followed by trongate_tokens/generate.

Just To Let You Know

If you are eager to disable this endpoint, open up Trongate_tokens.php (it's inside the trongate_tokens module) and add a die(); statement at the beginning of the 'generate' method. For example,

    function generate() {

    die();  //disable this endpoint!

    /*
        generate token by POST (for devs who like JavaScript)
        $posted data may contain:
        user_id ~ int(11) : required
        expiry_date ~ int(10) : optional
    */

    if ($_SERVER["REQUEST_METHOD"] !== 'POST') {
        http_response_code(403);
        echo 'Forbidden';
        die();
    } else {
        //fetch posted data
        $posted_data = file_get_contents('php://input');
        $input = (array) json_decode($posted_data);
        $data = $this->_pre_token_validation($input);
    }

    $token = $this->_generate_token($data);
    http_response_code(200);
    echo $token;
}

Required Parameters

In order to generate a token, you will be required to post a 'user_id' value. This should be a numeric value that represents the ID, on the trongate_users table, that corresponds with the user who is requesting a new token.

You may also, if you wish, submit an optional 'expiry_date'. The expiry_date should be a Unix timestamp representing the date and time when token should expire.

Did You Know?

In PHP, Unix timestamps are ten digit numeric values.

Top Tip

Use PHP's in-built time() function to generate a Unix timestamp that represents now. Combining the time() function with a little arithmetic can allow us to easily generate meaningful expiry dates in PHP. For example, there are 86,400 seconds in a day. To get an expiry date that is three days into the future we could say:

<?php
$expiry_date = time() + (86400*3);
?>

The screenshot below show an example of Trongate's API Manager being used to test token generation where a user_id and expiry_date have been submitted. As you can see (near the top right hand side) the server has responded with a '200' status code and a token has been issued.

generating a token with Trongate's API Manager

Did You Know?

If you do not submit a token expiry date, Trongate will use the default token lifespan as a fallback. The default token lifespan is set at the top of the Trongate_tokens class and it has a value of 86400 seconds (i.e., one day).

Token Generation For Live Apps

Once your Trongate app is in a live environment - in other words, your ENV value (as declared in config.php) is no longer set to 'dev' - then token generation becomes a little more strict.

Clearly, it would be a security risk if we allowed anyone to generate tokens simply by submitting a user_id to a known endpoint.

Therefore, in live environments you will be required to add your own additional validation code inside the _pre_token_validation() method, as declared in Trongate_tokens.php. By default, this method contains the following code:

    function _pre_token_validation($input) {
    if (ENV !== 'dev') {
        //add your own validation code here!
        echo 'Forbidden (no validation tests available)';
        http_response_code(403);
        die();
    }

    if (!isset($input['user_id'])) {
        http_response_code(400);
        echo 'No user_id submitted!';
        die();
    } elseif(!is_numeric($input['user_id'])) {
        http_response_code(400);
        echo 'Non-numeric user_id submitted!';
        die();
    }

    return $input;
    }

Your job, therefore, would be to add your own custom validation tests inside the first IF statement of the _pre_token_validation() method. The precise code that will make up your validation tests is a decision for you, the developer, and falls outwith the scope of this documentation. However, for clarity, here is the method again - this time a few lines removed and comments indicating where you should add your own validation tests:

function _pre_token_validation($input) {
    if (ENV !== 'dev') {
        //add your own validation tests here
        //for example, check posted username and password
    }

    if (!isset($input['user_id'])) {
        http_response_code(400);
        echo 'No user_id submitted!';
        die();
    } elseif(!is_numeric($input['user_id'])) {
        http_response_code(400);
        echo 'Non-numeric user_id submitted!';
        die();
    }

    return $input;
}

Did You Know?

In PHP, the following two lines of code can be used to accept parameters that have been posted via conventional JavaScript post requests:

$posted_data = file_get_contents('php://input');
$data = (array) json_decode($posted_data);

HELP & SUPPORT

If you have a question or a comment relating to anything you've see here, please goto the Help Bar.