Trongate Framework Documentation

trOnGAtE

Welcome
- Table of Contents
- Welcome To The Revolution
- Trongate's Free Forever Promise
- About These Docs
Getting Started
- A Word About MariaDB And MySQL
- Installing PHP and MySQL
- Let's Get Trongate!
Basics Concepts
- A Few Words About Coding Style
- The Structure of a Trongate Web App
- Introducing Modular HAVC
- The Problem With MVC
- Isn't this the same as HMVC?
- What's Inside A Module?
Understanding Routing
- What Is Routing?
- 404 Error Pages
- How Basic URL Routing Works
- Reading Values From The URL
- Preventing Methods From Being Invoked Via The URL
- Advanced Custom Routing
Controllers
- What Is A Controller?
- The Structure Of A Controller
- Defining A Default Controller
Views
- Understanding View Files
- An Example Of A View File Being Used
- Passing Data Into View Files
- Returning Views Output As A Variable
- Best Practices
The File Asset Manager
- Why We Need A File Asset Manager
- Basic Example - Part 1
- Basic Example - Part 2
- The Module Assets Trigger
- Additional Information
Modules Calling Modules
- Calling Another Module From A Controller
- Calling Another Module From A View
Super Modules & Sub Modules
- Complete Video Tutorial
- What Are Super Modules And Sub Modules?
- Accessing Sub Modules Via The URL
- Loading View Files From Within Sub Modules
- Accessing Sub Modules From Other Modules
Templates
- What Are Templates?
- How To Create Your Own Website Template
- Loading Templates
- Passing Information Into Templates
- Passing View Files Into Templates
- Template Partials
- About The Admin Template
Trongate CSS
- Introducing Trongate CSS
- Features and Benefits
- Trongate CSS Examples
- JavaScript Components
- Trongate CSS Video Tutorial
- Working With YouTube Videos
Helpers Explained
- Helpers Introduction
- The URL Helper
- The Form Helper
- The Form Validation Helper
- The Flashdata Helper
- The File Validation Helper
- The Pagination Helper
- Other Helpful Features
Form Handling
- Trongate's Approach To Form Handling
- Getting Started With Form Building
- Creating A Books Database Table
- Manually Building A Form
- Improving Our Form
- Form Validation (The Pipe Method)
- Form Validation (The Array Method)
- Displaying Form Validation Errors
- A Closer Look At The Post Method
- Repopulating Forms
- Creating Records
- Reading Records
- Table Joins
- Updating Records
- Deleting Records
- Custom Validation Callbacks
- CSRF Protection
Database Interaction
- How Trongate Works With Databases
- Getting Started
- How To Use Debug Mode
- The 'Get' Method
- The 'Get Where' Method
- The 'Get Where Custom' Method
- The 'Get One Where' Method
- The 'Get Many Where' Method
- The 'Count' Method
- The 'Count Where' Method
- The 'Count Rows' Method
- The 'Get Max' Method
- The 'Insert' Method
- The 'Update' Method
- The 'Delete' Method
- The 'Query' Method
- The 'Query Bind' Method
- The 'Insert Batch' Method
- Graphical Query Builder Video Tutorial
Uploading Files
- A General Overview Of File Uploading
- Building An Uploader Form
- Understanding The Upload Process
- Uploading Pictures
Working With Images
- How To Build Picture Uploaders - Video Demo
- Understanding Single Picture Uploaders
- The Submit Upload Method
- A Closer Look At Picture Settings
- The Drag 'n' Drop Multi File Uploader
- Controlling How Multi-File Uploaders Behave
The Module Import Wizard
- What Problem Does This Solve?
- How To Use The Module Import Wizard
Authorization and Authentication
- Section Introduction
- What We Are Trying To Achieve
- How Trongate's Token System Works
- The Three Security Tables
- Generating Tokens (JavaScript Friendly Version)
- Generating Tokens (PHP Friendly Version)
- Fetching User Data From Tokens (JavaScript friendly version)
- Fetching User Data From Tokens (PHP Friendly Version)
- More Useful Features
- Destroying Tokens (JavaScript Friendly Version)
- Destroying Tokens (PHP Friendly Version)
- Understanding HTTP Response Status Codes
The API Explorer
- An Introduction To The Trongate API Explorer
- API Terminology Explained
- Trongate's Built-In Endpoints
- Getting Started With The API Explorer
- Building Your Api Settings File
- Testing Your API Endpoints
- Optional Additional Parameters
- Before Hooks And After Hooks - General Overview
- Before Hooks - Deep Dive
- After Hooks - Deep Dive
- Querying Endpoints
- Understanding API Authorization
- How To Attach Tokens To Requests
- Wide Open Authorization
- Role Based Authorization
- ID Based Authorization
- User ID Segment Authorization
- User Code Segment Authorization
- User Owned Segment Authorization
- Custom API Endpoints
Before You Launch
- Hiding Your Admin Login URL
- Pre Launch Checklist
- Web Hosting Advice

switch to dark mode

Custom API Endpoints

Throughout this chapter, everything we've been doing has involved using Trongate's built-in API endpoints - all of which invoke code that's inside Api.php, which is inside the engine folder. Even with before hooks, after hooks and authorization rules in place, we're still ultimately falling back upon endpoints that have been pre-built into the framework.

However, there may be situations when you'd like to build your own API endpoints. That is, API endpoints that do not call upon or use any of Trongate's built-in endpoints.

The Most Basic Custom Endpoint That's Possible

Strictly speaking, an API endpoint is just a URL that has been designed to issue responses to HTTP requests. So, the PHP code below could produce an acceptable and perfectly valid API endpoint:

function hello() {
    echo 'hello';
}

Even without declaring the hello() method on an api.json file and even without actively declaring an HTTP response status code, the method above would still behave like a valid endpoint. In fact, PHP would automatically issue an HTTP response status code of 200 for us, whenever a method like hello() is invoked.

Therefore, to be clear, we do not need to declare any of our custom endpoints inside any api.json file. We can simply write our own methods and forget about everything covered in this chapter! However, declaring a method - like the one shown above - inside an api.json file has two benefits:

We can test our method inside the Trongate API Explorer
We can easily apply advanced authorization rules to our endpoint

Declaring A Custom Endpoint

The process for declaring a custom API endpoint, within an api.json file, is fundamentally the same as before. The only key difference is the 'url_segments' property. For custom API endpoints, the first URL segment (as defined by 'url_segments') should represent the module to be loaded and the second segment should represent the method to be invoked.

For example, suppose you had a method called hello(), inside a 'members' module. Such a method could be declared inside an api.json file with the following syntax:

  "Hello": {
    "url_segments": "members/hello",
    "request_type": "GET",
    "description": "Say hello",
    "authorization": "*"
}

Applying Security Rules

Trongate's token based API authorization system can be applied to a custom endpoint by adding the following line of code onto the start of a given method:

api_auth();

Let's Test This!

Let's create a method inside a controller file called hello(). We'll use precisely the same code as above, only this time, we'll add API authorization. This gives us:

â€‹function hello() {
    api_auth();
    echo 'hello';
}â€‹

Just To Let You Know

For this demonstration, we'll assume that our hello() method is inside a 'members' module. However, it could be inside any valid Trongate module.

Now, if you open your browser and navigate to your custom endpoint, you'll find that API authorization is now being enforced. As a matter of fact, if you don't have authorization rules declared - for your custom endpoint - then you'll see a warning on your screen, telling you why the endpoint has not been activated!

endpoint not activated alert

Did You Know?

When a custom API endpoint, like the one described, above is accessed, Trongate will attempt to read a security token from the header of the inbound HTTP request. However, if a valid Trongate security token is not found, in the header, then Trongate will revert to checking cookies and session data for a valid token.

WARNING!

The normal mechanisms for declaring before hooks and after hooks (on an api.json file) will not work for custom API endpoints. In instances where you'd like your custom endpoint to invoke other methods, just use ordinary PHP code.

Practical Example

Let's assume that we have an app that contains a module named 'members'. On our Members.php controller file, we could have a method that loads information relating to the members' account records. In a real-world situation, this kind of information might be private and we may wish to refuse access to everyone except:

users who have a role of 'admin'
users who can be matched with the particular record being queried

To make this as simple as possible, let's start with a basic PHP method that attempts to read a hypothetical 'member code' from a URL and then fetch a record, from the database, where a record is found to match our code:

function account($member_code) {
    $member_obj = $this->model->get_one_where('code', $member_code, 'members');

    if ($member_obj == false) {
        http_response_status(400); //bad request!
        echo 'Invalid member code';
        die();
    } else {
        http_response_code(200);
        echo json_encode($member_obj);
    }

}

As things stand, our method above would successfully fetch a record and return a JSON object, provided all required table columns and correlating data were in place. However, this API endpoint would be wide open! So, anyone who happened to have a valid 'member code' could access private information relating to member accounts.

To solve this, we could combine Role Based Authorization with User Owned Segment Authorization. Our goals here would be:

to use Role Based Authorization to check if the end user has a role of 'admin'
to use User Owned Segment authorization to check if the record being fetched belongs to the end user.

Just To Let You Know

With Trongate, end users only have to pass one API authorization test to be granted access to a secure API endpoint.

Our two required authorization tests could be applied to an API endpoint setting with the following code:

"authorization": {
    "roles": ["admin"],
    "userOwnedSegment": {
        "column": code,
        "segmentNum": 3
    }
}

Just To Let You Know

For this example to be meaningful, we have to assume that we have a 'members' database table that has a column called 'code' and another column called 'trongate_user_id'.

ADDING API AUTHORIZATION TO OUR CUSTOM ENDPOINT METHOD

To add API Authorization to our custom endpoint, we have to add 'api_auth()' onto the start of our account() method. This leaves us with a method that has the following PHP code:

â€‹function account($member_code) {
    api_auth();
â€‹    $member_obj = $this->model->get_one_where('code', $member_code, 'members');

â€‹    if ($member_obj == false) {
â€‹        http_response_status(400); //bad request!
â€‹        echo 'Invalid member code';
â€‹        die();
â€‹    } else {
â€‹        http_response_code(200);
â€‹        echo json_encode($member_obj);
â€‹    }

â€‹}

DECLARING OUR CUSTOM API ENDPOINT SETTINGS

The code for declaring our custom API endpoint setting could take the following form:

"Fetch Account": {
â€‹    "url_segments": "members/account",
â€‹    "request_type": "GET",
â€‹    "description": "Fetch account information",â€‹
    "authorization": {
â€‹        "roles": ["admin"],
â€‹        "userOwnedSegment": {
            "column": code,
â€‹            "segmentNum": 3
â€‹        }
    }
}

HELP & SUPPORT

If you have a question or a comment relating to anything you've see here, please goto the Help Bar.