-
Carsten Rose authoredCarsten Rose authored
==== REST
- https://en.wikipedia.org/wiki/Representational_state_transfer
- https://restfulapi.net
- https://poe-php.de/tutorial/rest-einfuehrung-in-die-api-erstellung
- https://blog.restcase.com/top-5-rest-api-security-guidelines/
General Concept
-
There is one PHP file to handle all REST calls:
typo3conf/ext/qfq/Classes/Api/rest.php
-
All further endpoints are appended after rest.php, seperated by '/'. Example:
The argument 'myEmail' is just to show how GET variables will be submitted.
-
Each
level
is a QFQ form. In the above example:restPerson
andrestAddress
-
A QFQ form will be enabled for REST calls via field 'Permit REST'. Possible options: get, insert (post), update (put), delete
-
An optional HTML header token based 'authorization' is supported.
-
At least one
level
(= form name) has to be given. -
Multiple
level/id
tuple are possible. -
Only the last level will be used. The last
level
becomes automaticallyform
in STORE_TYPO3. -
The last
id
becomes automaticallyr
in STORE_TYPO3. -
Previous
level
andid
are accessible via{{_id1:C}}
,{{_form1:C:alnumx}}
,{{_id2:C}}
,{{_form2:C:alnumx}}
, ... -
Import/Export data has to be/is JSON encoded.
-
The following settings has no impact to QFQ forms called via REST:
form.Permit New
,form.Permit Edit
HTML Requests
GET - export
Example:
curl -X GET "http://localhost/qfq/typo3conf/ext/qfq/Classes/Api/rest.php/restPerson"
Details:
- no
id
orid=0
(example: 1, 123): The result ofForm.parameter.restSqlList
will be generated. -
id>0
(example: 1, 123): the result ofForm.parameter.restSqlData
will be generated. - The whole resultset will be JSON encoded.
- It's not possible to render subrecords. This has to be done via a sub level (next form).
- Future: If this is not sufficient, a possible solution might be a
report
-notation (special FormElement), which do not implode all output, but leave the rows/cells intact as an array - the json_encode will then to the rest.
POST - insert
Example:
curl -X POST "http://localhost/qfq/typo3conf/ext/qfq/Classes/Api/rest.php/restPerson" -d '{"name":"Miller","firstname":"Jonni"}'
Details:
- The data has to be JSON encoded transferred to the REST API.
- The JSON stream will be decoded to an array and copied to $_POST.
- The further process is identically to a standard 'form submit'.
- There should be no
id
given orid=0
.
PUT - update
Example:
curl -X PUT "http://localhost/qfq/typo3conf/ext/qfq/Classes/Api/rest.php/restPerson/1" -d '{"name":"Miller","firstname":"Jonni"}'
Details:
- The data has to be JSON encoded transferred to the REST API.
- The JSON stream will be decoded to an array and copied to $_POST.
- The further process is identically to a standard 'form submit'.
- There have to be an
id>0
.
Delete
Example:
curl -X DELETE "http://localhost/qfq/typo3conf/ext/qfq/Classes/Api/rest.php/restPerson/1"
Details:
- The data has to be JSON encoded transferred to the REST API.
- The JSON stream will be decoded to an array and copied to $_POST.
- The further process is identically to a standard 'form submit'.
- There have to be an
id>0
.
Header Token Authorization
Example:
curl -X GET -H 'Authorization: Token token="mySuperSecretToken"' "http://localhost/qfq/typo3conf/ext/qfq/Classes/Api/rest.php/restPerson/"
Static token
Per form configure form.parameter.restToken=mySuperSecretToken
.
Dynamic token
The client supplied authorization token is available via the client store: {{Authorization:C:alnumx}}
.
Take the Client token and check if it saved in a table with all user token:
form.parameter.restToken={{SELECT a.token FROM Auth AS a WHERE a.token='{{Authorization:C:alnumx}}' }}
DEBUG
Append the GET variable ?XDEBUG_SESSION_START=1
Example:
curl -X POST "http://localhost/qfq/typo3conf/ext/qfq/Classes/Api/rest.php/restPerson?XDEBUG_SESSION_START=1" -d '{"name":"Miller","firstname":"Jonni"}'
PhpStorm with activated debugger will stop at any breakpoint and 'stepping' through the code is possible.