COMP3512
winter 2024
lec-php-09
Here comes JS!


I still have some index cards....
...anyone want one?
Project Marking Scheme
is up
Any questions?
let's talk about these things today:
◉ Remember lab-01? You consumed an API!
◉ What's a prepared statement - and why should I use them?
◉ Can we clean this up at all?
API endpoints
◉ How do I do user authentication for the Project?
Password Authentication
Before I forget!
I didn't have time to cover how to add and delete rows in DB tables using PDO...and you totally need to do that for the Project!
Looks like you've got some investigation to do....
How do I do user authentication for the Project?
The Functional Requirements for the Project have a few checkboxes you might be wondering about.

Wait...what administrator table?!?

Yeah. You have to make that.
You might be wondering what it needs to hold.
It must have a username field and a password field, right?

Are you crazy?!?!? You NEVER store passwords in a database table!
Why is that a bad idea? 🤔
What should you store instead? 🤔

Uh...a hash?
What's that? 🤔
It's what's produced by a one-way math function that takes in text and spits out... hashed text. One-way means you can compute the hash from the password but not the password from the hash. password_hash() also mixes in a random salt and is deliberately slow, so two administrators with the same password get different hashes and guessing them is expensive.
hashing-playground/hash.php

What's that password_verify()?
It's a super-convenient function - that you must use! It reads the algorithm, cost and salt out of the stored hash and does the comparison for you, so you never compare hashes with == yourself.
hashing-playground/verify.php
PUTTING IT ALL TOGETHER
- Create an administrator table with username and hash fields. They can be VARCHAR(255) - a bcrypt hash is 60 characters, and the extra room covers a future change of default algorithm.
- Add rows for each administrator you need, using their username and a hash of their password that you create by calling password_hash($password, PASSWORD_DEFAULT). You can just copy-paste the result of calling the function into the table using the Database Client extension.
- Don't forget to add JP's entry!
- Alter the code you currently use in your form to validate the username and password so that it now looks up the hash for the username logging in (with a prepared statement) and verifies it using password_verify(). Never select the row by username AND password - the plaintext is never in the table.
⚠️Look for opportunities to make helper functions!
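Here is the whole flow in one file, as an added example rather than the lecture's hashing-playground code: it inserts an administrator row through PDO (the add-rows part left above for you to investigate) and then authenticates a login against the stored hash. The table name `administrator`, the column names `username` and `hash`, and the in-memory SQLite database at the bottom are assumptions so the file runs on its own; in the Project you would pass in your existing PDO connection instead.

```php
<?php
// Added example, not code from the lecture. Assumes an `administrator` table
// with VARCHAR(255) `username` and `hash` columns and a PDO connection; the
// SQLite database at the bottom is a stand-in so `php admin-auth.php` runs alone.
declare(strict_types=1);

// Store a new administrator. Only the hash is written; the plaintext is discarded.
function addAdministrator(PDO $pdo, string $username, string $password): void
{
    // PASSWORD_DEFAULT is bcrypt today. The result ("$2y$10$<salt><digest>")
    // embeds the algorithm, cost and a random salt, so two admins with the same
    // password get different hashes. VARCHAR(255) leaves room if the default changes.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Prepared statement: values are bound, never concatenated into the SQL.
    $stmt = $pdo->prepare('INSERT INTO administrator (username, hash) VALUES (:username, :hash)');
    $stmt->execute([':username' => $username, ':hash' => $hash]);
}

// Verify a login attempt. Returns true only if the username exists AND the
// password matches its stored hash.
function authenticate(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT hash FROM administrator WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still run one verify against a throwaway hash (computed
        // once) so a failed login takes about the same time either way and the
        // response time does not reveal which usernames exist.
        static $dummyHash = null;
        $dummyHash ??= password_hash('placeholder', PASSWORD_DEFAULT);
        password_verify($password, $dummyHash);
        return false;
    }

    // password_verify() reads algorithm, cost and salt out of the stored hash
    // and compares in constant time.
    if (!password_verify($password, $row['hash'])) {
        return false;
    }

    // If the stored hash uses an older algorithm or lower cost than the current
    // default, replace it now while the plaintext is still in hand.
    if (password_needs_rehash($row['hash'], PASSWORD_DEFAULT)) {
        $update = $pdo->prepare('UPDATE administrator SET hash = :hash WHERE username = :username');
        $update->execute([':hash' => password_hash($password, PASSWORD_DEFAULT), ':username' => $username]);
    }
    return true;
}

// --- constructed demo: in-memory SQLite stands in for the Project's database ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE administrator (username VARCHAR(255) PRIMARY KEY, hash VARCHAR(255) NOT NULL)');

addAdministrator($pdo, 'jp', 'correct horse battery staple');

// Constructed login attempts: right password, wrong password, unknown user.
foreach ([['jp', 'correct horse battery staple'], ['jp', 'wrong'], ['nobody', 'anything']] as [$u, $p]) {
    printf("%-8s %-30s %s\n", $u, $p, authenticate($pdo, $u, $p) ? 'accepted' : 'rejected');
}
```

Run it with `php admin-auth.php`; only the first attempt is accepted. Note that the lookup is by username only and the password never reaches the SQL at all: the database holds nothing that can be compared against a plaintext, which is exactly the point.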


BRAIN BREAK
Remember lab-01?

Where'd this word come from?
We got it from this URL:
Let's go there twice.
I'll go once with a Guest session.
Then once again in my "normal" session.
I have a browser extension that will affect how the response is displayed.
It doesn't look like a "normal" web page, does it?
Looking in the Response, we can see something interesting about the Content-Type header

Compare this to what we see if we go to
https://random-word-form.herokuapp.com

Here's another one.
This time, we'll go here with the Thunder Client extension that we have in our lab and Project Codespaces.
Going to the headers in the extension, we again see Content-Type is application/json, not text/html
https://rickandmortyapi.com/api/character/
-and-
https://rickandmortyapi.com/api/character/?name=morty&status=dead
In both of these examples, we have NOT been visiting web pages!
Instead, we are consuming a RESTful API.
An API - Application Programming Interface - is basically a set of rules for communicating with another system.
With our adjectives and Rick/Morty examples, the "rules" were URLs with a specific format.
Remember the Java API? Those are the rules for calling Java's standard class library from your own code.
When we write code that consumes a RESTful API, we're writing code that says: "Hey - I want some data. Give it to me."
The other side says, "Sure - as long as you go to the right URL, I'll give you the data you want."
BTW - we'll just use "API" from now on. The RESTful part will be assumed.
We'll call this "right URL" the API endpoint.
How do we write our own API endpoint?
You'll be delighted to know this is a very straightforward process.
1. Validate the request.
2a. If the request isn't valid, respond with some kind of error in the desired format and with the desired status.
2b. If the request is valid, gather the information being requested, then respond in the desired format and with a 200 status.
Your endpoint should have clear rules for what's valid or not.
Lab-05 gives a reasonable example of this.
The Project, however, needs some work!
I'll get on that soon.
1. Validate the request
2a. If the request isn't valid, respond with some kind of error in the desired format and with the desired status.
How does https://random-word-form.herokuapp.com/random/adjective do it?
How does https://rickandmortyapi.com/api/character do it?
- Try bad URL paths.
- Try bad keys.
- Try bad values.
What content type are we getting? 🤔
What status are we getting? 🤔
2b. If the request is valid, gather the information being requested, then respond in the desired format and with a 200 status.
How does https://random-word-form.herokuapp.com/random/adjective do it?
How does https://rickandmortyapi.com/api/character do it?
What content type are we getting? 🤔
What status are we getting? 🤔
Let's do this!
Let's build an API endpoint that delivers how much of a given cheese is in stock at a given store.
- cheese is delivered by a name query parameter
- store is delivered by a store-id query parameter
If either parameter is missing or has an unknown value, we'll respond with a 404 status and the
JSON { "message": "Bad request."}
Otherwise, we'll respond with the
JSON {
"cheese": "<requested cheese>",
"stock": #
}
api/stock.php
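Here is one way to write that endpoint, as an added example rather than the lecture's own api/stock.php. It follows the three steps above: validate, respond with an error, or look up and respond with 200. The `stock` table (columns `store_id`, `cheese`, `quantity`) and the in-memory SQLite rows are constructed so the file runs stand-alone; in the Project you would use your real PDO connection and table. The spec above answers every bad request with 404 and "Bad request."; HTTP convention would be 400 for a malformed request and 404 for a store or cheese that does not exist, so the example follows the spec but marks the two cases separately.

```php
<?php
// Added example of the cheese-stock endpoint described in the lecture; not the
// lecture's api/stock.php. The `stock` table and its rows are constructed here
// in an in-memory SQLite database so the script runs on its own.
declare(strict_types=1);

function openDemoDatabase(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE stock (store_id INTEGER, cheese TEXT, quantity INTEGER)');
    $stmt = $pdo->prepare('INSERT INTO stock (store_id, cheese, quantity) VALUES (:store, :cheese, :qty)');
    // Constructed sample inventory.
    foreach ([[1, 'cheddar', 12], [1, 'brie', 0], [2, 'cheddar', 3]] as [$s, $c, $q]) {
        $stmt->execute([':store' => $s, ':cheese' => $c, ':qty' => $q]);
    }
    return $pdo;
}

// Send a JSON body with the given status and stop. header() must run before any
// output, so nothing may be echoed earlier in the script.
function respond(int $status, array $body): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($body, JSON_THROW_ON_ERROR);
    exit;
}

$pdo = openDemoDatabase();

// 1. Validate the request. $_GET values can be arrays (?name[]=x), so check the
//    type, not just presence; store-id must be a plain non-empty run of digits.
$name    = $_GET['name'] ?? null;
$storeId = $_GET['store-id'] ?? null;
if (!is_string($name) || $name === '' || !is_string($storeId) || !ctype_digit($storeId)) {
    // 2a. Malformed request. The lecture's spec says 404; 400 is the usual status.
    respond(404, ['message' => 'Bad request.']);
}

// Look up the value with a prepared statement; user input is bound, never
// interpolated into the SQL.
$stmt = $pdo->prepare('SELECT quantity FROM stock WHERE store_id = :store AND cheese = :cheese');
$stmt->execute([':store' => (int) $storeId, ':cheese' => strtolower($name)]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row === false) {
    // 2a again: well-formed, but the store/cheese pair does not exist.
    respond(404, ['message' => 'Bad request.']);
}

// 2b. Valid request: the requested cheese and its stock, as JSON with 200.
//     json_encode() escapes the echoed name, so it cannot break the JSON.
respond(200, ['cheese' => $name, 'stock' => (int) $row['quantity']]);
```

Try it with `php -S localhost:8000 stock.php`, then `curl -i 'http://localhost:8000/?name=cheddar&store-id=1'`, and again with the parameters missing, `store-id=abc`, `name[]=cheddar` or an unknown store, checking the status and Content-Type each time, just as we did against the random-word and Rick and Morty APIs.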
Our Endpoint
lec-php-09
By Jordan Pratt
API creation | password_hash() | password_verify()