September 21, 2018

REST API implementation with dynamic routing

This is a simple REST API implementation written in PHP. It is designed to be very dynamic and easy to re-use.

The magic for the routing happens in the .htaccess file. It routes the incoming calls to the main file that handles the requests.

RewriteEngine On

# create a person (HTTP POST)
RewriteRule ^api/v1/persons/create/?$ api.php?class=person&method=create [QSA,L]

# update a person (HTTP PUT), <id>
RewriteRule ^api/v1/persons/([A-Za-z0-9-]+)/?$ api.php?class=person&method=update&id=$1 [QSA,L]

The Helper class contains some basic functions that are commonly used.

class Helpers {
    /**
     * Sanitize a given string
     * @param value
     * @return value
     */
    public static function sanitizeString($value){
        $value = filter_var(trim($value), FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES);
        return $value;
    }

    /**
     * Sanitize a given array
     * @param array
     * @return array
     */
    public static function sanitizeArray($array){
        if(is_array($array)){
            foreach($array as $arraykey=>$arrayvalue){
                if(is_array($arrayvalue)){
                    $array[$arraykey] = Helpers::sanitizeArray($arrayvalue);
                }
                else if(strlen($arrayvalue) > 0) {
                    $array[$arraykey] = Helpers::sanitizeString($arrayvalue);
                }
            }
        }
        return $array;
    }
}

The BaseClass represents a class that can be used for Models that need dynamic accessor methods [1].

class BaseClass {
    /**
     * Dynamic getters and setters
     * @param method, params
     */
    public function __call($method, $params){
        $pre = substr($method, 0, 3);
        $var = lcfirst(substr($method, 3));
        if($pre == 'get'){
            return $this->{$var};
        }
        else if($pre == 'set'){
            $this->{$var} = $params[0];
        }
        else if($pre == 'out'){
            return htmlspecialchars($this->$var, ENT_QUOTES, 'UTF-8'); //prevent XSS
        }
    }
}

This is the main API class which processes the incoming data and intercepts every call to the API. This can be very useful if you want to log these requests in just one place.

class MyAPI extends BaseClass {
    protected $data = [];

    /**
     * Saves the passed data into the object instance,
     * so that the subclasses can access this data
     */
    public function __construct(){
        $rawinput = file_get_contents('php://input');
        $this->data['input'] = Helpers::sanitizeArray(json_decode($rawinput,true));
    }

    /**
     * Magic method to intercept all the API calls
     * @param method<string>, args<array>
     */
    public function __call($method, $args){
        /**
         * Log all the API calls
         */
        if(strpos($method,'__log') !== false){
            $method = str_replace('__log','',$method);
            if(method_exists($this,$method)){
                $this->{$method}($args[0]); //call the implemented method
            }
        }
        else {
            /**
             * Dynamic accessor methods
             */
            return parent::__call($method, $args);
        }
    }
}

The endpoints and actions are defined in the class of the resource (eg. Person)

class Person extends MyAPI {
    /**
     * POST /v1/person/create
     * creates a new person
     *
     * params
     * - firstname <string>
     * - lastname <string>
     * - ...
     */
    public function create($args){
        $response = ['responseCode' => 'OK', 'id' => 123];
        http_response_code(201);
        header('Content-Type: application/json');
        echo json_encode($response);
    }

    /**
     * PUT /v1/person/<id>
     * updates the persons data
     *
     * params
     * - firstname <string>
     * - lastname <string>
     * - ...
     */
    public function update($args){
        $response = ['responseCode' => 'OK'];
        http_response_code(200);
        header('Content-Type: application/json');
        echo json_encode($response);
    }
}

This is the entry point of the API. It instantiates the requested class and calls the corresponding method. The interceptor logs the requests and forwards the request to the right object. For security reasons it checks if the method exists and won't allow other calls.

/**
 * Content-Type: application/json; charset=utf-8
 * Accept: application/json
 */
namespace MyProject\API;

/* require_once for all the required classes here */

//instantiate the requested classes and call the specified methods based on the routing
if(isset($_GET['class']) && in_array(strtolower($_GET['class']),['person'])){
    $class = '\MyProject\API\\'.ucfirst($_GET['class']);
    $reflectionClass = new \ReflectionClass($class);
    $classMethods = $reflectionClass->getMethods();
    $obj = new $class;
    $method = $_GET['method']??'';
    if($obj instanceof MyAPI && !in_array($method,['__call','__construct']) && method_exists($obj,$method) && in_array($method,array_column($classMethods,'name'))){
        //call the logging method before the actual method (inspired by aspect-oriented programming)
        $obj->{$method.'__log'}($_GET);
    }
}

To test the API you can simply call it using CURL with the given data

# create a person
curl -X POST \
https://{your-domain}/api/v1/persons/create \
-H 'Cache-Control: no-cache' \
-H 'Content-Type: application/json' \
-d '{"firstname":"Anakin","lastname":"Skywalker"}'  

# update a person
curl -X PUT \
https://{your-domain}/api/v1/persons/123 \
-H 'Cache-Control: no-cache' \
-H 'Content-Type: application/json' \
-d '{"firstname":"Darth","lastname":"Vader"}'

Sources:

[1] https://blog.cipher.digital/article/dynamic-getters-and-setters-in-php

Tags: php, rest, api

« back

010100100110000101101110011001000110111101101101010000110110100101110000011010000110010101110010

About the author

human, software engineer, tech enthusiast, security researcher

E-Mail: blog@cipher.digital