
Authorization

API Platform is configured to register all routes under the /api prefix, and in packages/security.yaml we added an access_control rule for /api, so every API route is protected by the Symfony security system. The security system is also configured to use JWT tokens: every request to the API must carry a valid JWT token in the Authorization header.

API Platform security

Some of the API endpoints can be restricted to certain roles. This is done by adding the security option to the #[ApiResource] attribute, per operation. The value of the security option is a security expression (a string, as in the example below) that is evaluated by Symfony's security system. If the expression evaluates to true, the user is allowed to access the resource; otherwise access is denied.

Example:

<?php

use ApiPlatform\Metadata\ApiResource;
use ApiPlatform\Metadata\Get;
use ApiPlatform\Metadata\GetCollection;
use ApiPlatform\Metadata\Post;

#[ApiResource(
    operations: [
        // Listing flows: no operation-level security, only the global access_control rule applies
        new GetCollection(
            uriTemplate: '/flows',
            order: ['name' => 'ASC'],
            normalizationContext: ['groups' => ['collection'], 'skip_null_values' => false]
        ),
        // Single flow: likewise no operation-level restriction
        new Get(
            normalizationContext: ['groups' => ['detail', 'flow_detail'], 'skip_null_values' => false]
        ),
        // Creating a flow: the expression must evaluate to true, otherwise the API answers 403
        new Post(
            security: "is_granted('ROLE_ADMINISTRATOR')",
            securityMessage: "Access Denied: You don't have the rights to perform the action."
        ),
        // ...
    ],
)]
class Flow
{
    // ...
}

Neither the endpoint for retrieving all flows (new GetCollection) nor the endpoint for retrieving a single flow (new Get) is restricted at the operation level. Only Symfony's access control rule applies, so anonymous users are still not allowed to access the API.

The endpoint for creating a new flow (new Post) is restricted to users with the role ROLE_ADMINISTRATOR. If the user does not have the role ROLE_ADMINISTRATOR, the API will return a 403 Forbidden response.
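The two layers described above (the global access_control rule with JWT, and the per-operation security expression) are easy to get wrong silently, so a functional test that pins both behaviours is worth having. The following is an added example, not code from the original documentation or from the project. It assumes API Platform's ApiTestCase, LexikJWTAuthenticationBundle as the JWT implementation (the page only says "JWT tokens"), an App\Entity\User entity with an email field, and two fixture users (user@example.test without ROLE_ADMINISTRATOR, admin@example.test with it) already present in the test database; the request payload and the JSON-LD/Hydra error format are assumptions as well.

```php
<?php

namespace App\Tests\Api;

use ApiPlatform\Symfony\Bundle\Test\ApiTestCase;
use App\Entity\User;
use Lexik\Bundle\JWTAuthenticationBundle\Services\JWTTokenManagerInterface;

final class FlowAuthorizationTest extends ApiTestCase
{
    // Hypothetical helper: mints a JWT for a fixture user so the request is
    // authenticated the same way a real client would be. Must be called after
    // createClient(), because the kernel may only be booted once per test.
    private function tokenFor(string $email): string
    {
        $container = static::getContainer();

        // Assumption: fixture users with these e-mail addresses exist in the test database.
        $user = $container->get('doctrine')->getRepository(User::class)->findOneBy(['email' => $email]);
        self::assertNotNull($user, sprintf('fixture user %s is missing', $email));

        return $container->get(JWTTokenManagerInterface::class)->create($user);
    }

    public function testAnonymousRequestIsRejected(): void
    {
        // No Authorization header: the JWT firewall / access_control rule for /api answers 401.
        static::createClient()->request('GET', '/api/flows');
        self::assertResponseStatusCodeSame(401);
    }

    public function testAuthenticatedUserCanListButNotCreateFlows(): void
    {
        $client = static::createClient();
        $headers = ['Authorization' => 'Bearer ' . $this->tokenFor('user@example.test')];

        // GetCollection has no operation-level security: any authenticated user may list flows.
        $client->request('GET', '/api/flows', ['headers' => $headers]);
        self::assertResponseIsSuccessful();

        // Post requires ROLE_ADMINISTRATOR: a regular user gets 403 and the configured securityMessage.
        $client->request('POST', '/api/flows', [
            'headers' => $headers + ['Content-Type' => 'application/ld+json'],
            'json' => ['name' => 'constructed flow'], // constructed payload; real required fields may differ
        ]);
        self::assertResponseStatusCodeSame(403);
        self::assertJsonContains([
            'hydra:description' => "Access Denied: You don't have the rights to perform the action.",
        ]);
    }

    public function testAdministratorCanCreateFlow(): void
    {
        $client = static::createClient();

        $client->request('POST', '/api/flows', [
            'headers' => [
                'Authorization' => 'Bearer ' . $this->tokenFor('admin@example.test'),
                'Content-Type' => 'application/ld+json',
            ],
            'json' => ['name' => 'constructed flow'], // constructed payload; real required fields may differ
        ]);
        self::assertResponseStatusCodeSame(201);
    }
}
```

The anonymous case asserts 401 rather than 403 on purpose: an unauthenticated request is stopped by the firewall/access_control layer before any operation's security expression runs, whereas 403 is what the `security` expression on the Post operation produces for a logged-in user without the role. If the first test ever starts returning 200, the /api access_control rule has been lost or reordered; if the 403 turns into a 201, the operation-level restriction has been removed.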