Create a REST API using basic PHP with Token Authentication - Real world example of a to-do list API | Michael S. | Skillshare

Create a REST API using basic PHP with Token Authentication - Real world example of a to-do list API

Michael S., Mobile Systems Developer

43 Lessons (14h 40m)
  • 1. Introduction
  • 2. Course Contents and Project Scenario
  • 3. What is REST?
  • 4. Software Set up
  • 5. Task API Requirements
  • 6. Authentication API Requirements
  • 7. Demo of Completed API - What we will be building within this course
  • 8. Tasks Database and Task Table Creation
  • 9. Set Up API Folder Structure
  • 10. Create the Response Model
  • 11. Set Up The Database Connection
  • 12. Create The Task Model
  • 13. GET - Get a Single Task
  • 14. DELETE - Delete a Single Task
  • 15. GET - Get All Complete and Incomplete Tasks
  • 16. GET - Get All Tasks
  • 17. GET - Get All Tasks With Pagination
  • 18. POST - Create a Task
  • 19. PATCH - Update a Task
  • 20. Mid Course Review - What we have done so far
  • 21. Introduction to Token Based Authentication
  • 22. Users Table Creation
  • 23. POST - Create a User (Sign up user API)
  • 24. Sessions Table Creation
  • 25. POST - Create a Session (Log user in API)
  • 26. DELETE - Delete a Session (Log user out API)
  • 27. PATCH - Refresh a Session (Get new access token API)
  • 28. Update Tasks Table - Add User Assignment
  • 29. Add Authentication to our Tasks API
  • 30. Course Conclusion and Demo Client Application
  • 31. BONUS Section 01 - What is CORS And How Do We Allow This On Our REST API
  • 32. BONUS Section 02 - Adding Image Upload Functionality To Our API Intro
  • 33. BONUS Section 02 - Demo of Image Upload API
  • 34. BONUS Section 02 - Implement Folder Structure To Store The File Uploads
  • 35. BONUS Section 02 - Task Image Database Table Creation
  • 36. BONUS Section 02 - Implement The Image Model
  • 37. BONUS Section 02 - Implement The Image Route Logic
  • 38. BONUS Section 02 - POST - Implement The Upload Image Route
  • 39. BONUS Section 02 - GET - Implement The Get Image Attributes Route
  • 40. BONUS Section 02 - GET - Implement The Getting Of The Actual Image File
  • 41. BONUS Section 02 - PATCH - Implement The Update Image Attributes Route
  • 42. BONUS Section 02 - DELETE - Implement The Image Deletion Route
  • 43. BONUS Section 02 - Integrate Images Into Task API

About This Class


In this course I will be showing you how to create RESTful web services with PHP; no third-party frameworks or paid software are needed.

We will be covering the basics of what REST is and how to implement those basics using pure vanilla PHP. At the end of this course you should be able to create a basic RESTful web service that you can allow other people to use.

The course will follow a scenario that we have been given, which is to implement a web service that can record a list of tasks, basically a to-do list. We will implement each requirement one at a time, and then we will add the ability for this API to become a multi-user service, so each user can securely have their own task list.

To do this we will be implementing an authentication concept called token-based authentication, which we will explore further within the course. Token-based authentication is a lot more secure than just basic password authentication and is now a best practice in the industry.

We will be starting at the beginning and building as we go. As long as you know the basics of PHP, such as variables, if statements, loops, arrays and some basic object-oriented programming concepts, you should be able to follow this course to the end.

We will also be using MySQL for the database to store the tasks, and we will be building and changing the database as we go. Again, you don't need to be an expert in MySQL; you just need to know the fundamentals, such as basic select, update and delete SQL statements and concepts such as primary keys and foreign keys.

The RESTful API can then be used by web and mobile apps (both iOS and Android).

BONUS SECTION 01 ADDED - for CORS (Cross-Origin Resource Sharing), which will allow you to adjust this API to run on a different domain/subdomain from your front-end application.

BONUS SECTION 02 ADDED - for teaching you how to upload images/files against a task. We will go through the changes we need to make to the API to allow uploading of images to a task. We will then allow you to associate image attributes such as title and filename with the image, as well as being able to download the image and delete the image.


1. Introduction: Hello and welcome to my course. I am Michael Spinks, and in this course I will be showing you how to create RESTful web services with PHP; no third-party frameworks or paid software is needed. We'll be covering the basics of what REST is and how to implement the basics in pure vanilla PHP. At the end of this course, you should be able to create a basic RESTful web service that you can allow other people to use. The course will follow a scenario that we have been given. It is to implement a web service which can record a list of tasks, basically a to-do list. We will be implementing each requirement one at a time. Then we will add on the ability for this API to become a multi-user service, so each user can securely have their own task list. To do this, we'll be implementing an authentication concept called token-based authentication, and we will be exploring this further within the course. Token-based authentication is a lot more secure than just basic password authentication and is now the best practice among the industry. We'll be starting at the beginning and building as we go, so as long as you know the basics of PHP, such as variables, if statements, loops and arrays, you should be able to follow this course through to the end. We'll also be using MySQL for the database to store the tasks, and we'll be building and changing the database as we go. And again, you don't need to be an expert in MySQL, but you just need to know the fundamentals such as basic select, update and delete statements and concepts such as primary keys and foreign keys. Okay, let's get started.

2. Course Contents and Project Scenario: Okay, this is what we're going to cover throughout this course. I will try and keep the theory to a minimum to get onto the practical tasks quicker, because no one really likes the boring theory part. However, the theory I've added is necessary just to get a working grasp of the fundamentals.
We'll be starting by giving you a brief overview of our given scenario so you can start thinking about the requirements, and actually to give you an idea of what we're actually going to produce. We're then going to run through the basics of REST and how it is implemented. Then, before we can start, I'll show you what software we're going to use. This is all free and downloadable off the Internet. We will then download and install the software together. Although this is basic, it is good to do this together because we're all starting from the same point. We'll then go through the specific requirements for the API. This is the actual detail on what the API needs to do. We'll then get on and actually start the implementation by first creating the database and setting up the tables. We'll be using phpMyAdmin for that, and I will be guiding you through, basically, step by step. The next is where the largest amount of work is done. This is the actual implementation of the PHP code. This includes testing at every stage to make sure, first, it all works, and second, it fulfils the requirements from our scenario. Then we'll move on to the token-based authentication. This can be a little dry, although it's really good to understand how it works. I'll explain the basics of this and talk you through how and why this is now an industry best practice. We will build the authentication module, which will then be used to securely authenticate users. We'll then go back to our API code and add in the authentication requirement and refactor the code where needed, although this should be kept to the minimum. This is where we'll fulfil the requirements to only allow users to view, update and delete their own tasks. And then finally, we'll run through the API from start to finish, demonstrating the API end to end, including authentication. Then there's a bit of bonus material.
I'll show you a quick sort of client application that I've developed, although really sort of thrown together, to show you how this API can be used with an iPhone app, for example. So this is the scenario we've been given. We need to build a task list system that will allow users to log in and create, update and delete tasks. Each user's tasks will be private to them, and other users will not be able to view or modify them. We're responsible for the database back end, the web services and the authentication module. However, we're not responsible for the front end or the server set-up; this is beyond the scope of this course.

3. What is REST?: So what is a REST API, really? REST stands for representational state transfer. REST APIs are interfaces that are stateless, so for each request the receiving system doesn't know anything about any previous requests. It uses a client-server model, i.e. a request-to-response architecture, and utilises the standard HTTP verbs and status codes such as GET, POST, PATCH and DELETE. This allows you to create, read, update and delete data; this is also known as CRUD. It's important to note that REST is not a standard. It is a set of principles that, if an API was to follow them, would make it RESTful. REST is generally preferred over SOAP due to its simpler implementation, and it most commonly uses JSON for the response output. JSON is simpler and less verbose than XML, which is what SOAP uses. We'll be using JSON exclusively in this course. Examples of what an API can be used for are to load and update data to use in a client application. This may be a mobile or desktop application.
So, for example, if you use Facebook on a smartphone, when you request your friend list that calls a Facebook API to retrieve the friend list. Or it could be that you're uploading an image from your smartphone to share with your friends on a social network such as Facebook. The API usage is hidden from the user, as the client application carries out the necessary actions using the APIs on the user's behalf. An example usage of a RESTful API to get the user details of a user with an ID of 1 is GET /users/1; the /1 is the user ID. So how is it implemented? The RESTful API is implemented using the HTTP verb that is sent with a request. POST is used to create, GET is used to retrieve, PATCH is used to edit, PUT is used to replace and DELETE is used for delete. The most common verbs that are used are GET and POST. When using a web browser such as Google Chrome and you click a link to open a page, this is a GET request, as you are getting or retrieving the data that is on the page from the server. If you've ever filled out a form on a website and pressed the submit button, then you've used POST, as you have posted the form data to the server. The POST request will usually have a request body, as you are supplying some data to the server for the server to process. The server takes the request and processes it and then replies with a response. This includes any output as well as the HTTP response code. So for the request GET /users/1, to get the user with ID 1, that would reply, for example, with a status code of 200, which basically means OK, it was received and it worked, and then it responds back with the body. So, for example, we have an ID here of 1, the name of the user and the age of the user. The HTTP status codes: the common ones are listed here, but there are many more. There's a good website, and I'll put it on screen now, for HTTP status codes. Have a look at this website and you'll be able to see a lot more detail about what each status code means. So 200 is used for OK. If you were creating a user by using the POST create, then that should respond back, if it was successful, with a 201 response code. 400 is basically used for if something is not formatted correctly on the request. So say it had mandatory fields for creating a user, such as name, and you sort of forgot to put that in or missed it out on purpose; what it should reply back with is a 400 code, which is bad request, because you've missed out mandatory data. The 401 code is for unauthorized. So basically, if you go to an endpoint and you haven't logged in or you don't have access, you'd get a 401 unauthorized, basically telling you that you need to authenticate. 403 sort of goes hand in hand with 401: it's if you have authenticated but you don't have access. So, for example, if you are a general user and only administrative users can perform an action such as resetting someone's password or something like that; so if you're a general user and you try to reset someone's password, it should be a 403 forbidden, because you are not allowed to do that unless you're an administrator. 404 you've probably seen generally browsing, using a web browser anywhere. It's where you click on a link and the link's dead, so the endpoint is not available. So if we go to, say, GET /users/5 and a user with the ID of 5 doesn't exist, you should get a 404. 405 is method not allowed. So apart from these methods down this left-hand side here, there are many more, but these are the general ones that are used in a REST API. If we try and delete all users using the route DELETE /users, that shouldn't be allowed, because generally you'd delete users one at a time. Whereas if you POST, which is create, /users, that should allow you to create one user.
If you were deleting a user, you would delete with the DELETE verb, /users/{id}, so you delete that one user. Now, obviously, if you try and delete all users using DELETE /users, you should get a 405 method not allowed. The conflict, or 409, error is if you try and create a duplicate. So say you create a user that has a duplicate username, for example; that should return a 409 conflict error. A 500 error is usually that the processing on the server has failed, and usually what will happen is you'll get a 500 error with a generic response, or, depending how you code this, it might actually respond with an appropriate error message. So to call the APIs we'll use URL endpoints; these are known as routes (pronounced "roots" or "rowts", depending where you come from). In the beginning you have the verb, so that's the GET or the POST or the DELETE, and then you have the web address, and then the route itself is the /, and on this occasion it's /products, so the /products route would return a list of all products. If we specify a product ID at the end of the route, so /products/{id}, if we just go over here to the right-hand side, /products/1, that would return the product details of one product with an ID of 1. Note that a route can carry out different actions depending on what HTTP verb is used. So, for example, if we use the same route as we did before, so the /products route, and we swap the GET to a POST, that should mean create a product. So there's the URL endpoint, and obviously the route is /products. You would POST that, but you would have to include a JSON body. This will make sense once we sort of demo and go through building the API. So that should create the product and then also return it as part of the response. For routes it's advisable to use nouns. So, for example, /users or /products or /jobs. It's best practice also to have endpoints as plurals.
Since it doesn't matter if you're retrieving one user or many users, the endpoint would be consistent, for example /users. If you're just returning one, you wouldn't have /user/1, you would have /users/1. So also a good rule is never use routes like getUser, createUser or deleteUser. These don't follow the REST principles, as you're mixing verbs with nouns, for example "get user". Keep the verbs for use in the HTTP request, such as GET, POST, DELETE and PATCH, and the noun is part of the route, so /users. So in theory, if you wanted to get users, you'd just GET /users.

4. Software Set up: Okay, that's enough theory for the time being. We'll now get on to installing and setting up the software. The software we'll use throughout this course is MAMP, which is a development web application server. This is PHP, Apache and MySQL all built in. As part of that, you'll get a web application called phpMyAdmin. This is used for administrating the MySQL database. Moving on, we'll install Atom. This is a code editor. It's free, open source, and it's very good. Next, following that, we'll install a program called Postman. This allows you to test out the APIs. Okay, we'll start by installing MAMP. So if you fire up Google Chrome and type in MAMP, it's usually the first hit, mamp.info. Click, and then you'll have MAMP and MAMP Pro. We're just going to install MAMP because it's free, although I do recommend Pro if you have different websites that you've got to host and develop. Click free download, and what we want is MAMP and MAMP Pro 5.2. I'm obviously on a Mac, but if you're on Windows, you can follow along on this one instead. It starts downloading. Okay, that's now downloaded. So at the bottom, click on it once; it should ask you to install it. Just follow through with the continue, continue, continue. Obviously read and accept the user licence. I'm just going to click install. I've got Touch ID on my Mac.
I'll just use my fingerprint. It installs; it just takes a few seconds, not too long. Okay, that's installed. Click close, move to trash, because we won't be using the installer again. Okay, the next thing we're going to install is Atom. So just in your address bar, just go to Google, and I'm just going to type Atom editor into Google. Usually the first hit is Atom, atom.io, if you want to go straight to it. Click Atom. It's automatically detected I'm on a Mac, so just click download. This just takes a few seconds to download; it's not very big at all. Click on the download at the bottom left. There you go. All we're going to do is drag that to my Applications on the left-hand side. That's it installed. We're going to delete the installer zip file. Close. Okay, the last thing we're going to get is the program called Postman. So of course, Google again. Just type in Postman API, and it's usually the top hit. Click the link. I don't know the operating system you're on. Like I say, I'm on a Mac, so I'll click the Mac one, but if you're on Windows, click the Windows one. Okay, that should have started to download. Okay, that's now done. Click on the downloaded file on the left-hand side. It unzips it. And all we do is just drag and drop that into Applications, exactly the same as we did for Atom. Okay, that's the applications installed. So first of all, we'll fire up Atom just to make sure it works. It asks if you want to continue because it's downloaded from the Internet. Press open. Okay, here is our code editor. So the next thing we'll check is to make sure Postman's installed. There it is, Postman. Exactly the same: it double-checks that you want to open it because it's downloaded from the Internet. Click open. Okay, there's Postman, and we'll go into the detail of this later. Okay, the next thing. This is the big one, and it's called MAMP.
And what we want to find is it's actually a folder within the Applications folder called MAMP. Double-click on that, and a bit of a sort of brief guide here. We're going to be putting the files into htdocs. That's where our developed code files will be put. That is sort of the root of the website that we'll develop. Okay, so the first thing I want to do is open MAMP and then click start servers. This starts your Apache web server and MySQL server. You get this page, so basically that means MAMP's all installed, all working. Now, going back to what I said before, there was another bit of software; it was actually a web app called phpMyAdmin. And this allows you to sort of develop or implement the database. To access that, you go to Tools on this page, then you've got phpMyAdmin. Click that; it takes you to the phpMyAdmin page. I'll zoom the font size up a little bit just so you can see. You see here the list of the databases on the left, and tabs across the top. We'll get into this further afterwards when we start developing the database. Okay, that's the software all installed. We'll move on to the next video.

5. Task API Requirements: Now on to the requirements, the detail of actually what we're going to be building. So the requirements for the API itself are: it must return a JSON response for all routes. This is so there's a consistent format returned that client applications know to expect. It should have caching where appropriate. Caching allows the API to return results from cache if it is called within a certain amount of time. This lightens the load on the server, and the client can deliver a response from its own cache, meaning it doesn't have to send the request back to the server. You need to use this with caution though, as if you update a task, you will always want to get the latest version from the server and not the cached version. Next, the task itself needs an ID, a title, a description, a deadline date and a completion status.
So we'll make sure we implement these fields within the database and also return them on the API as part of the response. Now there are a few different routes that need to be implemented. Remember, a route is just an endpoint that you call, e.g. /tasks, or /tasks/1 to get task 1. So the first one to return is a list of all tasks within the system. Remember, eventually this will be per user. The route for this will be /tasks. Next, depending on how many tasks you store, it's a good idea to allow paging of results. For example, if this was being used as a shop API that returns a list of products instead of tasks, and the shop had thousands of products, it wouldn't be good practice or a good user experience to return thousands of products at once. This can be slow and take up a lot of server resources for each request. So what we do is allow a certain amount to be returned per page, for example 20 per page. We then create a route to call the next page, which will then return the next set of results. The route for this will be /tasks/page/1, or /tasks/page/2 for page 2. We will then need to return the details of just one task, given a task ID. The route for this will be /tasks/1 to get task ID 1. The API must also be able to return either just incomplete or complete tasks only, and as previously mentioned, this will be per user as well. The route for this will be either /tasks/complete or /tasks/incomplete. So that is all of the return-task routes. Now we need to be able to delete a task for a given ID, and for this the route will be /tasks/1, for example, for task ID 1, or /tasks/2. Next, we need to allow a way for a task to be updated. We won't be updating the task ID, as this is a system-generated identifier, so we'll just allow for the title, description,
deadline date and completion status to be updated, although you might not want to update all of the details at once, so it should allow just, for example, a title to be updated and leave all the other details the same. Once the task has been updated, it should return the updated task in the response. The route for this will be /tasks/1, where 1 is a task ID. Finally, we need to allow a new task to be created. Once the task has been created, it should return the newly created task in the response. The route for this will be /tasks. Okay, that's the end of the task API requirements. Next we'll move on to the authentication requirements.

6. Authentication API Requirements: The next set of requirements are for the authentication API. The authentication API will allow users to log in and log out. This will be needed to allow our task list API to function on a per-user basis. Just like our task list API, all the responses should be in JSON format. The details recorded for a user are an internal ID, full name, unique username and the hashed password. So not plain text, because if the database is compromised then anyone could see the user's password, and we all know that users mostly have the same password for multiple systems. Along with that, there should be an active status, which can be used to make the user non-current, so if a user leaves or you just want to disable their account for some reason. There's also a field to record the amount of incorrect login attempts. This will help implement a lockout system. For example, if a user attempts to log in incorrectly three times, the account can be locked out. The task list system should allow a user to be logged in on multiple devices at once, e.g. their smartphone, tablet or desktop. Logging in on a new device should not log them out of the other devices. We will need to use a concept known as sessions for this, and we'll go into the details of this later. There should be a route to allow a new user to be created, so a user can use a client application to sign up, for example. The route for this will be /users. We need to allow a user to create a new session by authenticating. This is known as logging in. The route for this will be /sessions. We should also allow a user to log out of the system. Note that their other sessions will be unaffected, and the route for this will be /sessions/{session ID}, so, for example, /sessions/5. And as mentioned early on in the course, we'll be using an access token which has a limited lifespan, so you must create a route that would allow the user to refresh the access token once it's expired, although this will be hidden from the user and the client application will deal with this behind the scenes. The route for this will be /sessions/{session ID}, for example /sessions/5. Okay, so now we have a list of requirements for the tasks API as well as the authentication API. We can now move on to implementing a MySQL database, which will be used to store the tasks, the users and the sessions.

7. Demo of Completed API - What we will be building within this course: Now that we have run through the requirements, it is a good time to show you what we will be producing, so you can understand how our solution will work. This is a whistle-stop tour of the API, but don't worry, we'll be going into much more detail as we implement each requirement. We're going to start at the beginning, where we will sign up a new user, log in as that user, create a couple of tasks, retrieve those tasks in a list, update a task, and then delete the tasks we've created. We'll then finally log out the user. This will demonstrate the use of each HTTP verb as well as the response status codes we've previously run through. To demo this we'll use Postman to call the API. So the first thing we'll do is open Postman. So I've got Postman here. This is what we use to test the API.
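Before the demo, here is one way the routing and status-code rules from lessons 3 and 5 fit together in plain PHP. This is an added example, not the course's code: the tasks are a constructed in-memory array standing in for the MySQL table, the envelope key names follow the demo output, and POST/PATCH are left out so the block stays short.

```php
<?php
// Routing and status codes for the task routes from lessons 3 and 5, wrapped
// in the JSON envelope the demo shows (statusCode, success, messages, data).
// Added example, not the course's code: tasks live in an in-memory array of
// constructed sample data instead of MySQL, and POST/PATCH are left out.

const TASKS_PER_PAGE = 20; // page size suggested in lesson 5

// Constructed sample data standing in for the tasks table.
$tasks = [
    1 => ['id' => 1, 'title' => 'Cut grass', 'description' => 'Front and back',
          'deadline' => '10/01/2019 17:00', 'completed' => 'N'],
    2 => ['id' => 2, 'title' => 'Pay bill', 'description' => null,
          'deadline' => null, 'completed' => 'Y'],
];

// Every route returns this shape so clients can always parse it the same way.
function envelope(int $status, bool $success, array $messages = [], $data = null): array
{
    return ['statusCode' => $status, 'success' => $success,
            'messages' => $messages, 'data' => $data];
}

function taskList(array $rows, array $extra = []): array
{
    return envelope(200, true, [], array_merge(
        ['rows_returned' => count($rows)], $extra, ['tasks' => array_values($rows)]));
}

// Resolve HTTP verb + route to a result. In a deployment $method comes from
// $_SERVER['REQUEST_METHOD'] and $route from the path Apache rewrites to index.php.
function dispatch(string $method, string $route, array &$tasks): array
{
    $parts = array_values(array_filter(explode('/', $route), 'strlen'));
    $notAllowed = envelope(405, false, ['Request method not allowed']);

    if (($parts[0] ?? null) !== 'tasks') {
        return envelope(404, false, ['Endpoint not found']);
    }
    // GET /tasks returns the collection; DELETE /tasks (delete everything) is refused.
    if (count($parts) === 1) {
        return $method === 'GET' ? taskList($tasks) : $notAllowed;
    }
    // GET /tasks/complete and GET /tasks/incomplete filter on the status flag.
    if (count($parts) === 2 && in_array($parts[1], ['complete', 'incomplete'], true)) {
        if ($method !== 'GET') {
            return $notAllowed;
        }
        $flag = $parts[1] === 'complete' ? 'Y' : 'N';
        return taskList(array_filter($tasks, fn($t) => $t['completed'] === $flag));
    }
    // GET /tasks/page/{n}: the page number must be numeric and within range.
    if (count($parts) === 3 && $parts[1] === 'page') {
        if ($method !== 'GET') {
            return $notAllowed;
        }
        if (!ctype_digit($parts[2]) || (int)$parts[2] < 1) {
            return envelope(400, false, ['Page number cannot be blank and must be numeric']);
        }
        $page = (int)$parts[2];
        $totalPages = max(1, (int)ceil(count($tasks) / TASKS_PER_PAGE));
        if ($page > $totalPages) {
            return envelope(404, false, ['Page not found']);
        }
        $slice = array_slice(array_values($tasks), ($page - 1) * TASKS_PER_PAGE, TASKS_PER_PAGE);
        return taskList($slice, ['total_pages' => $totalPages,
                                 'has_next_page' => $page < $totalPages]);
    }
    // GET or DELETE /tasks/{id}: an unknown id is 404 whichever verb is used.
    if (count($parts) === 2 && ctype_digit($parts[1])) {
        $id = (int)$parts[1];
        if (!isset($tasks[$id])) {
            return envelope(404, false, ['Task not found']);
        }
        if ($method === 'GET') {
            return taskList([$tasks[$id]]);
        }
        if ($method === 'DELETE') {
            unset($tasks[$id]);
            return envelope(200, true, ['Task deleted']);
        }
        return $notAllowed; // PATCH is not implemented in this example
    }
    return envelope(404, false, ['Endpoint not found']);
}

// Send one result: the real HTTP status goes in the header, the envelope in the body.
function send(array $result): void
{
    http_response_code($result['statusCode']);
    header('Content-Type: application/json;charset=utf-8');
    header('Cache-Control: no-cache, no-store'); // lesson 5: never serve a stale task
    echo json_encode($result);
}

// Walk through the cases lesson 3 describes when run from the command line.
foreach ([['GET', '/tasks'], ['GET', '/tasks/1'], ['GET', '/tasks/5'],
          ['DELETE', '/tasks'], ['GET', '/tasks/page/abc'], ['GET', '/tasks/complete'],
          ['DELETE', '/tasks/2']] as [$method, $route]) {
    echo "$method $route -> " . dispatch($method, $route, $tasks)['statusCode'] . "\n";
}
```

Under Apache the route string would normally come from a rewrite rule that passes the path after /tasks into index.php; the dispatcher itself does not care where it came from.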
So you can see you get the verb on the left-hand side; you'll see the ones that we spoke about, which are GET, POST, PATCH and DELETE. The first example I'm going to show you is what happens when we try and list the tasks but we're not logged in as a user. So first of all, we type in the local web address for our development server, which is MAMP, if you remember correctly, and that is localhost:8888/. Now, the route that we're going to use, if you remember going back to our API requirements, to get a list of all tasks was /tasks. So you see here /tasks, and I'm just going to send that request, so you can see here that this is the body that we get returned in the response. So you see there we have a status code of 401. Now, this is not in the HTTP header; this is what we've put in the wrapper for the response. The real status code is over here, just to the right, and you can see status 401, authorization required. It basically means we're not logged in as a user. We've got a messages array here, which is basically a list of all messages. So you see here "access token is missing from the header" and "access token cannot be blank". And you can see here that our data is null, basically, because we're not logged in. So the first thing we need to do is create a user, because this is a fresh system; nothing exists. So to demo that, we want to create a new tab at the top. Just leave this here, because we'll be returning to this shortly. Create a new tab. Now, if you remember going back to our requirements, to create a new user, what we use for create is POST. So we'll select POST, type in our development server again, localhost:8888, and then it's /users. Remember, it's plural, and what we're doing is creating a user, so POST /users. Now, what we need for this, if we go to... we need a body, because we're sending data to the server. So click Body, and what it accepts is JSON.
Remember, in this course we're dealing exclusively with JSON. So if you click raw, with plain text here, select JSON, and what we do is we have to create the JSON body, and we've got three mandatory fields for this one. So the first one is full name. So we just create, obviously, the body. So we're going to send this to the server to create our user. So full name: I'm just going to say Michael S. The next mandatory field is the username. So username, we'll just call that michael. And the next one is password. So obviously, this is where the user can create the wrong password, so it's not very secure, but we'll just say password1. So that's the body set up. So in theory, this should create the user. So what I'm going to do, make sure that's on POST, is send this. You can see here, if I just increase this, we've got a status code of 201, which, if you remember rightly, was created. And you can see this over here, just to the right; you've got the HTTP header here: 201 Created. Success is true, because it carried out the task that we wanted to do successfully. We get a message "user created". And then what happens is, it's good practice to then return the user. So it's user ID 1, full name of what we put in, Michael S, username michael. We would never, ever return the password in plain text, ever. You wouldn't even return the hashed password, to be honest. Once it's stored in the database, that should never then be exposed anyway. So now that we've got a user, we need to log in as that user. So what we're going to do is create a new tab across the top here, and remember, from our requirements, it had create a session. So that was /sessions. So when you log in as a user, you are creating a session. So what we're going to do is create, so it's POST again, and then we'll type in our localhost web address /sessions. So obviously, this is a create, so there's a body for this as well.
So if I click on Body, click raw again and then change text to JSON, create the JSON body, and what you need here to log in as a user, normally what you send is a username and password. So username, and I was michael, and password, if I remember rightly, that was password1. Like I say, that's not a very secure password, but good for demo purposes. So what should happen now is it should create the session. Just as a vivid example, I'm just going to mistype the password. I'm just going to say "password", even though the correct password is password1, and what you should find, if I then submit this POST request, is I should get a 401 authorization required. So basically, I have typed in the password incorrectly on purpose; obviously this is just for demo purposes. So status code 401, and then a message "username or password is incorrect". We'd never really expose whether it was the username or the password. It's just to hide, basically, what could be wrong, just to stop people from trying to guess "actually, I've got the right username but it's the wrong password". So just to proceed a bit further, we'll just type in the correct password, which was password1, and what we'll do, we'll just resubmit this, and this time it should log in. So send that. We should get back, there you go, status 201. Remember, 201 is created, so it's created a session for us. It's successfully logged us in. So what we get back, and these are important, we'll talk a lot about access tokens and refresh tokens in a later video, but just for this purpose, I'll just show you what we've got here. Session ID is 1. So that's our session. We could have multiple sessions, remember, if we log in on different devices. But what we need is this access token.
You can see it's just a random long string that you would probably never guess, and remember that it changes quite frequently, so it will expire. You can see here access token expires in, and that's in seconds. At this stage we're not too bothered about that, because this is just a demo; I'll go into more detail once we implement these requirements. So now that we've got the access token, this is what you need to provide on every request for the tasks that we're going to be calling next, so I'm just going to take a copy of that. Now, you can see I've been using the tab across the top here for the GET request. Remember, the first time we tried to retrieve a task we weren't logged in, so it said Access token is missing. So what we're going to do now is hopefully get a list of tasks. At this stage it will be blank, because we haven't actually created any tasks yet. What you do is send the access token that we've just copied as part of a header for the HTTP request. So in the key here, these are the header parameters that we're going to send, and the one that you need to put this in is the Authorization header. So you put Authorization, and then for the value all we're going to do is right-click, paste, and that's our access token. Remember, that's kind of the temporary password that we're given for a limited amount of time. So now that I've got that, we should be able to send this request, and it should return a list of tasks, which, like I say, should be blank. So click Send, and you can see this time it was successful: 200 is OK, that's fine, success is true, no messages, and in the data we have rows returned 0, and then what this would be is a list of tasks, which at the moment is obviously none. So now what we'll do is actually create one. I'm just going to leave these tabs open because we may need them later.
What we're going to do now is create a new task. For every request that we send to do with creating, updating, deleting or retrieving tasks we need this access token, so I'm just going to make sure that's copied, because I'm going to need it. Go to create a new tab, and remember, POST is used to create. So we'll type in our local web development server, which is obviously localhost using MAMP, on the port that MAMP uses. Remember, to create a new task it's /tasks, because we haven't got an id; we're not making an id up to create a task, that is system generated. So we send a POST request to just /tasks. Obviously with POST you have to provide a body, so go on Body, click raw, change it to JSON, and start the JSON body. Now, a task has mandatory fields, but what we're going to do is supply all of the fields that are available. Going back to the requirements, we had the task title, task description, task deadline and completed status. So if we start with title, we'll give this, just as an example, Cut the grass; that's an easy one to have on a to-do list. Then we'll give it a description; we'll just make it brief, so cut the grass and weed the path, just as an example. Next was the deadline, so we'll write deadline. Remember, this was actually an optional field, as not every task has a deadline, but we'll specify it just to show you how to build up all the fields that we're going to send in the request. So deadline, and this was a date format, so I'll put 10/01/2019 17:00, five o'clock in the afternoon. I'm here in the UK, so this is the 10th of January 2019 at 5 p.m. The next field was completion status, or completed, and at the moment we're going to set this to N: it is not completed.
So what should happen here is that it creates a task for us and returns the task in the response. So if we send, and there you go, I basically forgot to add the access token. So that was a good example there of someone just trying to create tasks without having a valid session. If you remember rightly, you should always send the access token in the header of the request. So in here, remember, it was Authorization; paste it in there, so that's our access token. Now, what should happen, if I just go back to Body to show you, is that it should now create this task for me. You can see there the task has now been created: status 201 Created, success true, message Task created. Now what you'll see here in the data is the list of tasks, as we agreed, and there's only one, because obviously we've only created one: rows returned 1. And in the tasks we actually have the task that we submitted; obviously the id is generated by the system, so we don't provide that, then title, description, deadline and completion status. So what we'll do is quickly create another task. We'll just write something like Clean the windows, and then the description I'm going to miss out on this one, because you don't have to have a description; it's quite self-explanatory, and this one doesn't have a deadline, so I'm going to get rid of deadline as well. So the mandatory fields are title and completed. Now, what happens if I don't supply the completed status? I'm just going to get rid of this temporarily and then submit this request. Remember, our access token is already in the header for this request, so we'll send, and you can see there a 400 error, which basically means you haven't created the request correctly: you're missing some mandatory data, and the message is Completed field is mandatory and must be supplied, because we only supplied the title. So just put that back in.
So I've got the title and the completion status. If I send that, you'll now see we've created a second task: rows returned 1, task id 2, Clean the windows, and there's no description, it's null, and it hasn't got a deadline, that's also null; completed is N, because we haven't completed that yet. So now if we go back to tasks, and we'll ignore that tab, which was the creation, we should have some tasks to return. So if you go back to our original request, we've got /tasks, which should list them all for the user. Remember, our Authorization key is already in there with our access token; I've already got that stored in there. And remember, last time, before we created any tasks, there was nothing returned. This time we should have two tasks, because we've created two for this user. So now if you click Send, there you go, a 200 status just like before, success true, no messages. The data, however, now has rows returned 2, and in tasks you can see that we've got task 1 and then task 2. So there you go; as we're logged in we've now got our list of tasks. The next one to demo would be to update a task. What we're going to do is update task 2 and give it a description; basically that's all we're going to do. So I'm going to create a new tab across the top, because it's a totally different request. Now, remember that an update is a PATCH; we're actually updating a task, so PATCH, and I'll just type in our localhost server again and then /tasks. Remember, we're dealing with a task with an id; if we go back, it was an id of 2 that we did in this task, so we need to supply this id: /tasks/2. So we're updating task 2. Remember we need to supply our access token in our request header, so type in, remember, Authorization, and then paste our access token in there.
Now, obviously with a PATCH we're updating something, so we need to supply a body. So we'll click on Body again, exactly like we did with the POST, raw, and then JSON data. Now what we need to do is supply the list of fields with the values that you want to update for task 2. Like I say, we're just going to give it a description, because it doesn't have one, so description, and then we'll have something like, which one was this one again? Yes, Clean the windows. OK, we'll give it a description of Clean the windows and the frames. Like I say, you could supply multiple fields like we did before, so you could update the title and the completion status if you want; you'd just put a comma and then completed and change it to a Y. But we don't have to; we can update just one field at a time if we want, so I'll actually remove that. We just want to update the description. So you see there, we've supplied our access token in the header, which is there, and we've also provided the field that we want to update and obviously the value. So if we send this, what we should get is a 200, which is OK, so that's actually updated the task. We've got a message saying Task updated, and it actually returns the updated task: rows returned 1, tasks, and you can see here now that id 2, title Clean the windows, now has a description. We didn't update the deadline and we didn't update the completion status. So now if we go back to the /tasks request, which gets all tasks for a user, this is the response from the last request that was sent. If we just refresh by sending it again, you can see id 2, Clean the windows, and now we've obviously got our description. So that's updated that task fine. Next, what I want to do is demonstrate the deletion. We're going to delete number 2 first, so if I create a new request here, remember the verb this time is DELETE.
So that's what we're going to be doing, and the route for this is http://localhost:8888/tasks, exactly the same as the update request: you supply which task you want to delete. So this is task 2 we're going to delete this time, and remember, for any sort of action on these tasks you have to supply your access token in the Authorization header, so I'll paste that in there. What should happen now is that this should delete the task. So send that, and you can see there status 200, success true, and the task has been deleted. Obviously there's nothing to return, because we've deleted that task. So if I quickly go back to our /tasks request again, just to refresh the list of tasks that we have as a user, send that, and now we've only got one task. So what we'll do is quickly delete this task as well. So we go to the deletion request, this tab, and you'll see here in the URL, the route, remember, it was /tasks/{id}, so that's /1 now, because it's task id 1. Remember we've already got the Authorization access token key in there, so we'll do Send, and you can see now that the task with id 1 has also been deleted. So now if we go back to the list of tasks request and just refresh that, you'll see we're still logged in, that's still fine, but we just don't have any tasks to return. So now that we're done with that, what you would do as a good user is log out if you've finished with it. A lot of people don't log out of applications now, but I just wanted to demo this to show you that we can log out. So create a new request, and remember anything to do with log in or log out is a session. Just like we did with the tasks before, we're actually going to delete the session. So change the verb to DELETE and then type in our URL, which was localhost:8888, and remember it's a session, so /sessions. But now we're actually deleting a session, so we need the id.
Remember when we created the session, when we logged in, we did get a session id returned. So if I just find the tab across the top; no, that was the user one, the next one. So this one was the creation of the session, and you can see our session id was 1. Like I say, obviously the more people that log in and log out, that session id number will rise. So now we've got the session id, 1, we'll go back to our DELETE and give it an id: /sessions/1. Now, obviously, you still need to provide your Authorization access token, because otherwise anyone would be able to log anyone else out. So there you go, paste our access token in there; this hasn't expired yet. So we'll click Send, and you can see now status code 200, which is OK, success true, and the data returned back is basically which session we've logged out of, or deleted. So now, if we just try and go back to our /tasks request, which originally listed the tasks for a user with our access token, we should in theory not get anything back; we should get an error. And there you go, we get a 401 error, Invalid access token, because, remember, even though we've just been using this, we've now logged out of that session. So hopefully that gives you a bit of an overview of what we're actually going to be doing in this course. I thought it would be a good, I wouldn't say quick, video, because actually it's gone on a little bit longer than expected to demo this, but I just wanted to make sure we hit all the details, just so you understand what we're actually going to be creating and why we make certain decisions throughout the course. So with that being said, you've had the demo; we'll now get onto some of the practical work.

8. Tasks Database and Task Table Creation

So now we move on to MAMP and MySQL databases.
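The log-in step from the demo above, written out as an added PHP example (this is not the course's own code, which is built in later lessons). It shows the two points made in the demo: one generic message comes back whichever credential was wrong, and the user record that is returned never carries the password or its hash. The in-memory user store, the session id, the token lifetimes and the response array layout are all constructed for this example; the sessions table and the real token handling come later in the course.

```php
<?php
// Added example, not the course's code: POST /sessions as demonstrated above.
// Users, session id and token lifetimes are constructed stand-ins.

// Constructed in-memory stand-in for the users table (hash is computed, never stored in plain text).
function sampleUsers(): array
{
    return [
        ['id' => 1, 'fullname' => 'Michael S', 'username' => 'michael',
         'password_hash' => password_hash('password1', PASSWORD_DEFAULT)],
    ];
}

// Strip anything secret before a user record goes into a response body.
function publicUser(array $user): array
{
    return ['id' => $user['id'], 'fullname' => $user['fullname'], 'username' => $user['username']];
}

// Same shape as the responses shown in the demo: status, success flag, messages, data.
function buildResponse(int $statusCode, bool $success, array $messages, $data = null): array
{
    return ['statusCode' => $statusCode, 'success' => $success, 'messages' => $messages, 'data' => $data];
}

// Check the credentials and, on success, issue the session tokens.
function createSession(array $users, string $username, string $password,
                       int $accessTtl = 1200, int $refreshTtl = 1209600): array
{
    $found = null;
    foreach ($users as $user) {
        if ($user['username'] === $username) {
            $found = $user;
            break;
        }
    }

    // Verify against a dummy hash when the username is unknown, so the time taken
    // does not reveal whether the username exists.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-password-for-timing', PASSWORD_DEFAULT);
    }
    $hash = $found !== null ? $found['password_hash'] : $dummyHash;
    $ok = password_verify($password, $hash) && $found !== null;

    if (!$ok) {
        // One message for both cases, as in the demo: never say which part was wrong.
        return buildResponse(401, false, ['Username or password is incorrect']);
    }

    $session = [
        'session_id'               => 1,                                // placeholder: assigned by the sessions table
        'access_token'             => base64_encode(random_bytes(24)),  // long random string, short-lived
        'access_token_expires_in'  => $accessTtl,                       // seconds (assumed lifetime)
        'refresh_token'            => base64_encode(random_bytes(24)),
        'refresh_token_expires_in' => $refreshTtl,                      // seconds (assumed lifetime)
    ];
    return buildResponse(201, true, ['Session created'], $session);
}

// Demo run, mirroring the requests sent above.
$users = sampleUsers();
echo json_encode(buildResponse(201, true, ['User created'], publicUser($users[0]))), PHP_EOL;
echo json_encode(createSession($users, 'michael', 'password')), PHP_EOL;   // wrong password: 401
echo json_encode(createSession($users, 'michael', 'password1')), PHP_EOL;  // correct: 201 with tokens
```

Run it with `php` on the command line: the first line is the user-created response with only id, full name and username; the second is the 401 with the single generic message; the third is the 201 carrying freshly generated tokens.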
So first of all, we need to go into Applications on your computer, open the MAMP application, and then what we need to do is click Start Servers. This may well already be running from your previous session; if not, just click it. Then from the MAMP home page we need to go to Tools, and, as we spoke about before, to manage our MySQL databases we open an application called phpMyAdmin. So we'll click that. What we have here are tabs across the top and databases down the left. Now, obviously our new database doesn't exist yet, so we need to create it. So click on the Databases tab, and from here you can create the database. Give the database a name; ours will be tasksdb. Leave the collation at its default, which is utf8 general case insensitive; that's fine for what we need. Click Create. OK, so now we need to create the table. I'll create the table based on what I'm going to store in it, so we'll prefix it with tbl, and because we're storing tasks in this, it's tbltasks. Now, the number of columns is how many fields, or what information, we're going to store against each task. Going back to our requirements, it basically said that we need to store an internal id, the title, the description, the deadline and a completed status. So that's five altogether; change the default to five there, and then we'll click Go. So this is the table structure that we're designing: these are the names of the fields down the left, and then obviously their types. We'll just start filling this out based on our requirements. So the first one was an identifier, so we'll call that id. Now, it defaults to INT, and if I just leave it, you'll have a hover text appear, and you can see that it ranges roughly up to about 2.1 billion, which is a lot. But because this is going to be a multi-user system, with tasks deleted and created all the time, two billion is a lot, but it can get used up pretty quickly.
So what we'll do is use something bigger than that: we'll choose a BIGINT, and if I leave the hover text to appear on that, you'll see that that's a big number; it's about nine quintillion, so that's plenty for us. So select BIGINT, and then what we'll do is set it as a primary key, because it's an internal identifier for a task. Click Go on this sort of index creation screen; that's fine, we'll just leave it at the default, called PRIMARY, and click OK. Then what we want to do is auto increment, so we'll turn that on. Basically what that means is that each task will get its own unique reference number, starting at 1, 2, 3, 4 and so on. One thing I normally like to do is give each field a comment. It's helpful for me if I come back to this, so I know what each field actually refers to. So what we'll do here is call this Task ID, and we'll just say it was the primary key. OK, so that's that row done. The next row is for the task title; sorry, I'm just racking my brain there, I just forgot for a second. So task title: we'll give this the name title. The default is INT, but what we need to do is change that to a VARCHAR, which is text and numbers, and we'll default that to 255 characters in length. The task title really shouldn't be any bigger than that; to be fair, you don't want to store a lot of detail in that, that's what the task description is for. So for the task title, if we scroll all the way over to the right-hand side, add a comment, Task title. And just so you know what we're doing here, this Null column basically says whether you can allow nulls or not, so blank values basically. With the id we don't want to, because it's system generated; every task must have an id. We'll also follow that with the title: every task must have a title, so we'll leave that as not null. Basically, moving on to the next one,
which was the description. This one could be bigger than 255 characters, because a lot of the time this is the details of the task, maybe step-by-step instructions, and it might be a history of what's already been carried out on the task. So what we'll do is change this to something bigger, and what we want for that is something like MEDIUMTEXT; that should be big enough. A task might not have a description, to be fair; the title might just be enough if it's a simple task. So what we're going to do on this one is allow a null value, so this one can be blank; not every task must have a description. We'll also give it a comment, so this is Task description. OK. Next, it was the deadline date, wasn't it? So we'll call this one deadline, and for the type we will give it a DATETIME. The reason we don't give it a DATE is because the task might actually have a deadline of, say, tomorrow at 5 p.m., so we want to specify the time in that as well. So we'll choose DATETIME. Now, going back to Null again, the task might not have a deadline; it might just be an ongoing thing, or something that can be done at any time. So what we'll do is actually allow a null value for the deadline, so it can just be blank and it won't have a deadline. We'll give it a comment, so Task deadline date. Moving on to the next one, it was the completed status, so completed. Now, what we're going to do for this, because it only stores either yes or no, Y or N, and we only want to allow those values to be selected, is, for the type, choose what's called an enumeration, ENUM. So if you click that, you'll then see we get to edit the values, so select Edit, and then, because we're only storing two values, we're going to delete these two rows at the bottom and enter the values in here. So the first one is Y, for yes, this is completed, and the next one is N, for no, not completed. We'll click Go on that to save them.
So this one, actually, what we want to do is default it to N. So if someone specifies a task but doesn't give a completed value, we always want to default that to N, so in the default we'll select As defined, and then we'll select N for that. We'll also give it a comment, Task completion status. And then, because we've already set a default, it's not going to be null anyway, so we'll just leave that as not null. Finally, we'll give the table a comment, so Tasks table, and then we'll click Save at the bottom right-hand side. What that should do is then create the table as we've specified in this requirement. OK, so now you can see that the table has actually been created based on exactly what we said. So what we're going to do here, just so I've got some test data in here, is populate it using this system, because the first tasks we're actually going to implement are to retrieve tasks using the API, but because we haven't got any tasks in it, it'll just end up blank. So we're just going to put some test data in here. So what we'll do is, across the top we've got Insert; click that, and what we're going to do is literally write anything you want in here, just so you can see that it's different. So we're going to do probably round about five or so of these so you've got something to see. So we've got a title; I'm just going to make this really simple and call it Task 1, and then just go through that, and for the description I'm just going to write Description 1, and we'll just do it that way. We'll do some with a deadline and some without, so we won't give this one a deadline; we'll leave it blank. Then completion: obviously you can see it defaults to N, which is what we specified. So you can see underneath that it's got Ignore; we'll untick that. Basically this allows us to create a new row, or a new task. So we'll call this Task 2, Description 2, and we'll give this one a deadline.
So if you click the little calendar right beside it, we'll pick a date which is in the future; we'll pick the 15th of January, and then what we'll do is just give it a time, so 13:30. After you've selected that, just click off; you can see that it's stored in there. Completed, the default of N, we'll just leave for the time being. We'll click Go, and you can see that's inserted two rows. So what we need to do is just do exactly the same another two times or so. So we're going to Insert again at the top, creating new ones, so Task 3, and then call this Description 3. We'll give this one a deadline; let's do some random times. We're going to say this one is completed, just so we can obviously test out the completed and incomplete ones. We'll untick Ignore again, and then we'll create a new task, and that's Task 4. Give it a description; we'll give this one a deadline too. You can see I'm just picking random values here, and we'll leave that one not completed. Click Go on that. I'll do another pair: basically we'll go to Insert, title, so this is Task 5, Description 5. I'll leave this deadline blank, and we'll also say Y to completed on this one. Untick Ignore; title, we'll give this one Task 6 and then Description 6. It's a good job autocorrect is working there, because I'm pretty useless at typing. Then we'll select another date for the deadline, and we'll leave that one as completed N. So click Go on that, and then what we should have, if we go to Browse at the top left-hand side, this tab at the top, is all the tasks that we've created. So you can see that we've got the ids, which are auto incremented as well; we don't have to specify that, it does it itself. We've got a title, which could be things like Cut the grass or Take the rubbish out, and a description; like I say, you don't always need that, so I actually could have excluded it on one of them. Actually, I've made a typo in a title there.
So what I can do is just double click, fix the typo, and click off; that's actually updated it. Now, a deadline: you can see there that we've actually specified two without a deadline and the others with a deadline, and you can see here that two out of our six tasks are actually complete. OK, now let's move on to the next part.

9. Set Up API Folder Structure

Now that the database has been created, we'll move on to set up the folder structure for our code files. The folder structure looks a bit like this. You can design the folder structure how you want, but I recommend following the MVC model. However, because it's an API, there's not necessarily a view; there's only an output from the controller. Anyway, we'll start from the top. So we have htdocs; that is the main root folder that serves to the web. So your web server will have a root folder, a home folder, and anything in here will be accessible over the Internet. We won't really put any files in here as such; we'll actually build a structure below that. So within that htdocs folder we'll actually have another folder. Now, you'll see here I've got a folder called v1. That means version one. A little bit about versioning with APIs: over time the API will change, because more and more people will be using apps that connect to your API, or you have apps that need to be supported on older versions of devices and things like that. What we do is actually version the API, so any new changes will go into a version 2, version 3, etc. Normally what we do is set a sort of baseline for version one, and that's it; no changes will then happen after that's publicised, because if you then went to change it, that could cause an issue with a client that someone else has developed that uses your API. So any new changes will go into a version 2 folder, or version 3, etc.
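The tasksdb database and tbltasks table designed in lesson 8 above, as an added PHP example that creates them through PDO instead of by clicking through phpMyAdmin, then inserts the same six sample rows. This is not the course's own code: the host, port and credentials are assumed MAMP defaults, the year of the sample deadlines is assumed to be 2019 as in the demo, and the "random" deadline values are constructed here. The column types, null rules, default and comments are the ones chosen in the lesson.

```php
<?php
// Added example, not the course's code: lesson 8's database and table built with PDO.
$dsn  = 'mysql:host=127.0.0.1;port=8889;charset=utf8';   // assumption: MAMP's MySQL port
$user = 'root';                                           // assumption: MAMP default
$pass = 'root';                                           // assumption: MAMP default

$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

// Database: utf8 with the general case-insensitive collation left at its default.
$pdo->exec('CREATE DATABASE IF NOT EXISTS tasksdb CHARACTER SET utf8 COLLATE utf8_general_ci');
$pdo->exec('USE tasksdb');

// Table: the five columns from the requirements, with the types and null rules from the lesson.
$pdo->exec(<<<'SQL'
CREATE TABLE IF NOT EXISTS tbltasks (
    id          BIGINT        NOT NULL AUTO_INCREMENT COMMENT 'Task ID',
    title       VARCHAR(255)  NOT NULL               COMMENT 'Task title',
    description MEDIUMTEXT    NULL                   COMMENT 'Task description',
    deadline    DATETIME      NULL                   COMMENT 'Task deadline date',
    completed   ENUM('Y','N') NOT NULL DEFAULT 'N'   COMMENT 'Task completion status',
    PRIMARY KEY (id)
) COMMENT 'Tasks table'
SQL
);

// Sample rows as entered in the lesson: two without a deadline, two marked complete.
// Deadlines other than Task 2's are constructed values.
$rows = [
    ['Task 1', 'Description 1', null,                  'N'],
    ['Task 2', 'Description 2', '2019-01-15 13:30:00', 'N'],
    ['Task 3', 'Description 3', '2019-01-20 09:00:00', 'Y'],
    ['Task 4', 'Description 4', '2019-01-22 16:45:00', 'N'],
    ['Task 5', 'Description 5', null,                  'Y'],
    ['Task 6', 'Description 6', '2019-01-31 12:00:00', 'N'],
];

// A prepared statement: the values are bound, never concatenated into the SQL text.
$insert = $pdo->prepare(
    'INSERT INTO tbltasks (title, description, deadline, completed) VALUES (?, ?, ?, ?)'
);
foreach ($rows as $row) {
    $insert->execute($row);
}

// Read back what phpMyAdmin's Browse tab shows: ids assigned by AUTO_INCREMENT.
$result = $pdo->query('SELECT id, title, deadline, completed FROM tbltasks ORDER BY id');
foreach ($result as $task) {
    printf("%d  %-8s  %-19s  %s\n",
        $task['id'], $task['title'], $task['deadline'] ?? '(none)', $task['completed']);
}
```

Running it twice is harmless for the schema because of IF NOT EXISTS, but it will insert the six rows again; the read-back at the end shows the auto-incremented ids continuing from where they left off, which is the behaviour the lesson describes for the id column.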
So within version one (we'll take this one as the example, because this is our first version that we're building) we have a controller folder and a model folder. Like I say, we'll follow the MVC coding style for this, or model view controller. The view is things like a web interface or something like that that the user uses, like an app; obviously we're not doing anything like that, we are just focusing directly on the API, so we won't necessarily have a view. The controller is where the logic is stored, so within the controller file you basically have any logic in there that handles any errors or processing that needs to happen with the model. We'll have two models at the end of this: we'll have a task model and a response model. The task model will house the data structure for what a task should look like, so it will provide methods like set a title or set a description, and within the methods within that model you'll have the logic that dictates what a valid value is for the title. So that can control things like the length of text passed into the title, or valid characters, or if it has to be a number only, that sort of thing. So you build your model up to store the details of a task, and that provides the validation for the task. Like I say, when we implement the task I'll sort of go through and discuss the model with you. The other one that we'll be building is the response model, which we're actually doing next. The response, going back to our demo that I showed you, is the standard output that comes out of the API. It's always good to keep a standard output across the board, because then it's predictable when people try to use it: you know what each field is, people will then understand the standard status codes that we'll be using, and you can create some documentation if it's a complex API. So what we'll do is go and create this folder structure now.
So if we go into our Applications folder; obviously I'm on a Mac, so you normally do that via Finder. I've got a shortcut to Applications, but you always have an Applications folder. And because we're using MAMP, we go into MAMP, and I think I mentioned previously that htdocs is our home root folder; anything within here will get served out to the Internet. So go into htdocs, and the first folder that we're going to create is the version folder. Like I say, we're using version one, so we'll just type v1. So now we have the v1 folder; we'll go into that folder and then create a new folder, and we'll call this one controller, and we'll create another new folder and call this one model. So now that we've got the folder structure created, that will allow us to now implement our code files.

10. Create the Response Model

In this video we're going to implement the response object model. The response object model is responsible for the return of the JSON response to the end user or client. So let's get started. The first thing we need to do is to create a .htaccess file, and this is a bit of a configuration file for Apache. What I'm going to use this for is to display any errors on the screen. Now, in a production environment you wouldn't do this, but for our development purposes we are going to enable the display of errors, just in case we make any along the way; it makes it easy to troubleshoot. So first things first, open up Atom, and what we need to do is add our project folder to Atom. At the minute it is just a blank editor. Now, the project folder is the folder structure that we created in the previous lesson. So to do that, go to File, Add Project Folder, go to the Applications folder, MAMP, htdocs, and then v1.
We're going to stay here in the root of version one, so make sure you click v1 and click Open. You can see on the left-hand side we've got v1, and then we've got our controller and model folders. Ignore these .DS_Store files; they're hidden files for the Mac operating system and won't have any bearing on what we're doing. So in the root of the v1 folder we need to create a new file called .htaccess, and this is an Apache configuration file. So right-click on v1, New File; it asks for a name, and this is important: it is .htaccess. It's important that you have the dot. Press enter, and now we've got the .htaccess file on the left-hand side. So the first thing we need to do is type in some configuration. For this, all we need to do is type php_flag display_errors on. So what we're doing here is telling Apache that if there is a PHP error, just show it on the screen. Like I say, you wouldn't do this in a production environment, but for our development it is very handy in case we make a typo or some sort of mistake. So save that, Control+S, or Command+S if you're on a Mac, and we'll just close that down, because that's all we're going to use this file for at the moment. OK, now we move on to actually creating the response object file, so in the model folder we need to create a new model, the response model. It's going to be responsible for returning the standard, consistent JSON response to the client. Right-click on model, New File, and we'll call this response.php, as long as I spell it correctly: response.php. Press enter. So we've got a blank PHP file. What we need to do is create the initial <?php tag, and because we're not having any HTML or anything in here, you don't have to add the closing PHP tag. You can if you want, but we're not going to. OK, so the first thing we're going to do is create the class. The class is called Response. Create some space here. OK.
As part of the response we have some data, or items, that we want to return to the user. So what we're going to do is create some private variables to store this data until we're ready to send the response back. If you remember from our demo, the response returns items such as a success flag, whether that's true or false; the HTTP status code, for example a 404 or 200; any messages, such as you forgot to enter a mandatory field; and the data, which is things like the list of tasks or the user details. So what we're going to do is create these variables now. The first one we need to do is the success variable, so private $_success. The next one is the status code, so private, and we'll call this $_httpStatusCode. The next thing we're going to do is messages. This is an array, because you can have more than one message held, so we'll initialise the array to be empty: private, we'll call this $_messages, and like I say we'll initialise it to be a blank, empty array. The next thing we're going to do is the data variable, which will store the data we're returning, so private $_data. The next two variables we're going to implement are used for our internal processes within this class. So the first one is private $_toCache, which we'll set initially to false. With the cache variable, what we're going to do is we can cache the response to a request. So, for example, if a client requests to return all of their tasks, we can cache that response, so if the client then refreshes or requests their list of tasks within, say, 20 seconds or 30 seconds, we don't have to go back to the server, call the database and return the details from there; we can just cache that response and return the cached response to the client. That saves any sort of additional load on the server. You don't want to cache every response, though; that's why we initially set this to false, and what we'll do is, as we generate the response,
if we need to cache it, we will explicitly set it to cache it. The things that you wouldn't want to cache are credentials, access tokens, anything like that. You definitely don't want to do that; it's a security risk. So, like I say, we'll set this initially to false, and where we see it appropriate, we will enable the cache for that response. The last variable we're going to implement is something called response data, so private $_responseData, and this is an empty array. Now, what we'll do is, after we've built all this up, we create an array which has the structure, and then PHP has a function called json_encode which converts an array to a JSON response. So that just makes it easier to return a nice response in JSON format, and you'll see that as we build it up. So now we're going to create some functions. If you know anything about object oriented programming, you'll know that it's good practice to create public getters and setters rather than manipulating variables directly in the object. So what we're going to do is run through a set of setters to enable us to set values for these variables. So we'll just start at the top and create the set success: public function, and we'll call this setSuccess, and what we'll do here is we will pass in the success value. Okay, so what we need to do is copy this value from here and put it into the object variable. Just a quick explanation of these underscores: this is just my coding practice. Anything that is an instance variable of this object, not any other variable within a method or function, I always put underscores on. It just allows me, when I'm reading the code, to see which variable I am talking about, whether it's a local one to the function or whether it's a class or object variable. It just makes it easier to read and understand.
Okay, so the first thing you need to do is $this->_success, and we want to set this to $success. So you see here all we're doing is setting this object's success. It's important to note that you don't have a dollar sign here; don't put the dollar symbol there. It's an easy mistake to make, because when you define the variables you do, but when you use them on $this you don't. So if you do get an error in your code, just double check that you haven't got a dollar sign when you're using $this. So what we're doing is assigning the $success that we pass into this function to the instance variable. So that's that. Okay, so the next thing we need to do is the HTTP status code, so we'll do exactly the same: public function setHttpStatusCode. Exactly the same, we'll pass in the HTTP status code, and exactly the same, $this->_httpStatusCode equals the passed-in HTTP status code. Okay, so that's done. So the messages array is slightly different, and we'll create that one now: public function, we'll call this addMessage, because don't forget it is an array, so we're not setting the mess
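The lesson describes the Response model in pieces: the private fields, the setters, the cache flag that stays false by default, and json_encode at the end. Below is an added, self-contained version of that model written for this page, not the course's own response.php and not a transcript of what the instructor types. The method names (setSuccess, setHttpStatusCode, addMessage, setData, toCache, send) and the JSON key names are assumptions chosen to match the lesson's wording, and the 60 second max-age is an illustrative value. The part the lesson only hints at is in send(): the cache flag is turned into an explicit Cache-Control header, so a response that carries credentials or an access token is marked no-store unless the caller deliberately opts in.

```php
<?php
// Added example for this page (not the course's own code). Method and key
// names are assumptions based on the lesson; the 60s max-age is illustrative.

class Response
{
    private $_success;
    private $_httpStatusCode;
    private $_messages = array();
    private $_data;
    private $_toCache = false;        // default: do not cache
    private $_responseData = array();

    public function setSuccess($success)
    {
        $this->_success = $success;
    }

    public function setHttpStatusCode($httpStatusCode)
    {
        $this->_httpStatusCode = $httpStatusCode;
    }

    // Messages are an array, so this appends rather than overwrites.
    public function addMessage($message)
    {
        $this->_messages[] = $message;
    }

    public function setData($data)
    {
        $this->_data = $data;
    }

    // Opt in per response. Never call this for anything that carries
    // credentials, access tokens or refresh tokens.
    public function toCache($toCache)
    {
        $this->_toCache = $toCache;
    }

    // Assemble the array, emit the headers and the JSON body.
    public function send()
    {
        header('Content-Type: application/json;charset=utf-8');

        if ($this->_toCache === true) {
            // Cacheable for a short window, e.g. a task list.
            header('Cache-Control: max-age=60');
        } else {
            // Tell browsers and proxies not to store the body at all.
            header('Cache-Control: no-cache, no-store');
        }

        // Guard against a half-built response (success or status code unset).
        if (($this->_success !== true && $this->_success !== false)
            || !is_numeric($this->_httpStatusCode)) {
            http_response_code(500);
            $this->_responseData['statusCode'] = 500;
            $this->_responseData['success'] = false;
            $this->addMessage('Response creation error');
            $this->_responseData['messages'] = $this->_messages;
        } else {
            http_response_code((int) $this->_httpStatusCode);
            $this->_responseData['statusCode'] = (int) $this->_httpStatusCode;
            $this->_responseData['success'] = $this->_success;
            $this->_responseData['messages'] = $this->_messages;
            $this->_responseData['data'] = $this->_data;
        }

        echo json_encode($this->_responseData);
    }
}
```

A controller would use it as `$response = new Response(); $response->setHttpStatusCode(200); $response->setSuccess(true); $response->toCache(true); $response->setData($taskList); $response->send();` for a task list, and leave toCache at its default for the session (login) and refresh endpoints so their bodies go out with no-store. The `=== true` comparison matters: the flag is only honoured when it was explicitly set to boolean true, so a truthy string slipping in from request input does not make a token response cacheable.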
