PHP-CRUD-API now supports SQLite

After 1 year of slowly growing PHP-CRUD-API another milestone is reached. Today SQLite support, the fourth supported database engine, is added to the project. This feature is added in order to facilitate fast prototyping as SQLite is easy to install and configure. I want to thank Antoine Weber for his feature request and contribution to deliver this feature. A few months ago I did some research on the feasibility of a SQLite implementation. I found that there were sufficient reflection methods available for the full functionality of the reflective REST API. Other DBMS systems provide reflection using the INFORMATION_SCHEMA, which is a SQL standard. I found out that SQLite has similar functionality, but with non-standard “pragma” statements. These statements are equally powerful, but less flexible as they cannot be combined with “SELECT” or “WHERE” clauses. ...

April 7, 2016 · Maurits van der Schee

High performance C# web service using EvHttpSharp

In a previous post I announced attempts at high performance web server implementations in some popular languages (Java, Go, C# and JavaScript). Today I will show you a C# implementation and give you instructions on how to get it running on your own machine.

Source code for HttpListener example

Below you find a nice and short web server written in C# that I found online.

using System;
using System.IO;
using System.Net;
using System.Text;
using System.Threading;

class WebServer
{
    HttpListener _listener;

    public WebServer(string address)
    {
        _listener = new HttpListener();
        _listener.Prefixes.Add(address);
    }

    public void Start()
    {
        _listener.Start();
        while (true)
        {
            // Block until a request arrives, then hand it off to the thread pool
            HttpListenerContext request = _listener.GetContext();
            ThreadPool.QueueUserWorkItem(ProcessRequest, request);
        }
    }

    void ProcessRequest(object listenerContext)
    {
        var context = (HttpListenerContext)listenerContext;
        context.Response.StatusCode = (int)HttpStatusCode.OK;
        context.Response.AddHeader("Content-Type", "text/html; charset=utf-8");
        var msg = Encoding.UTF8.GetBytes("<h1>Hello World</h1>");
        context.Response.ContentLength64 = msg.Length;
        context.Response.OutputStream.Write(msg, 0, msg.Length);
        context.Response.OutputStream.Close();
    }

    static void Main(string[] args)
    {
        (new WebServer("http://localhost:8000/")).Start();
    }
}

Save this file as “hello.cs” in your project folder. ...

April 4, 2016 · Maurits van der Schee

NoOps: Developer operations manifesto

Consider the following well-crafted text about the malfunctioning of the collaboration between development and operations, posted anonymously to a developer forum I visit regularly:

NoOps: Developer operations manifesto

This is not pretty, but it must be said. We are tired. The madness must stop. We create software, the product that identifies our company. We are academic software engineers, trained to understand our work. We show responsible behaviour, creating as much value as possible. We do not like meetings, documentation or other waste in this process. We prevent problems by writing tests and by using versioned environments. We fix problems immediately, reducing the impact of issues dramatically. We are not flawless, but that is neither your problem, nor your duty to solve. ...

March 31, 2016 · Maurits van der Schee

High performance Java web service using Jetty

In my previous post I announced attempts at high performance web server implementations in some popular languages (Java, Go, C# and JavaScript). Today I will show you a Java implementation and give you instructions on how to get it running on your own machine.

Jetty for high performance

Jetty is a Web server and “javax.servlet” container that can be easily embedded in devices, tools, frameworks, application servers, and clusters. Jetty is known to be the web application of choice of Yahoo’s Hadoop Cluster, Google’s AppEngine PaaS and Yahoo’s Zimbra SaaS. Because it was used for such important projects, I expected that it would be hard to implement, but the opposite turned out to be true. ...

March 28, 2016 · Maurits van der Schee

Choose Java, Go or JavaScript for your API

In today’s era of web based micro-services (HTTP APIs) building small simple high performance web servers is of vital importance. In this blog post background information is given on the expected performance of implementations in popular programming languages. This post will be followed up by attempts at high performance implementations in some of these languages (Java, Go, C# and JavaScript). Do not expect benchmarks or absolute numbers, but do expect source code that you can easily run on your machine, so that you can do the benchmarking yourself. ...

March 26, 2016 · Maurits van der Schee

PostgREST for MySQL in PHP

Today I stumbled upon “PostgREST”, a generated PostgreSQL REST API. I have built PHP-CRUD-API, a similar tool, for MySQL in PHP. PostgREST is a standalone web server that turns your database directly into a RESTful API. The structural constraints and permissions in the database determine the API endpoints and operations. This great software is written by Joe Nelson and has acquired over 6000 stars on GitHub and has its own website on postgrest.com. ...

March 21, 2016 · Maurits van der Schee

JWT implementation in PHP

I did a basic implementation of a JWT authentication scheme in PHP. It has no dependencies, so you can simply incorporate the two functions below in any existing application. I have been writing about JavaScript Web Token security earlier this month. It is a token standard that is well described on JWT.io.

<?php
function getVerifiedClaims($token,$time,$leeway,$ttl,$algorithm,$secret) {
    $algorithms = array('HS256'=>'sha256','HS384'=>'sha384','HS512'=>'sha512');
    if (!isset($algorithms[$algorithm])) return false;
    $hmac = $algorithms[$algorithm];
    $token = explode('.',$token);
    if (count($token)<3) return false;
    // header and claims are base64url encoded: map '-_' back to '+/' before decoding
    $header = json_decode(base64_decode(strtr($token[0],'-_','+/')),true);
    if (!$secret) return false;
    if (!is_array($header)) return false;
    if (!isset($header['typ']) || $header['typ']!='JWT') return false;
    // only accept the algorithm the caller expects, never the one named in the token
    if (!isset($header['alg']) || $header['alg']!=$algorithm) return false;
    $signature = bin2hex(base64_decode(strtr($token[2],'-_','+/')));
    // constant-time comparison; a plain != is timing dependent and loosely typed
    if (!hash_equals(hash_hmac($hmac,"$token[0].$token[1]",$secret),$signature)) return false;
    $claims = json_decode(base64_decode(strtr($token[1],'-_','+/')),true);
    if (!$claims) return false;
    if (isset($claims['nbf']) && $time+$leeway<$claims['nbf']) return false;
    if (isset($claims['iat']) && $time+$leeway<$claims['iat']) return false;
    if (isset($claims['exp']) && $time-$leeway>$claims['exp']) return false;
    if (isset($claims['iat']) && !isset($claims['exp'])) {
        // no explicit expiry: fall back to issued-at plus the configured ttl
        if ($time-$leeway>$claims['iat']+$ttl) return false;
    }
    return $claims;
}

function generateToken($claims,$time,$ttl,$algorithm,$secret) {
    $algorithms = array('HS256'=>'sha256','HS384'=>'sha384','HS512'=>'sha512');
    if (!isset($algorithms[$algorithm])) return false;
    $hmac = $algorithms[$algorithm];
    $header = array();
    $header['typ']='JWT';
    $header['alg']=$algorithm;
    $token = array();
    $token[0] = rtrim(strtr(base64_encode(json_encode((object)$header)),'+/','-_'),'=');
    $claims['iat'] = $time;
    $claims['exp'] = $time + $ttl;
    $token[1] = rtrim(strtr(base64_encode(json_encode((object)$claims)),'+/','-_'),'=');
    // raw binary HMAC over "header.payload", then base64url encoded without padding
    $signature = hash_hmac($hmac,"$token[0].$token[1]",$secret,true);
    $token[2] = rtrim(strtr(base64_encode($signature),'+/','-_'),'=');
    return implode('.',$token);
}

$algorithm = 'HS256';
$secret = 'secret';
$time = time();
$leeway = 5; // seconds
$ttl = 30; // seconds
$claims = array('sub'=>'1234567890','name'=>'John Doe','admin'=>true);
// test that the functions are working
$token = generateToken($claims,$time,$ttl,$algorithm,$secret);
echo "$token\n";
$claims = getVerifiedClaims($token,$time,$leeway,$ttl,$algorithm,$secret);
var_dump($claims);

Important notes

Note that this implementation supports the “HS” (HMAC based) signature algorithms with “iat” (issued at), “nbf” (not before) and “exp” (expires) fields. It does NOT support the “RS” (RSA based) and “ES” (Elliptic Curve based) signature algorithms. It also does NOT check the “iss” (issuer), “sub” (subject), “aud” (audience), “jti” (JWT token identifier) or “kid” (key identifier) fields. Please read the documentation on JWT.io to find out whether or not that matters to you. ...

March 18, 2016 · Maurits van der Schee

Stored procedure reflection API

If you are following this blog, then you know I’m working a lot on API software architectures. I noticed that a lot of people that are building an API are actually building the same thing (except for the data model they expose). Typically they simply expose their tables using JSON REST operations (typically Create, Read, Update and Delete) or they expose their more sophisticated stored procedures via their API. This post is about that last category. ...

March 15, 2016 · Maurits van der Schee

Reflection on software reflection

On c2.com I read a quote by Jeff Mantei on the OnReflection page:

I think of reflection as the ability to reason about the structures and processes of a programming system within the programming system itself. - Jeff Mantei

I was thinking of another definition saying:

Reflection is when the logic of an information system is based on the meta-information of that system.

But after giving it some serious thought I believe Jeff’s is much better. His quote is not only a very concise definition of reflection, but he is also not cheating by using the word “meta”, as I did, which has a lot to do with reflection. ...

March 12, 2016 · Maurits van der Schee

JavaScript Web Token security

This post will discuss how to use JSON Web Token (JWT) to separate your authentication from your API endpoints and how to do so securely in a Single Page Application (SPA).

JSON Web Token (JWT)

A JSON Web Token is an alternative for the combination of a session cookie and a server side session object. It typically contains the authentication and authorization “claims”. The user identifier (a technical primary key or something uniquely identifying the user, such as an email address) is almost always one of the claims (called the “subject”). Typically you may also have the role of that user in the application as a claim. These claims are sent to the server using an “Authorization” request header and can be trusted, because they are signed by the issuer (typically your authentication service). ...

March 9, 2016 · Maurits van der Schee