API Platform — list all operations and their options, for example “security”

Filip Horvat
2 min read · May 22, 2023


If you are developing a serious API Platform app, you probably want a full overview of all exposed operations and their options, so that you can review them and check that everything is set up correctly.

The most important thing to check is the security (access control) of the exposed operations.

That is not available in the default API Platform setup, so I will show you how you can do it.

Just to note, I am using Symfony 6.2.* and API Platform 3.1.*

Here is the code for fetching all available operations in API Platform:

use ApiPlatform\Metadata\HttpOperation;
use ApiPlatform\Metadata\Resource\Factory\ResourceMetadataCollectionFactoryInterface;
use ApiPlatform\Metadata\Resource\Factory\ResourceNameCollectionFactoryInterface;

// ...

public function __construct(
    private readonly ResourceMetadataCollectionFactoryInterface $resourceMetadataCollectionFactory,
    private readonly ResourceNameCollectionFactoryInterface $resourceExtractor,
) {
}

// ...

// ResourceNameCollectionFactoryInterface::create() yields the class names of all API resources
$classes = $this->resourceExtractor->create();
foreach ($classes as $class) {
    // ResourceMetadataCollectionFactoryInterface::create() yields the ApiResource metadata of one class
    foreach ($this->resourceMetadataCollectionFactory->create($class) as $resourceMetadata) {
        foreach ($resourceMetadata->getOperations() as $operation) {
            /** @var HttpOperation $operation */
            $method = $operation->getMethod();
            $uri = $operation->getUriTemplate();

            echo 'method=' . $method . ', uri=' . $uri . PHP_EOL;
        }
    }
}

If you run this code, you will see something like this:

method=GET,  uri=/orders{._format}
method=POST, uri=/orders{._format}
method=PUT, uri=/orders/{id}{._format}
...

Now you can list all of your operations and check whether some of them are missing or redundant.

We use ResourceNameCollectionFactoryInterface to fetch all entities (classes) that are tagged as ApiResource:

use ApiPlatform\Metadata\ApiResource;

// ...

#[ApiResource]
class Order
{
    // ...
}

That is basically the same thing API Platform does when operations are generated and cached.

Now that we have all the entities, we fetch the API Platform metadata of each entity with ResourceMetadataCollectionFactoryInterface.

And finally, now that we have the API Platform metadata for each entity, we can get all operations of that entity with getOperations.

Now that we have the list of operations, we can print many things from each operation to check whatever you want to check, but in this example we will check the security of each operation:

foreach ($resourceMetadata->getOperations() as $operation) {
    /** @var HttpOperation $operation */
    $method = $operation->getMethod();
    $uri = $operation->getUriTemplate();

    // The "security" expression of the operation, or null when none is configured
    $security = $operation->getSecurity();

    echo 'method=' . $method . ', uri=' . $uri . ', security=' . $security . PHP_EOL;
}

It will look something like this:

method=GET,  uri=/orders{._format},      security=is_granted("VIEW_ORDER")
method=POST, uri=/orders{._format}, security=is_granted("VIEW_ORDER")
method=PUT, uri=/orders/{id}{._format}, security=is_granted("VIEW_ORDER")
...

Now you can check whether the security of some operation is not set properly, is missing, etc.

Some operations might use the securityPostDenormalize property instead of security, so we can do something like this:

// Fall back to securityPostDenormalize when no "security" expression is set
$security = $operation->getSecurity() ?? $operation->getSecurityPostDenormalize();

echo 'method=' . $method . ', uri=' . $uri . ', security=' . $security . PHP_EOL;
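The same listing turned into a Symfony console command that can run in CI: it prints every HTTP operation with its effective security expression and exits with a failure code when any operation has neither security nor securityPostDenormalize. This is an added example, not code from the original post; the command name, class name and the "(none)" marker are my own choices.

```php
<?php
// Added example (not from the original post). Assumed names: AuditApiSecurityCommand, app:api:audit-security.
namespace App\Command;

use ApiPlatform\Metadata\HttpOperation;
use ApiPlatform\Metadata\Resource\Factory\ResourceMetadataCollectionFactoryInterface;
use ApiPlatform\Metadata\Resource\Factory\ResourceNameCollectionFactoryInterface;
use Symfony\Component\Console\Attribute\AsCommand;
use Symfony\Component\Console\Command\Command;
use Symfony\Component\Console\Helper\Table;
use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Output\OutputInterface;

#[AsCommand(name: 'app:api:audit-security', description: 'List API Platform operations and flag unprotected ones')]
final class AuditApiSecurityCommand extends Command
{
    public function __construct(
        private readonly ResourceNameCollectionFactoryInterface $resourceNameCollectionFactory,
        private readonly ResourceMetadataCollectionFactoryInterface $resourceMetadataCollectionFactory,
    ) {
        parent::__construct();
    }

    protected function execute(InputInterface $input, OutputInterface $output): int
    {
        $rows = [];
        $unprotected = 0;
        foreach ($this->resourceNameCollectionFactory->create() as $resourceClass) {
            foreach ($this->resourceMetadataCollectionFactory->create($resourceClass) as $resourceMetadata) {
                foreach ($resourceMetadata->getOperations() ?? [] as $operation) {
                    if (!$operation instanceof HttpOperation) {
                        continue; // skip non-HTTP (e.g. GraphQL) operations
                    }
                    // "security" is evaluated before denormalization, "securityPostDenormalize" after;
                    // either one protects the operation, so take the first that is configured.
                    $security = $operation->getSecurity() ?? $operation->getSecurityPostDenormalize();
                    if ($security === null) {
                        ++$unprotected;
                    }
                    $rows[] = [$operation->getMethod(), $operation->getUriTemplate(), $security === null ? '(none)' : (string) $security];
                }
            }
        }
        (new Table($output))->setHeaders(['Method', 'URI', 'Security'])->setRows($rows)->render();
        $output->writeln(sprintf('%d operation(s) without a security expression.', $unprotected));
        // Non-zero exit code makes a CI job fail when an unprotected operation slips in
        return $unprotected === 0 ? Command::SUCCESS : Command::FAILURE;
    }
}
```

Run it with `bin/console app:api:audit-security`; with autowiring enabled both factory interfaces are injected automatically.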

To sum up, I have given you a basic idea of how to check and control operations and their properties in API Platform; it is up to you to adjust the above code example to fit your needs. Enjoy!


Filip Horvat

Senior Software Engineer, Backend PHP Developer, located in Croatia, currently working at myzone.com