PHP REST API - Authentication, Catalog, Orders, Reservations, and Admin
OPEN https://tormasecurity.hu FOR AN INSTANT EXPERIENCE
This project is a PHP REST API for the Torma Security Solutions application. It includes user authentication, role-based admin operations, product catalog endpoints, order management, reservation workflows, and documentation routing.
The API uses the torma MySQL database (see API/database/torma.sql).
Features
- User signup and login
- JWT-based authentication
- Role-based authorization (user/admin)
- Product catalog browsing and filtering
- User order and reservation management
- Admin management for users, products, orders, and reservations
- Rate limiting for sensitive routes
- CORS support
- Quartz documentation endpoints under /documentation
Project Structure
API/
├── config/
│ └── config.php # Environment and application config
├── controllers/
│ ├── AuthController.php # Authentication and profile endpoints
│ ├── ProductController.php # Public product endpoints
│ ├── OrderController.php # User order endpoints
│ ├── ReservationController.php # User/public reservation endpoints
│ ├── AdminController.php # Admin user/order/product endpoints
│ └── AdminReservationController.php # Admin reservation endpoints
├── database/
│ ├── Database.php # Database connection wrapper
│ └── torma.sql # Schema, procedures, seed data
├── middleware/
│ └── AuthMiddleware.php # Auth and admin guards
├── models/
│ ├── User.php
│ ├── Product.php
│ ├── Order.php
│ └── Reservation.php
├── utils/
│ ├── JWT.php
│ └── RateLimiter.php
├── .htaccess
├── index.php # Router and API entrypoint
└── README.md

Requirements
- PHP 7.4+ (PHP 8.x recommended)
- MySQL 5.7+ or MariaDB 10.2+
- Apache with mod_rewrite (or equivalent rewrite config)
- PDO extension enabled
- JSON extension enabled
Setup
1) Import the Database
```bash
mysql -u root -p < API/database/torma.sql
```

Or manually:
- Create a database named torma
- Import API/database/torma.sql
2) Configure the API
Edit API/config/config.php and set:
- DB_HOST
- DB_NAME
- DB_USER
- DB_PASS
- JWT_SECRET (use a strong random value in production; anything guessable lets an attacker mint their own tokens)
- JWT_EXPIRATION
- DEBUG_MODE (keep disabled outside local development; detailed error output reveals paths and queries)
3) Run the API
From the API directory:

```bash
php -S localhost:8000
```

Health check:

GET http://localhost:8000/

Note that the PHP built-in server does not read .htaccess, so the Apache rewrite rules are not applied. If routed paths such as /products return 404 under it, pass index.php as the router script (php -S localhost:8000 index.php) or run the API under Apache with mod_rewrite as listed under Requirements.

Authentication

Authenticated routes require the header:

Authorization: Bearer <token>

API Endpoints
Public Authentication
- POST /signup
- POST /login
Authenticated Profile
- GET /profile
- PUT /profile/username
- PUT /profile/password
Public Product Catalog
- GET /products
- GET /products/facets
- GET /products/all
- GET /products/cats
- GET /products/subcats
- GET /products/brands
- GET /products/tags
- GET /products/names
- GET /products/by-brand/{brandName}
- GET /products/{id}/brand
- GET /products/{id}
GET /products supports optional query params:
- cat
- subcat
- brand
- tag
- search
- min_price
- max_price
- page (default: 1)
- limit (default: 50, max: 100)
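The filters above are exactly the kind of input that ends up inside a SQL statement, so the way they are validated and bound matters more than the routing. The following is an added example, not the project's ProductController or Product model: it whitelists the filter keys, clamps page and limit to the documented bounds, escapes LIKE metacharacters in search and tag, and binds every value through PDO so a hostile search string travels as data rather than SQL. The column names (category, subcategory, brand, tags, name, price), the comma-separated tags column, the in-memory SQLite table and the rows in it are assumptions made for the demo (it needs the pdo_sqlite extension); the real schema lives in API/database/torma.sql and the API itself runs on MySQL.

```php
<?php
// Added example (not the project's Product model): validate GET /products
// query params and build one parameterized PDO query. Column names and the
// SQLite demo table below are assumptions; the real schema is torma.sql.
declare(strict_types=1);

function build_product_query(array $q): array {
    $has = fn(string $k): bool => isset($q[$k]) && $q[$k] !== '';
    // Whitelisted equality filters: query key => column. Keys not listed here never reach SQL.
    $eq = ['cat' => 'category', 'subcat' => 'subcategory', 'brand' => 'brand'];
    $where = [];
    $params = [];
    foreach ($eq as $key => $col) {
        if ($has($key)) {
            $where[] = "$col = :$key";
            $params[":$key"] = (string) $q[$key];
        }
    }
    if ($has('tag')) {
        // tags assumed stored as "a,b,c": match a whole tag, escaping LIKE metacharacters in the input
        $where[] = "',' || tags || ',' LIKE :tag ESCAPE '\\'";
        $params[':tag'] = '%,' . addcslashes((string) $q['tag'], '%_\\') . ',%';
    }
    if ($has('search')) {
        $where[] = "name LIKE :search ESCAPE '\\'";
        $params[':search'] = '%' . addcslashes((string) $q['search'], '%_\\') . '%';
    }
    foreach (['min_price' => '>=', 'max_price' => '<='] as $key => $op) {
        if ($has($key) && is_numeric($q[$key])) {      // non-numeric prices are ignored, not interpolated
            $where[] = "price $op :$key";
            $params[":$key"] = (float) $q[$key];
        }
    }
    // Pagination defaults from the README, clamped so a client cannot ask for limit=1000000.
    $limit = max(1, min(100, (int) ($q['limit'] ?? 50)));
    $page  = max(1, (int) ($q['page'] ?? 1));
    $sql = 'SELECT id, name, brand, category, subcategory, price FROM products'
         . ($where ? ' WHERE ' . implode(' AND ', $where) : '')
         . ' ORDER BY id LIMIT :limit OFFSET :offset';
    $params[':limit']  = $limit;
    $params[':offset'] = ($page - 1) * $limit;
    return [$sql, $params];
}

function list_products(PDO $db, array $q): array {
    [$sql, $params] = build_product_query($q);
    $stmt = $db->prepare($sql);
    foreach ($params as $name => $value) {
        // Bind ints as ints so LIMIT/OFFSET are not quoted as strings (matters with emulated prepares on MySQL).
        $stmt->bindValue($name, $value, is_int($value) ? PDO::PARAM_INT : PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database (assumption: pdo_sqlite is available).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, brand TEXT, category TEXT, subcategory TEXT, tags TEXT, price REAL)');
$ins = $db->prepare('INSERT INTO products (name, brand, category, subcategory, tags, price) VALUES (?, ?, ?, ?, ?, ?)');
foreach ([
    ['Dome camera 4MP',   'Acme',   'CCTV',   'Cameras',   'ip,poe', 129.0],
    ['Bullet camera 8MP', 'Globex', 'CCTV',   'Cameras',   'ip,poe', 199.0],
    ['NVR 8ch',           'Acme',   'CCTV',   'Recorders', 'poe',    349.0],
    ['Door reader',       'Initech','Access', 'Readers',   'rfid',    89.0],
] as $row) { $ins->execute($row); }

// A hostile search value is bound as data, so the quote and the "OR 1=1" are just characters in a LIKE pattern.
$rows = list_products($db, ['cat' => 'CCTV', 'search' => "camera' OR 1=1 --", 'limit' => '10']);
printf("hostile search matched %d rows\n", count($rows));

$rows = list_products($db, ['cat' => 'CCTV', 'search' => 'camera', 'max_price' => '150', 'limit' => '10']);
foreach ($rows as $r) { printf("%d %s %.2f\n", $r['id'], $r['name'], $r['price']); }
```

Two details are easy to miss in a real implementation: LIKE wildcards in user input must be escaped or a search for "%" matches the whole catalog, and the limit must be clamped server-side because the "max: 100" in the docs is only enforced if the code does it.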
Orders (Authenticated)
- POST /orders
- GET /orders
- GET /orders/{id}
- POST /orders/{id}/items
- PATCH /orders/{id}/items/{productId}
- PUT /orders/{id}/items/{productId}
- DELETE /orders/{id}
Reservations
Authenticated:
- POST /reservations
- GET /reservations
- PATCH /reservations/{id}
- PUT /reservations/{id}
- DELETE /reservations/{id}
Public:
POST /reservations/public
Admin (Admin Role Required)
Users:
- GET /admin/users
- GET /admin/users/{id}
- PUT /admin/users/{id}/role
- DELETE /admin/users/{id}
Dashboard:
GET /admin/dashboard
Orders:
- GET /admin/orders
- GET /admin/orders/summary
- GET /admin/orders/status-options
- PATCH /admin/orders/{id}/status
- PUT /admin/orders/{id}/status
Products:
- POST /admin/products
- PUT /admin/products/{id}
- PATCH /admin/products/{id}
- DELETE /admin/products/{id}
- PATCH /admin/products/{id}/quantity/add
Reservations:
- GET /admin/reservations
- PATCH /admin/reservations/{id}/duration
- PUT /admin/reservations/{id}/duration
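Every route in the Authenticated and Admin sections above depends on two checks: that the Authorization: Bearer token is genuine and unexpired, and, for /admin/*, that the caller's role is admin. The following is an added example and is not the project's utils/JWT.php or middleware/AuthMiddleware.php: a minimal HS256 issuer and verifier, a Bearer-header parser, and a guard that returns 401 for a missing, forged or expired token and 403 for a valid token without the admin role. The constants reuse the JWT_SECRET and JWT_EXPIRATION names from config.php, but the values, the claim names (sub, role) and the function names are assumptions for the demo.

```php
<?php
// Added example, not the project's JWT or middleware code. Constant names follow
// config.php; the values are placeholders. Claim names sub/role are assumed.
declare(strict_types=1);

const JWT_SECRET     = 'replace-with-output-of: php -r "echo bin2hex(random_bytes(32));"';
const JWT_EXPIRATION = 3600; // seconds

function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}
function b64url_decode(string $s): ?string {
    $pad = strlen($s) % 4;
    if ($pad) { $s .= str_repeat('=', 4 - $pad); }
    $out = base64_decode(strtr($s, '-_', '+/'), true);   // strict: reject junk characters
    return $out === false ? null : $out;
}

function jwt_issue(array $claims, ?int $now = null): string {
    $now = $now ?? time();
    $header  = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = b64url(json_encode($claims + ['iat' => $now, 'exp' => $now + JWT_EXPIRATION]));
    $sig     = b64url(hash_hmac('sha256', "$header.$payload", JWT_SECRET, true));
    return "$header.$payload.$sig";
}

/** Returns the claims, or null if the token is malformed, forged or expired. */
function jwt_verify(string $token, ?int $now = null): ?array {
    $now = $now ?? time();
    $parts = explode('.', $token);
    if (count($parts) !== 3) { return null; }
    [$h, $p, $s] = $parts;
    $header = json_decode((string) b64url_decode($h), true);
    // Pin the algorithm server-side: the token never gets to choose it ("alg":"none" style attacks).
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') { return null; }
    $expected = b64url(hash_hmac('sha256', "$h.$p", JWT_SECRET, true));
    if (!hash_equals($expected, $s)) { return null; }    // constant-time comparison
    $claims = json_decode((string) b64url_decode($p), true);
    if (!is_array($claims) || !isset($claims['exp']) || $claims['exp'] <= $now) { return null; }
    return $claims;
}

/** Extracts the token from "Authorization: Bearer <token>"; null if absent or malformed. */
function bearer_token(array $headers): ?string {
    $auth = $headers['Authorization'] ?? $headers['authorization'] ?? '';
    return preg_match('/^Bearer\s+([A-Za-z0-9\-_.]+)$/', $auth, $m) ? $m[1] : null;
}

/** Guard for both route kinds: returns [HTTP status, claims or null]. */
function guard(array $headers, bool $requireAdmin = false, ?int $now = null): array {
    $token  = bearer_token($headers);
    $claims = $token === null ? null : jwt_verify($token, $now);
    if ($claims === null) { return [401, null]; }                       // not authenticated
    if ($requireAdmin && ($claims['role'] ?? 'user') !== 'admin') {
        return [403, null];                                            // authenticated, not authorized
    }
    return [200, $claims];
}

// Demo with constructed tokens.
$userToken  = jwt_issue(['sub' => 42, 'role' => 'user']);
$adminToken = jwt_issue(['sub' => 1,  'role' => 'admin']);
$tampered   = substr($userToken, 0, -1) . ($userToken[-1] === 'A' ? 'B' : 'A');   // signature altered

printf("user  -> /profile     : %d\n", guard(['Authorization' => "Bearer $userToken"])[0]);
printf("user  -> /admin/users : %d\n", guard(['Authorization' => "Bearer $userToken"], true)[0]);
printf("admin -> /admin/users : %d\n", guard(['Authorization' => "Bearer $adminToken"], true)[0]);
printf("tampered              : %d\n", guard(['Authorization' => "Bearer $tampered"])[0]);
printf("expired               : %d\n", guard(['Authorization' => "Bearer $userToken"], false, time() + JWT_EXPIRATION + 1)[0]);
printf("no header             : %d\n", guard([])[0]);
```

Because the role is carried inside the signed token, a change made through PUT /admin/users/{id}/role only takes effect once the user's current token expires or they log in again; if that delay is unacceptable, the guard has to re-read the role from the database on each request instead of trusting the claim.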
Documentation Endpoints
The API serves Quartz documentation under /documentation.
Main routes:
- GET /documentation
- GET /documentation/architecture
- GET /documentation/backend-api
- GET /documentation/database
- GET /documentation/frontend
- GET /documentation/security
- GET /documentation/setup
- GET /documentation/testing
- GET /documentation/tags
Supporting static assets are also served under /documentation/... (CSS, JS, JSON, XML, SVG).
Example Requests
Signup

```bash
curl -X POST http://localhost:8000/signup \
  -H "Content-Type: application/json" \
  -d '{"username":"testuser","email":"test@example.com","password":"password123"}'
```

Login

```bash
curl -X POST http://localhost:8000/login \
  -H "Content-Type: application/json" \
  -d '{"username":"testuser","password":"password123"}'
```

Get Profile

```bash
curl -X GET http://localhost:8000/profile \
  -H "Authorization: Bearer YOUR_TOKEN_HERE"
```

List Products

```bash
curl -X GET "http://localhost:8000/products?cat=CCTV&search=camera&limit=10"
```

Get Admin Users

```bash
curl -X GET http://localhost:8000/admin/users \
  -H "Authorization: Bearer ADMIN_TOKEN_HERE"
```

Default Admin Account
Based on the current torma.sql seed data:
- Username: john_doe
- Email: john@example.com
- Password: password123
For any non-local environment, change this password immediately.
Security Notes
- JWT token auth is used for protected endpoints.
- Authorization is role-based for admin routes.
- SQL access uses PDO and parameterized/procedure-based calls.
- Rate limiting is applied to sensitive actions (for example login/signup/admin mutations).
- CORS headers are configured in index.php.
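The rate-limiting note above says which actions are covered but not how a limit is enforced. The following is an added example and is not the project's utils/RateLimiter.php: a fixed-window limiter keyed by action and client address, with its state kept in a per-key temp file under flock() so the count survives across separate PHP requests on one host. The limit of 5 login attempts per 60 seconds, the storage directory, the class and function names and the client IP in the demo are all assumptions for illustration.

```php
<?php
// Added example, not the project's utils/RateLimiter.php. Directory, limits
// and the 203.0.113.7 client address are assumptions for the demo.
declare(strict_types=1);

final class FileRateLimiter {
    private string $dir;

    public function __construct(?string $dir = null) {
        $this->dir = $dir ?? sys_get_temp_dir() . '/torma-ratelimit';
        if (!is_dir($this->dir) && !mkdir($this->dir, 0700, true) && !is_dir($this->dir)) {
            throw new RuntimeException("cannot create {$this->dir}");
        }
    }

    /** Records one hit and returns [allowed, remaining, retryAfterSeconds]. */
    public function hit(string $action, string $client, int $max, int $window, ?int $now = null): array {
        $now  = $now ?? time();
        // Hash the key so a hostile client string can never become a path component.
        $file = $this->dir . '/' . hash('sha256', "$action|$client") . '.json';
        $fh   = fopen($file, 'c+');
        if ($fh === false) { throw new RuntimeException("cannot open $file"); }
        try {
            flock($fh, LOCK_EX);                       // serialize concurrent requests for this key
            $raw   = stream_get_contents($fh);
            $state = $raw !== '' ? json_decode($raw, true) : null;
            if (!is_array($state) || !isset($state['start'], $state['count'])
                || $state['start'] + $window <= $now) {
                $state = ['start' => $now, 'count' => 0];  // window expired (or no state yet): start a new one
            }
            $allowed = $state['count'] < $max;
            if ($allowed) { $state['count']++; }
            ftruncate($fh, 0);
            rewind($fh);
            fwrite($fh, json_encode($state));
            fflush($fh);
            $retry = $allowed ? 0 : $state['start'] + $window - $now;
            return [$allowed, max(0, $max - $state['count']), $retry];
        } finally {
            flock($fh, LOCK_UN);
            fclose($fh);
        }
    }
}

/** What a router would call before a sensitive handler; answers 429 when the window is exhausted. */
function enforce_limit(FileRateLimiter $rl, string $action, string $ip, int $max, int $window): bool {
    [$ok, $remaining, $retry] = $rl->hit($action, $ip, $max, $window);
    header("X-RateLimit-Remaining: $remaining");
    if (!$ok) {
        http_response_code(429);
        header("Retry-After: $retry");
        header('Content-Type: application/json');
        echo json_encode(['error' => 'Too many requests']);
    }
    return $ok;
}

// Demo: 5 login attempts per 60 s from one constructed client address, with a simulated clock.
$rl = new FileRateLimiter(sys_get_temp_dir() . '/torma-ratelimit-demo-' . getmypid());
$t  = 1000000;
for ($i = 1; $i <= 7; $i++) {
    [$ok, $rem, $retry] = $rl->hit('login', '203.0.113.7', 5, 60, $t + $i);
    printf("attempt %d: %s (remaining %d, retry after %ds)\n", $i, $ok ? 'allowed' : 'blocked', $rem, $retry);
}
[$ok] = $rl->hit('login', '203.0.113.7', 5, 60, $t + 61);   // first window has rolled over
printf("after window: %s\n", $ok ? 'allowed' : 'blocked');
```

Keying on the client address only works if that address is trustworthy: behind a reverse proxy, $_SERVER['REMOTE_ADDR'] is the proxy, and X-Forwarded-For must only be honoured when the request really came from a known proxy, otherwise a client resets its own limit by changing the header. For login in particular, a second counter keyed on the target username catches distributed guessing from many addresses.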
Configuration Reference
Key values in API/config/config.php:
- DB_HOST: Database host
- DB_NAME: Database name
- DB_USER: Database username
- DB_PASS: Database password
- JWT_SECRET: JWT signing secret
- JWT_EXPIRATION: Token lifetime in seconds
- DEBUG_MODE: Enables/disables detailed error output