3 minutes reading time (687 words)

Playing with the Joomla Web Services (API) - part 3


[ this article is part of a series ]

5. How to launch any of the scripts automatically

Given the fact that our scripts here are independent of Joomla

  • we can put them on our own website
  • or even on another server (if we trust its owner of course, since being able to see the Token means being a Super User)

Lauching any of the scripts can be simply done:

  • by opening the corresponding URL in a browser
    • either directly
    • either for example thanks to a nice button in the backend
  • by calling this URL in any piece of code (PHP or other)
  • by setting up a Cron job calling this URL
    • either via the tool provided by your host (free)
    • either via some online tool providing cron tasks (in general paid)
  • by setting up a Task Scheduler in Joomla

So obviously it means that you can automate the execution of the creation / update of your Joomla Articles at any time interval.

5.1. Example 1: via a nice button in the backend

In Joomla 4 it has become even easier than before to create a Custom HTML Module in the backend.

Take advantage of this feature to create a nice interface to your Users.

5.2. Example 2: via Joomla Task Scheduler

The Task Scheduler is a new feature introduced with Joomla 4.

6. Be the only one who can run your scripts

If somebody know that you have a script called for example api-test.php, this person could flood your websites with request on that url.

A typical way to avoir that is on Apache servers is to create a htpsswd, meaning you have to

  • add a few lines in your .htaccess
  • add a .htpsswd file, to which your .htaccess lines will refer with the correct path (for exemple /YOUR_PATH/public_html/.htpasswd)

When a htpsswd is enabled, you get a popup asking for the defined username & password before accessing.

You can typically

But we need to be more specific because

  1. we only want to block our scripts, not our whole website.
  2. we only want to block our scripts if they are launched in the browser, not if they are launched by the website itself
    • either via some code
    • either via the Task Scheduler

Let us first show a good example of such an .htaccess rule:

<FilesMatch "^api*">
AuthType Basic
AuthBasicProvider file
AuthUserFile /YOUR_PATH/public_html/.htpasswd
AuthName secure
Require valid-user
Require ip

7. Change the API Token if needed

If you have any reason to think that your API key is not private any more (like me after having shared this presentation) then simply Edit the User in question, go to the Joomla API Token tab and click on Reset

  • the old Token is revoked
  • a new key is displayed, which you can now paste in all your scripts

If a script having a wrong or revoked Token is called then it will display the following error message: “forbidden”

7.1. How did restrict the rule to our scripts

Let’s suppose that all my scripts filenames start with api.

Then I want to have this htpsswd popup asking only for the files starting with api.

This is why in the snippet of .htaccess below we have <FilesMatch "^api*">

7.2. How did we allow the scripts if launched by the website itself

See the line Require ip

  • corresponds to the localhost. In some cases it is enough
  • in my case though, when launching my script with Joomla’s Task Scheduler, my script was blocked: I also had to allow explicitely the IP of my server
    • Q: So how did I find the IP address of my server?
    • A: Simply by checking the IP address given for “A Record” for my Domain Name, with any online tool like https://www.ns-lookup.io/

7.3. More information

For more information about this kind of .htaccess rules, see https://httpd.apache.org/docs/2.4/upgrading.html

How I learned Joomla - Alison Meeks
The 15th edition of the Dutch JoomlaDays!


Already Registered? Login Here
No comments made yet. Be the first to submit a comment

By accepting you will be accessing a service provided by a third-party external to https://magazine.joomla.org/