PROGRAM STUDI TEKNIK INFORMATIKA

FAKULTAS ILMU KOMPUTER

UNIVERSITAS ESA UNGGUL JAKARTA
Nama Tim : 1. Andhika Bhaskara 20170801374
2. Muh Sukma Saputra 20170801358
3. Sari Putra Tunggal Dewi 20170801373
4. Siti Aisyah 20170801357
5. Vegi Syam Merkury 20170801368
Mata Kuliah : CQI611 Arsitektur Berbasis Layanan EU301 7568
Dosen : Pak Armando Parhusip, S.T, MTI

1. Kode Program
Barang.php

<?php

use Restserver\Libraries\REST_Controller;
defined('BASEPATH') OR exit('No direct script access allowed');

require APPPATH . '/libraries/REST_Controller.php';

require APPPATH . '/libraries/Format.php';

class Barang extends REST_Controller{

public function __construct(){

parent::__construct();
$this->load->model('M_Barang','barang');
$this->method['index_get']['limit'] = 1;
}

function index_get(){
$id = $this->get('id');

if($id == null){
$barang = $this->barang->getBarang();
 }else{
$barang = $this->barang->getBarang(id);
}

$this->response(
$barang,
REST_Controller::HTTP_OK
);
}

function index_post(){
$kode = $this->post('kode', true);
$nama_barang = $this->post('nama_barang', true);
$jenis = $this->post('jenis', true);
$harga = $this->post('harga', true);
$stok = $this->post('stok', true);

$data = [
'kode' => $kode,
'nama_barang' => $nama_barang,
'jenis' => $jenis,
'harga' => $harga,
'stok' => $stok
];

$result = $this->barang->createBarang($data);

$this->response(
$result,
REST_Controller::HTTP_OK
);
}

function index_put(){
$kode = $this->put('kode');

$nama_barang = $this->put('nama_barang', true);

$jenis = $this->put('jenis', true);
$harga = $this->put('harga', true);
$stok = $this->put('stok', true);

$data = [
'nama_barang' => $nama_barang,
'jenis' => $jenis,
'harga' => $harga,
 'stok' => $stok
];

$result = $this->barang->updateBarang($data,$kode);

$this->response(
$result,
REST_Controller::HTTP_OK
);
}

function index_delete(){
$id = $this->delete('id');

$result = $this->barang->deleteBarang($id);

$this->response(
$result,
REST_Controller::HTTP_OK
);
}

}
?>

Rest.php

<?php

defined('BASEPATH') OR exit('No direct script access allowed');

/*
|-----------------------------------------------------------------------
---
| HTTP protocol
|-----------------------------------------------------------------------
---
|
| Set to force the use of HTTPS for REST API calls
|
*/
$config['force_https'] = FALSE;
/*
|-----------------------------------------------------------------------
---
| REST Output Format
|-----------------------------------------------------------------------
---
|
| The default format of the response
|
| 'array': Array data structure
| 'csv': Comma separated file
| 'json': Uses json_encode(). Note: If a GET query string
| called 'callback' is passed, then jsonp will be returned
| 'html' HTML using the table library in CodeIgniter
| 'php': Uses var_export()
| 'serialized': Uses serialize()
| 'xml': Uses simplexml_load_string()
|
*/
$config['rest_default_format'] = 'json';

/*
|-----------------------------------------------------------------------
---
| REST Supported Output Formats
|-----------------------------------------------------------------------
---
|
| The following setting contains a list of the supported/allowed formats
.
| You may remove those formats that you don't want to use.
| If the default format $config['rest_default_format'] is missing within
| $config['rest_supported_formats'], it will be added silently during
| REST_Controller initialization.
|
*/
$config['rest_supported_formats'] = [
'json',
'array',
'csv',
'html',
'jsonp',
'php',
'serialized',
 'xml',
];

/*
|-----------------------------------------------------------------------
---
| REST Status Field Name
|-----------------------------------------------------------------------
---
|
| The field name for the status inside the response
|
*/
$config['rest_status_field_name'] = 'status';

/*
|-----------------------------------------------------------------------
---
| REST Message Field Name
|-----------------------------------------------------------------------
---
|
| The field name for the message inside the response
|
*/
$config['rest_message_field_name'] = 'error';

/*
|-----------------------------------------------------------------------
---
| Enable Emulate Request
|-----------------------------------------------------------------------
---
|
| Should we enable emulation of the request (e.g. used in Mootools reque
st)
|
*/
$config['enable_emulate_request'] = TRUE;

/*
|-----------------------------------------------------------------------
---
| REST Realm
|-----------------------------------------------------------------------
---
|
| Name of the password protected REST API displayed on login dialogs
|
| e.g: My Secret REST API
|
*/
$config['rest_realm'] = 'REST API';

/*
|-----------------------------------------------------------------------
---
| REST Login
|-----------------------------------------------------------------------
---
|
| Set to specify the REST API requires to be logged in
|
| FALSE No login required
| 'basic' Unsecured login
| 'digest' More secured login
| 'session' Check for a PHP session variable. See 'auth_source' to set t
he
| authorization key
|
*/
$config['rest_auth'] = FALSE;

/*
|-----------------------------------------------------------------------
---
| REST Login Source
|-----------------------------------------------------------------------
---
|
| Is login required and if so, the user store to use
|
| '' Use config based users or wildcard testing
| 'ldap' Use LDAP authentication
| 'library' Use a authentication library
|
| Note: If 'rest_auth' is set to 'session' then change 'auth_source' to
the name of the session variable
|
*/
$config['auth_source'] = 'ldap';

/*
|-----------------------------------------------------------------------
---
| Allow Authentication and API Keys
|-----------------------------------------------------------------------
---
|
| Where you wish to have Basic, Digest or Session login, but also want t
o use API Keys (for limiting
| requests etc), set to TRUE;
|
*/
$config['allow_auth_and_keys'] = TRUE;
$config['strict_api_and_auth'] = TRUE; // force the use of both api and
auth before a valid api request is made

/*
|-----------------------------------------------------------------------
---
| REST Login Class and Function
|-----------------------------------------------------------------------
---
|
| If library authentication is used define the class and function name
|
| The function should accept two parameters: class-
>function($username, $password)
| In other cases override the function _perform_library_auth in your con
troller
|
| For digest authentication the library function should return already a
stored
| md5(username:restrealm:password) for that username
|
| e.g: md5('admin:REST API:1234') = '1e957ebc35631ab22d5bd6526bd14ea2'
|
*/
$config['auth_library_class'] = '';
$config['auth_library_function'] = '';

/*
|-----------------------------------------------------------------------
---
| Override auth types for specific class/method
|-----------------------------------------------------------------------
---
|
| Set specific authentication types for methods within a class (controll
er)
|
| Set as many config entries as needed. Any methods not set will use th
e default 'rest_auth' config value.
|
| e.g:
|
| $config['auth_override_class_method']['deals']['view'] = 'no
ne';
| $config['auth_override_class_method']['deals']['insert'] = '
digest';
| $config['auth_override_class_method']['accounts']['user'] =
'basic';
| $config['auth_override_class_method']['dashboard']['*'] = 'n
one|digest|basic';
|
| Here 'deals', 'accounts' and 'dashboard' are controller names, 'view',
'insert' and 'user' are methods within. An asterisk may also be used to
specify an authentication method for an entire classes methods. Ex: $co
nfig['auth_override_class_method']['dashboard']['*'] = 'basic'; (NOTE: l
eave off the '_get' or '_post' from the end of the method name)
| Acceptable values are; 'none', 'digest' and 'basic'.
|
*/
// $config['auth_override_class_method']['deals']['view'] = 'none';
// $config['auth_override_class_method']['deals']['insert'] = 'digest';
// $config['auth_override_class_method']['accounts']['user'] = 'basic';
// $config['auth_override_class_method']['dashboard']['*'] = 'basic';

// ---Uncomment list line for the wildard unit test

// $config['auth_override_class_method']['wildcard_test_cases']['*'] = '
basic';

/*
|-----------------------------------------------------------------------
---
| Override auth types for specific 'class/method/HTTP method'
|-----------------------------------------------------------------------
---
|
| example:
|
| $config['auth_override_class_method_http']['deals']['view']
['get'] = 'none';
| $config['auth_override_class_method_http']['deals']['insert
']['post'] = 'none';
| $config['auth_override_class_method_http']['deals']['*']['o
ptions'] = 'none';
*/

// ---Uncomment list line for the wildard unit test

// $config['auth_override_class_method_http']['wildcard_test_cases']['*'
]['options'] = 'basic';

/*
|-----------------------------------------------------------------------
---
| REST Login Usernames
|-----------------------------------------------------------------------
---
|
| Array of usernames and passwords for login, if ldap is configured this
is ignored
|
*/
$config['rest_valid_logins'] = ['admin' => '1234'];

/*
|-----------------------------------------------------------------------
---
| Global IP White-listing
|-----------------------------------------------------------------------
---
|
| Limit connections to your REST server to White-listed IP addresses
|
| Usage:
| 1. Set to TRUE and select an auth option for extreme security (client'
s IP
| address must be in white-list and they must also log in)
| 2. Set to TRUE with auth set to FALSE to allow White-
listed IPs access with no login
| 3. Set to FALSE but set 'auth_override_class_method' to 'white-
list' to
| restrict certain methods to IPs in your white-list
|
*/
$config['rest_ip_whitelist_enabled'] = FALSE;

/*
|-----------------------------------------------------------------------
---
| REST Handle Exceptions
|-----------------------------------------------------------------------
---
|
| Handle exceptions caused by the controller
|
*/
$config['rest_handle_exceptions'] = TRUE;

/*
|-----------------------------------------------------------------------
---
| REST IP White-list
|-----------------------------------------------------------------------
---
|
| Limit connections to your REST server with a comma separated
| list of IP addresses
|
| e.g: '123.456.789.0, 987.654.32.1'
|
| 127.0.0.1 and 0.0.0.0 are allowed by default
|
*/
$config['rest_ip_whitelist'] = '';

/*
|-----------------------------------------------------------------------
---
| Global IP Blacklisting
|-----------------------------------------------------------------------
---
|
| Prevent connections to the REST server from blacklisted IP addresses
|
| Usage:
| 1. Set to TRUE and add any IP address to 'rest_ip_blacklist'
|
*/
$config['rest_ip_blacklist_enabled'] = FALSE;

/*
|-----------------------------------------------------------------------
---
| REST IP Blacklist
|-----------------------------------------------------------------------
---
|
| Prevent connections from the following IP addresses
|
| e.g: '123.456.789.0, 987.654.32.1'
|
*/
$config['rest_ip_blacklist'] = '';

/*
|-----------------------------------------------------------------------
---
| REST Database Group
|-----------------------------------------------------------------------
---
|
| Connect to a database group for keys, logging, etc. It will only conne
ct
| if you have any of these features enabled
|
*/
$config['rest_database_group'] = 'default';

/*
|-----------------------------------------------------------------------
---
| REST API Keys Table Name
|-----------------------------------------------------------------------
---
|
| The table name in your database that stores API keys
|
*/
$config['rest_keys_table'] = 'keys';
/*
|-----------------------------------------------------------------------
---
| REST Enable Keys
|-----------------------------------------------------------------------
---
|
| When set to TRUE, the REST API will look for a column name called 'key
'.
| If no key is provided, the request will result in an error. To overrid
e the
| column name see 'rest_key_column'
|
| Default table schema:
| CREATE TABLE `keys` (
| `id` INT(11) NOT NULL AUTO_INCREMENT,
| `user_id` INT(11) NOT NULL,
| `key` VARCHAR(40) NOT NULL,
| `level` INT(2) NOT NULL,
| `ignore_limits` TINYINT(1) NOT NULL DEFAULT '0',
| `is_private_key` TINYINT(1) NOT NULL DEFAULT '0',
| `ip_addresses` TEXT NULL DEFAULT NULL,
| `date_created` INT(11) NOT NULL,
| PRIMARY KEY (`id`)
| ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
|
*/
$config['rest_enable_keys'] = TRUE;

/*
|-----------------------------------------------------------------------
---
| REST Table Key Column Name
|-----------------------------------------------------------------------
---
|
| If not using the default table schema in 'rest_enable_keys', specify t
he
| column name to match e.g. my_key
|
*/
$config['rest_key_column'] = 'key';

/*
|-----------------------------------------------------------------------
---
| REST API Limits method
|-----------------------------------------------------------------------
---
|
| Specify the method used to limit the API calls
|
| Available methods are :
| $config['rest_limits_method'] = 'IP_ADDRESS'; // Put a limit per ip ad
dress
| $config['rest_limits_method'] = 'API_KEY'; // Put a limit per api key
| $config['rest_limits_method'] = 'METHOD_NAME'; // Put a limit on metho
d calls
| $config['rest_limits_method'] = 'ROUTED_URL'; // Put a limit on the r
outed URL
|
*/
$config['rest_limits_method'] = 'API_KEY';

/*
|-----------------------------------------------------------------------
---
| REST Key Length
|-----------------------------------------------------------------------
---
|
| Length of the created keys. Check your default database schema on the
| maximum length allowed
|
| Note: The maximum length is 40
|
*/
$config['rest_key_length'] = 40;

/*
|-----------------------------------------------------------------------
---
| REST API Key Variable
|-----------------------------------------------------------------------
---
|
| Custom header to specify the API key

| Note: Custom headers with the X- prefix are deprecated as of

| 2012/06/12. See RFC 6648 specification for more details
|
*/
$config['rest_key_name'] = 'API-TOKEN';

/*
|-----------------------------------------------------------------------
---
| REST Enable Logging
|-----------------------------------------------------------------------
---
|
| When set to TRUE, the REST API will log actions based on the column na
mes 'key', 'date',
| 'time' and 'ip_address'. This is a general rule that can be overridden
in the
| $this->method array for each controller
|
| Default table schema:
| CREATE TABLE `logs` (
| `id` INT(11) NOT NULL AUTO_INCREMENT,
| `uri` VARCHAR(255) NOT NULL,
| `method` VARCHAR(6) NOT NULL,
| `params` TEXT DEFAULT NULL,
| `api_key` VARCHAR(40) NOT NULL,
| `ip_address` VARCHAR(45) NOT NULL,
| `time` INT(11) NOT NULL,
| `rtime` FLOAT DEFAULT NULL,
| `authorized` VARCHAR(1) NOT NULL,
| `response_code` smallint(3) DEFAULT '0',
| PRIMARY KEY (`id`)
| ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
|
*/
$config['rest_enable_logging'] = FALSE;

/*
|-----------------------------------------------------------------------
---
| REST API Logs Table Name
|-----------------------------------------------------------------------
---
|
| If not using the default table schema in 'rest_enable_logging', specif
y the
| table name to match e.g. my_logs
|
*/
$config['rest_logs_table'] = 'logs';

/*
|-----------------------------------------------------------------------
---
| REST Method Access Control
|-----------------------------------------------------------------------
---
| When set to TRUE, the REST API will check the access table to see if
| the API key can access that controller. 'rest_enable_keys' must be ena
bled
| to use this
|
| Default table schema:
| CREATE TABLE `access` (
| `id` INT(11) unsigned NOT NULL AUTO_INCREMENT,
| `key` VARCHAR(40) NOT NULL DEFAULT '',
| `all_access` TINYINT(1) NOT NULL DEFAULT '0',
| `controller` VARCHAR(50) NOT NULL DEFAULT '',
| `date_created` DATETIME DEFAULT NULL,
| `date_modified` TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP ON
UPDATE CURRENT_TIMESTAMP,
| PRIMARY KEY (`id`)
| ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
|
*/
$config['rest_enable_access'] = FALSE;

/*
|-----------------------------------------------------------------------
---
| REST API Access Table Name
|-----------------------------------------------------------------------
---
|
| If not using the default table schema in 'rest_enable_access', specify
the
| table name to match e.g. my_access
|
*/
$config['rest_access_table'] = 'access';
/*
|-----------------------------------------------------------------------
---
| REST API Param Log Format
|-----------------------------------------------------------------------
---
|
| When set to TRUE, the REST API log parameters will be stored in the da
tabase as JSON
| Set to FALSE to log as serialized PHP
|
*/
$config['rest_logs_json_params'] = FALSE;

/*
|-----------------------------------------------------------------------
---
| REST Enable Limits
|-----------------------------------------------------------------------
---
|
| When set to TRUE, the REST API will count the number of uses of each m
ethod
| by an API key each hour. This is a general rule that can be overridden
in the
| $this->method array in each controller
|
| Default table schema:
| CREATE TABLE `limits` (
| `id` INT(11) NOT NULL AUTO_INCREMENT,
| `uri` VARCHAR(255) NOT NULL,
| `count` INT(10) NOT NULL,
| `hour_started` INT(11) NOT NULL,
| `api_key` VARCHAR(40) NOT NULL,
| PRIMARY KEY (`id`)
| ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
|
| To specify the limits within the controller's __construct() method, ad
d per-method
| limits with:
|
| $this->method['METHOD_NAME']['limit'] = [NUM_REQUESTS_PER_HOUR];
|
| See application/controllers/api/example.php for examples
*/
$config['rest_enable_limits'] = TRUE;

/*
|-----------------------------------------------------------------------
---
| REST API Limits Table Name
|-----------------------------------------------------------------------
---
|
| If not using the default table schema in 'rest_enable_limits', specify
the
| table name to match e.g. my_limits
|
*/
$config['rest_limits_table'] = 'limits';

/*
|-----------------------------------------------------------------------
---
| REST Ignore HTTP Accept
|-----------------------------------------------------------------------
---
|
| Set to TRUE to ignore the HTTP Accept and speed up each request a litt
le.
| Only do this if you are using the $this-
>rest_format or /format/xml in URLs
|
*/
$config['rest_ignore_http_accept'] = FALSE;

/*
|-----------------------------------------------------------------------
---
| REST AJAX Only
|-----------------------------------------------------------------------
---
|
| Set to TRUE to allow AJAX requests only. Set to FALSE to accept HTTP r
equests
|
| Note: If set to TRUE and the request is not AJAX, a 505 response with
the
| error message 'Only AJAX requests are accepted.' will be returned.
|
| Hint: This is good for production environments
|
*/
$config['rest_ajax_only'] = FALSE;

/*
|-----------------------------------------------------------------------
---
| REST Language File
|-----------------------------------------------------------------------
---
|
| Language file to load from the language directory
|
*/
$config['rest_language'] = 'english';

/*
|-----------------------------------------------------------------------
---
| CORS Check
|-----------------------------------------------------------------------
---
|
| Set to TRUE to enable Cross-
Origin Resource Sharing (CORS). Useful if you
| are hosting your API on a different domain from the application that
| will access it through a browser
|
*/
$config['check_cors'] = FALSE;

/*
|-----------------------------------------------------------------------
---
| CORS Allowable Headers
|-----------------------------------------------------------------------
---
|
| If using CORS checks, set the allowable headers here
|
*/
$config['allowed_cors_headers'] = [
'Origin',
'X-Requested-With',
 'Content-Type',
'Accept',
'Access-Control-Request-Method'
];

/*
|-----------------------------------------------------------------------
---
| CORS Allowable Methods
|-----------------------------------------------------------------------
---
|
| If using CORS checks, you can set the methods you want to be allowed
|
*/
$config['allowed_cors_methods'] = [
'GET',
'POST',
'OPTIONS',
'PUT',
'PATCH',
'DELETE'
];

/*
|-----------------------------------------------------------------------
---
| CORS Allow Any Domain
|-----------------------------------------------------------------------
---
|
| Set to TRUE to enable Cross-Origin Resource Sharing (CORS) from any
| source domain
|
*/
$config['allow_any_cors_domain'] = FALSE;

/*
|-----------------------------------------------------------------------
---
| CORS Allowable Domains
|-----------------------------------------------------------------------
---
|
| Used if $config['check_cors'] is set to TRUE and $config['allow_any_co
rs_domain']
| is set to FALSE. Set all the allowable domains within the array
|
| e.g. $config['allowed_origins'] = ['http://www.example.com', 'https://
spa.example.com']
|
*/
$config['allowed_cors_origins'] = [];

/*
|-----------------------------------------------------------------------
---
| CORS Forced Headers
|-----------------------------------------------------------------------
---
|
| If using CORS checks, always include the headers and values specified
here
| in the OPTIONS client preflight.
| Example:
| $config['forced_cors_headers'] = [
| 'Access-Control-Allow-Credentials' => 'true'
| ];
|
| Added because of how Sencha Ext JS framework requires the header
| Access-Control-Allow-Credentials to be set to true to allow the use of
| credentials in the REST Proxy.
| See documentation here:
| http://docs.sencha.com/extjs/6.5.2/classic/Ext.data.proxy.Rest.html#cf
g-withCredentials
|
*/
$config['forced_cors_headers'] = [];
2. Output
a. XSS

Gambar diatas menjelaskan bahwa pada fungsi pungsi PUT dan POST ditambahkan validasi
XSS agar Ketika terdapat injeksi data berupa html, program dapan meng ‘Clean’ data
tersebut.

Pada proses edit data diatas misalkan terdapat injeksi berupa html pada salah satu kolom
yaitu kolom ‘nama_barang’.
 Namun Ketika kita lihat di database, data tersebut sudah terclean.

b. API TOKEN

Pada gambar diatas telah ditambahkan validasi token pada program ini dimana fungsi ini
digunakan agar program dapat diakses dengan cara yang legal.

Buat table ‘keys’ pada PhpMyAdmin dan input token yang akan menjadi validasi pada
program.
 Pada gambar diatas, program akan mengembalikan message ‘Invalid API Key’ jika tidak
dimasukan token pada request tersebut.

c. LIMIT

Gambar diatas yaitu untuk menambahkan atau mengurangi limit setiap request pada api.

Tambah table baru pada PhpMyAdmin yaitu table limits.

Tambah configurasi pada controller.