
Laravel News:
Getting Started with Signed Routes in Laravel
Mar 21, 2018 @ 09:58:26

On the Laravel News site there's a tutorial showing you how to use a feature that's been added in the latest release of the Laravel framework: signed routes. A signed route carries a signature computed over the generated URL, so the application can verify that none of its parameters were modified before acting on the request.

In the latest Laravel 5.6.12 Release a new signed URLs feature was introduced. In this article, we’ll work on enabling signed URLs in an application and look at a few options of how to use them.

The tutorial starts by helping you update your installation to the latest version and change the configuration to add the new ValidateSignature middleware to the route middleware list. They also provide an example of a route definition that contains several "id"-type values that could potentially be modified by an attacker. It then shows how to use the URL helper to generate a signed route whose signature is derived from the URL contents. The tutorial also provides an example of temporary signed URLs, which include an expiration timestamp in the signed content so the link stops working after a set amount of time.
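To make the mechanism concrete, here is an added illustration (not Laravel's own code) of the same idea: an HMAC over the full URL, expiry included, appended as a `signature` parameter and recomputed on every request. The key, the URLs and the timestamps are constructed sample values.

```php
<?php
// Added illustration of how a signed URL works, not Laravel's own code:
// an HMAC over the whole URL (including any expiry timestamp) is appended
// as a "signature" query parameter and recomputed on every request.
// The key and the URLs below are constructed sample values.
declare(strict_types=1);

const APP_KEY = 'constructed-sample-key'; // assumption: the application secret

function signUrl(string $url, ?int $expiresAt = null): string
{
    if ($expiresAt !== null) {
        // The expiry is signed too, so it cannot be pushed into the future.
        $url .= (str_contains($url, '?') ? '&' : '?') . 'expires=' . $expiresAt;
    }
    $signature = hash_hmac('sha256', $url, APP_KEY);
    return $url . (str_contains($url, '?') ? '&' : '?') . 'signature=' . $signature;
}

function hasValidSignature(string $signedUrl, int $now): bool
{
    // Split off the trailing signature parameter without re-encoding the rest.
    if (!preg_match('/^(.*)[?&]signature=([0-9a-f]{64})$/', $signedUrl, $m)) {
        return false;
    }
    [, $original, $provided] = $m;
    $expected = hash_hmac('sha256', $original, APP_KEY);
    // Constant-time comparison so timing does not reveal matching prefixes.
    if (!hash_equals($expected, $provided)) {
        return false;
    }
    // Temporary URLs: reject the link once its signed expiry has passed.
    $query = [];
    parse_str((string) (parse_url($original, PHP_URL_QUERY) ?: ''), $query);
    if (isset($query['expires']) && $now > (int) $query['expires']) {
        return false;
    }
    return true;
}

// Constructed sample: an unsubscribe link for user 42 that is valid for one hour.
$issuedAt = 1700000000;
$link = signUrl('https://example.test/unsubscribe/42', $issuedAt + 3600);
$modified = str_replace('/42', '/43', $link); // the id was edited after signing

printf("valid now:    %s\n", var_export(hasValidSignature($link, $issuedAt + 60), true));
printf("edited id:    %s\n", var_export(hasValidSignature($modified, $issuedAt + 60), true));
printf("after expiry: %s\n", var_export(hasValidSignature($link, $issuedAt + 7200), true));
```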

tagged: signed route signature integrity laravel tutorial introduction

Link: https://laravel-news.com/signed-routes

Deploy PHP Web Applications Using Laravel Forge
Mar 20, 2018 @ 11:09:46

The TutsPlus.com site has posted a new tutorial showing you how to make use of the Laravel Forge service to deploy your PHP applications. Laravel Forge provides the configuration and automation tools to deploy your applications to servers on your own accounts (like DigitalOcean or AWS).

Developers love to automate things—for every process between development and production, they are keen to have a script that makes their workflow easier. This is also the case with deployment. The process of pushing the final build and deploying the app should be as easy as pressing a Deploy now button, but that is not what happens most of the time.

[...] Don't let the Laravel brand name mislead you. Apart from Laravel, you can use the service to host WordPress, Symfony, Statamic, or any other web project as long as it's PHP. Personally, I like Laravel Forge for its simplicity and ease of getting used to.

In this tutorial, I am going to take you through the steps to hook Laravel Forge with AWS and explore what it has to offer.

The tutorial starts with an overview of the service and what kind of setup and configuration the resulting servers have (by default). It then covers the various configuration options available and walks you through the process of setting it up with your AWS account. It also includes details about the server management system Forge provides, site management, SSH key addition and PHP/MySQL configuration. A few other helpful hints are also tossed in at the end covering task scheduling, daemons, monitoring and network/firewall configuration.

tagged: application deployment laravelforge laravel tutorial aws introduction

Link: https://code.tutsplus.com/tutorials/deploy-php-web-application-using-laravel-forge--cms-30329

Laravel Excel - Lessons Learned
Mar 20, 2018 @ 10:49:33

On the Maatwebsite Medium.com site they've posted a retrospective of their last several years of work on the Laravel Excel open source package.

Laravel Excel (https://github.com/Maatwebsite/Laravel-Excel) turned 4 years last November and has reached almost 6 million Packagist downloads. A good time to reflect on 4.5 years of open source development.

The article starts with a bit of history behind the initial development of the package as a simple wrapper around PHPExcel. It covers some of the initial syntax of the tool and features included from the start. The project moved on to v1.x with a complete rewrite and then into v2.x with support for the Laravel v5.x framework releases. It then talks about their "support conundrum" as they reached 1 (then, later, 6) million package downloads. They cover some of the usual project support issues, a reduction in their work on the package and how they worked to "fix it for everyone".

The post also talks about their "open source rehab" and how it shifted their motivation away from the recent "because 1 million people use it" and back to making a difference in developers' lives. It finishes up with some of the "lessons learned" from working alongside Laravel, a retrospective on the package's current state and a look forward at Laravel Excel v3.0.

tagged: laravel laravelexcel package opensource lesson learn motivation

Link: https://medium.com/@maatwebsite/laravel-excel-lessons-learned-7fee2812551

Christoph Rumpel:
Content Security Policy, Hash-Algorithm and Turbolinks
Mar 20, 2018 @ 09:31:47

Following up on his previous Content Security Policy and Laravel posts, Christoph Rumpel continues the series and looks at how to fix his site's integration with Turbolinks. Turbolinks loads only part of a page when a link is clicked rather than reloading the entire page.

My last week was all about Content Security Policy (CSP). It was an emotional rollercoaster. I loved the concept of CSP and was happy that I managed to integrate it into my site. But then I noticed that caching and Turbolinks weren't working anymore because of the CSP nonces. I had to turn them off. Then yesterday, I found a way to use CSP nonces with the Laravel Response Caching package. I was super excited about it.

Still, Turbolinks weren't working.

He starts by describing the conflict between the CSP and Turbolinks: the nonce in the response header no longer matches the nonces in the script tags of the newly loaded content. He ended up finding a solution in CSP's hash-algorithm source, which lets him allow a script by a hash of its contents and validate it without a nonce at all. He includes the changes to his earlier Laravel Response Cache middleware that emit this hash-based directive for the script tag output.
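As an added illustration of that hash-based approach (not the post's own middleware code), the snippet below hashes every inline script body in a page and lists the hashes in a `script-src` directive, so the same cached markup stays valid on every request. The HTML is a constructed sample.

```php
<?php
// Added illustration of the hash-based CSP source the post settles on, not
// the post's own middleware: each inline <script> body is hashed, and the
// policy lists those hashes instead of a per-request nonce, so cached HTML
// keeps validating. The HTML below is a constructed sample.
declare(strict_types=1);

function cspHashFor(string $inlineScript): string
{
    // The browser hashes the text between the <script> tags byte for byte,
    // so the hash must be computed over exactly the same bytes.
    return "'sha256-" . base64_encode(hash('sha256', $inlineScript, true)) . "'";
}

function scriptSrcDirective(string $html): string
{
    // Only inline scripts need hashes; scripts with a src attribute are
    // covered by the host sources ('self' here).
    preg_match_all('#<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>#s', $html, $matches);
    $sources = ["'self'"];
    foreach ($matches[1] as $body) {
        $sources[] = cspHashFor($body);
    }
    return 'script-src ' . implode(' ', $sources);
}

// Constructed sample page: one external script and one inline Turbolinks hook.
$html = <<<'HTML'
<html><head><script src="/js/app.js"></script></head>
<body><script>document.addEventListener('turbolinks:load', function () { console.log('loaded'); });</script></body></html>
HTML;

// Editing the inline script (even its whitespace) changes the hash, so the
// cached header and the cached markup are either both valid or both stale.
echo 'Content-Security-Policy: ' . scriptSrcDirective($html) . PHP_EOL;
```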

tagged: contentsecuritypolicy csp laravel response hashalgorithm turbolinks

Link: https://christoph-rumpel.com/2018/03/content-security-policy-hash-algorithm-and-turbolinks

Christoph Rumpel:
Laravel Response Caching and CSP
Mar 19, 2018 @ 10:55:41

Christoph Rumpel has posted a guide for the Laravel users out there that have wanted to implement a Content Security Policy (CSP) in their application. A CSP helps to prevent cross-site scripting issues by restricting which images, scripts and other resources the browser may load for your application.

Caching is lovely, and the Content Security Policy is incredible. But when you put them together... Let me show you the problems I encountered, and how I fixed them.

He starts by describing the setup he was working with and the improvements he was making (using the Spatie Laravel ResponseCache package to improve the performance of his site). As a part of the refactor he decided to implement a CSP but had an issue where the nonces on the included scripts didn't change like they did in development. To resolve the issue he created a middleware that, after the other middleware has run, appends the CSP header to the response instance. Full code for the solution is included in the post.

tagged: contentsecuritypolicy csp laravel cache output response middleware

Link: https://christoph-rumpel.com/2018/03/laravel-response-caching-and-csp

Laravel News:
Getting Started with Laravel Model Events
Mar 16, 2018 @ 09:47:09

The Laravel News site has a tutorial posted that introduces you to model events in Eloquent models and how to use them effectively in your code.

Laravel Model events allow you to tap into various points in a model’s lifecycle, and can even prevent a save or delete from happening. The Laravel model events documentation outlines how you can hook into these events with event classes, but this article aims to build upon and fill in a few additional details on setting up events and listeners.

The article starts with an overview of the different types of events available on the models and a brief summary of when each is fired. It then walks you through the process of registering events and where to configure the event-to-handler relationship. The artisan make:event command can then generate the skeleton code for you. In this class you add the handler method and then register it in the providers. Finally it shows an example of how to test the event, how to stop the save event, and how to use observers to group the event handling.

tagged: laravel eloquent model event tutorial introduction

Link: https://laravel-news.com/laravel-model-events-getting-started

Frequently Asked Questions About Laravel based APIs
Mar 15, 2018 @ 10:35:09

On the Pineco.de site there's a new post that answers some of the frequently asked questions they've heard about APIs in Laravel-based applications.

Developing APIs is getting more and more popular, but still, it's a bit of a blurry field for many developers. We collected some common questions and tried to answer them in one place.

Their list of questions includes:

  • "What does RESTful mean?"
  • "How does API authentication work?"
  • "Why Laravel has a "web" and an "api" middleware group?"
  • "How can I test my APIs?"

For each there's a brief summary of the issue and links to other sources (documentation and packages) to help answer or fix the issue.

tagged: laravel api faq question rest authentication middleware testing

Link: https://pineco.de/frequently-asked-questions-about-laravel-based-apis/

Christoph Rumpel:
Content Security Policy 101
Mar 15, 2018 @ 09:52:43

In a new post to his site Christoph Rumpel shares an introduction to the use of Content Security Policies to prevent client-side security issues in your applications. While his examples are more Laravel-specific, the concepts can be applied to just about any framework or home-grown solution.

As more and more services get digital these days, security has become a significant aspect of every application. Especially when it comes to third-party code, it is tough to guarantee safety. But in general, XSS and Code Injection are a big problem these days. Content Security Policy provides another layer of security that helps to detect and protect against different attacks. Today, I will introduce this concept and its main features, as well as show real-world examples.

He starts with a general look at web application security vulnerabilities and, more specifically, cross-site scripting issues. These are the ones that a Content Security Policy (CSP) can help prevent. He then covers the basics of the CSP header and gets into the implementation. In his example he sets up the addition of the CSP header as a middleware so that it's included on every request. With the default header all resources are blocked so he walks through the process of restoring access to the scripts, fonts and styles his blog needs to work correctly.

With the basics covered he then gets into a few more advanced features of CSP policies such as nonces for resource identification, iframe handling and the submission of forms. The post ends with a recommendation of the Laravel CSP package for use in Laravel applications. If you're looking for something more framework agnostic you might want to look into ParagonIE's CSP Builder library.

tagged: contentsecuritypolicy csp beginner tutorial laravel middleware framework

Link: https://christoph-rumpel.com/2018/03/content-security-policy-101

Laravel News:
Testing Vue components with Laravel Dusk
Mar 14, 2018 @ 13:09:52

On the Laravel News site there's a new post showing how you can test Vue.js applications with Laravel Dusk, a testing tool created by the Laravel project to make it easier to write browser-level integration tests that run through ChromeDriver.

Adding tests to a project is always beneficial for different aspects, but choosing the right strategy could be a struggle for many developers.

The problem multiplies itself when you are using different tools or frameworks, and although “having as many tests as you can” sounds like a good idea, at least in theory, in practice this can be very different. The following is an interesting article from the Twitter team about their thoughts on Feature Testing.

Taylor Otwell shared Twitter's article on his Bi-Weekly Laravel Tips newsletter; subscribe if you haven't done so yet. Let's build a simple to-do list using Vue.js and Laravel to illustrate how to add browser testing using Laravel Dusk.

It starts with the controller code for the "tasks" functionality (create/read/update/delete), including request validation, model binding and JSON responses. It then includes the code for the first "task" tests covering each of the CRUD operations. With those basics in place, the tutorial gets into the Vue.js side, showing how to test a simple TasksComponent.vue file and its functionality.

tagged: laravel dusk testing crud task vuejs tutorial

Link: https://laravel-news.com/testing-vue-components-with-laravel-dusk

Laravel News:
User Defined Schedules in Laravel
Mar 09, 2018 @ 11:43:31

On the Laravel News site there's a new post looking at the use of user-defined schedules and some of the "hidden" features the Laravel framework provides to allow for even more customization.

Recently Adam Wathan and Taylor Otwell have used Basecamp to track what they are doing every day–a tech diary. Notably, they are using the check-in feature which allows you to schedule questions to be sent to members about almost anything. Taylor and Adam are using it for “What did you work on today?”

It's not that it's the same time of day or even that it's only weekdays which piqued my curiosity but the fact every check-in has a custom schedule defined by a user. In Laravel, we can quickly schedule a job to run every weekday at 4 pm, and we can use a custom timezone. But out of the box, we cannot set a different schedule for every individual check-in. We would have to store a cron expression and manually check every minute if it's due.

After some "source code diving" the author found that the Schedulable trait lets you define a customized schedule to fit your needs, making it simple to implement in any class or model. Code examples of these changes are included in the post, along with some next steps for getting the approach adopted more widely, either in the Laravel core or as a package.

tagged: laravel schedule custom trait tutorial example

Link: https://laravel-news.com/user-defined-schedules-in-laravel