Latest Entries »

I’m currently building a backend API for a site which requires requests to be signed with an access token header. My problem is, the default @Security annotation feature doesn’t fit with our requirements, because we don’t actually have any users on our site! We actually consume our clients SOAP service, which is where all the important data is stored.

Currently, in a typical controller action, I have the following code:

/**
 *@Rest\Put("/auth/change-password")
 */
public function changePasswordAction(Request $request)
{
 $tokenId = $paramFetcher->get('token');
 $tokenSvc = $this->get('Our\SuperbBundle\Service\TokenService');

 // Check the token exists and is valid
 // throws exception if not found or expired
 $tokenSvc->findToken($tokenId); 
 // actual change password logic here
}

We are going to have several controllers with multiple calls, so we don’t want to add this in every single controller action, so we will create our own custom annotation.

<?php

namespace Our\CustomerZoneBundle\Annotation;

/**
 * Class SecureToken
 * @package Our\CustomerZoneBundle\Annotation
 * @Annotation
 */
class SecureToken
{
}

The next thing we do is create an Annotation listener, which I’ll explain below:

<?php

namespace Our\CustomerZoneBundle\EventListener;

use Doctrine\Common\Annotations\AnnotationReader;
use Doctrine\Common\Util\ClassUtils;
use Our\CustomerZoneBundle\Annotation\SecureToken;
use Our\CustomerZoneBundle\Model\Exception\TokenException;
use Our\CustomerZoneBundle\Service\TokenService;
use ReflectionClass;
use ReflectionObject;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\FilterControllerEvent;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

class SecureTokenAnnotationListener
{
    /** @var AnnotationReader $reader */
    protected $reader;

    /** @var RequestStack $requestStack */
    protected $requestStack;

    /** @var TokenService $tokenService */
    protected $tokenService;

    /**
     * SecureTokenAnnotationListener constructor.
     * @param AnnotationReader $reader
     * @param RequestStack $stack
     * @param TokenService $tokenService
     */
    public function __construct(AnnotationReader $reader, RequestStack $stack, TokenService $tokenService)
    {
        $this->reader = $reader;
        $this->requestStack = $stack;
        $this->tokenService = $tokenService;
    }

    /**
     * @param FilterControllerEvent $event
     */
    public function onKernelController(FilterControllerEvent $event)
    {
        $controller = $event->getController();
        /*
         * $controller passed can be either a class or a Closure.
         * This is not usual in Symfony2 but it may happen.
         * If it is a class, it comes in array format
         *
         */
        if (!is_array($controller)) {
            return;
        }

        /** @var Controller $controllerObject */
        list($controllerObject, $methodName) = $controller;

        $request = $this->requestStack->getCurrentRequest();
        $cookies = $request->cookies;
        $mkzCookie = $cookies->get('mkz');

        // Override the response only if the annotation is used for method or class
        if ($this->hasSecureTokenAnnotation($controllerObject, $methodName)) {
            try {
                if (!$mkzCookie) {
                    throw new TokenException(TokenException::ERROR_NOT_FOUND, 404);
                }
                $this->tokenService->findToken($mkzCookie);
            } catch (TokenException $e) {
                throw new AccessDeniedHttpException($e->getMessage(), $e);
            }
        }
    }

    /**
     * @param Controller $controllerObject
     * @param string $methodName
     * @return bool
     */
    private function hasSecureTokenAnnotation(Controller $controllerObject, string $methodName) : bool
    {
        $tokenAnnotation = SecureToken::class;

        $hasAnnotation = false;

        // Get class annotation
        // Using ClassUtils::getClass in case the controller is an proxy
        $classAnnotation = $this->reader->getClassAnnotation(
            new ReflectionClass(ClassUtils::getClass($controllerObject)), $tokenAnnotation
        );

        if ($classAnnotation) {
            $hasAnnotation = true;
        }

        // Get method annotation
        $controllerReflectionObject = new ReflectionObject($controllerObject);
        $reflectionMethod = $controllerReflectionObject->getMethod($methodName);
        $methodAnnotation = $this->reader->getMethodAnnotation($reflectionMethod, $tokenAnnotation);

        if ($methodAnnotation) {
            $hasAnnotation = true;
        }

        return $hasAnnotation;
    }
}

Our event listener uses the annotation reader class, and takes the request object. When the event triggers, the onKernelController() method is called, where we get the Access Token cookie from the request. Then it checks for the @SecureToken annotation, which can either cover an entire class, or can be set in individual method docblocks.

Next, we hook up the service autowiring in the config services.yml:

our.event_listener.secure_token:
    class: Our\CustomerZoneBundle\EventListener\SecureTokenAnnotationListener
    autowire: true
    tags:
        - { name: kernel.event_listener, event: kernel.controller }

Symfony autowiring is pretty cool. the autowire true key allows Symfony to take care of object instantiation, so we don’t even need to fetch the annotation reader or request for the constructor!

Finally, we add our annotation to our method, and remove our check from inside the method:

/**
 * @Rest\Put("/auth/change-password")
 * @SecureToken
 */
public function changePasswordAction(Request $request)
{
    // actual change password logic here
}

Now using whatever HTTP client you like (POSTman 😉 !) when we add our Access Token cookie header, the check happens automatically! Removing the cookie now gives us a 403 response! Success! Have fun! 😀

Advertisements

I had an issue on this old legacy site in work where I was writing a basic acceptance test where it clicks all the links in the top section of the home page. The problem was that one of the links opened another window using JavaScript. So I had to reconfigure Codeception to get it running.

There are various different drivers that codeception uses, PhpBrowser which doesn’t do JS, Selenium WebDriver does, and you have several options; you could install Selenium, chrome headless browser, or phantomjs. I chose phantomjs, as it was easiest (for me) to get up and running on a non X Server.

First up, you’ll need phantomjs. Go download it, unpack the zip, move the folder somewhere, and then symlink the bin/phantomjs to /usr/bin/phantomjs.

Next, launch phantomjs like so:

phantomjs --webdriver=4444 --ignore-ssl-errors=true --ssl-protocol=any

Now, in your YAML:

# Codeception Test Suite Configuration

# suite for acceptance tests.
# Run the following command FIRST:
# phantomjs --webdriver=4444 --ignore-ssl-errors=true --ssl-protocol=any

# RUN `build` COMMAND AFTER ADDING/REMOVING MODULES.

class_name: WebGuy
modules:
     enabled:
         - WebDriver
         - WebHelper
     config:
         WebDriver:
             url: 'https://USER:PASS@YOUR_URL_HERE'
             browser: phantomjs
             capabilities:
                 acceptSslCerts: true

If you have a site using HTTP Basic Auth, put USER:PASSWORD@ in yopur URL, if not, remove it.

Now in your acceptance test, you can write:

$i->click('Nouvel abonnement');
$i->switchToWindow('webformswin');

Note that, in your Javascript, when you run the open window function, you specify a name. This is the name you use, and not the title from the HTML <head> section!

And there you have it! We can now test with javascript functionality!

find text within a bunch of files within a folder simply by typing this:

grep -nr 'whatever' .

Where r is recursive, and n gives you the line number. 🙂

It’s something to do with using PHP FPM / Fast CGI, and auth headers being disable for that.

So we add this to the directory entry of the .htaccess:

SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

You now have your missing header back!

Devving on Windows is a PITA.

Anyway, ever seen a message like this?

warning: LF will be replaced by CRLF in tests/unit/Del/Console/CommandTest.php.
The file will have its original line endings in your working directory.
warning: LF will be replaced by CRLF in tests/unit/Del/Console/CommandTest.php.
The file will have its original line endings in your working directory.

We only want LF. To squelch this crap, run the following:

git config core.autocrlf false

Yay.

Today I had the mammoth task of checking through 512 git commits to find a piece of code that broke something.

Usually i would git log, look back however many commits, and then do a git reset –hard COMMIT_NUMBER, then check if it worked. If it did, I would git pull back to the HEAD again, and try a resetting back to a more recent commit, until I found the bad code.

Never again! Git bisect to the rescue!

Find any good commit in the past, and note the commit number. Find any bad commit where the code is broken, and note the commit number.

Now, do the following:

git bisect start
git bisect good 514d83c
git bisect bad b27f38e

capture

Git checks out the middle commit between the good and bad ones. At this point I reloaded my page to see if the code was working or not. The code was working, so I then told git that it was good:

git bisect good

capture

Again the code was working, so as you can see I ran it again. Each time, git bisect jumps half way, iterating and narrowing down the options. Keep doing this and checking your code until it breaks, then say:

git bisect bad

Here’s the rest of the output:

capture

Now we have the exact commit number, and can do a git diff to find out what you did wrong! 🙂

Once you have the commit in question, tell git bisect that you are finished:

git bisect reset

I am amazed that I’m only just finding out about this awesome feature of Git! I’m sure you’ll love it too, try it!

Have fun!

Debugging a Twig View

Just a quick note here to save future hunting.

Ever seen this crap error message?

An exception has been thrown during the rendering of a templat

It totally sucks, right? And then you try debugging with XDebug, only to find you can’t most of the time, since Twig uses eval().

Anyway, to save you looking, if you set a breakpoint where that message is thrown you can get to see your own Exception:

vendor/twig/twig/lib/Twig/Template.php

Look at line 401 (this may have changed in later versions):

} catch (Exception $e) {
    throw new Twig_Error_Runtime(sprintf('An exception has been thrown during the rendering of a template ("%s").', $e->getMessage()), -1, $this->getTemplateName(), $e);
}

You can now see your Exception!

In PHPStorm, you can do a regex find and replace. To upgrade a crappy old site using <?, just use the following regex:

#<\?(?!=|php|xml)#

https://regex101.com/r/yD6dK5/5

Apple Wireless Mouse on Windows

So I left my work laptop’s PSU in Scotland. Oops! I also left my cheap mouse alongside it (I hate the touchpad thingy). So that left me with my Apple Wireless Magic Mouse, the touch sensitive one.

Once you hook it up with Bluetooth, you’ll notice the touch scroll doesn’t work. 😦
So let’s fix that!

As you know, Mac can run Windows using a thing called Bootcamp, which has the drivers we need. Download either the 32 or 64 bit version depending which Windows you are running. https://support.apple.com/kb/DL1336?locale=en_US

Using 7-zip or something similar, right click the downloaded exe and and extract it somewhere. Once extracted, go into the BootCamp31ToBootCamp303 folder.

Look for a file called Binary.MultiTouchMouse_Bin. Right click on that, and extract the files somewhere. These are our drivers!

Once you’ve done that, run DPInst.exe, which will install the drivers.

Scroll now works! But ah! Macs scroll the opposite way around, like a touch screen, we push the page up or down. If you’d like to flip the scroll “wheel”, do the following:

  • Open Control Panel > Devices & Printers > Bluetooth Devices
  • Right click and choose Properties
  • Select HID compliant mouse, and click properties
  • Choose the Details Tab
  • Select Device Instance Path, note the value
  • Open regedit (Start > regedit)
  • HKEY_LOCAL_MACHINE
  • System
  • Current Control Set
  • Enum
  • HID
  • Now follow the device instance path from the mouse properties
  • Device Parameters
  • Double Click FlipFlopWheel
  • Change 0 to 1 (turn flip flop wheel on)
  • Now disconnect and reconnect your mouse

Your mouse now works exactly the same way in Windows as it does on your Mac. Have fun!

DOMDocuments are cool, and a really nice way of dealing with HTML in an OO fashion. However, sometimes, we have an HTML string element which we need to add to our Document. Here’s how you do it:

    function createNodesFromHTML(DOMDocument $doc,$str) 
    {
        $nodes = array();
        $d = new DOMDocument();
        $d->loadHTML("<html>{$str}</html>");
        $child = $d->documentElement->firstChild->firstChild;
        while($child) {
            $nodes[] = $doc->importNode($child,true);
            $child = $child->nextSibling;
        }
        return $nodes;
    }


        $dom = new DOMDocument();
        $icon = '<i class="fa fa-remove"></i>'; // This is our string

        $button = $dom->createElement('a');
        $button->setAttribute('href', '/whatever/delete/12345');
        $button->setAttribute('class', 'btn btn-sm btn-danger');
        
        // This is us turning the string(s) into nodes we can add
        $nodes = createNodesFromHTML($dom, $icon);
        $button->appendChild($nodes[0]);
        
        $dom->appendChild($button);
        echo $dom->saveHTML();