Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Christoph Rumpel:
Laravel Response Caching and CSP
Mar 19, 2018 @ 10:55:41

Christoph Rumpel has posted a guide for the Laravel users out there that have wanted to implement a Content Security Policy (CSP) in their application. A CSP helps to prevent cross-site scripting issues by locking down the images, scripts, resources, etc. that can be used in your application.

Caching is lovely, and the Content Security Policy is incredible. But when you put them together... Let me show you the problems I encountered, and how I fixed them.

He starts by describing the setup he was working with and improvements he was making (using the Spatie Laravel ResponseCache package to improve the performance of his site). As a part of the refactor he decided to implement a CSP but had an issue where the nonces on the included scripts didn't change like they did in development. To resolve the issue he created a middleware that takes the response and, after calling the other middleware, append the header to the response instance. Full code for the solution is included in the post.

tagged: contentsecuritypolicy csp laravel cache output response middleware

Link: https://christoph-rumpel.com/2018/03/laravel-response-caching-and-csp

Frequently Asked Questions About Laravel based APIs
Mar 15, 2018 @ 10:35:09

On the Pineco.de site there's a new post that answers some of the frequently asked questions they've heard about APIs in Laravel-based applications.

Developing APIs are getting more and more popular, but still, it’s a bit blurry field for many developers. We collected some common questions and tried to answer them in one place.

Their list of questions includes:

  • "What does RESTful mean?"
  • "How does API authentication work?"
  • "Why Laravel has a “web” and an “api ” middleware group?"
  • "How can I test my APIs?"

For each there's a brief summary of the issue and links to other sources (documentation and packages) to help answer or fix the issue.

tagged: laravel api faq question rest authentication middleware testing

Link: https://pineco.de/frequently-asked-questions-about-laravel-based-apis/

Christoph Rumpel:
Content Security Policy 101
Mar 15, 2018 @ 09:52:43

In a new post to his site Christoph Rumpel shares an introduction to the use of Content Security policies to prevent client-side security issues in your applications. While his examples are more Laravel-specific, the concepts can be applied to just about any framework or home-grown solution.

As more and more services get digital these days, security has become a significant aspect of every application. Especially when it comes to third-party code, it is tough to guarantee safety. But in general, XSS and Code Injection is a big problem these days. Content Security Policy provides another layer of security that helps to detect and protect different attacks. Today, I will introduce this concept and its main features, as well as show real-world examples.

He starts with a general look at web application security vulnerabilities and, more specifically, cross-site scripting issues. These are the ones that a Content Security Policy (CSP) can help prevent. He then covers the basics of the CSP header and gets into the implementation. In his example he sets up the addition of the CSP header as a middleware so that it's included on every request. With the default header all resources are blocked so he walks through the process of restoring access to the scripts, fonts and styles his blog needs to work correctly.

With the basics covered he then gets into a few more advanced features of CSP policies such as nonces for resource identification, iframe handling and the submission of forms. The post ends with a recommendation of the Laravel CSP package for use in Laravel applications. If you're looking for something more framework agnostic you might want to look into ParagonIE's CSP Builder library.

tagged: contentsecuritypolicy csp beginner tutorial laravel middleware framework

Link: https://christoph-rumpel.com/2018/03/content-security-policy-101

Cees-Jan Kiewiet:
ReactPHP with RecoilPHP: Creating for/http-middleware-psr15-adapter
Feb 09, 2018 @ 11:21:13

Cees-Jan Kiewiet is back with the latest tutorial in his series covering ReactPHP and RecoilPHP. In the previous parts he introduced some of the basic concepts and set up the first bits of code combining ReactPHP and RecoilPHP. In this latest tutorial (part three) he shows how to integrate this with a PSR-15 compliant middleware to evaluate response time.

There are more uses for coroutines than just making working with promises easier. In this post we're diving into the details on how they are used by the Friends of ReactPHP in the PSR-15 Middleware adapter for react/http.

When we started discussing how middleware for react/http should work we also look at the state of PSR-15 at the time. We decided against implementing it directly because of the fully blocking nature of PSR-15, in favour of callable. Which turned into an even better decision when return type hints where added to it to PSR-15. Now I love PSR-15, and middleware in general, which is why I created for/http-middleware-psr15-adapter to bridge the gap.

He starts with the code required to create a normal PSR-15 middleware and recreating the same functionality in a ReactPHP middleware. The article then shows how to use the package he developed to transform the middleware "on the fly" to enable it to be used both as a normal PSR-15 middleware and as a ReactPHP middleware. He ends the post with a word of caution and a bit of advice about using this method of rewriting - basically that just because you can doesn't mean you should.

tagged: reactphp recoil psr15 middleware translate onthefly package tutorial part3 series

Link: https://blog.wyrihaximus.net/2018/02/reactphp-with-recoilphp-party-three-http-middleware-psr-15-adapter/

Zend Framework Blog:
Expressive 3 Alpha 3
Feb 09, 2018 @ 09:39:48

On the Zend Framework blog today project lead Matthew Weier O'Phinney has posted an announcement about the latest (alpha) release of the Zend Expressive framework: Zend Expressive 3 Alpha 3.

Today, we pushed the final changes and fixes that culminated in the Expressive Installer and Skeleton 3.0.0alpha3 release!

The alpha releases have a ton of great features; keep reading to find out more!

The post then walks you through the installation process (slightly different since it's an alpha) and shows the creation of a sample middleware via the command line tooling. The tutorial then shows the creation of a request handler and how to configure it in the router. The post ends with a look ahead it what's next for the framework on its roadmap including several features that need completion before v3 of Zend Expressive can be called complete.

tagged: zendexpressive zendframework v3alpha3 tutorial install middleware handler

Link: https://framework.zend.com/blog/2018-02-08-expressive-3-alpha3.html

Matthew Weier O'Phinney:
Jan 24, 2018 @ 10:43:53

In a new post to his site Matthew Weier O'Phinney, lead developer on Zend Framework and representative in the PHP-FIG, covers the acceptance of PSR-15 by the group. PSR-15 relates to the creation of server request handlers and middleware that can use PSR-7 formatted messages.

Yesterday, following a unanimous vote from its Core Committee, PHP-FIG formally accepted the proposed PSR-15, HTTP Server Handlers standard.

This new standard defines interfaces for request handlers and middleware. These have enormous potential impact on the PHP ecosystem, as they provide standard mechanisms for writing HTTP-facing, server-side applications. Essentially, they pave the way for developers to create re-usable web components that will work in any application that works with PSR-15 middleware or request handlers!

He starts with a bit of background around the initial idea of the standard and some of the discussions that came up around it. The initial draft of the standard was modified to more correctly handle issues around response modification and the use of "handlers" for request/response manipulation. He then covers the final version of the standard, defined in the standard's documentation and enforceable via the psr/server-handler interface. Finally he covers how to use this to create re-usable middleware and an example using Expressive.

tagged: phpfig psr15 standard request response middleware handler

Link: https://mwop.net/blog/2018-01-23-psr-15.html

Sergey Zhuk:
ReactPHP HTTP Server Middleware
Dec 20, 2017 @ 12:29:11

Sergey Zhuk has a new post to his site showing how to define and use middleware in your ReactPHP application.

What exactly is middleware? In real application when the request comes to the server it has to go through the different request handlers. For example, it could be authentication, validation, ACL, logger, caching and so on. Consider the request-response circle as an onion and when a request comes in, it has to go through the different layers of this onion, to get to the core. And every middleware is a layer of the onion.

He starts off with a simple example of a ReactPHP-based server that just responds to all requests with a "Hello world" message. I includes some logging functionality that he then refactors out into middleware. This logging records the HTTP method used, time of the request and the URL requested - all things the code can get from the request object. Code is included showing the refactoring out to the middleware and injecting it into the ReactPHP application. He then updates it to check for the existence of a file and, if so, returns the results as a stream. Finally he covers updates to the response inside the middleware, changing the HTTP status code and content returned based on the results of various checks.

tagged: reactphp middleware tutorial refactor request response

Link: http://sergeyzhuk.me/2017/12/20/reactphp-http-middleware/

Nwanze Franklin:
Deep dive into middlewares in Laravel
Dec 14, 2017 @ 12:46:48

Nwanze Franklin has posted a tutorial to the Dev.to site sharing a deep dive into middlewares in Laravel. Middleware is a powerful tool that can allow you to work with the request and response objects in your application in a more reproducible and contained manner.

What is a Laravel middleware? It is a feature in Laravel which provides a mechanism for filtering HTTP requests entering your application. This allows you to hook into Laravel request processing work flow to perform some kind of logic that decides how your application works.

What would you use middleware for? Protecting your routes, setting headers on HTTP responses, logging requests to your application, sanitizing incoming parameters, enable site-wide maintenance mode [and] manipulating responses generated by your application.

The tutorial then starts in on the code, showing how to create a custom middleware and the code that's generated by the artisan command. It covers the differences between global and route middleware, how to register a middleware and assigning it to a route. It ends with a look at using parameters in middleware and how to access them from the controller.

tagged: middleware laravel tutorial introduction framework route global

Link: https://dev.to/franko4don/deep-dive-into-middlewares-in-laravel-doo

TJ Miller:
An Approach to Testing Middleware
Nov 29, 2017 @ 09:06:19

TJ Miller has posted an article where he shares some suggestions about testing middleware in your applications. Since middleware is usually only executed as a part of the normal request/response cycle it is difficult to test in isolation.

I’ve always tested middleware in one of two ways, a unit test with mocks and asserting the callback in the handle method or integration tests on application routes.

[...] I wanted to find a simple approach that verified the following: middleware is active and configured correctly (global, group, single use) [and that the] middleware is functioning correctly

He briefly discusses the difference between unit testing and integration testing before showing how to set up unit tests for a Laravel-based middleware: a check for a JSON response, testing to ensure logging is working as expected and that a middleware is correctly assigned to a route.

tagged: testing unittest integration middleware laravel tutorial

Link: https://medium.com/@sixlive/an-approach-to-testing-middleware-c547fc942848

Rob Allen:
Implementing CORS in Zend Expressive
Nov 15, 2017 @ 09:20:13

In a new post to his site Rob Allen shows you how to implement CORS in a Zend Expressive application through the use of a simple middleware wrapper that sends the appropriate headers.

On a recent project, I needed to implement CORS support for my Expressive API. The easiest way to do this is to use Mike Tuupola's PSR-7 CORS Middleware.

As this is a standard Slim-Style PSR-7 middleware implementation, we need to wrap it for Expressive, so we make a factory. [...] We then register this in our AppConfigProvider::getDependencies() by adding to the factories key.

He includes the code and configuration changes required to make it all work and includes example output of a request (with headers) from a curl call to the API. He also includes a section on working with JSON error responses and ProblemDetails for when there are issues related to the current CORS policy definition.

tagged: cors tutorial zendexpressive middleware json error problemdetails

Link: https://akrabat.com/implementing-tuupola-cors-in-expressive/