Atwix Magenews - April 2019
Roman Glushko Avatar

Welcome to the April edition of the Atwix MageNews! We’ve prepared a roundup of the most exciting news that happened in Magento Community over the last month.
PageBuilder and Magento 2.3.1 releases, code quality tools, security updates and much more. You’ll find it all below, so let’s get started!

Not to Miss

Magento 2.3.1

These days Magento released a new minor version of 2.3.1 and the release notes are truly amazing. First of all – yes, PageBuilder is generally available now and all Magento Commerce merchants have a chance to give it a spin. Moving forward, payment methods have been improved, too. PayPal integration has been upgraded and it will support additional payment options and smart payment buttons that simplify the checkout process. Old Authorize.Net integration has been replaced to avoid issues related to MD5 hash algorithm deprecation.

On the infrastructure side now Magento 2.3.1 will support Redis 5, ElasticSearch 6 and PHP 7.2. Also, Magento took care of the upgrade process and wrote a composer plugin that will help to upgrade Magento between major versions. This is not even the half of it… Learn more from the references below.

More Info:
[Magento DevDocs] 2.3.x Release Information
[Magento DevDocs] Page Builder Docs
[Magento] 2.3.1, 2.2.8 and 2.1.17 Security Update
[PayPal] Smart Payment Buttons Overview

Adobe Commerce Cloud. What Does It Mean?

At the Adobe Summit 2019, Adobe announced the availability of Adobe Commerce Cloud. It will be built on Magento Commerce and deeply integrate with Analytics, Marketing and Advertising Clouds. Earlier, the Magento Engcom Team started the Adobe Experience Platform Connector project. Adobe intends to integrate Magento with the existing services in the Adobe Experience Platform and close an e-commerce gap in their offering.

More Info:
[TechCrunch] Adobe launches its Commerce Cloud, based on its Magento acquisition
[Magento] Unveiling Adobe Commerce Cloud at Adobe Summit 2019
[Github] The Adobe Experience Platform Connector for Magento

Community Experience

MageTestFest 2019

In the middle of March, in the beautiful city of Florence, Magento re-iterated their vision at the MageTestFest 2019. Improving code quality of Magento projects and testing approaches is going to continue being one of the primary objectives. Slides are available for those who did not make it there.

More Info:
[MAGETESTFEST] Slides from MAGETESTFEST 2019
[bitExpert] Tools to improve the quality of your Magento project

Static Storefront for Magento

Working on Magento 2 PWA adoption, Adobe started updating its technology stack. This brought GraphQL support and opened new opportunities for frontend implementations. We’ve already heard much about official Magento PWA studio, Vue Storefront, DEITY Falcon or Front Commerce… But today we are going to review a new idea which is as simple as a pre-generated frontend for Magento using Gatsby.js.

Gatsby.js is a React-based data-agnostic static generator for blazing fast websites. It uses GraphQL to connect to any data source and currently two data-source plugins are available for Magento 2. One of them is from Stanislav Smovdorenko who works on a sample static theme for Magento. Dive deeper into the advantages of such approach and the current state of the static theme project.

More Info:
[Medium] Benefits of a static storefront for Magento
[GitHub] mobelop/gatsby-source-magento2
[GitHub] maru3l/gatsby-source-magento

Make Magento 2.3 Small Again

Integer_net proceeds to work on an idea of removing Magento core modules that are not used in the projects. This time they’ve touched a list of modules that come from the latest major release – Magento 2.3. Read more about which modules can be removed and which can’t:

More Info:
[integer_net] Make Magento 2 small again
[integer_net] Removing unused core modules from Magento 2 – the right way

Hello World!

Sometimes it can be super helpful to be able to give external services access to your local environment. Just imagine testing of webhooks or IPN without that! Ngrok is here to help us. It uses a publicly accessible proxy to forward traffic to your localhost using ngrok application. Find more about using Ngrok with Magento below.

More Info:
[Michiel-Gerritsen.com] Share your local Magento environment with the world
[ngrok.com] Ngrok – secure introspectable tunnels to localhost

Open Source

Magento PhpStorm Plugin

Magento updated their PhpStorm integration for Magento 2. The new version includes improved go-to features and bugfixes:

[JetBrains] Magento PhpStorm – Plugins

MageTestFest Aftermath

A few useful tools have been reviewed at the MageTestFest presentations:

Php Inspections (EA Extended) – a PHPStorm plugin for Static Code Analysis of PHP code
CaptainHook – an easy to use and very flexible git hook lib for php developers
Infection PHP – a fault-based testing technique which provides a testing criterion called the Mutation Score Indicator
Deptrac – a tool that keeps track of the architecture layer relations
Symfony Security Monitoring – a tool for checking project dependencies on well-known vulnaribilities
Eris – a property-based testing tools to the PHP and PHPUnit ecosystem

Magento Coding Standards

The initial version of Magento Coding Standards is available now. The project is intended to consolidate MEQP and Magento 2 core rules, make static checks consistent and store all Magento related sniffer rules in the one place.

More Info:
[Github] Magento Coding Standards v1.0.0 – Release Notes
[Github] Magento Coding Standards Project

Architecture

PhpStan and Magento

We will be able to use PhpStan which is a PHP static analyzing tool to make code quality checks more advanced. It works much faster than often used PHPMD tool and in the long term scenario, PhpStan may replace it completely. Also, PhpStan provides several levels of checks which should help integrate it into existing codebases.

More Info:
[Github] Proposal – Add PHPStan to Magento static checks

Security

Unauthenticated SQL Injection in Magento

Magento Community drew attention to the latest security updates for Magento 2.2 and Magento 2.3.0.
As it turned out, it contains fixes for a pretty critical security issue related to recently viewed and compared products feature.
The security issue is an SQL injection that could give the ability to disclose database information.
It’s highly recommended to either perform an upgrade, apply a patch or block the affected route.
The issue affects Magento 2.2.0-2.2.7 and Magento 2.3.0 instances.

More Info:

[Github] Patch for Magento Commerce Cloud Deployment Tools

Payflow Credit Card Validation Attack

A way to exploit unprotected Magento Payflow integrations and brute force credit card credentials has recently been discovered.
It involves using Paypal service for validation of credit card data and Magento Payflow API for getting authorization tokens. The token is used to perform $0 transactions for checking credit card validity. As a result, Paypal may suspend merchant accounts and charge substantial fees. The website performance may also degrade during the attack.

More Info:

[Magento DevBlog] Targeted carding activity on merchants using Payflow Pro
[Magento Support] PayPal Payflow Pro active carding activity

Authorize.Net Direct Post and SHA-512

Authorize.Net has previously announced that they will deprecate MD5 based hash algorithms starting from June 28th, 2019. This would affect Magento merchants that are using Authorize.Net Direct Post payment method. In response to that, Magento released patches that will help to adjust the relevant logic without a full Magento upgrade. Also, starting from Magento 2.3.1, the Authorize.Net integration has been rebuilt and a new solution includes updated SHA-512 algorithm.

More Info:
[Magento TechResources] Magento2 – Authorize.net Direct Post Signature Key patch

Upcoming Events. Don’t Miss!

– April 3-4th – IRX 2019, Birmingham, UK
– April 12-13th – Magento Meetup and Contribution Day by Atwix in Kyiv, Kyiv, Ukraine
– April 18th – Meet Magento Netherlands, The Hague, Netherlands

Want more?

Need help with Magento customisations? Atwix would be happy to help!

Make sure to be the first for our April MageNews digest – subscribe to our blog.
See you in a month!