Atwix MageNews – April 2019

Welcome to the April edition of the Atwix MageNews! We’ve prepared a roundup of the most exciting news that happened in Magento Community over the last month.
PageBuilder and Magento 2.3.1 releases, code quality tools, security updates and much more. You’ll find it all below, so let’s get started!

Not to Miss

Magento 2.3.1

These days Magento released a new minor version of 2.3.1 and the release notes are truly amazing. First of all – yes, PageBuilder is generally available now and all Magento Commerce merchants have a chance to give it a spin. Moving forward, payment methods have been improved, too. PayPal integration has been upgraded and it will support additional payment options and smart payment buttons that simplify the checkout process. Old Authorize.Net integration has been replaced to avoid issues related to MD5 hash algorithm deprecation.

On the infrastructure side now Magento 2.3.1 will support Redis 5, ElasticSearch 6 and PHP 7.2. Also, Magento took care of the upgrade process and wrote a composer plugin that will help to upgrade Magento between major versions. This is not even the half of it… Learn more from the references below.

In case you missed, 2.3.1 dropped with the long-awaited Page Builder feature, @PayPal Smart Buttons, MSI updates, expanded GraphQL coverage of cart, and oodles more!

MOS, MC, MCC notes here: https://t.co/taVkDi6Ddc pic.twitter.com/sKur8tz3OZ

— Ben Marks (@BenMarks) March 27, 2019

More Info:
– [Magento DevDocs] 2.3.x Release Information
– [Magento DevDocs] Page Builder Docs
– [Magento] 2.3.1, 2.2.8 and 2.1.17 Security Update
– [PayPal] Smart Payment Buttons Overview

Adobe Commerce Cloud. What Does It Mean?

At the Adobe Summit 2019, Adobe announced the availability of Adobe Commerce Cloud. It will be built on Magento Commerce and deeply integrate with Analytics, Marketing and Advertising Clouds. Earlier, the Magento Engcom Team started the Adobe Experience Platform Connector project. Adobe intends to integrate Magento with the existing services in the Adobe Experience Platform and close an e-commerce gap in their offering.

Adobe Commerce Cloud strategy is creating a fully integrated solution powered by #Magento + @AdobeExpCloud technologies. @adobe is seeking to meld ecosystems drawing more of @Magento community greatness into the AEM #CMC portfolio #AdobeSummit pic.twitter.com/UUIwTwj0sy

— David Alger (@blackbooker) March 26, 2019

More Info:
– [TechCrunch] Adobe launches its Commerce Cloud, based on its Magento acquisition
– [Magento] Unveiling Adobe Commerce Cloud at Adobe Summit 2019
– [Github] The Adobe Experience Platform Connector for Magento

Community Experience

MageTestFest 2019

In the middle of March, in the beautiful city of Florence, Magento re-iterated their vision at the MageTestFest 2019. Improving code quality of Magento projects and testing approaches is going to continue being one of the primary objectives. Slides are available for those who did not make it there.

More Info:
– [MAGETESTFEST] Slides from MAGETESTFEST 2019
– [bitExpert] Tools to improve the quality of your Magento project

Static Storefront for Magento

Working on Magento 2 PWA adoption, Adobe started updating its technology stack. This brought GraphQL support and opened new opportunities for frontend implementations. We’ve already heard much about official Magento PWA studio, Vue Storefront, DEITY Falcon or Front Commerce… But today we are going to review a new idea which is as simple as a pre-generated frontend for Magento using Gatsby.js.

Gatsby.js is a React-based data-agnostic static generator for blazing fast websites. It uses GraphQL to connect to any data source and currently two data-source plugins are available for Magento 2. One of them is from Stanislav Smovdorenko who works on a sample static theme for Magento. Dive deeper into the advantages of such approach and the current state of the static theme project.

More Info:
– [Medium] Benefits of a static storefront for Magento
– [GitHub] mobelop/gatsby-source-magento2
– [GitHub] maru3l/gatsby-source-magento

Make Magento 2.3 Small Again

Integer_net proceeds to work on an idea of removing Magento core modules that are not used in the projects. This time they’ve touched a list of modules that come from the latest major release – Magento 2.3. Read more about which modules can be removed and which can’t:

More Info:
– [integer_net] Make Magento 2 small again
– [integer_net] Removing unused core modules from Magento 2 – the right way

Hello World!

Sometimes it can be super helpful to be able to give external services access to your local environment. Just imagine testing of webhooks or IPN without that! Ngrok is here to help us. It uses a publicly accessible proxy to forward traffic to your localhost using ngrok application. Find more about using Ngrok with Magento below.

More Info:
– [Michiel-Gerritsen.com] Share your local Magento environment with the world
– [ngrok.com] Ngrok – secure introspectable tunnels to localhost

Open Source

Magento PhpStorm Plugin

Magento updated their PhpStorm integration for Magento 2. The new version includes improved go-to features and bugfixes:

– [JetBrains] Magento PhpStorm – Plugins

MageTestFest Aftermath

A few useful tools have been reviewed at the MageTestFest presentations:

– Php Inspections (EA Extended) – a PHPStorm plugin for Static Code Analysis of PHP code
– CaptainHook – an easy to use and very flexible git hook lib for php developers
– Infection PHP – a fault-based testing technique which provides a testing criterion called the Mutation Score Indicator
– Deptrac – a tool that keeps track of the architecture layer relations
– Symfony Security Monitoring – a tool for checking project dependencies on well-known vulnaribilities
– Eris – a property-based testing tools to the PHP and PHPUnit ecosystem

Magento Coding Standards

The initial version of Magento Coding Standards is available now. The project is intended to consolidate MEQP and Magento 2 core rules, make static checks consistent and store all Magento related sniffer rules in the one place.

🚀 @Magento Coding Standard v1.0.0 is here!
🙌 Kudos to @LarsRoettig @mzeis @fschmengler @Maderlock @theigorgorin https://t.co/AO2whVgcUh

— Olena Orobei (@LenaOrobei) March 27, 2019

More Info:
– [Github] Magento Coding Standards v1.0.0 – Release Notes
– [Github] Magento Coding Standards Project

Architecture

PhpStan and Magento

We will be able to use PhpStan which is a PHP static analyzing tool to make code quality checks more advanced. It works much faster than often used PHPMD tool and in the long term scenario, PhpStan may replace it completely. Also, PhpStan provides several levels of checks which should help integrate it into existing codebases.

More Info:
– [Github] Proposal – Add PHPStan to Magento static checks

Security

Unauthenticated SQL Injection in Magento

Magento Community drew attention to the latest security updates for Magento 2.2 and Magento 2.3.0.
As it turned out, it contains fixes for a pretty critical security issue related to recently viewed and compared products feature.
The security issue is an SQL injection that could give the ability to disclose database information.
It’s highly recommended to either perform an upgrade, apply a patch or block the affected route.
The issue affects Magento 2.2.0-2.2.7 and Magento 2.3.0 instances.

Magento 2 exploit was published hours ago. Do block the attack in Nginx (but also apply patch!):

location ~ /catalog/product_frontend_action/synchronize/ {
return 404;
}

— gwillem (@gwillem) March 29, 2019

More Info:

– [Github] Patch for Magento Commerce Cloud Deployment Tools

Payflow Credit Card Validation Attack

A way to exploit unprotected Magento Payflow integrations and brute force credit card credentials has recently been discovered.
It involves using Paypal service for validation of credit card data and Magento Payflow API for getting authorization tokens. The token is used to perform $0 transactions for checking credit card validity. As a result, Paypal may suspend merchant accounts and charge substantial fees. The website performance may also degrade during the attack.

More Info:

– [Magento DevBlog] Targeted carding activity on merchants using Payflow Pro
– [Magento Support] PayPal Payflow Pro active carding activity

Authorize.Net Direct Post and SHA-512

Authorize.Net has previously announced that they will deprecate MD5 based hash algorithms starting from June 28th, 2019. This would affect Magento merchants that are using Authorize.Net Direct Post payment method. In response to that, Magento released patches that will help to adjust the relevant logic without a full Magento upgrade. Also, starting from Magento 2.3.1, the Authorize.Net integration has been rebuilt and a new solution includes updated SHA-512 algorithm.

More Info:
– [Magento TechResources] Magento2 – Authorize.net Direct Post Signature Key patch

Upcoming Events. Don’t Miss!

– April 3-4th – IRX 2019, Birmingham, UK
– April 12-13th – Magento Meetup and Contribution Day by Atwix in Kyiv, Kyiv, Ukraine
– April 18th – Meet Magento Netherlands, The Hague, Netherlands

Want more?

Need help with Magento customisations? Atwix would be happy to help!

Make sure to be the first for our April MageNews digest – subscribe to our blog.
See you in a month!

Cookie	Duration	Description
__jid	1 day	Used to add comments to the website and remember the user's Disqus login credentials across websites that use said service.
cf_ob_info	past	The cf_ob_info cookie is set by Cloudflare to provide information on HTTP Status Code returned by the origin web server, the Ray ID of the original failed request and the data center serving the traffic.
cf_use_ob	past	Cloudflare sets this cookie to improve page load times and to disallow any security restrictions based on the visitor's IP address.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
li_gc	2 years	Linkeding cookie that stores the user's cookie consent state for the current domain
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	Google Analytics cookie. Used to identify unique users and expires after two years
_gat	1 day	Used by Google Analytics to throttle request rate
_gid	24 hours	Google Analytics cookie. Used to identify user and expires in 24 hours.
_hjAbsoluteSessionInProgress	30 minutes	Hotjar cookie. Used to detect the first pageview session of a user. 30 minutes duration. Boolean true/false data type.
_hjFirstSeen	User session	Hotjar cookie. Identifies a new user’s first session. Used by Recording filters to identify new user sessions. Session duration. Boolean true/false data type.
_hjIncludedInPageviewSample	30 minutes	Hotjar cookie. Set to determine if a user is included in the data sampling defined by your site's pageview limit. 30 minutes duration. Boolean true/false data type.
_hjIncludedInSessionSample	30 minutes	Hotjar cookie. Set to determine if a user is included in the data sampling defined by your site's daily session limit. 30 minutes duration. Boolean true/false data type.
_hjRecordingLastActivity	User session	Hotjar cookie. Sets a unique ID for the session. This allows the website to obtain data on visitor behaviour for statistical purposes
_hjSession_2881021	30 minutes	Hotjar cookie. Holds current session data. Ensures subsequent requests in the session window are attributed to the same session. 30 minutes duration. JSON data type.
_hjSessionRejected	User session	Hotjar cookie. If present, set to '1' for the duration of a user's session, when Hotjar has rejected the session from connecting to our WebSocket due to server overload. Applied in extremely rare situations to prevent severe performance issues. Session duration. Boolean true/false data type.
_hjSessionUser_2881021	1 year	Hotjar cookie. Set when a user first lands on a page. Persists the Hotjar User ID which is unique to that site. Ensures data from subsequent visits to the same site are attributed to the same user ID. 365 days duration. JSON data type.
_hjTLDTest	User session	Hotjar cookie. Registers statistical data on users' behaviour on the website. Used for internal analytics by the website operator.
AnalyticsSyncHistory	29 days	Linkedin cookie. Used in connection with data-synchronization with third-party analysis service.
disqus_unique	1 year	Disqus cookie. Collects statistics related to the user's visits to the website, such as number of visits, average time spent on the website and loaded pages.
https://#.#/	User session	leadfeeder.com cookie. Registers statistical data on users' behaviour on the website. Used for internal analytics by the website operator.
juggler/event.gif	User session	Disqus cookie. Identifies the visitor across devices and visits, in order to optimize the chat-box function on the website.

Cookie	Duration	Description
aet-dismiss	User session	Disqus cookie. Necessary for the functionality of the website's comments system
drafts.queue		Disqus cookie. Necessary for the functionality of the website's comments system
lang		Linkedin cookie. Remembers the user's selected language version of a website
submitted_posts_cache	User session	Disqus cookie. Necessary for the functionality of the website's comments system

Cookie	Duration	Description
_hjRecordingEnabled	User session	Hotjar cookie. This cookie is used to identify the visitor and optimize ad-relevance by collecting visitor data from multiple websites – this exchange of visitor data is normally provided by a third-party data-center or ad-exchange.
_lfa	2 years	Leadfeeder cookie. Used to store and track audience reach and expires in 2 years.
_lfa_expiry	persistent	Leadfeeder cookie. : Contains the expiry-date for the cookie with corresponding name
_lfa_test_cookie_stored	1 day	Leadfeeder cookie. Used in context with Account-Based-Marketing (ABM). The cookie registers data such as IP-addresses, time spent on the website and page requests for the visit. This is used for retargeting of multiple users rooting from the same IP-addresses. ABM usually facilitates B2B marketing purposes
ads/ga-audiences	User session	Used by Google AdWords to re-engage visitors that are likely to convert to customers based on the visitor's online behaviour across websites.
badges-message	Persistent	Disqus cookie. Used for comments functionality
bcookie	2 years	Used by the social networking service, LinkedIn, for tracking the use of embedded services.
bscookie	2 years	Used by the social networking service, LinkedIn, for tracking the use of embedded services.
lidc	1 day	Used by the social networking service, LinkedIn, for tracking the use of embedded services.
UserMatchHistory	29 days	Linkedin cookie. Ensures visitor browsing-security by preventing cross-site request forgery. This cookie is essential for the security of the website and visitor.