Symfony World 2020


Thursday 3 December and Friday 4 December

https://live.symfony.com/2020-world/schedule

Overview


This is a conference about the PHP and Symfony ecosystem.
Since the audience was worldwide, and therefore partly under lockdown in this Covid-19 year 2020, the talks were given by video.
Presentations were recorded and Q&A sessions were run live by the speakers (when the tech cooperated, because this same year 2020 is the one where we manage to land used rocket boosters on fully automated drone barges, but where getting video across the world is still too complicated).

The content was very interesting; the period was that of Symfony's 15th anniversary, of the PHP 8 release and therefore of the many other releases tied to this major update.
Indeed, many projects take advantage of this kind of period of excitement around a new PHP version to ship a lot of new features.
API Platform, Symfony UX, Elasticsearch, Composer 2, as well as many Symfony components (independent PHP software components) were in the spotlight.

I was able to record a large part of the talks; if anyone wants the video, don't hesitate to let me know!


Here are the notes I took during the talks, reworked afterwards in my free time to make them easier to understand:

Notes


Talks were in English, so the notes are in English.

Opening keynote by F Potencier
New Security
Symfony is easy, new projects made easy with composer, symfony CLI bin, etc
Security (with maker bundle console commands symfony/maker-bundle)
1st create User entity
  • make:user
2nd create Auth
  • make:auth
3rd create registration-form
  • make:registration-form

Migrations the right way:
Create migration :
  • make:migration
Execute available migration(s)
  • doctrine:migrations:migrate

And done! You can register and login.
Mail confirmation can be caught with mailcatcher: symfony open:local:webmail (see https://symfony.com/doc/current/setup/symfony_server.html#docker-integration)

New login magic link in SF5.2 : passwordless login link auth and 2FA/MFA https://github.com/scheb/2fa

What's next ?
Larger! Laaaarger! LAAAAARGEEER ecosystem!!

JS ? RLY
SF1 was tied to the Prototype lib
SF2 => JS is a mess, so no lib to link with
But now we have webpack encore, solid with JS tools, npm and shit, but it's not real JS code
Time to add something, light n solid.
Requirements : Works everywhere, easy to test, accessible
Symfony UX project = progressive enhancements (not new JS framework)
Deep integration with Flex and webpack encore
So, simple as :
  • composer req symfony/ux-(magic!) (cropper, dropzone, lazyimg, swup)

Shows demos with new libs, differences with book version :
Real Symfony forms, no magic (really?)
Swup : alternative to SPA
 BlurHash, lazy image progressive enhancements : displays blurred image while real image is downloaded
(Titouan Galopin (LREM) SF UX lead)
https://symfony.com/blog/new-in-symfony-the-ux-initiative-a-new-javascript-ecosystem-for-symfony



T Galopin about Symfony UX project in practice
New JS ecosystem for Symfony
JS global ecosystem is large
1 Stimulus
2 Flex n webpack encore
3 swup (transition lib)

Stimulus tool/framework from Rails (modest JS framework for your existing HTML code)
Replaces parts of your existing HTML and augments it (adds magic?)
Stimulus just links your favorite JS code to your HTML (err...)
(Demos shows something like any JS framework with data-source and stuff)
Stimulus helps for:
Organizing JS (yeah!!! \o/) like rest of symfony code, nice
Avoiding complexity, ok
Reuse existing code, implement bridges between libs, SF and your code
User experience stuff like: Swup page transition lib, it replaces links by ajax calls and hijacks the browser history. (I was doing this in 2014, so ok, that's the future I guess)




What's new with API Platform by K Dunglas
Install whole ecosystem with docker-compose (easy)
Design first, have to describe data as a set of DTO data transfer object
Bonus : autodoc
REST route as auto-registered thanks to metadata
Lots of built-in methods too
Automatic persistence, for scaffolding. Implement your own when needed
SymfonyMakerBundle integration
New in 2.6 :
PHP 8 support (constructor arguments promotion, annotations)
Default config for operations and resources to avoid annotations duplication (yeah!)
Access control rules for properties (eg: admin only properties like entity real id, real email or smth)

Client generator : Scaffold client apps
Support for VueJS, TypeScript, React + Redux, and 2.6 new: Next.js (React framework)

New symfony-docker with Caddy webserver and all the scaffolding stuff to quickly break things

Future: 2.8 and 3.0 (without 2.8 deprecations and PHP8 only)



Dependency Injection Demystified by Alex M Turek
Details about DI, ok. Too much information.
DI config is compiled in cache, to avoid its costly autoconfig to be computed at each request.
Compiled in var/cache/<env>/...
Tags (tags in services.yaml) makes services discoverable during compilation

Multiple sources for one interface problem: (eg: books from Doctrine and books from a webservice)
same tags for both sources (book_loader)
compilerPasses (I'm lost here)

Services should be immutable, if not you have to clean off the state after use.
_instanceof is config file related



Elasticsearch with Symfony, from development to production - Damien Alexandre
https://jolicode.github.io/elasticsearch-php-conf/slides/symfonyworld2020.html
ES is a tool, not a solution
Lucene distributed
If you just need text search, use something else
Lots of hype around ES. ES is very complicated. Even if it does a lot of things, choose wisely
ES not for critical data, not a primary datastore. You cannot store data in ES that you cannot afford to lose
A node is an ES instance. It's responsible for shards, a Lucene instance storing an index

Elastica is object abstraction for ES
Each query DSL is an object.
Elastica is maybe better than FOSElasticaBundle because
Associative arrays are hard to read, hard to use, a bad practice, not typed.
Use DTOs instead.
Serialize objects and store them in ES

Jane PHP code generator
Generate perfect plain PHP Normalizer

Search results
Each result, each hit
Elastically small lib for Elastica, collection of tools

Protips
Index creation: mappings have lots of repetition, so use YAML instead of JSON
Two files, one for analyzers and one for mappings (to be merged afterwards)
YAML > JSON
Index versioning: an index is immutable, so sometimes you need to destroy and recreate it, but not in production!
So use aliases, they're names put on top of index versions
Dynamic mapping: don't use it, leads to random results and data loss
Put dynamic to false in the mappings config
You should never rely on the default config of ES
NEVER
It's a good thing to define mappings
Fields not to be displayed should not be stored in Lucene
There is no correlation between object and map
Don't do indexing synchronously: resource consuming, and if ES is down the update is lost
Use Symfony Messenger instead, to index asynchronously
With Elastica just use the Interface from Elastically to switch to SF Messenger sync!
Security: don't put ES on the web, like never

Use Kibana!
Local Kibana with server ES

Emoji : meaningful, so index emoji name or meaning, with jolicode/emoji-search or smthg

YAML, DTO, HttpClient, Messenger, Serializer, Elastica, Managed Hosting (to avoid upgrading and monitoring ES)



New Security component
No major change since the first release in 2010.
It's a massively complex component, inspired by Java Spring. Powerful but complex.
No one understands it. (no shit)
Old one is old and complicated. New one is new.
Almost 10 years after the old improvements batch.
No difference with the old User class.
Same for Voter.
Internal Auth part is the only one to change.
security.yaml changes a bit
No more anonymous user
A line to activate the new security mode (enable_authenticator_manager)
All existing auth systems still work
guard->auth switch to custom_auth
All checks and steps are in the new Authenticators. It returns a Passport (new) (who-you-are information) which contains Badges (stamps): UserBadge, PasswordBadge, CsrfBadge
Event system to validate badges
Listeners to validate, mitigate, rehash password, check user, remember me

New Authenticator
First there is the supports() method
then the authenticate() method
then gather credentials from the Request
and return a Passport with UserBadge($email, $user) and PasswordCredentials($password)
And all other things will be handled centrally
Except CSRF and password upgrade rehash, so we attach CsrfTokenBadge to the Passport
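The steps above, written out as an added example (my own illustration, not code from the talk or from Symfony itself) against the Symfony 5.2 authenticator API; the route names app_login/app_home and the form field names email, password and _csrf_token are assumptions.

```php
<?php
// Added example: minimal form-login authenticator for the Symfony 5.2 authenticator-based
// security system. Route names and form field names are assumptions, not from the talk.
namespace App\Security;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\CsrfTokenBadge;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\PasswordUpgradeBadge;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;
use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
use Symfony\Component\Security\Http\Authenticator\Passport\PassportInterface;
final class LoginFormAuthenticator extends AbstractAuthenticator
{
    public function __construct(private UrlGeneratorInterface $urlGenerator) {}
    // 1. supports(): handle only POST submissions of the login form (assumed route "app_login").
    public function supports(Request $request): ?bool
    {
        return $request->isMethod('POST') && 'app_login' === $request->attributes->get('_route');
    }
    // 2. authenticate(): gather credentials from the Request and return a Passport with badges.
    //    Password check, CSRF check and rehashing are then done centrally by the core listeners.
    public function authenticate(Request $request): PassportInterface
    {
        $email = (string) $request->request->get('email', '');
        $password = (string) $request->request->get('password', '');
        return new Passport(
            new UserBadge($email),              // who the user claims to be; loaded via the user provider
            new PasswordCredentials($password), // verified against the stored hash by the password listener
            [
                new CsrfTokenBadge('authenticate', (string) $request->request->get('_csrf_token')),
                new PasswordUpgradeBadge($password), // rehash transparently if the stored hash is outdated
            ]
        );
    }
    public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
    {
        return new RedirectResponse($this->urlGenerator->generate('app_home')); // assumed route
    }
    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
    {
        $request->getSession()->set('_security.last_error', $exception); // shown again by the login form
        return new RedirectResponse($this->urlGenerator->generate('app_login'));
    }
}
```

Enabled with enable_authenticator_manager: true and a custom_authenticator entry pointing at this class in the firewall.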

Symfony/rate-limiter component to enable auto login throttling

Events are the real magic
CheckPassportEvent
-> has Passport and badges
then AuthenticatedTokenCreatedEvent
-> has auth token
LoginSuccessEvent
-> has all
Failed
-> same + auth exception
AuthSuccessEvent -> fine but LoginSuccessEvent is better

PUBLIC_ACCESS instead of anonymous
2FA no longer requires hacks



DAY 2

Symfony is more used this year than the previous one (100 component downloads per second against 40 last year)
5 new Core-team members and 350 new contributors
Who is paying for server load? Plz consider buying or giving at symfony.com
PHP8 support, planned for several months.
To test, use `composer config platform.php 7.4.99` (or 8.0.0 ?)
Symfony switched from master to main branch for ALL repos
Symfony 5 book, buy print or read it for free online
Symfony company products news...



For the Users - tech, ethics and you - Mark Nottingham
With power comes responsibility (RLY?)
More tech won't fix tech problems
Tech is political
We need more power control, but how ?
Inspiring
Yeah...



Composer 2 - Nils Adermann, Jordi Boggiano
New upgrade, as painless as possible (thanks)
New features, better error handling, new BC break support, etc
Why 2.0?
Speeding up Composer
I/O level: network and memory
CPU level: unpacking
2.0 BC breaks with plugins (don't know any)
Complexity explanation, with lots of n complexity growth
Now Composer requires ext-curl to allow parallel requests (yay)
Parallel unzip too (congrats guys), so requires the unzip package too
So, Composer 2.0 is faster and uses less memory, as needed
And we can expect more reproducibility between composer install and update
Composer update searches for updates and builds composer.lock
Composer install just installs from composer.lock information
Better logging to understand the difference between upgrade/downgrade of lock file or vendor files
(Unlike other speakers Jordi talks really quick, hard to follow)
Testing projects with PHP8:
Don't use --ignore-platform-reqs flag
Use instead --ignore-platform-req=php flag
New! partial update of a specific package version:
composer update symfony/http-foundation:5.0.*

So, upgrade composer. It's nice and easy for who doesn't use plugins.
composer self-update --2
or downgrade
composer self-update --1



DDD
Be prepared, he says
What's the point?
DDD -> Blue book
Complex business system to software
Purpose is to simply transpose business logic to software
Domain is business related
Software must use the same words as the business
Cars example
Sale object cares about different things than the Car object
So we need a bounded context around some business behavior
DDD entity is a class with identity properties
Aggregates : concept of the domain (cars, sales)
Aggregate root : entry point into the aggregate
(lost the point)

DDD layers :
Model / Domain
Infrastructure
Application
UI -> ignored in Symfony

Put all src content into a new App folder
Create another folder for AcmeVet, another Scheduling folder, and Domain, Infra and App folders inside
Real life: always use a service to create valid objects
Put all property creation logic in its own class
AppointmentId needs to look a certain way, so put that logic in a class
Damn, I don't understand a thing
Interfaces, Abstract,

In short, DDD looks cool but very complex, even overcomplicated.
So I guess we don't need it that much. Maybe once we've mastered the basic architectures.



Password Hashing and You by Chris Holland
https://hivewind.com/download/2890/
How to secure encryption key? It's the difficult part, especially on a shared system like a webserver.
Store password: need to store it without knowing it (original password).
Hashing password is not simple hashing.
Do not use : SHA(0,1,2,512,etc) variants, nor MD(4,5,etc) variants
Password cracking / recovery
https://github.com/hashcat/hashcat
Password length is important, less than 9 characters long is instant to guess.
Password hashing server side is a dead end.
So, why should we get rid of passwords?
WebAuthN(.io)

Rainbow tables were used to crack weakly hashed password databases, like with MD5 or SHA1.
A salt was used to defeat the rainbow table weakness. The salt is random. So the password has to be brute-forced, and the longer the password, the longer it takes to brute-force it.

See owasp.org for software security related info, hashing algorithm ranking, etc
Eg: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
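An added example (mine, not from the talk) of what "hashing a password is not simple hashing" means in plain PHP: the fast unsalted digest the talk warns against beside password_hash(), which salts randomly, embeds its parameters and can be upgraded later. The sample password is constructed.

```php
<?php
declare(strict_types=1);
// Added example (not from the talk): storing and checking passwords with a slow,
// salted password hash, beside the fast digest the talk says not to use.

// Not suitable: a fast, unsalted digest. Equal passwords give equal digests, so a
// leaked table can be attacked with precomputed (rainbow) tables and GPU cracking.
function weakDigest(string $password): string
{
    return sha1($password);
}

// Suitable: password_hash() draws a random salt and embeds it, with the algorithm
// and cost, in the returned string, so no separate salt column is needed.
function storePassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT); // bcrypt in PHP 8.0
}

// Verification reads salt and parameters back from the stored string itself.
function checkPassword(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// When the default algorithm or cost changes, rehash on the next successful login;
// the new Security component does the same through PasswordUpgradeBadge.
function loginAndRehash(string $password, string $stored): ?string
{
    if (!password_verify($password, $stored)) {
        return null; // wrong password: nothing to upgrade
    }
    return password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : $stored;
}

// Constructed demo (run with zend.assertions=1 for the assertions to be evaluated).
$pw = 'correct horse battery staple';
$a = storePassword($pw);
$b = storePassword($pw);
assert($a !== $b, 'random salt: same password, two different hashes');
assert(checkPassword($pw, $a) && checkPassword($pw, $b));
assert(!checkPassword(ucfirst($pw), $a), 'case matters');
assert(weakDigest($pw) === weakDigest($pw), 'unsalted: identical, hence precomputable');
assert(loginAndRehash($pw, $a) === $a, 'already hashed with the current default, kept as is');
```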



With Symfony 4.4, your secrets will be well kept! - Grégoire Hébert
Create keys for each env



What's new in PHP 8.0? - Nikita Popov
https://stitcher.io/blog/php-8-before-and-after
Named arguments !! (awesome to fix arguments order randomness in standard library)
https://stitcher.io/blog/why-we-need-named-params-in-php
https://stitcher.io/blog/php-8-named-arguments
Constructor property promotion
https://stitcher.io/blog/constructor-promotion-in-php-8
Attributes (to replace parsed annotations)
https://stitcher.io/blog/attributes-in-php-8
Union types null|false|array|string|lol
Use strict mode from PHP7 ! `declare(strict_types = 1);`
Mixed types
Match expression (yeees!!!!)
https://stitcher.io/blog/php-8-match-or-switch
match() returns a value, has a default UnhandledMatchException, strict comparison, it's really cool
Nullsafe Operator
https://stitcher.io/blog/php-8-nullsafe-operator
$user?->getId(), if user is null no problem, it's safe! and nestable
$session?->getUser()?->getId();
Deprecated removed
And many more

Number to string comparison changes
`'42foo' == 42` is no longer true (yay!)
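The PHP 8 changes listed above in one runnable file, as an added example of mine (not from the talk); the PHP 7 results are noted in comments for comparison, and the comparison cases go a bit beyond the single one quoted above.

```php
<?php
declare(strict_types=1);
// Added example (not from the talk): PHP 8 behaviour changes from the notes above,
// with the PHP 7 result noted in comments for comparison. Run under PHP 8.

// String-to-number comparison: a non-numeric string is no longer cast to int;
// the number is cast to string instead, so the classic type-juggling surprises go away.
function comparisons(): array
{
    return [
        "'42foo' == 42" => '42foo' == 42,   // PHP 7: true   PHP 8: false
        "'42' == 42"    => '42' == 42,      // numeric string: true in both
        "0 == 'admin'"  => 0 == 'admin',    // PHP 7: true   PHP 8: false
        "'' == 0"       => '' == 0,         // PHP 7: true   PHP 8: false
    ];
}

// match: strict (===) comparison, returns a value, and an unmatched subject throws
// UnhandledMatchException instead of silently falling through like switch.
function roleLabel(int|string $role): string
{
    return match ($role) {
        1, 'admin' => 'administrator',
        2, 'user'  => 'regular user',
    }; // roleLabel('1') throws: '1' !== 1
}

// Nullsafe operator: the whole chain evaluates to null as soon as one link is null.
function currentUserId(?object $session): ?int
{
    return $session?->getUser()?->getId();
}

// Named arguments: set a late optional parameter by name without spelling out
// the ones before it (here $encoding is skipped).
function escapeForHtml(string $s): string
{
    return htmlspecialchars(string: $s, flags: ENT_QUOTES | ENT_SUBSTITUTE, double_encode: false);
}

var_dump(comparisons());        // under PHP 8 only "'42' == 42" is true
echo roleLabel('admin'), "\n";  // administrator
var_dump(currentUserId(null));  // NULL, no "call to a member function on null" error
echo escapeForHtml("<a href='x'>"), "\n"; // &lt;a href=&#039;x&#039;&gt;
```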

PhpStorm 2020.3 version adds PHP8 support