CakeDC Blog

TIPS, INSIGHTS AND THE LATEST FROM THE EXPERTS BEHIND CAKEPHP

Two Factor Authentication & CakeDC Use...

Why 2FA?

Nowadays we have noticed that many of the websites or applications that we access offer the option to activate an extra layer of security called Two Factor Authentication, better known as 2FA. Most of our lives happen on our mobile devices and laptops, so it’s not a secret that cyber-thieves would like to gain access to our personal and financial data. This is why adding an extra layer for protecting logins is worth it.  2FA  is an extra layer of security to make sure that someone that is trying to gain access to an account is who they say they are. The first layer is generally a combination of a username and password, and the second layer could ask for a code that is sent to your phone, a fingerprint scan or the name of your best friend. Currently 2FA has become a security standard in the digital world.

How does it work?

First the user will enter his username and password, then instead of getting in immediately into the system, he will be required to provide  additional information. Which could be one of the following options or factors:
  • Something you know : This could be a password, a personal identification number (PIN), answers to a secret question or a specific keystroke pattern.
  • Something you have: This is something the user owns, a physical device, like a mobile phone, an id card, an usb stick, a token, etc.
  • Something you are: This could be face or voice recognition, retina scan,  fingerprint, DNA, handwriting.

CakeDC Users Plugin and 2FA

There are various ways to implement Time-based One-Time Password (TOTP), Short Message Service (SMS), Electronic Mail (Email),  Universal Second Factor (U2F). CakeDC Users Plugin provides the ability to enable in your site TOTP or U2F. 
 

TOTP Google Authenticator

Enabling 2FA Google Authenticator in CakeDC Users Plugin is quite easy, it just takes a few minutes. In case you have not installed CakeDC Users Plugin in your application, follow the installation steps described here. Once you have installed the plugin and your basic login is working, you just need to do the following:
  1. Run the next command: composer require robthree/twofactorauth
  2. In Application::pluginBootstrap() add the following: Configure::write('OneTimePasswordAuthenticator.login', true);
  Once you have 2FA enabled in your site, when you try to login will happen next 
  1. Type your username and password.   
  2. You proceed to the next step where you are asked for the authentication code
    • First time you will be shown a QR code that you need to scan from your authenticator application.   
    • Next time you will only get the input to type your authentication code  
  3. You open the authenticator application to get a secondary code called a one-time password (OTP)—usually six characters in length. There are many options in the market for the authenticator application, some of the most used are: Google Authenticator, Duo Mobile, FreeOTP etc.
  4. You type the 6-digit code into the website, and you’re in!
 

FIDO U2F

If you want something more solid and reliable, then you could use U2F (Universal 2nd Factor) standard created by the FIDO Alliance. With this kind of authentication you use a physical security key, and insert that into your PC, touch the key’s button, and you’re “automatically” logged in.  U2F standard was implemented in CakeDC Users Plugin by using  the YubiKey, the most famous and common example of U2F. To enable 2FA via Yubico follow the next steps:
  1. Run the next command: composer require yubico/u2flib-server:^1.0
  2. In Application::pluginBootstrap() add the following: Configure::write(‘U2f.enabled’, true);
     
Yubico is a hardware based 2FA, it’s a small device with one end that slots into a standard Type-A USB port. You just need to Insert your YubiKey and touch it! You won’t need to manually enter the code. Take into account that you will need to use https to be able to use 2FA features in your applicatins.

So, what to choose for two-factor authentication? There is no universal answer, it will depend on the level of security you are expecting, but start protecting your account by enabling 2FA! In this article you could noticed how easy is to enable 2FA in any CakePHP application by using CakeDC Users Plugin.
  References: https://github.com/CakeDC/users https://en.wikipedia.org/wiki/Multi-factor_authentication https://en.wikipedia.org/wiki/One-time_password https://en.wikipedia.org/wiki/FIDO_Alliance https://en.wikipedia.org/wiki/Universal_2nd_Factor  

Things about CakePHP that you probably...

CakePHP is often more than just a framework to many in the community, but there are some great features and treasures that many may not know about - so join us with your piece of cake and let’s check these out!

Cake Bake

Cake Bake is an incredibly helpful tool for any developer starting up a new application, or adding new functionality to an existing one.

Using your existing database schema (that follows the CakePHP conventions), running the cake bake command will quickly generate a fully working application skeleton with all your database fields and associations. It will even generate sane validation rules and pretty view files for you.  This allows you to concentrate on the features of your application that actually matter, rather than the generic admin CRUD interfaces. Have some kind of structure or class in your application that you regularly need to create? Maybe a specifically formatted view, or adaptor class? Cake Bake allows you to easily extend it and create your own bakeable templates. Find out more about Cake Bake in the CakePHP Cookbook (i.e. the framework docs)

CakePHP standalone packages

CakePHP’s core is built using standalone packages - this means that you aren’t bound to the framework.

The ORM, database, console, log to just name a few are available to use in your own PHP projects - even if you aren’t using CakePHP. Have you checked these out

Interactive console (REPL)

Not many developers are aware that CakePHP ships with an interactive console tool (Or REPL - Read Eval Print Loop).

You can start the console with bin/cake console. This console tool allows you to quickly and easily explore CakePHP and your application. Use it to quickly check if a finder method is working as expected, or to experiment with a specific query. Anything that you can code, you can run in the interactive console, much quicker and easier than coding a class.

Chronos

Chronos is a standalone DateTime library originally based off of Carbon.

The biggest difference between Chronos and Carbon is that Chronos extends DateTimeImmutable instead of DateTime. Chronos is immutable by default. Carbon is not. 

CakePHP Core team

The core team is built up of community members - just like yourself - who contribute their time to improving the framework.

All of their time is volunteered - so if you see them in the support channels, be sure to say hi! How did they get onto the core team you ask? They showed commitment to improving the core and the community.

There are some plugins that are just around to make your life a little easier

While most plugins were developed to add to the functionality of your CakePHP application without too much extra effort, there are some plugins that have been written to actually just make your life easier.

One such plugin is the CakePHP IDE helper, written by dereuromark. This plugin improves your IDE compatibility and uses annotations to make the IDE understand the "magic" of CakePHP - so you can click through the class methods and object chains as well as spot obvious issues and mistakes easier. For a curated list of CakePHP Plugins, grouped by topic, check https://github.com/FriendsOfCake/awesome-cakephp.   What’s your favourite part of the CakePHP framework or community? Let us know!

How not to be a good CakePHP developer...

I have been writing code for almost 20 years. It hasn't always been PHP, the first 6 or 7 years I was very involved with the Java world. While I partially agree with people thinking you can write bad code with PHP (more than other programming languages), I personally think that you can write bad code in any language because bad practices are common for all of them. For instance, you can call functions or initialize variables inside a loop, you can hit database many times, or you can repeat yourself no matter the language you use. That said, I want to list the most common questions that good developers should never ask themselves.   1.  Are you serious? Is it possible to add code to tables / entities? If you want to be a bad CakePHP developer, this is your golden rule. Almost every code we receive for review follow this one. Controllers with thousands of lines and models with just baked code.  That’s wrong because all the logic related to your tables should never be in your controllers (or helpers / views).  


  2.  I love using SQL queries in my code, is it really so bad? The short answer is YES. It’s bad, really bad. It is the greatest source of issues and unpredictable behaviors. It is hard to test but of course if you are asking this question you will probably ask the next one.     3. Tests? Baked tests are enough, aren’t they? Ehm.. no. You won’t be a bad developer if you don’t have 100% coverage. Even more, I don’t like to talk about what coverage is good because it exclusively depends on the project itself. I would say that you should feel good if your core features are fully covered.   4.  Why should I put the code in one place only if you can copy and paste it everywhere? Even most modern IDEs identify this as a bad practice now, but this is something we see in almost every code we get for review. People prefer to copy and paste the same function in multiple classes instead of creating a Component or Behavior or even a library and use it everywhere.     5.  Plugins? What is a plugin? CakePHP has a very large set of available plugins, or you can always start your own plugin and publish it so other people can use it. Plugins are one of the most important features in CakePHP since you can encapsulate a feature or a set of features to use them in multiple projects. Just be careful and don’t overplugin.   6.  How the hell would somebody hash a password? Well, even when you think it's a joke, no, it's not. Some people think hashing a password is not required. CakePHP provides several options for password hashing to secure your application.     7.  Do you document your code? I don’t think it is useful. Having the availability of documentation aids in understanding the intended use, as well as the expected functionality and result of the code's execution. It is pretty easy if you just document your code while you are doing it instead of waiting to have 20 classes to document.     8.  Should I declare variables to execute find methods / DB / Service requests or should I put them inside a for/while loop to "save" memory? Please no, doing external service requests (DB / File / Web Service) from inside a loop affects application performance very badly. You should always try to put the result in a variable and then use it inside the loop.   9.  Who needs coding standards? Coding standards help make code more readable and maintainable. For CakePHP applications, the Cake Conventions and Coding Standards should be applied.     10.  Is it better to make all calculations inside for/while loops level in code instead of calculating at the DB/query level? Data iteration at the DB level offers way better performance than iteration done at the application level.
  To summarize,  for sure there are lots of things to look at, but from my perspective these are the 10 basic questions that can define you as a good (or bad) developer. I hope you've never had these questions before but if you do, don’t worry about it, don’t tell anybody, just follow these recommendations to improve yourself!  

10 Features Of A User Friendly Website

Let’s talk about appealing web presence. There are a lot of factors to consider when determining if a site is “user friendly”, and I’m going to give you some tips to make sure yours makes a good impression.   Here are some of the top must-haves for a good web page:  

1. Layout and design

This is extremely important as it is the first thing a visitor will see. If your layout is scattered, or pages are hard to find, they will be running to the red x. In this case, less is more. I am a firm believer in simple clean layouts - I mean it works for Google, right?  Make sure your pages are seen and easy to access. Make sure your design is aesthetically pleasing, and that is easier than it sounds.  This brings me to the next point.  

2. Good, easy to read content

Not only is accessibility important, but the content that the visitor is reading is a direct reflection on your brand. Users are generally on a website for a very specific reason, and if they have landed on yours, then you need to make sure they know that they are in the right place. It is important to immediately list who you are and what you do. It’s okay to have detailed pages to navigate to, but always make sure your homepage illustrates the services that you provide. Don’t lose a good lead due to bad content, that’s just embarrassing.  Speaking of good leads, a lot of people search for services on the go which means…
 

3. Be mobile compatible 

More than ever, consumers are using mobile devices to browse the web. You can even order groceries for pickup using your phone. It is absolutely essential that your website is mobile friendly - if you want added success. If you aren’t sure how your site appears to mobile users, it’s an easy investigation. If searching for your site via mobile device isn’t enough, Google actually offers tools to do it for you. A good developer and design team can assist in making sure that your website is mobile compatible, but there are also some third party providers that you can rely on after your initial site build, if mobile wasn’t included. Basically… just make sure it happens.
 

4. Have ways to be contacted

If someone is on your site, and can’t find an answer to their questions, do you want them to leave? The answer is no, obviously. It is important to have multiple ways to reach some sort of customer service. I personally like a number, chat, and email option, but I guess that is being demanding.
 

5. Browser compatibility

A lot of times, as we are editing or designing sites, our team will compare screen grabs and the site looks totally different on each one. This is a top priority and it gets fixed ASAP. I really don’t understand why this happens, but it must be combated nonetheless. Mostly, it has to do with sizes, layout, background images, etc. It is just important to make sure that your site looks the same no matter who is looking at it and no matter which browser they choose to do so with. These issues are easy to fix, but sometimes tedious. ALWAYS check each popular browser before deploying.   

6. Speed

I’m impatient, and I don’t care to admit it. I would say most people have a short attention span. If I land on a website and I get the spinning wheel, I will give it a chance. If every page has slow loading speed, I am probably going to move on. It’s easy to tell if it’s a webpage causing the issues, so it’s always better to troubleshoot this ahead of time. Once again, there are a lot of free tools you can use to test your speeds. A good free one to try is: wpengine.com - and they will even provide issues & fixes for your slow page. 
 

7. Hosting

Good speed and function is a result of a good hosting service, too. This is something that may not even cross your mind as you are building your brand and your website, but it is so important. The hosting provider you choose can make or break your impression. Pick wisely, and do your research. There is no reason to risk security or your site breaking every time there is an update. You’ll thank me later for this one
 

8. Security

I mean this goes without explanation, right? Especially for e-commerce sites - online shopping - anything that requires customer information. Nothing will ruin a reputation faster than a compromised system. PLEASE make sure all backend security options are locked tight.
 

9. Be Transparent - and bug free

There are going to be errors. No one is perfect - no website is perfect. I always appreciate when a site provides on-screen error descriptions so that I know where I (or the page) has gone wrong. It opens up the trust door with your visitor, and makes them more likely to stick around or retry the action. This also requires the developer to stay in tune with these errors and provide fixes. We want a robust site, right?  An important thing to remember is always check the status of your webpage, and fix issues fast. Many development companies that offer these services, are avialable to help round the clock. For example, CakeDC offers project management services (see here), which allows client to rely on us for development services long term on the existing projects. 
 

10. Be ever changing

It is important for a business, entrepreneur or developer to adapt. This is especially true for long lasting websites. Say a page has been around for 15 years - things have changed - new features are available… keep up with the times. It is a competitive market that one must always stay in front of. Don’t be afraid of change. 
  Now go… go out there and make your website great again.   

15 Years of CakePHP

This April we will be celebrating 15 years of CakePHP! I can’t help but feel honored to have been a part of this framework, made lasting connections, and help build up the community. As one of the founders of the CakePHP project, I want to express how excited I am about the positive progress that has taken place over the years. We started out with just a few core members, which got us pretty far. Looking back, it’s crazy to see how much our community has grown, and with all of the input, this project has become one of the longest developed PHP framework available today! Our community has always centered on going the extra mile in order to acquire the best results in every aspect. This is not to say that some ups and downs have not hit us along the way in the last 14 years. Indeed, there have been bumps in the road, and some discussions regarding the route the project should take moving forward. Heck, there have even been some individuals who have opted to depart from the team. Other team members have decided to place their feelings down and their dedication in front at all times to work past disagreements in order for CakePHP to continue to evolve in the positive ways it has. Each year, people with diverse visions are joining our core team, and the future for CakePHP is promising. The team is working harder than ever before to keep CakePHP in its reigning position, and promoting it in the open source world for it to continue to impress. Our goals are clear - and if we have anything to say about it, CakePHP is not going anywhere, anytime soon. Our team is certainly stronger and more determined to continue giving the project their all. There are so many things that make the open-source community amazing - I mean think about it: people from different backgrounds, who speak different languages, and who have different beliefs come together and work jointly to attain a common goal. It’s pretty cool. I have worked with open-source software for more than 25-years. Even so, I am still amazed daily on what can be accomplished by such a diverse group of individuals. Actually, I think the rest of the world could take some notes from the open-source community and the benefits that come from people working together. The friends that I have made in the open-source community throughout the years are way too many to name one by one, but I am grateful. This goes on to reflect my awesome experience with it, one that will always be present on my mind. I want to finally express to the CakePHP core team, the CakePHP community, and everyone I have had the pleasure and honor of working with at CakeDC, that I am extremely thankful for absolutely everything. Here is to 15 more years of CakePHP.

We Bake with CakePHP