SDSM:Pending Changes: Difference between revisions
(Add item about dependency laravel-eloquent-uuid) |
(Add item on timeout broken on sub-directory based apps) |
||
Line 18: | Line 18: | ||
[[#top|RETURN]] | [[#top|RETURN]] | ||
== SDS Laravel: Fixes to Broken Behavior == | |||
=== 2024 May 20: Timeout Feature Broken In Sub-Directory Hosted Apps === | |||
''SDS Laravel'' has a security feature such that if a user is inactive for | |||
a period of time, 15 minutes typically, they will be automatically logged | |||
out of the app. The app displays a countdown timer on the top right hand | |||
corner of the screen that ticks for every second of activity. Javascript | |||
code running in the client web browser will normally reset the countdown to | |||
the full amount whenever a user interface (UI) event occurs that it | |||
considers continued user activity, such as mouse movement over the screen. | |||
This feature is implemented partly by the web client invoking the | |||
<code>/session</code> endpoint on the server. | |||
That invocation fails on any ''SDS Laravel'' app instance that is hosted at | |||
a web address which is a sub-directory of the base url (meaning it is based | |||
at an address like <code>https://foo.com/bar</code> rather than at an | |||
address like just <code>https://foo.com</code>). This is because the web | |||
client is trying to unconditionally treat every app instance as if it is | |||
hosted directly at the base url with respect to its attempts to invoke the | |||
<code>/session</code> endpoint, and so it is invoking the wrong web address | |||
for instances that are at sub-directory urls. | |||
As a result, for broken app instances, while the first UI activity | |||
indicating continued user activity will reset the countdown timer displayed | |||
on screen to the user, all subsequent UI activity will have no effect on | |||
the timer, and it will not reset, and the server will not be aware of this | |||
activity. Only a full page load like clicking a link to a new page will | |||
register as activity and reset the timer. | |||
This breakage affects all ''SDS Laravel'' instances at | |||
https://sdsdev.smus.ca which are in sub-directories. | |||
The primary change of this task fixes the problem by making the web client | |||
respect the actual location of the app when invoking <code>/session</code>. | |||
Mainly it is a 1-line change in the Laravel Blade template file | |||
<code>resources/views/layouts/main.blade.php</code> to use | |||
<code><nowiki>url: '{{route('session')}}'</nowiki></code> rather than | |||
<code>url: '/session'</code>. | |||
An additional change of this task is to fix a problem where the | |||
app's background image doesn't display for the same underlying reason. The | |||
problem is that the web client is trying to load the image | |||
<code>public/images/body.png</code> from the wrong location. The fix | |||
updates 1 line in the CSS file <code>public/css/smus_custom.css</code> to | |||
<code>background: url('../images/body.png')</code> from | |||
<code>background: url('/images/body.png')</code>; the newly-relative url is | |||
relative to the location of the CSS file itself. | |||
There is still additional broken behavior related to static asset loading | |||
like the background image example, affecting custom fonts for example, but | |||
these references are in the generated file <code>public/css/app.css</code> | |||
as parts of third-party dependencies, and so these were left alone. | |||
== SDS Laravel: Internal Design Changes == | == SDS Laravel: Internal Design Changes == |
Revision as of 17:58, 20 May 2024
This document consists of multiple parts; for a directory to all of the
parts, see SDSM:Index.
Description
This part of the SDS Modernization (SDSM) document enumerates a not necessarily exhaustive list of pending changes or improvements that were made to SDS, made by Darren Duncan if by whom is not otherwise specified.
It is similar to the Historical Changes part but that it describes work which was prepared and published in a Git branch but it was deemed premature to merge it to the trunk, such as due to a desire for more testing first, or because it was possibly unfinished; in contrast, Historical is for work that was merged to trunk.
SDS Laravel: Fixes to Broken Behavior
2024 May 20: Timeout Feature Broken In Sub-Directory Hosted Apps
SDS Laravel has a security feature such that if a user is inactive for a period of time, 15 minutes typically, they will be automatically logged out of the app. The app displays a countdown timer on the top right hand corner of the screen that ticks for every second of activity. Javascript code running in the client web browser will normally reset the countdown to the full amount whenever a user interface (UI) event occurs that it considers continued user activity, such as mouse movement over the screen.
This feature is implemented partly by the web client invoking the
/session
endpoint on the server.
That invocation fails on any SDS Laravel app instance that is hosted at
a web address which is a sub-directory of the base url (meaning it is based
at an address like https://foo.com/bar
rather than at an
address like just https://foo.com
). This is because the web
client is trying to unconditionally treat every app instance as if it is
hosted directly at the base url with respect to its attempts to invoke the
/session
endpoint, and so it is invoking the wrong web address
for instances that are at sub-directory urls.
As a result, for broken app instances, while the first UI activity indicating continued user activity will reset the countdown timer displayed on screen to the user, all subsequent UI activity will have no effect on the timer, and it will not reset, and the server will not be aware of this activity. Only a full page load like clicking a link to a new page will register as activity and reset the timer.
This breakage affects all SDS Laravel instances at https://sdsdev.smus.ca which are in sub-directories.
The primary change of this task fixes the problem by making the web client
respect the actual location of the app when invoking /session
.
Mainly it is a 1-line change in the Laravel Blade template file
resources/views/layouts/main.blade.php
to use
url: '{{route('session')}}'
rather than
url: '/session'
.
An additional change of this task is to fix a problem where the
app's background image doesn't display for the same underlying reason. The
problem is that the web client is trying to load the image
public/images/body.png
from the wrong location. The fix
updates 1 line in the CSS file public/css/smus_custom.css
to
background: url('../images/body.png')
from
background: url('/images/body.png')
; the newly-relative url is
relative to the location of the CSS file itself.
There is still additional broken behavior related to static asset loading
like the background image example, affecting custom fonts for example, but
these references are in the generated file public/css/app.css
as parts of third-party dependencies, and so these were left alone.
SDS Laravel: Internal Design Changes
2024 May 7: Replace model attrs "dates" with "casts"
Laravel supported a "dates" model attribute through version 9, and then Laravel 10 removed it. The function of this was to enumerate database/model fields that were supposed to be automatically converted to Carbon DateTime objects; so under Laravel 8, any "dates" declarations would be respected, while under Laravel 10 they would be ignored.
Compare:
- https://laravel.com/api/9.x/Illuminate/Database/Eloquent/Concerns/HasAttributes.html
- https://laravel.com/api/10.x/Illuminate/Database/Eloquent/Concerns/HasAttributes.html
As a result, simply upgrading SDS Laravel from Laravel 8 to 10 resulted
in many parts of the app breaking in various ways including when simply
visiting the post-login home screen, as PHP died with errors like
Call to a member function format() on int
.
To fix this, any instances of protected $dates = ['x',...]
in model classes were replaced with
protected $casts = ['x'=>'datetime',...]
which was the more modern way to get the same functionality, which exists
in both Laravel 8 and 10. For the few model classes that already had other
$casts
declarations, the replacements were merged with those.
The changes of this task were not merged to trunk yet because it was deemed important to give each instance of the changed 51 model classes more thorough testing before merging than they had received as of 2024 May 7. One key reason for this is the idea that the fields in question might not all be date+time, and rather may be date-only or time-only. All SDS Laravel screens accessible from a main menu item were found to load and at a glance seemed to display correctly, with these changes included, but that is as far as any testing went as of 2024 May 7. (There are 2 such screens that didn't load, but they didn't load prior to these changes either, and that is a separate concern.)
As of 2024 May 7, the changes of this task have been bundled with the changes of the task upgrading SDS Laravel from Laravel 8 to 10, so the sum changes would receive the necessary thorough testing together before being merged to trunk. However, since the changes of this task do not depend on the upgrade, it is possible that a subset of them may be fully tested and merged sooner when other changes using the same models occur.
SDS Laravel: Changes to Third-Party Dependencies
2024 May 16: Stop requiring laravel-eloquent-uuid
SDS Laravel uses serially generated integers in most of its database tables for their primary key fields, but for a small number of tables it instead uses generated UUIDs for their primary key fields.
Prior to the performance of this task, the third-party PHP library
dependency goldspecdigital/laravel-eloquent-uuid
version
v8.0.1
was used to empower such UUID use, since Laravel
Eloquent itself did not support these prior to version 9.3. While we can
make use of equivalent functionality built-in to Laravel once we upgrade
to Laravel 10, we can't while we are on Laravel 8.
Fundamentally, the feature in question that we use is summed up by a single
very small PHP trait defined in a single file of a few dozen lines of code.
This is the case both for the goldspecdigital
version used
prior to this task and the Laravel built-in that can be used later.
Here is a description of the built-in feature in Laravel 9.3+:
https://laravel.com/docs/11.x/eloquent#uuid-and-ulid-keys
Regardless of which of these options is used, most of core UUID-specific
functionality is provided by the third-party PHP library
ramsey/uuid
, and Laravel 8+ itself already has this as its own
dependency for other reasons.
The primary change of this current task is to clone the single PHP file
from goldspecdigital
that we actually use into SDS Laravel
itself, as the new file app/Models/Traits/Uuid.php
, and to
update composer.json
to remove the explicit external
dependency on goldspecdigital/laravel-eloquent-uuid
. In the
process, the fully-qualified PHP trait name was renamed to
App\Models\Traits\Uuid
from
GoldSpecDigital\LaravelEloquentUUID\Database\Eloquent\Uuid
,
but it had no other changes of any kind.
The only 5 other app PHP source files that directly used it were updated to account for the new name:
- app/Models/Application/Application.php
- app/Models/User.php
- app/Models/User/Student.php
- app/Models/User/Teacher.php
- app/Models/User/UserContract.php
These further 3 files also referenced the trait but commented out, so not current users but possible past or future users:
- app/Models/Application/AppUser.php
- app/Models/User/Address.php
- app/Models/User/Guardian.php
Another change made by this current task was to delete the single PHP file
app/Models/Traits/Uuids.php
as it appeared to be unused.
Note that goldspecdigital/laravel-eloquent-uuid
had a newer
version 10.x
that was explicitly compatible with Laravel 10,
however a source comparison of the 2 versions found that they were actually
identical in every way aside from adding a half dozen PHP type annotations
in the source code and changing the composer.json
to require
Laravel 10 instead of 8.
As such, it was actually the Uuid.php
file from version 10
cloned by this task rather than the one from version 8, so we benefitted
from the added PHP type annotations, and the behavior should be identical.
The net effect of this task was to maintain exactly the same app behavior while dropping a hard external dependency, this reducing our overall complexity and simplifying the later task of upgrading to Laravel 10.
It is expected that the future upgrade to Laravel 10 will take the next step and remove this cloned trait file, and its users will use the Larvel 10 built-in instead.
2024 May 3: Upgrade Laravel from 8.x to 10.x
This task updated composer.json
to require the latest
PHP-8.1-compatible major version of the PHP library dependency Laravel from
8.x to 10.x.
To be more specific, it made these dependency changes:
- barryvdh/laravel-debugbar (^3.7 to ^3.13.5)
- directorytree/ldaprecord-laravel (^2.7.3 unchanged but upgrade exists)
- etern8ty/beanstream (dev-master unchanged but upgrade exists)
- fakerphp/faker (^1.23.1 unchanged)
- fideloper/proxy (^4.4.2 removed as Laravel has its upgrade built-in)
- goldspecdigital/laravel-eloquent-uuid (^8.0.1 to ^10.0)
- guzzlehttp/guzzle (^7.8.1 unchanged)
- intervention/image (^2.7.2 unchanged but upgrade exists)
- juliomotol/laravel-auth-timeout (^3.1.1 to ^4.1)
- lab404/laravel-impersonate (^1.7.5)
- laravel/framework (^8.83.27 to ^10.48.10)
- laravel/helpers (^1.7 unchanged but possibly no longer needed)
- laravel/pint (^1.15.3 added but not yet used)
- laravel/sail (^1.29.1 added but not yet used)
- laravel/sanctum (^3.3.3 added but not yet used)
- laravel/tinker (^2.9 unchanged)
- laravel/ui (^3.4.6 to 4.5.1)
- mockery/mockery (^1.6.11 unchanged)
- nunomaduro/collision (^5.11 to ^7.10)
- phpunit/phpunit (^10.5.20 unchanged)
- spatie/laravel-ignition (^1.6.4 to ^2.7)
- staudenmeir/eloquent-has-many-deep (^1.14.4 to ^1.19.3)
Note that juliomotol/laravel-auth-timeout
version 4.1 requires
Laravel version 9 or greater so it can not be upgraded from 3.1.1 prior to
the Laravel 10 upgrade.
This task also updated app/Http/Middleware/TrustProxies.php
to
be compatible with the replacement of fideloper/proxy
with a
Laravel built-in. The changes were in 2 spots.
First was this substitution:
use Fideloper\Proxy\TrustProxies as Middleware;
use Illuminate\Http\Middleware\TrustProxies as Middleware;
Second was this substitution:
protected $headers = Request::HEADER_X_FORWARDED_ALL;
protected $headers = Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO | Request::HEADER_X_FORWARDED_AWS_ELB;
This task also updated
app/Http/Middleware/AuthTimeoutMiddleware.php
to be
compatible with the juliomotol/laravel-auth-timeout
upgrade.
There was this 1 substitution:
use JulioMotol\AuthTimeout\Middleware\AuthTimeoutMiddleware as BaseMiddleware;
use JulioMotol\AuthTimeout\Middlewares\CheckAuthTimeout as BaseMiddleware;
This task also explored upgrades to some other PHP library dependencies but they were excluded due to requiring more substantial code changes for compatibility, and will be returned to later.