INTRODUCTION

This is not a tutorial, but more like sharing a nice geeky road-trip ;)

I have a pretty good understanding of the Youtube Data API, as I have actively used it on portalZINE TV in the past, to upload videos and dynamically link them to my local post-types.

For one of my latest customer projects (TYPEMYKNIFE / typemyknife.com), the task was a bit more complicated and the goal was to make it as future-proof as it can be with the Google APIs :)

Prerequisites / References to get you started:


THE GOALS

The goal for the setup was to actively synchronize WooCommerce products with linked / attached videos, with their source at Youtube.

As the website is multilingual, WPML integration is critical as well. And as Youtube allows localization of title and description, that can be added into the mix quite easily in the future ;)

The following product attributes should be mirrored and optimised for Youtube:

  • Product Title
  • Product Description (5000 character limit at Youtube)
    My customer already has a pretty long and detailed description, which is perfect for Youtube!
    We average around 2900-3000 characters.
  • Product Tags (500 character length limit at Youtube)

The following attributes should be integrated into the description to enrich the Youtube description:

  • Introduction
  • Product Link to WooCommerce Product / Shop
  • Socials
  • Legal Information
  • Hash Tags (local post-type to add recurring / important hash tags)
  • Outro

All of these attributes will be collected internally and assigned using a simple template system, which allows the customer to move parts around and lay out the description for Youtube freely.

The following stats will be collected for review:

  • Products without a video linked (no relation)
  • Products with the same video linked (duplication)
  • Videos without a product in the system
  • Total amount of videos / amount of video-pages (50 videos max per page)
  • Total amount of products with videos

Youtube SEO

These are the relevant key aspects that help to get your videos more views.

  • Relevant text featuring at least 1,000 characters
  • Keywords that are relevant on Google Search and YouTube and describe your video
  • Hashtags, can also be used within the text
  • Timestamps
  • Links to related content / affiliate links

PREPARING AUTH / OAUTH2 AT GOOGLE

In the past, access to the Youtube Data API was far easier and less limited when it comes to offline / non-expiring OAuth2 refresh tokens.

When you are building a server-side application that is only available to your customer or moderators, it makes no sense to run that app through the Google App verification. Your app will never be used in public.

The Youtube Data API and its scopes are defined as sensitive and therefore require a third-party security assessment for public access.

The scopes I am requesting are https://www.googleapis.com/auth/youtube.upload + https://www.googleapis.com/auth/youtube.

Because of that, it's far easier to just set up OAuth 2 in test mode and restrict access to your customer and specific additional accounts only (up to 100 test users allowed). What all these accounts need is access to your own or Brand Youtube Channel.

Preparation in the Google Cloud Console:

  • Activate Youtube Data API
  • Create OAuth2 Client ID
    • Name
    • Allowed Redirects
  • Setup OAuth-Consent Screen
    • Name of the App
    • Support Email
    • Logo
    • Allowed Domains
    • Type: External
    • Setup all test-users, all of these need access to your Youtube channel already

A detailed description can be found here.

You can circumvent verification for the consent screen by using an organisation setup at Google. Here is some info about that. With that setup, offline refresh tokens should work fine.

Update: Just tried that, but it won't work with a branded Youtube account, even though the cloud user has admin access to it. Not giving up yet, but Google / Youtube really makes it difficult to just have a simple offline solution for specific tasks ;) BTW, I also forced the login hint to make sure the right account is logged in: $client->setLoginHint('YourWorkspaceAccount');

You might have heard of „The League of Extraordinary Packages“. It is a group of developers who have banded together to build solid, well tested PHP packages using modern coding standards.

They also offer an OAuth2-client + OAuth2 Google extension that can be used.

SERVER SETUP

On the server, the Google API PHP SDK can be easily integrated using Composer.

In my customer plugin I neatly separated all relevant areas in classes & traits:

  • Online Authentication, with a 60 minute session
  • Offline Authentication, with a 1 week expiration (might explain that in more detail in the future.)
  • Error handling and debug information
  • Listing of videos
  • Updating of videos
  • Updating of tags
  • Updating hashtags
  • Backup old data locally, before update. There should always be an option to restore, especially with 500 videos :)
  • Settings & templates
  • REST routes / endpoints

You can check the expiry time of your access token by accessing:
https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=YOUR_TOKEN

„A Google Cloud Platform project with an OAuth consent screen configured for an external user type and a publishing status of „Testing“ is issued a refresh token expiring in 7 days.“ – Google

Basic Auth example from the SDK:

A simple upload example can be found here.


UPDATING A SINGLE VIDEO
BULK VIDEO UPDATES

All operations to and from the Youtube Data API are rate limited. What is important for us, are the queries per day.

The default quota is 10.000 queries per day. That sounds like a lot, but it is easily gone after updating 150-200 videos. You can request that this limit be raised, but that again means a lot of paperwork and questions that are just not needed.

The above limit just means, that you need to cache as many queries as possible, to only query live when needed ;)

Something you learn fast, when experimenting with different things! I hit that limit multiple times in the first few days, with around 500 videos in the queue.

Different operations cost different amounts of units:

  • A read operation that retrieves a list of resources — channels, videos, playlists — usually costs 1 unit.
  • A write operation that creates, updates, or deletes a resource usually costs 50 units.
    10.000 / 50 are 200 updates per day :)
  • A search request costs 100 units.
  • A video upload costs 1600 units. Glad we are not handling the upload as well, but technically easy ;)

It also helps to use the Google Developer Playground to test-drive the Youtube Data API with your own credentials while optimising your own code.
You can define your own OAuth 2.0 configuration by clicking the cog in the upper right corner.

I set up the bulk updating to allow splitting it over multiple days, if required. For this an offline refresh token is needed, as the standard token expires after 60 minutes.
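The quota costs listed above and the 7-day refresh token lifetime quoted earlier, combined into one planner that shows on which day a multi-day run would outlive its token. This is an added example, not code from the plugin: the constants come from the post, while the reserve margin, the function names and the timestamps are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Values taken from the post: daily quota, cost per write and per list page,
// list page size, and the refresh token lifetime in "Testing" status.
const DAILY_QUOTA_UNITS  = 10000;
const WRITE_COST_UNITS   = 50;
const LIST_COST_UNITS    = 1;
const LIST_PAGE_SIZE     = 50;
const REFRESH_TOKEN_DAYS = 7;

/**
 * Split $videoCount updates into per-day batches that stay inside the quota.
 * $reserveUnits is a hypothetical safety margin kept free for single-video
 * updates and retries; the post does not define one.
 *
 * @return int[] number of video updates to run on day 1, day 2, ...
 */
function planBulkUpdate(int $videoCount, int $reserveUnits = 500): array
{
    if ($videoCount < 0 || $reserveUnits < 0) {
        throw new InvalidArgumentException('Counts must not be negative');
    }
    // The complete video listing is read once on day 1 and cached afterwards.
    $listUnits = (int) ceil($videoCount / LIST_PAGE_SIZE) * LIST_COST_UNITS;
    $plan = [];
    $remaining = $videoCount;
    while ($remaining > 0) {
        $budget = DAILY_QUOTA_UNITS - $reserveUnits - ($plan === [] ? $listUnits : 0);
        $batch = min($remaining, intdiv($budget, WRITE_COST_UNITS));
        if ($batch < 1) {
            throw new RuntimeException('Quota budget too small for a single update');
        }
        $plan[] = $batch;
        $remaining -= $batch;
    }
    return $plan;
}

/**
 * Check whether a refresh token issued at $issuedAt covers every day of the
 * plan when the run starts at $startAt (day N runs at $startAt + N-1 days).
 *
 * @return array{days:int, expiresAt:int, firstUncoveredDay:?int}
 */
function checkTokenWindow(array $plan, int $issuedAt, int $startAt): array
{
    $expiresAt = $issuedAt + REFRESH_TOKEN_DAYS * 86400;
    $firstUncoveredDay = null;
    foreach (array_keys($plan) as $index) {
        if ($startAt + $index * 86400 >= $expiresAt) {
            $firstUncoveredDay = $index + 1;
            break;
        }
    }
    return [
        'days' => count($plan),
        'expiresAt' => $expiresAt,
        'firstUncoveredDay' => $firstUncoveredDay,
    ];
}

// Constructed sample: consent given on 1 Jan, bulk run started one day later.
$issuedAt = gmmktime(9, 0, 0, 1, 1, 2024);
$startAt  = gmmktime(9, 0, 0, 1, 2, 2024);

foreach ([500, 2000] as $videoCount) {
    $plan  = planBulkUpdate($videoCount);
    $check = checkTokenWindow($plan, $issuedAt, $startAt);
    printf(
        "%d videos: %d day(s), batches [%s], token expires %s UTC, %s\n",
        $videoCount,
        $check['days'],
        implode(', ', $plan),
        gmdate('Y-m-d H:i', $check['expiresAt']),
        $check['firstUncoveredDay'] === null
            ? 'token covers the whole run'
            : 'new consent needed before day ' . $check['firstUncoveredDay']
    );
}
```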

My customer can also just update a single video, when changes are applied to the product or a new product has been added.

If more frequent updates are required, I will ask for a raise of the queries per day. You can circumvent the limit by using multiple Google Cloud Platform accounts with new OAuth credentials, but really an overkill right now. I have done that in the past ;)

LAYOUT & DESIGN

The GUI is just based on Bootstrap, to make it simple and clean. Using my own wrapper to make it work within the WordPress admin.

For all ajax operations, I am using htmx and _hyperscript, which I will talk about in another article in the future.

Really neat and clean way to build single page interfaces.

The whole plugin runs off its own REST API endpoint. Just love using WordPress as a headless system.

I used TWIG / Timber for the templates, to separate logic and layout. Timber has been my go-to solution for years now. It drives my own and many customer websites.


CONCLUSION

This has been a lot of fun, maybe a bit too much LOL

I do geek-out about many of my projects, but this experience helped me to bring my WordPress toolbox to the next level. This will help to drive other things in the future.

Working so deeply with the Youtube Data API has been fun and feels so easy now, after all remaining problems have been solved.

Would have loved this during my portalZINE TV days ;)

If you read all this, you just earned yourself a badge for completion ;)

Need something similar or something else? Just say hi and we can talk.

ENJOY CODING ….


Getting started

„WPML (WordPress Multilingual) makes it easy to build multilingual sites and run them. It’s powerful enough for corporate sites, yet simple for blogs.“ – WPML

I have been running and setting up multilingual websites for more than 12 years. WordPress and related integrations have gladly come a long way to make our lives a lot easier.

For basic content WPML is almost plug & play, but I do see more and more sites / customers struggling with more complex setups. WPML is one of the most popular multilingual plugins and is used on x00.000 of websites.

Just so you know, WPML is a commercial solution!

Settings for almost everything

The amount of settings has increased a lot over the years and offers possible solutions for almost any content / plugin setup.

But for more complex setups, I would suggest hiring a professional to look over the settings or studying the plugin documentation carefully.

Especially with a lot of content, it can quickly increase problems and the need to revisit specific content over and over again.

How to translate

WPML lets you translate any text that comes from themes / theme frameworks (DIVI, Elementor, Gutenberg …), plugins, menus, slugs, SEO and additionally supported integrations (Gravity Forms, ACF, WooCommerce …).

You can translate content internally for yourself, using translation management to translate with an internal team of translators or get help from external translators / translation services.

The latest version also offers AI translations, which allows you to get a decent start for most of your content.

In addition to the above, WPML String Translation allows you to translate texts that are not in posts, pages and taxonomy. This includes the site’s tagline, general texts in admin screens, widget titles and many other areas.

Is it worth its money

Well, I am a bit biased. I have not looked much at other solutions for the past 5 years, as it offers all I really need.

I have used it on projects from 2 to 15 languages and it scales nicely. At least with proper hosting attached!

Anything can be tweaked through the API, Hooks and custom integrations. I have built additional WPML tools for my customers, to streamline some of the repeating / boring tasks.

Their support is responsive and the forum already provides a huge amount of answers to most of the questions that might come up.

If you develop / maintain multiple customer websites with multilingual content, the investment is quickly amortized. I do offer WPML to my maintenance package customers, maybe something to consider ;)

It's an essential solution in my WP toolbox.

WPML 4.5

WPML 4.5 is on its way and will include a „Translate Everything“ feature, among other fixes and enhancements.

Translate Everything allows you to translate all of your site’s content automatically as you create it. You can then review the translations on the front-end before publishing.



WPML / Documentation


Watching from the sidelines

VR has not just arrived, but it finally arrived for me and the masses ;)

I have been watching VR evolving from the sidelines for the past few years. It's been a fun ride, from the first prototypes to what we have now.

The biggest problem in the past, has been image quality and the huge upfront investment for me. With the latest generation all of this has completely changed.

As a developer …

I am constantly keeping up with new technologies and have been diving into WebVR for some time now.

It's so easy to export your own simple Unity VR project into WebVR and integrate it into your own web projects.

Unreal Engine also provides options to work on VR projects. Or build upon the WebXR API.

Microsoft also has a foot in the door, with MRTK (Allows to integrate teleporting easily / Releases).

Oculus Quest 2

With the announcement of the Oculus Quest 2 last year, I finally decided to dive in myself. Standalone VR allows me to concentrate on WebVR and experiment, while still having the option to expand into the linked PC-universe in the future as well.

PC Link / PC Rig / PC VR

I have no plans to invest into a beefy gaming rig yet, but have been trying out cloud solutions using Shadow and Paperspace Gaming / Paperspace $10 Coupon (KS4Q2TA).

Update: Latency is the biggest problem with these solutions and it can be hit & miss! My Paperspace experience was close to perfect for pure desktop experiences, for VR sadly not :) Cannot test-drive Shadow right now, as the waiting list is already showing September 2021 LOL CRAZY! Local latency can be greatly optimized by using Wi-Fi 6 or Wi-Fi Direct.

With the current GPU prices, building a machine makes hardly any sense. I would love to build a small form-factor PC with a Shuttle XPC for example ;) Maybe later this year ….

I invested in VR-Comfort for now ;) I transformed the Oculus Quest 2 into a FrankenQuest with the DAS-Mod (HTC VR VIVE Deluxe Audio Strap). Loving the new look, audio and perfect weight balance :) Perfect for longer sessions.

Building a VR READY PC in 2021

I am officially infected. I decided to upgrade an old computer to minimum VR specs, to at least try out PC-VR :)
The final build is ghetto and really a tight fit, but it works perfectly :)

For 2021 and the current shortages, this is a big win! The whole upgrade was about 400 EUR, with 250 EUR for the new GPU.

Here are my current PC-VR specs:

| Area | Before | After / Comment |
| PC | Fujitsu P900 – i3 | Nice clean case. Mainboard D2990 (ultra small μATX). Really tiny! This would normally not be my dream mainboard, but I am using what I have :) Trying to keep costs low. |
| Power Supply | Stock | EVGA 600 W1. Better cooling and needed power for the GPU. |
| CPU | i3 – 2120 | i7 2600K. Big change in overall performance. |
| CPU Cooler & Fan | Stock | Be Quiet Pure Rock Slim BK030. (Had to do some mods to install it) |
| RAM | 8GB | Enough for now. |
| GPU | NVIDIA 1030 GTX – Low profile | NVIDIA 1060 6gb Inno3D. That card takes up all slots, had to add a riser card to play with some USB 3.0 cards :) |
| USB3 | USB2 | Inateck PCIe USB 3.0 – KTU3FR-4P, again connected via a riser card! Make sure that the card gets proper power (green light on the card itself), that is why another Inateck card failed to connect or had random disconnects ;) That card charges and connects perfectly with the Oculus Quest 2. I was almost giving up and glad I found a working solution ;) |
| USB LINK | | Using a 3m long cable from KIWI Design, works without any problems and has secure fit on the Oculus Quest 2 |
| Bluetooth | | Bluetooth 4.0 – Asus BT-400 |

All that is required, has been added and now the PC VR universe is open for exploration :) As hardware is getting more expensive every week, I updated a second machine with comparable specs and have 2 machines that can run VR with entry /decent specs :)

Interesting Platforms

There are many new platforms providing access to new tools and often an easy access to a broader community. Some of them with nice build tools in VR.

Open Source

„OpenXR is an open, royalty-free standard for access to virtual reality and augmented reality platforms and devices. It is developed by a working group managed by the Khronos Group consortium.“

You will find a bunch of efforts on the way, to build the next open multi-platform VR solution.

Building experiences in VR

Building with Unity is always an option, but not the best solution for those that are just getting started or for those that just want a simple starting point to experiment ;)

  • Zoe – Immersive 3D Creation Platform
    Create content directly in VR or using Unity :) Zoe is a perfect tool for Educators & Institutions.
  • A-Frame. A web framework for building 3D/AR/VR experiences. Make 3D worlds with HTML and Entity-Component. For Quest, Rift, WMR, SteamVR, mobile, desktop.
  • OpenSpace 3D – OpenSpace3D is a free and open-source platform, designed to create virtual and augmented-reality applications or games. If you are a 3D artist, a designer, a lab researcher, or just someone with a lot of passion and curiosity, you don’t need software development skills to use our platform.
  • Amazon Sumerian is a set of tools for creating high-quality virtual reality (VR) experiences on the web. With Sumerian, you can construct an interactive 3D scene without any programming experience, test it in the browser, and publish it as a website that is immediately available to users.
  • Mozilla Spoke – Create 3D social scenes for Hubs
  • Wonderland Engine is a development platform for web-based graphics applications. It comes with an accessible 3D editor application – the Wonderland Editor – and an efficient WebAssembly based runtime that runs in the browser.

VR Office

Another evolving area is the office space. Some of the platforms above already dive into that area, like XRDesktop. But Oculus / Facebook itself is working on its Infinite Office integration.

Other solutions help to mirror your PC within VR and open new ways for collaboration:

The biggest problem is the mirroring of the keyboard. As soon as that is solved, this might become usable. Immerse VR provides an option to overlay a virtual representation of your keyboard, by mapping your real-life keyboard in VR.

Communities

Always important to stay informed. Here are some communities I frequently visit:

Tools

  • Oculus TrayTool – It’s a free application that helps you get the most out of your Oculus Rift & Oculus Quest, when connected via Link.

Here to stay

VR is here to stay, I would have never thought it would take off in 2020 / 2021. But we all face new challenges and technology is evolving to make space for new possibilities.

Not all gaming

While gaming / fitness / social are the entry point for VR currently, this whole market will expand quickly in 2021.

Really looking forward to new possibilities and another facet of my developer life.

Looking forward to meeting some of you in the VR-Multiverse :)

Enjoy coding ….


I am always looking for easy ways to white label the WordPress administration for myself and my clients. A nice personal touch for each project and an easy way to declutter the interface.

These are my personal favorites, that I use on a regular basis.

Admin Themes / Login Page

There are a lot of solutions out there, but many break easily and are really heavy to load. Some of these solutions I tried also break easily on new WordPress Upgrades. The first two below are currently my favorites.

  1. Slate Pro ( Commercial )
    „Slate Pro is a powerful WordPress admin theme plugin that reimagines WordPress with a clean and simplified design. White label your WordPress install with custom colors, a custom login screen, custom admin branding, and more. Slate Pro is now multisite compatible! Network activate to control the look of all sub-sites.“

    Slate Pro is a clean and simple admin theme, that does not try to alter the interface completely. Small changes that make a difference. Color adjustments, logos, simple menu & widget enhancements and login page tweaks. Compared to other solutions it has been a stable experience, even after multiple WordPress Updates.

    This is an install and enjoy solution!
  2. Kodeo Admin UI ( Free – Open Source )
    „Kodeo Admin UI turns your WordPress backend into a clean and modern user interface. All elements are well designed and arranged for the best user experience.“

    Kodeo is another clean interface, that goes further than Slate Pro. Many areas of the admin theme have been changed. It works well with most 3rd party plugins, but I have had problems with some plugins doing their own little interface tweaks.
    With Kodeo your WordPress Admin completely transforms and gives it a really modern & clean look.

    This is an install and tweak solution! You might need to trim certain CSS properties to make it work for everything.

  3. Material WP ( Commercial )
    „Material Design version of the WordPress Admin Interface“

    I have used this once or twice in the past. It's more of an honorable mention. The admin theme transforms the interface completely, but can feel sluggish on slower servers. It has an impressive set of options and gets regular updates.

    This is again an install and tweak solution! It works with most of the 3rd party plugins and Gutenberg, but some things might need to be trimmed by hand.

Menu Editors & User Groups

When sharing the administration with your customer, you often need to make it as simple as possible for them. Depending on your setup, the menu becomes cluttered and overwhelming really fast.

I often trim menus for each user role, to make only those options accessible that are really needed.

  1. Admin Menu Editor Pro ( Free / Commercial )
    This tool has been part of many of my projects and has been a solid solution for years. You can hide & move menus, create new menus, tweak menus by user role, hide plugins and also tweak the admin toolbar with an extra addon.
    Worth every penny! There is a free version available, that might just provide enough functionality for your next project.
  2. Groups ( Free )
    „Groups is designed as an efficient, powerful and flexible solution for group-oriented memberships and content access control. It provides group-based user membership management, group-based capabilities and access control for content, built on solid principles. Groups is light-weight and offers an easy user interface, while it acts as a framework and integrates standard WordPress capabilities and application-specific capabilities along with an extensive API.“

    This plugin allows you to add new user groups easily and can tie into the plugin above.

User Profiles

When sharing the administration with multiple users, it's always nice to add some personality to the user profiles as well.

WP User Profiles
„WP User Profiles is a sophisticated way to edit users in WordPress.“

The plugin provides other small addons, like WP User Avatars. Neat plugin to tweak admins, editors and other users.

Admin Dashboard Replacements

  1. cubicFUSION Admin Enhancer (Free)

    This is a new plugin I am currently working on. The current shortcodes addon can help you integrate dashboard widgets into the dashboard builders below.

    I am also working on my own dashboard builder, that requires none of the solutions below and builds upon WordPress core functionality.

  2. Dashboard Welcome for Elementor (Free)

    “Dashboard Welcome by PowerPack Elements gives you full control over the WordPress welcome panel using Elementor.

    You can personalize the dashboard with content and design built with Elementor. You can add heading, contact information, form, video, images, affiliate links, etc.”

    While the above plugin is free, you need an Elementor Pro License to use it!

  3. Dashboard Welcome for Beaver Builder (Free)

    “Welcome by Beaver Addons gives you full control over the WordPress welcome panel using Beaver Builder.

    You can personalize the dashboard with content and design built with Beaver Builder. You can add heading, contact information, form, video, images, affiliate links, etc.”

    Even though the plugin above is free, Beaver Builder is a commercial plugin!

  4. Divi Dashboard Welcome ($22)

    “Divi Dashboard Welcome gives you control over the WordPress Dashboard Welcome screen …”

    The plugin requires the Divi Page Builder. Both plugins are commercial!

Enjoy
Alex

18. November 2019

Structured Data – I love it!

You might have heard about Structured Data, Schema.org and JSON-LD.  

Search engines read structured data and use it to enhance search engine results. Structured data helps search engines to understand and categorize page content.

Example

This structured data, in JSON-LD format, describes a simple Article.

Schema.org is a collaborative, community activity with a mission to create, maintain, and promote schemas for structured data on the Internet. But not all structured data endpoints are actually used by Google, Bing or other search engines yet.

Allowed Structured Data

Google provides a detailed overview of structured data allowed and used for search results.

There are basic enhancements you can use, like the Article structured data above. There are also many other more specific uses, like Video, LocalBusiness, Events, FAQ, Job Postings, Recipe and so on. Bing also provides a basic overview, but their documentation is scattered and feels incomplete.

How to integrate Structured Data

If you use a modern CMS, many structured data endpoints are already integrated out of the box (Article, Website, Logo, Person …).

Modular content management systems also often offer additional functionality through plugins, which help integrate structured data directly. Some do it better than others!

But if you really want to dive deep and integrate all those little things, structured data is still far more powerful when added manually. Especially things like events, products, job listings, courses, Q&A can greatly be enhanced by hand.

Alex@portalZINE

Validating Structured Data

Google and Bing offer validation tools for structured data. Both integrate it into their Webmaster Tools. You can also use the JSON-LD Playground to validate the JSON-LD itself or RDFa Play, Structured Data Linter, Facebook Debugger, Schema.org Generator and many other tools.

Need help?

I am a huge structured data fan and have been working with it for years now. I am constantly looking for new supported structured data endpoints, to enhance my own or customer websites & data.

Google constantly updates their documentation and highlights experimental structured data endpoints. Like Speakable for example, that highlights sections of a website that are best suited for audio playback.

Fresh structured data helps to promote your content and enhance SEO, directly enhancing your discoverability and your search engine position. Your content becomes more meaningful for search engines, making it easier for them to promote it to the right potential user. It also ties into the GO GREEN concept, as you are reducing bounces of your website for users getting offered the wrong content.

Things like recipes and how-tos are already pushed to the top of the search index. A perfect way to promote your website and get noticed.

Have fun using or discovering structured data!

16. November 2019

Building Low Carbon Websites

I signed the Sustainable Web Manifesto a couple of weeks ago. The manifesto perfectly reflects how I have been handling my business and my projects.

I created a special „GO GREEN“ subsection to talk about the topic in more detail and give you some more context about the areas I can help you with.

We all share and use the web, just as we all share and live on this planet. This manifesto is a public declaration of a shared commitment to create a sustainable internet.

https://www.sustainablewebmanifesto.com/
  1. CLEAN –  The services we provide and services we use will be powered by renewable energy.
  2. EFFICIENT –  The products and services we provide will use the least amount of energy and material resources possible.
  3. OPEN – The products and services we provide will be accessible, allow for the open exchange of information, and allow users to control their data.
  4. HONEST – The products and services we provide will not mislead or exploit users in their design or content.
  5. REGENERATIVE –  The products and services we provide will support an economy that nourishes people and planet.

„If we embrace sustainability in our work, we can create a web that is good for people and planet.“


Together with my partners in crime (Dorit & Micha), we have finally opened our own personal online store.

We have been selling our single origin coffees (1st Single Malt Whisky Coffee, Basic – Single Origin Arabica, Kill me Quick Espresso -Single Origin Robusta), teas (Kräuterschorle – Kräutertee, Feuerkieker – Schwarztee) and rum (Fortune Teller – Double Aged Barbados Rum) using the Amazon Marketplace for the past 2 years.

No more Amazon

GreenApe has been a side project for the past years and I never wanted to deal with the maintenance of our own store. But it's time to move on and do our own thing. Amazon has removed so many useful features over the years or added a new fee on top of other fees. Even though Amazon provides access to a large amount of customers, for small companies the fees build up quickly.

Our own

With our own store we can finally do bundles, coupons again and better optimized shipping. It will also allow me to better test-drive some new interesting features for my customers ;) Yeah, it's kind of my new toy or shopping lab! It's fun being able to work on untested new SEO features, structured data, merchant tools, shopping ads and tracking of all of those.

Locations

We have been selling in Germany for the past 2 years, but that might be changing in the future depending how well the new store shapes up :)

If you live in Germany, love good coffee, tea or rum … say Hi!

GreenApe – Makes Your Life Better
Homepage
Shop
Contact us


Development today relies on multiple teams, services, and environments all working in unison. A topic that always comes up, when setting up a new development environment: How do we secure important credentials, while not making it too complicated for the rest of the team?

The key when working with version control systems like Git, is to keep any type of credentials out of the versioning system. These can be API keys, database or email passwords.

Even if it's a private repository, development environments might change. It can be a simple staging & live website setup you are maintaining.

.env Files for Environment Variables

The simplest way in PHP is to use .env files to store your credentials outside of the publicly accessible directory structure. So outside the public_html, but still within the reach of the executing environment to read it. Variables are accessible through $_ENV['yourVar'] or getenv("yourVar"), once included in your code.

To make it simple you can use the popular package vlucas/phpdotenv, which reads and imports the file automatically.

Don’t fool yourself, if an attacker finds a way into your system, these variables can be easily read. This is just hiding the file from public access and provides some convenience while developing or sharing code.
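The placement rules from this section (outside public_html, out of Git) as a check that can run before a deployment. This is an added example, not code from the post or from vlucas/phpdotenv; the function names and the temporary demo layout are constructed, the permission test assumes a POSIX file system, and, as the paragraph above says, passing it only rules out public exposure.

```php
<?php
declare(strict_types=1);

/** True when $path resolves (symlinks included) to a location inside $dir. */
function isInside(string $path, string $dir): bool
{
    $real = realpath($path);
    $base = realpath($dir);
    if ($real === false || $base === false) {
        return false;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strpos($real . DIRECTORY_SEPARATOR, $base) === 0;
}

/**
 * Simplified check for a .gitignore rule covering ".env". It only knows the
 * common spellings; `git check-ignore -q .env` is the authoritative test.
 */
function gitignoreCoversEnv(string $repoDir): bool
{
    $file = $repoDir . DIRECTORY_SEPARATOR . '.gitignore';
    if (!is_file($file)) {
        return false;
    }
    $covered = false;
    foreach (file($file, FILE_IGNORE_NEW_LINES) ?: [] as $line) {
        $rule = trim($line);
        if (in_array($rule, ['.env', '/.env', '.env*'], true)) {
            $covered = true;
        } elseif (in_array($rule, ['!.env', '!/.env'], true)) {
            $covered = false; // a later negation re-includes the file
        }
    }
    return $covered;
}

/** @return string[] findings; an empty array means nothing was flagged */
function auditEnvFile(string $envFile, string $docRoot, string $repoDir): array
{
    if (!is_file($envFile)) {
        return ['missing: ' . $envFile . ' does not exist'];
    }
    $findings = [];
    if (isInside($envFile, $docRoot)) {
        $findings[] = 'exposed: file is inside the web root and may be served over HTTP';
    }
    $mode = fileperms($envFile) & 0777;
    if (($mode & 0077) !== 0) {
        $findings[] = sprintf('permissions: mode %04o gives group/other access, use 0600', $mode);
    }
    if (isInside($envFile, $repoDir) && !gitignoreCoversEnv($repoDir)) {
        $findings[] = 'git: file is inside the repository and .gitignore has no rule for it';
    }
    return $findings;
}

// Constructed demo layout in the system temp directory.
$base = sys_get_temp_dir() . '/env-audit-' . bin2hex(random_bytes(4));
$weak = $base . '/weak';     // .env inside public_html, mode 0644, no .gitignore
$hard = $base . '/hardened'; // .env beside public_html, mode 0600, ignored by Git
mkdir($weak . '/public_html', 0755, true);
mkdir($hard . '/public_html', 0755, true);
file_put_contents($weak . '/public_html/.env', "DB_PASSWORD=constructed-sample\n");
chmod($weak . '/public_html/.env', 0644);
file_put_contents($hard . '/.env', "DB_PASSWORD=constructed-sample\n");
chmod($hard . '/.env', 0600);
file_put_contents($hard . '/.gitignore', ".env\n");

$cases = [
    'weak'     => [$weak . '/public_html/.env', $weak],
    'hardened' => [$hard . '/.env', $hard],
];
foreach ($cases as $name => [$envFile, $root]) {
    $findings = auditEnvFile($envFile, $root . '/public_html', $root);
    echo $name, ': ', $findings === [] ? 'no findings' : implode('; ', $findings), PHP_EOL;
}

// Remove the demo layout again.
$items = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($base, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($items as $item) {
    $item->isDir() ? rmdir($item->getPathname()) : unlink($item->getPathname());
}
rmdir($base);
```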

Encrypted .env files

Some people propose to encrypt / decrypt environment variables using a secret key. But if an attacker can access your data, he can also find the secret key.

There are some nice packages that offer just that. You have to decide if those fit your ammo.

  • The psecio/secure_dotenv library provides an easy way to handle the encryption and decryption of the information in your .env file. @Github
  • johnathanmiller/secure-env-php – Env encryption and decryption library. Prevent committing and exposing vulnerable plain-text environment variables in production environments. The lib provides a nice guided interface to encrypt your .env file. @Github
  • beyondcode/laravel-credential – Add encrypted credentials to your Laravel production environment. You can edit and encrypt using php artisan credentials:edit. @Github

Apache Pull – setting environment variables

The Apache2 environment variables are set in the /etc/apache2/envvars file. These variables are not the same as the environment variables of your Linux system; they are stored and manipulated in an internal Apache structure.

The /etc/apache2/envvars file holds variable definitions such as APACHE_LOG_DIR (the location of Apache log files), APACHE_PID_FILE (the Apache process ID), APACHE_RUN_USER (the user that runs Apache, by default www-data), etc.

You can open and modify this file in a text editor of your choice. This is nice, but far from simple and requires a server restart. This is something which helps you when hardening security on a live deployed setup.

There are dynamic approaches, but you can do some research for that yourself :) Skipped that rabbit hole for now …

Infrastructure Secret Management

Handling secrets completely detached is another possibility. This is surely overkill for most cases, but using an Infrastructure Secret Management concept might be worth looking into if you are working on bigger-scale projects that involve multiple development teams and setups. These services also often deal with secret rotation.

HashiCorp Vault – „Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.“

You can deploy your own vault on your own infrastructure or test out a hosted version, which is free for Open Source projects. HashiCorp Vault

You will find a bunch of HashiCorp-related packages that will help you to integrate a vault into your project workflow (scmrus/php-vault-env, poc-webapp-vault).

While this is nice, you will need to cache / store credentials somewhere, as you don’t want to query the vault on every single access.

HashiCorp Vault is not the only Infrastructure Secret Management solution. There is a nice Github Gist that lists other solutions and a nice feature matrix.

Amazon also provides a solution called AWS Secrets Manager, which makes a lot of sense when you build and deploy on AWS already :)

What a rabbit hole, once you start researching solutions :)
Have fun …

readmore

I will use this article to collect interesting tips and tricks about using the Linux cron. This is not so much about setting up a cron, but about little things I use or discovered!

What is a cron?

The cron daemon is a long-running process that executes commands at specific dates and times. You can use this to schedule activities, either as one-time events or as recurring tasks.

What is the crontab?

For commands that need to be executed repeatedly (e.g., hourly, daily, or weekly), you can use the crontab command. The crontab command creates a crontab file containing commands and instructions for the cron daemon to execute.

Format is: MIN HOUR DOM MON DOW CMD

  • MIN – Minute field
  • HOUR – Hour field
  • DOM – Day of month
  • MON – Month field
  • DOW – Day of week
  • CMD – Command

Run every 5 minutes

Run yearly, monthly, weekly, daily or on reboot.

  • @yearly will run at 00:00 on Jan 1st of every year.
  • @monthly will run at 00:00 on the 1st of every month.
  • @weekly will run at 00:00 at the start of every week.
  • @daily will run at 00:00 every day.
  • @reboot will run after the server has been rebooted.


TIPS

1. Send cron output via email

2. Use a real cron for WordPress

A real cron does not rely on website activity and executes independently.

Do not forget to disable the virtual WordPress Cron in the wp-config.php!

3. Prevent Emails being sent, when cron executes > /dev/null 2>&1

4. Set Standard Variables

5. Output Redirection
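
An added example, not part of the original post: a small linter that applies the format and the tips above to a crontab, flagging malformed schedule lines and jobs whose output is neither covered by a MAILTO line nor redirected. The sample crontab, its paths and its address are constructed; the @annually, @midnight and @hourly shortcuts accepted here are standard cron nicknames that the list above does not mention.

```shell
#!/bin/sh
# Constructed sample crontab covering the cases discussed above.
sample_crontab() {
    cat <<'EOF'
# constructed sample crontab
*/5 * * * * /usr/local/bin/sync-products.sh
MAILTO=admin@example.com
@daily /usr/local/bin/backup.sh
*/15 * * * * cd /var/www/site && wp cron event run --due-now >/dev/null 2>&1
0 3 * * /usr/local/bin/report.sh
@fortnightly /usr/local/bin/cleanup.sh
EOF
}

# Reads a crontab on stdin, prints findings, returns the number of findings.
lint_crontab() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments, blank lines
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {     # variable assignment
            # Any MAILTO line (an address, or empty to silence mail)
            # counts as a deliberate decision about job output.
            if ($0 ~ /^[ \t]*MAILTO[ \t]*=/) mailto = 1
            next
        }
        {
            if ($1 ~ /^@/) {
                ok = ($1 ~ /^@(reboot|yearly|annually|monthly|weekly|daily|midnight|hourly)$/) && (NF >= 2)
            } else {
                ok = (NF >= 6)                        # MIN HOUR DOM MON DOW CMD
                for (i = 1; ok && i <= 5; i++)
                    ok = ($i ~ "^[0-9A-Za-z*,/-]+$")
            }
            if (!ok) {
                printf "line %d: bad schedule: %s\n", NR, $0
                bad++
                next
            }
            # Without MAILTO, cron mails output to the crontab owner.
            if (!mailto && $0 !~ />/) {
                printf "line %d: no MAILTO and no redirection: %s\n", NR, $0
                bad++
            }
        }
        END { exit bad + 0 }
    '
}

sample_crontab | lint_crontab || echo "findings: $?"
```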

TOOLS

  1. Crontab UI (NodeJS) – Easy way to edit your crontab visually. @Github
  2. Chronis ( >= PHP 7) – Chronis will help you define cron jobs using natural language / YAML and will generate the crontab files for you. @Github
  3. PHP Cron Expression Parser – Standard (V7) compliant crontab expression parser/validator with support for time zones. @Github
  4. PhpGt/Cron (PHP) – Define background jobs in standard crontab format and the Cron Runner will execute them when they are due. Jobs can be either normal scripts, or calls to static functions with automatic autoloading taken care of. @Github
  5. Cronicle (NodeJS) – A simple, distributed task scheduler and runner with a web based UI. @GitHub / Website

readmore

Gatsby is a free and open source framework based on React that helps developers build blazing fast websites and apps.

What they have to say

  • Go Beyond Static Websites. Get all the benefits of static websites with none of the limitations. Gatsby sites are fully functional React apps so you can create high-quality, dynamic web apps, from blogs to e-commerce sites to user dashboards.
  • Use a Modern Stack for Every Site. No matter where the data comes from, Gatsby sites are built using React and GraphQL. Build a uniform workflow for you and your team, regardless of whether the data is coming from the same backend.
  • Load Data From Anywhere. Gatsby pulls in data from any data source, whether it’s Markdown files, a headless CMS like Contentful or WordPress, or a REST or GraphQL API. Use source plugins to load your data, then develop using Gatsby’s uniform GraphQL interface.
  • Performance Is Baked In. Ace your performance audits by default. Gatsby automates code splitting, image optimization, inlining critical styles, lazy-loading, and prefetching resources, and more to ensure your site is fast — no manual tuning required.
  • Host at Scale for Pennies. Gatsby sites don’t require servers so you can host your entire site on a CDN for a fraction of the cost of a server-rendered site. Many Gatsby sites can be hosted entirely free on services like GitHub Pages and Netlify.

What I have to say …

While researching some popular static site generation tools, GatsbyJS comes up often. I have played with NuxtJS and Hugo in the past, but what I REALLY like about GatsbyJS is the plugin / modular system. You can build your website with plain-old React and CSS styles, but make your development more efficient by adding node_modules.

Also being able to import any data source with ease, using GraphQL, is amazing. And when it comes to content management, you can easily hook a headless WordPress or Drupal setup into the mix and consume their REST APIs :)

I am not switching my own website to GatsbyJS anytime soon, but it's another tool in my toolbox for future project consideration!

There are many tutorials on Youtube about getting started, maybe something to consider for the next free-time test drive ;) Enjoy …

GatsbyJS @ Github

readmore