search

enjin / platform

Enjin Platform is the most powerful and advanced open-source framework for building NFT platforms.
GNU Lesser General Public License v3.0
11 stars 10 forks source link

[PLA-1896] Upgrade to use Enjin Platform v1.9.0 #44

Closed leonardocustodio closed 2 months ago

leonardocustodio commented 2 months ago

PR Type

enhancement, configuration changes, dependencies

Description

Changes walkthrough 📝

Relevant files
Configuration changes
9 files
cache.php
Add cache configuration file with multiple store options 
configs/core/config/cache.php
  • Added new cache configuration file.
  • Defined default cache store and various cache stores.
  • Included cache key prefix configuration.
    		•  +107/-0 
    reverb.php
    Add Reverb configuration file with server and application settings
    configs/core/config/reverb.php
  • Added new Reverb configuration file.
  • Defined default Reverb server and server details.
  • Included Reverb applications management configuration.
    		•  +91/-0   
    session.php
    Add session configuration file with detailed settings       
    configs/core/config/session.php
  • Added new session configuration file.
  • Defined default session driver and session lifetime.
  • Included session encryption and cookie settings.
    		•  +217/-0 
    .env
    Update environment variables for application and Reverb configuration
    configs/core/.env
  • Updated environment variables for application configuration.
  • Added new variables for Reverb server and session settings.
  • Modified existing variables for network and cache settings.
    		•  +37/-14 
    Dockerfile
    Update Dockerfile with additional dependencies and node setup
    configs/core/Dockerfile
  • Updated Dockerfile to install additional dependencies.
  • Changed node and npm installation process.
    		•  +1/-1     
    horizon.conf
    Enable autostart for Horizon in supervisor configuration 
    configs/core/supervisor/conf.d/horizon.conf - Changed autostart setting for Horizon to true.
    		+1/-1     
    reverb.conf
    Add supervisor configuration for Reverb service                   
    configs/core/supervisor/conf.d/reverb.conf
  • Added new supervisor configuration for Reverb.
  • Defined process settings and log file location.
    		•  +10/-0   
    supervisord.conf
    Update supervisor configuration to run in foreground         
    configs/core/supervisor/supervisord.conf - Added `nodaemon=true` setting to supervisor configuration.
    		+1/-0     
    docker-compose.yml
    Update docker-compose services to use version 1.9.0           
    docker-compose.yml
  • Updated service images to use version 1.9.0.
  • Modified service configurations for various components.
    		•  +7/-7     
    Enhancement
    1 files
    start.sh
    Update start script for role-based service execution         
    configs/core/start.sh
  • Updated start script for different roles.
  • Changed websocket role to run horizon and reverb.
    		•  +2/-3     
    Dependencies
    1 files
    composer.json
    Update composer.json with new dependencies and PHP version
    configs/core/composer.json
  • Updated PHP and Laravel framework version requirements.
  • Added new dependencies for Laravel Reverb.
  • Updated development dependencies.
    		•  +13/-13 

    💡 PR-Agent usage: Comment /help on the PR to get a list of all available PR-Agent tools and their descriptions

    github-actions[bot] commented 2 months ago

    PR Reviewer Guide 🔍

    ⏱️ Estimated effort to review: 4 🔵🔵🔵🔵⚪
    🧪 No relevant tests
    🔒 Security concerns

    No explicit security vulnerabilities detected in the code changes, but the configuration settings in `configs/core/config/reverb.php` and `configs/core/config/session.php` could potentially lead to security risks if not properly managed in different environments.
    ⚡ Key issues to review

    Hardcoded Values
    The cache configuration uses hardcoded default values for various cache stores (e.g., 'file', 'memcached', 'redis'). Consider making these configurable to enhance flexibility and environment-specific configurations. Security Concern
    The Reverb configuration allows all origins (`allowed_origins` set to `['*']`). This can expose the application to cross-origin resource sharing (CORS) issues. It's recommended to restrict this to known origins. Security Settings
    The session configuration defaults to non-secure settings (e.g., `SESSION_SECURE_COOKIE` set to false). For production environments, consider enforcing HTTPS for cookies.
    github-actions[bot] commented 2 months ago

    PR Code Suggestions ✨

    CategorySuggestion                                                                                                                                    Score
    Security
    Enable HTTPS-only cookies by default to enhance security ___ **To enhance security, consider enabling HTTPS-only cookies by default in the session
    configuration, especially if the application is expected to run under HTTPS.** [configs/core/config/session.php [172]](https://github.com/enjin/platform/pull/44/files#diff-fe3461bf42eb5b0ac5047e06a4370eb000ad6d8384cf08f065187d64043a8719R172-R172) ```diff -'secure' => env('SESSION_SECURE_COOKIE'), +'secure' => env('SESSION_SECURE_COOKIE', true), ```
    Suggestion importance[1-10]: 9 Why: Enabling HTTPS-only cookies by default significantly enhances the security of the application by ensuring that cookies are only sent over secure connections, which is crucial for protecting sensitive session data.
    		9
    Set the 'same_site' cookie attribute to 'strict' by default to enhance security ___ **To prevent potential session fixation attacks, consider setting the 'same_site'
    attribute of cookies to 'strict' by default.** [configs/core/config/session.php [202]](https://github.com/enjin/platform/pull/44/files#diff-fe3461bf42eb5b0ac5047e06a4370eb000ad6d8384cf08f065187d64043a8719R202-R202) ```diff -'same_site' => env('SESSION_SAME_SITE', 'lax'), +'same_site' => env('SESSION_SAME_SITE', 'strict'), ```
    Suggestion importance[1-10]: 8 Why: Setting the 'same_site' attribute to 'strict' by default helps prevent CSRF attacks by ensuring that cookies are only sent in a first-party context, thereby enhancing the security of the application.
    		8
    Best practice
    Use dynamic environment-based values for cache key prefixes to prevent collisions ___ **It is recommended to avoid using hardcoded values for cache key prefixes. Instead,
    use a dynamic value based on the environment to prevent cache key collisions across
    different environments.** [configs/core/config/cache.php [105]](https://github.com/enjin/platform/pull/44/files#diff-b25244b19b630e5fe8dc90fefb8753ffbd5f52b2033107449f1a36dd27f9ee3bR105-R105) ```diff -'prefix' => env('CACHE_PREFIX', Str::slug(env('APP_NAME', 'laravel'), '_') . '_cache_'), +'prefix' => env('CACHE_PREFIX', Str::slug(env('APP_NAME', env('APP_ENV', 'production')), '_') . '_cache_'), ```
    Suggestion importance[1-10]: 8 Why: This suggestion improves the maintainability and robustness of the application by ensuring that cache key prefixes are unique across different environments, reducing the risk of cache key collisions.
    		8
    Maintainability
    Use a more descriptive environment variable name for 'max_request_size' ___ **For the 'max_request_size' configuration, consider adding a more descriptive
    environment variable name that reflects its purpose and unit, such as bytes.** [configs/core/config/reverb.php [38]](https://github.com/enjin/platform/pull/44/files#diff-ae0a3e5b853721099e6ccee6ca0017a22c23006f406227862dd476402c6bed90R38-R38) ```diff -'max_request_size' => env('REVERB_MAX_REQUEST_SIZE', 10_000), +'max_request_size' => env('REVERB_MAX_REQUEST_SIZE_BYTES', 10_000), ```
    Suggestion importance[1-10]: 7 Why: This suggestion improves code readability and maintainability by making the purpose and unit of the 'max_request_size' configuration more explicit, which helps developers understand the configuration more easily.
    		7