As seen in the recent Uber hack, storing secrets such as API tokens in your project repository can leave your organisation vulnerable to data breaches and extortion. This tutorial demonstrates a simple and effective way to mitigate this kind of threat by leveraging Key module to store API tokens in remote key storage.

by Nick Santamaria / 24 November 2017

Even tech giants like Uber are bitten by poor secret management in their applications. The snippet below describes how storing AWS keys in their repository resulted in a data breach, affecting 57 million customers and drivers.

> Here’s how the hack went down: Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.
Uber could have avoided this breach by storing their API keys in a secret management system. In this tutorial, I'll show you how to do exactly this using the Key module in conjunction with the Lockr key management service.
This guide leverages a brand-new feature of Key module (as of 8.x-1.5) which allows overriding any configuration value with a secret. In this instance we will set up the MailChimp module using this secure config override capability.

Service Set-Up
Before proceeding with the Drupal config, you will need a few accounts:
These third-party services provide us with a simple example. Other services are available.

Dependencies
There are a few modules you'll need to add to your codebase.
- Go to /admin/modules and enable the MailChimp, Lockr and Key modules.
- Go to /admin/config/system/lockr
- Use this form to generate a TLS certificate that Lockr uses to authenticate your site. Fill out the form and submit.
- Enter the email address you used for your Lockr account and click Sign up.
- You should now be re-prompted to log in - enter the email address and password for your Lockr account.
- In another tab, log into the MailChimp dashboard
- Go to the API settings page - https://us1.admin.mailchimp.com/account/api/
- Click Create A Key
- Note down this API key so we can configure it in Drupal in the next step.
- In your Drupal tab, go to /admin/config/system/keys and click Add Key
- Create a new Key entity for your MailChimp token. The important values here are:
  - Key provider - ensure you select Lockr
  - Value - paste the API token you obtained from the MailChimp dashboard.
- Now we need to set up the configuration overrides. Go to /admin/config/development/configuration/key-overrides and click Add Override
- Fill out this form. The important values here are:
  - Configuration type: Simple configuration
  - Configuration name: mailchimp.settings
  - Configuration item: api_key
  - Key: The name of the key you created in the previous step.
... and it is that simple.

Result

The purpose of this exercise is to ensure the API tokens for our external services are not saved in Drupal's database or code repository, so let's see what those look like now.

MailChimp Config Export - Before

If you configured MailChimp in the standard way, you'd see a config export similar to this. As you can see, the api_key value is in plaintext - anyone with access to your codebase would have full access to your MailChimp account.

```yaml
api_key: 03ca2522dd6b117e92410745cd73e58c-us1
cron: false
batch_limit: 100
api_classname: Mailchimp\Mailchimp
test_mode: false
```

MailChimp Config Export - After

With the key overrides feature enabled, the api_key value in this file is now null.

```yaml
api_key: null
cron: false
batch_limit: 100
api_classname: Mailchimp\Mailchimp
test_mode: false
```

There are a few other relevant config export files - let's take a look at those.

Key Entity Export

This export is responsible for telling Drupal where Key module stored the API token. If you look at the key_provider and key_provider_settings values, you'll see that it is pointing to a value stored in Lockr. Still no API token in sight!

```yaml
dependencies:
  module:
    - lockr
    - mailchimp
id: mailchimp_token
label: 'MailChimp Token'
description: 'API token used to authenticate to MailChimp email marketing platform.'
key_provider: lockr
key_provider_settings:
  encoded: aes-128-ctr-sha256$nHlAw2BcTCHVTGQ01kDe9psWgItkrZ55qY4xV36BbGo=$+xgMdEzk6lsDy21h9j….
key_input: text_field
```

Key Override Export

The final config export is where the Key entity is mapped to override MailChimp's configuration item.

```yaml
status: true
dependencies:
  config:
    - key.key.mailchimp_token
    - mailchimp.settings
id: mailchimp_api_token
label: 'MailChimp API Token'
config_type: system.simple
config_name: mailchimp.settings
config_item: api_key
key_id: mailchimp_token
```

Conclusion
Hopefully this tutorial shows you how accessible these security-hardening techniques have become.
With this solution implemented, an attacker cannot take control of your MailChimp account simply by gaining access to your repository or a database dump. Also remember that this exact technique can be applied to any module which uses the Configuration API to store API tokens.
Why? Here are a few examples of ways popular Drupal modules could harm your organisation if their configs were exposed (tell me about your own worst-case scenarios in the comments!).
- s3fs - An attacker could leak or delete all of the data stored in your bucket. They could also ramp up your AWS bill by storing or transferring terabytes of data.
- SMTP - An attacker could use your own SMTP server against you to send customers phishing emails from a legitimate email address. They could also leak any emails the compromised account has access to.
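
A pre-commit or CI check can confirm that exported config stays free of plaintext tokens. The script below is an added example, not code from the tutorial or from Key module: it recognises override exports by the config_name, config_item and key_id fields shown above, handles top-level config items only, and uses constructed file names and a placeholder key value.

```python
import re

# Constructed sample exports, modelled on the files shown in this tutorial.
# The file names and the placeholder key value are assumptions for the demo.
OVERRIDE = """\
status: true
dependencies:
  config:
    - key.key.mailchimp_token
    - mailchimp.settings
id: mailchimp_api_token
label: 'MailChimp API Token'
config_type: system.simple
config_name: mailchimp.settings
config_item: api_key
key_id: mailchimp_token
"""
SETTINGS_AFTER = """\
api_key: null
cron: false
batch_limit: 100
api_classname: Mailchimp\\Mailchimp
test_mode: false
"""
SETTINGS_BEFORE = SETTINGS_AFTER.replace("null", "PLACEHOLDER-not-a-real-key-us1")

SECRET_NAME = re.compile(r"api_?key|token|secret|password", re.I)
NULLS = {"", "null", "~"}


def top_level_scalars(text):
    """Return top-level `key: value` pairs of a flat YAML export.
    Indented lines (nested maps, list items) are skipped on purpose."""
    pairs = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9_]+):\s*(.*)$", line)
        if m:
            pairs[m.group(1)] = m.group(2).strip().strip("'\"")
    return pairs


def audit(exports):
    """exports maps file name -> YAML text.
    Returns sorted (file, item, problem) tuples; values are never reported."""
    parsed = {name: top_level_scalars(text) for name, text in exports.items()}
    covered, findings = set(), []
    for name, cfg in parsed.items():
        if not {"config_name", "config_item", "key_id"} <= cfg.keys():
            continue  # not a key override export
        target, item = cfg["config_name"] + ".yml", cfg["config_item"]
        covered.add((target, item))
        if target not in parsed:
            findings.append((name, item, "override targets a missing export"))
        elif parsed[target].get(item, "") not in NULLS:
            findings.append((target, item, "overridden item still holds a value"))
    for name, cfg in parsed.items():
        for key, value in cfg.items():
            if (SECRET_NAME.search(key) and value not in NULLS
                    and (name, key) not in covered):
                findings.append((name, key, "secret-like item has no key override"))
    return sorted(findings)


if __name__ == "__main__":
    sample = {"mailchimp.settings.yml": SETTINGS_BEFORE, "override.yml": OVERRIDE}
    for finding in audit(sample):
        print(*finding, sep=": ")
```
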
What other Drupal modules could be made more secure in this way? Post your ideas in the comments!
Go forth, and build secure Drupal projects!
Systems Operations Developer
Is your commerce site ready for the big time? We're talking about Black Fridays, product launches, back-to-school weeks, and any other time you are going to get exponentially more traffic than you would normally get. A lot of people just assume their site/server/staff can handle such increased volume, but unless you've tested it by running 10 or 20 or 50 times the traffic through it, you really don't know.
The problem is that scaling doesn't work in a linear way. Let's say you're currently using 10 percent of your server's capacity. Simple math would indicate that you could handle 10 times as much traffic and be at 100% of capacity, so you should be fine.
But it doesn't necessarily work that way in the real world. It could be that there is some sort of hidden flaw that flares up when that volume of traffic comes through: maybe you hit some sort of race condition, or a caching system starts to cycle too fast, or you get a database bottleneck and everything gets backed up behind it. It could be some little glitch that's easily fixed and everything goes back to normal—but if you fix it halfway through the biggest sales day of the year, it's too late.
So how can you get ready?

1. Do performance testing.
Your goal should be to mimic live as much as possible. You don't just want to run the test on your local server. You want to spin up a similar environment, or maybe spin something up at 1/10th of the scale and hit it hard with lots of capacity. Or do it through Amazon and only run it for an hour or something to save on cost.
Once you have your environment, you have to try to simulate actual traffic. You don't want to just hit the home page repeatedly, because that's not how your customers interact with your site. They go through the checkout, and click around on product pages, and search, and log in to their account. They do a whole bunch of random stuff, and you have to try to mimic that. You can't do it perfectly, but you want to hit all the parts of your site and throw a bit of randomness in there to try to get as close to the real experience as possible.
In a perfect world, you would have gone through a similar event like Black Friday already and learned from it. But maybe you're a first-timer. Or maybe you're launching a big new product unlike anything you've had before, and it's backed by a TV spot, and you're expecting a massive volume of sales to follow. So test your site and be sure.

2. Prepare for stock issues.
Stock problems can obviously be much worse in a high-volume situation. On a slow day, if an order goes through when you are out of stock, maybe you could just call that person and say oops, sorry, but it's going to take a couple days to fill that order.
But if you have a huge burst of traffic, you might sell 20 items when you only have two in stock. And you can't even get 18 on your next order, and it's going to take six weeks to get that many, and now you have a real problem.
So if that happens, what do you do? How are you handling out-of-stock issues? Do you have messaging to say this is going to be delayed? Are you going to shift customers to alternate recommended products? These are all things you need to consider.

3. Set staffing levels appropriately.
You don't want to be in a situation where your website can handle the traffic, but your human workers cannot. In a physical store, everyone knows they need to up the number of sales staff to deal with a huge crush of shoppers. But when it comes to the website, sometimes people forget that someone still needs to put 10 times as many items in boxes, and deal with 10 times as many email complaints, and talk to 10 times as many customers via live chat.
How does your current process scale? How fast does it take you to do an order? Maybe you need to think about automated shipping, or standardized box sizes, or any one of a number of other things that will make your staff's lives easier during high-volume times.

Conclusion

As you can see, there are quite a few things that you can do to make sure you're operating smoothly during those peak sales days throughout the year. Some of these things you can do yourself. Some of them you might need some technical support. If support is what you need, or you'd like to discuss this further, contact us. We've been through it all before and can share our experience.
We are looking for a content developer who is able to:
• Sell an idea/lifestyle
• Trigger people’s emotions
• Catch their immediate attention
• Make users convert (call to actions will not be focused on sales but on visiting the shop, scheduling a product test meeting, scheduling repairs/maintenance and scheduling “renting” a product)
• Optimize our local search ranking (Local SEO is really important and therefore SEO optimisation knowledge is an ABSOLUTE MUST)
We did some SEO research, however we expect our writer to be fully capable of further optimizing our research (our research consists of some basic adwords & keywordtool.io analyses).
Furthermore you will receive a fully designed website (which is technically perfectly optimised for SEO & triggering conversions) and it is up to you to create the perfect text!
Do you think you have what it takes? Feel free to reply to this job offering and we will get in touch with you very soon!
Posted On: November 23, 2017 19:11 UTC
Category: Writing > Copywriting
Skills: Content Marketing, Content Writing, Conversion Rate Optimization, Copywriting, SEO Keyword Research, SEO Writing, WordPress
As mentioned in my previous post, I’ll be sharing the videos of the various talks by Amazees at Drupal Camp Cape Town 2017, over the upcoming weeks.

Jason Lewis Thu, 11/23/2017 - 14:55
First up we have Head of Global Maintenance at Amazee Labs, Bryan Gruneberg, who spoke about "Maintainability and Longevity - Keeping customers and developers happy". Maintaining strong, robust sites that evolve with the client’s needs is of utmost importance to us and was a topic that received a lot of interest from Camp attendees.
Enjoy the Video!
I know there are a lot of share plugins, but which would be the best for this kind of situation, somewhere I can easily put share buttons on sections of a page and then you can share that section.

submitted by /u/Mariciano
Looking for a good WordPress Dev with experience in VUE, Timber, and Twig for website finish - Upwork
- fill it with the (delivered) content incl. a few fullscreen videos,
- fix a few mistakes,
- finish the language switch (English and German), it should recognize the browser language
- change some styles on 5 subpages (like blog posts) to fit the visual style
- build a start screen overlay animation (video preview exists, needs to be re-created in JS).
The WordPress project uses Vue.js, Timber and Twig for the templates and is well documented and executed.
You can visit the stage of the current development status here: https://blut.teegeme-vorschau.de
We hope for completion of the project within a week; two weeks max.
Posted On: November 23, 2017 19:11 UTC
Category: Web, Mobile & Software Dev > Web Development
Developers often come across a situation where they are required to reduce database load by caching DB objects in RAM. Here Memcache improves Drupal application performance by moving standard caches out of the database and by caching the results of other expensive database operations.
Note that Drupal doesn’t support Memcache by default, and for this, we need to install it on the server. Let’s see how to install Memcache on the server and configure it with Drupal 8 to reduce the load on the database with every page load.

Let’s see how to install Memcache on the server

Open the terminal on your local machine and run the following commands:

Step 1: sudo apt-get…
When you think of training, perhaps you remember an event that you were sent to where you had to learn something boring for your job. The word training does not usually make people smile and jump for joy, that is unless you are talking about Drupal training. These gatherings spread the Drupal knowledge and increase diversity in the community of Drupal developers.
Join us for Global Training Day on November 29th. It will be held online from 9 AM to 4 PM EST. - https://groups.drupal.org/node/517886
A link to the live workshop on Zoom will be provided when you sign up!
The Drupal Association coordinates four dates each year as Global Training Days, designed to offer free and low-cost training events to new-to-Drupal developers and to create more Drupal talent around the world. The community is growing exponentially as more people learn how fun and easy it is to get involved and be productive. Volunteer trainers host these global events in person and online. In 2016, a Global Training Days Working Group was established to run this program. There is a Global Training Days group on Drupal.org that lists trainings around the world - https://groups.drupal.org/global-training-days
Coming up, we have Global Training Day on November 29th. Mauricio Dinarte will be leading the training online. As an introduction to Drupal a person needs to learn certain things that are specific to Drupal and some are not that intuitive. It is important to cover the very basics in terminology and process. An introductory class can include many things, but this list is what Mauricio covers during the day long event:
- Drupal installation requirements and process
- Content types
- Theme regions
- User and permissions
The outcome of a day of training is that everyone walks away understanding the main moving parts of Drupal and a bit about what they do. Of course you will not become a developer overnight, but you will have enough information to build a simple site and then explore more of Drupal on your own. You can follow up with many online tutorials and by joining the Drupal group in your area and attending the meetings. At meetings you will connect with other people at different levels of skill and you will be helped and helpful at the same time! If there is no Drupal group in your area, I suggest you start one. It can start as easily as posting online that you will be at a specific location doing Drupal at a certain time of day - you will be surprised at who may show up. If no one shows up the first time, try again or try a different location. One of the best things about Drupal is the community and how large and connected we are. If you start a group, people will usually help it grow. Bringing new people to Drupal is not only good for increasing the size of the member base, it also brings diversity and reaches people that may never have had an opportunity or access to a free training. The trainings are usually held at a University in or near a city which attracts people from different backgrounds and cultures. We can also reach people that are not in a city or near a school by sharing online.
Have you ever thought about volunteering at a Global Training Days event? We have a blog about organizing your own Global Training Days workshop that can get you started. This is a great way to get to know the people in the community better, up your skills and perhaps share something you have learned. I learned much about programming by assisting developers at sprints and trainings. This is where the real fun begins. Learning does not have to be stressful, and in the Drupal community people are friendly and welcoming. No question is stupid and even those with no experience have valuable skills. Developers love people without prior experience because they make the perfect testing candidates for UI and UX. The down side is that Drupal is so captivating that you will probably not remain a newbie for very long, so enjoy it while it lasts.
One of the true highlights of Global Training Days is seeing all the people around the world gain valuable skills and share knowledge. We hope you can join us.
I am looking for a reddit this wordpress plugin just like this one - any ideas? https://rochdaleherald.co.uk/2016/08/15/rose-gold-for-afternoon-strolls/

submitted by /u/theresamaysicr

Last week I switched from years of using Chrome to Firefox 57 because of all the hype about it being fast, and that I'd been suffering from Chrome using up to 10GB of RAM. The big issue I hit though was I didn't have Dreditor and there seemed to be no way to install it. I decided to go on using Firefox without Dreditor, and loading Chrome every time I needed to do an in-depth patch review.
Then yesterday I saw the latest Commit Strip cartoon, where in a reply @williambl suggested Chrome Store Foxified for converting Chrome plugins to Firefox. First thing I thought was to try the Dreditor Chrome plugin, and it worked.
This morning Berdir suggested "maybe someone will release that thing as a public extension". So I went digging on addons.mozilla.org and found I could download the XPI file Chrome Store Foxified created during the conversion.
So here it is:
Download Dreditor for Firefox now!
GraphQL is becoming more popular every day. Now that we have a beta release of the GraphQL module (mainly sponsored and developed by Amazee Labs) it's easy to turn Drupal into a first-class GraphQL server. In this second post of the series, we'll describe the way Drupal fields are represented in GraphQL and look at a few examples.

Blazej Owczarczyk Thu, 11/23/2017 - 09:59

Last week we talked about the new structure of the GraphQL package. We have also looked at the tools bundled with the module - the explorer and the voyager - and we've explored how to fetch a username. Now let's use GraphiQL to assemble queries that are a bit more complex.

The Naming
GraphQL naming conventions are slightly different than Drupal's.
- Fields and properties are in camelCase. This means that field_image in Drupal becomes fieldImage in GraphQL and the revision_log property becomes revisionLog.
- Entity types and bundles use camelCase with the first letter capitalized so taxonomy_term becomes TaxonomyTerm and the tags vocabulary becomes TaxonomyTermTags. As we can see bundles are prefixed with the entity type name.
While fields and properties both translate to the same GraphQL structure called Field, entity types and bundles, despite sharing the naming convention, don't. The former is implemented as GraphQL Interfaces and the latter are GraphQL Types (implementing these Interfaces). As an example:
This query contains fields from 3 different GraphQL structures that build upon one another.
- entityId and entityCreated come from the Entity Interface. These fields are available for all entity objects. nodeById query returns a Node Interface which extends Entity Interface.
- title and status are defined in the Node Interface and are available for all nodes, regardless of their content type.
- fieldSubtitle is a field (field_subtitle in Drupal) that has been added to the Article content type. It's not a part of either the Node or the Entity Interface; it is only available in the NodeArticle Type. nodeById can return any node, not just Article, so we need to wrap the fieldSubtitle in a GraphQL Fragment.

If we paste the query into GraphiQL (/graphql/explorer) we'll get a result similar to this one:

The Fragments
GraphQL Fragments, as the name implies, are just pieces of a query. They mostly serve two purposes:
- Executing part of a query conditionally - only when the result is of a specified type. In the example above fieldSubtitle will be evaluated only when the node with id 1 is an Article. If it turns out to be a Basic Page, the fragment will be omitted and the response will just be one field shorter without raising any exceptions.
- Reusability. A fragment can be given a name and be used more than once.
There are two fragments in this query. The first one starting on line 3 is an inline fragment. We need it because fieldCategory and fieldTags are only attached to Articles and nodeById can return any node.
The other one, defined on line 18, is a named fragment thanks to which we don't need to repeat the sub-queries for fieldCategory and fieldTags.
This is what the result could look like. Node 1 is an Article, it has 2 tags in one category term.

The Aliases

There might be situations when we want to use the same field more than once in a single query, to fetch node 1 and 2 simultaneously for instance. We can do that thanks to GraphQL Aliases.
Here we're calling nodeById twice, each time with different arguments and aliases. The former will appear under nodeOne key in the result and the latter will be available under nodeTwo. We've also transformed the inline fragment holding the article fields into a named fragment and used it in both queries to reduce unnecessary repetition.
That's it for this post. In the next one, we'll see how to retrieve the values of Drupal fields and properties.
1- improve the page speed by implementing all related recommendations by gt matrix
2- fix some frontend design issues and inject some content (to be discussed )
Posted On: November 23, 2017 08:42 UTC
Category: Web, Mobile & Software Dev > Scripts & Utilities
Country: United Arab Emirates
Posted On: November 23, 2017 08:42 UTC
Category: Admin Support > Personal / Virtual Assistant
Skills: Administrative Support, Content Writing, Data Entry, English, Internet Research, Proofreading, Virtual Assistant, Website Development, WordPress
Country: United States
[Help] I can't activate Ultimate Membership Pro Plugin on my Wordpress site. I keep getting this message "An error occurred while activating Indeed Ultimate Membership Pro on Young Professionals Salt Lake City."

I just purchased Wordpress for Business. My plan was to add the Ultimate Membership Pro plugin. I keep getting this error when I try to activate the plugin "An error occurred while activating Indeed Ultimate Membership Pro on Young Professionals Salt Lake City." I have no other themes or plugins installed. Any suggestions?

submitted by /u/Slcyuppie