Blog

Magento 2 REST API Response Formats

Published: March 28, 2017

The Magento 2 REST API can return responses in XML or JSON format. The format is selected based on the Accept HTTP header. Per the developer documentation:

HTTP headers

Accept

Optional. Specifies the format of the response body. Default is JSON.

Accept: application/FORMAT

Where FORMAT is either JSON or XML.

If you omit this header, the response is returned in JSON format.

http://devdocs.magento.com/guides/v2.0/get-started/gs-web-api-request.html#http-headers

Here, I’ll dive into the code, to investigate how this works…

Magento 2 REST API method return processing

Published: March 27, 2017

If you’re getting started with the Magento 2 REST API you’ll find a good amount of resources documenting basic usage. Overall, it’s a big improvement over the Magento 1 REST API, in my opinion. However, one thing that I couldn’t find good information on is how Magento processes the result that your method returns.

As such, I spent a while digging through the code to understand. Here I’ll detail the (not exactly sane) way that Magento will process your method’s return value.

Accessing the admin front name programmatically in Magento 2

Published: March 23, 2017

Recently I was working on some Magento 2 code where I needed to programmatically determine the admin front name. If you run a Google search you’ll pretty quickly find the canonical answer for Magento 1:

Mage::getConfig()->getNode('admin/routers/adminhtml/args/frontName');

However, even after reading through two pages of Google results, I was not able to find an answer for Magento 2.

Measuring round-trip time with nping

Published: March 21, 2017

Recently, I was debugging a performance issue where a site was spending an above-average amount of time running HGETs against a Redis instance. I came upon this snippet of text from Redis’ benchmarking documentation.

Network bandwidth and latency usually have a direct impact on the performance. It is a good practice to use the ping program to quickly check the latency between the client and server hosts is normal before launching the benchmark

https://redis.io/topics/benchmarks#factors-impacting-redis-performance

However, when I went to ping the server running Redis I didn’t have much luck…

$ ping -c 10 -W 1 172.24.16.119
PING 172.24.16.119 (172.24.16.119) 56(84) bytes of data.

--- 172.24.16.119 ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 9999ms

GROUP-ing a product collection the right way with groupByAttribute

Published: March 12, 2017

Recently, I was reworking the implementation of a featured products widget which showed up on the home page. In order to show a variety of products we decided to GROUP BY manufacturer. This way only one product would show up per brand. The initial implementation looked something like this…

$collection = Mage::getModel('catalog/product')->getCollection();

// Do some other logic

$collection->getSelect()->group('e.manufacturer_value');

This was working fine in dev (and production). However, when I merged some new code into the develop branch and deployed it to staging I started getting exceptions.

Magento's "Use HTTP Only" Cookie Setting

Published: March 8, 2017

Recently, while checking out Mozilla Observatory I learned about the HttpOnly Set-Cookie directive. If you’re not familiar with it, here’s an explanation from MDN…

HTTP-only cookies aren’t accessible via JavaScript through the Document.cookie property, the XMLHttpRequest and Request APIs to prevent attacks against cross-site scripting (XSS).

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#Directives

The “HttpOnly” name is a bit confusing and is sometimes misinterpreted as having something to do with HTTP vs HTTPS. However, that is not the case. The idea is that the cookie is made available to the server as part of the HTTP request (“HTTP only”), while scripts running in the browser have no access to it.

This provides a layer of security against XSS as, even if an attacker is able to get malicious script to execute on a web page, the attacker won’t be able to access precious cookies, which are often the only key needed to compromise a user (or admin) account.

This got me interested in investigating how Magento manages that flag. I decided to dig in to get a better understanding. Here, I’ll document my findings…