# How can we enforce better Magento extensions? ## and get rid of the weak #### by Jisse Reitsma (Yireo)
# );sse Reitsma - <!-- .element: class="fragment" -->Founder of Yireo - <!-- .element: class="fragment" -->Trainer of Magento 2 developers - <!-- .element: class="fragment" -->Creator of MageTestFest & Reacticon - <!-- .element: class="fragment" -->Organizer of usergroups, hackathons - <!-- .element: class="fragment" -->Magento Master 2017-2019 Mover - <!-- .element: class="fragment" -->Member of ExtDN (Magento Ext Dev Network)
<img src="images/generic/extdn-large.png"/>
# How can we enforce better Magento extensions?
# We can't
# My talk - <!-- .element: class="fragment" -->Obvious points about extension quality - <!-- .element: class="fragment" -->Bits of psychology - <!-- .element: class="fragment" -->Bits of ranting - <!-- .element: class="fragment" -->Enlighted points - <!-- .element: class="fragment" -->A lot of bullet points like these
# Obvious points about extension quality - <!-- .element: class="fragment" -->Comply to the coding standards - Magento Coding Standard (consolidation project) - <!-- .element: class="fragment" -->Add testing - Unit tests, integration tests, MFTF, acceptance tests - <!-- .element: class="fragment" -->Don't inject the ObjectManager - Except in factories, proxies, builders, tests and more - <!-- .element: class="fragment" -->Don't overwrite core preferences - Unless your module's purpose is exactly that - <!-- .element: class="fragment" -->And so on ...
# Review of a bad extension
# Review of a bad extension (1 of 3) - <!-- .element: class="fragment" -->Dependencies - No `require` dependencies with framework or modules - PHP compatibility with PHP 5.5 (for an Magento 2 extension) - Not all dependencies are in `module.xml` - <!-- .element: class="fragment" -->Coding standards - Prefixing internal variables with an underscore - Code not formatted in PSR-1 or PSR-2 - Long methods with too many features - More than 10 code indents in a single class (Object Calisthenics)
# Review of a bad extension (2 of 3) - ObjectManager stuff - Injecting ObjectManager instead of using DI properly - Calling upon the ObjectManager in PHTML templates via a hidden `factory()` method - Injecting dependencies via constructor DI and then not using those dependencies - Injecting too many dependencies via constructor DI: Code should be SOLID - Suddenly calling upon ObjectManager::getInstance somewhere in the code - Intercepting with an around() plugin where before() or after() is enough already - Relying on the ObjectManager to `get()` a singleton instance, and then still writing your own singleton method - <!-- .element: class="fragment" -->Manual database queries - Manual SQL queries to write to configuration instead of using `\Magento\Framework\App\Config\Storage\WriterInterface` - Defining your own models & collections and then still resorting to manual SQL queries to call upon your tables - Inserting default configuration values via Setup-class instead of using `etc/config.xml` - Manual SQL queries in Setup-classes
# Review of a bad extension (3 of 3) - Theming stuff - Using helpers in General - Too much logic in PHTML templates - Adding CSS instead of LESS - `<argument name="template" translate="true" xsi:type="string">sample.phtml</argument>` - templates are not translatable - <!-- .element: class="fragment" -->Small stuff - Call-to-home via `controller_action_predispatch` event in backend - Base module that does a lot of hard work to add notifications on each backend page - No custom acl.xml for own backend pages and configuration settings (but still defining resources) - Adding inline HTML into a field render class, instead of using a PHTML template - Overriding classes using a DI preference rewrite, instead of using plugins or composition - Extending a class for no reason
# Rating: D (Mordor)
# Why is this bad? - No requirements in composer, so no proper versioning - Not extensible by other developers - More CSS loaded in head - Hard to create theming overrides This is costing money.
# Areas where bad extension cost - Conflicts - Extensibility - Interoperability - Security
# Bits of psychology
# Bits of psychology - <!-- .element: class="fragment" -->Self-interest - <!-- .element: class="fragment" -->Extension providers want to sell extensions - <!-- .element: class="fragment" -->Merchants want to save money where they can - <!-- .element: class="fragment" -->Developers want to go home at 17:00 - <!-- .element: class="fragment" -->Their managers want to drive Porshes - <!-- .element: class="fragment" -->Stubbornness - <!-- .element: class="fragment" -->None of the groups above wants to change - <!-- .element: class="fragment" -->You are always right. The other one is wrong. - <!-- .element: class="fragment" -->You don't want your friends to be bullied at.
# Conclusion: Change is hard.
# My conclusion: Change needs to be enforced.
# Measuring quality with provider X - <!-- .element: class="fragment" -->Not complying to coding standards - Not true for all modern X extensions - <!-- .element: class="fragment" -->No automated tests - X is now gradually implementing unit tests and integration tests - X is also one of the first extension vendors implementing MFTF - <!-- .element: class="fragment" -->Bad usage of `ObjectManager` - Last time I checked an X extension, they did all correctly - <!-- .element: class="fragment" -->And a lot of people are happy with X - X extensions work with X extensions - Fair pricing of extensions
# Rating: 87.42
# What does "rating" mean?
# Quality checking - Doing it yourself - PHPCS, PHPStan, PHPMD - Security scanners: mwscan, eComscan - Magento Marketplace validation - PHPCS, MFTF, Varnish tests - Testing - Unit, integration, end-to-end, functional
# Validation sites - NrJudge - Triplecheck.io (And Magento Marketplace)
# Different environments - Magento 2.1, 2.2, 2.3 - PHP 7.0, 7.1, 7.2 - With and without Varnish - In Developer Mode and Production Mode - <!-- .element: class="fragment" -->Oh and let's add this later to it as well: - GraphQL, Apollo Server, PWA - ElasticSearch 5, 6 - MySQL 5.6, 5.7, 8 (Oracle, MariaDb, Percona)
# The problem of rating - <!-- .element: class="fragment" -->How to calculate the score? - Take average of X rules with Yes/No answer? - Number of unique PHPCS Warnings divided by number of rules? - What about false positives? Manual checking? - <!-- .element: class="fragment" -->What to do with the rating? - Strike 3 and you're out? - When do you stop guiding an extension developer? - <!-- .element: class="fragment" -->When to rate? - Every time a new release is uploaded? (free CI tool) - <!-- .element: class="fragment" -->Edge cases - What about 1000s of low level warnings? - What about 1 major security issue?
# Rating is hard ## So let's focus on the really really bad extensions first
# If really really bad extensions are rated so badly, still using them is straight-out stupid. But a reality check shows that people are still using bad extensions everywhere.
# How to drop the legacy?
# Legacy in the Magento Marketplace - <!-- .element: class="fragment" -->Magento Marketplace grew too quickly - Replacement of MagentoConnect legacy - Initial extension submission got in, but no checks for additional versions - <!-- .element: class="fragment" -->Coding standards were (are?) not mature yet - Is using `json_encode` a security hazard? - How to check for bad usage with the Object Manager? Tests? Factories?
# Changes in Magento Marketplace - MFTF becomes more important - Automated testing is now done on every release - EQP2 is going to open up tooling to the community - Rating extensions is currently being investigated - Kicking out extensions is currently being investigated
<h1>The night is darkest just before the dawn.</h1> <h1 class="fragment">And I promise you, the dawn is coming.</h1> <h4 class="fragment">Harvey (Two-Face) Dent from "The Dark Knight"<br/>before he changes into a psychotic SoB</h4>
# Challenges in the market - <!-- .element: class="fragment" -->Two Face Magento - Magento versus Adobe - Community versus high-end enterprise - <!-- .element: class="fragment" -->PWA versus monolithic - Drop the Knockout legacy and go PWA - Extension quality remains for backend only - It is unsure how Magento extensions should extend React/Vue behaviour - <!-- .element: class="fragment" -->Market is shifting - Small shop owners move elsewhere (Shopware, BigCommerce) - Serious shop owners spend more on custom development ($$$) - And how do extensions fit into this new market? - <!-- .element: class="fragment" -->Brexit - Mwoahahaha
# What can we do together?
# What can we do together? - <!-- .element: class="fragment" -->Drop bad extensions - Stop using bad extensions, because they cost money - Call out in the community for same features but good extension instead - Promote knowledge on why bad extensions are bad - <!-- .element: class="fragment" -->Help with the relevant Magento projects - Magento Coding Standard (PHPCS) - Slack channels (marketplace, phpcs, testing) - Promote MFTF, Integration Testing, Unit Testing and other code quality tools - Send comments on bad extensions to the Magento Marketplace team - <!-- .element: class="fragment" -->Help ExtDN do its real work - Spread the word on good extensions - Spread our flyers on quality and standards - Feedback: Send us your poor and your weak! [jisse@yireo.com](mailto:jisse@yireo.com)
# Drop the legacy
# All right # Thanks