Piggybak: End of Year Update
Over the last few months, my coworkers and I have shared several updates on Piggybak progress (October 2012 Piggybak Roadmap, November 2012 Piggybak Roadmap Status Update). Piggybak is an open source Ruby on Rails ecommerce platform, mountable as a Rails Engine, developed and maintained by End Point. Here’s a brief background on Piggybak followed by an end of year update with some recent Piggybak news.
A Brief Background
Over the many years that End Point has been around, we’ve amassed a large amount of experience working with various ecommerce frameworks, open source and proprietary. A large portion of End Point’s recent development work (we also offer database, hosting, and Liquid Galaxy support) has been with Interchange, a Perl-based open source ecommerce framework, and Spree, a Ruby on Rails based open source ecommerce framework. Things came together for Piggybak earlier this year when a new client project prompted the need for a more flexible and customizable Ruby on Rails ecommerce solution. Piggybak also leveraged earlier work that I did with lightweight Sinatra-based cart functionality.
Jump ahead a few months, and now Piggybak is a strong base for …
ecommerce piggybak rails
Find your Perl in Other Shells
Often when programming, it turns out the best tools for the job are system tools, even in an excellent language like Perl. Perl makes this easy with a number of ways you can allocate work to the underlying system: backtick quotes, qx(), system(), exec(), and open(). Virtually anyone familiar with Perl is familiar with most or all of these ways of executing system commands.
What’s perhaps less familiar, and a bit more subtle, is what Perl really does when it hands these off to the underlying system to execute. The docs for exec() tell us the following:
exec LIST
exec PROGRAM LIST
[snip]
If there is more than one argument in LIST, or if LIST is an
array with more than one value, calls execvp(3) with the
arguments in LIST. If there is only one scalar argument or an
array with one element in it, the argument is checked for shell
metacharacters, and if there are any, the entire argument is
passed to the system's command shell for parsing (this is
"/bin/sh -c" on Unix platforms, but varies on other platforms).
That last parenthetical is a key element when we “shell …
perl
Redirect from HTTP to HTTPS before basic auth
While reviewing PCI scan results for a client, I found that the scanner had flagged a private admin URL that requests HTTP basic auth over plain HTTP. The admin portion of the site has its own authentication method and is served completely over HTTPS. We have a second layer of protection with basic auth, but the issue is that the basic auth username and password could be snooped, since the URL can be reached via HTTP.
My initial research and attempts at fixing the problem did not work out as intended, until I found this blog post on the subject. The blog laid out all of the ways that I had already tried and then presented a new solution.
I followed the recommended hack, which is to use SSLRequireSSL in a Location block matching the admin, together with a custom 403 ErrorDocument. This 403 ErrorDocument does a bit of munging of the URL and redirects from HTTP to HTTPS. The instructions in the blog did have one issue: in our environment I could not serve the 403 document from the admin area; I had to put it somewhere that could be accessed over HTTP and by the public. I’m not sure how it could work when served from a URL that requires SSL and is protected by basic auth. The reason that this hack …
apache audit hosting security
Announcing Ruby gem: email_verifier
How many times have you tried to provide a really nice validation solution for fields containing user emails? Most of the time, the best we can come up with is some long and incomprehensible regex we find on StackOverflow or somewhere else on the Internet.
But that’s really only a partial solution. As tricky as email format correctness is to get right using regular expressions, it doesn’t provide us with any assurance that the email address the user entered actually exists.
But it does a great job at finding some typos and misspellings… right?
Yes, but I’d argue that it doesn’t cover the full range of that kind of data entry error. The user could fill in ‘whatever’ and traditional validation through regexes would do a great job at finding out that it’s not really an email address. But what I’m concerned with here are all those situations when I fat-finger kaml@endpoint.com instead of kamil@endpoint.com.
Some would argue at this point that it’s still recoverable, since I can find out about the error on the next page in a submission workflow, but I don’t want to spend another several minutes going through …
ruby rails
SFTP virtual users with ProFTPD and Rails: Part 1
I recently worked on a Rails 3.2 project that used the sweet PLupload JavaScript/Flash upload tool to upload files to the web app. To make it easier for users to upload large and/or remote files to the app, we also wanted to let them upload via SFTP. The catch was, our users didn’t have SFTP accounts on our server and we didn’t want to get into the business of creating and managing SFTP accounts. Enter: ProFTPD and virtual users.
ProFTPD’s virtual users concept allows you to point ProFTPD at a SQL database for your user and group authentication. This means SFTP logins don’t need actual system logins (although you can mix and match if you want). Naturally, this is perfect for dynamically creating and destroying SFTP accounts. Give your web app the ability to create disposable SFTP credentials and automatically clean up after the user is done with them, and you have a self-maintaining system.
Starting from the inside out, you need to configure ProFTPD to enable virtual users. Here are the relevant parts from our proftpd.conf:
##
# Begin proftpd.conf excerpt. For explanation of individual config directives, see the
# great ProFTPD docs at …
database mysql postgres ruby rails sysadmin
Verify Addresses the Easy Way with SmartyStreets
Adding an address form is a pretty common activity in web apps, and even more so in ecommerce web apps. Validations on forms allow us to guide the user to fill out all required fields and to make sure the fields conform to basic formats. Up until now, going further with addresses to verify they actually exist in the real world was a difficult enough task that most developers wouldn’t bother with it. Imagine, though, the cost to the merchant who ships something to the wrong state because the customer accidentally selected “SD” (South Dakota) when they thought they were selecting “SC” (South Carolina), a simple enough mistake to make and one that wouldn’t be caught by most address forms. In today’s ecommerce world customers expect deliveries to be fast and reliable, and in this case the customer would have to wait until the package is returned to the merchant marked “Address Unknown”, only to wait even longer for the reshipment. Even worse for the merchant, maybe the package never gets returned.
SmartyStreets is a new API web app that I implemented for our client Mobixa, a web app that allows people to sell their used …
ecommerce javascript api
Advanced Product Options (Variants) in Piggybak
About a month ago, Tim Case and I developed and released a Piggybak extension piggybak_variants, which provides advanced product optioning (or variant) support in Piggybak. Piggybak is an open source Ruby on Rails ecommerce platform developed and maintained by End Point. Here, I discuss the background and basics of the extension.
Motivation & Background
The motivation for this extension was the common ecommerce need for product options (e.g. size, color), where each variation shares high-level product information such as a title and description, but variants have different options, quantities available, and prices. Having been intimately familiar with Spree, another open source Ruby on Rails ecommerce framework, we decided to borrow from Spree’s product optioning data model after seeing its flexibility succeed over many projects. The resulting model is similar to Spree’s data model, but a bit different because of Piggybak’s mountable design.

Spree’s data model for advanced product optioning. A product has many variants. Each variant has and belongs to many option values. A product also has many options, which define …
ecommerce piggybak rails
Lazy AJAX
Don’t do this, at least not without a good reason. It’s not the way to design AJAX interfaces from scratch, but it serves well in a pinch, where you have an existing CGI-based page and you don’t want to spend a lot of time rewriting it.
I was in a hurry, and the page involved was a seldom-used administration page. I was attempting to convert it into an AJAX-enabled setup, wherein the page would stand still, but various parts of it could be updated with form controls, each of which would fire off an AJAX request, and use the data returned to update the page.
However, one part of it just wasn’t amenable to this approach, or at least not in a quick-and-dirty way. This part had a relatively large amount of inline interpolated (Interchange) data (if you don’t know what Interchange is, you can substitute “PHP” in that last sentence and you’ll be close enough). I wanted to run the page back through the server-side processing, but only cared about (and would discard all but) one element of the page.
My lazy-programmer’s approach was to submit the page itself as an AJAX request:
$.ajax({
url: '/@_MV_PAGE_@',
data: { …
interchange javascript jquery