
Remove default value for APP_SECRET #140

Open: wants to merge 1 commit into main

Conversation

JoshuaBehrens (Author) commented

Having a secret generated for you is fun until you use gitleaks. AFAIK the secret should be different for each hosting stage (prod, quality, test, dev, ...), so forcing one to generate a value for each stage would be a better approach. One could also ignore .env in gitleaks, but eventually you are ignoring the most vulnerable file for leaked secrets.
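As an added example (not part of the recipe or this PR), a POSIX shell check for the workflow the comment proposes: the committed .env keeps APP_SECRET blank, each stage carries its own non-empty value in an uncommitted file, and a missing value is generated rather than copied between stages. The `.env.<stage>.local` file names follow the Symfony Dotenv convention and are an assumption here; the sample file contents are constructed.

```shell
#!/bin/sh
# Added example, not from the recipe or this PR: once the manifest stops
# generating APP_SECRET, every stage must supply its own value out of band.
# Convention assumed: Symfony Dotenv file names, i.e. the committed .env and
# an uncommitted .env.<stage>.local per stage. Sample contents are constructed.

# Print the last APP_SECRET= assignment in an env file, quotes stripped;
# prints nothing when the file or the variable is missing or blank.
app_secret_value() {
    sed -n 's/^APP_SECRET=//p' "$1" 2>/dev/null | tail -n 1 | tr -d "'\""
}

# Succeeds when the committed file carries no real secret (this is what
# a scanner such as gitleaks would otherwise flag).
committed_env_is_clean() {
    [ -z "$(app_secret_value "$1")" ]
}

# Make sure a stage file has a non-empty APP_SECRET, generating 32 random
# bytes as hex when it is absent. Succeeds when a value is present afterwards.
ensure_stage_secret() {
    file="$1"
    if [ -z "$(app_secret_value "$file")" ]; then
        secret=$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')
        printf 'APP_SECRET=%s\n' "$secret" >> "$file"
    fi
    value=$(app_secret_value "$file")
    [ "${#value}" -ge 32 ]
}

# Succeeds when two stage files hold different, non-empty secrets.
stages_differ() {
    a=$(app_secret_value "$1")
    b=$(app_secret_value "$2")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" != "$b" ]
}

# Walk through the whole flow on a constructed project directory.
demo() {
    dir=$(mktemp -d)
    # Committed .env as the patched recipe would write it: APP_SECRET blank.
    printf 'APP_ENV=prod\nAPP_SECRET=\n' > "$dir/.env"
    committed_env_is_clean "$dir/.env" || return 1
    ensure_stage_secret "$dir/.env.prod.local" || return 1
    ensure_stage_secret "$dir/.env.test.local" || return 1
    stages_differ "$dir/.env.prod.local" "$dir/.env.test.local" || return 1
    rm -rf "$dir"
}

demo && echo "per-stage secrets present, committed .env clean"
```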


Thanks for the PR 😍

How to test these changes in your application

  1. Add the Shopware flex endpoint in your composer.json to https://raw.githubusercontent.com/shopware/recipes/flex/pull-140/index.json.

    # When jq is installed
    jq '.extra.symfony.endpoint |= [ "https://raw.githubusercontent.com/shopware/recipes/flex/pull-140/index.json" ] + .' composer.json > composer.tmp && mv composer.tmp composer.json

    or manually

    "endpoint": [
        "https://raw.githubusercontent.com/shopware/recipes/flex/pull-140/index.json",
        "https://raw.githubusercontent.com/shopware/recipes/flex/main/index.json",
        "flex://defaults"
    ]
  2. Install the package(s) related to this recipe:

    composer req 'shopware/core:^6.7'

Diff between recipe versions

In order to help with the review stage, I'm in charge of computing the diff between the various versions of patched recipes.
I'm going to keep this comment up to date with any updates of the attached patch.

shopware/core

6.4 vs 6.6
diff --git a/shopware/core/6.4/bin/ci b/shopware/core/6.6/bin/ci
index e9f453b..661c0fa 100755
--- a/shopware/core/6.4/bin/ci
+++ b/shopware/core/6.6/bin/ci
@@ -3,7 +3,6 @@
 
 use Shopware\Core\Framework\Adapter\Kernel\KernelFactory;
 use Shopware\Core\Framework\Plugin\KernelPluginLoader\ComposerPluginLoader;
-use Shopware\Core\HttpKernel;
 use Symfony\Bundle\FrameworkBundle\Console\Application;
 use Symfony\Component\Console\Input\ArgvInput;
 
@@ -39,18 +38,12 @@ return static function (array &$context) {
         $_SERVER['DATABASE_URL'] = 'mysql://_placeholder.test';
     }
 
-    if (method_exists(KernelFactory::class, "create")) {
-        $kernel = KernelFactory::create(
-            environment: $env,
-            debug: $debug,
-            classLoader: $classLoader,
-            pluginLoader: new ComposerPluginLoader($classLoader, null)
-        );
-    } else {
-        $kernel = new HttpKernel($env, $debug, $classLoader);
-        $kernel->setPluginLoader(new ComposerPluginLoader($classLoader, null));
-        $kernel = $kernel->getKernel();
-    }
+    $kernel = KernelFactory::create(
+        environment: $env,
+        debug: $debug,
+        classLoader: $classLoader,
+        pluginLoader: new ComposerPluginLoader($classLoader, null),
+    );
 
     $application = new Application($kernel);
     $kernel->boot();
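Review bot: The trailing comma after `pluginLoader: new ComposerPluginLoader($classLoader, null),` in the new `KernelFactory::create(` call needs PHP 8.0+, and dropping the `method_exists(KernelFactory::class, "create")` fallback makes that factory method a hard requirement of this `bin/ci`. Both are acceptable for the 6.6 recipe, but the 6.4 variant keeps the `HttpKernel` fallback for older cores, so this file must not be copied back to 6.4.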
diff --git a/shopware/core/6.4/bin/console b/shopware/core/6.6/bin/console
index 6ec51be..5d89fb3 100755
--- a/shopware/core/6.4/bin/console
+++ b/shopware/core/6.6/bin/console
@@ -4,7 +4,6 @@
 use Shopware\Core\Framework\Adapter\Kernel\KernelFactory;
 use Shopware\Core\Framework\Plugin\KernelPluginLoader\DbalKernelPluginLoader;
 use Shopware\Core\Framework\Plugin\KernelPluginLoader\StaticKernelPluginLoader;
-use Shopware\Core\HttpKernel;
 use Shopware\Core\Kernel;
 use Symfony\Bundle\FrameworkBundle\Console\Application;
 use Symfony\Component\Console\Input\ArgvInput;
@@ -40,25 +39,16 @@ return static function (array &$context) {
         $context['INSTALL'] = true;
     }
 
-    if (trim($context['DATABASE_URL'] ?? '') === '') {
-        // fake DATABASE_URL
-        $_SERVER['DATABASE_URL'] = 'mysql://_placeholder.test';
-    } else if (!isset($context['INSTALL'])) {
-        $pluginLoader = new DbalKernelPluginLoader($classLoader, null, \Shopware\Core\Kernel::getConnection());
+    if (trim($context['DATABASE_URL'] ?? '') !== '' && !isset($context['INSTALL'])) {
+        $pluginLoader = new DbalKernelPluginLoader($classLoader, null, Kernel::getConnection());
     }
 
-    if (method_exists(KernelFactory::class, "create")) {
-        $kernel = KernelFactory::create(
-            environment: $env,
-            debug: $debug,
-            classLoader: $classLoader,
-            pluginLoader: $pluginLoader
-        );
-    } else {
-        $kernel = new HttpKernel($env, $debug, $classLoader);
-        $kernel->setPluginLoader($pluginLoader);
-        $kernel = $kernel->getKernel();
-    }
+    $kernel = KernelFactory::create(
+        environment: $env,
+        debug: $debug,
+        classLoader: $classLoader,
+        pluginLoader: $pluginLoader
+    );
 
     $application = new Application($kernel);
     $kernel->boot();
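Review bot: The removed branch set `$_SERVER['DATABASE_URL'] = 'mysql://_placeholder.test'` whenever `DATABASE_URL` was empty; the new condition `trim($context['DATABASE_URL'] ?? '') !== '' && !isset($context['INSTALL'])` only decides whether to build a `DbalKernelPluginLoader`, so confirm the console still boots without a database (the install and cache-clear paths) or that the placeholder is set elsewhere. `$pluginLoader` is also only assigned inside the `if`; it must be initialised above this hunk (the `StaticKernelPluginLoader` import suggests a default), otherwise `KernelFactory::create` receives an undefined variable.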
diff --git a/shopware/core/6.4/config/packages/shopware.yaml b/shopware/core/6.4/config/packages/shopware.yaml
deleted file mode 100644
index 0ecf72d..0000000
--- a/shopware/core/6.4/config/packages/shopware.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-# Using the webupdater will overwrite this file. Create a second file z-shopware.yaml to override the config
-
-shopware:
-    auto_update:
-        # Disables the auto updater in the UI
-#        enabled: false
-    admin_worker:
-# The Admin worker should be disabled on production server.
-#       enable_admin_worker: false
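Review bot: Deleting `config/packages/shopware.yaml` also removes the only in-recipe hint that `enable_admin_worker` should be off on production servers and the commented `auto_update.enabled` switch. Both were commented out, so nothing changes functionally, but the production guidance should move to the documentation or the post-install text rather than disappear.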
diff --git a/shopware/core/6.4/manifest.json b/shopware/core/6.6/manifest.json
index c3ef08c..45b95ac 100644
--- a/shopware/core/6.4/manifest.json
+++ b/shopware/core/6.6/manifest.json
@@ -40,7 +40,7 @@
     "env": {
         "APP_ENV": "prod",
         "APP_URL": "http://127.0.0.1:8000",
-        "APP_SECRET": "%generate(secret)%",
+        "APP_SECRET": "",
         "INSTANCE_ID": "%generate(secret)%",
         "BLUE_GREEN_DEPLOYMENT": "0",
         "DATABASE_URL": "mysql://root:root@localhost/shopware",
@@ -62,8 +62,7 @@
         "!/var/.htaccess",
         "/auth.json",
         "/install.lock",
-        "public/asset-manifest.json",
-        "files/asset-manifest.json"
+        "public/asset-manifest.json"
     ],
     "composer-scripts": {
         "assets:install": "symfony-cmd"
diff --git a/shopware/core/6.4/post-install.txt b/shopware/core/6.6/post-install.txt
index 36869a6..18d1b8f 100644
--- a/shopware/core/6.4/post-install.txt
+++ b/shopware/core/6.6/post-install.txt
@@ -19,8 +19,3 @@
     5. Optional: Open the Mail catcher with symfony open:local:webmail
 
   * Read the documentation at https://developer.shopware.com/
-
-  * Warning if updating from older versions of the production template:
-
-    There might be old `require-dev` dependencies in your `composer.json` file. Please remove them before updating shopware/core to versions >= v6.4.
-    You can do it using this command: composer config --unset require-dev
diff --git a/shopware/core/6.4/public/index.php b/shopware/core/6.6/public/index.php
index eb330c6..61c8694 100644
--- a/shopware/core/6.4/public/index.php
+++ b/shopware/core/6.6/public/index.php
@@ -2,13 +2,9 @@
 
 use Shopware\Core\DevOps\Environment\EnvironmentHelper;
 use Shopware\Core\Framework\Plugin\KernelPluginLoader\ComposerPluginLoader;
-use Shopware\Core\HttpKernel;
 use Shopware\Core\Installer\InstallerKernel;
-use Symfony\Component\HttpFoundation\Request;
 use Shopware\Core\Framework\Adapter\Kernel\KernelFactory;
 use Symfony\Component\HttpFoundation\Response;
-use Symfony\Component\HttpKernel\HttpKernelInterface;
-use Symfony\Component\HttpKernel\TerminableInterface;
 
 $_SERVER['SCRIPT_FILENAME'] = __FILE__;
 
@@ -34,62 +30,20 @@ return function (array $context) {
     $appEnv = $context['APP_ENV'] ?? 'dev';
     $debug = (bool) ($context['APP_DEBUG'] ?? ($appEnv !== 'prod'));
 
-    $trustedProxies = $context['TRUSTED_PROXIES'] ?? false;
-    if ($trustedProxies) {
-        Request::setTrustedProxies(
-            explode(',', $trustedProxies),
-            Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO
-        );
-    }
-
-    $trustedHosts = $context['TRUSTED_HOSTS'] ?? false;
-    if ($trustedHosts) {
-        Request::setTrustedHosts(explode(',', $trustedHosts));
-    }
-
     if (!EnvironmentHelper::getVariable('SHOPWARE_SKIP_WEBINSTALLER', false) && !file_exists(dirname(__DIR__) . '/install.lock')) {
         return new InstallerKernel($appEnv, $debug);
     }
 
-    if (method_exists(KernelFactory::class, "create")) {
-        $pluginLoader = null;
-        if (EnvironmentHelper::getVariable('COMPOSER_PLUGIN_LOADER', false)) {
-            $pluginLoader = new ComposerPluginLoader($classLoader, null);
-        }
-
-        return KernelFactory::create(
-            environment: $appEnv,
-            debug: $debug,
-            classLoader: $classLoader,
-            pluginLoader: $pluginLoader
-        );
-    }
-
-    $shopwareHttpKernel = new HttpKernel($appEnv, $debug, $classLoader);
+    $pluginLoader = null;
 
     if (EnvironmentHelper::getVariable('COMPOSER_PLUGIN_LOADER', false)) {
-        $shopwareHttpKernel->setPluginLoader(
-            new ComposerPluginLoader($classLoader, null)
-        );
+        $pluginLoader = new ComposerPluginLoader($classLoader, null);
     }
 
-    return new class($shopwareHttpKernel) implements HttpKernelInterface, TerminableInterface {
-        private HttpKernel $httpKernel;
-
-        public function __construct(HttpKernel $httpKernel)
-        {
-            $this->httpKernel = $httpKernel;
-        }
-
-        public function handle(Request $request, int $type = self::MAIN_REQUEST, bool $catch = true): Response
-        {
-            return $this->httpKernel->handle($request, $type, $catch)->getResponse();
-        }
-
-        public function terminate(Request $request, Response $response): void
-        {
-            $this->httpKernel->terminate($request, $response);
-        }
-    };
+    return KernelFactory::create(
+        environment: $appEnv,
+        debug: $debug,
+        classLoader: $classLoader,
+        pluginLoader: $pluginLoader
+    );
 };
-
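Review bot: This hunk drops the `TRUSTED_PROXIES` and `TRUSTED_HOSTS` handling (`Request::setTrustedProxies(...)` with the `HEADER_X_FORWARDED_FOR | HEADER_X_FORWARDED_PORT | HEADER_X_FORWARDED_PROTO` set, and `Request::setTrustedHosts(...)`) from the front controller without showing where it moves. Unless the 6.6 framework configuration reads these variables itself, deployments behind a reverse proxy lose correct client IP and scheme detection as well as host validation, so the replacement configuration should be pointed out before this is merged.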
6.6 vs 6.7
diff --git a/shopware/core/6.6/bin/build-js.sh b/shopware/core/6.7/bin/build-js.sh
old mode 100755
new mode 100644
diff --git a/shopware/core/6.6/bin/ci b/shopware/core/6.7/bin/ci
old mode 100755
new mode 100644
diff --git a/shopware/core/6.6/bin/console b/shopware/core/6.7/bin/console
old mode 100755
new mode 100644
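Review bot: The three `old mode 100755` / `new mode 100644` entries strip the executable bit from `bin/build-js.sh`, `bin/ci` and `bin/console` in the 6.7 copy. If that is unintentional, `bin/console` can no longer be run directly after the recipe is applied; if it is intentional, say so in the commit message.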
diff --git a/shopware/core/6.6/manifest.json b/shopware/core/6.7/manifest.json
index 45b95ac..6902307 100644
--- a/shopware/core/6.6/manifest.json
+++ b/shopware/core/6.7/manifest.json
@@ -40,7 +40,7 @@
     "env": {
         "APP_ENV": "prod",
         "APP_URL": "http://127.0.0.1:8000",
-        "APP_SECRET": "",
+        "APP_SECRET": "%generate(secret)%",
         "INSTANCE_ID": "%generate(secret)%",
         "BLUE_GREEN_DEPLOYMENT": "0",
         "DATABASE_URL": "mysql://root:root@localhost/shopware",
diff --git a/shopware/core/6.6/public/.htaccess.dist b/shopware/core/6.7/public/.htaccess.dist
index 62601e5..dab5148 100644
--- a/shopware/core/6.6/public/.htaccess.dist
+++ b/shopware/core/6.7/public/.htaccess.dist
@@ -26,6 +26,7 @@ DirectoryIndex index.php
     RewriteRule ^ - [L]
 
     # Rewrite all other queries to the front controller.
+    RewriteCond %{REQUEST_URI} !^/(theme|media|thumbnail|bundles|css|fonts|js|recovery|sitemap) [NC]    
     RewriteRule ^ %{ENV:BASE}/index.php [L]
 </IfModule>
 
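Review bot: The added `RewriteCond %{REQUEST_URI} !^/(theme|media|thumbnail|bundles|css|fonts|js|recovery|sitemap) [NC]` carries trailing whitespace and, more importantly, keeps requests under those prefixes away from `index.php`, so a missing asset now yields Apache's own 404 instead of a Shopware response; confirm `recovery` and `sitemap` are served as static files in 6.7 and are not expected to reach the front controller.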

shyim (Member) commented Nov 1, 2024

This breaks new Shopware installations, as the app secret is required.

JoshuaBehrens (Author) commented

@shyim I understand that we cannot really merge it like this. Can you follow up on my thoughts, though? Maybe I am not on the right track ^^'

shyim (Member) commented Nov 5, 2024

I think this should be solved with docs 🤔 to also follow how Symfony itself handles this
