Custom module causing “Circular dependency” error after upgrading to Magento 2.3.2

I have a custom module with a plugin for Magento\Framework\Encryption\Encryptor that seems to be causing issues after upgrading to Magento 2.3.2 (from 2.3.1). When I disable the module, everything works fine. When I enable it, I get “No commands in the namespace” for any namespace I try to use. When I run bin/magento list I get a more detailed error message:

    In ServiceManager.php line 1130:
      An abstract factory could not create an instance of magentosetupconsolecommandbackupcommand(alias: Magento\Setup\Console\Command\BackupCommand).

    In ServiceManager.php line 941:
      An exception was raised while creating "Magento\Setup\Console\Command\BackupCommand"; no instance returned

    In Di.php line 865:
      Missing instance/object for parameter maintenanceMode for Magento\Setup\Console\Command\BackupCommand::__construct

    In ServiceManager.php line 1130:
      An abstract factory could not create an instance of magentoframeworkappmaintenancemode(alias: Magento\Framework\App\MaintenanceMode).

    In ServiceManager.php line 941:
      An exception was raised while creating "Magento\Framework\App\MaintenanceMode"; no instance returned

    In Developer.php line 55:
      Circular dependency: Magento\Framework\Logger\Monolog depends on Magento\Framework\Cache\InvalidateLogger and vice versa.

I’m fairly certain that it’s the plugin on Encryptor causing this, because when I remove that plugin from di.xml the error goes away.

I’ve also tried commenting out all of the methods from the plugin, so that it’s just an empty class, but the error persists. It appears to be the bare fact that there is a plugin registered for that class that is causing the error.

Any ideas why this might be? I’m not sure why enabling a plugin would appear to cause an error somewhere else entirely, especially when that plugin doesn’t even have any methods in it.

Leverage browser caching, Amazon Pay Module & Google Recaptcha Module

Is there a way I can cache the following external content? It is lowering my page score.

    https://coin.amazonpay.com/cs/uedata (expiration not specified)
    https://coin.amazonpay.com/rb/checkStatus (expiration not specified)
    https://static-na.payments-amazon.com/OffAmazonPayments/us/js/Widgets.js?nomin (20 minutes)
    https://static-na.payments-amazon.com/v2/login.js (20 minutes)
    https://www.google-analytics.com/analytics.js (2 hours)
    https://www.google.com/recaptcha/api.js?onload=globalOnRecaptchaOnLoadCallback&render=explicit (5 minutes)
    https://www.google.com/recaptcha/api.js?onload=recaptchaOnload&render=explicit

How to place custom template (phtml) file in local module directory instead of default template directory

I am creating a new module for my Magento project where I have a few template files which get appended to catalog_product_view, catalog_category_default, checkout_cart_index and a few other pages.

Currently, I have placed my module configuration file in design/fontend/base/default/layout/modulename_subfolder.xml and the template file is placed at

design/frontend/base/default/template/modulename/subfolder/my_product_view.phtml 

I want to move these XML and phtml files to local/modulename/subfolder.

I have tried creating the same folder structure in my module folder but it didn’t work.

design/fontend/base/default/layout/modulename_subfolder.xml

    <layout version="0.1.0">
      <catalog_product_view>
        <reference name="content">
          <block type="core/template" name="modulename_subfolder_product_view_block" template="modulename/subfolder/my_catalog_product_view.phtml" />
        </reference>
      </catalog_product_view>
    </layout>

Moving a vendor module to new cron group in magento 2

We are utilizing the Firebear module to import product and pricing data, which runs in the default cron group. The import takes quite a bit of time/resources, so it was recommended to move the Firebear cron to its own group. The Firebear crontab.xml is currently set up like so:

vagrant/tmp/vendor/firebear/importexport/etc/crontab.xml 
    <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Cron:etc/crontab.xsd">
        <group id="default">
            <job name="importexport_jobs_run_id" instance="Firebear\ImportExport\Cron\RunImportJobs" method="execute">
                <schedule>*/1 * * * *</schedule>
            </job>
            <job name="importexport_export_jobs_run_id" instance="Firebear\ImportExport\Cron\RunExportJobs" method="execute">
                <schedule>*/1 * * * *</schedule>
            </job>
        </group>
    </config>

At a high level I will need to:

1 – create new cron group
2 – override Firebear crontab to run in new group

Any help on the process to accomplish this will be much appreciated.

How to properly inject PriceResolverInterface to my module class

I am trying to inject a \Magento\ConfigurableProduct\Pricing\Price\PriceResolverInterface via the constructor so that I can properly resolve configurable product prices. However, whenever I add it, dependency injection fails, unlike other classes.

e.g.

    public function __construct(
        ProductRepositoryInterface $productRepository,
        CategoryRepositoryInterface $categoryRepository,
        LoggerInterface $logger,
        SearchCriteriaBuilderFactory $searchCriteriaBuilderFactory,
        CollectionFactory $collectionFactory,
        Product $productModel,
        Data $helper,
        \Magento\Framework\Filesystem\DirectoryList $directoryList,
        StoreManagerInterface $storeManager,
        \Magento\ConfigurableProduct\Model\Product\Type\Configurable $configurableType,
        State $state,
        PriceResolverInterface $configurableRegularPrice
    )

yields

    PHP Fatal error:  Uncaught Error: Cannot instantiate interface Magento\ConfigurableProduct\Pricing\Price\PriceResolverInterface in /private/magento/2x/default/httpdocs/vendor/magento/framework/ObjectManager/Factory/Dynamic/Developer.php:50
    Stack trace:
    #0 /private/magento/2x/default/httpdocs/vendor/magento/framework/ObjectManager/ObjectManager.php(70): Magento\Framework\ObjectManager\Factory\Dynamic\Developer->create('Magento\Configu...')
    #1 /private/magento/2x/default/httpdocs/vendor/magento/framework/ObjectManager/Factory/AbstractFactory.php(160): Magento\Framework\ObjectManager\ObjectManager->get('Magento\Configu...')
    #2 /private/magento/2x/default/httpdocs/vendor/magento/framework/ObjectManager/Factory/AbstractFactory.php(246): Magento\Framework\ObjectManager\Factory\AbstractFactory->resolveArgument(Array, 'Magento\Configu...', NULL, 'configurableReg...', 'Vendor\Module...')
    #3 /private/magento/2x/default/httpdocs/vendor/magento/framework/ObjectManager/Factory/Dynamic/Developer.php(34): Magento\Framework\ObjectManage in /private/magento/2x/default/httpdocs/vendor/magento/framework/ObjectManager/Factory/Dynamic/Developer.php on line 50

I’ve tried injecting various different stuff from configurableproduct module and it keeps failing.

Other things I’ve tried:

\Magento\ConfigurableProduct\Pricing\Price\RegularPriceResolver

\Magento\ConfigurableProduct\Pricing\Price\FinalPriceResolver

Could someone explain to me why those classes won’t work with the normal constructor dependency injection system and what I need to do to get them to work?

Thanks in advance

Does the use of a Hardware Security Module improve the security of a password storage?


Basic Assumptions

Let us assume I work for a company, which aims to authenticate users using traditional usernames and passwords. The company currently uses a slow key-derivation function to hash passwords, such as Argon2, scrypt or PBKDF2.

It is further assumed that a network HSM can calculate the HMAC of a string with a stored key, but cannot calculate a KDF on its own.

The Idea

One of the developers now had an idea of using a Hardware Security Module to further secure the credentials. He had the idea to use the HMAC of the password as the input for the key derivation function, since the actual key for the HMAC function is stored inside the HSM and can’t be extracted. So here, in pseudo-code, is first the old login code, and then the new login code:

    // Old Login Code
    function Authenticate(input) {
        user = DB.getUser(input.username);
        if (user == null) return false; //User does not exist

        kdf = Argon2id;
        return kdf.verify(user.password, input.password);
    }

And here is the new login code:

    // New Login Code
    function Authenticate(input) {
        user = DB.getUser(input.username);
        if (user == null) return false; //User does not exist

        kdf = Argon2id;

        keyedHash = HSM.getHMAC(input.password, useInternalKey=true);
        return kdf.verify(user.password, keyedHash);
    }

My Reasoning

This seems to overall improve the security, because an attacker who is able to steal the database, would also need access to the HSM to attempt to crack the keys. Even if an attacker knows their own password, the key stored inside the HSM is sufficiently long that attempting to brute-force the key would not be feasible.

While an attacker with control over the database might be able to send password candidates to the HSM to get the keyed hashes in return, it will:

  • severely limit the amount of candidates the attacker can attempt per second
  • likely cause the network administrators to see unusual network traffic and detect the breach

Possible Downsides

I am aware of “Never Roll Your Own!”, and I believe that this is not “my own algorithm”.

Furthermore, I understand that, should the HSM ever lose the key, users would now not be able to log in anymore. This problem could be solved by using a backup HSM and storing the key there as well.

My question

Does this scheme make any sense? Does it actually prevent an attacker from being able to recover passwords? Or is it just an excuse for the IT team to spend lots of money to get a shiny new thing?
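
The scheme described in the question above, as a runnable added example that is not part of the original post: the password is passed through a keyed HMAC before the slow KDF, so a stored record cannot be checked without the key. Assumptions: Python's standard-library scrypt stands in for Argon2id, and `SimulatedHSM` is a hypothetical in-process stand-in for the network HSM's HMAC call.

```python
import hashlib
import hmac
import os


class SimulatedHSM:
    """Hypothetical stand-in for the HSM: computes HMACs, never returns its key."""

    def __init__(self, key=None):
        # A backup device is modelled by provisioning it with the same key.
        self._key = key if key is not None else os.urandom(32)

    def get_hmac(self, message: bytes) -> bytes:
        return hmac.new(self._key, message, hashlib.sha256).digest()


def slow_kdf(data: bytes, salt: bytes) -> bytes:
    # scrypt (stdlib) used in place of Argon2id; parameters are illustrative.
    return hashlib.scrypt(data, salt=salt, n=2**14, r=8, p=1, dklen=32)


def enroll(hsm: SimulatedHSM, password: str) -> dict:
    """Create the database record: per-user salt plus KDF(HMAC(password))."""
    salt = os.urandom(16)
    keyed_hash = hsm.get_hmac(password.encode())
    return {"salt": salt, "hash": slow_kdf(keyed_hash, salt)}


def authenticate(hsm: SimulatedHSM, record, password: str) -> bool:
    """The 'new login code': HMAC inside the HSM first, then the slow KDF."""
    if record is None:  # user does not exist
        return False
    keyed_hash = hsm.get_hmac(password.encode())
    candidate = slow_kdf(keyed_hash, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def check_without_hsm(record, password: str, assumed_key: bytes) -> bool:
    """What a holder of only the database can compute: the key must be guessed."""
    keyed_hash = hmac.new(assumed_key, password.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(slow_kdf(keyed_hash, record["salt"]), record["hash"])


if __name__ == "__main__":
    key = os.urandom(32)  # constructed sample key, provisioned to both devices
    primary, backup = SimulatedHSM(key), SimulatedHSM(key)
    rec = enroll(primary, "correct horse battery staple")  # constructed password
    print("login via primary:", authenticate(primary, rec, "correct horse battery staple"))
    print("login via backup: ", authenticate(backup, rec, "correct horse battery staple"))
    print("database only:    ", check_without_hsm(rec, "correct horse battery staple", bytes(32)))
```

A device provisioned with a different key rejects every existing record, which is the key-loss lockout the question mentions.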