I have always struggled with how packages are versioned and published to the npm registry.
My main concern is that you probably want to also add a git tag to your source code when you are releasing a new version, but npm packages have their own versioning system, and include a &quot;version&quot; field in the package.json
Because of this, most of the workflows I have seen, usually involve:
<ol>
<li>Running <code>npm version ...</code>. This will update the &quot;version&quot; field in the package.json file.</li>
<li>Publishing the package to the npm registry, using the version set in previous step.</li>
<li>Committing to git, so that we track the change in package.json file.</li>
<li>Adding a git tag.</li>
<li>Pushing to git remote to track new commit and new tag.</li>
</ol>
<blockquote>
Steps 3 and 4 are frequently done automatically as part of <code>npm version</code>.
</blockquote>
For me this flow has two main problems:
<ul>
<li>
My personal preference is that everything is driven by git tags, making them the single source of truth.
This would allow to just have one manual step -&gt; <code>git tag -a v1.0.0 -m &quot;...&quot; &amp;&amp; git push origin --tags</code>. Then, this would trigger a number of potential automations, including publishing to the npm registry, but also others like creating a release with the appropriate release notes, building release artifacts, etc.
</li>
<li>
The &quot;version&quot; field in the package.json file can very easily become outdated, if you git-tag by mistake before publishing the package, or if pushing the changes fails after <code>npm version ...</code> has been run.
I&#x27;ve seen this happening more often than it seems.
</li>
</ul>
Because of this, my current take when publishing npm packages for my personal projects is:
<ol>
<li>
Get rid of the &quot;version&quot; field from the package.json file. It&#x27;s misleading in source code, as it can very easily be out of date.
The only case where it&#x27;s useful is when the package has been installed and is inside node_modules, as other packages will assume this field to exist and have the right value on it.
In this case it&#x27;s always going to be correct due to the<code>npm version ...</code> + <code>npm publish</code> tandem (see next point).
</li>
<li>
Creating the git tag is the only &quot;manual step&quot;. This triggers an automation running <code>npm version ${GIT_TAG} --git-tag-version=false &amp;&amp; npm publish</code> (this is simplified. You probably also need to build your project and other potential extra steps).
The version to publish is inferred from the git tag (<code>${GIT_TAG}</code> is just a placeholder), and only at this stage we will set the &quot;version&quot; inside package.json, just before the package is published.
</li>
<li>
Other automations that need to happen during releases, can be also triggered now, like publishing release notes, building artifacts, etc.
</li>
</ol>
<blockquote>
As an example, you can see <a target="_blank" rel="noopener noreferrer" href="https://github.com/shlinkio/github-actions/blob/24de7a2b89a9eb11b0acfd184de7187698b051b6/.github/workflows/js-lib-publish.yml">this GitHub actions workflow</a>, which follows this approach.
</blockquote>

I have always struggled with how packages are versioned and published to the npm registry. My main concern is that you probably want to also add a git tag to your source code when you are releasing a new version, but npm packages have their own versioning system, and include a "version" field in…

My current take when publishing packages to the npm registry

A couple of weeks ago I migrated a React project using redux to <a target="_blank" rel="noopener noreferrer" href="https://redux-toolkit.js.org/">Redux Toolkit</a>.
Redux has always been my preferred state management tool for React (which doesn&#x27;t mean I &quot;love&quot; it), but one of its main problems is the amount of boilerplate code it requires.
Because of that I had a couple of helper functions, but there was still some things not properly handled, like proper type inference on reducers and actions (I use TypeScript).
A bit by accident (I think it was on Twitter), I found out about Redux Toolkit (RTK from now on), an official library from the redux team, which provides some opinionated helpers to reduce the amount of boilerplate, and I decided to give it a chance.
These are my impressions.
<h3>TL;DR</h3>
I first started to use it in a proof of concept, and I quickly loved it.
RTK does not &quot;replace&quot; any of the redux principles, so you can progressively adopt it, by replacing small bits of code. My plan was to use it just for some reducers, but I liked it so much that I ended up migrating the whole project in a series of consecutive pull requests.
<h3>A bit of context</h3>
Before the migration, I used to follow the <a target="_blank" rel="noopener noreferrer" href="https://github.com/erikras/ducks-modular-redux">ducks modular pattern</a>, which promotes putting all your action types, action creators and the reducer handling those actions on the same module.
This fits pretty well with RTK, as in most of the cases you will use <a target="_blank" rel="noopener noreferrer" href="https://redux-toolkit.js.org/api/createSlice">slices</a>, and end up exporting the reducer and action creators returned by it, from the same module.
If you use <a target="_blank" rel="noopener noreferrer" href="https://redux-toolkit.js.org/api/createAsyncThunk">async thunks</a>, they usually need to be used by that same slice, so it&#x27;s not a bad idea to export them also from there.
<h3>Why I love it</h3>
There are a couple of reasons for which I loved RTK right away. The main one is that they make an impressive work on making type inference in TypeScript work properly.
<ul>
<li>Slices detect the type of the initial state in order to know what is expected to be passed as <code>state</code> to reducers.</li>
<li>You can infer the type of your store from what is generated by <code>configureStore</code> or <code>combineReducers</code> functions, allowing you to also properly type the <code>dispatch</code> function.</li>
<li>Action creators are generated with the proper param types based on the reducers provided to <code>createSlice</code> or the callback provided to <code>createAsyncThunk</code>.</li>
<li><code>createSlice</code> can consume all the action creators generated by <code>createAsyncThunk</code>, and infer the proper payload for each one of them.</li>
</ul>
Thanks to this, the code is super predictable and potential bugs can be caught sooner.
<blockquote>
More details on how to use RTK with typescript https://redux-toolkit.js.org/usage/usage-with-typescript
</blockquote>
But this is not the only benefit. Other reasons that make it very nice to work with are:
<ul>
<li>It keeps the same concepts from Redux, but removing the boilerplate or your own helper functions if you have them (yes, I didn&#x27;t want to keep all those <code>switch</code> statements everywhere).</li>
<li>It is mostly transparent for the components dispatching the actions or consuming the state.</li>
<li>All the tests covering your reducers/actions/components should keep passing, as the outcome from RTK is the same as if you built everything manually.</li>
<li>It introduces a couple of extra helpers, like <a target="_blank" rel="noopener noreferrer" href="https://redux-toolkit.js.org/rtk-query/overview">RTK query</a> or the <a target="_blank" rel="noopener noreferrer" href="https://redux-toolkit.js.org/api/createListenerMiddleware">listener middleware</a>, which is very useful to dispatch actions as a result of other actions being dispatched.</li>
</ul>
<h3>Challenges I found</h3>
Of course, adopting a new tool always comes with some challenges.
The main &quot;problem&quot; I found is that RTK is a bit opinionated, but that&#x27;s precisely how they manage to reduce boilerplate code, and it&#x27;s also &quot;advertised&quot; in their website, so not a big surprise.
I usually prefer to be in control of everything (configuration over convention), but that&#x27;s just a personal preference, and sometimes it&#x27;s ok to accept a bit of magic for the sake of simplicity.
This caused the next challenges for my particular case:
<ul>
<li>
RTK assumes your project follows a strict <a target="_blank" rel="noopener noreferrer" href="https://redux.js.org/tutorials/fundamentals/part-7-standard-patterns#flux-standard-actions">Flux pattern</a>, meaning your actions always have the properties <code>type</code>, <code>payload</code> and optionally <code>meta</code> and <code>error</code>.
I was not following this pattern (my actions had the payload &quot;mixed&quot; on the first object level), so I had to adapt all my actions first, fix the tests, then migrate the reducer to RTK and make sure the tests kept passing.
<div></div>
</li>
<li>
Immutability is no longer promoted in reducers. Instead, the library requires <a target="_blank" rel="noopener noreferrer" href="https://immerjs.github.io/immer/">immer</a> internally, and using proxies they automatically ensure immutability, even if you &quot;mutate&quot; the state.
This feels a bit counterintuitive at first, because redux always promoted an immutable approach, and the use of immer is not obvious.
However, they have <a target="_blank" rel="noopener noreferrer" href="https://redux-toolkit.js.org/usage/immer-reducers#why-immer-is-built-in">good reasons</a> to do it, and if your reducers return a state object, you can still use the immutable approach. It&#x27;s up to you.
<div></div>
</li>
<li>
Action creators resulting of <code>createAsyncThunk</code> can only have one argument.
This is because the async thunk callback receives a second argument containing the <code>dispatch</code> and <code>getState</code> functions, as well as a couple of other goodies, enforcing this convention to avoid human errors.
<div></div>
</li>
<li>
You cannot dispatch other actions after the callback passed to <code>createAsyncThunk</code>, because it has to return the payload and RTK dispatches the action for you.
However, this is probably something you usually should not be doing, and in my case, I resolved it with the <a target="_blank" rel="noopener noreferrer" href="https://redux-toolkit.js.org/api/createListenerMiddleware">listener middleware</a>, listening for the second action in order to dispatch the second one.
</li>
</ul>
<h3>Conclusion</h3>
My conclusion is that RTK is definitely worth it if you use redux.
It makes code simpler, more predictable and better typed. However, it still requires knowing how redux works internally and what are its patterns, in order to understand why the library exposes the helpers it exposes and why.
For existing redux projects, you can migrate progressively, addressing the challenges bit by bit and not all at once, which simplifies its adoption.
For new projects in which you want to use redux, I would recommend starting right away with RTK.

A couple of weeks ago I migrated a React project using redux to Redux Toolkit. Redux has always been my preferred state management tool for React (which doesn't mean I "love" it), but one of its main problems is the amount of boilerplate code it requires.

Because of that I had a couple of helper…

My experience migrating to Redux Toolkit (RTK)

In 2019, GitHub published their own solution to run automated workflows called GitHub Actions, which allowed those hosting their code in GitHub, to be able to define and run their CI/CD pipelines in the same platform. When it was released, one of the main pain points to use it was that defining…

How to reduce duplication in your GitHub Actions workflows

Recently ReactJS v18 was released. I started to look into its improvements, and checked which of my projects could benefit from them.
The main react-based project I maintain at the moment of writing this article is <a target="_blank" rel="noopener noreferrer" href="https://github.com/shlinkio/shlink-web-client">shlink-web-client</a>, so I naturally created a new branch and started the process.
The update was quite smooth, as most of the other dependencies I was using from the react ecosystem were already updated to support v18. All but one, <a target="_blank" rel="noopener noreferrer" href="https://enzymejs.github.io/enzyme/">enzyme</a>, the testing framework I was using to unit-test react components.
To be precise, I was able to continue running my tests, but some of them (those using <code>mount</code> instead of <code>shallow</code>) were still rendering components with the &quot;old&quot; React v17 approach, causing them to behave as in that version and a warning being printed in the console.
<h3>First fix attempt</h3>
The way enzyme integrates with the react version you are using is through an adapter library. The last official one supports only React v16, but someone released an <a target="_blank" rel="noopener noreferrer" href="https://github.com/wojtekmaj/enzyme-adapter-react-17">unofficial adapter for v17</a> which, with close to 650k weekly downloads, quickly became the way to go.
I checked if there was one for React 18, but sadly there wasn&#x27;t.
Also, the author of the adapter for v17 posted an article indicating <a target="_blank" rel="noopener noreferrer" href="https://dev.to/wojtekmaj/enzyme-is-dead-now-what-ekl">enzyme is dead</a>, he was not going to release one for v18, and publishing one for v17 was a mistake.
With those facts in mind, I started to face what was probably going to be the moment to migrate to <a target="_blank" rel="noopener noreferrer" href="https://testing-library.com/docs/react-testing-library/intro">react testing library</a>.
<h3>Migration strategy</h3>
I decided to follow a migration strategy similar to the one suggested in the article above, but with a couple of modifications:
<ul>
<li>I update to React 18 anyway, as tests still pass.</li>
<li>Migrate right away all tests using <code>mount</code>, as those are the ones behaving differently.</li>
<li>New tests should be written directly with react testing library (RTL from now on).</li>
<li>When an existing test needs to be changed, consider migrating it to RTL, and do it if there&#x27;s time.</li>
<li>Introduce some PR from time to time just migrating a handful of tests.</li>
<li>Once everything is migrated, get rid of everything related with enzyme.</li>
</ul>
<h3>First contact and impressions</h3>
I was a bit sceptical with RTL, as it was focused more on integration tests, instead of unit tests, which meant I had to completely change the mindset to write tests.
It also didn&#x27;t support shallow rendering, meaning that you will end up sometimes rendering a bigger component tree when testing container-like components, potentially causing side effects that could affect your test.
On the other hand there&#x27;s more and more people stating that <a target="_blank" rel="noopener noreferrer" href="https://kentcdodds.com/blog/why-i-never-use-shallow-rendering">shallow rendering is an anti-pattern</a>, and that&#x27;s probably the reason of enzyme getting &quot;discontinued&quot;.
Also, RTL has become the <a target="_blank" rel="noopener noreferrer" href="https://reactjs.org/docs/testing.html#tools">officially recommended framework</a> to test react components, it has become very popular, and it has even joined a wider group of testing libraries under the <a target="_blank" rel="noopener noreferrer" href="https://testing-library.com/"><code>@testing-library</code></a> organization.
The thing is that I started to use it, and I was quickly surprised with how it felt to work with it, and all the benefits it was bringing to my tests.
<h3>Benefits I have experienced</h3>
Once I started migrating the first tests I noticed some benefits:
<ul>
<li>Changing my mindset was actually easier than I thought. The docs are very well written, so it&#x27;s relatively easy to start using RTL.</li>
<li>My tests got simpler, and required less of those nasty global mocks that jest allows (I&#x27;m looking at you, <a target="_blank" rel="noopener noreferrer" href="https://jestjs.io/es-ES/docs/mock-functions#mocking-modules"><code>jest.mock</code></a>).</li>
<li>Tests were way less coupled with implementation details. I moved from testing the component props, to test what the user would see on the screen.</li>
<li>Related with previous point, I started to write my tests by looking at the screen instead of the component&#x27;s implementation.</li>
<li>Changes in source code led to fewer tests requiring to be changed.</li>
<li>A progressive migration was possible, where some tests still use enzyme and others are already using RTL.</li>
</ul>
And overall, it felt good and I have already dedicated a couple of PRs just to migrate more tests.
<h3>Challenges I faced</h3>
But of course, migrating to a new tool always comes with its own challenges, and this was not an exception. I&#x27;ll explain the main ones I have faced so far and how I tackled them:
<ul>
<li>
RTL lets you do some things in a couple of different ways, and the docs may not be super clear about what&#x27;s the recommended option.
For this I recommend reading <a target="_blank" rel="noopener noreferrer" href="https://acel.me/DCMb1">this article</a> from Kent C. Dodds, RTL&#x27;s author, which explains some common mistakes when using the library.
</li>
<li>
At first, I struggled a bit with asynchronous side effects and state changes in components, which can easily end up printing a warning like <code>Warning: An update to MyComponent inside a test was not wrapped in act</code>.
The warning also explains how you are supposed to solve this by wrapping your code in <code>act()</code>, but this warning comes from React, not RTL, and what it is not telling you is that RTL already wraps all needed operations in <code>act()</code>.
What this error usually mean is that you are not waiting for something to happen. <a target="_blank" rel="noopener noreferrer" href="https://acel.me/jnUdT">This other article</a>, also from Kent C. Dodds, explains everything you need to know about the things that can lead to this warning, and how to solve them.
</li>
<li>
Since you start testing from the user point of view, some use cases can be challenging to test without coupling with implementation details. For example, when you have a component which dynamically renders different images or icons, I used to directly check the component properties.
For this I found the best solution was to use <a target="_blank" rel="noopener noreferrer" href="https://jestjs.io/docs/snapshot-testing">jest snapshots</a>. I didn&#x27;t want to manually check which SVG was being rendered in the DOM, just that different ones were being used in every case.
<pre class="language-tsx"><code class="language-tsx">// I went from this...
test(&#x27;...&#x27;, () =&gt; {
 const wrapper = shallow(&lt;MyComp dynamicValue=&quot;foo&quot; /&gt;);
 expect(wrapper.find(FontAwesomeIcon).prop(&#x27;icon&#x27;)).toEqual(someIcon);
})

// To this
test(&#x27;...&#x27;, () =&gt; {
 const { container } = render(&lt;MyComp dynamicValue=&quot;foo&quot; /&gt;);
 expect(container.firstChild).toMatchSnapshot();
})
</code></pre>
</li>
<li>
Something very similar happens if you use some library that renders canvas. There&#x27;s no way to test that from a DOM point of view, which is what RTL does.
In my case I was using <a target="_blank" rel="noopener noreferrer" href="https://www.chartjs.org/">Chart.js</a> to render some charts, so I used <a target="_blank" rel="noopener noreferrer" href="https://github.com/hustcc/jest-canvas-mock">jest-canvas-mock</a>, which exposes a method on the canvas to see which are all the events invoked from the library.
Then I used snapshots again to verify they had the expected &quot;shape&quot;.
<pre class="language-tsx"><code class="language-tsx">// I went from this...
test(&#x27;...&#x27;, () =&gt; {
 const wrapper = shallow(&lt;MyCompWithCanvas /&gt;);
 expect(wrapper.find(Chart).prop(&#x27;data&#x27;).datasets).toEqual(...);
})

// To this
test(&#x27;...&#x27;, () =&gt; {
 const { container } = render(&lt;MyCompWithCanvas /&gt;);
 const events = container.querySelector(&#x27;canvas&#x27;)?.getContext(&#x27;2d&#x27;)?.__getEvents();

 expect(events).toBeTruthy();
 expect(events).toMatchSnapshot();
})
</code></pre>
</li>
</ul>
<h3>Conclusion</h3>
For better or worst, enzyme should no longer be considered an option. If you are starting a new project or are using it on small ones, consider migrating to RTL as soon as possible.
If you are using it in bigger projects, following the process described in this article will probably help you.
In any case, you will get surprised. React testing library is a great tool and provides many benefits over enzyme.
Its main issue is that it&#x27;s not a drop-in replacement for enzyme, so you will have to change a bit your mindset.

Recently ReactJS v18 was released. I started to look into its improvements, and checked which of my projects could benefit from them. The main react-based project I maintain at the moment of writing this article is shlink-web-client, so I naturally created a new branch and started the process.

The…

My experience migrating from enzyme to react testing library

Capturing code coverage for a test suite is a very useful way to know which parts of your source code are actually getting executed by tests. This is useful not only to know if you need to add more tests to your project (in case the coverage is too low), but also, if you want to apply technics like…

Capturing remote code coverage in API tests with PHPUnit

Everyone who regularly visits my blog knows that I&#x27;m an absolute fan of the <a target="_blank" rel="noopener noreferrer" href="https://zendframework.github.io/zend-servicemanager/">Zend\ServiceManager</a> component.
It is always my choice to deal with dependency injection in any kind of project, more now that v3 has been released, which is faster and has a better public API.
The workflow while working with the <code>ServiceManager</code> is usually the same. You create a factory or abstract factory that creates a service and then you register that service into the <code>ServiceManager</code> itself.
Of course you have to optimize your code, and you should try to reuse the same factories whenever possible, and try not to abuse of abstract factories and initializers.
<h3>Detecting a problem</h3>
The thing is that if your project grows, you will end with lots of services, and probably lots of factories too.
There are services that are complicated to create, like the <code>Application</code> object in many frameworks, or services like doctrine&#x27;s <code>EntityManager</code>. They need to check a lot of configuration elements, and not only get some dependencies injected.
The factory pattern is perfect for these kind of services, but there are a lot of services too where you end up creating a factory just to fetch a couple services from the <code>ServiceManager</code> and injecting them in the new service constructor.
This could be an example:
<pre class="language-php"><code class="language-php">namespace Acelaya\Factory;

use Acelaya\Foo;
use Acelaya\MyService;
use Interop\Container\ContainerInterface;
use Zend\ServiceManager\Factory\FactoryInterface;

class MyFactory
{
 public function __invoke(ContainerInterface $container, $requestedName, array $options = null)
 {
 $foo = $container-&gt;get(Foo::class);
 $bar = $container-&gt;get(&#x27;bar&#x27;);
 
 return new MyService($foo, $bar);
 }
}
</code></pre>
In my applications, these kind of services are very usually more than a half of the total registered services, and at the end it is boring and repetitive, and you have to maintain a lot of classes that don&#x27;t really do much.
<h3>Proposing a solution</h3>
So I decided to find a solution that would allow me not to repeat the same task over and over.
After some research and trying some different solutions I ended up creating the <a target="_blank" rel="noopener noreferrer" href="https://github.com/acelaya/zsm-annotated-services">acelaya/zsm-annotated-services</a> package, which allows you to annotate your service constructors and use a common factory which is already provided. It supports both v2 and v3 of the ServiceManager.
By making use of the <code>$requestedName</code> argument that all ServiceManager factories receive (even in v2, although it is not in the FactoryInterface), and assuming that the service name is the fully qualified class name, that factory reads a special <code>@Inject</code> annotation in the service constructor, which contains the name of the services that need to be injected.
This way, the service in the previos example could be defined like this:
<pre class="language-php"><code class="language-php">namespace Acelaya;

use Acelaya\ZsmAnnotatedServices\Annotation\Inject;

class MyService
{
 /**
 * @Inject({Foo::class, &quot;bar&quot;})
 */
 public function __construct(Foo $foo, $bar)
 {
 // [...]
 }
}
</code></pre>
The <code>@Inject</code> annotation receives an array of service names in the same order that they need to be injected in the constructor. Then the provided <code>AnnotatedFactory</code> reads that list and fetches them from the <code>ServiceManager</code>, and finally creates the service and injects the dependencies in the same order. You just need to register the service like this:
<pre class="language-php"><code class="language-php">use Acelaya\MyService;
use Acelaya\ZsmAnnotatedServices\Factory\V3\AnnotatedFactory;
use Zend\ServiceManager\ServiceManager;

return new ServiceManager([
 &#x27;factories&#x27; =&gt; [
 MyService::class =&gt; AnnotatedFactory::class,
 ],
]);
</code></pre>
This is perfect, because we don&#x27;t need to create a new factory for every service. We can always use the provided factory to register many services.
That allows us not to have to maintain so many classes, so many tests and also it means that a lot less includes are going to be done by the autoloader.
Also, using factories instead of abstract factories is faster at runtime.
<h3>Considerations</h3>
There are, however, a couple of things to have in mind while using this package.
Processing the annotations on every request is very slow. That&#x27;s why this package allows you to provide a <a target="_blank" rel="noopener noreferrer" href="https://github.com/doctrine/cache">doctrine/cache</a> adapter where the result of processing the annotations is saved. If you use an in-memory cache adapter (like <code>ApcuAdapter</code>), this package has almost no performance penalty.
In order to register a cache adapter, you just need to register a service with the Acelaya\ZsmAnnotatedServices\Cache key that returns a <code>Doctrine\Common\Cache\Cache</code> instance. The key is provided as a <code>CACHE_SERVICE</code> constant in the <code>AnnotatedFactory</code> class, so the previos example could be improved like this:
<pre class="language-php"><code class="language-php">use Acelaya\MyService;
use Acelaya\ZsmAnnotatedServices\Factory\V3\AnnotatedFactory;
use Doctrine\Common\Cache\ApcuCache;
use Doctrine\Common\Cache\ArrayCache;
use Zend\ServiceManager\ServiceManager;

return new ServiceManager([
 &#x27;factories&#x27; =&gt; [
 MyService::class =&gt; AnnotatedFactory::class,
 AnnotatedFactory::CACHE_SERVICE =&gt; function () {
 return getenv(&#x27;APP_ENV&#x27;) === &#x27;production&#x27; ? new ApcuCache() : new ArrayCache();
 }
 ],
]);
</code></pre>
It is a good idea to provide a non-persistent cache for development environments.
Also, the package has currently some limitations. Some of them will probably get fixed in the future, as new versions are released.
<ul>
<li>It is not possible to perform setter or property injection, just constructor injection. Since setter injection is not a good practice, I&#x27;m not sure if this is going to change.</li>
<li>It is not possible to inject something that is not registered in the container. All the dependencies need to be services themselves.</li>
<li><del>If a service returns an array, you cannot pick just a key from it, but I will probably support this in future versions.</del> Update 2016-04-10. As of v0.2, it is already possible to fetch just one part of an array by using dot notation. For example, config.mail.smtp</li>
<li>The <code>AnnotatedFactory</code> cannot create services that are not identified by their fully qualified class names.</li>
</ul>
Anyway, if there is a service complex enough that you can&#x27;t create with annotations, you can always use regular factories.
<h3>Performance improvements</h3>
Update 2016-05-15
Since I published this article, we have started to use this library in one of my company&#x27;s biggest projects, and this is the result.
At the beginning, I started benchmarking the library by checking how much time was used to create thousands of services with or without it, and the result was that it was a very little bit slower with the <code>AnnotatedFactory</code>.
However, when a project grows, maintainability is also important, not only performance. Also, my benchmarks were made against a non-shared service, but always the same one, which was being created by the same factory.
My surprise was that after performing an important refactoring which allowed us to replace more than 150 factories by the same <code>AnnotatedFactory</code>, performance was improved by about a 20% (while using cache, of course).
I suppose this is due to the fact that the same factory instance is used to create many objects, which reduces the number of autoloader hits, the number of factories instantiated and the number of files included per request.

Everyone who regularly visits my blog knows that I'm an absolute fan of the Zend\ServiceManager component. It is always my choice to deal with dependency injection in any kind of project, more now that v3 has been released, which is faster and has a better public API.

The workflow while working…

Improving Zend\ServiceManager workflow with annotations

I&#x27;m sure you are familiar with those &quot;remember me&quot; checkboxes in login forms. They are a common way to allow a user to keep his/her session in a web application for an extended period of time when he is in a trusted computer.
One could think that it is a small and easy-to-implement feature, but it has indeed a lot of considerations.
I wasn&#x27;t able to properly implement it in the first projects I worked in, and I&#x27;m trying to explain everything I&#x27;ve learned about it in the last years.
<blockquote>
In this article I&#x27;m not going to show you how to implement a persistent login in one or another programming language, but what are the good practices that should be followed when you implement it in the way you want.
</blockquote>
<h3>First thoughts.</h3>
The first thing that one could try is to extend the lifetime of the system that persists the session and identifies the user between requests (usually a cookie).
The problem is that many systems doesn&#x27;t allow to do that in an isolated way, you are forced to extend the lifetime of all sessions. Also, it is not always easy to change the session lifetime dynamically.
So it&#x27;s not a good idea, because the user could be accessing your app from a public computer, and his session could be stolen if he forgets to logout.
Because of this, the best way to do it is to have another element (another cookie) that keeps the persistent session and is used to transparently regenerate the regular session when it expires.
<h3>How to implement it.</h3>
When a user logs in and he has checked the &quot;remember me&quot; field, you will create a cookie with an extended lifetime (for example, 2 weeks).
That cookie will contain a unique token that will identify a user. It should be backed in the database by creating a table that relates the token with a user. It could contain other metadata too, like the client&#x27;s IP address or a flag that says if the session is still valid.
In consecutive requests, your system will keep checking if an authenticated user exists, but if not, instead of redirecting to a login or returning a 403 status, it should check for the persistent login cookie first.
When that cookie exists, you will find the user it belongs to, and authenticate him. Then, you will invalidate the cookie and the session in the database, and generate a new one that will expire in the same date as the previous one. Finally, the new token should be returned in a new persistent login cookie that will replace the previous one by having the same name.
When the user manually logs out, the persistent login cookie should be dropped too.
<h3>Security considerations</h3>
Now you have a basic idea on how to implement it, but there are some security considerations to take into account in order to avoid problems in the future.
The first thing that we have to assume is that persistent sessions have their risks. There is no way to implement a completely secure persistent login, but following this instructions the system will be reasonably secure.
<ul>
<li>Persistent login will be handled by a cookie in the client and a database in the server (or a similar persistence system).</li>
<li>Persistent sessions will have an expiration time, for example 2 weeks. During that time, any regular session will be regenerated by the persistent session. Once it has passed, the user will be prompted to provide his credentials when the regular session expires. The expiration time will be set both in the cookie and in the database.</li>
<li>Persistent login cookies will contain one-time tokens. Once a token has been used it will be invalidated and a new one will be generated.</li>
<li>In order to protect these tokens from <a target="_blank" rel="noopener noreferrer" href="https://en.wikipedia.org/wiki/Cross-site_scripting">XSS</a> attacks in the site, persistent login cookies should be <code>HttpOnly</code>, so that they cannot be read from the browser.</li>
<li>Multiple valid persistent sessions will be allowed.</li>
<li>When a user logs out, its current persistent session in the database and the persistent login cookie will be invalidated.</li>
<li>The user should be able to invalidate all the persistent sessions that are still valid.</li>
<li>Invalid persistent sessions won&#x27;t be deleted. This way, if the user tries to access with an invalid cookie, he will be notified of a possible stolen cookie, and immediately all the other persistent sessions will be invalidated.</li>
<li>When the user changes his/her password, all the persistent sessions should be invalidated.</li>
<li>The token needs to be unique. Just generate some hash including the date and some other field. It doesn&#x27;t need to be super secure, but make sure to not send critical information to the client (like usernames or passwords).</li>
<li>And finally, there should be some operations restricted to users whose regular session has been regenerated by a persistent session, like changing a password or performing some kind of payment. In those cases, the user should be prompted for his current password anyway.</li>
</ul>
Of course, if your system manages critical data, you shouldn&#x27;t implement persistent login at all. I don&#x27;t think you have seen it at any bank application.
In any other case, this should be a good way to go.

I'm sure you are familiar with those "remember me" checkboxes in login forms. They are a common way to allow a user to keep his/her session in a web application for an extended period of time when he is in a trusted computer. One could think that it is a small and easy-to-implement feature, but it…

How to properly implement persistent login

I have spoken many times at this blog about dependency injection, and how the ZF2 ServiceManager is one of the best tools to solve it. You can read these related articles to know more: How to properly use the Zend framework 2 service manager as a dependency injection container Advanced usage of…