Lance Cleveland

A Boring Article About Geometry (Is this point in a polygon?)

Unless you are a math nerd you will likely skip this article right about… now.

For those math nerds that are still reading, I learned something new today that I found interesting. It makes perfect sense and is one of those “why didn’t I think of this” moments. Working on a territories algorithm for Store Locator Plus presented a problem I’ve not had to solve in the past 4 years of building the product. How do you determine if a given point on earth is inside of an area that is described by a series of locations that represent the boundary of a territory? In plain English – “When a user says ‘I am here’, is ‘here’ within the territory serviced by a company?”

A location and the territory it covers.

Point In Polygon Algorithms

There are a number of ways to determine if ‘here’ is inside a given area. In mathematics, locating ‘here’ in a territory can be directly associated with the point in polygon problem. ‘Here’ is the point where the user is now, and the latitude/longitude combination represents the x,y coordinates for that point. The polygon is described as a series of latitude/longitude (x,y) coordinates that form its outline. You can now employ a number of algorithms to calculate if a point is inside the polygon, such as the “Winding number” algorithm. However, my favorite is the “Even Odd Rule” algorithm due to its simplicity and the speed at which it can be computed. Winding number uses “circular math”, which involves things like sine and cosine that are computationally expensive.

Even Odd Rule

Even Odd Rule uses the given point and creates a ray from that point that traverses at least one side of the polygon. If the ray crosses an even number of borders it is outside the polygon. If it crosses an odd number it is in the polygon. There is a caveat where if it is ON the border it will be considered “outside”, but that can be a matter of semantics: “you said INSIDE, not on the edge”. Also, with the < 1 meter of distance that Store Locator Plus resolves using floating point decimals for latitude/longitude, it is probably fine for territories to lose that 1 meter to the “on the border” rule.

Tracing a ray from a point through a polygon.

Calculating the number of “border crossings” is fairly easy and operates quickly unless you have an extremely complex polygon with thousands of points prescribing the border.  That won’t be the case for my product.  The efficiency and accuracy of this algorithm is perfect.
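The border-crossing count described above can be written in a few lines of PHP. This is an added example, not code from the article or from Store Locator Plus; the function name, the epsilon tolerance and the sample territory are assumptions made for illustration.

```php
<?php
/**
 * Even-odd rule (added example; function and variable names are hypothetical).
 * Casts a ray from the point toward +x and counts the polygon edges it crosses.
 * $polygon is a list of array(x, y) vertices, x = longitude, y = latitude.
 * A point lying on an edge is reported as outside, as the article describes.
 */
function point_in_polygon(array $point, array $polygon, $eps = 1e-9)
{
    list($px, $py) = $point;
    $inside = false;
    $n = count($polygon);

    // Walk every edge j -> i; $j trails $i so the last vertex closes the ring.
    for ($i = 0, $j = $n - 1; $i < $n; $j = $i++) {
        list($xi, $yi) = $polygon[$i];
        list($xj, $yj) = $polygon[$j];

        // Border case: collinear with the edge and within its bounding box.
        $cross = ($px - $xi) * ($yj - $yi) - ($py - $yi) * ($xj - $xi);
        if (abs($cross) <= $eps
            && $px >= min($xi, $xj) - $eps && $px <= max($xi, $xj) + $eps
            && $py >= min($yi, $yj) - $eps && $py <= max($yi, $yj) + $eps) {
            return false;
        }

        // The ray can only cross an edge whose endpoints straddle y = $py.
        // Comparing both ends with > counts a vertex on the ray exactly once.
        if (($yi > $py) !== ($yj > $py)) {
            // x coordinate where the edge meets the horizontal line y = $py.
            $xCross = $xi + ($py - $yi) * ($xj - $xi) / ($yj - $yi);
            if ($px < $xCross) {
                $inside = !$inside; // one more border crossing
            }
        }
    }
    return $inside;
}

// Constructed territory: a 10 x 10 square with a notch cut into its top edge.
$territory = array(
    array(0, 0), array(10, 0), array(10, 10), array(6, 10),
    array(5, 4), array(4, 10), array(0, 10),
);

var_dump(point_in_polygon(array(2, 5), $territory));  // left of the notch
var_dump(point_in_polygon(array(5, 8), $territory));  // within the notch cut-out
var_dump(point_in_polygon(array(10, 5), $territory)); // on the right-hand edge
```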

Sometimes you can discover beauty in the simplicity of what otherwise can seem like a complex problem by using math to describe your world.

Yes I know.  I’m a math geek.

Bitbucket Permission Denied / Conq

Hopefully this article will save at least one other person an hour of their life trying to figure out why they cannot clone a Bitbucket repository when using SSH.

My projects are broken into several teams, each with their own developer and administrator users.  Each team has a number of repositories that are being managed.  There is one common denominator; I have admin access to all repositories.   That means my Bitbucket user should have full read/write/admin privileges on all repos.    Yet no matter how many different keys I added to my Bitbucket user account it would not allow me to clone several repositories.

For those that want the short answer of what worked… use the “long form” SSH URL.

While I typically use the “short form”, as noted below, this absolutely would NOT work for certain repositories or different pre-shared keys even on a repository that uses the “short form”.   Sadly the short form is what Bitbucket serves up when you look at the clone interface on their website.  Here is a short form of the above URL:

Secure Access To Repos

With private repositories you always want to use some form of authentication to prevent people with the URL from cloning your project. Your options with Bitbucket are to use an API Key, use OAuth, or set up SSH access with shared keys. API Keys can be nice but you need to have an app that will manage your “handshake” with Bitbucket and interface with your git app or system-level network stacks. OAuth is similar but allows more control with a user/password type setup so you can lock out one person, whereas the API key is an “everybody/nobody” solution. SSH is already set up on any system you will use and with a little effort you can quickly learn how to create your public/private keys and share them.

Setting Up SSH

For Linux/OSX systems you can quickly set up your SSH keys by logging into the account you will be using to do the clone. You will need a .ssh directory and will generate your SSH keys. There are plenty of articles on how to do that, including Set up SSH on the Bitbucket site. In short you will run ssh-keygen, copy the id_rsa.pub contents and add it under your user account in Bitbucket.

Cloning Your Repo

Normally you can just go to your directory and do something like this:

Maybe that is a bad example since that repository is wide open and won’t require security, but the concept is the same.    The problem is that for some repositories you get something like this:

That is very special. It appears to be unique to Bitbucket, though I’ve not researched that so don’t take that statement as fact. It also seems to only occur if you are running ssh-agent as instructed in that “Set up SSH” article cited above.

If you are not running SSH you may see this instead:

No “conq” but essentially the same message.

If you follow the “debugging SSH connections” article on Bitbucket they tell you to run the ssh -Tv git@bitbucket.org command to get some clues as to why your authentication failed.   The problem is that my SSH sessions were NOT failing when tracing the connection.  I was getting a valid connection to my user account on Bitbucket.

Finally, after all other possible solutions failed I tried the alternate URL format.   It cloned the repository.

Magic.  Black magic.   Possibly even evil.   But it works.

Hopefully this saves you from creating a dozen different SSH keys on a half-dozen different servers.  It may save you from setting up alternate identities or complex SSH authentication models.   You probably don’t even need to run an ssh-agent if you only have a single key for your login.    In short this simple trick may save you a lot of frustration.

And some people wonder why I’m bald.   Lifestyle choice?  Nah.  I’m just another code geek that has been at this for a long time.

 

Performance Issues? Check Your Indexes

Any of the tech geeks that have worked for me in the past have heard me say it a million times.

“Check your indexes, people!”

It is the single-most overlooked issue that often yields the biggest performance gains on any SQL driven data system like WordPress, for example.

I cannot tell you how many times a junior coder or systems person has walked into my office and asked me to help them resolve an application performance problem.   The first thing I ask them is if the problem is data related.  The very next question is “have you checked your indexes?”.  More times than I can count  they find an improper or missing index.  Using SQL tools like ‘explain’ and building a proper index for the query that is causing problems can yield big performance gains with little effort.

Today I ran into a performance problem using my WordPress Dev Kit plugin that serves plugin updates to my WordPress plugin customers.   The dashboard on the sales site was horrendously slow.   The admin panel would take up to a full minute to load.    Building the right index on my data table brought that time down to less than 3 seconds.

Finding The Problem

I started by installing and enabling Query Monitor on my site. This allowed me to see what was taking so long to execute. The first report, a red herring, was the 18,000 entries from the wp_options table that were being loaded.

Turns out there were 15,000+ entries for _site_transient_brute_loginable, all of which were set to autoload. That means WordPress was loading all 15,000 outdated and obsolete Brute Protect transients.

Query Monitor Output

After deleting those 15,000 entries, Query Monitor brought me to the real culprit. There were 4 database queries that were running slowly. ONE of the queries was coming from my WPDK plugin. It was only selecting 20 records, the 20 most recent entries, from a table with only a few data points. However, that table has 800,000+ rows and grows by a few thousand on a daily basis.

Fixing The Problem

The problem is that even though I was only asking for 20 records the “select the newest” was the problem.   MySQL had to read the ENTIRE database to find which 20 records were the newest.   Adding a simple index to the table fixed that issue.   Building an index on the lastupdated field allows the order by lastupdated DESC clause to utilize the index and read only 20 nodes from the index to fetch the record.    It is MUCH faster.  As in 57 seconds faster on a 60 second query.

MySQL Command Line Create Index

As I’ve said before… CHECK YOUR INDEXES PEOPLE!

 

Using PHP Anonymous Functions In WordPress

Recently I published an article “Adding WordPress REST API Security To Basic CRUD Operations” where the permissions callback points directly to a function:

This style of defining a function call is known in PHP as an anonymous function.   The example is based on an example provided by the WordPress REST API documentation.   The problem with such a method is that it is not supported on older versions of PHP;  the anonymous function was introduced in PHP 5.3.  To exacerbate the problem, WordPress recommends PHP version 5.6 but will run on PHP version 5.2.4.    As such many hosting companies opt to take the path of least-effort and run the oldest version of PHP they can.  That means they are running PHP 5.2.4.

Guess what happens when a customer runs your plugin or theme that uses anonymous functions on PHP 5.2.4?  It breaks.

How do you fix the issue?

Use named functions.   Anywhere you use an anonymous function you can use a named function.    In the example above we can convert the anonymous function to a method within the class that is setting up our REST route:

 

Adding WordPress REST API Security To Basic CRUD Operations

Work has been underway adding REST API functionality to the Store Locator Plus plugin.   Most people are familiar with the basic concept of using REST to fetch data from a remote server.   We use this every day when surfing the web using the basic premise of an HTTP GET protocol.   In short this is the simplest form of a REST “read” operation.   Go here, get this thing and show it to me.

REST APIs get more exciting when you talk about adding basic create/update/delete operations, providing the full CRUD functionality via the REST protocol. The issue with using REST for these operations, especially via the WordPress REST API, is that you are now exposing your data via a service through which anyone with even a touch of technical prowess can create, update, or delete data elements from your site. In the case of our locator plugin, we don’t want any random person to send a simple HTTP request to our server and delete a location.

The WordPress REST API provides a simple mechanism for adding security to these types of requests. It uses the built-in WordPress user authentication and roles-and-capabilities to ensure a user has permission to alter the specific object, in our case location data, before handling the REST request. To employ this security you will need two things: a plugin that manages authentication requests and the addition of a permission_callback parameter to your register_rest_route() call within your plugin/theme class that is managing your REST API.

The first part, adding a plugin, is easily handled by fetching one of the git repositories listed at the WordPress REST API documentation site. You can choose either Basic Authentication (very weak security) or OAuth (much better option). Using Basic Authentication is great for development and is what I use when testing RESTful services via phpStorm 2016 with its built-in RESTful service applet.

The second part, adding a permission_callback parameter, is done in the coding of your plugin or theme that is managing your REST requests. This can be handled using a simple anonymous function that returns the results of the WordPress current_user_can() function. In Store Locator Plus we check to make sure the user, authenticated with one of the above plugins as part of the source of the REST request, has the capability ‘manage_slp_user’ assigned. By default this is assigned to all admin users when Store Locator Plus is installed. The register_rest_route call looks like this:

This setup will check that the REST request has passed authentication and that the user identified with the request has the manage_slp_user capability before executing the add_location method in our REST API class.
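One way to write the route registration described here, using the named-method callback form that the article on anonymous functions above recommends for older PHP versions. This is an added example, not code from the original posts or from Store Locator Plus: the class name, REST namespace, route, error text and the body of add_location are assumptions, and only the manage_slp_user capability and the add_location method name come from the text.

```php
<?php
/**
 * Added example: class, namespace and route names are hypothetical.
 * Every callback is a named method, so the file also parses on PHP
 * versions that lack anonymous functions.
 */
class My_Locations_REST_Controller
{
    public function __construct()
    {
        add_action('rest_api_init', array($this, 'register_routes'));
    }

    public function register_routes()
    {
        register_rest_route('my-plugin/v1', '/locations', array(
            'methods'             => WP_REST_Server::CREATABLE, // POST
            'callback'            => array($this, 'add_location'),
            // Runs before the callback; a false or WP_Error result blocks it.
            'permission_callback' => array($this, 'user_can_manage_locations'),
        ));
    }

    // Named replacement for an anonymous function wrapping current_user_can().
    public function user_can_manage_locations()
    {
        if (current_user_can('manage_slp_user')) {
            return true;
        }
        // 401 when nobody is logged in, 403 for a user lacking the capability.
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to manage locations.',
            array('status' => rest_authorization_required_code())
        );
    }

    public function add_location(WP_REST_Request $request)
    {
        // Only reached after user_can_manage_locations() returned true.
        $name = sanitize_text_field($request->get_param('name'));
        return rest_ensure_response(array('created' => $name));
    }
}

new My_Locations_REST_Controller();
```

Returning a WP_Error instead of a bare false lets the client tell an unauthenticated request from an authenticated user who lacks the capability.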

Adding security on your POST/PUT/PATCH REST requests is as simple as that.

There are a lot of other tricks built into the WordPress REST API. Keep track of this blog to watch for more articles on WordPress development as I share what I’ve learned each week.
