MYOB Production Configuration
Externalized hardcoded MYOB credentials and endpoints into environment variables in 3.4.2
Overview
v3.4.2 focused on a single urgent fix: removing hardcoded MYOB sandbox credentials and URLs from the codebase and replacing them with environment-driven configuration.
What Was Hardcoded
Six full MYOB endpoint URLs pointing to https://sbx-firsttosite.myobadvanced.com/entity/... were class constants in MyobClient.php. Credentials were hardcoded in getCredentials(): username, password, and company name - all pointing at the sandbox instance.
What Was Externalized
The MyobClient constructor now accepts 7 parameters, injected via services.yaml from environment variables:
| Variable | Purpose |
|---|---|
| MYOB_BASE_URL | Base MYOB instance URL |
| MYOB_ENTITY_PATH | Entity API path prefix |
| MYOB_NAME | API username |
| MYOB_PASSWORD | API password |
| MYOB_TENANT | Tenant identifier |
| MYOB_COMPANY | Company name (omitted if tenant is set) |
| MYOB_BRANCH | Branch identifier |
The six hardcoded full-URL constants were replaced with relative path constants (e.g., AUTH_LOGIN_PATH = '/entity/auth/login'), combined with the injected base URL via new getter methods (getLoginEndpoint(), getInvoiceEndpoint(), etc.).
This was both a security fix (exposed password in source) and a prerequisite for switching from the sandbox to the production MYOB instance.
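The pattern described above, sketched as an added example (not the project's MyobClient code): the seven values arrive through the constructor, a relative path constant is joined to the injected base URL, and the login body leaves out the company when a tenant is set. The class name, parameter names, payload keys, and the empty-value and HTTPS checks are assumptions.

```php
<?php
declare(strict_types=1);
// Added sketch: class name, parameter names and payload keys are assumptions.
final class ExampleMyobClient
{
    // Relative path constant quoted in the release notes.
    private const AUTH_LOGIN_PATH = '/entity/auth/login';
    private string $baseUrl;
    private string $password;
    public function __construct(
        string $baseUrl,
        private string $entityPath, // kept for the other endpoint getters (not shown)
        private string $name,
        #[\SensitiveParameter] string $password, // PHP 8.2+: redacted in stack traces
        private string $tenant,
        private string $company,
        private string $branch,
    ) {
        // Fail closed: an unset variable stops startup instead of falling back to a default.
        $required = ['MYOB_BASE_URL' => $baseUrl, 'MYOB_NAME' => $name, 'MYOB_PASSWORD' => $password];
        foreach ($required as $var => $value) {
            if (trim($value) === '') {
                throw new \InvalidArgumentException($var . ' is not set');
            }
        }
        // The password is sent to this host, so accept HTTPS only (added check).
        if (strtolower((string) parse_url($baseUrl, PHP_URL_SCHEME)) !== 'https') {
            throw new \InvalidArgumentException('MYOB_BASE_URL must use https');
        }
        $this->baseUrl = rtrim($baseUrl, '/');
        $this->password = $password;
    }
    public function getLoginEndpoint(): string
    {
        return $this->baseUrl . self::AUTH_LOGIN_PATH;
    }

    /** @return array<string, string> Login body; the key names are assumed. */
    public function getCredentials(): array
    {
        $body = ['name' => $this->name, 'password' => $this->password];
        if ($this->tenant !== '') {
            $body['tenant'] = $this->tenant; // company is omitted when a tenant is set
        } elseif ($this->company !== '') {
            $body['company'] = $this->company;
        }
        return $body + ($this->branch !== '' ? ['branch' => $this->branch] : []);
    }
}
```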
Files Touched
| File | Change |
|---|---|
| Library/Myob/MyobClient.php | Modified - bulk of changes |
| config/services.yaml | Modified - DI wiring for 7 env vars |
| Controller/Api/ProjectInvoiceController.php | Modified - call-site update |
| Library/Myob/InvoiceProcessor.php | Modified - call-site update |
Changelog Reference
fix: externalize MYOB client production configuration (#660)