Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Headless Drupal and Security

Ruben Teijeiro
June 08, 2018
Technology
0
530

Headless Drupal and Security

"The front-end moves faster than Drupal, whether Drupal likes it or not" This reference from "The state of the Front-end" session at DrupalCon Amsterdam explains that we need different ways to retrieve content from a Drupal site for an easy integration with new front-end frameworks and other 3rd-party applications. This allows non-experienced front-end developers to start theming Drupal using the tools they are used to, providing at the same time multiple integrations with other platforms through APIs. Currently there is a debate about how to achieve this and what direction Drupal will take in the future. In this workshop there will be explained different approaches to solve common problems and what possible solutions are provided by Drupal and its contributed modules. You can join this discussion, share your thoughts and experiences with others, and help Drupal to go on the right track. The session will also include a case study of a React application and what authentication methods are suitable for decoupled apps and Drupal.

Ruben Teijeiro

June 08, 2018
Tweet

More Decks by Ruben Teijeiro

See All by Ruben Teijeiro
Creating an enterprise level editorial experience for Drupal 8 using React
rteijeiro
0
310
Ambitious Editorial Experiences with Headless Drupal - Frontend United Utrecht 2018
rteijeiro
0
150
Headless Drupal - DrupalCamp Spain 2018
rteijeiro
0
59
Headless Drupal - DCTransylvania 2018
rteijeiro
0
110

Other Decks in Technology

See All in Technology
Next'24 事例セッションの紹介とクラウド資格を活用したキャリア形成について語りMuscle
yasumuusan
1
430
KubeConにproposalを送りたい人へのアドバイス
sat
PRO
3
210
最近たまに見かけるTiDBってなんだ? - Findy
pingcap0315
2
750
Tableau事例紹介 / Tableau Case Study of Eureka
kazuya_araki_tokyo
1
180
自己改善からチームを動かす! 「セルフエンジニアリングマネージャー」のすゝめ
shoota
5
160
元インフラエンジニアに成る / Human Resources to Human Relations
bobtani
4
890
複雑な構成要素を持つUIとの向き合い方 〜新・支出グラフでの実例〜 / B43 TECH TALK
nakamuuu
0
140
ChatGPT for IT Service Management (IT Pro)
dahatake
7
1.5k
SIEMを用いて、セキュリティログ分析の可視化と分析を実現し、PDCAサイクルを回してみた
coconala_engineer
0
280
どうするコスト最適化のトレードオフ
tetsuyaooooo
1
480
On Your Data を超えていく!
hirotomotaguchi
2
650
プロトタイピングによる不確実性の低減 / Reducing Uncertainty through Prototyping
ohbarye
5
370

Featured

See All Featured
Understanding Cognitive Biases in Performance Measurement
bluesmoon
7
990
Done Done
chrislema
178
15k
Automating Front-end Workflow
addyosmani
1356
200k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
125
32k
Fantastic passwords and where to find them - at NoRuKo
philnash
37
2.5k
Creatively Recalculating Your Daily Design Routine
revolveconf
210
11k
Code Review Best Practice
trishagee
55
15k
Building Adaptive Systems
keathley
31
1.9k
Become a Pro
speakerdeck
PRO
11
4.5k
Building Your Own Lightsaber
phodgson
99
5.7k
Bootstrapping a Software Product
garrettdimon
PRO
302
110k
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3k

Transcript

  1. Headless Drupal #HeadlessDrupal

  2. Ruben Teijeiro @rteijeiro Drupal Hero

  3. drupalhero.es

  4. 1xINTERNET.de

  5. Conil

  6. Front-end technologies evolve faster than Back-end technologies

  7. None

  8. Web Applications Software Evolution

  9. Custom Development from Scratch

  10. Popular CMSs

  11. Web Applications Architecture Evolution

  12. Corporative Website

  13. None
  14. None
  15. None

  16. Monolithic Application

  17. None

  18. Microservices

  19. Web Trends

  20. Mobile Web/Apps

  21. Browserless Devices

  22. Internet of Things

  23. Market Trends

  24. Content Repositories https://www.acquia.com/products-services/acquia-content-hubvid

  25. Digital Assets Management

  26. Commercial API-frst CMSs https://www.contentful.com

  27. Open Source API-frst CMSs https://getdirectus.com

  28. What is Drupal doing to catch up with this trends?

  29. Loosely Coupled Architecture

  30. I love Twig!! Drupal 8 Front-end is @mortendk Certifed

  31. Dynamic Page Cache https://www.drupal.org/docs/ 8/core/modules/dynamic- page-cache/overview

  32. Big Pipe https://www.drupal.org/docs/8/core/modules/bigpipe/overview

  33. Big Pipe https://www.drupal.org/docs/8/core/modules/bigpipe/overview

  34. UX

  35. Accessibility

  36. Multilingual

  37. Security

  38. Drupalgeddon III

  39. Major remote code execution vulnerability CVE-2018-7600 https://www.drupal.org/sa-core-2018-002 CVE-2018-7602 https://www.drupal.org/sa-core-2018-004

  40. None
  41. None

  42. API-First Drupal

  43. Headless Drupal

  44. Decoupling

  45. Decouple Frontend

  46. Visitor-facing Experience

  47. None
  48. None
  49. None

  50. Accessible Solutions

  51. https://www.drupal.org/project/alexa https://www.youtube.com/watch?v=pZ-tBUdmzpo

  52. Artifcial Intelligence

  53. Chatbots https://www.youtube.com/watch?v=n7XyB1BoDF4

  54. Mixed Reality

  55. Augmented Reality https://www.youtube.com/watch?v=ZroFBG7-P7Q https://www.youtube.com/watch?v=t_5ZaC8YQ_8

  56. Editorial Experience

  57. https://developer.wordpress.com/calypso

  58. Drupal 9?

  59. Drupal Initiatives

  60. API-First Initiative Making Drupal API-frst means making the data stored

    and managed by Drupal available for other software. https://www.drupal.org/node/2757967

  61. JSON API Generate an API server that implements the {json:api}

    specifcation. https://www.drupal.org/project/jsonapi https://www.drupal.org/project/jsonapi_extras

  62. GraphQL https://www.drupal.org/project/graphql http://graphql.org/swapi-graphql @thefubhy

  63. RELAXed Web Services https://www.drupal.org/project/relaxed @dickolsson

  64. Workfow Initiative https://www.drupal.org/node/2721129

  65. http://www.drupaldeploy.org

  66. Progressive Web Apps @nod_ https://www.drupal.org/project/pwa

  67. @prestonso https://github.com/acquia/waterwheel.js https://github.com/acquia/waterwheel.swift

  68. @wimleers https://github.com/acquia/reservoir

  69. Contenta CMS http://www.contentacms.org Contenta is an API-First Drupal distribution

  70. Enhanced Editorial Experiences With Drupal and React

  71. Decoupled In-Place Editing App Drupal 8 + JSON API +

    React

  72. • Full inline editing (WYSIWYG) • Zero latency editing •

    No page reloads • Instant previewing • “App feeling” for editor experience • Easy access to information for visitors (aka non-editors) like in a standard decoupled scenario
  73. None

  74. • Page – Content Entity • Fields - Entity references

    to Paragraphs • Accordion • Moodboard • Text • Image • …
  75. None
  76. None

  77. Pain Points

  78. Performance Complex data structure for JSON- API Possible Solution: GraphQL

  79. Content lock for collaborative editing Possible solutions: • Middleware: Nodejs

    instance • Entity reference revisions

  80. UX Limitations Possible solutions: • Improve editorial experience

  81. Security

  82. JOSE JSON Object Signing and Encryption JWT – JWS –

    JWE https://jwt.io https://speakerdeck.com/rdegges/jwts-suck-and-are-stupid

  83. JWT - JSON Web Tokens Avoid server-side storage for sessions

    but any kind of session implementation will be interceptable if you don't use TLS, including JWT http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions http://cryto.net/~joepie91/blog/2016/06/19/stop-using-jwt-for-sessions-part-2-why- your-solution-doesnt-work/

  84. JWS - JSON Web Signatures A standard that is supposed

    to provide message authentication or digital signatures. Two ways to attack a standards-compliant JWS library to achieve trivial token forgery: • Send a header that specifes the none algorithm be used • Send a header that specifes the HS256 algorithm when the application normally signs messages with an RSA public key. https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/

  85. JWE - JSON Web Encryption Encryption leaves a lot of

    room for potential implementation errors, especially when asymmetric (a.k.a. public-key) encryption is involved. Public-key cryptography should be avoided if possible. https://blogs.adobe.com/security/2017/03/critical-vulnerability-uncovered-in-json- encryption.html

  86. What should we use then?

  87. PASETO Platform-Agnostic SEcurity Tokens Specifcation and reference implementation for secure

    stateless tokens https://github.com/paragonie/paseto

  88. (local): Tamper-proof, short-lived immutable data stored on client machines. e.g.

    remember me on this computer cookies, which secure a unique ID that are used in a database lookup upon successful validation to provide long-term user authentication across multiple browsing sessions.

  89. (public): Transparent claims provided by a third party. e.g. Authentication

    and authorization protocols (OAuth 2, OIDC).

  90. Demo?

  91. More about Security at Drupal HackCamp

  92. Friday 15:30 – Room Softescu

  93. Saturday 11:00 – Room Softescu

  94. Saturday 12:00 – Room Optaros

  95. Saturday 14:00 – Room Softescu JS and Security

  96. Sunday 14:00 – Room Optaros

  97. Resources https://dri.es/working-toward-a-javascript-driven-drupal- administration-interface https://www.drupal.org/project/drupal/issues/2926656 https://github.com/jsdrupal/drupal-admin-ui https://wimleers.com/blog/api-first-drupal-two-big-maintainability- milestones https://www.lullabot.com/articles/drupal-javascript-initiative-the-road- to-a-modern-administration-ui https://www.drupal.org/project/jsdrupal

  98. Join the Code Sprints!!

  99. drupalsurfcamp.com

  100. None
  101. None
  102. None

  103. Questions? ?

  104. What did you think? Please rate this session https://www.surveymonkey.com/r/QTLXNVQ

  105. Thanks!