https://github.com/drupal-graphql/drupal-decoupled-app might be useful.
- We want frontend (React) and backend (Drupal) in one repository to have pull requests that can change both at a time.
- Add a "frontend" folder for React
- PHP vendor folder is committed (no composer runs on deployment)
We need to run 2 domains:
- example.com (React frontend with Next.js server)
- backend.example.com (Drupal backend with Nginx/PHP)
GraphQL:
- https://www.drupal.org/project/graphql (start with 3.x, look into 4.x)
- https://www.drupal.org/project/graphql_search_api
JSON API (fallback for use cases that are difficult in GraphQL)
We need a module/config that blocks all access to the HTML Drupal backend except for admin users.
Deployment steps:
- Git pull
- Drupal: drush updb -y
- Drupal: drush cr
- Drupal: sync images/static assets to web folder
- React: npm install?
- Next.js server: reload?
How does the React client in the browser know that a new version was deployed and refreshes itself?
How can we cache npm install in case a dependency goes missing?
Authentication options:
- Cookies?
- JSON web tokens? https://www.drupal.org/project/jwt
- OAuth simple_oauth module
Requirement:
- When I'm logged in as admin on the frontend, I'm automatically logged in on the backend.
- Dev sites: how do we protect them from public access if the Authorization header is used for JWT/OAuth? Basic Auth does not work in that case, since it needs the same Authorization header.
- How do we translate user-facing strings in React?
- Is there an API module that fetches translation strings from the Drupal backend?
- User login: how do you get a JWT from a user name + password? How can we avoid writing this security critical code ourselves (flood protection, check if user blocked etc.)
- How does GraphQL protect against CSRF?
- How do we protect the GraphQL API against bots, for example the user registration endpoint?
- how do you invalidate JWTs if you want to log out all users? What is a good expiration time for JWTs?
- Types: when should we define our own types? For example a String as JWTAccessToken?
- Errors vs. violations in GraphQL
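The CSRF question above depends on the authentication choice listed earlier (cookies vs. JWT in the Authorization header). The following is an added example, not code from these notes or from the drupal-decoupled-app project: a request check for the GraphQL endpoint, written as a pure function plus an Express/Next.js-style middleware. It assumes the frontend origin is https://example.com and that the request object exposes lowercase header names.

```javascript
// Added example: CSRF guard for a GraphQL endpoint that may be called with a
// session cookie (forgeable cross-site) or a Bearer token (not forgeable, since
// browsers never attach an Authorization header on their own).
// Assumed request shape: { method, headers: { [lowercaseName]: value } }.

const ALLOWED_ORIGINS = new Set(['https://example.com']); // assumed frontend origin

function originOf(headers) {
  // Prefer Origin; fall back to the Referer's origin where Origin is absent.
  if (headers.origin) return headers.origin;
  if (headers.referer) {
    try { return new URL(headers.referer).origin; } catch { return null; }
  }
  return null;
}

function csrfCheck(req, allowedOrigins = ALLOWED_ORIGINS) {
  const h = req.headers || {};
  const method = (req.method || 'GET').toUpperCase();
  // Only state-changing methods are guarded; GraphQL mutations must use POST,
  // and GET is reserved for queries that change nothing.
  if (method === 'GET' || method === 'HEAD' || method === 'OPTIONS') return { ok: true };
  // Bearer-only requests cannot be forged by a third-party page.
  const auth = h.authorization || '';
  if (/^bearer\s+\S+/i.test(auth) && !h.cookie) return { ok: true };
  // Cookie-authenticated (or anonymous) mutations: require a JSON body, which
  // a plain HTML form cannot send, and an Origin from the allowlist.
  const ct = (h['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (ct !== 'application/json') return { ok: false, reason: 'content-type must be application/json' };
  const origin = originOf(h);
  if (!origin) return { ok: false, reason: 'missing Origin/Referer' };
  if (!allowedOrigins.has(origin)) return { ok: false, reason: `untrusted origin ${origin}` };
  return { ok: true };
}

// Middleware in Express / Next.js API-route style, built on the pure check.
function csrfMiddleware(req, res, next) {
  const result = csrfCheck(req);
  if (!result.ok) return res.status(403).json({ errors: [{ message: result.reason }] });
  next();
}
```

A rejected request surfaces as a GraphQL-style `errors` array with HTTP 403, so the React client can distinguish it from a schema violation inside a 200 response.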