When you enable the JSON:API module you're significantly increasing the attack surface of your application. So it's a good idea to make sure that you understand the implications of doing so, and how to mitigate potential security issues. In most cases it doesn't require much work to do, but it's worth taking the time to make sure you've done it right.

In this tutorial we'll learn:

• What JSON:API already does to keep you secure
• How to protect against common attacks
• How to limit access to resources exposed by JSON:API

By the end of this tutorial you should know what to look for when auditing your JSON:API configuration to help prevent against common attacks.

By default, the JSON:API returns all the available data for an object in its response. Using JSON:API sparse fieldsets you can increase the performance of your consumer application by reducing the fields in the returned response object to just those that you need.

In this tutorial, we will learn how to reduce the output to get exactly the information that we need from the API.

This is one of the most important features of modern APIs like JSON:API.

By the end of this tutorial, you'll know what sparse fieldsets are, the role they fulfill, and how to use them when requesting data from a JSON:API server.

Whenever we need our consumer application to change the contents of an entity we will need to issue a PATCH request. The JSON:API module will process that request and update the entity with the provided values.

In this tutorial, we'll:

• Define the appropriate HTTP headers for a PATCH request
• Construct the JSON object used to update an entity
• Issue a PATCH request that will update an entity in our Drupal backend

By the end of this tutorial, you should know how to update content via the JSON:API.

In the last several years REST has been the de facto standard for web services. However, there are several common problems when developing websites and digital experiences with the traditional REST implementations. Luckily, those issues have solutions, either complete or partial.

Modern web service specifications like JSON:API and GraphQL implement those solutions, although they differ slightly in their implementation.

In this tutorial we will learn about:

• The problems of traditional REST implementations
• Common solutions to those problems, and how JSON:API and GraphQL deal with them

By the end of this tutorial you'll be able to explain some of the common pitfalls of REST-based APIs, and how JSON:API and GraphQL address those issues.

In the previous tutorials, we learned to install and configure the Simple OAuth module. We also learned how to generate authentication tokens using different grants. In this tutorial, we will learn how to use a token to authenticate a request for a given Drupal user, and:

• Check if a particular route supports a specific type of authentication, oauth2 in particular
• Send an authentication token, like the ones we acquired in the previous tutorial in order to prove to Drupal that the request is made by a specific user

By the end of this tutorial you should be able to make authenticated requests, as a specific user, to your API.

In order to authenticate a request against the API server, we need to send an authentication token along with the request. For that we need to first obtain the token from the server. The various ways we can get a token from the server are called grants. Using one of them, we will obtain an access token and a refresh token.

In this tutorial we will:

• Learn how OAuth 2 grants work
• Learn how to generate and request authentication tokens
• Learn how to generate and request refresh tokens

By the end of this tutorial you should be able to exchange a user name and password for OAuth 2 authentication and refresh tokens so that your API client can make authenticated requests.

The Simple OAuth module can be used to configure Drupal as an OAuth 2 authentication provider. Doing so will allow third-party applications to authenticate users using any of the OAuth flows, and validate their roles and permissions.

If you're creating applications that access Drupal's data and need to act like a logged-in user you'll want to use OAuth for authentication. There are 2 steps to accomplishing this: first, you'll need to set up Drupal to act as an authentication provider (this tutorial). Second, you'll need to make the appropriate HTTP requests to obtain an access token, which is covered in the next tutorial, Make an Authenticated Request Using OAuth 2.

In this tutorial we will:

• Learn how to install the Simple OAuth Drupal module
• Configure the Simple OAuth module so we can generate tokens that can authenticate users in Drupal
• Demonstrate what the responses generated by the Simple OAuth module look like

By the end of this tutorial you should know how to install and configure the Simple OAuth module.

The term web services has been around for quite a while. Given that web services is such a broad topic, let's define what web services are and how we are going to refer to them throughout this series so we are all on the same page.

This tutorial is an introduction to web services that will help you:

• Learn what a web service is.
• Understand that this series focuses on HTTP web services, and mostly on REST principles.
• Get some examples of APIs in the wild and what type of consumers they have.

By the end of this tutorial, you'll be able to define what web services are, and how we'll use the term in the context of these tutorials.

Do you know some PHP and want to learn how to create a custom page at a custom URL in Drupal? You're in the right place.

Every web framework has the same job: provide a way for developers to map user-accessible URLs with code that builds the page. Routes, controllers, and responses are what module developers use to create pages at custom URLs in a Drupal site.

In this tutorial, we'll:

• Define what routes, controllers, and responses are.
• Explain the routing workflow that Drupal uses to match a URL to a route.
• Define routing system-related terms like parameter and upcasting.

By the end of this tutorial, you should be able to explain how a developer uses routes, controllers, and responses to create custom pages in a module.

Want to know if the person that's viewing your custom block is authenticated? Need to change the elements visible on the page based on a user's permissions or roles? Want to display a welcome message for users returning to your site?

All of these things require knowing who the user is that's currently accessing a page. This can be accomplished by using the current_user service to load an object that contains information about the current user as well as methods for checking permissions, and retrieving additional information.

In this tutorial we'll:

• Define what "current user" means
• Use the current_user service to retrieve an implementation of \Drupal\Core\Session\AccountInterface
• Retrieve information about, and check the permissions of, the current user

By the end of this tutorial you should be able to retrieve and make use of information about the applications current user in order to perform logic in your code that customizes the response for different users.

React is a JavaScript library that makes it easy to create interactive user interfaces. Drupal is a content management system with a powerful web services API. React and Drupal can work together in a couple of different ways. This series of tutorials explores some of those options, and the related concepts and terminology.

Our goal is to provide you with some baseline information you can use to get started integrating React and Drupal together. After you've completed these tutorials you should be able to better envision how to use these two technologies to solve some of your own issues. We hope you'll come away from this with enough knowledge to start exploring further on your own. We link to external resources liberally, and encourage you to explore beyond the examples we provide, read the linked resource, and dig in. There's no substitute for exploration and experimenting with real code when it comes to learning these things.

In this series we'll:

• Introduce the technical side of React, terminology, and information about where to find more resources
• Learn about using Drupal, and the JSON:API module, to turn Drupal into a powerful web services API provider
• Learn about the use cases for adding React to a Drupal site
• Walk through increasingly complex code examples that start with a "Hello World!" application, and end with a fully decoupled application that can list, create, update, and delete content in Drupal
• Learn about how to authenticate a Drupal user via an API using React
• Contrast, through example code and use cases, the differences between integrating React into an existing Drupal theme or module and creating a stand-alone React application
• And more!

Before we start writing any React code, let's go over some basic concepts and terminology. Throughout this series we'll assume you're familiar with these things. They'll come up again and again as you work on projects that involve React, so it's worth taking the time to learn them.

In this tutorial we'll cover the following at a high level, and provide links to resources:

• Why choose React?
• What are React components?
• What are hooks, state, and JSX?
• The role of build tools when developing React applications

By the end of this tutorial you should have a firm grasp of the fundamental concepts and terminology necessary to start creating React applications.

React and Drupal can be used together in two different ways: fully decoupled, also known as headless; or progressively decoupled.

In this tutorial we'll talk about the differences between these two approaches, including:

• Defining what each method refers to
• Considerations regarding hosting, performance, and access

Then we'll link to lots of additional reading materials so you can gain a deeper understanding of the subject.

By the end of this tutorial you should be able to define what decoupled and progressively decoupled mean, and how they differ from one another.

Writing a React application requires including the React JavaScript library in the page, writing some React-specific JavaScript, and then binding it to a specific DOM element on the page. You may also want to include existing packages from the npm ecosystem, and use modern JavaScript (ES6+) features, which necessitates setting up a build toolchain for your JavaScript using a tool like Webpack or Parcel.

There are a lot of different ways you could go about setting this all up. Do you add React via a theme or a module? Do you need a build tool? Should you use Webpack, or Babel, or Parcel, or something else? While we can't possibly cover all the different approaches, we can help you figure out what is required, and you can adapt our suggestions to meet your needs.

In this tutorial we'll:

• Create a new custom theme with the required build tools to develop React applications
• Add a DOM element for our React application to bind to
• Create a "Hello, World" React component to verify everything is working

By the end of this tutorial you'll know how to configure everything necessary to start writing React within a Drupal theme.