Web Services in Drupal

Drupal has a rapidly developing and powerful set of tools for working with web services. More and more sites are moving to a decoupled CMS architecture. Even if you are not creating a fully decoupled site, exposing aspects of your site through a web service API is a common task in modern web development. This series will teach you everything you need to know in order to use Drupal core and contributed modules to build a web services API with Drupal as the backend.

This series looks at important topics regarding the architecture of your API like presentation versus content, security, and documentation. It also examines common pitfalls in REST APIs and how to address them in order to ensure consistency and performance. Throughout the series the examples are primarily focused on creating a REST API that uses the JSON API specification, but the concepts apply equally well to GraphQL or other formats.

For the purpose of this series, we are going to talk about APIs as the collection of features provided by Drupal modules that allow us to read and write content (nodes, taxonomy terms, users, etc.) and configuration (blocks, menus, permissions, etc.) using HTTP messages. During the course of this series, we will assume some level of familiarity with HTTP concepts such as its methods (often called verbs) and headers. However, we'll provide links to additional resources for these concepts along the way, just in case you need a refresher.

Note: Just getting started with the idea of decoupling, or the concept of headless Drupal? Take a look at our Decoupled Drupal series to learn what these terms mean, and when and why you might want to build a web services API with Drupal. Then come back here and learn how to do exactly that.

Author, Mateu Aguiló Bosch

We are very honored to present this series written by Mateu Aguiló Bosch (e0ipso). Mateu is one of the creators of the Drupal JSON API module, amongst others, and a member of the Drupal 8 API-first initiative team. He's also part of the team that created Contenta CMS, an API-first Drupal distribution designed to be a great platform for decoupled Drupal projects.

Tutorials in this course
Categories
Drupal 8, 9, and 10
More information

The term web services has been around for quite a while. Given that web services is such a broad topic, let's define what web services are and how we are going to refer to them throughout this series so we are all on the same page.

This tutorial is an introduction to web services that will help you:

  • Learn what a web service is.
  • Understand that this series focuses on HTTP web services, and mostly on REST principles.
  • Get some examples of APIs in the wild and what type of consumers they have.

By the end of this tutorial, you'll be able to define what web services are, and how we'll use the term in the context of these tutorials.

More information

Traditional Drupal development using the render pipeline allows you to ignore the pitfalls of mixing content and presentation logic in your data model. In a scenario with multiple distribution channels, this separation becomes of critical importance.

In this tutorial we will learn how to:

  • Understand the importance of presentation and content separation (delivering clean content, not caring about how to show that content)
  • Develop strategies to avoid these presentational problems with minimal damage to the content API

By the end of this tutorial you'll have a better understanding of why keeping presentation data out of your content model is important, and some tips for doing so.

More information

Identifing the fields in your data model that contain presentation data is an important part of documenting and planning your API. Examining your existing data model will help put you in the correct mindset when creating or changing it. It is important to reflect on the implications of each field for each hypothetical consumer (even consumers your API is not serving). This process will improve your content model and your API.

In this tutorial we will:

  • Go through the article content type's data model
  • Locate any fields that contain presentation data

The article model is created out of the box by Drupal when using the standard installation profile.

By the end of this tutorial you'll know how to do these checks, and identify presentation data in your content model, on any content type in your project.

More information

In the last several years REST has been the de facto standard for web services. However, there are several common problems when developing websites and digital experiences with the traditional REST implementations. Luckily, those issues have solutions, either complete or partial.

Modern web service specifications like JSON:API and GraphQL implement those solutions, although they differ slightly in their implementation.

In this tutorial we will learn about:

  • The problems of traditional REST implementations
  • Common solutions to those problems, and how JSON:API and GraphQL deal with them

By the end of this tutorial you'll be able to explain some of the common pitfalls of REST-based APIs, and how JSON:API and GraphQL address those issues.

Categories
Drupal 8, 9, and 10
More information

The JSON:API module is our recommended starting point for creating REST APIs with Drupal. JSON:API module is now part of Drupal core as of 8.7, so installing the module no longer requires a separate download step.

In this tutorial we'll:

  • Walk through installing the JSON:API module for Drupal
  • Look at what you get out of the box with the JSON:API module

By the end of this tutorial you should be able to install the JSON:API module, and know what tools it provides you with.

Categories
Drupal 8, 9, and 10
More information

Being able to retrieve resources from an API is a fundamental first step.

In this tutorial we will learn how to:

  • Issue an HTTP request to extract information about a node from the JSON:API server
  • Examine the response from the server

By the end of this tutorial you should know how to use an HTTP Get request to return a resource from the JSON:API server, and know what the default response for the resource will contain.

Categories
Drupal 8, 9, and 10
More information

Drupal allows for a rich data model where entity reference fields can be used to relate any number of different items together in different ways. The data models that you can build with Drupal are often prolific in relationships, which means we need a way to handle these in our API. While Drupal treats a field with a string, and a field with an entity reference the same, JSON:API distinguishes between attributes and relationships.

In this tutorial we'll:

  • Look at how JSON:API represents relationships between two or more resources
  • How to distinguish between an attribute and a relationship in a response object
  • Learn about what information is available for each relationship and how we can use it

By the end of this tutorial, you should have a better understanding of how the JSON:API specification represents relationships modeled using Drupal entity reference fields.

Categories
Drupal 8, 9, and 10
More information

JSON:API includes a way to request a list of entities of a given resource from the server. Collections are the best way to find content based on filters, and to build listings into the consumers. Moreover, collections can be combined with all the options you can apply to a single resource, like sparse fieldsets and includes.

In this tutorial we'll:

  • Learn about what collections are in JSON:API
  • Learn how to request, sort, and paginate lists of content

By the end of this tutorial you should know how to retrieve a list of resources from the JSON:API server, and how to optionally sort and paginate the items in the list.

Categories
Drupal 8, 9, and 10
More information

Embedding resources at the consumer's demand is one of the crucial features of a modern API. We mentioned in Modern Web Services with JSON:API and GraphQL that multiple round trips to the server is harmful for performance. This issue can be overcome by making a request that embeds any required related resources into the response for the resource we're retrieving.

In this tutorial, we'll learn how to use JSON:API's include parameter to embed resources in a response.

By the end of this tutorial, you should be able to make a single request that retrieves multiple embeded resources in order to improve the performance of your application when interacting with a JSON:API server.

Categories
Drupal 8, 9, and 10
More information

By default, the JSON:API returns all the available data for an object in its response. Using JSON:API sparse fieldsets you can increase the performance of your consumer application by reducing the fields in the returned response object to just those that you need.

In this tutorial, we will learn how to reduce the output to get exactly the information that we need from the API.

This is one of the most important features of modern APIs like JSON:API.

By the end of this tutorial, you'll know what sparse fieldsets are, the role they fulfill, and how to use them when requesting data from a JSON:API server.

Categories
Drupal 8, 9, and 10
More information

Collections are a very powerful feature because they allow us to access multiple items at the same time. However, in many situations we do not want to access all the entities of a given type, but only the ones that meet some specific criteria. In order to reduce the set of entities in the collection to the ones we care about, we use filters.

In this tutorial we will:

  • Look at the filter query string parameter and how it can be used with JSON:API collections
  • Learn how to use filters in combination with the JSON:API module for Drupal to reduce the list of entities in a collection

By the end of this tutorial you should be able to request a list of entities in the form of a JSON:API collection and filter that list to include only the entities that match a specific set of requirements.

More information

Includes and filters are really powerful features. When combined together you can achieve almost any query your consumer application needs. Fancy filters we mentioned in a previous tutorial allow us to filter a collection based on fields of related entities, in addition to the fields directly under that entity.

In this tutorial we will:

  • Learn about filtering based on data in related resources
  • Filter based on multiple conditions and multi-value fields
  • Demonstrate how to filter a collection of articles based on author or tags

By the end of this tutorial you should be able to use nested filters in conjunction with relationships to further refine the list of content returned in a JSON:API collection.

Categories
Drupal 8, 9, and 10
More information

When you are implementing an HTTP API for a decoupled project, one of the critical, but often overlooked, aspects is the API documentation. Documenting your API will allow front-end developers (and you six months from now) to learn how to use that particular API.

In Drupal, there are several modules that can read your site configuration and generate documentation for you automatically.

In this tutorial we're going to:

  • Learn about the importance of good documentation.
  • Decide whether or not to use an existing specification for our API such as JSON:API or GraphQL.
  • Review options for automatically generating documentation.

By the end of this tutorial you'll be able to decide whether or not using an existing documentation specification is a good fit for your project, and choose an option based on those available for use with Drupal.

More information

It is important to have good up-to-date documentation about your web services. Doing so will boost developer productivity in a decoupled project. Drupal offers several tools that help maintain your API documentation with minimal effort.

In this tutorial we'll:

  • Learn about the JSON schema format for describing data structures
  • Generate schemas for our fake articles REST resource
  • Visualize those schemas in a human-readable format

By the end of this tutorial you should be able to generate documentation for your REST resources that is kept up-to-date automatically by Drupal.

More information

In a monolithic architecture (non-decoupled) there is an implicit proof that the user in the front-end is the same one in the back-end. This empowers the front-end to offload all the authentication and authorization to the back-end, typically using a session cookie. In a decoupled architecture there will be multiple consumers, and some of them will not support using cookies. There are several alternatives to session cookies to authenticate our requests in a decoupled project.

In this tutorial we will:

  • Learn about authorization versus authentication
  • The impact on a decoupled project of having logged in users
  • Learn about the available options for authentication when using a Drupal back-end.

By the end of this tutorial you should be able to explain the difference between authentication and authorization and know how to get started implementing both in a Drupal-backed web services API.

More information

The Simple OAuth module can be used to configure Drupal as an OAuth 2 authentication provider. Doing so will allow third-party applications to authenticate users using any of the OAuth flows, and validate their roles and permissions.

If you're creating applications that access Drupal's data and need to act like a logged-in user you'll want to use OAuth for authentication. There are 2 steps to accomplishing this: first, you'll need to set up Drupal to act as an authentication provider (this tutorial). Second, you'll need to make the appropriate HTTP requests to obtain an access token, which is covered in the next tutorial, Make an Authenticated Request Using OAuth 2.

In this tutorial we will:

  • Learn how to install the Simple OAuth Drupal module
  • Configure the Simple OAuth module so we can generate tokens that can authenticate users in Drupal
  • Demonstrate what the responses generated by the Simple OAuth module look like

By the end of this tutorial you should know how to install and configure the Simple OAuth module.

More information

In order to authenticate a request against the API server, we need to send an authentication token along with the request. For that we need to first obtain the token from the server. The various ways we can get a token from the server are called grants. Using one of them, we will obtain an access token and a refresh token.

In this tutorial we will:

  • Learn how OAuth 2 grants work
  • Learn how to generate and request authentication tokens
  • Learn how to generate and request refresh tokens

By the end of this tutorial you should be able to exchange a user name and password for OAuth 2 authentication and refresh tokens so that your API client can make authenticated requests.

More information

In the previous tutorials, we learned to install and configure the Simple OAuth module. We also learned how to generate authentication tokens using different grants. In this tutorial, we will learn how to use a token to authenticate a request for a given Drupal user, and:

  • Check if a particular route supports a specific type of authentication, oauth2 in particular
  • Send an authentication token, like the ones we acquired in the previous tutorial in order to prove to Drupal that the request is made by a specific user

By the end of this tutorial you should be able to make authenticated requests, as a specific user, to your API.

More information

JavaScript applications are the most common type of consumers. They are commonly used to create a website that runs in a web browser. Running decoupled applications in the browser will involve Cross-Origin Resource Sharing (CORS), which requires some setup on the Drupal side in order to work.

In this tutorial we'll:

  • Learn about what CORS is and when/why we need to care about it
  • Configure Drupal to return an appropriate CORS header, enabling browser-based consumers access to our API

By the end of this tutorial you will have a better understanding of CORS, and how to configure Drupal to serve an API that works with CORS.

More information

Often, web services require the user to create content. Votes on content, ratings, comments, and user-submitted stories are good examples of this. The JSON:API module supports the creation of entities by sending data in POST requests.

In this tutorial we will:

  • Add an appropriate set of HTTP headers to a request that generates a new entity
  • Construct a JSON object for the entity we want to create
  • Issue a POST request that creates a new article node in Drupal

By the end of this tutorial you should be able to create a POST request that creates a new entity of any type via the JSON:API.

More information

Whenever we need our consumer application to change the contents of an entity we will need to issue a PATCH request. The JSON:API module will process that request and update the entity with the provided values.

In this tutorial, we'll:

  • Define the appropriate HTTP headers for a PATCH request
  • Construct the JSON object used to update an entity
  • Issue a PATCH request that will update an entity in our Drupal backend

By the end of this tutorial, you should know how to update content via the JSON:API.

More information

Occasionally we need to remove entities from the backend using the API. REST APIs, and in particular JSON:API, use the HTTP DELETE method to accomplish this.

In this tutorial we'll create a request for deleting a single entity. By the end of this tutorial you should be able to issue requests that can delete any entity via JSON:API.

Categories
Drupal 8, 9, and 10
More information

Sometimes unexpected things happen and Drupal needs to generate an error. The JSON:API specification describes how the server should return those errors. Understanding what to expect allows consumers to plan for errors and react gracefully.

In this tutorial we will:

  • Discuss how HTTP errors are used in conjunction with JSON:API
  • Learn about how JSON:API embeds information about the error encountered into the response object

By the end of this tutorial, you should have a basic understanding of the types of errors you can expect to receive when making JSON:API requests and what you can do to handle them.

More information

When you enable the JSON:API module you're significantly increasing the attack surface of your application. So it's a good idea to make sure that you understand the implications of doing so, and how to mitigate potential security issues. In most cases it doesn't require much work to do, but it's worth taking the time to make sure you've done it right.

In this tutorial we'll learn:

  • What JSON:API already does to keep you secure
  • How to protect against common attacks
  • How to limit access to resources exposed by JSON:API

By the end of this tutorial you should know what to look for when auditing your JSON:API configuration to help prevent against common attacks.

This course appears in the following guides:
Categories
Site Building, Theming, Module Development
Drupal 9, 10
Categories
Theming
Drupal 7, 8, 9, and 10