Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Headless Drupal and Security

Headless Drupal and Security

"The front-end moves faster than Drupal, whether Drupal likes it or not" This reference from "The state of the Front-end" session at DrupalCon Amsterdam explains that we need different ways to retrieve content from a Drupal site for an easy integration with new front-end frameworks and other 3rd-party applications. This allows non-experienced front-end developers to start theming Drupal using the tools they are used to, providing at the same time multiple integrations with other platforms through APIs. Currently there is a debate about how to achieve this and what direction Drupal will take in the future. In this workshop there will be explained different approaches to solve common problems and what possible solutions are provided by Drupal and its contributed modules. You can join this discussion, share your thoughts and experiences with others, and help Drupal to go on the right track. The session will also include a case study of a React application and what authentication methods are suitable for decoupled apps and Drupal.

Ruben Teijeiro

June 08, 2018
Tweet

More Decks by Ruben Teijeiro

Other Decks in Technology

Transcript

  1. UX

  2. API-First Initiative Making Drupal API-frst means making the data stored

    and managed by Drupal available for other software. https://www.drupal.org/node/2757967
  3. JSON API Generate an API server that implements the {json:api}

    specifcation. https://www.drupal.org/project/jsonapi https://www.drupal.org/project/jsonapi_extras
  4. • Full inline editing (WYSIWYG) • Zero latency editing •

    No page reloads • Instant previewing • “App feeling” for editor experience • Easy access to information for visitors (aka non-editors) like in a standard decoupled scenario
  5. • Page – Content Entity • Fields - Entity references

    to Paragraphs • Accordion • Moodboard • Text • Image • …
  6. JOSE JSON Object Signing and Encryption JWT – JWS –

    JWE https://jwt.io https://speakerdeck.com/rdegges/jwts-suck-and-are-stupid
  7. JWT - JSON Web Tokens Avoid server-side storage for sessions

    but any kind of session implementation will be interceptable if you don't use TLS, including JWT http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions http://cryto.net/~joepie91/blog/2016/06/19/stop-using-jwt-for-sessions-part-2-why- your-solution-doesnt-work/
  8. JWS - JSON Web Signatures A standard that is supposed

    to provide message authentication or digital signatures. Two ways to attack a standards-compliant JWS library to achieve trivial token forgery: • Send a header that specifes the none algorithm be used • Send a header that specifes the HS256 algorithm when the application normally signs messages with an RSA public key. https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
  9. JWE - JSON Web Encryption Encryption leaves a lot of

    room for potential implementation errors, especially when asymmetric (a.k.a. public-key) encryption is involved. Public-key cryptography should be avoided if possible. https://blogs.adobe.com/security/2017/03/critical-vulnerability-uncovered-in-json- encryption.html
  10. (local): Tamper-proof, short-lived immutable data stored on client machines. e.g.

    remember me on this computer cookies, which secure a unique ID that are used in a database lookup upon successful validation to provide long-term user authentication across multiple browsing sessions.