Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
搞懂 React 和 Rails 作為前後端分離夥伴的麻煩事
Search
tsechingho
August 01, 2023
Programming
270
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
搞懂 React 和 Rails 作為前後端分離夥伴的麻煩事
tsechingho
August 01, 2023
More Decks by tsechingho
See All by tsechingho
Rails 前後端分離方案的良好作法與利弊分析
tsechingho
0
170
有效結構化你的 Rails 專案
tsechingho
0
250
Suit up for frontend and backend development
tsechingho
2
260
gem 'webpack-rails'
tsechingho
0
340
ReactJS and Webpack for Rails
tsechingho
8
800
Ruby on bioinformatics
tsechingho
1
960
extend rails application by rails engine
tsechingho
0
350
ajax nested form and ajax upload in rails
tsechingho
2
870
Other Decks in Programming
See All in Programming
ふつうのFeature Flag実践入門
irof
7
3.7k
Oxlintのカスタムルールの現況
syumai
6
1.1k
Spec Driven Development | AI Summit Lisbon
danielsogl
PRO
0
180
AI 時代のソフトウェア設計の学び方
masuda220
PRO
29
12k
Composerを使ったサプライチェーン攻撃の様子を眺めてみる #phpstudy
o0h
PRO
2
240
DynamoDBには集計系のクエリがないけどなんとかしたい
musan
1
130
LLM Plugin for Node-REDの利用方法と開発について
404background
0
170
Hunting Vulnerabilities in Symfony with LLMs
vinceamstoutz
0
540
Webフレームワークの ベンチマークについて
yusukebe
0
160
The ROI of Quarkus for Spring Boot Applications
hollycummins
0
110
Modding RubyKaigi for Myself
yui_knk
0
920
The NotImplementedError Problem in Ruby
koic
1
710
Featured
See All Featured
The Illustrated Guide to Node.js - THAT Conference 2024
reverentgeek
1
380
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
9
1.4k
Building Applications with DynamoDB
mza
96
7.1k
Context Engineering - Making Every Token Count
addyosmani
9
960
Highjacked: Video Game Concept Design
rkendrick25
PRO
1
390
Stop Working from a Prison Cell
hatefulcrawdad
274
21k
The Curious Case for Waylosing
cassininazir
1
380
Max Prin - Stacking Signals: How International SEO Comes Together (And Falls Apart)
techseoconnect
PRO
0
180
How to Talk to Developers About Accessibility
jct
2
230
16th Malabo Montpellier Forum Presentation
akademiya2063
PRO
0
140
Rebuilding a faster, lazier Slack
samanthasiow
85
9.5k
WENDY [Excerpt]
tessaabrams
11
38k
Transcript
⿈碼科技 TSECHINGHO 2023/07/30 搞懂 React 和 Rails 作為前後端分離夥伴的麻煩事 COSCUP
2023 - Ruby track
前後端架構
RAILS / API END REACT / WEB NEXT / REMIX
/ VITE NGINX CLIENT CREDENTIALS GOOGLE APPLE FACEBOOK SSO DOORKEEPER Browser / CRS VPC AMAZON GITHUB REACT / MOBILE Frontend Backend AUTHORIZATION_CODE / PASSWORD / IMPLICIT AUTHORIZATION_CODE / CLIENT CREDENTIALS / IMPLICIT SSR / SSG
RAILS / API END REACT / WEB NGINX SSO DOORKEEPER
VPC RAILS / VIEW REACT / MOBILE GOOGLE APPLE FACEBOOK AMAZON GITHUB Frontend Backend AUTHORIZATION_CODE / CLIENT CREDENTIALS / IMPLICIT AUTHORIZATION_CODE / PASSWORD / IMPLICIT CSR Browser / CRS
RAILS / API END REACT / WEB NGINX SSO DOORKEEPER
VPC INDEX.HTML VITE COMPILE REACT / MOBILE GOOGLE APPLE FACEBOOK AMAZON GITHUB Frontend Backend AUTHORIZATION_CODE / CLIENT CREDENTIALS / IMPLICIT AUTHORIZATION_CODE / PASSWORD / IMPLICIT CSR Browser / CRS
Next.js
RAILS / API END REACT / WEB NEXT NGINX CLIENT
CREDENTIALS GOOGLE APPLE FACEBOOK SSO DOORKEEPER Browser / CRS VPC AMAZON GITHUB REACT / MOBILE Frontend Backend AUTHORIZATION_CODE / PASSWORD / IMPLICIT AUTHORIZATION_CODE / CLIENT CREDENTIALS / IMPLICIT SSR / SSG
Next.js 伺服器端與⽤⼾端⽤的 程式或資料未區分開 • Server 端 Only 的資料,不要傳到 Client
端 • Index.getInitialProps = async () => {} • Server 端與 Client 端都會執⾏ • getServerSideProps = async () => {} • 僅會在 Server 端執⾏ • getStaticProps = async () => {} • Server 端的環境變數,不要傳到 Client 端 • process.env.PRIVATE_API_ENDPOINT • process.env.CLIENT_SECRET • SSR 和 CSR 的程式混在⼀起 • SSR 和 CSR 的 API Client 不易區分 • Redux actions 也要區分 • Server 端需要哪些 API endpoint ? • Cookies 使⽤ • CSR 可讀 Server 端給的 initial token • sameSite: “strict”, httpOnly, secure • Sever 端安全管理 • Nginx Proxy
CSR with Rails View
RAILS / API END REACT / WEB NGINX SSO DOORKEEPER
VPC RAILS / VIEW REACT / MOBILE GOOGLE APPLE FACEBOOK AMAZON GITHUB Frontend Backend AUTHORIZATION_CODE / CLIENT CREDENTIALS / IMPLICIT AUTHORIZATION_CODE / PASSWORD / IMPLICIT CSR Browser / CRS
Rails View • Initial Page for React • Controller/Action •
Public • Nginx • Initial Props • JSON in data attributes • JSON in script tag document.querySelector('#initial-props') • SSR for SEO • ⽤ Rails view 獨立做⼀份不需登入的⾴⾯? • ⽤ React 做所有需要登入的⾴⾯? • Asset compile & deploy 獨立?Node 環境 • Manifest.json 管理 • ENV 和 Setting 管理 <script id="initial-props" type="application/json"> { "auth": { "accessToken": "xxx", "expiredAt": "ooo" } } </script>
CSR on AWS S3 / Nginx
RAILS / API END REACT / WEB NGINX SSO DOORKEEPER
VPC INDEX.HTML VITE COMPILE REACT / MOBILE GOOGLE APPLE FACEBOOK AMAZON GITHUB Frontend Backend AUTHORIZATION_CODE / CLIENT CREDENTIALS / IMPLICIT AUTHORIZATION_CODE / PASSWORD / IMPLICIT CSR Browser / CRS
CSR 容易遇到的狀況 • ENV 暴露在外 • 讀檔案內容不⽅便 => 只能給後端處理 •
沒地⽅寫暫存檔案 => 只能存 localStorage • SessionStorage / LocalStorage 使⽤ • CSR 存 cache API 資料 • CSR 存 access token, refresh token • 第三⽅ OAuth 登入應對(Google, Apple) • 和⾃有 API 的 Token 驗證與交換 • 效能不佳的狀況 • 視訊 (優化 backend 不⼀定能有效解決) • 照相機 • 畫圖 (canvas) • 截圖 (解析度, 尺⼨) 在 memory 少的狀況下 • Compile & Deploy • Assets 可直接放 CDN 或 AWS S3
Rails API End Point
Public / User / Manager ⾴⾯ • CSR to SSR
API to RAILS API • Access token 取得⽅式安全,依賴後端溝通 • 可⽤在 Public ⾴⾯ • 可⽤在登入後的⾴⾯ • CSR to RAILS API • Access token 取得⽅式不安全 • 不建議⽤在 Public ⾴⾯ • 適合⽤在登入後的⾴⾯
Rails APIs • Restful API • Open API v3 •
Swagger ⽂件撰寫 • GraphQL ⽀援 • CORS 管理 • User Authorization 辨識 • Access token 和 user_id 對應 • OAuth Scope 實作 • Doorkeeper OAuth 2 Grant Flow • authorization_code • client_credentials • implicit • password • 辨識 OAuth Application 來源 (CRS/SSR) • 辨識第三⽅ OAuth Provider (Google, Apple) • Access Token 驗證
Demo with Next.js https://github.com/goldenio/rails-nextjs-demo
RAILS / API END REACT / WEB NEXT NGINX GOOGLE
APPLE FACEBOOK SSO DOORKEEPER Browser VPC AMAZON GITHUB Frontend Backend CLIENT CREDENTIALS (BAD) + API ACCESS with TOKEN AUTHORIZATION_CODE / CLIENT CREDENTIALS / IMPLICIT SSG
RAILS / API END REACT / WEB NEXT NGINX CLIENT
CREDENTIALS GOOGLE APPLE FACEBOOK SSO DOORKEEPER Browser VPC AMAZON GITHUB Frontend Backend API ACCESS with TOKEN AUTHORIZATION_CODE / CLIENT CREDENTIALS / IMPLICIT SSG
RAILS / API END REACT / WEB NEXT NGINX CLIENT
CREDENTIALS GOOGLE APPLE FACEBOOK SSO DOORKEEPER Browser VPC AMAZON GITHUB Frontend Backend AUTHORIZATION_CODE / CLIENT CREDENTIALS / IMPLICIT SSG API ACCESS with TOKEN
RAILS / API END REACT / WEB NEXT NGINX CLIENT
CREDENTIALS GOOGLE APPLE FACEBOOK SSO DOORKEEPER Browser / CRS VPC AMAZON GITHUB Frontend Backend AUTHORIZATION_CODE / CLIENT CREDENTIALS / IMPLICIT SSR API ACCESS with TOKEN /api/users
Recap
什麼原因要前後端分離 • ⼤公司應該以各團隊的需求為主 • PM 與設計團隊⽅便前期 Demo 作業 • 前端團隊和後端團隊⽅便各⾃維護
Feature, Repo, Infra, Deploy 作業 • DevOps 團隊基於安全、效能等要求 • ⼩公司應該以專案的特性為主 • 客⼾要求 • 團隊技術推進
• Repo 規劃:Mono repository 或 multiple repositories 看團隊運作 • 環境變數:前後端減少重複定義,不要隨意暴露到
Client 端 • 專案設定值:Single source,前後端減少重複定義,分清楚 development 和 production 的設定 • Asset 管理:統⼀由 Rails 或 Node.js 端編譯檔案,管理 manifest.json • 開發環境:保持前後端完整性,有 https 網址可⽤,需容易除錯 • 部署:⾃動化部署前後端,是否要 Docker 化 • Nginx 設定:規劃好 Location 與 Proxy,靜態檔案對應 • Credentials 取得:注意安全性,使⽤合適的 Grant 模式 • Credentials 保存:注意安全性,存放在適當的地⽅(SessionStorage、LocalStorage、Cookies) • 多樣登入⽅式的 token 交換:注意雙向認證,有效時間,Refresh ⽅式 • API 規劃:是否依⾓⾊(Public / User / Manager)區分端點,是否⽤ token 辨識⾓⾊與使⽤情境 • CSR 安全:CORS 管理 • CSR 和 SSR 區分:程式容易辨識 • E2E 溝通準則:請寫⽂件說明
View Component + Lookbook + Tailwind Alpine.js +
Turbo + Stimulus
tsechingho
irof
syumai
danielsogl
masuda220
o0h
musan
404background
vinceamstoutz
yusukebe
hollycummins
yui_knk
koic
reverentgeek
irinanazarova
mza
addyosmani
rkendrick25
hatefulcrawdad
cassininazir
techseoconnect
jct
akademiya2063
samanthasiow
tessaabrams
