REST module final report

Posted by klausi

This is my final report (for now) on the Restful Web Services module I have been working on for Drupal 8. I'm looking for further funding to finish off some remaining tasks, so if you want to support any professional effort just contact me.

Read the previous status report if you are not fully up to date. Thanks again to Acquia and epiqo for this opportunity to focus on Drupal core development.

What do we have so far?

  • We have full CRUD support for EntityNG with GET, POST, PATCH and DELETE HTTP requests. We also have PUT as an additional update operation, but we are currently discussing the removal of PUT support for EntityNG in core.
  • Configurable serialization formats: resources can be requested in JSON and XML out of the box. Also, HAL is planned as the future canonical format in Drupal core. Note that REST module allows contributed modules to add or replace any format they would like to support without any change to the implemented CRUD logic.
  • Configurable HTTP methods: it is possible to configure which HTTP operations should be allowed for a resource. Example: GET is allowed on node resources, but PATCH, POST and DELETE are forbidden.
  • Views data export: we have a display plugin in REST module that allows you to easily create a customized listing of resources and their fields. That collection is also available in all the serialization formats like XML and JSON.
  • Entity and field level access control: REST module needs to respect access grants that restrict certain entities or fields from being viewed or edited. The work on this is not yet committed, but it is pretty far already as you can see in the field level access issue and the REST access control issue.
  • CSRF security: allowing cookie/session based authentication in REST APIs opens the door to CSRF attacks on write operations, so we introduced an X-CSRF-Token header that is required for such requests. This is a common pattern in other web frameworks as well, like Django and Ruby on Rails.
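
To make the CSRF point concrete, here is an added, framework-neutral sketch of the check described above; it is not code from the REST module, and the cookie name, token derivation (HMAC of the session id under a server secret) and sample values are assumptions:

```python
import hmac
import hashlib

# Methods that must never change state; CSRF protection is not needed for them.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Write methods listed in the report for entity resources (PUT still under discussion).
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def csrf_token(session_id: str, secret: bytes) -> str:
    """Derive the per-session token a client must echo back in X-CSRF-Token.

    Assumed scheme (not Drupal's own): HMAC-SHA256 of the session id under a
    server-side secret, so the token is bound to the session and cannot be
    forged without the secret.
    """
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def check_write_request(method: str, headers: dict, cookies: dict, secret: bytes) -> tuple:
    """Decide whether a request may proceed; returns (allowed, reason).

    Only cookie-authenticated write requests are at risk: a cross-site form or
    image tag makes the browser attach the session cookie automatically, but it
    cannot add a custom header, so requiring X-CSRF-Token stops the forged request.
    """
    method = method.upper()
    if method in SAFE_METHODS:
        return True, "read-only method"
    if method not in WRITE_METHODS:
        return False, "method not allowed"
    session_id = cookies.get("SESS")  # cookie name is a constructed placeholder
    if session_id is None:
        # No ambient credential to abuse; entity access control decides the rest.
        return True, "no session cookie, not a CSRF candidate"
    supplied = {k.lower(): v for k, v in headers.items()}.get("x-csrf-token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(supplied, csrf_token(session_id, secret)):
        return False, "missing or invalid X-CSRF-Token"
    return True, "token valid"


# Constructed sample requests for one logged-in session (secret and id are made up).
SECRET = b"constructed-site-secret"
SESSION = {"SESS": "abc123"}
forged = check_write_request("DELETE", {}, SESSION, SECRET)  # cookie only, no header
legit = check_write_request("PATCH", {"X-CSRF-Token": csrf_token("abc123", SECRET)}, SESSION, SECRET)
```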

So those are some solid accomplishments so far, but ...

Work left to get REST module working in a more useful way

  • EntityNG conversion: REST module does not work at all for now, because most entities have not been converted to EntityNG yet. We can test and play with the entity_test entity, but it is really time now to make nodes, users, terms and all the others ready to be used with REST.
  • Entity validation: when entities are POSTed or PATCHed over the REST API we want to prevent invalid data from reaching the database. Therefore we want to use a common system shared with Drupal's form API to check the input data against constraints and return validation errors if needed. Work has not started here, because the underlying validation system and the typed data API are not ready right now.
  • Authentication support for HTTP Basic Auth and possibly OAuth: using web services with cookie/session based authentication is a bit ugly, so we need alternative authentication mechanisms that are widely used. HTTP Basic Auth could make it into Drupal core, OAuth is surely a high priority feature for Drupal 8 contrib.
  • Module documentation on drupal.org: we don't have a general page yet that explains the workings of REST module and we don't have more detailed API documentation. Some things are still subject to change, but I think we can safely start documenting at least the architecture now.
  • REST configuration per entity bundle: it might be useful to only enable the REST API for a certain bundle instead of all bundles of the entity type. Example: I might want to expose node blog articles, but not node static pages and surely not node intranet pages. You could argue that we have covered that with the access control mentioned above anyway, but it might be even cleaner if we make the bundles explicitly configurable to be excluded or included.

As always: feel free to jump in where you want and take part in the REST issue queue.

Thank you all!

Comments

dsnopek:

Thanks for your hard work on this! I'm really looking forward to experimenting with it. I'm hoping the Node EntityNG port will be merged soon, so the real fun can begin. ;-)

Best regards,
David.

Web Services and Context Core Initiative
