Support "backend only" applications

[tmtrademarked]

Is your feature request related to a problem? Please describe.
One of our services is logically a "backend only" application using Solidus. We're using Solidus to power the database models, etc as well as provide a friendly framework for an admin user interface. We then use other internal APIs to communicate with it (gRPC, Kafka, etc)

But it seems like the solidus_backend gem ends up including the solidus_api gem under the hood - which means our application technically exposes all of the API routes exposed by a normal Solidus application, which isn't what we want. We don't want to have routes that we aren't explicitly using, since then we have to take care to secure/maintain/monitor those routes as well.

Describe the solution you'd like
Ideally, I'd love to see a world where solidus_backend only mounts the routes needed for the admin interface, not all of the routes of solidus_api. (At least, this is what seems to be happening - I apologize if my understanding of the route framework is incorrect!)

Describe alternatives you've considered
I've looked at removing/aliasing/etc, but thus far, no solution has felt maintainable, especially if solidus_api adds more functionality in the future.

[aldesantis]

@tmtrademarked 👋 Unfortunately, I don't think there's a good way to do what you're asking right now (other than removing all the routes from solidus_api with some hack that leverages Rails internals, but that doesn't seem very robust).

One way we could do it is by creating a preference in solidus_api that determines whether the engine should only create the routes that are required by the backend or all of them, e.g.

# config/initializers/spree.rb

# when true, solidus_api only creates the routes
# that are needed by the backend 
Spree::Api::Config[:backend_routes_only] = true

Would something like that work for your use case?

[tmtrademarked]

Something like that sounds like it would work perfectly! That would be a totally fine solution from my perspective.

[aldesantis]

Got it, I think that makes sense too and we shouldn't have any issues implementing in a backwards-compatible manner, since the setting would be false by default. Can't promise anything right now because I haven't thought through the edge cases yet, but I'll try to do a spike in the next few days. 🙂

[kennyadsl]

I think the way to go here is to remove the dependency we have in solidus_backend from the API by just using Rails. I closed the PR with the implementation proposed by @aldesantis because it didn't go ahead after some reviews, and I think we should change the approach, resolving the issue at its root.

[aldesantis]

I agree. Thinking about this at a higher level, our goal should be to make each gem completely independent of the others (other than solidus_core).

[jarednorman]

Agreed. I would like to see the admin powered by it's own endpoints, rather than this implicit dependency between the two components.