<form.io> is an open source product that enables developers to define APIs using forms. At a high level the platform generates both the API and the user interface for the forms.
The basic building entity on <form.io> is a resource with attributes, which are added using forms and configured with form validation rules. Permissions are used to manage fine-grained access control to resources. APIs are of limited value if they do not include business logic, so actions are available at the resource level. These cover typical tasks such as authentication, password reset, webhooks for third-party integration, and out-of-the-box third-party integration with Office 365, HubSpot, email and SQL queries. As part of API generation, the platform also generates Swagger documentation. To learn more about the motivation and other aspects of the platform, InfoQ spoke to Travis Tidwell, CTO and co-founder of <form.io>.
InfoQ: What is the motivation behind <form.io>? Who is the target audience?
Travis Tidwell: Web 3.0 is here, and next generation applications are powering the modern world. But application developers continue to be challenged by the new demands that come with them. An expanding universe of device interfaces, machine-to-machine communication, data sharing across 3rd-party platforms, and integrations into legacy systems all converge on the developer, requiring them to adopt fundamental changes in how applications are designed and built. This paradigm shift to Web 3.0 has led to a dramatic emphasis on the creation and management of APIs, which can often overshadow the applications themselves. APIs give application data the power of portability and integration, but can be difficult and time-consuming to implement. Front-end developers have the expertise to create the applications, but APIs have long been the sole domain of the backend developer, until now.
Created as a tool for front-end developers, <form.io> eliminates the burdens of traditional API creation and management. Our open-source platform is based on the natural connection between FORMs and APIs.
InfoQ: What affordances do forms provide that enable good/pragmatic API design?
Travis Tidwell: For starters, every RESTful API requires an interface schema which is used to define the resources and data fields which then must be paired with well defined validation criteria. Provided this schema, the API design must incorporate all the necessary responses for both successful and invalid requests against that interface. As it turns out, all of these requirements and definitions can be easily represented with an HTML form definition. Because of this, an advanced form building technology in the hands of a capable developer can provide a means to visually create a robust API interface.
Where the rubber meets the road is when you pair this innovation with configurable backend actions that can execute and perform customized behavior when the form is submitted. Pairing these innovations together provides the developer a very powerful tool that enables them to create very complex applications without having to write any backend business logic.
InfoQ: What is under the hood? At a high level, how does it work?
Travis Tidwell: Form.io takes advantage of a number of recent technology advances to achieve a result that would have been very hard if created with older technologies. For starters, the entire stack is JavaScript; from the front-end application to the backend API platform written in Node.js. Even the database utilizes JavaScript based NoSQL to keep each data record as a complete JSON entity. This technology stack is typically called the M.E.A.N stack and has risen to the forefront as an enabling technology for Web 3.0 applications.
It all works through a strict separation between the front-end application and the backend API platform. In many software platforms, the server is typically responsible for sending the HTML interface to the client, and every hit to the server is the next page request from the user. While this method has worked well for many years, we are now in a time where web applications are no longer being built to cater to human interaction, but now must adapt to be able to handle multiple interfaces utilized by machines and humans alike.
Form.io is much different in that the server never sends an interface to the client. In fact, our https://form.io application is hosted on a CDN and only communicates to the server via RESTful APIs. As it turns out, this separation is also a major technology advantage with forms generated with Form.io. Every form utilizes a single JSON schema that not only automatically configures the RESTful API, but also dynamically generates the form on the front-end application. The result is a behavior that feels very native to the developer where they do not need to concern themselves with that separation thus being able to focus all of their attention on building amazing apps.
InfoQ: What are the various authentication mechanisms for authenticating resources?
Travis Tidwell: We will complete an OAuth offering very soon. We provide the application developer with a flexible and customizable authentication system where they can define any authentication methods based on the resources they create. For example, if they wish to authenticate based on a Member ID instead of an email address, Form.io provides them the ability to configure their authentication to utilize that field within their resource form.
In addition, we also allow the developer to authenticate against any Resource within our system instead of having a global “user” table where all authentications must be directed. We are able to provide this through our Resource system in addition to our Roles & Permissions system. This system assigns Roles to Resource submissions, and uses that relationship as the mechanism to determine which RESTful endpoints an authenticated user has access to.
InfoQ: How do you ensure JWT token security?
Travis Tidwell: Our authentication system uses JWT tokens signed with the secure HMAC SHA256 algorithm. Each token generated tells our platform which Resource they were authenticated against as well as what Roles they have within our system.
InfoQ: What is the recommended path to integrate with 3rd party APIs?
Travis Tidwell: Our core Open Source platform opens up the ability for developers to contribute Actions to our form system that will enable the integration to 3rd party APIs. We also provide per-form Webhook capabilities that allow the developer to hook up form submissions to their own backend applications which can then serve as a proxy to any 3rd party API they choose.
InfoQ: What are the pre-requisites on the app end to support <form.io>?
Travis Tidwell: Currently we require Angular.js as the application framework to utilize <form.io> integration. We are utilizing Bower to manage these dependencies, which you can find out more about by looking at our bower file here: https://github.com/formio/ngFormio/blob/develop/bower.json
We will be supporting other frameworks such as Reflect, jQuery and others so stay tuned!
InfoQ: Why did you choose to open source on GitHub? Which open source license?
Travis Tidwell: <form.io> was founded on the principle of Open-source software development and is committed to serving the Open-source community. It is our belief that we will achieve the most widespread adoption amongst developers by being built on Open Source business strategies which allow the business to benefit from the community support and enhancements of our Open Source products. This is something that we take very seriously, and we are very proud of our Open Source offerings. As for licenses, we are currently planning on incorporating the MIT license for front-end libraries and a GPL license for the backend core platform.
InfoQ: What are some upcoming features you want to share with the InfoQ community?
Travis Tidwell: <form.io> will leverage our comprehensive Roles and Permissions capabilities to bring to market a robust new "Teams" capability allowing developers to work co-synchronously with customized teams of developers, selected on a project by project basis.
<form.io> will also deliver a more comprehensive dashboard of detailed analytic and data management tools to enable the developer to manage their applications effectively. Additionally, being committed to the community sharing principles of Open Source software, <form.io> has plans to introduce meaningful new capabilities that will change the way developers share various elements of their applications with other developers. Lastly, <form.io> is rolling out numerous security and cross-platform data integration tools that will extend and deepen the existing offering.