The Most Important Lesson From HTMX

00:00

I talk a lot about how much I love HTML

00:03

not specifically like an HTML file or

00:05

the HTML syntax but the power of sending

00:08

static markup from the server to the

00:11

client there A lot of times where you

00:12

might want to send updated UI to the

00:14

user without having to make them refresh

00:16

the whole page there's also a lot of

00:18

things you probably want to do when a

00:19

user clicks a button that can't be done

00:21

on their computer so you're going to

00:22

need the server to be involved in those

00:23

things anyways what I've seen as a

00:25

result is a lot of applications that

00:27

send giant Json payloads to the user

00:30

once they've done something on the

00:31

client and then the JavaScript parses

00:33

that data transforms that into some new

00:35

markup and then renders it on the page

00:37

often very slowly the JavaScript

00:39

necessary to do all of this stuff gets

00:41

massive to the size of tens of megabytes

00:43

for some websites and the resulting

00:45

performances what you would expect not

00:47

great thankfully we're starting to see a

00:49

revolution where we're moving away from

00:51

these giant Json payloads and towards

00:53

sending markup to the user when it makes

00:55

sense but this isn't a new Revolution

00:57

this is actually something that the HTM

00:59

X team has been pushing hard for a while

01:00

all the way back when they used to be

01:02

called intercooler JS they tried to warn

01:05

us but now we're finally hearing it what

01:07

we're talking about here is a response

01:09

to a great tweet from Z the CTO of

01:12

Sentry which was joking about how we got

01:14

tricked into using graphql while I do

01:15

think graph Q has a lot of benefits

01:17

there are negatives too and that's the

01:19

joke here is a lot of people were using

01:21

it when they shouldn't be but these

01:22

continued abstractions where you were

01:24

building more and more complex API

01:26

Solutions so the client could get the

01:28

info it needed this became a very fast

01:30

slippery slope and graphql emphasized

01:33

how slippery that slope had gotten the

01:34

HTM X team replied with a link to a blog

01:37

post from

01:38

2016 about this where they tried to warn

01:41

us and for those who don't know

01:42

intercooler was the old name for HTM X

01:44

so let's take a look at this blog post

01:46

because I love it and I think it's more

01:47

relevant now than it's ever been before

01:50

the API churn to security tradeoff tldr

01:53

heavy clientside logic requires a

01:54

trade-off between API churn or an

01:56

increasingly complex security model the

01:58

problem a recent article by Jean jaac de

02:01

BR titled why I no longer use MVC

02:03

Frameworks sparked a long and

02:04

interesting discussion on Hacker News

02:06

which crystallized a fundamental problem

02:07

I see with the current Trend towards

02:09

heavy client side logic and web apps

02:11

here is the start from that article

02:12

where Jean jaac lays out the problem the

02:14

worst part of my job these days

02:16

designing apis for front end developers

02:17

the conversation inevitably goes as Dev

02:20

so this screen has data elements XYZ

02:23

could you please create an API with the

02:24

response format

02:26

XYZ me okay I don't even argue anymore

02:30

projects end up with a gazillion apis

02:32

tied to screens that change often which

02:34

by Design requires changes in the API

02:36

and before you know it you end up with

02:37

lots of apis and for each API many form

02:40

factors and platform variants to

02:42

summarize if you are designing Network

02:44

API endpoints for a front end you will

02:46

end up tweaking and modifying the API to

02:48

support your UI needs in an ad hoc and

02:50

often chaotic manner by letting

02:51

something that by its nature is

02:53

constantly in flux and fiddly that is

02:55

the UI determine the shape of your API

02:58

you end up thrashing it around trying to

03:00

keep up for the remainder of this

03:01

article I will refer to this problem as

03:03

API churn that's an important piece to

03:05

remember API churn is the enemy that

03:07

we're fighting with all of this so

03:09

what's the solution the solution is if

03:11

you're committed to that client side

03:12

increase the expressiveness of the API

03:14

available on the client side okay so

03:16

what does that mean means you must begin

03:17

surfacing more and more generalized data

03:19

access and mutation functionality on the

03:21

client side you see this General query

03:23

languages like graphql replacing

03:25

multiple rsh in ad hoc API endpoints

03:27

with fewer more expressive endpoints is

03:29

going to be thought of as a move towards

03:31

something like SQL on the client side I

03:34

don't like comparing it to SQL but I get

03:35

what they're trying to say by increasing

03:36

the expressive power of endpoints you

03:39

the API designer no longer need to worry

03:41

about getting an API just right rather

03:43

the frontend developer has control over

03:45

how and what is returned or what is

03:47

modified and your API stays stable as

03:50

the UI needs change sounds great but

03:53

wait a second there's a problem with

03:54

this solution problem these increasingly

03:56

expressive endpoints is that you're also

03:57

putting them not just in the hands of

03:59

your front end de but also the hands of

04:00

potentially hostile users the browser is

04:02

about the least secure Computing

04:04

environment I can imagine and anything

04:06

that the front end devs can do can also

04:07

be done by a hostile user like this

04:09

graphql query if you don't make this

04:12

really secure you're going to have users

04:14

able to hit it and get info they

04:15

probably shouldn't like salary this is

04:17

terrifying and a lot of graphql stuff

04:19

wasn't set up properly I have a video

04:21

about how putting your logic in your

04:22

database is terrifying and the reason a

04:24

lot of people were stuck doing things

04:25

like that is because they have these

04:27

generic API layers that don't know

04:29

enough about the intent of how it's

04:31

being used to first off expose data

04:33

correctly but more importantly to

04:35

authenticate the user properly to make

04:36

sure they should or shouldn't have

04:38

access to that data it's utter chaos and

04:39

I've seen so many code bases drowning in

04:42

this particular style of mess and oops

04:45

you had better darn well not show that

04:46

information so now you have to build

04:48

context sensitive field level security

04:50

so on every query on every field in

04:53

every query you have to work really hard

04:55

to make sure your fields are properly

04:58

secured so now every single key being

05:00

returned by your API ever has to have

05:02

its own security model around it you can

05:04

see how chaotic and hard to maintain

05:06

that gets really

05:07

fast as I just said this is incredibly

05:10

complicated and when this security issue

05:13

was brought up on Hacker News the

05:15

response was it doesn't belong in the

05:16

spec it belongs in the implementation

05:18

but yes the reference implementation

05:19

graph qjs should probably be updated to

05:21

demonstrate Access Control at the time

05:23

the go2 example for graphql and web apps

05:25

was graph qjs and they didn't have data

05:27

Access Control implemented in it so

05:28

people just copy the default

05:30

implementation didn't have any security

05:32

which is terrifying I literally laughed

05:34

out loud when I read this this is a

05:36

major major issue and anyone who

05:37

considers increasing client side

05:39

expressiveness as the answer to API

05:41

churn needs to have a very good answer

05:42

for it I totally agree this isn't just a

05:45

security problem there's also so many

05:47

technical challenges in implementing

05:48

things in this way where it's just hard

05:49

to build and maintain a generic way to

05:52

get data to the client security is one

05:54

part design of the schema is one part

05:56

implementation details libraries you're

05:57

choosing all of this stuff gets really

05:59

complex really fast but what if there

06:01

was a better way this again is about

06:03

trust the core problem again is that in

06:05

putting more expressive tools in the

06:06

hands of your client side devs you are

06:08

also inadvertently letting them slip

06:10

into the hands of adversarial users

06:12

there is a fundamental tension therefore

06:14

between how much you can give your

06:15

developers and how much of a security

06:17

headache this power will turn out to be

06:18

in an Ideal World you will give your UI

06:20

developers everything they could

06:21

possibly need in an open and expressive

06:23

query layer and that would let them tune

06:25

the structure and return the data of a

06:26

query just so for those hot complicated

06:29

quer I that always end up dominating

06:30

system performance what if I told you

06:32

there was a place that exists where you

06:33

can do this such a place does exist it's

06:35

called the server side see where we're

06:37

going guys don't know if you expected

06:39

this but I just tricked yell into

06:40

watching yet another server components

06:42

video because this article could be

06:44

summarized as the arguments for Server

06:46

components and or how server components

06:49

replace graphql they solve this problem

06:51

really really well you see on the server

06:54

side code is trusted you can give your

06:56

developers a completely open and

06:57

flexible data access and and update API

07:00

because you to a first order

07:01

approximation trust them give them the

07:03

power of say a structured query language

07:06

and that's totally fine it's not even

07:08

controversial when you do that because

07:10

that power isn't going to the user it's

07:12

just in the layer between the HTML the

07:14

user sees and the server that has that

07:16

data when you give your frontend devs

07:17

the ability to generate their front ends

07:19

on the server a lot of these problems go

07:22

away really fast and it's funny that I'm

07:24

bringing this up because a lot of the

07:26

reason people are so hesitant with the

07:27

new server component model and the new

07:29

nextjs model is they think it's less

07:31

secure and they don't trust frontend

07:32

devs to do it right the harsh reality is

07:34

these backend devs have gotten so good

07:35

at these security models because they're

07:37

a necessary evil in order to use

07:39

something like graphql while yes front

07:41

and devs need to think a little bit

07:42

about security Now the benefit that

07:44

comes with it is they don't have to

07:45

think about security anywhere near as

07:46

much and we're not building these crazy

07:48

chaotic systems so that you can add one

07:50

additional key to your query on the

07:52

client side the solution to the problem

07:54

with the solution so if you want to

07:55

avoid this API churn and security

07:57

complexity trade-off is's a great way to

07:58

do it move things back to the server

08:00

side one way to do it without

08:01

sacrificing modern web usability is to

08:03

use something like intercooler into do

08:04

your HTML rendering and domain Logic on

08:06

the server in a trusted environment

08:08

you'll also get a lot of other benefits

08:09

from this approach hate without tears a

08:11

programming model that you likely

08:13

already have close to a decade of

08:14

experience with and so on this is an old

08:16

article and my audience probably doesn't

08:18

have a decade of experience with things

08:19

that were already old at the time seven

08:21

years ago but that point aside let me

08:23

know if you want me to do a hate OS

08:24

video because it's a pretty cool pattern

08:27

where do they actually say what it

08:28

stands for always forget the acronym

08:30

stands for hyper media as the engine of

08:32

application state so your HTML is

08:34

actually the thing that defines the

08:36

state of the page it's a really cool

08:37

pattern it's really nice seeing this

08:39

being rediscovered with a new error of

08:41

HTM X if you want a long video about

08:43

that let me know in the comments this

08:45

video isn't about that this video is

08:46

about the value of replacing your apis

08:49

with end points that serve HTML the core

08:51

point of this article is that in order

08:53

to make Dynamic front ends without

08:56

having the server run the HTML you now

08:58

have to deal with with a massive

09:00

security issue architecture issue and

09:02

utter chaos in order to increase the

09:04

expressiveness so client side developers

09:06

can do the things they need to do to

09:07

make good applications this is what's so

09:09

cool about this model and this is why I

09:11

think both HTM X and server components

09:14

are the future of how we build full

09:15

stack applications these security models

09:18

already feel so Antiquated and the

09:20

moment you start playing with either

09:21

HDMX or server components you're going

09:23

to realize just how much more complex

09:25

things were than they needed to be yes

09:26

there are more things you need to know

09:28

about well those things are simpler and

09:30

the result is better software so what do

09:32

you think are we being too aggressive

09:34

with the killing of apis or should we be

09:36

doing more work on the server than we

09:37

are today I'm obviously in favor of

09:39

moving more of the stuff to the server

09:41

it makes everything easier and it makes

09:43

frontend developers more capable of

09:44

delivering great software but how do you

09:46

feel about it let me know in the

09:47

comments and tell me if I should do that

09:48

ha to OAS video because something I want

09:50

to talk a bit more about if you want to

09:51

learn the truth about HTM X I'll pin a

09:53

video in the corner with that and if

09:54

You' already seen that or you're not

09:55

interested the video below should be

09:56

pretty good too thank you guys as always

09:58

appreciate you all a ton peace nerds