This document describes the quality and security expectations of apps developed for the Happeo platform. These guidelines must be applied before deploying the app.
Note that the guidelines apply to both the frontend and backend components of custom apps, even when the backend components are not deployed in Happeo infrastructure.
Security is our responsibility
At Happeo we take security seriously. Apps that do not follow the security and quality standards will not be listed in the Happeo App marketplace.
The settings for a widget stored by a page are not protected. Therefore, app developers must ensure that they do not use the widget settings to store any sensitive information. For such information, developers must develop their own backend service to store the sensitive information in an appropriate secret storage.
The content for a widget stored in a page is not protected. In fact it is indexed and available for searching. Therefore, app developers must ensure that they do not use the widget content to store any sensitive information. For such information, developers must develop their own backend service to store the sensitive information in an appropriate secret storage.
If the App Widget makes HTTP requests to a backend, it must retrieve a JWT from the widget SDK and send it along with the request. The backend must validate the JWT before processing the request.
In case of a Search app, Happeo will automatically add a JWT to each HTTP request sent to the search app. The app must validate the JWT before processing the request.
The JWT is signed with a shared secret that is established when the app is added to Happeo from the Admin UI. This secret must be kept confidential and protected at all times.
To know more about how the authentication works, refer to the article on using external data sources.
The App widget should not make calls to the Happeo internal API in order to prevent unauthorised access to data. We will reject app submissions to the marketplace if there are illegitimate calls made to the Happeo internal API. Administrators of custom Apps must make sure to check the source code for this violation.
The app developers must ensure that their app is not vulnerable to any known security threats, with particular focus on the OWASP Top 10.
Great quality equals customer satisfaction. Let's strive for that!
The App’s name, description, preview content, support links, etc. must be provided.
The app name must be in title case (each word's first letter capitalized).
The description should briefly mention the release notes of the latest release.
The visuals must briefly highlight the functionality and the value provided by the app.
The developer must ensure that the app functionality is only what it says in the description.
The app UI must align with Happeo’s design. It is recommended to use the Happeo UI Kit.
Write easy-to-understand code and comment wherever necessary.
Do not minify the code.
Add a README.md to explain at least the below:
- Widget functionality
- Widget setup
- Build and Test
The app developer must write test cases for each functionality exposed to the user. It is recommended to write test cases that test backwards compatibility. This is one of the ways we ensure quality.
The app as well as all its dependencies must allow commercial use as the app bundle is deployed in our CDN and used in Happeo.
All updates to an app must be backwards compatible. This means existing app widgets added to pages must work.
If it is impossible to make a backwards compatible update, then the only option is to create a new app.
The app must initialize the widget SDK even if the API is not used. This can be done as follows:
const widgetApi = await widgetSDK.api.init(uniqueWidgetId)
The widget contents are supposed to be viewed by widget viewers and hence developers must not store any hidden information there.
The widget settings are supposed to be viewed by widget viewers and hence developers are recommended to not store any hidden information there. It is okay, however, to store configuration computed from the settings declared by the widget.
Apps that fail to build, test or package are rejected.
The bundle size must be kept as small as possible. Happeo provides react, react-dom, styled-components, and happeouikit components, which must therefore be externalized.
If the App uses a backend, it must be highly available and fault tolerant.