Feat: netlify deployments for frontend

[usu]

As per Santa Claus wish from @manuelmeister:
Allows automatic netlify deployment of the frontend for each pull request. These frontend-deployments are then hard-wired to https://dev-api.ecamp3.ch

CORS is more or less disabled on dev to allow this. This is needed, because Netlify doesn't support custom domains for Preview Deployments (=Deployment for each PR).

Disabling CORS however needs to be triggered explicitly. Default behavior is (almost) the same as before (with the exception of one PR on LexikBundle that still needs to be merged).

A working demo is available under https://vermillion-travesseiro-ea7e4b.netlify.app/ and is connected to my own test API at https://api-ecamp3.mybytes.ch/

Once this PR is merged, I can setup the netlify workflows from our main Netlify account.

[netlify]

✅ Deploy Preview for ecamp3-frontend-preview ready!

Name	Link
🔨 Latest commit	5d806ea
🔍 Latest deploy log	https://app.netlify.com/sites/ecamp3-frontend-preview/deploys/638b7dfb8b1d57000893b21f
😎 Deploy Preview	https://deploy-preview-3194--ecamp3-frontend-preview.netlify.app/
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site settings.

[manuelmeister]

Woooooooh 🤩😍, nice so cool!

[carlobeltrame]

Nice job, but at the same time a lot of alarm bells going off in my head when reading this.

I have to say overall I'm not a fan of opening these multiple security holes just for faster previews. I see the value of the quick frontend previews especially right now that the frontend is being worked on much more than the API. But opening CORS on dev will definitely bite us and community developers in the future, when we (or they) make first steps in developing more API clients on different domains. Such new clients will then work on dev but fail on prod. And also in general, this widens the gap between prod and dev deployments. So in my comments, I am trying to limit on all fronts the amount of security weakening which we perform.

I'd like to say right now, these preview deployments are no alternative to writing frontend tests and E2E tests. I see them only as a cheap and mobile-friendly alternative for previewing some simple UI change. They will not work for all features, and they do not replace a comprehensive code review. And I'd rather invest more time into improving the resource usage and developer setup of our application instead of creating many kinds of feature branch deployments which might or might not work for a new feature.

Is there some way to limit these frontend previews to only PRs which include solely frontend changes and no changes in the API etc.? (And ideally also exclude renovate and dependabot PRs, because these are rarely tested manually, but instead CI should handle them).

[carlobeltrame]

Can we implement a proper list of allowed origins for print as well, instead of an official "security hole switch"?

[carlobeltrame]

Can we limit these security holes to only the dev deployment, not the feature branch deployments? Or would it make sense to deploy a separate, deliberately insecure backend which is only used for the netlify frontend previews?

[carlobeltrame]

Can we modify lexik so that it only returns the header and payload information of the token in the response body? The reason that lexik does not want to return the token in the payload is reportedly that JS code should never have access to the full JWT token. I think lexik supports customizing the response body: https://github.com/lexik/LexikJWTAuthenticationBundle/blob/2.x/Resources/doc/2-data-customization.rst#adding-custom-data-or-headers-to-the-jwt

[carlobeltrame]

I don't really like that we will ship this in production, but I see no quick and easy way around it right now.

[carlobeltrame]

Can you set the default in the helm chart to true? I know it's not respected by lexik yet, but as soon as lexik supports it we should make true the default.

[carlobeltrame]

Maybe add a comment which still indicates (via an example or written description) that this value may be a regex, may assert on the protocol, etc.

[carlobeltrame]

Is the store really the correct place for this? This value will be undefined on deployments where we --set php.jwt.emptyBody='false' (which I expect for any production environment). If you put this value into the store, it signifies to me that any component may use this value, which will then break on production. In this case I would prefer a local let variable in the top scope of this file, so that only code in this file can access it.

[carlobeltrame]

Why this change? Was the old implementation wrong?

[carlobeltrame]

If you agree with removing the token from the store, don't forget to revert this

[manuelmeister]

Core Team Decision

• Deployment Optimierungen (chore(deploy): performance + autoscalers #3192) hat nicht die gewünschten Verbesserungen gebracht
• 5 Frontend PRs im Browser gleichzeitig anschauen nicht möglich (aktuell nur Dev + ein zusätzliches Deployment)
• Wir streben eine zusätzliche Lösung mit einem dezidierten Endpunkt an, erst wenn eine generelle Verbesserung am ganzen Kubernetes Cluster erfolgt ist.

Anforderungen an den Deployment Prozess:

• Zwischen Push und Live 2min

Anforderungen an Netlify:

• 4 gleichzeitige Deployments möglich (Dev, Endpunkt, 2 PR deployments)

[BacLuc]

can we close this PR?

[usu]

Will be closed due to several improvements on PR deployments, notably:
#3237
#3584