Building a plugin system without runtime, storage, or shared JavaScript context
4 days ago
- #Plugin Systems
- #Software Architecture
- #Localization Tools
- Tolgee Apps enable rapid experimentation by allowing plugins to extend the Tolgee platform via iframes, API access, webhooks, and UI decorators without modifying core code.
- Key architecture decisions include: no plugin storage on Tolgee's platform, no plugin code running on Tolgee's runtime, and using sandboxed iframes for UI to ensure security and isolation.
- Apps are defined by a JSON manifest specifying metadata, UI modules, scopes, and webhooks, with iframes communicating via postMessage and using short-lived JWT tokens for API access.
- The auth model uses tokens for identity and enforces permissions by intersecting app scopes with user permissions, enabling instant revocation without a token blocklist.
- UI decorators allow dynamic annotations on translation keys via a plugin-hosted endpoint, enabling features like warnings or badges without Tolgee storing plugin data.
- A PoC was built with AI assistance in about 4 weeks, highlighting AI's speed but also its tendency to bypass proper security practices, requiring careful review.
- Future plans include a production-ready rewrite with thorough testing and code review, building on learnings from the hackathon and PoC phase.
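The permission model summarized above (effective rights = app scopes ∩ the user's current permissions, checked live on every request so revocation needs no token blocklist), as an added example that is not code from the Tolgee project; the store layout, user ids, app id and scope names are assumptions made for the illustration.

```javascript
// Added example, not Tolgee's own code: a request-time authorization check
// in which the effective permission set is the intersection of the app's
// declared scopes and the calling user's current permissions. Both sides
// are looked up live, so uninstalling the app or stripping a user permission
// takes effect on the next request without any token blocklist.

// Constructed sample data (hypothetical ids and scope names).
const store = {
  apps: {
    'demo-app': { scopes: ['translations.view', 'translations.edit'] },
  },
  userPermissions: {
    'user-42': new Set(['translations.view', 'translations.edit', 'keys.delete']),
    'user-7': new Set(['translations.view']),
  },
};

// Scopes the app may actually use on behalf of this user: the intersection.
function effectiveScopes(appScopes, userPermissions) {
  return appScopes.filter((s) => userPermissions.has(s));
}

// token: claims of an already signature-verified short-lived JWT
// (sub = user id, app = app id, exp = unix seconds). Signature checking
// is assumed to happen before this function is called.
function authorize(token, requiredScope, nowSeconds, db = store) {
  if (token.exp <= nowSeconds) return { ok: false, reason: 'token expired' };
  const app = db.apps[token.app];
  if (!app) return { ok: false, reason: 'app not installed' };
  const perms = db.userPermissions[token.sub];
  if (!perms) return { ok: false, reason: 'unknown user' };
  const scopes = effectiveScopes(app.scopes, perms);
  if (!scopes.includes(requiredScope)) {
    return { ok: false, reason: `scope ${requiredScope} not granted` };
  }
  return { ok: true, scopes };
}
```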