Initial release

Author: mowens3

.github/workflows/drupal-module.yml

@@ -0,0 +1,76 @@
+name: Drupal Module
+
+on:
+  pull_request:
+    paths:
+      - "**/*.php"
+      - "**/*.yml"
+      - "composer.json"
+      - "tests/**"
+      - ".github/workflows/drupal-module.yml"
+  push:
+    paths:
+      - "**/*.php"
+      - "**/*.yml"
+      - "composer.json"
+      - "tests/**"
+      - ".github/workflows/drupal-module.yml"
+
+jobs:
+  phpunit:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - drupal: "^10"
+            php: "8.2"
+          - drupal: "^11"
+            php: "8.3"
+
+    env:
+      SIMPLETEST_BASE_URL: "http://127.0.0.1"
+      SIMPLETEST_DB: "sqlite://localhost/sites/default/files/db.sqlite"
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: shivammathur/setup-php@v2
+        with:
+          php-version: "${{ matrix.php }}"
+          tools: composer:v2
+          extensions: gd
+
+      - name: Create Drupal project
+        run: composer create-project drupal/recommended-project:${{ matrix.drupal }} drupal --no-interaction --prefer-dist
+
+      - name: Install dependency modules
+        run: |
+          cd drupal
+          composer require drupal/jsonapi_frontend:^1 --no-interaction --prefer-dist -W
+
+      - name: Install module from this repo
+        run: |
+          mkdir -p drupal/web/modules/contrib/jsonapi_frontend_layout
+          rsync -a --delete \
+            --exclude ".git" \
+            --exclude "drupal" \
+            --exclude ".github" \
+            ./ drupal/web/modules/contrib/jsonapi_frontend_layout/
+
+      - name: Install Drupal test dependencies
+        run: |
+          cd drupal
+          composer require --dev drupal/core-dev:${{ matrix.drupal }} --no-interaction --prefer-dist -W
+
+      - name: Prepare test directories
+        run: |
+          mkdir -p drupal/web/sites/default/files
+          mkdir -p drupal/web/sites/simpletest/browser_output
+          chmod -R 777 drupal/web/sites/default/files
+          chmod -R 777 drupal/web/sites/simpletest/browser_output
+
+      - name: Run PHPUnit
+        run: |
+          cd drupal/web
+          ../vendor/bin/phpunit -c core modules/contrib/jsonapi_frontend_layout/tests

.gitignore

@@ -0,0 +1,4 @@
+.idea/
+.DS_Store
+vendor/
+

LICENSE

@@ -0,0 +1,33 @@
+# JSON:API Frontend Layout Builder
+
+`jsonapi_frontend_layout` is an optional add-on for `jsonapi_frontend` that exposes a normalized Layout Builder tree for true headless rendering.
+
+## What it does
+
+- Adds `GET /jsonapi/layout/resolve?path=/about-us&_format=json`
+- Internally calls `jsonapi_frontend`’s resolver so aliases, redirects, language negotiation, and access checks behave the same
+- When the resolved path is an entity rendered with Layout Builder, the response includes a `layout` tree (sections + components)
+
+## Install
+
+```bash
+composer require drupal/jsonapi_frontend_layout
+drush en jsonapi_frontend_layout
+```
+
+## Usage
+
+```http
+GET /jsonapi/layout/resolve?path=/about-us&_format=json
+```
+
+The response matches `/jsonapi/resolve` and adds a `layout` object when applicable:
+
+- `layout.sections[]` includes `layout_id`, `layout_settings`, and normalized `components[]`
+- Supported component types (MVP): `field_block`, `extra_field_block`, `inline_block`
+
+## Notes
+
+- This module is intentionally read-only and mirrors `jsonapi_frontend` caching behavior (anonymous cacheable; authenticated `no-store`).
+- For rendering, you still fetch the resolved `jsonapi_url` (entity) and any referenced block content via JSON:API.
+

README.md

@@ -0,0 +1,16 @@
+# Security Policy
+
+## Reporting a vulnerability
+
+Please do **not** open public issues or pull requests for security vulnerabilities.
+
+Preferred: report privately using GitHub Security Advisories for this repository.
+
+If private reporting is not available for you, contact the maintainers via the Drupal.org project page and clearly indicate that the report is security-sensitive.
+
+## What to include
+
+- A clear description of the vulnerability and impact
+- Steps to reproduce (or a proof of concept)
+- Affected versions (Drupal core version, module version, and relevant config)
+- Any suggested mitigation or fix (if you have one)

SECURITY.md

@@ -0,0 +1,30 @@
+{
+  "name": "drupal/jsonapi_frontend_layout",
+  "type": "drupal-module",
+  "description": "Optional Layout Builder integration for jsonapi_frontend. Exposes a normalized Layout Builder tree for true headless rendering.",
+  "keywords": [
+    "Drupal",
+    "JSON:API",
+    "headless",
+    "decoupled",
+    "layout builder",
+    "layout"
+  ],
+  "license": "GPL-2.0-or-later",
+  "homepage": "https://www.drupal.org/project/jsonapi_frontend_layout",
+  "support": {
+    "issues": "https://www.drupal.org/project/issues/jsonapi_frontend_layout",
+    "source": "https://git.drupalcode.org/project/jsonapi_frontend_layout"
+  },
+  "repositories": [
+    {
+      "type": "composer",
+      "url": "https://packages.drupal.org/8"
+    }
+  ],
+  "require": {
+    "drupal/core": "^10.3 || ^11",
+    "drupal/jsonapi_frontend": "^1.0.7"
+  }
+}
+

composer.json

@@ -0,0 +1,10 @@
+name: 'JSON:API Frontend Layout Builder'
+type: module
+description: 'Optional Layout Builder integration for jsonapi_frontend: exposes a normalized layout tree for true headless rendering.'
+core_version_requirement: ^10 || ^11
+package: 'Web services'
+dependencies:
+  - jsonapi_frontend:jsonapi_frontend
+  - drupal:layout_builder
+  - drupal:block_content
+

jsonapi_frontend_layout.info.yml

@@ -0,0 +1,9 @@
+jsonapi_frontend_layout.resolve:
+  path: '/jsonapi/layout/resolve'
+  defaults:
+    _controller: '\Drupal\jsonapi_frontend_layout\Controller\LayoutResolverController::resolve'
+  requirements:
+    _access: 'TRUE'
+    _format: 'json'
+  methods: [GET]
+

jsonapi_frontend_layout.routing.yml

@@ -0,0 +1,7 @@
+services:
+  jsonapi_frontend_layout.layout_tree_builder:
+    class: Drupal\jsonapi_frontend_layout\Service\LayoutTreeBuilder
+    arguments:
+      - '@plugin.manager.layout_builder.section_storage'
+      - '@entity_type.manager'
+

jsonapi_frontend_layout.services.yml

@@ -0,0 +1,180 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Drupal\jsonapi_frontend_layout\Controller;
+
+use Drupal\Core\Cache\CacheableJsonResponse;
+use Drupal\Core\Cache\CacheableMetadata;
+use Drupal\Core\Controller\ControllerBase;
+use Drupal\Core\Entity\ContentEntityInterface;
+use Drupal\jsonapi_frontend\Service\PathResolverInterface;
+use Drupal\jsonapi_frontend_layout\Service\LayoutTreeBuilder;
+use Symfony\Component\DependencyInjection\ContainerInterface;
+use Symfony\Component\HttpFoundation\Request;
+
+/**
+ * Layout-aware resolver endpoint.
+ */
+final class LayoutResolverController extends ControllerBase {
+
+  private const CONTENT_TYPE = 'application/vnd.api+json; charset=utf-8';
+
+  public function __construct(
+    private readonly PathResolverInterface $resolver,
+    private readonly LayoutTreeBuilder $layoutTreeBuilder,
+  ) {}
+
+  public static function create(ContainerInterface $container): self {
+    return new self(
+      $container->get('jsonapi_frontend.path_resolver'),
+      $container->get('jsonapi_frontend_layout.layout_tree_builder'),
+    );
+  }
+
+  public function resolve(Request $request): CacheableJsonResponse {
+    $path = (string) $request->query->get('path', '');
+
+    if (trim($path) === '') {
+      return $this->errorResponse(
+        status: 400,
+        title: 'Bad Request',
+        detail: 'Missing required query parameter: path',
+      );
+    }
+
+    $langcode = $request->query->get('langcode');
+    $langcode = is_string($langcode) && $langcode !== '' ? $langcode : NULL;
+
+    $result = $this->resolver->resolve($path, $langcode);
+
+    $cacheable = new CacheableMetadata();
+    $cacheable->setCacheMaxAge($this->getCacheMaxAge());
+    $cacheable->addCacheTags(['config:jsonapi_frontend.settings']);
+    $cacheable->addCacheContexts([
+      'url.query_args:path',
+      'url.query_args:langcode',
+      'url.site',
+    ]);
+
+    // Mirror jsonapi_frontend's language fallback cache behavior.
+    $config = $this->config('jsonapi_frontend.settings');
+    $langcode_fallback = (string) ($config->get('resolver.langcode_fallback') ?? 'site_default');
+    if ($langcode_fallback === 'current') {
+      $cacheable->addCacheContexts(['languages:language_content']);
+    }
+
+    // If this resolved to an entity, attempt to attach a layout tree.
+    if (($result['resolved'] ?? FALSE) === TRUE && ($result['kind'] ?? NULL) === 'entity' && is_array($result['entity'] ?? NULL)) {
+      $entity = $this->loadResolvedEntity($result['entity'], $langcode);
+      if ($entity) {
+        $cacheable->addCacheableDependency($entity);
+        $layout = $this->layoutTreeBuilder->build($entity, $cacheable);
+        if ($layout) {
+          $result['layout'] = $layout;
+        }
+      }
+    }
+
+    $response = new CacheableJsonResponse($result, 200, [
+      'Content-Type' => self::CONTENT_TYPE,
+    ]);
+
+    $response->addCacheableDependency($cacheable);
+    $this->applySecurityHeaders($response, $cacheable->getCacheMaxAge());
+
+    return $response;
+  }
+
+  /**
+   * Load the resolved entity (by UUID) from a resolver result.
+   *
+   * @param array{type?: mixed, id?: mixed, langcode?: mixed} $entity_info
+   *   The "entity" object from jsonapi_frontend.
+   */
+  private function loadResolvedEntity(array $entity_info, ?string $langcode): ?ContentEntityInterface {
+    $resource_type = $entity_info['type'] ?? NULL;
+    $uuid = $entity_info['id'] ?? NULL;
+
+    if (!is_string($resource_type) || !is_string($uuid) || $resource_type === '' || $uuid === '') {
+      return NULL;
+    }
+
+    $parts = explode('--', $resource_type, 2);
+    if (count($parts) !== 2) {
+      return NULL;
+    }
+
+    [$entity_type_id] = $parts;
+    if ($entity_type_id === '') {
+      return NULL;
+    }
+
+    $definition = $this->entityTypeManager()->getDefinition($entity_type_id, FALSE);
+    if (!$definition || !$definition->entityClassImplements(ContentEntityInterface::class)) {
+      return NULL;
+    }
+
+    $storage = $this->entityTypeManager()->getStorage($entity_type_id);
+    $entities = $storage->loadByProperties(['uuid' => $uuid]);
+    $entity = $entities ? reset($entities) : NULL;
+
+    if (!$entity instanceof ContentEntityInterface) {
+      return NULL;
+    }
+
+    // Apply the negotiated langcode from the resolver response if possible.
+    $resolved_langcode = $entity_info['langcode'] ?? NULL;
+    $resolved_langcode = is_string($resolved_langcode) && $resolved_langcode !== '' ? $resolved_langcode : $langcode;
+    if ($resolved_langcode && method_exists($entity, 'hasTranslation') && $entity->hasTranslation($resolved_langcode)) {
+      $entity = $entity->getTranslation($resolved_langcode);
+    }
+
+    // Re-check view access (defense in depth).
+    return $entity->access('view') ? $entity : NULL;
+  }
+
+  private function errorResponse(int $status, string $title, string $detail): CacheableJsonResponse {
+    $response = new CacheableJsonResponse([
+      'errors' => [
+        [
+          'status' => (string) $status,
+          'title' => $title,
+          'detail' => $detail,
+        ],
+      ],
+    ], $status, [
+      'Content-Type' => self::CONTENT_TYPE,
+    ]);
+
+    $cacheable = new CacheableMetadata();
+    $cacheable->setCacheMaxAge(0);
+    $response->addCacheableDependency($cacheable);
+    $this->applySecurityHeaders($response, 0);
+
+    return $response;
+  }
+
+  private function getCacheMaxAge(): int {
+    if (!$this->currentUser()->isAnonymous()) {
+      return 0;
+    }
+
+    $config = $this->config('jsonapi_frontend.settings');
+    $max_age = (int) ($config->get('resolver.cache_max_age') ?? 0);
+
+    return max(0, $max_age);
+  }
+
+  private function applySecurityHeaders(CacheableJsonResponse $response, int $max_age): void {
+    $response->headers->set('X-Content-Type-Options', 'nosniff');
+
+    if ($max_age > 0) {
+      $response->headers->set('Cache-Control', 'public, max-age=' . $max_age);
+    }
+    else {
+      $response->headers->set('Cache-Control', 'no-store');
+    }
+  }
+
+}