Stop leaking and implying logic in your Frontend

Want to learn more about software architecture and design? Join thousands of developers getting weekly updates!
🚀mailchi.mp/63c7a0b3ff38/codeopinion

It reminds me of the debate around catching exceptions vs. validating the data first: Instead of checking if an operation failed, and what it's status code is, we provide a way to check if an operation can be made (in this case by returning a list of possible operations in each state change)

the poor man's HATEOAS

After working on a system with convoluted business logic for a few years, we found ourselves using the same pattern. The only "real" alternative (and ONLY if you control the clients and the installed versions) is exposing your entire suite of business logic rules to the frontend, which allows introspection by anyone including adversaries and other nefarious users. So it's really not an alternative!

While this is a possible solution, I would prefer the BFF pattern where a distinct UI controller lives on the server side and translates the business model states to ui model states.

I don't really agree with the argument that this allows you to easily evolve/change the API because clients can still have the old version of the page loaded after you have changed the API. That seems like a difficult problem to solve if you don't want to be strict about breaking changes on the API in traditional sense

Rather than a list I feel an object is better.
set power for example could provide a min/max field or even a strongly typed reason on why the action is unavailable.
UI can just do {actions.setPower && } (react example) rather than looking through an array too making composition a breeze.

I've never really thought about this problem, so this was an interesting watch. But I'm also not sure how I feel about attaching operations to a response, because it feels like the API would have to presume to know too much about a client - like what the end user is capable of doing or the screen from which the command was given.
What if a specific user doesn't have security clearance for altering the toaster's strength? Is that operation only included in the response after the API has calculated what John Doe has permission to do? Or is that command always available?
What if there is a different screen that the front end redirects to that is read-only? Should the operations collection be empty in that case?
What if the user only has access to the toaster for the next ten minutes? Should the operations list include a time at which all the buttons are disabled?
What if the command was successfully processed but the operations list wasn't able to be calculated? Are all of our controls disabled potentially for no reason?
Maybe this doesn't matter from a practical standpoint. There are numerous ways of handling the above scenarios. But the line between an endpoint doing its job and doing too much is too gray for my current understanding.

I wonder... is there a library/framework that implements this pattern? Both as a server and as a "client side gode gen" type of deal.
I'm aware of general purpose swagger client gens and swagger outputting libs, but due to the wider possibilities, they don't assume state relations like what this pattern entails.

Sounds similar to Scott Washlin concept of 'designing with capabilities' i heard of few years ago. Any of you know any enterprise grade software that does that and it works well?

how to use this pattern with CQRS without duplicating business logic?
Should I generate possible operations on command side and persist them with my model?

What if I need to post some data with operation? Client still need to know the data structure. If client should know about data structure then it may know about url.

How to use hypermedia if a method is a post with complex objects as parameter?

Does this pattern has a name?