slug: building-a-marketplace
author: Rijk van Zanten
This week we announced the Directus Marketplace Beta - a new way to discover and install extensions in Directus projects across Cloud and self-hosted instances.
This has been a long time coming, and I wanted to take some time and reflect on what it actually takes to put together a Marketplace for such a mature and well-adopted project.
The term ‘marketplace’ can come with a lot of baggage, and even internally it took a while to decide where on the spectrum our offering would lie.
On one end, we have the "open listing" approach. This offers maximum freedom and diversity, but comes at the cost of potential quality and security issues. Users need to exercise caution and rely heavily on reviews and reputation. Think of the Chrome Extensions Store - where anyone can publish new browser extensions.
On the other side, we have the "highly-controlled submission-based store" model. This ensures a consistent user experience and quality, but limits variety and requires significant resources for curation and review. Think of the iOS App Store with its strict submission criteria.
For Directus, we opted for an open "listing" approach. This aligns with our philosophy of being community-first and empowers users to contribute diverse modules and extensions. However, we acknowledge the need for some guardrails to maintain platform integrity and user trust.
Many extension authors distribute extensions by publishing packages on npm. We decided to piggyback off this to power the Marketplace search so we could highlight already-published extensions, allow authors to control publishing of new versions, and to use npm to ‘host’ code.
While we use npm as a data source for the new Directus Extensions Registry, it goes beyond simply copying listings. We've implemented a custom API (based on Directus) that empowers users with better search and filtering.
Security is also paramount, and owning the Registry ensures it is taken seriously. It empowers us to store additional data related to extensions, including the ability to block or delist them if necessary. This ensures the marketplace remains a trustworthy source for users.
We're constantly innovating, and the registry will be no exception. We envision a future where extensions and authors can have a "verified" status, and we are also exploring the possibility of incorporating extensions from sources beyond npm. This could, of course, mean sources that sit behind a paywall, which would reward extension authors for their contributions.
Running external code in Directus poses a non-zero risk, and that’s unfortunately the reality of externally-contributed extensions whatever model we choose to take. There are really three types of risk - security, stability, and liability.
Security is the number one consideration above all others - after all, Directus can directly access your data. For this reason, the Marketplace will only surface extensions which are client-side or sandboxed on the server-side. Sandboxed extensions must explicitly request the permissions they need, both for the internal capabilities they use and for making external requests; anything not requested is not available to them. This is the model users expect of an “App Store”.
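To make the listing rule above concrete, here is an added example (not the Directus registry's own code) of a check a registry could run over an extension's package.json before surfacing it: client-side extension types pass, server-side types pass only when the manifest enables the sandbox and the scopes it requests look explicit. The manifest field names (`directus:extension`, `type`, `entries`, `sandbox.enabled`, `sandbox.requestedScopes`, the `request` scope's `methods` and `urls`) follow my reading of the Directus extension manifest and should be treated as assumptions, as should the split of extension types into app and API sides; the listing policy itself (HTTPS only, no catch-all URL patterns) is mine, not Directus's.

```javascript
// Added example, not Directus code. Evaluates a package.json object against
// the "client-side or sandboxed" listing rule. Field names are assumptions.

// Assumed split of extension types: these run in the browser (app) ...
const APP_TYPES = new Set(['interface', 'display', 'layout', 'module', 'panel', 'theme']);
// ... and these run inside the Directus server process (api).
const API_TYPES = new Set(['hook', 'endpoint', 'operation']);
// Scopes this example knows how to reason about; anything else is flagged.
const KNOWN_SCOPES = new Set(['log', 'sleep', 'request']);

// `request` is the scope that reaches outside the instance, so it gets the
// strictest treatment: every method and URL pattern must be spelled out.
function checkRequestScope(scope, reasons) {
  const methods = Array.isArray(scope?.methods) ? scope.methods : [];
  const urls = Array.isArray(scope?.urls) ? scope.urls : [];
  if (methods.length === 0) reasons.push('request scope lists no HTTP methods');
  if (urls.length === 0) reasons.push('request scope lists no URL patterns');
  for (const url of urls) {
    // Example policy: a catch-all is not an "explicit" request for anything,
    // and plaintext HTTP would let an on-path attacker feed the extension data.
    if (url === '*' || url.startsWith('*')) reasons.push(`request scope uses catch-all URL pattern "${url}"`);
    else if (!url.startsWith('https://')) reasons.push(`request scope allows non-HTTPS URL "${url}"`);
  }
}

function checkSandbox(sandbox, reasons) {
  if (!sandbox || sandbox.enabled !== true) {
    reasons.push('server-side extension does not run in the sandbox');
    return;
  }
  const scopes = sandbox.requestedScopes ?? {};
  for (const [name, cfg] of Object.entries(scopes)) {
    if (!KNOWN_SCOPES.has(name)) reasons.push(`unknown scope "${name}" requested`);
    if (name === 'request') checkRequestScope(cfg, reasons);
  }
}

// Returns { eligible: boolean, reasons: string[] } for one package.json object.
function evaluateExtension(pkg) {
  const reasons = [];
  const ext = pkg['directus:extension'];
  if (!ext) return { eligible: false, reasons: ['no directus:extension manifest'] };

  // A bundle carries several entries; a plain extension is its own single entry.
  const entries = ext.type === 'bundle' ? (ext.entries ?? []) : [ext];
  if (entries.length === 0) reasons.push('bundle declares no entries');

  let needsSandbox = false;
  for (const entry of entries) {
    if (APP_TYPES.has(entry.type)) continue; // client-side: always listable
    if (API_TYPES.has(entry.type)) needsSandbox = true;
    else reasons.push(`unknown extension type "${entry.type}"`);
  }
  // Assumption: one sandbox config on the manifest covers all API entries.
  if (needsSandbox) checkSandbox(ext.sandbox, reasons);

  return { eligible: reasons.length === 0, reasons };
}

// Constructed sample manifests for illustration; these are not real packages.
const SAMPLES = {
  appOnly: { 'directus:extension': { type: 'interface', path: 'dist/index.js' } },
  unsandboxedHook: { 'directus:extension': { type: 'hook', path: 'dist/index.js' } },
  sandboxedEndpoint: {
    'directus:extension': {
      type: 'endpoint', path: 'dist/index.js',
      sandbox: { enabled: true, requestedScopes: { log: {}, request: { methods: ['GET'], urls: ['https://api.example.com/*'] } } },
    },
  },
  sandboxedWildcard: {
    'directus:extension': {
      type: 'operation', path: 'dist/index.js',
      sandbox: { enabled: true, requestedScopes: { request: { methods: ['POST'], urls: ['*'] } } },
    },
  },
  bundleMixed: {
    'directus:extension': {
      type: 'bundle', path: { app: 'dist/app.js', api: 'dist/api.js' },
      entries: [{ type: 'interface', name: 'ui', source: 'src/ui.ts' }, { type: 'hook', name: 'h', source: 'src/h.ts' }],
      sandbox: { enabled: true, requestedScopes: { log: {} } },
    },
  },
};

for (const [name, pkg] of Object.entries(SAMPLES)) {
  const { eligible, reasons } = evaluateExtension(pkg);
  console.log(`${name}: ${eligible ? 'listable' : 'rejected'} ${reasons.join('; ')}`);
}
```

The point of returning reasons rather than a bare boolean is that a registry can show authors exactly which manifest field blocked listing; the same function could also run in CI on the extension side before publishing to npm.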