My project consists of two main components - ASP.NET Core Web API and React SPA.
I want to allow users to extend their UI experience by developing their own plugins. Plugins should be stored somehow within the back-end (e.g. in a database) and consumed by the front-end.
I wonder what is the best way of implementing this without allowing for any vulnerabilities?
You didn't share the extent at which you wanted the user-base to participate. You must also account for how you want to allow these contributions to happen, not just the way in which their code is entertained by your program.
Allowing users to pitch in to the user experience by creating plugins is an extremely slippery slope where the tug between not compromising the experience for the user and ensuring that you're hydrating these extensions in a secure manner is never ending. Generally, there are two reasons for this.
One:Simply, exploits are everywhere. As long as we continue introducing new or updated code, we will also be introducing exploits to patch.Two:What people want is going to change, so you may have solid parameters set up for appropriately and securely loading extensions in your solution, but they will need to frequently be revisited.Regardless of the scope of 'who', you need legal agreements if you are set on facilitating this on a non-free service or program (or if the program/service accepts payment within the application).
I know this was extremely general, but I hope that I got the point across about the considerations that need to be made when giving the ability to add/alter to people not tied to the product itself.