Spotta Folderkiezer - Subscribe to your favourite magazines

Publishing / Media


Spotta is the shopping aid that helps consumers easily obtain benefits and inspiration that are relevant to them. They are a proud part of PostNL and the largest magazine subscription platform in the Netherlands. With more than 60 years of experience, they can build on a strong delivery network with national coverage and an enormous amount of data. Their products and services are made possible every day by 1,000 employees and a network of 24,000 deliverers. Finalist helped Spotta during the transformation of all their platforms to Drupal, and in this specific case they have also built

Case description

The Folderkiezer website is a handy tool that allows visitors to compile their ideal and personalized brochure package. This specifically concerns advertising brochures with which you can obtain interesting benefits. Visitors can create an account on the site, compile a brochure package, and the package is then sent to the home address of the person concerned. In addition, the visitor has the option to change his or her data and also to state an absence (for example, because the person in question is going on holiday and therefore no brochures have to be delivered).
The front end is based on “component based atomic design” with BEM, using Drupal 8 Twig files extensively for maximum code reusability. No personal data is stored in the Drupal database. Almost all (user) data is sent and received through custom APIs. Login is done with Keycloak through OpenID Connect, and user management is done outside Drupal.

Case goals and results

Personalization and privacy need to go hand-in-hand in creating a personalized brochure package, whilst blending online and off-line experiences.
The AVG/GDPR has been in force throughout the EU since May 2018. The customer attached great importance to this privacy interest. These were the goals:
• The starting point of the site design was that no user data could be stored on the site.
• The customer data was on the Spotta server.
• Authentication had to be done with the help of OAuth 2.0.
• Drupal was mainly used to deliver a number of content pages.
Despite this setup, the visitor has to get the feeling that the Folderkiezer site is his "home place". Within this site he can create his account, change his data and compile (or modify) his brochure package. Behind the scenes, however, the visitor is first authorized with OAuth2 (for this a connection was made with a Keycloak server) and all user data, such as the chosen brochure package, resides on the Spotta server.
This setup has of course been successfully completed. The user can select brochures or change data quickly and to his heart's content, without being bothered by faltering or slow connections to external services.


During development of the website the Spotta API was not yet ready, so simple wrapper functions that returned static data were used to build the rest of the site.
After the API was delivered this could be tested locally, and everything seemed to go well. Creating users, logging in, deleting: everything worked great. But then the customer started testing, and (thankfully) they did that with multiple users at the same time.

It turned out that the implementation contained a major error: when retrieving the access token, each user was given the token of the last logged-in user, and that user's data was then retrieved from the Spotta API server. Quite a "privacy leak."
During debugging, it turned out that the plug-in implementation indeed always overwrites the token and does not store it per user. Normally this is not necessary either, because the user is logged in to Drupal and the token is no longer needed afterwards.
In this case, however, we still needed the token per user, because the token was used for the requests to the Spotta API (the only place where the user data could be stored).
After some research, it turned out that this could be solved by using hook_openid_connect_post_authorize(). It turned out to be easiest and quickest to write the code ourselves to handle the retrieval and renewal of the token.
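
The token mix-up described above and its per-session fix, as a minimal model added here (not Finalist's code and not the OpenID Connect module's). The class and function names and the sample sessions are hypothetical, and issueToken() stands in for the identity provider.

```php
<?php
// Added illustration: models the bug and the fix without any Drupal or Keycloak code.
// SharedTokenStore, PerSessionTokenStore and issueToken are hypothetical names.

// Stand-in for the identity provider: returns a constructed token bound to one subject.
function issueToken(string $sub, int $now, int $ttl = 300): array {
    return ['sub' => $sub, 'access_token' => "at-$sub-$now", 'expires_at' => $now + $ttl];
}

// The bug: one slot for the whole site, overwritten at every login.
final class SharedTokenStore {
    private ?array $token = null;
    public function save(string $sessionId, array $token): void { $this->token = $token; }
    public function get(string $sessionId, int $now): ?array { return $this->token; }
}

// The fix: one token per session, renewed when expired, never shared.
final class PerSessionTokenStore {
    private array $tokens = [];
    public function save(string $sessionId, array $token): void { $this->tokens[$sessionId] = $token; }
    public function get(string $sessionId, int $now): ?array {
        $token = $this->tokens[$sessionId] ?? null;
        if ($token === null) {
            return null; // unknown session: fail closed, no fallback to another user's token
        }
        if ($token['expires_at'] <= $now) {
            // Renewal stays bound to the same subject and the same session.
            $token = issueToken($token['sub'], $now);
            $this->tokens[$sessionId] = $token;
        }
        return $token;
    }
}

// The test the customer ran: two users logged in at the same time (constructed sample data).
function whoseTokenDoesAliceGet($store): string {
    $store->save('session-alice', issueToken('alice', 1000));
    $store->save('session-bob', issueToken('bob', 1001));
    // Alice's next API call happens after her first token has expired.
    return $store->get('session-alice', 1400)['sub'];
}

echo 'shared slot: ', whoseTokenDoesAliceGet(new SharedTokenStore()), PHP_EOL;
echo 'per session: ', whoseTokenDoesAliceGet(new PerSessionTokenStore()), PHP_EOL;
```

With a single login at a time both stores behave identically, which is why the problem only surfaced once several accounts were tested simultaneously.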

Learning moments:
• Working against an API that "really will be finished next sprint" is a bad plan.
• You can only really test once it has arrived.
• Always test with multiple accounts at the same time.
• Tutorials do not address real life problems.
• There (sometimes) can be bugs, even in Drupal 8!
• Private tempstores for anonymous users did not work.
• Always use standard clients and services, but don't be afraid to make something yourself if they don't work.

Community contributions

On September 12th this case was used as the basis for a Drupal Techtalk.

Why should this case win the Splash Awards?

Personalization and privacy go hand-in-hand in creating a personalized brochure package, whilst blending online and offline experiences.
As a consumer I have the possibility to read my brochures online as well as offline. My offline brochures are a personalized package delivered to my doorstep.
This provides real and measurable advertising value whilst giving the consumer tangible advantages, like relevant discounts. Sustainability is underlined by automatically reducing waste in brochures that are thrown away.
The privacy of the consumer is guaranteed, in accordance with GDPR (AVG) directives.
The digital dialogue with the target audience is extended to the physical living room.
This blend of online and offline is perfectly catered for by open source Drupal.

Fun fact: Spotta was one of Finalist's launching customers more than 30 years ago and has remained a happy and loyal customer ever since!