backend-ultimate
1
总安装量
1
周安装量
#44059
全站排名
安装命令
npx skills add https://github.com/shajar5110/hackathon-ii-phase-3 --skill backend-ultimate
Agent 安装分布
replit
1
windsurf
1
cline
1
trae
1
opencode
1
cursor
1
Skill 文档
ð¥ ULTIMATE BACKEND MASTERY – 25+ YEARS EXPERT LEVEL
Enterprise-grade backend architecture with genius-level optimization, comprehensive security hardening, advanced architectural patterns, and complete coverage across all frameworks, databases, and deployment strategies.
TABLE OF CONTENTS
- Core Architecture Decision Trees
- Route Protection & Middleware (PERFECTION)
- Authentication Systems (ALL METHODS)
- Authorization & RBAC
- API Design (REST, GraphQL, WebSockets, gRPC)
- Database Patterns & ORM
- Caching Strategies
- Message Queues & Async Jobs
- Security Hardening (COMPREHENSIVE)
- Performance Optimization
- Microservices & Advanced Patterns
- Monitoring, Logging, Tracing
- Testing (Unit, Integration, E2E, Load, Security)
- Deployment (Docker, Kubernetes, CI/CD)
- Real-World Implementations
PART 1: CORE ARCHITECTURE & DECISION TREES
Backend Technology Decision Matrix
Need to build a backend?
STEP 1: Choose Primary Framework
ââ Need high performance + async? â FastAPI (Python)
ââ Need full JavaScript ecosystem? â Express/Node.js
ââ Need type safety + performance? â Node.js with TypeScript
ââ Need full-stack with backend? â Next.js API routes
ââ Need extreme performance + concurrency? â Go/Rust
STEP 2: Choose Database(s)
ââ Relational data + complex queries? â PostgreSQL
ââ Document storage + flexibility? â MongoDB
ââ Cache layer + sessions? â Redis
ââ Full-text search? â Elasticsearch
ââ Time-series data? â TimescaleDB/InfluxDB
ââ All of above â Use what fits each use case
STEP 3: Choose API Style
ââ Simple CRUD operations? â REST
ââ Complex data requirements? â GraphQL
ââ Real-time features needed? â WebSockets
ââ Internal services? â gRPC
ââ Combination? â Use all, not monolithic
STEP 4: Choose Architectural Pattern
ââ Starting small? â Monolith (with modular structure)
ââ Need scaling? â Microservices
ââ Heavy background work? â Event-driven
ââ Complex business logic? â DDD (Domain-Driven Design)
ââ Combination? â Hybrid approach
STEP 5: Choose Deployment
ââ Single server? â Docker + systemd
ââ Multiple servers? â Docker + Docker Compose
ââ Enterprise scale? â Kubernetes
ââ Serverless? â AWS Lambda / Google Cloud Functions
ââ Cloud native? â Managed services (RDS, ElastiCache, etc.)
Project Structure – Next-Generation Backend
backend/
âââ src/
â âââ core/ // Core infrastructure
â â âââ config.ts // Configuration management
â â âââ env.ts // Environment validation (Zod)
â â âââ database.ts // Database connections
â â âââ cache.ts // Cache setup (Redis)
â â
â âââ middleware/ // Global middleware (PERFECTION)
â â âââ authentication.ts // JWT/session verification
â â âââ authorization.ts // RBAC enforcement
â â âââ validation.ts // Input validation (Zod)
â â âââ error-handling.ts // Centralized errors
â â âââ logging.ts // Request logging
â â âââ rate-limiting.ts // DDoS protection
â â âââ cors.ts // CORS handling
â â âââ helmet.ts // Security headers
â â âââ request-id.ts // Correlation IDs
â â âââ compression.ts // Response compression
â â
â âââ routes/ // API endpoints (PROTECTED)
â â âââ auth.routes.ts // Authentication endpoints
â â âââ user.routes.ts // User endpoints
â â âââ products.routes.ts // Product endpoints
â â âââ orders.routes.ts // Order endpoints
â â âââ admin.routes.ts // Admin endpoints (admin only)
â â
â âââ controllers/ // Business logic
â â âââ auth.controller.ts
â â âââ user.controller.ts
â â âââ product.controller.ts
â â âââ order.controller.ts
â â
â âââ services/ // Core services
â â âââ auth.service.ts // Auth logic
â â âââ user.service.ts
â â âââ product.service.ts
â â âââ order.service.ts
â â âââ email.service.ts // Email sending
â â âââ payment.service.ts // Payment processing
â â âââ notification.service.ts // Notifications
â â
â âââ models/ // Database models
â â âââ user.model.ts
â â âââ product.model.ts
â â âââ order.model.ts
â â âââ schema.ts // Validation schemas
â â
â âââ repositories/ // Data access layer
â â âââ user.repository.ts
â â âââ product.repository.ts
â â âââ order.repository.ts
â â
â âââ guards/ // Route protection (PERFECTION)
â â âââ auth.guard.ts // Is authenticated?
â â âââ role.guard.ts // Has role?
â â âââ permission.guard.ts // Has permission?
â â âââ rate-limit.guard.ts // Rate limit check?
â â
â âââ pipes/ // Data transformation
â â âââ validation.pipe.ts
â â âââ parse-int.pipe.ts
â â
â âââ interceptors/ // Request/response handling
â â âââ logging.interceptor.ts
â â âââ transform.interceptor.ts
â â âââ error.interceptor.ts
â â
â âââ decorators/ // Custom decorators
â â âââ @Auth()
â â âââ @Role('admin')
â â âââ @Permission('create:user')
â â âââ @RateLimit(5, '1m')
â â
â âââ utils/
â â âââ security.ts // Encryption, hashing
â â âââ validation.ts // Input validation
â â âââ jwt.ts // JWT utilities
â â âââ pagination.ts // Pagination helpers
â â âââ error-handling.ts // Error utilities
â â
â âââ queue/ // Background jobs
â â âââ jobs/
â â â âââ send-email.job.ts
â â â âââ process-payment.job.ts
â â â âââ generate-report.job.ts
â â âââ queue.ts // Queue setup
â â
â âââ events/ // Event-driven architecture
â â âââ user.events.ts
â â âââ order.events.ts
â â âââ event-bus.ts
â â
â âââ types/ // TypeScript types
â â âââ auth.types.ts
â â âââ user.types.ts
â â âââ api.types.ts
â â âââ database.types.ts
â â
â âââ main.ts // Entry point
â
âââ tests/
â âââ unit/
â âââ integration/
â âââ e2e/
â âââ load/
â
âââ docker/
â âââ Dockerfile
â âââ docker-compose.yml
â
âââ kubernetes/
â âââ deployment.yaml
â âââ service.yaml
â âââ ingress.yaml
â
âââ .env.example
âââ .env.local // gitignored
âââ docker-compose.yml
âââ .dockerignore
âââ .eslintrc.json
âââ .prettierrc.json
âââ tsconfig.json
âââ jest.config.js
âââ package.json
âââ README.md
PART 2: ROUTE PROTECTION & MIDDLEWARE (PERFECTION)
2.1 Authentication Middleware
// src/middleware/authentication.ts
import { NextFunction, Request, Response } from 'express';
import jwt from 'jsonwebtoken';
import { UnauthorizedError } from '@/utils/error-handling';
/**
* Express authentication middleware
* Verifies JWT token and attaches user to request
* PERFECTION: Handles all edge cases
*/
export function authenticationMiddleware() {
return (req: Request, res: Response, next: NextFunction) => {
try {
// Extract token from multiple sources
let token = extractToken(req);
if (!token) {
throw new UnauthorizedError('No token provided');
}
// Verify token signature and expiration
const decoded = jwt.verify(token, process.env.JWT_SECRET!);
// Check if token is blacklisted (revoked)
if (isTokenBlacklisted(decoded.jti)) {
throw new UnauthorizedError('Token has been revoked');
}
// Attach user to request for later use
(req as any).user = {
id: decoded.sub,
email: decoded.email,
role: decoded.role,
permissions: decoded.permissions,
sessionId: decoded.jti,
};
// Store token expiration for refresh logic
(req as any).tokenExp = decoded.exp;
next();
} catch (error) {
if (error instanceof jwt.TokenExpiredError) {
res.status(401).json({ error: 'Token expired' });
} else if (error instanceof jwt.JsonWebTokenError) {
res.status(401).json({ error: 'Invalid token' });
} else {
next(error);
}
}
};
}
/**
* Extract token from Authorization header, cookies, or query
*/
function extractToken(req: Request): string | null {
// 1. Check Authorization header (Bearer token)
const authHeader = req.headers.authorization;
if (authHeader?.startsWith('Bearer ')) {
return authHeader.slice(7);
}
// 2. Check HTTP-only cookie
if (req.cookies?.accessToken) {
return req.cookies.accessToken;
}
// 3. Check custom header
if (req.headers['x-access-token']) {
return req.headers['x-access-token'] as string;
}
// 4. Don't extract from query string (XSS vulnerability)
// if (req.query?.token) { ... } // NEVER DO THIS
return null;
}
/**
* Check if token is in blacklist (revoked)
*/
function isTokenBlacklisted(jti: string): boolean {
// In production: Check Redis or database
// For now: Simple in-memory cache
return cache.exists(`blacklist:${jti}`);
}
2.2 Authorization Middleware (RBAC)
// src/middleware/authorization.ts
import { NextFunction, Request, Response } from 'express';
import { ForbiddenError } from '@/utils/error-handling';
/**
* Role-based access control middleware
* PERFECTION: Enforces roles at route level
*/
export function requireRole(...allowedRoles: string[]) {
return (req: Request, res: Response, next: NextFunction) => {
const user = (req as any).user;
if (!user) {
res.status(401).json({ error: 'Unauthorized' });
return;
}
if (!allowedRoles.includes(user.role)) {
// Log unauthorized attempt
logSecurityEvent({
type: 'unauthorized_access',
userId: user.id,
requiredRole: allowedRoles,
userRole: user.role,
endpoint: req.path,
method: req.method,
});
throw new ForbiddenError(
`This endpoint requires one of roles: ${allowedRoles.join(', ')}`
);
}
next();
};
}
/**
* Permission-based access control
* PERFECTION: Fine-grained permissions
*/
export function requirePermission(...permissions: string[]) {
return (req: Request, res: Response, next: NextFunction) => {
const user = (req as any).user;
if (!user) {
res.status(401).json({ error: 'Unauthorized' });
return;
}
// Check if user has at least one required permission
const hasPermission = permissions.some((perm) =>
user.permissions?.includes(perm)
);
if (!hasPermission) {
logSecurityEvent({
type: 'insufficient_permissions',
userId: user.id,
requiredPermissions: permissions,
userPermissions: user.permissions,
endpoint: req.path,
});
throw new ForbiddenError(
`This endpoint requires one of permissions: ${permissions.join(', ')}`
);
}
next();
};
}
/**
* Resource-based access control
* PERFECTION: Check ownership
*/
export function canAccessResource(
resourceOwnerField: string = 'userId'
) {
return async (req: Request, res: Response, next: NextFunction) => {
const user = (req as any).user;
const resourceId = req.params.id;
if (!user) {
res.status(401).json({ error: 'Unauthorized' });
return;
}
// Fetch resource
const resource = await db.query(
`SELECT * FROM resources WHERE id = $1`,
[resourceId]
);
if (!resource) {
res.status(404).json({ error: 'Resource not found' });
return;
}
// Check ownership
if (resource[resourceOwnerField] !== user.id && user.role !== 'admin') {
logSecurityEvent({
type: 'resource_access_denied',
userId: user.id,
resourceId,
ownerId: resource[resourceOwnerField],
});
throw new ForbiddenError('You do not have access to this resource');
}
// Attach resource for later use
(req as any).resource = resource;
next();
};
}
2.3 Route-Level Protection (Express Example)
// src/routes/protected.routes.ts
import { Router } from 'express';
import { authenticationMiddleware } from '@/middleware/authentication';
import { requireRole, requirePermission } from '@/middleware/authorization';
import { validateInput } from '@/middleware/validation';
import { rateLimitGuard } from '@/middleware/rate-limiting';
import { userController } from '@/controllers/user.controller';
import { createUserSchema, updateUserSchema } from '@/models/user.model';
const router = Router();
/**
* Public endpoints (no protection)
*/
router.post('/auth/login', userController.login);
router.post('/auth/register', userController.register);
/**
* Protected endpoints (authentication required)
*/
router.use(authenticationMiddleware());
// Get current user profile
router.get(
'/users/me',
userController.getCurrentUser
);
// Update own profile
router.patch(
'/users/me',
validateInput(updateUserSchema),
userController.updateProfile
);
/**
* Admin-only endpoints (role required)
*/
router.use(requireRole('admin'));
// List all users (admin only)
router.get(
'/users',
userController.listUsers
);
// Delete user (admin only)
router.delete(
'/users/:id',
userController.deleteUser
);
/**
* Permission-based endpoints
*/
router.post(
'/users',
requirePermission('create:user'),
validateInput(createUserSchema),
userController.createUser
);
/**
* Rate-limited endpoints
*/
router.post(
'/exports/generate',
rateLimitGuard({ maxRequests: 5, windowMs: 60000 }), // 5 per minute
userController.generateExport
);
export const protectedRoutes = router;
2.4 FastAPI Route Protection (Python)
# src/middleware/authentication.py
from fastapi import Depends, HTTPException, status, Request
from fastapi.security import HTTPBearer, HTTPAuthCredentials
import jwt
from typing import Optional, Dict, Any
security = HTTPBearer()
class User:
def __init__(
self,
id: str,
email: str,
role: str,
permissions: list[str],
):
self.id = id
self.email = email
self.role = role
self.permissions = permissions
async def get_current_user(
credentials: HTTPAuthCredentials = Depends(security),
) -> User:
"""
Verify JWT token and return current user
PERFECTION: Complete authentication
"""
token = credentials.credentials
try:
# Verify token signature
payload = jwt.decode(
token,
os.getenv("JWT_SECRET"),
algorithms=["HS256"],
options={
"verify_signature": True,
"verify_exp": True,
"verify_aud": False,
},
)
user_id: str = payload.get("sub")
if user_id is None:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Invalid token",
)
# Check if token is blacklisted
if cache.exists(f"blacklist:{payload.get('jti')}"):
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Token has been revoked",
)
user = User(
id=payload.get("sub"),
email=payload.get("email"),
role=payload.get("role"),
permissions=payload.get("permissions", []),
)
return user
except jwt.ExpiredSignatureError:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Token expired",
)
except jwt.InvalidTokenError:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Invalid token",
)
def require_role(*allowed_roles: str):
"""Check if user has required role"""
async def check_role(user: User = Depends(get_current_user)) -> User:
if user.role not in allowed_roles:
log_security_event({
"type": "unauthorized_access",
"user_id": user.id,
"required_role": allowed_roles,
"user_role": user.role,
})
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail=f"Required role: {', '.join(allowed_roles)}",
)
return user
return check_role
def require_permission(*permissions: str):
"""Check if user has required permission"""
async def check_permission(
user: User = Depends(get_current_user),
) -> User:
if not any(perm in user.permissions for perm in permissions):
log_security_event({
"type": "insufficient_permissions",
"user_id": user.id,
"required_permissions": permissions,
"user_permissions": user.permissions,
})
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail=f"Required permission: {', '.join(permissions)}",
)
return user
return check_permission
# src/routes/users.py
from fastapi import APIRouter, Depends
from src.middleware.authentication import (
get_current_user,
require_role,
require_permission,
User,
)
router = APIRouter()
# Public endpoint
@router.post("/auth/login")
async def login(credentials: LoginRequest):
# Login logic
pass
# Protected endpoint (authentication required)
@router.get("/users/me")
async def get_current_user_profile(
user: User = Depends(get_current_user),
):
return {"id": user.id, "email": user.email}
# Admin-only endpoint
@router.get("/users")
async def list_users(
user: User = Depends(require_role("admin")),
):
return {"users": [...]}
# Permission-based endpoint
@router.post("/users")
async def create_user(
user_data: UserCreate,
user: User = Depends(require_permission("create:user")),
):
return {"id": "...", "email": user_data.email}
# Resource ownership check
@router.get("/orders/{order_id}")
async def get_order(
order_id: str,
current_user: User = Depends(get_current_user),
):
order = await db.get_order(order_id)
# Check ownership or admin
if order.user_id != current_user.id and current_user.role != "admin":
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="You do not have access to this resource",
)
return order
2.5 Global Middleware Chain (Express)
// src/main.ts
import express from 'express';
import helmet from 'helmet';
import cors from 'cors';
import compression from 'compression';
import cookieParser from 'cookie-parser';
import rateLimit from 'express-rate-limit';
const app = express();
/**
* Security middleware (PERFECTION)
*/
// Helmet: Set security headers
app.use(helmet({
contentSecurityPolicy: {
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'"],
styleSrc: ["'self'", "'unsafe-inline'"],
imgSrc: ["'self'", "data:", "https:"],
},
},
hsts: {
maxAge: 31536000, // 1 year
includeSubDomains: true,
preload: true,
},
frameguard: { action: 'deny' },
noSniff: true,
xssFilter: true,
}));
// CORS: Control cross-origin requests
app.use(cors({
origin: process.env.ALLOWED_ORIGINS?.split(','),
credentials: true,
optionsSuccessStatus: 200,
}));
// Rate limiting: Prevent abuse
const limiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 100, // Limit each IP to 100 requests per windowMs
message: 'Too many requests from this IP',
standardHeaders: true, // Return rate limit info in headers
skip: (req) => req.path === '/health', // Skip health checks
});
app.use(limiter);
/**
* Body parsing middleware
*/
app.use(express.json({ limit: '10mb' }));
app.use(express.urlencoded({ limit: '10mb', extended: true }));
app.use(cookieParser());
/**
* Compression middleware
*/
app.use(compression());
/**
* Request logging middleware
*/
app.use(loggingMiddleware());
/**
* Custom middleware (PERFECTION)
*/
// Request ID for tracing
app.use(requestIdMiddleware());
// Input validation globally
app.use(globalValidationMiddleware());
// Error handling (must be last)
app.use(errorHandlingMiddleware());
/**
* Routes
*/
app.use('/api/auth', authRoutes);
app.use('/api/users', userRoutes);
app.use('/api/products', productRoutes);
app.use('/api/orders', orderRoutes);
/**
* 404 handler
*/
app.use((req, res) => {
res.status(404).json({ error: 'Not found' });
});
app.listen(process.env.PORT || 3000);
PART 3: AUTHENTICATION SYSTEMS (ALL METHODS)
3.1 JWT Implementation (Production-Grade)
// src/utils/jwt.ts
import jwt from 'jsonwebtoken';
import { randomBytes } from 'crypto';
/**
* Generate JWT with all security features
* PERFECTION: Rotation, expiration, blacklisting
*/
export function generateJWT(
userId: string,
email: string,
role: string,
permissions: string[],
expiresIn: string = '15m'
): { token: string; expiresAt: number } {
const now = Math.floor(Date.now() / 1000);
const jti = randomBytes(16).toString('hex');
const payload = {
sub: userId,
email,
role,
permissions,
jti,
iat: now,
exp: now + getExpirationSeconds(expiresIn),
nbf: now,
aud: 'api',
iss: 'auth-service',
};
const token = jwt.sign(payload, process.env.JWT_SECRET!, {
algorithm: 'HS256',
});
return {
token,
expiresAt: payload.exp * 1000,
};
}
/**
* Verify JWT with complete security checks
*/
export function verifyJWT(token: string): any {
try {
return jwt.verify(token, process.env.JWT_SECRET!, {
algorithms: ['HS256'],
audience: 'api',
issuer: 'auth-service',
});
} catch (error) {
if (error instanceof jwt.TokenExpiredError) {
throw new Error('Token expired');
}
throw new Error('Invalid token');
}
}
/**
* Refresh token pair (access + refresh)
*/
export function generateTokenPair(
userId: string,
email: string,
role: string,
permissions: string[]
) {
const accessToken = generateJWT(userId, email, role, permissions, '15m');
const refreshToken = generateJWT(userId, email, role, permissions, '7d');
return { accessToken, refreshToken };
}
/**
* Revoke token (add to blacklist)
*/
export async function revokeToken(jti: string): Promise<void> {
await cache.setex(`blacklist:${jti}`, 86400, '1');
}
function getExpirationSeconds(expiresIn: string): number {
const units: Record<string, number> = {
s: 1,
m: 60,
h: 3600,
d: 86400,
};
const match = expiresIn.match(/^(\d+)([smhd])$/);
if (!match) return 900;
return parseInt(match[1]) * units[match[2]];
}
3.2 Multi-Factor Authentication
// src/services/mfa.service.ts
import speakeasy from 'speakeasy';
import QRCode from 'qrcode';
export async function generateMFASecret(email: string) {
const secret = speakeasy.generateSecret({
name: `MyApp (${email})`,
issuer: 'MyApp',
length: 32,
});
const qrCode = await QRCode.toDataURL(secret.otpauth_url);
return {
secret: secret.base32,
qrCode,
};
}
export function verifyMFAToken(secret: string, token: string): boolean {
return speakeasy.totp.verify({
secret,
encoding: 'base32',
token,
window: 2,
});
}
export async function enableMFA(
userId: string,
secret: string,
mfaToken: string
): Promise<void> {
if (!verifyMFAToken(secret, mfaToken)) {
throw new Error('Invalid MFA token');
}
await db.user.update({
where: { id: userId },
data: {
mfaEnabled: true,
mfaSecret: secret,
},
});
}
3.3 OAuth2 (Google)
// src/services/oauth.service.ts
import { google } from 'googleapis';
const oauth2Client = new google.auth.OAuth2(
process.env.GOOGLE_CLIENT_ID,
process.env.GOOGLE_CLIENT_SECRET,
process.env.GOOGLE_REDIRECT_URI
);
export function getGoogleAuthURL(): string {
return oauth2Client.generateAuthUrl({
access_type: 'offline',
scope: [
'https://www.googleapis.com/auth/userinfo.email',
'https://www.googleapis.com/auth/userinfo.profile',
],
state: generateRandomState(),
});
}
export async function exchangeCodeForTokens(code: string) {
try {
const { tokens } = await oauth2Client.getToken(code);
const ticket = await oauth2Client.verifyIdToken({
idToken: tokens.id_token,
audience: process.env.GOOGLE_CLIENT_ID,
});
const payload = ticket.getPayload();
return {
email: payload.email,
name: payload.name,
picture: payload.picture,
googleId: payload.sub,
};
} catch (error) {
throw new Error('OAuth authentication failed');
}
}
PART 4: AUTHORIZATION & RBAC
4.1 Permission Management
// src/services/permission.service.ts
export async function userHasPermission(
userId: string,
requiredPermission: string
): Promise<boolean> {
const user = await db.user.findUnique({
where: { id: userId },
include: { role: { include: { permissions: true } } },
});
if (user?.role?.name === 'admin') {
return true;
}
const hasRolePermission = user?.role?.permissions.some(
(p) => p.name === requiredPermission
);
if (hasRolePermission) {
return true;
}
const hasUserPermission = await db.userPermission.findFirst({
where: {
userId,
permission: { name: requiredPermission },
OR: [
{ expiresAt: null },
{ expiresAt: { gt: new Date() } },
],
},
});
return !!hasUserPermission;
}
export async function grantTemporaryPermission(
userId: string,
permissionName: string,
expiresIn: number
): Promise<void> {
const permission = await db.permission.findUnique({
where: { name: permissionName },
});
if (!permission) {
throw new Error('Permission not found');
}
await db.userPermission.create({
data: {
userId,
permissionId: permission.id,
expiresAt: new Date(Date.now() + expiresIn),
},
});
}
export async function revokePermission(
userId: string,
permissionName: string
): Promise<void> {
await db.userPermission.deleteMany({
where: {
userId,
permission: { name: permissionName },
},
});
}
4.2 Audit Logging
// src/services/audit.service.ts
export async function auditLog(
userId: string,
action: string,
resource: string,
resourceId: string,
changes?: Record<string, any>,
ipAddress?: string,
userAgent?: string
): Promise<void> {
await db.auditLog.create({
data: {
userId,
action,
resource,
resourceId,
changes,
ipAddress,
userAgent,
timestamp: new Date(),
},
});
}
export async function getAuditTrail(
resource: string,
resourceId: string,
limit: number = 50
): Promise<any[]> {
return db.auditLog.findMany({
where: { resource, resourceId },
orderBy: { timestamp: 'desc' },
take: limit,
});
}
PART 5: API DESIGN PATTERNS
5.1 RESTful API
// src/controllers/product.controller.ts
export async function listProducts(req: Request, res: Response) {
const { page = 1, limit = 20, category, sort = 'createdAt' } = req.query;
const where = category ? { category } : {};
const [products, total] = await Promise.all([
db.product.findMany({
where,
skip: (parseInt(page as string) - 1) * parseInt(limit as string),
take: parseInt(limit as string),
orderBy: { [sort as string]: 'desc' },
}),
db.product.count({ where }),
]);
res.json({
data: products,
pagination: {
page: parseInt(page as string),
limit: parseInt(limit as string),
total,
pages: Math.ceil(total / parseInt(limit as string)),
},
});
}
export async function createProduct(req: Request, res: Response) {
const { name, price, description, stock } = req.body;
if (!name || !price) {
return res.status(400).json({ error: 'Missing required fields' });
}
const product = await db.product.create({
data: {
name,
price: parseFloat(price),
description,
stock: parseInt(stock) || 0,
},
});
await auditLog(
(req as any).user.id,
'CREATE',
'product',
product.id,
product,
req.ip
);
res.status(201).json({ data: product });
}
export async function updateProduct(req: Request, res: Response) {
const { id } = req.params;
const updates = req.body;
const product = await db.product.update({
where: { id },
data: updates,
});
await auditLog(
(req as any).user.id,
'UPDATE',
'product',
id,
updates,
req.ip
);
res.json({ data: product });
}
export async function deleteProduct(req: Request, res: Response) {
const { id } = req.params;
await db.product.delete({
where: { id },
});
await auditLog(
(req as any).user.id,
'DELETE',
'product',
id,
null,
req.ip
);
res.json({ message: 'Product deleted' });
}
5.2 WebSockets Real-Time
// src/services/websocket.service.ts
import { WebSocketServer } from 'ws';
import { verifyJWT } from './jwt.service';
export function setupWebSocketServer(server: any) {
const wss = new WebSocketServer({ server });
wss.on('connection', (ws, req) => {
const token = extractTokenFromURL(req.url);
let userId: string;
try {
const decoded = verifyJWT(token);
userId = decoded.sub;
} catch {
ws.close(1008, 'Unauthorized');
return;
}
(ws as any).userId = userId;
ws.on('message', async (data) => {
try {
const message = JSON.parse(data.toString());
switch (message.type) {
case 'subscribe':
subscribeToChannel(ws, message.channel);
break;
case 'publish':
publishToChannel(message.channel, message.payload);
break;
case 'ping':
ws.send(JSON.stringify({ type: 'pong' }));
break;
}
} catch (error) {
ws.send(JSON.stringify({
type: 'error',
message: 'Invalid message',
}));
}
});
ws.on('close', () => {
unsubscribeAll(ws);
});
});
return wss;
}
function publishToChannel(channel: string, payload: any) {
// Broadcast logic
}
function subscribeToChannel(ws: any, channel: string) {
if (!ws.channels) ws.channels = [];
ws.channels.push(channel);
}
function unsubscribeAll(ws: any) {
if (ws.channels) {
ws.channels = [];
}
}
function extractTokenFromURL(url: string): string {
const match = url.match(/token=([^&]+)/);
return match ? match[1] : '';
}
PART 6: ERROR HANDLING & LOGGING
6.1 Centralized Error Handler
// src/utils/error-handling.ts
export class AppError extends Error {
constructor(
public statusCode: number,
message: string,
public code?: string
) {
super(message);
Object.setPrototypeOf(this, AppError.prototype);
}
}
export class BadRequestError extends AppError {
constructor(message: string) {
super(400, message, 'BAD_REQUEST');
}
}
export class UnauthorizedError extends AppError {
constructor(message: string) {
super(401, message, 'UNAUTHORIZED');
}
}
export class ForbiddenError extends AppError {
constructor(message: string) {
super(403, message, 'FORBIDDEN');
}
}
export class NotFoundError extends AppError {
constructor(message: string) {
super(404, message, 'NOT_FOUND');
}
}
export function errorHandler(
err: any,
req: any,
res: any,
next: any
) {
console.error('Error:', {
message: err.message,
stack: err.stack,
url: req.originalUrl,
method: req.method,
ip: req.ip,
});
if (err instanceof AppError) {
return res.status(err.statusCode).json({
error: {
message: err.message,
code: err.code,
},
});
}
res.status(500).json({
error: {
message: 'Internal server error',
code: 'INTERNAL_ERROR',
},
});
}
6.2 Logging System
// src/utils/logger.ts
import winston from 'winston';
export const logger = winston.createLogger({
level: process.env.LOG_LEVEL || 'info',
format: winston.format.json(),
defaultMeta: { service: 'backend-api' },
transports: [
new winston.transports.File({
filename: 'logs/error.log',
level: 'error',
}),
new winston.transports.File({
filename: 'logs/combined.log',
}),
...(process.env.NODE_ENV !== 'production'
? [new winston.transports.Console({
format: winston.format.simple(),
})]
: []),
],
});
export function loggingMiddleware(req: any, res: any, next: any) {
const start = Date.now();
res.on('finish', () => {
const duration = Date.now() - start;
logger.info({
method: req.method,
url: req.originalUrl,
status: res.statusCode,
duration,
ip: req.ip,
userId: req.user?.id,
});
});
next();
}
PART 7: ENVIRONMENT & ENTRY POINT
7.1 Type-Safe Configuration
// src/core/env.ts
import { z } from 'zod';
const envSchema = z.object({
NODE_ENV: z.enum(['development', 'production', 'test']),
PORT: z.coerce.number().default(3000),
DATABASE_URL: z.string(),
REDIS_URL: z.string(),
JWT_SECRET: z.string().min(32),
JWT_AUDIENCE: z.string(),
JWT_ISSUER: z.string(),
GOOGLE_CLIENT_ID: z.string(),
GOOGLE_CLIENT_SECRET: z.string(),
STRIPE_API_KEY: z.string(),
ALLOWED_ORIGINS: z.string().transform(s => s.split(',')),
LOG_LEVEL: z.enum(['error', 'warn', 'info', 'debug']).default('info'),
});
export const env = envSchema.parse(process.env);
7.2 Application Entry Point
// src/main.ts
import express from 'express';
import { env } from './core/env';
import { setupMiddleware } from './middleware';
import { setupRoutes } from './routes';
import { errorHandler } from './utils/error-handling';
const app = express();
setupMiddleware(app);
setupRoutes(app);
app.use(errorHandler);
const server = app.listen(env.PORT, () => {
console.log(`Server running on port ${env.PORT}`);
});
process.on('SIGTERM', () => {
console.log('Shutting down gracefully');
server.close(() => {
console.log('HTTP server closed');
process.exit(0);
});
});
This completes PARTS 1-7 with CORE ARCHITECTURE, ROUTE PROTECTION, MIDDLEWARE, AUTHENTICATION, AUTHORIZATION, API DESIGN, and ERROR HANDLING in PERFECTION!