Delivering backend - Case study

D
C
21 /03/2018 - TRUG
Michał Poczwardowski
[email protected]
dmp @ 3cityIT slack

View Slide

Agenda
● Intro
● Stack
● Code Samples
● Patterns
● 3rd-parties
● Security Audit

View Slide

View Slide

Questions
● Client? Huge Business (from scratch - after PDS) / corpo
● Problem Domain? Recruitment / Employer Branding
● Team? Netguru + outside agency (responsible for UI and visuals)
● Stack? Grape API + ActiveAdmin for Backend / Frontend@Ember

View Slide

From scratch (1st commit)
rails new
--database=postgresql
--skip-test
--skip-coffee
--skip-action-cable
--skip-yarn

View Slide

README.md

View Slide

README.md - minimum!
● Project stack
● Project setup
● Detailed info about used patterns and solutions
● Known Issues
● How to get into staging?
● How to get into production?
● Deployments explained
● Default seeds

View Slide

Codebeat

View Slide

Stack / Gemfile (tip: keep them organized) #1
# rails
gem "rails", "~> 5.1.3"
# general gems
gem "aasm"
gem "activeadmin"
gem "acts-as-taggable-on"
gem "acts_as_list"
gem "dry-monads"
gem "jbuilder", "~> 2.5"
gem "pg", "~> 0.18"
gem "puma", "~> 3.7"
gem "rails-i18n", "~> 5.0.0"
gem "redis-namespace"
gem "rollbar"
gem "sidekiq"

View Slide

Stack / Gemfile #2
# authentication & authorization
gem "devise"
gem "devise_security_extension", git: "https://github.com/phatworx/devise_security_extension.git"
# => rubygems.org devise_security_extension 0.10.0 version does not support rails 5.1
# => raising undefined method "before_filter" error
gem "doorkeeper"
gem "pundit"
gem "rack-attack"
gem "rack-cors"

View Slide

Stack / Gemfile #3
# grape + jsonapi
gem "grape"
gem "grape-jsonapi-resources"
gem "grape-middleware-logger"
gem "grape-swagger"
gem "grape-swagger-rails"
gem "hashie-forbidden_attributes" # to make grape params validation work

View Slide

Stack / Gemfile #4
# 3rd parties - APIs and processing
gem "cloudinary"
gem "griddler"
gem "griddler-sendgrid"
gem "httpi" # picked as a connection wizard because already needed by savon
gem "nokogiri"
gem "recaptcha", require: "recaptcha/rails"
gem "savon", "~> 2"

View Slide

API - (almost) JSONAPI compliant (+ swagger)

View Slide

Endpoints Base
class API::V1::Users::Base < Core
namespace :users do
mount ChangePassword
mount Me
mount Register
route_param :id, type: Integer do
before { @user = User.find(params[:id]) }
mount Delete
mount Show
mount Update
end
end
# app/controllers/api/v1/users/base.rb

View Slide

Example Endpoint - just authorize and service call
class API::V1::Users::ChangePassword < Base
desc "Change user password using current one"
helpers Params
helpers API::V1::Helpers::JSONAPIParams
before { doorkeeper_authorize! }
params do
use :jsonapi_data_attributes,
required: [{ name: "current-password", type: String, desc: "Current user password" }],
use: [{ predefined: :_password_confirmable }]
end
patch "change-password" do
authorize current_user, :change_password?
assure_rightness ::UserServices::ChangePasswordUsingCurrent.call(current_user, jsonapi_attributes(params))
end
end
# app/controllers/api/v1/users/change_password.rb

View Slide

ApplicationService
class UserServices::Register < ApplicationServiceInTransaction
def call(attributes)
Right(attributes)
.bind(method(:ensure_agreements))
.bind { |attrs| ::GeneralServices::InjectModelIdsFromListInAttributes.call(attrs, :city) }
.bind(method(:create_user))
end
private
def ensure_agreements(attributes)
return Right(attributes) if required_agreements?(attributes)
Left(I18n.t("user.registration.no_required_agreements"))
end
(...)
end
end
# app/services/user_services/register.rb

View Slide

Models without logic and before/after actions
class Message < ApplicationRecord
belongs_to :author, class_name: "User", optional: true
belongs_to :conversation
has_many :activity_records, as: :trackable
validates :content, presence: true
end

View Slide

dry-monads http://dry-rb.org/gems/dry-monads/
Result
The Result monad is useful to express a series of computations that might
return an error object with additional information.
The Result mixin has two type constructors: Success and Failure. The Success
can be thought of as “everything went success” and the Failure is used when
“something has gone wrong”. // http://dry-rb.org/gems/dry-monads/result/

View Slide

Why handle services using Either/Success monad
● .succcess? and .failure? work the same for every service,
● chainability,
● universal error handling - the same interface for all services
● ApplicationServiceInTransaction,
● extract logic into shared pieces

View Slide

Integrations aka 3rd parties
● KENEXA - WSDL/SOAP requests - recruitment cloud software, poorly
documented, a lot of pain
● Sendgrid Inbound Parse - handling incoming emails
● Cloudinary - assets images/videos

View Slide

What could be done better?
● JSONAPI - jsonapi-resources creates links that are not correct

View Slide

Security Audit

View Slide

https://securityheaders.io

View Slide

Secure headers https://github.com/twitter/secureheaders
SecureHeaders::Configuration.default do |config|
# CSP stands for Content Security Policy
config.csp = {
base_uri: %w('self'), block_all_mixed_content: true, child_src: %w('self'), connect_src: [],
default_src: %w('self'), font_src: %w('self' data:), form_action: %w('self'), frame_ancestors: [],
img_src: %w('self'), manifest_src: %w('self'), media_src: [], object_src: %w('self'), plugin_types: [],
report_uri: [], sandbox: false, script_src: %w('self'), style_src: %w('self' 'unsafe-inline'),
upgrade_insecure_requests: false, worker_src: %w('self'),
}
config.referrer_policy = %w(no-referrer-when-downgrade)
end
# config/initializers/secure_headers.rb

View Slide

Questions / Thanks!

View Slide

Delivering backend - Case study

Delivering backend - Case study

Michał Poczwardowski

More Decks by Michał Poczwardowski

Other Decks in Programming

Featured

Transcript