BFTW: The Backend

BUILDING FOR THE WEB

http://bit.ly/bftw-day2-qna

JOSÉ PADILLA

WSH & VBSCRIPT

PHP & MYSQL HTML & JAVASCRIPT

HACKER

ENTREPRENEUR

CO-FOUNDER AT BLIMP

jpadilla.com

THE BACKEND

MAKING DEVELOPERS HAPPIER, MORE PRODUCTIVE AND MORE EFFICIENT

“We allow teams to function as independently as possible. Developers
are like artists; they produce their best work if they have the freedom to do so, but they need good tools.” Werner Vogels, CTO at Amazon

TOPICS PATTERNS • HTTP • HTTPS AJAX • WEBSOCKETS •
DATABASES CACHING • ANALYTICS • SECURITY ARCH • APIS • LIVE CODE

WAYS TO WRITE WEB APPS

MONOLITHIC PATTERN

BUILDING A SINGLE COUPLED PROJECT

SERVICE PATTERN

BUILDING VARIOUS SMALL INDEPENDENT WEB SERVICES

HYPERTEXT TRANSFER PROTOCOL

HTTP is simple

1) The client sends a request

GET /v1/cars HTTP/1.1 Host: api.example.com Accept: application/json User-Agent: Mozilla/5.0 (Macintosh)

HTTP METHODS

GET /v1/cars HTTP/1.1

Retrieve the resource from the server

Create a resource on the server

Update the resource on the server

DELETE

Delete the resource from the server

GET /v1/cars HTTP/1.1

Identifies the resource the client wants

REQUEST HEADERS

Host: api.example.com Accept: application/json User-Agent: Mozilla/5.0 (Macintosh)

2) The server returns a response

HTTP/1.1 200 OK Date: Tue, 12 Aug 2014 09:00:00 GMT
Server: ngnix Content-Type: application/json { "message": "Hello World" }

HTTP/1.1 200 OK

STATUS CODES

HTTP/1.1 200 OK

INFORMATIONAL - 1XX 100 Continue 101 Switching Protocols

SUCCESSFUL - 2XX 200 OK 201 Created 202 Accepted 204
No Content

REDIRECTION - 3XX 301 Moved Permanently 302 Found 304 Not
Modified

CLIENT ERROR - 4XX 400 Bad Request 401 Unauthorized 403
Forbidden 404 Not Found 405 Method Not Allowed

SERVER ERROR - 5XX 500 Internal Server Error 502 Bad
Gateway 503 Service Unavailable

RESPONSE HEADERS

Date: Tue, 12 Aug 2014 09:00:00 GMT Server: ngnix Content-Type:
application/json

RESPONSE BODY

{ "message": "Hello World" }

REQUEST + RESPONSES = HTTP

Hypertext Transfer Protocol Secure

Used for secure communication

HTTP + SSL/TLS

Privacy

Data integrity

When to use HTTPS?

Credit card details? Use HTTPS

Users/Passwords? Use HTTPS

USE HTTPS. ALWAYS.

WARNING

HTTPS is not a security silver bullet

Price: $10+ RapidSSL, StartSSL, Thawte...

ssllabs.com

Redirect HTTP to HTTPS

DATABASES CACHING • ANALYTICS • SECURITY ARCH • APIS • CODE EXAMPLE

JavaScript

XMLHttpRequest

Asynchronous JavaScript and XML

SERVER

GET /v1/cars HTTP/1.1 Host: api.example.com Accept: application/json User-Agent: Mozilla/5.0 (Macintosh)
X-Requested-With: XMLHttpRequest

X-Requested-With: XMLHttpRequest

GET ws://websocket.example.com/ HTTP/1.1 Origin: http://example.com Connection: Upgrade Host: websocket.example.com Upgrade:
websocket

HTTP/1.1 101 WebSocket Protocol Handshake Date: Wed, 16 Oct 2013
10:07:34 GMT Connection: Upgrade Upgrade: WebSocket

USE CASES

Real-time data/feeds

Instant messaging and chat

Collaborative editing

Multiplayer games

SQL DATABASES

NOSQL DATABASES

HOW TO CHOOSE?

HOW I CHOSE?

BREAK!

try finding the Monthly Report in the cache if the
data is in the cache: return the cached Monthly Report else: execute complex and time-consuming queries save the generated Monthly Report return the cached Monthly Report

WHEN TO IMPLEMENT CACHING?

MEMCACHED

STATSD

NEW RELIC

LOGGLY

DON'T REINVENT THE WHEEL

UNFILTERED INPUT, UNESCAPED OUTPUT

CROSS-SITE SCRIPTING (XSS)

SQL INJECTION

CROSS-SITE REQUEST FORGERY (CSRF)

DON'T STORE PASSWORDS IN PLAIN TEXT

DON'T EMAIL A USER'S PASSWORD

HASH PASSWORDS WITH PBKDF2

THE TWELVE- FACTOR APP

DECLARATIVE

MAXIMUM PORTABILITY

DEPLOY TO CLOUD

DEV/PROD PARITY

SCALABLE

<?xml version="1.0"?> <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"> <soap:Header> </soap:Header> <soap:Body> <m:GetStockPrice xmlns:m="http://www.example.org/stock"> <m:StockName>IBM</m:StockName>
</m:GetStockPrice> </soap:Body> </soap:Envelope>

REPRESENTATIONAL STATE TRANSFER

RESOURCE-BASED

Verbs (Don't) POST /GetSongs HTTP/1.1

Nouns (Do) GET /songs HTTP/1.1

REPRESENTATIONS

{ "id": 1, "name": "Pretty When You Cry", "album": 1,
"favorite": false }

<song> <id>1</id> <name>Pretty When You Cry</name> <album>1</album> <favorite>false</favorite> </song>

STATELESS

UNIFORM INTERFACE

API = DEV'S UI

USE RESTFUL URLS AND ACTIONS

GET /songs HTTP/1.1 Accept: application/json HTTP/1.1 200 OK Content-Type: application/json
[{ "id": 1, "name": "Pretty When You Cry" }, { "id": 1, "name": "Money Power Glory" }]

GET /songs/1 HTTP/1.1 Accept: application/json HTTP/1.1 200 OK Content-Type: application/json
{ "id": 1, "name": "Pretty When You Cry" }

POST /songs HTTP/1.1 Accept: application/json { "name": "West Coast" }
HTTP/1.1 201 CREATED Content-Type: application/json { "id": 3, "name": "West Coast" }

PUT /songs/3 HTTP/1.1 Accept: application/json { "name": "West Coast (Updated)"
} HTTP/1.1 200 OK Content-Type: application/json { "id": 3, "name": "West Coast (Updated)" }

DELETE /songs/3 HTTP/1.1 Accept: application/json HTTP/1.1 204 NO CONTENT Content-Type:
application/json

USE SSL. ALWAYS.

VERSIONING

GET /v1/songs

FILTERING, SORTING & SEARCHING

GET /songs?sort=-name GET /songs?favorite=true GET /songs?q=ritmo

ALLOW LIMITING FIELDS

GET /songs?fields=id,name

USE JSON

PAGINATION

UPDATES/CREATE SHOULD RETURN REPRESENTATION

CONSUMABLE ERROR PAYLOAD

{ "errors": { "email": "Email is required.", "password": "Password is
required." } }

AUTHENTICATION

COOKIE-BASED

TOKEN-BASED

EFFECTIVELY USE HTTTP STATUS CODES

CHECK OUT JSONAPI.ORG

LANGUAGES & FRAMEWORKS

NODE.JS EXPRESS SAILS.JS METEOR

RUBY SINATRA RUBY ON RAILS

GO REVEL MARTINI

PYTHON DJANGO FLASK

BFTW: The Backend

BFTW: The Backend

More Decks by José Padilla

Other Decks in Technology

Featured

Transcript