For 15 years in development, I managed to take part in the creation of a large number of various projects. I have already made a number of talks on the working architecture of Web applications, but this is only part of the efficient development puzzle. We will consider the whole process from the start of the project to its launch in production. I’ll tell you how we approach the ideas of the “12 Factor App”, how we use the docker, discuss environment deployment issues, security issues, testing issues, discuss the nuances of SDLC and much more.
2. Viktor Turskyi
● CEO and principal software architect
at WebbyLab
● Open source developer
● More than 15 years of experience
● Delivered more than 60 projects of
different scale
● Did projects for 5 companies from
Fortune 500 list
3. How to make development more effective?
Simple mental model for:
● Solution architecture
● Application architecture (https://www.youtube.com/watch?v=TjvIEgBCxZo)
● Development process
● Deployment process
Solved most of the standard edge cases in starter-kit:
● Folders structure
● Configs
● Sessions
● Error handling
● Transactions
● Dependencies management (including 3rd party services)
● Tests etc
6. Engineering productivity group
● Define standard technology stack
● Define standard architecture
● Define the most effective software development approaches
● Define the most effective deployment strategies
● Define the most effective way of production support
● Internal trainings
11. "If you cannot build a monolith what makes you think that you
can build Distributed Microservices"
Simon Brown
12. Microservices drawbacks
● High operational complexity (increases costs)
● Versions compatibility issues (harder to track all dependencies in consistent
state, reduces iterations speed)
● Extremely hard to support transactions (risks of inconsistencies)
● Distribution issues (harder to program)
● Traceability issues (harder to debug)
● Technology diversity (mixing languages increases support costs,
standardization issues, hiring issues etc)
● You need more experienced team (hiring issues)
15. Robert Martin:
“The job of architect is not to make decision, the job of
the architect is to defer decisions as long as possible”
“Good architecture maximizes number of decisions not
made”
https://www.youtube.com/watch?v=o_TH-Y78tt4
16. Martin Fowler:
● But when your components are services with remote communications, then
refactoring is much harder than with in-process libraries.
● Another issue is If the components do not compose cleanly, then all you are
doing is shifting complexity from inside a component to the connections
between components. Not just does this just move complexity around, it
moves it to a place that's less explicit and harder to control.
https://martinfowler.com/bliki/MonolithFirst.html
31. Fat Stupid Ugly Controllers
“The M in MVC: Why Models are Misunderstood and Unappreciated” Pádraic
Brady
http://blog.astrumfutura.com/2008/12/the-m-in-mvc-why-models-are-misunderstoo
d-and-unappreciated/
33. Model (from MVC)/Domain Logic
● Domain model
● Transaction script
● Table module
● Service layer
34. Domain model
An object model of the domain that incorporates both
behavior and data. (M. Fowler)
Works well for medium and large applications
35. Transaction script
Organizes business logic by procedures where each
procedure handles a single request from the presentation (M.
Fowler).
Works well for small projects
43. The way of thinking about Controllers
● Extremely thin layer
● Protects underneath layers from everything related to HTTP
● If you change JSON to XML (or even CLI), only controllers should be rewritten
47. “run” method
Template method in base class
Guarantees that all procedures are kept:
● Data was validated
● “execute” will be called only after validation
● “execute” will receive only clean data
● Checks permissions before calling “execute”
● Throws exception in case of validation errors.
Can do extra work like caching validator objects, etc.
48. The way of thinking about Services
● Belongs to Model layer of MVC
● Contains application logic
● Does not trust any incoming params
● You should keep thin if possible
● Knows nothing about controllers/transport/UI.
● Use cases based API
● Knows about context (what user asks for data)
● Knows when and how to notify user (emails etc)
● Does coordination and security
● Coarse grained API (well suited for remote invocation)
49. Never return objects directly
Whitelist every object
property:
1. You know what you return
(that no internal/secret
data there)
2. Your API is stable
50. Unified approach to validation
● DO NOT TRUST ANY USER INPUT! NEVER!!!
● Declarative validation
● Exclude all fields that do not have validation rules described
● Returns understandable error codes (neither error messages nor numeric
codes)
● It should be clear for the service user what is wrong with his data
51. It should be clear where any code should be! Otherwise you do not architecture.
One of the risks, than you can end up with an “Anemic domain model”
(https://www.martinfowler.com/bliki/AnemicDomainModel.html)
If you have a large project, this can be a reason of project failure as you will
implicitly switch to “transaction script” approach which is not well suited for large
applications.
Be aware of “Anemic domain model” antipattern
53. The way of thinking about Domain Model
● Belongs to Model layer of MVC
● The core part of your application
● You have almost all of your business logic here (not only database access)!!!
● Knows nothing about service layer and upper layers
● Responsible for data storing and data integrity
● Fine grained API (not suited for remote invocation)
60. Transactions with CLS (continuation local storage)
Continuation-local storage works like thread-local storage in threaded
programming, but is based on chains of Node-style callbacks instead of threads.
https://www.npmjs.com/package/cls-hooked
77. Questions
● How do new developers setup working environment?
● How to work with S3 (we do not use localstack)?
● How to work with emails?
● How to run the whole platform?
● How to do migrations?
● How to work with cron?
● Do I need pm2?
● How to build frontend in docker?
81. Questions to solve
Classical sessions or JWT?
Which type of transport to use (Cookie, Query params, Custom headers)?
How to refresh JWT?
CSRF protection?
CORS issues?
How to implement “Force logout”?
Sensitive information
82. Useful links
MonolithFirst by Martin Fowler
Microservice Trade-Offs by Martin Fowler
PresentationDomainDataLayering by Martin Fowler
The Principles of Clean Architecture by Uncle Bob Martin
The Clean Architecture by Robert Martin
Microservice Architecture at Medium
https://12factor.net/
83. NodeJs Starter Kit
● Based on ideas of Clean Architecture
● Works with small and large projects
● Follows 12 factor app approach
● Modern JS (including ES6 for Sequelize)
● Supports both REST API and GraphQL
● Follows security best practices.
● Docker support
● Covered with tests
● Battle tested
● Built on top of express.js
● Users management