4.9 KiB
4.9 KiB
Backend Quality Checklist
API Endpoint Quality
RESTful Design
- Resource-Based URLs - Nouns not verbs (/users not /getUsers)
- HTTP Methods - GET, POST, PATCH, DELETE used correctly
- Status Codes - Appropriate status codes (200, 201, 400, 401, 404, 500)
- Idempotency - PUT and DELETE are idempotent
- Versioning - API versioned (e.g., /api/v1/)
Request Handling
- Input Validation - All inputs validated (Zod, Joi, class-validator)
- Type Safety - TypeScript types for request/response
- Query Parameters - Pagination, filtering, sorting supported
- Request Size Limits - Body size limited (express.json limit)
- Rate Limiting - Rate limits applied per route
Response Formatting
- Consistent Format - Standardized response structure
- Error Responses - Consistent error format with details
- Pagination - Cursor or offset pagination with metadata
- Field Filtering - Ability to select fields if needed
- Timestamps - ISO 8601 format timestamps
Authentication & Authorization
- Authentication - JWT, OAuth, or session-based implemented
- Token Expiration - Access tokens expire (15-60 minutes)
- Refresh Tokens - Refresh token strategy implemented
- Password Hashing - bcrypt or argon2 with proper rounds
- Authorization Middleware - Role-based checks on protected routes
- CORS - Properly configured CORS headers
- Rate Limiting - Stricter limits on auth endpoints
Database Operations
- ORM Usage - Prisma, TypeORM, or similar ORM used
- Parameterized Queries - No raw SQL with string concatenation
- Transactions - Multi-step operations use transactions
- Connection Pooling - Connection pool configured
- Indexes - Indexes on frequently queried fields
- N+1 Prevention - No N+1 query problems
- Pagination - Large datasets paginated
Error Handling
- Global Error Handler - Centralized error handling middleware
- Custom Error Classes - Typed error classes for different errors
- Error Logging - Errors logged with context
- Error Responses - User-friendly error messages
- Stack Traces - Stack traces in development, hidden in production
- Unhandled Rejections - Process handlers for unhandled promises
Security
- Helmet.js - Security headers configured
- SQL Injection - Protected via parameterized queries
- XSS Prevention - Input sanitization
- CSRF Protection - CSRF tokens or SameSite cookies
- Secrets Management - Environment variables, no hardcoded secrets
- Dependency Scanning - npm audit or Snyk in CI
- HTTPS Only - Redirect HTTP to HTTPS in production
- Input Sanitization - All user inputs sanitized
Performance
- Response Time - < 200ms for p95
- Caching - Redis caching for frequently accessed data
- Database Optimization - Queries optimized with EXPLAIN
- Compression - Response compression enabled
- Connection Reuse - HTTP keep-alive enabled
- Background Jobs - Long-running tasks in queue (Bull, BullMQ)
Testing
- Unit Tests - Business logic covered (>85%)
- Integration Tests - API endpoints tested (Supertest)
- Database Tests - Database operations tested
- Authentication Tests - Auth flows tested
- Error Cases - Error scenarios tested
- CI Integration - Tests run on every commit
TypeScript Quality
- Strict Mode - TypeScript strict mode enabled
- DTO Types - DTOs typed with Zod or class-validator
- Service Interfaces - Services have TypeScript interfaces
- No Any - No
anytypes (useunknown) - Type Guards - Type guards for runtime type checking
Logging & Monitoring
- Structured Logging - JSON logs with correlation IDs
- Log Levels - Appropriate log levels (error, warn, info, debug)
- Error Tracking - Sentry or similar integrated
- Performance Monitoring - APM tool integrated
- Health Checks - /health endpoint implemented
- Metrics - Prometheus or similar metrics
API Documentation
- OpenAPI/Swagger - API documented with OpenAPI spec
- Example Requests - Example requests in documentation
- Authentication - Auth requirements documented
- Error Codes - All error codes documented
- Rate Limits - Rate limits documented
Code Quality
- Separation of Concerns - Controller, Service, Repository layers
- DRY Principle - No code duplication
- Function Size - Functions under 50 lines
- Dependency Injection - Dependencies injected, not hardcoded
- Configuration - Environment-based configuration
Quality Rating: ⭐⭐⭐⭐⭐
Ready for Production: [ ] Yes [ ] No