Backend Guidelines

The document outlines various backend development guidelines at Squareboat including API validation requirements, logging practices, database backup and migration procedures, security best practices, coding standards, and restricted packages. Developers are instructed to implement features like CORS, API versioning, database normalization, and error handling. The guidelines also specify design patterns and principles to follow for code organization, file structure, and separation of concerns.

Uploaded by ramesh verma

Backend Development Guidelines @ Squareboat

Version 1 | Date 16th Jan 2023

Development Guidelines
All APIs have the relevant backend validations as needed
All APIs send a response within 2000ms
Sentry is installed and configured
.env.example and .env are in sync
The following files are not supposed to be committed:
.env
Firebase credentials
any sort of public or private key
The Postman collection has been pushed to the docs/ folder
No commented-out code is present in the codebase
All file uploads go to AWS S3 only (or an equivalent cloud service)
File uploads are not stored in a publicly accessible location
All images are compressed; deploy a serverless image compressor if needed
For queues, only AWS SQS (or an equivalent cloud service) should be used
Passwords are hashed only using the Bcrypt method
Avoid using UUID and only use ULID (applicable for projects starting in or after January 2023)
Basic SQL injection checks have been performed
Email notifications are mandatory for the following actions:
User’s account getting approved/unapproved
Password changed
Account being deleted
Payment confirmation
A nonce has been implemented for all APIs
OTPs should automatically expire after 10 minutes; Redis can be used for this.
When an OTP is resent, it should remain the same as the previous one for the next 10 minutes
Passwords should be a minimum of 6 characters
Password resets should not be possible via link, only via OTP
Throttling limits are defined, ideally 60 requests/minute
Keep JSON responses minified; use "includes" and transformers to serve the data whenever necessary
Avoid N+1 query problems at all cost
CORS has been enabled for the appropriate origins only
APIs are versioned (/api/v1 etc.)
Use the correct HTTP methods, and use nouns, not verbs
API responses must always be transformed to avoid directly exposing database fields
Auto-increment ids should not be visible
POST/PUT/PATCH data should always be sent as JSON, not as form data
Responses should always be JSON
Dates should always be served in the UTC timezone, in “DD-MM-YYYY” or “DD-MM-YYYY HH:mm:ss” format
Signup emails should not be from temporary email addresses or providers
The SES bounce email URL has been handled
No values should be hardcoded inside the codebase; everything should come from the configuration file
All strings and language resources should come from a lang file, and should not be hardcoded.

Logging Guidelines
Debug logging should be limited to local and staging environments only.
Third-party API and webhook interactions should always be logged (both request and response)
Errors should be logged appropriately
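The three logging items above, as an added example that is not Squareboat's code: a small structured logger whose debug level is active only in local and staging, which records both sides of every third-party API or webhook exchange, and which redacts credential-bearing fields before they reach the sink. The environment names, the APP_ENV variable and the list of redacted key names are assumptions, not taken from the checklist.

```javascript
// Added example, not Squareboat's code: environment-gated debug logging plus
// request/response logging of third-party calls with credentials redacted.
// APP_ENV, the env names and SECRET_KEYS are assumptions, not from the checklist.

const DEBUG_ENVS = new Set(['local', 'staging']);
// Key names whose values must never be written to a log line.
const SECRET_KEYS = /^(authorization|x-api-key|cookie|set-cookie|password|token|secret|client_secret|access_token)$/i;

// Replace secret-bearing values anywhere in a nested object or array; other values pass through.
function redact(value) {
  if (Array.isArray(value)) return value.map(redact);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SECRET_KEYS.test(k) ? '[REDACTED]' : redact(v);
    }
    return out;
  }
  return value;
}

class Logger {
  // sink: receives one structured entry; defaults to JSON lines on stdout.
  constructor({
    env = process.env.APP_ENV || 'production',
    sink = (entry) => console.log(JSON.stringify(entry)),
    now = () => new Date(),
  } = {}) {
    this.env = env;
    this.sink = sink;
    this.now = now;
  }

  emit(level, message, fields = {}) {
    const entry = { ts: this.now().toISOString(), level, env: this.env, message, ...redact(fields) };
    this.sink(entry);
    return entry;
  }

  // Debug entries are dropped outright outside local/staging (returns null when dropped).
  debug(message, fields) {
    return DEBUG_ENVS.has(this.env) ? this.emit('debug', message, fields) : null;
  }

  info(message, fields) { return this.emit('info', message, fields); }

  error(message, err, fields = {}) {
    const error = err ? { name: err.name, message: err.message, stack: err.stack } : undefined;
    return this.emit('error', message, { ...fields, error });
  }

  // One entry per third-party exchange, carrying both the request and the response.
  // direction: 'outbound' for calls we make, 'webhook' for calls made to us.
  thirdParty(direction, { method, url, headers, body, status, responseHeaders, responseBody, durationMs }) {
    return this.emit('info', `third_party_${direction}`, {
      method, url, status, durationMs,
      request: { headers, body },
      response: { headers: responseHeaders, body: responseBody },
    });
  }
}
```

Redacting by key name at the logger boundary, rather than at each call site, means a new integration cannot leak a bearer token by forgetting to strip it; the trade-off is that secrets carried under an unlisted key name still pass through, so the list is reviewed whenever a new provider is added.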

Database Guidelines
Databases are backed up every 24 hours
MySQL indexes have been added to all tables
Any change to the database schema should only be made via the appropriate migration tool; avoid manual ALTER TABLE commands at all cost.
Dates and timestamps should always be timezone-neutral and should always be stored in the UTC timezone
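The storage rule above (timestamps kept in UTC) and the serving rules in the Development Guidelines (responses transformed so database fields and auto-increment ids are not exposed, dates served in UTC as "DD-MM-YYYY" or "DD-MM-YYYY HH:mm:ss", the "includes" mechanism for optional relations) come together in a response transformer. The following is an added example and not Squareboat's code: the column names of the sample row (id, ulid, password_hash, remember_token, profile) and the ULID value are constructed, and the date formatting uses only the built-in Date API because moment is on the restricted list.

```javascript
// Added example, not Squareboat's code: an allow-list response transformer that hides
// the auto-increment id and internal columns, exposes the ULID as the public identifier,
// and serves stored-in-UTC timestamps as DD-MM-YYYY HH:mm:ss without moment.
// Column names and the sample row below are constructed for illustration.

const pad2 = (n) => String(n).padStart(2, '0');

// Format as "DD-MM-YYYY HH:mm:ss" (or "DD-MM-YYYY" with dateOnly) in UTC. Accepts a Date
// or anything Date can parse; an offset in the input is converted, never dropped.
function formatUtc(input, { dateOnly = false } = {}) {
  const d = input instanceof Date ? input : new Date(input);
  if (Number.isNaN(d.getTime())) throw new TypeError(`invalid date: ${input}`);
  const day = `${pad2(d.getUTCDate())}-${pad2(d.getUTCMonth() + 1)}-${d.getUTCFullYear()}`;
  if (dateOnly) return day;
  return `${day} ${pad2(d.getUTCHours())}:${pad2(d.getUTCMinutes())}:${pad2(d.getUTCSeconds())}`;
}

// Allow-list transformer: only the fields named here leave the service, so a column
// added to the table later is private by default rather than exposed by default.
function transformUser(row, { include = [] } = {}) {
  const out = {
    id: row.ulid,                          // public identifier is the ULID, never row.id
    name: row.name,
    email: row.email,
    created_at: formatUtc(row.created_at), // stored in UTC, served in UTC
  };
  // "includes": a relation is serialised only when the caller asked for it, and it is
  // transformed too, so its internal fields are not exposed either.
  if (include.includes('profile') && row.profile) {
    out.profile = { bio: row.profile.bio };
  }
  return out;
}

// Constructed sample row, shaped like what a MySQL driver returns for a users table.
const SAMPLE_ROW = {
  id: 42,                                          // auto-increment id, must stay internal
  ulid: '01GQ3X6Y6X2S8C9ZJ3M7Q5K0AB',              // constructed, not a real record
  name: 'Asha',
  email: 'asha@example.com',
  password_hash: '$2b$12$constructed-not-a-real-hash',
  remember_token: 'constructed-token',
  created_at: new Date(Date.UTC(2023, 0, 16, 9, 5, 7)),
  profile: { bio: 'hello', internal_score: 0.9 },
};
```

Reading the row's own keys and deleting the sensitive ones would be the opposite design (deny-list) and is the usual way a freshly added column ends up in a response; the allow-list above fails closed.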

Essential Development Practices

For all database operations, use only the Repository design pattern
No business logic should be written inside the controller; move the business logic to a service class
No function or method should be longer than 20 lines of code
No file should be longer than 100 lines of code
All files should be formatted before committing
Prefer putting bigger pieces of logic into a Task class
Code should strictly follow the SoC (Separation of Concerns) principle
In the case of NodeJS, one thread should only be listening to one type of event: either HTTP, cron or queue worker

Restricted Packages
The following packages are not allowed to be used:
moment
querystring
Any package that does not have more than 100 stars and was last updated 5 months or more ago is not supposed to be used.

Coding and Designing Guidelines

For API design, have a look at GitHub - squareboat/api-guidelines: Squareboat's best practices for writing REST APIs.
For projects using TypeScript, we follow the Google TypeScript Style Guide
For projects using Laravel, we recommend using PSR-2: Coding Style Guide - PHP-FIG
