roadmap.sh’s Post

Want to level up from simple CRUD projects? Build a secure RESTful To-Do List API that lets users create, update, and track their tasks with authentication.

New Feature Drop: GraphQL Mock Server For months, the need for a "GraphQL Mock Server" was the single most requested feature from our clients. The core issue: generic mocks can't keep pace with complex GraphQL schema and scenarios, leading to fragile client tests and slowing development. Our team took that feedback and engineered a solution for true parallel development - GraphQL Mock Servers, now one of the core features of our platform. What's inside: • Intelligent, Reliable Data: No more static JSON. AI-powered mocking analyzes your schema to generate realistic, contextual data that strictly honors Non-Null and List constraints. • Instant Contract-First Development: Simply upload your SDL or use live introspection to immediately provision a hosted, working endpoint. • Full Testing Coverage: Test every scenario, from complex data fetching (Queries), state changes (Mutations), real-time streams (Subscriptions), and efficient network loading (Batch Queries). • Resilience Testing, on Demand: Use the powerful Rules Engine to proactively inject chaos. Force specific GraphQL errors, or HTTP status codes (403/500), or inject latencies to ensure that your client is robust. If you or your teams are currently blocked by an unfinished GraphQL backend, this feature is specifically engineered to solve that bottleneck.

I'm happy to share another 𝗦𝘆𝗻𝘁𝗮𝘅𝗶𝗹𝗶𝘁𝗬 𝗡𝗲𝘅𝘁 𝗔𝗽𝗽 𝗖𝗟𝗜 — 𝗧𝗵𝗲 𝗨𝗹𝘁𝗶𝗺𝗮𝘁𝗲 𝗡𝗲𝘅𝘁.𝗷𝘀 𝗦𝘁𝗮𝗿𝘁𝗲𝗿 𝗳𝗼𝗿 𝗠𝗼𝗱𝗲𝗿𝗻 𝗦𝗮𝗮𝗦 & 𝗔𝗜 𝗣𝗹𝗮𝘁𝗳𝗼𝗿𝗺𝘀 project I recently worked for the developers. The 𝗦𝘆𝗻𝘁𝗮𝘅𝗶𝗹𝗶𝘁𝗬 𝗡𝗲𝘅𝘁 𝗔𝗽𝗽 𝗖𝗟𝗜 empowers developers to bootstrap scalable, production-ready Next.js 14+ applications in seconds using: 𝙣𝙥𝙭 𝙘𝙧𝙚𝙖𝙩𝙚-𝙨𝙮𝙣𝙩𝙖𝙭𝙞𝙡𝙞𝙩𝙮-𝙣𝙚𝙭𝙩-𝙖𝙥𝙥@𝙡𝙖𝙩𝙚𝙨𝙩 This CLI generates a feature rich, enterprise-grade architecture with authentication, theming, database ORM, API utilities, and state management all preconfigured and ready for immediate development. It’s designed to eliminate repetitive boilerplate setup so teams can focus on innovation, not initialization. 𝗞𝗲𝘆 𝗙𝗲𝗮𝘁𝘂𝗿𝗲𝘀: • Authentication: Built-in Clerk integration with OAuth, email, and social logins. • Theming System: Dark/light theme persistence powered by Skiper UI and HeroUI. • State Management: Lightweight global state management using Zustand with TypeScript support. • Database Ready: Integrated Prisma ORM setup for PostgreSQL, easily customizable for other databases. • API Framework: Unified API response handlers and data provider abstractions for UI integration. • Middleware + Proxy: Route protection, server proxy handling, and secure server-side communication. • Folder Architecture: Clean, modular structure designed for scalability and maintainability. • Environment System: .env preconfiguration for backend services, API keys, and AI integrations. 𝗢𝘃𝗲𝗿𝗰𝗼𝗺𝗶𝗻𝗴 𝗖𝗼𝗺𝗽𝗹𝗲𝘅𝗶𝘁𝗶𝗲𝘀: • Authentication and user management • UI theming and component libraries • ORM and database schema setup • State management wiring • Secure middleware and API routing 𝗚𝗶𝘁𝗛𝘂𝗯: https://lnkd.in/d9Fchc-T 𝗻𝗽𝗺: https://lnkd.in/dBxHPdde 𝗻𝗽𝘅: npx create-syntaxility-next-app@latest my-app

The source defines the structure of the video and explicitly lists the key concepts and evidence that must be included, all drawn from the project log: 1. The Debugging Focus: The most important part of the video is defined as the real-world debugging process. 2. The Initial Symptom: The script must mention that the application deployed, but the browser showed a generic error: "Error interacting with the database". 3. The Method: The script must explain that the real error was hidden and was found by going into AWS CloudWatch Logs. 4. The Root Cause: The central finding required for the video is the specific error: Error: Object of type Decimal is not JSON serializable. 5. The Fix: The script must show the one-line code fix: visit_count = int(visit_count). 6. The Final Proof: The script must conclude by showing the visit count going from 8 to 9 upon refreshing the page. Log Verification (Sources,,) All of these mandated points correspond precisely to Bug 3: Runtime Error (The "Decimal" Bug) and the subsequent successful resolution detailed in the project log: • The log confirms the problem: "The app deployed, but visiting the URL returned... 'Error interacting with the database.'". • The log confirms the debug method: "I went to the AWS Console and opened the CloudWatch Logs for my Lambda function.". • The log confirms the root cause: "The logs showed the real error: Error: Object of type Decimal is not JSON serializable.". • The log confirms the fix: "I edited my app.py file and added one line of code (visit_count = int(visit_count))". • The log confirms the success: "The browser returned... your 8 visit... I refreshed the page, and it returned: your 9 visit.".

🚀 Day 10 of #30 days of Backend: Authentication, Roles & Security Layers Today’s sprint was all about access control — locking down the FastPay API so users and admins have clearly defined privileges. After completing database design, payment seeding, and performance optimization earlier, it was time to give the system real-world structure: users, roles, permissions, and secure authentication. 🧩 Here’s what was built: ✅ 1. Users Table (with Roles) A robust users table tied to the roles table via role_id was designed Each user automatically gets a role — “User” by default — ensuring clean access segregation from day one. ✅ 2. Secure Password Storage Before saving passwords, bcrypt hashing was implemented to ensure credentials are never stored in plain text. Security-first thinking: no shortcuts, no leaks. ✅ 3. JWT-Based Authentication System A full signup + login flow was built using jsonwebtoken. Each authenticated user gets a signed token for 7 days — lightweight, stateless, and production-ready. ✅ 4. Admin-Only Access Layer To avoid the risk of random users signing up as admins, a protected route was created: POST /api/auth/admin/create — accessible only to existing admins verified via middleware. ✅ 5. Auth Middleware A dedicated middleware now handles: Token validation (verifyToken) Role-based access control (requireAdmin) Every protected route now checks for who you are, not just what you send. ✅ 6. Clean Routing Architecture Refactored everything into separate controllers and routes to keep the codebase clean: /api/auth → Auth endpoints /api/payments → Payment services /api/system → System endpoints /api-docs → Swagger documentation . 🔒 Key Lesson: Authentication isn’t just about logging users in, it’s about building trust boundaries in your system. A secure API is one that knows who’s allowed to do what. 🧠 Tech Stack Recap Node.js + Express PostgreSQL + Knex.js JWT for authentication bcrypt for password hashing Redis for rate-limiting Swagger for documentation 📈 Each day, this project gets more production-ready. By the end of this sprint, FastPay won’t just be a backend project — it’ll be a secure, and scalable payment API.

🚀 Top 5 common ways to improve API performance every backend developer should know! 📄 𝟏. 𝐏𝐚𝐠𝐢𝐧𝐚𝐭𝐢𝐨𝐧 - When your API returns large datasets (e.g., list of users, products, or orders), sending everything at once is slow and memory-heavy. Pagination splits results into smaller chunks (pages). Example: • 𝙶𝙴𝚃 /𝚞𝚜𝚎𝚛𝚜?𝚙𝚊𝚐𝚎=𝟸&𝚕𝚒𝚖𝚒𝚝=𝟸𝟶 🛢️ 𝟐. 𝐂𝐚𝐜𝐡𝐢𝐧𝐠 - Frequently accessed data can be stored in a cache to speed up retrieval. Clients check the cache before querying the database, with data storage solutions like Redis offering faster access due to in-memory storage. 🗜️ 𝟑. 𝐏𝐚𝐲𝐥𝐨𝐚𝐝 𝐂𝐨𝐦𝐩𝐫𝐞𝐬𝐬𝐢𝐨𝐧 - Before sending a response, the server can compress the data using algorithms like GZIP, Brotli, etc. The client decompresses it automatically. Benefits: • Greatly reduces data transfer size (especially for JSON). • Improves speed over slow networks. • No change needed on client side — browsers or HTTP clients handle it. 🔗 𝟒. 𝐂𝐨𝐧𝐧𝐞𝐜𝐭𝐢𝐨𝐧 𝐏𝐨𝐨𝐥 - Each API request often needs to connect to a database or another service. Creating a new connection each time is expensive — it takes time and system resources. - Connection pooling reuses existing open connections instead of creating new ones for every request. Benefits: • Reduces connection overhead. • Reduces latency and improves throughput. • Prevents “too many connections” errors under load. ⚡ 𝟓. 𝐀𝐬𝐲𝐧𝐜𝐡𝐫𝐨𝐧𝐨𝐮𝐬 𝐋𝐨𝐠𝐠𝐢𝐧𝐠 - Normally, when your API handles a request, it might write logs (e.g., to a file or database). If this logging happens synchronously, the API waits for the log operation to finish before sending the response — which slows down performance. - Asynchronous logging makes the logging run in the background, so the request can finish faster. - This approach involves sending logs to a lock-free buffer and returning immediately, rather than dealing with the disk on every call. Logs are periodically flushed to the disk, significantly reducing I/O overhead. 👉 Over to you: 𝑾𝒉𝒂𝒕 𝒐𝒕𝒉𝒆𝒓 𝒘𝒂𝒚𝒔 𝒅𝒐 𝒚𝒐𝒖 𝒖𝒔𝒆 𝒕𝒐 𝒊𝒎𝒑𝒓𝒐𝒗𝒆 𝑨𝑷𝑰 𝒑𝒆𝒓𝒇𝒐𝒓𝒎𝒂𝒏𝒄𝒆? (Image Credit: - ByteByteGo)

𝙒𝙝𝙮 𝙈𝙤𝙨𝙩 “𝙁𝙖𝙨𝙩” 𝙎𝙮𝙨𝙩𝙚𝙢𝙨 𝘽𝙚𝙘𝙤𝙢𝙚 𝙎𝙡𝙤𝙬 𝙞𝙣 𝙋𝙧𝙤𝙙𝙪𝙘𝙩𝙞𝙤𝙣 Every developer has had that moment, the app runs perfectly in dev, but once it hits production, it starts crawling. Here’s what usually goes wrong 👇🏽 1️⃣ Your local setup hides latency. When everything runs on localhost, network latency is near zero. But in production, every API call, DB connection, or external service adds milliseconds and they add up. 2️⃣ Too many synchronous dependencies. Your backend waits for everything to finish in sequence, external APIs, file uploads, email services, etc. The fix? Offload heavy or slow tasks to background jobs. Use queues like RabbitMQ, Kafka, or BullMQ (for Node.js). 3️⃣ Chatty services. Microservices make sense until they start sending too many small requests to each other. Batch them, use caching, or merge endpoints to cut unnecessary round trips. 4️⃣ Logging in the wrong way. Developers love logs until they realize console.log can block event loops or flood I/O. Use async loggers or structured logging tools like Winston, Pino, or Serilog. 5️⃣ Database queries. That innocent .findAll() with no limit? It can destroy performance when the table hits millions of rows. Always paginate. Always index. Always measure query plans.

🗂️ Day 3: (Building in public: OpsFlow - Authorization - The Part Most Developers Get Wrong) Built the task management core today. Projects, tasks, members. Standard CRUD stuff. Except it's not. The Real Challenge: Not "can users create tasks?" but "can THIS user modify THIS specific task?" Here's where most apps fail: ❌ Authorization in middleware: `app.use('/tasks', verifyToken, taskRoutes)` Problem: Every task route needs different rules. Update = different from delete. ✅ Authorization in service layer: ```typescript async deleteTask(taskId: string, userId: string) {  const task = await Task.findById(taskId);  const project = await Project.findById(task.project);     // Resource-level check, not route-level  if (!project.hasAccess(userId)) {   throw new AuthorizationError();  }     // Action-level check  if (task.createdBy !== userId && !project.isOwner(userId)) {   throw new AuthorizationError("Only creator or owner can delete");  } } ``` Why this scales: 1. Business rules stay in one place 2. Can be tested independently 3. Flexible per-resource rules 4. Clear error messages The pattern I followed: • Project owners can do everything • Members can view + create tasks • Task creators can edit their tasks • Owners override all permissions Also added: • Pagination (page, limit, total) for list endpoints • Filtering (status, priority, assignee) • MongoDB indexes on query fields • Proper population of related data What I learned: Security isn't a feature you add. It's a constraint you design around from day one. Middleware is for "who are you?" Service layer is for "what can you do?" For juniors: Start with "deny by default" - explicitly allow what's needed, not the reverse. How do you handle resource-level authorization in your stack? #SoftwareArchitecture #Authorization #NodeJS #APIDesign #Security

𝐁𝐮𝐢𝐥𝐝𝐢𝐧𝐠 𝐚 𝐑𝐞𝐝𝐢𝐬 𝐂𝐥𝐢𝐞𝐧𝐭 𝐟𝐫𝐨𝐦 𝐒𝐜𝐫𝐚𝐭𝐜𝐡 𝐢𝐧 𝐆𝐨 About one and half year ago, I built redis-cli-lite as a simple learning project but it evolved into a week of deep dive journey to network protocols, concurrency, and system design. No GPTs. No “vibe coding.” Just pure Go and a lot of coffee. After being inactive for a while, I thought I’d finally share it with the community! Although it looks production-ready, I’ll admit there are more minimal alternatives out there. Still, this one was all about learning by doing. Technical Highlights Custom RESP Protocol Implementation • Built a complete Redis Serialization Protocol (RESP) parser/tokenizer from scratch • Implemented all RESP data types: Simple Strings, Errors, Integers, Bulk Strings, and Arrays • Leveraged Go 1.18+ generics for type-safe operations Advanced Concurrency & Performance • Channel-based connection pooling for concurrent operations • Automatic retry with graceful failure handling • Context-based monitoring for real-time pool health Security-First Design • Full TLS/SSL support with certificate validation • SAN (Subject Alternative Name) certificate implementation • Secure TCP connections for production-grade deployments Dual-Mode Architecture • CLI tool for quick ops: redis-cli-lite localhost 6379 • Embeddable Go library with a clean API • Layered design: cmd / client / api / serializer Production-Ready Features • TLS/SSL support • Comprehensive unit test coverage • Type-safe API (no string-based ops) • Pretty-print output & structured error handling Why It Matters This project wasn’t just about learning Go — it was about building real systems: implementing protocols, managing concurrency, and designing secure, maintainable architecture. If you’re looking for a lightweight, dependency-minimal Redis client in Go or just curious on how good/bad of a job this strange dude did, it might be worth checking out. 🔗 GitHub: https://lnkd.in/dyv3JH3b As library: ``` api, err := api.Initialize("localhost", 6379, 10, nil) if err != nil { panic(err) } resp, err := api.Ping() ``` As cli tool:

"without persistence, you can't simulate any operation that mutates data. And those operations are the ones with the highest probability of generating misalignment between API designers and stakeholders." https://lnkd.in/dPQSCcBg