API for Asset CRUD Operations and Authentication Middleware #14
Good job with the readme, very descriptive 👍
```go
	"github.com/dgrijalva/jwt-go"
)

func extractAssetIDFromPath(r *http.Request) string {
```
I can't find where this method is being used
```go
var JwtKey = []byte(os.Getenv("SECRET_KEY"))

type Claims struct {
```
What approach would you choose to avoid including JWT definitions and processes in the repository layer?
I would have used a service layer approach so I could adhere to the single responsibility principle. This pattern, utilized in many frameworks, including NestJS which I am familiar with, enforces good design practices.
- All JWT-related operations would have been moved to a separate file.
- A new file containing a service would have been responsible for handling the business logic.
- I would have retained the `store/store.go`, which in my case represents the repository layer, for database-related operations only.
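To make that split concrete, here is an added example in Go (not code from this PR or from its author): an auth layer that owns the `Claims` type and token verification, a middleware that is the only consumer of it, a repository interface that never sees a token, and a handler that reads the verified identity from the request context. It verifies HS256 tokens with the standard library (`crypto/hmac`) rather than `dgrijalva/jwt-go`, which is archived (its maintained successor is `github.com/golang-jwt/jwt`), and it refuses a key shorter than 32 bytes, because the `[]byte(os.Getenv("SECRET_KEY"))` shown in the review context evaluates to an empty key when the variable is unset. `Verifier`, `RequireAuth`, `AssetStore`, `memStore` and `AssetAPI` are names chosen for the example, not names from the repository.

```go
package main

import (
	"context"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"strings"
	"time"
)

// Claims is what the auth layer hands to handlers after verification.
type Claims struct {
	Sub string `json:"sub"` // user id
	Exp int64  `json:"exp"` // unix expiry
}

// Verifier is the auth layer: the only code that knows how tokens are encoded.
type Verifier struct{ key []byte }

// NewVerifier rejects short keys: a bare []byte(os.Getenv("SECRET_KEY"))
// silently yields an empty key when the variable is unset.
func NewVerifier(key []byte) (*Verifier, error) {
	if len(key) < 32 {
		return nil, errors.New("jwt key must be at least 32 bytes")
	}
	return &Verifier{key: key}, nil
}

func (v *Verifier) mac(signingInput string) string {
	m := hmac.New(sha256.New, v.key)
	m.Write([]byte(signingInput))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// Issue builds header.payload.signature with the algorithm pinned to HS256.
func (v *Verifier) Issue(c Claims) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, _ := json.Marshal(c)
	in := hdr + "." + base64.RawURLEncoding.EncodeToString(body)
	return in + "." + v.mac(in)
}

var errInvalidToken = errors.New("invalid token") // one error for every failure mode

// Verify checks the algorithm, the signature (constant time) and the expiry.
func (v *Verifier) Verify(tok string, now time.Time) (Claims, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return Claims{}, errInvalidToken
	}
	rawHdr, err := base64.RawURLEncoding.DecodeString(p[0])
	var hdr struct{ Alg string `json:"alg"` }
	if err != nil || json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "HS256" {
		return Claims{}, errInvalidToken
	}
	if !hmac.Equal([]byte(v.mac(p[0]+"."+p[1])), []byte(p[2])) {
		return Claims{}, errInvalidToken
	}
	rawBody, err := base64.RawURLEncoding.DecodeString(p[1])
	var c Claims
	if err != nil || json.Unmarshal(rawBody, &c) != nil || c.Sub == "" || now.Unix() >= c.Exp {
		return Claims{}, errInvalidToken
	}
	return c, nil
}

type ctxKey struct{}

// RequireAuth is the middleware, the only place handlers meet the Verifier.
func RequireAuth(v *Verifier, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		c, err := v.Verify(tok, time.Now())
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, c)))
	})
}

// AssetStore is the repository layer (what store/store.go would satisfy) and
// memStore a constructed in-memory stand-in for it; neither ever sees a token.
type AssetStore interface{ ListForUser(userID string) []string }
type memStore map[string][]string

func (m memStore) ListForUser(userID string) []string { return m[userID] }

// AssetHandler joins the identity the middleware put in the context with the store.
func AssetHandler(s AssetStore) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, _ := r.Context().Value(ctxKey{}).(Claims)
		json.NewEncoder(w).Encode(s.ListForUser(c.Sub))
	})
}

// AssetAPI wires the layers together; it is the only place they meet.
func AssetAPI(v *Verifier, s AssetStore) http.Handler {
	return RequireAuth(v, AssetHandler(s))
}
```

Because the handler only ever reads a `Claims` value from the context, `store/store.go` and the handlers have no reason to import a JWT package at all; swapping the token format or library touches `Verifier` alone. Every verification failure returns the same error on purpose, so a client cannot distinguish a bad signature from an expired token.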
Hello @petpalioudakis 👋
Hello @NikosMas, first of all, I would like to thank you for taking the time to review my code. I have to admit that I am not very familiar with Go. Due to my busy schedule, I implemented patterns based on my knowledge of other programming languages in the limited time I had available. I will try to answer the questions you asked me in order.

1. Regarding your assumption of not applying ownership verifications on the CRUD operations:

   What are your thoughts on this assumption? This assumption was made to simplify the implementation for the initial assignment. By assuming all users have administrative privileges, it allowed for a straightforward demonstration of basic CRUD operations without incorporating complex authorization logic.

   What would you do if you had to remove this assumption? If ownership verification had to be implemented, the following steps would be taken:

2. Why didn't you choose a NoSQL database, such as MongoDB?
3. I see you used one table for assets and favorites: How would you handle the assets entity if you had to split it from the favorites one? To separate the assets and favorites, I would:
Here is a schema example:

```sql
CREATE TABLE assets (
  id SERIAL PRIMARY KEY,
  type VARCHAR(50) NOT NULL,
  description TEXT NOT NULL,
  data TEXT NOT NULL
);

CREATE TABLE favorites (
  id SERIAL PRIMARY KEY,
  user_id INT NOT NULL,
  asset_id INT NOT NULL,
  FOREIGN KEY (user_id) REFERENCES users(id),
  FOREIGN KEY (asset_id) REFERENCES assets(id)
);
```

Advantages:
Scalability Considerations:
4. Regarding the error handling: Is there anything that you would do to avoid SQL errors like this one reaching the API response? To improve error handling and prevent SQL errors from propagating to the API response:
5. If you had to add tests, which part of your implementation would you choose to test first? Priority Areas for Testing:
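For points 4 and 5, here is an added example in Go (not code from this PR or from its author) of keeping SQL errors out of the API response: the repository translates `sql.ErrNoRows` and any other driver error at its own boundary into a sentinel or a wrapped internal error, `StatusFor` maps those to a response so that anything unrecognised becomes a generic 500 with the detail logged server-side, and `GetAsset` is the seam a first test would exercise. `AssetRepo` with its `query` callback is a constructed stand-in for the SQL store, and the `pq: relation ...` text in `main` is a constructed driver message, not output from the project.

```go
package main

import (
	"database/sql"
	"encoding/json"
	"errors"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// Sentinel errors owned by the store layer. Handlers match on them with
// errors.Is and never on a driver's message text.
var (
	ErrNotFound = errors.New("asset not found")
	ErrConflict = errors.New("asset already exists")
)

type Asset struct {
	ID   int    `json:"id"`
	Type string `json:"type"`
}

// AssetRepo is a constructed stand-in for store/store.go: query plays the part
// of the *sql.DB call and returns whatever the driver would.
type AssetRepo struct{ query func(id int) (Asset, error) }

// Get translates driver errors at the repository boundary, so that only a
// sentinel or a wrapped (still internal) error leaves this layer.
func (r *AssetRepo) Get(id int) (Asset, error) {
	a, err := r.query(id)
	switch {
	case err == nil:
		return a, nil
	case errors.Is(err, sql.ErrNoRows):
		return Asset{}, ErrNotFound
	default:
		return Asset{}, fmt.Errorf("get asset %d: %w", id, err)
	}
}

// StatusFor maps a store error to the status code and the message a client may
// see. Anything unrecognised becomes a generic 500; the detail is for the log.
func StatusFor(err error) (int, string) {
	switch {
	case errors.Is(err, ErrNotFound):
		return http.StatusNotFound, ErrNotFound.Error()
	case errors.Is(err, ErrConflict):
		return http.StatusConflict, ErrConflict.Error()
	default:
		return http.StatusInternalServerError, "internal server error"
	}
}

func writeJSON(w http.ResponseWriter, code int, v interface{}) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(code)
	json.NewEncoder(w).Encode(v)
}

// GetAssetHandler serves GET /assets?id=N (a query parameter stands in for the
// path parameter to keep routing out of the example).
func GetAssetHandler(repo *AssetRepo) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, err := strconv.Atoi(r.URL.Query().Get("id"))
		if err != nil {
			writeJSON(w, http.StatusBadRequest, map[string]string{"error": "id must be an integer"})
			return
		}
		a, err := repo.Get(id)
		if err != nil {
			code, msg := StatusFor(err)
			if code >= 500 {
				log.Printf("GET /assets/%d: %v", id, err) // full detail stays server-side
			}
			writeJSON(w, code, map[string]string{"error": msg})
			return
		}
		writeJSON(w, http.StatusOK, a)
	})
}

// GetAsset drives one request through the handler and returns status and body.
func GetAsset(repo *AssetRepo, id string) (int, string) {
	req := httptest.NewRequest("GET", "/assets?id="+id, nil)
	rec := httptest.NewRecorder()
	GetAssetHandler(repo).ServeHTTP(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	// Constructed driver failure: the kind of message that must not reach a client.
	broken := &AssetRepo{query: func(int) (Asset, error) {
		return Asset{}, errors.New(`pq: relation "assets" does not exist`)
	}}
	fmt.Println(GetAsset(broken, "1")) // 500 {"error":"internal server error"}
}
```

The design choice is that the handler never sees `sql.ErrNoRows` or a driver string: the store owns the translation, the handler owns the status mapping, and a table name or query fragment can only reach the log. Because `GetAsset` returns the status and body as values, the three store behaviours (found, missing, failing) are the natural first tests, ahead of the JWT middleware.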
Hi again @petpalioudakis, thank you for your detailed responses and the time you spent on my comments! I have one last question though:
Hello @NikosMas I am aware that this library has been archived, but as it was an assignment and not a production-level project, I decided to use it to save time. I have already implemented the JWT-related code in an older project I worked on three years ago when I was testing migration from PHP-implemented APIs to Go or Python.
Assumptions:
All users are assumed to have administrative privileges, granting them access to all asset CRUD operations without ownership verification.