blog: cruds

This commit is contained in:
Araozu 2024-10-26 07:50:17 -05:00
parent 4cc9406bc2
commit 3bf622200b
3 changed files with 148 additions and 4 deletions

View File

@ -67,12 +67,14 @@ pre.astro-code>code .line::before {
} }
#blog blockquote { #blog blockquote {
border-left: 5px solid var(--c-border-1); border-left: 5px solid var(--c-border-2);
padding-left: 1rem; padding-left: 1rem;
padding-top: 0.5rem; padding-top: 0.25rem;
padding-bottom: 0.5rem; padding-bottom: 0.25rem;
margin-bottom: 0.5rem;
} }
@media (prefers-color-scheme: dark) { @media (prefers-color-scheme: dark) {
.astro-code { .astro-code {
background-color: var(--shiki-dark-bg) !important; background-color: var(--shiki-dark-bg) !important;

View File

@ -5,7 +5,7 @@ description: |
I diskile Java/Go's verbosity. I like Rust/Zig I diskile Java/Go's verbosity. I like Rust/Zig
syntax sugar and semantics. syntax sugar and semantics.
pubDate: "2024-07-26" pubDate: "2024-07-26"
tags: ["tech", "languajes", "java", "rust", "go", "verbosity"] tags: ["tech", "languages", "java", "rust", "go", "verbosity"]
image: image:
url: "/img/blog/en/langs/cover.jpg" url: "/img/blog/en/langs/cover.jpg"
alt: "Image of a kid eating sweets and other eating vegetables." alt: "Image of a kid eating sweets and other eating vegetables."

View File

@ -0,0 +1,142 @@
---
layout: ../../../layouts/BlogLayout.astro
title: Wrongly overengineered CRUDs
description: How did we get here?
pubDate: "2024-10-26"
tags: ["javascript", "typescript", "react", "next", "nest", "security", "htmx"]
image:
url: ""
alt: ""
caption: ""
---
How did we get here?
<p>
<img src="https://htmx.org/img/memes/bellcurve.png" alt="A bell curve image, showing html+backend on both ends, and a learning path from roadmap.sh in the middle." style=" max-height: initial;" />
</p>
## Our projects
As a preface, the work I do involves building systems for many companies.
It's like building a mini ERP, suited for the needs of each company.
We have a fixed amount of time to do it, usually 5-6 months, each project
usually has 2-3 person working on it, and there are multiple projects
running in parallel.
And most of the apps are just CRUDs.
## Our definitely (wrongly) overengineered tech stack
Since we start new projects every 5-6 months we have the opportunity
to use brand-new technology. If the project I'm currently in didn't start
2 weeks ago, we would've been using Nextjs 15, which was released last
monday.
So, what is our bleeding edge web stack for building CRUD apps?
### Split back/frontend
Welcome to 2017. We split those and communicate between using JSON.
However (at least in my project) we were all involved. I worked on
backend and front, my colleage 1 does too, and colleage 2 worked
both but it looks like they will be doing only front-end.
But what is more weird about this split is:
### Nextjs for the **frontend**
We use Nextjs, a full-stack framework, as a front-end only thing.
We generate a static bundle and ship it along our backend.
How ironic that we use React Server Components, but those end
up being statically rendered.
### Redux (toolkit)
Again, welcome to 2017. We have all our endpoints as global state,
managed with mutations and queries.
### tailwind, shadcn, etc
Other less controvertial things are tailwind for styles,
shadcn for premade components. The small things.
### Nestjs (typescript) for the backend
REST APIs written in JavaScript.
I gues this wouldn't be that bad, except for the fact that
JS is a trash language (fight me), and we could use something
better.
I'm not asking for Rust. I'm not even asking for Go. But can
we please use dotnet or java?
On the topic of backend, we use Prisma as an ORM. Personally,
I rawdog my SQL, so I don't know about the latest and greatest
ORM technologies. But something I will say is that, to create
a user and assign it some roles, Prisma generated and executed
47 SQL queries. Something to think about.
---
All of this, to render tables, forms and buttons. We don't need
any fancy interactivity. At most, we need some polling to get
the most up to date data.
## Security? Never met her.
The stack might be overengineered, sure, but is it wrong?
These are preferences, see, we could replace Next with Svelte
and Nest with Go and it would be the same right? Right?
I think the problem of modern webdev is that we have prioritized
moving **blazingly fast** over anything else. We take a lot of
technologies that are **blazingly fast** to develop with on small
apps, that when composed together, become a mess to mantain.
Because with this structure and only 3 CRUDs, the frontend already
has like 30 `.ts` and `.tsx` files for all the complexity. And,
ironically, the thing is so big that is fragile.
But I know that something is fundamentally bad when things like
the following happen.
What motivated to write this post was something the lead told me.
We have a manual implementation of RBAC on the backend. But,
no API endpoints check for permissions (authorization). All they
do is check for credentials (authentication). So, the conversation
went something like this:
> Me: Hey, I was looking at the endpoints and noticed that
there are no checks for authorization. Any user with any role
with any permission can do anything, as long as they are logged in.
Am I missing something?
> Lead: Right. We don't do that. I thought we could just check those
roles and permissions in the frontend, and disable some buttons
or hide them. That should be enough.
> Me: But, you know we must also secure the backend right? We can't
rely on ui checks, anyoune can send an http request, and those
should also be secure, right?
> Lead: Nah, I don't think it's worth the effort. If we also work on
security on the backend we will miss our deadlines. Disabling and
hiding buttons in the frontend should be enough.
> Me: 🤨😑🤮🫠
to be continued...