On the Complexity of Software

Today I want to create a simple TODO list web app that can have nested lists, and support many users. Sounds simple, right?

My first step would be to choose a language or framework for my back end. There are several possible solutions: PHP with Laravel, Node.js with JavaScript, Spring with Java, Rails with Ruby, Django with Python, .NET with C#, among many others. I have never developed a back end with Python, so I choose Django. For the database I can choose among MySQL, PostgreSQL, MariaDB, Cassandra, SQLite, MongoDB, and others. I go with PostgreSQL; I have been working with it in my last projects and so far it has been a great tool. I still have to choose what to use for the web app. Again I have many possibilities: pure JavaScript, jQuery, AngularJS, Angular, React, Vue, Knockout, etc. I like a web-component-based solution, and I have heard of great experiences with React, so I include React in my stack. So far so good.

I start development by defining my models. Right now I need just two: users and lists. Fortunately for me, the Django admin app already has a user model defined, so I can reuse it. My list model requires nested lists, so I need a way to emulate a graph structure in a flat table. I can add a field to my list model that points to its parent id, and when the list is at the root it can have a parent id of 0. To get all the root lists for a given user I can define an endpoint /api/lists, and the model will query the database for all the lists with a user id equal to... wait, how do I get the user id?

It seems that Django by default uses cookie authentication and expects a form post, but since I'm using a React app with... Damn, I forgot to add a library for API communication. Again I can choose from XMLHttpRequest, jQuery ajax, the new fetch API, Axios, etc. I go with Axios. OK, let's continue. Since I'm using a React app with Axios to consume a REST API, I need an authentication endpoint. Combining form posts with a REST API is a little cumbersome, so my authentication endpoint will just return an authentication token, and this token will be saved in the browser for future requests. How can I generate this token? I can use OAuth, JWT, my own implementation, etc. For OAuth I need new tables in my database; with JWT I just need a secret key or an SSL file. For convenience I choose JWT. Finally I have my authentication endpoint, and I can send the user id in the authentication token.

Hey, wait: if a second user knows the first user's id, how do I prevent them from seeing the first user's lists? Gosh, I need to check in every endpoint that the list being accessed belongs to the authenticated user. It is an easy implementation, but I need to remember to do it for every endpoint in my API. And I'm not yet done with list creation! I am exhausted...
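The three pieces above (a parent id of 0 marking root lists, a JWT that carries the user id, and the ownership check that every endpoint must repeat) fit together in the following added example. It is not code from the post: it uses only the Python standard library, so the JWT is signed with HMAC instead of a JWT library, the lists table is a constructed in-memory list of rows instead of PostgreSQL, and the endpoints are plain functions returning an HTTP-style status and body instead of Django views. The secret key and all row values are constructed for the demo. It goes one step beyond the post by putting the "belongs to the authenticated user" check in a single helper and a decorator, so that an endpoint never sees a raw token and cannot forget the check.

```python
"""Token issuance, verification and per-user scoping for the nested TODO-list API."""
import base64
import functools
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET_KEY = b"constructed-demo-secret-do-not-reuse"  # assumption: a server-side secret


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: int, ttl: int = 3600, now: Optional[int] = None) -> str:
    """HS256 JWT with the user id in 'sub' and an expiry in 'exp'."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"sub": str(user_id), "iat": now, "exp": now + ttl}).encode())
    signature = hmac.new(SECRET_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_token(token: str, now: Optional[int] = None) -> int:
    """Return the user id from a valid token; raise ValueError for anything else."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, signature = parts
    hdr = json.loads(b64url_decode(header))
    if not isinstance(hdr, dict) or hdr.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the algorithm is pinned server-side, never read from the token
    expected = hmac.new(SECRET_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if not isinstance(claims, dict) or claims.get("sub") is None:
        raise ValueError("missing subject")
    now = int(time.time()) if now is None else now
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return int(claims["sub"])


# Constructed sample rows standing in for the lists table; parent_id 0 marks a root list.
LISTS = [
    {"id": 1, "owner_id": 1, "parent_id": 0, "title": "Groceries"},
    {"id": 2, "owner_id": 1, "parent_id": 1, "title": "Fruit"},
    {"id": 3, "owner_id": 2, "parent_id": 0, "title": "Work"},
    {"id": 4, "owner_id": 2, "parent_id": 3, "title": "Quarterly report"},
]


def require_user(endpoint):
    """Decorator: the endpoint receives a verified user id, never a raw token.

    Verification failures become 401; ownership failures become 404, so another
    user's list ids look exactly like ids that do not exist.
    """
    @functools.wraps(endpoint)
    def wrapper(token, *args, **kwargs):
        try:
            user_id = verify_token(token)
        except ValueError as exc:
            return 401, {"error": str(exc)}
        try:
            return 200, endpoint(user_id, *args, **kwargs)
        except LookupError:
            return 404, {"error": "list not found"}
    return wrapper


def owned_list(user_id: int, list_id: int) -> dict:
    """The one place where 'this list belongs to this user' is checked."""
    for row in LISTS:
        if row["id"] == list_id and row["owner_id"] == user_id:
            return row
    raise LookupError(list_id)


@require_user
def list_children(user_id: int, parent_id: int = 0) -> list:
    """GET /api/lists?parent=<id>: the children of one list, or the root lists when parent is 0."""
    if parent_id != 0:
        owned_list(user_id, parent_id)  # never enumerate under a list the caller does not own
    return [row["id"] for row in LISTS if row["owner_id"] == user_id and row["parent_id"] == parent_id]


if __name__ == "__main__":
    token = issue_token(1)
    print(list_children(token, 0))  # user 1's root lists
    print(list_children(token, 3))  # list 3 belongs to user 2: 404, not its children
```

Two design points are worth noting. The token only identifies the user; the filter on `owner_id` is what keeps user 2's rows out of user 1's results, and because `owned_list` is the only path to a row by id, adding a new endpoint means calling it rather than remembering a per-endpoint rule. Returning 404 rather than 403 for someone else's list avoids confirming that the id exists.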

To be continued...
