boolean-uk / software-developer


API Module - Review Week 1 #80

Closed vherus closed 2 years ago

vherus commented 2 years ago

The MDN link did a better job explaining the router, controller, model setup than the slides, and for the exercises where we had to POST objects with multiple key/value pairs the slides had nothing to explain the way that the placeholders and array should be set up (though the exercise itself has clues in the way the mock data was set up). It makes week 1 harder, as I'm trying to figure out some sort of workflow (coding, where to find good information online, making sense of that info etc...)

This is referencing Week 1, before the refactor. This student also noted during feelings that there was too much example code in the exercises, making it unnecessarily difficult to figure out the core concepts.

vherus commented 2 years ago

What are some actions we can take here?

I'm interested to hear some thoughts about how else we might restructure this week.

vherus commented 2 years ago

https://developer.mozilla.org/en-US/docs/Learn/Server-side/Express_Nodejs/routes

vherus commented 2 years ago

Split and sequence:

Express

Database + SQL

Express + SQL

vherus commented 2 years ago

https://github.com/boolean-uk/cinema-booking-api/blob/main/requirements/3%20-%20Single%20Movie.md

Requirement: Build a route to retrieve a single movie by ID or name. Having both of these scenarios covered by the same route can prove difficult. Suggest adding an easier path for this one, leaving the current one as an optional harder route through the requirement.

vherus commented 2 years ago

Frontend context for the backend work being done should be added. There's a client exercise repo (https://github.com/boolean-uk/cinema-booking-api-client) but some more context would be good.

dearshrewdwit commented 2 years ago

@vherus let's include updating the first week of the module today - C4 are approaching the start of the module.

dearshrewdwit commented 2 years ago

Notes from @mikemherron

No validation - we never discussed the concept of "don't trust the client" at all. In some of the examples they are wide open to SQL injection. Time on the importance of validating client input would be useful - both manually and using the various Express plugins that exist.

Error handling - a single catch to return a 500 on any error, and sending on the database error message was all we did, which is totally unrealistic. A day on proper error handling and using suitable HTTP response codes would be great.

No "logic" - every API method was just fetching a record from the database. Some exercises or examples with any sort of domain logic would be useful.

No data model / presentation separation - Every example just took the data returned from Prisma and sent it back to the client. There was never any discussion about not exposing implementation details of the underlying persistence layer and why it might not be a good idea just to serialise your table structure 1:1 back to the client.

API design and documentation - as discussed at stand up an introduction to how to formally document an API would be a useful modelling-type step.

Code Structure - as previously discussed, every API method was just a super thin layer that made a Prisma query with no discussion of separation or where that code would exist.

Middleware - we never really cover the concept of what middleware is and what it does. We just add it in at one point.
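An added example, not part of the thread or the course repos: a framework-free core of the "single movie by ID or name" route that applies the notes on validation, SQL injection, error handling and data/presentation separation. The `movies` table, its column names, the `db.query(text, values)` interface and the sample row are assumptions made for illustration.

```javascript
// Added example: names, columns and the db interface below are hypothetical.
class ValidationError extends Error {}

// Don't trust the client: accept only a positive integer ID or a bounded title.
function buildMovieQuery(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 100) {
    throw new ValidationError('id or title must be 1-100 characters');
  }
  // The value travels as a bound parameter ($1), never concatenated into SQL.
  if (/^[1-9]\d{0,8}$/.test(raw)) {
    return { text: 'SELECT * FROM movies WHERE id = $1', values: [Number(raw)] };
  }
  return { text: 'SELECT * FROM movies WHERE title = $1', values: [raw] };
}

// Presentation model: expose chosen fields, not the table structure 1:1.
function toMovieDto(row) {
  return { id: row.id, title: row.title, runtimeMins: row.runtime_mins };
}

// Returns { status, body }; an Express handler would call
// res.status(status).json(body) with the result.
async function getMovie(raw, db) {
  try {
    const { text, values } = buildMovieQuery(raw);
    const rows = await db.query(text, values);
    if (rows.length === 0) return { status: 404, body: { error: 'movie not found' } };
    return { status: 200, body: { movie: toMovieDto(rows[0]) } };
  } catch (err) {
    if (err instanceof ValidationError) return { status: 400, body: { error: err.message } };
    // Detail is logged server-side; the client gets a generic message only.
    console.error(err);
    return { status: 500, body: { error: 'internal server error' } };
  }
}

// Constructed in-memory stand-in for a database client (sample data, not real).
const fakeDb = {
  rows: [{ id: 1, title: 'Dune', runtime_mins: 155, internal_cost_code: 'X-17' }],
  async query(text, values) {
    const col = text.includes('WHERE id') ? 'id' : 'title';
    return this.rows.filter((r) => r[col] === values[0]);
  },
};
```

A classic injection string such as `1' OR '1'='1` is treated as a title to match literally, so it returns 404 rather than altering the query.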