swtl

Session, cookie, JWT, token, SSO, and OAuth 2.0 - what are they? These terms relate to managing user identity when logging into websites. You declare who you are (identification), your identity is verified (authentication), and you're granted appropriate permissions (authorization). Many solutions exist and continue to emerge. From simple to more complex: 🔹WWW-Authenticate is very basic. The browser prompts for username and password. It lacks control over the login lifecycle, so is rarely used today. 🔹Session-cookie is prevalent in browsers. Servers maintain session storage, and browsers store session IDs in cookies. Mobile apps can use cookies in web views but often prefer tokens for native functions. 🔹Tokens are encoded data used for validation, allowing clients to avoid sending credentials repeatedly. They ensure data integrity but aren't always encrypted. 🔹JWT provides a standardized format for tokens. They are digitally signed to ensure their authenticity. Because JWTs can hold session or user data in their claims, servers don't need to store this information separately for verification. 🔹SSO (single sign-on) lets you log in once then access multiple sites. Uses central authentication service (CAS) to maintain cross-site info. 🔹OAuth 2.0 authorizes one site to access your info on another site. – Subscribe to our weekly newsletter to get a Free System Design PDF (158 pages): https://t.co/kNfv0DVDdf

𝗔 𝗥𝗶𝘀𝗸-𝗯𝗮𝘀𝗲𝗱 𝗔𝗽𝗽𝗿𝗼𝗮𝗰𝗵 𝗧𝗼 𝗦𝗼𝗳𝘁𝘄𝗮𝗿𝗲 𝗔𝗿𝗰𝗵𝗶𝘁𝗲𝗰𝘁𝘂𝗿𝗲 In the book "𝗝𝘂𝘀𝘁 𝗘𝗻𝗼𝘂𝗴𝗵 𝗦𝗼𝗳𝘁𝘄𝗮𝗿𝗲 𝗔𝗿𝗰𝗵𝗶𝘁𝗲𝗰𝘁𝘂𝗿𝗲" by George Fairbanks, the author introduces Risk-Driven Software Architecture. A risk-based approach to software architecture involves identifying and 𝗽𝗿𝗶𝗼𝗿𝗶𝘁𝗶𝘇𝗶𝗻𝗴 𝘁𝗵𝗲 𝗿𝗶𝘀𝗸𝘀 𝗮𝘀𝘀𝗼𝗰𝗶𝗮𝘁𝗲𝗱 𝘄𝗶𝘁𝗵 𝗮 𝘀𝗼𝗳𝘁𝘄𝗮𝗿𝗲 𝘀𝘆𝘀𝘁𝗲𝗺 and then designing the architecture to mitigate those risks. The idea is to focus on the risks most critical to the project's success and address them first rather than trying to address every possible risk. To 𝗶𝗺𝗽𝗹𝗲𝗺𝗲𝗻𝘁 a risk-based approach, you first need to 𝗶𝗱𝗲𝗻𝘁𝗶𝗳𝘆 𝘁𝗵𝗲 𝗽𝗼𝘁𝗲𝗻𝘁𝗶𝗮𝗹 𝗿𝗶𝘀𝗸𝘀 𝗮𝘀𝘀𝗼𝗰𝗶𝗮𝘁𝗲𝗱 𝘄𝗶𝘁𝗵 𝘆𝗼𝘂𝗿 𝘀𝘆𝘀𝘁𝗲𝗺. This can be done through various methods, such as 𝗰𝗼𝗻𝗱𝘂𝗰𝘁𝗶𝗻𝗴 𝗮 𝗿𝗶𝘀𝗸 𝗮𝗻𝗮𝗹𝘆𝘀𝗶𝘀, reviewing historical data from similar projects, or consulting with subject matter experts. Once the risks have been identified, they should be prioritized based on their potential impact on the project, the likelihood of occurrence, and the feasibility of mitigation. Next, the 𝘀𝗼𝗳𝘁𝘄𝗮𝗿𝗲 𝗮𝗿𝗰𝗵𝗶𝘁𝗲𝗰𝘁𝘂𝗿𝗲 𝘀𝗵𝗼𝘂𝗹𝗱 𝗯𝗲 𝗱𝗲𝘀𝗶𝗴𝗻𝗲𝗱 𝘄𝗶𝘁𝗵 𝘁𝗵𝗲 𝗶𝗱𝗲𝗻𝘁𝗶𝗳𝗶𝗲𝗱 𝗿𝗶𝘀𝗸𝘀 𝗶𝗻 𝗺𝗶𝗻𝗱. Addressing the most critical risks may involve trade-offs between architectural qualities, such as performance, scalability, and maintainability. For example, if security is identified as a critical risk, the architecture may need to rank secure communication channels, access control mechanisms, and encryption over other qualities. The book introduces related concepts of 𝗖𝗼𝗺𝗽𝗼𝗻𝗲𝗻𝘁𝘀, 𝗣𝗼𝗿𝘁𝘀, 𝗮𝗻𝗱 𝗖𝗼𝗻𝗻𝗲𝗰𝘁𝗼𝗿𝘀. We've all heard the word "component" a thousand times differently. The context surrounding the term "component" was more explicit in Fairbanks' work, and "Ports and Connectors" helped cement the idea of what a Component may be in an actual system. An 𝗲𝘅𝗮𝗺𝗽𝗹𝗲 𝗼𝗳 𝘁𝗵𝗶𝘀 𝗮𝗽𝗽𝗿𝗼𝗮𝗰𝗵 𝗶𝗻 𝗵𝗲𝗮𝗹𝘁𝗵𝗰𝗮𝗿𝗲 would be that such software systems must follow strict patient privacy and data security regulations. A risk-based approach can help identify the most critical risks and design the architecture to meet regulatory requirements. For example, the architecture may rank secure data transmission, authentication, and access control mechanisms to protect patient information. It's important to note that a risk-based approach is 𝗻𝗼𝘁 𝗮 𝗼𝗻𝗲-𝘁𝗶𝗺𝗲 𝗽𝗿𝗼𝗰𝗲𝘀𝘀. As the project progresses and new information becomes available, the identified risks may change, and the architecture may need adaptation. 𝗥𝗲𝗴𝘂𝗹𝗮𝗿 𝗿𝗲𝘃𝗶𝗲𝘄𝘀 𝗮𝗻𝗱 𝘂𝗽𝗱𝗮𝘁𝗲𝘀 𝘁𝗼 𝘁𝗵𝗲 𝗿𝗶𝘀𝗸 𝗮𝘀𝘀𝗲𝘀𝘀𝗺𝗲𝗻𝘁 and architecture design are essential to ensure the system remains secure and functional. #softwareengineering #softwaredesign #softwarerchitecture

The buyer pays in USD, and the European seller receives euros. How does this work? This process is called foreign exchange. Suppose Bob (the buyer) needs to pay 100 USD to Alice (the seller), and Alice can only receive EUR. The diagram below illustrates the process. 1. Bob sends 100 USD via a third-party payment provider. In our example, it is Paypal. The money is transferred from Bob’s bank account (Bank B) to Paypal’s account in Bank P1. 2. Paypal needs to convert USD to EUR. It leverages the foreign exchange provider (Bank E). Paypal sends 100 USD to its USD account in Bank E. 3. 100 USD is sold to Bank E’s funding pool. 4. Bank E’s funding pool provides 88 EUR in exchange for 100 USD. The money is put into Paypal’s EUR account in Bank E. 5. Paypal’s EUR account in Bank P2 receives 88 EUR. 6. 88 EUR is paid to Alice’s EUR account in Bank A. Now let’s take a close look at the foreign exchange (forex) market. It has 3 layers: 🔹 Retail market. Funding pools are parts of the retail market. To improve efficiency, Paypal usually buys a certain amount of foreign currencies in advance. 🔹 Wholesale market. The wholesale business is composed of investment banks, commercial banks, and foreign exchange providers. It usually handles accumulated orders from the retail market. 🔹 Top-level participants. They are multinational commercial banks that hold lots of money from different countries. When Bank E’s funding pool needs more EUR, it goes upward to the wholesale market to sell USD and buy EUR. When the wholesale market accumulates enough orders, it goes upward to top-level participants. Steps 3.1-3.3 and 4.1-4.3 explain how it works. If you have any questions, please leave a comment. What foreign currency did you find difficult to exchange? And what company have you used for foreign currency exchange? – Subscribe to our weekly newsletter to get a Free System Design PDF (158 pages): https://t.co/FIzCeaWsZV

Would it be nice if the code we wrote automatically turned into architecture diagrams? I recently discovered a Github repo that does exactly this: Diagram as Code for prototyping cloud system architectures. 𝐖𝐡𝐚𝐭 𝐝𝐨𝐞𝐬 𝐢𝐭 𝐝𝐨? - Draw the cloud system architecture in Python code. - Diagrams can also be rendered directly inside the Jupyter Notebooks. - No design tools are needed. - Supports the following providers: AWS, Azure, GCP, Kubernetes, Alibaba Cloud, Oracle Cloud, etc. Github repo: github. com/mingrammer/diagrams – Subscribe to our weekly newsletter to get a Free System Design PDF (158 pages): https://t.co/uc5M7CdXXC

Do you believe that Google, Meta, Uber, and Airbnb put almost all of their code in one repository? This practice is called a monorepo. Monorepo vs. Microrepo. Which is the best? Why do different companies choose different options? Monorepo isn't new; Linux and Windows were both created using Monorepo. To improve scalability and build speed, Google developed its internal dedicated toolchain to scale it faster and strict coding quality standards to keep it consistent. Amazon and Netflix are major ambassadors of the Microservice philosophy. This approach naturally separates the service code into separate repositories. It scales faster but can lead to governance pain points later on. Within Monorepo, each service is a folder, and every folder has a BUILD config and OWNERS permission control. Every service member is responsible for their own folder. On the other hand, in Microrepo, each service is responsible for its repository, with the build config and permissions typically set for the entire repository. In Monorepo, dependencies are shared across the entire codebase regardless of your business, so when there's a version upgrade, every codebase upgrades their version. In Microrepo, dependencies are controlled within each repository. Businesses choose when to upgrade their versions based on their own schedules. Monorepo has a standard for check-ins. Google's code review process is famously known for setting a high bar, ensuring a coherent quality standard for Monorepo, regardless of the business. Microrepo can either set their own standard or adopt a shared standard by incorporating best practices. It can scale faster for business, but the code quality might be a bit different. Google engineers built Bazel, and Meta built Buck. There are other open-source tools available, including Nix, Lerna, and others. Over the years, Microrepo has had more supported tools, including Maven and Gradle for Java, NPM for NodeJS, and CMake for C/C++, among others. Over to you: Which option do you think is better? Which code repository strategy does your company use? – Subscribe to our weekly newsletter to get a Free System Design PDF (158 pages): https://t.co/FIzCeaWsZV

A Roadmap for Full-Stack Development. A full-stack developer needs to be proficient in a wide range of technologies and tools across different areas of software development. Here’s a comprehensive look at the technical stacks required for a full-stack developer. 🔹 1. Frontend Development Frontend development involves creating the user interface and user experience of a web application. 🔹 2. Backend Development Backend development involves managing the server-side logic, databases, and integration of various services. 🔹 3. Database Development Database development involves managing data storage, retrieval, and manipulation. 🔹 4. Mobile Development Mobile development involves creating applications for mobile devices. 🔹 5. Cloud Computing Cloud computing involves deploying and managing applications on cloud platforms. 🔹 6. UI/UX Design UI/UX design involves designing the user interface and experience of applications. 🔹 7. Infrastructure and DevOps Infrastructure and DevOps involve managing the infrastructure, deployment, and continuous integration/continuous delivery (CI/CD) of applications.

How to improve API performance? Here are 5 tips: 1. 𝗣𝗮𝗴𝗶𝗻𝗮𝘁𝗶𝗼𝗻 Pagination is a common optimization technique when result sets are large. By streaming results back to the client in pages, service responsiveness can be improved. 2. 𝗔𝘀𝘆𝗻𝗰𝗵𝗿𝗼𝗻𝗼𝘂𝘀 𝗟𝗼𝗴𝗴𝗶𝗻𝗴 Synchronous logging writes to disk on every API call, slowing down the system. With asynchronous logging, logs are first sent to a lock-free buffer and control is immediately returned. The buffer contents are then flushed periodically to disk, significantly reducing I/O overhead. 3. 𝗖𝗮𝗰𝗵𝗶𝗻𝗴 Frequently accessed data can be cached for fast retrieval. Clients can query the cache first instead of hitting the database directly every time. For cache misses, the database can be queried as a fallback. In-memory caches like Redis provide faster data access compared to databases. 4. 𝗣𝗮𝘆𝗹𝗼𝗮𝗱 𝗖𝗼𝗺𝗽𝗿𝗲𝘀𝘀𝗶𝗼𝗻 Request and response payloads can be compressed using algorithms such as gzip to reduce transmitted data volume. This speeds up upload and download times. 5. 𝗖𝗼𝗻𝗻𝗲𝗰𝘁𝗶𝗼𝗻 𝗣𝗼𝗼𝗹𝗶𝗻𝗴 Opening and closing database connections has significant overhead. Using a pool of open connections avoids this. The connection pool manages lifecycle events internally. What other performance optimization tricks have you found useful for APIs? – Subscribe to our weekly newsletter to get a Free System Design PDF (158 pages): https://t.co/kNfv0DVDdf

𝗪𝗵𝗮𝘁 𝗶𝘀 𝗘𝘃𝗲𝗻𝘁-𝗗𝗿𝗶𝘃𝗲𝗻 𝗔𝗿𝗰𝗵𝗶𝘁𝗲𝗰𝘁𝘂𝗿𝗲? Event-driven architecture is a software design pattern that operates in real-time. The program's flow is determined by events such as user actions, sensor outputs, or messages from other programs or services. In this architecture, events trigger the execution of specific processes or functions, ensuring immediate responsiveness. We usually implement it with microservices. Some examples of events include a user clicking a button, placing a new order, or uploading a file. This architecture has three key components: 𝟭. 𝗣𝗿𝗼𝗱𝘂𝗰𝗲𝗿𝘀: These components or services generate events when something notable happens. 𝟮. 𝗖𝗼𝗻𝘀𝘂𝗺𝗲𝗿𝘀: These are components or services that listen to specific events and react accordingly. 𝟯. 𝗖𝗵𝗮𝗻𝗻𝗲𝗹𝘀 (𝗼𝗿 𝗕𝗿𝗼𝗸𝗲𝗿𝘀): This is how events are transmitted from producers to consumers. Popular examples include message queues (like RabbitMQ) and streaming platforms (like Apache Kafka). They work as follows: An event producer detects a significant change and creates an event message. The message is sent to an event channel, which delivers it to interested event consumers. Event consumers process the event and perform actions as needed. There are multiple benefits of this architecture: 𝟭. 𝗦𝗰𝗮𝗹𝗮𝗯𝗶𝗹𝗶𝘁𝘆. Components can be scaled independently to handle varying loads. 𝟮. 𝗟𝗼𝗼𝘀𝗲 𝗰𝗼𝘂𝗽𝗹𝗶𝗻𝗴. Components are less dependent on each other, making the system more flexible and accessible to change. 𝟯. 𝗥𝗲𝘀𝗽𝗼𝗻𝘀𝗶𝘃𝗲𝗻𝗲𝘀𝘀. Applications can react to events in real-time or near real-time. 𝟰. 𝗥𝗲𝘀𝗶𝗹𝗶𝗲𝗻𝗰𝗲. Failure in one component doesn't affect others. It also includes some 𝗱𝗶𝘀𝗮𝗱𝘃𝗮𝗻𝘁𝗮𝗴𝗲𝘀, such as increased complexity in design and debug issues and consistency in ensuring that events are processed correctly. Some use cases include: 🔹 𝗜𝗼𝗧 𝗦𝘆𝘀𝘁𝗲𝗺𝘀: Managing data from multiple sensors. 🔹 𝗥𝗲𝗮𝗹-𝘁𝗶𝗺𝗲 𝗱𝗮𝘁𝗮 𝗽𝗿𝗼𝗰𝗲𝘀𝘀𝗶𝗻𝗴: One of its strengths is processing and analyzing data immediately upon generation. 🔹 𝗠𝗶𝗰𝗿𝗼𝘀𝗲𝗿𝘃𝗶𝗰𝗲𝘀: It complements microservices well, allowing services to communicate asynchronously and remain loosely coupled. #softwareengineering #programming #softwaredesign

What is a webhook? The diagram below shows a comparison between polling and webhook. Assume we run an eCommerce website. The clients send orders to the order service via the API gateway, which goes to the payment service for payment transactions. The payment service then talks to an external payment service provider (PSP) to complete the transactions. There are two ways to handle communications with the external PSP. 🔹 1. Short polling After sending the payment request to the PSP, the payment service keeps asking the PSP about the payment status. After several rounds, the PSP finally returns with the status. Short polling has two drawbacks: 1) Constant polling of the status requires resources from the payment service. 2) The External service communicates directly with the payment service, creating security vulnerabilities. 🔹 2. Webhook We can register a webhook with the external service. It means: call me back at a certain URL when you have updates on the request. When the PSP has completed the processing, it will invoke the HTTP request to update the payment status. In this way, the programming paradigm is changed, and the payment service doesn’t need to waste resources to poll the payment status anymore. What if the PSP never calls back? We can set up a housekeeping job to check payment status every hour. Webhooks are often referred to as reverse APIs or push APIs because the server sends HTTP requests to the client. We need to pay attention to 3 things when using a webhook: 1) We need to design a proper API for the external service to call. 2) We need to set up proper rules in the API gateway for security reasons. 3) We need to register the correct URL at the external service. – Subscribe to our weekly newsletter to get a Free System Design PDF (158 pages): https://t.co/FIzCeaWsZV

𝗪𝗵𝗮𝘁 𝗔𝗿𝗲 𝗔𝗿𝗰𝗵𝗶𝘁𝗲𝗰𝘁𝘂𝗿𝗮𝗹 𝗖𝗵𝗮𝗿𝗮𝗰𝘁𝗲𝗿𝗶𝘀𝘁𝗶𝗰𝘀? ISO/IEC 25010 is a standard that defines a model for software product quality and provides a set of quality characteristics (also called "ilities"). It is part of the ISO/IEC 25000 series and concerns software product quality. The model introduced in ISO/IEC 25010 is known as 𝘁𝗵𝗲 𝗦𝘆𝘀𝘁𝗲𝗺 𝗮𝗻𝗱 𝗦𝗼𝗳𝘁𝘄𝗮𝗿𝗲 𝗤𝘂𝗮𝗹𝗶𝘁𝘆 𝗠𝗼𝗱𝗲𝗹. The most important architectural characteristics defined by ISO/IEC 25010 are: 𝟭. 𝗙𝘂𝗻𝗰𝘁𝗶𝗼𝗻𝗮𝗹𝗶𝘁𝘆: This refers to the set of attributes that bear on the existence of a group of functions and their specified properties.  🔹 𝗦𝘂𝗶𝘁𝗮𝗯𝗶𝗹𝗶𝘁𝘆: Appropriateness of functions for specified tasks.  🔹 𝗙𝘂𝗻𝗰𝘁𝗶𝗼𝗻𝗮𝗹 𝗰𝗼𝗺𝗽𝗹𝗲𝘁𝗲𝗻𝗲𝘀𝘀: The degree to which the set of functions covers all the specified tasks and user objectives.  🔹 𝗙𝘂𝗻𝗰𝘁𝗶𝗼𝗻𝗮𝗹 𝗰𝗼𝗿𝗿𝗲𝗰𝘁𝗻𝗲𝘀𝘀: The degree to which a system performs its required functions. 𝟮. 𝗣𝗲𝗿𝗳𝗼𝗿𝗺𝗮𝗻𝗰𝗲 𝗘𝗳𝗳𝗶𝗰𝗶𝗲𝗻𝗰𝘆: This pertains to the performance relative to the resources used under stated conditions.  🔹 𝗧𝗶𝗺𝗲 𝗯𝗲𝗵𝗮𝘃𝗶𝗼𝗿: Degree to which a product or system's response and processing times and throughput rates meet requirements when performing its functions.  🔹 𝗥𝗲𝘀𝗼𝘂𝗿𝗰𝗲 𝘂𝘀𝗲: The degree to which the amounts and types of resources a product or system uses meet requirements when performing its functions.  🔹 𝗖𝗮𝗽𝗮𝗰𝗶𝘁𝘆: Degree to which a product's or system parameter's largest limits meet requirements. 𝟯. 𝗖𝗼𝗺𝗽𝗮𝘁𝗶𝗯𝗶𝗹𝗶𝘁𝘆: The capability of two or more systems or components to exchange information and perform their required functions while sharing the same hardware or software environment.  🔹 𝗖𝗼-𝗲𝘅𝗶𝘀𝘁𝗲𝗻𝗰𝗲: Degree to which a product can perform its functions efficiently while sharing a familiar environment and resources without detrimental impact on any other product.  🔹 𝗜𝗻𝘁𝗲𝗿𝗼𝗽𝗲𝗿𝗮𝗯𝗶𝗹𝗶𝘁𝘆: Degree to which two or more systems, products, or components can exchange information and use the information that has been exchanged. 𝟰. 𝗨𝘀𝗮𝗯𝗶𝗹𝗶𝘁𝘆: The degree to which specified users can use a product or system to achieve goals with effectiveness, efficiency, and satisfaction in a specified context.  🔹 𝗔𝗽𝗽𝗿𝗼𝗽𝗿𝗶𝗮𝘁𝗲𝗻𝗲𝘀𝘀 𝗿𝗲𝗰𝗼𝗴𝗻𝗶𝘇𝗮𝗯𝗶𝗹𝗶𝘁𝘆: The degree to which users can recognize whether a product or system is appropriate for their needs.  🔹 𝗟𝗲𝗮𝗿𝗻𝗮𝗯𝗶𝗹𝗶𝘁𝘆: The degree to which specified users can use a product or system to achieve the goals of learning to use the product or system with effectiveness, efficiency, freedom from risk, and satisfaction in a specified context of use.  🔹 𝗢𝗽𝗲𝗿𝗮𝗯𝗶𝗹𝗶𝘁𝘆: The degree to which a product or system has attributes that make it easy to operate and control. #softwareengineering #softwarearchitecture #softwaredesign

Double charging a customer is VERY BAD. How do we avoid it? When we design the payment system, it is important to guarantee that the payment system executes a payment order exactly-once. At the first glance, exactly-once delivery seems very hard to tackle, but if we divide the problem into two parts, it is much easier to solve. Mathematically, an operation is executed exactly-once if: 1. It is executed at least once. 2. At the same time, it is executed at most once. We now explain how to implement at least once using retry and at most once using idempotency check. 𝐑𝐞𝐭𝐫𝐲 Occasionally, we need to retry a payment transaction due to network errors or timeout. Retry provides the at-least-once guarantee. For example, as shown in Figure 10, the client tries to make a $10 payment, but the payment keeps failing due to a poor network connection. Considering the network condition might get better, the client retries the request and this payment finally succeeds at the fourth attempt. 𝐈𝐝𝐞𝐦𝐩𝐨𝐭𝐞𝐧𝐜𝐲 From an API standpoint, idempotency means clients can make the same call repeatedly and produce the same result. For communication between clients (web and mobile applications) and servers, an idempotency key is usually a unique value that is generated by clients and expires after a certain period of time. A UUID is commonly used as an idempotency key and it is recommended by many tech companies such as Stripe and PayPal. To perform an idempotent payment request, an idempotency key is added to the HTTP header: <idempotency-key: key_value>. If you have any questions or I missed anything, please leave a comment. – Subscribe to our weekly newsletter to get a Free System Design PDF (158 pages): https://t.co/FIzCeaWsZV