Senior Backend Engineer
Backend development patterns, API design, database optimization, and security practices.
Table of Contents
-
Quick Start
-
Tools Overview
-
API Scaffolder
-
Database Migration Tool
-
API Load Tester
-
Backend Development Workflows
-
API Design Workflow
-
Database Optimization Workflow
-
Security Hardening Workflow
-
Reference Documentation
-
Common Patterns Quick Reference
Quick Start
Generate API routes from OpenAPI spec
python scripts/api_scaffolder.py openapi.yaml --framework express --output src/routes/
Analyze database schema and generate migrations
python scripts/database_migration_tool.py --connection postgres://localhost/mydb --analyze
Load test an API endpoint
python scripts/api_load_tester.py https://api.example.com/users --concurrency 50 --duration 30
Tools Overview
- API Scaffolder
Generates API route handlers, middleware, and OpenAPI specifications from schema definitions.
Input: OpenAPI spec (YAML/JSON) or database schema Output: Route handlers, validation middleware, TypeScript types
Usage:
Generate Express routes from OpenAPI spec
python scripts/api_scaffolder.py openapi.yaml --framework express --output src/routes/
Output:
Generated 12 route handlers in src/routes/
- GET /users (listUsers)
- POST /users (createUser)
- GET /users/{id} (getUser)
- PUT /users/{id} (updateUser)
- DELETE /users/{id} (deleteUser)
...
Created validation middleware: src/middleware/validators.ts
Created TypeScript types: src/types/api.ts
Generate from database schema
python scripts/api_scaffolder.py --from-db postgres://localhost/mydb --output src/routes/
Generate OpenAPI spec from existing routes
python scripts/api_scaffolder.py src/routes/ --generate-spec --output openapi.yaml
Supported Frameworks:
-
Express.js (--framework express )
-
Fastify (--framework fastify )
-
Koa (--framework koa )
- Database Migration Tool
Analyzes database schemas, detects changes, and generates migration files with rollback support.
Input: Database connection string or schema files Output: Migration files, schema diff report, optimization suggestions
Usage:
Analyze current schema and suggest optimizations
python scripts/database_migration_tool.py --connection postgres://localhost/mydb --analyze
Output:
=== Database Analysis Report ===
Tables: 24
Total rows: 1,247,832
MISSING INDEXES (5 found):
orders.user_id - 847ms avg query time, ADD INDEX recommended
products.category_id - 234ms avg query time, ADD INDEX recommended
N+1 QUERY RISKS (3 found):
users -> orders relationship (no eager loading)
SUGGESTED MIGRATIONS:
1. Add index on orders(user_id)
2. Add index on products(category_id)
3. Add composite index on order_items(order_id, product_id)
Generate migration from schema diff
python scripts/database_migration_tool.py --connection postgres://localhost/mydb
--compare schema/v2.sql --output migrations/
Output:
Generated migration: migrations/20240115_add_user_indexes.sql
Generated rollback: migrations/20240115_add_user_indexes_rollback.sql
Dry-run a migration
python scripts/database_migration_tool.py --connection postgres://localhost/mydb
--migrate migrations/20240115_add_user_indexes.sql --dry-run
- API Load Tester
Performs HTTP load testing with configurable concurrency, measuring latency percentiles and throughput.
Input: API endpoint URL and test configuration Output: Performance report with latency distribution, error rates, throughput metrics
Usage:
Basic load test
python scripts/api_load_tester.py https://api.example.com/users --concurrency 50 --duration 30
Output:
=== Load Test Results ===
Target: https://api.example.com/users
Duration: 30s | Concurrency: 50
THROUGHPUT:
Total requests: 15,247
Requests/sec: 508.2
Successful: 15,102 (99.0%)
Failed: 145 (1.0%)
LATENCY (ms):
Min: 12
Avg: 89
P50: 67
P95: 198
P99: 423
Max: 1,247
ERRORS:
Connection timeout: 89
HTTP 503: 56
RECOMMENDATION: P99 latency (423ms) exceeds 200ms target.
Consider: connection pooling, query optimization, or horizontal scaling.
Test with custom headers and body
python scripts/api_load_tester.py https://api.example.com/orders
--method POST
--header "Authorization: Bearer token123"
--body '{"product_id": 1, "quantity": 2}'
--concurrency 100
--duration 60
Compare two endpoints
python scripts/api_load_tester.py https://api.example.com/v1/users https://api.example.com/v2/users
--compare --concurrency 50 --duration 30
Backend Development Workflows
API Design Workflow
Use when designing a new API or refactoring existing endpoints.
Step 1: Define resources and operations
openapi.yaml
openapi: 3.0.3 info: title: User Service API version: 1.0.0 paths: /users: get: summary: List users parameters: - name: limit in: query schema: type: integer default: 20 post: summary: Create user requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/CreateUser'
Step 2: Generate route scaffolding
python scripts/api_scaffolder.py openapi.yaml --framework express --output src/routes/
Step 3: Implement business logic
// src/routes/users.ts (generated, then customized) export const createUser = async (req: Request, res: Response) => { const { email, name } = req.body;
// Add business logic const user = await userService.create({ email, name });
res.status(201).json(user); };
Step 4: Add validation middleware
Validation is auto-generated from OpenAPI schema
src/middleware/validators.ts includes:
- Request body validation
- Query parameter validation
- Path parameter validation
Step 5: Generate updated OpenAPI spec
python scripts/api_scaffolder.py src/routes/ --generate-spec --output openapi.yaml
Database Optimization Workflow
Use when queries are slow or database performance needs improvement.
Step 1: Analyze current performance
python scripts/database_migration_tool.py --connection $DATABASE_URL --analyze
Step 2: Identify slow queries
-- Check query execution plans EXPLAIN ANALYZE SELECT * FROM orders WHERE user_id = 123 ORDER BY created_at DESC LIMIT 10;
-- Look for: Seq Scan (bad), Index Scan (good)
Step 3: Generate index migrations
python scripts/database_migration_tool.py --connection $DATABASE_URL
--suggest-indexes --output migrations/
Step 4: Test migration (dry-run)
python scripts/database_migration_tool.py --connection $DATABASE_URL
--migrate migrations/add_indexes.sql --dry-run
Step 5: Apply and verify
Apply migration
python scripts/database_migration_tool.py --connection $DATABASE_URL
--migrate migrations/add_indexes.sql
Verify improvement
python scripts/database_migration_tool.py --connection $DATABASE_URL --analyze
Security Hardening Workflow
Use when preparing an API for production or after a security review.
Step 1: Review authentication setup
// Verify JWT configuration const jwtConfig = { secret: process.env.JWT_SECRET, // Must be from env, never hardcoded expiresIn: '1h', // Short-lived tokens algorithm: 'RS256' // Prefer asymmetric };
Step 2: Add rate limiting
import rateLimit from 'express-rate-limit';
const apiLimiter = rateLimit({ windowMs: 15 * 60 * 1000, // 15 minutes max: 100, // 100 requests per window standardHeaders: true, legacyHeaders: false, });
app.use('/api/', apiLimiter);
Step 3: Validate all inputs
import { z } from 'zod';
const CreateUserSchema = z.object({ email: z.string().email().max(255), name: z.string().min(1).max(100), age: z.number().int().positive().optional() });
// Use in route handler const data = CreateUserSchema.parse(req.body);
Step 4: Load test with attack patterns
Test rate limiting
python scripts/api_load_tester.py https://api.example.com/login
--concurrency 200 --duration 10 --expect-rate-limit
Test input validation
python scripts/api_load_tester.py https://api.example.com/users
--method POST
--body '{"email": "not-an-email"}'
--expect-status 400
Step 5: Review security headers
import helmet from 'helmet';
app.use(helmet({ contentSecurityPolicy: true, crossOriginEmbedderPolicy: true, crossOriginOpenerPolicy: true, crossOriginResourcePolicy: true, hsts: { maxAge: 31536000, includeSubDomains: true }, }));
Reference Documentation
File Contains Use When
references/api_design_patterns.md
REST vs GraphQL, versioning, error handling, pagination Designing new APIs
references/database_optimization_guide.md
Indexing strategies, query optimization, N+1 solutions Fixing slow queries
references/backend_security_practices.md
OWASP Top 10, auth patterns, input validation Security hardening
Common Patterns Quick Reference
REST API Response Format
{ "data": { "id": 1, "name": "John" }, "meta": { "requestId": "abc-123" } }
Error Response Format
{ "error": { "code": "VALIDATION_ERROR", "message": "Invalid email format", "details": [{ "field": "email", "message": "must be valid email" }] }, "meta": { "requestId": "abc-123" } }
HTTP Status Codes
Code Use Case
200 Success (GET, PUT, PATCH)
201 Created (POST)
204 No Content (DELETE)
400 Validation error
401 Authentication required
403 Permission denied
404 Resource not found
429 Rate limit exceeded
500 Internal server error
Database Index Strategy
-- Single column (equality lookups) CREATE INDEX idx_users_email ON users(email);
-- Composite (multi-column queries) CREATE INDEX idx_orders_user_status ON orders(user_id, status);
-- Partial (filtered queries) CREATE INDEX idx_orders_active ON orders(created_at) WHERE status = 'active';
-- Covering (avoid table lookup) CREATE INDEX idx_users_email_name ON users(email) INCLUDE (name);
Common Commands
API Development
python scripts/api_scaffolder.py openapi.yaml --framework express python scripts/api_scaffolder.py src/routes/ --generate-spec
Database Operations
python scripts/database_migration_tool.py --connection $DATABASE_URL --analyze python scripts/database_migration_tool.py --connection $DATABASE_URL --migrate file.sql
Performance Testing
python scripts/api_load_tester.py https://api.example.com/endpoint --concurrency 50 python scripts/api_load_tester.py https://api.example.com/endpoint --compare baseline.json