安全性
- SSL 憑證及加密傳送 (HTTPS)
- 資料再以 private key 做 AES CBC 方式加密
- 對某些重要的值使用 private key 以 sha1 產生 signature 參數做驗證
- token &
Access-Control-Allow-Origin (CSRF)
- htmlspecialchars (XSS)
- SQL injection
設計 RESTful API 注意地方
避免使用 cookie, 因違反無狀態協議, 如果只用來記錄 client 資料不維護狀態, 那麼還是可以使用
session 則完全違反 REST 的無狀態性
解決方式是 client 登入後產生 token, 再從 url 帶 token 過來
驗證身份方法1. 永遠使用 ssl, 就不用每次讓用戶對每次請求簽名
驗證身份方法2. server 將 token 加/解密對應到 session ID, application server 再用 session ID 取得用戶資料判斷權限
增加網站效能
server
- ELB (HA), auto-scaling
- nginx 取代 apache
後端
- background job
- cache 靜態頁面
- memcache / redis
前端
- js/css minify & combine
- 圖片用另一個 domain 避免 browser 一次只能發幾個 request 的限制, 也避免帶到不必要的 cookie
- 一開始先載 lazy_image, 放真正圖片連結在 data-original= 最後再用 js 將 load 正確圖片
mysql
- 使用 in 代替 or
- slow query
- Mysql set index
- master - slave
關於 App
- 手機裡的 App 會有個 UUID,不同的 App UUID 也會不一樣,即使同 App
- App 重新安裝 UUID 會是新的,或者 UUID 好像也有過期時間 (e.g. 180 天)
- 當 app 下載完 UUID 就會像 e.g. APN 註冊,所以 Push Notification 才知道要推給誰
- app 可以自已選擇要不要濾掉 notification,也就是其實發送成功但忽略它
- Android 的 GCM 沒有分環境,都是用 Production; APN 有分環境有分 Sandbox 及 Production
Storage
- 手機本身有兩個儲存的方式,一個是 sqlite,另一個是 local storage
- sqlite 是一個檔案,所以讀寫要開檔跟關檔
- local storage 是 key-value 型態,直接用就可以了
Notification Title
- 如果 app 在前景 android 可以攔截, 並且指定要給的 title, 如果 app 在背景會由系統自行判斷, 如果 notification json format 有 title 的話會使用 title 的值當 notification title
Distributed System (Sub/Pub)
- MQTT
- 主要用在 IoT
- MQTT is a lightweight protocol working only with a broker in the middle with no concept of queue (it can store messages when a client is offline using the “clean session” feature). It has another feature over AMQP like the “will” testment. It supports only pub/sub and have no metadata in the messages.
- mqtt over websocket, 讓 app/website 使用 websocket 連接 server, 利用 mqtt 做 sub/pub 功能
- AMQP
- AMQP is more oriented to messaging than MQTT. It was created by JP Morgan for business transactions.
- MQTT vs AMQP
- The first big difference with MQTT is that AMQP 1.0 is a peer-to-peer protocol : you can use it between two peers, no need for a broker in the middle. Of course it’s used for communication with broker providing store-and-forward mechanism. You can use it for request/reply pattern and for pub/sub.
- kafka
- 主要用在 log 收集
- 每個 topic 劃分多個 partition
- 內部實現不用 cache, 都存在硬碟
- data 會批量壓縮傳送
- kafka 會將 data 儲存下來, 訂購的可以自已控制 pull
- Redis pub/sub
Log 系統
- CloudWatch Log agent 丟到 cloudwatch 或是直接用 Kinesis agent 丟到 Kinesis Streams
- 上面任一方法 -> Kinesis Firehose (log) -> s3
- 上面任一方法 -> Kinesis Firehose (log) -> Kinesis Analytics (SQL query) -> Firehose (result) -> s3
- ELK stack : ElasticSearch(搜尋引擎) + Kibana(顯示圖表/結果) + Logstash (收集 log, 也可用 filebeat/FluentD)
- Telegraf / Collectd + InfluxDB + Grafana 易安裝
- Fluentd + Prometheus + Grafana
2,3,4 都要自已架, 成本也高
ref:
DST 時間 (日光節約時間)
某些國家會調整當地時間以符合日光節約時間,當程式在處理不同國家時間時就要注意了,將時間轉成 dst 存下來,
可以使用別人寫好的第三方來轉,下次取時再將 utc 轉成 dst 撈出來。
Functional programming
Functional programming is a programming paradigm that emphasizes the use of functions to transform and manipulate data, rather than modifying the state of objects.
In functional programming, functions are treated as first-class citizens, which means they can be passed as arguments to other functions,
returned as values from other functions, and composed together to build more complex functionality.
This approach is in contrast to imperative programming, where the state of objects is changed through commands and statements.
The goal of functional programming is to write code that is easy to reason about, test, and maintain by eliminating side effects and promoting immutability and purity of functions.
Common functional programming languages include Haskell, Lisp, and Erlang.
Dynamic programming
Dynamic programming is a method for solving problems by breaking them down into smaller sub-problems and solving each sub-problem only once to obtain solutions for larger problems.
The solutions to the sub-problems are stored in a table, so that they can be reused instead of recomputing them, thus saving time and increasing efficiency.
Dynamic programming is often used to solve optimization problems, such as finding the shortest path between two points or the longest common subsequence of two strings, among others.
如果 MIME 類型與 URL 的 MIME 類型不匹配,則不允許讀取該檔案
我還不是很了解這個實際判斷的方式是什麼, 但我加上 cookie 後, 就可以下載 google drive 的檔案了
CORS
chrome 會先發一個 method: OPTIONS 的 request 測試是否通, 但不會幫你加上 body 及 header
Proxy vs Reverse Proxy
Proxy 後面的 server 有直接對外
Reverse Proxy 後面 server 沒有直接對外
Concurrency vs Parallelism
- Concurrency
- deal with multiple tasks at once by interleaving execution or giving an illusion of simultaneity
- e.g. Imagine a cooking scenario where you have multiple chefs working together to prepare a meal. Each chef focuses on a specific task, such as chopping vegetables, cooking the main course, or baking a dessert.
- Parallelism
- execute tasks simultaneously on multiple processors or cores (at the exect same time)
- e.g. Picture a scenario where a single chef is handling a multitasking situation in the kitchen. The chef might work on chopping vegetables, while a pot is simmering on the stove, and bread is baking in the oven.
Testing
Unit Testing
- The minimum units can be method/function/class.
- Unit testing is the lowest level of testing you can do. It is usually testing a method inside a class. Unit tests do not interact with other classes directly, but instead with mocks. This makes unit tests isolated and easy to debug and refactor.
Integration Testing
- Testing involves in other services such as S3, I/O, etc., like testing APIs.
- Integration testing touches more than one class. Hence, it tests the integration between classes i.e dependencies. It is used to test if the database is giving us the correct results, if an external API is providing us with correct data etc. It tests the real classes and functionalities rather than using mocks. It is significantly slower compared to unit tests to run, since they interact with databases and external providers.
Functional Testing
- Functional testing is a type of testing that tests a whole feature which may call a lot of dependencies. Typically you would test a route for a correct response, or a Controller method that relates to a certain feature in the application. They are slower than integration tests as they touch a lot more dependencies.
Acceptance Testing
- Acceptance testing is the highest level of testing. It only cares if the feature works through the vantage point of customers. The test flow goes through the website clicking and submitting forms and expecting correct results. We use tools like Selenium for this purpose.
Regression Testing
To make sure your new feature won’t break the existing functionality of the application. You have to run all of the tests including itself’s test.
- Rerunning the previously conducted tests
- Comparing current results with previously executed test results
Test Doubles
- Stub: Stub is an object that holds predefined data and uses it to answer calls during tests. It is used when we cannot or don’t want to involve objects that would answer with real data or have undesirable side effects.
- An example can be an object that needs to grab some data from the database to respond to a method call. Instead of the real object, we introduced a stub and defined what data should be returned.
- me: Return a predefined data when calls is made.
- Mock: Mocks are objects that register calls they receive. In test assertion we can verify on Mocks that all expected actions were performed.
- We don’t want to send e-mails each time we run a test. Moreover, it is not easy to verify in tests that a right email was send. Only thing we can do is to verify the outputs of the functionality that is exercised in our test. In other worlds, verify that e-mail sending service was called.
- me: Use a object to make sure the method was called. Don’t care about whether the method works or not.
- PHP Mock Example
- Fake: The fake implementation will not engage database, but will use a simple collection to store data. This allows us to do integration test of services without starting up a database and performing time consuming requests.
- me: Use a set of predefined data, instead of real data from database.
ref: