ogt-docs-rules-code-back

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

OGT Docs - Rules Code Back

OGT 文档 - 后端代码规则

Backend-specific coding standards for APIs, databases, and services.

适用于API、数据库和服务的后端专属编码规范。

Overview

概述

Backend rules establish consistent patterns for API design, database operations, service architecture, and server-side logic.

mermaid

flowchart TB
    subgraph back ["docs/rules/code/back/"]
        API["api/"]
        DB["database/"]
        SVC["services/"]
        AUTH["auth/"]
        VALID["validation/"]
    end

    API --> |patterns| A1["REST design"]
    API --> |patterns| A2["response format"]
    DB --> |patterns| D1["queries"]
    SVC --> |patterns| S1["architecture"]
    AUTH --> |patterns| AU1["tokens"]

后端规则为API设计、数据库操作、服务架构和服务器端逻辑建立统一模式。

mermaid

flowchart TB
    subgraph back ["docs/rules/code/back/"]
        API["api/"]
        DB["database/"]
        SVC["services/"]
        AUTH["auth/"]
        VALID["validation/"]
    end

    API --> |patterns| A1["REST design"]
    API --> |patterns| A2["response format"]
    DB --> |patterns| D1["queries"]
    SVC --> |patterns| S1["architecture"]
    AUTH --> |patterns| AU1["tokens"]

When to Use

适用场景

Creating API design standards
Defining database patterns
Establishing service architecture
Writing authentication rules
Setting validation patterns

创建API设计标准
定义数据库模式
建立服务架构
编写认证规则
设置校验模式

Folder Structure

目录结构

docs/rules/code/back/
├── api/                            # API design
│   ├── rest_design/
│   ├── response_format/
│   ├── versioning/
│   └── error_responses/
│
├── database/                       # Database patterns
│   ├── queries/
│   ├── migrations/
│   ├── naming/
│   └── transactions/
│
├── services/                       # Service architecture
│   ├── structure/
│   ├── dependencies/
│   └── error_handling/
│
├── auth/                           # Authentication
│   ├── tokens/
│   ├── sessions/
│   └── permissions/
│
└── validation/                     # Input validation
    ├── request_validation/
    └── sanitization/

docs/rules/code/back/
├── api/                            # API设计
│   ├── rest_design/
│   ├── response_format/
│   ├── versioning/
│   └── error_responses/
│
├── database/                       # 数据库模式
│   ├── queries/
│   ├── migrations/
│   ├── naming/
│   └── transactions/
│
├── services/                       # 服务架构
│   ├── structure/
│   ├── dependencies/
│   └── error_handling/
│
├── auth/                           # 认证
│   ├── tokens/
│   ├── sessions/
│   └── permissions/
│
└── validation/                     # 输入校验
    ├── request_validation/
    └── sanitization/

Example: docs/rules/code/back/api/rest_design/

示例：docs/rules/code/back/api/rest_design/

rule.md

markdown

undefined

markdown

undefined

Rule: RESTful API Design

规则：RESTful API设计

Summary

概述

APIs MUST follow RESTful conventions for resource naming, HTTP methods, and status codes.

API必须遵循RESTful约定进行资源命名、HTTP方法和状态码的使用。

The Rules

规则细则

1. Resource Naming

1. 资源命名

MUST use plural nouns for collections.


GET /api/users # Collection
GET /api/users/123 # Single resource
POST /api/users # Create

必须使用复数名词表示资源集合。


GET /api/users # 资源集合
GET /api/users/123 # 单个资源
POST /api/users # 创建资源

2. HTTP Methods

2. HTTP方法

Method	Use Case	Idempotent
GET	Retrieve	Yes
POST	Create	No
PUT	Replace	Yes
PATCH	Update	Yes
DELETE	Remove	Yes

方法	使用场景	幂等性
GET	检索资源	是
POST	创建资源	否
PUT	替换资源	是
PATCH	更新资源	是
DELETE	删除资源	是

3. Status Codes

3. 状态码

Code	Use When
200	Successful GET/PUT/PATCH
201	Successful POST
204	Successful DELETE
400	Invalid input
401	Not authenticated
403	Not authorized
404	Not found
422	Validation failed

状态码	使用场景
200	GET/PUT/PATCH请求成功
201	POST请求成功
204	DELETE请求成功
400	输入无效
401	未认证
403	未授权
404	资源不存在
422	校验失败

Examples

示例

Correct

正确示例

typescript

router.get('/users', async (ctx) => {
  ctx.status = 200;
  ctx.body = { data: users };
});

router.post('/users', async (ctx) => {
  const user = await userService.create(ctx.request.body);
  ctx.status = 201;
  ctx.body = { data: user };
});

typescript

router.get('/users', async (ctx) => {
  ctx.status = 200;
  ctx.body = { data: users };
});

router.post('/users', async (ctx) => {
  const user = await userService.create(ctx.request.body);
  ctx.status = 201;
  ctx.body = { data: user };
});

Incorrect

错误示例

typescript

// BAD - verbs in URL
router.post('/api/createUser', ...);

// BAD - wrong status
router.post('/users', async (ctx) => {
  ctx.status = 200;  // Should be 201
});

---

typescript

// 错误 - URL中使用动词
router.post('/api/createUser', ...);

// 错误 - 状态码使用不当
router.post('/users', async (ctx) => {
  ctx.status = 200;  // 应使用201
});

---

Example: docs/rules/code/back/database/queries/

示例：docs/rules/code/back/database/queries/

rule.md

markdown

undefined

markdown

undefined

Rule: Database Queries

规则：数据库查询

Summary

概述

Database queries MUST be parameterized, efficient, and properly scoped.

数据库查询必须使用参数化写法，保证高效性和正确的作用域。

The Rules

规则细则

1. Always Parameterize

1. 始终使用参数化查询

typescript

// CORRECT
await db.query('SELECT * FROM users WHERE id = $1', [userId]);

// FORBIDDEN - SQL injection
await db.query(`SELECT * FROM users WHERE id = ${userId}`);

typescript

// 正确写法
await db.query('SELECT * FROM users WHERE id = $1', [userId]);

// 禁止使用 - 存在SQL注入风险
await db.query(`SELECT * FROM users WHERE id = ${userId}`);

2. Select Only Needed Columns

2. 仅选择需要的列

typescript

// CORRECT
await db.query("SELECT id, name FROM users WHERE id = $1", [id]);

// AVOID
await db.query("SELECT * FROM users WHERE id = $1", [id]);

typescript

// 正确写法
await db.query("SELECT id, name FROM users WHERE id = $1", [id]);

// 应避免
await db.query("SELECT * FROM users WHERE id = $1", [id]);

3. Always Limit Results

3. 始终限制查询结果

typescript

// CORRECT
await db.query("SELECT * FROM posts LIMIT $1 OFFSET $2", [limit, offset]);

typescript

// 正确写法
await db.query("SELECT * FROM posts LIMIT $1 OFFSET $2", [limit, offset]);

4. Avoid N+1 Queries

4. 避免N+1查询问题

typescript

// BAD - N+1
for (const user of users) {
  user.posts = await db.query("SELECT * FROM posts WHERE user_id = $1", [
    user.id,
  ]);
}

// GOOD - batch
const posts = await db.query("SELECT * FROM posts WHERE user_id = ANY($1)", [
  userIds,
]);

typescript

// 错误 - N+1查询
for (const user of users) {
  user.posts = await db.query("SELECT * FROM posts WHERE user_id = $1", [
    user.id,
  ]);
}

// 正确 - 批量查询
const posts = await db.query("SELECT * FROM posts WHERE user_id = ANY($1)", [
  userIds,
]);

5. Use Transactions

5. 使用事务

typescript

await db.transaction(async (trx) => {
  await trx.query("UPDATE accounts SET balance = balance - $1 WHERE id = $2", [
    amount,
    fromId,
  ]);
  await trx.query("UPDATE accounts SET balance = balance + $1 WHERE id = $2", [
    amount,
    toId,
  ]);
});

---

typescript

await db.transaction(async (trx) => {
  await trx.query("UPDATE accounts SET balance = balance - $1 WHERE id = $2", [
    amount,
    fromId,
  ]);
  await trx.query("UPDATE accounts SET balance = balance + $1 WHERE id = $2", [
    amount,
    toId,
  ]);
});

---

Example: docs/rules/code/back/services/structure/

示例：docs/rules/code/back/services/structure/

rule.md

markdown

undefined

markdown

undefined

Rule: Service Structure

规则：服务结构

Summary

概述

Services MUST follow consistent structure with clear separation of concerns.

服务必须遵循统一结构，明确关注点分离原则。

The Rules

规则细则

1. Single Responsibility

1. 单一职责原则

typescript

// CORRECT - focused services
class UserService { /* user operations */ }
class AuthService { /* authentication */ }
class EmailService { /* email sending */ }

typescript

// 正确 - 职责聚焦的服务
class UserService { /* 用户操作相关 */ }
class AuthService { /* 认证相关 */ }
class EmailService { /* 邮件发送相关 */ }

2. Dependency Injection

2. 依赖注入

typescript

// CORRECT
class UserService {
  constructor(
    private db: Database,
    private emailService: EmailService,
  ) {}
}

// INCORRECT - hard to test
class UserService {
  private db = new Database();
}

typescript

// 正确写法
class UserService {
  constructor(
    private db: Database,
    private emailService: EmailService,
  ) {}
}

// 错误 - 难以测试
class UserService {
  private db = new Database();
}

3. Domain-Specific Errors

3. 领域特定错误

typescript

// CORRECT
class UserNotFoundError extends Error {
  constructor(public userId: string) {
    super(`User not found: ${userId}`);
  }
}

// INCORRECT
throw new Error("Not found");

typescript

// 正确写法
class UserNotFoundError extends Error {
  constructor(public userId: string) {
    super(`User not found: ${userId}`);
  }
}

// 错误写法
throw new Error("Not found");

4. Method Naming

4. 方法命名规范

Operation	Pattern
Get single	`findById`
Get multiple	`findAll`
Create	`create`
Update	`update`
Delete	`delete`

---

操作类型	命名模式
获取单个资源	`findById`
获取多个资源	`findAll`
创建资源	`create`
更新资源	`update`
删除资源	`delete`

---

Example: docs/rules/code/back/auth/tokens/

示例：docs/rules/code/back/auth/tokens/

rule.md

markdown

undefined

markdown

undefined

Rule: Authentication Tokens

规则：认证令牌

Summary

概述

Tokens MUST be securely generated, stored, and validated.

令牌必须安全生成、存储和校验。

The Rules

规则细则

1. Secure Generation

1. 安全生成令牌

typescript

// CORRECT
import { randomBytes } from 'crypto';
const token = randomBytes(32).toString('hex');

// INCORRECT - predictable
const token = Date.now().toString();

typescript

// 正确写法
import { randomBytes } from 'crypto';
const token = randomBytes(32).toString('hex');

// 错误 - 可预测性高
const token = Date.now().toString();

2. Token Expiration

2. 令牌过期时间

Token Type	Max Lifetime
Access Token	15-60 minutes
Refresh Token	7-30 days
Password Reset	1 hour

令牌类型	最长有效期
Access Token	15-60分钟
Refresh Token	7-30天
Password Reset	1小时

3. Secure Storage

3. 安全存储

Context	Storage
Browser	httpOnly cookie
Mobile	Secure storage
Server	Hashed in DB

场景	存储方式
浏览器	httpOnly cookie
移动端	安全存储
服务器	数据库中哈希存储

4. Full Validation

4. 完整校验

typescript

async function validateToken(token: string): Promise<User> {
  const payload = jwt.verify(token, secret);
  const user = await userService.findById(payload.userId);
  if (!user || !user.isActive) throw new InvalidTokenError();
  return user;
}

typescript

async function validateToken(token: string): Promise<User> {
  const payload = jwt.verify(token, secret);
  const user = await userService.findById(payload.userId);
  if (!user || !user.isActive) throw new InvalidTokenError();
  return user;
}

5. Revocation

5. 令牌吊销

typescript

async function logout(userId: string, refreshToken: string) {
  await db.refreshTokens.delete({ where: { token: hashToken(refreshToken) } });
}

---

typescript

async function logout(userId: string, refreshToken: string) {
  await db.refreshTokens.delete({ where: { token: hashToken(refreshToken) } });
}

---

Creating Backend Rules

创建后端规则

mermaid

flowchart TD
    A[Identify Pattern] --> B{Category}

    B -->|API| C[api/]
    B -->|Database| D[database/]
    B -->|Services| E[services/]
    B -->|Auth| F[auth/]

    C --> G[Create Rule Folder]
    D --> G
    E --> G
    F --> G

    G --> H[Write rule.md]
    H --> I[Add examples.md]
    I --> J[Security review if auth/db]

mermaid

flowchart TD
    A[识别模式] --> B{分类}

    B -->|API| C[api/]
    B -->|数据库| D[database/]
    B -->|服务| E[services/]
    B -->|认证| F[auth/]

    C --> G[创建规则目录]
    D --> G
    E --> G
    F --> G

    G --> H[编写rule.md]
    H --> I[添加examples.md]
    I --> J[若涉及认证/数据库则进行安全评审]

Signal Files Reference

信号文件参考

Signal	Content	Purpose
`.version`	JSON	Schema version
`.enforced_by`	List	Tools that enforce
`.security_review`	Date	Last security review

信号文件	内容格式	用途
`.version`	JSON	架构版本标识
`.enforced_by`	列表	执行规则的工具
`.security_review`	日期	最近一次安全评审时间