# Extension Backend (`extension-backend`)
Build a secure, maintainable backend API for a Chrome extension. Recommended stack: NestJS + MongoDB (Mongoose).
## When to Activate
Activate this skill when extension work requires:
- License verification / payment webhooks
- User authentication / account management
- Data sync across devices
- External API proxy (hide API keys from extension)
- Any server-side logic
## Workflow (Execute This)
### Step 1: Ask user to confirm requirements
- Do you need a backend? (explain why: API keys, auth, payments, sync)
- Stack preference: NestJS + MongoDB (recommended) or custom?
- Hosting target: Vercel / Railway / Fly.io / AWS / self-hosted?
- Features needed (pick from):
  - User auth (Google OAuth via chrome.identity)
  - License/subscription verification
  - Payment webhooks (Stripe, Paddle, etc.)
  - Data sync / storage API
  - External API proxy
  - Rate limiting
### Step 2: Fetch framework docs
Use the `docs-seeker` skill to fetch the latest docs:

- NestJS: https://docs.nestjs.com/
- Mongoose: https://mongoosejs.com/docs/
- TypeScript style: https://google.github.io/styleguide/tsguide.html
- JavaScript style: https://google.github.io/styleguide/jsguide.html
### Step 3: Scaffold the backend
```bash
npx @nestjs/cli new extension-backend --strict --package-manager pnpm
cd extension-backend
pnpm add @nestjs/mongoose mongoose @nestjs/config class-validator class-transformer
pnpm add helmet @nestjs/throttler
pnpm add -D @types/express
```

### Step 4: Project structure
```text
src/
├── main.ts                       # Bootstrap, CORS, helmet, validation
├── app.module.ts                 # Root module
├── config/
│   └── configuration.ts          # Env-based config
├── auth/
│   ├── auth.module.ts            # Auth module
│   ├── auth.controller.ts        # POST /auth/verify-token
│   ├── auth.service.ts           # Token validation logic
│   └── guards/auth.guard.ts      # Global auth guard
├── license/
│   ├── license.module.ts
│   ├── license.controller.ts     # GET /license/verify
│   ├── license.service.ts        # License CRUD
│   └── schemas/license.schema.ts # Mongoose schema
├── webhook/
│   ├── webhook.module.ts
│   ├── webhook.controller.ts     # POST /webhook/stripe
│   └── webhook.service.ts        # Process payment events
└── common/
    ├── filters/http-exception.filter.ts
    ├── interceptors/logging.interceptor.ts
    └── dto/                      # Shared DTOs
```

### Step 5: Essential endpoints
| Method | Endpoint | Purpose | Auth |
|---|---|---|---|
| POST | `/auth/verify-token` | Verify Google OAuth token | No |
| GET | `/license/verify` | Check user subscription status | Yes |
| POST | `/webhook/stripe` | Receive payment events | Signature |
| GET | (path not specified) | Health check | No |
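The `POST /auth/verify-token` row is where a forged, expired or re-targeted Google token would get in, so here is an added example of the checks that endpoint needs: the JWT algorithm pinned to RS256, a valid signature, and then issuer, audience (this extension's OAuth client ID) and expiry. This is example code written for this page, not the project's `auth.service.ts`, and it assumes the standard OpenID Connect ID token layout. `mintToken`, `demoKeys`, `DEMO_CLIENT_ID`, `NOW`, `demoClaims` and `rejects` are constructed stand-ins for Google's signing key and token so the block runs offline; a real backend verifies against Google's published keys (for example through the `google-auth-library` package) rather than a local key pair.

```typescript
import { generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

// Claims the backend checks on a Google ID token (standard OIDC field names).
export interface IdTokenClaims {
  iss: string;
  aud: string;
  sub: string;
  email?: string;
  iat: number;
  exp: number;
}

const GOOGLE_ISSUERS = ["https://accounts.google.com", "accounts.google.com"];

function b64url(data: Buffer | string): string {
  return Buffer.from(data).toString("base64url");
}

function decodeSegment(segment: string): unknown {
  return JSON.parse(Buffer.from(segment, "base64url").toString("utf8"));
}

// Verify an RS256-signed ID token. Signature and algorithm are checked before
// any claim is trusted; then issuer, audience and expiry are compared.
// `publicKey` stands in for the key the backend would fetch from Google's JWKS.
export function verifyIdToken(
  token: string,
  publicKey: KeyObject,
  expectedAud: string,
  nowSeconds: number,
): IdTokenClaims {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  const header = decodeSegment(h) as { alg?: string };
  // Pin the algorithm: honouring whatever the header says ("none", HS256) is a classic JWT flaw.
  if (header.alg !== "RS256") throw new Error("unexpected alg");
  const signedInput = Buffer.from(`${h}.${p}`, "utf8");
  if (!verify("sha256", signedInput, publicKey, Buffer.from(s, "base64url"))) {
    throw new Error("bad signature");
  }
  const claims = decodeSegment(p) as IdTokenClaims;
  if (!GOOGLE_ISSUERS.includes(claims.iss)) throw new Error("bad issuer");
  // aud must be this extension's OAuth client ID; a token minted for another app is not a login here.
  if (claims.aud !== expectedAud) throw new Error("audience mismatch");
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) throw new Error("token expired");
  return claims;
}

// Mint a token with a local key so the verifier can be exercised offline.
// This stands in for Google's side; the backend never mints ID tokens itself.
export function mintToken(claims: IdTokenClaims, privateKey: KeyObject, alg = "RS256"): string {
  const h = b64url(JSON.stringify({ alg, typ: "JWT" }));
  const p = b64url(JSON.stringify(claims));
  const sig = alg === "RS256" ? sign("sha256", Buffer.from(`${h}.${p}`), privateKey) : Buffer.alloc(0);
  return `${h}.${p}.${b64url(sig)}`;
}

// Constructed key pair, client ID, clock and claims for the demo (not real Google values).
export const demoKeys = generateKeyPairSync("rsa", { modulusLength: 2048 });
export const DEMO_CLIENT_ID = "000000000000-constructed.apps.googleusercontent.com";
export const NOW = 1_700_000_000;

export function demoClaims(overrides: Partial<IdTokenClaims> = {}): IdTokenClaims {
  return {
    iss: "https://accounts.google.com",
    aud: DEMO_CLIENT_ID,
    sub: "1234567890",
    email: "user@example.com",
    iat: NOW - 60,
    exp: NOW + 3600,
    ...overrides,
  };
}

// True when verification rejects the token, so rejection paths can be checked without try/catch noise.
export function rejects(token: string): boolean {
  try {
    verifyIdToken(token, demoKeys.publicKey, DEMO_CLIENT_ID, NOW);
    return false;
  } catch {
    return true;
  }
}
```

Only after `verifyIdToken` returns should the service create or look up the user by `sub` (not by `email`, which can change) and issue its own session credential for the extension to send on later `/license/verify` calls.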
### Step 6: Security checklist
See `references/security-patterns.md` for implementation details.

- Helmet middleware enabled
- CORS restricted to `chrome-extension://<ID>` origin
- Rate limiting (ThrottlerModule)
- Input validation (class-validator on all DTOs)
- Webhook signature verification
- No secrets in response bodies
- MongoDB injection prevention (Mongoose sanitizes by default)
- HTTPS only in production
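Three items on the checklist above (webhook signature verification, CORS restricted to the extension origin, and MongoDB injection prevention) reduce to small functions that can be unit-tested outside NestJS. The block below is an added example for this page, not code from `references/security-patterns.md` or the project: `signWebhook`, `verifyWebhook`, `isAllowedExtensionOrigin` and `toSafeFilter` are names chosen here, the signature header layout is modelled on Stripe's documented `t=<timestamp>,v1=<hmac>` format (an assumption for the example; in production the Stripe SDK does the real parsing), and every secret, body and extension ID is constructed. The filter helper exists because Mongoose's casting alone does not stop a filter object assembled straight from a request body from carrying query operators.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// --- Webhook signature verification -----------------------------------------
// Signed string is "<ts>.<raw body>" under the endpoint secret, so the raw
// request body must be kept exactly as received (no JSON re-serialisation).

export function signWebhook(rawBody: string, secret: string, ts: number): string {
  const mac = createHmac("sha256", secret).update(`${ts}.${rawBody}`).digest("hex");
  return `t=${ts},v1=${mac}`;
}

export function verifyWebhook(
  rawBody: string,
  sigHeader: string,
  secret: string,
  nowSeconds: number,
  toleranceSeconds = 300,
): boolean {
  const fields = new Map<string, string>();
  for (const part of sigHeader.split(",")) {
    const eq = part.indexOf("=");
    if (eq > 0) fields.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  const ts = Number(fields.get("t"));
  const given = fields.get("v1");
  if (!Number.isInteger(ts) || !given) return false;
  // Replay window: an old but validly signed event is rejected.
  if (Math.abs(nowSeconds - ts) > toleranceSeconds) return false;
  const expected = createHmac("sha256", secret).update(`${ts}.${rawBody}`).digest();
  const provided = Buffer.from(given, "hex");
  // timingSafeEqual throws on length mismatch, so compare lengths first (this also catches bad hex).
  if (provided.length !== expected.length) return false;
  return timingSafeEqual(provided, expected);
}

// --- CORS origin allowlist ----------------------------------------------------
// Chrome extension IDs are 32 characters from a-p, so the origin is
// "chrome-extension://<32 letters>". Only the deployed extension's own ID is
// accepted; a wildcard would let any extension or page call the API.
export function isAllowedExtensionOrigin(origin: string | undefined, allowedIds: readonly string[]): boolean {
  if (!origin) return false;
  const m = /^chrome-extension:\/\/([a-p]{32})$/.exec(origin);
  const id = m?.[1];
  return id !== undefined && allowedIds.includes(id);
}

// --- Query filter hardening ---------------------------------------------------
// Mongoose casts values to the schema type, but a filter built from the request
// body can still carry operators such as { licenseKey: { $ne: null } }. Keep only
// allow-listed fields and require primitive values before the object reaches
// Model.findOne(); Mongoose's `sanitizeFilter` option adds a second layer.
export function toSafeFilter(
  body: unknown,
  allowedFields: readonly string[],
): Record<string, string | number | boolean> {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    throw new Error("filter body must be an object");
  }
  const out: Record<string, string | number | boolean> = {};
  for (const field of allowedFields) {
    const value = (body as Record<string, unknown>)[field];
    if (value === undefined) continue;
    if (typeof value !== "string" && typeof value !== "number" && typeof value !== "boolean") {
      throw new Error(`field "${field}" must be a primitive, got ${typeof value}`);
    }
    out[field] = value;
  }
  return out;
}
```

In NestJS the webhook check needs the unparsed body, which the `rawBody: true` application option preserves on the request; run `verifyWebhook` before any JSON parsing or business logic, and apply `isAllowedExtensionOrigin` as the `origin` callback of `enableCors` so browsers refuse responses to every other origin.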
## References
- `references/nestjs-setup.md` — Bootstrap, modules, CORS, env config
- `references/security-patterns.md` — Auth guard, rate limiting, webhook verification, CORS
- `references/mongoose-patterns.md` — Schemas, services, queries, indexes
- `references/extension-api-patterns.md` — Endpoints the extension calls, token flow
## Related Skills
- `extension-payment` — Payment gateway integration (calls this backend)
- `extension-dev` — Extension-side feature development
- `extension-analyze` — Security audit for both extension and backend