api

Time parsing bugs are common in APIs: clients send different formats, empty strings, or timezone-less values. I like making time parsing explicit by wrapping time.Time and implementing UnmarshalJSON. The wrapper accepts RFC3339, treats null as “unset,

Offset pagination falls apart as soon as rows are inserted or deleted between page fetches—users see duplicates or missing items. Cursor pagination fixes that with stable ordering and ‘seek’ queries. I use a compound cursor that includes both the prim

Rate limiting prevents API abuse by restricting request frequency per user or IP. Laravel's RateLimiter facade defines limits in RouteServiceProvider. I apply limiters via middleware—throttle:api for the default API limiter. Custom limiters use closur

Network failures and client retries can cause duplicate request processing, leading to duplicate charges, double-created resources, or inconsistent state. Idempotency keys solve this by tracking processed requests and returning cached responses for du

Strong parameters prevent mass assignment vulnerabilities by explicitly permitting allowed attributes. For nested associations like a post with embedded images or comments, I use nested permit calls. Arrays of primitives use [] syntax, while hashes of

I create custom permission classes to encapsulate authorization logic outside of views. This IsOwnerOrReadOnly pattern is useful for resources where anyone can read but only the owner can modify. By implementing has_object_permission, I can make granu

Cross-Origin Resource Sharing (CORS) enables frontend apps on different domains to access your API. I use django-cors-headers for production-ready CORS handling. I configure CORS_ALLOWED_ORIGINS for specific domains in production and use CORS_ALLOW_AL

For list endpoints, the frontend needs predictable pagination metadata, not just an array. I return items plus pageInfo (endCursor, hasNextPage) so building infinite scroll is straightforward and the API stays extensible if you later add totals (which

Most handler bugs I debug are really input bugs: oversized bodies, unexpected fields, or clients sending arrays when the API expects an object. A dedicated decode helper makes behavior consistent. This pattern wraps the request body with http.MaxBytes

API docs shouldn’t be a wiki page that drifts from reality. I generate an OpenAPI spec from code-adjacent definitions so changes get reviewed alongside implementation. The frontend benefits too: typed clients, mock servers, and even contract tests bec

A lot of handler complexity disappears if you reject bad requests early. I enforce the HTTP method (POST, PUT, etc.) and require Content-Type: application/json before attempting to decode. This prevents confusing errors where clients send form-encoded

Traditional offset-based pagination becomes unreliable and slow for large datasets when records are frequently inserted or deleted—users can miss items or see duplicates across pages. Cursor-based pagination solves this by using an opaque token that e