backend-developer
Backend Developer Skill
Purpose
Provides comprehensive expertise in server-side application development across multiple frameworks, languages, and deployment strategies. Specializes in building scalable APIs, database design, authentication systems, and production-ready backend infrastructure.
When to Use
- Building REST or GraphQL APIs
- Designing database schemas and models
- Implementing authentication and authorization
- Setting up server infrastructure
- Creating microservices or monolithic backends
- Optimizing backend performance
- Deploying server applications to production
- Need multi-framework backend guidance (Express, FastAPI, Django, Spring)
Quick Start
Invoke this skill when:
- Building server-side APIs (REST, GraphQL) in Node.js, Python, Java, or Go
- Implementing authentication/authorization (JWT, OAuth2, session-based)
- Designing database schemas and ORM integration
- Setting up backend testing (unit, integration, E2E)
- Implementing middleware (logging, validation, error handling)
- Deploying backend services to Kubernetes, AWS, GCP, or Azure
- Optimizing backend performance (caching, query optimization, rate limiting)
Do NOT invoke when:
- Only frontend development needed → Use frontend-developer or nextjs-developer
- Database-specific optimization required → Use database-optimizer or postgres-pro
- API design without implementation → Use api-designer
- GraphQL-specific architecture → Use graphql-architect
- DevOps/infrastructure only → Use devops-engineer or cloud-architect
Framework Support
Node.js/TypeScript
- Express.js, NestJS, Koa.js, Fastify
Python
- FastAPI, Django, Flask, Tornado
Java
- Spring Boot, Quarkus, Micronaut
Go
- Gin, Echo, Fiber
Decision Framework
Backend Framework Selection
Backend Framework Selection
├─ JavaScript/TypeScript
│ ├─ Need rapid development + type safety → NestJS
│ ├─ Need lightweight/fast performance → Fastify
│ └─ Need simplicity + ecosystem → Express.js
│
├─ Python
│ ├─ Need async + high performance → FastAPI
│ └─ Need batteries-included → Django (+ DRF)
│
├─ Java
│ └─ Enterprise-ready → Spring Boot
│
└─ Go
└─ High-performance services → Gin or Fiber
Authentication Strategy Matrix
| Scenario | Strategy | Complexity | Security |
|---|---|---|---|
| Stateless API (mobile, SPA) | JWT | Low | Medium |
| Third-party login | OAuth 2.0 | Medium | High |
| Traditional web app | Session-based | Low | High |
| Microservices | JWT + API Gateway | High | High |
| Enterprise SSO | SAML 2.0 | High | Very High |
Database & ORM Selection
Database & ORM Decision
├─ Relational (SQL)
│ ├─ Node.js/TypeScript
│ │ ├─ Need type safety + migrations → Prisma
│ │ └─ Need flexibility → TypeORM or Sequelize
│ ├─ Python
│ │ ├─ Async required → Tortoise ORM or SQLModel
│ │ └─ Sync / Django → Django ORM or SQLAlchemy
│ └─ Java
│ └─ JPA (Hibernate) or jOOQ
│
└─ NoSQL
├─ Document store → MongoDB (Mongoose for Node.js)
└─ Key-value → Redis (caching, sessions)
Best Practices
- Always validate input - Use provided validation middleware
- Handle errors gracefully - Use generated error handlers
- Write tests - Use test templates for consistency
- Use environment variables - Never hardcode secrets
- Implement logging - Use provided logging configuration
- Monitor performance - Set up metrics and alerts
- Security first - Use provided authentication setup
- Version your API - Follow versioning patterns
- Document your code - Generate API docs automatically
- Deploy safely - Use provided deployment scripts
Common Patterns
Repository Pattern
- Separation of concerns
- Easy testing
- Swappable implementations
Service Layer
- Centralized business rules
- Transaction management
- Error handling
Middleware Stack
- Authentication
- Authorization
- Validation
- Logging
- Error handling
Troubleshooting
Common Issues
Database connection errors
- Check connection string
- Verify database is running
- Check network connectivity
- Review connection pool settings
Authentication failures
- Verify JWT secret
- Check token expiration
- Validate token format
- Review middleware order
Build failures
- Check TypeScript configuration
- Verify dependencies are installed
- Review error messages
- Check for syntax errors
Deployment issues
- Verify Docker image builds
- Check Kubernetes pods
- Review logs
- Verify environment variables
Quality Checklist
Security
- Input validation on all endpoints (Zod/Joi)
- Password hashing (bcrypt cost 10+ or Argon2)
- SQL injection prevention (parameterized queries)
- Rate limiting on auth endpoints
- Security headers (Helmet.js)
- Environment variables for secrets
Authentication & Authorization
- Strong JWT secret (256-bit)
- Short-lived access tokens (15min)
- Refresh token rotation
- Authorization checks on protected routes
Error Handling
- Global error handler
- Async error handling (express-async-errors)
- Clear validation error messages
- 404 handling for unknown endpoints
Performance
- Database connection pooling
- Query optimization (no N+1)
- Caching (Redis for sessions, rate limiting)
- Response compression (gzip/brotli)
Testing
- Unit tests for services/repositories
- Integration tests for API endpoints
- >80% coverage for critical paths
- Separate test database
Additional Resources
- Detailed Technical Reference: See REFERENCE.md
- Code Examples & Patterns: See EXAMPLES.md