@nrktkt
Last active February 17, 2021 08:18
Beefy 5 Layer Architecture

Much like the gross, tasty burrito of the same name, this backend architecture has five layers.

  1. Surface
  2. Authentication
  3. Authorization
  4. Service
  5. Client

Layers

Surface Layer

Protocol level exposure to the outside world. This could be REST HTTP routes, JSON-RPC, GraphQL, or any number of things.

Authentication (authn)

This layer establishes who or what is trying to perform the operation (a user, a service, an API-key holder), for example by validating a session cookie or bearer token, and hands that identity to the authz layer.

Authorization (authz)

Given the identity from the authn layer, the authz layer confirms the operation should be permitted. It is also the only path into the service layer, which prevents the outer layers from accidentally invoking a service operation without an authorization check.

Service

The service layer contains the actual logic of the operation. It may utilize clients to this end.

Client

The client layer is a wrapper around external systems that might be used by the service. These could be databases or other persistence layers, 3rd party APIs, or other services. Clients contain no logic themselves, but naturally whatever they wrap will have its own logic.

What do you mean "wrapping"?

It depends on what's being wrapped.

  • opaque interfaces - might wrap any of the below, the client doesn't know what's behind it and only knows the interface contract
  • databases - typically come in the form of a database access library or ORM to facilitate communication over the network to the database
  • 3rd party APIs - could be classes which implement HTTP requests and convert responses to domain models
  • other services - simply the exposed methods of other services, either in the same process or over the network
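The five layers as one small Rust program, added here as an illustration and not code from the gist or its author. The note store, the token table, and the `Authorized` proof type are assumptions for the example. It shows the point made under the authz layer above: `Authorized` can only be constructed inside the `authz` module, so the surface layer has no way to reach the service layer without an authorization check, while the client layer is a logic-free wrapper around an (in-memory) store.

```rust
use std::collections::HashMap;

// ---- Client layer: a thin wrapper over the store; no business logic here. ----
// Assumption for this example: an in-memory map stands in for the database.
pub struct NoteStore {
    rows: HashMap<u32, (String, String)>, // note id -> (owner, body)
}

impl NoteStore {
    pub fn new() -> Self { NoteStore { rows: HashMap::new() } }
    pub fn put(&mut self, id: u32, owner: &str, body: &str) {
        self.rows.insert(id, (owner.to_string(), body.to_string()));
    }
    pub fn get(&self, id: u32) -> Option<&(String, String)> { self.rows.get(&id) }
}

// ---- Authentication layer: who or what is calling? ----
pub struct Identity { pub user: String }

/// Maps a bearer token to an identity. The token table is constructed for the example.
pub fn authenticate(bearer: &str) -> Option<Identity> {
    let user = match bearer {
        "tok-alice" => "alice",
        "tok-bob" => "bob",
        _ => return None,
    };
    Some(Identity { user: user.to_string() })
}

// ---- Authorization layer: may this identity perform this operation? ----
pub mod authz {
    use super::{Identity, NoteStore};

    /// Proof that an operation was authorized. The `op` field is private to this
    /// module, so only the functions below can build one: the surface layer has
    /// no way to reach the service layer without passing through authz.
    pub struct Authorized<Op> { op: Op }

    impl<Op> Authorized<Op> {
        pub fn op(&self) -> &Op { &self.op }
    }

    pub struct ReadNote { pub id: u32 }

    /// Owner-only read. A missing note is also "forbidden", so callers cannot
    /// probe which ids exist.
    pub fn read_note(who: &Identity, store: &NoteStore, id: u32)
        -> Result<Authorized<ReadNote>, &'static str>
    {
        match store.get(id) {
            Some((owner, _)) if *owner == who.user => Ok(Authorized { op: ReadNote { id } }),
            _ => Err("forbidden"),
        }
    }
}

// ---- Service layer: the operation itself; only reachable with a proof. ----
pub mod service {
    use super::authz::{Authorized, ReadNote};
    use super::NoteStore;

    pub fn read_note(proof: &Authorized<ReadNote>, store: &NoteStore) -> String {
        // The proof guarantees the note exists and the caller owns it.
        let (_, body) = store.get(proof.op().id).expect("authorized note exists");
        body.clone()
    }
}

// ---- Surface layer: protocol-shaped entry point, returns (status, body). ----
pub fn handle_get_note(store: &NoteStore, bearer: &str, id: u32) -> (u16, String) {
    let who = match authenticate(bearer) {
        Some(w) => w,
        None => return (401, "unauthenticated".to_string()),
    };
    let proof = match authz::read_note(&who, store, id) {
        Ok(p) => p,
        Err(e) => return (403, e.to_string()),
    };
    // Skipping authz is a compile error, not a runtime bug. This line:
    //   service::read_note(&authz::Authorized { op: authz::ReadNote { id } }, store)
    // is rejected because `op` is private to the authz module.
    (200, service::read_note(&proof, store))
}

/// Constructed sample data for the example.
pub fn sample_store() -> NoteStore {
    let mut s = NoteStore::new();
    s.put(1, "alice", "alice's note");
    s.put(2, "bob", "bob's note");
    s
}
```

`handle_get_note(&sample_store(), "tok-bob", 1)` returns `403` because bob does not own note 1, and an unknown token returns `401` before authz ever runs. Adding a second operation (say `UpdateNote`) means touching surface, authz and service, which is the "beefy" cost discussed below.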

Pros and Cons

Pros

  • Clean segmentation between external and internal operations
    • in terms of with vs without authz
    • in terms of protocol concerns vs native code access
  • OWASP A5:2017 (Broken Access Control) won't compile: a surface route that skips the authz layer has no way to reach the service layer

Cons

  • Beefy - adding a new operation requires that operation to be added in three layers (surface, authz, service)
    • plus the client layer for CRUD apps that keep the service layer and database loosely coupled
    • this compounds if you also have an abstraction (e.g. a Java interface) for the service and/or database

Mitigation

  • Consider whether tight coupling with the database is right for your service
  • Consider the testing needs of each service and how hard it would be to extract an interface later