Much like the gross, tasty burrito of the same name, this backend architecture has five layers.
- Surface: protocol-level exposure to the outside world. This could be REST HTTP routes, JSON-RPC, GraphQL, or any number of things.
- Authentication: identifies who or what is trying to perform the operation.
- Authorization: given the identity from the authn layer, confirms the operation should be permitted. It also prevents the outer layers from accidentally invoking the service layer directly.
- Service: contains the actual logic of the operation. It may use clients to this end.
- Client: a wrapper around external systems the service might use. These could be databases or other persistence layers, 3rd party APIs, or other services. Clients contain no logic themselves, but naturally whatever they wrap will have its own logic.
What a client looks like depends on what's being wrapped:
- opaque interfaces - might wrap any of the below, the client doesn't know what's behind it and only knows the interface contract
- databases - typically come in the form of a database access library or ORM to facilitate communication over the network to the database
- 3rd party APIs - could be classes which implement HTTP requests and convert responses to domain models
- other services - simply the exposed methods of other services, either in the same process or over the network
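As an added illustration (not code from the original post), here are the five layers as Rust modules, with a constructed in-memory user store standing in for a database and an assumed toy token format of `user:role1,role2` standing in for real authentication. It shows the authz property described above: the service function requires a `Grant` that only the `authz` module can construct, so a surface handler that skips authorization does not compile.

```rust
// Added illustration, not code from the original post: the five layers as modules.
// The service layer requires a `Grant` that only the authz module can construct,
// so a surface handler that skips authorization simply does not compile.
mod authn {
    /// Identity produced by the authentication layer.
    pub struct Identity { pub user: String, pub roles: Vec<String> }
    /// Assumed toy token format "user:role1,role2" standing in for real credential checks.
    pub fn authenticate(token: &str) -> Option<Identity> {
        let (user, roles) = token.split_once(':')?;
        if user.is_empty() { return None; }
        let roles = roles.split(',').filter(|r| !r.is_empty()).map(String::from).collect();
        Some(Identity { user: user.to_string(), roles })
    }
}
mod authz {
    use super::authn::Identity;
    /// Proof of authorization. The private field means only this module can build one,
    /// so outer layers cannot call the service layer without going through authz.
    pub struct Grant { _private: () }
    pub fn can_delete_user(who: &Identity) -> Result<Grant, &'static str> {
        if who.roles.iter().any(|r| r == "admin") { Ok(Grant { _private: () }) } else { Err("forbidden") }
    }
}
mod client {
    /// Client layer: a thin wrapper around persistence (constructed in-memory stand-in for a database).
    pub struct UserStore { users: Vec<String> }
    impl UserStore {
        pub fn new(users: &[&str]) -> Self { UserStore { users: users.iter().map(|u| u.to_string()).collect() } }
        pub fn remove(&mut self, u: &str) -> bool { let n = self.users.len(); self.users.retain(|x| x != u); self.users.len() < n }
        pub fn contains(&self, u: &str) -> bool { self.users.iter().any(|x| x == u) }
    }
}
mod service {
    use super::{authz::Grant, client::UserStore};
    /// Service layer: the actual logic. Consumes the Grant and delegates persistence to the client.
    pub fn delete_user(_grant: Grant, store: &mut UserStore, target: &str) -> bool { store.remove(target) }
}
/// Surface layer: a protocol handler that threads the request through authn -> authz -> service.
pub fn handle_delete(token: &str, target: &str, store: &mut client::UserStore) -> Result<bool, &'static str> {
    let who = authn::authenticate(token).ok_or("unauthenticated")?;
    let grant = authz::can_delete_user(&who)?;
    Ok(service::delete_user(grant, store, target))
}
// Writing `service::delete_user(authz::Grant { _private: () }, ...)` here is a compile error
// (private field), which is the "broken access control won't compile" property from the post.
```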
Pros:
- Clean segmentation between external and internal operations
  - in terms of with vs. without authz
  - in terms of protocol concerns vs. native code access
- OWASP A5:2017 (Broken Access Control) won't compile, since the service layer can only be reached through the authz layer
Cons:
- Beefy: adding a new operation requires that operation to be added in three layers (surface, authz, service)
  - plus the client layer for CRUD apps that keep the service layer and database loosely coupled
  - this compounds if you have an abstraction (e.g. a Java interface) for the service and/or database

Things to consider:
- Consider whether tight coupling with the database is right for your service
- Consider the testing needs of services and how difficult it will be to abstract them behind an interface down the road