AgentSkillsCN

backend-core

无语言依赖的后端模式:API 设计、身份验证、安全性、数据库。 适用于:设计 API、实现身份验证、保护端点、建模数据。 触发词:“API 设计”、“REST API”、“GraphQL”、“身份验证”、“JWT”、“OAuth”、“安全性”、“OWASP”、“数据库 Schema”、“迁移”、“SQL”。

SKILL.md
--- frontmatter
name: backend-core
description: |
  Language-agnostic backend patterns: API design, authentication, security, databases.
  Use when: designing APIs, implementing auth, securing endpoints, modeling data.
  Triggers: "api design", "rest api", "graphql", "authentication", "jwt", "oauth",
  "security", "owasp", "database schema", "migrations", "sql".
tags: [backend, patterns, api, authentication, security, database]
category: development

Backend Core Patterns

Quick Reference

TopicWhen to UseReference
API DesignREST/GraphQL/gRPC endpointsapi-design.md
AuthenticationJWT, OAuth, sessions, magic linksauthentication.md
SecurityInput validation, OWASP, rate limitingsecurity.md
DatabasesSchema design, migrations, queriesdatabases.md

API Design Decision Tree

code
What type of API?
├─ Public API → REST + OpenAPI spec
├─ Internal microservices → gRPC (performance) or REST (simplicity)
├─ Real-time → WebSocket or SSE
└─ Complex queries → GraphQL

Auth Decision Tree

code
Auth method?
├─ SPA/Mobile → JWT (access + refresh tokens)
├─ Server-rendered → Session cookies
├─ Third-party login → OAuth 2.0 / OIDC
├─ Passwordless → Magic link (email) or WebAuthn
└─ API-to-API → API keys or mTLS

Security Essentials

Always:

  • Validate all inputs at boundaries
  • Use parameterized queries (never string concat SQL)
  • Hash passwords with bcrypt/argon2 (cost ≥ 10)
  • HTTPS everywhere, HSTS headers
  • Rate limit auth endpoints

Never:

  • Store secrets in code or git
  • Trust client-side validation alone
  • Log sensitive data (passwords, tokens, PII)
  • Use MD5/SHA1 for passwords

Database Patterns

code
Schema design:
├─ Start normalized (3NF)
├─ Denormalize only for proven bottlenecks
├─ Always have created_at, updated_at
├─ Use UUIDs for public IDs, integers for internal FKs
└─ Soft delete (deleted_at) for important data

Anti-patterns

Don'tDo Instead
N+1 queriesEager load / batch queries
SELECT *Select only needed columns
No indexes on WHERE/JOIN columnsAdd indexes
Storing files in DBUse object storage (S3, R2)
God objectsBounded contexts, single responsibility