DEV Community: Abhishek Sharma The latest articles on DEV Community by Abhishek Sharma (@abhishek_sharma_a9792aee8). https://dev.to/abhishek_sharma_a9792aee8 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1904340%2F8b4e504b-61b0-4e3e-a1c7-a6f1bec45410.png DEV Community: Abhishek Sharma https://dev.to/abhishek_sharma_a9792aee8 en What Happens When Your API Has 10,000 Rows? I Added Pagination and Caching to Find Out Abhishek Sharma Tue, 21 Apr 2026 11:10:13 +0000 https://dev.to/abhishek_sharma_a9792aee8/what-happens-when-your-api-has-10000-rows-i-added-pagination-and-caching-to-find-out-2jkk https://dev.to/abhishek_sharma_a9792aee8/what-happens-when-your-api-has-10000-rows-i-added-pagination-and-caching-to-find-out-2jkk <p>In <a href="https://dev.to/abhishek_sharma_a9792aee8/tests-update-delete-and-the-refactor-i-didnt-plan-5g2o">Part 4</a>, I finished full CRUD and wrote my first Go tests. The API worked — but I was the only user, hitting it from my terminal with 10 test entries.</p> <p>Then I asked: <em>what happens when there are 10,000 rows?</em></p> <p>Two days, two features. Both taught me things I didn't expect.</p> <h2> Day 16: Pagination </h2> <p><code>GET /entries</code> was returning every row in the database for a user. Fine when I have 10 test entries. A disaster with 10,000.</p> <p>Pagination is simple in principle — you add <code>?page=1&amp;limit=10</code> to the URL and only fetch that slice. The implementation taught me something about Go's "fail gracefully" philosophy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">page</span> <span class="o">:=</span> <span class="m">1</span> <span class="c">// default</span> <span class="n">limit</span> <span class="o">:=</span> <span class="m">10</span> <span class="c">// default</span> <span class="n">pageStr</span> <span class="o">:=</span> <span class="n">r</span><span class="o">.</span><span class="n">URL</span><span class="o">.</span><span class="n">Query</span><span class="p">()</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="s">"page"</span><span class="p">)</span> <span class="k">if</span> <span class="n">pageStr</span> <span class="o">!=</span> <span class="s">""</span> <span class="p">{</span> <span class="k">if</span> <span class="n">p</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">strconv</span><span class="o">.</span><span class="n">Atoi</span><span class="p">(</span><span class="n">pageStr</span><span class="p">);</span> <span class="n">err</span> <span class="o">==</span> <span class="no">nil</span> <span class="o">&amp;&amp;</span> <span class="n">p</span> <span class="o">&gt;</span> <span class="m">0</span> <span class="p">{</span> <span class="n">page</span> <span class="o">=</span> <span class="n">p</span> <span class="p">}</span> <span class="p">}</span> <span class="n">limitStr</span> <span class="o">:=</span> <span class="n">r</span><span class="o">.</span><span class="n">URL</span><span class="o">.</span><span class="n">Query</span><span class="p">()</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="s">"limit"</span><span class="p">)</span> <span class="k">if</span> <span class="n">limitStr</span> <span class="o">!=</span> <span class="s">""</span> <span class="p">{</span> <span class="k">if</span> <span class="n">l</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">strconv</span><span class="o">.</span><span class="n">Atoi</span><span class="p">(</span><span class="n">limitStr</span><span class="p">);</span> <span class="n">err</span> <span class="o">==</span> <span class="no">nil</span> <span class="o">&amp;&amp;</span> <span class="n">l</span> <span class="o">&gt;</span> <span class="m">0</span> <span class="o">&amp;&amp;</span> <span class="n">l</span> <span class="o">&lt;=</span> <span class="m">100</span> <span class="p">{</span> <span class="n">limit</span> <span class="o">=</span> <span class="n">l</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Notice what's NOT there: no <code>400 Bad Request</code> if you pass <code>?page=abc</code>. Invalid params just silently fall back to defaults. I went back and forth on this — should I return an error?</p> <p>Decided no. Pagination params are optional hints, not required inputs. If you pass garbage, you get the first page. The API keeps working. This feels more correct for a read endpoint.</p> <p>The database query uses <code>LIMIT</code> and <code>OFFSET</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">entries</span> <span class="k">WHERE</span> <span class="n">user_id</span> <span class="o">=</span> <span class="err">$</span><span class="mi">1</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">created_at</span> <span class="k">DESC</span> <span class="k">LIMIT</span> <span class="err">$</span><span class="mi">2</span> <span class="k">OFFSET</span> <span class="err">$</span><span class="mi">3</span> </code></pre> </div> <p>Where <code>OFFSET = (page - 1) * limit</code>. The response now includes <code>total</code>, <code>page</code>, <code>limit</code>, and <code>entries</code> — so clients can calculate how many pages exist.</p> <h2> Day 17: In-Memory Caching </h2> <p>Pagination meant a COUNT query on every GET request to return the total. <code>SELECT COUNT(*) FROM entries WHERE user_id = ?</code> is cheap with 10 rows, expensive at scale.</p> <p>I built a simple in-memory cache:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">CacheEntry</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">value</span> <span class="k">interface</span><span class="p">{}</span> <span class="n">Expiration</span> <span class="n">time</span><span class="o">.</span><span class="n">Time</span> <span class="p">}</span> <span class="k">type</span> <span class="n">Cache</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">data</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="n">CacheEntry</span> <span class="n">mu</span> <span class="n">sync</span><span class="o">.</span><span class="n">RWMutex</span> <span class="c">// ← this is the key part</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">c</span> <span class="o">*</span><span class="n">Cache</span><span class="p">)</span> <span class="n">Get</span><span class="p">(</span><span class="n">key</span> <span class="kt">string</span><span class="p">)</span> <span class="p">(</span><span class="k">interface</span><span class="p">{},</span> <span class="kt">bool</span><span class="p">)</span> <span class="p">{</span> <span class="n">c</span><span class="o">.</span><span class="n">mu</span><span class="o">.</span><span class="n">RLock</span><span class="p">()</span> <span class="k">defer</span> <span class="n">c</span><span class="o">.</span><span class="n">mu</span><span class="o">.</span><span class="n">RUnlock</span><span class="p">()</span> <span class="n">entry</span><span class="p">,</span> <span class="n">exists</span> <span class="o">:=</span> <span class="n">c</span><span class="o">.</span><span class="n">data</span><span class="p">[</span><span class="n">key</span><span class="p">]</span> <span class="k">if</span> <span class="o">!</span><span class="n">exists</span> <span class="o">||</span> <span class="n">time</span><span class="o">.</span><span class="n">Now</span><span class="p">()</span><span class="o">.</span><span class="n">After</span><span class="p">(</span><span class="n">entry</span><span class="o">.</span><span class="n">Expiration</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="no">false</span> <span class="p">}</span> <span class="k">return</span> <span class="n">entry</span><span class="o">.</span><span class="n">value</span><span class="p">,</span> <span class="no">true</span> <span class="p">}</span> </code></pre> </div> <p>The <code>sync.RWMutex</code> was new to me. Regular <code>Mutex</code> blocks everything — only one goroutine at a time. <code>RWMutex</code> is smarter: multiple goroutines can <em>read</em> simultaneously, but <em>writing</em> requires exclusive access.</p> <p>For a cache that's read far more often than written, this matters.</p> <p>Cache invalidation: when a user creates or deletes an entry, I delete their cached count:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">cache</span><span class="o">.</span><span class="n">Delete</span><span class="p">(</span><span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">"count:user:%d"</span><span class="p">,</span> <span class="n">userID</span><span class="p">))</span> </code></pre> </div> <p>The cache key includes the user ID so different users never see each other's counts. Simple, but it took me a few minutes to think through why I needed that.</p> <h2> What I Learned </h2> <p><strong>Pagination defaults beat errors.</strong> For optional hints like <code>page</code> and <code>limit</code>, failing gracefully is better UX than returning a 400. Save strict validation for required inputs.</p> <p><strong><code>sync.RWMutex</code> vs <code>sync.Mutex</code>.</strong> Read-heavy data structures should use <code>RWMutex</code>. Multiple goroutines can read simultaneously — only writes need exclusive access.</p> <p><strong>Cache keys need scope.</strong> <code>count:user:42</code> not just <code>count</code>. Otherwise all users share the same cached value — a subtle bug that only shows up with multiple users.</p> <h2> The API Now </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GET /entries?page=1&amp;limit=10 → paginated, cached COUNT POST /entries → creates entry, invalidates cache DELETE /entries?id=X → deletes entry, invalidates cache </code></pre> </div> <p>The API no longer dumps every row on every request. The database isn't hit for the count on repeated reads. Small changes, but the kind that matter when traffic is real.</p> <h2> What's Next </h2> <p>In Part 6, I'll cover <strong>rate limiting and Redis</strong> — the week I started thinking about abuse prevention and why in-memory solutions break the moment you run more than one server instance.</p> <p><em>This is Part 5 of the "Learning Go in Public" series. <a href="https://dev.to/abhishek_sharma_a9792aee8/why-i-decided-to-learn-go-and-what-my-first-commit-looked-like-38ii">Part 1</a> | <a href="https://dev.to/abhishek_sharma_a9792aee8/i-stopped-watching-tutorials-and-started-building-a-rest-api-in-go-4e84">Part 2</a> | <a href="https://dev.to/abhishek_sharma_a9792aee8/building-authentication-from-scratch-in-go-no-libraries-no-magic-2c46">Part 3</a> | <a href="https://dev.to/abhishek_sharma_a9792aee8/tests-update-delete-and-the-refactor-i-didnt-plan-5g2o">Part 4</a></em></p> go buildinpublic backend webdev Tests, UPDATE, DELETE — And the Refactor I Didn't Plan Abhishek Sharma Mon, 20 Apr 2026 11:04:33 +0000 https://dev.to/abhishek_sharma_a9792aee8/tests-update-delete-and-the-refactor-i-didnt-plan-5g2o https://dev.to/abhishek_sharma_a9792aee8/tests-update-delete-and-the-refactor-i-didnt-plan-5g2o <p>In <a href="https://dev.to/abhishek_sharma_a9792aee8/building-authentication-from-scratch-in-go-no-libraries-no-magic-2c46">Part 3</a>, I built authentication — JWT tokens, bcrypt hashing, middleware that wraps handlers like Russian dolls. The API had four endpoints and was fully protected.</p> <p>But it could only create and read entries. No updating. No deleting. And zero tests.</p> <p>This post is about the week I added the missing CRUD operations, wrote my first Go tests, and accidentally refactored the entire project structure — all because one test file exposed a design flaw I couldn't unsee.</p> <h2> UPDATE: Harder Than I Expected </h2> <p>Adding a PATCH endpoint sounded simple. It wasn't. The tricky part wasn't the database query — it was <strong>ownership validation</strong>.</p> <p>When a user sends <code>PATCH /entries?id=5</code>, I can't just update entry 5. I need to verify that entry 5 <em>belongs to this user</em>. Otherwise any authenticated user could edit anyone's entries.</p> <p>Here's the handler:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">UpdateEntry</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="c">// Parse entry ID from query string</span> <span class="n">entryId</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">strconv</span><span class="o">.</span><span class="n">Atoi</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">URL</span><span class="o">.</span><span class="n">Query</span><span class="p">()</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="s">"id"</span><span class="p">))</span> <span class="c">// Get user ID from context (set by AuthMiddleware)</span> <span class="n">userID</span> <span class="o">:=</span> <span class="n">r</span><span class="o">.</span><span class="n">Context</span><span class="p">()</span><span class="o">.</span><span class="n">Value</span><span class="p">(</span><span class="s">"user_id"</span><span class="p">)</span><span class="o">.</span><span class="p">(</span><span class="kt">int64</span><span class="p">)</span> <span class="c">// Validate all fields...</span> <span class="k">if</span> <span class="n">req</span><span class="o">.</span><span class="n">Text</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="c">/* 400 */</span> <span class="p">}</span> <span class="k">if</span> <span class="n">req</span><span class="o">.</span><span class="n">Mood</span> <span class="o">&lt;</span> <span class="m">1</span> <span class="o">||</span> <span class="n">req</span><span class="o">.</span><span class="n">Mood</span> <span class="o">&gt;</span> <span class="m">10</span> <span class="p">{</span> <span class="c">/* 400 */</span> <span class="p">}</span> <span class="c">// The key line — WHERE clause checks BOTH id AND user_id</span> <span class="n">rowsAffected</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">db</span><span class="o">.</span><span class="n">UpdateEntry</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">entryId</span><span class="p">,</span> <span class="n">userID</span><span class="p">,</span> <span class="n">req</span><span class="o">.</span><span class="n">Text</span><span class="p">,</span> <span class="n">req</span><span class="o">.</span><span class="n">Mood</span><span class="p">,</span> <span class="n">req</span><span class="o">.</span><span class="n">Category</span><span class="p">)</span> <span class="k">if</span> <span class="n">rowsAffected</span> <span class="o">==</span> <span class="m">0</span> <span class="p">{</span> <span class="c">// Entry doesn't exist OR doesn't belong to this user</span> <span class="n">errorResponse</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusNotFound</span><span class="p">,</span> <span class="s">"Entry not found or access denied"</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The database query uses <code>WHERE id = ? AND user_id = ?</code>. If the entry exists but belongs to someone else, <code>rowsAffected</code> is 0. Same response as "entry doesn't exist." This is intentional — you don't want to leak information about other users' data.</p> <p>I wrote an 8-test PowerShell script to verify every edge case: update your own entry, try to update someone else's, update with missing fields, update with mood out of range. All passing.</p> <h2> DELETE: The Same Pattern, Simpler </h2> <p>Once UPDATE worked, DELETE took 20 minutes. Same ownership pattern:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">DeleteEntry</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="n">entryId</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">strconv</span><span class="o">.</span><span class="n">Atoi</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">URL</span><span class="o">.</span><span class="n">Query</span><span class="p">()</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="s">"id"</span><span class="p">))</span> <span class="n">userID</span> <span class="o">:=</span> <span class="n">r</span><span class="o">.</span><span class="n">Context</span><span class="p">()</span><span class="o">.</span><span class="n">Value</span><span class="p">(</span><span class="s">"user_id"</span><span class="p">)</span><span class="o">.</span><span class="p">(</span><span class="kt">int64</span><span class="p">)</span> <span class="n">rowsAffected</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">db</span><span class="o">.</span><span class="n">DeleteEntry</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">entryId</span><span class="p">,</span> <span class="n">userID</span><span class="p">)</span> <span class="k">if</span> <span class="n">rowsAffected</span> <span class="o">==</span> <span class="m">0</span> <span class="p">{</span> <span class="n">errorResponse</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusNotFound</span><span class="p">,</span> <span class="s">"Entry not found or access denied"</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="n">respondJSON</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusOK</span><span class="p">,</span> <span class="n">CreateEntryResponse</span><span class="p">{</span> <span class="n">Success</span><span class="o">:</span> <span class="no">true</span><span class="p">,</span> <span class="n">Message</span><span class="o">:</span> <span class="s">"Entry deleted successfully"</span><span class="p">,</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>Same <code>WHERE id = ? AND user_id = ?</code>. Same ownership check. Same ambiguous error message. I didn't realize it at the time, but this was my first Go <strong>pattern</strong> — I was copying the structure from UPDATE and it just worked.</p> <p>Seven tests. All green.</p> <h2> The Accidental Refactor </h2> <p>Here's where things got interesting. I was writing tests when I noticed something ugly: my <code>models/entry.go</code> had database functions mixed in with struct definitions. The <code>Entry</code> struct and <code>InsertEntry()</code> were in the same file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>models/ entry.go ← struct definitions AND database functions?? models.go ← more structs </code></pre> </div> <p>This was wrong. The whole point of separating <code>models/</code> from <code>db/</code> is separation of concerns. Models define <em>what</em> data looks like. DB defines <em>how</em> it's stored and retrieved.</p> <p>So I refactored:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>models/ models.go ← ALL struct definitions (Entry, User, requests, responses) db/ db.go ← ALL database operations (Insert, Update, Delete, Get) </code></pre> </div> <p>I moved every database function from <code>models/entry.go</code> into <code>db/db.go</code>. Deleted the old file. Updated all imports.</p> <p>This wasn't planned. It happened because writing tests forced me to think about where things belong. When you import a package for testing, messy boundaries become obvious.</p> <h2> My First Real Tests </h2> <p>I had been testing with PowerShell scripts — <code>curl</code>-style commands that hit a running server. Those are integration tests. Useful, but slow and fragile.</p> <p>Go has <code>testing</code> and <code>httptest</code> built into the standard library. No Jest, no Mocha, no test runner to install. You just:</p> <ol> <li>Create a file ending in <code>_test.go</code> </li> <li>Write functions starting with <code>Test</code> </li> <li>Run <code>go test</code> </li> </ol> <p>Here's my first handler test:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">TestCreateEntry</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">body</span> <span class="o">:=</span> <span class="n">strings</span><span class="o">.</span><span class="n">NewReader</span><span class="p">(</span> <span class="s">`{"text":"feeling good","mood":8,"category":"mood"}`</span><span class="p">,</span> <span class="p">)</span> <span class="c">// Create a fake HTTP request</span> <span class="n">req</span> <span class="o">:=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewRequest</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">MethodPost</span><span class="p">,</span> <span class="s">"/entries"</span><span class="p">,</span> <span class="n">body</span><span class="p">)</span> <span class="c">// Inject user_id into context (normally AuthMiddleware does this)</span> <span class="n">ctx</span> <span class="o">:=</span> <span class="n">context</span><span class="o">.</span><span class="n">WithValue</span><span class="p">(</span><span class="n">req</span><span class="o">.</span><span class="n">Context</span><span class="p">(),</span> <span class="s">"user_id"</span><span class="p">,</span> <span class="kt">int64</span><span class="p">(</span><span class="m">1</span><span class="p">))</span> <span class="n">req</span> <span class="o">=</span> <span class="n">req</span><span class="o">.</span><span class="n">WithContext</span><span class="p">(</span><span class="n">ctx</span><span class="p">)</span> <span class="c">// Record the response</span> <span class="n">rec</span> <span class="o">:=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewRecorder</span><span class="p">()</span> <span class="c">// Call the handler directly — no server needed</span> <span class="n">CreateEntry</span><span class="p">(</span><span class="n">rec</span><span class="p">,</span> <span class="n">req</span><span class="p">)</span> <span class="c">// Assert</span> <span class="k">if</span> <span class="n">rec</span><span class="o">.</span><span class="n">Code</span> <span class="o">!=</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusCreated</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"expected 201, got %d"</span><span class="p">,</span> <span class="n">rec</span><span class="o">.</span><span class="n">Code</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Two things blew my mind:</p> <p><strong><code>httptest.NewRequest</code></strong> — you create a fake HTTP request with any method, URL, and body. No actual network call. No server running. It's just a struct.</p> <p><strong><code>httptest.NewRecorder</code></strong> — captures whatever the handler writes. Status code, headers, body. You inspect it after the handler returns.</p> <p>The test for invalid input was almost as satisfying:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">TestCreateEntry_MissingText</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">body</span> <span class="o">:=</span> <span class="n">strings</span><span class="o">.</span><span class="n">NewReader</span><span class="p">(</span><span class="s">`{"text":"","mood":8,"category":"mood"}`</span><span class="p">)</span> <span class="n">req</span> <span class="o">:=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewRequest</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">MethodPost</span><span class="p">,</span> <span class="s">"/entries"</span><span class="p">,</span> <span class="n">body</span><span class="p">)</span> <span class="n">ctx</span> <span class="o">:=</span> <span class="n">context</span><span class="o">.</span><span class="n">WithValue</span><span class="p">(</span><span class="n">req</span><span class="o">.</span><span class="n">Context</span><span class="p">(),</span> <span class="s">"user_id"</span><span class="p">,</span> <span class="kt">int64</span><span class="p">(</span><span class="m">1</span><span class="p">))</span> <span class="n">req</span> <span class="o">=</span> <span class="n">req</span><span class="o">.</span><span class="n">WithContext</span><span class="p">(</span><span class="n">ctx</span><span class="p">)</span> <span class="n">rec</span> <span class="o">:=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewRecorder</span><span class="p">()</span> <span class="n">CreateEntry</span><span class="p">(</span><span class="n">rec</span><span class="p">,</span> <span class="n">req</span><span class="p">)</span> <span class="k">if</span> <span class="n">rec</span><span class="o">.</span><span class="n">Code</span> <span class="o">!=</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusBadRequest</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"expected 400, got %d"</span><span class="p">,</span> <span class="n">rec</span><span class="o">.</span><span class="n">Code</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Empty text → 400. Invalid mood → 400. Missing auth → 401. Each scenario is three lines of setup, one function call, one assertion.</p> <p>Coming from JavaScript testing where you install Jest, configure Babel, mock fetch, set up test databases... Go's approach felt almost too simple. But it works.</p> <h2> What I Learned This Week </h2> <p><strong>The ownership pattern is reusable.</strong> <code>WHERE id = ? AND user_id = ?</code> with <code>rowsAffected == 0</code> handles both "not found" and "not yours" in one query. I've used this pattern three times now (GET, UPDATE, DELETE) and it's always the same.</p> <p><strong>Refactoring happens when you test.</strong> I didn't plan to restructure the project. But the moment I tried to write a test that imported <code>models</code>, the messy boundaries became obvious. Tests are a design feedback tool, not just a verification tool.</p> <p><strong>Go testing is minimal and that's the point.</strong> No assertions library. No mocking framework. Just <code>if got != want { t.Errorf() }</code>. It forces you to write tests that are readable without any DSL knowledge.</p> <h2> Where the API Stands Now </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>POST /register → Create account (public) POST /login → Get JWT token (public) POST /entries → Create entry (protected) GET /entries → List entries (protected) PATCH /entries?id=X → Update entry (protected + ownership) DELETE /entries?id=X → Delete entry (protected + ownership) GET /health → Health check (public) </code></pre> </div> <p>Six real endpoints. Full CRUD. Authentication. Authorization with ownership validation. 18 tests passing. And a project structure that finally makes sense.</p> <h2> What's Next </h2> <p>In Part 5, I'll cover the week I added <strong>pagination, caching, and rate limiting</strong> — the features that made me think about what happens when this API isn't just me hitting it from PowerShell anymore.</p> <p><em>This is Part 4 of the "Learning Go in Public" series. <a href="https://dev.to/abhishek_sharma_a9792aee8/why-i-decided-to-learn-go-and-what-my-first-commit-looked-like-38ii">Part 1</a> | <a href="https://dev.to/abhishek_sharma_a9792aee8/i-stopped-watching-tutorials-and-started-building-a-rest-api-in-go-4e84">Part 2</a> | <a href="https://dev.to/abhishek_sharma_a9792aee8/building-authentication-from-scratch-in-go-no-libraries-no-magic-2c46">Part 3</a></em></p> go buildinpublic testing backend Building Authentication From Scratch in Go — No Libraries, No Magic Abhishek Sharma Fri, 17 Apr 2026 13:18:54 +0000 https://dev.to/abhishek_sharma_a9792aee8/building-authentication-from-scratch-in-go-no-libraries-no-magic-2c46 https://dev.to/abhishek_sharma_a9792aee8/building-authentication-from-scratch-in-go-no-libraries-no-magic-2c46 <p>In <a href="https://dev.to/abhishek_sharma_a9792aee8/i-stopped-watching-tutorials-and-started-building-a-rest-api-in-go-51h5">Part 2</a>, I had a working REST API with two endpoints. You could create entries and query them. But anyone could hit the API — no login, no tokens, no protection.</p> <p>This post is about the day I decided to build authentication from scratch, and the Go pattern that changed how I think about HTTP servers.</p> <h2> The Plan </h2> <p>I needed three things:</p> <ol> <li> <strong>Register</strong> — hash a password, save the user</li> <li> <strong>Login</strong> — verify credentials, return a JWT token</li> <li> <strong>Middleware</strong> — block unauthenticated requests before they reach any handler</li> </ol> <p>No auth libraries. No Passport.js equivalent. Just <code>golang-jwt/jwt</code> for token creation and <code>golang.org/x/crypto/bcrypt</code> for password hashing.</p> <h2> Registration: My First Time Hashing a Password </h2> <p>Here's what the register handler looked like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">Register</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="k">var</span> <span class="n">req</span> <span class="n">RegisterRequest</span> <span class="n">json</span><span class="o">.</span><span class="n">NewDecoder</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">Body</span><span class="p">)</span><span class="o">.</span><span class="n">Decode</span><span class="p">(</span><span class="o">&amp;</span><span class="n">req</span><span class="p">)</span> <span class="c">// Validate</span> <span class="k">if</span> <span class="n">req</span><span class="o">.</span><span class="n">Email</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="c">/* 400 */</span> <span class="p">}</span> <span class="k">if</span> <span class="o">!</span><span class="n">strings</span><span class="o">.</span><span class="n">Contains</span><span class="p">(</span><span class="n">req</span><span class="o">.</span><span class="n">Email</span><span class="p">,</span> <span class="s">"@"</span><span class="p">)</span> <span class="p">{</span> <span class="c">/* 400 */</span> <span class="p">}</span> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">req</span><span class="o">.</span><span class="n">Password</span><span class="p">)</span> <span class="o">&lt;</span> <span class="m">6</span> <span class="p">{</span> <span class="c">/* 400 */</span> <span class="p">}</span> <span class="c">// Hash password — NEVER store plain text</span> <span class="n">passwordHash</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">bcrypt</span><span class="o">.</span><span class="n">GenerateFromPassword</span><span class="p">(</span> <span class="p">[]</span><span class="kt">byte</span><span class="p">(</span><span class="n">req</span><span class="o">.</span><span class="n">Password</span><span class="p">),</span> <span class="n">bcrypt</span><span class="o">.</span><span class="n">DefaultCost</span><span class="p">,</span> <span class="p">)</span> <span class="c">// Save to database</span> <span class="n">userID</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">db</span><span class="o">.</span><span class="n">CreateUser</span><span class="p">(</span><span class="n">req</span><span class="o">.</span><span class="n">Email</span><span class="p">,</span> <span class="kt">string</span><span class="p">(</span><span class="n">passwordHash</span><span class="p">))</span> <span class="p">}</span> </code></pre> </div> <p>Two things I learned here:</p> <p><strong><code>bcrypt.DefaultCost</code> is 10.</strong> That means it runs the hashing algorithm 2^10 = 1,024 times. Slow on purpose — makes brute-force attacks impractical. I spent 20 minutes reading about why a slower hash function is a <em>feature</em>, not a bug.</p> <p><strong><code>[]byte()</code> everywhere.</strong> bcrypt's functions take byte slices, not strings. Coming from JavaScript where everything is just a string, I kept forgetting to convert. Go makes you think about data types at every step.</p> <h2> Login: Creating My First JWT </h2> <p>The login flow taught me more about Go than any tutorial:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// 1. Get user from database</span> <span class="n">userID</span><span class="p">,</span> <span class="n">passwordHash</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">db</span><span class="o">.</span><span class="n">GetUserByEmail</span><span class="p">(</span><span class="n">req</span><span class="o">.</span><span class="n">Email</span><span class="p">)</span> <span class="c">// 2. Compare password with stored hash</span> <span class="n">err</span> <span class="o">=</span> <span class="n">bcrypt</span><span class="o">.</span><span class="n">CompareHashAndPassword</span><span class="p">(</span> <span class="p">[]</span><span class="kt">byte</span><span class="p">(</span><span class="n">passwordHash</span><span class="p">),</span> <span class="p">[]</span><span class="kt">byte</span><span class="p">(</span><span class="n">req</span><span class="o">.</span><span class="n">Password</span><span class="p">),</span> <span class="p">)</span> <span class="c">// 3. Create JWT claims</span> <span class="n">claims</span> <span class="o">:=</span> <span class="n">jwt</span><span class="o">.</span><span class="n">MapClaims</span><span class="p">{</span> <span class="s">"user_id"</span><span class="o">:</span> <span class="n">userID</span><span class="p">,</span> <span class="s">"exp"</span><span class="o">:</span> <span class="n">time</span><span class="o">.</span><span class="n">Now</span><span class="p">()</span><span class="o">.</span><span class="n">Add</span><span class="p">(</span><span class="m">24</span> <span class="o">*</span> <span class="n">time</span><span class="o">.</span><span class="n">Hour</span><span class="p">)</span><span class="o">.</span><span class="n">Unix</span><span class="p">(),</span> <span class="p">}</span> <span class="c">// 4. Sign the token</span> <span class="n">token</span> <span class="o">:=</span> <span class="n">jwt</span><span class="o">.</span><span class="n">NewWithClaims</span><span class="p">(</span><span class="n">jwt</span><span class="o">.</span><span class="n">SigningMethodHS256</span><span class="p">,</span> <span class="n">claims</span><span class="p">)</span> <span class="n">tokenString</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">token</span><span class="o">.</span><span class="n">SignedString</span><span class="p">([]</span><span class="kt">byte</span><span class="p">(</span><span class="n">secret</span><span class="p">))</span> </code></pre> </div> <p>I left this comment in my code at the time:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Why Unix()? JWT needs simple numbers, not complex Go time objects</span> <span class="c">// Example: time.Now().Unix() = 1736359530 (just a number)</span> <span class="c">// Add 24 hours = add 86400 seconds (24 * 60 * 60 = 86400)</span> </code></pre> </div> <p>Again — verbose, maybe obvious to experienced devs. But I was explaining JWT to <em>myself</em> while building it. That's the whole point of learning in public.</p> <p>One security detail I got right: the error message for a wrong password is <code>"Invalid email or password"</code> — same as for a non-existent email. You never want to reveal whether an account exists.</p> <h2> The Middleware Pattern That Changed Everything </h2> <p>This is the part I'm most proud of from this phase. Go doesn't have middleware built in like Express. You build it yourself:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">AuthMiddleware</span><span class="p">(</span><span class="n">next</span> <span class="n">http</span><span class="o">.</span><span class="n">HandlerFunc</span><span class="p">)</span> <span class="n">http</span><span class="o">.</span><span class="n">HandlerFunc</span> <span class="p">{</span> <span class="k">return</span> <span class="k">func</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="c">// 1. Get token from "Authorization: Bearer &lt;token&gt;"</span> <span class="n">authHeader</span> <span class="o">:=</span> <span class="n">r</span><span class="o">.</span><span class="n">Header</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="s">"Authorization"</span><span class="p">)</span> <span class="n">tokenString</span> <span class="o">:=</span> <span class="n">strings</span><span class="o">.</span><span class="n">TrimPrefix</span><span class="p">(</span><span class="n">authHeader</span><span class="p">,</span> <span class="s">"Bearer "</span><span class="p">)</span> <span class="c">// 2. Validate token</span> <span class="n">claims</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">validateToken</span><span class="p">(</span><span class="n">tokenString</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">errorResponseAuth</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusUnauthorized</span><span class="p">,</span> <span class="s">"Invalid token"</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="c">// 3. Extract user_id and add to request context</span> <span class="n">userID</span> <span class="o">:=</span> <span class="n">claims</span><span class="p">[</span><span class="s">"user_id"</span><span class="p">]</span><span class="o">.</span><span class="p">(</span><span class="kt">float64</span><span class="p">)</span> <span class="n">ctx</span> <span class="o">:=</span> <span class="n">context</span><span class="o">.</span><span class="n">WithValue</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">Context</span><span class="p">(),</span> <span class="s">"user_id"</span><span class="p">,</span> <span class="kt">int64</span><span class="p">(</span><span class="n">userID</span><span class="p">))</span> <span class="c">// 4. Call next handler with updated context</span> <span class="n">next</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">r</span><span class="o">.</span><span class="n">WithContext</span><span class="p">(</span><span class="n">ctx</span><span class="p">))</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Read that again. <strong>A function that takes a handler and returns a new handler.</strong> The returned handler does the auth check <em>first</em>, and only calls the original handler if the token is valid.</p> <p>In <code>main.go</code>, using it looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Public routes — no protection</span> <span class="n">http</span><span class="o">.</span><span class="n">HandleFunc</span><span class="p">(</span><span class="s">"/register"</span><span class="p">,</span> <span class="n">handlers</span><span class="o">.</span><span class="n">Register</span><span class="p">)</span> <span class="n">http</span><span class="o">.</span><span class="n">HandleFunc</span><span class="p">(</span><span class="s">"/login"</span><span class="p">,</span> <span class="n">handlers</span><span class="o">.</span><span class="n">Login</span><span class="p">)</span> <span class="c">// Protected route — wrapped with AuthMiddleware</span> <span class="n">http</span><span class="o">.</span><span class="n">HandleFunc</span><span class="p">(</span><span class="s">"/entries"</span><span class="p">,</span> <span class="n">handlers</span><span class="o">.</span><span class="n">AuthMiddleware</span><span class="p">(</span><span class="k">func</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="n">r</span><span class="o">.</span><span class="n">Method</span> <span class="o">==</span> <span class="n">http</span><span class="o">.</span><span class="n">MethodPost</span> <span class="p">{</span> <span class="n">handlers</span><span class="o">.</span><span class="n">CreateEntry</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">r</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="n">r</span><span class="o">.</span><span class="n">Method</span> <span class="o">==</span> <span class="n">http</span><span class="o">.</span><span class="n">MethodGet</span> <span class="p">{</span> <span class="n">handlers</span><span class="o">.</span><span class="n">GetEntries</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">r</span><span class="p">)</span> <span class="p">}</span> <span class="p">}))</span> </code></pre> </div> <p><code>AuthMiddleware(handler)</code> — that's it. One wrapper function. No framework, no plugin system, no decorator syntax. Just a function wrapping another function.</p> <p>This is the moment Go clicked for me at a deeper level. Functions are values. You can pass them around, wrap them, chain them. Middleware isn't a framework feature — it's just <em>how functions work</em>.</p> <h2> The <code>context.WithValue</code> Trick </h2> <p>The most clever part of Go's auth pattern: how you pass the user ID from middleware to the handler.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Middleware sets it:</span> <span class="n">ctx</span> <span class="o">:=</span> <span class="n">context</span><span class="o">.</span><span class="n">WithValue</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">Context</span><span class="p">(),</span> <span class="s">"user_id"</span><span class="p">,</span> <span class="kt">int64</span><span class="p">(</span><span class="n">userID</span><span class="p">))</span> <span class="n">next</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">r</span><span class="o">.</span><span class="n">WithContext</span><span class="p">(</span><span class="n">ctx</span><span class="p">))</span> <span class="c">// Handler reads it:</span> <span class="n">userID</span> <span class="o">:=</span> <span class="n">r</span><span class="o">.</span><span class="n">Context</span><span class="p">()</span><span class="o">.</span><span class="n">Value</span><span class="p">(</span><span class="s">"user_id"</span><span class="p">)</span><span class="o">.</span><span class="p">(</span><span class="kt">int64</span><span class="p">)</span> </code></pre> </div> <p>No global variables. No session objects. The user ID travels <em>with the request itself</em>. Every handler that needs to know who's making the request just reads it from the context.</p> <p>Coming from Express where you'd do <code>req.user = decoded</code>, this felt more explicit and safer. The data is scoped to the request, not bolted onto a mutable object.</p> <h2> One Thing That Tripped Me Up </h2> <p>JWT numbers come back as <code>float64</code>, not <code>int64</code>. This line:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">userID</span><span class="p">,</span> <span class="n">ok</span> <span class="o">:=</span> <span class="n">claims</span><span class="p">[</span><span class="s">"user_id"</span><span class="p">]</span><span class="o">.</span><span class="p">(</span><span class="kt">float64</span><span class="p">)</span> </code></pre> </div> <p>I originally wrote <code>.(int64)</code> and couldn't figure out why it kept failing. Turns out JSON (which JWT uses internally) doesn't distinguish between integers and floats — everything is a number. Go's JSON decoder maps all numbers to <code>float64</code>.</p> <p>Took me an hour of debugging. Now I'll never forget it.</p> <h2> What the API Looked Like After This </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>POST /register → Create account (public) POST /login → Get JWT token (public) POST /entries → Create entry (protected) GET /entries → List entries (protected) GET /health → Health check (public) GET /ping → Ping (public) </code></pre> </div> <p>Four real endpoints. Authentication. Authorization. No frameworks. Just Go's standard library plus two packages for JWT and bcrypt.</p> <h2> What's Next </h2> <p>In Part 4, I'll cover the week I added <strong>testing, UPDATE, and DELETE</strong> — and why writing tests <em>after</em> the code changed how I thought about designing handlers.</p> <p><em>This is Part 3 of the "Learning Go in Public" series. <a href="https://dev.to/abhishek_sharma_a9792aee8/why-i-decided-to-learn-go-and-what-my-first-commit-looked-like-38ii">Part 1</a> | <a href="https://dev.to/abhishek_sharma_a9792aee8/i-stopped-watching-tutorials-and-started-building-a-rest-api-in-go-51h5">Part 2</a></em></p> go buildinpublic authentication backend I Stopped Watching Tutorials and Started Building a REST API in Go Abhishek Sharma Thu, 16 Apr 2026 13:32:21 +0000 https://dev.to/abhishek_sharma_a9792aee8/i-stopped-watching-tutorials-and-started-building-a-rest-api-in-go-4e84 https://dev.to/abhishek_sharma_a9792aee8/i-stopped-watching-tutorials-and-started-building-a-rest-api-in-go-4e84 <p>In my <a href="https://dev.to/abhishek_sharma_a9792aee8/why-i-decided-to-learn-go-and-what-my-first-commit-looked-like-38ii">last post</a>, I talked about my first week learning Go — the confusion, the messy first commit, and why I picked Go over sticking with JavaScript.</p> <p>This post is about the moment things changed: I stopped writing practice files and started building a real project.</p> <h2> The Decision </h2> <p>After a week of writing <code>structs.go</code>, <code>maps-practice.go</code>, and <code>interfaces-tutorial.go</code>, I was learning syntax but not learning to <em>build</em>. I could explain what a goroutine is but couldn't wire up an HTTP endpoint.</p> <p>So I picked a project: a <strong>personal analytics backend</strong>. A REST API where I could log daily entries — mood, productivity notes, whatever — and query them later. Simple enough to be achievable, real enough to force me to learn.</p> <h2> Day 1: The Skeleton </h2> <p>My first backend commit had just 3 files that mattered:</p> <p><strong><code>cmd/server/main.go</code></strong> — the entry point:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">godotenv</span><span class="o">.</span><span class="n">Load</span><span class="p">()</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="s">"No .env file found"</span><span class="p">)</span> <span class="p">}</span> <span class="n">dbPath</span> <span class="o">:=</span> <span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"DB_PATH"</span><span class="p">)</span> <span class="k">if</span> <span class="n">dbPath</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="n">dbPath</span> <span class="o">=</span> <span class="s">"./data.db"</span> <span class="p">}</span> <span class="n">err</span> <span class="o">=</span> <span class="n">db</span><span class="o">.</span><span class="n">InitDB</span><span class="p">(</span><span class="n">dbPath</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">Fatalf</span><span class="p">(</span><span class="s">"Failed to initialize database: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">defer</span> <span class="n">db</span><span class="o">.</span><span class="n">CloseDB</span><span class="p">()</span> <span class="n">http</span><span class="o">.</span><span class="n">HandleFunc</span><span class="p">(</span><span class="s">"/health"</span><span class="p">,</span> <span class="n">handlers</span><span class="o">.</span><span class="n">HealthHandler</span><span class="p">)</span> <span class="n">http</span><span class="o">.</span><span class="n">HandleFunc</span><span class="p">(</span><span class="s">"/ping"</span><span class="p">,</span> <span class="n">handlers</span><span class="o">.</span><span class="n">PingHandler</span><span class="p">)</span> <span class="n">log</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"Server starting on port %s"</span><span class="p">,</span> <span class="n">port</span><span class="p">)</span> <span class="n">http</span><span class="o">.</span><span class="n">ListenAndServe</span><span class="p">(</span><span class="s">":"</span><span class="o">+</span><span class="n">port</span><span class="p">,</span> <span class="no">nil</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>Two endpoints. <code>/health</code> returns "ok". <code>/ping</code> returns the current time. That's it. That was my entire backend.</p> <p>But here's what I learned just from this:</p> <ul> <li> <code>http.HandleFunc</code> registers a function to a URL path — Go's router is that simple</li> <li> <code>http.ListenAndServe</code> blocks and listens forever — no framework needed</li> <li> <code>defer db.CloseDB()</code> — Go's <code>defer</code> runs when the function exits, perfect for cleanup</li> </ul> <p><strong><code>internal/db/db.go</code></strong> — database connection:</p> <p>I used SQLite because it's a single file — no Docker, no Postgres setup, no connection strings. Just <code>./data.db</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">InitDB</span><span class="p">(</span><span class="n">path</span> <span class="kt">string</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="k">var</span> <span class="n">err</span> <span class="kt">error</span> <span class="n">DB</span><span class="p">,</span> <span class="n">err</span> <span class="o">=</span> <span class="n">sql</span><span class="o">.</span><span class="n">Open</span><span class="p">(</span><span class="s">"sqlite"</span><span class="p">,</span> <span class="n">path</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"failed to open database: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Create tables</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">=</span> <span class="n">DB</span><span class="o">.</span><span class="n">Exec</span><span class="p">(</span><span class="s">`CREATE TABLE IF NOT EXISTS entries ( id INTEGER PRIMARY KEY AUTOINCREMENT, user_id INTEGER NOT NULL, text TEXT NOT NULL, mood INTEGER CHECK(mood &gt;= 1 AND mood &lt;= 10), created_at DATETIME DEFAULT CURRENT_TIMESTAMP )`</span><span class="p">)</span> <span class="k">return</span> <span class="n">err</span> <span class="p">}</span> </code></pre> </div> <p>The <code>%w</code> in <code>fmt.Errorf</code> wraps the original error — you can unwrap it later. I didn't understand why this mattered until weeks later when I needed to check error types.</p> <h2> Day 2: The First Real Endpoint </h2> <p>This is where it clicked. I wrote <code>POST /entries</code> — my first handler that actually does something:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">CreateEntry</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="n">r</span><span class="o">.</span><span class="n">Method</span> <span class="o">!=</span> <span class="n">http</span><span class="o">.</span><span class="n">MethodPost</span> <span class="p">{</span> <span class="n">http</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">"Method not allowed"</span><span class="p">,</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusMethodNotAllowed</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="k">var</span> <span class="n">req</span> <span class="n">CreateEntryRequest</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">json</span><span class="o">.</span><span class="n">NewDecoder</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">Body</span><span class="p">)</span><span class="o">.</span><span class="n">Decode</span><span class="p">(</span><span class="o">&amp;</span><span class="n">req</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">respondJSON</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusBadRequest</span><span class="p">,</span> <span class="n">CreateEntryResponse</span><span class="p">{</span> <span class="n">Success</span><span class="o">:</span> <span class="no">false</span><span class="p">,</span> <span class="n">Message</span><span class="o">:</span> <span class="s">"Invalid request body"</span><span class="p">,</span> <span class="p">})</span> <span class="k">return</span> <span class="p">}</span> <span class="c">// Validate: user_id &gt; 0, text not empty, mood 1-10</span> <span class="k">if</span> <span class="n">req</span><span class="o">.</span><span class="n">UserID</span> <span class="o">&lt;=</span> <span class="m">0</span> <span class="p">{</span> <span class="c">/* return 400 */</span> <span class="p">}</span> <span class="k">if</span> <span class="n">req</span><span class="o">.</span><span class="n">Text</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="c">/* return 400 */</span> <span class="p">}</span> <span class="k">if</span> <span class="n">req</span><span class="o">.</span><span class="n">Mood</span> <span class="o">&lt;</span> <span class="m">1</span> <span class="o">||</span> <span class="n">req</span><span class="o">.</span><span class="n">Mood</span> <span class="o">&gt;</span> <span class="m">10</span> <span class="p">{</span> <span class="c">/* return 400 */</span> <span class="p">}</span> <span class="c">// Insert into database</span> <span class="n">id</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">db</span><span class="o">.</span><span class="n">InsertEntry</span><span class="p">(</span><span class="n">req</span><span class="o">.</span><span class="n">UserID</span><span class="p">,</span> <span class="n">req</span><span class="o">.</span><span class="n">Text</span><span class="p">,</span> <span class="n">req</span><span class="o">.</span><span class="n">Mood</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">respondJSON</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusInternalServerError</span><span class="p">,</span> <span class="n">CreateEntryResponse</span><span class="p">{</span> <span class="n">Success</span><span class="o">:</span> <span class="no">false</span><span class="p">,</span> <span class="n">Message</span><span class="o">:</span> <span class="s">"Failed to create entry"</span><span class="p">,</span> <span class="p">})</span> <span class="k">return</span> <span class="p">}</span> <span class="n">respondJSON</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusCreated</span><span class="p">,</span> <span class="n">CreateEntryResponse</span><span class="p">{</span> <span class="n">Success</span><span class="o">:</span> <span class="no">true</span><span class="p">,</span> <span class="n">Message</span><span class="o">:</span> <span class="s">"Entry created"</span><span class="p">,</span> <span class="n">ID</span><span class="o">:</span> <span class="n">id</span><span class="p">,</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>Look at the pattern: <strong>validate → process → respond. Early returns everywhere.</strong> No nesting. No else blocks. If something's wrong, respond with an error and <code>return</code> immediately.</p> <p>This is the Go way, and it's brilliant. Coming from JavaScript where I'd chain <code>.then().catch()</code> or wrap everything in try/catch, this felt refreshing. Every failure point is explicit.</p> <h2> What I Learned About <code>http.ResponseWriter</code> vs <code>*http.Request</code> </h2> <p>This confused me for days. Why is <code>w</code> not a pointer but <code>r</code> is?</p> <ul> <li> <code>*http.Request</code> is a <strong>pointer to a struct</strong> — it's huge (headers, URL, cookies, body). Copying it would be wasteful.</li> <li> <code>http.ResponseWriter</code> is an <strong>interface</strong>. In Go, interfaces are already a small wrapper that points to the real data. You don't need a pointer to a pointer.</li> </ul> <p>The rule I learned: <em>If you see a type without `</em>` but you can still call methods that modify things, it's probably an interface.*</p> <h2> The Comments I Left for Myself </h2> <p>My code from this commit is packed with comments like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// "Read the JSON data from the request and put it into our req variable."</span> <span class="c">// Step-by-step:</span> <span class="c">// r.Body = the data the client sent</span> <span class="c">// json.NewDecoder(r.Body) = create a JSON reader</span> <span class="c">// .Decode(&amp;req) = convert JSON into our struct</span> </code></pre> </div> <p>These comments are verbose and probably "wrong" by clean code standards. But they're exactly what I needed at the time — explanations in my own words, written while the concept was clicking.</p> <p>I'm keeping them. They're documentation of learning, not documentation of code.</p> <h2> The Moment It Felt Real </h2> <p>I ran <code>go run cmd/server/main.go</code>, opened another terminal, and typed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST http://localhost:8080/entries <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"user_id": 1, "text": "First entry!", "mood": 8}'</span> </code></pre> </div> <p>And got back:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="nl">"success"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Entry created"</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Data went into a real database. I could query it back with <code>GET /entries</code>. It was two endpoints and a SQLite file, but it was <em>mine</em>. I built it with zero frameworks, just Go's standard library.</p> <p>That's when Go stopped being a language I was studying and became a tool I was building with.</p> <h2> What's Next </h2> <p>In Part 3, I'll cover the scariest part of this project: <strong>adding authentication from scratch</strong>. JWT tokens, bcrypt password hashing, and the middleware pattern that changed how I think about HTTP — all without a single auth library.</p> <p><em>This is Part 2 of the "Learning Go in Public" series. <a href="https://dev.to/abhishek_sharma_a9792aee8/why-i-decided-to-learn-go-and-what-my-first-commit-looked-like-38ii">Part 1 is here.</a></em></p> go buildinpublic backend beginners Why I Decided to Learn Go — And What My First Commit Looked Like Abhishek Sharma Fri, 03 Apr 2026 13:58:53 +0000 https://dev.to/abhishek_sharma_a9792aee8/why-i-decided-to-learn-go-and-what-my-first-commit-looked-like-38ii https://dev.to/abhishek_sharma_a9792aee8/why-i-decided-to-learn-go-and-what-my-first-commit-looked-like-38ii <p>On November 5, 2025, I pushed my first commit to a repo called <code>Go_learn</code>.</p> <p>The commit message: <em>"Started learning Go lang scratch lessons."</em></p> <p>54 files. 5,365 lines. Variables, loops, structs, maps, goroutines, interfaces — everything I'd learned in a week, all dumped into one massive push because I didn't know any better.</p> <p>That repo is still public. The messy files are still there. And this is the first post in a series where I'm going to walk through every stage of what happened next.</p> <h2> Why Go? </h2> <p>I was coming from JavaScript and the MERN stack. I could build things. But I kept hitting a wall — I didn't truly understand what was happening under the hood. Express hides the HTTP details. Mongoose hides the database details. npm hides... everything.</p> <p>I wanted a language that would force me to understand things, not abstract them away.</p> <p>Go kept showing up. Backend roles I was interested in listed it. The standard library supposedly had everything you needed. No frameworks, no magic. And the syntax looked almost too simple to be real.</p> <p>So I opened VS Code and typed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="s">"fmt"</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="s">"Hello, World!"</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>And immediately got confused.</p> <h2> The First Week: Where's My Semicolons? </h2> <p>Coming from JavaScript, Go felt alien. Some things that tripped me up in the first few days:</p> <p><strong>Exported vs unexported names.</strong> I spent an embarrassing amount of time wondering why <code>myVariable</code> in one file wasn't accessible from another. In Go, only names starting with a capital letter are exported. In JavaScript, everything is just... there.</p> <p><strong>No classes.</strong> Go has structs and methods, but no inheritance. I kept trying to think in OOP patterns and Go kept saying "no, just use composition." It took a while to stop fighting it.</p> <p><strong>Error handling everywhere.</strong> My first Go functions looked like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">result</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">someFunction</span><span class="p">()</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="s">"something went wrong:"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> </code></pre> </div> <p>I wrote <code>if err != nil</code> about 200 times that first week. It felt tedious. (Spoiler for a future post: I now think it's one of Go's best features.)</p> <p><strong>No generics... then generics.</strong> I learned Go right after generics were added, but every tutorial and StackOverflow answer was from the pre-generics era. Confusing when you're starting out.</p> <h2> What My First Commit Actually Contained </h2> <p>I organized my learning into numbered folders:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>01-basics/ → hello.go, types.go, functions.go 02-control-flow/ → loops.go, switch.go 03-data-structures → structs.go, maps.go, interfaces.go 05-concurrency/ → goroutines-basic.go, channels-basic.go, worker-pool.go 06-projects/ → number-guessing-game.go, todo-list.go 07-Pointers/ → pointers.go, nil-pointers-explained.go 08-errors/ → errors.go 09-packages/ → go modules guide </code></pre> </div> <p>Yes, I skipped folder 04. No, I don't know why. It's still missing.</p> <p>Every file is packed with comments — I was essentially writing tutorials for myself. Here's an actual snippet from <code>structs.go</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Structs are like blueprints for creating custom types</span> <span class="c">// Think of them like objects in JavaScript, but typed and explicit</span> <span class="k">type</span> <span class="n">Person</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Name</span> <span class="kt">string</span> <span class="n">Age</span> <span class="kt">int</span> <span class="p">}</span> </code></pre> </div> <p>These files are messy, verbose, and sometimes wrong. I'm keeping every single one of them in the repo. They're the proof that I started from zero.</p> <h2> The Moment It Clicked </h2> <p>By the end of week one, I built two small projects: a <strong>number guessing game</strong> and a <strong>CLI todo list</strong>. Neither is impressive. But writing them forced me to combine everything — structs, slices, loops, user input, error handling — into something that actually ran.</p> <p>That's when Go stopped feeling like syntax to memorize and started feeling like a tool I could build with.</p> <h2> What's Coming Next </h2> <p>In the next post, I'll talk about the decision that accelerated everything: <strong>stopping the tutorials and building a real backend project.</strong> I started a personal analytics REST API using only Go's standard library — no gin, no fiber, no frameworks. Just <code>net/http</code>, <code>database/sql</code>, and a lot of <code>if err != nil</code>.</p> <p>Follow along — I'll be posting each stage of this journey as its own article. The messy commits, the breakthroughs, the mistakes. All of it.</p> <p><em>This is Part 1 of the "Learning Go in Public" series.</em></p> go buildinpublic backend beginners