DEV Community: Bernardo Cassina

Firebase Functions Express Typescript Project Guide Part 2

Bernardo Cassina — Tue, 14 May 2024 14:45:53 +0000

Requirements

Understanding about Promises and async/await in Javascript.

In this part we will create a REST API to perform CRUD operations in a Pets resource. We will be able to use this API to interact with our Pets Firestore Collection like dogs or cats.

First it is important to understand the Best Practices of REST API Design, please read this article.

Note: Remember to build the Functions project every time you make a new change with npm run buil this will recreate the lib directory.

0. Design First Path

Now, that you have read about the best practices let’s design our paths. Let’s say that our default URL will be http://127.0.0.1:5001/my-project/us-central1/api
First we want to create Pets, so our first path should be /pets . This endpoint will create a brand new pet and it should return the new resource created along with its database ID, so we can identify it later.
The HTTP method we use to create a new resource is POST so we will create a new function that accepts a POST request and creates a new Pet

It will look something like this:

app.post("/pets", (req: Request, res: Response) => // create a new pet );

1. Create Pet Model

Now that we created our first POST path, we now we want to create Pets, but how would a pet look like, what properties should it have? Let’s use a simple example, let’s say a pet has these properties:
```
Pet
    - id
  - category
  - name
  - tags
```

Now all of this properties need a Firestore Type like boolean, string or number. Let’s define them:

Pet
    - id: string;
  - category: string;
  - name: string;
  - tags: Array of strings;

Now we have the properties for our Pet model, we need to use the power of Typescript to define this model in our code.
First let’s define what Typescript uses interfaces and types for [GPT complete this part]

Now that we now how interfaces and types work, let’s create our Pet interface:

interface Pet {
    id: string;
  category: string;
  name: string;
  tags: string[]; // Array of strings
}

Now, probably we want to have explicit categories, so we don’t pets without a valid category, we can do that with a Type:
```
type PetCategory = 'dog' | 'cat' | 'bird'
```

And the we update our Pet interface:

interface Pet {
    id: string;
  category: PetCategory;
  name: string;
  tags: string[]; // Array of strings
}

This way we will make sure only strings of those values can be passed to a Pet interface and if not, the TS compiler will throw an error.
Now that we have our type and interfaces, let’s add them to our code. The good practice is to create separate files for them an import them as necessary. Let’s create an interfaces.ts and types.ts inside the src directory next to the index.ts file.

The content of the types file should be:

export type PetCategory = "dog" | "cat" | "bird";

And the interfaces file should look like this:

// We create a relative import to use the PetCategory type in our interface
import {PetCategory} from "./types";

export interface Pet {
    id: string;
    category: PetCategory;
    name: string;
    tags: string[]; // Array of strings
}

Great! Now we have a new Pet model.

2. Initialize Firestore

First let’s add the Firestore emulator, otherwise all calls will be added to your Firebase Project’s Firestore Database you created un part 1 and we want to test in our local environment first.

Let’s modify the serve script in package.json file to add Firestore emulators:

"serve": "npm run build && firebase emulators:start --only=functions,firestore"

Let’s run npm serve and you should see something like this:

i  firestore: Firestore Emulator logging to firestore-debug.log
✔  firestore: Firestore Emulator UI websocket is running on 9150.

...

┌───────────┬────────────────┬─────────────────────────────────┐
│ Emulator  │ Host:Port      │ View in Emulator UI             │
├───────────┼────────────────┼─────────────────────────────────┤
│ Functions │ 127.0.0.1:5001 │ http://127.0.0.1:4000/functions │
├───────────┼────────────────┼─────────────────────────────────┤
│ Firestore │ 127.0.0.1:8080 │ http://127.0.0.1:4000/firestore │
└───────────┴────────────────┴─────────────────────────────────┘

Now let’s initialize Firestore in the main.ts file:

...other code

// Import Firebase admin to use Firestore
import * as admin from "firebase-admin";

// Import the Pet interface
import {Pet} from "./interfaces";

// Initialize Firebase Admin SDK
admin.initializeApp();

// Firestore database reference
const db = admin.firestore();

Let’s also use express.json in our express app to parse requests:


...other code

const app = express();

// Middleware to parse JSON requests
app.use(express.json());

Now build the project to update the emulators server

3. Create new Pet

Let’s write a function to create the new Pet, but first read this:

// Define a POST route for creating new pets
app.post("/pets", async (req: Request, res: Response) => {
  // Extract the new pet data from the request body
  const newPet: CreatePetBody = req.body;

  try {
    // Add the new pet to the "pets" collection in Firestore
    const docRef = await db.collection("pets").add(newPet);

    // Create a pet document with the generated ID and pet data
    const petDocument: PetDocument = {id: docRef.id, ...newPet};

    // Send the created pet document as the response with status 201
    res.status(201).send(petDocument);
  } catch (error) {
    // Send an error response with status 500 if something goes wrong
    res.status(500).send("Error creating new pet: " + error);
  }
});

Now build the project to update the emulators server
Open postman, create a new POST request to the default URL and the path /pets
Select the Body, then select Raw and JSON

Now add the following:

{
    "category": "dog",
    "name": "Buddy",
    "tags": ["friendly", "playful"]
}

If it worked, the Postman response should look like this:

{
    "id": "Jth82AgC7CIMxxXQKPEF",
    "category": "dog",
    "name": "Buddy",
    "tags": [
        "friendly",
        "playful"
    ]
}

Now we can use that id to retrieve that specific pet in the future and if you go to http://localhost:4000/firestore you should see the new data in the emulator

4. What if some parameters are missing?

So what happens if someone tries to create a Pet without a name? We will create a Document that looks like this:

{
    "id": "Jth82AgC7CIMxxXQKPEF",
    "category": "dog",
    "tags": [
        "friendly",
        "playful"
    ]
}

This is not correct and can lead to data corruption, we need to make sure we are persisting the data following our interfaces and type models. So let’s add a check:
```
if (!newPet.name) {
    res.status(400).send("Bad request: missing name");
  }
```

Also we should check that the category is passed as an argument:

if (!newPet.category) {
    res.status(400).send("Bad request: missing category");
  }

Try to create a pet without category or name, you should receive a Bad request: missing name response
What about the tags? The tags is an array of strings, we can either set it as an empty array or as an optional property. Let’s add it as optional, modify the interface to add a ? that tells typescript this is an optional property:
```
import {PetCategory} from "./types";

export interface Pet {
    category: PetCategory;
    name: string;
    tags?: string[]; // Optional ? Array of strings
}
```
Cool. Now we can create Pets.

5. GET Pets and filter by category and tag

After creating the Pets, it’s time to read those Pets:

Read this first to learn how to get data from Firestore

Now let’s get all our pets:

app.get("/pets", async (req: Request, res: Response) => {
  try {
    // Reference to the pets collection
    // CollectionReference: https://firebase.google.com/docs/reference/node/firebase.firestore.CollectionReference
    const petsRef: admin.firestore.Query = db.collection("pets");

    // Fetch pets from Firestore
    // This declaration returns a Firestore QuerySnapshot:
    // https://firebase.google.com/docs/reference/node/firebase.firestore.QuerySnapshot
    const snapshot = await petsRef.get();

    // Why do we need to iterate over docs? We need to iterate
    // over docs to convert each document into a usable object
    const pets: PetResponse[] = snapshot.docs
      .map((docSnapshot: admin.firestore.QueryDocumentSnapshot) => {
        // What is "as"? "as" is a TypeScript type assertion,
        // telling the compiler that docSnapshot.data() is of type Pet
        const pet: Pet = docSnapshot.data() as Pet;

        // Return the data along with the Document ID
        // Combining the document ID with the pet data into one object
        return {
          id: docSnapshot.id,
          data: pet,
        };
      });

    // Send the processed and filtered pets as the response
    res.status(200).send(pets);
  } catch (error) {
    // Send an error response with status 500 if something goes wrong
    res.status(500).send("Error reading pets: " + error);
  }
});

So what if we want to search for pets that have only the dog category. In REST API design, we can do that with query parameters added to our path like so:
```
...api/pets?category=dog
```

We can other queries as well:

...api/pets?category=dog&tag=intelligent

This way we can tell Firestore to filter the results like this:
```
db.collection('pets').where('category', '==', 'dog');
```
So the final code should look like this:

app.get("/pets", async (req: Request, res: Response) => {
  try {
    // Get query parameters
    const {category, tag} = req.query;

    // Reference to the pets collection
    // CollectionReference: https://firebase.google.com/docs/reference/node/firebase.firestore.CollectionReference)
    let petsRef: admin.firestore.Query = db.collection("pets");

    // Apply category filter if provided
    if (category) {
      petsRef = petsRef.where("category", "==", category);
    }

    // Apply category filter if provided
    if (tag) {
      petsRef = petsRef.where("tag", "==", tag);
    }

    // Fetch pets from Firestore
    // This declaration returns a Firestore QuerySnapshot:
    // https://firebase.google.com/docs/reference/node/firebase.firestore.QuerySnapshot
    const snapshot = await petsRef.get();

    // What's going on? Why do we need to iterate over docs?
    const pets: PetResponse[] = snapshot.docs
      .map((docSnapshot: admin.firestore.QueryDocumentSnapshot) => {
        // What's going on here? What is "as"?
        const pet: Pet = docSnapshot.data() as Pet;

        // Return the data along with the Document ID
        return {
          id: docSnapshot.id,
          data: pet,
        };
      });

    // Send the processed and filtered pets as the response
    res.status(200).send(pets);
  } catch (error) {
    // Send an error response with status 500 if something goes wrong
    res.status(500).send("Error reading pets: " + error);
  }
});

Hell yeah! Now we have created and filtered virtual animals.

Firebase Functions Express Typescript Project Guide Part 1

Bernardo Cassina — Tue, 14 May 2024 01:16:20 +0000

This guide will walk you through setting up your Mac for development with Node.js, Firebase, and Firestore, including creating a simple Express app within a Firebase Functions project.

Prerequisites

Basic command line knowledge
Mac computer with admin access
Mac with XCode installed
Postman Installed
Create a Firebase Project before hand

Setup

0. Create a Firebase Project

Login into your google account
Go to the Firebase Console
Create a new project and name it however you like, we’ll use the name my-project for this example.
Don’t set Google Analytics, not necessary
After your Project is ready, you’ll be redirected to the project overview page
On the left Sidenav, click the settings icon, select Project settings
Look for your Project ID
Now go to the Firestore page here
Select the default location
Select Start in test mode
After the DB has been created, you’ll see an empty Database 😬
That’s all we need to know now, well come back to the console later

1. Install Homebrew and Java

Homebrew is a package manager for macOS. It simplifies the installation of software on macOS.
After installation, verify it by running:
```
brew --version
```
Tu use the Firebase Emulators, we need to install the Java JDK, you can do it with homebrew, although there are other methods.

2. Install Node.js 18 Using nvm

Install Guide
Note: the example is for Node 16 although you should install Node 18 nvm, although with nvm you can have multiple node versions and choose between them 😉
nvm allows you to manage multiple installations of Node.js.
After installing nvm and Node 18 , verify installation by running:
```
node --version
```

3. Make sure `npm` is installed

Verify by running:
```
npm --version
```

4. Install Firebase CLI

The firebase CLI is…
Install it globally by runnning:
```
npm install -g firebase-tools
```
Verify the installation:
```
firebase --version
```

5. Create a New Firebase Functions TypeScript Project

To use Firebase products like Functions, Firestore, Auth, and others, we need to create a new Firebase project.
Note: this project is different from your Firebase Console Project where we will deploy this Typescript project. To be clear: one is the code project and the other, a container in Firebase Console to deploy our code project.

Initialize your project:

# In a terminal, change to your existing Develop directory:
cd my-dev-directory
# Create a new directory to store the project
mkdir my-firebase-project
# Move into the new directory
cd my-firebase-project
# Login into Firebase
firebase login

That command will prompt a URL or open your browser so you can login with your google account.
After successful login, Initialize the Firebase project
```
# Initialize Firebase
firebase init
```
This will prompt different Firebase features to start the project, read the instructions thoroughly and then choose these options:
- Select to use Firestore
- Select to use Functions
- Select to use Emulators
- Leave all others features disabled
- When prompted to select a project, choose the one you first created from the list
- When prompted, select all defaults for the Firestore Setup
- For the Functions Setup
- Select TypeScript when prompted
- Choose to use ESLint when prompted
- Choose to install dependencies with npm, this will run npm install in the project and create the node_modules directory
- For the Emulators Setup choose the Functions and Firestore emulators
- Leave all defaults for the next options
- Choose to download the emulators now ( this is what you need the Java SDK for)
- Verify your project directory running:
```
ls -la
# The output should look like this
total 40
drwxr-xr-x   8   staff   256 May 13 15:33 .
drwxr-xr-x   7   staff   224 May 13 15:07 ..
-rw-r--r--   1   staff    68 May 13 15:33 .firebaserc
-rw-r--r--   1   staff  1166 May 13 15:33 .gitignore
-rw-r--r--   1   staff   650 May 13 15:33 firebase.json
-rw-r--r--   1   staff    44 May 13 15:31 firestore.indexes.json
-rw-r--r--   1   staff   755 May 13 15:30 firestore.rules
drwxr-xr-x  10   staff   320 May 13 15:32 functions
```
- Now you have installed a new Firebase Functions Project!

Installing Project Dependencies

Open the project in your Code Editor

The directory structure should look like this:

# Project Structure Overview

- `functions-express-ts-project-guide`
  - `functions`
    - `node_modules`
    - `src`
      - `index.ts`
      - `.eslintrc.js`
      - `.gitignore`
      - `package.json`
      - `package-lock.json`
      - `tsconfig.dev.json`
      - `tsconfig.json`
    - `.firebaserc`
    - `.gitignore`
    - `firebase.json`
    - `firestore.indexes.json`
    - `firestore.rules`

### functions
This directory contains all the source code and configuration for Firebase Functions.

#### node_modules
- **Purpose:** Contains all the npm packages that are installed as dependencies for the project. Managed by npm.

#### src
This directory holds the TypeScript source files for the Firebase Functions.

##### index.ts
- **Purpose:** The main entry point for Firebase Functions, contains the TypeScript code for defining cloud functions.

##### .eslintrc.js
- **Purpose:** Configuration file for ESLint, a tool for identifying and reporting on patterns found in ECMAScript/JavaScript code, aiming to make code more consistent and avoiding bugs.

##### .gitignore
- **Purpose:** Specifies intentionally untracked files that Git should ignore. Files already tracked by Git are not affected.

##### package.json
- **Purpose:** Defines npm package dependencies for the project, as well as build scripts and project metadata.

##### package-lock.json
- **Purpose:** Automatically generated file which specifies the exact versions of all npm dependencies that were installed for the project. Ensures a consistent environment for all installations of the dependencies.

##### tsconfig.dev.json
- **Purpose:** The TypeScript compiler configuration file for development environments, may differ slightly in settings from production to enable better debugging or more verbose logging.

##### tsconfig.json
- **Purpose:** The TypeScript compiler configuration file for the project. Defines options required to compile the project.

#### .firebaserc
- **Purpose:** Firebase CLI runtime configuration file. Stores aliases and project specific settings used by Firebase.

#### .gitignore (in functions directory)
- **Purpose:** Similar to the src .gitignore, but for the entire functions directory.

#### firebase.json
- **Purpose:** Firebase configuration file which defines rules and settings for your Firebase project, like hosting behavior and cloud functions paths.

#### firestore.indexes.json
- **Purpose:** Configuration file for defining indexes in Firestore. Helps improve query performance.

#### firestore.rules
- **Purpose:** Security rules file for Firestore. Defines what data can be accessed by whom, securing your Firestore data based on authentication and authorization.

Open the index.ts file
You should see an auto generated code, let’s remove all the code for now
This will be our entry file and we need to create a new Express application

1. Install Express

Let’s firs install express by running:

# Important: First, move into the functions directory, this is where the package.json file lives.
# We will run all our commands from this directory.
cd functions
# Install Express
npm install express
# You should see express on your package.json file dependencies

If you take a look at the package.json there’s auto generated content by the Firebase CLI, there are already some scripts, dependencies, and all we need to start developing

2. Do some code

Add the following to the index.ts file and read it carefull:

// For our API we will use the Functions 2nd Gen HTTP Request trigger
// See this: https://firebase.google.com/docs/functions/http-events?gen=2nd
// Import onRequest from firebase-functions for HTTP triggers.
import {onRequest} from "firebase-functions/v2/https";

// Import the entire Express module. This allows us to use its
// functionalities to create and manage the server.
import * as express from "express";

// Import the Request and Response types from the 'express' module.
// These types are used to type the request and response objects in
// route handlers, providing type checking and IntelliSense features in the IDE.
import {Request, Response} from "express";

// Create a new Express application by calling `express()`.
// This `app` object encapsulates all the functionalities of an
// Express application.
// It's used to configure routes, middleware, and to start the server.
const app = express();

// Define a route handler for HTTP GET requests to the root URL ("/").
// This sets up the server to respond to GET requests at the
// specified path. Here, the path is the root URL.
// eslint-disable max-len
// `req` (request) and `res` (response) are parameters typed with
// `Request` and `Response` to enhance type safety and tooling support.
// The handler function sends the text "Hello World!" back to the
// client when the root URL is accessed.
app.get("/", (req: Request, res: Response) => res.send("Hello World!"));

// Export the `app` instance as `api`. This exported `api` can be used
// elsewhere, particularly in Firebase Functions, to handle
// HTTP requests. This allows the `api` to act as a
// serverless function in the Firebase ecosystem.
exports.api = onRequest(app);

Now build the project to update the emulators server with npm run build this will create a lib directory which will be the one to actually deploy to the Cloud Functions.

3. Start the Emulators

Now, go back the package.json file.
See the command serve , run it with npm run serve

You’ll see something like this:

✔  functions: Loaded functions definitions from source: api.
# Important: this is the URL you will use to call the API
✔  functions[us-central1-api]: http function initialized (http://127.0.0.1:5001/my-project/us-central1/api).

┌─────────────────────────────────────────────────────────────┐
│ ✔  All emulators ready! It is now safe to connect your app. │
│ i  View Emulator UI at http://127.0.0.1:4000/               │
└─────────────────────────────────────────────────────────────┘

┌───────────┬────────────────┬─────────────────────────────────┐
│ Emulator  │ Host:Port      │ View in Emulator UI             │
├───────────┼────────────────┼─────────────────────────────────┤
│ Functions │ 127.0.0.1:5001 │ http://127.0.0.1:4000/functions │

Go to http://localhost:4000/ and you should see the Emulators interface, although only the Functions emulator is running for now in the URL: http://127.0.0.1:5001/my-project/us-central1/api
Open Postman
Create a new Request and do a GET to the URL
The Response should be "Hello World!"

That's it! you have now created a Hello World with Firebase Functions, Express and Typescript. In part 2 we will cover initializing Firestore and performing the CRUD operations for a Pets REST API.

Keep it cool and secure: do's and don'ts for managing Web App secrets

Bernardo Cassina — Sat, 06 Jan 2024 17:54:38 +0000

The security of your web application abides by the strength of your secrets.

Severe data breaches and systems that got totally hijacked for cryptocurrency mining aren't just tales from the tech-crypt, they're real, heavy, and far too prevalent.

Every other day we're hearing about some massive data breach or a bunch of servers turned into crypto-mining zombies. These aren't just wake-up calls; they're blaring alarms telling us to keep our digital house locked down tight.

Forget about the headache of cleaning up after an attack; it's the trust you lose, the customers that give you the side-eye, and the reputation you've built up taking a major hit. So yeah, staying on top of our security game is more than a good idea; it's essential to keeping everything we've worked for safe and sound.

Keeping your API keys, passwords, and other sensitive intel secure isn't just about playing defense, it's about preserving your cool reputation, your customers' privacy, and the trust of your team.

As we roll into the do's and don'ts of managing these crucial secrets, let's stay open-minded and remember that:

Adopting the right practices isn't just a laid-back suggestion; it's the key to maintaining a robust and trustworthy application.
There are likely more insights and strategies beyond what I've shared. So, I warmly invite you to contribute your thoughts and additional do's and don'ts in the comments.

Do's

Store your secrets like you’d keep your most precious item - in a cool, safe place, away from prying eyes.

Use Environment Variables

Environment are a way of keeping your info out of the codebase and reducing the risk of a bummer exposure.

Consider using tools like Gitlab CI/CD variables or Github secrets to fortify their security and seamlessly integrate them during the build process, tailored to your specific environment.

While environment variables are a common method for storing secrets, it's important to be aware of their potential risks, as highlighted in this Trend Micro article.

Environment variables are not inherently secure, as they are not encrypted and can be exposed to unauthorized access. Before using them, ensure that your deployment environment is secure and consider additional protective measures like access controls. Regularly review and audit your use of environment variables to prevent unintended exposure of sensitive information.

Employ a Secret Management Tool

For a more comprehensive and robust secret management solution, get your hands on tools like GCP Secret Manager, or HashiCorp Vault. They're like the security guards of your secrets, providing a safe house, access control, and keeping logs of who’s been snooping around.

I think this is a better alternative to using plain environment variables for storing API keys or secrets since they will be treated as encrypted secrets in a vault.

Environment Variables vs Secret Management Tool example

With Firebase Functions you can use Google Secret Manager and have a Parameterized configuration for both secrets and environment variables.

Environment Variables

You can create an env variable via an .env file or via deployment runtime or emulators. The following is a basic example, please see the Firebase Docs for a full example.


import { defineString } from 'firebase-functions/params';


export const baseStripeAPIURL: ConfigParameter = defineString('BASE_STRIPE_API_URL');

Secrets

You can create a secret using the firebase SDK:


firebase functions:secrets:set STRIPE_KEY

And then access the secret like so:


import { defineSecret } from 'firebase-functions/params';

export const stripeKey: ConfigParameter = defineSecret('STRIPE_KEY');

Encrypt secrets

Make sure your secrets are as unreadable as ancient hieroglyphs to those not in the know. Encryption is the magic spell here, with AES-256 being the incantation of choice.

Rotate secrets regularly

Rotate secrets at industry-recommended intervals, such as every 3-6 months, based on your application's threat model.

Regularly switching things up minimizes the fallout from any leaks. You can create a calendar and notifications to remind you when to change your secrets, this can be simplified with a Secret Management Tool as well.

Implement Least Privilege Access

Granting access to your system is like handing out backstage passes to a concert; you should only give them to those who absolutely need to be there. This approach minimizes the potential chaos if things go south.

Begin by assigning the bare minimum level of privilege necessary, then cautiously elevate permissions if additional access is required for specific tasks.

Consider also the temporal aspect of access—some may only need certain privileges for a limited period. Once their task is complete, or the time expires, revoke those privileges promptly. This way, you maintain a tight, secure environment, just as you would ensure only the essential crew is backstage during the show

Audit and monitor access to your secrets

Regularly check who's got the backstage pass to your secrets and keep a watchful eye on access logs. Stay alert for any oddball activity that could spell trouble, like an uninvited guest at your chill gathering. You can use tools like Cloud Audit Logs or Cloud Armor

Secure your deployment pipeline

Ensure the path to rolling out your application is as secure as a locked diary. Use CI/CD tools that vibe with secret management and put up a "No Trespassing" sign to restrict access to the deployment process. You can use a tool like Gitlab CI/CD

Use environment-specific secrets

Divide your secrets: one for development, testing, and production. This way, you prevent an accidental leak during a soundcheck from ruining the main show.

Ensure backup security

Ensuring the security of your backups is as important as securing your primary data. Encrypting backup data protects it even if accessed by unauthorized parties.

Regularly test and update your backup security measures to ensure they provide strong protection, making them an integral part of your data security strategy.

Educate your team

Gather your band members and make sure they're in tune with the importance of secret management. It's like teaching them the chords to a complex song – they need to understand and follow the best practices to hit the right notes.

Informed employees are a company's first and most effective line of defense.

It's important that they don't perceive this as a burdensome task. Providing informative and engaging learning content can help motivate your team about cybersecurity.

Implement MFA

Implement Multi Factor Authentication as an essential layer of security for accessing secrets, significantly reducing the risk of unauthorized access.

Don'ts

Don't hardcode secrets

Never embed your secrets directly into your source code or configuration files.

This practice, while convenient, is similar to leaving personal notes open in public spaces — it can inadvertently expose sensitive information. Instead, securely manage your secrets using environment variables or secret management tools to keep them protected.

Don't share secrets unnecessarily

Avoid passing around your secrets like a hot potato unless it's absolutely necessary. Each service should have its own private stash to minimize the drama if something goes sideways.

Don't use predictable secrets

Steer clear of secrets that are as predictable as a broken record. Always opt for strong, randomly generated passwords and keys that no one can guess.

Don't ignore alerts

Heed the call when your security system sounds the alarm. Swiftly investigate any unusual activity or unauthorized alterations to your secrets – they might be signaling a problem you can't afford to ignore.

These alerts act as an early warning system, helping to prevent potential breaches and maintain the integrity of your security measures.

Don't neglect regular audits

Regularly reviewing your secret management practices ensures they remain effective and up-to-date. Stay hip to the latest security trends and tweak your strategies to stay ahead of the curve.

Don't overlook API limits

Be mindful of the rate limits of any APIs you're using. Exceeding these limits can disrupt service and potentially lead to security vulnerabilities, so it's important to stay within the prescribed boundaries.

Don't store secrets in client-side code

Storing secrets in the client-side of your application can make them easily accessible to others. Instead, keep secrets server-side where they can be more securely managed and controlled, reducing the risk of exposure.

Don't rely on obscurity

Relying solely on hiding information is not a secure strategy. Adopt a comprehensive approach that includes encrypting data, enforcing strict access controls, and regularly monitoring for suspicious activities. A proactive and layered security strategy offers far more protection than simply hoping secrets remain undiscovered.

Don't neglect code reviews

Ensure code containing secret access or usage undergoes thorough code reviews to identify and mitigate potential vulnerabilities.

Conclusion

By abiding by these do's and don'ts, you're not just throwing a security blanket over your application; you're actively engaging in a righteous quest to protect your digital realm.

Security isn't a one-and-done deal. It's a continuous journey, a vibe you maintain. So, stay informed, stay cool, and most importantly, keep those secrets safe. Your application, your team, and your customers will thank you.

There are likely more insights and strategies beyond what I've shared. So, I warmly invite you to contribute your thoughts and additional do's and don'ts in the comments.

Let's learn and grow together in our quest for better security.

Thank you for reading ✌️😬

Understanding Stock Options: A Guide to Employee Equity

Bernardo Cassina — Tue, 28 Nov 2023 12:40:17 +0000

As a software developer in the tech industry, you've likely come across job offers that feature stock options as part of the compensation package. But what exactly are these "options," and more importantly, how do they translate into real-world financial benefits for you?

We go uncover not only the benefits but also the critical aspects to scrutinize stock options. These warnings are key to ensuring that a seemingly lucrative offer doesn’t lead you astray. It's essential, whether you're evaluating a new job offer or charting your tech career path, to understand the full spectrum of stock options. This insight is vital for making decisions that truly benefit your career and financial future.

What on earth are Stock Options?

Stock Options are not equivalent to owning shares in a company, at least not immediately. They represent a right, but not an obligation, to purchase shares of the company at a predetermined price at a later date. This purchase is called exercising your options. Think of it as a promise that you may buy a part of the company in the future, at a price set today.

In the realm of stock options, you'll encounter primarily two types: incentive stock options (ISOs) and non-qualified stock options (NSOs). The key distinction between them lies in their tax treatment and timing. For an in-depth exploration of these differences, Carta offers a detailed blog post which delves into these nuances. We won't cover these specifics extensively here, but this external resource can provide you with a deeper understanding.

How Stock Options Work

Setting The Stage

When a company is either starting up or hiring, it often creates an Employee Stock Options Pool (ESOP). This pool is like a reserved section for the potential high performers the company wishes to attract. However, establishing this pool requires approval from the company's Board of Directors and shareholders.

The Golden Ticket Offer

Consider this scenario: XYZ Technologies offers you a position and includes Stock Options in your compensation package. The number of options you receive might depend on your role, salary, and other factors. For example, if your yearly salary is $120K and the Stock Options value is calculated using a 0.5 multiplier, you would receive Stock Options valued at $60K.

Sample Offer

Yearly Salary: $120K

Stock Options Value: $60K

Vesting Period: 4 years (with a 1-year cliff)

Vesting Start Date: 01/01/2023

Fully Vested Date: 01/01/2027

Post Termination Exercise Period: 6 months

Stock Option Price: $2.00

Total Stock Options: 30,000

Understanding Vesting and Exercise

1 Year Cliff: If you leave the company before completing a year, you forfeit all options.
4 Year Vesting Period: After the 1-year cliff, 25% of your options become eligible for conversion to company shares each year. So you would vest 25% or 7,500 options each year.
Post Termination Exercise Period: If you leave the company, you have a set period, in this case, 6 months, to exercise your options. And if you don’t, you will lose them forever. So be aware of any notifications and verify with your company about the Post Termination Exercise Period before leaving.

Red Flags

A founder I once advised responded dismissively when I suggested explaining equity to their employees, saying, ‘There’s no need to explain equity; they wouldn’t understand it anyway.’ This attitude is a major red flag. Be vigilant for such warning signs:

Lack of Transparency: Hidden details about the company's financial status.
Lack of Clarity: Unclear Stock Options plans.
Failure to Vest: Delayed vesting without legitimate reasons.
Unfavorable Terms Upon Exit: Disadvantageous terms for employees.
Inadequate Documentation: Missing or incomplete documentation.
Unwillingness to Discuss Valuation: Founders reluctant to talk about the company's valuation.
Overly Complex Structures: Complicated Stock Options plans.
Changes in Plan Without Notification: Unannounced alterations to the Stock Options plan.
Unrealistic Vesting Schedules: Non-standard vesting timelines.
No Legal Counsel: Discouragement from seeking legal advice.
High Turnover Rates: Frequent changes in key personnel.
Dilution Concerns: Unclear policies on share dilution.
Absence of an Exit Strategy: No clear plan for liquidity events.
Excessive Control and Restrictions: Overly restrictive Stock Options agreements.

Exercising Stock Options

Four years later, let's assume your options' value has increased significantly. If the per-option value rises to $5.00, your 30,000 options now represent a $150,000 value, a substantial increase from the initial $60,000.

Exercising Stock Options can be a financially rewarding decision, but it comes with its own set of complexities, particularly regarding tax implications.

It's important to note that each company may have its own set of rules and conditions for exercising stock options. These can include specific timelines, procedures, and restrictions that you need to be aware of. Always thoroughly review your company’s stock option plan and seek clarification on any points you don't fully understand. This due diligence is vital to ensure you're fully informed and can make the most of your stock options without any unwelcome surprises. Here's what you need to know:

Tax Implications of Exercising Options

Immediate Tax Consequences: When you exercise Stock Options, especially Non-Qualified Stock Options (NSOs), the difference between the exercise price and the fair market value of the stock is treated as ordinary income and is subject to income tax.
Alternative Minimum Tax (AMT): For Incentive Stock Options (ISOs), the spread on exercise can trigger the Alternative Minimum Tax, which could significantly impact your tax liability.
Capital Gains Tax: If you hold the shares after exercising and sell them later, any appreciation since the exercise date is subject to capital gains tax. The rate depends on how long you've held the shares before selling.

Timing of Exercise and Sale

Holding Period: The decision of when to exercise and sell can greatly affect your tax situation. For ISOs, if you hold the shares for at least one year after exercise and two years after the grant date, you may qualify for long-term capital gains tax rates on any further appreciation.
Market Considerations: Timing can also be influenced by market conditions and your perception of the company's future prospects.

Financial Planning Considerations

Diversification: Owning a significant portion of your wealth in a single company's stock can be risky. Consider the role of these shares within your broader investment portfolio.
Liquidity Needs: Exercising options requires paying the exercise price, and you may need liquidity to cover this cost and potential taxes.
Personal Financial Goals: Align your decision to exercise options with your overall financial goals and life events, such as purchasing a home or planning for retirement.

Seek Professional Advice

Tax Advisor Consultation: A tax professional can help you understand the implications of exercising your options and plan for the tax consequences.
Financial Planner: A financial planner can assist in integrating this decision into your broader financial strategy, considering your personal circumstances and market conditions.

Benefits of Stock Options

Stock options can be a pivotal part of your compensation, offering more than just monetary value. Here’s how they enhance your package:

Growth and Wealth Accumulation

Company Success: As your company flourishes, the value of your stock options can soar, positioning you for significant financial gains.
Long-Term Benefits: They're not just immediate rewards; stock options are tools for future wealth, potentially outpacing standard salary increments.

Alignment and Flexibility

Personal Investment: Holding stock options aligns your success with the company’s, deepening your engagement and potentially boosting motivation.
Control: You have the flexibility to exercise these options based on your financial strategy, market conditions, and personal goals.

Tax Advantages

For ISOs: They may offer favorable tax treatment, with potential savings if you meet specific holding requirements.

While stock options can be lucrative, it's crucial to weigh them within the broader context of your career and financial planning.

The Path to Cashing In

There are several avenues for employees to cash in on their Stock Options, each with its specificities:

Secondary Markets: Platforms like SharesPost or EquityZen.
Buybacks by the Company: Company-initiated share repurchase programs.
Selling to Other Employees or Insiders: Internal transactions within the company.
External Private Investors: Sales to venture capitalists or private investors.
Acquisition: Share sales during a company acquisition.
IPO: Public share sales post-IPO.
Tender Offers: Buyout offers from investors or the company.
Merger or Business Combination: Stock conversions in case of a merger.
Stock Option Loan Programs: Loans using Stock Options as collateral.
Stock Swap with Another Company: Exchanging stocks between companies.

Conclusion

Years later, if the company goes public or its valuation increases significantly, the financial benefits can be substantial. However, it's crucial to understand the terms and conditions associated with Stock Options and seek professional advice when necessary.

Remember, both founders and employees play a role in the effective management of Stock Options.

Founders must educate their employees on the nuances and be transparent about it, while employees must proactively understand the terms and conditions, or ask the right questions if you notice any red flags.

Thank you for reading ✌️😬

External links

Disclaimer: The information provided in this blog post, including all examples and scenarios, is for illustrative and educational purposes only. It should not be construed as financial or legal advice. Stock Options and related financial decisions can be complex and vary greatly depending on individual circumstances and the specific details of each company's Stock Options plan. We strongly recommend consulting with qualified financial advisors, tax professionals, and legal counsel before making any decisions based on the information provided in this blog post. The author and publisher of this blog post are not responsible for any financial losses or legal issues arising from the use of the information contained herein. Always do your own due diligence and seek professional advice tailored to your specific situation.

API Checklist: Are You Production-Ready?

Bernardo Cassina — Mon, 27 Nov 2023 20:44:23 +0000

Ensuring your APIs are production-ready

APIs (Application Programming Interfaces) have emerged as the backbone of modern software development. From small-scale apps to enterprise-level solutions, APIs drive the interconnectedness of our digital ecosystem. But, with great power comes great responsibility. As developers, it's not enough to just create an API; it must be robust, reliable, and truly production-ready. Enter the API Checklist, a guide for helping your APIs stand tall and proud in the production landscape.

API Checklist

The API Checklist was born out of a desire to streamline and enhance developer teams processes. I am a fan of well written documentation and recognized that having a step-by-step guide could significantly elevate the quality of the APIs a team delivers. Instead of getting lost in the details or sidetracked by tight timelines, this checklist serves as a roadmap, ensuring that every essential aspect of API development is addressed. It's a tool that helps us maintain high standards, promotes consistency across projects, and ultimately leads to more reliable and robust APIs, well-suited for the demands of real-world applications.

Why Focus on Production Readiness?

A well-structured, thoroughly tested, and secure API is a foundational pillar of any successful software application. Production readiness transcends basic functionality; it encompasses scalability, security, documentation, and maintainability. Here’s why it’s crucial:

Reliability: A production-ready API can handle peak loads and unexpected traffic spikes without buckling, ensuring consistent service to users.
Security: In an era where data breaches are rampant, a secure API is non-negotiable. It’s about safeguarding your data and your users' trust.
User Experience: An API that seamlessly integrates and operates smoothly enhances the overall user experience of your application.
Future Scalability: Building with production in mind means your API can grow with your user base and feature set, avoiding costly overhauls down the line.

What's in the API Checklist?

The API Checklist spans various critical areas, from design consistency and error handling to security and performance. Each point in the checklist prompts you to scrutinize aspects of your API you might not have considered. Here’s a sneak peek:

Design & Consistency: Is your API in harmony with your existing ecosystem? Does it follow RESTful principles?
Security: Have you armored your API against common vulnerabilities?
Documentation: Is your API’s documentation clear, thorough, and accessible?
Monitoring & Logging: Can you efficiently track your API’s health and performance?

Got ideas to make our API Checklist even cooler? I’m all ears. Shoot your suggestions for improvement or any nifty tips you've got up your sleeve in this repo.

Thank you for reading ✌️😬

DEV Community: Bernardo Cassina

Firebase Functions Express Typescript Project Guide Part 2

Requirements

0. Design First Path

1. Create Pet Model

2. Initialize Firestore

3. Create new Pet

4. What if some parameters are missing?

5. GET Pets and filter by category and tag

Firebase Functions Express Typescript Project Guide Part 1

Prerequisites

Setup

0. Create a Firebase Project

1. Install Homebrew and Java

2. Install Node.js 18 Using nvm

3. Make sure npm is installed

4. Install Firebase CLI

5. Create a New Firebase Functions TypeScript Project

Installing Project Dependencies

1. Install Express

2. Do some code

3. Start the Emulators

Keep it cool and secure: do's and don'ts for managing Web App secrets

Do's

Use Environment Variables

Employ a Secret Management Tool

Environment Variables vs Secret Management Tool example

Environment Variables

Secrets

Encrypt secrets

Rotate secrets regularly

Implement Least Privilege Access

Audit and monitor access to your secrets

Secure your deployment pipeline

Use environment-specific secrets

Ensure backup security

Educate your team

Implement MFA

Don'ts

Don't hardcode secrets

Don't share secrets unnecessarily

Don't use predictable secrets

Don't ignore alerts

Don't neglect regular audits

Don't overlook API limits

Don't store secrets in client-side code

Don't rely on obscurity

Don't neglect code reviews

Conclusion

Understanding Stock Options: A Guide to Employee Equity

What on earth are Stock Options?

How Stock Options Work

Setting The Stage

The Golden Ticket Offer

Understanding Vesting and Exercise

Red Flags

Exercising Stock Options

Tax Implications of Exercising Options

Timing of Exercise and Sale

Financial Planning Considerations

Seek Professional Advice

Benefits of Stock Options

Growth and Wealth Accumulation

Alignment and Flexibility

Tax Advantages

The Path to Cashing In

Conclusion

External links

API Checklist: Are You Production-Ready?

Ensuring your APIs are production-ready

API Checklist

Why Focus on Production Readiness?

What's in the API Checklist?

3. Make sure `npm` is installed