Written in Golang
- The language of choice for containerized environments
(Docker and Kubernetes are both written in Go).
- Lighter memory footprint than our Spring Boot apps (see this gist).
- More performant.
- Way faster build / startup times than Spring Boot.
- More maintainable / less boilerplate / fewer lines of code.
- DB connection retries (Spring will fail if DB isn’t up).
- Able to configure frequency of scheduled tasks, unlike Spring’s
@Scheduled(fixedDelay = 500).
- Async functions feel natural. No more creating new files just to invoke
- Alpine Postgres DB uses 8MB (no data).
- Golang server (e.g.,
auth) takes 10MB (under no load).
- Alpine RabbitMQ uses 80MB (under no load). Not much I can do about that.
- So I could easily run 20 Golang REST APIs and still only use 440MB (well under a Raspberry Pi’s 1GB RAM).
Insanely fast build times!
$ time go build -o ./bin/alpaca-auth ./services/auth
1.52s user 0.59s system 130% cpu 1.618 total
Running feels instantaneous. Doing a
./gradlew bootRun on a Spring Boot app, on the other hand, takes nearly 15 seconds.
Fewer lines of code!
tokei reports 3293 LOC.
In Java, the lines of code could easily be 4 times this.
Microservices, not monolith!
Here’s the original RFC
that about decomposing the original monolith.
Microservices lead to
- independent development (easier to onboard developers, less surface area for stuff to go wrong)
- independent deployment (no need to bring everything down to update one thing)
- independent scaling (e.g., the CPU-intensive password hashing service need not be tethered to everything else)
- Postgres instead of MySQL.
- There is no official Alpine MySQL Docker image as of Jan 2018.
- Snowflake PKs.
- 8-bytes instead of 16-byte UUID PKs. (see PR #5).
- Snowflakes are harder to guess, but not unguessable, like Tweet IDs.
- Where we need unguessability, such as with any of our (reset, 2FA, or confirmation) codes, we use v4 UUIDs.
- Cursor pagination.
- Better varchar constraints: 50 for names (see Facebook), 25 for usernames (compromise between Github’s 39 and Twitter’s 15).
- Salt is stored on Password, not Account, per OWASP.
- “Generate a unique salt upon creation of each stored credential (not just per user or system wide)”
- Dropping LUDS
in favor of password complexity, with Dropbox’s zxcvbn.
- Passwords and accounts no longer expire.
- Self-calibrating iteration count. App will determine how many password hash
iterations it must perform such that hashing takes roughly a second, or some other given value.
- “Multi-factor” instead of “two-factor”.
- “Claims” instead of “roles”.
- Security – Backup codes
- Security – “New device”, based on IP address/MAC address combination
- Security – support YubiKeys
- Security – support Authy, Google Authenticator
- Database – look into CockroachDB
- Ability to merge accounts