74 lines
No EOL
2.2 KiB
Text
74 lines
No EOL
2.2 KiB
Text
---
|
|
description: Keep business logic in the backend to ensure security and compatibility
|
|
globs: **/*.{ts,js,go}
|
|
---
|
|
<rule>
|
|
When implementing features that involve business logic:
|
|
|
|
1. Keep critical business logic in the backend:
|
|
- Data validation and sanitization
|
|
- ID/UUID generation
|
|
- Timestamp management
|
|
- Access control and authorization
|
|
- Complex calculations or data transformations
|
|
- Relationship management and graph traversal
|
|
- Link extraction and validation
|
|
|
|
2. Frontend should only handle:
|
|
- UI state management
|
|
- User input collection
|
|
- Data display and formatting
|
|
- Basic input validation for UX
|
|
- UI-specific transformations
|
|
- Relationship visualization
|
|
|
|
3. Security-sensitive operations must always be in backend:
|
|
- Cryptographic operations
|
|
- Token generation/validation
|
|
- Password handling
|
|
- Session management
|
|
|
|
4. When in doubt about where to place logic:
|
|
- If it affects data integrity → backend
|
|
- If it requires secure execution → backend
|
|
- If it needs to work without JavaScript → backend
|
|
- If it's purely for display/interaction → frontend
|
|
|
|
5. Data synchronization guidelines:
|
|
- Backend owns the source of truth for relationships
|
|
- Frontend should never compute relationships locally
|
|
- Use backend-provided relationship data for display
|
|
- Cache relationship data in frontend stores
|
|
- Update relationship cache on mutations
|
|
- Preload relationships when beneficial for UX
|
|
|
|
metadata:
|
|
priority: high
|
|
version: 1.1
|
|
</rule>
|
|
|
|
examples:
|
|
- input: |
|
|
# Bad: Generating UUIDs in frontend
|
|
const id = crypto.randomUUID();
|
|
output: |
|
|
// Backend generates ID
|
|
const response = await api.createResource(data);
|
|
const { id } = response;
|
|
|
|
- input: |
|
|
# Bad: Validating permissions in frontend
|
|
if (user.hasPermission('edit')) { ... }
|
|
output: |
|
|
// Let backend handle authorization
|
|
const response = await api.updateResource(id, data);
|
|
if (response.status === 403) {
|
|
showError('Not authorized');
|
|
}
|
|
|
|
- input: |
|
|
# Bad: Computing relationships in frontend
|
|
const links = content.match(/\[\[(.*?)\]\]/g);
|
|
output: |
|
|
// Use backend-provided relationships
|
|
const { linksTo, linkedBy } = await api.getNote(id); |