# Day 105 — Week 3 Review + Recall
Month 4 · Week 3
## 🎯 Learning Objective
Consolidate the Week 3 "production handler" stack — validation → structured logging → pagination → config → rate limiting → JWT/RBAC — with closed-book recall, and capture what's still fuzzy.
## 📚 Topics
- Request validation (400 vs 422) & per-request `slog` logging
- Pagination/filtering, env config, rate limiting, JWT auth + RBAC
## 📖 Reading / Sources
- Re-skimmed this week's day notes 099–104
- `log/slog` · `net/mail` · `crypto/hmac` · `golang.org/x/time/rate`
## 📝 Notes
- Full write-up lives in the Week 3 review.
- The mental model that ties it together: a request enters through middleware (request-id → structured log → rate limit → JWT/RBAC), the handler decodes then validates the body (400 vs 422), reads clamped pagination params, and everything it needs to run came from env config loaded once at boot.
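The handler half of that model, as an added example (not code from the journal's `examples/` tree): decode first, validate second, so a body that does not parse is a 400 and a body that parses but breaks a rule is a 422, exactly the split in the recall answer; plus the clamped pagination read. The `CreateUser` shape, the rules (non-empty name up to 100 characters, bare `net/mail`-parseable address) and the page limits (default 20, cap 100) are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/mail"
	"net/url"
	"strconv"
	"strings"
)

// CreateUser is the request body of this constructed example handler.
type CreateUser struct {
	Name  string `json:"name"`
	Email string `json:"email"`
}

// Page limits chosen for the example; clamping keeps a client from asking for
// an unbounded page or a negative offset.
const (
	defaultLimit = 20
	maxLimit     = 100
)

// DecodeAndValidate separates the two failure classes: a body that does not
// decode is a syntax problem (400); a body that decodes but breaks a rule is
// unprocessable (422). On success it returns 201 and the cleaned input.
func DecodeAndValidate(body string) (CreateUser, int, string) {
	var in CreateUser
	dec := json.NewDecoder(strings.NewReader(body))
	// Decode first: any error here means the client did not send the JSON
	// object we asked for, which is their syntax, not our rules.
	if err := dec.Decode(&in); err != nil {
		return CreateUser{}, 400, "malformed JSON: " + err.Error()
	}
	// Validate second: the document parsed, now apply the handler's rules.
	in.Name = strings.TrimSpace(in.Name)
	switch {
	case in.Name == "":
		return in, 422, "name is required"
	case len(in.Name) > 100:
		return in, 422, "name must be at most 100 characters"
	}
	addr, err := mail.ParseAddress(in.Email)
	if err != nil || addr.Address != in.Email {
		// Reject display names ("Ann <ann@example.com>") and anything
		// ParseAddress cannot read, so only a bare address reaches storage.
		return in, 422, "email must be a bare, well-formed address"
	}
	return in, 201, ""
}

// PageParams reads limit/offset from a raw query string and clamps them:
// unparsable or non-positive limit -> default, limit above the cap -> cap,
// negative or unparsable offset -> 0.
func PageParams(rawQuery string) (limit, offset int) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return defaultLimit, 0
	}
	limit = defaultLimit
	if n, err := strconv.Atoi(q.Get("limit")); err == nil && n > 0 {
		limit = n
	}
	if limit > maxLimit {
		limit = maxLimit
	}
	if n, err := strconv.Atoi(q.Get("offset")); err == nil && n > 0 {
		offset = n
	}
	return limit, offset
}

func main() {
	// Constructed inputs, one per branch.
	for _, body := range []string{
		`{"name": "Ann"`,                                    // truncated -> 400
		`{"name": "", "email": "ann@example.com"}`,          // rule break -> 422
		`{"name": "Ann", "email": "Ann <ann@example.com>"}`, // display name -> 422
		`{"name": "Ann", "email": "ann@example.com"}`,       // ok -> 201
	} {
		_, status, msg := DecodeAndValidate(body)
		fmt.Println(status, msg)
	}
	limit, offset := PageParams("limit=500&offset=-4")
	fmt.Println(limit, offset) // 100 0
}
```

The order matters for the status code: `json.Decoder` errors (including a truncated body, which surfaces as `io.ErrUnexpectedEOF`) are all reported before any rule runs, so the 400/422 boundary is the decode call itself.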
## 💻 Code Examples
No new code today — re-ran this week's runnable examples to check recall:
```sh
go run ./examples/month-04/validation
go run ./examples/month-04/reqlog
go run ./examples/month-04/ratelimit
go run ./examples/month-04/jwt
go test ./exercises/month-04/week-3/...
```
## 🏋️ Exercises / Practice
| Exercise | Status | Link |
|---|---|---|
| Re-solve all Week 3 exercises closed-book | ✅ | exercises/month-04/week-3 |
## 🐛 Mistakes Made
- On recall I first said malformed JSON → 422; it's 400 (syntax). 422 is for a body that decodes but breaks a rule. Re-anchored.
## ❓ Open Questions
- Carried into the week review's action items (cursor pagination/Link headers, distributed rate limiting, refresh-token rotation).
## 🧠 Active Recall (answer without looking)
- Q: Match each to its status code: malformed JSON · valid body that breaks a rule · over the rate limit · missing token · valid token wrong role.
  A: Malformed JSON → 400 · rule violation → 422 · over rate limit → 429 · missing/invalid token → 401 · authenticated but wrong role → 403.
- Q: What's the one-line rule for verifying a JWT safely?
  A: Pin `alg`, recompute the HMAC over the received `header.payload`, compare with `hmac.Equal` (constant-time), check `exp` — and only *then* trust the claims.
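The JWT rule above written out in order, as an added example (not the journal's `examples/month-04/jwt`): the verifier pins `alg` to HS256 before touching anything else, recomputes the MAC over the received `header.payload` bytes, compares with `hmac.Equal`, checks `exp`, and only then returns the claims; `AuthStatus` then maps the outcome onto the 401/403 split from the first recall answer. The `Claims` shape (`sub`, `role`, `exp`), the `MintHS256` helper used to produce test tokens, the role names and the secret are all constructed for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the minimal claim set this example checks (constructed).
type Claims struct {
	Sub  string `json:"sub"`
	Role string `json:"role"`
	Exp  int64  `json:"exp"`
}

var (
	ErrMalformed = errors.New("jwt: malformed token")
	ErrAlg       = errors.New("jwt: unexpected alg")
	ErrSignature = errors.New("jwt: bad signature")
	ErrExpired   = errors.New("jwt: expired")
)

var b64 = base64.RawURLEncoding

// MintHS256 builds a signed token so the example has something to verify;
// a real issuer lives elsewhere.
func MintHS256(secret []byte, c Claims) string {
	header := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, _ := json.Marshal(c)
	signingInput := header + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil))
}

// VerifyHS256 applies the one-line rule: pin alg, recompute the MAC over the
// received header.payload, compare in constant time, check exp, then trust.
func VerifyHS256(token string, secret []byte, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, ErrMalformed
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return Claims{}, ErrMalformed
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return Claims{}, ErrMalformed
	}
	// 1. Pin the algorithm: the token never gets to choose it.
	if hdr.Alg != "HS256" {
		return Claims{}, ErrAlg
	}
	// 2. Recompute over the bytes actually received, not re-encoded ones.
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return Claims{}, ErrMalformed
	}
	// 3. Constant-time comparison.
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return Claims{}, ErrSignature
	}
	// 4. Only now parse the claims and check exp.
	body, err := b64.DecodeString(parts[1])
	if err != nil {
		return Claims{}, ErrMalformed
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return Claims{}, ErrMalformed
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return Claims{}, ErrExpired
	}
	return c, nil
}

// AuthStatus maps verification onto the recall answer: 401 for a missing or
// invalid token, 403 for a valid token with the wrong role, 200 otherwise.
func AuthStatus(authorization string, secret []byte, want string, now time.Time) int {
	const prefix = "Bearer "
	if !strings.HasPrefix(authorization, prefix) {
		return 401
	}
	c, err := VerifyHS256(strings.TrimPrefix(authorization, prefix), secret, now)
	if err != nil {
		return 401
	}
	if c.Role != want {
		return 403
	}
	return 200
}

func main() {
	secret := []byte("example-secret-not-for-real-use") // constructed
	now := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	tok := MintHS256(secret, Claims{Sub: "u1", Role: "viewer", Exp: now.Add(time.Hour).Unix()})
	fmt.Println(AuthStatus("Bearer "+tok, secret, "viewer", now)) // 200
	fmt.Println(AuthStatus("Bearer "+tok, secret, "admin", now))  // 403
	fmt.Println(AuthStatus("", secret, "viewer", now))            // 401
}
```

Two things the order buys you: a token whose header names any other algorithm is refused before the signature or claims are even decoded, and a claims parse error can never be confused with a signature failure because parsing happens only after `hmac.Equal` succeeds. Taking `now` as a parameter keeps the `exp` check testable without sleeping.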
## 🪶 Feynman Reflection
Week 1 was the HTTP plumbing, Week 2 was the database behind it; this week was the production layer in between — the cross-cutting concerns every real handler needs. A request is logged, rate-limited, and authenticated by middleware before the handler validates its body and pages its results, all configured from the environment. None of it is the "feature" — all of it is what makes the feature safe to ship.
## 🕳️ Knowledge Gaps
- Observability beyond logs (metrics/tracing) and distributed/shared limiter state — flagged for next week.
## ✅ Summary
Week 3 done: I can validate requests, log every request structurally, paginate safely, configure from env, rate-limit per client, and authenticate/authorize with JWT + RBAC.
## ⏭️ Next Steps / Prep for Tomorrow
- Week 4: tying the service together — testing the HTTP+DB stack end to end and packaging for deploy.
| Time spent | Difficulty | Confidence |
|---|---|---|
| 60 min | 🟦⬜⬜⬜⬜ | 🟦🟦🟦🟦⬜ |
Suggested commit: docs(journal): month 4 week 3 review + recall (day 105)