Backend API
Server-side logic: processing data, handling authentication and running the business logic.
What is a backend API?
A backend API is the bridge between the frontend (the user interface) and the database. It runs on the server and is responsible for:
- Processing data: accepting requests from the frontend and returning responses
- Business logic: applying the application's core rules and calculations
- Authentication and authorization: identifying users and checking what they are allowed to do
- Database access: performing CRUD operations
An API (Application Programming Interface) is a set of rules that programs use to communicate with each other. Web APIs usually run over HTTP.
A backend API is like a restaurant kitchen. The customer (user) gives an order to the waiter (frontend), the waiter passes it to the cook (backend), and the cook prepares the dish and has the waiter deliver it to the customer. The customer never walks into the kitchen, and that is the point: the frontend only ever sees what the backend chooses to return.
Why is it needed?
Couldn't the frontend just talk to the database directly? No, and there are several important reasons:
Security
Everything shipped to the frontend is public. If database credentials are embedded in the client, every user, and every attacker, can extract them and connect directly, bypassing every rule the application enforces. The backend keeps credentials and other secrets on the server; clients only get the endpoints it exposes.
Validation
Users can send malformed or malicious data, and client-side checks can be bypassed by anyone with browser developer tools or curl. The backend validates every input it receives.
Business logic
Complex calculations, rules and workflows run on the server, where the client can neither read nor tamper with them.
Scalability
One backend can serve many frontends (web, mobile, IoT).
In 2019 an attacker stole the data of roughly 100 million Capital One customers. The root cause was not the application code but a misconfigured web application firewall on AWS: a server-side request forgery through it reached the instance metadata service, which returned credentials for an over-privileged IAM role that could read customer data from S3. The configuration of the backend and of the infrastructure around it is security-critical.
Core concepts
REST API
REST (Representational State Transfer) is the most widespread API architecture. Its main principles:
- Stateless: each request carries everything the server needs to handle it (including authentication); the server keeps no session state between requests
- Resource-based: URLs name resources (/users, /products), not actions
- HTTP methods: the standard methods map onto CRUD
HTTP Methods
The standard mapping: GET reads a resource, POST creates one, PUT replaces one, PATCH partially updates one, DELETE removes one. GET must have no side effects, and GET, PUT and DELETE should be idempotent (repeating the request leaves the server in the same state), which is what lets clients and proxies retry them safely.
GraphQL
An alternative approach created by Facebook:
- Single endpoint: /graphql
- The client chooses: the client specifies which data it needs
- No over-fetching: you receive only the fields you asked for
- Type system: a strongly typed schema validates the shape of every query. This does not replace authorization: each resolver still has to check that the caller may see the field, and in production you also need to limit query depth and complexity and consider disabling introspection.
Authentication vs Authorization
- Authentication (AuthN): "Who are you?", establishing the user's identity
- Authorization (AuthZ): "What are you allowed to do?", checking permissions
Status Codes
HTTP response codes communicate the outcome:
- 2xx: success (200 OK, 201 Created, 204 No Content)
- 4xx: client error (400 Bad Request; 401 Unauthorized, which despite its name means "not authenticated"; 403 Forbidden for an authenticated caller who lacks permission; 404 Not Found; 429 Too Many Requests)
- 5xx: server error (500 Internal Server Error, 503 Service Unavailable)
Practical process (step by step)
API design and documentation
Write the API schema with OpenAPI/Swagger. Define the endpoints, methods and request/response formats.
Create the project structure
Choose a framework (Express, FastAPI, NestJS). Organise folders for routes, controllers, services and models.
Configure middleware
Add CORS, body parsing, authentication, logging and error-handling middleware.
Connect the database
Connect to the database through an ORM (Prisma, TypeORM, SQLAlchemy) and create the models.
Write the business logic
Put the business logic in the service layer. Keep the controllers thin.
Validate input
Check every input with Joi, Zod or class-validator.
Testing
Write unit tests (Jest, pytest), integration tests (Supertest) and API tests (Postman/Newman).
Logging and monitoring
Log with Winston, Pino or Python's logging module. Add a health check endpoint.
Most common mistakes
Storing whatever the user sent without checking it. Validation keeps bad data out, but it does not by itself stop SQL injection: for that, every query must use parameterised statements (or an ORM that builds them) and never concatenate user input into SQL.
Storing passwords without hashing: if the database is breached, every password is exposed. Use bcrypt or Argon2 (Argon2id where available) with a per-password random salt, and never a plain fast hash such as MD5 or SHA-1.
Sending stack traces or database errors to the frontend: they are valuable reconnaissance for an attacker (table names, library versions, file paths). Log the details on the server and return generic messages in production.
Accepting unlimited requests: this leaves the API open to brute-force attacks on login and to resource exhaustion by a single client. Put limits per IP and per user. Application-level rate limiting is not a defence against a volumetric DDoS, which has to be absorbed upstream (CDN, load balancer), but it stops the cheap attacks.
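As an added example that is not from the original page, the block below implements a sliding-window rate limiter with the two tiers the text suggests (a general per-IP limit and a tighter login limit), plus an Express-style middleware wrapper that answers 429 with a Retry-After header. It needs no packages; the `res.status().json()` shape, the limits and the key functions are assumptions made for the example. It also serves the rate-limiting item in the security list further down the page.

```javascript
// Sliding-window rate limiter keyed by an arbitrary string (IP, user id, IP+username).
// The clock is injectable so behaviour can be tested deterministically.
class SlidingWindowLimiter {
  constructor({ limit, windowMs, now = () => Date.now() }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.hits = new Map(); // key -> timestamps (ms) of requests inside the window
  }

  // Record one request for `key`; returns whether it is allowed and when to retry
  hit(key) {
    const t = this.now();
    const cutoff = t - this.windowMs;
    const recent = (this.hits.get(key) || []).filter((ts) => ts > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + this.windowMs - t };
    }
    recent.push(t);
    this.hits.set(key, recent);
    return { allowed: true, remaining: this.limit - recent.length, retryAfterMs: 0 };
  }

  // Drop keys with no activity inside the window so memory does not grow without bound
  prune() {
    const cutoff = this.now() - this.windowMs;
    for (const [key, stamps] of this.hits) {
      if (stamps.every((ts) => ts <= cutoff)) this.hits.delete(key);
    }
  }
}

// Express-style middleware factory (req, res, next). Assumes res.status(...).json(...) as in Express.
function rateLimit(limiter, keyFn) {
  return (req, res, next) => {
    const result = limiter.hit(keyFn(req));
    res.setHeader('X-RateLimit-Remaining', String(result.remaining));
    if (!result.allowed) {
      res.setHeader('Retry-After', String(Math.ceil(result.retryAfterMs / 1000)));
      return res.status(429).json({
        success: false,
        error: { code: 'RATE_LIMITED', message: 'Too many requests', details: [] },
      });
    }
    next();
  };
}

// Client IP. X-Forwarded-For is client-controlled unless a proxy you operate overwrites it,
// so it is only honoured when the app is known to sit behind such a proxy.
function clientIp(req, { behindTrustedProxy = false } = {}) {
  const xff = req.headers && req.headers['x-forwarded-for'];
  if (behindTrustedProxy && typeof xff === 'string' && xff.length > 0) {
    return xff.split(',')[0].trim();
  }
  return req.socket.remoteAddress;
}

// Two tiers: a general per-IP limit and a much tighter limit for login attempts.
// Login attempts are keyed by IP plus target username, which throttles guessing against one
// account from one address without letting an attacker lock a victim out from many addresses.
const generalLimiter = new SlidingWindowLimiter({ limit: 100, windowMs: 60_000 });
const loginLimiter = new SlidingWindowLimiter({ limit: 5, windowMs: 15 * 60_000 });

const generalRateLimit = rateLimit(generalLimiter, (req) => clientIp(req));
const loginRateLimit = rateLimit(loginLimiter, (req) => {
  const username = String((req.body && req.body.username) || '').toLowerCase();
  return `${clientIp(req)}:${username}`;
});
```

In an Express app these attach as `app.use(generalRateLimit)` and `app.post('/login', loginRateLimit, handler)`. A single-process Map is fine for one instance; with several instances the counters need a shared store such as Redis, otherwise each instance enforces the limit separately.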
Study the OWASP Top 10 and apply a countermeasure for each risk. Start with a security-first approach.
Best practices
- Use versioning: /api/v1/users, /api/v2/users
- Validate all input on the server (client-side validation is a convenience, not a security control)
- HTTPS only: do not accept plain HTTP
- Keep JWTs short-lived (15-60 minutes)
- Set up rate limiting and throttling
- Configure CORS correctly: allow-list the origins you trust instead of using a wildcard (*) in production, and never combine a wildcard with credentials
- Use pagination: do not return 1000 records in one response
- Consistent error format: {error: {code, message, details}}
- Health check endpoint: GET /health or GET /api/status
- Log with a request ID: it makes debugging much easier
Tools and technologies
Express + TypeScript
The most popular Node.js framework. Lightweight, flexible, with a large ecosystem.
FastAPI
A modern Python framework. Automatic docs, async support, very fast.
NestJS
An enterprise-grade Node.js framework. Angular-style architecture, TypeScript-native.
Mini example
A simple REST API with Express.js:
```javascript
const express = require('express');
const app = express();

// Middleware: parse JSON bodies, with a size cap so one huge body cannot exhaust memory
app.use(express.json({ limit: '10kb' }));

// In-memory "database" (for the example only)
let users = [
  { id: 1, name: 'Ali', email: 'ali@example.com' },
  { id: 2, name: 'Vali', email: 'vali@example.com' }
];
// Monotonic counter: users.length + 1 would hand out a duplicate id after a DELETE
let nextId = users.length + 1;

// GET - list all users
app.get('/api/users', (req, res) => {
  res.json({ success: true, data: users });
});

// GET - one user by id
app.get('/api/users/:id', (req, res) => {
  const user = users.find(u => u.id === parseInt(req.params.id, 10));
  if (!user) {
    return res.status(404).json({ success: false, error: 'User not found' });
  }
  res.json({ success: true, data: user });
});

// POST - create a user
app.post('/api/users', (req, res) => {
  const { name, email } = req.body;
  // Validation: the fields must be present and must be strings, not objects or arrays
  if (typeof name !== 'string' || typeof email !== 'string' || !name || !email) {
    return res.status(400).json({ success: false, error: 'Name and email are required' });
  }
  const newUser = { id: nextId++, name, email };
  users.push(newUser);
  res.status(201).json({ success: true, data: newUser });
});

// DELETE - remove a user
app.delete('/api/users/:id', (req, res) => {
  const index = users.findIndex(u => u.id === parseInt(req.params.id, 10));
  if (index === -1) {
    return res.status(404).json({ success: false, error: 'User not found' });
  }
  users.splice(index, 1);
  res.status(204).send();
});

// Error-handling middleware (recognised by its four parameters):
// log the stack on the server, return only a generic message to the client
app.use((err, req, res, next) => {
  console.error(err.stack);
  res.status(500).json({ success: false, error: 'Internal server error' });
});

app.listen(3000, () => {
  console.log('Server running on port 3000');
});
```
JWT authentication middleware:
```javascript
const jwt = require('jsonwebtoken');

const JWT_SECRET = process.env.JWT_SECRET;
if (!JWT_SECRET) {
  // Fail at startup rather than silently verifying every token against undefined
  throw new Error('JWT_SECRET is not set');
}

const authMiddleware = (req, res, next) => {
  // Read the token from the Authorization header
  const authHeader = req.headers.authorization;
  if (!authHeader || !authHeader.startsWith('Bearer ')) {
    return res.status(401).json({ success: false, error: 'No token provided' });
  }
  const token = authHeader.split(' ')[1];
  try {
    // Pin the accepted algorithm: a token whose header names another "alg" is rejected
    const decoded = jwt.verify(token, JWT_SECRET, { algorithms: ['HS256'] });
    req.user = decoded;
    next();
  } catch (err) {
    // Expired, malformed and wrongly signed tokens all end up here
    return res.status(401).json({ success: false, error: 'Invalid token' });
  }
};

module.exports = authMiddleware;
```
Security and reliability
- Defend against the OWASP Top 10 risks: injection, XSS, CSRF, broken access control and the rest.
- Hash passwords with bcrypt or Argon2. Do not use MD5/SHA-1!
- HTTPS is mandatory: redirect HTTP requests to HTTPS and send an HSTS header so browsers stop trying plain HTTP.
- Rate limiting, for example at most 100 requests per minute per IP and 5 attempts for login.
- Use Helmet.js (Node.js) or an equivalent security-headers middleware.
- Do not return sensitive data in responses (password hashes, internal IDs, tokens).
Frequently asked questions (FAQ)
REST or GraphQL?
REST suits plain CRUD operations and small to medium projects: it is widely supported and easy to learn. GraphQL suits complex data requirements, many frontends and nested data; companies such as Facebook, GitHub and Shopify use it. Starting with REST is the usual recommendation.
Where should the JWT be stored on the client?
An HttpOnly cookie is the safest place: script cannot read it, so an XSS bug cannot simply steal the token. Because the browser attaches cookies automatically, you then need CSRF protection (SameSite=Lax or Strict, plus a CSRF token on state-changing requests). localStorage/sessionStorage is convenient, but any XSS can read and exfiltrate the token. Keep access tokens short-lived (about 15 minutes) and refresh tokens longer (7-30 days), and use refresh token rotation so that a stolen refresh token is detected when it is reused.
Monolith or microservices?
Start with a monolith! Move to microservices only when there is a real need: independent scaling, different technology stacks, or a large team (10+). Many companies moved to microservices too early and ran into trouble. The "monolith first" approach is recommended.
How do I version an API?
Three common methods: 1) URL path: /api/v1/users (the most widespread), 2) query parameter: /api/users?version=1, 3) header: Accept: application/vnd.api+json;version=1. The URL path is the clearest and the easiest to debug.
What is the N+1 query problem?
You fetch 10 posts (1 query), then the author of each post separately (10 more queries): 11 queries in total, and the number grows with the page size. Solutions: eager loading (a SQL JOIN), DataLoader (GraphQL), include/populate (ORM). Always monitor your database queries.
How do I document an API?
OpenAPI/Swagger is the standard format. Swagger UI generates interactive docs automatically. Postman Collections are another good option. Keep the docs updated together with the code. API-first approach: write the spec first, then the code.
How should errors be returned?
A consistent format: {success: false, error: {code: "USER_NOT_FOUND", message: "User not found", details: []}}. Use HTTP status codes correctly. Never return stack traces in production. Log with a request ID.
How do I paginate?
Two methods: 1) offset-based: ?page=2&limit=20 (simple, but slow for large offsets because the database must skip all the preceding rows), 2) cursor-based: ?cursor=abc123&limit=20 (good for real-time data and large datasets). Return next/prev links in the response, and a total count where it is cheap to compute (with cursor pagination it is often omitted for that reason).
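As an added example that is not from the original page, the block below implements both styles side by side over an in-memory list: an opaque, validated cursor for the cursor-based style and page/limit arithmetic for the offset-based style, with the client-supplied limit clamped in both. The cursor encoding, the default and maximum limits and the link format are choices made for this example.

```javascript
// Opaque cursor: base64url-encoded JSON carrying the last id the client has seen.
// The client cannot craft an arbitrary offset, and the server validates whatever comes back.
function encodeCursor(lastId) {
  return Buffer.from(JSON.stringify({ id: lastId })).toString('base64url');
}

// Returns null for "no cursor" (first page), undefined for an invalid cursor, otherwise the id
function decodeCursor(cursor) {
  if (cursor === undefined || cursor === null || cursor === '') return null;
  try {
    const parsed = JSON.parse(Buffer.from(String(cursor), 'base64url').toString('utf8'));
    return parsed && Number.isInteger(parsed.id) && parsed.id >= 0 ? parsed.id : undefined;
  } catch {
    return undefined;
  }
}

const DEFAULT_LIMIT = 20;
const MAX_LIMIT = 100;

// Clamp the client-supplied limit: absent or invalid falls back to the default, never above MAX_LIMIT
function clampLimit(limit) {
  const n = Number.parseInt(limit, 10);
  if (!Number.isInteger(n) || n < 1) return DEFAULT_LIMIT;
  return Math.min(n, MAX_LIMIT);
}

// Cursor-based page over `items`, which must be sorted by id ascending.
// Against a database this is "WHERE id > $afterId ORDER BY id LIMIT $limit", equally fast for any page.
function paginateByCursor(items, { cursor, limit } = {}) {
  const afterId = decodeCursor(cursor);
  if (afterId === undefined) {
    return { error: { code: 'INVALID_CURSOR', message: 'Cursor is not valid', details: [] } };
  }
  const pageSize = clampLimit(limit);
  const start = afterId === null ? 0 : items.findIndex((item) => item.id > afterId);
  const page = start === -1 ? [] : items.slice(start, start + pageSize);
  const hasMore = start !== -1 && start + pageSize < items.length;
  return {
    data: page,
    pageInfo: {
      limit: pageSize,
      nextCursor: hasMore ? encodeCursor(page[page.length - 1].id) : null,
    },
  };
}

// Offset-based page for comparison: simple and gives totals and page numbers, but the database
// still has to walk past `offset` rows ("OFFSET $offset LIMIT $limit"), which slows down for deep pages.
function paginateByOffset(items, { page, limit } = {}) {
  const pageSize = clampLimit(limit);
  const pageNumber = Math.max(1, Number.parseInt(page, 10) || 1);
  const offset = (pageNumber - 1) * pageSize;
  const totalPages = Math.max(1, Math.ceil(items.length / pageSize));
  return {
    data: items.slice(offset, offset + pageSize),
    pageInfo: {
      page: pageNumber,
      limit: pageSize,
      total: items.length,
      totalPages,
      next: pageNumber < totalPages ? `?page=${pageNumber + 1}&limit=${pageSize}` : null,
      prev: pageNumber > 1 ? `?page=${pageNumber - 1}&limit=${pageSize}` : null,
    },
  };
}
```

The cursor is validated on decode and rejected with the same error envelope as any other bad input; a cursor that is merely stale (pointing past the last id) returns an empty page rather than an error, which is the behaviour clients of a live feed expect.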