What happened?
Description
This issue tracks the validation of missing, incomplete, or non-production-ready aspects of the TinyURL backend built using Python, Poetry, and FastAPI.
Goal: ensure the application is correct, secure, scalable, and production-ready.
What did you expect to happen?
Scope
This audit covers:
- API correctness
- Architecture completeness
- Persistence & caching
- Error handling
- Security
- Observability
- DevOps readiness
- Documentation gaps
Validation Checklist
- Core Functionality
[ ] Short URL generation works consistently
[ ] Short URL resolves correctly with HTTP redirect (301/302 decided & documented)
[ ] Duplicate long URLs handled (same vs new short URL strategy clarified)
[ ] URL validation (invalid / malformed URLs rejected)
- ID / Key Generation
[ ] Key generation strategy documented (Base62 / random / counter)
[ ] Collision handling implemented and tested
[ ] Key length configurable
[ ] Concurrency-safe key generation
- Persistence Layer
[ ] Database choice documented (SQLite / Postgres / Redis / etc.)
[ ] Schema finalized and versioned
[ ] Indexing on short key verified
[ ] DB connection pooling configured
- Caching Strategy
[ ] Cache layer defined (Redis / in-memory / none)
[ ] Cache TTL decided and documented
[ ] Cache fallback to DB works
[ ] Cache invalidation strategy clarified
- API Design & Validation
[ ] Request/response models defined using Pydantic
[ ] Input validation errors return meaningful messages
[ ] Consistent response format across endpoints
[ ] HTTP status codes used correctly
- Error Handling
[ ] Global exception handler implemented
[ ] User-facing errors vs internal errors separated
[ ] Stack traces not leaked in production
[ ] Custom error codes (if any) documented
- Security
[ ] Open redirect vulnerabilities assessed
[ ] Rate limiting implemented or planned
[ ] Abuse prevention strategy documented
[ ] CORS configuration reviewed
[ ] Environment secrets not committed
- Observability
[ ] Structured logging implemented
[ ] Request logging enabled
[ ] Error logs distinguishable from info logs
[ ] Metrics strategy identified (future or present)
- Testing
[ ] Unit tests for core logic
[ ] API tests for endpoints
[ ] Collision test cases included
[ ] Poetry test configuration verified
[ ] Coverage baseline defined
- Configuration & Environment
[ ] .env usage documented
[ ] Dev vs Prod configuration separated
[ ] Default config safe for local usage
[ ] Poetry dependency versions locked
- Deployment Readiness
[ ] ASGI server choice documented (uvicorn / gunicorn)
[ ] Health check endpoint available
[ ] Startup & shutdown hooks reviewed
[ ] Docker support (optional but noted)
- Documentation
[ ] README explains architecture clearly
[ ] Setup instructions verified on fresh machine
[ ] API usage examples included
[ ] Design trade-offs documented
Acceptance Criteria
- All checklist items reviewed
- Gaps converted into follow-up issues
- Architecture decisions documented
- App deemed production-ready OR explicitly marked as demo
Anything else we need to know?
This issue is not for feature additions, only for verification, validation, and gap discovery.
What browsers are you seeing the problem on?
No response
Relevant log output
Contact Details
No response
Code of Conduct
- I agree to follow this project's Code of Conduct
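One way to satisfy the "ID / Key Generation" items together with "Indexing on short key verified" and "Collision test cases included", as an added example that is not the project's own code. The `links` table, the function names, the 7-character default and the use of `sqlite3` as a stand-in database are assumptions made for illustration.

```python
import secrets
import sqlite3
import string

BASE62 = string.digits + string.ascii_letters  # 62 symbols


def random_key(length: int) -> str:
    """Unpredictable Base62 key drawn from the OS CSPRNG."""
    return "".join(secrets.choice(BASE62) for _ in range(length))


def open_store() -> sqlite3.Connection:
    """In-memory stand-in for the real database (constructed schema)."""
    db = sqlite3.connect(":memory:")
    # PRIMARY KEY creates the unique index that serves lookups and lets the
    # database, not application code, decide who wins a colliding insert.
    db.execute(
        "CREATE TABLE links (short_key TEXT PRIMARY KEY, long_url TEXT NOT NULL)"
    )
    return db


def shorten(db, long_url, length=7, max_attempts=5, keygen=random_key):
    """Store long_url under a fresh key, retrying when the key is taken."""
    for _ in range(max_attempts):
        key = keygen(length)
        try:
            with db:  # one transaction per attempt, rolled back on failure
                db.execute("INSERT INTO links VALUES (?, ?)", (key, long_url))
            return key
        except sqlite3.IntegrityError:
            continue  # collision, possibly with a concurrent writer
    raise RuntimeError("too many collisions: increase the key length")


def resolve(db, key):
    """Return the long URL for key, or None when the key is unknown."""
    row = db.execute(
        "SELECT long_url FROM links WHERE short_key = ?", (key,)
    ).fetchone()
    return row[0] if row else None
```

Inserting first and treating the constraint violation as the collision signal avoids the check-then-insert race that a separate "does this key exist?" query would introduce.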