engelanna/devtest_elixir

2 isolated APIs in 1 OTP app (optional read: full requirements)


API design

| Degree of isolation | Components |
| --- | --- |
| Shared OTP app (this repo) | Supervisor, Ecto layer (Contexts = CRUD bags) |
| Separate between APIs | Endpoints (= Bandit servers), Ports, Routers (PrivateAPI / PublicAPI), Telemetry |
| Separate between API versions | Controllers (usage), Views, Templates (if need be), "ActionParams" (definition) |
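As an added illustration of the isolation table (example code, not this repository's own files; the `:devtest_elixir` app name, the module names and the port numbers are assumptions), this is how one OTP supervisor can own both Bandit endpoints while each API keeps its own listener and port. Binding the private endpoint to loopback is an extra defensive choice in the example; the README relies on the cloud provider's IP whitelist for that API.

```elixir
# config/config.exs (added example; app and module names are assumptions)
import Config

# PublicAPI: reachable from the internet, so it binds to all interfaces and its
# router is expected to apply the bearer-token plug.
config :devtest_elixir, DevtestElixirWeb.PublicAPI.Endpoint,
  adapter: Bandit.PhoenixAdapter,
  http: [ip: {0, 0, 0, 0}, port: 4000]

# PrivateAPI: internal to the company and unauthenticated, so it must never be
# reachable from outside. Here it listens on loopback only; the provider-level
# IP whitelist / SSH access described in the README sits on top of that.
config :devtest_elixir, DevtestElixirWeb.PrivateAPI.Endpoint,
  adapter: Bandit.PhoenixAdapter,
  http: [ip: {127, 0, 0, 1}, port: 4001]

# lib/devtest_elixir/application.ex (added example)
defmodule DevtestElixir.Application do
  use Application

  @impl true
  def start(_type, _args) do
    children = [
      # Shared by both APIs: one Repo, one PubSub, one supervision tree.
      DevtestElixir.Repo,
      {Phoenix.PubSub, name: DevtestElixir.PubSub},
      # Separate per API: each endpoint is its own Bandit server on its own
      # port, so a crash or overload in one does not take the other down.
      DevtestElixirWeb.PrivateAPI.Endpoint,
      DevtestElixirWeb.PublicAPI.Endpoint
    ]

    Supervisor.start_link(children, strategy: :one_for_one, name: DevtestElixir.Supervisor)
  end
end
```

Because the two endpoints are siblings under `:one_for_one`, restarting the PublicAPI endpoint leaves the PrivateAPI listener (and the shared Repo) untouched, which is the "separate between APIs" row of the table in practice.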

Test-Driven Development

Security
  • .secret_code fields not stored in the DB: SHA256 hash & salt stored instead (spec)
  • PublicAPI exposed to the public - bearer token authentication (plug, spec)
    • .ids are of type :uuid (foils enumeration attacks)
  • PrivateAPI internal to the company - no authentication; instead, whitelist IPs/SSH keys with your cloud provider
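The two mechanisms listed above (salted SHA256 storage of `.secret_code` and the bearer-token plug on PublicAPI), written out as an added example that is not this repository's plug or spec. Module names, the `:public_api_token` config key and the `salt <> code` hashing layout are assumptions. Where the secret is low-entropy, a slow KDF (e.g. Argon2 or bcrypt) is the stronger choice; the example follows the README's stated SHA256-and-salt scheme.

```elixir
defmodule DevtestElixir.SecretCode do
  @moduledoc """
  Added example (not the repo's code): store a salted SHA-256 digest of
  secret_code instead of the plaintext, and verify it in constant time.
  """

  @salt_bytes 16

  # Returns {hash, salt}; persist both, never the plaintext secret_code.
  def hash(secret_code) when is_binary(secret_code) do
    salt = :crypto.strong_rand_bytes(@salt_bytes)
    {digest(secret_code, salt), salt}
  end

  # Recomputes the digest with the stored salt and compares in constant time,
  # so response timing does not reveal how many leading bytes matched.
  def valid?(candidate, stored_hash, salt)
      when is_binary(candidate) and is_binary(stored_hash) and is_binary(salt) do
    Plug.Crypto.secure_compare(digest(candidate, salt), stored_hash)
  end

  defp digest(code, salt), do: :crypto.hash(:sha256, salt <> code)
end

defmodule DevtestElixirWeb.PublicAPI.Plugs.BearerAuth do
  @moduledoc """
  Added example plug: rejects PublicAPI requests that do not carry the
  expected bearer token. Mount it in the PublicAPI router pipeline, e.g.
  `plug DevtestElixirWeb.PublicAPI.Plugs.BearerAuth` (name is an assumption).
  """
  @behaviour Plug
  import Plug.Conn

  @impl true
  def init(opts), do: opts

  @impl true
  def call(conn, _opts) do
    with ["Bearer " <> token] <- get_req_header(conn, "authorization"),
         true <- Plug.Crypto.secure_compare(token, expected_token()) do
      conn
    else
      # Missing header, wrong scheme, or wrong token all get the same 401,
      # so the response does not say which check failed.
      _ ->
        conn
        |> put_resp_content_type("application/json")
        |> send_resp(401, ~s({"error":"unauthorized"}))
        |> halt()
    end
  end

  # Assumed config key; read from the environment in a real deployment.
  defp expected_token, do: Application.fetch_env!(:devtest_elixir, :public_api_token)
end
```

`Plug.Crypto.secure_compare/2` returns `false` for binaries of different length and otherwise compares every byte, which is what both the secret-code check and the token check need; a plain `==` would short-circuit on the first mismatching byte.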