- Group routes with shared middleware using `app.grouped("prefix").grouped(AuthMiddleware())` (path components and middleware are separate `grouped` overloads, not one mixed call) — never register auth middleware at the application level when it only applies to specific route groups: `let protected = app.grouped("api", "v1").grouped(UserAuthenticator(), User.guardMiddleware())`
- Decode request bodies by conforming to `Content` (combining `Codable` + Vapor helpers) and calling `req.content.decode(MyDTO.self)` — never read raw body bytes manually for structured data.
- Throw `Abort` with an explicit HTTP status and reason for all error paths — never return a 200 with an error body, and never let internal errors surface raw to clients: `throw Abort(.notFound, reason: "User \(id) does not exist")`
- Prevent N+1 query problems with Fluent's `.with(\.$relation)` eager loading — each relation requires only one additional query regardless of result count: `let posts = try await Post.query(on: req.db).with(\.$author).with(\.$tags).all()`
- Hash passwords with Bcrypt and use `BearerAuthenticator` for token-based APIs — reserve `BasicAuthenticator` for the login endpoint that issues tokens only, then protect all other routes with `User.guardMiddleware()`.
- Implement custom error types as `struct` (not `enum`) conforming to both `AbortError` and `DebuggableError` — `AbortError` controls the HTTP status returned to clients; `DebuggableError` gives Vapor source-location info in server logs.
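The following Vapor 4 / Fluent 4 snippet is an added example that ties the six points above together; it is not code from the original page or from the Vapor project. The `User`, `UserToken` and `Post` models, their schema names, the `PostOwnershipError` type and the route paths are this example's own assumptions, and the migrations and `configure(_:)` that create the tables are assumed to exist elsewhere in the package. Basic authentication is attached only to the login route that mints bearer tokens; every other route sits behind the token authenticator plus `User.guardMiddleware()`; bodies are decoded through `Content`; errors go out as `Abort` or a struct conforming to both `AbortError` and `DebuggableError`; and the list endpoint eager-loads the post owner so a list of N posts costs two queries rather than N+1.

```swift
import Vapor
import Fluent

// Hypothetical models; schema and field names are this example's own assumptions.
final class User: Model, Authenticatable, @unchecked Sendable {
    static let schema = "users"
    @ID(key: .id) var id: UUID?
    @Field(key: "email") var email: String
    @Field(key: "password_hash") var passwordHash: String   // Bcrypt hash, never plaintext
    init() {}
}

final class UserToken: Model, @unchecked Sendable {
    static let schema = "user_tokens"
    @ID(key: .id) var id: UUID?
    @Field(key: "value") var value: String
    @Parent(key: "user_id") var user: User
    init() {}
}

final class Post: Model, @unchecked Sendable {
    static let schema = "posts"
    @ID(key: .id) var id: UUID?
    @Field(key: "title") var title: String
    @Parent(key: "owner_id") var owner: User
    init() {}
}

// Basic auth (username + password) is only ever used by the login endpoint below.
extension User: ModelAuthenticatable {
    static let usernameKey = \User.$email
    static let passwordHashKey = \User.$passwordHash
    func verify(password: String) throws -> Bool {
        try Bcrypt.verify(password, created: passwordHash)   // constant-time compare of the hash
    }
}

// Bearer tokens authenticate every other route.
extension UserToken: ModelTokenAuthenticatable {
    static let valueKey = \UserToken.$value
    static let userKey = \UserToken.$user
    var isValid: Bool { true }   // hook for an expiry check; always valid in this example
}

// DTOs: Content gives Codable + Vapor's request/response helpers.
struct TokenResponse: Content { let token: String }
struct CreatePostRequest: Content { let title: String }
struct PostResponse: Content { let id: UUID; let title: String; let ownerEmail: String }

// Custom error as a struct: AbortError sets the client-facing status and reason,
// DebuggableError's identifier shows up in server logs with source location.
struct PostOwnershipError: AbortError, DebuggableError {
    let postID: UUID
    var status: HTTPResponseStatus { .forbidden }
    var reason: String { "Post \(postID) is owned by another user" }
    var identifier: String { "postOwnership" }
}

func routes(_ app: Application) throws {
    let api = app.grouped("api", "v1")   // path group first, middleware groups chained on it

    // Login: Basic auth verifies the password hash, then a random bearer token is issued.
    api.grouped(User.authenticator(), User.guardMiddleware())
        .post("login") { req async throws -> TokenResponse in
            let user = try req.auth.require(User.self)
            let token = UserToken()
            token.value = [UInt8].random(count: 32).base64
            token.$user.id = try user.requireID()
            try await token.save(on: req.db)
            return TokenResponse(token: token.value)
        }

    // Everything else requires a valid bearer token; guardMiddleware rejects with 401 otherwise.
    let protected = api.grouped(UserToken.authenticator(), User.guardMiddleware())

    protected.post("posts") { req async throws -> PostResponse in
        let dto = try req.content.decode(CreatePostRequest.self)   // typed decode, no raw bytes
        let user = try req.auth.require(User.self)
        let post = Post()
        post.title = dto.title
        post.$owner.id = try user.requireID()
        try await post.save(on: req.db)
        return PostResponse(id: try post.requireID(), title: post.title, ownerEmail: user.email)
    }

    // Eager-load owners: one query for posts plus one for all owners, regardless of count.
    protected.get("posts") { req async throws -> [PostResponse] in
        let posts = try await Post.query(on: req.db).with(\.$owner).all()
        return try posts.map { PostResponse(id: try $0.requireID(), title: $0.title, ownerEmail: $0.owner.email) }
    }

    protected.delete("posts", ":postID") { req async throws -> HTTPStatus in
        let user = try req.auth.require(User.self)
        guard let id = req.parameters.get("postID", as: UUID.self),
              let post = try await Post.find(id, on: req.db) else {
            throw Abort(.notFound, reason: "Post does not exist")   // explicit status, no 200-with-error
        }
        guard post.$owner.id == user.id else { throw PostOwnershipError(postID: id) }
        try await post.delete(on: req.db)
        return .noContent
    }
}
```

The response DTOs deliberately map models to plain structs rather than returning `User` or `Post` directly, so the password hash and owner relation never serialize to clients; the `PostOwnershipError` shows the struct-based error pattern returning 403 to the caller while logging a stable `identifier` server-side.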