The api-gateway service is the only public endpoint of the architecture.
The API Gateway enforces authentication, authorization, rate limits and other policies on incoming requests before dispatching them to the right microservice.

Technical stack

Library                    Role                                                   Version
Express                    HTTP framework                                         4.17.1
express-openapi-validator  Swagger-based syntax validation of incoming requests   4.13.4
                           Message broker interface                               latest
bcrypt                     Password hashing library                               5.0.1
helmet                     Express security helper                                5.0.1
passport                   Authentication middleware                              0.5.2


Events & API

Produced events:

  • gateway.login.succeeded
  • gateway.login.failed



Development standards and quality measurement

The required quality level corresponds to the recommended SonarQube Quality Gate:

  • 80% minimum code coverage
  • 3% maximum duplicated lines
  • Level A in Maintainability, Reliability and Security


Every action is logged in two different ways:

  • Trace of the HTTP call if there is one (produced at the API Gateway level)
  • Transcription of the action as an event (produced by the service handling the action)

In both cases, all the usual contextual information is included (provided by the common bootstrap shared by the backend services). As a minimum, this information should include:

  • Correlation id
  • User id
  • Workspace id
  • Timestamp
  • Log criticality


Technical errors (aka unexpected errors) such as a timeout on a REST service call are caught by the service and logged with the full stack trace.

If this error occurs during the processing of an HTTP request, the caller simply receives a generic "Internal Error".

In addition to the error logs, the error is also transmitted as a generic error event.

Both in the log and in the event, the usual contextual information is included as much as possible (see Logs).
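
The error-handling rules above can be sketched as an Express-style error middleware. This is an added example, not code from the project: the req.context shape, the 'error.generic' event name and the injected logger and publish functions are assumptions, and the request/response objects in demo() are constructed stand-ins so the handler runs without Express.

```javascript
// Added illustration, not the project's code. Assumed names: req.context (filled by
// the common bootstrap), the 'error.generic' event name, logger and publish.
function buildContext(req, criticality, now) {
  const { correlationId = null, userId = null, workspaceId = null } = req.context || {};
  return { correlationId, userId, workspaceId, timestamp: now().toISOString(), criticality };
}

function createErrorHandler({ logger, publish, now = () => new Date() }) {
  // The four-argument signature is what makes Express treat this as an error handler.
  return function errorHandler(err, req, res, next) {
    const context = buildContext(req, 'error', now);
    // Log entry: contextual information plus the full stack trace, server-side only.
    logger.error({ ...context, method: req.method, path: req.path,
                   message: err.message, stack: err.stack });
    // Generic error event: same context, no stack trace (a choice of this example).
    try {
      publish('error.generic', { ...context, errorName: err.name });
    } catch (publishErr) {
      // A broker failure must not change what the caller sees.
      logger.error({ ...context, message: 'error event not published', stack: publishErr.stack });
    }
    if (res.headersSent) return next(err); // response already started: defer to Express
    // The caller gets the generic message only: no stack, no internal error text.
    return res.status(500).json({ error: 'Internal Error' });
  };
}

// Constructed request/response stand-ins so the handler runs without Express.
function demo() {
  const logs = [];
  const events = [];
  const res = {
    headersSent: false, statusCode: 200, body: null,
    status(code) { this.statusCode = code; return this; },
    json(payload) { this.body = payload; return this; },
  };
  const req = {
    method: 'GET', path: '/workspaces/42/reports',
    context: { correlationId: 'c-0001', userId: 'u-17', workspaceId: 'w-42' },
  };
  const handler = createErrorHandler({
    logger: { error: (entry) => logs.push(entry) },
    publish: (name, payload) => events.push({ name, payload }),
    now: () => new Date('2024-01-01T00:00:00Z'),
  });
  const err = new Error('ETIMEDOUT calling report-service at 10.0.3.7:8080');
  handler(err, req, res, () => {});
  return { logs, events, res };
}
```

The internal host and port in the constructed error message appear in the log entry but never in the response body, which is the property the generic "Internal Error" rule protects.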


Company Social Responsibility (CSR)


The code should be formatted with Prettier, using the version specified in package.json.