Trace auth ownership through the full call chain
Before adding auth props or headers, trace the whole request path and use only the auth mechanism actually consumed by the target route or service.
Bad example

```js
// An auth-token header is added to the fetch even though the target route
// never reads it; the only mechanism this route consumes is the session cookie.
const response = await fetch('/api/portfolios/1/dividends', {
  headers: {
    'x-auth-token': authToken, // dead header: not consumed by the route
  },
});

// The same token is then threaded through the service call as a prop,
// creating redundant validation downstream and a misleading auth contract.
const result = await WsUserService.getPortfolioDividends({
  id,
  sessionCookie,
  authToken, // redundant prop
});
```
Explanation (EN)
The code pushes authToken through the stack without checking whether the route actually needs it. This creates redundant props, dead validation, and misleading auth behavior.
Explanation (HR, translated)
The code pushes authToken through the stack without checking whether the route actually needs it. That creates redundant props, dead validation and misleading auth behaviour.
Good example

```js
// Only the mechanism the call chain actually consumes is sent: the session
// cookie travels with the request, so no extra auth header is needed.
const response = await fetch('/api/portfolios/1/dividends');

// The service contract carries just the session cookie, keeping the auth
// model minimal and easy to reason about.
const result = await WsUserService.getPortfolioDividends({
  id,
  sessionCookie,
});
```
Explanation (EN)
The request uses only the auth mechanism actually required by the call chain. The contract stays minimal and the auth model remains easy to reason about.
Explanation (HR, translated)
The request uses only the auth mechanism the call chain actually requires. The contract stays minimal and the auth model is easy to understand.
Notes (EN)
Explicitly identify whether auth is handled by session cookie, auth token, server-side service credentials, or no auth at all before adding headers or props.
Notes (HR, translated)
Explicitly determine whether auth is handled by a session cookie, an auth token, server-side service credentials, or no auth at all before adding headers or props.
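The following is an added example, not code from the rules library or the project it describes. It shows one way to make the rule checkable: a constructed route handler that records which auth inputs it actually reads, and an audit helper that lists any auth-bearing header or cookie the caller supplied that the handler never consumed. The handler, the session table, the `AUTH_INPUTS` list and the request objects are all hypothetical and constructed for this example.

```javascript
// Added example (not the rules library's own code). All names and data below
// are constructed for illustration.

// Constructed session store: the only credential this route honours.
const VALID_SESSIONS = new Map([['sess-abc', { userId: 42 }]]);

// Minimal cookie header parser ("a=1; b=2" -> { a: '1', b: '2' }).
function parseCookies(header) {
  return Object.fromEntries(
    header
      .split(';')
      .map((s) => s.trim())
      .filter(Boolean)
      .map((pair) => {
        const i = pair.indexOf('=');
        return [pair.slice(0, i), pair.slice(i + 1)];
      })
  );
}

// Constructed route handler for GET /api/portfolios/:id/dividends.
// It authenticates via the session cookie only and records every auth input
// it reads in `consumed`, so an audit can compare that against what was sent.
function getPortfolioDividendsHandler(req) {
  const consumed = new Set();
  const cookies = parseCookies(req.headers.cookie || '');
  consumed.add('cookie:session');
  const session = VALID_SESSIONS.get(cookies.session);
  if (!session) {
    return { status: 401, body: { error: 'not authenticated' }, consumed };
  }
  return { status: 200, body: { userId: session.userId, dividends: [] }, consumed };
}

// Auth-bearing inputs the audit knows how to recognise on a request.
const AUTH_INPUTS = [
  { key: 'header:x-auth-token', present: (r) => 'x-auth-token' in r.headers },
  { key: 'header:authorization', present: (r) => 'authorization' in r.headers },
  { key: 'cookie:session', present: (r) => /(^|;\s*)session=/.test(r.headers.cookie || '') },
];

// Returns the auth inputs present on the request that the handler never read.
// Each entry is a dead header or prop that misleads readers about the auth model.
function unusedAuthInputs(req, consumed) {
  return AUTH_INPUTS.filter((a) => a.present(req) && !consumed.has(a.key)).map((a) => a.key);
}

// Runs the handler and reports the outcome together with any unconsumed auth input.
function auditRequest(req) {
  const res = getPortfolioDividendsHandler(req);
  return { status: res.status, unused: unusedAuthInputs(req, res.consumed) };
}

// Constructed requests mirroring the rule's bad and good examples.
const badRequest = { headers: { cookie: 'session=sess-abc', 'x-auth-token': 'tok-123' } };
const goodRequest = { headers: { cookie: 'session=sess-abc' } };
// A token on its own does nothing for this route: only the cookie is honoured.
const tokenOnlyRequest = { headers: { 'x-auth-token': 'tok-123' } };

console.log(auditRequest(badRequest));       // status 200, unused: ['header:x-auth-token']
console.log(auditRequest(goodRequest));      // status 200, unused: []
console.log(auditRequest(tokenOnlyRequest)); // status 401, unused: ['header:x-auth-token']
```

The `tokenOnlyRequest` case is the one that matters in review: a caller who believed `x-auth-token` was the route's auth mechanism gets a 401, which is exactly the misleading behaviour the rule warns about. Wiring a check like `unusedAuthInputs` into an integration test turns "trace the call chain" from a reading exercise into a failing assertion whenever someone adds an auth prop the route does not consume.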
Exceptions / Tradeoffs (EN)
If a route intentionally accepts multiple auth mechanisms, that must be visible in the handler contract and documented in code.
Exceptions / Tradeoffs (HR, translated)
If a route intentionally accepts multiple auth mechanisms, that must be visible in the handler contract and documented in the code.