Dev Log: May 10 Wrap-up
Overview
Today was all about the plumbing. I spent the majority of my time in the backend, tearing things apart to make them more modular and finally getting the authentication and deployment configs where they need to be. It's that necessary "foundation work" that doesn't look like much on the surface but makes life way easier down the road.
What I Worked On
Modularizing the Backend
My main file was starting to feel like a junk drawer, so I spent some time refactoring the core logic into a more modular structure. I pulled the authentication routes into their own dedicated module. It’s much cleaner now—handling things like password decryption, token verification, and role-based access without cluttering the entry point of the app.
I also integrated a check to fetch user roles directly from the database after a successful login. It's a small step, but decoupling the auth logic from the main application flow makes the whole system feel a lot more professional and maintainable.
Hardening Security and CORS
CORS is one of those things that’s easy to ignore until you actually try to hit your API from a frontend. I moved away from the "allow everything" approach and locked down the allowed origins to just my production and local development URLs.
I also spent some time tweaking the deployment configuration to handle headers correctly on the hosting platform. It’s always a bit of a back-and-forth dance with OPTIONS requests and preflight checks, but I've got it to a point where the frontend can communicate securely with the backend without any annoying browser blocks.
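An exact-match origin allowlist with preflight handling, as an added example (not the author's code; the post does not name the backend framework). The two origins, the method and header lists, and the function name `corsDecision` are assumptions for illustration.

```javascript
// Added example: exact-match CORS allowlist. Origins are placeholders, not the author's URLs.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com", // assumed production frontend
  "http://localhost:5173",   // assumed local dev server
]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const ALLOWED_HEADERS = ["authorization", "content-type"];

// Decide the CORS response for one request. reqHeaders uses lower-case keys
// (as Node's http module provides). Returns { preflight, status, headers };
// status === null means "not a preflight, continue to the route handler".
function corsDecision(method, reqHeaders) {
  const origin = reqHeaders["origin"];
  const headers = { Vary: "Origin" }; // caches must key the response on Origin
  const isPreflight = method === "OPTIONS" &&
    reqHeaders["access-control-request-method"] !== undefined;

  // Exact string match only: no wildcard, no suffix or substring test, and no
  // echoing back whatever Origin arrived. "null" and look-alike hosts stop here.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return { preflight: isPreflight, status: isPreflight ? 403 : null, headers };
  }
  headers["Access-Control-Allow-Origin"] = origin;
  if (!isPreflight) return { preflight: false, status: null, headers };

  // Preflight: check the method and headers the browser says it will send.
  const wantMethod = reqHeaders["access-control-request-method"].toUpperCase();
  const wantHeaders = (reqHeaders["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const ok = ALLOWED_METHODS.includes(wantMethod) &&
    wantHeaders.every((h) => ALLOWED_HEADERS.includes(h));
  if (!ok) {
    delete headers["Access-Control-Allow-Origin"];
    return { preflight: true, status: 403, headers };
  }
  headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
  headers["Access-Control-Max-Age"] = "600"; // browser may cache the preflight for 10 minutes
  return { preflight: true, status: 204, headers };
}
```

CORS headers only tell the browser what it may read; the token and role checks on each route still decide what the server does.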
Smarter Firebase Initialization
I refactored how the backend connects to our database and auth service. Previously, it was a bit rigid, but now it’s much more flexible. I set up a fallback system that looks for a local service account file during development but switches to environment variables when deployed. This makes the CI/CD pipeline way more resilient since I don't have to worry about managing physical JSON keys in the cloud environment.
Wrapping Up
It wasn't a day of big visual changes, but the backend feels solid now. Everything is where it should be, and the security layers are actually in place instead of just being "to-do" items. Tomorrow, I'll probably get back into the frontend to start consuming these new auth patterns.