10X Product Development
Lessons Learned and Detailed Architectures from Building Two Serverless Applications
@joeemison
May 2016
Joe Emison @joeemison
ASSERTIONS
Product-market fit is paramount.
10X software developers do not exist.
10X product development does.
• Spend development time on business-specific code
• Don’t make things people won’t use
• Don’t build things you can buy (rent)
• Stop regressions
• Maximize iterations with customers
• Big changes
• Frequent deploys
• Minimize dependences
• Don’t make developers wait (IT Ops, DBAs, Other Devs)
• Don’t make developers stop (incomplete specifications)
10X Product Development
Pick your development processes, staffing, and stack based on the above
COMMERCIAL SEARCH
• Zillow/Trulia/Realtor.com for Commercial Real Estate
• Demo: Search, Details, Find Broker, Login, Add Listing
https://www.commercialsearch.com/
COMMERCIAL SEARCH
[Architecture diagram: User Browser; Netlify (HTML, CSS, JS); Prerender.io; Algolia (Full Text Search, Facet Search, Geo Search); Auth Firebase; ETL / Queue Servers]
COMMERCIAL SEARCH
• Launched in 4 months with 2 developers
• 13,307 lines of TypeScript
• 95%+ Developer Efficiency (developers deliver at estimates, few regressions)
• Conceptually: Microservices architecture, but we only wrote the core
• If we were using ElasticSearch, we’d need a proxy middle tier between Angular and ES
• If we used a more traditional way of handling images (e.g., RoR with image-handling libraries), we’d have another language and servers to support for availability (and have to update for security)
• If we hosted our static assets on our own web server, we’d have those servers to support for availability (and have to update for security)
LESSONS LEARNED / PAIN POINTS
• The Firebase dashboard has some limits with larger datasets (but API works fine)
• Developer learning curve from RDBMS to Firebase is non-trivial, but not insane
• Cloudinary configurations are non-obvious; need to use their (very good) support
• Algolia needs new dependent indices for each sort criterion/direction
PROPERTY TOUR PRO
• Tour Book (PDF, mobile web) generator for commercial real estate brokers
• Demo: Login with LinkedIn, Add Property, View Amenities, Crop Image, Export PDF
https://www.propertytourpro.com/
PROPERTY TOUR PRO
[Architecture diagram: User Browser; Firebase Hosting (HTML, CSS, JS); Auth0; Firebase; Auth0 Webtask (simple secure JS code runner); DocRaptor (PDF Generation)]
LESSONS LEARNED / PAIN POINTS
• Don’t use AngularFire – triple-binding just gets too slow
• CORS (and private API keys) means that you can’t hit third-party APIs directly; use Webtask
• Auth0 is great, but documentation is frustrating
• DocRaptor doesn’t compress PDFs/images well, so you have to do that through Cloudinary
WHY NOT AWS?
• AWS Serverless is about back-end processing, which we have largely outsourced
• AWS Serverless is complicated: IAM + Cognito + API Gateway + Lambda
• Compare: Auth0 Webtask to Lambda + API Gateway + IAM + Cognito
• Compare: Firebase to Lambda + API Gateway + IAM + Cognito + DynamoDB
• Compare: Firebase Queues to Lambda + API Gateway + IAM + Cognito + SQS
• The Serverless Framework and the many support libraries for Lambda are examples of what’s missing in the product
SECURITY
• Netlify
– Read-only assets (code for client)
• Algolia
– Read-only based on API key shared with client that has strict rate limits by session + IP
– Authenticated users could each have own API key (but not implemented yet)
• Cloudinary
– Images uploaded into moderated queue (WebPurify human-driven moderation)
– Retrieval of images forced through watermarking transformation
• Firebase
– Advanced security rules evaluated as JavaScript expressions; uses Firebase Auth
– Each listing has a set of users that can edit it
– User prefs only read / write by individual users
– Rate limits on retrieval
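An added example, not taken from the slides or from the CommercialSearch code base: Firebase Realtime Database rules expressing the two Firebase access rules above (a per-listing set of editors, and user preferences readable and writable only by their owner). The paths /listings and /userPrefs, the editors map and public read access to listings are assumptions made for illustration.

```json
{
  "rules": {
    // Assumed layout: /listings/{listingId}/editors/{uid} = true
    "listings": {
      "$listingId": {
        // Assumption: listing data is public; the slides do not say.
        ".read": true,
        // Existing listing: only a current editor may write (or delete).
        // New listing: the creator must put their own uid in the editor set.
        ".write": "auth != null && (data.child('editors').child(auth.uid).val() === true || (!data.exists() && newData.child('editors').child(auth.uid).val() === true))",
        // A listing must always carry an editor set.
        ".validate": "newData.hasChild('editors')",
        "editors": {
          "$uid": {
            // Each entry in the set is the literal value true.
            ".validate": "newData.isBoolean() && newData.val() === true"
          }
        }
      }
    },
    // Assumed layout: /userPrefs/{uid}/...
    "userPrefs": {
      "$uid": {
        // Only the signed-in owner can read or write their own preferences.
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    }
  }
}
```

Write permission cascades to child paths, so under these rules any editor can also add or remove other editors. Preventing that would mean moving the write rule down onto individual child paths instead of granting it on the whole listing.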
READ MORE / CONTACT ME
InformationWeek: http://j.mp/emisonIW
Network Computing: http://j.mp/emisonNC
The New Stack: http://j.mp/emisonTNS
@joeemison
