EWG
Company
EWG is a fintech company that provides specialist services to the fiduciary, corporate, and fund sectors.
Team
EWG has a core development team; however, the Lightspeed API project, which I was initially tasked with designing and building, was structured as an independent initiative where I served as the sole developer.
Challenge
Lightspeed’s core functionality is to perform CRUD operations on beneficiaries, payments, and conversions. To address the complexities of provisioning new accounts and ensuring the correct security permissions, I also developed an admin API for user management.
Some of the key aspects I implemented during the project included:
Security: Security is at the core of Lightspeed. MTLS and OAuth2 were implemented as industry-standard mechanisms. Additionally, I employed a multi-layered approach that included PostgreSQL row-level security, custom Lambda authorizers, and custom permissions scoped on a per-account, per-endpoint basis.
JWS Signature: As Lightspeed is based on the open banking specification, I incorporated a JWS Signature header requirement into the specification. This addition ensures non-repudiation by providing verifiable proof in case a client disputes a transaction.
Rate Limiting: The service used by EWG is subject to rate limits, making it essential to implement rate limiting for Lightspeed as well. The upstream service also needed to be shared between Lightspeed and the core EWG application. I implemented custom rate limiting using DynamoDB, both on an overall and per-client basis, for methods that called the upstream service. Additionally, I applied API Gateway’s rate limits on a per-client basis for all endpoints.
Documentation: Since the Lightspeed API is intended for use by other developers, comprehensive documentation was essential. I created and published an OpenAPI specification, along with generated HTML documentation derived from the specification. To facilitate onboarding, I developed detailed onboarding documentation and provided client scripts/PowerShell modules for Mac and Windows. These supported onboarding via Mac Keychain Access, Windows MMC Certificates, and OpenSSL. Additionally, I built sample projects in Node.js and C# to help clients onboard quickly. These projects demonstrated connecting via MTLS and both creating and validating JWS Signatures.
DevOps IaC: I utilized a combination of CloudFormation for setting up initial IAM roles, Terraform for the base infrastructure, and the Serverless Framework to deploy the Lambda code.
DevOps CI/CD: I developed comprehensive unit tests, achieving approximately 95% test coverage. Additionally, I created end-to-end (E2E) tests to validate each endpoint, ensuring that security permissions functioned as expected and confirming the correctness of endpoint behavior. The unit tests were executed as a CI job on pull requests to the main branch. The E2E tests were run post-deployment in non-production environments, with a read-only E2E test suite executed after production deployment. The build server underwent several iterations. Initially, I created a Docker container to run the GitHub Actions self-hosted runner job, which was managed via an EC2 Auto Scaling Group with scheduled start and stop times. GitHub OIDC was integrated with AWS, and GitHub Actions jobs were restricted on a per-repo and per-environment basis to assume the appropriate deployment role within the correct AWS account. In the second iteration, we migrated to using CodeBuild to run the GitHub Actions jobs, decommissioning the EC2 Auto Scaling Group.
Load Testing: I created a suite of JMeter tests configured via CSV files to simulate various load scenarios. The test suite included three different personas, each running specific scenarios. Each line in the CSV file could define a persona and a throughput limit, ensuring adherence to the specified rate limits. The clients required MTLS certificates, OAuth logins, and JWS signatures for their requests, all of which were implemented within JMeter. Additionally, 429 responses were not treated as errors; they were relabeled as ‘429: name’ to enable clearer displays in JMeter outputs and for separate tracking.
Videos: I used ClipChamp to create instructional videos demonstrating how to use Postman to call various endpoints for clients. Additionally, I produced an overview demo video showcasing Lightspeed and its full functionality. This demo was featured at the Digital Jersey launch event, and a short clip from the demo is available here.
Results
Overall, Lightspeed was a success and EWG was very happy with the system.