Please enable JavaScript.

Coggle requires JavaScript to display documents.

API - Coggle Diagram

- - - - app.get('/files/*filepath', (req, res) => { req.params.filepath })
      - app.get('/{*splat}', (req, res) => { req.params.splat }) // []
    - - app.get('/:file{.:ext}', (req, res) => { req.params })
    - - app.get(/a/, (req, res) => {})
      - app.get(/.*fly$/, (req, res) => {})
    - - app.get('/users/:userId/books/:bookId', (req, res) => {req.params})
    - - app.get('/user/:id', (req, res, next) => { return next('route') })
      - app.get('/user/:id', (req, res) => {})
    - - app.get('/test/b', (req, res, next) => {}, (req, res) => {});
    - - const cb0 = (req, res, next) => {}; const db1 = (req, res, next) => {}; app.get('/example/d', [cb0, cb1], (req, res, next) => {}, (req, res) => {})
    - - app.route('/book').get((req, res) => {}).post(req, res) =>{}).put((req, res) => {})
    - - const router = express.Router(); router.use(middleware); router.get('/', (req, res) => {}) const posts = require('./posts'); app.use('/posts', posts)
      - merge parent path parameters:
        const router = express.Router({ mergeParams: true });
  - - - execute any code
      - change req or res
      - end req-res cycle, if not end, must call next()
      - call next middleware in the stack
    - - next is just 3rd arg passed to the middleware func, not of node or express
    - - export const middleware = (options) => (req, res, next) => {}; app.use(middleware({...options})
    - - app level, bind to instance of app by using:
        
        app.use()
        
        app.use((req, res, next) => { ... next(); }); app.use('/user/:id', (req, res, next) => { ... next(); }); app.use('/user/:id', (req, res, next) => { next(); }, (req, res, next) => { next(); }; );
        
        app.METHOD (GET|PUT|POST)
        
        To skip the rest of the middleware functions from a router middleware stack, call next('route') to pass control to the next route.
        next('route') will work only in middleware functions that were loaded by using the app.METHOD() or router.METHOD() functions.
        app.get('/user/:id', (req, res, next) => { if (xxx) next('route') else next(); }, (req, res, next) => { res.send('xxx'); } );
        
        middleware in array
        
        app.get('/user/:id', [middleware1, middleware2], (req, res, next) => {}))
    - - const router = express.Router()
      - router.use()
      - router.METHOD()
    - - app.use((err, req, res, next) => { console.error(err.stack); res.stats(500).send('sth wrong'); });
    - - express.static
      - express.json: parse incoming req with JSON payloads
      - express.urlencoded: parse incoming req with URL-encoded payloads
  - - - Pug (default): npm install pug --save
      - Handlebars
      - EJS
    - - views: app.set('views', './views')
      - view engine: app.set('view engine', 'pug')
    - - index.pug:
        html head title = title body h1= message
      - app.get('/', (req, res) => { res.render('index', { title: 'Hey', message: 'Hello there!' }); });
  - - - synchronous code inside router handler & middleware require no extra work. throws an error, Express will catch and process it.
        app.get('/', (req, res) => { throw new Error('BROKEN'); });
      - asynchronous functions invoked by route handlers and middleware, must pass them to the next() function for Express to catch and process.
        app.get('/', (req, res, next) => { fs.readFile('/file-not-exits', (err, data) => { if (err) { next(err); // pass errors to Express. } else { res.send(data); } }); });
      - Express 5, router handlers and middleware that return a Promise will call next(value) automatically when they reject or throw an error.
        app.get('/user/:id', async (req, res, next) => { const user = await getUserById(req,params.id); res.send(user); });
        If you pass anything to the next() function (except the string 'route'), Express regards the current request as being an error and will skip any remaining non-error handling routing and middleware functions.
      - If the callback in a sequence provides no data, only errors, you can simplify this code as follows:
        app.get('/', [ function (req, res, next) { fs.writeFile('/inaccessible-paht', 'data', next); }, function (req, res) { res.send('OK'); }, ]);
      - You must catch errors that occur in asynchronous code invoked by route handlers or middleware and pass them to Express for processing.
        app.get('.', (req, res, next) => { setTimeout(() => { try { throw new Error('BROKEN'); } catch (err) { next(err); } },100); });
        Use promises to avoid try ... catch:
        app.get('.', (req, res, next) => { Promise.resolve().then(() => { throw new Error('BROKEN'); }).catch(next); });
      - Use a chain of handlers to rely on synchronous error catching, by reducing the asynchronous code to something trivial.
        app.get('/', [ function (req, res, next) { fs.readFile('/maybe-valid', 'utf-8', (err, data) => { res.locals.data = data; next(err); }); }, function (req, res) { res.locals.data = res.locals.data.split(',')[1]; res.send(res.locals.data); }, ]);
    - - info added to response
        
        res.statusCode, from
        
        err.status, or
        
        err.statusCode
        
        if outside 4xx or 5xx, set to 500
      - res.statusMessage
      - body
        
        production: HTML of the status code message
        
        otherwise: err.stack
      - any headers specified in an err.headers object
    - - 4 args: (err, req, res, next)
      - define error-handling middleware last after other app.use() and routes calls
        const bodyParser = require('body-parser'); const methodOverride = require('method-override'); app.use(bodyParser.urlencoded({ extended: true }); app.use(bodyParser.json()); app.use(methodOverride()); app.use((err, req, res, next) => {});
      - organizational, several error handling middleware functions
        app.use(logErrors); app.use(clientErrorHandler); app.use(errorHandler);
  - - - DEBUG: Enables/disables specific debugging namespaces
      - DEBUG_COLORS: Use colors or not in the debug output
      - DEBUG_DEPTH
      - DEBUG_FD: File descriptor to write debug output to
      - DEBUG_SHOW_HIDDEN: Shows hidden properties on inspected objects
  - - - true: the client’s IP address is understood as the left-most entry in the X-Forwarded-For header
        X-Forwarded-For: 203.0.113.195, 198.51.100.10
      - false: (default), the app is understood as directly facing the client and the client’s IP address is derived from req.socket.remoteAddress
    - - preconfiged
        
        loopback: 127.0.0.1/8, ::1/128
        
        linklocal: 169.254.0.0/16, fe80::/10
        
        uniquelocal - 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fc00::/7
      - app.set('trust proxy', 'loopback')
        app.set('trust proxy', 'loopback, 123.123.123.123');
        app.set('trust proxy', 'loopback, linklocal, uniquelocal');
        app.set('trust proxy', ['loopback', 'linklocal', 'uniquelocal']);
    - - app.set('trust proxy', (ip) => { if (ip === '127.0.0..1' || ip = '123.123,123.123') return true; else return false; })
    - - req.hostname <-- X-Forwarded-Host header set by client or proxy
      - req.protocol <- X-Forwarded-Proto can be set by proxy, https, http or invalid
      - req.ip, req.ips <- X-Forwarded-For header starting at the first untrusted address
  - - - npm install mysql
        const mysql = require('mysql'); const connection = myusql.createConnection({ host: 'localhost', user: 'dbuser', password: 'secret', database: 'my_db', }); connection.connect(); connection.query('SELECT XXX',(err, rows, fields) => {}); connection.end();
    - - npm install pg-promise
    - - npm install redis
    - - npm install sqlite3
  - - - express.request
      - express.response
    - - app.request
      - app.response
        
        app.response.sendStatus = function (statusCode, type, message) { return this.contentType(type).status(statusCode).send(message); }; res.sendStatus(404, 'application/json', '{"error":"resource not found"}');
    - - assigned
        
        req.baseUrl, req.originalUrl
      - defined as getters
        
        req.secure, req.ip
        
        Object.defineProperty(app.request, 'ip', { configurable: true, enumerable: true, get() { return this.get('Client-IP'); }, })
  - - - Use gzip compression: app.use(compression());
        high-traffic: at reverse proxy level, no need compression middleware, like nginx
      - don't use synchronous functions, use --trace-sync-io command line flag to pring warning and stack trace
      - logging correctly
        
        for debugging
        
        use a special debugging module like debug with DEBUG env to control level
        
        for app activity (tracking traffic, API calls)
        
        use a logging library like Pino
      - Handle exceptions properly
        
        use try-catch (for sync code)
        app.get('/search', (req, res) => { setImmediate(() => { const jsonStr = req.query.params; try { const jsonObj = JSON.parse(jsonStr); res.send('Success'); } catch (e) { res.status(400).send('Invalid JSOn string'); } }); });
        
        Use promises (for async code)
        // in route handler app.get('/', async (req, res, next) => { const data = await userData(); // if promise fails, it will automatically call `next(err)` to handle the error res.send(data); }); app.use((err, req, res, next) => { res.status(error.status ?? 500).send({ error: err.message }); }); // in middleware app.use(async (req, res, next) => { req.locals.user = await getUser(req); next(); });
        
        Best practice: use the next() function to propagate errors through the middleware chain
        
        best to catch the error in the middleware and handle it without relying on separate error-handling middleware.
        
        NOT TO DO: listen for the uncaughtException event
    - - set NODE_ENV=production
      - ensure app automatically restarts
        
        Use a process manager, PM2
        
        Use the init system of OS, systemd, filename ending in .service
        [Unit] Description=<Awesome Express App> [Service] Type=simple ExecStart=/usr/local/bin/node </projects/myapp/index.js> WorkingDirectory=</projects/myapp> User=nobody Group=nogroup Environment=NODE_ENV=production LimitNOFILE=infinity LIMITCORE=infinity StandardInput=null StandardOutput=syslog StandardError=syslog Restart=always [Install] WantedBy=multi-user.target
        
        Run app in cluster in multi-core system with Redis to share state
        
        Using node's cluster module
        
        Using PM2
        
        pm2 start npm --name my-app -i 4 -- start
        pm2 start npm --name my-app -i max -- start
        
        in ecosystem.config.js, setting exec_mode to cluster and instances to the number of workers to start
        pm2 scale my-app +3
        pm2 scale my-app 2
      - Cache request results
        
        Varnish
        
        Nginx
      - Use a load balancer with multiple instances
        Use Redis for session affinity or sticky sessions
        
        Nginx
        
        HAProxy
      - Use a reverse proxy
        
        Nginx
        
        HAProxy
  - - - Prevent open redirects, must validate the incoming URL
    - - app.disable('x-powered-by');
      - Custom error handler
        
        app.use((req, res, next) => { res.status(404).send('Sorry cannot find that!'); })
        
        app.use((err, req, res, next) => { res.status(500).send('Something broke!'); })
    - - express-session, stores session data on server, save session ID in cookie, default in memory not designed for prod env, for prod use session stores.
      - cookie-session, cookie-base storage, visible to the client, if need keep secure, use express-session
      - Don't use default session cookie name
        
        const session = require('express-session'); app.set('trust proxy', 1); app.use( session({ secret: 's3cur3', name: 'sessionId', }) );
      - Set cookie security options
        
        secure, over HTTPS
        
        httpOnly, Ensures the cookies is sent only over HTTP(S), not client JS
        
        domain, compare agist the domain of the server, if match, check path
        
        path, the path of the cookie
        
        expires, set expiration date for the persistent cookies
        
        const session = require('cookie-session'); const express = require('express'); const app = express(); const expiryDate = new Date(Date.now() + 60 * 60 * 1000); app.use( session({ name: 'session', keys: ['key1', 'key2'], cookie: { secure: true, httpOnly: true, domain: 'example.com', path: 'foo/bar', expires: expiryDate, }, }) );
    - - num of consecutive failed attempts by same user name and IP
      - num of failed attempts from an IP over long time, block IP
    - - npm audit
      - more secure, Snyk
        
        npm install -g snyk
        $ snyk test
    - - filer & sanitize user input to protect against XSS
      - defend SQL injection by using parameterized queries or prepared statements
      - use sqlmap to detect SQL injection
      - use nmap and sslyze to test SSL cipers
      - use safe-regex to test regular expressions
  - - - const server = app.listen(port); process.on('SIGTERM', () => { debug('SIGTERM signal received: closing HTTP server'); server.close(() => { debug('HTTP server closed'); }); });
    - - liveness: determines when to restart a container
      - readiness: determines when a container is ready to start accepting traffic
  - - - const express = require('express'); const app = express();
      - methods
        
        express.json([options]):
        middleware parses incoming requests with JSON payloads and is based on body-parser.