Core Code
Core Code Modern Dev Handbook
NODEJS Contents
Foundations & Runtime
Node.js HOME Node.js Intro: What Problem Does It Solve? Event Loop Explained Get Started: Install Node and Run Your First Script System Requirements and LTS Strategy Node.js vs Browser JavaScript V8, libuv, and the Node Runtime Model Node Architecture: Threads, I/O, and the Main Loop Event Loop Basics (What Actually Runs When) Microtasks vs Macrotasks (Promises vs Timers) Concurrency Model: Non-blocking I/O Explained The process Object: Args, Env, Exit Codes Environment Variables: Patterns and Gotchas TypeScript-first Node: Project Setup (Minimal Tooling) JS vs TS in Node: Quick Differences You’ll See Often Node LTS, Releases, and Upgrade Strategy When NOT to Use Node.js (Real Tradeoffs)
Async Programming
Async in Node: Mental Model Callbacks (Why They Still Matter) Promises Deep Dive (Chaining, States, Errors) Async/Await Under the Hood Error Propagation Across Async Boundaries try/catch Pitfalls with Async Code Timeouts & Retries (Without Making a Mess) AbortController in Node (Canceling Work) Parallel vs Concurrent Work in Node Unhandled Rejections: What to Do in Production Common Async Bugs and How to Avoid Them
Modules & Tooling
Modules Overview: CommonJS vs ES Modules ES Modules in Node (import/export, package.json type) CommonJS (require/module.exports) in Legacy Code How Node Resolves Modules (Paths, Exports, Conditions) package.json Essentials (name, main, exports, types) npm Basics: Installing, Lockfiles, and Reproducibility npm Scripts: Dev/Build/Test Workflow Managing Dependencies: Semver, Updates, and Audits Monorepo Basics (When It Helps, When It Hurts) Project Structure: Feature vs Layer Folders Linting & Formatting (ESLint/Prettier strategy)
Core Modules
fs Basics: Reading and Writing Files Safely path vs URL: Correctly Handling Paths and Links Streams Intro: Why Streams Exist Backpressure: The Real Reason Your Server Slows Down Buffer: Binary Data Without Fear events & EventEmitter: Patterns and Pitfalls crypto Basics: Hashing vs Encryption Timers: setTimeout/setInterval and Drift readline: CLI Input for Real Tools util & Debugging Helpers (inspect, promisify) dns Module: When You Actually Need It
HTTP & Networking
Raw HTTP Server: A Minimal API Without Frameworks Routing Basics Without Express Parsing JSON Bodies Safely Status Codes That Don’t Hurt Users HTTPS/TLS Basics for Backend Devs CORS Basics (and Why It’s Not “A Backend Bug”) HTTP/2 Overview (What Changes, What Doesn’t) WebSockets Overview (When REST Isn’t Enough) Socket.IO vs ws: Tradeoffs HTTP Timeouts (Server, Client, and Proxies) Streaming Responses (SSE/Chunked) Overview
Express.js
Express Intro What Express Is (and What It Isn’t) Express + TypeScript: Minimal Setup Routing Patterns (params, query, nesting) Middleware Concept: The Request Pipeline Error Middleware: One Place to Handle Failures Validation Strategy (DTOs + schema validation) Async Errors in Express (the safe pattern) Request Context (correlation id, per-request state) Serving Static Files (and when not to) Rate Limiting: Basic Protection Security Headers with helmet (baseline) HTTP Logging Middleware (what to log) Express Best Practices Checklist Standard Error Response Format in Express Request Validation Pattern (DTO + schema)
API Design
REST vs RPC: Picking the Right Style Resource Modeling: URLs, nouns, and hierarchy DTOs: Input/Output Shapes That Don’t Leak Internals API Versioning Without Chaos Pagination Patterns (cursor vs offset) Filtering & Sorting Patterns Consistent Error Responses (problem details style) Idempotency for Real APIs (POST without duplicates) OpenAPI/Swagger: Practical Documentation Workflow Auth Integration Points (where auth belongs) Node APIs with Frontend Apps (CORS, cookies, tokens) API Rate Limiting Strategy (Concept) Caching Basics for APIs (Where It Fits)
Database Integration
Connection Pooling Transactions Raw SQL vs Query Builder Repository Pattern Migration Strategy Indexing Basics N+1 Query Problem When MongoDB Makes Sense MongoDB Query Patterns Preventing SQL Injection DB Connection Lifecycle (Open/Close, Pool Hygiene) Query Timeouts and Slow Query Diagnosis
Auth Overview
Session vs JWT Password Hashing Basics Refresh Token Flow (Concept) Auth Middleware Pattern Role-Based Access Control Permission Modeling Cookies vs Authorization Header Common Auth Mistakes
Errors & Logging
Operational vs Programmer Errors Centralized Error Handling Structured Logging Correlation IDs Log Redaction Metrics Basics Monitoring & Alerts Debugging Production HTTP Access Logs (what to capture) Tracing Overview (OpenTelemetry concept)
Testing
Why Testing Matters Node Test Runner Unit Testing Integration Testing Testing Express APIs Mocking Strategy Fixtures & Test Data CI Testing Strategy
Performance
Event Loop Lag Profiling CPU & Memory Cluster Module Worker Threads Child Process Memory Leak Detection Scaling Strategy
Deployment
Environment Strategy Process Managers (PM2) Docker Basics CI/CD Basics Reverse Proxy Concept Production Checklist Health Checks & Readiness Probes
Architecture Patterns
Layered Architecture Clean Architecture in Node Feature-Based Structure Monolith vs Microservices API Gateway Concept Event-Driven Architecture Production Folder Template Boundaries & Dependency Direction (Practical)

Auth Middleware Pattern

Auth middleware is your security gate: verify identity early, attach typed principals to the request, and fail closed with consistent errors.
On this page

Middleware as a Security Boundary

Authentication must happen before business logic. The middleware should validate credentials, construct a trusted principal, attach it to the request, and enforce failure behavior consistently.

Attach a Principal, Not Raw Claims

Do not spread token claims across the app. Create a normalized user context (id, roles, permissions, tenant) and attach it to the request in one place.

Express Middleware Example

import type { Request, Response, NextFunction } from 'express';

type Principal = { userId: string; roles: string[] };

export function requireAuth(req: Request, res: Response, next: NextFunction) {
  const auth = req.headers.authorization;
  if (!auth?.startsWith('Bearer ')) {
    return res.status(401).json({ error: { code: 'UNAUTHORIZED', message: 'Missing token' } });
  }

  const token = auth.slice('Bearer '.length);

  // verifyToken should validate signature + exp and return trusted claims
  const claims = verifyToken(token);

  (req as any).principal = { userId: claims.sub, roles: claims.roles ?? [] } satisfies Principal;
  next();
}

Fail Closed

If verification fails, return 401/403 and stop processing. Do not continue with partial identity. Always log authentication failures with requestId and coarse reason (avoid leaking detail).

Production Details

  • Validate token expiration and issuer/audience
  • Enforce clock skew tolerance intentionally
  • Protect against token replay where applicable
  • Prefer constant-time comparisons for secrets
Role-Based Access Control →