Core Code
Core Code Modern Dev Handbook
NODEJS Contents
Foundations & Runtime
Node.js HOME Node.js Intro: What Problem Does It Solve? Event Loop Explained Get Started: Install Node and Run Your First Script System Requirements and LTS Strategy Node.js vs Browser JavaScript V8, libuv, and the Node Runtime Model Node Architecture: Threads, I/O, and the Main Loop Event Loop Basics (What Actually Runs When) Microtasks vs Macrotasks (Promises vs Timers) Concurrency Model: Non-blocking I/O Explained The process Object: Args, Env, Exit Codes Environment Variables: Patterns and Gotchas TypeScript-first Node: Project Setup (Minimal Tooling) JS vs TS in Node: Quick Differences You’ll See Often Node LTS, Releases, and Upgrade Strategy When NOT to Use Node.js (Real Tradeoffs)
Async Programming
Async in Node: Mental Model Callbacks (Why They Still Matter) Promises Deep Dive (Chaining, States, Errors) Async/Await Under the Hood Error Propagation Across Async Boundaries try/catch Pitfalls with Async Code Timeouts & Retries (Without Making a Mess) AbortController in Node (Canceling Work) Parallel vs Concurrent Work in Node Unhandled Rejections: What to Do in Production Common Async Bugs and How to Avoid Them
Modules & Tooling
Modules Overview: CommonJS vs ES Modules ES Modules in Node (import/export, package.json type) CommonJS (require/module.exports) in Legacy Code How Node Resolves Modules (Paths, Exports, Conditions) package.json Essentials (name, main, exports, types) npm Basics: Installing, Lockfiles, and Reproducibility npm Scripts: Dev/Build/Test Workflow Managing Dependencies: Semver, Updates, and Audits Monorepo Basics (When It Helps, When It Hurts) Project Structure: Feature vs Layer Folders Linting & Formatting (ESLint/Prettier strategy)
Core Modules
fs Basics: Reading and Writing Files Safely path vs URL: Correctly Handling Paths and Links Streams Intro: Why Streams Exist Backpressure: The Real Reason Your Server Slows Down Buffer: Binary Data Without Fear events & EventEmitter: Patterns and Pitfalls crypto Basics: Hashing vs Encryption Timers: setTimeout/setInterval and Drift readline: CLI Input for Real Tools util & Debugging Helpers (inspect, promisify) dns Module: When You Actually Need It
HTTP & Networking
Raw HTTP Server: A Minimal API Without Frameworks Routing Basics Without Express Parsing JSON Bodies Safely Status Codes That Don’t Hurt Users HTTPS/TLS Basics for Backend Devs CORS Basics (and Why It’s Not “A Backend Bug”) HTTP/2 Overview (What Changes, What Doesn’t) WebSockets Overview (When REST Isn’t Enough) Socket.IO vs ws: Tradeoffs HTTP Timeouts (Server, Client, and Proxies) Streaming Responses (SSE/Chunked) Overview
Express.js
Express Intro What Express Is (and What It Isn’t) Express + TypeScript: Minimal Setup Routing Patterns (params, query, nesting) Middleware Concept: The Request Pipeline Error Middleware: One Place to Handle Failures Validation Strategy (DTOs + schema validation) Async Errors in Express (the safe pattern) Request Context (correlation id, per-request state) Serving Static Files (and when not to) Rate Limiting: Basic Protection Security Headers with helmet (baseline) HTTP Logging Middleware (what to log) Express Best Practices Checklist Standard Error Response Format in Express Request Validation Pattern (DTO + schema)
API Design
REST vs RPC: Picking the Right Style Resource Modeling: URLs, nouns, and hierarchy DTOs: Input/Output Shapes That Don’t Leak Internals API Versioning Without Chaos Pagination Patterns (cursor vs offset) Filtering & Sorting Patterns Consistent Error Responses (problem details style) Idempotency for Real APIs (POST without duplicates) OpenAPI/Swagger: Practical Documentation Workflow Auth Integration Points (where auth belongs) Node APIs with Frontend Apps (CORS, cookies, tokens) API Rate Limiting Strategy (Concept) Caching Basics for APIs (Where It Fits)
Database Integration
Connection Pooling Transactions Raw SQL vs Query Builder Repository Pattern Migration Strategy Indexing Basics N+1 Query Problem When MongoDB Makes Sense MongoDB Query Patterns Preventing SQL Injection DB Connection Lifecycle (Open/Close, Pool Hygiene) Query Timeouts and Slow Query Diagnosis
Auth Overview
Session vs JWT Password Hashing Basics Refresh Token Flow (Concept) Auth Middleware Pattern Role-Based Access Control Permission Modeling Cookies vs Authorization Header Common Auth Mistakes
Errors & Logging
Operational vs Programmer Errors Centralized Error Handling Structured Logging Correlation IDs Log Redaction Metrics Basics Monitoring & Alerts Debugging Production HTTP Access Logs (what to capture) Tracing Overview (OpenTelemetry concept)
Testing
Why Testing Matters Node Test Runner Unit Testing Integration Testing Testing Express APIs Mocking Strategy Fixtures & Test Data CI Testing Strategy
Performance
Event Loop Lag Profiling CPU & Memory Cluster Module Worker Threads Child Process Memory Leak Detection Scaling Strategy
Deployment
Environment Strategy Process Managers (PM2) Docker Basics CI/CD Basics Reverse Proxy Concept Production Checklist Health Checks & Readiness Probes
Architecture Patterns
Layered Architecture Clean Architecture in Node Feature-Based Structure Monolith vs Microservices API Gateway Concept Event-Driven Architecture Production Folder Template Boundaries & Dependency Direction (Practical)

Refresh Token Flow (Concept)

Refresh tokens enable short-lived access tokens without re-login, but they must be treated like credentials: rotate, store safely, and revoke aggressively.
On this page

Why Refresh Tokens Exist

Short-lived access tokens reduce the blast radius of token theft. Refresh tokens allow the client to obtain new access tokens without prompting the user to log in repeatedly.

Access Token vs Refresh Token

  • Access token: short TTL (minutes), used on every request
  • Refresh token: longer TTL (days/weeks), used only to refresh

Rotation Is Not Optional

In production, refresh tokens should be rotated: each refresh issues a new refresh token and invalidates the old one. This limits replay if a token is stolen.

Refresh Flow Example

POST /auth/refresh
Cookie: refresh_token=rt_...

# Response
{
  "accessToken": "eyJhbGciOi...",
  "expiresIn": 900
}
Set-Cookie: refresh_token=rt_new; HttpOnly; Secure; SameSite=Lax

Storage and Revocation

Store refresh tokens server-side (hashed) with metadata: userId, deviceId, issuedAt, lastUsedAt, and revokedAt. Support device-level logout by revoking a single refresh token record, and global logout by revoking all records for a user.

Production Pitfalls

  • Long-lived access tokens (defeats the model)
  • No rotation (stolen token remains valid)
  • Storing refresh tokens in localStorage (XSS risk)
Auth Middleware Pattern →