This document provides lessons learned from real world experiences with Node.js applications. It discusses the importance of upgrading to newer Node.js versions for security and features. It also emphasizes the importance of error handling, using promises for async flow control, and scaling applications using Docker containers. Debugging and monitoring Node.js applications for performance is also covered.

1. Real World Lessons on the Pain Points of
Node.js Applications
@Ben_Hall
Ben@BenHall.me.uk
OcelotUproar.com / Katacoda.com

2. @Ben_Hall / Blog.BenHall.me.uk
Ocelot Uproar
WHOAMI?

3. Learn via Interactive Browser-Based Labs
Katacoda.com

4. Agenda
• Creating strong foundation
– Node v6/v7, NPM, Security
• Error Handling
• Async / Promises
• Deploying / Scaling
• Performance
• Debugging

5. Provide an overview of our
node.js experiences and the
tasks we wish we did earlier!

6. Strong Foundations

7. Upgrading from Node v0.10.38
to v6.1.0

9. #nodestats for March: Node 6.x hits 48% share, Node 7.x breaks 15%, 0.10 and 0.12 drop
below 10% share for the first time:
https://mobile.twitter.com/i/web/status/838922927735132160

10. Previous Node Versioning
• Even === Stable
– 0.10, 0.12, 4, 6
• Odd === Beta
– 0.9, 0.11, 5

12. Node Release Stages
• CURRENT: new features (and bug fixes and
security patches)
• ACTIVE LTS: bug fixes (and security patches)
• MAINTENANCE: only security patches

13. Docker to test deployment
• Didn’t need to install anything on host
> docker run -it -v $(pwd):/src -p 3000 node:6
root@container:> npm install
root@container:> npm start

14. Default to Underscore.js ?

15. Fixing NPM

16. Lock down NPM dependencies
because no-one respects SemVer

17. AngularJs 1.2 => 1.3
"dependencies": {
"angular": "^1.2.16”
}

18. Angular 1.2 => 1.3
> angular.element(document)
[#document]
> angular.element(document)
TypeError: undefined is not a function

19. Lock Down Dependencies
Randomly breaking builds and
deployments will occur otherwise

20. $ npm shrinkwrap
Lock down dependencies to what’s
running locally

22. Hard code versions in
package.json
"dependencies": {
"angular": “1.2.23”
}

23. $ npm outdated

25. .npmrc
• https://docs.npmjs.com/misc/config
> cat .npmrc
save=true
save-exact=true

26. npm install -g

28. Replaced Glup, Grunt with Make

29. templates:
handlebars views/templates/*.hbs -f public/js/templates.js
> make templates

30. Security

31. Child Process Exec
child_process.exec(req.query.url, function (err, data) {
console.log(data);
});
https://localhost:49155/api/openUrlInDefaultBrowser?url=c:/windows/sy
stem32/calc.exe
Thanks TrendMicro Antivirus on Windows!
https://code.google.com/p/google-security-research/issues/detail?id=693

32. Cross-Site Request Forgery
var csrf = require('csurf');
var csrfProtection = csrf({ cookie: true });
var parseForm = bodyParser.urlencoded({ extended: false });
app.get('/form', csrfProtection, function(req, res) {
res.render('send', { csrfToken: req.csrfToken() });
});
app.post('/process', parseForm, csrfProtection, function(req, res) {
res.send('data is being processed');
});
https://blog.risingstack.com/node-js-security-checklist/

33. Rate Limiting
var ratelimit = require('koa-ratelimit');
var ipBasedRatelimit = ratelimit({
db: redis.createClient(),
duration: 60000,
max: 10,
id: function (context) {
return context.ip;
}
});
app.post('/login', ipBasedRatelimit, handleLogin);
https://blog.risingstack.com/node-js-security-checklist/

34. Security Audit NPM Packages
> npm install nsp
> nsp check
(+) 18 vulnerabilities found

35. https://nodesecurity.io/
• Root Path Disclosure (2x)
• Regular Expression Denial of Service (10x)
• Incorrect Handling of Non-Boolean Comparisons
During Minification
• Denial-of-Service Extended Event Loop Blocking
• Denial-of-Service Memory Exhaustion
• Symlink Arbitrary File Overwrite
• Remote Memory Disclosure (2x)

36. NPM Credentials Leaks
• https://github.com/ChALkeR/notes/blob/mast
er/Do-not-underestimate-credentials-
leaks.md

40. https://blog.acolyer.org/2017/03/07/thou-shalt-not-depend-on-me-analysing-the-use-of-
outdated-javascript-libraries-on-the-web/

41. Create Strong Foundations

42. Error Handling

43. Wasn’t great from the start

44. Try {} Catch {}

45. Try {} Catch {}

47. Domains haven’t really worked

48. https://raw.githubusercontent.com/strongloop/zone/master/showcase/curl/curl-zone.js
Zones? No. Not really

49. Returning String as Error

50. Strongly typed errors

52. Async Flow Control

54. Promises
Promises… Promises… Never break
your promises.
Personally, I never make promises.

55. http://domenic.me/2012/10/14/youre-missing-the-point-of-promises/

56. Callbacks
So good it’s got it’s own website
callbackhell.com

57. “The goal isn’t about removing
levels of indentation but rather
writing modular code that is easy to
reason about”
Strongloop Blog
http://strongloop.com/strongblog/node-js-callback-hell-promises-generators/

65. Loops + Async Callbacks

66. Loops + Async Callbacks

67. “You can't get into callback hell if
you don't go there.”
Isaac Schlueter

68. Node 7 – Async Await
class Demo {
async greeting() {
const h = await this.world();
return h;
}
world() {
return Promise.resolve('hello world');
}
}
const retval = await demo.greeting();

69. Node 7 – Async Await Errors
async getPersonFullNameWithTryCatch() {
try {
let response = await fetch('./data/person2.json');
}
catch(e) {
console.log('there was an error');
console.log(e);
}
}

70. DEPLOY!

71. Single Threaded

72. CPU Intensive?
Array Filtering / Sorting / Processing

74. Maybe not use Node?
Golang has a great community
Where Node was a few years ago?

75. Have more threads

76. Solved Problem?

77. var cluster = require('cluster');
var http = require('http');
var numCPUs = require('os').cpus().length;
if (cluster.isMaster) {
// Fork workers.
for (var i = 0; i < numCPUs; i++) {
cluster.fork();
}
cluster.on('exit', function(worker, code, signal) {
console.log('worker ' + worker.process.pid + ' died');
});
} else {
// Workers can share any TCP connection
// In this case it is an HTTP server
http.createServer(function(req, res) {
res.writeHead(200);
res.end("hello worldn");
}).listen(8000);
}

78. > NODE_DEBUG=cluster node server.js
23521,Master Worker 23524 online
23521,Master Worker 23526 online
23521,Master Worker 23523 online
23521,Master Worker 23528 online

82. Deploying with Docker

84. Container
https://www.docker.com/whatisdocker/
Container

85. Deploying Node App via Docker
> cat Dockerfile
FROM node:6-onbuild
EXPOSE 3000
> docker build –t my-node-app .
> docker run –p 3000:3000 my-node-app

86. 59,040
environments/day/server

88. 112,320
environments/day/server

89. > docker run -d
-p 80:80
-v /var/run/docker.sock:/tmp/docker.sock:ro
jwilder/nginx-proxy
> docker run --name web
-e VIRTUAL_HOST=www.katacoda.com
my-node-app

90. Load Balancer
Nginx Proxy
Node Node
Node Node
Node Node
Nginx Proxy
Node Node
Node Node
Node Node
Nginx Proxy
Node Node
Node Node
Node Node

91. Health Endpoints
router.get('/_specialfunctions/_check', function(req, res) {
async.parallel([
check_docker,
check_starter,
check_redis,
check_pg
], function(err, results) {
if(err) {
console.log("Health check failed", err);
res.status(500);
return res.json({healthy: false, details: err});
}
res.json({healthy: true});
})
});

92. var check_docker = function(cb) {
docker.ping(function(err) { handle_error('docker', err, cb);});
};
var check_redis = function(cb) {
redis.status(function(err, connected) {
if(err === null && connected === "ready") {
cb();
} else {
handle_error('redis', {msg: 'Not Connected', err: err}, cb);
}
})
};
var check_pg = function(cb) {
pg.status(function(err) { handle_error('postgres', err, cb);});
};

93. Careful!
socket.io and global state

94. Sticky Sessions
Compiled Nginx + OSS Modules

95. Global State as a Service
Microservices FTW!!

96. Code Performance Still Matters

97. Performance

98. > npm install v8-profiler
const profiler = require('v8-profiler')
const fs = require('fs')
var profilerRunning = false
function toggleProfiling () {
if (profilerRunning) {
const profile = profiler.stopProfiling()
console.log('stopped profiling')
profile.export()
.pipe(fs.createWriteStream('./myapp-'+Date.now()+'.cpuprofile'))
.once('error', profiler.deleteAllProfiles)
.once('finish', profiler.deleteAllProfiles)
profilerRunning = false
return
}
profiler.startProfiling()
profilerRunning = true
console.log('started profiling')
}
process.on('SIGUSR2', toggleProfiling)
> kill -SIGUSR2 <pid>

100. JetBrains WebStorm

101. OpenTracing - Zipkin

104. Prometheus + Grafana

106. Debugging

107. require(‘debug’);

108. Webstorm

109. VS Code

110. Profiling Node Applications
March 10, 2017 @ 09:00 Fontaine E

111. Real-Time Monitoring with
Grafana, StatsD and InfluxDB
March 10, 2017 @ 15:00

112. Testing?!

114. Summary
• Upgrade to Node.js v6
• Start looking at ES6 / Node 7
• Security
• Manage your errors
• Forgot making promises
• Scale using Docker

115. Thank you!
@Ben_Hall
Ben@BenHall.me.uk
www.Katacoda.com