The document discusses several pain points experienced with Node.js applications and solutions for resolving them. It covers creating a strong foundation by upgrading to Node.js v5, locking down NPM dependencies, handling errors properly with try/catch blocks and promises, deploying applications using Docker for scaling, addressing security issues, and using tools like debug and profilers to improve performance.

1. Real World Lessons on the Pain Points of
Node.js Applications
@Ben_Hall
Ben@BenHall.me.uk
OcelotUproar.com / Katacoda.com

2. @Ben_Hall / Blog.BenHall.me.uk
Tech Support > Tester > Developer >
Founder
Software Development Studio
WHOAMI?

3. Agenda
• Creating strong foundation
– Node v5, NPM, Security
• Error Handling
• Async/Promises
• Deploying / Scaling
• Performance
• Debugging

4. Provide overview of the main
point points we’ve
experienced and how we
resolved them

5. Strong Foundations

6. Upgrading from Node v0.10.38
to v5.3.0

8. https://github.com/nodejs/node/wiki/
API-changes-between-v0.10-and-v4
• The domain module has been scheduled for
deprecation, awaiting an alternative for those
who absolutely need domains.
• fs.exists() is now deprecated. It is suggested to
use either fs.access() or fs.stat(). Please read the
documentation carefully.
• Updated setImmediate() to process the full queue
each turn of the event loop, instead of one per
queue.

9. https://nodejs.org/en/blog/release/v5
.0.0/
• Breaking changes.
• When parsing HTTP, don't add duplicates of the
following headers
• HTTP methods and header names must now conform
to the RFC 2616 "token" rule
• zlib: Decompression now throws on truncated input
• buffer: Removed both 'raw' and 'raws' encoding types
from Buffer, these have been deprecated for a long
time.

10. Docker to test deployment
• Didn’t need to install anything on host
> docker run -it -v $(pwd):/src -p 3000 node:5
root@container:> npm install
root@container:> npm start

11. Default to Underscore.js ?

12. Fixing NPM

13. Lock down NPM dependencies
because no-one respects SemVer

14. AngularJs 1.2 => 1.3
"dependencies": {
"angular": "^1.2.16”
}

15. Angular 1.2 => 1.3
> angular.element(document)
[#document]
> angular.element(document)
TypeError: undefined is not a function

16. Lock Down Dependencies
Randomly breaking builds and
deployments will occur otherwise

17. $ npm shrinkwrap
Lock down dependencies to what’s
running locally

19. Hard code versions in
package.json
"dependencies": {
"angular": “1.2.23”
}

20. $ npm outdated

22. .npmrc
• https://docs.npmjs.com/misc/config
> cat .npmrc
save=true
save-exact=true

23. npm install -g

25. Replaced Glup, Grunt with Make
• Bugs, Bugs everywhere!

26. templates:
handlebars views/templates/*.hbs -f public/js/templates.js
> make templates

27. Security

28. Cover Your Bases
• Barry Dorrans, Troy Hunt, Niall Merrigan
• Troy Hunt and Barry Dorrans sessions
• A security testers toolkit - Niall Merrigan
• https://vimeo.com/131641274
• Going beyond OWASP - Barry Dorrans
• https://vimeo.com/131642364

29. Child Process Exec
child_process.exec(req.query.url, function (err, data) {
console.log(data);
});
https://localhost:49155/api/openUrlInDefaultBrowser?url=c:/windows/sy
stem32/calc.exe
Thanks TrendMicro Antivirus on Windows!
https://code.google.com/p/google-security-research/issues/detail?id=693

30. Cross-Site Request Forgery
var csrf = require('csurf');
var csrfProtection = csrf({ cookie: true });
var parseForm = bodyParser.urlencoded({ extended: false });
app.get('/form', csrfProtection, function(req, res) {
res.render('send', { csrfToken: req.csrfToken() });
});
app.post('/process', parseForm, csrfProtection, function(req, res) {
res.send('data is being processed');
});
https://blog.risingstack.com/node-js-security-checklist/

31. Rate Limiting
var ratelimit = require('koa-ratelimit');
var ipBasedRatelimit = ratelimit({
db: redis.createClient(),
duration: 60000,
max: 10,
id: function (context) {
return context.ip;
}
});
app.post('/login', ipBasedRatelimit, handleLogin);
https://blog.risingstack.com/node-js-security-checklist/

32. Security Audit NPM Packages
> npm install nsp
> nsp check
(+) 18 vulnerabilities found

33. https://nodesecurity.io/
• Root Path Disclosure (2x)
• Regular Expression Denial of Service (10x)
• Incorrect Handling of Non-Boolean Comparisons
During Minification
• Denial-of-Service Extended Event Loop Blocking
• Denial-of-Service Memory Exhaustion
• Symlink Arbitrary File Overwrite
• Remote Memory Disclosure (2x)

34. NPM Credentials Leaks
• https://github.com/ChALkeR/notes/blob/mast
er/Do-not-underestimate-credentials-
leaks.md

35. Create Strong Foundations

36. Error Handling

37. Wasn’t great from the start

38. Try {} Catch {}

39. Try {} Catch {}

41. Domains haven’t really worked

42. https://raw.githubusercontent.com/strongloop/zone/master/showcase/curl/curl-zone.js
Zones? No. Not really

43. Returning String as Error

44. Strongly typed errors

46. Generators + Error Handling

47. Async Flow Control

49. Promises
Promises… Promises… Never break
your promises.
Personally, I never make promises.

50. http://domenic.me/2012/10/14/youre-missing-the-point-of-promises/

51. Not part of the Node
Makes integration more difficult.
Makes swapping code in / out more
painful.

52. Callbacks
So good it’s got it’s own website
callbackhell.com

53. “The goal isn’t about removing
levels of indentation but rather
writing modular code that is easy to
reason about”
Strongloop Blog
http://strongloop.com/strongblog/node-js-callback-hell-promises-generators/

61. Loops + Async Callbacks

62. Loops + Async Callbacks

63. “You can't get into callback hell if
you don't go there.”
Isaac Schlueter

64. Generators are coming!
See Node >=0.11.2

65. http://blog.alexmaccaw.com/how-yield-will-transform-node

66. http://blog.alexmaccaw.com/how-yield-will-transform-node

67. DEPLOY!

68. Single Threaded

69. CPU Intensive?
Array Filtering / Sorting / Processing

71. Have more threads

72. Solved Problem?

73. var cluster = require('cluster');
var http = require('http');
var numCPUs = require('os').cpus().length;
if (cluster.isMaster) {
// Fork workers.
for (var i = 0; i < numCPUs; i++) {
cluster.fork();
}
cluster.on('exit', function(worker, code, signal) {
console.log('worker ' + worker.process.pid + ' died');
});
} else {
// Workers can share any TCP connection
// In this case it is an HTTP server
http.createServer(function(req, res) {
res.writeHead(200);
res.end("hello worldn");
}).listen(8000);
}

74. > NODE_DEBUG=cluster node server.js
23521,Master Worker 23524 online
23521,Master Worker 23526 online
23521,Master Worker 23523 online
23521,Master Worker 23528 online

78. Deploying with Docker

80. Container
https://www.docker.com/whatisdocker/
Container

81. Deploying Node App via Docker
> cat Dockerfile
FROM node:5-onbuild
EXPOSE 3000
> docker build –t my-node-app .
> docker run –p 3000:3000 my-node-app

82. 59,040
environments/day/server

84. 112,320
environments/day/server

85. > docker run -d
-p 80:80
-v /var/run/docker.sock:/tmp/docker.sock:ro
jwilder/nginx-proxy
> docker run --name web
-e VIRTUAL_HOST=www.katacoda.com
my-node-app

86. Load Balancer
Nginx Proxy
Node Node
Node Node
Node Node
Nginx Proxy
Node Node
Node Node
Node Node
Nginx Proxy
Node Node
Node Node
Node Node

87. Health Endpoints
router.get('/_specialfunctions/_check', function(req, res) {
async.parallel([
check_docker,
check_starter,
check_redis,
check_pg
], function(err, results) {
if(err) {
console.log("Health check failed", err);
res.status(500);
return res.json({healthy: false, details: err});
}
res.json({healthy: true});
})
});

88. var check_docker = function(cb) {
docker.ping(function(err) { handle_error('docker', err, cb);});
};
var check_redis = function(cb) {
redis.status(function(err, connected) {
if(err === null && connected === "ready") {
cb();
} else {
handle_error('redis', {msg: 'Not Connected', err: err}, cb);
}
})
};
var check_pg = function(cb) {
pg.status(function(err) { handle_error('postgres', err, cb);});
};

89. Careful!
socket.io and global state

90. Sticky Sessions
Compiled Nginx + OSS Modules

91. Global State as a Service
Microservices FTW!!

92. Code Performance Still Matters

93. Performance

94. var Ocelite = require('ocelite');
var db = new Ocelite();
db.init('data.db', ['user'], function() {
db.save('user', {name: 'Barbara Fusinska', twitter: 'basiafusinska'}, ['twitter'],
function() {
db.get('user', 'twitter', 'basiafusinska', function(err, obj) {
console.log(obj);
});
});
});

95. > npm install v8-profiler
const profiler = require('v8-profiler')
const fs = require('fs')
var profilerRunning = false
function toggleProfiling () {
if (profilerRunning) {
const profile = profiler.stopProfiling()
console.log('stopped profiling')
profile.export()
.pipe(fs.createWriteStream('./myapp-'+Date.now()+'.cpuprofile'))
.once('error', profiler.deleteAllProfiles)
.once('finish', profiler.deleteAllProfiles)
profilerRunning = false
return
}
profiler.startProfiling()
profilerRunning = true
console.log('started profiling')
}
process.on('SIGUSR2', toggleProfiling)
> kill -SIGUSR2 <pid>

97. JetBrains WebStorm

98. Debugging

99. require(‘debug’);

100. Webstorm

101. VS Code

103. Summary
• Update to Node.js v5
• Start using ES6
• Security
• Manage your errors
• Forgot making promises
• Scale using Docker

104. Thank you!
@Ben_Hall
Ben@BenHall.me.uk
Blog.BenHall.me.uk
www.Katacoda.com
www.OcelotUproar.com