How to Enterprise Node
- 1. June 19, 2018
Confidential
Introduction to Node.js
Enterprise Best Practices
- 2. June 19, 2018
Julián Duque
Solutions Architect - Node.js Collaborator - Community Organizer
@julian_duque / github.com/julianduque
- 3. © 2018 NodeSource
Agenda
• Introduction & History
• What is Node.js?
• Common Node.js Patterns and Enterprise Best Practices
• Success Stories
- 7.
20 Years of Java: 1995 - 2015
• 97% of Enterprise Desktops Run Java
• 89% of Desktops (or Computers) in the U.S. Run Java
• 3 Billion Mobile Phones Run Java
• 100% of Blu-ray Disc Players Ship with Java
• 5 Billion Java Cards in Use
• 125 Million TV devices run Java
• 5 of the Top 5 OEMs Ship Java ME
- 8.
• Desktop Apps
• Mobile Devices
• Embedded Devices
• Web Servers
• Web UI/RIA
• API Services
- 9.
In the Spring of 2009,
something changed…
- 10.
…JavaScript started to expand
well beyond webpages.
- 12.
All of these improvements
were primarily for the UI.
- 15.
JavaScript VM + Event Loop + Low Level I/O API
- 16.
Node.js connects the ease of a scripting
language (JavaScript) with the power of
Unix network programming.
- 17.
JavaScript is a well-known language, making
Node.js immediately accessible to the entire
web development community.
- 19.
Node.js has an estimated 7,000,000 users and is growing 100% year-over-year.
Note: only 19,000,000 known software developers worldwide as of 2016.
(Pie chart: Node.js 37%, Other 63%)
- 20.
npm is the fastest growing package
repository in the history of
programming with over 500,000
packages available and over a billion
downloads a week.
- 22.
| Rank | Open Source Technology | Technology Leader | Valuation/Market Cap |
|------|------------------------|-------------------|------------------------|
| 1 | Linux | Red Hat | $16 Billion |
| 2 | Git | GitHub | $2 Billion (Private) |
| 3 | MySQL | Oracle | $200 Billion |
| 4 | Node.js | NodeSource | ??? (Private) |
| 5 | Docker | Docker Inc. | $1 Billion (Private) |
| 6 | Hadoop | Cloudera | $3 Billion |
| 7 | Elasticsearch | Elastic | $700 Million (Private) |
| 8 | Spark | Databricks | $513 Million (Private) |
| 9 | MongoDB | MongoDB Inc. | $1.57 Billion (Private) |
| 10 | Selenium | Sauce Labs | $467 Million (Private) |
Battery Ventures Open Source Software Index
- 23.
What’s driving all this growth?
- 39.
Node.js is a simple platform for developing
… network-centric
… modular
… JavaScript applications
… using asynchronous, event-driven programming
- 40.
A Simple Platform
• Node.js’ core consists mostly of essentials: small-core
• The Python lesson: “A standard library is where code goes to die”
• npm and Node's modularity enables a vibrant ecosystem
• Open source competition begets quality and innovation
- 41.
Node.js architecture (diagram):
• JavaScript layer: Node.js core API
• C/C++ layer: Node.js bindings, V8 JavaScript engine, libuv, OpenSSL, zlib, http_parser, c-ares
- 42.
Networking and I/O
• More than ¼ of Node.js core is dedicated to networking
• Designed for I/O-driven, high-throughput workloads
• Used to power the modern web
- 43.
Modular
• npm: the world’s largest open source package registry
• The Node.js module system solves most “dependency-hell” problems
• Encourages anti-monolith development
• The holy-grail of decoupled and reusable coding
- 44.
module.exports = function archy (obj, prefix, opts) {
    if (prefix === undefined) prefix = '';
    if (!opts) opts = {};
    // Map box-drawing characters to ASCII when opts.unicode === false
    var chr = function (s) {
        var chars = {
            '│' : '|',
            '└' : '`',
            '├' : '+',
            '─' : '-',
            '┬' : '-'
        };
        return opts.unicode === false ? chars[s] : s;
    };

    if (typeof obj === 'string') obj = { label : obj };

    var nodes = obj.nodes || [];
    var lines = (obj.label || '').split('\n');
    var splitter = '\n' + prefix + (nodes.length ? chr('│') : ' ') + ' ';

    return prefix
        + lines.join(splitter) + '\n'
        + nodes.map(function (node, ix) {
            var last = ix === nodes.length - 1;
            var more = node.nodes && node.nodes.length;
            var prefix_ = prefix + (last ? ' ' : chr('│')) + ' ';

            // Render each child subtree recursively, dropping the part of the
            // prefix that was already emitted on this line
            return prefix
                + (last ? chr('└') : chr('├')) + chr('─')
                + (more ? chr('┬') : chr('─')) + ' '
                + archy(node, prefix_, opts).slice(prefix.length + 2)
            ;
        }).join('')
    ;
};
“archy”
• 700th most downloaded Node.js package
• Fits on a single slide, very focused concern
• Easily tested, grokked, documented, shared
This modular pattern is The Node.js Way
- 45.
JavaScript on the Server
• Effectively bridge the server/browser divide
• JavaScript for approachability, productivity and
developer joy
• JavaScript is not going anywhere!
- 46.
Asynchronous, Event-driven Programming
• Alternative programmer paradigm: Continuation Passing Style
• API focus on callbacks, events and streams
• Perfect for I/O-driven, high-throughput workloads
• Single-threaded encourages scalable design patterns
- 47.
const fs = require('fs')
const net = require('net')
const server = net.createServer()

// callbacks: the function runs once the file has been read
fs.readFile('data.txt', 'utf8', countLines)
function countLines (err, data) {
  if (err) throw err
  let lines = data.split('\n').length
  console.log(`${lines} lines`)
}

// events: the handler runs on every new connection
server.on('connection', onConnection)
function onConnection (stream) {
  console.log('someone connected!')
}
Continuation passing
“Do this when ready”
Thread doesn’t “block” while waiting on I/O
- 48.
Node.js is great for:
• Resource orchestration applications
• Network & I/O-driven applications—the web!
Node.js is not so great for:
• CPU intensive workloads
• Systems programming
- 49.
Common Node.js Patterns & Enterprise Best Practices
- 50.
Emerging Use Cases
• "Front-end/back-end" Pattern
• Back-end Services and APIs
• Internal PaaS's
• Build Tools
• Cryptocurrencies and Blockchain
• Internet of Things
- 52.
Runtime Best Practices
• Use LTS releases only, currently Node 8 (Carbon)
• Version must be at least last security release
• OpenSSL compiled in to binary (Use official / NodeSource builds)
• Use at least Small-ICU compiled into binary
- 53.
Runtime Best Practices
• Avoid deprecated APIs
• Use --throw-deprecation
• Avoid experimental features
• Don’t use cluster and domain modules
- 54.
Runtime Best Practices
• Do not use synchronous I/O methods
• Avoid fs and child_process sync methods
• crypto sync methods are OK
• Do not use private / internal core module methods
- 56.
Security Best Practices
• Don’t use Buffer constructor
• Avoid new Buffer, use Buffer.alloc instead
• Zero-fill on all Buffer creation
• Avoid Buffer.allocUnsafe
• Use operating system provided CA certificates
• With --use-openssl-ca or SSL_CERT_DIR / SSL_CERT_FILE environment variables
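An added example, not code from the deck, showing the type confusion behind the Buffer advice: the legacy constructor changes meaning with the type of its argument, while Buffer.alloc and Buffer.from state the intent and always zero-fill. The helper names and the "request body" values are constructed for the demo.

```javascript
// Added example, not part of the original deck.
// `new Buffer(x)` (deprecated as DEP0005) means two different things:
// `new Buffer(8)` allocates an 8-byte block (uninitialised memory on Node < 8),
// `new Buffer('8')` copies a one-character string. A JSON field that is
// sometimes a number and sometimes a string therefore flips between
// "hand me raw memory" and "copy this text".

// Hardened construction: the caller says what it wants, fresh memory is zeroed.
function allocZeroed(size) {
  if (!Number.isInteger(size) || size < 0) {
    throw new RangeError('size must be a non-negative integer');
  }
  return Buffer.alloc(size); // zero-filled; never exposes stale heap contents
}

function bytesFrom(input) {
  // Only accept sources that represent bytes; a number is never a length here.
  if (typeof input === 'string' || Buffer.isBuffer(input) ||
      Array.isArray(input) || input instanceof Uint8Array) {
    return Buffer.from(input);
  }
  throw new TypeError('unsupported byte source: ' + typeof input);
}

// If Buffer.allocUnsafe is unavoidable (hot path, fully overwritten),
// scrub it before any byte can be read back.
function allocUnsafeScrubbed(size) {
  return Buffer.allocUnsafe(size).fill(0);
}

function isZeroFilled(buf) {
  return buf.every((b) => b === 0);
}

// Constructed inputs standing in for a parsed request body field
const fromJsonNumber = 8;    // e.g. JSON.parse('{"data": 8}').data
const fromJsonString = '8';  // e.g. JSON.parse('{"data": "8"}').data

// bytesFrom(fromJsonString) -> <Buffer 38>; bytesFrom(fromJsonNumber) throws
// instead of silently returning an 8-byte block.
```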
- 58.
Web Framework: Basics
• Recommended Framework: express
• Use NGINX / HAProxy as Reverse Proxy
• Use CDN or Reverse Proxy to serve static files, don’t serve them from Node
• Use middleware recommended by express project
• https://expressjs.com/en/resources/middleware.html
- 59.
Web Framework: Security
• Use TLS termination on NGINX or HAProxy
• Use helmet & csurf middleware
• Filter and sanitize user input
• Use current versions of dependencies, rely on tools like nsp, snyk or N|Solid
- 60.
Web Framework: Security
• Use safe-regex to avoid ReDoS
• Use express-session or cookie-session middleware
• Don’t use default secret keys for cookies and sessions
• Set httpOnly: true and secure: true
• Set domain and path as restrictive as possible
• Choose short expires dates
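An added example, not from the deck, that turns the cookie rules on this slide into a cookie-session options object plus a startup check that refuses a default secret. The option names (name, keys, httpOnly, secure, sameSite, domain, path, maxAge) are real cookie-session settings; the weak-secret list, the environment variable names and the 15-minute lifetime are assumptions for the demo.

```javascript
// Added example, not part of the original deck.
const WEAK_SECRETS = new Set(['', 'secret', 'keyboard cat', 'changeme', 'password']);
const FIFTEEN_MINUTES = 15 * 60 * 1000;

// env: an object shaped like process.env (passed in so it can be tested).
function sessionOptions(env) {
  const secret = env.SESSION_SECRET;
  if (typeof secret !== 'string' || secret.length < 32 || WEAK_SECRETS.has(secret)) {
    throw new Error('SESSION_SECRET must be a random value of at least 32 characters');
  }
  const production = env.NODE_ENV === 'production';
  return {
    name: 'sid',                      // not the framework's default cookie name
    keys: [secret],                   // cookie-session signs with the first key
    httpOnly: true,                   // not readable from document.cookie
    secure: production,               // only sent over TLS; with TLS terminated at
                                      // NGINX set app.set('trust proxy', 1) as well
    sameSite: 'lax',
    domain: env.COOKIE_DOMAIN,        // exact host only, no wildcard subdomains
    path: env.COOKIE_PATH || '/app',  // scope to the app's own path
    maxAge: FIFTEEN_MINUTES,          // short lifetime, re-issued on activity
  };
}

// Startup / CI check over the final options object: returns a list of problems.
function cookieOptionsProblems(opts) {
  const problems = [];
  if (opts.httpOnly !== true) problems.push('httpOnly must be true');
  if (opts.secure !== true) problems.push('secure must be true');
  if (!opts.path || opts.path === '/') problems.push('path should be narrower than /');
  if (!opts.maxAge || opts.maxAge > 24 * 60 * 60 * 1000) problems.push('maxAge too long');
  return problems;
}

// Usage: app.use(cookieSession(sessionOptions(process.env))) after the
// problems list has been confirmed empty for the production configuration.
```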
- 61.
Web Framework: Performance
• Use gzip compression
• Don’t use Synchronous functions
• Don’t log to terminal when running on production
• Set NODE_ENV=production
• Cache request results via NGINX or Varnish
• Use a load balancer if a single instance can’t handle traffic
- 62.
Web Framework: Error Handling
• Use error handling middleware
• Don’t use domains
• Use try/catch in synchronous or async/await code
• Stop your server when handling a global uncaughtException or unhandledRejection
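An added example, not from the deck, with the two pieces this slide asks for: an express-style error-handling middleware (recognised by its four-parameter signature) and a fatal-error handler that stops the server instead of continuing in an unknown state. The logger and exit function are injected so the logic can be exercised without a real process; all names are ours.

```javascript
// Added example, not part of the original deck.

function errorMiddleware(log) {
  // Express treats a function with four parameters as an error handler.
  return function handleError(err, req, res, next) {
    if (res.headersSent) return next(err); // let express tear the response down
    const status = Number.isInteger(err.status) && err.status >= 400 ? err.status : 500;
    log({ level: 'error', status, msg: err.message, stack: err.stack });
    // Never echo err.message or the stack for 5xx responses: it leaks internals.
    const body = status >= 500 ? { error: 'Internal Server Error' } : { error: err.message };
    res.status(status).json(body);
    return status;
  };
}

// Stop accepting connections, then exit non-zero so the process supervisor
// (systemd, the container runtime) restarts a clean instance. A timer bounds
// the wait in case keep-alive connections refuse to drain.
function makeCrashHandler(server, log, exit, graceMs = 5000) {
  let stopping = false;
  return function onFatal(err) {
    if (stopping) return 'already-stopping';
    stopping = true;
    log({ level: 'fatal', msg: err && err.message, stack: err && err.stack });
    const timer = setTimeout(() => exit(1), graceMs);
    server.close(() => {
      clearTimeout(timer);
      exit(1);
    });
    return 'stopping';
  };
}

function installCrashHandlers(server, log, exit = process.exit) {
  const onFatal = makeCrashHandler(server, log, exit);
  process.on('uncaughtException', onFatal);
  process.on('unhandledRejection', onFatal);
  return onFatal;
}

// Usage with express: app.use(errorMiddleware(logger)) registered last, then
// installCrashHandlers(app.listen(port), logger).
```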
- 63.
Logging
• Recommended Library: winston
• Use a wrapper to configure logging by environment and allow switching logging solutions if needed
• Integrate with express through morgan custom handler
• Don’t let winston handle uncaughtExceptions
- 64.
HTTP Client
• Recommended Library: request
• Use request for callback interface
• Use request-promise-native for Promises support
- 65.
Other recommendations
• ORMs can get you into trouble, think carefully when using them; if needed we recommend: Sequelize
• Utility: lodash
• Testing: Mocha, Chai
- 67.
Build Best Practices: Versioning
• Embrace SemVer for software versioning
• Prefer npm client over yarn
• Standardize .npmrc for all developers and projects
• Explicitly set private: true to avoid publishing
• Utilize npm outdated to show packages to update
• Don’t check node_modules into version control
- 68.
Build Best Practices: Versioning
• Avoid using git dependencies
• Consider a private registry like npmE, Artifactory, Sonatype Nexus or verdaccio/sinopia.
• Include package-lock.json or yarn.lock files in version control
• Lockdown internal npm giving only CI/CD pipeline publish access
- 69.
Build Best Practices: Linting
• Use any ESLint based linter
• standard is recommended
• Define custom eslint rules to suit your needs
- 70.
Build Best Practices: Testing
• Unit tests: mocha & chai
• Mocking: nock and proxyquire
• Server Testing: supertest
• Load Testing: k6, siege, locust, gor and JMeter
• Infrastructure: Chaos Monkey
• Test Coverage: nyc/istanbul
• Code Complexity: Plato
- 72.
Error handling
• Name your functions, makes debugging easier
• Avoid throw on asynchronous calls, use callback pattern to bubble up errors back to caller
- 73.
Performance
• Look for tasks that can be run in parallel
• Avoid CPU intensive tasks
• Use compression and caching
• Look for places where data can be treated as streams
• Understand V8 data types, garbage collection and when code de-optimization occurs (the latest V8 TurboFan compiler does a great job at optimizing JS code)
- 74.
Scaling
• Horizontal Scaling preferred over Vertical
• Focus on keeping application stateless
• You can use JWT for stateless authentication and session management
• Avoid cluster module or solutions like pm2
• Use NGINX / HAProxy load balancer instead
- 75.
Flow Control
• Choose one: Don’t mix and match, if needed use util.promisify or pify
• Callbacks
• Promises
• Async/Await (Recommended)
- 76.
Flow Control
• Use proper error handling
• callbacks: err as first argument, always handle
• Promises: always use .catch
• async/await: always use try/catch
- 77.
Flow Control
• Callbacks: use async.js library
• Promises: Promise.all / Promise.race
• async/await: Use JavaScript loops for serial execution, for parallel there is no idiomatic way to do it so rely on Promise.all / Promise.race
- 78.
Authentication
• Use JSON Web Tokens for API access tokens
• express-session / cookie-session for session management
• Passport.js is a good option to consider as authentication/authorization framework
- 79.
Security
• A Node.js application rarely requires root access
• Do not bind on port 80 or 443 from Node.js
• Always check for vulnerable packages with nsp, snyk or N|Solid
• Always use latest Node.js security release
- 80.
Other recommendations
• Use CI/CD to run security checks, license compliance and linting
• Consider Containerization: Docker
• Use native process monitoring tools (systemd, upstart)
• Debug with Chrome Developer tools using --inspect
- 82.
Crypto as a Service (CaaS)
MasterCard has an internal CaaS offering currently used by digital payments platforms and is written in Node.js.
MasterCard has bet big on Node.js for their CaaS and is reaping the benefits of Node’s scalable, non-blocking I/O model.
- 83.
Internal Platform as a Service (PaaS)
Many off-the-shelf PaaS offerings (e.g. Heroku) do not have an on-premise version and for Fidelity, and many in the financial services industry, a public PaaS is a non-starter for mission critical applications.
Travell Perkins, CTO at Fidelity, bet on Node.js to build Mako, their enterprise-grade PaaS to work within their DMZ. Mako is now the key to Fidelity’s continuous deployment process to provide customers with the best user experiences with Fidelity’s myriad applications.
- 84.
Redefining “Shipping Software”
PayPal had a successful product that users loved, but the user interface was dated and took months to even years to release changes to it.
The User Interface team began reworking frontend services as independent Node.js apps allowing rapid iteration and autonomy, thus enabling more extensive A/B testing and a platform more readily able to address the evolving needs of the digital payments market.
- 85.
Happy Developers Thrive with Node.js
With over 5,000 developers and teams using Node in differing ways, Capital One has found a way to increase the productivity of their developers thanks to a drop in context switching for their front-end teams now writing Node.js services on the back end.
Capital One has three versions of the Enterprise API, mostly built with Java. Front-end teams have been able to use Node.js as an orchestration layer to make interfacing with the API more convenient for front end developers.
- 86.
So what is the most compelling reason to adopt Node.js?
- 88.
Thank you.
Julián Duque
julian@nodesource.com
@julian_duque