How to Enterprise Node

J U N E 1 9 , 2 0 1 8
C O N F I D E N T I A L
Introduction to Node.js
Enterprise Best Practices

June 19, 2018
Julián Duque
Solutions Architect - Node.js Collaborator - Community Organizer
@julian_duque / github.com/julianduque

© 2018 NodeSource C O N F I D E N T I A L3
Agenda
• Introduction & History
• What is Node.js?
• Common Node.js Patterns and Enterprise Best Practices
• Success Stories

Pattern Recognition

• 97% of Enterprise Desktops Run Java
• 89% of Desktops (or Computers) in the U.S. Run Java
• 3 Billion Mobile Phones Run Java
• 100% of Blu-ray Disc Players Ship with Java
• 5 Billion Java Cards in Use
• 125 Million TV devices run Java
• 5 of the Top 5 OEM’s Ship Java ME
20 Years of Java: 1995 - 2015

Desktop Apps
Mobile Devices Embedded Devices
Web ServersWeb UI/RIA
API Services

In the Spring of 2009,
something changed…

…JavaScript started to expand
well beyond webpages.

All of these improvements
were primarily for the UI.

Until Autumn of 2009…

JavaScript VM + Event Loop + Low Level I/O API

Node.js connects the ease of a scripting
language (JavaScript) with the power of
Unix network programming.

JavaScript is a well-known language, making
Node.js immediately accessible to the entire
web development community.

© 2018 NodeSource18
Node.js is the fastest growing
open source project in the world.

Node.js has an estimated 7,000,000 users and is growing 100% year-over-year.
Note, only 19,000,000 known software developers worldwide as of 2016.
63%
37%
Other
Node.js

npm is the fastest growing package
repository in the history of
programming with over 500,000
packages available and over a billion
downloads a week.

Rank Open Source Technology
TecTechnology
Leader Valuation/Market Cap
1 Linux Red Hat $16 Billion
2 Git GitHub $2 Billion (Private)
3 MySQL Oracle $200 Billion
4 Node.js NodeSource ??? (Private)
5 Docker Docker Inc. $1 Billion (Private)
6 Hadoop Cloudera $3 Billion
7 Elasticsearch Elastic $700 Million (Private)
8 Spark Databricks $513 Million (Private)
9 MongoDB MongoDB Inc. $1.57 Billion (Private)
10 Selenium Sauce Labs $467 Million (Private)
Battery Ventures Open Source Software Index

What’s driving all this growth?

Desktop Apps
API Services

© 2018 NodeSource C O N F I D E N T I A L
What is Node.js?
38

Node.js is a simple platform for developing
    … network-centric
    … modular
    … JavaScript applications
    … using asynchronous, event-driven programming

A Simple Platform
• Node.js’ core consists mostly of essentials: small-core
• The Python lesson: “A standard library is where code goes
to die”
• npm and Node's modularity enables a vibrant ecosystem
• Open source competition begets quality and innovation

NO DE.JS CO RE API
NO DE.JS BINDINGS
V8
JAVAS CR IPT
ENGINE
LIBUV
OPENSSL
ZLIB
HTTP_PARS ER
CARES
JavaScript
C / C++

Networking and I/O
• More than ¼ of Node.js core is dedicated to networking
• Designed for I/O-driven, high-throughput workloads
• Used to power the modern web

Modular
• npm: the world’s largest open source package registry
• The Node.js module system solves most “dependency-
hell” problems
• Encourages anti-monolith development
• The holy-grail of decoupled and reusable coding

module.exports = function archy (obj, prefix, opts) {
if (prefix === undefined) prefix = '';
if (!opts) opts = {};
var chr = function (s) {
var chars = {
'│' : '|',
'└' : '`',
'├' : '+',
'─' : '-',
'┬' : '-'
};
return opts.unicode === false ? chars[s] : s;
};
if (typeof obj === 'string') obj = { label : obj };
var nodes = obj.nodes || [];
var lines = (obj.label || '').split('n');
var splitter = 'n' + prefix + (nodes.length ? chr('│') : ' ') + ' ';
return prefix
+ lines.join(splitter) + 'n'
+ nodes.map(function (node, ix) {
var last = ix === nodes.length - 1;
var more = node.nodes && node.nodes.length;
var prefix_ = prefix + (last ? ' ' : chr('│')) + ' ';
return prefix
+ (last ? chr('└') : chr('├')) + chr('─')
+ (more ? chr('┬') : chr('─')) + ' '
+ archy(node, prefix_, opts).slice(prefix.length + 2)
;
}).join('')
;
};
“archy”
• 700th most downloaded Node.js package
• Fits on a single slide, very focused
concern
• Easily tested, groked, documented,
shared
This modular pattern is The Node.js Way

JavaScript on the Server
• Eﬀectively bridge the server/browser divide
• JavaScript for approachability, productivity and
developer joy
• JavaScript is not going anywhere!

Asynchronous, Event-driven Programming
• Alternative programmer paradigm: Continuation
Passing Style
• API focus on callbacks, events and streams
• Perfect for I/O-driven, high-throughput workloads
• Single-threaded encourages scalable design patterns

// callbacks
fs.readFile('data.txt', 'utf8', countLines)
function countLines (err, data) {
let lines = data.split('n').length
console.log(`${lines} lines`)
})
// events
server.on('connection', onConnection)
function onConnection (stream) {
console.log('someone connected!')
})
Continuation passing 
“Do this when ready”
Thread doesn’t “block” while waiting on I/O

Node.js is great for:
• Resource orchestration applications
• Network & I/O-driven applications—the web!
Node.js is not so great for:
• CPU intensive workloads
• Systems programming

Common Node.js Patterns
&
Enterprise Best Practices
49

Emerging Use Cases
• "Front-end/back-end" Pattern
• Back-end Services and APIs
• Internal PaaS's
• Build Tools
• Cryptocurrencies and Blockchain
• Internet of Things

Runtime Best Practices
51

• Use LTS releases only, currently Node 8 (Carbon)
• Version must be at least last security release
• OpenSSL compiled in to binary (Use oﬀicial /
NodeSource builds)
• Use at least Small-ICU compiled into binary

• Avoid deprecated APIs
• Use --throw-deprecation
• Avoid experimental features
• Don’t use cluster and domain modules

• Do not use synchronous I/O methods
• Avoid fs and child_process sync methods
• crypto sync methods are OK
• Do not use private / internal core module methods

Security Best Practices
55

Security Best Practices
• Don’t use Buﬀer constructor
• Avoid new Buffer, use Buffer.alloc instead
• Zero-fill on all Buﬀer creation
• Avoid Buffer.allocUnsafe
• Use operating system provided CA certificates
• With --use-openssl-ca or SSL_CERT_DIR /
SSL_CERT_FILE environment variables

Enterprise Web Stack
57

Web Framework: Basics
• Recommended Framework: express
• Use NGINX / HAProxy as Reverse Proxy
• Use CDN or Reverse Proxy to serve static files, don’t
serve them from Node
• Use middleware recommended by express project
• https://expressjs.com/en/resources/middleware.html

Web Framework: Security
• Use TLS termination on NGINX or HAProxy
• Use helmet & csurf middleware
• Filter and sanitize user input
• Use current versions of dependencies, rely on tools like
nsp, snyk or N|Solid

Web Framework: Security
• Use safe-regex to avoid ReDoS
• Use express-session or cookie-session middleware
• Don’t use default secret keys for cookies and sessions
• Set httpOnly: true and secure: true
• Set domain and path as restrictive as possible
• Choose short expires dates

Web Framework: Performance
• Use gzip compression
• Don’t use Synchronous functions
• Don’t log to terminal when running on production
• Set NODE_ENV=production
• Cache request results via NGINX or Varnish
• Use a load balancer if a single instance can’t handle
traﬀic

Web Framework: Error Handling
• Use error handling middleware
• Don’t use domains
• Use try/catch in synchronous or async/await code
• Stop your server when handling a global
uncaughtException or unhandledRejection

Logging
• Recommended Library: winston
• Use a wrapper to configure logging by environment
and allow switching logging solutions if needed
• Integrate with express through morgan custom
handler
• Don’t let winston handle uncaughtExceptions

HTTP Client
• Recommended Library: request
• Use request for callback interface
• Use request-promise-native for Promises support

Other recommendations
• ORM’s can get you into trouble, think carefully when
using them, if needed we recommend: Sequelize
• Utility: lodash
• Testing: Mocha, Chai

Build Best Practices
66

Build Best Practices: Versioning
• Embrace SemVer for software versioning
• Prefer npm client over yarn
• Standardize .npmrc for all developers and projects
• Explicitly set private: true to avoid publishing
• Utilize npm outdated to show packages to update
• Don’t check node_modules into version control

Build Best Practices: Versioning
• Avoid using git dependencies
• Consider a private registry like npmE, Artifactory,
Sonatype Nexus or verdaccio/sinopia.
• Include package-lock.json or yarn.lock files in
version control
• Lockdown internal npm giving only CI/CD pipeline
publish access

Build Best Practices: Linting
• Use any ESLint based linter
• standard is recommended
• Define custom eslint rules to suit your needs

Build Best Practices: Testing
• Unit tests: mocha & chai
• Mocking: nock and proxyquire
• Server Testing: supertest
• Load Testing: k6, siege, locust, gor and JMeter
• Infrastructure: Chaos Monkey
• Test Coverage: nyc/istanbul
• Code Complexity: Plato

Techniques for Enterprise Node.js
71

Error handling
• Name your functions, makes debugging easier
• Avoid throw on asynchronous calls, use callback pattern
to bubble up errors back to caller

Performance
• Look for tasks that can be run in parallel
• Avoid CPU intensive tasks
• Use compression and caching
• Look for places where data can be treated as streams
• Understand V8 data types, garbage collection and when
code de-optimization occur (Last V8 TurboFan compiler
does a great job at optimizing JS code)

Scaling
• Horizontal Scaling preferred over Vertical
• Focus on keeping application stateless
• You can use JWT for stateless authentication and
session management
• Avoid cluster module or solutions like pm2
• Use NGINX / HAProxy load balancer instead

Flow Control
• Choose one: Don’t mix and match, if needed use
util.promisify or pify
• Callbacks
• Promises
• Async/Await (Recommended)

Flow Control
• Use proper error handling
• callbacks: err as first argument, always handle
• Promises: always use .catch
• async/await: always use try/catch

Flow Control
• Callbacks: use async.js library
• Promises: Promise.all / Promise.race
• async/await: Use JavaScript loops for serial execution,
for parallel there is no idiomatic way to do it so rely on
Promise.all / Promise.race

Authentication
• Use JSON Web Tokens for API access tokens
• express-session / cookie-session for session management
• Passport.js is a good option to consider as
authentication/authorization framework

Security
• A Node.js application rarely requires root access
• Do not bind on port 80 or 443 from Node.js
• Always check for vulnerable packages with nsp, snyk or
N|Solid
• Always use latest Node.js security release

Other recommendations
• Use CI/CD to run security checks, license compliance
and linting
• Consider Containerization: Docker
• Use native process monitoring tools (systemd, upstart)
• Debug with Chrome Developer tools using --inspect

Node.js Success Stories
81

Crypto as a Service (CaaS)
MasterCard has an internal CaaS oﬀering currently used by digital
payments platforms and is written in Node.js.
MasterCard has bet big on Node.js for their CaaS and is reaping
the benefits of Node’s scalable, non-blocking I/O model.

Internal Platform as a Service (PaaS)
Many oﬀ-the-shelf PaaS oﬀerings (e.g. Heroku) do not have an on-
premise version and for Fidelity, and many in the financial
services industry, a public PaaS is a non-starter for mission
critical applications.
Travell Perkins, CTO at Fidelity, bet on Node.js to build Mako, their
enterprise-grade PaaS to work within their DMZ. Mako is now the
key to Fidelity’s continuous deployment process to provide
customers with the best user experiences with Fidelity’s myriad
applications.

Redefining “Shipping Software”
PayPal had a successful product that users loved, but the user
interface was dated and took months to even years to release
changes to it.
The User Interface team began reworking frontend services as
independent Node.js apps allowing rapid iteration and
autonomy, thus enabling more extensive A/B testing and a
platform more readily able to address the evolving needs of the
digital payments market.

Happy Developers Thrive with Node.js
With over 5,000 developers and teams using Node in diﬀering
ways, Capital One has found a way to increase the productivity of
their developers thanks to a drop in context switching for their
front-end teams now writing Node.js services on the back end.
Capital One has three versions of the Enterprise API, mostly built
with Java. Front-end teams have been able to use Node.js as an
orchestration layer to make interfacing with the API more
convenient for front end developers.

So what is the most compelling
reason to adopt Node.js?

Agility.

C O N F I D E N T I A L
Thank you.
Julián Duque
julian@nodesource.com
@julian_duque

How to Enterprise Node

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Similar to How to Enterprise Node

Similar to How to Enterprise Node (20)

More from Julián David Duque

More from Julián David Duque (7)

Recently uploaded

Recently uploaded (20)

How to Enterprise Node