The latest articles on Forem by ThankGod Chibugwum Obobo (@actocodes). https://forem.com/actocodes https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3695202%2F9eabbead-6f92-4be9-9ca2-eb8ab9548c27.jpg https://forem.com/actocodes en ThankGod Chibugwum Obobo Sun, 12 Apr 2026 17:00:00 +0000 https://forem.com/actocodes/production-logging-best-practices-how-to-balance-observability-with-security-1jo9 https://forem.com/actocodes/production-logging-best-practices-how-to-balance-observability-with-security-1jo9 <p>Logging is the backbone of production observability. Without it, debugging a live incident is like navigating in the dark, you know something is wrong but have no way to trace why or where. Yet logging done carelessly introduces its own risks: sensitive user data written to disk, credentials captured in request logs, and compliance violations hiding in plain text files.</p> <p>The challenge every engineering team faces is not <em>whether</em> to log, but <em>what</em> to log, <em>how</em> to structure it, and <em>who</em> gets access to it.</p> <p>This guide covers production logging best practices that give your team the observability they need, without turning your log aggregator into a liability.</p> <h2> Why Logging Strategy Matters in Production </h2> <p>Poorly designed logging creates two equally dangerous failure modes:<br> <strong>Too little logging</strong> means you're flying blind during incidents. No request context, no error trail, no performance baseline. Mean time to resolution (MTTR) skyrockets because engineers spend hours reconstructing what happened.</p> <p><strong>Too much logging</strong> or logging the wrong things, creates serious security and compliance risks:</p> <ul> <li>Passwords captured in login request bodies</li> <li>Credit card numbers logged from payment payloads</li> <li>Session tokens recorded in access logs</li> <li>Personally Identifiable Information (PII) written to third-party log aggregators</li> <li>HIPAA or GDPR violations from retaining sensitive health or user data</li> </ul> <p>A mature logging strategy threads this needle deliberately, maximizing signal while minimizing exposure.</p> <h2> Log Levels: Using Them Correctly </h2> <p>Log levels are the first layer of control. Using them correctly keeps your logs actionable and your signal-to-noise ratio high.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Level</th> <th>When to Use</th> </tr> </thead> <tbody> <tr> <td><strong>ERROR</strong></td> <td>Unrecoverable failures that require immediate attention, exceptions, service crashes, failed critical operations</td> </tr> <tr> <td><strong>WARN</strong></td> <td>Recoverable issues that indicate something is wrong but hasn't broken yet, retry attempts, deprecated API usage, slow queries</td> </tr> <tr> <td><strong>INFO</strong></td> <td>Normal application lifecycle events, service startup, job completion, significant state transitions</td> </tr> <tr> <td><strong>DEBUG</strong></td> <td>Detailed diagnostic information useful during development and troubleshooting, never enabled in production by default</td> </tr> <tr> <td><strong>VERBOSE / TRACE</strong></td> <td>Highly granular execution flow, only for deep debugging in isolated environments</td> </tr> </tbody> </table></div> <p>A common mistake is logging everything at <code>INFO</code> or <code>ERROR</code>. This floods your aggregator with noise (making alerts meaningless) or misses important context entirely. Be deliberate: if a message doesn't require human attention, it doesn't belong at <code>ERROR</code>.</p> <h2> Structured Logging: JSON Over Plain Text </h2> <p>Plain text logs are human-readable but machine-hostile. Parsing <code>"[2025-04-06 10:23:11] ERROR: User not found for ID 42"</code> requires regex and breaks the moment the format changes.</p> <p><strong>Structured logging</strong> emits logs as JSON objects, making them directly queryable in any log aggregator (Datadog, ELK, Loki, CloudWatch):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"level"</span><span class="p">:</span><span class="w"> </span><span class="s2">"error"</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"User not found"</span><span class="p">,</span><span class="w"> </span><span class="nl">"context"</span><span class="p">:</span><span class="w"> </span><span class="s2">"UsersService"</span><span class="p">,</span><span class="w"> </span><span class="nl">"userId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"usr_8f3a2c"</span><span class="p">,</span><span class="w"> </span><span class="nl">"requestId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"req_9d1b4e"</span><span class="p">,</span><span class="w"> </span><span class="nl">"statusCode"</span><span class="p">:</span><span class="w"> </span><span class="mi">404</span><span class="p">,</span><span class="w"> </span><span class="nl">"timestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2025-04-06T10:23:11.412Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"environment"</span><span class="p">:</span><span class="w"> </span><span class="s2">"production"</span><span class="p">,</span><span class="w"> </span><span class="nl">"service"</span><span class="p">:</span><span class="w"> </span><span class="s2">"users-service"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Every field is indexable, filterable, and alertable. You can instantly query "all 404 errors in the users-service in the last hour" without parsing a single string.</p> <h3> Setting Up Structured Logging in NestJS with Pino </h3> <p><strong>Pino</strong> is the fastest structured logger for Node.js with native JSON output and minimal overhead:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>nestjs-pino pino-http pino-pretty </code></pre> </div> <p>Configure it in your <code>AppModule</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app.module.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">LoggerModule</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">nestjs-pino</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Module</span><span class="p">({</span> <span class="na">imports</span><span class="p">:</span> <span class="p">[</span> <span class="nx">LoggerModule</span><span class="p">.</span><span class="nf">forRoot</span><span class="p">({</span> <span class="na">pinoHttp</span><span class="p">:</span> <span class="p">{</span> <span class="na">level</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">LOG_LEVEL</span> <span class="o">??</span> <span class="dl">'</span><span class="s1">info</span><span class="dl">'</span><span class="p">,</span> <span class="na">transport</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">production</span><span class="dl">'</span> <span class="p">?</span> <span class="p">{</span> <span class="na">target</span><span class="p">:</span> <span class="dl">'</span><span class="s1">pino-pretty</span><span class="dl">'</span> <span class="p">}</span> <span class="c1">// human-readable in development</span> <span class="p">:</span> <span class="kc">undefined</span><span class="p">,</span> <span class="c1">// raw JSON in production</span> <span class="na">redact</span><span class="p">:</span> <span class="p">{</span> <span class="na">paths</span><span class="p">:</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">req.headers.authorization</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">req.headers.cookie</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">req.body.password</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">req.body.creditCard</span><span class="dl">'</span><span class="p">,</span> <span class="p">],</span> <span class="na">censor</span><span class="p">:</span> <span class="dl">'</span><span class="s1">[REDACTED]</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">}),</span> <span class="p">],</span> <span class="p">})</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">AppModule</span> <span class="p">{}</span> </code></pre> </div> <p>The <code>redact</code> configuration is critical, it automatically censors sensitive fields before they ever reach your log output. More on this in the next section.</p> <h2> Redacting Sensitive Data </h2> <p>Sensitive data leaking into logs is one of the most common and costly compliance failures. It often happens accidentally, a developer logs <code>req.body</code> for debugging and forgets to remove it before merging.</p> <h3> What to Always Redact </h3> <ul> <li> <strong>Authentication:</strong> passwords, tokens, API keys, session IDs, JWTs</li> <li> <strong>Payment data:</strong> credit card numbers, CVVs, bank account numbers</li> <li> <strong>PII:</strong> full names combined with identifiers, email addresses in certain contexts, phone numbers, dates of birth</li> <li> <strong>Health data:</strong> any field that could be classified as PHI under HIPAA</li> <li> <strong>Infrastructure secrets:</strong> database connection strings, internal IPs, service credentials</li> </ul> <h3> Redaction Strategies </h3> <p><strong>Field-level redaction</strong> (as shown with Pino's <code>redact</code> config) is the most reliable approach, it operates at the logger level before output, regardless of what gets passed in.</p> <p>For custom redaction logic, implement a sanitization utility:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/common/utils/sanitize-log.util.ts</span> <span class="kd">const</span> <span class="nx">SENSITIVE_KEYS</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Set</span><span class="p">([</span> <span class="dl">'</span><span class="s1">password</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">token</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">secret</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">authorization</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">creditCard</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ssn</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">apiKey</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">refreshToken</span><span class="dl">'</span><span class="p">,</span> <span class="p">]);</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">sanitizeForLog</span><span class="p">(</span><span class="nx">obj</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="nx">unknown</span><span class="o">&gt;</span><span class="p">):</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="nx">unknown</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">fromEntries</span><span class="p">(</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">entries</span><span class="p">(</span><span class="nx">obj</span><span class="p">).</span><span class="nf">map</span><span class="p">(([</span><span class="nx">key</span><span class="p">,</span> <span class="nx">value</span><span class="p">])</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="nx">key</span><span class="p">,</span> <span class="nx">SENSITIVE_KEYS</span><span class="p">.</span><span class="nf">has</span><span class="p">(</span><span class="nx">key</span><span class="p">.</span><span class="nf">toLowerCase</span><span class="p">())</span> <span class="p">?</span> <span class="dl">'</span><span class="s1">[REDACTED]</span><span class="dl">'</span> <span class="p">:</span> <span class="nx">value</span><span class="p">,</span> <span class="p">])</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Use this utility whenever logging request payloads or user-supplied data:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">this</span><span class="p">.</span><span class="nx">logger</span><span class="p">.</span><span class="nf">log</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">User registration attempt</span><span class="dl">'</span><span class="p">,</span> <span class="na">payload</span><span class="p">:</span> <span class="nf">sanitizeForLog</span><span class="p">(</span><span class="nx">dto</span><span class="p">),</span> <span class="p">});</span> </code></pre> </div> <h3> Never Log Full Request Bodies Indiscriminately </h3> <p>Logging <code>req.body</code> wholesale in a middleware is a common antipattern. Instead, log only specific, known-safe fields:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ Dangerous — logs everything including passwords</span> <span class="k">this</span><span class="p">.</span><span class="nx">logger</span><span class="p">.</span><span class="nf">log</span><span class="p">({</span> <span class="na">body</span><span class="p">:</span> <span class="nx">request</span><span class="p">.</span><span class="nx">body</span> <span class="p">});</span> <span class="c1">// ✅ Safe — log only what you explicitly need</span> <span class="k">this</span><span class="p">.</span><span class="nx">logger</span><span class="p">.</span><span class="nf">log</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Login attempt</span><span class="dl">'</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nx">request</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="c1">// safe — not a secret</span> <span class="na">ip</span><span class="p">:</span> <span class="nx">request</span><span class="p">.</span><span class="nx">ip</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <h2> Request Correlation with Trace IDs </h2> <p>In a distributed system, a single user action triggers calls across multiple services. Without a shared identifier, correlating logs across services is nearly impossible.</p> <p><strong>Request correlation IDs</strong> (also called trace IDs) solve this by attaching a unique identifier to every request at the entry point (API Gateway or first service), then propagating it through every downstream call via headers.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/common/middleware/correlation-id.middleware.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Injectable</span><span class="p">,</span> <span class="nx">NestMiddleware</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/common</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">Response</span><span class="p">,</span> <span class="nx">NextFunction</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">v4</span> <span class="k">as</span> <span class="nx">uuidv4</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">uuid</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Injectable</span><span class="p">()</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">CorrelationIdMiddleware</span> <span class="k">implements</span> <span class="nx">NestMiddleware</span> <span class="p">{</span> <span class="nf">use</span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">res</span><span class="p">:</span> <span class="nx">Response</span><span class="p">,</span> <span class="nx">next</span><span class="p">:</span> <span class="nx">NextFunction</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">correlationId</span> <span class="o">=</span> <span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">x-correlation-id</span><span class="dl">'</span><span class="p">]</span> <span class="k">as</span> <span class="kr">string</span><span class="p">)</span> <span class="o">??</span> <span class="nf">uuidv4</span><span class="p">();</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">x-correlation-id</span><span class="dl">'</span><span class="p">]</span> <span class="o">=</span> <span class="nx">correlationId</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">setHeader</span><span class="p">(</span><span class="dl">'</span><span class="s1">x-correlation-id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">correlationId</span><span class="p">);</span> <span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Include the <code>correlationId</code> in every log entry. When an incident occurs, you can filter your entire log aggregator by a single ID and see the complete request journey across every service, with timestamps, durations, and error context.</p> <h2> Log Retention and Access Control </h2> <p>Storing logs indefinitely is a compliance and cost problem. Define a <strong>retention policy</strong> that balances operational need with regulatory requirements:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Log Type</th> <th>Recommended Retention</th> </tr> </thead> <tbody> <tr> <td>Application errors</td> <td>90 days</td> </tr> <tr> <td>Access / audit logs</td> <td>1-7 years (varies by regulation)</td> </tr> <tr> <td>Debug logs</td> <td>7-14 days</td> </tr> <tr> <td>Security events</td> <td>1-2 years</td> </tr> </tbody> </table></div> <p>Beyond retention, control <strong>who can access logs</strong>:</p> <ul> <li>Logs containing any PII should be <strong>access-controlled</strong> - not every engineer needs to read production user data.</li> <li>Use <strong>role-based access</strong> in your log aggregator (Datadog, Splunk, ELK) to restrict sensitive log streams.</li> <li>Enable <strong>audit logging on your log aggregator itself</strong> - knowing who queried which logs is part of your compliance story.</li> <li>Consider <strong>log encryption at rest</strong> for any aggregator storing sensitive application data.</li> </ul> <h2> Alerting: Turning Logs Into Action </h2> <p>Logs without alerts are archives, not observability. Define alert rules on your log aggregator for conditions that require immediate human attention:</p> <ul> <li> <strong>Error rate spike:</strong> more than X <code>ERROR</code> level logs per minute</li> <li> <strong>Authentication failures:</strong> repeated 401s from the same IP (brute force indicator)</li> <li> <strong>Downstream service failures:</strong> sustained connection errors to a dependency</li> <li> <strong>Zero logs:</strong> a sudden absence of logs from a service may indicate it has crashed</li> </ul> <p>Keep alert thresholds tuned, too sensitive and engineers become desensitized to noise; too lenient and real incidents go undetected.</p> <h2> Logging Antipatterns to Avoid </h2> <p><strong>Logging in a tight loop:</strong> logging inside high-frequency loops or hot paths creates I/O pressure and can degrade application performance. Sample logs or aggregate counters instead.</p> <p><strong>Using console.log in production:</strong> <code>console.log</code> bypasses your structured logger, produces unstructured output, and cannot be controlled by log level configuration. Replace all instances with your logger before deploying.</p> <p><strong>Logging and rethrowing without context:</strong> catching an exception, logging it, and rethrowing it without adding context creates duplicate log entries with no additional signal. Add context or don't log, pick one.</p> <p><strong>Storing logs locally on application servers:</strong> local log files are lost when containers restart or servers are terminated. Always ship logs to an external aggregator in real time.</p> <h2> Recommended Tooling </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Category</th> <th>Tool</th> </tr> </thead> <tbody> <tr> <td>Logger (Node.js)</td> <td>Pino, Winston</td> </tr> <tr> <td>Log aggregation</td> <td>Datadog, ELK Stack, Grafana Loki</td> </tr> <tr> <td>Distributed tracing</td> <td>OpenTelemetry, Jaeger, Tempo</td> </tr> <tr> <td>Alerting</td> <td>PagerDuty, Grafana Alerting, Datadog Monitors</td> </tr> <tr> <td>Compliance scanning</td> <td>Nightfall, Presidio (PII detection in logs)</td> </tr> </tbody> </table></div> <h2> Conclusion </h2> <p>Production logging is not a feature you bolt on after launch, it's a foundational engineering practice that determines how quickly your team can detect, diagnose, and resolve incidents. Done well, it's invisible to users and invaluable to engineers. Done poorly, it's either useless noise or a ticking compliance time bomb.</p> <p>The formula is straightforward: <strong>use structured JSON logs, redact sensitive fields at the logger level, correlate requests with trace IDs, enforce retention policies, and alert on what matters.</strong> Everything else is tuning.</p> <p>Observability and security are not in conflict, with the right logging architecture, they reinforce each other.</p> <p><em>What log aggregator does your team use in production? Share your stack in the comments - we'd love to hear how different teams approach this.</em></p> observability sitereliabilityengineering softwareengineering logging ThankGod Chibugwum Obobo Sun, 05 Apr 2026 17:00:00 +0000 https://forem.com/actocodes/secure-error-handling-in-apis-how-to-implement-global-filters-and-prevent-sensitive-data-leaks-31ke https://forem.com/actocodes/secure-error-handling-in-apis-how-to-implement-global-filters-and-prevent-sensitive-data-leaks-31ke <p>Error handling is one of the most overlooked attack surfaces in API security. While developers focus on authentication, authorization, and input validation, a poorly configured error response can silently leak database schemas, internal file paths, stack traces, and environment details handing attackers a roadmap to your system.</p> <p>The solution is <strong>secure, centralized error handling</strong>, intercepting all exceptions at a global level, sanitizing what gets returned to the client, and ensuring that internal details stay internal.</p> <p>In this guide, you'll learn how to implement global exception filters in <strong>NestJS</strong>, design a secure error response schema, prevent sensitive data leaks, and structure error handling for both development and production environments.</p> <h2> Why API Error Responses Are a Security Risk </h2> <p>Consider this typical unhandled exception response from an Express or NestJS app in development mode:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"statusCode"</span><span class="p">:</span><span class="w"> </span><span class="mi">500</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"QueryFailedError: column </span><span class="se">\"</span><span class="s2">usr.emailAdress</span><span class="se">\"</span><span class="s2"> does not exist"</span><span class="p">,</span><span class="w"> </span><span class="nl">"stack"</span><span class="p">:</span><span class="w"> </span><span class="s2">"QueryFailedError: column </span><span class="se">\"</span><span class="s2">usr.emailAdress</span><span class="se">\"</span><span class="s2"> does not exist</span><span class="se">\n</span><span class="s2"> at PostgresQueryRunner (/app/node_modules/typeorm/src/...)</span><span class="se">\n</span><span class="s2"> at /app/src/users/users.service.ts:42:18"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This single response reveals:</p> <ul> <li>The <strong>database engine</strong> (PostgreSQL via TypeORM)</li> <li>The <strong>exact column name</strong> that failed, confirming your schema structure</li> <li>The <strong>internal file path</strong> of your application</li> <li>The <strong>ORM library</strong> and version in use</li> <li>The <strong>service layer architecture</strong> of your backend</li> </ul> <p>This type of information disclosure is classified under <strong>OWASP API Security Top 10 - API3: Excessive Data Exposure</strong> and is trivially exploitable by anyone probing your API.</p> <h2> The Secure Error Response Standard </h2> <p>Before writing any code, define what a safe error response looks like. A production API error should expose only:</p> <ul> <li>A <strong>generic status code</strong> (HTTP standard)</li> <li>A <strong>user-friendly message</strong> that reveals nothing about internals</li> <li>A <strong>unique error ID</strong> for traceability in logs (without exposing logs to the client)</li> <li>Optionally, a <strong>machine-readable error code</strong> for client-side handling </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"statusCode"</span><span class="p">:</span><span class="w"> </span><span class="mi">500</span><span class="p">,</span><span class="w"> </span><span class="nl">"errorCode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"INTERNAL_SERVER_ERROR"</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"An unexpected error occurred. Please try again later."</span><span class="p">,</span><span class="w"> </span><span class="nl">"errorId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"a3f92c1d-8e44-4b2e-9f3a-1c7d5b2e4a8f"</span><span class="p">,</span><span class="w"> </span><span class="nl">"timestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2025-04-04T10:23:45.123Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/api/users"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The <code>errorId</code> is critical, it allows your support team to correlate the client-facing error to a detailed internal log entry, without ever exposing that detail publicly.</p> <h2> Implementing a Global Exception Filter in NestJS </h2> <p>NestJS provides a built-in exception filter system. By default, it catches <code>HttpException</code> instances and returns structured responses, but unhandled errors (database failures, third-party timeouts, unexpected nulls) fall through as raw 500 responses.</p> <p>A <strong>global exception filter</strong> intercepts every thrown exception, handled or not, and applies consistent, secure formatting.</p> <h3> Step 1: Create the Global Exception Filter </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/common/filters/global-exception.filter.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ExceptionFilter</span><span class="p">,</span> <span class="nx">Catch</span><span class="p">,</span> <span class="nx">ArgumentsHost</span><span class="p">,</span> <span class="nx">HttpException</span><span class="p">,</span> <span class="nx">HttpStatus</span><span class="p">,</span> <span class="nx">Logger</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/common</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">Response</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">v4</span> <span class="k">as</span> <span class="nx">uuidv4</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">uuid</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Catch</span><span class="p">()</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">GlobalExceptionFilter</span> <span class="k">implements</span> <span class="nx">ExceptionFilter</span> <span class="p">{</span> <span class="k">private</span> <span class="k">readonly</span> <span class="nx">logger</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Logger</span><span class="p">(</span><span class="nx">GlobalExceptionFilter</span><span class="p">.</span><span class="nx">name</span><span class="p">);</span> <span class="k">catch</span><span class="p">(</span><span class="nx">exception</span><span class="p">:</span> <span class="nx">unknown</span><span class="p">,</span> <span class="nx">host</span><span class="p">:</span> <span class="nx">ArgumentsHost</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">ctx</span> <span class="o">=</span> <span class="nx">host</span><span class="p">.</span><span class="nf">switchToHttp</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">getResponse</span><span class="o">&lt;</span><span class="nx">Response</span><span class="o">&gt;</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">request</span> <span class="o">=</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">getRequest</span><span class="o">&lt;</span><span class="nx">Request</span><span class="o">&gt;</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">errorId</span> <span class="o">=</span> <span class="nf">uuidv4</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">timestamp</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">path</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">statusCode</span> <span class="o">=</span> <span class="nx">HttpStatus</span><span class="p">.</span><span class="nx">INTERNAL_SERVER_ERROR</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">message</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">An unexpected error occurred. Please try again later.</span><span class="dl">'</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">errorCode</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">INTERNAL_SERVER_ERROR</span><span class="dl">'</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">exception</span> <span class="k">instanceof</span> <span class="nx">HttpException</span><span class="p">)</span> <span class="p">{</span> <span class="nx">statusCode</span> <span class="o">=</span> <span class="nx">exception</span><span class="p">.</span><span class="nf">getStatus</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">exceptionResponse</span> <span class="o">=</span> <span class="nx">exception</span><span class="p">.</span><span class="nf">getResponse</span><span class="p">();</span> <span class="c1">// Use the HttpException message but sanitize it</span> <span class="nx">message</span> <span class="o">=</span> <span class="k">typeof</span> <span class="nx">exceptionResponse</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span> <span class="p">?</span> <span class="nx">exceptionResponse</span> <span class="p">:</span> <span class="p">(</span><span class="nx">exceptionResponse</span> <span class="k">as</span> <span class="kr">any</span><span class="p">).</span><span class="nx">message</span> <span class="o">||</span> <span class="nx">message</span><span class="p">;</span> <span class="nx">errorCode</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nf">resolveErrorCode</span><span class="p">(</span><span class="nx">statusCode</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Log the full error internally - never send this to the client</span> <span class="k">this</span><span class="p">.</span><span class="nx">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">({</span> <span class="nx">errorId</span><span class="p">,</span> <span class="nx">statusCode</span><span class="p">,</span> <span class="nx">path</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="nx">exception</span> <span class="k">instanceof</span> <span class="nb">Error</span> <span class="p">?</span> <span class="nx">exception</span><span class="p">.</span><span class="nx">message</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">Unknown error</span><span class="dl">'</span><span class="p">,</span> <span class="na">stack</span><span class="p">:</span> <span class="nx">exception</span> <span class="k">instanceof</span> <span class="nb">Error</span> <span class="p">?</span> <span class="nx">exception</span><span class="p">.</span><span class="nx">stack</span> <span class="p">:</span> <span class="kc">undefined</span><span class="p">,</span> <span class="nx">timestamp</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Send the sanitized response to the client</span> <span class="nx">response</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="nx">statusCode</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="nx">statusCode</span><span class="p">,</span> <span class="nx">errorCode</span><span class="p">,</span> <span class="nx">message</span><span class="p">,</span> <span class="nx">errorId</span><span class="p">,</span> <span class="nx">timestamp</span><span class="p">,</span> <span class="nx">path</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="k">private</span> <span class="nf">resolveErrorCode</span><span class="p">(</span><span class="nx">statusCode</span><span class="p">:</span> <span class="kr">number</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">codes</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">number</span><span class="p">,</span> <span class="kr">string</span><span class="o">&gt;</span> <span class="o">=</span> <span class="p">{</span> <span class="mi">400</span><span class="p">:</span> <span class="dl">'</span><span class="s1">BAD_REQUEST</span><span class="dl">'</span><span class="p">,</span> <span class="mi">401</span><span class="p">:</span> <span class="dl">'</span><span class="s1">UNAUTHORIZED</span><span class="dl">'</span><span class="p">,</span> <span class="mi">403</span><span class="p">:</span> <span class="dl">'</span><span class="s1">FORBIDDEN</span><span class="dl">'</span><span class="p">,</span> <span class="mi">404</span><span class="p">:</span> <span class="dl">'</span><span class="s1">NOT_FOUND</span><span class="dl">'</span><span class="p">,</span> <span class="mi">409</span><span class="p">:</span> <span class="dl">'</span><span class="s1">CONFLICT</span><span class="dl">'</span><span class="p">,</span> <span class="mi">422</span><span class="p">:</span> <span class="dl">'</span><span class="s1">UNPROCESSABLE_ENTITY</span><span class="dl">'</span><span class="p">,</span> <span class="mi">429</span><span class="p">:</span> <span class="dl">'</span><span class="s1">TOO_MANY_REQUESTS</span><span class="dl">'</span><span class="p">,</span> <span class="mi">500</span><span class="p">:</span> <span class="dl">'</span><span class="s1">INTERNAL_SERVER_ERROR</span><span class="dl">'</span><span class="p">,</span> <span class="p">};</span> <span class="k">return</span> <span class="nx">codes</span><span class="p">[</span><span class="nx">statusCode</span><span class="p">]</span> <span class="o">??</span> <span class="dl">'</span><span class="s1">INTERNAL_SERVER_ERROR</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Step 2 - Register the Filter Globally </h3> <p>Apply the filter at the application level so it catches exceptions from every controller, service, and middleware:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/main.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NestFactory</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/core</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AppModule</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./app.module</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">GlobalExceptionFilter</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./common/filters/global-exception.filter</span><span class="dl">'</span><span class="p">;</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">bootstrap</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">NestFactory</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span><span class="nx">AppModule</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">useGlobalFilters</span><span class="p">(</span><span class="k">new</span> <span class="nc">GlobalExceptionFilter</span><span class="p">());</span> <span class="k">await</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="mi">3000</span><span class="p">);</span> <span class="p">}</span> <span class="nf">bootstrap</span><span class="p">();</span> </code></pre> </div> <p>Registering via <code>useGlobalFilters()</code> ensures the filter runs outside the dependency injection scope, catching even bootstrap-level errors.</p> <h2> Handling Validation Errors Securely </h2> <p>NestJS's <code>ValidationPipe</code> throws <code>BadRequestException</code> with a detailed array of validation failures. These are safe to return, they contain field-level feedback with no internal details. Ensure your filter preserves this structure for 400 errors:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// In GlobalExceptionFilter - extend the HttpException branch</span> <span class="k">if </span><span class="p">(</span><span class="nx">exception</span> <span class="k">instanceof</span> <span class="nx">HttpException</span><span class="p">)</span> <span class="p">{</span> <span class="nx">statusCode</span> <span class="o">=</span> <span class="nx">exception</span><span class="p">.</span><span class="nf">getStatus</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">exceptionResponse</span> <span class="o">=</span> <span class="nx">exception</span><span class="p">.</span><span class="nf">getResponse</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="nx">statusCode</span> <span class="o">===</span> <span class="mi">400</span> <span class="o">&amp;&amp;</span> <span class="k">typeof</span> <span class="nx">exceptionResponse</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">object</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Preserve validation error details for client-side form handling</span> <span class="k">return</span> <span class="nx">response</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="nx">statusCode</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="nx">statusCode</span><span class="p">,</span> <span class="na">errorCode</span><span class="p">:</span> <span class="dl">'</span><span class="s1">VALIDATION_ERROR</span><span class="dl">'</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Request validation failed.</span><span class="dl">'</span><span class="p">,</span> <span class="na">errors</span><span class="p">:</span> <span class="p">(</span><span class="nx">exceptionResponse</span> <span class="k">as</span> <span class="kr">any</span><span class="p">).</span><span class="nx">message</span><span class="p">,</span> <span class="c1">// array of field errors</span> <span class="nx">errorId</span><span class="p">,</span> <span class="nx">timestamp</span><span class="p">,</span> <span class="nx">path</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This gives clients enough information to display helpful form errors, without leaking anything about internals.</p> <h2> Environment-Aware Error Detail </h2> <p>During local development, stack traces are invaluable. In production, they're a liability. Use an environment flag to control detail level:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">isDevelopment</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">development</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// In the catch method — add debug info only in development</span> <span class="nx">response</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="nx">statusCode</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="nx">statusCode</span><span class="p">,</span> <span class="nx">errorCode</span><span class="p">,</span> <span class="nx">message</span><span class="p">,</span> <span class="nx">errorId</span><span class="p">,</span> <span class="nx">timestamp</span><span class="p">,</span> <span class="nx">path</span><span class="p">,</span> <span class="p">...(</span><span class="nx">isDevelopment</span> <span class="o">&amp;&amp;</span> <span class="p">{</span> <span class="na">debug</span><span class="p">:</span> <span class="p">{</span> <span class="na">originalMessage</span><span class="p">:</span> <span class="nx">exception</span> <span class="k">instanceof</span> <span class="nb">Error</span> <span class="p">?</span> <span class="nx">exception</span><span class="p">.</span><span class="nx">message</span> <span class="p">:</span> <span class="kc">null</span><span class="p">,</span> <span class="na">stack</span><span class="p">:</span> <span class="nx">exception</span> <span class="k">instanceof</span> <span class="nb">Error</span> <span class="p">?</span> <span class="nx">exception</span><span class="p">.</span><span class="nx">stack</span> <span class="p">:</span> <span class="kc">null</span><span class="p">,</span> <span class="p">},</span> <span class="p">}),</span> <span class="p">});</span> </code></pre> </div> <p>This pattern ensures developers get rich error context locally, while production clients always receive the sanitized version.</p> <h2> Preventing Information Leaks Beyond the Filter </h2> <p>The global filter handles runtime exceptions, but sensitive data can leak through other vectors too. Address these proactively:</p> <h3> Disable the X-Powered-By Header </h3> <p>By default, Express advertises the framework in response headers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">NestFactory</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span><span class="nx">AppModule</span><span class="p">,</span> <span class="p">{</span> <span class="na">rawBody</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">getHttpAdapter</span><span class="p">().</span><span class="nf">getInstance</span><span class="p">().</span><span class="nf">disable</span><span class="p">(</span><span class="dl">'</span><span class="s1">x-powered-by</span><span class="dl">'</span><span class="p">);</span> </code></pre> </div> <h3> Sanitize Database Error Messages </h3> <p>ORM errors (TypeORM, Prisma) contain raw SQL and schema details. Never let them propagate as <code>HttpException</code> messages. Catch them at the service layer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="nf">findUser</span><span class="p">(</span><span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="k">return</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">usersRepository</span><span class="p">.</span><span class="nf">findOneOrFail</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="nx">id</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Log the ORM error internally, throw a clean HttpException</span> <span class="k">this</span><span class="p">.</span><span class="nx">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Database error in findUser</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">NotFoundException</span><span class="p">(</span><span class="dl">'</span><span class="s1">User not found.</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Avoid Reflecting User Input in Error Messages </h3> <p>Never echo back user-supplied values in error messages, this can enable reflected XSS or information probing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Unsafe — reflects user input</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">BadRequestException</span><span class="p">(</span><span class="s2">`User with email </span><span class="p">${</span><span class="nx">dto</span><span class="p">.</span><span class="nx">email</span><span class="p">}</span><span class="s2"> already exists`</span><span class="p">);</span> <span class="c1">// Safe — generic message</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">ConflictException</span><span class="p">(</span><span class="dl">'</span><span class="s1">An account with this email already exists.</span><span class="dl">'</span><span class="p">);</span> </code></pre> </div> <h2> Structured Logging for Traceability </h2> <p>The <code>errorId</code> in your response is only useful if your logging system captures it with full context. Use a structured logger like <strong>Winston</strong> or <strong>Pino</strong> to ensure every log entry is queryable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">this</span><span class="p">.</span><span class="nx">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">({</span> <span class="nx">errorId</span><span class="p">,</span> <span class="c1">// correlates to client-facing error</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">request</span><span class="p">.</span><span class="nx">user</span><span class="p">?.</span><span class="nx">id</span><span class="p">,</span> <span class="na">method</span><span class="p">:</span> <span class="nx">request</span><span class="p">.</span><span class="nx">method</span><span class="p">,</span> <span class="na">path</span><span class="p">:</span> <span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">,</span> <span class="nx">statusCode</span><span class="p">,</span> <span class="na">exceptionType</span><span class="p">:</span> <span class="nx">exception</span><span class="p">?.</span><span class="kd">constructor</span><span class="p">?.</span><span class="nx">name</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="nx">exception</span> <span class="k">instanceof</span> <span class="nb">Error</span> <span class="p">?</span> <span class="nx">exception</span><span class="p">.</span><span class="nx">message</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">Unknown</span><span class="dl">'</span><span class="p">,</span> <span class="na">stack</span><span class="p">:</span> <span class="nx">exception</span> <span class="k">instanceof</span> <span class="nb">Error</span> <span class="p">?</span> <span class="nx">exception</span><span class="p">.</span><span class="nx">stack</span> <span class="p">:</span> <span class="kc">undefined</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>With this structure, when a user reports an issue with their <code>errorId</code>, your team can instantly pull the full context from your log aggregator (Datadog, ELK, CloudWatch), without ever having exposed that detail publicly.</p> <h2> Security Checklist </h2> <p>Before shipping your error handling to production, verify the following:</p> <ul> <li>Stack traces never appear in API responses</li> <li>Database error messages are caught and replaced at the service layer</li> <li>ORM or driver names are not present in any response body or header</li> <li> <code>X-Powered-By</code> header is disabled</li> <li>Validation errors return field names but never internal paths or schema details</li> <li>Every unhandled exception generates a unique <code>errorId</code> and is logged with full context</li> <li> <code>NODE_ENV</code> controls debug detail visibility</li> <li>User input is never reflected verbatim in error messages</li> </ul> <h2> Conclusion </h2> <p>Secure error handling is not just about user experience, it's a critical layer of your API's defense-in-depth strategy. A single unhandled exception that leaks a stack trace can give an attacker everything they need to probe your system further.</p> <p>By implementing a <strong>global exception filter</strong> in NestJS, you establish a single, auditable point of control over every error your API emits. Pair it with environment-aware detail levels, structured logging, and service-layer ORM sanitization, and you've closed one of the most commonly overlooked API security gaps.</p> <p>The rule is simple: <strong>log everything internally, expose nothing externally.</strong></p> apisecurity errors softwareengineering backenddevelopment ThankGod Chibugwum Obobo Sun, 29 Mar 2026 17:00:00 +0000 https://forem.com/actocodes/shift-left-testing-how-to-automate-qaqc-pipelines-with-sonarqube-and-github-actions-2kln https://forem.com/actocodes/shift-left-testing-how-to-automate-qaqc-pipelines-with-sonarqube-and-github-actions-2kln <p>Finding a bug in production costs significantly more to fix than catching it during development. This is the core argument behind <strong>shift-left testing</strong>, the practice of moving quality checks earlier in the software development lifecycle, closer to where code is written rather than where it is deployed.</p> <p>With <strong>SonarQube</strong> for static code analysis and <strong>GitHub Actions</strong> for CI/CD automation, teams can enforce code quality, detect security vulnerabilities, and measure test coverage on every single pull request, automatically, and before a single line merges to main.</p> <p>This guide walks you through setting up a fully automated QA/QC pipeline from scratch, including SonarQube configuration, GitHub Actions integration, quality gate enforcement, and practical tips for rolling it out to your team.</p> <h2> What Is Shift-Left Testing? </h2> <p><strong>Shift-left</strong> refers to moving testing and quality assurance activities to the left side of the development timeline, earlier in the process. Instead of QA happening after development is complete, it becomes a continuous activity embedded into every step of the workflow.</p> <p>In practice, shift-left means:</p> <ul> <li>Running <strong>static analysis</strong> on every commit.</li> <li>Enforcing <strong>code coverage thresholds</strong> in CI before merging.</li> <li>Scanning for <strong>security vulnerabilities</strong> at the PR level, not post-deployment.</li> <li>Providing <strong>instant feedback</strong> to developers in their existing workflow (GitHub PRs).</li> </ul> <p>The result is shorter feedback loops, fewer regressions, and significantly reduced cost of quality.</p> <h2> Why SonarQube? </h2> <p><strong>SonarQube</strong> is one of the most widely adopted static analysis platforms in the industry. It supports 30+ programming languages and provides deep analysis across four dimensions:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Dimension</th> <th>What It Checks</th> </tr> </thead> <tbody> <tr> <td><strong>Bugs</strong></td> <td>Logic errors and runtime issues</td> </tr> <tr> <td><strong>Vulnerabilities</strong></td> <td>Security weaknesses (OWASP Top 10)</td> </tr> <tr> <td><strong>Code Smells</strong></td> <td>Maintainability issues and technical debt</td> </tr> <tr> <td><strong>Coverage</strong></td> <td>Unit test coverage percentage</td> </tr> </tbody> </table></div> <p>SonarQube is available as a <strong>self-hosted</strong> open-source Community Edition or as <strong>SonarCloud</strong>, a fully managed SaaS version ideal for teams who don't want to manage infrastructure.</p> <p>For this guide, we'll use <strong>SonarCloud</strong>, it integrates natively with GitHub and requires no server setup.</p> <h2> Step 1 - Set Up SonarCloud </h2> <ol> <li>Go to <a href="https://sonarcloud.io" rel="noopener noreferrer">sonarcloud.io</a> and sign in with your GitHub account.</li> <li>Create a new <strong>Organization</strong> linked to your GitHub organization or personal account.</li> <li>Import the repository you want to analyze.</li> <li>SonarCloud will generate a <strong>Project Key</strong> and <strong>Organization Key</strong>, save these for later.</li> <li>Generate a <strong>SonarCloud Token</strong> from your account security settings.</li> </ol> <p>Store the token as a GitHub Actions secret:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GitHub Repo → Settings → Secrets and Variables → Actions → New Repository Secret Name: SONAR_TOKEN Value: &lt;your-sonarcloud-token&gt; </code></pre> </div> <h2> Step 2 - Add a SonarCloud Configuration File </h2> <p>Create a <code>sonar-project.properties</code> file in your repository root. This tells SonarCloud where to find your source code, tests, and coverage reports:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="c"># sonar-project.properties </span><span class="py">sonar.projectKey</span><span class="p">=</span><span class="s">your_org_your_project</span> <span class="py">sonar.organization</span><span class="p">=</span><span class="s">your-sonarcloud-org</span> <span class="py">sonar.projectName</span><span class="p">=</span><span class="s">Your Project Name</span> <span class="py">sonar.projectVersion</span><span class="p">=</span><span class="s">1.0</span> <span class="c"># Source and test directories </span><span class="py">sonar.sources</span><span class="p">=</span><span class="s">src</span> <span class="py">sonar.tests</span><span class="p">=</span><span class="s">src</span> <span class="py">sonar.test.inclusions</span><span class="p">=</span><span class="s">**/*.spec.ts,**/*.test.ts</span> <span class="c"># Coverage report path (generated by your test runner) </span><span class="py">sonar.javascript.lcov.reportPaths</span><span class="p">=</span><span class="s">coverage/lcov.info</span> <span class="c"># Exclusions </span><span class="py">sonar.exclusions</span><span class="p">=</span><span class="s">**/node_modules/**,**/dist/**,**/*.spec.ts</span> </code></pre> </div> <p>Adjust paths to match your project structure. For Java projects, replace the JavaScript-specific properties with the appropriate <code>sonar.java.*</code> equivalents.</p> <h2> Step 3 - Configure Your Test Runner for Coverage </h2> <p>SonarQube needs a coverage report to measure how much of your code is tested. For a <strong>Node.js/TypeScript</strong> project using Jest, configure coverage output in <code>jest.config.ts</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// jest.config.ts</span> <span class="k">export</span> <span class="k">default</span> <span class="p">{</span> <span class="na">preset</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ts-jest</span><span class="dl">'</span><span class="p">,</span> <span class="na">testEnvironment</span><span class="p">:</span> <span class="dl">'</span><span class="s1">node</span><span class="dl">'</span><span class="p">,</span> <span class="na">collectCoverage</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">coverageDirectory</span><span class="p">:</span> <span class="dl">'</span><span class="s1">coverage</span><span class="dl">'</span><span class="p">,</span> <span class="na">coverageReporters</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">lcov</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">text</span><span class="dl">'</span><span class="p">],</span> <span class="na">collectCoverageFrom</span><span class="p">:</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">src/**/*.ts</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">!src/**/*.spec.ts</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">!src/main.ts</span><span class="dl">'</span><span class="p">,</span> <span class="p">],</span> <span class="p">};</span> </code></pre> </div> <p>Running <code>jest</code> will now generate a <code>coverage/lcov.info</code> file, the format SonarCloud expects.</p> <h2> Step 4 - Create the GitHub Actions Workflow </h2> <p>Now wire everything together in a GitHub Actions workflow. This pipeline runs on every pull request and push to <code>main</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/quality.yml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Code Quality &amp; Security</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">,</span> <span class="nv">develop</span><span class="pi">]</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">,</span> <span class="nv">develop</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">sonarcloud</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">SonarCloud Analysis</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">fetch-depth</span><span class="pi">:</span> <span class="m">0</span> <span class="c1"># Required for SonarCloud blame data</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set up Node.js</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">20'</span> <span class="na">cache</span><span class="pi">:</span> <span class="s1">'</span><span class="s">npm'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install dependencies</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run tests with coverage</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm test -- --coverage</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">SonarCloud Scan</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">SonarSource/sonarcloud-github-action@master</span> <span class="na">env</span><span class="pi">:</span> <span class="na">GITHUB_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_TOKEN }}</span> <span class="na">SONAR_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.SONAR_TOKEN }}</span> </code></pre> </div> <p>The <code>fetch-depth: 0</code> is critical, it fetches full Git history so SonarCloud can accurately attribute code changes to authors and compute new vs overall code metrics.</p> <h2> Step 5 - Enforce Quality Gates </h2> <p>A <strong>Quality Gate</strong> is a set of conditions that must pass before code is considered releasable. SonarCloud ships with a default "Sonar Way" quality gate that checks:</p> <ul> <li>Coverage on new code ≥ 80%</li> <li>Duplicated lines on new code ≤ 3%</li> <li>Maintainability rating on new code = A</li> <li>Reliability rating on new code = A</li> <li>Security rating on new code = A</li> </ul> <p>When a pull request fails a quality gate, SonarCloud posts a comment directly on the PR and marks the check as failed, blocking the merge if branch protection rules are configured.</p> <p>To enforce this, enable <strong>branch protection</strong> on your main branch:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GitHub Repo → Settings → Branches → Add Rule ✅ Require status checks to pass before merging ✅ Select: SonarCloud Code Analysis </code></pre> </div> <p>Now no PR can merge to <code>main</code> without passing the quality gate.</p> <h3> Customizing Quality Gates </h3> <p>For mature codebases, you may want stricter thresholds. In SonarCloud, navigate to your organization's <strong>Quality Gates</strong> section and create a custom gate:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>New Code Coverage ≥ 85% New Blocker Issues = 0 New Critical Issues = 0 New Security Hotspots = 0 </code></pre> </div> <p>Tune these thresholds progressively, start lenient and tighten as your team addresses existing debt.</p> <h2> Step 6 - Viewing Results in Pull Requests </h2> <p>Once the workflow is active, every PR gets automated feedback directly in GitHub:</p> <ul> <li>A <strong>SonarCloud check</strong> appears in the PR status checks, pass or fail.</li> <li>An inline <strong>PR comment</strong> summarizes new issues, coverage delta, and quality gate status.</li> <li>Developers can click through to the <strong>SonarCloud dashboard</strong> for detailed findings, including the exact line, severity, and remediation guidance for every issue.</li> </ul> <p>This tight GitHub integration is what makes shift-left practical, developers get quality feedback in the same place they're already reviewing code, with no context switching required.</p> <h2> Going Further: Adding ESLint and Prettier to the Pipeline </h2> <p>SonarQube handles deep static analysis, but pairing it with <strong>ESLint</strong> (style and logic rules) and <strong>Prettier</strong> (formatting) gives you a complete quality layer. Add them as a separate job in the same workflow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">lint</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Lint &amp; Format Check</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">20'</span> <span class="na">cache</span><span class="pi">:</span> <span class="s1">'</span><span class="s">npm'</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm run lint</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm run format:check</span> </code></pre> </div> <p>With all three tools running in parallel, ESLint, Prettier, and SonarCloud, your CI pipeline covers style, logic, security, and coverage in a single unified workflow.</p> <h2> SonarQube for IDE: Catch Issues Before You Commit </h2> <p>Waiting for a CI pipeline to flag a quality issue still means a context switch, you push code, trigger a workflow, and then come back to fix a problem you'd already moved past. <strong>SonarQube for IDE</strong> (formerly SonarLint) closes that gap by bringing the same analysis engine directly into your editor, giving you real-time feedback as you type.</p> <h3> What It Does </h3> <p>SonarQube for IDE runs locally and surfaces bugs, vulnerabilities, and code smells inline, the same rules that SonarCloud applies in CI, but without leaving your editor. Issues appear as squiggly underlines with descriptions and remediation guidance, similar to how a compiler highlights syntax errors.</p> <p>Key features:</p> <ul> <li> <strong>Real-time analysis</strong> on the file you're editing, with no manual trigger required.</li> <li> <strong>Consistent rules</strong>, when connected to your SonarCloud project, it syncs your team's active quality profile so everyone is checking against the same ruleset.</li> <li> <strong>Detailed explanations</strong>, each issue includes why it's a problem, the risk it poses, and how to fix it, directly in the IDE panel.</li> <li> <strong>Security hotspot detection</strong>, flags sensitive code paths (e.g., hardcoded credentials, unsanitized inputs) at the point of authoring.</li> </ul> <h3> Supported IDEs </h3> <p>SonarQube for IDE is available as a plugin for:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>IDE</th> <th>Plugin Name</th> </tr> </thead> <tbody> <tr> <td><strong>VS Code</strong></td> <td>SonarQube for IDE (VS Code Marketplace)</td> </tr> <tr> <td><strong>IntelliJ IDEA / WebStorm / PyCharm</strong></td> <td>SonarQube for IDE (JetBrains Marketplace)</td> </tr> <tr> <td><strong>Eclipse</strong></td> <td>SonarLint (Eclipse Marketplace)</td> </tr> </tbody> </table></div> <h3> Installation (VS Code) </h3> <ol> <li>Open the <strong>Extensions</strong> panel (<code>Ctrl+Shift+X</code> / <code>Cmd+Shift+X</code>).</li> <li>Search for <strong>SonarQube for IDE</strong> and install it.</li> <li>Reload VS Code, analysis starts immediately with default rules.</li> </ol> <h3> Connected Mode: Sync with SonarCloud </h3> <p>By default, the plugin uses a standard set of built-in rules. For team consistency, enable <strong>Connected Mode</strong> to bind it to your SonarCloud project:</p> <ol> <li>Open the Command Palette (<code>Ctrl+Shift+P</code>) and run <strong>SonarQube: Connect to SonarQube Cloud</strong>.</li> <li>Authenticate with your SonarCloud token.</li> <li>Select your <strong>Organization</strong> and <strong>Project Key</strong>.</li> </ol> <p>Once connected, the IDE enforces the same quality profile and suppression decisions as your CI pipeline. Issues that your team has marked <em>Won't Fix</em> in SonarCloud won't appear in your editor either, reducing noise and keeping the signal relevant.</p> <h3> How It Complements the CI Pipeline </h3> <p>SonarQube for IDE and SonarCloud are not redundant, they operate at different points in the workflow and catch different things:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th>SonarQube for IDE</th> <th>SonarCloud (CI)</th> </tr> </thead> <tbody> <tr> <td><strong>When</strong></td> <td>While typing</td> <td>On push / PR</td> </tr> <tr> <td><strong>Scope</strong></td> <td>Current file</td> <td>Full codebase</td> </tr> <tr> <td><strong>Coverage analysis</strong></td> <td>No</td> <td>Yes</td> </tr> <tr> <td><strong>New vs. overall code</strong></td> <td>No</td> <td>Yes</td> </tr> <tr> <td><strong>Blocks merge</strong></td> <td>No</td> <td>Yes (Quality Gate)</td> </tr> <tr> <td><strong>Best for</strong></td> <td>Preventing issues</td> <td>Enforcing standards</td> </tr> </tbody> </table></div> <p>Think of the IDE plugin as your first line of defense and SonarCloud as the safety net. Most issues should be caught and fixed before a commit is ever pushed, with the CI pipeline acting as a final, authoritative check for the whole team.</p> <h2> Common Pitfalls to Avoid </h2> <p><strong>Ignoring the quality gate on legacy code:</strong> SonarCloud's default quality gate focuses on <em>new code</em>, not the overall codebase. This makes adoption practical: you're held accountable only for what you write going forward, not the full history of technical debt.</p> <p><strong>Skipping <code>fetch-depth: 0</code>:</strong> Without full Git history, SonarCloud cannot compute new vs. existing issues accurately. Always set this in your checkout step.</p> <p><strong>Setting coverage thresholds too high too soon:</strong> A 90% coverage requirement on day one will block every PR. Start at 60–70%, fix the gaps, then raise the bar incrementally.</p> <p><strong>Treating all issues as equal:</strong> Prioritize <strong>Blocker</strong> and <strong>Critical</strong> severity issues for immediate action. <strong>Major</strong> and <strong>Minor</strong> issues can be tracked as technical debt and addressed in dedicated cleanup sprints.</p> <h2> Conclusion </h2> <p>Shifting left is not just about adding tools to a pipeline, it's a cultural shift toward shared ownership of quality. By integrating <strong>SonarQube (SonarCloud)</strong> and <strong>GitHub Actions</strong>, you make code quality a first-class citizen of your development workflow: automated, visible, and enforced before any code reaches production.</p> <p>Start with the basic setup, enforce quality gates on new code, and iterate on your thresholds as your team builds the habit. The earlier you catch issues, the cheaper and faster they are to fix, and the more confidence your team has in every release.</p> <p><em>Already using SonarQube self-hosted instead of SonarCloud? The GitHub Actions integration works the same way, just swap the SonarCloud action for the generic SonarScanner and point it at your server URL.</em></p> softwareengineering codequality sonarqube githubactions ThankGod Chibugwum Obobo Sun, 22 Mar 2026 17:00:00 +0000 https://forem.com/actocodes/infrastructure-as-code-is-still-code-how-to-lint-and-format-terraform-and-ansible-5cn9 https://forem.com/actocodes/infrastructure-as-code-is-still-code-how-to-lint-and-format-terraform-and-ansible-5cn9 <p>When developers talk about code quality, they usually mean application code, running ESLint, enforcing Prettier, and integrating static analysis into CI pipelines. But <strong>Infrastructure as Code (IaC)</strong> deserves the same treatment.</p> <p>Terraform configurations and Ansible playbooks are real code. They define production environments, manage sensitive resources, and get reviewed in pull requests. Yet many teams apply zero linting or formatting standards to them, leading to inconsistent style, subtle misconfigurations, and security vulnerabilities that slip past reviewers.</p> <p>This guide covers the essential tools and practices for linting and formatting <strong>Terraform</strong> and <strong>Ansible</strong>, and how to integrate them into your CI/CD pipeline for consistent, reviewable, production-grade infrastructure code.</p> <h2> Why Code Quality Matters for IaC </h2> <p>The consequences of poor-quality IaC are more severe than messy application code:</p> <ul> <li> <strong>Misconfigurations cause outages.</strong> A wrong variable type or missing validation in a Terraform module can destroy or misconfigure production infrastructure.</li> <li> <strong>Security vulnerabilities are harder to spot.</strong> Open security groups, overly permissive IAM roles, and unencrypted storage buckets often hide in unreviewed or inconsistently formatted configs.</li> <li> <strong>Drift compounds over time.</strong> Without enforced standards, IaC files written by different engineers diverge in style, making diffs harder to read and reviews less effective.</li> <li> <strong>Onboarding suffers.</strong> New team members struggle to understand inconsistently structured playbooks and modules.</li> </ul> <p>Treating IaC with the same rigor as application code pays dividends in reliability and team velocity.</p> <h2> Linting and Formatting Terraform </h2> <h3> Formatting with <code>terraform fmt</code> </h3> <p>Terraform ships with a built-in formatter. Running <code>terraform fmt</code> rewrites your <code>.tf</code> files to conform to the canonical HCL style, consistent indentation, aligned <code>=</code> signs, and normalized block structures.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Format all .tf files recursively</span> terraform <span class="nb">fmt</span> <span class="nt">-recursive</span> <span class="c"># Check formatting without writing changes (useful in CI)</span> terraform <span class="nb">fmt</span> <span class="nt">-check</span> <span class="nt">-recursive</span> </code></pre> </div> <p>Make <code>-check</code> mode part of your CI pipeline. A non-zero exit code signals a formatting violation and fails the build, enforcing that all merged code is properly formatted.</p> <h3> Validation with <code>terraform validate</code> </h3> <p>Before linting, ensure your configuration is syntactically and semantically valid:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform init <span class="nt">-backend</span><span class="o">=</span><span class="nb">false </span>terraform validate </code></pre> </div> <p>This catches undefined variables, incorrect resource references, and invalid argument types, without making any API calls to your cloud provider.</p> <h3> Deep Linting with TFLint </h3> <p><code>terraform validate</code> only checks syntax. <strong>TFLint</strong> goes further, it analyzes your configurations against provider-specific rules, catches deprecated syntax, and flags likely bugs.</p> <p>Install TFLint and initialize provider plugins:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>brew <span class="nb">install </span>tflint <span class="c"># macOS</span> <span class="c">#or</span> curl <span class="nt">-s</span> https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | bash <span class="c">#linux</span> <span class="c">#or</span> choco <span class="nb">install </span>tflint <span class="c">#windows</span> <span class="c">#or</span> scoop <span class="nb">install </span>tflint <span class="c">#windows</span> <span class="c">#or</span> <span class="nb">alias </span><span class="nv">tflint</span><span class="o">=</span><span class="s2">"docker run --rm -v </span><span class="si">$(</span><span class="nb">pwd</span><span class="si">)</span><span class="s2">:/data -t ghcr.io/terraform-linters/tflint"</span> <span class="c">#docker</span> tflint <span class="nt">--init</span> </code></pre> </div> <p>Configure it with a <code>.tflint.hcl</code> file in your repo root:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># .tflint.hcl</span> <span class="nx">plugin</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"0.27.0"</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"github.com/terraform-linters/tflint-ruleset-aws"</span> <span class="p">}</span> <span class="nx">rule</span> <span class="s2">"terraform_naming_convention"</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">rule</span> <span class="s2">"terraform_unused_declarations"</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <p>Then run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>tflint <span class="nt">--recursive</span> </code></pre> </div> <p>TFLint will flag issues like invalid instance types, deprecated resource arguments, and naming convention violations, all before any infrastructure is provisioned.</p> <h3> Security Scanning with Trivy or Checkov </h3> <p>Linting catches style and syntax issues. Security scanning catches <strong>misconfigurations</strong> and for IaC, this is critical.</p> <p><strong>Checkov</strong> is a static analysis tool purpose-built for IaC security:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>checkov checkov <span class="nt">-d</span> <span class="nb">.</span> <span class="nt">--framework</span> terraform </code></pre> </div> <p>It checks for issues like:</p> <ul> <li>S3 buckets with public access enabled</li> <li>Security groups open to <code>0.0.0.0/0</code> </li> <li>Unencrypted RDS instances</li> <li>Missing CloudTrail logging</li> </ul> <p><strong>Trivy</strong> offers similar coverage and integrates well into container-based CI environments:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>trivy config ./terraform </code></pre> </div> <p>Run both as non-blocking checks early in adoption, then graduate them to hard failures as your team addresses existing violations.</p> <h2> Linting and Formatting Ansible </h2> <h3> Linting with ansible-lint </h3> <p><strong>ansible-lint</strong> is the standard linting tool for Ansible playbooks, roles, and task files. It enforces best practices defined by the Ansible community and catches common mistakes.</p> <p>Install and run it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>ansible-lint ansible-lint playbooks/ </code></pre> </div> <p>Common issues it catches:</p> <ul> <li>Missing <code>name</code> on tasks (makes logs unreadable)</li> <li>Use of deprecated modules</li> <li>Command and shell tasks that should use native Ansible modules</li> <li>Missing <code>become</code> escalation where required</li> <li>Incorrect YAML formatting</li> </ul> <h3> Configuring ansible-lint </h3> <p>Customize rules with a <code>.ansible-lint</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .ansible-lint</span> <span class="na">warn_list</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">experimental</span> <span class="na">skip_list</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">yaml[line-length]</span> <span class="c1"># skip line length for long task names</span> <span class="na">exclude_paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">.cache/</span> <span class="pi">-</span> <span class="s">molecule/</span> </code></pre> </div> <p>You can also use <strong>profiles</strong> to enforce stricter rule sets as your team matures:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ansible-lint <span class="nt">--profile</span> production playbooks/ </code></pre> </div> <p>Profiles range from <code>min</code> (basic safety checks) to <code>production</code> (full best-practice enforcement).</p> <h3> Formatting YAML with Prettier or yamllint </h3> <p>Ansible playbooks are YAML and YAML is notoriously whitespace-sensitive. Enforce consistent formatting using <strong>yamllint</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>yamllint yamllint playbooks/ </code></pre> </div> <p>Configure it with a <code>.yamllint</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .yamllint</span> <span class="na">extends</span><span class="pi">:</span> <span class="s">default</span> <span class="na">rules</span><span class="pi">:</span> <span class="na">line-length</span><span class="pi">:</span> <span class="na">max</span><span class="pi">:</span> <span class="m">120</span> <span class="na">indentation</span><span class="pi">:</span> <span class="na">indent-sequences</span><span class="pi">:</span> <span class="s">consistent</span> <span class="na">truthy</span><span class="pi">:</span> <span class="na">allowed-values</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">true'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">false'</span><span class="pi">]</span> </code></pre> </div> <p>For teams already using <strong>Prettier</strong>, it supports YAML formatting out of the box:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>prettier <span class="nt">--write</span> <span class="s2">"playbooks/**/*.yml"</span> </code></pre> </div> <p>Standardizing YAML formatting eliminates the most common source of noisy diff, whitespace-only changes.</p> <h3> Security Scanning Ansible with ansible-lint and Checkov </h3> <p>ansible-lint includes security-focused rules by default, flagging tasks that use <code>shell</code> or <code>command</code> with potentially unsafe inputs, or roles missing proper privilege escalation guards.</p> <p>Checkov also supports Ansible:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>checkov <span class="nt">-d</span> <span class="nb">.</span> <span class="nt">--framework</span> ansible </code></pre> </div> <p>It flags hardcoded secrets, missing no-log directives on sensitive tasks, and overly permissive file permissions.</p> <h2> Integrating into CI/CD </h2> <p>All of these tools become most valuable when they run automatically on every pull request. Here's a sample <strong>GitHub Actions</strong> workflow covering both Terraform and Ansible:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/iac-quality.yml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">IaC Quality Checks</span> <span class="na">on</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">pull_request</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">terraform</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">hashicorp/setup-terraform@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Format Check</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform fmt -check -recursive</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Validate</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">terraform init -backend=false</span> <span class="s">terraform validate</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">TFLint</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">terraform-linters/setup-tflint@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">tflint_version</span><span class="pi">:</span> <span class="s">latest</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">tflint --recursive</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkov Security Scan</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">bridgecrewio/checkov-action@master</span> <span class="na">with</span><span class="pi">:</span> <span class="na">directory</span><span class="pi">:</span> <span class="s">.</span> <span class="na">framework</span><span class="pi">:</span> <span class="s">terraform</span> <span class="na">ansible</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install tools</span> <span class="na">run</span><span class="pi">:</span> <span class="s">pip install ansible-lint yamllint</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">yamllint</span> <span class="na">run</span><span class="pi">:</span> <span class="s">yamllint playbooks/</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ansible-lint</span> <span class="na">run</span><span class="pi">:</span> <span class="s">ansible-lint playbooks/</span> </code></pre> </div> <p>Start with warnings before enforcing hard failures — this gives teams time to remediate existing violations without blocking all merges on day one.</p> <h2> Recommended Toolchain Summary </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Tool</th> <th>Purpose</th> <th>Applies To</th> </tr> </thead> <tbody> <tr> <td><code>terraform fmt</code></td> <td>Canonical formatting</td> <td>Terraform</td> </tr> <tr> <td><code>terraform validate</code></td> <td>Syntax &amp; semantic validation</td> <td>Terraform</td> </tr> <tr> <td>TFLint</td> <td>Provider-aware deep linting</td> <td>Terraform</td> </tr> <tr> <td>Checkov</td> <td>Security misconfiguration scanning</td> <td>Terraform &amp; Ansible</td> </tr> <tr> <td>Trivy</td> <td>Security scanning (container-friendly)</td> <td>Terraform</td> </tr> <tr> <td>ansible-lint</td> <td>Best practice enforcement</td> <td>Ansible</td> </tr> <tr> <td>yamllint</td> <td>YAML formatting &amp; structure</td> <td>Ansible</td> </tr> <tr> <td>Prettier</td> <td>YAML formatting (if already in stack)</td> <td>Ansible</td> </tr> </tbody> </table></div> <h2> Conclusion </h2> <p>Infrastructure as Code is not configuration, it's code, and it deserves the same quality standards your application code receives. By integrating <strong>terraform fmt</strong>, <strong>TFLint</strong>, <strong>Checkov</strong>, <strong>ansible-lint</strong>, and <strong>yamllint</strong> into your development workflow and CI pipeline, you catch misconfigurations before they reach production, enforce consistent standards across teams, and make infrastructure pull requests actually reviewable.</p> <p>Start with formatting and basic validation, layer in security scanning, and enforce everything in CI. Your future self, and your on-call rotation, will thank you.</p> <p><em>Already using a different IaC tool like Pulumi or OpenTofu? The same principles apply — drop a comment with your preferred linting setup.</em></p> terraform ansible infrastructureascode softwareengineering ThankGod Chibugwum Obobo Sun, 15 Mar 2026 17:00:00 +0000 https://forem.com/actocodes/monorepo-vs-polyrepo-how-to-choose-the-right-strategy-for-managing-multiple-services-b13 https://forem.com/actocodes/monorepo-vs-polyrepo-how-to-choose-the-right-strategy-for-managing-multiple-services-b13 <p>As engineering teams grow and services multiply, one architectural decision quietly shapes how fast you ship, how well teams collaborate, and how painful your CI/CD pipelines become: <strong>how you organize your code repositories</strong>.</p> <p>The debate between <strong>monorepo</strong> and <strong>polyrepo</strong> is not new, but it's become more relevant than ever as microservices, micro-frontends, and platform engineering take center stage. Neither approach is universally superior. The right choice depends on your team size, service boundaries, and tooling maturity.</p> <p>This guide breaks down both strategies, how they work, where they excel, where they struggle, and how to make the right call for your organization.</p> <h2> What Is a Monorepo? </h2> <p>A <strong>monorepo</strong> (monolithic repository) stores all services, libraries, and applications in a single version-controlled repository. Every team works in the same codebase, sharing tooling, CI configuration, and dependency management.</p> <p>Notable companies using monorepos include Google, Meta, and Microsoft, though their implementations are backed by custom-built tooling at a scale most teams will never reach.</p> <p>In practice, a monorepo structure looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/repo /apps /web /api-gateway /admin-dashboard /services /users-service /orders-service /payments-service /packages /ui-components /shared-utils /config </code></pre> </div> <p>Popular monorepo tooling includes <strong>Nx</strong>, <strong>Turborepo</strong>, <strong>Lerna</strong>, and <strong>Bazel</strong>, each offering features like dependency graph analysis, affected-only builds, and remote caching.</p> <h2> What Is a Polyrepo? </h2> <p>A <strong>polyrepo</strong> strategy gives each service or application its own dedicated repository. Teams own their repos end-to-end, from code to CI/CD pipeline to deployment configuration.</p> <p>A typical polyrepo setup looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>github.com/your-org/web github.com/your-org/api-gateway github.com/your-org/users-service github.com/your-org/orders-service github.com/your-org/shared-ui ← published as an npm package </code></pre> </div> <p>Cross-service shared code is distributed as versioned packages (npm, PyPI, private registries), and each repo independently manages its own dependencies and release cycle.</p> <h2> Monorepo: Key Advantages </h2> <h3> Unified Dependency Management </h3> <p>All services share the same <code>node_modules</code> (or equivalent). Upgrading a shared library, say, a logging utility or a UI component, happens once and propagates everywhere. No more version drift between repos.</p> <h3> Atomic Cross-Service Changes </h3> <p>A single commit can update an API contract and all its consumers simultaneously. This is invaluable when refactoring shared interfaces or rolling out breaking changes, you see the full blast radius in one pull request.</p> <h3> Simplified Code Sharing </h3> <p>Internal packages are imported directly without publishing to a registry. Your <code>orders-service</code> can import from <code>packages/shared-utils</code> with a simple path alias, no versioning, no publish step.</p> <h3> Consistent Tooling and Standards </h3> <p>Linting rules, test configurations, TypeScript settings, and CI pipelines are defined once and enforced across every project. Onboarding a new engineer means one repo to clone, one setup script to run.</p> <h2> Monorepo: Key Challenges </h2> <h3> Build and CI Complexity at Scale </h3> <p>Without smart tooling, a single change triggers a full rebuild of everything. Tools like <strong>Nx</strong> and <strong>Turborepo</strong> solve this with <strong>affected builds</strong>, only rebuilding projects impacted by a change, but they require investment to configure correctly.</p> <h3> Repository Size Over Time </h3> <p>As the repo grows, <code>git clone</code>, <code>git log</code>, and local tooling can slow down. This is manageable for most teams but becomes a real concern at Google or Meta scale.</p> <h3> Access Control Limitations </h3> <p>Standard version control systems don't offer fine-grained folder-level permissions out of the box. If compliance or security requires strict team boundaries, monorepos add friction.</p> <h2> Polyrepo: Key Advantages </h2> <h3> Strong Team Autonomy </h3> <p>Each team owns their repo completely. They choose their own tooling, set their own release schedules, and deploy without coordinating with other teams. This maps cleanly to microservices ownership models.</p> <h3> Isolated CI/CD Pipelines </h3> <p>Pipelines only run for the service that changed. No risk of a flaky test in an unrelated service blocking your deployment.</p> <h3> Clearer Blast Radius </h3> <p>Changes in one repo cannot inadvertently break another, unless a published package version is bumped. This enforces intentionality around cross-service dependencies.</p> <h3> Familiar and Widely Supported </h3> <p>Every developer knows how to work with independent repos. GitHub, GitLab, and Bitbucket all support polyrepo workflows natively with no additional tooling required.</p> <h2> Polyrepo: Key Challenges </h2> <h3> Dependency Version Drift </h3> <p>When 12 services each pin their own version of a shared library, you end up with 12 different versions in production. Security patches and upgrades become coordination nightmares.</p> <h3> Painful Cross-Service Refactoring </h3> <p>Renaming a shared interface or updating an API contract requires opening PRs across multiple repos, coordinating merges, and hoping nothing gets missed. There's no atomic cross-repo commit.</p> <h3> Duplicated Boilerplate </h3> <p>CI configuration, Dockerfile templates, lint rules, and test setups get copy-pasted across repos and then slowly diverge. Standardizing them requires manual effort or internal tooling investment.</p> <h3> Discoverability Overhead </h3> <p>Finding which repo owns a piece of functionality, understanding the dependency graph between services, and onboarding new engineers all become harder as the number of repos grows.</p> <h2> Head-to-Head Comparison </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Dimension</th> <th>Monorepo</th> <th>Polyrepo</th> </tr> </thead> <tbody> <tr> <td>Code sharing</td> <td>Native, zero friction</td> <td>Via versioned packages</td> </tr> <tr> <td>Team autonomy</td> <td>Shared conventions required</td> <td>Full independence</td> </tr> <tr> <td>Atomic refactoring</td> <td>Single PR across services</td> <td>Multi-repo coordination</td> </tr> <tr> <td>CI/CD speed (early stage)</td> <td>Centralized pipelines</td> <td>Isolated pipelines</td> </tr> <tr> <td>CI/CD speed (at scale)</td> <td>Requires smart build tooling</td> <td>No cross-service impact</td> </tr> <tr> <td>Dependency management</td> <td>Single source of truth</td> <td>Version drift risk</td> </tr> <tr> <td>Access control</td> <td>Limited granularity</td> <td>Repo-level isolation</td> </tr> <tr> <td>Onboarding complexity</td> <td>One repo to learn</td> <td>Many repos to navigate</td> </tr> <tr> <td>Tooling investment</td> <td>Higher upfront (Nx, Turborepo)</td> <td>Lower upfront</td> </tr> </tbody> </table></div> <h2> How to Make the Right Decision </h2> <p>Rather than defaulting to one strategy, evaluate these four factors:</p> <h3> 1. Team Size and Structure </h3> <p>Small teams (under 10 engineers) almost always benefit from a monorepo, the coordination overhead of polyrepo outweighs the autonomy benefits. Larger organizations with dedicated platform teams are better equipped to manage polyrepo complexity.</p> <h3> 2. Degree of Code Sharing </h3> <p>If services share a significant amount of code UI libraries, API clients, validation schemas, domain models, a monorepo eliminates the version management overhead that polyrepo introduces.</p> <h3> 3. Deployment Independence Requirements </h3> <p>If regulatory, compliance, or security requirements demand hard boundaries between services, polyrepo provides natural isolation. Monorepos can enforce boundaries via tooling, but it requires discipline.</p> <h3> 4. Tooling Maturity </h3> <p>A monorepo without proper tooling is a pain. If your team isn't ready to invest in configuring <strong>Nx</strong>, <strong>Turborepo</strong>, or equivalent, a polyrepo may be the more pragmatic short-term choice.</p> <h2> Hybrid Approaches </h2> <p>Many mature organizations land on a <strong>hybrid strategy</strong>:</p> <ul> <li>Group closely related services (e.g., all backend microservices) into a <strong>single monorepo</strong> with Nx or Turborepo.</li> <li>Keep unrelated products or platforms in <strong>separate repos</strong>.</li> <li>Publish stable, widely-consumed libraries to a <strong>private package registry</strong>.</li> </ul> <p>This balances autonomy, code sharing, and operational complexity without forcing a binary choice.</p> <h2> Conclusion </h2> <p>The monorepo vs. polyrepo decision is less about which is objectively better and more about <strong>what fits your team's current size, workflow, and tooling investment capacity</strong>.</p> <p>If you're optimizing for fast iteration, easy code sharing, and consistent standards lean toward a <strong>monorepo</strong> with modern tooling like Nx or Turborepo. If you're optimizing for team autonomy, strict service isolation, and minimal cross-team coordination a <strong>polyrepo</strong> approach gives you clean boundaries.</p> <p>Whatever you choose, document the decision, define clear conventions, and revisit it as your organization scales. The best architecture is the one your team can actually operate effectively.</p> monorepo polyrepo architecture programming ThankGod Chibugwum Obobo Sun, 08 Mar 2026 17:00:00 +0000 https://forem.com/actocodes/micro-frontends-explained-how-to-implement-module-federation-oe3 https://forem.com/actocodes/micro-frontends-explained-how-to-implement-module-federation-oe3 <p>Frontend applications are growing in complexity. As teams scale and codebases expand, a single monolithic frontend becomes just as problematic as a monolithic backend, slow builds, deployment bottlenecks, and team conflicts over shared code.</p> <p><strong>Micro-frontends</strong> apply the same decomposition principles as microservices to the UI layer. And with <strong>Webpack Module Federation</strong>, implementing micro-frontends has never been more practical.</p> <p>In this guide, you'll learn what micro-frontends are, when to use them, and how to set up Module Federation step-by-step, with real configuration examples you can apply to your own projects.</p> <h2> What Are Micro-Frontends? </h2> <p>A micro-frontend architecture breaks a web application into smaller, independently deployable UI units each owned by a separate team, built with its own toolchain, and composed together at runtime.</p> <p>Think of it this way: instead of one giant React app that every team commits to, you have:</p> <ul> <li>A <strong>shell app</strong> (host) that defines the layout and navigation.</li> <li>Multiple <strong>remote apps</strong> (micro-frontends) that own specific features or pages.</li> </ul> <p>Each remote can be developed, tested, and deployed independently without touching the host or other remotes.</p> <h3> When Should You Use Micro-Frontends? </h3> <p>Micro-frontends are best suited for:</p> <ul> <li> <strong>Large teams</strong> working on the same product with minimal coordination overhead.</li> <li> <strong>Multi-team organizations</strong> where different squads own distinct product areas.</li> <li> <strong>Legacy modernization</strong> — incrementally replacing parts of an old app without a full rewrite.</li> <li> <strong>Independent deployment cycles</strong> — when one team shouldn't be blocked by another's release schedule.</li> </ul> <p>They're overkill for small teams or early-stage products. Start with a well-structured monorepo first.</p> <h2> What Is Webpack Module Federation? </h2> <p>Introduced in <strong>Webpack 5</strong>, <strong>Module Federation</strong> is a native plugin that allows JavaScript bundles to dynamically load code from other independently deployed applications at runtime.</p> <p>Before Module Federation, sharing code across apps required publishing npm packages, a slow feedback loop. Module Federation eliminates that by letting apps <strong>expose and consume modules directly over the network</strong>.</p> <p>Key concepts:<br> | Term | Description |<br> |------|-------------|<br> | <strong>Host</strong> | The shell app that consumes remote modules |<br> | <strong>Remote</strong> | An app that exposes modules to be consumed |<br> | <strong>Shared</strong> | Dependencies shared across host and remotes to avoid duplication |<br> | <strong>Exposes</strong> | The modules a remote makes available |</p> <h2> Step 1 — Project Structure </h2> <p>For this guide, we'll build two applications:</p> <ul> <li> <code>shell</code> — the host application</li> <li> <code>product-app</code> — a remote micro-frontend exposing a <code>ProductList</code> component </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/micro-frontend-demo /shell ← Host app /product-app ← Remote app </code></pre> </div> <p>Each app is a standalone Webpack + React project. Initialize them separately:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir </span>shell product-app <span class="nb">cd </span>shell <span class="o">&amp;&amp;</span> npm init <span class="nt">-y</span> <span class="o">&amp;&amp;</span> npm <span class="nb">install </span>webpack webpack-cli webpack-dev-server react react-dom <span class="nb">cd</span> ../product-app <span class="o">&amp;&amp;</span> npm init <span class="nt">-y</span> <span class="o">&amp;&amp;</span> npm <span class="nb">install </span>webpack webpack-cli webpack-dev-server react react-dom </code></pre> </div> <h2> Step 2 — Configure the Remote App (product-app) </h2> <p>The remote app <strong>exposes</strong> components for the host to consume. Configure <code>ModuleFederationPlugin</code> in its <code>webpack.config.js</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// product-app/webpack.config.js</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">ModuleFederationPlugin</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">webpack</span><span class="dl">'</span><span class="p">).</span><span class="nx">container</span><span class="p">;</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="p">{</span> <span class="na">mode</span><span class="p">:</span> <span class="dl">'</span><span class="s1">development</span><span class="dl">'</span><span class="p">,</span> <span class="na">devServer</span><span class="p">:</span> <span class="p">{</span> <span class="na">port</span><span class="p">:</span> <span class="mi">3001</span> <span class="p">},</span> <span class="na">plugins</span><span class="p">:</span> <span class="p">[</span> <span class="k">new</span> <span class="nc">ModuleFederationPlugin</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">productApp</span><span class="dl">'</span><span class="p">,</span> <span class="na">filename</span><span class="p">:</span> <span class="dl">'</span><span class="s1">remoteEntry.js</span><span class="dl">'</span><span class="p">,</span> <span class="na">exposes</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">./ProductList</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">./src/components/ProductList</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="na">shared</span><span class="p">:</span> <span class="p">{</span> <span class="na">react</span><span class="p">:</span> <span class="p">{</span> <span class="na">singleton</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">requiredVersion</span><span class="p">:</span> <span class="dl">'</span><span class="s1">^18.0.0</span><span class="dl">'</span> <span class="p">},</span> <span class="dl">'</span><span class="s1">react-dom</span><span class="dl">'</span><span class="p">:</span> <span class="p">{</span> <span class="na">singleton</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">requiredVersion</span><span class="p">:</span> <span class="dl">'</span><span class="s1">^18.0.0</span><span class="dl">'</span> <span class="p">},</span> <span class="p">},</span> <span class="p">}),</span> <span class="p">],</span> <span class="p">};</span> </code></pre> </div> <p>Key properties explained:</p> <ul> <li> <strong><code>name</code></strong> — unique identifier for this remote.</li> <li> <strong><code>filename</code></strong> — the manifest file the host will fetch (<code>remoteEntry.js</code>).</li> <li> <strong><code>exposes</code></strong> — maps public aliases to local module paths.</li> <li> <strong><code>shared</code></strong> — prevents React from being loaded twice (critical for hooks to work correctly).</li> </ul> <h2> Step 3 — Configure the Host App (shell) </h2> <p>The shell app <strong>consumes</strong> the remote by referencing its <code>remoteEntry.js</code> URL:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// shell/webpack.config.js</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">ModuleFederationPlugin</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">webpack</span><span class="dl">'</span><span class="p">).</span><span class="nx">container</span><span class="p">;</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="p">{</span> <span class="na">mode</span><span class="p">:</span> <span class="dl">'</span><span class="s1">development</span><span class="dl">'</span><span class="p">,</span> <span class="na">devServer</span><span class="p">:</span> <span class="p">{</span> <span class="na">port</span><span class="p">:</span> <span class="mi">3000</span> <span class="p">},</span> <span class="na">plugins</span><span class="p">:</span> <span class="p">[</span> <span class="k">new</span> <span class="nc">ModuleFederationPlugin</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">shell</span><span class="dl">'</span><span class="p">,</span> <span class="na">remotes</span><span class="p">:</span> <span class="p">{</span> <span class="na">productApp</span><span class="p">:</span> <span class="dl">'</span><span class="s1">productApp@http://localhost:3001/remoteEntry.js</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="na">shared</span><span class="p">:</span> <span class="p">{</span> <span class="na">react</span><span class="p">:</span> <span class="p">{</span> <span class="na">singleton</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">requiredVersion</span><span class="p">:</span> <span class="dl">'</span><span class="s1">^18.0.0</span><span class="dl">'</span> <span class="p">},</span> <span class="dl">'</span><span class="s1">react-dom</span><span class="dl">'</span><span class="p">:</span> <span class="p">{</span> <span class="na">singleton</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">requiredVersion</span><span class="p">:</span> <span class="dl">'</span><span class="s1">^18.0.0</span><span class="dl">'</span> <span class="p">},</span> <span class="p">},</span> <span class="p">}),</span> <span class="p">],</span> <span class="p">};</span> </code></pre> </div> <p>The remote reference follows the pattern: <code>name@url/remoteEntry.js</code></p> <h2> Step 4 — Consume the Remote Component </h2> <p>In your shell app, import the remote component using a <strong>dynamic import with React.lazy</strong>. This is required because Module Federation loads code asynchronously at runtime:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// shell/src/App.tsx</span> <span class="k">import</span> <span class="nx">React</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Suspense</span><span class="p">,</span> <span class="nx">lazy</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">ProductList</span> <span class="o">=</span> <span class="nf">lazy</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="k">import</span><span class="p">(</span><span class="dl">'</span><span class="s1">productApp/ProductList</span><span class="dl">'</span><span class="p">));</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">App</span><span class="p">()</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">h1</span><span class="p">&gt;</span>My Store<span class="p">&lt;/</span><span class="nt">h1</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Suspense</span> <span class="na">fallback</span><span class="p">=</span><span class="si">{</span><span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span>Loading products...<span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">ProductList</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">Suspense</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>When the shell renders <code>&lt;ProductList /&gt;</code>, Webpack fetches the component's bundle from the <code>product-app</code> server at runtime — not at build time.</p> <h2> Step 5 — Sharing State Across Micro-Frontends </h2> <p>One of the trickiest aspects of micro-frontends is <strong>cross-app state management</strong>. A few proven approaches:</p> <h3> URL as State </h3> <p>Use the URL (query params, path segments) as the source of truth for shared state. It's universally accessible and framework-agnostic.</p> <h3> Custom Events (Web APIs) </h3> <p>Use the browser's native <code>CustomEvent</code> API for lightweight communication between micro-frontends:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// In product-app — dispatch an event</span> <span class="nb">window</span><span class="p">.</span><span class="nf">dispatchEvent</span><span class="p">(</span><span class="k">new</span> <span class="nc">CustomEvent</span><span class="p">(</span><span class="dl">'</span><span class="s1">product:selected</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">detail</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="mi">42</span> <span class="p">}</span> <span class="p">}));</span> <span class="c1">// In shell — listen for the event</span> <span class="nb">window</span><span class="p">.</span><span class="nf">addEventListener</span><span class="p">(</span><span class="dl">'</span><span class="s1">product:selected</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Selected product:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">e</span><span class="p">.</span><span class="nx">detail</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <h3> Shared State Library </h3> <p>If deeper integration is needed, expose a shared store (e.g., Zustand or a Redux slice) via Module Federation's <code>shared</code> config and consume it across remotes.</p> <h2> Step 6 — Deployment Considerations </h2> <p>In production, each micro-frontend is deployed independently to its own origin (CDN bucket, cloud function, or container). Update your remote URLs to use environment variables:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">remotes</span><span class="p">:</span> <span class="p">{</span> <span class="nl">productApp</span><span class="p">:</span> <span class="s2">`productApp@</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">PRODUCT_APP_URL</span><span class="p">}</span><span class="s2">/remoteEntry.js`</span><span class="p">,</span> <span class="p">},</span> </code></pre> </div> <p><strong>Deployment best practices:</strong></p> <ul> <li> <strong>Version your remote entries</strong> — use content-hashed filenames or versioned paths (<code>/v2/remoteEntry.js</code>) to prevent stale cache issues.</li> <li> <strong>Health checks</strong> — monitor <code>remoteEntry.js</code> availability; a failed remote shouldn't crash the entire shell.</li> <li> <strong>Fallback UI</strong> — always wrap remote imports in <code>&lt;Suspense&gt;</code> and error boundaries.</li> <li> <strong>CI/CD independence</strong> — each remote should have its own pipeline with no dependency on the host's release cycle.</li> </ul> <h2> Common Pitfalls to Avoid </h2> <p><strong>Duplicate dependencies:</strong> Forgetting to mark <code>react</code> and <code>react-dom</code> as <code>singleton</code> in shared config causes multiple React instances breaking hooks and context. Always enforce singletons for peer dependencies.</p> <p><strong>Tight coupling through contracts:</strong> If remotes depend on props or APIs defined by the host, you've recreated the monolith problem. Remotes should be self-contained and communicate via events or shared state patterns.</p> <p><strong>Over-decomposing the UI:</strong> Not every component needs to be a micro-frontend. Decompose at the <strong>page or feature level</strong>, not the component level.</p> <h2> Conclusion </h2> <p><strong>Webpack Module Federation</strong> makes micro-frontends practical for production teams. By independently developing, deploying, and composing UI modules, you unlock true frontend scalability, shorter release cycles, clearer ownership, and the freedom to evolve each part of your UI without coordinating a full-app deployment.</p> <p>Start with a single remote extracted from your monolith, validate the workflow end-to-end, and expand incrementally. The architecture rewards patience and deliberate boundaries.</p> <p><em>Building micro-frontends with a different bundler like Vite or Rspack? Let me know in the comments, a follow-up guide might be on the way.</em></p> microfrontends modulefederation frontendarchitecture softwareengineering ThankGod Chibugwum Obobo Sun, 01 Mar 2026 17:00:00 +0000 https://forem.com/actocodes/how-to-migrate-from-monolith-to-microservices-using-nestjs-and-postgresql-4paj https://forem.com/actocodes/how-to-migrate-from-monolith-to-microservices-using-nestjs-and-postgresql-4paj <p>As your application grows, a monolithic backend can become a bottleneck, deployments slow down, teams step on each other's code, and scaling a single feature means scaling the entire app. The shift to a <strong>microservices architecture</strong> is one of the most impactful decisions you can make to ensure long-term scalability and maintainability.</p> <p>In this guide, you'll learn how to transition a monolithic Node.js backend to a microservices architecture using <strong>NestJS</strong> and <strong>PostgreSQL</strong>. We'll cover the architectural concepts, practical decomposition strategies, inter-service communication, and database-per-service patterns, giving you a clear, step-by-step roadmap.</p> <h2> What Is a Monolithic Architecture? </h2> <p>A monolithic application bundles all business logic, authentication, user management, payments, notifications, and more into a single deployable unit. While this works well early on, it comes with notable drawbacks as complexity scales:</p> <ul> <li> <strong>Tight coupling</strong> between modules makes changes risky.</li> <li> <strong>Scaling bottlenecks</strong> force you to scale the entire app instead of just the hot paths.</li> <li> <strong>Long deployment cycles</strong> increase downtime risk.</li> <li> <strong>Team friction</strong> grows as multiple engineers work in the same codebase.</li> </ul> <p>Recognizing these pain points is the first step toward making the right architectural shift.</p> <h2> Why NestJS Is Ideal for Microservices </h2> <p><strong>NestJS</strong> is a progressive Node.js framework built with TypeScript and inspired by Angular's module-based architecture. It has first-class support for microservices out of the box via its <code>@nestjs/microservices</code> package.</p> <p>Key advantages NestJS brings to microservices:</p> <ul> <li> <strong>Transport-agnostic communication:</strong> supports TCP, Redis, NATS, Kafka, RabbitMQ, and gRPC.</li> <li> <strong>Modular architecture:</strong> each domain naturally maps to an isolated NestJS module.</li> <li> <strong>Decorators and dependency injection:</strong> reduce boilerplate and improve testability.</li> <li> <strong>Consistent patterns:</strong> your team uses the same conventions across every service.</li> </ul> <h2> Step 1: Identify Service Boundaries (Domain Decomposition) </h2> <p>Before writing any code, map out your domain. A common strategy is <strong>Domain-Driven Design (DDD)</strong>, where you identify bounded contexts, logical groupings of business logic that operate independently. We mentioned this last week <a href="https://actocodes.hashnode.dev/decoupling-business-logic" rel="noopener noreferrer">here</a>.</p> <p>For example, an e-commerce monolith might be decomposed into:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnt9p2i09u73zb78zjyuy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnt9p2i09u73zb78zjyuy.png" alt="common services and responsibilities" width="422" height="183"></a></p> <blockquote> <p><strong>Rule of thumb:</strong> If two pieces of logic require different scaling, different teams, or different release cycles, they belong in separate services.</p> </blockquote> <h2> Step 2: Set Up a NestJS Microservice </h2> <p>Let's scaffold a basic microservice. First, install the necessary packages:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> @nestjs/microservices </code></pre> </div> <p>Then, bootstrap your service to listen over TCP (or any transport of your choice):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// main.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NestFactory</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/core</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Transport</span><span class="p">,</span> <span class="nx">MicroserviceOptions</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/microservices</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AppModule</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./app.module</span><span class="dl">'</span><span class="p">;</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">bootstrap</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">NestFactory</span><span class="p">.</span><span class="nx">createMicroservice</span><span class="o">&lt;</span><span class="nx">MicroserviceOptions</span><span class="o">&gt;</span><span class="p">(</span><span class="nx">AppModule</span><span class="p">,</span> <span class="p">{</span> <span class="na">transport</span><span class="p">:</span> <span class="nx">Transport</span><span class="p">.</span><span class="nx">TCP</span><span class="p">,</span> <span class="na">options</span><span class="p">:</span> <span class="p">{</span> <span class="na">host</span><span class="p">:</span> <span class="dl">'</span><span class="s1">0.0.0.0</span><span class="dl">'</span><span class="p">,</span> <span class="na">port</span><span class="p">:</span> <span class="mi">3001</span> <span class="p">},</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">();</span> <span class="p">}</span> <span class="nf">bootstrap</span><span class="p">();</span> </code></pre> </div> <p>Your service is now an independent process that communicates via TCP. Other services (or an API Gateway) can send messages to it using NestJS's <code>ClientProxy</code>.</p> <h2> Step 3: Database Per Service with PostgreSQL </h2> <p>One of the most critical principles in microservices is <strong>database isolation</strong>. Each service should own its data, no shared tables, no cross-service joins.</p> <p>With <strong>PostgreSQL</strong>, this means:</p> <ul> <li>Each service gets its own <strong>database or schema</strong>.</li> <li>Services never query another service's database directly.</li> <li>Data consistency across services is achieved via <strong>events</strong>, not transactions.</li> </ul> <p>Here's how to configure TypeORM in a NestJS microservice pointing to its own PostgreSQL database:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app.module.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">TypeOrmModule</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/typeorm</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Module</span><span class="p">({</span> <span class="na">imports</span><span class="p">:</span> <span class="p">[</span> <span class="nx">TypeOrmModule</span><span class="p">.</span><span class="nf">forRoot</span><span class="p">({</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">postgres</span><span class="dl">'</span><span class="p">,</span> <span class="na">host</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DB_HOST</span><span class="p">,</span> <span class="na">port</span><span class="p">:</span> <span class="mi">5432</span><span class="p">,</span> <span class="na">username</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DB_USER</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DB_PASS</span><span class="p">,</span> <span class="na">database</span><span class="p">:</span> <span class="dl">'</span><span class="s1">orders_db</span><span class="dl">'</span><span class="p">,</span> <span class="na">entities</span><span class="p">:</span> <span class="p">[</span><span class="nx">Order</span><span class="p">],</span> <span class="na">synchronize</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">}),</span> <span class="p">],</span> <span class="p">})</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">AppModule</span> <span class="p">{}</span> </code></pre> </div> <blockquote> <p><strong>Pro tip:</strong> Use <strong>database migrations</strong> (via TypeORM) instead of <code>synchronize: true</code> in any environment beyond local development.</p> </blockquote> <h2> Step 4: Inter-Service Communication </h2> <p>Services need to talk to each other. There are two primary communication patterns:</p> <h3> Synchronous (Request/Response) </h3> <p>Used when the caller needs an immediate answer, e.g., fetching a user's profile during order creation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// In the orders-service, calling the users-service</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">usersClient</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">get_user</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="nx">userId</span> <span class="p">}).</span><span class="nf">toPromise</span><span class="p">();</span> </code></pre> </div> <h3> Asynchronous (Event-Driven) </h3> <p>Used when you want to decouple services, e.g., emitting an <code>order_placed</code> event that the notifications-service listens for.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Emit an event — fire and forget</span> <span class="k">this</span><span class="p">.</span><span class="nx">client</span><span class="p">.</span><span class="nf">emit</span><span class="p">(</span><span class="dl">'</span><span class="s1">order_placed</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="nx">orderId</span><span class="p">,</span> <span class="nx">userId</span><span class="p">,</span> <span class="nx">total</span> <span class="p">});</span> </code></pre> </div> <p>For production workloads, consider using <strong>NATS</strong>, <strong>RabbitMQ</strong>, or <strong>Kafka</strong> as the message broker instead of bare TCP. These provide message persistence, retries, and fan-out delivery.</p> <h2> Step 5: API Gateway Pattern </h2> <p>In a microservices setup, clients shouldn't talk directly to individual services. Instead, implement an <strong>API Gateway</strong> — a single entry point that routes requests to the appropriate service.</p> <p>In NestJS, your gateway is a standard HTTP application that acts as a client to multiple microservices:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="p">@</span><span class="nd">Controller</span><span class="p">(</span><span class="dl">'</span><span class="s1">orders</span><span class="dl">'</span><span class="p">)</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">OrdersController</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span> <span class="p">@</span><span class="nd">Inject</span><span class="p">(</span><span class="dl">'</span><span class="s1">ORDERS_SERVICE</span><span class="dl">'</span><span class="p">)</span> <span class="k">private</span> <span class="k">readonly</span> <span class="nx">ordersClient</span><span class="p">:</span> <span class="nx">ClientProxy</span><span class="p">,</span> <span class="p">)</span> <span class="p">{}</span> <span class="p">@</span><span class="nd">Post</span><span class="p">()</span> <span class="nf">createOrder</span><span class="p">(@</span><span class="nd">Body</span><span class="p">()</span> <span class="nx">dto</span><span class="p">:</span> <span class="nx">CreateOrderDto</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">ordersClient</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">create_order</span><span class="dl">'</span><span class="p">,</span> <span class="nx">dto</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The API Gateway handles:</p> <ul> <li> <strong>Authentication &amp; authorization</strong> (JWT validation)</li> <li><strong>Rate limiting</strong></li> <li><strong>Request routing</strong></li> <li><strong>Response aggregation</strong></li> </ul> <h2> Step 6: Migrating Incrementally with the Strangler Fig Pattern </h2> <p>You don't have to rewrite everything at once. The <strong>Strangler Fig Pattern</strong> lets you migrate piece by piece:</p> <ol> <li> <strong>Identify</strong> the most isolated module in your monolith (e.g., notifications).</li> <li> <strong>Extract</strong> it into a standalone NestJS microservice.</li> <li> <strong>Route</strong> traffic for that domain to the new service via your API Gateway.</li> <li> <strong>Retire</strong> the corresponding code from the monolith.</li> <li> <strong>Repeat</strong> for the next module.</li> </ol> <p>This approach minimizes risk and keeps your application running throughout the migration.</p> <h2> Common Pitfalls to Avoid </h2> <p><strong>Distributed monolith:</strong> If your services are tightly coupled via synchronous calls and shared databases, you have a distributed monolith with all the complexity of microservices and none of the benefits. Design for loose coupling from day one.<br> <strong>Over-decomposition:</strong> Not every function needs its own service. Start with 3–5 well-defined services and split further only when a clear need arises.<br> <strong>Ignoring observability:</strong> In a distributed system, tracing a request across services requires dedicated tooling. Integrate <strong>distributed tracing</strong> (e.g., OpenTelemetry) and <strong>centralized logging</strong> (e.g., ELK stack) early.</p> <h2> Conclusion </h2> <p>Migrating from a monolith to microservices is not a flip-of-a-switch operation, it's a deliberate, incremental process. With <strong>NestJS</strong> providing a structured and transport-flexible framework, and <strong>PostgreSQL</strong> offering a battle-tested relational database, you have a solid foundation to build scalable, maintainable backend systems.</p> <p>Start by identifying your domain boundaries, extract one service at a time using the Strangler Fig Pattern, and invest early in observability and messaging infrastructure. Done right, your architecture will scale with your product, and your team.</p> <p><em>Have questions about your specific migration scenario? Drop them in the comments below.</em></p> scalability programming softwareengineering architecture ThankGod Chibugwum Obobo Sun, 22 Feb 2026 17:00:00 +0000 https://forem.com/actocodes/decoupling-business-logic-a-fullstack-guide-to-domain-driven-design-ddd-b6g https://forem.com/actocodes/decoupling-business-logic-a-fullstack-guide-to-domain-driven-design-ddd-b6g <p>One of the biggest mistakes in modern development is letting your framework (React, NestJS, Flutter) dictate your business logic. When the "rules" of your application are scattered across UI components and Database controllers, your system becomes a "Big Ball of Mud."</p> <p><strong>Domain-Driven Design (DDD)</strong> is the architectural remedy. It allows us to build a "Brain" (The Domain) that is independent of the "Body" (The Framework).</p> <p>Building on the <a href="https://actocodes.hashnode.dev/scalable-folder-structures" rel="noopener noreferrer">scalable folder structures</a> we discussed previously, we’re now diving into Domain-Driven Design (DDD). We are moving beyond simple organization to a modular architecture where each feature acts as a standalone unit, a vital step for anyone looking to implement Micro-Frontends or Microservices.</p> <h2> 1. The Core Philosophy: The Bounded Context </h2> <p>In an enterprise system, the word "User" means different things to different departments.</p> <ul> <li> <strong>In Auth:</strong> A User is a set of credentials (email/password).</li> <li> <strong>In Billing:</strong> A User is a tax ID and a credit card.</li> <li> <strong>In Support:</strong> A User is a ticket history.</li> </ul> <p>Instead of one massive <code>User</code> class that handles everything, DDD teaches us to create <strong>Bounded Contexts</strong>. We split the application into logical boundaries where terms are consistent.</p> <h2> 2. The Layered Blueprint (Frontend &amp; Backend) </h2> <p>Whether you are in a NestJS service or a React feature folder, the internal structure should follow these four layers:</p> <h3> A. The Domain Layer (The Core) </h3> <ul> <li> <strong>Content:</strong> Entities, Value Objects, and Domain Services.</li> <li> <strong>Rule:</strong> <strong>Zero Dependencies.</strong> It should not know about React, NestJS, Axios, or TypeORM.</li> <li> <strong>Example:</strong> A <code>calculateInvoiceTotal()</code> function that only cares about math and business rules.</li> </ul> <h3> B. The Application Layer (The Orchestrator) </h3> <ul> <li> <strong>Content:</strong> Use Cases, Ports, and Custom Hooks.</li> <li> <strong>Role:</strong> It tells the Domain what to do. </li> <li> <strong>Frontend:</strong> A React Hook like <code>useCheckoutFlow()</code>.</li> <li> <strong>Backend:</strong> A NestJS Service that coordinates between the Database and the Domain.</li> </ul> <h3> C. The Infrastructure Layer (The External World) </h3> <ul> <li> <strong>Content:</strong> Repositories, API Clients, Database Models.</li> <li> <strong>Role:</strong> Technical implementation. This is where you write your SQL queries or your <code>fetch()</code> calls.</li> </ul> <h3> D. The Presentation Layer (The Interface) </h3> <ul> <li> <strong>Content:</strong> React Components / NestJS Controllers.</li> <li> <strong>Role:</strong> Translating user input (clicks or HTTP requests) into something the Application layer understands.</li> </ul> <h2> 3. Why DDD is the Secret to Fullstack Harmony </h2> <p>When both your Frontend and Backend teams use DDD:</p> <ol> <li> <strong>Shared Language:</strong> The <code>DiscountCode</code> logic in the React app matches the <code>DiscountCode</code> logic in the NestJS API.</li> <li> <strong>Easier Migrations:</strong> If you want to move from Postgres to MongoDB (Infrastructure), your Business Logic (Domain) stays exactly the same.</li> <li> <strong>Microservices &amp; MFE Ready:</strong> Because your contexts are already isolated, splitting a Monolith into Microservices or Micro-Frontends becomes a "copy-paste" job rather than a rewrite.</li> </ol> <h2> 4. Summary: The DDD Checklist </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Layer</th> <th>Responsibility</th> <th>Framework Dependency?</th> </tr> </thead> <tbody> <tr> <td><strong>Domain</strong></td> <td>Business Rules &amp; Logic</td> <td>No</td> </tr> <tr> <td><strong>Application</strong></td> <td>Workflow Orchestration</td> <td>Minimal (Hooks/Services)</td> </tr> <tr> <td><strong>Infrastructure</strong></td> <td>Data &amp; External Tools</td> <td>Yes (DB/API)</td> </tr> <tr> <td><strong>Presentation</strong></td> <td>UI &amp; Entry Points</td> <td>Yes (React/Nest)</td> </tr> </tbody> </table></div> <h3> Conclusion </h3> <p>DDD is not about adding more files; it’s about putting logic where it belongs. By isolating your "Domain," you ensure that your business rules remain stable even as frontend frameworks and backend databases evolve.</p> softwaredevelopment typescript ddd cleancode ThankGod Chibugwum Obobo Sun, 15 Feb 2026 17:00:00 +0000 https://forem.com/actocodes/scalable-folder-structures-how-i-organized-nestjs-nuxtjs-and-nextjs-for-enterprise-projects-p8k https://forem.com/actocodes/scalable-folder-structures-how-i-organized-nestjs-nuxtjs-and-nextjs-for-enterprise-projects-p8k <p>This topic addresses one of the most debated aspects of frontend and backend development, where to put your files. As projects scale from 10 to 100+ modules, the standard "folders by type" approach often becomes a bottleneck for developer productivity.</p> <p>When a project is small, organizing by type (e.g., all controllers in one folder, all components in another) feels intuitive. But as I found while building modular UIs and enterprise systems, this structure eventually leads to "Folder Sprawl." </p> <p>To build for scale, we shifted from <strong>Type-based</strong> organization to <strong>Feature-based</strong> organization. Here is the blueprint for how to structure enterprise-grade apps across the stack.</p> <h2> 1. The Debate: Type-based vs. Feature-based </h2> <h3> The Type-based Approach </h3> <p>Organizing by what the file <em>is</em> (Components, Services, Models).</p> <ul> <li> <strong>Pros:</strong> Easy to set up, follows framework defaults.</li> <li> <strong>Cons:</strong> To work on a "User Profile" feature, you must open five different folders. It increases cognitive load and makes code discovery difficult.</li> </ul> <h3> The Feature-based Approach </h3> <p>Organizing by what the file <em>does</em> (Authentication, Billing, Dashboard).</p> <ul> <li> <strong>Pros:</strong> High cohesion, everything related to a feature is in one place.</li> <li> <strong>Cons:</strong> Requires more discipline and a "Shared" module for cross-cutting concerns.</li> </ul> <h2> 2. Implementation: Nest.js </h2> <p>Nest.js is designed around modules, which naturally encourages a feature-based structure.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>nestjs-app/ ├── src/ │ ├── main.ts │ ├── app.module.ts │ │ │ ├── common/ # Shared across all features │ │ ├── decorators/ │ │ ├── guards/ │ │ ├── interceptors/ │ │ ├── pipes/ │ │ ├── filters/ │ │ ├── middleware/ │ │ ├── interfaces/ │ │ └── utils/ │ │ │ ├── config/ # Configuration │ │ ├── database.config.ts │ │ ├── app.config.ts │ │ └── validation.schema.ts │ │ │ ├── features/ # Feature modules │ │ │ │ │ ├── auth/ │ │ │ ├── auth.module.ts │ │ │ ├── auth.controller.ts │ │ │ ├── auth.service.ts │ │ │ ├── dto/ │ │ │ │ ├── login.dto.ts │ │ │ │ ├── register.dto.ts │ │ │ │ └── refresh-token.dto.ts │ │ │ ├── entities/ │ │ │ │ └── session.entity.ts │ │ │ ├── guards/ │ │ │ │ ├── jwt-auth.guard.ts │ │ │ │ └── roles.guard.ts │ │ │ ├── strategies/ │ │ │ │ ├── jwt.strategy.ts │ │ │ │ └── local.strategy.ts │ │ │ └── tests/ │ │ │ ├── auth.controller.spec.ts │ │ │ └── auth.service.spec.ts │ │ │ │ │ ├── users/ │ │ │ ├── users.module.ts │ │ │ ├── users.controller.ts │ │ │ ├── users.service.ts │ │ │ ├── users.repository.ts │ │ │ ├── dto/ │ │ │ │ ├── create-user.dto.ts │ │ │ │ ├── update-user.dto.ts │ │ │ │ └── user-response.dto.ts │ │ │ ├── entities/ │ │ │ │ └── user.entity.ts │ │ │ ├── interfaces/ │ │ │ │ └── user.interface.ts │ │ │ └── tests/ │ │ │ ├── users.controller.spec.ts │ │ │ └── users.service.spec.ts │ │ │ │ │ ├── products/ │ │ │ ├── products.module.ts │ │ │ ├── products.controller.ts │ │ │ ├── products.service.ts │ │ │ ├── products.repository.ts │ │ │ ├── dto/ │ │ │ │ ├── create-product.dto.ts │ │ │ │ ├── update-product.dto.ts │ │ │ │ └── product-filter.dto.ts │ │ │ ├── entities/ │ │ │ │ ├── product.entity.ts │ │ │ │ └── product-category.entity.ts │ │ │ └── tests/ │ │ │ │ │ ├── orders/ │ │ │ ├── orders.module.ts │ │ │ ├── orders.controller.ts │ │ │ ├── orders.service.ts │ │ │ ├── orders.repository.ts │ │ │ ├── dto/ │ │ │ │ ├── create-order.dto.ts │ │ │ │ └── order-item.dto.ts │ │ │ ├── entities/ │ │ │ │ ├── order.entity.ts │ │ │ │ └── order-item.entity.ts │ │ │ ├── events/ │ │ │ │ └── order-created.event.ts │ │ │ ├── listeners/ │ │ │ │ └── order-notification.listener.ts │ │ │ └── tests/ │ │ │ │ │ └── payments/ │ │ ├── payments.module.ts │ │ ├── payments.controller.ts │ │ ├── payments.service.ts │ │ ├── dto/ │ │ ├── entities/ │ │ └── tests/ │ │ │ └── database/ # Database specific │ ├── migrations/ │ ├── seeds/ │ └── database.module.ts │ ├── test/ # E2E tests │ └── app.e2e-spec.ts │ ├── .env ├── .env.example ├── nest-cli.json ├── package.json ├── tsconfig.json └── README.md </code></pre> </div> <h3> Key Principles for NestJS: </h3> <ul> <li>Each feature is a self-contained module with its own controllers, services, DTOs, and entities</li> <li>Shared utilities and guards go in <code>common/</code> </li> <li>Database entities live within their respective feature folders</li> <li>Each feature can be independently tested and potentially extracted into a microservice</li> </ul> <h2> 3. Implementation: Nuxt.js &amp; Next.js (The Frontend) </h2> <p>Frontend projects often suffer from a <code>components/</code> folder containing 200 unrelated files. For enterprise projects, I implement a "Modular UI" strategy.</p> <h3> Next.js Feature-First Structure </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>nextjs-app/ ├── src/ │ ├── app/ # App Router │ │ ├── layout.tsx │ │ ├── page.tsx │ │ ├── loading.tsx │ │ ├── error.tsx │ │ │ │ │ ├── (auth)/ # Route group │ │ │ ├── login/ │ │ │ │ └── page.tsx │ │ │ └── register/ │ │ │ └── page.tsx │ │ │ │ │ ├── dashboard/ │ │ │ ├── layout.tsx │ │ │ ├── page.tsx │ │ │ └── loading.tsx │ │ │ │ │ ├── products/ │ │ │ ├── page.tsx │ │ │ ├── [id]/ │ │ │ │ ├── page.tsx │ │ │ │ └── loading.tsx │ │ │ └── new/ │ │ │ └── page.tsx │ │ │ │ │ └── api/ # API routes │ │ ├── auth/ │ │ │ └── [...nextauth]/ │ │ │ └── route.ts │ │ ├── products/ │ │ │ ├── route.ts │ │ │ └── [id]/ │ │ │ └── route.ts │ │ └── orders/ │ │ └── route.ts │ │ │ ├── features/ # Feature modules │ │ │ │ │ ├── auth/ │ │ │ ├── components/ │ │ │ │ ├── LoginForm.tsx │ │ │ │ ├── RegisterForm.tsx │ │ │ │ └── AuthProvider.tsx │ │ │ ├── hooks/ │ │ │ │ ├── useAuth.ts │ │ │ │ └── useSession.ts │ │ │ ├── services/ │ │ │ │ └── auth.service.ts │ │ │ ├── types/ │ │ │ │ └── auth.types.ts │ │ │ ├── utils/ │ │ │ │ └── validation.ts │ │ │ └── constants/ │ │ │ └── auth.constants.ts │ │ │ │ │ ├── users/ │ │ │ ├── components/ │ │ │ │ ├── UserProfile.tsx │ │ │ │ ├── UserList.tsx │ │ │ │ └── UserCard.tsx │ │ │ ├── hooks/ │ │ │ │ ├── useUser.ts │ │ │ │ └── useUsers.ts │ │ │ ├── services/ │ │ │ │ └── user.service.ts │ │ │ ├── types/ │ │ │ │ └── user.types.ts │ │ │ └── utils/ │ │ │ └── user.utils.ts │ │ │ │ │ ├── products/ │ │ │ ├── components/ │ │ │ │ ├── ProductCard.tsx │ │ │ │ ├── ProductList.tsx │ │ │ │ ├── ProductDetail.tsx │ │ │ │ ├── ProductForm.tsx │ │ │ │ └── ProductFilters.tsx │ │ │ ├── hooks/ │ │ │ │ ├── useProducts.ts │ │ │ │ ├── useProduct.ts │ │ │ │ └── useProductMutation.ts │ │ │ ├── services/ │ │ │ │ └── product.service.ts │ │ │ ├── types/ │ │ │ │ └── product.types.ts │ │ │ ├── store/ # If using state management │ │ │ │ ├── productSlice.ts │ │ │ │ └── productSelectors.ts │ │ │ └── utils/ │ │ │ └── product.utils.ts │ │ │ │ │ ├── orders/ │ │ │ ├── components/ │ │ │ │ ├── OrderList.tsx │ │ │ │ ├── OrderDetail.tsx │ │ │ │ └── OrderSummary.tsx │ │ │ ├── hooks/ │ │ │ │ └── useOrders.ts │ │ │ ├── services/ │ │ │ │ └── order.service.ts │ │ │ └── types/ │ │ │ └── order.types.ts │ │ │ │ │ └── cart/ │ │ ├── components/ │ │ │ ├── CartDrawer.tsx │ │ │ ├── CartItem.tsx │ │ │ └── CartSummary.tsx │ │ ├── hooks/ │ │ │ └── useCart.ts │ │ ├── store/ │ │ │ └── cartSlice.ts │ │ └── types/ │ │ └── cart.types.ts │ │ │ ├── shared/ # Shared across features │ │ ├── components/ │ │ │ ├── ui/ │ │ │ │ ├── Button.tsx │ │ │ │ ├── Input.tsx │ │ │ │ ├── Modal.tsx │ │ │ │ └── Card.tsx │ │ │ ├── layout/ │ │ │ │ ├── Header.tsx │ │ │ │ ├── Footer.tsx │ │ │ │ ├── Sidebar.tsx │ │ │ │ └── Container.tsx │ │ │ └── forms/ │ │ │ ├── FormInput.tsx │ │ │ └── FormSelect.tsx │ │ ├── hooks/ │ │ │ ├── useDebounce.ts │ │ │ ├── useLocalStorage.ts │ │ │ └── useMediaQuery.ts │ │ ├── utils/ │ │ │ ├── api.ts │ │ │ ├── format.ts │ │ │ └── validation.ts │ │ ├── types/ │ │ │ └── global.types.ts │ │ └── constants/ │ │ └── app.constants.ts │ │ │ ├── lib/ # Third-party configurations │ │ ├── prisma.ts │ │ ├── axios.ts │ │ └── react-query.ts │ │ │ └── styles/ │ ├── globals.css │ └── theme.ts │ ├── public/ │ ├── images/ │ ├── fonts/ │ └── icons/ │ ├── prisma/ # Database schema │ └── schema.prisma │ ├── .env.local ├── .env.example ├── next.config.js ├── tailwind.config.js ├── tsconfig.json ├── package.json └── README.md </code></pre> </div> <h3> Key Principles for Next.js: </h3> <ul> <li>Route-specific components live in <code>app/</code> directory</li> <li>Reusable feature logic (components, hooks, services) lives in <code>features/</code> </li> <li>Shared UI components and utilities in <code>shared/</code> </li> <li>Each feature is independent and can import from other features when needed</li> <li>API routes follow the same feature-based organization</li> </ul> <h3> Nuxt.js Feature-First Structure </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>nuxtjs-app/ ├── app/ │ ├── app.vue │ └── router.options.ts │ ├── assets/ # Uncompiled assets │ ├── styles/ │ │ ├── main.css │ │ └── variables.css │ ├── images/ │ └── fonts/ │ ├── components/ # Auto-imported components │ ├── layout/ │ │ ├── AppHeader.vue │ │ ├── AppFooter.vue │ │ └── AppSidebar.vue │ │ │ └── ui/ # Shared UI components │ ├── BaseButton.vue │ ├── BaseInput.vue │ ├── BaseModal.vue │ └── BaseCard.vue │ ├── composables/ # Auto-imported composables │ ├── useDebounce.ts │ ├── useLocalStorage.ts │ └── useMediaQuery.ts │ ├── features/ # Feature modules │ │ │ ├── auth/ │ │ ├── components/ │ │ │ ├── LoginForm.vue │ │ │ ├── RegisterForm.vue │ │ │ └── PasswordReset.vue │ │ ├── composables/ │ │ │ ├── useAuth.ts │ │ │ └── useSession.ts │ │ ├── services/ │ │ │ └── auth.service.ts │ │ ├── types/ │ │ │ └── auth.types.ts │ │ ├── utils/ │ │ │ └── validation.ts │ │ └── stores/ │ │ └── auth.store.ts │ │ │ ├── users/ │ │ ├── components/ │ │ │ ├── UserProfile.vue │ │ │ ├── UserList.vue │ │ │ ├── UserCard.vue │ │ │ └── UserAvatar.vue │ │ ├── composables/ │ │ │ ├── useUser.ts │ │ │ └── useUsers.ts │ │ ├── services/ │ │ │ └── user.service.ts │ │ ├── types/ │ │ │ └── user.types.ts │ │ ├── utils/ │ │ │ └── user.utils.ts │ │ └── stores/ │ │ └── user.store.ts │ │ │ ├── products/ │ │ ├── components/ │ │ │ ├── ProductCard.vue │ │ │ ├── ProductList.vue │ │ │ ├── ProductDetail.vue │ │ │ ├── ProductForm.vue │ │ │ └── ProductFilters.vue │ │ ├── composables/ │ │ │ ├── useProducts.ts │ │ │ ├── useProduct.ts │ │ │ └── useProductFilters.ts │ │ ├── services/ │ │ │ └── product.service.ts │ │ ├── types/ │ │ │ └── product.types.ts │ │ ├── utils/ │ │ │ └── product.utils.ts │ │ └── stores/ │ │ └── product.store.ts │ │ │ ├── orders/ │ │ ├── components/ │ │ │ ├── OrderList.vue │ │ │ ├── OrderDetail.vue │ │ │ ├── OrderSummary.vue │ │ │ └── OrderStatus.vue │ │ ├── composables/ │ │ │ └── useOrders.ts │ │ ├── services/ │ │ │ └── order.service.ts │ │ ├── types/ │ │ │ └── order.types.ts │ │ └── stores/ │ │ └── order.store.ts │ │ │ └── cart/ │ ├── components/ │ │ ├── CartDrawer.vue │ │ ├── CartItem.vue │ │ └── CartSummary.vue │ ├── composables/ │ │ └── useCart.ts │ ├── types/ │ │ └── cart.types.ts │ └── stores/ │ └── cart.store.ts │ ├── layouts/ # Application layouts │ ├── default.vue │ ├── auth.vue │ └── dashboard.vue │ ├── middleware/ # Route middleware │ ├── auth.ts │ ├── guest.ts │ └── permissions.ts │ ├── pages/ # File-based routing │ ├── index.vue │ │ │ ├── auth/ │ │ ├── login.vue │ │ └── register.vue │ │ │ ├── dashboard/ │ │ └── index.vue │ │ │ ├── products/ │ │ ├── index.vue │ │ ├── [id].vue │ │ └── new.vue │ │ │ └── orders/ │ ├── index.vue │ └── [id].vue │ ├── plugins/ # Nuxt plugins │ ├── api.ts │ └── toast.ts │ ├── public/ # Static files │ ├── favicon.ico │ └── robots.txt │ ├── server/ # Server-side code │ ├── api/ │ │ ├── auth/ │ │ │ ├── login.post.ts │ │ │ └── register.post.ts │ │ ├── products/ │ │ │ ├── index.get.ts │ │ │ ├── [id].get.ts │ │ │ └── [id].put.ts │ │ └── orders/ │ │ ├── index.get.ts │ │ └── [id].get.ts │ │ │ ├── middleware/ │ │ └── auth.ts │ │ │ └── utils/ │ └── db.ts │ ├── stores/ # Global Pinia stores │ └── app.store.ts │ ├── types/ # Global TypeScript types │ └── index.d.ts │ ├── utils/ # Auto-imported utilities │ ├── api.ts │ ├── format.ts │ └── constants.ts │ ├── .env ├── .env.example ├── nuxt.config.ts ├── tailwind.config.js ├── tsconfig.json ├── package.json └── README.md </code></pre> </div> <h3> Key Principles for Nuxt.js: </h3> <ul> <li>File-based routing in <code>pages/</code> directory</li> <li>Feature-specific components in <code>features/[feature]/components/</code> </li> <li>Auto-imported composables from both root <code>composables/</code> and feature-specific directories</li> <li>Server API routes follow feature organization in <code>server/api/</code> </li> <li>Pinia stores for state management within each feature</li> <li>Shared components in root <code>components/</code> directory with auto-import</li> </ul> <h2> 4. Cross-Cutting Concerns: The <code>Shared</code> Module </h2> <p>The biggest risk of feature-based structures is duplication. To solve this, you must have a strictly governed <code>shared</code> or <code>common</code> folder.</p> <ul> <li>Shared UI: Generic buttons, inputs, and layouts.</li> <li>Shared Utils: Date formatters, string manipulators, and validators.</li> <li>Shared Hooks: <code>useWindowSize</code>, <code>useAuthContext</code>.</li> </ul> <p>The Rule: A feature can import from shared, but shared can never import from a feature.</p> <h2> 5. Common Benefits of Feature-First Architecture </h2> <ol> <li> <strong>Scalability</strong>: Easy to add new features without affecting existing ones</li> <li> <strong>Maintainability</strong>: Related code is co-located, making it easier to understand and modify</li> <li> <strong>Team Collaboration</strong>: Different teams can work on different features with minimal conflicts</li> <li> <strong>Code Reusability</strong>: Shared code is explicitly separated from feature-specific code</li> <li> <strong>Testing</strong>: Each feature can be tested independently</li> <li> <strong>Modularity</strong>: Features can potentially be extracted into separate packages or microservices</li> </ol> <h2> 6. Migration Tips </h2> <p>When transitioning from a layer-first to feature-first structure:</p> <ol> <li>Start with new features using the feature-first approach</li> <li>Gradually migrate existing features one at a time</li> <li>Keep shared utilities separate from the start</li> <li>Use barrel exports (index files) to maintain clean import paths</li> <li>Document the structure for your team</li> </ol> <p>Configure path aliases in your <code>tsconfig.json</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"compilerOptions"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"paths"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"@/*"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"./src/*"</span><span class="p">],</span><span class="w"> </span><span class="nl">"@features/*"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"./src/features/*"</span><span class="p">],</span><span class="w"> </span><span class="nl">"@shared/*"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"./src/shared/*"</span><span class="p">],</span><span class="w"> </span><span class="nl">"@common/*"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"./src/common/*"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> 5. Summary: Scalability Checklist </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Principle</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><strong>Scale-Ready Structure</strong></td> <td>Design the folder structure to accommodate growth without major refactoring</td> </tr> <tr> <td><strong>Locality</strong></td> <td>Keep logic, types, and styles together with the component/module</td> </tr> <tr> <td><strong>Encapsulation</strong></td> <td>Use index.ts files to export only what is necessary (The Public API pattern)</td> </tr> <tr> <td><strong>Dependency Rule</strong></td> <td>Features should rarely depend on other features; use a Service or Store for communication</td> </tr> <tr> <td><strong>Naming</strong></td> <td>Use consistent suffixes (e.g., user.controller.ts, user.service.ts) for easy searching</td> </tr> </tbody> </table></div> <h2> Conclusion </h2> <p>Structure is not just about aesthetics, it is about developer velocity. By organizing Nest.js, Nuxt.js, and Next.js around features rather than types, you reduce the "mental tax" of navigating the codebase. This allows your team to spend less time finding files and more time building features.</p> softwaredevelopment softwareengineering programming cleancode ThankGod Chibugwum Obobo Sun, 08 Feb 2026 17:00:00 +0000 https://forem.com/actocodes/the-solid-principles-in-dart-building-robust-flutter-apps-4mho https://forem.com/actocodes/the-solid-principles-in-dart-building-robust-flutter-apps-4mho <p>In the fast-paced world of Flutter development, it is tempting to mix business logic with UI code. However, as your app grows, "quick fixes" lead to rigid codebases where a single change breaks three unrelated features.</p> <p>The <strong>SOLID principles</strong> are a set of five design guidelines that ensure your Dart code is flexible, testable, and scalable. Let’s look at how they apply specifically to the Flutter ecosystem.</p> <h2> 1. Single Responsibility Principle (SRP) </h2> <blockquote> <p>"A class should have one, and only one, reason to change."</p> </blockquote> <p>In Flutter, the biggest violation of SRP is the <strong>"God Widget"</strong> a single <code>StatefulWidget</code> that handles API calls, business logic, and complex UI rendering.</p> <ul> <li> <strong>The Fix:</strong> Separate your logic into a <strong>Controller</strong> or <strong>BLoC</strong> and your UI into a <strong>StatelessWidget</strong>.</li> <li> <strong>Result:</strong> You can test the business logic without rendering any pixels.</li> </ul> <p><strong>BAD:</strong> Violation of Single Responsibility Principle<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight dart"><code><span class="kd">class</span> <span class="nc">User</span> <span class="p">{</span> <span class="kt">String</span> <span class="n">name</span><span class="p">;</span> <span class="kt">String</span> <span class="n">email</span><span class="p">;</span> <span class="n">User</span><span class="p">(</span><span class="k">this</span><span class="o">.</span><span class="na">name</span><span class="p">,</span> <span class="k">this</span><span class="o">.</span><span class="na">email</span><span class="p">);</span> <span class="c1">// Responsibility 1: User data validation</span> <span class="kt">bool</span> <span class="n">isValidEmail</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="n">email</span><span class="o">.</span><span class="na">contains</span><span class="p">(</span><span class="s">'@'</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="n">email</span><span class="o">.</span><span class="na">contains</span><span class="p">(</span><span class="s">'.'</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Responsibility 2: Database operations</span> <span class="kt">void</span> <span class="n">saveToDatabase</span><span class="p">()</span> <span class="p">{</span> <span class="n">print</span><span class="p">(</span><span class="s">'Saving user to database...'</span><span class="p">);</span> <span class="c1">// Database logic here</span> <span class="p">}</span> <span class="c1">// Responsibility 3: Email notifications</span> <span class="kt">void</span> <span class="n">sendWelcomeEmail</span><span class="p">()</span> <span class="p">{</span> <span class="n">print</span><span class="p">(</span><span class="s">'Sending welcome email to </span><span class="si">$email</span><span class="s">...'</span><span class="p">);</span> <span class="c1">// Email sending logic here</span> <span class="p">}</span> <span class="c1">// Responsibility 4: Logging</span> <span class="kt">void</span> <span class="n">logUserActivity</span><span class="p">(</span><span class="kt">String</span> <span class="n">activity</span><span class="p">)</span> <span class="p">{</span> <span class="n">print</span><span class="p">(</span><span class="s">'[</span><span class="si">$name</span><span class="s">] </span><span class="si">$activity</span><span class="s">'</span><span class="p">);</span> <span class="c1">// Logging logic here</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>GOOD:</strong> Following Single Responsibility Principle<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight dart"><code><span class="c1">// Responsibility: Hold user data</span> <span class="kd">class</span> <span class="nc">User</span> <span class="p">{</span> <span class="kd">final</span> <span class="kt">String</span> <span class="n">name</span><span class="p">;</span> <span class="kd">final</span> <span class="kt">String</span> <span class="n">email</span><span class="p">;</span> <span class="n">User</span><span class="p">(</span><span class="k">this</span><span class="o">.</span><span class="na">name</span><span class="p">,</span> <span class="k">this</span><span class="o">.</span><span class="na">email</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Responsibility: Validate user data</span> <span class="kd">class</span> <span class="nc">UserValidator</span> <span class="p">{</span> <span class="kt">bool</span> <span class="n">isValidEmail</span><span class="p">(</span><span class="kt">String</span> <span class="n">email</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="n">email</span><span class="o">.</span><span class="na">contains</span><span class="p">(</span><span class="s">'@'</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="n">email</span><span class="o">.</span><span class="na">contains</span><span class="p">(</span><span class="s">'.'</span><span class="p">);</span> <span class="p">}</span> <span class="kt">bool</span> <span class="n">isValidName</span><span class="p">(</span><span class="kt">String</span> <span class="n">name</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="n">name</span><span class="o">.</span><span class="na">isNotEmpty</span> <span class="o">&amp;&amp;</span> <span class="n">name</span><span class="o">.</span><span class="na">length</span> <span class="p">&gt;</span><span class="o">=</span> <span class="mi">2</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Responsibility: Handle database operations for users</span> <span class="kd">class</span> <span class="nc">UserRepository</span> <span class="p">{</span> <span class="kt">void</span> <span class="n">save</span><span class="p">(</span><span class="n">User</span> <span class="n">user</span><span class="p">)</span> <span class="p">{</span> <span class="n">print</span><span class="p">(</span><span class="s">'Saving user </span><span class="si">${user.name}</span><span class="s"> to database...'</span><span class="p">);</span> <span class="c1">// Database logic here</span> <span class="p">}</span> <span class="n">User</span><span class="o">?</span> <span class="n">findByEmail</span><span class="p">(</span><span class="kt">String</span> <span class="n">email</span><span class="p">)</span> <span class="p">{</span> <span class="n">print</span><span class="p">(</span><span class="s">'Finding user by email: </span><span class="si">$email</span><span class="s">'</span><span class="p">);</span> <span class="c1">// Database query logic here</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Responsibility: Send email notifications</span> <span class="kd">class</span> <span class="nc">EmailService</span> <span class="p">{</span> <span class="kt">void</span> <span class="n">sendWelcomeEmail</span><span class="p">(</span><span class="n">User</span> <span class="n">user</span><span class="p">)</span> <span class="p">{</span> <span class="n">print</span><span class="p">(</span><span class="s">'Sending welcome email to </span><span class="si">${user.email}</span><span class="s">...'</span><span class="p">);</span> <span class="c1">// Email sending logic here</span> <span class="p">}</span> <span class="kt">void</span> <span class="n">sendPasswordResetEmail</span><span class="p">(</span><span class="n">User</span> <span class="n">user</span><span class="p">)</span> <span class="p">{</span> <span class="n">print</span><span class="p">(</span><span class="s">'Sending password reset email to </span><span class="si">${user.email}</span><span class="s">...'</span><span class="p">);</span> <span class="c1">// Email sending logic here</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Responsibility: Log application activities</span> <span class="kd">class</span> <span class="nc">Logger</span> <span class="p">{</span> <span class="kt">void</span> <span class="n">logUserActivity</span><span class="p">(</span><span class="kt">String</span> <span class="n">userName</span><span class="p">,</span> <span class="kt">String</span> <span class="n">activity</span><span class="p">)</span> <span class="p">{</span> <span class="kd">final</span> <span class="n">timestamp</span> <span class="o">=</span> <span class="n">DateTime</span><span class="o">.</span><span class="na">now</span><span class="p">();</span> <span class="n">print</span><span class="p">(</span><span class="s">'[</span><span class="si">$timestamp</span><span class="s">] [</span><span class="si">$userName</span><span class="s">] </span><span class="si">$activity</span><span class="s">'</span><span class="p">);</span> <span class="c1">// Logging logic here</span> <span class="p">}</span> <span class="kt">void</span> <span class="n">logError</span><span class="p">(</span><span class="kt">String</span> <span class="n">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">print</span><span class="p">(</span><span class="s">'[ERROR] </span><span class="si">$error</span><span class="s">'</span><span class="p">);</span> <span class="c1">// Error logging logic here</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> 2. Open/Closed Principle (OCP) </h2> <blockquote> <p>"Software entities should be open for extension, but closed for modification."</p> </blockquote> <p>If you need to add a new payment method to your app, you shouldn't have to modify your existing <code>PaymentProcessor</code> class.</p> <ul> <li> <strong>The Fix:</strong> Use <strong>Interfaces</strong> (Abstract Classes in Dart).</li> <li> <strong>Example:</strong> Create a <code>PaymentMethod</code> abstract class. Whether you add "Stripe" or "Apple Pay" later, the core logic remains untouched.</li> </ul> <p><strong>BAD:</strong> Violation of Open/Closed Principle<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight dart"><code><span class="kd">class</span> <span class="nc">PaymentProcessor</span> <span class="p">{</span> <span class="kt">void</span> <span class="n">processPayment</span><span class="p">(</span><span class="kt">String</span> <span class="n">paymentType</span><span class="p">,</span> <span class="kt">double</span> <span class="n">amount</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="n">paymentType</span> <span class="o">==</span> <span class="s">'creditCard'</span><span class="p">)</span> <span class="p">{</span> <span class="n">print</span><span class="p">(</span><span class="s">'Processing credit card payment of </span><span class="err">\$</span><span class="si">$amount</span><span class="s">'</span><span class="p">);</span> <span class="c1">// Credit card processing logic</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="n">paymentType</span> <span class="o">==</span> <span class="s">'paypal'</span><span class="p">)</span> <span class="p">{</span> <span class="n">print</span><span class="p">(</span><span class="s">'Processing PayPal payment of </span><span class="err">\$</span><span class="si">$amount</span><span class="s">'</span><span class="p">);</span> <span class="c1">// PayPal processing logic</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="n">paymentType</span> <span class="o">==</span> <span class="s">'stripe'</span><span class="p">)</span> <span class="p">{</span> <span class="n">print</span><span class="p">(</span><span class="s">'Processing Stripe payment of </span><span class="err">\$</span><span class="si">$amount</span><span class="s">'</span><span class="p">);</span> <span class="c1">// Stripe processing logic</span> <span class="p">}</span> <span class="c1">// Every time we add a new payment method, we need to modify this class!</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>GOOD:</strong> Following Open/Closed Principle<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight dart"><code><span class="c1">// Abstract base class - CLOSED for modification</span> <span class="kd">abstract</span> <span class="kd">class</span> <span class="nc">PaymentMethod</span> <span class="p">{</span> <span class="kt">void</span> <span class="n">processPayment</span><span class="p">(</span><span class="kt">double</span> <span class="n">amount</span><span class="p">);</span> <span class="kt">String</span> <span class="n">getPaymentMethodName</span><span class="p">();</span> <span class="p">}</span> <span class="c1">// Concrete implementations - OPEN for extension</span> <span class="kd">class</span> <span class="nc">CreditCardPayment</span> <span class="kd">implements</span> <span class="n">PaymentMethod</span> <span class="p">{</span> <span class="kd">final</span> <span class="kt">String</span> <span class="n">cardNumber</span><span class="p">;</span> <span class="kd">final</span> <span class="kt">String</span> <span class="n">cardHolderName</span><span class="p">;</span> <span class="n">CreditCardPayment</span><span class="p">(</span><span class="k">this</span><span class="o">.</span><span class="na">cardNumber</span><span class="p">,</span> <span class="k">this</span><span class="o">.</span><span class="na">cardHolderName</span><span class="p">);</span> <span class="nd">@override</span> <span class="kt">void</span> <span class="n">processPayment</span><span class="p">(</span><span class="kt">double</span> <span class="n">amount</span><span class="p">)</span> <span class="p">{</span> <span class="n">print</span><span class="p">(</span><span class="s">'Processing credit card payment of </span><span class="err">\$</span><span class="si">$amount</span><span class="s">'</span><span class="p">);</span> <span class="c1">// Credit card specific processing logic</span> <span class="p">}</span> <span class="nd">@override</span> <span class="kt">String</span> <span class="n">getPaymentMethodName</span><span class="p">()</span> <span class="o">=</span><span class="p">&gt;</span> <span class="s">'Credit Card'</span><span class="p">;</span> <span class="p">}</span> <span class="kd">class</span> <span class="nc">PayPalPayment</span> <span class="kd">implements</span> <span class="n">PaymentMethod</span> <span class="p">{</span> <span class="kd">final</span> <span class="kt">String</span> <span class="n">email</span><span class="p">;</span> <span class="n">PayPalPayment</span><span class="p">(</span><span class="k">this</span><span class="o">.</span><span class="na">email</span><span class="p">);</span> <span class="nd">@override</span> <span class="kt">void</span> <span class="n">processPayment</span><span class="p">(</span><span class="kt">double</span> <span class="n">amount</span><span class="p">)</span> <span class="p">{</span> <span class="n">print</span><span class="p">(</span><span class="s">'Processing PayPal payment of </span><span class="err">\$</span><span class="si">$amount</span><span class="s">'</span><span class="p">);</span> <span class="c1">// PayPal specific processing logic</span> <span class="p">}</span> <span class="nd">@override</span> <span class="kt">String</span> <span class="n">getPaymentMethodName</span><span class="p">()</span> <span class="o">=</span><span class="p">&gt;</span> <span class="s">'PayPal'</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// The payment processor is CLOSED for modification</span> <span class="c1">// but OPEN for extension through new PaymentMethod implementations</span> <span class="kd">class</span> <span class="nc">PaymentProcessor</span> <span class="p">{</span> <span class="kt">void</span> <span class="n">process</span><span class="p">(</span><span class="n">PaymentMethod</span> <span class="n">paymentMethod</span><span class="p">,</span> <span class="kt">double</span> <span class="n">amount</span><span class="p">)</span> <span class="p">{</span> <span class="n">print</span><span class="p">(</span><span class="s">'</span><span class="se">\n</span><span class="s">--- Starting </span><span class="si">${paymentMethod.getPaymentMethodName()}</span><span class="s"> Transaction ---'</span><span class="p">);</span> <span class="n">paymentMethod</span><span class="o">.</span><span class="na">processPayment</span><span class="p">(</span><span class="n">amount</span><span class="p">);</span> <span class="n">print</span><span class="p">(</span><span class="s">'--- Transaction Complete ---</span><span class="se">\n</span><span class="s">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> 3. Liskov Substitution Principle (LSP) </h2> <blockquote> <p>"Objects of a superclass should be replaceable with objects of its subclasses without breaking the application."</p> </blockquote> <p>In Dart, if <code>Square</code> inherits from <code>Rectangle</code>, but setting the width of <code>Square</code> also changes its height, it violates LSP. </p> <p><strong>BAD:</strong> Classic LSP Violation - squares/rectangles Problem<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight dart"><code><span class="kd">class</span> <span class="nc">BadQuadrilateral</span> <span class="p">{</span> <span class="kt">double</span> <span class="n">_width</span><span class="p">;</span> <span class="kt">double</span> <span class="n">_height</span><span class="p">;</span> <span class="n">BadQuadrilateral</span><span class="p">(</span><span class="k">this</span><span class="o">.</span><span class="na">_width</span><span class="p">,</span> <span class="k">this</span><span class="o">.</span><span class="na">_height</span><span class="p">);</span> <span class="kt">double</span> <span class="kd">get</span> <span class="n">width</span> <span class="o">=</span><span class="p">&gt;</span> <span class="n">_width</span><span class="p">;</span> <span class="kt">double</span> <span class="kd">get</span> <span class="n">height</span> <span class="o">=</span><span class="p">&gt;</span> <span class="n">_height</span><span class="p">;</span> <span class="kd">set</span> <span class="n">width</span><span class="p">(</span><span class="kt">double</span> <span class="n">value</span><span class="p">)</span> <span class="o">=</span><span class="p">&gt;</span> <span class="n">_width</span> <span class="o">=</span> <span class="n">value</span><span class="p">;</span> <span class="kd">set</span> <span class="n">height</span><span class="p">(</span><span class="kt">double</span> <span class="n">value</span><span class="p">)</span> <span class="o">=</span><span class="p">&gt;</span> <span class="n">_height</span> <span class="o">=</span> <span class="n">value</span><span class="p">;</span> <span class="kt">double</span> <span class="kd">get</span> <span class="n">area</span> <span class="o">=</span><span class="p">&gt;</span> <span class="n">_width</span> <span class="o">*</span> <span class="n">_height</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// VIOLATION: Square changes the behavior of BadQuadrilateral</span> <span class="kd">class</span> <span class="nc">BadSquare</span> <span class="kd">extends</span> <span class="n">BadRectangle</span> <span class="p">{</span> <span class="n">BadSquare</span><span class="p">(</span><span class="kt">double</span> <span class="n">side</span><span class="p">)</span> <span class="o">:</span> <span class="k">super</span><span class="p">(</span><span class="n">side</span><span class="p">,</span> <span class="n">side</span><span class="p">);</span> <span class="c1">// VIOLATION: Setting width also changes height!</span> <span class="nd">@override</span> <span class="kd">set</span> <span class="n">width</span><span class="p">(</span><span class="kt">double</span> <span class="n">value</span><span class="p">)</span> <span class="p">{</span> <span class="n">_width</span> <span class="o">=</span> <span class="n">value</span><span class="p">;</span> <span class="n">_height</span> <span class="o">=</span> <span class="n">value</span><span class="p">;</span> <span class="c1">// Side effect that violates LSP</span> <span class="p">}</span> <span class="c1">// VIOLATION: Setting height also changes width!</span> <span class="nd">@override</span> <span class="kd">set</span> <span class="n">height</span><span class="p">(</span><span class="kt">double</span> <span class="n">value</span><span class="p">)</span> <span class="p">{</span> <span class="n">_width</span> <span class="o">=</span> <span class="n">value</span><span class="p">;</span> <span class="c1">// Side effect that violates LSP</span> <span class="n">_height</span> <span class="o">=</span> <span class="n">value</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// This breaks when we substitute Square for BadQuadrilateral</span> <span class="kt">void</span> <span class="nf">demonstrateBadLSP</span><span class="p">()</span> <span class="p">{</span> <span class="n">BadQuadrilateral</span> <span class="n">quad</span> <span class="o">=</span> <span class="n">BadQuadrilateral</span><span class="p">(</span><span class="mi">5</span><span class="p">,</span> <span class="mi">10</span><span class="p">);</span> <span class="n">print</span><span class="p">(</span><span class="s">'Rectangle: </span><span class="si">${rect.width}</span><span class="s"> x </span><span class="si">${rect.height}</span><span class="s"> = </span><span class="si">${rect.area}</span><span class="s">'</span><span class="p">);</span> <span class="c1">// 5 x 10 = 50</span> <span class="n">quad</span><span class="o">.</span><span class="na">width</span> <span class="o">=</span> <span class="mi">20</span><span class="p">;</span> <span class="n">print</span><span class="p">(</span><span class="s">'After width change: </span><span class="si">${rect.width}</span><span class="s"> x </span><span class="si">${rect.height}</span><span class="s"> = </span><span class="si">${rect.area}</span><span class="s">'</span><span class="p">);</span> <span class="c1">// 20 x 10 = 200</span> <span class="c1">// Now substitute with Square - BREAKS!</span> <span class="n">BadQuadrilateral</span> <span class="n">square</span> <span class="o">=</span> <span class="n">BadSquare</span><span class="p">(</span><span class="mi">5</span><span class="p">);</span> <span class="n">print</span><span class="p">(</span><span class="s">'</span><span class="se">\n</span><span class="s">Square: </span><span class="si">${square.width}</span><span class="s"> x </span><span class="si">${square.height}</span><span class="s"> = </span><span class="si">${square.area}</span><span class="s">'</span><span class="p">);</span> <span class="c1">// 5 x 5 = 25</span> <span class="n">square</span><span class="o">.</span><span class="na">width</span> <span class="o">=</span> <span class="mi">20</span><span class="p">;</span> <span class="c1">// Expected: 20 x 5 = 100 (if it truly behaves like BadQuadrilateral)</span> <span class="c1">// Actual: 20 x 20 = 400 (BROKEN!)</span> <span class="n">print</span><span class="p">(</span><span class="s">'After width change: </span><span class="si">${square.width}</span><span class="s"> x </span><span class="si">${square.height}</span><span class="s"> = </span><span class="si">${square.area}</span><span class="s">'</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p><strong>GOOD:</strong> Proper LSP-compliant design<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight dart"><code><span class="kd">abstract</span> <span class="kd">class</span> <span class="nc">Shape</span> <span class="p">{</span> <span class="kt">double</span> <span class="kd">get</span> <span class="n">area</span><span class="p">;</span> <span class="kt">String</span> <span class="kd">get</span> <span class="n">description</span><span class="p">;</span> <span class="p">}</span> <span class="kd">class</span> <span class="nc">GoodRectangle</span> <span class="kd">implements</span> <span class="n">Shape</span> <span class="p">{</span> <span class="kd">final</span> <span class="kt">double</span> <span class="n">width</span><span class="p">;</span> <span class="kd">final</span> <span class="kt">double</span> <span class="n">height</span><span class="p">;</span> <span class="n">GoodRectangle</span><span class="p">(</span><span class="k">this</span><span class="o">.</span><span class="na">width</span><span class="p">,</span> <span class="k">this</span><span class="o">.</span><span class="na">height</span><span class="p">);</span> <span class="nd">@override</span> <span class="kt">double</span> <span class="kd">get</span> <span class="n">area</span> <span class="o">=</span><span class="p">&gt;</span> <span class="n">width</span> <span class="o">*</span> <span class="n">height</span><span class="p">;</span> <span class="nd">@override</span> <span class="kt">String</span> <span class="kd">get</span> <span class="n">description</span> <span class="o">=</span><span class="p">&gt;</span> <span class="s">'Rectangle: </span><span class="si">$width</span><span class="s"> x </span><span class="si">$height</span><span class="s">'</span><span class="p">;</span> <span class="p">}</span> <span class="kd">class</span> <span class="nc">GoodSquare</span> <span class="kd">implements</span> <span class="n">Shape</span> <span class="p">{</span> <span class="kd">final</span> <span class="kt">double</span> <span class="n">side</span><span class="p">;</span> <span class="n">GoodSquare</span><span class="p">(</span><span class="k">this</span><span class="o">.</span><span class="na">side</span><span class="p">);</span> <span class="nd">@override</span> <span class="kt">double</span> <span class="kd">get</span> <span class="n">area</span> <span class="o">=</span><span class="p">&gt;</span> <span class="n">side</span> <span class="o">*</span> <span class="n">side</span><span class="p">;</span> <span class="nd">@override</span> <span class="kt">String</span> <span class="kd">get</span> <span class="n">description</span> <span class="o">=</span><span class="p">&gt;</span> <span class="s">'Square: </span><span class="si">$side</span><span class="s"> x </span><span class="si">$side</span><span class="s">'</span><span class="p">;</span> <span class="p">}</span> <span class="kt">void</span> <span class="nf">demonstrateGoodLSP</span><span class="p">()</span> <span class="p">{</span> <span class="kt">void</span> <span class="n">printShapeInfo</span><span class="p">(</span><span class="n">Shape</span> <span class="n">shape</span><span class="p">)</span> <span class="p">{</span> <span class="n">print</span><span class="p">(</span><span class="s">'</span><span class="si">${shape.description}</span><span class="s"> = Area: </span><span class="si">${shape.area}</span><span class="s">'</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Both work perfectly when treated as Shape</span> <span class="n">Shape</span> <span class="n">rect</span> <span class="o">=</span> <span class="n">GoodRectangle</span><span class="p">(</span><span class="mi">5</span><span class="p">,</span> <span class="mi">10</span><span class="p">);</span> <span class="n">Shape</span> <span class="n">square</span> <span class="o">=</span> <span class="n">GoodSquare</span><span class="p">(</span><span class="mi">5</span><span class="p">);</span> <span class="n">printShapeInfo</span><span class="p">(</span><span class="n">rect</span><span class="p">);</span> <span class="c1">// Works!</span> <span class="n">printShapeInfo</span><span class="p">(</span><span class="n">square</span><span class="p">);</span> <span class="c1">// Works!</span> <span class="p">}</span> </code></pre> </div> <h2> 4. Interface Segregation Principle (ISP) </h2> <blockquote> <p>"Clients should not be forced to depend upon interfaces they do not use."</p> </blockquote> <p>Avoid creating "fat" abstract classes that force a class to implement methods it doesn't need.</p> <p><strong>Bad:</strong> An interface <code>SmartHomeDevice</code> that forces a <code>LightBulb</code> to implement <code>adjustTemperature()</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight dart"><code><span class="kd">abstract</span> <span class="kd">class</span> <span class="nc">SmartHomeDevice</span> <span class="p">{</span> <span class="kt">void</span> <span class="n">turnOn</span><span class="p">();</span> <span class="kt">void</span> <span class="n">turnOff</span><span class="p">();</span> <span class="kt">void</span> <span class="n">setTemperature</span><span class="p">(</span><span class="kt">double</span> <span class="n">temp</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p><strong>Good:</strong> Split them into <code>Switchable</code> and <code>Thermostatic</code> interfaces.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight dart"><code><span class="kd">abstract</span> <span class="kd">class</span> <span class="nc">Switchable</span> <span class="p">{</span> <span class="kt">void</span> <span class="n">turnOn</span><span class="p">();</span> <span class="kt">void</span> <span class="n">turnOff</span><span class="p">();</span> <span class="p">}</span> <span class="kd">abstract</span> <span class="kd">class</span> <span class="nc">Thermostatic</span> <span class="p">{</span> <span class="kt">void</span> <span class="n">setTemperature</span><span class="p">(</span><span class="kt">double</span> <span class="n">temp</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> 5. Dependency Inversion Principle (DIP) </h2> <blockquote> <p>"Depend upon abstractions, not concretions."</p> </blockquote> <p>This is the secret to a testable Flutter app. Your UI shouldn't depend on a specific FirebaseService, it should depend on a DatabaseInterface.</p> <ul> <li> <strong>The Fix:</strong> Use Dependency Injection (DI) with packages like get_it or Provider.* <strong>The Benefit:</strong> During testing, you can easily swap the real ApiService for a MockApiService.</li> </ul> <p><strong>BAD:</strong> Violation of Dependency Inversion Principle<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight dart"><code><span class="kd">class</span> <span class="nc">FirebaseDatabaseService</span> <span class="p">{</span> <span class="n">Future</span><span class="p">&lt;</span><span class="kt">List</span><span class="p">&lt;</span><span class="kt">String</span><span class="p">&gt;&gt;</span> <span class="n">fetchUsers</span><span class="p">()</span> <span class="kd">async</span> <span class="p">{</span> <span class="n">print</span><span class="p">(</span><span class="s">'Firebase: Fetching users'</span><span class="p">);</span> <span class="k">await</span> <span class="n">Future</span><span class="o">.</span><span class="na">delayed</span><span class="p">(</span><span class="kd">const</span> <span class="n">Duration</span><span class="p">(</span><span class="nl">seconds:</span> <span class="mi">1</span><span class="p">));</span> <span class="k">return</span> <span class="p">[</span><span class="s">'User1'</span><span class="p">,</span> <span class="s">'User2'</span><span class="p">,</span> <span class="s">'User3'</span><span class="p">];</span> <span class="p">}</span> <span class="n">Future</span><span class="p">&lt;</span><span class="kt">void</span><span class="p">&gt;</span> <span class="n">saveUser</span><span class="p">(</span><span class="kt">String</span> <span class="n">name</span><span class="p">)</span> <span class="kd">async</span> <span class="p">{</span> <span class="n">print</span><span class="p">(</span><span class="s">'Firebase: Saving user </span><span class="si">$name</span><span class="s">'</span><span class="p">);</span> <span class="k">await</span> <span class="n">Future</span><span class="o">.</span><span class="na">delayed</span><span class="p">(</span><span class="kd">const</span> <span class="n">Duration</span><span class="p">(</span><span class="nl">milliseconds:</span> <span class="mi">500</span><span class="p">));</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// BAD: UserViewModel depends directly on concrete Firebase implementation</span> <span class="kd">class</span> <span class="nc">BadUserViewModel</span> <span class="p">{</span> <span class="kd">final</span> <span class="n">FirebaseDatabaseService</span> <span class="n">_dbService</span> <span class="o">=</span> <span class="n">FirebaseDatabaseService</span><span class="p">();</span> <span class="n">Future</span><span class="p">&lt;</span><span class="kt">List</span><span class="p">&lt;</span><span class="kt">String</span><span class="p">&gt;&gt;</span> <span class="n">getUsers</span><span class="p">()</span> <span class="kd">async</span> <span class="p">{</span> <span class="k">return</span> <span class="k">await</span> <span class="n">_dbService</span><span class="o">.</span><span class="na">fetchUsers</span><span class="p">();</span> <span class="p">}</span> <span class="n">Future</span><span class="p">&lt;</span><span class="kt">void</span><span class="p">&gt;</span> <span class="n">addUser</span><span class="p">(</span><span class="kt">String</span> <span class="n">name</span><span class="p">)</span> <span class="kd">async</span> <span class="p">{</span> <span class="k">await</span> <span class="n">_dbService</span><span class="o">.</span><span class="na">saveUser</span><span class="p">(</span><span class="n">name</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>GOOD:</strong> Following Dependency Inversion Principle<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight dart"><code><span class="c1">// Depend on abstractions, not concretions</span> <span class="c1">// Abstractions (interfaces)</span> <span class="kd">abstract</span> <span class="kd">class</span> <span class="nc">DatabaseService</span> <span class="p">{</span> <span class="n">Future</span><span class="p">&lt;</span><span class="kt">List</span><span class="p">&lt;</span><span class="kt">String</span><span class="p">&gt;&gt;</span> <span class="n">fetchUsers</span><span class="p">();</span> <span class="n">Future</span><span class="p">&lt;</span><span class="kt">void</span><span class="p">&gt;</span> <span class="n">saveUser</span><span class="p">(</span><span class="kt">String</span> <span class="n">name</span><span class="p">);</span> <span class="n">Future</span><span class="p">&lt;</span><span class="kt">void</span><span class="p">&gt;</span> <span class="n">deleteUser</span><span class="p">(</span><span class="kt">String</span> <span class="n">name</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Concrete implementations</span> <span class="kd">class</span> <span class="nc">FirebaseDatabase</span> <span class="kd">implements</span> <span class="n">DatabaseService</span> <span class="p">{</span> <span class="nd">@override</span> <span class="n">Future</span><span class="p">&lt;</span><span class="kt">List</span><span class="p">&lt;</span><span class="kt">String</span><span class="p">&gt;&gt;</span> <span class="n">fetchUsers</span><span class="p">()</span> <span class="kd">async</span> <span class="p">{</span> <span class="n">print</span><span class="p">(</span><span class="s">'Firebase: Fetching users'</span><span class="p">);</span> <span class="k">await</span> <span class="n">Future</span><span class="o">.</span><span class="na">delayed</span><span class="p">(</span><span class="kd">const</span> <span class="n">Duration</span><span class="p">(</span><span class="nl">seconds:</span> <span class="mi">1</span><span class="p">));</span> <span class="k">return</span> <span class="p">[</span><span class="s">'Alice'</span><span class="p">,</span> <span class="s">'Bob'</span><span class="p">,</span> <span class="s">'Charlie'</span><span class="p">];</span> <span class="p">}</span> <span class="nd">@override</span> <span class="n">Future</span><span class="p">&lt;</span><span class="kt">void</span><span class="p">&gt;</span> <span class="n">saveUser</span><span class="p">(</span><span class="kt">String</span> <span class="n">name</span><span class="p">)</span> <span class="kd">async</span> <span class="p">{</span> <span class="n">print</span><span class="p">(</span><span class="s">'Firebase: Saving user </span><span class="si">$name</span><span class="s">'</span><span class="p">);</span> <span class="k">await</span> <span class="n">Future</span><span class="o">.</span><span class="na">delayed</span><span class="p">(</span><span class="kd">const</span> <span class="n">Duration</span><span class="p">(</span><span class="nl">milliseconds:</span> <span class="mi">500</span><span class="p">));</span> <span class="p">}</span> <span class="nd">@override</span> <span class="n">Future</span><span class="p">&lt;</span><span class="kt">void</span><span class="p">&gt;</span> <span class="n">deleteUser</span><span class="p">(</span><span class="kt">String</span> <span class="n">name</span><span class="p">)</span> <span class="kd">async</span> <span class="p">{</span> <span class="n">print</span><span class="p">(</span><span class="s">'Firebase: Deleting user </span><span class="si">$name</span><span class="s">'</span><span class="p">);</span> <span class="k">await</span> <span class="n">Future</span><span class="o">.</span><span class="na">delayed</span><span class="p">(</span><span class="kd">const</span> <span class="n">Duration</span><span class="p">(</span><span class="nl">milliseconds:</span> <span class="mi">500</span><span class="p">));</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Alternative implementation (easy to swap!)</span> <span class="kd">class</span> <span class="nc">LocalDatabase</span> <span class="kd">implements</span> <span class="n">DatabaseService</span> <span class="p">{</span> <span class="kd">final</span> <span class="kt">List</span><span class="p">&lt;</span><span class="kt">String</span><span class="p">&gt;</span> <span class="n">_users</span> <span class="o">=</span> <span class="p">[</span><span class="s">'User1'</span><span class="p">,</span> <span class="s">'User2'</span><span class="p">];</span> <span class="nd">@override</span> <span class="n">Future</span><span class="p">&lt;</span><span class="kt">List</span><span class="p">&lt;</span><span class="kt">String</span><span class="p">&gt;&gt;</span> <span class="n">fetchUsers</span><span class="p">()</span> <span class="kd">async</span> <span class="p">{</span> <span class="n">print</span><span class="p">(</span><span class="s">'Local: Fetching users'</span><span class="p">);</span> <span class="k">return</span> <span class="kt">List</span><span class="o">.</span><span class="na">from</span><span class="p">(</span><span class="n">_users</span><span class="p">);</span> <span class="p">}</span> <span class="nd">@override</span> <span class="n">Future</span><span class="p">&lt;</span><span class="kt">void</span><span class="p">&gt;</span> <span class="n">saveUser</span><span class="p">(</span><span class="kt">String</span> <span class="n">name</span><span class="p">)</span> <span class="kd">async</span> <span class="p">{</span> <span class="n">print</span><span class="p">(</span><span class="s">'Local: Saving user </span><span class="si">$name</span><span class="s">'</span><span class="p">);</span> <span class="n">_users</span><span class="o">.</span><span class="na">add</span><span class="p">(</span><span class="n">name</span><span class="p">);</span> <span class="p">}</span> <span class="nd">@override</span> <span class="n">Future</span><span class="p">&lt;</span><span class="kt">void</span><span class="p">&gt;</span> <span class="n">deleteUser</span><span class="p">(</span><span class="kt">String</span> <span class="n">name</span><span class="p">)</span> <span class="kd">async</span> <span class="p">{</span> <span class="n">print</span><span class="p">(</span><span class="s">'Local: Deleting user </span><span class="si">$name</span><span class="s">'</span><span class="p">);</span> <span class="n">_users</span><span class="o">.</span><span class="na">remove</span><span class="p">(</span><span class="n">name</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// GOOD: ViewModels depend on abstractions</span> <span class="kd">class</span> <span class="nc">UserViewModel</span> <span class="p">{</span> <span class="kd">final</span> <span class="n">DatabaseService</span> <span class="n">_databaseService</span><span class="p">;</span> <span class="n">UserViewModel</span><span class="p">(</span><span class="k">this</span><span class="o">.</span><span class="na">_databaseService</span><span class="p">);</span> <span class="c1">// Dependency injection</span> <span class="n">Future</span><span class="p">&lt;</span><span class="kt">List</span><span class="p">&lt;</span><span class="kt">String</span><span class="p">&gt;&gt;</span> <span class="n">getUsers</span><span class="p">()</span> <span class="kd">async</span> <span class="p">{</span> <span class="k">return</span> <span class="k">await</span> <span class="n">_databaseService</span><span class="o">.</span><span class="na">fetchUsers</span><span class="p">();</span> <span class="p">}</span> <span class="n">Future</span><span class="p">&lt;</span><span class="kt">void</span><span class="p">&gt;</span> <span class="n">addUser</span><span class="p">(</span><span class="kt">String</span> <span class="n">name</span><span class="p">)</span> <span class="kd">async</span> <span class="p">{</span> <span class="k">await</span> <span class="n">_databaseService</span><span class="o">.</span><span class="na">saveUser</span><span class="p">(</span><span class="n">name</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Conclusion </h2> <p>Applying SOLID in Dart isn't about following dogmatic rules, it's about reducing the cost of change. By ensuring your Flutter components are decoupled and specialized, you build an app that can evolve as fast as the market demands.</p> programming softwaredevelopment softwareengineering cleancode ThankGod Chibugwum Obobo Sun, 01 Feb 2026 17:00:00 +0000 https://forem.com/actocodes/automated-code-quality-using-sonarqube-quality-gates-to-enforce-cleaner-codebases-53c0 https://forem.com/actocodes/automated-code-quality-using-sonarqube-quality-gates-to-enforce-cleaner-codebases-53c0 <p>You can explain "Clean Code" to a team a dozen times, but under the pressure of a deadline, shortcuts will be taken. Manual code reviews are essential, but they are subjective and fallible. To truly scale quality, you need an automated "referee."</p> <p>This is the strategy I’ve used to implement <strong>SonarQube Quality Gates</strong>, ensuring that "Technical Debt" never makes it into the master branch.</p> <h2> What is a Quality Gate? </h2> <p>A <strong>Quality Gate</strong> is a set of boolean conditions that a project must meet before it can be merged. It acts as a "Stop/Go" signal for your CI/CD pipeline. If the new code increases complexity or drops test coverage beyond the set thresholds, the gate "fails," the build breaks, and the PR cannot be merged.</p> <p>The secret to SonarQube for legacy codebases isn't fixing the <em>old</em> code (which can be overwhelming), it’s the <strong>New Code Period</strong>. You set the gate to only analyze code written in the last X days or since the last version. This ensures the technical debt doesn't grow.</p> <h2> Setting the Standards: My Recommended Thresholds </h2> <p>When I set up gates for enterprise projects, I use these specific metrics to balance speed and stability:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Threshold</th> <th>Why?</th> </tr> </thead> <tbody> <tr> <td><strong>Cognitive Complexity</strong></td> <td>Max 15 per function</td> <td>Ensures functions remain "readable" by humans.</td> </tr> <tr> <td><strong>New Code Coverage</strong></td> <td>Min 80%</td> <td>Ensures every new feature is tested without requiring 100% on legacy code.</td> </tr> <tr> <td><strong>Security Hotspots</strong></td> <td>0</td> <td>Prevents hardcoded API keys or SQL injection patterns from leaking.</td> </tr> <tr> <td><strong>Duplicated Blocks</strong></td> <td>&lt; 3%</td> <td>Enforces the "DRY" principle automatically.</td> </tr> <tr> <td><strong>Maintainability Rating</strong></td> <td>A</td> <td>Forces developers to fix "Code Smells" immediately.</td> </tr> </tbody> </table></div> <h2> Integrating into the CI/CD Pipeline (GitHub Actions) </h2> <p>Automation only works if it's invisible. By integrating SonarQube into your <strong>GitHub Actions</strong> or <strong>GitLab CI</strong>, the feedback loop happens within minutes of a <code>git push</code>.</p> <p><strong>The Workflow Flow:</strong></p> <ol> <li> <strong>Developer pushes code:</strong> A PR is opened.</li> <li> <strong>Scan Triggered:</strong> The SonarScanner runs against the files.</li> <li> <strong>The Verdict:</strong> SonarQube sends a "Success" or "Failure" status back to the PR.</li> <li> <strong>Blocking the Merge:</strong> GitHub is configured to "Require status checks to pass before merging."</li> </ol> <h2> SonarLint: Bringing the Gate to the IDE </h2> <p>While Quality Gates in the CI/CD pipeline act as the final "referee", waiting for a build to fail can be frustrating for developers. To solve this, you can use SonarLint, a free IDE extension that provides real-time feedback as you type.</p> <h3> Why use SonarLint? </h3> <ul> <li> <strong>Instant Gratification:</strong> Developers see "Code Smells" and security vulnerabilities highlighted in their editor immediately, much like a spellchecker.</li> <li> <strong>Educational Tooltips:</strong> Each finding comes with a detailed explanation of why the code is an issue and how to fix it, reinforcing "Clean Code" principles during the flow of work.</li> <li> <strong>Connected Mode:</strong> This is the "secret sauce." You can sync SonarLint with your SonarQube server to ensure the rules in the IDE perfectly match the rules in your Quality Gate.</li> </ul> <h3> The Developer Experience (DX) Benefit </h3> <p>By fixing issues locally, developers avoid the "context switching" that happens when a PR fails a CI check ten minutes after it was pushed. It transforms the Quality Gate from a "blocking hurdle" into a "final verification," making the entire workflow smoother and more collaborative.</p> <h2> The Cultural Shift: From "Policing" to "Empowering" </h2> <p>The biggest challenge with automated gates is developer pushback. If the gate is too strict, it feels like a hurdle. </p> <p><strong>How to win the team over:</strong></p> <ul> <li> <strong>Immediate Feedback:</strong> Developers see exactly which line of code caused the failure and why. It becomes a learning tool, not a punishment.</li> <li> <strong>Consistency:</strong> It removes the "Why are you picking on my variable names?" friction in code reviews. The machine is the one enforcing the rule, not the lead dev.</li> <li> <strong>Gamification:</strong> Teams start taking pride in maintaining an "A" rating for their projects.</li> </ul> <h2> Summary: Your Implementation Roadmap </h2> <ol> <li> <strong>Audit:</strong> Run an initial scan to see where your project stands (don't block merges yet!).</li> <li> <strong>Define:</strong> Create a "Quality Profile" specific to your language (e.g., a specific one for <strong>Flutter/Dart</strong>).</li> <li> <strong>Automate:</strong> Add the scanner to your CI pipeline.</li> <li> <strong>Enforce:</strong> Turn on the "Blocking" gate for <strong>New Code</strong> only.</li> </ol> <h2> Conclusion </h2> <p>Standardizing code quality shouldn't be a matter of opinion. By using a SonarQube strategy, you turn "Best Practices" from a vague concept into a hard requirement. This allows you to scale your team and your codebase without the fear that quality will degrade over time.</p> programming softwaredevelopment softwareengineering cleancode ThankGod Chibugwum Obobo Mon, 26 Jan 2026 01:33:52 +0000 https://forem.com/actocodes/set-up-vagrant-with-apache2-and-serve-a-static-page-via-port-forwarding-3o53 https://forem.com/actocodes/set-up-vagrant-with-apache2-and-serve-a-static-page-via-port-forwarding-3o53 <p>Vagrant isolates dependencies and their configuration within a single disposable, consistent environment, without sacrificing any of your existing tools. In lay-man terms vagrant helps you package a light weight bootable environment (OS) called boxes, which can be run on a hypervisor or a containerization platform.</p> <h2> Prerequisites </h2> <p>To get going with vagrant you'll need the following:</p> <ul> <li>An installation of the vagrant binaries in your system PATH (this makes vagrant available in your terminal)</li> <li>A hypervisor like virtualbox or a containerization platform like docker</li> <li>A vagrantfile which is a configuration file written in ruby that tells vagrant how to cook your environment</li> <li>A vagrant box which is the lightweight base image from which vagrant builds your custom environment</li> </ul> <h2> Getting Started with Vagrant </h2> <p>Follow these steps to get going with a vagrant environment:</p> <ol> <li><p><strong>Install the vagrant binaries</strong></p></li> <li><p><strong>Install the virtualisation software or hypervisor</strong></p></li> <li><p><strong>Initialize your project</strong> with the shell command <code>vagrant init ubuntu/focal64</code> in your project directory. This creates a vagrantfile in your current working directory. Here's a breakdown of the vagrantfile created:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1"># initiate a vagrant configuration block using the configure method</span> <span class="no">Vagrant</span><span class="p">.</span><span class="nf">configure</span><span class="p">(</span><span class="s2">"2"</span><span class="p">)</span> <span class="k">do</span> <span class="o">|</span><span class="n">config</span><span class="o">|</span> <span class="c1"># set "ubuntu/focal64" as the base image to use</span> <span class="n">config</span><span class="p">.</span><span class="nf">vm</span><span class="p">.</span><span class="nf">box</span> <span class="o">=</span> <span class="s2">"ubuntu/focal64"</span> <span class="c1"># end the configuration block</span> <span class="k">end</span> </code></pre> </div> <ol> <li><p><strong>Spin up your virtual environment</strong> with the shell command <code>vagrant up</code> in your project directory. This goes ahead to cook a new environment from the provided base image using the configuration in your vagrantfile.</p></li> <li><p><strong>Access your virtual environment</strong> with the shell command <code>vagrant ssh</code> in your project directory. This will directly place you in a new shell environment on your guest environment/virtual environment.</p></li> <li><p><strong>Exit the virtual environment</strong> by running the command <code>logout</code>. This takes you out of ssh and back into your project directory.</p></li> <li><p><strong>Remove the virtual environment</strong> by running <code>vagrant destroy</code> in your project directory to remove all traces of the guest machine from your host PC.</p></li> </ol> <h2> How to Complete The Task: Create a Web Server Using Apache2 </h2> <blockquote> <p><strong>Note:</strong> Remember to use <code>sudo</code> if you encounter permission issues.</p> </blockquote> <h3> Step 1: Create the HTML File </h3> <ol> <li>Create a new directory in your project directory: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir </span>html </code></pre> </div> <ol> <li>Move into the new directory: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>html </code></pre> </div> <ol> <li>Create a new file: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">touch </span>index.html </code></pre> </div> <ol> <li>Edit the file with <code>nano index.html</code> and add the following content: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Hello World!<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <ol> <li>Save the file with <code>CTRL+O</code> then <code>ENTER</code> and exit with <code>CTRL+X</code>. This is the html file we'll be serving.</li> </ol> <h3> Step 2: Set Up Apache2 Manually </h3> <ol> <li><p>Follow the steps above to spin up a virtual environment and ssh into it.</p></li> <li><p>From the ssh environment, update the package lists:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>apt update </code></pre> </div> <ol> <li>Install Apache2: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>apt <span class="nb">install </span>apache2 </code></pre> </div> <ol> <li>Remove the default <code>/var/www</code> directory: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">rm</span> <span class="nt">-rf</span> /var/www </code></pre> </div> <ol> <li>Create a symbolic link to serve files from the shared folder: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">ln</span> <span class="nt">-fs</span> /vagrant /var/www </code></pre> </div> <ol> <li>Verify the setup: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>wget <span class="nt">-qO-</span> 127.0.0.1 </code></pre> </div> <p>This should return the contents of the html file we created above.</p> <h2> Automating the Setup with Provisioning Scripts </h2> <p>There's a shortcut to all this using scripting or automation. We can create one more file in our project directory, say <code>bootstrap.sh</code>, and add the following as its contents:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c"># update package lists</span> apt-get update <span class="c"># install apache2 from apt(advance package tool)</span> apt-get <span class="nb">install</span> <span class="nt">-y</span> apache2 <span class="c"># sets up a redirect for apache2 from "/var/www" to "/vagrant"</span> <span class="c"># (essentially this tells apache2 to serve the files from /vagrant, which is the shared folder set up by vagrant between our host pc and the guest VM.)</span> <span class="k">if</span> <span class="o">!</span> <span class="o">[</span> <span class="nt">-L</span> /var/www <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">rm</span> <span class="nt">-rf</span> /var/www <span class="nb">ln</span> <span class="nt">-fs</span> /vagrant /var/www <span class="k">fi</span> </code></pre> </div> <p>Notice that the contents of the new file are actually the commands with which we installed and set up apache2. Now we need vagrant to be aware that we want to run this script while setting up our environment. To do that, our vagrantfile needs to be edited as such:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1"># initiate a vagrant configuration block using the configure method</span> <span class="no">Vagrant</span><span class="p">.</span><span class="nf">configure</span><span class="p">(</span><span class="s2">"2"</span><span class="p">)</span> <span class="k">do</span> <span class="o">|</span><span class="n">config</span><span class="o">|</span> <span class="c1"># set "ubuntu/focal64" as the base image to use</span> <span class="n">config</span><span class="p">.</span><span class="nf">vm</span><span class="p">.</span><span class="nf">box</span> <span class="o">=</span> <span class="s2">"ubuntu/focal64"</span> <span class="c1"># tell vagrant to run our bash script during setup</span> <span class="n">config</span><span class="p">.</span><span class="nf">vm</span><span class="p">.</span><span class="nf">provision</span> <span class="ss">:shell</span><span class="p">,</span> <span class="ss">path: </span><span class="s2">"bootstrap.sh"</span> <span class="c1"># end the configuration block</span> <span class="k">end</span> </code></pre> </div> <p>With these changes made, we can go ahead to run <code>vagrant up</code> to spin up our environment, and once it's done we can run <code>wget -qO- 127.0.0.1</code> to test our server.</p> <h2> Port Forwarding With Vagrant </h2> <p>To forward a port is simply giving access to your guest system from the host system. Essentially, this provides a way to communicate with your guest system, by giving it a location, more casually a door to its apartment where you can knock on to make requests or talk to it. </p> <p>To achieve this, add another line to the vagrant config block in the vagrant file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1"># initiate a vagrant configuration block using the configure method</span> <span class="no">Vagrant</span><span class="p">.</span><span class="nf">configure</span><span class="p">(</span><span class="s2">"2"</span><span class="p">)</span> <span class="k">do</span> <span class="o">|</span><span class="n">config</span><span class="o">|</span> <span class="c1"># set "ubuntu/focal64" as the base image to use</span> <span class="n">config</span><span class="p">.</span><span class="nf">vm</span><span class="p">.</span><span class="nf">box</span> <span class="o">=</span> <span class="s2">"ubuntu/focal64"</span> <span class="c1"># tell vagrant to run our bash script during setup</span> <span class="n">config</span><span class="p">.</span><span class="nf">vm</span><span class="p">.</span><span class="nf">provision</span> <span class="ss">:shell</span><span class="p">,</span> <span class="ss">path: </span><span class="s2">"bootstrap.sh"</span> <span class="c1"># tell vagrant to forward the port 80 on the guest to port 4567 on the host.</span> <span class="n">config</span><span class="p">.</span><span class="nf">vm</span><span class="p">.</span><span class="nf">network</span> <span class="ss">:forwarded_port</span><span class="p">,</span> <span class="ss">guest: </span><span class="mi">80</span><span class="p">,</span> <span class="ss">host: </span><span class="mi">4567</span> <span class="c1"># end the configuration block</span> <span class="k">end</span> </code></pre> </div> <p>With this new instruction we successfully open a portal to reach our guest system through the host. So any requests or messages that go to port 4567 on the host are forwarded to port 80 on the guest system. We can now open our browser and visit <code>localhost:4567</code> and we should get our html page as response.</p> <p><em>Connect with me on <a href="https://www.linkedin.com/in/actocodes/" rel="noopener noreferrer">LinkedIn</a></em></p> beginners devops tooling tutorial