The latest articles on Forem by Mohamed Idris (@edriso). https://forem.com/edriso https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F542036%2F3d38f955-495f-4ee8-9445-db0d27f2fd7b.png https://forem.com/edriso en Mohamed Idris Tue, 26 May 2026 00:11:04 +0000 https://forem.com/edriso/for-ambitious-devs-who-also-feel-tired-18hl https://forem.com/edriso/for-ambitious-devs-who-also-feel-tired-18hl <p>Hey friends 👋</p> <p>A lot of us struggle with the same thing. We want to keep learning. We sit down to code, then life happens, then a week goes by, then we feel bad about it.</p> <p>I built a tiny Discord bot for a study server that fights this without adding more pressure.</p> <h2> What it does </h2> <p>You finish about 15 minutes of real coding. You click a button. You write one line about what you did. You post it. That's a "cup."</p> <p>Your first cup of the day gives you XP. Extra cups still post in the feed, but no extra XP. The point is to show up, not to grind.</p> <p>If you show up 5 days in a week, you get a small bonus and a public shoutout. If you miss days, nothing bad happens. Your XP stays. No streak to break.</p> <p>You can also set a <strong>quest</strong> like <code>NestJS</code> or <code>AWS exam</code> with an optional target (e.g. 10 cups). When you hit the target, the bot celebrates it in the feed.</p> <h2> Why I built it this way </h2> <p>I read too much about gamification before writing a line of code. Three things came up over and over:</p> <ul> <li> <strong>Leaderboards make people quit.</strong> When you can see who is ahead, study turns into competition. Some people grind. Most people compare and feel bad.</li> <li> <strong>Daily streaks punish missing.</strong> One bad day breaks a 50-day streak. That feels worse than the win felt good.</li> <li> <strong>Pre-set goals do not stick.</strong> Goals work when you choose them yourself.</li> </ul> <p>So this server has:</p> <ul> <li>No leaderboards.</li> <li>No public daily streaks. Miss a day, you keep your XP.</li> <li>Quests are optional. You set the name. You set the target. Or you set nothing.</li> </ul> <h2> Who it is for </h2> <p>Devs who want to keep learning but feel the cold-start every time. Especially helpful if you are a student or in your first few years of work. The default focus is TypeScript fullstack (NestJS, React, Prisma) but you can tag your cups with anything you are learning.</p> <h2> Want to join? </h2> <p>Check first comment or drop a comment or DM me in case the invitation link got expired. The server is small on purpose.</p> <p>It is free. There is no course. There is no cohort. Just a place to show up.</p> <p>Show up, log it, keep moving. ☕</p> webdev coding learning beginners Mohamed Idris Sun, 24 May 2026 13:12:00 +0000 https://forem.com/edriso/learning-nestjs-as-if-you-built-it-yourself-li7 https://forem.com/edriso/learning-nestjs-as-if-you-built-it-yourself-li7 <p>If you have ever built a Node.js app with plain Express, you know the moment. The first three routes feel great. By route thirty, you have a <code>routes/</code> folder, a <code>middlewares/</code> folder, a <code>utils/</code> folder, and one giant <code>app.js</code> where everyone wires things up however they feel like that day. There is no rulebook, so every developer invents one.</p> <p>That is fine for a weekend project. For a real backend with a team, it gets painful. You want structure that you do not have to invent, you want testability without bending over backwards, and you want your code to look the same whether it was written today or a year ago.</p> <p>That is the gap NestJS fills.</p> <h2> What is NestJS, really </h2> <p>Think of NestJS as Express (or Fastify, your pick) with a wise older sibling sitting next to it. The sibling says "actually, put your HTTP code over here, your business logic over there, your validation right at the door, and ask me when you need something instead of building it yourself".</p> <p>It is opinionated on purpose. Once you learn the pattern once, every NestJS app on the planet starts to feel familiar.</p> <p>The sibling speaks fluent TypeScript and loves decorators. That is the whole vibe.</p> <h2> Let's pretend we are building one </h2> <p>We want a Node.js framework that scales nicely with the team and the codebase. We will call it <strong>NestJS</strong>. As we design it, every decision we make is a thing you will see again and again in real code, so let's make them on purpose.</p> <p>For our running example, imagine a tiny app: a little online library. Books and members. Nothing fancy.</p> <h2> Decision 1: Code should be organized in feature boxes </h2> <p>We will call these boxes <strong>modules</strong>. A module is a folder with everything one feature needs: its routes, its logic, its data shapes, its tests. If you delete the folder, the feature is gone, and nothing else breaks.</p> <p>A module is just a class with a decorator on top:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// books/books.module.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Module</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@nestjs/common</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">BooksController</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./books.controller</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">BooksService</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./books.service</span><span class="dl">"</span><span class="p">;</span> <span class="p">@</span><span class="nd">Module</span><span class="p">({</span> <span class="na">controllers</span><span class="p">:</span> <span class="p">[</span><span class="nx">BooksController</span><span class="p">],</span> <span class="na">providers</span><span class="p">:</span> <span class="p">[</span><span class="nx">BooksService</span><span class="p">],</span> <span class="na">exports</span><span class="p">:</span> <span class="p">[</span><span class="nx">BooksService</span><span class="p">],</span> <span class="p">})</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">BooksModule</span> <span class="p">{}</span> </code></pre> </div> <p>Read that decorator like a mini contract:</p> <ul> <li> <code>controllers</code> are the doors of this feature, the things that listen for HTTP requests.</li> <li> <code>providers</code> are the workers that do the actual job (services, repositories, helpers).</li> <li> <code>exports</code> is what this module is willing to share with other modules. If you do not export it, it stays private.</li> </ul> <p>Then a top level <code>AppModule</code> wires the features together:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="p">@</span><span class="nd">Module</span><span class="p">({</span> <span class="na">imports</span><span class="p">:</span> <span class="p">[</span><span class="nx">BooksModule</span><span class="p">,</span> <span class="nx">MembersModule</span><span class="p">],</span> <span class="p">})</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">AppModule</span> <span class="p">{}</span> </code></pre> </div> <p>Modules give us boundaries. Boundaries give us sanity.</p> <blockquote> <p>Tiny tip: keep one feature per folder, not one technical layer per folder. A <code>books/</code> folder with controller, service, dto, and entity inside beats four parallel folders called <code>controllers/</code>, <code>services/</code>, <code>dtos/</code>, <code>entities/</code>. Modern NestJS guides all push this style.</p> </blockquote> <h2> Decision 2: HTTP stuff lives in a controller </h2> <p>We need something that receives requests and returns responses. We do not want HTTP code mixed into business logic, so we put it in its own class called a <strong>controller</strong>. Decorators do the routing for us.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// books/books.controller.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Controller</span><span class="p">,</span> <span class="nx">Get</span><span class="p">,</span> <span class="nx">Post</span><span class="p">,</span> <span class="nx">Body</span><span class="p">,</span> <span class="nx">Param</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@nestjs/common</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">BooksService</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./books.service</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">CreateBookDto</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./dto/create-book.dto</span><span class="dl">"</span><span class="p">;</span> <span class="p">@</span><span class="nd">Controller</span><span class="p">(</span><span class="dl">"</span><span class="s2">books</span><span class="dl">"</span><span class="p">)</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">BooksController</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="k">private</span> <span class="k">readonly</span> <span class="nx">books</span><span class="p">:</span> <span class="nx">BooksService</span><span class="p">)</span> <span class="p">{}</span> <span class="p">@</span><span class="nd">Get</span><span class="p">()</span> <span class="nf">findAll</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">books</span><span class="p">.</span><span class="nf">findAll</span><span class="p">();</span> <span class="p">}</span> <span class="p">@</span><span class="nd">Get</span><span class="p">(</span><span class="dl">"</span><span class="s2">:id</span><span class="dl">"</span><span class="p">)</span> <span class="nf">findOne</span><span class="p">(@</span><span class="nd">Param</span><span class="p">(</span><span class="dl">"</span><span class="s2">id</span><span class="dl">"</span><span class="p">)</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">books</span><span class="p">.</span><span class="nf">findOne</span><span class="p">(</span><span class="nx">id</span><span class="p">);</span> <span class="p">}</span> <span class="p">@</span><span class="nd">Post</span><span class="p">()</span> <span class="nf">create</span><span class="p">(@</span><span class="nd">Body</span><span class="p">()</span> <span class="nx">dto</span><span class="p">:</span> <span class="nx">CreateBookDto</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">books</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span><span class="nx">dto</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>A few things worth noticing, because these patterns repeat everywhere:</p> <ul> <li> <code>@Controller("books")</code> mounts every route in the class under <code>/books</code>.</li> <li> <code>@Get</code>, <code>@Post</code>, <code>@Put</code>, <code>@Patch</code>, <code>@Delete</code> map to HTTP verbs. The argument inside is the sub path.</li> <li> <code>@Param</code>, <code>@Body</code>, <code>@Query</code>, <code>@Headers</code> pull pieces out of the request for you. No more <code>req.body.something</code>, you ask for what you want directly.</li> <li>The controller does not know what a database is, and that is the point. It just calls the service.</li> </ul> <p>The controller is the door. It greets visitors and points them inside.</p> <h2> Decision 3: The brain lives in a service </h2> <p>Real work belongs in a class with no HTTP awareness, so the same logic can be reused from a CLI, a queue worker, a GraphQL resolver, or a test. We call these classes <strong>services</strong>, and we mark them with <code>@Injectable()</code> so our framework knows it is allowed to manage them.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// books/books.service.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Injectable</span><span class="p">,</span> <span class="nx">NotFoundException</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@nestjs/common</span><span class="dl">"</span><span class="p">;</span> <span class="p">@</span><span class="nd">Injectable</span><span class="p">()</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">BooksService</span> <span class="p">{</span> <span class="k">private</span> <span class="nx">books</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="dl">"</span><span class="s2">1</span><span class="dl">"</span><span class="p">,</span> <span class="na">title</span><span class="p">:</span> <span class="dl">"</span><span class="s2">The Little Prince</span><span class="dl">"</span><span class="p">,</span> <span class="na">author</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Saint-Exupery</span><span class="dl">"</span> <span class="p">},</span> <span class="p">];</span> <span class="nf">findAll</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">books</span><span class="p">;</span> <span class="p">}</span> <span class="nf">findOne</span><span class="p">(</span><span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">book</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">books</span><span class="p">.</span><span class="nf">find</span><span class="p">((</span><span class="nx">b</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">b</span><span class="p">.</span><span class="nx">id</span> <span class="o">===</span> <span class="nx">id</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">book</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">NotFoundException</span><span class="p">(</span><span class="s2">`Book </span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2"> not found`</span><span class="p">);</span> <span class="k">return</span> <span class="nx">book</span><span class="p">;</span> <span class="p">}</span> <span class="nf">create</span><span class="p">(</span><span class="nx">dto</span><span class="p">:</span> <span class="p">{</span> <span class="nl">title</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">author</span><span class="p">:</span> <span class="kr">string</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">book</span> <span class="o">=</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nc">String</span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">books</span><span class="p">.</span><span class="nx">length</span> <span class="o">+</span> <span class="mi">1</span><span class="p">),</span> <span class="p">...</span><span class="nx">dto</span> <span class="p">};</span> <span class="k">this</span><span class="p">.</span><span class="nx">books</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">book</span><span class="p">);</span> <span class="k">return</span> <span class="nx">book</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Services are where the boring, valuable code lives. They are also the easiest things in the universe to unit test, because they are just classes with constructor arguments.</p> <h2> Decision 4: Don't <code>new</code> your stuff, ask for it </h2> <p>This is the heart of NestJS, and it is the part that feels weird for about two days, then makes total sense.</p> <p>Look at the controller again:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nf">constructor</span><span class="p">(</span><span class="k">private</span> <span class="k">readonly</span> <span class="nx">books</span><span class="p">:</span> <span class="nx">BooksService</span><span class="p">)</span> <span class="p">{}</span> </code></pre> </div> <p>We never wrote <code>new BooksService()</code> anywhere. We just declared "I need a <code>BooksService</code>", and somehow we got one. That is <strong>dependency injection</strong>, and the framework's IoC container is the thing pulling the strings.</p> <p>Here is roughly what happens at boot:</p> <ol> <li>NestJS reads every module's <code>providers</code> array.</li> <li>For each provider, it figures out what it needs (by looking at constructor types).</li> <li>It builds them in the right order, hands each one its dependencies, and caches the result.</li> <li>By default, every provider is a <strong>singleton</strong>, one shared instance for the whole app.</li> <li>When a controller is created, the container wires in the services it asked for.</li> </ol> <p>Why bother? Three reasons that pay off forever:</p> <ul> <li> <strong>Testing is trivial.</strong> In a test you can hand a controller a fake service. No mocking libraries required.</li> <li> <strong>Swapping implementations is one line.</strong> Change which class is bound to a token in the module, and the entire app uses the new one.</li> <li> <strong>No spaghetti <code>require</code> graph.</strong> Modules tell the framework what they expose, and that is the only path other modules can use.</li> </ul> <p>You can also bind by token instead of by class, for things like config or external clients:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="p">@</span><span class="nd">Module</span><span class="p">({</span> <span class="na">providers</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">provide</span><span class="p">:</span> <span class="dl">"</span><span class="s2">BOOKS_REPO</span><span class="dl">"</span><span class="p">,</span> <span class="na">useFactory</span><span class="p">:</span> <span class="p">(</span><span class="na">config</span><span class="p">:</span> <span class="nx">ConfigService</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="k">new</span> <span class="nc">BooksRepo</span><span class="p">(</span><span class="nx">config</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">DB_URL</span><span class="dl">"</span><span class="p">)),</span> <span class="na">inject</span><span class="p">:</span> <span class="p">[</span><span class="nx">ConfigService</span><span class="p">],</span> <span class="p">},</span> <span class="p">],</span> <span class="p">})</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">BooksModule</span> <span class="p">{}</span> </code></pre> </div> <p>Then inside a service:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nf">constructor</span><span class="p">(@</span><span class="nd">Inject</span><span class="p">(</span><span class="dl">"</span><span class="s2">BOOKS_REPO</span><span class="dl">"</span><span class="p">)</span> <span class="k">private</span> <span class="nx">repo</span><span class="p">:</span> <span class="nx">BooksRepo</span><span class="p">)</span> <span class="p">{}</span> </code></pre> </div> <p>That same trick is how you swap a real database for an in memory fake in tests.</p> <h2> Decision 5: Validate at the door with DTOs </h2> <p>We agreed earlier that controllers are the door of the app. Doors should check who is coming in. So we want to define exactly what the body of <code>POST /books</code> looks like, and reject anything weird before it ever reaches the service.</p> <p>We use a plain class called a <strong>DTO</strong> (Data Transfer Object), and we decorate its fields with rules from <code>class-validator</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// books/dto/create-book.dto.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">IsString</span><span class="p">,</span> <span class="nx">Length</span><span class="p">,</span> <span class="nx">IsOptional</span><span class="p">,</span> <span class="nx">IsInt</span><span class="p">,</span> <span class="nx">Min</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">class-validator</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">CreateBookDto</span> <span class="p">{</span> <span class="p">@</span><span class="nd">IsString</span><span class="p">()</span> <span class="p">@</span><span class="nd">Length</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">120</span><span class="p">)</span> <span class="nx">title</span><span class="o">!</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">@</span><span class="nd">IsString</span><span class="p">()</span> <span class="p">@</span><span class="nd">Length</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">80</span><span class="p">)</span> <span class="nx">author</span><span class="o">!</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">@</span><span class="nd">IsOptional</span><span class="p">()</span> <span class="p">@</span><span class="nd">IsInt</span><span class="p">()</span> <span class="p">@</span><span class="nd">Min</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="nx">pages</span><span class="p">?:</span> <span class="kr">number</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Then in <code>main.ts</code>, we turn on the global <code>ValidationPipe</code> once, and the whole app is protected:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// main.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ValidationPipe</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@nestjs/common</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NestFactory</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@nestjs/core</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AppModule</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./app.module</span><span class="dl">"</span><span class="p">;</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">bootstrap</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">NestFactory</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span><span class="nx">AppModule</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">useGlobalPipes</span><span class="p">(</span> <span class="k">new</span> <span class="nc">ValidationPipe</span><span class="p">({</span> <span class="na">whitelist</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// drop fields we did not declare</span> <span class="na">forbidNonWhitelisted</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// or throw if someone tries</span> <span class="na">transform</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// turn the body into a real DTO instance</span> <span class="na">transformOptions</span><span class="p">:</span> <span class="p">{</span> <span class="na">enableImplicitConversion</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="p">}),</span> <span class="p">);</span> <span class="k">await</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="mi">3000</span><span class="p">);</span> <span class="p">}</span> <span class="nf">bootstrap</span><span class="p">();</span> </code></pre> </div> <p>That single block of options is one of the highest leverage settings in NestJS. <code>whitelist</code> strips junk, <code>forbidNonWhitelisted</code> shouts about junk, <code>transform</code> gives you a typed DTO instance instead of a plain object. Most security and bug pain disappears once this is on.</p> <p>For partial updates, you do not rewrite the whole DTO. NestJS gives you helpers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">PartialType</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@nestjs/mapped-types</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">CreateBookDto</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./create-book.dto</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">UpdateBookDto</span> <span class="kd">extends</span> <span class="nc">PartialType</span><span class="p">(</span><span class="nx">CreateBookDto</span><span class="p">)</span> <span class="p">{}</span> </code></pre> </div> <p>Now every field is optional, but every existing rule still applies.</p> <h2> Decision 6: Plug in extra logic with a tiny pipeline </h2> <p>Real apps need cross cutting things. Logging. Auth. Caching. Error handling. We do not want any of that mess inside controllers or services, so we offered five clean places to plug in. The order they run in is fixed and worth memorizing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>incoming request -&gt; Middleware -&gt; Guards -&gt; Interceptors (before) -&gt; Pipes -&gt; Controller handler -&gt; Service -&gt; Interceptors (after / response shaping) -&gt; Exception Filters (only if something throws) outgoing response </code></pre> </div> <p>Each one has a job:</p> <ul> <li> <strong>Middleware</strong> is the classic Express style function. Runs first, knows nothing about which route, good for logging, request ids, raw header tweaks.</li> <li> <strong>Guards</strong> answer one question: "is this request allowed in?". Auth, roles, feature flags. They have access to the route metadata, so they know which controller and handler they are guarding.</li> <li> <strong>Interceptors</strong> wrap the handler. They can run code before and after, modify the response, add caching, add timing logs. Powered by RxJS observables.</li> <li> <strong>Pipes</strong> transform and validate inputs. <code>ValidationPipe</code> is one. <code>ParseIntPipe</code>, <code>ParseUUIDPipe</code>, <code>ParseDatePipe</code> (added in NestJS 11) are others.</li> <li> <strong>Exception Filters</strong> catch errors and shape them into nice HTTP responses. You can have a global one for consistent error JSON.</li> </ul> <p>A guard looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="p">@</span><span class="nd">Injectable</span><span class="p">()</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">AuthGuard</span> <span class="k">implements</span> <span class="nx">CanActivate</span> <span class="p">{</span> <span class="nf">canActivate</span><span class="p">(</span><span class="nx">ctx</span><span class="p">:</span> <span class="nx">ExecutionContext</span><span class="p">):</span> <span class="nx">boolean</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">req</span> <span class="o">=</span> <span class="nx">ctx</span><span class="p">.</span><span class="nf">switchToHttp</span><span class="p">().</span><span class="nf">getRequest</span><span class="p">();</span> <span class="k">return</span> <span class="nc">Boolean</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nx">authorization</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Apply it to one route, one controller, or globally. Same shape for the rest of the family.</p> <p>If you only remember one rule: <strong>middleware does not know the route, guards do</strong>. That distinction will save you future headaches.</p> <h2> Decision 7: Make it fast and easy to start </h2> <p>NestJS 11 (the current major version) made some quality of life moves we should mention, because you will see them in fresh projects:</p> <ul> <li> <strong>SWC is the default compiler.</strong> Cold starts and rebuilds are dramatically faster than the old <code>tsc</code> based dev loop. You barely notice the build step anymore.</li> <li> <strong>Vitest is the suggested test runner</strong> in new project templates, and it pairs nicely with SWC.</li> <li> <strong>Standalone applications</strong> via <code>NestFactory.createApplicationContext(AppModule)</code> give you the IoC container without an HTTP server, perfect for CLI tools, cron jobs, and serverless handlers that just want dependency injection.</li> <li> <strong><code>ConsoleLogger</code> supports JSON output</strong> out of the box, so shipping logs to your aggregator does not need a custom logger anymore.</li> <li> <strong><code>IntrinsicException</code></strong> lets you throw errors that skip the framework's automatic logging, useful for sensitive flows.</li> <li> <strong><code>ParseDatePipe</code></strong> validates and converts incoming date strings into real <code>Date</code> objects.</li> <li>Better CSRF helpers and small but nice microservice transport improvements (<code>unwrap()</code> to reach the underlying client).</li> </ul> <p>You do not need to use any of this on day one. But knowing these exist means you will recognize them when you see them in code or release notes.</p> <h2> A peek under the hood </h2> <p>What really happens when a request hits a NestJS app, end to end:</p> <ol> <li>Node receives the request through the underlying platform (Express by default, Fastify if you swapped it in).</li> <li>NestJS runs registered <strong>middleware</strong> in order.</li> <li> <strong>Guards</strong> run for the matched route. If any returns false or throws, we stop.</li> <li> <strong>Interceptors (before phase)</strong> wrap the handler call.</li> <li> <strong>Pipes</strong> transform and validate each parameter (so your <code>@Body() dto</code> becomes a real <code>CreateBookDto</code> with validations applied).</li> <li>The <strong>controller method</strong> runs. It calls a <strong>service</strong>, which the IoC container had already wired up.</li> <li>The return value flows back through the <strong>interceptor (after phase)</strong>, which can map, cache, or log it.</li> <li>If anything threw on the way, <strong>exception filters</strong> catch it and turn it into a clean HTTP response.</li> <li>Node writes the response back to the client.</li> </ol> <p>That entire flow is what makes NestJS feel "boring in a good way". You always know where to put new code.</p> <h2> Tiny tips that will save you later </h2> <ul> <li> <strong>One feature, one folder, one module.</strong> Do not pre split by layer.</li> <li> <strong>Turn on the global <code>ValidationPipe</code></strong> in <code>main.ts</code> on day one, with <code>whitelist</code>, <code>forbidNonWhitelisted</code>, and <code>transform</code> enabled.</li> <li> <strong>Use <code>@nestjs/config</code></strong> with a Zod or Joi schema so missing env vars fail at boot, not at 3am in production.</li> <li> <strong>Keep controllers thin.</strong> If a controller method is more than a few lines, push the logic into the service.</li> <li> <strong>Inject by class when you can, by token when you must.</strong> Tokens are great for swapping implementations and for things you cannot easily type as a class.</li> <li> <strong>Default scope is singleton.</strong> Only opt into request scope when you genuinely need per request state, since it is more expensive.</li> <li> <strong>Use <code>nest g</code> generators</strong> (<code>nest g module books</code>, <code>nest g resource books</code>) early on. They scaffold the boilerplate you would have typed anyway, in the canonical shape.</li> <li> <strong>Test services as plain classes.</strong> Test controllers with a fake service. Reach for <code>Test.createTestingModule</code> only when you actually need the DI graph.</li> </ul> <h2> Wrapping up </h2> <p>So that is the whole story. We wanted Express scale to stop being painful. We built a framework that gives every app the same shape:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Module -&gt; Controller (the door, decorated routes) -&gt; Service (the brain, plain TypeScript) -&gt; whatever it needs (repos, clients, configs) </code></pre> </div> <p>Then we surrounded that core with a tidy pipeline: middleware, guards, interceptors, pipes, filters, each with one job. We let the IoC container wire everything together, so you never type <code>new</code> and never wonder where a dependency came from. We made validation a one liner at the boundary. And in version 11, we made the whole thing faster to start and lighter to ship.</p> <p>Once that shape clicks, NestJS stops feeling like a framework you are learning, and starts feeling like a project layout you can fall back on, no matter how big the codebase grows.</p> <p>Happy building, and put a nice book on the shelf for me.</p> learning nestjs backend Mohamed Idris Sat, 23 May 2026 13:11:00 +0000 https://forem.com/edriso/learning-expressjs-as-if-you-built-it-yourself-49n4 https://forem.com/edriso/learning-expressjs-as-if-you-built-it-yourself-49n4 <p>If you have ever opened the raw <code>node:http</code> module and tried to write a real server with it, you remember the moment. You wrote <code>http.createServer((req, res) =&gt; { ... })</code>. Then you tried to read JSON from the body and discovered there is no <code>req.body</code>. You parsed it with streams. Then you tried to route a <code>POST /users</code> differently from <code>GET /users</code> and ended up with a giant <code>if/else</code> ladder. Then you added auth, logging, error handling, CORS, and the file became unreadable.</p> <p>Node gave you a great low level engine, but a real web server needs a friendly chassis on top. Express is that chassis.</p> <p>That is the gap Express fills.</p> <h2> What is Express, really </h2> <p>Think of Express as <strong>a small assembly line for HTTP requests</strong>. A request walks in one end. It passes through a series of stations, where each station does one thing: parse the body, check the cookie, log the URL, look up the user, validate the input. At the end, a route handler builds a response. The response walks back out the door.</p> <p>Each station is a <strong>middleware</strong>. The whole assembly line is the <strong>app</strong>. You decide which stations to install, in what order. That single idea, plus a list of HTTP verb shortcuts, is essentially the entire framework.</p> <p>Two ideas drive everything:</p> <ul> <li> <strong>Middleware chain.</strong> Every request passes through a sequence of functions. Each one calls <code>next()</code> to pass control along, or sends a response to stop.</li> <li> <strong>Unopinionated.</strong> Express does not tell you how to structure your app. It gives you a tiny, sharp tool and gets out of your way. That is its strength and its trap.</li> </ul> <p>That is the whole vibe.</p> <h2> Let's pretend we are building one </h2> <p>We want a friendly Node.js framework that handles routing, body parsing, and middleware composition without inventing a new language. We will call it <strong>Express.js</strong>.</p> <p>For the running example, we are building a tiny <strong>Stickies API</strong>: tiny sticky notes, owned by users, taggable, searchable. Small, but it lets us touch every important corner.</p> <h2> Decision 1: Hello world in five lines </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">express</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">express</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">/</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="dl">"</span><span class="s2">Hello, sticky notes.</span><span class="dl">"</span><span class="p">);</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="mi">3000</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">listening on :3000</span><span class="dl">"</span><span class="p">));</span> </code></pre> </div> <p>That is a working web server. Read it like a sentence: when a <code>GET</code> request comes in for <code>/</code>, send back a string. Listen on port 3000.</p> <p>The two things every senior should know about that snippet:</p> <ul> <li> <strong><code>app.get("/", handler)</code></strong> is sugar for "add a middleware that only runs for <code>GET /</code>".</li> <li> <strong><code>res.send()</code></strong> auto sets <code>Content-Type</code> based on the value (string, Buffer, JSON, etc). Use <strong><code>res.json(obj)</code></strong> when you want to be explicit and force <code>application/json</code>.</li> </ul> <h2> Decision 2: Routes, the verbs and the paths </h2> <p>Every HTTP verb has a method on the app:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">get </span><span class="p">(</span><span class="dl">"</span><span class="s2">/stickies</span><span class="dl">"</span><span class="p">,</span> <span class="nx">listStickies</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post </span><span class="p">(</span><span class="dl">"</span><span class="s2">/stickies</span><span class="dl">"</span><span class="p">,</span> <span class="nx">createSticky</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get </span><span class="p">(</span><span class="dl">"</span><span class="s2">/stickies/:id</span><span class="dl">"</span><span class="p">,</span> <span class="nx">readSticky</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">patch </span><span class="p">(</span><span class="dl">"</span><span class="s2">/stickies/:id</span><span class="dl">"</span><span class="p">,</span> <span class="nx">updateSticky</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="k">delete</span><span class="p">(</span><span class="dl">"</span><span class="s2">/stickies/:id</span><span class="dl">"</span><span class="p">,</span> <span class="nx">deleteSticky</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">all </span><span class="p">(</span><span class="dl">"</span><span class="s2">/stickies/:id/lock</span><span class="dl">"</span><span class="p">,</span> <span class="nx">lockHandler</span><span class="p">);</span> <span class="c1">// any verb</span> </code></pre> </div> <p>The colon prefix marks a <strong>route parameter</strong>. Inside the handler, you read it from <code>req.params</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">readSticky</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">id</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">;</span> <span class="c1">// string</span> <span class="kd">const</span> <span class="nx">note</span> <span class="o">=</span> <span class="nx">db</span><span class="p">.</span><span class="nf">getSticky</span><span class="p">(</span><span class="nx">id</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">note</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">404</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">not found</span><span class="dl">"</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="nx">note</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Three sources of input every Express handler reads from:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">req</span><span class="p">.</span><span class="nx">params</span> <span class="c1">// path params: /stickies/:id -&gt; { id: "42" }</span> <span class="nx">req</span><span class="p">.</span><span class="nx">query</span> <span class="c1">// query string: ?tag=urgent -&gt; { tag: "urgent" }</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span> <span class="c1">// request body (after a parser middleware sets it)</span> </code></pre> </div> <p>Plus the headers and cookies:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">"</span><span class="s2">authorization</span><span class="dl">"</span><span class="p">];</span> <span class="nx">req</span><span class="p">.</span><span class="nx">cookies</span><span class="p">?.</span><span class="nx">session</span><span class="p">;</span> <span class="c1">// requires cookie-parser middleware</span> </code></pre> </div> <p>Modern advice: types for <code>req.body</code>, <code>req.params</code>, and <code>req.query</code> should come from a <strong>Zod schema</strong> validated at the start of the handler, not from hand annotated TypeScript generics. We will see this in a moment.</p> <h2> Decision 3: Middleware, the soul of Express </h2> <p>A middleware is a function with the shape <code>(req, res, next) =&gt; void</code>. It can:</p> <ul> <li>Read or modify the request.</li> <li>Write a response and end the chain.</li> <li>Call <code>next()</code> to pass to the next middleware.</li> <li>Call <code>next(err)</code> to skip ahead to error middleware. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">logger</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">start</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">();</span> <span class="nx">res</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">"</span><span class="s2">finish</span><span class="dl">"</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">method</span><span class="p">}</span><span class="s2"> </span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">url</span><span class="p">}</span><span class="s2"> </span><span class="p">${</span><span class="nx">res</span><span class="p">.</span><span class="nx">statusCode</span><span class="p">}</span><span class="s2"> </span><span class="p">${</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">-</span> <span class="nx">start</span><span class="p">}</span><span class="s2">ms`</span><span class="p">);</span> <span class="p">});</span> <span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">logger</span><span class="p">);</span> </code></pre> </div> <p><code>app.use(...)</code> mounts a middleware that runs on every request. You can also mount per path:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api</span><span class="dl">"</span><span class="p">,</span> <span class="nx">apiAuth</span><span class="p">);</span> <span class="c1">// only for /api/*</span> </code></pre> </div> <p>Order matters. A request flows top to bottom through the middleware list, and the first one to write a response wins. This is why <strong>the order of <code>app.use</code> calls is your program's pipeline</strong>.</p> <p>A typical production app stacks them like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">express</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">express</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">helmet</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">helmet</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">cors</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">cors</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">compression</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">compression</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">morgan</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">morgan</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">helmet</span><span class="p">());</span> <span class="c1">// security headers</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">cors</span><span class="p">({</span> <span class="na">origin</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">WEB_ORIGIN</span><span class="p">,</span> <span class="na">credentials</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">compression</span><span class="p">());</span> <span class="c1">// gzip / brotli</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">morgan</span><span class="p">(</span><span class="dl">"</span><span class="s2">tiny</span><span class="dl">"</span><span class="p">));</span> <span class="c1">// request logging</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">limit</span><span class="p">:</span> <span class="dl">"</span><span class="s2">1mb</span><span class="dl">"</span> <span class="p">}));</span> <span class="c1">// parse JSON bodies</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">urlencoded</span><span class="p">({</span> <span class="na">extended</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}));</span> <span class="c1">// parse form bodies</span> <span class="c1">// your routes</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/stickies</span><span class="dl">"</span><span class="p">,</span> <span class="nx">stickiesRouter</span><span class="p">);</span> <span class="c1">// error middleware (last)</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">errorHandler</span><span class="p">);</span> </code></pre> </div> <p>That stack is essentially the same in every Express app on the planet. Memorize the shape.</p> <h2> Decision 4: Built in body parsers (no more body-parser) </h2> <p>Once upon a time you installed <code>body-parser</code>. Now Express ships JSON and URL-encoded parsers built in:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">limit</span><span class="p">:</span> <span class="dl">"</span><span class="s2">1mb</span><span class="dl">"</span> <span class="p">}));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">urlencoded</span><span class="p">({</span> <span class="na">extended</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">text</span><span class="p">());</span> <span class="c1">// text bodies</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">raw</span><span class="p">());</span> <span class="c1">// Buffer bodies</span> </code></pre> </div> <p>Always set a <strong><code>limit</code></strong>. The default is 100KB and that is fine for most endpoints, but explicit beats default. An unbounded JSON parser is a denial of service waiting to happen.</p> <p>For file uploads, reach for <strong>Multer</strong> (multipart/form-data) or stream the body yourself if it is a single file. Never read uploads into memory for big files.</p> <h2> Decision 5: Routers for modular structure </h2> <p>A <code>Router</code> is a mini app. Same <code>.get</code>, <code>.post</code>, <code>.use</code> API. You compose them with <code>app.use(prefix, router)</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// routes/stickies.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Router</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">express</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">r</span> <span class="o">=</span> <span class="nc">Router</span><span class="p">();</span> <span class="nx">r</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">/</span><span class="dl">"</span><span class="p">,</span> <span class="nx">listStickies</span><span class="p">);</span> <span class="nx">r</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">"</span><span class="s2">/</span><span class="dl">"</span><span class="p">,</span> <span class="nx">createSticky</span><span class="p">);</span> <span class="nx">r</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">/:id</span><span class="dl">"</span><span class="p">,</span> <span class="nx">readSticky</span><span class="p">);</span> <span class="nx">r</span><span class="p">.</span><span class="nf">patch</span><span class="p">(</span><span class="dl">"</span><span class="s2">/:id</span><span class="dl">"</span><span class="p">,</span> <span class="nx">updateSticky</span><span class="p">);</span> <span class="k">export</span> <span class="k">default</span> <span class="nx">r</span><span class="p">;</span> <span class="c1">// app.ts</span> <span class="k">import</span> <span class="nx">stickies</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./routes/stickies</span><span class="dl">"</span><span class="p">;</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/stickies</span><span class="dl">"</span><span class="p">,</span> <span class="nx">stickies</span><span class="p">);</span> </code></pre> </div> <p>Senior level habits:</p> <ul> <li> <strong>One router per resource.</strong> A <code>stickies.ts</code> router, a <code>users.ts</code> router, a <code>tags.ts</code> router.</li> <li> <strong>Mount under a versioned prefix.</strong> <code>app.use("/api/v1", apiV1)</code> so future you can add v2 without a rewrite.</li> <li> <strong>Group middleware on the router</strong>, not on every route. <code>r.use(authRequired)</code> at the top of an admin router runs once per request.</li> </ul> <p>A full senior style folder layout for a non-trivial app:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>src/ app.ts -&gt; app composition server.ts -&gt; listen + graceful shutdown routes/ stickies.ts users.ts controllers/ stickies.controller.ts services/ stickies.service.ts middleware/ auth.ts error.ts rate-limit.ts schemas/ sticky.schema.ts -&gt; Zod schemas lib/ db.ts logger.ts </code></pre> </div> <p>Express will not enforce this. It is convention. Pick one and stick with it.</p> <h2> Decision 6: Async handlers (the Express 5 superpower) </h2> <p>In Express 4, an <code>async</code> route that threw or rejected would crash the process unless you wrapped it in <code>asyncHandler</code> or installed <code>express-async-errors</code>. It was the single most common bug in the Express world.</p> <p>Express 5 (released in October 2024) fixes this. Async route handlers and middleware that return a rejected Promise now automatically forward to the error middleware. You no longer need a wrapper.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// works correctly in Express 5</span> <span class="nx">r</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">/:id</span><span class="dl">"</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">sticky</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">stickies</span><span class="p">.</span><span class="nf">findUnique</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">sticky</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">NotFoundError</span><span class="p">(</span><span class="dl">"</span><span class="s2">sticky not found</span><span class="dl">"</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="nx">sticky</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>If a senior interview asks you "how do you handle async errors in Express", the modern answer in 2026 is "I use Express 5 and I just throw or reject. The framework forwards to my error middleware."</p> <p>If you are stuck on Express 4, the patterns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// option 1: a wrapper</span> <span class="kd">const</span> <span class="nx">wrap</span> <span class="o">=</span> <span class="p">(</span><span class="nx">fn</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nb">Promise</span><span class="p">.</span><span class="nf">resolve</span><span class="p">(</span><span class="nf">fn</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)).</span><span class="k">catch</span><span class="p">(</span><span class="nx">next</span><span class="p">);</span> <span class="nx">r</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">/:id</span><span class="dl">"</span><span class="p">,</span> <span class="nf">wrap</span><span class="p">(</span><span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="cm">/* ... */</span> <span class="p">}));</span> <span class="c1">// option 2: a single import</span> <span class="k">import</span> <span class="dl">"</span><span class="s2">express-async-errors</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// monkey patches Express to handle async</span> </code></pre> </div> <p>But upgrade. Express 5 is stable and the migration is small.</p> <h2> Decision 7: Error handling middleware, the four argument signature </h2> <p>An error handler is a middleware with <strong>four arguments</strong> instead of three. Express uses the arity to find them:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">errorHandler</span><span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// ...</span> <span class="p">}</span> </code></pre> </div> <p>Mount it <strong>last</strong>. Anything that calls <code>next(err)</code> (or throws inside an async handler in Express 5) lands here.</p> <p>A real error middleware that maps known errors to statuses, logs unknown ones, and never leaks internals:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">ZodError</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">zod</span><span class="dl">"</span><span class="p">;</span> <span class="kd">class</span> <span class="nc">HttpError</span> <span class="kd">extends</span> <span class="nc">Error</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="k">public</span> <span class="nx">status</span><span class="p">:</span> <span class="kr">number</span><span class="p">,</span> <span class="nx">message</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="k">public</span> <span class="nx">code</span><span class="p">?:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">message</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">errorHandler</span><span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span> <span class="k">instanceof</span> <span class="nx">ZodError</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">422</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Invalid input</span><span class="dl">"</span><span class="p">,</span> <span class="na">issues</span><span class="p">:</span> <span class="nx">err</span><span class="p">.</span><span class="nx">issues</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span> <span class="k">instanceof</span> <span class="nx">HttpError</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="nx">err</span><span class="p">.</span><span class="nx">status</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span><span class="p">,</span> <span class="na">code</span><span class="p">:</span> <span class="nx">err</span><span class="p">.</span><span class="nx">code</span> <span class="p">});</span> <span class="p">}</span> <span class="nx">req</span><span class="p">.</span><span class="nx">log</span><span class="p">?.</span><span class="nf">error</span><span class="p">({</span> <span class="nx">err</span> <span class="p">},</span> <span class="dl">"</span><span class="s2">Unhandled error</span><span class="dl">"</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Internal server error</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>Senior level rule: <strong>the error middleware is the only place that decides the status and the body of an error response</strong>. Handlers throw, middleware translates. The system stays consistent.</p> <h2> Decision 8: Validate every input with Zod </h2> <p>Express does not validate anything for you. Use a Zod schema at the top of every handler, and you get safety, types, and a clear failure mode for free.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">z</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">zod</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">CreateSticky</span> <span class="o">=</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">body</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">min</span><span class="p">(</span><span class="mi">1</span><span class="p">).</span><span class="nf">max</span><span class="p">(</span><span class="mi">500</span><span class="p">),</span> <span class="na">tags</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">array</span><span class="p">(</span><span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">()).</span><span class="k">default</span><span class="p">([]),</span> <span class="na">color</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">enum</span><span class="p">([</span><span class="dl">"</span><span class="s2">yellow</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">pink</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">blue</span><span class="dl">"</span><span class="p">]).</span><span class="k">default</span><span class="p">(</span><span class="dl">"</span><span class="s2">yellow</span><span class="dl">"</span><span class="p">),</span> <span class="p">});</span> <span class="nx">r</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">"</span><span class="s2">/</span><span class="dl">"</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="nx">CreateSticky</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">);</span> <span class="c1">// throws ZodError on failure</span> <span class="kd">const</span> <span class="nx">sticky</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">stickies</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="nx">data</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">201</span><span class="p">).</span><span class="nf">json</span><span class="p">(</span><span class="nx">sticky</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>When <code>parse</code> throws, your error middleware turns it into a <code>422</code> with the issues. Hands free.</p> <p>If you want a one liner middleware version:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">validate</span> <span class="o">=</span> <span class="p">(</span><span class="nx">schemas</span><span class="p">:</span> <span class="p">{</span> <span class="nl">body</span><span class="p">?:</span> <span class="nx">ZodSchema</span><span class="p">;</span> <span class="nl">query</span><span class="p">?:</span> <span class="nx">ZodSchema</span><span class="p">;</span> <span class="nl">params</span><span class="p">?:</span> <span class="nx">ZodSchema</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">schemas</span><span class="p">.</span><span class="nx">body</span><span class="p">)</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span> <span class="o">=</span> <span class="nx">schemas</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">schemas</span><span class="p">.</span><span class="nx">query</span><span class="p">)</span> <span class="nx">req</span><span class="p">.</span><span class="nx">query</span> <span class="o">=</span> <span class="nx">schemas</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">schemas</span><span class="p">.</span><span class="nx">params</span><span class="p">)</span> <span class="nx">req</span><span class="p">.</span><span class="nx">params</span> <span class="o">=</span> <span class="nx">schemas</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">);</span> <span class="nf">next</span><span class="p">();</span> <span class="p">};</span> <span class="nx">r</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">"</span><span class="s2">/</span><span class="dl">"</span><span class="p">,</span> <span class="nf">validate</span><span class="p">({</span> <span class="na">body</span><span class="p">:</span> <span class="nx">CreateSticky</span> <span class="p">}),</span> <span class="nx">createSticky</span><span class="p">);</span> </code></pre> </div> <h2> Decision 9: Auth, the modern Node story </h2> <p>Express has zero auth out of the box, on purpose. Three patterns you will see:</p> <ul> <li> <strong>Session cookies</strong> with a store like <code>connect-redis</code>. Use <code>express-session</code> plus <code>cookie-parser</code>. The classic, still excellent for first party web apps.</li> <li> <strong>JWT in HttpOnly cookies</strong>, verified with a tiny middleware that reads the cookie, verifies the signature, and attaches <code>req.user</code>.</li> <li> <strong>Auth.js / Lucia / hosted services</strong> (Clerk, Kinde, WorkOS) when you want to stop thinking about auth.</li> </ul> <p>A minimal cookie session example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">session</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">express-session</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">RedisStore</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">connect-redis</span><span class="dl">"</span><span class="p">;</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">session</span><span class="p">({</span> <span class="na">store</span><span class="p">:</span> <span class="k">new</span> <span class="nc">RedisStore</span><span class="p">({</span> <span class="na">client</span><span class="p">:</span> <span class="nx">redis</span> <span class="p">}),</span> <span class="na">secret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SESSION_SECRET</span><span class="o">!</span><span class="p">,</span> <span class="na">cookie</span><span class="p">:</span> <span class="p">{</span> <span class="na">httpOnly</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">secure</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">sameSite</span><span class="p">:</span> <span class="dl">"</span><span class="s2">lax</span><span class="dl">"</span><span class="p">,</span> <span class="na">maxAge</span><span class="p">:</span> <span class="mi">1000</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">24</span> <span class="o">*</span> <span class="mi">7</span><span class="p">,</span> <span class="p">},</span> <span class="na">resave</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">saveUninitialized</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">}));</span> <span class="kd">function</span> <span class="nf">authRequired</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">req</span><span class="p">.</span><span class="nx">session</span><span class="p">.</span><span class="nx">userId</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">unauthorized</span><span class="dl">"</span> <span class="p">});</span> <span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/admin</span><span class="dl">"</span><span class="p">,</span> <span class="nx">authRequired</span><span class="p">);</span> </code></pre> </div> <p>Senior level rule: <strong>never trust the client about auth</strong>. The session check happens server side, on every protected request, in middleware.</p> <h2> Decision 10: Security middleware that should be on by default </h2> <p>A short checklist most teams skip and regret later:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">helmet</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">helmet</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">cors</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">cors</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">rateLimit</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">express-rate-limit</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">hpp</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">hpp</span><span class="dl">"</span><span class="p">;</span> <span class="nx">app</span><span class="p">.</span><span class="nf">disable</span><span class="p">(</span><span class="dl">"</span><span class="s2">x-powered-by</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// do not advertise the framework</span> <span class="nx">app</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">trust proxy</span><span class="dl">"</span><span class="p">,</span> <span class="mi">1</span><span class="p">);</span> <span class="c1">// honor X-Forwarded-* behind a proxy</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">helmet</span><span class="p">());</span> <span class="c1">// sets a dozen security headers</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">cors</span><span class="p">({</span> <span class="na">origin</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">WEB_ORIGIN</span><span class="p">,</span> <span class="na">credentials</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">hpp</span><span class="p">());</span> <span class="c1">// protects against parameter pollution</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/</span><span class="dl">"</span><span class="p">,</span> <span class="nf">rateLimit</span><span class="p">({</span> <span class="na">windowMs</span><span class="p">:</span> <span class="mi">60</span><span class="nx">_000</span><span class="p">,</span> <span class="na">limit</span><span class="p">:</span> <span class="mi">120</span><span class="p">,</span> <span class="na">standardHeaders</span><span class="p">:</span> <span class="dl">"</span><span class="s2">draft-7</span><span class="dl">"</span><span class="p">,</span> <span class="na">legacyHeaders</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">}));</span> </code></pre> </div> <p>The senior level extras:</p> <ul> <li> <strong>Set a body size limit</strong> on <code>express.json({ limit })</code>.</li> <li> <strong>Set timeouts</strong> on the server: <code>server.headersTimeout = 60_000; server.requestTimeout = 30_000;</code>.</li> <li> <strong>Validate every input.</strong> No exceptions.</li> <li> <strong>Use parameterized DB queries.</strong> No string concatenation.</li> </ul> <h2> Decision 11: TypeScript with Express, the friendly way </h2> <p>You can type Express by hand, or you can let inference do most of the work via Zod and a tiny helper:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">Response</span><span class="p">,</span> <span class="nx">NextFunction</span><span class="p">,</span> <span class="nx">RequestHandler</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">express</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// hand typed handler</span> <span class="kd">const</span> <span class="nx">createSticky</span><span class="p">:</span> <span class="nx">RequestHandler</span><span class="o">&lt;</span><span class="p">{},</span> <span class="nx">Sticky</span><span class="p">,</span> <span class="nx">CreateStickyDto</span><span class="o">&gt;</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">sticky</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">service</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">201</span><span class="p">).</span><span class="nf">json</span><span class="p">(</span><span class="nx">sticky</span><span class="p">);</span> <span class="p">};</span> </code></pre> </div> <p>The cleaner pattern in 2026: stop typing <code>req.body</code> by hand, let Zod validate and infer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">CreateSticky</span> <span class="o">=</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">body</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">tags</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">array</span><span class="p">(</span><span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">())</span> <span class="p">});</span> <span class="kd">type</span> <span class="nx">CreateStickyInput</span> <span class="o">=</span> <span class="nx">z</span><span class="p">.</span><span class="nx">infer</span><span class="o">&lt;</span><span class="k">typeof</span> <span class="nx">CreateSticky</span><span class="o">&gt;</span><span class="p">;</span> <span class="nx">r</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">"</span><span class="s2">/</span><span class="dl">"</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="na">data</span><span class="p">:</span> <span class="nx">CreateStickyInput</span> <span class="o">=</span> <span class="nx">CreateSticky</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">);</span> <span class="c1">// ...</span> <span class="p">});</span> </code></pre> </div> <p>For shared client / server typed contracts, look at <strong>ts-rest</strong> or <strong>tRPC</strong>. They put the schema in one place, both sides import it, no drift.</p> <h2> Decision 12: Testing Express handlers </h2> <p>Two patterns:</p> <h3> Supertest, the classic </h3> <p>Drives your Express app in memory, no real server needed. Works with Vitest or Jest.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">request</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">supertest</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">app</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../src/app</span><span class="dl">"</span><span class="p">;</span> <span class="nf">it</span><span class="p">(</span><span class="dl">"</span><span class="s2">creates a sticky</span><span class="dl">"</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">request</span><span class="p">(</span><span class="nx">app</span><span class="p">)</span> <span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/stickies</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">send</span><span class="p">({</span> <span class="na">body</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Buy milk</span><span class="dl">"</span> <span class="p">})</span> <span class="p">.</span><span class="nf">expect</span><span class="p">(</span><span class="mi">201</span><span class="p">);</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">res</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">body</span><span class="p">).</span><span class="nf">toBe</span><span class="p">(</span><span class="dl">"</span><span class="s2">Buy milk</span><span class="dl">"</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <h3> Real HTTP for integration tests </h3> <p>When you want the full stack (rate limit, auth, real database), run the app on an ephemeral port and hit it with <code>fetch</code>. Slower, more realistic. Pair with a transactional rollback per test or a Postgres / Mongo Memory Server.</p> <p>The boundary that gives the best return: <strong>one Supertest test per route</strong>. Hit the happy path, hit the validation error, hit the auth error. That covers most regressions in five minutes.</p> <h2> Decision 13: Graceful shutdown and observability </h2> <p>Senior level details that beginners skip:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="mi">3000</span><span class="p">);</span> <span class="kd">function</span> <span class="nf">shutdown</span><span class="p">(</span><span class="nx">signal</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`received </span><span class="p">${</span><span class="nx">signal</span><span class="p">}</span><span class="s2">, shutting down`</span><span class="p">);</span> <span class="nx">server</span><span class="p">.</span><span class="nf">close</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">db</span><span class="p">.</span><span class="nf">disconnect</span><span class="p">().</span><span class="k">finally</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="nx">process</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">));</span> <span class="p">});</span> <span class="nf">setTimeout</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="nx">process</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">),</span> <span class="mi">10</span><span class="nx">_000</span><span class="p">).</span><span class="nf">unref</span><span class="p">();</span> <span class="p">}</span> <span class="nx">process</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">"</span><span class="s2">SIGINT</span><span class="dl">"</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">shutdown</span><span class="p">(</span><span class="dl">"</span><span class="s2">SIGINT</span><span class="dl">"</span><span class="p">));</span> <span class="nx">process</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">"</span><span class="s2">SIGTERM</span><span class="dl">"</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">shutdown</span><span class="p">(</span><span class="dl">"</span><span class="s2">SIGTERM</span><span class="dl">"</span><span class="p">));</span> </code></pre> </div> <p>A long running process should drain in flight requests on SIGTERM, close the database, and only then exit. Without this, deploys interrupt users mid request.</p> <p>For logs and metrics: pick <strong>pino</strong> (fast structured logger) and <strong>OpenTelemetry</strong> (tracing and metrics). Drop a request id middleware so every log line is correlatable.</p> <h2> Decision 14: When to pick Express, when to pick something else </h2> <p>Senior engineers know when to reach for a different tool. The 2026 landscape:</p> <ul> <li> <strong>Express</strong>: the default for "I want a small server, I want to control everything". Tons of middleware, tons of tutorials, runs everywhere Node runs. Slower than the new generation, but only by milliseconds. For 99% of apps the difference does not matter.</li> <li> <strong>Fastify</strong>: a faster, more opinionated cousin of Express. Native schema validation (via Ajv), plugin system, very good performance. Pick this when throughput matters or you want stricter conventions.</li> <li> <strong>Hono</strong>: tiny, ultra fast, built for the edge (Cloudflare Workers, Bun, Deno, AWS Lambda). Same vibe as Express, modern API. Pick this when you target serverless or the edge.</li> <li> <strong>NestJS</strong>: a full framework on top of Express (or Fastify). Modules, controllers, dependency injection, opinionated patterns. Pick this when the team is large and you want structure for free. (See the NestJS post.)</li> <li> <strong>tRPC</strong>: not a server framework, a typed RPC layer. Sits inside an Express or Fastify app and gives you end to end type safety with no codegen. Pick this when client and server are both TypeScript and you control both.</li> </ul> <p>If you do not know what to pick, pick Express. It is the lingua franca. You can always migrate later.</p> <h2> A peek under the hood </h2> <p>What really happens when a request hits an Express app:</p> <ol> <li>Node's <code>http</code> server emits a <code>"request"</code> event with the raw <code>req</code> and <code>res</code>.</li> <li>Express's app function receives them. It walks its internal <strong>router stack</strong> (the middleware list).</li> <li>For each middleware, Express checks the path and method. If they match, the function runs.</li> <li> <code>next()</code> advances. <code>next(err)</code> skips to the next four argument middleware. A response (<code>res.send</code>, <code>res.json</code>, <code>res.end</code>) ends the chain.</li> <li>Once the response is committed, Node sends it back to the client and the request lifecycle ends.</li> </ol> <p>That whole loop is built on top of the <code>http</code> module. No magic, no proxy, no codegen. Express is, deep down, a very polished <code>for</code> loop over middleware functions. That clarity is its greatest gift.</p> <h2> Tiny tips that will save you later </h2> <ul> <li> <strong>Upgrade to Express 5.</strong> Free async error handling, free upgrades.</li> <li> <strong>Mount middleware in the right order.</strong> Helmet first, body parsers next, routes after, error handler last.</li> <li><strong>Set <code>app.disable("x-powered-by")</code>.</strong></li> <li> <strong>Always validate input with Zod.</strong> Trust nothing.</li> <li><strong>Limit body size.</strong></li> <li><strong>One router per resource. One file per router.</strong></li> <li><strong>Throw real <code>Error</code> objects with <code>cause</code>.</strong></li> <li> <strong>Never <code>console.log</code> in production code.</strong> Use pino or the framework logger of your choice, with structured fields.</li> <li> <strong>Add a <code>/health</code> endpoint.</strong> Your load balancer wants it.</li> <li><strong>Graceful shutdown on SIGTERM.</strong></li> <li> <strong>Use Supertest for handler tests.</strong> Fast feedback, real HTTP semantics.</li> <li> <strong>Generate API docs from Zod schemas</strong> with <code>zod-to-openapi</code>. Free OpenAPI spec, no extra source of truth.</li> </ul> <h2> Wrapping up </h2> <p>So that is the whole story. We were tired of fighting raw <code>node:http</code>. We built a tiny chassis that turns the request lifecycle into an assembly line of middleware. Each station does one thing. The first one to write a response stops the line. Routes are middleware that match a verb and a path. Errors are middleware with four arguments. Async errors, in Express 5, just work.</p> <p>We learned to mount security middleware first, validate every input with Zod, push business logic into services, return errors through a single error handler, and shut down gracefully when the platform asks. We picked routers as our unit of structure. We tested with Supertest. We compared Express to Fastify, Hono, NestJS, and tRPC, and learned when each one wins.</p> <p>Once that map is in your head, Express stops feeling like "the old way to write a Node server" and starts feeling like the calm, reliable backbone it has been for a decade. It is small enough to learn in an afternoon and deep enough to build a career on.</p> <p>Happy serving, and may your <code>next()</code> always lead somewhere useful.</p> learning express backend Mohamed Idris Fri, 22 May 2026 13:10:00 +0000 https://forem.com/edriso/learning-prisma-as-if-you-built-it-yourself-50bp https://forem.com/edriso/learning-prisma-as-if-you-built-it-yourself-50bp <p>If you have ever written raw SQL inside a real app, you already know the feeling. At first it looks fine, then a few weeks later you are staring at a 40 line query, scared to touch it because changing one comma might bring down half the website. Maintaining raw SQL across a growing app is just hard. The shape of the data changes, the team grows, the queries multiply, and suddenly you spend more time fixing strings than writing features.</p> <p>That is exactly the gap an ORM fills.</p> <h2> What is an ORM, really </h2> <p>Think of an ORM as a friendly translator. You speak your favorite programming language, and the translator turns it into SQL on the fly. You say "give me all users with their pets", and the translator quietly walks over to the database, writes the proper SQL, brings back the rows, and hands you back nice objects you can actually work with.</p> <p>No more building strings by hand. No more guessing if you forgot a <code>JOIN</code>. The translator knows the database, you stay in your language.</p> <h2> Let's pretend we are building one </h2> <p>We love JavaScript and TypeScript. So let's say we want to build our own ORM for the JS world. We will call it <strong>Prisma</strong>.</p> <p>Before we write a single query, we need a few decisions. These decisions are basically the design of the whole library, and once you see them, every Prisma snippet on the internet starts to feel obvious.</p> <h2> Decision 1: We need a map of the database </h2> <p>The translator can only translate if it knows the language. So our ORM needs to know what tables exist, what columns they have, what types those columns are, and how tables relate to each other.</p> <p>We could read this from the database every time, but that is slow and fragile. So instead we ask the developer to write it down once, in a file we will call <code>schema.prisma</code>. This becomes the single source of truth.</p> <p>Here is what a tiny pet adoption app might look like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>// schema.prisma generator client { provider = "prisma-client-js" } datasource db { provider = "postgresql" url = env("DATABASE_URL") } model User { id Int @id @default(autoincrement()) name String email String @unique pets Pet[] } model Pet { id Int @id @default(autoincrement()) name String species String adoptedAt DateTime? owner User? @relation(fields: [ownerId], references: [id]) ownerId Int? } </code></pre> </div> <p>Three blocks, each with a clear job:</p> <ul> <li> <code>generator</code> tells Prisma what kind of client to build for us. We picked the JS one.</li> <li> <code>datasource</code> tells Prisma which database we are talking to and where it lives.</li> <li> <code>model</code> blocks describe our tables. Each line is a column, with a type and optional attributes.</li> </ul> <p>A few cute things to notice:</p> <ul> <li> <code>@id</code> says this is the primary key.</li> <li> <code>@default(autoincrement())</code> means the database fills it in for us.</li> <li> <code>@unique</code> adds a uniqueness constraint, like for emails.</li> <li> <code>pets Pet[]</code> says a user has many pets. The <code>[]</code> after <code>Pet</code> is what tells you it is a list, not just one.</li> <li>The <code>?</code> after a type (like <code>User?</code> and <code>Int?</code>) means "this is optional, it can be empty". Without <code>?</code>, the field is required.</li> <li>The matching <code>owner</code> and <code>ownerId</code> on <code>Pet</code> is how we say "each pet belongs to one user". <code>@relation</code> wires the foreign key.</li> </ul> <p>About that <code>?</code>: this is a pet adoption app, so a pet can sit in the shelter for a while with no owner yet. Making <code>owner</code> and <code>ownerId</code> optional says "a pet may or may not have a human". Same idea for <code>adoptedAt</code>: no adoption date until they are actually adopted. If we wanted to force every pet to have an owner from day one, we would drop the <code>?</code> and the database would refuse to create a pet without one.</p> <p>That is the whole schema. No SQL yet.</p> <h2> Decision 2: Turn the schema into actual code </h2> <p>Now the magic step. We run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx prisma migrate dev <span class="nt">--name</span> init </code></pre> </div> <p>This does two things at once. It creates the SQL tables in the database to match our schema, and it generates a Prisma Client tailored to those exact models. The client is regular JS/TS code that lives in <code>node_modules/@prisma/client</code> (or a custom folder you point to). Every time the schema changes, you regenerate, and the client updates with it.</p> <p>This is the part people miss when they first see Prisma. The client is not a generic library. It is custom built for <strong>your</strong> schema. That is why autocomplete knows your fields, your relations, and your types. Nothing is guessed.</p> <h2> Decision 3: Every call starts with <code>prisma</code> </h2> <p>We agreed early on that every query in our ORM should start with the same word, so the API feels predictable. We went with <code>prisma</code>, which is the instance of the generated client.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">PrismaClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@prisma/client</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">prisma</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PrismaClient</span><span class="p">();</span> </code></pre> </div> <p>What is <code>prisma</code> here? It is the client object we just generated. Under the hood, when you call something on it, the client builds a structured query, hands it to a query engine (a small native binary that ships with Prisma), and the engine talks to the actual database, gets the rows, and returns them as plain JS objects with full types attached. You never see the SQL unless you ask for it.</p> <p>So when you read <code>prisma.something.somethingElse(...)</code>, you can read it like a sentence:</p> <blockquote> <p>Hey Prisma client, on the <strong>User</strong> table, please <strong>find many</strong> rows that match this.</p> </blockquote> <p>Let's see it.</p> <h2> Decision 4: After <code>prisma.</code>, you name the table </h2> <p>We called these "models" in the schema, and they map one to one with the lowercase property on the client. So <code>model User</code> becomes <code>prisma.user</code>, <code>model Pet</code> becomes <code>prisma.pet</code>. Simple rule.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">;</span> <span class="c1">// the users table</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">pet</span><span class="p">;</span> <span class="c1">// the pets table</span> </code></pre> </div> <p>Nothing happens yet. We are just pointing at a table. The action comes next.</p> <h2> Decision 5: After the model, you pick a command </h2> <p>Each model has the same set of commands, because every table can be read, written to, updated, and deleted. The names are boring on purpose, which is good, because boring is easy to remember.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">findMany</span><span class="p">();</span> <span class="c1">// get a list</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">findUnique</span><span class="p">();</span> <span class="c1">// get one by a unique field</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">findFirst</span><span class="p">();</span> <span class="c1">// get the first that matches</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">create</span><span class="p">();</span> <span class="c1">// insert a row</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">update</span><span class="p">();</span> <span class="c1">// change a row</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="k">delete</span><span class="p">();</span> <span class="c1">// delete a row</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">upsert</span><span class="p">();</span> <span class="c1">// update if it exists, otherwise create</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">count</span><span class="p">();</span> <span class="c1">// how many match</span> </code></pre> </div> <p>That is basically the whole vocabulary. Once you learn it for <code>user</code>, you know it for every other model in your schema.</p> <h2> Decision 6: Inside the command, you describe what you want </h2> <p>Most commands take a single object as the argument, and the keys of that object are little instructions. Think of it as filling out a form.</p> <p>The most useful keys are:</p> <ul> <li> <code>where</code> to filter</li> <li> <code>data</code> to write</li> <li> <code>select</code> to pick which fields come back</li> <li> <code>include</code> to pull related rows</li> <li> <code>orderBy</code>, <code>take</code>, <code>skip</code> for sorting and paginating</li> </ul> <p>Let's adopt some pets.</p> <h3> Creating a user </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">mia</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Mia</span><span class="dl">"</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="dl">"</span><span class="s2">mia@cats.dev</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p><code>data</code> is what we are putting into the row. Notice how we did not pass <code>id</code> or <code>pets</code>. The id is auto, and pets is a relation we have not used yet.</p> <h3> Finding a user </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">someone</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">findUnique</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">email</span><span class="p">:</span> <span class="dl">"</span><span class="s2">mia@cats.dev</span><span class="dl">"</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p><code>where</code> only accepts unique fields here, because <code>findUnique</code> is supposed to return at most one. If you want to filter on anything, use <code>findMany</code> or <code>findFirst</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">miaLikes</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">findMany</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="p">{</span> <span class="na">contains</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Mia</span><span class="dl">"</span> <span class="p">},</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p>That <code>contains</code> is one of many handy filters Prisma gives you. There is <code>equals</code>, <code>not</code>, <code>in</code>, <code>startsWith</code>, <code>endsWith</code>, <code>gt</code>, <code>lt</code>, and so on. Same idea: it is just a key in the form.</p> <h3> Updating </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">update</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">mia</span><span class="p">.</span><span class="nx">id</span> <span class="p">},</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Mia Rose</span><span class="dl">"</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p>Two keys here. <code>where</code> says which row, <code>data</code> says what to change. Reads like English.</p> <h3> Deleting </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="k">delete</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">mia</span><span class="p">.</span><span class="nx">id</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p>Same shape. Just <code>where</code>.</p> <h2> Decision 7: Joining tables with <code>include</code> </h2> <p>Now to the fun part. We promised a translator that handles relations for us. So when we want a user <strong>with</strong> their pets, we should not have to write a JOIN by hand.</p> <p>We added a key called <code>include</code>. You hand it the names of the relations you want pulled in, and it returns nested data:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">usersWithPets</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">findMany</span><span class="p">({</span> <span class="na">include</span><span class="p">:</span> <span class="p">{</span> <span class="na">pets</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p>The result looks like this, naturally nested:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="p">[</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Mia Rose</span><span class="dl">"</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="dl">"</span><span class="s2">mia@cats.dev</span><span class="dl">"</span><span class="p">,</span> <span class="na">pets</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Whiskers</span><span class="dl">"</span><span class="p">,</span> <span class="na">species</span><span class="p">:</span> <span class="dl">"</span><span class="s2">cat</span><span class="dl">"</span><span class="p">,</span> <span class="na">ownerId</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">adoptedAt</span><span class="p">:</span> <span class="p">...</span> <span class="p">},</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="mi">2</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Mochi</span><span class="dl">"</span><span class="p">,</span> <span class="na">species</span><span class="p">:</span> <span class="dl">"</span><span class="s2">cat</span><span class="dl">"</span><span class="p">,</span> <span class="na">ownerId</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">adoptedAt</span><span class="p">:</span> <span class="p">...</span> <span class="p">},</span> <span class="p">],</span> <span class="p">},</span> <span class="p">...</span> <span class="p">]</span> </code></pre> </div> <p>Under the hood, Prisma does the right thing for you. It might use a JOIN, it might use two queries and stitch them together, depending on the relation and the database. You do not have to care.</p> <p>You can go deeper too. Let's get every user, with their pets, and only the pet's name:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">cuteList</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">findMany</span><span class="p">({</span> <span class="na">include</span><span class="p">:</span> <span class="p">{</span> <span class="na">pets</span><span class="p">:</span> <span class="p">{</span> <span class="na">select</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="p">},</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p><code>select</code> is the cousin of <code>include</code>. While <code>include</code> says "give me the related rows on top of everything else", <code>select</code> says "give me ONLY these fields". You can mix them, and Prisma's types follow along, so the returned object literally has only the fields you picked. No more guessing what the API returned.</p> <p>You can even create related rows together, in one call:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Sam</span><span class="dl">"</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="dl">"</span><span class="s2">sam@dogs.dev</span><span class="dl">"</span><span class="p">,</span> <span class="na">pets</span><span class="p">:</span> <span class="p">{</span> <span class="na">create</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Biscuit</span><span class="dl">"</span><span class="p">,</span> <span class="na">species</span><span class="p">:</span> <span class="dl">"</span><span class="s2">dog</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Pepper</span><span class="dl">"</span><span class="p">,</span> <span class="na">species</span><span class="p">:</span> <span class="dl">"</span><span class="s2">cat</span><span class="dl">"</span> <span class="p">},</span> <span class="p">],</span> <span class="p">},</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p>One round trip, two tables, zero SQL written by you. That moment is when most people fall in love with Prisma.</p> <h2> Decision 8: Migrations are part of the story </h2> <p>Schemas change. We add a column, we rename a field, we add a new model. Our ORM should make that safe.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># After changing schema.prisma</span> npx prisma migrate dev <span class="nt">--name</span> added_age_to_pet </code></pre> </div> <p>This generates a SQL migration file, applies it to your dev database, and regenerates the client so your code knows about the new field. In production you usually run <code>prisma migrate deploy</code>, which only applies already created migrations, no surprises.</p> <p>Migrations are versioned files in your repo, so your database history lives next to your code history. Future you will be grateful.</p> <h2> A peek under the hood </h2> <p>So what really happens when you write this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">u</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">findUnique</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">email</span><span class="p">:</span> <span class="dl">"</span><span class="s2">mia@cats.dev</span><span class="dl">"</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>Roughly:</p> <ol> <li>The Prisma Client (the generated JS) takes your call and builds a structured query, kind of like a JSON description of the request.</li> <li>It sends that to the query engine, a small process or module that ships with Prisma.</li> <li>The engine turns it into actual SQL for your database (Postgres, MySQL, SQLite, SQL Server, MongoDB, and so on).</li> <li>It runs the SQL, gets the rows, and shapes them back into the typed object you expected.</li> <li>You get a fully typed <code>User</code> (or <code>null</code>) back in your <code>await</code>.</li> </ol> <p>That layered design is why Prisma can support different databases without changing your app code, and why the types are so accurate. The shape of every return value is computed from your schema and the exact <code>select</code> or <code>include</code> you used.</p> <h2> Tiny tips that will save you later </h2> <ul> <li>Run <code>npx prisma studio</code> when you want a quick GUI to peek at your data. It feels like cheating.</li> <li>Keep one <code>PrismaClient</code> instance across your app. In dev with hot reload, stash it on <code>globalThis</code> so you do not open a hundred connections.</li> <li>If a query feels slow, log the SQL with <code>new PrismaClient({ log: ["query"] })</code> and see what is happening. Indexes still matter.</li> <li>Use <code>select</code> aggressively in hot paths so you only fetch what you need.</li> <li>Read the error messages. Prisma errors are weirdly nice.</li> </ul> <h2> Wrapping up </h2> <p>So that is the whole story. We wanted to stop wrestling with raw SQL. We built a translator. We taught it our database with <code>schema.prisma</code>. We generated a custom client called <code>prisma</code>. We agreed every call follows the same little shape:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">prisma</span><span class="p">.</span><span class="o">&lt;</span><span class="nx">model</span><span class="o">&gt;</span><span class="p">.</span><span class="o">&lt;</span><span class="nx">command</span><span class="o">&gt;</span><span class="p">({</span> <span class="nx">where</span><span class="p">,</span> <span class="nx">data</span><span class="p">,</span> <span class="nx">select</span><span class="p">,</span> <span class="nx">include</span><span class="p">,</span> <span class="p">...</span> <span class="p">});</span> </code></pre> </div> <p>Read it as: client, then table, then verb, then a small form describing the details. That single shape covers reads, writes, updates, deletes, filters, sorts, pagination, and even joins.</p> <p>Once that shape clicks, Prisma stops feeling like a library you are learning, and starts feeling like a translator you trust.</p> <p>Happy querying, and give your pets a treat from me.</p> learning prisma database orm Mohamed Idris Thu, 21 May 2026 13:08:00 +0000 https://forem.com/edriso/learning-mongodb-as-if-you-built-it-yourself-4djp https://forem.com/edriso/learning-mongodb-as-if-you-built-it-yourself-4djp <p>If you have ever tried to fit a messy real world thing into rigid SQL tables, you remember the feeling. A user has zero, one, or many addresses. Each address has a label, sometimes a unit number, sometimes notes. So you make an <code>addresses</code> table. Now every read needs a join. Then a customer feature ships that needs "favorite delivery instructions per address per day of the week", and your diagram grows three more boxes.</p> <p>The shape of your data changed faster than your schema could keep up. Every change meant a migration, a deploy, and a small panic.</p> <p>That is the gap MongoDB fills.</p> <h2> What is MongoDB, really </h2> <p>Think of MongoDB as <strong>a giant filing cabinet of folders</strong>. Each folder is a complete dossier on one thing. A user folder contains the user's name, their preferences, all their addresses, even their three latest orders if you want them right there. You do not have to open six folders and staple them together to learn about the user. Everything that belongs together lives together.</p> <p>The folders are JSON like documents. The cabinet drawers are called <strong>collections</strong>. The cabinet itself is the <strong>database</strong>. There are no tables, no rigid columns, and no joins required for the common case. You ask for the folder, you get the folder.</p> <p>The price for that flexibility is responsibility: the database is not going to enforce your schema for you unless you ask it to, and if you store data sloppily, you will read it back sloppily.</p> <p>That is the whole vibe.</p> <h2> Let's pretend we are building one </h2> <p>We want a database that stores data the way our app already thinks about it (as nested objects), scales out across many machines, and lets us evolve schemas without crying. We will call it <strong>MongoDB</strong>.</p> <p>For the running example, we are building a tiny <strong>recipe app</strong>. Recipes have ingredients, steps, tags, comments. Perfect for showing off documents.</p> <h2> Decision 1: The unit of data is a document, not a row </h2> <p>A document is a JSON object. (Internally, it is <strong>BSON</strong>, a binary form of JSON that adds types like <code>Date</code>, <code>ObjectId</code>, <code>Decimal128</code>, and binary blobs.) It can have arrays. It can have nested objects. It can be thirty fields deep. It is not a row.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="p">{</span> <span class="nl">_id</span><span class="p">:</span> <span class="nc">ObjectId</span><span class="p">(</span><span class="dl">"</span><span class="s2">65fa1c...</span><span class="dl">"</span><span class="p">),</span> <span class="nx">title</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Mochi Cookies</span><span class="dl">"</span><span class="p">,</span> <span class="nx">author</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Mia</span><span class="dl">"</span><span class="p">,</span> <span class="nx">tags</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">dessert</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">japanese</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">easy</span><span class="dl">"</span><span class="p">],</span> <span class="nx">ingredients</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">rice flour</span><span class="dl">"</span><span class="p">,</span> <span class="na">amount</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">unit</span><span class="p">:</span> <span class="dl">"</span><span class="s2">g</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">sugar</span><span class="dl">"</span><span class="p">,</span> <span class="na">amount</span><span class="p">:</span> <span class="mi">80</span><span class="p">,</span> <span class="na">unit</span><span class="p">:</span> <span class="dl">"</span><span class="s2">g</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">milk</span><span class="dl">"</span><span class="p">,</span> <span class="na">amount</span><span class="p">:</span> <span class="mi">250</span><span class="p">,</span> <span class="na">unit</span><span class="p">:</span> <span class="dl">"</span><span class="s2">ml</span><span class="dl">"</span> <span class="p">}</span> <span class="p">],</span> <span class="nx">steps</span><span class="p">:</span> <span class="p">[</span> <span class="dl">"</span><span class="s2">Mix dry ingredients.</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Add milk slowly while whisking.</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Cook on medium heat until smooth.</span><span class="dl">"</span> <span class="p">],</span> <span class="nx">prepMinutes</span><span class="p">:</span> <span class="mi">20</span><span class="p">,</span> <span class="nx">createdAt</span><span class="p">:</span> <span class="nc">ISODate</span><span class="p">(</span><span class="dl">"</span><span class="s2">2026-04-01T10:00:00Z</span><span class="dl">"</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>A few things worth pausing on:</p> <ul> <li> <strong>Every document has an <code>_id</code>.</strong> If you do not provide one, the driver creates an <code>ObjectId</code> for you. It is sortable by time and unique across the cluster.</li> <li> <strong>Schemas are flexible.</strong> Two recipes in the same collection do not need identical fields.</li> <li> <strong>Arrays are first class.</strong> No "join table" needed for tags, steps, or ingredients on a recipe.</li> <li> <strong>There is no enforced schema by default.</strong> This is a feature and a footgun. We will add validation in a moment.</li> </ul> <h2> Decision 2: Four verbs, just like SQL </h2> <p>The mental model is familiar. We just talk to documents instead of rows.</p> <h3> Insert </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">db</span><span class="p">.</span><span class="nx">recipes</span><span class="p">.</span><span class="nf">insertOne</span><span class="p">({</span> <span class="na">title</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Mochi Cookies</span><span class="dl">"</span><span class="p">,</span> <span class="na">author</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Mia</span><span class="dl">"</span><span class="p">,</span> <span class="na">tags</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">dessert</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">japanese</span><span class="dl">"</span><span class="p">],</span> <span class="na">prepMinutes</span><span class="p">:</span> <span class="mi">20</span><span class="p">,</span> <span class="na">createdAt</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(),</span> <span class="p">});</span> <span class="nx">db</span><span class="p">.</span><span class="nx">recipes</span><span class="p">.</span><span class="nf">insertMany</span><span class="p">([</span> <span class="p">{</span> <span class="na">title</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Miso Soup</span><span class="dl">"</span><span class="p">,</span> <span class="na">prepMinutes</span><span class="p">:</span> <span class="mi">10</span> <span class="p">},</span> <span class="p">{</span> <span class="na">title</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Onigiri</span><span class="dl">"</span><span class="p">,</span> <span class="na">prepMinutes</span><span class="p">:</span> <span class="mi">15</span> <span class="p">},</span> <span class="p">]);</span> </code></pre> </div> <h3> Find (the workhorse) </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">db</span><span class="p">.</span><span class="nx">recipes</span><span class="p">.</span><span class="nf">find</span><span class="p">({</span> <span class="na">tags</span><span class="p">:</span> <span class="dl">"</span><span class="s2">dessert</span><span class="dl">"</span> <span class="p">});</span> <span class="nx">db</span><span class="p">.</span><span class="nx">recipes</span><span class="p">.</span><span class="nf">findOne</span><span class="p">({</span> <span class="na">_id</span><span class="p">:</span> <span class="nc">ObjectId</span><span class="p">(</span><span class="dl">"</span><span class="s2">65fa1c...</span><span class="dl">"</span><span class="p">)</span> <span class="p">});</span> <span class="nx">db</span><span class="p">.</span><span class="nx">recipes</span><span class="p">.</span><span class="nf">find</span><span class="p">({},</span> <span class="p">{</span> <span class="na">projection</span><span class="p">:</span> <span class="p">{</span> <span class="na">title</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">prepMinutes</span><span class="p">:</span> <span class="mi">1</span> <span class="p">}</span> <span class="p">});</span> <span class="c1">// only those fields</span> <span class="nx">db</span><span class="p">.</span><span class="nx">recipes</span><span class="p">.</span><span class="nf">find</span><span class="p">({</span> <span class="na">prepMinutes</span><span class="p">:</span> <span class="p">{</span> <span class="na">$lte</span><span class="p">:</span> <span class="mi">15</span> <span class="p">}</span> <span class="p">})</span> <span class="p">.</span><span class="nf">sort</span><span class="p">({</span> <span class="na">prepMinutes</span><span class="p">:</span> <span class="mi">1</span> <span class="p">})</span> <span class="p">.</span><span class="nf">limit</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span> </code></pre> </div> <p><code>find</code> returns a cursor. You stream from it. <code>findOne</code> returns one document or <code>null</code>.</p> <h3> Update </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">db</span><span class="p">.</span><span class="nx">recipes</span><span class="p">.</span><span class="nf">updateOne</span><span class="p">(</span> <span class="p">{</span> <span class="na">_id</span><span class="p">:</span> <span class="nc">ObjectId</span><span class="p">(</span><span class="dl">"</span><span class="s2">65fa1c...</span><span class="dl">"</span><span class="p">)</span> <span class="p">},</span> <span class="p">{</span> <span class="na">$set</span><span class="p">:</span> <span class="p">{</span> <span class="na">prepMinutes</span><span class="p">:</span> <span class="mi">18</span> <span class="p">}</span> <span class="p">}</span> <span class="p">);</span> <span class="nx">db</span><span class="p">.</span><span class="nx">recipes</span><span class="p">.</span><span class="nf">updateMany</span><span class="p">(</span> <span class="p">{</span> <span class="na">tags</span><span class="p">:</span> <span class="dl">"</span><span class="s2">japanese</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">$addToSet</span><span class="p">:</span> <span class="p">{</span> <span class="na">tags</span><span class="p">:</span> <span class="dl">"</span><span class="s2">asian</span><span class="dl">"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">);</span> </code></pre> </div> <p>Notice the dollar prefixed operators. They are how you describe <strong>what</strong> to do, not the literal new document. If you write <code>{ $set: { x: 1 } }</code>, you set field <code>x</code>. If you forget the operator and write just <code>{ x: 1 }</code>, you replace the entire document with <code>{ x: 1 }</code>. Yes, that bug stings the first time.</p> <h3> Delete </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">db</span><span class="p">.</span><span class="nx">recipes</span><span class="p">.</span><span class="nf">deleteOne</span><span class="p">({</span> <span class="na">_id</span><span class="p">:</span> <span class="nc">ObjectId</span><span class="p">(</span><span class="dl">"</span><span class="s2">65fa1c...</span><span class="dl">"</span><span class="p">)</span> <span class="p">});</span> <span class="nx">db</span><span class="p">.</span><span class="nx">recipes</span><span class="p">.</span><span class="nf">deleteMany</span><span class="p">({</span> <span class="na">tags</span><span class="p">:</span> <span class="dl">"</span><span class="s2">spam</span><span class="dl">"</span> <span class="p">});</span> </code></pre> </div> <h2> Decision 3: Query operators, the dollar sign menu </h2> <p>Inside a query, MongoDB has a small language of operators. The greatest hits:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">db</span><span class="p">.</span><span class="nx">recipes</span><span class="p">.</span><span class="nf">find</span><span class="p">({</span> <span class="na">prepMinutes</span><span class="p">:</span> <span class="p">{</span> <span class="na">$gt</span><span class="p">:</span> <span class="mi">10</span><span class="p">,</span> <span class="na">$lte</span><span class="p">:</span> <span class="mi">30</span> <span class="p">},</span> <span class="na">tags</span><span class="p">:</span> <span class="p">{</span> <span class="na">$in</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">dessert</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">snack</span><span class="dl">"</span><span class="p">]</span> <span class="p">},</span> <span class="na">author</span><span class="p">:</span> <span class="p">{</span> <span class="na">$ne</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Anonymous</span><span class="dl">"</span> <span class="p">},</span> <span class="na">createdAt</span><span class="p">:</span> <span class="p">{</span> <span class="na">$gte</span><span class="p">:</span> <span class="nc">ISODate</span><span class="p">(</span><span class="dl">"</span><span class="s2">2026-01-01</span><span class="dl">"</span><span class="p">)</span> <span class="p">},</span> <span class="na">notes</span><span class="p">:</span> <span class="p">{</span> <span class="na">$exists</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p>The comparison operators: <code>$eq</code>, <code>$ne</code>, <code>$gt</code>, <code>$gte</code>, <code>$lt</code>, <code>$lte</code>, <code>$in</code>, <code>$nin</code>.</p> <p>Logical operators (when AND of fields is not enough):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">db</span><span class="p">.</span><span class="nx">recipes</span><span class="p">.</span><span class="nf">find</span><span class="p">({</span> <span class="na">$or</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">prepMinutes</span><span class="p">:</span> <span class="p">{</span> <span class="na">$lt</span><span class="p">:</span> <span class="mi">5</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="na">tags</span><span class="p">:</span> <span class="dl">"</span><span class="s2">easy</span><span class="dl">"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">});</span> </code></pre> </div> <p>Querying inside arrays is shockingly useful:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// any ingredient with name "sugar"</span> <span class="nx">db</span><span class="p">.</span><span class="nx">recipes</span><span class="p">.</span><span class="nf">find</span><span class="p">({</span> <span class="dl">"</span><span class="s2">ingredients.name</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">sugar</span><span class="dl">"</span> <span class="p">});</span> <span class="c1">// at least one ingredient with name "sugar" AND amount &gt; 50, on the same element</span> <span class="nx">db</span><span class="p">.</span><span class="nx">recipes</span><span class="p">.</span><span class="nf">find</span><span class="p">({</span> <span class="na">ingredients</span><span class="p">:</span> <span class="p">{</span> <span class="na">$elemMatch</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">sugar</span><span class="dl">"</span><span class="p">,</span> <span class="na">amount</span><span class="p">:</span> <span class="p">{</span> <span class="na">$gt</span><span class="p">:</span> <span class="mi">50</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">});</span> <span class="c1">// a recipe with all of these tags</span> <span class="nx">db</span><span class="p">.</span><span class="nx">recipes</span><span class="p">.</span><span class="nf">find</span><span class="p">({</span> <span class="na">tags</span><span class="p">:</span> <span class="p">{</span> <span class="na">$all</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">easy</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">dessert</span><span class="dl">"</span><span class="p">]</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>Update operators are a parallel menu:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">db</span><span class="p">.</span><span class="nx">recipes</span><span class="p">.</span><span class="nf">updateOne</span><span class="p">({</span> <span class="na">_id</span><span class="p">:</span> <span class="nx">id</span> <span class="p">},</span> <span class="p">{</span> <span class="na">$set</span><span class="p">:</span> <span class="p">{</span> <span class="na">prepMinutes</span><span class="p">:</span> <span class="mi">25</span> <span class="p">},</span> <span class="na">$inc</span><span class="p">:</span> <span class="p">{</span> <span class="na">views</span><span class="p">:</span> <span class="mi">1</span> <span class="p">},</span> <span class="na">$push</span><span class="p">:</span> <span class="p">{</span> <span class="na">tags</span><span class="p">:</span> <span class="dl">"</span><span class="s2">popular</span><span class="dl">"</span> <span class="p">},</span> <span class="na">$addToSet</span><span class="p">:</span> <span class="p">{</span> <span class="na">tags</span><span class="p">:</span> <span class="dl">"</span><span class="s2">popular</span><span class="dl">"</span> <span class="p">},</span> <span class="c1">// push but only if not already there</span> <span class="na">$pull</span><span class="p">:</span> <span class="p">{</span> <span class="na">tags</span><span class="p">:</span> <span class="dl">"</span><span class="s2">draft</span><span class="dl">"</span> <span class="p">},</span> <span class="na">$unset</span><span class="p">:</span> <span class="p">{</span> <span class="na">temporaryNote</span><span class="p">:</span> <span class="dl">""</span> <span class="p">},</span> <span class="na">$rename</span><span class="p">:</span> <span class="p">{</span> <span class="na">oldField</span><span class="p">:</span> <span class="dl">"</span><span class="s2">newField</span><span class="dl">"</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>If you remember three operators, remember <code>$set</code>, <code>$inc</code>, and <code>$addToSet</code>. You will reach for them every day.</p> <h2> Decision 4: Schema design, the part that actually matters </h2> <p>Here is the truth that catches every newcomer: in MongoDB, <strong>schema design is 90% of your job</strong>, even though there is no enforced schema. The flexibility is real, but the wrong shape is still going to hurt you.</p> <p>The single most important decision is <strong>embed or reference</strong>.</p> <h3> Embed when data is owned and read together </h3> <p>A recipe owns its ingredients. They are not shared with other recipes. They are read every time you read the recipe. So embed them right inside the recipe document.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="p">{</span> <span class="nl">title</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Mochi Cookies</span><span class="dl">"</span><span class="p">,</span> <span class="nx">ingredients</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">rice flour</span><span class="dl">"</span><span class="p">,</span> <span class="na">amount</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">unit</span><span class="p">:</span> <span class="dl">"</span><span class="s2">g</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">sugar</span><span class="dl">"</span><span class="p">,</span> <span class="na">amount</span><span class="p">:</span> <span class="mi">80</span><span class="p">,</span> <span class="na">unit</span><span class="p">:</span> <span class="dl">"</span><span class="s2">g</span><span class="dl">"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>One read, all the data. No joins. This is MongoDB's superpower.</p> <h3> Reference when data is shared or grows without bound </h3> <p>If a recipe is part of a cookbook, and a cookbook can have hundreds of recipes, you do not embed all the recipes inside the cookbook. You store the recipe ids:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// cookbooks</span> <span class="p">{</span> <span class="nl">_id</span><span class="p">:</span> <span class="nc">ObjectId</span><span class="p">(</span><span class="dl">"</span><span class="s2">c1</span><span class="dl">"</span><span class="p">),</span> <span class="nx">title</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Tiny Asian Bites</span><span class="dl">"</span><span class="p">,</span> <span class="nx">recipeIds</span><span class="p">:</span> <span class="p">[</span><span class="nc">ObjectId</span><span class="p">(</span><span class="dl">"</span><span class="s2">r1</span><span class="dl">"</span><span class="p">),</span> <span class="nc">ObjectId</span><span class="p">(</span><span class="dl">"</span><span class="s2">r2</span><span class="dl">"</span><span class="p">)]</span> <span class="p">}</span> <span class="c1">// recipes</span> <span class="p">{</span> <span class="na">_id</span><span class="p">:</span> <span class="nc">ObjectId</span><span class="p">(</span><span class="dl">"</span><span class="s2">r1</span><span class="dl">"</span><span class="p">),</span> <span class="na">title</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Mochi Cookies</span><span class="dl">"</span><span class="p">,</span> <span class="p">...</span> <span class="p">}</span> </code></pre> </div> <p>Then you fetch the recipes separately (or with <code>$lookup</code>, see the aggregation pipeline soon).</p> <h3> The rule of thumb </h3> <ul> <li> <strong>One to few</strong>: embed. (A user with 3 addresses.)</li> <li> <strong>One to many but bounded and small</strong>: embed. (A blog post with 50 comments? Probably embed. With 5,000? Reference.)</li> <li> <strong>One to many, unbounded or shared</strong>: reference.</li> <li> <strong>Many to many</strong>: reference, with arrays of ids on one side or both.</li> </ul> <p>There is also a maximum document size: <strong>16 MB</strong>. If a document is approaching that limit, your model is wrong.</p> <p>A few more design patterns that show up in production:</p> <ul> <li> <strong>Bucket pattern</strong>: instead of one document per sensor reading per second, store one document per minute (or hour) holding an array of readings. Way fewer documents, better cache use, much faster aggregations.</li> <li> <strong>Computed pattern</strong>: precompute aggregates and store them on the parent (<code>commentCount</code>, <code>totalSpentCents</code>). Update them on writes. The read becomes free.</li> <li> <strong>Extended reference</strong>: when you reference, copy the few fields you almost always need (a recipe stores <code>author: { _id, name, avatarUrl }</code>). Saves a join. Trade off: you must update the copy when the source changes.</li> <li> <strong>Schema versioning</strong>: store a <code>schemaVersion: 2</code> field on every document. Migrating becomes "any document still on v1 gets transformed lazily on read".</li> </ul> <p>These patterns are why senior MongoDB feels different from senior SQL. You design for the read, not the write.</p> <h2> Decision 5: Validate at the door anyway </h2> <p>Schemaless feels great until a typo in your code writes <code>{ tile: "Mochi" }</code> instead of <code>{ title: "Mochi" }</code> for three weeks before anyone notices. So MongoDB lets you bolt on <strong>JSON Schema validation</strong> at the collection level:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">db</span><span class="p">.</span><span class="nf">createCollection</span><span class="p">(</span><span class="dl">"</span><span class="s2">recipes</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">validator</span><span class="p">:</span> <span class="p">{</span> <span class="na">$jsonSchema</span><span class="p">:</span> <span class="p">{</span> <span class="na">bsonType</span><span class="p">:</span> <span class="dl">"</span><span class="s2">object</span><span class="dl">"</span><span class="p">,</span> <span class="na">required</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">title</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">createdAt</span><span class="dl">"</span><span class="p">],</span> <span class="na">properties</span><span class="p">:</span> <span class="p">{</span> <span class="na">title</span><span class="p">:</span> <span class="p">{</span> <span class="na">bsonType</span><span class="p">:</span> <span class="dl">"</span><span class="s2">string</span><span class="dl">"</span><span class="p">,</span> <span class="na">minLength</span><span class="p">:</span> <span class="mi">1</span> <span class="p">},</span> <span class="na">prepMinutes</span><span class="p">:</span> <span class="p">{</span> <span class="na">bsonType</span><span class="p">:</span> <span class="dl">"</span><span class="s2">int</span><span class="dl">"</span><span class="p">,</span> <span class="na">minimum</span><span class="p">:</span> <span class="mi">0</span> <span class="p">},</span> <span class="na">tags</span><span class="p">:</span> <span class="p">{</span> <span class="na">bsonType</span><span class="p">:</span> <span class="dl">"</span><span class="s2">array</span><span class="dl">"</span><span class="p">,</span> <span class="na">items</span><span class="p">:</span> <span class="p">{</span> <span class="na">bsonType</span><span class="p">:</span> <span class="dl">"</span><span class="s2">string</span><span class="dl">"</span> <span class="p">}</span> <span class="p">},</span> <span class="na">createdAt</span><span class="p">:</span> <span class="p">{</span> <span class="na">bsonType</span><span class="p">:</span> <span class="dl">"</span><span class="s2">date</span><span class="dl">"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">},</span> <span class="na">validationLevel</span><span class="p">:</span> <span class="dl">"</span><span class="s2">strict</span><span class="dl">"</span><span class="p">,</span> <span class="na">validationAction</span><span class="p">:</span> <span class="dl">"</span><span class="s2">error</span><span class="dl">"</span> <span class="p">});</span> </code></pre> </div> <p>Now writes that violate the schema are rejected. You keep the flexibility, you remove the typos.</p> <p>In a real Node.js app, you usually go one level higher: define the schema once with <strong>Zod</strong> (or use <strong>Mongoose</strong> if you want a fuller ODM), and let it both validate at the API boundary and produce your TypeScript types.</p> <h2> Decision 6: Indexes work just like SQL, but read the rules </h2> <p>Without indexes, every query is a full collection scan. Same as SQL.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">db</span><span class="p">.</span><span class="nx">recipes</span><span class="p">.</span><span class="nf">createIndex</span><span class="p">({</span> <span class="na">title</span><span class="p">:</span> <span class="mi">1</span> <span class="p">});</span> <span class="c1">// ascending</span> <span class="nx">db</span><span class="p">.</span><span class="nx">recipes</span><span class="p">.</span><span class="nf">createIndex</span><span class="p">({</span> <span class="na">author</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">createdAt</span><span class="p">:</span> <span class="o">-</span><span class="mi">1</span> <span class="p">});</span> <span class="c1">// compound</span> <span class="nx">db</span><span class="p">.</span><span class="nx">recipes</span><span class="p">.</span><span class="nf">createIndex</span><span class="p">({</span> <span class="na">email</span><span class="p">:</span> <span class="mi">1</span> <span class="p">},</span> <span class="p">{</span> <span class="na">unique</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> </code></pre> </div> <p>Special index types you will actually use:</p> <ul> <li> <strong>Multikey</strong> (automatic): if a field is an array, the index covers each element. <code>db.recipes.createIndex({ tags: 1 })</code> lets you find recipes by any tag.</li> <li> <strong>Text</strong>: full text search. <code>db.recipes.createIndex({ title: "text", description: "text" })</code>. Then <code>find({ $text: { $search: "mochi" } })</code>.</li> <li> <strong>Geospatial</strong> (<code>2dsphere</code>): for "find places near me" queries on GeoJSON points.</li> <li> <strong>TTL</strong>: documents auto delete after a deadline. Great for sessions, magic links, signed urls. <code>db.sessions.createIndex({ expiresAt: 1 }, { expireAfterSeconds: 0 })</code>.</li> <li> <strong>Partial</strong>: index only the matching subset. <code>{ partialFilterExpression: { active: true } }</code>.</li> <li> <strong>Wildcard</strong>: index unknown fields. Use sparingly.</li> </ul> <p>To see what a query is doing, ask:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">db</span><span class="p">.</span><span class="nx">recipes</span><span class="p">.</span><span class="nf">find</span><span class="p">({</span> <span class="na">tags</span><span class="p">:</span> <span class="dl">"</span><span class="s2">dessert</span><span class="dl">"</span> <span class="p">}).</span><span class="nf">explain</span><span class="p">(</span><span class="dl">"</span><span class="s2">executionStats</span><span class="dl">"</span><span class="p">);</span> </code></pre> </div> <p>Look at <code>winningPlan</code> and the <code>totalDocsExamined</code> vs <code>nReturned</code>. If they are wildly different, you are probably scanning when you could be using an index.</p> <p>The compound index ordering rule is the same as SQL: <strong>the order of fields matters</strong>. <code>{ author: 1, createdAt: -1 }</code> helps queries that filter by <code>author</code> (alone) or by <code>author</code> plus <code>createdAt</code>. It does not help a query that only filters by <code>createdAt</code>. This is sometimes called the <strong>ESR rule</strong> in MongoDB land: index keys should generally appear in the order <strong>Equality, Sort, Range</strong>.</p> <h2> Decision 7: The aggregation pipeline, the real power tool </h2> <p><code>find</code> is fine for "give me documents that match". The moment you need to group, transform, join, project, or compute, you graduate to the <strong>aggregation pipeline</strong>.</p> <p>You think of it as Unix pipes. Each stage takes documents in and emits documents out.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">db</span><span class="p">.</span><span class="nx">orders</span><span class="p">.</span><span class="nf">aggregate</span><span class="p">([</span> <span class="p">{</span> <span class="na">$match</span><span class="p">:</span> <span class="p">{</span> <span class="na">placedAt</span><span class="p">:</span> <span class="p">{</span> <span class="na">$gte</span><span class="p">:</span> <span class="nc">ISODate</span><span class="p">(</span><span class="dl">"</span><span class="s2">2026-04-01</span><span class="dl">"</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="na">$group</span><span class="p">:</span> <span class="p">{</span> <span class="na">_id</span><span class="p">:</span> <span class="dl">"</span><span class="s2">$customerId</span><span class="dl">"</span><span class="p">,</span> <span class="na">orders</span><span class="p">:</span> <span class="p">{</span> <span class="na">$sum</span><span class="p">:</span> <span class="mi">1</span> <span class="p">},</span> <span class="na">revenueCents</span><span class="p">:</span> <span class="p">{</span> <span class="na">$sum</span><span class="p">:</span> <span class="dl">"</span><span class="s2">$totalCents</span><span class="dl">"</span> <span class="p">}</span> <span class="p">}},</span> <span class="p">{</span> <span class="na">$sort</span><span class="p">:</span> <span class="p">{</span> <span class="na">revenueCents</span><span class="p">:</span> <span class="o">-</span><span class="mi">1</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="na">$limit</span><span class="p">:</span> <span class="mi">10</span> <span class="p">}</span> <span class="p">]);</span> </code></pre> </div> <p>The stages you will use most:</p> <ul> <li> <strong><code>$match</code></strong>: filter, like <code>WHERE</code>. Put it first when you can to use indexes.</li> <li> <strong><code>$project</code></strong>: shape the output, pick fields, compute new ones.</li> <li> <strong><code>$group</code></strong>: collapse documents by a key, with accumulators (<code>$sum</code>, <code>$avg</code>, <code>$min</code>, <code>$max</code>, <code>$push</code>, <code>$addToSet</code>, <code>$first</code>, <code>$last</code>).</li> <li> <strong><code>$sort</code></strong>, <strong><code>$limit</code></strong>, <strong><code>$skip</code></strong>: classic.</li> <li> <strong><code>$unwind</code></strong>: turn an array field into one document per element. Magic for "explode tags".</li> <li> <strong><code>$lookup</code></strong>: yes, <strong>MongoDB does joins</strong>. Same idea as SQL <code>LEFT JOIN</code>, with a slightly different API.</li> <li> <strong><code>$facet</code></strong>: run multiple sub pipelines on the same input, return them side by side. Great for dashboards.</li> <li> <strong><code>$set</code> / <code>$addFields</code></strong>: add computed fields without losing the existing ones.</li> <li> <strong><code>$merge</code></strong> / <strong><code>$out</code></strong>: write the result back into a collection.</li> </ul> <p>A <code>$lookup</code> example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">db</span><span class="p">.</span><span class="nx">recipes</span><span class="p">.</span><span class="nf">aggregate</span><span class="p">([</span> <span class="p">{</span> <span class="na">$match</span><span class="p">:</span> <span class="p">{</span> <span class="na">tags</span><span class="p">:</span> <span class="dl">"</span><span class="s2">dessert</span><span class="dl">"</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="na">$lookup</span><span class="p">:</span> <span class="p">{</span> <span class="na">from</span><span class="p">:</span> <span class="dl">"</span><span class="s2">users</span><span class="dl">"</span><span class="p">,</span> <span class="na">localField</span><span class="p">:</span> <span class="dl">"</span><span class="s2">authorId</span><span class="dl">"</span><span class="p">,</span> <span class="na">foreignField</span><span class="p">:</span> <span class="dl">"</span><span class="s2">_id</span><span class="dl">"</span><span class="p">,</span> <span class="na">as</span><span class="p">:</span> <span class="dl">"</span><span class="s2">author</span><span class="dl">"</span> <span class="p">}},</span> <span class="p">{</span> <span class="na">$unwind</span><span class="p">:</span> <span class="dl">"</span><span class="s2">$author</span><span class="dl">"</span> <span class="p">},</span> <span class="c1">// flatten to a single object</span> <span class="p">{</span> <span class="na">$project</span><span class="p">:</span> <span class="p">{</span> <span class="na">title</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="dl">"</span><span class="s2">author.name</span><span class="dl">"</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">prepMinutes</span><span class="p">:</span> <span class="mi">1</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]);</span> </code></pre> </div> <p>That is a join, an unwind, and a projection in one query. Once the pipeline clicks, you stop reaching for application code to do post processing. You let the database do it.</p> <blockquote> <p>Senior tip: aggregations can use indexes, but only on the early <code>$match</code> and <code>$sort</code> stages. Filter early, then transform.</p> </blockquote> <h2> Decision 8: Transactions, when you really need them </h2> <p>For most workloads, the trick is to design your documents so a single write changes everything that needs to change. One document update is atomic by itself. That is enough for 90% of cases.</p> <p>When you really do need to write across multiple documents or collections atomically, MongoDB has <strong>multi document transactions</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="nx">client</span><span class="p">.</span><span class="nf">startSession</span><span class="p">();</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">session</span><span class="p">.</span><span class="nf">withTransaction</span><span class="p">(</span><span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">accounts</span><span class="p">.</span><span class="nf">updateOne</span><span class="p">({</span> <span class="na">_id</span><span class="p">:</span> <span class="nx">a</span> <span class="p">},</span> <span class="p">{</span> <span class="na">$inc</span><span class="p">:</span> <span class="p">{</span> <span class="na">balance</span><span class="p">:</span> <span class="o">-</span><span class="mi">1000</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">session</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">accounts</span><span class="p">.</span><span class="nf">updateOne</span><span class="p">({</span> <span class="na">_id</span><span class="p">:</span> <span class="nx">b</span> <span class="p">},</span> <span class="p">{</span> <span class="na">$inc</span><span class="p">:</span> <span class="p">{</span> <span class="na">balance</span><span class="p">:</span> <span class="mi">1000</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">session</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">transfers</span><span class="p">.</span><span class="nf">insertOne</span><span class="p">({</span> <span class="na">from</span><span class="p">:</span> <span class="nx">a</span><span class="p">,</span> <span class="na">to</span><span class="p">:</span> <span class="nx">b</span><span class="p">,</span> <span class="na">amountCents</span><span class="p">:</span> <span class="mi">1000</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">session</span> <span class="p">});</span> <span class="p">});</span> <span class="p">}</span> <span class="k">finally</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">session</span><span class="p">.</span><span class="nf">endSession</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <p>ACID is real here, just like in SQL. The catches:</p> <ul> <li>Transactions need a <strong>replica set</strong> (which Atlas always gives you, and most production MongoDBs run as).</li> <li>They are slower than single document writes. Reach for them only when you need them.</li> <li>Long transactions hurt throughput. Keep them short.</li> </ul> <p>The right design instinct in MongoDB is "make this one document update", and the second instinct is "okay then, transactions". Not the other way around.</p> <h2> Decision 9: Scaling, replication, and sharding </h2> <p>Three things you will hear about, in order of importance for most apps:</p> <ul> <li> <strong>Replica set</strong>: a primary plus secondaries that follow along. Reads can go to secondaries with the right read preference. Writes go to the primary. If the primary dies, a secondary is elected. This gives you durability and high availability and is the default in Atlas.</li> <li> <strong>Read concern and write concern</strong>: you choose how many nodes must acknowledge a write (<code>w: "majority"</code> is the safe default), and how recent your reads must be (<code>readConcern: "majority"</code> for the safest reads). These two knobs are the trade off between durability and latency.</li> <li> <strong>Sharding</strong>: when one machine cannot hold the data, you split the collection across many. You pick a <strong>shard key</strong> that determines which documents live where. Pick wisely: an <code>_id</code> or random shard key spreads writes evenly, but lookups by user are then scattered across all shards. There is no perfect shard key, only the one that fits your access patterns.</li> </ul> <p>Most apps under "huge" scale never need sharding. Replica sets are enough.</p> <h2> Decision 10: The modern stack </h2> <p>In 2026, the typical MongoDB setup looks like:</p> <ul> <li> <strong>Atlas</strong> (the official managed service) for production. Free tier for prototypes. Handles replica sets, backups, point in time restore, monitoring, and Atlas Search.</li> <li> <strong>Atlas Search</strong> for full text search backed by Lucene. It is wildly more capable than the built in <code>$text</code> operator.</li> <li> <strong>Atlas Vector Search</strong> for semantic search and RAG (retrieval augmented generation) for AI apps. Vectors live next to your documents. One database, both kinds of search.</li> <li> <strong>Official drivers</strong> for every language. In Node.js, the modern choice is the official <code>mongodb</code> driver, often paired with <strong>Zod</strong> for validation, or the <strong>Mongoose</strong> ODM if you want a more opinionated layer with hooks and middleware.</li> <li> <strong>Compass</strong> (the GUI) for poking at data and prototyping aggregations.</li> <li> <strong><code>mongosh</code></strong> (the new shell) for command line work.</li> </ul> <p>If you are starting a new app, the lean default is: official driver + Zod schemas + Atlas. Reach for Mongoose only if you genuinely want its conveniences.</p> <h2> Decision 11: Pitfalls you only learn the hard way </h2> <p>A short list of senior level traps:</p> <ul> <li> <strong>Forgetting <code>$set</code> in updates</strong> replaces the document. Always include the operator.</li> <li> <strong>Storing a stringly typed <code>_id</code></strong> when you could have used <code>ObjectId</code>. ObjectIds are sortable by creation time, smaller, and indexed by default.</li> <li> <strong>Querying with the wrong type</strong> silently returns nothing. <code>{ price: "10" }</code> will not match <code>{ price: 10 }</code>. Types matter.</li> <li> <strong>Letting documents grow unbounded.</strong> A recipe with 50,000 comments is a problem. Bucket or reference them.</li> <li> <strong>Treating Mongo like SQL.</strong> If your queries are full of <code>$lookup</code> joins, you may be designing as if you are still in SQL. Reconsider whether the data should be embedded.</li> <li> <strong>Writing <code>find()</code> and forgetting the projection.</strong> You ship the entire 8KB document over the wire when you only needed the title.</li> <li> <strong>Skipping indexes "for now".</strong> "For now" becomes "in production" faster than you think.</li> <li> <strong>Ignoring the <code>_id</code> in <code>$group</code>.</strong> <code>_id: null</code> groups everything together. <code>_id: "$field"</code> groups by that field. This is the most confusing line in the aggregation pipeline for newcomers.</li> <li> <strong>Not using <code>.lean()</code> (Mongoose) or projection (driver) when you do not need full hydrated objects.</strong> Slower otherwise.</li> <li> <strong>Treating capped collections like queues.</strong> Use a real queue.</li> </ul> <h2> A peek under the hood </h2> <p>What really happens when you run a query:</p> <ol> <li>The driver opens a connection (pooled) to the cluster and figures out the topology (which node is primary, which are secondaries).</li> <li>Your query goes to the appropriate node based on read preference.</li> <li>The query planner picks an execution plan, ideally using an index.</li> <li>The storage engine (WiredTiger, by default) reads pages from the cache or from disk. Documents are stored as compressed BSON.</li> <li>Results stream back through the driver. Cursors fetch in batches by default (100 documents or 1MB), so a <code>find()</code> over a million docs does not blow up memory.</li> <li>Writes go to the primary, get applied in memory, then flushed to the on disk <strong>journal</strong>, then replicated to secondaries based on your write concern.</li> </ol> <p>The mental model is: WiredTiger is the SQLite or InnoDB underneath, BSON is the row format, and the replica set is the durability story. Once you know that, debugging slow queries and odd behavior gets much easier.</p> <h2> Tiny tips that will save you later </h2> <ul> <li> <strong>Design for the read.</strong> What does your most common query look like? Shape documents to make it one read, no joins.</li> <li><strong>Pick <code>ObjectId</code> for <code>_id</code> unless you have a reason not to.</strong></li> <li> <strong>Always set <code>w: "majority"</code></strong> in production. Default is fine for development.</li> <li><strong>Use Atlas Search for anything past trivial text search.</strong></li> <li> <strong>Add indexes before they bite, not after.</strong> Watch slow query logs.</li> <li> <strong>Use the aggregation pipeline.</strong> It is faster than fetching documents to your app and looping.</li> <li> <strong>Keep documents under a megabyte where you can.</strong> 16 MB is the hard limit, but cache and replication love smaller documents.</li> <li> <strong>Validate at the boundary with Zod</strong> (or the collection validator). Schemaless does not mean schema free.</li> <li> <strong>Use <code>.explain("executionStats")</code> like you would <code>EXPLAIN ANALYZE</code>.</strong> It is the same skill in a different costume.</li> <li> <strong>Back it up. Test the restore.</strong> Atlas does this for you. If you self host, you are on the hook.</li> </ul> <h2> Wrapping up </h2> <p>So that is the whole story. We were tired of forcing nested, evolving data into rigid tables. We built a database that stores documents, the same shape your app already passes around. We grouped them into collections, indexed them, and gave them a powerful aggregation pipeline so we did not have to do post processing in app code.</p> <p>We accepted the trade off: schemaless is freedom, and freedom needs discipline. We designed documents around the reads we cared about, embedded what was owned, referenced what was shared, and added validation to keep typos from rotting our data. We learned that ACID is not just a SQL thing: single document writes are atomic, and full transactions are there when we need them.</p> <p>Once that map is in your head, MongoDB stops feeling like SQL with weird syntax and starts feeling like the data model your app was always trying to be.</p> <p>Happy modeling, and save a cookie for me.</p> learning mongodb database Mohamed Idris Wed, 20 May 2026 13:08:00 +0000 https://forem.com/edriso/learning-sql-as-if-you-built-it-yourself-3fig https://forem.com/edriso/learning-sql-as-if-you-built-it-yourself-3fig <p>If you have ever tried to keep your app's data in a JSON file or in memory, you know how that story ends. At first it works. Two users? Easy. A hundred users with orders, addresses, and a history of returns? Now your "database" is a 40MB file you are scared to open, and looking up a single record takes a full scan of the disk.</p> <p>You start writing helper functions. Find a user by email. Find all their orders. Make sure no order points at a missing user. After a week of this, you have invented a worse, slower database, and you still cannot answer "what were our top 5 selling books last month?".</p> <p>That is the gap SQL fills.</p> <h2> What is SQL, really </h2> <p>Think of SQL as <strong>a giant spreadsheet on steroids, with a strict librarian living inside</strong>. Your data goes into tables (sheets). Each row is a record. Each column has a type and rules. The librarian enforces the rules: no missing required fields, no duplicate ids, no orders pointing to a user that does not exist.</p> <p>You do not poke around the sheets yourself. You write a polite question in a special language, and the librarian goes off, walks the shelves, and brings back exactly the rows you asked for. The question is <strong>declarative</strong>. You say what you want, not how to get it. The librarian (the query planner) figures out the fastest path.</p> <p>That is the whole vibe.</p> <h2> Let's pretend we are building one </h2> <p>We want a way to store structured data, enforce rules between pieces of data, and answer questions about it without writing custom code every time. We will call the language <strong>SQL</strong> (Structured Query Language) and the engine behind it a <strong>relational database</strong>.</p> <p>For our running example, we are opening a tiny online bookstore. Books, authors, customers, orders. We will model the whole thing and learn to ask it useful questions.</p> <h2> Decision 1: Data lives in tables, with a strict shape </h2> <p>A table has a fixed set of columns. Each column has a type. Each row must obey the shape. No "this row has an extra field" surprises.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">authors</span> <span class="p">(</span> <span class="n">id</span> <span class="n">BIGSERIAL</span> <span class="k">PRIMARY</span> <span class="k">KEY</span><span class="p">,</span> <span class="n">name</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">born_year</span> <span class="nb">INT</span> <span class="p">);</span> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">books</span> <span class="p">(</span> <span class="n">id</span> <span class="n">BIGSERIAL</span> <span class="k">PRIMARY</span> <span class="k">KEY</span><span class="p">,</span> <span class="n">title</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">author_id</span> <span class="nb">BIGINT</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">REFERENCES</span> <span class="n">authors</span><span class="p">(</span><span class="n">id</span><span class="p">),</span> <span class="n">price_cents</span> <span class="nb">INT</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">CHECK</span> <span class="p">(</span><span class="n">price_cents</span> <span class="o">&gt;=</span> <span class="mi">0</span><span class="p">),</span> <span class="n">published</span> <span class="nb">DATE</span><span class="p">,</span> <span class="n">created_at</span> <span class="n">TIMESTAMPTZ</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">DEFAULT</span> <span class="n">now</span><span class="p">()</span> <span class="p">);</span> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">customers</span> <span class="p">(</span> <span class="n">id</span> <span class="n">BIGSERIAL</span> <span class="k">PRIMARY</span> <span class="k">KEY</span><span class="p">,</span> <span class="n">email</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">UNIQUE</span><span class="p">,</span> <span class="n">name</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="p">);</span> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">orders</span> <span class="p">(</span> <span class="n">id</span> <span class="n">BIGSERIAL</span> <span class="k">PRIMARY</span> <span class="k">KEY</span><span class="p">,</span> <span class="n">customer_id</span> <span class="nb">BIGINT</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">REFERENCES</span> <span class="n">customers</span><span class="p">(</span><span class="n">id</span><span class="p">),</span> <span class="n">book_id</span> <span class="nb">BIGINT</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">REFERENCES</span> <span class="n">books</span><span class="p">(</span><span class="n">id</span><span class="p">),</span> <span class="n">qty</span> <span class="nb">INT</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">CHECK</span> <span class="p">(</span><span class="n">qty</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">),</span> <span class="n">placed_at</span> <span class="n">TIMESTAMPTZ</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">DEFAULT</span> <span class="n">now</span><span class="p">()</span> <span class="p">);</span> </code></pre> </div> <p>A few things worth pausing on, because they show up everywhere:</p> <ul> <li> <strong><code>PRIMARY KEY</code></strong> is the row's unique identity. Every table has one.</li> <li> <strong><code>REFERENCES other_table(id)</code></strong> is a <strong>foreign key</strong>. The librarian will refuse to insert an order for a customer that does not exist, and refuse to delete a customer who still has orders (unless you say <code>ON DELETE CASCADE</code>).</li> <li> <strong><code>NOT NULL</code></strong>, <strong><code>UNIQUE</code></strong>, <strong><code>CHECK</code></strong> are constraints that bake business rules into the data, not into the app code. The database becomes the last line of defense, even if six different apps write to it.</li> <li> <strong><code>DEFAULT</code></strong> lets the database fill in values for you (timestamps, ids, version numbers).</li> </ul> <p>This shape is the <strong>schema</strong>. The whole database is just schemas plus rows.</p> <blockquote> <p>Quick sanity rule: if your data has a stable shape and relationships matter, use SQL. If your data is messy, document like, and varies row to row, that is what we will discuss in the MongoDB post.</p> </blockquote> <h2> Decision 2: Four verbs, infinite combinations </h2> <p>Every interaction with SQL is one of four verbs. Learn these and you have learned 70% of the language.</p> <h3> Insert </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">INSERT</span> <span class="k">INTO</span> <span class="n">authors</span> <span class="p">(</span><span class="n">name</span><span class="p">,</span> <span class="n">born_year</span><span class="p">)</span> <span class="k">VALUES</span> <span class="p">(</span><span class="s1">'Saint-Exupery'</span><span class="p">,</span> <span class="mi">1900</span><span class="p">);</span> <span class="k">INSERT</span> <span class="k">INTO</span> <span class="n">books</span> <span class="p">(</span><span class="n">title</span><span class="p">,</span> <span class="n">author_id</span><span class="p">,</span> <span class="n">price_cents</span><span class="p">,</span> <span class="n">published</span><span class="p">)</span> <span class="k">VALUES</span> <span class="p">(</span><span class="s1">'The Little Prince'</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">999</span><span class="p">,</span> <span class="s1">'1943-04-06'</span><span class="p">),</span> <span class="p">(</span><span class="s1">'Night Flight'</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">1199</span><span class="p">,</span> <span class="s1">'1931-01-01'</span><span class="p">);</span> </code></pre> </div> <h3> Select (the workhorse) </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">id</span><span class="p">,</span> <span class="n">title</span><span class="p">,</span> <span class="n">price_cents</span> <span class="k">FROM</span> <span class="n">books</span> <span class="k">WHERE</span> <span class="n">price_cents</span> <span class="o">&lt;</span> <span class="mi">1500</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">published</span> <span class="k">DESC</span> <span class="k">LIMIT</span> <span class="mi">10</span><span class="p">;</span> </code></pre> </div> <p>Read it like English: pick these columns, from this table, where this is true, sorted this way, give me the first 10.</p> <h3> Update </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">UPDATE</span> <span class="n">books</span> <span class="k">SET</span> <span class="n">price_cents</span> <span class="o">=</span> <span class="mi">1099</span> <span class="k">WHERE</span> <span class="n">id</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> </code></pre> </div> <p>If you forget the <code>WHERE</code>, <strong>you update every row</strong>. Yes, every senior has done it once. Wrap big updates in a transaction, we will see how soon.</p> <h3> Delete </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">DELETE</span> <span class="k">FROM</span> <span class="n">books</span> <span class="k">WHERE</span> <span class="n">id</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> </code></pre> </div> <p>Same warning as <code>UPDATE</code>. No <code>WHERE</code>, no rows left.</p> <h2> Decision 3: Filtering rows the librarian can understand </h2> <p>Inside <code>WHERE</code> you can stack conditions. A short list of the most useful operators:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">books</span> <span class="k">WHERE</span> <span class="n">price_cents</span> <span class="k">BETWEEN</span> <span class="mi">800</span> <span class="k">AND</span> <span class="mi">1500</span> <span class="k">AND</span> <span class="n">title</span> <span class="k">ILIKE</span> <span class="s1">'%prince%'</span> <span class="c1">-- case insensitive in Postgres</span> <span class="k">AND</span> <span class="n">author_id</span> <span class="k">IN</span> <span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">3</span><span class="p">)</span> <span class="k">AND</span> <span class="n">published</span> <span class="k">IS</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">AND</span> <span class="n">published</span> <span class="o">&gt;=</span> <span class="nb">DATE</span> <span class="s1">'2000-01-01'</span><span class="p">;</span> </code></pre> </div> <p>The classic gotcha: <code>NULL</code> is not equal to anything, not even itself. <code>WHERE col = NULL</code> always returns no rows. Use <code>IS NULL</code> and <code>IS NOT NULL</code>. Always.</p> <p><code>LIKE 'foo%'</code> matches the prefix <code>foo</code>. <code>LIKE '%foo'</code> matches the suffix. <code>LIKE '%foo%'</code> is the full text contains. The percent sign is the wildcard.</p> <h2> Decision 4: Joining tables, the actual superpower </h2> <p>Splitting data into multiple tables only pays off if we can stitch them back together at query time. That is what <strong>joins</strong> do.</p> <p>The four flavors that matter:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- INNER JOIN: only rows that match in both tables</span> <span class="k">SELECT</span> <span class="n">b</span><span class="p">.</span><span class="n">title</span><span class="p">,</span> <span class="n">a</span><span class="p">.</span><span class="n">name</span> <span class="k">AS</span> <span class="n">author</span> <span class="k">FROM</span> <span class="n">books</span> <span class="n">b</span> <span class="k">JOIN</span> <span class="n">authors</span> <span class="n">a</span> <span class="k">ON</span> <span class="n">a</span><span class="p">.</span><span class="n">id</span> <span class="o">=</span> <span class="n">b</span><span class="p">.</span><span class="n">author_id</span><span class="p">;</span> <span class="c1">-- LEFT JOIN: every row from the left, with NULLs where the right has nothing</span> <span class="k">SELECT</span> <span class="n">a</span><span class="p">.</span><span class="n">name</span><span class="p">,</span> <span class="n">b</span><span class="p">.</span><span class="n">title</span> <span class="k">FROM</span> <span class="n">authors</span> <span class="n">a</span> <span class="k">LEFT</span> <span class="k">JOIN</span> <span class="n">books</span> <span class="n">b</span> <span class="k">ON</span> <span class="n">b</span><span class="p">.</span><span class="n">author_id</span> <span class="o">=</span> <span class="n">a</span><span class="p">.</span><span class="n">id</span><span class="p">;</span> <span class="c1">-- An author with zero books still appears, with title = NULL.</span> <span class="c1">-- RIGHT JOIN: mirror image of LEFT JOIN. Rarely used (just flip the tables).</span> <span class="c1">-- FULL OUTER JOIN: every row from both sides, NULL where the other is missing.</span> </code></pre> </div> <p>The <code>ON</code> clause says how to match. The <code>WHERE</code> clause filters the joined result.</p> <p>Two senior level rules that catch newcomers:</p> <ol> <li> <strong>A <code>LEFT JOIN</code> plus a <code>WHERE</code> on the right table acts like an <code>INNER JOIN</code>.</strong> If you write <code>LEFT JOIN books WHERE books.published IS NOT NULL</code>, you have just thrown away the unmatched rows. Put filters that should keep the unmatched rows inside the <code>ON</code> clause: <code>LEFT JOIN books b ON b.author_id = a.id AND b.published IS NOT NULL</code>.</li> <li> <strong>Always alias your tables</strong> in non trivial queries. <code>b.title</code> is much easier to read (and grep) than <code>books.title</code> repeated five times.</li> </ol> <h2> Decision 5: Aggregations, the "summarize this" verbs </h2> <p>When you do not want individual rows but a roll up, you reach for <code>GROUP BY</code> and the aggregate functions: <code>COUNT</code>, <code>SUM</code>, <code>AVG</code>, <code>MIN</code>, <code>MAX</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Top selling books last month</span> <span class="k">SELECT</span> <span class="n">b</span><span class="p">.</span><span class="n">id</span><span class="p">,</span> <span class="n">b</span><span class="p">.</span><span class="n">title</span><span class="p">,</span> <span class="k">SUM</span><span class="p">(</span><span class="n">o</span><span class="p">.</span><span class="n">qty</span><span class="p">)</span> <span class="k">AS</span> <span class="n">sold</span> <span class="k">FROM</span> <span class="n">orders</span> <span class="n">o</span> <span class="k">JOIN</span> <span class="n">books</span> <span class="n">b</span> <span class="k">ON</span> <span class="n">b</span><span class="p">.</span><span class="n">id</span> <span class="o">=</span> <span class="n">o</span><span class="p">.</span><span class="n">book_id</span> <span class="k">WHERE</span> <span class="n">o</span><span class="p">.</span><span class="n">placed_at</span> <span class="o">&gt;=</span> <span class="n">NOW</span><span class="p">()</span> <span class="o">-</span> <span class="n">INTERVAL</span> <span class="s1">'30 days'</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="n">b</span><span class="p">.</span><span class="n">id</span><span class="p">,</span> <span class="n">b</span><span class="p">.</span><span class="n">title</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">sold</span> <span class="k">DESC</span> <span class="k">LIMIT</span> <span class="mi">5</span><span class="p">;</span> </code></pre> </div> <p>Two rules to internalize:</p> <ul> <li>Every column in the <code>SELECT</code> must either be in the <code>GROUP BY</code> or wrapped in an aggregate.</li> <li> <strong><code>HAVING</code> filters groups.</strong> <code>WHERE</code> filters rows before grouping. Do not confuse them. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">customer_id</span><span class="p">,</span> <span class="k">COUNT</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">AS</span> <span class="n">orders_count</span> <span class="k">FROM</span> <span class="n">orders</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="n">customer_id</span> <span class="k">HAVING</span> <span class="k">COUNT</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="o">&gt;=</span> <span class="mi">3</span><span class="p">;</span> <span class="c1">-- only customers with 3+ orders</span> </code></pre> </div> <h2> Decision 6: When one query is not enough, build it in pieces </h2> <p>For complex queries, stacking joins and aggregations gets unreadable fast. We added two tools for that.</p> <h3> Subqueries </h3> <p>A query inside a query. Treat its result as a virtual table.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">title</span> <span class="k">FROM</span> <span class="n">books</span> <span class="k">WHERE</span> <span class="n">author_id</span> <span class="k">IN</span> <span class="p">(</span><span class="k">SELECT</span> <span class="n">id</span> <span class="k">FROM</span> <span class="n">authors</span> <span class="k">WHERE</span> <span class="n">born_year</span> <span class="o">&lt;</span> <span class="mi">1950</span><span class="p">);</span> </code></pre> </div> <h3> Common Table Expressions (CTEs) </h3> <p>Same idea, named, top to bottom. Far more readable when the query has multiple stages.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">WITH</span> <span class="n">top_books</span> <span class="k">AS</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="n">book_id</span><span class="p">,</span> <span class="k">SUM</span><span class="p">(</span><span class="n">qty</span><span class="p">)</span> <span class="k">AS</span> <span class="n">sold</span> <span class="k">FROM</span> <span class="n">orders</span> <span class="k">WHERE</span> <span class="n">placed_at</span> <span class="o">&gt;=</span> <span class="n">NOW</span><span class="p">()</span> <span class="o">-</span> <span class="n">INTERVAL</span> <span class="s1">'30 days'</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="n">book_id</span> <span class="p">)</span> <span class="k">SELECT</span> <span class="n">b</span><span class="p">.</span><span class="n">title</span><span class="p">,</span> <span class="n">t</span><span class="p">.</span><span class="n">sold</span> <span class="k">FROM</span> <span class="n">top_books</span> <span class="n">t</span> <span class="k">JOIN</span> <span class="n">books</span> <span class="n">b</span> <span class="k">ON</span> <span class="n">b</span><span class="p">.</span><span class="n">id</span> <span class="o">=</span> <span class="n">t</span><span class="p">.</span><span class="n">book_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">t</span><span class="p">.</span><span class="n">sold</span> <span class="k">DESC</span> <span class="k">LIMIT</span> <span class="mi">5</span><span class="p">;</span> </code></pre> </div> <p>CTEs can be <strong>recursive</strong>, which is how you walk tree shaped data (categories with subcategories, employees with managers, comments with replies):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">WITH</span> <span class="k">RECURSIVE</span> <span class="n">descendants</span> <span class="k">AS</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="n">id</span><span class="p">,</span> <span class="n">parent_id</span><span class="p">,</span> <span class="n">name</span> <span class="k">FROM</span> <span class="n">categories</span> <span class="k">WHERE</span> <span class="n">id</span> <span class="o">=</span> <span class="mi">7</span> <span class="k">UNION</span> <span class="k">ALL</span> <span class="k">SELECT</span> <span class="k">c</span><span class="p">.</span><span class="n">id</span><span class="p">,</span> <span class="k">c</span><span class="p">.</span><span class="n">parent_id</span><span class="p">,</span> <span class="k">c</span><span class="p">.</span><span class="n">name</span> <span class="k">FROM</span> <span class="n">categories</span> <span class="k">c</span> <span class="k">JOIN</span> <span class="n">descendants</span> <span class="n">d</span> <span class="k">ON</span> <span class="n">d</span><span class="p">.</span><span class="n">id</span> <span class="o">=</span> <span class="k">c</span><span class="p">.</span><span class="n">parent_id</span> <span class="p">)</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">descendants</span><span class="p">;</span> </code></pre> </div> <p>CTEs read top to bottom like a small program. Use them.</p> <h2> Decision 7: Window functions, the senior superpower </h2> <p>Sometimes you want a per row calculation that "sees" other rows around it without collapsing into groups. That is what <strong>window functions</strong> do.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Rank books by sales within each author</span> <span class="k">SELECT</span> <span class="n">b</span><span class="p">.</span><span class="n">author_id</span><span class="p">,</span> <span class="n">b</span><span class="p">.</span><span class="n">title</span><span class="p">,</span> <span class="k">SUM</span><span class="p">(</span><span class="n">o</span><span class="p">.</span><span class="n">qty</span><span class="p">)</span> <span class="k">AS</span> <span class="n">sold</span><span class="p">,</span> <span class="n">RANK</span><span class="p">()</span> <span class="n">OVER</span> <span class="p">(</span> <span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">b</span><span class="p">.</span><span class="n">author_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="k">SUM</span><span class="p">(</span><span class="n">o</span><span class="p">.</span><span class="n">qty</span><span class="p">)</span> <span class="k">DESC</span> <span class="p">)</span> <span class="k">AS</span> <span class="n">rank_for_author</span> <span class="k">FROM</span> <span class="n">books</span> <span class="n">b</span> <span class="k">JOIN</span> <span class="n">orders</span> <span class="n">o</span> <span class="k">ON</span> <span class="n">o</span><span class="p">.</span><span class="n">book_id</span> <span class="o">=</span> <span class="n">b</span><span class="p">.</span><span class="n">id</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="n">b</span><span class="p">.</span><span class="n">author_id</span><span class="p">,</span> <span class="n">b</span><span class="p">.</span><span class="n">title</span><span class="p">;</span> </code></pre> </div> <p><code>OVER(...)</code> says "do this calculation across this window". <code>PARTITION BY</code> is the group, <code>ORDER BY</code> is the order within the group. You get one output row per input row, plus the calculated value.</p> <p>Common ones to know:</p> <ul> <li> <code>ROW_NUMBER()</code> for "give each row a serial number".</li> <li> <code>RANK()</code> and <code>DENSE_RANK()</code> for tied ranking.</li> <li> <code>LAG(col)</code>, <code>LEAD(col)</code> for "value of the previous/next row in the window".</li> <li> <code>SUM(col) OVER (ORDER BY ...)</code> for running totals.</li> </ul> <p>Once these click, a whole class of "I had to do this in app code" problems become one liners.</p> <h2> Decision 8: Indexes, the secret to fast queries </h2> <p>A table without indexes is a phone book printed in random order. Finding "Alice" means starting at page one. With an index, the librarian builds an alphabetical map: "Alice is around page 47, go straight there".<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">books_author_id_idx</span> <span class="k">ON</span> <span class="n">books</span> <span class="p">(</span><span class="n">author_id</span><span class="p">);</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">orders_customer_placed_idx</span> <span class="k">ON</span> <span class="n">orders</span> <span class="p">(</span><span class="n">customer_id</span><span class="p">,</span> <span class="n">placed_at</span> <span class="k">DESC</span><span class="p">);</span> <span class="k">CREATE</span> <span class="k">UNIQUE</span> <span class="k">INDEX</span> <span class="n">customers_email_idx</span> <span class="k">ON</span> <span class="n">customers</span> <span class="p">(</span><span class="n">email</span><span class="p">);</span> </code></pre> </div> <p>The senior level rules:</p> <ul> <li> <strong>Primary keys and unique constraints already create indexes.</strong> You get those free.</li> <li> <strong>Index columns you filter or join on</strong>, not columns you only display.</li> <li> <strong>Composite index column order matters.</strong> <code>(customer_id, placed_at)</code> helps queries that filter by <code>customer_id</code> (alone) or by <code>customer_id</code> plus <code>placed_at</code>. It does <strong>not</strong> help a query that only filters by <code>placed_at</code>.</li> <li> <strong>Postgres has special index types</strong>: GIN (for arrays and JSONB), BRIN (for huge time series), partial (<code>WHERE active = true</code>), expression (<code>LOWER(email)</code>).</li> <li> <strong>Indexes are not free.</strong> Every write has to update them. Do not index every column "just in case". Profile first.</li> </ul> <p>To find out what the database is actually doing for a query, ask:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">EXPLAIN</span> <span class="k">ANALYZE</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">books</span> <span class="k">WHERE</span> <span class="n">author_id</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> </code></pre> </div> <p>That returns the <strong>query plan</strong>. Look for "Index Scan" (good) versus "Seq Scan" (full table read, fine for small tables, scary for big ones), and look at the actual time per step.</p> <p>Reading query plans is the single skill that separates "writes SQL" from "writes fast SQL". Spend time on it.</p> <h2> Decision 9: Transactions, all or nothing </h2> <p>Sometimes a single user action needs multiple statements, and "half done" is the worst possible state. Money moved out of one account but never into the other. An order created without payment.</p> <p>We wrap the statements in a <strong>transaction</strong>. Either every statement commits, or none of them do.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">BEGIN</span><span class="p">;</span> <span class="k">UPDATE</span> <span class="n">accounts</span> <span class="k">SET</span> <span class="n">balance</span> <span class="o">=</span> <span class="n">balance</span> <span class="o">-</span> <span class="mi">1000</span> <span class="k">WHERE</span> <span class="n">id</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="k">UPDATE</span> <span class="n">accounts</span> <span class="k">SET</span> <span class="n">balance</span> <span class="o">=</span> <span class="n">balance</span> <span class="o">+</span> <span class="mi">1000</span> <span class="k">WHERE</span> <span class="n">id</span> <span class="o">=</span> <span class="mi">2</span><span class="p">;</span> <span class="k">COMMIT</span><span class="p">;</span> <span class="c1">-- or ROLLBACK if anything went wrong</span> </code></pre> </div> <p>Transactions guarantee four properties together known as <strong>ACID</strong>:</p> <ul> <li> <strong>Atomicity</strong>: all or nothing.</li> <li> <strong>Consistency</strong>: constraints stay valid before and after.</li> <li> <strong>Isolation</strong>: concurrent transactions do not see each other's half done work.</li> <li> <strong>Durability</strong>: once committed, it survives a crash.</li> </ul> <p>Isolation has levels (read committed, repeatable read, serializable). The default in Postgres is <code>READ COMMITTED</code>, which is fine for most apps. Reach for <code>SERIALIZABLE</code> when you have a critical multi step invariant and you would rather have the database retry than risk anomalies. Read about phantom reads and lost updates once, then you will recognize the bug shapes when you see them.</p> <h2> Decision 10: Views and materialized views </h2> <p>If a complex query is something you ask all the time, give it a name.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">VIEW</span> <span class="n">top_books_30d</span> <span class="k">AS</span> <span class="k">SELECT</span> <span class="n">b</span><span class="p">.</span><span class="n">id</span><span class="p">,</span> <span class="n">b</span><span class="p">.</span><span class="n">title</span><span class="p">,</span> <span class="k">SUM</span><span class="p">(</span><span class="n">o</span><span class="p">.</span><span class="n">qty</span><span class="p">)</span> <span class="k">AS</span> <span class="n">sold</span> <span class="k">FROM</span> <span class="n">orders</span> <span class="n">o</span> <span class="k">JOIN</span> <span class="n">books</span> <span class="n">b</span> <span class="k">ON</span> <span class="n">b</span><span class="p">.</span><span class="n">id</span> <span class="o">=</span> <span class="n">o</span><span class="p">.</span><span class="n">book_id</span> <span class="k">WHERE</span> <span class="n">o</span><span class="p">.</span><span class="n">placed_at</span> <span class="o">&gt;=</span> <span class="n">NOW</span><span class="p">()</span> <span class="o">-</span> <span class="n">INTERVAL</span> <span class="s1">'30 days'</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="n">b</span><span class="p">.</span><span class="n">id</span><span class="p">,</span> <span class="n">b</span><span class="p">.</span><span class="n">title</span><span class="p">;</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">top_books_30d</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">sold</span> <span class="k">DESC</span> <span class="k">LIMIT</span> <span class="mi">5</span><span class="p">;</span> </code></pre> </div> <p>A <strong>view</strong> is just a saved query. It runs every time you <code>SELECT</code> from it.</p> <p>A <strong>materialized view</strong> stores the result physically and refreshes on demand. Great for expensive analytics that do not need to be real time.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="n">MATERIALIZED</span> <span class="k">VIEW</span> <span class="n">top_books_30d</span> <span class="k">AS</span> <span class="p">...;</span> <span class="n">REFRESH</span> <span class="n">MATERIALIZED</span> <span class="k">VIEW</span> <span class="n">top_books_30d</span><span class="p">;</span> </code></pre> </div> <h2> Decision 11: Set operations </h2> <p>Less famous, but very handy.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Books either by author 1 or with sales (and both)</span> <span class="k">SELECT</span> <span class="n">id</span> <span class="k">FROM</span> <span class="n">books</span> <span class="k">WHERE</span> <span class="n">author_id</span> <span class="o">=</span> <span class="mi">1</span> <span class="k">UNION</span> <span class="k">SELECT</span> <span class="n">book_id</span> <span class="k">FROM</span> <span class="n">orders</span><span class="p">;</span> <span class="c1">-- Same idea but keep duplicates</span> <span class="k">UNION</span> <span class="k">ALL</span> <span class="c1">-- In A but not in B</span> <span class="k">EXCEPT</span> <span class="c1">-- In both</span> <span class="k">INTERSECT</span> </code></pre> </div> <p><code>UNION</code> deduplicates and is slower. <code>UNION ALL</code> keeps everything and is faster. Pick on purpose.</p> <h2> Decision 12: Talking to SQL safely from your app </h2> <p>This is the one rule you must never break.</p> <p><strong>Never build a query by string concatenation with user input.</strong> That is how you get SQL injection, the most embarrassing bug in our profession.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// NEVER</span> <span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="s2">`SELECT * FROM users WHERE email = '</span><span class="p">${</span><span class="nx">email</span><span class="p">}</span><span class="s2">'`</span><span class="p">);</span> <span class="c1">// ALWAYS</span> <span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">"</span><span class="s2">SELECT * FROM users WHERE email = $1</span><span class="dl">"</span><span class="p">,</span> <span class="p">[</span><span class="nx">email</span><span class="p">]);</span> </code></pre> </div> <p>Use parameterized queries. Every modern client supports them. The driver sends the SQL and the values separately, so the database never confuses one for the other.</p> <p>The other classic app side trap is the <strong>N+1 query problem</strong>. You fetch a list of authors, then for each one, you fire a separate query for their books. 1 query becomes 1 + N queries. The fix is one query with a <code>JOIN</code>, or batch loading by id list (<code>WHERE author_id IN (...)</code>).</p> <h2> Decision 13: Designing schemas that age well </h2> <p>The art is in the schema, not the queries. Tables you regret are tables you fight forever. A short senior level checklist:</p> <ul> <li> <strong>Normalize first, denormalize on purpose.</strong> A normalized schema (no duplicated facts) is easier to keep correct. You can always add a denormalized cache column later if profiling demands it.</li> <li> <strong>Pick the right primary key.</strong> <code>BIGSERIAL</code> (auto increment) is fine for most things. UUIDs are great for distributed systems and for not exposing row counts in URLs. Use <code>UUID v7</code> if you need sortable UUIDs.</li> <li> <strong>Always store timestamps with timezone.</strong> <code>TIMESTAMPTZ</code>, not <code>TIMESTAMP</code>. Future you will thank present you.</li> <li> <strong>Money in integer cents, not floats.</strong> <code>1.10 + 2.20</code> in floats is heartbreak.</li> <li> <strong>Booleans are fine.</strong> Do not use a <code>CHAR(1)</code> "Y"/"N". This is not 1995.</li> <li> <strong>Add indexes for foreign keys.</strong> The database does not always do this for you, and queries that join on them will sit and cry without one.</li> <li> <strong>Soft delete with a <code>deleted_at TIMESTAMPTZ</code> column</strong> if you need recoverable deletes. Then add <code>WHERE deleted_at IS NULL</code> to your reads (or a partial index).</li> <li> <strong>Migrations are version controlled SQL.</strong> Tools like Flyway, Sqitch, Prisma Migrate, Alembic. Never edit the production schema by hand.</li> </ul> <h2> Decision 14: A peek under the hood </h2> <p>What really happens when you run a query:</p> <ol> <li>The client sends the SQL to the server (bind parameters separately if you used a parameterized query).</li> <li>The <strong>parser</strong> turns the text into a syntax tree.</li> <li>The <strong>planner / optimizer</strong> considers many possible execution plans (full scan, index scan, different join orders, hash join vs merge join vs nested loop). It uses statistics about the table sizes and column distributions to pick the cheapest plan it can find.</li> <li>The <strong>executor</strong> runs the chosen plan, reading pages from disk or the buffer cache, joining, filtering, aggregating.</li> <li>Results stream back to the client. Transactions wrap all of this in WAL (write ahead log) entries for durability.</li> </ol> <p>That little planner is the brain of the whole thing. It is also why the same query can be fast on Tuesday and slow on Wednesday: the data shape changed, and the planner picked a different plan. Keep statistics fresh (<code>ANALYZE</code> in Postgres) and you will rarely be surprised.</p> <h2> A short guide to dialects </h2> <p>SQL is a standard. Real engines extend and tweak it. The big three you will see:</p> <ul> <li> <strong>PostgreSQL</strong>: the senior favorite. Best in class JSON support, window functions, CTEs, generated columns, partial indexes, <code>RETURNING</code>, extensions. Default choice for most new apps in 2026.</li> <li> <strong>MySQL / MariaDB</strong>: massive ecosystem, fine performance, weaker default constraints (set <code>STRICT_ALL_TABLES</code>), historically weaker on JSON and window features (now caught up).</li> <li> <strong>SQLite</strong>: a single file database, perfect for embedded use, tests, mobile, and surprisingly capable for small to mid sized apps. Great for prototypes.</li> </ul> <p>Almost every example in this post is portable. The places you will find dialect differences: identifier quoting, auto increment syntax, JSON functions, full text search, and date functions.</p> <h2> Tiny tips that will save you later </h2> <ul> <li> <strong><code>SELECT *</code> is fine in the editor, dangerous in production code.</strong> List the columns you need.</li> <li> <strong>Always run an <code>UPDATE</code> or <code>DELETE</code> as a <code>SELECT</code> first.</strong> Same <code>WHERE</code>, same eyes.</li> <li> <strong>Wrap risky changes in a transaction</strong> with <code>BEGIN; ... ROLLBACK;</code> until you are certain.</li> <li> <strong><code>COUNT(*)</code> counts rows. <code>COUNT(col)</code> skips NULLs.</strong> They are different.</li> <li> <strong>Prefer <code>EXISTS</code> over <code>IN</code> for subqueries</strong> that may grow large.</li> <li> <strong>Filter early.</strong> Push <code>WHERE</code> and joins as low as possible so fewer rows climb the pipeline.</li> <li> <strong>Read the query plan before optimizing.</strong> Guessing is a waste of an evening.</li> <li> <strong>Connection pool, do not connect per request.</strong> Use PgBouncer, the language client's built in pool, or your framework's helper.</li> <li> <strong>Put long names into a style guide.</strong> <code>snake_case</code> for tables and columns, plural for tables (<code>books</code>, not <code>book</code>). Pick one and never argue about it again.</li> <li> <strong>Back up the database. Test the restore.</strong> A backup you have never restored is a wish, not a backup.</li> </ul> <h2> Wrapping up </h2> <p>So that is the whole story. We were tired of inventing tiny worse databases out of files and helper functions. We built one engine that holds structured data, enforces relationships, and answers questions in a declarative language we agreed to call SQL.</p> <p>We taught the engine four verbs: <code>INSERT</code>, <code>SELECT</code>, <code>UPDATE</code>, <code>DELETE</code>. We let it stitch tables back together with joins, summarize with aggregations, and walk windows with window functions. We added CTEs so complex queries read top to bottom. We made it fast with indexes, and gave it transactions and ACID guarantees so half done work is never visible. We baked rules into the schema with constraints, so the data stays sane even when buggy apps try to mess it up.</p> <p>Once that map is in your head, every database tutorial, blog post, and codebase starts to feel familiar. SQL stops feeling like a foreign language and starts feeling like a calm conversation with a very picky librarian who is, secretly, on your side.</p> <p>Happy querying, and put a bookmark in chapter two for me.</p> learning database sql Mohamed Idris Tue, 19 May 2026 13:07:00 +0000 https://forem.com/edriso/learning-frontend-testing-as-if-you-built-it-yourself-3ko6 https://forem.com/edriso/learning-frontend-testing-as-if-you-built-it-yourself-3ko6 <p>If you have ever pushed a "tiny" change to production on a Friday and watched the bug reports roll in over the weekend, you know why testing exists. Manual checking does not scale. A teammate refactors a util, your screen still looks fine, and three pages you never opened are quietly broken.</p> <p>Tests are how you stop being scared of your own code.</p> <p>That is the gap testing fills.</p> <h2> What is frontend testing, really </h2> <p>Think of tests as <strong>a tiny robot that opens your app for you, faster and more thorough than you ever could</strong>. The robot clicks, types, waits, asserts. It does this on every commit. When something breaks, the robot tells you within seconds.</p> <p>There are three sizes of robot, and a senior frontend engineer uses all three on purpose:</p> <ul> <li> <strong>Unit tests</strong> poke a single function. Tiny, fast, run by the thousands.</li> <li> <strong>Component / integration tests</strong> mount one component (or a small tree) and interact with it. Real DOM, real events, mocked network.</li> <li> <strong>End to end tests</strong> drive a real browser through a real app. Slow, expensive, the closest thing to a user.</li> </ul> <p>The 2026 sweet spot in the React world: <strong>Vitest</strong> for the first two, <strong>Playwright</strong> for the third. <strong>React Testing Library</strong> for the assertions and queries inside Vitest.</p> <p>That is the whole vibe.</p> <h2> Let's pretend we are building one </h2> <p>We want a frontend testing setup that is fast in development, accurate in CI, and gives us confidence to refactor without panic. We will not build it from scratch. We will assemble it from three modern tools.</p> <p>For the running example, we are testing pieces of an "Adopt a cat" app: a <code>formatPrice</code> helper, an <code>AdoptForm</code> component, and the full happy path of finding and adopting a cat.</p> <h2> Decision 1: Three layers, three tools </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────┐ │ E2E tests Playwright ~few │ │ ────────────── │ │ Component tests Vitest + RTL ~many │ │ ────────────── │ │ Unit tests Vitest ~lots │ └─────────────────────────────────────────────────┘ </code></pre> </div> <p>The number of tests should look roughly like that triangle. Lots of cheap unit tests, a healthy middle of component tests, a small number of expensive E2E tests for the critical paths.</p> <p>The trap senior engineers warn about: a flat shape, where you have hundreds of E2E tests and almost no unit or component tests. Your CI takes 40 minutes, every flaky test wastes the team's morning, and a small refactor breaks 60 tests at once.</p> <h2> Decision 2: Unit tests with Vitest </h2> <p>Install:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm i <span class="nt">-D</span> vitest </code></pre> </div> <p>Add to <code>package.json</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"scripts"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"test"</span><span class="p">:</span><span class="w"> </span><span class="s2">"vitest"</span><span class="p">,</span><span class="w"> </span><span class="nl">"test:run"</span><span class="p">:</span><span class="w"> </span><span class="s2">"vitest run"</span><span class="p">,</span><span class="w"> </span><span class="nl">"test:cov"</span><span class="p">:</span><span class="w"> </span><span class="s2">"vitest run --coverage"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>A unit test is a function that calls another function and asserts the result.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/lib/format-price.ts</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">formatPrice</span><span class="p">(</span><span class="nx">cents</span><span class="p">:</span> <span class="kr">number</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="k">return</span> <span class="s2">`$</span><span class="p">${(</span><span class="nx">cents</span> <span class="o">/</span> <span class="mi">100</span><span class="p">).</span><span class="nf">toFixed</span><span class="p">(</span><span class="mi">2</span><span class="p">)}</span><span class="s2">`</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/lib/format-price.test.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">describe</span><span class="p">,</span> <span class="nx">it</span><span class="p">,</span> <span class="nx">expect</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">vitest</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">formatPrice</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./format-price</span><span class="dl">"</span><span class="p">;</span> <span class="nf">describe</span><span class="p">(</span><span class="dl">"</span><span class="s2">formatPrice</span><span class="dl">"</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">it</span><span class="p">(</span><span class="dl">"</span><span class="s2">formats whole dollars</span><span class="dl">"</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">expect</span><span class="p">(</span><span class="nf">formatPrice</span><span class="p">(</span><span class="mi">500</span><span class="p">)).</span><span class="nf">toBe</span><span class="p">(</span><span class="dl">"</span><span class="s2">$5.00</span><span class="dl">"</span><span class="p">);</span> <span class="p">});</span> <span class="nf">it</span><span class="p">(</span><span class="dl">"</span><span class="s2">formats cents with two decimals</span><span class="dl">"</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">expect</span><span class="p">(</span><span class="nf">formatPrice</span><span class="p">(</span><span class="mi">1234</span><span class="p">)).</span><span class="nf">toBe</span><span class="p">(</span><span class="dl">"</span><span class="s2">$12.34</span><span class="dl">"</span><span class="p">);</span> <span class="p">});</span> <span class="nf">it</span><span class="p">(</span><span class="dl">"</span><span class="s2">handles zero</span><span class="dl">"</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">expect</span><span class="p">(</span><span class="nf">formatPrice</span><span class="p">(</span><span class="mi">0</span><span class="p">)).</span><span class="nf">toBe</span><span class="p">(</span><span class="dl">"</span><span class="s2">$0.00</span><span class="dl">"</span><span class="p">);</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p>A few things worth knowing:</p> <ul> <li> <strong><code>describe</code></strong> groups related tests, <strong><code>it</code></strong> (or <code>test</code>) is one test.</li> <li> <strong><code>expect(x).toBe(y)</code></strong> checks strict equality. <strong><code>.toEqual(y)</code></strong> for deep equality. <strong><code>.toBeTruthy()</code></strong>, <strong><code>.toContain()</code></strong>, <strong><code>.toThrow()</code></strong> for the rest.</li> <li> <strong>Vitest uses Vite's config</strong>, so your aliases, plugins, and TypeScript setup work for free.</li> <li> <strong>Tests run in parallel by default</strong>, so write them isolated. No shared global state.</li> </ul> <p>The senior level habits:</p> <ul> <li> <strong>Test the contract, not the implementation.</strong> Same input, same output. Refactors should not break unit tests.</li> <li> <strong>One assertion per test in spirit.</strong> A test that checks five different things is five tests in a trench coat.</li> <li> <strong>Name tests as sentences.</strong> "formats whole dollars" reads better than "test1".</li> <li> <strong>Skip happy path snapshots.</strong> A snapshot of a function output is fine. A snapshot of a 200 line HTML tree is a tax you will pay forever.</li> </ul> <h2> Decision 3: Component tests with React Testing Library </h2> <p>Install:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm i <span class="nt">-D</span> @testing-library/react @testing-library/user-event @testing-library/jest-dom jsdom </code></pre> </div> <p>Configure Vitest for the DOM:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// vitest.config.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">defineConfig</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">vitest/config</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">react</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@vitejs/plugin-react</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="nf">defineConfig</span><span class="p">({</span> <span class="na">plugins</span><span class="p">:</span> <span class="p">[</span><span class="nf">react</span><span class="p">()],</span> <span class="na">test</span><span class="p">:</span> <span class="p">{</span> <span class="na">environment</span><span class="p">:</span> <span class="dl">"</span><span class="s2">jsdom</span><span class="dl">"</span><span class="p">,</span> <span class="na">setupFiles</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">./test/setup.ts</span><span class="dl">"</span><span class="p">],</span> <span class="na">globals</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// test/setup.ts</span> <span class="k">import</span> <span class="dl">"</span><span class="s2">@testing-library/jest-dom/vitest</span><span class="dl">"</span><span class="p">;</span> </code></pre> </div> <p>Now you can mount components and interact with them:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// src/components/AdoptForm.tsx</span> <span class="dl">"</span><span class="s2">use client</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useState</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">react</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">AdoptForm</span><span class="p">({</span> <span class="nx">onAdopt</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">onAdopt</span><span class="p">:</span> <span class="p">(</span><span class="nx">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="k">void</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">name</span><span class="p">,</span> <span class="nx">setName</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="dl">""</span><span class="p">);</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">form</span> <span class="na">onSubmit</span><span class="p">=</span><span class="si">{</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">e</span><span class="p">.</span><span class="nf">preventDefault</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="nx">name</span><span class="p">)</span> <span class="nf">onAdopt</span><span class="p">(</span><span class="nx">name</span><span class="p">);</span> <span class="p">}</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">label</span> <span class="na">htmlFor</span><span class="p">=</span><span class="s">"name"</span><span class="p">&gt;</span>Cat name<span class="p">&lt;/</span><span class="nt">label</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">id</span><span class="p">=</span><span class="s">"name"</span> <span class="na">value</span><span class="p">=</span><span class="si">{</span><span class="nx">name</span><span class="si">}</span> <span class="na">onChange</span><span class="p">=</span><span class="si">{</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">setName</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">target</span><span class="p">.</span><span class="nx">value</span><span class="p">)</span><span class="si">}</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">type</span><span class="p">=</span><span class="s">"submit"</span> <span class="na">disabled</span><span class="p">=</span><span class="si">{</span><span class="o">!</span><span class="nx">name</span><span class="si">}</span><span class="p">&gt;</span>Adopt<span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">form</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// src/components/AdoptForm.test.tsx</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">render</span><span class="p">,</span> <span class="nx">screen</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@testing-library/react</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">userEvent</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@testing-library/user-event</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">describe</span><span class="p">,</span> <span class="nx">it</span><span class="p">,</span> <span class="nx">expect</span><span class="p">,</span> <span class="nx">vi</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">vitest</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AdoptForm</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./AdoptForm</span><span class="dl">"</span><span class="p">;</span> <span class="nf">describe</span><span class="p">(</span><span class="dl">"</span><span class="s2">AdoptForm</span><span class="dl">"</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">it</span><span class="p">(</span><span class="dl">"</span><span class="s2">disables the submit button when the name is empty</span><span class="dl">"</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">render</span><span class="p">(&lt;</span><span class="nc">AdoptForm</span> <span class="na">onAdopt</span><span class="p">=</span><span class="si">{</span><span class="nx">vi</span><span class="p">.</span><span class="nf">fn</span><span class="p">()</span><span class="si">}</span> <span class="p">/&gt;);</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">screen</span><span class="p">.</span><span class="nf">getByRole</span><span class="p">(</span><span class="dl">"</span><span class="s2">button</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="sr">/adopt/i</span> <span class="p">})).</span><span class="nf">toBeDisabled</span><span class="p">();</span> <span class="p">});</span> <span class="nf">it</span><span class="p">(</span><span class="dl">"</span><span class="s2">calls onAdopt with the typed name</span><span class="dl">"</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="nx">userEvent</span><span class="p">.</span><span class="nf">setup</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">onAdopt</span> <span class="o">=</span> <span class="nx">vi</span><span class="p">.</span><span class="nf">fn</span><span class="p">();</span> <span class="nf">render</span><span class="p">(&lt;</span><span class="nc">AdoptForm</span> <span class="na">onAdopt</span><span class="p">=</span><span class="si">{</span><span class="nx">onAdopt</span><span class="si">}</span> <span class="p">/&gt;);</span> <span class="k">await</span> <span class="nx">user</span><span class="p">.</span><span class="nf">type</span><span class="p">(</span><span class="nx">screen</span><span class="p">.</span><span class="nf">getByLabelText</span><span class="p">(</span><span class="sr">/cat name/i</span><span class="p">),</span> <span class="dl">"</span><span class="s2">Mochi</span><span class="dl">"</span><span class="p">);</span> <span class="k">await</span> <span class="nx">user</span><span class="p">.</span><span class="nf">click</span><span class="p">(</span><span class="nx">screen</span><span class="p">.</span><span class="nf">getByRole</span><span class="p">(</span><span class="dl">"</span><span class="s2">button</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="sr">/adopt/i</span> <span class="p">}));</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">onAdopt</span><span class="p">).</span><span class="nf">toHaveBeenCalledWith</span><span class="p">(</span><span class="dl">"</span><span class="s2">Mochi</span><span class="dl">"</span><span class="p">);</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p>The single most important rule of React Testing Library:</p> <blockquote> <p><strong>Find elements the way a user would.</strong> By role, by label, by visible text. Almost never by class name or test id.</p> </blockquote> <p>The query priority, from best to worst:</p> <ol> <li> <strong><code>getByRole</code></strong> (<code>button</code>, <code>heading</code>, <code>textbox</code>, <code>link</code>, ...). Tests both rendering and accessibility.</li> <li> <strong><code>getByLabelText</code></strong> for form fields.</li> <li> <strong><code>getByPlaceholderText</code></strong>, <strong><code>getByText</code></strong>, <strong><code>getByDisplayValue</code></strong>.</li> <li> <strong><code>getByAltText</code></strong>, <strong><code>getByTitle</code></strong> for images and tooltips.</li> <li> <strong><code>getByTestId</code></strong> as a last resort.</li> </ol> <p>If your tests cannot find a button by its role, that is a sign the markup is not accessible. Tests guide you toward better HTML.</p> <p>The four flavors of query:</p> <ul> <li> <strong><code>getBy...</code></strong> throws if not found. Use for things that should be there now.</li> <li> <strong><code>queryBy...</code></strong> returns null if not found. Use for asserting absence: <code>expect(queryByText("Loading")).toBeNull()</code>.</li> <li> <strong><code>findBy...</code></strong> is async, retries until it appears. Use for things that show up after a state change or a fetch.</li> <li> <strong><code>...All</code></strong> versions return arrays for matching multiple.</li> </ul> <h2> Decision 4: Mocking the network, the right way </h2> <p>Real components fetch data. In tests you do not want to hit a real API. Two modern choices:</p> <h3> MSW (Mock Service Worker), the senior favorite </h3> <p>MSW intercepts fetch calls at the network layer, so your component code uses real <code>fetch</code> but the response comes from your handlers.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// test/mocks.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">http</span><span class="p">,</span> <span class="nx">HttpResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">msw</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">setupServer</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">msw/node</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">handlers</span> <span class="o">=</span> <span class="p">[</span> <span class="nx">http</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/cats</span><span class="dl">"</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">HttpResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">([{</span> <span class="na">id</span><span class="p">:</span> <span class="dl">"</span><span class="s2">1</span><span class="dl">"</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Mochi</span><span class="dl">"</span> <span class="p">}])</span> <span class="p">),</span> <span class="nx">http</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/adopt/:id</span><span class="dl">"</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">HttpResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">ok</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})),</span> <span class="p">];</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="nf">setupServer</span><span class="p">(...</span><span class="nx">handlers</span><span class="p">);</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// test/setup.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">server</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./mocks</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">beforeAll</span><span class="p">,</span> <span class="nx">afterAll</span><span class="p">,</span> <span class="nx">afterEach</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">vitest</span><span class="dl">"</span><span class="p">;</span> <span class="nf">beforeAll</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="nx">server</span><span class="p">.</span><span class="nf">listen</span><span class="p">({</span> <span class="na">onUnhandledRequest</span><span class="p">:</span> <span class="dl">"</span><span class="s2">error</span><span class="dl">"</span> <span class="p">}));</span> <span class="nf">afterEach</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="nx">server</span><span class="p">.</span><span class="nf">resetHandlers</span><span class="p">());</span> <span class="nf">afterAll</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="nx">server</span><span class="p">.</span><span class="nf">close</span><span class="p">());</span> </code></pre> </div> <p>Now any <code>fetch("/api/cats")</code> in any test returns the mocked data. You can override per test:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">http</span><span class="p">,</span> <span class="nx">HttpResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">msw</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">server</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../test/mocks</span><span class="dl">"</span><span class="p">;</span> <span class="nf">it</span><span class="p">(</span><span class="dl">"</span><span class="s2">shows an error when the API fails</span><span class="dl">"</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">server</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">http</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/cats</span><span class="dl">"</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="k">new</span> <span class="nc">HttpResponse</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">500</span> <span class="p">})));</span> <span class="c1">// ...</span> <span class="p">});</span> </code></pre> </div> <p>MSW is the closest thing to "real network" you can get without one. The same handlers work in dev (with the browser worker), in tests (with the Node server), and in Storybook.</p> <h3> Module mocks for everything else </h3> <p>For non network dependencies, use Vitest's <code>vi.mock</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">vi</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">vitest</span><span class="dl">"</span><span class="p">;</span> <span class="nx">vi</span><span class="p">.</span><span class="nf">mock</span><span class="p">(</span><span class="dl">"</span><span class="s2">@/lib/db</span><span class="dl">"</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">db</span><span class="p">:</span> <span class="p">{</span> <span class="na">post</span><span class="p">:</span> <span class="p">{</span> <span class="na">findMany</span><span class="p">:</span> <span class="nx">vi</span><span class="p">.</span><span class="nf">fn</span><span class="p">().</span><span class="nf">mockResolvedValue</span><span class="p">([])</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}));</span> </code></pre> </div> <p>Use sparingly. A test full of mocks tests the mocks, not the code.</p> <h2> Decision 5: End to end tests with Playwright </h2> <p>Install:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm init playwright@latest </code></pre> </div> <p>Playwright spins up real Chromium, Firefox, and WebKit, drives them through your app, and asserts what the user sees. It is the gold standard for E2E in 2026.</p> <p>A single test of the adoption flow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// e2e/adopt.spec.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">test</span><span class="p">,</span> <span class="nx">expect</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@playwright/test</span><span class="dl">"</span><span class="p">;</span> <span class="nf">test</span><span class="p">(</span><span class="dl">"</span><span class="s2">a user can adopt a cat</span><span class="dl">"</span><span class="p">,</span> <span class="k">async </span><span class="p">({</span> <span class="nx">page</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">page</span><span class="p">.</span><span class="nf">goto</span><span class="p">(</span><span class="dl">"</span><span class="s2">/cats</span><span class="dl">"</span><span class="p">);</span> <span class="k">await</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">page</span><span class="p">.</span><span class="nf">getByRole</span><span class="p">(</span><span class="dl">"</span><span class="s2">heading</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="sr">/cats looking for a home/i</span> <span class="p">})).</span><span class="nf">toBeVisible</span><span class="p">();</span> <span class="k">await</span> <span class="nx">page</span><span class="p">.</span><span class="nf">getByRole</span><span class="p">(</span><span class="dl">"</span><span class="s2">button</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Adopt Mochi</span><span class="dl">"</span> <span class="p">}).</span><span class="nf">click</span><span class="p">();</span> <span class="k">await</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">page</span><span class="p">.</span><span class="nf">getByText</span><span class="p">(</span><span class="dl">"</span><span class="s2">Mochi is going home</span><span class="dl">"</span><span class="p">)).</span><span class="nf">toBeVisible</span><span class="p">();</span> <span class="k">await</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">page</span><span class="p">).</span><span class="nf">toHaveURL</span><span class="p">(</span><span class="sr">/</span><span class="se">\/</span><span class="sr">cats</span><span class="se">\/</span><span class="sr">adopted/</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>The senior level habits:</p> <ul> <li> <strong>Use the same query priorities as RTL.</strong> <code>getByRole</code>, <code>getByLabel</code>, <code>getByText</code>. Skip CSS selectors when you can.</li> <li> <strong>Web first assertions auto retry.</strong> <code>await expect(locator).toBeVisible()</code> keeps trying until the timeout. Almost no <code>waitForSelector</code> needed.</li> <li> <strong>Test the critical path, not every page.</strong> 20 to 30 well chosen E2E tests is plenty for most apps. The unit and component layers cover the rest.</li> <li> <strong>Run against a real build (<code>next build &amp;&amp; next start</code>)</strong> in CI, not the dev server. You catch problems specific to production builds (missing <code>"use client"</code>, env var issues, route handler bugs).</li> <li> <strong>Shard E2E in CI.</strong> Playwright supports <code>--shard=1/4</code> natively. Splitting the suite across four parallel runners turns a 12 minute run into 3.</li> <li> <strong>Trace on failure.</strong> <code>npx playwright test --trace=retain-on-failure</code> records a video, screenshots, and network for every failing test. Debugging gets ten times faster.</li> </ul> <p>A few useful Playwright extras:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">await</span> <span class="nx">page</span><span class="p">.</span><span class="nf">locator</span><span class="p">(</span><span class="dl">"</span><span class="s2">input[name=name]</span><span class="dl">"</span><span class="p">).</span><span class="nf">fill</span><span class="p">(</span><span class="dl">"</span><span class="s2">Mochi</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// fill a field</span> <span class="k">await</span> <span class="nx">page</span><span class="p">.</span><span class="nf">getByRole</span><span class="p">(</span><span class="dl">"</span><span class="s2">button</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Adopt</span><span class="dl">"</span> <span class="p">}).</span><span class="nf">click</span><span class="p">();</span> <span class="c1">// click</span> <span class="k">await</span> <span class="nx">page</span><span class="p">.</span><span class="nf">waitForURL</span><span class="p">(</span><span class="dl">"</span><span class="s2">/dashboard</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// wait for navigation</span> <span class="k">await</span> <span class="nx">page</span><span class="p">.</span><span class="nf">screenshot</span><span class="p">({</span> <span class="na">path</span><span class="p">:</span> <span class="dl">"</span><span class="s2">fail.png</span><span class="dl">"</span> <span class="p">});</span> <span class="c1">// screenshot on demand</span> <span class="k">await</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">page</span><span class="p">.</span><span class="nf">getByText</span><span class="p">(</span><span class="dl">"</span><span class="s2">Loading</span><span class="dl">"</span><span class="p">)).</span><span class="nf">toHaveCount</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="c1">// assert it disappeared</span> <span class="k">await</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">page</span><span class="p">.</span><span class="nf">getByRole</span><span class="p">(</span><span class="dl">"</span><span class="s2">alert</span><span class="dl">"</span><span class="p">)).</span><span class="nf">toContainText</span><span class="p">(</span><span class="dl">"</span><span class="s2">Saved</span><span class="dl">"</span><span class="p">);</span> </code></pre> </div> <p>For visual regression, Playwright has a built in <code>toHaveScreenshot()</code> that diffs against a stored baseline. Great for design system primitives.</p> <h2> Decision 6: A modern test pyramid for a real React app </h2> <p>A repeatable target for any new project:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">unit</span><span class="pi">:</span> <span class="s">lots tests/lib/**/*.test.ts</span> <span class="na">component</span><span class="pi">:</span> <span class="s">per feature tests/components/**/*.test.tsx</span> <span class="na">e2e</span><span class="pi">:</span> <span class="s">critical paths e2e/**/*.spec.ts</span> </code></pre> </div> <p>What to test where:</p> <ul> <li> <strong>Pure functions, formatters, parsers, validators</strong>: unit.</li> <li> <strong>Single component behavior with props and events</strong>: component.</li> <li> <strong>A page or a feature working end to end (auth, checkout, signup, search)</strong>: E2E.</li> <li> <strong>Server actions, API routes, server queries</strong>: integration tests with a real test database (or a transactional rollback per test). Use Vitest with <code>node</code> environment, not jsdom.</li> <li> <strong>Skip</strong>: testing internal state, testing your component library, testing TypeScript types, testing third party hooks.</li> </ul> <h2> Decision 7: Make tests easy to read </h2> <p>The single best style guide for tests, in one rule:</p> <blockquote> <p><strong>A failing test should tell you what is wrong without you reading the code.</strong></p> </blockquote> <p>Two patterns help:</p> <h3> Arrange / Act / Assert </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nf">it</span><span class="p">(</span><span class="dl">"</span><span class="s2">calls onAdopt with the typed name</span><span class="dl">"</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Arrange</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="nx">userEvent</span><span class="p">.</span><span class="nf">setup</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">onAdopt</span> <span class="o">=</span> <span class="nx">vi</span><span class="p">.</span><span class="nf">fn</span><span class="p">();</span> <span class="nf">render</span><span class="p">(</span><span class="o">&lt;</span><span class="nx">AdoptForm</span> <span class="nx">onAdopt</span><span class="o">=</span><span class="p">{</span><span class="nx">onAdopt</span><span class="p">}</span> <span class="sr">/&gt;</span><span class="se">)</span><span class="err">; </span> <span class="c1">// Act</span> <span class="k">await</span> <span class="nx">user</span><span class="p">.</span><span class="nf">type</span><span class="p">(</span><span class="nx">screen</span><span class="p">.</span><span class="nf">getByLabelText</span><span class="p">(</span><span class="sr">/cat name/i</span><span class="p">),</span> <span class="dl">"</span><span class="s2">Mochi</span><span class="dl">"</span><span class="p">);</span> <span class="k">await</span> <span class="nx">user</span><span class="p">.</span><span class="nf">click</span><span class="p">(</span><span class="nx">screen</span><span class="p">.</span><span class="nf">getByRole</span><span class="p">(</span><span class="dl">"</span><span class="s2">button</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="sr">/adopt/i</span> <span class="p">}));</span> <span class="c1">// Assert</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">onAdopt</span><span class="p">).</span><span class="nf">toHaveBeenCalledWith</span><span class="p">(</span><span class="dl">"</span><span class="s2">Mochi</span><span class="dl">"</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <h3> Custom render helpers </h3> <p>Wrap once, reuse everywhere. Providers (router, query client, theme, i18n) live in one place:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// test/render.tsx</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">render</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@testing-library/react</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">QueryClient</span><span class="p">,</span> <span class="nx">QueryClientProvider</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@tanstack/react-query</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">renderWithProviders</span><span class="p">(</span><span class="nx">ui</span><span class="p">:</span> <span class="nx">React</span><span class="p">.</span><span class="nx">ReactElement</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">qc</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">QueryClient</span><span class="p">({</span> <span class="na">defaultOptions</span><span class="p">:</span> <span class="p">{</span> <span class="na">queries</span><span class="p">:</span> <span class="p">{</span> <span class="na">retry</span><span class="p">:</span> <span class="kc">false</span> <span class="p">}</span> <span class="p">}</span> <span class="p">});</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(&lt;</span><span class="nc">QueryClientProvider</span> <span class="na">client</span><span class="p">=</span><span class="si">{</span><span class="nx">qc</span><span class="si">}</span><span class="p">&gt;</span><span class="si">{</span><span class="nx">ui</span><span class="si">}</span><span class="p">&lt;/</span><span class="nc">QueryClientProvider</span><span class="p">&gt;);</span> <span class="p">}</span> </code></pre> </div> <p>Now every component test imports <code>renderWithProviders</code> and the noise stays out of the test body.</p> <h2> Decision 8: Testing async UI without flakes </h2> <p>Async tests fail intermittently when they assert at the wrong moment. The fix is to ask the testing library to wait for the right thing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// wait for a thing to appear</span> <span class="nf">expect</span><span class="p">(</span><span class="k">await</span> <span class="nx">screen</span><span class="p">.</span><span class="nf">findByText</span><span class="p">(</span><span class="dl">"</span><span class="s2">Adopted</span><span class="dl">"</span><span class="p">)).</span><span class="nf">toBeInTheDocument</span><span class="p">();</span> <span class="c1">// wait for a thing to disappear</span> <span class="k">await</span> <span class="nf">waitForElementToBeRemoved</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="nx">screen</span><span class="p">.</span><span class="nf">queryByText</span><span class="p">(</span><span class="dl">"</span><span class="s2">Loading</span><span class="dl">"</span><span class="p">));</span> <span class="c1">// wait for any condition</span> <span class="k">await</span> <span class="nf">waitFor</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">onAdopt</span><span class="p">).</span><span class="nf">toHaveBeenCalled</span><span class="p">();</span> <span class="p">});</span> </code></pre> </div> <p>Two anti patterns to avoid:</p> <ul> <li> <strong><code>setTimeout</code> or hand spun delays.</strong> Always flaky.</li> <li> <strong>Testing <code>useEffect</code> directly.</strong> Test the user visible result, not the hook internals.</li> </ul> <h2> Decision 9: CI integration and speed </h2> <p>A CI pipeline that respects developers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/test.yml (sketch)</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm run lint</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm run test:run -- --reporter=github</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npx playwright install --with-deps</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm run build</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npx playwright test --shard=${{ matrix.shard }}/4</span> </code></pre> </div> <p>The order matters: lint first (cheapest), unit and component tests next (fast), build, then E2E (slowest, sharded).</p> <p>The senior level habits:</p> <ul> <li> <strong>Fail fast.</strong> If lint fails, do not run E2E.</li> <li> <strong>Cache dependencies.</strong> <code>actions/setup-node</code> plus <code>cache: npm</code> shaves real time.</li> <li> <strong>Upload Playwright traces</strong> as artifacts on failure. Future you will thank present you.</li> <li> <strong>Ban <code>.only</code> and <code>.skip</code></strong> in CI with a lint rule. They sneak in.</li> </ul> <h2> Decision 10: Senior level moves and pitfalls </h2> <p>A short list of habits that separate "writes tests" from "writes good tests":</p> <ul> <li> <strong>Test behavior, not structure.</strong> A test that breaks when you change the markup but not the behavior is testing too much.</li> <li> <strong>Avoid <code>data-testid</code> unless you must.</strong> They drift from the user experience.</li> <li> <strong>Write the test first when the bug is hard.</strong> A failing test pinpoints the problem and stays as a regression guard.</li> <li> <strong>Never test third party libraries.</strong> They have their own tests.</li> <li> <strong>Test the boundary, not the internals.</strong> A component takes props, renders, and emits events. Test those.</li> <li> <strong>Keep tests independent.</strong> Order should not matter. No shared mutable state.</li> <li> <strong>Mock at the network, not at every module.</strong> MSW &gt; a forest of <code>vi.mock</code>.</li> <li> <strong>Run a real database in integration tests.</strong> SQLite in memory, Postgres in Docker, Mongo Memory Server. Mocked databases lie.</li> <li> <strong>Coverage is not a goal.</strong> 80 high quality tests beat 200 noisy ones.</li> <li> <strong>Delete tests that no longer earn their keep.</strong> A test you mute every other week is a tax, not an asset.</li> </ul> <h2> A peek under the hood </h2> <p>What really happens when you run <code>vitest</code>:</p> <ol> <li>Vitest reads your <code>vite.config</code> and starts a Vite dev server.</li> <li>Vite transforms your source on the fly using esbuild or SWC.</li> <li>Tests run in worker threads, in parallel.</li> <li>JSDOM provides a fake DOM. React renders into it. Events go through React's synthetic event system.</li> <li>Assertions run, results stream to the reporter.</li> </ol> <p>What really happens when you run Playwright:</p> <ol> <li>Playwright launches a real browser binary (Chromium by default).</li> <li>It opens your test URL in a fresh context (cookies, storage are isolated).</li> <li>Each <code>await</code> is an action recorded in a trace, with snapshots and network logs.</li> <li>Tests run in parallel across browser contexts within a single browser instance.</li> <li>On failure, traces are saved, screenshots are taken, the next test still runs.</li> </ol> <p>Two consequences for your time:</p> <ul> <li> <strong>Vitest is fast because Vite is fast.</strong> Cold start in milliseconds, hot reload of tests as you edit.</li> <li> <strong>Playwright is slow because browsers are slow.</strong> Use it sparingly, run in parallel, shard in CI.</li> </ul> <h2> Tiny tips that will save you later </h2> <ul> <li> <strong><code>screen.debug()</code></strong> prints the current DOM. Use it when you cannot find a node.</li> <li> <strong><code>logRoles(container)</code></strong> lists every accessible role. Pick the one your test should query.</li> <li> <strong>Use <code>userEvent</code>, not <code>fireEvent</code>.</strong> It simulates real user actions including focus, keypresses, and accessible interactions.</li> <li> <strong>Reset MSW handlers between tests.</strong> Otherwise tests bleed into each other.</li> <li> <strong>Run Playwright in <code>--ui</code> mode</strong> locally. The time travel debugger is magical.</li> <li> <strong>Snapshot only stable, narrow output.</strong> A function output, a serialized state. Not a 5000 character DOM string.</li> <li> <strong>Write a small <code>renderWithProviders</code></strong> on day one. Tests stay lean.</li> <li> <strong>Keep one test file per source file</strong>, named the same way (<code>Foo.tsx</code> paired with <code>Foo.test.tsx</code>). Easy to find.</li> </ul> <h2> Wrapping up </h2> <p>So that is the whole story. We were tired of being scared of our own code. We built a three layer testing pyramid: lots of unit tests with Vitest, a healthy middle of component tests with React Testing Library, a small number of E2E tests with Playwright. We mocked the network with MSW, queried elements the way a user would, asserted behavior instead of internals, and let CI catch what we missed.</p> <p>We learned to write tests as sentences, structure them as Arrange / Act / Assert, keep them independent, and delete the ones that stopped earning their keep. We chose tools that pay back our time: Vitest for speed, RTL for accessibility friendly queries, Playwright for real browser confidence, MSW for sane network mocks.</p> <p>Once that map is in your head, tests stop feeling like a tax and start feeling like a backup brain that catches the regressions a tired Friday you would have shipped. You start refactoring without flinching. You start sleeping better.</p> <p>Happy testing, and may your suite stay green.</p> learning frontend testing Mohamed Idris Mon, 18 May 2026 13:06:00 +0000 https://forem.com/edriso/learning-web-performance-as-if-you-built-it-yourself-29fn https://forem.com/edriso/learning-web-performance-as-if-you-built-it-yourself-29fn <p>If you have ever opened a beautiful new website on your phone and watched the layout shift around for two seconds while you tried to tap a button, you have met bad web performance. You are not alone. According to the 2025 Web Almanac, only 48% of mobile pages and 56% of desktop pages pass all three Core Web Vitals.</p> <p>Performance is the gap between "the design looks great" and "people actually use it". A 24% lower bounce rate is the kind of number a CEO will print on a poster. It comes from making the page feel fast.</p> <p>That is the gap web performance fills.</p> <h2> What is web performance, really </h2> <p>Think of web performance as <strong>measuring three feelings the user has, not measuring how clever your code is</strong>:</p> <ul> <li> <strong>"Did the page show up?"</strong> (LCP, Largest Contentful Paint)</li> <li> <strong>"Does it respond when I tap?"</strong> (INP, Interaction to Next Paint)</li> <li> <strong>"Is it staying still or jumping around?"</strong> (CLS, Cumulative Layout Shift)</li> </ul> <p>Google calls these <strong>Core Web Vitals</strong>. They are user perception metrics, not synthetic numbers. Google measures them on real users. They feed search rankings. Browsers expose them via the Performance API for free.</p> <p>The 2026 thresholds you must memorize:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Good</th> <th>Needs work</th> <th>Poor</th> </tr> </thead> <tbody> <tr> <td>LCP</td> <td>≤ 2.5 s</td> <td>2.5 to 4.0 s</td> <td>&gt; 4.0 s</td> </tr> <tr> <td>INP</td> <td>≤ 200 ms</td> <td>200 to 500 ms</td> <td>&gt; 500 ms</td> </tr> <tr> <td>CLS</td> <td>≤ 0.1</td> <td>0.1 to 0.25</td> <td>&gt; 0.25</td> </tr> </tbody> </table></div> <p>INP replaced FID (First Input Delay) in March 2024 and is the strictest Core Web Vital. <strong>43% of sites fail the 200ms INP threshold</strong>. Most of the work in 2026 is here.</p> <p>That is the whole vibe.</p> <h2> Let's pretend we are building one </h2> <p>We want a way to make websites feel fast on real devices, on real networks, in real users' hands. We will not invent the metrics. The browser already gives them to us. We just need to learn to read them and to fix what they reveal.</p> <p>For the running example, we are speeding up a tiny <strong>online bakery</strong> landing page: a hero image, a list of products, a "buy" button. We will improve each metric in turn.</p> <h2> Decision 1: Measure first, optimize second </h2> <p>Before you change anything, measure. Three places to measure, in order:</p> <h3> Lighthouse / PageSpeed Insights </h3> <p>Open Chrome DevTools, hit the Lighthouse tab, run a report. Or paste your URL into <a href="https://pagespeed.web.dev" rel="noopener noreferrer">pagespeed.web.dev</a>. You get scores for each metric, plus specific suggestions ranked by impact.</p> <p>This is <strong>lab data</strong>, run on a simulated mobile device. Useful for catching regressions, but does not match what real users see.</p> <h3> CrUX (Chrome User Experience Report) </h3> <p>Real anonymized data from real Chrome users. The PageSpeed report shows it at the top under "field data". This is the data Google uses for ranking. Trust this number more than the Lighthouse one.</p> <h3> Real User Monitoring (RUM) </h3> <p>Send your own metrics from production using the <code>web-vitals</code> library. Two minutes of setup gives you the truth, on every device, every connection, every page.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">onLCP</span><span class="p">,</span> <span class="nx">onINP</span><span class="p">,</span> <span class="nx">onCLS</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">web-vitals</span><span class="dl">"</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">send</span><span class="p">(</span><span class="nx">metric</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// ship to your analytics endpoint</span> <span class="nb">navigator</span><span class="p">.</span><span class="nf">sendBeacon</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/vitals</span><span class="dl">"</span><span class="p">,</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">metric</span><span class="p">));</span> <span class="p">}</span> <span class="nf">onLCP</span><span class="p">(</span><span class="nx">send</span><span class="p">);</span> <span class="nf">onINP</span><span class="p">(</span><span class="nx">send</span><span class="p">);</span> <span class="nf">onCLS</span><span class="p">(</span><span class="nx">send</span><span class="p">);</span> </code></pre> </div> <p>The senior level rule: <strong>Lighthouse for trends, CrUX for the truth, RUM for debugging.</strong></p> <h2> Decision 2: Improve LCP, the "did the page show up" metric </h2> <p>LCP measures the time until the largest visible element finishes rendering. Almost always: a hero image, a hero <code>&lt;h1&gt;</code>, or a big text block. If LCP is slow, the page feels broken even if everything else is fine.</p> <p>The four highest impact fixes, in order:</p> <h3> Preload the LCP image </h3> <p>Tell the browser the most important image early, while it is still parsing HTML.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;link</span> <span class="na">rel=</span><span class="s">"preload"</span> <span class="na">as=</span><span class="s">"image"</span> <span class="na">href=</span><span class="s">"/hero-bakery.jpg"</span> <span class="na">fetchpriority=</span><span class="s">"high"</span> <span class="nt">/&gt;</span> </code></pre> </div> <p>In Next.js, <code>priority</code> on <code>&lt;Image&gt;</code> does the same thing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="p">&lt;</span><span class="nc">Image</span> <span class="na">src</span><span class="p">=</span><span class="s">"/hero-bakery.jpg"</span> <span class="na">alt</span><span class="p">=</span><span class="s">"..."</span> <span class="na">width</span><span class="p">=</span><span class="si">{</span><span class="mi">1200</span><span class="si">}</span> <span class="na">height</span><span class="p">=</span><span class="si">{</span><span class="mi">800</span><span class="si">}</span> <span class="na">priority</span> <span class="p">/&gt;</span> </code></pre> </div> <h3> Use modern image formats and responsive sizes </h3> <p>AVIF is roughly half the size of JPEG. WebP is roughly 25% smaller. Browsers support them. Serve them.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;picture&gt;</span> <span class="nt">&lt;source</span> <span class="na">srcset=</span><span class="s">"/hero.avif"</span> <span class="na">type=</span><span class="s">"image/avif"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;source</span> <span class="na">srcset=</span><span class="s">"/hero.webp"</span> <span class="na">type=</span><span class="s">"image/webp"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;img</span> <span class="na">src=</span><span class="s">"/hero.jpg"</span> <span class="na">alt=</span><span class="s">"..."</span> <span class="na">width=</span><span class="s">"1200"</span> <span class="na">height=</span><span class="s">"800"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/picture&gt;</span> </code></pre> </div> <p>Always serve a size that fits the viewport. A phone does not need a 4K hero. Use <code>srcset</code> with descriptors:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;img</span> <span class="na">src=</span><span class="s">"/hero-1200.jpg"</span> <span class="na">srcset=</span><span class="s">"/hero-400.jpg 400w, /hero-800.jpg 800w, /hero-1600.jpg 1600w"</span> <span class="na">sizes=</span><span class="s">"(max-width: 600px) 100vw, 1200px"</span> <span class="na">alt=</span><span class="s">"..."</span> <span class="nt">/&gt;</span> </code></pre> </div> <p>A tool like Sharp or a CDN like Cloudinary or Vercel Image Optimization gives you these sizes automatically.</p> <h3> Inline critical CSS, defer the rest </h3> <p>Render blocking CSS delays paint. Inline the styles your above-the-fold content needs in <code>&lt;style&gt;</code>, then load the full stylesheet <code>&lt;link rel="preload" as="style"&gt;</code> and apply asynchronously.</p> <p>Most teams do not do this by hand. Frameworks handle it. If yours does not, run a tool like Critters or use a service that does.</p> <h3> Server side render the first paint </h3> <p>Static HTML (SSG, ISR, RSC, plain server rendering) puts visible content on the screen before any JavaScript executes. That is the single biggest win you will ever ship.</p> <p>If your app is a Vite SPA where everything renders inside <code>&lt;div id="root"&gt;&lt;/div&gt;</code> on the client, your LCP is at the mercy of the JS bundle. If you can move to Next.js, Astro, Remix, or a framework that ships HTML, do.</p> <h3> Self host fonts and use <code>font-display: swap</code> </h3> <p>A custom font that takes 800ms to load and blocks text with <code>font-display: block</code> will torpedo your LCP. The fix:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="k">@font-face</span> <span class="p">{</span> <span class="nl">font-family</span><span class="p">:</span> <span class="s1">"Inter"</span><span class="p">;</span> <span class="nl">src</span><span class="p">:</span> <span class="sx">url("/fonts/inter.woff2")</span> <span class="n">format</span><span class="p">(</span><span class="s1">"woff2"</span><span class="p">);</span> <span class="py">font-display</span><span class="p">:</span> <span class="n">swap</span><span class="p">;</span> <span class="nl">font-weight</span><span class="p">:</span> <span class="m">100</span> <span class="m">900</span><span class="p">;</span> <span class="c">/* variable font, one file for all weights */</span> <span class="p">}</span> </code></pre> </div> <p><code>font-display: swap</code> shows fallback text immediately and swaps to the custom font when it loads. Then preload the file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;link</span> <span class="na">rel=</span><span class="s">"preload"</span> <span class="na">as=</span><span class="s">"font"</span> <span class="na">type=</span><span class="s">"font/woff2"</span> <span class="na">href=</span><span class="s">"/fonts/inter.woff2"</span> <span class="na">crossorigin</span> <span class="nt">/&gt;</span> </code></pre> </div> <p>Better yet, use <code>next/font</code> (in Next.js) or <code>unplugin-fonts</code> (everywhere else). They handle subsetting, preloading, and <code>size-adjust</code> to prevent CLS when the font swaps.</p> <h2> Decision 3: Improve INP, the "does it respond" metric </h2> <p>INP is the time between a user interaction (tap, click, keypress) and the next paint after the resulting work. If your button takes 600ms to react, INP fails.</p> <p>The pain almost always comes from a <strong>long task</strong> on the main thread blocking the browser from painting. JavaScript is single threaded. While it is busy, nothing else happens.</p> <p>The senior level fixes:</p> <h3> Break long tasks into chunks </h3> <p>A 200ms <code>for</code> loop blocks the main thread for 200ms. Split it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">processInChunks</span><span class="o">&lt;</span><span class="nx">T</span><span class="o">&gt;</span><span class="p">(</span><span class="nx">items</span><span class="p">:</span> <span class="nx">T</span><span class="p">[],</span> <span class="nx">handle</span><span class="p">:</span> <span class="p">(</span><span class="nx">item</span><span class="p">:</span> <span class="nx">T</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="k">void</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">CHUNK</span> <span class="o">=</span> <span class="mi">50</span><span class="p">;</span> <span class="k">for </span><span class="p">(</span><span class="kd">let</span> <span class="nx">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nx">i</span> <span class="o">&lt;</span> <span class="nx">items</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> <span class="nx">i</span> <span class="o">+=</span> <span class="nx">CHUNK</span><span class="p">)</span> <span class="p">{</span> <span class="nx">items</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="nx">i</span><span class="p">,</span> <span class="nx">i</span> <span class="o">+</span> <span class="nx">CHUNK</span><span class="p">).</span><span class="nf">forEach</span><span class="p">(</span><span class="nx">handle</span><span class="p">);</span> <span class="k">await</span> <span class="k">new</span> <span class="nc">Promise</span><span class="p">((</span><span class="nx">r</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">setTimeout</span><span class="p">(</span><span class="nx">r</span><span class="p">,</span> <span class="mi">0</span><span class="p">));</span> <span class="c1">// yield to the browser</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Or use the modern API directly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">yieldToMain</span><span class="p">()</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="dl">"</span><span class="s2">scheduler</span><span class="dl">"</span> <span class="k">in</span> <span class="nb">window</span> <span class="o">&amp;&amp;</span> <span class="dl">"</span><span class="s2">yield</span><span class="dl">"</span> <span class="k">in</span> <span class="nb">window</span><span class="p">.</span><span class="nx">scheduler</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nb">window</span><span class="p">.</span><span class="nx">scheduler</span><span class="p">.</span><span class="k">yield</span><span class="p">();</span> <span class="p">}</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">Promise</span><span class="p">((</span><span class="nx">r</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">setTimeout</span><span class="p">(</span><span class="nx">r</span><span class="p">,</span> <span class="mi">0</span><span class="p">));</span> <span class="p">}</span> </code></pre> </div> <p>Inside long work, <code>await yieldToMain()</code> periodically. The browser gets a chance to paint and respond.</p> <h3> Use React's transitions for non urgent updates </h3> <p>Sometimes the work is React rendering. <code>useTransition</code> marks an update as low priority so the browser can paint the urgent stuff first.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="kd">const</span> <span class="p">[</span><span class="nx">isPending</span><span class="p">,</span> <span class="nx">startTransition</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useTransition</span><span class="p">();</span> <span class="kd">function</span> <span class="nf">handleSearch</span><span class="p">(</span><span class="nx">query</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="nf">setQuery</span><span class="p">(</span><span class="nx">query</span><span class="p">);</span> <span class="c1">// urgent: input updates immediately</span> <span class="nf">startTransition</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="nf">setResults</span><span class="p">(</span><span class="nf">filter</span><span class="p">(</span><span class="nx">allItems</span><span class="p">,</span> <span class="nx">query</span><span class="p">)));</span> <span class="c1">// not urgent</span> <span class="p">}</span> </code></pre> </div> <p>The input feels instant even when the result list is heavy.</p> <h3> Move heavy work off the main thread </h3> <p>If a function takes 400ms, it should not run on the UI thread. Use a <strong>Web Worker</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// worker.ts</span> <span class="nb">self</span><span class="p">.</span><span class="nx">onmessage</span> <span class="o">=</span> <span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="nf">expensiveCompute</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">data</span><span class="p">);</span> <span class="nb">self</span><span class="p">.</span><span class="nf">postMessage</span><span class="p">(</span><span class="nx">result</span><span class="p">);</span> <span class="p">};</span> <span class="c1">// main.ts</span> <span class="kd">const</span> <span class="nx">worker</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Worker</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">"</span><span class="s2">./worker.ts</span><span class="dl">"</span><span class="p">,</span> <span class="k">import</span><span class="p">.</span><span class="nx">meta</span><span class="p">.</span><span class="nx">url</span><span class="p">),</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">module</span><span class="dl">"</span> <span class="p">});</span> <span class="nx">worker</span><span class="p">.</span><span class="nf">postMessage</span><span class="p">(</span><span class="nx">input</span><span class="p">);</span> <span class="nx">worker</span><span class="p">.</span><span class="nx">onmessage</span> <span class="o">=</span> <span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">setResult</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">data</span><span class="p">);</span> </code></pre> </div> <p>Tools like <code>comlink</code> make this much friendlier (the worker exposes a function, you <code>await</code> it from the main thread).</p> <h3> Cut your JavaScript bundle </h3> <p>The fastest function is the one that does not run. Common wins:</p> <ul> <li> <strong>Code split by route.</strong> Next.js does this automatically. In Vite SPAs, <code>React.lazy</code> plus a route loader does the trick.</li> <li> <strong>Lazy load heavy widgets.</strong> Maps, charts, rich text editors should load only when used.</li> <li> <strong>Tree shake your icon libraries.</strong> Importing a single icon from <code>lucide-react</code> is fine. Importing the whole namespace is not.</li> <li> <strong>Replace heavy dependencies.</strong> <code>date-fns/locale/en</code> over <code>moment</code>. <code>nanoid</code> over <code>uuid</code>.</li> <li> <strong>Use the Coverage tab in DevTools</strong> to see how much of your shipped JS is actually used. The number will surprise you.</li> </ul> <h3> Stop unnecessary re renders </h3> <p>A React component that re renders on every keystroke when it does not need to is INP poison. Tools to reach for:</p> <ul> <li> <code>React.memo</code> on heavy components passed stable props.</li> <li> <code>useMemo</code> for expensive computations.</li> <li> <code>useCallback</code> only when the callback is a dependency of a memoed child.</li> <li>The React Compiler (in 2026) handles most of this for you, but it is not magic. Inspect with the React DevTools Profiler.</li> </ul> <h2> Decision 4: Improve CLS, the "is it staying still" metric </h2> <p>CLS measures unexpected layout shifts: the page jumping while the user is reading or about to tap. Three causes account for almost every shift in the wild:</p> <h3> Images without dimensions </h3> <p>The browser does not know how big the image will be until it loads, so it reserves zero space. When the image arrives, everything below it shifts.</p> <p>The fix is one line:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;img</span> <span class="na">src=</span><span class="s">"/cookie.jpg"</span> <span class="na">alt=</span><span class="s">"..."</span> <span class="na">width=</span><span class="s">"640"</span> <span class="na">height=</span><span class="s">"480"</span> <span class="nt">/&gt;</span> </code></pre> </div> <p>Or in CSS:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="nt">img</span> <span class="p">{</span> <span class="py">aspect-ratio</span><span class="p">:</span> <span class="m">4</span> <span class="p">/</span> <span class="m">3</span><span class="p">;</span> <span class="nl">height</span><span class="p">:</span> <span class="nb">auto</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>The browser uses <code>width</code> and <code>height</code> to compute an aspect ratio and reserves space immediately. This is a free CLS win that almost no one does.</p> <h3> Late loading fonts </h3> <p>A custom font usually has different metrics from the fallback. When it swaps in, every line of text shifts.</p> <p>Mitigation:</p> <ul> <li> <code>font-display: optional</code> to skip the swap entirely on slow connections.</li> <li> <code>size-adjust</code>, <code>ascent-override</code>, <code>descent-override</code> in <code>@font-face</code> to make the fallback look like the custom font.</li> <li>The <code>next/font</code> package and the modern Fontsource setup handle this for you.</li> </ul> <h3> Dynamic content (ads, embeds, banners) injected without reserved space </h3> <p>The fix is to <strong>always reserve the space</strong> before the content arrives. A skeleton, a placeholder div with a min height, an explicit <code>aspect-ratio</code>. Anything that holds the slot.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="nc">.ad-slot</span> <span class="p">{</span> <span class="nl">min-height</span><span class="p">:</span> <span class="m">300px</span><span class="p">;</span> <span class="p">}</span> <span class="nc">.embed-yt</span> <span class="p">{</span> <span class="py">aspect-ratio</span><span class="p">:</span> <span class="m">16</span> <span class="p">/</span> <span class="m">9</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>If the dimensions are unknown, do not inject content above the user's viewport at all. Inject below.</p> <h2> Decision 5: The network is the bottleneck </h2> <p>A perfectly written app on a slow network is still slow. Two layers of fixes:</p> <h3> Compress everything </h3> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="c1"># nginx (or your CDN equivalent)</span> <span class="k">gzip</span> <span class="no">on</span><span class="p">;</span> <span class="c1"># compresses text by 70%+</span> <span class="k">brotli</span> <span class="no">on</span><span class="p">;</span> <span class="c1"># compresses 20-25% better than gzip</span> </code></pre> </div> <p>Most CDNs and platforms do this by default. Confirm in DevTools (Network tab, Headers, look for <code>content-encoding</code>). If you see <code>text/css</code> files at 100KB uncompressed, something is misconfigured.</p> <h3> Cache aggressively, invalidate precisely </h3> <p>Static assets (JS bundles, CSS, fonts, images) should be cached for a year, with a hash in the filename so a deploy busts the cache:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">Cache-Control: public, max-age=31536000, immutable </span></code></pre> </div> <p>HTML responses should be revalidated each time:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">Cache-Control: no-cache </span></code></pre> </div> <p>Most build tools (Vite, Next.js, Astro) handle hash naming automatically. Your CDN (Vercel, Netlify, Cloudflare) sets the headers.</p> <p>For dynamic content, use <strong>stale-while-revalidate</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">Cache-Control: public, max-age=60, stale-while-revalidate=600 </span></code></pre> </div> <p>Reads:</p> <blockquote> <p>Trust this for 60 seconds. After that, keep serving the stale copy for up to 10 minutes while you fetch a fresh one in the background.</p> </blockquote> <p>That single header is the secret to APIs that feel instant under load.</p> <h3> Use HTTP/2 or HTTP/3 </h3> <p>If your server still answers in HTTP/1.1, you are wasting connections. Modern hosting gives you HTTP/2 or HTTP/3 (QUIC) for free. Multiplexing means dozens of small requests share a single connection, so you can stop bundling 200 modules into a single mega bundle out of fear.</p> <h3> Preconnect and DNS prefetch </h3> <p>For domains you know the page will hit (analytics, fonts, CDN, API), tell the browser early:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;link</span> <span class="na">rel=</span><span class="s">"preconnect"</span> <span class="na">href=</span><span class="s">"https://api.example.com"</span> <span class="na">crossorigin</span> <span class="nt">/&gt;</span> <span class="nt">&lt;link</span> <span class="na">rel=</span><span class="s">"dns-prefetch"</span> <span class="na">href=</span><span class="s">"https://cdn.example.com"</span> <span class="nt">/&gt;</span> </code></pre> </div> <p>Saves 100 to 500 ms on the first request to that origin.</p> <h2> Decision 6: Make the rest of the page feel fast </h2> <p>A few moves that do not show up on Lighthouse but real users feel:</p> <ul> <li> <strong>Skeletons over spinners.</strong> A grey placeholder shaped like the content feels faster than a centered spinner. The page looks alive.</li> <li> <strong>Optimistic UI for mutations.</strong> When the user clicks "Like", increase the count immediately. Roll back if the request fails. (See <code>useOptimistic</code> in React 19.)</li> <li> <strong>Prefetch on hover or intent.</strong> Next.js's <code>&lt;Link&gt;</code> does this automatically. For other apps, use <code>fetchpriority="low"</code> on speculative requests, or a library like Quicklink.</li> <li> <strong>Defer below the fold.</strong> Anything not visible can wait. <code>&lt;img loading="lazy"&gt;</code>, <code>&lt;iframe loading="lazy"&gt;</code>, <code>IntersectionObserver</code> for components.</li> <li> <strong>Avoid <code>display: none</code> for things you will show in 50ms.</strong> Build them off screen, animate in. The user perceives the action faster.</li> </ul> <h2> Decision 7: A practical performance budget </h2> <p>A budget is a number you commit to and let your CI enforce. Without one, performance rots over time.</p> <p>A starting budget for most apps:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Asset</th> <th>Budget</th> </tr> </thead> <tbody> <tr> <td>Main bundle JS</td> <td>&lt; 100 KB gzipped on the entry route</td> </tr> <tr> <td>CSS</td> <td>&lt; 50 KB gzipped</td> </tr> <tr> <td>Images on first paint</td> <td>&lt; 200 KB total</td> </tr> <tr> <td>Fonts</td> <td>1 to 2 weights, woff2, &lt; 100 KB</td> </tr> <tr> <td>Total page weight</td> <td>&lt; 500 KB on first paint</td> </tr> <tr> <td>LCP</td> <td>&lt; 2.5 s on a slow 4G mid range phone</td> </tr> <tr> <td>INP</td> <td>&lt; 200 ms</td> </tr> <tr> <td>CLS</td> <td>&lt; 0.1</td> </tr> </tbody> </table></div> <p>Plug a tool like <code>lighthouse-ci</code>, <code>bundlesize</code>, or <code>size-limit</code> into CI. If a PR pushes the bundle past the budget, the build fails. The PR explains itself.</p> <h2> Decision 8: Devtools you should know </h2> <ul> <li> <strong>Lighthouse panel</strong> for one-off audits.</li> <li> <strong>Performance panel</strong> to record a real interaction and see where time goes. The flame graph is your best friend.</li> <li> <strong>Network panel</strong> with throttling. Set "Fast 3G", reload, watch what happens.</li> <li> <strong>Coverage panel</strong> to find unused JS and CSS.</li> <li> <strong>WebPageTest</strong> (<a href="https://www.webpagetest.org" rel="noopener noreferrer">webpagetest.org</a>) for a deeper, scriptable analysis. The waterfall view is iconic.</li> <li> <strong><code>bundle-analyzer</code></strong> plugins for Vite, Webpack, and Next.js. See what is in your bundle, by file, sorted by size.</li> <li> <strong><code>web-vitals</code> extension</strong> to see real metrics in the browser bar as you click around.</li> </ul> <h2> A peek under the hood </h2> <p>What really happens between the click and the pixels:</p> <ol> <li> <strong>DNS lookup</strong> for the domain.</li> <li> <strong>TCP / TLS handshake</strong> with the server.</li> <li> <strong>HTTP request</strong> for the HTML.</li> <li> <strong>HTML streams</strong> to the browser. The parser starts immediately.</li> <li> <strong>CSS in the head blocks rendering</strong> until it parses. This is why critical CSS matters.</li> <li> <strong><code>&lt;script&gt;</code> tags</strong> without <code>defer</code>/<code>async</code> block the parser. This is why script placement matters.</li> <li> <strong>Layout</strong> computes the size and position of every element.</li> <li> <strong>Paint</strong> fills in pixels.</li> <li> <strong>Composite</strong> stacks layers and shows the final frame.</li> <li> <strong>JavaScript hydrates</strong> any framework on the page, attaching event listeners.</li> </ol> <p>Two practical consequences:</p> <ul> <li> <strong>Anything that delays steps 4 to 8 hurts LCP.</strong> Fonts, images, render blocking CSS, server time.</li> <li> <strong>Anything that runs on the main thread after step 10 hurts INP.</strong> Heavy hydration, large JS bundles, third party scripts.</li> </ul> <p>That mental model is enough to debug almost any performance issue you will hit.</p> <h2> Tiny tips that will save you later </h2> <ul> <li> <strong>Test on a real low end phone.</strong> Your MacBook does not represent your users.</li> <li> <strong>Throttle to slow 4G in DevTools</strong> before believing your local times.</li> <li><strong>Set <code>width</code> and <code>height</code> on every image and iframe.</strong></li> <li> <strong>Use <code>loading="lazy"</code></strong> on images below the fold.</li> <li><strong>Self host fonts. Preload one. Use <code>font-display: swap</code>.</strong></li> <li><strong>Code split by route.</strong></li> <li> <strong>Remove dependencies you do not use.</strong> <code>npx depcheck</code> finds them.</li> <li> <strong>Audit third party scripts.</strong> Analytics, tag managers, chat widgets are often the slowest thing on a page.</li> <li> <strong>Run Lighthouse in CI.</strong> Performance regresses silently otherwise.</li> <li> <strong>Track INP in production.</strong> Most regressions live in JavaScript work, not in the network.</li> <li> <strong>Cache HTML for short windows with <code>stale-while-revalidate</code></strong> to absorb traffic spikes without losing freshness.</li> </ul> <h2> Wrapping up </h2> <p>So that is the whole story. We were tired of building beautiful sites that felt slow. We learned that the user only cares about three things: did the page show up, does it respond when I tap, is it staying still. Google bottled those into LCP, INP, and CLS. We measured with Lighthouse, CrUX, and <code>web-vitals</code>. We fixed LCP with preloading, modern image formats, server rendering, and font tactics. We fixed INP by yielding to the main thread, splitting bundles, cutting work, and moving heavy compute to workers. We fixed CLS with image dimensions, font metric overrides, and reserved space.</p> <p>We taught our network to compress, cache, preconnect, and prefetch. We set a budget, plugged it into CI, and stopped letting bundle size sneak upward.</p> <p>Once that map is in your head, web performance stops feeling like a dark art and starts feeling like a small set of repeatable habits. You ship fast pages on purpose, not by accident.</p> <p>Happy optimizing, and may your Vitals always be green.</p> learning webdev Mohamed Idris Sun, 17 May 2026 13:05:00 +0000 https://forem.com/edriso/learning-the-web-platform-apis-as-if-you-built-them-yourself-3o14 https://forem.com/edriso/learning-the-web-platform-apis-as-if-you-built-them-yourself-3o14 <p>If you have ever reached for a library to do something the browser already does, you have met the gap this post is about. Need a debounce? You wrote a <code>useEffect</code>. Need to detect when a card scrolls into view? You added a 300 line library. Need offline support? You shrugged and gave up.</p> <p>The browser has changed. Modern browsers ship a generous, capable platform. Most of the libraries we still install in 2026 were written when the platform was missing the feature. They are not missing anymore.</p> <p>A senior frontend engineer knows what the browser already gives them, and reaches for it before reaching for npm.</p> <p>That is the gap this post fills.</p> <h2> What is the web platform, really </h2> <p>Think of the browser as <strong>a small operating system that runs in a tab</strong>. It has storage, a network stack, threads, scheduling, sensors, sometimes even a file system and Bluetooth. Each capability has an API. Many of them are excellent. Many of them are five lines of code instead of a 12KB dependency.</p> <p>Two ideas drive the whole thing:</p> <ul> <li> <strong>The platform is doing more than you think.</strong> Capabilities ship every six weeks across all the major browsers.</li> <li> <strong>Promises and observers are the shape.</strong> Most modern APIs are either <code>await</code>able or "watch this thing and call me back".</li> </ul> <p>That is the whole vibe.</p> <h2> Let's pretend we are building one </h2> <p>We are not building the platform. We are doing a senior level tour of it. For the running example, we will sprinkle a tiny <strong>read later</strong> notes app with native APIs as we go. Save notes offline, fetch articles, observe the page, schedule work, broadcast across tabs.</p> <h2> API 1: <code>fetch</code> (and AbortController), the network everyone forgets has features </h2> <p>Every frontend engineer knows <code>fetch</code>. Half of them only use 20% of it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/notes</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/json</span><span class="dl">"</span><span class="p">,</span> <span class="na">Accept</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/json</span><span class="dl">"</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">title</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Read later</span><span class="dl">"</span> <span class="p">}),</span> <span class="na">credentials</span><span class="p">:</span> <span class="dl">"</span><span class="s2">include</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// send cookies on cross origin requests</span> <span class="na">cache</span><span class="p">:</span> <span class="dl">"</span><span class="s2">no-cache</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// override default</span> <span class="na">mode</span><span class="p">:</span> <span class="dl">"</span><span class="s2">cors</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// also "same-origin", "no-cors"</span> <span class="na">signal</span><span class="p">:</span> <span class="nx">ctrl</span><span class="p">.</span><span class="nx">signal</span><span class="p">,</span> <span class="c1">// AbortController</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">res</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`HTTP </span><span class="p">${</span><span class="nx">res</span><span class="p">.</span><span class="nx">status</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> </code></pre> </div> <p>The features senior engineers actually use:</p> <h3> <code>AbortController</code> for cancelling </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">ctrl</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">AbortController</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">timer</span> <span class="o">=</span> <span class="nf">setTimeout</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="nx">ctrl</span><span class="p">.</span><span class="nf">abort</span><span class="p">(),</span> <span class="mi">5000</span><span class="p">);</span> <span class="c1">// 5s timeout</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="nx">url</span><span class="p">,</span> <span class="p">{</span> <span class="na">signal</span><span class="p">:</span> <span class="nx">ctrl</span><span class="p">.</span><span class="nx">signal</span> <span class="p">});</span> <span class="p">}</span> <span class="k">finally</span> <span class="p">{</span> <span class="nf">clearTimeout</span><span class="p">(</span><span class="nx">timer</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>The same <code>AbortController</code> works with <code>addEventListener</code>, with most modern Promise APIs, and with React Query's queries. Make it your default mental model: any long lived async work should be cancellable.</p> <p>The shortcut for "fetch with timeout":<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nf">fetch</span><span class="p">(</span><span class="nx">url</span><span class="p">,</span> <span class="p">{</span> <span class="na">signal</span><span class="p">:</span> <span class="nx">AbortSignal</span><span class="p">.</span><span class="nf">timeout</span><span class="p">(</span><span class="mi">5000</span><span class="p">)</span> <span class="p">});</span> </code></pre> </div> <h3> Streaming responses </h3> <p>The body is a <code>ReadableStream</code>. You can consume it as it arrives, perfect for AI streaming or large downloads:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/stream</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">reader</span> <span class="o">=</span> <span class="nx">res</span><span class="p">.</span><span class="nx">body</span><span class="o">!</span><span class="p">.</span><span class="nf">pipeThrough</span><span class="p">(</span><span class="k">new</span> <span class="nc">TextDecoderStream</span><span class="p">()).</span><span class="nf">getReader</span><span class="p">();</span> <span class="k">while </span><span class="p">(</span><span class="kc">true</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">value</span><span class="p">,</span> <span class="nx">done</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">reader</span><span class="p">.</span><span class="nf">read</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="nx">done</span><span class="p">)</span> <span class="k">break</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">chunk:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">value</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> <code>Response</code> and <code>Request</code> are real classes </h3> <p>You can build them, store them, clone them. Service Workers rely on this. The same <code>Response</code> API you receive from <code>fetch</code> is the one you return from a Service Worker.</p> <h2> API 2: Storage, three flavors </h2> <p>The browser has three storage mechanisms. Pick on purpose.</p> <h3> <code>localStorage</code> and <code>sessionStorage</code> </h3> <p>Tiny key value store. Synchronous. Strings only. Good for: small UI state (theme, last opened tab), tiny preferences. Bad for: anything large, anything secret, anything that should sync.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">localStorage</span><span class="p">.</span><span class="nf">setItem</span><span class="p">(</span><span class="dl">"</span><span class="s2">theme</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">dark</span><span class="dl">"</span><span class="p">);</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">getItem</span><span class="p">(</span><span class="dl">"</span><span class="s2">theme</span><span class="dl">"</span><span class="p">);</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">removeItem</span><span class="p">(</span><span class="dl">"</span><span class="s2">theme</span><span class="dl">"</span><span class="p">);</span> </code></pre> </div> <p><code>sessionStorage</code> is the same, scoped to the tab. Cleared on close.</p> <p>A senior level rule: <strong>never store auth tokens in <code>localStorage</code></strong>. JavaScript can read it, which means every third party script can too.</p> <h3> Cookies </h3> <p>Sent automatically with every same origin request. The browser respects <code>HttpOnly</code>, <code>Secure</code>, <code>SameSite</code>. We covered them in the auth post. Use them for sessions and CSRF tokens.</p> <h3> IndexedDB, the actual database </h3> <p>A real client side database. Asynchronous. Stores anything structurable, including blobs. Indexed for fast queries. Quotas in the megabytes to gigabytes range.</p> <p>The native API is famously verbose. Use a tiny wrapper like <strong><code>idb-keyval</code></strong> for simple cases or <strong>Dexie.js</strong> for richer querying.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="kd">get</span><span class="p">,</span> <span class="kd">set</span><span class="p">,</span> <span class="nx">del</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">idb-keyval</span><span class="dl">"</span><span class="p">;</span> <span class="k">await</span> <span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">note:42</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">title</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Read later</span><span class="dl">"</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="dl">"</span><span class="s2">...</span><span class="dl">"</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">note</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">note:42</span><span class="dl">"</span><span class="p">);</span> <span class="k">await</span> <span class="nf">del</span><span class="p">(</span><span class="dl">"</span><span class="s2">note:42</span><span class="dl">"</span><span class="p">);</span> </code></pre> </div> <p>Use IndexedDB for: offline caches, drafts, full text search indexes, large user data, anything you need to survive a refresh and a flaky network. It is the storage that makes serious offline apps possible.</p> <p>In 2026 there is also an exciting trend: <strong>SQLite in the browser</strong>, via wasm libraries like <code>sql.js</code> and <code>wa-sqlite</code>, often backed by IndexedDB or the <strong>Origin Private File System (OPFS)</strong>. Real SQL queries on the client. Worth knowing about for offline first apps.</p> <h2> API 3: Service Workers, the engine of offline </h2> <p>A Service Worker is a script that runs in the background, separate from any page, and can intercept network requests for a whole origin. It is how websites become installable apps that work offline.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/main.ts</span> <span class="k">if </span><span class="p">(</span><span class="dl">"</span><span class="s2">serviceWorker</span><span class="dl">"</span> <span class="k">in</span> <span class="nb">navigator</span><span class="p">)</span> <span class="p">{</span> <span class="nb">navigator</span><span class="p">.</span><span class="nx">serviceWorker</span><span class="p">.</span><span class="nf">register</span><span class="p">(</span><span class="dl">"</span><span class="s2">/sw.js</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// public/sw.js</span> <span class="nb">self</span><span class="p">.</span><span class="nf">addEventListener</span><span class="p">(</span><span class="dl">"</span><span class="s2">install</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">e</span><span class="p">.</span><span class="nf">waitUntil</span><span class="p">(</span><span class="nx">caches</span><span class="p">.</span><span class="nf">open</span><span class="p">(</span><span class="dl">"</span><span class="s2">v1</span><span class="dl">"</span><span class="p">).</span><span class="nf">then</span><span class="p">((</span><span class="nx">c</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">c</span><span class="p">.</span><span class="nf">addAll</span><span class="p">([</span><span class="dl">"</span><span class="s2">/</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">/styles.css</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">/app.js</span><span class="dl">"</span><span class="p">])));</span> <span class="p">});</span> <span class="nb">self</span><span class="p">.</span><span class="nf">addEventListener</span><span class="p">(</span><span class="dl">"</span><span class="s2">fetch</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">e</span><span class="p">.</span><span class="nf">respondWith</span><span class="p">(</span> <span class="nx">caches</span><span class="p">.</span><span class="nf">match</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">request</span><span class="p">).</span><span class="nf">then</span><span class="p">((</span><span class="nx">cached</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">cached</span> <span class="o">||</span> <span class="nf">fetch</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">request</span><span class="p">))</span> <span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>What that gives you: the page loads from cache instantly, even offline.</p> <p>The senior level patterns:</p> <ul> <li> <strong>Cache first</strong> for static assets that change rarely.</li> <li> <strong>Network first, cache fallback</strong> for HTML.</li> <li> <strong>Stale while revalidate</strong> for API responses.</li> <li> <strong>Use a tool, do not hand roll.</strong> <strong>Workbox</strong> (Google) and <strong>Vite PWA Plugin</strong> scaffold a sane Service Worker in a few lines. They handle caching strategies, precaching, runtime caching, navigation fallback, and updates.</li> </ul> <p>The full PWA story (offline + installable + push notifications) is a real thing in 2026. Browsers across Mac, Windows, Linux, Android, and even iOS support it. For an app that runs daily, "Add to Home Screen" is real distribution.</p> <h2> API 4: Web Workers, threads for compute </h2> <p>JavaScript runs on a single thread. Long work blocks the page. A <strong>Web Worker</strong> runs a script on a separate thread, communicating by message passing.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// worker.ts</span> <span class="nb">self</span><span class="p">.</span><span class="nx">onmessage</span> <span class="o">=</span> <span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="nf">expensiveCompute</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">data</span><span class="p">);</span> <span class="nb">self</span><span class="p">.</span><span class="nf">postMessage</span><span class="p">(</span><span class="nx">result</span><span class="p">);</span> <span class="p">};</span> <span class="c1">// main.ts</span> <span class="kd">const</span> <span class="nx">worker</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Worker</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">"</span><span class="s2">./worker.ts</span><span class="dl">"</span><span class="p">,</span> <span class="k">import</span><span class="p">.</span><span class="nx">meta</span><span class="p">.</span><span class="nx">url</span><span class="p">),</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">module</span><span class="dl">"</span> <span class="p">});</span> <span class="nx">worker</span><span class="p">.</span><span class="nf">postMessage</span><span class="p">(</span><span class="nx">input</span><span class="p">);</span> <span class="nx">worker</span><span class="p">.</span><span class="nx">onmessage</span> <span class="o">=</span> <span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">setResult</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">data</span><span class="p">);</span> </code></pre> </div> <p>The friendlier modern API: <strong>Comlink</strong> turns the worker into a proxy you can <code>await</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// worker.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">expose</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">comlink</span><span class="dl">"</span><span class="p">;</span> <span class="nf">expose</span><span class="p">({</span> <span class="nf">parseMarkdown</span><span class="p">(</span><span class="na">md</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">slowParser</span><span class="p">(</span><span class="nx">md</span><span class="p">);</span> <span class="p">},</span> <span class="p">});</span> <span class="c1">// main.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">wrap</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">comlink</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">api</span> <span class="o">=</span> <span class="nx">wrap</span><span class="o">&lt;</span><span class="p">{</span> <span class="nf">parseMarkdown</span><span class="p">(</span><span class="na">md</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">string</span> <span class="p">}</span><span class="o">&gt;</span><span class="p">(</span> <span class="k">new</span> <span class="nc">Worker</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">"</span><span class="s2">./worker.ts</span><span class="dl">"</span><span class="p">,</span> <span class="k">import</span><span class="p">.</span><span class="nx">meta</span><span class="p">.</span><span class="nx">url</span><span class="p">),</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">module</span><span class="dl">"</span> <span class="p">})</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">html</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">api</span><span class="p">.</span><span class="nf">parseMarkdown</span><span class="p">(</span><span class="nx">text</span><span class="p">);</span> </code></pre> </div> <p>Use Web Workers for: heavy parsing (Markdown, syntax highlighting, JSON), image processing, data transforms, anything more than 50ms of compute. The page stays smooth, INP stays under 200ms.</p> <p>A close cousin: <strong><code>requestIdleCallback</code></strong> runs a function when the browser is idle. Great for non urgent work like analytics flushing.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nf">requestIdleCallback</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="nf">sendQueuedAnalytics</span><span class="p">(),</span> <span class="p">{</span> <span class="na">timeout</span><span class="p">:</span> <span class="mi">2000</span> <span class="p">});</span> </code></pre> </div> <h2> API 5: IntersectionObserver, "tell me when this is on screen" </h2> <p>Before this API, "is the element visible" was solved by listening to <code>scroll</code> and reading layout in a tight loop. It was awful.</p> <p>Now:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">obs</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">IntersectionObserver</span><span class="p">((</span><span class="nx">entries</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">entry</span> <span class="k">of</span> <span class="nx">entries</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">entry</span><span class="p">.</span><span class="nx">isIntersecting</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">visible:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">entry</span><span class="p">.</span><span class="nx">target</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="na">rootMargin</span><span class="p">:</span> <span class="dl">"</span><span class="s2">200px</span><span class="dl">"</span> <span class="p">});</span> <span class="nb">document</span><span class="p">.</span><span class="nf">querySelectorAll</span><span class="p">(</span><span class="dl">"</span><span class="s2">.lazy</span><span class="dl">"</span><span class="p">).</span><span class="nf">forEach</span><span class="p">((</span><span class="nx">el</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">obs</span><span class="p">.</span><span class="nf">observe</span><span class="p">(</span><span class="nx">el</span><span class="p">));</span> </code></pre> </div> <p>Uses for senior frontends:</p> <ul> <li> <strong>Lazy load images and components</strong> before they are needed.</li> <li> <strong>Infinite scroll</strong>: observe a sentinel at the bottom of the list.</li> <li> <strong>Trigger animations</strong> when an element scrolls into view.</li> <li> <strong>Track impressions</strong> for analytics.</li> </ul> <p><code>rootMargin</code> lets you start the work early, so the user never sees the loading state.</p> <p>A close cousin: <strong><code>ResizeObserver</code></strong> fires when an element changes size. Great for charts, tables, and components that need to re-render on layout changes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">new</span> <span class="nc">ResizeObserver</span><span class="p">(([</span><span class="nx">entry</span><span class="p">])</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">drawChart</span><span class="p">(</span><span class="nx">entry</span><span class="p">.</span><span class="nx">contentRect</span><span class="p">.</span><span class="nx">width</span><span class="p">,</span> <span class="nx">entry</span><span class="p">.</span><span class="nx">contentRect</span><span class="p">.</span><span class="nx">height</span><span class="p">);</span> <span class="p">}).</span><span class="nf">observe</span><span class="p">(</span><span class="nx">chartEl</span><span class="p">);</span> </code></pre> </div> <p>And <strong><code>MutationObserver</code></strong> for "tell me when the DOM changed". Niche but lifesaving for browser extensions and integrations with markup you do not control.</p> <h2> API 6: BroadcastChannel, talking across tabs </h2> <p>If a user has your app open in three tabs and logs out in one, the others should know. <strong><code>BroadcastChannel</code></strong> posts messages across same origin tabs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">ch</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">BroadcastChannel</span><span class="p">(</span><span class="dl">"</span><span class="s2">auth</span><span class="dl">"</span><span class="p">);</span> <span class="nx">ch</span><span class="p">.</span><span class="nf">postMessage</span><span class="p">({</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">logout</span><span class="dl">"</span> <span class="p">});</span> <span class="nx">ch</span><span class="p">.</span><span class="nx">onmessage</span> <span class="o">=</span> <span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="kd">type</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">logout</span><span class="dl">"</span><span class="p">)</span> <span class="nf">goToLogin</span><span class="p">();</span> <span class="p">};</span> </code></pre> </div> <p>Five lines, no library. Use it for: logout sync, cache invalidation across tabs, "this item just changed" notifications.</p> <p>For more general cross window coordination, the <strong>Web Locks API</strong> ensures only one tab does a piece of work at a time:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">await</span> <span class="nb">navigator</span><span class="p">.</span><span class="nx">locks</span><span class="p">.</span><span class="nf">request</span><span class="p">(</span><span class="dl">"</span><span class="s2">sync-notes</span><span class="dl">"</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">syncNotesWithServer</span><span class="p">();</span> <span class="p">});</span> </code></pre> </div> <p>Other tabs that try to acquire the lock will queue. Brilliant for "only one tab should be syncing".</p> <h2> API 7: Clipboard, Share, File access, the human integration layer </h2> <p>These are the APIs that make a web app feel native.</p> <h3> Clipboard </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">await</span> <span class="nb">navigator</span><span class="p">.</span><span class="nx">clipboard</span><span class="p">.</span><span class="nf">writeText</span><span class="p">(</span><span class="dl">"</span><span class="s2">hello</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">text</span> <span class="o">=</span> <span class="k">await</span> <span class="nb">navigator</span><span class="p">.</span><span class="nx">clipboard</span><span class="p">.</span><span class="nf">readText</span><span class="p">();</span> </code></pre> </div> <p>Modern, async, permission gated. The old <code>document.execCommand("copy")</code> is deprecated. For images and other rich data, use <code>navigator.clipboard.write</code> with <code>ClipboardItem</code>.</p> <h3> Web Share API </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">if </span><span class="p">(</span><span class="nb">navigator</span><span class="p">.</span><span class="nx">share</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nb">navigator</span><span class="p">.</span><span class="nf">share</span><span class="p">({</span> <span class="na">title</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Mochi's Blog</span><span class="dl">"</span><span class="p">,</span> <span class="na">text</span><span class="p">:</span> <span class="dl">"</span><span class="s2">A great post</span><span class="dl">"</span><span class="p">,</span> <span class="na">url</span><span class="p">:</span> <span class="dl">"</span><span class="s2">https://example.com/post</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>On mobile, this opens the system share sheet. On desktop, it falls back gracefully. One line replaces a custom share modal.</p> <h3> File System Access </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">handle</span> <span class="o">=</span> <span class="k">await</span> <span class="nb">window</span><span class="p">.</span><span class="nf">showSaveFilePicker</span><span class="p">({</span> <span class="na">suggestedName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">notes.json</span><span class="dl">"</span><span class="p">,</span> <span class="na">types</span><span class="p">:</span> <span class="p">[{</span> <span class="na">description</span><span class="p">:</span> <span class="dl">"</span><span class="s2">JSON</span><span class="dl">"</span><span class="p">,</span> <span class="na">accept</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">application/json</span><span class="dl">"</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">.json</span><span class="dl">"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}],</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">writable</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">handle</span><span class="p">.</span><span class="nf">createWritable</span><span class="p">();</span> <span class="k">await</span> <span class="nx">writable</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">data</span><span class="p">));</span> <span class="k">await</span> <span class="nx">writable</span><span class="p">.</span><span class="nf">close</span><span class="p">();</span> </code></pre> </div> <p>Real "save as" dialog, real file. Limited to Chromium browsers in 2026 but excellent for productivity apps.</p> <p>The simpler alternative for downloads is the venerable <code>&lt;a download&gt;</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">url</span> <span class="o">=</span> <span class="nx">URL</span><span class="p">.</span><span class="nf">createObjectURL</span><span class="p">(</span><span class="k">new</span> <span class="nc">Blob</span><span class="p">([</span><span class="nx">data</span><span class="p">],</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/json</span><span class="dl">"</span> <span class="p">}));</span> <span class="kd">const</span> <span class="nx">a</span> <span class="o">=</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">assign</span><span class="p">(</span><span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">"</span><span class="s2">a</span><span class="dl">"</span><span class="p">),</span> <span class="p">{</span> <span class="na">href</span><span class="p">:</span> <span class="nx">url</span><span class="p">,</span> <span class="na">download</span><span class="p">:</span> <span class="dl">"</span><span class="s2">notes.json</span><span class="dl">"</span> <span class="p">});</span> <span class="nx">a</span><span class="p">.</span><span class="nf">click</span><span class="p">();</span> <span class="nx">URL</span><span class="p">.</span><span class="nf">revokeObjectURL</span><span class="p">(</span><span class="nx">url</span><span class="p">);</span> </code></pre> </div> <h2> API 8: View Transitions, navigation feels smooth </h2> <p>A genuinely magical API. Animate between any two DOM states with one line.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nb">document</span><span class="p">.</span><span class="nf">startViewTransition</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// any DOM mutation here</span> <span class="nf">setTheme</span><span class="p">(</span><span class="dl">"</span><span class="s2">dark</span><span class="dl">"</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>The browser captures a snapshot before, applies your changes, captures after, and animates between them. With CSS <code>view-transition-name</code> on shared elements, you get FLIP-style transitions for free.</p> <p>In 2026, the cross document version (<code>@view-transition</code>) lets multi page apps animate between full page navigations as smoothly as SPAs. This is one of the reasons SPAs are no longer the only path to good UX.</p> <h2> API 9: Scheduler, Idle Detection, and modern timing </h2> <p>The scheduler family of APIs, increasingly supported, gives you fine grained control over priority:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// new in 2024+ browsers</span> <span class="k">await</span> <span class="nx">scheduler</span><span class="p">.</span><span class="k">yield</span><span class="p">();</span> <span class="c1">// give the browser a frame</span> <span class="nx">scheduler</span><span class="p">.</span><span class="nf">postTask</span><span class="p">(</span><span class="nx">work</span><span class="p">,</span> <span class="p">{</span> <span class="na">priority</span><span class="p">:</span> <span class="dl">"</span><span class="s2">background</span><span class="dl">"</span> <span class="p">});</span> </code></pre> </div> <p>If <code>scheduler.yield()</code> is not available, the polyfill is a <code>setTimeout(0)</code> plus a microtask check.</p> <p>The classic timing tools still matter:</p> <ul> <li> <strong><code>requestAnimationFrame</code></strong> for any visual update tied to the next frame. Always use it for animations driven by JS.</li> <li> <strong><code>performance.now()</code></strong> for high resolution timing.</li> <li> <strong><code>PerformanceObserver</code></strong> to subscribe to LCP, INP, CLS, long tasks, navigation timing, resource timing. This is what <code>web-vitals</code> is built on. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">new</span> <span class="nc">PerformanceObserver</span><span class="p">((</span><span class="nx">list</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">entry</span> <span class="k">of</span> <span class="nx">list</span><span class="p">.</span><span class="nf">getEntries</span><span class="p">())</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">entry</span><span class="p">);</span> <span class="p">}).</span><span class="nf">observe</span><span class="p">({</span> <span class="na">entryTypes</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">longtask</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">layout-shift</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">largest-contentful-paint</span><span class="dl">"</span><span class="p">]</span> <span class="p">});</span> </code></pre> </div> <p>Drop into devtools when you want to see what is actually slow.</p> <h2> API 10: Notifications, Push, Background Sync </h2> <p>For "this app feels real" features:</p> <ul> <li> <strong>Notifications</strong>: <code>new Notification("Hi")</code> with permission. Used as the visual layer for Push.</li> <li> <strong>Push</strong>: a Service Worker can receive pushes from your server even when the page is closed. Requires the user to grant permission and your server to send via the Web Push protocol.</li> <li> <strong>Background Sync</strong>: the browser will retry a queued task when the user comes back online. Perfect for "send this comment whenever there is connectivity".</li> </ul> <p>These are senior level features. Only enable them where they pay off. Most users have notification fatigue, so ask politely or not at all.</p> <h2> API 11: The "knows about the user" APIs (use sparingly) </h2> <p>The platform has a long tail of "tell me about the device" APIs. Senior engineers know they exist and use them with care.</p> <ul> <li> <strong><code>matchMedia("(prefers-color-scheme: dark)").matches</code></strong> for theme detection.</li> <li> <strong><code>matchMedia("(prefers-reduced-motion: reduce)").matches</code></strong> to respect motion preferences.</li> <li> <strong><code>navigator.connection</code></strong> (Network Information API) for adaptive loading. Slow 3G? Send fewer images.</li> <li> <strong><code>document.visibilityState</code></strong> to pause work when the tab is hidden.</li> <li> <strong><code>navigator.locks</code></strong> (already mentioned).</li> <li> <strong><code>Battery</code>, <code>Bluetooth</code>, <code>USB</code>, <code>Serial</code>, <code>Geolocation</code></strong>: each is a permissioned API, useful for very specific apps.</li> </ul> <p>The principle: <strong>respect the user, ask before you peek</strong>. Permission prompts kill conversion if used carelessly.</p> <h2> API 12: Modern selection, drag, paste, undo </h2> <p>A handful of small APIs that delete entire libraries:</p> <ul> <li> <strong><code>getSelection()</code></strong> for the current text selection.</li> <li> <strong><code>document.execCommand</code> is deprecated</strong>. For rich text, use <code>contenteditable</code> plus a library like <strong>TipTap</strong> or <strong>Lexical</strong>.</li> <li> <strong><code>InputEvent</code></strong> with <code>inputType</code> ("insertText", "deleteContentBackward", etc.) for fine grained input handling.</li> <li> <strong><code>HTMLDialogElement.showModal()</code></strong> for native modals (we covered this in the HTML post).</li> <li> <strong><code>&lt;details&gt;</code> and <code>&lt;summary&gt;</code></strong> for native disclosures, no JS needed.</li> <li> <strong><code>&lt;input type="search"&gt;</code>, <code>type="date"</code>, <code>type="time"</code>, <code>type="color"</code></strong> for native pickers on mobile.</li> </ul> <p>A surprising amount of "I need a library for this" turns into "the browser already does it" once you check first.</p> <h2> API 13: WebRTC, WebSockets, SSE, beyond request/response </h2> <p>Three transports for real time:</p> <ul> <li> <strong>WebSockets</strong> for bidirectional persistent connections. We mentioned this in the HTTP post.</li> <li> <strong>Server-Sent Events</strong> (<code>EventSource</code>) for one way streaming from server to client. Simpler than WebSockets, plays nicely with HTTP infrastructure.</li> <li> <strong>WebRTC</strong> for peer to peer audio, video, and data. The transport behind every browser based video call.</li> </ul> <p>Most apps need SSE for live updates and never touch the others. Reach for them when you have a specific need (real time collaboration, video, gaming).</p> <h2> A peek under the hood </h2> <p>What really happens when you call a platform API:</p> <ol> <li>JavaScript calls into the browser's C++ implementation.</li> <li>The browser does the work (often on another thread or in another process).</li> <li>The result comes back as a Promise resolution, an event, or a callback.</li> <li>Your code runs in the JS event loop.</li> </ol> <p>Two consequences for senior engineers:</p> <ul> <li> <strong>Native APIs are usually faster than userland equivalents</strong> because the heavy lifting happens off the main thread.</li> <li> <strong>Browser support varies.</strong> Use <a href="https://caniuse.com" rel="noopener noreferrer">caniuse.com</a> before committing. For features you must have everywhere, polyfills exist. For features that gracefully degrade, feature detect with <code>if ("foo" in window)</code> and ship the better experience to capable browsers.</li> </ul> <h2> Tiny tips that will save you later </h2> <ul> <li> <strong>Read MDN.</strong> It is the single best web platform documentation, and it is free.</li> <li> <strong>Use <code>caniuse.com</code></strong> before adopting any platform API. Browser share matters.</li> <li> <strong>Feature detect, do not user agent sniff.</strong> <code>if ("share" in navigator)</code> is the right check.</li> <li> <strong>Cancel everything.</strong> <code>AbortController</code> works with <code>fetch</code>, with <code>addEventListener</code>, with most modern APIs.</li> <li><strong>Use <code>IntersectionObserver</code> instead of scroll listeners.</strong></li> <li> <strong>Use <code>ResizeObserver</code> instead of window resize listeners</strong> when you only care about an element.</li> <li><strong>Use <code>BroadcastChannel</code> for cross tab communication.</strong></li> <li> <strong>Use <code>idb-keyval</code> or Dexie for IndexedDB</strong> unless you really enjoy callbacks.</li> <li> <strong>Use Workbox or Vite PWA</strong> for Service Workers.</li> <li> <strong>Use <code>view-transition</code> for navigation animations.</strong> Free polish.</li> <li> <strong>Respect <code>prefers-reduced-motion</code> and <code>prefers-color-scheme</code>.</strong> They are one query away.</li> <li> <strong>Keep platform APIs small.</strong> Wrap each in a tiny module so the call sites do not get noisy.</li> </ul> <h2> Wrapping up </h2> <p>So that is the whole story. The web platform stopped being a dumb document viewer years ago. Modern browsers ship a small operating system: a network stack with cancellation and streaming, three storage tiers, real threads, real schedulers, observers for everything that used to need a polling loop, broadcast channels for cross tab life, file system access, share sheets, push notifications, and beautiful view transitions.</p> <p>A senior frontend engineer treats these as the first toolkit, not the last resort. The libraries on npm exist because the platform was missing the feature. Many features have shipped. Many libraries can come out of your <code>package.json</code> if you check what the browser already does.</p> <p>Once that map is in your head, you write less code, ship smaller bundles, and build apps that feel like the device they run on.</p> <p>Happy platforming, and may your dependency list stay short.</p> learning beginners webdev Mohamed Idris Sat, 16 May 2026 16:04:34 +0000 https://forem.com/edriso/how-to-actually-log-out-a-user-when-you-use-jwt-2n6a https://forem.com/edriso/how-to-actually-log-out-a-user-when-you-use-jwt-2n6a <p>JWT is stateless and fast, but logout is tricky. Here is the full story with simple analogies, the jti blacklist trick, password change invalidation, refresh token rotation, and Node.js code.</p> <h2> The problem in one sentence </h2> <p>You log a user out, but their token still works until it expires. That is scary for any app that touches sensitive data.</p> <p>This post walks through why that happens and how to fix it properly. I will keep it simple and use real life analogies so it sticks in your head.</p> <blockquote> <p>This post was inspired by a great post from Mohamed Kamal in the Node.js Egypt group. He shared a solid pattern. I am going to explain the same idea slowly, then add the parts that make it production grade.</p> </blockquote> <h2> First, a mental model: the festival wristband </h2> <p>Imagine you go to a music festival. At the entrance they give you a wristband.</p> <ul> <li>The wristband has your info printed on it: your name, your ticket type (VIP or normal), and the date it stops working.</li> <li>The guard at every stage just <strong>looks</strong> at your wristband. He does not call the main office to ask "is this person still allowed in?"</li> <li>That makes entry super fast. One guard can check thousands of people.</li> </ul> <p>This wristband is a <strong>JWT</strong> (JSON Web Token).</p> <p>The fact that the guard does not call the office is what we call <strong>stateless</strong>. The server does not keep a list of who is logged in. All the info is inside the token itself, and the signature proves it is real and was not edited.</p> <p>This is great for speed and scaling. You can add 10 more servers and none of them need a shared "who is logged in" list. Any server can read the wristband and trust it.</p> <h2> So where is the problem? </h2> <p>You leave the festival early. You go home.</p> <p>Your wristband is still on your wrist. It still says VIP. It still works until the festival ends.</p> <p>If someone cuts it off your wrist (or you gave it to a friend), they can walk back in. The guard has no idea you "left". He only checks the wristband, and the wristband is still valid.</p> <p>That is the JWT logout problem.</p> <p>When a user clicks <strong>Logout</strong>, you usually just delete the token from the browser. But if a copy of that token was stolen earlier, it keeps working until the expiry time. The server never said "this token is dead now".</p> <p>For a blog, who cares. For a banking app, a health app, or anything with private data, this is a real risk.</p> <h2> The naive fixes (and why they are not enough) </h2> <p><strong>"Just make the token expire fast."</strong><br> Good instinct, but if it expires every 5 minutes, the user has to log in again every 5 minutes. Annoying.</p> <p><strong>"Store every active token in the database and check it on every request."</strong><br> This works, but now you call the database on every single request to ask "is this token still alive?". You just threw away the main benefit of JWT, which was being stateless and fast. At that point a normal session in the database is simpler.</p> <p>So we need a middle path. We want most requests to stay fast and stateless, but we still want the power to kill a token when we need to.</p> <h2> The real solution, step by step </h2> <p>The pattern has a few moving parts. Let us build them one at a time.</p> <h3> Part 1: Two tokens, not one (access token + refresh token) </h3> <p>Stop using one long living token. Use two.</p> <p><strong>Access token</strong></p> <ul> <li>Short life. Think 5 to 15 minutes.</li> <li>This is the festival wristband. The server trusts it without checking a database.</li> <li>Used on every normal request (get profile, load dashboard, etc).</li> </ul> <p><strong>Refresh token</strong></p> <ul> <li>Long life. Think 7 to 30 days.</li> <li>This is like your <strong>ID card kept at the front desk</strong>.</li> <li>It has only one job: when your wristband expires, you show the ID card and get a fresh wristband.</li> </ul> <p>Analogy: the wristband gets you into stages quickly. When it stops working after 15 minutes, you walk to the front desk, show your ID card, and they print you a new wristband. You do not need to buy a new ticket.</p> <p>Why this matters for logout: because the access token only lives 15 minutes, even if logout is not perfect, a stolen access token dies on its own very soon. The damage window is tiny. The real control point becomes the refresh step.</p> <h3> Part 2: Give every token an ID (the <code>jti</code>) </h3> <p><code>jti</code> means <strong>JWT ID</strong>. It is just a unique id you put inside the token when you create it. Usually a UUID.</p> <p>Think of it as a <strong>serial number</strong> on the wristband.</p> <p>Why do we need a serial number? Because if we ever want to ban one specific wristband, we need a way to point at it and say "that one, number 8f3a..., is banned".<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="p">{</span> <span class="na">v4</span><span class="p">:</span> <span class="nx">uuidv4</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">uuid</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">jwt</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">jsonwebtoken</span><span class="dl">"</span><span class="p">);</span> <span class="kd">function</span> <span class="nf">createAccessToken</span><span class="p">(</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span> <span class="p">{</span> <span class="na">sub</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">role</span><span class="p">,</span> <span class="na">jti</span><span class="p">:</span> <span class="nf">uuidv4</span><span class="p">(),</span> <span class="c1">// the serial number</span> <span class="p">},</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">ACCESS_SECRET</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">"</span><span class="s2">15m</span><span class="dl">"</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> Part 3: The blacklist (also called a denylist) </h3> <p>When the user logs out, we take the token serial number (<code>jti</code>) and put it on a <strong>banned list</strong>.</p> <p>This is exactly like the festival having a small "banned wristbands" sheet at the front desk. The guards at the stages still do not check it (they stay fast). But the front desk <strong>does</strong> check it before giving out a new wristband.</p> <p>So:</p> <ul> <li> <strong>Logout</strong> puts the <code>jti</code> on the banned list.</li> <li>The <strong>refresh step</strong> (front desk) checks the banned list before giving a new access token.</li> <li>If the <code>jti</code> is banned, refresh is refused. No new wristbands for you. And since the old access token dies in a few minutes anyway, the user is fully out very soon.</li> </ul> <p>This is the key trick. We did <strong>not</strong> check the blacklist on every request. We only check it at the refresh step. So normal requests stay fast and stateless, and we still get real logout.</p> <blockquote> <p>Note: in the original post the blacklist was checked at refresh time. That is the smart, cheap choice <strong>as long as your access token is short lived</strong>. If your access token lives for hours, that small window becomes a big risk. Keep access tokens short.</p> </blockquote> <h3> Part 4: Auto cleanup with a TTL index </h3> <p>A banned list that grows forever is a problem. We do not need to remember a banned token after it would have expired anyway. A dead token cannot be used, banned or not.</p> <p>MongoDB has a feature called a <strong>TTL index</strong> (Time To Live). You tell Mongo "delete this document automatically after this date". Mongo does the cleanup for you.</p> <p>Analogy: the front desk shreds old banned wristband notes at the end of each night. No one keeps paper forever.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">mongoose</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">mongoose</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">blacklistSchema</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">mongoose</span><span class="p">.</span><span class="nc">Schema</span><span class="p">({</span> <span class="na">jti</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="na">required</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">index</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="c1">// when the original token would have expired anyway</span> <span class="na">expiresAt</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nb">Date</span><span class="p">,</span> <span class="na">required</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="p">});</span> <span class="c1">// TTL index: Mongo deletes the row when expiresAt is reached</span> <span class="nx">blacklistSchema</span><span class="p">.</span><span class="nf">index</span><span class="p">({</span> <span class="na">expiresAt</span><span class="p">:</span> <span class="mi">1</span> <span class="p">},</span> <span class="p">{</span> <span class="na">expireAfterSeconds</span><span class="p">:</span> <span class="mi">0</span> <span class="p">});</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="nx">mongoose</span><span class="p">.</span><span class="nf">model</span><span class="p">(</span><span class="dl">"</span><span class="s2">BlacklistedToken</span><span class="dl">"</span><span class="p">,</span> <span class="nx">blacklistSchema</span><span class="p">);</span> </code></pre> </div> <h3> Part 5: Kill all old tokens when the password changes </h3> <p>Here is a nasty case. A hacker stole a user token. The user feels something is wrong and changes the password. With plain JWT, the hacker token still works, because the token does not care about the password.</p> <p>The fix is a timestamp on the user. Call it <code>credentialsChangedAt</code> (the original post called it <code>changeCredentials</code>).</p> <p>The rule is simple:</p> <blockquote> <p>If the token was created <strong>before</strong> the user last changed their password, the token is dead.</p> </blockquote> <p>Analogy: the festival announces "we changed the wristband color to green at 2pm. Any blue wristband is now invalid." You do not need to hunt down every blue wristband one by one. One announcement kills them all at once.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// inside your auth middleware, after verifying the token signature</span> <span class="k">if </span><span class="p">(</span> <span class="nx">user</span><span class="p">.</span><span class="nx">credentialsChangedAt</span> <span class="o">&amp;&amp;</span> <span class="nx">decoded</span><span class="p">.</span><span class="nx">iat</span> <span class="o">*</span> <span class="mi">1000</span> <span class="o">&lt;</span> <span class="nx">user</span><span class="p">.</span><span class="nx">credentialsChangedAt</span><span class="p">.</span><span class="nf">getTime</span><span class="p">()</span> <span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Token no longer valid, please log in again</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p><code>iat</code> is "issued at", a standard field JWT puts in automatically that says when the token was created.</p> <p>This one timestamp gives you a powerful "log out everywhere" button for free. Change password, all old sessions die.</p> <h2> Level up: refresh token rotation and theft detection </h2> <p>This part was not in the original post, but it is the modern best practice and it is worth knowing.</p> <p>Right now our refresh token (the ID card) lives for many days. If someone steals it, they can keep getting fresh wristbands for days. Not good.</p> <p><strong>Refresh token rotation</strong> means: every time you use the refresh token to get a new access token, you also get a <strong>brand new refresh token</strong>, and the old one is thrown away. One time use only.</p> <p>Analogy: every time you use your ID card at the front desk, they shred it and hand you a new ID card. The old card number is now dead.</p> <p>Now the clever part, <strong>reuse detection</strong> (theft detection):</p> <p>If an old, already used refresh token shows up again, that is a huge red flag. It means two people have the card: the real user and a thief. A normal user never reuses an old card, because they always have the newest one.</p> <p>So when the server sees a used refresh token come back, it assumes theft and <strong>kills the entire token family</strong> for that login. Both the real user and the thief are logged out. The user logs in again, the thief is locked out.</p> <p>Analogy: if security sees a shredded ID card number being used at the door, they lock the whole account and call you to confirm it is really you. Annoying for a second, much safer overall.</p> <p>Quick lifetime guide that the big providers recommend:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Token</th> <th>Lifetime</th> <th>Why</th> </tr> </thead> <tbody> <tr> <td>Access token</td> <td>5 to 15 minutes</td> <td>Small damage window if stolen</td> </tr> <tr> <td>Refresh token (sensitive apps)</td> <td>7 to 30 days</td> <td>Balance of safety and not annoying the user</td> </tr> <tr> <td>Refresh token (single page web app)</td> <td>up to 24 hours</td> <td>Browsers are more exposed, keep it short</td> </tr> </tbody> </table></div> <h2> Where do you store these tokens in the browser? </h2> <p>This part trips up almost every junior, so read slowly.</p> <p><strong>localStorage</strong>: easy to use, but <strong>any</strong> JavaScript on your page can read it. If an attacker sneaks in a script (an XSS attack), they read your token instantly. OWASP openly says do not keep session tokens in localStorage.</p> <p><strong>httpOnly cookie</strong>: JavaScript <strong>cannot</strong> read this cookie at all. Even if an attacker runs a script on your page, they cannot read the token out of it. The trade off is you must protect against CSRF (use the <code>SameSite</code> cookie setting and CSRF tokens).</p> <p>The recommended hybrid setup today:</p> <ul> <li> <strong>Access token</strong>: keep it in memory only (a variable in your app state). It is short lived, so losing it on refresh of the page is fine, you just silently get a new one.</li> <li> <strong>Refresh token</strong>: store it in a <strong>secure, httpOnly cookie</strong>. Scripts cannot touch it, and it is the long lived secret you most want to protect.</li> </ul> <p>Analogy: you keep the cheap day pass (access token) in your pocket where it is easy to grab. You keep your passport (refresh token) in the hotel safe where no random person can reach it.</p> <h2> Putting the whole flow together </h2> <p><strong>Login</strong></p> <ol> <li>Check email and password.</li> <li>Create an access token (15 min) with a unique <code>jti</code>.</li> <li>Create a refresh token (store it server side or as a signed token with its own <code>jti</code>).</li> <li>Send the access token to be kept in memory, and the refresh token in an httpOnly cookie.</li> </ol> <p><strong>Normal request (load dashboard, etc)</strong></p> <ol> <li>Verify the access token signature. Fast. No database.</li> <li>Check the <code>credentialsChangedAt</code> rule.</li> <li>Done. This is the stateless fast path.</li> </ol> <p><strong>Access token expired</strong></p> <ol> <li>Browser calls the refresh endpoint. The httpOnly cookie is sent automatically.</li> <li>Server checks: is this refresh <code>jti</code> on the blacklist? Was it already used (reuse detection)?</li> <li>If all good, issue a new access token and a new refresh token, retire the old refresh token.</li> </ol> <p><strong>Logout</strong></p> <ol> <li>Add the refresh token <code>jti</code> (and optionally the current access token <code>jti</code>) to the blacklist with an <code>expiresAt</code>.</li> <li>Clear the cookie.</li> <li>The access token dies on its own in a few minutes. The refresh token is already banned. User is fully out.</li> </ol> <p><strong>Password change</strong></p> <ol> <li>Update <code>credentialsChangedAt = now</code>.</li> <li>Every token created before that instant is dead everywhere, automatically.</li> </ol> <p>Here is a compact logout and refresh example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// LOGOUT</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">"</span><span class="s2">/logout</span><span class="dl">"</span><span class="p">,</span> <span class="nx">auth</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">jti</span><span class="p">,</span> <span class="nx">exp</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">;</span> <span class="c1">// from the verified token</span> <span class="k">await</span> <span class="nx">BlacklistedToken</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="nx">jti</span><span class="p">,</span> <span class="na">expiresAt</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nx">exp</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">),</span> <span class="c1">// matches token expiry, TTL cleans it later</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">clearCookie</span><span class="p">(</span><span class="dl">"</span><span class="s2">refreshToken</span><span class="dl">"</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Logged out</span><span class="dl">"</span> <span class="p">});</span> <span class="p">});</span> <span class="c1">// REFRESH</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">"</span><span class="s2">/refresh</span><span class="dl">"</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nx">refreshToken</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">token</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">No refresh token</span><span class="dl">"</span> <span class="p">});</span> <span class="kd">let</span> <span class="nx">decoded</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="nx">decoded</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">REFRESH_SECRET</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Invalid refresh token</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// is this refresh token banned (logged out or reused)?</span> <span class="kd">const</span> <span class="nx">banned</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">BlacklistedToken</span><span class="p">.</span><span class="nf">findOne</span><span class="p">({</span> <span class="na">jti</span><span class="p">:</span> <span class="nx">decoded</span><span class="p">.</span><span class="nx">jti</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">banned</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Token revoked</span><span class="dl">"</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">findById</span><span class="p">(</span><span class="nx">decoded</span><span class="p">.</span><span class="nx">sub</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">User not found</span><span class="dl">"</span> <span class="p">});</span> <span class="c1">// password changed after this token was made? kill it</span> <span class="k">if </span><span class="p">(</span> <span class="nx">user</span><span class="p">.</span><span class="nx">credentialsChangedAt</span> <span class="o">&amp;&amp;</span> <span class="nx">decoded</span><span class="p">.</span><span class="nx">iat</span> <span class="o">*</span> <span class="mi">1000</span> <span class="o">&lt;</span> <span class="nx">user</span><span class="p">.</span><span class="nx">credentialsChangedAt</span><span class="p">.</span><span class="nf">getTime</span><span class="p">()</span> <span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Please log in again</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// rotation: ban the old refresh token, issue fresh ones</span> <span class="k">await</span> <span class="nx">BlacklistedToken</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">jti</span><span class="p">:</span> <span class="nx">decoded</span><span class="p">.</span><span class="nx">jti</span><span class="p">,</span> <span class="na">expiresAt</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nx">decoded</span><span class="p">.</span><span class="nx">exp</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">),</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">newAccess</span> <span class="o">=</span> <span class="nf">createAccessToken</span><span class="p">(</span><span class="nx">user</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">newRefresh</span> <span class="o">=</span> <span class="nf">createRefreshToken</span><span class="p">(</span><span class="nx">user</span><span class="p">);</span> <span class="c1">// new jti inside</span> <span class="nx">res</span><span class="p">.</span><span class="nf">cookie</span><span class="p">(</span><span class="dl">"</span><span class="s2">refreshToken</span><span class="dl">"</span><span class="p">,</span> <span class="nx">newRefresh</span><span class="p">,</span> <span class="p">{</span> <span class="na">httpOnly</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">secure</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">sameSite</span><span class="p">:</span> <span class="dl">"</span><span class="s2">strict</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">accessToken</span><span class="p">:</span> <span class="nx">newAccess</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <h2> A note on MongoDB vs Redis for the blacklist </h2> <p>The original post used MongoDB with a TTL index, and that is perfectly fine and clean. Many teams use <strong>Redis</strong> instead because it is an in memory store built for exactly this kind of fast key lookup, and it also supports automatic expiry. If your blacklist gets very hot (checked a lot), Redis is the common choice. If you are early or your traffic is normal, MongoDB with a TTL index is a solid, simple start. Do not over engineer too early.</p> <h2> Common mistakes juniors make </h2> <ul> <li>Using one long lived token for everything. Always split into short access and longer refresh.</li> <li>Forgetting to revoke the refresh token on logout. If you only handle the access token, the refresh token can still mint new ones. Logout must kill the refresh token.</li> <li>Checking the blacklist on every single request. That kills the stateless speed benefit. Check it at the refresh step and keep access tokens short.</li> <li>Storing tokens in localStorage because the tutorial did. Prefer memory for access and httpOnly cookie for refresh.</li> <li>No <code>credentialsChangedAt</code>. Without it, changing the password does not actually protect a user whose token was already stolen.</li> <li>Letting the blacklist grow forever. Always set a TTL so dead entries clean themselves up.</li> </ul> <h2> The one paragraph summary </h2> <p>JWT is fast because the server trusts the token without a database lookup, like a guard glancing at a wristband. The cost of that speed is that logout does not naturally kill a token. You fix it by using a short lived access token plus a longer refresh token, giving every token a unique <code>jti</code> serial number, putting that <code>jti</code> on a blacklist at logout and checking the blacklist only at the refresh step, auto cleaning the blacklist with a TTL index, and adding a <code>credentialsChangedAt</code> timestamp so a password change kills all old tokens at once. Add refresh token rotation with reuse detection and store tokens safely (access in memory, refresh in an httpOnly cookie) and you have a real, production grade auth system.</p> <p>Authentication is not just login and register. The small security details are what separate a toy project from a real system.</p> <h2> Sources and further reading </h2> <ul> <li><a href="https://supertokens.com/blog/revoking-access-with-a-jwt-blacklist" rel="noopener noreferrer">Revoke Access Using a JWT Blacklist (SuperTokens)</a></li> <li><a href="https://medium.com/@ahmedosamaft/understanding-jwt-revocation-strategies-allowlist-denylist-and-jti-matcher-9d298893f8a1" rel="noopener noreferrer">Understanding JWT Revocation Strategies: Allowlist, Denylist, JTI (Medium)</a></li> <li><a href="https://oneuptime.com/blog/post/2026-02-02-jwt-revocation/view" rel="noopener noreferrer">How to Handle JWT Revocation (OneUptime)</a></li> <li><a href="https://auth0.com/docs/secure/tokens/refresh-tokens/refresh-token-rotation" rel="noopener noreferrer">Refresh Token Rotation (Auth0 Docs)</a></li> <li><a href="https://developer.okta.com/docs/guides/refresh-tokens/main/" rel="noopener noreferrer">Refresh access tokens and rotate refresh tokens (Okta)</a></li> <li><a href="https://mihai-andrei.com/blog/refresh-token-reuse-interval-and-reuse-detection/" rel="noopener noreferrer">Secure Refresh Token Rotation with Theft Detection (Mihai Andrei)</a></li> <li><a href="https://dev.to/cotter/localstorage-vs-cookies-all-you-need-to-know-about-storing-jwt-tokens-securely-in-the-front-end-15id">LocalStorage vs Cookies: storing JWT tokens securely (DEV Community)</a></li> <li><a href="https://www.wisp.blog/blog/understanding-token-storage-local-storage-vs-httponly-cookies" rel="noopener noreferrer">Understanding Token Storage: Local Storage vs HttpOnly Cookies (Wisp)</a></li> </ul> <p>Big thanks to Mohamed Kamal for the original post in Node.js Egypt that started this. If this helped you, share it with a junior who is still using one giant token for everything.</p> jwt node security webdev Mohamed Idris Sat, 16 May 2026 13:05:00 +0000 https://forem.com/edriso/learning-http-apis-and-auth-as-if-you-built-it-yourself-ddj https://forem.com/edriso/learning-http-apis-and-auth-as-if-you-built-it-yourself-ddj <p>If you have ever built a frontend that calls a backend, you have run into all three of these. You wrote a <code>fetch</code>. You picked a URL shape. You stuck a token somewhere and prayed. Something returned a 200 with <code>{ ok: false }</code> in the body, and you spent the afternoon arguing in the team chat about whether that was correct.</p> <p>It probably was not.</p> <p>There is a small set of conventions that the whole web agreed on, decades ago, and most apps half know them. Frontend engineers who fully know them ship cleaner, more debuggable systems and have shorter Slack arguments.</p> <p>That is the gap this post fills.</p> <h2> What are HTTP, APIs, and auth, really </h2> <p>Think of the web as <strong>a polite postal system</strong>. Your client (the browser) writes a letter (a request), the server reads it, writes back (a response), and the conversation ends. Each letter has an envelope (headers), a way of being addressed (the URL), and a body (the data). Each reply has a stamp on the front (a status code) that tells you, at a glance, what happened.</p> <ul> <li> <strong>HTTP</strong> is the postal protocol itself. Verbs, headers, status codes, caching rules.</li> <li> <strong>APIs</strong> are the postal addresses your team agreed on. Which URLs do what, what each one expects in the body, what it sends back.</li> <li> <strong>Auth</strong> is the picture ID you put in the envelope. Who are you, and are you allowed to ask for this?</li> </ul> <p>A senior frontend engineer treats those three as one fluent topic, not three separate puzzles.</p> <p>That is the whole vibe.</p> <h2> Let's pretend we are building one </h2> <p>We want to design a small backend a frontend can talk to without surprises, with proper status codes, predictable URLs, and authenticated calls. We will not hand build a server. We will agree on the conventions and use any framework that respects them.</p> <p>For the running example, we are designing the <strong>Mochi Recipes API</strong>: list recipes, read one, create one, log in, save a favorite. Small, but it lets us touch every important corner.</p> <h2> Decision 1: HTTP, the verbs and the rules </h2> <p>Every request is one verb plus one URL. The verbs:</p> <ul> <li> <strong><code>GET</code></strong>: read. Safe (no side effects). Idempotent (same request, same result).</li> <li> <strong><code>POST</code></strong>: create or trigger an action. Not idempotent.</li> <li> <strong><code>PUT</code></strong>: replace the resource entirely. Idempotent.</li> <li> <strong><code>PATCH</code></strong>: change part of the resource. Idempotent in spirit.</li> <li> <strong><code>DELETE</code></strong>: delete. Idempotent.</li> <li> <strong><code>HEAD</code></strong>: like GET but only the headers come back.</li> <li> <strong><code>OPTIONS</code></strong>: what verbs and headers are allowed here? (Used for CORS preflights.)</li> </ul> <p>Two things every senior should know cold:</p> <ul> <li> <strong><code>GET</code> must never modify state.</strong> Browsers, proxies, and prefetchers send GETs whenever they like. A <code>GET /unsubscribe?id=42</code> link will be deleted by Outlook's URL preview. (Yes, this is a real bug that has happened many times.)</li> <li> <strong><code>PUT</code> vs <code>PATCH</code></strong>: <code>PUT /recipes/42</code> with a partial body replaces the recipe with that partial body and removes the missing fields. <code>PATCH /recipes/42</code> with the same body changes only what was sent. Pick on purpose.</li> </ul> <h2> Decision 2: Status codes that say what happened </h2> <p>The first three letters of the response. Memorize the pattern:</p> <ul> <li> <strong><code>2xx</code></strong> success <ul> <li> <code>200 OK</code>: the default success.</li> <li> <code>201 Created</code>: after a successful POST that created a thing. Include a <code>Location:</code> header pointing at the new resource.</li> <li> <code>204 No Content</code>: success but nothing to return. Common after <code>DELETE</code>.</li> </ul> </li> <li> <strong><code>3xx</code></strong> redirection <ul> <li> <code>301 Moved Permanently</code>: the URL changed forever. Browsers cache this.</li> <li> <code>302 Found</code>, <code>307 Temporary Redirect</code>: the resource is over there, for now.</li> <li> <code>304 Not Modified</code>: the cached copy is still good. The body is empty.</li> </ul> </li> <li> <strong><code>4xx</code></strong> the client made a mistake <ul> <li> <code>400 Bad Request</code>: malformed input.</li> <li> <code>401 Unauthorized</code>: you are not logged in. (Misnamed, it is really "unauthenticated".)</li> <li> <code>403 Forbidden</code>: you are logged in, but not allowed.</li> <li> <code>404 Not Found</code>: no such resource.</li> <li> <code>405 Method Not Allowed</code>: wrong verb for this URL.</li> <li> <code>409 Conflict</code>: your write would conflict with the current state (e.g. duplicate email).</li> <li> <code>422 Unprocessable Entity</code>: well formed but invalid (e.g. validation errors).</li> <li> <code>429 Too Many Requests</code>: slow down. Pair with <code>Retry-After</code>.</li> </ul> </li> <li> <strong><code>5xx</code></strong> the server made a mistake <ul> <li> <code>500 Internal Server Error</code>: something blew up.</li> <li> <code>502 Bad Gateway</code>, <code>503 Service Unavailable</code>, <code>504 Gateway Timeout</code>: upstream issues.</li> </ul> </li> </ul> <p>The two anti patterns I see most often on real teams:</p> <ul> <li> <strong>Returning <code>200 { ok: false }</code> for errors.</strong> This breaks every standard tool. Use the right status code. Tools, logs, monitoring, CDNs, and the browser DevTools all rely on it.</li> <li> <strong>Returning <code>400</code> for "not found".</strong> A missing user is <code>404</code>, not <code>400</code>. A malformed JSON body is <code>400</code>. Tell them apart.</li> </ul> <h2> Decision 3: REST URL design </h2> <p>A URL points at a <strong>resource</strong> (a thing). The verb says what you are doing to it. Resources are nouns, plural, lowercase.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">GET /recipes -&gt; list GET /recipes/42 -&gt; read one POST /recipes -&gt; create PATCH /recipes/42 -&gt; update DELETE /recipes/42 -&gt; delete GET /recipes/42/comments -&gt; list comments on recipe 42 POST /recipes/42/comments -&gt; add a comment </span></code></pre> </div> <p>A few senior level rules:</p> <ul> <li> <strong>Nouns, not verbs.</strong> <code>POST /createRecipe</code> is wrong. <code>POST /recipes</code> is right.</li> <li> <strong>Plural, consistently.</strong> <code>GET /recipes</code>, not <code>GET /recipe</code>.</li> <li> <strong>Use query parameters for filtering, sorting, paging.</strong> <code>GET /recipes?tag=dessert&amp;sort=-createdAt&amp;page=2&amp;limit=20</code>.</li> <li> <strong>Use sub paths for relationships.</strong> <code>GET /users/42/recipes</code> reads better than <code>GET /recipes?userId=42</code> for natural ownership.</li> <li> <strong>Version the API in the URL or in a header.</strong> <code>/v1/recipes</code> or <code>Accept: application/vnd.example.v1+json</code>. Pick one and never argue again.</li> <li> <strong>Return JSON in a stable shape.</strong> Never change a field type or remove a key without a version bump.</li> </ul> <p>If REST does not fit your needs (lots of nested data, lots of round trips), look at <strong>GraphQL</strong> or <strong>tRPC</strong>. Both are excellent in 2026. Neither replaces REST for public APIs.</p> <h2> Decision 4: Headers, the metadata you cannot ignore </h2> <p>Headers are the envelope of every request and response. The ones every senior should recognize:</p> <h3> Content negotiation </h3> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">Content-Type: application/json Accept: application/json Accept-Language: en-US,en;q=0.9 </span></code></pre> </div> <p>Always set <code>Content-Type</code> on requests with a body. Always read it on responses (the body might not be JSON).</p> <h3> Auth </h3> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">Authorization: Bearer &lt;token&gt; Cookie: session=... </span></code></pre> </div> <p>We will dig into these in a moment.</p> <h3> Caching </h3> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">Cache-Control: public, max-age=60, stale-while-revalidate=600 ETag: "v3-abc123" Last-Modified: Wed, 09 May 2026 10:00:00 GMT </span></code></pre> </div> <p>The single most underused tool in frontend performance is <strong>conditional requests</strong>. A client with an <code>ETag</code> can ask "is this still fresh?":<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">GET /recipes/42 If-None-Match: "v3-abc123" </span></code></pre> </div> <p>If yes, the server replies <code>304 Not Modified</code> with no body. Bandwidth saved, page faster.</p> <h3> CORS </h3> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">Access-Control-Allow-Origin: https://app.example.com Access-Control-Allow-Credentials: true Access-Control-Allow-Methods: GET, POST, PATCH, DELETE Access-Control-Allow-Headers: Authorization, Content-Type </span></code></pre> </div> <p>CORS lives entirely on the server. It tells the browser which origins are allowed to call this API from JavaScript. It does not exist for security against attackers (curl ignores it). It exists to protect users from a malicious page calling another origin from their browser.</p> <p>The two CORS bugs every frontend developer hits:</p> <ul> <li> <strong>The preflight <code>OPTIONS</code> request.</strong> Before a "non simple" request, the browser sends an <code>OPTIONS</code> to ask permission. Your server must respond with the right headers. Most frameworks have a one-line <code>cors</code> middleware.</li> <li> <strong><code>*</code> and credentials do not mix.</strong> If your server returns <code>Access-Control-Allow-Origin: *</code>, the browser will refuse to send cookies. For credentialed requests, set the exact origin.</li> </ul> <h3> Rate limiting </h3> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">X-RateLimit-Limit: 100 X-RateLimit-Remaining: 23 X-RateLimit-Reset: 1715251200 Retry-After: 60 </span></code></pre> </div> <p>A polite API tells the client when to back off. A polite client respects it.</p> <h2> Decision 5: Errors that the client can actually handle </h2> <p>The body of a <code>4xx</code> or <code>5xx</code> response should follow a stable shape. The de facto standard is <strong>RFC 7807 / 9457 Problem Details</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">HTTP/</span><span class="mf">1.1</span><span class="w"> </span><span class="mi">422</span><span class="w"> </span><span class="err">Unprocessable</span><span class="w"> </span><span class="err">Entity</span><span class="w"> </span><span class="err">Content-Type:</span><span class="w"> </span><span class="err">application/problem+json</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://example.com/problems/validation"</span><span class="p">,</span><span class="w"> </span><span class="nl">"title"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Invalid input"</span><span class="p">,</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="mi">422</span><span class="p">,</span><span class="w"> </span><span class="nl">"detail"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Some fields failed validation."</span><span class="p">,</span><span class="w"> </span><span class="nl">"instance"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/recipes"</span><span class="p">,</span><span class="w"> </span><span class="nl">"errors"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"field"</span><span class="p">:</span><span class="w"> </span><span class="s2">"title"</span><span class="p">,</span><span class="w"> </span><span class="nl">"code"</span><span class="p">:</span><span class="w"> </span><span class="s2">"too_short"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"field"</span><span class="p">:</span><span class="w"> </span><span class="s2">"prepMinutes"</span><span class="p">,</span><span class="w"> </span><span class="nl">"code"</span><span class="p">:</span><span class="w"> </span><span class="s2">"must_be_positive"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>A few rules:</p> <ul> <li> <strong>Use the right status code first.</strong> The body explains, the status decides.</li> <li> <strong>Include a stable error code per problem.</strong> UI code can switch on it without parsing English.</li> <li> <strong>Include enough info to render a good error message</strong> without leaking internals.</li> <li> <strong>Never echo user input back in HTML errors</strong> unless you escape it. That is a classic XSS path.</li> </ul> <h2> Decision 6: Authentication, the choices that actually exist </h2> <p>Auth is two words pretending to be one:</p> <ul> <li> <strong>Authentication (authn)</strong>: who are you?</li> <li> <strong>Authorization (authz)</strong>: what are you allowed to do?</li> </ul> <p>The four mainstream patterns in 2026:</p> <h3> 1. Session cookies (the original, still excellent) </h3> <p>The server creates a session, stores it server side (in a database or Redis), and sets a cookie. The browser sends the cookie automatically on every request to the origin. The server looks up the session and knows who you are.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">Set-Cookie: session=opaque_id; HttpOnly; Secure; SameSite=Lax; Path=/ </span></code></pre> </div> <p>Every flag matters:</p> <ul> <li> <strong><code>HttpOnly</code></strong>: JavaScript cannot read it. Stops XSS from stealing the token.</li> <li> <strong><code>Secure</code></strong>: only sent over HTTPS.</li> <li> <strong><code>SameSite=Lax</code></strong> (or <code>Strict</code>): only sent for same site requests, blocking most CSRF.</li> <li> <strong><code>Path=/</code></strong>: sent on every path under the origin.</li> </ul> <p>The security defaults are excellent. The state lives on the server where you can revoke it instantly. Best for first party web apps where the API and the frontend share an origin.</p> <p>The one CSRF caveat: if you use cookies, every state changing endpoint should require either <code>SameSite=Strict</code>, a CSRF token, or a custom header that browsers will not send cross origin without permission.</p> <h3> 2. JWT (JSON Web Tokens) </h3> <p>A JWT is a self contained token that is signed by the server. It contains the user id, expiration, and any claims you want, all readable by anyone (it is base64 encoded JSON). Only the signature can be checked by the server.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6... </span></code></pre> </div> <p>Pros: stateless, easy to verify on any service that has the public key, popular in SPAs, mobile, and microservices.</p> <p>Cons: hard to revoke before expiration (you would need a blocklist, defeating the stateless point). Often misused to store sensitive data in the token (the body is readable by the client).</p> <p>The 2026 advice:</p> <ul> <li> <strong>Short lived access token (15 minutes) plus a long lived refresh token.</strong> When the access token expires, the client uses the refresh token to get a new one.</li> <li> <strong>Store tokens in <code>HttpOnly</code> cookies, not in <code>localStorage</code>.</strong> Tokens in <code>localStorage</code> are XSS's lunch.</li> <li> <strong>Never use JWTs as session cookies on a single origin web app.</strong> Use real session cookies. JWTs shine for cross origin or service to service.</li> </ul> <h3> 3. OAuth 2.0 / OAuth 2.1 </h3> <p>OAuth is not a login method. It is a protocol for your app to act on behalf of a user at another service. "Sign in with Google" is OAuth.</p> <p>The flow you actually need to know:</p> <ol> <li>Your app sends the user to Google's <code>/authorize</code> URL.</li> <li>The user logs in to Google and clicks "Allow".</li> <li>Google redirects back to your app with an authorization code.</li> <li>Your server exchanges the code for an access token (and a refresh token) at Google's <code>/token</code> endpoint.</li> <li>Your server uses the access token to call Google's APIs.</li> </ol> <p>OAuth 2.1 (the modern consolidation) makes a few things mandatory:</p> <ul> <li> <strong>PKCE for all authorization code flows.</strong> A short random secret the client generates and proves possession of. Closes a class of attacks.</li> <li> <strong>No more Implicit grant.</strong> It was insecure in browsers. Use authorization code with PKCE.</li> <li> <strong>No more Resource Owner Password grant.</strong> Bad pattern, gone.</li> <li> <strong>Exact redirect URI matching.</strong> No fuzzy patterns.</li> </ul> <p>For most frontend developers, you will not implement OAuth. You will use a library or a service: <strong>Auth.js / NextAuth</strong>, <strong>Clerk</strong>, <strong>Auth0</strong>, <strong>WorkOS</strong>, <strong>Stack Auth</strong>. Pick one, follow its setup, get on with your day.</p> <h3> 4. API keys </h3> <p>A long opaque string a service gives a developer for server to server access. Useful for partners and CLI tools. Never put one in frontend code, ever. If a key shows up in your client bundle, it is leaked.</p> <h2> Decision 7: Storing tokens in the browser, the only sane way </h2> <p>The single most common security mistake in frontend code is putting an auth token where JavaScript can read it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// don't</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">setItem</span><span class="p">(</span><span class="dl">"</span><span class="s2">token</span><span class="dl">"</span><span class="p">,</span> <span class="nx">token</span><span class="p">);</span> <span class="c1">// don't</span> <span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span> <span class="o">=</span> <span class="s2">`token=</span><span class="p">${</span><span class="nx">token</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> </code></pre> </div> <p>If any third party script (analytics, chat widget, ad SDK) is XSS'd, your token leaks to it.</p> <p>The right pattern:</p> <ul> <li><strong>The server sets an <code>HttpOnly</code> cookie with the session or refresh token.</strong></li> <li><strong>JavaScript never sees it.</strong></li> <li><strong>The browser sends it automatically on calls to your API.</strong></li> <li><strong>For cross origin frontends, set the API on a subdomain and use <code>SameSite=None; Secure</code> cookies, with explicit CORS allowing credentials.</strong></li> </ul> <p>Modern auth libraries default to this. If yours does not, find one that does.</p> <h2> Decision 8: Calling APIs from the frontend without pain </h2> <p>Once the conventions are set, the client side patterns are simple.</p> <h3> <code>fetch</code>, the modern default </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">getRecipes</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/recipes</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="na">Accept</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/json</span><span class="dl">"</span> <span class="p">},</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">res</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">ApiError</span><span class="p">(</span><span class="k">await</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(),</span> <span class="nx">res</span><span class="p">.</span><span class="nx">status</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="k">as</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">Recipe</span><span class="p">[]</span><span class="o">&gt;</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>A few habits to internalize:</p> <ul> <li> <strong><code>fetch</code> does not throw on <code>4xx</code> or <code>5xx</code>.</strong> You have to check <code>res.ok</code> yourself.</li> <li> <strong>Always cancel in flight requests</strong> when the user navigates away or types again. <code>AbortController</code> is the answer: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">ctrl</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">AbortController</span><span class="p">();</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/search?q=</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">q</span><span class="p">,</span> <span class="p">{</span> <span class="na">signal</span><span class="p">:</span> <span class="nx">ctrl</span><span class="p">.</span><span class="nx">signal</span> <span class="p">});</span> <span class="c1">// later: ctrl.abort();</span> </code></pre> </div> <ul> <li> <strong>Wrap in a typed client.</strong> Hand rolling <code>fetch</code> with try/catch in 80 places is painful. Use <strong>TanStack Query</strong> for caching and retries, or <strong>tRPC</strong>, or <strong>Hey API</strong> generated clients from an OpenAPI spec, or <strong>ts-rest</strong> for typed contracts.</li> <li> <strong>Use <code>credentials: "include"</code></strong> when you need cookies on cross origin requests, alongside the right CORS headers.</li> </ul> <h3> TanStack Query, the go to data layer </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">useQuery</span><span class="p">,</span> <span class="nx">useMutation</span><span class="p">,</span> <span class="nx">useQueryClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@tanstack/react-query</span><span class="dl">"</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">useRecipes</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">useQuery</span><span class="p">({</span> <span class="na">queryKey</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">recipes</span><span class="dl">"</span><span class="p">],</span> <span class="na">queryFn</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/recipes</span><span class="dl">"</span><span class="p">).</span><span class="nf">then</span><span class="p">((</span><span class="nx">r</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">r</span><span class="p">.</span><span class="nf">json</span><span class="p">()),</span> <span class="na">staleTime</span><span class="p">:</span> <span class="mi">60</span><span class="nx">_000</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">useCreateRecipe</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">qc</span> <span class="o">=</span> <span class="nf">useQueryClient</span><span class="p">();</span> <span class="k">return</span> <span class="nf">useMutation</span><span class="p">({</span> <span class="na">mutationFn</span><span class="p">:</span> <span class="p">(</span><span class="na">data</span><span class="p">:</span> <span class="nx">NewRecipe</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/recipes</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">data</span><span class="p">)</span> <span class="p">}),</span> <span class="na">onSuccess</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">qc</span><span class="p">.</span><span class="nf">invalidateQueries</span><span class="p">({</span> <span class="na">queryKey</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">recipes</span><span class="dl">"</span><span class="p">]</span> <span class="p">}),</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>Caching, deduping, retries, background refetching, optimistic updates, all included. We have already discussed why server data does not belong in Zustand or Redux.</p> <h2> Decision 9: WebSockets and Server-Sent Events </h2> <p>For real time data (chat, notifications, live dashboards), HTTP request/response is not enough. Two real options:</p> <ul> <li> <strong>Server-Sent Events (SSE)</strong>: a one way stream from server to client over HTTP. Simple. Built into the browser via <code>EventSource</code>. Great for live updates that flow one direction.</li> <li> <strong>WebSockets</strong>: a two way persistent connection. Use when both ends need to push. Heavier, more work to deploy. The browser API is <code>WebSocket</code>. Frameworks like Socket.IO and <code>partykit</code> make it friendlier.</li> </ul> <p>Pick SSE first. It is simpler, plays better with HTTP infrastructure (load balancers, proxies, CDNs), and covers most "live updates" needs.</p> <h2> Decision 10: Senior level moves and pitfalls </h2> <p>A short list that separates "calls APIs" from "designs and consumes APIs well":</p> <ul> <li> <strong>Always use HTTPS.</strong> Even in development, with a self signed cert if you have to. Cookies and tokens get weird without it.</li> <li> <strong>Validate every input on the server.</strong> The client is not in your control. Use Zod (or your language equivalent) at the boundary.</li> <li> <strong>Never trust the client about auth.</strong> Authorization happens on the server.</li> <li> <strong>Pagination by default.</strong> Any list endpoint that can return more than a few hundred rows must paginate. <code>?page=2&amp;limit=20</code> or cursor based (<code>?after=cursor</code>).</li> <li> <strong>Rate limit even your internal APIs.</strong> A bug on the client side that hammers your endpoint will eat your database otherwise.</li> <li><strong>Set up CORS once, in middleware, not per route.</strong></li> <li><strong>Send a <code>Content-Length</code> and a real <code>Content-Type</code>.</strong></li> <li><strong>Use <code>application/json</code> for JSON, not <code>text/json</code>.</strong></li> <li> <strong>Use ISO 8601 timestamps with timezone.</strong> <code>2026-05-09T10:00:00Z</code>. No "May 9 2026". No <code>1715251200000</code> unless you also tell the consumer it is millis.</li> <li> <strong>Money in integer cents.</strong> Same lesson as the SQL post.</li> <li> <strong>Document with OpenAPI</strong> or a similar spec. Future you, your other team, your AI tools, and your client generators all benefit.</li> <li> <strong>Treat 5xx as your fault, 4xx as the client's.</strong> Logging, alerts, dashboards must respect that line.</li> <li> <strong>Rate limit responses include the limit headers.</strong> Do not make clients guess.</li> <li> <strong>For long jobs, return <code>202 Accepted</code> with a polling URL,</strong> or use a webhook, or stream progress with SSE. Do not hold an HTTP request open for 30 minutes.</li> </ul> <h2> A peek under the hood </h2> <p>What really happens when your frontend calls <code>/api/recipes</code>:</p> <ol> <li>The browser builds a request: method, URL, headers, optional body.</li> <li>If cross origin and "non simple", the browser sends an <code>OPTIONS</code> preflight first.</li> <li>DNS resolves, TCP and TLS handshake (kept warm if possible).</li> <li>The request is sent over HTTP/2 or HTTP/3, multiplexed with other requests on the same connection.</li> <li>The server matches the route, runs middleware (auth, rate limit, validation), runs the handler, builds a response.</li> <li>The response status, headers, and body stream back.</li> <li>The browser respects <code>Cache-Control</code>, sets cookies (<code>Set-Cookie</code>), updates its CORS state.</li> <li>Your <code>fetch</code> resolves. Your app gets the parsed JSON.</li> </ol> <p>That whole loop is what every "an API call" really is. Once you can picture it, debugging gets ten times faster, because you know where to look.</p> <h2> Tiny tips that will save you later </h2> <ul> <li> <strong>Use the right verb and the right status code.</strong> Half of all API arguments end here.</li> <li> <strong>Set <code>Cache-Control</code> on every response.</strong> Even <code>no-cache</code> is better than nothing.</li> <li> <strong>Use <code>ETag</code>s for read heavy endpoints.</strong> Free 304s.</li> <li> <strong>Always <code>AbortController</code> in flight requests.</strong> Especially in search-as-you-type.</li> <li><strong>Cookies for first party web apps. JWT for cross origin or services.</strong></li> <li><strong>Never put tokens in <code>localStorage</code>.</strong></li> <li><strong>Validate every body server side with Zod.</strong></li> <li><strong>Use TanStack Query (or equivalent) for any non trivial frontend.</strong></li> <li><strong>Page everything. Sort consistently. Paginate with stable cursors when ordering matters.</strong></li> <li> <strong>Document your API.</strong> The OpenAPI spec pays for itself.</li> <li> <strong>Read RFCs once.</strong> Especially RFC 7231 (HTTP semantics), RFC 6750 (Bearer), and RFC 9457 (Problem Details).</li> </ul> <h2> Wrapping up </h2> <p>So that is the whole story. The web runs on a polite postal protocol where the verbs and the stamps already mean something specific. APIs are agreements about which addresses do what. Auth is the picture ID in your envelope.</p> <p>We learned to use the right verbs (<code>GET</code> is safe, <code>POST</code> creates, <code>PATCH</code> updates, <code>DELETE</code> deletes), the right status codes (2xx success, 4xx your fault, 5xx mine), the right URL shapes (nouns, plural, sub paths for ownership), the right headers (Content-Type, Accept, Authorization, Cache-Control, ETag, CORS), and the right errors (Problem Details, stable codes, useful messages).</p> <p>We picked auth on purpose: session cookies for first party web apps, JWT in <code>HttpOnly</code> cookies for cross origin SPAs, OAuth 2.1 for "sign in with X", API keys never in the browser. We aborted in-flight requests, cached on purpose, paginated everything, and treated client validation as cosmetic and server validation as security.</p> <p>Once that map is in your head, every API conversation becomes shorter. You stop arguing about whether something should return <code>200 { ok: false }</code> because you already know the answer. You stop chasing CORS ghosts because you can read the preflight in DevTools. You stop leaking tokens because you never put them where JavaScript could see them in the first place.</p> <p>Happy networking, and may your <code>2xx</code> always outnumber your <code>5xx</code>.</p> learning beginners webdev Mohamed Idris Fri, 15 May 2026 13:03:00 +0000 https://forem.com/edriso/learning-nextjs-as-if-you-built-it-yourself-16kn https://forem.com/edriso/learning-nextjs-as-if-you-built-it-yourself-16kn <p>If you have ever built a React app with plain Vite, you remember the moment. Three months in, you have hand rolled a router. You have hand rolled the loading spinner pattern. You have hand rolled metadata for SEO. You have an Express server next to it for the API, and you spend half your time keeping the two in sync. Deploying is a checklist. Production caching is a guess.</p> <p>You did not want to build a framework. You just wanted to ship a website.</p> <p>That is the gap Next.js fills.</p> <h2> What is Next.js, really </h2> <p>Think of Next.js as <strong>a React framework with the boring parts already done</strong>. Routing, data fetching, server side rendering, caching, image optimization, fonts, head tags, deployment, all of it. You write the components, Next.js wires the rest into a coherent app that runs on the server, the edge, and the browser.</p> <p>Two ideas drive the whole thing:</p> <ul> <li> <strong>Server first.</strong> Pages render on the server by default. Only the parts that truly need interactivity ship JavaScript to the browser. Smaller bundles, faster first paint, better SEO, secrets stay safe.</li> <li> <strong>The file system is your routing config.</strong> A folder is a route. A <code>page.tsx</code> inside it is the screen. A <code>layout.tsx</code> is the shared shell. No router config file to maintain.</li> </ul> <p>That is the whole vibe.</p> <h2> Let's pretend we are building one </h2> <p>We want a React framework that handles routing, server rendering, mutations, and caching by default. We will call it <strong>Next.js</strong>.</p> <p>For the running example, we are building <strong>Mochi's Blog</strong>: posts, a single post page, an author dashboard, and a comment form.</p> <h2> Decision 1: The folder is the route </h2> <p>Next.js (App Router) maps your <code>app/</code> folder onto URLs.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>app/ layout.tsx -&gt; shared shell for the whole site page.tsx -&gt; / about/ page.tsx -&gt; /about posts/ page.tsx -&gt; /posts [slug]/ page.tsx -&gt; /posts/anything dashboard/ layout.tsx -&gt; shared shell only for /dashboard/* page.tsx -&gt; /dashboard settings/ page.tsx -&gt; /dashboard/settings api/ subscribe/ route.ts -&gt; POST/GET /api/subscribe </code></pre> </div> <p>A few rules that explain the rest of the framework:</p> <ul> <li> <strong><code>page.tsx</code></strong> is a page. It receives <code>params</code> and <code>searchParams</code> props.</li> <li> <strong><code>layout.tsx</code></strong> is a shell that wraps every page below it in the tree. Layouts compose: every nested layout wraps inside the parent's.</li> <li> <strong><code>[slug]</code></strong> is a dynamic segment. The folder name with brackets becomes a route param.</li> <li> <strong><code>route.ts</code></strong> is a backend endpoint. Export <code>GET</code>, <code>POST</code>, <code>PUT</code>, <code>DELETE</code> functions and they become handlers.</li> <li> <strong><code>loading.tsx</code></strong> is the suspense fallback for that segment. Streamed in automatically.</li> <li> <strong><code>error.tsx</code></strong> is the error boundary for that segment.</li> <li> <strong><code>not-found.tsx</code></strong> is shown when <code>notFound()</code> is thrown.</li> </ul> <p>A minimal layout and home page:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// app/layout.tsx</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">metadata</span> <span class="o">=</span> <span class="p">{</span> <span class="na">title</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Mochi's Blog</span><span class="dl">"</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Cats and code.</span><span class="dl">"</span> <span class="p">};</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">RootLayout</span><span class="p">({</span> <span class="nx">children</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">children</span><span class="p">:</span> <span class="nx">React</span><span class="p">.</span><span class="nx">ReactNode</span> <span class="p">})</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">html</span> <span class="na">lang</span><span class="p">=</span><span class="s">"en"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">body</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">header</span><span class="p">&gt;&lt;</span><span class="nt">a</span> <span class="na">href</span><span class="p">=</span><span class="s">"/"</span><span class="p">&gt;</span>Mochi's Blog<span class="p">&lt;/</span><span class="nt">a</span><span class="p">&gt;&lt;/</span><span class="nt">header</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">main</span><span class="p">&gt;</span><span class="si">{</span><span class="nx">children</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">main</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">body</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">html</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// app/page.tsx</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">HomePage</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="p">&lt;</span><span class="nt">h1</span><span class="p">&gt;</span>Welcome to Mochi's Blog<span class="p">&lt;/</span><span class="nt">h1</span><span class="p">&gt;;</span> <span class="p">}</span> </code></pre> </div> <p>That is a working Next.js app.</p> <h2> Decision 2: Server Components by default </h2> <p>Every component you write is a <strong>Server Component</strong> unless you opt out. Server Components run on the server, can read from a database directly, can use secrets, and ship zero JavaScript to the browser.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// app/posts/page.tsx</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">db</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/lib/db</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">PostsPage</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">posts</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">post</span><span class="p">.</span><span class="nf">findMany</span><span class="p">({</span> <span class="na">orderBy</span><span class="p">:</span> <span class="p">{</span> <span class="na">createdAt</span><span class="p">:</span> <span class="dl">"</span><span class="s2">desc</span><span class="dl">"</span> <span class="p">}</span> <span class="p">});</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">ul</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">posts</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">p</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">(</span> <span class="p">&lt;</span><span class="nt">li</span> <span class="na">key</span><span class="p">=</span><span class="si">{</span><span class="nx">p</span><span class="p">.</span><span class="nx">id</span><span class="si">}</span><span class="p">&gt;&lt;</span><span class="nt">a</span> <span class="na">href</span><span class="p">=</span><span class="si">{</span><span class="s2">`/posts/</span><span class="p">${</span><span class="nx">p</span><span class="p">.</span><span class="nx">slug</span><span class="p">}</span><span class="s2">`</span><span class="si">}</span><span class="p">&gt;</span><span class="si">{</span><span class="nx">p</span><span class="p">.</span><span class="nx">title</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">a</span><span class="p">&gt;&lt;/</span><span class="nt">li</span><span class="p">&gt;</span> <span class="p">))</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">ul</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>That is the whole page. Async function, awaits the database, returns JSX. No <code>useEffect</code>, no loading state, no API route in between.</p> <p>When you do need interactivity (state, effects, event handlers, browser APIs), opt into <strong>Client Components</strong> with <code>"use client"</code> at the top of the file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// app/posts/[slug]/like-button.tsx</span> <span class="dl">"</span><span class="s2">use client</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useState</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">react</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">LikeButton</span><span class="p">({</span> <span class="nx">initial</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">initial</span><span class="p">:</span> <span class="kr">number</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">count</span><span class="p">,</span> <span class="nx">setCount</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="nx">initial</span><span class="p">);</span> <span class="k">return</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">onClick</span><span class="p">=</span><span class="si">{</span><span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">setCount</span><span class="p">(</span><span class="nx">count</span> <span class="o">+</span> <span class="mi">1</span><span class="p">)</span><span class="si">}</span><span class="p">&gt;</span>♥ <span class="si">{</span><span class="nx">count</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;;</span> <span class="p">}</span> </code></pre> </div> <p>The mental model: <strong>default to Server Components. Reach for <code>"use client"</code> only on the interactive island.</strong> The pattern is server pages with small client islands inside, not whole client trees with little server islands.</p> <h2> Decision 3: Server Actions for mutations </h2> <p>When you need to write data, you do not have to hand build an API route. Write an async function with <code>"use server"</code> and call it from a form or a button.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// app/posts/[slug]/comment-form.tsx</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">addComment</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./actions</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">CommentForm</span><span class="p">({</span> <span class="nx">postId</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">postId</span><span class="p">:</span> <span class="kr">string</span> <span class="p">})</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">form</span> <span class="na">action</span><span class="p">=</span><span class="si">{</span><span class="nx">addComment</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">type</span><span class="p">=</span><span class="s">"hidden"</span> <span class="na">name</span><span class="p">=</span><span class="s">"postId"</span> <span class="na">value</span><span class="p">=</span><span class="si">{</span><span class="nx">postId</span><span class="si">}</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nt">textarea</span> <span class="na">name</span><span class="p">=</span><span class="s">"body"</span> <span class="na">required</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nt">button</span><span class="p">&gt;</span>Post comment<span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">form</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// app/posts/[slug]/actions.ts</span> <span class="dl">"</span><span class="s2">use server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">db</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/lib/db</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">revalidatePath</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/cache</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">addComment</span><span class="p">(</span><span class="nx">formData</span><span class="p">:</span> <span class="nx">FormData</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">postId</span> <span class="o">=</span> <span class="nc">String</span><span class="p">(</span><span class="nx">formData</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">postId</span><span class="dl">"</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">body</span> <span class="o">=</span> <span class="nc">String</span><span class="p">(</span><span class="nx">formData</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">body</span><span class="dl">"</span><span class="p">));</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">comment</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="nx">postId</span><span class="p">,</span> <span class="nx">body</span> <span class="p">}</span> <span class="p">});</span> <span class="nf">revalidatePath</span><span class="p">(</span><span class="s2">`/posts/</span><span class="p">${</span><span class="nx">postId</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>That is a full mutation. No API route. No fetch. The browser submits the form, Next.js calls the server function, the server runs it, the page revalidates, and the new comment appears.</p> <p>For a richer client experience (pending state, error message, optimistic UI), pair the action with React 19's <code>useActionState</code> and <code>useOptimistic</code> hooks. Same patterns you already know, no Next.js specific magic needed.</p> <h2> Decision 4: Three rendering modes, one mental model </h2> <p>Every route picks one of three behaviors:</p> <ul> <li> <strong>Static</strong>: built once at deploy time, cached forever, fastest possible. Default for routes with no dynamic data.</li> <li> <strong>Dynamic</strong>: rendered on every request, can use cookies, headers, and search params freely.</li> <li> <strong>Streaming</strong>: starts sending HTML immediately and fills in slow parts as data arrives. Pairs with <code>&lt;Suspense&gt;</code> and <code>loading.tsx</code>.</li> </ul> <p>You rarely pick these explicitly. Next.js infers from what your code does. If you read <code>cookies()</code> or <code>headers()</code>, the route becomes dynamic. If you wrap a slow component in <code>&lt;Suspense&gt;</code>, that part streams.</p> <p>For data that should not be revalidated on every request, you cache and tag it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">unstable_cache</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/cache</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">getPostBySlug</span> <span class="o">=</span> <span class="nf">unstable_cache</span><span class="p">(</span> <span class="k">async </span><span class="p">(</span><span class="nx">slug</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">db</span><span class="p">.</span><span class="nx">post</span><span class="p">.</span><span class="nf">findUnique</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="nx">slug</span> <span class="p">}</span> <span class="p">}),</span> <span class="p">[</span><span class="dl">"</span><span class="s2">post-by-slug</span><span class="dl">"</span><span class="p">],</span> <span class="p">{</span> <span class="na">revalidate</span><span class="p">:</span> <span class="mi">60</span><span class="p">,</span> <span class="na">tags</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">posts</span><span class="dl">"</span><span class="p">]</span> <span class="p">}</span> <span class="p">);</span> </code></pre> </div> <p>When you mutate, you invalidate by tag or by path:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">revalidateTag</span><span class="p">,</span> <span class="nx">revalidatePath</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/cache</span><span class="dl">"</span><span class="p">;</span> <span class="nf">revalidateTag</span><span class="p">(</span><span class="dl">"</span><span class="s2">posts</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// any cache tagged "posts" is dropped</span> <span class="nf">revalidatePath</span><span class="p">(</span><span class="dl">"</span><span class="s2">/posts</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// re-render that path on next request</span> </code></pre> </div> <p>In Next.js 15, the modern surface for this is the <strong><code>use cache</code></strong> directive at the top of a function or component, plus <code>cacheTag()</code> and <code>cacheLife()</code> to control freshness:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="dl">"</span><span class="s2">use cache</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">cacheTag</span><span class="p">,</span> <span class="nx">cacheLife</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/cache</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getRecentPosts</span><span class="p">()</span> <span class="p">{</span> <span class="nf">cacheTag</span><span class="p">(</span><span class="dl">"</span><span class="s2">posts</span><span class="dl">"</span><span class="p">);</span> <span class="nf">cacheLife</span><span class="p">(</span><span class="dl">"</span><span class="s2">hours</span><span class="dl">"</span><span class="p">);</span> <span class="k">return</span> <span class="nx">db</span><span class="p">.</span><span class="nx">post</span><span class="p">.</span><span class="nf">findMany</span><span class="p">({</span> <span class="na">orderBy</span><span class="p">:</span> <span class="p">{</span> <span class="na">createdAt</span><span class="p">:</span> <span class="dl">"</span><span class="s2">desc</span><span class="dl">"</span> <span class="p">},</span> <span class="na">take</span><span class="p">:</span> <span class="mi">10</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>The mental model: <strong>cache everything you can, tag what you cache, invalidate by tag when you mutate</strong>.</p> <h2> Decision 5: Route handlers for the rest </h2> <p>If your client (a mobile app, a third party webhook, an external integration) needs a real REST endpoint, write a <code>route.ts</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/posts/route.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">db</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/lib/db</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">GET</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">posts</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">post</span><span class="p">.</span><span class="nf">findMany</span><span class="p">();</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="nx">posts</span><span class="p">);</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">POST</span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">Request</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">body</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">req</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">post</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">post</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">data</span><span class="p">:</span> <span class="nx">body</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="nx">post</span><span class="p">,</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">201</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>Same file system pattern, same colocation. Use Server Actions for app-internal mutations and route handlers for public APIs.</p> <h2> Decision 6: Navigation and links </h2> <p>The <code>&lt;Link&gt;</code> component from <code>next/link</code> does client side navigation, prefetches in view links, and keeps your layouts mounted across navigations.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="k">import</span> <span class="nx">Link</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/link</span><span class="dl">"</span><span class="p">;</span> <span class="p">&lt;</span><span class="nc">Link</span> <span class="na">href</span><span class="p">=</span><span class="s">"/posts/mochi-stole-socks"</span><span class="p">&gt;</span>Read post<span class="p">&lt;/</span><span class="nc">Link</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Link</span> <span class="na">href</span><span class="p">=</span><span class="si">{</span><span class="s2">`/posts/</span><span class="p">${</span><span class="nx">slug</span><span class="p">}</span><span class="s2">`</span><span class="si">}</span> <span class="na">prefetch</span><span class="p">=</span><span class="si">{</span><span class="kc">false</span><span class="si">}</span><span class="p">&gt;</span>Read<span class="p">&lt;/</span><span class="nc">Link</span><span class="p">&gt;</span> </code></pre> </div> <p>For programmatic navigation, use <code>useRouter()</code> from <code>next/navigation</code> (the new App Router version, not the old <code>next/router</code>).</p> <h2> Decision 7: Images, fonts, and metadata, the boring wins </h2> <p>Next.js has built in components for the things every website gets wrong.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="k">import</span> <span class="nx">Image</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/image</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Inter</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/font/google</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">inter</span> <span class="o">=</span> <span class="nc">Inter</span><span class="p">({</span> <span class="na">subsets</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">latin</span><span class="dl">"</span><span class="p">]</span> <span class="p">});</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">Hero</span><span class="p">()</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="si">{</span><span class="nx">inter</span><span class="p">.</span><span class="nx">className</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Image</span> <span class="na">src</span><span class="p">=</span><span class="s">"/mochi.jpg"</span> <span class="na">alt</span><span class="p">=</span><span class="s">"A small white cat with big eyes"</span> <span class="na">width</span><span class="p">=</span><span class="si">{</span><span class="mi">1200</span><span class="si">}</span> <span class="na">height</span><span class="p">=</span><span class="si">{</span><span class="mi">800</span><span class="si">}</span> <span class="na">priority</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>What that gives you for free: responsive images with <code>srcset</code>, modern formats (AVIF, WebP), lazy loading by default, layout shift prevention, font self hosting with no FOUT, font subsetting.</p> <p>For SEO, set <code>metadata</code> on each route:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">metadata</span> <span class="o">=</span> <span class="p">{</span> <span class="na">title</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Why my cat steals socks</span><span class="dl">"</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">"</span><span class="s2">A short investigation.</span><span class="dl">"</span><span class="p">,</span> <span class="na">openGraph</span><span class="p">:</span> <span class="p">{</span> <span class="na">images</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">/cover.png</span><span class="dl">"</span><span class="p">]</span> <span class="p">},</span> <span class="p">};</span> </code></pre> </div> <p>Or generate it dynamically:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">generateMetadata</span><span class="p">({</span> <span class="nx">params</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">post</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getPost</span><span class="p">(</span><span class="nx">params</span><span class="p">.</span><span class="nx">slug</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">title</span><span class="p">:</span> <span class="nx">post</span><span class="p">.</span><span class="nx">title</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="nx">post</span><span class="p">.</span><span class="nx">excerpt</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>These small wins (<code>&lt;Image&gt;</code>, <code>next/font</code>, metadata API) are why most production React apps run on Next.js even when they technically could ship as a Vite SPA.</p> <h2> Decision 8: Middleware and edge </h2> <p>Code that runs on every request, before any route, lives in <code>middleware.ts</code> at the root:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// middleware.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">NextRequest</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">middleware</span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">session</span><span class="dl">"</span><span class="p">)?.</span><span class="nx">value</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">isAuthed</span> <span class="o">=</span> <span class="nc">Boolean</span><span class="p">(</span><span class="nx">session</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">nextUrl</span><span class="p">.</span><span class="nx">pathname</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">"</span><span class="s2">/dashboard</span><span class="dl">"</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nx">isAuthed</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">"</span><span class="s2">/login</span><span class="dl">"</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nx">url</span><span class="p">));</span> <span class="p">}</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">matcher</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">/dashboard/:path*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">/api/admin/:path*</span><span class="dl">"</span><span class="p">]</span> <span class="p">};</span> </code></pre> </div> <p>Middleware runs on the edge by default, so it is fast and globally distributed. Use it for authentication gates, redirects, A/B test bucketing, locale negotiation, bot blocking. Keep it light. It runs on every matched request.</p> <h2> Decision 9: Project structure that scales </h2> <p>A pattern most senior teams settle on:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>app/ (marketing)/ -&gt; route group, does not appear in URLs page.tsx -&gt; / pricing/page.tsx -&gt; /pricing (dashboard)/ layout.tsx -&gt; auth-protected layout dashboard/page.tsx -&gt; /dashboard api/ layout.tsx components/ ui/ -&gt; design system primitives (Button, Card, Dialog) posts/ -&gt; feature components lib/ db.ts -&gt; database client auth.ts -&gt; auth helpers validators/ -&gt; Zod schemas, shared between client and server </code></pre> </div> <p>The senior level habits:</p> <ul> <li> <strong>Group routes with <code>(name)/</code></strong> for sectioning without affecting URLs.</li> <li> <strong>Keep server only code in <code>lib/</code></strong> and never import it from a <code>"use client"</code> file. (Add <code>import "server-only"</code> at the top of files that should never reach the browser.)</li> <li> <strong>One feature, one folder.</strong> A <code>posts</code> feature has its server queries, components, and forms colocated.</li> <li> <strong>Use the official <code>next.config</code> minimum.</strong> Resist the urge to customize Webpack until you must.</li> </ul> <h2> Decision 10: Auth, the modern story </h2> <p>Next.js does not ship auth, on purpose. The two clean choices in 2026:</p> <ul> <li> <strong>Auth.js (formerly NextAuth)</strong>: full featured, supports OAuth providers, email magic links, credentials. Sets a session cookie. Read sessions from Server Components with <code>auth()</code>.</li> <li> <strong>Clerk / Kinde / Stack Auth / WorkOS</strong>: hosted auth services with React components and a back end you do not run. Trade some money for zero auth code.</li> <li> <strong>Roll your own session cookie + a strong library</strong> like <code>iron-session</code> or <code>lucia-auth</code>. Reasonable for small projects.</li> </ul> <p>Whatever you pick, the rule is the same: <strong>read the session in middleware or in a Server Component, never trust client side flags</strong>. Server Components are where authorization decisions belong.</p> <h2> Decision 11: Deployment and runtime </h2> <p>The simplest deploy: push to a Git repo connected to Vercel. Build, deploy, edge middleware, image optimization, all included. That is the path the framework was designed for.</p> <p>You can also self host:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>next build next start </code></pre> </div> <p>That gives you a Node.js server. For containerized deploys, the <code>output: "standalone"</code> config produces a minimal output that runs anywhere Node runs.</p> <p>Two runtime knobs to know:</p> <ul> <li> <strong>Node.js runtime</strong> (default): full Node APIs, larger cold start, runs anywhere.</li> <li> <strong>Edge runtime</strong>: a subset of APIs, V8 isolate based, low latency cold start, geographically distributed. Set per route with <code>export const runtime = "edge";</code>. Great for middleware and small API handlers.</li> </ul> <h2> A peek under the hood </h2> <p>What really happens when a user opens your Next.js app:</p> <ol> <li>The request hits the edge or your Node server.</li> <li>Middleware runs, possibly redirecting or rewriting.</li> <li>Next.js matches the URL to a <code>page.tsx</code> plus its parent layouts.</li> <li>Server Components render on the server, fetching data, awaiting promises.</li> <li>The HTML streams to the browser, with <code>&lt;Suspense&gt;</code> boundaries filling in as data arrives.</li> <li>A small JavaScript payload hydrates the Client Components only.</li> <li>The browser shows pixels almost immediately, interactivity follows shortly after.</li> <li>Subsequent navigations are client side, prefetched, and reuse the layout tree.</li> </ol> <p>Two senior level consequences:</p> <ul> <li> <strong>Less JS in the browser is the headline win.</strong> A typical Next.js page ships a fraction of what a typical Vite SPA ships, because Server Components stay on the server.</li> <li> <strong>Caching is the second big win, and the most confusing one.</strong> Next.js caches at the data level (fetch, <code>unstable_cache</code>, <code>use cache</code>) and the route level. Get comfortable with <code>revalidateTag</code> and <code>revalidatePath</code> early.</li> </ul> <h2> Tiny tips that will save you later </h2> <ul> <li> <strong>Default to Server Components.</strong> Add <code>"use client"</code> only where you must.</li> <li> <strong>Use <code>&lt;Image&gt;</code>, <code>next/font</code>, and the metadata API.</strong> Free Lighthouse points.</li> <li> <strong>Use <code>&lt;Link&gt;</code> for internal navigation.</strong> Native <code>&lt;a&gt;</code> reloads the page.</li> <li> <strong>Tag your caches.</strong> It pays off the first time you ship a "show fresh data" feature.</li> <li> <strong>Keep secrets server side.</strong> A <code>process.env.SECRET</code> accessed from a <code>"use client"</code> file is shipped to the browser.</li> <li> <strong>Use Zod schemas in <code>lib/validators/</code></strong> to share types between client forms and server actions.</li> <li> <strong>Read sessions on the server.</strong> Auth checks in client code are cosmetic, not security.</li> <li> <strong>Run <code>next build</code> in CI.</strong> Type errors and config issues show up there, not in dev.</li> <li> <strong>Profile with the Vercel Analytics or <code>next/web-vitals</code></strong> to track real user metrics.</li> </ul> <h2> Wrapping up </h2> <p>So that is the whole story. We were tired of stitching React, a router, an API server, an image pipeline, and a deployment script together by hand. We built a framework that does it all by default. The file system is the router. Server Components do data fetching. Server Actions do mutations. Caching is built in, with tag based invalidation. Images, fonts, and metadata are first class. Middleware runs on the edge.</p> <p>We learned to default to the server, ship small client islands, cache aggressively, invalidate precisely, and let Next.js handle the boring parts so we can focus on the actual app.</p> <p>Once that map is in your head, every modern React project starts to feel familiar. Next.js stops feeling like "React with extra steps" and starts feeling like the full stack toolkit you wished you had three years ago.</p> <p>Happy shipping, and may your LCP always be green.</p> nextjs learning beginners