Forem: Hammad Khan The latest articles on Forem by Hammad Khan (@hammadxcm). https://forem.com/hammadxcm https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1249401%2F2bf8c18a-96c9-4621-b5d8-725f82781cc1.jpeg Forem: Hammad Khan https://forem.com/hammadxcm en JWT Hardening Checklist: Beyond 'Use HS256' Hammad Khan Sat, 16 May 2026 13:33:17 +0000 https://forem.com/hammadxcm/jwt-hardening-checklist-beyond-use-hs256-2f80 https://forem.com/hammadxcm/jwt-hardening-checklist-beyond-use-hs256-2f80 <h1> JWT Hardening Checklist: Beyond "Use HS256" </h1> <p>Every codebase that uses JWTs has the same comment somewhere: "Using HS256 for now, can switch to RS256 later." That comment was right when it was written and it's wrong now, because "later" has been five years and nobody's revisited it.</p> <p>This is a checklist of the JWT issues I've found across production codebases, in rough order of severity. Most teams have two or three of them. A few teams have all of them.</p> <h2> 1. Algorithm pinning </h2> <p>The famous bug: a JWT library that accepts <code>"alg": "none"</code> and skips signature verification. Auditors have been chasing this for a decade and yet libraries still ship with permissive defaults.</p> <p>The fix is to pin the algorithm at the verification call:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">jwt</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">jsonwebtoken</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">decoded</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">SECRET</span><span class="p">,</span> <span class="p">{</span> <span class="na">algorithms</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">HS256</span><span class="dl">'</span><span class="p">]</span> <span class="p">})</span> </code></pre> </div> <p>Note <code>algorithms</code> is an array, but you should pass exactly one. Multiple algorithms means the attacker chooses. They will choose <code>none</code>.</p> <p>The Python equivalent (PyJWT):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">decoded</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="n">token</span><span class="p">,</span> <span class="n">SECRET</span><span class="p">,</span> <span class="n">algorithms</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">HS256</span><span class="sh">'</span><span class="p">])</span> </code></pre> </div> <p>The Ruby equivalent (jwt gem):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="n">decoded</span> <span class="o">=</span> <span class="no">JWT</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="n">token</span><span class="p">,</span> <span class="no">SECRET</span><span class="p">,</span> <span class="kp">true</span><span class="p">,</span> <span class="p">{</span> <span class="ss">algorithm: </span><span class="s1">'HS256'</span> <span class="p">})</span> </code></pre> </div> <p>If your verify call doesn't pass <code>algorithms</code> explicitly, fix it. This is a five-character change and it closes a class of CVEs.</p> <h2> 2. Symmetric vs asymmetric (HS256 vs RS256/ES256) </h2> <p>HS256 uses a shared secret. Whoever holds the secret can sign tokens. If you're signing tokens in one service and verifying them in another, both services need the secret. That means twice the attack surface for the secret, and rotation is twice the work.</p> <p>RS256 uses an asymmetric keypair. The signer holds the private key. Verifiers hold the public key. Compromising a verifier doesn't let an attacker forge tokens (they only have the public key). For multi-service architectures, this is strictly better.</p> <p>The migration is straightforward if you have the runway:</p> <ol> <li>Add asymmetric key generation to your auth service.</li> <li>Have your auth service start issuing JWTs signed with both algorithms (dual-sign during the rotation window — yes, you can include both signatures).</li> <li>Update verifiers to accept either.</li> <li>Once all verifiers are on the new code, drop the old HS256 signature.</li> <li>Once all in-flight HS256 tokens have expired, drop the verify support.</li> </ol> <p>If you're a single-service app and you don't see a multi-service future, HS256 is fine. Don't migrate for migration's sake.</p> <h2> 3. Expiry — and <em>short</em> expiry </h2> <p>Tokens should expire. The lifetime should be measured in minutes, not hours.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span><span class="nx">payload</span><span class="p">,</span> <span class="nx">SECRET</span><span class="p">,</span> <span class="p">{</span> <span class="na">algorithm</span><span class="p">:</span> <span class="dl">'</span><span class="s1">HS256</span><span class="dl">'</span><span class="p">,</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">'</span><span class="s1">15m</span><span class="dl">'</span><span class="p">,</span> <span class="p">})</span> </code></pre> </div> <p>The argument I hear against short tokens: "the user will get logged out too often." This is what refresh tokens are for. Access tokens live 15 minutes. Refresh tokens live longer (hours to days) and live in HttpOnly cookies, where JS can't reach them. When the access token expires, the client calls a refresh endpoint, gets a new access token, and moves on.</p> <p>If your tokens live 8 hours, an attacker who exfiltrates one has 8 hours of impersonation. If they live 15 minutes, they have 15 minutes. The math is straightforward.</p> <h2> 4. Verify the issuer and audience </h2> <p>The <code>iss</code> (issuer) and <code>aud</code> (audience) claims are how you tell that a token was minted by the right authority and intended for your application:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">decoded</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">SECRET</span><span class="p">,</span> <span class="p">{</span> <span class="na">algorithms</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">HS256</span><span class="dl">'</span><span class="p">],</span> <span class="na">issuer</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://auth.example.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">audience</span><span class="p">:</span> <span class="dl">'</span><span class="s1">api.example.com</span><span class="dl">'</span><span class="p">,</span> <span class="p">})</span> </code></pre> </div> <p>If you don't verify these, a token issued by your auth server for one of your services can be replayed against a different service. Inter-service token reuse is a real attack pattern.</p> <h2> 5. Don't put PII or secrets in the payload </h2> <p>JWT payloads are base64-encoded, not encrypted. Anyone with the token can decode and read the contents. This includes:</p> <ul> <li>The user's email or name (PII).</li> <li>Role information (which the attacker now knows).</li> <li>Application-internal IDs (which the attacker can guess at).</li> </ul> <p>Keep the payload minimal: user ID, issued-at, expiry, issuer, audience, maybe a session ID. Everything else, look up server-side from the user ID.</p> <p>If you absolutely need an encrypted payload, use JWE instead of JWT. But the better answer is usually "don't put the data there."</p> <h2> 6. Refresh tokens belong in HttpOnly cookies </h2> <p>Storing tokens in <code>localStorage</code> is the default in many tutorials and the default in many bugs. JS code can read localStorage. XSS gets you the tokens.</p> <p>The better pattern:</p> <ul> <li> <strong>Access token</strong>: short-lived (15 min), held in memory by the SPA, sent in <code>Authorization: Bearer</code> headers.</li> <li> <strong>Refresh token</strong>: longer-lived, set as <code>HttpOnly; Secure; SameSite=Lax</code> cookie. JS can't read it. The browser sends it automatically on the refresh endpoint.</li> </ul> <p>The refresh endpoint is the only one that reads the refresh token. Everything else uses the access token.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Refresh endpoint</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/auth/refresh</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">refresh</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">cookies</span><span class="p">[</span><span class="dl">'</span><span class="s1">refresh_token</span><span class="dl">'</span><span class="p">]</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">refresh</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">end</span><span class="p">()</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">decoded</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">refresh</span><span class="p">,</span> <span class="nx">REFRESH_SECRET</span><span class="p">,</span> <span class="p">{</span> <span class="na">algorithms</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">HS256</span><span class="dl">'</span><span class="p">],</span> <span class="na">issuer</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://auth.example.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">audience</span><span class="p">:</span> <span class="dl">'</span><span class="s1">api.example.com</span><span class="dl">'</span><span class="p">,</span> <span class="p">})</span> <span class="k">if </span><span class="p">(</span><span class="k">await</span> <span class="nf">isRevoked</span><span class="p">(</span><span class="nx">decoded</span><span class="p">.</span><span class="nx">jti</span><span class="p">))</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">end</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">access</span> <span class="o">=</span> <span class="nf">signAccessToken</span><span class="p">(</span><span class="nx">decoded</span><span class="p">.</span><span class="nx">sub</span><span class="p">)</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">access_token</span><span class="p">:</span> <span class="nx">access</span> <span class="p">})</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">end</span><span class="p">()</span> <span class="p">}</span> <span class="p">})</span> </code></pre> </div> <h2> 7. Refresh token rotation </h2> <p>When the client uses a refresh token, give them a new refresh token in the response. Invalidate the old one. This is "refresh token rotation."</p> <p>The win: if an attacker steals a refresh token and uses it, you'll notice when the legitimate client tries to use the same (now-invalidated) token next time. You can force-logout the entire session in response.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// On refresh, mint a new refresh too</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/auth/refresh</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">refresh</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">cookies</span><span class="p">[</span><span class="dl">'</span><span class="s1">refresh_token</span><span class="dl">'</span><span class="p">]</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">refresh</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">end</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">decoded</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">refresh</span><span class="p">,</span> <span class="nx">REFRESH_SECRET</span><span class="p">,</span> <span class="p">{</span> <span class="cm">/* ... */</span> <span class="p">})</span> <span class="k">if </span><span class="p">(</span><span class="k">await</span> <span class="nf">isRevoked</span><span class="p">(</span><span class="nx">decoded</span><span class="p">.</span><span class="nx">jti</span><span class="p">))</span> <span class="p">{</span> <span class="c1">// Refresh token reuse detected. Kill the entire session.</span> <span class="k">await</span> <span class="nf">killSession</span><span class="p">(</span><span class="nx">decoded</span><span class="p">.</span><span class="nx">session_id</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">end</span><span class="p">()</span> <span class="p">}</span> <span class="k">await</span> <span class="nf">markRevoked</span><span class="p">(</span><span class="nx">decoded</span><span class="p">.</span><span class="nx">jti</span><span class="p">)</span> <span class="c1">// single-use</span> <span class="kd">const</span> <span class="nx">newRefresh</span> <span class="o">=</span> <span class="nf">signRefreshToken</span><span class="p">(</span><span class="nx">decoded</span><span class="p">.</span><span class="nx">sub</span><span class="p">,</span> <span class="nx">decoded</span><span class="p">.</span><span class="nx">session_id</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">access</span> <span class="o">=</span> <span class="nf">signAccessToken</span><span class="p">(</span><span class="nx">decoded</span><span class="p">.</span><span class="nx">sub</span><span class="p">)</span> <span class="nx">res</span><span class="p">.</span><span class="nf">cookie</span><span class="p">(</span><span class="dl">'</span><span class="s1">refresh_token</span><span class="dl">'</span><span class="p">,</span> <span class="nx">newRefresh</span><span class="p">,</span> <span class="p">{</span> <span class="na">httpOnly</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">secure</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">sameSite</span><span class="p">:</span> <span class="dl">'</span><span class="s1">lax</span><span class="dl">'</span> <span class="p">})</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">access_token</span><span class="p">:</span> <span class="nx">access</span> <span class="p">})</span> <span class="p">})</span> </code></pre> </div> <p>The <code>jti</code> (JWT ID) claim is what makes this work. Each refresh token has a unique ID. You track which IDs have been used (in Redis, with a TTL slightly longer than the refresh token's expiry). Reuse of a used ID is a sign of compromise.</p> <h2> 8. Revocation </h2> <p>Stateless tokens can't be revoked by changing a database row. They're valid until they expire. This is a fundamental design constraint, and you work around it two ways:</p> <ol> <li> <strong>Short access tokens</strong> so the window of impersonation is small.</li> <li> <strong>A revocation list keyed by <code>jti</code> or session ID</strong> for cases where you need immediate revocation (logout, password change, role downgrade).</li> </ol> <p>The revocation list is a small Redis SET. On every token verify, check the SET. If the <code>jti</code> is in the SET, reject the token regardless of signature validity.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">verifyWithRevocation</span><span class="p">(</span><span class="nx">token</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">Decoded</span> <span class="o">|</span> <span class="kc">null</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">decoded</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">SECRET</span><span class="p">,</span> <span class="p">{</span> <span class="cm">/* ... */</span> <span class="p">})</span> <span class="k">if </span><span class="p">(</span><span class="k">await</span> <span class="nx">redis</span><span class="p">.</span><span class="nf">sismember</span><span class="p">(</span><span class="dl">'</span><span class="s1">revoked_jti</span><span class="dl">'</span><span class="p">,</span> <span class="nx">decoded</span><span class="p">.</span><span class="nx">jti</span><span class="p">))</span> <span class="k">return</span> <span class="kc">null</span> <span class="k">return</span> <span class="nx">decoded</span> <span class="p">}</span> </code></pre> </div> <p>The Redis hit costs about 0.1ms. The peace of mind is worth it.</p> <h2> 9. Don't trust the <code>kid</code> claim blindly </h2> <p>If you support multiple signing keys (e.g., for rotation), tokens carry a <code>kid</code> (key ID) claim that says which key to use. A naive implementation does this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">getKey</span><span class="p">(</span><span class="nx">kid</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">KEYS</span><span class="p">[</span><span class="nx">kid</span><span class="p">]</span> <span class="c1">// attacker controls kid; they can pick any key, including ones you've rotated out</span> <span class="p">}</span> </code></pre> </div> <p>The fix: maintain an allowlist of currently-valid <code>kid</code> values. Reject any token whose <code>kid</code> isn't in the allowlist, before you do anything else.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">VALID_KIDS</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Set</span><span class="p">([</span><span class="dl">'</span><span class="s1">2026-q2</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">2026-q1</span><span class="dl">'</span><span class="p">])</span> <span class="kd">function</span> <span class="nf">getKey</span><span class="p">(</span><span class="nx">kid</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">VALID_KIDS</span><span class="p">.</span><span class="nf">has</span><span class="p">(</span><span class="nx">kid</span><span class="p">))</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">invalid_kid</span><span class="dl">'</span><span class="p">)</span> <span class="k">return</span> <span class="nx">KEYS</span><span class="p">[</span><span class="nx">kid</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>For RS256/ES256 with JWKS endpoints, the library typically handles this, but verify your specific library's behavior.</p> <h2> 10. Clock skew </h2> <p>The <code>exp</code> and <code>nbf</code> claims are time-based. If your servers' clocks drift, tokens issued by one server can be rejected by another. Allow a small clock skew:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">SECRET</span><span class="p">,</span> <span class="p">{</span> <span class="na">algorithms</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">HS256</span><span class="dl">'</span><span class="p">],</span> <span class="na">clockTolerance</span><span class="p">:</span> <span class="mi">30</span><span class="p">,</span> <span class="c1">// 30 seconds of skew allowed</span> <span class="p">})</span> </code></pre> </div> <p>Don't make this too generous. 30 seconds is reasonable. 5 minutes is "you have a different problem to solve, please go fix NTP."</p> <h2> The checklist, in summary </h2> <ul> <li>Pin the algorithm at verify time. Never accept <code>alg=none</code>.</li> <li>Use asymmetric keys (RS256/ES256) for multi-service architectures.</li> <li>Short access tokens (15 min). Long refresh tokens in HttpOnly cookies.</li> <li>Verify <code>iss</code> and <code>aud</code>. Always.</li> <li>Don't put PII in the payload.</li> <li>Rotate refresh tokens on each use. Track <code>jti</code> for reuse detection.</li> <li>Maintain a revocation list for immediate kills.</li> <li>Allowlist <code>kid</code> values.</li> <li>Allow small clock skew (30s).</li> </ul> <p>Each item is a small piece of code. The aggregate is the difference between "we use JWTs" and "we use JWTs correctly." If your codebase fails three or more of these, it's worth a Tuesday afternoon.</p> security jwt authentication node Designing Idempotent Bulk Import Pipelines (E.164, VIN, and the Rest) Hammad Khan Wed, 13 May 2026 13:16:43 +0000 https://forem.com/hammadxcm/designing-idempotent-bulk-import-pipelines-e164-vin-and-the-rest-1man https://forem.com/hammadxcm/designing-idempotent-bulk-import-pipelines-e164-vin-and-the-rest-1man <h1> Designing Idempotent Bulk Import Pipelines (E.164, VIN, and the Rest) </h1> <p>Bulk imports are a special category of pain. You give the user a CSV uploader, they hand you a file, and your job is to take that file from "blob of text" to "thousands of clean rows in your database." Somewhere in the middle, every assumption you have about your data falls apart.</p> <p>I rebuilt the bulk import system for a dealership SaaS recently. The redesign covered phone number normalization, VIN format validation, file-format consistency, and the structural decision that makes the whole thing reliable: idempotency.</p> <p>If you've ever shipped a bulk importer, you've probably hit the same problems. Here's the shape of the design that finally worked.</p> <h2> The four problems </h2> <p>Any bulk import system has to solve four problems:</p> <ol> <li> <strong>Validation.</strong> Every row has to satisfy schema constraints before it goes into the database. Some constraints are obvious (required fields), some are domain-specific (a VIN must be 17 characters in a specific alphabet).</li> <li> <strong>Normalization.</strong> "077 12345" and "+447712345" and "01234 567 890" might all need to become <code>+441234567890</code> before they hit the database. The user doesn't think about this; you have to.</li> <li> <strong>Error reporting.</strong> When 200 of 5,000 rows fail validation, the user needs to know which 200 and why. A flat "import failed" tells them nothing.</li> <li> <strong>Idempotency.</strong> When the upload crashes halfway through and the user clicks "Retry," the second run must not double-write the first 2,500 rows.</li> </ol> <p>The fourth problem is the one teams skip. It's also the one that breaks production. Let me start there.</p> <h2> Idempotency: the key decision </h2> <p>The pattern that works is <strong>stable per-row keys with an upsert at the DB level.</strong></p> <p>For each row, compute a stable key from the row's natural identity. For dealership customers, that might be <code>(dealer_id, email_lowercase)</code>. For vehicles, <code>(dealer_id, vin)</code>. Whatever uniquely identifies the row in the customer's mental model.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">customerKey</span><span class="p">(</span><span class="nx">row</span><span class="p">:</span> <span class="nx">CustomerRow</span><span class="p">,</span> <span class="nx">dealerId</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="k">return</span> <span class="s2">`</span><span class="p">${</span><span class="nx">dealerId</span><span class="p">}</span><span class="s2">:</span><span class="p">${</span><span class="nx">row</span><span class="p">.</span><span class="nx">email</span><span class="p">.</span><span class="nf">trim</span><span class="p">().</span><span class="nf">toLowerCase</span><span class="p">()}</span><span class="s2">`</span> <span class="p">}</span> </code></pre> </div> <p>Then use that key as the basis for an upsert:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">INSERT</span> <span class="k">INTO</span> <span class="n">customers</span> <span class="p">(</span><span class="n">dealer_id</span><span class="p">,</span> <span class="n">email</span><span class="p">,</span> <span class="n">name</span><span class="p">,</span> <span class="n">phone</span><span class="p">,</span> <span class="p">...)</span> <span class="k">VALUES</span> <span class="p">(</span><span class="err">$</span><span class="mi">1</span><span class="p">,</span> <span class="err">$</span><span class="mi">2</span><span class="p">,</span> <span class="err">$</span><span class="mi">3</span><span class="p">,</span> <span class="err">$</span><span class="mi">4</span><span class="p">,</span> <span class="p">...)</span> <span class="k">ON</span> <span class="n">CONFLICT</span> <span class="p">(</span><span class="n">dealer_id</span><span class="p">,</span> <span class="n">email</span><span class="p">)</span> <span class="k">DO</span> <span class="k">UPDATE</span> <span class="k">SET</span> <span class="n">name</span> <span class="o">=</span> <span class="n">EXCLUDED</span><span class="p">.</span><span class="n">name</span><span class="p">,</span> <span class="n">phone</span> <span class="o">=</span> <span class="n">EXCLUDED</span><span class="p">.</span><span class="n">phone</span><span class="p">,</span> <span class="p">...</span> <span class="n">updated_at</span> <span class="o">=</span> <span class="n">NOW</span><span class="p">();</span> </code></pre> </div> <p>Now if the import crashes after row 2,500 and the user retries, the first 2,500 rows update themselves in-place (no-op if the data didn't change) and the remaining 2,500 get inserted. Same end state as if the import had run cleanly the first time.</p> <p>This sounds obvious. Most bulk import code I see doesn't do it. Most code uses <code>INSERT INTO ... VALUES (...)</code> and crashes on the unique-constraint violation when the user retries.</p> <h2> Normalize once, at the entry point </h2> <p>The normalization rule: do it once, as close to the file parsing as possible. Don't sprinkle normalization throughout the codebase.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// import-normalize.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">parsePhoneNumberFromString</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">libphonenumber-js</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">normalizePhone</span><span class="p">(</span><span class="nx">raw</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">defaultCountry</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">string</span> <span class="o">|</span> <span class="kc">null</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">raw</span> <span class="o">||</span> <span class="o">!</span><span class="nx">raw</span><span class="p">.</span><span class="nf">trim</span><span class="p">())</span> <span class="k">return</span> <span class="kc">null</span> <span class="c1">// Auto-prepend country code if user typed a local number without +</span> <span class="kd">const</span> <span class="nx">candidate</span> <span class="o">=</span> <span class="nx">raw</span><span class="p">.</span><span class="nf">trim</span><span class="p">().</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">'</span><span class="s1">+</span><span class="dl">'</span><span class="p">)</span> <span class="p">?</span> <span class="nx">raw</span><span class="p">.</span><span class="nf">trim</span><span class="p">()</span> <span class="p">:</span> <span class="nx">raw</span><span class="p">.</span><span class="nf">trim</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">parsed</span> <span class="o">=</span> <span class="nf">parsePhoneNumberFromString</span><span class="p">(</span><span class="nx">candidate</span><span class="p">,</span> <span class="nx">defaultCountry</span> <span class="k">as</span> <span class="kr">any</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">parsed</span><span class="p">?.</span><span class="nf">isValid</span><span class="p">())</span> <span class="k">return</span> <span class="kc">null</span> <span class="k">return</span> <span class="nx">parsed</span><span class="p">.</span><span class="nf">format</span><span class="p">(</span><span class="dl">'</span><span class="s1">E.164</span><span class="dl">'</span><span class="p">)</span> <span class="c1">// e.g. "+441234567890"</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">normalizeVin</span><span class="p">(</span><span class="nx">raw</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">string</span> <span class="o">|</span> <span class="kc">null</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">raw</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span> <span class="kd">const</span> <span class="nx">cleaned</span> <span class="o">=</span> <span class="nx">raw</span><span class="p">.</span><span class="nf">trim</span><span class="p">().</span><span class="nf">toUpperCase</span><span class="p">().</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/</span><span class="se">[^</span><span class="sr">A-HJ-NPR-Z0-9</span><span class="se">]</span><span class="sr">/g</span><span class="p">,</span> <span class="dl">''</span><span class="p">)</span> <span class="c1">// VIN must be 17 chars; no I, O, or Q allowed</span> <span class="k">if </span><span class="p">(</span><span class="nx">cleaned</span><span class="p">.</span><span class="nx">length</span> <span class="o">!==</span> <span class="mi">17</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span> <span class="k">return</span> <span class="nx">cleaned</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">normalizeEmail</span><span class="p">(</span><span class="nx">raw</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">string</span> <span class="o">|</span> <span class="kc">null</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">raw</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span> <span class="kd">const</span> <span class="nx">trimmed</span> <span class="o">=</span> <span class="nx">raw</span><span class="p">.</span><span class="nf">trim</span><span class="p">().</span><span class="nf">toLowerCase</span><span class="p">()</span> <span class="k">return</span> <span class="sr">/^</span><span class="se">[^\s</span><span class="sr">@</span><span class="se">]</span><span class="sr">+@</span><span class="se">[^\s</span><span class="sr">@</span><span class="se">]</span><span class="sr">+</span><span class="se">\.[^\s</span><span class="sr">@</span><span class="se">]</span><span class="sr">+$/</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="nx">trimmed</span><span class="p">)</span> <span class="p">?</span> <span class="nx">trimmed</span> <span class="p">:</span> <span class="kc">null</span> <span class="p">}</span> </code></pre> </div> <p>Three things in here that look small:</p> <ul> <li> <strong>Each function returns <code>null</code> on invalid input, not a thrown exception.</strong> The caller decides what to do with invalid rows (skip them, surface an error). Throwing inside normalization makes the loop harder to reason about.</li> <li> <strong>Phone normalization uses <code>libphonenumber-js</code>, not a regex.</strong> Phone numbers are too varied for regex to handle correctly. The library handles country codes, formatting, valid-number checks, and the auto-prepend logic.</li> <li> <strong>VIN normalization knows about the VIN alphabet.</strong> The letters <code>I</code>, <code>O</code>, and <code>Q</code> are not valid VIN characters (they look too much like 1 and 0). Strip them out during cleanup, and reject if the result isn't 17 characters.</li> </ul> <h2> The validation pipeline </h2> <p>The pipeline as a whole looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">type</span> <span class="nx">ImportResult</span> <span class="o">=</span> <span class="p">{</span> <span class="na">validRows</span><span class="p">:</span> <span class="nx">Customer</span><span class="p">[]</span> <span class="na">errors</span><span class="p">:</span> <span class="nb">Array</span><span class="o">&lt;</span><span class="p">{</span> <span class="na">row</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">field</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">reason</span><span class="p">:</span> <span class="kr">string</span> <span class="p">}</span><span class="o">&gt;</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">processImport</span><span class="p">(</span><span class="nx">file</span><span class="p">:</span> <span class="nx">Buffer</span><span class="p">,</span> <span class="nx">dealerId</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">dealerCountry</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">ImportResult</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">parsed</span> <span class="o">=</span> <span class="nf">parseCsv</span><span class="p">(</span><span class="nx">file</span><span class="p">)</span> <span class="kd">const</span> <span class="na">errors</span><span class="p">:</span> <span class="nx">ImportResult</span><span class="p">[</span><span class="dl">'</span><span class="s1">errors</span><span class="dl">'</span><span class="p">]</span> <span class="o">=</span> <span class="p">[]</span> <span class="kd">const</span> <span class="na">validRows</span><span class="p">:</span> <span class="nx">Customer</span><span class="p">[]</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for </span><span class="p">(</span><span class="kd">let</span> <span class="nx">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nx">i</span> <span class="o">&lt;</span> <span class="nx">parsed</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> <span class="nx">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">row</span> <span class="o">=</span> <span class="nx">parsed</span><span class="p">[</span><span class="nx">i</span><span class="p">]</span> <span class="kd">const</span> <span class="nx">rowNum</span> <span class="o">=</span> <span class="nx">i</span> <span class="o">+</span> <span class="mi">2</span> <span class="c1">// 1-indexed, plus header</span> <span class="kd">const</span> <span class="nx">email</span> <span class="o">=</span> <span class="nf">normalizeEmail</span><span class="p">(</span><span class="nx">row</span><span class="p">.</span><span class="nx">email</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">email</span><span class="p">)</span> <span class="p">{</span> <span class="nx">errors</span><span class="p">.</span><span class="nf">push</span><span class="p">({</span> <span class="na">row</span><span class="p">:</span> <span class="nx">rowNum</span><span class="p">,</span> <span class="na">field</span><span class="p">:</span> <span class="dl">'</span><span class="s1">email</span><span class="dl">'</span><span class="p">,</span> <span class="na">reason</span><span class="p">:</span> <span class="dl">'</span><span class="s1">invalid email</span><span class="dl">'</span> <span class="p">})</span> <span class="k">continue</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">phone</span> <span class="o">=</span> <span class="nf">normalizePhone</span><span class="p">(</span><span class="nx">row</span><span class="p">.</span><span class="nx">phone</span><span class="p">,</span> <span class="nx">dealerCountry</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nx">row</span><span class="p">.</span><span class="nx">phone</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nx">phone</span><span class="p">)</span> <span class="p">{</span> <span class="nx">errors</span><span class="p">.</span><span class="nf">push</span><span class="p">({</span> <span class="na">row</span><span class="p">:</span> <span class="nx">rowNum</span><span class="p">,</span> <span class="na">field</span><span class="p">:</span> <span class="dl">'</span><span class="s1">phone</span><span class="dl">'</span><span class="p">,</span> <span class="na">reason</span><span class="p">:</span> <span class="dl">'</span><span class="s1">invalid phone</span><span class="dl">'</span> <span class="p">})</span> <span class="k">continue</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">name</span> <span class="o">=</span> <span class="p">(</span><span class="nx">row</span><span class="p">.</span><span class="nx">name</span> <span class="o">??</span> <span class="dl">''</span><span class="p">).</span><span class="nf">trim</span><span class="p">()</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">name</span><span class="p">)</span> <span class="p">{</span> <span class="nx">errors</span><span class="p">.</span><span class="nf">push</span><span class="p">({</span> <span class="na">row</span><span class="p">:</span> <span class="nx">rowNum</span><span class="p">,</span> <span class="na">field</span><span class="p">:</span> <span class="dl">'</span><span class="s1">name</span><span class="dl">'</span><span class="p">,</span> <span class="na">reason</span><span class="p">:</span> <span class="dl">'</span><span class="s1">required</span><span class="dl">'</span> <span class="p">})</span> <span class="k">continue</span> <span class="p">}</span> <span class="nx">validRows</span><span class="p">.</span><span class="nf">push</span><span class="p">({</span> <span class="nx">dealerId</span><span class="p">,</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">phone</span><span class="p">,</span> <span class="nx">name</span> <span class="p">})</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">validRows</span><span class="p">,</span> <span class="nx">errors</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>A few choices to point out:</p> <ul> <li> <strong><code>continue</code> on validation error, don't return.</strong> Process every row, accumulate every error. The user wants to see all 200 errors at once, not the first one.</li> <li> <strong>Row numbers are 1-indexed plus the header.</strong> The user's spreadsheet starts at row 1 (header) and the first data row is row 2. Match the user's mental model.</li> <li> <strong>Errors capture row, field, and reason.</strong> This is what gets surfaced back to the UI. "Row 47: phone — invalid phone" is what the user needs to fix the spreadsheet.</li> </ul> <h2> The atomic write </h2> <p>Now you've got <code>validRows</code>. The write step is a single transactional upsert:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">writeRows</span><span class="p">(</span><span class="nx">rows</span><span class="p">:</span> <span class="nx">Customer</span><span class="p">[])</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">rows</span><span class="p">.</span><span class="nx">length</span> <span class="o">===</span> <span class="mi">0</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="na">inserted</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="na">updated</span><span class="p">:</span> <span class="mi">0</span> <span class="p">}</span> <span class="k">return</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">transaction</span><span class="p">(</span><span class="k">async </span><span class="p">(</span><span class="nx">tx</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">tx</span> <span class="p">.</span><span class="nf">insertInto</span><span class="p">(</span><span class="dl">'</span><span class="s1">customers</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">values</span><span class="p">(</span><span class="nx">rows</span><span class="p">)</span> <span class="p">.</span><span class="nf">onConflict</span><span class="p">((</span><span class="nx">oc</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">oc</span><span class="p">.</span><span class="nf">columns</span><span class="p">([</span><span class="dl">'</span><span class="s1">dealer_id</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">email</span><span class="dl">'</span><span class="p">]).</span><span class="nf">doUpdateSet</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="p">(</span><span class="nx">eb</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">eb</span><span class="p">.</span><span class="nf">ref</span><span class="p">(</span><span class="dl">'</span><span class="s1">excluded.name</span><span class="dl">'</span><span class="p">),</span> <span class="na">phone</span><span class="p">:</span> <span class="p">(</span><span class="nx">eb</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">eb</span><span class="p">.</span><span class="nf">ref</span><span class="p">(</span><span class="dl">'</span><span class="s1">excluded.phone</span><span class="dl">'</span><span class="p">),</span> <span class="na">updated_at</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">sql</span><span class="s2">`now()`</span><span class="p">,</span> <span class="p">}))</span> <span class="p">.</span><span class="nf">returning</span><span class="p">([</span><span class="dl">'</span><span class="s1">id</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">xmax</span><span class="dl">'</span><span class="p">])</span> <span class="c1">// xmax = 0 means insert, otherwise update</span> <span class="p">.</span><span class="nf">execute</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">inserted</span> <span class="o">=</span> <span class="nx">result</span><span class="p">.</span><span class="nf">filter</span><span class="p">(</span><span class="nx">r</span> <span class="o">=&gt;</span> <span class="nx">r</span><span class="p">.</span><span class="nx">xmax</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">0</span><span class="dl">'</span><span class="p">).</span><span class="nx">length</span> <span class="kd">const</span> <span class="nx">updated</span> <span class="o">=</span> <span class="nx">result</span><span class="p">.</span><span class="nx">length</span> <span class="o">-</span> <span class="nx">inserted</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">inserted</span><span class="p">,</span> <span class="nx">updated</span> <span class="p">}</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>Three things:</p> <ul> <li> <strong>Single transaction.</strong> Either all 4,800 valid rows make it in, or none do. No partial state for the user to discover later.</li> <li> <strong><code>xmax</code> trick to distinguish inserts from updates.</strong> Postgres-specific: when <code>INSERT ... ON CONFLICT DO UPDATE</code> performs an insert, the returning row's <code>xmax</code> is 0. On an update, <code>xmax</code> is non-zero. This lets you tell the user "inserted 3,200, updated 1,600."</li> <li> <strong><code>updated_at</code> on conflict.</strong> Always touch the timestamp, even if no other fields changed. The audit trail wants to know the row was re-imported.</li> </ul> <p>For very large imports (50,000+ rows), this single transaction will become a problem (long-held locks, replication lag). The fix is to batch:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">BATCH_SIZE</span> <span class="o">=</span> <span class="mi">1000</span> <span class="k">for </span><span class="p">(</span><span class="kd">let</span> <span class="nx">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nx">i</span> <span class="o">&lt;</span> <span class="nx">rows</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> <span class="nx">i</span> <span class="o">+=</span> <span class="nx">BATCH_SIZE</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">batch</span> <span class="o">=</span> <span class="nx">rows</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="nx">i</span><span class="p">,</span> <span class="nx">i</span> <span class="o">+</span> <span class="nx">BATCH_SIZE</span><span class="p">)</span> <span class="k">await</span> <span class="nf">writeRows</span><span class="p">(</span><span class="nx">batch</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>Each batch is its own transaction. You lose all-or-nothing across batches, but you gain the ability to scale to large imports. For our dealership use case (rare imports of 5,000-50,000 rows), this trade was right.</p> <h2> What about the "supply-chain" failures? </h2> <p>The original code we replaced loaded its xlsx parser from a CDN. We had a separate write-up on why that's a bad idea (and a separate fix). For the bulk-import context specifically: the parser runs against user-uploaded files. If the parser is malicious, every uploaded file is exfiltrated. Vendor the parser, verify its hash in CI, and don't load it from a remote URL. (Details in the companion article on the xlsx CDN supply-chain hole.)</p> <h2> The user-facing report </h2> <p>The validation step returns errors. The UI needs to show them in a way the user can act on. Two patterns work:</p> <ol> <li> <strong>Inline error report.</strong> After upload, show "5,200 rows imported, 200 errors. Download error report?" The download is a CSV with the user's original rows plus an <code>error</code> column. They fix the spreadsheet and re-upload.</li> <li> <strong>Reject-on-any-error.</strong> If any row has an error, reject the whole upload, surface the errors, and don't write anything. This is right for cases where partial imports are dangerous (vehicle records that have FK dependencies on other tables, for example).</li> </ol> <p>For our customer imports, option 1 was right. For our vehicle imports, option 2 was right. Pick deliberately. Document the choice. Don't let the default be "import what we can, drop the rest silently" — that's how dealers find missing customers six months later.</p> <h2> The full pipeline shape </h2> <p>To summarize the design:</p> <ol> <li> <strong>Parse</strong> the file into raw rows. No transformation here.</li> <li> <strong>Normalize</strong> each field (phone, email, VIN, etc.) to the canonical form.</li> <li> <strong>Validate</strong> each row. Collect errors. Don't stop on the first failure.</li> <li> <strong>Decide</strong> based on the policy: reject-on-error or skip-bad-rows-and-continue.</li> <li> <strong>Upsert</strong> valid rows in a transaction (or batched transactions), using a stable natural key.</li> <li> <strong>Report</strong> back to the user: counts, errors, downloadable diff.</li> </ol> <p>Each step is a small, testable function. The pipeline as a whole is reproducible: same file, same dealer config, same result. Crashes mid-way are recoverable because of idempotency.</p> <h2> The takeaway </h2> <p>Bulk imports become reliable once you commit to two ideas: normalize at the boundary, and make every write idempotent via a stable key. Once those two are in place, retries are free, partial failures are recoverable, and "the import broke" stops being a thing your support team has to handle.</p> <p>The hardest part of building one isn't the validation. It's having the conversation about what your stable key actually is — and being willing to make the user pick one if the data doesn't have one obvious.</p> systemdesign validation node datapipelines From Hours to Seconds: Simplifying RuboCop with rubocop-hk Hammad Khan Mon, 25 Aug 2025 07:11:35 +0000 https://forem.com/hammadxcm/from-hours-to-seconds-simplifying-rubocop-with-rubocop-hk-24dl https://forem.com/hammadxcm/from-hours-to-seconds-simplifying-rubocop-with-rubocop-hk-24dl <h2> The two-hour setup that drove me crazy </h2> <p>I started what should have been a simple task last Thursday at 3 PM: setting up RuboCop for a new Ruby project. I was still changing configuration files, searching for "best RuboCop rules for Ruby 3.2," and arguing with myself about whether to use double or single quotes by 5 PM. Does this sound familiar?</p> <p>At that point, I knew it was time to stop. If I'm spending two hours setting up a linter instead of writing code, something is wrong. That night, I began working on <strong>rubocop-hk</strong>, a pre-configured RuboCop gem that lets you start linting in just 30 seconds.</p> <h2> What is rubocop-hk? </h2> <p><a href="https://rubygems.org/gems/rubocop-hk" rel="noopener noreferrer">rubocop-hk</a> is a RuboCop configuration gem that works well right away without any changes. It's like RuboCop's opinionated cousin who has already made all the hard choices for you.</p> <p>RuboCop's default setup takes a long time to customize, but rubocop-hk gives you a setup that has been tested in real-world Ruby projects and improved over time. You can now install it just like any other gem because it's on RubyGems.</p> <p>What I like best is It's still RuboCop on the inside. You get all the power of RuboCop without having to worry about setting it up. It saves time by making the most boring part of setting up a project a one-minute task.</p> <h2> The problem it solves (or why I made it) </h2> <p>Let's be honest about what adding RuboCop to a project does:</p> <p><strong>Before rubocop-hk:</strong></p> <ol> <li>Put RuboCop in your Gemfile (5 minutes)</li> <li>Run it and get 500 or more offenses (10 minutes of crying)</li> <li>Begin making <code>.rubocop.yml</code> (15 minutes)</li> <li>Search for "best RuboCop configuration" on Google (30 minutes)</li> <li>Take rules from different blog posts (20 minutes)</li> <li>Talk with your team for 45 minutes about how long the lines should be.</li> <li>Finally, choose a configuration (15 minutes)</li> <li>Remember that you forgot to set up Rails cops (start over)</li> </ol> <p>Total time: more than two hours of setting up hell.</p> <p><strong>After rubocop-hk:</strong></p> <ol> <li>Put rubocop-hk in your Gemfile (30 seconds)</li> <li>Make a small <code>.rubocop.yml</code> file (30 seconds)</li> <li>Start coding in a consistent way (worth its weight in gold)</li> </ol> <p>The real killer isn't just the first step. It's keeping things the same across a lot of projects. How many times have you copied <code>.rubocop.yml</code> files from one project to another, only to find that each one is a little different and none of them are quite right?</p> <h2> How to Install and Get Started </h2> <p>Are you ready to take back your afternoon? Here's how to get going:</p> <h3> Step 1: Put it in your Gemfile </h3> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="n">group</span> <span class="ss">:development</span><span class="p">,</span> <span class="ss">:test</span> <span class="k">do</span> <span class="n">gem</span> <span class="s1">'rubocop-hk'</span> <span class="k">end</span> </code></pre> </div> <h3> Step 2: Install the bundle </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>bundle <span class="nb">install</span> </code></pre> </div> <h3> Step 3: Make your .rubocop.yml </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">inherit_gem</span><span class="pi">:</span> <span class="na">rubocop-hk</span><span class="pi">:</span> <span class="s">default.yml</span> <span class="c1"># Optional: Add settings that are specific to your project</span> <span class="na">AllCops</span><span class="pi">:</span> <span class="na">NewCops</span><span class="pi">:</span> <span class="s">enable</span> <span class="na">TargetRubyVersion</span><span class="pi">:</span> <span class="m">3.2</span> </code></pre> </div> <h3> Step 4: Start RuboCop </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>bundle <span class="nb">exec </span>rubocop Looking at 23 files ....................... 23 files checked, no crimes found </code></pre> </div> <p>That's all. That's really all there is to it. In less than a minute, you've set up RuboCop with settings that are ready for production.</p> <h2> Important Features and Benefits </h2> <p>What makes rubocop-hk special isn't what it adds; it's what it takes away from your workflow:</p> <p><strong>🎯 The Philosophy of No Configuration</strong><br><br> The gem follows the Ruby community's best practices right out of the box. No more being stuck on a decision or making changes over and over. It just works.</p> <p><strong>⚡ Productivity Right Away</strong><br><br> Stop arguing about whether to use <code>%w[]</code> or <code>%w()</code> for arrays of words. Based on popular Ruby style guides and how people use it in the real world, rubocop-hk has already made these choices.</p> <p><strong>🔧 Still Adjustable</strong><br><br> Don't like a rule? You can change it in your <code>.rubocop.yml</code>. rubocop-hk gives you the base, but you are still in charge:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">inherit_gem</span><span class="pi">:</span> <span class="na">rubocop-hk</span><span class="pi">:</span> <span class="s">default.yml</span> <span class="c1"># Your group likes longer lines</span> <span class="na">Layout/LineLength</span><span class="pi">:</span> <span class="na">Max</span><span class="pi">:</span> <span class="m">120</span> </code></pre> </div> <p><strong>📦 Batteries Included</strong><br><br> The gem has settings for:</p> <ul> <li>Style cops (Ruby idioms that are always the same)</li> <li>Layout cops (spacing and indentation)</li> <li>Lint cops (find real bugs)</li> <li>Metrics cops (code that is easy to understand and change)</li> <li>Naming cops (making sure that variable and method names are always the same)</li> </ul> <p>To see exactly what you're getting, go to <a href="https://github.com/hammadxcm/rubocop-hk" rel="noopener noreferrer">GitHub</a> and look at the full configuration.</p> <h2> Examples of How to Use It in Real Life </h2> <h3> Example 1: Putting together a Rails project </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">inherit_gem</span><span class="pi">:</span> <span class="na">rubocop-hk</span><span class="pi">:</span> <span class="s">default.yml</span> <span class="na">require</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">rubocop-rails</span> <span class="na">Rails</span><span class="pi">:</span> <span class="na">Enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">AllCops</span><span class="pi">:</span> <span class="na">Exclude</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">db/schema.rb'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">vendor/**/*'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">config/initializers/*'</span> </code></pre> </div> <h3> Example 2: GitHub Actions CI/CD Pipeline </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Linters</span> <span class="na">on</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">push</span><span class="pi">,</span> <span class="nv">pull_request</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">rubocop</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v3</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">ruby/setup-ruby@v1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">bundler-cache</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run RuboCop</span> <span class="na">run</span><span class="pi">:</span> <span class="s">bundle exec rubocop --parallel</span> </code></pre> </div> <h3> Example 3: Slowly getting the team to use it </h3> <p>Start out strict and then loosen up when you need to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">inherit_gem</span><span class="pi">:</span> <span class="na">rubocop-hk</span><span class="pi">:</span> <span class="s">default.yml</span> <span class="c1"># Turn off strict cops for a while while the team gets used to it</span> <span class="na">Metrics/MethodLength</span><span class="pi">:</span> <span class="na">Enabled</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">Style/Documentation</span><span class="pi">:</span> <span class="na">Enabled</span><span class="pi">:</span> <span class="kc">false</span> </code></pre> </div> <h3> Example 4: Fixing Old Code Automatically </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Fix automatically what's safe to repair</span> <span class="nv">$ </span>bundle <span class="nb">exec </span>rubocop <span class="nt">-a</span> <span class="c"># Show what needs to be done by hand</span> <span class="nv">$ </span>bundle <span class="nb">exec </span>rubocop <span class="nt">--only-recognized-offenses</span> </code></pre> </div> <h2> Who Should Use This? </h2> <p><strong>Developers Who Work Alone</strong><br><br> Stop wasting time setting things up. Use rubocop-hk and concentrate on adding new features.</p> <p><strong>Teams that work on development</strong><br><br> Stop arguing about the style guide. Make rubocop-hk your team's standard and get back to solving real problems.</p> <p><strong>Students in Bootcamp and Ruby Beginners</strong><br><br> Learn how to write Ruby code well without having to deal with hundreds of cop configurations.</p> <p><strong>People who keep open source software up to date</strong><br><br> Without having to keep up with complicated documentation, give contributors clear style rules. With rubocop-hk, all you have to do is point them to your <code>.rubocop.yml</code>.</p> <p><strong>Agencies and Consultants</strong><br><br> Keep client projects consistent without having to move configuration files around.</p> <h2> Your turn: Start in 30 seconds </h2> <p>The time is running out. You could have already installed rubocop-hk and be writing better Ruby code by the time you finish reading this conclusion.</p> <ol> <li> <strong>Get the gem</strong>: <a href="https://rubygems.org/gems/rubocop-hk" rel="noopener noreferrer">rubygems.org/gems/rubocop-hk</a> </li> <li> <strong>Star the repo</strong>: <a href="https://github.com/hammadxcm/rubocop-hk" rel="noopener noreferrer">github.com/hammadxcm/rubocop-hk</a> </li> <li> <strong>Tell us about your experience</strong>: Let us know how long it took you to set up by leaving a comment below!</li> </ol> <p>Do you have any questions? Did you find a bug? Do you have a suggestion for how to set it up? This gem was made for the community, by the community. If you have a problem, open an issue on GitHub.</p> <p>Stop setting things up. Get started with coding. Your future self will be grateful.</p> <p><strong>What is your RuboCop setup horror story?</strong> Please leave a comment below and let me know how much time you've wasted setting up your linter! 👇</p> <p><em>If rubocop-hk helped you save time, please like this post and tell your Ruby friends about it. Let's speed up Ruby development for everyone!</em></p> ruby code programming opensource Mastering GraphQL Mutations with the graphql-client Ruby Gem Hammad Khan Fri, 05 Jan 2024 09:02:34 +0000 https://forem.com/hammadxcm/mastering-graphql-mutations-with-the-graphql-client-ruby-gem-31g https://forem.com/hammadxcm/mastering-graphql-mutations-with-the-graphql-client-ruby-gem-31g <p>GraphQL has become a popular choice for building APIs due to its flexibility and efficiency. When working with GraphQL APIs in Ruby, the graphql-client gem proves to be a powerful tool. In this article, we will delve into the intricacies of using mutations with the graphql-client gem to modify data on the server side.</p> <h2> Introduction to GraphQL Mutations </h2> <p>In GraphQL, mutations are operations used to modify data on the server. While queries are used to fetch data, mutations enable us to create, update, or delete data. This distinction aligns with the principles of the GraphQL schema, where mutations are defined to perform write operations.</p> <h2> Setting Up the graphql-client Gem </h2> <p>Before diving into mutations, it’s crucial to have the graphql-client gem set up in your Ruby project. The gem facilitates easy communication with GraphQL APIs. Here is a basic setup snippet:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>require 'graphql/client' require 'graphql/client/http' module Api HTTP = GraphQL::Client::HTTP.new(ENV['GRAPHQL_API_URL']) Schema = GraphQL::Client.load_schema(HTTP) Client = GraphQL::Client.new(schema: Schema, execute: HTTP) end </code></pre> </div> <p>Make sure to replace 'GRAPHQL_API_URL' it with the actual URL of your GraphQL endpoint.</p> <h2> Executing a Mutation </h2> <p>Executing a mutation with the graphql-client gem is similar to querying data. Let's take an example of a mutation that creates a country. In this case, we have a mutation called CreateCountryMutation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>CreateCountryMutation = Api::Client.parse(&lt;&lt;~'GRAPHQL') mutation($name: String) { createCountry(name: $name) { id } } GRAPHQL </code></pre> </div> <p>This mutation expects a parameter name of type String and returns the ID of the created city.</p> <p>To execute this mutation, you can use the following code snippet:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>variables = { name: 'United States' } result = Api::Client.query(CreateCountryMutation, variables: variables) puts result.data.create_country.id </code></pre> </div> <p>Replace 'United States' with the desired country name. The result object will contain the response from the server, and you can access the created country's ID using result.data.create_country.id.</p> <h2> Conclusion </h2> <p>The graphql-client gem simplifies the process of working with GraphQL APIs in Ruby, and mutations play a crucial role in modifying data. By understanding how to structure mutations and execute them using the graphql-client gem, you can seamlessly integrate write operations into your Ruby applications.</p> <p>Explore more about GraphQL mutations, handle errors, and optimize your mutations for efficient data manipulation. The combination of GraphQL and the graphql-client gem opens up a world of possibilities for building robust and flexible APIs. Happy coding!</p>