Forem: Thomas Hunter II The latest articles on Forem by Thomas Hunter II (@tlhunter). https://forem.com/tlhunter https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F176508%2Fe71f88ca-063b-4377-8a76-45e5775ab3db.jpeg Forem: Thomas Hunter II https://forem.com/tlhunter en Osgood Performance Gains Thomas Hunter II Wed, 31 Jul 2019 16:06:00 +0000 https://forem.com/tlhunter/osgood-performance-gains-n59 https://forem.com/tlhunter/osgood-performance-gains-n59 <p>We recently performed several optimizations within the request/response path for the new JavaScript platform, <a href="https://github.com/IntrinsicLabs/osgood">Osgood</a>, in an attempt to make it run faster. Osgood is a secure, fast, and simple platform for running JavaScript HTTP servers, and is distributed as a binary that can run on your server just like Node.js.</p> <h2> Optimizations </h2> <p>Some of these improvements were rather straightforward and are applicable to most codebases:</p> <ul> <li>Remove <a href="https://github.com/IntrinsicLabs/osgood/commit/2a839bb2e1d580e8858f30e6e73f1bcf55ccd5f6">unnecessary</a> <a href="https://github.com/IntrinsicLabs/osgood/commit/8fd4ab1317cfe66de1453c32c1b5f99d3f2ba022">work</a> (in our case, when returning a string response)</li> <li> <a href="https://github.com/IntrinsicLabs/osgood/commit/7788a98f15fd513ab775ac26378292d9b2454a44">Lazily construct</a> complex class instances (such as <code>Headers</code>)</li> <li> <a href="https://github.com/IntrinsicLabs/osgood/commit/5d6d2471510f0012557282ab6a0301ec83a14256">Pass around references</a> instead of performing a table lookup</li> </ul> <p>Other optimizations depended on how V8 optimizes and runs JavaScript and wouldn't necessarily be faster in other situations:</p> <ul> <li>Replace <code>defineProperty()</code> calls with <a href="https://github.com/IntrinsicLabs/osgood/commit/67037b4a3f048a5d4ec3781ec6575227f0ab0c2b">private class fields</a> <ul> <li>Though <a href="https://github.com/IntrinsicLabs/osgood/commit/5afdc5be1a2cd751cbe8656ac6da7fb847e26d93">private symbols</a> turned out to be even faster</li> </ul> </li> <li>Use <code>class</code> when instantiating <a href="https://github.com/IntrinsicLabs/osgood/commit/c5b5053f8a17361d8da3c032ea53a615eaf5f0ab">similar-shaped objects</a> </li> </ul> <p>Many of these optimizations are ones you wouldn't necessarily want to make within app code. However, with Osgood being a large-audience platform for running application code, it makes sense to optimize as much as possible and benefit a large number of applications.</p> <h2> Results </h2> <p>Using the <code>wrk</code> benchmarking tool we saw a <strong>3.0x</strong> improvement—measured in requests per second (r/s)—when running a simple “Hello, World!” benchmark with <em>10 concurrent requests</em>: <code>osgood@0.1.0</code> runs at <strong>25,261 r/s</strong> whereas <code>osgood@0.2.1</code> runs at <strong>77,450 r/s</strong>! (For reference, <code>node@12.7.0</code>, which also runs server-side JavaScript, runs at <strong>31,159 r/s</strong>.)</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--QyKZk1eL--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://thepracticaldev.s3.amazonaws.com/i/gutm6rontu4i0cmcet83.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--QyKZk1eL--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://thepracticaldev.s3.amazonaws.com/i/gutm6rontu4i0cmcet83.png" alt="Osgood Performance Gains"></a></p> <p>As you can see, Osgood runs much faster as the concurrency increases. We built Osgood from the beginning with concurrency in mind so these results aren't that surprising. Under the hood, Osgood is making use of Tokio. From the <a href="https://tokio.rs/">Tokio homepage</a>:</p> <blockquote> <p>Applications built with Tokio are concurrent out of the box. Tokio provides a multithreaded, work-stealing, task scheduler tuned for async networking work loads.</p> </blockquote> <p>Here are some raw numbers from these benchmarks which also show how response time standard deviation is an order of magnitude calmer as well:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>$ wrk -d 60 -c 10 http://localhost:3000/hello # osgood 0.1.0 Thread Stats Avg Stdev Max +/- Stdev Latency 3.26ms 9.91ms 123.57ms 92.77% Req/Sec 12.69k 2.91k 16.98k 73.83% Requests/sec: 25261.70 $ wrk -d 60 -c 10 http://localhost:3000/hello # osgood 0.2.1 Thread Stats Avg Stdev Max +/- Stdev Latency 140.86us 219.40us 15.27ms 97.41% Req/Sec 38.92k 2.30k 45.89k 71.38% Requests/sec: 77449.91 $ wrk -d 60 -c 10 http://localhost:3000/hello # node v12.7.0 Thread Stats Avg Stdev Max +/- Stdev Latency 321.69us 96.95us 11.08ms 98.41% Req/Sec 15.66k 1.18k 17.50k 76.54% Requests/sec: 31159.16 $ wrk --version wrk 4.0.0 [epoll] </code></pre></div> <p>The code used for these benchmarks is <a href="https://github.com/IntrinsicLabs/osgood/tree/master/benchmarks">available here</a>.</p> <h2> What's Next </h2> <p>We're pretty happy with the performance gains we've been able to make. That said we have more plans to make it even faster. One such feature we're planning on implementing is to optionally <a href="https://github.com/IntrinsicLabs/osgood/pull/12">auto-scale workers</a> (a feature which gave a <strong>2.5x</strong> improvement over the <code>osgood@v0.1.0</code> release).</p> <p>While the <em>average</em> latency of <code>osgood@0.2.1</code> is less than half of Node.js, the <em>max</em> is still higher. This means there should still be some room to optimize garbage collection and get more consistent results.</p> <p>As always, <a href="https://github.com/IntrinsicLabs/osgood">patches are welcome</a>, and if you see an area to help performance we'd love to get a PR from you!</p> <p>Wanna get your hands on this faster version of Osgood? Visit the <a href="https://github.com/IntrinsicLabs/osgood/releases">releases</a> page and download the latest version!</p> javascript node Osgood and CouchDB Thomas Hunter II Mon, 22 Jul 2019 18:53:38 +0000 https://forem.com/tlhunter/osgood-and-couchdb-125k https://forem.com/tlhunter/osgood-and-couchdb-125k <p>We recently announced a new open source project, <a href="https://github.com/IntrinsicLabs/osgood">Osgood</a>, which aims to be a secure platform for running JavaScript on the server. This platform applies the <em>Principle of Least Privilege</em> to application code. One of the ways we enforce this is by limiting the types of operations an application can perform. For example, arbitrary network connections cannot be made and child processes cannot be executed.</p> <p>Outbound HTTP requests are a first class citizen thanks to the <code>fetch()</code> API. This means that <strong>CouchDB</strong>, a NoSQL database with an HTTP API, is a perfect match for performing application persistence with Osgood.</p> <p>One of the biggest strengths of Osgood is the ability to specify policies on a per-route basis. This allows for very-fine security enforcement, allowing each Osgood Worker to only perform pre-approved operations.</p> <h2> Sample CRUD Application </h2> <p>Consider a simple CRUD application. This app represents a microservice within a larger organization. The service is essentially a facade in front of other services. It performs validation of the provided data, like enforcing username length. It limits database interactions, such as preventing arbitrary destructive queries from running. This app also decouples application code from the database implementation by transforming data into an ideal format. It also handles the database authentication, keeping the credentials on a trusted internal service and out of the client.</p> <p>This microservice will have five endpoints:</p> <ul> <li>List Users (<code>GET /users</code>)</li> <li>Create User (<code>POST /users</code>)</li> <li>Get User (<code>GET /users/{user_id}</code>)</li> <li>Delete User (<code>DELETE /users/{user_id}</code>)</li> <li>Update User (<code>PUT /users/{user_id}</code>)</li> </ul> <blockquote> <p>Note: If you'd like to follow along with this example, the code for the project is open source and available in our repository: <a href="https://github.com/IntrinsicLabs/osgood/tree/master/examples/couchdb-rest">IntrinsicLabs/osgood/examples/couchdb-rest</a></p> </blockquote> <h2> Application Configuration: <code>app.js</code> </h2> <p>Osgood Applications are configured using JavaScript. There is a global object called <code>app</code> available for setting properties. The first one is <code>interface</code> and is the name of the interface we want our application to bind to. The second one is <code>port</code> and is the port we want to listen on.</p> <p>There are also some methods available on the <code>app</code> object for performing routing of incoming HTTP requests based on HTTP method and path patterns. For example, to route an incoming <code>GET</code> request to the <code>/users</code> endpoint, one can call <code>app.get('/users', ...)</code>. The second argument to the routing functions is a path to the Osgood Worker file. The third argument is a function for configuring the route's policy.</p> <p>Within the policy configuration functions we specify which URLs can be requested. These can be configured by calling methods like this: <code>policy.outboundHttp.allowMETHOD(urlPattern)</code>. The <code>urlPattern</code> uses the <code>glob</code> syntax.</p> <blockquote> <p>Note: This API is described in much more detail in our <a href="https://github.com/IntrinsicLabs/osgood/wiki/Osgood-Application-File#route-pattern">API Documentation</a>.</p> </blockquote> <p>This is what an Osgood Application file might look like for our CouchDB application:<br> </p> <div class="highlight"><pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="kr">interface</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">0.0.0.0</span><span class="dl">'</span><span class="p">;</span> <span class="nx">app</span><span class="p">.</span><span class="nx">port</span> <span class="o">=</span> <span class="mi">8000</span><span class="p">;</span> <span class="nx">app</span><span class="p">.</span><span class="kd">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">list.js</span><span class="dl">'</span><span class="p">,</span> <span class="nx">policy</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">policy</span><span class="p">.</span><span class="nx">outboundHttp</span><span class="p">.</span><span class="nx">allowGet</span><span class="p">(</span><span class="dl">'</span><span class="s1">http://localhost:5984/users/_all_docs</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="kd">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users/:user_id</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">view.js</span><span class="dl">'</span><span class="p">,</span> <span class="nx">policy</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">policy</span><span class="p">.</span><span class="nx">outboundHttp</span><span class="p">.</span><span class="nx">allowGet</span><span class="p">(</span><span class="dl">'</span><span class="s1">http://localhost:5984/users/*</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="k">delete</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users/:user_id</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">delete.js</span><span class="dl">'</span><span class="p">,</span> <span class="nx">policy</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">policy</span><span class="p">.</span><span class="nx">outboundHttp</span><span class="p">.</span><span class="nx">allowGet</span><span class="p">(</span><span class="dl">'</span><span class="s1">http://localhost:5984/users/*</span><span class="dl">'</span><span class="p">);</span> <span class="nx">policy</span><span class="p">.</span><span class="nx">outboundHttp</span><span class="p">.</span><span class="nx">allowDelete</span><span class="p">(</span><span class="dl">'</span><span class="s1">http://localhost:5984/users/*</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nx">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">create.js</span><span class="dl">'</span><span class="p">,</span> <span class="nx">policy</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">policy</span><span class="p">.</span><span class="nx">outboundHttp</span><span class="p">.</span><span class="nx">allowPost</span><span class="p">(</span><span class="dl">'</span><span class="s1">http://localhost:5984/users</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nx">put</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users/:user_id</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">update.js</span><span class="dl">'</span><span class="p">,</span> <span class="nx">policy</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">policy</span><span class="p">.</span><span class="nx">outboundHttp</span><span class="p">.</span><span class="nx">allowPut</span><span class="p">(</span><span class="dl">'</span><span class="s1">http://localhost:5984/users/*</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> </code></pre></div> <p>We've now described all of the capabilities and have fully configured our application within a single file. With this configuration our application would <em>not</em> be able to, say, send an HTTP request to <code>http://evil.co</code>, nor would the <code>GET /users</code> route be able to perform a <code>DELETE</code> operation against the <code>users</code> collection in CouchDB.</p> <p>Describing the capabilities up front is beneficial for two reasons. The straightforward reason is that it is secure. A side-effect is that application code is now <em>much</em> easier to audit. Imagine how quick those tedious GDPR audits could be if you had this list of I/O available for all your other apps.</p> <h2> Create User Worker: <code>create.js</code> </h2> <p>Our application has five operations that it can perform. In this post we'll only look at one of them: the creation of users (if you'd like to see the other examples checkout the <a href="https://github.com/IntrinsicLabs/osgood/tree/master/examples/couchdb-rest">sample application</a> on GitHub).</p> <p>This route will accept an incoming POST request, convert the body into JSON, perform some minimal validation, then pass the data to CouchDB (along with auth credentials). It'll then relay information to the client based on whether or not the operation succeeds.<br> </p> <div class="highlight"><pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">AUTH</span> <span class="o">=</span> <span class="s2">`Basic </span><span class="p">${</span><span class="nx">btoa</span><span class="p">(</span><span class="dl">'</span><span class="s1">osgood_admin:hunter12</span><span class="dl">'</span><span class="p">)}</span><span class="s2">`</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="p">(</span><span class="nx">request</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">request</span><span class="p">.</span><span class="nx">json</span><span class="p">();</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">json</span><span class="p">({</span><span class="dl">"</span><span class="s2">error</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">CANNOT_PARSE_REQUEST</span><span class="dl">"</span><span class="p">},</span> <span class="mi">400</span><span class="p">);</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span> <span class="o">||</span> <span class="nx">user</span><span class="p">.</span><span class="nx">_id</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">json</span><span class="p">({</span><span class="dl">"</span><span class="s2">error</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">CANNOT_OVERRIDE_ID</span><span class="dl">"</span><span class="p">},</span> <span class="mi">400</span><span class="p">);</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">.</span><span class="nx">username</span> <span class="o">||</span> <span class="k">typeof</span> <span class="nx">user</span><span class="p">.</span><span class="nx">username</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span> <span class="o">||</span> <span class="nx">user</span><span class="p">.</span><span class="nx">username</span><span class="p">.</span><span class="nx">length</span> <span class="o">&lt;</span> <span class="mi">3</span> <span class="o">||</span> <span class="nx">user</span><span class="p">.</span><span class="nx">username</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">20</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">json</span><span class="p">({</span><span class="dl">"</span><span class="s2">error</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">USERNAME_INVALID</span><span class="dl">"</span><span class="p">},</span> <span class="mi">400</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">fetch</span><span class="p">(</span><span class="s2">`http://localhost:5984/users`</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="na">Authorization</span><span class="p">:</span> <span class="nx">AUTH</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nx">stringify</span><span class="p">(</span><span class="nx">user</span><span class="p">)</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">obj</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">json</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="nx">obj</span><span class="p">.</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">json</span><span class="p">({</span><span class="dl">"</span><span class="s2">error</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">UNABLE_TO_INSERT</span><span class="dl">"</span><span class="p">},</span> <span class="mi">500</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">json</span><span class="p">({</span><span class="na">ok</span><span class="p">:</span> <span class="kc">true</span><span class="p">});</span> <span class="p">}</span> <span class="kd">function</span> <span class="nx">json</span><span class="p">(</span><span class="nx">obj</span><span class="p">,</span> <span class="nx">status</span> <span class="o">=</span> <span class="mi">200</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">headers</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">Headers</span><span class="p">({</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">body</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nx">stringify</span><span class="p">(</span><span class="nx">obj</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">Response</span><span class="p">(</span><span class="nx">body</span><span class="p">,</span> <span class="p">{</span> <span class="nx">headers</span><span class="p">,</span> <span class="nx">status</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">response</span><span class="p">;</span> <span class="p">}</span> </code></pre></div> <p>If you've ever worked with Service Workers, Lambda Functions, or Express.js controllers then this code might look familiar. The file exports a single default function which accepts <code>request</code> and <code>context</code> arguments. The <code>request</code> argument is an instance of the <a href="https://developer.mozilla.org/en-US/docs/Web/API/Request">Request</a> object available in modern browsers. The <code>context</code> argument has some additional niceties that we don't need for this particular example. The function itself can be an <code>async</code> function or otherwise return a promise. If the promise rejects Osgood will respond to the client with a <code>500</code> error. If it resolves a <code>string</code> or a simple object then Osgood will reply with a <code>200</code> and an appropriate Content Type. But, for fine grained control, a <a href="https://developer.mozilla.org/en-US/docs/Web/API/Response">Response</a> object can be returned which allows for manually setting the HTTP status code and other headers.</p> <h2> Running Osgood </h2> <p>To run Osgood, first <a href="https://github.com/IntrinsicLabs/osgood/releases">download a release</a> for your platform. Once that's done extract the <code>osgood</code> binary somewhere, ideally in your <code>$PATH</code>.</p> <p>Then, download the six files for this project (<code>app.js</code>, <code>list.js</code>, <code>create.js</code>, <code>delete.js</code>, <code>update.js</code>, <code>view.js</code>). Finally, run this command:<br> </p> <div class="highlight"><pre class="highlight shell"><code><span class="nv">$ </span>osgood app.js </code></pre></div> <p>This will start the Osgood Application and route requests to the five Osgood Workers. Of course, the service won't be too useful without a CouchDB instance to talk to. The following commands will run CouchDB in a Docker container:<br> </p> <div class="highlight"><pre class="highlight shell"><code><span class="nv">$ </span>docker run <span class="se">\</span> <span class="nt">-e</span> <span class="nv">COUCHDB_USER</span><span class="o">=</span>osgood_admin <span class="se">\</span> <span class="nt">-e</span> <span class="nv">COUCHDB_PASSWORD</span><span class="o">=</span>hunter12 <span class="se">\</span> <span class="nt">-p</span> 5984:5984 <span class="se">\</span> <span class="nt">--name</span> osgood-couch <span class="se">\</span> <span class="nt">-d</span> couchdb <span class="nv">$ </span>curl <span class="se">\</span> <span class="nt">-X</span> PUT <span class="se">\</span> http://localhost:5984/users </code></pre></div> <p>After that we're ready to interact with the application. The next command will send a POST request to the Osgood Application and create our first user:<br> </p> <div class="highlight"><pre class="highlight shell"><code><span class="nv">$ </span>curl <span class="se">\</span> <span class="nt">-X</span> POST <span class="se">\</span> http://localhost:8000/users <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"username": "osgood"}'</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> </code></pre></div> <h2> More Information </h2> <p>Osgood is open source. It's written in Rust and runs JavaScript using the speedy V8 engine.</p> <p>The sourcecode is hosted on GitHub and is available at <a href="https://github.com/IntrinsicLabs/osgood">IntrinsicLabs/osgood</a>. Pull Requests welcome!</p> javascript security microservices Hosting a Static Site and Contact Form with Osgood Thomas Hunter II Wed, 17 Jul 2019 17:51:06 +0000 https://forem.com/tlhunter/hosting-a-static-site-and-contact-form-with-osgood-5c1g https://forem.com/tlhunter/hosting-a-static-site-and-contact-form-with-osgood-5c1g <p>Our newly released project, <a href="https://github.com/IntrinsicLabs/osgood">Osgood</a>, is a tool for building HTTP applications that run JavaScript on the server. It has an emphasis on security and by default enforces isolation between the different routes.</p> <p>One of the features we added is the ability to serve static content. In this post we'll show how easy it is to build a website which is almost entirely static but does require some server-side logic, in this case a contact form.</p> <p>This application will make use of <a href="https://www.mailgun.com/">Mailgun</a> to send email. Note that we're using the demo Mailgun API key and a demo URL—if you want to adapt this application for your own use you'll need to create an account and use real credentials.</p> <h2> Application File (app.js) </h2> <p>This file handles global configuration of Osgood, how to route requests, and the policies of the different routes. Every application requires an application file.<br> </p> <div class="highlight"><pre class="highlight javascript"><code><span class="cp">#!/usr/bin/env osgood </span> <span class="nx">app</span><span class="p">.</span><span class="nx">port</span> <span class="o">=</span> <span class="mi">3000</span><span class="p">;</span> <span class="nx">app</span><span class="p">.</span><span class="nx">route</span><span class="p">(</span><span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/contact</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">contact.js</span><span class="dl">'</span><span class="p">,</span> <span class="nx">policy</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Mailgun demo URL</span> <span class="nx">policy</span><span class="p">.</span><span class="nx">outboundHttp</span><span class="p">.</span><span class="nx">allowPost</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://api.mailgun.net/v3/samples.mailgun.org/messages</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="c1">// GET requests beginning with / will map to the ./static directory</span> <span class="nx">app</span><span class="p">.</span><span class="kd">static</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">./static</span><span class="dl">'</span><span class="p">);</span> </code></pre></div> <p>This file specifies two different routes. The first one is rather specific and captures POST requests made to the <code>/contact</code> endpoint. When these requests are made it will trigger the <code>contact.js</code> worker file. Based on the policy configuration that route will only be allowed to make a POST request to the specified Mailgun endpoint. Any other attempts at making I/O requests, such as making a GET request to the GitHub API, would fail.</p> <p>The other route is for static content. Any other request (i.e. <code>GET</code> requests beginning with <code>/</code>, aka not <code>POST /contact</code>) will translate into a lookup in the <code>./static</code> directory. Osgood defaults to serving a file named <code>index.html</code> when a request to a directory has been made.</p> <h2> Worker File (contact.js) </h2> <p>This worker file will handle the only route defined by our application which isn't related to serving static content.</p> <p>Osgood workers work by exporting a default function, usually with the <code>async</code> keyword. The value returned from this function will be used to determine the response for this particular HTTP request.</p> <p>This function can essentially be thought of as a controller for your application. Within this function we perform a lot of validation logic. Once we're satisfied we generate an instance of the <a href="https://developer.mozilla.org/en-US/docs/Web/API/FormData">FormData</a> class. Once the instance has the necessary values attached we can send the data along to Mailgun by making a <code>fetch</code> request. (The APIs available should look pretty familiar if you're used to writing JavaScript that runs in a web browser.)</p> <p>Finally, once the request has been sent, we notify the user that their email has been successfully delivered.<br> </p> <div class="highlight"><pre class="highlight javascript"><code><span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="p">(</span><span class="nx">request</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">req</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">request</span><span class="p">.</span><span class="nx">json</span><span class="p">();</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">json</span><span class="p">({</span><span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">CANNOT_PARSE</span><span class="dl">'</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Invalid JSON Payload Provided</span><span class="dl">"</span><span class="p">},</span> <span class="mi">400</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">email</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">FormData</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="dl">'</span><span class="s1">email</span><span class="dl">'</span> <span class="k">in</span> <span class="nx">req</span><span class="p">)</span> <span class="o">||</span> <span class="o">!</span><span class="p">(</span><span class="dl">'</span><span class="s1">name</span><span class="dl">'</span> <span class="k">in</span> <span class="nx">req</span><span class="p">)</span> <span class="o">||</span> <span class="o">!</span><span class="p">(</span><span class="dl">'</span><span class="s1">message</span><span class="dl">'</span> <span class="k">in</span> <span class="nx">req</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">json</span><span class="p">({</span><span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">MISSING_FIELDS</span><span class="dl">'</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Invalid JSON Payload Provided</span><span class="dl">"</span><span class="p">},</span> <span class="mi">400</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="k">typeof</span> <span class="nx">req</span><span class="p">.</span><span class="nx">email</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span> <span class="o">||</span> <span class="k">typeof</span> <span class="nx">req</span><span class="p">.</span><span class="nx">name</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span> <span class="o">||</span> <span class="k">typeof</span> <span class="nx">req</span><span class="p">.</span><span class="nx">message</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">json</span><span class="p">({</span><span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">INVALID_FIELD_TYPES</span><span class="dl">'</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Invalid JSON Payload Provided</span><span class="dl">"</span><span class="p">},</span> <span class="mi">400</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">req</span><span class="p">.</span><span class="nx">name</span> <span class="o">||</span> <span class="o">!</span><span class="nx">req</span><span class="p">.</span><span class="nx">email</span> <span class="o">||</span> <span class="o">!</span><span class="nx">req</span><span class="p">.</span><span class="nx">message</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">json</span><span class="p">({</span><span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">EMPTY_VALUE</span><span class="dl">'</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Please supply all fields</span><span class="dl">"</span><span class="p">},</span> <span class="mi">400</span><span class="p">);</span> <span class="p">}</span> <span class="nx">email</span><span class="p">.</span><span class="nx">append</span><span class="p">(</span><span class="dl">'</span><span class="s1">from</span><span class="dl">'</span><span class="p">,</span> <span class="s2">`</span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">name</span><span class="p">}</span><span class="s2"> &lt;</span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">email</span><span class="p">}</span><span class="s2">&gt;`</span><span class="p">);</span> <span class="nx">email</span><span class="p">.</span><span class="nx">append</span><span class="p">(</span><span class="dl">'</span><span class="s1">to</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">spam@intrinsic.com</span><span class="dl">'</span><span class="p">);</span> <span class="nx">email</span><span class="p">.</span><span class="nx">append</span><span class="p">(</span><span class="dl">'</span><span class="s1">subject</span><span class="dl">'</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Contact form email</span><span class="dl">"</span><span class="p">);</span> <span class="nx">email</span><span class="p">.</span><span class="nx">append</span><span class="p">(</span><span class="dl">'</span><span class="s1">text</span><span class="dl">'</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nx">message</span><span class="p">);</span> <span class="k">try</span> <span class="p">{</span> <span class="c1">// Mailgun demo URL</span> <span class="k">await</span> <span class="nx">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://api.mailgun.net/v3/samples.mailgun.org/messages</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="k">new</span> <span class="nx">Headers</span><span class="p">({</span> <span class="c1">// Mailgun demo key</span> <span class="na">Authorization</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Basic </span><span class="dl">'</span> <span class="o">+</span> <span class="nx">btoa</span><span class="p">(</span><span class="dl">'</span><span class="s1">api:key-3ax6xnjp29jd6fds4gc373sgvjxteol0</span><span class="dl">'</span><span class="p">)</span> <span class="p">}),</span> <span class="na">body</span><span class="p">:</span> <span class="nx">email</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">json</span><span class="p">({</span><span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">CANNOT_SEND</span><span class="dl">'</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Cannot parse provided JSON</span><span class="dl">"</span><span class="p">},</span> <span class="mi">500</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">json</span><span class="p">({</span><span class="na">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Email has been sent</span><span class="dl">"</span><span class="p">});</span> <span class="p">}</span> <span class="c1">// helper for setting status code</span> <span class="kd">function</span> <span class="nx">json</span><span class="p">(</span><span class="nx">obj</span><span class="p">,</span> <span class="nx">status</span> <span class="o">=</span> <span class="mi">200</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">headers</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">Headers</span><span class="p">({</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">body</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nx">stringify</span><span class="p">(</span><span class="nx">obj</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">Response</span><span class="p">(</span><span class="nx">body</span><span class="p">,</span> <span class="p">{</span> <span class="nx">headers</span><span class="p">,</span> <span class="nx">status</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">response</span><span class="p">;</span> <span class="p">}</span> </code></pre></div> <h2> Running the Project </h2> <p>Our project has the following hierarchy of files to support this application:</p> <ul> <li> <code>static/</code> <ul> <li><code>scripts/</code></li> <li><code>contact.js</code></li> <li><code>styles/</code></li> <li><code>main.css</code></li> <li><code>index.html</code></li> </ul> </li> <li><code>app.js</code></li> <li><code>contact.js</code></li> </ul> <p>We then run the application by executing the following command:<br> </p> <div class="highlight"><pre class="highlight shell"><code><span class="nv">$ </span>osgood app.js </code></pre></div> <p>After that the application can be seen by visiting <code>http://localhost:3000</code>.</p> <p>The files used in this example can be downloaded here: <a href="https://github.com/IntrinsicLabs/osgood/tree/master/examples/contact">osgood/examples/contact</a></p> <p>You'll also need to install a recent <a href="https://github.com/IntrinsicLabs/osgood/releases">Osgood Release</a> to run the example.</p> <p>Checkout the next post in this series, <a href="https://dev.to/tlhunter/osgood-and-couchdb-125k">Osgood and CouchDB</a>.</p> javascript webdev Introducing Osgood Thomas Hunter II Mon, 15 Jul 2019 18:22:52 +0000 https://forem.com/tlhunter/introducing-osgood-4k1m https://forem.com/tlhunter/introducing-osgood-4k1m <p>Services written today share a common flaw: Being over-privileged. Node.js applications, for example, are capable of executing child processes, sending network requests, writing to the filesystem, and sending signals to other processes. A typical application requires a small subset of these features, and as <a href="https://medium.com/intrinsic/common-node-js-attack-vectors-the-dangers-of-malicious-modules-863ae949e7e8" rel="noopener noreferrer">malicious modules</a> gain in popularity, the risk of these often-unnecessary features being abused only increases.</p> <p>At <a href="https://intrinsic.com" rel="noopener noreferrer">Intrinsic</a>, we've spent years building a product which applies the <em>Principle of Least Privilege</em> to Node.js. Our core product allows our customers to provide a list of policies describing what the application is capable of doing. This includes things like which binaries can be executed, how the filesystem can be interacted with, and what URLs the application can request. If an I/O operation hasn't been whitelisted, then it fails.</p> <p>Recently we asked ourselves: if a new platform was designed for building middleware / microservices, one which followed the <em>Principle of Least Privilege</em>, and provided enough functionality to securely replace the most common microservice use-cases, what would such a system look like?</p> <p><a href="https://github.com/IntrinsicLabs/osgood" rel="noopener noreferrer">Osgood</a> became our attempt to build such a platform. However, we didn't want such a tool to be completely unfamiliar to developers. So, we reached for a pile of technology already familiar to many.</p> <p>The platform is built using Rust, a language heralded for its safety, and JavaScript is run in V8, a ridiculously fast JavaScript engine.</p> <h2> How does it work? </h2> <p>Osgood is available as a statically-linked binary that can be downloaded for Linux and MacOS. The binary can then be called with a path to a JavaScript application defining high level configuration, how to route incoming requests to different Osgood workers, and the security policies required by each worker.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fp9raiah7dr5s723gclo7.gif" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fp9raiah7dr5s723gclo7.gif" alt="Osgood Screencast"></a></p> <p>The binary can easily be run on a laptop for doing local development. Once the application is ready, the code, as well as the Osgood binary, can be uploaded to a production server.</p> <p>Osgood is generally useful in situations where logic needs to be performed on a server, or some sort of secret needs to be kept from a client, or when the only required outbound I/O is via HTTP requests.</p> <p>Osgood provides the necessary APIs to intuitively build CRUD applications backed with technologies like <a href="https://couchdb.apache.org/" rel="noopener noreferrer">CouchDB</a> or <a href="https://www.elastic.co/products/elasticsearch" rel="noopener noreferrer">Elasticsearch</a>. Clients such as mobile apps and web browsers typically shouldn't be given unfettered access to a database, both for security purposes as well as preventing tight coupling. Using Osgood to maintain database credentials is a more secure approach, and transforming data into a common format helps avoid vendor lock-in.</p> <p>Another use-case is providing an HTTP facade in front of existing backend API services. For example, if a mobile application wants to access data from two internal services, Osgood can make the two calls on behalf of the client and transform the resulting data. This also makes Osgood feasible as a GraphQL API.</p> <h2> Guiding Principles </h2> <p>A few principles helped guide us while designing Osgood. Since we're a security company it's very important that the platform be <strong>secure</strong>. Nobody is going to want to use Osgood if it's slower than other technologies, so it needs to be <strong>fast</strong>. And finally, we wanted to bring the <em>Principle of Least Privilege</em> into the hands of more programmers. This required us to make such an implementation extremely <strong>simple</strong>.</p> <h3> Osgood Applications are Secure </h3> <p>Policies are defined within Osgood Application files using JavaScript functions. These functions use the same syntax as the <a href="https://intrinsic.com/docs/latest/policy-outbound-http.html" rel="noopener noreferrer">Intrinsic for Node.js</a> HTTP policies.</p> <p>Here's an example of a policy file which is able to interact with a few select GitHub APIs, as well as a CouchDB database:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// app.js</span> <span class="c1">// global configuration</span> <span class="nx">app</span><span class="p">.</span><span class="kr">interface</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">0.0.0.0</span><span class="dl">'</span><span class="p">;</span> <span class="nx">app</span><span class="p">.</span><span class="nx">port</span> <span class="o">=</span> <span class="mi">3000</span><span class="p">;</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/user/:username</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">./worker.js</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">policy</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">policy</span><span class="p">.</span><span class="nx">outboundHttp</span><span class="p">.</span><span class="nf">allowGet</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://api.github.com/users/*/gists</span><span class="dl">'</span><span class="p">);</span> <span class="nx">policy</span><span class="p">.</span><span class="nx">outboundHttp</span><span class="p">.</span><span class="nf">allowGet</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://api.github.com/users/*/repos</span><span class="dl">'</span><span class="p">);</span> <span class="nx">policy</span><span class="p">.</span><span class="nx">outboundHttp</span><span class="p">.</span><span class="nf">allowGet</span><span class="p">(</span><span class="dl">'</span><span class="s1">http://couchdb.local:5984/users/*</span><span class="dl">'</span><span class="p">);</span> <span class="nx">policy</span><span class="p">.</span><span class="nx">outboundHttp</span><span class="p">.</span><span class="nf">allowPut</span><span class="p">(</span><span class="dl">'</span><span class="s1">http://couchdb.local:5984/users/*</span><span class="dl">'</span><span class="p">);</span> <span class="nx">policy</span><span class="p">.</span><span class="nx">outboundHttp</span><span class="p">.</span><span class="nf">allowPost</span><span class="p">(</span><span class="dl">'</span><span class="s1">http://couchdb.local:5984/users</span><span class="dl">'</span><span class="p">);</span> <span class="nx">policy</span><span class="p">.</span><span class="nx">outboundHttp</span><span class="p">.</span><span class="nf">allowDelete</span><span class="p">(</span><span class="dl">'</span><span class="s1">http://couchdb.local:5984/users/*</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>Many backend databases expose functionality via HTTP-based APIs—think CouchDB and Elasticsearch. Many third-party services expose their APIs via HTTP as well—such as GitHub and Stripe. Needless to say a <em>lot</em> of these middle-layer microservices can be built by exclusively communicating via HTTP.</p> <h3> Osgood is Fast </h3> <p>With a simple <code>Hello, World!</code> benchmark, Osgood is able to serve around 40k requests per second.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ wrk -c 100 -d 60 http://localhost:3000/hello Running 1m test @ http://localhost:3000/hello 2 threads and 100 connections Thread Stats Avg Stdev Max +/- Stdev Latency 4.61ms 13.36ms 219.02ms 97.42% Req/Sec 20.36k 3.17k 25.04k 91.00% 2422992 requests in 1.00m, 265.74MB read Requests/sec: 40360.32 Transfer/sec: 4.43MB </code></pre> </div> <h3> Osgood is Simple </h3> <p>Osgood is available as a single statically-linked binary about 20MB in size. The only required argument for executing the binary is a single JavaScript file.</p> <p>Let's take a look at a sample Osgood Application. This application represents a common task amongst microservices. The application accepts an input value in the request, makes multiple outbound HTTP requests using the value, transforms the resulting data in some manner, and responds with the combined dataset. This is the API facade pattern and is frequently used to reduce requests made by a client.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// worker.js</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async </span><span class="p">(</span><span class="nx">_request</span><span class="p">,</span> <span class="nx">context</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">username</span> <span class="o">=</span> <span class="nx">context</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">username</span><span class="p">;</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">gists_res</span><span class="p">,</span> <span class="nx">repos_res</span><span class="p">]</span> <span class="o">=</span> <span class="k">await</span> <span class="nb">Promise</span><span class="p">.</span><span class="nf">all</span><span class="p">([</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`https://api.github.com/users/</span><span class="p">${</span><span class="nx">username</span><span class="p">}</span><span class="s2">/gists`</span><span class="p">),</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`https://api.github.com/users/</span><span class="p">${</span><span class="nx">username</span><span class="p">}</span><span class="s2">/repos`</span><span class="p">),</span> <span class="p">]);</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">gists</span><span class="p">,</span> <span class="nx">repos</span><span class="p">]</span> <span class="o">=</span> <span class="k">await</span> <span class="nb">Promise</span><span class="p">.</span><span class="nf">all</span><span class="p">([</span> <span class="nx">gists_res</span><span class="p">.</span><span class="nf">json</span><span class="p">(),</span> <span class="nx">repos_res</span><span class="p">.</span><span class="nf">json</span><span class="p">(),</span> <span class="p">]);</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">username</span><span class="p">,</span> <span class="nx">gists</span><span class="p">,</span> <span class="nx">repos</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>Once you <a href="https://github.com/IntrinsicLabs/osgood/releases" rel="noopener noreferrer">download a release</a> you can then run this Osgood Application using the following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>osgood app.js </code></pre> </div> <p>In our next post we'll look at <a href="https://dev.to/tlhunter/hosting-a-static-site-and-contact-form-with-osgood-5c1g">Hosting a Static Site and Contact Form with Osgood</a>.</p> javascript opensource node security