Forem: Yukti Sahu The latest articles on Forem by Yukti Sahu (@yuktisays). https://forem.com/yuktisays https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3251204%2Fcd38b3c8-54d2-41bf-bb2d-b7c814854080.jpeg Forem: Yukti Sahu https://forem.com/yuktisays en Learn all the operators with where clause in SQL Yukti Sahu Thu, 08 Jan 2026 04:55:32 +0000 https://forem.com/yuktisays/learn-all-the-operators-with-where-clause-in-sql-478h https://forem.com/yuktisays/learn-all-the-operators-with-where-clause-in-sql-478h <div class="ltag__link"> <a href="/yuktisays" class="ltag__link__link"> <div class="ltag__link__pic"> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3251204%2Fcd38b3c8-54d2-41bf-bb2d-b7c814854080.jpeg" alt="yuktisays"> </div> </a> <a href="https://dev.to/yuktisays/sql-where-clause-i-thought-i-knew-it-until-it-asked-me-about-like-1jha" class="ltag__link__link"> <div class="ltag__link__content"> <h2>SQL WHERE Clause: I Thought I Knew It… Until It Asked Me About LIKE 😭</h2> <h3>Yukti Sahu ・ Jan 8</h3> <div class="ltag__link__taglist"> <span class="ltag__link__tag">#beginners</span> <span class="ltag__link__tag">#webdev</span> <span class="ltag__link__tag">#programming</span> <span class="ltag__link__tag">#sql</span> </div> </div> </a> </div> beginners webdev programming sql SQL WHERE Clause: I Thought I Knew It… Until It Asked Me About LIKE 😭 Yukti Sahu Thu, 08 Jan 2026 04:54:03 +0000 https://forem.com/yuktisays/sql-where-clause-i-thought-i-knew-it-until-it-asked-me-about-like-1jha https://forem.com/yuktisays/sql-where-clause-i-thought-i-knew-it-until-it-asked-me-about-like-1jha <p>Back in college vivas, I used to think I knew the SQL WHERE clause pretty well.</p> <p>I knew we use it to filter records, I remembered operators like =, &lt;, &gt;, and with that, my confidence was sorted.</p> <p>But then someone would casually ask,</p> <blockquote> <p>"Okay, explain LIKE or BETWEEN with proper syntax."</p> </blockquote> <p>I knew the theory part. I knew what they do.</p> <p>But when it came to writing the actual query, I'd mess up the syntax or forget small details.</p> <p>So recently, I finally decided to clear this once and for all. I watched a good YouTube explanation, revised everything properly, and now I'm summarizing the entire WHERE clause world here — mainly for revision and future reference.</p> <p>If you skim this article, you should get a clear picture of:</p> <ul> <li>what each WHERE operator does</li> <li>when to use it</li> <li>and how the syntax actually looks in real queries</li> </ul> <p>Let's break it down in a simple, practical way.</p> <p>Let's go.</p> <h2> What is the WHERE Clause ? </h2> <p>The WHERE clause is basically SQL's filter button.</p> <p>You don't want all rows. You want specific rows.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">students</span><span class="p">;</span> </code></pre> </div> <p>This brings everyone.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">students</span> <span class="k">WHERE</span> <span class="n">marks</span> <span class="o">&gt;</span> <span class="mi">80</span><span class="p">;</span> </code></pre> </div> <p>This brings only the smart kids.</p> <p>That's it. That's the purpose.</p> <h2> Big Picture: WHERE Operators (Mental Map) </h2> <p>Think of WHERE operators in 5 categories:</p> <ol> <li> <strong>Comparison Operators</strong> – compare values</li> <li> <strong>Logical Operators</strong> – combine conditions</li> <li> <strong>Range Operator</strong> – between two values</li> <li> <strong>Membership Operator</strong> – check from a list</li> <li> <strong>Search Operator</strong> – pattern matching</li> </ol> <p>Now let's break them one by one.</p> <h2> Comparison Operators (The Ones Everyone Knows… Mostly) </h2> <p>These compare one value with another.</p> <h3> Operators </h3> <ul> <li> <code>=</code> → equal</li> <li> <code>!=</code> or <code>&lt;&gt;</code> → not equal</li> <li> <code>&gt;</code> → greater than</li> <li> <code>&lt;</code> → less than</li> <li> <code>&gt;=</code> → greater than or equal</li> <li> <code>&lt;=</code> → less than or equal</li> </ul> <h3> Syntax </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">columns</span> <span class="k">FROM</span> <span class="k">table</span> <span class="k">WHERE</span> <span class="n">condition</span><span class="p">;</span> </code></pre> </div> <h3> Examples </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">students</span> <span class="k">WHERE</span> <span class="n">age</span> <span class="o">=</span> <span class="mi">20</span><span class="p">;</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">students</span> <span class="k">WHERE</span> <span class="n">marks</span> <span class="o">&gt;</span> <span class="mi">75</span><span class="p">;</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">employees</span> <span class="k">WHERE</span> <span class="n">salary</span> <span class="o">&lt;=</span> <span class="mi">30000</span><span class="p">;</span> </code></pre> </div> <p>Nothing scary here. This is the confidence booster part.</p> <h2> Logical Operators (Where Things Start Combining) </h2> <p>Logical operators are used when one condition is not enough.</p> <h3> Operators </h3> <ul> <li> <strong>AND</strong> → all conditions must be true</li> <li> <strong>OR</strong> → any one condition true</li> <li> <strong>NOT</strong> → reverse the condition</li> </ul> <h3> AND – Both Conditions Must Be True </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">students</span> <span class="k">WHERE</span> <span class="n">marks</span> <span class="o">&gt;</span> <span class="mi">80</span> <span class="k">AND</span> <span class="n">age</span> <span class="o">&lt;</span> <span class="mi">22</span><span class="p">;</span> </code></pre> </div> <p>Student must be smart AND young.</p> <h3> OR – Any One Condition Is Enough </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">students</span> <span class="k">WHERE</span> <span class="n">city</span> <span class="o">=</span> <span class="s1">'Delhi'</span> <span class="k">OR</span> <span class="n">city</span> <span class="o">=</span> <span class="s1">'Mumbai'</span><span class="p">;</span> </code></pre> </div> <p>Either Delhi or Mumbai. Chill.</p> <h3> NOT – The Opposite Game </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">students</span> <span class="k">WHERE</span> <span class="k">NOT</span> <span class="n">city</span> <span class="o">=</span> <span class="s1">'Delhi'</span><span class="p">;</span> </code></pre> </div> <p>Everyone except Delhi.</p> <h2> BETWEEN (The One I Always Knew… But Forgot Syntax) </h2> <p>BETWEEN is used for ranges.</p> <p><strong>Important Truth:</strong> BETWEEN includes both values.</p> <h3> Syntax </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">WHERE</span> <span class="k">column</span> <span class="k">BETWEEN</span> <span class="n">value1</span> <span class="k">AND</span> <span class="n">value2</span><span class="p">;</span> </code></pre> </div> <h3> Example </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">students</span> <span class="k">WHERE</span> <span class="n">marks</span> <span class="k">BETWEEN</span> <span class="mi">60</span> <span class="k">AND</span> <span class="mi">80</span><span class="p">;</span> </code></pre> </div> <p>Marks 60, 61, 62 … 80 all included.</p> <p>Equivalent to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">WHERE</span> <span class="n">marks</span> <span class="o">&gt;=</span> <span class="mi">60</span> <span class="k">AND</span> <span class="n">marks</span> <span class="o">&lt;=</span> <span class="mi">80</span><span class="p">;</span> </code></pre> </div> <p>But cleaner. Less typing. More peace.</p> <h2> IN / NOT IN (Cleaner Than Multiple ORs) </h2> <p>Instead of writing this monster:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">WHERE</span> <span class="n">city</span> <span class="o">=</span> <span class="s1">'Delhi'</span> <span class="k">OR</span> <span class="n">city</span> <span class="o">=</span> <span class="s1">'Mumbai'</span> <span class="k">OR</span> <span class="n">city</span> <span class="o">=</span> <span class="s1">'Pune'</span><span class="p">;</span> </code></pre> </div> <p>Use IN like a sane developer.</p> <h3> IN – Value Exists in a List </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">students</span> <span class="k">WHERE</span> <span class="n">city</span> <span class="k">IN</span> <span class="p">(</span><span class="s1">'Delhi'</span><span class="p">,</span> <span class="s1">'Mumbai'</span><span class="p">,</span> <span class="s1">'Pune'</span><span class="p">);</span> </code></pre> </div> <h3> NOT IN – Value NOT in the List </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">students</span> <span class="k">WHERE</span> <span class="n">city</span> <span class="k">NOT</span> <span class="k">IN</span> <span class="p">(</span><span class="s1">'Delhi'</span><span class="p">,</span> <span class="s1">'Mumbai'</span><span class="p">);</span> </code></pre> </div> <p>Everyone except these cities.</p> <p><strong>Pro tip:</strong> If you see multiple ORs → IN is waiting for you.</p> <h2> LIKE (The Syntax That Betrayed Me in Exams) </h2> <p>LIKE is used for pattern matching, mostly with strings.</p> <h3> Wildcards You MUST Remember </h3> <ul> <li> <code>%</code> → zero or more characters</li> <li> <code>_</code> → exactly one character</li> </ul> <h3> Syntax </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">WHERE</span> <span class="k">column</span> <span class="k">LIKE</span> <span class="n">pattern</span><span class="p">;</span> </code></pre> </div> <h3> Examples (Read Slowly) </h3> <h4> Starts with 'A' </h4> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">students</span> <span class="k">WHERE</span> <span class="n">name</span> <span class="k">LIKE</span> <span class="s1">'A%'</span><span class="p">;</span> </code></pre> </div> <p>Aanya, Aman, Akash</p> <h4> Ends with 'a' </h4> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">students</span> <span class="k">WHERE</span> <span class="n">name</span> <span class="k">LIKE</span> <span class="s1">'%a'</span><span class="p">;</span> </code></pre> </div> <p>Riya, Sanya, Neha</p> <h4> Contains 'an' </h4> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">students</span> <span class="k">WHERE</span> <span class="n">name</span> <span class="k">LIKE</span> <span class="s1">'%an%'</span><span class="p">;</span> </code></pre> </div> <p>Ananya, Sandeep</p> <h4> Exactly 4 Letters </h4> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">students</span> <span class="k">WHERE</span> <span class="n">name</span> <span class="k">LIKE</span> <span class="s1">'____'</span><span class="p">;</span> </code></pre> </div> <p>Four underscores = four characters.</p> <p>This is where most people mess up — not conceptually, but syntactically.</p> <h2> Final Mental Cheat Sheet </h2> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="k">table</span> <span class="k">WHERE</span> <span class="n">condition</span><span class="p">;</span> </code></pre> </div> <ul> <li> <strong>Compare</strong> → =, &gt;, &lt;, &gt;=, &lt;=</li> <li> <strong>Combine</strong> → AND, OR, NOT</li> <li> <strong>Range</strong> → BETWEEN x AND y</li> <li> <strong>List</strong> → IN (a, b, c)</li> <li> <strong>Pattern</strong> → LIKE '%text%'</li> </ul> <p>I genuinely thought I knew the WHERE clause.</p> <p>But knowing names of operators and knowing how to write them correctly are two very different things.</p> <p>This article is my revision note, my syntax reminder, and my future interview backup.</p> beginners webdev programming sql That CORS Error Isn’t a Bug — It’s Actually Protecting Your Web App Yukti Sahu Sat, 27 Dec 2025 05:37:40 +0000 https://forem.com/yuktisays/that-cors-error-isnt-a-bug-its-actually-protecting-your-web-app-378 https://forem.com/yuktisays/that-cors-error-isnt-a-bug-its-actually-protecting-your-web-app-378 <p>If you've worked with APIs in a web app, you've probably seen this error at least once:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Access to fetch has been blocked by CORS policy </code></pre> </div> <p>And honestly, it feels annoying.</p> <p>Your API URL is correct.<br><br> Your code looks fine.<br><br> But the browser just refuses to cooperate.</p> <p>At first, it feels like a bug or misconfiguration. But the truth is:<br><br> <strong>CORS is not an error — it's a security feature doing exactly what it's supposed to do.</strong></p> <p>In this article, let's understand CORS in simple words and see why it exists, what problems it solves, and why the browser behaves this way.</p> <h2> 1. Why CORS Exists in the First Place </h2> <p>To understand CORS, we need to imagine a situation without it.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb4j35z85w5952bj4xsys.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb4j35z85w5952bj4xsys.png" alt="diagram of the cors flow and explanations" width="800" height="457"></a><br> Suppose you are logged into:</p> <ul> <li><code>facebook.com</code></li> <li>or your bank website like <code>hdfc.com</code> </li> </ul> <p>Your browser stores cookies or tokens so you stay logged in.</p> <p>Now, in another tab, you open a random website — maybe a malicious one. That website also runs JavaScript.</p> <p>If there were no restrictions, that JavaScript could send requests like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">https://hdfc.com/api/balance</span><span class="dl">"</span><span class="p">)</span> </code></pre> </div> <p>Because the request is coming from your browser, your bank cookies would automatically be sent along.</p> <p>The bank server would think:<br><br> <em>"This request is from a logged-in user."</em></p> <p>And it might return sensitive data like your balance.</p> <p><strong>This is dangerous.</strong></p> <p>To prevent this, browsers enforce something called the <strong>Same-Origin Policy (SOP)</strong>:</p> <ul> <li>A website can only access data from the same origin by default.</li> </ul> <p><strong>CORS (Cross-Origin Resource Sharing)</strong> is a controlled way to relax this rule — but only when the server explicitly allows it.</p> <h2> 2. What Exactly is an "Origin"? </h2> <p>An origin is made of three things:</p> <ul> <li> <strong>Scheme</strong> → <code>http</code> or <code>https</code> </li> <li> <strong>Host</strong> → domain name</li> <li> <strong>Port</strong> → <code>80</code>, <code>443</code>, <code>5173</code>, etc.</li> </ul> <p>If any one of these changes, the origin is different.</p> <p><strong>Examples:</strong></p> <ul> <li> <code>https://yuktisahu.dev</code> ❌ <code>https://api.yuktisahu.dev</code> <em>(different host)</em> </li> <li> <code>https://yuktisahu.dev</code> ❌ <code>http://yuktisahu.dev</code> <em>(different scheme)</em> </li> <li> <code>http://localhost:5173</code> ❌ <code>http://localhost:8000</code> <em>(different port)</em> </li> <li> <code>/page1</code> and <code>/page2</code> on the same domain ✅ <em>(same origin — path doesn't matter)</em> </li> </ul> <p>This is important because browsers use this definition to decide whether a request is cross-origin or not.</p> <h2> 3. Why You Can't Fix CORS from the Frontend </h2> <p>This is one of the most confusing parts for beginners.</p> <p>You see the error in the browser console, so you try to fix it in your frontend code.</p> <p>But <strong>CORS is not controlled by frontend code.</strong></p> <p>Here's what actually happens:</p> <ol> <li>Your frontend sends a request to another origin</li> <li>The browser automatically adds an <code>Origin</code> header</li> <li>The server checks this <code>Origin</code> </li> <li>The server decides whether it trusts that origin</li> <li>If trusted, the server sends this header in response: <code>Access-Control-Allow-Origin: https://yuktisahu.dev</code> </li> <li>If this header is missing or doesn't match your origin: The browser blocks the response Your JavaScript code never gets access to it</li> </ol> <p>So even if the server does respond, the browser refuses to give that response to your code.</p> <p><strong>That's why CORS must be fixed on the server, not the frontend.</strong></p> <h2> 4. Why It Works in Postman but Not in the Browser </h2> <p>Another very common confusion:</p> <p><em>"The API works in Postman, so why does it fail in my web app?"</em></p> <p>Because <strong>CORS is a browser security rule, not a server rule.</strong></p> <p><strong>Postman:</strong></p> <ul> <li>Is not a browser</li> <li>Has no cookies from other websites</li> <li>Has no logged-in user sessions to protect</li> </ul> <p><strong>Browsers, on the other hand:</strong></p> <ul> <li>Run code from many websites at once</li> <li>Store cookies for sensitive sites</li> <li>Must protect users from data leaks</li> </ul> <p>So only browsers enforce CORS. Postman and curl don't need to.</p> <h2> 5. Cookies Make CORS Stricter </h2> <p>Sometimes your frontend needs to send cookies along with the request.</p> <p>In fetch, this looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nf">fetch</span><span class="p">(</span><span class="nx">url</span><span class="p">,</span> <span class="p">{</span> <span class="na">credentials</span><span class="p">:</span> <span class="dl">"</span><span class="s2">include</span><span class="dl">"</span> <span class="p">})</span> </code></pre> </div> <p>When you do this, the rules become stricter.</p> <p>Now the server cannot respond with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Access-Control-Allow-Origin: * </code></pre> </div> <p>Instead, it must explicitly say which origin is allowed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Access-Control-Allow-Origin: https://yuktisahu.dev Access-Control-Allow-Credentials: true </code></pre> </div> <p><strong>This is intentional.</strong></p> <p>If cookies are involved, the server must clearly trust one specific origin, not everyone.</p> <h2> 6. What is a Preflight Request? </h2> <p>Some requests are simple, like:</p> <ul> <li><code>GET</code></li> <li>basic <code>POST</code> </li> </ul> <p>Others are considered complex, such as:</p> <ul> <li> <code>PUT</code>, <code>PATCH</code>, <code>DELETE</code> </li> <li>requests with custom headers</li> <li>JSON content types</li> </ul> <p>For these, the browser sends an extra request first:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">OPTIONS /api </span></code></pre> </div> <p>This is called a <strong>preflight request</strong>.</p> <p>It's the browser asking:<br><br> <em>"Is it okay if I send this kind of request with these headers?"</em></p> <p>If the server responds with the right CORS headers, the browser sends the actual request.<br><br> If not, the browser blocks it completely.</p> <h2> Final Thoughts </h2> <p>CORS feels frustrating because it stops your code.</p> <p>But it exists to protect:</p> <ul> <li>logged-in users</li> <li>sensitive data</li> <li>browser security boundaries</li> </ul> <p>Once you understand that:</p> <ul> <li>CORS errors make more sense</li> <li>debugging becomes easier</li> <li>you know the fix is always on the server side</li> </ul> <p>So the next time you see a CORS error, instead of thinking <em>"something is broken"</em>, think:</p> <p><strong>"The browser is protecting users — and the server hasn't given permission yet."</strong></p> <p>That small mindset shift really helps.</p> programming webdev beginners tutorial 5 Surprising Truths About Your SQL SELECT Query (And Why They Matter) Yukti Sahu Sun, 14 Dec 2025 17:25:13 +0000 https://forem.com/yuktisays/5-surprising-truths-about-your-sql-select-query-and-why-they-matter-1fgn https://forem.com/yuktisays/5-surprising-truths-about-your-sql-select-query-and-why-they-matter-1fgn <p>If you're learning SQL, you likely started with a simple <code>SELECT</code> statement. You wrote <code>SELECT</code>, then <code>FROM</code>, then maybe a <code>WHERE</code> clause, and hit "execute." It's natural to assume the database reads and runs your code sequentially, just as you wrote it. This top-to-bottom logic seems intuitive, but it's an illusion.</p> <p>The truth is, the SQL database engine has a <strong>hidden, logical order of operations</strong> that is completely different from the order in which you write the clauses. This execution pipeline is one of the most fundamental concepts to grasp, as it dictates what you can and can't do in a query. Understanding it separates those who can write basic queries from those who can write <strong>powerful, efficient, and bug-free code</strong>.</p> <p>This article will reveal <strong>five counter-intuitive but crucial truths</strong> about how SQL queries actually work. By the end, you'll think more like the database itself, enabling you to build more sophisticated and accurate queries.</p> <h2> 1. Your Query Doesn't Run in the Order You Write It </h2> <p>The most significant surprise for beginners is that the coding order of an SQL query is <strong>not its execution order</strong>. The way we are required to structure the code for readability and syntax is completely different from the logical steps the database takes to produce the result.</p> <h3> Standard Coding Order: </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="p">...</span> <span class="k">FROM</span> <span class="p">...</span> <span class="k">WHERE</span> <span class="p">...</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="p">...</span> <span class="k">HAVING</span> <span class="p">...</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="p">...</span> </code></pre> </div> <h3> Actual Logical Execution Order: </h3> <ol> <li> <code>FROM</code> (Gets the source data)</li> <li> <code>WHERE</code> (Filters individual rows)</li> <li> <code>GROUP BY</code> (Aggregates rows into groups)</li> <li> <code>HAVING</code> (Filters the aggregated groups)</li> <li> <code>SELECT</code> (Selects the final columns, creates aliases, and handles DISTINCT)</li> <li> <code>ORDER BY</code> (Sorts the final result set)</li> <li> <code>TOP / LIMIT</code> (Restricts the number of rows returned)</li> </ol> <blockquote> <p>Notice how <code>SELECT</code>, which you write first, is one of the last things executed. This explains why you can't use a column alias created in the <code>SELECT</code> clause within a <code>WHERE</code> clause—the <code>WHERE</code> clause is processed long before the <code>SELECT</code> clause is evaluated.</p> </blockquote> <h2> 2. WHERE and HAVING Are Filters for Different Stages of Your Data </h2> <p>At first glance, <code>WHERE</code> and <code>HAVING</code> seem to do the same thing: filter rows. However, they operate at completely different points in the query's execution pipeline.</p> <ul> <li> <strong>WHERE</strong> filters <strong>individual rows</strong> from the source table <strong>before any grouping or aggregation</strong>. Think of it as a bouncer checking IDs at the door.</li> <li> <strong>HAVING</strong> filters <strong>groups of rows</strong> <strong>after aggregation</strong>. It's like security checking groups that have already formed inside.</li> </ul> <blockquote> <p>You cannot use aggregate functions like <code>SUM()</code>, <code>AVG()</code>, or <code>COUNT()</code> in a <code>WHERE</code> clause because aggregation hasn’t happened yet. Conversely, <code>HAVING</code> is almost always used with <code>GROUP BY</code>, as its purpose is to filter aggregated results.</p> </blockquote> <h2> 3. GROUP BY Doesn't Just Group—It Transforms Your Data </h2> <p>The <code>GROUP BY</code> clause does more than just sort or arrange your data—it fundamentally <strong>transforms it</strong>. It takes multiple rows that share the same value in a specified column and combines them into a <strong>single summary row</strong>.</p> <p><strong>Example:</strong></p> <p><strong>Before GROUP BY:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>first_name</th> <th>country</th> </tr> </thead> <tbody> <tr> <td>Maria</td> <td>Germany</td> </tr> <tr> <td>Martin</td> <td>Germany</td> </tr> <tr> <td>Joan</td> <td>USA</td> </tr> <tr> <td>Peter</td> <td>USA</td> </tr> <tr> <td>George</td> <td>UK</td> </tr> </tbody> </table></div> <p><strong>After <code>GROUP BY country</code>:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>country</th> </tr> </thead> <tbody> <tr> <td>Germany</td> </tr> <tr> <td>USA</td> </tr> <tr> <td>UK</td> </tr> </tbody> </table></div> <blockquote> <p>Rule: Any column in your <code>SELECT</code> list must either be part of an aggregate function (<code>SUM(score)</code>, <code>COUNT(customer_id)</code>) or be listed in the <code>GROUP BY</code> clause. Otherwise, the database will throw an error because it doesn't know which value to pick for the collapsed group.</p> </blockquote> <h2> 4. You Can Build Powerful Ranked Reports with TOP and ORDER BY </h2> <p>The <code>TOP</code> clause (or <code>LIMIT</code> in other SQL dialects) is often used to get a sample of rows. Its true power is unlocked when combined with <code>ORDER BY</code>. Together, they create <strong>ranked reports</strong> and allow <strong>top-N analysis</strong>.</p> <p><strong>Examples:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Top 3 customers with highest scores</span> <span class="k">SELECT</span> <span class="n">TOP</span> <span class="mi">3</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">customers</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">score</span> <span class="k">DESC</span><span class="p">;</span> <span class="c1">-- Lowest 2 customers</span> <span class="k">SELECT</span> <span class="n">TOP</span> <span class="mi">2</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">customers</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">score</span> <span class="k">ASC</span><span class="p">;</span> <span class="c1">-- Two most recent orders</span> <span class="k">SELECT</span> <span class="n">TOP</span> <span class="mi">2</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">orders</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">order_date</span> <span class="k">DESC</span><span class="p">;</span> </code></pre> </div> <blockquote> <p>Sorting with <code>ORDER BY</code> before using <code>TOP</code> ensures precise control over which rows you retrieve.</p> </blockquote> <h2> 5. DISTINCT Is an "Expensive" Tool—Use It Wisely </h2> <p><code>DISTINCT</code> removes duplicate rows from a result set. For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="k">DISTINCT</span> <span class="n">country</span> <span class="k">FROM</span> <span class="n">customers</span><span class="p">;</span> </code></pre> </div> <p>While useful, <code>DISTINCT</code> can be <strong>computationally expensive</strong>, because the database often needs to perform a full sort or hash of the result set.</p> <p><strong>Best practices:</strong></p> <ul> <li>Use <code>DISTINCT</code> <strong>only when necessary</strong>.</li> <li>Avoid using it on columns that are already unique (like primary keys).</li> <li>Redundant use adds unnecessary processing overhead, slowing down queries.</li> </ul> <h2> Conclusion: Thinking Like the Database </h2> <p>Becoming an effective SQL practitioner isn’t just about memorizing syntax—it’s about understanding <strong>how the database interprets your commands</strong>.</p> <p>By internalizing these truths—realizing that <code>SELECT</code> runs almost last, or that <code>WHERE</code> filters raw rows while <code>HAVING</code> filters aggregated groups—you move beyond just writing queries. You start to <strong>anticipate how the database processes your request</strong>, allowing you to craft more efficient, accurate, and powerful SQL queries.</p> <blockquote> <p>Which of these concepts will change the way you write SQL the most?</p> </blockquote> tutorial beginners sql database REST API Design: A Comprehensive Guide Yukti Sahu Thu, 04 Dec 2025 08:21:02 +0000 https://forem.com/yuktisays/rest-api-design-a-comprehensive-guide-5719 https://forem.com/yuktisays/rest-api-design-a-comprehensive-guide-5719 <h2> The Origin Story </h2> <p>REST (Representational State Transfer) was introduced by Roy Fielding in his doctoral dissertation in 2000, building upon the foundational work of Tim Berners-Lee who started the World Wide Web. The web was built on fundamental concepts like URIs, HTTP, URLs, HTML, web servers, and WYSIWYG editors that made content creation accessible to everyone.</p> <h2> Understanding REST </h2> <h3> Breaking Down the Acronym </h3> <p><strong>R - Representational</strong></p> <ul> <li>Resources are represented in different formats</li> <li>Common formats: JSON, XML, HTML</li> <li>The same resource can have multiple representations based on client needs</li> </ul> <p><strong>S - State</strong></p> <ul> <li>Refers to the current properties of a resource</li> <li>State can be transferred between client and server</li> <li>Server doesn't maintain client state between requests (stateless architecture)</li> </ul> <p><strong>T - Transfer</strong></p> <ul> <li>The movement of resource representations between client and server</li> <li>Each request contains all information needed to understand it</li> </ul> <h2> Anatomy of a URL </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://google.com/blog/post?q=something#header </code></pre> </div> <p><strong>Components:</strong></p> <ul> <li> <strong>Scheme</strong>: <code>https</code> or <code>http</code> - the protocol used</li> <li> <strong>Domain/Authority</strong>: <code>google.com</code> - can include subdomains</li> <li> <strong>Resources</strong>: <code>/blog/post</code> - hierarchical path showing resource relationships</li> <li> <strong>Query Parameters</strong>: <code>?q=something</code> - filters or search criteria</li> <li> <strong>Fragment</strong>: <code>#header</code> - navigates to a specific section of the resource</li> </ul> <h2> Idempotency in HTTP Methods </h2> <p><strong>Definition</strong>: An idempotent operation produces the same result no matter how many times it's executed.</p> <h3> Idempotent Methods </h3> <ul> <li> <strong>GET</strong>: Always returns the same resource (no side effects)</li> <li> <strong>PUT</strong>: Updates a resource to the same state, multiple calls yield same result</li> <li> <strong>DELETE</strong>: Deleting the same resource multiple times has the same effect</li> <li> <strong>HEAD</strong>: Like GET but only returns headers</li> <li> <strong>OPTIONS</strong>: Always returns the same allowed methods</li> </ul> <h3> Non-Idempotent Methods </h3> <ul> <li> <strong>POST</strong>: Creates new resources or performs actions, each call may produce different results</li> </ul> <h2> HTTP Methods and Their Uses </h2> <h3> GET </h3> <ul> <li> <strong>Purpose</strong>: Retrieve resources</li> <li> <strong>Idempotent</strong>: Yes</li> <li> <strong>Safe</strong>: Yes (no side effects)</li> <li> <strong>Use Cases</strong>: <ul> <li>Fetch a list of items</li> <li>Retrieve a single item</li> <li>Search and filter data </li> </ul> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GET /api/articles GET /api/articles/123 GET /api/articles?author=john&amp;status=published </code></pre> </div> <h3> POST </h3> <ul> <li> <strong>Purpose</strong>: Create resources or perform actions</li> <li> <strong>Idempotent</strong>: No</li> <li> <strong>Safe</strong>: No</li> <li> <strong>Use Cases</strong>: <ul> <li>Create new resources</li> <li>Perform custom actions</li> <li>Send emails</li> <li>Trigger workflows</li> <li>Any action that doesn't fit CRUD </li> </ul> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>POST /api/articles POST /api/articles/123/publish POST /api/users/456/send-welcome-email POST /api/orders/789/calculate-shipping </code></pre> </div> <p><strong>Why POST is Open-Ended</strong>: When you need to perform an action that doesn't map to standard CRUD operations, POST is your go-to method. It's intentionally flexible for custom operations.</p> <h3> PUT </h3> <ul> <li> <strong>Purpose</strong>: Update entire resource or create if doesn't exist</li> <li> <strong>Idempotent</strong>: Yes</li> <li> <strong>Safe</strong>: No</li> <li> <strong>Use Case</strong>: Replace complete resource </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>PUT /api/articles/123 </code></pre> </div> <h3> PATCH </h3> <ul> <li> <strong>Purpose</strong>: Partial update of resource</li> <li> <strong>Idempotent</strong>: Usually yes</li> <li> <strong>Safe</strong>: No</li> <li> <strong>Use Case</strong>: Update specific fields </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>PATCH /api/articles/123 </code></pre> </div> <h3> DELETE </h3> <ul> <li> <strong>Purpose</strong>: Remove resources</li> <li> <strong>Idempotent</strong>: Yes</li> <li> <strong>Safe</strong>: No</li> <li> <strong>Use Case</strong>: Delete resources </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>DELETE /api/articles/123 </code></pre> </div> <h2> REST API Design Principles </h2> <h3> 1. Resource Naming Conventions </h3> <p><strong>Use Plural Nouns</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>✅ /api/articles ✅ /api/users ✅ /api/comments ❌ /api/article ❌ /api/user ❌ /api/comment </code></pre> </div> <p><strong>Why Plural?</strong></p> <ul> <li>Consistency across endpoints</li> <li>Collections naturally use plural</li> <li>Easier to understand at a glance</li> </ul> <p><strong>Handle Whitespace in URLs</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Input: "Harry Potter" URL: /api/books/harry-potter ✅ Use hyphens (kebab-case) ❌ Avoid underscores or spaces </code></pre> </div> <h3> 2. Hierarchical Resource Relationships </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GET /api/articles/123/comments GET /api/articles/123/comments/456 POST /api/articles/123/comments DELETE /api/users/789/preferences/notifications </code></pre> </div> <h3> 3. Query Parameters for Filtering </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GET /api/articles?status=published&amp;author=john&amp;sort=date&amp;order=desc GET /api/users?role=admin&amp;page=2&amp;limit=20 </code></pre> </div> <h3> 4. Versioning </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/api/v1/articles /api/v2/articles </code></pre> </div> <p>Or via headers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Accept: application/vnd.api.v1+json </code></pre> </div> <h2> The Critical 404 vs 200 Rule </h2> <h3> When Fetching a Single Resource </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GET /api/articles/999 Response: 404 Not Found </code></pre> </div> <p><strong>Why?</strong> The specific resource doesn't exist - this is an error state.</p> <h3> When Fetching a Collection </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GET /api/articles?author=unknown Response: 200 OK Body: [] </code></pre> </div> <p><strong>Why?</strong> The request was successful - an empty result set is valid data, not an error.</p> <h2> Designing REST APIs: The Process </h2> <h3> Step 1: Design the Wireframe/UI First </h3> <p>Before writing a single line of API code, design the user interface or understand the client needs.</p> <p><strong>Questions to Ask:</strong></p> <ul> <li>What data does the user need to see?</li> <li>What actions can they perform?</li> <li>What filters or searches will they use?</li> <li>How will they navigate between resources?</li> </ul> <p><strong>Example Flow:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[Homepage] ↓ [Article List] → Filter by category, author, date ↓ [Article Detail] → View comments ↓ [Comment Section] → Add/edit/delete comments </code></pre> </div> <h3> Step 2: Map UI Components to API Endpoints </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>UI Component</th> <th>HTTP Method</th> <th>Endpoint</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td>Article List</td> <td>GET</td> <td><code>/api/articles</code></td> <td>Fetch all articles</td> </tr> <tr> <td>Article Filters</td> <td>GET</td> <td><code>/api/articles?category=tech</code></td> <td>Filtered list</td> </tr> <tr> <td>Article Detail</td> <td>GET</td> <td><code>/api/articles/123</code></td> <td>Single article</td> </tr> <tr> <td>Create Article</td> <td>POST</td> <td><code>/api/articles</code></td> <td>New article</td> </tr> <tr> <td>Edit Article</td> <td>PUT/PATCH</td> <td><code>/api/articles/123</code></td> <td>Update article</td> </tr> <tr> <td>Delete Article</td> <td>DELETE</td> <td><code>/api/articles/123</code></td> <td>Remove article</td> </tr> <tr> <td>Publish Article</td> <td>POST</td> <td><code>/api/articles/123/publish</code></td> <td>Custom action</td> </tr> <tr> <td>Article Comments</td> <td>GET</td> <td><code>/api/articles/123/comments</code></td> <td>Nested resource</td> </tr> <tr> <td>Add Comment</td> <td>POST</td> <td><code>/api/articles/123/comments</code></td> <td>Create comment</td> </tr> </tbody> </table></div> <h3> Step 3: Define Resource Structure </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="mi">123</span><span class="p">,</span><span class="w"> </span><span class="nl">"title"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Understanding REST APIs"</span><span class="p">,</span><span class="w"> </span><span class="nl">"slug"</span><span class="p">:</span><span class="w"> </span><span class="s2">"understanding-rest-apis"</span><span class="p">,</span><span class="w"> </span><span class="nl">"author"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="mi">456</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"John Doe"</span><span class="p">,</span><span class="w"> </span><span class="nl">"avatar"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://..."</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"content"</span><span class="p">:</span><span class="w"> </span><span class="s2">"..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"published"</span><span class="p">,</span><span class="w"> </span><span class="nl">"category"</span><span class="p">:</span><span class="w"> </span><span class="s2">"technology"</span><span class="p">,</span><span class="w"> </span><span class="nl">"tags"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"api"</span><span class="p">,</span><span class="w"> </span><span class="s2">"rest"</span><span class="p">,</span><span class="w"> </span><span class="s2">"web-development"</span><span class="p">],</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2025-01-15T10:30:00Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2025-01-20T14:45:00Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"comments_count"</span><span class="p">:</span><span class="w"> </span><span class="mi">42</span><span class="p">,</span><span class="w"> </span><span class="nl">"links"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"self"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/api/articles/123"</span><span class="p">,</span><span class="w"> </span><span class="nl">"comments"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/api/articles/123/comments"</span><span class="p">,</span><span class="w"> </span><span class="nl">"author"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/api/users/456"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Step 4: Plan Response Codes </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Status Code</th> <th>Meaning</th> <th>Use Case</th> </tr> </thead> <tbody> <tr> <td>200 OK</td> <td>Success</td> <td>GET, PATCH successful</td> </tr> <tr> <td>201 Created</td> <td>Resource created</td> <td>POST successful</td> </tr> <tr> <td>204 No Content</td> <td>Success, no body</td> <td>DELETE successful</td> </tr> <tr> <td>400 Bad Request</td> <td>Invalid input</td> <td>Validation errors</td> </tr> <tr> <td>401 Unauthorized</td> <td>Not authenticated</td> <td>Missing/invalid token</td> </tr> <tr> <td>403 Forbidden</td> <td>Not authorized</td> <td>Insufficient permissions</td> </tr> <tr> <td>404 Not Found</td> <td>Resource missing</td> <td>Single resource not found</td> </tr> <tr> <td>409 Conflict</td> <td>Resource conflict</td> <td>Duplicate resource</td> </tr> <tr> <td>422 Unprocessable</td> <td>Validation failed</td> <td>Business logic errors</td> </tr> <tr> <td>500 Server Error</td> <td>Server problem</td> <td>Unexpected errors</td> </tr> </tbody> </table></div> <h3> Step 5: Design Error Responses </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"error"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"code"</span><span class="p">:</span><span class="w"> </span><span class="s2">"VALIDATION_ERROR"</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Invalid input data"</span><span class="p">,</span><span class="w"> </span><span class="nl">"details"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"field"</span><span class="p">:</span><span class="w"> </span><span class="s2">"email"</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Email is required"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"field"</span><span class="p">:</span><span class="w"> </span><span class="s2">"password"</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Password must be at least 8 characters"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"timestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2025-01-20T14:45:00Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/api/users"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Complete API Example </h2> <h3> Blog Platform REST API </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Articles GET /api/v1/articles # List all articles GET /api/v1/articles?status=published # Filter articles GET /api/v1/articles/understanding-rest # Get single article POST /api/v1/articles # Create article PUT /api/v1/articles/123 # Update full article PATCH /api/v1/articles/123 # Partial update DELETE /api/v1/articles/123 # Delete article # Custom Actions POST /api/v1/articles/123/publish # Publish article POST /api/v1/articles/123/unpublish # Unpublish article POST /api/v1/articles/123/duplicate # Duplicate article # Nested Resources GET /api/v1/articles/123/comments # Get article comments POST /api/v1/articles/123/comments # Add comment GET /api/v1/articles/123/comments/456 # Get single comment PATCH /api/v1/articles/123/comments/456 # Update comment DELETE /api/v1/articles/123/comments/456 # Delete comment # Authors GET /api/v1/authors # List authors GET /api/v1/authors/789 # Get author profile GET /api/v1/authors/789/articles # Author's articles # Categories &amp; Tags GET /api/v1/categories # List categories GET /api/v1/categories/tech/articles # Articles in category GET /api/v1/tags # List tags GET /api/v1/tags/api/articles # Articles with tag </code></pre> </div> <h2> Best Practices Checklist </h2> <ul> <li>✅ Use plural nouns for resources</li> <li>✅ Use hyphens in URLs (kebab-case)</li> <li>✅ Use nouns, not verbs in endpoints</li> <li>✅ Keep URLs lowercase</li> <li>✅ Version your API</li> <li>✅ Use proper HTTP methods</li> <li>✅ Return appropriate status codes</li> <li>✅ Use 404 for missing single resources</li> <li>✅ Use 200 with empty array for empty collections</li> <li>✅ Include links to related resources (HATEOAS)</li> <li>✅ Provide consistent error responses</li> <li>✅ Support filtering, sorting, and pagination</li> <li>✅ Document your API thoroughly</li> <li>✅ Use POST for custom actions</li> <li>✅ Design UI/UX before API</li> </ul> <h2> Conclusion </h2> <p>Great REST API design starts with understanding user needs through wireframes and UI flows. By following these principles—proper resource naming, appropriate HTTP methods, clear response codes, and the critical distinction between empty results and missing resources—you create APIs that are intuitive, maintainable, and developer-friendly.</p> <p>Remember: Design for your users first, then build the API that serves their needs. The technical excellence of your REST API should be invisible to end users, manifesting only as a seamless, fast, and reliable experience.</p> <p><em>Happy API building! 🚀</em></p> development tutorial beginners javascript Understanding Backend Architecture: A Complete Guide to Request Lifecycle Yukti Sahu Wed, 03 Dec 2025 01:34:52 +0000 https://forem.com/yuktisays/understanding-backend-architecture-a-complete-guide-to-request-lifecycle-55gp https://forem.com/yuktisays/understanding-backend-architecture-a-complete-guide-to-request-lifecycle-55gp <p>When building scalable and maintainable backend applications, proper architecture isn't just a nice-to-have—it's essential. In this article, we'll dive deep into the journey of an HTTP request through a well-structured backend system, exploring each layer's responsibility and how they work together.</p> <h2> Why Separate Concerns? </h2> <p>Before we jump into the request lifecycle, let's understand why we organize code into different layers:</p> <ul> <li> <strong>Maintainability</strong>: Each layer has a single responsibility, making bugs easier to locate and fix</li> <li> <strong>Scalability</strong>: You can optimize or scale individual layers without touching others</li> <li> <strong>Testability</strong>: Isolated layers are easier to unit test</li> <li> <strong>Reusability</strong>: Business logic in services can be reused across different controllers</li> <li> <strong>Security</strong>: Clear separation helps implement security at appropriate layers</li> </ul> <h2> The Request Lifecycle: A Journey Through Layers </h2> <p>Let's follow a typical request from the moment it hits your server until a response is sent back.</p> <h3> 1. Routing: The Entry Point </h3> <p>When a client sends a request, it first hits your server on a specific port and route:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Node.js/Express example</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/users</span><span class="dl">'</span><span class="p">,</span> <span class="nx">createUserController</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/users/:id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">getUserController</span><span class="p">);</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Go example</span> <span class="n">http</span><span class="o">.</span><span class="n">HandleFunc</span><span class="p">(</span><span class="s">"/api/users"</span><span class="p">,</span> <span class="n">createUserHandler</span><span class="p">)</span> <span class="n">http</span><span class="o">.</span><span class="n">HandleFunc</span><span class="p">(</span><span class="s">"/api/users/"</span><span class="p">,</span> <span class="n">getUserHandler</span><span class="p">)</span> </code></pre> </div> <p>The router matches the URL pattern and HTTP method, then directs the request to the appropriate handler.</p> <h3> 2. Middlewares: The Gatekeepers </h3> <p>Middlewares are functions that execute <strong>before</strong> your controller. They have access to the request, response, and a special <code>next()</code> function that passes control to the next middleware or controller.</p> <p><strong>Key characteristics of middlewares:</strong></p> <ul> <li>They execute in the order they're defined (order matters!)</li> <li>They can modify the request/response objects</li> <li>They can end the request-response cycle early</li> <li>They're optional but powerful</li> </ul> <p><strong>Common middleware use cases:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Authentication middleware</span> <span class="kd">function</span> <span class="nf">authMiddleware</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nx">authorization</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">No token provided</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">decoded</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">SECRET_KEY</span><span class="p">);</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span> <span class="o">=</span> <span class="nx">decoded</span><span class="p">;</span> <span class="c1">// Add user info to request context</span> <span class="nf">next</span><span class="p">();</span> <span class="c1">// Pass control to next middleware or controller</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid token</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Logging middleware</span> <span class="kd">function</span> <span class="nf">loggingMiddleware</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">method</span><span class="p">}</span><span class="s2"> </span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">url</span><span class="p">}</span><span class="s2"> - </span><span class="p">${</span><span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">()}</span><span class="s2">`</span><span class="p">);</span> <span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="c1">// Request body parsing middleware (built-in in Express)</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">json</span><span class="p">());</span> <span class="c1">// Parses JSON bodies</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">urlencoded</span><span class="p">({</span> <span class="na">extended</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}));</span> <span class="c1">// Parses URL-encoded bodies</span> <span class="c1">// Using middlewares</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/users</span><span class="dl">'</span><span class="p">,</span> <span class="nx">loggingMiddleware</span><span class="p">,</span> <span class="nx">authMiddleware</span><span class="p">,</span> <span class="nx">createUserController</span> <span class="p">);</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Python/Flask example </span><span class="kn">from</span> <span class="n">functools</span> <span class="kn">import</span> <span class="n">wraps</span> <span class="k">def</span> <span class="nf">require_auth</span><span class="p">(</span><span class="n">f</span><span class="p">):</span> <span class="nd">@wraps</span><span class="p">(</span><span class="n">f</span><span class="p">)</span> <span class="k">def</span> <span class="nf">decorated_function</span><span class="p">(</span><span class="o">*</span><span class="n">args</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">):</span> <span class="n">token</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">Authorization</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">token</span><span class="p">:</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">No token provided</span><span class="sh">'</span><span class="p">}),</span> <span class="mi">401</span> <span class="k">try</span><span class="p">:</span> <span class="n">decoded</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="n">token</span><span class="p">,</span> <span class="n">SECRET_KEY</span><span class="p">)</span> <span class="n">g</span><span class="p">.</span><span class="n">user</span> <span class="o">=</span> <span class="n">decoded</span> <span class="c1"># Store in request context </span> <span class="k">return</span> <span class="nf">f</span><span class="p">(</span><span class="o">*</span><span class="n">args</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="k">except</span><span class="p">:</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Invalid token</span><span class="sh">'</span><span class="p">}),</span> <span class="mi">401</span> <span class="k">return</span> <span class="n">decorated_function</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/api/users</span><span class="sh">'</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">POST</span><span class="sh">'</span><span class="p">])</span> <span class="nd">@require_auth</span> <span class="k">def</span> <span class="nf">create_user</span><span class="p">():</span> <span class="c1"># Controller code here </span> <span class="k">pass</span> </code></pre> </div> <h3> 3. Request Context: Shared State for a Request </h3> <p>Request context is a storage mechanism that holds metadata for a specific request throughout its lifecycle. Think of it as a backpack that travels with the request, carrying useful information.</p> <p><strong>Why use request context?</strong></p> <ul> <li>Avoid passing the same data through every function parameter</li> <li>Store authentication info, user roles, request IDs</li> <li>Share data between middlewares and controllers </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Node.js example - using res.locals or custom middleware</span> <span class="kd">function</span> <span class="nf">authMiddleware</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nx">authorization</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">decoded</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">SECRET_KEY</span><span class="p">);</span> <span class="c1">// Store in request context</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span> <span class="o">=</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">decoded</span><span class="p">.</span><span class="nx">userId</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nx">decoded</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="nx">decoded</span><span class="p">.</span><span class="nx">role</span> <span class="p">};</span> <span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">createUserController</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Access user info from context instead of decoding token again</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Request by user: </span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="c1">// ... rest of controller logic</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Python/Flask example - using 'g' object </span><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">g</span> <span class="nd">@app.before_request</span> <span class="k">def</span> <span class="nf">load_user</span><span class="p">():</span> <span class="n">token</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">Authorization</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="n">token</span><span class="p">:</span> <span class="n">decoded</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="n">token</span><span class="p">,</span> <span class="n">SECRET_KEY</span><span class="p">)</span> <span class="n">g</span><span class="p">.</span><span class="n">user_id</span> <span class="o">=</span> <span class="n">decoded</span><span class="p">[</span><span class="sh">'</span><span class="s">user_id</span><span class="sh">'</span><span class="p">]</span> <span class="n">g</span><span class="p">.</span><span class="n">user_role</span> <span class="o">=</span> <span class="n">decoded</span><span class="p">[</span><span class="sh">'</span><span class="s">role</span><span class="sh">'</span><span class="p">]</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/api/posts</span><span class="sh">'</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">POST</span><span class="sh">'</span><span class="p">])</span> <span class="k">def</span> <span class="nf">create_post</span><span class="p">():</span> <span class="c1"># Access from context </span> <span class="n">user_id</span> <span class="o">=</span> <span class="n">g</span><span class="p">.</span><span class="n">user_id</span> <span class="c1"># ... rest of controller logic </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Go example - using context</span> <span class="k">func</span> <span class="n">authMiddleware</span><span class="p">(</span><span class="n">next</span> <span class="n">http</span><span class="o">.</span><span class="n">HandlerFunc</span><span class="p">)</span> <span class="n">http</span><span class="o">.</span><span class="n">HandlerFunc</span> <span class="p">{</span> <span class="k">return</span> <span class="k">func</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="n">token</span> <span class="o">:=</span> <span class="n">r</span><span class="o">.</span><span class="n">Header</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="s">"Authorization"</span><span class="p">)</span> <span class="n">decoded</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">verifyToken</span><span class="p">(</span><span class="n">token</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">http</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">"Unauthorized"</span><span class="p">,</span> <span class="m">401</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="c">// Store in request context</span> <span class="n">ctx</span> <span class="o">:=</span> <span class="n">context</span><span class="o">.</span><span class="n">WithValue</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">Context</span><span class="p">(),</span> <span class="s">"user_id"</span><span class="p">,</span> <span class="n">decoded</span><span class="o">.</span><span class="n">UserID</span><span class="p">)</span> <span class="n">ctx</span> <span class="o">=</span> <span class="n">context</span><span class="o">.</span><span class="n">WithValue</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="s">"user_role"</span><span class="p">,</span> <span class="n">decoded</span><span class="o">.</span><span class="n">Role</span><span class="p">)</span> <span class="c">// Pass new context to next handler</span> <span class="n">next</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">r</span><span class="o">.</span><span class="n">WithContext</span><span class="p">(</span><span class="n">ctx</span><span class="p">))</span> <span class="p">}</span> <span class="p">}</span> <span class="k">func</span> <span class="n">createPostHandler</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="c">// Retrieve from context</span> <span class="n">userID</span> <span class="o">:=</span> <span class="n">r</span><span class="o">.</span><span class="n">Context</span><span class="p">()</span><span class="o">.</span><span class="n">Value</span><span class="p">(</span><span class="s">"user_id"</span><span class="p">)</span><span class="o">.</span><span class="p">(</span><span class="kt">string</span><span class="p">)</span> <span class="n">userRole</span> <span class="o">:=</span> <span class="n">r</span><span class="o">.</span><span class="n">Context</span><span class="p">()</span><span class="o">.</span><span class="n">Value</span><span class="p">(</span><span class="s">"user_role"</span><span class="p">)</span><span class="o">.</span><span class="p">(</span><span class="kt">string</span><span class="p">)</span> <span class="c">// ... rest of handler logic</span> <span class="p">}</span> </code></pre> </div> <h3> 4. Controllers: Request Handlers </h3> <p>Controllers are the traffic directors of your application. They handle HTTP-specific concerns and orchestrate the flow of data.</p> <p><strong>Controller responsibilities:</strong></p> <ol> <li><strong>Extract data from the request</strong></li> <li><strong>Validate and transform input</strong></li> <li><strong>Call service layer with processed data</strong></li> <li> <strong>Format and send HTTP response</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Node.js/Express example</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">createUserController</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="c1">// Step 1: Extract data from request</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">userRole</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">role</span><span class="p">;</span> <span class="c1">// From request context</span> <span class="c1">// Step 2: Validate input</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">name</span> <span class="o">||</span> <span class="o">!</span><span class="nx">email</span> <span class="o">||</span> <span class="o">!</span><span class="nx">password</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Missing required fields</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nf">isValidEmail</span><span class="p">(</span><span class="nx">email</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid email format</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Step 3: Transform data (set defaults, normalize)</span> <span class="kd">const</span> <span class="nx">userData</span> <span class="o">=</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="nx">name</span><span class="p">.</span><span class="nf">trim</span><span class="p">(),</span> <span class="na">email</span><span class="p">:</span> <span class="nx">email</span><span class="p">.</span><span class="nf">toLowerCase</span><span class="p">(),</span> <span class="na">password</span><span class="p">:</span> <span class="nx">password</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="dl">'</span><span class="s1">user</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// default role</span> <span class="na">createdBy</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span> <span class="c1">// from context</span> <span class="p">};</span> <span class="c1">// Step 4: Call service layer</span> <span class="kd">const</span> <span class="nx">newUser</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">userService</span><span class="p">.</span><span class="nf">createUser</span><span class="p">(</span><span class="nx">userData</span><span class="p">);</span> <span class="c1">// Step 5: Send HTTP response</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">201</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="nx">newUser</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Handle errors appropriately</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span><span class="p">.</span><span class="nx">code</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">EMAIL_EXISTS</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">409</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Email already registered</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Internal server error</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// GET request with query parameters</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getUsersController</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="c1">// Extract from query params</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">page</span> <span class="o">=</span> <span class="mi">1</span><span class="p">,</span> <span class="nx">limit</span> <span class="o">=</span> <span class="mi">10</span><span class="p">,</span> <span class="nx">sortBy</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">createdAt</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// default sort</span> <span class="nx">order</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">desc</span><span class="dl">'</span> <span class="c1">// default order</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">;</span> <span class="c1">// Validate and transform</span> <span class="kd">const</span> <span class="nx">options</span> <span class="o">=</span> <span class="p">{</span> <span class="na">page</span><span class="p">:</span> <span class="nf">parseInt</span><span class="p">(</span><span class="nx">page</span><span class="p">),</span> <span class="na">limit</span><span class="p">:</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">min</span><span class="p">(</span><span class="nf">parseInt</span><span class="p">(</span><span class="nx">limit</span><span class="p">),</span> <span class="mi">100</span><span class="p">),</span> <span class="c1">// max 100</span> <span class="nx">sortBy</span><span class="p">,</span> <span class="na">order</span><span class="p">:</span> <span class="nx">order</span><span class="p">.</span><span class="nf">toLowerCase</span><span class="p">()</span> <span class="p">};</span> <span class="c1">// Call service</span> <span class="kd">const</span> <span class="nx">users</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">userService</span><span class="p">.</span><span class="nf">getUsers</span><span class="p">(</span><span class="nx">options</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="nx">users</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Failed to fetch users</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Python/Flask example </span><span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/api/users</span><span class="sh">'</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">POST</span><span class="sh">'</span><span class="p">])</span> <span class="nd">@require_auth</span> <span class="k">def</span> <span class="nf">create_user_controller</span><span class="p">():</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># Step 1: Extract data (Flask automatically parses JSON) </span> <span class="n">data</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="nf">get_json</span><span class="p">()</span> <span class="n">name</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">)</span> <span class="n">email</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">email</span><span class="sh">'</span><span class="p">)</span> <span class="n">password</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">password</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># Step 2: Validate </span> <span class="k">if</span> <span class="ow">not</span> <span class="nf">all</span><span class="p">([</span><span class="n">name</span><span class="p">,</span> <span class="n">email</span><span class="p">,</span> <span class="n">password</span><span class="p">]):</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Missing required fields</span><span class="sh">'</span><span class="p">}),</span> <span class="mi">400</span> <span class="k">if</span> <span class="ow">not</span> <span class="nf">is_valid_email</span><span class="p">(</span><span class="n">email</span><span class="p">):</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Invalid email format</span><span class="sh">'</span><span class="p">}),</span> <span class="mi">400</span> <span class="c1"># Step 3: Transform </span> <span class="n">user_data</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">:</span> <span class="n">name</span><span class="p">.</span><span class="nf">strip</span><span class="p">(),</span> <span class="sh">'</span><span class="s">email</span><span class="sh">'</span><span class="p">:</span> <span class="n">email</span><span class="p">.</span><span class="nf">lower</span><span class="p">(),</span> <span class="sh">'</span><span class="s">password</span><span class="sh">'</span><span class="p">:</span> <span class="n">password</span><span class="p">,</span> <span class="sh">'</span><span class="s">role</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">user</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">created_by</span><span class="sh">'</span><span class="p">:</span> <span class="n">g</span><span class="p">.</span><span class="n">user_id</span> <span class="c1"># from context </span> <span class="p">}</span> <span class="c1"># Step 4: Call service </span> <span class="n">new_user</span> <span class="o">=</span> <span class="n">user_service</span><span class="p">.</span><span class="nf">create_user</span><span class="p">(</span><span class="n">user_data</span><span class="p">)</span> <span class="c1"># Step 5: Send response </span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span> <span class="sh">'</span><span class="s">success</span><span class="sh">'</span><span class="p">:</span> <span class="bp">True</span><span class="p">,</span> <span class="sh">'</span><span class="s">data</span><span class="sh">'</span><span class="p">:</span> <span class="n">new_user</span> <span class="p">}),</span> <span class="mi">201</span> <span class="k">except</span> <span class="n">EmailExistsError</span><span class="p">:</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Email already registered</span><span class="sh">'</span><span class="p">}),</span> <span class="mi">409</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Internal server error</span><span class="sh">'</span><span class="p">}),</span> <span class="mi">500</span> </code></pre> </div> <p><strong>Important</strong>: Controllers should NOT contain business logic. They're just coordinators between HTTP and your business layer.</p> <h3> 5. Services: Business Logic Layer </h3> <p>The service layer is where your application's business logic lives. Services should be <strong>framework-agnostic</strong>—they shouldn't know anything about HTTP, requests, or responses.</p> <p><strong>Service layer principles:</strong></p> <ul> <li>Pure functions focused on business logic</li> <li>No HTTP-specific code</li> <li>Can be called from controllers, background jobs, CLI commands, etc.</li> <li>Orchestrates multiple repository calls if needed </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// userService.js</span> <span class="kd">class</span> <span class="nc">UserService</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">userRepository</span><span class="p">,</span> <span class="nx">emailService</span><span class="p">,</span> <span class="nx">hashService</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">userRepository</span> <span class="o">=</span> <span class="nx">userRepository</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">emailService</span> <span class="o">=</span> <span class="nx">emailService</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">hashService</span> <span class="o">=</span> <span class="nx">hashService</span><span class="p">;</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">createUser</span><span class="p">(</span><span class="nx">userData</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Business logic validation</span> <span class="kd">const</span> <span class="nx">existingUser</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">userRepository</span><span class="p">.</span><span class="nf">findByEmail</span><span class="p">(</span> <span class="nx">userData</span><span class="p">.</span><span class="nx">email</span> <span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">existingUser</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">EMAIL_EXISTS</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Business rule: hash password before storing</span> <span class="kd">const</span> <span class="nx">hashedPassword</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">hashService</span><span class="p">.</span><span class="nf">hash</span><span class="p">(</span> <span class="nx">userData</span><span class="p">.</span><span class="nx">password</span> <span class="p">);</span> <span class="c1">// Create user</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">userRepository</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="p">...</span><span class="nx">userData</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="nx">hashedPassword</span> <span class="p">});</span> <span class="c1">// Business logic: send welcome email</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">emailService</span><span class="p">.</span><span class="nf">sendWelcomeEmail</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="nx">user</span><span class="p">.</span><span class="nx">name</span><span class="p">);</span> <span class="c1">// Don't return sensitive data</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">password</span><span class="p">,</span> <span class="p">...</span><span class="nx">safeUser</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">user</span><span class="p">;</span> <span class="k">return</span> <span class="nx">safeUser</span><span class="p">;</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">getUsers</span><span class="p">(</span><span class="nx">options</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Business rule: users can only see active accounts</span> <span class="kd">const</span> <span class="nx">filters</span> <span class="o">=</span> <span class="p">{</span> <span class="p">...</span><span class="nx">options</span><span class="p">,</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">active</span><span class="dl">'</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">users</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">userRepository</span><span class="p">.</span><span class="nf">findAll</span><span class="p">(</span><span class="nx">filters</span><span class="p">);</span> <span class="c1">// Remove sensitive fields</span> <span class="k">return</span> <span class="nx">users</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">user</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">password</span><span class="p">,</span> <span class="p">...</span><span class="nx">safeUser</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">user</span><span class="p">;</span> <span class="k">return</span> <span class="nx">safeUser</span><span class="p">;</span> <span class="p">});</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">updateUserProfile</span><span class="p">(</span><span class="nx">userId</span><span class="p">,</span> <span class="nx">updates</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Business validation</span> <span class="k">if </span><span class="p">(</span><span class="nx">updates</span><span class="p">.</span><span class="nx">email</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">existingUser</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">userRepository</span><span class="p">.</span><span class="nf">findByEmail</span><span class="p">(</span> <span class="nx">updates</span><span class="p">.</span><span class="nx">email</span> <span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">existingUser</span> <span class="o">&amp;&amp;</span> <span class="nx">existingUser</span><span class="p">.</span><span class="nx">id</span> <span class="o">!==</span> <span class="nx">userId</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">EMAIL_TAKEN</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Business rule: can't change role through profile update</span> <span class="k">delete</span> <span class="nx">updates</span><span class="p">.</span><span class="nx">role</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">updatedUser</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">userRepository</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span> <span class="nx">userId</span><span class="p">,</span> <span class="nx">updates</span> <span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">password</span><span class="p">,</span> <span class="p">...</span><span class="nx">safeUser</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">updatedUser</span><span class="p">;</span> <span class="k">return</span> <span class="nx">safeUser</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">UserService</span><span class="p">(</span> <span class="nx">userRepository</span><span class="p">,</span> <span class="nx">emailService</span><span class="p">,</span> <span class="nx">hashService</span> <span class="p">);</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># user_service.py </span><span class="k">class</span> <span class="nc">UserService</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">user_repository</span><span class="p">,</span> <span class="n">email_service</span><span class="p">,</span> <span class="n">hash_service</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">user_repository</span> <span class="o">=</span> <span class="n">user_repository</span> <span class="n">self</span><span class="p">.</span><span class="n">email_service</span> <span class="o">=</span> <span class="n">email_service</span> <span class="n">self</span><span class="p">.</span><span class="n">hash_service</span> <span class="o">=</span> <span class="n">hash_service</span> <span class="k">def</span> <span class="nf">create_user</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">user_data</span><span class="p">):</span> <span class="c1"># Business logic validation </span> <span class="n">existing_user</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">user_repository</span><span class="p">.</span><span class="nf">find_by_email</span><span class="p">(</span> <span class="n">user_data</span><span class="p">[</span><span class="sh">'</span><span class="s">email</span><span class="sh">'</span><span class="p">]</span> <span class="p">)</span> <span class="k">if</span> <span class="n">existing_user</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">EmailExistsError</span><span class="p">(</span><span class="sh">'</span><span class="s">Email already registered</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># Hash password </span> <span class="n">hashed_password</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">hash_service</span><span class="p">.</span><span class="nf">hash</span><span class="p">(</span><span class="n">user_data</span><span class="p">[</span><span class="sh">'</span><span class="s">password</span><span class="sh">'</span><span class="p">])</span> <span class="c1"># Create user </span> <span class="n">user</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">user_repository</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="o">**</span><span class="n">user_data</span><span class="p">,</span> <span class="sh">'</span><span class="s">password</span><span class="sh">'</span><span class="p">:</span> <span class="n">hashed_password</span> <span class="p">})</span> <span class="c1"># Send welcome email </span> <span class="n">self</span><span class="p">.</span><span class="n">email_service</span><span class="p">.</span><span class="nf">send_welcome_email</span><span class="p">(</span> <span class="n">user</span><span class="p">[</span><span class="sh">'</span><span class="s">email</span><span class="sh">'</span><span class="p">],</span> <span class="n">user</span><span class="p">[</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">]</span> <span class="p">)</span> <span class="c1"># Remove sensitive data </span> <span class="n">safe_user</span> <span class="o">=</span> <span class="p">{</span><span class="n">k</span><span class="p">:</span> <span class="n">v</span> <span class="k">for</span> <span class="n">k</span><span class="p">,</span> <span class="n">v</span> <span class="ow">in</span> <span class="n">user</span><span class="p">.</span><span class="nf">items</span><span class="p">()</span> <span class="k">if</span> <span class="n">k</span> <span class="o">!=</span> <span class="sh">'</span><span class="s">password</span><span class="sh">'</span><span class="p">}</span> <span class="k">return</span> <span class="n">safe_user</span> <span class="k">def</span> <span class="nf">get_users</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">options</span><span class="p">):</span> <span class="n">filters</span> <span class="o">=</span> <span class="p">{</span><span class="o">**</span><span class="n">options</span><span class="p">,</span> <span class="sh">'</span><span class="s">status</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">active</span><span class="sh">'</span><span class="p">}</span> <span class="n">users</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">user_repository</span><span class="p">.</span><span class="nf">find_all</span><span class="p">(</span><span class="n">filters</span><span class="p">)</span> <span class="k">return</span> <span class="p">[</span> <span class="p">{</span><span class="n">k</span><span class="p">:</span> <span class="n">v</span> <span class="k">for</span> <span class="n">k</span><span class="p">,</span> <span class="n">v</span> <span class="ow">in</span> <span class="n">user</span><span class="p">.</span><span class="nf">items</span><span class="p">()</span> <span class="k">if</span> <span class="n">k</span> <span class="o">!=</span> <span class="sh">'</span><span class="s">password</span><span class="sh">'</span><span class="p">}</span> <span class="k">for</span> <span class="n">user</span> <span class="ow">in</span> <span class="n">users</span> <span class="p">]</span> </code></pre> </div> <h3> 6. Repositories: Database Abstraction Layer </h3> <p>Repositories handle all database operations. They abstract away the database implementation details, making it easy to switch databases or ORMs.</p> <p><strong>Repository responsibilities:</strong></p> <ul> <li>Construct database queries</li> <li>Execute queries</li> <li>Map database results to application models</li> <li>Handle database-specific errors </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// userRepository.js</span> <span class="kd">class</span> <span class="nc">UserRepository</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">database</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">db</span> <span class="o">=</span> <span class="nx">database</span><span class="p">;</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">create</span><span class="p">(</span><span class="nx">userData</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">query</span> <span class="o">=</span> <span class="s2">` INSERT INTO users (name, email, password, role, created_by) VALUES ($1, $2, $3, $4, $5) RETURNING * `</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">values</span> <span class="o">=</span> <span class="p">[</span> <span class="nx">userData</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="nx">userData</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="nx">userData</span><span class="p">.</span><span class="nx">password</span><span class="p">,</span> <span class="nx">userData</span><span class="p">.</span><span class="nx">role</span><span class="p">,</span> <span class="nx">userData</span><span class="p">.</span><span class="nx">createdBy</span> <span class="p">];</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="nx">query</span><span class="p">,</span> <span class="nx">values</span><span class="p">);</span> <span class="k">return</span> <span class="nx">result</span><span class="p">.</span><span class="nx">rows</span><span class="p">[</span><span class="mi">0</span><span class="p">];</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span><span class="p">.</span><span class="nx">code</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">23505</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Unique violation</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">EMAIL_EXISTS</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">throw</span> <span class="nx">error</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">findByEmail</span><span class="p">(</span><span class="nx">email</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">query</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">SELECT * FROM users WHERE email = $1</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="nx">query</span><span class="p">,</span> <span class="p">[</span><span class="nx">email</span><span class="p">]);</span> <span class="k">return</span> <span class="nx">result</span><span class="p">.</span><span class="nx">rows</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">||</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">findAll</span><span class="p">(</span><span class="nx">options</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">page</span><span class="p">,</span> <span class="nx">limit</span><span class="p">,</span> <span class="nx">sortBy</span><span class="p">,</span> <span class="nx">order</span><span class="p">,</span> <span class="nx">status</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">options</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">offset</span> <span class="o">=</span> <span class="p">(</span><span class="nx">page</span> <span class="o">-</span> <span class="mi">1</span><span class="p">)</span> <span class="o">*</span> <span class="nx">limit</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">query</span> <span class="o">=</span> <span class="s2">` SELECT * FROM users WHERE status = $1 ORDER BY </span><span class="p">${</span><span class="nx">sortBy</span><span class="p">}</span><span class="s2"> </span><span class="p">${</span><span class="nx">order</span><span class="p">}</span><span class="s2"> LIMIT $2 OFFSET $3 `</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="nx">query</span><span class="p">,</span> <span class="p">[</span><span class="nx">status</span><span class="p">,</span> <span class="nx">limit</span><span class="p">,</span> <span class="nx">offset</span><span class="p">]);</span> <span class="k">return</span> <span class="nx">result</span><span class="p">.</span><span class="nx">rows</span><span class="p">;</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">update</span><span class="p">(</span><span class="nx">userId</span><span class="p">,</span> <span class="nx">updates</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">fields</span> <span class="o">=</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">keys</span><span class="p">(</span><span class="nx">updates</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">values</span> <span class="o">=</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">values</span><span class="p">(</span><span class="nx">updates</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">setClause</span> <span class="o">=</span> <span class="nx">fields</span> <span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">field</span><span class="p">,</span> <span class="nx">index</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="s2">`</span><span class="p">${</span><span class="nx">field</span><span class="p">}</span><span class="s2"> = $</span><span class="p">${</span><span class="nx">index</span> <span class="o">+</span> <span class="mi">2</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="s1">, </span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">query</span> <span class="o">=</span> <span class="s2">` UPDATE users SET </span><span class="p">${</span><span class="nx">setClause</span><span class="p">}</span><span class="s2">, updated_at = NOW() WHERE id = $1 RETURNING * `</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="nx">query</span><span class="p">,</span> <span class="p">[</span><span class="nx">userId</span><span class="p">,</span> <span class="p">...</span><span class="nx">values</span><span class="p">]);</span> <span class="k">return</span> <span class="nx">result</span><span class="p">.</span><span class="nx">rows</span><span class="p">[</span><span class="mi">0</span><span class="p">];</span> <span class="p">}</span> <span class="k">async</span> <span class="k">delete</span><span class="p">(</span><span class="nx">userId</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">query</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">DELETE FROM users WHERE id = $1</span><span class="dl">'</span><span class="p">;</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="nx">query</span><span class="p">,</span> <span class="p">[</span><span class="nx">userId</span><span class="p">]);</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">UserRepository</span><span class="p">(</span><span class="nx">database</span><span class="p">);</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># user_repository.py </span><span class="k">class</span> <span class="nc">UserRepository</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">database</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">db</span> <span class="o">=</span> <span class="n">database</span> <span class="k">def</span> <span class="nf">create</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">user_data</span><span class="p">):</span> <span class="n">query</span> <span class="o">=</span> <span class="sh">"""</span><span class="s"> INSERT INTO users (name, email, password, role, created_by) VALUES (%s, %s, %s, %s, %s) RETURNING * </span><span class="sh">"""</span> <span class="n">values</span> <span class="o">=</span> <span class="p">(</span> <span class="n">user_data</span><span class="p">[</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">],</span> <span class="n">user_data</span><span class="p">[</span><span class="sh">'</span><span class="s">email</span><span class="sh">'</span><span class="p">],</span> <span class="n">user_data</span><span class="p">[</span><span class="sh">'</span><span class="s">password</span><span class="sh">'</span><span class="p">],</span> <span class="n">user_data</span><span class="p">[</span><span class="sh">'</span><span class="s">role</span><span class="sh">'</span><span class="p">],</span> <span class="n">user_data</span><span class="p">[</span><span class="sh">'</span><span class="s">created_by</span><span class="sh">'</span><span class="p">]</span> <span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">cursor</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">db</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="n">query</span><span class="p">,</span> <span class="n">values</span><span class="p">)</span> <span class="k">return</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">fetchone</span><span class="p">()</span> <span class="k">except</span> <span class="n">IntegrityError</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">EmailExistsError</span><span class="p">(</span><span class="sh">'</span><span class="s">Email already exists</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">find_by_email</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">email</span><span class="p">):</span> <span class="n">query</span> <span class="o">=</span> <span class="sh">"</span><span class="s">SELECT * FROM users WHERE email = %s</span><span class="sh">"</span> <span class="n">cursor</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">db</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="n">query</span><span class="p">,</span> <span class="p">(</span><span class="n">email</span><span class="p">,))</span> <span class="k">return</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">fetchone</span><span class="p">()</span> <span class="k">def</span> <span class="nf">find_all</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">options</span><span class="p">):</span> <span class="n">page</span> <span class="o">=</span> <span class="n">options</span><span class="p">[</span><span class="sh">'</span><span class="s">page</span><span class="sh">'</span><span class="p">]</span> <span class="n">limit</span> <span class="o">=</span> <span class="n">options</span><span class="p">[</span><span class="sh">'</span><span class="s">limit</span><span class="sh">'</span><span class="p">]</span> <span class="n">offset</span> <span class="o">=</span> <span class="p">(</span><span class="n">page</span> <span class="o">-</span> <span class="mi">1</span><span class="p">)</span> <span class="o">*</span> <span class="n">limit</span> <span class="n">query</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"""</span><span class="s"> SELECT * FROM users WHERE status = %s ORDER BY </span><span class="si">{</span><span class="n">options</span><span class="p">[</span><span class="sh">'</span><span class="s">sortBy</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s"> </span><span class="si">{</span><span class="n">options</span><span class="p">[</span><span class="sh">'</span><span class="s">order</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s"> LIMIT %s OFFSET %s </span><span class="sh">"""</span> <span class="n">cursor</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">db</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="n">query</span><span class="p">,</span> <span class="p">(</span><span class="n">options</span><span class="p">[</span><span class="sh">'</span><span class="s">status</span><span class="sh">'</span><span class="p">],</span> <span class="n">limit</span><span class="p">,</span> <span class="n">offset</span><span class="p">)</span> <span class="p">)</span> <span class="k">return</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">fetchall</span><span class="p">()</span> </code></pre> </div> <h2> Putting It All Together: Folder Structure </h2> <p>Here's how to organize your codebase:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>project/ ├── src/ │ ├── controllers/ │ │ ├── userController.js │ │ ├── postController.js │ │ └── authController.js │ │ │ ├── services/ │ │ ├── userService.js │ │ ├── postService.js │ │ └── emailService.js │ │ │ ├── repositories/ │ │ ├── userRepository.js │ │ ├── postRepository.js │ │ └── commentRepository.js │ │ │ ├── middlewares/ │ │ ├── authMiddleware.js │ │ ├── errorHandler.js │ │ ├── validation.js │ │ └── rateLimiter.js │ │ │ ├── routes/ │ │ ├── userRoutes.js │ │ ├── postRoutes.js │ │ └── index.js │ │ │ ├── models/ │ │ ├── User.js │ │ └── Post.js │ │ │ ├── utils/ │ │ ├── validators.js │ │ └── helpers.js │ │ │ └── app.js │ ├── tests/ ├── config/ └── package.json </code></pre> </div> <h2> Complete Example: User Registration Flow </h2> <p>Let's see how all layers work together for a user registration request:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// routes/userRoutes.js</span> <span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">router</span> <span class="o">=</span> <span class="nx">express</span><span class="p">.</span><span class="nc">Router</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">userController</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">../controllers/userController</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">validateRegistration</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">../middlewares/validation</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">rateLimiter</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">../middlewares/rateLimiter</span><span class="dl">'</span><span class="p">);</span> <span class="nx">router</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span> <span class="dl">'</span><span class="s1">/register</span><span class="dl">'</span><span class="p">,</span> <span class="nx">rateLimiter</span><span class="p">,</span> <span class="c1">// Middleware 1: Rate limiting</span> <span class="nx">validateRegistration</span><span class="p">,</span> <span class="c1">// Middleware 2: Input validation</span> <span class="nx">userController</span><span class="p">.</span><span class="nx">register</span> <span class="c1">// Controller</span> <span class="p">);</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="nx">router</span><span class="p">;</span> <span class="c1">// middlewares/validation.js</span> <span class="kd">function</span> <span class="nf">validateRegistration</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">name</span> <span class="o">||</span> <span class="nx">name</span><span class="p">.</span><span class="nx">length</span> <span class="o">&lt;</span> <span class="mi">2</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Name must be at least 2 characters</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">email</span> <span class="o">||</span> <span class="o">!</span><span class="nf">isValidEmail</span><span class="p">(</span><span class="nx">email</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid email address</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">password</span> <span class="o">||</span> <span class="nx">password</span><span class="p">.</span><span class="nx">length</span> <span class="o">&lt;</span> <span class="mi">8</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Password must be at least 8 characters</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="nf">next</span><span class="p">();</span> <span class="c1">// Pass to next middleware or controller</span> <span class="p">}</span> <span class="c1">// controllers/userController.js</span> <span class="kd">const</span> <span class="nx">userService</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">../services/userService</span><span class="dl">'</span><span class="p">);</span> <span class="nx">exports</span><span class="p">.</span><span class="nx">register</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="c1">// Transform data</span> <span class="kd">const</span> <span class="nx">userData</span> <span class="o">=</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="nx">name</span><span class="p">.</span><span class="nf">trim</span><span class="p">(),</span> <span class="na">email</span><span class="p">:</span> <span class="nx">email</span><span class="p">.</span><span class="nf">toLowerCase</span><span class="p">(),</span> <span class="na">password</span><span class="p">:</span> <span class="nx">password</span> <span class="p">};</span> <span class="c1">// Call service layer</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">userService</span><span class="p">.</span><span class="nf">registerUser</span><span class="p">(</span><span class="nx">userData</span><span class="p">);</span> <span class="c1">// Send response</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">201</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Registration successful</span><span class="dl">'</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="nx">user</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span><span class="p">.</span><span class="nx">message</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">EMAIL_EXISTS</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">409</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Email already registered</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Registration failed</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="p">};</span> <span class="c1">// services/userService.js</span> <span class="kd">const</span> <span class="nx">userRepository</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">../repositories/userRepository</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">emailService</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./emailService</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">bcrypt</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">bcrypt</span><span class="dl">'</span><span class="p">);</span> <span class="nx">exports</span><span class="p">.</span><span class="nx">registerUser</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">userData</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Check if user exists</span> <span class="kd">const</span> <span class="nx">existingUser</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">userRepository</span><span class="p">.</span><span class="nf">findByEmail</span><span class="p">(</span><span class="nx">userData</span><span class="p">.</span><span class="nx">email</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">existingUser</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">EMAIL_EXISTS</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Hash password (business logic)</span> <span class="kd">const</span> <span class="nx">hashedPassword</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">hash</span><span class="p">(</span><span class="nx">userData</span><span class="p">.</span><span class="nx">password</span><span class="p">,</span> <span class="mi">10</span><span class="p">);</span> <span class="c1">// Create user</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">userRepository</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="p">...</span><span class="nx">userData</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="nx">hashedPassword</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="dl">'</span><span class="s1">user</span><span class="dl">'</span><span class="p">,</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">active</span><span class="dl">'</span> <span class="p">});</span> <span class="c1">// Send welcome email (business logic)</span> <span class="k">await</span> <span class="nx">emailService</span><span class="p">.</span><span class="nf">sendWelcomeEmail</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="nx">user</span><span class="p">.</span><span class="nx">name</span><span class="p">);</span> <span class="c1">// Return safe user object</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">password</span><span class="p">,</span> <span class="p">...</span><span class="nx">safeUser</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">user</span><span class="p">;</span> <span class="k">return</span> <span class="nx">safeUser</span><span class="p">;</span> <span class="p">};</span> <span class="c1">// repositories/userRepository.js</span> <span class="kd">const</span> <span class="nx">db</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">../config/database</span><span class="dl">'</span><span class="p">);</span> <span class="nx">exports</span><span class="p">.</span><span class="nx">create</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">userData</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">query</span> <span class="o">=</span> <span class="s2">` INSERT INTO users (name, email, password, role, status) VALUES ($1, $2, $3, $4, $5) RETURNING id, name, email, role, status, created_at `</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">values</span> <span class="o">=</span> <span class="p">[</span> <span class="nx">userData</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="nx">userData</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="nx">userData</span><span class="p">.</span><span class="nx">password</span><span class="p">,</span> <span class="nx">userData</span><span class="p">.</span><span class="nx">role</span><span class="p">,</span> <span class="nx">userData</span><span class="p">.</span><span class="nx">status</span> <span class="p">];</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="nx">query</span><span class="p">,</span> <span class="nx">values</span><span class="p">);</span> <span class="k">return</span> <span class="nx">result</span><span class="p">.</span><span class="nx">rows</span><span class="p">[</span><span class="mi">0</span><span class="p">];</span> <span class="p">};</span> <span class="nx">exports</span><span class="p">.</span><span class="nx">findByEmail</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">email</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">query</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">SELECT * FROM users WHERE email = $1</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="nx">query</span><span class="p">,</span> <span class="p">[</span><span class="nx">email</span><span class="p">]);</span> <span class="k">return</span> <span class="nx">result</span><span class="p">.</span><span class="nx">rows</span><span class="p">[</span><span class="mi">0</span><span class="p">];</span> <span class="p">};</span> </code></pre> </div> <h2> Key Takeaways </h2> <ol> <li> <strong>Separation of concerns</strong> makes your code maintainable and testable</li> <li> <strong>Middlewares</strong> handle cross-cutting concerns like auth, logging, and validation</li> <li> <strong>Controllers</strong> manage HTTP concerns and orchestrate the flow</li> <li> <strong>Services</strong> contain business logic and should be framework-agnostic</li> <li> <strong>Repositories</strong> abstract database operations</li> <li> <strong>Request context</strong> shares metadata across the request lifecycle</li> <li> <strong>Order matters</strong> especially with middlewares</li> </ol> <p>This architecture isn't just for large applications—even small projects benefit from this organization. It makes your code easier to understand, test, and scale as your application grows.</p> <p>Happy coding! 🚀</p> webdev programming beginners tutorial Validations and Transformations in Backend Development Yukti Sahu Tue, 25 Nov 2025 16:36:56 +0000 https://forem.com/yuktisays/validations-and-transformations-in-backend-development-4h7g https://forem.com/yuktisays/validations-and-transformations-in-backend-development-4h7g <h2> Backend Architecture — The Layer Cake of Backend Development </h2> <p>Think of your backend as a well-organized kitchen where each station has a specific job. This document breaks down the major backend layers and examples (JavaScript / Node/Express code) for each.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────┐ │ Middleware (Validation) │ ← Guards the entrance ├─────────────────────────────────────┤ │ Controllers (HTTP Handlers) │ ← Manages requests/responses ├─────────────────────────────────────┤ │ Service Layer (Business Logic) │ ← Where the magic happens ├─────────────────────────────────────┤ │ Repository (Database Access) │ ← Talks to the database └─────────────────────────────────────┘ </code></pre> </div> <h2> 1) Repository Layer (Bottom Layer) </h2> <p>This is the foundation — it directly talks to your database.</p> <p>Why separate this layer?</p> <ul> <li>Keeps SQL or DB queries in one place</li> <li>Easier to switch databases (MySQL → PostgreSQL) by only changing repository code</li> <li>Easier to unit test database operations independently</li> </ul> <h3> Example: User Repository </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Example: UserRepository</span> <span class="kd">class</span> <span class="nc">UserRepository</span> <span class="p">{</span> <span class="c1">// This method ONLY deals with database operations</span> <span class="k">async</span> <span class="nf">findUserByEmail</span><span class="p">(</span><span class="nx">email</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Using a database query to fetch user</span> <span class="k">return</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">'</span><span class="s1">SELECT * FROM users WHERE email = ?</span><span class="dl">'</span><span class="p">,</span> <span class="p">[</span><span class="nx">email</span><span class="p">]);</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">createUser</span><span class="p">(</span><span class="nx">userData</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Insert new user into database</span> <span class="k">return</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span> <span class="dl">'</span><span class="s1">INSERT INTO users (name, email, password) VALUES (?, ?, ?)</span><span class="dl">'</span><span class="p">,</span> <span class="p">[</span><span class="nx">userData</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="nx">userData</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="nx">userData</span><span class="p">.</span><span class="nx">password</span><span class="p">]</span> <span class="p">);</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">updateUserLastLogin</span><span class="p">(</span><span class="nx">userId</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Update user's last login timestamp</span> <span class="k">return</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span> <span class="dl">'</span><span class="s1">UPDATE users SET last_login = NOW() WHERE id = ?</span><span class="dl">'</span><span class="p">,</span> <span class="p">[</span><span class="nx">userId</span><span class="p">]</span> <span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> 2) Service Layer (Business Logic Layer) </h2> <p>This is where your application's brain lives. It orchestrates multiple operations and calls repository functions, external services, etc.</p> <p>Why this layer is important:</p> <ul> <li>Reusability: calling the same business logic from different controllers or handlers</li> <li>Easier to unit test business rules without HTTP semantics</li> <li>Keeps controller thin</li> </ul> <h3> Example: User Service </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">class</span> <span class="nc">UserService</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">userRepository</span><span class="p">,</span> <span class="nx">emailService</span><span class="p">,</span> <span class="nx">webhookService</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">userRepository</span> <span class="o">=</span> <span class="nx">userRepository</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">emailService</span> <span class="o">=</span> <span class="nx">emailService</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">webhookService</span> <span class="o">=</span> <span class="nx">webhookService</span><span class="p">;</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">registerUser</span><span class="p">(</span><span class="nx">userData</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">existingUser</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">userRepository</span><span class="p">.</span><span class="nf">findUserByEmail</span><span class="p">(</span><span class="nx">userData</span><span class="p">.</span><span class="nx">email</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">existingUser</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">User already exists with this email</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">hashedPassword</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">hash</span><span class="p">(</span><span class="nx">userData</span><span class="p">.</span><span class="nx">password</span><span class="p">,</span> <span class="mi">10</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">newUser</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">userRepository</span><span class="p">.</span><span class="nf">createUser</span><span class="p">({</span> <span class="p">...</span><span class="nx">userData</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="nx">hashedPassword</span> <span class="p">});</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">emailService</span><span class="p">.</span><span class="nf">sendWelcomeEmail</span><span class="p">(</span><span class="nx">newUser</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="nx">newUser</span><span class="p">.</span><span class="nx">name</span><span class="p">);</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">webhookService</span><span class="p">.</span><span class="nf">notifyUserCreated</span><span class="p">(</span><span class="nx">newUser</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">newUser</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="nx">newUser</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nx">newUser</span><span class="p">.</span><span class="nx">email</span> <span class="p">};</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">loginUser</span><span class="p">(</span><span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">userRepository</span><span class="p">.</span><span class="nf">findUserByEmail</span><span class="p">(</span><span class="nx">email</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Invalid credentials</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">isPasswordValid</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">compare</span><span class="p">(</span><span class="nx">password</span><span class="p">,</span> <span class="nx">user</span><span class="p">.</span><span class="nx">password</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">isPasswordValid</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Invalid credentials</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">userRepository</span><span class="p">.</span><span class="nf">updateUserLastLogin</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">({</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span> <span class="p">},</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">JWT_SECRET</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">token</span><span class="p">,</span> <span class="na">user</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">email</span> <span class="p">}</span> <span class="p">};</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> 3) Controller Layer (HTTP Handler) </h2> <p>This layer handles Express-specific logic: reading <code>req</code>, sending <code>res</code>, HTTP status codes, and calling services.</p> <h3> Controller Example: User Controller </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">class</span> <span class="nc">UserController</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">userService</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">userService</span> <span class="o">=</span> <span class="nx">userService</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Handle user registration endpoint</span> <span class="k">async</span> <span class="nf">register</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">userService</span><span class="p">.</span><span class="nf">registerUser</span><span class="p">({</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">201</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">User registered successfully</span><span class="dl">'</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="nx">result</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="nx">error</span><span class="p">.</span><span class="nx">message</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Handle user login endpoint</span> <span class="k">async</span> <span class="nf">login</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">userService</span><span class="p">.</span><span class="nf">loginUser</span><span class="p">(</span><span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">);</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Login successful</span><span class="dl">'</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="nx">result</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="nx">error</span><span class="p">.</span><span class="nx">message</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Handle getting user profile</span> <span class="k">async</span> <span class="nf">getProfile</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">userId</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">userService</span><span class="p">.</span><span class="nf">getUserById</span><span class="p">(</span><span class="nx">userId</span><span class="p">);</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="nx">user</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">404</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">User not found</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> 4) Middleware Layer (The Gatekeeper) </h2> <p>Middleware sits before controllers to enforce security, validation, and transformation.</p> <h3> Example: Authentication Middleware </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">authMiddleware</span> <span class="o">=</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nx">authorization</span><span class="p">?.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1"> </span><span class="dl">'</span><span class="p">)[</span><span class="mi">1</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">No token provided, authorization denied</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">decoded</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">JWT_SECRET</span><span class="p">);</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span> <span class="o">=</span> <span class="nx">decoded</span><span class="p">;</span> <span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid token</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <h3> Example: Validation Middleware </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">validateUserRegistration</span> <span class="o">=</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">name</span> <span class="o">||</span> <span class="o">!</span><span class="nx">email</span> <span class="o">||</span> <span class="o">!</span><span class="nx">password</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Name, email, and password are required</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">emailRegex</span> <span class="o">=</span> <span class="sr">/^</span><span class="se">[^\s</span><span class="sr">@</span><span class="se">]</span><span class="sr">+@</span><span class="se">[^\s</span><span class="sr">@</span><span class="se">]</span><span class="sr">+</span><span class="se">\.[^\s</span><span class="sr">@</span><span class="se">]</span><span class="sr">+$/</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">emailRegex</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="nx">email</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid email format</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">password</span><span class="p">.</span><span class="nx">length</span> <span class="o">&lt;</span> <span class="mi">8</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Password must be at least 8 characters long</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="nf">next</span><span class="p">();</span> <span class="p">};</span> <span class="c1">// Using middleware in routes</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/register</span><span class="dl">'</span><span class="p">,</span> <span class="nx">validateUserRegistration</span><span class="p">,</span> <span class="nx">userController</span><span class="p">.</span><span class="nx">register</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/profile</span><span class="dl">'</span><span class="p">,</span> <span class="nx">authMiddleware</span><span class="p">,</span> <span class="nx">userController</span><span class="p">.</span><span class="nx">getProfile</span><span class="p">);</span> </code></pre> </div> <p>Why use middleware?</p> <ul> <li>Security: stop unauthorized access BEFORE business logic</li> <li>Data validation: catch bad data early</li> <li>Reuse logic across routes</li> <li>Keep controllers focused on business flow</li> </ul> <h2> Understanding Errors: The Three Types </h2> <p>Errors encountered while validating/processing data typically fall into these categories: Syntactic, Type validation, and Semantic validation.</p> <h3> 1) Syntactic Errors (Structure Problems) </h3> <p>These are errors where the data format itself is wrong.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">validateJsonSyntax</span> <span class="o">=</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">req</span><span class="p">.</span><span class="nf">is</span><span class="p">(</span><span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Syntactic Error</span><span class="dl">'</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Content-Type must be application/json</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="nf">next</span><span class="p">();</span> <span class="p">};</span> </code></pre> </div> <p>Common syntactic issues:</p> <ul> <li>Missing quotes: <code>{name: John}</code> (invalid) vs <code>{"name":"John"}</code> (valid)</li> <li>Trailing commas</li> <li>Using single quotes for JSON</li> </ul> <h3> 2) Type Validation Errors (Wrong Data Type) </h3> <p>The structure is correct, but data types are incorrect.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">validateUserTypes</span> <span class="o">=</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">age</span><span class="p">,</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">isActive</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="k">typeof</span> <span class="nx">name</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Type Validation Error</span><span class="dl">'</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Name must be a string</span><span class="dl">'</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="k">typeof</span> <span class="nx">age</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">number</span><span class="dl">'</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Type Validation Error</span><span class="dl">'</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Age must be a number</span><span class="dl">'</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="k">typeof</span> <span class="nx">email</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Type Validation Error</span><span class="dl">'</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Email must be a string</span><span class="dl">'</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="k">typeof</span> <span class="nx">isActive</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">boolean</span><span class="dl">'</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Type Validation Error</span><span class="dl">'</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">isActive must be a boolean</span><span class="dl">'</span> <span class="p">});</span> <span class="nf">next</span><span class="p">();</span> <span class="p">};</span> </code></pre> </div> <h3> 3) Semantic Validation Errors (Wrong Meaning/Logic) </h3> <p>Type is correct, but the value doesn't make sense in your business context.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">validateUserSemantics</span> <span class="o">=</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">age</span><span class="p">,</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">birthDate</span><span class="p">,</span> <span class="nx">country</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">age</span> <span class="o">&lt;</span> <span class="mi">0</span> <span class="o">||</span> <span class="nx">age</span> <span class="o">&gt;</span> <span class="mi">150</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Semantic Validation Error</span><span class="dl">'</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Age must be between 0 and 150</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">emailRegex</span> <span class="o">=</span> <span class="sr">/^</span><span class="se">[^\s</span><span class="sr">@</span><span class="se">]</span><span class="sr">+@</span><span class="se">[^\s</span><span class="sr">@</span><span class="se">]</span><span class="sr">+</span><span class="se">\.[^\s</span><span class="sr">@</span><span class="se">]</span><span class="sr">+$/</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">emailRegex</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="nx">email</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Semantic Validation Error</span><span class="dl">'</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Email format is invalid</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">birth</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nx">birthDate</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">birth</span> <span class="o">&gt;</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">())</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Semantic Validation Error</span><span class="dl">'</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Birth date cannot be in the future</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">validCountries</span> <span class="o">=</span> <span class="p">[</span><span class="dl">'</span><span class="s1">US</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">UK</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">IN</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">CA</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">AU</span><span class="dl">'</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">validCountries</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">country</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Semantic Validation Error</span><span class="dl">'</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid country code</span><span class="dl">'</span><span class="p">,</span> <span class="na">allowedValues</span><span class="p">:</span> <span class="nx">validCountries</span> <span class="p">});</span> <span class="p">}</span> <span class="nf">next</span><span class="p">();</span> <span class="p">};</span> </code></pre> </div> <h2> Transformations: Shaping Data Into What You Need </h2> <p>Transformations convert incoming data into a consistent format suitable for your business logic and storage.</p> <p>Why transform?</p> <ul> <li>Normalize casing</li> <li>Trim whitespace</li> <li>Convert strings to numbers, booleans, dates</li> <li>Remove special chars (e.g., phone formatting)</li> </ul> <h3> Frontend client example </h3> <p>Input:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">" John Doe "</span><span class="p">,</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="w"> </span><span class="s2">"JOHN@EXAMPLE.COM"</span><span class="p">,</span><span class="w"> </span><span class="nl">"phone"</span><span class="p">:</span><span class="w"> </span><span class="s2">"123-456-7890"</span><span class="p">,</span><span class="w"> </span><span class="nl">"age"</span><span class="p">:</span><span class="w"> </span><span class="s2">"25"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>After server transform:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"John Doe"</span><span class="p">,</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="w"> </span><span class="s2">"john@example.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"phone"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1234567890"</span><span class="p">,</span><span class="w"> </span><span class="nl">"age"</span><span class="p">:</span><span class="w"> </span><span class="mi">25</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Example: Transformation Middleware </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">transformUserInput</span> <span class="o">=</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">phone</span><span class="p">,</span> <span class="nx">age</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">transformedData</span> <span class="o">=</span> <span class="p">{};</span> <span class="k">if </span><span class="p">(</span><span class="nx">name</span><span class="p">)</span> <span class="nx">transformedData</span><span class="p">.</span><span class="nx">name</span> <span class="o">=</span> <span class="nx">name</span><span class="p">.</span><span class="nf">trim</span><span class="p">().</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1"> </span><span class="dl">'</span><span class="p">).</span><span class="nf">map</span><span class="p">(</span><span class="nx">w</span> <span class="o">=&gt;</span> <span class="nx">w</span><span class="p">.</span><span class="nf">charAt</span><span class="p">(</span><span class="mi">0</span><span class="p">).</span><span class="nf">toUpperCase</span><span class="p">()</span><span class="o">+</span><span class="nx">w</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="mi">1</span><span class="p">).</span><span class="nf">toLowerCase</span><span class="p">()).</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="s1"> </span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">email</span><span class="p">)</span> <span class="nx">transformedData</span><span class="p">.</span><span class="nx">email</span> <span class="o">=</span> <span class="nx">email</span><span class="p">.</span><span class="nf">trim</span><span class="p">().</span><span class="nf">toLowerCase</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="nx">phone</span><span class="p">)</span> <span class="nx">transformedData</span><span class="p">.</span><span class="nx">phone</span> <span class="o">=</span> <span class="nx">phone</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/</span><span class="se">\D</span><span class="sr">/g</span><span class="p">,</span> <span class="dl">''</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">age</span><span class="p">)</span> <span class="nx">transformedData</span><span class="p">.</span><span class="nx">age</span> <span class="o">=</span> <span class="nf">parseInt</span><span class="p">(</span><span class="nx">age</span><span class="p">,</span> <span class="mi">10</span><span class="p">);</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span> <span class="o">=</span> <span class="nx">transformedData</span><span class="p">;</span> <span class="nf">next</span><span class="p">();</span> <span class="p">};</span> <span class="c1">// Usage</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users</span><span class="dl">'</span><span class="p">,</span> <span class="nx">transformUserInput</span><span class="p">,</span> <span class="nx">validateUserTypes</span><span class="p">,</span> <span class="nx">userController</span><span class="p">.</span><span class="nx">register</span><span class="p">);</span> </code></pre> </div> <h3> Query Parameter Transformation </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">transformQueryParams</span> <span class="o">=</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">page</span><span class="p">,</span> <span class="nx">limit</span><span class="p">,</span> <span class="nx">sortBy</span><span class="p">,</span> <span class="nx">minPrice</span><span class="p">,</span> <span class="nx">inStock</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">;</span> <span class="nx">req</span><span class="p">.</span><span class="nx">queryParams</span> <span class="o">=</span> <span class="p">{</span> <span class="na">page</span><span class="p">:</span> <span class="nx">page</span> <span class="p">?</span> <span class="nf">parseInt</span><span class="p">(</span><span class="nx">page</span><span class="p">,</span> <span class="mi">10</span><span class="p">)</span> <span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">limit</span><span class="p">:</span> <span class="nx">limit</span> <span class="p">?</span> <span class="nf">parseInt</span><span class="p">(</span><span class="nx">limit</span><span class="p">,</span> <span class="mi">10</span><span class="p">)</span> <span class="p">:</span> <span class="mi">20</span><span class="p">,</span> <span class="na">sortBy</span><span class="p">:</span> <span class="nx">sortBy</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">createdAt</span><span class="dl">'</span><span class="p">,</span> <span class="na">minPrice</span><span class="p">:</span> <span class="nx">minPrice</span> <span class="p">?</span> <span class="nf">parseFloat</span><span class="p">(</span><span class="nx">minPrice</span><span class="p">)</span> <span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="na">inStock</span><span class="p">:</span> <span class="nx">inStock</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">true</span><span class="dl">'</span> <span class="p">};</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">queryParams</span><span class="p">.</span><span class="nx">page</span> <span class="o">&lt;</span> <span class="mi">1</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid page number</span><span class="dl">'</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">queryParams</span><span class="p">.</span><span class="nx">limit</span> <span class="o">&lt;</span> <span class="mi">1</span> <span class="o">||</span> <span class="nx">req</span><span class="p">.</span><span class="nx">queryParams</span><span class="p">.</span><span class="nx">limit</span> <span class="o">&gt;</span> <span class="mi">100</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid limit</span><span class="dl">'</span> <span class="p">});</span> <span class="nf">next</span><span class="p">();</span> <span class="p">};</span> </code></pre> </div> <h3> Date Transformation &amp; Validation </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">transformDates</span> <span class="o">=</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">startDate</span><span class="p">,</span> <span class="nx">endDate</span><span class="p">,</span> <span class="nx">birthDate</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">startDate</span><span class="p">)</span> <span class="p">{</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">startDate</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nx">startDate</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nf">isNaN</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">startDate</span><span class="p">.</span><span class="nf">getTime</span><span class="p">()))</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid startDate format</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">endDate</span><span class="p">)</span> <span class="p">{</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">endDate</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nx">endDate</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nf">isNaN</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">endDate</span><span class="p">.</span><span class="nf">getTime</span><span class="p">()))</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid endDate format</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">birthDate</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">birth</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nx">birthDate</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nf">isNaN</span><span class="p">(</span><span class="nx">birth</span><span class="p">.</span><span class="nf">getTime</span><span class="p">()))</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid birthDate format</span><span class="dl">'</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">today</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">();</span> <span class="kd">let</span> <span class="nx">age</span> <span class="o">=</span> <span class="nx">today</span><span class="p">.</span><span class="nf">getFullYear</span><span class="p">()</span> <span class="o">-</span> <span class="nx">birth</span><span class="p">.</span><span class="nf">getFullYear</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">monthDiff</span> <span class="o">=</span> <span class="nx">today</span><span class="p">.</span><span class="nf">getMonth</span><span class="p">()</span> <span class="o">-</span> <span class="nx">birth</span><span class="p">.</span><span class="nf">getMonth</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="nx">monthDiff</span> <span class="o">&lt;</span> <span class="mi">0</span> <span class="o">||</span> <span class="p">(</span><span class="nx">monthDiff</span> <span class="o">===</span> <span class="mi">0</span> <span class="o">&amp;&amp;</span> <span class="nx">today</span><span class="p">.</span><span class="nf">getDate</span><span class="p">()</span> <span class="o">&lt;</span> <span class="nx">birth</span><span class="p">.</span><span class="nf">getDate</span><span class="p">()))</span> <span class="nx">age</span><span class="o">--</span><span class="p">;</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">birthDate</span> <span class="o">=</span> <span class="nx">birth</span><span class="p">;</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">age</span> <span class="o">=</span> <span class="nx">age</span><span class="p">;</span> <span class="p">}</span> <span class="nf">next</span><span class="p">();</span> <span class="p">};</span> </code></pre> </div> <h2> Client-Side vs Server-Side Validation </h2> <p>Think of client-side validation as a helpful sign (UX) and server-side validation as security screening — both are necessary.</p> <h3> Client-Side (React example) </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">function</span> <span class="nf">RegistrationForm</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">errors</span><span class="p">,</span> <span class="nx">setErrors</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">({});</span> <span class="kd">const</span> <span class="nx">validateForm</span> <span class="o">=</span> <span class="p">(</span><span class="nx">formData</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">newErrors</span> <span class="o">=</span> <span class="p">{};</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">formData</span><span class="p">.</span><span class="nx">name</span><span class="p">)</span> <span class="nx">newErrors</span><span class="p">.</span><span class="nx">name</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">Name is required</span><span class="dl">'</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">formData</span><span class="p">.</span><span class="nx">email</span><span class="p">)</span> <span class="nx">newErrors</span><span class="p">.</span><span class="nx">email</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">Email is required</span><span class="dl">'</span><span class="p">;</span> <span class="k">else</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="sr">/^</span><span class="se">[^\s</span><span class="sr">@</span><span class="se">]</span><span class="sr">+@</span><span class="se">[^\s</span><span class="sr">@</span><span class="se">]</span><span class="sr">+</span><span class="se">\.[^\s</span><span class="sr">@</span><span class="se">]</span><span class="sr">+$/</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="nx">formData</span><span class="p">.</span><span class="nx">email</span><span class="p">))</span> <span class="nx">newErrors</span><span class="p">.</span><span class="nx">email</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">Invalid format</span><span class="dl">'</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">formData</span><span class="p">.</span><span class="nx">password</span><span class="p">)</span> <span class="nx">newErrors</span><span class="p">.</span><span class="nx">password</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">Password is required</span><span class="dl">'</span><span class="p">;</span> <span class="k">else</span> <span class="k">if </span><span class="p">(</span><span class="nx">formData</span><span class="p">.</span><span class="nx">password</span><span class="p">.</span><span class="nx">length</span> <span class="o">&lt;</span> <span class="mi">8</span><span class="p">)</span> <span class="nx">newErrors</span><span class="p">.</span><span class="nx">password</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">Password must be at least 8 characters</span><span class="dl">'</span><span class="p">;</span> <span class="nf">setErrors</span><span class="p">(</span><span class="nx">newErrors</span><span class="p">);</span> <span class="k">return</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">keys</span><span class="p">(</span><span class="nx">newErrors</span><span class="p">).</span><span class="nx">length</span> <span class="o">===</span> <span class="mi">0</span><span class="p">;</span> <span class="p">};</span> <span class="c1">// ...handle submit, fetch API</span> <span class="p">}</span> </code></pre> </div> <p>Pros:</p> <ul> <li>Better UX, instant feedback</li> <li>Reduces server load</li> <li>Faster response</li> </ul> <p>Limitations:</p> <ul> <li>Not secure (easily bypassed)</li> <li>Can't verify database constraints</li> </ul> <h3> Server-Side (Node/Express example) </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">validateRegistration</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">errors</span> <span class="o">=</span> <span class="p">{};</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">name</span> <span class="o">||</span> <span class="o">!</span><span class="nx">name</span><span class="p">.</span><span class="nf">trim</span><span class="p">())</span> <span class="nx">errors</span><span class="p">.</span><span class="nx">name</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">Name is required and cannot be empty</span><span class="dl">'</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">email</span><span class="p">)</span> <span class="nx">errors</span><span class="p">.</span><span class="nx">email</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">Email is required</span><span class="dl">'</span><span class="p">;</span> <span class="k">else</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="sr">/^</span><span class="se">[^\s</span><span class="sr">@</span><span class="se">]</span><span class="sr">+@</span><span class="se">[^\s</span><span class="sr">@</span><span class="se">]</span><span class="sr">+</span><span class="se">\.[^\s</span><span class="sr">@</span><span class="se">]</span><span class="sr">+$/</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="nx">email</span><span class="p">))</span> <span class="nx">errors</span><span class="p">.</span><span class="nx">email</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">Invalid email format</span><span class="dl">'</span><span class="p">;</span> <span class="k">else</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">existingUser</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">userRepository</span><span class="p">.</span><span class="nf">findByEmail</span><span class="p">(</span><span class="nx">email</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">existingUser</span><span class="p">)</span> <span class="nx">errors</span><span class="p">.</span><span class="nx">email</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">Email is already registered</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">password</span><span class="p">)</span> <span class="nx">errors</span><span class="p">.</span><span class="nx">password</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">Password is required</span><span class="dl">'</span><span class="p">;</span> <span class="k">else</span> <span class="k">if </span><span class="p">(</span><span class="nx">password</span><span class="p">.</span><span class="nx">length</span> <span class="o">&lt;</span> <span class="mi">8</span><span class="p">)</span> <span class="nx">errors</span><span class="p">.</span><span class="nx">password</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">Password must be at least 8 characters</span><span class="dl">'</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nb">Object</span><span class="p">.</span><span class="nf">keys</span><span class="p">(</span><span class="nx">errors</span><span class="p">).</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="nx">errors</span> <span class="p">});</span> <span class="nf">next</span><span class="p">();</span> <span class="p">};</span> </code></pre> </div> <p>Pros:</p> <ul> <li>Security and data integrity</li> <li>Database checks and complex business rules</li> </ul> <p>The Golden Rule: Always Do Both — client for UX, server for security.</p> <h2> How Developers Should Approach This (DRY principle) </h2> <ul> <li>Define validation rules in a single place and reuse them across frontend and backend</li> <li>Create a generic validator function and re-use it across layers</li> </ul> <h3> Example: Single Source Validation Rules </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">validationRules</span> <span class="o">=</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="p">{</span> <span class="na">required</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">minLength</span><span class="p">:</span> <span class="mi">2</span><span class="p">,</span> <span class="na">maxLength</span><span class="p">:</span> <span class="mi">50</span><span class="p">,</span> <span class="na">pattern</span><span class="p">:</span> <span class="sr">/^</span><span class="se">[</span><span class="sr">a-zA-Z</span><span class="se">\s]</span><span class="sr">+$/</span> <span class="p">},</span> <span class="na">email</span><span class="p">:</span> <span class="p">{</span> <span class="na">required</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">pattern</span><span class="p">:</span> <span class="sr">/^</span><span class="se">[^\s</span><span class="sr">@</span><span class="se">]</span><span class="sr">+@</span><span class="se">[^\s</span><span class="sr">@</span><span class="se">]</span><span class="sr">+</span><span class="se">\.[^\s</span><span class="sr">@</span><span class="se">]</span><span class="sr">+$/</span> <span class="p">},</span> <span class="na">password</span><span class="p">:</span> <span class="p">{</span> <span class="na">required</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">minLength</span><span class="p">:</span> <span class="mi">8</span><span class="p">,</span> <span class="na">maxLength</span><span class="p">:</span> <span class="mi">100</span><span class="p">,</span> <span class="na">pattern</span><span class="p">:</span> <span class="sr">/^</span><span class="se">(?=</span><span class="sr">.*</span><span class="se">[</span><span class="sr">a-z</span><span class="se">])(?=</span><span class="sr">.*</span><span class="se">[</span><span class="sr">A-Z</span><span class="se">])(?=</span><span class="sr">.*</span><span class="se">\d)(?=</span><span class="sr">.*</span><span class="se">[</span><span class="sr">@$!%*?&amp;</span><span class="se">])[</span><span class="sr">A-Za-z</span><span class="se">\d</span><span class="sr">@$!%*?&amp;</span><span class="se">]</span><span class="sr">/</span> <span class="p">}</span> <span class="p">};</span> <span class="kd">function</span> <span class="nf">validateField</span><span class="p">(</span><span class="nx">value</span><span class="p">,</span> <span class="nx">rules</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">rules</span><span class="p">.</span><span class="nx">required</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nx">value</span><span class="p">)</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">Field is required</span><span class="dl">'</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">rules</span><span class="p">.</span><span class="nx">minLength</span> <span class="o">&amp;&amp;</span> <span class="nx">value</span><span class="p">.</span><span class="nx">length</span> <span class="o">&lt;</span> <span class="nx">rules</span><span class="p">.</span><span class="nx">minLength</span><span class="p">)</span> <span class="k">return</span> <span class="s2">`Must be at least </span><span class="p">${</span><span class="nx">rules</span><span class="p">.</span><span class="nx">minLength</span><span class="p">}</span><span class="s2"> characters`</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">rules</span><span class="p">.</span><span class="nx">maxLength</span> <span class="o">&amp;&amp;</span> <span class="nx">value</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="nx">rules</span><span class="p">.</span><span class="nx">maxLength</span><span class="p">)</span> <span class="k">return</span> <span class="s2">`Must be at most </span><span class="p">${</span><span class="nx">rules</span><span class="p">.</span><span class="nx">maxLength</span><span class="p">}</span><span class="s2"> characters`</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">rules</span><span class="p">.</span><span class="nx">pattern</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nx">rules</span><span class="p">.</span><span class="nx">pattern</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="nx">value</span><span class="p">))</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">Invalid format</span><span class="dl">'</span><span class="p">;</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Reuse the same functions on both frontend and backend</span> </code></pre> </div> <h2> Real-World Example: Complete User Registration Flow </h2> <p>A complete example: shared validation rules, transform middleware, validation middleware, repository, service, controller, and router.</p> <h3> 1) Validation Rules (shared) </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">userValidationRules</span> <span class="o">=</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="p">{</span> <span class="na">required</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">minLength</span><span class="p">:</span> <span class="mi">2</span><span class="p">,</span> <span class="na">maxLength</span><span class="p">:</span> <span class="mi">50</span><span class="p">,</span> <span class="na">errorMessages</span><span class="p">:</span> <span class="p">{</span> <span class="na">required</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Name is required</span><span class="dl">'</span><span class="p">,</span> <span class="na">minLength</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Name must be at least 2 characters</span><span class="dl">'</span><span class="p">,</span> <span class="na">maxLength</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Name cannot exceed 50 characters</span><span class="dl">'</span> <span class="p">}</span> <span class="p">},</span> <span class="na">email</span><span class="p">:</span> <span class="p">{</span> <span class="na">required</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">pattern</span><span class="p">:</span> <span class="sr">/^</span><span class="se">[^\s</span><span class="sr">@</span><span class="se">]</span><span class="sr">+@</span><span class="se">[^\s</span><span class="sr">@</span><span class="se">]</span><span class="sr">+</span><span class="se">\.[^\s</span><span class="sr">@</span><span class="se">]</span><span class="sr">+$/</span><span class="p">,</span> <span class="na">errorMessages</span><span class="p">:</span> <span class="p">{</span> <span class="na">required</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Email is required</span><span class="dl">'</span><span class="p">,</span> <span class="na">pattern</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Please enter a valid email address</span><span class="dl">'</span> <span class="p">}</span> <span class="p">},</span> <span class="na">password</span><span class="p">:</span> <span class="p">{</span> <span class="na">required</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">minLength</span><span class="p">:</span> <span class="mi">8</span><span class="p">,</span> <span class="na">pattern</span><span class="p">:</span> <span class="sr">/^</span><span class="se">(?=</span><span class="sr">.*</span><span class="se">[</span><span class="sr">a-z</span><span class="se">])(?=</span><span class="sr">.*</span><span class="se">[</span><span class="sr">A-Z</span><span class="se">])(?=</span><span class="sr">.*</span><span class="se">\d)(?=</span><span class="sr">.*</span><span class="se">[</span><span class="sr">@$!%*?&amp;</span><span class="se">])</span><span class="sr">/</span><span class="p">,</span> <span class="na">errorMessages</span><span class="p">:</span> <span class="p">{</span> <span class="na">required</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Password is required</span><span class="dl">'</span><span class="p">,</span> <span class="na">minLength</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Password must be at least 8 characters</span><span class="dl">'</span><span class="p">,</span> <span class="na">pattern</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Password must contain uppercase, lowercase, number, and special character</span><span class="dl">'</span> <span class="p">}</span> <span class="p">},</span> <span class="na">age</span><span class="p">:</span> <span class="p">{</span> <span class="na">required</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">min</span><span class="p">:</span> <span class="mi">18</span><span class="p">,</span> <span class="na">max</span><span class="p">:</span> <span class="mi">120</span><span class="p">,</span> <span class="na">errorMessages</span><span class="p">:</span> <span class="p">{</span> <span class="na">required</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Age is required</span><span class="dl">'</span><span class="p">,</span> <span class="na">min</span><span class="p">:</span> <span class="dl">'</span><span class="s1">You must be at least 18 years old</span><span class="dl">'</span><span class="p">,</span> <span class="na">max</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Please enter a valid age</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <h3> 2) Transformation Middleware </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">transformUserInput</span> <span class="o">=</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">,</span> <span class="nx">age</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span> <span class="o">=</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="nx">name</span> <span class="p">?</span> <span class="nx">name</span><span class="p">.</span><span class="nf">trim</span><span class="p">()</span> <span class="p">:</span> <span class="dl">''</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nx">email</span> <span class="p">?</span> <span class="nx">email</span><span class="p">.</span><span class="nf">trim</span><span class="p">().</span><span class="nf">toLowerCase</span><span class="p">()</span> <span class="p">:</span> <span class="dl">''</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="nx">password</span> <span class="o">||</span> <span class="dl">''</span><span class="p">,</span> <span class="na">age</span><span class="p">:</span> <span class="nx">age</span> <span class="p">?</span> <span class="nf">parseInt</span><span class="p">(</span><span class="nx">age</span><span class="p">,</span> <span class="mi">10</span><span class="p">)</span> <span class="p">:</span> <span class="kc">null</span> <span class="p">};</span> <span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Error processing input data</span><span class="dl">'</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="nx">error</span><span class="p">.</span><span class="nx">message</span> <span class="p">});</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <h3> 3) Validation Middleware </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">validateUserRegistration</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">,</span> <span class="nx">age</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">errors</span> <span class="o">=</span> <span class="p">{};</span> <span class="c1">// Name</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">name</span><span class="p">)</span> <span class="nx">errors</span><span class="p">.</span><span class="nx">name</span> <span class="o">=</span> <span class="nx">userValidationRules</span><span class="p">.</span><span class="nx">name</span><span class="p">.</span><span class="nx">errorMessages</span><span class="p">.</span><span class="nx">required</span><span class="p">;</span> <span class="k">else</span> <span class="k">if </span><span class="p">(</span><span class="nx">name</span><span class="p">.</span><span class="nx">length</span> <span class="o">&lt;</span> <span class="nx">userValidationRules</span><span class="p">.</span><span class="nx">name</span><span class="p">.</span><span class="nx">minLength</span><span class="p">)</span> <span class="nx">errors</span><span class="p">.</span><span class="nx">name</span> <span class="o">=</span> <span class="nx">userValidationRules</span><span class="p">.</span><span class="nx">name</span><span class="p">.</span><span class="nx">errorMessages</span><span class="p">.</span><span class="nx">minLength</span><span class="p">;</span> <span class="k">else</span> <span class="k">if </span><span class="p">(</span><span class="nx">name</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="nx">userValidationRules</span><span class="p">.</span><span class="nx">name</span><span class="p">.</span><span class="nx">maxLength</span><span class="p">)</span> <span class="nx">errors</span><span class="p">.</span><span class="nx">name</span> <span class="o">=</span> <span class="nx">userValidationRules</span><span class="p">.</span><span class="nx">name</span><span class="p">.</span><span class="nx">errorMessages</span><span class="p">.</span><span class="nx">maxLength</span><span class="p">;</span> <span class="c1">// Email</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">email</span><span class="p">)</span> <span class="nx">errors</span><span class="p">.</span><span class="nx">email</span> <span class="o">=</span> <span class="nx">userValidationRules</span><span class="p">.</span><span class="nx">email</span><span class="p">.</span><span class="nx">errorMessages</span><span class="p">.</span><span class="nx">required</span><span class="p">;</span> <span class="k">else</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">userValidationRules</span><span class="p">.</span><span class="nx">email</span><span class="p">.</span><span class="nx">pattern</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="nx">email</span><span class="p">))</span> <span class="nx">errors</span><span class="p">.</span><span class="nx">email</span> <span class="o">=</span> <span class="nx">userValidationRules</span><span class="p">.</span><span class="nx">email</span><span class="p">.</span><span class="nx">errorMessages</span><span class="p">.</span><span class="nx">pattern</span><span class="p">;</span> <span class="k">else</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">existingUser</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">userRepository</span><span class="p">.</span><span class="nf">findByEmail</span><span class="p">(</span><span class="nx">email</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">existingUser</span><span class="p">)</span> <span class="nx">errors</span><span class="p">.</span><span class="nx">email</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">This email is already registered</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Password</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">password</span><span class="p">)</span> <span class="nx">errors</span><span class="p">.</span><span class="nx">password</span> <span class="o">=</span> <span class="nx">userValidationRules</span><span class="p">.</span><span class="nx">password</span><span class="p">.</span><span class="nx">errorMessages</span><span class="p">.</span><span class="nx">required</span><span class="p">;</span> <span class="k">else</span> <span class="k">if </span><span class="p">(</span><span class="nx">password</span><span class="p">.</span><span class="nx">length</span> <span class="o">&lt;</span> <span class="nx">userValidationRules</span><span class="p">.</span><span class="nx">password</span><span class="p">.</span><span class="nx">minLength</span><span class="p">)</span> <span class="nx">errors</span><span class="p">.</span><span class="nx">password</span> <span class="o">=</span> <span class="nx">userValidationRules</span><span class="p">.</span><span class="nx">password</span><span class="p">.</span><span class="nx">errorMessages</span><span class="p">.</span><span class="nx">minLength</span><span class="p">;</span> <span class="k">else</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">userValidationRules</span><span class="p">.</span><span class="nx">password</span><span class="p">.</span><span class="nx">pattern</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="nx">password</span><span class="p">))</span> <span class="nx">errors</span><span class="p">.</span><span class="nx">password</span> <span class="o">=</span> <span class="nx">userValidationRules</span><span class="p">.</span><span class="nx">password</span><span class="p">.</span><span class="nx">errorMessages</span><span class="p">.</span><span class="nx">pattern</span><span class="p">;</span> <span class="c1">// Age</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">age</span><span class="p">)</span> <span class="nx">errors</span><span class="p">.</span><span class="nx">age</span> <span class="o">=</span> <span class="nx">userValidationRules</span><span class="p">.</span><span class="nx">age</span><span class="p">.</span><span class="nx">errorMessages</span><span class="p">.</span><span class="nx">required</span><span class="p">;</span> <span class="k">else</span> <span class="k">if </span><span class="p">(</span><span class="nx">age</span> <span class="o">&lt;</span> <span class="nx">userValidationRules</span><span class="p">.</span><span class="nx">age</span><span class="p">.</span><span class="nx">min</span><span class="p">)</span> <span class="nx">errors</span><span class="p">.</span><span class="nx">age</span> <span class="o">=</span> <span class="nx">userValidationRules</span><span class="p">.</span><span class="nx">age</span><span class="p">.</span><span class="nx">errorMessages</span><span class="p">.</span><span class="nx">min</span><span class="p">;</span> <span class="k">else</span> <span class="k">if </span><span class="p">(</span><span class="nx">age</span> <span class="o">&gt;</span> <span class="nx">userValidationRules</span><span class="p">.</span><span class="nx">age</span><span class="p">.</span><span class="nx">max</span><span class="p">)</span> <span class="nx">errors</span><span class="p">.</span><span class="nx">age</span> <span class="o">=</span> <span class="nx">userValidationRules</span><span class="p">.</span><span class="nx">age</span><span class="p">.</span><span class="nx">errorMessages</span><span class="p">.</span><span class="nx">max</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nb">Object</span><span class="p">.</span><span class="nf">keys</span><span class="p">(</span><span class="nx">errors</span><span class="p">).</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Validation failed</span><span class="dl">'</span><span class="p">,</span> <span class="nx">errors</span> <span class="p">});</span> <span class="nf">next</span><span class="p">();</span> <span class="p">};</span> </code></pre> </div> <h3> 4) Repository Layer (simplified) </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">class</span> <span class="nc">UserRepository</span> <span class="p">{</span> <span class="k">async</span> <span class="nf">findByEmail</span><span class="p">(</span><span class="nx">email</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">'</span><span class="s1">SELECT * FROM users WHERE email = ?</span><span class="dl">'</span><span class="p">,</span> <span class="p">[</span><span class="nx">email</span><span class="p">]);</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">create</span><span class="p">(</span><span class="nx">userData</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">'</span><span class="s1">INSERT INTO users (name, email, password, age, created_at) VALUES (?, ?, ?, ?, NOW())</span><span class="dl">'</span><span class="p">,</span> <span class="p">[</span><span class="nx">userData</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="nx">userData</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="nx">userData</span><span class="p">.</span><span class="nx">password</span><span class="p">,</span> <span class="nx">userData</span><span class="p">.</span><span class="nx">age</span><span class="p">]);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">result</span><span class="p">.</span><span class="nx">insertId</span><span class="p">,</span> <span class="p">...</span><span class="nx">userData</span> <span class="p">};</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> 5) Service Layer </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">class</span> <span class="nc">UserService</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">userRepository</span><span class="p">,</span> <span class="nx">emailService</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">userRepository</span> <span class="o">=</span> <span class="nx">userRepository</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">emailService</span> <span class="o">=</span> <span class="nx">emailService</span><span class="p">;</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">registerUser</span><span class="p">(</span><span class="nx">userData</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">hashedPassword</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">hash</span><span class="p">(</span><span class="nx">userData</span><span class="p">.</span><span class="nx">password</span><span class="p">,</span> <span class="mi">10</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">newUser</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">userRepository</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="p">...</span><span class="nx">userData</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="nx">hashedPassword</span> <span class="p">});</span> <span class="c1">// Send welcome email (async)</span> <span class="k">this</span><span class="p">.</span><span class="nx">emailService</span><span class="p">.</span><span class="nf">sendWelcomeEmail</span><span class="p">(</span><span class="nx">newUser</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="nx">newUser</span><span class="p">.</span><span class="nx">name</span><span class="p">).</span><span class="k">catch</span><span class="p">(</span><span class="nx">err</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Email error:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">err</span><span class="p">));</span> <span class="k">return</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">newUser</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="nx">newUser</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nx">newUser</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="na">age</span><span class="p">:</span> <span class="nx">newUser</span><span class="p">.</span><span class="nx">age</span> <span class="p">};</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> 6) Controller Layer </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">class</span> <span class="nc">UserController</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">userService</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">userService</span> <span class="o">=</span> <span class="nx">userService</span><span class="p">;</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">register</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">userService</span><span class="p">.</span><span class="nf">registerUser</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">);</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">201</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">User registered successfully</span><span class="dl">'</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="nx">result</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Registration error:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Internal server error</span><span class="dl">'</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">development</span><span class="dl">'</span> <span class="p">?</span> <span class="nx">error</span><span class="p">.</span><span class="nx">message</span> <span class="p">:</span> <span class="kc">undefined</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> 7) Routes (Putting it together) </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">router</span> <span class="o">=</span> <span class="nx">express</span><span class="p">.</span><span class="nc">Router</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">userRepository</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">UserRepository</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">emailService</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">EmailService</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">userService</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">UserService</span><span class="p">(</span><span class="nx">userRepository</span><span class="p">,</span> <span class="nx">emailService</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">userController</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">UserController</span><span class="p">(</span><span class="nx">userService</span><span class="p">);</span> <span class="nx">router</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/register</span><span class="dl">'</span><span class="p">,</span> <span class="nx">transformUserInput</span><span class="p">,</span> <span class="nx">validateUserRegistration</span><span class="p">,</span> <span class="nx">userController</span><span class="p">.</span><span class="nx">register</span><span class="p">.</span><span class="nf">bind</span><span class="p">(</span><span class="nx">userController</span><span class="p">));</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="nx">router</span><span class="p">;</span> </code></pre> </div> <h2> Key Takeaways ✅ </h2> <ul> <li>Layer Separation is critical: each layer has one job (Repository, Service, Controller, Middleware)</li> <li>Validation prevents disasters: syntactic, type-based, and semantic checks are all necessary</li> <li>Transform data early: normalize types and formats before they reach your business logic</li> <li>Client + Server validation = complete protection (UX + Security)</li> <li>Middleware is your friend: reusable, consistent, and keeps controllers focused</li> </ul> <p>By following these patterns, you can build robust, secure, and maintainable backend systems. Remember: <strong>validate early, transform carefully, and never trust user input.</strong> 🛡️</p> webdev programming beginners tutorial JWT vs Sessions: A Complete Guide to Modern Web Authentication (Security, Flow, and Best Practices) Yukti Sahu Sat, 22 Nov 2025 03:26:59 +0000 https://forem.com/yuktisays/jwt-vs-sessions-a-complete-guide-to-modern-web-authentication-security-flow-and-best-practices-1nf2 https://forem.com/yuktisays/jwt-vs-sessions-a-complete-guide-to-modern-web-authentication-security-flow-and-best-practices-1nf2 <h2> Table of Contents </h2> <ol> <li>Understanding HTTP Statelessness</li> <li>Sessions - The Traditional Approach</li> <li>JWT - Modern Stateless Authentication</li> <li>Cookies Explained</li> <li>Authentication Types</li> <li>OAuth 2.0 &amp; OpenID Connect</li> <li>When to Use What</li> </ol> <h2> 1. Understanding HTTP Statelessness </h2> <h3> The Problem </h3> <p>HTTP is <strong>stateless</strong> by design - it has no memory of past interactions. Each request is independent and the server doesn't remember previous requests from the same client.</p> <p><strong>Early Web (Static Websites):</strong></p> <ul> <li>Simple HTML pages</li> <li>No user accounts or personalization</li> <li>Statelessness wasn't a problem</li> </ul> <p><strong>Modern Web (Dynamic Content):</strong></p> <ul> <li>User profiles and dashboards</li> <li>Shopping carts</li> <li>Personalized content</li> <li>Need to keep users logged in</li> <li>Server needs to "remember" who you are</li> </ul> <h3> Why We Needed Sessions </h3> <p>When websites became dynamic, we needed <strong>stateful interactions</strong> - a way for the server to maintain context about each user across multiple requests.</p> <p><strong>Example Scenario:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Without Sessions: User logs in → Server verifies ✓ User views profile → Server asks: "Who are you?" ❌ User adds to cart → Server asks: "Who are you?" ❌ </code></pre> </div> <p>This is where <strong>sessions</strong> came to rescue!</p> <h2> 2. Sessions - The Traditional Approach </h2> <h3> How Sessions Work </h3> <p>A <strong>session</strong> is a temporary, server-side context that stores information about a user during their visit to a website.</p> <p><strong>Flow Diagram:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. User logs in (username + password) ↓ 2. Server validates credentials ✓ ↓ 3. Server creates unique Session ID ↓ 4. Session ID stored in database/Redis ↓ 5. Session ID sent to client as Cookie ↓ 6. Client sends cookie with every request ↓ 7. Server looks up session to identify user </code></pre> </div> <h3> Code Example - Session-Based Authentication </h3> <p><strong>Server-side (Node.js with Express):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express-session</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">RedisStore</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">connect-redis</span><span class="dl">'</span><span class="p">).</span><span class="k">default</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">redis</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">redis</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">redisClient</span> <span class="o">=</span> <span class="nx">redis</span><span class="p">.</span><span class="nf">createClient</span><span class="p">();</span> <span class="c1">// Configure session middleware</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">session</span><span class="p">({</span> <span class="na">store</span><span class="p">:</span> <span class="k">new</span> <span class="nc">RedisStore</span><span class="p">({</span> <span class="na">client</span><span class="p">:</span> <span class="nx">redisClient</span> <span class="p">}),</span> <span class="na">secret</span><span class="p">:</span> <span class="dl">'</span><span class="s1">your-secret-key</span><span class="dl">'</span><span class="p">,</span> <span class="na">resave</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">saveUninitialized</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">cookie</span><span class="p">:</span> <span class="p">{</span> <span class="na">maxAge</span><span class="p">:</span> <span class="mi">3600000</span><span class="p">,</span> <span class="c1">// 1 hour</span> <span class="na">httpOnly</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// Cannot be accessed by JavaScript</span> <span class="na">secure</span><span class="p">:</span> <span class="kc">true</span> <span class="c1">// Only sent over HTTPS</span> <span class="p">}</span> <span class="p">}));</span> <span class="c1">// Login endpoint</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">username</span><span class="p">,</span> <span class="nx">password</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="c1">// Validate credentials (simplified)</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">validateUser</span><span class="p">(</span><span class="nx">username</span><span class="p">,</span> <span class="nx">password</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Store user info in session</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span><span class="p">.</span><span class="nx">userId</span> <span class="o">=</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">;</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span><span class="p">.</span><span class="nx">username</span> <span class="o">=</span> <span class="nx">user</span><span class="p">.</span><span class="nx">username</span><span class="p">;</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span><span class="p">.</span><span class="nx">role</span> <span class="o">=</span> <span class="nx">user</span><span class="p">.</span><span class="nx">role</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Login successful</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid credentials</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="p">});</span> <span class="c1">// Protected route</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/profile</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">req</span><span class="p">.</span><span class="nx">session</span><span class="p">.</span><span class="nx">userId</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Not authenticated</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span><span class="p">.</span><span class="nx">userId</span><span class="p">,</span> <span class="na">username</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span><span class="p">.</span><span class="nx">username</span> <span class="p">});</span> <span class="p">});</span> <span class="c1">// Logout</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/logout</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span><span class="p">.</span><span class="nf">destroy</span><span class="p">((</span><span class="nx">err</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Logout failed</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Logged out successfully</span><span class="dl">'</span> <span class="p">});</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p><strong>What's Stored in Redis:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Session ID: "sess:abc123xyz" Data: { "userId": 42, "username": "john_doe", "role": "admin", "createdAt": "2025-11-21T10:00:00Z", "expiresAt": "2025-11-21T11:00:00Z" } </code></pre> </div> <h3> Evolution of Session Storage </h3> <p><strong>1. File-Based Sessions (Early Days):</strong></p> <ul> <li>Stored in server's file system</li> <li>Problems: Slow, not scalable, difficult to share across servers</li> </ul> <p><strong>2. Database Sessions:</strong></p> <ul> <li>Stored in MySQL, PostgreSQL</li> <li>Better than files but still had performance issues</li> </ul> <p><strong>3. In-Memory Stores (Current):</strong></p> <ul> <li>Redis, Memcached</li> <li>Fast lookups (microseconds)</li> <li>Easy to scale horizontally</li> </ul> <h3> Problems with Sessions in Distributed Systems </h3> <p>As the web evolved into distributed architectures, sessions created bottlenecks:</p> <p><strong>1. Memory/Storage Costs:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Scenario: 1 million active users Session Size: ~1KB per user Total Storage: 1GB just for sessions Cost: $$$$ at scale </code></pre> </div> <p><strong>2. Replication Issues:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User in USA → Server A (has session) User in Europe → Server B (no session) ❌ Need to sync sessions across regions → Latency </code></pre> </div> <p><strong>3. Consistency Challenges:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User updates profile on Server A Server B still has old session data Race conditions and stale data </code></pre> </div> <p>This led to the birth of <strong>JWT</strong>!</p> <h2> 3. JWT - Modern Stateless Authentication </h2> <h3> What is JWT? </h3> <p><strong>JWT (JSON Web Token)</strong> was formalized in 2015 as a stateless mechanism for securely transferring claims between parties.</p> <p>A JWT is a <strong>self-contained token</strong> that includes:</p> <ul> <li>User data (payload)</li> <li>Metadata (header)</li> <li>Cryptographic signature (for verification)</li> </ul> <h3> JWT Structure </h3> <p>A JWT has three parts separated by dots (<code>.</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>xxxxx.yyyyy.zzzzz [HEADER].[PAYLOAD].[SIGNATURE] </code></pre> </div> <p><strong>Example JWT:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjQyLCJ1c2VybmFtZSI6ImpvaG5fZG9lIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNzMyMTg4MDAwLCJleHAiOjE3MzIxOTE2MDB9.4p8JkB8k3Yn8G7X9xF5qZ2eR4wT6vY3nM1oL7pQ2sA4 </code></pre> </div> <p><strong>Decoded:</strong></p> <p><strong>1. Header (Algorithm &amp; Token Type):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"alg"</span><span class="p">:</span><span class="w"> </span><span class="s2">"HS256"</span><span class="p">,</span><span class="w"> </span><span class="nl">"typ"</span><span class="p">:</span><span class="w"> </span><span class="s2">"JWT"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>2. Payload (Claims/User Data):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"userId"</span><span class="p">:</span><span class="w"> </span><span class="mi">42</span><span class="p">,</span><span class="w"> </span><span class="nl">"username"</span><span class="p">:</span><span class="w"> </span><span class="s2">"john_doe"</span><span class="p">,</span><span class="w"> </span><span class="nl">"role"</span><span class="p">:</span><span class="w"> </span><span class="s2">"admin"</span><span class="p">,</span><span class="w"> </span><span class="nl">"iat"</span><span class="p">:</span><span class="w"> </span><span class="mi">1732188000</span><span class="p">,</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Issued</span><span class="w"> </span><span class="err">at</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1732191600</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Expires</span><span class="w"> </span><span class="err">at</span><span class="w"> </span><span class="err">(</span><span class="mi">1</span><span class="w"> </span><span class="err">hour</span><span class="w"> </span><span class="err">later)</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>3. Signature (Verification):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret_key ) </code></pre> </div> <h3> How JWT Works - Step by Step </h3> <p><strong>Flow:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. User logs in with credentials ↓ 2. Server validates user ↓ 3. Server creates JWT with user data + signs it with secret key ↓ 4. JWT sent to client (usually in response body) ↓ 5. Client stores JWT (localStorage/cookie) ↓ 6. Client sends JWT in Authorization header with each request ↓ 7. Server verifies signature using secret key ↓ 8. If valid → Grant access | If invalid → Reject </code></pre> </div> <h3> Code Example - JWT Authentication </h3> <p><strong>Server-side (Node.js):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">jwt</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">jsonwebtoken</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">bcrypt</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">bcrypt</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">SECRET_KEY</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">your-super-secret-key-keep-it-safe</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Login endpoint</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">username</span><span class="p">,</span> <span class="nx">password</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="c1">// Find user in database</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">findUserByUsername</span><span class="p">(</span><span class="nx">username</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid credentials</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Verify password</span> <span class="kd">const</span> <span class="nx">isPasswordValid</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">compare</span><span class="p">(</span><span class="nx">password</span><span class="p">,</span> <span class="nx">user</span><span class="p">.</span><span class="nx">passwordHash</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">isPasswordValid</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid credentials</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Create JWT payload</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">username</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">username</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">role</span> <span class="p">};</span> <span class="c1">// Sign JWT (expires in 1 hour)</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span><span class="nx">payload</span><span class="p">,</span> <span class="nx">SECRET_KEY</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">'</span><span class="s1">1h</span><span class="dl">'</span> <span class="p">});</span> <span class="c1">// Send token to client</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">token</span><span class="p">:</span> <span class="nx">token</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Login successful</span><span class="dl">'</span> <span class="p">});</span> <span class="p">});</span> <span class="c1">// Middleware to verify JWT</span> <span class="kd">function</span> <span class="nf">authenticateToken</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Get token from Authorization header</span> <span class="kd">const</span> <span class="nx">authHeader</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">authorization</span><span class="dl">'</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">authHeader</span> <span class="o">&amp;&amp;</span> <span class="nx">authHeader</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1"> </span><span class="dl">'</span><span class="p">)[</span><span class="mi">1</span><span class="p">];</span> <span class="c1">// "Bearer TOKEN"</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">No token provided</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Verify token</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">SECRET_KEY</span><span class="p">,</span> <span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">decoded</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">403</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid or expired token</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Attach user info to request</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span> <span class="o">=</span> <span class="nx">decoded</span><span class="p">;</span> <span class="nf">next</span><span class="p">();</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Protected route</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/profile</span><span class="dl">'</span><span class="p">,</span> <span class="nx">authenticateToken</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">userId</span><span class="p">,</span> <span class="na">username</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">username</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">role</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p><strong>Client-side (JavaScript):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Login</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">login</span><span class="p">(</span><span class="nx">username</span><span class="p">,</span> <span class="nx">password</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="nx">username</span><span class="p">,</span> <span class="nx">password</span> <span class="p">})</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Store token in localStorage</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">setItem</span><span class="p">(</span><span class="dl">'</span><span class="s1">token</span><span class="dl">'</span><span class="p">,</span> <span class="nx">data</span><span class="p">.</span><span class="nx">token</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Making authenticated requests</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getProfile</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">getItem</span><span class="p">(</span><span class="dl">'</span><span class="s1">token</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/profile</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Authorization</span><span class="dl">'</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">token</span><span class="p">}</span><span class="s2">`</span> <span class="p">}</span> <span class="p">});</span> <span class="k">return</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h3> Sessions vs JWT Comparison </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Aspect</th> <th>Sessions</th> <th>JWT</th> </tr> </thead> <tbody> <tr> <td><strong>Storage</strong></td> <td>Server-side (DB/Redis)</td> <td>Client-side (browser)</td> </tr> <tr> <td><strong>State</strong></td> <td>Stateful</td> <td>Stateless</td> </tr> <tr> <td><strong>Scalability</strong></td> <td>Harder (need session sync)</td> <td>Easy (no server storage)</td> </tr> <tr> <td><strong>Memory</strong></td> <td>High (stores all sessions)</td> <td>Low (no server storage)</td> </tr> <tr> <td><strong>Revocation</strong></td> <td>Easy (delete from DB)</td> <td>Hard (token valid until expiry)</td> </tr> <tr> <td><strong>Database Lookup</strong></td> <td>Yes (every request)</td> <td>No (just verify signature)</td> </tr> <tr> <td><strong>Cost</strong></td> <td>Higher (storage costs)</td> <td>Lower (no storage)</td> </tr> <tr> <td><strong>Security Risk</strong></td> <td>Lower (can invalidate anytime)</td> <td>Higher (stolen token valid until expiry)</td> </tr> </tbody> </table></div> <h3> JWT Advantages </h3> <p>✅ <strong>Stateless</strong> - No database lookup needed<br> ✅ <strong>Scalable</strong> - Works perfectly in distributed systems<br> ✅ <strong>Portable</strong> - Can be used across different domains<br> ✅ <strong>Lightweight</strong> - No server-side storage<br> ✅ <strong>Cost-effective</strong> - Saves storage costs<br> ✅ <strong>Fast</strong> - No database queries for authentication</p> <h3> JWT Disadvantages </h3> <p>❌ <strong>Token Theft</strong> - If someone steals your token, they can impersonate you<br> ❌ <strong>No Immediate Revocation</strong> - Can't invalidate a token before it expires<br> ❌ <strong>Payload Size</strong> - Larger than session IDs (sent with every request)<br> ❌ <strong>Secret Key Management</strong> - If secret key is compromised, all tokens are invalid</p> <h3> Hybrid Approaches (Best of Both Worlds) </h3> <p>Modern applications often combine both approaches:</p> <p><strong>1. JWT with Blacklist:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// When user logs out or token is compromised</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/logout</span><span class="dl">'</span><span class="p">,</span> <span class="nx">authenticateToken</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">authorization</span><span class="dl">'</span><span class="p">].</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1"> </span><span class="dl">'</span><span class="p">)[</span><span class="mi">1</span><span class="p">];</span> <span class="c1">// Add token to blacklist in Redis</span> <span class="k">await</span> <span class="nx">redisClient</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span> <span class="s2">`blacklist:</span><span class="p">${</span><span class="nx">token</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="dl">'</span><span class="s1">true</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">EX</span><span class="dl">'</span><span class="p">,</span> <span class="mi">3600</span> <span class="c1">// Expire when token would expire anyway</span> <span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Logged out successfully</span><span class="dl">'</span> <span class="p">});</span> <span class="p">});</span> <span class="c1">// Modify authentication middleware</span> <span class="kd">function</span> <span class="nf">authenticateToken</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">authorization</span><span class="dl">'</span><span class="p">]?.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1"> </span><span class="dl">'</span><span class="p">)[</span><span class="mi">1</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">No token provided</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Check if token is blacklisted</span> <span class="nx">redisClient</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="s2">`blacklist:</span><span class="p">${</span><span class="nx">token</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">result</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">result</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">403</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Token has been revoked</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Verify JWT as usual</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">SECRET_KEY</span><span class="p">,</span> <span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">decoded</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">403</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid token</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span> <span class="o">=</span> <span class="nx">decoded</span><span class="p">;</span> <span class="nf">next</span><span class="p">();</span> <span class="p">});</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p><strong>2. Refresh Tokens Pattern:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Issue both access token (short-lived) and refresh token (long-lived)</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">validateUser</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">username</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">password</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Short-lived access token (15 minutes)</span> <span class="kd">const</span> <span class="nx">accessToken</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">username</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">username</span> <span class="p">},</span> <span class="nx">ACCESS_SECRET</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">'</span><span class="s1">15m</span><span class="dl">'</span> <span class="p">}</span> <span class="p">);</span> <span class="c1">// Long-lived refresh token (7 days)</span> <span class="kd">const</span> <span class="nx">refreshToken</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span> <span class="p">},</span> <span class="nx">REFRESH_SECRET</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">'</span><span class="s1">7d</span><span class="dl">'</span> <span class="p">}</span> <span class="p">);</span> <span class="c1">// Store refresh token in database</span> <span class="k">await</span> <span class="nf">saveRefreshToken</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">refreshToken</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="nx">accessToken</span><span class="p">,</span> <span class="nx">refreshToken</span> <span class="p">});</span> <span class="p">}</span> <span class="p">});</span> <span class="c1">// Refresh endpoint</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/refresh</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">refreshToken</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="c1">// Verify refresh token</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">refreshToken</span><span class="p">,</span> <span class="nx">REFRESH_SECRET</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">decoded</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">403</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid refresh token</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Check if refresh token exists in database</span> <span class="kd">const</span> <span class="nx">isValid</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">verifyRefreshToken</span><span class="p">(</span><span class="nx">decoded</span><span class="p">.</span><span class="nx">userId</span><span class="p">,</span> <span class="nx">refreshToken</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">isValid</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">403</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Refresh token revoked</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Issue new access token</span> <span class="kd">const</span> <span class="nx">newAccessToken</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">decoded</span><span class="p">.</span><span class="nx">userId</span> <span class="p">},</span> <span class="nx">ACCESS_SECRET</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">'</span><span class="s1">15m</span><span class="dl">'</span> <span class="p">}</span> <span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">accessToken</span><span class="p">:</span> <span class="nx">newAccessToken</span> <span class="p">});</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p><strong>3. Using Auth Providers (Third-Party Solutions):</strong></p> <p>Modern applications often use <strong>Authentication Providers</strong> like:</p> <ul> <li><strong>Auth0</strong></li> <li><strong>Firebase Authentication</strong></li> <li><strong>AWS Cognito</strong></li> <li><strong>Clerk</strong></li> <li><strong>Supabase Auth</strong></li> </ul> <p><strong>What Auth Providers Solve:</strong></p> <ul> <li>Handle complex security logic for you</li> <li>Provide built-in user management</li> <li>Offer social login (Google, Facebook, etc.)</li> <li>Handle token refresh automatically</li> <li>Provide MFA (Multi-Factor Authentication)</li> <li>Manage password resets and email verification</li> <li>Give you security best practices out of the box</li> </ul> <p><strong>Example with Auth0:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Frontend</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Auth0Provider</span><span class="p">,</span> <span class="nx">useAuth0</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@auth0/auth0-react</span><span class="dl">'</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">App</span><span class="p">()</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">Auth0Provider</span> <span class="nx">domain</span><span class="o">=</span><span class="dl">"</span><span class="s2">your-domain.auth0.com</span><span class="dl">"</span> <span class="nx">clientId</span><span class="o">=</span><span class="dl">"</span><span class="s2">your-client-id</span><span class="dl">"</span> <span class="nx">redirectUri</span><span class="o">=</span><span class="p">{</span><span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">origin</span><span class="p">}</span> <span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">MyApp</span> <span class="o">/&gt;</span> <span class="o">&lt;</span><span class="sr">/Auth0Provider</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">LoginButton</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">loginWithRedirect</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">useAuth0</span><span class="p">();</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">button</span> <span class="nx">onClick</span><span class="o">=</span><span class="p">{</span><span class="nx">loginWithRedirect</span><span class="p">}</span><span class="o">&gt;</span><span class="nx">Log</span> <span class="nx">In</span><span class="o">&lt;</span><span class="sr">/button&gt;</span><span class="err">; </span><span class="p">}</span> <span class="kd">function</span> <span class="nf">Profile</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">user</span><span class="p">,</span> <span class="nx">isAuthenticated</span><span class="p">,</span> <span class="nx">getAccessTokenSilently</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">useAuth0</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">callAPI</span> <span class="o">=</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getAccessTokenSilently</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/protected</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="na">Authorization</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">token</span><span class="p">}</span><span class="s2">`</span> <span class="p">}</span> <span class="p">});</span> <span class="p">};</span> <span class="k">return</span> <span class="nx">isAuthenticated</span> <span class="o">&amp;&amp;</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span><span class="nx">Hello</span> <span class="p">{</span><span class="nx">user</span><span class="p">.</span><span class="nx">name</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/div&gt;</span><span class="err">; </span><span class="p">}</span> </code></pre> </div> <h2> 4. Cookies Explained {#cookies} </h2> <h3> What are Cookies? </h3> <p>A <strong>cookie</strong> is a small piece of data (text) that a server sends to a user's browser, which the browser stores and sends back with every subsequent request to that server.</p> <p><strong>Think of it like a ticket:</strong></p> <ul> <li>You go to an amusement park (website)</li> <li>They give you a wristband (cookie)</li> <li>Every time you go to a ride (make a request), they check your wristband</li> </ul> <h3> Cookie Properties </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Setting a cookie from server</span> <span class="nx">res</span><span class="p">.</span><span class="nf">cookie</span><span class="p">(</span><span class="dl">'</span><span class="s1">sessionId</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">abc123</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">httpOnly</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// Cannot be accessed by JavaScript</span> <span class="na">secure</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// Only sent over HTTPS</span> <span class="na">sameSite</span><span class="p">:</span> <span class="dl">'</span><span class="s1">strict</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// CSRF protection</span> <span class="na">maxAge</span><span class="p">:</span> <span class="mi">3600000</span><span class="p">,</span> <span class="c1">// Expires in 1 hour</span> <span class="na">domain</span><span class="p">:</span> <span class="dl">'</span><span class="s1">.example.com</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Available to all subdomains</span> <span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span> <span class="c1">// Available to all paths</span> <span class="p">});</span> </code></pre> </div> <p><strong>Cookie Example in HTTP Response:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>HTTP/1.1 200 OK Set-Cookie: sessionId=abc123; HttpOnly; Secure; SameSite=Strict; Max-Age=3600 Content-Type: application/json </code></pre> </div> <h3> How Cookies Work </h3> <p><strong>1. Server Sets Cookie:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Validate user...</span> <span class="c1">// Set cookie</span> <span class="nx">res</span><span class="p">.</span><span class="nf">cookie</span><span class="p">(</span><span class="dl">'</span><span class="s1">userId</span><span class="dl">'</span><span class="p">,</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="p">{</span> <span class="na">httpOnly</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">secure</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">maxAge</span><span class="p">:</span> <span class="mi">3600000</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Logged in</span><span class="dl">'</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p><strong>2. Browser Stores Cookie:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Browser Storage: userId=42; expires=Fri, 21-Nov-2025 11:00:00 GMT; path=/; HttpOnly; Secure </code></pre> </div> <p><strong>3. Browser Sends Cookie Automatically:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Every request to same domain automatically includes cookies</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/profile</span><span class="dl">'</span><span class="p">)</span> <span class="c1">// Browser automatically adds: Cookie: userId=42</span> </code></pre> </div> <p><strong>4. Server Reads Cookie:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/profile</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">userId</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nx">userId</span><span class="p">;</span> <span class="c1">// Find user by ID</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="nf">findUserById</span><span class="p">(</span><span class="nx">userId</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="nx">user</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <h3> Important Cookie Rules </h3> <p><strong>Security Rules:</strong></p> <ol> <li> <strong>httpOnly</strong> - JavaScript cannot access the cookie (prevents XSS attacks)</li> <li> <strong>secure</strong> - Cookie only sent over HTTPS</li> <li> <strong>sameSite</strong> - Prevents CSRF attacks <ul> <li> <code>strict</code> - Cookie only sent to same site</li> <li> <code>lax</code> - Cookie sent with top-level navigation</li> <li> <code>none</code> - Cookie sent with cross-site requests (needs secure)</li> </ul> </li> </ol> <p><strong>Domain Rules:</strong></p> <ul> <li>A server can only access cookies it set</li> <li> <code>example.com</code> cannot read cookies from <code>google.com</code> </li> <li>Cookies are automatically sent with every request to the domain</li> </ul> <h3> Cookies vs LocalStorage </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>Cookies</th> <th>LocalStorage</th> </tr> </thead> <tbody> <tr> <td><strong>Sent to Server</strong></td> <td>Yes (automatically)</td> <td>No</td> </tr> <tr> <td><strong>Size Limit</strong></td> <td>4KB</td> <td>5-10MB</td> </tr> <tr> <td><strong>Accessible by JS</strong></td> <td>Only if not httpOnly</td> <td>Always</td> </tr> <tr> <td><strong>Expiration</strong></td> <td>Can be set</td> <td>Never (until cleared)</td> </tr> <tr> <td><strong>Security</strong></td> <td>More secure (httpOnly)</td> <td>Less secure (XSS vulnerable)</td> </tr> </tbody> </table></div> <h2> 5. Authentication Types </h2> <h3> 1. Stateful Authentication (Session-Based) </h3> <p><strong>Components:</strong></p> <ul> <li>Client (Browser)</li> <li>Server</li> <li>Database/Redis (for session storage)</li> </ul> <p><strong>How it Works:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────┐ ┌─────────┐ ┌─────────┐ │ Client │ │ Server │ │Database │ └────┬────┘ └────┬────┘ └────┬────┘ │ │ │ │ POST /login │ │ │ {username, password} │ │ ├─────────────────────────────&gt;│ │ │ │ │ │ │ Validate credentials │ │ ├─────────────────────────────&gt;│ │ │ │ │ │&lt;─────────────────────────────┤ │ │ User found ✓ │ │ │ │ │ │ Generate Session ID │ │ │ Store in Redis │ │ ├─────────────────────────────&gt;│ │ │ │ │ Set-Cookie: sessionId │ │ │&lt;─────────────────────────────┤ │ │ │ │ │ GET /profile │ │ │ Cookie: sessionId │ │ ├─────────────────────────────&gt;│ │ │ │ │ │ │ Lookup session │ │ ├─────────────────────────────&gt;│ │ │ │ │ │&lt;─────────────────────────────┤ │ │ Session data │ │ │ │ │ Profile data │ │ │&lt;─────────────────────────────┤ │ </code></pre> </div> <p><strong>When to Use:</strong></p> <ul> <li>When you need instant token revocation</li> <li>When managing long-lived sessions</li> <li>When you have a monolithic application</li> <li>When security is the top priority</li> </ul> <h3> 2. Stateless Authentication (JWT-Based) </h3> <p><strong>Components:</strong></p> <ul> <li>Client (Browser)</li> <li>Server</li> <li>No database needed for authentication!</li> </ul> <p><strong>How it Works:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────┐ ┌─────────┐ │ Client │ │ Server │ └────┬────┘ └────┬────┘ │ │ │ POST /login │ │ {username, password} │ ├───────────────────────────────────&gt;│ │ │ │ │ Validate credentials │ │ (checks database) │ │ │ │ Generate JWT │ │ Sign with secret key │ │ │ { token: "eyJhbG..." } │ │&lt;───────────────────────────────────┤ │ │ │ Store token in localStorage │ │ │ │ GET /profile │ │ Authorization: Bearer eyJhbG... │ ├───────────────────────────────────&gt;│ │ │ │ │ Verify JWT signature │ │ (No database lookup!) │ │ Decode payload │ │ │ Profile data │ │&lt;───────────────────────────────────┤ </code></pre> </div> <p><strong>When to Use:</strong></p> <ul> <li>Microservices architecture</li> <li>Mobile applications</li> <li>When you need horizontal scalability</li> <li>When you want to minimize database queries</li> <li>Cross-domain authentication (different domains)</li> </ul> <h3> 3. API Key Authentication </h3> <p><strong>What is an API Key?</strong><br> An API key is a simple token that identifies an application or user making API requests.</p> <p><strong>How it Works:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. User/App registers and receives API key ↓ 2. API key is long random string: "sk_live_51HabcD123..." ↓ 3. Client sends API key with every request ↓ 4. Server validates API key against database </code></pre> </div> <p><strong>Code Example:</strong></p> <p><strong>Server-side:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Generate API key</span> <span class="kd">const</span> <span class="nx">crypto</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">crypto</span><span class="dl">'</span><span class="p">);</span> <span class="kd">function</span> <span class="nf">generateAPIKey</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">sk_</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">randomBytes</span><span class="p">(</span><span class="mi">32</span><span class="p">).</span><span class="nf">toString</span><span class="p">(</span><span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Store in database</span> <span class="kd">const</span> <span class="nx">apiKey</span> <span class="o">=</span> <span class="nf">generateAPIKey</span><span class="p">();</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">apiKeys</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">key</span><span class="p">:</span> <span class="nx">apiKey</span><span class="p">,</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">createdAt</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">()</span> <span class="p">});</span> <span class="c1">// Middleware to validate API key</span> <span class="kd">function</span> <span class="nf">validateAPIKey</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">apiKey</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">x-api-key</span><span class="dl">'</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">apiKey</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">API key required</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Check if API key exists and is valid</span> <span class="nx">db</span><span class="p">.</span><span class="nx">apiKeys</span><span class="p">.</span><span class="nf">findOne</span><span class="p">({</span> <span class="na">key</span><span class="p">:</span> <span class="nx">apiKey</span> <span class="p">},</span> <span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">keyData</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span> <span class="o">||</span> <span class="o">!</span><span class="nx">keyData</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">403</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid API key</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="nx">req</span><span class="p">.</span><span class="nx">userId</span> <span class="o">=</span> <span class="nx">keyData</span><span class="p">.</span><span class="nx">userId</span><span class="p">;</span> <span class="nf">next</span><span class="p">();</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Protected route</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/data</span><span class="dl">'</span><span class="p">,</span> <span class="nx">validateAPIKey</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">data</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Your secret data</span><span class="dl">'</span><span class="p">,</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">userId</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p><strong>Client-side:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Making API request with API key</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://api.example.com/data</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">X-API-Key</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">sk_live_51HabcD123...</span><span class="dl">'</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p><strong>Real-world Examples:</strong></p> <ul> <li>Stripe API: <code>sk_live_51H...</code> </li> <li>OpenAI API: <code>sk-proj-...</code> </li> <li>Google Maps API: Uses API keys</li> <li>SendGrid: Uses API keys</li> </ul> <p><strong>API Key Best Practices:</strong></p> <ul> <li>Never commit API keys to Git</li> <li>Use environment variables</li> <li>Rotate keys periodically</li> <li>Have separate keys for development and production</li> <li>Rate limit API key usage</li> </ul> <p><strong>When to Use:</strong></p> <ul> <li>Server-to-server communication</li> <li>Third-party integrations</li> <li>Automated scripts/bots</li> <li>Webhooks</li> <li>Public APIs with usage tracking</li> </ul> <h3> 4. OAuth 2.0 Authentication </h3> <p>(See detailed section below)</p> <h2> 6. OAuth 2.0 &amp; OpenID Connect {#oauth} </h2> <h3> The Problem OAuth Solved </h3> <p><strong>Before OAuth - The Delegation Problem:</strong></p> <p>Imagine you want Facebook to access your Google contacts:</p> <p><strong>The Bad Old Way:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>You: "Hey Facebook, get my Google contacts" Facebook: "Give me your Google password" You: "Here's my password: myPassword123" Facebook: *logs into Google with your password* Facebook: *can now access EVERYTHING - emails, drive, calendar* </code></pre> </div> <p><strong>Problems:</strong></p> <ul> <li>You had to share your password</li> <li>Third-party app had FULL access to your account</li> <li>No way to revoke access without changing password</li> <li>If third-party got hacked, your password is exposed</li> </ul> <h3> What is OAuth 2.0? </h3> <p><strong>OAuth 2.0</strong> is an authorization framework that allows third-party applications to access your resources without sharing your password.</p> <p><strong>Key Concept:</strong> Instead of sharing passwords, you share <strong>tokens</strong> with limited permissions.</p> <h3> OAuth Terminology </h3> <ul> <li> <strong>Resource Owner:</strong> You (the user)</li> <li> <strong>Client:</strong> The app wanting access (e.g., Facebook)</li> <li> <strong>Resource Server:</strong> Where your data lives (e.g., Google)</li> <li> <strong>Authorization Server:</strong> Issues tokens (often same as resource server)</li> </ul> <h3> How OAuth 2.0 Works </h3> <p><strong>Example: "Login with Google" on a Website</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌──────────┐ ┌──────────┐ ┌──────────┐ │ You │ │ Website │ │ Google │ │ (User) │ │ (Client) │ │ (Auth) │ └────┬─────┘ └────┬─────┘ └────┬─────┘ │ │ │ │ Click "Login with Google" │ ├────────────────────────&gt;│ │ │ │ │ │ │ Redirect to Google │ │ │ with client_id │ │&lt;────────────────────────┤ │ │ │ │ │ Browser redirects to Google │ ├──────────────────────────────────────────────────&gt;│ │ │ │ │ │ Google login page │ │&lt;──────────────────────────────────────────────────┤ │ │ │ │ Enter Google credentials │ ├──────────────────────────────────────────────────&gt;│ │ │ │ │ "Allow Website to access your profile?" │ │&lt;──────────────────────────────────────────────────┤ │ │ │ │ Click "Allow" │ ├──────────────────────────────────────────────────&gt;│ │ │ │ │ │ Redirect with auth code│ │&lt;────────────────────────┤&lt;────────────────────────┤ │ │ │ │ │ Exchange code for token │ │ ├────────────────────────&gt;│ │ │ │ │ │&lt;────────────────────────┤ │ │ Access Token │ │ │ │ │ You're logged in! │ │ │&lt;────────────────────────┤ │ </code></pre> </div> <h3> OAuth 2.0 Flow Types (Grant Types) </h3> <p><strong>1. Authorization Code Flow</strong> (Most Secure - for web apps)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Step 1: Redirect user to authorization server</span> <span class="kd">const</span> <span class="nx">authUrl</span> <span class="o">=</span> <span class="s2">`https://accounts.google.com/o/oauth2/v2/auth? client_id=YOUR_CLIENT_ID&amp; redirect_uri=https://yourapp.com/callback&amp; response_type=code&amp; scope=profile email&amp; state=random_string_for_security`</span><span class="p">;</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">href</span> <span class="o">=</span> <span class="nx">authUrl</span><span class="p">;</span> <span class="c1">// Step 2: Handle callback (server-side)</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/callback</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">code</span><span class="p">,</span> <span class="nx">state</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">;</span> <span class="c1">// Verify state to prevent CSRF</span> <span class="k">if </span><span class="p">(</span><span class="nx">state</span> <span class="o">!==</span> <span class="nx">expectedState</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">403</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">Invalid state</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Exchange code for token</span> <span class="kd">const</span> <span class="nx">tokenResponse</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://oauth2.googleapis.com/token</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">code</span><span class="p">:</span> <span class="nx">code</span><span class="p">,</span> <span class="na">client_id</span><span class="p">:</span> <span class="nx">YOUR_CLIENT_ID</span><span class="p">,</span> <span class="na">client_secret</span><span class="p">:</span> <span class="nx">YOUR_CLIENT_SECRET</span><span class="p">,</span> <span class="na">redirect_uri</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://yourapp.com/callback</span><span class="dl">'</span><span class="p">,</span> <span class="na">grant_type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">authorization_code</span><span class="dl">'</span> <span class="p">})</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">tokens</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">tokenResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="c1">// tokens = { access_token, refresh_token, expires_in }</span> <span class="c1">// Use access token to get user info</span> <span class="kd">const</span> <span class="nx">userResponse</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://www.googleapis.com/oauth2/v2/userinfo</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="na">Authorization</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">tokens</span><span class="p">.</span><span class="nx">access_token</span><span class="p">}</span><span class="s2">`</span> <span class="p">}</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">userResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="c1">// user = { id, email, name, picture }</span> <span class="c1">// Create session or JWT for your app</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span><span class="p">.</span><span class="nx">userId</span> <span class="o">=</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="dl">'</span><span class="s1">/dashboard</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p><strong>2. Implicit Flow</strong> (Legacy - for single-page apps, less secure)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Returns token directly in URL (not recommended anymore)</span> <span class="kd">const</span> <span class="nx">authUrl</span> <span class="o">=</span> <span class="s2">`https://accounts.google.com/o/oauth2/v2/auth? client_id=YOUR_CLIENT_ID&amp; redirect_uri=https://yourapp.com/callback&amp; response_type=token&amp; // Returns token directly scope=profile email`</span><span class="p">;</span> </code></pre> </div> <p><strong>3. Client Credentials Flow</strong> (For server-to-server)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// No user involved - app authenticates itself</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://oauth2.googleapis.com/token</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">client_id</span><span class="p">:</span> <span class="nx">YOUR_CLIENT_ID</span><span class="p">,</span> <span class="na">client_secret</span><span class="p">:</span> <span class="nx">YOUR_CLIENT_SECRET</span><span class="p">,</span> <span class="na">grant_type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">client_credentials</span><span class="dl">'</span><span class="p">,</span> <span class="na">scope</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://www.googleapis.com/auth/cloud-platform</span><span class="dl">'</span> <span class="p">})</span> <span class="p">});</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">access_token</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> </code></pre> </div> <p><strong>4. Password Grant Flow</strong> (Not recommended - requires sharing password)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// User provides username/password to client app</span> <span class="c1">// Only use if you trust the client completely</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://oauth2.googleapis.com/token</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">grant_type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">password</span><span class="dl">'</span><span class="p">,</span> <span class="na">username</span><span class="p">:</span> <span class="dl">'</span><span class="s1">user@example.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="dl">'</span><span class="s1">user_password</span><span class="dl">'</span><span class="p">,</span> <span class="na">client_id</span><span class="p">:</span> <span class="nx">YOUR_CLIENT_ID</span><span class="p">,</span> <span class="na">client_secret</span><span class="p">:</span> <span class="nx">YOUR_CLIENT_SECRET</span> <span class="p">})</span> <span class="p">});</span> </code></pre> </div> <h3> OAuth 2.0 Tokens </h3> <p><strong>Access Token:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Purpose: Short-lived token to access resources Lifetime: 15 minutes - 1 hour Example: "ya29.a0AfH6SMBx..." </code></pre> </div> <p><strong>Refresh Token:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Purpose: Long-lived token to get new access tokens Lifetime: Days to months Example: "1//0gKz8..." </code></pre> </div> <p><strong>Token Refresh Flow:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// When access token expires</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">refreshAccessToken</span><span class="p">(</span><span class="nx">refreshToken</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://oauth2.googleapis.com/token</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">client_id</span><span class="p">:</span> <span class="nx">YOUR_CLIENT_ID</span><span class="p">,</span> <span class="na">client_secret</span><span class="p">:</span> <span class="nx">YOUR_CLIENT_SECRET</span><span class="p">,</span> <span class="na">refresh_token</span><span class="p">:</span> <span class="nx">refreshToken</span><span class="p">,</span> <span class="na">grant_type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">refresh_token</span><span class="dl">'</span> <span class="p">})</span> <span class="p">});</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">access_token</span><span class="p">,</span> <span class="nx">expires_in</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="k">return</span> <span class="nx">access_token</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h3> OAuth Scopes (Permissions) </h3> <p>Scopes define what the third-party app can access:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Example scopes for Google</span> <span class="nx">scope</span><span class="p">:</span> <span class="dl">'</span><span class="s1">profile email</span><span class="dl">'</span> <span class="c1">// Only basic profile</span> <span class="nx">scope</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://www.googleapis.com/auth/drive.readonly</span><span class="dl">'</span> <span class="c1">// Read Drive files</span> <span class="nx">scope</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://www.googleapis.com/auth/gmail.send</span><span class="dl">'</span> <span class="c1">// Send emails</span> <span class="c1">// GitHub scopes</span> <span class="nx">scope</span><span class="p">:</span> <span class="dl">'</span><span class="s1">read:user</span><span class="dl">'</span> <span class="c1">// Read user profile</span> <span class="nx">scope</span><span class="p">:</span> <span class="dl">'</span><span class="s1">repo</span><span class="dl">'</span> <span class="c1">// Access repositories</span> <span class="nx">scope</span><span class="p">:</span> <span class="dl">'</span><span class="s1">user:email</span><span class="dl">'</span> <span class="c1">// Access email addresses</span> </code></pre> </div> <p><strong>User sees:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Website XYZ wants to: ✓ View your basic profile ✓ View your email address ✗ NOT access your Drive files ✗ NOT send emails on your behalf [Allow] [Deny] </code></pre> </div> <h3> Evolution: OAuth 1.0 → OAuth 2.0 </h3> <p><strong>OAuth 1.0 (2007):</strong></p> <ul> <li>Very complex cryptographic signatures</li> <li>Difficult for developers to implement</li> <li>Required signing every request</li> <li>Limited to web applications </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// OAuth 1.0 - Complex signature generation</span> <span class="kd">const</span> <span class="nx">signature</span> <span class="o">=</span> <span class="nx">crypto</span> <span class="p">.</span><span class="nf">createHmac</span><span class="p">(</span><span class="dl">'</span><span class="s1">sha1</span><span class="dl">'</span><span class="p">,</span> <span class="nx">signingKey</span><span class="p">)</span> <span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">signatureBase</span><span class="p">)</span> <span class="p">.</span><span class="nf">digest</span><span class="p">(</span><span class="dl">'</span><span class="s1">base64</span><span class="dl">'</span><span class="p">);</span> </code></pre> </div> <p><strong>OAuth 2.0 (2012):</strong></p> <ul> <li>Simplified, uses bearer tokens</li> <li>Multiple flow types for different app types</li> <li>Easier to implement</li> <li>Works with mobile and single-page apps</li> <li>Relies on HTTPS for security </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// OAuth 2.0 - Simple bearer token</span> <span class="nx">headers</span><span class="p">:</span> <span class="p">{</span> <span class="nl">Authorization</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">access_token</span><span class="p">}</span><span class="s2">`</span> <span class="p">}</span> </code></pre> </div> <h3> OpenID Connect (OIDC) - Authentication Layer </h3> <p><strong>The Problem:</strong><br> OAuth 2.0 is for <strong>authorization</strong> (what you can do), not <strong>authentication</strong> (who you are).</p> <p><strong>Example:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>OAuth 2.0: "This token can access your Google Drive" But: Who owns this token? What's their identity? </code></pre> </div> <p><strong>Solution: OpenID Connect</strong></p> <p>OIDC extends OAuth 2.0 by adding an <strong>ID Token</strong> - a JWT that contains user identity information.</p> <h3> OIDC ID Token </h3> <p><strong>Structure:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"iss"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://accounts.google.com"</span><span class="p">,</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Who</span><span class="w"> </span><span class="err">issued</span><span class="w"> </span><span class="err">it</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"110169484474386276334"</span><span class="p">,</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">User's</span><span class="w"> </span><span class="err">unique</span><span class="w"> </span><span class="err">ID</span><span class="w"> </span><span class="nl">"aud"</span><span class="p">:</span><span class="w"> </span><span class="s2">"YOUR_CLIENT_ID"</span><span class="p">,</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Who</span><span class="w"> </span><span class="err">it's</span><span class="w"> </span><span class="err">for</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1732191600</span><span class="p">,</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Expiration</span><span class="w"> </span><span class="nl">"iat"</span><span class="p">:</span><span class="w"> </span><span class="mi">1732188000</span><span class="p">,</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Issued</span><span class="w"> </span><span class="err">at</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="w"> </span><span class="s2">"user@example.com"</span><span class="p">,</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">User's</span><span class="w"> </span><span class="err">email</span><span class="w"> </span><span class="nl">"email_verified"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"John Doe"</span><span class="p">,</span><span class="w"> </span><span class="nl">"picture"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"given_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"John"</span><span class="p">,</span><span class="w"> </span><span class="nl">"family_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Doe"</span><span class="p">,</span><span class="w"> </span><span class="nl">"locale"</span><span class="p">:</span><span class="w"> </span><span class="s2">"en"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> OIDC Flow </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Step 1: Request with openid scope</span> <span class="kd">const</span> <span class="nx">authUrl</span> <span class="o">=</span> <span class="s2">`https://accounts.google.com/o/oauth2/v2/auth? client_id=YOUR_CLIENT_ID&amp; redirect_uri=https://yourapp.com/callback&amp; response_type=code&amp; scope=openid profile email&amp; // Note: "openid" scope state=random_string`</span><span class="p">;</span> <span class="c1">// Step 2: Exchange code for tokens</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://oauth2.googleapis.com/token</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">code</span><span class="p">:</span> <span class="nx">authorizationCode</span><span class="p">,</span> <span class="na">client_id</span><span class="p">:</span> <span class="nx">YOUR_CLIENT_ID</span><span class="p">,</span> <span class="na">client_secret</span><span class="p">:</span> <span class="nx">YOUR_CLIENT_SECRET</span><span class="p">,</span> <span class="na">redirect_uri</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://yourapp.com/callback</span><span class="dl">'</span><span class="p">,</span> <span class="na">grant_type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">authorization_code</span><span class="dl">'</span> <span class="p">})</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">tokens</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="c1">// tokens = {</span> <span class="c1">// access_token: "ya29.a0...", // For accessing resources</span> <span class="c1">// refresh_token: "1//0g...", // For getting new access tokens</span> <span class="c1">// id_token: "eyJhbGciOiJSUz...", // JWT with user identity</span> <span class="c1">// expires_in: 3600</span> <span class="c1">// }</span> <span class="c1">// Step 3: Verify and decode ID token</span> <span class="kd">const</span> <span class="nx">jwt</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">jsonwebtoken</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">decoded</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="nx">tokens</span><span class="p">.</span><span class="nx">id_token</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">decoded</span><span class="p">);</span> <span class="c1">// {</span> <span class="c1">// email: "user@example.com",</span> <span class="c1">// name: "John Doe",</span> <span class="c1">// sub: "110169484474386276334",</span> <span class="c1">// ...</span> <span class="c1">// }</span> <span class="c1">// Step 4: Create your own session/JWT</span> <span class="kd">const</span> <span class="nx">yourAppToken</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">decoded</span><span class="p">.</span><span class="nx">sub</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nx">decoded</span><span class="p">.</span><span class="nx">email</span> <span class="p">},</span> <span class="nx">YOUR_SECRET</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">'</span><span class="s1">7d</span><span class="dl">'</span> <span class="p">}</span> <span class="p">);</span> <span class="c1">// Send to client</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">token</span><span class="p">:</span> <span class="nx">yourAppToken</span><span class="p">,</span> <span class="na">user</span><span class="p">:</span> <span class="nx">decoded</span> <span class="p">});</span> </code></pre> </div> <h3> "Login with Google/Facebook/GitHub" Explained </h3> <p>This uses <strong>OIDC</strong> (OpenID Connect):</p> <p><strong>How "Login with Google" Works:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. User clicks "Login with Google" ↓ 2. Redirect to Google with openid scope ↓ 3. User logs into Google (if not already) ↓ 4. User grants permission ↓ 5. Google redirects back with authorization code ↓ 6. Your server exchanges code for: - ID Token (JWT with user info) - Access Token (to access Google APIs) ↓ 7. Your server verifies ID Token signature ↓ 8. Extract user info (email, name, picture) ↓ 9. Create/find user in your database ↓ 10. Create your own session/JWT ↓ 11. User is logged into YOUR app </code></pre> </div> <p><strong>Code Example - Complete "Login with Google":</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">axios</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">axios</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">jwt</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">jsonwebtoken</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">GOOGLE_CLIENT_ID</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">your-client-id</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">GOOGLE_CLIENT_SECRET</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">your-client-secret</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">REDIRECT_URI</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">http://localhost:3000/auth/google/callback</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Step 1: Initiate OAuth flow</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/auth/google</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">googleAuthUrl</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">https://accounts.google.com/o/oauth2/v2/auth</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">scope</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">openid profile email</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">state</span> <span class="o">=</span> <span class="nf">generateRandomString</span><span class="p">();</span> <span class="c1">// CSRF protection</span> <span class="kd">const</span> <span class="nx">url</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">googleAuthUrl</span><span class="p">}</span><span class="s2">?client_id=</span><span class="p">${</span><span class="nx">GOOGLE_CLIENT_ID</span><span class="p">}</span><span class="s2">&amp;redirect_uri=</span><span class="p">${</span><span class="nx">REDIRECT_URI</span><span class="p">}</span><span class="s2">&amp;response_type=code&amp;scope=</span><span class="p">${</span><span class="nx">scope</span><span class="p">}</span><span class="s2">&amp;state=</span><span class="p">${</span><span class="nx">state</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="c1">// Store state in session to verify later</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span><span class="p">.</span><span class="nx">oauthState</span> <span class="o">=</span> <span class="nx">state</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="nx">url</span><span class="p">);</span> <span class="p">});</span> <span class="c1">// Step 2: Handle OAuth callback</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/auth/google/callback</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">code</span><span class="p">,</span> <span class="nx">state</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">;</span> <span class="c1">// Verify state (CSRF protection)</span> <span class="k">if </span><span class="p">(</span><span class="nx">state</span> <span class="o">!==</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span><span class="p">.</span><span class="nx">oauthState</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">403</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">Invalid state parameter</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">try</span> <span class="p">{</span> <span class="c1">// Exchange code for tokens</span> <span class="kd">const</span> <span class="nx">tokenResponse</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">axios</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://oauth2.googleapis.com/token</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="nx">code</span><span class="p">,</span> <span class="na">client_id</span><span class="p">:</span> <span class="nx">GOOGLE_CLIENT_ID</span><span class="p">,</span> <span class="na">client_secret</span><span class="p">:</span> <span class="nx">GOOGLE_CLIENT_SECRET</span><span class="p">,</span> <span class="na">redirect_uri</span><span class="p">:</span> <span class="nx">REDIRECT_URI</span><span class="p">,</span> <span class="na">grant_type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">authorization_code</span><span class="dl">'</span> <span class="p">});</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">access_token</span><span class="p">,</span> <span class="nx">id_token</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">tokenResponse</span><span class="p">.</span><span class="nx">data</span><span class="p">;</span> <span class="c1">// Decode ID token (contains user info)</span> <span class="kd">const</span> <span class="nx">userInfo</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="nx">id_token</span><span class="p">);</span> <span class="c1">// userInfo = { sub, email, name, picture, email_verified }</span> <span class="c1">// Find or create user in your database</span> <span class="kd">let</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">users</span><span class="p">.</span><span class="nf">findOne</span><span class="p">({</span> <span class="na">googleId</span><span class="p">:</span> <span class="nx">userInfo</span><span class="p">.</span><span class="nx">sub</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">users</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">googleId</span><span class="p">:</span> <span class="nx">userInfo</span><span class="p">.</span><span class="nx">sub</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nx">userInfo</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="nx">userInfo</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">picture</span><span class="p">:</span> <span class="nx">userInfo</span><span class="p">.</span><span class="nx">picture</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Create YOUR app's JWT</span> <span class="kd">const</span> <span class="nx">appToken</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">email</span> <span class="p">},</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">JWT_SECRET</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">'</span><span class="s1">7d</span><span class="dl">'</span> <span class="p">}</span> <span class="p">);</span> <span class="c1">// Send token to client</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">token</span><span class="p">:</span> <span class="nx">appToken</span><span class="p">,</span> <span class="nx">user</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">OAuth error:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">Authentication failed</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> <span class="kd">function</span> <span class="nf">generateRandomString</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">random</span><span class="p">().</span><span class="nf">toString</span><span class="p">(</span><span class="mi">36</span><span class="p">).</span><span class="nf">substring</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="mi">15</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p><strong>Frontend (React):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">function</span> <span class="nf">LoginPage</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">handleGoogleLogin</span> <span class="o">=</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Redirect to your backend OAuth endpoint</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">href</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">http://localhost:3000/auth/google</span><span class="dl">'</span><span class="p">;</span> <span class="p">};</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h1</span><span class="o">&gt;</span><span class="nx">Login</span><span class="o">&lt;</span><span class="sr">/h1</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">button</span> <span class="nx">onClick</span><span class="o">=</span><span class="p">{</span><span class="nx">handleGoogleLogin</span><span class="p">}</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">img</span> <span class="nx">src</span><span class="o">=</span><span class="dl">"</span><span class="s2">google-icon.png</span><span class="dl">"</span> <span class="nx">alt</span><span class="o">=</span><span class="dl">"</span><span class="s2">Google</span><span class="dl">"</span> <span class="o">/&gt;</span> <span class="nx">Login</span> <span class="kd">with</span> <span class="nx">Google</span> <span class="o">&lt;</span><span class="sr">/button</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// Handle callback (in a different component)</span> <span class="kd">function</span> <span class="nf">AuthCallback</span><span class="p">()</span> <span class="p">{</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">urlParams</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URLSearchParams</span><span class="p">(</span><span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">search</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">code</span> <span class="o">=</span> <span class="nx">urlParams</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">code</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">code</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Your backend will handle the token exchange</span> <span class="c1">// and redirect to dashboard</span> <span class="p">}</span> <span class="p">},</span> <span class="p">[]);</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span><span class="nx">Logging</span> <span class="nx">you</span> <span class="k">in</span><span class="p">...</span><span class="o">&lt;</span><span class="sr">/div&gt;</span><span class="err">; </span><span class="p">}</span> </code></pre> </div> <h3> Is "Login with Google/GitHub" Secure? </h3> <p><strong>✅ Yes, very secure when implemented correctly:</strong></p> <p><strong>Security Benefits:</strong></p> <ol> <li> <strong>No password sharing</strong> - You never give your Google password to third-party apps</li> <li> <strong>Limited permissions</strong> - Apps only get what you approve (scopes)</li> <li> <strong>Revokable</strong> - You can revoke access anytime from Google settings</li> <li> <strong>Strong authentication</strong> - Leverages Google's security (2FA, etc.)</li> <li> <strong>Regular security updates</strong> - Google maintains the auth infrastructure</li> </ol> <p><strong>What to Verify:</strong></p> <ul> <li>Always check the permissions (scopes) being requested</li> <li>Use only trusted apps</li> <li>Review connected apps regularly in your Google account</li> </ul> <p><strong>Should You Use It?</strong><br> ✅ <strong>Yes</strong> - It's generally more secure than having users create weak passwords</p> <h2> 7. When to Use What {#best-practices} </h2> <h3> Decision Matrix </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Scenario</th> <th>Recommended Approach</th> <th>Why</th> </tr> </thead> <tbody> <tr> <td><strong>Traditional web app</strong></td> <td>Sessions</td> <td>Easy to invalidate, secure with httpOnly cookies</td> </tr> <tr> <td><strong>Mobile app</strong></td> <td>JWT with refresh tokens</td> <td>Stateless, works offline, scalable</td> </tr> <tr> <td><strong>Microservices</strong></td> <td>JWT</td> <td>No shared session storage needed</td> </tr> <tr> <td><strong>Internal API</strong></td> <td>API Keys</td> <td>Simple, easy to track usage</td> </tr> <tr> <td><strong>Third-party integration</strong></td> <td>OAuth 2.0</td> <td>Secure delegation without password sharing</td> </tr> <tr> <td><strong>Social login</strong></td> <td>OIDC (OpenID Connect)</td> <td>Get user identity from trusted providers</td> </tr> <tr> <td><strong>SPA (Single Page App)</strong></td> <td>JWT with httpOnly cookies</td> <td>Prevents XSS, still stateless</td> </tr> <tr> <td><strong>Banking/Financial app</strong></td> <td>Sessions + MFA</td> <td>Maximum security, immediate revocation</td> </tr> </tbody> </table></div> <h3> Security Best Practices </h3> <p><strong>1. Password Security:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">bcrypt</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">bcrypt</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// ALWAYS hash passwords</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">hashPassword</span><span class="p">(</span><span class="nx">password</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">saltRounds</span> <span class="o">=</span> <span class="mi">10</span><span class="p">;</span> <span class="k">return</span> <span class="k">await</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">hash</span><span class="p">(</span><span class="nx">password</span><span class="p">,</span> <span class="nx">saltRounds</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// NEVER store plain text</span> <span class="c1">// ❌ BAD</span> <span class="nx">user</span><span class="p">.</span><span class="nx">password</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">password</span><span class="p">;</span> <span class="c1">// ✅ GOOD</span> <span class="nx">user</span><span class="p">.</span><span class="nx">passwordHash</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">hashPassword</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">password</span><span class="p">);</span> </code></pre> </div> <p><strong>2. Secure JWT Storage:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ❌ BAD - Vulnerable to XSS</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">setItem</span><span class="p">(</span><span class="dl">'</span><span class="s1">token</span><span class="dl">'</span><span class="p">,</span> <span class="nx">jwt</span><span class="p">);</span> <span class="c1">// ✅ BETTER - Use httpOnly cookies</span> <span class="nx">res</span><span class="p">.</span><span class="nf">cookie</span><span class="p">(</span><span class="dl">'</span><span class="s1">token</span><span class="dl">'</span><span class="p">,</span> <span class="nx">jwt</span><span class="p">,</span> <span class="p">{</span> <span class="na">httpOnly</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// Cannot be accessed by JavaScript</span> <span class="na">secure</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// Only sent over HTTPS</span> <span class="na">sameSite</span><span class="p">:</span> <span class="dl">'</span><span class="s1">strict</span><span class="dl">'</span> <span class="c1">// CSRF protection</span> <span class="p">});</span> </code></pre> </div> <p><strong>3. Token Expiration:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ✅ GOOD - Short-lived access tokens</span> <span class="kd">const</span> <span class="nx">accessToken</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span><span class="nx">payload</span><span class="p">,</span> <span class="nx">secret</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">'</span><span class="s1">15m</span><span class="dl">'</span> <span class="p">});</span> <span class="c1">// ✅ GOOD - Long-lived refresh tokens</span> <span class="kd">const</span> <span class="nx">refreshToken</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span><span class="nx">payload</span><span class="p">,</span> <span class="nx">secret</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">'</span><span class="s1">7d</span><span class="dl">'</span> <span class="p">});</span> </code></pre> </div> <p><strong>4. HTTPS Only:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>❌ http://yoursite.com - Tokens can be intercepted ✅ https://yoursite.com - Encrypted, secure </code></pre> </div> <p><strong>5. Input Validation:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ✅ ALWAYS validate and sanitize input</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">body</span><span class="p">,</span> <span class="nx">validationResult</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express-validator</span><span class="dl">'</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="nf">body</span><span class="p">(</span><span class="dl">'</span><span class="s1">email</span><span class="dl">'</span><span class="p">).</span><span class="nf">isEmail</span><span class="p">().</span><span class="nf">normalizeEmail</span><span class="p">(),</span> <span class="nf">body</span><span class="p">(</span><span class="dl">'</span><span class="s1">password</span><span class="dl">'</span><span class="p">).</span><span class="nf">isLength</span><span class="p">({</span> <span class="na">min</span><span class="p">:</span> <span class="mi">8</span> <span class="p">}),</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">errors</span> <span class="o">=</span> <span class="nf">validationResult</span><span class="p">(</span><span class="nx">req</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">errors</span><span class="p">.</span><span class="nf">isEmpty</span><span class="p">())</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">errors</span><span class="p">:</span> <span class="nx">errors</span><span class="p">.</span><span class="nf">array</span><span class="p">()</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Process login...</span> <span class="p">}</span> <span class="p">);</span> </code></pre> </div> <h3> Understanding Security Terms </h3> <p><strong>Password Breach:</strong><br> When hackers gain access to a database containing user passwords, usually through:</p> <ul> <li>SQL injection attacks</li> <li>Database misconfiguration</li> <li>Insider threats</li> <li>Server vulnerabilities</li> </ul> <p><strong>Example:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>2019: 773 million email addresses and 21 million passwords leaked Sites affected: LinkedIn, Adobe, Yahoo, etc. Why it's dangerous: - Many users reuse passwords across sites - If one site is breached, all accounts with same password are at risk </code></pre> </div> <p><strong>Protection:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// 1. Hash passwords (so breach exposes hashes, not passwords)</span> <span class="kd">const</span> <span class="nx">hashedPassword</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">hash</span><span class="p">(</span><span class="nx">password</span><span class="p">,</span> <span class="mi">10</span><span class="p">);</span> <span class="c1">// 2. Add salt (makes rainbow table attacks useless)</span> <span class="c1">// bcrypt does this automatically</span> <span class="c1">// 3. Monitor for breaches</span> <span class="c1">// Use services like "Have I Been Pwned" API</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`https://api.pwnedpasswords.com/range/</span><span class="p">${</span><span class="nx">hashPrefix</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> </code></pre> </div> <h3> Modern Auth Recommendations </h3> <p><strong>For New Projects in 2025:</strong></p> <p><strong>1. Consumer Apps (B2C):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>✅ Use: OAuth/OIDC (Login with Google/GitHub) ✅ Add: JWT with refresh tokens ✅ Store: httpOnly cookies for web, secure storage for mobile ✅ Extra: Magic links, passwordless authentication </code></pre> </div> <p><strong>2. Enterprise Apps (B2B):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>✅ Use: SAML or OIDC ✅ Add: Single Sign-On (SSO) ✅ Consider: Auth0, Okta, Azure AD </code></pre> </div> <p><strong>3. Internal Tools:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>✅ Use: Sessions or JWT ✅ Add: VPN or IP restrictions ✅ Consider: API keys for scripts </code></pre> </div> <p><strong>4. Public APIs:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>✅ Use: API keys + OAuth 2.0 ✅ Add: Rate limiting ✅ Monitor: Usage and abuse </code></pre> </div> <h2> Summary Cheat Sheet </h2> <h3> Quick Comparison </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────────┐ │ AUTHENTICATION METHODS │ ├────────────┬──────────┬──────────┬──────────┬──────────────┤ │ Method │ State │ Storage │ Speed │ Use Case │ ├────────────┼──────────┼──────────┼──────────┼──────────────┤ │ Sessions │ Stateful │ Server │ Medium │ Web apps │ │ JWT │Stateless │ Client │ Fast │ APIs/Mobile │ │ API Keys │ Stateful │ Server │ Medium │ B2B/Bots │ │ OAuth 2.0 │ Stateless│ Client │ Fast │ Delegation │ └────────────┴──────────┴──────────┴──────────┴──────────────┘ </code></pre> </div> <h3> Key Takeaways </h3> <ol> <li> <strong>Sessions</strong> = Server remembers you (like a locker with your stuff)</li> <li> <strong>JWT</strong> = You carry your ID card (self-contained proof)</li> <li> <strong>Cookies</strong> = Automatic note attached to every request</li> <li> <strong>OAuth</strong> = Valet key (limited access, no password sharing)</li> <li> <strong>OIDC</strong> = OAuth + your identity card</li> </ol> <h3> Remember </h3> <ul> <li> <strong>Always use HTTPS</strong> in production</li> <li> <strong>Hash passwords</strong> with bcrypt</li> <li> <strong>Use httpOnly cookies</strong> for tokens when possible</li> <li> <strong>Implement refresh tokens</strong> for better security</li> <li> <strong>Never store secrets</strong> in frontend code</li> <li> <strong>Validate all inputs</strong> to prevent injection attacks</li> <li> <strong>Monitor and log</strong> authentication attempts</li> <li> <strong>Use proven libraries</strong> - don't roll your own crypto</li> </ul> <h2> Additional Resources </h2> <p><strong>Libraries &amp; Tools:</strong></p> <ul> <li> <strong>jsonwebtoken</strong> - JWT for Node.js</li> <li> <strong>bcrypt</strong> - Password hashing</li> <li> <strong>Passport.js</strong> - Authentication middleware</li> <li> <strong>express-session</strong> - Session management</li> <li> <strong>Auth0</strong> - Complete auth platform</li> <li> <strong>OAuth.net</strong> - OAuth specifications</li> </ul> webdev programming beginners tutorial Understanding Backend Routing Like a Pro Yukti Sahu Thu, 20 Nov 2025 03:25:41 +0000 https://forem.com/yuktisays/understanding-backend-routing-like-a-pro-9id https://forem.com/yuktisays/understanding-backend-routing-like-a-pro-9id <p>When you send a request to your server, two things matter:</p> <ul> <li> <strong>WHAT</strong> you want to do → defined by <strong>HTTP methods</strong> </li> <li> <strong>WHERE</strong> you want to do it → handled by <strong>Routing</strong> </li> </ul> <p>Together, they decide <em>what action to perform and on which resource</em>.<br> And then your handler function steps in to run the business logic.</p> <h2> 🌐 HTTP Methods = "What do you want to do?" </h2> <p>HTTP methods describe the <strong>intention</strong> of your request.</p> <p>Method Meaning Example</p> <p><strong>GET</strong> "Give me data" <code>/users</code> → fetch users<br> <strong>POST</strong> "Create something" <code>/users</code> → add a new user<br> <strong>PUT</strong> "Replace this fully" <code>/users/10</code><br> <strong>PATCH</strong> "Update partially" <code>/users/10</code><br> <strong>DELETE</strong> "Remove this" <code>/users/10</code></p> <h3> Example (Express.js) </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users</span><span class="dl">'</span><span class="p">,</span> <span class="nx">getAllUsers</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users</span><span class="dl">'</span><span class="p">,</span> <span class="nx">createUser</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="k">delete</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users/:id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">deleteUser</span><span class="p">);</span> </code></pre> </div> <h2> 🛣️ Routing = "Where do you want to go?" </h2> <p>Routes tell the server:</p> <ul> <li> <strong>which endpoint</strong> the request targets\</li> <li> <strong>which resource</strong> to operate on\</li> <li> <strong>which handler</strong> will run your logic</li> </ul> <p>Example:</p> <p><code>/users</code> → returns an array of all users\<br> <code>/users/5</code> → returns data of user with ID 5</p> <p>Routing literally maps URLs → functions.</p> <h2> 🧠 Handlers = Your Business Logic </h2> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">function</span> <span class="nf">getAllUsers</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="nx">users</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Routing = address\<br> Handler = the function cooking the response</p> <h2> 🔥 Static vs Dynamic Routing </h2> <h2> 1️⃣ Static Routes </h2> <p>These routes are fixed.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/about</span><span class="dl">'</span><span class="p">,</span> <span class="nx">aboutPage</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/contact</span><span class="dl">'</span><span class="p">,</span> <span class="nx">contactPage</span><span class="p">);</span> </code></pre> </div> <h2> 2️⃣ Dynamic Routes </h2> <p>Dynamic routes accept variables using <code>:</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users/:id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">getUser</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/posts/:postId/comments/:commentId</span><span class="dl">'</span><span class="p">,</span> <span class="nx">getComment</span><span class="p">);</span> </code></pre> </div> <p>From <code>/users/21</code> → <code>req.params.id</code> is <code>21</code>.</p> <h2> 🔍 Semantic Routing/Search </h2> <p>Semantic URLs are meaningful and readable.</p> <p>Example:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GET /products/search/shoes </code></pre> </div> <p>They are:</p> <ul> <li> SEO-friendly\</li> <li> easy to read\</li> <li> more intuitive</li> </ul> <h2> ❓ Query Parameters </h2> <p>Query params come after <code>?</code>.</p> <p>Examples:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/users?limit=10&amp;page=2 /users?active=true /users/search?name=yukti&amp;sort=asc </code></pre> </div> <h2> 🧩 Nested Routes </h2> <p>Represent relationships like:</p> <p>User → Posts → Comments</p> <p>Examples:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/users/:id/posts /users/:id/posts/:postId/comments </code></pre> </div> <h2> 🗂️ Route Versioning </h2> <p>Your API evolves. Older apps still depend on older endpoints.</p> <p>That's why you version:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/api/v1/users /api/v2/users </code></pre> </div> <h2> 🧹 Route Deprecation </h2> <p>Mark older routes as deprecated before retiring them.</p> <p>Example JSON:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"v1/users is deprecated. Please migrate to v2."</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> 🌍 Catch-All Routes </h2> <p>A catch-all route handles undefined paths.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">404</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Route not found</span><span class="dl">'</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <h2> 🌟 Best Practices </h2> <ul> <li> Group routes by feature\</li> <li> Use nouns, not verbs\</li> <li> Keep routes lowercase\</li> <li> Use meaningful names\</li> <li> Version your API\</li> <li> Add structured error responses</li> </ul> <h2> ✨ Summary </h2> <ul> <li> HTTP methods = <strong>what</strong>\</li> <li> Routes = <strong>where</strong>\</li> <li> Handlers = <strong>logic</strong>\</li> <li> Static &amp; dynamic routes\</li> <li> Query params, nested routes\</li> <li> Versioning &amp; deprecation\</li> <li> Catch-all routes</li> </ul> webdev programming beginners tutorial 🔥 Understanding HTTP Deeply — The Backbone of the Web (For Backend Learners) Yukti Sahu Mon, 17 Nov 2025 04:07:11 +0000 https://forem.com/yuktisays/understanding-http-deeply-the-backbone-of-the-web-for-backend-learners-k4n https://forem.com/yuktisays/understanding-http-deeply-the-backbone-of-the-web-for-backend-learners-k4n <p>You tryna be a backend dev but HTTP is still a mystery? That’s not very slay of you<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwqs4jl5hlvenrih9x444.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwqs4jl5hlvenrih9x444.png" alt="o" width="243" height="207"></a></p> <p>When you step into backend development, you quickly realize that knowing HTTP is not optional. It's the foundation of how clients and servers talk, how browsers fetch your apps, how APIs work, how authentication happens — everything.</p> <p>This article explains HTTP in a simple but deeply technical way, covering:</p> <ul> <li>Statelessness</li> <li>Client–Server Model</li> <li>Evolution of HTTP (HTTP/0.9 → HTTP/3)</li> <li>Headers and Their Types</li> <li>Idempotency</li> <li>Methods and Use Cases</li> <li>CORS &amp; OPTIONS</li> <li>Status Codes</li> <li>SSL/TLS &amp; HTTPS</li> <li>Real examples</li> </ul> <p>Let’s begin. 🚀</p> <h2> 1. HTTP is Stateless — What Does That Actually Mean? </h2> <p>Stateless means:</p> <ul> <li>The server does not remember anything about previous requests.</li> <li>Every request is independent.</li> </ul> <p>If a client sends 5 requests, the server treats each one as a fresh request with no memory of previous interactions.</p> <h3> Why is HTTP stateless? </h3> <ul> <li>Server doesn’t store user info → architecture becomes simple.</li> <li>Scaling becomes easier → any server can handle the next request.</li> <li>If one server crashes, user is not affected (because the client re-sends credentials).</li> </ul> <h3> If HTTP is stateless, how do websites keep you logged in? </h3> <p>Developers implement state management using techniques such as:</p> <ul> <li>Cookies</li> <li>Sessions</li> <li>JWT tokens</li> <li>OAuth</li> <li>localStorage (client-side)</li> </ul> <p>Each request carries user identity again and again.</p> <h3> Example request (showing stateless nature) </h3> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="nf">GET</span> <span class="nn">/profile</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="na">Host</span><span class="p">:</span> <span class="s">example.com</span> <span class="na">Authorization</span><span class="p">:</span> <span class="s">Bearer &lt;token&gt;</span> <span class="na">Cookie</span><span class="p">:</span> <span class="s">session_id=abc123</span> </code></pre> </div> <p>Every request must re-send credentials because the server doesn't remember previous requests.</p> <h2> 2. The Client–Server Model </h2> <p>HTTP follows the Client–Server architecture.</p> <h3> Client </h3> <p>Anything that sends a request:</p> <ul> <li>Browser</li> <li>Mobile app</li> <li>React/Next.js frontend</li> <li>Postman/cURL</li> </ul> <h3> Server </h3> <p>Hosts:</p> <ul> <li>APIs</li> <li>Database access logic</li> <li>Files &amp; resources</li> <li>Authentication</li> </ul> <h3> Basic flow </h3> <p>Client → sends Request → HTTP → Server</p> <p>Server → sends Response → HTTP → Client</p> <p>Medium of communication → TCP.</p> <p>HTTP runs on top of TCP (Transmission Control Protocol). TCP ensures:</p> <ul> <li>Reliable message delivery</li> <li>No data loss</li> <li>Ordered packets</li> </ul> <h2> 3. Evolution of HTTP (Important for interviews) </h2> <ul> <li> <p><strong>HTTP/0.9 (1991)</strong></p> <ul> <li>Only GET, no headers, response was plain text.</li> </ul> </li> <li> <p><strong>HTTP/1.0 (1996)</strong></p> <ul> <li>Headers introduced. Each request opens + closes connection → slower.</li> </ul> </li> <li> <p><strong>HTTP/1.1 (1999)</strong></p> <ul> <li>Persistent connections, chunked responses, caching headers.</li> <li>Default for many years and still widely used.</li> </ul> </li> <li> <p><strong>HTTP/2 (2015)</strong></p> <ul> <li>Binary protocol, multiplexing (many requests in one connection), HPACK header compression → faster.</li> </ul> </li> <li> <p><strong>HTTP/3 (2022)</strong></p> <ul> <li>Based on QUIC (UDP). Zero head-of-line blocking, faster on unstable networks.</li> </ul> </li> </ul> <h2> 4. Understanding HTTP Headers </h2> <p>Headers = metadata sent with requests and responses. They tell the server:</p> <ul> <li>Who is requesting?</li> <li>What format is expected?</li> <li>What content is being sent?</li> <li>What authentication is used?</li> </ul> <h3> Categories of headers </h3> <h4> 1) Request headers </h4> <p>Tell the server about the client.</p> <p>Examples:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User-Agent: Mozilla/5.0 Authorization: Bearer &lt;token&gt; Cookie: session_id=abc123 Accept: application/json </code></pre> </div> <h4> 2) General headers </h4> <p>Used in both request and response:</p> <ul> <li>Cache-Control: no-cache</li> <li>Connection: keep-alive</li> <li>Date: Tue, 15 Nov 2025</li> </ul> <h4> 3) Representation headers </h4> <p>Tell about the actual payload/data:</p> <ul> <li>Content-Type: application/json</li> <li>Content-Length: 532</li> <li>Content-Encoding: gzip</li> <li>ETag: "9b1f..."</li> </ul> <h4> 4) Security headers </h4> <p>Used to harden web apps:</p> <ul> <li>Strict-Transport-Security: max-age=31536000; includeSubDomains</li> <li>Content-Security-Policy: default-src 'self'</li> <li>X-Frame-Options: DENY</li> <li>X-Content-Type-Options: nosniff</li> <li>Set-Cookie: session_id=abc123; HttpOnly; Secure</li> </ul> <h3> Why is HTTP extensible? </h3> <p>You can add custom headers without changing the protocol. Examples:</p> <ul> <li>X-Client-Region: India</li> <li>X-App-Version: 3.1.0</li> </ul> <p>These are useful for telemetry, experimentation, versioning or additional security metadata.</p> <blockquote> <p>Headers are like remote controls for servers. Examples:</p> </blockquote> <ul> <li> <p>Client -&gt; “Send JSON only.”</p> <ul> <li><code>Accept: application/json</code></li> </ul> </li> <li> <p>Client -&gt; “Store this only for 1 hour.”</p> <ul> <li><code>Cache-Control: max-age=3600</code></li> </ul> </li> <li> <p>Client -&gt; “Send compressed data.”</p> <ul> <li><code>Accept-Encoding: gzip</code></li> </ul> </li> </ul> <h2> 5. HTTP Methods &amp; Their Intent </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Method</th> <th>Use case</th> </tr> </thead> <tbody> <tr> <td>GET</td> <td>read data</td> </tr> <tr> <td>POST</td> <td>create data</td> </tr> <tr> <td>PUT</td> <td>update (replace)</td> </tr> <tr> <td>PATCH</td> <td>update (partial)</td> </tr> <tr> <td>DELETE</td> <td>remove resource</td> </tr> <tr> <td>OPTIONS</td> <td>discover server capabilities (CORS)</td> </tr> </tbody> </table></div> <h2> 6. Idempotent vs Non-Idempotent </h2> <p><strong>Idempotent</strong> (same result even if request is repeated):</p> <ul> <li>GET</li> <li>PUT</li> <li>DELETE</li> </ul> <p><strong>Non-idempotent</strong>:</p> <ul> <li>POST</li> </ul> <p>Example:</p> <p>POST /order — if you send the same request twice -&gt; two orders are created.</p> <h2> 7. OPTIONS and CORS </h2> <p>Browsers enforce CORS for cross-origin security.</p> <p>Two types of requests:</p> <h3> 1) Simple request </h3> <ul> <li>No preflight. Usually GET/POST with safe headers.</li> </ul> <h3> 2) Preflighted request </h3> <ul> <li>Browser first sends an OPTIONS preflight to check permissions.</li> </ul> <p>Example preflight request:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="nf">OPTIONS</span> <span class="nn">/api/data</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="na">Origin</span><span class="p">:</span> <span class="s">https://example.com</span> <span class="na">Access-Control-Request-Method</span><span class="p">:</span> <span class="s">POST</span> </code></pre> </div> <p>Server replies with allowed origins &amp; methods:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Access-Control-Allow-Origin: https://example.com Access-Control-Allow-Methods: POST </code></pre> </div> <p>After a successful preflight, the browser sends the actual request.</p> <h2> 8. HTTP Response Status Codes </h2> <ul> <li> <p><strong>200–299 → Success</strong></p> <ul> <li>200 OK</li> <li>201 Created</li> <li>204 No Content</li> </ul> </li> <li> <p><strong>300–399 → Redirection</strong></p> <ul> <li>301 Moved Permanently</li> <li>302 Found</li> </ul> </li> <li> <p><strong>400–499 → Client errors</strong></p> <ul> <li>400 Bad Request</li> <li>401 Unauthorized</li> <li>403 Forbidden</li> <li>404 Not Found</li> <li>429 Too Many Requests</li> </ul> </li> <li> <p><strong>500–599 → Server errors</strong></p> <ul> <li>500 Internal Server Error</li> <li>503 Service Unavailable</li> </ul> </li> </ul> <h3> Example response </h3> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="m">200</span> <span class="ne">OK</span> <span class="na">Content-Type</span><span class="p">:</span> <span class="s">application/json</span> <span class="na">Cache-Control</span><span class="p">:</span> <span class="s">no-store</span> <span class="p">{</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"User fetched successfully"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> 9. SSL, TLS &amp; HTTPS (expanded) </h2> <p>HTTP by itself is not secure — data travels in plain text. SSL/TLS provide confidentiality, integrity, and authentication for HTTP, resulting in HTTPS (HTTP over TLS).</p> <h3> A brief history </h3> <ul> <li> <strong>SSL</strong>: the original Secure Sockets Layer (SSL 2.0/3.0) is now deprecated because of several design flaws and vulnerabilities.</li> <li> <strong>TLS</strong>: Transport Layer Security replaced SSL. Major TLS versions: TLS 1.0 / 1.1 (deprecated), TLS 1.2 (widely used), and TLS 1.3 (recommended).</li> </ul> <h3> What TLS provides (concise) </h3> <ul> <li>Confidentiality — encrypts the payload so eavesdroppers can't read it.</li> <li>Integrity — ensures data isn't tampered with in transit (via MACs or AEAD).</li> <li>Authentication — ensures the client is talking to the genuine server via certificates.</li> </ul> <h3> TLS handshake — a deeper look </h3> <p>The handshake establishes cryptographic parameters and shared keys. High-level steps (TLS 1.2 style, then notes for TLS 1.3):</p> <ol> <li>ClientHello: the client sends supported protocol versions, cipher suites (e.g., ECDHE + AES-GCM), supported extensions (SNI, ALPN), and a random value.</li> <li>ServerHello: the server picks a protocol version and cipher suite and sends its certificate chain (leaf certificate + intermediate CA certs) and its ServerHello random.</li> <li>Certificate verification: the client validates the server certificate chain up to a trusted root, checks validity dates, host name (or SAN), and revocation status (CRL/OCSP).</li> <li>Key exchange: depending on the cipher suite, the client and server perform an asymmetric key exchange (ECDHE is common) to derive a shared secret. ECDHE provides forward secrecy; RSA key-exchange (deprecated for forward secrecy) is no longer recommended.</li> <li>Finished messages: both sides derive symmetric keys (for the record layer) and exchange Finished messages to validate the handshake integrity.</li> </ol> <p>Notes:</p> <ul> <li>In TLS 1.3 the handshake is streamlined: the number of round-trips is reduced, RSA key-exchange is removed, and forward-secret key exchange (ECDHE) is always used. TLS 1.3 also mandates modern AEAD ciphers (like AES-GCM or ChaCha20-Poly1305).</li> <li>TLS supports session resumption (session IDs or session tickets) and in TLS 1.3 0‑RTT for some scenarios (with replay risks to consider).</li> </ul> <h3> Certificate basics </h3> <ul> <li>Certificates are signed by Certificate Authorities (CAs). A certificate contains the server's public key, the domain name(s) (CN / SAN), and validity dates.</li> <li>The client verifies the signature chain up to a trusted root CA present in its trust store.</li> <li>Let's Encrypt is a widely used free CA with automation for issuance and renewal.</li> <li>Self-signed certificates work for local development but are not trusted by browsers.</li> </ul> <h3> Common cryptographic elements </h3> <ul> <li>Public-key algorithms: RSA (older), ECDSA (preferred for smaller key sizes and performance).</li> <li>Key-exchange: ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) for forward secrecy.</li> <li>Symmetric ciphers / AEAD: AES-GCM, AES-CCM, ChaCha20-Poly1305.</li> <li>Hashes / HKDF: used in key derivation.</li> </ul> <h3> Practical deployment tips for backend developers </h3> <ul> <li>Prefer TLS 1.3 where possible; otherwise, require at least TLS 1.2.</li> <li>Disable TLS 1.0 and 1.1 and avoid older cipher suites (RC4, DES, 3DES, MD5-based MACs, non-AEAD modes).</li> <li>Prefer ECDHE key exchange for forward secrecy.</li> <li>Use HSTS (Strict-Transport-Security header) to force browsers to use HTTPS.</li> <li>Redirect all HTTP traffic to HTTPS (301 redirect), and set Secure and HttpOnly flags on cookies.</li> <li>Automate certificate issuance &amp; renewal (Let's Encrypt + ACME clients like certbot) and monitor expiry.</li> <li>Enable OCSP stapling to improve revocation checking performance.</li> <li>Test your configuration with tools like SSL Labs (Qualys) and Mozilla Observatory.</li> </ul> <h3> TLS-specific server headers &amp; features to consider </h3> <ul> <li>Strict-Transport-Security: enforces HTTPS (example: <code>Strict-Transport-Security: max-age=31536000; includeSubDomains; preload</code>).</li> <li>OCSP Stapling: avoid clients having to fetch OCSP from CA networks.</li> <li>ALPN (Application-Layer Protocol Negotiation): enables HTTP/2 or HTTP/3 negotiation during the TLS handshake.</li> </ul> <h3> Security features and advanced topics </h3> <ul> <li>Forward Secrecy: ensures that even if a server's long-term key is compromised later, past sessions remain confidential (use ECDHE).</li> <li>Certificate Pinning: binds a service to a specific certificate/public key (use with caution — difficult to rotate).</li> <li>Mutual TLS (mTLS): both client and server present certificates; useful for service-to-service authentication.</li> <li>TLS 1.3 improvements: fewer round trips, mandatory forward secrecy, removal of insecure primitives, improved performance on lossy networks.</li> </ul> <h3> Quick checklist for a secure HTTPS deployment </h3> <ol> <li>Use TLS 1.3 (or TLS 1.2 minimum).</li> <li>Prefer ECDHE + AEAD ciphers (AES-GCM, ChaCha20-Poly1305).</li> <li>Enable HSTS and set Secure, HttpOnly on cookies.</li> <li>Automate cert issuance &amp; renewal; monitor expiry.</li> <li>Test with SSL Labs and fix warnings (protocols, key sizes, chain issues).</li> </ol> <h2> 10. Code Examples </h2> <h3> Fetch API (frontend) </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">https://api.example.com/user</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">GET</span><span class="dl">"</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Authorization</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Bearer token123</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Accept</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/json</span><span class="dl">"</span> <span class="p">}</span> <span class="p">})</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">res</span> <span class="o">=&gt;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">())</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">data</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">data</span><span class="p">));</span> </code></pre> </div> <h3> Node.js (Express) example </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">"</span><span class="s2">/login</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">email</span> <span class="o">||</span> <span class="o">!</span><span class="nx">password</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Missing fields</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">token</span><span class="p">:</span> <span class="dl">"</span><span class="s2">jwt-token-here</span><span class="dl">"</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <h2> Final thoughts </h2> <p>HTTP may seem simple, but it's one of the most powerful and important protocols in computer science and backend development.</p> <p>Once you understand:</p> <ul> <li>statelessness</li> <li>headers</li> <li>authentication</li> <li>CORS</li> <li>TLS</li> <li>the protocol's evolution</li> </ul> <p>—you can design scalable, secure, modern backend systems.</p> development networking security web3 From RNNs to ChatGPT: The Paper That Changed How AI Thinks 🤖 Yukti Sahu Fri, 10 Oct 2025 16:36:42 +0000 https://forem.com/yuktisays/from-rnns-to-chatgpt-the-paper-that-changed-how-ai-thinks-3ke3 https://forem.com/yuktisays/from-rnns-to-chatgpt-the-paper-that-changed-how-ai-thinks-3ke3 <h2> 💡 “Attention Is All You Need”: The Paper That Changed How AI Thinks </h2> <p>So, I was just scrolling through Instagram reels when one popped up saying — </p> <blockquote> <p>“If you really want to understand what <em>real AI</em> is made of, go read the paper ‘Attention Is All You Need.’”</p> </blockquote> <p>At first, I laughed a little — I thought it was something about <em>mental health and focus</em> 😅.<br><br> But curiosity won. I searched for the paper, opened it, and… okay, I’ll be honest — I didn’t get even half of it by reading directly. </p> <p>So, as the smart generation we are, I passed the paper to <strong>ChatGPT</strong> and said, </p> <blockquote> <p>“Explain this to me like I’m five, but still make me feel smart.” </p> </blockquote> <p>And wow — what came out was <em>fascinating</em>.<br><br> Here’s everything that paper actually means — in plain, simple English. </p> <h2> 🌟 1. Background – What Was the Problem Before? </h2> <p>Before the <strong>Transformer</strong> was born, all AI models for language — like translation or speech — used <strong>RNNs (Recurrent Neural Networks)</strong> or <strong>CNNs (Convolutional Neural Networks)</strong>. </p> <h3> 🌀 The RNN Problem </h3> <p>RNNs read data <strong>one word at a time</strong> — first “I,” then “love,” then “pizza.”<br><br> They remember what came before using something called <em>hidden states</em>. </p> <p>But here’s the issue — when sentences got long, they started <strong>forgetting earlier words</strong>.<br><br> And since they process words one by one, <strong>parallel processing</strong> (speed) was impossible. </p> <p>📖 <strong>Example:</strong><br><br> Sentence: “I went to Paris because I love art.”<br><br> To connect “I” and “art,” RNN has to go through the entire sentence — word by word.<br><br> That’s slow and memory-heavy.</p> <h3> 🧩 The CNN Problem </h3> <p>CNNs were faster, using filters to detect local word patterns like <code>[I love]</code> or <code>[love pizza]</code>.<br><br> But they couldn’t easily understand <strong>long-distance relationships</strong> — like connecting “it” and “animal” in </p> <blockquote> <p>“The animal didn’t cross because it was tired.”</p> </blockquote> <p>So both RNNs and CNNs were <strong>limited</strong> — they worked but weren’t great at context or speed.</p> <h2> ⚡ 2. The Big Idea — The Transformer </h2> <p>Then came 2017.<br><br> The paper <strong>“Attention Is All You Need”</strong> by <em>Vaswani et al.</em> dropped — and it <em>revolutionized everything</em>. </p> <p>The authors said: </p> <blockquote> <p>“What if we throw away RNNs and CNNs completely… and just use <em>attention</em>?” </p> </blockquote> <h3> 🧠 What’s Attention? </h3> <p>Attention means <strong>focusing on the most relevant parts</strong> of information. </p> <p>When you read a paragraph, your brain doesn’t remember every word — it focuses on key ones.<br><br> That’s what the Transformer does: it looks at the whole sentence and figures out <em>which words depend on which</em>. </p> <p><strong>Example:</strong><br><br> In the sentence </p> <blockquote> <p>“The animal didn’t cross because it was too tired,”<br><br> the word “it” clearly refers to “animal.” </p> </blockquote> <p>That’s what <strong>self-attention</strong> helps the model understand — without reading word by word like RNNs.</p> <h2> 🔍 3. Transformer Architecture – The Encoder–Decoder </h2> <p>The Transformer is built from two main parts: </p> <h3> 1️⃣ Encoder – The Reader </h3> <p>It reads the input sentence and figures out all relationships between words.<br><br> Example:<br><br> “I love pizza.”<br><br> → It learns that “love” is strongly connected to “pizza.” </p> <h3> 2️⃣ Decoder – The Writer </h3> <p>It takes that understanding and <strong>generates output</strong>, like a translation.<br><br> Example:<br><br> “I love pizza.” → “मुझे पिज्ज़ा पसंद है” </p> <p>So, the <strong>encoder understands</strong>, and the <strong>decoder speaks</strong>.</p> <h2> 🧩 4. The Secret Sauce – Types of Attention </h2> <h3> 💫 (a) Self-Attention </h3> <p>Every word looks at all the other words in the sentence and decides which ones are important.<br><br> Example: </p> <blockquote> <p>“The animal didn’t cross because it was too tired.”<br><br> Here, “it” relates to “animal,” not “cross.”<br><br> Self-attention figures that out automatically.</p> </blockquote> <h3> 💫 (b) Multi-Head Attention </h3> <p>Instead of one attention mechanism, Transformers use <strong>multiple attention heads</strong>. </p> <p>Each head learns something different: </p> <ul> <li>One focuses on grammar. </li> <li>One on meaning. </li> <li>Another on context. </li> </ul> <p>It’s like having a group of teachers — each checking your sentence from a different angle.</p> <h2> 🔢 5. Positional Encoding – Remembering Word Order </h2> <p>Since the Transformer doesn’t read in sequence like RNNs, it doesn’t know word order.<br><br> To fix that, it adds <strong>positional encoding</strong> — a mathematical way to tell the model the position of each word. </p> <p>📍 <strong>Example:</strong><br><br> “Book a flight to Delhi” ≠ “Delhi a flight to book.”<br><br> Positional encoding helps it understand that order matters.</p> <h2> ⚙️ 6. Training Details </h2> <p>The original Transformer was trained using: </p> <ul> <li> <strong>Optimizer:</strong> Adam </li> <li> <strong>Dataset:</strong> English–German and English–French translations (WMT 2014) </li> <li> <strong>Hardware:</strong> 8 GPUs for just 12 hours! </li> </ul> <p>That’s super fast compared to RNN or CNN models of that time. </p> <h2> 🧪 7. The Results </h2> <p>The Transformer outperformed every model before it. </p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Task</th> <th>Dataset</th> <th>BLEU Score (higher = better)</th> </tr> </thead> <tbody> <tr> <td>English–German</td> <td>WMT 2014</td> <td><strong>28.4</strong></td> </tr> <tr> <td>English–French</td> <td>WMT 2014</td> <td><strong>41.0</strong></td> </tr> </tbody> </table></div> <p>That was a <strong>2+ point improvement</strong> over previous state-of-the-art systems — with <em>less training time.</em></p> <h2> 💭 8. Why It Was a Revolution </h2> <ul> <li>🚀 <strong>Faster training</strong> → parallel processing </li> <li>🧠 <strong>Better context understanding</strong> → self-attention </li> <li>🔄 <strong>Scalable</strong> → the bigger the model, the smarter it gets </li> </ul> <p>This paper inspired all the models we use today —<br><br> <strong>BERT, GPT, T5, Gemini, Claude, and beyond.</strong></p> <h2> 🎬 Real-World Scenarios </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Use Case</th> <th>Explanation</th> </tr> </thead> <tbody> <tr> <td>🌍 Google Translate</td> <td>Uses Transformer for language translation</td> </tr> <tr> <td>💬 ChatGPT, Gemini</td> <td>Based on advanced Transformer variants</td> </tr> <tr> <td>🖼️ Vision Models (ViT)</td> <td>Use attention for image understanding</td> </tr> <tr> <td>🎙️ Speech Models</td> <td>Modified Transformers for audio and text</td> </tr> </tbody> </table></div> <h2> 🪄 Beyond the Paper – My Curiosity Took Over </h2> <p>After reading, I couldn’t stop wondering —<br><br> “How do these models now process audio and images too?”<br><br> So I asked GPT a few more questions.</p> <h3> 🧩 How Do Transformers Handle Audio and Images? </h3> <p>Text was just the beginning.<br><br> Later, engineers realized they could also break images into <strong>patches</strong> (small square pieces), treat them like words, and feed them into a <strong>Vision Transformer (ViT)</strong>. </p> <p>For audio, they convert sound into <strong>spectrograms</strong> (visual wave-like graphs).<br><br> The same attention mechanism then learns patterns in sound frequencies — recognizing tone, pitch, and even emotion.</p> <p>That’s how models like <strong>Gemini</strong> or <strong>GPT-4o</strong> can now see, listen, and respond intelligently across formats — they use <strong>multimodal transformers</strong>.</p> <h3> 🎨 Then I Asked: “How Does AI Generate Images?” </h3> <p>The answer?<br><br> Through something called <strong>Diffusion Models</strong>.</p> <p>They start with <em>pure noise</em> and slowly turn it into a meaningful image by reversing the noise step by step. </p> <p><strong>Example:</strong><br><br> Prompt: “A cat riding a bike in space.”<br><br> The model begins with random static and <em>diffuses backward</em> — learning how to “denoise” it into an actual picture. </p> <p>Each denoising step is guided by your text prompt, so the cat, the bike, and the space background all take shape gradually. </p> <p>That’s what powers <strong>Stable Diffusion, DALL·E, and Midjourney.</strong></p> <h2> 🧭 In Simple Words </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Model</th> <th>Core Idea</th> <th>What It Does</th> </tr> </thead> <tbody> <tr> <td><strong>RNN</strong></td> <td>Sequential memory</td> <td>Learns time-based patterns</td> </tr> <tr> <td><strong>CNN</strong></td> <td>Filters + local focus</td> <td>Good for images and short text</td> </tr> <tr> <td><strong>Transformer</strong></td> <td>Self-attention</td> <td>Understands global context</td> </tr> <tr> <td><strong>Vision Transformer</strong></td> <td>Image patches</td> <td>“Sees” like a human eye</td> </tr> <tr> <td><strong>Diffusion Model</strong></td> <td>Reverse noise</td> <td>Creates new images</td> </tr> <tr> <td><strong>Multimodal Transformer</strong></td> <td>Unified input</td> <td>Handles text, image, audio</td> </tr> </tbody> </table></div> <h2> ✨ Final Thought </h2> <p>That Instagram reel led me down a rabbit hole — and it turned out to be <em>the best kind of curiosity</em>. </p> <p>From <strong>“Attention Is All You Need”</strong> to <strong>ChatGPT and Gemini</strong>, the entire AI world evolved because of that one paper. </p> <p>It replaced slow, step-by-step thinking with fast, focused attention — and gave birth to models that can read, talk, see, and even imagine. </p> <blockquote> <p><strong>RNN walked so Transformer could fly — and now GPTs are flying rockets. 🚀</strong></p> </blockquote> <h2> 📚 Further Reading </h2> <p>Here are some great references if you’d like to dive deeper 👇 </p> <ul> <li>🧾 <strong>Original Paper:</strong> <a href="https://arxiv.org/abs/1706.03762" rel="noopener noreferrer">Attention Is All You Need (NeurIPS 2017)</a> </li> <li>🧠 <strong>Google AI Blog:</strong> <a href="https://ai.googleblog.com/2017/08/transformer-novel-neural-network.html" rel="noopener noreferrer">Transformer: A Novel Neural Network Architecture for Language Understanding</a> </li> <li>🔍 <strong>Annotated Paper Walkthrough:</strong> <a href="https://jalammar.github.io/illustrated-transformer/" rel="noopener noreferrer">The Illustrated Transformer – Jay Alammar</a> </li> <li>🏗️ <strong>BERT Paper (2018):</strong> <a href="https://arxiv.org/abs/1810.04805" rel="noopener noreferrer">BERT: Pre-training of Deep Bidirectional Transformers</a> </li> <li>🤖 <strong>OpenAI Blog:</strong> <a href="https://openai.com/research" rel="noopener noreferrer">GPT Models and the Evolution of LLMs</a> </li> <li>🎨 <strong>Diffusion Models Explained:</strong> <a href="https://lilianweng.github.io/posts/2021-07-11-diffusion-models/" rel="noopener noreferrer">Lil’Log: What are Diffusion Models?</a> </li> </ul> <p>✍️ <em>Written by Yukti Sahu — exploring the world of AI, one paper at a time.</em></p> ai programming chatgpt datascience Hashmaps: My Ultimate Savior in the Wild World of DSA Yukti Sahu Thu, 09 Oct 2025 04:09:05 +0000 https://forem.com/yuktisays/hashmaps-my-ultimate-savior-in-the-wild-world-of-dsa-f3c https://forem.com/yuktisays/hashmaps-my-ultimate-savior-in-the-wild-world-of-dsa-f3c <h2> The Beginning: Campus Placement Panic </h2> <p>So, my campus placements have officially started. And guess what? The moment I saw the word <em>DSA</em> on the prep list, I could literally hear my brain whispering, "Run!" 😂</p> <p>But being the brave soul (and caffeine-powered coder) that I am, I decided to face it head-on. I opened a random problem, stared at it for 10 minutes like a detective at a crime scene, and then thought...<br> lol?<br> My Face</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F00wxw73ytwu3tunosbnj.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F00wxw73ytwu3tunosbnj.jpg" alt="my face" width="768" height="432"></a></p> <p>but one thing i know,</p> <blockquote> <p>hashmaps can help. They always do something magical.</p> </blockquote> <p>And yes, I was right.</p> <h2> So... What Exactly Is a Hashmap? </h2> <p>If you’re also like me — someone who <em>used</em> hashmaps before but didn’t really understand them — let’s clear that up.</p> <p>A <strong>hashmap</strong> is like your brain’s quick memory. You remember your friend’s name (the <em>key</em>) and instantly recall their face (the <em>value</em>).<br> That’s exactly what hashmaps do — they store stuff in <em>key-value</em> pairs.</p> <p>In C++, it’s called an <code>unordered_map</code>.<br> you can also use <code>ordered_map</code> as well.</p> <h3> Example Declaration: </h3> <div class="highlight js-code-highlight"> <pre class="highlight cpp"><code><span class="n">unordered_map</span><span class="o">&lt;</span><span class="kt">int</span><span class="p">,</span> <span class="kt">int</span><span class="o">&gt;</span> <span class="n">m</span><span class="p">;</span> <span class="c1">// key: int, value: int</span> </code></pre> </div> <h3> Some Common Operations: </h3> <div class="highlight js-code-highlight"> <pre class="highlight cpp"><code><span class="n">m</span><span class="p">[</span><span class="n">key</span><span class="p">]</span> <span class="o">=</span> <span class="n">value</span><span class="p">;</span> <span class="c1">// Store a value</span> <span class="n">m</span><span class="p">[</span><span class="n">key</span><span class="p">]</span><span class="o">++</span><span class="p">;</span> <span class="c1">// Increment the frequency of key</span> <span class="n">m</span><span class="p">.</span><span class="n">find</span><span class="p">(</span><span class="n">key</span><span class="p">);</span> <span class="c1">// Check if key exists</span> <span class="n">m</span><span class="p">.</span><span class="n">erase</span><span class="p">(</span><span class="n">key</span><span class="p">);</span> <span class="c1">// Remove key-value pair</span> </code></pre> </div> <p>And the best part — all these operations are super fast, like O(1) average time. Pretty neat, right?</p> <h2> The Problem: "Lost Attendance Sheet" 📋 </h2> <p>So here’s the story.</p> <p>Imagine you’re a teacher, and you have a list of students’ roll numbers who attended class. Everything looks fine until... someone signs the attendance sheet <em>twice!</em> 😅<br> You now need to find which roll number is the duplicate.</p> <h3> Input: </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[1, 3, 4, 2, 2] </code></pre> </div> <h3> Output: </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>2 </code></pre> </div> <h2> Thinking Like a Problem Solver 🧠 </h2> <h3> Step 1: Understand Input and Output </h3> <ul> <li>Input → an array of integers</li> <li>Output → the roll number that appears twice</li> </ul> <h3> Step 2: Think About the Logic </h3> <p>We need to <em>count</em> how many times each number appears.<br> If any number appears twice → that’s our culprit!</p> <h3> Step 3: Choose the Right Data Structure </h3> <p>We need quick insert + quick search = <strong>Hashmap</strong> ✅</p> <p>Key → roll number<br> Value → frequency count</p> <h2> My First Attempt (aka the "Oops" moment) </h2> <div class="highlight js-code-highlight"> <pre class="highlight cpp"><code><span class="n">unordered_map</span><span class="o">&lt;</span><span class="kt">int</span><span class="p">,</span><span class="kt">int</span><span class="o">&gt;</span> <span class="n">m</span><span class="p">;</span> <span class="k">for</span><span class="p">(</span><span class="kt">int</span> <span class="n">i</span> <span class="o">:</span> <span class="n">arr</span><span class="p">)</span> <span class="p">{</span> <span class="n">m</span><span class="p">[</span><span class="n">arr</span><span class="p">[</span><span class="n">i</span><span class="p">]]</span><span class="o">++</span><span class="p">;</span> <span class="p">}</span> <span class="k">for</span><span class="p">(</span><span class="k">auto</span> <span class="n">i</span> <span class="o">:</span> <span class="n">m</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span><span class="p">(</span><span class="n">m</span><span class="p">.</span><span class="n">second</span><span class="p">()</span> <span class="o">&gt;=</span> <span class="mi">2</span><span class="p">)</span> <span class="k">return</span> <span class="n">m</span><span class="p">.</span><span class="n">first</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <p>💡 <em>Mistake alert!</em> — I wrote <code>m.second()</code> and <code>m.first()</code> with brackets like they’re functions.<br> But nope — they’re <em>members</em>, not functions.</p> <p>It should be:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight cpp"><code><span class="k">if</span><span class="p">(</span><span class="n">i</span><span class="p">.</span><span class="n">second</span> <span class="o">&gt;=</span> <span class="mi">2</span><span class="p">)</span> <span class="k">return</span> <span class="n">i</span><span class="p">.</span><span class="n">first</span><span class="p">;</span> </code></pre> </div> <p>Classic rookie move. Happens to the best of us. 😅</p> <h2> Final Working Code </h2> <div class="highlight js-code-highlight"> <pre class="highlight cpp"><code><span class="cp">#include</span> <span class="cpf">&lt;iostream&gt;</span><span class="cp"> #include</span> <span class="cpf">&lt;unordered_map&gt;</span><span class="cp"> #include</span> <span class="cpf">&lt;vector&gt;</span><span class="cp"> </span><span class="k">using</span> <span class="k">namespace</span> <span class="n">std</span><span class="p">;</span> <span class="kt">int</span> <span class="nf">findDuplicate</span><span class="p">(</span><span class="n">vector</span><span class="o">&lt;</span><span class="kt">int</span><span class="o">&gt;&amp;</span> <span class="n">arr</span><span class="p">)</span> <span class="p">{</span> <span class="n">unordered_map</span><span class="o">&lt;</span><span class="kt">int</span><span class="p">,</span> <span class="kt">int</span><span class="o">&gt;</span> <span class="n">m</span><span class="p">;</span> <span class="k">for</span> <span class="p">(</span><span class="kt">int</span> <span class="n">i</span> <span class="o">:</span> <span class="n">arr</span><span class="p">)</span> <span class="p">{</span> <span class="n">m</span><span class="p">[</span><span class="n">i</span><span class="p">]</span><span class="o">++</span><span class="p">;</span> <span class="p">}</span> <span class="k">for</span> <span class="p">(</span><span class="k">auto</span> <span class="n">i</span> <span class="o">:</span> <span class="n">m</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="n">i</span><span class="p">.</span><span class="n">second</span> <span class="o">&gt;=</span> <span class="mi">2</span><span class="p">)</span> <span class="k">return</span> <span class="n">i</span><span class="p">.</span><span class="n">first</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="o">-</span><span class="mi">1</span><span class="p">;</span> <span class="c1">// no duplicate found</span> <span class="p">}</span> <span class="kt">int</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="n">vector</span><span class="o">&lt;</span><span class="kt">int</span><span class="o">&gt;</span> <span class="n">arr</span> <span class="o">=</span> <span class="p">{</span><span class="mi">1</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">2</span><span class="p">};</span> <span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">"Duplicate roll number: "</span> <span class="o">&lt;&lt;</span> <span class="n">findDuplicate</span><span class="p">(</span><span class="n">arr</span><span class="p">);</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h2> Dry Run (Because Visuals Help) </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>arr = [1, 3, 4, 2, 2] </code></pre> </div> <p>After the first loop → hashmap looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{1:1, 3:1, 4:1, 2:2} </code></pre> </div> <p>Second loop → finds that 2 has frequency 2.<br> ✅ . Duplicate found.</p> <p><strong>Output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Duplicate roll number: 2 </code></pre> </div> <p>All done in <strong>O(n)</strong> time, <strong>O(n)</strong> space.<br> Hashmaps doing their magic again 🪄</p> <h2> Why This Works </h2> <p>Normally, you’d have to compare every element with every other element → O(n²) time.<br> But hashmaps let you store and check everything in one pass → O(n) time.</p> <p>Basically, they’re like the <em>cheat codes</em> of DSA problems.</p> <h2> Final Takeaway: How to Think in DSA </h2> <p>Over time, I’ve realized that solving DSA problems boils down to three things:</p> <ol> <li> <strong>Understand the input and output</strong> → What are we working with?</li> <li> <strong>Find the logic and right data structure</strong> → What helps us solve it fastest?</li> <li> <strong>Apply and tweak</strong> → Turn logic into working code, and fix when it doesn’t work (like my first attempt 😅)</li> </ol> <h2> The End (or Maybe Just the Beginning) </h2> <p>Hashmaps are that one friend in DSA who always has your back. They might look scary at first, but once you get them — oh boy, they make your life so much easier. 😎</p> <p>So next time you feel lost in a jungle of arrays and strings, remember:</p> <blockquote> <p>Hashmaps might just be your map 🗺️.</p> </blockquote> dsa cpp algorithms coding