Table of Contents · Express is a Node.js Web Framework. Node.js is an amazing tool for building...

TableofContentsTheExpressHandbook

Expressoverview

Requestparameters

Sendingaresponse

SendingaJSONresponse

ManageCookies

WorkwithHTTPheaders

Redirects

Routing

Templating

ThePugGuide

Middleware

Servingstaticfiles

Sendfiles

Sessions

Validatinginput

Sanitizinginput

Handlingforms

Fileuploadsinforms

AnExpressHTTPSserverwithaself-signedcertificate

SetupLet'sEncryptforExpress

TheExpressHandbookTheExpressHandbookfollowsthe80/20rule:learnin20%ofthetimethe80%ofatopic.

Ifindthisapproachgivesawell-roundedoverview.ThisbookdoesnottrytocovereverythingunderthesunrelatedtoExpress.Ifyouthinksomespecifictopicshouldbeincluded,tellme.

YoucanreachmeonTwitter@flaviocopes.

Ihopethecontentsofthisbookwillhelpyouachievewhatyouwant:learnthebasicsExpress.

ThisbookiswrittenbyFlavio.Ipublishwebdevelopmenttutorialseverydayonmywebsiteflaviocopes.com.

Enjoy!

TheExpressHandbook

ExpressoverviewExpressisaNode.jsWebFramework.Node.jsisanamazingtoolforbuildingnetworkingservicesandapplications.ExpressbuildsontopofitsfeaturestoprovideeasytousefunctionalitythatsatisfytheneedsoftheWebServerusecase.

ExpressisaNode.jsWebFramework.

Node.jsisanamazingtoolforbuildingnetworkingservicesandapplications.

ExpressbuildsontopofitsfeaturestoprovideeasytousefunctionalitythatsatisfytheneedsoftheWebServerusecase.

It'sOpenSource,free,easytoextend,veryperformant,andhaslotsandlotsofpre-builtpackagesyoucanjustdropinanduse,toperformallkindofthings.

InstallationYoucaninstallExpressintoanyprojectwithnpm:

Expressoverview

npminstallexpress--save

orYarn:

yarnaddexpress

Bothcommandswillalsoworkinanemptydirectory,tostartupyourprojectfromscratch,although npmdoesnotcreatea package.jsonfileatall,andYarncreatesabasicone.

Justrun npminitor yarninitifyou'restartinganewprojectfromscratch.

HelloWorldWe'rereadytocreateourfirstExpressWebServer.

Hereissomecode:

constexpress=require('express')

constapp=express()

app.get('/',(req,res)=>res.send('HelloWorld!'))

app.listen(3000,()=>console.log('Serverready'))

Savethistoan index.jsfileinyourprojectrootfolder,andstarttheserverusing

nodeindex.js

Youcanopenthebrowsertoport3000onlocalhostandyoushouldseethe HelloWorld!message.

LearnthebasicsofExpressbyunderstandingtheHelloWorldcodeThose4linesofcodedoalotbehindthescenes.

First,weimportthe expresspackagetothe expressvalue.

Weinstantiateanapplicationbycallingits app()method.

Oncewehavetheapplicationobject,wetellittolistenforGETrequestsonthe /path,usingthe get()method.

Expressoverview

ThereisamethodforeveryHTTPverb: get(), post(), put(), delete(), patch():

app.get('/',(req,res)=>{/**/})

app.post('/',(req,res)=>{/**/})

app.put('/',(req,res)=>{/**/})

app.delete('/',(req,res)=>{/**/})

app.patch('/',(req,res)=>{/**/})

Thosemethodsacceptacallbackfunction,whichiscalledwhenarequestisstarted,andweneedtohandleit.

Wepassinanarrowfunction:

(req,res)=>res.send('HelloWorld!')

Expresssendsustwoobjectsinthiscallback,whichwecalled reqand res,thatrepresenttheRequestandtheResponseobjects.

RequestistheHTTPrequest.Itcangiveusalltheinfoaboutthat,includingtherequestparameters,theheaders,thebodyoftherequest,andmore.

ResponseistheHTTPresponseobjectthatwe'llsendtotheclient.

Whatwedointhiscallbackistosendthe'HelloWorld!'stringtotheclient,usingtheResponse.send()method.

Thismethodsetsthatstringasthebody,anditclosestheconnection.

Thelastlineoftheexampleactuallystartstheserver,andtellsittolistenonport 3000.Wepassinacallbackthatiscalledwhentheserverisreadytoacceptnewrequests.

Expressoverview

RequestparametersAhandyreferencetoalltherequestobjectpropertiesandhowtousethem

RequestparametersImentionedhowtheRequestobjectholdsalltheHTTPrequestinformation.

Thesearethemainpropertiesyou'lllikelyuse:

Property Description

.app holdsareferencetotheExpressappobject

.baseUrl thebasepathonwhichtheappresponds

.body containsthedatasubmittedintherequestbody(mustbeparsedandpopulatedmanuallybeforeyoucanaccessit)

.cookies containsthecookiessentbytherequest(needsthe cookie-parsermiddleware)

.hostname theserverhostname

.ip theserverIP

.method theHTTPmethodused

.params theroutenamedparameters

.path theURLpath

.protocol therequestprotocol

.query anobjectcontainingallthequerystringsusedintherequest

.secure trueiftherequestissecure(usesHTTPS)

.signedCookies containsthesignedcookiessentbytherequest(needsthe cookie-parsermiddleware)

.xhr trueiftherequestisanXMLHttpRequest

HowtoretrievetheGETquerystringparametersusingExpressThequerystringisthepartthatcomesaftertheURLpath,andstartswithanexclamationmark ?.

Requestparameters

Example:

?name=flavio

Multiplequeryparameterscanbeaddedusing &:

?name=flavio&age=35

HowdoyougetthosequerystringvaluesinExpress?

Expressmakesitveryeasybypopulatingthe Request.queryobjectforus:

constapp=express()

app.get('/',(req,res)=>{

console.log(req.query)

app.listen(8080)

Thisobjectisfilledwithapropertyforeachqueryparameter.

Iftherearenoqueryparams,it'sanemptyobject.

Thismakesiteasytoiterateonitusingthefor...inloop:

for(constkeyinreq.query){

console.log(key,req.query[key])

Thiswillprintthequerypropertykeyandthevalue.

Youcanaccesssinglepropertiesaswell:

req.query.name//flavio

req.query.age//35

HowtoretrievethePOSTquerystringparametersusingExpressPOSTqueryparametersaresentbyHTTPclientsforexamplebyforms,orwhenperformingaPOSTrequestsendingdata.

Requestparameters

Howcanyouaccessthisdata?

IfthedatawassentasJSON,using Content-Type:application/json,youwillusetheexpress.json()middleware:

constapp=express()

app.use(express.json())

IfthedatawassentasJSON,using Content-Type:application/x-www-form-urlencoded,youwillusethe express.urlencoded()middleware:

constapp=express()

app.use(express.urlencoded())

Inbothcasesyoucanaccessthedatabyreferencingitfrom Request.body:

app.post('/form',(req,res)=>{

constname=req.body.name

Note:olderExpressversionsrequiredtheuseofthe body-parsermoduletoprocessPOSTdata.ThisisnolongerthecaseasofExpress4.16(releasedinSeptember2017)andlaterversions.

Requestparameters

SendingaresponseHowtosendaresponsebacktotheclientusingExpress

IntheHelloWorldexampleweusedthe Response.send()methodtosendasimplestringasaresponse,andtoclosetheconnection:

(req,res)=>res.send('HelloWorld!')

Ifyoupassinastring,itsetsthe Content-Typeheaderto text/html.

ifyoupassinanobjectoranarray,itsetsthe application/json Content-Typeheader,andparsesthatparameterintoJSON.

send()automaticallysetsthe Content-LengthHTTPresponseheader.

send()alsoautomaticallyclosestheconnection.

Useend()tosendanemptyresponse

Analternativewaytosendtheresponse,withoutanybody,it'sbyusingthe Response.end()method:

res.end()

SettheHTTPresponsestatus

Usethe Response.status():

res.status(404).end()

res.status(404).send('Filenotfound')

sendStatus()isashortcut:

res.sendStatus(200)

//===res.status(200).send('OK')

res.sendStatus(403)

//===res.status(403).send('Forbidden')

Sendingaresponse

res.sendStatus(404)

//===res.status(404).send('NotFound')

res.sendStatus(500)

//===res.status(500).send('InternalServerError')

Sendingaresponse

SendingaJSONresponseHowtoserveJSONdatausingtheNode.jsExpresslibrary

WhenyoulistenforconnectionsonarouteinExpress,thecallbackfunctionwillbeinvokedoneverynetworkcallwithaRequestobjectinstanceandaResponseobjectinstance.

Example:

Hereweusedthe Response.send()method,whichacceptsanystring.

YoucansendJSONtotheclientbyusing Response.json(),ausefulmethod.

Itacceptsanobjectorarray,andconvertsittoJSONbeforesendingit:

res.json({username:'Flavio'})

SendingaJSONresponse

ManageCookiesHowtousethe`Response.cookie()`methodtomanipulateyourcookies

Usethe Response.cookie()methodtomanipulateyourcookies.

Examples:

res.cookie('username','Flavio')

Thismethodacceptsathirdparameterwhichcontainsvariousoptions:

res.cookie('username','Flavio',{domain:'.flaviocopes.com',path:'/administrator',sec

ure:true})

res.cookie('username','Flavio',{expires:newDate(Date.now()+900000),httpOnly:true

Themostusefulparametersyoucansetare:

Value Description

domain thecookiedomainname

expiressetthecookieexpirationdate.Ifmissing,or0,thecookieisasessioncookie

httpOnly setthecookietobeaccessibleonlybythewebserver.SeeHttpOnly

maxAge settheexpirytimerelativetothecurrenttime,expressedinmilliseconds

path thecookiepath.Defaultsto/

secure MarksthecookieHTTPSonly

signed setthecookietobesigned

sameSite Valueof SameSite

Acookiecanbeclearedwith

res.clearCookie('username')

ManageCookies

WorkwithHTTPheadersLearnhowtoaccessandchangeHTTPheadersusingExpress

AccessHTTPheadersvaluesfromarequestYoucanaccessalltheHTTPheadersusingthe Request.headersproperty:

console.log(req.headers)

Usethe Request.header()methodtoaccessoneindividualrequestheadervalue:

req.header('User-Agent')

ChangeanyHTTPheadervalueofaresponseYoucanchangeanyHTTPheadervalueusing Response.set():

res.set('Content-Type','text/html')

ThereisashortcutfortheContent-Typeheaderhowever:

res.type('.html')

//=>'text/html'

res.type('html')

//=>'text/html'

res.type('json')

//=>'application/json'

res.type('application/json')

//=>'application/json'

res.type('png')

//=>image/png:

WorkwithHTTPheaders

RedirectsHowtoredirecttootherpagesserver-side

RedirectsarecommoninWebDevelopment.YoucancreatearedirectusingtheResponse.redirect()method:

res.redirect('/go-there')

Thiscreatesa302redirect.

A301redirectismadeinthisway:

res.redirect(301,'/go-there')

Youcanspecifyanabsolutepath( /go-there),anabsoluteurl( https://anothersite.com),arelativepath( go-there)orusethe ..togobackonelevel:

res.redirect('../go-there')

res.redirect('..')

YoucanalsoredirectbacktotheRefererHTTPheadervalue(defaultingto /ifnotset)using

res.redirect('back')

Redirects

RoutingRoutingistheprocessofdeterminingwhatshouldhappenwhenaURLiscalled,oralsowhichpartsoftheapplicationshouldhandleaspecificincomingrequest.

RoutingistheprocessofdeterminingwhatshouldhappenwhenaURLiscalled,oralsowhichpartsoftheapplicationshouldhandleaspecificincomingrequest.

IntheHelloWorldexampleweusedthiscode

app.get('/',(req,res)=>{/**/})

ThiscreatesaroutethatmapsaccessingtherootdomainURL /usingtheHTTPGETmethodtotheresponsewewanttoprovide.

Namedparameters

Whatifwewanttolistenforcustomrequests,maybewewanttocreateaservicethatacceptsastring,andreturnsthatuppercase,andwedon'twanttheparametertobesentasaquerystring,butpartoftheURL.Weusenamedparameters:

app.get('/uppercase/:theValue',(req,res)=>res.send(req.params.theValue.toUpperCase()))

Ifwesendarequestto /uppercase/test,we'llget TESTinthebodyoftheresponse.

YoucanusemultiplenamedparametersinthesameURL,andtheywillallbestoredinreq.params.

Usearegularexpressiontomatchapath

Youcanuseregularexpressionstomatchmultiplepathswithonestatement:

app.get(/post/,(req,res)=>{/**/})

willmatch /post, /post/first, /thepost, /posting/something,andsoon.

Routing

CORSHowtoallowcrosssiterequestsbysettingupCORS

AJavaScriptapplicationrunninginthebrowsercanusuallyonlyaccessHTTPresourcesonthesamedomain(origin)thatservesit.

Loadingimagesorscripts/stylesalwaysworks,butXHRandFetchcallstoanotherserverwillfail,unlessthatserverimplementsawaytoallowthatconnection.

ThiswayiscalledCORS,Cross-OriginResourceSharing.

AlsoloadingWebFontsusing @font-facehassame-originpolicybydefault,andotherlesspopularthings(likeWebGLtexturesand drawImageresourcesloadedintheCanvasAPI).

OneveryimportantthingthatneedsCORSisESModules,recentlyintroducedinmodernbrowsers.

Ifyoudon'tsetupaCORSpolicyontheserverthatallowstoserve3rdpartorigins,therequestwillfail.

Fetchexample:

XHRexample:

ACross-Originresourcefailsifit's:

toadifferentdomaintoadifferentsubdomaintoadifferentporttoadifferentprotocol

andit'sthereforyoursecurity,topreventmalicioususerstoexploittheWebPlatform.

Butifyoucontrolboththeserverandtheclient,youhaveallthegoodreasonstoallowthemtotalktoeachother.

Itdependsonyourserver-sidestack.

BrowsersupportPrettygood(basicallyallexceptIE<10):

ExamplewithExpressIfyouareusingNode.jsandExpressasaframework,usetheCORSmiddlewarepackage.

Here'sasimpleimplementationofanExpressNode.jsserver:

constapp=express()

app.get('/without-cors',(req,res,next)=>{

res.json({msg:'ۘ noCORS,noparty!'})

constserver=app.listen(3000,()=>{

console.log('Listeningonport%s',server.address().port)

Ifyouhit /without-corswithafetchrequestfromadifferentorigin,it'sgoingtoraisetheCORSissue.

Allyouneedtodotomakethingsworkoutistorequirethe corspackagelinkedabove,andpassitinasamiddlewarefunctiontoanendpointrequesthandler:

constcors=require('cors')

constapp=express()

app.get('/with-cors',cors(),(req,res,next)=>{

res.json({msg:'WHOAHwithCORSitworks!ث ʦ '})

/*therestoftheapp*/

ImadeasimpleGlitchexample.Hereistheclientworking,andhere'sitscode:https://glitch.com/edit/#!/flavio-cors-client.

ThisistheNode.jsExpressserver:https://glitch.com/edit/#!/flaviocopes-cors-example-express

NotehowtherequestthatfailsbecauseitdoesnothandletheCORSheadingscorrectlyisstillreceived,asyoucanseeintheNetworkpanel,whereyoufindthemessagetheserversent:

AllowonlyspecificoriginsThisexamplehasaproblemhowever:ANYrequestwillbeacceptedbytheserverascross-origin.

AsyoucanseeintheNetworkpanel,therequestthatpassedhasaresponseheader access-control-allow-origin:*:

Youneedtoconfiguretheservertoonlyallowoneorigintoserve,andblockalltheothers.

Usingthesame corsNodelibrary,here'showyouwoulddoit:

constcors=require('cors')

constcorsOptions={

origin:'https://yourdomain.com'

app.get('/products/:id',cors(corsOptions),(req,res,next)=>{

Youcanservemoreaswell:

constwhitelist=['http://example1.com','http://example2.com']

constcorsOptions={

origin:function(origin,callback){

if(whitelist.indexOf(origin)!==-1){

callback(null,true)

}else{

callback(newError('NotallowedbyCORS'))

PreflightTherearesomerequeststhatarehandledina"simple"way.All GETrequestsbelongtothisgroup.

Alsosome POSTand HEADrequestsdoaswell.

POSTrequestsarealsointhisgroup,iftheysatisfytherequirementofusingaContent-Typeof

application/x-www-form-urlencoded

multipart/form-data

text/plain

Allotherrequestsmustrunthroughapre-approvalphase,calledpreflight.Thebrowserdoesthistodetermineifithasthepermissiontoperformanaction,byissuingan OPTIONSrequest.

Apreflightrequestcontainsafewheadersthattheserverwillusetocheckpermissions(irrelevantfieldsomitted):

OPTIONS/the/resource/you/request

Access-Control-Request-Method:POST

Access-Control-Request-Headers:origin,x-requested-with,accept

Origin:https://your-origin.com

Theserverwillrespondwithsomethinglikethis(irrelevantfieldsomitted):

HTTP/1.1200OK

Access-Control-Allow-Origin:https://your-origin.com

Access-Control-Allow-Methods:POST,GET,OPTIONS,DELETE

WecheckedforPOST,buttheservertellsuswecanalsoissueotherHTTPrequesttypesforthatparticularresource.

FollowingtheNode.jsExpressexampleabove,theservermustalsohandletheOPTIONSrequest:

varexpress=require('express')

varcors=require('cors')

varapp=express()

//allowOPTIONSonjustoneresource

app.options('/the/resource/you/request',cors())

//allowOPTIONSonallresources

app.options('*',cors())

TemplatingExpressiscapableofhandlingserver-sidetemplateengines.Templateenginesallowustoadddatatoaview,andgenerateHTMLdynamically.

Expressiscapableofhandlingserver-sidetemplateengines.

Templateenginesallowustoadddatatoaview,andgenerateHTMLdynamically.

ExpressusesJadeasthedefault.JadeistheoldversionofPug,specificallyPug1.0.

ThenamewaschangedfromJadetoPugduetoatrademarkissuein2016,whentheprojectreleasedversion2.YoucanstilluseJade,akaPug1.0,butgoingforward,it'sbesttousePug2.0

AlthoughthelastversionofJadeis3yearsold(atthetimeofwriting,summer2018),it'sstillthedefaultinExpressforbackwardcompatibilityreasons.

Inanynewproject,youshouldusePugoranotherengineofyourchoice.TheofficialsiteofPugishttps://pugjs.org/.

Youcanusemanydifferenttemplateengines,includingPug,Handlebars,Mustache,EJSandmore.

UsingPugTousePugwemustfirstinstallit:

npminstallpug

andwheninitializingtheExpressapp,weneedtosetit:

constapp=express()

app.set('viewengine','pug')

Wecannowstartwritingourtemplatesin .pugfiles.

Createanaboutview:

app.get('/about',(req,res)=>{

res.render('about')

Templating

andthetemplatein views/about.pug:

pHellofromFlavio

Thistemplatewillcreatea ptagwiththecontent HellofromFlavio.

Youcaninterpolateavariableusing

res.render('about',{name:'Flavio'})

pHellofrom#{name}

ThisisaveryshortintroductiontoPug,inthecontextofusingitwithExpress.LookatthePugguideformoreinformationonhowtousePug.

IfyouareusedtotemplateenginesthatuseHTMLandinterpolatevariables,likeHandlebars(describednext),youmightrunintoissues,especiallywhenyouneedtoconvertexistingHTMLtoPug.ThisonlineconverterfromHTMLtoJade(whichisverysimilar,butalittledifferentthanPug)willbeagreathelp:https://jsonformatter.org/html-to-jade

AlsoseethedifferencesbetweenJadeandPug

UsingHandlebarsLet'stryanduseHandlebarsinsteadofPug.

Youcaninstallitusing npminstallhbs.

Putan about.hbstemplatefileinthe views/folder:

Hellofrom{{name}}

andthenusethisExpressconfigurationtoserveiton /about:

constapp=express()

consthbs=require('hbs')

app.set('viewengine','hbs')

app.set('views',path.join(__dirname,'views'))

Templating

YoucanalsorenderaReactapplicationserver-side,usingthe express-react-viewspackage.

Startwith npminstallexpress-react-viewsreactreact-dom.

Nowinsteadofrequiring hbswerequire express-react-viewsandusethatastheengine,using jsxfiles:

constapp=express()

app.set('viewengine','jsx')

app.engine('jsx',require('express-react-views').createEngine())

Justputan about.jsxfilein views/,andcalling /aboutshouldpresentyouan"HellofromFlavio"string:

constReact=require('react')

classHelloMessageextendsReact.Component{

render(){

return<div>Hellofrom{this.props.name}</div>

module.exports=HelloMessage

Templating

ThePugGuideHowtousethePugtemplatingengine

IntroductiontoPugHowdoesPuglooklikeInstallPugSetupPugtobethetemplateengineinExpressYourfirstPugtemplateInterpolatingvariablesinPugInterpolateafunctionreturnvalueAddingidandclassattributestoelementsSetthedoctypeMetatagsAddingscriptsandstylesInlinescriptsLoopsConditionalsSetvariablesIncrementingvariablesAssigningvariablestoelementvaluesIteratingovervariablesIncludingotherPugfilesDefiningblocksExtendingabasetemplateComments

VisibleInvisible

IntroductiontoPugWhatisPug?It'satemplateengineforserver-sideNode.jsapplications.

Expressiscapableofhandlingserver-sidetemplateengines.Templateenginesallowustoadddatatoaview,andgenerateHTMLdynamically.

Pugisanewnameforanoldthing.It'sJade2.0.

ThePugGuide

ThenamewaschangedfromJadetoPugduetoatrademarkissuein2016,whentheprojectreleasedversion2.YoucanstilluseJade,akaPug1.0,butgoingforward,it'sbesttousePug2.0

AlsoseethedifferencesbetweenJadeandPug

ExpressusesJadeasthedefault.JadeistheoldversionofPug,specificallyPug1.0.

AlthoughthelastversionofJadeis3yearsold(atthetimeofwriting,summer2018),it'sstillthedefaultinExpressforbackwardcompatibilityreasons.

Inanynewproject,youshouldusePugoranotherengineofyourchoice.TheofficialsiteofPugishttps://pugjs.org/.

HowdoesPuglooklike

pHellofromFlavio

Asyoucansee,Pugisquitespecial.Ittakesthetagnameasthefirstthinginaline,andtherestisthecontentthatgoesinsideit.

IfyouareusedtotemplateenginesthatuseHTMLandinterpolatevariables,likeHandlebars(describednext),youmightrunintoissues,especiallywhenyouneedtoconvertexistingHTMLtoPug.ThisonlineconverterfromHTMLtoJade(whichisverysimilar,butalittledifferentthanPug)willbeagreathelp:https://jsonformatter.org/html-to-jade

InstallPugInstallingPugisassimpleasrunning npminstall:

npminstallpug

SetupPugtobethetemplateengineinExpressandwheninitializingtheExpressapp,weneedtosetit:

constapp=express()

app.set('viewengine','pug')

ThePugGuide

app.set('views',path.join(__dirname,'views'))

YourfirstPugtemplateCreateanaboutview:

res.render('about')

andthetemplatein views/about.pug:

pHellofromFlavio

InterpolatingvariablesinPugYoucaninterpolateavariableusing

pHellofrom#{name}

InterpolateafunctionreturnvalueYoucaninterpolateafunctionreturnvalueusing

res.render('about',{getName:()=>'Flavio'})

pHellofrom#{getName()}

Addingidandclassattributestoelements

ThePugGuide

p#title

p.title

Setthedoctype

doctypehtml

Metatags

meta(charset='utf-8')

meta(http-equiv='X-UA-Compatible',content='IE=edge')

meta(name='description',content='Somedescription')

meta(name='viewport',content='width=device-width,initial-scale=1')

Addingscriptsandstyles

script(src="script.js")

script(src='//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js')

link(rel='stylesheet',href='css/main.css')

Inlinescripts

scriptalert('test')

script

(function(b,o,i,l,e,r){b.GoogleAnalyticsObject=l;b[l]||(b[l]=

function(){(b[l].q=b[l].q||[]).push(arguments)});b[l].l=+newDate;

e=o.createElement(i);r=o.getElementsByTagName(i)[0];

e.src='//www.google-analytics.com/analytics.js';

r.parentNode.insertBefore(e,r)}(window,document,'script','ga'));

ga('create','UA-XXXXX-X');ga('send','pageview');

ThePugGuide

eachcolorin['Red','Yellow','Blue']

li=color

eachcolor,indexin['Red','Yellow','Blue']

li='Colornumber'+index+':'+color

Conditionals

ifname

h2Hellofrom#{name}

h2Hello

else-ifworkstoo:

ifname

h2Hellofrom#{name}

elseifanotherName

h2Hellofrom#{anotherName}

h2Hello

SetvariablesYoucansetvariablesinPugtemplates:

-varname='Flavio'

-varage=35

-varroger={name:'Roger'}

-vardogs=['Roger','Syd']

IncrementingvariablesYoucanincrementanumericvariableusing ++:

Assigningvariablestoelementvalues

ThePugGuide

p=name

span.age=age

IteratingovervariablesYoucanuse foror each.Thereisnodifference.

fordogindogs

li=dog

eachdogindogs

li=dog

Youcanuse .lengthtogetthenumberofitems:

pThereare#{values.length}

whileisanotherkindofloop:

-varn=0;

whilen<=5

li=n++

IncludingotherPugfilesInaPugfileyoucanincludeotherPugfiles:

includeotherfile.pug

DefiningblocksAwellorganizedtemplatesystemwilldefineabasetemplate,andthenalltheothertemplatesextendfromit.

ThePugGuide

Thewayapartofatemplatecanbeextendedisbyusingblocks:

script(src="script.js")

script(src='//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js')

link(rel='stylesheet',href='css/main.css')

blockhead

blockbody

h1Homepage

pwelcome

Inthiscaseoneblock, body,hassomecontent,while headdoesnot. headisintendedtobeusedtoaddadditionalcontenttotheheading,whilethe bodycontentismadetobeoverriddenbyotherpages.

ExtendingabasetemplateAtemplatecanextendabasetemplatebyusingthe extendskeyword:

extendshome.pug

Oncethisisdone,youneedtoredefineblocks.Allthecontentofthetemplatemustgointoblocks,otherwisetheenginedoesnotknowwheretoputthem.

Example:

extendshome.pug

blockbody

h1Anotherpage

liSomething

liSomethingelse

Youcanredefineoneormoreblocks.Theonesnotredefinedwillbekeptwiththeoriginaltemplatecontent.

CommentsCommentsinPugcanbeoftwotypes:visibleornotvisibleintheresultingHTML.

ThePugGuide

Visible

Inline:

//somecomment

Block:

comment

Invisible

Inline:

//-somecomment

Block:

comment

ThePugGuide

MiddlewareAmiddlewareisafunctionthathooksintotheroutingprocess,andperformssomeoperationatsomepoint,dependingonwhatitwanttodo.

Amiddlewareisafunctionthathooksintotheroutingprocess,andperformssomeoperationatsomepoint,dependingonwhatitwanttodo.

It'scommonlyusedtoedittherequestorresponseobjects,orterminatetherequestbeforeitreachestheroutehandlercode.

It'saddedtotheexecutionstacklikethis:

app.use((req,res,next)=>{/**/})

Thisissimilartodefiningaroute,butinadditiontotheRequestandResponseobjectsinstances,wealsohaveareferencetothenextmiddlewarefunction,whichweassigntothevariable next.

Wealwayscall next()attheendofourmiddlewarefunction,topasstheexecutiontothenexthandler,unlesswewanttoprematurelyendtheresponse,andsenditbacktotheclient.

Youtypicallyusepre-mademiddleware,intheformof npmpackages.Abiglistoftheavailableonesishere.

Oneexampleis cookie-parser,whichisusedtoparsethecookiesintothe req.cookiesobject.Youinstallitusing npminstallcookie-parserandyoucanuseitlikethis:

constapp=express()

constcookieParser=require('cookie-parser')

app.use(cookieParser())

Youcanalsosetamiddlewarefunctiontorunforspecificroutesonly,notforall,byusingitasthesecondparameteroftheroutedefinition:

constmyMiddleware=(req,res,next)=>{

/*...*/

next()

app.get('/',myMiddleware,(req,res)=>res.send('HelloWorld!'))

Middleware

Ifyouneedtostoredatathat'sgeneratedinamiddlewaretopassitdowntosubsequentmiddlewarefunctions,ortotherequesthandler,youcanusethe Request.localsobject.Itwillattachthatdatatothecurrentrequest:

req.locals.name='Flavio'

Middleware

ServingstaticfilesHowtoservestaticassetsdirectlyfromafolderinExpress

It'scommontohaveimages,CSSandmoreina publicsubfolder,andexposethemtotherootlevel:

constapp=express()

app.use(express.static('public'))

/*...*/

Ifyouhavean index.htmlfilein public/,thatwillbeservedifyounowhittherootdomainURL( http://localhost:3000)

Servingstaticfiles

SendfilesExpressprovidesahandymethodtotransferafileasattachment:`Response.download()`

Expressprovidesahandymethodtotransferafileasattachment: Response.download().

Onceauserhitsaroutethatsendsafileusingthismethod,browserswillprompttheuserfordownload.

The Response.download()methodallowsyoutosendafileattachedtotherequest,andthebrowserinsteadofshowingitinthepage,itwillsaveittodisk.

app.get('/',(req,res)=>res.download('./file.pdf'))

Inthecontextofanapp:

constapp=express()

app.get('/',(req,res)=>res.download('./file.pdf'))

Youcansetthefiletobesentwithacustomfilename:

res.download('./file.pdf','user-facing-filename.pdf')

Thismethodprovidesacallbackfunctionwhichyoucanusetoexecutecodeoncethefilehasbeensent:

res.download('./file.pdf','user-facing-filename.pdf',(err)=>{

if(err){

//handleerror

return

}else{

//dosomething

Sendfiles

SessionsHowtousesessionstoidentifyusersacrossrequests

BydefaultExpressrequestsaresequentialandnorequestcanbelinkedtoeachother.Thereisnowaytoknowifthisrequestcomesfromaclientthatalreadyperformedarequestpreviously.

Userscannotbeidentifiedunlessusingsomekindofmechanismthatmakesitpossible.

That'swhatsessionsare.

Whenimplemented,everyuserofyouAPIorwebsitewillbeassignedauniquesession,andthisallowsyoutostoretheuserstate.

We'llusethe express-sessionmodule,whichismaintainedbytheExpressteam.

Youcaninstallitusing

npminstallexpress-session

andonceyou'redone,youcaninstantiateitinyourapplicationwith

constsession=require('express-session')

Thisisamiddleware,soyouinstallitinExpressusing

constsession=require('express-session')

constapp=express()

app.use(session(

'secret':'343ji43j4n3jn4jk3n'

Afterthisisdone,alltherequeststotheapproutesarenowusingsessions.

secretistheonlyrequiredparameter,buttherearemanymoreyoucanuse.Itshouldbearandomlyuniquestringforyouapplication.

Thesessionisattachedtotherequest,soyoucanaccessitusing req.sessionhere:

app.get('/',(req,res,next)=>{

//req.session

Sessions

Thisobjectcanbeusedtogetdataoutofthesession,andalsotosetdata:

req.session.name='Flavio'

console.log(req.session.name)//'Flavio'

ThisdataisserializedasJSONwhenstored,soyouaresafetousenestedobjects.

Youcanusesessionstocommunicatedatatomiddlewarethat'sexecutedlater,ortoretrieveitlaterononsubsequentrequests.

Whereisthesessiondatastored?itdependsonhowyousetupthe express-sessionmodule.

Itcanstoresessiondatain

memory,notmeantforproductionadatabaselikeMySQLorMongoamemorycachelikeRedisorMemcached

Thereisabiglistof3rdpackagesthatimplementawidevarietyofdifferentcompatiblecachingstoresinhttps://github.com/expressjs/session

Allsolutionsstorethesessionidinacookie,andkeepthedataserver-side.Theclientwillreceivethesessionidinacookie,andwillsenditalongwitheveryHTTPrequest.

We'llreferencethatserver-sidetoassociatethesessionidwiththedatastoredlocally.

Memoryisthedefault,itrequiresnospecialsetuponyourpart,it'sthesimplestthingbutit'smeantonlyfordevelopmentpurposes.

ThebestchoiceisamemorycachelikeRedis,forwhichyouneedtosetupitsowninfrastructure.

AnotherpopularpackagetomanagesessionsinExpressis cookie-session,whichhasabigdifference:itstoresdataclient-sideinthecookie.Idonotrecommenddoingthatbecausestoringdataincookiesmeansthatit'sstoredclient-side,andsentbackandforthineverysinglerequestmadebytheuser.It'salsolimitedinsize,asitcanonlystore4kilobytesofdata.Cookiesalsoneedtobesecured,butbydefaulttheyarenot,sincesecureCookiesarepossibleonHTTPSsitesandyouneedtoconfigurethemifyouhaveproxies.

Sessions

ValidatinginputLearnhowtovalidateanydatacominginasinputinyourExpressendpoints

SayyouhaveaPOSTendpointthatacceptsthename,emailandageparameters:

constapp=express()

constemail=req.body.email

constage=req.body.age

Howdoyouserver-sidevalidatethoseresultstomakesure

nameisastringofatleast3characters?emailisarealemail?ageisanumber,between0and110?

ThebestwaytohandlevalidatinganykindofinputcomingfromoutsideinExpressisbyusingthe express-validatorpackage:

npminstallexpress-validator

Yourequirethe checkobjectfromthepackage:

const{check}=require('express-validator/check')

Wepassanarrayof check()callsasthesecondargumentofthe post()call.Everycheck()callacceptstheparameternameasargument:

app.post('/form',[

check('name').isLength({min:3}),

check('email').isEmail(),

check('age').isNumeric()

],(req,res)=>{

Validatinginput

NoticeIused

isLength()

isEmail()

isNumeric()

Therearemanymoreofthesemethods,allcomingfromvalidator.js,including:

contains(),checkifvaluecontainsthespecifiedvalueequals(),checkifvalueequalsthespecifiedvalueisAlpha()

isAlphanumeric()

isAscii()

isBase64()

isBoolean()

isCurrency()

isDecimal()

isEmpty()

isFQDN(),isafullyqualifieddomainname?isFloat()

isHash()

isHexColor()

isIP()

isIn(),checkifthevalueisinanarrayofallowedvaluesisInt()

isJSON()

isLatLong()

isLength()

isLowercase()

isMobilePhone()

isNumeric()

isPostalCode()

isURL()

isUppercase()

isWhitelisted(),checkstheinputagainstawhitelistofallowedcharacters

Youcanvalidatetheinputagainstaregularexpressionusing matches().

Datescanbecheckedusing

isAfter(),checkiftheentereddateisaftertheoneyoupassisBefore(),checkiftheentereddateisbeforetheoneyoupassisISO8601()

Validatinginput

isRFC3339()

Forexactdetailsonhowtousethosevalidators,refertohttps://github.com/chriso/validator.js#validators.

Allthosecheckscanbecombinedbypipingthem:

check('name')

.isAlpha()

.isLength({min:10})

Ifthereisanyerror,theserverautomaticallysendsaresponsetocommunicatetheerror.Forexampleiftheemailisnotvalid,thisiswhatwillbereturned:

"errors":[{

"location":"body",

"msg":"Invalidvalue",

"param":"email"

Thisdefaulterrorcanbeoverriddenforeachcheckyouperform,using withMessage():

check('name')

.isAlpha()

.withMessage('Mustbeonlyalphabeticalchars')

.isLength({min:10})

.withMessage('Mustbeatleast10charslong')

Whatifyouwanttowriteyourownspecial,customvalidator?Youcanusethe customvalidator.

Inthecallbackfunctionyoucanrejectthevalidationeitherbythrowinganexception,orbyreturningarejectedpromise:

app.post('/form',[

check('email').custom(email=>{

if(alreadyHaveEmail(email)){

thrownewError('Emailalreadyregistered')

],(req,res)=>{

Validatinginput

Thecustomvalidator:

thrownewError('Emailalreadyregistered')

canberewrittenas

returnPromise.reject('Emailalreadyregistered')

Validatinginput

SanitizinginputYou'veseenhowtovalidateinputthatcomesfromtheoutsideworldtoyourExpressapp.

There'sonethingyouquicklylearnwhenyourunapublic-facingserver:nevertrusttheinput.

Evenifyousanitizeandmakesurethatpeoplecan'tenterweirdthingsusingclient-sidecode,you'llstillbesubjecttopeopleusingtools(evenjustthebrowserdevtools)toPOSTdirectlytoyourendpoints.

Orbotstryingeverypossiblecombinationofexploitknowntohumans.

Whatyouneedtodoissanitizingyourinput.

The express-validatorpackageyoualreadyusetovalidateinputcanalsoconvenientlyusedtoperformsanitization.

SayyouhaveaPOSTendpointthatacceptsthename,emailandageparameters:

constapp=express()

Youmightvalidateitusing:

constapp=express()

app.post('/form',[

check('email').isEmail(),

],(req,res)=>{

Youcanaddsanitizationbypipingthesanitizationmethodsafterthevalidationones:

Sanitizinginput

app.post('/form',[

check('name').isLength({min:3}).trim().escape(),

check('email').isEmail().normalizeEmail(),

check('age').isNumeric().trim().escape()

],(req,res)=>{

HereIusedthemethods:

trim()trimscharacters(whitespacebydefault)atthebeginningandattheendofastringescape()replaces <, >, &, ', "and /withtheircorrespondingHTMLentitiesnormalizeEmail()canonicalizesanemailaddress.Acceptsseveraloptionstolowercaseemailaddressesorsubaddresses(e.g. flavio+newsletters@gmail.com)

Othersanitizationmethods:

blacklist()removecharactersthatappearintheblacklistwhitelist()removecharactersthatdonotappearinthewhitelistunescape()replacesHTMLencodedentitieswith <, >, &, ', "and /ltrim()liketrim(),butonlytrimscharactersatthestartofthestringrtrim()liketrim(),butonlytrimscharactersattheendofthestringstripLow()removeASCIIcontrolcharacters,whicharenormallyinvisible

Forceconversiontoaformat:

toBoolean()converttheinputstringtoaboolean.Everythingexceptfor'0','false'and''returnstrue.Instrictmodeonly'1'and'true'returntruetoDate()converttheinputstringtoadate,ornulliftheinputisnotadatetoFloat()converttheinputstringtoafloat,orNaNiftheinputisnotafloattoInt()converttheinputstringtoaninteger,orNaNiftheinputisnotaninteger

Likewithcustomvalidators,youcancreateacustomsanitizer.

Inthecallbackfunctionyoujustreturnthesanitizedvalue:

constsanitizeValue=value=>{

//sanitize...

app.post('/form',[

check('value').customSanitizer(value=>{

returnsanitizeValue(value)

],(req,res)=>{

constvalue=req.body.value

Sanitizinginput

HandlingformsHowtoprocessformsusingExpress

ThisisanexampleofanHTMLform:

<formmethod="POST"action="/submit-form">

<inputtype="text"name="username"/>

<inputtype="submit"/>

</form>

Whentheuserpressthesubmitbutton,thebrowserwillautomaticallymakea POSTrequesttothe /submit-formURLonthesameoriginofthepage,sendingthedataitcontains,encodedas application/x-www-form-urlencoded.Inthiscase,theformdatacontainstheusernameinputfieldvalue.

Formscanalsosenddatausingthe GETmethod,butthevastmajorityoftheformsyou'llbuildwilluse POST.

TheformdatawillbesentinthePOSTrequestbody.

Toextractit,youwillusethe express.urlencoded()middleware,providedbyExpress:

constapp=express()

app.use(express.urlencoded())

Nowyouneedtocreatea POSTendpointonthe /submit-formroute,andanydatawillbeavailableon Request.body:

app.post('/submit-form',(req,res)=>{

constusername=req.body.username

res.end()

Don'tforgettovalidatethedatabeforeusingit,using express-validator.

Handlingforms

FileuploadsinformsHowtomanagestoringandhandlingfilesuploadedviaforms,inExpress

ThisisanexampleofanHTMLformthatallowsausertouploadafile:

<formmethod="POST"action="/submit-form">

<inputtype="file"name="document"/>

<inputtype="submit"/>

</form>

Whentheuserpressthesubmitbutton,thebrowserwillautomaticallymakea POSTrequesttothe /submit-formURLonthesameoriginofthepage,sendingthedataitcontains,notencodedas application/x-www-form-urlencodedasanormalform,butas multipart/form-data.

Server-side,handlingmultipartdatacanbetrickyanderrorprone,sowearegoingtouseautilitylibrarycalledformidable.Here'stheGitHubrepo,ithasover4000starsandwellmaintained.

Youcaninstallitusing:

npminstallformidable

TheninyourNode.jsfile,includeit:

constapp=express()

constformidable=require('formidable')

Nowinthe POSTendpointonthe /submit-formroute,weinstantiateanewFormidableformusing formidable.IncomingFrom():

newformidable.IncomingFrom()

Afterdoingso,weneedtoparsetheform.Wecandososynchronouslybyprovidingacallback,whichmeansallfilesareprocessed,andonceformidableisdone,itmakesthemavailable:

newformidable.IncomingFrom().parse(req,(err,fields,files)=>{

if(err){

Fileuploadsinforms

console.error('Error',err)

throwerr

console.log('Fields',fields)

console.log('Files',files)

files.map(file=>{

console.log(file)

Oryoucanuseeventsinsteadofacallback,tobenotifiedwheneachfileisparsed,andotherevents,likeendingprocessing,receivinganon-filefield,oranerroroccurred:

newformidable.IncomingFrom().parse(req)

.on('field',(name,field)=>{

console.log('Field',name,field)

.on('file',(name,file)=>{

console.log('Uploadedfile',name,file)

.on('aborted',()=>{

console.error('Requestabortedbytheuser')

.on('error',(err)=>{

console.error('Error',err)

throwerr

.on('end',()=>{

res.end()

Whateverwayyouchoose,you'llgetoneormoreFormidable.Fileobjects,whichgiveyouinformationaboutthefileuploaded.Thesearesomeofthemethodsyoucancall:

file.size,thefilesizeinbytesfile.path,thepaththisfileiswrittentofile.name,thenameofthefilefile.type,theMIMEtypeofthefile

Thepathdefaultstothetemporaryfolderandcanbemodifiedifyoulistentothe fileBeginevent:

newformidable.IncomingFrom().parse(req)

.on('fileBegin',(name,file)=>{

form.on('fileBegin',(name,file)=>{

file.path=__dirname+'/uploads/'+file.name

Fileuploadsinforms

.on('file',(name,file)=>{

console.log('Uploadedfile',name,file)

Fileuploadsinforms

AnExpressHTTPSserverwithaself-signedcertificateHowtocreateaself-signedHTTPScertificateforNode.jstotestappslocally

TobeabletoserveasiteonHTTPSfromlocalhostyouneedtocreateaself-signedcertificate.

Aself-signedcertificatewillbeenoughtoestablishasecureHTTPSconnection,althoughbrowserswillcomplainthatthecertificateisself-signedandassuchit'snottrusted.It'sgreatfordevelopmentpurposes.

TocreatethecertificateyoumusthaveOpenSSLinstalledonyoursystem.

Youmighthaveitinstalledalready,justtestbytyping opensslinyourterminal.

Ifnot,onaMacyoucaninstallitusing brewinstallopensslifyouuseHomebrew.OtherwisesearchonGoogle"howtoinstallopensslon".

OnceOpenSSLisinstalled,runthiscommand:

opensslreq-nodes-new-x509-keyoutserver.key-outserver.cert

Itwillasyouafewquestions.Thefirstisthecountryname:

Generatinga1024bitRSAprivatekey

...........++++++

.........++++++

writingnewprivatekeyto'server.key'

Youareabouttobeaskedtoenterinformationthatwillbeincorporatedintoyourcertifi

caterequest.

WhatyouareabouttoenteriswhatiscalledaDistinguishedNameoraDN.

Therearequiteafewfieldsbutyoucanleavesomeblank

Forsomefieldstherewillbeadefaultvalue,

Ifyouenter'.',thefieldwillbeleftblank.

CountryName(2lettercode)[AU]:

Thenyourstateorprovince:

StateorProvinceName(fullname)[Some-State]:

yourcity:

LocalityName(eg,city)[]:

andyourorganizationname:

OrganizationName(eg,company)[InternetWidgitsPtyLtd]:

OrganizationalUnitName(eg,section)[]:

Youcanleavealloftheseempty.

Justremembertosetthisto localhost:

CommonName(e.g.serverFQDNorYOURname)[]:localhost

andtoaddyouremailaddress:

EmailAddress[]:

That'sit!Nowyouhave2filesinthefolderwhereyouranthiscommand:

server.certistheself-signedcertificatefileserver.keyistheprivatekeyofthecertificate

BothfileswillbeneededtoestablishtheHTTPSconnection,anddependingonhowyouaregoingtosetupyourserver,theprocesstousethemwillbedifferent.

Thosefilesneedtobeputinaplacereachablebytheapplication,thenyouneedtoconfiguretheservertousethem.

Thisisanexampleusingthe httpscoremoduleandExpress:

consthttps=require('https')

constapp=express()

res.send('HelloHTTPS!')

https.createServer({},app).listen(3000,()=>{

console.log('Listening...')

withoutaddingthecertificate,ifIconnectto https://localhost:3000thisiswhatthebrowserwillshow:

Withthecertificateinplace:

constfs=require('fs')

https.createServer({

key:fs.readFileSync('server.key'),

cert:fs.readFileSync('server.cert')

},app).listen(3000,()=>{

Chromewilltellusthecertificateisinvalid,sinceit'sself-signed,andwillaskustoconfirmtocontinue,buttheHTTPSconnectionwillwork:

SetupLet'sEncryptforExpressHowtosetupHTTPSusingthepopularfreesolutionLet'sEncrypt

IfyourunaNode.jsapplicationonyourownVPS,youneedtomanagegettinganSSLcertificate.

TodaythestandardfordoingthisistouseLet'sEncryptandCertbot,atoolfromEFF,akaElectronicFrontierFoundation,theleadingnonprofitorganizationfocusedonprivacy,freespeech,andingeneralcivillibertiesinthedigitalworld.

Thesearethestepswe'llfollow:

InstallCertbotGeneratetheSSLcertificateusingCertbotAllowExpresstoservestaticfilesConfirmthedomainObtainthecertificateSetuptherenewal

InstallCertbotThoseinstructionsassumeyouareusingUbuntu,DebianoranyotherLinuxdistributionthatuses apt-get:

sudoadd-aptrepositoryppa:certbot/certbot

sudoapt-getupdate

sudoapt-getinstallcertbot

YoucanalsoinstallCertbotonaMactotest:

brewinstallcertbot

butyouwillneedtolinkthattoarealdomainname,inorderforittobeuseful.

GeneratetheSSLcertificateusingCertbotNowthatCertbotisinstalled,youcaninvokeittogeneratethecertificate.Youmustrunthisasroot:

certbotcertonly--manual

orcallsudo

sudocertbotcertonly--manual

Theinstallerwillaskyouthedomainofyourwebsite.

Thisistheprocessindetail.

Itasksfortheemail

➜sudocertbotcertonly--manualPassword:XXXXXXXXXXXXXXXXXX

Savingdebuglogto/var/log/letsencrypt/letsencrypt.log

Pluginsselected:Authenticatormanual,InstallerNone

Enteremailaddress(usedforurgentrenewalandsecuritynotices)(Enter'c'to

cancel):flavio@flaviocopes.com

ItaskstoaccepttheToS:

PleasereadtheTermsofServiceat

https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf.Youmust

agreeinordertoregisterwiththeACMEserverat

https://acme-v02.api.letsencrypt.org/directory

(A)gree/(C)ancel:A

Itaskstosharetheemailaddress

WouldyoubewillingtoshareyouremailaddresswiththeElectronicFrontier

Foundation,afoundingpartneroftheLet'sEncryptprojectandthenon-profit

organizationthatdevelopsCertbot?We'dliketosendyouemailaboutourwork

encryptingtheweb,EFFnews,campaigns,andwaystosupportdigitalfreedom.

----------------------------------------

(Y)es/(N)o:Y

AndfinallywecanenterthedomainwherewewanttousetheSSLcertificate:

Pleaseenterinyourdomainname(s)(commaand/orspaceseparated)(Enter'c'

tocancel):copesflavio.com

Itasksifit'soktologyourIP:

Obtaininganewcertificate

Performingthefollowingchallenges:

http-01challengeforcopesflavio.com

----------------------------------------

NOTE:TheIPofthismachinewillbepubliclyloggedashavingrequestedthis

certificate.Ifyou'rerunningcertbotinmanualmodeonamachinethatisnot

yourserver,pleaseensureyou'reokaywiththat.

AreyouOKwithyourIPbeinglogged?

----------------------------------------

(Y)es/(N)o:y

Andfinallywegettotheverificationphase!

----------------------------------------

Createafilecontainingjustthisdata:

TS_oZ2-ji23jrio3j2irj3iroj_U51u1o0x7rrDY2E.1DzOo_voCOsrpddP_2kpoek2opeko2pke-UAPb21sW1c

AndmakeitavailableonyourwebserveratthisURL:

http://copesflavio.com/.well-known/acme-challenge/TS_oZ2-ji23jrio3j2irj3iroj_U51u1o0x7rrDY

Nowlet'sleaveCertbotaloneforacoupleminutes.

Weneedtoverifyweownthedomain,bycreatingafilenamed TS_oZ2-ji23jrio3j2irj3iroj_U51u1o0x7rrDY2Einthe .well-known/acme-challenge/folder.Payattention!TheweirdstringIjustpastedchangeeverysingletime.

You'llneedtocreatethefolderandthefile,sincetheydonotexistbydefault.

InthisfileyouneedtoputthecontentthatCertbotprinted:

TS_oZ2-ji23jrio3j2irj3iroj_U51u1o0x7rrDY2E.1DzOo_voCOsrpddP_2kpoek2opeko2pke-UAPb21sW1c

Asforthefilename,thisstringisuniqueeachtimeyourunCertbot.

AllowExpresstoservestaticfilesInordertoservethatfilefromExpress,youneedtoenableservingstaticfiles.Youcancreatea staticfolder,andaddtherethe .well-knownsubfolder,thenconfigureExpresslikethis:

constapp=express()

app.use(express.static(__dirname+'/static',{dotfiles:'allow'}))

The dotfilesoptionismandatoryotherwise .well-known,whichisadotfileasitstartswithadot,won'tbemadevisible.Thisisasecuritymeasure,becausedotfilescancontainsensitiveinformationandtheyarebetteroffpreservedbydefault.

ConfirmthedomainNowruntheapplicationandmakesurethefileisreachablefromthepublicinternet,andgobacktoCertbot,whichisstillrunning,andpressENTERtogoonwiththescript.

ObtainthecertificateThat'sit!Ifallwentwell,Certbotcreatedthecertificate,andtheprivatekey,andmadethemavailableinafolderonyourcomputer(anditwilltellyouwhichfolder,ofcourse).

Nowcopy/pastethepathsintoyourapplication,tostartusingthemtoserveyourrequests:

constfs=require('fs')

consthttps=require('https')

constapp=express()

res.send('HelloHTTPS!')

key:fs.readFileSync('/etc/letsencrypt/path/to/key.pem'),

cert:fs.readFileSync('/etc/letsencrypt/path/to/cert.pem'),

ca:fs.readFileSync('/etc/letsencrypt/path/to/chain.pem')

},app).listen(443,()=>{

NotethatImadethisserverlistenonport443,soyouneedtorunitwithrootpermissions.

Also,theserverisexclusivelyrunninginHTTPS,becauseIused https.createServer().YoucanalsorunanHTTPserveralongsidethis,byrunning:

http.createServer(app).listen(80,()=>{

key:fs.readFileSync('/etc/letsencrypt/path/to/key.pem'),

cert:fs.readFileSync('/etc/letsencrypt/path/to/cert.pem'),

ca:fs.readFileSync('/etc/letsencrypt/path/to/chain.pem')

},app).listen(443,()=>{

SetuptherenewalTheSSLcertificateisnotgoingtobevalidfor90days.Youneedtosetupanautomatedsystemforrenewingit.

How?Usingacronjob.

Acronjobisawaytoruntaskseveryintervaloftime.Itcanbeeeryweek,everyminute,everymonth.

Inourcasewe'llruntherenewalscripttwiceperday,asrecommendedintheCertbotdocumentation.

Firstfindouttheabsolutepathof certbotonyousystem.Iuse typecertbotonmacOStogetit,andinmycaseit's /usr/local/bin/certbot.

Here'sthescriptweneedtorun:

certbotrenew

Thisisthecronjobentry:

0*/12***root/usr/local/bin/certbotrenew>/dev/null2>&1

Itmeansrunitevery12hours,everyday:at00:00andat12:00.

Tip:Igeneratedthislineusinghttps://crontab-generator.org/

Addthisscripttoyourcrontab,byusingthecommand:

envEDITOR=picocrontab-e

Thisopensthe picoeditor(youcanchoosetheoneyouprefer).Youentertheline,save,andthecronjobisinstalled.

Oncethisisdone,youcanseethelistofcronjobsactiveusing

crontab-l

Table of Contents · Express is a Node.js Web Framework. Node.js is an amazing tool for building...

Documents

BUILDING A WEB APPLICATION USING THE MEAN STACK · 2018-10-03 · 2.2 Express JS The second component of the MEAN stack is Express. “Express is a minimal and flexible Node.js web

Node.js и WebStorm - nadin.miem.edu.runadin.miem.edu.ru/!!!_lec_2018_pdf/JS2_Nodejs_WS.pdf · Установите Node.js •Node.js состоит из : среды исполнения

MontaVista Carrier Grade Express...MontaVista Carrier Grade Express Agile development with QEMU Simulator, Secure Builds, Powerful Linux Environment delivers carrier grade Linux reliability,

Building RESTful Web APIs with Node.js, Express, MongoDB

Introducing in - FINN Technology · PDF fileAgenda What is Node.js? Why Node.js? How did we Introduce Node.js in FINN? Standardizing Node.js

Aprende Cómo Crear Un API REST Usando Node.js, Express y MongoDB

Video 4.1 Intro to Node.js Environment Setup Chris Murphy · 2019. 6. 19. · • Node.js and Express simplify the development of Web servers to handle HTTP requests and create and

Uniting the Web’s Fastest Moving Web Development Community...Jun 13, 2017 · • The Node.js build system produces nightly node-chakracore builds, enabling Node.js to be used with

Express: the web server for node.js

Spatial MongoDB, Node.JS, and Express - server-side JS for your application

node.js workshop- node.js unit testing

Node.js and express

Node.js Primer - Progress.commedia.progress.com/exchange/2014/...nodejs-primer.pdf · what is Node.js how Node.js Works Node.js Basics using Modules using streams to pipe data building

The SEAN stack - Build Web Apps With Salesforce, Express, Angular and Node.js

Create Restful Web Application With Node.js Express Framework

Develop a RESTful API Using Node.js With Express and Mongoose

یشرفت نسح فیلات - downloadnema.com · Node.js & Express Hassan Tafreshi 8 .رورس HTTP رد هتشپ لوا تمسق ارجا غارس میرب بوخ نیشکیلپا

Hire Node.js Developers | Node.js Development Company

Node.js and Backend Development - nthu-datalab.github.io · Outline •Node.js –Events and asynchronous I/O –NPM and CLI tools –Debugging •Backend Development using Express

Node.js What’s Next? March 2020 - Node.js - What's Next.pdf · • Node.js v12.11.0 –NODE_V8_COVERAGE –Load/cache source maps when available • Node.js v12.12.0 ---enable-source-maps