Okay, so hi all, the few, two people who showed up here for our work... Well, maybe just like introduce us for like 10 seconds. So we're Jerry, and I'm Anna, and we work on Node core, and we are two of the people who try to answer questions in the nodejs/help repository on GitHub. And so that is kind of the idea of this workshop here: trying to find people who might have issues with Node.js and help them get answers to their questions. Okay. Yeah. Thanks, Anna. So for me, this is a first-of-its-kind event that's happening, so please feel free to provide any feedback in terms of the expectations, if it is not matching in terms of the content or in terms of, you know, the details and things like that; we can always improve on that. But for me what is most important is, for the Node.js ecosystem, we have a set of folks who are working on programs, who are end users, customers who want to learn Node.js and things like that, on one side, and then we have people who are on a daily basis working on the Node.js core, who are familiar with the APIs, who are defining the abstractions and looking at the gaps in the abstractions, and who are familiar with the core at the API level, at the code level, at the design level and even at the machine instruction level. So combining these two groups together, the whole idea is to have meaningful conversations and make the Node.js user experience a better one. So that's the whole idea. That's the whole intent. So in that perspective, I think we are doing the right thing. So please feel free to share the feedback, if any. So yeah, since there's only like less than a handful of people here who attend, I would suggest that... well, if you like, that we start by asking you: do you have any issues or any questions about Node.js that you brought with you that you want to ask? And don't be shy, because you're not taking up anybody else's talking time. I didn't... do you, okay?
I'm... So do you think that that is something that we could discuss in a verbal form, or where we need to look at your code? Or I'm just... Right, having this here. So, you know, it's probably recording. Well, yeah. Okay, then if you want to take this... I don't know if you guys can show anything on the screen, or like, do you have a browser you can go to things? Yeah, sure. Like, you could open a browser, right? I feel like I'm in charge here now. And you kind of are, because you've got the mic. I currently have an application where it's passing the IDs through the URL address bar, and I don't really want that for a number of reasons. Right, so like as a parameter behind the question mark and everything. Yeah. Yeah, that doesn't sound like something you'd usually want, for security reasons and just ugliness. Yeah, I mean, like, I didn't know who the person in this room with the most Express experience would be, but... Yeah, I guess it's not a Node.js specific question. Well, I mean, Express is Node.js specific, but... Yeah, yeah, we have the time to figure it out. Like actually, we... I mean, like, at least for me, it's very unfortunate that I don't really get to do application development anymore; I'm just working on Node core. So do you want to open some specific GitHub issue or something? I don't have it deployed online, but I have the code. Do you have the code somewhere online? Yeah, I have it in GitHub actually, as long as everybody doesn't make fun of my code. No, we won't, promise. Feel free to recommend other issues or other ways of doing anything, though.
So a few basics I know of the session module is that you have a session, which is highly configurable, which you construct at the time of the program beginning, and then that returns a middleware which gets involved in your route before the actual user callback gets called. And then you have a couple of APIs for the session like save, resave and things like that. Right, and then you have the back end where the session gets stored, which is highly customizable. Yeah, the databases and other projects can implement their own session stores; session basically is an interface. Yeah, and then we have seen a few issues coming from the session repo in terms of the session not getting persisted when you are redirecting the URL, and sometimes the session gets deleted across the routes. Okay. Yeah, it all makes sense in theory, but I guess I don't know... so I mean, which problem, which category does your problem come in? Is it like session not persisting or something like that? No, it... like he explained it. It's like the session is transferred as a parameter in the URL. Yeah, as a request parameter. Yeah, it's just a parameter or something, right? What's that? It's a cookie probably. Yeah, I want to eliminate passing the ID in the address bar and use the session to contain that ID, so I can use it anywhere in the application. So I don't think the session ID is passed as part of the URL. No. Yeah, that's what I don't want to do. Okay, I actually had a working, semi-working solution where I set these so that I create the session in the application when it starts up, and I can get some pages working, but from the start to the end I'm having problems with the flow. So are you using the express-session module? Yeah. Okay. Yeah, yeah, I'm looking at their documentation and they basically only talk about cookies, but you seem to be more familiar with it anyway. But yeah, if you could share your code, maybe that would actually be a good starting point.
Okay, let me see here what I have. Actually, I just rolled it back because I'm gonna use it in a branch, but let me see here. Is there any way I can share this, or do you just want to look at my GitHub codebase? You can spell it. Yep. It's a D-E-N-A-D... Does that right? D... Yeah, you... and that's it. If I go there, you'll see my repositories. Yeah, that looks like you. Shoot. Oh, it's not public right now. Just a minute here. It's my project with the code in it. No, no, sorry. Okay, that's the only public one that I have there right now. I'm trying to make this one public. Okay, should be another... that one right there. Okay, that looks like it has quite a bit of code. So if you go into the app startup, app.js. Yeah, you'll see, if you scroll down a little bit. Yeah, there's express-session, definitely. Yeah. And then down there, that's where a session is created. I copied that out of some example I found. So if you go to the user route, in a different... If you go back up a level, like back up in the repository, my routes in users, and if you scroll down to login, right there. Is there anything down below? Okay, so there I'm trying to set the... if the passwords match, that logs the user in and puts their session as the user ID. So then I go to the other, the profile page it's called, and right now when it works, I have the URL or the ID on the end of the profile folder there. For the redirect it's going... it's actually not a redirect, it's just a response, and it sends it to that page, or it responds and sends it forwards on to the actual JavaScript that's on the page, jQuery. So that's it. Okay, so it's just a wild guess and you might correct me if I'm wrong, but in the session setup code you had, like, in the call to... what?
express-session return, there was like a key option that was set that I'm not finding in the documentation, and that kind of sounds like that, you know, might be... In the... when I created the session, or when you're setting up the session in middleware? Yeah, in the app.js. I think that... like, the first thing I would try is deleting that line, maybe, seeing what happens. Oh yeah, yeah, that's a good... Yeah, right there's this key 'user sid', do you think... like I can't find that in the documentation. I don't know where that comes from. But is that what... does this 'user sid', do you think, show up in your URL? No. Okay. I may have put that in after I... I may have changed that, let me look back at a different... So just for my understanding, is the problem you're describing that the session value which you saved in the profile route is not visible in the second redirect? Is that the problem statement? Yes. When I go to the profile route, I guess you could call it, down in the... down further. Okay. I don't know. Maybe I'm just halfway through it. I kind of am confused. So ideally the session object gets persisted between the redirect, right? But we have seen many issues on that line. One known issue, which is related to some race condition, is: suppose a scenario where you have a session store which is a remote machine, like a MongoDB or whatever, which is across the network. And then the contract with the session API is that every time you send the response back to the client, that's the time the session gets stored automatically to the session store. Now the response goes to the client, the session goes to the session store, right? These are two separate network requests. Now what if the client comes back with the second request immediately,
meaning back-to-back? The second request assumes that your session is already persisted and is available in the server in its modified form, but then there is a round-trip network latency that's involved, and that depends on the proximity of the session store with respect to the client machine and all the other network latency complexities involved. It's so possible that the session is not really stored into the session store, and when the client comes back for the second time you actually get the old value of the session. Right. Okay. So I have tested it on a few pages and it is storing the ID in the session. Okay. So do you have a working example, or maybe we could pull one up online? Let me see. So the best practice around working with the session stores which are remote, as opposed to a memory store, is to explicitly save the session, like session.save, and then send the response to the client only in the callback of that save method, so that when the callback is triggered you are guaranteed that the session is actually persisted in the store. Let me see if I can find an example. Yeah, that might actually be very helpful. I don't know if this would be appropriate to ask here, but like maybe once we're done with this or at some other point, would you guys be able to answer any questions around, like, just a brief... what's happening with ESM modules? Like I know that they just got removed from the flag, but I'm basically confused about what the future of ESM in Node is and, you know, how all that's gonna work. Or... Yeah, okay. Yeah, yeah, like I can definitely give some kind of update. Yeah, just any color. I mean, I don't... I'm just curious if you guys have any... that's a question that confuses a lot of my friends, and I feel like I understand what's happening, but I don't think I do. Well, so like for the TSC panel tomorrow, like we did practice runs and like we actually kind of... I was at like five to ten minutes question time from the audience.
I like... I feel like, yes, I might deserve a bit more. Yeah, okay, so here is an example code for your reference. I can walk you through this. First let's look at the client side. There's the client side code. In the app.listen callback, I start one client which is accessing the main route, and in the callback of the first request I am making a second request, just to make sure that both the requests get the proper session object reflected in there. If you look at the server code, you create a session here. saveUninitialized is set to false, resave is set to false, and a maxAge of one minute. In the default route I create a session object and set the views to some value and then send the response. But if it is not the default case, that is, it's not for the first time, I increment the session and add some extra value to the session. This is only done from the second time onwards, and instead of simply redirecting to the next route, which is here, I do... basically I do an explicit save, and then in the callback I do the redirection. At this point, line number 29, it's guaranteed that, whatever the session store implementation is, a database or memory store or whatsoever, at this point the session is actually persisted. So then when you actually land upon the admin route, you actually get the latest value. So maybe this is something you can try. But like... so maybe just to clarify, is the issue that the session key shows up in the URL, or is it that, you know, the session is not always persisted? I don't have an issue. I just... it's not showing up. That's how I have it set up now, because I was passing IDs, and now afterwards I want to go back and update the session. Okay, so I'm halfway through that though. I just wanted to see like an example of how you guys would accomplish it, and the best way to do that, the most efficient way. But that makes sense. I just... maybe I just need to put more time into it. So one of the other things you can do is enable the debug mode.
So right now if you run, say, the program just runs like this. But if you say export DEBUG=express-session, I guess... probably we need to get the client as well, 12000. Yeah, so as you can see, most of the Express modules, including the session, have a lot of debug statements sprinkled across the, you know, vital control flow points. That means to say the life cycle of the session: when it is just getting persisted, when it is recreated and things like that. So they print a very useful debug message. So the only thing you need to do is, before starting, just export this. Right. Yeah, and you get very good information. Yeah. Okay, that gives me some information to go with, so sure, appreciate that. Thank you. Thanks. Okay, does that mean, like, you want to see if that helps you, and maybe later we can come back to you if it doesn't? Or... I'll try something after the session, and if I have any issues maybe I can find you guys. Yeah, you can also open issues on the GitHub nodejs/help repository. Okay. That's the inspiration for this kind of thing here, and like you can ask any question there if you have any. Okay, sounds good.
Thank you. So about ES modules. So my current understanding... so like the feature is still considered experimental, but the flag has been removed. There are still experimental flags for some sub-features, like I think the VM part, like in the vm module of Node.js, the part that is concerned with modules, or I think the loader is still experimental too, like the loader API. What... So like for the hard issues, I don't think there have been any like real, bam, super good solutions. Like at this moment you cannot require ES modules from CommonJS, and somebody opened a PR yesterday that would do that, but that basically wouldn't work in... yeah, it would like require some very hacky things that you should generally not do in Node.js. And yes, so that's tricky, like partially because of ESM supporting things like top-level await. Yeah, like ESM, like a single execution can be asynchronous, and, well, require is synchronous, and that kind of just doesn't match up, and that PR kind of hacks around that in some ways that you should not do. The other way around, like importing CommonJS from an ES module, that works, but only for the default export, and there are some... like I don't think there's a really good way around that right now. I think the... like the solution that the modules team is going for, as I understand it, is for now that you can create some kind of wrapper module that is an ESM and that loads that CommonJS file and then re-exports everything, which, you know, I guess that works well enough. There are some features being added to package.json that are very relevant here. So for one there's a type flag that can be set to module or, I don't know, I guess something else, not module. And the type flag would tell you that, like, if it is type module then .js files are going to be interpreted as ESM. So like that is the solution for not having to use that .mjs. Again, as I understand it, I'm not part of the modules team.
I just like try to observe what they do and have strong opinions about that that I try to not express, because that gets frustrating. I don't know what else is there with the ESM. So to frame it, because, you know, a lot of people are really used to using... well, so for example like create-react-app, obviously you get to use import/export syntax currently, but that's because it's being transpiled by Babel and webpack. So I find a lot of people are confused when I tell them that, like, no, Node doesn't support... Yeah. ...import/export syntax, aka ESM, currently. So the effort that the modules team is working on, that's specifically to get native support in Node.js? Yes. Without requiring transpilation, right? Yeah. There's currently experimental support, which is why there's been a flag, etc. Yeah. So do you know much about what Babel is doing? In terms of, you know, it looks like we're using ESM currently, but I assume that because I can import CommonJS modules... Yeah, it's just doing a translation in the background, etc. So we're not currently even using real ESM, like are people publishing ESM? Is there a standard that we've agreed on for mjs currently, or is that all the work that's happening? Yeah, but like more specifically to your question, like my understanding is that Babel does support ESM, like in a spec-compliant way, but the spec leaves some options open for what the implementation does. And so, yeah, one of the main issues, and I'm really unhappy that we didn't find a solution so far, at least not one that everybody's happy with, is that what Babel does and what Node currently does are not compatible. Like you don't have named imports from CommonJS, for example. And I think in terms of what Babel actually does, I think it transpiles to something that essentially is require and then works on top of that. I'm not a hundred percent sure, but I think it does.
Yeah. I think there's also like a talk on the topic, like... Gus, you mean? Okay, and Guy... guessing Guy. Yeah. I'm happy to hear that it is complicated and it is being worked on, because that's what it's felt like to me so far, is that it's, you know, I don't fully grasp it. No, this session has time till 12:50. 12:50, actually we have two hours. Like the mobile version of the schedule is very confusing, because it doesn't show you the times of the talks, just when they start. I'm happy to, like I said, talk to you guys about it. I'll track down Myles and I'll maybe ask the TSC panel, as like as a consumer of, you know, of Node.js, this has been really confusing to me, in terms of like whether, what I'm gonna have to end up doing in order to change the JavaScript I write, or if I need to. But it sounds like as of today we can still use Babel etc., but the modules group is working hard to smooth out issues so that we can use it natively sometime. Yeah. Yeah, definitely. And so like I looked it up, the talk is tomorrow at 3:40 p.m. Myles is giving it, and it's about ES modules. Thank you. I hope this was helpful. Yeah, I think so. I'm... I'm still Anna. Yeah, yeah, we've definitely met before. Sorry, I mean this... so like the schedule says this one has time until 12:50, but like, I mean, depending on what we end up doing here, we might cut it early, I guess. Okay, yeah, so this is your code, did you share? Oh yeah, right. Any other questions? I mean, like if you have any other questions about how Node.js works, like this would be the time. I'm just wondering, we should wait till 12 o'clock or so, because then the morning session... and 12 o'clock is 11 o'clock session and some people may come in. But I'm sure we can do that, but I wouldn't count on it. Like I wouldn't expect a lot of people to show up, partially because of how the schedule looks online.
Yeah. Yes, there is. This is just like... so it's on the recording, you know. Yes, we recently transitioned from... yes, and that's not the thing, this practice is just general. I don't... do you... Unfortunately, I don't have much insight into TypeScript. Yeah, like I'm also in the unfortunate position that I've never actually used TypeScript for anything, and I really wish we... like I personally would love to have that in Node core at this point, because it would definitely have caught a few bugs early. Yeah, I don't really think I... like, I mean, so the thing is, like if you run into issues that, you know, TypeScript has specifically with Node, then feel free to reach out to us, and like I would always be curious to see how we can improve things for TypeScript users. But like Node itself, it only kind of compiles whatever the user sends it, and in the TypeScript case that's, you know, already transpiled TypeScript. So usually it doesn't really affect us. I think you can still ask them. So like, the current streams API version is three?
Yes. Well, like it might... I mean, like they all exist at the same time. Like it's somewhat backwards compatible. Streams one was basically just emitting events, like emitting data events on a stream. I think that was pretty much it, like no internals in any way, like whatever implemented that interface was a stream. And streams two was like the thing that actually most people use at this point, just like having .write and .on('data'), but like with a lot of internal machinery that takes care of things like buffering and like converting strings and buffers, stuff like that. And streams three added like .read, which is kind of a different paradigm, like it allows doing pull streams instead of push streams. But I don't see many people using that in practice, because that .on('data') is still kind of very useful. And there are some things being worked on, like Jeremiah Senkpiel is working... like at fishrock123, this is... and he's working, or he had been working on a replacement streams API that would kind of be more low-level and have less overhead. Like one of the things that's annoying about Node.js streams is that they do have some overhead that, you know, wouldn't be necessary in an ideal world, but the API kind of requires it at this point. And what he's working on is kind of like trying to, you know, yeah, be more low-level and provide something nicer for people who want it. Yeah, that's Bob streams. Yeah. And I mean, like there's also always the option of like eventually implementing WHATWG streams in Node at some point. Anything else? I'm not an SME in the streams, but my perspective, probably an outsider's view to the streams, is that Node.js is possibly the first platform or language which has the stream implemented at the language API level itself, which works well with the asynchronous event-driven programming model. Other languages like C++ or Java, .NET, etc.
will have this as an additional capability, not a few things in the sunlight. So because of that, I mean because of that, it's an added advantage. But the drawback is we don't have a specification around the life cycle events of the stream: whether the close should be called after the destroy, destroy should be called before the end. Those conversations are happening in an endless manner and that adds up to a bad... Probably one of the things we should be looking at is not necessarily a new implementation which outperforms the existing one; we should freeze on the spec or the protocol, what should be the life cycle events, and I guess Node.js is best placed to come up with a spec on that than other languages. Yeah, I mean it's tricky. Like you probably also have seen, like we have a collaborator, or not yet collaborator but probably hopefully soon, who did a lot of work around the streams over the last month, and like he opened so many issues on the Node core repo that were all about, like, yeah, ordering of life cycle events, or like, yep, just like figuring out what the actual edge cases are, what the interactions of the different parts of streams are. There's so many unanswered questions at this point with the current API. Yeah, I also find it super interesting that there's this pattern that like a lot of Node.js features eventually end up being provided by browsers at some point, but like in a very different and kind of clearer manner. Like for example Buffers, which eventually became Uint8Array and stuff like that, or string_decoder, which, you know, browsers provide as TextDecoder now. And streams, you know, I feel like WHATWG streams are a nicer, more well-defined API. Okay, yeah. Training or anything, so I'm here on my own. After I get the session variables working, I don't have anything in there for security currently, so I don't know if any of you guys know the best way to proceed.
I haven't even searched around, to be honest. I just... I'm looking for some early guidance on how to properly and most beneficially do that within my Node.js application. I mean, security is like a very big topic, right? Right. So can you just explain the different types of security there are, or the individual components, if you say it's complex or it's large? A quick overview? Or is that too high-level for this workshop? Yes. Yeah, I have no... yeah. I mean, at a high level I would say that Node.js, being in the back end, being always serving services, is centrally located in terms of the security vulnerability. But at the same time, when it comes to the security posture, we have to look at two aspects. One is: what is the type of your application? Are you trusting everything that the program contains? For example, the program at a high level would contain your application, the routes and other things, and npm modules, and the Node.js APIs itself, and the underlying system and kernel and things like that. This is the whole web app stack. Now, what is the trust that is established between these stack modules? There are, I guess there were, huge discussions that happened in 2017 at Node.js Interactive: should we trust the npm modules or shouldn't we?
If you don't trust the npm modules, then we need to implement the security constraints right in the runtime itself. But if you trust the npm modules, like put proper security audits and proper reviews and things like that, then the default security constraints that are available in the runtime apply across the board; all the Node, all the JavaScript modules come under the purview of that. And then, I mean, then you just need to worry about the other vulnerabilities which are available in the networking session, like the cross-site scripting, the session hijacking and things like that. I guess the default behavior or the default implementation of all the Express and its sub-modules has very good security coverage in terms of the web app security. So that boils down to the runtime security alone, in my opinion. So the current standpoint, or the current way the Node.js app works, is taken for granted that the modules, npm modules and your own application and the Node.js API all work together in conjunction. There is no difference between each of these things from the virtual machine perspective. Okay. Thanks. I guess you try to implement a whole security layer in between the APIs and the user.
Yeah, but yeah, that didn't happen already, at least not yet. Anyway, like you mentioned something... do you mind if I, like... yeah, sure, please use... So I'm gonna, if I can find it, plug somebody else's talk here, if I can find it online. Anyway, like I was at a conference earlier this year where there was a great talk about HTTP headers and how they affect security. Maybe they have a link to their YouTube channel here or something. If not, then not. I don't know, he was the dude that gave the talk, and... Okay, yeah, I don't know. Anyway... Okay, I, yeah. Anyway, like there are a lot of HTTP headers that are concerned with things like security, um, and like, since you mentioned cross-site scripting, like if that is one of your concerns, then there are always measures that you can take to mitigate this, like reduce the seriousness of this attack vector. I like... I don't know. There's probably good resources on the relevant HTTP headers out there too, right? Maybe. Yeah. It might have been that. But it also, like it was a great talk, which is why I'm plugging it. Okay. Yeah, thanks. One other thing which I think Express or any middleware component can improve on is to document the security implications of different usages of the modules. For example, if your application is not redirecting or not making use of the session, then the session hijacking is not coming into the picture. Maybe for people who are well versed in the art it might become trivial, but for a new programmer or a normal application programmer, these kinds of mappings really help a lot. For example, what is the nature of your application? What are the kinds of things you are doing with respect to the client-server or the web app transactions?
And what are the vulnerabilities that are subjected for this type of transaction? That mapping would really help. Yeah, so I see a... I'm just on the Node security page and it says that you can report third-party module bugs to the Security Working Group repository, HackerOne. Yeah, so has anybody ever had problems with third-party Node modules, or our modules, third-party modules? I mean not anybody in the world, but like in your guys' experience, anyone? I mean, like I'm not seeing the H1 reports for that, but I definitely know that there have been reports, and I mean, like I know that there have been like very public cases of npm packages being used to do evil things. Um, but it's the same with Python and the same with other repositories too, right? Okay, that's great. Thank you. Do we call it? My mic keeps falling off, so that might be a sign from the universe. Well then, thank you all for coming, and yeah, and again, if there's anything else, like anything you need help with, then there's the nodejs/help repository for that. And yeah, thank you so much.