Nestjs GraphQL Best Practice
NestJS (Express + TypeORM) codebase containing real-world examples (CRUD, auth, advanced patterns, etc.).
Table of Contents
Structure
Function
- Dynamic import
- Authenticate
- Configure JWT like OAuth (access token, refresh token)
- OAuth Google
- OAuth Facebook
- Dump database
- Logger
- Send mail
- Payment
- Task scheduler
- Translate
- Upload file
- Cloudinary
- fs.createWriteStream to the static folder
- Test
Usage
- Clone repository
git clone https://github.com/chnirt/nestjs-graphql-best-practice.git
- Change into the directory
cd nestjs-graphql-best-practice/
- Create .env
- Add to .env
- Install dependencies using npm
Starting the Server
- Generate graphql.schema.ts
2.1 Start in development mode (normal)
2.2 Start with webpack (two terminal windows)
npm run webpack
npm run start:hmr
Node.js Best Practices
1. Project Structure Practices
[✔️] 1.1 Structure your solution by components
[✔️] 1.2 Layer your components, keep Express within its boundaries
[✔️] 1.3 Wrap common utilities as npm packages
[❌] Not necessary - 1.4 Separate Express 'app' and 'server'
[✔️] 1.5 Use environment aware, secure and hierarchical config
2. Error Handling Practices
[✔️] 2.1 Use Async-Await or promises for async error handling
[✔️] 2.2 Use only the built-in Error object
[❌] 2.3 Distinguish operational vs programmer errors
[✔️] 2.4 Handle errors centrally, not within an Express middleware
[✔️] 2.5 Document API errors using Swagger or GraphQL
[✔️] 2.6 Exit the process gracefully when a stranger comes to town
[✔️] 2.7 Use a mature logger to increase error visibility
[✔️] use Jest - 2.8 Test error flows using your favorite test framework
[❌] 2.9 Discover errors and downtime using APM products
[✔️] 2.10 Catch unhandled promise rejections
[✔️] 2.11 Fail fast, validate arguments using a dedicated library
3. Code Style Practices
[❌] Not necessary - 3.1 Use ESLint
[❌] 3.2 Node.js specific plugins
[✔️] 3.3 Start a Codeblock's Curly Braces on the Same Line
[✔️] 3.4 Separate your statements properly
[✔️] 3.5 Name your functions
[✔️] 3.6 Use naming conventions for variables, constants, functions and classes
[✔️] 3.7 Prefer const over let. Ditch the var
[✔️] 3.8 Require modules first, not inside functions
[✔️] Nest must import files directly - 3.9 Require modules by folders, opposed to the files directly
[✔️] 3.10 Use the === operator
[✔️] 3.11 Use Async Await, avoid callbacks
[✔️] 3.12 Use arrow function expressions (=>)
4. Testing And Overall Quality Practices
[✔️] 4.1 At the very least, write API (component) testing
[✔️] use Jest - 4.2 Include 3 parts in each test name
[✔️] use Jest - 4.3 Structure tests by the AAA pattern
[✔️] 4.4 Detect code issues with a linter
[〽️] use Jest - 4.5 Avoid global test fixtures and seeds, add data per-test
[✔️] 4.6 Constantly inspect for vulnerable dependencies
[❌] 4.7 Tag your tests
[✔️] 4.8 Check your test coverage, it helps to identify wrong test patterns
[✔️] 4.9 Inspect for outdated packages
[✔️] 4.10 Use production-like env for e2e testing
[✔️] 4.11 Refactor regularly using static analysis tools
[✔️] 4.12 Carefully choose your CI platform (Jenkins vs CircleCI vs Travis vs Rest of the world)
5. Going To Production Practices
[❌] 5.1. Monitoring!
[✔️] 5.2. Increase transparency using smart logging
[❌] 5.3. Delegate anything possible (e.g. gzip, SSL) to a reverse proxy
[✔️] 5.4. Lock dependencies
[❌] 5.5. Guard process uptime using the right tool
[✔️] 5.6. Utilize all CPU cores
[✔️] 5.7. Create a "maintenance endpoint"
[✔️] 5.8. Discover errors and downtime using APM products
[✔️] 5.9. Make your code production-ready
[❌] 5.10. Measure and guard the memory usage
[✔️] 5.11. Get your frontend assets out of Node
[❌] 5.12. Be stateless, kill your servers almost every day
[✔️] 5.13. Use tools that automatically detect vulnerabilities
[❌] 5.14. Assign a transaction id to each log statement
[✔️] 5.15. Set NODE_ENV=production
[❌] 5.16. Design automated, atomic and zero-downtime deployments
[❌] 5.17. Use an LTS release of Node.js
[❌] 5.18. Don't route logs within the app
6. Security Best Practices
[✔️] 6.1. Embrace linter security rules
[✔️] 6.2. Limit concurrent requests using a middleware
[✔️] 6.3. Extract secrets from config files or use packages to encrypt them
[✔️] 6.4. Prevent query injection vulnerabilities with ORM/ODM libraries
[❌] 6.5. Collection of generic security best practices
[✔️] 6.6. Adjust the HTTP response headers for enhanced security
[✔️] 6.7. Constantly and automatically inspect for vulnerable dependencies
[✔️] 6.8. Avoid using the Node.js crypto library for handling passwords, use Bcrypt
[❌] 6.9. Escape HTML, JS and CSS output
[✔️] 6.10. Validate incoming JSON schemas
[❌] 6.11. Support blacklisting JWTs
[❌] 6.12. Prevent brute-force attacks against authorization
[✔️] 6.13. Run Node.js as non-root user
[✔️] 6.14. Limit payload size using a reverse-proxy or a middleware
[❌] 6.15. Avoid JavaScript eval statements
[❌] 6.16. Prevent evil RegEx from overloading your single thread execution
[✔️] 6.17. Avoid module loading using a variable
[❌] 6.18. Run unsafe code in a sandbox
[❌] 6.19. Take extra care when working with child processes
[✔️] 6.20. Hide error details from clients
[✔️] 6.21. Configure 2FA for npm or Yarn
[❌] Not necessary - 6.22. Modify session middleware settings
[❌] 6.23. Avoid DOS attacks by explicitly setting when a process should crash
[❌] Not necessary - 6.24. Prevent unsafe redirects
[✔️] 6.25. Avoid publishing secrets to the npm registry
7. Performance Best Practices
Our contributors are working on this section. Would you like to join?
[✔️] 7.1. Prefer native JS methods over user-land utils like Lodash
[❌] 7.2. Use Fastify in place of Express