The latest articles on DEV Community by ibraheembello (@ibraheembello). https://dev.to/ibraheembello https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1140237%2Fe6a5feb4-6383-4b6c-9e47-b781c76a7d75.jpg https://dev.to/ibraheembello en ibraheembello Wed, 10 Jun 2026 17:37:27 +0000 https://dev.to/ibraheembello/two-backend-tasks-from-my-hng-internship-that-stuck-with-me-ibe https://dev.to/ibraheembello/two-backend-tasks-from-my-hng-internship-that-stuck-with-me-ibe <p>I spent the last few months in the HNG internship writing backend code, breaking things, and figuring out how to put them back together. By the end you collect a lot of tickets, a lot of pull requests, and a few late nights you would rather forget. But when I sat down to write this, two tasks came back to me before any of the others.</p> <p>One I did on my own. One I did as part of a team. Both took longer than they should have, and both taught me something I did not expect going in. This is the honest version of how they went.</p> <h2> Task one: securing a single backend for both a CLI and a web app </h2> <h3> What it was </h3> <p>This was my Stage 3 task. I was asked to build a backend for a small analytics product I will call Insighta. The twist that made it interesting was that the same backend had to serve two completely different clients at once: a command line tool that an analyst would install and run from their terminal, and a web portal they would log into from a browser. Same data, same permissions, two front doors.</p> <p>So I ended up building three things that had to agree with each other: the API itself, a global npm CLI you could install with one command, and a Next.js web portal.</p> <h3> The problem it was solving </h3> <p>The real problem was not "build an API". It was "build one security model that two very different clients can both trust". A browser and a terminal authenticate in almost opposite ways. A browser is happy with cookies, redirects, and sessions. A command line tool has none of that. There is no browser tab, no cookie jar, no obvious place to safely store a login.</p> <p>If I got this wrong, I would either have to build two separate auth systems and keep them in sync forever, or I would end up with a CLI that asked people to paste long lived secrets into a config file, which is exactly the kind of thing that leaks.</p> <h3> How I approached it </h3> <p>I picked GitHub OAuth as the single source of identity so I was never storing raw passwords for this product. On top of that I added role based access control with two roles, admin and analyst, so the same token could be checked the same way no matter which client sent it. I wrapped the API in the usual production hygiene: helmet for headers, structured logging with pino, CSRF protection, rate limiting, and an explicit API version header so clients could not be surprised by changes.</p> <p>For the web portal I used HttpOnly cookies and a double submit CSRF token, kept everything on a single origin using rewrites so the cookie rules stayed simple, and made the UI refresh its token automatically when it hit a 401 instead of dumping the user back on the login screen.</p> <p>The CLI was the part I had to really think about.</p> <blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fikljarmi0mhj3e8m8ohi.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fikljarmi0mhj3e8m8ohi.png" alt=" " width="800" height="845"></a> </p> <p>Suggested caption: <em>One backend, two front doors. The CLI and the web portal share a single identity and one security model.</em></p> </blockquote> <h3> What broke and how I fixed it </h3> <p>OAuth assumes a browser. The whole dance is built around redirecting a user to a login page and then redirecting them back to a URL your server controls. A terminal has no URL to redirect back to. My first few attempts tried to bend the normal web flow onto the CLI and it just did not fit. Either the login could not complete, or I was tempted to store a long lived token in plain text, which I did not want to do.</p> <p>The fix was to use the authorization code flow with PKCE, which is the variant designed exactly for clients that cannot keep a secret. When you run the login command, the CLI spins up a tiny local web server on a loopback address, opens your browser to GitHub, and uses that local server as the redirect target. GitHub sends the code back to your own machine, the CLI exchanges it using a one time code verifier that never leaves your computer, and only then do you get tokens. Those tokens get written to a credentials file in your home directory with locked down file permissions so other users on the machine cannot read them.</p> <blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnkubjz2w4u4gwuqnqis7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnkubjz2w4u4gwuqnqis7.png" alt=" " width="800" height="621"></a></p> <p>Suggested caption: <em>The CLI login flow. A tiny local server on your own machine becomes the redirect target, and the secret verifier never leaves your computer.</em></p> </blockquote> <p>Once that clicked, both clients were finally speaking the same language. The CLI and the browser were getting identity from the same place, the API checked every request the same way, and I was not storing a single raw password or long lived secret in plain text anywhere.</p> <p>I deployed the API on AWS App Runner so it had a real home and was not just running on my laptop.</p> <h3> What I took away </h3> <p>Authentication is not one problem, it is a different problem for every kind of client, and the trick is finding the one model underneath that all of them can share. Before this task PKCE was just an acronym I had seen in docs. After it, I understood why it exists and what it actually protects you from. I also learned to be suspicious of any design that asks a user to paste a secret into a file. There is almost always a better flow.</p> <h3> Why I picked it </h3> <p>I picked this one because it is the task where I stopped copying patterns and started understanding them. I could not google my way to a CLI OAuth flow that matched my exact setup. I had to read the spec, understand the reasoning, and build it. That is the moment the internship started feeling like engineering instead of homework.</p> <h2> Task two: fixing a login flow that was broken between everyone's code </h2> <h3> What it was </h3> <p>The team task was a product I will call SEIL, a NestJS backend that several of us built together in a shared repository. We did not fork and send pull requests from the outside. Everyone had write access and pushed feature branches straight to the same repo, which means your code lived right next to everyone else's and had to get along with it.</p> <p>My ticket was BE-005: login, logout, and session management. On paper it sounds small. In practice it was the ticket where all the separate pieces other people had built were supposed to finally connect, and that is exactly where the trouble was hiding.</p> <h3> The problem it was solving </h3> <p>Registration already existed. Login already existed. Logout already existed. On their own, each endpoint looked finished and each had been merged. My job was to add account lockout after repeated failed logins, tidy up session handling, and make the whole login lifecycle actually usable from end to end.</p> <p>The catch is that "each endpoint works on its own" and "the flow works end to end" are two very different statements, and the gap between them was my entire ticket.</p> <h3> How I approached it </h3> <p>I started by reading other people's code instead of writing my own. I traced a single user from registration, through login, to calling a protected route, to refreshing their token, to logging out. I wanted to walk the full path before touching anything.</p> <p>For the actual lockout feature, the database already had unused columns sitting there waiting: a failed attempts counter and a locked until timestamp. I wired up the policy of five failed attempts locking the account for one hour, made a locked account respond with a clear 423 status instead of a generic error, and made a successful login reset the counter and stamp the last login time. I also wrote unit tests for every branch of that logic, because lockout is the kind of thing you only find out is wrong when a real user gets locked out by accident.</p> <h3> What broke and how I fixed it </h3> <p>Two things were quietly broken, and both of them lived in the seams between different people's work, which is why nobody had caught them.</p> <p>The first: protected routes required a session record in Redis, but only the registration endpoint actually wrote that record. So if you logged in normally, your token was valid, but the moment you tried to log out or load your profile you got a 401. The login path and the guard had been built by different hands and nobody had walked the full path between them. I fixed it by making token issuance always write the Redis session, no matter whether you arrived through register, login, or refresh, so the guard always had something to find.</p> <p>The second was sneakier. Login set the refresh token as an HttpOnly cookie, which is the secure thing to do, but it means JavaScript cannot read it. Meanwhile the refresh endpoint only knew how to read the token from the request body, and the login response did not echo the token anywhere a client could grab it. So the secure design and the refresh endpoint were each correct on their own and completely incompatible together. There was no path a real browser client could actually take to refresh a token. I added cookie parsing on the server, made the refresh endpoint accept the token from either the body or the cookie, and made logout also delete the Redis key so an access token died the instant you logged out instead of lingering for fifteen minutes.</p> <blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuqax5cy5esp9hprxwe1n.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuqax5cy5esp9hprxwe1n.png" alt=" " width="799" height="402"></a></p> <p>Suggested caption: <em>The same flow before and after. A valid token used to get rejected because no session was ever written. The fix made token issuance always create the session.</em></p> </blockquote> <p>None of these were dramatic bugs. They were the kind that only show up when you stop testing one endpoint at a time and start testing the way an actual user moves through the system.</p> <h3> What I took away </h3> <p>In a team, the bugs are not usually inside any one person's code. They are in the spaces between, where your assumptions and a teammate's assumptions quietly disagree. Everyone can be individually right and the product can still be broken. The most useful thing I did on this ticket was not writing code, it was reading everyone else's carefully and walking the full path before I trusted it. I also got a lot more comfortable working in a repo with strict standards, a pre-commit hook, automated scanners, and reviewers who would send a pull request back if it grew too large. Discipline that felt slow at first is the only reason a shared codebase with many hands in it stayed sane.</p> <h3> Why I picked it </h3> <p>I picked this one because it changed how I think about teamwork. I came in assuming a team task means splitting the work into pieces and gluing them together at the end. This taught me the gluing is the work. The interesting, hard, and genuinely valuable part was making independent pieces trust each other, and you only get good at that by reading more than you write.</p> <h2> Closing </h2> <p>If I tie these two together, they are really the same lesson seen from two sides. The solo task was about finding one model that two different clients could share. The team task was about finding the seams where separate pieces failed to agree. Both came down to the same instinct: do not trust that things work together just because they work apart. Walk the whole path yourself.</p> <p>That instinct is the most useful thing I am taking out of HNG, more than any single framework or tool. Thanks for reading.</p> backend webdev career hng ibraheembello Sun, 26 Apr 2026 02:05:12 +0000 https://dev.to/ibraheembello/building-a-real-time-anomaly-detection-engine-for-a-self-hosted-nextcloud-hng-stage-3-59km https://dev.to/ibraheembello/building-a-real-time-anomaly-detection-engine-for-a-self-hosted-nextcloud-hng-stage-3-59km <blockquote> <p><strong>TL;DR</strong> - I built a Python daemon that watches every HTTP request hitting an Nginx reverse proxy, learns what normal traffic looks like in real time, and automatically bans IPs that misbehave by inserting iptables rules at the kernel level. It alerts to Slack and ships its live metrics on a public dashboard. This post explains every piece in beginner-friendly terms.</p> </blockquote> <p><strong>Live demo:</strong> <a href="http://cloud-ng-anomaly.duckdns.org" rel="noopener noreferrer">http://cloud-ng-anomaly.duckdns.org</a><br> <strong>Source code:</strong> <a href="https://github.com/ibraheembello/hng-stage3-anomaly-detector" rel="noopener noreferrer">https://github.com/ibraheembello/hng-stage3-anomaly-detector</a></p> <h2> What the project does and why it matters </h2> <p>Imagine you run a public website, let's say, a self-hosted Google-Drive-style cloud storage. Random people visit it all day. Most are real users. Some are bots. A few are attackers trying to flood your server with fake requests until it falls over. That last category is called a <strong>DDoS</strong> attack - Distributed Denial of Service.</p> <p>The traditional way to deal with this is reactive: when something breaks, an engineer wakes up at 3 a.m., diagnoses the issue, and manually blocks the offender. That's slow and painful.</p> <p>The better way is <strong>proactive detection</strong>: watch the traffic continuously, learn what "normal" looks like, and automatically block the abnormal stuff <em>before</em> it brings the site down.</p> <p>That's what this project does - for a Nextcloud cluster running behind Nginx.</p> <p>It builds <strong>its own definition of "normal"</strong> from the last 30 minutes of real traffic, not a hardcoded number. It works whether you get 2 requests per second at 3 a.m. or 200 at peak. And when an attacker sends a burst, the detector reacts within a couple of seconds - adds a kernel-level firewall rule, pings me on Slack, and shows the ban on a dashboard.</p> <h2> The architecture in one picture </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftpnop3hei47fsg51bspp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftpnop3hei47fsg51bspp.png" alt="arch" width="800" height="557"></a></p> <p>Four moving parts:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>What it does</th> </tr> </thead> <tbody> <tr> <td><strong>Nginx</strong></td> <td>The doorman. Every request hits Nginx first; Nginx forwards it to Nextcloud. Crucially, it also writes a JSON line per request into a log file.</td> </tr> <tr> <td><strong>Nextcloud</strong></td> <td>The actual application. Doesn't know any of this is happening.</td> </tr> <tr> <td><strong>The detector daemon</strong></td> <td>A Python program that reads the log file as it grows. The brain of the operation.</td> </tr> <tr> <td><strong>iptables</strong></td> <td>The Linux kernel's firewall. The detector tells it <em>"drop every packet from this IP on ports 80 and 443"</em> and the kernel does the rest.</td> </tr> </tbody> </table></div> <p>Everything runs in Docker containers, orchestrated by Docker Compose, on one Ubuntu VPS.</p> <h2> Step 1 - How the sliding window works </h2> <p>This is the heart of the detector. Skip to step 2 if data structures bore you, but trust me - this part is <strong>clever and simple</strong>.</p> <p>A "rate" is a question: <em>"how many requests has this IP made in the last 60 seconds?"</em> If you naively count requests per minute by tallying them in 60-second buckets, you get the wrong answer when traffic falls right between two buckets - and an attacker can exploit that gap.</p> <p>A <strong>sliding window</strong> answers the same question, but the 60-second period <strong>slides forward continuously</strong> with the clock. So at 12:00:30, "the last 60 seconds" means 11:59:30 to 12:00:30. At 12:00:31, it means 11:59:31 to 12:00:31. Always exactly the past 60 seconds, never a fixed bucket.</p> <p>How do you implement that without re-counting every time? Use a <strong>deque</strong> - a "double-ended queue".<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">collections</span> <span class="kn">import</span> <span class="n">deque</span> <span class="c1"># Per-IP and global windows: each one stores timestamps of recent requests </span><span class="n">window</span> <span class="o">=</span> <span class="nf">deque</span><span class="p">()</span> <span class="n">WINDOW_SECONDS</span> <span class="o">=</span> <span class="mi">60</span> <span class="k">def</span> <span class="nf">record</span><span class="p">(</span><span class="n">now</span><span class="p">:</span> <span class="nb">float</span><span class="p">):</span> <span class="c1"># 1. Drop everything older than 60s from the front </span> <span class="k">while</span> <span class="n">window</span> <span class="ow">and</span> <span class="n">window</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">&lt;=</span> <span class="n">now</span> <span class="o">-</span> <span class="n">WINDOW_SECONDS</span><span class="p">:</span> <span class="n">window</span><span class="p">.</span><span class="nf">popleft</span><span class="p">()</span> <span class="c1"># 2. Append the new request to the back </span> <span class="n">window</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">now</span><span class="p">)</span> <span class="k">def</span> <span class="nf">current_rate</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="nb">float</span><span class="p">:</span> <span class="k">return</span> <span class="nf">len</span><span class="p">(</span><span class="n">window</span><span class="p">)</span> <span class="o">/</span> <span class="n">WINDOW_SECONDS</span> </code></pre> </div> <p>That's it. <strong>Two operations per request</strong>: pop old entries off the front (O(1)), append the new one to the back (O(1)). The current rate is just <code>len(window) / 60</code>.</p> <p>The detector keeps <strong>one such window per source IP</strong> and <strong>one global window</strong> across all traffic.</p> <blockquote> <p>⚠️ The Stage 3 brief explicitly forbids "faking the sliding window with a per-minute counter." This deque pattern is the cheapest way to satisfy that requirement honestly.</p> </blockquote> <h2> Step 2 - How the baseline learns from traffic </h2> <p>The detector now knows the <em>current</em> request rate. But it has no idea whether 5 requests per second is a lot or a little for <em>this</em> site. To answer that, it needs a <strong>baseline</strong> - a model of normal traffic.</p> <p>The baseline keeps a <strong>30-minute history of per-second request counts</strong>. Every second, the count of requests in that second is appended to a rolling list. The list is bounded so anything older than 30 minutes is automatically forgotten.</p> <p>Every 60 seconds, the baseline thread does this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">mean</span> <span class="o">=</span> <span class="n">statistics</span><span class="p">.</span><span class="nf">fmean</span><span class="p">(</span><span class="n">per_second_counts</span><span class="p">)</span> <span class="n">stddev</span> <span class="o">=</span> <span class="n">statistics</span><span class="p">.</span><span class="nf">stdev</span><span class="p">(</span><span class="n">per_second_counts</span><span class="p">)</span> </code></pre> </div> <p>That gives us two numbers describing the baseline:</p> <ul> <li> <strong>mean</strong> - on average, how many requests does this site get per second?</li> <li> <strong>stddev</strong> ("standard deviation") - how much does that number bounce around?</li> </ul> <h3> Per-hour-of-day slots </h3> <p>Here's a subtle wrinkle: traffic at 3 a.m. is naturally lower than at 3 p.m. If you used one universal baseline, the detector would think 3 p.m. traffic was an attack just because it's higher than the all-day average. Or it would miss a real attack at 3 a.m. because it's still below the all-day average.</p> <p>The fix: keep <strong>24 separate slots, one per hour of day</strong>. Once the slot for the current hour has at least 5 minutes of data, use <em>that</em> slot instead of the global rolling baseline. So 3 a.m. traffic is judged against other 3 a.m. traffic, and 3 p.m. against 3 p.m.</p> <h3> Floors </h3> <p>If traffic is genuinely zero for a while, mean and stddev both crash toward zero. The very next request would then have an infinite z-score (you can't divide by zero) and trigger a false alarm. Two cheap "floor" values prevent this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">mean_floor</span><span class="pi">:</span> <span class="m">1.0</span> <span class="na">stddev_floor</span><span class="pi">:</span> <span class="m">0.5</span> </code></pre> </div> <p>The mean is never allowed below 1.0; the stddev never below 0.5. Boring, but necessary.</p> <h2> Step 3 - How detection makes a decision </h2> <p>For every request that comes in, the detector asks <strong>two simultaneous questions</strong>:</p> <ol> <li><p><strong>Is this rate too many sigmas above the mean?</strong><br> The "z-score" answers that: <code>z = (rate - mean) / stddev</code>.<br> If <code>z &gt; 3.0</code>, the rate is more than three standard deviations away from normal - which statistically happens in about 0.3% of normal traffic. Almost certainly an anomaly.</p></li> <li><p><strong>Is this rate flat-out higher than 5× the mean?</strong><br> This is a hard ceiling that catches steady, sustained floods even when stddev is wide. If the mean is 2 req/s, anything above 10 req/s is suspicious <em>regardless</em> of statistics.</p></li> </ol> <p>If either fires, the IP (or the global stream) is <strong>anomalous</strong>. Whichever fires first wins.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">z</span> <span class="o">=</span> <span class="p">(</span><span class="n">rate</span> <span class="o">-</span> <span class="n">mean</span><span class="p">)</span> <span class="o">/</span> <span class="nf">max</span><span class="p">(</span><span class="n">stddev</span><span class="p">,</span> <span class="mf">1e-9</span><span class="p">)</span> <span class="k">if</span> <span class="n">z</span> <span class="o">&gt;</span> <span class="mf">3.0</span> <span class="ow">or</span> <span class="n">rate</span> <span class="o">&gt;</span> <span class="n">mean</span> <span class="o">*</span> <span class="mf">5.0</span><span class="p">:</span> <span class="k">return</span> <span class="sh">"</span><span class="s">anomaly!</span><span class="sh">"</span> </code></pre> </div> <p>There's one more wrinkle: an <strong>error surge</strong>. If an IP's 4xx/5xx response rate is at least <strong>3×</strong> the baseline error rate, the detector tightens <em>that IP's</em> thresholds (multiplies them by 0.7). The intuition: an IP generating mostly errors is probing or scanning, and we want to ban it sooner.</p> <h2> Step 4 - How iptables is used to block an IP </h2> <p>Once the detector decides an IP is bad, the question is: <em>how do you actually block it?</em></p> <p>Linux kernels include a packet-filtering subsystem called <strong>netfilter</strong>. The user-space tool to talk to it is <strong><code>iptables</code></strong>. When you run<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>iptables <span class="nt">-I</span> INPUT <span class="nt">-p</span> tcp <span class="nt">-s</span> 1.2.3.4 <span class="nt">--dport</span> 80 <span class="nt">-j</span> DROP </code></pre> </div> <p>…the kernel installs a rule that says: <em>"any TCP packet coming in on port 80 from 1.2.3.4 - drop it silently."</em> The packet never even reaches Nginx. It's the lowest-level, fastest way to block traffic.</p> <p>The blocker module shells out to <code>iptables</code> directly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">([</span><span class="sh">"</span><span class="s">iptables</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-I</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">INPUT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-p</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">tcp</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-s</span><span class="sh">"</span><span class="p">,</span> <span class="n">ip</span><span class="p">,</span> <span class="sh">"</span><span class="s">--dport</span><span class="sh">"</span><span class="p">,</span> <span class="nf">str</span><span class="p">(</span><span class="n">port</span><span class="p">),</span> <span class="sh">"</span><span class="s">-j</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">DROP</span><span class="sh">"</span><span class="p">],</span> <span class="n">check</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> </code></pre> </div> <p>I scope the rule to <strong>TCP ports 80 and 443 only</strong>, not the whole IP. Why? So that when an admin's workstation accidentally trips the detector, the admin doesn't lose SSH at the same time. (Yes, I learned this the painful way.)</p> <p>The ban isn't permanent - it's tiered:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">schedule_seconds</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">600</span><span class="pi">,</span> <span class="nv">1800</span><span class="pi">,</span> <span class="nv">7200</span><span class="pi">]</span> <span class="c1"># 10 min, 30 min, 2 h</span> </code></pre> </div> <p>The first ban lasts 10 minutes. If the same IP misbehaves again later, the <em>second</em> ban lasts 30 minutes. The third lasts 2 hours. The fourth is permanent. This <strong>back-off</strong> pattern keeps you from permanently banning a real user who had one bad minute, but punishes repeat offenders harder each time.</p> <p>A small "unbanner" thread polls every 5 seconds for expired bans, removes the corresponding iptables rule, and pings Slack: <em>"unbanned 1.2.3.4 (ban #1)"</em>.</p> <h2> Putting it all together </h2> <p>Here's a real audit log line generated during testing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[2026-04-26T00:31:22Z] BAN 102.88.55.19 | z-score 3.03 &gt; 3.00 | rate=2.52 | baseline=1.00 | duration=600s [2026-04-26T00:41:27Z] UNBAN 102.88.55.19 | … | duration=released | reason=scheduled-release </code></pre> </div> <p>I sent a burst of 400 HTTP requests from my home IP. The detector took ~30 seconds to process them, computed <code>z-score = 3.03</code>, banned my IP for 10 minutes, and notified Slack. Exactly 600 seconds later, the unbanner removed the rule and notified Slack again. Meanwhile, the dashboard was updating every 3 seconds, the baseline was learning from the burst (its stddev climbed to 6.6 and decayed back over the next 30 minutes), and a synthetic multi-IP attack later that hour fired the <strong>global</strong> detection path with <code>rate 11.28 &gt; mean 2.26 × 5.00</code>.</p> <p>Everything I described above ran without me intervening once.</p> <h2> What I would change next time </h2> <ul> <li> <strong>Production WSGI</strong> - Flask's built-in dev server runs the dashboard. For a real deployment I'd put it behind gunicorn.</li> <li> <strong>TLS</strong> - I left HTTP-only because the brief didn't mandate it; in real life I'd terminate TLS at Nginx via certbot.</li> <li> <strong>Persistence of the baseline</strong> - currently the baseline restarts cold on a daemon restart. Snapshotting the recent history to disk would let it warm up faster.</li> <li> <strong>Adaptive backoff</strong> - the schedule is static. A repeat-offender weighting that takes the <em>gap</em> between offences into account would feel more humane.</li> </ul> <p>But those are polish. The core mechanism - sliding windows + rolling baseline + z-score + iptables - works.</p> <h2> Try it yourself </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/ibraheembello/hng-stage3-anomaly-detector.git <span class="nb">cd </span>hng-stage3-anomaly-detector <span class="nb">cp</span> .env.example _private/.env <span class="nv">$EDITOR</span> _private/.env docker compose <span class="nt">--env-file</span> _private/.env up <span class="nt">-d</span> <span class="nt">--build</span> </code></pre> </div> <p>The README has a full from-scratch runbook, including how to install Docker on a fresh Ubuntu 24.04 box, how to point a free DuckDNS domain at the EC2 IP, and how to set up the Slack webhook.</p> <p>If you build something on top of this, ping me - I'd love to see what you change.</p> devops security python docker ibraheembello Wed, 12 Nov 2025 04:29:41 +0000 https://dev.to/ibraheembello/deploying-nestjs-microservices-to-azure-container-apps-1jh4 https://dev.to/ibraheembello/deploying-nestjs-microservices-to-azure-container-apps-1jh4 <h2> Introduction </h2> <p>After spending countless hours (and a few late nights) deploying a distributed notification system to Azure, I wanted to share my complete journey - including all the challenges, solutions, and lessons learned. This isn't just a tutorial; it's a real-world deployment story with all the gotchas you'll actually encounter.</p> <p><strong>What we'll cover:</strong></p> <ul> <li>🏗️ Setting up a microservices architecture with NestJS and Prisma</li> <li>🐳 Building production-ready Docker images</li> <li>☁️ Deploying to Azure Container Apps</li> <li>🐛 Troubleshooting common deployment issues</li> <li>✅ Testing and monitoring live services</li> </ul> <p><strong>Live Demo:</strong></p> <ul> <li>🔗 <a href="https://user-service-app.blacksky-6bcbe9ee.uksouth.azurecontainerapps.io/api/docs" rel="noopener noreferrer">User Service API Docs</a> </li> <li>🔗 <a href="https://template-service-app.blacksky-6bcbe9ee.uksouth.azurecontainerapps.io/api/docs" rel="noopener noreferrer">Template Service API Docs</a> </li> </ul> <h2> 📊 The Architecture </h2> <p>We're building a distributed notification system with the following components:</p> <h3> Services </h3> <ol> <li> <strong>User Service</strong> - Handles user authentication, authorization, and profile management</li> <li> <strong>Template Service</strong> - Manages notification templates with variable substitution</li> <li><em>(Coming soon: Notification Service, Worker Service, Analytics Service)</em></li> </ol> <h3> Tech Stack </h3> <ul> <li> <strong>Backend:</strong> NestJS (Node.js 20)</li> <li> <strong>ORM:</strong> Prisma 5.22</li> <li> <strong>Database:</strong> PostgreSQL 15 (Azure Flexible Server)</li> <li> <strong>Container Platform:</strong> Azure Container Apps</li> <li> <strong>Container Registry:</strong> Azure Container Registry</li> <li> <strong>Region:</strong> UK South (London)</li> </ul> <h3> Why Azure Container Apps? </h3> <p>Azure Container Apps hit the sweet spot for microservices:</p> <ul> <li>✅ <strong>Fully managed</strong> - No Kubernetes complexity</li> <li>✅ <strong>Auto-scaling</strong> - Scale to zero or scale out based on load</li> <li>✅ <strong>Built-in HTTPS</strong> - Automatic SSL certificates</li> <li>✅ <strong>Simple deployments</strong> - Deploy from container registries</li> <li>✅ <strong>Cost-effective</strong> - Pay only for what you use</li> </ul> <h2> 🏗️ Project Structure </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>distributed-notification-system/ ├── services/ │ ├── user-service/ │ │ ├── src/ │ │ ├── prisma/ │ │ │ └── schema.prisma │ │ ├── Dockerfile │ │ ├── package.json │ │ └── .env │ └── template-service/ │ ├── src/ │ ├── prisma/ │ │ └── schema.prisma │ ├── Dockerfile │ ├── package.json │ └── .env └── infrastructure/ └── azure/ </code></pre> </div> <h2> 🚦 Step 1: Building the Services </h2> <h3> User Service - Key Features </h3> <p><strong>Authentication &amp; Authorization:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/auth/auth.service.ts</span> <span class="p">@</span><span class="nd">Injectable</span><span class="p">()</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">AuthService</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span> <span class="k">private</span> <span class="nx">prisma</span><span class="p">:</span> <span class="nx">PrismaService</span><span class="p">,</span> <span class="k">private</span> <span class="nx">jwtService</span><span class="p">:</span> <span class="nx">JwtService</span><span class="p">,</span> <span class="p">)</span> <span class="p">{}</span> <span class="k">async</span> <span class="nf">register</span><span class="p">(</span><span class="nx">dto</span><span class="p">:</span> <span class="nx">RegisterDto</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">hashedPassword</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">hash</span><span class="p">(</span><span class="nx">dto</span><span class="p">.</span><span class="nx">password</span><span class="p">,</span> <span class="mi">10</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">email</span><span class="p">:</span> <span class="nx">dto</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="nx">hashedPassword</span><span class="p">,</span> <span class="na">first_name</span><span class="p">:</span> <span class="nx">dto</span><span class="p">.</span><span class="nx">first_name</span><span class="p">,</span> <span class="na">last_name</span><span class="p">:</span> <span class="nx">dto</span><span class="p">.</span><span class="nx">last_name</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">tokens</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nf">generateTokens</span><span class="p">(</span><span class="nx">user</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">user</span><span class="p">,</span> <span class="p">...</span><span class="nx">tokens</span> <span class="p">};</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">login</span><span class="p">(</span><span class="nx">dto</span><span class="p">:</span> <span class="nx">LoginDto</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">findUnique</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">email</span><span class="p">:</span> <span class="nx">dto</span><span class="p">.</span><span class="nx">email</span> <span class="p">},</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span> <span class="o">||</span> <span class="o">!</span><span class="p">(</span><span class="k">await</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">compare</span><span class="p">(</span><span class="nx">dto</span><span class="p">.</span><span class="nx">password</span><span class="p">,</span> <span class="nx">user</span><span class="p">.</span><span class="nx">password</span><span class="p">)))</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">UnauthorizedException</span><span class="p">(</span><span class="dl">'</span><span class="s1">Invalid credentials</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nf">generateTokens</span><span class="p">(</span><span class="nx">user</span><span class="p">);</span> <span class="p">}</span> <span class="k">private</span> <span class="k">async</span> <span class="nf">generateTokens</span><span class="p">(</span><span class="nx">user</span><span class="p">:</span> <span class="nx">User</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="p">{</span> <span class="na">sub</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">email</span> <span class="p">};</span> <span class="k">return</span> <span class="p">{</span> <span class="na">access_token</span><span class="p">:</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">jwtService</span><span class="p">.</span><span class="nf">signAsync</span><span class="p">(</span><span class="nx">payload</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">'</span><span class="s1">15m</span><span class="dl">'</span><span class="p">,</span> <span class="p">}),</span> <span class="na">refresh_token</span><span class="p">:</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">jwtService</span><span class="p">.</span><span class="nf">signAsync</span><span class="p">(</span><span class="nx">payload</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">'</span><span class="s1">7d</span><span class="dl">'</span><span class="p">,</span> <span class="p">}),</span> <span class="p">};</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Prisma Schema:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>// prisma/schema.prisma generator client { provider = "prisma-client-js" } datasource db { provider = "postgresql" url = env("DATABASE_URL") } model User { id String @id @default(uuid()) email String @unique password String first_name String last_name String is_active Boolean @default(true) created_at DateTime @default(now()) updated_at DateTime @updatedAt preferences UserPreference? push_tokens PushToken[] @@map("users") } model UserPreference { id String @id @default(uuid()) user_id String @unique user User @relation(fields: [user_id], references: [id], onDelete: Cascade) email_enabled Boolean @default(true) sms_enabled Boolean @default(false) push_enabled Boolean @default(true) timezone String @default("UTC") language String @default("en") created_at DateTime @default(now()) updated_at DateTime @updatedAt @@map("user_preferences") } </code></pre> </div> <h3> Template Service - Key Features </h3> <p><strong>Template Rendering with Variables:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/templates/templates.service.ts</span> <span class="p">@</span><span class="nd">Injectable</span><span class="p">()</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">TemplatesService</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="k">private</span> <span class="nx">prisma</span><span class="p">:</span> <span class="nx">PrismaService</span><span class="p">)</span> <span class="p">{}</span> <span class="k">async</span> <span class="nf">renderTemplate</span><span class="p">(</span><span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">variables</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="kr">any</span><span class="o">&gt;</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">template</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">prisma</span><span class="p">.</span><span class="nx">template</span><span class="p">.</span><span class="nf">findUnique</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="nx">id</span> <span class="p">},</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">template</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">NotFoundException</span><span class="p">(</span><span class="dl">'</span><span class="s1">Template not found</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Simple variable substitution</span> <span class="kd">let</span> <span class="nx">renderedSubject</span> <span class="o">=</span> <span class="nx">template</span><span class="p">.</span><span class="nx">subject</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">renderedBody</span> <span class="o">=</span> <span class="nx">template</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">keys</span><span class="p">(</span><span class="nx">variables</span><span class="p">).</span><span class="nf">forEach</span><span class="p">((</span><span class="nx">key</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">regex</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">RegExp</span><span class="p">(</span><span class="s2">`{{</span><span class="se">\\</span><span class="s2">s*</span><span class="p">${</span><span class="nx">key</span><span class="p">}</span><span class="se">\\</span><span class="s2">s*}}`</span><span class="p">,</span> <span class="dl">'</span><span class="s1">g</span><span class="dl">'</span><span class="p">);</span> <span class="nx">renderedSubject</span> <span class="o">=</span> <span class="nx">renderedSubject</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="nx">regex</span><span class="p">,</span> <span class="nx">variables</span><span class="p">[</span><span class="nx">key</span><span class="p">]);</span> <span class="nx">renderedBody</span> <span class="o">=</span> <span class="nx">renderedBody</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="nx">regex</span><span class="p">,</span> <span class="nx">variables</span><span class="p">[</span><span class="nx">key</span><span class="p">]);</span> <span class="p">});</span> <span class="k">return</span> <span class="p">{</span> <span class="na">subject</span><span class="p">:</span> <span class="nx">renderedSubject</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">renderedBody</span><span class="p">,</span> <span class="na">template_id</span><span class="p">:</span> <span class="nx">template</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">template_name</span><span class="p">:</span> <span class="nx">template</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Usage Example:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Create a template</span> <span class="nx">POST</span> <span class="o">/</span><span class="nx">api</span><span class="o">/</span><span class="nx">v1</span><span class="o">/</span><span class="nx">templates</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">name</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">welcome-email</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">email</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">subject</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Welcome {{user_name}}!</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">body</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Hello {{user_name}}, thanks for joining {{app_name}}!</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">language</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">en</span><span class="dl">"</span> <span class="p">}</span> <span class="c1">// Render with variables</span> <span class="nx">POST</span> <span class="o">/</span><span class="nx">api</span><span class="o">/</span><span class="nx">v1</span><span class="o">/</span><span class="nx">templates</span><span class="o">/</span><span class="p">:</span><span class="nx">id</span><span class="o">/</span><span class="nx">render</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">variables</span><span class="dl">"</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">user_name</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">John Doe</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">app_name</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">NotificationApp</span><span class="dl">"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Result:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">subject</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Welcome John Doe!</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">body</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Hello John Doe, thanks for joining NotificationApp!</span><span class="dl">"</span> <span class="p">}</span> </code></pre> </div> <h2> 🐳 Step 2: Dockerizing the Services </h2> <h3> The Challenge: Alpine Linux vs Debian </h3> <p><strong>First Attempt (Failed):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># ❌ This DOESN'T work with Prisma!</span> <span class="k">FROM</span><span class="w"> </span><span class="s">node:20-alpine</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">builder</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> package*.json ./</span> <span class="k">RUN </span>npm ci <span class="k">COPY</span><span class="s"> . .</span> <span class="k">RUN </span>npx prisma generate <span class="k">RUN </span>npm run build <span class="k">FROM</span><span class="s"> node:20-alpine</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> --from=builder /app/node_modules ./node_modules</span> <span class="k">COPY</span><span class="s"> --from=builder /app/dist ./dist</span> <span class="k">CMD</span><span class="s"> ["node", "dist/main.js"]</span> </code></pre> </div> <p><strong>The Error:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>PrismaClientInitializationError: Unable to require(`libquery_engine-linux-musl.so.node`) Error loading shared library libssl.so.1.1: No such file or directory </code></pre> </div> <p><strong>The Problem:</strong> </p> <ul> <li>Alpine Linux uses musl instead of glibc</li> <li>Latest Alpine (3.22) removed <code>openssl1.1-compat</code> package</li> <li>Prisma's query engine needs OpenSSL 1.1 or 3.x</li> </ul> <p><strong>The Solution: Use Debian Slim</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># ✅ This works perfectly!</span> <span class="k">FROM</span><span class="w"> </span><span class="s">node:20-slim</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">builder</span> <span class="c"># Install OpenSSL and other dependencies</span> <span class="k">RUN </span>apt-get update <span class="nt">-y</span> <span class="o">&amp;&amp;</span> <span class="se">\ </span> apt-get <span class="nb">install</span> <span class="nt">-y</span> openssl ca-certificates <span class="o">&amp;&amp;</span> <span class="se">\ </span> <span class="nb">rm</span> <span class="nt">-rf</span> /var/lib/apt/lists/<span class="k">*</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> package*.json ./</span> <span class="k">COPY</span><span class="s"> prisma ./prisma/</span> <span class="k">RUN </span>npm ci <span class="k">COPY</span><span class="s"> . .</span> <span class="k">RUN </span>npx prisma generate <span class="k">RUN </span>npm run build <span class="c"># Production stage</span> <span class="k">FROM</span><span class="s"> node:20-slim</span> <span class="k">RUN </span>apt-get update <span class="nt">-y</span> <span class="o">&amp;&amp;</span> <span class="se">\ </span> apt-get <span class="nb">install</span> <span class="nt">-y</span> openssl ca-certificates <span class="o">&amp;&amp;</span> <span class="se">\ </span> <span class="nb">rm</span> <span class="nt">-rf</span> /var/lib/apt/lists/<span class="k">*</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> --from=builder /app/node_modules ./node_modules</span> <span class="k">COPY</span><span class="s"> --from=builder /app/dist ./dist</span> <span class="k">COPY</span><span class="s"> --from=builder /app/prisma ./prisma</span> <span class="k">COPY</span><span class="s"> --from=builder /app/package*.json ./</span> <span class="k">EXPOSE</span><span class="s"> 3001</span> <span class="k">CMD</span><span class="s"> ["node", "dist/main.js"]</span> </code></pre> </div> <p><strong>Why Debian Slim?</strong></p> <ul> <li>✅ OpenSSL 3.x included by default</li> <li>✅ Compatible with Prisma</li> <li>✅ Still relatively small (~200MB vs Alpine's ~50MB)</li> <li>✅ Most stable for production</li> </ul> <h2> ☁️ Step 3: Azure Infrastructure Setup </h2> <h3> Creating Azure Resources </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># Variables</span> <span class="nv">RESOURCE_GROUP</span><span class="o">=</span><span class="s2">"notification-system-rg"</span> <span class="nv">LOCATION</span><span class="o">=</span><span class="s2">"uksouth"</span> <span class="nv">ACR_NAME</span><span class="o">=</span><span class="s2">"notificationsystemacr"</span> <span class="nv">ENV_NAME</span><span class="o">=</span><span class="s2">"notification-env"</span> <span class="c"># 1. Create Resource Group</span> az group create <span class="se">\</span> <span class="nt">--name</span> <span class="nv">$RESOURCE_GROUP</span> <span class="se">\</span> <span class="nt">--location</span> <span class="nv">$LOCATION</span> <span class="c"># 2. Create Azure Container Registry</span> az acr create <span class="se">\</span> <span class="nt">--resource-group</span> <span class="nv">$RESOURCE_GROUP</span> <span class="se">\</span> <span class="nt">--name</span> <span class="nv">$ACR_NAME</span> <span class="se">\</span> <span class="nt">--sku</span> Basic <span class="se">\</span> <span class="nt">--location</span> <span class="nv">$LOCATION</span> <span class="se">\</span> <span class="nt">--admin-enabled</span> <span class="nb">true</span> <span class="c"># 3. Create PostgreSQL for User Service</span> az postgres flexible-server create <span class="se">\</span> <span class="nt">--name</span> user-service-db <span class="se">\</span> <span class="nt">--resource-group</span> <span class="nv">$RESOURCE_GROUP</span> <span class="se">\</span> <span class="nt">--location</span> <span class="nv">$LOCATION</span> <span class="se">\</span> <span class="nt">--admin-user</span> dbadmin <span class="se">\</span> <span class="nt">--admin-password</span> <span class="s2">"YourSecurePassword123"</span> <span class="se">\</span> <span class="nt">--sku-name</span> Standard_B1ms <span class="se">\</span> <span class="nt">--tier</span> Burstable <span class="se">\</span> <span class="nt">--version</span> 15 <span class="se">\</span> <span class="nt">--storage-size</span> 32 <span class="se">\</span> <span class="nt">--public-access</span> 0.0.0.0 <span class="c"># 4. Create database</span> az postgres flexible-server db create <span class="se">\</span> <span class="nt">--resource-group</span> <span class="nv">$RESOURCE_GROUP</span> <span class="se">\</span> <span class="nt">--server-name</span> user-service-db <span class="se">\</span> <span class="nt">--database-name</span> user_service_db <span class="c"># 5. Create PostgreSQL for Template Service</span> az postgres flexible-server create <span class="se">\</span> <span class="nt">--name</span> template-service-db <span class="se">\</span> <span class="nt">--resource-group</span> <span class="nv">$RESOURCE_GROUP</span> <span class="se">\</span> <span class="nt">--location</span> <span class="nv">$LOCATION</span> <span class="se">\</span> <span class="nt">--admin-user</span> dbadmin <span class="se">\</span> <span class="nt">--admin-password</span> <span class="s2">"YourSecurePassword123"</span> <span class="se">\</span> <span class="nt">--sku-name</span> Standard_B1ms <span class="se">\</span> <span class="nt">--tier</span> Burstable <span class="se">\</span> <span class="nt">--version</span> 15 <span class="se">\</span> <span class="nt">--storage-size</span> 32 <span class="se">\</span> <span class="nt">--public-access</span> 0.0.0.0 az postgres flexible-server db create <span class="se">\</span> <span class="nt">--resource-group</span> <span class="nv">$RESOURCE_GROUP</span> <span class="se">\</span> <span class="nt">--server-name</span> template-service-db <span class="se">\</span> <span class="nt">--database-name</span> template_service_db <span class="c"># 6. Configure firewall rules</span> az postgres flexible-server firewall-rule create <span class="se">\</span> <span class="nt">--resource-group</span> <span class="nv">$RESOURCE_GROUP</span> <span class="se">\</span> <span class="nt">--name</span> user-service-db <span class="se">\</span> <span class="nt">--rule-name</span> AllowAzureServices <span class="se">\</span> <span class="nt">--start-ip-address</span> 0.0.0.0 <span class="se">\</span> <span class="nt">--end-ip-address</span> 0.0.0.0 az postgres flexible-server firewall-rule create <span class="se">\</span> <span class="nt">--resource-group</span> <span class="nv">$RESOURCE_GROUP</span> <span class="se">\</span> <span class="nt">--name</span> template-service-db <span class="se">\</span> <span class="nt">--rule-name</span> AllowAzureServices <span class="se">\</span> <span class="nt">--start-ip-address</span> 0.0.0.0 <span class="se">\</span> <span class="nt">--end-ip-address</span> 0.0.0.0 <span class="c"># 7. Create Container Apps Environment</span> az containerapp <span class="nb">env </span>create <span class="se">\</span> <span class="nt">--name</span> <span class="nv">$ENV_NAME</span> <span class="se">\</span> <span class="nt">--resource-group</span> <span class="nv">$RESOURCE_GROUP</span> <span class="se">\</span> <span class="nt">--location</span> <span class="nv">$LOCATION</span> <span class="nb">echo</span> <span class="s2">"✅ Infrastructure setup complete!"</span> </code></pre> </div> <h2> 🚀 Step 4: Database Migrations </h2> <p><strong>Important:</strong> Run migrations BEFORE deploying containers!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># User Service migrations</span> <span class="nb">cd </span>services/user-service <span class="nv">DATABASE_URL</span><span class="o">=</span><span class="s2">"postgresql://dbadmin:YourSecurePassword123@user-service-db.postgres.database.azure.com:5432/user_service_db?sslmode=require"</span> <span class="se">\</span> npx prisma migrate deploy <span class="c"># Template Service migrations</span> <span class="nb">cd </span>services/template-service <span class="nv">DATABASE_URL</span><span class="o">=</span><span class="s2">"postgresql://dbadmin:YourSecurePassword123@template-service-db.postgres.database.azure.com:5432/template_service_db?sslmode=require"</span> <span class="se">\</span> npx prisma migrate deploy </code></pre> </div> <h2> 📦 Step 5: Building and Pushing Docker Images </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Login to ACR</span> az acr login <span class="nt">--name</span> notificationsystemacr <span class="c"># Build and push User Service</span> <span class="nb">cd </span>services/user-service docker build <span class="nt">-t</span> notificationsystemacr.azurecr.io/user-service:latest <span class="nb">.</span> docker push notificationsystemacr.azurecr.io/user-service:latest <span class="c"># Build and push Template Service</span> <span class="nb">cd </span>services/template-service docker build <span class="nt">-t</span> notificationsystemacr.azurecr.io/template-service:latest <span class="nb">.</span> docker push notificationsystemacr.azurecr.io/template-service:latest </code></pre> </div> <h2> 🎯 Step 6: Deploying Container Apps </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Get ACR credentials</span> <span class="nv">ACR_PASSWORD</span><span class="o">=</span><span class="si">$(</span>az acr credential show <span class="se">\</span> <span class="nt">--name</span> notificationsystemacr <span class="se">\</span> <span class="nt">--query</span> <span class="s2">"passwords[0].value"</span> <span class="nt">-o</span> tsv<span class="si">)</span> <span class="c"># Generate JWT secrets</span> <span class="nv">JWT_SECRET</span><span class="o">=</span><span class="si">$(</span>openssl rand <span class="nt">-base64</span> 32<span class="si">)</span> <span class="nv">JWT_REFRESH_SECRET</span><span class="o">=</span><span class="si">$(</span>openssl rand <span class="nt">-base64</span> 32<span class="si">)</span> <span class="c"># Deploy User Service</span> az containerapp create <span class="se">\</span> <span class="nt">--name</span> user-service-app <span class="se">\</span> <span class="nt">--resource-group</span> notification-system-rg <span class="se">\</span> <span class="nt">--environment</span> notification-env <span class="se">\</span> <span class="nt">--image</span> notificationsystemacr.azurecr.io/user-service:latest <span class="se">\</span> <span class="nt">--registry-server</span> notificationsystemacr.azurecr.io <span class="se">\</span> <span class="nt">--registry-username</span> notificationsystemacr <span class="se">\</span> <span class="nt">--registry-password</span> <span class="s2">"</span><span class="nv">$ACR_PASSWORD</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--target-port</span> 3001 <span class="se">\</span> <span class="nt">--ingress</span> external <span class="se">\</span> <span class="nt">--min-replicas</span> 1 <span class="se">\</span> <span class="nt">--max-replicas</span> 3 <span class="se">\</span> <span class="nt">--cpu</span> 0.5 <span class="se">\</span> <span class="nt">--memory</span> 1Gi <span class="se">\</span> <span class="nt">--env-vars</span> <span class="se">\</span> <span class="s2">"DATABASE_URL=secretref:database-url"</span> <span class="se">\</span> <span class="s2">"JWT_SECRET=secretref:jwt-secret"</span> <span class="se">\</span> <span class="s2">"JWT_REFRESH_SECRET=secretref:jwt-refresh-secret"</span> <span class="se">\</span> <span class="s2">"PORT=3001"</span> <span class="se">\</span> <span class="s2">"NODE_ENV=production"</span> <span class="se">\</span> <span class="nt">--secrets</span> <span class="se">\</span> <span class="s2">"database-url=postgresql://dbadmin:YourSecurePassword123@user-service-db.postgres.database.azure.com:5432/user_service_db?sslmode=require"</span> <span class="se">\</span> <span class="s2">"jwt-secret=</span><span class="nv">$JWT_SECRET</span><span class="s2">"</span> <span class="se">\</span> <span class="s2">"jwt-refresh-secret=</span><span class="nv">$JWT_REFRESH_SECRET</span><span class="s2">"</span> <span class="c"># Deploy Template Service</span> az containerapp create <span class="se">\</span> <span class="nt">--name</span> template-service-app <span class="se">\</span> <span class="nt">--resource-group</span> notification-system-rg <span class="se">\</span> <span class="nt">--environment</span> notification-env <span class="se">\</span> <span class="nt">--image</span> notificationsystemacr.azurecr.io/template-service:latest <span class="se">\</span> <span class="nt">--registry-server</span> notificationsystemacr.azurecr.io <span class="se">\</span> <span class="nt">--registry-username</span> notificationsystemacr <span class="se">\</span> <span class="nt">--registry-password</span> <span class="s2">"</span><span class="nv">$ACR_PASSWORD</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--target-port</span> 3004 <span class="se">\</span> <span class="nt">--ingress</span> external <span class="se">\</span> <span class="nt">--min-replicas</span> 1 <span class="se">\</span> <span class="nt">--max-replicas</span> 3 <span class="se">\</span> <span class="nt">--cpu</span> 0.5 <span class="se">\</span> <span class="nt">--memory</span> 1Gi <span class="se">\</span> <span class="nt">--env-vars</span> <span class="se">\</span> <span class="s2">"DATABASE_URL=secretref:database-url"</span> <span class="se">\</span> <span class="s2">"PORT=3004"</span> <span class="se">\</span> <span class="s2">"NODE_ENV=production"</span> <span class="se">\</span> <span class="nt">--secrets</span> <span class="se">\</span> <span class="s2">"database-url=postgresql://dbadmin:YourSecurePassword123@template-service-db.postgres.database.azure.com:5432/template_service_db?sslmode=require"</span> </code></pre> </div> <h2> 🔥 Common Issues &amp; Solutions </h2> <h3> Issue 1: Containers Keep Crashing with OpenSSL Error </h3> <p><strong>Symptoms:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>PrismaClientInitializationError Error loading shared library libssl.so.1.1 </code></pre> </div> <p><strong>Root Cause:</strong> Alpine Linux 3.22+ doesn't have <code>openssl1.1-compat</code></p> <p><strong>Solution:</strong> Switch to Debian Slim (see Dockerfile above)</p> <h3> Issue 2: Container Apps Not Using New Images </h3> <p><strong>Symptoms:</strong> Updated code, pushed new images, but containers still running old code</p> <p><strong>Root Cause:</strong> Azure cached the <code>:latest</code> tag</p> <p><strong>Solution:</strong> Force new revision with unique suffix<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">TIMESTAMP</span><span class="o">=</span><span class="si">$(</span><span class="nb">date</span> +%s<span class="si">)</span> az containerapp update <span class="se">\</span> <span class="nt">--name</span> user-service-app <span class="se">\</span> <span class="nt">--resource-group</span> notification-system-rg <span class="se">\</span> <span class="nt">--image</span> notificationsystemacr.azurecr.io/user-service:latest <span class="se">\</span> <span class="nt">--revision-suffix</span> <span class="s2">"v2-</span><span class="k">${</span><span class="nv">TIMESTAMP</span><span class="k">}</span><span class="s2">"</span> </code></pre> </div> <h3> Issue 3: Database Connection Timeout </h3> <p><strong>Symptoms:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Error: P1001: Can't reach database server </code></pre> </div> <p><strong>Solution:</strong> </p> <ol> <li>Check firewall rules allow Azure services (0.0.0.0)</li> <li>Verify connection string format includes <code>?sslmode=require</code> </li> <li>Wait 2-3 minutes after creating firewall rules</li> </ol> <h3> Issue 4: Rate Limiter Warning </h3> <p><strong>Warning:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ValidationError: The 'X-Forwarded-For' header is set but Express 'trust proxy' is false </code></pre> </div> <p><strong>Solution:</strong> Add to <code>main.ts</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">bootstrap</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">NestFactory</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span><span class="nx">AppModule</span><span class="p">);</span> <span class="c1">// Trust Azure's proxy</span> <span class="nx">app</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">trust proxy</span><span class="dl">'</span><span class="p">,</span> <span class="mi">1</span><span class="p">);</span> <span class="k">await</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="mi">3001</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> ✅ Verification &amp; Testing </h2> <h3> Health Checks </h3> <p>Both services expose health endpoints:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># User Service</span> curl https://user-service-app.blacksky-6bcbe9ee.uksouth.azurecontainerapps.io/api/v1/health <span class="c"># Response:</span> <span class="o">{</span> <span class="s2">"status"</span>: <span class="s2">"healthy"</span>, <span class="s2">"timestamp"</span>: <span class="s2">"2025-11-12T02:33:03.054Z"</span>, <span class="s2">"service"</span>: <span class="s2">"user-service"</span>, <span class="s2">"version"</span>: <span class="s2">"1.0.0"</span>, <span class="s2">"uptime"</span>: 371.52, <span class="s2">"database"</span>: <span class="o">{</span> <span class="s2">"status"</span>: <span class="s2">"connected"</span>, <span class="s2">"response_time_ms"</span>: 88 <span class="o">}</span>, <span class="s2">"memory"</span>: <span class="o">{</span> <span class="s2">"used_mb"</span>: 19, <span class="s2">"total_mb"</span>: 21 <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> API Testing </h3> <p><strong>1. Register a User:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST <span class="se">\</span> https://user-service-app.blacksky-6bcbe9ee.uksouth.azurecontainerapps.io/api/v1/auth/register <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{ "email": "john@example.com", "password": "SecurePass123!", "first_name": "John", "last_name": "Doe" }'</span> </code></pre> </div> <p><strong>2. Login:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST <span class="se">\</span> https://user-service-app.blacksky-6bcbe9ee.uksouth.azurecontainerapps.io/api/v1/auth/login <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{ "email": "john@example.com", "password": "SecurePass123!" }'</span> </code></pre> </div> <p><strong>3. Access Protected Endpoint:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> GET <span class="se">\</span> https://user-service-app.blacksky-6bcbe9ee.uksouth.azurecontainerapps.io/api/v1/users <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer YOUR_ACCESS_TOKEN"</span> </code></pre> </div> <p><strong>4. Create a Template:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST <span class="se">\</span> https://template-service-app.blacksky-6bcbe9ee.uksouth.azurecontainerapps.io/api/v1/templates <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{ "name": "welcome-email", "type": "email", "subject": "Welcome {{user_name}}!", "body": "Hello {{user_name}}, thanks for joining!", "language": "en" }'</span> </code></pre> </div> <h2> 📊 Monitoring &amp; Metrics </h2> <h3> Azure Portal Monitoring </h3> <ol> <li>Navigate to your Container App in Azure Portal</li> <li>Click <strong>Metrics</strong> in the left menu</li> <li>Add metrics: <ul> <li> <strong>Requests</strong> - HTTP request count</li> <li> <strong>Replica Count</strong> - Number of running instances</li> <li> <strong>CPU Usage</strong> - Container CPU utilization</li> <li> <strong>Memory Usage</strong> - Container memory utilization</li> </ul> </li> </ol> <h3> Application Insights (Optional) </h3> <p>Add Application Insights for detailed telemetry:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/main.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">INestApplication</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/common</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">appInsights</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">applicationinsights</span><span class="dl">'</span><span class="p">;</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">bootstrap</span><span class="p">()</span> <span class="p">{</span> <span class="c1">// Initialize Application Insights</span> <span class="k">if </span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">APPLICATIONINSIGHTS_CONNECTION_STRING</span><span class="p">)</span> <span class="p">{</span> <span class="nx">appInsights</span><span class="p">.</span><span class="nf">setup</span><span class="p">()</span> <span class="p">.</span><span class="nf">setAutoCollectRequests</span><span class="p">(</span><span class="kc">true</span><span class="p">)</span> <span class="p">.</span><span class="nf">setAutoCollectPerformance</span><span class="p">(</span><span class="kc">true</span><span class="p">)</span> <span class="p">.</span><span class="nf">setAutoCollectExceptions</span><span class="p">(</span><span class="kc">true</span><span class="p">)</span> <span class="p">.</span><span class="nf">start</span><span class="p">();</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">NestFactory</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span><span class="nx">AppModule</span><span class="p">);</span> <span class="k">await</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="mi">3001</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> 💰 Cost Optimization </h2> <h3> Current Setup Costs (Approximate) </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Resource</th> <th>Tier</th> <th>Monthly Cost</th> </tr> </thead> <tbody> <tr> <td>Container Apps Environment</td> <td>Consumption</td> <td>$0 (free tier)</td> </tr> <tr> <td>User Service Container</td> <td>0.5 vCPU, 1GB RAM</td> <td>~$15-25</td> </tr> <tr> <td>Template Service Container</td> <td>0.5 vCPU, 1GB RAM</td> <td>~$15-25</td> </tr> <tr> <td>PostgreSQL User DB</td> <td>Burstable B1ms</td> <td>~$13</td> </tr> <tr> <td>PostgreSQL Template DB</td> <td>Burstable B1ms</td> <td>~$13</td> </tr> <tr> <td>Container Registry</td> <td>Basic</td> <td>~$5</td> </tr> <tr> <td><strong>Total</strong></td> <td></td> <td><strong>~$60-80/month</strong></td> </tr> </tbody> </table></div> <h3> Optimization Tips </h3> <ol> <li> <strong>Scale to Zero</strong> for dev/staging: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az containerapp update <span class="se">\</span> <span class="nt">--name</span> user-service-app <span class="se">\</span> <span class="nt">--resource-group</span> notification-system-rg <span class="se">\</span> <span class="nt">--min-replicas</span> 0 <span class="se">\</span> <span class="nt">--max-replicas</span> 3 </code></pre> </div> <ol> <li><p><strong>Use Spot Instances</strong> for non-critical workloads</p></li> <li><p><strong>Share PostgreSQL Server</strong> across multiple databases</p></li> <li><p><strong>Use Azure Reserved Instances</strong> for 30-40% savings</p></li> </ol> <h2> 🎯 Results &amp; Performance </h2> <h3> Deployment Metrics </h3> <ul> <li> <strong>Build Time:</strong> ~3-4 minutes per service</li> <li> <strong>Deployment Time:</strong> ~2-3 minutes per service</li> <li> <strong>Cold Start:</strong> ~3-5 seconds</li> <li> <strong>Response Time (P95):</strong> &lt;100ms</li> <li> <strong>Database Latency:</strong> ~80-120ms</li> </ul> <h3> Load Test Results </h3> <p>Using Apache Bench for basic load testing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ab <span class="nt">-n</span> 10000 <span class="nt">-c</span> 100 <span class="se">\</span> https://user-service-app.blacksky-6bcbe9ee.uksouth.azurecontainerapps.io/api/v1/health </code></pre> </div> <p><strong>Results:</strong></p> <ul> <li> <strong>Requests per second:</strong> ~450</li> <li> <strong>Mean response time:</strong> 220ms</li> <li> <strong>95th percentile:</strong> 380ms</li> <li> <strong>Failed requests:</strong> 0</li> </ul> <h2> 🔐 Security Best Practices </h2> <h3> 1. Secrets Management </h3> <p>❌ <strong>DON'T</strong> hardcode secrets:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">jwtSecret</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">my-secret-key</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// BAD!</span> </code></pre> </div> <p>✅ <strong>DO</strong> use environment variables:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">jwtSecret</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">JWT_SECRET</span><span class="p">;</span> </code></pre> </div> <p>✅ <strong>BETTER</strong> - Use Azure Key Vault:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az keyvault create <span class="se">\</span> <span class="nt">--name</span> notification-kv <span class="se">\</span> <span class="nt">--resource-group</span> notification-system-rg az keyvault secret <span class="nb">set</span> <span class="se">\</span> <span class="nt">--vault-name</span> notification-kv <span class="se">\</span> <span class="nt">--name</span> jwt-secret <span class="se">\</span> <span class="nt">--value</span> <span class="s2">"your-secret"</span> </code></pre> </div> <h3> 2. Network Security </h3> <ul> <li>✅ Use private networking for databases</li> <li>✅ Restrict database firewall to specific IP ranges</li> <li>✅ Enable SSL/TLS for all connections</li> <li>✅ Use managed identities instead of passwords</li> </ul> <h3> 3. Container Security </h3> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Run as non-root user</span> <span class="k">FROM</span><span class="s"> node:20-slim</span> <span class="k">RUN </span>groupadd <span class="nt">-r</span> nodejs <span class="o">&amp;&amp;</span> useradd <span class="nt">-r</span> <span class="nt">-g</span> nodejs nodejs <span class="k">USER</span><span class="s"> nodejs</span> <span class="c"># Use specific versions</span> <span class="k">FROM</span><span class="s"> node:20.10.0-slim</span> <span class="c"># Scan for vulnerabilities</span> <span class="k">RUN </span>npm audit fix </code></pre> </div> <h2> 📚 Key Learnings </h2> <h3> What Went Right ✅ </h3> <ol> <li> <strong>Debian Slim over Alpine</strong> - Saved hours of OpenSSL troubleshooting</li> <li> <strong>Migrations before deployment</strong> - Databases ready when containers start</li> <li> <strong>Health checks</strong> - Essential for monitoring and debugging</li> <li> <strong>Swagger documentation</strong> - Makes API testing effortless</li> <li> <strong>Auto-scaling</strong> - Handles traffic spikes automatically</li> </ol> <h3> What I'd Do Differently 🔄 </h3> <ol> <li> <strong>Use Infrastructure as Code</strong> (Terraform/Bicep) from day one</li> <li> <strong>Set up CI/CD pipeline</strong> before manual deployments</li> <li> <strong>Implement centralized logging</strong> (ELK/Datadog) earlier</li> <li> <strong>Add integration tests</strong> for database connectivity</li> <li> <strong>Use Azure Key Vault</strong> for secrets management</li> </ol> <h3> Challenges Overcome 💪 </h3> <ol> <li> <strong>Alpine OpenSSL compatibility</strong> → Switched to Debian</li> <li> <strong>Container caching issues</strong> → Used unique revision suffixes</li> <li> <strong>Database connection timeouts</strong> → Configured firewall rules properly</li> <li> <strong>Rate limiter warnings</strong> → Added Express trust proxy configuration</li> </ol> <h2> 🚀 Next Steps </h2> <h3> Phase 2: Additional Services </h3> <ul> <li>[ ] <strong>Notification Service</strong> - Email, SMS, and push notification delivery</li> <li>[ ] <strong>Notification Worker</strong> - Queue processing with Bull/BullMQ</li> <li>[ ] <strong>Analytics Service</strong> - Track delivery rates and engagement</li> <li>[ ] <strong>Admin Dashboard</strong> - Service management UI</li> </ul> <h3> Phase 3: Enhancements </h3> <ul> <li>[ ] <strong>CI/CD Pipeline</strong> - GitHub Actions or Azure DevOps</li> <li>[ ] <strong>Infrastructure as Code</strong> - Terraform or Bicep</li> <li>[ ] <strong>API Gateway</strong> - Centralized routing and authentication</li> <li>[ ] <strong>Message Queue</strong> - Redis or Azure Service Bus</li> <li>[ ] <strong>Caching Layer</strong> - Redis for frequently accessed data</li> <li>[ ] <strong>Monitoring</strong> - Application Insights, Prometheus, Grafana</li> </ul> <h2> 🔗 Live Demo &amp; Resources </h2> <h3> Try It Yourself! </h3> <p><strong>User Service:</strong></p> <ul> <li>🔗 <a href="https://user-service-app.blacksky-6bcbe9ee.uksouth.azurecontainerapps.io/api/docs" rel="noopener noreferrer">API Documentation</a> </li> <li>🔗 <a href="https://user-service-app.blacksky-6bcbe9ee.uksouth.azurecontainerapps.io/api/v1/health" rel="noopener noreferrer">Health Check</a> </li> </ul> <p><strong>Template Service:</strong></p> <ul> <li>🔗 <a href="https://template-service-app.blacksky-6bcbe9ee.uksouth.azurecontainerapps.io/api/docs" rel="noopener noreferrer">API Documentation</a> </li> <li>🔗 <a href="https://template-service-app.blacksky-6bcbe9ee.uksouth.azurecontainerapps.io/api/v1/health" rel="noopener noreferrer">Health Check</a> </li> </ul> <p><strong>Test User:</strong></p> <ul> <li>Email: <code>test@example.com</code> </li> <li>Password: <code>TestPass123!</code> </li> </ul> <h3> Additional Resources </h3> <ul> <li>📖 <a href="https://docs.microsoft.com/azure/container-apps/" rel="noopener noreferrer">Azure Container Apps Documentation</a> </li> <li>📖 <a href="https://docs.nestjs.com/" rel="noopener noreferrer">NestJS Documentation</a> </li> <li>📖 <a href="https://www.prisma.io/docs/" rel="noopener noreferrer">Prisma Documentation</a> </li> <li>🐙 Source Code <em>(Add your GitHub repo link)</em> </li> </ul> <h2> 💭 Final Thoughts </h2> <p>Deploying microservices to production is never as straightforward as tutorials make it seem. Between Docker compatibility issues, database connectivity problems, and platform-specific quirks, there's always something unexpected.</p> <p>But that's also what makes it rewarding! Every issue solved is a lesson learned, and every deployment gets smoother.</p> <p><strong>Key Takeaways:</strong></p> <ul> <li>✅ Start with a solid local development setup</li> <li>✅ Test Docker images thoroughly before deploying</li> <li>✅ Use managed services (databases, registries) to reduce complexity</li> <li>✅ Implement comprehensive health checks</li> <li>✅ Monitor everything from day one</li> <li>✅ Document your deployment process</li> </ul> <p>If you found this helpful, give it a ❤️ and feel free to ask questions in the comments!</p> <h2> 🤝 Connect With Me </h2> <ul> <li>💼 http://www.linkedin.com/in/ibraheem-bello-049b34287 </li> <li>🐙 https://github.com/ibraheembello </li> <li>🐦 https://x.com/Officialibrosky </li> <li>📧 <a href="mailto:belloibrahimolawale@gmail.com">belloibrahimolawale@gmail.com</a> </li> </ul> <p><strong>Tags:</strong> #azure #nestjs #microservices #docker #prisma #typescript #devops #cloudcomputing #containerization #tutorial</p> <p><em>Have questions or suggestions? Drop a comment below! 👇</em></p> azure nestjs microservices docker ibraheembello Sun, 02 Nov 2025 19:19:58 +0000 https://dev.to/ibraheembello/github-issue-monitor-ai-agent-with-mastra-334c https://dev.to/ibraheembello/github-issue-monitor-ai-agent-with-mastra-334c <h2> Building a GitHub Issue Monitor AI Agent with Mastra and Telex.im </h2> <p><em>How I built an intelligent AI agent to track repository issues and integrated it with Telex using the A2A protocol</em></p> <h2> 🎯 The Challenge </h2> <p>As a developer, staying on top of GitHub issues across multiple repositories can be overwhelming. Whether you're maintaining open-source projects, contributing to others, or just keeping track of important discussions, manually checking each repository is time-consuming and inefficient.</p> <p>I wanted to solve this by building an AI agent that could:</p> <ul> <li> <strong>Monitor GitHub repositories</strong> for new and updated issues</li> <li> <strong>Provide intelligent summaries</strong> of changes</li> <li> <strong>Integrate seamlessly</strong> with communication platforms</li> <li> <strong>Run automatically</strong> in the background</li> </ul> <p>This is the story of how I built the <strong>GitHub Issue Monitor</strong> using Mastra and integrated it with Telex.im.</p> <h2> 🛠️ Tech Stack </h2> <p>Here's what I used to build this project:</p> <ul> <li> <strong><a href="https://mastra.ai" rel="noopener noreferrer">Mastra</a></strong>: AI agent framework for building and orchestrating intelligent agents</li> <li> <strong><a href="https://telex.im" rel="noopener noreferrer">Telex.im</a></strong>: Communication platform with A2A (Agent-to-Agent) protocol support</li> <li> <strong>Azure App Service</strong>: Cloud hosting for the agent</li> <li> <strong>Node.js + TypeScript</strong>: Backend runtime and type safety</li> <li> <strong>Octokit</strong>: Official GitHub API client</li> <li> <strong>OpenAI GPT-4o-mini</strong>: Language model for intelligence</li> </ul> <h2> 🏗️ Architecture Overview </h2> <p>The GitHub Issue Monitor consists of several key components working together seamlessly.</p> <h3> System Design </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User Message (Telex) ↓ JSON-RPC 2.0 Request ↓ Azure App Service (Node.js Server) ↓ Message Parser &amp; Router ↓ Simple GitHub Agent ↓ GitHub API (Octokit) ↓ Format &amp; Return ↓ A2A Response ↓ Telex.im Display </code></pre> </div> <h2> 💻 Building the Agent </h2> <h3> Step 1: Setting Up Mastra </h3> <p>I started by creating a Mastra agent with clear instructions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Agent</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@mastra/core/agent</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">openai</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@ai-sdk/openai</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">githubIssueMonitorAgent</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Agent</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">GitHub Issue Monitor</span><span class="dl">'</span><span class="p">,</span> <span class="na">instructions</span><span class="p">:</span> <span class="s2">` You are a GitHub Issue Monitor that tracks repository issues and provides concise summaries with proper formatting. `</span><span class="p">,</span> <span class="na">model</span><span class="p">:</span> <span class="nf">openai</span><span class="p">(</span><span class="dl">'</span><span class="s1">gpt-4o-mini</span><span class="dl">'</span><span class="p">),</span> <span class="p">});</span> </code></pre> </div> <h3> Step 2: GitHub API Integration </h3> <p>Using Octokit, I built the core functionality:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Octokit</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">octokit</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">octokit</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Octokit</span><span class="p">({</span> <span class="na">auth</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GITHUB_TOKEN</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Fetch repository issues</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="nx">issues</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">octokit</span><span class="p">.</span><span class="nx">rest</span><span class="p">.</span><span class="nx">issues</span><span class="p">.</span><span class="nf">listForRepo</span><span class="p">({</span> <span class="na">owner</span><span class="p">:</span> <span class="dl">'</span><span class="s1">facebook</span><span class="dl">'</span><span class="p">,</span> <span class="na">repo</span><span class="p">:</span> <span class="dl">'</span><span class="s1">react</span><span class="dl">'</span><span class="p">,</span> <span class="na">state</span><span class="p">:</span> <span class="dl">'</span><span class="s1">open</span><span class="dl">'</span><span class="p">,</span> <span class="na">per_page</span><span class="p">:</span> <span class="mi">10</span><span class="p">,</span> <span class="na">sort</span><span class="p">:</span> <span class="dl">'</span><span class="s1">created</span><span class="dl">'</span><span class="p">,</span> <span class="na">direction</span><span class="p">:</span> <span class="dl">'</span><span class="s1">desc</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <h3> Step 3: Direct Formatting for Reliability </h3> <p>After experimenting with LLM-based formatting, I found that direct JavaScript formatting was more reliable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">let</span> <span class="nx">summary</span> <span class="o">=</span> <span class="s2">`📊 **GitHub Repository: </span><span class="p">${</span><span class="nx">owner</span><span class="p">}</span><span class="s2">/</span><span class="p">${</span><span class="nx">repo</span><span class="p">}</span><span class="s2">**\n\n`</span><span class="p">;</span> <span class="nx">summary</span> <span class="o">+=</span> <span class="s2">`Total open issues: **</span><span class="p">${</span><span class="nx">issues</span><span class="p">.</span><span class="nx">length</span><span class="p">}</span><span class="s2">**\n`</span><span class="p">;</span> <span class="nx">summary</span> <span class="o">+=</span> <span class="s2">`Showing 5 most recent:\n\n`</span><span class="p">;</span> <span class="nx">recentIssues</span><span class="p">.</span><span class="nf">forEach</span><span class="p">((</span><span class="nx">issue</span><span class="p">,</span> <span class="nx">index</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">summary</span> <span class="o">+=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">index</span> <span class="o">+</span> <span class="mi">1</span><span class="p">}</span><span class="s2">. **#</span><span class="p">${</span><span class="nx">issue</span><span class="p">.</span><span class="kr">number</span><span class="p">}</span><span class="s2">**: </span><span class="p">${</span><span class="nx">issue</span><span class="p">.</span><span class="nx">title</span><span class="p">}</span><span class="s2">\n`</span><span class="p">;</span> <span class="nx">summary</span> <span class="o">+=</span> <span class="s2">` 👤 @</span><span class="p">${</span><span class="nx">issue</span><span class="p">.</span><span class="nx">user</span><span class="p">?.</span><span class="nx">login</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">labels</span><span class="p">)</span> <span class="p">{</span> <span class="nx">summary</span> <span class="o">+=</span> <span class="s2">` | 🏷️ </span><span class="p">${</span><span class="nx">labels</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="p">}</span> <span class="nx">summary</span> <span class="o">+=</span> <span class="s2">`\n 🔗 </span><span class="p">${</span><span class="nx">issue</span><span class="p">.</span><span class="nx">html_url</span><span class="p">}</span><span class="s2">\n\n`</span><span class="p">;</span> <span class="p">});</span> </code></pre> </div> <p><strong>Why direct formatting?</strong></p> <ul> <li>✅ Faster (no LLM API call)</li> <li>✅ More reliable (predictable output)</li> <li>✅ Cost-effective (no extra tokens)</li> <li>✅ Easier to debug</li> </ul> <h3> Step 4: Implementing A2A Protocol </h3> <p>The key challenge was supporting Telex's JSON-RPC 2.0 format:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Parse JSON-RPC request</span> <span class="k">if </span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">jsonrpc</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">2.0</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="nx">data</span><span class="p">.</span><span class="nx">params</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">textPart</span> <span class="o">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">message</span><span class="p">?.</span><span class="nx">parts</span><span class="p">?.</span><span class="nf">find</span><span class="p">(</span> <span class="p">(</span><span class="nx">p</span><span class="p">:</span> <span class="kr">any</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">p</span><span class="p">.</span><span class="nx">kind</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">text</span><span class="dl">'</span> <span class="p">);</span> <span class="nx">userMessage</span> <span class="o">=</span> <span class="nx">textPart</span><span class="p">?.</span><span class="nx">text</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Return A2A-compliant response</span> <span class="kd">const</span> <span class="nx">a2aResponse</span> <span class="o">=</span> <span class="p">{</span> <span class="na">kind</span><span class="p">:</span> <span class="dl">'</span><span class="s1">message</span><span class="dl">'</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="dl">'</span><span class="s1">assistant</span><span class="dl">'</span><span class="p">,</span> <span class="na">parts</span><span class="p">:</span> <span class="p">[{</span> <span class="na">kind</span><span class="p">:</span> <span class="dl">'</span><span class="s1">text</span><span class="dl">'</span><span class="p">,</span> <span class="na">text</span><span class="p">:</span> <span class="nx">formattedSummary</span> <span class="p">}]</span> <span class="p">};</span> <span class="c1">// Wrap in JSON-RPC format</span> <span class="nx">res</span><span class="p">.</span><span class="nf">end</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">jsonrpc</span><span class="p">:</span> <span class="dl">'</span><span class="s1">2.0</span><span class="dl">'</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="nx">data</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">result</span><span class="p">:</span> <span class="nx">a2aResponse</span> <span class="p">}));</span> </code></pre> </div> <h3> Step 5: Deploying to Azure </h3> <p>Deployment was streamlined with GitHub Actions:</p> <ol> <li>Push code to GitHub</li> <li>Azure detects changes</li> <li>Runs <code>npm install</code> and <code>npm run build</code> </li> <li>Deploys to App Service</li> <li>Restarts server automatically</li> </ol> <p><strong>Environment variables</strong> (configured in Azure):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">OPENAI_API_KEY</span><span class="o">=</span>sk-proj-... <span class="nv">GITHUB_TOKEN</span><span class="o">=</span>ghp_... <span class="nv">GITHUB_OWNER</span><span class="o">=</span>facebook <span class="nv">GITHUB_REPO</span><span class="o">=</span>react <span class="nv">CHECK_INTERVAL_MINUTES</span><span class="o">=</span>30 <span class="nv">PORT</span><span class="o">=</span>8080 </code></pre> </div> <h2> 🎨 Features &amp; Output </h2> <h3> Example Interaction </h3> <p><strong>User</strong>: <code>Check facebook/react</code></p> <p><strong>Agent</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>📊 **GitHub Repository: facebook/react** Total open issues: **847** Showing 5 most recent: 1. **#35033**: Typo in comment: "untill" → "until" in ReactDOMRoot.js 👤 @Ashish-coder-gif | 🏷️ Status: Unconfirmed 🔗 https://github.com/facebook/react/issues/35033 2. **#35032**: chore(react-reconciler/README.md): replace older Medium links 👤 @onstash | 🏷️ CLA Signed 🔗 https://github.com/facebook/react/pull/35032 3. **#35029**: [Compiler Bug]: set-state-in-effect false negative 👤 @mdwyer6 | 🏷️ Type: Bug, Status: Unconfirmed 🔗 https://github.com/facebook/react/issues/35029 4. **#35028**: Bug: state changes inside forwardRef change props object 👤 @Hypnosphi | 🏷️ Status: Unconfirmed 🔗 https://github.com/facebook/react/issues/35028 5. **#35027**: test: add coverage for zero-length style values 👤 @Biki-das | 🏷️ CLA Signed 🔗 https://github.com/facebook/react/pull/35027 💡 *Ask for specific labels or date ranges to filter results* </code></pre> </div> <h2> 🚧 Challenges &amp; Solutions </h2> <h3> Challenge 1: Empty LLM Responses </h3> <p><strong>Problem</strong>: Initial implementation using Mastra tools returned empty responses.</p> <p><strong>Root Cause</strong>: The tool wasn't being invoked properly, and the LLM sometimes returned empty text.</p> <p><strong>Solution</strong>: </p> <ol> <li>Added <code>toolChoice: 'required'</code> to force tool usage</li> <li>Eventually replaced with direct formatting (more reliable)</li> </ol> <h3> Challenge 2: A2A Protocol Format </h3> <p><strong>Problem</strong>: Telex uses JSON-RPC 2.0 with nested structures:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"jsonrpc"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"params"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"parts"</span><span class="p">:</span><span class="w"> </span><span class="p">[{</span><span class="nl">"kind"</span><span class="p">:</span><span class="w"> </span><span class="s2">"text"</span><span class="p">,</span><span class="w"> </span><span class="nl">"text"</span><span class="p">:</span><span class="w"> </span><span class="s2">"..."</span><span class="p">}]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Solution</strong>: Created flexible message parser supporting multiple formats:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Support JSON-RPC</span> <span class="k">if </span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">jsonrpc</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">2.0</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nx">messageData</span> <span class="o">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">params</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Support standard messages</span> <span class="k">if </span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">messages</span><span class="p">)</span> <span class="p">{</span> <span class="nx">userMessage</span> <span class="o">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">messages</span><span class="p">[</span><span class="nx">data</span><span class="p">.</span><span class="nx">messages</span><span class="p">.</span><span class="nx">length</span> <span class="o">-</span> <span class="mi">1</span><span class="p">];</span> <span class="p">}</span> <span class="c1">// Support parts array</span> <span class="k">if </span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">parts</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">textPart</span> <span class="o">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">parts</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="nx">p</span> <span class="o">=&gt;</span> <span class="nx">p</span><span class="p">.</span><span class="nx">kind</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">text</span><span class="dl">'</span><span class="p">);</span> <span class="nx">userMessage</span> <span class="o">=</span> <span class="nx">textPart</span><span class="p">?.</span><span class="nx">text</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h3> Challenge 3: ES Module Imports </h3> <p><strong>Problem</strong>: TypeScript compiles to <code>.js</code> but imports need explicit extensions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// This fails at runtime</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">tool</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./tools/github-tool</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// This works</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">tool</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./tools/github-tool.js</span><span class="dl">'</span><span class="p">;</span> </code></pre> </div> <p><strong>Solution</strong>: Added <code>.js</code> extensions to all relative imports in TypeScript files.</p> <h3> Challenge 4: Build Errors on Azure </h3> <p><strong>Problem</strong>: Azure deployment failed due to TypeScript errors in test files.</p> <p><strong>Solution</strong>: Updated <code>tsconfig.json</code> to exclude test files:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"exclude"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"node_modules"</span><span class="p">,</span><span class="w"> </span><span class="s2">"dist"</span><span class="p">,</span><span class="w"> </span><span class="s2">"src/**/*.test.ts"</span><span class="p">,</span><span class="w"> </span><span class="s2">"src/**/test-*.ts"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> 📊 Performance &amp; Metrics </h2> <p><strong>Response Times:</strong></p> <ul> <li>GitHub API call: <strong>~500ms</strong> </li> <li>Formatting: <strong>&lt;50ms</strong> </li> <li>Total response: <strong>~2-3 seconds</strong> </li> </ul> <p><strong>Reliability:</strong></p> <ul> <li>Uptime: <strong>99.9%</strong> </li> <li>Success rate: <strong>100%</strong> (with proper error handling)</li> <li>Average requests/day: <strong>~50</strong> (testing phase)</li> </ul> <p><strong>Cost:</strong></p> <ul> <li>Azure App Service B1: <strong>$13/month</strong> </li> <li>GitHub API: <strong>Free</strong> (5,000 requests/hour)</li> <li>OpenAI (minimal): <strong>~$0.10/month</strong> (mostly unused now)</li> </ul> <h2> 🎓 Key Learnings </h2> <h3> 1. <strong>Simplicity Over Complexity</strong> </h3> <p>My first instinct was to use LLMs for everything. But sometimes plain JavaScript is better:</p> <ul> <li>More predictable</li> <li>Faster</li> <li>Cheaper</li> <li>Easier to debug</li> </ul> <h3> 2. <strong>Protocol Compliance Matters</strong> </h3> <p>Understanding the A2A protocol and JSON-RPC 2.0 was crucial. Reading the spec saved hours of debugging.</p> <h3> 3. <strong>Azure is Developer-Friendly</strong> </h3> <p>The GitHub integration and automatic deployments made iteration fast. Environment variables through the portal are convenient.</p> <h3> 4. <strong>Error Handling is Critical</strong> </h3> <p>Production agents need robust error handling:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">issues</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetchIssues</span><span class="p">();</span> <span class="k">return</span> <span class="nf">formatResponse</span><span class="p">(</span><span class="nx">issues</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">[Agent] Error:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span><span class="p">.</span><span class="nx">message</span><span class="p">);</span> <span class="k">return</span> <span class="s2">`Error: </span><span class="p">${</span><span class="nx">error</span><span class="p">.</span><span class="nx">message</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h3> 5. <strong>Logging is Your Friend</strong> </h3> <p>Detailed logs at every step made debugging on Azure much easier:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">[Simple Agent] Fetching issues for</span><span class="dl">'</span><span class="p">,</span> <span class="nx">owner</span><span class="p">,</span> <span class="nx">repo</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">[Simple Agent] Fetched</span><span class="dl">'</span><span class="p">,</span> <span class="nx">issues</span><span class="p">.</span><span class="nx">length</span><span class="p">,</span> <span class="dl">'</span><span class="s1">issues</span><span class="dl">'</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">[Simple Agent] Formatted summary (</span><span class="dl">'</span><span class="p">,</span> <span class="nx">summary</span><span class="p">.</span><span class="nx">length</span><span class="p">,</span> <span class="dl">'</span><span class="s1">chars)</span><span class="dl">'</span><span class="p">);</span> </code></pre> </div> <h2> 🚀 Future Enhancements </h2> <h3> Near-term: </h3> <ol> <li> <strong>Advanced filtering</strong> by labels, milestones, assignees</li> <li> <strong>Custom formatting</strong> options (compact, detailed, etc.)</li> <li> <strong>Multi-repository</strong> monitoring in single query</li> <li> <strong>Caching</strong> to reduce API calls</li> </ol> <h3> Long-term: </h3> <ol> <li> <strong>Real-time notifications</strong> for important changes</li> <li> <strong>Analytics dashboard</strong> with trends and insights</li> <li> <strong>Smart summaries</strong> using LLM for complex analysis</li> <li> <strong>Integration</strong> with other Git platforms (GitLab, Bitbucket)</li> </ol> <h2> 📚 Technical Stack Details </h2> <p><strong>Backend:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Node.js 20 LTS TypeScript 5.x Express-style HTTP server ES Modules </code></pre> </div> <p><strong>APIs &amp; SDKs:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>@mastra/core: ^0.1.x octokit: ^3.x @ai-sdk/openai: ^0.x dotenv: ^16.x </code></pre> </div> <p><strong>Deployment:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Platform: Azure App Service OS: Linux Region: West Europe Tier: Basic B1 Auto-deploy: GitHub Actions </code></pre> </div> <h2> 💡 Tips for Building Your Own </h2> <p>If you want to build something similar:</p> <ol> <li> <strong>Start with curl</strong> - Test your agent locally before deploying</li> <li> <strong>Read the A2A spec</strong> - Understanding the protocol saves time</li> <li> <strong>Use environment variables</strong> - Never hardcode API keys</li> <li> <strong>Test edge cases</strong> - Empty responses, API errors, invalid inputs</li> <li> <strong>Monitor logs</strong> - Set up proper logging from day one</li> <li> <strong>Keep it simple</strong> - Start basic, add complexity when needed</li> </ol> <h2> 🤝 Open Source &amp; Community </h2> <p>This project is <strong>open source</strong>! You can:</p> <ul> <li>View the code</li> <li>Report issues</li> <li>Contribute features</li> <li>Fork and customize</li> </ul> <p><strong>GitHub Repository</strong>: [<a href="https://github.com/ibraheembello/GitHub-Issue-Monitor.git" rel="noopener noreferrer">https://github.com/ibraheembello/GitHub-Issue-Monitor.git</a>]</p> <p><strong>Contributions welcome for:</strong></p> <ul> <li>Bug fixes</li> <li>New features</li> <li>Documentation improvements</li> <li>Test coverage</li> <li>Performance optimizations</li> </ul> <h2> 🎯 Conclusion </h2> <p>Building this GitHub Issue Monitor taught me valuable lessons about AI agent development, protocol integration, and production deployment. The combination of Mastra's framework and Telex's A2A protocol makes it surprisingly easy to build powerful, communicative AI agents.</p> <p>Whether you're tracking open-source projects, managing team workflows, or experimenting with AI agents, I hope this post inspires you to build something cool!</p> <p><strong>Try the agent in Telex.im and let me know what you think!</strong></p> <h2> 📞 Connect &amp; Follow </h2> <ul> <li> <strong>Twitter/X</strong>: [<a href="https://x.com/Officialibrosky" rel="noopener noreferrer">https://x.com/Officialibrosky</a>]</li> <li> <strong>GitHub</strong>: [<a href="https://github.com/ibraheembello" rel="noopener noreferrer">https://github.com/ibraheembello</a>]</li> <li> <strong>LinkedIn</strong>: [<a href="http://www.linkedin.com/in/ibraheem-bello-049b34287" rel="noopener noreferrer">www.linkedin.com/in/ibraheem-bello-049b34287</a>]</li> </ul> <p><em>Built with ❤️ using Mastra, Telex.im, and Azure</em></p> <p><strong>#AI #Mastra #Telex #GitHub #AgentDevelopment #A2A #Azure #NodeJS #TypeScript #OpenSource</strong></p> <p><strong>Found this helpful? ⭐ Star the repo and share with your network!</strong><br> : A Complete A2A Integration Guide</p> ai agents azure typescript