DEV Community: Kenwanjohi The latest articles on DEV Community by Kenwanjohi (@kenwanjohi). https://dev.to/kenwanjohi https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F357550%2F9a4ef66b-0860-4d9c-865a-4c46a53abaa7.jpg DEV Community: Kenwanjohi https://dev.to/kenwanjohi en Solving GraphQL N+1 problem in fastify with loaders and conditional queries Kenwanjohi Fri, 30 Apr 2021 19:36:22 +0000 https://dev.to/kenwanjohi/solving-graphql-n-1-problem-in-fastify-with-loaders-and-conditional-queries-380o https://dev.to/kenwanjohi/solving-graphql-n-1-problem-in-fastify-with-loaders-and-conditional-queries-380o <h2> What is 1+N, err, N+1 ? </h2> <p>To understand this, let's give an example.</p> <p>Lets start by defining our graphql schema in a <code>schema.graphql</code> file<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>type Song { songid: ID! songname: String! genre: String! } type Query { songs: [Song] } </code></pre> </div> <p>Normally we would have a songs table and a genres table in a relational database, say PostgreSQL:<br> Songs table:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">Songs</span> <span class="p">(</span> <span class="n">SongID</span> <span class="n">UUID</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">PRIMARY</span> <span class="k">KEY</span><span class="p">,</span> <span class="n">SongName</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">75</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">GenreID</span> <span class="nb">SMALLINT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="p">);</span> </code></pre> </div> <p>Genres table<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">Genres</span> <span class="p">(</span> <span class="n">GenreID</span> <span class="nb">SMALLINT</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">PRIMARY</span> <span class="k">KEY</span><span class="p">,</span> <span class="n">GenreDescription</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">75</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="p">);</span> </code></pre> </div> <p>Here, a genre can be in many songs, we're linking the two tables by having a foreign key (genreid ) in our songs table that references the genreid column in the genres table.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code> <span class="k">ALTER</span> <span class="k">TABLE</span> <span class="n">songs</span> <span class="k">ADD</span> <span class="k">CONSTRAINT</span> <span class="n">FK_Songs</span> <span class="k">FOREIGN</span> <span class="k">KEY</span> <span class="p">(</span><span class="n">GenreID</span><span class="p">)</span> <span class="k">REFERENCES</span> <span class="n">Genres</span><span class="p">(</span><span class="n">GenreID</span><span class="p">);</span> </code></pre> </div> <p>Now let's define a query to fetch our songs and their genres from our server.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="k">query</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">songs</span><span class="p">{</span><span class="w"> </span><span class="n">songid</span><span class="w"> </span><span class="n">songname</span><span class="w"> </span><span class="n">genre</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>We define our resolvers in resolvers.js file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">resolvers</span> <span class="o">=</span> <span class="p">{</span> <span class="na">Query</span><span class="p">:</span> <span class="p">{</span> <span class="na">songs</span><span class="p">:</span> <span class="k">async</span> <span class="p">(</span><span class="nx">_</span><span class="p">,</span> <span class="nx">args</span><span class="p">,</span> <span class="p">{</span><span class="nx">client</span><span class="p">,</span> <span class="nx">reply</span><span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">reply</span><span class="p">.</span><span class="nx">log</span><span class="p">.</span><span class="nx">info</span><span class="p">(</span><span class="dl">"</span><span class="s2">getting all songs</span><span class="dl">"</span><span class="p">)</span> <span class="kd">let</span> <span class="p">{</span><span class="nx">rows</span><span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nx">query</span><span class="p">(</span><span class="s2">` SELECT songs.songid, songs.songname, songs.genreid FROM songs LIMIT 5; `</span><span class="p">)</span> <span class="k">return</span> <span class="nx">rows</span> <span class="p">}</span> <span class="p">},</span> <span class="na">Song</span><span class="p">:</span> <span class="p">{</span> <span class="na">genre</span><span class="p">:</span> <span class="k">async</span> <span class="p">(</span><span class="nx">parent</span><span class="p">,</span> <span class="nx">args</span><span class="p">,</span> <span class="p">{</span><span class="nx">client</span><span class="p">,</span> <span class="nx">reply</span><span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">reply</span><span class="p">.</span><span class="nx">log</span><span class="p">.</span><span class="nx">info</span><span class="p">(</span><span class="dl">"</span><span class="s2">getting genre</span><span class="dl">"</span><span class="p">)</span> <span class="kd">let</span> <span class="p">{</span><span class="nx">rows</span><span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nx">query</span><span class="p">(</span><span class="s2">` SELECT genredescription AS genre FROM genres WHERE genreid = $1 `</span><span class="p">,</span> <span class="p">[</span><span class="nx">parent</span><span class="p">.</span><span class="nx">genreid</span><span class="p">])</span> <span class="k">return</span> <span class="nx">rows</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">genre</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="p">{</span><span class="nx">resolvers</span><span class="p">}</span> </code></pre> </div> <p>If we ran our query and inspect the logs we see:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{"msg":"getting all songs"} {"msg":"getting genre"} {"msg":"getting genre"} {"msg":"getting genre"} {"msg":"getting genre"} {"msg":"getting genre"} </code></pre> </div> <p><strong>What's happening?</strong> </p> <p>We are fetching all songs from our database and for each song we are also making <br> a database request to get the genre, hence the <strong>"N + 1"</strong> problem.</p> <p>That's really not efficient, especially with nested queries in many to many relations. A GraphQL API should fetch data efficiently as possible.</p> <h2> Solutions </h2> <h3> Solution 1: Using a join </h3> <p>One of the solution would be to perform a SQL INNER JOIN.</p> <p>Now our reslovers will look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">resolvers</span> <span class="o">=</span> <span class="p">{</span> <span class="na">Query</span><span class="p">:</span> <span class="p">{</span> <span class="na">songs</span><span class="p">:</span> <span class="k">async</span> <span class="p">(</span><span class="nx">_</span><span class="p">,</span> <span class="nx">args</span><span class="p">,</span> <span class="p">{</span><span class="nx">client</span><span class="p">,</span> <span class="nx">reply</span><span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">reply</span><span class="p">.</span><span class="nx">log</span><span class="p">.</span><span class="nx">info</span><span class="p">(</span><span class="dl">"</span><span class="s2">getting all songs and genres</span><span class="dl">"</span><span class="p">)</span> <span class="kd">let</span> <span class="p">{</span><span class="nx">rows</span><span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nx">query</span><span class="p">(</span><span class="s2">` SELECT songs.songid, songs.songname, genres.genredescription AS genre FROM genres INNER JOIN songs ON genres.genreid = songs.genreid LIMIT 5 `</span><span class="p">)</span> <span class="k">return</span> <span class="nx">rows</span> <span class="p">}</span> <span class="p">},</span> <span class="p">}</span> </code></pre> </div> <p>In our logs we'll see this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{"msg":"getting all songs and genres"} </code></pre> </div> <p>Great! we have eliminated the extra SQL queries from our previous resolvers.</p> <p>Have we really?</p> <p><strong>The problem with this:</strong></p> <p>Let's say our API user now creates a query to fetch the songid and songname only, no genre.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="k">query</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">songs</span><span class="p">{</span><span class="w"> </span><span class="n">songid</span><span class="w"> </span><span class="n">songname</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>If you could check your database logs, you'll notice that we still have the join which is really unnecessary in this case.</p> <p>The same SQL query will be executed even though we don't need the genre. That's not very efficient right?</p> <h3> Solution 2: Conditional queries </h3> <p>What if we could be able to look into the query fields, see which fields our users have requested and create conditional SQL queries that returns only the data they requested.</p> <p>That sounds great, but how do we do that? </p> <p><strong>The GraphQL <code>info</code> object</strong></p> <p>Our resolver function takes four arguments: <code>parent</code>, <code>args</code>, <code>context</code> and <code>info</code>. The <code>info</code> object contains, well, information on the incoming GraphQl query. What we are interested in are the fields requested in the info.</p> <p>We could parse the <code>info</code> ourselves but there are some libraries we could use for that.</p> <p><a href="https://www.npmjs.com/package/graphql-parse-resolve-info">graphql-parse-resolve-info</a></p> <p>It parses the <code>info</code> object and returns  the fields that are being requested by our API user enabling us to optimise our resolvers.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>npm i graphql-parse-resolve-info </code></pre> </div> <p><strong>Usage</strong></p> <p>In our <code>reslovers.js</code> file require the module<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="p">{</span><span class="nx">parseResolveInfo</span><span class="p">,</span><span class="nx">simplifyParsedResolveInfoFragmentWithType</span><span class="p">}</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">graphql-parse-resolve-info</span><span class="dl">'</span><span class="p">);</span> </code></pre> </div> <p>We use the first function to parse the <code>info</code> object and the second function as a helper to obtain the fields  in  our  returnType, in our case <code>Song</code>. From these, we can create conditional SQL queries.</p> <p>By using the <code>hasOwnproperty()</code> method, we can check whether our <code>Song</code> object has the field we need and execute the SQL queries conditionally.</p> <p>Now our resolvers will look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">resolvers</span> <span class="o">=</span> <span class="p">{</span> <span class="na">Query</span><span class="p">:</span> <span class="p">{</span> <span class="na">songs</span><span class="p">:</span> <span class="k">async</span> <span class="p">(</span><span class="nx">_</span><span class="p">,</span> <span class="nx">args</span><span class="p">,</span> <span class="p">{</span><span class="nx">client</span><span class="p">,</span> <span class="nx">reply</span><span class="p">},</span> <span class="nx">info</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">reply</span><span class="p">.</span><span class="nx">log</span><span class="p">.</span><span class="nx">info</span><span class="p">(</span><span class="dl">"</span><span class="s2">getting all songs</span><span class="dl">"</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">parsedInfoObject</span> <span class="o">=</span> <span class="nx">parseResolveInfo</span><span class="p">(</span><span class="nx">info</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span><span class="nx">fields</span><span class="p">}</span> <span class="o">=</span> <span class="nx">simplifyParsedResolveInfoFragmentWithType</span><span class="p">(</span><span class="nx">parsedInfoObject</span><span class="p">,</span> <span class="nx">info</span><span class="p">.</span><span class="nx">returnType</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">fields</span><span class="p">.</span><span class="nx">hasOwnProperty</span><span class="p">(</span><span class="dl">'</span><span class="s1">genre</span><span class="dl">'</span><span class="p">))</span> <span class="p">{</span> <span class="kd">let</span> <span class="p">{</span><span class="nx">rows</span><span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nx">query</span><span class="p">(</span><span class="s2">` SELECT songs.songid, songs.songname FROM songs LIMIT 5 `</span><span class="p">)</span> <span class="k">return</span> <span class="nx">rows</span> <span class="p">}</span> <span class="kd">let</span> <span class="p">{</span><span class="nx">rows</span><span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nx">query</span><span class="p">(</span><span class="s2">` SELECT songs.songid, songs.songname, genres.genredescription AS genre FROM genres INNER JOIN songs ON genres.genreid = songs.genreid LIMIT 5 `</span><span class="p">)</span> <span class="k">return</span> <span class="nx">rows</span> <span class="p">}</span> <span class="p">},</span> <span class="p">}</span> </code></pre> </div> <p><strong>The problem with this:</strong></p> <p>This is a good solution for simple query types, in our case, we only check whether the API user includes the <code>genre</code> in the query fields and perform the conditional SQL queries. </p> <p>However, with complex query types, our resolvers could get really messy and verbose.</p> <h3> Solution 3: Loaders </h3> <p>From mercurius <a href="https://mercurius.dev/#/docs/loaders">documentation</a>:</p> <blockquote> <p>Each defined loader will register a resolver that coalesces each of the request and combines them into a single, bulk query.</p> </blockquote> <p>Loaders enable us to write resolvers that batch requests.</p> <p>Mercurius - the graphql adapter for fastify - comes with great set of features including automatic loaders integration to solve 1 + N queries.</p> <p>We just need to define our loaders and add them in the options object where we register the mercurius plugin.</p> <p>In the<code>server.js</code> we have:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">fastify</span><span class="p">.</span><span class="nx">register</span><span class="p">(</span><span class="nx">mercurius</span><span class="p">,{</span> <span class="na">schema</span><span class="p">:</span> <span class="nx">makeExecutableSchema</span><span class="p">({</span> <span class="nx">typeDefs</span><span class="p">,</span> <span class="nx">resolvers</span> <span class="p">}),</span> <span class="na">context</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">client</span><span class="p">:</span> <span class="nx">fastify</span><span class="p">.</span><span class="nx">db</span><span class="p">.</span><span class="nx">client</span> <span class="p">}</span> <span class="p">},</span> <span class="nx">loaders</span><span class="p">,</span> <span class="na">graphiql</span><span class="p">:</span> <span class="dl">'</span><span class="s1">playground</span><span class="dl">'</span> <span class="p">})</span> </code></pre> </div> <p>Refactor our resolver and add our loader<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">resolvers</span> <span class="o">=</span> <span class="p">{</span> <span class="na">Query</span><span class="p">:</span> <span class="p">{</span> <span class="na">songs</span><span class="p">:</span> <span class="k">async</span> <span class="p">(</span><span class="nx">_</span><span class="p">,</span> <span class="nx">args</span><span class="p">,</span> <span class="p">{</span><span class="nx">client</span><span class="p">,</span> <span class="nx">reply</span><span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">reply</span><span class="p">.</span><span class="nx">log</span><span class="p">.</span><span class="nx">info</span><span class="p">(</span><span class="dl">"</span><span class="s2">getting all songs</span><span class="dl">"</span><span class="p">)</span> <span class="kd">let</span> <span class="p">{</span><span class="nx">rows</span><span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nx">query</span><span class="p">(</span><span class="s2">` SELECT songs.songid, songs.songname, songs.genreid FROM songs LIMIT 5; `</span><span class="p">)</span> <span class="k">return</span> <span class="nx">rows</span> <span class="p">}</span> <span class="p">},</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">loaders</span> <span class="o">=</span> <span class="p">{</span> <span class="na">Song</span><span class="p">:</span> <span class="p">{</span> <span class="na">genre</span><span class="p">:</span> <span class="k">async</span> <span class="p">(</span><span class="nx">queries</span><span class="p">,</span> <span class="p">{</span><span class="nx">client</span><span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">genreids</span> <span class="o">=</span> <span class="nx">queries</span><span class="p">.</span><span class="nx">map</span><span class="p">(({</span> <span class="nx">obj</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="nx">obj</span><span class="p">.</span><span class="nx">genreid</span><span class="p">)</span> <span class="kd">let</span> <span class="p">{</span><span class="nx">rows</span><span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nx">query</span><span class="p">(</span><span class="s2">` SELECT genreid, genredescription genre FROM genres WHERE genres.genreid = ANY ($1) `</span><span class="p">,[</span><span class="nx">genreids</span><span class="p">])</span> <span class="k">return</span> <span class="nx">genreids</span><span class="p">.</span><span class="nx">map</span><span class="p">(</span><span class="nx">genreid</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">rows</span><span class="p">.</span><span class="nx">filter</span><span class="p">(</span><span class="nx">genreitem</span> <span class="o">=&gt;</span> <span class="nx">genreitem</span><span class="p">.</span><span class="nx">genreid</span> <span class="o">===</span> <span class="nx">genreid</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="nx">genre</span> <span class="p">})</span> <span class="p">},</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>We have created a resolver for the <code>genre</code> in our <code>Song</code> object type. The loader receives two arguments, <code>queries</code>and <code>context</code>. <code>queries</code> is an array of objects in our case this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="p">[</span> <span class="p">{</span> <span class="na">obj</span><span class="p">:</span> <span class="p">{</span> <span class="na">songid</span><span class="p">:</span> <span class="dl">'</span><span class="s1">f4b800b9-5093-49a7-9bc8-37561b2d7041</span><span class="dl">'</span><span class="p">,</span> <span class="na">songname</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Let Me Down Slowly (feat. Alessia Cara)</span><span class="dl">'</span><span class="p">,</span> <span class="na">genreid</span><span class="p">:</span> <span class="mi">2</span> <span class="p">},</span> <span class="na">params</span><span class="p">:</span> <span class="p">{}</span> <span class="p">},</span> <span class="p">{</span> <span class="na">obj</span><span class="p">:</span> <span class="p">{</span> <span class="na">songid</span><span class="p">:</span> <span class="dl">'</span><span class="s1">8a3416e9-a4ab-468c-b81d-b58c214ed3fd</span><span class="dl">'</span><span class="p">,</span> <span class="na">songname</span><span class="p">:</span> <span class="dl">'</span><span class="s1">stupid</span><span class="dl">'</span><span class="p">,</span> <span class="na">genreid</span><span class="p">:</span> <span class="mi">2</span> <span class="p">},</span> <span class="na">params</span><span class="p">:</span> <span class="p">{}</span> <span class="p">},</span> <span class="c1">// more objects</span> <span class="p">]</span> </code></pre> </div> <p>We map this object to obtain all the <code>genreids</code>, and perform a SQL batch query.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">let</span> <span class="nx">genreids</span> <span class="o">=</span> <span class="nx">queries</span><span class="p">.</span><span class="nx">map</span><span class="p">(({</span> <span class="nx">obj</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="nx">obj</span><span class="p">.</span><span class="nx">genreid</span><span class="p">)</span> <span class="kd">let</span> <span class="p">{</span><span class="nx">rows</span><span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nx">query</span><span class="p">(</span><span class="s2">` SELECT genreid, genredescription genre FROM genres WHERE genres.genreid = ANY ($1) `</span><span class="p">,[</span><span class="nx">genreids</span><span class="p">])</span> </code></pre> </div> <p>We then return the result ordered by the genreids.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="k">return</span> <span class="nx">genreids</span><span class="p">.</span><span class="nx">map</span><span class="p">(</span><span class="nx">genreid</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">rows</span><span class="p">.</span><span class="nx">filter</span><span class="p">(</span><span class="nx">genreitem</span> <span class="o">=&gt;</span> <span class="nx">genreitem</span><span class="p">.</span><span class="nx">genreid</span> <span class="o">===</span> <span class="nx">genreid</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="nx">genre</span> <span class="p">})</span> </code></pre> </div> <p>Our resolvers can now query our database efficiently.</p> <h2> References </h2> <ul> <li><a href="https://mercurius.dev/#/">Mercurius documentation</a></li> </ul> graphql node webdev javascript Fastify and PostgreSQL REST API Kenwanjohi Tue, 20 Apr 2021 17:23:48 +0000 https://dev.to/kenwanjohi/fastify-and-postgresql-rest-api-2f9l https://dev.to/kenwanjohi/fastify-and-postgresql-rest-api-2f9l <h2> Enter the 'speed force' </h2> <p>From the <a href="https://www.fastify.io/">documentation</a>, fastify is a fast and low overhead web framework for Node.js.</p> <p>So, I decided to explore some of the awesome features that fastify offers including but not limited to, speed, extensibility via plugins and decorators, schema validation, and serialization and logging. I dived into their <a href="https://www.fastify.io/docs/latest/">documentation</a>, which is excellent by the way, with the help of some GitHub repositories and decided to build some REST API endpoints powered by fastify and a PostgreSQL database.</p> <p>You can check out the <a href="https://github.com/Kenwanjohi/fastify">source code</a> or follow along in this post.</p> <h2> Getting Started </h2> <h3> Setting up the project </h3> <p>Navigate to the root folder of your project and run <code>npm init</code> to initialize your project. Create an <code>src</code> folder for your project source code and create an <code>index.js</code> file as the entry point.</p> <h3> Installing dependencies </h3> <p><strong>Installing nodemon</strong></p> <p><a href="https://www.npmjs.com/package/nodemon">nodemon</a> is a dev dependency that'll monitor your file changes and restart your server automatically.</p> <p>You can install nodemon locally with npm:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>npm install nodemon --save-dev </code></pre> </div> <p>Add this npm script to the scripts in the <code>package.json</code> file<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="nl">"start"</span><span class="p">:</span><span class="w"> </span><span class="s2">"nodemon src/index.js"</span><span class="w"> </span></code></pre> </div> <p><strong>Installing Fastify</strong></p> <p>Install with npm:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>npm i fastify --save </code></pre> </div> <h3> Hello World: Starting and running your server </h3> <p>In the <code>index.js</code> file add this block of code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">fastify</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">fastify</span><span class="dl">'</span><span class="p">)({</span><span class="na">logger</span><span class="p">:</span> <span class="kc">true</span><span class="p">})</span> <span class="nx">fastify</span><span class="p">.</span><span class="kd">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="k">async</span> <span class="p">(</span><span class="nx">request</span><span class="p">,</span> <span class="nx">reply</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">reply</span><span class="p">.</span><span class="nx">send</span><span class="p">({</span> <span class="na">hello</span><span class="p">:</span> <span class="dl">'</span><span class="s1">world</span><span class="dl">'</span> <span class="p">})</span> <span class="p">})</span> <span class="k">async</span> <span class="kd">function</span> <span class="nx">start</span><span class="p">()</span> <span class="p">{</span> <span class="k">try</span><span class="p">{</span> <span class="k">await</span> <span class="nx">fastify</span><span class="p">.</span><span class="nx">listen</span><span class="p">(</span><span class="mi">3000</span><span class="p">)</span> <span class="p">}</span> <span class="k">catch</span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">fastify</span><span class="p">.</span><span class="nx">log</span><span class="p">.</span><span class="nx">error</span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="nx">process</span><span class="p">.</span><span class="nx">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">start</span><span class="p">()</span> </code></pre> </div> <p>On the first line, we create a fastify instance and enable logging, fastify uses <a href="https://getpino.io/#/">pino</a> as its logger. We then define a <code>GET</code> route method, specify a homepage endpoint <code>'/'</code> and pass in the route handler function which responds with the object <code>{hello: 'world'}</code> when we make a get request to the homepage.</p> <p>We instantiate our fastify server instance (wrapped in our <code>start</code> function)  and listen for requests on port 3000. To start the server, run <code>npm start</code> on your terminal in the root folder. You Server should now be running and the following will be logged in the terminal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{"level":30,"time":1618477680757,"pid":5800,"hostname":"x","msg":"Server listening at http://127.0.0.1:3000"} </code></pre> </div> <p>When you visit the homepage you should see the response:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>curl http://localhost:3000/ {"hello":"world"} </code></pre> </div> <p>Great we have our server!</p> <h2> Plugins </h2> <p>We can extend fastify's functionality with plugins.<br> From the documentation:</p> <blockquote> <p>A plugin can be a set of routes, a server decorator, or whatever.</p> </blockquote> <p>We can refactor our route into a plugin and put it in a separate file i.e <code>routes.js</code>, then require it in our root file and use the <code>register</code> API to add the route or other plugins.</p> <p>Create a <code>routes.js</code> file and add this code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nx">routes</span><span class="p">(</span><span class="nx">fastify</span><span class="p">,</span> <span class="nx">options</span><span class="p">)</span> <span class="p">{</span> <span class="nx">fastify</span><span class="p">.</span><span class="kd">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="k">async</span> <span class="p">(</span><span class="nx">request</span><span class="p">,</span> <span class="nx">reply</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">reply</span><span class="p">.</span><span class="nx">send</span><span class="p">({</span> <span class="na">hello</span><span class="p">:</span> <span class="dl">'</span><span class="s1">world</span><span class="dl">'</span> <span class="p">})</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span><span class="o">=</span> <span class="nx">routes</span> </code></pre> </div> <p>We then require our module in <code>index.js</code> and register it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">fastify</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">fastify</span><span class="dl">'</span><span class="p">)({</span><span class="na">logger</span><span class="p">:</span> <span class="kc">true</span><span class="p">})</span> <span class="kd">const</span> <span class="nx">route</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./routes</span><span class="dl">'</span><span class="p">)</span> <span class="nx">fastify</span><span class="p">.</span><span class="nx">register</span><span class="p">(</span><span class="nx">route</span><span class="p">)</span> <span class="k">async</span> <span class="kd">function</span> <span class="nx">start</span><span class="p">()</span> <span class="p">{</span> <span class="p">...</span> <span class="p">}</span> <span class="nx">start</span><span class="p">()</span> </code></pre> </div> <p>A request on the homepage should still work. Great, we have our first plugin.</p> <h2> Creating our database </h2> <p>To create a database we first need to connect to <code>psql</code>, an interactive terminal for working with Postgres.</p> <p>To connect to <code>psql</code> run the command in the terminal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>psql -h localhost -U postgres </code></pre> </div> <p>Enter your password in the prompt to connect to <code>psql</code>.</p> <p>The <code>CREATE DATABASE databaseName</code> statement creates a database:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">DATABASE</span> <span class="n">todos</span><span class="p">;</span> </code></pre> </div> <p>To connect to the created database run the command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="err">\</span><span class="k">c</span> <span class="n">todos</span> </code></pre> </div> <p>To create our table run the statement<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">todos</span> <span class="p">(</span> <span class="n">id</span> <span class="n">UUID</span> <span class="k">PRIMARY</span> <span class="k">KEY</span><span class="p">,</span> <span class="n">name</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">255</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="nv">"createdAt"</span> <span class="nb">TIMESTAMP</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">important</span> <span class="nb">BOOLEAN</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="nv">"dueDate"</span> <span class="nb">TIMESTAMP</span><span class="p">,</span> <span class="n">done</span> <span class="nb">BOOLEAN</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="p">);</span> </code></pre> </div> <h2> Connecting our  database </h2> <p>To interface with postgreSQL database we need <a href="https://node-postgres.com/">node-postgres</a> or the <code>pg</code> driver.</p> <p>To install <code>node-postgres</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>npm install pg </code></pre> </div> <p><strong>Database connection plugin</strong></p> <p>Let's create a plugin to connect to our database. Create a <code>db.js</code> file and add the following code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">fastifyPlugin</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">fastify-plugin</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">Client</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">pg</span><span class="dl">'</span><span class="p">)</span> <span class="nx">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">dotenv</span><span class="dl">'</span><span class="p">).</span><span class="nx">config</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">Client</span><span class="p">({</span> <span class="na">user</span><span class="p">:</span> <span class="dl">'</span><span class="s1">postgres</span><span class="dl">'</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">PASSWORD</span><span class="p">,</span> <span class="na">host</span><span class="p">:</span> <span class="dl">'</span><span class="s1">localhost</span><span class="dl">'</span><span class="p">,</span> <span class="na">port</span><span class="p">:</span> <span class="mi">5432</span><span class="p">,</span> <span class="na">database</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DATABASE</span> <span class="p">})</span> <span class="k">async</span> <span class="kd">function</span> <span class="nx">dbconnector</span><span class="p">(</span><span class="nx">fastify</span><span class="p">,</span> <span class="nx">options</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nx">connect</span><span class="p">()</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">db connected succesfully</span><span class="dl">"</span><span class="p">)</span> <span class="nx">fastify</span><span class="p">.</span><span class="nx">decorate</span><span class="p">(</span><span class="dl">'</span><span class="s1">db</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span><span class="nx">client</span><span class="p">})</span> <span class="p">}</span> <span class="k">catch</span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nx">error</span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span><span class="o">=</span> <span class="nx">fastifyPlugin</span><span class="p">(</span><span class="nx">dbconnector</span><span class="p">)</span> </code></pre> </div> <p>Let's skip the <code>fastifyPlugin</code> part first.</p> <p>We require <code>Client</code> module from <code>node-postgres</code> and create a <code>client</code> instance, passing in the object with the various fields.</p> <p>Make sure to create a <code>.env</code> file and add:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>PASSWORD='yourpassword' </code></pre> </div> <p>Install and require the <code>dotenv</code> module to load the environment variables<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>npm i dotenv </code></pre> </div> <p>We then create our <code>dbconnector</code> plugin and inside the try block, we connect to our postgres database.</p> <p>Inside the block you can also see:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">fastify</span><span class="p">.</span><span class="nx">decorate</span><span class="p">(</span><span class="dl">'</span><span class="s1">db</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span><span class="nx">client</span><span class="p">})</span> </code></pre> </div> <p><strong>What is the decorate function?</strong></p> <p>In fastify, to add functionality to the fastify instance, you use <a href="https://www.fastify.io/docs/latest/Decorators/">decorators</a>. We use the <code>decorate</code> API, pass the property name <code>'db'</code> as the first argument and the value of our <code>client</code> instance (<code>{client}</code>) as the second argument. The value could also be a function or a string.<br> We export the plugin wrapped in a <code>fastifyPlugin</code> module.</p> <p>Require the module in the <code>index.js</code> file and register it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">dbconnector</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./db</span><span class="dl">'</span><span class="p">)</span> <span class="nx">fastify</span><span class="p">.</span><span class="nx">register</span><span class="p">(</span><span class="nx">dbconnector</span><span class="p">)</span> <span class="nx">fastify</span><span class="p">.</span><span class="nx">register</span><span class="p">(</span><span class="nx">route</span><span class="p">)</span> <span class="k">async</span> <span class="kd">function</span> <span class="nx">start</span><span class="p">()</span> <span class="p">{</span> <span class="p">...</span> <span class="p">}</span> <span class="nx">start</span><span class="p">()</span> </code></pre> </div> <p>We can now access our client instance in other parts of the application for instance in our routes to query data using  <code>fastify.db.client</code>.</p> <p>Let's take a step back to the <code>fastifyPlugin</code> module. Why wrap our plugin with fastifyPlugin? When we register a plugin, we create a fastify context (encapsulation), which means access to the data outside our registered plugin is restricted. In this case, we can't access our database <code>client</code> instance using <code>fastify.db.client</code> anywhere in our application.</p> <p>To share context, we wrap our plugin in a <code>fastifyPlugin</code> module. We can now access our database <code>client</code> instance anywhere in our application.</p> <h2> Serialization </h2> <p>Lets refactor our homepage route to return information from our database:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nx">routes</span><span class="p">(</span><span class="nx">fastify</span><span class="p">,</span> <span class="nx">options</span><span class="p">)</span> <span class="p">{</span> <span class="c1">//Access our client instance value from our decorator</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="nx">fastify</span><span class="p">.</span><span class="nx">db</span><span class="p">.</span><span class="nx">client</span> <span class="nx">fastify</span><span class="p">.</span><span class="kd">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span><span class="na">schema</span><span class="p">:</span> <span class="nx">allTodos</span><span class="p">},</span> <span class="k">async</span> <span class="kd">function</span> <span class="p">(</span><span class="nx">request</span><span class="p">,</span> <span class="nx">reply</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span><span class="nx">rows</span><span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nx">query</span><span class="p">(</span><span class="dl">'</span><span class="s1">SELECT * FROM todos</span><span class="dl">'</span><span class="p">)</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">rows</span><span class="p">)</span> <span class="nx">reply</span><span class="p">.</span><span class="nx">send</span><span class="p">(</span><span class="nx">rows</span><span class="p">)</span> <span class="p">}</span> <span class="k">catch</span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nb">Error</span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">}</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span><span class="o">=</span> <span class="nx">routes</span> </code></pre> </div> <p>We First access our database <code>client</code> instance and assign it to a <code>client</code> variable.<br> Inside our routes we query all columns from our database using the shorthand <code>*</code> and send the returned todos using <code>reply.send(rows)</code> - you could also use <code>return rows</code>.<br> Make sure you add some todos in your database first in the <code>psql</code> terminal i.e:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">INSERT</span> <span class="k">INTO</span> <span class="n">todos</span> <span class="p">(</span><span class="n">id</span><span class="p">,</span> <span class="n">name</span><span class="p">,</span> <span class="nv">"createdAt"</span><span class="p">,</span> <span class="n">important</span><span class="p">,</span> <span class="nv">"dueDate"</span><span class="p">,</span> <span class="n">done</span><span class="p">)</span> <span class="k">VALUES</span> <span class="p">(</span><span class="s1">'54e694ce-6003-46e6-9cfd-b1cf0fe9d332'</span><span class="p">,</span> <span class="s1">'learn fastify'</span><span class="p">,</span> <span class="s1">'2021-04-20T12:39:25Z'</span><span class="p">,</span> <span class="k">true</span><span class="p">,</span> <span class="s1">'2021-04-22T15:22:20Z'</span><span class="p">,</span> <span class="k">false</span><span class="p">);</span> <span class="k">INSERT</span> <span class="k">INTO</span> <span class="n">todos</span> <span class="p">(</span><span class="n">id</span><span class="p">,</span> <span class="n">name</span><span class="p">,</span> <span class="nv">"createdAt"</span><span class="p">,</span> <span class="n">important</span><span class="p">,</span> <span class="nv">"dueDate"</span><span class="p">,</span> <span class="n">done</span><span class="p">)</span> <span class="k">VALUES</span> <span class="p">(</span><span class="s1">'d595655e-9691-4d1a-9a6b-9fbba046ae36'</span><span class="p">,</span> <span class="s1">'learn REST APIs'</span><span class="p">,</span> <span class="s1">'2021-04-18T07:24:07Z'</span><span class="p">,</span><span class="k">true</span><span class="p">,</span> <span class="k">null</span><span class="p">,</span> <span class="k">false</span><span class="p">);</span> </code></pre> </div> <p>If an error occurs, trying to query our database, we throw the error.</p> <p>When you look closer at our get route method, you can see have an object as our second argument with a <code>schema</code> key and <code>allTodos</code> as the value.</p> <p>Fastify uses  <a href="https://www.npmjs.com/package/fast-json-stringify">fast-json-stringify</a> to serialize your response body when a schema is provided in the route options.</p> <p>To add the schema create a <code>schemas.js</code> file and add the <code>allTodos schema</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">allTodos</span> <span class="o">=</span> <span class="p">{</span> <span class="na">response</span><span class="p">:</span> <span class="p">{</span> <span class="mi">200</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">array</span><span class="dl">'</span><span class="p">,</span> <span class="na">items</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">object</span><span class="dl">'</span><span class="p">,</span> <span class="na">required</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">id</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">name</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">createdAt</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">important</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">dueDate</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">done</span><span class="dl">'</span><span class="p">],</span> <span class="na">properties</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="p">{</span><span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span><span class="p">,</span> <span class="na">format</span><span class="p">:</span> <span class="dl">'</span><span class="s1">uuid</span><span class="dl">'</span><span class="p">},</span> <span class="na">name</span><span class="p">:</span> <span class="p">{</span><span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span><span class="p">},</span> <span class="na">createdAt</span><span class="p">:{</span><span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span><span class="p">,</span><span class="na">format</span><span class="p">:</span> <span class="dl">"</span><span class="s2">date-time</span><span class="dl">"</span><span class="p">},</span> <span class="na">important</span><span class="p">:</span> <span class="p">{</span><span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">boolean</span><span class="dl">'</span><span class="p">},</span> <span class="na">dueDate</span><span class="p">:</span> <span class="p">{</span><span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span><span class="p">,</span><span class="na">format</span><span class="p">:</span> <span class="dl">"</span><span class="s2">date-time</span><span class="dl">"</span><span class="p">},</span> <span class="na">done</span><span class="p">:</span> <span class="p">{</span><span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">boolean</span><span class="dl">'</span><span class="p">},</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Fastify recommends using <a href="https://json-schema.org/">JSON Schema</a> to serialize your outputs, you can read how to write JSON schema <a href="https://json-schema.org/understanding-json-schema/index.html">here</a>. </p> <p>We're specifying the <code>response</code>, the response <code>status code</code>, and the entity which is an <code>array</code> type. The <code>items</code> specify each entry in the array as an object with the required keys and the properties with the various fields and types.</p> <p>Remember to require the module in the <code>routes.js</code> file.</p> <h2> Validation </h2> <p>In the <code>routes.js</code> file, let's add a <code>POST</code> method route inside our route plugin to add todos to our database.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">fastify</span><span class="p">.</span><span class="nx">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span><span class="na">schema</span><span class="p">:</span> <span class="nx">addTodo</span><span class="p">},</span> <span class="k">async</span> <span class="kd">function</span><span class="p">(</span><span class="nx">request</span><span class="p">,</span> <span class="nx">reply</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span><span class="nx">name</span><span class="p">,</span> <span class="nx">important</span><span class="p">,</span> <span class="nx">dueDate</span><span class="p">}</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">body</span> <span class="kd">const</span> <span class="nx">id</span> <span class="o">=</span> <span class="nx">uuidv4</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">done</span> <span class="o">=</span> <span class="kc">false</span> <span class="nx">createdAt</span> <span class="o">=</span> <span class="k">new</span> <span class="nb">Date</span><span class="p">().</span><span class="nx">toISOString</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">query</span> <span class="o">=</span> <span class="p">{</span> <span class="na">text</span><span class="p">:</span> <span class="s2">`INSERT INTO todos (id, name, "createdAt", important, "dueDate", done) VALUES($1, $2, $3, $4, $5, $6 ) RETURNING *`</span><span class="p">,</span> <span class="na">values</span><span class="p">:</span> <span class="p">[</span><span class="nx">id</span><span class="p">,</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">createdAt</span><span class="p">,</span> <span class="nx">important</span><span class="p">,</span> <span class="nx">dueDate</span><span class="p">,</span> <span class="nx">done</span><span class="p">],</span> <span class="p">}</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span><span class="nx">rows</span><span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nx">query</span><span class="p">(</span><span class="nx">query</span><span class="p">)</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">rows</span><span class="p">[</span><span class="mi">0</span><span class="p">])</span> <span class="nx">reply</span><span class="p">.</span><span class="nx">code</span><span class="p">(</span><span class="mi">201</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="na">created</span><span class="p">:</span> <span class="kc">true</span><span class="p">}</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nb">Error</span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">}</span> <span class="p">})</span> </code></pre> </div> <p>We allow the client to send a JSON object in the body with <code>name</code> of the todo, <code>important</code>, and <code>dueDate</code> properties.</p> <p>We then generate a unique <code>id</code>, assign false to <code>done</code> and a timestamp assigned to <code>createdAt</code>.</p> <p>To generate the unique id install <code>uuid</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>npm install uuid </code></pre> </div> <p>Require the module in the <code>routes.js</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="p">{</span> <span class="na">v4</span><span class="p">:</span> <span class="nx">uuidv4</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">uuid</span><span class="dl">'</span><span class="p">);</span> </code></pre> </div> <p>We then construct a query object with a <code>text</code> property with the SQL statement to insert the todos in the database and the <code>values</code> property containing the values to be inserted into the respective columns.</p> <p>After a successful insert we send a <code>201 Created</code> status code back to the client.<br> In the <code>schemas.js</code> file, let's add the validation schema for our todos:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">addTodo</span> <span class="o">=</span> <span class="p">{</span> <span class="na">body</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">object</span><span class="dl">'</span><span class="p">,</span> <span class="na">required</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">name</span><span class="dl">'</span><span class="p">],</span> <span class="na">properties</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="p">{</span><span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span><span class="p">,},</span> <span class="na">dueDate</span><span class="p">:</span> <span class="p">{</span><span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span><span class="p">,</span> <span class="na">format</span><span class="p">:</span> <span class="dl">'</span><span class="s1">date-time</span><span class="dl">'</span><span class="p">,</span> <span class="na">nullable</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">default</span><span class="p">:</span> <span class="kc">null</span><span class="p">},</span> <span class="na">important</span><span class="p">:</span> <span class="p">{</span><span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">boolean</span><span class="dl">'</span><span class="p">,</span> <span class="na">default</span><span class="p">:</span> <span class="kc">false</span><span class="p">},</span> <span class="p">}</span> <span class="p">},</span> <span class="na">response</span><span class="p">:</span> <span class="p">{</span> <span class="mi">201</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">object</span><span class="dl">'</span><span class="p">,</span> <span class="na">properties</span><span class="p">:</span> <span class="p">{</span> <span class="na">created</span><span class="p">:</span> <span class="p">{</span><span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">boolean</span><span class="dl">'</span><span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Fastify uses <a href="https://ajv.js.org/">Ajv</a> to validate requests.<br> We expect the client to always send the <code>name</code> of the todo by adding it in the required property array.</p> <p>The <code>dueDate</code> property can be omitted by the client whereby it will be <code>null</code> by default. This is made possible by setting the <code>nullable</code> property to <code>true</code> which allows a data instance to be JSON null. When provided it has to be of the format 'date-time'.</p> <p>The <code>client</code> can optionally indicate whether a todo is important or it falls back to the default.</p> <p>If the above conditions are not satisfied, fastify will automatically send an error object with the error message.</p> <p>For instance, if you omit a name, you should see an error like<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"statusCode"</span><span class="p">:</span><span class="w"> </span><span class="mi">400</span><span class="p">,</span><span class="w"> </span><span class="nl">"error"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Bad Request"</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"body should have required property 'name'"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Great! Our validation is working</p> <h2> Adding other REST endpoints </h2> <p><strong>Update todo</strong><br> Let's allow users to set their todo as done or importance of the todo or change dueDate. To do that let's add a <code>PATCH</code> method route to our routes plugin.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">fastify</span><span class="p">.</span><span class="nx">patch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/:id</span><span class="dl">'</span><span class="p">,{</span><span class="na">schema</span><span class="p">:</span> <span class="nx">updateTodo</span><span class="p">},</span> <span class="k">async</span> <span class="kd">function</span> <span class="p">(</span><span class="nx">request</span><span class="p">,</span> <span class="nx">reply</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">id</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">id</span> <span class="kd">const</span> <span class="p">{</span><span class="nx">important</span><span class="p">,</span> <span class="nx">dueDate</span><span class="p">,</span> <span class="nx">done</span><span class="p">}</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">body</span> <span class="kd">const</span> <span class="nx">query</span> <span class="o">=</span> <span class="p">{</span> <span class="na">text</span><span class="p">:</span> <span class="s2">`UPDATE todos SET important = COALESCE($1, important), "dueDate" = COALESCE($2, "dueDate"), done = COALESCE($3, done) WHERE id = $4 RETURNING *`</span><span class="p">,</span> <span class="na">values</span> <span class="p">:</span> <span class="p">[</span><span class="nx">important</span><span class="p">,</span> <span class="nx">dueDate</span><span class="p">,</span> <span class="nx">done</span><span class="p">,</span> <span class="nx">id</span><span class="p">]</span> <span class="p">}</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span><span class="nx">rows</span><span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nx">query</span><span class="p">(</span><span class="nx">query</span><span class="p">)</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">rows</span><span class="p">[</span><span class="mi">0</span><span class="p">])</span> <span class="nx">reply</span><span class="p">.</span><span class="nx">code</span><span class="p">(</span><span class="mi">204</span><span class="p">)</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nb">Error</span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">}</span> <span class="p">})</span> </code></pre> </div> <p>We're extracting the <code>id</code> of the todo we want to update from the parameter and the values from the request body.</p> <p>We then create our query statement, updating the columns provided optionally using the <code>COALESCE</code> function. That is, if the clients omit some properties in the JSON body, we update only the provided properties and leave the rest as they are in the todo row.</p> <p>We then respond with a <code>204 No Content</code>.</p> <p>Lets add a validation schema for our route:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">updateTodo</span> <span class="o">=</span> <span class="p">{</span> <span class="na">body</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">object</span><span class="dl">'</span><span class="p">,</span> <span class="na">properties</span><span class="p">:</span> <span class="p">{</span> <span class="na">dueDate</span><span class="p">:</span> <span class="p">{</span><span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span><span class="p">,</span> <span class="na">format</span><span class="p">:</span> <span class="dl">'</span><span class="s1">date-time</span><span class="dl">'</span><span class="p">},</span> <span class="na">important</span><span class="p">:</span> <span class="p">{</span><span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">boolean</span><span class="dl">'</span><span class="p">},</span> <span class="na">done</span><span class="p">:</span> <span class="p">{</span><span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">boolean</span><span class="dl">'</span><span class="p">}</span> <span class="p">}</span> <span class="p">},</span> <span class="na">params</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">object</span><span class="dl">'</span><span class="p">,</span> <span class="na">properties</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span><span class="p">,</span> <span class="na">format</span><span class="p">:</span> <span class="dl">'</span><span class="s1">uuid</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>params validates the params object.</p> <p><strong>Delete todo</strong></p> <p>To delete a todo, we just need the <code>id</code> sent in the URL parameter.<br> Add a <code>DELETE</code> method route:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">fastify</span><span class="p">.</span><span class="k">delete</span><span class="p">(</span><span class="dl">'</span><span class="s1">/:id</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span><span class="na">schema</span><span class="p">:</span> <span class="nx">deleteTodo</span><span class="p">},</span> <span class="k">async</span> <span class="kd">function</span><span class="p">(</span><span class="nx">request</span><span class="p">,</span> <span class="nx">reply</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">params</span><span class="p">)</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span><span class="nx">rows</span><span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nx">query</span><span class="p">(</span><span class="dl">'</span><span class="s1">DELETE FROM todos WHERE id = $1 RETURNING *</span><span class="dl">'</span><span class="p">,</span> <span class="p">[</span><span class="nx">request</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">id</span><span class="p">])</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">rows</span><span class="p">[</span><span class="mi">0</span><span class="p">])</span> <span class="nx">reply</span><span class="p">.</span><span class="nx">code</span><span class="p">(</span><span class="mi">204</span><span class="p">)</span> <span class="p">}</span> <span class="k">catch</span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nb">Error</span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">}</span> <span class="p">})</span> </code></pre> </div> <p>Lets add a validation schema for our <code>DELETE</code> route:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">deleteTodo</span> <span class="o">=</span> <span class="p">{</span> <span class="na">params</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">object</span><span class="dl">'</span><span class="p">,</span> <span class="na">properties</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="p">{</span><span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span><span class="p">,</span> <span class="na">format</span><span class="p">:</span> <span class="dl">'</span><span class="s1">uuid</span><span class="dl">'</span><span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Conclusion: </h2> <p>Give fastify a try and "take your HTTP server to ludicrous speed" ~ <a href="https://twitter.com/matteocollina">Matteo Collina</a>.</p> <p>You can check out the project source code <a href="https://github.com/Kenwanjohi">here</a></p> <h3> References: </h3> <ul> <li><a href="https://www.fastify.io/docs/latest/">Fastify Documentation</a></li> <li><a href="https://json-schema.org/understanding-json-schema/index.html">Understanding JSON schema</a></li> </ul> <p>Fastify examples; GitHub repos:</p> <ul> <li><a href="https://github.com/delvedor/fastify-example">fastify-example</a></li> <li><a href="https://github.com/fastify/fastify-example-todo">fastify-example-todo</a></li> </ul> postgres node javascript webdev A valet key? OAuth 2.0 Delegated Authorization in Node.js Kenwanjohi Tue, 13 Oct 2020 20:33:11 +0000 https://dev.to/kenwanjohi/a-valet-key-oauth-2-0-delegated-authorization-in-node-js-2d7p https://dev.to/kenwanjohi/a-valet-key-oauth-2-0-delegated-authorization-in-node-js-2d7p <p>How to implement OAuth 2.0 in Node.js with Spotify using the Authorization code flow.</p> <h1> What is Delegated Authorization? </h1> <p>First things first, Delegated Authorization is all about granting access to perform some task on your behalf.<br> Consider a valet key, you hand a valet parking attendant a valet key to park and retrieve your car on your behalf. Valet keys typically unlock the driver's door and start the car but can't unlock the trunk or the glove box.<br> For an application to perform such tasks, for instance make API requests in order to perform actions(read and write) on user's resources(in another application), they need to be authorized by the user to perform only a set of actions on the user's behalf.<br> OAuth is a delegation framework that enables all the parties involved to orchestrate such a process.</p> <h2> OAuth 2.0 in Node.js </h2> <p>Setup your node.js environment and have your server running using the framework of your choice.<br> We'll be using Spotify as an example to show the OAuth 2.0 authorization code flow in node.js.<br> You can check out the final application <a href="https://nameless-badlands-53247.herokuapp.com/">here</a></p> <h3> Step 1: Client registration and configuration </h3> <p>From the specification, a client is an application making protected resource requests on behalf of the resource owner (end-user) with its authorization. To register an application you need to provide the information required by the authorization server. This will vary depending on the service provider. With Spotify some of the information includes application name, description, website, Redirect URL.<br> After registering an application you are presented with a client ID and client secret. Save the client ID and client Secret in a <strong>.env</strong> file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">Client_id</span><span class="o">=</span><span class="dl">"</span><span class="s2">your client_id</span><span class="dl">"</span> <span class="nx">Client_secret</span><span class="o">=</span><span class="dl">"</span><span class="s2">your client secret</span><span class="dl">"</span> </code></pre> </div> <p>A client ID is a unique identifier and a client secret is used to authenticate the client with the authorization server. <br> In the <strong>app.js</strong> create an object to encapsulate the client details (client_id and client_secret). Use the dotenv module to load the environment variables. To install the module, run <strong>npm install dotenv</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">dotenv</span><span class="dl">'</span><span class="p">).</span><span class="nx">config</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="p">{</span> <span class="na">client_id</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">Client_id</span><span class="p">,</span> <span class="na">client_secret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">Client_secret</span><span class="p">,</span> <span class="na">redirect_uri</span><span class="p">:</span> <span class="dl">"</span><span class="s2">http://localhost:3000/callback</span><span class="dl">"</span> <span class="p">}</span> </code></pre> </div> <p>The <strong>redirect_uri</strong> is the endpoint URL that the authorization server redirects the user-agent back to the client with (previously used in client registration) after the resource owner grants or denies permission to your client.</p> <h3> Step 2: Send an authorization request </h3> <p>You need to include a link that initiates the process and also inform the user what service they are about to access. For instance, <strong>View your Spotify activity</strong>. This is done by sending the client to the authorization endpoint of the authorization server. The authorization endpoint can be found on the <a href="https://developer.spotify.com/documentation/general/guides/authorization-guide/">authorization guide</a>.<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--3UeHBcRC--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.datocms-assets.com/30168/1602607954-rsz1presentation7-1.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--3UeHBcRC--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.datocms-assets.com/30168/1602607954-rsz1presentation7-1.png" alt=""></a><br> Next, configure the authorization server details; just like the client details, enclose the details in an object.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">authProvider</span> <span class="o">=</span> <span class="p">{</span> <span class="na">authEndpoint</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://accounts.spotify.com/authorize</span><span class="dl">'</span><span class="p">,</span> <span class="na">tokenEndpoint</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://accounts.spotify.com/api/token</span><span class="dl">'</span> <span class="p">}</span> </code></pre> </div> <p>From the specification, the <strong>authorization endpoint</strong> is used to interact with the resource owner and obtain an authorization grant. The <strong>token endpoint</strong> is used by the client to obtain an <strong>access token</strong> by providing its authorization grant or refresh tokens.<br> To send the user to the authorization endpoint, you need the authorization endpoint URL and a few concatenated URL query parameters:<br> <strong>Client ID</strong><br> The client id obtained after client registration.<br> <strong>response_type</strong><br> <em>code</em> indicates the type of response returned.<br> <strong>redirect_url</strong><br> The URI to redirect to after the user grants or denies permission to your client. We included it in the client's config object.<br> <strong>scope</strong><br> This refers to the information the client wants to access the resource server.<br> <strong>state</strong><br> A random non-guessable string used to protect against cross-site request forgery(CSRF) attacks.<br> To build the url with all the queries you can use the build-url library;a library that builds URLs. To install run <strong>npm install build-url --save</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">buildUrl</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">build-url</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">authorizeUrl</span> <span class="o">=</span> <span class="nx">buildUrl</span><span class="p">(</span><span class="nx">authProvider</span><span class="p">.</span><span class="nx">authEndpoint</span><span class="p">,</span> <span class="p">{</span> <span class="na">queryParams</span><span class="p">:</span> <span class="p">{</span> <span class="na">client_id</span><span class="p">:</span> <span class="nx">client</span><span class="p">.</span><span class="nx">client_id</span><span class="p">,</span> <span class="na">redirect_uri</span><span class="p">:</span> <span class="nx">client</span><span class="p">.</span><span class="nx">redirect_uri</span><span class="p">,</span> <span class="nx">state</span><span class="p">,</span> <span class="na">response_type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">code</span><span class="dl">"</span><span class="p">,</span> <span class="na">scope</span><span class="p">:</span> <span class="dl">"</span><span class="s2">user-top-read</span><span class="dl">"</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>First, we pass the authorization endpoint as the first argument of the buildUrl function followed by the query parameters. The queryParams object is self-explanatory, except the state and scope maybe. The scope <strong>"user-top-read"</strong> from the Spotify guide gives access to a user's top artists and tracks. </p> <h4> So what is the state query parameter? </h4> <p>From the <a href="https://tools.ietf.org/html/rfc6749#section-10.10">specification</a>;</p> <blockquote> <p>The client MUST implement CSRF protection for its redirection URI. .........The binding value used for CSRF protection MUST contain a non-guessable value</p> </blockquote> <p>There is no specification on how to generate the non-guessable value. We can use the node.js <strong>crypto</strong> module to genetrate the random string to be used as state.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">crypto</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">crypto</span><span class="dl">'</span><span class="p">);</span> <span class="kd">let</span> <span class="nx">state</span> <span class="nx">crypto</span><span class="p">.</span><span class="nx">randomBytes</span><span class="p">(</span><span class="mi">20</span><span class="p">,</span> <span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">buf</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="k">throw</span> <span class="nx">err</span><span class="p">;</span> <span class="nx">state</span> <span class="o">=</span> <span class="nx">buf</span><span class="p">.</span><span class="nx">toString</span><span class="p">(</span><span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">)</span> <span class="p">});</span> </code></pre> </div> <p>The state parameter is returned in the response callback and thus has to be compared with the one in the client, we therefore need to store it somewhere. We could store in session strorage. To use session storage we need express-session middleware. To install run the command <strong>npm install express-session</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express-session</span><span class="dl">'</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nx">use</span><span class="p">(</span><span class="nx">session</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">SESSION_ID</span><span class="dl">'</span><span class="p">,</span> <span class="na">secret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">secret</span><span class="p">,</span> <span class="c1">//signs the cookie</span> <span class="na">resave</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">saveUninitialized</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">}))</span> </code></pre> </div> <p>Send the request to the authorization endpoint.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="kd">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/authorize</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span><span class="p">.</span><span class="nx">state</span> <span class="o">=</span> <span class="nx">state</span> <span class="nx">res</span><span class="p">.</span><span class="nx">redirect</span><span class="p">(</span><span class="nx">authorizeUrl</span><span class="p">);</span> <span class="p">})</span> </code></pre> </div> <p>The user initiates the process by clicking the authorize link, they are redirected to the service provider's authorization endpoint where they authenticate themselves first(if not already authenticated), they are then presented with the scopes; information that the client will have access to and whether they agree to grant the client access or not. Whether they agree or not the user is redirected back to the client with the redirect URL.<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--4TTD3RCS--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.datocms-assets.com/30168/1602607960-rszpresentation7-3.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--4TTD3RCS--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.datocms-assets.com/30168/1602607960-rszpresentation7-3.png" alt=""></a></p> <h3> Step 3: Exchanging the authorization code for an access token </h3> <p>If the user grants the client access, the redirect URL contains the <strong>code</strong> and the <strong>state</strong> query parameters. If they deny the client access, the redirect URL contains the <strong>error</strong> parameter with a description why the authorization failed i.e access_denied.<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--hBZubrPZ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.datocms-assets.com/30168/1602607964-rszpresentation7-4.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--hBZubrPZ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.datocms-assets.com/30168/1602607964-rszpresentation7-4.png" alt=""></a></p> <p>At this point the client extracts the state parameter and compares it with the session state and if they don't match the client doesn't continue with the processing.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">if</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nx">state</span> <span class="o">!==</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span><span class="p">.</span><span class="nx">state</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nx">render</span><span class="p">(</span><span class="dl">'</span><span class="s1">error</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span><span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">State doesn</span><span class="se">\'</span><span class="s1">t match</span><span class="dl">'</span><span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>If they match the client extracts the code and exchanges it for the access token via a post request to the authorization server token endpoint.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">code</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nx">code</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">axios</span><span class="p">({</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">post</span><span class="dl">'</span><span class="p">,</span> <span class="na">url</span><span class="p">:</span> <span class="nx">authProvider</span><span class="p">.</span><span class="nx">tokenEndpoint</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/x-www-form-urlencoded</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Authorization</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Basic </span><span class="dl">'</span> <span class="o">+</span> <span class="nx">stringToBase64</span><span class="p">(</span><span class="nx">client</span><span class="p">.</span><span class="nx">client_id</span><span class="p">,</span> <span class="nx">client</span><span class="p">.</span><span class="nx">client_secret</span><span class="p">)</span> <span class="p">},</span> <span class="na">data</span><span class="p">:</span> <span class="nx">querystring</span><span class="p">.</span><span class="nx">stringify</span><span class="p">({</span> <span class="nx">code</span><span class="p">,</span> <span class="na">grant_type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">authorization_code</span><span class="dl">"</span><span class="p">,</span> <span class="na">redirect_uri</span><span class="p">:</span> <span class="nx">client</span><span class="p">.</span><span class="nx">redirect_uri</span> <span class="p">})</span> <span class="p">})</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">data</span><span class="p">)</span> <span class="nx">access_token</span> <span class="o">=</span> <span class="nx">response</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">access_token</span> </code></pre> </div> <p>We've used http basic to authenticate the client; the client_id as the username and client_secret as the password encoded in Base64.<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--MK09G_Z3--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.datocms-assets.com/30168/1602607969-rszpresentation7-5.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--MK09G_Z3--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.datocms-assets.com/30168/1602607969-rszpresentation7-5.png" alt=""></a></p> <h3> Step 4: Accessing user's resources </h3> <p>At this point you have the access_token. You can then use the access token to access the user's resources using the resource server API endpoints.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">fetch_lists</span> <span class="o">=</span> <span class="k">async</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">axiosInstance</span> <span class="o">=</span> <span class="nx">axios</span><span class="p">.</span><span class="nx">create</span> <span class="p">({</span> <span class="na">baseURL</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">https://api.spotify.com/v1/me/top/</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Authorization</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Bearer </span><span class="dl">'</span> <span class="o">+</span> <span class="nx">access_token</span> <span class="p">}</span> <span class="p">})</span> <span class="k">try</span><span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">response1</span><span class="p">,</span> <span class="nx">response2</span><span class="p">]</span> <span class="o">=</span> <span class="k">await</span> <span class="nb">Promise</span><span class="p">.</span><span class="nx">all</span><span class="p">([</span> <span class="nx">axiosInstance</span><span class="p">.</span><span class="kd">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">tracks</span><span class="dl">'</span><span class="p">),</span> <span class="nx">axiosInstance</span><span class="p">.</span><span class="kd">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">artists</span><span class="dl">'</span><span class="p">),</span> <span class="p">])</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">response1</span><span class="p">)</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">error</span><span class="p">.</span><span class="nx">response</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">message</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">fetch_lists</span><span class="p">()</span> </code></pre> </div> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--nf1lDgZi--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.datocms-assets.com/30168/1602607973-rszpresentation7-6.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--nf1lDgZi--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.datocms-assets.com/30168/1602607973-rszpresentation7-6.png" alt=""></a></p> <h3> Conclusion </h3> <p>That's the gist of OAuth 2.0, You can check out the source code on <a href="https://github.com/Kenwanjohi/spotylister">Github</a>.<br> You can check out the original post on my <a href="https://wanjohi.vercel.app/posts/a-valet-key-oauth-2-0-delegated-authorization-in-node-js">blog</a>.</p> <h4> Related resources </h4> <ul> <li><a href="https://tools.ietf.org/html/rfc6749">OAuth 2.0 RFC 6749</a></li> <li><a href="https://oauth.net/articles/authentication/">User Authentication with OAuth 2.0</a></li> </ul> node oauth webdev