DEV Community: Paradane The latest articles on DEV Community by Paradane (@paradane). https://dev.to/paradane https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3984433%2Feb8bd608-90e9-453b-83e0-89f647eae6c8.png DEV Community: Paradane https://dev.to/paradane en Building a Production-Ready API in Node.js: A Complete Walkthrough Paradane Mon, 15 Jun 2026 15:08:28 +0000 https://dev.to/paradane/building-a-production-ready-api-in-nodejs-a-complete-walkthrough-2k1m https://dev.to/paradane/building-a-production-ready-api-in-nodejs-a-complete-walkthrough-2k1m <p>Most Node.js API tutorials stop at "and then you <code>res.json()</code> the data." But a production API needs rate limiting, proper error handling, structured logging, input validation, authentication, and a deployment strategy that won't fall over at 2 AM. At Paradane, we've built dozens of production APIs for clients — from e-commerce backends to SaaS platforms — and we've settled on a stack and patterns that work reliably.</p> <p>This walkthrough covers building a production-ready REST API from scratch using Express, PostgreSQL, and a handful of battle-tested libraries. No magic frameworks — just the pieces you actually need.</p> <h2> The Stack </h2> <ul> <li> <strong>Runtime:</strong> Node.js 20 LTS</li> <li> <strong>Framework:</strong> Express 4 (still the most stable and well-understood)</li> <li> <strong>Database:</strong> PostgreSQL with <code>pg</code> (native driver, no ORM overhead)</li> <li> <strong>Validation:</strong> Zod (parse, don't validate)</li> <li> <strong>Auth:</strong> JWT with <code>jsonwebtoken</code> + bcrypt</li> <li> <strong>Rate limiting:</strong> <code>express-rate-limit</code> </li> <li> <strong>Logging:</strong> <code>pino</code> (fastest Node.js logger)</li> <li> <strong>Testing:</strong> Vitest + Supertest</li> <li> <strong>Deployment:</strong> Docker + docker-compose</li> </ul> <h2> Project Structure </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>api/ ├── src/ │ ├── index.js # Entry point, server startup │ ├── app.js # Express app setup, middleware │ ├── config/ │ │ └── env.js # Environment variable validation │ ├── middleware/ │ │ ├── auth.js # JWT verification │ │ ├── errorHandler.js │ │ ├── rateLimiter.js │ │ └── validate.js # Zod validation middleware │ ├── routes/ │ │ ├── auth.js │ │ └── users.js │ ├── services/ │ │ └── userService.js │ ├── db/ │ │ ├── pool.js # pg Pool singleton │ │ └── migrations/ │ └── utils/ │ └── logger.js ├── tests/ ├── docker-compose.yml ├── Dockerfile └── package.json </code></pre> </div> <h2> Step 1: Environment Config That Won't Bite You </h2> <p>Never trust <code>process.env</code> directly. Validate it at startup so you catch missing variables before they cause cryptic runtime errors:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// src/config/env.js</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">z</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">zod</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">envSchema</span> <span class="o">=</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">PORT</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nx">coerce</span><span class="p">.</span><span class="nf">number</span><span class="p">().</span><span class="k">default</span><span class="p">(</span><span class="mi">3000</span><span class="p">),</span> <span class="na">DATABASE_URL</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">url</span><span class="p">(),</span> <span class="na">JWT_SECRET</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">min</span><span class="p">(</span><span class="mi">32</span><span class="p">),</span> <span class="na">NODE_ENV</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">enum</span><span class="p">([</span><span class="dl">'</span><span class="s1">development</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">production</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">test</span><span class="dl">'</span><span class="p">]).</span><span class="k">default</span><span class="p">(</span><span class="dl">'</span><span class="s1">development</span><span class="dl">'</span><span class="p">),</span> <span class="na">RATE_LIMIT_WINDOW_MS</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nx">coerce</span><span class="p">.</span><span class="nf">number</span><span class="p">().</span><span class="k">default</span><span class="p">(</span><span class="mi">900000</span><span class="p">),</span> <span class="na">RATE_LIMIT_MAX</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nx">coerce</span><span class="p">.</span><span class="nf">number</span><span class="p">().</span><span class="k">default</span><span class="p">(</span><span class="mi">100</span><span class="p">),</span> <span class="p">});</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">env</span> <span class="o">=</span> <span class="nx">envSchema</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">);</span> </code></pre> </div> <p>If <code>DATABASE_URL</code> is missing or <code>JWT_SECRET</code> is too short, the app crashes immediately with a clear Zod error — not three hours later when someone tries to log in.</p> <h2> Step 2: Database Pool (Keep It Simple) </h2> <p>A single <code>pg.Pool</code> instance, exported once and imported everywhere:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// src/db/pool.js</span> <span class="k">import</span> <span class="nx">pg</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">pg</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">env</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../config/env.js</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">pool</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">pg</span><span class="p">.</span><span class="nc">Pool</span><span class="p">({</span> <span class="na">connectionString</span><span class="p">:</span> <span class="nx">env</span><span class="p">.</span><span class="nx">DATABASE_URL</span><span class="p">,</span> <span class="na">max</span><span class="p">:</span> <span class="mi">20</span><span class="p">,</span> <span class="na">idleTimeoutMillis</span><span class="p">:</span> <span class="mi">30000</span><span class="p">,</span> <span class="na">connectionTimeoutMillis</span><span class="p">:</span> <span class="mi">2000</span><span class="p">,</span> <span class="p">});</span> <span class="nx">pool</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">error</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Unexpected pool error:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">err</span><span class="p">);</span> <span class="p">});</span> <span class="k">export</span> <span class="k">default</span> <span class="nx">pool</span><span class="p">;</span> </code></pre> </div> <p>No ORM. Raw SQL with parameterized queries. You get full control over query performance, and you never fight an ORM's opinion about how joins should work.</p> <h2> Step 3: Structured Logging with Pino </h2> <p><code>console.log</code> is fine for debugging. It's not fine for production. Pino gives you structured JSON logs that are fast and machine-parseable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// src/utils/logger.js</span> <span class="k">import</span> <span class="nx">pino</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">pino</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">env</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../config/env.js</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">logger</span> <span class="o">=</span> <span class="nf">pino</span><span class="p">({</span> <span class="na">level</span><span class="p">:</span> <span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">production</span><span class="dl">'</span> <span class="p">?</span> <span class="dl">'</span><span class="s1">info</span><span class="dl">'</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">debug</span><span class="dl">'</span><span class="p">,</span> <span class="na">transport</span><span class="p">:</span> <span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">development</span><span class="dl">'</span> <span class="p">?</span> <span class="p">{</span> <span class="na">target</span><span class="p">:</span> <span class="dl">'</span><span class="s1">pino-pretty</span><span class="dl">'</span><span class="p">,</span> <span class="na">options</span><span class="p">:</span> <span class="p">{</span> <span class="na">colorize</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="p">:</span> <span class="kc">undefined</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>In production, logs go to stdout as JSON. Your log aggregator (CloudWatch, Datadog, Loki) picks them up. In development, <code>pino-pretty</code> makes them readable.</p> <h2> Step 4: Validation Middleware </h2> <p>Zod schemas at the route level. Every incoming request body, query, and param gets validated before it touches business logic:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// src/middleware/validate.js</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ZodError</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">zod</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">validate</span><span class="p">(</span><span class="nx">schema</span><span class="p">)</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="nx">req</span><span class="p">.</span><span class="nx">validated</span> <span class="o">=</span> <span class="nx">schema</span><span class="p">.</span><span class="nf">parse</span><span class="p">({</span> <span class="na">body</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">,</span> <span class="na">query</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">,</span> <span class="na">params</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">,</span> <span class="p">});</span> <span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span> <span class="k">instanceof</span> <span class="nx">ZodError</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Validation failed</span><span class="dl">'</span><span class="p">,</span> <span class="na">details</span><span class="p">:</span> <span class="nx">err</span><span class="p">.</span><span class="nx">errors</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">e</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">path</span><span class="p">:</span> <span class="nx">e</span><span class="p">.</span><span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="s1">.</span><span class="dl">'</span><span class="p">),</span> <span class="na">message</span><span class="p">:</span> <span class="nx">e</span><span class="p">.</span><span class="nx">message</span><span class="p">,</span> <span class="p">})),</span> <span class="p">});</span> <span class="p">}</span> <span class="nf">next</span><span class="p">(</span><span class="nx">err</span><span class="p">);</span> <span class="p">}</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>Usage in a route:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">z</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">zod</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">validate</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../middleware/validate.js</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">createUserSchema</span> <span class="o">=</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">body</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">email</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">email</span><span class="p">(),</span> <span class="na">password</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">min</span><span class="p">(</span><span class="mi">8</span><span class="p">),</span> <span class="na">name</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">min</span><span class="p">(</span><span class="mi">1</span><span class="p">).</span><span class="nf">max</span><span class="p">(</span><span class="mi">100</span><span class="p">),</span> <span class="p">}),</span> <span class="p">});</span> <span class="nx">router</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users</span><span class="dl">'</span><span class="p">,</span> <span class="nf">validate</span><span class="p">(</span><span class="nx">createUserSchema</span><span class="p">),</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">,</span> <span class="nx">name</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">validated</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="c1">// ... business logic</span> <span class="p">});</span> </code></pre> </div> <h2> Step 5: Rate Limiting </h2> <p><code>express-rate-limit</code> is simple and effective. Configure it globally, then tighten it for auth routes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// src/middleware/rateLimiter.js</span> <span class="k">import</span> <span class="nx">rateLimit</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">express-rate-limit</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">env</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../config/env.js</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">globalLimiter</span> <span class="o">=</span> <span class="nf">rateLimit</span><span class="p">({</span> <span class="na">windowMs</span><span class="p">:</span> <span class="nx">env</span><span class="p">.</span><span class="nx">RATE_LIMIT_WINDOW_MS</span><span class="p">,</span> <span class="na">max</span><span class="p">:</span> <span class="nx">env</span><span class="p">.</span><span class="nx">RATE_LIMIT_MAX</span><span class="p">,</span> <span class="na">standardHeaders</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">legacyHeaders</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Too many requests, please try again later.</span><span class="dl">'</span> <span class="p">},</span> <span class="p">});</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">authLimiter</span> <span class="o">=</span> <span class="nf">rateLimit</span><span class="p">({</span> <span class="na">windowMs</span><span class="p">:</span> <span class="mi">15</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="c1">// 15 minutes</span> <span class="na">max</span><span class="p">:</span> <span class="mi">10</span><span class="p">,</span> <span class="c1">// 10 attempts per window</span> <span class="na">message</span><span class="p">:</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Too many login attempts, please try again later.</span><span class="dl">'</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <h2> Step 6: Authentication </h2> <p>JWT with access tokens (short-lived) and refresh tokens (long-lived, stored in DB):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// src/middleware/auth.js</span> <span class="k">import</span> <span class="nx">jwt</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">jsonwebtoken</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">env</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../config/env.js</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">authenticate</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">header</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nx">authorization</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">header</span><span class="p">?.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">'</span><span class="s1">Bearer </span><span class="dl">'</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Missing or malformed token</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">header</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="mi">7</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">env</span><span class="p">.</span><span class="nx">JWT_SECRET</span><span class="p">);</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span> <span class="o">=</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">sub</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">role</span> <span class="p">};</span> <span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span><span class="p">.</span><span class="nx">name</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">TokenExpiredError</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Token expired</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid token</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Password hashing with bcrypt (cost factor 12 — balances security and speed):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">bcrypt</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">bcrypt</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">SALT_ROUNDS</span> <span class="o">=</span> <span class="mi">12</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">hashPassword</span><span class="p">(</span><span class="nx">plain</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">hash</span><span class="p">(</span><span class="nx">plain</span><span class="p">,</span> <span class="nx">SALT_ROUNDS</span><span class="p">);</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">verifyPassword</span><span class="p">(</span><span class="nx">plain</span><span class="p">,</span> <span class="nx">hash</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">compare</span><span class="p">(</span><span class="nx">plain</span><span class="p">,</span> <span class="nx">hash</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> Step 7: Centralized Error Handling </h2> <p>Express's default error handling is barebones. A custom error handler gives you consistent error shapes and proper logging:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// src/middleware/errorHandler.js</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">logger</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../utils/logger.js</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">errorHandler</span><span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">_next</span><span class="p">)</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">({</span> <span class="nx">err</span><span class="p">,</span> <span class="na">reqId</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">path</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">path</span> <span class="p">},</span> <span class="dl">'</span><span class="s1">Unhandled error</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span><span class="p">.</span><span class="nx">status</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="nx">err</span><span class="p">.</span><span class="nx">status</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Don't leak stack traces in production</span> <span class="kd">const</span> <span class="nx">message</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">production</span><span class="dl">'</span> <span class="p">?</span> <span class="dl">'</span><span class="s1">Internal server error</span><span class="dl">'</span> <span class="p">:</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="nx">message</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>Create a custom error class for business logic errors:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">export</span> <span class="kd">class</span> <span class="nc">AppError</span> <span class="kd">extends</span> <span class="nc">Error</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">message</span><span class="p">,</span> <span class="nx">status</span> <span class="o">=</span> <span class="mi">400</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">message</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">status</span> <span class="o">=</span> <span class="nx">status</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Now your services can <code>throw new AppError('User not found', 404)</code> and the error handler formats it correctly.</p> <h2> Step 8: Putting It All Together — app.js </h2> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// src/app.js</span> <span class="k">import</span> <span class="nx">express</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">globalLimiter</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./middleware/rateLimiter.js</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">errorHandler</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./middleware/errorHandler.js</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">logger</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./utils/logger.js</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">authRoutes</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./routes/auth.js</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">userRoutes</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./routes/users.js</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">createApp</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="c1">// Trust proxy if behind nginx/load balancer (needed for rate limiter IP detection)</span> <span class="nx">app</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">trust proxy</span><span class="dl">'</span><span class="p">,</span> <span class="mi">1</span><span class="p">);</span> <span class="c1">// Body parsing</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">limit</span><span class="p">:</span> <span class="dl">'</span><span class="s1">1mb</span><span class="dl">'</span> <span class="p">}));</span> <span class="c1">// Request ID for log correlation</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">req</span><span class="p">.</span><span class="nx">id</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">randomUUID</span><span class="p">();</span> <span class="nx">res</span><span class="p">.</span><span class="nf">setHeader</span><span class="p">(</span><span class="dl">'</span><span class="s1">X-Request-Id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> <span class="nf">next</span><span class="p">();</span> <span class="p">});</span> <span class="c1">// Request logging</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">start</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">();</span> <span class="nx">res</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">finish</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">({</span> <span class="na">method</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">method</span><span class="p">,</span> <span class="na">path</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">path</span><span class="p">,</span> <span class="na">status</span><span class="p">:</span> <span class="nx">res</span><span class="p">.</span><span class="nx">statusCode</span><span class="p">,</span> <span class="na">duration</span><span class="p">:</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">-</span> <span class="nx">start</span><span class="p">,</span> <span class="na">reqId</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="p">},</span> <span class="dl">'</span><span class="s1">request completed</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="nf">next</span><span class="p">();</span> <span class="p">});</span> <span class="c1">// Global rate limiter</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">globalLimiter</span><span class="p">);</span> <span class="c1">// Health check (no auth required)</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/health</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">_req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ok</span><span class="dl">'</span><span class="p">,</span> <span class="na">timestamp</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">()</span> <span class="p">});</span> <span class="p">});</span> <span class="c1">// Routes</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/auth</span><span class="dl">'</span><span class="p">,</span> <span class="nx">authRoutes</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users</span><span class="dl">'</span><span class="p">,</span> <span class="nx">userRoutes</span><span class="p">);</span> <span class="c1">// 404 handler</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">((</span><span class="nx">_req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">404</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Not found</span><span class="dl">'</span> <span class="p">});</span> <span class="p">});</span> <span class="c1">// Error handler (must be last)</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">errorHandler</span><span class="p">);</span> <span class="k">return</span> <span class="nx">app</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h2> Step 9: Graceful Shutdown </h2> <p>A production server needs to handle SIGTERM gracefully — finish in-flight requests, close the database pool, then exit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// src/index.js</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createApp</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./app.js</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">env</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./config/env.js</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">pool</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./db/pool.js</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">logger</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./utils/logger.js</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">createApp</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="nx">env</span><span class="p">.</span><span class="nx">PORT</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">({</span> <span class="na">port</span><span class="p">:</span> <span class="nx">env</span><span class="p">.</span><span class="nx">PORT</span> <span class="p">},</span> <span class="dl">'</span><span class="s1">server started</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">shutdown</span><span class="p">(</span><span class="nx">signal</span><span class="p">)</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">({</span> <span class="nx">signal</span> <span class="p">},</span> <span class="dl">'</span><span class="s1">shutdown initiated</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Stop accepting new connections</span> <span class="nx">server</span><span class="p">.</span><span class="nf">close</span><span class="p">();</span> <span class="c1">// Close database pool</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">pool</span><span class="p">.</span><span class="nf">end</span><span class="p">();</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="dl">'</span><span class="s1">database pool closed</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">({</span> <span class="nx">err</span> <span class="p">},</span> <span class="dl">'</span><span class="s1">error closing database pool</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="nx">process</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="p">}</span> <span class="nx">process</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">SIGTERM</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">shutdown</span><span class="p">(</span><span class="dl">'</span><span class="s1">SIGTERM</span><span class="dl">'</span><span class="p">));</span> <span class="nx">process</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">SIGINT</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">shutdown</span><span class="p">(</span><span class="dl">'</span><span class="s1">SIGINT</span><span class="dl">'</span><span class="p">));</span> </code></pre> </div> <h2> Step 10: Docker Deployment </h2> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Dockerfile</span> <span class="k">FROM</span><span class="s"> node:20-alpine</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> package*.json ./</span> <span class="k">RUN </span>npm ci <span class="nt">--only</span><span class="o">=</span>production <span class="k">COPY</span><span class="s"> src/ ./src/</span> <span class="k">USER</span><span class="s"> node</span> <span class="k">EXPOSE</span><span class="s"> 3000</span> <span class="k">CMD</span><span class="s"> ["node", "src/index.js"]</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># docker-compose.yml</span> <span class="na">services</span><span class="pi">:</span> <span class="na">api</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="s">.</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">3000:3000"</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">DATABASE_URL=postgresql://user:pass@db:5432/mydb</span> <span class="pi">-</span> <span class="s">JWT_SECRET=${JWT_SECRET}</span> <span class="pi">-</span> <span class="s">NODE_ENV=production</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="na">db</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">db</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">postgres:16-alpine</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">POSTGRES_USER=user</span> <span class="pi">-</span> <span class="s">POSTGRES_PASSWORD=pass</span> <span class="pi">-</span> <span class="s">POSTGRES_DB=mydb</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">pgdata:/var/lib/postgresql/data</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD-SHELL"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">pg_isready</span><span class="nv"> </span><span class="s">-U</span><span class="nv"> </span><span class="s">user</span><span class="nv"> </span><span class="s">-d</span><span class="nv"> </span><span class="s">mydb"</span><span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">5</span> <span class="na">volumes</span><span class="pi">:</span> <span class="na">pgdata</span><span class="pi">:</span> </code></pre> </div> <h2> What We Skipped (And Why) </h2> <ul> <li> <strong>ORM (Prisma, Sequelize, TypeORM):</strong> They're great for rapid prototyping, but for production APIs with complex queries, raw SQL gives you more control and better performance. We use migration tools (like <code>node-pg-migrate</code>) instead of ORM-managed schemas.</li> <li> <strong>GraphQL:</strong> Powerful, but adds complexity. REST with good documentation (OpenAPI/Swagger) serves most use cases. We reach for GraphQL when clients need flexible querying across multiple related resources.</li> <li> <strong>TypeScript:</strong> We use it on most projects, but kept this walkthrough in plain JS for clarity. The patterns translate directly — add types to your Zod schemas and service functions.</li> <li> <strong>Redis for rate limiting:</strong> <code>express-rate-limit</code> with in-memory storage works for single-instance deployments. Add Redis when you scale horizontally.</li> </ul> <h2> Testing (Don't Skip This) </h2> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// tests/users.test.js</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">describe</span><span class="p">,</span> <span class="nx">it</span><span class="p">,</span> <span class="nx">expect</span><span class="p">,</span> <span class="nx">beforeAll</span><span class="p">,</span> <span class="nx">afterAll</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">vitest</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">request</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">supertest</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createApp</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../src/app.js</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">createApp</span><span class="p">();</span> <span class="nf">describe</span><span class="p">(</span><span class="dl">'</span><span class="s1">GET /health</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">it</span><span class="p">(</span><span class="dl">'</span><span class="s1">returns 200 with status ok</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">request</span><span class="p">(</span><span class="nx">app</span><span class="p">).</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/health</span><span class="dl">'</span><span class="p">);</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">res</span><span class="p">.</span><span class="nx">status</span><span class="p">).</span><span class="nf">toBe</span><span class="p">(</span><span class="mi">200</span><span class="p">);</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">res</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">status</span><span class="p">).</span><span class="nf">toBe</span><span class="p">(</span><span class="dl">'</span><span class="s1">ok</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <h2> The Checklist Before You Ship </h2> <ul> <li>[ ] Environment variables validated at startup (Zod schema)</li> <li>[ ] Rate limiting on all routes, tighter on auth</li> <li>[ ] All inputs validated (Zod middleware)</li> <li>[ ] Structured logging (Pino, JSON in production)</li> <li>[ ] Centralized error handler (no stack traces in production)</li> <li>[ ] Authentication with short-lived access tokens</li> <li>[ ] Passwords hashed with bcrypt (cost ≥ 12)</li> <li>[ ] Health check endpoint (no auth)</li> <li>[ ] Graceful shutdown (SIGTERM handling)</li> <li>[ ] Database pool with connection limits and error handling</li> <li>[ ] Request IDs for log correlation</li> <li>[ ] Docker deployment with health checks</li> </ul> <h2> The Bottom Line </h2> <p>A production API isn't about the framework — it's about the layers around your business logic. Validation, rate limiting, logging, error handling, and graceful shutdown are what keep your API running at 2 AM when you're asleep. The patterns above have served us well across dozens of client projects, from small e-commerce backends to multi-tenant SaaS platforms.</p> <p><em>At <a href="https://paradane.com" rel="noopener noreferrer">Paradane</a>, we build production APIs for businesses — REST, GraphQL, and real-time. If you're planning an API project or need help hardening an existing one, we'd be happy to talk.</em></p> webdev node api softwaredevelopment React Server Components in Production: What We Learned After Migrating a Client Dashboard Paradane Mon, 15 Jun 2026 15:07:44 +0000 https://dev.to/paradane/react-server-components-in-production-what-we-learned-after-migrating-a-client-dashboard-2e0g https://dev.to/paradane/react-server-components-in-production-what-we-learned-after-migrating-a-client-dashboard-2e0g <p>When React Server Components (RSC) shipped with Next.js 14, the promise was compelling: ship less JavaScript to the browser, render more on the server, and get better performance for free. But moving a real production dashboard from the old Pages Router to the App Router with RSC wasn't free — it was a migration that taught us a lot about what the docs don't tell you.</p> <p>At Paradane, we recently migrated a client's analytics dashboard — a data-heavy application with real-time charts, filtering, and multi-tenant data isolation — from Next.js 12 (Pages Router) to Next.js 14 with the App Router and React Server Components. Here's what we learned.</p> <h2> The Starting Point </h2> <p>The dashboard had about 15 pages, each pulling data from a PostgreSQL database through tRPC procedures. Every page was a client component by default — <code>useEffect</code> for data fetching, client-side state for filters, and heavy chart libraries (Recharts, D3) rendering entirely in the browser. Page loads were 3-4 seconds on a good connection, and the JavaScript bundle was pushing 400KB gzipped.</p> <h2> What We Expected </h2> <ul> <li>Faster initial page loads because data fetching happens on the server</li> <li>Smaller client bundles because components that don't need interactivity stay on the server</li> <li>Better SEO for the few public-facing report pages</li> </ul> <h2> What Actually Happened </h2> <h3> 1. The Server/Client Boundary Is the Hardest Part </h3> <p>The docs make it sound simple: add <code>"use client"</code> at the top of files that need interactivity. In practice, the boundary is where most bugs live. A server component imports a client component that imports a server component — and suddenly you have a hydration mismatch because the server rendered something the client can't reconcile.</p> <p><strong>What worked:</strong> We adopted a strict pattern — server components fetch data and pass it as props to client components. Client components never fetch data directly. This single rule eliminated 80% of our hydration issues.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// Server Component — fetches data, renders nothing interactive</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">db</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@/lib/db</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">DashboardClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./dashboard-client</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">DashboardPage</span><span class="p">({</span> <span class="nx">params</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">params</span><span class="p">:</span> <span class="p">{</span> <span class="na">tenantId</span><span class="p">:</span> <span class="kr">string</span> <span class="p">}</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">metrics</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nx">metrics</span><span class="p">.</span><span class="nf">findMany</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">tenantId</span><span class="p">:</span> <span class="nx">params</span><span class="p">.</span><span class="nx">tenantId</span> <span class="p">},</span> <span class="p">});</span> <span class="k">return</span> <span class="p">&lt;</span><span class="nc">DashboardClient</span> <span class="na">metrics</span><span class="p">=</span><span class="si">{</span><span class="nx">metrics</span><span class="si">}</span> <span class="p">/&gt;;</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// Client Component — receives data, handles interactivity</span> <span class="dl">'</span><span class="s1">use client</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useState</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Chart</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./chart</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">DashboardClient</span><span class="p">({</span> <span class="nx">metrics</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">metrics</span><span class="p">:</span> <span class="nx">Metric</span><span class="p">[]</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">filter</span><span class="p">,</span> <span class="nx">setFilter</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="dl">'</span><span class="s1">7d</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">filtered</span> <span class="o">=</span> <span class="nx">metrics</span><span class="p">.</span><span class="nf">filter</span><span class="p">(</span><span class="nx">m</span> <span class="o">=&gt;</span> <span class="nx">m</span><span class="p">.</span><span class="nx">period</span> <span class="o">===</span> <span class="nx">filter</span><span class="p">);</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">FilterBar</span> <span class="na">value</span><span class="p">=</span><span class="si">{</span><span class="nx">filter</span><span class="si">}</span> <span class="na">onChange</span><span class="p">=</span><span class="si">{</span><span class="nx">setFilter</span><span class="si">}</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nc">Chart</span> <span class="na">data</span><span class="p">=</span><span class="si">{</span><span class="nx">filtered</span><span class="si">}</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> 2. Chart Libraries Are Still a Problem </h3> <p>Recharts and D3 need the DOM. You can't render charts on the server (well, you can, but they won't be interactive). Our solution: wrap every chart in a client component with <code>dynamic(() =&gt; import(...), { ssr: false })</code>. This adds a loading skeleton while the chart bundle loads, but the tradeoff is worth it — no hydration mismatches, and the rest of the page renders instantly on the server.</p> <h3> 3. Data Fetching Got Simpler (Eventually) </h3> <p>Moving from tRPC to direct server-side database calls was the biggest win. No more API route boilerplate, no more client-side loading states for data that could have been fetched at request time. But we had to restructure our data access layer — tRPC procedures that assumed a client context (like session cookies) needed to be rewritten as server-side functions that accept the session directly.</p> <h3> 4. Bundle Size Dropped, But Not as Much as Expected </h3> <p>We went from ~400KB gzipped to ~280KB. Good, but not the 50% reduction some blog posts promised. Why? Because interactive components (charts, filters, forms) still ship their code to the client. RSC helps most with content-heavy pages — dashboards with heavy interactivity see smaller gains.</p> <h3> 5. Streaming Is the Real Performance Win </h3> <p>React Suspense with streaming changed the perceived performance dramatically. Instead of waiting for all data before showing anything, we could stream the page shell immediately and fill in data as it arrived:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">DashboardPage</span><span class="p">({</span> <span class="nx">params</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">params</span><span class="p">:</span> <span class="p">{</span> <span class="na">tenantId</span><span class="p">:</span> <span class="kr">string</span> <span class="p">}</span> <span class="p">})</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nc">DashboardShell</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Suspense</span> <span class="na">fallback</span><span class="p">=</span><span class="si">{</span><span class="p">&lt;</span><span class="nc">MetricsSkeleton</span> <span class="p">/&gt;</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">MetricsSection</span> <span class="na">tenantId</span><span class="p">=</span><span class="si">{</span><span class="nx">params</span><span class="p">.</span><span class="nx">tenantId</span><span class="si">}</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">Suspense</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Suspense</span> <span class="na">fallback</span><span class="p">=</span><span class="si">{</span><span class="p">&lt;</span><span class="nc">ChartSkeleton</span> <span class="p">/&gt;</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">ChartsSection</span> <span class="na">tenantId</span><span class="p">=</span><span class="si">{</span><span class="nx">params</span><span class="p">.</span><span class="nx">tenantId</span><span class="si">}</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">Suspense</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nc">DashboardShell</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Users saw the dashboard shell in under 500ms, with data populating progressively. Time-to-interactive dropped from 3.2s to 1.1s.</p> <h2> The Numbers </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Before (Pages Router)</th> <th>After (App Router + RSC)</th> </tr> </thead> <tbody> <tr> <td>First Contentful Paint</td> <td>2.1s</td> <td>0.4s</td> </tr> <tr> <td>Time to Interactive</td> <td>3.2s</td> <td>1.1s</td> </tr> <tr> <td>JS Bundle (gzipped)</td> <td>398KB</td> <td>281KB</td> </tr> <tr> <td>Lighthouse Performance</td> <td>62</td> <td>91</td> </tr> <tr> <td>Build time</td> <td>45s</td> <td>68s</td> </tr> </tbody> </table></div> <p>Build time increased — server components mean more work at build time. Not a dealbreaker, but worth knowing.</p> <h2> What We'd Do Differently Next Time </h2> <ol> <li> <strong>Start with the data flow, not the component tree.</strong> Map out which data each component needs and whether it can be fetched server-side before writing any code.</li> <li> <strong>Use <code>dynamic(() =&gt; import(...), { ssr: false })</code> for ALL third-party interactive libraries.</strong> Don't try to make them work with SSR — it's not worth the debugging time.</li> <li> <strong>Embrace streaming early.</strong> Suspense boundaries aren't an afterthought — they're the architecture. Plan them before you write components.</li> <li> <strong>Keep the server/client boundary rule simple.</strong> Server components fetch and pass data. Client components receive data and handle interactivity. No exceptions until you have a very good reason.</li> </ol> <h2> The Bottom Line </h2> <p>React Server Components are a real improvement, not just hype. The performance gains are measurable, and the programming model — once you internalize the server/client boundary — is cleaner than the old <code>useEffect</code>-for-everything pattern. But the migration isn't free, and the learning curve is steeper than the docs suggest.</p> <p>If you're considering the move, start with a content-heavy page (blog, docs, marketing pages) where RSC shines brightest. Save the interactive dashboard migration for when you've built some intuition about the boundary.</p> <p><em>At <a href="https://paradane.com" rel="noopener noreferrer">Paradane</a>, we build and migrate web applications for businesses — from e-commerce platforms to SaaS dashboards. If you're planning a Next.js migration or building a new React application, we'd be happy to share what we've learned.</em></p> webdev react nextjs softwaredevelopment Debugging a Production Memory Leak: A Step-by-Step Walkthrough Paradane Mon, 15 Jun 2026 08:34:51 +0000 https://dev.to/paradane/debugging-a-production-memory-leak-a-step-by-step-walkthrough-42dn https://dev.to/paradane/debugging-a-production-memory-leak-a-step-by-step-walkthrough-42dn <h2> The 3 AM Alert </h2> <p>It started with a PagerDuty alert at 3 AM. Our client's Node.js API server had been restarted by the process manager — again. This was the third OOM (Out of Memory) kill this week, and the team was running out of patience.</p> <p>The application was an Express.js API handling about 2,000 requests per minute. Nothing crazy. But every 6-8 hours, memory usage would climb past the 512MB container limit, and Docker would unceremoniously kill the process.</p> <p>Here's exactly how we found the leak, fixed it, and what we learned along the way.</p> <h2> Step 1: Confirm It's Actually a Leak </h2> <p>First rule of memory debugging: make sure you're not just under-provisioned. A growing heap doesn't always mean a leak — it could be legitimate cache growth or increased traffic.</p> <p>We checked the metrics:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Container memory over 24 hours</span> docker stats <span class="nt">--no-stream</span> </code></pre> </div> <p>The pattern was unmistakable: steady, linear growth with no plateau. A healthy application's memory should level off after warm-up. Ours never did.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Quick and dirty heap size check we added to a health endpoint</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/health/debug</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">used</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nf">memoryUsage</span><span class="p">();</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">heapUsed</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nb">Math</span><span class="p">.</span><span class="nf">round</span><span class="p">(</span><span class="nx">used</span><span class="p">.</span><span class="nx">heapUsed</span> <span class="o">/</span> <span class="mi">1024</span> <span class="o">/</span> <span class="mi">1024</span><span class="p">)}</span><span class="s2"> MB`</span><span class="p">,</span> <span class="na">heapTotal</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nb">Math</span><span class="p">.</span><span class="nf">round</span><span class="p">(</span><span class="nx">used</span><span class="p">.</span><span class="nx">heapTotal</span> <span class="o">/</span> <span class="mi">1024</span> <span class="o">/</span> <span class="mi">1024</span><span class="p">)}</span><span class="s2"> MB`</span><span class="p">,</span> <span class="na">external</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nb">Math</span><span class="p">.</span><span class="nf">round</span><span class="p">(</span><span class="nx">used</span><span class="p">.</span><span class="nx">external</span> <span class="o">/</span> <span class="mi">1024</span> <span class="o">/</span> <span class="mi">1024</span><span class="p">)}</span><span class="s2"> MB`</span><span class="p">,</span> <span class="na">rss</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nb">Math</span><span class="p">.</span><span class="nf">round</span><span class="p">(</span><span class="nx">used</span><span class="p">.</span><span class="nx">rss</span> <span class="o">/</span> <span class="mi">1024</span> <span class="o">/</span> <span class="mi">1024</span><span class="p">)}</span><span class="s2"> MB`</span><span class="p">,</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p>Hitting this endpoint every 30 seconds confirmed: heap used was climbing ~5MB per hour with no signs of garbage collection bringing it back down.</p> <h2> Step 2: Take a Heap Snapshot </h2> <p>Node.js has built-in heap snapshot capabilities via the <code>v8</code> module and Chrome DevTools. We added a snapshot endpoint (behind auth, obviously — snapshots are expensive):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">v8</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">v8</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">fs</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">fs</span><span class="dl">'</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/admin/heap-snapshot</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">snapshot</span> <span class="o">=</span> <span class="nx">v8</span><span class="p">.</span><span class="nf">writeHeapSnapshot</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">filename</span> <span class="o">=</span> <span class="nx">snapshot</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">download</span><span class="p">(</span><span class="nx">filename</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>We took two snapshots 30 minutes apart, downloaded them, and loaded them into Chrome DevTools (Memory tab → Load).</p> <h2> Step 3: Compare Snapshots in Chrome DevTools </h2> <p>This is where the real debugging happens. In DevTools:</p> <ol> <li>Load the first snapshot</li> <li>Load the second snapshot</li> <li>Switch to "Comparison" view</li> <li>Sort by "Delta" (new objects) or "Size Delta"</li> </ol> <p>The comparison view shows exactly what objects were allocated between the two snapshots and — crucially — what was NOT garbage collected.</p> <p>Immediately, one thing jumped out: <strong><code>(closure)</code> objects</strong> were dominating the delta. Thousands of closures, each holding references to request-scoped data.</p> <h2> Step 4: Trace the Closures </h2> <p>We drilled into the closure objects and followed the retaining paths. The DevTools "Retainers" view shows what's keeping each object alive. For our closures, the chain looked like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>closure → context → array → EventEmitter._events → ... → global </code></pre> </div> <p>The <code>EventEmitter._events</code> was the smoking gun. Something was attaching event listeners that never got removed.</p> <p>We searched the codebase for <code>.on(</code> and <code>.addListener(</code> calls. Found the culprit in our request logging middleware:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// THE BUG: middleware that attached a listener but never cleaned up</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">requestId</span> <span class="o">=</span> <span class="nx">uuid</span><span class="p">.</span><span class="nf">v4</span><span class="p">();</span> <span class="c1">// This listener is attached per-request but never removed</span> <span class="nx">process</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">uncaughtException</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">({</span> <span class="nx">requestId</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span> <span class="p">});</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">finish</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">({</span> <span class="nx">requestId</span><span class="p">,</span> <span class="na">status</span><span class="p">:</span> <span class="nx">res</span><span class="p">.</span><span class="nx">statusCode</span> <span class="p">});</span> <span class="p">});</span> <span class="nf">next</span><span class="p">();</span> <span class="p">});</span> </code></pre> </div> <p>Every single request added a new <code>uncaughtException</code> listener to the global <code>process</code> object. Those listeners were closures capturing <code>requestId</code> and <code>logger</code>. After 100,000 requests, that's 100,000 listeners — each holding a closure with references that the GC couldn't touch because <code>process</code> is a global that never goes out of scope.</p> <h2> Step 5: The Fix </h2> <p>The fix was straightforward once we understood the problem:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// FIXED: use once() or manage listener lifecycle</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">requestId</span> <span class="o">=</span> <span class="nx">uuid</span><span class="p">.</span><span class="nf">v4</span><span class="p">();</span> <span class="c1">// Option A: Use process.once() if you genuinely need per-request handling</span> <span class="c1">// (but you probably don't — uncaughtException handlers should be global)</span> <span class="c1">// Option B: Move the handler to app startup, pass context differently</span> <span class="c1">// This is what we actually did:</span> <span class="nx">res</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">finish</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">({</span> <span class="nx">requestId</span><span class="p">,</span> <span class="na">status</span><span class="p">:</span> <span class="nx">res</span><span class="p">.</span><span class="nx">statusCode</span> <span class="p">});</span> <span class="p">});</span> <span class="nf">next</span><span class="p">();</span> <span class="p">});</span> <span class="c1">// Single global handler at startup — no per-request listeners</span> <span class="nx">process</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">uncaughtException</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span><span class="p">,</span> <span class="na">stack</span><span class="p">:</span> <span class="nx">err</span><span class="p">.</span><span class="nx">stack</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p>We also added a safeguard: a periodic check that warns if the listener count grows unexpectedly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nf">setInterval</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">listenerCount</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nf">listenerCount</span><span class="p">(</span><span class="dl">'</span><span class="s1">uncaughtException</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">listenerCount</span> <span class="o">&gt;</span> <span class="mi">5</span><span class="p">)</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">warn</span><span class="p">({</span> <span class="nx">listenerCount</span> <span class="p">},</span> <span class="dl">'</span><span class="s1">Possible listener leak detected</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">},</span> <span class="mi">60000</span><span class="p">);</span> </code></pre> </div> <h2> Step 6: Verify the Fix </h2> <p>After deploying, we watched the heap for 48 hours:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Before fix: ~80MB → ~480MB over 8 hours (OOM kill) After fix: ~80MB → ~120MB over 48 hours (stable, GC working) </code></pre> </div> <p>The heap stabilized around 120MB with normal GC sawtooth patterns. No more 3 AM alerts.</p> <h2> What We Learned </h2> <ol> <li><p><strong>Heap snapshots are your best friend.</strong> The comparison view in Chrome DevTools makes leaks obvious. Don't guess — take snapshots.</p></li> <li><p><strong>Event listeners on global objects are dangerous.</strong> <code>process</code>, <code>global</code>, and long-lived <code>EventEmitter</code> instances will keep your closures alive forever. Always clean up with <code>removeListener</code> or use <code>once()</code>.</p></li> <li><p><strong>Per-request resource allocation needs per-request cleanup.</strong> If you create something during a request, make sure it dies with the request. The <code>res.on('finish')</code> pattern is fine — <code>res</code> gets garbage collected. <code>process</code> does not.</p></li> <li><p><strong>Add listener count monitoring.</strong> A simple <code>process.listenerCount()</code> check in your health endpoint can catch leaks before they take down production.</p></li> </ol> <p>At <a href="https://paradane.com" rel="noopener noreferrer">Paradane</a>, we've debugged memory leaks across dozens of client applications — Node.js, Python, PHP, you name it. The pattern is almost always the same: something global holding references to things that should be ephemeral. If you're dealing with a production memory leak and need a second pair of eyes, our <a href="https://paradane.com/services/custom-software-development" rel="noopener noreferrer">custom software development team</a> has seen it all.</p> <h2> Tools We Use for Memory Profiling </h2> <ul> <li> <strong>Chrome DevTools</strong> (for Node.js heap snapshots) — free, built into Node</li> <li> <strong>clinic.js</strong> — excellent for spotting event loop delays and memory issues</li> <li> <strong>pm2</strong> with <code>--max-memory-restart</code> — buys you time while you debug</li> <li> <strong>Prometheus + Grafana</strong> — for long-term memory trend visualization</li> </ul> <p><em>Have you debugged a production memory leak? What tools worked for you? Drop your war stories in the comments.</em></p> node debugging performance javascript How We Reduced API Response Time by 80% for a Client — A Real-World Optimization Walkthrough Paradane Mon, 15 Jun 2026 05:02:45 +0000 https://dev.to/paradane/how-we-reduced-api-response-time-by-80-for-a-client-a-real-world-optimization-walkthrough-37b6 https://dev.to/paradane/how-we-reduced-api-response-time-by-80-for-a-client-a-real-world-optimization-walkthrough-37b6 <h2> The Problem: An API That Was Costing Real Money </h2> <p>A few months ago, a client came to us with a problem that was bleeding revenue. Their e-commerce platform's product search API was taking 2.3 seconds on average — and during peak traffic, it spiked to 4+ seconds. For an online store, every 100ms of delay costs conversions. At 2.3 seconds, they were losing customers before the page even loaded.</p> <p>The API served product listings with inventory, pricing, and availability across multiple warehouses. It was built on Node.js + Express with PostgreSQL, and it had grown organically over two years without much performance attention. The code worked — it just worked slowly.</p> <p>Here's exactly how we diagnosed the bottlenecks and brought response times down to under 400ms.</p> <h2> Step 1: Measure Before You Touch Anything </h2> <p>You can't optimize what you don't measure. We instrumented the API with OpenTelemetry tracing and added request-level timing logs. Within an hour of deploying instrumentation, the picture was clear:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>Avg Time</th> <th>% of Total</th> </tr> </thead> <tbody> <tr> <td>Database queries</td> <td>1,420ms</td> <td>62%</td> </tr> <tr> <td>External inventory API call</td> <td>480ms</td> <td>21%</td> </tr> <tr> <td>Response serialization</td> <td>210ms</td> <td>9%</td> </tr> <tr> <td>Auth/validation</td> <td>120ms</td> <td>5%</td> </tr> <tr> <td>Other</td> <td>70ms</td> <td>3%</td> </tr> </tbody> </table></div> <p>The database was the obvious villain. But the external inventory call was also a problem — it was synchronous and blocking.</p> <h2> Step 2: Fix the Database Queries </h2> <p>Digging into the PostgreSQL query logs, we found three issues:</p> <h3> N+1 Query Problem </h3> <p>The product listing endpoint was fetching products, then looping through each one to fetch its variants, then looping through variants to fetch inventory. Classic N+1. A page of 20 products was triggering 60+ queries.</p> <p><strong>Fix:</strong> We rewrote the data access layer to use JOINs and fetch everything in 2-3 queries:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Before: 1 product query + 20 variant queries + 40 inventory queries</span> <span class="c1">-- After: 3 queries total</span> <span class="k">SELECT</span> <span class="n">p</span><span class="p">.</span><span class="o">*</span><span class="p">,</span> <span class="n">json_agg</span><span class="p">(</span><span class="n">json_build_object</span><span class="p">(</span><span class="s1">'id'</span><span class="p">,</span> <span class="n">v</span><span class="p">.</span><span class="n">id</span><span class="p">,</span> <span class="s1">'sku'</span><span class="p">,</span> <span class="n">v</span><span class="p">.</span><span class="n">sku</span><span class="p">,</span> <span class="s1">'price'</span><span class="p">,</span> <span class="n">v</span><span class="p">.</span><span class="n">price</span><span class="p">))</span> <span class="k">as</span> <span class="n">variants</span> <span class="k">FROM</span> <span class="n">products</span> <span class="n">p</span> <span class="k">LEFT</span> <span class="k">JOIN</span> <span class="n">variants</span> <span class="n">v</span> <span class="k">ON</span> <span class="n">v</span><span class="p">.</span><span class="n">product_id</span> <span class="o">=</span> <span class="n">p</span><span class="p">.</span><span class="n">id</span> <span class="k">WHERE</span> <span class="n">p</span><span class="p">.</span><span class="n">category_id</span> <span class="o">=</span> <span class="err">$</span><span class="mi">1</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="n">p</span><span class="p">.</span><span class="n">id</span> <span class="k">LIMIT</span> <span class="mi">20</span><span class="p">;</span> </code></pre> </div> <h3> Missing Indexes </h3> <p>The <code>WHERE</code> clause was filtering on <code>category_id</code> and <code>is_active</code>, but neither column had an index. A sequential scan on 200K+ products was happening on every request.</p> <p><strong>Fix:</strong> Two composite indexes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_products_category_active</span> <span class="k">ON</span> <span class="n">products</span><span class="p">(</span><span class="n">category_id</span><span class="p">,</span> <span class="n">is_active</span><span class="p">)</span> <span class="k">WHERE</span> <span class="n">is_active</span> <span class="o">=</span> <span class="k">true</span><span class="p">;</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_variants_product</span> <span class="k">ON</span> <span class="n">variants</span><span class="p">(</span><span class="n">product_id</span><span class="p">);</span> </code></pre> </div> <h3> Unnecessary Data Fetching </h3> <p>The API was returning full product descriptions (sometimes 2KB+ of HTML) in the listing endpoint. Nobody reads descriptions in a search result.</p> <p><strong>Fix:</strong> We created a lightweight <code>product_summary</code> view that excluded heavy text fields and computed pre-aggregated values.</p> <p><strong>Result:</strong> Database time dropped from 1,420ms to ~180ms.</p> <h2> Step 3: Parallelize the External Call </h2> <p>The inventory availability check was calling a third-party warehouse API synchronously — the request sat idle waiting for a response that took 400-500ms.</p> <p><strong>Fix:</strong> We moved the inventory check to a background job using Redis-backed queues (BullMQ). The API now returns product listings immediately with a <code>inventory_status: 'pending'</code> flag. A separate WebSocket channel pushes real-time inventory updates to the frontend within 1-2 seconds.</p> <p>This was a UX tradeoff — the product appears instantly, and inventory data fills in a moment later. The client's users preferred this dramatically over waiting 2+ seconds for a complete response.</p> <p><strong>Result:</strong> The 480ms blocking call was eliminated from the critical path.</p> <h2> Step 4: Response Serialization </h2> <p>We found that <code>JSON.stringify()</code> on large response objects was taking 200ms+. The culprit: the API was serializing full product objects with nested relations, many of which the frontend never used.</p> <p><strong>Fix:</strong> We implemented a response shaping layer using DTOs (Data Transfer Objects) that only included fields the frontend actually consumed. We also added response compression (gzip at the Express level), which cut payload size by 70%.</p> <p><strong>Result:</strong> Serialization dropped to ~40ms.</p> <h2> Step 5: Add Caching (But Carefully) </h2> <p>With the database queries optimized, we added a Redis cache layer for product listings. The key insight: cache at the right granularity.</p> <p>We cached at the category + filter combination level with a 60-second TTL. This meant:</p> <ul> <li>First request: ~200ms (database)</li> <li>Subsequent requests within 60s: ~15ms (Redis)</li> <li>Cache invalidation on product update via database triggers → Redis pub/sub</li> </ul> <p>We deliberately kept the TTL short because inventory changes frequently. A longer TTL would have served stale data.</p> <h2> The Final Numbers </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Before</th> <th>After</th> <th>Improvement</th> </tr> </thead> <tbody> <tr> <td>Avg response time</td> <td>2,300ms</td> <td>380ms</td> <td>83.5%</td> </tr> <tr> <td>p95 response time</td> <td>4,100ms</td> <td>620ms</td> <td>84.9%</td> </tr> <tr> <td>p99 response time</td> <td>5,800ms</td> <td>890ms</td> <td>84.7%</td> </tr> <tr> <td>DB queries per request</td> <td>60+</td> <td>3</td> <td>95%</td> </tr> <tr> <td>Payload size</td> <td>48KB</td> <td>14KB</td> <td>71%</td> </tr> </tbody> </table></div> <p>The client saw an immediate 12% increase in product page conversions and a 9% drop in search abandonment. The infrastructure cost actually went <em>down</em> because fewer database CPU cycles were burned on inefficient queries.</p> <h2> What We Learned </h2> <ol> <li> <strong>Instrument first.</strong> You can't fix what you can't see. OpenTelemetry + query logging gave us the map.</li> <li> <strong>The database is usually the bottleneck.</strong> In our experience at <a href="https://paradane.com" rel="noopener noreferrer">Paradane</a>, 7 out of 10 slow APIs are slow because of database access patterns, not application code.</li> <li> <strong>N+1 queries are everywhere.</strong> ORMs make them easy to write and hard to spot. Always check your query logs.</li> <li> <strong>Synchronous external calls are API killers.</strong> If you're calling a third-party service in the request path, you're borrowing their latency.</li> <li> <strong>Cache with intent.</strong> Don't just slap Redis on everything. Think about TTL, invalidation, and what staleness means for your users.</li> </ol> <h2> Is Your API Slow? </h2> <p>If your API response times are creeping up, start with instrumentation. The fixes are usually simpler than you think — indexes, query consolidation, and removing blocking I/O solve most problems. And if you need help diagnosing or optimizing your stack, <a href="https://paradane.com/services/api-integration-services" rel="noopener noreferrer">we do this kind of work at Paradane</a> every day.</p> <p><em>Have you tackled a similar optimization? What was your biggest win? Drop a comment below.</em></p> webdev performance node postgres