A quickstart guide for Node.js & its cryptographic module

This article is made for engineers who want to dive into the core of Node.js fast and kick-start their full-stack JavaScript security career. Reading code (instead of trying to understand concepts through words alone) is usually the easiest way to learn a new language, so we will demonstrate several Node.js security features through code snippets.

Requirements for this guide:

  • Vanilla JavaScript (ES6)
  • Object-oriented programming
  • HTTP protocol
  • Basic understanding of cryptography

Introduction

  • Built on C++, Node.js allows developers to write server-side code in JavaScript, making full-stack JS development possible.
  • It is fast. Node.js is single-threaded but handles requests/responses concurrently through its event loop (compared to e.g. the serial request handling of PHP).
Why is node.js fast?

Choose nvm instead of apt to install node on your Linux machine.

user@ubuntu:~$ sudo apt get nodejs ❌
user@ubuntu:~$ nvm install node ✅
Downloading and installing node latest version
blah blah...
user@ubuntu:~$ node -v
v15.5.1

npm is to Node what apt is to Unix, Composer to PHP, and pip to Python.

user@ubuntu:~$ npm install some_module
user@ubuntu:~$ echo "
console.log('Hello medium!')" > hello.js
user@ubuntu:~$ node hello.js
Hello medium!

The node.js libraries are called modules. Modules can be installed with npm and be required in .js files.

user@ubuntu:~$ npm install some_module 
How to import a module

Other .js files can be required by a script too, as long as they are exported first.

Requires fileToBeRequired.js
Exports what can be required. E.g. privateInspiringVariable cannot be required because it is not exported.

Building a simple server in Node.js

Install the module called express with npm.

Simple server with Node.js

req stands for the (HTTP) request, res for the (HTTP) response. The Express module is great for handling incoming and outgoing server traffic.

Server that fetches URL parameters

Let's hit: http://127.0.0.1:3000/?var=value1&var2=value2

Fetched URL GET parameters with Express — Node.js

With Node.js, JS can access the operating system's environment variables:

user@ubuntu:~$ node
> console.log(process.platform)
linux
> console.log(process.env.SHELL)
/bin/bash
> console.log(process.env.PWD)
/home/user

File system

With Node.js, JS can operate on files:

Similarly for write and other operations.

Events

Much of the Node.js core API is built around an idiomatic asynchronous event-driven architecture in which certain kinds of objects (called “emitters”) emit named events that cause Function objects ("listeners") to be called. — Official docs

The .on() method registers the callback that runs when the named event (here, connection) occurs:

Simple Event

Handling errors is always wise

Throw an error event

DNS Resolver

Node can handle DNS requests too.

Simple DNS lookup

or even host a full DNS server

Crypto Module

Node.js offers a wide variety of native cryptographic implementations. No need for external libraries anymore.

SHA256 Node.js implementation — Bye bye MD5
The classic old Bob-Alice Tango

Now, it's the right moment for an introduction to Tom Waits.

Alice — By Tom Waits

Now, that is enough information. These examples should have given you a good understanding of the basics of how Node.js operates.

Once you master the basics, consider reading about the way Node handles the MVC pattern. A Google search for "routing and controllers of Express module" should be enough to give you an idea of how to structure a Node.js project, whether this is an API, a microservice, or a part of a full-stack app with a front-end library such as React.js.
