Express.js - Part 2

Deployment, Forms, & Databases

CSCI 4513

Week 14, Lecture 25

Today's Learning Objectives

🎯 Understand deployment and hosting providers
🎯 Deploy Express apps to PaaS providers
🎯 Handle and validate forms with express-validator
🎯 Prevent XSS and SQL injection attacks
🎯 Install and configure PostgreSQL
🎯 Use node-postgres to query databases
🎯 Build an Inventory Application

Norse Mythology Connection

The Dwarven Forges of Svartalfheim

Deep in Svartalfheim, master dwarven smiths craft legendary treasures, validate their quality, store them in secure vaults, and share them with the Nine Realms—just as we deploy applications, validate forms, store data in databases, and make our creations public.

The Tale:

In the dark realm of Svartalfheim dwell the dwarves, the greatest craftsmen in all of creation. Brothers Brokk and Sindri forge in their workshop, creating treasures of immense power—Mjölnir (Thor's hammer), Gungnir (Odin's spear), and Draupnir (Odin's self-replicating ring). But their work doesn't end at creation.

Each item must pass rigorous quality checks (validation). Mjölnir must be perfectly balanced, Gungnir must never miss its mark, Draupnir must replicate without flaw. Once validated, these treasures are stored in secure vaults (databases) with detailed records of their properties and lineage. Finally, they must be delivered to the surface realms (deployment), where gods and heroes can use them. The dwarves protect their vaults fiercely, ensuring only authorized beings can access or modify their treasures—much like we secure our databases and validate user input.

The Forge, Vault, and Delivery

// The Dwarven Forge - creating items
app.post('/items', validateItem, async (req, res) => {
    const { name, power, owner } = matchedData(req);

    // Store in the vault (database)
    await db.insertItem({ name, power, owner });

    // Deliver to the realm (deployment)
    res.redirect('/items');
});

// Validation - quality checks
const validateItem = [
    body('name').trim()
        .notEmpty().withMessage('Item must have a name')
        .isLength({ max: 100 }),
    body('power').isInt({ min: 1, max: 100 })
        .withMessage('Power must be between 1 and 100'),
];

// The Vault - PostgreSQL database
const pool = new Pool({
    host: 'localhost',
    database: 'dwarven_treasury',
    user: 'brokk',
    password: process.env.DB_PASSWORD
});

Reflection Questions

❓ Dwarven smiths rigorously test each creation before considering it complete. Why is server-side validation crucial even if you have client-side validation?
❓ The dwarven vaults are heavily guarded and organized. What security measures should you take when storing and accessing data in your database?
❓ Treasures are delivered from the underground forges to the surface realms. What challenges might arise when deploying an application to production?

Part 1: Deployment

Making Your Apps Public

What Are Hosting Providers?

🏢 Hosting Providers: Server landlords
💻 They own servers and rent space to customers
🌐 Make your websites accessible to anyone on the web
📦 You've used GitHub Pages for static sites!

GitHub Pages is great for static sites, but we need more power for Node.js apps!

Static vs Dynamic Sites

📄 Static Sites

Pre-written HTML pages
Everyone sees same content
Only need: HTML, CSS, JS
Examples: GitHub Pages, Netlify

⚡ Dynamic Sites

Content changes per user
Personalized experiences
Need: Server + Database
Examples: Twitter/X, Facebook

What is a PaaS?

🎯 Platform as a Service
👨‍💻 Beginner-friendly hosting providers
🔧 Manage low-level server infrastructure for you
🎨 Focus on building, not configuring servers

Landlord metaphor: They handle utilities, maintenance, security. You focus on living in the space!

How PaaS Services Work

💻 Instances: Virtual "computers" running your app
🗄️ Databases: Easy setup and configuration
🌐 Domain Names: Random domains (can add custom later)

Instances

Instance: A single instance of your application running

1 instance = 1 "computer" running your app
Like running on localhost, but online
Multiple instances = handle more traffic
1 instance is plenty for learning projects!

Many PaaS providers give you your first instance free!

Databases on PaaS

🔧 Easy setup and configuration
💾 Automatic backups
🔒 Security patches applied automatically
📊 Ongoing maintenance handled for you

⚠️ You can keep server and database on one PaaS or split them!

Domain Names

Default: Random domain from provider

Example: afternoon-falls-4209.herokuapp.com

Custom domains: (optional)

Purchase from registrar (Porkbun, NameSilo)
Point to your PaaS project
Not needed for portfolio projects!

Find domains with Domainr

Recommended PaaS Providers

Why multiple options?

Heroku discontinued their free tier in 2022 😢

All have limited free tiers, so we recommend:

Free: Use combination of providers
Paid: Pick one and master it ($5-21/month)

Railway.app

✅ Can deploy both servers and databases

✅ Links to GitHub repo

✅ Pay for what you use ($5/month ≈ 4 apps)

Free Plan:

$5 one-time grant (never sleep!)
After 30 days or $5 used → limited trial

Render

✅ Can deploy both servers and databases

✅ Deploy via "Blueprints" + GitHub

✅ Free 750 hours/month

⚠️ Databases cost $7 each (lowest)

Free Plan:

750 hours = enough for a few apps
Apps sleep after 15 minutes inactivity

Koyeb & Database-Only Options

Koyeb

Git push to deploy
1 free web service
1 free Postgres DB (50 hrs)
No credit card required

Database Only

Neon:

10 projects
24/7 main database

Aiven:

5 GiB storage
24/7 all services

Node Version Compatibility

// package.json - specify Node version
{
  "name": "my-app",
  "version": "1.0.0",
  "engines": {
    "node": ">=18.0.0"
  }
}

Different providers support different Node versions. Check their docs!

Debugging Deployment Issues

🔍 During deployment: Check build logs
💥 After deployment: Check application logs
🔙 If broken after update: Use git to revert

Don't panic! Most errors are well-documented. Google the error message!

Build Logs

When: Error during deployment

Where: Stream of output after deployment

What to do:

Find the error in the logs
Read the stack trace
Google the error message
Check deployment guide again

Application Logs

When: App deployed but showing errors (500 page)

What: Real-time output of your running app

How to use:

Open application logs
Refresh your app in browser
Watch logs for errors in real-time
Debug based on error messages

Keep Secrets Safe!

⚠️ NEVER commit credentials to git!

Use environment variables
Add .env to .gitignore
Use your PaaS provider's environment variable settings

Part 2: Forms and Data Handling

Collecting and Validating User Input

HTML Forms Refresher

<form action="/create" method="POST">
  <label for="fullName">Full Name:</label>
  <input type="text" name="fullName" id="fullName"
         placeholder="John Doe" required>

  <button type="submit">Submit</button>
</form>

action: Where data is sent
method: HTTP verb (GET or POST)
name: Key in req.body

POST vs GET for Forms

POST (most common)

Creating/updating data
Sensitive information
Data in request body
Not in server logs

GET

Search forms
Non-modifying operations
Data in query string
Bookmarkable URLs

Post/Redirect/Get Pattern

// User submits form (POST)
app.post('/create', (req, res) => {
  // Process data
  db.createUser(req.body);

  // Redirect to prevent duplicate submissions
  res.redirect('/');
});

// User sees result (GET)
app.get('/', (req, res) => {
  res.render('index');
});

This prevents duplicate POST requests when refreshing!

Validation vs Sanitization

Validation

Checks if input meets criteria

Required fields
Correct format
Length limits
Type checking

Sanitization

Cleans malicious data

Remove dangerous chars
Encode HTML entities
Trim whitespace
Normalize data

Installing express-validator

// Install
npm install express-validator

// Import
const { body, validationResult, matchedData } = require("express-validator");

The body() Function

// Basic validation
body("name")
  .trim()
  .notEmpty()
  .withMessage("Name cannot be empty");

// Optional field with format validation
body("birthdate", "Must be a valid date")
  .optional({ values: "falsy" })
  .isISO8601(); // YYYY-MM-DD format

// Chaining multiple validations
body("name")
  .trim()
  .notEmpty().withMessage("Name cannot be empty")
  .isAlpha().withMessage("Name must only contain letters")
  .isLength({ min: 1, max: 10 })
  .withMessage("Name must be 1-10 characters");

XSS Attack Example

<!-- ❌ DANGEROUS - Unescaped output -->
<div>
  About Me: <%- description %>
</div>

<!-- User inputs: <script>alert("Hacked!");</script> -->
<!-- Renders as: -->
<div>
  About Me: <script>alert("Hacked!");</script>
</div>

<!-- ✅ SAFE - Escaped output -->
<div>
  About Me: <%= description %>
</div>

<!-- Renders as: -->
<div>
  About Me: &lt;script&gt;alert(&quot;Hacked!&quot;);&lt;/script&gt;
</div>

When to Escape

Why escape at output, not input?

"Dangerous" depends on context
What's dangerous for HTML ≠ dangerous for SQL
Only dangerous at point of use

EJS: Use <%= %> for escaped output

Use <%- %> only for trusted HTML!

Validation Results

const controller = (req, res, next) => {
  const errors = validationResult(req);

  if (!errors.isEmpty()) {
    return res.status(400).render("index", {
      errors: errors.array(),
    });
  }

  // Validation passed - use matchedData for safety
  const { firstName, lastName } = matchedData(req);

  // Do stuff if successful
  res.redirect("/success");
};

Complete Validation Example

const alphaErr = "must only contain letters.";
const lengthErr = "must be between 1 and 10 characters.";

const validateUser = [
  body("firstName").trim()
    .isAlpha().withMessage(`First name ${alphaErr}`)
    .isLength({ min: 1, max: 10 }).withMessage(`First name ${lengthErr}`),
  body("lastName").trim()
    .isAlpha().withMessage(`Last name ${alphaErr}`)
    .isLength({ min: 1, max: 10 }).withMessage(`Last name ${lengthErr}`),
];

// Use in route
app.post("/create", validateUser, (req, res) => {
  const errors = validationResult(req);
  if (!errors.isEmpty()) {
    return res.status(400).render("createUser", {
      errors: errors.array()
    });
  }
  // Process valid data
});

Displaying Errors in View

<!-- views/partials/errors.ejs -->
<% if (locals.errors) {%>
  <ul class="errors">
    <% errors.forEach(function(error) { %>
      <li><%= error.msg %></li>
    <% }); %>
  </ul>
<% } %>

<!-- Include in your form view -->
<%- include("partials/errors.ejs") %>

<form method="POST" action="/create">
  <!-- form fields -->
</form>

Part 3: PostgreSQL

Data Persistence with Databases

Introduction to PostgreSQL

Watch this short introduction by Fireship

Why Databases?

💾 Data Persistence: Data survives server restarts
👥 Multiple Users: Concurrent access
🔍 Querying: Powerful search and filter capabilities
🔒 Data Integrity: Constraints and validation

Where does The Odin Project store usernames? Project submissions? This lesson content? Databases!

PostgreSQL Shell (psql)

💻 Terminal-based front end to PostgreSQL
📝 Execute SQL queries interactively
🛠️ Manage database structures
📂 Databases stored in filesystem

Setting Up a Database

-- Enter PostgreSQL shell
$ psql

-- Create a new database
CREATE DATABASE top_users;

-- List databases
\l

-- Connect to database
\c top_users

-- Create a table
CREATE TABLE usernames (
  id INTEGER PRIMARY KEY GENERATED ALWAYS AS IDENTITY,
  username VARCHAR(255)
);

-- List tables
\d

Identity Columns

-- GENERATED ALWAYS AS IDENTITY
-- Automatically generates values for id column
-- Starts at 1, increments by 1

CREATE TABLE users (
  id INTEGER PRIMARY KEY GENERATED ALWAYS AS IDENTITY,
  username VARCHAR(255)
);

-- PostgreSQL creates a sequence: users_id_seq
-- Tracks next value to use

Populating the Database

-- Insert data
INSERT INTO usernames (username)
VALUES ('Mao'), ('nevz'), ('Lofty');

-- Verify
SELECT * FROM usernames;

--  id | username
-- ----+----------
--   1 | Mao
--   2 | nevz
--   3 | Lofty

Installing node-postgres

npm install pg

Connecting to PostgreSQL

// db/pool.js
const { Pool } = require("pg");

// Method 1: Connection object
module.exports = new Pool({
  host: "localhost",
  user: "<role_name>",
  database: "top_users",
  password: "<role_password>",
  port: 5432 // Default PostgreSQL port
});

// Method 2: Connection URI
module.exports = new Pool({
  connectionString: "postgresql://<user>:<password>@localhost:5432/top_users"
});

Client vs Pool

Client

Individual connection
Manually manage
Open, query, close
Good for one-off queries

Pool ✅

Pool of connections
Automatically managed
Reuses connections
Perfect for web servers!

Querying with pg

// db/queries.js
const pool = require("./pool");

async function getAllUsernames() {
  const { rows } = await pool.query("SELECT * FROM usernames");
  return rows;
}

async function insertUsername(username) {
  await pool.query("INSERT INTO usernames (username) VALUES ($1)", [username]);
}

module.exports = {
  getAllUsernames,
  insertUsername
};

SQL Injection Prevention

// ❌ DANGEROUS - SQL Injection vulnerability
await pool.query(
  "INSERT INTO usernames (username) VALUES ('" + username + "')"
);

// User inputs: sike'); DROP TABLE usernames; --
// Executes: INSERT INTO usernames (username) VALUES ('sike');
//           DROP TABLE usernames; --')

// ✅ SAFE - Parameterized query
await pool.query(
  "INSERT INTO usernames (username) VALUES ($1)",
  [username]
);

// pg handles escaping and prevents injection!

Using Queries in Controllers

// controllers/usersController.js
const db = require("../db/queries");

async function getUsernames(req, res) {
  const usernames = await db.getAllUsernames();
  console.log("Usernames:", usernames);
  res.send("Usernames: " +
    usernames.map(user => user.username).join(", "));
}

async function createUsernamePost(req, res) {
  const { username } = req.body;
  await db.insertUsername(username);
  res.redirect("/");
}

module.exports = { getUsernames, createUsernamePost };

Populate DB via Script

#! /usr/bin/env node
const { Client } = require("pg");

const SQL = `
CREATE TABLE IF NOT EXISTS usernames (
  id INTEGER PRIMARY KEY GENERATED ALWAYS AS IDENTITY,
  username VARCHAR(255)
);

INSERT INTO usernames (username)
VALUES ('Bryan'), ('Odin'), ('Damon');
`;

async function main() {
  console.log("seeding...");
  const client = new Client({
    connectionString: "postgresql://user:pass@localhost:5432/top_users"
  });
  await client.connect();
  await client.query(SQL);
  await client.end();
  console.log("done");
}

main();

Running the Population Script

// Drop existing table
DROP TABLE usernames;

// Run script
node db/populatedb.js

// Or add to package.json scripts:
"scripts": {
  "db:populate": "node db/populatedb.js"
}

// Then run:
npm run db:populate

⚠️ This script is designed to run once!

Local vs Production Databases

Local DB

Development
Faster interactions
Easy modifications
No internet needed
Testing features

Production DB

Public apps
Global access
Scalability
Robust security
External server

Environment Variables

// Install dotenv
npm install dotenv

// .env file
DB_HOST=localhost
DB_USER=myuser
DB_PASSWORD=mypassword
DB_NAME=top_users
DB_PORT=5432

// db/pool.js
require('dotenv').config();

module.exports = new Pool({
  host: process.env.DB_HOST,
  user: process.env.DB_USER,
  password: process.env.DB_PASSWORD,
  database: process.env.DB_NAME,
  port: process.env.DB_PORT
});

.gitignore

# .gitignore
node_modules/
.env

# NEVER commit .env to git!
# It contains sensitive credentials

Populating Production DB

// Use process.argv for flexibility
const connectionString = process.argv[2];

async function main() {
  const client = new Client({ connectionString });
  await client.connect();
  await client.query(SQL);
  await client.end();
}

main();

// Local DB:
node db/populatedb.js postgresql://user:pass@localhost:5432/top_users

// Production DB (run once after deployment):
node db/populatedb.js <production-db-url>

Project: Inventory Application

Build an inventory management app!

Choose what kind of business (groceries, toys, music, etc.)
Categories and items
Full CRUD for both
PostgreSQL database
Form validation

Project Requirements

✅ Categories table (e.g., genres, types, departments)
✅ Items table (e.g., games, pokemon, products)
✅ Relationships and constraints
✅ Create routes (GET form + POST handler)
✅ Read routes (list all, view one)
✅ Update routes (GET form + POST handler)
✅ Delete routes (with confirmation)
✅ Form validation with express-validator

Database Design Examples

Game Management:

Tables: games, genres, developers
Relationships: game has multiple genres/developers

Pokemon Management:

Tables: pokemon, trainers, types
Relationships: pokemon has type, trainer has multiple pokemon

Plan your tables, fields, and relationships BEFORE coding!

Delete Functionality

What happens when deleting a category with items?

CASCADE: Delete all items in category
SET NULL: Remove category from items
RESTRICT: Prevent deletion if items exist

Choose based on your app's requirements!

Extra Credit

🎨 Make it pretty! Add CSS styling
🔒 Admin password: Protect destructive actions
- Require secret password for delete/update
- Simple hardcoded password for now
- (We'll learn real auth later!)

Review: Deployment

✅ Static sites: pre-written HTML
✅ Dynamic sites: need server + database
✅ PaaS: Platform as a Service (beginner-friendly)
✅ Instances: virtual computers running your app
✅ Debug with build logs and application logs
✅ Use environment variables for secrets

Review: Forms and Validation

✅ POST for creating/updating, GET for searches
✅ Post/Redirect/Get pattern prevents duplicates
✅ Validation: check if input meets criteria
✅ Sanitization: clean malicious data
✅ express-validator: body(), validationResult()
✅ Escape output to prevent XSS attacks

Review: PostgreSQL

✅ psql: PostgreSQL shell for managing databases
✅ node-postgres (pg): interface with PostgreSQL
✅ Pool: connection pool (better than Client)
✅ Parameterized queries prevent SQL injection
✅ Scripts to populate database
✅ Environment variables for connection info

Complete CRUD Example

// CREATE
router.get("/create", renderCreateForm);
router.post("/create", validateItem, createItem);

// READ
router.get("/", listAll);
router.get("/:id", getOne);

// UPDATE
router.get("/:id/update", renderUpdateForm);
router.post("/:id/update", validateItem, updateItem);

// DELETE
router.post("/:id/delete", deleteItem);

Security Best Practices

✅ Always validate on server (never trust client)
✅ Use parameterized queries (prevent SQL injection)
✅ Escape output in templates (prevent XSS)
✅ Use environment variables (never commit secrets)
✅ Use HTTPS in production
✅ Keep dependencies updated

Today's Takeaways

You Can Now:

✅ Deploy Express apps to PaaS providers
✅ Debug deployment and runtime issues
✅ Validate and sanitize form input
✅ Prevent XSS and SQL injection attacks
✅ Set up and use PostgreSQL databases
✅ Query databases with node-postgres
✅ Build a complete inventory application!

Next Steps

📅 Next Class: Authentication

Topics Coming:

User authentication
Password hashing with bcrypt
Sessions and cookies
Passport.js

📝 Homework: Inventory Application

Design database schema
Build all CRUD operations
Add form validation
Deploy with database
Extra credit: Add admin password protection