Security News
Input Validation Vulnerabilities Dominate MITRE's 2024 CWE Top 25 List
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
node-tailor
Advanced tools
Tailor is a layout service that uses streams to compose a web page from fragment services. O'Reilly describes it in the title of this blog post as "a library that provides a middleware which you can integrate into any Node.js server." It's partially inspired by Facebook’s BigPipe, but developed in an ecommerce context.
Some of Tailor's features and benefits:
Tailor is part of Project Mosaic, which aims to help developers create microservices for the frontend. The Mosaic also includes an extendable HTTP router for service composition (Skipper) with related RESTful API that stores routes (Innkeeper); more components are in the pipeline for public release. If your front-end team is making the monolith-to-microservices transition, you might find Tailor and its available siblings beneficial.
Microservices get a lot of traction these days. They allow multiple teams to work independently from each other, choose their own technology stacks and establish their own release cycles. Unfortunately, frontend development hasn’t fully capitalized yet on the benefits that microservices offer. The common practice for building websites remains “the monolith”: a single frontend codebase that consumes multiple APIs.
What if we could have microservices on the frontend? This would allow frontend developers to work together with their backend counterparts on the same feature and independently deploy parts of the website — “fragments” such as Header, Product, and Footer. Bringing microservices to the frontend requires a layout service that composes a website out of fragments. Tailor was developed to solve this need.
Begin using Tailor with:
yarn add node-tailor
const http = require('http');
const Tailor = require('node-tailor');
const tailor = new Tailor({/* Options */});
const server = http.createServer(tailor.requestHandler);
server.listen(process.env.PORT || 8080);
fetchContext(request)
- Function that returns a promise of the context, that is an object that maps fragment id to fragment url, to be able to override urls of the fragments on the page, defaults to Promise.resolve({})
fetchTemplate(request, parseTemplate)
- Function that should fetch the template, call parseTemplate
and return a promise of the result. Useful to implement your own way to retrieve and cache the templates, e.g. from s3.
Default implementation lib/fetch-template.js
fetches the template from the file systemtemplatesPath
- To specify the path where the templates are stored locally, Defaults to /templates/
fragmentTag
- Name of the fragment tag, defaults to fragment
handledTags
- An array of custom tags, check tests/handle-tag
for more infohandleTag(request, tag, options, context)
- Receives a tag or closing tag and serializes it to a string or returns a streamfilterRequestHeaders(attributes, request)
- Function that filters the request headers that are passed to fragment request, check default implementation in lib/filter-headers
filterResponseHeaders(attributes, headers)
- Function that maps the given response headers from the primary fragment request to the final responsemaxAssetLinks
- Number of Link
Header directives for CSS and JS respected per fragment - defaults to 1
requestFragment(filterHeaders)(url, attributes, request)
- Function that returns a promise of request to a fragment server, check the default implementation in lib/request-fragment
amdLoaderUrl
- URL to AMD loader. We use RequireJS from cdnjs as deafultpipeInstanceName
- Pipe instance name that is available in the browser window for consuming frontend hooks.pipeAttributes(attributes)
- Function that returns the minimal set of fragment attributes available on the frontend hooks.tracer
- Opentracing compliant Tracer implementation.Tailor uses parse5 to parse the template, where it replaces each fragmentTag
with a stream from the fragment server and handledTags
with the result of handleTag
function.
<html>
<head>
<script type="fragment" src="http://assets.domain.com"></script>
</head>
<body>
<fragment src="http://header.domain.com"></fragment>
<fragment src="http://content.domain.com" primary></fragment>
<fragment src="http://footer.domain.com" async></fragment>
</body>
</html>
id
- optional unique identifier (autogenerated)src
- URL of the fragmentprimary
- denotes a fragment that sets the response code of the pagetimeout
- optional timeout of fragment in milliseconds (default is 3000)async
- postpones the fragment until the end of body tagpublic
- to prevent tailor from forwarding filtered request headers from upstream to the fragments.fallback-src
- URL of the fallback fragment in case of timeout/error on the current fragmentOther attributes are allowed and will be passed as well to relevant functions (eg.
filterRequestHeaders
,filterResponseHeaders
, etc.)
A fragment is an http(s) server that renders only the part of the page and sets Link
header to provide urls to CSS and JavaScript resources. Check example/fragment.js
for the draft implementation.
A JavaScript of the fragment is an AMD module, that exports an init
function, that will be called with DOM element of the fragment as an argument.
Note: For compatability with AWS the Link
header can also be passed as x-amz-meta-link
By default, the incoming request will be used to selecting the template.
So to get the index.html
template you go to /index
.
If you want to listen to /product/my-product-123
to go to product.html
template, you can change the req.url
to /product
.
Every header is filtered by default to avoid leaking information, but you can give the original URI and host by adding it to the headers, x-request-host
and x-request-uri
, then reading in the fragment the headers to know what product to fetch and display.
http
.createServer((req, res) => {
req.headers['x-request-uri'] = req.url
req.url = '/index'
tailor.requestHandler(req, res);
})
.listen(8080, function() {
console.log('Tailor server listening on port 8080');
});
Some of the concepts in Tailor are described in detail on the specific docs.
Tailor has out of the box distributed tracing instrumentation with OpenTracing. It will pick up any span context on the ingress HTTP request and propagate it to the existing Remote Procedure Calls (RPCs).
Currently, only the fetching of fragments is instrumented providing some additional details like the fragment tag, attributes and some logging payload like the stack trace for errors.
# Get a copy of the repository
git clone https://github.com/zalando/tailor.git
# Change to the folder
cd tailor
# Install dependencies
yarn
node examples/basic
node examples/basic-css-and-js
node examples/multiple-fragments-with-custom-amd
node examples/fragment-performance
Go to http://localhost:8080/index after running the specific example.
Note: Please run the examples with node versions > 6.0.0
Single-page application examples are also available:
To start running benchmark execute npm run benchmark
and wait for couple of seconds to see the results.
Please check the Contributing guidelines here.
3.9.2
FAQs
Tailor assembles a web page from multiple fragments
We found that node-tailor demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 6 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.