Research
Security News
Malicious npm Package Targets Solana Developers and Hijacks Funds
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
roosevelt
Advanced tools
Roosevelt is a web application development framework based on Express that aims to be the easiest web framework on the Node.js stack to learn and use.
Some notable features:
Boilerplate minimized. Teddy Roosevelt — referred to by Cracked magazine as the "the most badass President of all-time" — curtailed the abuse of monopolists, so there's no way he would ever put up with all the indecipherable boilerplate common to other web frameworks.
MVC-based default directory structure.
Teddy HTML templates by default which are much easier to read and maintain than common alternatives. Can be configured to use any templating system that supports Express.
LESS preconfigured out of the box to intelligently minify your external-facing CSS files via clean-css. There's also built-in support for Sass and Stylus. Other CSS preprocessors can be used as well with a bit of extra configuration.
Webpack fully integrated providing an easy to use interface for bundling and minifying your frontend JS.
Code-reloading in development mode via nodemon for server-side changes and reload for frontend changes.
HTML validation done automatically in development mode for your post-server rendered HTML powered by express-html-validator.
This is documentation for the current version of Roosevelt. If you need API documentation for a previous version of Roosevelt, look here.
First you will need to install Node.js. Both the current and LTS version of Node.js are supported. It is recommended that you have both the current and LTS versions of Node.js installed on your system. To do that, it is recommended that you install Node.js using a Node.js version manager like nvm or nvm-windows rather than the official installer, as a version manager will allow you to switch between multiple versions of Node.js easily.
The Roosevelt app generator is a command line script based on Yeoman that can create a sample Roosevelt app for you.
To use it, simply run the following command:
npx mkroosevelt
Then follow the prompts.
You can also optionally install the app generator to your system if you like so that it doesn't need to be refetched from npm each time you want to create a new app. To do that, first globally install Yeoman and the Yeoman-based Roosevelt app generator:
npm i -g yo generator-roosevelt
Then create a Roosevelt app using the Roosevelt app generator:
yo roosevelt
Then follow the prompts.
After creating your app, cd
to your app's directory and:
npm i
npm run development
npm run dev
npm run d
See available npm scripts for more ways to run the app.
It is also possible to create a Roosevelt app without using the app generator. This will result in a more minimalist default configuration (e.g. no CSS or JS preprocessors enabled by default).
To do that:
First create a new folder and cd
into it.
Then npm i roosevelt
. This will create a node_modules
folder with Roosevelt and its bare minimum dependencies.
Create a file named app.js
.
Put this code in app.js
:
require('roosevelt')({
'makeBuildArtifacts': true
}).startServer()
Then node app.js
. If the makeBuildArtifacts
parameter is set to true like the above code example, an entire Roosevelt app with bare minimum viability will be created and the server will be started. See configure your app with parameters for more information about parameter configuration.
Create a Roosevelt app using one of the methods above, then set the makeBuildArtifacts
param to the value of 'staticsOnly'
which will allow Roosevelt to create static files but skip the creation of the MVC directories:
require('roosevelt')({
makeBuildArtifacts: 'staticsOnly'
}).init()
You will also need to set viewEngine
if you want to render HTML templates into static pages and supply data to the templates:
require('roosevelt')({
makeBuildArtifacts: 'staticsOnly',
viewEngine: 'html: teddy',
onServerInit: (app) => {
app.get('htmlModels')['index.html'] = {
hello: 'world!'
}
}
}).init()
If model data is not supplied by configuration, Roosevelt will try to automatically load a model from a JS file with the same name alongside the template if it exists instead. For example if an index.js file exists next to index.html and the model is not defined by configuration like in the example above, then the index.js file will be used to set the model so long as it exports either an object or a function that returns an object.
Roosevelt apps created with the app generator come with the following notable npm scripts prepopulated in package.json:
npm run production
: Runs the app in production mode.
npm run prod
npm run p
npm start
nodemon app.js --production-mode
npm run development
: Runs the app in development mode.
npm run dev
npm run d
nodemon app.js --development-mode
npm run production-proxy
: Runs the app in production mode, but with localhostOnly
set to true and hostPublic
set to false. This mode will make it so your app only listens to requests coming from localhost and does not serve anything in the public folder. This mode is useful when you want to host your app behind a reverse proxy from a web server like Apache or nginx and is considered a best practice for Node.js deployments.
npm run prodproxy
npm run x
nodemon app.js --production-proxy-mode
npm run generate-certs
: Generates self-signed HTTPS certs for your app.
node ./node_modules/roosevelt/lib/scripts/certsGenerator.js
npm run generate-session-secret
: Generates a secret key for the express-session
module.
node ./node_modules/roosevelt/lib/scripts/sessionSecretGenerator.js
npm run generate-secrets
: Generates self-signed HTTPS certs and a express-session
secret.npm run audit-config
: Scans current rooseveltConfig
and scripts
in package.json
and warns about any parameters or npm scripts that don't match the current Roosevelt API:
node ./node_modules/roosevelt/lib/scripts/configAuditor.js
npm i
or npm ci
as well.node app.js --production-mode
: Runs the app in production mode.
--prod
-p
node app.js --development-mode
: Runs the app in development mode.
--dev
-d
node app.js --build
: Only runs the build scripts and doesn't start the app.
-b
node app.js --webpack=verbose
: Enables webpack to print verbose errors to the console.
--wp=verbose
-w=verbose
node app.js --webpack=verbose-file
: Enables webpack to print verbose errors to the console as well as write a webpackError file to the app's root directory containing the full error.
--wp=verbose-file
-w=verbose-file
node app.js --production-proxy-mode
: Runs the app in production mode, but with localhostOnly
set to true and hostPublic
set to false. This mode will make it so your app only listens to requests coming from localhost and does not serve anything in the public folder. This mode is useful when you want to host your app behind a reverse proxy from a web server like Apache or nginx and is considered a best practice for Node.js deployments.
--prodproxy
-x
node app.js --enable-validator
: Forces the HTML validator to be enabled.
--html-validator
-h
node app.js --disable-validator
: Forces the HTML validator to be disabled.
--raw
-r
The npm scripts can be combined with the command line flags.
For example, running npm run d -- -r
will run your app in development mode and force the HTML validator to be disabled.
The following is a list of environment variables that Roosevelt listens for.
NODE_ENV
:
production
to force the app into production mode.development
to force the app into development mode.NODE_PORT
: Default HTTP port to run your app on.HTTP_PORT
: Default HTTP port to run your app on. Takes precedence over NODE_PORT
.HTTPS_PORT
: Default HTTPS port to run your app on.DISABLE_HTTPS
: When set to true
, the HTTPS server will be disabled and the app will revert to HTTP regardless of what is set in the rooseveltConfig
.Environment variable precedence:
Below is the default directory structure for an app created using the Roosevelt app generator:
Application logic:
app.js
: Entry point to your application. Feel free to rename this, but make sure to update package.json
's references to it.
lib
: Random includable JS files that don't belong in any of the other directories. It has been added to the require
stack so you can simply require('lib/someFile')
.
mvc
: Folder for models, views, and controllers. All configurable via parameters (see below).
controllers
: Folder for controller files; the "C" in MVC. This is where your HTTP routes will go.models
: Folder for model files; the "M" in MVC. This is where you will get data to display in your views e.g. by querying a database or do other business logic.views
: Folder for view files; the "V" in MVC. This is where your HTML templates will go.Static files:
public
: All contents within this folder will be exposed as static files.
statics
: Folder for source CSS, image, JS, and other static files. By default some of the contents of this folder are symlinked to from public
, which you can configure via params. See configure your app with parameters for more information about parameter configuration.
css
: Folder for source CSS files.images
: Folder for source image files.js
: Folder for source JS files.pages
: Folder for HTML templates that get rendered and minified into static pages.Application infrastructure:
.gitignore
: A standard file which contains a list of files and folders to ignore if your project is in a git repo. Delete it if you're not using git. The default .gitignore
file contains many common important things to ignore, however you may need to tweak it to your liking before committing a fresh Roosevelt app to your git repo.
node_modules
: This folder is created when installing dependencies using the npm i
step to set up your app. It's generally not recommended to commit the node_modules
folder or any other build artifacts to git.public
: It's recommended that you don't create files in this folder manually, but instead use the statics
parameter detailed below to expose folders in your statics
directory to public
via auto-generated symlinks.secrets
: A folder for "secret" files, e.g. session keys, HTTPS certs, passwords, etc. Since this folder contains sensitive information, it should not be committed to git.node_modules
: A standard folder created by Node.js where all modules your app depends on (such as Roosevelt) are installed to. This folder is created when installing dependencies using the npm i
command.
package.json
: A file common to most Node.js apps for configuring your app.
package-lock.json
: An auto-generated file common to most Node.js apps containing a map of your dependency tree. This is created after you run npm i
for the first time.
rooseveltConfig.json
: Where your Roosevelt config is stored and what your params are set to. See configure your app with parameters for more information about parameter configuration.
secrets
: A folder for "secret" files, e.g. session keys, HTTPS certs, passwords, etc. It is added to .gitignore
.
Roosevelt is designed to have a minimal amount of boilerplate so you can spend less time focused on configuration and more time writing your app. All parameters are optional. As such, by default, all that's in app.js is this:
require('roosevelt')().startServer()
Roosevelt will determine your app's name by examining "name"
in package.json
. If none is provided, it will use Roosevelt Express
instead.
There are multiple ways to pass a configuration to Roosevelt:
A rooseveltConfig.json
file located in the root directory of your app.
Via package.json under "rooseveltConfig"
.
Programmatically via Roosevelt's constructor like so:
require('roosevelt')({
paramName: 'paramValue',
param2: 'value2',
etc: 'etc'
}).startServer();
package.json
or rooseveltConfig.json
such as event handlers.In addition, all parameters support template literal style variable syntax that you can use to refer to other Roosevelt parameters. For example:
{
"port": 4000,
"https": {
"port": "${port + 1}"
},
"css": {
"sourcePath": "css",
"output": ".build/${css.sourcePath}"
}
}
Resolves to:
{
"port": 4000,
"https": {
"port": 4001
},
"css": {
"sourcePath": "css",
"output": ".build/css"
}
}
controllersPath
: Relative path on filesystem to where your controller files are located.
"mvc/controllers"
.modelsPath
: Relative path on filesystem to where your model files are located.
"mvc/models"
.viewsPath
: Relative path on filesystem to where your view files are located.
"mvc/views"
.secretsDir
: Directory that stores certs, keys, and secrets.
Default: [String] secrets
.
Important: Changing this value will require updating .gitignore
.
frontendReload
: Settings to use for the reload module which automatically reloads your browser when your frontend code changes. This feature is only available in development mode.
Default: [Object]
{
"enable": true,
"port": 9856,
"httpsPort": 9857
}
htmlValidator
: Parameters to send to express-html-validator. This feature is only available in development mode.
enable
: [Boolean] Enables or disables the built-in HTML validator.
exceptions
: A set of params that can be used to prevent validation in certain scenarios.
header
[String]: A custom header that when set will disable the validator on a per request basis.
'Partial'
.modelValue
[String]: An entry in your data model passed along with a res.render
that when set will disable validation on the rendered HTML.
'_disableValidator'
.validatorConfig
[Object]: html-validate configuration that determines what errors the validator looks for.
The full list of available validator rules can be found here.
This configuration can also be set by a .htmlValidate.json
file placed in your app root directory.
Default: [Object]
{
"enable": true,
"exceptions": {
"requestHeader": "Partial",
"modelValue": "_disableValidator"
},
"validatorConfig": {}
}
hostPublic
: Whether or not to allow Roosevelt to host the public folder. By default in production-proxy
mode Roosevelt will not expose the public folder. It's recommended instead that you host the public folder through another web server, such as Apache or nginx that is better optimized for hosting static files.
false
.https
: [Object] params for configuring the HTTPS server. HTTPS is disabled by default in apps created manually and enabled by default in apps generated with generator-roosevelt.
Default: [Object] {}
.
Object members:
enable
: Enable HTTPS server.false
.port
: The port your app will run the HTTPS server on.
43733
.force
: Disallow unencrypted HTTP and route all traffic through HTTPS.
false
.autoCert
: Will create self-signed HTTPS certificates in development mode as long as they don't already exist.
true
.authInfoPath
: [Object] Specify either the paths where the server certificate files can be found or set the appropriate parameters to be a PKCS#12-formatted string or certificate or key strings.
undefined
.p12
: [Object] Parameter used when the server certificate/key is in PKCS#12 format.
undefined
.p12Path
: [String] Either the path to a PKCS#12-formatted file (e.g. a .p12 or .pfx file) or a PKCS#12-formatted string or buffer (e.g. the result of reading in the contents of a .p12 file).
undefined
.authCertAndKey
: [Object] Parameter used when the server certificate and key are in separate PEM-encoded files.
cert
: [String] Either the path to a PEM-encoded certificate file (e.g. .crt, .cer, etc.) or a PEM-encoded certificate string.
undefined
.key
: [String] Either the path to a PEM-encoded key file (e.g. .crt, .cer, etc.) or a PEM-encoded key string for the certificate given in cert
.
undefined
.passphrase
: [String] Shared passphrase used for a single private key and/or a P12.
undefined
.requestCert
: [Boolean] Set whether to request a certificate from the client attempting to connect to the server to verify the client's identity.
undefined
.rejectUnauthorized
: [Boolean] Set whether to reject connections from clients that do no present a valid certificate to the server. (Ignored if requestCert
is set to false
.)
undefined
.caCert
: [String] Either the path to a PEM-encoded Certificate Authority root certificate or certificate chain or a PEM-encoded Certificate Authority root certificate or certificate chain string. This certificate (chain) will be used to verify client certificates presented to the server. It is only needed if requestCert
and rejectUnauthorized
are both set to true
and the client certificates are not signed by a Certificate Authority in the default publicly trusted list of CAs curated by Mozilla.
undefined
.localhostOnly
: Listen only to requests coming from localhost in production mode. This is useful in environments where it is expected that HTTP requests to your app will be proxied through a more traditional web server like Apache or nginx. This setting is ignored in development mode.
true
.mode
: Decides whether your app starts in production mode or development mode by default.
production
.port
: The HTTP port your app will run on. This setting is ignored if the app is set to force HTTPS-only mode.
43711
.shutdownTimeout
: Maximum amount of time in milliseconds given to Roosevelt to gracefully shut itself down when sent the kill signal.
30000
(30 seconds).appDir
: Root directory of your application.
package.json
is located.bodyParser
: Parameters to supply to the body-parser module which handles POST requests.
urlEncoded
: [Object] Parameters to supply to body-parser.urlencoded.
json
: [Object] Parameters to supply to body-parser.json.
Default: [Object]
{
"urlEncoded": {
"extended": true
},
"json": {}
}
csrfProtection
: Whether to enable Cross-Site Request Forgery protection.
Default: [Boolean] true
.
To exempt certain routes from protection, supply an object as your config with an array of exemptions.
{
"exemptions": [
"/foo",
"/bar",
"/baz"
]
}
enableCLIFlags
: Enables parsing of command line flags. Disable this if you want to handle them yourself or if you don't want Roosevelt to listen to the command line flags it listens for by default.
true
.errorPages
: Relative path on filesystem to where your various error page controller files are located. If you do not supply them, Roosevelt will use its default ones instead:
notFound
: Your 404 Not Found error page.
"404.js"
.forbidden
: Your 403 Forbidden error page.
"403.js"
.internalServerError
: Your Internal Server Error error page.
"5xx.js"
.serviceUnavailable
: Your 503 Service Unavailable error page.
"503.js"
.expressSession
: Parameter(s) to pass to the express-session module.
Default: [Boolean] true
.
If expressSession
is set to true
, it will supply to following configuration to express-session
:
{
"secret": [an auto-generated secret],
"resave": false, // usually a bad idea to set to true
"saveUninitialized": false, // usually a bad idea to set to true
"cookie": {
"secure": false, // will automatically be set to true if https is enabled
"sameSite": "strict", // adds same site enforcement
"maxAge": 347126472000 // sets expiration very far in the future (~11 years) to basically never expire
}
"store": [the expressSessionStore.instance Roosevelt param]
}
Roosevelt sets express-session
to use memorystore as the default session store.
The default setting for maxAge
is ~11 years. You should set that to be shorter in use cases where you want sessions to expire regularly, e.g. if you want users to reauthorize and login again frequently for security reasons.
If you supply your own parameters to express-session
, it is recommended you take the above default configuration and modify it.
expressSessionStore
: Define a custom session store to use with express-session
instead of the default one provided by Roosevelt. This is recommended if you plan to shard your app across multiple separate processes or scale it to multiple servers.
filename
: Name of the session file.
sessions.sqlite
instance
: [Object] A store instance. See this list for compatible stores.
preset
: [String] Available presets provided by Roosevelt. Only used if instance
is not provided.
default
: Use Roosevelt's default session store, which is better-sqlite3-session-store.express-session-default
: Use express-session
's default session store (not recommended).presetOptions
: Options to pass to the preset session store if one is selected. Only used if instance
is not provided.
checkPeriod
: How long, in milliseconds, the memory store will check for expired items.
86400000
(1 day).ttl
: How long, in milliseconds, before a session is expired.
checkPeriod
.max
: The maximum size of the cache, checked by applying the length function to all values in the cache.
Infinity
.Either instance
or preset
must be set for this param to work properly.
formidable
: Parameters to pass to formidable using formidable's API for multipart form processing (file uploads). Access files uploaded in your controllers by examining the req.files
object. Roosevelt will remove any files uploaded to the upload directory when the request ends automatically. To keep any, be sure to move them before the request ends.
Default: [Object]
{
"multiples": true // enables multiple files to be uploaded simultaneously
}
To disable multipart forms entirely, set formidable
to false
.
helmet
: Parameters to pass to the helmet module. This module helps secure Express apps by setting HTTP response headers.
Content-Security-Policy
settings:
upgrade-insecure-requests
directive has been removed. This change prevents this bug.script-src
directive has been set to 'unsafe-inline'
. This makes it possible to use inline scripts.form-action
directive has been set to null
. This makes it possible to submit forms to other domains.false
.logging
: Parameters to pass to roosevelt-logger. See roosevelt-logger parameters documentation for configuration options.
Default: [Object]
{
"methods": {
"http": true,
"info": true,
"warn": true,
"error": true,
"verbose": false
}
}
makeBuildArtifacts
: When enabled Roosevelt will generate user-specified directories, CSS/JS bundles, etc.
Default: [Boolean] false
for apps created manually.
Will be set to true
in apps generated with generator-roosevelt.
Can also accept a value of 'staticsOnly'
which will allow Roosevelt to create static files but skip the creation of the MVC directories.
routePrefix
: [String] A prefix prepended to your application's routes. Applies to all routes and static files.
Example: When set to "foo"
a route bound to /
will be instead be bound to /foo/
.
This prefix is exposed via the routePrefix
Express variable which should be used for resolving the absolute paths to statics programmatically.
/images/teddy.jpg
can be resolved in a prefix-agnostic way via `${app.get('routePrefix')/images/teddy.jpg}`
.Default: null
.
viewEngine
: What templating engine to use, formatted as [String] "fileExtension: nodeModule"
.
Default: [String] "none"
for apps created manually.
Will be set to "html: teddy"
in apps generated with generator-roosevelt.
Also by default when using the generator, the module teddy is marked as a dependency in package.json
.
To use multiple templating systems, supply an array of engines to use in the same string format. Each engine you use must also be marked as a dependency in your app's package.json
. Whichever engine you supply first with this parameter will be considered the default.
Example configuration using multiple templating systems: [Object]
{
"viewEngine": [
"html: teddy",
"php: php",
"ejs: ejs"
]
}
clientViews
: [Object] Allows you to expose view (template) file code to frontend JS for client-side templating.
exposeAll
: [Boolean] Option to expose all templates.
false
.blocklist
: [Array] of [Strings] List of files or folders to exclude when exposeAll
is enabled.
[]
.Can also be set declaratively by putting a <!-- roosevelt-blocklist -->
tag at the top of any template.
allowlist
: [Object] of [Arrays] List of JS files to create mapped to which view files to expose.
Default: [Object] {}
.
Example:
{
"mainLayouts.js": ["baseLayout.html", "footer.html"],
"forms.js": ["forms/formTemplate.html"]
}
Can also be set declaratively by putting a <!-- roosevelt-allowlist <filepath> -->
tag at the top of any template.
defaultBundle
: [String] File name for the default JS view bundle.
"views.js"
.output
: [String] Subdirectory within publicFolder
to write JS view bundles to.
"js"
.minify
: [Boolean] Option to minify templates that are exposed via this feature.
true
.minifyOptions
: [Object] Parameters to supply to html-minifier's API.
html.minifier.options
if empty.Default: [Object]
"clientViews": {
"exposeAll": false,
"blocklist": [],
"allowlist": {},
"defaultBundle": "views.js",
"output": "js",
"minify": true,
"minifyOptions": {}
}
isomorphicControllers
: [Object] Allows you to expose controller (route) file code to frontend JS for client-side routing.
file
: [String] File name for the default JS controller auto-loader file. Set to null
to disable this feature.
null
.output
: [String] Subdirectory within publicFolder
to write JS controller auto-loader file to.
"js"
.Default: [Object]
"isomorphicControllers": {
"file": null
"output": "js"
}
css
: [Object] How you want Roosevelt to configure your CSS preprocessor:
sourcePath
: Subdirectory within staticsRoot
where your CSS files are located. By default this folder will not be made public, but is instead meant to store unminified CSS source files which will be minified and written to the public
folder when the app is started.
compiler
: [Object] Which CSS preprocessor (if any) to use.
enable
: [Boolean] Whether or not to use a preprocessor.
module
: [String] Node module name of the CSS preprocessor you wish to use.
options
: [Object] Parameters to send to the CSS preprocessor if it accepts any.
minifier
: [Object] Params pertaining to CSS minifcation.
enable
: [Boolean] Whether or not to minify CSS.
minify
param.options
: [Object] Parameters to pass to the CSS minifier clean-css, a list of which can be found in the clean-css docs.
allowlist
: Array of CSS files to allow for compiling. Leave undefined to compile all files. Supply a :
character after each file name to delimit an alternate file path and/or file name for the minified file.
example.less:example.min.css
compiles example.less
into example.min.css
.output
: Subdirectory within publicFolder
where compiled CSS files will be written to.
versionFile
: If enabled, Roosevelt will create a CSS file which declares a CSS variable containing your app's version number from package.json
. Enable this option by supplying an object with the member variables fileName
and varName
. Versioning your static files is useful for resetting your users' browser cache when you release a new version of your app.
Example usage (with LESS): [Object]
{
"fileName": "_version.less",
"varName": "appVersion"
}
Assuming the default Roosevelt configuration otherwise, this will result in a file statics/css/_version.less
with the following content:
/* do not edit; generated automatically by Roosevelt */ @appVersion: '0.1.0';
Some things to note:
If there is already a file there with that name, this will overwrite it, so be careful!
It's generally a good idea to add this file to .gitignore
, since it is a build artifact.
Default: [Object]
{
"sourcePath": "css",
"compiler": {
"enable" : false,
"module": "less",
"options": {}
},
"minifier": {
"enable": true,
"options": {}
},
"allowlist": null,
"output": "css",
"versionFile": null
}
favicon
: [String] Location of your favicon file.
"none"
.
"images/favicon.ico"
in apps generated with generator-roosevelt.html
: Generate static HTML pages:
sourcePath
: Subdirectory within staticsRoot
where your static HTML files are located. By default this folder will not be made public, but is instead meant to store unminified / unprocessed HTML template source files which will be rendered, minified, and written to the public
folder when the app is started.
allowlist
: [Array] of [Strings] List of templates to render, minify, and write to the public
folder when the app is started. If the list is empty, all templates in your sourcePath
will be sourced. Supports wildcard matching, e.g. dir/*
.
blocklist
: [Array] of [Strings] List of templates in your sourcePath
to skip. Supports wildcard matching, e.g. dir/*
.
models
: Data to pass to templates by file path / file name.
Example:
{
"models": {
"index.html": {
"some": "data"
},
"subdirectory/otherFile.html": {
"someOther": "data"
}
}
}
If this data is not supplied by configuration, Roosevelt will try to automatically load a model from a JS file with the same name alongside the template if it exists instead. For example if an index.js file exists next to index.html and the model is not defined by configuration like in the example above, then the index.js file will be used to set the model so long as it exports either an object or a function that returns an object.
output
: Subdirectory within publicFolder
where parsed and minified HTML files will be written to.
minifier
: How you want Roosevelt to minify your HTML:
enable
: [Boolean] Whether or not to minify HTML.
minify
param.exceptionRoutes
: [Array] List of controller routes that will skip minification entirely. Set to false
to minify all URLs.
options
: [Object] Parameters to supply to html-minifier's API.
Default: [Object]
{
"sourcePath": "pages",
"allowlist": null,
"blocklist": null,
"models": {},
"output": "",
"minifier": {
"enable": true,
"exceptionRoutes": false,
"options": {
"removeComments": true,
"collapseWhitespace": true,
"collapseBooleanAttributes": true,
"removeAttributeQuotes": true,
"removeEmptyAttributes": true
}
}
}
js
: [Object] How you want Roosevelt to handle module bundling and minifying your frontend JS:
sourcePath
: Subdirectory within staticsRoot
where your JS files are located. By default this folder will not be made public, but is instead meant to store unminified JS source files which will be minified and written to the public
folder when the app is started.
webpack
: Parameters related to bundling JS with Webpack:
enable
: Enable Webpack bundling.
bundles
: [Array] Declare one or more Webpack configurations to bundle JS with.
env
: [String] Bundle only in dev
or prod
mode. Omitting env
will result in bundling in both modes.
config
: [Object] or [String] The Webpack configuration to send to Webpack. Can also be a path to a Webpack config file relative to the app directory.
Examples: [Array] of [Objects]
Webpack bundle example declaring one bundle:
[
{
"config": {
"entry": "${js.sourcePath}/main.js",
"output": {
"path": "${publicFolder}/js",
"filename": "bundle.js"
}
}
}
]
Webpack bundle example declaring one bundle only used in dev
mode:
[
{
"env": "dev",
"config": {
"entry": "${js.sourcePath}/main.js",
"output": {
"path": "${publicFolder}/js",
"filename": "bundle.js"
}
}
}
]
Webpack bundle example declaring multiple bundles:
[
{
"config": {
"entry": "${js.sourcePath}/main.js",
"output": {
"path": "${publicFolder}/js",
"filename": "bundle.js"
}
}
},
{
"config": {
"entry": "${js.sourcePath}/moreStuff.js",
"output": {
"path": "${publicFolder}/js",
"filename": "bundle2.js"
}
}
},
etc...
]
verbose
: [string] Enable Webpack verbose error handler.
Default: [Object] for manually created apps.
{
"sourcePath": "js",
"webpack": {
"enable": false,
"bundles": [],
"verbose": false
}
}
Default: [Object] for apps generated with generator-roosevelt:
{
"sourcePath": "js",
"webpack": {
"enable": true,
"bundles": [{
"config": {
"entry": "${js.sourcePath}/main.js",
"devtool": "source-map",
"output": {
"path": "${publicFolder}/js"
},
"resolve": {
"alias": {
"fs": false,
"path": false
},
"modules": ["${js.sourcePath}", "${publicFolder}/js", "${appDir}", "node_modules"]
}
}
}]
}
}
publicFolder
: All files and folders in this directory will be exposed as static files in development mode or when hostPublic
is enabled.
"public"
.staticsRoot
: Relative path on filesystem to where your source static assets are located. By default this folder will not be made public, but is instead meant to store unprocessed or uncompressed source assets that will later be preprocessed and exposed in public
.
"statics"
.symlinks
: [Array] Declare one or more symlinks to be generated at runtime.
source
: [String] Path to be linked to.
dest
: [String] Path to place symlink.
Default: [Array] of [Objects] []
.
Will be set to the following in apps generated with generator-roosevelt:
[
{
"source": "${staticsRoot}/images",
"dest": "${publicFolder}/images"
}
]
minify
: Enables HTML and CSS minification. This feature is automatically disabled during development mode.
true
.versionedPublic
: If set to true, Roosevelt will prepend your app's version number from package.json
to your public folder. Versioning your public folder is useful for resetting your users' browser cache when you release a new version.
false
.Roosevelt provides a series of events you can attach code to by passing a function to the desired event as a parameter to Roosevelt's constructor like so:
require('roosevelt')({
onServerStart: (app) => { /* do something */ }
})
onServerInit(app)
: Fired when the server begins starting, prior to any actions taken by Roosevelt. Some Express variables exposed by Roosevelt are not available yet during this event.
app
: The Express app created by Roosevelt.onStaticAssetsGenerated(app)
: Fired when the server finishes init but before the server starts.
app
: The Express app created by Roosevelt.onServerStart(app)
: Fired when the server starts.
app
: The Express app created by Roosevelt.onAppExit(app)
: Fired when the app recieves a kill signal.
app
: The Express app created by Roosevelt.onReqStart(req, res, next)
: Fired at the beginning of each new request.
req
: The request object created by Express.res
: The response object created by Express.next
: Callback to continue with the request. Must be called to continue the request.onReqBeforeRoute(req, res, next)
: Fired just before executing the controller.
req
: The request object created by Express.res
: The response object created by Express.next
: Callback to continue with the request. Must be called to continue the request.onReqAfterRoute(req, res)
: Fired after the request ends.
req
: The request object created by Express.res
: The response object created by Express.onClientViewsProcess(template)
: Fired to preprocess templates before being exposed to the client.
template
: A string containing a template written in any JS-based templating engine (e.g. Teddy, Pug, ejs, etc)Place a file named dataModel.js
in mvc/models
.
Here's a simple example dataModel.js
data model:
module.exports = () => {
return {some: 'data'}
}
In more complex apps, you might query a database to get your data instead.
Views by default are Teddy templates. See the Teddy documentation for information about how to write Teddy templates.
You can also use different templating engines by tweaking Roosevelt's MVC parameters.
Controller files are places to write Express routes. A route is the term Express uses for URL endpoints, such as http://yoursite/blog
or http://yoursite/about
.
Controllers bind models and views together.
To make a new controller, make a new file in the controllers directory. For example:
module.exports = (router, app) => {
// router is an Express router
// and app is the Express app created by Roosevelt
// standard Express route
router.route('/about').get((req, res) => {
// load a data model
let model = require('models/dataModel')()
// render a template and pass it the model
res.render('about', model)
})
}
Sometimes it is also useful to separate controller logic from your routing. This can be done by creating a reusable controller module.
An example would be creating a reusable controller for "404 Not Found" pages:
// reusable controller "notFound.js"
module.exports = (app, req, res) => {
let model = { content: 'Cannot find this page' }
res.status(404)
res.render('404', model)
}
Reusable controller modules differ from standard controller modules in that they accept req
and res
arguments in addition to app
. They are meant to be called from within routes rather than define new routes.
This allows them to be called at will in any other controller's route when needed:
// import the "notFound" controller logic previously defined
const throw404 = require('controllers/notFound')
module.exports = (router, app) => {
router.route('/whatever').get((req, res) => {
// test some logic that could fail
// thus triggering the need for the 404 controller
if (something) {
// logic didn't fail
// so render the page normally
let model = require('models/dataModel')
res.render('whatever', model)
}
else {
// logic failed
// so throw the 404 by executing your reusable controller
throw404(app, req, res)
}
})
}
You can also write isomorphic controller files that can be shared on both the client and the server:
// isomorphic controller file about.js
module.exports = (router, app) => {
router.route('/about').get((req, res) => {
let model
// do any pre-render server-side stuff here
if (router.server) {
// populate the model with database queries and other transformations that are exclusive to the server
// isoRequire allows you to require a file only on the server; it will always return false on the client
// this makes it possible to share this file with frontend module bundlers without server-exclusive files
// being included in your bundle
model = router.isoRequire('models/global')(req, res) // get some data common to all pages
// do things you only need to do if it's a server-side render (when serving HTML from the server, not JSON)
if (router.serverSideRender(req)) {
// do SSR-exclusive things here
}
}
// do any pre-render client-side stuff here
if (router.client) {
model = window.model // assuming this was fetched from somewhere at some point beforehand
}
// do any pre-render stuff common to both the backend and frontend here before calling the render method
model.content.pageTitle = 'About'
// if it's an API request (as defined by a request with content-type: 'application/json'), then it will send JSON data
// if not, it will render HTML
router.apiRender(req, res, model) || res.render('about', model)
if (router.client) {
// do any post-render client-side stuff here (e.g. DOM manipulation)
}
})
}
When using controller files on the client, you will need to include and configure roosevelt-router
in your main JS bundle before loading your controller files:
// main.js — frontend JS bundle entry point
// require and configure roosevelt-router
const router = require('roosevelt/lib/roosevelt-router')({
// your templating system (required)
templatingSystem: require('teddy'),
// your templates (required)
// requires use of clientViews feature of roosevelt
templateBundle: require('views'),
// supply a function to be called immediately when roosevelt-router's constructor is invoked
// you can leave this undefined if you're using teddy and you don't want to customize the default SPA rendering behavior
// required if not using teddy, optional if using teddy
onLoad: null,
// define a res.render(template, model) function to render your templates
// you can leave this undefined if you're using teddy and you don't want to customize the default SPA rendering behavior
// required if not using teddy, optional if using teddy
renderMethod: null
})
// load all isomorphic controllers
// leverages isomorphicControllers roosevelt feature
require('controllers')(router)
router.init() // activate router
Constructor parameters:
When you call roosevelt-router
's constructor, e.g. const router = require('roosevelt/lib/roosevelt-router')(params)
, the params
object can accept the following methods:
templatingSystem
(required): Which HTML templating system you would like to use. Supply the Node.js module. teddy
is recommended, but not required.templateBundle
(required): A JavaScript object containing a bundle of HTML templates. It is recommended that you use the clientViews
feature of Roosevelt to supply this, but not required.onLoad
: A function that will be called immediately after roosevelt-router
's constructor is invoked. You can leave this undefined if you're using Teddy and you don't want to customize the default SPA rendering behavior.
renderMethod
: Define a res.render(template, model)
function to render your templates. You can leave this undefined if you're using Teddy and you don't want to customize the default SPA rendering behavior.
Instance members:
When you get a router
object after instantiating roosevelt-router
e.g. const router = require('roosevelt/lib/roosevelt-router')(params)
, the following properties and methods are available to you:
router.isoRequire(module)
: [Function] Like require
but designed to fail silently allowing ||
chaining.
let model = router.isoRequire('models/dataModel') || window.model
.
models/dataModel
does not exist, it will fall back to window.model
.router.apiRender(req, res, model)
: [Function] Server-side method to send JSON data in response to the request instead of HTML, but only when the request's content-type
is application/json
. Otherwise, fails silently allowing ||
chaining.
Arguments:
req
: Express request object for this request.res
: Express response object for this request.model
: Data model to send to the template.Example: router.apiRender(req, res, model) || res.render('about', model)
.
router.onSubmit(callback)
: [Function] Client-side convenience method for handling form submits to the server in a SPA-friendly way. You can of course define your own DOM events however you like, but router.onSubmit
gives you some stuff for free, such as preventing the page reload when the form is submitted, automatically sending a fetch to the server with the form data, automatically detecting if the response is JSON or text, and giving you an easy callback interface to handle the response with minimal boilerplate.
Arguments:
callback
: Callback function to execute when the request is complete. The callback function will be provided with two arguments: a standard event object for the DOM event and the data that was sent back from the request.Example:
router.onSubmit((e, data) => {
// e is the submit event object
// data is the response from the server
})
router.updatePage(markup, targetContainer)
: [Function] Convenience method for replacing some or all of the page with new markup.
Arguments:
markup
: String of markup to update the page with.targetContainer
: What DOM element will be the container for your new markup. If none is specified, the entire <body>
tag will be replaced and the <title>
tag will be updated if the markup fragement containts a <title>
tag.Example with a targetContainer
: router.updatePage(markupFragment, document.getElementById('some-container))
Example without a targetContainer
: router.updatePage(fullPageMarkup)
router.serverSideRender(req)
and router.ssr(req)
: [Function] Server-side method to check to see if the request is full page load (a server-side render) or if it's an API request. Retruns true if it's a full page load or returns false if it is an API request.
req
: Express request object for this request.router.backend
: [Boolean] True if the execution context is the Node.js server.
router.server
: [Boolean] True if the execution context is the Node.js server.
router.frontend
: [Boolean] True if the execution context is the browser.
router.client
: [Boolean] True if the execution context is the browser.
Roosevelt supplies several variables to Express that you may find handy. Access them using app.get('variableName')
.
Express variable | Description |
---|---|
express | The Express module. |
router | Instance of router module used by Roosevelt. |
routePrefix | Prefix appended to routes via the routePrefix param. Will be '' if not set. |
routes | List of all routes loaded in the Express app by Roosevelt. |
viewEngine e.g. teddy by default | Any view engine(s) you define will be exposed as an Express variable. For instance, the default view engine is teddy. So by default app.get('teddy') will return the teddy module. |
view engine | Default view engine file extension, e.g. .html . |
formidable | The formidable module Roosevelt uses internally. Used for handling multipart forms. |
morgan | The morgan module Roosevelt uses internally. HTTP request logger middleware. |
expressSession | The express-session module Roosevelt uses internally. Session middleware. |
logger | The roosevelt-logger module Roosevelt uses internally. Used for console logging. |
modelsPath | Full path on the file system to where your app's models folder is located. |
viewsPath or views | Full path on the file system to where your app's views folder is located. |
controllersPath | Full path on the file system to where your app's controllers folder is located. |
staticsRoot | Full path on the file system to where your app's statics folder is located. |
publicFolder | Full path on the file system to where your app's public folder is located. |
htmlPath | Full path on the file system to where your app's HTML static page source files are located. |
cssPath | Full path on the file system to where your app's CSS source files are located. |
jsPath | Full path on the file system to where your app's JS source files are located. |
htmlRenderedOutput | Full path on the file system to where your app's rendered and minified staic HTML files are located. |
cssCompiledOutput | Full path on the file system to where your app's minified CSS files are located. |
clientViewsBundledOutput | Full path on the file system to where your app's client-exposed views folder is located. |
env | Either development or production . |
params | The parameters you sent to Roosevelt. |
appDir | The directory the main module is in. |
appName | The name of your app derived from package.json . Uses "Roosevelt Express" if no name is supplied. |
appVersion | The version number of your app derived from package.json . |
package | The contents of package.json . |
roosevelt:state | Application state, e.g. disconnecting if the app is currently being shut down. |
Additionally the Roosevelt constructor returns the following object:
Roosevelt constructor returned object members | Description |
---|---|
expressApp | [Object] The Express app created by Roosevelt. |
httpServer | [Object] The http server created by Roosevelt. httpServer is also available as a direct child of app , e.g. app.httpServer . |
httpsServer | [Object] The https server created by Roosevelt. httpsServer is also available as a direct child of app , e.g. app.httpsServer . |
reloadHttpServer | [Object] The http instance of reload created by Roosevelt. |
reloadHttpsServer | [Object] The https instance of reload created by Roosevelt. |
initServer(callback) | [Method] Starts the HTML validator, sets up some middleware, runs the CSS and JS preprocessors, and maps routes, but does not start the HTTP server. Call this method manually first instead of startServer if you need to setup the Express app, but still need to do additional setup before the HTTP server is started. This method is automatically called by startServer once per instance if it has not yet already been called. Takes an optional callback. |
init | [Method] Shorthand for initServer . |
startServer | [Method] Calls the listen method of http , https , or both (depending on your configuration) to start the web server with Roosevelt's config. |
stopServer(close) | [Method] Stops the server and takes an optional argument stopServer('close') which stops the server from accepting new connections before exiting. |
In addition to Roosevelt's built-in support for the LESS, Sass, and Stylus preprocessors you can also define your own preprocessor on the fly at start time in Roosevelt's constructor like so:
let app = require('roosevelt')({
cssCompiler: app => {
return {
versionCode: app => {
// write code to return the version of your app here
},
parse: (app, filePath) => {
// write code to preprocess CSS here
}
}
}
})
cssCompiler(app)
: Custom CSS preprocessor.
versionCode(app)
: Function to return the version of your app. This is needed to support the versionFile
feature of Roosevelt's CSS preprocessor API.
app
: The Express app created by Roosevelt.parse(app, fileName)
: Function to preprocess CSS.
app
: The Express app created by Roosevelt.filePath
: The path to the file being preprocessed.When a custom preprocessor is defined in this way it will override the selected preprocessor specified in css.compiler.module
.
If you want to deploy a Roosevelt live to the internet, there are some things you should do to harden it appropriately if you expect to take significant traffic.
Setting up HTTPS can be tricky to configure properly especially for novices, so it can be tempting not do it to simplify deployment, but your website won't be seen as professional if it isn't served up via HTTPS. It's worth the effort to set it up.
Roosevelt's default session store for express-session
works great if your app only needs a single process, but if you're spreading your app across multiple processes or servers, you will need to reconfigure express-session
to use a caching service that supports replication like redis or a database that supports replication like PostgreSQL in order to scale your app.
To do this, use the production-proxy-mode
command line flag and run the process on multiple cores using a tool like pm2.
Then host your app behind a reverse proxy from a web server like Apache or nginx, which is considered a best practice for Node.js deployments.
Running the app in production-proxy mode runs the app in production mode, but with localhostOnly
set to true and hostPublic
set to false. This mode will make it so your app only listens to requests coming from the proxy server and does not serve anything in the public folder.
You will then need to serve the contents of the public folder directly via Apache or nginx.
When you upgrade to a new version of Roosevelt, your Roosevelt config, npm run scripts, or other ways you use Roosevelt may need to be updated to account for breaking changes. There is a config auditor built-in to Roosevelt to detect most such issues, but not everything you might need to change is automatically detected.
Aside from the config auditor, one of the easiest ways to see what you might need to change in your app during a Roosevelt upgrade is to compare changes to the default sample app over time, which you can view here.
Here's how to set up a development environment to hack on Roosevelt's code:
Fork/clone this repo.
Create or find a Roosevelt app you want to test against.
npx mkroosevelt
.Use the devSync.js
tool to test your fork/clone of Roosevelt against your test app.
To do that:
Run the following command:
Linux/Mac: node devSync.js /path/to/roosevelt/app
.
Windows: node devSync.js path:\\to\\roosevelt\\app
.
You can also set the path in a ROOSEVELT_DEST_DIR
environment variable. When set, you only need to run node devSync.js
.
export ROOSEVELT_DEST_DIR=/path/to/roosevelt/app
.$env:ROOSEVELT_DEST_DIR="path:\\to\\roosevelt\\app"
.export ROOSEVELT_DEST_DIR=/path/to/your/roosevelt/app && node devSync.js
.If you do not provide a path, running the devSync.js
script will prompt you for one.
To stop the script:
control^ + C
.stop
or s
.If some of the automated tests fail for you when they shouldn't be, make sure you remove the test/app
folder and kill any Node.js processes (e.g. killall node
) before running the test suite again.
If you want to see the output from a generated test app in one of the tests, insert this block of code into the test:
testApp.stdout.on('data', (data) => {
console.log(data.toString())
})
You can support Roosevelt's development and maintenance by buying merch or donating. Please note that donations are not tax-deductible. Thank you for your support!
FAQs
Roosevelt MVC web framework
We found that roosevelt demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
Security News
Research
Socket researchers have discovered malicious npm packages targeting crypto developers, stealing credentials and wallet data using spyware delivered through typosquats of popular cryptographic libraries.
Security News
Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.