Security News
GitHub Removes Malicious Pull Requests Targeting Open Source Repositories
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.
yukon is a component-based framework built on top of node/express - which makes 0-n asynchronous REST API calls in parallel to provide back-end data for each express request. It extends the nodulejs component framework.
A really simple yukon component looks like this:
module.exports = function(app) {
return {
route: '/home',
templateName: 'homePage.jade',
apiCalls: [
{path: '/api/cms/home'},
{path: '/api/data/homedata'}
],
preProcessor: function(req, res) {
// pre-API(s) business logic goes here
},
postProcessor: function(req, res) {
// post-API(s) business logic goes here
}
};
};
$ npm install yukon
require('yukon')(app, config);
A nodule is a self-discovering, self-registering web component tied to one or more express routes. With each incoming request, a nodule instance propagates throughout the express middleware chain as req.nodule.
A yukon nodule extends the base nodule behavior to include REST API data gathering, stub-handling and template-rendering. Yukon attaches data returned from the API(s) as the res.yukon object, and sends res.yukon.renderData to the template or straight back to the client as JSON.
Nodulejs was split off from yukon to separate out the core self-discovery and initialization features, which can potentially be a building block for a wide variety of node applications or frameworks.
A nodule is analogous to a JSP or PHP page in those worlds. Unlike PHP/JSP behavior however, a nodule's route is declared and not tied by default to the filename or folder structure. So you are free to re-organize nodules without upsetting urls. More importantly, because nodules are self-discovering, there are no onerous config files to maintain (IE - Spring). This system allows a much more scalable architecture on large sites--as there are no config or other shared files which grow to enormous sizes as the site grows, and nodules can be re-organized with zero impact.
From a feature-development point of view, we wanted to give developers the flexibility of component-based architecture as much as possible, but still keep system-wide control over the middleware chain. On a small site with a small development team the latter might not be an issue. But on a large site with devs scattered all over the globe, some kind of middleware sandbox was a necessity.
Our feature devs spend 80-90% of their effort in jade templates or on the client side. For them, node components are often mostly a pass-through to our back-end API(s)--with some business logic applied to the request on the way in, and api data on the way out. Ideally they should have to learn the as little as possible of the vagaries/plumbing/whatever-your-favorite-metaphor-for-framework-stuff of node. Creating a new node component should be as easy for them as creating a new JSP - but again, without the framework losing control of the middleware chain.
From a framework-development point of view, we knew that as requirements evolved, we would constantly need to add default properties to each component, while hopefully causing as little disruption as possible to existing components. This is easily accomplished by adding a default property to the base config, then specifying the property only in the nodules that need the new property.
We also knew we'd need to add slices of business logic globally or semi-globally at any point in the request chain. By keeping control of the middleware chain we are able to do this with ease.
This diagram might make the concept a little more clear:
Yukon config is broken into 3 sections:
Note: You may occasionally see "MAGIC ALERT" below. This is for the handful of times where the framework does some convenience method that isn't immediately obvious, but comes up so much we felt the code saving was worth the loss in conceptual clarity.
Yukon inherits the 4 core nodulejs defaults:
Yukon also adds the following optional nodule properties:
Yukon defines the following properties for each API call. It is important to understand that these exist in a one-to-many relationship with nodules.
An app can create and use 4 optional express middleware functions, which splice in between the built-in yukon middleware (see yukon.js for more detail):
An app can also create 2 global functions, which are executed before and after every API call. It's important to understand that there can be several API calls per express request. So these functions are not in the standard middleware chain, although the api callback does make use of the middleware paradigm.
There are also 3 global config properties inherited from nodulejs:
Download yukon - https://github.com/jackspaniel/yukon/archive/master.zip
$ npm install
$ make test
(homePage.js from the demoApp)
module.exports = function(app) {
return {
route: ['/', '/home', '/special'], // multiple routes
apiCalls: [
{path: '/api/cms/home'},
{path: '/api/data/homeslices'}
],
// pre-API(s) business logic
preProcessor: function(req, res) {
this.debug('preProcessor called');
if (req.path.indexOf('special') > -1) {
this.apiCalls[1].params = {isSpecial: true}; // setting api params at request-time
this.templateName = 'altHomePage.jade'; // using alternate template
}
},
// post-API(s) business logic
postProcessor: function(req, res) {
this.debug('postProcessor called');
var clientMsg = res.yukon.data2.specialMsg || res.yukon.data2.msg;
res.yukon.renderData = {
globalNav: res.yukon.globalNav,
cmsData: res.yukon.data1,
myData: res.yukon.data2,
clientMsg: clientMsg
};
}
};
};
(getData.js from the demoApp)
module.exports = function(app) {
return {
route : '/json/getData/:id',
apiCalls: [
{path: '/api/getdata/'}, // :id is tacked on by the framework automatically
],
preProcessor: function(req, res) {
this.debug('preProcessor called');
this.apiCalls[0].params = {myParam: req.query.myParam};
},
postProcessor: function(req, res) {
this.debug('postProcessor called');
res.yukon.renderData = {
systemMsg: res.yukon.data1.systemMsg,
data: res.yukon.data1
};
}
};
};
(submitForm.js from the demoApp)
var _ = require('lodash');
module.exports = function(app) {
return {
route : '/json/submitForm',
routeVerb: 'post', // default = get
apiCalls: [{
path: '/api/submitform',
verb: 'post', // post to API
bodyType: 'form', // default = 'json'
}],
preProcessor: function(req, res) {
this.debug('preProcessor called');
if (!_.isEmpty(req.body)) {
this.apiCalls[0].bodyType = 'json';
this.apiCalls[0].params = req.body; // JSON body
}
else {
this.apiCalls[0].params = req.query; // url-encoded
}
},
postProcessor: function(req, res) {
this.debug('postProcessor called');
res.yukon.renderData = {
response: res.yukon.data1
};
}
};
};
(from demoApp.js)
function demoStart(req, res, next) {
debug("demoStart called");
res.locals.pretty = true; // jade pretty setting - turn off at the component level if necessary
// example of setting nodule property globally
if (req.nodule.contentType !== 'html' && req.path.indexOf('/json/') === 0)
req.nodule.contentType = 'json';
// example of app-level logic - simple device detection (used throughout demoApp)
if (req.headers['user-agent'].match(/android/i))
req.deviceType = 'Android';
else if (req.headers['user-agent'].match(/iphone/i))
req.deviceType = 'iPhone';
else if (req.headers['user-agent'].match(/ipad/i))
req.deviceType = 'iPad';
else
req.deviceType = 'web';
next();
}
(from demoApp.js)
function demoApiCallback(callArgs, req, res, next) {
// custom error handling
if (callArgs.apiError && !callArgs.handleError) {
debug(callArgs.apiError.stack || callArgs.apiError);
next(new Error('API failed for '+callArgs.path +': '+callArgs.apiError));
}
else {
var msg = "RESPONSE FROM "+callArgs.apiResponse.req.path+": statusCode=" + callArgs.apiResponse.statusCode;
debug(msg);
// example of app-level logic on every api response (remember there can be multiple API calls per request)
res.yukon[callArgs.namespace].systemMsg = msg;
// used by kitchen sink to test if API custom headers are being set
if (callArgs.apiResponse.req._headers)
res.yukon[callArgs.namespace].customHeaders = callArgs.apiResponse.req._headers;
next();
}
}
For more examples see the Kitchen Sink and the rest of the Demo App
FAQs
Self-discovering data-driven web components
The npm package yukon receives a total of 13 weekly downloads. As such, yukon popularity was classified as not popular.
We found that yukon demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.
Security News
RubyGems.org has added a new "maintainer" role that allows for publishing new versions of gems. This new permission type is aimed at improving security for gem owners and the service overall.
Security News
Node.js will be enforcing stricter semver-major PR policies a month before major releases to enhance stability and ensure reliable release candidates.