README.md
Live Demo: Link
Jump to What's new?
A boilerplate for Node.js web applications.
If you have attended any hackathons in the past, then you know how much time it takes to get a project started: decide on what to build, pick a programming language, pick a web framework, pick a CSS framework. A while later, you might have an initial project up on GitHub, and only then can other team members start contributing. Or how about doing something as simple as Sign in with Facebook authentication? You can spend hours on it if you are not familiar with how OAuth 2.0 works.
When I started this project, my primary focus was on simplicity and ease of use. I also tried to make it as generic and reusable as possible to cover most use cases of hackathon web apps, without being too specific. In the worst case, you can use this as a learning guide for your projects, if for example you are only interested in Sign in with Google authentication and nothing else.
— Adrian Le Bas
— Steven Rueter
— Kevin Granger
"Small world with Sahat's project. We were using his hackathon starter for our hackathon this past weekend and got some prizes. Really handy repo!"
<h4 align="center">Modern Theme</h4> <h4 align="center">Flatly Bootstrap Theme</h4> <h4 align="center">API Examples</h4>— Interview candidate for one of the companies I used to work with.
Login
User Profile and Account Management
Contact Form (powered by SMTP via Mailgun, AWS SES, etc.)
File upload
Device camera
AI Examples and Boilerplates
API Examples
Flash notifications
reCAPTCHA and rate limit protection
CSRF protection
MVC Project Structure
Node.js clusters support
HTTPS Proxy support (via ngrok, Cloudflare, etc.)
Sass stylesheets
Bootstrap 5
"Go to production" checklist
MongoDB (local install OR hosted)
Command Line Tools
Mac OS X: Xcode (or OS X 10.9+: xcode-select --install)
Windows: Visual Studio Code + Windows Subsystem for Linux - Ubuntu OR Visual Studio
Ubuntu / Linux Mint: sudo apt-get install build-essential
Fedora: sudo dnf groupinstall "Development Tools"
OpenSUSE: sudo zypper install --type pattern devel_basis
Note: If you are new to Node or Express, you may find Node.js & Express From Scratch series helpful for learning the basics of Node and Express. Alternatively, here is another great tutorial for complete beginners - Getting Started With Node.js, Express, MongoDB.
Step 1: The easiest way to get started is to clone the repository:
# Get the latest snapshot
git clone https://github.com/sahat/hackathon-starter.git myproject
# Change directory
cd myproject
# Install NPM dependencies
npm install
# Then simply start your app
npm start
Note: I highly recommend installing Nodemon. It watches for any changes in your node.js app and automatically restarts the server. Once installed, instead of node app.js use nodemon app.js. It will
save you a lot of time in the long run, because you won't need to manually restart the server each time you make a small change in code. To install, run sudo npm install -g nodemon.
Step 2: Obtain API Keys and change configs if needed After completing step 1 and locally installing MongoDB, you should be able to access the application through a web browser and use local user accounts. However, certain functions like API integrations may not function correctly until you obtain specific keys from service providers. The keys provided in the project serve as placeholders, and you can retain them for features you are not currently utilizing. To incorporate the acquired keys into the application, you have two options:
export command like this: export FACEBOOK_SECRET=xxxxxx. This method is considered a better practice as it reduces the risk of accidentally including your secrets in a code repository..env.example file: Open the .env.example file and update the placeholder keys with the newly acquired ones. This method has the risk of accidental checking-in of your secrets to code repos.What to get and configure:
SMTP
reCAPTCHA
OAuth for social logins (Sign in with / Login with)
API keys for service providers that you need in the API Examples if you are planning to use them.
MongoDB Atlas
Email address
Step 3: Setup an HTTPS proxy to access the app with an https address: See
Step 4: Develop your application and customize the experience
Step 5: Optional - deploy to production See:
If you want to use an API that requires HTTPS (for example, GitHub or Facebook), you need to run the app with an HTTPS URL. You can do this by setting up an HTTPS proxy using either ngrok or Cloudflare.
Note: When using an HTTPS proxy, you may get a CSRF mismatch error if you try to directly access the app at http://localhost:8080 instead of the HTTPS proxy address.
https://3ccb-1234-abcd.ngrok-free.app). This will be the HTTPS address for accessing the app.trycloudflare.com, execute:cloudflared tunnel --url http://localhost:8080
If you own a domain managed by Cloudflare, you can use Cloudflare's Zero Trust portal to set up a tunnel to your app that is activated by a system service. Alternatively, you can create a tunnel and route a subdomain you like to your app using their CLI:
cloudflared tunnel login
cloudflared tunnel create myapptunnel
cloudflared tunnel route dns myapptunnel myappsubdomain.mydomain.com
cloudflared tunnel --url http://localhost:8080 run myapptunnel
Then set BASE_URL to the HTTPS address for the tunnel. Note that the tunnel and DNS route are a one-time setup. To reactivate the HTTPS tunnel to your app later, such as after a system restart, just rerun:
cloudflared tunnel --url http://localhost:8080 run myapptunnel
To clean up your own domain's related configurations when you're done:
cloudflared tunnel delete myapptunnelmyappsubdomain DNS entry from your domain through the Cloudflare web UI.%USERPROFILE%\.cloudflared (Windows) or ~/.cloudflared (Linux/macOS) if you want to clear local credentials.You will need to obtain appropriate credentials (Client ID, Client Secret, API Key, or Username & Password) for API and service providers which you need. See Step 2 in the Getting started section for more info.
Obtain SMTP credentials from a provider for transactional emails. Set the SMTP_USER, SMTP_PASSWORD, and SMTP_HOST environment variables accordingly. When picking the SMTP host, keep in mind that the app is configured to use secure SMTP transmissions over port 465 out of the box. You have the flexibility to select any provider that suits your needs or take advantage of one of the following providers, each offering a free tier for your convenience.
| Provider | Free Tier | Website |
|---|---|---|
| SMTP2Go | 1000 emails/month for free | https://www.smtp2go.com |
| Brevo | 300 emails/day for free | https://www.brevo.com |
.env.envlocalhost under App Domainshttp://localhost:8080, etc) under _Site URLhttp://localhost:8080/auth/facebook/callback ) under Valid OAuth redirect URIsNote: After a successful sign-in with Facebook, a user will be redirected back to the home page with appended hash #_=_ in the URL. It is not a bug. See this Stack Overflow discussion for ways to handle it.
Go to <a href="https://foursquare.com/developers" target="_blank">Foursquare for Developers</a> and log in
Click on Create a new project button
Enter your Organization and Project Name
Click Create
Navigate to your project
Click Settings in the left-hand-side menu
Generate a Service API Key
Copy and paste the Service API Key as FOURSQUARE_APIKEY in your .env file
http://localhost:8080, etc) as the homepage URL.http://localhost:8080/auth/github/callback ).env file.env file as GIPHY_API_KEY..env file.Sign in with Google:
/auth/google/callback (for example http://localhost:8080/auth/google/callback)..env file.Other APIs:
Open the Enabled APIs & services page for your project in the Google Cloud Console (APIs & Services). Click + Enable APIs and services (top of the page), find the services you need, and enable them:
Next, create API keys for the services you enabled:
GOOGLE_API_KEY into your .env file..env as GOOGLE_RECAPTCHA_SITE_KEY.GOOGLE_MAP_API_KEY into your .env file..env file as DISCORD_CLIENT_ID and DISCORD_CLIENT_SECRET, or set them as environment variables.identify and email./auth/discord/callback (i.e. http://localhost:8080/auth/discord/callback)..env file as HERE_API_KEY, or set it up as an environment variable.HUGGINGFACE_KEY to your .env file or as an environment variable..env filehttp://localhost:8080/auth/linkedin/callback )http://localhost:8080, etc).r_basicprofile.env file/auth/microsoft/callback (e.g., http://localhost:8080/auth/microsoft/callback).env as MICROSOFT_CLIENT_ID.env as MICROSOFT_CLIENT_SECRET (won't be visible again)The OpenAI moderation API for checking harmful inputs is free to use as long as you have paid credits in your OpenAI developer account. The cost of using their other models depends on the model, as well as the input and output size of the API call.
.env file as OPENAI_API_KEY or set it as an environment variable..env file.env file.env file.env file as GROQ_API_KEY or set it as an environment variable./auth/trakt/callback (i.e. http://localhost:8080/auth/trakt/callback or ngrokURL/auth/trakt/callback).env file as TRAKT_ID and TRAKT_SECRET or set them as your environment variables.http://localhost:8080/auth/tumblr/callback ).env filehttp://localhost:8080/auth/twitch/callback ).env.envhttp://localhost:8080, etc).http://localhost:8080/auth/x/callback ).env fileThis project supports integrating web analytics tools such as Google Analytics 4 and Facebook Pixel, along with Open Graph metadata for social sharing. Below are instructions to help you set up these features in your application.
.env file or set it up as an env variableOptional: It is highly recommended to set up a business with Facebook that your personal account along with others you authorize can manage. You would need to Go to Meta Business Suite, register a business and add a business page and your website as an asset for the business.
.env file for FACEBOOK_PIXEL_ID or set it up as an environment variableThe metadata for Open Graph is only set up for the home page (home.pug). Update it to suit your application. You can also add Open Graph metadata to any other page that you plan to share through social media by including the relevant data in the corresponding view.
| Name | Description |
|---|---|
| config/flash.js | Flash middleware (replacement for express-flash) |
| config/morgan.js | Configuration for request logging with morgan. |
| config/nodemailer.js | Configuration and helper function for sending email with nodemailer. |
| config/passport.js | Passport Local and OAuth strategies, plus login middleware. |
| config/token-revocation.js | Helper for revoking OAuth tokens. |
| controllers/ai.js | Controller for /ai route and all ai examples and boilerplates. |
| controllers/api.js | Controller for /api route and all api examples. |
| controllers/contact.js | Controller for contact form. |
| controllers/home.js | Controller for home page (index). |
| controllers/user.js | Controller for user account management. |
| controllers/webauthn.js | Controller for webauthn management (passkey / biometrics login) |
| models/User.js | Mongoose schema and model for User. |
| public/ | Static assets (fonts, css, js, img). |
| public/js/application.js | Specify client-side JavaScript dependencies. |
| public/js/app.js | Place your client-side JavaScript here. |
| public/css/main.scss | Main stylesheet for your app. |
| test/*.js | Tests, related configs and helpers. |
| views/account/ | Templates for login, password reset, signup, profile, webauthn |
| views/ai/ | Templates for AI examples and boilerplates. |
| views/api/ | Templates for API examples. |
| views/partials/flash.pug | Error, info and success flash notifications. |
| views/partials/header.pug | Navbar partial template. |
| views/partials/footer.pug | Footer partial template. |
| views/layout.pug | Base template. |
| views/home.pug | Home page template. |
| .env.example | Your API keys, tokens, passwords and database URI. |
| .gitignore | Folder and files ignored by git. |
| app.js | The main application file. |
| eslint.config.mjs | Rules for eslint linter. |
| package.json | NPM dependencies. |
| package-lock.json | Contains exact versions of NPM dependencies in package.json. |
Note: There is no preference for how you name or structure your views.
You could place all your templates in a top-level views directory without
having a nested folder structure if that makes things easier for you.
Just don't forget to update extends ../layout and corresponding
res.render() paths in controllers.
Dependencies
Required to run the project before your modifications
| Package | Description |
|---|---|
| @fortawesome/fontawesome-free | Symbol and Icon library. |
| @googleapis/drive | Google Drive API integration library. |
| @googleapis/sheets | Google Sheets API integration library. |
| @huggingface/inference | Client library for Hugging Face Inference providers |
| @keyv/mongo | MongoDB storage adapter for Keyv |
| @langchain/community | Third party integrations for Langchain |
| @langchain/core | Base LangChain abstractions and Expression Language |
| @langchain/mongodb | MongoDB integrations for LangChain |
| @langchain/textsplitters | LangChain text splitters for RAG pipelines |
| @lob/lob-typescript-sdk | Lob (USPS mailing / physical mailing service) library. |
| @node-rs/bcrypt | Library for hashing and salting user passwords. |
| @octokit/rest | GitHub API library. |
| @passport-js/passport-twitter | X (Twitter) login support (OAuth 2). |
| @popperjs/core | Frontend js library for poppers and tooltips. |
| @simplewebauthn/browser | WebAuthn frontend library (passkey / biometrics authentication) |
| @simplewebauthn/server | WebAuthn backend library (passkey / biometrics authentication) |
| bootstrap | CSS Framework. |
| bootstrap-social | Social buttons library. |
| bowser | User agent parser |
| chart.js | Front-end js library for creating charts. |
| cheerio | Scrape web pages using jQuery-style syntax. |
| compression | Node.js compression middleware. |
| connect-mongo | MongoDB session store for Express. |
| errorhandler | Development-only error handler middleware. |
| express | Node.js web framework. |
| express-rate-limit | Rate limiting middleware for abuse protection. |
| express-session | Simple session middleware for Express. |
| jquery | Front-end JS library to interact with HTML elements. |
| keyv | key-value storage with support for multiple backends |
| langchain | Framework for developing LLM applications |
| lastfm | Last.fm API library. |
| lusca | CSRF middleware. |
| mailchecker | Verifies that an email address is valid and not a disposable address. |
| mongodb | MongoDB driver |
| mongoose | MongoDB ODM. |
| morgan | HTTP request logger middleware for node.js. |
| multer | Node.js middleware for handling multipart/form-data. |
| nodemailer | Node.js library for sending emails. |
| oauth | OAuth API library without middleware constraints. |
| otpauth | One-Time Password (TOTP/HOTP) library for 2FA authenticator apps. |
| passport | Simple and elegant authentication library for node.js. |
| passport-facebook | Sign-in with Facebook plugin. |
| passport-github2 | Sign-in with GitHub plugin. |
| passport-google-oauth | Sign-in with Google plugin. |
| passport-local | Sign-in with Username and Password plugin. |
| passport-oauth | Allows you to set up your own OAuth 1.0a and OAuth 2.0 strategies. |
| passport-oauth2-refresh | A library to refresh OAuth 2.0 access tokens using refresh tokens. |
| passport-steam-openid | OpenID 2.0 Steam plugin. |
| patch-package | Fix broken node modules ahead of fixes by maintainers. |
| pdfjs-dist | PDF parser |
| pug | Template engine for Express. |
| sass | Sass compiler to generate CSS with superpowers. |
| stripe | Official Stripe API library. |
| twilio | Twilio API library. |
| twitch-passport | Sign-in with Twitch plugin. |
| validator | A library of string validators and sanitizers. |
Dev Dependencies
Required during code development for testing, Hygiene, code styling, etc.
| Package | Description |
|---|---|
| @eslint/js | ESLint JavaScript language implementation. |
| @playwright/test | Automated end-to-end web testing framework (supports headless web browsers) |
| @prettier/plugin-pug | Prettier plugin for formatting pug templates |
| c8 | Coverage test. |
| chai | BDD/TDD assertion library. |
| eslint-config-prettier | Make ESLint and Prettier play nice with each other. |
| eslint | Linter JavaScript. |
| eslint-plugin-chai-friendly | Makes eslint friendly towards Chai.js 'expect' and 'should' statements. |
| eslint-plugin-import-x | ESLint plugin with rules that help validate proper imports. |
| globals | ESLint global identifiers from different JavaScript environments. |
| husky | Git hook manager to automate tasks with git. |
| mocha | Test framework. |
| mongodb-memory-server | In memory mongodb server for testing, so tests can be ran without a DB. |
| prettier | Code formatter. |
| sinon | Test spies, stubs and mocks for JavaScript. |
| supertest | HTTP assertion library. |
filesize(265318); // "265.32 kB".AI tools and large language models (LLMs) can greatly accelerate your ramp-up time, efficiency, and productivity during hackathons. Many of these tools are available for free and offer features that can significantly enhance your coding experience.
You have two main options for accessing these tools:
Integrated tools, like plugins for Visual Studio Code, let you reference your code directly without needing to copy-paste, making them easier to use in many cases. Web-based assistants, on the other hand, require manual copy-pasting but can offer a different approach without impacting the "context" for your integrated tool. Tools and models perform differently depending on their update cycles, so results may vary. If an integrated tool struggles with a task, try copy-pasting the relevant code into a web assistant to troubleshoot. A good starting point is combining Amazon Q and MS Copilot, as these tools tend to produce fewer issues like outdated syntax, vulnerable code, or incomplete solutions compared to other assistants.
Context for LLMs is the additional information that the model needs to make sense of how it should respond to your question, which in coding is probably your existing code, example implementation, or specifications that you might copy-paste or pass to the model. Keep in mind that integrated assistants may not automatically include your project files as the context and may try to answer your question without looking at your code. To include the context:
@[filename] to specify a file or @workspace to include the entire project.Explaining Code and Concepts
x in file y do?" (Copy-paste code into a web-based assistant if using one.)Adding New Features
app.js, config/passport.js, models/User.js, and the relevant views?"Debugging or Fixing Code
x below to achieve y, but I get the following error. Can you help me fix it? --- Can have blocks afterward with a header like ==== error ==== and ==== function x ==== afterward."x. It is supposed to return y when it gets input i but it is returning z."403 Error: Forbidden when submitting a form?You need to add the following hidden input element to your form. This has been added in the pull request #40 as part of the CSRF protection.
input(type='hidden', name='_csrf', value=_csrf)
Note: It is now possible to whitelist certain URLs. In other words, you can specify a list of routes that should bypass the CSRF verification check.
Note 2: To whitelist dynamic URLs use regular expression tests inside the CSRF middleware to see if req.originalUrl matches your desired pattern.
That's a custom error message defined in app.js to indicate that there was a problem connecting to MongoDB:
mongoose.connection.on('error', (err) => {
console.error(err);
console.log('%s MongoDB connection error. Please make sure MongoDB is running.');
process.exit(1);
});
You need to have a MongoDB server running before launching app.js. You can download MongoDB here, or install it via a package manager.
Windows users, read Install MongoDB on Windows.
Tip: If you are always connected to the internet, you could just use MongoDB Atlas instead of downloading and installing MongoDB locally. You will only need to update the database credentials in the .env file.
NOTE: MongoDB Atlas (cloud database) is required for vector store, index, and search features used in AI integrations. These features are NOT available in locally installed MongoDBs.
Chances are you haven't changed the Database URI in .env. If MONGODB is set to localhost, it will only work on your machine as long as MongoDB is running. When you deploy to Render, OpenShift, or some other provider, you will not have MongoDB running on localhost. You need to create an account with MongoDB Atlas, then create a free tier database.
See Deployment for more information on how to set up an account and a new database step-by-step with MongoDB Atlas.
For the sake of simplicity. While there might be a better approach, such as passing app context to each controller as outlined in this blog, I find such a style to be confusing for beginners. It took me a long time to grasp the concept of exports and module.exports, let alone having a global app reference in other files. That to me is backward thinking.
The app.js is the "heart of the app", it should be the one referencing models, routes, controllers, etc.
When working solo on small projects, I prefer to have everything inside app.js as is the case with this REST API server.
This section is intended for giving you a detailed explanation of how a particular functionality works. Maybe you are just curious about how it works, or perhaps you are lost and confused while reading the code, I hope it provides some guidance to you.
HTML5 UP has many beautiful templates that you can download for free.
When you download the ZIP file, it will come with index.html, images, CSS and js folders. So, how do you integrate it with Hackathon Starter? Hackathon Starter uses the Bootstrap CSS framework, but these templates do not. Trying to use both CSS files at the same time will likely result in undesired effects.
Note: Using the custom templates approach, you should understand that you cannot reuse any of the views I have created: layout, the home page, API browser, login, signup, account management, contact. Those views were built using Bootstrap grid and styles. You will have to manually update the grid using a different syntax provided in the template. Having said that, you can mix and match if you want to do so: Use Bootstrap for the main app interface, and a custom template for a landing page.
Let's start from the beginning. For this example I will use Escape Velocity template:
Note: For the sake of simplicity I will only consider index.html, and skip left-sidebar.html,
no-sidebar.html, right-sidebar.html.
Move all JavaScript files from html5up-escape-velocity/js to public/js. Then move all CSS files from html5up-escape-velocity/css to public/css. And finally, move all images from html5up-escape-velocity/images to public/images. You could move it to the existing img folder, but that would require manually changing every img reference. Grab the contents of index.html and paste it into HTML To Pug.
Note: Do not forget to update all the CSS and JS paths accordingly.
Create a new file escape-velocity.pug and paste the Pug markup in views folder.
Whenever you see the code res.render('account/login') - that means it will search for views/account/login.pug file.
Let's see how it looks. Create a new controller escapeVelocity inside controllers/home.js:
exports.escapeVelocity = (req, res) => {
res.render('escape-velocity', {
title: 'Landing Page',
});
};
And then create a route in app.js. I placed it right after the index controller:
app.get('/escape-velocity', homeController.escapeVelocity);
Restart the server (if you are not using nodemon); then you should see the new template at http://localhost:8080/escape-velocity
I will stop right here, but if you would like to use this template as more than just a single page, take a look at how these Pug templates work: layout.pug - base template, index.pug - home page, partials/header.pug - Bootstrap navbar, partials/footer.pug - sticky footer. You will have to manually break it apart into smaller pieces. Figure out which part of the template you want to keep the same on all pages - that's your new layout.pug.
Then, each page that changes, be it index.pug, about.pug, contact.pug
will be embedded in your new layout.pug via block content. Use existing templates as a reference.
This is a rather lengthy process, and templates you get from elsewhere might have yet another grid system. That's why I chose Bootstrap for the Hackathon Starter. Many people are already familiar with Bootstrap, plus it's easy to get started with it if you have never used Bootstrap. You can also buy many beautifully designed Bootstrap themes at various vendors, and use them as a drop-in replacement for Hackathon Starter, just make sure they support the latest version of Bootstrap. However, if you would like to go with a completely custom HTML/CSS design, this should help you to get started!
<hr>Flash messages allow you to display a message at the end of the request and access it on the next request and only the next request. For instance, on a failed login attempt, you would display an alert with some error message, but as soon as you refresh that page or visit a different page and come back to the login page, that error message will be gone. It is only displayed once.
This project uses a middleware for displaying flash messages. You don't have to explicitly send a flash message to every view inside res.render().
All flash messages are available in your views via messages object by default.
Flash messages have a two-step process. You use req.flash('errors', { msg: 'Error messages goes here' }
to create a flash message in your controllers, and then display them in your views:
if messages.errors
.alert.alert-danger.fade.in
each error in messages.errors
div= error.msg
In the first step, 'errors' is the name of a flash message, which should match the name of the property on messages object in your views. You place alert messages inside if message.errors because you don't want to show them flash messages are present.
The reason why you pass an error like { msg: 'Error message goes here' } instead of just a string - 'Error message goes here', is for the sake of consistency.
To clarify that, express-validator module which is used for validating and sanitizing user's input, returns all errors as an array of objects, where each object has a msg property with a message why an error has occurred. Here is a more general example of what express-validator returns when there are errors present:
[
{ param: 'name', msg: 'Name is required', value: '<received input>' },
{ param: 'email', msg: 'A valid email is required', value: '<received input>' },
];
To keep consistent with that style, you should pass all flash messages as { msg: 'My flash message' } instead of a string. Otherwise, you will see an alert box without an error message. That is because in partials/flash.pug template it will try to output error.msg (i.e. "My flash message".msg), in other words, it will try to call a msg method on a String object, which will return undefined. Everything I just mentioned about errors, also applies to "info" and "success" flash messages, and you could even create a new one yourself, such as:
Data Usage Controller (Example)
req.flash('warning', { msg: 'You have exceeded 90% of your data usage' });
User Account Page (Example)
if messages.warning
.alert.alert-warning.fade.in
each warning in messages.warning
div= warning.msg
partials/flash.pug is a partial template that contains how flash messages are formatted. Previously, flash messages were scattered throughout each view that used flash messages (contact, login, signup, profile), but now, thankfully it uses a DRY approach.
The flash messages partial template is included in the layout.pug, along with footer and navigation.
body
include partials/header
.container
include partials/flash
block content
include partials/footer
If you have any further questions about flash messages, please feel free to open an issue, and I will update this mini-guide accordingly, or send a pull request if you would like to include something that I missed.
<hr>A more correct way to say this would be "How do I create a new route?" The main file app.js contains all the routes.
Each route has a callback function associated with it. Sometimes you will see three or more arguments for a route. In a case like that, the first argument is still a URL string, while middle arguments are what's called middleware. Think of middleware as a door. If this door prevents you from continuing forward, you won't get to your callback function. One such example is a route that requires authentication.
app.get('/account', passportConfig.isAuthenticated, userController.getAccount);
It always goes from left to right. A user visits /account page. Then isAuthenticated middleware checks if you are authenticated:
exports.isAuthenticated = (req, res, next) => {
if (req.isAuthenticated()) {
return next();
}
res.redirect('/login');
};
If you are authenticated, you let this visitor pass through your "door" by calling return next();. It then proceeds to the
next middleware until it reaches the last argument, which is a callback function that typically renders a template on GET requests or redirects on POST requests. In this case, if you are authenticated, you will be redirected to the Account Management page; otherwise, you will be redirected to the Login page.
exports.getAccount = (req, res) => {
res.render('account/profile', {
title: 'Account Management',
});
};
Express.js has app.get, app.post, app.put, app.delete, but for the most part, you will only use the first two HTTP verbs, unless you are building a RESTful API.
If you just want to display a page, then use GET, if you are submitting a form, sending a file then use POST.
Here is a typical workflow for adding new routes to your application. Let's say we are building a page that lists all books from the database.
Step 1. Start by defining a route.
app.get('/books', bookController.getBooks);
Note: As of Express 4.x you can define your routes like so:
app.route('/books').get(bookController.getBooks).post(bookController.createBooks).put(bookController.updateBooks).delete(bookController.deleteBooks);
And here is how a route would look if it required an authentication and an authorization middleware:
app.route('/api/twitch').all(passportConfig.isAuthenticated).all(passportConfig.isAuthorized).get(apiController.getTwitch).post(apiController.postTwitch);
Use whichever style makes sense to you. Either one is acceptable. I think that chaining HTTP verbs on app.route is a very clean and elegant approach, but on the other hand, I can no longer see all my routes at a glance when you have one route per line.
Step 2. Create a new schema and a model Book.js inside the models directory.
const mongoose = require('mongoose');
const bookSchema = new mongoose.Schema({
name: String,
});
const Book = mongoose.model('Book', bookSchema);
module.exports = Book;
Step 3. Create a new controller file called book.js inside the controllers directory.
/**
* GET /books
* List all books.
*/
const Book = require('../models/Book.js');
exports.getBooks = (req, res) => {
Book.find((err, docs) => {
res.render('books', { books: docs });
});
};
Step 4. Import that controller in app.js.
const bookController = require('./controllers/book');
Step 5. Create books.pug template.
extends layout
block content
.page-header
h3 All Books
ul
each book in books
li= book.name
That's it! I will say that you could have combined Step 1, 2, 3 as following:
app.get('/books', (req, res) => {
Book.find((err, docs) => {
res.render('books', { books: docs });
});
});
Sure, it's simpler, but as soon as you pass 1000 lines of code in app.js it becomes a little challenging to navigate the file.
I mean, the whole point of this boilerplate project was to separate concerns, so you could work with your teammates without running into MERGE CONFLICTS. Imagine you have four developers working on a single app.js, I promise you it won't be fun resolving merge conflicts all the time.
If you are the only developer, then it's okay. But as I said, once it gets up to a certain LoC size, it becomes difficult to maintain everything in a single file.
That's all there is to it. Express.js is super simple to use. Most of the time you will be dealing with other APIs to do the real work: Mongoose for querying database, socket.io for sending and receiving messages over WebSockets, sending emails via Nodemailer, form validation using validator.js library, parsing websites using Cheerio, etc.
<hr>LangChain v1 ReAct agent intended as a starting point for building new AI agents. The end-to-end implementation supports:
To build your Agent using this controller as a starting point, you need to do two things:
Edit the systemPrompt in createAIAgent() to describe what the agent does and which tools it can use.
systemPrompt: `You are a helpful [... e.g. travel, personal assistant, exam grading] agent.
Your responsibilities:
1. [YOUR_RESPONSIBILITY_1]
2. [YOUR_RESPONSIBILITY_2]
3. [YOUR_RESPONSIBILITY_3]
Available tools:
[LIST_YOUR_TOOLS_HERE]`
Add tools specific to your project by replacing the existing tools in the tools array inside createAIAgent().
The existing tool functions can be removed.
Tools follow this structure and use a Zod schema for input validation:
const myTool = tool(
async ({ input }, config) => {
config.writer?.({ message: 'Calling my service...' });
// Call your API or database
const result = await callYourAPI(input);
return JSON.stringify(result);
},
{
name: 'my_tool',
description: 'Does something specific',
schema: z.object({
input: z.string().describe('The input'),
}),
},
);
These functions handle streaming, parsing, and session management and typically do not need modification:
promptGuardMiddleware() : LangChain middleware that classifies user input before the agent processes it. Blocks unsafe prompts and redirects the conversation.getCheckpointer() : Initializes the MongoDB checkpointer for session persistence.cleanupOrphanedTempSessions() : Cleans up checkpoint data for unauthenticated users whose Express sessions have expired. Called on app startup.getAIAgent(req, res) : Express route (GET /ai/ai-agent) - Renders the AI agent demo page and loads prior messages.postAIAgentChat(req, res) : Express route (POST /ai/ai-agent/chat) - Main SSE endpoint. Streams AI responses, tool progress, and debug data.postAIAgentReset(req, res) : Express route (POST /ai/ai-agent/reset) - Clears the user's chat session from MongoDB.deleteUserAIAgentData(userId) : Called when a user deletes their account to clean up their chat data.sendSSE(res, eventType, data) : Sends typed SSE events to the frontend.extractAIMessages(data) : Extracts user-visible AI messages from agent stream updates.extractStatus(data) : Derives tool call and completion status messages.The AI Agent requires these environment variables:
GROQ_API_KEY : Your Groq API keyGROQ_MODEL : The main LLM model (e.g., llama-3.3-70b-versatile)GROQ_MODEL_PROMPT_GUARD : The guard model for input safety (e.g., meta-llama/llama-guard-4-12b)Dan Stroot submitted an excellent pull request that adds a real-time dashboard with socket.io. And as much as I'd like to add it to the project, I think it violates one of the main principles of the Hackathon Starter:
When I started this project, my primary focus was on simplicity and ease of use. I also tried to make it as generic and reusable as possible to cover most use cases of hackathon web apps, without being too specific.
When I need to use socket.io, I really need it, but most of the time - I don't. But more importantly, WebSockets support is still experimental on most hosting providers. Due to past provider issues with WebSockets, I have not include socket.io as part of the Hackathon Starter. For now... If you need to use socket.io in your app, please continue reading.
First, you need to install socket.io:
npm install socket.io
Replace const app = express(); with the following code:
const app = express();
const server = require('http').Server(app);
const io = require('socket.io')(server);
I like to have the following code organization in app.js (from top to bottom): module dependencies,
import controllers, import configs, connect to database, express configuration, routes,
start the server, socket.io stuff. That way I always know where to look for things.
Add the following code at the end of app.js:
io.on('connection', (socket) => {
socket.emit('greet', { hello: 'Hey there browser!' });
socket.on('respond', (data) => {
console.log(data);
});
socket.on('disconnect', () => {
console.log('Socket disconnected');
});
});
One last thing left to change:
app.listen(app.get('port'), () => {
to
server.listen(app.get('port'), () => {
At this point, we are done with the back-end.
You now have a choice - to include your JavaScript code in Pug templates or have all your client-side JavaScript in a separate file - in app.js. I admit, when I first started with Node.js and JavaScript in general, I placed all JavaScript code inside templates because I have access to template variables passed in from Express right then and there. It's the easiest thing you can do, but also the least efficient and harder to maintain. Since then I almost never include inline JavaScript inside templates anymore.
But it's also understandable if you want to take the easier road. Most of the time you don't even care about performance during hackathons, you just want to "get shit done" before the time runs out. Well, either way, use whichever approach makes more sense to you. At the end of the day, it's what you build that matters, not how you build it.
If you want to stick all your JavaScript inside templates, then in layout.pug - your main template file, add this to the head block.
script(src='/socket.io/socket.io.js')
script.
let socket = io.connect(window.location.href);
socket.on('greet', function (data) {
console.log(data);
socket.emit('respond', { message: 'Hey there, server!' });
});
Note: Notice the path of the socket.io.js, you don't actually have to have socket.io.js file anywhere in your project; it will be generated automatically at runtime.
If you want to have JavaScript code separate from templates, move that inline script code into app.js, inside the $(document).ready() function:
$(document).ready(function () {
// Place JavaScript code here...
let socket = io.connect(window.location.href);
socket.on('greet', function (data) {
console.log(data);
socket.emit('respond', { message: 'Hey there, server!' });
});
});
And we are done!
Declares a read-only named constant.
const name = 'yourName';
Declares a block scope local variable.
let index = 0;
Using the `${}` syntax, strings can embed expressions.
const name = 'Oggy';
const age = 3;
console.log(`My cat is named ${name} and is ${age} years old.`);
To import functions, objects, or primitives exported from an external module. These are the most common types of importing.
const name = require('module-name');
const { foo, bar } = require('module-name');
To export functions, objects, or primitives from a given file or module.
module.exports = { myFunction };
module.exports.name = 'yourName';
module.exports = myFunctionOrClass;
The spread operator allows an expression to be expanded in places where multiple arguments (for function calls) or multiple elements (for array literals) are expected.
myFunction(...iterableObject);
<ChildComponent {...this.props} />
A Promise is used in asynchronous computations to represent an operation that hasn't completed yet but is expected in the future.
var p = new Promise(function (resolve, reject) {});
The catch() method returns a Promise and deals with rejected cases only.
p.catch(function (reason) {
/* handle rejection */
});
The then() method returns a Promise. It takes two arguments: callback for the success & failure cases.
p.then(
function (value) {
/* handle fulfillment */
},
function (reason) {
/* handle rejection */
},
);
The Promise.all(iterable) method returns a promise that resolves when all of the promises in the iterable argument have resolved or rejects with the reason of the first passed promise that rejects.
Promise.all([p1, p2, p3]).then(function (values) {
console.log(values);
});
Arrow function expression. Shorter syntax & lexically binds the this value. Arrow functions are anonymous.
(singleParam) => {
statements;
};
() => {
statements;
};
(param1, param2) => expression;
const arr = [1, 2, 3, 4, 5];
const squares = arr.map((x) => x * x);
The class declaration creates a new class using prototype-based inheritance.
class Person {
constructor(name, age, gender) {
this.name = name;
this.age = age;
this.gender = gender;
}
incrementAge() {
this.age++;
}
}
:gift: Credits: DuckDuckGo and @DrkSephy.
:top: <sub>back to top</sub>
Math.floor(Date.now() / 1000);
var now = new Date();
now.setMinutes(now.getMinutes() + 30);
// DD-MM-YYYY
var now = new Date();
var DD = now.getDate();
var MM = now.getMonth() + 1;
var YYYY = now.getFullYear();
if (DD < 10) {
DD = '0' + DD;
}
if (MM < 10) {
MM = '0' + MM;
}
console.log(MM + '-' + DD + '-' + YYYY); // 03-30-2016
// hh:mm (12 hour time with am/pm)
var now = new Date();
var hours = now.getHours();
var minutes = now.getMinutes();
var amPm = hours >= 12 ? 'pm' : 'am';
hours = hours % 12;
hours = hours ? hours : 12;
minutes = minutes < 10 ? '0' + minutes : minutes;
console.log(hours + ':' + minutes + ' ' + amPm); // 1:43 am
var today = new Date();
var nextWeek = new Date(today.getTime() + 7 * 24 * 60 * 60 * 1000);
var today = new Date();
var yesterday = date.setDate(date.getDate() - 1);
:top: <sub>back to top</sub>
User.find((err, users) => {
console.log(users);
});
let userEmail = '[email protected]';
User.findOne({ email: { $eq: email.toLowerCase() } }).then((user) => {
console.log(user);
});
User.find()
.sort({ _id: -1 })
.limit(5)
.exec((err, users) => {
console.log(users);
});
Let's suppose that each user has a votes field and you would like to count the total number of votes in your database across all users. One very inefficient way would be to loop through each document and manually accumulate the count. Or you could use MongoDB Aggregation Framework instead:
User.aggregate({ $group: { _id: null, total: { $sum: '$votes' } } }, (err, votesCount) => {
console.log(votesCount.total);
});
:top: <sub>back to top</sub>
Using a local instance on your laptop with ngrok is a good solution for your demo during the hackathon, and you wouldn't necessarily need to deploy to a cloud platform. If you wish to have your app run 24x7 for a general audience, once you are ready to deploy your app, you will need to create an account with a cloud platform to host it. There are a number of cloud service providers out there that you can research. Service providers like AWS and Azure provide a free tier of service which can help you get started with just some minor costs (such as traffic overage if any, etc).
0.0.0.0/0. Click SAVE to save the 0.0.0.0/0 whitelist..env.example with this URI string. Make sure to replace the <PASSWORD> with the db User password that you created under the Security tab.We are deploying your changes. You will need to wait for the deployment to finish before using the DB in your application.If you are starting with this boilerplate to build an application for prod deployment, or if after your hackathon you would like to get your project hardened for production use, see prod-checklist.md.
Hackathon Starter includes both unit tests and end-to-end (E2E) tests.
test/e2e/ and test/e2e-nokey/. The nokey tests are tests that don't require API keys to run.During a hackathon, you typically don't need to worry about E2E tests; they can slow you down when you're focused on rapid prototyping. However, if you plan to launch your project for real-world use, adding and maintaining E2E tests is strongly recommended. They help ensure that future changes don't unintentionally break existing functionality.
The existing E2E tests cover the example API integrations included in the starter project. You can use these as examples or templates when creating your own test files, adapting them to match your project's specific views and workflows.
You can run the tests using:
npm test # unit tests (core functions)
npm run test:e2e:live # All E2E tests with previously recorded API responses
npm run test:e2e:replay # E2E (replay fixtures - recorded API responses)
You can run a single E2E Test file like the following:
# Run tests in a single test file against live APIs
npx playwright test test/e2e.../testfile.e2e.test.js --config=test/playwright.config.js --project=chromium
# Run tests in a single test file while replaying recorded API responses from the fixtures
npx playwright test test/e2e.../testfile.e2e.test.js --config=test/playwright.config.js --project=chromium-replay
# Run tests in a single test file against live APIs and capture the API responses as fixtures for replay later
npx playwright test test/e2e.../testfile.e2e.test.js --config=test/playwright.config.js --project=chromium-record
For more information on creating or running E2E tests see test/TESTING.md
You can find the changelog for the project in: CHANGELOG.md
If something is unclear, confusing, or needs to be refactored, please let me know. Pull requests are always welcome, but due to the opinionated nature of this project, I cannot accept every pull request. Please open an issue before submitting a pull request. This project uses Airbnb JavaScript Style Guide with a few minor exceptions. If you are submitting a pull request that involves Pug templates, please make sure you are using spaces, not tabs.
The MIT License (MIT)
Copyright (c) 2014-2026 Sahat Yalkabov
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.