# NodeJS Reference

Quick reference for Node.js/Express development. Detailed patterns in `.kilo/skills/nodejs-*`.

## Checklist

- [ ] `const`/`let` only, never `var`
- [ ] async/await everywhere, Promise.all for parallel ops
- [ ] try/catch with centralized error middleware (never swallow)
- [ ] Validate + sanitize input; parameterized queries; helmet middleware
- [ ] express.Router() for routes; handlers thin; error handler last
- [ ] Transactions for multi-write DB operations
- [ ] Structured logging (pino/winston); never log sensitive data
- [ ] JWT: short-lived access + refresh tokens; httpOnly cookies; never put secrets in payload
- [ ] bcrypt for passwords (cost ≥ 12); never store plaintext
- [ ] .env for secrets; validate required env vars on startup
- [ ] Exact dependency versions; `npm audit` regularly
- [ ] Streaming for large files; pagination for lists; compression middleware

## Common Patterns

```
routes/user.js → router.get('/', auth, validate, ctrl.list)
middleware/error.js → app.use(errorHandler) // last
db → connection pool, transactions for writes
tests → Jest, 80%+ coverage, mock externals
```
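The checklist items "try/catch with centralized error middleware (never swallow)", "error handler last" and "validate required env vars on startup" are easiest to see together in working code. The following is an added example, not code from the page or from any project it refers to: it uses the Express `(err, req, res, next)` handler signature but runs without installing Express, because the tiny `runRoute` helper stands in for the app. The names `asyncHandler`, `HttpError`, `errorHandler`, `requireEnv`, `runRoute`, the sample `getUser` route and the sample records are all assumptions of this example.

```javascript
// Added example (not the page's or any project's code): centralized error
// middleware, an async wrapper so rejections are never swallowed, and fail-fast
// validation of required environment variables. All helper names are assumed.

// Wrap an async route handler so a rejected promise reaches next(err) instead of
// being swallowed (Express 4 does not forward async rejections on its own).
function asyncHandler(fn) {
  return (req, res, next) => Promise.resolve(fn(req, res, next)).catch(next);
}

// Operational errors carry an HTTP status; anything else is treated as a 500.
class HttpError extends Error {
  constructor(status, message) {
    super(message);
    this.status = status;
  }
}

// Centralized error handler, registered last via app.use(errorHandler(logger)).
// The full error goes to the structured log; the client only ever sees the
// message of a known operational error, never a stack trace or a 5xx detail.
function errorHandler(logger) {
  return (err, req, res, next) => { // 4-arg signature is what marks it as error middleware
    const status = Number.isInteger(err.status) ? err.status : 500;
    logger.error({ status, message: err.message, path: req.path });
    const body = status >= 500 ? { error: 'Internal Server Error' } : { error: err.message };
    res.status(status).json(body);
  };
}

// Fail fast at startup when a required variable is missing or blank, and hand
// back only the named values so process.env is not read all over the code base.
function requireEnv(names, env = process.env) {
  const missing = names.filter((n) => typeof env[n] !== 'string' || env[n].trim() === '');
  if (missing.length > 0) {
    throw new Error(`Missing required environment variables: ${missing.join(', ')}`);
  }
  return Object.fromEntries(names.map((n) => [n, env[n]]));
}

// ---- Minimal Express-like plumbing so the example runs stand-alone ----

// Runs one route handler; on next(err) the error middleware receives the error,
// the way Express skips ahead to the first 4-argument middleware. Resolves with
// the mock response as soon as something has sent a JSON body.
function runRoute(handler, errorMw, req) {
  return new Promise((resolve) => {
    const res = {
      statusCode: 200,
      body: undefined,
      status(code) { this.statusCode = code; return this; },
      json(payload) { this.body = payload; resolve(this); return this; },
    };
    handler(req, res, (err) => {
      if (err) errorMw(err, req, res, () => resolve(res));
      else resolve(res);
    });
  });
}

// Sample route (constructed): validates input and lets the error middleware
// separate operational errors from internal ones.
const getUser = asyncHandler(async (req, res) => {
  const id = Number(req.params.id);
  if (!Number.isInteger(id) || id <= 0) {
    throw new HttpError(400, 'id must be a positive integer');
  }
  if (req.simulateDbFailure) {
    // Constructed internal failure: its text belongs in the log, not on the wire.
    throw new Error('connect ECONNREFUSED 127.0.0.1:5432');
  }
  if (id !== 1) throw new HttpError(404, 'user not found');
  res.status(200).json({ id, name: 'alice' }); // constructed sample record
});

// In-memory structured logger standing in for pino/winston.
const logEntries = [];
const logger = { error: (entry) => logEntries.push(entry) };
const handleError = errorHandler(logger);

// Stand-alone demo: one success, one validation error, one internal error.
Promise.all([
  runRoute(getUser, handleError, { params: { id: '1' }, path: '/users/1' }),
  runRoute(getUser, handleError, { params: { id: 'abc' }, path: '/users/abc' }),
  runRoute(getUser, handleError, { params: { id: '1' }, path: '/users/1', simulateDbFailure: true }),
]).then((results) => {
  for (const r of results) console.log(r.statusCode, JSON.stringify(r.body));
  console.log('logged:', JSON.stringify(logEntries));
});
```

The point to check in your own app is the 500 case: the `ECONNREFUSED` text appears in the log entry but the response body is the generic `Internal Server Error`, and because `asyncHandler` forwards the rejection to `next`, the request does not hang and the error is not lost. `requireEnv` belongs at the top of the entry point, before the database pool or JWT signing is configured, so a missing `JWT_SECRET` stops the process rather than surfacing as a runtime failure later.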