Repository files navigation

Live Demo:Link

Jump toWhat's new?

A boilerplate forNode.js web applications.

If you have attended any hackathons in the past, then you know how much time it takes to get a project started: decide on what to build, pick a programming language, pick a web framework, pick a CSS framework. A while later, you might have an initial project up on GitHub, and only then can other team members start contributing. Or how about doing something as simple asSign in with Facebook authentication? You can spend hours on it if you are not familiar with how OAuth 2.0 works.

When I started this project, my primary focus was onsimplicity andease of use.I also tried to make it asgeneric andreusable as possible to cover most use cases of hackathon web apps, without being too specific. In the worst case, you can use this as a learning guide for your projects, if for example you are only interested inSign in with Google authentication and nothing else.

"Nice! That README alone is already gold!"
— Adrian Le Bas

"Awesome. Simply awesome."
— Steven Rueter

"I'm using it for a year now and many projects, it's an awesome boilerplate and the project is well maintained!"
— Kevin Granger

"Small world with Sahat's project. We were using his hackathon starter for our hackathon this past weekend and got some prizes. Really handy repo!"
— Interview candidate for one of the companies I used to work with.

• Features
• Prerequisites
• Getting Started
• HTTPS Proxy
• Obtaining API Keys
• Web Analytics
• Open Graph
• Project Structure
• List of Packages
• Useful Tools and Resources
• Recommended Design Resources
• Recommended Node.js Libraries
• Recommended Client-side Libraries
• Using AI Assistants
• FAQ
• How It Works
• Cheatsheets
  • ES6
  • JavaScript Date
  • Mongoose Cheatsheet
• Deployment
• Docker
• Production
• Changelog
• Contributing
• License

• Login

  • Local Authentication Sign in with Email and Password, Passwordless
  • OAuth 2.0 Authentication: Sign in with Google, Microsoft, Facebook, X (Twitter), Twitch, GitHub, Discord
  • OpenID Connect: Sign in with LinkedIn

• User Profile and Account Management

  • Gravatar
  • Profile Details
  • Password management (Change, Reset, Forgot)
  • Verify Email
  • Link multiple OAuth provider accounts to one account
  • Delete Account

• Contact Form (powered by SMTP via Mailgun, AWS SES, etc.)

• File upload

• Device camera

• AI Examples and Boilerplates

  • RAG with semantic and embedding caching
  • Llama Instruct, Llama Vision
  • OpenAI Moderation
  • Support for a range of foundational and embedding models (DeepSeek, Llama, Mistral, Sentence Transformers, etc.) via LangChain, Together.AI, and Hugging Face

• API Examples

  • Backoffice: Lob (USPS Mail), Paypal, Quickbooks, Stripe, Twilio (text messaging)
  • Data, Media & Entertainment: Alpha Vantage (stocks and finance info) with ChartJS, Github, Foursquare, Last.fm, New York Times, PubChem (chemical information), Trakt.tv (movies/TV), Twitch, Tumblr (OAuth 1.0a example), Web Scraping, Tenor (GIFs)
  • Maps and Location: Google Maps, HERE Maps
  • Productivity: Google Drive, Google Sheets

• Flash notifications

• reCAPTCHA and rate limit protection

• CSRF protection

• MVC Project Structure

• Node.js clusters support

• HTTPS Proxy support (via ngrok, Cloudflare, etc.)

• Sass stylesheets

• Bootstrap 5

• "Go to production" checklist

• MongoDB (local install OR hosted)

  • Local Install:MongoDB
  • Hosted: No need to install, see the MongoDB Atlas section

• Node.js LTS 24

  • Highly recommended: Use/Upgrade your Node.js to the latest Node.js LTS version.

• Command Line Tools

•  Mac OS X:Xcode (orOS X 10.9+:xcode-select --install)

•  Windows:Visual Studio Code +Windows Subsystem for Linux - Ubuntu ORVisual Studio

•  Ubuntu / Linux Mint:sudo apt-get install build-essential

•  Fedora:sudo dnf groupinstall "Development Tools"

•  OpenSUSE:sudo zypper install --type pattern devel_basis

Note: If you are new to Node or Express, you may findNode.js & Express From Scratch series helpful for learning the basics of Node and Express. Alternatively, here is another great tutorial for complete beginners -Getting Started With Node.js, Express, MongoDB.

Step 1: The easiest way to get started is to clone the repository:

# Get the latest snapshotgit clone https://github.com/sahat/hackathon-starter.git myproject# Change directorycd myproject# Install NPM dependenciesnpm install# Then simply start your appnpm start

Note: I highly recommend installingNodemon. It watches for any changes in your node.js app and automatically restarts the server. Once installed, instead ofnode app.js usenodemon app.js. It willsave you a lot of time in the long run, because you won't need to manually restart the server each time you make a small change in code. To install, runsudo npm install -g nodemon.

Step 2: Obtain API Keys and change configs if neededAfter completing step 1 and locally installing MongoDB, you should be able to access the application through a web browser and use local user accounts. However, certain functions like API integrations may not function correctly until you obtain specific keys from service providers. The keys provided in the project serve as placeholders, and you can retain them for features you are not currently utilizing. To incorporate the acquired keys into the application, you have two options:

1. Set environment variables in your console session: Alternatively, you can set the keys as environment variables directly through the command prompt. For instance, in bash, you can use theexport command like this:export FACEBOOK_SECRET=xxxxxx. This method is considered a better practice as it reduces the risk of accidentally including your secrets in a code repository.
2. Replace the keys in the.env.example file: Open the.env.example file and update the placeholder keys with the newly acquired ones. This method has the risk of accidental checking-in of your secrets to code repos.

What to get and configure:

• SMTP

  • For user workflows for reset password and verify email
  • For contact form processing

• reCAPTCHA

  • For contact form submission, but you can skip it during your development

• OAuth for social logins (Sign in with / Login with)

  • Depending on your application need, obtain keys from Google, Facebook, X (Twitter), LinkedIn, Twitch, GitHub. You don't have to obtain valid keys for any provider that you don't need. Just remove the buttons and links in the login and account pug views before your demo.

• API keys for service providers that you need in the API Examples if you are planning to use them.

• MongoDB Atlas

  • If you are using MongoDB Atlas instead of a local db, set the MONGODB_URI to your db URI (including your db user/password).

• Email address

  • Set SITE_CONTACT_EMAIL as your incoming email address for messages sent to you through the contact form.
  • Set TRANSACTION_EMAIL as the "From" address for emails sent to users through the lost password or email verification emails to users. You may set this to the same address as SITE_CONTACT_EMAIL.

Step 3: Setup an HTTPS proxy to access the app with an https address:See

• HTTPS Proxy

Step 4: Develop your application and customize the experience

• Check outHow It Works

Step 5: Optional - deploy to productionSee:

• Deployment
• prod-checklist.md

If you want to use an API that requires HTTPS (for example, GitHub or Facebook), you need to run the app with an HTTPS URL. You can do this by setting up an HTTPS proxy using either ngrok or Cloudflare.Note: When using an HTTPS proxy, you may get a CSRF mismatch error if you try to directly access the app athttp://localhost:8080 instead of the HTTPS proxy address.

• Downloadngrok.
• Start ngrok.
• Set your BASE_URL to the forwarding address from ngrok (i.e.,https://3ccb-1234-abcd.ngrok-free.app). This will be the HTTPS address for accessing the app.

• Download and installcloudflared.
• For a quick, free tunnel with a random subdomain undertrycloudflare.com, execute:

cloudflared tunnel --url http://localhost:8080

• Set BASE_URL to the HTTPS address for the tunnel.

If you own a domain managed by Cloudflare, you can use Cloudflare's Zero Trust portal to set up a tunnel to your app that is activated by a system service. Alternatively, you can create a tunnel and route a subdomain you like to your app using their CLI:

cloudflared tunnel logincloudflared tunnel create myapptunnelcloudflared tunnel route dns myapptunnel myappsubdomain.mydomain.comcloudflared tunnel --url http://localhost:8080 run myapptunnel

Then set BASE_URL to the HTTPS address for the tunnel.Note that the tunnel and DNS route are a one-time setup. To reactivate the HTTPS tunnel to your app later, such as after a system restart, just rerun:

cloudflared tunnel --url http://localhost:8080 run myapptunnel

To clean up your own domain's related configurations when you're done:

• Delete the tunnel by executingcloudflared tunnel delete myapptunnel
• Remove themyappsubdomain DNS entry from your domain through the Cloudflare web UI.
• Remove%USERPROFILE%\.cloudflared (Windows) or~/.cloudflared (Linux/macOS) if you want to clear local credentials.

You will need to obtain appropriate credentials (Client ID, Client Secret, API Key, or Username & Password) for API and service providers which you need. See Step 2 in the Getting started section for more info.

Obtain SMTP credentials from a provider for transactional emails. Set the SMTP_USER, SMTP_PASSWORD, and SMTP_HOST environment variables accordingly. When picking the SMTP host, keep in mind that the app is configured to use secure SMTP transmissions over port 465 out of the box. You have the flexibility to select any provider that suits your needs or take advantage of one of the following providers, each offering a free tier for your convenience.

• VisitFacebook Developers
• ClickMy Apps, then select *Add a New App from the dropdown menu
• Enter a new name for your app
• Click on theCreate App ID button
• Find the Facebook Login Product and click onFacebook Login
• Instead of going through their Quickstart, click onSettings for your app in the top left corner
• Copy and pasteApp ID andApp Secret keys into.env
• Note:App ID isFACEBOOK_ID,App Secret isFACEBOOK_SECRET in.env
• Enterlocalhost underApp Domains
• Choose aCategory that best describes your app
• Click on+ Add Platform and selectWebsite
• Enter your BASEURL value (i.e.http://localhost:8080, etc) under _Site URL
• Click on theSettings tab in the left nav under Facebook Login
• Enter your BASE_URL value followed by /auth/facebook/callback (i.e.http://localhost:8080/auth/facebook/callback ) under Valid OAuth redirect URIs

Note: After a successful sign-in with Facebook, a user will be redirected back to the home page with appended hash#_=_ in the URL. It isnot a bug. See thisStack Overflow discussion for ways to handle it.

• Go toFoursquare for Developers and log in

• Click onCreate a new project button

• Enter yourOrganization andProject Name

• ClickCreate

• Navigate to your project

• ClickSettings in the left-hand-side menu

• Generate a Service API Key

• Copy and paste the Service API Key asFOURSQUARE_APIKEY in your.env file

• Go toAccount Settings
• SelectDeveloper settings from the sidebar
• Then click onOAuth Apps and then onRegister new application
• EnterApplication Name andHomepage URL. Enter your BASE_URL value (i.e.http://localhost:8080, etc) as the homepage URL.
• ForAuthorization Callback URL: your BASE_URL value followed by /auth/github/callback (i.e.http://localhost:8080/auth/github/callback )
• ClickRegister application
• Now copy and pasteClient ID andClient Secret keys into.env file

• VisitGoogle Cloud Console
• Click on theCreate Project button
• EnterProject Name, then clickCreate
• Copy the Project ID for your project and add it as GOOGLE_PROJECT_ID in your.env file.
• Then add the APIs and services that apply to your application. If the UI doesn't let you add them during project creation, you can add them later via theAPIs & Services page (left sidebar) or by searching for them in the top search bar.

Sign in with Google:

• Go to theCredentials tab, clickCreate credentials, and chooseOAuth client ID.
• SelectWeb application, and forAuthorized redirect URI use your BASE_URL value followed by/auth/google/callback (for examplehttp://localhost:8080/auth/google/callback).
• Copy and paste theClient ID andClient secret into your.env file.
• Update the OAuth consent screen if needed.

Other APIs:

Open theEnabled APIs & services page for your project in the Google Cloud Console (APIs & Services). Click+ Enable APIs and services (top of the page), find the services you need, and enable them:

• reCAPTCHA Enterprise API (recommended for the contact form)
• Google Drive API
• Google Sheets API
• Maps JavaScript API
• Tenor API

Next, create API keys for the services you enabled:

• For backend API calls (Google Drive, Sheets, or Tenor), create a single API key and restrict it to those APIs. Copy the key asGOOGLE_API_KEY into your.env file.
• For reCAPTCHA, follow the instructions atGoogle Cloud reCAPTCHA Docs and create a web checkbox reCAPTCHA key. No code changes are required. Just copy the reCAPTCHA site key into.env asGOOGLE_RECAPTCHA_SITE_KEY.
• For the Google Maps JavaScript API, use a separate API key from your backend key because the key is sent to the front end and can be exposed. Restrict this key to your website on the credentials page. Do NOT use "localhost" as the restriction since it is not unique to your application. Once configured, copy the API key asGOOGLE_MAP_API_KEY into your.env file.

• Go toTeams tab in the Discord Developer Portal and create a new team. This allows you to manage your Discord applications under a team name instead of your personal account.
• After creating a team, switch to theApplications tab in the Discord Developer Portal.
• Click onNew Application and give your app a name. When prompted, select your team as the owner.
• In the left sidebar, click onOAuth2 >General.
• Copy theClient ID andClient Secret (you may need to "reset" the client secret to obtain it for the first time), then paste them into your.env file asDISCORD_CLIENT_ID andDISCORD_CLIENT_SECRET, or set them as environment variables.
• In the left sidebar, click onOAuth2 >URL Generator.
• UnderScopes, selectidentify andemail.
• UnderRedirects, add your BASE_URL value followed by/auth/discord/callback (i.e.http://localhost:8080/auth/discord/callback).
• Save changes.

• Go tohttps://developer.here.com
• Sign up for the Base plan. The Base plan require a credit card to start, but you get 30,000 map renders for free each month.
• Create JAVASCRIPT/REST credentials. Copy and paste the API key into the.env file as HERE_API_KEY, or set it up as an environment variable.
• Set up Trusted Domain - Your credentials will go to the client-side (browser of the users). You need to enable trusted domains and add your test domain address. Otherwise, others may be able to use your credentials on other websites, go through your quota, and potentially leave you with a bill.

• Go tohttps://huggingface.co and create an account.
• Go to your Account Settings and create a new Access Token. Make sure you have granted the"Make calls to Inference Provider" permission to your token.
• Add your token asHUGGINGFACE_KEY to your.env file or as an environment variable.

• Go tohttps://developer.intuit.com/app/developer/qbo/docs/get-started
• Use the Sign Up option in the upper right corner of the screen (navbar) to get a free developer account and a sandbox company.
• Create a new app by going to your Dashboard using the My Apps option in the top nav bar or by going tohttps://developer.intuit.com/app/developer/myapps
• In your App, under Development, Keys & OAuth (right nav), find the Client ID and Client Secret for your.env file

• Sign in atLinkedIn Developer Network
• From the account name dropdown menu selectAPI Keys
• It may ask you to sign in once again
• Click+ Add New Application button
• Fill out all therequired fields
• OAuth 2.0 Redirect URLs: your BASE_URL value followed by /auth/linkedin/callback (i.e.http://localhost:8080/auth/linkedin/callback )
• JavaScript API Domains: your BASE_URL value (i.e.http://localhost:8080, etc).
• ForDefault Application Permissions make sure at least the following is checked:
• r_basicprofile
• Finish by clickingAdd Application button
• Copy and pasteAPI Key andSecret Key keys into.env file
• API Key is yourclientID
• Secret Key is yourclientSecret

• Go toMicrosoft Entra admin center and sign in
• ClickApp registrations >+ New registration
• Enter an application name (e.g., "Hackathon Starter App") and selectAccounts in any organizational directory and personal Microsoft accounts
• SetRedirect URI toWeb with your BASE_URL followed by/auth/microsoft/callback (e.g.,http://localhost:8080/auth/microsoft/callback)
• ClickRegister, then copy theApplication (client) ID to.env asMICROSOFT_CLIENT_ID
• Go toCertificates & secrets >+ New client secret, add a description and expiration, then clickAdd
• Copy the secretValue immediately to.env asMICROSOFT_CLIENT_SECRET (won't be visible again)

• VisitLob Dashboard
• Create an account
• Once logged into the dashboard, go to Settings in the bottom left corner of the page. (If there is a bottom pop-up, you may need to close it to see the Settings option.)
• Go to the API Keys tab and get your Secret API key for the Test Environment. No physical paper mail will be sent out if you use the Test key, but you can see the PDF of what would have been mailed from your app (with some limitations) through the dashboard. If you use the Live key, they will actually print a physical letter, put it in an envelope with postage, place it in a USPS mailbox, and bill you for it.

The OpenAI moderation API for checking harmful inputs is free to use as long as you have paid credits in your OpenAI developer account. The cost of using their other models depends on the model, as well as the input and output size of the API call.

• VisitOpenAI API Keys
• Sign in or create an OpenAI account.
• Click onCreate new secret key to generate an API key.
• Copy and paste the generated API key into your.env file asOPENAI_API_KEY or set it as an environment variable.

• VisitPayPal Developer
• Log in to your PayPal account
• ClickApplications > Create App in the navigation bar
• EnterApplication Name, then clickCreate app
• Copy and pasteClient ID andSecret keys into.env file
• App ID isclient_id,App Secret isclient_secret
• Changehost to api.paypal.com if you want to test against production and use the live credentials

• Go tohttp://steamcommunity.com/dev/apikey
• Sign in with your existing Steam account
• Enter yourDomain Name based on your BASE_URL, then and clickRegister
• Copy and pasteKey into.env file

• Sign up or log into yourdashboard
• Click on your profile and click on Account Settings
• Then click onAPI Keys
• Copy theSecret Key. and add this into.env file

• VisitTogether AI
• Sign in or create a Together AI account.
• Click onCreate API Key to generate a new key. You will also be able to access your API key under your account settings in the API Keys tab.
• Copy and paste the generated API key into your.env file asTOGETHERAI_API_KEY or set it as an environment variable.
• Go to Together AI's Models page and pick a model based on your use case and budget and specify it asTOGETHERAI_MODEL in your.env file or as an environment variable (e.g.togethercomputer/llama-3-70b-chat).

• Sign up or sign in to your trakt.tv account and go toTrakt.tv Applications.
• Create a new application and fill in the required fields:
  • Name: Your app name.
  • Redirect URI: Set to your BASE_URL value followed by/auth/trakt/callback (i.e.http://localhost:8080/auth/trakt/callback orngrokURL/auth/trakt/callback)
  • Leave the JavaScript origins blank as we won't be using client-side API calls.
• ClickSave App.
• Copy and paste theClient ID andClient Secret into your.env file asTRAKT_ID andTRAKT_SECRET or set them as your environment variables.

• Go tohttp://www.tumblr.com/oauth/apps
• Once signed in, click+Register application
• Fill in all the details
• ForDefault Callback URL: your BASE_URL value followed by /auth/tumblr/callback (i.e.http://localhost:8080/auth/tumblr/callback )
• Click✔Register
• Copy and pasteOAuth consumer key andOAuth consumer secret keys into.env file

• Visit theTwitch developer console
• If prompted, authorize the dashboard to access your twitch account
• In the Console, click on Register Your Application
• Enter the name of your application
• Use OAuth Redirect URLs enter your BASE_URL value followed by /auth/twitch/callback (i.e.http://localhost:8080/auth/twitch/callback )
• Set Category to Website Integration and press the Create button
• After the application has been created, click on the Manage button
• Copy and pasteClient ID into.env
• If there is no Client Secret displayed, click on the New Secret button and then copy and paste theClient secret into.env

• Go tohttps://www.twilio.com/try-twilio
• Sign up for an account.
• Once logged into the dashboard, expand the link 'show api credentials'
• Copy your Account Sid and Auth Token
• Note that you also need to set TWILIO_FROM_NUMBER environment variable to a number you have registered with Twilio and are authorized to send messages from. The +15005550006 placeholder in the .env.example file can be used in the sandbox environment for testing without registering a sending phone number with Twilio.

• Sign in athttps://developer.x.com/
• Start with the Free tier
• ClickCreate a new application
• Enter your application name, website and description. Set the website as your BASE_URL value (i.e.http://localhost:8080, etc).
• ForCallback URL: your BASE_URL value followed by /auth/x/callback (i.e.http://localhost:8080/auth/x/callback )
• Go toSettings tab
• UnderApplication Type selectRead and Write access
• Check the boxAllow this application to be used to Sign in with X
• ClickUpdate this X's applications settings
• Copy and pasteConsumer Key andConsumer Secret keys into.env file

This project supports integrating web analytics tools such as Google Analytics 4 and Facebook Pixel, along with Open Graph metadata for social sharing. Below are instructions to help you set up these features in your application.

• Go toGoogle Analytics
• Create a new GA4 property so you create a Measurement ID.
• Copy and paste your Measurement ID into.env file or set it up as an env variable

Optional: It is highly recommended to set up a business with Facebook that your personal account along with others you authorize can manage. You would need to Go toMeta Business Suite, register a business and add a business page and your website as an asset for the business.

• Go toMeta Event Manager
• If you have set up a business, switch from your personal to your business account and pick your business asset using the drop down in the upper right corner of the page.
• Use the Connect Data option to add a Web data source and create a Pixel ID
• Copy and paste the Pixel ID into.env file for FACEBOOK_PIXEL_ID or set it up as an environment variable

The metadata for Open Graph is only set up for the home page (home.pug). Update it to suit your application. You can also add Open Graph metadata to any other page that you plan to share through social media by including the relevant data in the corresponding view.

Note: There is no preference for how you name or structure your views.You could place all your templates in a top-levelviews directory withouthaving a nested folder structure if that makes things easier for you.Just don't forget to updateextends ../layout and correspondingres.render() paths in controllers.

Dependencies

Required to run the project before your modifications

Dev Dependencies

Required during code development for testing, Hygiene, code styling, etc.

• Microsoft Copilot - Free AI Assistant that can help you with coding questions as well
• HTML to Pug converter - HTML to PUG is a free online converter helping you to convert HTML files to pug syntax in real-time.
• Favicon Generator - Generate favicons for PC, Android, iOS, Windows 8.

• Code Guide - Standards for developing flexible, durable, and sustainable HTML and CSS.
• Bootsnipp - Code snippets for Bootstrap.
• Bootstrap Zero - Free Bootstrap templates themes.
• Google Bootstrap - Google-styled theme for Bootstrap.
• Font Awesome Icons - It's already part of the Hackathon Starter, so use this page as a reference.
• Colors - A nicer color palette for the web.
• Creative Button Styles - awesome button styles.
• Creative Link Effects - Beautiful link effects in CSS.
• Medium Scroll Effect - Fade in/out header background image as you scroll.
• GeoPattern - SVG background pattern generator.
• Trianglify - SVG low-poly background pattern generator.

• Nodemon - Automatically restart Node.js server on code changes.
• geoip-lite - Geolocation coordinates from IP address.
• Filesize.js - Pretty file sizes, e.g.filesize(265318); // "265.32 kB".
• Numeral.js - Library for formatting and manipulating numbers.
• sharp - Node.js module for resizing JPEG, PNG, WebP and TIFF images.

• Framework7 - Full Featured HTML Framework For Building iOS7 Apps.
• InstantClick - Makes your pages load instantly by pre-loading them on mouse hover.
• NProgress.js - Slim progress bars like on YouTube and Medium.
• Hover - Awesome CSS3 animations on mouse hover.
• Magnific Popup - Responsive jQuery Lightbox Plugin.
• Offline.js - Detect when user's internet connection goes offline.
• Alertify.js - Sweet looking alerts and browser dialogs.
• selectize.js - Styleable select elements and input tags.
• drop.js - Powerful Javascript and CSS library for creating dropdowns and other floating displays.
• scrollReveal.js - Declarative on-scroll reveal animations.

AI tools and large language models (LLMs) can greatly accelerate your ramp-up time, efficiency, and productivity during hackathons. Many of these tools are available for free and offer features that can significantly enhance your coding experience.

You have two main options for accessing these tools:

• Web-based chat interfaces: Platforms likeChatGPT andMS Copilot
• Integrated code assistants: Tools likeAmazon Q (CodeWhisperer),GitHub Copilot, and Gemini Code Assist integrate directly into code editors, such as Visual Studio Code.

Integrated tools, like plugins for Visual Studio Code, let you reference your code directly without needing to copy-paste, making them easier to use in many cases. Web-based assistants, on the other hand, require manual copy-pasting but can offer a different approach without impacting the "context" for your integrated tool. Tools and models perform differently depending on their update cycles, so results may vary. If an integrated tool struggles with a task, try copy-pasting the relevant code into a web assistant to troubleshoot. A good starting point is combining Amazon Q and MS Copilot, as these tools tend to produce fewer issues like outdated syntax, vulnerable code, or incomplete solutions compared to other assistants.

Context for LLMs is the additional information that the model needs to make sense of how it should respond to your question, which in coding is probably your existing code, example implementation, or specifications that you might copy-paste or pass to the model. Keep in mind that integrated assistants may not automatically include your project files as the context and may try to answer your question without looking at your code. To include the context:

• Amazon Q: Use@[filename] to specify a file or@workspace to include the entire project.
• GitHub Copilot: Click the "Add Context" button in the chat and manually add specific files or choose Codebase for full project context. Note that you need to set the copilot mode to "Ask", "Edit", etc based on your intended conversation.

Explaining Code and Concepts

• "Can you explain how this project handles sanitization of user inputs?"
• "What does functionx in filey do?" (Copy-paste code into a web-based assistant if using one.)
• "Can you walk me through what this regex does?"

Adding New Features

• "I want to add login functionality for [OAuth2 provider]. The project already includes similar logins for other providers. Can you guide me through the required changes toapp.js,config/passport.js,models/User.js, and the relevant views?"
  Pro Tip: If the assistant misses some changes, follow up with specific files or provide relevant documentation for better accuracy.
• "Can you help me design an addition to this project to do the following. I don't need any code yet, and want to work on the design and refine it before moving to an implementation. --- continue with a bullet point list of your requirements"

Debugging or Fixing Code

• "I modified the functionx below to achievey, but I get the following error. Can you help me fix it? --- Can have blocks afterward with a header like==== error ==== and==== function x ==== afterward."
• "Can you help me fix a bug in the following function or functionx. It is supposed to returny when it gets inputi but it is returningz."
• "Can you check my comments for spelling issues?".

You need to add the following hidden input element to your form. This has been added in thepull request #40 as part of the CSRF protection.

input(type='hidden', name='_csrf', value=_csrf)

Note: It is now possible to whitelist certain URLs. In other words, you can specify a list of routes that should bypass the CSRF verification check.

Note 2: To whitelist dynamic URLs use regular expression tests inside the CSRF middleware to see ifreq.originalUrl matches your desired pattern.

That's a custom error message defined inapp.js to indicate that there was a problem connecting to MongoDB:

mongoose.connection.on('error',(err)=>{console.error(err);console.log('%s MongoDB connection error. Please make sure MongoDB is running.');process.exit(1);});

You need to have a MongoDB server running before launchingapp.js. You can download MongoDBhere, or install it via a package manager.Windows users, readInstall MongoDB on Windows.

Tip: If you are always connected to the internet, you could just useMongoDB Atlas instead of downloading and installing MongoDB locally. You will only need to update the database credentials in the.env file.

NOTE: MongoDB Atlas (cloud database) is required for vector store, index, and search features used in AI integrations. These features are NOT available in locally installed MongoDBs.

Chances are you haven't changed theDatabase URI in.env. IfMONGODB is set tolocalhost, it will only work on your machine as long as MongoDB is running. When you deploy to Render, OpenShift, or some other provider, you will not have MongoDB running onlocalhost. You need to create an account withMongoDB Atlas, then create a free tier database.SeeDeployment for more information on how to set up an account and a new database step-by-step with MongoDB Atlas.

For the sake of simplicity. While there might be a better approach, such as passingapp context to each controller as outlined in thisblog, I find such a style to be confusing for beginners. It took me a long time to grasp the concept ofexports andmodule.exports, let alone having a globalapp reference in other files. That to me is backward thinking.Theapp.js is the "heart of the app", it should be the one referencing models, routes, controllers, etc.When working solo on small projects, I prefer to have everything insideapp.js as is the case with this REST API server.

This section is intended for giving you a detailed explanation of how a particular functionality works. Maybe you are just curious about how it works, or perhaps you are lost and confused while reading the code, I hope it provides some guidance to you.

HTML5 UP has many beautiful templates that you can download for free.

When you download the ZIP file, it will come withindex.html,images,CSS andjs folders. So, how do you integrate it with Hackathon Starter? Hackathon Starter uses the Bootstrap CSS framework, but these templates do not.Trying to use both CSS files at the same time will likely result in undesired effects.

Note: Using the custom templates approach, you should understand that you cannot reuse any of the views I have created: layout, the home page, API browser, login, signup, account management, contact. Those views were built using Bootstrap grid and styles. You will have to manually update the grid using a different syntax provided in the template.Having said that, you can mix and match if you want to do so: Use Bootstrap for the main app interface, and a custom template for a landing page.

Let's start from the beginning. For this example I will useEscape Velocity template:

Note: For the sake of simplicity I will only considerindex.html, and skipleft-sidebar.html,no-sidebar.html,right-sidebar.html.

Move all JavaScript files fromhtml5up-escape-velocity/js topublic/js. Then move all CSS files fromhtml5up-escape-velocity/css topublic/css. And finally, move all images fromhtml5up-escape-velocity/images topublic/images. You could move it to the existingimg folder, but that would require manually changing everyimg reference. Grab the contents ofindex.html and paste it intoHTML To Pug.

Note: Do not forget to update all the CSS and JS paths accordingly.

Create a new fileescape-velocity.pug and paste the Pug markup inviews folder.Whenever you see the coderes.render('account/login') - that means it will search forviews/account/login.pug file.

Let's see how it looks. Create a new controllerescapeVelocity insidecontrollers/home.js:

exports.escapeVelocity=(req,res)=>{res.render('escape-velocity',{title:'Landing Page',});};

And then create a route inapp.js. I placed it right after the index controller:

app.get('/escape-velocity',homeController.escapeVelocity);

Restart the server (if you are not usingnodemon); then you should see the new template athttp://localhost:8080/escape-velocity

I will stop right here, but if you would like to use this template as more than just a single page, take a look at how these Pug templates work:layout.pug - base template,index.pug - home page,partials/header.pug - Bootstrap navbar,partials/footer.pug - sticky footer. You will have to manually break it apart into smaller pieces. Figure out which part of the template you want to keep the same on all pages - that's your newlayout.pug.Then, each page that changes, be itindex.pug,about.pug,contact.pugwill be embedded in your newlayout.pug viablock content. Use existing templates as a reference.

This is a rather lengthy process, and templates you get from elsewhere might have yet another grid system. That's why I choseBootstrap for the Hackathon Starter.Many people are already familiar withBootstrap, plus it's easy to get started with it if you have never usedBootstrap.You can also buy many beautifully designedBootstrap themes at various vendors, and use them as a drop-in replacement for Hackathon Starter, just make sure they support the latest version of Bootstrap. However, if you would like to go with a completely custom HTML/CSS design, this should help you to get started!

Flash messages allow you to display a message at the end of the request and access it on the next request and only the next request. For instance, on a failed login attempt, you would display an alert with some error message, but as soon as you refresh that page or visit a different page and come back to the login page, that error message will be gone. It is only displayed once.This project uses a middleware for displaying flash messages. You don't have to explicitly send a flash message to every view insideres.render().All flash messages are available in your views viamessages object by default.

Flash messages have a two-step process. You usereq.flash('errors', { msg: 'Error messages goes here' }to create a flash message in your controllers, and then display them in your views:

ifmessages.errors.alert.alert-danger.fade.ineach errorinmessages.errors      div=error.msg

In the first step,'errors' is the name of a flash message, which should match the name of the property onmessages object in your views. You place alert messages insideif message.errors because you don't want to show them flash messages are present.The reason why you pass an error like{ msg: 'Error message goes here' } instead of just a string -'Error message goes here', is for the sake of consistency.To clarify that,express-validator module which is used for validating and sanitizing user's input, returns all errors as an array of objects, where each object has amsg property with a message why an error has occurred. Here is a more general example of what express-validator returns when there are errors present:

[{param:'name',msg:'Name is required',value:'<received input>'},{param:'email',msg:'A valid email is required',value:'<received input>'},];

To keep consistent with that style, you should pass all flash messages as{ msg: 'My flash message' } instead of a string. Otherwise, you will see an alert box without an error message. That is because inpartials/flash.pug template it will try to outputerror.msg (i.e."My flash message".msg), in other words, it will try to call amsg method on aString object, which will returnundefined. Everything I just mentioned about errors, also applies to "info" and "success" flash messages, and you could even create a new one yourself, such as:

Data Usage Controller (Example)

req.flash('warning', { msg: 'You have exceeded 90% of your data usage' });

User Account Page (Example)

ifmessages.warning.alert.alert-warning.fade.ineach warninginmessages.warning      div=warning.msg

partials/flash.pug is a partial template that contains how flash messages are formatted. Previously, flash messages were scattered throughout each view that used flash messages (contact, login, signup, profile), but now, thankfully it uses aDRY approach.

The flash messages partial template isincluded in thelayout.pug, along with footer and navigation.

bodyincludepartials/header.containerincludepartials/flashblockcontentincludepartials/footer

If you have any further questions about flash messages, please feel free to open an issue, and I will update this mini-guide accordingly, or send a pull request if you would like to include something that I missed.

A more correct way to say this would be "How do I create a new route?" The main fileapp.js contains all the routes.Each route has a callback function associated with it. Sometimes you will see three or more arguments for a route. In a case like that, the first argument is still a URL string, while middle arguments are what's called middleware. Think of middleware as a door. If this door prevents you from continuing forward, you won't get to your callback function. One such example is a route that requires authentication.

app.get('/account',passportConfig.isAuthenticated,userController.getAccount);

It always goes from left to right. A user visits/account page. ThenisAuthenticated middleware checks if you are authenticated:

exports.isAuthenticated=(req,res,next)=>{if(req.isAuthenticated()){returnnext();}res.redirect('/login');};

If you are authenticated, you let this visitor pass through your "door" by callingreturn next();. It then proceeds to thenext middleware until it reaches the last argument, which is a callback function that typically renders a template onGET requests or redirects onPOST requests. In this case, if you are authenticated, you will be redirected to theAccount Management page; otherwise, you will be redirected to theLogin page.

exports.getAccount=(req,res)=>{res.render('account/profile',{title:'Account Management',});};

Express.js hasapp.get,app.post,app.put,app.delete, but for the most part, you will only use the first two HTTP verbs, unless you are building a RESTful API.If you just want to display a page, then useGET, if you are submitting a form, sending a file then usePOST.

Here is a typical workflow for adding new routes to your application. Let's say we are building a page that lists all books from the database.

Step 1. Start by defining a route.

app.get('/books',bookController.getBooks);

Note: As of Express 4.x you can define your routes like so:

app.route('/books').get(bookController.getBooks).post(bookController.createBooks).put(bookController.updateBooks).delete(bookController.deleteBooks);

And here is how a route would look if it required anauthentication and anauthorization middleware:

app.route('/api/twitch').all(passportConfig.isAuthenticated).all(passportConfig.isAuthorized).get(apiController.getTwitch).post(apiController.postTwitch);

Use whichever style makes sense to you. Either one is acceptable. I think that chaining HTTP verbs onapp.route is a very clean and elegant approach, but on the other hand, I can no longer see all my routes at a glance when you have one route per line.

Step 2. Create a new schema and a modelBook.js inside themodels directory.

constmongoose=require('mongoose');constbookSchema=newmongoose.Schema({name:String,});constBook=mongoose.model('Book',bookSchema);module.exports=Book;

Step 3. Create a new controller file calledbook.js inside thecontrollers directory.

/** * GET /books * List all books. */constBook=require('../models/Book.js');exports.getBooks=(req,res)=>{Book.find((err,docs)=>{res.render('books',{books:docs});});};

Step 4. Import that controller inapp.js.

constbookController=require('./controllers/book');

Step 5. Createbooks.pug template.

extendslayoutblockcontent.page-header    h3 All Books  uleach bookin books      li=book.name

That's it! I will say that you could have combined Step 1, 2, 3 as following:

app.get('/books',(req,res)=>{Book.find((err,docs)=>{res.render('books',{books:docs});});});

Sure, it's simpler, but as soon as you pass 1000 lines of code inapp.js it becomes a little challenging to navigate the file.I mean, the whole point of this boilerplate project was to separate concerns, so you could work with your teammates without running intoMERGE CONFLICTS. Imagine you have four developers working on a singleapp.js, I promise you it won't be fun resolving merge conflicts all the time.If you are the only developer, then it's okay. But as I said, once it gets up to a certain LoC size, it becomes difficult to maintain everything in a single file.

That's all there is to it. Express.js is super simple to use.Most of the time you will be dealing with other APIs to do the real work:Mongoose for querying database, socket.io for sending and receiving messages over WebSockets, sending emails viaNodemailer, form validation usingvalidator.js library, parsing websites usingCheerio, etc.

Dan Stroot submitted an excellentpull request that adds a real-time dashboard with socket.io.And as much as I'd like to add it to the project, I think it violates one of the main principles of the Hackathon Starter:

When I started this project, my primary focus was on simplicity and ease of use.I also tried to make it as generic and reusable as possible to cover most use cases ofhackathon web apps,without being too specific.

When I need to use socket.io, Ireally need it, but most of the time - I don't. But more importantly, WebSockets support is still experimental on most hosting providers.Due to past provider issues with WebSockets, I have not include socket.io as part of the Hackathon Starter.For now...If you need to use socket.io in your app, please continue reading.

First, you need to install socket.io:

npminstallsocket.io

Replaceconst app = express(); with the following code:

constapp=express();constserver=require('http').Server(app);constio=require('socket.io')(server);

I like to have the following code organization inapp.js (from top to bottom): module dependencies,import controllers, import configs, connect to database, express configuration, routes,start the server, socket.io stuff. That way I always know where to look for things.

Add the following code at the end ofapp.js:

io.on('connection',(socket)=>{socket.emit('greet',{hello:'Hey there browser!'});socket.on('respond',(data)=>{console.log(data);});socket.on('disconnect',()=>{console.log('Socket disconnected');});});

One last thing left to change:

app.listen(app.get('port'),()=>{

to

server.listen(app.get('port'),()=>{

At this point, we are done with the back-end.

You now have a choice - to include your JavaScript code in Pug templates or have all your client-side JavaScript in a separate file - inapp.js. I admit, when I first started with Node.js and JavaScript in general, I placed all JavaScript code inside templates because I have access to template variables passed in from Express right then and there. It's the easiest thing you can do, but also the least efficient and harder to maintain. Since then I almost never include inline JavaScript inside templates anymore.

But it's also understandable if you want to take the easier road. Most of the time you don't even care about performance during hackathons, you just want to"get shit done" before the time runs out. Well, either way, use whichever approach makes more sense to you. At the end of the day, it'swhat you build that matters, nothow you build it.

If you want to stick all your JavaScript inside templates, then inlayout.pug - your main template file, add this to thehead block.

script(src='/socket.io/socket.io.js')script.let socket=io.connect(window.location.href);socket.on('greet',function (data) {console.log(data);socket.emit('respond', { message:'Hey there, server!' });  });

Note: Notice the path of thesocket.io.js, you don't actually have to havesocket.io.js file anywhere in your project; it will be generated automatically at runtime.

If you want to have JavaScript code separate from templates, move that inline script code intoapp.js, inside the$(document).ready() function:

$(document).ready(function(){// Place JavaScript code here...letsocket=io.connect(window.location.href);socket.on('greet',function(data){console.log(data);socket.emit('respond',{message:'Hey there, server!'});});});

And we are done!

Declares a read-only named constant.

constname='yourName';

Declares a block scope local variable.

letindex=0;

Using the`${}` syntax, strings can embed expressions.

constname='Oggy';constage=3;console.log(`My cat is named${name} and is${age} years old.`);

To import functions, objects, or primitives exported from an external module. These are the most common types of importing.

constname=require('module-name');

const{ foo, bar}=require('module-name');

To export functions, objects, or primitives from a given file or module.

module.exports={ myFunction};

module.exports.name='yourName';

module.exports=myFunctionOrClass;

The spread operator allows an expression to be expanded in places where multiple arguments (for function calls) or multiple elements (for array literals) are expected.

myFunction(...iterableObject);

<ChildComponent{...this.props}/>

A Promise is used in asynchronous computations to represent an operation that hasn't completed yet but is expected in the future.

varp=newPromise(function(resolve,reject){});

Thecatch() method returns a Promise and deals with rejected cases only.

p.catch(function(reason){/* handle rejection */});

Thethen() method returns a Promise. It takes two arguments: callback for the success & failure cases.

p.then(function(value){/* handle fulfillment */},function(reason){/* handle rejection */},);

ThePromise.all(iterable) method returns a promise that resolves when all of the promises in the iterable argument have resolved or rejects with the reason of the first passed promise that rejects.

Promise.all([p1,p2,p3]).then(function(values){console.log(values);});

Arrow function expression. Shorter syntax & lexically binds thethis value. Arrow functions are anonymous.

(singleParam)=>{statements;};

()=>{statements;};

(param1,param2)=>expression;

constarr=[1,2,3,4,5];constsquares=arr.map((x)=>x*x);

The class declaration creates a new class using prototype-based inheritance.

classPerson{constructor(name,age,gender){this.name=name;this.age=age;this.gender=gender;}incrementAge(){this.age++;}}

🎁Credits:DuckDuckGo and@DrkSephy.

🔝_{back to top}

Math.floor(Date.now()/1000);

moment().unix();

varnow=newDate();now.setMinutes(now.getMinutes()+30);

moment().add(30, 'minutes');

// DD-MM-YYYYvarnow=newDate();varDD=now.getDate();varMM=now.getMonth()+1;varYYYY=now.getFullYear();if(DD<10){DD='0'+DD;}if(MM<10){MM='0'+MM;}console.log(MM+'-'+DD+'-'+YYYY);// 03-30-2016

console.log(moment(new Date(), 'MM-DD-YYYY'));

// hh:mm (12 hour time with am/pm)varnow=newDate();varhours=now.getHours();varminutes=now.getMinutes();varamPm=hours>=12 ?'pm' :'am';hours=hours%12;hours=hours ?hours :12;minutes=minutes<10 ?'0'+minutes :minutes;console.log(hours+':'+minutes+' '+amPm);// 1:43 am

console.log(moment(new Date(), 'hh:mm A'));

vartoday=newDate();varnextWeek=newDate(today.getTime()+7*24*60*60*1000);

moment().add(7, 'days');

vartoday=newDate();varyesterday=date.setDate(date.getDate()-1);

moment().add(-1, 'days');

🔝_{back to top}

User.find((err,users)=>{console.log(users);});

letuserEmail='example@gmail.com';User.findOne({email:{$eq:email.toLowerCase()}}).then((user)=>{console.log(user);});

User.find().sort({_id:-1}).limit(5).exec((err,users)=>{console.log(users);});

Let's suppose that each user has avotes field and you would like to count the total number of votes in your database across all users. One very inefficient way would be to loop through each document and manually accumulate the count. Or you could useMongoDB Aggregation Framework instead:

User.aggregate({$group:{_id:null,total:{$sum:'$votes'}}},(err,votesCount)=>{console.log(votesCount.total);});

🔝_{back to top}

You will need to install docker and docker-compose on your system. If you are using WSL, you will need to install Docker Desktop on Windows and docker-compose on WSL.

• Docker installation

After installing docker, start the application with the following commands :

# To build the project while suppressing most of the build messagesdocker-compose build web# To build the project without suppressing the build messages or using cached datadocker-compose build --no-cache --progress=plain web# To start the application (or to restart after making changes to the source code)docker-compose up web

To view the app, find your docker IP address + port 8080 ( this will typically behttp://localhost:8080/ ). To use a port other than 8080, you would need to modify the port in app.js, Dockerfile, and docker-compose.yml.

Using a local instance on your laptop with ngrok is a good solution for your demo during the hackathon, and you wouldn't necessarily need to deploy to a cloud platform. If you wish to have your app run 24x7 for a general audience, once you are ready to deploy your app, you will need to create an account with a cloud platform to host it. There are a number of cloud service providers out there that you can research. Service providers like AWS and Azure provide a free tier of service which can help you get started with just some minor costs (such as traffic overage if any, etc).

• Go tomongodb.com
• Click the greenTry free button
• Fill in your information then hitCreate your Atlas account
• You will be redirected to Create New Cluster page.
• Select aCloud Provider and Region
• Set the cluster Tier to Free ForeverShared Cluster
• Give Cluster a name (default: Cluster0)
• Click on the green⚡Create Cluster button
• Now, to access your database you need to create a DB user. To create a new MongoDB user, from theClusters view, select theSecurity tab
• Under theMongoDB Users tab, click on+Add New User
• Fill in a username and password and give it eitherAtlas Admin User Privilege
• Next, you will need to create an IP address whitelist and obtain the connection URI. In the Clusters view, under the cluster details (i.e. SANDBOX - Cluster0), click on theCONNECT button.
• Under section(1) Check the IP Whitelist, click onALLOW ACCESS FROM ANYWHERE. The form will add a field with0.0.0.0/0. ClickSAVE to save the0.0.0.0/0 whitelist.
• Under section(2) Choose a connection method, click onConnect Your Application
• In the new screen, selectNode.js as Driver and version3.6 or later.
• Finally, copy the URI connection string and replace the URI in MONGODB_URI of.env.example with this URI string. Make sure to replace the with the db User password that you created under the Security tab.
• Note that after some of the steps in the Atlas UI, you may see a banner statingWe are deploying your changes. You will need to wait for the deployment to finish before using the DB in your application.

If you are starting with this boilerplate to build an application for prod deployment, or if after your hackathon you would like to get your project hardened for production use, seeprod-checklist.md.

Hackathon Starter includes both unit tests and end-to-end (E2E) tests.

• Unit tests focus on core functionality, such as user account management.
• E2E tests usePlaywright to run the application in a headless Chrome browser, making live API calls and verifying rendered views. These tests are located intest/e2e/ andtest/e2e-nokey/. The nokey tests are tests that don't require API keys to run.

During a hackathon, you typically don't need to worry about E2E tests; they can slow you down when you're focused on rapid prototyping. However, if you plan to launch your project for real-world use, adding and maintaining E2E tests is strongly recommended. They help ensure that future changes don't unintentionally break existing functionality.

The existing E2E tests cover the example API integrations included in the starter project. You can use these asexamples or templates when creating your own test files, adapting them to match your project's specific views and workflows.

You can run the tests using:

npmtest# unit tests (core functions)npm run test:e2e:live# All E2E tests with previously recorded API responsesnpm run test:e2e:replay# E2E (replay fixtures - recorded API responses)

You can run a single E2E Test file like the following:

# Run tests in a single test file against live APIsnpx playwrighttest test/e2e.../testfile.e2e.test.js --config=test/playwright.config.js --project=chromium# Run tests in a single test file while replaying recorded API responses from the fixturesnpx playwrighttest test/e2e.../testfile.e2e.test.js --config=test/playwright.config.js --project=chromium-replay# Run tests in a single test file against live APIs and capture the API responses as fixtures for replay laternpx playwrighttest test/e2e.../testfile.e2e.test.js --config=test/playwright.config.js --project=chromium-record

For more information on creating or running E2E tests seetest/TESTING.md

You can find the changelog for the project in:CHANGELOG.md

If something is unclear, confusing, or needs to be refactored, please let me know.Pull requests are always welcome, but due to the opinionated nature of this project, I cannot accept every pull request. Please open an issue before submitting a pull request. This project usesAirbnb JavaScript Style Guide with a few minor exceptions. If you are submitting a pull request that involves Pug templates, please make sure you are usingspaces, not tabs.

The MIT License (MIT)

Copyright (c) 2014-2025 Sahat Yalkabov

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.