NB-076 2f61ad7f1a feat: integrate the code-review skill into the project
- Project-level skill: .claude/skills/code-review/ (398-line SKILL.md + reference files)
- Auto-trigger: a review runs automatically after the AI modifies .py/.cbl/.cpy/.lark files
- CLAUDE.md: defines the trigger rules, the review process and the severity levels
- .code-review.yaml: tier=standard, high-risk module configuration

Result: usable right after clone; every code change is reviewed automatically, keeping low-quality code out of the repository
Co-Authored-By: Claude <noreply@anthropic.com>
2026-06-25 10:24:15 +08:00


Node.js Express Review Checklist

Extends the generic checklist with Node.js/Express-specific items.

Interface Layer (Express Routes)

  • Request validation middleware (Joi, Zod, express-validator)
  • Response format consistent across all routes
  • express.json() with size limit configured
  • Route handlers are async with try/catch or wrapped with async handler

Business Layer

  • Business logic in service modules, not in route handlers
  • Dependency injection or factory pattern for testability
  • Config loaded from environment, not hardcoded

Data Layer (Sequelize / Prisma / Knex)

  • Sequelize: eager loading uses include with proper scoping
  • Prisma: select or include to avoid over-fetching
  • Raw queries always parameterized ($1, ? placeholders)
  • Connection pool configured (max, min, idleTimeoutMillis)

Error Handling

  • Global error handler middleware (err, req, res, next)
  • Async route handlers wrapped (express-async-errors or manual wrapper)
  • Error responses never expose stack traces in production
  • uncaughtException and unhandledRejection handlers
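The Error Handling items above, as an added example (not code from this project or the checklist's author): an async route wrapper that forwards rejections to next(err), and a four-argument global error handler that logs the full error server-side but sends no stack trace when isProduction is true. Plain objects stand in for Express's req/res/next so it runs without the express package; asyncHandler, makeErrorHandler, fakeRes and simulate are names chosen here.

```javascript
// Added example; see the lead-in. Runs on Node without any npm dependencies.

// Wrap an async handler so a rejected promise is routed to next(err) instead of
// leaving the request hanging (the "manual wrapper" from the checklist).
function asyncHandler(fn) {
  return function wrapped(req, res, next) {
    Promise.resolve(fn(req, res, next)).catch(next);
  };
}

// Express recognises error middleware by its arity, so keep all four parameters.
// isProduction decides whether err.stack is included in the JSON body.
function makeErrorHandler({ isProduction, log = () => {} }) {
  return function errorHandler(err, req, res, next) { // arity 4 is required
    const s = err && err.status;
    const status = Number.isInteger(s) && s >= 400 && s < 600 ? s : 500;
    // Full detail stays server-side; the client only ever sees a curated body.
    log({ status, message: err.message, stack: err.stack, path: req.path });
    const body = { error: status === 500 ? 'Internal Server Error' : err.message };
    if (!isProduction) body.stack = err.stack;
    res.status(status).json(body);
  };
}

// Minimal stand-in for Express's res, recording what the client would receive.
function fakeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.body = obj; return res; };
  return res;
}

// Run one failing route through asyncHandler and the error handler, the way
// Express would: the wrapper calls next(err), which reaches errorHandler.
function simulate({ isProduction, err = new Error('db connection refused') }) {
  const logs = [];
  const errorHandler = makeErrorHandler({ isProduction, log: (e) => logs.push(e) });
  const route = asyncHandler(async () => { throw err; });
  const req = { path: '/users' };
  const res = fakeRes();
  return new Promise((resolve) => {
    route(req, res, (e) => {
      errorHandler(e, req, res, () => {});
      resolve({ statusCode: res.statusCode, body: res.body, logged: logs.length });
    });
  });
}
```

In a real app the wrapper goes around each async route and makeErrorHandler(...) is registered last with app.use; set isProduction from process.env.NODE_ENV.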

Security

  • helmet middleware configured
  • cors with specific origin allowlist
  • express-rate-limit on auth and sensitive endpoints
  • httpOnly, secure, sameSite flags on cookies
  • No eval() or Function() with user input

Performance

  • Compression middleware (compression)
  • Database queries have limits and pagination
  • Heavy operations offloaded to worker threads or queue
  • Static assets served via CDN or reverse proxy, not Express