Nodejs Patterns — Node.js Patterns — Node.js 后端开发模式

Name: Nodejs Patterns — Node.js Patterns — Node.js 后端开发模式
Rating: 1 (2 reviews)
Author: wpank

wpank

Nodejs Patterns — Node.js Patterns — Node.js 后端开发模式

v1.0.0

提供生产级 Node.js 后端开发模式，包括 Express/Fastify 设置、分层架构、中间件、错误处理、验证、数据库集成、身份验证和缓存等。适用于构建 REST API、设置 Node.js 服务器、实现身份验证、集成数据库、添加验证/缓存和结构化后端应用。

2· 2,000·13 当前·13 累计

by @wpank·MIT-0

API工具数据库安全开发工具

下载技能包

License

MIT-0

最后更新

2026/2/26

安全扫描

VirusTotal

无害

查看报告

OpenClaw

安全

medium confidence

此技能仅提供指令和 Node.js 后端开发模式代码片段，能力与目的一致，但源码/安装指南不清晰，使用前应验证。

评估建议

此技能是一致的 Node.js 后端开发模式集合，仅包含指令，无可执行代码。使用前请：（1）验证技能来源/作者；（2）不要在示例中输入生产密钥；（3）在沙盒/分支中审查和测试代码；（4）优先从官方仓库安装依赖。...

详细分析 ▾

✓ 用途与能力

技能名称/描述与 SKILL.md 内容匹配，包括分层架构、Express/Fastify 代码片段、错误处理、验证、身份验证、数据库和缓存。技能不请求无关的凭据、二进制文件或配置路径。

✓ 指令范围

SKILL.md 仅包含 Node.js 服务器的代码示例和指南，不指示代理读取系统文件、传输外部数据或超出典型用途访问环境变量。无广泛或开放式指令授予额外数据访问。

ℹ 安装机制

无安装规格（仅指令），低风险。README 安装示例中有一些小问题（如使用 'npx add' 与 GitHub 树 URL 和本地 ~/.ai-skills 路径的引用），不明确但不表明恶意行为，使用前应验证。

✓ 凭证需求

技能不声明任何必需的环境变量或凭据。内联示例引用 process.env（典型的应用配置），但 SKILL.md 中没有内容指示代理泄露机密或要求无关令牌。

✓ 持久化与权限

技能仅包含指令，无安装步骤写入磁盘，'always' 为 false。不请求提升的持久性或系统范围的配置更改。

安全有层次，运行前请审查代码。

License

MIT-0

可自由使用、修改和再分发，无需署名。

查看条款 ↗

运行时依赖

无特殊依赖

版本

latestv1.0.02026/2/10

初始发布 — 生产级 Node.js 后端模式。包括 Express 和 Fastify 设置、分层架构、错误处理、验证、JWT 身份验证、数据库集成、安全和可维护性指南。

● 无害

安装命令点击复制

官方npx clawhub@latest install nodejs-patterns

镜像加速npx clawhub@latest install nodejs-patterns --registry https://cn.clawhub-mirror.com

技能文档

使用 TypeScript 构建可扩展、可维护的 Node.js 后端应用程序的模式。

永远不要

永远不要在代码中存储密钥 - 使用环境变量，永远不要硬编码凭证
永远不要跳过输入验证 - 使用 Zod/Joi 在中间件层验证所有输入
永远不要在生产环境中暴露错误详情 - 返回通用消息，在服务器端记录详情
永远不要使用 any 类型 - TypeScript 类型防止运行时错误
永远不要跳过错误处理 - 始终包装异步处理器，使用全局错误中间件
永远不要使用同步操作 - 对 I/O 使用 async/await，切勿在处理器中使用 fs.readFileSync
永远不要信任客户端输入 - 清理、验证并参数化所有查询

何时使用

使用 Express 或 Fastify 构建 REST API
设置中间件管道和错误处理
实现身份验证和授权
使用连接池和事务集成数据库
添加验证、缓存和速率限制

项目结构 — 分层架构

src/
├── controllers/     # 处理 HTTP 请求/响应
├── services/        # 业务逻辑
├── repositories/   # 数据访问层
├── models/         # 数据模型和类型
├── middleware/     # 认证、验证、日志、错误
├── routes/        # 路由定义
├── config/        # 数据库、缓存、环境配置
└── utils/         # 辅助工具、自定义错误、响应格式化

控制器处理 HTTP 事务，服务包含业务逻辑，仓储抽象数据访问。每一层只能调用其下一层。

Express 设置

import express from "express";
import helmet from "helmet";
import cors from "cors";
import compression from "compression";
const app = express();app.use(helmet());
app.use(cors({ origin: process.env.ALLOWED_ORIGINS?.split(",") }));
app.use(compression());
app.use(express.json({ limit: "10mb" }));
app.use(express.urlencoded({ extended: true, limit: "10mb" }));

Fastify 设置

import Fastify from "fastify";
import helmet from "@fastify/helmet";
import cors from "@fastify/cors";
const fastify = Fastify({
  logger: { level: process.env.LOG_LEVEL || "info" },
});await fastify.register(helmet);
// ... 其他插件

中间件

// 验证中间件
const validateRequest = (schema: ZodSchema) => {
  return (req: Request, res: Response, next: NextFunction) => {
    try {
      schema.parse(req.body);
      next();
    } catch (error) {
      res.status(400).json({ error: "Validation failed", details: error });
    }
  };
};
// 速率限制
import rateLimit from "express-rate-limit";
const limiter = rateLimit({
  windowMs: 15  60  1000, // 15 分钟
  max: 100, // 每个 IP 限制 100 个请求
});
app.use("/api/", limiter);// 认证中间件
const authenticate = (req: Request, res: Response, next: NextFunction) => {
  const token = req.headers.authorization?.split(" ")[1];
  if (!token) {
    return res.status(401).json({ error: "No token provided" });
  }
  try {
    const decoded = jwt.verify(token, process.env.JWT_SECRET!);
    (req as any).user = decoded;
    next();
  } catch {
    res.status(401).json({ error: "Invalid token" });
  }
};

错误处理

// 自定义错误类
class AppError extends Error {
  constructor(
    public statusCode: number,
    public message: string,
    public isOperational = true
  ) {
    super(message);
  }
}// 全局错误处理器
app.use((err: Error, req: Request, res: Response, next: NextFunction) => {
  if (err instanceof AppError) {
    return res.status(err.statusCode).json({
      error: err.message,
    });
  }
  
  // 生产环境不暴露详情
  console.error("Server error:", err);
  res.status(500).json({
    error: process.env.NODE_ENV === "production" 
      ? "Internal server error" 
      : err.message,
  });
});

数据验证

import { z } from "zod";
// 创建验证 schema
const createUserSchema = z.object({
  email: z.string().email(),
  password: z.string().min(8),
  name: z.string().min(2).optional(),
});
const updateUserSchema = createUserSchema.partial();// 在控制器中使用
const createUser = async (req: Request, res: Response) => {
  const data = createUserSchema.parse(req.body);
  // ... 创建用户
};

数据库集成

// 仓储模式
class UserRepository {
  constructor(private db: Pool) {}
  
  async findById(id: string): Promise {
    const result = await this.db.query(
      "SELECT  FROM users WHERE id = $1",
      [id]
    );
    return result.rows[0] || null;
  }
  
  async create(data: CreateUserData): Promise {
    const result = await this.db.query(
      INSERT INTO users (email, password_hash, name) 
       VALUES ($1, $2, $3) RETURNING ,
      [data.email, data.passwordHash, data.name]
    );
    return result.rows[0];
  }
}

身份验证

import jwt from "jsonwebtoken";
import bcrypt from "bcrypt";
// JWT 签名
const signToken = (userId: string): string => {
  return jwt.sign(
    { userId },
    process.env.JWT_SECRET!,
    { expiresIn: "7d" }
  );
};
// 密码哈希
const hashPassword = async (password: string): Promise => {
  return bcrypt.hash(password, 12);
};// 密码验证
const verifyPassword = async (
  password: string, 
  hash: string
): Promise => {
  return bcrypt.compare(password, hash);
};

缓存

import Redis from "ioredis";
const redis = new Redis(process.env.REDIS_URL);// 缓存中间件
const cacheMiddleware = (key: string, ttl: number = 300) => {
  return async (req: Request, res: Response, next: NextFunction) => {
    const cached = await redis.get(key);
    if (cached) {
      return res.json(JSON.parse(cached));
    }
    
    // 拦截响应
    const originalJson = res.json.bind(res);
    res.json = (data: any) => {
      redis.setex(key, ttl, JSON.stringify(data));
      return originalJson(data);
    };
    
    next();
  };
};

速率限制

// 滑动窗口速率限制
const slidingWindowLimiter = async (
  key: string,
  limit: number,
  window: number
): Promise => {
  const now = Date.now();
  const windowStart = now - window;
  
  // 移除旧请求
  await redis.zremrangebyscore(key, 0, windowStart);
  
  // 计算当前请求数
  const count = await redis.zcard(key);
  
  if (count >= limit) {
    return false;
  }
  
  // 添加新请求
  await redis.zadd(key, now, ${now}-${Math.random()});
  await redis.expire(key, Math.ceil(window / 1000));
  
  return true;
};

配置管理

import dotenv from "dotenv";
dotenv.config();export const config = {
  port: parseInt(process.env.PORT || "3000", 10),
  nodeEnv: process.env.NODE_ENV || "development",
  database: {
    host: process.env.DB_HOST!,
    port: parseInt(process.env.DB_PORT || "5432", 10),
    name: process.env.DB_NAME!,
    user: process.env.DB_USER!,
    password: process.env.DB_PASSWORD!,
  },
  redis: {
    url: process.env.REDIS_URL!,
  },
  jwt: {
    secret: process.env.JWT_SECRET!,
    expiresIn: process.env.JWT_EXPIRES_IN || "7d",
  },
};

日志

import pino from "pino";
const logger = pino({
  level: process.env.LOG_LEVEL || "info",
  transport: process.env.NODE_ENV !== "production" 
    ? { target: "pino-pretty" } 
    : undefined,
});// 使用
logger.info({ userId: req.user?.id }, "Request received");
logger.error({ err, userId: req.user?.id }, "Request failed");

最佳实践

分层架构 - 控制器→服务→仓储→数据库
验证 - 在中间件层验证所有输入
错误处理 - 使用全局错误处理器和自定义错误类
安全 - 使用 helmet、cors、速率限制
缓存 - Redis 缓存频繁访问的数据
类型 - 始终使用 TypeScript 类型，避免 any
配置 - 环境变量管理所有配置
日志 - 结构化日志便于调试

Patterns for building scalable, maintainable Node.js backend applications with TypeScript.

NEVER

NEVER store secrets in code - Use environment variables, never hardcode credentials
NEVER skip input validation - Validate all input at the middleware layer with Zod/Joi
NEVER expose error details in production - Return generic messages, log details server-side
NEVER use any type - TypeScript types prevent runtime errors
NEVER skip error handling - Always wrap async handlers, use global error middleware
NEVER use sync operations - Use async/await for I/O, never fs.readFileSync in handlers
NEVER trust client input - Sanitize, validate, and parameterize all queries

When to Use

Building REST APIs with Express or Fastify
Setting up middleware pipelines and error handling
Implementing authentication and authorization
Integrating databases with connection pooling and transactions
Adding validation, caching, and rate limiting

Project Structure — Layered Architecture

src/
├── controllers/     # Handle HTTP requests/responses
├── services/        # Business logic
├── repositories/    # Data access layer
├── models/          # Data models and types
├── middleware/      # Auth, validation, logging, errors
├── routes/          # Route definitions
├── config/          # Database, cache, env configuration
└── utils/           # Helpers, custom errors, response formatting

Controllers handle HTTP concerns, services contain business logic, repositories abstract data access. Each layer only calls the layer below it.

Express Setup

import express from "express";
import helmet from "helmet";
import cors from "cors";
import compression from "compression";
const app = express();app.use(helmet());
app.use(cors({ origin: process.env.ALLOWED_ORIGINS?.split(",") }));
app.use(compression());
app.use(express.json({ limit: "10mb" }));
app.use(express.urlencoded({ extended: true, limit: "10mb" }));

Fastify Setup

import Fastify from "fastify";
import helmet from "@fastify/helmet";
import cors from "@fastify/cors";
const fastify = Fastify({
  logger: { level: process.env.LOG_LEVEL || "info" },
});
await fastify.register(helmet);
await fastify.register(cors, { origin: true });// Type-safe routes with built-in schema validation
fastify.post<{ Body: { name: string; email: string } }>(
  "/users",
  {
    schema: {
      body: {
        type: "object",
        required: ["name", "email"],
        properties: {
          name: { type: "string", minLength: 1 },
          email: { type: "string", format: "email" },
        },
      },
    },
  },
  async (request) => {
    const { name, email } = request.body;
    return { id: "123", name };
  },
);

Error Handling

Custom Error Classes

export class AppError extends Error {
  constructor(
    public message: string,
    public statusCode: number = 500,
    public isOperational: boolean = true,
  ) {
    super(message);
    Object.setPrototypeOf(this, AppError.prototype);
    Error.captureStackTrace(this, this.constructor);
  }
}export class ValidationError extends AppError {
  constructor(message: string, public errors?: any[]) { super(message, 400); }
}
export class NotFoundError extends AppError {
  constructor(message = "Resource not found") { super(message, 404); }
}
export class UnauthorizedError extends AppError {
  constructor(message = "Unauthorized") { super(message, 401); }
}
export class ForbiddenError extends AppError {
  constructor(message = "Forbidden") { super(message, 403); }
}

Global Error Handler

import { Request, Response, NextFunction } from "express";
import { AppError, ValidationError } from "../utils/errors";
export const errorHandler = (
  err: Error, req: Request, res: Response, next: NextFunction,
) => {
  if (err instanceof AppError) {
    return res.status(err.statusCode).json({
      status: "error",
      message: err.message,
      ...(err instanceof ValidationError && { errors: err.errors }),
    });
  }
  // Don't leak details in production
  const message = process.env.NODE_ENV === "production"
    ? "Internal server error"
    : err.message;
  res.status(500).json({ status: "error", message });
};// Wrap async route handlers to forward errors
export const asyncHandler = (
  fn: (req: Request, res: Response, next: NextFunction) => Promise,
) => (req: Request, res: Response, next: NextFunction) => {
  Promise.resolve(fn(req, res, next)).catch(next);
};

Validation Middleware (Zod)

import { AnyZodObject, ZodError } from "zod";
export const validate = (schema: AnyZodObject) => {
  return async (req: Request, res: Response, next: NextFunction) => {
    try {
      await schema.parseAsync({
        body: req.body,
        query: req.query,
        params: req.params,
      });
      next();
    } catch (error) {
      if (error instanceof ZodError) {
        const errors = error.errors.map((e) => ({
          field: e.path.join("."),
          message: e.message,
        }));
        next(new ValidationError("Validation failed", errors));
      } else {
        next(error);
      }
    }
  };
};// Usage
import { z } from "zod";
const createUserSchema = z.object({
  body: z.object({
    name: z.string().min(1),
    email: z.string().email(),
    password: z.string().min(8),
  }),
});
router.post("/users", validate(createUserSchema), userController.createUser);

Authentication — JWT

Auth Middleware

import jwt from "jsonwebtoken";
interface JWTPayload { userId: string; email: string; }
export const authenticate = async (
  req: Request, res: Response, next: NextFunction,
) => {
  try {
    const token = req.headers.authorization?.replace("Bearer ", "");
    if (!token) throw new UnauthorizedError("No token provided");
    req.user = jwt.verify(token, process.env.JWT_SECRET!) as JWTPayload;
    next();
  } catch {
    next(new UnauthorizedError("Invalid token"));
  }
};export const authorize = (...roles: string[]) => {
  return (req: Request, res: Response, next: NextFunction) => {
    if (!req.user) return next(new UnauthorizedError("Not authenticated"));
    if (!roles.some((r) => req.user?.roles?.includes(r))) {
      return next(new ForbiddenError("Insufficient permissions"));
    }
    next();
  };
};

Auth Service

export class AuthService {
  constructor(private userRepository: UserRepository) {}
  async login(email: string, password: string) {
    const user = await this.userRepository.findByEmail(email);
    if (!user || !(await bcrypt.compare(password, user.password))) {
      throw new UnauthorizedError("Invalid credentials");
    }    return {
      token: jwt.sign(
        { userId: user.id, email: user.email },
        process.env.JWT_SECRET!,
        { expiresIn: "15m" },
      ),
      refreshToken: jwt.sign(
        { userId: user.id },
        process.env.REFRESH_TOKEN_SECRET!,
        { expiresIn: "7d" },
      ),
      user: { id: user.id, name: user.name, email: user.email },
    };
  }
}

Database Patterns

PostgreSQL Connection Pool

import { Pool, PoolConfig } from "pg";
const pool = new Pool({
  host: process.env.DB_HOST,
  port: parseInt(process.env.DB_PORT || "5432"),
  database: process.env.DB_NAME,
  user: process.env.DB_USER,
  password: process.env.DB_PASSWORD,
  max: 20,
  idleTimeoutMillis: 30000,
  connectionTimeoutMillis: 2000,
});
pool.on("error", (err) => {
  console.error("Unexpected database error", err);
  process.exit(-1);
});export const closeDatabase = async () => { await pool.end(); };

Transaction Pattern

async createOrder(userId: string, items: OrderItem[]) {
  const client = await this.db.connect();
  try {
    await client.query("BEGIN");
    const { rows } = await client.query(
      "INSERT INTO orders (user_id, total) VALUES ($1, $2) RETURNING id",
      [userId, calculateTotal(items)],
    );
    const orderId = rows[0].id;
    for (const item of items) {
      await client.query(
        "INSERT INTO order_items (order_id, product_id, quantity, price) VALUES ($1, $2, $3, $4)",
        [orderId, item.productId, item.quantity, item.price],
      );
      await client.query(
        "UPDATE products SET stock = stock - $1 WHERE id = $2",
        [item.quantity, item.productId],
      );
    }    await client.query("COMMIT");
    return orderId;
  } catch (error) {
    await client.query("ROLLBACK");
    throw error;
  } finally {
    client.release();
  }
}

Rate Limiting

import rateLimit from "express-rate-limit";
import RedisStore from "rate-limit-redis";
import Redis from "ioredis";
const redis = new Redis({ host: process.env.REDIS_HOST });
export const apiLimiter = rateLimit({
  store: new RedisStore({ client: redis, prefix: "rl:" }),
  windowMs: 15  60  1000,
  max: 100,
  standardHeaders: true,
  legacyHeaders: false,
});export const authLimiter = rateLimit({
  store: new RedisStore({ client: redis, prefix: "rl:auth:" }),
  windowMs: 15  60  1000,
  max: 5,
  skipSuccessfulRequests: true,
});

Caching with Redis

import Redis from "ioredis";
const redis = new Redis({
  host: process.env.REDIS_HOST,
  retryStrategy: (times) => Math.min(times * 50, 2000),
});
export class CacheService {
  async get(key: string): Promise {
    const data = await redis.get(key);
    return data ? JSON.parse(data) : null;
  }
  async set(key: string, value: any, ttl?: number): Promise {
    const serialized = JSON.stringify(value);
    ttl ? await redis.setex(key, ttl, serialized) : await redis.set(key, serialized);
  }
  async delete(key: string): Promise { await redis.del(key); }  async invalidatePattern(pattern: string): Promise {
    const keys = await redis.keys(pattern);
    if (keys.length) await redis.del(...keys);
  }
}

API Response Helpers

export class ApiResponse {
  static success(res: Response, data: T, message?: string, statusCode = 200) {
    return res.status(statusCode).json({ status: "success", message, data });
  }  static paginated(res: Response, data: T[], page: number, limit: number, total: number) {
    return res.json({
      status: "success",
      data,
      pagination: { page, limit, total, pages: Math.ceil(total / limit) },
    });
  }
}

Best Practices

Use TypeScript — type safety prevents runtime errors
Validate all input — Zod or Joi at the middleware layer
Custom error classes — map to HTTP status codes, use global handler
Never hardcode secrets — use environment variables
Structured logging — Pino or Winston with request context
Rate limiting — Redis-backed for distributed deployments
Connection pooling — always for databases
Dependency injection — constructor injection for testability
Graceful shutdown — close DB pools, drain connections on SIGTERM
Health checks — /health endpoint for liveness/readiness probes

数据来源：ClawHub ↗ · 中文优化：龙虾技能库

OpenClaw 技能定制 / 插件定制 / 私有工作流定制

免费技能或插件可能存在安全风险，如需更匹配、更安全的方案，建议联系付费定制

了解定制服务

License

运行时依赖

版本

安装命令 点击复制

技能文档

永远不要

何时使用

项目结构 — 分层架构

Express 设置

Fastify 设置

中间件

错误处理

数据验证

数据库集成

身份验证

缓存

速率限制

配置管理

日志

最佳实践

NEVER

When to Use

Project Structure — Layered Architecture

Express Setup

Fastify Setup

Error Handling

Custom Error Classes

Global Error Handler

Validation Middleware (Zod)

Authentication — JWT

Auth Middleware

Auth Service

Database Patterns

PostgreSQL Connection Pool

Transaction Pattern

Rate Limiting

Caching with Redis

API Response Helpers

Best Practices

安装命令点击复制