Team blog: Developers

File uploads and security

We’ll have basic file upload support (issue 55) live soon, though there’s lots of work still to do to make it really useful and user-friendly. What’s nice is that we’ll have support for batch uploads (more than one file at a time) from the start. A bit more technical detail follows, if you care.

We’re using the multer middleware for Express. It’s interesting to think about all the security issues with uploads. To begin with, ensuring basic cross-site request forgery token validation (CSRF) was a bit tricky. Because upload forms are encoded differently than regular forms, the token that protects against forged requests wasn’t available when it was needed.

The common recommendation is simply to move multer before the CSRF token check. But because multer itself saves the files, that would require all kinds of shenanigans to clean up the stored files if the check fails. Indeed, I suspect that lots of Node devs who follow this recommendation (multer is being downloaded >100,000 times per week) are vulnerable to uploads via CSRF, even though their checks dutifully report token errors! (See this comment for an explanation of the approach I’m using to avoid this.)

Additional complexity comes from multer’s processing of data streams. multer has a convenient function that lets me check whether files should be stored on the server or not. It can check against the MIME type reported by the client, but it doesn’t yet know the file’s contents, because the stream hasn’t finished yet at the time the check is performed.

Why do we need to look at the contents? Because a client might upload a malicious file disguised as an image, for example. Depending on the browser and operating system, that may create vulnerabilities for spreading malware. So to be safe, we’ll need to perform some basic inspections on the file later, and delete it if it’s not kosher. This isn’t implemented yet, which is a main reason I’ve not deployed the upload feature yet.

And there are other security concerns. Filenames are, of course, another vector for injection of HTML, for example – < and > are perfectly valid parts of a filename. We need to ensure that previously uploaded files don’t get accidentally overwritten. And we need to protect against denial of service attacks aiming to fill up the disk. The OWASP page on uploads is a great starting point to learn more about these and other security risks.

Fun with concurrency

As I mentioned previously, we’re using ava for running our tests. As I started adding more tests, earlier tests mysteriously began to break. ava runs all tests concurrently by default, so it tends to uncover issues you don’t see when you’re just testing things locally as a single user of your application. As frustrating as it can be, it is a good thing.

The particular issue was that strings sometimes didn’t show up in the expected language. English text was German, and German text was English. This issue would also have sometimes manifested in production under high concurrency situations, though I don’t know if any user ever saw it. The root cause was the way our internationalization (i18n) library was initialized.

We registered i18n helpers with our templating system on each page request, so that the i18n features are available to the template system but know about the current request’s language. Because the template system itself is initialized only once, under some timing conditions, a later request could interfere with an earlier request that hadn’t yet completed and mess up its language information.

This was tricky to track down, but should now be fixed – though we may well have introduced new bugs in the process. If something doesn’t look right, please be so kind to file a bug - thank you!

More testing & coming attractions

The last couple of days have been spent getting our testing infrastructure into shape. We now have the ability to spin up multiple RethinkDB instances in parallel, each bootstrapped and populated with data by the application code, and to run asynchronous tests against them. This means we can run tests reasonably fast while maintaining a pristine environment for each test.

RethinkDB is an interesting database to work with. It’s built to scale as a distributed system, which is something we’re not taking any advantage of yet since we’re still tiny – but it still has a cost in development in terms of additional complexity. For instance, an operation like table creation can result in two tables with the same name and different unique IDs, which then results in application errors. Table and database readiness needs to be validated in order to make sure you can perform write or read queries. And so on.

You can imagine that multiple automated tests hammering multiple databases in parallel will uncover a lot of edge cases, some of which aren’t likely to pose problems in real world situations. But encountering some of the potential pitfalls during testing certainly makes it easier to reason about that class of problems.

I look forward to eventually tapping into RethinkDB’s real-time change feed features, which will be useful once we can tackle the event feed intended to replace the rather dull review feeds we currently show on the front page and on user pages.

For now, here’s what’s on the horizon for the next 1-2 weeks:

  • More tests, which will be more fun to write now that we have some scaffolding in place
  • Getting our i18n files ready for a translation platform, so we can invite users to expand the number of languages offered
  • Polishing the frontpage a bit, to make it less cluttered
  • Automating deployment and code reverts with pm2
  • APIs, APIs, APIs
  • Working through the f-droid issues.

As always, say hello on the #libreviews IRC channel on and/or join our mailing list to get involved. :)

Collapsing content in browsers, feed readers & beyond

The world is pretty simple when you don’t have to worry about content re-use, accessibility, internationalization, and similar concerns. But the moment you prioritize those issues, even relatively simple features become complex.

I wanted to write a review with spoilers, so in the spirit of developing features the moment I need them as an active user of the site, I put something together that extends the markdown parser we use. It works as follows:

::: spoiler
Some content with spoilers


Warning: The text below contains spoilers.

Some content with spoilers

::: nsfw
Some NSFW content


Warning: The content below may not be safe for work (NSFW).

Some NSFW content

::: warning Here there be dragons
Some dangerous content


Here there be dragons

Some dangerous content

The choice of ::: isn’t arbitrary – it’s used by the markdown-it-container plugin which enables block-level extension to markdown-it that follow this pattern. We may use it in future for similar purposes with other block names.

Indeed, the help page for that package lists spoiler warnings as an example. But how you do them in a manner that 1) degrades gracefully, 2) is keyboard-accessible, 3) works in RSS readers and reviews obtained via API calls and inserted into someone else’s webpage?

The easiest choice would be to just expand the content if JavaScript is disabled, and otherwise collapse/expand it via JS. That may seem like a reasonable choice but it’s important to note that the use case 3) will often be affected – i.e., external content re-use will often show the collapsed content expanded, which is not desirable.

If you look around, you’ll find that there are a number of pure-CSS hacks to collapse/expand content. They work, but they rely on problematic choices, such as hidden checkbox inputs that toggle the collapse/expand state of content. Those are problematic because they mess with keyboard-accessibility.

In addition, CSS itself is not a reliable delivery method for content re-users. Pseudo-elements like :checked cannot be used in inline styles, and scoped stylesheets have been removed from the WHATWG standards and are supported only by Firefox.

Enter the <details> element. It is precisely intended to collapse or otherwise conceal some content by default, and to expand it on demand. Unfortunately, it’s not widely supported yet, but in browsers that do support it, this gets us a nice basic collapse/expand feature that works even without CSS or JavaScript! And where it’s not supported, the whole content is just displayed, not hidden.

But the look & feel is determined by the browser. So I added a bit of CSS and JavaScript that effectively overrides the built-in look and behavior when JavaScript is available (including the addition of a slide-in and slide-out animation) – and implicitly shims the feature for browsers that don’t have it at all.

That leaves only the case where 1) JavaScript is disabled, 2) the <details> element is not supported. In that case, the text will just be expanded by default. I tested this on a couple of mobile browsers and RSS readers, and it worked as expected.

Now what about i18n? markdown-ititself doesn’t have the notion of content language, but it has an environment that can be configured for each call of the render function that converts markdown into HTML. We pass the language into that environment, and our plugin picks the appropriate message to insert. For client-side live previews, we expose the necessary UI messages as JavaScript variables.

The message is ultimately stored as part of the content – which seems reasonable, given that it can be customized as in the “Here be dragons” example. But it has the side effect that if you switch the language of this post to German, the English warnings will still be English. A German review would have German messages. I think that’s an acceptable trade-off for UI text that really is part of the content. In any case, we retain the source code of all content, so we can re-render it in a different way in future if we want to.

Let me know if anything’s not working as it should (or file a bug). Check out the commit for the nitty gritty of how this was done.

The first tests, monitoring/deployment/process management, code quality

As mentioned in prior posts, it’s been time for a bit of heads down work that’s not very user-facing, so if you care about end user functionality, this post won’t be very interesting. This will likely go on for a few more days, though I may be able to get a feature or two in along the way. :)


As of today, we have a first simple set of integration tests. These are almost smoke tests, i.e. they tell us little more than whether the site is still going to basically load. But this is an important first step, because it solidified some technical choices for the project.

We’re using ava as our test runner. ava is interesting – it really is oriented towards the bleeding edge of what’s possible in JavaScript today. Your tests are fed through the Babel transpiler, which lets you use syntax that isn’t supported in any JavaScript runtime yet. Indeed, it even ships with implementations of stage 2 proposals for the language (drafts).

I find it useful to be able to use some new language features in one area of the codebase, so I can become familiar with them and start using the same syntax more widely once it is fully supported. It also supports ava’s overall goal to make it easy to write asynchronous tests: The new async/await language syntax is a pretty clever extension of existing language features that makes it quite enjoyable to write asynchronous code (you can see some examples in the current tests).

I reserve the right to change my mind on ava, but so far I’m pretty happy with it. Babel does add a bit to the startup time for tests, but otherwise execution is fast, and ava and Node’s other testing tools seem elegant.

We’re not set up with Travis yet, and that’s a very important near term objective. Running tests locally is one thing, but making sure that any pull requests triggers tests and that we have good public reporting makes a project a lot more maintainable.


As an app scales, it becomes important to think about maintenance, deployment, monitoring, and other such fun topics. Fortunately, the Node.js ecosystem is rich in increasingly battle-hardened solutions that make this a surprisingly enjoyable process.

For , I’ve been using forever as a simple process manager. forever, as the name suggests, keeps your Node processes running even under unforeseen circumstances, and it also provides some basic tools to manage your logs. But it really is quite basic.

Enter pm2. Made by monitoring startup Keymetrics, it’s a drop-in replacement for forever (and equally open source). It does everything forever does, but it has quite a few tricks up its sleeve, e.g.:

  • generates system startup scripts for you
  • helps you with log file management and rotation
  • provides simple built-in monitoring and log viewer tools
  • balances load across available CPU cores
  • lets you manage deployments, including reverts

The CPU core load balancing in particular is a nice bonus. Right now the site is running on a single core Digital Ocean VM, but if/when we need more CPU headroom, this offers a quick upgrade path for the near term.

Code quality

Similar to test coverage, it’s important to pay attention to the code quality of a growing codebase. There are a few tools that help with that. For one thing, I just switched from jshint to eslint (see my review), which spots a few more areas for improvement. As just one example, with the default rules, it flagged some code files as being too large. These are judgment calls, but it can be helpful to have little suggestions like that.

There are other code analysis tools beyond linters, and I’ll poke at some of them to see if they’ll give me useful pointers. But I also have a mental backlog of a lot of ways in which the codebase can be improved (again without obvious benefit to end users – this is about maintainability and the cost of making changes). I’m also whiteboarding the architecture as I go. Once it’s a bit more mature, I will post some of that here.

Atom feeds for "things"; testing fun

You can now get Atom feeds for any “thing” that has been reviewed on For example, if you want to get any future reviews of Twitter (because why not), you can add this page to your feed reader:

This, incidentally, is a feature most review sites don’t have, even though it seems very obviously useful. Part of the reason is that it can be used to download large numbers of reviews, which most proprietary sites want to make difficult (when they do offer feeds, they’re often abridged versions of the content).

So, in total, we have feeds for 1) a user’s reviews, 2) all reviews across the site, 3) reviews of a given thing, 4) blog posts. That’s pretty good. Down the road, we’ll want to have team-level feeds as well. If we manage to get some teams going, that’ll make feeds a lot of fun – e.g., if you wanted a team that reviews products for eco-friendliness, that feed could in itself be a very useful resource.

For now it’s time to move on to evaluating a few different testing frameworks. ava looks interesting and may win out over mocha on the basis of speed and architecture. Along the way I also discovered nsp which is one of those packages that makes me happy. It checks all your installed dependencies for known security issues - no muss, no fuss. Nice.

New "thing" pages deployed

As promised, the new pages for “things” (subjects of reviews) have been deployed, which means you can now see reviews on those pages as well. If you have written a review yourself, it will show that in a section at the top so you can easily find it. If you haven’t, it will show an invitation to do so. Here’s an example page:

Atom feeds and proper pagination are still to come (not that we have any pagination problems for those pages yet!). Beyond that the rest of this week will be relatively quiet and more focused on refactoring, tests, and a couple of forward-looking investigations.

Progress on Things & other things

Most of the work on listing reviews on their “thing” pages (e.g., page about a book or a piece of software) and letting users add reviews from there is done, and this will be deployed tomorrow. An interesting discussion is ongoing about the possibility of integrating with F-Droid, a repository of free/libre software for Android devices. F-Droid is a great project and it would make a lot of sense to me for to begin by serving different free software communities.

User reviews & team blog posts now also have Atom feeds

You can subscribe to a user’s reviews by adding their user page to your feed reader, e.g., my page. Adding their review feed works as well, e.g. my feed.

Similarly, you can subscribe to a team’s blog posts by adding that team’s page, e.g. the developers team to subscribe to the dev diary.

As a shortcut, adding will also work to add the development diary, though we may remove that link when we remove the dev diary from the main page. Moreover, this will require a feed reader that lets you choose between multiple feeds; otherwise you’ll most likely get the feed of all reviews instead.

Next up will be improvements to the presentation of “thing pages”, i.e. the pages about the thing that’s being reviewed. To begin with, we want to list all reviews of a thing on its page (which you’ll also be able to get an Atom feed of), and make it easy to write reviews from there. Eventually, this will be where additional metadata (e.g. business hours or a map for a restaurant) will be found.

A couple smaller items from today:

  • team blogs have dedicated pages and pagination now
  • our discussion list has been migrated to, using the familiar Mailman interface.

Later this week we’ll be diving into getting some first test coverage on the way, which will be invisible but important to keep breakage to a minimum as the application gets more complex.

First Atom feed up

We now have Atom feeds for our site-wide list of reviews. You can just copy into you feed reader of choice, and it should auto-detect the feeds. We advertise all languages since the feed reader can’t reliably guess which one you want. Some feed readers like will offer you a choice, others will just load the first one in the page. To specify precisely which language you want, use an address like (German version – just like the site, it will show English content unless a German translation is available!).

Next up: User feeds & blog feeds.

 Older blog posts