backend.html

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Backend Engineering -- Node.js, Files &amp; Databases - Better Dev</title>
  <link rel="preconnect" href="https://fonts.googleapis.com">
  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
  <link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700;800&display=swap" rel="stylesheet">
  <link rel="stylesheet" href="style.css">
</head>
<body>

  <header class="topbar">
    <button class="sidebar-toggle" aria-label="Open navigation" aria-expanded="false">
      <span class="hamburger-icon"></span>
    </button>
    <a href="index.html" class="logo">Better Dev</a>
  </header>

  <div class="sidebar-backdrop" aria-hidden="true"></div>

  <aside class="sidebar" aria-label="Site navigation">
    <div class="sidebar-header">
      <span class="sidebar-title">Navigation</span>
      <button class="sidebar-close" aria-label="Close navigation">&times;</button>
    </div>
    <div class="sidebar-search">
      <input type="text" class="sidebar-search-input" placeholder="Search topics..." aria-label="Search topics">
      <div class="sidebar-search-results"></div>
    </div>
    <nav class="sidebar-nav">
      <div class="sidebar-group">
        <a href="index.html">Home</a>
      </div>
      <div class="sidebar-group">
        <div class="sidebar-group-label">Mathematics</div>
        <a href="pre-algebra.html">Pre-Algebra</a>
        <a href="algebra.html">Algebra</a>
        <a href="sequences-series.html">Sequences &amp; Series</a>
        <a href="geometry.html">Geometry</a>
        <a href="calculus.html">Calculus</a>
        <a href="discrete-math.html">Discrete Math</a>
        <a href="linear-algebra.html">Linear Algebra</a>
        <a href="probability.html">Probability &amp; Statistics</a>
        <a href="binary-systems.html">Binary &amp; Number Systems</a>
        <a href="number-theory.html">Number Theory for CP</a>
        <a href="computational-geometry.html">Computational Geometry</a>
        <a href="game-theory.html">Game Theory</a>
      </div>
      <div class="sidebar-group">
        <div class="sidebar-group-label">Data Structures &amp; Algorithms</div>
        <a href="dsa-foundations.html">DSA Foundations</a>
        <a href="arrays.html">Arrays &amp; Strings</a>
        <a href="stacks-queues.html">Stacks &amp; Queues</a>
        <a href="hashmaps.html">Hash Maps &amp; Sets</a>
        <a href="linked-lists.html">Linked Lists</a>
        <a href="trees.html">Trees &amp; BST</a>
        <a href="graphs.html">Graphs</a>
        <a href="sorting.html">Sorting &amp; Searching</a>
        <a href="patterns.html">LeetCode Patterns</a>
        <a href="dp.html">Dynamic Programming</a>
        <a href="advanced.html">Advanced Topics</a>
        <a href="string-algorithms.html">String Algorithms</a>
        <a href="advanced-graphs.html">Advanced Graphs</a>
        <a href="advanced-dp.html">Advanced DP</a>
        <a href="advanced-ds.html">Advanced Data Structures</a>
        <a href="leetcode-650.html">The 650 Problems</a>
        <a href="competitive-programming.html">CP Roadmap</a>
      </div>
      <div class="sidebar-group">
        <div class="sidebar-group-label">Languages &amp; Systems</div>
        <a href="cpp.html">C++</a>
        <a href="golang.html">Go</a>
        <a href="javascript.html">JavaScript Deep Dive</a>
        <a href="typescript.html">TypeScript</a>
        <a href="nodejs.html">Node.js Internals</a>
        <a href="os.html">Operating Systems</a>
        <a href="linux.html">Linux</a>
        <a href="git.html">Git</a>
        <a href="backend.html">Backend</a>
        <a href="system-design.html">System Design</a>
        <a href="networking.html">Networking</a>
        <a href="cloud.html">Cloud &amp; Infrastructure</a>
        <a href="docker.html">Docker &amp; Compose</a>
        <a href="kubernetes.html">Kubernetes</a>
        <a href="message-queues.html">Queues &amp; Pub/Sub</a>
        <a href="selfhosting.html">VPS &amp; Self-Hosting</a>
        <a href="databases.html">PostgreSQL &amp; MySQL</a>
        <a href="stripe.html">Stripe &amp; Payments</a>
        <a href="distributed-systems.html">Distributed Systems</a>
        <a href="backend-engineering.html">Backend Engineering</a>
      </div>
      <div class="sidebar-group">
        <div class="sidebar-group-label">JS/TS Ecosystem</div>
        <a href="js-tooling.html">Tooling &amp; Bundlers</a>
        <a href="js-testing.html">Testing</a>
        <a href="ts-projects.html">Building with TS</a>
      </div>
      <div class="sidebar-group">
        <div class="sidebar-group-label">More</div>
        <a href="seans-brain.html">Sean's Brain</a>
      </div>
    </nav>
  </aside>

<div class="container">

  <!-- ===== PAGE HEADER ===== -->
  <div class="page-header">
    <div class="breadcrumb"><a href="index.html">Home</a> / Backend Engineering</div>
    <h1>Backend Engineering</h1>
    <p>Master the Node.js internals that separate frontend developers from full-stack engineers. Blob, File API, Buffers, Streams, the filesystem, and database fundamentals -- all the concepts you need to handle files, multimedia, and data at scale.</p>
  </div>


  <!-- ===== TABLE OF CONTENTS ===== -->
  <div class="toc">
    <h4>Table of Contents</h4>
    <a href="#multimedia">1. Multimedia &amp; Binary Data (Blob, File, MIME, Base64)</a>
    <a href="#node-fs">2. Node.js File System &amp; Path</a>
    <a href="#buffers">3. Buffers in Node.js</a>
    <a href="#streams">4. Streams in Node.js</a>
    <a href="#db-scale">5. Database Essentials: Transactions, Indexes &amp; Scale</a>
    <a href="#chunking">6. Chunked Reading &amp; Streaming Servers</a>
    <a href="#scalability">7. Scalability Patterns</a>
    <a href="#backend-patterns">8. Backend Design Patterns</a>
  </div>


  <!-- ============================================================ -->
  <!--  SECTION 1: MULTIMEDIA & BINARY DATA                         -->
  <!-- ============================================================ -->
  <section id="multimedia">
    <h2>1. Multimedia &amp; Binary Data (Blob, File, MIME, Base64)</h2>
    <p>Every app eventually deals with files -- images, videos, PDFs, audio. Understanding how binary data moves between the browser, your API, and storage is <strong>non-negotiable</strong> for a backend engineer. This section covers the fundamental building blocks.</p>

    <div class="warning-box">
      <div class="label">Why This Matters for Your Career</div>
      <p>Most tutorials skip this. Then you get a job and your first ticket is "users can upload profile pictures up to 5MB." Suddenly you need to understand MIME types, multipart form data, base64 encoding, file size validation, and streaming uploads. This section gives you the mental model so none of that feels foreign.</p>
    </div>

    <h3>What is Binary Data?</h3>
    <p>Everything on a computer is binary -- ones and zeros. Text files are binary with a nice encoding (UTF-8) that maps bytes to characters. But images, videos, and audio are <strong>raw binary</strong> -- there is no "human-readable" version. You work with them as sequences of bytes.</p>

    <div class="example-box">
      <div class="label">Text vs Binary -- The Key Difference</div>
      <p>A text file containing "Hello" is 5 bytes: <code>48 65 6C 6C 6F</code> (hex). Each byte maps to a letter.</p>
      <p>A PNG image's first 8 bytes are always: <code>89 50 4E 47 0D 0A 1A 0A</code> -- this is the "magic number" that tells programs "I'm a PNG." The rest is compressed pixel data that only image decoders understand.</p>
      <p><strong>The takeaway:</strong> You can <code>console.log()</code> text and read it. You cannot <code>console.log()</code> an image and get anything useful. Binary data requires specialized handling.</p>
    </div>

    <h3>Blob (Binary Large Object)</h3>
    <p>A <strong>Blob</strong> is the browser's way of representing raw binary data. It's an immutable chunk of bytes with a MIME type attached. You cannot read a Blob directly -- you must use APIs to extract its contents.</p>

    <div class="example-box">
      <div class="label">Creating and Using Blobs in the Browser</div>
<pre><code>// Creating a Blob from text
const textBlob = new Blob(["Hello, World!"], { type: "text/plain" });
console.log(textBlob.size);  // 13 bytes
console.log(textBlob.type);  // "text/plain"

// Creating a Blob from JSON
const data = { name: "Sean", role: "developer" };
const jsonBlob = new Blob([JSON.stringify(data)], { type: "application/json" });

// Creating a Blob from binary data (Uint8Array)
const bytes = new Uint8Array([72, 101, 108, 108, 111]);  // "Hello"
const binaryBlob = new Blob([bytes], { type: "application/octet-stream" });

// Reading a Blob's contents
const text = await textBlob.text();       // "Hello, World!"
const buffer = await textBlob.arrayBuffer(); // Raw bytes as ArrayBuffer

// Slicing a Blob (like substring but for binary)
const partial = textBlob.slice(0, 5, "text/plain");  // First 5 bytes</code></pre>
    </div>

    <div class="tip-box">
      <div class="label">When You Use Blobs in Real Apps</div>
      <ul>
        <li><strong>File uploads:</strong> When a user selects a file via <code>&lt;input type="file"&gt;</code>, you get a <code>File</code> object (which extends Blob)</li>
        <li><strong>Download links:</strong> <code>URL.createObjectURL(blob)</code> creates a temporary URL to trigger downloads</li>
        <li><strong>Canvas exports:</strong> <code>canvas.toBlob()</code> gives you the image as a Blob for uploading</li>
        <li><strong>Fetch responses:</strong> <code>response.blob()</code> gets binary data from API responses</li>
      </ul>
    </div>

    <h3>The File API</h3>
    <p>The <code>File</code> object extends Blob, adding <code>name</code>, <code>lastModified</code>, and <code>webkitRelativePath</code>. When a user picks a file from their computer, the browser gives you a File object.</p>

    <div class="example-box">
      <div class="label">Handling File Uploads -- The Complete Pattern</div>
<pre><code>// HTML: &lt;input type="file" id="upload" accept="image/*" multiple&gt;

const input = document.getElementById("upload");

input.addEventListener("change", async (event) => {
  const files = event.target.files;  // FileList (array-like)

  for (const file of files) {
    console.log(file.name);          // "photo.jpg"
    console.log(file.size);          // 2458832 (bytes)
    console.log(file.type);          // "image/jpeg"
    console.log(file.lastModified);  // 1708123456789 (timestamp)

    // Validate before uploading
    if (file.size > 5 * 1024 * 1024) {
      alert("File too large! Max 5MB.");
      continue;
    }

    if (!file.type.startsWith("image/")) {
      alert("Only images allowed!");
      continue;
    }

    // Option 1: Upload as FormData (multipart -- most common)
    const formData = new FormData();
    formData.append("avatar", file);
    formData.append("userId", "123");
    await fetch("/api/upload", { method: "POST", body: formData });

    // Option 2: Upload as raw binary
    await fetch("/api/upload", {
      method: "POST",
      headers: { "Content-Type": file.type },
      body: file,  // File IS a Blob, so this works
    });

    // Option 3: Read as base64 for preview
    const reader = new FileReader();
    reader.onload = () => {
      const base64 = reader.result;  // "data:image/jpeg;base64,/9j/4AAQ..."
      document.getElementById("preview").src = base64;
    };
    reader.readAsDataURL(file);
  }
});</code></pre>
    </div>

    <h3>MIME Types</h3>
    <p>MIME (Multipurpose Internet Mail Extensions) types tell systems <strong>what kind of data</strong> they're looking at. Format: <code>type/subtype</code>. Getting MIME types wrong causes real bugs -- browsers won't display images, downloads get corrupted, security filters reject uploads.</p>

    <div class="example-box">
      <div class="label">Common MIME Types You Must Know</div>
<pre><code>// Text formats
"text/plain"                  // .txt
"text/html"                   // .html
"text/css"                    // .css
"text/javascript"             // .js (also "application/javascript")
"text/csv"                    // .csv

// Application formats
"application/json"            // .json -- APIs
"application/pdf"             // .pdf
"application/xml"             // .xml
"application/zip"             // .zip
"application/octet-stream"    // Generic binary (unknown type)

// Images
"image/jpeg"                  // .jpg, .jpeg
"image/png"                   // .png
"image/gif"                   // .gif
"image/webp"                  // .webp (modern, smaller)
"image/svg+xml"               // .svg (vector graphics)

// Audio
"audio/mpeg"                  // .mp3
"audio/wav"                   // .wav
"audio/ogg"                   // .ogg

// Video
"video/mp4"                   // .mp4
"video/webm"                  // .webm
"video/ogg"                   // .ogv

// Multipart (for form uploads)
"multipart/form-data"         // File uploads via forms</code></pre>
    </div>

    <div class="warning-box">
      <div class="label">Security: Never Trust Client-Sent MIME Types</div>
      <p>A user can rename <code>malware.exe</code> to <code>photo.jpg</code> and the browser will send <code>image/jpeg</code> as the MIME type. <strong>Always validate on the server</strong> by checking the file's magic bytes (first few bytes), not the extension or MIME header.</p>
<pre><code>// Server-side: check magic bytes for real file type
// JPEG starts with: FF D8 FF
// PNG starts with:  89 50 4E 47
// PDF starts with:  25 50 44 46 ("%PDF")
// GIF starts with:  47 49 46 38 ("GIF8")

const buf = Buffer.from(fileData);
const isJPEG = buf[0] === 0xFF && buf[1] === 0xD8 && buf[2] === 0xFF;
const isPNG  = buf[0] === 0x89 && buf[1] === 0x50 && buf[2] === 0x4E && buf[3] === 0x47;</code></pre>
    </div>

    <h3>Base64 Encoding</h3>
    <p>Base64 converts binary data into ASCII text using 64 characters (A-Z, a-z, 0-9, +, /). Why? Because many systems (JSON, HTML, email, URLs) can only handle text, not raw bytes. Base64 is the bridge.</p>

    <div class="example-box">
      <div class="label">Base64 in Practice</div>
<pre><code>// Browser: encoding and decoding
const encoded = btoa("Hello, World!");       // "SGVsbG8sIFdvcmxkIQ=="
const decoded = atob("SGVsbG8sIFdvcmxkIQ=="); // "Hello, World!"

// Node.js: Buffer handles base64 natively
const buf = Buffer.from("Hello, World!");
const b64 = buf.toString("base64");          // "SGVsbG8sIFdvcmxkIQ=="
const original = Buffer.from(b64, "base64").toString("utf-8"); // "Hello, World!"

// Data URLs: embed binary in HTML/CSS (small images only!)
// Format: data:[MIME];base64,[DATA]
const imgTag = `&lt;img src="data:image/png;base64,iVBORw0KGgo..." /&gt;`;

// Converting a file to base64 for JSON APIs
const file = fs.readFileSync("photo.jpg");
const payload = {
  filename: "photo.jpg",
  content: file.toString("base64"),  // Now it's a JSON-safe string
  mime: "image/jpeg"
};</code></pre>
    </div>

    <div class="warning-box">
      <div class="label">Base64 Overhead: 33% Larger</div>
      <p>Base64 encoding increases data size by ~33%. A 3MB image becomes ~4MB as base64. This is why you should <strong>never</strong> use base64 for large file transfers -- use multipart form data or streams instead. Base64 is best for small assets (icons, thumbnails) or when you must embed binary data inside JSON/HTML.</p>
    </div>

    <h3>ArrayBuffer and TypedArrays</h3>
    <p>Under the hood, binary data in JavaScript lives in <strong>ArrayBuffers</strong> -- fixed-length chunks of raw memory. You read/write them through <strong>TypedArrays</strong> (views into the buffer).</p>

    <div class="example-box">
      <div class="label">Working with ArrayBuffers</div>
<pre><code>// Create a buffer of 16 bytes
const buffer = new ArrayBuffer(16);

// View it as unsigned 8-bit integers (0-255 per byte)
const uint8 = new Uint8Array(buffer);
uint8[0] = 72;   // 'H'
uint8[1] = 101;  // 'e'
uint8[2] = 108;  // 'l'
uint8[3] = 108;  // 'l'
uint8[4] = 111;  // 'o'

// View the SAME buffer as 32-bit integers
const uint32 = new Uint32Array(buffer);
console.log(uint32[0]);  // Combines first 4 bytes into one 32-bit number

// Common TypedArrays:
// Uint8Array    -- bytes (0 to 255) -- most common for file I/O
// Int8Array     -- signed bytes (-128 to 127)
// Uint16Array   -- 2-byte unsigned (0 to 65535)
// Int32Array    -- 4-byte signed
// Float32Array  -- 4-byte floats (for audio/graphics)
// Float64Array  -- 8-byte doubles (for precision math)

// Converting between Blob and ArrayBuffer
const blob = new Blob([uint8], { type: "application/octet-stream" });
const backToBuffer = await blob.arrayBuffer();
const backToUint8 = new Uint8Array(backToBuffer);</code></pre>
    </div>

    <h3>Multipart Form Data -- How File Uploads Actually Work</h3>
    <p>When you submit a form with files, the browser sends a <strong>multipart/form-data</strong> request. The body is divided into "parts" separated by a boundary string. Each part has its own headers and content. This is how most file uploads work on the web.</p>

    <div class="example-box">
      <div class="label">What a Multipart Request Looks Like on the Wire</div>
<pre><code>POST /api/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW

------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="username"

sean
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="avatar"; filename="photo.jpg"
Content-Type: image/jpeg

[RAW BINARY BYTES OF THE IMAGE HERE]
------WebKitFormBoundary7MA4YWxkTrZu0gW--</code></pre>
      <p>The boundary string separates each field. Text fields send their value directly. File fields include the filename, MIME type, and raw binary content. Your backend framework (Express, Fastify, etc.) parses this for you using libraries like <code>multer</code> or <code>busboy</code>.</p>
    </div>

    <div class="example-box">
      <div class="label">Express.js File Upload with Multer -- Production Pattern</div>
<pre><code>const express = require("express");
const multer = require("multer");
const path = require("path");

// Configure where and how files are stored
const storage = multer.diskStorage({
  destination: (req, file, cb) => {
    cb(null, "./uploads/");  // Save to uploads directory
  },
  filename: (req, file, cb) => {
    // Unique name: timestamp-randomhex.extension
    const uniqueName = Date.now() + "-" + crypto.randomBytes(6).toString("hex");
    const ext = path.extname(file.originalname);  // ".jpg"
    cb(null, uniqueName + ext);
  }
});

// Validation: only images, max 5MB
const upload = multer({
  storage,
  limits: { fileSize: 5 * 1024 * 1024 },  // 5MB
  fileFilter: (req, file, cb) => {
    const allowed = ["image/jpeg", "image/png", "image/webp"];
    if (allowed.includes(file.mimetype)) {
      cb(null, true);
    } else {
      cb(new Error("Only JPEG, PNG, and WebP allowed"));
    }
  }
});

const app = express();

// Single file upload
app.post("/api/avatar", upload.single("avatar"), (req, res) => {
  console.log(req.file);
  // { fieldname: 'avatar', originalname: 'photo.jpg',
  //   mimetype: 'image/jpeg', size: 245883,
  //   destination: './uploads/', filename: '1708123456789-a1b2c3.jpg',
  //   path: 'uploads/1708123456789-a1b2c3.jpg' }
  res.json({ url: `/uploads/${req.file.filename}` });
});

// Multiple files
app.post("/api/gallery", upload.array("photos", 10), (req, res) => {
  console.log(req.files);  // Array of file objects (max 10)
  res.json({ count: req.files.length });
});

// Error handling for multer
app.use((err, req, res, next) => {
  if (err instanceof multer.MulterError) {
    if (err.code === "LIMIT_FILE_SIZE") {
      return res.status(413).json({ error: "File too large. Max 5MB." });
    }
  }
  res.status(400).json({ error: err.message });
});</code></pre>
    </div>

    <div class="tip-box">
      <div class="label">File Storage: Local vs Cloud</div>
      <ul>
        <li><strong>Local filesystem</strong> -- Fine for dev and small apps. Breaks when you have multiple servers (load balancing) because files only exist on one machine.</li>
        <li><strong>Cloud object storage (S3, GCS, R2)</strong> -- The production standard. Files are accessible from any server, automatically replicated, and you get CDN integration for fast delivery.</li>
        <li><strong>Database (BLOB column)</strong> -- Almost never do this. Databases are optimized for structured data, not large binary blobs. It makes backups huge and queries slow.</li>
        <li><strong>The pattern:</strong> Upload to cloud storage, save the URL/key in your database. Serve via CDN.</li>
      </ul>
    </div>
  </section>


  <!-- ============================================================ -->
  <!--  SECTION 2: NODE.JS FILE SYSTEM & PATH                       -->
  <!-- ============================================================ -->
  <section id="node-fs">
    <h2>2. Node.js File System &amp; Path</h2>
    <p>The <code>fs</code> (file system) and <code>path</code> modules are how Node.js interacts with the operating system's files and directories. Every backend engineer uses these daily -- reading config files, writing logs, processing uploads, generating reports.</p>

    <div class="warning-box">
      <div class="label">Sync vs Async -- This Will Bite You</div>
      <p>The <code>fs</code> module offers three flavors of every operation:</p>
      <ul>
        <li><strong><code>fs.readFileSync()</code></strong> -- Blocks the entire event loop. Use only at startup (reading config). <strong>Never in request handlers.</strong></li>
        <li><strong><code>fs.readFile(path, callback)</code></strong> -- Callback-based async. Works but leads to callback hell.</li>
        <li><strong><code>fs.promises.readFile()</code></strong> -- Promise-based async. <strong>This is what you should use.</strong></li>
      </ul>
      <p>If you use <code>readFileSync</code> inside an Express route handler, your server can only handle <strong>one request at a time</strong> while the file is being read. For a 100ms disk read, that's 100ms where every other user is waiting. With 100 concurrent users, the last one waits 10 seconds. Use async.</p>
    </div>

    <h3>Reading Files</h3>
    <div class="example-box">
      <div class="label">Three Ways to Read Files</div>
<pre><code>const fs = require("fs");
const fsPromises = require("fs/promises");  // or fs.promises

// 1. Synchronous -- blocks event loop (only use at startup)
const configSync = fs.readFileSync("./config.json", "utf-8");
const config = JSON.parse(configSync);

// 2. Callback -- works but messy
fs.readFile("./data.txt", "utf-8", (err, data) => {
  if (err) {
    console.error("Failed to read:", err.message);
    return;
  }
  console.log(data);
});

// 3. Promises -- the modern way (use this)
async function loadData() {
  try {
    const data = await fsPromises.readFile("./data.txt", "utf-8");
    console.log(data);
  } catch (err) {
    if (err.code === "ENOENT") {
      console.log("File not found");
    } else {
      throw err;  // Re-throw unexpected errors
    }
  }
}

// Reading binary files (no encoding = returns Buffer)
const imageBuffer = await fsPromises.readFile("./photo.jpg");
console.log(imageBuffer.length);  // Size in bytes
console.log(imageBuffer[0]);      // First byte (0xFF for JPEG)</code></pre>
    </div>

    <h3>Writing Files</h3>
    <div class="example-box">
      <div class="label">Writing and Appending</div>
<pre><code>const fsPromises = require("fs/promises");

// Write (creates or overwrites)
await fsPromises.writeFile("./output.txt", "Hello, World!", "utf-8");

// Write JSON
const data = { users: 150, active: true };
await fsPromises.writeFile("./data.json", JSON.stringify(data, null, 2));

// Append (adds to end of file)
await fsPromises.appendFile("./log.txt", `[${new Date().toISOString()}] Server started\n`);

// Write binary data
const buffer = Buffer.from([0x89, 0x50, 0x4E, 0x47]);  // PNG header
await fsPromises.writeFile("./header.bin", buffer);

// Write with flags
const { open } = require("fs/promises");
const fileHandle = await open("./output.txt", "w");  // 'w' = write, 'a' = append
await fileHandle.write("Line 1\n");
await fileHandle.write("Line 2\n");
await fileHandle.close();  // Always close file handles!</code></pre>
    </div>

    <h3>The Path Module -- Never Hardcode Paths</h3>
    <div class="example-box">
      <div class="label">Path Operations You Use Every Day</div>
<pre><code>const path = require("path");

// Joining paths safely (handles slashes for you)
path.join("/users", "sean", "documents", "file.txt");
// "/users/sean/documents/file.txt"

// Resolving to absolute path
path.resolve("./uploads", "photo.jpg");
// "/home/sean/project/uploads/photo.jpg" (from current working dir)

// Getting parts of a path
path.basename("/uploads/photo.jpg");           // "photo.jpg"
path.basename("/uploads/photo.jpg", ".jpg");   // "photo" (without ext)
path.extname("/uploads/photo.jpg");            // ".jpg"
path.dirname("/uploads/photo.jpg");            // "/uploads"

// Parsing a path into its components
path.parse("/home/sean/photo.jpg");
// { root: '/', dir: '/home/sean', base: 'photo.jpg',
//   ext: '.jpg', name: 'photo' }

// __dirname and __filename (CommonJS)
console.log(__dirname);   // Directory of current file
console.log(__filename);  // Full path of current file

// ES Modules equivalent
import { fileURLToPath } from "url";
import { dirname } from "path";
const __filename = fileURLToPath(import.meta.url);
const __dirname = dirname(__filename);

// Why this matters: NEVER do this
const bad = "./uploads/" + userInput;  // Path traversal attack!
// User sends "../../../etc/passwd" and reads your system files

// ALWAYS sanitize and resolve
const safePath = path.join("./uploads", path.basename(userInput));
// path.basename strips directory traversal: "../../../etc/passwd" -> "passwd"</code></pre>
    </div>

    <h3>Directory Operations</h3>
    <div class="example-box">
      <div class="label">Creating, Reading, and Managing Directories</div>
<pre><code>const fsPromises = require("fs/promises");
const path = require("path");

// Create directory (recursive: true creates parent dirs too)
await fsPromises.mkdir("./uploads/avatars/thumbnails", { recursive: true });

// List directory contents
const files = await fsPromises.readdir("./uploads");
console.log(files);  // ["photo1.jpg", "photo2.png", "avatars"]

// List with file type info
const entries = await fsPromises.readdir("./uploads", { withFileTypes: true });
for (const entry of entries) {
  if (entry.isFile()) console.log("File:", entry.name);
  if (entry.isDirectory()) console.log("Dir:", entry.name);
}

// Check if file/directory exists
async function exists(filePath) {
  try {
    await fsPromises.access(filePath);
    return true;
  } catch {
    return false;
  }
}

// Get file metadata
const stats = await fsPromises.stat("./photo.jpg");
console.log(stats.size);          // Size in bytes
console.log(stats.isFile());      // true
console.log(stats.isDirectory()); // false
console.log(stats.mtime);         // Last modified date
console.log(stats.birthtime);     // Created date

// Delete file
await fsPromises.unlink("./temp/old-file.txt");

// Delete directory (recursive: removes contents too)
await fsPromises.rm("./temp", { recursive: true, force: true });

// Rename / Move file
await fsPromises.rename("./old-name.txt", "./new-name.txt");
await fsPromises.rename("./uploads/temp.jpg", "./uploads/avatars/final.jpg");

// Copy file
await fsPromises.copyFile("./source.jpg", "./backup/source.jpg");

// Watch for changes (useful for dev tools, hot reload)
const { watch } = require("fs/promises");
const watcher = watch("./src", { recursive: true });
for await (const event of watcher) {
  console.log(event.eventType, event.filename);  // "change" "index.js"
}</code></pre>
    </div>

    <div class="tip-box">
      <div class="label">Common fs Error Codes</div>
      <ul>
        <li><strong><code>ENOENT</code></strong> -- File or directory not found (most common)</li>
        <li><strong><code>EACCES</code></strong> -- Permission denied (check file ownership)</li>
        <li><strong><code>EISDIR</code></strong> -- Expected a file but got a directory</li>
        <li><strong><code>ENOTDIR</code></strong> -- Expected a directory but got a file</li>
        <li><strong><code>EEXIST</code></strong> -- File already exists (when using exclusive create)</li>
        <li><strong><code>EMFILE</code></strong> -- Too many open files (you're leaking file handles)</li>
        <li><strong><code>ENOSPC</code></strong> -- No space left on device (disk full)</li>
      </ul>
    </div>
  </section>


  <!-- ============================================================ -->
  <!--  SECTION 3: BUFFERS IN NODE.JS                               -->
  <!-- ============================================================ -->
  <section id="buffers">
    <h2>3. Buffers in Node.js</h2>
    <p>A <strong>Buffer</strong> is Node.js's way of handling raw binary data. Unlike JavaScript strings (which are UTF-16 encoded), Buffers are sequences of raw bytes. When you read a file without specifying an encoding, you get a Buffer. When you receive data over a network socket, it arrives as Buffers. They are everywhere in backend code.</p>

    <div class="warning-box">
      <div class="label">Buffer vs ArrayBuffer</div>
      <p><strong>Buffer</strong> is Node.js-specific. <strong>ArrayBuffer</strong> is the browser standard. Buffer actually extends Uint8Array under the hood, so they share many methods. In Node.js, always use Buffer. In the browser, use ArrayBuffer/TypedArrays. When working in environments that support both (like Deno or modern Node), Buffer is still the conventional choice on the server.</p>
    </div>

    <h3>Creating Buffers</h3>
    <div class="example-box">
      <div class="label">Every Way to Create a Buffer</div>
<pre><code>// From a string (most common)
const buf1 = Buffer.from("Hello, World!", "utf-8");
console.log(buf1);        // &lt;Buffer 48 65 6c 6c 6f 2c 20 57 6f 72 6c 64 21&gt;
console.log(buf1.length); // 13 bytes

// From an array of bytes
const buf2 = Buffer.from([72, 101, 108, 108, 111]);  // "Hello"

// From hex string
const buf3 = Buffer.from("48656c6c6f", "hex");  // "Hello"

// From base64
const buf4 = Buffer.from("SGVsbG8=", "base64");  // "Hello"

// Allocate empty buffer (filled with zeros)
const buf5 = Buffer.alloc(1024);      // 1KB of zeros -- SAFE
const buf6 = Buffer.allocUnsafe(1024); // 1KB, may contain old memory data -- FAST

// Why allocUnsafe exists: alloc fills memory with zeros (takes time).
// allocUnsafe skips zeroing (faster) but may expose data from
// previously freed memory. Use alloc for security-sensitive data,
// allocUnsafe when you'll immediately overwrite all bytes.</code></pre>
    </div>

    <h3>Reading From Buffers</h3>
    <div class="example-box">
      <div class="label">Extracting Data from Buffers</div>
<pre><code>const buf = Buffer.from("Hello, World!");

// Convert to string
buf.toString("utf-8");     // "Hello, World!"
buf.toString("hex");       // "48656c6c6f2c20576f726c6421"
buf.toString("base64");    // "SGVsbG8sIFdvcmxkIQ=="

// Read individual bytes
buf[0];  // 72 (the byte value of 'H')
buf[1];  // 101 ('e')

// Slice (does NOT copy -- shares memory!)
const slice = buf.slice(0, 5);    // Buffer: "Hello"
slice[0] = 74;                     // Changes BOTH buf and slice!
console.log(buf.toString());       // "Jello, World!" -- buf was modified!

// subarray (same as slice, shares memory)
const sub = buf.subarray(7, 12);   // Buffer: "World"

// To get an independent copy, use Buffer.from(slice)
const copy = Buffer.from(buf.slice(0, 5));  // Independent copy

// Reading numbers from binary data (network protocols, file formats)
const data = Buffer.alloc(8);
data.writeUInt32BE(0x12345678, 0);  // Write 4-byte big-endian at offset 0
data.writeUInt16LE(0xABCD, 4);     // Write 2-byte little-endian at offset 4
data.readUInt32BE(0);               // 0x12345678
data.readUInt16LE(4);               // 0xABCD

// BE = Big Endian (most significant byte first) -- network byte order
// LE = Little Endian (least significant byte first) -- x86 CPUs</code></pre>
    </div>

    <h3>Buffer Operations</h3>
    <div class="example-box">
      <div class="label">Common Buffer Manipulations</div>
<pre><code>// Concatenating buffers
const part1 = Buffer.from("Hello, ");
const part2 = Buffer.from("World!");
const combined = Buffer.concat([part1, part2]);
// &lt;Buffer 48 65 6c 6c 6f 2c 20 57 6f 72 6c 64 21&gt;

// Comparing buffers
const a = Buffer.from("abc");
const b = Buffer.from("abc");
const c = Buffer.from("abd");
a.equals(b);     // true (same content)
a.equals(c);     // false
Buffer.compare(a, c);  // -1 (a comes before c)

// Searching in buffers
const buf = Buffer.from("Hello, World!");
buf.indexOf("World");   // 7 (byte offset)
buf.includes("World");  // true
buf.indexOf(0x57);      // 7 (byte value of 'W')

// Filling a buffer
const zeroed = Buffer.alloc(10);
zeroed.fill(0xFF);      // All bytes set to 255
zeroed.fill("ab");      // Repeating pattern: 61 62 61 62 61 62...

// Iterating over bytes
for (const byte of buf) {
  process.stdout.write(byte.toString(16) + " ");
}
// 48 65 6c 6c 6f 2c 20 57 6f 72 6c 64 21</code></pre>
    </div>

    <div class="tip-box">
      <div class="label">When You Use Buffers in Real Backend Code</div>
      <ul>
        <li><strong>File I/O:</strong> <code>fs.readFile(path)</code> without encoding returns a Buffer</li>
        <li><strong>Crypto:</strong> <code>crypto.randomBytes(32)</code> returns a Buffer (for tokens, salts, IVs)</li>
        <li><strong>Network:</strong> TCP sockets receive data as Buffers</li>
        <li><strong>Image processing:</strong> Libraries like Sharp take and return Buffers</li>
        <li><strong>Hashing:</strong> <code>crypto.createHash("sha256").update(buf).digest()</code> works with Buffers</li>
        <li><strong>Protocol parsing:</strong> Reading binary protocols (WebSocket frames, HTTP/2, database wire protocols)</li>
      </ul>
    </div>
  </section>


  <!-- ============================================================ -->
  <!--  SECTION 4: STREAMS IN NODE.JS                               -->
  <!-- ============================================================ -->
  <section id="streams">
    <h2>4. Streams in Node.js</h2>
    <p>Streams let you process data <strong>piece by piece</strong> instead of loading everything into memory at once. This is the difference between an app that crashes on a 2GB file and one that handles it effortlessly with 50MB of RAM. Streams are the backbone of scalable Node.js.</p>

    <div class="warning-box">
      <div class="label">Why Streams Are Non-Negotiable for Scale</div>
      <p>Imagine 100 users simultaneously uploading 100MB files.</p>
      <ul>
        <li><strong>Without streams:</strong> <code>readFile()</code> loads each entire file into memory. 100 users x 100MB = 10GB RAM. Your server crashes.</li>
        <li><strong>With streams:</strong> Each upload processes in small chunks (16KB-64KB at a time). 100 users x 64KB = 6.4MB RAM. Your server is fine.</li>
      </ul>
      <p>Streams are not an optimization. They are how you build software that doesn't fall over under load.</p>
    </div>

    <h3>The Four Types of Streams</h3>
    <div class="example-box">
      <div class="label">Stream Types and Real-World Examples</div>
<pre><code>// 1. READABLE -- Data comes OUT of it (source)
//    Examples: fs.createReadStream, HTTP request body, process.stdin
const readable = fs.createReadStream("./bigfile.csv");

// 2. WRITABLE -- Data goes INTO it (destination)
//    Examples: fs.createWriteStream, HTTP response, process.stdout
const writable = fs.createWriteStream("./output.txt");

// 3. TRANSFORM -- Data goes in, different data comes out (processor)
//    Examples: zlib.createGzip(), crypto.createCipher(), CSV parser
const gzip = zlib.createGzip();

// 4. DUPLEX -- Both readable AND writable (independent)
//    Examples: TCP sockets, WebSockets
const socket = new net.Socket();</code></pre>
    </div>

    <h3>Reading with Streams</h3>
    <div class="example-box">
      <div class="label">Processing Large Files Without Loading Them Entirely</div>
<pre><code>const fs = require("fs");

// Create a readable stream (default chunk size: 64KB)
const stream = fs.createReadStream("./server.log", {
  encoding: "utf-8",
  highWaterMark: 64 * 1024,  // 64KB chunks (default)
});

// Event-based reading
stream.on("data", (chunk) => {
  console.log(`Received ${chunk.length} bytes`);
  // Process each chunk -- this fires many times for large files
});

stream.on("end", () => {
  console.log("Done reading");
});

stream.on("error", (err) => {
  console.error("Read error:", err.message);
});

// Modern async iteration (cleaner -- use this)
async function processFile() {
  const stream = fs.createReadStream("./server.log", { encoding: "utf-8" });

  for await (const chunk of stream) {
    // Process each chunk
    const lines = chunk.split("\n");
    for (const line of lines) {
      if (line.includes("ERROR")) {
        console.log("Found error:", line);
      }
    }
  }
}</code></pre>
    </div>

    <h3>Writing with Streams</h3>
    <div class="example-box">
      <div class="label">Writing Large Amounts of Data Efficiently</div>
<pre><code>const fs = require("fs");

const writeStream = fs.createWriteStream("./output.csv");

// Write header
writeStream.write("id,name,email\n");

// Write 1 million rows without running out of memory
for (let i = 0; i < 1_000_000; i++) {
  const row = `${i},user_${i},user${i}@example.com\n`;

  // write() returns false when internal buffer is full
  const canContinue = writeStream.write(row);

  if (!canContinue) {
    // BACKPRESSURE: internal buffer is full
    // Wait for it to drain before writing more
    await new Promise((resolve) => writeStream.once("drain", resolve));
  }
}

// Signal that we're done writing
writeStream.end();

// Wait for all data to be flushed to disk
writeStream.on("finish", () => {
  console.log("All data written to disk");
});</code></pre>
    </div>

    <h3>Piping -- Connecting Streams Together</h3>
    <div class="example-box">
      <div class="label">pipe() is the Most Important Stream Method</div>
<pre><code>const fs = require("fs");
const zlib = require("zlib");
const crypto = require("crypto");

// Simple copy: read from one file, write to another
fs.createReadStream("./input.txt")
  .pipe(fs.createWriteStream("./copy.txt"));

// Compress a file: read -> gzip -> write
fs.createReadStream("./bigfile.log")
  .pipe(zlib.createGzip())
  .pipe(fs.createWriteStream("./bigfile.log.gz"));

// Chain multiple transforms: read -> encrypt -> compress -> write
fs.createReadStream("./sensitive.json")
  .pipe(crypto.createCipheriv("aes-256-cbc", key, iv))
  .pipe(zlib.createGzip())
  .pipe(fs.createWriteStream("./sensitive.json.enc.gz"));

// Modern: pipeline() with error handling (use this over pipe)
const { pipeline } = require("stream/promises");

async function compressFile(input, output) {
  await pipeline(
    fs.createReadStream(input),
    zlib.createGzip(),
    fs.createWriteStream(output)
  );
  console.log("Compression complete");
  // pipeline automatically handles errors and cleanup
}

// HTTP streaming -- serve large files without buffering
app.get("/download/:filename", (req, res) => {
  const filePath = path.join("./files", req.params.filename);
  const stat = fs.statSync(filePath);

  res.writeHead(200, {
    "Content-Type": "application/octet-stream",
    "Content-Length": stat.size,
    "Content-Disposition": `attachment; filename="${req.params.filename}"`,
  });

  // Stream the file to the client -- constant memory usage regardless of file size
  fs.createReadStream(filePath).pipe(res);
});</code></pre>
    </div>

    <h3>Transform Streams -- Processing Data as It Flows</h3>
    <div class="example-box">
      <div class="label">Building Custom Transform Streams</div>
<pre><code>const { Transform } = require("stream");

// Transform that converts text to uppercase
const upperCase = new Transform({
  transform(chunk, encoding, callback) {
    // chunk is a Buffer, convert to string, transform, push out
    this.push(chunk.toString().toUpperCase());
    callback();  // Signal that we're done processing this chunk
  }
});

// Use it in a pipeline
fs.createReadStream("./input.txt")
  .pipe(upperCase)
  .pipe(fs.createWriteStream("./UPPER_OUTPUT.txt"));

// Transform that filters lines (e.g., only errors from a log)
const errorFilter = new Transform({
  objectMode: false,
  transform(chunk, encoding, callback) {
    const lines = chunk.toString().split("\n");
    const errors = lines.filter(line => line.includes("ERROR"));
    if (errors.length > 0) {
      this.push(errors.join("\n") + "\n");
    }
    callback();
  }
});

// Real-world: CSV parser as a transform stream
const csvParser = new Transform({
  objectMode: true,  // Push JS objects instead of buffers
  transform(chunk, encoding, callback) {
    const lines = chunk.toString().split("\n");
    for (const line of lines) {
      if (line.trim()) {
        const [id, name, email] = line.split(",");
        this.push({ id, name, email });  // Push JS object
      }
    }
    callback();
  }
});</code></pre>
    </div>

    <div class="warning-box">
      <div class="label">Backpressure -- The #1 Stream Concept Developers Miss</div>
      <p><strong>Backpressure</strong> happens when a writable stream can't keep up with a readable stream. If the reader produces data faster than the writer can consume it, data buffers in memory and eventually crashes your process.</p>
<pre><code>// BAD: ignoring backpressure
readable.on("data", (chunk) => {
  writable.write(chunk);  // What if writable is slow? Memory grows unbounded!
});

// GOOD: pipe() handles backpressure automatically
readable.pipe(writable);  // Pauses readable when writable's buffer is full

// GOOD: manual backpressure handling
readable.on("data", (chunk) => {
  const ok = writable.write(chunk);
  if (!ok) {
    readable.pause();  // Stop reading until writer catches up
    writable.once("drain", () => {
      readable.resume();  // Writer caught up, resume reading
    });
  }
});

// BEST: use pipeline (handles backpressure + errors + cleanup)
const { pipeline } = require("stream/promises");
await pipeline(readable, transform, writable);</code></pre>
    </div>

    <div class="tip-box">
      <div class="label">Streams Cheat Sheet</div>
      <ul>
        <li><strong>Small file (&lt;50MB):</strong> <code>readFile</code>/<code>writeFile</code> is fine</li>
        <li><strong>Large file (&gt;50MB):</strong> Always use streams</li>
        <li><strong>File download:</strong> <code>createReadStream(file).pipe(res)</code></li>
        <li><strong>File upload:</strong> <code>req.pipe(createWriteStream(dest))</code></li>
        <li><strong>Compression:</strong> <code>pipeline(input, zlib.createGzip(), output)</code></li>
        <li><strong>Line-by-line:</strong> Use <code>readline.createInterface({ input: stream })</code></li>
        <li><strong>Error handling:</strong> Always use <code>pipeline()</code> over <code>.pipe()</code></li>
      </ul>
    </div>
  </section>


  <!-- ============================================================ -->
  <!--  SECTION 5: DATABASE ESSENTIALS                               -->
  <!-- ============================================================ -->
  <section id="db-scale">
    <h2>5. Database Essentials: Transactions, Indexes &amp; Scale</h2>
    <p>Your app is only as good as its data layer. Understanding how databases actually work -- not just writing queries, but understanding transactions, indexes, connection pooling, and scaling patterns -- separates junior developers from engineers who can build systems that survive production traffic.</p>

    <h3>ACID -- The Four Guarantees of Reliable Databases</h3>
    <p>ACID is not academic theory. It's the set of promises your database makes so your data doesn't get corrupted. Every time you transfer money, place an order, or update a user profile, ACID is protecting you.</p>

    <div class="example-box">
      <div class="label">ACID Properties Explained with Real Scenarios</div>
<pre><code>// A = ATOMICITY -- "All or nothing"
// A bank transfer: debit Account A AND credit Account B
// If the server crashes after debiting A but before crediting B,
// the ENTIRE transaction rolls back. Money doesn't vanish.

BEGIN TRANSACTION;
  UPDATE accounts SET balance = balance - 100 WHERE id = 'A';
  -- Server crashes here? Both statements roll back. No money lost.
  UPDATE accounts SET balance = balance + 100 WHERE id = 'B';
COMMIT;

// C = CONSISTENCY -- "Rules are never broken"
// If you have a constraint "balance >= 0", the database will
// reject any transaction that would make balance negative.
// The database moves from one valid state to another valid state.

// I = ISOLATION -- "Concurrent transactions don't interfere"
// User A reads their balance (1000) while User B transfers money to them.
// User A sees either the old balance or the new one -- never a
// half-updated state. (The isolation LEVEL determines the exact behavior.)

// D = DURABILITY -- "Committed data survives crashes"
// Once the database says "COMMIT successful", the data is on disk.
// Even if the server loses power 1ms later, the data is safe.</code></pre>
    </div>

    <div class="formula-box">
      <strong>ACID Properties (Formal Definitions):</strong><br><br>
      • <strong>Atomicity:</strong> All operations in a transaction succeed, or none do. No partial commits.<br>
      • <strong>Consistency:</strong> A transaction brings the database from one valid state to another. All constraints are satisfied.<br>
      • <strong>Isolation:</strong> Concurrent transactions appear as if they ran sequentially. One transaction cannot see another's uncommitted changes.<br>
      • <strong>Durability:</strong> Once committed, the data survives crashes, power loss, and restarts (written to disk/WAL).
    </div>

    <h3>Transactions in Practice</h3>
    <div class="example-box">
      <div class="label">Node.js Transaction Patterns</div>
<pre><code>// PostgreSQL with pg (node-postgres)
const { Pool } = require("pg");
const pool = new Pool();

async function transferMoney(fromId, toId, amount) {
  const client = await pool.connect();  // Get a connection from the pool

  try {
    await client.query("BEGIN");

    // Lock the rows we're modifying (SELECT ... FOR UPDATE)
    const { rows } = await client.query(
      "SELECT balance FROM accounts WHERE id = $1 FOR UPDATE",
      [fromId]
    );

    if (rows[0].balance < amount) {
      await client.query("ROLLBACK");
      throw new Error("Insufficient funds");
    }

    await client.query(
      "UPDATE accounts SET balance = balance - $1 WHERE id = $2",
      [amount, fromId]
    );

    await client.query(
      "UPDATE accounts SET balance = balance + $1 WHERE id = $2",
      [amount, toId]
    );

    await client.query("COMMIT");
    return { success: true };

  } catch (err) {
    await client.query("ROLLBACK");
    throw err;
  } finally {
    client.release();  // ALWAYS return connection to pool
  }
}

// Prisma ORM transaction
const result = await prisma.$transaction(async (tx) => {
  const sender = await tx.account.update({
    where: { id: fromId },
    data: { balance: { decrement: amount } },
  });

  if (sender.balance < 0) {
    throw new Error("Insufficient funds");  // Auto-rollback
  }

  await tx.account.update({
    where: { id: toId },
    data: { balance: { increment: amount } },
  });

  return { success: true };
});</code></pre>
    </div>

    <h3>Transaction Isolation Levels</h3>
    <div class="example-box">
      <div class="label">What Each Level Protects Against</div>
<pre><code>// From weakest to strongest:

// 1. READ UNCOMMITTED (almost never used)
//    Can see uncommitted changes from other transactions ("dirty reads")
//    Problem: You read data that might get rolled back

// 2. READ COMMITTED (PostgreSQL default)
//    Only sees committed data. No dirty reads.
//    Problem: If you read the same row twice in one transaction,
//    you might get different values ("non-repeatable read")

// 3. REPEATABLE READ (MySQL InnoDB default)
//    Reading the same row twice always gives the same result
//    Problem: New rows inserted by other transactions might
//    appear in range queries ("phantom reads")

// 4. SERIALIZABLE (strongest, slowest)
//    Transactions behave as if they ran one at a time
//    No anomalies, but highest overhead and most lock contention

-- Set isolation level per transaction
BEGIN TRANSACTION ISOLATION LEVEL SERIALIZABLE;
  -- your queries here
COMMIT;

-- The right level depends on your use case:
-- Financial transfers:  SERIALIZABLE or REPEATABLE READ
-- Analytics queries:    READ COMMITTED (acceptable stale data)
-- Inventory deduction:  SERIALIZABLE (prevent overselling)</code></pre>
    </div>

    <h3>Indexes -- Why Your Query is Slow</h3>
    <p>An index is a data structure (usually a B-tree) that lets the database find rows without scanning the entire table. Without an index, finding one user in 10 million rows means reading all 10 million rows. With an index, it takes ~23 lookups (log2 of 10M).</p>

    <div class="example-box">
      <div class="label">Index Types and When to Use Each</div>
<pre><code>-- B-Tree Index (default, most common)
-- Good for: equality, range queries, sorting, prefix matching
CREATE INDEX idx_users_email ON users (email);
CREATE INDEX idx_orders_date ON orders (created_at);

-- Now these queries use the index instead of scanning all rows:
SELECT * FROM users WHERE email = 'sean@example.com';    -- O(log n) instead of O(n)
SELECT * FROM orders WHERE created_at > '2024-01-01';    -- Range scan on index
SELECT * FROM orders ORDER BY created_at DESC LIMIT 10;  -- Index already sorted

-- Composite Index (multiple columns)
CREATE INDEX idx_orders_user_date ON orders (user_id, created_at);

-- This index helps queries that filter by user_id, or by user_id AND created_at
-- Column ORDER MATTERS: (user_id, date) helps "WHERE user_id = 5"
-- but does NOT help "WHERE created_at > ..." alone (leftmost prefix rule)

-- Unique Index (also enforces uniqueness)
CREATE UNIQUE INDEX idx_users_email ON users (email);

-- Partial Index (index only some rows -- saves space)
CREATE INDEX idx_active_users ON users (email) WHERE active = true;

-- GIN Index (for arrays, JSONB, full-text search -- PostgreSQL)
CREATE INDEX idx_tags ON articles USING GIN (tags);
SELECT * FROM articles WHERE tags @> ARRAY['javascript'];

-- Hash Index (equality only, no range queries)
CREATE INDEX idx_session_token ON sessions USING HASH (token);</code></pre>
    </div>

    <div class="warning-box">
      <div class="label">Index Traps -- Common Mistakes</div>
<pre><code>-- MISTAKE 1: Indexing everything
-- Each index slows down INSERT/UPDATE/DELETE because the index
-- must also be updated. More indexes = slower writes.

-- MISTAKE 2: Functions defeat indexes
SELECT * FROM users WHERE LOWER(email) = 'sean@example.com';
-- This does NOT use the index on email! The function prevents it.
-- Fix: Create an expression index:
CREATE INDEX idx_users_email_lower ON users (LOWER(email));

-- MISTAKE 3: Leading wildcard kills index
SELECT * FROM users WHERE email LIKE '%@gmail.com';
-- Cannot use B-tree index (doesn't know where to start)
-- Fix: Use a reverse index or full-text search

-- MISTAKE 4: Wrong column order in composite index
CREATE INDEX idx ON orders (created_at, user_id);
SELECT * FROM orders WHERE user_id = 5;
-- This query CANNOT use the index efficiently because
-- user_id is the second column. Leftmost prefix rule!

-- MISTAKE 5: Not using EXPLAIN
EXPLAIN ANALYZE SELECT * FROM users WHERE email = 'sean@example.com';
-- Always check the query plan. "Seq Scan" = no index used. Bad.
-- "Index Scan" or "Index Only Scan" = index used. Good.</code></pre>
    </div>

    <h3>Connection Pooling</h3>
    <p>Opening a database connection is expensive (TCP handshake, SSL negotiation, authentication). A <strong>connection pool</strong> keeps a set of open connections ready to use. Your app borrows a connection, runs a query, and returns it to the pool.</p>

    <div class="example-box">
      <div class="label">Connection Pooling in Node.js</div>
<pre><code>const { Pool } = require("pg");

// Create a pool with sensible defaults
const pool = new Pool({
  host: "localhost",
  port: 5432,
  database: "myapp",
  user: "appuser",
  password: process.env.DB_PASSWORD,
  max: 20,                // Maximum connections in pool
  idleTimeoutMillis: 30000,    // Close idle connections after 30s
  connectionTimeoutMillis: 5000, // Fail if can't connect in 5s
});

// Simple query (pool manages the connection for you)
const { rows } = await pool.query("SELECT * FROM users WHERE id = $1", [userId]);

// For transactions: manually check out a connection
const client = await pool.connect();
try {
  await client.query("BEGIN");
  // ... your transaction queries ...
  await client.query("COMMIT");
} catch (err) {
  await client.query("ROLLBACK");
  throw err;
} finally {
  client.release();  // CRITICAL: always release back to pool
  // If you forget client.release(), the connection leaks.
  // After max connections leak, new requests hang forever.
}

// Monitor pool health
pool.on("error", (err) => {
  console.error("Unexpected pool error:", err);
});

// Sizing: max connections = (CPU cores * 2) + number of disks
// For most web apps, 10-20 connections handles hundreds of req/s.
// More connections = more contention, not more throughput.</code></pre>
    </div>

    <h3>N+1 Query Problem</h3>
    <div class="example-box">
      <div class="label">The Most Common Performance Bug in Backend Code</div>
<pre><code>// PROBLEM: Fetching users and their orders
const users = await db.query("SELECT * FROM users LIMIT 100");

// N+1: 1 query for users + 100 queries for orders = 101 queries!
for (const user of users) {
  const orders = await db.query(
    "SELECT * FROM orders WHERE user_id = $1", [user.id]
  );
  user.orders = orders;
}

// FIX 1: JOIN (single query)
const result = await db.query(`
  SELECT u.*, o.id AS order_id, o.total, o.created_at AS order_date
  FROM users u
  LEFT JOIN orders o ON u.id = o.user_id
  LIMIT 100
`);

// FIX 2: Batch query (2 queries instead of 101)
const users = await db.query("SELECT * FROM users LIMIT 100");
const userIds = users.map(u => u.id);
const orders = await db.query(
  "SELECT * FROM orders WHERE user_id = ANY($1)", [userIds]
);

// Group orders by user_id
const ordersByUser = {};
for (const order of orders) {
  if (!ordersByUser[order.user_id]) ordersByUser[order.user_id] = [];
  ordersByUser[order.user_id].push(order);
}

// FIX 3: Use an ORM with eager loading
// Prisma
const users = await prisma.user.findMany({
  take: 100,
  include: { orders: true },  // Automatic JOIN or batch query
});</code></pre>
    </div>

    <div class="formula-box">
      <strong>N+1 Query Problem (Precise Definition):</strong><br><br>
      1 query to fetch N records + N queries to fetch related data for each = N+1 total queries.<br><br>
      <strong>Fix:</strong> Use a JOIN (1 query) or eager loading (2 queries: one for parents, one for all children with WHERE parent_id IN (...)).
    </div>

    <h3>Database Scaling Patterns</h3>
    <div class="example-box">
      <div class="label">From Single Server to Distributed Database</div>
<pre><code>// LEVEL 1: Vertical Scaling ("scale up")
// Bigger machine: more CPU, RAM, faster SSD
// Works until you hit hardware limits or budget limits
// Good for: most startups and mid-size apps

// LEVEL 2: Read Replicas
// One primary (handles writes) + multiple replicas (handle reads)
// Your app sends writes to primary, reads to replicas
// Good for: read-heavy apps (90% reads, 10% writes)

PRIMARY (writes) ──replicates──> REPLICA 1 (reads)
                 ──replicates──> REPLICA 2 (reads)
                 ──replicates──> REPLICA 3 (reads)

// Caveat: Replication lag. A write to primary may take 10-100ms
// to appear on replicas. "Read your own writes" pattern:
// After a write, read from primary (not replica) for that user.

// LEVEL 3: Sharding (horizontal partitioning)
// Split data across multiple databases by a shard key
// Example: users 1-1M on shard 1, users 1M-2M on shard 2

function getShard(userId) {
  return userId % NUM_SHARDS;  // Simple hash-based sharding
}

// Shard 0: users where id % 3 == 0
// Shard 1: users where id % 3 == 1
// Shard 2: users where id % 3 == 2

// Caveats:
// - Cross-shard queries are expensive (joining data across shards)
// - Resharding (adding more shards) is painful
// - Some queries become impossible (ORDER BY across all shards)
// - Only shard when you've exhausted other options

// LEVEL 4: Caching layer
// Redis/Memcached in front of the database
// Cache frequently-read, rarely-changed data

async function getUser(id) {
  // 1. Check cache first
  const cached = await redis.get(`user:${id}`);
  if (cached) return JSON.parse(cached);

  // 2. Cache miss -- query database
  const user = await db.query("SELECT * FROM users WHERE id = $1", [id]);

  // 3. Store in cache for 5 minutes
  await redis.setex(`user:${id}`, 300, JSON.stringify(user));

  return user;
}

// Cache invalidation (the hard part):
// When user data changes, delete/update the cache
async function updateUser(id, data) {
  await db.query("UPDATE users SET name = $1 WHERE id = $2", [data.name, id]);
  await redis.del(`user:${id}`);  // Invalidate cache
}</code></pre>
    </div>

    <h3>Database Migrations</h3>
    <div class="example-box">
      <div class="label">Changing Your Schema Safely in Production</div>
<pre><code>// Migrations are versioned SQL scripts that evolve your database schema
// They run in order and track which ones have been applied

// Example: migration file 001_create_users.sql
CREATE TABLE users (
  id SERIAL PRIMARY KEY,
  email VARCHAR(255) UNIQUE NOT NULL,
  name VARCHAR(100) NOT NULL,
  created_at TIMESTAMP DEFAULT NOW()
);

// 002_add_avatar_to_users.sql
ALTER TABLE users ADD COLUMN avatar_url TEXT;

// 003_create_orders.sql
CREATE TABLE orders (
  id SERIAL PRIMARY KEY,
  user_id INTEGER REFERENCES users(id) ON DELETE CASCADE,
  total DECIMAL(10, 2) NOT NULL,
  status VARCHAR(20) DEFAULT 'pending',
  created_at TIMESTAMP DEFAULT NOW()
);
CREATE INDEX idx_orders_user_id ON orders (user_id);

// Tools: Prisma Migrate, Knex migrations, golang-migrate, Flyway
// NEVER modify a database schema by hand in production.
// ALWAYS use migrations so changes are tracked, reversible, and reproducible.

// Dangerous migrations (require careful planning):
// - Renaming columns (breaks existing queries)
// - Dropping columns (data loss, breaks existing code)
// - Adding NOT NULL columns to large tables (full table lock)
// Pattern: deploy code that handles both old AND new schema,
// then run migration, then deploy code that uses only new schema.</code></pre>
    </div>

    <div class="tip-box">
      <div class="label">Database Concepts Cheat Sheet</div>
      <ul>
        <li><strong>ACID</strong> -- Atomicity, Consistency, Isolation, Durability. The guarantees that prevent data corruption.</li>
        <li><strong>Transaction</strong> -- A group of queries that succeed or fail together. Use for any multi-step data change.</li>
        <li><strong>Index</strong> -- Makes reads fast, makes writes slightly slower. Always index columns you WHERE, JOIN, or ORDER BY.</li>
        <li><strong>N+1 Problem</strong> -- Querying in a loop. Fix with JOINs, batch queries, or ORM eager loading.</li>
        <li><strong>Connection Pool</strong> -- Reuse database connections instead of opening/closing per query.</li>
        <li><strong>Read Replica</strong> -- Copy of database for read-only queries. Reduces load on primary.</li>
        <li><strong>Sharding</strong> -- Splitting data across multiple databases. Last resort for extreme scale.</li>
        <li><strong>Cache</strong> -- Store hot data in Redis/Memcached. Invalidation is the hard part.</li>
        <li><strong>Migration</strong> -- Versioned schema changes. Never ALTER production by hand.</li>
        <li><strong>EXPLAIN ANALYZE</strong> -- Your best friend for debugging slow queries.</li>
      </ul>
    </div>
  </section>


  <!-- ============================================================ -->
  <!--  SECTION 6: CHUNKED READING & STREAMING SERVERS              -->
  <!-- ============================================================ -->
  <section id="chunking">
    <h2>6. Chunked Reading &amp; Streaming Servers</h2>
    <p>Most tutorials teach you to read a file and send it. That works for tiny files. In production, you stream data in chunks -- keeping memory constant whether the file is 1KB or 10GB. This section explains why and how.</p>

    <h3>The Problem with Reading Entire Files</h3>
    <p>The naive approach loads the <strong>entire file</strong> into RAM before sending it to the client. This is fine for a config file. It is catastrophic for media files.</p>

    <div class="warning-box">
      <div class="label">Why This Kills Production Servers</div>
      <p><code>fs.readFile()</code> loads the whole file into a single Buffer in memory. If your file is 500MB, that is 500MB of RAM per request. 100 concurrent downloads = <strong>50GB of RAM</strong>. Your server will OOM-crash long before that.</p>
    </div>

    <div class="example-box">
      <div class="label">Naive vs Streamed -- Memory Comparison</div>
<pre><code><span class="lang-label">JavaScript</span>
// BAD: Reads entire file into memory
const http = require("http");
const fs = require("fs");

http.createServer((req, res) => {
  const data = fs.readFileSync("big-video.mp4");  // 500MB in RAM!
  res.writeHead(200, { "Content-Type": "video/mp4" });
  res.end(data);
}).listen(3000);

// GOOD: Streams file in chunks (~64KB in memory at a time)
http.createServer((req, res) => {
  res.writeHead(200, { "Content-Type": "video/mp4" });
  const stream = fs.createReadStream("big-video.mp4");
  stream.pipe(res);  // Chunks flow from disk to network automatically
}).listen(3000);</code></pre>
      <p>With streaming, memory usage stays at roughly 64KB regardless of file size. The file is read chunk by chunk from disk and each chunk is sent to the client before the next is read.</p>
    </div>

    <h3>How Chunked Reading Works</h3>
    <p>Files are read in fixed-size chunks, typically 16KB to 64KB. Each chunk is sent to the client as soon as it is read. Memory usage remains constant no matter how large the file is.</p>

    <div class="formula-box">
      <strong>The Chunked Reading Pipeline:</strong><br><br>
<pre><code>Disk                    Server Memory           Network              Client
┌──────────┐           ┌──────────────┐        ┌──────────┐       ┌──────────┐
│          │  read()   │              │ write() │          │       │          │
│  File    │──[64KB]──▶│    Buffer    │──[64KB]─▶│  Socket  │──────▶│ Browser  │
│  (10GB)  │           │   (~64KB)    │         │          │       │          │
│          │  repeat   │              │  repeat │          │       │          │
└──────────┘           └──────────────┘        └──────────┘       └──────────┘

Memory used: ~64KB constant          NOT 10GB!</code></pre>
    </div>

    <div class="tip-box">
      <div class="label">Key Insight</div>
      <p>The chunk size is controlled by the <code>highWaterMark</code> option in Node.js streams. The default is 64KB for file streams. You can tune this: smaller chunks use less memory but more syscalls; larger chunks use more memory but fewer syscalls.</p>
    </div>

    <h3>HTTP Chunked Transfer Encoding</h3>
    <p>When the server does not know the total size of the response upfront (e.g., dynamically generated content), it uses <code>Transfer-Encoding: chunked</code>. Each chunk is framed with its size in hexadecimal, followed by CRLF, the data, and another CRLF.</p>

    <div class="example-box">
      <div class="label">Raw Chunked HTTP Response Format</div>
<pre><code><span class="lang-label">Terminal</span>
HTTP/1.1 200 OK
Content-Type: text/plain
Transfer-Encoding: chunked

7\r\n
Hello, \r\n
6\r\n
World!\r\n
0\r\n
\r\n

# Breakdown:
# "7"      = next chunk is 7 bytes (hex)
# "Hello, " = the 7 bytes of data
# "6"      = next chunk is 6 bytes
# "World!" = the 6 bytes of data
# "0"      = zero-length chunk signals end of response</code></pre>
      <p>This format lets the server start sending data before it knows how much there is. The client reads chunk by chunk until it sees the zero-length terminator.</p>
    </div>

    <div class="tip-box">
      <div class="label">When Chunked vs Content-Length</div>
      <p>If you know the exact size (static file), use <code>Content-Length</code> -- it is more efficient and lets clients show progress bars. Use <code>Transfer-Encoding: chunked</code> when the total size is unknown: server-sent events, dynamically generated responses, or proxied streams.</p>
    </div>

    <h3>Implementing a Chunked File Server in Node.js</h3>
    <p>A production file server needs to handle range requests (for video seeking), set correct headers, and stream efficiently.</p>

    <div class="example-box">
      <div class="label">File Server with Range Request Support (206 Partial Content)</div>
<pre><code><span class="lang-label">JavaScript</span>
const http = require("http");
const fs = require("fs");
const path = require("path");

http.createServer((req, res) => {
  const filePath = path.join(__dirname, "videos", "demo.mp4");
  const stat = fs.statSync(filePath);
  const fileSize = stat.size;

  const range = req.headers.range;

  if (range) {
    // Range request: "bytes=32324-"
    const parts = range.replace(/bytes=/, "").split("-");
    const start = parseInt(parts[0], 10);
    const end = parts[1] ? parseInt(parts[1], 10) : fileSize - 1;
    const chunkSize = end - start + 1;

    res.writeHead(206, {
      "Content-Range": `bytes ${start}-${end}/${fileSize}`,
      "Accept-Ranges": "bytes",
      "Content-Length": chunkSize,
      "Content-Type": "video/mp4",
    });

    const stream = fs.createReadStream(filePath, { start, end });
    stream.pipe(res);
  } else {
    // Full file request
    res.writeHead(200, {
      "Content-Length": fileSize,
      "Content-Type": "video/mp4",
    });

    fs.createReadStream(filePath).pipe(res);
  }
}).listen(3000, () => console.log("File server on :3000"));</code></pre>
      <p>When a browser plays an MP4 and the user seeks to 2:30, the browser sends a <code>Range: bytes=15000000-</code> header. The server responds with <strong>206 Partial Content</strong> and streams only the requested portion.</p>
    </div>

    <div class="example-box">
      <div class="label">Custom highWaterMark for Tuning</div>
<pre><code><span class="lang-label">JavaScript</span>
// Default: 64KB chunks
const stream = fs.createReadStream("large.bin");

// Custom: 256KB chunks (fewer syscalls, more memory per stream)
const stream = fs.createReadStream("large.bin", {
  highWaterMark: 256 * 1024  // 256KB
});

// Custom: 16KB chunks (less memory, more syscalls)
const stream = fs.createReadStream("large.bin", {
  highWaterMark: 16 * 1024   // 16KB
});</code></pre>
    </div>

    <h3>Chunked File Server in Go</h3>
    <p>Go's standard library handles much of this for you, but understanding the internals matters.</p>

    <div class="example-box">
      <div class="label">Go File Server -- From Simple to Custom</div>
<pre><code><span class="lang-label">Go</span>
package main

import (
    "io"
    "net/http"
    "os"
)

func main() {
    // Method 1: http.ServeFile (handles Range requests automatically)
    http.HandleFunc("/video", func(w http.ResponseWriter, r *http.Request) {
        http.ServeFile(w, r, "./videos/demo.mp4")
    })

    // Method 2: Manual chunk-by-chunk reading
    http.HandleFunc("/download", func(w http.ResponseWriter, r *http.Request) {
        file, err := os.Open("./files/large.bin")
        if err != nil {
            http.Error(w, "File not found", 404)
            return
        }
        defer file.Close()

        w.Header().Set("Content-Type", "application/octet-stream")

        // io.Copy reads in 32KB chunks internally
        // It calls file.Read() repeatedly and writes to the ResponseWriter
        io.Copy(w, file)
    })

    // Method 3: Custom chunk size with a buffer
    http.HandleFunc("/custom", func(w http.ResponseWriter, r *http.Request) {
        file, err := os.Open("./files/large.bin")
        if err != nil {
            http.Error(w, "File not found", 404)
            return
        }
        defer file.Close()

        buf := make([]byte, 128*1024) // 128KB chunks
        for {
            n, err := file.Read(buf)
            if n > 0 {
                w.Write(buf[:n])
            }
            if err == io.EOF {
                break
            }
            if err != nil {
                break
            }
        }
    })

    http.ListenAndServe(":8080", nil)
}</code></pre>
    </div>

    <div class="tip-box">
      <div class="label">Go vs Node.js for File Serving</div>
      <p><code>http.ServeFile</code> in Go automatically handles <code>Range</code> headers, <code>If-Modified-Since</code>, <code>Content-Type</code> detection, and proper caching headers. In Node.js, you must implement these yourself or use a library. For production static file serving, both languages are fast -- the bottleneck is disk I/O, not the language.</p>
    </div>

    <h3>Chunked Uploads</h3>
    <p>Downloading files in chunks is only half the story. Uploading large files reliably requires chunking too -- especially over unreliable networks.</p>

    <div class="example-box">
      <div class="label">Multipart Upload Strategy</div>
<pre><code><span class="lang-label">JavaScript</span>
// Client-side: Split a large file into chunks and upload each
async function uploadInChunks(file, chunkSize = 5 * 1024 * 1024) {
  const totalChunks = Math.ceil(file.size / chunkSize);

  // Step 1: Initiate upload, get an upload ID
  const { uploadId } = await fetch("/api/upload/init", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({
      filename: file.name,
      totalChunks,
      fileSize: file.size,
    }),
  }).then(r => r.json());

  // Step 2: Upload each chunk
  for (let i = 0; i &lt; totalChunks; i++) {
    const start = i * chunkSize;
    const end = Math.min(start + chunkSize, file.size);
    const chunk = file.slice(start, end);

    const formData = new FormData();
    formData.append("chunk", chunk);
    formData.append("chunkIndex", i);
    formData.append("uploadId", uploadId);

    await fetch("/api/upload/chunk", {
      method: "POST",
      body: formData,
    });

    console.log(`Uploaded chunk ${i + 1}/${totalChunks}`);
  }

  // Step 3: Finalize -- server assembles chunks
  await fetch("/api/upload/complete", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ uploadId }),
  });
}</code></pre>
    </div>

    <div class="tip-box">
      <div class="label">How Cloud Storage Handles This</div>
      <ul>
        <li><strong>AWS S3 Multipart Upload:</strong> Files over 100MB should use multipart. You initiate, upload parts (min 5MB each), then complete. S3 assembles them server-side.</li>
        <li><strong>Resumable Uploads:</strong> If a chunk fails, you retry only that chunk -- not the entire file. The server tracks which chunks have been received.</li>
        <li><strong>Why 5MB minimum?</strong> S3 requires each part to be at least 5MB (except the last). This prevents excessive overhead from managing millions of tiny parts.</li>
      </ul>
    </div>
  </section>


  <!-- ============================================================ -->
  <!--  SECTION 7: SCALABILITY PATTERNS                             -->
  <!-- ============================================================ -->
  <section id="scalability">
    <h2>7. Scalability Patterns</h2>
    <p>Your app works on localhost. Then real users show up. This section covers the patterns that take you from "works on my machine" to "handles millions of requests."</p>

    <h3>Vertical vs Horizontal Scaling</h3>
    <p>There are exactly two ways to get more capacity: make the server bigger, or add more servers.</p>

    <div class="formula-box">
      <strong>Vertical vs Horizontal Scaling:</strong><br><br>
<pre><code>VERTICAL SCALING                    HORIZONTAL SCALING
(Scale Up)                          (Scale Out)

┌─────────────────┐                ┌─────────┐ ┌─────────┐ ┌─────────┐
│                 │                │ Server  │ │ Server  │ │ Server  │
│   BIG SERVER    │                │   1     │ │   2     │ │   3     │
│                 │                └────┬────┘ └────┬────┘ └────┬────┘
│  64 CPU cores   │                     │           │           │
│  512 GB RAM     │                     └─────┬─────┘───────────┘
│  10TB SSD       │                           │
│                 │                    ┌──────┴──────┐
└─────────────────┘                    │ Load Balancer│
                                       └─────────────┘
Pro: Simple, no code changes           Pro: No single point of failure
Con: Has a ceiling, expensive          Con: Requires stateless design
Con: Single point of failure           Con: More operational complexity</code></pre>
    </div>

    <div class="tip-box">
      <div class="label">When to Use Which</div>
      <ul>
        <li><strong>Start vertical.</strong> It is simpler. A single beefy server can handle more traffic than most startups will ever see.</li>
        <li><strong>Go horizontal when:</strong> You need fault tolerance (server dies, others keep running), you hit the ceiling of the biggest machine available, or your workload is embarrassingly parallel.</li>
        <li><strong>Most apps do both:</strong> Vertically scale each node to a reasonable size, then horizontally scale the number of nodes.</li>
      </ul>
    </div>

    <h3>Stateless Services</h3>
    <p>The golden rule of horizontal scaling: <strong>any server must be able to handle any request</strong>. This means no request-specific state stored in the server's memory.</p>

    <div class="warning-box">
      <div class="label">The Stateful Trap</div>
      <p>If you store user sessions in memory (<code>const sessions = {}</code>), you cannot add more servers. User A logs in on Server 1, but their next request hits Server 2 -- which has no idea who they are. This is why you must externalize state.</p>
    </div>

    <div class="example-box">
      <div class="label">Stateful vs Stateless Authentication</div>
<pre><code><span class="lang-label">JavaScript</span>
// STATEFUL: Sessions stored in server memory (breaks with multiple servers)
const sessions = {};

app.post("/login", (req, res) => {
  const sessionId = crypto.randomUUID();
  sessions[sessionId] = { userId: user.id, email: user.email };
  res.cookie("sessionId", sessionId);
  res.json({ success: true });
});

app.get("/profile", (req, res) => {
  const session = sessions[req.cookies.sessionId]; // Only works on THIS server!
  if (!session) return res.status(401).json({ error: "Not authenticated" });
  res.json(session);
});

// STATELESS: JWT (works with any number of servers)
const jwt = require("jsonwebtoken");
const SECRET = process.env.JWT_SECRET;

app.post("/login", (req, res) => {
  const token = jwt.sign({ userId: user.id, email: user.email }, SECRET, {
    expiresIn: "24h",
  });
  res.json({ token });
});

app.get("/profile", (req, res) => {
  const token = req.headers.authorization?.split(" ")[1];
  try {
    const payload = jwt.verify(token, SECRET); // Any server can verify this
    res.json(payload);
  } catch {
    res.status(401).json({ error: "Invalid token" });
  }
});</code></pre>
      <p>With JWTs, the token itself contains the user's data, signed by the server. Any server with the secret key can verify it -- no shared state needed.</p>
    </div>

    <div class="tip-box">
      <div class="label">Where to Put State Instead</div>
      <ul>
        <li><strong>Sessions:</strong> Redis (fast, shared across all servers)</li>
        <li><strong>File uploads:</strong> S3 or object storage (not local disk)</li>
        <li><strong>Cache:</strong> Redis or Memcached (shared cache layer)</li>
        <li><strong>Database:</strong> PostgreSQL, MySQL, MongoDB (already external)</li>
      </ul>
    </div>

    <h3>Load Balancing</h3>
    <p>A load balancer distributes incoming requests across multiple servers. It is the entry point for all traffic in a horizontally scaled system.</p>

    <div class="example-box">
      <div class="label">Load Balancing Algorithms</div>
<pre><code><span class="lang-label">Terminal</span>
# Round-Robin: Requests go to servers in order (1, 2, 3, 1, 2, 3...)
# Simple and fair. Default for most load balancers.
Request 1 → Server A
Request 2 → Server B
Request 3 → Server C
Request 4 → Server A  (back to start)

# Least Connections: Send to the server with fewest active connections.
# Better when requests have variable processing time.
Server A (3 active) ← skip
Server B (1 active) ← SEND HERE
Server C (2 active) ← skip

# IP Hash: Hash the client IP to always route them to the same server.
# Useful for session affinity without shared session stores.
hash("192.168.1.1") % 3 = 1 → always Server B

# Weighted: Servers with more capacity get more traffic.
# Server A (weight 5): gets 50% of requests
# Server B (weight 3): gets 30% of requests
# Server C (weight 2): gets 20% of requests</code></pre>
    </div>

    <div class="formula-box">
      <strong>L4 (Transport) vs L7 (Application) Load Balancing:</strong><br><br>
      <strong>L4 Load Balancer:</strong> Works at the TCP level. Sees IP addresses and ports. Very fast (just forwards packets). Cannot inspect HTTP headers, URLs, or cookies.<br><br>
      <strong>L7 Load Balancer:</strong> Works at the HTTP level. Can route based on URL path, headers, cookies. Can terminate TLS, add headers, rewrite URLs. Slower but much more flexible.<br><br>
      <strong>Example:</strong> L7 can route <code>/api/*</code> to backend servers and <code>/static/*</code> to a CDN. L4 cannot -- it sees only the destination port.
    </div>

    <div class="warning-box">
      <div class="label">Sticky Sessions Are a Code Smell</div>
      <p>Sticky sessions (always routing the same user to the same server) defeat the purpose of load balancing. If that server dies, the user loses their session. If it gets overloaded, you cannot redistribute. Fix the root cause: make your services stateless.</p>
    </div>

    <h3>Caching Layers</h3>
    <p>The fastest request is one you never make. Caching stores computed results so they can be served instantly on subsequent requests.</p>

    <div class="formula-box">
      <strong>The Cache Hierarchy (request flows left to right, first hit wins):</strong><br><br>
<pre><code>Browser     CDN        Reverse       Application    Database
Cache       Cache      Proxy Cache   Cache (Redis)  Query Cache
┌─────┐   ┌─────┐    ┌─────────┐   ┌───────────┐  ┌──────────┐
│ HIT │──▶│ HIT │──▶ │  HIT    │──▶│   HIT     │──▶│  Query   │
│     │   │     │    │ (Nginx) │   │  (Redis)  │  │  (MySQL) │
└──┬──┘   └──┬──┘    └────┬────┘   └─────┬─────┘  └──────────┘
   │         │            │              │
 ~0ms      ~5ms        ~10ms          ~1ms           ~50-500ms

The closer to the user, the faster. But invalidation gets harder.</code></pre>
    </div>

    <div class="example-box">
      <div class="label">Cache-Aside Pattern with Redis</div>
<pre><code><span class="lang-label">JavaScript</span>
const Redis = require("ioredis");
const redis = new Redis();

async function getUserById(userId) {
  const cacheKey = `user:${userId}`;

  // Step 1: Check cache first
  const cached = await redis.get(cacheKey);
  if (cached) {
    console.log("Cache HIT");
    return JSON.parse(cached);
  }

  // Step 2: Cache miss -- query database
  console.log("Cache MISS");
  const user = await db.query("SELECT * FROM users WHERE id = $1", [userId]);

  // Step 3: Store in cache for next time (expire after 5 minutes)
  await redis.set(cacheKey, JSON.stringify(user), "EX", 300);

  return user;
}

// When user data changes, invalidate the cache
async function updateUser(userId, data) {
  await db.query("UPDATE users SET name = $1 WHERE id = $2", [data.name, userId]);
  await redis.del(`user:${userId}`);  // Invalidate cache
}</code></pre>
    </div>

    <div class="tip-box">
      <div class="label">Cache Invalidation Strategies</div>
      <ul>
        <li><strong>TTL (Time-To-Live):</strong> Cache expires after N seconds. Simple, but data can be stale for up to N seconds.</li>
        <li><strong>Event-Based:</strong> When data changes, explicitly delete the cache entry. Precise, but requires discipline.</li>
        <li><strong>Cache-Aside (Lazy):</strong> Application checks cache first, loads from DB on miss, writes to cache. Most common pattern.</li>
        <li><strong>Write-Through:</strong> Every write goes to both cache and DB. Consistent, but slower writes.</li>
      </ul>
      <p><em>"There are only two hard things in computer science: cache invalidation and naming things."</em> -- Phil Karlton</p>
    </div>

    <h3>Database Scaling</h3>
    <p>The database is almost always the bottleneck. Here are the main strategies for scaling it.</p>

    <div class="formula-box">
      <strong>Database Scaling Strategies:</strong><br><br>
<pre><code>READ REPLICAS                          SHARDING
(Scale reads)                          (Scale reads AND writes)

   Writes ───▶ ┌──────────┐            ┌───────────┐
               │ Primary  │            │  Shard 1  │  Users A-M
               │   (RW)   │            │  (RW)     │
               └────┬─────┘            └───────────┘
          ┌─────────┼──────────┐
          ▼         ▼          ▼        ┌───────────┐
     ┌────────┐ ┌────────┐ ┌────────┐  │  Shard 2  │  Users N-Z
     │Replica │ │Replica │ │Replica │  │  (RW)     │
     │ (RO)   │ │ (RO)   │ │ (RO)   │  └───────────┘
     └────────┘ └────────┘ └────────┘
          ▲         ▲          ▲        Cross-shard queries
     Reads distributed across replicas  are painful. Avoid if possible.</code></pre>
    </div>

    <div class="example-box">
      <div class="label">Connection Pooling -- Why It Matters</div>
<pre><code><span class="lang-label">JavaScript</span>
const { Pool } = require("pg");

// WITHOUT pooling: new connection per query (~50-100ms overhead each)
// WITH pooling: reuse connections from a pool (~0ms overhead)

const pool = new Pool({
  host: "localhost",
  database: "myapp",
  max: 20,           // Maximum 20 connections in the pool
  idleTimeoutMillis: 30000,  // Close idle connections after 30s
  connectionTimeoutMillis: 2000,  // Fail if can't connect in 2s
});

// Every query borrows a connection, uses it, and returns it
const result = await pool.query("SELECT * FROM users WHERE id = $1", [userId]);

// The connection is NOT closed -- it goes back to the pool for reuse</code></pre>
      <p>A database server can typically handle 100-500 concurrent connections. Without pooling, a busy Node.js app can exhaust connections in seconds. Pooling keeps the count bounded and reuses existing connections.</p>
    </div>

    <div class="tip-box">
      <div class="label">SQL vs NoSQL -- A Simple Decision Framework</div>
      <ul>
        <li><strong>Use SQL (PostgreSQL, MySQL) when:</strong> You have structured data with relationships, need transactions (ACID), need complex queries with JOINs, or need strong consistency.</li>
        <li><strong>Use NoSQL (MongoDB, DynamoDB) when:</strong> Your data is document-shaped (nested JSON), you need flexible schemas that change often, you need extreme horizontal scale for simple key-value lookups, or you have no cross-document relationships.</li>
        <li><strong>Default choice:</strong> Start with PostgreSQL. It handles JSON, full-text search, and most "NoSQL" use cases too.</li>
      </ul>
    </div>

    <h3>Message Queues for Async Processing</h3>
    <p>Not everything needs to happen during the HTTP request. Heavy or slow operations should be pushed to a queue and processed in the background.</p>

    <div class="example-box">
      <div class="label">Why Queues -- The Email Example</div>
<pre><code><span class="lang-label">JavaScript</span>
// WITHOUT a queue: user waits for email to send (~2-5 seconds)
app.post("/signup", async (req, res) => {
  const user = await db.createUser(req.body);
  await sendWelcomeEmail(user.email);  // SLOW! User waits for this
  await sendSlackNotification(user);    // Even slower!
  res.json({ success: true });          // 5 seconds later...
});

// WITH a queue: user gets instant response, email sends in background
app.post("/signup", async (req, res) => {
  const user = await db.createUser(req.body);
  await queue.publish("user.created", { userId: user.id, email: user.email });
  res.json({ success: true });  // Instant! (~50ms)
});

// Separate worker process picks up the job
queue.subscribe("user.created", async (message) => {
  await sendWelcomeEmail(message.email);
  await sendSlackNotification(message);
  // If this fails, the queue retries automatically
});</code></pre>
    </div>

    <div class="tip-box">
      <div class="label">Common Queue Use Cases</div>
      <ul>
        <li><strong>Email / Notifications:</strong> Send asynchronously, retry on failure</li>
        <li><strong>Image / Video Processing:</strong> Resize, transcode in background workers</li>
        <li><strong>Data Pipelines:</strong> ETL jobs, analytics event processing</li>
        <li><strong>Order Processing:</strong> Payment, inventory, shipping as separate steps</li>
      </ul>
      <p>Popular options: <strong>RabbitMQ</strong> (full-featured), <strong>Redis Streams</strong> (simple, already have Redis), <strong>AWS SQS</strong> (managed, serverless), <strong>Kafka</strong> (high-throughput, event streaming).</p>
    </div>

    <h3>Rate Limiting</h3>
    <p>Rate limiting protects your server from being overwhelmed -- whether by a traffic spike, a misbehaving client, or a deliberate attack. It is both a <strong>scalability</strong> and <strong>security</strong> tool.</p>

    <div class="formula-box">
      <strong>Token Bucket Algorithm:</strong><br><br>
<pre><code>Bucket capacity: 10 tokens
Refill rate: 1 token per second

Time 0s:  [● ● ● ● ● ● ● ● ● ●]  10 tokens (full)
          Request! → consume 1 token → ALLOWED

Time 0s:  [● ● ● ● ● ● ● ● ●  ]  9 tokens
          Request! → consume 1 token → ALLOWED

          ... 8 more requests in rapid succession ...

Time 1s:  [                       ]  0 tokens (empty)
          Request! → no tokens → REJECTED (429 Too Many Requests)

Time 2s:  [●                      ]  1 token (refilled)
          Request! → consume 1 token → ALLOWED

Key insight: Allows bursts (up to bucket size) but enforces
an average rate (refill rate) over time.</code></pre>
    </div>

    <div class="example-box">
      <div class="label">Rate Limiter in Node.js</div>
<pre><code><span class="lang-label">JavaScript</span>
// Simple in-memory rate limiter using sliding window
const rateLimits = new Map();

function rateLimit(key, maxRequests, windowMs) {
  const now = Date.now();
  const windowStart = now - windowMs;

  if (!rateLimits.has(key)) {
    rateLimits.set(key, []);
  }

  const timestamps = rateLimits.get(key);

  // Remove expired timestamps
  while (timestamps.length > 0 &amp;&amp; timestamps[0] &lt; windowStart) {
    timestamps.shift();
  }

  if (timestamps.length >= maxRequests) {
    return false;  // Rate limited
  }

  timestamps.push(now);
  return true;  // Allowed
}

// Express middleware
app.use((req, res, next) => {
  const key = req.ip;
  const allowed = rateLimit(key, 100, 60 * 1000);  // 100 requests per minute

  if (!allowed) {
    return res.status(429).json({
      error: "Too many requests",
      retryAfter: "60 seconds",
    });
  }

  next();
});</code></pre>
    </div>

    <div class="example-box">
      <div class="label">Rate Limiter in Go</div>
<pre><code><span class="lang-label">Go</span>
package main

import (
    "net/http"
    "sync"
    "time"
)

type RateLimiter struct {
    mu       sync.Mutex
    tokens   float64
    maxTokens float64
    refillRate float64   // tokens per second
    lastTime time.Time
}

func NewRateLimiter(maxTokens, refillRate float64) *RateLimiter {
    return &amp;RateLimiter{
        tokens:     maxTokens,
        maxTokens:  maxTokens,
        refillRate: refillRate,
        lastTime:   time.Now(),
    }
}

func (rl *RateLimiter) Allow() bool {
    rl.mu.Lock()
    defer rl.mu.Unlock()

    now := time.Now()
    elapsed := now.Sub(rl.lastTime).Seconds()
    rl.tokens += elapsed * rl.refillRate
    if rl.tokens > rl.maxTokens {
        rl.tokens = rl.maxTokens
    }
    rl.lastTime = now

    if rl.tokens &lt; 1 {
        return false
    }
    rl.tokens--
    return true
}

func main() {
    limiter := NewRateLimiter(10, 1) // 10 burst, 1/sec refill

    http.HandleFunc("/api", func(w http.ResponseWriter, r *http.Request) {
        if !limiter.Allow() {
            http.Error(w, "Too Many Requests", http.StatusTooManyRequests)
            return
        }
        w.Write([]byte("OK"))
    })

    http.ListenAndServe(":8080", nil)
}</code></pre>
    </div>

    <div class="warning-box">
      <div class="label">In-Memory Rate Limiting Does Not Scale</div>
      <p>The examples above store rate limit state in the server's memory. With multiple servers, each has its own counter -- a user could send 100 requests to each of 5 servers (500 total). For production, use <strong>Redis</strong> with atomic operations (INCR + EXPIRE) so all servers share one counter per key.</p>
    </div>
  </section>


  <!-- ============================================================ -->
  <!--  SECTION 8: BACKEND DESIGN PATTERNS                          -->
  <!-- ============================================================ -->
  <section id="backend-patterns">
    <h2>8. Backend Design Patterns</h2>
    <p>These are the recurring solutions to common backend problems. Learn them and you will recognize (and solve) architectural issues faster than engineers with twice your experience.</p>

    <h3>Repository Pattern</h3>
    <p>Separate data access from business logic. A repository is an abstraction layer between your application code and the database. Your business logic asks the repository for data -- it never knows or cares whether the data comes from PostgreSQL, MongoDB, or a test mock.</p>

    <div class="example-box">
      <div class="label">Repository Pattern in Node.js (TypeScript-style)</div>
<pre><code><span class="lang-label">JavaScript</span>
// repository/userRepository.js -- defines the contract
class UserRepository {
  async findById(id) { throw new Error("Not implemented"); }
  async findByEmail(email) { throw new Error("Not implemented"); }
  async create(userData) { throw new Error("Not implemented"); }
  async update(id, userData) { throw new Error("Not implemented"); }
  async delete(id) { throw new Error("Not implemented"); }
}

// repository/pgUserRepository.js -- PostgreSQL implementation
class PgUserRepository extends UserRepository {
  constructor(pool) {
    super();
    this.pool = pool;
  }

  async findById(id) {
    const { rows } = await this.pool.query(
      "SELECT * FROM users WHERE id = $1", [id]
    );
    return rows[0] || null;
  }

  async create(userData) {
    const { rows } = await this.pool.query(
      "INSERT INTO users (name, email) VALUES ($1, $2) RETURNING *",
      [userData.name, userData.email]
    );
    return rows[0];
  }

  // ... update, delete, findByEmail
}

// In tests: swap with a mock
class MockUserRepository extends UserRepository {
  constructor() {
    super();
    this.users = [];
  }

  async findById(id) {
    return this.users.find(u => u.id === id) || null;
  }

  async create(userData) {
    const user = { id: this.users.length + 1, ...userData };
    this.users.push(user);
    return user;
  }
}

// Business logic doesn't know which implementation it's using
async function getUserProfile(userRepo, userId) {
  const user = await userRepo.findById(userId);
  if (!user) throw new Error("User not found");
  return { name: user.name, email: user.email };
}</code></pre>
    </div>

    <div class="example-box">
      <div class="label">Repository Pattern in Go (Interface-driven)</div>
<pre><code><span class="lang-label">Go</span>
package repository

import "context"

// Interface -- the contract
type UserRepository interface {
    FindByID(ctx context.Context, id int64) (*User, error)
    FindByEmail(ctx context.Context, email string) (*User, error)
    Create(ctx context.Context, user *User) error
    Update(ctx context.Context, user *User) error
    Delete(ctx context.Context, id int64) error
}

// PostgreSQL implementation
type pgUserRepo struct {
    db *sql.DB
}

func NewPgUserRepo(db *sql.DB) UserRepository {
    return &amp;pgUserRepo{db: db}
}

func (r *pgUserRepo) FindByID(ctx context.Context, id int64) (*User, error) {
    user := &amp;User{}
    err := r.db.QueryRowContext(ctx,
        "SELECT id, name, email FROM users WHERE id = $1", id,
    ).Scan(&amp;user.ID, &amp;user.Name, &amp;user.Email)
    if err == sql.ErrNoRows {
        return nil, nil
    }
    return user, err
}

// In tests: use a mock that satisfies the same interface
type mockUserRepo struct {
    users map[int64]*User
}

func (m *mockUserRepo) FindByID(ctx context.Context, id int64) (*User, error) {
    return m.users[id], nil
}</code></pre>
    </div>

    <div class="tip-box">
      <div class="label">Why the Repository Pattern Matters</div>
      <ul>
        <li><strong>Swap databases:</strong> Move from PostgreSQL to DynamoDB without touching business logic</li>
        <li><strong>Testing:</strong> Inject a mock repository -- no database needed in unit tests</li>
        <li><strong>Single Responsibility:</strong> Business logic handles rules, repositories handle data access</li>
      </ul>
    </div>

    <h3>Service Layer Pattern</h3>
    <p>The service layer sits between your HTTP controllers and your data repositories. Controllers handle HTTP concerns (parsing requests, sending responses). Services handle business logic (validation, rules, orchestration). Repositories handle data access.</p>

    <div class="formula-box">
      <strong>The Three-Layer Architecture:</strong><br><br>
<pre><code>HTTP Request
    │
    ▼
┌──────────────┐  Parses request, validates input format,
│  Controller  │  calls service, sends HTTP response.
│  (HTTP)      │  Knows about req/res. Thin.
└──────┬───────┘
       │
       ▼
┌──────────────┐  Contains business rules, orchestrates
│   Service    │  repository calls, handles validation.
│  (Logic)     │  Knows nothing about HTTP.
└──────┬───────┘
       │
       ▼
┌──────────────┐  Talks to the database. Returns data.
│  Repository  │  Knows nothing about business rules.
│  (Data)      │
└──────────────┘
       │
       ▼
   Database</code></pre>
    </div>

    <div class="example-box">
      <div class="label">Service Layer in Practice</div>
<pre><code><span class="lang-label">JavaScript</span>
// service/userService.js -- business logic lives here
class UserService {
  constructor(userRepo, emailService) {
    this.userRepo = userRepo;
    this.emailService = emailService;
  }

  async signup(name, email, password) {
    // Business rule: check for existing user
    const existing = await this.userRepo.findByEmail(email);
    if (existing) throw new Error("Email already registered");

    // Business rule: hash password
    const hashedPassword = await bcrypt.hash(password, 10);

    // Create user via repository
    const user = await this.userRepo.create({
      name,
      email,
      password: hashedPassword,
    });

    // Side effect: send welcome email (via another service)
    await this.emailService.sendWelcome(user.email, user.name);

    return { id: user.id, name: user.name, email: user.email };
  }
}

// controller/userController.js -- HTTP concerns only
app.post("/api/signup", async (req, res) => {
  try {
    const { name, email, password } = req.body;

    if (!name || !email || !password) {
      return res.status(400).json({ error: "Missing required fields" });
    }

    const user = await userService.signup(name, email, password);
    res.status(201).json(user);
  } catch (err) {
    if (err.message === "Email already registered") {
      return res.status(409).json({ error: err.message });
    }
    res.status(500).json({ error: "Internal server error" });
  }
});</code></pre>
      <p>The controller is thin -- it parses the request, calls the service, and maps the result to an HTTP response. All business logic (duplicate check, password hashing, email sending) lives in the service.</p>
    </div>

    <h3>Middleware Pattern</h3>
    <p>Middleware functions form a chain. Each function can process the request, modify it, and decide whether to pass it to the next function. This is how you add cross-cutting concerns (logging, auth, rate limiting) without cluttering your route handlers.</p>

    <div class="example-box">
      <div class="label">Middleware Chain in Express</div>
<pre><code><span class="lang-label">JavaScript</span>
// Each middleware: do something, then call next()
// If you don't call next(), the chain stops.

// 1. Logging middleware
function logger(req, res, next) {
  const start = Date.now();
  res.on("finish", () => {
    const duration = Date.now() - start;
    console.log(`${req.method} ${req.url} ${res.statusCode} ${duration}ms`);
  });
  next();
}

// 2. Auth middleware
function authenticate(req, res, next) {
  const token = req.headers.authorization?.split(" ")[1];
  if (!token) return res.status(401).json({ error: "No token" });

  try {
    req.user = jwt.verify(token, SECRET);
    next();  // Token valid, continue to next middleware
  } catch {
    res.status(401).json({ error: "Invalid token" });
    // No next() call -- chain stops here
  }
}

// 3. Rate limiting middleware
function rateLimit(req, res, next) {
  if (!limiter.allow(req.ip)) {
    return res.status(429).json({ error: "Too many requests" });
  }
  next();
}

// Apply middleware in order: logger → rateLimit → auth → handler
app.use(logger);
app.use(rateLimit);

app.get("/api/profile", authenticate, (req, res) => {
  // Only reached if logger, rateLimit, AND authenticate all called next()
  res.json({ user: req.user });
});</code></pre>
    </div>

    <div class="example-box">
      <div class="label">Middleware Chain in Go</div>
<pre><code><span class="lang-label">Go</span>
package main

import (
    "log"
    "net/http"
    "time"
)

// Middleware type: takes a handler, returns a handler
type Middleware func(http.Handler) http.Handler

// Logging middleware
func Logger(next http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        start := time.Now()
        next.ServeHTTP(w, r)
        log.Printf("%s %s %v", r.Method, r.URL.Path, time.Since(start))
    })
}

// Auth middleware
func Auth(next http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        token := r.Header.Get("Authorization")
        if token == "" {
            http.Error(w, "Unauthorized", 401)
            return // Chain stops -- next is NOT called
        }
        // Validate token, set user in context...
        next.ServeHTTP(w, r)
    })
}

// Chain middleware: Logger → Auth → Handler
func Chain(handler http.Handler, middlewares ...Middleware) http.Handler {
    for i := len(middlewares) - 1; i >= 0; i-- {
        handler = middlewares[i](handler)
    }
    return handler
}

func main() {
    api := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        w.Write([]byte("Hello, authenticated user!"))
    })

    http.Handle("/api/profile", Chain(api, Logger, Auth))
    http.ListenAndServe(":8080", nil)
}</code></pre>
    </div>

    <h3>Circuit Breaker</h3>
    <p>When a downstream service (database, external API, microservice) goes down, every request to it will hang or fail. Without a circuit breaker, your entire service grinds to a halt waiting for timeouts.</p>

    <div class="formula-box">
      <strong>Circuit Breaker State Machine:</strong><br><br>
<pre><code>                    N failures
   ┌──────────┐    exceeded     ┌──────────┐
   │  CLOSED  │────────────────▶│   OPEN   │
   │ (normal) │                 │(fail fast)│
   └──────────┘                 └─────┬────┘
        ▲                             │
        │  Success                    │ After timeout
        │                             ▼
        │                       ┌───────────┐
        └───────────────────────│ HALF-OPEN │
              Success           │ (test one) │
                                └───────────┘
                                      │
                                      │ Failure
                                      ▼
                                ┌──────────┐
                                │   OPEN   │
                                │(fail fast)│
                                └──────────┘

CLOSED:    Normal operation. Requests pass through. Failures are counted.
OPEN:      All requests fail immediately (no network call). Fast failure.
HALF-OPEN: One test request is allowed through. Success → CLOSED. Failure → OPEN.</code></pre>
    </div>

    <div class="example-box">
      <div class="label">Circuit Breaker Implementation</div>
<pre><code><span class="lang-label">JavaScript</span>
class CircuitBreaker {
  constructor(fn, options = {}) {
    this.fn = fn;
    this.failureThreshold = options.failureThreshold || 5;
    this.resetTimeout = options.resetTimeout || 30000; // 30 seconds
    this.state = "CLOSED";
    this.failureCount = 0;
    this.lastFailureTime = null;
  }

  async call(...args) {
    if (this.state === "OPEN") {
      // Check if enough time has passed to try again
      if (Date.now() - this.lastFailureTime > this.resetTimeout) {
        this.state = "HALF-OPEN";
      } else {
        throw new Error("Circuit is OPEN -- failing fast");
      }
    }

    try {
      const result = await this.fn(...args);
      this.onSuccess();
      return result;
    } catch (error) {
      this.onFailure();
      throw error;
    }
  }

  onSuccess() {
    this.failureCount = 0;
    this.state = "CLOSED";
  }

  onFailure() {
    this.failureCount++;
    this.lastFailureTime = Date.now();
    if (this.failureCount >= this.failureThreshold) {
      this.state = "OPEN";
    }
  }
}

// Usage
const paymentBreaker = new CircuitBreaker(
  (orderId) => fetch(`https://payments.api/charge/${orderId}`),
  { failureThreshold: 3, resetTimeout: 10000 }
);

app.post("/checkout", async (req, res) => {
  try {
    const result = await paymentBreaker.call(req.body.orderId);
    res.json(result);
  } catch (err) {
    if (err.message.includes("OPEN")) {
      res.status(503).json({ error: "Payment service unavailable, try later" });
    } else {
      res.status(500).json({ error: "Payment failed" });
    }
  }
});</code></pre>
    </div>

    <h3>Retry with Exponential Backoff</h3>
    <p>When a request fails, do not retry immediately. Wait a little, then try again. If it fails again, wait longer. This prevents a thundering herd of retries from overwhelming a recovering service.</p>

    <div class="formula-box">
      <strong>Exponential Backoff Formula:</strong><br><br>
      <code>delay = baseDelay * 2^attempt + randomJitter</code><br><br>
      <strong>Example with baseDelay = 1 second:</strong><br>
      Attempt 1: 1s + jitter<br>
      Attempt 2: 2s + jitter<br>
      Attempt 3: 4s + jitter<br>
      Attempt 4: 8s + jitter<br>
      Attempt 5: 16s + jitter (give up after this)<br><br>
      <strong>Why jitter?</strong> Without it, if 1000 clients all fail at the same time, they all retry at 1s, then 2s, then 4s -- creating synchronized bursts. Random jitter spreads retries out over time.
    </div>

    <div class="example-box">
      <div class="label">Retry with Exponential Backoff</div>
<pre><code><span class="lang-label">JavaScript</span>
async function retryWithBackoff(fn, options = {}) {
  const maxRetries = options.maxRetries || 5;
  const baseDelay = options.baseDelay || 1000;
  const maxDelay = options.maxDelay || 30000;

  for (let attempt = 0; attempt &lt; maxRetries; attempt++) {
    try {
      return await fn();
    } catch (error) {
      if (attempt === maxRetries - 1) throw error;  // Last attempt, give up

      const delay = Math.min(baseDelay * Math.pow(2, attempt), maxDelay);
      const jitter = Math.random() * delay * 0.1;  // 10% jitter
      const totalDelay = delay + jitter;

      console.log(`Attempt ${attempt + 1} failed. Retrying in ${totalDelay}ms...`);
      await new Promise(resolve => setTimeout(resolve, totalDelay));
    }
  }
}

// Usage
const data = await retryWithBackoff(
  () => fetch("https://api.example.com/data").then(r => {
    if (!r.ok) throw new Error(`HTTP ${r.status}`);
    return r.json();
  }),
  { maxRetries: 3, baseDelay: 1000 }
);</code></pre>
    </div>

    <div class="example-box">
      <div class="label">Retry with Exponential Backoff in Go</div>
<pre><code><span class="lang-label">Go</span>
package main

import (
    "fmt"
    "math"
    "math/rand"
    "time"
)

func RetryWithBackoff(fn func() error, maxRetries int, baseDelay time.Duration) error {
    for attempt := 0; attempt &lt; maxRetries; attempt++ {
        err := fn()
        if err == nil {
            return nil
        }

        if attempt == maxRetries-1 {
            return fmt.Errorf("all %d attempts failed: %w", maxRetries, err)
        }

        delay := time.Duration(float64(baseDelay) * math.Pow(2, float64(attempt)))
        jitter := time.Duration(rand.Float64() * float64(delay) * 0.1)
        totalDelay := delay + jitter

        fmt.Printf("Attempt %d failed. Retrying in %v...\n", attempt+1, totalDelay)
        time.Sleep(totalDelay)
    }
    return nil
}</code></pre>
    </div>

    <h3>Event-Driven Architecture</h3>
    <p>Instead of services calling each other directly, they emit events. Other services listen for events they care about. This decouples services -- the emitter does not know or care who is listening.</p>

    <div class="example-box">
      <div class="label">Event-Driven with Node.js EventEmitter</div>
<pre><code><span class="lang-label">JavaScript</span>
const EventEmitter = require("events");
const bus = new EventEmitter();

// Service A: User signup (emits an event, doesn't know who listens)
async function signup(name, email, password) {
  const user = await db.createUser({ name, email, password });
  bus.emit("user.created", { userId: user.id, email, name });
  return user;
}

// Service B: Email service (listens for user.created)
bus.on("user.created", async ({ email, name }) => {
  await sendWelcomeEmail(email, name);
  console.log(`Welcome email sent to ${email}`);
});

// Service C: Analytics (also listens for user.created)
bus.on("user.created", async ({ userId }) => {
  await analytics.track("signup", { userId });
});

// Service D: Audit log (listens for everything)
bus.on("user.created", async (data) => {
  await auditLog.write("user.created", data);
});

// Adding a new listener requires ZERO changes to the signup function.
// That's the power of event-driven architecture.</code></pre>
    </div>

    <div class="tip-box">
      <div class="label">When to Use Event-Driven Architecture</div>
      <ul>
        <li><strong>Decoupled microservices:</strong> Services communicate through events, not direct HTTP calls</li>
        <li><strong>Audit logs:</strong> Record every significant action without cluttering business logic</li>
        <li><strong>Notifications:</strong> Email, SMS, push -- triggered by events, not inline code</li>
        <li><strong>Eventual consistency:</strong> When immediate consistency is not required (e.g., search index updates)</li>
      </ul>
      <p>For cross-process events, use a message broker (Redis Pub/Sub, RabbitMQ, Kafka) instead of in-process EventEmitter.</p>
    </div>

    <h3>Graceful Shutdown</h3>
    <p>When your server receives a shutdown signal (deploy, scale-down, crash recovery), it should not just die. It should stop accepting new requests, wait for in-flight requests to finish, close database connections, and then exit cleanly.</p>

    <div class="example-box">
      <div class="label">Graceful Shutdown in Node.js</div>
<pre><code><span class="lang-label">JavaScript</span>
const http = require("http");

const server = http.createServer(app);
const connections = new Set();

server.on("connection", (conn) => {
  connections.add(conn);
  conn.on("close", () => connections.delete(conn));
});

function gracefulShutdown(signal) {
  console.log(`\n${signal} received. Starting graceful shutdown...`);

  // Step 1: Stop accepting new connections
  server.close(() => {
    console.log("All connections closed. Exiting.");
    process.exit(0);
  });

  // Step 2: Close idle keep-alive connections
  for (const conn of connections) {
    conn.end();
  }

  // Step 3: Force exit after 30 seconds if shutdown hangs
  setTimeout(() => {
    console.error("Forced shutdown after timeout.");
    process.exit(1);
  }, 30000);
}

// Catch termination signals
process.on("SIGTERM", () => gracefulShutdown("SIGTERM"));
process.on("SIGINT", () => gracefulShutdown("SIGINT"));

server.listen(3000, () => console.log("Server on :3000"));</code></pre>
    </div>

    <div class="example-box">
      <div class="label">Graceful Shutdown in Go</div>
<pre><code><span class="lang-label">Go</span>
package main

import (
    "context"
    "fmt"
    "net/http"
    "os"
    "os/signal"
    "syscall"
    "time"
)

func main() {
    mux := http.NewServeMux()
    mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
        time.Sleep(2 * time.Second) // Simulate work
        w.Write([]byte("Hello!"))
    })

    server := &amp;http.Server{Addr: ":8080", Handler: mux}

    // Start server in a goroutine
    go func() {
        fmt.Println("Server listening on :8080")
        if err := server.ListenAndServe(); err != http.ErrServerClosed {
            fmt.Printf("Server error: %v\n", err)
        }
    }()

    // Wait for shutdown signal
    quit := make(chan os.Signal, 1)
    signal.Notify(quit, syscall.SIGTERM, syscall.SIGINT)
    sig := &lt;-quit
    fmt.Printf("\n%v received. Shutting down gracefully...\n", sig)

    // Give in-flight requests 30 seconds to complete
    ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
    defer cancel()

    if err := server.Shutdown(ctx); err != nil {
        fmt.Printf("Forced shutdown: %v\n", err)
    }

    fmt.Println("Server exited cleanly.")
}</code></pre>
    </div>

    <div class="warning-box">
      <div class="label">Why Graceful Shutdown Matters in Production</div>
      <p>Without graceful shutdown, deploying a new version kills in-flight requests. Users see errors. Database transactions are left incomplete. WebSocket connections drop with no explanation. Kubernetes sends SIGTERM before killing a pod -- your app must handle it.</p>
    </div>

    <h3>Health Check &amp; Readiness Endpoints</h3>
    <p>Load balancers and orchestrators (Kubernetes) need to know: Is this server alive? Can it handle traffic? These two questions have different answers.</p>

    <div class="example-box">
      <div class="label">Health and Readiness in Node.js</div>
<pre><code><span class="lang-label">JavaScript</span>
let isReady = false;

// /health -- Is the process alive? (liveness probe)
// If this fails, Kubernetes restarts the pod.
app.get("/health", (req, res) => {
  res.status(200).json({ status: "alive" });
});

// /ready -- Can it serve traffic? (readiness probe)
// If this fails, Kubernetes stops sending traffic to this pod.
app.get("/ready", async (req, res) => {
  try {
    // Check database connection
    await pool.query("SELECT 1");

    // Check Redis connection
    await redis.ping();

    // Check any other critical dependencies
    res.status(200).json({
      status: "ready",
      checks: {
        database: "connected",
        redis: "connected",
      },
    });
  } catch (err) {
    res.status(503).json({
      status: "not ready",
      error: err.message,
    });
  }
});

// Mark as ready after initialization is complete
async function startServer() {
  await pool.connect();
  await redis.connect();
  isReady = true;
  console.log("Server is ready to accept traffic");
}</code></pre>
    </div>

    <div class="example-box">
      <div class="label">Health and Readiness in Go</div>
<pre><code><span class="lang-label">Go</span>
package main

import (
    "encoding/json"
    "net/http"
)

func healthHandler(w http.ResponseWriter, r *http.Request) {
    w.Header().Set("Content-Type", "application/json")
    json.NewEncoder(w).Encode(map[string]string{
        "status": "alive",
    })
}

func readyHandler(db *sql.DB, redisClient *redis.Client) http.HandlerFunc {
    return func(w http.ResponseWriter, r *http.Request) {
        w.Header().Set("Content-Type", "application/json")

        // Check database
        if err := db.Ping(); err != nil {
            w.WriteHeader(http.StatusServiceUnavailable)
            json.NewEncoder(w).Encode(map[string]string{
                "status": "not ready",
                "error":  "database: " + err.Error(),
            })
            return
        }

        // Check Redis
        if err := redisClient.Ping(r.Context()).Err(); err != nil {
            w.WriteHeader(http.StatusServiceUnavailable)
            json.NewEncoder(w).Encode(map[string]string{
                "status": "not ready",
                "error":  "redis: " + err.Error(),
            })
            return
        }

        json.NewEncoder(w).Encode(map[string]string{
            "status": "ready",
        })
    }
}

func main() {
    http.HandleFunc("/health", healthHandler)
    http.HandleFunc("/ready", readyHandler(db, redisClient))
    http.ListenAndServe(":8080", nil)
}</code></pre>
    </div>

    <div class="tip-box">
      <div class="label">Liveness vs Readiness -- The Kubernetes Connection</div>
      <ul>
        <li><strong>Liveness probe (<code>/health</code>):</strong> "Is the process alive?" If this fails repeatedly, Kubernetes <strong>restarts</strong> the pod. Keep this check lightweight -- just return 200.</li>
        <li><strong>Readiness probe (<code>/ready</code>):</strong> "Can it handle traffic?" If this fails, Kubernetes <strong>removes the pod from the service load balancer</strong> but does NOT restart it. The pod stays alive, waiting for dependencies to recover.</li>
        <li><strong>Example scenario:</strong> Your app starts, but the database is still booting. Liveness passes (process is alive), readiness fails (database not connected). Kubernetes waits, no traffic is sent. Once the database connects, readiness passes, traffic flows.</li>
      </ul>
    </div>
  </section>


</div><!-- end .container -->

<!-- ===== FOOTER ===== -->
<footer>
  <p>MathPath -- Learn mathematics from the ground up.</p>
  <p><a href="index.html">Back to Home</a></p>
    <p style="margin-top: 1rem; font-size: 0.85rem;"><a href="https://github.com/pythonwithsean/BetterDev/blob/main/backend.html" target="_blank" rel="noopener noreferrer" class="edit-link">Edit this page on GitHub <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" style="vertical-align: middle; margin-left: 2px;"><path d="M18 13v6a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2V8a2 2 0 0 1 2-2h6"></path><polyline points="15 3 21 3 21 9"></polyline><line x1="10" y1="14" x2="21" y2="3"></line></svg></a></p>
</footer>

<script>
(function(){
  var sidebar=document.querySelector('.sidebar');
  var backdrop=document.querySelector('.sidebar-backdrop');
  var toggleBtn=document.querySelector('.sidebar-toggle');
  var closeBtn=document.querySelector('.sidebar-close');

  function openSidebar(){
    sidebar.classList.add('open');
    backdrop.classList.add('visible');
    document.body.classList.add('sidebar-open');
    toggleBtn.setAttribute('aria-expanded','true');
    var si=sidebar.querySelector('.sidebar-search-input');
    if(si)si.focus();
  }
  function closeSidebar(){
    sidebar.classList.remove('open');
    backdrop.classList.remove('visible');
    document.body.classList.remove('sidebar-open');
    toggleBtn.setAttribute('aria-expanded','false');
  }
  if(toggleBtn)toggleBtn.addEventListener('click',function(){
    sidebar.classList.contains('open')?closeSidebar():openSidebar();
  });
  if(closeBtn)closeBtn.addEventListener('click',closeSidebar);
  if(backdrop)backdrop.addEventListener('click',closeSidebar);
  document.addEventListener('keydown',function(e){
    if(e.key==='Escape'&&sidebar.classList.contains('open'))closeSidebar();
  });

  // Active page detection
  var currentPage=window.location.pathname.split('/').pop()||'index.html';
  var navLinks=document.querySelectorAll('.sidebar-nav a');
  for(var i=0;i<navLinks.length;i++){
    if(navLinks[i].getAttribute('href')===currentPage)navLinks[i].classList.add('active');
  }

  // Search
  var input=document.querySelector('.sidebar-search-input');
  var box=document.querySelector('.sidebar-search-results');
  if(!input||!box)return;
  var links=[].slice.call(document.querySelectorAll('.sidebar-nav a'));
  var topics=links.map(function(a){return{text:a.textContent.trim(),href:a.getAttribute('href')};});
  var idx=-1;
  function render(q){
    if(!q){box.classList.remove('visible');box.innerHTML='';idx=-1;return;}
    var lc=q.toLowerCase();
    var matches=topics.filter(function(t){return t.text.toLowerCase().indexOf(lc)!==-1;});
    if(matches.length===0){box.innerHTML='<div class="no-results">No topics found</div>';box.classList.add('visible');idx=-1;return;}
    box.innerHTML=matches.map(function(m){return'<a href="'+m.href+'">'+m.text+'</a>';}).join('');
    box.classList.add('visible');
    idx=-1;
  }
  function highlight(items){
    for(var i=0;i<items.length;i++){items[i].classList.toggle('highlighted',i===idx);}
  }
  input.addEventListener('input',function(){render(this.value);});
  input.addEventListener('keydown',function(e){
    var items=box.querySelectorAll('a');
    if(!items.length)return;
    if(e.key==='ArrowDown'){e.preventDefault();idx=Math.min(idx+1,items.length-1);highlight(items);items[idx].scrollIntoView({block:'nearest'});}
    else if(e.key==='ArrowUp'){e.preventDefault();idx=Math.max(idx-1,0);highlight(items);items[idx].scrollIntoView({block:'nearest'});}
    else if(e.key==='Enter'&&idx>=0){e.preventDefault();items[idx].click();}
  });
  input.addEventListener('blur',function(){setTimeout(function(){box.classList.remove('visible');idx=-1;},200);});
  input.addEventListener('focus',function(){if(this.value)render(this.value);});
})();
</script>
</body>
</html>