JSONP with Express.js API – cross domain request

The problem:

So you have this awesome API endpoint, but of course it is another domain as the static site.

Web browsers are pretty moody with Cross Domain and there are actually very good security reasons for that, but even using good practices the old Internet Explorer don’t care.

Welcome ancient jsonp techniques!


For some Express.js API running on Node.js and client using jQuery (or something alike)

In your server:

app.get('/my-unique-endpoint', function(req, res, next) {
  var myAwesomeResource = ["hello", "mundo"];
  if (req.query && req.query.callback) {
      // nice to have, but Chrome dont seem to mind either way
      'Access-Control-Allow-Origin': '*',
      // right content type prevent warnings and errors
      'Content-Type': 'text/javascript; charset=UTF-8',
      // optional, this is in seconds, equivalent to 8h
      'Cache-Control': 'public, max-age=28800'
    return res.send(200, "" + req.query.callback + "(" + JSON.stringify(myAwesomeResource) + ");");
  } else {
    return res.send(200, myAwesomeResource);

In the client:

// see the data in your console
$.getJSON("http://myawesomewebsiteurl/my-unique-endpoint?callback=?", function(data){ console.log(data) } )


jsonp is works for GET verb, because it effectively execute the code received as if it was downloading a script.
for the same as above, the source should also be fully trusted!


Testing a Node.js Express API server with Vows (functional)

How to test an API that must be authenticated via session?

vows: plural of vow

Noun: A solemn promise.
Verb: Solemnly promise to do a specified thing: “one fan vowed, “I’ll picket every home game.””.

Oh wait..

Asynchronous behaviour driven development for Node.

I should… test every method I expose to the client..
Since the Vows documentation is very awesome, and I already have another post that explains the strategy used on the API, there is no need to much talk; just not that this code is still very early in maturity.
Straight to current code [ test/api-test-authed.js ]

 * run the site at localhost, port 8010
 * run vows --spec test/api-test-authed.js

var request = require('request'),
    vows = require('vows'),
    assert = require('assert'),
    apiUrl = "http://localhost:8010/",
    cookie = null

var apiTest = {
  general: function( method, url, data, cb ){
    //console.log( 'cb?', cb )
        method: method,
        url: apiUrl+(url||''),
        json: data || {},
        headers: {Cookie: cookie}
      function(req, res){
        cb( res )
  get: function( url, data, cb  ){ apiTest.general( 'GET', url, data, cb    )  },
  post: function( url, data, cb ){ apiTest.general( 'POST', url, data, cb   )  },
  put: function( url, data, cb  ){ apiTest.general( 'PUT', url, data, cb    )  },
  del: function( url, data, cb  ){ apiTest.general( 'DELETE', url, data, cb )  }

function assertStatus(code) {
  return function (res, b, c) {
    assert.equal(res.statusCode, code);

function assertJSONHead(){
  return function(res, b, c ){
    assert.equal( res.headers['content-type'], 'application/json; charset=utf-8' )

function assertValidJSON(){
  return function(res, b ){
    // this can either be a Object or Array
    assert.ok( typeof( res.body ) == 'object' )
    //assert.isObject( res.body)

// TODO include unauthed tests
var suite = vows.describe('API Localhost HTTP Authenticated Tests')

// Very first test!
  "Server should be UP as in: var apiUrl": {
    topic: function(){
      apiTest.get('', {} ,this.callback )

    '/ should repond something' : function(res, b){

  'Authenticate to /login': {
    topic: function(){
          url: "http://localhost:8010/login",
          json: { user:{ username: 'flockin_lab', password: '123456' }}

    'get a valid Cookie': function(req, res, body, err){
        cookie = res.headers['set-cookie'].pop().split(';')[0]
        console.log("GOT COOKIE!", cookie)
      } catch(e){ }

      assert.ok( typeof(cookie) == 'string' && cookie.length > 10 )
  'Users#index': {
    topic: function(){
      apiTest.get('admin/employees', {}, this.callback)
    'should be 200': assertStatus(200),
    'should have JSON header' : assertJSONHead(),
    'body is valid JSON' : assertValidJSON(),

  'Qrcodes#index': {
    topic: function(){
      apiTest.get('admin/qrcodes', {}, this.callback)
    'should be 200': assertStatus(200),
    'should have JSON header' : assertJSONHead(),
    'body is valid JSON' : assertValidJSON(),


//suite.run( )
suite.export( module )

Brief Discussion

This code is still state-of-art,
We depend on the lib ‘request’, which is pretty good,
The server should already be started, since I see no point in having the test being responsible to bring it up and handle it.

Can improve it? Please leave a comment! 🙂

accepts_nested_attributes_for 3.0.5 :reject_if still have gotchas


Nested forms are nasty, but many times, a necessary evil 🙂

Rails tackled it since version 2.3x, when added the ActiveRecord method accepts_nested_attributes_for, main ref here. For its complexity, I believe, it is still hard to master it, and still bugs may happen; this was my lesson.

Ryan Bates, (a ruby hero) has made some screencasts from it, watch part1, part2. Soon after, he and some buds, made a gem for it, targeting Adding and Removing via JavaScript, without harassment. You can find on GitHub, along with the necessary doc.

So, using the gem or not, still there are things to cover over this methods params;

From what I could observe, :reject_if, does not work for ‘rejecting’ a existing record, i.e.: those that have ID. But, it is called for those too! – In this topic, (what may be a bug) is that, if the record gets rejected, it does not get updated (it does not go through it’s model’s validations either).

The solution I found was not using :reject_if,  instead, validating whatever I wanted on the nested Model in order to keep dry.

For this scenario, consider the following setup (rails v3.0.5)

class A < ActiveRecord::Base
 has_many :bs
 accepts_nested_attributes_for :bs,
                               :allow_destroy => true
                               #no use. :reject_if => :combo_elem_zero?

 # wont use this function at all
 def combo_elem_zero?( att )
  #att['_destroy'] = '1' # wont work here

  # only useful for new records
  if atribs['id'].blank? && att[:some_atrib].to_f < something_blah

class B < ActiveRecord::Base
 belongs_to :a

 validate :destruction_update # works both for create/update

 def destruction_update
  if self.some_atrib.to_f < something_blah


If on the other hand, you only need to check on the nested new records, :reject_if may do the job.

Migrating from SQLite to Mysql on Rails 3

Common sense on developers use to say: Don’t use sqlite on production, because it sux in performance.

Well, for a system with around 20 users that should be no problem at all in the begin, right? – Right but also Wrong!

I’ve tested using the system on the same settings, but for some reason, after a while the reading on the Database by Rails became very inconsistent. While in console I would find some recently created objects by Rufus Scheduler, the web app would not see then until the server was restarted! Weird results, but a price to pay for not listening the common sense =)

The solution would be to migrate the schema and data to some easy to use Mysql. Schema as widely known is extremely easy to migrate on Rails framework (if used properly).

Searching for solutions for migrating data from different databases may be a pain, but given a great Rails tool it is rather simple! Introducing the gem yaml_db, made by the Heroku people.

As the commands are simple as :dump and :load, I don’t see why go longer in the explanation.

The whole process took less than 2 hours, including a small bug fix in a non-agnostic code =)

At service of BananaBrains, FIRE the social soccer game RPG.

JavaScript Simple String Templating System, Ruby like

Ever wanted to use the beautifulness of the Ruby String template (a.k.a #{}) on JavaScript? Now you can!

  var hero = new Object(); hero.name = 'Conan'; hero.lv = 1;
  S("#{ hero.name } Level Up! He is now Lv:#{ hero.lv+1 } ") // "Conan Level Up! He is now Lv:2 "
  S("Date & Time now: #{ new Date() }") // "Date & Time now: Sat Nov 13 2010 19:20:16 GMT-0200 (BRT)"

The source of this goodness you can be found here: FlockonUS-GitHub long with other Utils 🙂

When to use it? It is hard to say that there is a limitation to this function.
In my case, I use it on a WebApp ( that requires JavaScript), to eval the response of Ajax before appending the content to the page.

Rails User Action Logger


The problem: I need to log my user’s actions on the site ( a game) so I can Datamine it later, It is also very desirable to investigate each user individually.

My solution: (still primitive) A ruby lib that is able to accumulate some actions (in a array) and then append it to a log  File. Aafter_filterapplication_controller that auto-logs every action taken. The action can set a custom warn level, and a custom message.

I made a GIST with this. link1 link2

Usage: The usage is actually automatic, but you can custom with 2 options on a Action, Example:

def create
    @user_session = UserSession.new(params[:user_session])
    @bf_errors = 10
    @bf_minutes = 10
    #logger.info ">>>> #{@bfw.to_s}, #{session['create_number']}"
    if @bfw = brute_force_warning
      captcha = verify_recaptcha(:model => @user_session, :message => "Favor digite as letras que aparecem distorcidas")
      if (@bfw == :active && !captcha)
        @warn = 8
        @action_obs = "#{@bf_errors} per #{ @bf_minutes} minutes. Email:#{@user_session.try( :email)}, pass: #{@user_session.try( :password)}. "
        render :action => "login"
        return true

Discussion: I chose JSON for being very extremely easy to parse on JavaScript, which has great Libs for data visualization.
I considered the rails Buffered Logger, Beanstalk and direct File Write, but I believe the method I’m using is way faster than those. My assumption is because all I do is native to Ruby, with minimal memory use, and disc access.

. A plugin that handles this.
. A controller-action-view to visualize this Data =)

LazyLoad on JavaScript Load only once

What? And what’s the point?

On some web pages, the focus is displaying information fast, but also being aware that some actions that rely on a kinda heavy framework such as jQuery/Prototype/Dojo (Ajax+Animations+etc..) may still be done in page by a minority of users.

I believe the use cases of this technique are sparse, but would be around pages focusing Mobile Phones, where the processing and bandwidth are limited and pages that should prioritize very fast loadings.

To solve several browsers implementation for calling for JS after the page is fully loaded I used this library (LazyLoad 2.0) by a great programmer, a non-evil-doer. With this great lib is pretty easy to call a JS (or css for that matter) but is complicated to know when the Framework  you required is already loaded ( in the case that multiple acions may trigger the load)

For this case I developed a sort of proxy-function that should do the job in the following way:

        function load_and_run( callback, arg ){
		if( typeof($) == 'function' ){
			// This means jQuery is loaded
			callback( (typeof( arg ) != 'undefined' ? arg : true))
			LazyLoad.js('/javascripts/jquery-1.4.2.js', function(arg){
			        //as here you can use LazyLoad to require some plugin
				callback( (typeof( arg ) != 'undefined' ? arg : true) );
			}, arg)


The secret sauce there is that I simply verify if the $ ( signature of jQuery, Prototype and others) is already defined, and for that to work I must proxy other actions by load_and_run, as can be seen here:

var spinner = new Image();	spinner.name = "madd-spinner";	spinner.src = "/images/ajax-loader.gif";
	function up_request( id, node ){
		load_and_run( up_request_callback )
		node.parentNode.appendChild( spinner )
	function up_request_callback( id ){
					url: '/ajax/up',

Remember to always give some feedback about the loading process for your user, in my case, I use a spinner gif preloaded.

Lesson learned from building www.gasa.jaeh.net, can be seen on any definition page