Node.js Course in Pune
Express, MongoDB & REST APIs — Backend Development Training

Most Node.js tutorials jump straight to Express without explaining what Node.js actually is or how it works. This leads to developers who can copy code but cannot debug mysterious timing issues, understand why their server crashes under load, or explain their technology choices in interviews. This module fixes that.

The V8 engine: what it is, how it compiles JavaScript to machine code, and why Node.js is faster than most people expect for a dynamically typed language. The libuv library: the C++ library that provides Node.js with its event loop, thread pool, and non-blocking I/O capabilities. The event loop phases in detail: timers (setTimeout, setInterval), pending callbacks, idle and prepare, poll (waiting for I/O), check (setImmediate), and close callbacks. The microtask queue: Promise callbacks and process.nextTick — and why they execute before the next event loop iteration, and why this matters for understanding async ordering. The call stack: how synchronous code executes, what a stack overflow is, and how the event loop interacts with the call stack. Non-blocking I/O demonstration: reading a file synchronously vs asynchronously, and a live experiment showing how Node.js handles 1000 concurrent file reads with a single thread. The Node.js module system: CommonJS (require/module.exports) vs ES Modules (import/export) — why both exist, when to use each, and how to configure a project for ES modules. Core Node.js modules: fs (file system), path, http, https, os, events (the EventEmitter pattern that underpins most of Node.js), stream (readable, writable, duplex, transform), and child_process. npm and package.json: installing packages, semantic versioning, the node_modules folder, package-lock.json, and npm scripts.

Express is deliberately minimal — it provides routing and middleware, and leaves everything else to you. Understanding Express's middleware architecture deeply is what allows you to build Express applications that are secure, maintainable, and extensible rather than a pile of spaghetti code that works on day one and becomes unmaintainable by month three.

Building an HTTP server with the raw Node.js http module first — this is the foundation Express is built on, and understanding it makes Express's abstractions more meaningful. Installing and setting up Express. The request-response cycle in Express: req (the request object — method, URL, headers, body, params, query, cookies, IP), res (the response object — send, json, status, redirect, sendFile, download, cookie, clearCookie), and next (the middleware continuation function). Routing: app.get, app.post, app.put, app.delete, app.patch — defining routes with static and dynamic segments (:id), route parameters and query strings. The Express Router for modular route organisation: splitting routes into separate files by resource (users, products, orders) and mounting them with app.use. Middleware — the most important Express concept: understanding that Express is fundamentally a pipeline of middleware functions, each receiving req, res, and next. Types of middleware: application-level (app.use), router-level, error-handling (4 parameters: err, req, res, next), built-in (express.json, express.urlencoded, express.static), and third-party (morgan for logging, cors, helmet, compression, express-rate-limit). Error handling: creating a global error handler, distinguishing operational errors from programmer errors, and the express-async-errors library for automatic async error forwarding. Response patterns: consistent JSON response format (success, data, message, statusCode), HTTP status codes and when to use each.

MongoDB is the natural database pairing for Node.js — both use JavaScript, both work with JSON-like data structures, and MongoDB's flexible schema makes it ideal for the rapid iteration common in startup and product development environments. Mongoose, the Object Document Mapper (ODM), adds schema enforcement, validation, and a clean API for database operations.

MongoDB concepts: documents (JSON-like objects), collections (groups of documents), databases, the _id field and ObjectId, BSON (Binary JSON — MongoDB's internal storage format), and how MongoDB compares to relational databases. MongoDB Atlas: the cloud-managed MongoDB service used in most production Node.js applications — setting up a free cluster, connection string, network access, and database user configuration. Mongoose setup: connecting to MongoDB Atlas, the connection event and error handling, and the significance of using mongoose.connect at application startup. Schema definition: field types (String, Number, Date, Boolean, ObjectId, Array, Mixed, Map), required fields, default values, enum validation, custom validators, and the select: false option for hiding sensitive fields like passwords in queries. Models: creating models from schemas, understanding the model as the interface to a MongoDB collection. CRUD operations: Model.create, Model.find, Model.findById, Model.findOne, Model.updateOne, Model.updateMany, Model.findByIdAndUpdate (with the new: true option), Model.findByIdAndDelete, and the lean() option for performance. Query operators: comparison ($eq, $ne, $gt, $gte, $lt, $lte, $in, $nin), logical ($and, $or, $not, $nor), element ($exists, $type), and evaluation ($regex). Relationships in MongoDB: embedding documents (for data that is always queried together), referencing with ObjectId (for data that is queried independently), and population with Mongoose's populate() for joining referenced documents. Pagination: implementing skip/limit pagination and cursor-based pagination.

Security is not a feature you add to an API after it is built — it is part of the architecture from the beginning. This module covers authentication and security comprehensively, because insecure APIs in production cause real damage — data breaches, account takeovers, and regulatory consequences that affect companies and their users.

Password hashing with bcrypt: why plain-text and MD5 passwords are never acceptable, how bcrypt's work factor makes brute-force attacks computationally expensive, bcrypt.hash for hashing on registration, and bcrypt.compare for verifying on login. JWT (JSON Web Token) authentication: the three parts of a JWT (header, payload, signature), signing tokens with jsonwebtoken's sign() function (HS256 algorithm), verifying tokens with verify(), token expiry with the expiresIn option, and storing the JWT secret in environment variables. Authentication middleware: a reusable Express middleware that extracts the token from the Authorization header, verifies it, attaches the decoded user to req.user, and calls next() on success or returns 401 on failure. Role-based access control (RBAC): attaching a role field to the user model, a restrictTo() middleware factory that creates middleware restricting access to specific roles, and protecting admin routes. Refresh token pattern: why short-lived access tokens (15 minutes) with long-lived refresh tokens (7 days) are more secure than long-lived access tokens. Cookie-based token storage: httpOnly cookies (inaccessible to JavaScript) vs localStorage — the security tradeoffs. Security best practices: helmet for HTTP security headers (Content-Security-Policy, X-Frame-Options, X-XSS-Protection), cors with whitelist configuration, express-rate-limit for brute-force protection, input sanitisation with express-validator to prevent injection attacks, and parameter pollution protection.

Building a REST API that works is the starting point. Building one that is consistent, predictable, well-documented, and maintainable under a team is the goal. This module covers the design principles and practical capabilities that make a professional-grade API.

REST API design principles: resource naming (nouns not verbs, plural resources, nested resources for relationships), HTTP method semantics, HTTP status code semantics (2xx success, 3xx redirection, 4xx client errors, 5xx server errors), and idempotency. API versioning: URL path versioning (/api/v1), request header versioning, and why versioning matters for backward compatibility. Request validation with express-validator: validating and sanitising input before it reaches your database, checking types, lengths, formats, and custom rules. Consistent error responses: a custom AppError class extending Error, centralised error middleware that converts errors to consistent JSON responses, distinguishing MongoDB errors (CastError for invalid ObjectId, duplicate key error 11000) and sending appropriate status codes. File uploads with Multer: handling multipart/form-data, disk storage vs memory storage, file type filtering, file size limits, and uploading to Cloudinary (the most popular cloud image and file storage service for Node.js). Image processing with Sharp: resizing images before upload, converting to WebP format for smaller file sizes, and generating thumbnails. Email sending with Nodemailer: configuring SMTP transport (Gmail with App Passwords, SendGrid for production), HTML email templates, sending welcome emails, password reset tokens (hashed in database, emailed as raw token), and email verification flows. Environment configuration with dotenv: loading environment variables, separating development and production configuration, and never committing secrets to git.

Basic CRUD covers most use cases. But real applications need analytics, complex data transformations, multi-document transactions, and performance at scale. This module covers the MongoDB and Mongoose features that make the difference between an application that works for 100 users and one that works for 100,000.

The MongoDB Aggregation Pipeline: the most powerful feature of MongoDB for complex data processing. Pipeline stages: $match (filter), $group (aggregate), $project (reshape), $sort, $limit, $skip, $lookup (left join from another collection), $unwind (flatten arrays), $addFields (add computed fields), $bucket (group into ranges), $facet (multiple pipelines in parallel). Aggregation examples from real use cases: calculating average rating per product category, finding the top 10 most purchased products, monthly sales reports, and user cohort analysis. Mongoose aggregate() for running pipelines with full type support. Transactions in MongoDB: the multi-document transaction API (session.startTransaction, session.commitTransaction, session.abortTransaction), and when to use transactions (operations that must succeed or fail together — e.g., transferring credits between accounts). Mongoose middleware (hooks): pre and post hooks on save, findOneAndUpdate, remove, and other operations — used for hashing passwords before save, updating timestamps, and maintaining aggregate data. Virtuals: computed fields that are not stored in the database (fullName from firstName + lastName, age from birthDate). Indexes: creating single and compound indexes, the impact on query performance and write performance, the explain() method for query analysis, and TTL indexes for automatic document expiry (session management, email verification tokens). Mongoose plugins for reusable schema behaviour.

REST APIs are request-response — the client asks, the server responds. But many modern application features need the server to push data to clients unprompted — a new message arriving, a payment succeeding, a bid being outbid, a delivery status updating. Socket.io provides this real-time bidirectional communication using WebSockets with automatic fallback to long-polling for environments where WebSockets are blocked.

WebSocket protocol vs HTTP: the fundamental difference (persistent connection vs request-response), the WebSocket handshake, and why WebSockets are the right tool for real-time features. Socket.io server setup: integrating Socket.io with an Express server (the http.createServer pattern), configuring CORS for Socket.io. Socket.io fundamentals: the connection event, socket.id (unique identifier for each connected client), socket.emit (send to one client), io.emit (broadcast to all clients), socket.to(room).emit (send to room), and socket.broadcast.emit (send to all except sender). Rooms: the mechanism for grouping connections — joining and leaving rooms, emitting to specific rooms, and use cases (chat rooms, game lobbies, user-specific notifications). Authentication with Socket.io: using middleware to verify JWT tokens on the initial connection, attaching the user to the socket object for use in events. Building a complete real-time chat application: user registration and login, personal one-to-one messaging, group chat rooms, online user presence tracking (who is currently connected), typing indicators with debounced emit, message persistence in MongoDB, and message history on room join. Real-time notifications: sending notifications to a specific user when an event affects them (new order, payment received, document shared).

Database queries are the most common performance bottleneck in Node.js applications. Redis — an in-memory data structure store — solves this by caching frequently requested data so that the application can serve it without hitting the database. This module also covers API testing and the production architecture patterns used by Node.js teams at scale.

Redis fundamentals: what Redis is (in-memory key-value store), how it differs from MongoDB (volatile, not primary storage), Redis data structures (strings, hashes, lists, sets, sorted sets), and the most important Redis commands (SET, GET, SETEX, DEL, EXPIRE, TTL, HSET, HGET, LPUSH, SADD). ioredis: the Redis client for Node.js — connecting to Redis (locally and on Redis Cloud), storing and retrieving cached data, and cache invalidation strategies. Implementing a caching middleware for Express: checking if a cached response exists for a route, returning it immediately if found, otherwise proceeding to the controller and caching the response for future requests. Session storage with Redis: storing Express sessions in Redis instead of in-memory (which does not work across multiple server instances). API testing with Jest and Supertest: unit testing service functions with Jest mocks, integration testing Express API endpoints with Supertest (making real HTTP requests to the application without a running server), seeding test data with beforeEach/afterEach, and cleaning up after tests. Test coverage reporting. Production architecture considerations: clustering Node.js with the cluster module to use multiple CPU cores, PM2 for process management and automatic restarts, load balancing concepts, and 12-factor application principles for production-ready Node.js applications.

Knowing how to build a Node.js API is the core skill. Knowing how to ship it to production, keep it running, and explain it to technical interviewers are what complete the picture. This final module covers containerisation, cloud deployment, and targeted interview preparation.

Docker: understanding why containers exist (the it works on my machine problem), the Dockerfile for Node.js applications (choosing the right base image, npm ci vs npm install for production, non-root user for security, EXPOSE and CMD), building and running Docker images, and Docker Compose for running the application with MongoDB and Redis locally as a multi-container setup. Deployment on Render: connecting a GitHub repository, configuring environment variables, and understanding Render's free and paid tiers for Node.js web services. MongoDB Atlas for production database. Redis Cloud for production caching. Environment management: the difference between development, staging, and production environments, and how Node.js applications switch between them with NODE_ENV. Capstone project deployment: the complete application — Express API, MongoDB Atlas, Redis Cloud, Socket.io, file uploads on Cloudinary — deployed and publicly accessible on Render. Node.js backend interview preparation: the most common Node.js interview questions (event loop, callback vs Promise vs async/await, streams, child processes, clustering), Express questions (middleware, error handling, routing), MongoDB questions (indexing, aggregation, when to embed vs reference), JWT questions, and system design basics for Node.js applications. Mock technical interviews. Resume building for backend developer roles.