Opinionated Express.js HTTP Server Resource

1.3.0 verified Thu Apr 23 auth: no javascript abandoned

The `resource-http` library provides an opinionated framework for quickly setting up an HTTP server based on Express.js. It bundles common web application functionalities such as static file serving, user sessions, HTTPS/SSL, WebSockets, OAuth authentication (via Passport), view rendering (via the `view` module), i18n support (via `i18n-2`), and body parsing, all configurable through a single options object. Currently at version 1.3.0, the package appears to be unmaintained, with its last publish date in 2014 and explicitly relying on Express 4.x.x, which is a significantly outdated version of Express. Its core value lies in abstracting away individual middleware integrations for rapid prototyping, but its age makes it unsuitable for modern production environments.

Common errors

error TypeError: require is not a function ↓

cause Attempting to use `require()` in an ES Module (ESM) context when `resource-http` is a CommonJS (CJS) module.

fix

Ensure your project is configured for CommonJS (e.g., remove "type": "module" from package.json, or use a transpiler like Babel). If using Node.js, you might need to use a dynamic import import('resource-http') or a CJS wrapper, but this package is too old to guarantee compatibility.

error Error: Can't set headers after they are sent to the client ↓

cause This is a common Express.js error, often indicating that a response was already sent (e.g., `res.send()`, `res.end()`, `res.json()`) before another attempt to modify the headers or send another response was made. This can be more prevalent with older, less robust middleware.

fix

Carefully review your route handlers and middleware to ensure that res.send(), res.end(), or similar response-sending methods are called only once per request-response cycle. Use return after sending a response to prevent further execution in the handler.

error ERR_OSSL_EVP_UNSUPPORTED ↓

cause Occurs with Node.js 17+ when using older OpenSSL features, often triggered by outdated HTTPS/SSL configurations or certificates generated with deprecated algorithms, which this older package might default to or expect.

fix

If this error occurs, try setting NODE_OPTIONS=--openssl-legacy-provider when running Node.js (e.g., NODE_OPTIONS=--openssl-legacy-provider node server.js). This is a temporary workaround; the long-term fix is to update certificates and cryptographic algorithms to modern standards, or, ideally, migrate from this abandoned package.

Warnings

breaking This package is abandoned and has not been updated since 2014. It relies on Express 4.x.x, which is severely outdated and contains numerous known security vulnerabilities. Using this package in any production environment is strongly discouraged due to unpatched security flaws in its core dependencies and the package itself. ↓

fix Migrate to a modern, actively maintained HTTP server framework like Express 5.x.x, Fastify, or Koa, ensuring all dependencies are up to date and regularly patched.

security The `nodeinfo` and `nodeadmin` options (if set to `true`) expose sensitive system information and administrative interfaces via HTTP routes (`/_info`, `/_iadmin`). Enabling these options on an unsecured server creates a critical security vulnerability, allowing unauthorized access to server diagnostics and control. This risk is compounded by the package's abandonment. ↓

fix NEVER enable `nodeinfo` or `nodeadmin` on any server, especially those exposed to the public internet. If this functionality is required, implement robust authentication and authorization layers yourself using a modern framework.

deprecated The package's reliance on Express 4.x.x means it does not support modern Node.js features, ES Modules, or the latest Express API paradigms. Many common middleware and practices have evolved significantly since its last update. ↓

fix Rewrite server logic using a current version of Express (5.x.x) or another framework, adapting to modern patterns and dependency management.

gotcha All third-party dependencies mentioned in the README (e.g., `passport`, `view`, `i18n-2`, `connect-redis`) are likely also outdated and may have their own security vulnerabilities or compatibility issues with newer Node.js versions. These dependencies are not explicitly listed in the `package.json` for `resource-http` itself, meaning you might have to manually install very old, insecure versions. ↓

fix Thoroughly audit and update all transitive dependencies if forced to use this package, or better yet, migrate to a modern solution.

Install

npm install resource-http

yarn add resource-http

pnpm add resource-http

Imports

http
wrong
```
import http from 'resource-http';
```
correct
```
const http = require('resource-http');
```
This package is CommonJS-only and relies on the `require()` syntax. Direct ES Module `import` syntax will not work without a CommonJS-to-ESM wrapper or a custom Node.js loader configuration. The imported `http` object directly exposes the `listen` function and other utilities.
listen
wrong
```
import { listen } from 'resource-http';
```
correct
```
const http = require('resource-http');
http.listen({ port: 8080 }, (err, app) => { /* ... */ });
```
The `listen` function is a property of the main exported `http` object, not a named export. Attempting to destructure it as a named export from an ES Module import will fail due to the package's CJS nature.

app

wrong

const app = require('resource-http').app;

correct

const http = require('resource-http');
http.listen({ port: 8080 }, (err, app) => {
  // `app` is an Express application instance
  app.get('/', (req, res) => res.send('Hello'));
});

The Express `app` instance is exposed via the callback of the `http.listen` function, not directly as an export from the package. It is an instance of an Express 4.x.x application.

Quickstart

This example demonstrates how to initialize and configure an HTTP server using `resource-http`, including basic routing and common options like WebSockets and session management. It creates an Express app instance and attaches a simple GET route.

const http = require('resource-http');
const fs = require('fs');

// all options are optional and will default to a reasonable value if left unset
http.listen({
  port: 8888,
  wss: true, // enables websocket server
  host: 'localhost',
  root: __dirname + "/public",
  view: __dirname + "/view",
  cacheView: true, // caches all local view templates and presenters into memory
  uploads: false,
  https: false, // enables https / ssl, requires key, cert, ca
  autoport: true, // will auto-increment port if port unavailable
  bodyParser: true, // parse incoming body data automatically, disable for streaming
  sslRequired: false, // redirects all http traffic to https
  onlySSL: false, // will only start https server, no http services
  noSession: false, // removes all session handling from server
  nodeinfo: false, // makes /_info route available for node information
  nodeadmin: false, // makes /_iadmin route available for node administration
  // For HTTPS, you would need to provide actual key, cert, and ca files:
  // key: fs.readFileSync(__dirname + "/ssl/server.key").toString(),
  // cert: fs.readFileSync(__dirname + "/ssl/cert.crt").toString(),
  // ca: fs.readFileSync(__dirname + "/ssl/ca.crt").toString(),
  secret: "supersecret", // session password
  redis: { // optional redis store for sessions, requires `connect-redis` package
    host: "0.0.0.0",
    port: 6379,
    password: "foobar" // replace with process.env.REDIS_PASSWORD ?? '' in production
  },
  auth: {
    basicAuth: {
      username: 'admin',
      password: 'admin' // replace with process.env.ADMIN_PASSWORD ?? '' in production
    }
  }
}, function(err, app){
  if (err) {
    console.error('Server failed to start:', err);
    return;
  }
  console.log('Server listening on', app.server.address());
  // from here, app is a regular Express.js server
  app.get('/foo', function (req, res){
    res.end('got /foo');
  });
  app.get('/', function (req, res){
    res.end('Hello from resource-http!');
  });
});