The Nodewood API is an Express server that automatically loads Controllers in enabled features. It connects to a PostgreSQL database server for storage and can be configured to use a variety of mailing services.

To launch the Nodewood API in development mode, connect to the Nodewood development VM (nodewood vm from the root of your project folder), then cd code to switch to the shared code folder, and nodewood dev api to launch the API.

# Configuration

The following files are located in wood/config, but can be overridden by creating identically-named entries in app/config. The options below are not exhaustive, but cover the options in these files that apply to the API.

As these files can be included in the UI as well, no secrets should be kept in them, only configuration details.

# app.js

This file contains general configuration details for your app.

  • name: This is the name that is used by default for the title of your pages and in emails.
  • url: This is the base URL for your app that is used when sending emails that link back to your app.
  • email: This is the email address that emails will be sent from.
  • features: This is the list of enabled features. Features appearing in this list and located in the app/features folder will be examined for Controllers and have their routes automatically added. Note that this is split into app features (ones that you create) andwood` features (once that come bundled with Nodewood). This allows you to disable Nodewood features should you need or want to.

# security.js

This file contains security configuration details for your app. This file should only contain configuration, not any actual secrets.

  • redactedLoggingPaths: Fields matching this array will be redacted when logging, so things like passwords, security tokens won't be stored in your logs.
  • shouldLogBody: If the body of requests should be logged. This can increase the size of your logs significantly, but can be useful in debugging. Make sure to redact fields you don't want saved in your logs.
  • emailFloodProtectionMinutes: How many minutes to wait between emails that can be triggered from public URLs (password reset, etc) to prevent malicious attackers from flooding a user's inbox.
  • failedLoginMaxAttempts: Maximum number of failed login attempts before a user must enter a cooldown period.
  • failedLoginCooldown: The amount of time a user must "cool down" for before they can attempt to log in again.
  • jwt.issuer: The issuing party for this JWT. This is set by default to your app's project name.
  • jwt.expiryDays: The number of days the JWT is valid for before it expires and the user must log in again.
  • jwt.hashidsMinLength: The user ID in the JWT is hashed using Hashids so that users can't examine your JWT and enumerate your user count. This sets the minimum length of that hash.

# .env

This file is actually located in the root of your project and is where secrets should be kept.

  • DB_HOST: The IP address or URL of the database server. (e.g. '')
  • DB_PORT: The port of the database server. (e.g. '5432')
  • DB_DB: The name of your database. (e.g. 'nodewood')
  • DB_USER: The username that is authenticated to connect to your database. (e.g. 'nodewood_user')
  • DB_PASS: The password for the provided username. (e.g. 'god')
  • LOG_LEVEL: The minimum logging level to trigger logs to be written. (e.g. 'info')
  • JWT_SECRET: The secret used to create JWTs for users. (e.g. 'jwtSecret')
  • JWT_HASHID_SALT: The salt to use to hash the user ID contained in the JWT. (e.g. 'jwtHashidSalt')
  • JWT_GLOBAL_SERIES: The global JWT series. Increment this number to invalidate all JWTs for every user. (e.g. '1')
  • PASSWORD_SALT_ROUNDS: The number of rounds used to salt the user's password hash. Higher numbers are more secure, but take longer.