
Hoodie – Fast web app development - madhukarah
http://hood.ie/
======
primitivesuave
Giving full email privileges to the client is a terrible idea. Even if you do
rate limiting, you're essentially allowing anyone to get your mail server(s)
blacklisted and all future mail from anyone marked as spam.

In general, most people would be naturally apprehensive about federating their
entire user authentication system through a third party. However, I suppose
that by using hoodie you are supporting a group of people whose only job is to
ensure security and fix vulnerabilities in your login system. It's also open-
source, so you can vet it for yourself.

The JS library needs more work though - I could think of several basic use
cases that it can't handle. It would also be great to see some full examples.
Overall this is very cool stuff.

~~~
gr2m
Hoodie doesn't provide any email privileges in its core. There is an email
plugin that does that, but it's just a showcase and we would not recommend to
use that in a production app. The plugin is maybe 10 lines of code, you can
easily use that as base and put all the security in it that you would do in a
REST API as well.

I'd also be very interested in your basic use cases that you think Hoodie
couldn't handle. It would certainly be great input for the project.

~~~
mcguire
" _There is an email plugin that does that, but it's just a showcase and we
would not recommend to use that in a production app._"

You do realize that by putting it in your documentation, you're _encouraging
people to use it_.

~~~
janl
We also encourage people not to use Hoodie in production, yet :)

What @gr2m means: there is no reason Hoodie’s mail feature would work any
differently from a traditional web app. At some point a server side will
validate a client request, and if valid, translate that into sending an email
(Gmail comes to mind). Hoodie’s email plugin can do exactly that, except that
today’s implementation is a mere sketch of that, like other parts of Hoodie,
that show what can be done, but aren’t hardened against production use, yet.
None of that means though that Hoodie behaves any differently from a
security/abuse/DoS perspective than any other web app :)
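
As an added illustration (not Hoodie's email plugin and not code from anyone in this thread), here is the kind of server-side gate the reply above describes: a Node handler that accepts a client-submitted "send email" intent only after checking the session, pinning the recipient to the account's own verified address, restricting content to server-owned templates, and rate-limiting per user. The handler name, the intent document shape, the template set and the limits are all assumptions made for the example; the point is that none of these checks live in the browser.

```javascript
// Added example, not Hoodie's own plugin code. handleEmailIntent, RateLimiter,
// the intent shape { userId, to, template, params } and the limits are assumptions.

// Sliding-window limiter keyed by user id. The state lives on the server, so a
// client cannot raise its own quota by editing JavaScript in the browser.
class RateLimiter {
  constructor(maxPerWindow, windowMs) {
    this.maxPerWindow = maxPerWindow;
    this.windowMs = windowMs;
    this.hits = new Map(); // userId -> timestamps (ms) of accepted sends
  }

  allow(userId, now) {
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(userId) || []).filter((t) => t > cutoff);
    if (recent.length >= this.maxPerWindow) {
      this.hits.set(userId, recent);
      return false;
    }
    recent.push(now);
    this.hits.set(userId, recent);
    return true;
  }
}

// Only server-owned templates can be sent. The client picks a template and
// supplies bounded parameters; it never controls From, Subject or the full body.
const TEMPLATES = {
  password_reset: (p) => ({
    subject: 'Reset your password',
    body: `Use this link to reset your password: ${p.resetUrl}`,
  }),
  welcome: (p) => ({
    subject: 'Welcome',
    body: `Hi ${p.displayName}, your account is ready.`,
  }),
};

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

function handleEmailIntent(intent, session, limiter, transport, now = Date.now()) {
  // 1. The intent must come from the signed-in user it claims to be from.
  if (!session || !session.userId || intent.userId !== session.userId) {
    return { ok: false, reason: 'not-authenticated' };
  }
  // 2. Recipient is pinned to the account's verified address, so the app cannot
  //    be used as an open relay and get the mail server blacklisted.
  if (typeof intent.to !== 'string' || !EMAIL_RE.test(intent.to) ||
      intent.to.toLowerCase() !== session.verifiedEmail.toLowerCase()) {
    return { ok: false, reason: 'recipient-not-allowed' };
  }
  // 3. Template must exist; parameters are short plain strings without CR/LF.
  const render = TEMPLATES[intent.template];
  if (!render) return { ok: false, reason: 'unknown-template' };
  const params = intent.params || {};
  for (const [k, v] of Object.entries(params)) {
    if (typeof v !== 'string' || v.length > 512 || /[\r\n]/.test(v)) {
      return { ok: false, reason: `bad-param:${k}` };
    }
  }
  // 4. Per-user rate limit, enforced here and not in the client.
  if (!limiter.allow(session.userId, now)) {
    return { ok: false, reason: 'rate-limited' };
  }
  const { subject, body } = render(params);
  transport.send({ from: 'noreply@example.com', to: intent.to, subject, body });
  return { ok: true };
}

// Constructed sample run: transport is a stub that records what would be sent.
function demo() {
  const sent = [];
  const transport = { send: (m) => sent.push(m) };
  const limiter = new RateLimiter(2, 60000); // two sends per minute per user
  const session = { userId: 'u1', verifiedEmail: 'alice@example.com' };
  const base = { userId: 'u1', to: 'alice@example.com', template: 'welcome',
                 params: { displayName: 'Alice' } };
  const results = [
    handleEmailIntent(base, session, limiter, transport, 1000),                           // sent
    handleEmailIntent({ ...base, to: 'victim@example.org' }, session, limiter, transport, 1001), // relay attempt
    handleEmailIntent({ ...base, params: { displayName: 'x\r\nBcc: spam@example.org' } },
                      session, limiter, transport, 1002),                                // injection attempt
    handleEmailIntent(base, session, limiter, transport, 1003),                           // sent
    handleEmailIntent(base, session, limiter, transport, 1004),                           // third in window
  ];
  return { results, sent };
}
```

Rejected intents do not consume quota, so an attacker probing the recipient check cannot lock a legitimate user out of their own password-reset mail.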

~~~
HackinOut
Thanks for confirming my crosspost :) However, as I was just saying, wouldn't
it be nice to clearly see that we're talking 0.x directly on the website and
not only when we install the npm package?

EDIT: Thanks for your answer, I am going to stop crossposting now :D

------
egeozcan
If you wonder how the synchronization works, it's currently using a custom
solution which is built on top of local storage. However it seems[0] that they
are planning to switch to the awesome Pouchdb[1].

[0]:
[https://github.com/hoodiehq/hoodie.js/issues/8](https://github.com/hoodiehq/hoodie.js/issues/8)

[1]: [http://pouchdb.com/](http://pouchdb.com/)

~~~
skybrian
I looked at pouchdb's website and there's a lot about browser support but I
didn't see any docs about the data model. It seems you're expected to know how
CouchDB works?

~~~
janl
Yeah, it’s a document database, uses UUIDs and revisions for identification
and does HTTP-based P2P replication. In Hoodie we abstract that away in a
simple to use `hoodie.store` object with the usual `add()`, `update()`,
`find()`, `findAll()` methods for operations. No need to know about the
CouchDB/PouchDB specifics, just store your objects :)

~~~
skybrian
Okay, but the key design decision in any data syncing library is how it
resolves update conflicts. Is it last-one-wins, report an error and try again,
diff merging, or maybe some kind of operational transform?

Since that's the heart of the problem being solved, it's weird when the docs
leave it out.

~~~
janl
Excellent point. We will make this more clear.

Conflicts are detected for you, like in version control systems. You need to
resolve them yourself, or you can implement a server-wins/client-wins/last-write-wins
scenario, if you want to.
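
To make the answer above concrete, here is an added example (not Hoodie's or PouchDB's code) of a minimal revision-tracked store: a client change carries the server revision it was based on, the store detects a conflict when that base is no longer current, and the caller either gets the conflict reported or supplies a resolver implementing server-wins, client-wins, last-write-wins, or a custom merge. RevStore, the "N-hash" rev format, the resolver names and the scenario data are assumptions made for the example.

```javascript
// Added example, not code from Hoodie or PouchDB. RevStore, makeRev, the
// resolvers and the sample documents are assumptions for illustration.

// Deterministic djb2-style hash so revision ids are reproducible offline.
function hashStr(s) {
  let h = 5381;
  for (let i = 0; i < s.length; i++) h = ((h * 33) ^ s.charCodeAt(i)) >>> 0;
  return h.toString(16).padStart(8, '0');
}

// CouchDB-style "N-hash" revision: a generation counter plus a content hash.
function makeRev(prevRev, data) {
  const gen = prevRev ? parseInt(prevRev.split('-')[0], 10) : 0;
  return `${gen + 1}-${hashStr(JSON.stringify(data))}`;
}

class RevStore {
  constructor() { this.docs = new Map(); }

  // Write `data` as the successor of `prevRev`, the revision the writer last saw.
  commit(id, prevRev, data, updatedAt) {
    const doc = { id, rev: makeRev(prevRev, data), data, updatedAt };
    this.docs.set(id, doc);
    return doc;
  }

  find(id) { return this.docs.get(id) || null; }

  // Apply a client change { id, base, data, updatedAt }, where `base` is the
  // server revision the client's edit was made against.
  sync(change, resolve) {
    const current = this.find(change.id);
    const currentRev = current ? current.rev : null;
    if (change.base === currentRev) {
      return { status: 'applied',
               doc: this.commit(change.id, currentRev, change.data, change.updatedAt) };
    }
    // Someone else committed after the client's base: a conflict, reported to
    // the caller the way a version control system reports a merge conflict.
    if (!resolve) return { status: 'conflict', server: current, client: change };
    const winner = resolve(current, change);
    if (winner === null) return { status: 'resolved', doc: current }; // keep server copy
    return { status: 'resolved',
             doc: this.commit(change.id, currentRev, winner.data, winner.updatedAt) };
  }
}

// A resolver returns the { data, updatedAt } to commit, or null to keep the server copy.
const resolvers = {
  serverWins: () => null,
  clientWins: (server, client) => client,
  lastWriteWins: (server, client) => (client.updatedAt > server.updatedAt ? client : null),
  // "Resolve it yourself": take the newer title, but union the tag lists so
  // neither side's additions are silently dropped.
  mergeTags: (server, client) => {
    const newer = client.updatedAt > server.updatedAt ? client : server;
    return {
      data: { ...newer.data, tags: [...new Set([...server.data.tags, ...client.data.tags])] },
      updatedAt: Math.max(server.updatedAt, client.updatedAt),
    };
  },
};

// Constructed scenario: two clients edit the same document starting from revision 1.
function demo(strategy) {
  const store = new RevStore();
  const r1 = store.commit('note:1', null, { title: 'draft', tags: ['x'] }, 100);
  // Another client, online, commits revision 2 first.
  store.commit('note:1', r1.rev, { title: 'final', tags: ['x', 'y'] }, 200);
  // Our client was offline; its edit is based on r1 and carries an earlier timestamp.
  const change = { id: 'note:1', base: r1.rev,
                   data: { title: 'draft', tags: ['x', 'z'] }, updatedAt: 150 };
  return store.sync(change, strategy);
}
```

Note that last-write-wins trusts client clocks, which an offline device can have wrong; a server-assigned receive time is the safer tiebreaker if you go that route.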

------
preek
I know @gr2m, one of the guys behind Hoodie - he's one of the most awesome and
holistic engineers I have met in my professional career! Also he's a regular
speaker at conferences and devoting his time for charitable work.

If you don't have a backend ninja in your dev team, you should take a serious
look into Hoodie!

~~~
da02
Would you happen to know if there are any videos of his talks online?

~~~
preek
There are probably videos. However, I do not have links.

But he was one of the speakers at re:publica[1] two weeks ago in Berlin as
well as one of the moderators of the Global Innovation Lounge that was
streamed by voicerepublic[2].

1\. [http://re-publica.de/user/2037/event/1](http://re-publica.de/user/2037/event/1)

2\. [https://voicerepublic.com/venues/196#archived-talks](https://voicerepublic.com/venues/196#archived-talks)

------
cmelbye
Broken back button, bleh.

~~~
josefresco
And you thought you were just scrolling... turns out you were navigating.

~~~
drcode
I wish we could stop calling things "broken" just because they work in a way
that's well thought out but unconventional. How are we ever going to make
progress on UI design if everyone immediately gets chastised for deviating
from more orthodox web behavior by even the slightest amount?

EDIT: lbarrow is correct that the hash tag navigation is borked. I thought
people were just complaining about navigation to a previous site on the same
tab. I stand corrected, I fully agree it's broken.

~~~
lbarrow
This is clearly broken. You can't go back beyond the first part of the page
you looked at. It doesn't work.

~~~
drcode
OK, I stand corrected, after further testing I agree the inter-page navigation
doesn't work right.

------
janl
Team Hoodie here. Happy to answer any questions you might have :)

~~~
talideon
How exactly did you convince the IEDR to let you have hood.ie?

~~~
conoro
Well given that one of the hood.ie developers is called Caolan McMahon, I'm
guessing there's an Irish granny involved somewhere ;-)

~~~
talideon
I was thinking that initially, but it looks to be a proxy registration with
somebody else acting as the domain holder. The domain holder is 'Paul
Campbell', who registered under the category "Discretionary Name" as a Sole
Trader. I'm guessing there were some little fibs used to get the registration
past the hostmasters... :-)

------
billyhoffman
So let's just deliver all our business logic as JavaScript to an entirely
untrustworthy client! Whats the worst that could happen?

~~~
janl
Hoodie works no different than Gmail. What’s the worst that can happen there?

~~~
billyhoffman
Well you sure as shit aren't going to see "hoodie.account.signUp(username,
password);" in Gmail's client-side code.

Gmail's code base is not a "offline first, mobile first" platform. The API
that is exposed to the client-side is fairly light (watch the traffic).

I highly suggest you research "business logic flaws" in web apps. Anything
Jeremiah Grossman has said on this topic is good stuff.

~~~
pokstad
Can you give an example for why that signup code is bad? In the case that I'm
using Hoodie with CouchDB, wouldn't Hoodie just AJAX post a user document to
the CouchDB _users database (which is a good implementation)? All of the
access control would be in the hands of the server with minimal (if any at
all) security logic in the front end.
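
An added example (not Hoodie's account code) of the point in play here: whatever `signUp(username, password)` does in the browser, the server has to validate the request itself before anything is written to CouchDB's `_users` database. CouchDB's `_users` database does have built-in validation that stops non-admin users from setting `roles`, but the application server should reject such input up front rather than rely on the database alone. `validateSignup`, the username and password policy and the list of server-owned fields are assumptions for the example.

```javascript
// Added example, not Hoodie's code. validateSignup, USERNAME_RE and the policy
// thresholds are assumptions; the _users document fields are CouchDB's.

const USERNAME_RE = /^[a-z0-9][a-z0-9._-]{2,31}$/;

// input: whatever the client POSTed; existingUsernames: server-side lookup.
function validateSignup(input, existingUsernames) {
  const errors = [];
  const username = typeof input.username === 'string' ? input.username.trim().toLowerCase() : '';
  const password = typeof input.password === 'string' ? input.password : '';

  if (!USERNAME_RE.test(username)) errors.push('username: 3-32 chars, [a-z0-9._-], alphanumeric first');
  if (password.length < 12) errors.push('password: at least 12 characters');
  if (username && password.toLowerCase().includes(username)) errors.push('password: must not contain the username');
  if (existingUsernames.has(username)) errors.push('username: already taken');

  // Privilege escalation guard: a client must never set roles, type or the
  // credential fields CouchDB derives itself. Reject instead of silently
  // stripping, so the attempt shows up in logs.
  for (const key of ['roles', 'type', '_id', '_rev', 'password_scheme', 'derived_key',
                     'salt', 'iterations', 'password_sha']) {
    if (key in input) errors.push(`field not allowed from client: ${key}`);
  }
  if (errors.length) return { ok: false, errors };

  // Build the _users document on the server. CouchDB hashes the plaintext
  // `password` field on write; roles start empty and are granted by an admin.
  return {
    ok: true,
    doc: {
      _id: `org.couchdb.user:${username}`,
      name: username,
      type: 'user',
      roles: [],
      password,
    },
  };
}

// Constructed sample requests: a normal signup, a role escalation attempt,
// and a weak/duplicate one.
function demo() {
  const taken = new Set(['bob']);
  return {
    good: validateSignup({ username: 'Alice', password: 'correct horse battery' }, taken),
    escalate: validateSignup({ username: 'mallory', password: 'a long enough passphrase',
                               roles: ['_admin'] }, taken),
    weak: validateSignup({ username: 'bob', password: 'bob12345' }, taken),
  };
}
```

The shape of the client call tells an attacker nothing useful as long as the server rebuilds the document from validated fields; what matters is that the server, not the browser, decides `roles` and `_id`.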

------
auvrw
looks cool on several levels: empowering people to build the things they want
w/o being "1337", volunteer driven, a "noBackend"/"One Backend Per User"
([http://www.infoq.com/presentations/private-backend](http://www.infoq.com/presentations/private-backend)) default for a
freer internet, and named after one of the most versatile articles of clothing
ever invented.

the hoodie-server repo clocks in at just under 3k lines of javascript, though.
i mean, there are a bunch of plugins, and wc is far from the best metric, but
it's the only one that i've time for while this is still near the top of the
list, so i'll just ask:

is this whole project to be viewed more as kick-ass-but-still-in-progress
codebase or more like a socio-political statement about what happens when you
make creating a single user's experience the priority (vs. trying to roll out
an app that could scale your user base while still managing to own all their
data)?

anyway, it seems like some of each.

~~~
janl
You basically nailed it :) — Hoodie is probably further along than it might
seem. The team has been working on earlier iterations of this for nearly a
decade now, and we have learned a lot along the way, allowing us to be very
concise this time around. In addition, we have chosen a few powerful
abstractions to make the actual implementation rather tiny.

That said, there is lots of work to be done, to make it, say, Rails, or
Django-grade production ready, but the rough sketches are there and we are
comfortable running a production app since December 2013, and we are working
with a bunch of clients on their products, that we are comfortable with
putting our reputation on the line for.

After 1.0 (we are pre), we want to be very explicit with the different levels
of stability and maturity we ascribe to all parts of the system and the whole
release overall. Our current production app handles 10k registered users on a
small VPS without much sweat, so anywhere in that order of magnitude, with
similar usage patterns, we think Hoodie rocks the real-world, but if you are
significantly diverging from this, we want to be careful and only recommend
others to rely on Hoodie, when we have reasonable first or second hand
experience of similar scale and use.

As for the socio-political statement: that’s definitely a big part of our
motivation. We want to write and spread a story that isn’t the usual idea-vc-
flip-sunset / abuse-overworking-cheating horror stories. And freeing data and
empowering users is a future we want to see, so we are building it :)

------
sergiotapia
>It took less than 15 minutes for a person with no experience in any part of
the stack to take an existing single user app and make it a multi-user
application with robust security and data storage. […] Bravo, hood.ie, brav-fucking-o.

I find that extremely hard to believe.

~~~
themodelplumber
>brav-fucking-o

I would have left that part out. Partly because it doesn't really roll off the
tongue well, and partly because it comes across as hubris.

~~~
quarterto
[http://www.xkcd.com/1290/](http://www.xkcd.com/1290/)

~~~
8ig8
Wow, there really is a relevant xkcd for everything.

------
hammadfauz
I didn't realize there was a name for it. Nobackend. catchy. I use
SharePoint server as a nobackend solution. All the apps I write are client-
side JavaScript. User profiles, permissions, and authentication are left to
SharePoint to deal with. I create lists, query and update them via web
services provided out of the box. Even search is provided by a web service, so
I don't have to worry about indexing content. All I have to do is build user-
centric clients for dealing with the data. It's brilliant.

Hoodie sounds like a great generalization for that, in a public/non-corporate
domain. Plus it has events for displaying data changes immediately. What's not
to like?

------
owenwil
We're working on a similar no-backend product called Hoist that does most of
what Hoodie is but is a hosted solution. We do all the 'server' work so you
can just build your app. We provide API's for everything from Data management
(just post and get JSON) and user management. We're also working on
integrating other cloud company API's so you can quickly get hooked up to them
(and do the auth with tokens) on the server side and then use their API's in a
fully client-side app.

Check it out: [http://hoistapps.com](http://hoistapps.com)

Would love to hear what anyone thinks if you give it a go. I can be emailed on
ow@hoistapps.com

~~~
barce
Hood.ie is open source, and your code is not. Any chance you can open source
your code?

~~~
owenwil
Our client library is entirely open source, but our platform itself is not as
it's a commercial no-backend offering. This allows us to offer production-
grade hosting for these types of no-backend apps.

~~~
Arkadir
Many companies offer production-grade hosting for open source applications.
The fact that you are keeping your source closed tells me that you are afraid
a competitor (or your clients themselves) could achieve an equivalent quality
of hosting for less than they would pay you. To a customer like me, this is
bad news.

~~~
owenwil
We absolutely think that open sourcing code is important, but not just a giant
lump of all of it; a mountain of code not always useful.

It's still early days for us but we are considering open sourcing reusable
parts of our platform or allowing people to host their own if they wish, but
we haven't yet decided on which we will pursue yet.

------
nailer
Interestingly enough this is a very similar business model to GetAngular,
where AngularJS originated, a few years ago.

[http://web.archive.org/web/20100413141437/http://getangular....](http://web.archive.org/web/20100413141437/http://getangular.com/)

More details: [http://www.niden.net/2009/12/world-with-part-1-reviewhow-
to....](http://www.niden.net/2009/12/world-with-part-1-reviewhow-to.html)

------
lazerwalker
So this appears to essentially be a Parse-like service that's self-hostable?
Interesting.

~~~
gr2m
Exactly. Plus it's self-extendable, too. And expect many hoodie hosting
providers popping up in the future, if you don't want that hassle.

------
runawaybottle
So I'm looking at their "Account" api, and I wonder if something similar like
that exists for node just for the backend.

~~~
LazerBear
Not really the same, but Passport offers easy account authentication.

------
reconbot
Moving from a request based business logic to data based business logic
(processing incoming data, as opposed to processing incoming http requests) is
an interesting shift. Does anyone know what this kind of system is called? I'd
love to do more research.

~~~
janl
Heya @reconbot, I don’t know if this specific system has a name, but it is
something akin to a messaging bus, where clients and servers just exchange
messages, if they have a network connection. Messages can carry raw data (a
user record), or intents (send this email), and both sides agree on what to do
with certain types of messages. Hope this helps! :)

------
hmslydia
How does this compare/contrast to Meteor?

~~~
nailer
Hoodie provides a backend for you, you manage the browser.

Meteor (and Derby etc) is a full stack JS setup, where you manage both the
browser and node.

Both do data sync.

------
smegel
I suppose it's better than "Bro"...

------
twunde
I guess this means that the sample web app no longer breaks if it's kept
running for 15 minutes? Or is that problem still around?

~~~
janl
Not that we are aware of. Could you please open an issue at
[https://github.com/hoodiehq/hoodie-server/issues/new](https://github.com/hoodiehq/hoodie-server/issues/new), and
post your error messages? We're happy to help

------
HackinOut
As discussed before here on hn
([https://news.ycombinator.com/item?id=5514284](https://news.ycombinator.com/item?id=5514284)),
this seems like a great successor (or at least a well-maintained alternative)
to CouchApps and Kanso. I will definitely give it a try once PouchDB becomes
a dependency :)

------
dahjelle
I suspect this is in the documentation, but I'll ask here anyways: what does
Hoodie do with the browser-cached data when a user signs out? Is it entirely
removed from the local machine, or does it persist so the user can login while
the machine is still offline?

(I suspect there is an attack vector there, though I've not looked into it at
all.)

~~~
janl
The default is keeping the data, but app devs can implement a pruning method
as well, to make things suitable for shared browsers and such.

------
coherentpony
I'm not sure if it's just me, but I think this site hijacks my 'back' button.
I'm trying to get a recreate but I'm having some trouble.

Will report back shortly.

------
josephjrobison
Just realized .ie is an excellent TLD for cute website names

~~~
talideon
Less than you might think. It's not a trivial matter to get an .ie domain. The
IEDR's rules make things difficult if you can't either (a) demonstrate a
connection with Ireland the reviewer will accept or (b) demonstrate that you
trade in the Irish market. There are ways around some of their rules, such as
getting a registered business name from the CRO, but it really is a pain in
the backside.

I write this as somebody who works for one of the biggest .ie registrars.

~~~
justincormack
Isn't creating an Irish company relatively easy (if you are in the EU)? I guess
it's a fair amount of work and cost to get a nice name if you don't want a
company...

~~~
talideon
Comparatively speaking, yes, but they're registered in Germany, so that
wouldn't fly. It looks like they used a proxy registrant and some well placed
fibs to acquire the domain name, which is one of the more dicey ways to go
about it as the IEDR aren't afraid to pull registrations.

Much safer and saner is to get a Registered Business Name number from the CRO.
It doesn't cost much, you have it practically forever, and it's possible for
private citizens and foreign corps to get them.

------
fit2rule
Very nice tool, quite convenient .. having just picked up a MeteorJS
requirement for a project, this looks like a nice distraction. ;)

~~~
gr2m
please ping us if you have any questions! twitter.com/hoodiehq

------
sneak
Getting .ie domains is a pain in the ass. Tons of great domain hacks there but
requires a physical presence in Ireland. Good work.

------
alien3d
Nice, but on the website I see only source code, so I'm kind of confused how a
large system can be built fast by a noob.

------
itsbits
I see you can add, update data to the db using javascript...is it using
nodejs?

~~~
janl
End users only ever see JavaScript in the frontend. Some backend heavy lifting
is done in Node and developers can extend that writing plugins in Node as
well.

------
smrtinsert
Seems like I should've seen this on the latest episode of Silicon Valley.

------
mrfusion
Didn't appjet (yc 20xx) try this same idea a few years ago?

~~~
janl
Yeah, it looks like the target audiences squarely overlap.

[https://en.wikipedia.org/wiki/AppJet](https://en.wikipedia.org/wiki/AppJet)
doesn’t look like it had a focus on offline-first. And Hoodie is not a hosted
platform but an Open Source project more akin to Rails.

In addition, Hoodie is not interested in VC and flipping to Google later ;)

------
thomasfromcdnjs
Couldn't find the example link? Is there one?

~~~
janl
There are API samples further down the main page on
[http://hood.ie](http://hood.ie)

[https://github.com/zoePage/hoodie-drawing](https://github.com/zoePage/hoodie-drawing) is an example app.

------
EGreg
You guys should take a look at
[http://github.com/EGreg/Q](http://github.com/EGreg/Q)

Not released yet -- but if someone has PHP / JS / PhoneGap skillz and wants to
work with us, you can be an early member of the community.

~~~
rcsorensen
In case you were unaware, there's a very popular and lovely promises library
for javascript named q.

[https://github.com/kriskowal/q](https://github.com/kriskowal/q)

~~~
EGreg
Yes I am aware of it. I also like it a lot. The Q Platform is able to
interoperate with that Q library as well as with Angular, etc.

There are also several languages named Q. I don't think "Q Platform" is the
same thing as a promises framework. It's not even for Javascript only. So why
downvote the platform because there is something named similar to it?

Another example:
[http://en.wikipedia.org/wiki/X_Window_authorization](http://en.wikipedia.org/wiki/X_Window_authorization)

[https://dev.twitter.com/docs/oauth/xauth](https://dev.twitter.com/docs/oauth/xauth)

[https://www.google.com/support/enterprise/static/postini/doc...](https://www.google.com/support/enterprise/static/postini/docs/admin/en/admin_ee_cu/authen_xauth.html)

