
Sails.js: Realtime MVC framework for Node.js - iamwil
http://balderdashy.github.com/sails/
======
bunkat
This looks incredibly cool, but if there is one thing that I've learned, it's
that less magic is generally better when building a real production
application (vs a weekend project). While typing something like 'sails
generate model User' is nice, I literally have no idea what that just did. In
the video it then shows a user creating new attributes on the model via a REST
API - what?? (he even mistakenly adds a bad attribute and then proceeds to just
leave it there...).

After working with a few of these frameworks it always seems to lead to
spaghetti code where the code I write weaves in and out of the framework at
different pre-defined connection points (Sails calls them policies I think). I
always take note of all the times the developer says 'automatically', these
are all the places that will break when my requirements don't exactly match up
with theirs.

~~~
sideproject
Couldn't agree more. On a different topic, I've been toying with various JS
MVC frameworks, but a lot of them try to do their "magic" without actually
explaining why the magic is necessary. These so-called "conventions" at times
hide way too many things; it actually makes it frustrating to understand. In
the end, my choice came back to Backbone, which is the minimalistic framework.

Having said that, I'm trying to pick up NodeJS soon, what frameworks would you
recommend to start off with? Express?

~~~
andypants
Yes, express is very simple, and easy to learn and write. It's also the most
popular web framework for node.js.

It's less like rails/django and more like sinatra/flask.

~~~
mikermcneil
Hey guys, I wrote Sails.js. The controllers are just sets of Express
middleware. The reason I did it this way is that I wanted a conventional
abstraction (MVC) without the burden of a new API.

The only real "magic" here is how Sails handles Socket.io requests using the
same controllers. Sails generates req/res objects for socket requests and
allows you to handle WebSocket requests in the same code base as the rest of
your app. If you need to do more custom stuff, you can still directly access
Socket.io through sails.io, and each request object that came from a socket
request contains req.socket, which gets you access to the socket which sent
the message.

------
peter_l_downs
This looks great! The automatic API generation is a killer feature that makes
me want to try this out sometime soon. Only thing that seems strange to me is
adding the <resource>/create, <resource>/update, and <resource>/destroy GET
endpoints -- why not keep it RESTful?

~~~
jonny_eh
I can see the desire to be able to execute non-GET commands via the browser's
address bar. Another way Sails could accomplish that would be to accept
"?method=PUT|POST|DELETE" to mimic the desired HTTP method.

~~~
jkrems
I don't think that solves the underlying problem of side effect-ful/dangerous
GET requests that may be easily exploited via CSRF attacks. You really don't
want to expose POST/PUT/DELETE actions via GET.

~~~
jdavis703
Avoiding GET requests is not a foolproof way to mitigate CSRF. If your
website has just one XSS vulnerability an attacker can send POST requests.
It's much better to use some kind of token that is always sent with your
forms.

~~~
nadaviv
There's nothing stopping anyone from sending POST requests to wherever he
wants, even without an XSS. The same-domain origin policy only forbids you
from reading the response, not from sending the request. CSRF-wise, POST
requests are just as vulnerable as GET requests.

Also, if someone does manage to find an XSS vulnerability, using a CSRF token
won't be any good - the attacker can simply read the token from your website
and use it.

~~~
byroot
No. Before performing a POST/PUT/DELETE or any other method with side effects
to another domain your browser will issue an OPTIONS to get authorization
first and will never perform the request if the server does not authorize it.

Then if your authentication is cookie based and you allow deleting resources
via GET then all the attacker has to do is insert a <script> or <img> tag on
any other domain with the proper src attribute to delete your content
silently.

These endpoints are a VERY bad idea and are absolutely not REST. RESTful does
not mean CRUD.

~~~
nadaviv
`<form>`s are allowed to send POST requests to wherever they want, without any
restrictions. By creating a form that points to another domain, and
automatically submitting it, you can send a POST request to wherever you want
[1].

POST requests can be easily sent cross-domain. NO ONE SHOULD EVER think that
just because he's not using GET requests he's safe from CSRF attacks.

[1] See <http://jsfiddle.net/8xnB3/5/> for example (which sent this comment).

EDIT: Just to clarify - I'm not saying that exposing those endpoints via GET
is a good idea, I think it's horrible. But people should be aware that avoiding
GET does not protect against CSRF, and you still have to use CSRF tokens.

~~~
mikermcneil
Hi nadaviv, if you don't want to expose those endpoints via GET, you don't
have to. Those are set up that way in development so it's much easier to get
started. You have full control over your routing table and access control
policies.

------
trungonnews
I wish more people would read this blog post before writing another MVC
framework in Node.

<http://eflorenzano.com/blog/2010/09/27/why-node-disappoints-me/>

~~~
gregr401
Except without leveraging those V8 features, we don't have what makes node.

The pace of invention today is based on iteration, building upon other
successes and similar ideas - and it's happening in real-time across a vast
community. This is awesome.

Personally, I love that we have choices like derby, meteor and potentially,
sail. Every effort has pros / cons that may or may not be ideal for a
particular use case. I would rather have more options than none.

~~~
tracker1
I think my issues with this are that it's cool, but there's no example of
security, and the tests are pretty much missing... I tend to look for either
tests, or samples for how things get done, and without any
security/authentication bits, I don't know what I would use something like
this for.

------
kaoD
Judging from the description it does what the other 1000+ Node MVC frameworks
do. What's the advantage of Sails over them? CRUD scaffolding is nothing new
in Node's ecosystem.

Apparently their edge is that users can manipulate the database on their own
in the default scaffold?

EDIT: Downvote without a comment is not constructive. This is a legitimate
question. Care to explain?

~~~
akmiller
I'm guessing the downvotes are for the snideness of your remark. A more
respectable way to phrase your question would've been to simply ask how this
framework compares to some of the other well known Node frameworks and why
might I look into Sails to solve a specific problem instead of some of the
others that are available.

~~~
kaoD
Thanks for your feedback. English is not my native language so I can sound
rude unintentionally in written expression (it's hard enough already in my
native language.)

I'll try throwing random smileys next time :P

------
etanol
I think that there is some abuse of the term real-time these days:

<http://en.wikipedia.org/wiki/Real-time_computing>

~~~
derda
Well the definition is Soft Real-Time (which may apply here) vs. Hard
Real-Time (i.e. car ECU).

But having done university research work in the field of hard real-time
systems I also think "naahh that's not real-time" every time I see some
Web-Framework advertised as such. There is a big set of interesting problems in
hard real-time systems: Complex scheduling algorithms, fault protection and
recovery, bus systems that are also able to fulfil your timing
requirements....

If you spend some time doing this kind of work your head will wrap around
different problems. You cannot take malloc for granted, you always fear that
the compiler does something wrong or that you'd better write that routine in
inline ASM. Etc.

That said, I do a lot of stuff in python now and it's refreshing, but I miss
these problems a little bit.

------
j_col
Please stop calling anything on the internet real-time. Response time is not
guaranteed here.

~~~
mweibel
I guess you mean hard realtime. What usually on the web is called realtime is
soft realtime IMHO.

~~~
j_col
Sure I get, but I think it just dilutes the meaning of the term "real-time" to
use it in a soft context.

~~~
irahul
> Sure I get, but I think it just dilutes the meaning of the term "real-time"
> to use it in a soft context.

Soft realtime isn't a new thing. Chat has always been soft realtime.

------
marcamillion
I love how this is put together and packaged. The graphics, nice intro video,
and very clear docs. Well done!

I wish more OSS projects would put more care in their docs. Adding more
personality and character and just cleaning it up - making it feel more
approachable.

~~~
kaoD
This is pretty standard presentation for Node.js packages.

~~~
marcamillion
Oh really? As a non-Node.js guy, I would love to see some others. Can you show
me some examples please?

Thanks!

~~~
kaoD
Node.js packages are usually small and self-contained. Without typing/APIs
Node relies heavily on documentation, so packages which are not
well-documented will fall into oblivion quickly. Who'd write an OSS library
which nobody can use?

My personal favorite, interactive docs!

<http://coffeescript.org/>

I like these ones because of the straightforwardness:

<http://socket.io/>

<http://jade-lang.com/>

<http://mongoosejs.com/>

And many more:

<http://visionmedia.github.com/mocha/>

<http://meteor.com/>

<http://derbyjs.com/>

<http://compoundjs.com/>

<http://learnboost.github.com/stylus/>

Almost all packages without a website have a README (npm spits out warnings if
missing README):

<https://npmjs.org/package/request>

<https://npmjs.org/package/browserify>

<https://npmjs.org/package/formidable>

<https://npmjs.org/package/forever>

~~~
jahewson
To be fair only one of these has a video

~~~
kaoD
Well, not all projects show off on video. IMHO, a video is a sloooow way to
present information. I'd rather skim through some examples/demos/interactive
docs.

------
apunic
The whole point of Node/npm/Express (as a popular module) is its modularity.
Node is not just about JS on the server, it reflects a paradigm shift -- a
movement away from too much abstraction and magic back to lean and simple
systems. And it's unbelievably fast.

Sorry to say but such frameworks and ideas are from the last decade (Rails was
the main reason why I switched to Node).

~~~
nilliams
The whole point of Node is evented I/O in JavaScript. That's it - it doesn't
take a stance on frameworks.

The point of npm is ... to be a package manager.

Express is a framework. I admittedly don't know much about it, but I believe
it basically has pluggable middleware, like Rails.

Not sure these things share the "point" you are claiming they do.

It's great Node has both framework choices and a wealth of _small modules that
do one thing_. I think there's room for both.

~~~
nilliams
There was a bit of snark in this comment with the "..." which I apologise for,
but I think my point was fair. Trying to paint Node as an anti-framework
ecosystem is disingenuous and this is clearly not a goal of either Node, npm
or Express.

I love Node, and am consistently impressed by npm, but pretending that these
technologies represent a "paradigm shift" and some sort of cohesive shift away
from frameworks is faintly ridiculous.

If you work on a team and are faced with the task of creating a large app your
choice is to pick a framework or create your own from libraries. I'd argue
that a (good) framework is likely to be better because the conventions are
likely clearer and better documented than anything you cook up yourself by
combining libraries and filling in gaps with your own code.

------
d4mn
I started using sails.js and I loved it. I'm new to node so I needed some
starting point. Before that I was coding in php and used frameworks. I
couldn't imagine working without one so I started to look into node
frameworks. All of them have good sides and bad. But sails.js was the one
which I loved from first sight. I don't know why but it looked so similar to
php frameworks I used. It was very simple for me so I started working with it
and contributing. Yeah this framework lacks some features but it's only a time
question when it gets better and better. Because I think this framework will
become choice number 1 for starting coders. Good luck guys and nice job!

------
mweibel
I've looked into sails.js over the past week. It brings a really cool new way
to MVC Frameworks and makes it easy to do certain aspects. What I missed (and
that's why I'm using express.js now) is the documentation (lacking) and
testability (lacking as well). Also the ORM is really lacking. I'd recommend
the authors to look into an existing ORM (sequelize or node-orm2) instead of
creating their own.

Sails certainly needs more polishing but I look forward to using it in the
future at some point, because I really like what it wants to accomplish.

If you like certain aspects (exposing models via REST, policies etc.) it's
really easy to do in express.js as well.

~~~
mikermcneil
Hi mweibel,

I originally used Sequelize, but we wanted (a) noSQL support and (b) a bundled
in-memory database.

Waterline has very good test coverage, and it's professionally maintained by
my Node.js studio, Balderdash. We invest heavily in its development, because
it makes our client projects better and faster.

Happy to answer any other questions about why we built our own ORM.

~~~
mweibel
Ok I understand the decision now. Surely both (sequelize and node-orm2) aren't
the one and only solution yet but I needed some stuff to be supported which
you didn't (yet), e.g. indexes or something like that.

Did you have a look at jugglingdb? I don't use it either because of similar
reasons why I didn't want waterline but basically I think it's more mature
than waterline is.

------
desireco42
I think the old RailwayJS, now CompoundJS, has similar goals: to look like
Rails, yet bring the goodness of NodeJS to the masses.

<http://compoundjs.com/>

I tried it before when it was RailwayJS and it was really good and fast. I
didn't do any major projects in it.

~~~
mimiflynn
I really enjoy using CompoundJS for quick prototypes. Wish there was a larger
community though; well, really, I wish any of the MVC nodeJS frameworks had
the kind of community that Rails and Django have.

~~~
desireco42
I agree. It will probably take someone making a successful site and the word
will get out. My experience with it was that it was super fast, very
responsive, so I imagine it can handle more traffic than rails I am currently
using. It is no rails as rails has features that are out of this world, but
you often don't need those...

~~~
mikermcneil
We've been using Sails in all of our client projects for the last year, so I
guess we'll see what happens :)

------
api
Node is excellent from an architectural point of view, but I can't get over
JavaScript. I really think web developers have Stockholm syndrome with this
language.

~~~
adamauckland
Doing simple JavaScript is easy. Doing JavaScript well, that scales and
doesn't become a spaghetti mess is _hard_.

Having said that, there are a tonne of libraries and tools which make it much
better these days. A language is only as good as the available libraries and
there are some really good ones on npm.

What, particularly, do you find problematic?

~~~
mikermcneil
Totally agree. I created Sails to provide us a clean way of solving the
problem of building large projects for our clients.

------
gregr401
Cool, looking forward to watching the project's progress!

Quick question: when demonstrating the socket.io piece, one aspect that
differs with meteor is their ddp which only sends data diffs on a per client
basis, not the entire subset as your demo showed. How are you planning to
tackle that with any decent amount of clients or data size?

~~~
mikermcneil
Great question! I'm really pumped about more folks getting involved.

First off, you can manage pubsub as you like using Socket.io. The most
important thing to realize about Sails is that we're not trying to be Meteor.
This is for real, production projects, with a straightforward fallback to
trusted technologies. How you manage publish and subscribe is completely up to
you -- but if you're using the API blueprint, here's how it works from a
pubsub perspective:

GET /user => the socket who issued this request is subscribed to the class
room, and the instance rooms for all models returned (until the socket closes)

POST /user => the model created is "introduced" to the class room, subscribing
all sockets connected to the class room, to IT. Then, all of the class room
subscribers are notified that the new model has been created.

PUT /user/n => sockets subscribed to the instance room for the model being
updated receive a message

DELETE /user/n => sockets subscribed to the instance room for the model being
deleted receive a message and become unsubscribed

The "magic" here is actually just a controller- you can take a peek here
(<https://github.com/balderdashy/sails/blob/master/lib/scaffolds/controller.js>)
for more about what's going on in the blueprint.

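The room semantics listed in the reply above, as an added example that is not the Sails blueprint controller itself: an in-memory model of the class room and instance rooms, tracked per socket id, with one constructed walk-through. The room names and the `{ verb, id }` message shape are assumptions for the example, not Sails's wire format.

```javascript
// Added example, not Sails code: a model of the blueprint's pubsub rooms.
class BlueprintPubSub {
  constructor(model) {
    this.model = model;
    this.rooms = new Map();  // room name -> Set of socket ids
    this.inbox = new Map();  // socket id -> messages delivered to it
  }
  // Room names are an assumption for this example, not the names Sails uses.
  classRoom() { return this.model; }
  instanceRoom(id) { return `${this.model}/${id}`; }
  members(room) {
    if (!this.rooms.has(room)) this.rooms.set(room, new Set());
    return this.rooms.get(room);
  }
  subscribe(socket, room) { this.members(room).add(socket); }
  publish(room, msg) {
    for (const s of this.members(room)) {
      if (!this.inbox.has(s)) this.inbox.set(s, []);
      this.inbox.get(s).push(msg);
    }
  }
  // GET /user: the requesting socket joins the class room and every instance room returned.
  find(socket, records) {
    this.subscribe(socket, this.classRoom());
    for (const r of records) this.subscribe(socket, this.instanceRoom(r.id));
    return records;
  }
  // POST /user: introduce the record to the class room's sockets, then notify that room.
  create(record) {
    for (const s of this.members(this.classRoom())) this.subscribe(s, this.instanceRoom(record.id));
    this.publish(this.classRoom(), { verb: "create", id: record.id });
  }
  // PUT /user/n: only sockets in that instance room receive the message.
  update(id, changes) { this.publish(this.instanceRoom(id), { verb: "update", id, changes }); }
  // DELETE /user/n: instance-room subscribers are notified, then unsubscribed.
  destroy(id) {
    this.publish(this.instanceRoom(id), { verb: "destroy", id });
    this.rooms.delete(this.instanceRoom(id));
  }
  // Socket closed: subscriptions last only until then, so drop it from every room.
  disconnect(socket) { for (const set of this.rooms.values()) set.delete(socket); }
  messagesFor(socket) { return this.inbox.get(socket) || []; }
}

// Constructed walk-through: two sockets, one list request each, then create/update/destroy.
function demo() {
  const ps = new BlueprintPubSub("user");
  ps.find("sockA", [{ id: 1 }]);      // A: class room + user/1
  ps.create({ id: 2 });               // A is introduced to user/2 and told about the create
  ps.find("sockB", [{ id: 2 }]);      // B: class room + user/2 (joins after the create)
  ps.update(2, { name: "x" });        // A and B both hear this
  ps.update(1, { name: "y" });        // only A
  ps.disconnect("sockA");             // A's socket closes: all its subscriptions end
  ps.destroy(2);                      // only B is still in user/2
  return { a: ps.messagesFor("sockA"), b: ps.messagesFor("sockB"), rooms: ps.rooms };
}
module.exports = { BlueprintPubSub, demo };
```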
------
twog
Cool project, but the syntax highlighting they are using makes it really
difficult to read: <http://cl.ly/image/0W2m1x1g2u29>

------
Yuioup
The logo on the front page makes me feel old ...

~~~
smrtinsert
jQuery rockstar anyone?

~~~
mikermcneil
lol for anyone else like me who didn't remember the reference, it was back in
'08: <http://blog.jquery.com/2008/08/29/death-to-javascript-rock-stars/>

------
djerry
Cool project. Automatic API generation will be very helpful for quick
prototypes.

------
ile
Any example applications made with Sails? A chat app?

~~~
mikermcneil
Not that we can show yet! But we are currently working on several large client
projects that use Sails in production.

------
obilgic
sails business case rev2.pptx ?

~~~
mikermcneil
eh?

~~~
obilgic
Look at the files on this desktop

~~~
mikermcneil
Ah, we are a services company which helps brands and startups build web
applications. Sails is an instrumental tool in making our team agile and
effective, so I give presentations on that.

