Mateo Rodriguez

Periodic jobs are common (cleanup, digests, rollups), and it’s easy to accidentally run them on every instance in production. In local dev, in-process node-cron is fine. In production, I either run a dedicated worker or add a guard so only one instanc

Retries are great, but duplicates are inevitable—workers crash, Redis reconnects, deploys happen. I prefer building idempotency into the job key itself. BullMQ supports a jobId that acts like a de-dupe key: if a job with the same id already exists, en

Not all queries benefit from a full-table index, especially when most rows are ‘inactive’ or archived. A partial index lets you index only the subset you care about (like active users or un-deleted records), which shrinks index size and improves cache

Sometimes you just need ‘only one worker does this thing at a time’, and building distributed locks from scratch is risky. Postgres advisory locks are a pragmatic option when your DB is already the source of truth. I derive a deterministic lock key (l

Reset flows are a common place to accidentally store secrets in the database. I generate a random token, email it to the user, and store only a hash in the DB alongside an expiry timestamp. When the user redeems the token, I hash what they provide and

A single long-lived JWT is a liability: if it leaks, it’s valid until it expires and revocation is hard. I use short-lived access tokens and longer-lived refresh tokens, and I rotate refresh tokens on every use. Rotation means that if an attacker stea

CORS configs have a habit of getting more permissive over time until you’re basically allowing any origin. I keep an explicit allowlist and handle credentials carefully. If you allow cookies, you can’t use * as the origin. I also keep preflight respon

For read-heavy endpoints, clients often fetch the same resource repeatedly (profile data, settings, a snip page) even when it hasn’t changed. ETags let the client send If-None-Match and the server respond with 304 Not Modified, saving bandwidth and CP

Creating a new TCP/TLS connection for every request is slow and it adds load on both sides. For high-traffic services calling a small set of upstreams, keep-alive reduces latency and CPU dramatically. I configure an https.Agent with sensible maxSocket

Unbounded network calls eventually will hang, and then your Node process gets stuck with slow requests chewing up the connection pool. I wrap fetch with an AbortController timeout so every outbound call has an upper bound. The key is distinguishing be

Unbounded Promise.all is a great way to overload your DB (or a third-party API). I use a small concurrency limiter so I can process batches efficiently while keeping backpressure. This is especially useful for migrations, backfills, and webhook replay

Deep relative imports are a maintainability tax. Once a project grows, ../../../ becomes noise and refactors get painful. I define a small set of path aliases (like @/* for app code) and keep them consistent across TypeScript, Jest/Vitest, and the bun