Make your own data platform for the Internet of Things using Node.js and Express.js


I recently wrote a tutorial explaining how to make a connected barometer in which I used Thingspeak as an endpoint for the data. With the current buzz around the Internet of Things, a lot of similar services popped up : Plotly, the Wolframe data drop, Xively and even IBM Cloud to name a few.

What I find problematic with theses services is that you loose control over your data. What are they used for, what happens if the company closes ? You don’t want to lose your preciously collected data.

One solution is to create your own data platform. This way you keep full control over your database. You can set-up backups and are sure that your digital property wont be used for commercial purposes behind your back.

We will thus be making, a web application using Node.js as a server, Express.js for the framework and MongoDB as the database (the MEAN stack, without the A). : application requirements

Let’s take a minute to think about our needs. First, we want to be able to authenticate the user. is built as a single-user application, but the backend is ready to support multiple users. We need a way to create new collections of data which we will call Datasets, and to customize the fields (variables) of this collection. Each dataset will be issued a read and write API key that can be publicly distributed to authenticate requests sending data in or requesting data out. We also need a way to easily regenerate theses keys if they end up being compromised.

How does that translate in term of views ? Well first we need a setup screen so that the user can register. Once logged in, he will need some kind of dashboard giving a quick overview of his datasets. He needs to be able to create new datasets, to edit (as well as delete) and view them. Finally we will also provide a simple ‘settings’ page if he ever wanted to change its username or password.

This tutorial will be organized in the following way : first we will take care of installing all the per-requisite. We will then make our way through the MVC (Model View Controller) pattern in a slightly different order, starting with the models defining the structure of our data, then the controllers (called routes in Express.js) and finally the corresponding views. At each step will be associated a specific commit holding our progress thus far.

Initial set-up

Note : this tutorial assumes that your are running a linux architecture. I’m personally working on ubuntu 15.04.

Server dependencies

The following modules will be needed to run our application. Start by installing them if it’s not already the case :

  1. Node.js: the server of our application. If you’re more used to that, it’s like apache but running on javascript. It comes in with npm, an awesome package manager that will make our life much easier.
  2. MongoDB: a very versatile database system. I like it because of its object-like structure and the fact that ‘tables'(collections) can be created on the fly even if they were not previously registered.
  3. Express-generator: an npm package used to generate an express.js skeleton with a simple command. Express.js is a lightweight framework for Node.js. At the difference of ‘traditional’ frameworks such as Laravel on PHP or Django on Python it doesn’t come with a clearly defined structure which can be a bit confusing at first (especially when you’re reading different tutorials that each use their own way of doing things). The counterpart is that it offers a great deal of flexibility to the developer about the way he wants to structure its application.
  4. Nodemon: a utility that will monitor for any changes in your source and automatically restart your server. We will use it instead of node to run our application, this way we won’t need to restart the server after each modification (pretty handy he!).
# Install node.js
curl --silent --location | sudo bash -
sudo apt-get install --yes nodejs

# Install latest stable MongoDB
sudo apt-key adv --keyserver hkp:// --recv 7F0CEB10
echo "deb trusty/mongodb-org/3.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.0.list
sudo apt-get update
sudo apt-get install -y mongodb-org

# Install Express-generator
# the -g option is used so that the package is installed globally, 
# meaning that we can now use it from the command line
# Try express -h to see the options now available
sudo npm install express-generator -g

# Install Nodemon
sudo npm install nodemon -g

Express.js skeleton

Navigate to the directory of your choice and generate the skeleton of our application. After that, install the default dependencies. Finally, a quick test will ensure that everything is running properly.

# Generate skeleton

# Install dependencies
sudo npm install

# Run the app
nodemon bin/www

The app is being served on port 3000. To check if everything is going well, fire up your browser at the following address : http://localhost:3000. You should receive a warm welcome from Express.

Corresponding code

Application dependencies

We’re now ready to add the packages required for our application :

  1. Mongoose : our ODM (Object Data Manager).
  2. Connect-mongo : used to store the user’s session information in the database.
  3. Express-session : a standard session manager for Express.js.
  4. Method-override : this package will be used in order to pass PUT and DELETE requests though POST requests.
  5. Bcrypt : for password hashing.
  6. Hat : to generate unique API keys.

All these packages will be installed with the –save argument so that they are automatically added to the package.json file.

sudo npm install mongoose connect-mongo express-session method-override bcrypt hat --save

Setting up the app

We need to make a few changes to the app.js file. First let’s import the packages we just installed :

var express = require("express");
    bodyParser = require("body-parser"),
    methodOverride = require("method-override"),
    mongoose = require("mongoose"),
    session = require("express-session"),
    MongoStore = require("connect-mongo")(session);

Then add a connection to the database (which we name ‘iotdb’):

// Connect to mongodb
mongoose.connect("mongodb://localhost/iotdb", function(err) {
    if (err) throw err;
    console.log("Successfully connected to mongodb");

We need to add two middlewares, the first being express-session. As I previously said, it is used to store the user’s session info, which is pretty handy if you want to keep him logged in between views (and to ensure that a user has been authenticated before accessing protected resources). We will also use it in order to pass messages between the views. Connect-mongo is used to store the session’s informations in the database.

// We use mongodb to store session info
// expiration of the session is set to 7 days (ttl option)
    store: new MongoStore({mongooseConnection: mongoose.connection,
                          ttl: 7*24*60*60}),
    saveUninitialized: true,
    resave: true,
    secret: "MyBigBigSecret"

Finally we will configure method-override to look for a hidden field called ‘_method’ in our POST requests. This way we will be able to post PUT and DELETE requests as well.

 // used to manipulate post requests and recongize PUT and DELETE operations
app.use(methodOverride(function(req, res){
      if (req.body && typeof req.body === "object" && "_method" in req.body) {
        // look in urlencoded POST bodies and delete it
        var method = req.body._method
        delete req.body._method
        return method

That’s it ! We’re ready to define our first models.
Corresponding code

The models

Create a new folder in your application directory called models. We need to create two models : one to store the user’s informations and the other for the datasets.


Create a new file called users.js in the models folder. This model is very simple : we want to store a username and a password, as well as the timestamp of creation.

var mongoose = require("mongoose");

// Declare schema
var userSchema = new mongoose.Schema({
    name: {type: String, required: true, index: {unique: true}},
    password: {type: String, required: true},
    created_on: {type: Date, default:}

// Export schema
mongoose.model("User", userSchema);

But this is not all. We also need to ensure that the password is stored as a hash so that it never falls into the wrong hands if your database is ever compromised. This will be done by adding a middleware relying on bcrypt to hash the password value before adding the user to the database. Don’t forget to import bcrypt and to set the salt factor.

    bcrypt = require("bcrypt"),
    SALT_WORK_FACTOR = 10; // used to resist rainbow table and brute force attacks
// Add hashing middleware to schema
userSchema.pre("save", function(next) {
    var user = this;

    // only hash password if it has been modified (or is new)
    if (!user.isModified("password")) return next();

    // generate a salt
    bcrypt.genSalt(SALT_WORK_FACTOR, function(err, salt) {
        if (err) return next(err);

        // hash the password using the new salt
        bcrypt.hash(user.password, salt, function(err, hash) {
            if (err) return next (err);

            // override the cleartext password with the hashed one
            user.password = hash;

Finally, we need to add a method to the schema that will enable us to compare passwords based on their hash. This is done so that we can authenticate users later on.

// Add compare method to schema
userSchema.methods.comparePassword = function(candidatePassword, next) {, this.password, function(err, isMatch) {
        if (err) return cb(err);
        next(null, isMatch);


The dataset model will be a bit more evolved than the last one. It will hold the read and write API keys, the name of the dataset, a unique index used to identify the dataset (we wont use the _id of the dataset because we don’t want to end up with a url looking like /datasets/de1eee192869b90f993acf3857691f07 so we’ll generate a shorter one), the username of the owner of the dataset, a public option which will authorize non authenticated users to access the dataset view, two fields holding the timestamp of creation and last data entry, the number of data entries and finally the data.

Create a new file called datasets.js filled with the following code :

var mongoose = require("mongoose");

// Declare schema
var datasetSchema = new mongoose.Schema({
    index: {type: String, required: true, index: {unique: true}},
    name: {type: String, required: true},
    owner_name: {type: String, required: true},
    read_key: {type: String},
    write_key: {type: String},
    public: {type: Boolean, default: false},
    data: {type: Object},
    entries_number: {type: Number, default: 0}, 
    created_at: {type: Date, default:},
    last_entry_at: {type: Date}

// Export schema
mongoose.model("Dataset", datasetSchema);

Don’t forget to import the models in app.js :

// Loading DB models
var user = require("./models/users"),
    dataset = require("./models/datasets");

Corresponding code

The routes

Now that we know which data to store, it’s time to see how we will handle it. This is where things get trickier (well, only a little). We will need 3 categories of controllers :

  1. One for the user handling, which will be limited to a CRUD (Create Read Update Delete) API that will allow us to act on our users schema. This is what I meant when I said that our application will be ready to serve multiple users even if this version is not made for it : you will be able to rely on this API.
  2. One to deal with the datasets. It will control the new, edit and show views, as well as provide yet another CRUD API allowing to act on the datasets model. This is where we will handle the requests pushing new data points to the dataset and asking for the existing data.
  3. Last but not least a more general controller will handle the remaining views and requests : setup, login, dashboard (index), settings and logout.

An authentication middleware

But before jumping into the routes we need to make a small detour. We don’t want anyone to be able to use the APIs we are going to make. Only an authenticated user should be able to modify his account, right ? Same thing with generating or modifying API keys, as well as accessing the dashboard or the dataset if it is made private.
In order to do that, we will create a middleware that will be called before each route for which authentication is needed. Create a new file called utils.js in the root directory. This is where we are going to put our middleware which will simply ensure that the current user in session has been authenticated. Since we pass the user’s information to the session manager after each login request, this is what we will be looking for. If the user is indeed authenticated, we pass the request to the route. Otherwise we redirect to the login page with and error message. Pretty straightforward.

// Middleware used to check if user is authenticated before accessing a resource
function authenticate(req, res, next) {
    if (req.session.user) {
    } else {
        req.session.error = "You need to be authenticated to access this resource.";

exports.authenticate = authenticate;


You’ll notice that the routes folder is already included in our skeleton. Isn’t that convenient. We will progress step by step from now on. Start by importing the User schema and the authentication middleware we juste made.

var express = require("express"),
    router = express.Router(),
    mongoose = require("mongoose"),
    User = mongoose.model("User"),
    helper = require("../utils");

Then we’ll create the first method of the API : POST used to create a new user. We first check that the user is authenticated before letting him perform the operation. The controller simply takes the username and password provided, calls the create method on the user schema and responds according to the result. Remember the hashing middleware we wrote earlier ? It will be called automatically so that the password will be stored as a hash. The newly created user is returned as a json.

// Create - POST"/", helper.authenticate, function(req, res, next) {
    // Get values from POST request
    var name =;
    var password = req.body.password;

    // Create new user document
        name: name, 
        password: password
    }, function(err, user) {
        if (err) {
            console.log("Error creating new user: " + err);
            res.send("Error creating new user.");
        } else {
            console.log("POST creating new user: " + user);

The GET request is even simpler : it looks for a user matching the id provided in the url and returns it as a json.

// Retreive by ID - GET
router.get("/:id", helper.authenticate, function(req, res){
    // Find user document by id
    User.findById(, function(err, user){
        if (err) {
            console.log("Error retrieving user " + err);
            res.send("Error retrieving user.");
        } else {
            console.log("GET user with ID: " + user._id);

The PUT request is used to update a user’s information. We ask the user to confirm its new password in case of change so that he doesn’t lock himself out of the app by mistake. So we check if both password fields match, create an update request according to which new information was provided and update the user document. You’ll notice that we use the save method instead of update. This is so that the hashing middleware is called, which wouldn’t be the case with update. If an error occurred, we redirect to the settings page with an error message, else we redirect to the index with a success message an update the current session with the new user’s info.

// Update by ID - PUT
router.put("/:id/edit", helper.authenticate, function(req, res) {
    // Get form values
    var newUsername = req.body.username;
    var newPassword = req.body.newPassword;
    var newPasswordBis = req.body.newPasswordConfirm;
    var passError = null;

    // Check if password and confirmation match
    if(newPassword||newPasswordBis) {
        if (newPassword!=newPasswordBis) {
            newPassword = null;
            passError = true;
            req.session.error = "The passwords do not match, try again.";

    if (!passError) {
        //find user document by ID
        User.findById(, function(err, user) {
            if (err) {
                console.log("Error retrieving user " + err);
                req.session.error = "A problem occured retrieving the user.";
            } else {
                 // Check what to update
                if (!=newUsername) = newUsername;
                if (newPassword) user.password = newPassword;

                // Save is used instead of update so that the hashing middleware is called on the password
      , function(err, userID) {
                    if (err) {
                        console.log("Error updating user: " + err);
                        req.session.error = "A problem occured updating the user.";
                    } else {
                        console.log("UPDATE user with id: " + userID);
                        // Regenerate session with new user info
                        req.session.regenerate(function() {
                            req.session.user = user;
                            req.session.success = "Update successful";



As for the DELETE request, it fetches the user matching the id provided in the url and deletes it as you would expect it to. An error/success message is passed to the session according to the result.

// Delete by ID - DELETE
router.delete("/:id", helper.authenticate, function(req, res) {
    // Find user document by id
    User.findById(, function(err, user){
        if (err) {
            console.log("Error retrieving user " + err);
            req.session.error = "A problem occured retrieving the user.";
        } else {
            // Remove user document
            user.remove(function(err, user){
                if (err) {
                    console.log("Error deleting the user " + err);
                    req.session.error = "A problem occured deleting the user.";
                } else {
                    console.log("DELETE user with ID: " + user._id);
                    req.session.regenerate(function() {
                        req.session.success = "Account successfully deleted";

Corresponding code


This one was not included by default, so create a new datasets.js file in the routes folder and prepare it with the required imports.

var express = require("express"),
    router = express.Router(),
    hat = require("hat"),
    mongoose = require("mongoose"),
    Dataset = mongoose.model("Dataset"),
    helper = require("../utils");

// Content goes here

module.exports = router;


We’ll set the GET request aside as it involves dealing with the read API key.

Let’s start with the POST. We retrieve the user’s name from the current session informations. Then we extract the dataset name and the public option values from the body of the POST and delete these keys from the object. Why ? Because we then need to iterate through the remaining keys to retrieve the information concerning the variables to include in our dataset. The dataset is then created and the user is redirected to the index which is served with an appropriate message to display.

// POST new dataset request"/", helper.authenticate, function(req, res) {
    // Used to set the dataset owner
    var sessionUser =;
    // Get values from the post request
    var name =;
    var isPublic = req.body.public != undefined ? true:false;
    // Delete the values from the request body so that we only keep information about the variables
    delete req.body.public;

    // This is so that we can loop through the object in reverse order
    // We do that so that the fields are saved in the right order on the db
    // (this way it will appear in the right order on the 'edit' view)
    var propertiesList = [];
    for (var property in req.body) {
        if (req.body.hasOwnProperty(property)) {

    var variablesFields = {};
    for (var i in propertiesList) {
        variablesFields[propertiesList[i]] = {name:req.body[propertiesList[i]],
                                    values: Array}; 

    // Create dataset 
        index: helper.uniqueIndex(),
        name: name,
        owner_name: sessionUser,
        read_key: hat(), 
        write_key: hat(),
        public: isPublic,
        data: variablesFields
    }, function(err, dataset) {
        if (err) {
            console.log("Error creating the dataset: " + err);
            req.session.error = "A problem occured when creating the dataset. Please try again.";
        } else {
            console.log("New dataset created with id: " + dataset._id);
            req.session.success = "Dataset " + name + " created successfully.";

Hat is used to generate unique read and write keys and a unique index of 9 characters is generated by…what’s that ? A new helper function we didn’t create yet ?! Let’s repair that! Go back to the utils.js file and add the following function :

// Helper used to generate unique index of 9 characters based on the current timestamp + a little randomness
function uniqueIndex() {
    var now = new Date();
    var index = Math.floor(Math.random() * 10) + parseInt(now.getTime()).toString(36).toUpperCase();
    return index;

exports.uniqueIndex = uniqueIndex;

The PUT request follows a similar logic than the POST, except that we have to be a bit smart about how we handle the variables : if a variable is found on the request but not on the existing dataset, we add it to a list of variables to be set. Otherwise if it is absent for the request but present in the dataset, it means that it has to be removed so it is added to a list of variables to be unset. Once again, we then redirect to the index page with the appropriate message.

// PUT request to update dataset
router.put("/:id/", helper.authenticate, function(req, res) {
    // Get values from the POST request
    var name =;
    var isPublic = req.body.public != undefined ? true:false;
    // Delete the values from the request body so that we only keep information about the variables
    delete req.body.public

    var setList = {};
    var unsetList = {};
    var updateQuery = {};

    // Find dataset by id
    Dataset.findById(, function(err, dataset) {
        updateQuery = {
            name: name,
            public: isPublic
        // If variable in request body and not in dataset, add to setList (or if no variable at all in dataset)
        for (var property in req.body) {
            if (!||(req.body.hasOwnProperty(property)&! {
                setList["data."+ property] = {name:req.body[property],
                                                values: Array}; 

        // If variable in dataset but not in request body, add to unsetList
        for (var property in {
            if (!req.body.hasOwnProperty(property))
                unsetList["data."+property] = true;

        // If setList or unsetList non-empty, add to updateQuery
        if (Object.keys(setList).length) {
            updateQuery["$set"] = setList;
        if (Object.keys(unsetList).length) {
            updateQuery["$unset"] = unsetList;

        // Update dataset
        dataset.update(updateQuery, function(err, datasetID) {
            if (err) {
                console.log("Error updating dataset: " + err);
                req.session.error = "Update failed, please try again.";
            } else {
                console.log("Update on dataset: " + datasetID);
                req.session.success = "Update successul.";

The DELETE request shouldn’t be a mistery by now :

// DELETE dataset request 
router.delete("/:id/", helper.authenticate, function(req, res) {
    // Find dataset by id
    Dataset.findById(, function(err, dataset) {
        if (err) {
            console.log("Error retrieving the dataset: " + err);
            req.session.error = "A problem occured retrieving the dataset.";
        } else {
            // Remove dataset document
            dataset.remove(function(err, dataset) {
                if (err) {
                    console.log("Error deleting dataset: " + err);
                    req.session.error("A problem occured deleting the dataset. Please try again.");
                } else {
                    console.log("Deleted dataset with id: " + dataset._id);
                    req.session.success = "Successfully deleted dataset " +;

API keys

We will now take care of 3 special cases we didn’t handle yet : how to push data and get data providing the appropriate API keys.

Updating an API key wont be difficult. A POST request is made to a specific route, providing the _id of the dataset that needs to be updated and the name of the key (read or write). We store the redirect url as we can’t hardcode it this time : it depends on the index of the dataset being updated.

// POST request to update API key"/update/key", helper.authenticate, function(req, res) {
    var redirectUrl = req.headers.referer; // used to redirect to dataset edit page
    // Get values from the POST request
    var id =;
    var key = req.body.key;

    var updateJson = {};
    updateJson[key+"_key"] = hat(); // Generate new API key

    // Find dataset by ID 
    Dataset.findById(id, function(err, dataset) {
        if (err) {
            console.log("Error retrieving dataset: " + err);
            req.session.error = "A problem occured finding the dataset";
        } else {
            // Update dataset with new key
            dataset.update(updateJson, function(err, datasetID) {
                console.log("API key updated: " + key);

The request to add new entries to the dataset will look like that: /datasets/update?key=WRITE_APIKEY&var1=value&var2=value etc. Each variable must have been registered beforehand for the value to be stored. They are selected by they tag which is normalized, contrarly to their name which are personalized by the user. We retrieve the write API key from the GET request arguments and delete the key from the query object so that we can then iterate through the variables and their values. The dataset is fetched according to the key provided. Before inserting the values, we check that the variables have beem previously registered. The values are added by the $push operator in the data document. An appropriate response code is then sent depending on the result.

Here what the structure of data looks like :

“var1”:{“name”:”Variable A”,”values”:[[1,1442867230518]]},
“var2”:{“name”:”Variable B”,”values”:[[2,1442867230518]]}

As you can see it is composed of nested documents each representing a variable. Each variable document is indentified by its tag. It holds its name (if defined) and an array of values. Each value is a composed of the value per-se and a timestamp of the time of insertion.

// GET request to push data to the dataset
router.get("/update", function(req, res) {
    // Get values from request arguments
    var apiKey = req.query.key;
    delete req.query.key; // flush api key value so we only keep values concerning variables

    var values = [];
    var updateQuery = {};

    // Find dataset by write API key
    // Send status code for each case : -1 if error, 0 if no dataset found and 1 if update successful
    Dataset.findOne({write_key:apiKey}, function(err, dataset) {
        if (err) {
            console.log("Error retrieving dataset: " + err);
        } else if ( {
            // build $push query with variables passed in POST request
            // we check that the variable have already been registered otherwise they"ll be ignored
            for (var property in req.query) {
                if (req.query.hasOwnProperty(property)& {
                  updateQuery["data." + property + ".values"] = [parseInt(req.query[property]),]; 
            // Update dataset with new values and increment entries_number
            dataset.update({$push: updateQuery,
                            $inc: {entries_number: 1}, 
                            last_entry_at:}, function(err, datasetID) {
                if (err) {
                    console.log("Error updating dataset: " + err);
                } else {
                    console.log("New entry for dataset with API key: " + apiKey);
        } else {
            console.log("Either no dataset was found for this API key: " + apiKey + " or the dataset doesn't have any variables set");

To request a dataset, one need to provide the correct read API key. A new object representing the dataset stripped from sensible information is created and returned as a json. Here is what you can expect as a response :

“name”:”My dataset”,
“var1”:{“name”:”Variable A”,”values”:[[1,1442867230518]]},
“var2”:{“name”:”Variable B”,”values”:[[2,1442867230518]]}

// GET request to get data
router.get("/request", function(req, res) {
    // Get values from request arguments
    var apiKey = req.query.key;

    // Find dataset by read API key
    Dataset.findOne({read_key: apiKey}, function(err, dataset) {
        if (err) {
            console.log("Error retrieving dataset: " + err);
        } else if (dataset) {
            // Strip dataset from sensible informations (_id and API keys)
            var cleanDataset = {owner_name: dataset.owner_name,
                                index: dataset.index,
                                public: dataset.public,
                                created_at: dataset.created_at,
                                last_entry_at: dataset.last_entry_at,
                                entries_number: dataset.entries_number,
            // return dataset as json
        } else {
            console.log("No dataset found for this API key: " + apiKey);

These two routes must be placed before the others for them to work properly.

Views controllers

Now for the easy part. Here we simply control which information is sent to our views.

We don’t need anything to create a new dataset, only to render the proper view :

// GET new dataset page
router.get("/new", helper.authenticate, function(req, res) {

To edit a dataset, we simply need to retrieve it according to its index and pass these informations to the view :

// GET edit dataset page
router.get("/:index/edit", helper.authenticate, function(req, res) {
    var index = req.params.index;

    // Find dataset by index
    Dataset.findOne({index: index}, function(err, dataset) {
        res.render("datasets/edit", {"dataset": dataset});

The show view is a bit tricky. We retrieve the dataset according to its index and serve it with a stripped version of the document (for reasons already evoked). The tricky part is that we check the public option. If it is set to true, anybody will be able to access this page. Otherwise we call our authentication middleware to ensure that only an authenticated user can access it.

// Get show dataset page
router.get("/:index", function(req, res) {
    var index = req.params.index;

    // Find dataset by index
    Dataset.findOne({index: index}, function(err, dataset) {
        if (err) {
            req.session.error = "Error retrieving the dataset";
        } else {
            // Only send non-sensible info to res (ie: striped from API keys)
            var cleanDataset = {name :,
                                created_at: dataset.created_at, 
                                last_entry_at: dataset.last_entry_at,
                                entries_number: dataset.entries_number,

            // Check if the dataset is public or not
            // If it is, no need for auth middleware. If not, check auth
            if (!dataset.public) {
                helper.authenticate(req, res, function() {
                    res.render("datasets/show", {dataset: cleanDataset})     
            } else {
                res.render("datasets/show", {dataset: cleanDataset});

Finally import and register the new route in app.js:

//  Loading routes
    datasets = require("./routes/datasets");
// Register routes
app.use("/datasets", datasets);

Corresponding code


You should have got the hang of it by now, but let’s repeat it one more time. Start by including the required models and our helper:

var express = require("express"),
    router = express.Router(),
    helper = require("../utils"),
    mongoose = require("mongoose"),
    User = mongoose.model("User"),
    Dataset = mongoose.model("Dataset");

Requests controllers

The first thing our user needs to be able to do is to POST a setup request in order to create his account. This request will redirect him to the index page where he will be able to create his first dataset.

// POST setup request"/setup", function(req, res) {
    // Get values from POST request
    var username = req.body.username;
    var password = req.body.password;

    // Create new user document
        name: username, 
        password: password
    }, function(err, user) {
        if (err) {
            console.log("Error creating the user: " + err);
            req.session.error = "An error occured creating the user.";
        } else {
            console.log("POST creating new user: " + user);
            // Generate new session holding newly created user's info
            req.session.regenerate(function() {
                req.session.user = user;

If he comes back, he’ll probably want to login. In order to do that, we will find the user registered under the login he provided and compare the password he entered with the one from the user retrieved thanks to the helper we created earlier. If no user is found under this username or if the passwords don’t match, we redirect him on the login page with an appropriate message. Otherwise we store his informations in the current session and redirect him to his dashboard.

// POST login request"/login", function(req, res) {
    // Get values form POST request
    var username = req.body.username;
    var password = req.body.password;

    // Find user document by username
    // If a user is returned but the passwords do not match, send error message indicating wrong password
    // If no user is returned, send error message indicating wrong username
    User.findOne({name:username}, function(err, user) {
            if (err) {
                console.log("Error retrieving user " + err);
                req.session.error = "A problem occured while retrieving the user";
            } else if (user) {
                // Use the method registered on the User model to compare entered password with user password
                user.comparePassword(password, function(err, isMatch) {
                    if (err) throw err;

                    if (isMatch) {
                        req.session.regenerate(function() {
                            req.session.user = user;
                            req.session.success = "Authenticated as " +;
                    } else {
                        req.session.error = "Authentication failed, please check your password.";
            } else {
                req.session.error = "Authentication failed, please check your username.";

Finally in case of logout we create a new session and redirect to the login page, serving the messages in the process if need be:

// GET logout request
router.get("/logout", helper.authenticate, function(req, res) {
    var errorMessage = req.session.error;
    var successMessage = req.session.success;

    // Regenerate new session; session.detroy() is not used as we still want 
    // the error/success messages to be served to the endpoint
    req.session.regenerate(function() {
        req.session.error = errorMessage;
        req.session.success = successMessage;

Views controllers

The first view to take care of is the landing page. What happens there ? We first check if a user has been registered. If it hasn’t, it means that our visitor needs to complete the setup process (we thus render the setup view). If a user is present in the database but not in the current session, he needs to login. Otherwise he can be redirected to the index.

// GET landing page
router.get("/", function(req, res, next) {
    var errorMessage = req.session.error;
    var successMessage = req.session.success;

    // since messages have been served, delete from session
    delete req.session.error; 
    delete req.session.success;

    User.count({}, function(err, count){
        // If a user is already registered, redirect to index
        // else render setup view in order to register
        if (count) {
            if (req.session.user) {
            } else {
                res.render("login", {errorMessage: errorMessage,
                                    successMessage: successMessage});
        } else {


The controller for the setup page simply serves messages if need be and renders the setup view.

// GET setup page
router.get("/setup", function(req, res) {
    var errorMessage = req.session.error;
    var successMessage = req.session.success;

    // since messages have been served, delete from session
    delete req.session.error; 
    delete req.session.success;

    res.render("setup", {errorMessage: errorMessage,
                        successMessage: successMessage});

For the index (or dashboard, or watchamacallit), we retrieve every dataset owned by the user and pass them to the index view, along with the messages in the session:

// GET index page
router.get("/index", helper.authenticate, function(req, res, next) {
    var sessionUser =;
    var errorMessage = req.session.error;
    var successMessage = req.session.success;

    // since messages have been served, delete from session
    delete req.session.error; 
    delete req.session.success;

    // Find datasets documents owned by the current session user
    Dataset.find({owner_name: sessionUser}, function(err, datasets) {
        if (err) {
            console.log("Error retrieving datasets: " + err);
            errorMessage = "A problem occured retrieving the datasets";
            res.render("index", {datasets: {},
                                errorMessage: errorMessage});
        } else { 
            res.render("index", {datasets: datasets,
                                errorMessage: errorMessage,
                                successMessage: successMessage});

As for the settings view, we pass it the current user in session, along with the mes…you got it by now right ?

// GET settings page
router.get("/settings", helper.authenticate, function(req, res) {
    var errorMessage = req.session.error;
    var successMessage = req.session.success;

    // since messages have been served, delete from session
    delete req.session.error; 
    delete req.session.success;

    res.render("settings", {user:req.session.user, 
                            errorMessage: errorMessage,
                            successMessage: successMessage});

Corresponding code
And that’s it for the controllers! If you’re still reading, I’m sending you a warm virtual tap on the shoulder. We’re almost there!

The views

We will rely on the jade templating engine to create our views. You are of course free to use anything else, but I personally find it convenient. The first thing you need to do is to add our front-end dependencies : bootstrap with the glyphicons fonts, jQuery, Chart.js to handle our plots, a logo and a favicon. You can also delete everything in style.css. Since we now have a favicon, we can uncomment and modify the following line in app.js:

app.use(favicon(path.join(__dirname, "public/images/favicon.ico")));

Corresponding code

Landing page

Let’s put the common elements between the setup and login page in a new landing.jade file that you will create in the views folder:


The first page on which the user will arrive is the setup page, composed of a logo and a form allowing to open a new account. Create a new file called setup.jade composed of:

extends ./landing

block content
        h1.text-center Setup
                label(for="inputUsername") Username: 
                input#inputUsername.form-control(type="text", placeholder="ex. John Smith", name="username")
                label(for="inputPassword") Password:
                input#inputPassword.form-control(type="password", placeholder="ex. 123456", name="password")
                button#btnSubmit.btn.btn-success(type="submit") Create account

If a user is already registered, he will arrive on the rather similar (if not almost identical) login page. The key difference is that the route called by the form request is not the same. Once again, create a file called login.jade with the following content:

extends ./landing

block content
        form#formLogin(method="POST", action="/login")
                label(for="username") Username: 
                input#inputUsername.form-control(type="text", name="username")
                label(for="password") Password: 
                input#inputPassword.form-control(type="password", name="password")
                input.btn.btn-success(type="submit", value="Log In")

Corresponding code

General views

We need to take care of the layout that will be used as the base of every views that follows. It will include a navbar and import the scripts shared by the views.

doctype html
    title= title
    link(rel="stylesheet", href="/stylesheets/bootstrap.min.css")
    link(rel="stylesheet", href="/stylesheets/style.css")    
                     img(alt="Brand" src="/images/logo.png" width="35px", height="35px")
                        a(href="/index") Home
                        a(href="/settings") Settings
                        a(href="/logout") Logout
        if errorMessage
                button.close(type="button", data-dismiss="alert", aria-label="Close")
                    span(aria-hidden="true") ×
                | #{errorMessage}
        if successMessage
                button.close(type="button", data-dismiss="alert", aria-label="Close")
                    span(aria-hidden="true") ×
                | #{successMessage}
        block content

    block importScripts

    block inPageScript

The index will be composed of a table presenting an overview of the existing datasets, as well as an option to create new ones:

extends layout

block content
        a.btn.btn-success(href="/datasets/new" role="button") New dataset
        h3 My datasets
                    th Name
                    th API keys
                    th Created at
                    th Last data received
                    th Entries
                - each dataset, i in datasets
                                strong Read: 
                                | #{dataset.read_key}
                                strong Write: 
                                | #{dataset.write_key}
                            p= dataset.created_at
                            p= dataset.last_entry_at
                            p= dataset.entries_number
                                a.btn.btn-link(href="/datasets/#{dataset.index}") Show   
                                a.btn.btn-link(href="/datasets/#{dataset.index}/edit") Edit

The settings view requires a new settings.jade file. It is simply a form allowing to update account’s information:

Corresponding code

Dataset views

Start by creating a new subfolder datasets in the views.

The new.jade view (a new file that you just created without having to be asked to because you are so ahead of things) is yet again composed of a form. We use jQuery in order to dynamically add or remove variable fields.


edit.jade is extremely similar, except for the fact that we display display the variables already registered and provide a way to regenerate the dataset’s API keys.


As for show.jade, it relies on Chart.js to generate a line chart for each variable. If you’re looking for more elaborate options, have a look at the D3.js and C3.js libraries. I chose Chart.js because it is very easy to implement and it gives fairly good looking results.

extends ../layout

block content
                strong Created at:
                |  #{dataset.created_at}
                strong Last entry at: 
                |  #{dataset.last_entry_at}
                strong Entries number:
                |  #{dataset.entries_number}

        - each variable, i in
                    h3.text-center #{}
                    h3.text-center #{i}
                canvas(id="#{i}_canvas", height="400px", width="800px")

    script(type="text/javascript", src="/javascripts/Chart.min.js")
        // Unserialize dataset object so that we can interract with it from the script
        var datasetObject =!{JSON.stringify(dataset)}
        var data =

        // For each variable in the dataset, extract title, tag name and values
        // then instanciate the chart with theses values
        for (var property in data) {
            if (data.hasOwnProperty(property)) {
                var varTag = property;
                var varData = data[property];
                var label =;
                var xLabels = [];
                var yValues = [];

                for (var i in varData.values) {
                    // extract values
                    // extract timestamp in a Date object and format the output in a string
                    var t = new Date(varData.values[i][1]);
                    var cleanTime = t.getDay() +"/"+ t.getMonth() + " " + t.getHours() + ":" + t.getMinutes()
                    // add formated timestamp to the array holding values for x axis

            var chartData = {
            labels: xLabels,
            datasets: [
                    label: label,
                    fillColor: "rgba(220,220,220,0.2)",
                    strokeColor: "rgba(220,220,220,1)",
                    pointColor: "rgba(220,220,220,1)",
                    pointStrokeColor: "#fff",
                    pointHighlightFill: "#fff",
                    pointHighlightStroke: "rgba(220,220,220,1)",
                    data: yValues

            var ctx = document.getElementById(varTag+"_canvas").getContext("2d");

            new Chart(ctx).Line(chartData, {
                bezierCurve: false

Corresponding code.

And there you go! Your very own data platform is up and running. You can congratulate yourself, it was not such an easy project to build. And there is still much to be done. You can customize the front-end to match your preferences, add layout options to your plots, open your app to multiple users (setting a password to the database would probably be a good idea too 😉 ).

I would be very pleased to see what you will make out of it, so don’t hesitate to drop me a line in the comments!


