crocodile-node-mvc-framework 0,2,0,0,2,0,4

:crocodile: CrocodileJS is a full-stack Node.js + Koa + ES7 MVC framework for Apps and API’s

:crocodile: CrocodileJS

[![PayPal Donate][paypal-donate-image]][paypal-donate-url] [![Slack Status][slack-image]][slack-url] ![GPLv3 License][license-image] [![Stability][stability-image]][stability-url] [![Build Status][build-image]][build-url] [![Coverage Status][codecov-image]][codecov-url] [![Standard JS Style][standard-image]][standard-url]

CrocodileJS is a multilingual full-stack Node.js + Koa + ES7 MVC framework for Apps and API’s

![Crocodile Dependencies][crocodile-dependencies]

Tip: Click the :crocodile: in section headers to jump back to this index.

:crocodile: Index

:crocodile: What is CrocodileJS?

CrocodileJS is an application framework boilerplate for rapid iteration of a minimal viable product. It is built with ES6, ES7, Babel, and Koa, and has dozens of other extremely useful packages built-in. It is production-ready and used by several startups.


  • Built for Startups, Bootstrappers, and Enterprises
  • Includes an API Server, Web Server, and Job Scheduler
  • GitHub emojis are supported in email content, email subject lines, and views! :smile: :crocodile: :sparkles:
  • Bootstrap 4.x and FontAwesome
  • FontAwesome fonts are supported in emails through [font-awesome-assets][font-awesome-assets]!
  • Emails contain inlined CSS (re-uses your web stylesheet)
  • Emails support highlighted code blocks using [Highlight.js][highlight.js]
  • ECMAScript 7+ Features
  • Async/await callback hell
  • [email protected] (latest version of Koa)
  • Automatic translation using Google Translate
  • File uploads using streams (built-in resizing, optimization, and image transformation!)
  • Localization Supported with i18n
  • Basic Email Signup and Password Reset
  • API BasicAuth Access Built-in
  • 9+ Authentication Providers Supported (e.g. Google/Facebook)
  • Beautiful Email Templates and Translation Support
  • Extremely Secure and Well-tested
  • Ready for Production and Highly Configurable
  • Zero Guesswork; it uses 80+ NPM packages already hooked together

Framework Comparison

Instead of sharing a table with irrelevant benchmarks and checklists of features that only Crocodile has, we provide a simple summary of the most comparable, popular frameworks that come to mind:

  • [Hackathon Starter][hackathon-starter] doesn’t do anything for your production-ready assets and it still uses ECMAScript 5. As a “hackathon starter”, it leads you to write spaghetti code for a quick hackathon – which leads you [to writing huge files][hackathon-app-file] that could be componentized. It also doesn’t use Koa.
  • [Sails][sailsjs] was built in a way that is extremely confusing, as such (and not to be rude) but @niftylettuce [won the first official SailsJS hackathon][won-hackathon] and never used SailsJS again since that one time. It locks you into their philosophy with little wiggle room due to the convoluted setup. It also uses an [outdated version of Express][outdated-express] with no plans to upgrade. It also doesn’t use Koa.
  • [Hapi.js][hapijs] simply doesn’t do enough for you. Input validation and other menial features don’t allow you to ship a high-quality MVP. It also doesn’t use Koa.
  • [Total.js][totaljs] was written from scratch and [is against the Node philosophy][node-philosophy]… just ([look at this file][totaljs-example]). It also doesn’t use Koa.
  • … honestly every single framework/boilerplate is half-baked and really not great for building stellar MVP’s

There really aren’t many decent Node frameworks, so only the above made the list. GitHub is full of [pure web app boilerplates][gh-boilerplate], but they really don’t do much for you.


Crocodile was designed to prove the viability of an idea as quick as possible, with sheer simplicity, and an extremely ambitious quality level. It uses the latest standards, best practices, and is production ready.

For example, Crocodile can be used to release prototypes of the following in less than 30 days:

  • Enterprise Node.js Web Application for Online Ticket Booking
  • Functional Web App for Online Food Ordering
  • RESTful API for a React Native iOS/Android App
  • HR Platform for Payroll, Billing, and Employee Benefits

As you can see, quite literally any type of Software-as-a-Service business can be built with CrocodileJS! Of course, you can build something more complex or simpler than these examples with CrocodileJS.

Crocodile is more of a “boilerplate” than a “framework”. It’s often called a framework because of keyword search popularity and the confusion between the two words. It has a very minimal codebase, which was written with ES6/ES7 (yes, it uses the new [Async/Await][async-await] syntax!) – and it was structured with an MVC approach (in other words it has three folders to separate your logic src/app/models (“M” for models), src/app/controllers (“C” for controllers), and src/app/views (“V” for views).

![SPA Framework][spa-image]

Crocodile does not come with a single page app framework out of the box, and does not use any special client-side framework by default (other than jQuery, which isn’t really a SPA framework) – though it can easily be changed, and you could include React, Choo, Angular, VueJS, or whatever you’d like). The reason it does not use a SPA library, such as [React][react] or [Angular][angular], is because most (probably?) of software as a service start-ups (and API’s in general) don’t need something this fancy to start (API’s don’t even need a SPA). Using SPA frameworks will and have made proving the viability of an idea take even longer than it already should. Instead, Crocodile uses the extremely powerful and fast rendering template language called [Nunjucks][nunjucks]. In order to render it with Koa, we use [koa-nunjucks-promise][koa-nunjucks-promise].

[![Fake Grimlock][avc-chicken-image]][fake-grimlock]

Before diving into the structure and how it works, it is important to share that Crocodile is highly opinionated and may not be for you. If you are not comfortable or do not agree with the ideas shared in these articles, then perhaps you should not read any further into Crocodile, and close this browser tab.

  1. [Rapid MVP Standards][rapid-mvp] by [@niftylettuce][nifty-twitter]
  2. [Frameworks don’t make much sense][frameworks-dont-make-sense] by [@pkrumins][pkrumins]
  3. [Do Things that Don’t Scale][dont-scale] by [@paulg][pg-twitter]

Who’s using CrocodileJS?

[See the full list on GitHub here][gh-showcase-issue].

Did you ship a project with Crocodile? Post a comment [here][gh-showcase-issue]!


Since we use ECMAScript 7+ features, Crocodile does not lock you into this framework and does not make you do something that is not ordinary. In other words, it does not make you adhere to some function named frameworkDoSomething everywhere in your app. It also does not use globals either to try to make things glue together. It’s very clean and organized.

In other words, we use concepts like ES6 classes, standard import and export, and directory traversal, which are all new standards in JavaScript.

We don’t use dependency injection, and quite simply don’t need to. If you need to use a model in another model, you can simply import it.

The architecture is based on MVC design (another standard), and it has the following structure (tree output below):

Back-end with Koa + Async/Await

We use Koa for the back-end, and if you previously used [Express][express], you might want to understand the differences; [see this article][koa-vs-express].

To rid of [callback hell][callback-hell], we use a new JavaScript language feature called Async/Await.

For example, here are two blocks of code that compare before and after…

This is how one might write a Mongoose save with callbacks:

// find the user that belongs to the @crocodilejs organization
// and make their user group have "admin" status
function updateUser(req, res, next) {
  Users.findOne({ org: 'crocodilejs' }, function(err, user) {
    if (err) return next(err);
    if (!user) return next(new Error('User does not exist')); = 'admin';, user) {
      if (err) return next(err);

This is how one might write a Mongoose save with Async/Await:

// find the user that belongs to the @crocodilejs organization
// and make their user group have "admin" status
static async updateUser(ctx) {
  let user = await User.findOne({ org: 'crocodilejs' });
  if (!user) return ctx.throw(Boom.badRequest('User does not exist')); = 'admin';
  ctx.body = await;

Crocodile has custom built-in error handling – so actually you don’t even need to wrap the Async/Await function with a try {} catch (e) {} statement – but be careful, because in other cases you might want to (e.g. when you don’t want to show a specific error from a third-party API response)!

Other scenarios where Async/Await is resourceful:

  • Populating database references cleanly
  • Complex find, search, or querying in general
  • Less indentation = more readable code
  • No more callbacks = more readable code
  • Less indentation = code wrapping to 80 or 100 (recommended) characters is easy

Front-end with jQuery + Bootstrap

By default, the [latest Bootstrap version 4 alpha][bootstrap-4-alpha] is used (it uses SCSS for its CSS pre-processor).

However, you can swap out Bootstrap to another version, or entirely for something else. You can also switch SCSS to use LESS or plain CSS.

Also included are the following front-end components:

  • [jQuery][jquery]
  • [FontAwesome][fontawesome]
  • [SpinKit][spinkit]
  • [Sweetalert2][sweetalert2]
  • [dense][dense]
  • [jquery.lazy][jquery-lazy]
  • [Frisbee][frisbee]
  • [clipboard][clipboard]
  • [bootstrap-social][bootstrap-social]
  • [tether][tether]

You don’t need Bower anymore, since you can simply import libraries through our Browserify setup!

Job Scheduler

Job scheduling is built on top of [Agenda][agenda]. See the src/agenda.js file and also src/jobs folder for how it works and is set up.

There are two sample jobs built-in, email and locales. The job “email” is obviously used for queuing outbound emails, and “locales” is used for generating and validating your localization efforts.

Here are a few code examples of how to queue emails:

Send an email now

import Jobs from '../../models/job';
import { Logger } from '../../../helpers';

try {
  const job = await Jobs.create({
    name: 'email',
    data: {
      template: 'some-template-name',
      to: '[email protected]',
      locals: {
        name: '@niftylettuce',
  });'Queued an email to send now');
} catch (err) {

Send an email in 24 hours

import Jobs from '../../models/job';
import { Logger } from '../../../helpers';
import moment from 'moment';

try {
  const job = await Jobs.create({
    name: 'email',
    nextRunAt: moment().add(24, 'hours').toDate(),
    data: {
      template: 'some-template-name',
      to: '[email protected]',
      locals: {
        name: '@niftylettuce',
  });'Queued an email to send in 24 hours');
} catch (err) {

Send an email every 5 minutes

agenda.every('5 minutes', 'five-minute-email');
getJobs() {
  return [
    [ 'email', {}, ],
    [ 'locales', {}, this.locales ],
    [ 'five-minute-email', {}, this.fiveMinuteEmail ]

async fiveMinuteEmail(job, done) {
  try {
    const job = await Jobs.create({
      name: 'email',
      data: {
        template: 'some-template-name',
        to: '[email protected]',
        locals: {
          name: '@niftylettuce',
    done(null, job);
  } catch (err) {

You can see the contents, subjects, and templates of the provided emails in the src/emails/ folder. Emails are sent using [Postmark][postmarkapp] and the package [email-templates][email-templates].

However in development mode, emails are not sent using an outbound service. Instead they are rendered to the OS temporary directory and opened in the browser automatically for you (saving you time and preventing you from clicking “Refresh” in Gmail a dozen times!).

Finally, here is an example of the helpful output that the “locales” job provides:

warning: the following phrases need translated in es:
Email address was invalid
Password was invalid
Reset token provided was invalid
Reset token and email were not valid together
Password strength was not strong enough
Invalid session secret
Invalid CSRF token
We have sent you an email with a link to reset your password.
Hello %s world
You have successfully registered
You have successfully reset your password.

You can specify which locales (languages) you support in the `src/config/locales.js` file.

### Proxy

You no longer need to install, configure, nor use [Apache's Virtual Hosts][apache-virtual-hosts] or [Nginx's Reverse Proxy][nginx-reverse-proxy]!

Crocodile includes a simple script (shown below) that serves as a proxy for port `80` to port `443` (so `http` requests are automatically redirected to the secure `https` protocol in production).

Just run `NODE_ENV=production npm run proxy` in production to start forwarding ports!


// this redirects any incoming connections
// on port 80 to port 443 (http -> https)

import qs from 'qs';
import _ from 'lodash';
import Koa from 'koa';

const app = new Koa();

app.use(ctx => {
  // 301 = permanent redirect for SEO
  ctx.status = 301;
  ctx.redirect(`https://${ctx.hostname}${ctx.path}${_.isEmpty(ctx.query) ? '' : `?${qs.stringify(ctx.query)}`}`);


Database & ORM

[MongoDB][mongodb] and [Mongoose][mongoose] are built in, but you can swap them out with your preferred database and ORM glue. If you need help setting up [Postgres][pg] and [Bookshelf][bookshelf], then we suggest you to change your mind! It will slow you down – but if you insist, we can put you in the right direction.

To better beautify validation error messages we use [mongoose-beautiful-unique-validation][mongoose-beautiful-unique-validation]

To enhance security and allow you to have selective JSON output from query results (e.g. never return a user’s refresh_token, access_token, hash, or password fields) we use [mongoose-json-select][mongoose-json-select].

We automatically strip the default provided tokens/hash/password fields from JSON output, don’t worry! See the default user model in app/models/user.js for insight.

Sessions & Auth

[Redis][redis] and [Passport][passport] are used for session storage and authentication.

Out of the box, we provide quite a few authentication methods (but only basic email/password and API token access is enabled by default – see Authentication Providers for more info).

NOTE: Some providers such as Twitter do not provide a user’s email address. Similarly, Facebook doesn’t always share a user’s email, especially if they choose not to share it. For cases like this, we automatically prompt the user for a valid email address upon sign-in (if we do not detect an email address).

Type Description
Basic users sign up with an email address and password
API Token an api_token field is populated for each user in the database after their first log-in, and this can be passed as the user in user:pass with BasicAuth headers – password is blank for simplicity). This is very useful for API access if you are building an iOS/Android or client-side focused app. See the API Example below for more information on this and how to test it out.
Facebook uses [passport-facebook]passport-facebook
Twitter uses [passport-twitter]passport-twitter
Google uses [passport-google-oauth]passport-google-oauth
GitHub uses [passport-github]passport-github
LinkedIn uses [passport-linkedin]passport-linkedin
Instagram uses [passport-instagram]passport-instagram
Stripe uses [passport-stripe]passport-stripe

If you need to add additional strategies, you can literally clone the Google Strategy code and use another [passport package][passport-package] for your auth provider. Don’t be afraid to [join our Slack channel][slack-url] and ask us for help!

Flash Messaging

Flash Messaging

Through the use of [Sweetalert2][sweetalert2] and [koa-connect-flash][koa-connect-flash], we allow you to display to users extremely beautiful alerts.

ctx.flash(level, message);

Combine this with our support for international localization/translation and you get localized alerts!

The level parameter can be one of the following (adhering to Sweetalert2 defaults):

  • success - Success/OK messages
  ctx.flash('success', 'Everything worked OK');
  • info - Informational messages
  ctx.flash('info', 'You will never achieve greatness unless you believe in such greatness');
  • warning - Warning messages
  ctx.flash('warning', "Don't forget to tie your shoes before you walk forward");
  • error - Error messages
  ctx.flash('error', 'If you fail, then retry, and retry, and retry, until you succeed.');
  • question - Question messages
  ctx.flash('question', 'Who are you?');

API Example

Using the user’s api_token field value (which is automatically generated upon user creation, see src/app/models/user.js), you can pass the test of the policy policies.ensureApiToken.

For example, we have one restricted route built into Crocodile, which is GET /v1/users.

As a test, try to sign in at http://localhost:3000 after you’ve started the web server and API server.

Go to your account page at http://localhost:3000/my-account and copy your API token to your clipboard.

Take this value, and run the following curl command using it (replace with your API token where it says api_token below:

curl -u "api_token:" http://localhost:3000/v1/users

This should output a JSON response like the following:

  "id": "578ee8af0d1f58b77a4f9ad7",
  "updated_at": "2016-07-20T02:57:51.099Z",
  "created_at": "2016-07-20T02:57:51.000Z",
  "object": "user",
  "display_name": "Nick Baugh",
  "given_name": "Nick",
  "family_name": "Baugh",
  "google_profile_id": "105518868040745239689",
  "avatar_url": ""


With respect to security, we support the following out of the box:

  • [koa-helmet][koa-helmet] - defaults are used, including:
    • [dnsPrefetchControl][dns-prefetch] controls browser DNS prefetching
    • [frameguard][frameguard] to prevent clickjacking
    • [hidePoweredBy][poweredby] to remove the X-Powered-By header
    • [hsts][hsts] for HTTP Strict Transport Security
    • [ieNoOpen][ienoopen] sets X-Download-Options for IE8+
    • [noSniff][nosniff] to keep clients from sniffing the MIME type
    • [xssFilter][xssfilter] adds some small XSS protections
  • [koa-ratelimit][koa-ratelimit] - prevent bots and hackers from infinitely brute-forcing routes


Crocodile uses the following helper libraries:

  • [boom][boom] - HTTP-friendly error objects
  • [chalk][chalk] - colorful output
  • [chalkline][chalkline] - easily debug with a huge chalkline in your terminal
  • [dotenv][dotenv] - management of dotfiles (your environment configurations)
  • [frisbee][frisbee] - an API wrapper for WHATWG’s fetch method (similar to [request][request]!)
  • [koa-convert][koa-convert] - easily convert generator middleware functions to Async/Await
  • [lodash][lodash] - the utility library
  • [moment][moment] - date and time formatting and manipulation
  • [underscore.string][underscore-string] - string manipulation
  • [validator][validator] - string validation and sanitization

:crocodile: Why should I use it?

Best Practices

  • Zero-downtime, graceful reloading with automated continuous integration (see deployment)
  • Automated test runner and code coverage setup using:
    • [chai][chai]
    • [check-chai][check-chai]
    • [dirty-chai][dirty-chai]
    • [istanbul][istanbul]
    • [jsdom][jsdom]
    • [mocha][mocha]
  • Simple message alert system with [koa-connect-flash][koa-connect-flash] and [Sweetalert2][sweetalert2]
  • API token without a password for an extremely simple approach to session-less, BasicAuth access
  • Store dollar values as cents (which is inspired by Stripe), and it avoids floating/rounding issues. If you want to format cents to dollars, simply run accounting.formatMoney(cents / 100).
  • [Stripe-inspired][stripe-inspired] API design with versioning, error handling, type description, and verbose list output with count and number of pages
  • [No callback hell][callback-hell] since you can use Async/Await syntax

Latest Standards

  • Latest stable version of Node
  • Streams for build process with Gulp
  • Newest versions of MongoDB and Redis
  • Uses ES6/ES7 syntax (no more callbacks; you can use await and async finally!)
  • Latest version of Koa v2 (or commonly referred to as @next)

LiveReload Built-in

Through [koa-livereload][koa-livereload] and [gulp-livereload][gulp-livereload] your assets automatically reload as you continually change and save them.

This means you can have your editor open and a browser tab opened to your app at http://localhost:3000/ – of course you need to be running the task npm run watch-assets (which in turn runs the LiveReload bit) – and your changes appear in real-time! Yes, we know this is not new technology, but not many other frameworks had this built-in (at least the right way with gulp).

For example, if you make the following change to your stylesheet file and save it…

body {
-  background-color: red;
+  background-color: hotpink;

… then your background color on the browser tab will instantly change to hot pink.

Production Ready

Building your project for production is as easy as running npm run compile. This runs a script to compile your back-end and front-end assets consecutively.

Crocodile comes with a robust and well-tested Gulpfile (written with Babel!), check [it out here][gulpfile]. This file builds for you all the assets, from images to client-side JavaScript assets (through Browserify and Babelify).

What’s a Gulpfile? You can [read about Gulp here][gulp] – but it’s basically a file that has a series of build tasks defined (e.g. it’s very similar to a Makefile or [Grunt][grunt] if you’re familiar with that).

In a production environment, your app’s assets will be minified, compressed, gzipped, revision hashed, and uploaded to Amazon S3 and CloudFront for load balancing. To do this, we use the packages [koa-manifest-rev][koa-manifest-rev] and [gulp-rev][gulp-rev], with plugins that include:

  • [babelify][babelify] - convert ES6/ES7 code to ES5
  • [browserify][browserify] - you can import (or require) modules in the browser! You no longer need to use Bower. We looked at using Webpack when we had worked on React Native stuff, but it was too complicated and we ran into way too many problems.
  • [eslint][eslint] - lints your JavaScript according to the .eslintrc configuration. Feel free to swap out our .eslintrc for something like [eslint-config-airbnb][eslint-config-airbnb].
  • [gulp-awspublish][gulp-awspublish] - publishes to AWS your assets
  • [gulp-cloudfront][gulp-cloudfront] - publishes to CloudFront your assets
  • [gulp-eslint][gulp-eslint] - lints your JavaScript in the build runner
  • [gulp-imagemin][gulp-imagemin] - compresses your images
  • [gulp-postcss][gulp-postcss] - processes your CSS
  • [gulp-sourcemaps][gulp-sourcemaps] - adds sourcemaps to your code for easy debugging
  • [gulp-uglify][gulp-uglify] - uglifies and minifies your JavaScript code
  • [imagemin-pngquant][imagemin-pngquant] - plugin for imagemin to compress PNG’s

This is the de-facto standard for hosting images, fonts, scripts, and assets in general – and it is managed properly in Crocodile using asset revisioning. For example, your file named crocodile-logo.png will become crocodile-logo-0775041dd4.png in production (you don’t have to worry about cache busting!).

Not only that, but your files will be linted and they come with sourcemaps too!

To compile all the assets and source code for production:

NODE_ENV=production npm run compile

To publish to Amazon S3/CloudFront all of the assets:

NODE_ENV=production npm run publish-assets

After running these two sets of commands, you can test things out locally by running the processes (simulate production on your own machine):


NODE_ENV=production npm run app


NODE_ENV=production npm run api

Job Scheduler:

NODE_ENV=production npm run agenda


NODE_ENV=production npm run proxy

NOTE: The above commands are what you’d use in a deployment configuration.

File Uploads


Cross-browser Compatibility

Is this cross-browser compatible? Yes, 100%! What about all of your ES6/ES7 code? Yes, 100%.

For a list of supported browsers, please see Bootstrap’s list of supported browsers.

All of your code is converted to browser-friendly ES5 vanilla JavaScript (using [Browserify][browserify] and [Babelify][babelify])…so it’s cross-browser compatible!

This means both your server-side and client-side code is built to the ./lib/ folder with ES5 syntax when the Gulpfile is run with gulp build. You never have to worry about passing some --harmony flag either to run your app. The idea here is that you can focus on writing clean, short bits of code – and never have to worry about how it runs.

Built-in User Group Permissioning

By default, all users are assigned to the “user” group. This group is defined in the user model under app/models/user.js per the property 'group'`.

This approach was inspired by classic Linux-based user-group permissioning.

We’ve also added a default policy helper to detect whether or not a user an admin, which you can add as a middleware before your controller logic.

For example, if you want to restrict access to all /admin routes, you can add this simple middleware:

router.all('/admin*', policies.ensureAdmin);

This simple middleware is automatically added by default for you.

If you’d like to grant yourself admin access to the /admin routes, then you can run this script (replace with your email address and database name):

mongo crocodilejs_development --eval 'printjson(db.users.update({ email: "[email protected]" }, { $set: { group: "admin" }}));'

Search Engine Indexing

Since we don’t use a SPA, you don’t have to worry about rendering SEO-friendly content! What you see in the browser is what the search engine crawler sees.

We didn’t build in structured open graph tags as a default to edit, since we figure you can customize to your own needs.

With this setup, we have climbed to #1 on Google for various keywords, easily. Of course, you need great content and traffic.

In order to prevent duplicate content, we have added a plugin that removes trailing slashes from URL’s, so /home/ will 301 redirect to /home automatically.

We support easily configurable (and translated) meta tags for <title> and <meta name="description"> &ndash; see src/config/meta.js.

i18n Internationalization and l10n Localization

We built-in international localization/translation support &ndash; with automatic Google Translations.

See the following files for an understanding of how it works:

  • src/locales folder (full of all the translations, if a locale is missing, it defaults to English; en.json)
  • src/config/locales.js file (uncommented languages are the ones supported)
  • src/config/i18n.js file (see the HELLO_WORLD variable as an example &ndash; you can use the config.i18n object for error messages, success messages, page titles, page descriptions, and more)

If you want recommendations on services to use for this and how to integrate, then [join our Slack][slack-url] and ask us!

To translate a message, you simply use the context helper method ctx.translate('SOME_CONFIG_KEY_MESSAGE'). If you need interpolation, you can pass them as such ctx.translate('SOME_MESSAGE', 'Foo', 'Bar', 'Baz') whereas config.i18n.SOME_MESSAGE = 'Hello %s %s %s' (outputs Hello Foo Bar Baz).

Or if you are in a template/view, you can write {{ t('Some phrase that should get translated.') }}.

Translations of message keys in config.i18n are found in locales/. If you wanted to translate SOME_CONFIG_KEY_MESSAGE in Spanish, then edit the value for the key of "Hello %s %s %s" in locales/es.json.


For performance, you should always use the lean() method while writing your Mongoose queries (here’s [an example article][lean-method] showing why).

You should also never use Mongoose hooks, virtuals, or the populate method. Instead you should write static functions in the models, such as User.doSomething(user, fn). For insight as to how to write static methods, [see the Mongoose docs here][mongoose-static-method].

If you need to asynchronously populate or waterfall chain populate of database references (e.g. populate each user that made a post on a message board) &ndash; then we suggest to use Async/Await with Promise.all.

We’ve also included these libraries to help with performance:

  • [koa-compress][koa-compress] - compress responses with zlib
  • [koa-conditional-get][koa-conditional-get] - allows conditional GET response (returns a 304 “Not Modified” header if condition matches)
  • [koa-etag][koa-etag] - reduce bandwidth consumption with e-tags on responses
  • [koa-response-time][koa-response-time] - adds a new response header called X-Response-Time with the number of milliseconds the server took to respond

Other than that, you just need to increase your server storage/bandwidth/memory/swap, add load balancing, and/or use PM2’s clustering mode &ndash; and you should be able to support thousands of users. Horizontal scaling!

Check out the deployment section below for how a production environment and deployment process should be configured.


In order to validate data sent from <form> and other HTTP requests (and in general), we use:

  • lodash ([docs][lodash])
  • validator ([docs][validator])
  • Mongoose’s validate instance method ([docs][mongoose-validate]).

Imagine you have a form asking for a user’s favorite color.

The user can select from a dropdown a color.


import _ from 'lodash';
import validator from 'validator';
import Boom from 'boom';

const colors = [ 'red', 'blue', 'green' ];

function someController(ctx, next) {

  if (!_.isString(ctx.req.body.fav_color) || !_.contains(colors, ctx.req.body.fav_color))
    return ctx.throw(Boom.badRequest('You did not specify a valid color, try again!'));

  // if you wanted to support translation from a key in `src/config/i18n.js`
  // return ctx.throw(Boom.badRequest(ctx.translate('INVALID_COLOR')));

  // ...


Now imagine that you want to store this user’s favorite color to their user object stored in MongoDB.

And imagine that you want to reduce code you write elsewhere, in case something else manipulates favorite_color.

To accomplish this, we use a custom Schema validator object, which also supports translation.


const colors = [ 'red', 'blue', 'green' ];

const Users = new mongoose.Schema({

  fav_color: {
    type: String,
    required: true,
    validate: function (val, fn) {

      if (_.isString(val) && _.contains(colors, val))
        return fn();

      fn(null, i18n.t({ phrase: 'Invalid color', locale: this.locale });

      // if you wanted to support translation from a key in `src/config/i18n.js`
      // fn(null, i18n.translate('INVALID_COLOR', this.locale));


  // ...



function someController(ctx, next) {

  // set favorite color
  ctx.state.user.fav_color = ctx.req.body.fav_color;

  try {

    // (optional) set the locale for i18n translations
    // this `locale` is a getter/setter on ALL models
    // see `src/models/plugins/common.js` for more info
    ctx.state.user.locale = ctx.req.locale;

    // simply validates the user object
    await ctx.state.user.validate();

    // you could also just call this instead of `.validate()`:
    // await;

  } catch(err) {


We’ve already crafted some complex validation examples for you &ndash; see the controllers in src/app/controllers.

:crocodile: How do I use it?


You’ll need to have the following installed on your operating system (we provide instructions below):

  • [Node][node] >= v7.7.x (we recommend using [NVM][nvm] to manage your Node versions)
  • [MongoDB][mongodb] >= v3.x
  • [Redis][redis] >= v3.x

We also recommend that you install our preferred tools as well!

Mac OS X

  1. Install [Brew][brew]:
  /usr/bin/ruby -e "$(curl -fsSL"
  1. Install [NVM][nvm]:
  curl -o- | bash
  source ~/.bashrc
  1. Install [Node][node] with NVM:
  nvm install stable
  nvm alias default stable
  1. Install [MongoDB]mongodb:
  brew install mongo
  1. Install [Redis]redis:
  brew install redis


  1. Install [NVM][nvm]:
  curl -o- | bash
  source ~/.bashrc
  1. Install [Node][node] with NVM:
  nvm install stable
  nvm alias default stable
  1. Install [MongoDB][mongodb]:
  sudo apt-key adv --keyserver hkp:// --recv 7F0CEB10
  echo "deb "$(lsb_release -sc)"/mongodb-org/3.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.0.list
  sudo apt-get update
  sudo apt-get install -y mongodb-org
  service mongod status
  1. Install [Redis][redis]:
  sudo add-apt-repository ppa:chris-lea/redis-server
  sudo apt-get update
  sudo apt-get install redis-server
  redis-benchmark -q -n 1000 -c 10 -P 5
  source ~/.profile


We do not support Windows, so please use [VirtualBox][virtualbox] or [Vagrant][vagrant] instead with [Ubuntu][ubuntu] or [Linux Mint][linux-mint].


We crafted a simple command-line utility for creating new projects using Crocodile.

Simply install it, then run one of the available commands.

npm install -g crocodile

”`bash crocodile

+s/.     -sssoo+ooosso-

:o:yso++++o+ooyso / :yo+++++ooosyys- -/++oo+++oooosy/... ./osss+++oo+oossosso/ /oo+ssoosoossossss/ ./+++ooossysso:.soo :ooooo/:-:--. +oo- –. .

Related Repositories



:crocodile: CrocodileJS is a full-stack Node.js + Koa + ES7 MVC framework for Apps and API’s ...

Top Contributors

niftylettuce HenriqueLimas andrunix Rajan