Angular HTTP Interceptors for JWT and Error Handling

# Next.js 16: Middleware → Proxy – A Smarter Request Interception Next.js 16 brings a key evolution in how we handle request interception: **replacing `middleware.ts` with `proxy.ts`**. This isn't just a rename it's about clarity, predictability, and leveraging the full power of the Node.js runtime. ### Key Changes - **File**: `middleware.ts` → `proxy.ts` - **Export**: `middleware()` → `proxy()` - **Runtime**: Edge → Node.js (full Node API access now available!) - **Node API**: Previously limited → Now unrestricted The API surface (NextRequest, NextResponse, config matchers) remains the same, so your logic stays intact. ### Migration Steps (Super Simple for Most Projects) 1. Rename the file:    ```bash   mv middleware.ts proxy.ts   ``` 2. Update the export:    ```typescript   // Before   export function middleware(request: NextRequest) { ... }   // After   export function proxy(request: NextRequest) { ... }   ``` 3. Done! 🎉 (Pro tip: Use the official codemod for automatic migration.) ### Why This Change Matters The old Edge runtime came with restrictions: - No file system access - Compatibility issues with certain auth libraries - Slower for CPU-heavy tasks Now with Node.js: - Full Node.js ecosystem access - Better performance for complex operations - Easier debugging Plus, "Proxy" better describes its role as a clear network gateway avoiding confusion with traditional app-level middleware. Migration is straightforward for most apps, making this a low-friction upgrade with big wins in flexibility. #NextJS #ReactJS #WebDevelopment #JavaScript #Frontend Vercel Complete migration guide: https://lnkd.in/dYyweAm7

✴️ Let’s talk about React2Shell (CVE-2025-55182) — a critical vulnerability that affected thousands of production applications worldwide using React Server Components and Next.js. This flaw allows attackers to take over a server without login, without user interaction, and with a single crafted request. 🚨 The Technical Failure: ➡️ The server accepted a specially crafted POST request that looked like normal app data ➡️ That request contained pointers (references) telling the server to jump between internal objects ➡️ Those pointers were used to reach built-in JavaScript functions through the prototype chain ➡️ During data processing, the server mistakenly executed a function instead of just reading data ➡️ In short: attacker-controlled input was deserialized and turned into live server-side code ⚠️ This is not just bad input validation. This is data being allowed to become executable logic. ⚡ The Result: ➡️ Attackers can run commands on the server ➡️ Steal API keys, secrets, and environment variables ➡️ Read or modify databases ➡️ Take full control of apps built with React Server Components and Next.js ✅ The Lesson for System Architects: Security is defined by execution boundaries, not just features. You must know what data is allowed to become code — especially when introducing new frameworks, libraries, or architectural patterns. Pulling in a new dependency without understanding its internal trust model can silently expose your entire system. 💡💡💡 At Tech-Moody: This is exactly the class of architectural risk we specialize in eliminating. Our teams design and review systems where: ✔️ User input is never allowed to influence code execution paths ✔️ Deserialization is treated as a high-risk boundary, not a safe utility ✔️ Framework internals and third-party libraries are reviewed as potential attack surfaces ✔️ System-level operations are isolated and sandboxed by design ☑️ If external input can reach your execution layer through libraries or framework internals, your architecture hasn’t just failed — it was never safe to begin with. #CyberSecurity #SystemDesign #React #NextJS #RCE #ZeroTrust #EnterpriseSecurity #InfoSec #JavaScript

🔓 CORS in .NET Core Ever faced this error? 👇 🚫 “Access to XMLHttpRequest has been blocked by CORS policy” ❓ Why does this happen? Browsers block requests from Angular (localhost:4200) ➜ .NET API (localhost:7000) because they are different origins (security rule). ✅ How to Fix CORS in .NET Core (4 Simple Steps) 1️⃣ Add CORS Service (Program.cs) var builder = WebApplication.CreateBuilder(args); builder.Services.AddCors(options => { options.AddPolicy("AngularDev", policy => policy.WithOrigins("http://localhost:4200", "https://localhost:4200") .AllowAnyHeader() .AllowAnyMethod() .AllowCredentials()); }); 2️⃣ Enable CORS Middleware (Order Matters! 🚨) var app = builder.Build(); app.UseCors("AngularDev"); // ✅ MUST be before auth app.UseAuthentication(); // ❌ After CORS app.UseAuthorization(); app.MapControllers(); 3️⃣ Test from Angular this.http.get('https://localhost:7000/api/values') .subscribe(); ✅ No more CORS errors! 4️⃣ Production-Ready Configuration // appsettings.json "CorsOrigins": ["https://yourapp.com"] ⚠️ Common CORS Mistakes ❌ Wrong port (4200 ≠ 4201) ❌ CORS middleware after Authentication ❌ Missing HTTPS origin ❌ Using AllowAnyOrigin() with credentials 🎯 Result ✨ Angular ↔ .NET Core API ✨ Secure ✨ Clean ✨ Error-free communication #DotNet #ASPNetCore #CSharp #CORS #Angular #WebAPI #FullStackDeveloper #APIDevelopment #SoftwareDeveloper

⚠️ SECURITY RELEASE: Node.js 24.13.0 (LTS) — 2026-01-13 🟢🔒 https://lnkd.in/ddMyqTAY Notable Changes (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) https://lnkd.in/dTBB69gs (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) https://lnkd.in/dXB-CM4Z (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) https://lnkd.in/dMaGKuMC (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks (Matteo Collina) https://lnkd.in/dncbsCSx (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) https://lnkd.in/dDsjfYJh (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) https://lnkd.in/dVTwVw-7 ALSO! You know what you can do tomorrow! 😉 #nodejs #security #node

CERT/CC Warns binary-parser Bug Allows Node.js Privilege-Level Code Execution A security vulnerability has been disclosed in the popular binary-parser npm library that, if successfully exploited, could result in the execution of arbitrary JavaScript. The vulnerability, tracked as CVE-2026-1245 (CVSS score: N/A), affects all versions of the module prior to version 2.3.0, which addresses the issue. Patches for the flaw were released on November 26, 2025. Binary-parser is a widely used parser builder for JavaScript that allows developers to parse binary data. It supports a wide range of common data types, including integers, floating-point values, strings, and arrays. The package attracts approximately 13,000 downloads on a weekly basis. https://lnkd.in/esBQfTS4 Please follow Divye Dwivedi for such content.  #DevSecOps,#SecureDevOps,#CyberSecurity,#SecurityAutomation,#CloudSecurity,#InfrastructureSecurity,#DevOpsSecurity,#ContinuousSecurity, #SecurityByDesign, #SecurityAsCode, #ApplicationSecurity,#ComplianceAutomation,#CloudSecurityPosture, #SecuringTheCloud,#AI4Security #DevOpsSecurity #IntelligentSecurity #AppSecurityTesting #CloudSecuritySolutions #ResilientAI #AdaptiveSecurity #SecurityFirst #AIDrivenSecurity #FullStackSecurity #ModernAppSecurity #SecurityInTheCloud #EmbeddedSecurity #SmartCyberDefense #ProactiveSecurity

Angular Routing: What actually happens between the click and the component? 🔄 Stop fetching data in ngOnInit. Use Resolvers instead. The hidden lifecycle of an Angular Route. We often think of routing as just switching from Component A to Component B. But under the hood, Angular triggers a complex sequence of events. Understanding this lifecycle is key to building secure and performant applications. Here is the simplified flow of a navigation event: 1️⃣ NavigationStart: The process begins. 2️⃣ Guards (CanLoad/CanActivate): Security check. Should the user see this? If false, we cancel right here. 3️⃣ Resolvers: Data pre-fetching. The router waits for data before the component initializes. No more "loading" flickers. 4️⃣ Activation: The component finally instantiates. 5️⃣ NavigationEnd: The URL updates and the view renders. 💡 Pro Tip: Moving your API calls from ngOnInit to a Resolver ensures your component has everything it needs before it even renders. Do you rely on Guards and Resolvers, or do you handle everything inside the component? CMD / Call to Action: Let me know in the comments: Team Resolver 🛡️ or Team ngOnInit ⚡? Hashtags: #Angular #WebDevelopment #FrontendEngineering #TypeScript #CodingTips #SoftwareArchitecture #developer #softwareengineer #dotnetdeveloper

APIs aren’t always the best solution anymore. Next.js 15 makes Server Actions feel like a practical alternative to the “build an API route for every mutation” habit. Instead of wiring up a route handler, a client fetch, loading states, and error handling, you can run a server function directly from the UI flow using the use server pattern and form actions. That reduces glue code and keeps mutation logic closer to the component that owns it. Where Server Actions shine is anything UI-driven and internal. Form submissions, database writes, updating user settings, and small mutations that exist purely to support a page or feature. You get a simpler mental model, and Next.js includes protections like origin checks and configuration options for Server Actions. API routes still matter, and they are often the right choice when you need a real endpoint. If you’re handling webhooks, integrating with third-party services, supporting mobile clients, exposing public APIs, or building anything that must be called outside your Next.js UI, route handlers are the clearer and more scalable contract. The rule I follow is simple. Use Server Actions when the caller is your own UI and the job is a mutation. Use API routes when the caller could be anything else, or when you need a stable interface for external systems. Also, Server Actions are generally positioned for mutations rather than data fetching, so I keep reads in server components, route handlers, or dedicated data layers depending on the app. Next.js 15 doesn’t kill APIs. It just removes the need to build them by default for every internal interaction. The best teams use both, intentionally. #NextJS15 #FullStack #ServerActions #APIRoutes #ReactServerComponents #WebDevelopment #JavaScript #TypeScript #Frontend #Backend #SoftwareArchitecture #Vercel #EngineeringBestPractices #DeveloperExperience

🟢 Node.js Core Concepts Explained This visual highlights the building blocks of Node.js that power scalable and high-performance applications. 🔍 Key Node.js components: 🧠 Modules ➡️ Reusable code units that keep applications organized 🧵 Callbacks ➡️ Handle asynchronous operations efficiently 🧰 Buffer ➡️ Manage binary data streams 🌐 DNS ➡️ Perform domain name resolution 🔗 Net ➡️ Build TCP servers and network applications 🧩 Cluster ➡️ Scale Node.js apps across multiple CPU cores 🐞 Debugger ➡️ Inspect and troubleshoot application behavior 📋 Console ➡️ Logging and runtime insights ⚠️ Error Handling ➡️ Detect, manage, and recover from failures 🧱 Domain ➡️ Group and handle multiple asynchronous operations 💡 Understanding these fundamentals is essential for writing efficient, maintainable, and scalable Node.js applications. #NodeJS #JavaScript #BackendDevelopment #WebDevelopment #AsyncProgramming #SystemDesign

The "Localhost" Lie: Why my code failed locally but worked on IP I spent yesterday chasing a ghost in my development environment. The Scenario: I canceled an API request in my Angular frontend. ✅ Chrome Network tab: "Cancelled" ❌ Backend (ASP.NET Core): CancellationToken never triggered. The server kept crunching data. The Investigation: I tested every combination to isolate the issue: localhost:4200 (Via Proxy) ➡ Failed ip:4200 (Via Proxy) ➡ Failed localhost:5012 (Direct Backend) ➡ Failed ip:5012 (Direct Backend) ➡ ✅ Success! The "Aha!" Moment: Why did hitting the backend via IP work when Localhost failed? They are the exact same server! The Culprit? Protocol Negotiation. 🔹 Via Proxy (:4200): The Angular/Node proxy was "swallowing" the cancellation signal, never forwarding it to the backend. 🔹 Direct Localhost (:5012): Chrome treated localhost as a "Secure Context," negotiated HTTP/2, and sent a RST_STREAM frame. The server stack didn't map this logical frame to the token correctly. 🔹 Direct IP (:5012): Chrome saw an invalid cert for the IP, forced a downgrade to HTTP/1.1, and killed the TCP connection. The server had to listen to the hard socket close. The Takeaway: Handling request cancellation is a major, often overlooked part of development. Proxies often block disconnect signals by default. Localhost behavior != Production behavior due to HTTP/2. If you aren't testing your CancellationTokens, you're likely paying for "Zombie Requests" in production. Has anyone else battled the HTTP/2 ghost in.NET? #SoftwareEngineering #DotNet #Angular #WebDevelopment #Debugging

🔒 Stop Trusting the Frontend: The JWT Rule If your API expects a userId in the request body while also receiving a JWT in the header, you’re doing more than just wasting bandwidth—you’re potentially opening a security hole. Why does this matter? The frontend is a "public" environment. Anything sent from the client can be intercepted, modified, or spoofed. If your backend trusts the ID in the JSON body over the claims in your cryptographically signed token, you are vulnerable to ID Spoofing. The Logic is Simple: The JWT is the Source of Truth: It’s signed by your server. If it says the user is ID 123, then the user is ID 123. Avoid Redundancy: Sending the same data twice leads to logic conflicts. What happens if the body ID and the token ID don't match? Save your backend the headache. Backend Responsibility: Security doesn't happen in the browser. It happens at the gate—your server. The Golden Rule: If it’s already encoded in the token, don't ask the client to send it again. Decode, verify, and execute. 💡 Devs, what’s your take? Do you prefer keeping the request body explicit for clarity, or do you strictly pull identity from the claims? Let’s discuss in the comments! 👇 #WebDev #CyberSecurity #Backend #API #ProgrammingTips #JWT #NodeJS #Python #SoftwareEngineering #MrSmartboy