Background

Hey there, I would like to start a discussion and ask for a feature request. I tried to keep this feature request as short & understandable as possible, but somehow failed miserably 😉

I am a Java backend developer and really interested in Angular. Last year, I wrote a small Java library that allows a developer to server side render an Angular application from a Java stack. For this, the library uses Java language bindings for Node.js/V8 (https://github.com/eclipsesource/J2V8). You can find my project here: https://github.com/swaechter/angularj-universal

I would like to spend more time on my library and add more features and make it production ready. The problem is, that I am experiencing several technical limitations that I personally can’t solve or where there is no good alternative. So I am reaching out to you for input/feedback and a possible solution.

Overview

To give you a short overview how my library works, just take a look at this diagram:

You create a normal Angular application via Angular CLI and then generate the universal server. In addition, some glue code is required, so the J2V8 Node.js instance can load the server bundle and can call a method to render page requests via renderModuleFactory. The result is then passed back to the Java system and sent back to the client.

Important node: The J2V8 JavaScript engine allows us to dynamically register JavaScript functions like receiveResponse that can be implemented in Java and called from JavaScript. You can find the glue code in this file here: https://github.com/swaechter/angularj-universal/blob/master/angularj-universal-application/src/main/angular/library/renderadapter.ts

You can compare this render adapter to a express.js view engine - just a lot simpler (I guess).

Problems

This solutions works great for small applications with one module and routing. But there exist several larger problems:

Problem 1: Angular requires Node.js and zone.js/dist/zone-node for rendering

The J2V8 JavaScript engine is the only solution that provides a.) modern module loading and b.) an implemented Node.js API. There exist no other library that provide the same functionality in this quality. The problem is, that the project isn’t that actively maintained and the last public releases for Windows/OX X were made in September 2016. I really like the project, but the future is unsure and I would like to have other non-Node.js requiring solutions (Keep in mind: All Java JavaScript engines can dynamically implement functions in Java, so we could re-implement required Node.js parts).

There exist several non-Node.js alternatives, they just don’t implement the Node.js API:

• Nashorn: Great, out of the box, but no implementation of the Node.js API
• RingoJS: Great, but no [full] implementation of the Node.js API
• Rhino: Dead, superseded by Nashorn (But still usable)

So as you can see, J2V8 is a usable solution, but it’s the only available one and it would be good to have alternatives. I am in favor of Nashorn, a JavaScript engine that is provided by the Java runtime out of the box.

Problem 2: Many rendering tasks are done by Node.js or it’s underlaying subsystem

The authentication and session/cookie management is done by the Java wevserver/webframework (For example a session based basic authentication or a stateless JWT token that is stored via a httpOnly secured cookie). This works great, but potential HttpClient requests like /api/addresses during server side rendering are made by Node.js or to be more precise it’s underlying system - and they are not aware of these session/cookies. Hence, the server side rendered request is unable to fetch the data while the client side executed request is able to.

So the question is: How does Node.js know the session/cookie/authentication?

One solution (and in my opinion more a dirty hack) would be to pass down all session/cookie/Http header information and pass them to the HttpClient request. This would work, but violates the protection of httpOnly cookie values. This wouldn’t pass a commercial security review + what happens in the case of a potential XSS during server side rendering?

A more sophisticated and cleaner solution would be to route back the /api/addresses request to the Java environment, where I can securly access all session/cookie information of the user. I then make a manual Java request with these information and pass the result back to the Node.js instance. The Node.js instance will never know anything about httpOnly cookies (We can pass down the available cookies of course).

Proposal

In short: Make it possible to replace the Node.js based functionality in ServerModule (Like Http handling) with a custom, non Node.js dependent solution. This has to happen at compile time, so the relocatable server bundle doesn’t require any Node.js module. This also means, that some could (?) use a client-side zone.js.

I read the source code of the ServerModule and thought about ripping it apart, re-implementing some parts in Java and provide a new one (For example JavaServerModule). But I guess this approach is really time consuming and the solution has to keep up with the upstream version.

Please keep in mind that I am not that familiar with the Angular internals and there already might be a solution for that.

I also know that this feature request isn’t asking for some specific features, but is more a starting point for a discussion. Please also take a look at my comments in https://github.com/angular/universal/issues/280