Middleware Ecosystem Comparison
Comprehensive comparison of Farrow framework with Express.js and Koa.js middleware ecosystems.
Mainstream Middleware Ecosystem Comparison
| Feature Category | Express.js | Koa.js | Farrow Framework | Recommended | Status |
|---|---|---|---|---|---|
| Authentication | ✅ passport, express-jwt, express-session | ✅ koa-passport, koa-jwt, koa-session | ✅ farrow-auth-session, farrow-auth-jwt | Application Layer | Community solutions available |
| File Upload | ✅ multer, express-fileupload | ✅ multer, koa-multer, @koa/multer | 🚧 Planned | Application Layer | Gap, needs development |
| Data Validation | ✅ joi, express-validator, yup | ✅ joi, koa-validate, yup | ✅ farrow-schema | Application Layer | Farrow Built-in Advantage |
| Routing System | ✅ express.Router | ✅ koa-router, @koa/router | ✅ farrow-http | Application Layer | Farrow Built-in Advantage |
| Error Handling | ✅ Callback-style error handling | ✅ Exception catching + onerror | ✅ Functional error handling | Application Layer | Farrow Architecture Advantage |
| Request Parsing | ✅ body-parser, express.json | ✅ koa-bodyparser, koa-body | ✅ farrow-http built-in | Application Layer | Farrow Built-in Advantage |
| CORS Handling | ✅ cors | ✅ @koa/cors | ✅ farrow-cors | Nginx Priority | Official package available, but Nginx recommended |
| Response Compression | ✅ compression | ✅ koa-compress | ❌ No development plans | Nginx Priority | Recommended gzip on; |
| Static Files | ✅ express.static | ✅ koa-static, koa-static-cache | ✅ Built-in serve method | Nginx Priority | Farrow has built-in support, but Nginx recommended |
| Cache Control | ✅ express-cache-controller | ✅ koa-cache-control | ❌ No development plans | Nginx Priority | Recommended expires directive |
| Rate Limiting | ✅ express-rate-limit | ✅ koa-ratelimit | ❌ No development plans | Nginx Priority | Recommended limit_req |
| Security Protection | ✅ helmet, express-security | ✅ koa-helmet | ✅ farrow-helmet (but Nginx recommended) | Nginx Priority | Community solution exists, but add_header recommended |
| Access Logging | ✅ morgan, winston | ✅ koa-logger, koa-pino-logger | 🔄 Complementary | Layered Approach | Gateway + Application dual logging |
| Reverse Proxy | ✅ http-proxy-middleware | ✅ koa-proxies | ❌ No development plans | Nginx Priority | Recommended proxy_pass |
Nginx/OpenResty and Application Layer Division
Layered Architecture Principles
In modern Web application architecture, many traditional "middleware" functions are better handled at the gateway layer (Nginx/OpenResty), allowing the application layer to focus on business logic.
| Capability | Nginx/OpenResty Implementation | Express/Koa Middleware | Farrow Recommendation | Conclusion & Advantages |
|---|---|---|---|---|
| Response Compression | gzip on; + Brotli modules | compression, koa-compress | ❌ No development plans | Nginx Priority: Better performance, supports pre-compressed files |
| Static Assets | location + root/alias | express.static, koa-static | ❌ No development plans | Nginx Priority: Higher throughput, better caching |
| Cache Control | expires, etag on; | Various cache middleware | ❌ No development plans | Nginx Priority: Unified cache strategy, reduces application burden |
| Rate Limiting | limit_req, limit_conn | express-rate-limit etc | ❌ No development plans | Nginx Priority: Edge interception, protects backend resources |
| CORS Handling | add_header directives | cors, @koa/cors | ✅ farrow-cors (but Nginx recommended) | Nginx Priority: Reduces application layer configuration complexity |
| Security Headers | add_header (CSP, HSTS etc) | helmet series | ❌ No development plans | Nginx Priority: Unified security policy management |
| Reverse Proxy | proxy_pass + load balancing | http-proxy-middleware | ❌ No development plans | Nginx Priority: Comprehensive protocol support, excellent connection management |
| Access Logging | access_log + custom format | morgan, koa-logger | 🔄 Complementary | Layered Logging: Gateway logs requests, application logs business |
Nginx Configuration Example
nginx
# nginx.conf
server {
listen 80;
server_name api.example.com;
# Compression configuration
gzip on;
gzip_types text/plain application/json application/javascript text/css;
# Security headers
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;
add_header X-XSS-Protection "1; mode=block" always;
# CORS handling
add_header Access-Control-Allow-Origin "https://app.example.com" always;
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
# Rate limiting configuration
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
limit_req zone=api burst=20 nodelay;
# Static assets
location /static/ {
root /var/www;
expires 1y;
add_header Cache-Control "public, immutable";
}
# Reverse proxy to Farrow application
location /api/ {
proxy_pass http://localhost:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}Farrow Application Focuses on Business
typescript
// Farrow application only cares about core business logic
const app = Http()
// Authentication middleware
const authenticate = async (req: RequestInfo, next: Next) => {
const token = req.headers?.authorization?.replace('Bearer ', '')
if (!token) {
return Response.status(401).json({ error: 'No token' })
}
try {
const user = jwt.verify(token, secret)
AuthContext.set(user)
return next(req)
} catch (error) {
return Response.status(401).json({ error: 'Invalid token' })
}
}
// User API (built-in type safety)
app.post('/users', {
body: UserCreateSchema // Schema validation
}).use(authenticate)
.use((req) => {
const user = createUser(req.body)
return Response.status(201).json(user)
})
// No need to handle: compression, CORS, rate limiting, static files etc.
// These are all handled by Nginx layer