The big idea
Backends for wellness apps quietly accumulate business rules disguised as code paths. The legacy Rails system had years of this baked in. The goal here was not just to rewrite it in Node, but to lift the rules into versioned, documented models.
Architecture: domain-driven, soft-delete by default
- Mongoose models as the source of truth — `User`, `Resource`, `Assessment`, `Subscription`, `UserAssessmentResult`. Each owns its validation, indexes, query helpers, and lifecycle hooks.
- Embedded vs. referenced relationships chosen per access pattern.
- Soft delete everywhere — every model carries `archived_at` and `deleted_at`, with a `.active()` query helper.
- Compound + sparse indexes for uniqueness scoped by type.
- Layered security — Helmet, CORS allowlist, rate limiting, Passport-JWT + bcrypt, Joi/express-validator at every boundary.
Innovative features
- Generic assessment scoring engine — `sum`, `average`, `weighted` strategies with `result_ranges` matching.
- Edge-enforced visibility model — one `canAccess` function gates all/premium/private uniformly.
- Status workflow with guardrails — `temporary → draft → published`, unidirectional from temporary.
- Trial + reminder automation via node-cron + Nodemailer + Expo push.
- Profile-completion gate computed centrally.
- Operational ergonomics — nightly backups, function catalog, structured Winston logs, Docker compose.
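
One way a single `canAccess` gate over the all/premium/private tiers could look, as an added example that is not the project's own code. The field names (`visibility`, `status`, `owner_id`, `subscription.expires_at`) and the tier semantics (premium needs an unexpired subscription, private and unpublished items are owner-only) are assumptions; what it shows is that soft-deleted records and unknown tiers are denied by default.

```javascript
// Added example. Field names and tier semantics are assumptions, not the project's schema.
const VISIBILITY = new Set(['all', 'premium', 'private']);

// Soft-deleted or archived documents are never served, whatever their visibility.
function isActive(doc) {
  return doc.archived_at == null && doc.deleted_at == null;
}

// A subscription counts only if it is itself active and not yet expired.
function hasActiveSubscription(user, now) {
  const sub = user && user.subscription;
  return Boolean(sub && isActive(sub) &&
    sub.expires_at instanceof Date && sub.expires_at > now);
}

function isOwner(user, resource) {
  return Boolean(user && user.id != null && resource.owner_id != null &&
    String(resource.owner_id) === String(user.id));
}

// Single decision point: returns true only when every check passes.
function canAccess(user, resource, now = new Date()) {
  if (!resource || !isActive(resource)) return false;
  if (!VISIBILITY.has(resource.visibility)) return false; // unknown tier: fail closed
  const owner = isOwner(user, resource);
  if (resource.status !== 'published') return owner;      // temporary/draft: owner only
  switch (resource.visibility) {
    case 'all': return true;
    case 'premium': return owner || hasActiveSubscription(user, now);
    case 'private': return owner;
    default: return false;
  }
}

// Constructed sample data for trying the gate.
const NOW = new Date('2024-06-01T00:00:00Z');
const ownerUser = { id: 'u1' };
const subscriber = { id: 'u2', subscription: { expires_at: new Date('2024-12-31T00:00:00Z') } };
const lapsed = { id: 'u3', subscription: { expires_at: new Date('2024-01-01T00:00:00Z') } };
const premiumDoc = { owner_id: 'u1', visibility: 'premium', status: 'published' };

console.log(canAccess(subscriber, premiumDoc, NOW), canAccess(lapsed, premiumDoc, NOW));
```

Routing every read path through this one function keeps a new tier or status from being served by accident: an unrecognised value falls through to a denial instead of to a permissive branch.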
Outcome
- Replaced the legacy Rails backend without breaking a single shipped feature.
- Centralised all business rules in versioned, documented models.
- Stable production deployment with automated nightly backups and scheduled jobs.