ScriptCode best practices

Context

Rules for writing ScriptCode on the Eximee platform will ensure consistency, readability and code safety, and will also facilitate onboarding of new employees.

Create ScriptCode according to the rules described below.

Area
Rule

Consistent naming convention

  • Write code in English - use English names for variables, functions, etc.

Exceptions: top-down business decisions regarding naming or a high level of script complexity (the decision is up to the low-code developer here). If you choose a naming convention in Polish - be consistent within a single script.

  • Name literal constants hardcoded in code in UPPER_SNAKE_CASE format, e.g. const MOBILE_CHANNEL = "mobile"

  • Name other variables and functions in camelCase format, e.g. const correlationId = context.getFirstParameter('correlationId'), let motherBranchNumber, function generateBranch()

Order in code structure

Organize code in the following order:

  1. Literal constants - declare at the beginning of the script

  2. Variables - then declare variables that will be used in the main logic

  3. Main logic - the main sequence of operations that the code performs (e.g. data processing, function calls)

  4. Helper functions - place at the end

Logging

  • Do not duplicate platform logs - if some parameters are automatically generated by the platform, do not log them again in the script

  • Use a sensitive logger for logging sensitive data, pattern: Logger.info("Client's PESEL filled on the form: {}", pesel)

Learn more: Logging in ScriptCode

Variable declaration

  • Do not use var

  • Primitive types: use let only when you change the variable's value in the script. In other cases use const

  • Complex types: do not use let if you only modify the contents of an object - including arrays (Array), sets (Set), maps (Map).

There is no need to use let when declaring objects - including arrays (Array), sets (Set), maps (Map) - as long as the reference (that is the reference to a specific object or array) will not be changed. In most cases const should be used to declare arrays and other objects, even if their contents will be modified.

Example using const:

const array = [1, 2, 3]; array.push(4); // Works correctly, we modify the array's contents

const obj = { name: "Alice" }; obj.age = 30; // Works correctly, we modify the object's properties

Note: As long as the Rhino engine does not properly support block scope for const, variables inside a "for" loop should be declared using let. You can read more about the bug in the material linked below.

Learn more: Data types in Javascript,

Reference, mutability, primitive types - Javascript recap!

Scripts (ScriptService)

Table listing which features are currently not properly supported by the Rhino engine Rhino: error when declaring const inside a for loop

Error handling

  • Use try-catch blocks in places where exceptions may occur. In case of an error, log it using the logger to enable easy problem tracing.

Code readability

  • Right-click → select Format Document. This will make the code clearer and more readable

  • Remove commented-out code that is no longer needed

  • Write comments concisely and clearly, explaining more difficult code fragments, intentions and unusual solutions. Avoid obvious comments that merely repeat what is already readable in the code.

Code repetition

  • If you repeat a piece of code several times - create a helper function

Script description

  • When creating a new script/validator - add a description

Tests

  • Create unit tests whenever possible, include edge cases.

Security

  • Treat any parameters entering the ScriptCode as untrusted when sending them to services

Sample code:

Wrong:

const url = "/api/form/" + context.getFirstParameter("form_id") + "/data";
const response = api.rest.v1.get("host", { pathParams: url.split("/") });

Right:

const pathParams = ["api", "form", context.getFirstParameter("form_id"), "data"];
const response = api.rest.v1.get("host", { pathParams: pathParams });

  • Do not use credentials directly in ScriptCode

  • Fetch remote resources (images, documents, card images, etc.) from a trusted source (e.g. the Eximee platform, a bank resource)

  • If you must use any link in the application, make sure it is trusted and its use directly follows from the requirements

  • If some functionality is missing in the platform, report the need - do not use external tools

Learn more: OWASP_Application_Security_Verification_Standard_4.0 - scriptCode
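
The difference between the Wrong and Right pathParams samples above, as an added example that is not Eximee platform code. It assumes the REST client percent-encodes each pathParams element as exactly one path segment; toPath, requireFormId and FORM_ID_PATTERN are hypothetical names and the form_id value is constructed.

```javascript
// Added example, not Eximee platform code. FORM_ID_PATTERN, toPath and
// requireFormId are hypothetical names; the input below is constructed.
const FORM_ID_PATTERN = /^[A-Za-z0-9_-]{1,64}$/; // assumed id format
const CONSTRUCTED_FORM_ID = "42/../../admin";    // constructed hostile value

// "Wrong" pattern from the page: concatenate, then split on "/".
function wrongPathParams(formId) {
  const url = "/api/form/" + formId + "/data";
  return url.split("/");
}

// "Right" pattern from the page: the parameter is one array element.
function rightPathParams(formId) {
  return ["api", "form", formId, "data"];
}

// ASSUMPTION: the REST client percent-encodes each element as one segment.
function toPath(pathParams) {
  return "/" + pathParams
    .filter(function (segment) { return segment !== ""; }) // leading "" from split
    .map(encodeURIComponent)
    .join("/");
}

// Allowlist check for callers that know the expected id format.
function requireFormId(value) {
  if (value === null || value === undefined || !FORM_ID_PATTERN.test(String(value))) {
    throw new Error("form_id rejected by allowlist");
  }
  return String(value);
}

function demo() {
  return {
    wrongSegments: wrongPathParams(CONSTRUCTED_FORM_ID).length,
    wrong: toPath(wrongPathParams(CONSTRUCTED_FORM_ID)),
    right: toPath(rightPathParams(CONSTRUCTED_FORM_ID))
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the Wrong variant the slashes inside the parameter become segment boundaries, so the ".." elements reach the service as path segments of their own; in the Right variant the whole value stays inside one encoded segment.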

Mathematical operations with BigDecimal

  • Perform mathematical operations using BigDecimal

Learn more: Mathematical operations in ScriptCode

Handling falsy values

  • Before accessing a property or calling a method on a variable, check that its value is neither null nor undefined, to avoid errors related to missing values. In situations where you also want to catch 0, an empty string or NaN, you can use a general condition if(value).

Review

  • If you are not the only low-code developer on the team - ask someone from the team for a code review.

Materials
