Skip to content
Home JavaScript TypeScript Protected Fields — Leaked via Subclass Getters
JavaScript Intermediate

TypeScript Protected Fields — Leaked via Subclass Getters

📅 March 05, 2026 ⏱ 5 min read 🎯 Intermediate
Where developers are forged. · Structured learning · Free forever.
📍 Part of: TypeScript → Topic 3 of 15
Bank balances leaked via protected fields in TypeScript subclasses.
⚙️ Intermediate — basic JavaScript knowledge assumed
In this tutorial, you'll learn
Bank balances leaked via protected fields in TypeScript subclasses.
  • Access modifiers (private, protected, public) aren't just style choices — they're compile-time guardrails that prevent unintended mutations and make refactoring safe across large codebases.
  • Use abstract classes when you have real shared implementation to distribute to subclasses. Use interfaces when you only need a contract — especially when multiple unrelated classes need to satisfy the same shape.
  • Designing UserService to depend on IUserRepository (an interface) instead of PostgresUserRepository (a class) is the difference between code you can unit-test in milliseconds and code that requires a running database to test at all.
✦ Plain-English analogy ✦ Real code with output ✦ Interview questions
Quick Answer
  • TypeScript classes are blueprints for objects with built-in access control (public, private, protected).
  • Constructor shorthand (constructor(private name: string)) reduces boilerplate.
  • Abstract classes provide partial implementation; subclasses must fill in missing methods.
  • Interfaces define contracts—use them for dependency injection and testability.
  • Generics make classes type-safe across different types without losing compile-time checks.
  • Biggest mistake: treating private as a runtime security boundary—it's compile-time only.
🚨 START HERE

Quick OOP Debug Cheat Sheet

Immediate commands and checks for common TypeScript class issues
🟡

Class incorrectly implements interface

Immediate ActionAdd `--noEmit --pretty` to your `tsc` command to get full error details.
Commands
tsc --noEmit --pretty
Review the interface definition and ensure all method signatures match exactly (parameter names don't matter, but types do).
Fix NowUse your IDE's 'Implement Missing Members' quick action to scaffold the missing methods.
🟡

Circular dependency between classes

Immediate ActionCheck import statements for cycles.
Commands
npx madge --circular src/
Look for A imports B imports A pattern. Break the cycle by introducing an interface or using lazy require.
Fix NowExtract the shared dependency into an interface and place it in a separate module that both can import.
🟡

Generic type not inferred correctly

Immediate ActionExplicitly specify the type parameter when calling the generic class constructor.
Commands
const cache = new Cache<User>();
Check if the type parameter is constrained correctly. If inference still fails, you may need to pass a type witness.
Fix NowAdd `<Type>` after the class name when instantiating: `new MyClass<MyType>()`.
Production Incident

Protected Field Leaked via Subclass Getter

A developer protected a sensitive balance field with `protected`, but a subclass exposed it via a public getter, leading to a security audit failure.
SymptomBank account balances could be read via the UI even though the base class marked them as protected.
AssumptionThe protected access modifier prevents all external access to the field.
Root causeprotected only restricts access outside the class hierarchy—subclasses have full visibility and can expose the field through public methods or getters.
FixMark the field as private in the base class. If subclasses need read access, provide a controlled protected getter. For true runtime privacy, use JavaScript's native private fields (#balance) which are enforced even after compilation.
Key Lesson
Protected is not a security boundary—it's a design intention signal.Always treat access modifiers as compile-time guides, not runtime protections.Audit subclass overrides that could leak internal state.When dealing with sensitive data, prefer # private fields over TypeScript's private.
Production Debug Guide

Common compile-time and runtime OOP problems and their fixes

Private field is still accessible at runtimeTypeScript's private is compile-time only. For true runtime privacy, refactor to use JavaScript's native # prefix or use WeakMaps stored outside the class.
'Cannot read properties of undefined' when calling a class methodThe method is likely being detached from its instance (e.g., passed as a callback). Use an arrow function in class definition or bind the method in the constructor.
'Abstract class cannot be instantiated' errorCheck that you're not directly calling new on an abstract class. Ensure you're using a concrete subclass that implements all abstract methods.
'Property is missing in type X but required in type Y' during object literal assignmentWhen creating an object that satisfies a class contract, ensure you provide all required properties. Consider using the class itself as a factory method.

Most JavaScript projects start clean and end messy. Functions multiply, global state leaks everywhere, and six months later nobody dares touch the auth module. TypeScript classes exist to stop that slide before it starts. They're not just syntactic sugar over JavaScript prototypes — they're a contract. A class tells every developer on your team exactly what a thing is, what it can do, and what data it owns. That's architecture, not just syntax.

The real problem OOP solves is the same one your brain solves every day: managing complexity by grouping related things together. A User isn't a loose collection of a name string, an email string, and a login function floating in the void. A User is a single, self-contained unit that owns its data and exposes only the behaviour it intends to. TypeScript enforces that intent at compile time, catching mistakes before they ever hit production.

By the end of this article you'll know how to design a TypeScript class that's genuinely reusable, how to use access modifiers to protect your data like a pro, how inheritance and abstract classes let you build flexible hierarchies without copy-pasting code, and how to use interfaces as contracts that make your whole codebase more predictable. You'll also walk away knowing exactly what interviewers are hunting for when they ask about OOP in TypeScript.

Classes, Constructors, and Access Modifiers — The Foundation You Can't Skip

A TypeScript class is a named template that bundles state (properties) and behaviour (methods) into one coherent unit. The constructor runs once when you create an instance, and it's where you set the initial state. But the part most tutorials gloss over is access modifiers — and they're what separates a well-designed class from a bag of variables.

public means anyone, anywhere can read or write that property. It's the default, but writing it explicitly signals intent. private means only code inside that same class can touch it. protected is the middle ground: the class itself and any class that extends it can use it, but outside code cannot.

Why does this matter? Because without access control, any part of your codebase can mutate any property at any time. You end up debugging why a user's balance is negative and discovering it was modified in twelve different files. Private fields make that physically impossible. The shorthand constructor syntax — declaring private name: string directly in the constructor parameters — cuts the boilerplate in half and is the pattern you'll see in every serious TypeScript codebase.

BankAccount.ts · TYPESCRIPT
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960
// A real-world bank account — classic OOP demo done properly
class BankAccount {
  // private: only methods inside this class can touch the balance
  private balance: number;

  // public: anyone can read the account holder's name
  public readonly accountHolder: string;

  // protected: subclasses (e.g. SavingsAccount) can access this too
  protected transactionHistory: string[];

  // The shorthand constructor: TypeScript declares AND assigns in one line
  constructor(
    accountHolder: string,
    initialDeposit: number
  ) {
    this.accountHolder = accountHolder;
    // Guard against negative opening balances at construction time
    if (initialDeposit < 0) {
      throw new Error('Initial deposit cannot be negative');
    }
    this.balance = initialDeposit;
    this.transactionHistory = [`Account opened with $${initialDeposit}`];
  }

  // Public method: this is the ONLY way outsiders can change the balance
  public deposit(amount: number): void {
    if (amount <= 0) {
      throw new Error('Deposit amount must be positive');
    }
    this.balance += amount;
    this.transactionHistory.push(`Deposited $${amount}`);
    console.log(`Deposited $${amount}. New balance: $${this.balance}`);
  }

  public withdraw(amount: number): void {
    if (amount > this.balance) {
      throw new Error('Insufficient funds');
    }
    this.balance -= amount;
    this.transactionHistory.push(`Withdrew $${amount}`);
    console.log(`Withdrew $${amount}. New balance: $${this.balance}`);
  }

  // A getter exposes balance as read-only to the outside world
  public get currentBalance(): number {
    return this.balance;
  }
}

// --- Usage ---
const myAccount = new BankAccount('Alice', 500);
myAccount.deposit(200);
myAccount.withdraw(100);

console.log(`Balance: $${myAccount.currentBalance}`);
console.log(`Holder: ${myAccount.accountHolder}`);

// This line would cause a TypeScript COMPILE ERROR — balance is private:
// console.log(myAccount.balance); // Error: Property 'balance' is private
▶ Output
Deposited $200. New balance: $700
Withdrew $100. New balance: $600
Balance: $600
Holder: Alice
💡Pro Tip: Use the Constructor Shorthand
Instead of declaring a property, then listing it as a constructor parameter, then assigning it — just write constructor(private balance: number). TypeScript does all three steps for you. Every senior TypeScript dev uses this pattern; it's cleaner and harder to get wrong.
📊 Production Insight
Relying on TypeScript's private for sensitive data can create a false sense of security.
Compiled JavaScript exposes all properties—anyone can read or mutate them via the console.
Rule: Use native # private fields for anything you truly need to protect at runtime.
🎯 Key Takeaway
Access modifiers are compile-time guardrails, not runtime walls.
Shorthand constructor is the default pattern in production codebases.
Default to private, expose only what's part of the class API.

Inheritance and Abstract Classes — Reuse Without Copy-Pasting

Inheritance lets one class build on top of another. The child class (subclass) gets everything the parent has, and then adds or overrides what it needs. This is where people often go wrong: they reach for inheritance to share code, when really they should be asking 'Is a SavingsAccount genuinely a type of BankAccount?' If yes, inheritance makes sense. If you're just trying to reuse a helper method, composition is the better tool.

Abstract classes are the real power move. An abstract class says: 'I define the common structure and some shared behaviour, but I'm deliberately incomplete — you must extend me and fill in the blanks.' You can't instantiate an abstract class directly. This is perfect when you have a concept (like a PaymentProcessor) that absolutely must have a processPayment method, but the implementation differs completely between Stripe, PayPal, and bank transfer.

The super() call in a subclass constructor is mandatory when the parent has a constructor — it runs the parent's setup before your own. Forgetting it is a compile error, which is TypeScript doing you a favour.

PaymentProcessor.ts · TYPESCRIPT
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162
// Abstract class: defines the contract, can't be instantiated directly
abstract class PaymentProcessor {
  // Shared data every processor needs
  constructor(
    protected readonly providerName: string,
    protected readonly feesPercentage: number
  ) {}

  // Concrete method: shared logic all subclasses inherit as-is
  public calculateFee(amount: number): number {
    return parseFloat((amount * this.feesPercentage).toFixed(2));
  }

  // Abstract method: every subclass MUST implement this — or TypeScript errors
  public abstract processPayment(amount: number, recipient: string): void;

  // Template method pattern: calls the abstract method inside a shared wrapper
  public initiateTransaction(amount: number, recipient: string): void {
    const fee = this.calculateFee(amount);
    console.log(`\n[${this.providerName}] Starting transaction...`);
    console.log(`Amount: $${amount} | Fee: $${fee} | Total: $${amount + fee}`);
    // Delegates to the subclass-specific implementation
    this.processPayment(amount, recipient);
  }
}

// Concrete subclass: must implement processPayment
class StripeProcessor extends PaymentProcessor {
  private apiKey: string;

  constructor(apiKey: string) {
    // Call parent constructor first — mandatory
    super('Stripe', 0.029); // Stripe's 2.9% fee
    this.apiKey = apiKey;
  }

  // Fulfilling the abstract contract with Stripe-specific logic
  public processPayment(amount: number, recipient: string): void {
    console.log(`Stripe API call → charging $${amount} to ${recipient}`);
    console.log(`Using key: ${this.apiKey.substring(0, 8)}...`);
  }
}

class PayPalProcessor extends PaymentProcessor {
  constructor() {
    super('PayPal', 0.034); // PayPal's 3.4% fee
  }

  public processPayment(amount: number, recipient: string): void {
    console.log(`PayPal redirect → sending $${amount} to ${recipient}'s email`);
  }
}

// --- Usage ---
const stripe = new StripeProcessor('sk_live_abc123xyz');
stripe.initiateTransaction(100, 'vendor@shop.com');

const paypal = new PayPalProcessor();
paypal.initiateTransaction(50, 'buyer@email.com');

// This would be a compile error — can't instantiate an abstract class:
// const processor = new PaymentProcessor('Generic', 0.01); // ERROR
▶ Output
[Stripe] Starting transaction...
Amount: $100 | Fee: $2.9 | Total: $102.9
Stripe API call → charging $100 to vendor@shop.com
Using key: sk_live_...

[PayPal] Starting transaction...
Amount: $50 | Fee: $1.7 | Total: $51.7
PayPal redirect → sending $50 to buyer@email.com's email
⚠ Watch Out: Inheritance vs. Composition
Don't inherit just to share code. If EmailService extends DatabaseService just to reuse a formatDate helper, you've broken the 'is-a' rule. A service isn't a database. Extract the helper into a utility function or inject it as a dependency instead. Inheritance hierarchies deeper than two levels almost always become a maintenance trap.
📊 Production Insight
Deep inheritance hierarchies are fragile: a change in the base class can break all subclasses.
In production, such hierarchies quickly become 'untouchable' modules.
Rule: Prefer composition over inheritance—extract shared logic into injectable dependencies.
🎯 Key Takeaway
Inheritance is for 'is-a' relationships, not code reuse.
Abstract classes enforce contracts while sharing implementation.
Limit hierarchy depth to two levels—otherwise it becomes a maintenance burden.

Interfaces as Contracts — The TypeScript Superpower Most Devs Underuse

An interface in TypeScript is a pure contract. It has no implementation — it's just a description of what shape an object must have. Any class that implements an interface is promising to provide everything that interface describes. If it doesn't, TypeScript refuses to compile.

Here's why interfaces beat abstract classes for most real-world scenarios: a class can implement multiple interfaces, but it can only extend one abstract class. This is huge. Your UserRepository class can implement both Readable and Writable interfaces without the fragile single-inheritance chain.

Interfaces also enable genuine dependency inversion — one of the SOLID principles. Instead of your UserService depending on PostgresUserRepository (a concrete thing), it depends on IUserRepository (a contract). That means you can swap the Postgres implementation for an in-memory mock in tests without changing a single line in UserService. This is how professional-grade TypeScript codebases are structured.

The implements keyword is your compile-time safety net — it tells TypeScript to check the contract at build time, not at runtime when real users are already hitting your app.

UserRepository.ts · TYPESCRIPT
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384
// The contract — no implementation, just the shape
interface IUserRepository {
  findById(id: string): User | undefined;
  save(user: User): void;
  delete(id: string): boolean;
}

// A simple User type for context
type User = {
  id: string;
  name: string;
  email: string;
};

// Concrete implementation 1: talks to a real database (simplified)
class PostgresUserRepository implements IUserRepository {
  // In real life this would hold a DB connection
  private db: Map<string, User> = new Map();

  public findById(id: string): User | undefined {
    console.log(`[Postgres] Querying users table for id: ${id}`);
    return this.db.get(id);
  }

  public save(user: User): void {
    console.log(`[Postgres] Inserting/updating user: ${user.email}`);
    this.db.set(user.id, user);
  }

  public delete(id: string): boolean {
    console.log(`[Postgres] Deleting user id: ${id}`);
    return this.db.delete(id);
  }
}

// Concrete implementation 2: lives entirely in memory — perfect for unit tests
class InMemoryUserRepository implements IUserRepository {
  private store: Map<string, User> = new Map();

  public findById(id: string): User | undefined {
    return this.store.get(id);
  }

  public save(user: User): void {
    this.store.set(user.id, user);
  }

  public delete(id: string): boolean {
    return this.store.delete(id);
  }
}

// UserService depends on the INTERFACE, not a concrete class
// Swap Postgres for InMemory and this class never changes — that's the power
class UserService {
  constructor(private readonly userRepo: IUserRepository) {}

  public registerUser(name: string, email: string): User {
    const newUser: User = {
      id: `user_${Date.now()}`,
      name,
      email,
    };
    this.userRepo.save(newUser);
    console.log(`User registered: ${newUser.name} (${newUser.email})`);
    return newUser;
  }

  public getUser(id: string): User | undefined {
    return this.userRepo.findById(id);
  }
}

// --- Production usage: plug in the real DB implementation ---
const prodRepo = new PostgresUserRepository();
const prodService = new UserService(prodRepo);
const alice = prodService.registerUser('Alice', 'alice@example.com');

console.log('Found user:', prodService.getUser(alice.id)?.name);

// --- Test usage: swap to in-memory, zero infrastructure needed ---
const testRepo = new InMemoryUserRepository();
const testService = new UserService(testRepo);
testService.registerUser('Bob', 'bob@example.com');
▶ Output
[Postgres] Inserting/updating user: alice@example.com
User registered: Alice (alice@example.com)
[Postgres] Querying users table for id: user_1718000000000
Found user: Alice
User registered: Bob (bob@example.com)
🔥Interview Gold: Interface vs Abstract Class
When an interviewer asks 'when would you use an interface over an abstract class?', the winning answer is: use an interface when you want to define a contract that multiple unrelated classes can fulfil, especially when you need a class to satisfy multiple contracts. Use an abstract class when you have shared implementation (real code) to reuse alongside the contract. TypeScript lets you use both together — an abstract class can implement an interface.
📊 Production Insight
Without interfaces, unit tests require heavy infrastructure setup.
A concrete class dependency forces your test to bring up a database, mock an HTTP server, or bootstrap a whole service.
Rule: Every external service interaction should be behind an interface so you can swap it out in tests.
🎯 Key Takeaway
Interfaces enable dependency inversion—the core of testable architecture.
One class can implement many interfaces, avoiding single-inheritance constraints.
Design for swap-ability: depend on interfaces, not concrete classes.

Static Members and Generics in Classes — When You Need Class-Level Behaviour

Static properties and methods belong to the class itself, not to any instance. Every instance of BankAccount has its own balance, but if you want to track how many accounts exist in total, that counter belongs to the class — it's the same number no matter which instance you ask.

Use statics for: factory methods (creating instances with controlled logic), shared counters or caches, utility behaviour that doesn't need this instance data, and singleton patterns. Overusing statics leads to the same problems as global variables — tight coupling and untestable code — so keep them intentional.

Generics let you write a class once and have it work with any type, while TypeScript still enforces that you're consistent. A DataCache<T> class stores and retrieves items of type T — call it with DataCache<User> and TypeScript ensures you never accidentally store a Product in your user cache. It's the difference between a box that holds anything (and breaks at runtime) and a labelled box that refuses the wrong items at compile time.

DataCache.ts · TYPESCRIPT
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172
// A generic, type-safe cache — works for any type you give it
class DataCache<T> {
  // Static counter tracks how many caches have been created across the app
  private static instanceCount: number = 0;

  private readonly cacheId: number;
  private store: Map<string, T> = new Map();
  private hitCount: number = 0;

  constructor(private readonly cacheName: string) {
    // Static member accessed on the class, not on 'this'
    DataCache.instanceCount++;
    this.cacheId = DataCache.instanceCount;
    console.log(`Cache #${this.cacheId} created: "${cacheName}"`);
  }

  // Static factory method: named constructor pattern — clearer intent than 'new'
  public static create<U>(name: string): DataCache<U> {
    return new DataCache<U>(name);
  }

  public set(key: string, value: T): void {
    this.store.set(key, value);
  }

  // TypeScript knows the return type is T (whatever you chose), not 'any'
  public get(key: string): T | undefined {
    const value = this.store.get(key);
    if (value !== undefined) {
      this.hitCount++;
    }
    return value;
  }

  public getStats(): string {
    return `Cache "${this.cacheName}" | Keys: ${this.store.size} | Hits: ${this.hitCount}`;
  }

  // Static method: relevant to the class concept, needs no instance data
  public static getTotalCaches(): number {
    return DataCache.instanceCount;
  }
}

// --- Usage: two separate typed caches ---

type Product = { id: string; name: string; price: number };

// TypeScript now knows this cache only holds Product objects
const productCache = DataCache.create<Product>('ProductCache');
productCache.set('prod_001', { id: 'prod_001', name: 'Keyboard', price: 79 });
productCache.set('prod_002', { id: 'prod_002', name: 'Mouse', price: 45 });

// TypeScript knows this cache only holds strings
const sessionCache = DataCache.create<string>('SessionCache');
sessionCache.set('session_abc', 'user_123');

// Retrieve — TypeScript infers the correct type automatically
const keyboard = productCache.get('prod_001');
console.log(`Found: ${keyboard?.name} at $${keyboard?.price}`);

const session = sessionCache.get('session_abc');
console.log(`Session maps to user: ${session}`);

console.log(productCache.getStats());
console.log(sessionCache.getStats());

// Static method called on the class, not an instance
console.log(`Total caches created: ${DataCache.getTotalCaches()}`);

// This would be a compile error — wrong type for this cache:
// productCache.set('bad_key', 'just a string'); // Error: string not assignable to Product
▶ Output
Cache #1 created: "ProductCache"
Cache #2 created: "SessionCache"
Found: Keyboard at $79
Session maps to user: user_123
Cache "ProductCache" | Keys: 2 | Hits: 1
Cache "SessionCache" | Keys: 1 | Hits: 1
Total caches created: 2
💡Pro Tip: Prefer Static Factory Methods
Static factory methods like DataCache.create<User>('users') let you give intent to construction. Unlike new, they can have descriptive names (User.fromEmail(), User.fromOAuthProfile()), they can return subclasses, and they can enforce async creation patterns. This pattern shows up constantly in well-architected TypeScript codebases.
📊 Production Insight
Overusing statics creates global state that makes testing and debugging harder.
A static cache shared across requests can leak data between users if not scoped properly.
Rule: Use statics sparingly; prefer dependency injection for testable shared state.
🎯 Key Takeaway
Statics belong to the class, not to instances—use them for factories, counters, and caches.
Generics make classes reusable across types without losing type safety.
Named constructors via static methods are more expressive than new.

Polymorphism and Method Overriding — The Real-World Power of Subtypes

Polymorphism means you can treat different classes that share a common parent as if they were the same type. In TypeScript, this works naturally with inheritance: you can write code that operates on a base class (or abstract class) and have it work with any subclass. The actual method that runs depends on the runtime type of the object, not the declared type.

This is where abstract classes really shine. The initiateTransaction method in PaymentProcessor doesn't know which subclass is calling it—it just calls processPayment, and the correct implementation runs. You can write an array of payment processors and call the same method on each, getting different behaviour every time.

Polymorphism reduces conditionals. Instead of if (type === 'stripe') stripe.process(...) else if (type === 'paypal') paypal.process(...), you just call processor.initiateTransaction(...). That's fewer branches, less risk, and cleaner code.

The key rule is the Liskov Substitution Principle: a subclass must be able to replace its parent without breaking the program. If a subclass's processPayment throws a new type of error that the parent's contract didn't expect, you've violated it—and TypeScript won't catch it.

PolymorphicProcessors.ts · TYPESCRIPT
123456789101112131415161718192021222324252627282930313233343536373839
// Using the PaymentProcessor abstract class from earlier
// Polymorphism: treat all processors through the base type

function processAllPayments(processors: PaymentProcessor[], amount: number, recipient: string): void {
  for (const processor of processors) {
    // The same method call—different behaviour for each subclass
    processor.initiateTransaction(amount, recipient);
  }
}

const stripe = new StripeProcessor('sk_live_abc123xyz');
const paypal = new PayPalProcessor();

const processors: PaymentProcessor[] = [stripe, paypal];

processAllPayments(processors, 100, 'vendor@shop.com');

// --- Output ---
// [Stripe] Starting transaction...
// Amount: $100 | Fee: $2.9 | Total: $102.9
// Stripe API call → charging $100 to vendor@shop.com
// Using key: sk_live_...
//
// [PayPal] Starting transaction...
// Amount: $100 | Fee: $3.4 | Total: $103.4
// PayPal redirect → sending $100 to vendor@shop.com's email

// Liskov Substitution violation example (TypeScript compiles but breaks at runtime):
class BrokenProcessor extends PaymentProcessor {
  constructor() {
    super('Broken', 0.01);
  }

  public processPayment(amount: number, recipient: string): void {
    // Throws a new error type not expected by the base class contract
    throw { code: 'UNEXPECTED', detail: 'Simulated break' };
    // This violates LSP: callers expecting a normal Error object may crash
  }
}
▶ Output
[Stripe] Starting transaction...
Amount: $100 | Fee: $2.9 | Total: $102.9
Stripe API call → charging $100 to vendor@shop.com
Using key: sk_live_...

[PayPal] Starting transaction...
Amount: $100 | Fee: $3.4 | Total: $103.4
PayPal redirect → sending $100 to vendor@shop.com's email
Mental Model
Polymorphism = 'What if I don't care which one?'
Polymorphism lets you write code that works for any subclass—you don't need to know the exact type at the call site.
  • The declared type (base class) determines what methods you can call.
  • The runtime type (actual subclass) determines which method implementation runs.
  • This decouples callers from concrete implementations—adding a new subclass doesn't change the caller's code.
  • Conditional logic (if/switch) is replaced by method dispatch—fewer bugs, more extensibility.
📊 Production Insight
Polymorphism eliminates condition chains—but only if subclasses honour the parent's contract.
A single LSP violation can cascade: callers expecting a standard error format get something else, and error handling breaks silently.
Rule: Abstract classes should document the expected contract, and subclasses should be tested against it.
🎯 Key Takeaway
Polymorphism allows uniform treatment of diverse subtypes.
Liskov Substitution must hold—subclasses must behave as their parent expects.
Prefer polymorphic dispatch over switch/if chains for extensibility.
🗂 Interface vs Abstract Class
Key differences to help you choose the right structure
FeatureInterfaceAbstract Class
Can contain implementationNo — contract onlyYes — concrete methods allowed
Can be instantiated directlyNoNo
Multiple adoption per classYes — implement many interfacesNo — extend only one class
Can have constructor logicNoYes
Compiled to JavaScriptErased completely — zero runtime costCompiles to a real JS class
Best used forDefining contracts, enabling DI patternsSharing base behaviour + enforcing overrides
Supports genericsYesYes
Can extend another of its kindYes — interfaces can extend interfacesYes — classes can extend classes

🎯 Key Takeaways

  • Access modifiers (private, protected, public) aren't just style choices — they're compile-time guardrails that prevent unintended mutations and make refactoring safe across large codebases.
  • Use abstract classes when you have real shared implementation to distribute to subclasses. Use interfaces when you only need a contract — especially when multiple unrelated classes need to satisfy the same shape.
  • Designing UserService to depend on IUserRepository (an interface) instead of PostgresUserRepository (a class) is the difference between code you can unit-test in milliseconds and code that requires a running database to test at all.
  • Static members belong to the class blueprint, not to any house built from it — perfect for shared counters, factory methods, and caches that live once for the whole application.
  • Polymorphism eliminates conditional chains — but only if subclasses honour the parent's contract. The Liskov Substitution Principle is your safety guarantee.

⚠ Common Mistakes to Avoid

    Forgetting super() in a subclass constructor
    Symptom

    TypeScript throws a compile error: 'Constructors for derived classes must contain a super call.'

    Fix

    Always call super(...) as the very first line of a subclass constructor, passing any arguments the parent constructor requires.

    Making everything public by default
    Symptom

    No immediate error, but any file in the project can mutate internal state, causing bugs that are extremely difficult to trace.

    Fix

    Default to private for all properties; make things public only when you consciously decide the property is part of the class's external API. Use getters for read-only access.

    Implementing an interface but forgetting a method
    Symptom

    TypeScript error: 'Class X incorrectly implements interface Y — Property Z is missing.'

    Fix

    As soon as you write implements IUserRepository, implement every method it requires immediately. Use the IDE's 'Implement missing members' quick-fix to scaffold them, then fill in the logic.

    Extending a class for code reuse instead of composition
    Symptom

    Fragile base class syndrome: changing the parent class breaks multiple subclasses, and the hierarchy becomes too deep to maintain safely.

    Fix

    If you're inheriting solely to reuse a method, extract that method into a utility function or inject it via a dependency. Use inheritance only when the subclass genuinely is a kind of the base class.

Interview Questions on This Topic

  • QWhat's the difference between private in TypeScript and JavaScript's native private fields using #? When would you choose one over the other?Mid-levelReveal
    TypeScript's private is a compile-time construct that disappears after compilation—the property is still a normal public property at runtime. JavaScript's # private fields are natively enforced by the engine, providing true encapsulation. Choose private when you need only compile-time protection and maximum performance (no runtime cost). Choose # when you need actual runtime privacy, for example when dealing with sensitive data or writing library code that will be consumed by others. Performance consideration: # fields have a slight runtime overhead (property access via WeakMap internally). In most applications the difference is negligible, but for hot-path code, private is faster. In practice, most teams use TypeScript's private for internal code and reserve # for library/module boundaries where you must absolutely prevent external access.
  • QCan you explain the Liskov Substitution Principle and show me a TypeScript example where violating it would cause a runtime bug even though TypeScript compiles cleanly?SeniorReveal
    Liskov Substitution Principle (LSP) states that a subclass should be replaceable for its parent without altering the correctness of the program. In other words, if code works with the parent class, it should also work with any subclass. Example violation: ``typescript class Bird { fly(): void { console.log('Flying!'); } } class Penguin extends Bird { fly(): void { throw new Error('Penguins cannot fly'); } } function makeBirdFly(bird: Bird): void { bird.fly(); // Works for Bird, crashes for Penguin } makeBirdFly(new Penguin()); // Runtime error! ` TypeScript compiles fine because the method signatures match. But at runtime, Penguin.fly violates the contract: the parent's fly method never throws an error. This breaks any code that assumes birds can fly without exceptions. The fix: either don't make Penguin extend Bird (use composition instead) or redesign the hierarchy so that Bird doesn't assume all birds can fly (e.g., extract an IFlyable` interface).
  • QIf a class implements two interfaces that both declare a method with the same name but different signatures, what happens in TypeScript and how do you resolve it?SeniorReveal
    TypeScript requires the method signature to be compatible with both interfaces simultaneously. If the signatures are incompatible (different parameter types, different return types), TypeScript will give a compile error. Example: ``typescript interface UserRepo { get(id: string): User; } interface AdminRepo { get(id: number): User; } // Error: incompatible signatures class CombinedRepo implements UserRepo, AdminRepo { // ??? } ` Resolution options: 1. Refactor one interface to use a compatible signature (e.g., both use string or both use discriminated union string | number). 2. Use a multi-purpose method signature that satisfies both (e.g., get(id: string | number): User`) – this works if the merged signature covers both. 3. Remove the conflicting method from one interface and rename it. 4. Consider composition: the class can implement one interface directly and use a separate method for the other pattern. In production, this conflict usually signals a design issue—the two interfaces shouldn't share a method name with different meanings.
  • QWhat is the difference between implements and extends in TypeScript?JuniorReveal
    extends is used for class-to-class inheritance: a class inherits properties and methods from another class (including abstract classes). It creates an 'is-a' relationship and passes down the prototype chain. A class can only extend one base class. implements is used to enforce a contract on a class: the class must provide the shape defined by an interface. No code is inherited; it's a structural check only. A class can implement multiple interfaces. Example: - class Dog extends Animal – Dog inherits from Animal. - class Dog implements IWalker, IFeeder – Dog must have walk() and feed() methods as defined in those interfaces. You can combine them: class Dog extends Animal implements IWalker, IFeeder.

Frequently Asked Questions

What is the difference between an abstract class and an interface in TypeScript?

An abstract class can contain both fully implemented methods and abstract methods that subclasses must override. An interface is a pure contract with no implementation at all. The key practical difference: a class can implement multiple interfaces but can only extend one abstract class. Use abstract classes when you have shared code to reuse; use interfaces when you're purely defining a shape or contract.

Does TypeScript's `private` keyword actually prevent access at runtime in JavaScript?

No — TypeScript's private is compile-time only. It prevents access in your TypeScript source, but once compiled to JavaScript the property is a regular, publicly accessible property. If you need true runtime privacy, use JavaScript's native private fields with the # prefix (e.g., #balance), which TypeScript also supports. For most applications compile-time enforcement is sufficient.

When should I use a class versus a plain TypeScript object or type?

Use a class when your data has behaviour attached to it (methods), when you need encapsulation (private state), when you want instances with shared methods via the prototype, or when you need inheritance. Use a plain type or interface when you're just describing the shape of data that gets passed around without methods — like API response objects or config objects. Adding a class where a type would do is unnecessary complexity.

How does polymorphism work in TypeScript?

Polymorphism in TypeScript works through inheritance: a variable declared as a base class type can hold an instance of any subclass. When you call a method on that variable, the actual runtime type's implementation runs. This allows you to write code that works with any subclass without knowing the exact type at compile time. TypeScript supports both inheritance-based polymorphism (via extends) and interface-based polymorphism (via implements).

Can you give an example where violating Liskov Substitution Principle causes a bug in TypeScript?

Consider a Bird base class with a fly() method. A Penguin subclass overrides fly() to throw an error because penguins can't fly. TypeScript will compile this fine because signatures match. But code that expects birds to fly without exceptions will break at runtime. This is an LSP violation: the subclass doesn't honour the parent's contract. The fix is to not model penguins as birds that fly, or to separate the flying behaviour into an interface (IFlyable) that only flying birds implement.

🔥
Naren Founder & Author

Developer and founder of TheCodeForge. I built this site because I was tired of tutorials that explain what to type without explaining why it works. Every article here is written to make concepts actually click.

📚 Related Next Steps
TypeScript Generics Deep Dive — Constraints, Inference, and Real-World PatternsLearn how generics make your classes type-safe across different data types without sacrificing compile-time checks.TypeScript Types vs Interfaces: When to Use Each and Why It MattersUnderstand the trade-offs between type aliases and interfaces—essential for designing class contracts.Advanced TypeScript: Conditional Types & Template Literal TypesMaster advanced type-level programming that builds on the class patterns you just learned.TypeScript Interview Questions: Types, Generics & Real-World PatternsPrepare for senior-level interviews with questions that test deep understanding of TypeScript classes and design.
← PreviousTypeScript Types and InterfacesNext →TypeScript Generics
Forged with 🔥 at TheCodeForge.io — Where Developers Are Forged