{"id":15575664,"url":"https://github.com/hsyntes/authentication-authorization-security","last_synced_at":"2025-04-24T02:22:11.496Z","repository":{"id":177963297,"uuid":"661150846","full_name":"hsyntes/authentication-authorization-security","owner":"hsyntes","description":"Authentication, Authorization and Security Back-End System with Node.js \u0026 Express.js \u0026 mongoDB - mongoose. Registering users to the database, authorization and authentication users, sending emails to users' email address to reset or update their password and more.","archived":false,"fork":false,"pushed_at":"2023-08-06T01:13:13.000Z","size":4833,"stargazers_count":13,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-18T10:23:22.275Z","etag":null,"topics":["authentication","authorization","expressjs","mongodb","mongoose","nodejs","security"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hsyntes.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2023-07-02T00:22:55.000Z","updated_at":"2025-01-01T12:55:29.000Z","dependencies_parsed_at":null,"dependency_job_id":"16d1cee5-9fc9-4beb-b75d-38daea7a1737","html_url":"https://github.com/hsyntes/authentication-authorization-security","commit_stats":null,"previous_names":["hsyntes/authentication-authorization-security"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hsyntes%2Fauthentication-authorization
-security","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hsyntes%2Fauthentication-authorization-security/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hsyntes%2Fauthentication-authorization-security/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hsyntes%2Fauthentication-authorization-security/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hsyntes","download_url":"https://codeload.github.com/hsyntes/authentication-authorization-security/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250546363,"owners_count":21448313,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","authorization","expressjs","mongodb","mongoose","nodejs","security"],"created_at":"2024-10-02T18:40:19.806Z","updated_at":"2025-04-24T02:22:11.478Z","avatar_url":"https://github.com/hsyntes.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Authentication \u0026 Authorization \u0026 Security\n\nAn overview of the authentication, authorization and security considerations for a back-end application written with Node.js, Express.js mongoDB and mongoose. 
These components are widely used in building web applications and require careful attention to ensure the safety and integrity of user data.\n\n## Features\n\n- Security HTTP headers with **helmet**\n- Rate limiting of requests from the same **IP/API**\n- Data sanitization against **NoSQL** injection\n- Data sanitization against **XSS**\n- Managing \u0026 catching errors globally with **middleware** functions\n- Sending a token to users' email address so they can reset \u0026 update their password more securely\n- Generating tokens with an expiry\n- Verifying **JSON Web Token**\n- Sending JWT via **cookie**\n- **Encrypting** \u0026 **hashing** passwords\n- Restricting/protecting some features by token\n- Email validator\n- Dedicated environments for **development** and **production**\n- Structuring users' data more securely with **mongoose Data Modelling**\n\n## Authentication\n\nAuthentication is the process of verifying the identity of a user or system. In the context of a back-end application, it ensures that only users who have proven their identity can access protected resources. Here are some key considerations for implementing authentication:\n\n### User Registration\n\nImplement a user registration process that collects the necessary information, such as username, email, and password. Ensure that password requirements, such as length and complexity, are enforced.\n\n### Login\n\nProvide a secure login mechanism using sessions or tokens. Validate user credentials against stored data and generate authentication tokens or session cookies for subsequent requests.\n\n### Password Reset\n\nOffer secure password reset functionality that verifies the user's identity through a password reset email or other verification methods.\n\n### Authentication Middleware\n\nUse middleware to authenticate requests. 
This middleware should check for valid authentication tokens, verify session cookies, or implement other authentication mechanisms.\n\n## Authorization\n\nAuthorization determines what actions a user can perform within an application. It ensures that authenticated users have the necessary permissions to access or modify specific resources. Consider the following when implementing authorization:\n\n### Role-Based Access Control\n\nImplement role-based access control (RBAC) to assign different permissions to different user roles. For example, an administrator role might have more privileges than a regular user role.\n\n### Resource-Based Authorization\n\nControl access to specific resources based on user roles and ownership. Ensure that users can only access resources they are authorized to view or modify.\n\n## Security\n\nMaintaining the security of your application is crucial to protect user data and prevent unauthorized access or data breaches. Consider the following security measures:\n\n#### Input Validation\n\nValidate and sanitize all user input to prevent common security vulnerabilities such as SQL injection, cross-site scripting (XSS), and command injection attacks. Use libraries or built-in mechanisms to handle input validation and sanitize user input before using it in database queries or rendering it in HTML templates.\n\n#### Password Hashing\n\nStore user passwords securely by hashing them with a strong cryptographic algorithm like bcrypt or Argon2. Hashing passwords avoids storing plain-text passwords in the database, making it harder for attackers to recover user passwords in case of a data breach.\n\n#### Secure Communication\n\nEnable secure communication between clients and the server using HTTPS/TLS. This ensures that data transmitted over the network is encrypted and protects against eavesdropping and tampering. 
Obtain and install an SSL/TLS certificate to enable HTTPS on your server.\n\n#### Session Management\n\nImplement secure session management to track user sessions and prevent session-related attacks such as session hijacking or fixation. Use secure session storage mechanisms, such as server-side storage or encrypted client-side storage (e.g., signed cookies), and regenerate session IDs after user authentication or privilege changes.\n\n### Error Handling\n\nHandle errors securely to avoid information leakage and potential vulnerabilities. Follow these best practices for error handling:\n\n#### Avoid Detailed Error Messages\n\nDo not expose sensitive information or detailed error messages to clients in production environments. Instead, log the error details on the server and provide user-friendly error messages to clients.\n\n#### Custom Error Handling Middleware\n\nImplement custom error handling middleware to catch and handle errors in a consistent and secure manner. This middleware can log errors, handle different error types, and send appropriate error responses to clients.\n\n#### Error Reporting and Monitoring\n\nSet up error reporting and monitoring tools to track and investigate errors occurring in your application. 
These tools can help you identify and address security vulnerabilities or other issues promptly.\n\n## API Reference\n\n#### Get all users\n\n```http\n  GET /api/v1/users/\n```\n\n| Parameter | Type     | Description |\n| :-------- | :------- | :---------- |\n| `/`       | `string` | -           |\n\n#### Get a user\n\n```http\n  GET /api/v1/users/username/\n```\n\n| Parameter   | Type     | Description                  |\n| :---------- | :------- | :--------------------------- |\n| `username/` | `string` | **Required** Verifying token |\n\n#### SignUp\n\n```http\n  POST /api/v1/users/signup/\n```\n\n| Parameter | Type     | Description                      |\n| :-------- | :------- | :------------------------------- |\n| `signup/` | `string` | **Required** all fields in Model |\n\n#### Login\n\n```http\n  POST /api/v1/users/login/\n```\n\n| Parameter | Type     | Description                                 |\n| :-------- | :------- | :------------------------------------------ |\n| `login/`  | `string` | **Required** email or username and password |\n\n#### Forgot Password\n\n```http\n  POST /api/v1/users/forgot-password/\n```\n\n| Parameter          | Type     | Description        |\n| :----------------- | :------- | :----------------- |\n| `forgot-password/` | `string` | **Required** email |\n\n#### Reset Password\n\n```http\n  PATCH /api/v1/users/reset-password/passwordResetToken\n```\n\n| Parameter                            | Type     | Description                   |\n| :----------------------------------- | :------- | :---------------------------- |\n| `reset-password/passwordResetToken/` | `string` | **Required** token from email |\n\n#### Update Password\n\n```http\n  PATCH /api/v1/users/update-password/\n```\n\n| Parameter          | Type     | Description                  |\n| :----------------- | :------- | :--------------------------- |\n| `update-password/` | `string` | **Required** verifying token |\n\n#### Deactivate User\n\n```http\n  DELETE 
/api/v1/users/deactivate/\n```\n\n| Parameter     | Type     | Description                  |\n| :------------ | :------- | :--------------------------- |\n| `deactivate/` | `string` | **Required** verifying token |\n\n#### Close Account\n\n```http\n  DELETE /api/v1/users/delete/\n```\n\n| Parameter | Type     | Description                  |\n| :-------- | :------- | :--------------------------- |\n| `close/`  | `string` | **Required** verifying token |\n\n#### Update\n\n```http\n  PATCH /api/v1/users/delete/\n```\n\n| Parameter | Type     | Description                  |\n| :-------- | :------- | :--------------------------- |\n| `update/` | `string` | **Required** verifying token |\n\n## Run Locally\n\nClone the project\n\n```bash\n  git clone https://github.com/hsyntes/authentication-authorization-security\n```\n\nGo to the project directory\n\n```bash\n  cd authentication-authorization-security\n```\n\nInstall dependencies\n\n```bash\n  npm install\n```\n\nStart the server on **development** environment\n\n```bash\n  npm start\n```\n\nStart the server on **production** environment\n\n```bash\n  npm run start:prod\n```\n\n## 🔗 Links\n\n[![linkedin](https://img.shields.io/badge/linkedin-0A66C2?style=for-the-badge\u0026logo=linkedin\u0026logoColor=white)](https://www.linkedin.com/in/hsyntes)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhsyntes%2Fauthentication-authorization-security","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhsyntes%2Fauthentication-authorization-security","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhsyntes%2Fauthentication-authorization-security/lists"}