{"id":21662520,"url":"https://github.com/medhatnasra/blog","last_synced_at":"2026-04-18T09:36:21.756Z","repository":{"id":261929410,"uuid":"885737235","full_name":"medhatnasra/blog","owner":"medhatnasra","description":"A secure Blog API built with Node.js and Express, featuring JWT-based authentication with HttpOnly cookies for enhanced security. Includes user, post, and comment management with role-based access control and protections against XSS and CSRF attacks, making it ideal for a secure blogging platform.","archived":false,"fork":false,"pushed_at":"2024-11-09T14:57:32.000Z","size":1387,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-20T05:47:52.758Z","etag":null,"topics":["article-management","blog","blogging","httponly-cookie","jwt-authentication"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/medhatnasra.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-11-09T09:02:32.000Z","updated_at":"2024-11-09T15:01:20.000Z","dependencies_parsed_at":"2024-11-09T10:32:30.970Z","dependency_job_id":"d4c3fe62-013f-44dd-b1d4-ade9ee1dd396","html_url":"https://github.com/medhatnasra/blog","commit_stats":null,"previous_names":["medhatnasra/blog"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/medhatnasra/blog","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/medhatnasra%2Fblog","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/medhatnasra%2Fblog/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/medhatnasra%2Fblog/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/medhatnasra%2Fblog/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/medhatnasra","download_url":"https://codeload.github.com/medhatnasra/blog/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/medhatnasra%2Fblog/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31964290,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-18T00:39:45.007Z","status":"online","status_checked_at":"2026-04-18T02:00:07.018Z","response_time":103,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["article-management","blog","blogging","httponly-cookie","jwt-authentication"],"created_at":"2024-11-25T10:16:42.627Z","updated_at":"2026-04-18T09:36:16.739Z","avatar_url":"https://github.com/medhatnasra.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003ch2\u003eAuthentication System\u003c/h2\u003e\n\n\u003cp\u003eThe authentication system of this project is designed with a strong emphasis on security, leveraging industry-standard practices to ensure both user privacy and the integrity of their sessions.\u003c/p\u003e\n\n\u003ch3\u003eKey Features:\u003c/h3\u003e\n\u003col\u003e\n  \u003cli\u003e\u003cstrong\u003eJWT-based Authentication:\u003c/strong\u003e  \n    At the core of the authentication system is the use of \u003cstrong\u003eJSON Web Tokens (JWT)\u003c/strong\u003e. This stateless mechanism allows the server to securely verify user identities while maintaining scalability. Once logged in, users are issued a JWT that contains the necessary claims to validate their session without needing to store any session data on the server side.\n  \u003c/li\u003e\n  \u003cli\u003e\u003cstrong\u003eHttpOnly Cookies for Enhanced Security:\u003c/strong\u003e  \n    To mitigate the risk of \u003cstrong\u003eCross-Site Scripting (XSS)\u003c/strong\u003e attacks, the system uses \u003cstrong\u003eHttpOnly cookies\u003c/strong\u003e for storing the authentication token. These cookies are \u003cstrong\u003einaccessible to JavaScript\u003c/strong\u003e running in the browser, making them less susceptible to malicious scripts attempting to steal sensitive information.  \n    This secure storage mechanism is complemented by the use of \u003cstrong\u003eSecure\u003c/strong\u003e and \u003cstrong\u003eSameSite\u003c/strong\u003e cookie attributes to enforce stricter security measures. With the \u003cstrong\u003eSecure\u003c/strong\u003e flag enabled, cookies are only sent over \u003cstrong\u003eHTTPS\u003c/strong\u003e connections, ensuring data is encrypted in transit. The \u003cstrong\u003eSameSite\u003c/strong\u003e attribute prevents cookies from being sent with cross-site requests, protecting the system from \u003cstrong\u003eCross-Site Request Forgery (CSRF)\u003c/strong\u003e attacks.\n  \u003c/li\u003e\n  \u003cli\u003e\u003cstrong\u003eRefresh Tokens for Extended Sessions:\u003c/strong\u003e  \n    To provide users with an optimal experience while maintaining security, the system implements a \u003cstrong\u003erefresh token\u003c/strong\u003e mechanism. This ensures that users stay logged in for extended periods without having to frequently reauthenticate. Once the \u003cstrong\u003eaccess token\u003c/strong\u003e expires, the system automatically issues a new one using the stored refresh token, reducing the likelihood of users being logged out unexpectedly.\n  \u003c/li\u003e\n  \u003cli\u003e\u003cstrong\u003eJWT Expiry and Token Revocation:\u003c/strong\u003e  \n    JWTs have a built-in expiration time, ensuring that authentication tokens are automatically invalidated after a predefined period. Additionally, the system supports token revocation if needed, allowing administrators to invalidate any active tokens in case of suspicious activity or a security breach.\n  \u003c/li\u003e\n\u003c/ol\u003e\n\n\u003ch3\u003eHow It Works:\u003c/h3\u003e\n\u003cul\u003e\n  \u003cli\u003e\u003cstrong\u003eUser Login:\u003c/strong\u003e  \n    When users provide valid credentials (username and password), the system authenticates them and issues an access token and refresh token. The access token is sent back to the client in an HttpOnly cookie, and the refresh token can be stored securely on the client or sent to the server for further processing.\n  \u003c/li\u003e\n  \u003cli\u003e\u003cstrong\u003eUser Session:\u003c/strong\u003e  \n    During the user's session, the access token is automatically included in the request headers for API calls to authenticate the user. The system checks the validity of the token before allowing any operations to be performed.\n  \u003c/li\u003e\n  \u003cli\u003e\u003cstrong\u003eToken Renewal:\u003c/strong\u003e  \n    When the access token expires, the refresh token is used to request a new access token from the server. The server checks the validity of the refresh token and issues a new access token, extending the session without requiring the user to log in again.\n  \u003c/li\u003e\n\u003c/ul\u003e\n\n\u003ch3\u003eSecurity Benefits:\u003c/h3\u003e\n\u003cul\u003e\n  \u003cli\u003e\u003cstrong\u003eProtection Against XSS:\u003c/strong\u003e  \n    Storing the JWT token in HttpOnly cookies ensures that it is not accessible by client-side JavaScript, making it less vulnerable to attacks like \u003cstrong\u003eCross-Site Scripting (XSS)\u003c/strong\u003e.\n  \u003c/li\u003e\n  \u003cli\u003e\u003cstrong\u003eProtection Against CSRF:\u003c/strong\u003e  \n    By using the \u003cstrong\u003eSameSite\u003c/strong\u003e cookie attribute, the system mitigates the risk of \u003cstrong\u003eCross-Site Request Forgery (CSRF)\u003c/strong\u003e attacks, which attempt to exploit a user's authenticated session.\n  \u003c/li\u003e\n  \u003cli\u003e\u003cstrong\u003eEfficient Token Handling:\u003c/strong\u003e  \n    The use of \u003cstrong\u003eJWTs\u003c/strong\u003e allows for \u003cstrong\u003estateless authentication\u003c/strong\u003e, reducing the risk of server-side session hijacking and improving system scalability. Furthermore, by using short-lived access tokens and refresh tokens for long-term session maintenance, the system ensures that tokens remain valid only for the necessary period.\n  \u003c/li\u003e\n\u003c/ul\u003e\n\n\u003cp\u003eWith this secure and scalable authentication system, users can have peace of mind knowing that their data is protected while enjoying a seamless, long-lasting session experience.\u003c/p\u003e\n\u003ch2\u003eBlog API Documentation\u003c/h2\u003e\n\n\u003cp\u003eThis API allows users to interact with a blog platform by providing routes for authentication, user management, post management, and comments. The system uses \u003cstrong\u003eJWT-based authentication\u003c/strong\u003e with \u003cstrong\u003eHttpOnly cookies\u003c/strong\u003e to ensure high security against \u003cstrong\u003eXSS\u003c/strong\u003e and \u003cstrong\u003eCSRF attacks\u003c/strong\u003e.\u003c/p\u003e\n\n\u003ch3\u003eAuthentication Routes\u003c/h3\u003e\n\u003cp\u003e\u003cstrong\u003eFile:\u003c/strong\u003e \u003ccode\u003eauthRoute.js\u003c/code\u003e\u003c/p\u003e\n\u003cul\u003e\n  \u003cli\u003e\u003ccode\u003ePOST /api/register\u003c/code\u003e - Register a new user.\u003c/li\u003e\n  \u003cli\u003e\u003ccode\u003ePOST /api/login\u003c/code\u003e - Authenticate a user and issue JWT tokens.\u003c/li\u003e\n  \u003cli\u003e\u003ccode\u003ePOST /api/logout\u003c/code\u003e - Log out the user by clearing cookies.\u003c/li\u003e\n  \u003cli\u003e\u003ccode\u003ePOST /api/refreshtoken\u003c/code\u003e - Refresh the access token using a refresh token.\u003c/li\u003e\n  \u003cli\u003e\u003ccode\u003eGET /api/auth/verify\u003c/code\u003e - Verify the JWT token and provide user information if authenticated.\u003c/li\u003e\n\u003c/ul\u003e\n\n\u003ch4\u003eSecurity\u003c/h4\u003e\n\u003cp\u003eAll authentication routes use \u003cstrong\u003eJWTs stored in HttpOnly cookies\u003c/strong\u003e for enhanced security. This prevents the tokens from being accessible to JavaScript, reducing the risk of token theft through XSS attacks.\u003c/p\u003e\n\n\u003chr\u003e\n\n\u003ch3\u003eUser Routes\u003c/h3\u003e\n\u003cp\u003e\u003cstrong\u003eFile:\u003c/strong\u003e \u003ccode\u003euserRoute.js\u003c/code\u003e\u003c/p\u003e\n\u003cul\u003e\n  \u003cli\u003e\u003ccode\u003ePUT /api/user/profile/:id\u003c/code\u003e - Update a user’s profile information.\u003c/li\u003e\n  \u003cli\u003e\u003ccode\u003eGET /api/user/profile/:id\u003c/code\u003e - Retrieve information for a specific user profile.\u003c/li\u003e\n  \u003cli\u003e\u003ccode\u003eGET /api/user/profile\u003c/code\u003e - Get a list of all user profiles (Admin access only).\u003c/li\u003e\n  \u003cli\u003e\u003ccode\u003ePOST /api/user/profile/upload-photo\u003c/code\u003e - Upload a user’s profile photo.\u003c/li\u003e\n\u003c/ul\u003e\n\n\u003ch4\u003eSecurity\u003c/h4\u003e\n\u003cp\u003eEach user route is protected with \u003cstrong\u003erole-based access control\u003c/strong\u003e to restrict certain actions based on user roles. Admins have additional permissions to access or modify all user profiles, whereas regular users can only access and update their own profiles.\u003c/p\u003e\n\n\u003chr\u003e\n\n\u003ch3\u003ePost Routes\u003c/h3\u003e\n\u003cp\u003e\u003cstrong\u003eFile:\u003c/strong\u003e \u003ccode\u003epostRoute.js\u003c/code\u003e\u003c/p\u003e\n\u003cul\u003e\n  \u003cli\u003e\u003ccode\u003eGET /api/post/\u003c/code\u003e - Retrieve a list of posts.\u003c/li\u003e\n  \u003cli\u003e\u003ccode\u003eGET /api/post/:id\u003c/code\u003e - Retrieve details for a specific post.\u003c/li\u003e\n  \u003cli\u003e\u003ccode\u003eGET /api/post/count\u003c/code\u003e - Get the total count of posts.\u003c/li\u003e\n  \u003cli\u003e\u003ccode\u003eDELETE /api/post/:id\u003c/code\u003e - Delete a post.\u003c/li\u003e\n  \u003cli\u003e\u003ccode\u003ePUT /api/post/:id\u003c/code\u003e - Update a post.\u003c/li\u003e\n  \u003cli\u003e\u003ccode\u003ePUT /api/post/like/:id\u003c/code\u003e - Toggle like on a post.\u003c/li\u003e\n  \u003cli\u003e\u003ccode\u003ePUT /api/post/image/:id\u003c/code\u003e - Update the image associated with a post.\u003c/li\u003e\n  \u003cli\u003e\u003ccode\u003ePOST /api/post/\u003c/code\u003e - Create a new post with an optional image.\u003c/li\u003e\n\u003c/ul\u003e\n\n\u003ch4\u003eSecurity\u003c/h4\u003e\n\u003cp\u003eAll post-related routes are protected by \u003cstrong\u003eJWT authentication\u003c/strong\u003e. Only authenticated users can create, like, update, or delete posts. Each action is verified through token validation, ensuring that only authorized users can access or modify posts.\u003c/p\u003e\n\n\u003chr\u003e\n\n\u003ch3\u003eComment Routes\u003c/h3\u003e\n\u003cp\u003e\u003cstrong\u003eFile:\u003c/strong\u003e \u003ccode\u003ecommentRoute.js\u003c/code\u003e\u003c/p\u003e\n\u003cul\u003e\n  \u003cli\u003e\u003ccode\u003ePOST /api/comment/\u003c/code\u003e - Create a new comment on a post.\u003c/li\u003e\n  \u003cli\u003e\u003ccode\u003eGET /api/comment/\u003c/code\u003e - Retrieve all comments (Admin access only).\u003c/li\u003e\n\u003c/ul\u003e\n\n\u003ch4\u003eSecurity\u003c/h4\u003e\n\u003cp\u003eComments are protected by \u003cstrong\u003eJWT authentication\u003c/strong\u003e. Only authenticated users can post comments, and only admins can retrieve all comments.\u003c/p\u003e\n\n\u003chr\u003e\n\n\u003ch3\u003eMiddleware\u003c/h3\u003e\n\u003cp\u003eThis API includes several middleware functions to enhance security, ensure data integrity, and manage error handling:\u003c/p\u003e\n\u003cul\u003e\n  \u003cli\u003e\u003ccode\u003ehelmet\u003c/code\u003e - Adds security headers to responses.\u003c/li\u003e\n  \u003cli\u003e\u003ccode\u003ecors\u003c/code\u003e - Configured to allow requests from the specified frontend URL.\u003c/li\u003e\n  \u003cli\u003e\u003ccode\u003eexpress.json\u003c/code\u003e - Parses incoming JSON payloads.\u003c/li\u003e\n  \u003cli\u003e\u003ccode\u003exss\u003c/code\u003e - Prevents XSS attacks by sanitizing input data.\u003c/li\u003e\n  \u003cli\u003e\u003ccode\u003ecookieParser\u003c/code\u003e - Parses cookies from incoming requests.\u003c/li\u003e\n\u003c/ul\u003e\n\n\u003ch3\u003eError Handling\u003c/h3\u003e\n\u003cp\u003eThe API has custom error-handling middleware to handle different errors effectively:\u003c/p\u003e\n\u003cul\u003e\n  \u003cli\u003e\u003ccode\u003eerrorNotFoundHandler\u003c/code\u003e - Returns a 404 error for any unknown route.\u003c/li\u003e\n  \u003cli\u003e\u003ccode\u003eerrorHandler\u003c/code\u003e - Manages all other server errors, sending appropriate HTTP status codes and messages.\u003c/li\u003e\n\u003c/ul\u003e\n\n\u003ch3\u003eHow to Start the API\u003c/h3\u003e\n\u003cp\u003eTo start the API, simply run the following command:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003enode index.js\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe server will be running on \u003cstrong\u003elocalhost:4000\u003c/strong\u003e.\u003c/p\u003e\n\u003cp\u003eMake sure to set up the required \u003cstrong\u003eMongoDB connection string\u003c/strong\u003e and \u003cstrong\u003eJWT_SECRET\u003c/strong\u003e in your \u003ccode\u003e.env\u003c/code\u003e file.\u003c/p\u003e\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmedhatnasra%2Fblog","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmedhatnasra%2Fblog","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmedhatnasra%2Fblog/lists"}