https://github.com/4ssh1/url-shortener-api
A high-performance, secure URL shortener and analytics API built with TypeScript, Express, and MongoDB. It features sliding-window token management, non-blocking background click logging optimized for minimal computing overhead and fast link redirects.
https://github.com/4ssh1/url-shortener-api
expressjs nodejs security-hardening sliding-window typescript url-shortener
Last synced: about 1 month ago
JSON representation
A high-performance, secure URL shortener and analytics API built with TypeScript, Express, and MongoDB. It features sliding-window token management, non-blocking background click logging optimized for minimal computing overhead and fast link redirects.
- Host: GitHub
- URL: https://github.com/4ssh1/url-shortener-api
- Owner: 4ssh1
- License: mit
- Created: 2026-05-12T11:51:50.000Z (2 months ago)
- Default Branch: main
- Last Pushed: 2026-05-25T11:54:10.000Z (about 2 months ago)
- Last Synced: 2026-05-25T13:33:21.304Z (about 2 months ago)
- Topics: expressjs, nodejs, security-hardening, sliding-window, typescript, url-shortener
- Language: TypeScript
- Homepage: https://documenter.getpostman.com/view/40852797/2sBXqQHJno
- Size: 380 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# URL Shortener & Analytics API
A production-grade, high-performance, and secure URL shortening microservice built with Node.js, Express, TypeScript, and MongoDB. This platform is designed to handle high-traffic link redirection with sub-millisecond tracking analytics while keeping the core database healthy and protected against common vulnerabilities.
**Frontend repo: https://github.com/4ssh1/url-shortener**
## 2. High-Level Architecture
The system is built using a clean, layered architectural pattern that separates how data travels, how business logic is executed, and how data is stored.
```
[ Client Request ]
│
▼
┌────────────────────────────────────────────────────────┐
│ 1. Security & Routing Layer │
│ - Global Protection (Helmet, CORS, Rate Limiters) │
│ - Session Guards (Access & Refresh Middleware) │
└────────────────────────────────────────────────────────┘
│
▼
┌────────────────────────────────────────────────────────┐
│ 2. Controller Layer (Traffic Control) │
│ - Extracts data & handles HTTP responses │
│ - Enforces input safety shapes via Zod schemas │
└────────────────────────────────────────────────────────┘
│
▼
┌────────────────────────────────────────────────────────┐
│ 3. Service Layer (Core Business Logic) │
│ - Orchestrates data operations │
│ - Triggers non-blocking background workers │
└────────────────────────────────────────────────────────┘
│
▼
┌────────────────────────────────────────────────────────┐
│ 4. Database Layer (MongoDB Atlas) │
│ - Structured Document Storage │
│ - Specialized performance indexes │
└────────────────────────────────────────────────────────┘
```
By ensuring that each layer has exactly one job, the codebase avoids redundancy (keeping it **DRY** — Don't Repeat Yourself). For instance, validation happens entirely before the core logic runs, meaning the service layer can trust the data implicitly without repeating safety checks.
## 🛠️ Technologies Used
- **Language**: TypeScript
- **Runtime Environment**: Node.js
- **Web Framework**: Express.js
- **Database**: MongoDB (via Mongoose ODM)
- **Data Validation**: Zod
- **Security & Middleware**: Helmet, CORS, Cookie-Parser, Compression
- **Logging & Telemetry**: Pino (with Pino-Abstract / Logtail transports)
- **Cryptography**: Node.js Native Crypto Module, JSON Web Tokens (JWT)
## End-to-End Breakdown
### 1. The Secure Session Lifespan
To keep users securely logged in without ruining application performance, the platform splits authentication into a **dual-token system**:
- **Short-Lived Access Key**: Used for rapid access to private features. Expires in **15 minutes**.
- **Long-Lived Refresh Key**: Locked safely inside the browser's memory using a secure `httpOnly` cookie that JavaScript cannot read.
When a user interacts with their dashboard, the server runs a **Sliding Window** check. Instead of writing to the database every single time, the system reads from a lightweight memory cache. It only performs a hard database rewrite to extend the session if the refresh key is nearing its actual expiration date.
### 2. High-Speed Redirection & Fire-and-Forget Analytics
The primary job of a URL shortener is to redirect instantly. To eliminate any delay:
- A visitor clicks the short link.
- The server instantly increments the counter and issues the redirect.
- In the background (completely hidden from the user), a separate micro-task logs deep metadata: device type (User-Agent), origin source (Referer), and connection timestamp.
### 3. Bulletproof Password Recovery
Instead of using complex JWTs, the system generates an **unguessable, cryptographically secure random identifier**. This single-use token is stored with a strict **10-minute expiration** on the account document. Once used, it is completely removed from the system, preventing token reuse or overlapping reset attempts.
## Critical Engineering Decisions
### Why We Restrict Token Swaps (Sliding Window over Regular Rotation)
While rotating refresh tokens on every request is highly secure, it creates heavy write amplification on the database. The **Sliding Window** approach preserves **90%** of database computing power while maintaining strict security.
### State-Backed Tokens vs. Stateless JWTs for Resets
Using a simple cryptographic string instead of a JWT keeps the system lightweight. Since the server must query the database during password updates anyway, embedding expiration and status checks in the same operation removes unnecessary complexity.
### Intentional State Management for Safe Shutdowns
To handle cloud scaling and deployments safely, the application uses **Process Termination Traps** (`SIGINT`/`SIGTERM`). On shutdown, it:
- Pauses operations
- Flushes pending analytics streams to disk
- Drains connection pools
- Logs out cleanly
This prevents data loss or database corruption during server restarts.