https://github.com/haripatel07/nodejs-auth-system

A secure and professional Node.js + Express.js Authentication API with JWT, role-based access control, and password reset functionality.

# Authentication System API

This repository is a deployment-ready authentication API built with Node.js, Express, and MongoDB. It includes user registration, JWT authentication, role-based access control, and password reset functionality.

## Key Features

* User registration and login secured with `bcrypt` password hashing.
* JWT authentication using `jsonwebtoken` with token expiration support.
* Role-based access control (`user`, `admin`) for protected routes.
* Password reset via secure, time-limited reset tokens.
* Centralized error handling and environment-based configuration.
* MongoDB data persistence with `mongoose`.

## Architecture Overview

* `server.js`: Application entry point and route registration.
* `src/routes/authRoutes.js`: Authentication and authorization endpoints.
* `src/controllers/authController.js`: Request handling for auth operations.
* `src/middleware/authMiddleware.js`: JWT verification and protected route enforcement.
* `src/middleware/roleMiddleware.js`: Role-based authorization guard.
* `src/models/User.js`: User schema, password hashing, and role definition.
* `src/config/db.js`: MongoDB connection logic.

## Environment Variables

The application depends on the following environment variables:

* `PORT` - application port, default is `3000`.
* `NODE_ENV` - runtime environment (`development` or `production`).
* `MONGO_URI` - MongoDB connection string.
* `JWT_SECRET` - secret used to sign JWT tokens.
* `JWT_ACCESS_EXPIRY` - access token lifetime (for example `15m`).
* `JWT_EXPIRES_IN` - fallback value for JWT expiry if access expiry is not set.
* `BCRYPT_ROUNDS` - number of salt rounds for password hashing.
* `JWT_REFRESH_EXPIRY` - optional refresh token lifetime when refresh token support is added.

## Getting Started

### Local Setup

1. Install dependencies:

```bash
npm install
```

2. Copy the example environment file:

```bash
cp .env.example .env
```

3. Update `.env` with your MongoDB connection string and secrets.

4. Start the server:

```bash
npm start
```

The API will be available at `http://localhost:3000` when `PORT=3000` is configured.

## Docker Deployment

### Build and run with Docker

```bash
docker build -t auth-system .
docker run --env-file .env -p 3000:3000 auth-system
```

### Run with Docker Compose

```bash
docker-compose up --build
```

The `docker-compose.yml` file starts the application and a MongoDB database with persistent storage.

## API Endpoints

### Public Routes

| Method | Endpoint | Description |
| :----- | :----------------------------- | :-------------------------------------------- |
| `POST` | `/api/auth/register` | Register a new user. |
| `POST` | `/api/auth/login` | Authenticate and receive a JWT. |
| `POST` | `/api/auth/forgotpassword` | Request a password reset token. |
| `PUT` | `/api/auth/resetpassword/:resettoken` | Reset password using a reset token. |

### Protected Routes

| Method | Endpoint | Description |
| :----- | :---------------------- | :----------------------------------------- |
| `GET` | `/api/auth/profile` | Return authenticated user profile. |
| `GET` | `/api/auth/admin` | Access admin-only resources. |

Protected endpoints require an `Authorization` header carrying the JWT as a Bearer token (`<token>` is the value returned by `/api/auth/login`):

```http
Authorization: Bearer <token>
```

## Deployment Notes

* Point `MONGO_URI` at the `db` service when deploying with Docker Compose.
* Keep `JWT_SECRET` secure and do not commit `.env` to source control.
* Use production-ready values for `BCRYPT_ROUNDS` and token expiry times.

## Supported Roles

* `user` - standard authenticated user.
* `admin` - elevated privileges for admin-only routes.

## License

This project is released under the MIT License.