A production-ready Node.js REST API with JWT authentication, role-based access control, rate limiting, input validation, audit logging, and interactive Swagger documentation.

- JWT Authentication — Register, login, token refresh, logout with access + refresh tokens
- Role-Based Access — user, moderator, admin roles with middleware guards
- Password Security — bcrypt hashing with configurable rounds
- Rate Limiting — Global + stricter auth endpoint limits
- Input Validation — express-validator on all endpoints
- Audit Logging — Track user actions with IP addresses
- CRUD Operations — Full task management with filtering, pagination, and stats
- User Management — Admin endpoints for listing, updating, deactivating users
- Swagger Docs — Interactive API documentation at /api-docs
- Security Headers — Helmet.js for HTTP security headers
- SQLite Database — Zero-config, file-based with WAL mode
| Component | Technology |
|---|---|
| Runtime | Node.js 18+ |
| Framework | Express.js 4.18 |
| Auth | JWT + bcryptjs |
| Database | SQLite (better-sqlite3) |
| Validation | express-validator |
| Rate Limiting | express-rate-limit |
| Security | Helmet.js, CORS |
| Docs | Swagger UI + swagger-jsdoc |
| Logging | Morgan |
```bash
# Install dependencies
npm install

# Run in development (with auto-reload)
npm run dev

# Run in production
npm start
```
Server starts at http://localhost:3000
Swagger docs at http://localhost:3000/api-docs
| Method | Endpoint | Description | Auth |
|---|---|---|---|
| POST | /api/auth/register | Register new user | No |
| POST | /api/auth/login | Login & get tokens | No |
| POST | /api/auth/refresh | Refresh access token | No |
| GET | /api/auth/me | Get current profile | Yes |
| POST | /api/auth/logout | Revoke tokens | Yes |
| Method | Endpoint | Description | Auth |
|---|---|---|---|
| GET | /api/users | List all users | Admin |
| GET | /api/users/:id | Get user by ID | Owner/Admin |
| PUT | /api/users/:id | Update user | Owner/Admin |
| DELETE | /api/users/:id | Delete user | Admin |
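The role guards described above (user/moderator/admin allow-lists, plus the Owner/Admin rule on `/api/users/:id`) can be written as Express-style middleware like this. This is an added illustration, not the project's own `middleware/auth.js`; it assumes an upstream JWT middleware has already set `req.user = { id, role }`, and the `runGuard` harness and sample identities are constructed for offline testing.

```javascript
// Added example, not the project's own code: Express-style guards for the
// user/moderator/admin roles and the "Owner/Admin" rule on /api/users/:id.
// Assumes an upstream JWT middleware has already set req.user = { id, role }.
const ROLES = ['user', 'moderator', 'admin'];

// Role allow-list guard. Deny by default: 401 without a user, 403 for a
// role not on the list. Unknown role names fail at startup, not per request.
function authorize(...allowed) {
  for (const r of allowed) {
    if (!ROLES.includes(r)) throw new Error(`unknown role in guard: ${r}`);
  }
  return (req, res, next) => {
    if (!req.user) return res.status(401).json({ error: 'Authentication required' });
    if (!allowed.includes(req.user.role)) return res.status(403).json({ error: 'Forbidden' });
    return next();
  };
}

// Owner-or-admin guard. req.params.id is a string while the token carries a
// numeric id, so only an all-digit id is accepted and then converted; anything
// else is a 400 rather than a lenient parseInt that would map "7abc" to 7.
function ownerOrAdmin(req, res, next) {
  if (!req.user) return res.status(401).json({ error: 'Authentication required' });
  const raw = req.params.id;
  if (typeof raw !== 'string' || !/^\d+$/.test(raw)) {
    return res.status(400).json({ error: 'Invalid user id' });
  }
  if (req.user.role === 'admin' || req.user.id === Number(raw)) return next();
  return res.status(403).json({ error: 'Forbidden' });
}

// Tiny harness: runs a guard against stub req/res objects with no server and
// reports whether next() was reached and which status was sent.
function runGuard(guard, user, params = {}) {
  const result = { status: 200, allowed: false, body: undefined };
  const res = {
    status(code) { result.status = code; return this; },
    json(body) { result.body = body; return this; },
  };
  guard({ user, params }, res, () => { result.allowed = true; });
  return result;
}

// Constructed sample identities, not real users.
console.log(runGuard(authorize('admin'), { id: 1, role: 'admin' }).allowed);       // true
console.log(runGuard(authorize('admin'), { id: 2, role: 'user' }).status);         // 403
console.log(runGuard(ownerOrAdmin, { id: 7, role: 'user' }, { id: '7' }).allowed); // true
console.log(runGuard(ownerOrAdmin, { id: 7, role: 'user' }, { id: '8' }).status);  // 403
```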
| Method | Endpoint | Description | Auth |
|---|---|---|---|
| GET | /api/tasks | List user's tasks | Yes |
| GET | /api/tasks/:id | Get task by ID | Yes |
| POST | /api/tasks | Create task | Yes |
| PUT | /api/tasks/:id | Update task | Yes |
| DELETE | /api/tasks/:id | Delete task | Yes |
| GET | /api/tasks/stats/summary | Task statistics | Yes |
```bash
# Register
curl -X POST http://localhost:3000/api/auth/register \
  -H "Content-Type: application/json" \
  -d '{"username":"test","email":"test@test.com","password":"password123"}'

# Login
curl -X POST http://localhost:3000/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"test@test.com","password":"password123"}'

# Create task (use the access token from the login response in place of YOUR_TOKEN)
curl -X POST http://localhost:3000/api/tasks \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -d '{"title":"My first task","priority":"high"}'
```
```text
authshield-api/
├── src/
│   ├── index.js            # Express app setup & server
│   ├── config.js           # Configuration
│   ├── middleware/
│   │   ├── auth.js         # JWT authentication & role authorization
│   │   ├── validate.js     # Input validation handler
│   │   └── audit.js        # Audit logging middleware
│   ├── models/
│   │   └── db.js           # SQLite database setup & schema
│   └── routes/
│       ├── auth.js         # Auth endpoints (register/login/refresh)
│       ├── users.js        # User management (CRUD)
│       └── tasks.js        # Task management (CRUD + stats)
├── package.json
└── .gitignore
```
dev2production.com — We build production-ready software.