- JWT Authentication (Access & Refresh Tokens)
- Login / Logout
- Token Refresh
- Get Current User (`/api/auth/me`)
- Forgot & Reset Password
- Change Password after logging in

- Node.js (v18 or higher) for TypeScript
- MongoDB (local installation or MongoDB Atlas)
- Postman or similar API testing tool
```bash
git clone https://github.com/<your-username>/intern-management-backend.git
cd intern-management-backend
```

Create a `.env` file in the root directory:

```env
PORT=5000
MONGO_URI=mongodb://localhost:27017/intern-management
JWT_SECRET=your_jwt_secret_here_change_this_in_production
JWT_EXPIRES_IN=7d
JWT_ACCESS_SECRET=access_secret_token
JWT_REFRESH_SECRET=refresh_secret_token
NODE_ENV=development
```

⚠️ Security Note: Never commit `.env` files to version control.
```bash
npm run dev
```

Server will run at:

```
http://localhost:5000
```
```js
// Run in MongoDB shell or Compass
db.companies.insertOne({
  name: "Acme Corp",
  status: "active",
  created_at: new Date(),
  updated_at: new Date()
});
```

```js
db.roles.insertOne({
  company_id: ObjectId("COMPANY_ID_FROM_ABOVE"),
  name: "admin",
  permissions: ["*"], // Full access
  created_at: new Date()
});
```

First, generate a bcrypt hash for your password:
```js
db.users.insertOne({
  company_id: ObjectId("COMPANY_ID"),
  role_id: ObjectId("ROLE_ID"),
  email: "admin@acme.com",
  password_hash: "$2b$10$hashed_password_here", // Replace with actual hash
  temp_password: false,
  status: "active",
  created_at: new Date()
});
```

Passwords stored in the database must be bcrypt-hashed. Open a Node REPL:

```bash
node
```

```js
const bcrypt = require("bcrypt");
bcrypt.hash("Admin@123", 12).then(console.log);
```

✔ Output will be something like:

```
$2b$12$uQ9cZVZP1j3r9Yp9bqGJGeYFZp7q2Hk9YkYvPzQ5B6VnLZP2xWk2C
```

📌 Copy this hash and store it as `password_hash` in MongoDB.
```js
db.users.insertOne({
  "company_id": ObjectId("64f000000000000000000001"),
  "role_id": ObjectId("64f000000000000000000002"),
  "email": "admin@acme.com",
  "password_hash": "$2b$12$XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", // insert hashed password here
  "temp_password": false,
  "status": "active",
  "onboarding_status": "approved",
  "created_at": new Date(),
  "updated_at": new Date()
});
```

- Never store plain-text passwords
- Use bcrypt rounds = 12
- Each hash is unique, even for the same password
- For production, never log password hashes
- Endpoint: `POST /api/auth/login`
- Body:
  ```json
  {
    "email": "admin@acme.com",
    "password": "Admin@123"
  }
  ```
- Response: Returns access and refresh tokens, `temp_password`, and user details.

- Endpoint: `GET /api/auth/me`
- Headers: `Authorization: Bearer <ACCESS_TOKEN>`
- Description: Retrieves the authenticated user's profile.

- Endpoint: `POST /api/auth/refresh`
- Body:
  ```json
  {
    "refreshToken": "<REFRESH_TOKEN>"
  }
  ```
- Response: Returns a new access token.

- Endpoint: `POST /api/auth/logout`
- Body:
  ```json
  {
    "refreshToken": "<REFRESH_TOKEN>"
  }
  ```
- Description: Invalidates the refresh token.

- Endpoint: `POST /api/auth/forgot-password`
- Body:
  ```json
  {
    "email": "admin@acme.com"
  }
  ```
- Response: Sends a password reset email (for now, it is printed to the server console instead of being sent).

- Endpoint: `POST /api/auth/reset-password`
- Body:
  ```json
  {
    "token": "<RESET_TOKEN>",
    "password": "NewStrongPass@123"
  }
  ```
- Description: Resets the user's password using the provided reset token (for now, the token is printed to the server console; copy it from there and paste it here).

- Endpoint: `PUT /api/auth/change-password`
- Headers: `Authorization: Bearer <ACCESS_TOKEN>`
- Body:
  ```json
  {
    "currentPassword": "OldPassword@123",
    "newPassword": "NewStrongPassword@123"
  }
  ```
- Description: Allows the authenticated user to change their own password by providing the current password.
- Token Expiry:
  - Access Token: 15 minutes
  - Refresh Token: 7 days