A highly secure, enterprise-grade microservices-based grading ledger and identity management system built for Pamantasan ng Lungsod ng Valenzuela (PLV). This project seamlessly integrates traditional Web2 relational databases with cutting-edge blockchain technology using Hyperledger Fabric, providing immutable audit trails, transparent role-based access control, and cryptographic verification.
Live Demo: BlockGO Portal
- Overview
- Key Features
- System Architecture
- User Roles & Workflows
- Technology Stack
- Quick Start & Deployment
- API Documentation
- Security Highlights
- Troubleshooting
- Production Deployment
- Contributing
Traditional grading systems suffer from critical vulnerabilities:
- Centralized data vulnerability β Single point of failure
- No immutable audit trails β Grades can be altered retroactively
- Limited transparency β Stakeholders can't verify data integrity
- Manual verification bottlenecks β Slow approval workflows
- No cryptographic proof β Disputes difficult to resolve
BlockGO eliminates these issues by creating an immutable, decentralized blockchain ledger where:
- Grades are permanently recorded and cryptographically verified
- All transactions are transparent and auditable across organizations
- Role-based access ensures data security and privacy
- Distributed consensus prevents unauthorized modifications
- Automated workflows reduce approval time from days to minutes
| Feature | Description |
|---|---|
| Immutable Ledger | Grades recorded on Hyperledger Fabric with cryptographic hashing |
| Identity Management | X.509 certificate-based authentication with role-based access control |
| Multi-Organization | 3 independent organizations (Registrar, Faculty, Department) with peer consensus |
| Rich Queries | CouchDB integration for complex grade analytics and reports |
| IPFS Storage | Distributed file system for encrypted grading sheets and documents |
| Microservices | Scalable architecture separating Web2 operations from Web3 blockchain logic |
| Kubernetes Ready | Production-grade K8s deployment with HPA, RBAC, and network policies |
| Enterprise Security | TLS 1.3, JWT auth, bcrypt hashing, ABAC, and full audit logging |
| Multi-User Dashboard | Tailored interfaces for Students, Faculty, Dept admins, and Registrar |
| Automated Workflows | Waitlist β Approval β Enrollment β Grade Issuance β Finalization |
This system utilizes a clean separation of concerns, splitting traditional database orchestration from cryptographic blockchain operations.
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β User Browsers (HTTPS) β
ββββββββββββββββββββββββββ¬βββββββββββββββββββββββββββββββββββββ
β
ββββββββββββββββββΌβββββββββββββββββ
β Nginx Reverse Proxy (443) β
β - Route /api/Auth/ β C# β
β - Route /api/* β Node.js β
β - Serve React Static Files β
ββββββββββββββ¬βββββββββββ¬ββββββββββ
β β
βββββββββββββΌββ ββββΌβββββββββββββββ
β Frontend β β React Portal β
β (Port 80) β β Multi-Role UI β
βββββββββββββββ βββββββββββββββββββ
β β
ββββββββββββββ΄βββββββββββ΄ββββββββββββββ
β Internal Service Network β
ββββββ¬ββββββββββββββββββββββββββ¬βββββββ
β β
ββββββββββΌβββββββ ββββββββββΌβββββββββββ
β ASP.NET Core β β Node.js Bridge β
β (Port 5000) β β (Port 4000) β
β β β β
β - PostgreSQL β β - Fabric SDK β
β - Waitlist β β - Cryptography β
β - Auth Logic β β - JWT Generation β
ββββββββββ¬βββββββ ββββββββββ¬βββββββββββ
β β
ββββββββββΌβββββββββββββββββββββββββΌββββββββββββββββββ
β Hyperledger Fabric Network (Docker/K8s) β
β β
β 3 Organizations: β
β - RegistrarMSP (Orderer + 2 Peers) β
β - FacultyMSP (2 Peers + CouchDB) β
β - DepartmentMSP (2 Peers + CouchDB) β
β β
β - Channel: grades-channel β
β - Chaincode: Go-based Smart Contract (CCaaS) β
β - State DB: CouchDB for rich queries β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
ββββββββββΌβββββββββββββββββββββββ
β Storage & Persistence β
β - PostgreSQL (Activity Logs) β
β - IPFS (Documents, Sheets) β
β - CouchDB (Blockchain State) β
βββββββββββββββββββββββββββββββββ
- Purpose: User interface for Students, Faculty, Department Admins (Dept admins), and the Registrar
- Security: Hosted behind Nginx Reverse Proxy with SSL/TLS encryption
- Authentication: JWT-based authorization with role-based dashboards
- Performance: Static file serving, SPA routing with React Router
- Port: 5000 (Internal)
- Responsibility: Standard Web2 operations
- Database: PostgreSQL (
ActivityLogs, user profiles, organizational hierarchy) - Key Operations:
- User waitlist management
- Department and section assignments
- Account provisioning and deprovisioning
- Coordinating with Node.js middleware for wallet creation
- API Routes:
/api/Auth/*endpoints
- Port: 4000 (Internal)
- Responsibility: Web3 & Cryptography gateway
- Integrations:
- Hyperledger Fabric SDK for chaincode interactions
- X.509 certificate management via Fabric CA
- JWT token generation and validation
- bcrypt password hashing
- CouchDB wallet management
- Key Operations:
- Smart contract transaction submission/queries
- User identity provisioning on blockchain
- Cryptographic signature verification
- Hyperledger Fabric v2.5.4 β 3 organizations with 2 peers each
- Orderer: Kafka-based consensus (RegistrarMSP)
- State Database: CouchDB for rich queries on grade records
- Chaincode: Go-based smart contract running as a Service (CCaaS)
- Storage: IPFS nodes for distributed file/asset storage
- Networking: Docker network (dev) or K8s services (production)
The Nginx container (nginx-shield) acts as the single entry point for all incoming HTTP traffic. It intelligently routes requests to the appropriate backend microservice and enforces modern TLS security standards.
Configuration: middleware/nginx/nginx.conf
worker_processes 1;
events {
worker_connections 1024;
}
http {
# Service discovery via Docker DNS
upstream client_app_backend { server client-app:5000; }
upstream middleware_backend { server middleware:4000; }
# HTTP β HTTPS redirect
server {
listen 80;
server_name localhost;
return 301 https://$host$request_uri;
}
# HTTPS server with modern TLS
server {
listen 443 ssl;
server_name localhost;
ssl_certificate /etc/nginx/ssl/localhost.crt;
ssl_certificate_key /etc/nginx/ssl/localhost.key;
# Security enhancements
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
# Route Web2 authentication to C#
location /api/Auth/ {
proxy_pass http://client_app_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# Route Web3 operations to Node.js
location /api/ {
proxy_pass http://middleware_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# Serve React SPA
location / {
root /usr/share/nginx/html;
index index.html index.htm;
try_files $uri $uri/ /index.html;
}
}
}Responsibilities:
- Waitlist Management β Approves newly registered users (Students, Faculty, Staff)
- Department Admin Assignment β Routes approved admins to specific colleges
- Faculty Assignment β Routes approved faculty to departments/sections/year levels
- Student Assignment β Routes approved students to departments/sections
- Grade Finalization β Commits approved grades permanently to blockchain
Responsibilities:
- Enrollment β Reviews students assigned by Registrar and officially enrolls them
- Grade Verification β Reviews faculty grades and approves them for Registrar finalization
- Department Reports β Views aggregate performance metrics and student records
Responsibilities:
- Grade Issuance β Creates new grade records using
IssueGradesmart contract - Limited Visibility β Sees only their issued grades and department-related records
- Grade Management β Can modify unfinalized grades before Dept admin approval
Responsibilities:
- View Grades β Has strictly limited access to view only finalized grades
- Receive Notifications β Alerts when grades are issued and finalized
- Framework: React.js (SPA with Router)
- Communication: Axios with JWT interceptors
- UI/UX: Responsive design, role-based dashboards
- State Management: React Context API / Redux
| Component | Stack |
|---|---|
| Web2 Orchestrator | ASP.NET Core 8.0, C#, Entity Framework |
| Web3 Bridge | Node.js, Express.js, Hyperledger Fabric SDK |
| Databases | PostgreSQL (relational), CouchDB (state), IPFS (distributed) |
- Framework: Hyperledger Fabric v2.5.4
- Chaincode: Go Language (CCaaS)
- PKI: X.509 certificates, Fabric Certificate Authority
- Hashing: bcrypt (passwords), SHA-256 (transactions)
- Authentication: JWT (stateless), mTLS (service-to-service)
- Containerization: Docker, Docker Compose
- Orchestration: Kubernetes v1.24+, Helm (optional)
- Networking: Nginx reverse proxy, Docker DNS, K8s ingress
- Monitoring: Kubernetes native (kubectl logs, metrics-server)
- OS: Ubuntu/Debian (or WSL2 on Windows)
- Container Runtime: Docker & Docker Compose (v20+)
- Runtime Environments: Node.js (v20+), .NET 8.0 SDK
- CLI Tools: kubectl (if deploying to Kubernetes)
- Resources: 8GB+ RAM, 20GB+ disk space
git clone https://github.com/Pat-asc/Capstone-Project-BlockChain-BlockGo.git
cd Capstone-Project-BlockChain-BlockGoCreate network/.env with required secrets:
cd network
cat > .env << 'EOF'
JWT_SECRET=your-super-secret-jwt-key-min-32-chars
INTERNAL_API_KEY=your-internal-api-key-for-service-auth
POSTGRES_PASS=secure-postgres-password-here
BOOTSTRAP_REGISTRAR_PASS=fabric-ca-admin-password
IPFS_ENCRYPTION_KEY=32character-encryption-key!
MOCK_REGISTRAR_PASS=initial-registrar-login-password
EOF
chmod 600 .envchmod +x full_deploy.sh
./full_deploy.shThis script will:
- Install dependencies (Node.js packages, .NET assemblies)
- Generate secure X.509 certificates
- Build Hyperledger Fabric network (3 orgs, 2 peers each)
- Start all Docker containers
- Initialize the blockchain channel
Expected output:
OK Network deployed successfully!
OK Fabric channel 'grades-channel' created
OK Chaincode installed and instantiated
OK Services running on:
- Frontend: http://localhost
- API: http://localhost/api
- Middleware: http://localhost:4000 (internal)
Because the system has a strict waitlist (to prevent unauthorized admin creation), the initial Registrar must be bootstrapped:
curl -X GET http://localhost/api/bootstrap \
-H "x-api-key: $INTERNAL_API_KEY"Response:
{
"success": true,
"message": "Registrar bootstrapped successfully",
"user": "registrar@plv.edu.ph"
}Navigate to http://localhost in your browser and log in:
| Field | Value |
|---|---|
registrar@plv.edu.ph |
|
| Password | [Your MOCK_REGISTRAR_PASS from .env] |
Success! You now have full access to the BlockGO system.
POST /api/Auth/request
Content-Type: application/json
{
"email": "student@plv.edu.ph",
"fullName": "Juan Dela Cruz",
"role": "STUDENT"
}Response:
{
"id": "uuid-123",
"email": "student@plv.edu.ph",
"status": "PENDING",
"createdAt": "2026-06-08T10:00:00Z"
}PUT /api/Auth/requests/{id}/approve
Authorization: Bearer <JWT_TOKEN>
Content-Type: application/json
{
"departmentId": "dept-123",
"sectionId": "section-456"
}Workflow Behind the Scenes:
- ASP.NET Core updates PostgreSQL status to
APPROVED - C# calls Node.js
/api/fabric/register-user - Node.js registers user with Fabric CA
- Certificate downloaded and saved to wallet
- User can now authenticate and access blockchain
POST /api/grades/issue
Authorization: Bearer <JWT_TOKEN>
Content-Type: application/json
{
"studentId": "student-123",
"courseId": "course-789",
"grade": "1.5",
"semester": "2nd",
"academicYear": "2025-2026"
}PUT /api/grades/{gradeId}/approve
Authorization: Bearer <JWT_TOKEN>
Content-Type: application/json
{
"approved": true,
"remarks": "Grade verified against rubric"
}PUT /api/grades/{gradeId}/finalize
Authorization: Bearer <JWT_TOKEN>
Content-Type: application/jsonResponse: Grade is now immutable on blockchain
- JWT-based stateless authentication
- Role-Based Access Control (RBAC) at API level
- Attribute-Based Access Control (ABAC) for fine-grained permissions
- X.509 certificate validation for Fabric interactions
- TLS 1.3 encryption in transit
- AES-256 encryption for IPFS stored files
- bcrypt password hashing (salt + rounds)
- Immutable blockchain ledger (cryptographic hashing)
- Nginx reverse proxy with WAF capabilities
- mTLS between microservices
- Network segmentation (Docker bridge / K8s network policies)
- API key authentication for internal service-to-service calls
- Complete transaction audit trail on blockchain
- PostgreSQL activity logs with timestamps
- User action logging (who, what, when)
- Regulatory compliance ready (FERPA, GDPR)
Capstone-Project-BlockChain-BlockGo/
β
βββ README.md # This file
βββ Guide.md # Detailed System Architecture & DFDs
β
βββ chaincode/ # Hyperledger Fabric Smart Contract
β βββ grades.go # Main chaincode logic
β βββ models.go # Data structures
β βββ go.mod # Dependencies
β
βββ client-app/ # C# ASP.NET Core Backend
β βββ Controllers/
β β βββ AuthController.cs # Authentication & waitlist
β β βββ GradesController.cs # Grade operations
β β βββ AdminController.cs # Admin functions
β βββ Models/ # Entity models
β βββ Services/ # Business logic
β βββ appsettings.json # Configuration & DB connection
β βββ Startup.cs # DI & middleware setup
β
βββ frontend/ # React.js UI Portal
β βββ public/
β β βββ index.html
β βββ src/
β β βββ components/
β β β βββ Dashboard.jsx
β β β βββ LoginForm.jsx
β β β βββ GradesList.jsx
β β β βββ AdminPanel.jsx
β β βββ pages/
β β βββ api.js # Axios API wrapper
β β βββ App.jsx
β β βββ index.js
β βββ package.json
β βββ .env.example
β
βββ middleware/ # Node.js Blockchain Bridge
β βββ middleware.js # Express app & API routes
β βββ enrollAdmin.js # Admin enrollment logic
β βββ fabricInteraction.js # Fabric SDK integration
β βββ cryptoUtils.js # Hashing, JWT generation
β βββ walletManager.js # CouchDB wallet operations
β βββ nginx/
β β βββ nginx.conf # Reverse proxy configuration
β β βββ ssl/ # SSL certificates
β βββ package.json
β βββ middleware.log # Runtime logs
β
βββ network/ # Deployment & Configuration
β βββ docker-compose.yml # Complete container orchestration
β βββ full_deploy.sh # Automated deployment script
β βββ cleanup.ps1 # Environment reset utility
β βββ backup_postgres.sh # Database backup script
β β
β βββ crypto-config/ # X.509 certificates (auto-generated)
β β βββ ordererOrganizations/
β β βββ peerOrganizations/
β β
β βββ fabric-ca/ # Certificate Authority configs
β β βββ registrar-ca/
β β βββ faculty-ca/
β β βββ department-ca/
β β
β βββ channel-artifacts/ # Genesis & channel configs
β β βββ genesis.block
β β βββ grades-channel.tx
β β
β βββ k8s/ # Kubernetes deployment files
β βββ 01-namespace.yaml
β βββ 02-configmap-secret.yaml
β βββ 03-postgres.yaml
β βββ 04-fabric-ca.yaml
β βββ 05-fabric-peer.yaml
β βββ 06-middleware-api.yaml
β βββ 07-ipfs.yaml
β βββ 08-ingress.yaml
β βββ init-channel.sh
β βββ install-chaincode.sh
β βββ README.md # K8s deployment guide
β
βββ .gitignore
βββ .env.example # Environment template
βββ LICENSE
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Complete Registration Flow β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
1. SIGNUP REQUEST
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Student opens React app β Fills registration form β
β Frontend: POST /api/Auth/request β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Nginx routes /api/Auth/* β ASP.NET Core (5000) β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β C# calls Node.js POST /api/crypto/hash-password β
β Node.js computes bcrypt hash, returns to C# β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β C# saves user to PostgreSQL with status=PENDING β
β User appears in Registrar's waitlist β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
2. REGISTRAR APPROVAL
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Registrar reviews pending users in dashboard β
β Clicks "Approve" on student record β
β Frontend: PUT /api/Auth/requests/{id}/approve β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Nginx routes β C# Backend updates PostgreSQL β
β Status: PENDING β APPROVED β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β C# sends POST to Node.js: /api/fabric/register-userβ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Node.js uses Fabric SDK to: β
β - Contact ca.registrar.capstone.com (Fabric CA) β
β - Register user and get X.509 certificate β
β - Download certificate + private key β
β - Save to local /wallet (CouchDB) β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β C# sends welcome email to student β
β Student can now log in with registered credentials β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
3. USER LOGIN & BLOCKCHAIN ACCESS
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Student logs in with email + password β
β Frontend: POST /api/Auth/login β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β C# validates credentials against PostgreSQL β
β If valid, calls Node.js: /api/crypto/generate-jwt β
β Node.js returns signed JWT token β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Frontend stores JWT in localStorage β
β All subsequent API calls include JWT header β
β Authorization: Bearer <JWT_TOKEN> β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Student can now query grades from blockchain β
β Node.js retrieves from Fabric ledger via CouchDB β
β Only returns grades student is authorized to see β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
# View all running containers
docker ps -a
# Check Fabric network status
docker compose -f network/docker-compose.yml ps
# View specific service logs
docker logs blockgo-middleware -f
docker logs blockgo-postgres -f
docker logs blockgo-orderer -fNode.js Middleware:
cd middleware
tail -f middleware.logC# Backend (Serilog):
cd client-app
ls -la logs/
tail -f logs/*.txtFabric Chaincode Container:
docker logs registrar-chaincode -f# Find process using port
sudo lsof -i :80
sudo lsof -i :443
# Kill process
sudo kill -9 <PID># Restart network with clean state
cd network
./cleanup.ps1 # or bash cleanup.sh on Linux
./full_deploy.sh# Verify PostgreSQL is running
docker logs blockgo-postgres
# Check credentials in appsettings.json
cat client-app/appsettings.json | grep ConnectionString
# Manually test connection
psql -h localhost -U BLOCKGO -d ActivityLogs# Restart Nginx proxy
docker compose restart nginx-shield
# Clear browser cache
# Or hard refresh: Ctrl+Shift+R (or Cmd+Shift+R on Mac)# Check wallet directory
ls -la middleware/wallet/
# Re-enroll admin
cd middleware && node enrollAdmin.js
# Verify Fabric CA is running
docker logs fabric-caCreate Backup:
cd network
chmod +x backup_postgres.sh
./backup_postgres.sh
# Creates: backups/db_backup_YYYY-MM-DD_HH-MM-SS.sqlRestore Backup:
docker compose exec blockgo-postgres psql -U BLOCKGO -d ActivityLogs < backups/db_backup_latest.sql# CPU/Memory usage
docker stats
# Fabric peer metrics
docker exec blockgo-peer0 peer node status
# Channel info
docker exec blockgo-peer0 peer channel getinfo -c grades-channelCONFIDENTIAL
- Kubernetes cluster (v1.24+)
kubectlconfigured and connected- Helm (optional, for package management)
- 4+ CPU cores, 16GB+ RAM
-
Secrets Management
- Use HashiCorp Vault instead of K8s Secrets
- Rotate credentials regularly
- Enable encryption at rest (etcd encryption)
-
Network Security
- Enable network policies (deny-all by default)
- Restrict ingress to necessary ports only
- Use service mesh (Istio/Linkerd) for mTLS
-
Monitoring & Logging
- Deploy Prometheus + Grafana for metrics
- Setup ELK stack (Elasticsearch, Logstash, Kibana) for centralized logging
- Enable audit logging for all blockchain transactions
-
High Availability
- Deploy Fabric orderers as StatefulSet with 3+ replicas
- Configure peer anti-affinity rules
- Setup database replication (PostgreSQL streaming replication)
- Use PodDisruptionBudgets for graceful scaling
-
Backup & Disaster Recovery
- Automated daily backups to cloud storage (S3, GCS, etc.)
- Test recovery procedures monthly
- Document RTO (Recovery Time Objective) & RPO (Recovery Point Objective)
# Install dependencies
cd frontend && npm install
cd ../client-app && dotnet restore
cd ../middleware && npm install# Backend tests
cd client-app && dotnet test
# Chaincode tests
cd chaincode && go test ./...
# Frontend tests
cd frontend && npm testThis project is licensed under the MIT License β see LICENSE file for details.
- Documentation: See Guide.md for detailed architecture
- Report Issues: GitHub Issues
- Discussions: GitHub Discussions
- Email: pascualpatrick264@gmail.com
- Pamantasan ng Lungsod ng Valenzuela (PLV) β Institution Partner
- Hyperledger Fabric β Blockchain Framework
- The Open Source Community β For amazing tools and libraries
Last Updated: June 8, 2026
Status: Production Ready
Version: 1.0.0
Project architecture designed and maintained for robust security, immutable auditing, and strict attribute-based access control (ABAC).