A production-ready healthcare management backend built with Node.js, Express, and MongoDB. This RESTful API powers a comprehensive medical appointment system with features including authentication, video consultations, AI-powered clinical summaries, and real-time chat.
-
Authentication & Authorization
- JWT-based authentication with access and refresh tokens
- Google OAuth 2.0 integration
- Role-based access control (Admin, Doctor, Patient)
- Secure password hashing with bcrypt
-
User Management
- Multi-role user system (Admin, Doctor, Patient)
- Admin dashboard for doctor management
- Profile management with specializations
-
Appointment System
- Patient-initiated appointment booking
- Doctor appointment acceptance/rejection
- Email notifications for appointment updates
- Status tracking (pending, accepted, rejected, completed)
-
Video Consultations
- Agora RTC integration for video calls
- Dynamic token generation for secure calls
- Call history and duration tracking
- Appointment-linked video sessions
-
Clinical Visit Summaries
- Doctor-created visit summaries
- Patient medical history tracking
- Structured clinical data storage
- Visit timeline per patient
-
AI-Powered Features
- GROQ AI integration for intelligent summaries
- Clinical data retrieval and analysis
- Natural language processing for medical records
-
Real-time Chat
- Session-based messaging system
- Doctor-patient communication
- Message history and persistence
- Session management
The MedConnect backend is built on a robust, scalable architecture following RESTful API design principles and microservices patterns. The system is designed to handle healthcare data securely while maintaining high performance and reliability.
The backend follows a layered architecture pattern:
- API Layer: Express.js routes with middleware for authentication and validation
- Controller Layer: Business logic handlers for each domain (auth, appointments, visits, etc.)
- Service Layer: Reusable business services (email, video tokens, AI integration)
- Data Access Layer: Mongoose models with schema validation
- External Integrations:
- Agora.io: Real-time video/audio communication
- Brevo SMTP: Transactional email delivery
- MongoDB Atlas: Cloud database with automatic backups
- Google OAuth: Secure authentication provider
- GROQ AI: Intelligent clinical summaries
- Request Flow: Client β API Gateway β Authentication Middleware β Controller β Service β Database
- Response Flow: Database β Service β Controller β Response Formatter β Client
- Real-time Communication: Client β Agora RTC β Backend Token Service
- Email Notifications: Event Trigger β Email Service β Brevo SMTP β Recipient
For frontend architecture details, see the frontend documentation.
- Node.js >= 14.0.0
- MongoDB >= 4.4
- npm or yarn
- Gmail account (for email notifications)
- Agora account (for video calls)
- GROQ API key (for AI features)
- Google OAuth credentials (for OAuth login)
git clone <repository-url>
cd b2b-backendnpm installCreate a .env file in the root directory. Copy the contents from .env.example:
cp .env.example .envUpdate the .env file with your configuration values. See Environment Variables section for details.
Development mode:
npm run devProduction mode:
npm startThe server will start on http://localhost:5000 (or your configured PORT).
| Variable | Description | Example |
|---|---|---|
NODE_ENV |
Environment mode | development or production |
PORT |
Server port | 5000 |
| Variable | Description | Example |
|---|---|---|
MONGODB_URI |
MongoDB connection string | mongodb://localhost:27017/medconnect_db |
| Variable | Description | Example |
|---|---|---|
JWT_ACCESS_SECRET |
Secret for access tokens (min 32 chars) | your_secure_access_secret_key |
JWT_REFRESH_SECRET |
Secret for refresh tokens (min 32 chars) | your_secure_refresh_secret_key |
JWT_ACCESS_EXPIRY |
Access token expiration | 15m |
JWT_REFRESH_EXPIRY |
Refresh token expiration | 7d |
| Variable | Description | Example |
|---|---|---|
FRONTEND_URL |
Frontend application URL for CORS | http://localhost:3000 |
COOKIE_DOMAIN |
Cookie domain | localhost |
| Variable | Description | How to Get |
|---|---|---|
GOOGLE_CLIENT_ID |
Google OAuth client ID | Google Cloud Console |
GOOGLE_CLIENT_SECRET |
Google OAuth client secret | Google Cloud Console |
GOOGLE_CALLBACK_URL |
OAuth callback URL | http://localhost:5000/api/oauth/google/callback |
| Variable | Description | How to Get |
|---|---|---|
GROQ_API_KEY |
GROQ AI API key | GROQ Console |
| Variable | Description | Example |
|---|---|---|
EMAIL_HOST |
SMTP host | smtp.gmail.com |
EMAIL_PORT |
SMTP port | 587 |
EMAIL_SECURE |
Use TLS | false |
EMAIL_USER |
Gmail address | your-email@gmail.com |
EMAIL_PASSWORD |
Gmail app password | Get from Gmail settings |
EMAIL_FROM_NAME |
Sender name | MedConnect |
EMAIL_FROM_ADDRESS |
Sender email | your-email@gmail.com |
Note: For Gmail, you need to generate an App Password.
| Variable | Description | How to Get |
|---|---|---|
AGORA_APP_ID |
Agora application ID | Agora Console |
AGORA_APP_CERTIFICATE |
Agora app certificate | Agora Console |
http://localhost:5000/api
POST /api/auth/register
Content-Type: application/json
{
"name": "John Doe",
"email": "john@example.com",
"password": "securePassword123",
"role": "patient"
}POST /api/auth/login
Content-Type: application/json
{
"email": "john@example.com",
"password": "securePassword123"
}GET /api/oauth/googlePOST /api/auth/logout
Authorization: Bearer <access_token>POST /api/appointments
Authorization: Bearer <access_token>
Content-Type: application/json
{
"doctorId": "doctor_id",
"date": "2024-01-15",
"time": "10:00",
"reason": "Regular checkup"
}GET /api/appointments/doctor
Authorization: Bearer <access_token>PUT /api/appointments/:id/accept
Authorization: Bearer <access_token>POST /api/visit-summary
Authorization: Bearer <access_token>
Content-Type: application/json
{
"patientId": "patient_id",
"symptoms": "Fever, headache",
"diagnosis": "Common cold",
"prescriptions": ["Rest", "Hydration"],
"notes": "Follow up in 1 week"
}GET /api/patient/visits
Authorization: Bearer <access_token>POST /api/video-calls/generate-token
Authorization: Bearer <access_token>
Content-Type: application/json
{
"channelName": "appointment_123",
"role": "publisher"
}POST /api/chat/sessions
Authorization: Bearer <access_token>
Content-Type: application/json
{
"participantId": "user_id"
}POST /api/chat/sessions/:sessionId/messages
Authorization: Bearer <access_token>
Content-Type: application/json
{
"content": "Hello, Doctor!"
}POST /api/admin/doctors
Authorization: Bearer <access_token>
Content-Type: application/json
{
"name": "Dr. Smith",
"email": "dr.smith@example.com",
"password": "securePassword123",
"specialization": "Cardiology"
}b2b-backend/
βββ src/
β βββ app.js # Application entry point
β βββ config/ # Configuration files
β β βββ db.js # MongoDB connection
β β βββ env.js # Environment variables
β β βββ passport.js # Passport OAuth configuration
β βββ controllers/ # Request handlers
β β βββ auth.controller.js
β β βββ appointment.controller.js
β β βββ visit.controller.js
β β βββ chat.controller.js
β β βββ ...
β βββ models/ # Mongoose schemas
β β βββ user.model.js
β β βββ appointment.model.js
β β βββ visitSummary.model.js
β β βββ chatSession.model.js
β β βββ ...
β βββ routes/ # API routes
β β βββ auth.routes.js
β β βββ appointment.routes.js
β β βββ visit.routes.js
β β βββ ...
β βββ middleware/ # Custom middleware
β β βββ auth.middleware.js
β β βββ error.middleware.js
β βββ services/ # Business logic
β βββ utils/ # Helper functions
βββ .env # Environment variables (git-ignored)
βββ .env.example # Environment template
βββ package.json # Dependencies
βββ README.md # This file
- JWT Authentication: Secure token-based authentication
- Password Hashing: bcrypt with salt rounds
- HTTP-only Cookies: Prevent XSS attacks
- CORS Protection: Configured allowed origins
- Rate Limiting: Request throttling (recommended for production)
- Input Validation: Request data sanitization
- Security Headers: X-Frame-Options, X-Content-Type-Options, etc.
-
Environment Variables
- Set
NODE_ENV=production - Use strong, unique secrets for JWT
- Configure production MongoDB URI
- Update
FRONTEND_URLto production domain - Set secure cookie domain
- Set
-
Database
- Use MongoDB Atlas or hosted MongoDB
- Enable authentication
- Set up backups
- Create indexes for performance
-
Security
- Enable HTTPS
- Set secure cookie flags
- Implement rate limiting
- Configure CORS for production domains
- Use environment-specific secrets
-
Monitoring
- Set up logging (Winston, Morgan)
- Monitor server health
- Track API usage
- Set up error tracking (Sentry)
- Heroku: Add
Procfilewithweb: node src/app.js - Railway: Auto-detects Node.js apps
- DigitalOcean: Use App Platform or Droplets
- AWS: EC2, Elastic Beanstalk, or Lambda
- Render: Direct deployment from Git
# Run tests (if configured)
npm test
# Health check
curl http://localhost:5000/health- Ensure MongoDB is running
- Check
MONGODB_URIis correct - Verify network connectivity
- Check MongoDB credentials
- Verify Google credentials
- Check callback URL matches Google Console
- Ensure
FRONTEND_URLis correct
- Use Gmail App Password (not regular password)
- Enable "Less secure app access" if needed
- Check SMTP settings
- Verify Agora credentials
- Check App ID and Certificate
- Ensure token generation is working
This project is licensed under the ISC License.
- Fork the repository
- Create a feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'Add amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
For questions or issues, please open an issue in the repository or contact the development team.
Built with β€οΈ for modern healthcare