Secure Task API

A security-focused REST API for task management built with Node.js, Express, and MongoDB.

This project demonstrates production-style authentication and security practices including JWT authentication, refresh token rotation, reuse detection, and session management.

Security Features

Advanced Authentication: Full JWT-based system with Refresh Token Rotation
Reuse Detection: Automatic invalidation of token families upon Refresh Token Reuse Detection
Session Management: Secure Logout (single device) or a Global Logout from all active Devices
Data Protection: Industry-standard Password Hashing with bcrypt
Threat Mitigation: Integrated Rate Limiting and suspicious Request Logging to identify and block brute-force attempts.
Secure Transport: Hardened Secure HTTP-only cookies and Helmet security headers

Other Feature

API Documentation: Interactive Swagger/OpenAPI UI for live endpoint testing.

Infrastructure & DevSecOps

Docker containerization
CI/CD pipeline using GitHub Actions
Static application security testing with Semgrep
Container vulnerability scanning using Trivy

Tech Stack

Node.js
Express
MongoDB (Mongoose)
JSON Web Token (JWT)
bcrypt (password hashing)
Node.js crypto (refresh token hashing)
cookie-parser
helmet
express-rate-limit
morgan
swagger (swagger-jsdoc + swagger UI)
Docker

API Endpoints

Authentication

POST/api/auth/signup

POST/api/auth/login

POST/api/auth/refresh

POST/api/auth/logout

POST/api/auth/logout-all

Tasks

GET /api/tasks

POST /api/tasks

PUT /api/tasks/:id

DELETE /api/tasks/:id

Security Architecture

This API implements multiple security layers:

Password are hashed using bcrypt before storage.
Refresh tokens are stored hashed in MongoDB.
Refresh token rotation ensures stolen tokens cannot be reused.
Reuse detection revokes all sessions if token theft is detected.
Helmet adds HTTP security headers.
Rate limiting prevents brute-force login attempts.

Pipeline Diagram

Developer push

↓

Github Actions

↓

SAST (Semgrep)

↓

Docker Build

↓

Container Scan (Trivy)

Running the Project

Clone the repository:

git clone

install dependencies:

npm install

create a .env file with

MONGODB_URI=yourmongodb_connection
JWT_ACCESS_SECRET=your_secret_key

Start the server:

npm run dev

Server runs on:

http://localhost:3000

Running with Docker

Build the image:

docker build -t secure-task-api

Run the container

docker run -p 3000:3000 secure-task-api

The API will be available at

http://localhost:3000

Interactive API documentation

http://localhost:3000/api-doc

Name		Name	Last commit message	Last commit date
Latest commit History 41 Commits
.github/workflows		.github/workflows
controller		controller
data		data
middleware		middleware
models		models
node_modules		node_modules
requests		requests
routes		routes
utils		utils
.dockerignore		.dockerignore
.gitignore		.gitignore
Dockerfile		Dockerfile
README.md		README.md
index.js		index.js
package-lock.json		package-lock.json
package.json		package.json
semgrep-rules.yml		semgrep-rules.yml
swagger.js		swagger.js

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Secure Task API

Security Features

Other Feature

Infrastructure & DevSecOps

Tech Stack

API Endpoints

Authentication

Tasks

Security Architecture

Pipeline Diagram

Running the Project

Running with Docker

About

Uh oh!

Releases

Packages

Uh oh!

Contributors

Uh oh!

Languages

Folders and files

Latest commit

History

Repository files navigation

Secure Task API

Security Features

Other Feature

Infrastructure & DevSecOps

Tech Stack

API Endpoints

Authentication

Tasks

Security Architecture

Pipeline Diagram

Running the Project

Running with Docker

About

Resources

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Uh oh!

Contributors

Uh oh!

Languages

Packages