This project is a backend API built with Express.js, focusing on user authentication, authorization, and subscription management, with a strong emphasis on security. It integrates Arcjet for request protection, uses JWT for authentication, and Mongoose for data modeling.
- Sign-up with password hashing using bcrypt
- Sign-in with JWT-based authentication
- Sign-out functionality (pending full implementation)
- Retrieve all users
- Retrieve a specific user by ID (excluding password)
- Create subscriptions
- Retrieve all subscriptions for a user
- Retrieve all subscriptions
- Retrieve a specific subscription by ID
- Request protection with Arcjet (rate limiting, bot detection, spoofed bot detection)
- Authorization middleware to protect routes
- Centralized error handling middleware for consistent error responses
- MongoDB with Mongoose schema models
- Cookie parser
- Body parsing (JSON and URL-encoded)
- Upstash Workflow for sending subscription renewal reminders
- Reminder emails sent via the `sendReminderEmail` utility
- Sets up the Express.js server
- Connects to MongoDB
- Configures middleware:
  - `express.json()` and `express.urlencoded()` for parsing request bodies
  - `cookie-parser` for handling cookies
  - `arcjetMiddleware` for request protection
- Defines API routes:
  - `/api/v1/auth` – authentication endpoints
  - `/api/v1/users` – user management endpoints
  - `/api/v1/subscriptions` – subscription management endpoints
  - `/api/v1/workflows` – workflow endpoints
- Uses `errorMiddleware` for centralized error handling
- Starts the server on the specified port
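The centralized error handling that `errorMiddleware` provides, as an added example that is not the project's own code. It maps the error shapes Mongoose produces (a `CastError` for a malformed ObjectId, driver code `11000` for a duplicate unique key, a `ValidationError` for schema failures) and any error carrying a `statusCode` to one response format, and hides the detail of unexpected errors from the client. `mockRes` and `handle` are constructed stand-ins for Express's response object and pipeline so the block runs without Express.

```javascript
// Added example, not the project's code: an Express error-handling middleware
// (four-argument signature) in the shape the README describes.

function errorMiddleware(err, req, res, next) {
  let statusCode = err.statusCode || 500;
  let message = err.message || 'Server Error';

  // Mongoose: bad ObjectId, e.g. GET /api/v1/users/not-an-id
  if (err.name === 'CastError') {
    statusCode = 404;
    message = 'Resource not found';
  }
  // MongoDB driver: duplicate key on a unique index (e.g. email)
  if (err.code === 11000) {
    statusCode = 400;
    message = 'Duplicate field value entered';
  }
  // Mongoose: schema validation failed; join the per-field messages
  if (err.name === 'ValidationError') {
    statusCode = 400;
    message = Object.values(err.errors).map((e) => e.message).join(', ');
  }
  // Unexpected errors: keep the detail in server logs, send a generic body.
  if (statusCode >= 500) {
    console.error(err);
    message = 'Server Error';
  }
  res.status(statusCode).json({ success: false, error: message });
}

// Minimal response stand-in (constructed) that records what was sent.
function mockRes() {
  const res = { statusCode: 200, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (payload) => { res.body = payload; return res; };
  return res;
}

// Run one error through the middleware and return the recorded response.
function handle(err) {
  const res = mockRes();
  errorMiddleware(err, {}, res, () => {});
  return res;
}

module.exports = { errorMiddleware, handle };
```

In the real app the middleware is registered last with `app.use(errorMiddleware)`, after all routes, so that anything passed to `next(err)` or thrown from an async handler ends up here.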
- `config/env.js`: Stores environment variables (PORT, JWT secret, etc.)
- `config/arcjet.js`: Configures the Arcjet client
- `database/mongodb.js`: Connects to MongoDB using Mongoose
- `models/user.model.js`: Mongoose schema for User (name, email, password)
- `models/subscription.model.js`: Mongoose schema for Subscription
- `controllers/auth.controller.js`: Handles sign-up, sign-in, sign-out
- `controllers/user.controller.js`: Retrieves users and user by ID
- `controllers/subscriptions.controller.js`: Handles subscription CRUD operations
- `routes/auth.routes.js`: Routes for user authentication
- `routes/user.routes.js`: Routes for user management
- `routes/subscriptions.routes.js`: Routes for subscription management
- `routes/workflow.routes.js`: Routes for workflows
- `middleware/error.middleware.js`: Formats and sends error responses
- `middleware/authorize.js`: Verifies JWT and attaches user to requests
- `middleware/arcjet.middleware.js`: Arcjet-based route protection
- `workflows/subscriptions.workflow.js`: Defines Upstash Workflow for reminders
- `utils/send-email.js`: Sends reminder emails to users
- `express`
- `mongoose`
- `bcryptjs`
- `jsonwebtoken`
- `cookie-parser`
- `@upstash/workflow`
- `dayjs`
- `@arcjet/client`
- `@arcjet/inspect`
- Password Hashing: Passwords are securely hashed with `bcrypt`
- JWT Authentication: Authenticated sessions use JSON Web Tokens
- Authorization Middleware: Validates JWTs and protects sensitive routes
- Arcjet Protection: Guards against bot traffic, spoofing, and rate abuse
- Centralized Error Handling: Ensures consistent error response formatting
- Input Validation: Mongoose schemas provide base validation
- Least Privilege Principle: Enforced by route-level authorization
- Add Input Validation: Use `Joi` or `express-validator` for advanced validation
- Implement Refresh Tokens: Improve security and UX for JWT sessions
- Testing: Add unit and integration tests with `Jest` or `Mocha`
- API Documentation: Generate docs using `Swagger` or `OpenAPI`
- Logging: Integrate `Winston` or `Morgan` for request logging
- CORS Configuration: Secure the API with proper origin policies
- Rate Limiting: Fine-tune Arcjet configurations
- HTTPS in Production: Enforce secure connections in live environments
- Complete Sign-Out Functionality: Finalize logout handling