Moda is a full-stack e-commerce web application built with Node.js, Express, EJS, Socket.IO, and Microsoft SQL Server. The project provides a server-rendered shopping experience with authentication, product browsing, cart and wishlist management, checkout, order tracking, reviews, notifications, and transactional email support.
Moda is designed as a complete retail storefront for fashion and accessories. It combines server-side rendering with interactive client-side behavior to support a responsive shopping workflow across desktop and mobile devices.
The application includes customer account management, email verification, profile management, product discovery, category filtering, real-time notifications, and order lifecycle tracking. Static product seed data is used alongside database-backed user, cart, wishlist, review, order, notification, and email records.
- User registration, login, logout, and session management
- Email verification and password reset flows
- Product catalog for home, shop, men, women, kids, and accessories
- Product detail pages with ratings, reviews, and related product suggestions
- Cart and wishlist management
- Secure checkout workflow with CSRF protection
- Order history and order tracking views
- Review submission and review deletion
- User profile editing with image upload support
- Real-time user notifications with Socket.IO
- Contact form and transactional email delivery with Nodemailer
- SQL Server backed sessions using `connect-mssql-v2`
- Production-focused security middleware with Helmet, rate limiting, secure cookies, and CSRF validation
- Responsive EJS views with custom CSS, Bootstrap, and Tailwind configuration
| Package | Purpose |
|---|---|
| Node.js + Express | Server and routing |
| EJS | Server-side templating |
| Microsoft SQL Server + mssql | Primary database |
| connect-mssql-v2 | SQL-backed session store |
| Express Session | Session management |
| Socket.IO | Real-time notifications |
| Nodemailer | Transactional email |
| Multer + Cloudinary | File upload and image storage |
| Node Cron | Scheduled background tasks |
| Helmet + Express Rate Limit | Security middleware |
| Validator | Input validation |
| Technology | Purpose |
|---|---|
| EJS Templates | Server-rendered views |
| Bootstrap | UI component base |
| Tailwind CSS | Utility class configuration |
| Custom CSS Modules | Per-page styling |
| Client-side JavaScript | AJAX workflows, filtering, sorting, cart, wishlist, reviews, and notifications |
- SQL Server for application data and sessions
- JSON seed files for product catalog data
- Kebab-case static asset naming under `public/image`
- Static documents under `public/documents`

```
.
|-- cloudinary/           # Cloudinary storage configuration
|-- database/             # SQL Server connection and schema migration logic
|-- helper-functions/     # Email, search, rating, notification, and validation helpers
|-- middleware/           # Authentication, CSRF, user, cart, wishlist, order, and verification middleware
|-- partials/             # Shared EJS partials
|-- public/               # Static CSS, images, and documents
|-- routes/               # Express route modules
|-- seeds/                # Product, accessory, notification, and rating seed data
|-- views/                # Page-level EJS templates
|-- main.js               # Application entry point
|-- package.json          # Project scripts and dependencies
`-- tailwind.config.js    # Tailwind configuration
```
Create a `.env` file in the project root with the required runtime configuration.

```
PORT=3000
NODE_ENV=development
DB_USER=your_database_user
DB_PASSWORD=your_database_password
DB_SERVER=your_database_server
DB_PORT=1433
DB_NAME=your_database_name
SESSION_SECRET=your_secure_session_secret
BASE_URL=http://localhost:3000
GMAIL_USER=your_email_address
GMAIL_PASS=your_email_password_or_app_password
CLOUDINARY_CLOUD_NAME=your_cloudinary_cloud_name
CLOUDINARY_KEY=your_cloudinary_api_key
CLOUDINARY_SECRET=your_cloudinary_api_secret
```

Install dependencies from the project root.

```bash
npm install
```

Start the development server with Nodemon.

```bash
npm run dev
```

Start the application in production mode.

```bash
npm start
```

The application listens on the port defined by `PORT`.
The application expects a SQL Server database configured through the `.env` variables. On startup, `database/migrate.js` runs schema checks for required tracking and password reset columns.
Before running in production, confirm that:
- Database credentials are valid.
- The SQL Server firewall allows connections from the deployment environment.
- `SESSION_SECRET` is set to a strong private value.
- Email and Cloudinary credentials are configured.
- `BASE_URL` matches the deployed application URL.
The application includes several production-oriented safeguards:
- Helmet security headers
- General request rate limiting
- Stricter rate limiting for authentication routes
- HTTP-only session cookies
- Secure cookies when `NODE_ENV=production`
- CSRF token middleware
- Session storage in SQL Server
- Sanitized production logging without sensitive request bodies, CSRF token values, or email payloads
Static images in `public/image` use kebab-case naming. This keeps paths consistent across Windows, Linux, and cloud deployment environments where case sensitivity can differ.
Examples:
- `public/image/home/card-1.avif`
- `public/image/logos/master-card.svg`
- `public/image/vectors/empty-cart.svg`
- `public/image/charts/size-chart-men.jpg`
```bash
npm run dev
npm start
```

Before deploying, verify the following:

- `NODE_ENV` is set to `production`.
- `SESSION_SECRET` is configured and private.
- SQL Server credentials are available in the environment.
- Cloudinary credentials are available if profile image uploads are enabled.
- Email credentials are available for verification, password reset, contact, and order emails.
- All static asset paths use kebab-case and resolve correctly.
- The deployment platform provides HTTPS so secure cookies can be used.
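
The two pre-production checklists above can be enforced at startup instead of by hand. The following is an added example, not part of Moda's code base: `checkConfig` and the 32-character minimum for `SESSION_SECRET` are assumptions, while the variable names and placeholder values come from the `.env` template in this README.

```javascript
// Added example, not Moda's own code: fail fast on unsafe configuration.
const REQUIRED = ['DB_USER', 'DB_PASSWORD', 'DB_SERVER', 'DB_NAME',
  'SESSION_SECRET', 'BASE_URL', 'GMAIL_USER', 'GMAIL_PASS'];
const CLOUDINARY = ['CLOUDINARY_CLOUD_NAME', 'CLOUDINARY_KEY', 'CLOUDINARY_SECRET'];
const MIN_SECRET_LENGTH = 32; // assumption: the README only says "strong"

function checkConfig(env) {
  const problems = [];
  const isSet = (key) => typeof env[key] === 'string' && env[key].trim() !== '';

  for (const key of REQUIRED) {
    if (!isSet(key)) problems.push(`${key} is not set`);
  }
  // Uploads are optional, but a partly filled Cloudinary block is always a mistake.
  const cloudinarySet = CLOUDINARY.filter(isSet).length;
  if (cloudinarySet > 0 && cloudinarySet < CLOUDINARY.length) {
    problems.push('Cloudinary credentials are only partly set');
  }
  // Values copied unchanged from the .env template all start with "your_".
  for (const key of [...REQUIRED, ...CLOUDINARY]) {
    if (isSet(key) && env[key].startsWith('your_')) {
      problems.push(`${key} still holds the template placeholder`);
    }
  }
  if (isSet('SESSION_SECRET') && env.SESSION_SECRET.length < MIN_SECRET_LENGTH) {
    problems.push(`SESSION_SECRET is shorter than ${MIN_SECRET_LENGTH} characters`);
  }
  if (env.NODE_ENV === 'production' && isSet('BASE_URL')) {
    // Secure cookies are only sent over HTTPS, so a plain-HTTP BASE_URL breaks sessions.
    let protocol = null;
    try { protocol = new URL(env.BASE_URL).protocol; } catch { /* unparsable URL */ }
    if (protocol !== 'https:') problems.push('BASE_URL must be an https:// URL in production');
  }
  return problems;
}

// Constructed sample: the README's .env template with only NODE_ENV changed.
const templateEnv = {
  NODE_ENV: 'production', DB_USER: 'your_database_user',
  DB_PASSWORD: 'your_database_password', DB_SERVER: 'your_database_server',
  DB_NAME: 'your_database_name', SESSION_SECRET: 'your_secure_session_secret',
  BASE_URL: 'http://localhost:3000', GMAIL_USER: 'your_email_address',
  GMAIL_PASS: 'your_email_password_or_app_password',
};
console.log(checkConfig(templateEnv).join('\n'));
```

Calling `checkConfig(process.env)` before the server starts listening, and exiting with a non-zero status when it returns any problems, keeps a misconfigured deployment from serving traffic.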
This project is licensed under the MIT License. See the license file for details.