A full-featured, modern social media web application built with Node.js, Express, and MySQL
- Secure Authentication: JWT-based authentication with password hashing (bcrypt)
- User Profiles: Customizable profiles with avatar, cover photo, bio, location, and website
- Privacy Controls: Public/private account options with granular privacy settings
- User Verification: Blue checkmark system for verified users
- Online Status: Real-time online/offline status with privacy controls
- Posts: Create text posts with support for images and videos
- Interactions: Like, comment, and share posts
- Nested Comments: Threaded comment system with replies
- Hashtags: Automatic hashtag extraction and trending hashtags
- Mentions: Tag users with @mentions and get notified
- Follow System: Follow/unfollow users to curate your personalized feed
- Direct Messaging: One-on-one chat with Socket.io
- Typing Indicators: See when someone is typing in real-time
- Online Status: Real-time user presence tracking
- Notifications: Instant notifications for likes, comments, follows, and mentions
- Unread Counts: Track unread messages and notifications
- Feed: Personalized feed based on who you follow
- Explore Page: Discover trending posts and popular content
- User Search: Find users by username or full name
- Post Search: Search posts by content
- Hashtag Search: Browse posts by hashtags
- Trending: See what's popular with trending hashtags
- Suggestions: Get personalized user recommendations
- Dark Mode: Toggle between light and dark themes
- Responsive Design: Works seamlessly on mobile, tablet, and desktop
- PWA Support: Install as a progressive web app
- Infinite Scroll: Smooth content loading
- Modern UI: Clean design with gradient accents
- Statistics: View total users, posts, comments, likes, and activity metrics
- User Management: View all users, delete users, toggle verification status
- Content Moderation: View and delete posts
- Reports: Handle user reports and complaints
- Activity Tracking: Monitor active users and recent registrations
- Password Security: Minimum 8 characters with complexity requirements (uppercase, lowercase, number)
- File Upload Security: Magic byte validation for uploaded files
- CSRF Protection: Double-submit cookie pattern for CSRF protection
- Input Validation: Comprehensive input validation and sanitization
- SQL Injection Protection: Parameterized queries throughout
- XSS Prevention: Content sanitization with DOMPurify
- Rate Limiting: API rate limiting to prevent abuse
- JWT Authentication: Secure token-based authentication
- File Access Control: Granular access control for uploaded files
- Socket.io Authentication: JWT authentication for real-time connections
-
Clone or download the project
cd C:\Users\USER\Desktop\ZFlex
-
Install dependencies
npm install
-
Set up environment variables
- Copy
env example.mdto.env - Update database credentials if needed (default works with XAMPP)
- Copy
-
Set up database
- Start XAMPP (Apache + MySQL)
- Open phpMyAdmin:
http://localhost/phpmyadmin - Create database:
zflex - Import
database/schema.sql - (Optional) Import
database/sample_users_fresh.sqlfor test users - (Optional) Import
database/sample_posts.sqlfor sample posts
-
Start the server
npm start
Or for development with auto-restart:
npm run dev
-
Open your browser
http://localhost:3000
- HTML5 - Semantic markup
- CSS3 - Modern styling with gradients and animations
- Vanilla JavaScript - No frameworks, pure JS
- Font Awesome 6.4 - Icon library
- Socket.io Client - Real-time communication
- Node.js - JavaScript runtime
- Express.js - Web framework
- MySQL2 - Database driver with connection pooling
- Socket.io - WebSocket library for real-time features
- bcrypt - Password hashing (10 salt rounds)
- jsonwebtoken - JWT authentication tokens
- multer - File upload handling
- express-validator - Input validation
- file-type - Magic byte validation for file uploads
- dompurify - XSS prevention
- csrf - CSRF protection
- cookie-parser - Cookie parsing
- express-rate-limit - API rate limiting
- winston - Logging
- morgan - HTTP request logging
- MySQL - Relational database
- Optimized Indexes - Fast queries
- Foreign Keys - Data integrity
- Cascading Deletes - Clean data management
- Triggers - Automatic hashtag count updates
ZFlex/
├── config/
│ ├── database.js # Database connection pool
│ ├── env-validator.js # Environment variable validation
│ └── logger.js # Winston logging configuration
├── database/
│ ├── schema.sql # Database schema (run this first)
│ ├── sample_users_fresh.sql # Sample users with secure passwords
│ └── sample_posts.sql # Sample text-only posts
├── middleware/
│ ├── auth.js # JWT authentication middleware
│ ├── csrf.js # CSRF protection middleware
│ ├── optionalAuth.js # Optional authentication
│ ├── security.js # Security headers, rate limiting, input sanitization
│ └── upload.js # File upload with magic byte validation
├── routes/
│ ├── admin.js # Admin dashboard routes
│ ├── auth.js # Authentication routes (register, login, verify)
│ ├── comments.js # Comment system routes
│ ├── follow.js # Follow/unfollow routes
│ ├── hashtags.js # Hashtag routes
│ ├── likes.js # Like/unlike routes
│ ├── messages.js # Direct messaging routes
│ ├── notifications.js # Notification routes
│ ├── posts.js # Post CRUD routes
│ └── users.js # User management routes
├── scripts/
│ ├── generate-hash.js # Generate bcrypt password hash
│ ├── generate-sample-passwords.js # Generate sample user passwords
│ └── reconcile-hashtags.js # Hashtag reconciliation utility
├── public/
│ ├── components/ # Reusable HTML components
│ ├── css/ # Stylesheets
│ ├── images/ # Default images
│ ├── js/ # Frontend JavaScript
│ └── *.html # HTML pages
├── uploads/ # User-uploaded files
│ ├── covers/ # Cover photos
│ ├── messages/ # Message attachments
│ ├── posts/ # Post media
│ └── profiles/ # Profile pictures
├── logs/ # Application logs
├── server.js # Main server file
├── package.json # Dependencies and scripts
└── README.md # This file
POST /api/auth/register- Register new user (Rate limited: 3/hour)POST /api/auth/login- Login user (Rate limited: 5/15min)GET /api/auth/verify- Verify JWT token
GET /api/users/:id- Get user profilePUT /api/users/profile- Update profilePOST /api/users/profile-picture- Upload profile picturePOST /api/users/cover-photo- Upload cover photoGET /api/users/search/:query- Search usersGET /api/users/suggestions/follow- Get follow suggestionsGET /api/users/:id/followers- Get user's followersGET /api/users/:id/following- Get user's followingPOST /api/users/change-email- Change emailPOST /api/users/change-password- Change passwordGET /api/users/status/:userId- Get online statusPOST /api/users/status/bulk- Get bulk online status
GET /api/posts/feed- Get personalized feedGET /api/posts/explore- Get explore postsGET /api/posts/:id- Get single postGET /api/posts/user/:userId- Get user's postsGET /api/posts/search/:query- Search postsGET /api/posts/hashtag/:tag- Get posts by hashtagGET /api/posts/trending/hashtags- Get trending hashtagsPOST /api/posts- Create new post (max 5000 chars, supports images/videos)PUT /api/posts/:id- Update postDELETE /api/posts/:id- Delete post
GET /api/comments/post/:postId- Get post comments (nested)POST /api/comments- Add comment (max 1000 chars)PUT /api/comments/:id- Update commentDELETE /api/comments/:id- Delete comment
POST /api/likes/post/:postId- Toggle post likePOST /api/likes/comment/:commentId- Toggle comment likeGET /api/likes/post/:postId/users- Get users who liked post
POST /api/follow/:userId- Follow/unfollow userGET /api/follow/check/:userId- Check follow status
GET /api/messages/conversations- Get conversations listGET /api/messages/:userId- Get messages with userPOST /api/messages- Send message (supports file attachments)PUT /api/messages/:messageId/read- Mark message as readGET /api/messages/unread/count- Get unread countDELETE /api/messages/clear/:userId- Clear chatPOST /api/messages/block/:userId- Block/unblock userGET /api/messages/block/:userId- Check block status
GET /api/notifications- Get notifications (limit 50)GET /api/notifications/unread/count- Get unread countPUT /api/notifications/:id/read- Mark as readPUT /api/notifications/read/all- Mark all as readDELETE /api/notifications/:id- Delete notification
GET /api/hashtags/trending- Get trending hashtagsGET /api/hashtags/:tag- Get hashtag detailsGET /api/hashtags/search/:query- Search hashtags
GET /api/admin/stats- Get statisticsGET /api/admin/users- Get all users (paginated)GET /api/admin/posts- Get all posts (paginated)DELETE /api/admin/users/:id- Delete userDELETE /api/admin/posts/:id- Delete postPUT /api/admin/users/:id/verify- Toggle verificationGET /api/admin/reports- Get reportsPUT /api/admin/reports/:id- Update report status
- JWT token-based authentication
- Password hashing with bcrypt (10 salt rounds)
- Password requirements: 8+ chars, uppercase, lowercase, number
- Admin role verification
- Socket.io authentication for real-time connections
- Express-validator for input validation
- DOMPurify for XSS prevention
- SQL injection protection via parameterized queries
- File upload validation (magic bytes, not just extensions)
- Magic byte validation for uploaded files
- File type restrictions (images: JPEG, PNG, GIF, WebP; videos: MP4, MOV, AVI)
- File size limits (50MB max)
- Filename sanitization
- Granular file access control
- Login: 5 attempts per 15 minutes
- Registration: 3 attempts per hour
- API: 200 requests per minute
- Upload: 10 uploads per 15 minutes
- Double-submit cookie pattern
- CSRF tokens for state-changing requests
- httpOnly cookies with SameSite attribute
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- X-XSS-Protection: 1; mode=block
- Strict-Transport-Security
- X-Powered-By header removed
- No stack traces in production
- Generic error messages for users
- Detailed logging server-side only
ZFlex uses a modern gradient color scheme:
- Primary Gradient:
#7A00FF→#FF5AD9 - Background:
#FAFAFA(light) /#0F0F0F(dark) - Text:
#1A1A1A(light) /#FFFFFF(dark)
The design features:
- Rounded corners and soft shadows
- Smooth transitions and animations
- Gradient buttons and accents
- Clean, minimal interface
- Responsive mobile-first design
- Mobile (< 768px): Single column, vertical scroll, mobile navigation
- Tablet (768px - 1200px): Two columns, optimized layout
- Desktop (> 1200px): Three columns with sidebars, full feature set
- Chrome (recommended)
- Firefox
- Safari
- Edge
- Opera
After setting up the database, you can import sample data:
-
Sample Users (15 users including 1 admin):
- Admin:
admin@zflex.com/Admin123! - Regular users: Any email from the list /
User123! - See
database/sample_users_fresh.sqlfor all credentials
- Admin:
-
Sample Posts (23 text-only posts):
- Import
database/sample_posts.sqlfor sample content
- Import
npm run devnode scripts/generate-hash.js yourpasswordnode scripts/generate-sample-passwords.jsnode scripts/reconcile-hashtags.jsCreate a .env file in the root directory:
PORT=3000
DB_HOST=localhost
DB_USER=root
DB_PASSWORD=
DB_NAME=zflex
JWT_SECRET=your-secret-key-here-minimum-32-characters
JWT_EXPIRE=7d
NODE_ENV=development
ALLOWED_ORIGINS=https://yourdomain.com,https://www.yourdomain.com
CSRF_SECRET=your-csrf-secret-hereImportant:
- Change
JWT_SECRETto a strong random string (minimum 32 characters) - In production, set
NODE_ENV=productionand configureALLOWED_ORIGINS CSRF_SECRETshould be different fromJWT_SECRETfor better security
ISC License - feel free to use this project for learning or commercial purposes.
AR Rahim-- Built with ❤️
⭐ Star this project if you find it useful!