AuthSphere is a production-ready MERN stack authentication and task management system built for a Backend Developer Intern assignment. It includes secure JWT auth, role-based access control, scalable REST APIs, Swagger/Postman documentation, Docker support, tests, and a clean React dashboard.
Screenshots are stored in `docs/screenshots/`.

| Auth | Dashboard |
|---|---|
| http://localhost:5173/register | http://localhost:5173/dashboard |
- User registration and login
- JWT access token + refresh token flow
- Password hashing with `bcryptjs`
- Role-based access control: `user` and `admin`
- Task CRUD with ownership rules
- Task search, filter, sort, pagination, and detail page
- Audit logs and admin activity timeline
- Admin analytics dashboard
- Admin user management: list, update role, soft delete
- Profile update, change password, and soft delete account
- Rate limiting for auth and API routes
- Input validation and sanitization
- Swagger UI and Postman collection
- Docker and production Dockerfiles
- Backend tests with Jest, Supertest, and MongoDB Memory Server
- Dark mode support
- GitHub Actions CI
| Layer | Tools |
|---|---|
| Frontend | React, Vite, React Router DOM, Axios, Tailwind CSS |
| Backend | Node.js, Express.js, MongoDB, Mongoose |
| Auth/Security | JWT, Refresh Tokens, bcryptjs, Helmet, CORS, Rate Limit |
| Docs | Swagger UI, Postman Collection |
| Testing | Jest, Supertest, MongoDB Memory Server |
| Deployment | Vercel, Render, MongoDB Atlas, Docker |
```text
AuthSphere/
  backend/
    src/
      config/
      controllers/
      docs/
      middleware/
      models/
      routes/
      scripts/
      utils/
      validations/
    tests/
    .env.example
    Dockerfile
    Dockerfile.prod
    package.json
  frontend/
    src/
      api/
      components/
      context/
      pages/
    .env.example
    Dockerfile
    Dockerfile.prod
    package.json
  docs/
    screenshots/
  .github/workflows/ci.yml
  docker-compose.yml
```
Backend setup:

```bash
cd backend
npm install
copy .env.example .env   # Windows; on macOS/Linux use: cp .env.example .env
npm run dev
```

Backend URL: http://localhost:5000
Backend `.env` (copied from `.env.example`):

```env
PORT=5000
NODE_ENV=development
MONGO_URI=mongodb://127.0.0.1:27017/authsphere
JWT_SECRET=replace_with_a_long_secure_secret
JWT_EXPIRES_IN=15m
JWT_REFRESH_SECRET=replace_with_a_second_long_secure_secret
JWT_REFRESH_EXPIRES_IN=7d
CLIENT_URLS=http://localhost:5173,http://localhost:5174
ADMIN_NAME=Main Admin
ADMIN_EMAIL=admin@example.com
ADMIN_PASSWORD=Admin@12345
```

`JWT_SECRET` and `JWT_REFRESH_SECRET` must be two different, long random values (for example, generate each with `openssl rand -hex 48`); if they are equal, a refresh token also verifies as an access token. The placeholder secrets and the sample `ADMIN_PASSWORD` are for local development only, and the filled-in `.env` must never be committed.

Public registration always creates a normal user. Create or update the first admin safely with:
```bash
cd backend
npm run seed:admin
```

Then login with the admin email/password from `.env`.
Frontend setup:

```bash
cd frontend
npm install
copy .env.example .env   # Windows; on macOS/Linux use: cp .env.example .env
npm run dev
```

Frontend URL: http://localhost:5173
Frontend `.env`:

```env
VITE_API_URL=http://localhost:5000/api/v1
VITE_DEMO_ADMIN_EMAIL=admin@example.com
VITE_DEMO_ADMIN_PASSWORD=Admin@12345
```

Vite inlines every `VITE_`-prefixed variable into the browser bundle, so `VITE_DEMO_ADMIN_EMAIL` and `VITE_DEMO_ADMIN_PASSWORD` are visible to anyone who loads the app. They only exist to pre-fill the demo login on a local machine: leave them unset in a deployed frontend and never point them at a real admin account.

Start the backend, then open Swagger: http://localhost:5000/api-docs
Postman collection: `backend/src/docs/postman_collection.json`

Base URL: `/api/v1`
| Method | Endpoint | Access | Description |
|---|---|---|---|
| POST | /auth/register | Public | Register user |
| POST | /auth/login | Public | Login user |
| POST | /auth/refresh | Public (requires refresh cookie) | Refresh access token |
| POST | /auth/logout | User/Admin | Logout and revoke refresh token |
| GET | /auth/me | User/Admin | Current logged-in user |
| GET | /profile | User/Admin | Get profile |
| PATCH | /profile | User/Admin | Update profile |
| PATCH | /profile/password | User/Admin | Change password |
| DELETE | /profile | User/Admin | Soft delete own profile |
| GET | /tasks | User/Admin | Paginated task list with filters |
| POST | /tasks | User/Admin | Create task |
| GET | /tasks/:id | User/Admin | Get task detail |
| PATCH | /tasks/:id | User/Admin | Update task |
| DELETE | /tasks/:id | User/Admin | Soft delete task |
| GET | /users | Admin | List users |
| PATCH | /users/:id/role | Admin | Update user role |
| DELETE | /users/:id | Admin | Soft delete user |
| GET | /admin/analytics | Admin | Dashboard analytics |
| GET | /admin/activity | Admin | Audit activity timeline |
| GET | /admin/search?q=value | Admin | Global search |
Task filters example:

```http
GET /api/v1/tasks?page=1&limit=10&status=pending&search=demo&sort=newest
```
Run the backend tests:

```bash
cd backend
npm test
```

Current test coverage includes:
- Public registration creates only normal users
- Invalid login is rejected
- Task ownership and admin task visibility
- User route blocks non-admin access
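The last two tests cover the two authorization rules of the API: admin-only routes reject any other role, and task routes are scoped to the caller's own tasks unless the caller is an admin. The following is an added example, not AuthSphere's own code, of those rules written as Express-style middleware and a query-scope builder, exercised against constructed in-memory data so it runs without a database. `req.user` is assumed to be populated by the JWT middleware, and the task fields `owner` and `deletedAt` are assumptions about the schema.

```javascript
// Added example, not AuthSphere's own code: role middleware and task ownership
// scoping, written to run without Express or MongoDB. req.user is assumed to be
// set by the JWT middleware; task field names and the sample data are constructed.

// requireRole('admin') guards /users and /admin routes: 401 when no user is
// attached to the request, 403 when the role is not in the allowed set.
function requireRole(...roles) {
  return (req, res, next) => {
    if (!req.user) return res.status(401).json({ message: 'Unauthenticated' });
    if (!roles.includes(req.user.role)) return res.status(403).json({ message: 'Forbidden' });
    return next();
  };
}

// Ownership rule for /tasks: a user sees only their own live tasks, an admin
// sees all live tasks. The restriction is part of the query itself rather than
// a check after loading, so GET /tasks/:id with someone else's id returns 404
// and cannot be used to confirm that the id exists.
function taskScope(user) {
  const scope = { deletedAt: null };
  if (user.role !== 'admin') scope.owner = user.id;
  return scope;
}

// PATCH/DELETE /tasks/:id: owner or admin, and never a soft-deleted task.
function canModifyTask(user, task) {
  if (task.deletedAt) return false;
  return user.role === 'admin' || task.owner === user.id;
}

// In-memory stand-in for Task.find(taskScope(user)).
function findTasks(tasks, user) {
  const scope = taskScope(user);
  return tasks.filter((t) => Object.entries(scope).every(([k, v]) => t[k] === v));
}

// Minimal fake res/next so the middleware can be driven without Express.
function runMiddleware(mw, req) {
  const res = {
    statusCode: 200,
    body: null,
    status(code) { this.statusCode = code; return this; },
    json(payload) { this.body = payload; return this; },
  };
  let calledNext = false;
  mw(req, res, () => { calledNext = true; });
  return { status: res.statusCode, body: res.body, next: calledNext };
}

// Constructed sample users and tasks.
const alice = { id: 'u-alice', role: 'user' };
const bob = { id: 'u-bob', role: 'user' };
const admin = { id: 'u-admin', role: 'admin' };
const tasks = [
  { id: 't1', owner: 'u-alice', title: 'Alice task', deletedAt: null },
  { id: 't2', owner: 'u-bob', title: 'Bob task', deletedAt: null },
  { id: 't3', owner: 'u-bob', title: 'Bob deleted task', deletedAt: '2024-01-01T00:00:00Z' },
];
```

Here `findTasks(tasks, alice)` yields only `t1`, `findTasks(tasks, admin)` yields `t1` and `t2`, and `requireRole('admin')` returns 403 for Alice and calls `next()` for the admin. Putting the owner filter into `taskScope` rather than into each controller is what keeps a new route from accidentally leaking other users' tasks.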
Run the full local stack with MongoDB:

```bash
docker compose up --build
```

Services:
- Frontend: http://localhost:5173
- Backend: http://localhost:5000
- MongoDB: mongodb://localhost:27017/authsphere

Production Dockerfiles:
- `backend/Dockerfile.prod`
- `frontend/Dockerfile.prod`
Backend on Render:
- Create a new Render Web Service.
- Set root directory to `backend`.
- Build command: `npm install`.
- Start command: `npm start`.
- Add all backend environment variables, with freshly generated `JWT_SECRET` and `JWT_REFRESH_SECRET` values and `CLIENT_URLS` set to the deployed frontend origin so CORS accepts it.
- Use MongoDB Atlas for `MONGO_URI`.
Frontend on Vercel:
- Import the repository in Vercel.
- Set root directory to `frontend`.
- Build command: `npm run build`.
- Output directory: `dist`.
- Set `VITE_API_URL` to your deployed backend API URL, including the `/api/v1` suffix.
- Public users cannot self-register as admin.
- Admin is created through a protected seed script.
- Passwords are hashed using bcrypt.
- JWT access tokens are short-lived.
- Refresh token is stored in an HTTP-only cookie, so page scripts (including any injected XSS payload) cannot read it; in production the cookie should also carry the `Secure` and `SameSite` attributes.
- Auth routes are rate limited.
- Inputs are validated and sanitized.
- Helmet adds secure HTTP headers.
- Soft delete protects against accidental permanent data loss.
- API versioning uses `/api/v1`.
- Modular backend folders support new features cleanly.
- Task listing is paginated and indexed.
- Admin analytics use a short in-memory cache.
- Redis can later replace in-memory cache and improve rate limiting.
- Audit logs help production debugging and compliance.
- Multiple backend instances can run behind a load balancer.
- GitHub Actions CI runs backend tests and frontend builds.
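The rate-limiting note and the Redis note above are connected: a limiter that counts in process memory works for one instance but, behind a load balancer, each instance keeps its own count, so the effective limit is multiplied by the number of instances. The following is an added example, not AuthSphere's own code, of a fixed-window in-memory limiter with a tight budget for `/auth` and a looser one for the rest of the API, with an injectable clock so the window reset can be tested deterministically. AuthSphere uses the `express-rate-limit` package; the limits, window and key function here are assumptions for the demo.

```javascript
// Added example, not AuthSphere's own code: a fixed-window, in-memory rate
// limiter of the kind used on the auth routes. The limits, window and key
// function are assumptions for this demo; the project uses express-rate-limit.
// A Map is per-process, so behind a load balancer each instance counts on its
// own, which is the problem a shared Redis store solves.
function createRateLimiter({ windowMs, max, keyFn = (req) => req.ip, now = Date.now }) {
  const buckets = new Map(); // key -> { count, resetAt }

  // Count one request for the caller's key and report whether it is allowed.
  function check(req) {
    const t = now();
    const key = keyFn(req);
    let bucket = buckets.get(key);
    if (!bucket || bucket.resetAt <= t) {
      bucket = { count: 0, resetAt: t + windowMs };
      buckets.set(key, bucket);
    }
    bucket.count += 1;
    return {
      allowed: bucket.count <= max,
      remaining: Math.max(0, max - bucket.count),
      retryAfterSec: Math.ceil((bucket.resetAt - t) / 1000),
    };
  }

  // Express-style middleware: 429 with Retry-After once the budget is spent.
  function middleware(req, res, next) {
    const r = check(req);
    res.setHeader('RateLimit-Limit', String(max));
    res.setHeader('RateLimit-Remaining', String(r.remaining));
    if (!r.allowed) {
      res.setHeader('Retry-After', String(r.retryAfterSec));
      return res.status(429).json({ message: 'Too many requests, try again later' });
    }
    return next();
  }

  return { check, middleware };
}

// Auth routes get a small budget (credential stuffing, brute force); general
// API routes a larger one. Both windows are 15 minutes in this demo.
function makeLimiters(now) {
  return {
    auth: createRateLimiter({ windowMs: 15 * 60 * 1000, max: 10, now }),
    api: createRateLimiter({ windowMs: 15 * 60 * 1000, max: 100, now }),
  };
}

// Simulate N requests from one IP and return how many were allowed.
function simulateAttempts(limiter, ip, attempts) {
  let allowed = 0;
  for (let i = 0; i < attempts; i += 1) {
    if (limiter.check({ ip }).allowed) allowed += 1;
  }
  return allowed;
}

// Minimal fake res so the middleware can be driven without Express.
function runLimiterMiddleware(limiter, req) {
  const res = {
    statusCode: 200, headers: {},
    setHeader(k, v) { this.headers[k] = v; },
    status(c) { this.statusCode = c; return this; },
    json() { return this; },
  };
  let calledNext = false;
  limiter.middleware(req, res, () => { calledNext = true; });
  return { status: res.statusCode, headers: res.headers, next: calledNext };
}
```

One deployment caveat: on Render or behind any reverse proxy, Express reports the proxy's address in `req.ip` unless `app.set('trust proxy', ...)` is configured, in which case every client shares one bucket and the auth limiter locks everyone out together.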
- Registration and login APIs
- Password hashing
- JWT authentication
- Role-based access control
- Task CRUD APIs
- API versioning
- Error handling
- Validation and sanitization
- Swagger/Postman docs
- MongoDB schema with Mongoose
- React frontend UI
- Protected dashboard
- Docker support
- README setup and deployment guide

