A production-grade authentication and authorization backend built with TypeScript, Express, and MongoDB, designed with clean architecture, security-first thinking, and long-term reusability in mind.
This project is intended as a professional backend foundation that can be reused across future projects and deployed in real production environments.
Authentication systems are deceptively complex. Beyond basic login and registration, a robust system must handle:
- Secure credential storage
- Token lifecycle management
- Account protection against abuse
- Password recovery and verification
- Clean error handling
- Maintainable architecture
This project implements a complete, real-world authentication backend, intentionally designed to be extended, reused, and production-hardened over time.
The system follows a layered architecture with strict separation of concerns:
- Routes
  - Define HTTP endpoints
  - Attach middleware
- Controllers
  - Handle HTTP request/response
  - No business logic
- Services
  - Core authentication logic
  - Security rules and workflows
- Repositories
  - All database access
  - No business logic
- Models
  - Schema definitions and lifecycle hooks
- Middlewares
  - Authentication, authorization, error handling
This structure mirrors real production backends and enables maintainability, testability, and long-term evolution.
```text
┌─────────────────────┐
│       Client        │
│ (Postman / Frontend)│
└─────────┬───────────┘
          │ HTTP Requests
          ▼
┌─────────────────────┐
│       Routes        │
│  (Express Router)   │
└─────────┬───────────┘
          │
          ▼
┌─────────────────────┐
│     Controllers     │
│(Request / Response) │
└─────────┬───────────┘
          │
          ▼
┌─────────────────────┐
│      Services       │
│    (Auth Logic &    │
│   Security Rules)   │
└─────────┬───────────┘
          │
          ▼
┌─────────────────────┐
│    Repositories     │
│  (Database Access)  │
└─────────┬───────────┘
          │
          ▼
┌─────────────────────┐
│       MongoDB       │
│   (Users, Tokens)   │
└─────────────────────┘
```
- Registration
  - Email uniqueness enforced
  - Passwords hashed using bcrypt
  - Input validation with Zod
- Login
  - Password comparison via bcrypt compare (never a plaintext equality check)
  - JWT access token issuance
  - Account lockout on repeated failures
- Protected routes
  - Stateless access tokens
  - Middleware-based route protection
  - Role-based access control (RBAC)
- Refresh tokens
  - Long-lived refresh tokens
  - Rotation on use
  - Server-side storage and revocation
- Password reset
  - One-time reset tokens
  - Tokens hashed before storage
  - Expiry enforced
  - Password re-hashed on reset
- Email verification
  - Secure verification tokens
  - Token hashing and expiry
  - Email verification state tracked in the database
This project explicitly prioritizes security:
- Password Hashing
  - bcrypt with a strong cost factor
  - No plaintext passwords stored
  - bcrypt only hashes the first 72 bytes of input, so the Zod schema should cap password length rather than let longer passwords silently collide
- Token Security
  - Reset and verification tokens hashed before storage
  - A leaked database row holds only the hash, which cannot be presented as a token
- Account Protection
  - Failed login attempt tracking
  - Temporary account lockout
- JWT Strategy
  - Short-lived access tokens; a stateless token cannot be revoked before it expires, so the TTL is the revocation window
  - Refresh tokens stored server-side and revocable
- Error Handling
  - Centralized JSON error handling
  - No sensitive data (stack traces, internal error messages) leaked to clients
- Language: TypeScript
- Runtime: Node.js
- Framework: Express
- Database: MongoDB
- ODM: Mongoose
- Authentication: JWT
- Validation: Zod
- Security: bcrypt
- Logging: Winston
```bash
npm install
```