A complete RESTful API built with Node.js, Express, TypeScript, and MongoDB featuring user authentication and CRUD operations.
## Features

- User authentication with session tokens
- Cookie-based session management
- Protected routes with middleware
- User CRUD operations
- Password hashing with `crypto`
- TypeScript for type safety
- MongoDB database
## Tech Stack

- **Runtime:** Node.js
- **Framework:** Express.js
- **Language:** TypeScript
- **Database:** MongoDB with Mongoose
- **Authentication:** Custom session-based auth built on Node's `crypto` module
## Prerequisites

- Node.js (v14 or higher)
- MongoDB (local or Atlas)
- npm or yarn
## Installation

1. Clone the repository:

```bash
git clone https://github.com/kunstewi/rest-api.git
cd rest-api
```

2. Install dependencies:

```bash
npm install
```

3. Create a `.env` file in the root directory:

```bash
cp .env.example .env
```

4. Update the `.env` file with your configuration:

```env
PORT=5000
MONGO_URI=mongodb://localhost:27017/rest-api
SECRET=your-secret-key-here
```

## Running the Server

```bash
npm start
```

The server will start on http://localhost:5000 (or your configured `PORT`).
## API Endpoints

### Authentication

#### Register

```http
POST /auth/register
Content-Type: application/json

{
  "username": "john_doe",
  "email": "john@example.com",
  "password": "securepassword123"
}
```

#### Login

```http
POST /auth/login
Content-Type: application/json

{
  "email": "john@example.com",
  "password": "securepassword123"
}
```

Response: sets a session cookie named `KUNSTEWI-AUTH`.

#### Logout

```http
POST /auth/logout
Cookie: KUNSTEWI-AUTH=<session-token>
```

Note: Requires the authentication cookie.
### Users

All user endpoints require authentication (the `KUNSTEWI-AUTH` session cookie).

#### List users

```http
GET /users
Cookie: KUNSTEWI-AUTH=<session-token>
```

#### Get a user

```http
GET /users/:id
Cookie: KUNSTEWI-AUTH=<session-token>
```

#### Update a user

```http
PATCH /users/:id
Cookie: KUNSTEWI-AUTH=<session-token>
Content-Type: application/json

{
  "username": "new_username"
}
```

Note: Users can only update their own profile; `:id` must match the authenticated user's id or the ownership middleware rejects the request.

#### Delete a user

```http
DELETE /users/:id
Cookie: KUNSTEWI-AUTH=<session-token>
```

Note: Users can only delete their own account.
## Project Structure

```
rest-api/
├── src/
│   ├── controllers/
│   │   ├── authenticationController.ts   # Auth logic
│   │   └── userController.ts             # User CRUD logic
│   ├── db/
│   │   ├── db.ts                         # Database connection
│   │   └── users.ts                      # User model & queries
│   ├── helpers/
│   │   └── helper.ts                     # Crypto utilities
│   ├── middlewares/
│   │   ├── isAuthenticated.ts            # Auth middleware
│   │   └── isOwner.ts                    # Ownership middleware
│   ├── router/
│   │   ├── authenticationRouter.ts       # Auth routes
│   │   ├── userRouter.ts                 # User routes
│   │   └── router.ts                     # Main router
│   ├── index.ts                          # App entry point
│   └── types.ts                          # TypeScript types
├── .env.example                          # Environment template
├── .gitignore
├── nodemon.json
├── package.json
└── tsconfig.json
```
## Middleware

### isAuthenticated

Verifies that the request carries a valid session token in the `KUNSTEWI-AUTH` cookie and attaches the matching user object to `req.identity`. Requests with a missing or unknown token are rejected before they reach a controller.

### isOwner

Verifies that the authenticated user (`req.identity`) owns the resource they are trying to modify, by comparing the user's id with the `:id` URL parameter. It relies on `req.identity` and therefore must run after `isAuthenticated`.
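The two checks described above, written out as an added example (this is not the repository's `isAuthenticated.ts` or `isOwner.ts`). It uses minimal stand-ins for Express's request and response types and a constructed in-memory session table in place of the Mongoose lookup, so it runs without Express or MongoDB; the cookie name is the README's, while the user ids, the `sessions` map and the `runChain` driver are assumptions made for the illustration. The detail worth noting is the ownership comparison: a Mongoose `ObjectId` is an object while `req.params.id` is a string, so the two must be compared as strings or every request would be rejected.

```typescript
// Added example, not the project's middleware. Minimal request/response types
// so it runs without Express; session store and ids are constructed.

const SESSION_COOKIE = "KUNSTEWI-AUTH"; // cookie name from the README

interface User {
  _id: string; // a Mongoose ObjectId in the real project (assumption)
  username: string;
}

// Minimal stand-ins for Express's Request, Response and NextFunction (assumption).
interface Req {
  cookies: Record<string, string | undefined>;
  params: Record<string, string>;
  identity?: User;
}
interface Res {
  statusCode: number;
  sendStatus(code: number): void;
}
type Next = () => void;

// Constructed in-memory session table standing in for the Mongoose query that
// finds a user by session token. The real lookup is async; in the project the
// middleware would be `async` and `await` it at the same point.
const sessions = new Map<string, User>([
  ["tok-alice", { _id: "64f0c0ffee000000000000a1", username: "alice" }],
  ["tok-bob", { _id: "64f0c0ffee000000000000b2", username: "bob" }],
]);

function getUserBySessionToken(token: string): User | undefined {
  return sessions.get(token);
}

// Rejects the request unless the session cookie maps to a user; on success the
// user is attached as req.identity for the handlers that follow.
export function isAuthenticated(req: Req, res: Res, next: Next): void {
  const token = req.cookies[SESSION_COOKIE];
  if (!token) {
    res.sendStatus(403);
    return;
  }
  const user = getUserBySessionToken(token);
  if (!user) {
    res.sendStatus(403);
    return;
  }
  req.identity = user;
  next();
}

// Must run after isAuthenticated: the authenticated user's id has to equal the
// :id route parameter. Compared as strings because an ObjectId is an object.
export function isOwner(req: Req, res: Res, next: Next): void {
  const currentUserId = req.identity?._id;
  if (!currentUserId || String(currentUserId) !== req.params.id) {
    res.sendStatus(403);
    return;
  }
  next();
}

// Drives isAuthenticated -> isOwner -> handler for one request and reports the
// outcome, so each rejection path can be exercised.
export function runChain(
  cookie: string | undefined,
  targetId: string,
): { status: number; identity: string | undefined; reachedHandler: boolean } {
  const req: Req = { cookies: { [SESSION_COOKIE]: cookie }, params: { id: targetId } };
  const res: Res = {
    statusCode: 200,
    sendStatus(code: number) {
      res.statusCode = code;
    },
  };
  let reachedHandler = false;
  isAuthenticated(req, res, () =>
    isOwner(req, res, () => {
      reachedHandler = true;
    }),
  );
  return { status: res.statusCode, identity: req.identity?.username, reachedHandler };
}
```

`runChain("tok-alice", "64f0c0ffee000000000000a1")` reaches the handler, while the same cookie against bob's id, a missing cookie, or an unknown token all stop at a 403 without the handler running.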
## Security Features

- Passwords are hashed using HMAC-SHA256 with `SECRET` and a unique random salt per user. Note that HMAC-SHA256 is a fast hash rather than a memory-hard password KDF: an attacker who obtains both the database and `SECRET` can test guesses at hardware speed, so a production deployment should use scrypt, bcrypt or Argon2 instead.
- Session tokens are generated using `crypto` random bytes.
- Authentication state is maintained via HTTP-only cookies, so script running in the page cannot read the token. When deploying behind TLS, also set the `Secure` and `SameSite` cookie attributes.
- Protected routes require valid session tokens.
- Ownership verification prevents users from modifying or deleting accounts other than their own.
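The primitives in the list above, as an added example (not the project's `helper.ts`): a random salt and session token from `crypto.randomBytes`, an HMAC-SHA256 password hash that mixes in `SECRET`, a timing-safe verifier, and, beside it, the scrypt form a practitioner would substitute. The function names, the `salt/password` message layout, the fallback `SECRET` value and the `scrypt$salt$hash` storage format are assumptions for this illustration; the repository's own construction may differ.

```typescript
// Added example, not the project's helper.ts. Layout of the HMAC input,
// storage format and fallback SECRET are assumptions.
import { createHmac, randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

// In the project SECRET comes from .env; the fallback exists only so this file runs.
const SECRET = process.env.SECRET ?? "example-secret-do-not-use";

// 128 random bytes, base64-encoded: usable as a per-user salt and as a session token.
export function random(bytes = 128): string {
  return randomBytes(bytes).toString("base64");
}

// HMAC-SHA256 keyed with SECRET over "salt/password". The unique salt keeps two
// users with the same password from sharing a hash; SECRET acts as a pepper
// that an attacker holding only a database dump does not have.
export function authentication(salt: string, password: string): string {
  return createHmac("sha256", SECRET).update(`${salt}/${password}`).digest("hex");
}

// Constant-time comparison: `===` on the hex strings would leak how long the
// matching prefix is through response timing.
export function verifyPassword(salt: string, password: string, storedHash: string): boolean {
  const computed = Buffer.from(authentication(salt, password), "hex");
  const stored = Buffer.from(storedHash, "hex");
  return computed.length === stored.length && timingSafeEqual(computed, stored);
}

// Hardened alternative: scrypt is memory-hard, so offline guessing costs the
// attacker RAM as well as time. N=16384, r=8 needs 16 MiB per hash, under
// Node's default 32 MiB maxmem.
const SCRYPT_PARAMS = { N: 16384, r: 8, p: 1 };
const SCRYPT_KEYLEN = 64;

export function hashPasswordScrypt(password: string, salt: Buffer = randomBytes(16)): string {
  const key = scryptSync(password, salt, SCRYPT_KEYLEN, SCRYPT_PARAMS);
  return `scrypt$${salt.toString("hex")}$${key.toString("hex")}`;
}

export function verifyPasswordScrypt(password: string, stored: string): boolean {
  const [scheme, saltHex, keyHex] = stored.split("$");
  if (scheme !== "scrypt" || !saltHex || !keyHex) return false;
  const expected = Buffer.from(keyHex, "hex");
  if (expected.length !== SCRYPT_KEYLEN) return false;
  const key = scryptSync(password, Buffer.from(saltHex, "hex"), SCRYPT_KEYLEN, SCRYPT_PARAMS);
  return timingSafeEqual(key, expected);
}
```

Registration stores `salt` and `authentication(salt, password)`; login recomputes the hash from the stored salt and compares with `verifyPassword`, then issues `random()` as the session token and writes it to the `KUNSTEWI-AUTH` cookie.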
## Testing with curl

Register:

```bash
curl -X POST http://localhost:5000/auth/register \
  -H "Content-Type: application/json" \
  -d '{"username":"testuser","email":"test@example.com","password":"test123"}'
```

Login (saves the session cookie to `cookies.txt`):

```bash
curl -X POST http://localhost:5000/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"test@example.com","password":"test123"}' \
  -c cookies.txt
```

List users (sends the saved cookie):

```bash
curl -X GET http://localhost:5000/users \
  -b cookies.txt
```

Update a user (replace `<user-id>` with the id of the logged-in user; other ids are rejected by the ownership check):

```bash
curl -X PATCH http://localhost:5000/users/<user-id> \
  -H "Content-Type: application/json" \
  -d '{"username":"newusername"}' \
  -b cookies.txt
```

## Environment Variables

| Variable | Description | Example |
|---|---|---|
| `PORT` | Server port | `5000` |
| `MONGO_URI` | MongoDB connection string | `mongodb://localhost:27017/rest-api` |
| `SECRET` | Secret key for hashing | `your-secret-key` |
## Contributing

1. Fork the repository
2. Create your feature branch (`git checkout -b feature/amazing-feature`)
3. Commit your changes (`git commit -m 'Add some amazing feature'`)
4. Push to the branch (`git push origin feature/amazing-feature`)
5. Open a Pull Request
## License

ISC

## Author

kunstewi