This is a project meant to be used as a starting point for APIs that require user sign up/sign in and authentication. Meant to be consumed by a SPA.
TODO:
- Currently researching and working on a password reset mechanism
- Another security mechanism against CSRF.
- Throttle requests
Tried following json:api specification for the design of the API for the error responses, but didn't get a good example for other response objects.
The auth system uses 16 random bytes generated with the node.js crypto module as authentication tokens.
Project uses mongoose.js for data modeling and express.js for easy server setup.
To run project locally:
- Clone repo
npm installin root directory- Add your mongoDB uri to
secrets.jsfile or add it to your ENV variables npm startto run nodemon in watch mode- Use postman to test endpoints or curl if you're cool
- User registers account. Password is hashed and salted with bcrypt and is stored in database
- User enters credentials, server validates credentials. If valid, a random 16 byte token is generated and stored in database along with the user ID of the requesting user
- Token is set in a cookie along with the server's response
- Client includes cookie on subsequent requests.
- Protected endpoints send request through authentication middleware, which checks token received in request to exist in database and have a status of 'valid'. Only endpoints that use the authentication in this project are the api/users/me and api/users/logout, to be used as examples of how it would work
- To logout, client would send request to api/users/logout with their auth token. If token exists and is valid, set its status as 'expired'
Feedback and PR's welcome. Follow me @yanglorenzana, DM's always open.