Authentication & Authorization REST API
Features
- Register a user
- Verify user's email address
- Send forgot password via email
- Reset password
- Get current user
- Login
- Logout
- Access token
- Refresh tokens
- API Restriction (Authorization)
- TDD
- Swagger Docs (OpenAPI)
- Performance Metrics
Tech Stack Used
- TypeScript - Static-Type checking
- Express@5 - Web server
- Typegoose - Mongoose wrapper for creating TypeScript interfaces and models
- argon2 - Password Hashing
- Zod - Validation
- jsonwebtoken - Signing and Verifying JSON web tokens
- Nodemailer - Sending Emails
- Pino - Logging
- config - Managing Configuration
Tech Stack Used (For Testing)
- jest - Testing framework
- ts-jest - A Jest transformer with source map support that lets you use Jest to test projects written in TS.
- MongoDB In-Memory Server - DB for mocking/testing that is isolated
- Supertest - Provides a high-level abstraction for testing HTTP
Tech Stack Used (For Documenting APIs)
- swagger-jsdoc - Reads your JSDoc-annotated source code and generates an OpenAPI (Swagger) spec
- swagger-ui-express - Serves the auto-generated Swagger UI API docs from Express
Tech Stack Used (For Performance Metrics)
- prom-client - Used to gather metrics
- response-time - Express middleware that records the response time of each request
Tools Used
Structure
- User API
  - Create user
  - Verify user
  - Request reset password code
  - Reset password
  - Get current user
- Authentication API
  - Create user session
  - Delete user session
  - Get new access token with refresh tokens
Generating Keys
- Generate new keys: JSEncrypt
  - RSA 1024 bit
- Base64 encode the keys: Base64Encode
- Private and Public Keys for Access and Refresh
Access & Refresh Token Flow
```mermaid
graph TD
A[Authorized Request]--> B{Is the access token valid?}
B -->|NO| C(Return Unauthorized error)
B -->|YES| D{Has the access token expired?}
D -->|YES| E{Is a valid refresh token included?}
D -->|NO| F["Process request (Go to route handler)"]
E -->|YES| G(Issue a new access token)
E -->|NO| C
```
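The key-generation steps and the token flow above, as an added TypeScript example (not the project's own code): it uses Node's built-in crypto module in place of jsonwebtoken, and assumes 2048-bit keys (the README lists 1024-bit), a 900-second access-token lifetime and a `sub` claim holding the user id.

```typescript
import { generateKeyPairSync, createSign, createVerify } from "crypto";
// Constructed keys, following the "Generating Keys" steps: one RSA pair for access
// tokens, one for refresh tokens, each PEM base64-encoded to fit in a config value.
// (Assumption: 2048-bit keys here; the README lists 1024-bit.)
function makeKeyPair() {
  const { publicKey, privateKey } = generateKeyPairSync("rsa", {
    modulusLength: 2048,
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem" },
  });
  return { pub: Buffer.from(publicKey).toString("base64"),
           priv: Buffer.from(privateKey).toString("base64") };
}
const keys = { access: makeKeyPair(), refresh: makeKeyPair() };
const b64url = (s: string | Buffer) => Buffer.from(s).toString("base64url");
const fromB64 = (s: string) => Buffer.from(s, "base64").toString();
const now = () => Math.floor(Date.now() / 1000);

// Minimal RS256 JWT signing (a stand-in for jsonwebtoken's sign()).
function signJwt(claims: Record<string, unknown>, privB64: string, ttlSec: number): string {
  const head = b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const body = b64url(JSON.stringify({ ...claims, iat: now(), exp: now() + ttlSec }));
  const sig = createSign("RSA-SHA256").update(`${head}.${body}`).sign(fromB64(privB64));
  return `${head}.${body}.${b64url(sig)}`;
}

// The signature is checked before anything in the payload is trusted; expiry is
// reported separately so the caller can decide whether a refresh token may be used.
function verifyJwt(token: string, pubB64: string) {
  const [head, body, sig] = token.split(".");
  let ok = false;
  try {
    ok = !!sig && createVerify("RSA-SHA256").update(`${head}.${body}`)
      .verify(fromB64(pubB64), Buffer.from(sig, "base64url"));
  } catch { /* malformed token: treat as invalid */ }
  if (!ok) return { valid: false, expired: false, payload: null as any };
  const payload = JSON.parse(Buffer.from(body, "base64url").toString());
  // A token without a numeric exp counts as expired rather than as never expiring.
  return { valid: true, expired: !(Number(payload.exp) > now()), payload };
}

// The decision in the flow diagram, as one function run per request.
function deserializeUser(accessToken: string, refreshToken?: string) {
  const access = verifyJwt(accessToken, keys.access.pub);
  if (!access.valid) return { outcome: "unauthorized" as const };      // bad signature
  if (!access.expired) return { outcome: "process" as const, user: access.payload.sub };
  const refresh = refreshToken ? verifyJwt(refreshToken, keys.refresh.pub) : null;
  if (!refresh?.valid || refresh.expired) return { outcome: "unauthorized" as const };
  const newAccessToken = signJwt({ sub: refresh.payload.sub }, keys.access.priv, 900);
  return { outcome: "new-access-token" as const, user: refresh.payload.sub, newAccessToken };
}
```

Because the refresh token is verified against its own public key, a token signed with the access key is rejected when presented as a refresh token, which is the reason for keeping the two key pairs separate.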