A secure backend built with Node.js, Express, MongoDB, JWT, and bcrypt.
## Project structure

```
auth-system/
├── src/
│   ├── config/
│   │   └── db.js              # MongoDB connection
│   ├── controllers/
│   │   ├── authController.js  # Register & Login logic
│   │   └── userController.js  # User CRUD operations
│   ├── middleware/
│   │   └── auth.js            # JWT verify + Role guard
│   ├── models/
│   │   └── User.js            # Mongoose schema (auto-hashes password)
│   ├── routes/
│   │   ├── authRoutes.js      # /api/auth/*
│   │   └── userRoutes.js      # /api/users/*
│   └── server.js              # Entry point
├── .env
├── package.json
└── README.md
```
## Prerequisites

- Node.js v18+
- MongoDB (local or MongoDB Atlas)
## Installation

```bash
npm install
```

Edit `.env` with your values:

```env
PORT=5000
MONGO_URI=mongodb://localhost:27017/learning_platform
JWT_SECRET=your_super_secret_key_here
JWT_EXPIRES_IN=7d
```

## Running

```bash
# Development (auto-restart)
npm run dev

# Production
npm start
```

Server starts at: http://localhost:5000
## Security overview

| Concept | Implementation |
|---|---|
| Password Hashing | `bcryptjs` with salt rounds = 12 |
| Token | JWT signed with `JWT_SECRET`, expires in 7 days |
| Token Location | `Authorization: Bearer <token>` header |
| Role Guard | `restrictTo('admin')` middleware on protected routes |
## Auth endpoints (`/api/auth/*`)

| Method | Endpoint | Description |
|---|---|---|
| POST | `/api/auth/register` | Register a new user |
| POST | `/api/auth/login` | Login and get JWT token |
## User endpoints (`/api/users/*`)

| Method | Endpoint | Role | Description |
|---|---|---|---|
| GET | `/api/users/me` | Student / Admin | Get own profile |
| PUT | `/api/users/me` | Student / Admin | Update own profile |
| GET | `/api/users` | Admin only | Get all users |
| GET | `/api/users/:id` | Admin only | Get any user by ID |
| DELETE | `/api/users/:id` | Admin only | Delete any user |
## Example requests

### Register

Request:

```http
POST /api/auth/register
Content-Type: application/json

{
  "name": "Rahul Sharma",
  "email": "[email protected]",
  "password": "secret123",
  "role": "student"
}
```

Response (201):

```json
{
  "message": "Registration successful.",
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "user": {
    "id": "6639f3a1b8e6a20012345678",
    "name": "Rahul Sharma",
    "email": "[email protected]",
    "role": "student"
  }
}
```

### Login

Request:

```http
POST /api/auth/login
Content-Type: application/json

{
  "email": "[email protected]",
  "password": "secret123"
}
```

Response (200):

```json
{
  "message": "Login successful.",
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "user": {
    "id": "6639f3a1b8e6a20012345678",
    "name": "Rahul Sharma",
    "email": "[email protected]",
    "role": "student"
  }
}
```

### Get own profile

Request:

```http
GET /api/users/me
Authorization: Bearer <your_token>
```

Response (200):

```json
{
  "user": {
    "_id": "6639f3a1b8e6a20012345678",
    "name": "Rahul Sharma",
    "email": "[email protected]",
    "role": "student",
    "bio": "",
    "createdAt": "2024-05-01T10:00:00.000Z"
  }
}
```

### Update own profile

Request:

```http
PUT /api/users/me
Authorization: Bearer <your_token>
Content-Type: application/json

{
  "name": "Rahul S.",
  "bio": "I love learning!"
}
```

Response (200):

```json
{
  "message": "Profile updated successfully.",
  "user": {
    "_id": "6639f3a1b8e6a20012345678",
    "name": "Rahul S.",
    "bio": "I love learning!",
    "role": "student"
  }
}
```

### Get all users (admin only)

Request:

```http
GET /api/users
Authorization: Bearer <admin_token>
```

Response (200):

```json
{
  "count": 2,
  "users": [
    { "_id": "...", "name": "Rahul Sharma", "email": "[email protected]", "role": "student" },
    { "_id": "...", "name": "Admin User", "email": "[email protected]", "role": "admin" }
  ]
}
```

### Delete a user (admin only)

Request:

```http
DELETE /api/users/6639f3a1b8e6a20012345678
Authorization: Bearer <admin_token>
```

Response (200):

```json
{
  "message": "User \"Rahul Sharma\" deleted successfully."
}
```

### Error responses

A student trying to access admin routes:

Response (403):

```json
{
  "message": "Access denied. Only [admin] can perform this action."
}
```

A request without a token:

Response (401):

```json
{
  "message": "Access denied. No token provided."
}
```

## Testing

- Register a user and copy the `token` from the response.
- In subsequent requests, add the header `Authorization: Bearer <token>`.
- Register an admin with `"role": "admin"` to test admin routes.

Note that because `/api/auth/register` accepts `role` from the request body, any caller can register as an admin; this is convenient for local testing, but role assignment should be moved server-side before the API is exposed beyond a learning setup.