
RESTful API using NodeJs, Express, Mongoose, Typescript and JSON Web Tokens

enzoarguello512/node-rest-jwt

node-rest-jwt

RESTful API using NodeJs, Express, Mongoose, Typescript and JSON Web Tokens

License: MIT | Twitter: enzoarguello512

Greetings 👋 and welcome to the morfi backend server repository, which contains the code that manages the store page, user registration and client communication. In addition, the front-end section of the application has been updated to React, which is responsible for communicating with the server.

✨ Active deployments

(Please bear in mind that the site will take a while to load since it's deployed on a free tier, but it will load, just give it some time 😉)

📦 Main features

  • Session management with JSON Web Tokens (aka "jwt") (authentication, session inactivity, auto-login, token rotation, etc)
  • Artillery performance testing
  • Nodemailer and Twilio for sending emails, SMS and whatsapp messages
  • Query-based filtering of products
  • A socket.io-based chat implementation
  • Swagger-made documentation
  • You can upload images to the cloud with cloudinary and express-fileupload
  • Application logging with winston
  • Utilizing CORS for whitelisting origins
  • Mocha, chai and supertest for unit and API testing
  • Multi-threading and clustering are optional methods to improve performance.

⚡ Future features

  • Validation with express-validator

📄 Documentation

With the server running locally, the API documentation is served at http://localhost:8080/docs, and the raw OpenAPI definition as JSON at http://localhost:8080/docs.json. A Postman collection is also available:

Run in Postman

🔓 Authentication

In order to avoid misunderstandings, I will proceed to explain authentication in the following paragraph. 👇

JWTs are validated by two pieces of middleware, JwtMiddleware and PermissionMiddleware. They can be commented out or removed to speed up local testing, but only in a local checkout: a deployed instance must keep both in place, because without them every protected route is reachable by unauthenticated callers.

JwtMiddleware reads the token from the Authorization request header, verifies it (JWTs are signed, not encrypted, so anyone holding a token can read its payload; what the middleware checks is the signature and expiry) and attaches the decoded claims to res.locals.jwt for the middleware and handlers that follow. The header must use the Bearer ${token} format for this to work.

PermissionMiddleware then checks that the authenticated user holds the permissions the route requires. 😅

As soon as a user authenticates, they receive an access token (in the response body) and a refresh token (in the response headers, to be kept in a cookie). The access token proves that they are authenticated and carries their permissions; it expires every 10 minutes. The refresh token is used to check whether the session is still active and to issue new access tokens.

Only two endpoints require the refresh-token cookie to function correctly; every other protected endpoint uses the access token.

  • /auth authenticates an already registered user with email and password. On success it returns both tokens, the refresh token and the access token. This endpoint does not require cookies.
  • /auth/refresh-token renews both the refresh token and the access token (token rotation) and extends the session, which by default lasts 24 hours (the lifetime of the refresh token). It requires the refresh token to be present in the cookies.
  • /auth/logout deletes the client's refresh token. It also requires the refresh token to be present in the cookies.

The front-end already handles all of this; if you want to make a request by hand, include the following headers:

  • An Authorization header carrying the JWT (the Bearer scheme followed by the token):

    headers.set('authorization', `Bearer ${token}`);
  • Credentials (cookies) may be included in the request, but they are only needed for the /auth/** endpoints that read the refresh-token cookie (/auth/refresh-token and /auth/logout):

    credentials: 'include';

    An example of the frontend code responsible for performing this task.
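The flow described in this section, as an added example in TypeScript that is not code from the node-rest-jwt repository: a minimal HS256 signer/verifier standing in for whatever JWT library the project uses, a JwtMiddleware equivalent that requires `Bearer <token>` and puts the verified claims on res.locals.jwt, a PermissionMiddleware equivalent, and an in-memory refresh-token store that rotates tokens the way /auth/refresh-token does and revokes them the way /auth/logout does. The 10-minute and 24-hour lifetimes come from this README; the secret, the Express-like req/res shapes and every name (signJwt, verifyJwt, jwtMiddleware, permissionMiddleware, issueTokens, rotateTokens, logout, makeRes) are assumptions.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "crypto";

// Assumed values: the real project reads its secret and lifetimes from .env.
const JWT_SECRET = "dev-only-secret-change-me";
const ACCESS_TTL_SECONDS = 10 * 60;       // README: access tokens expire every 10 minutes
const REFRESH_TTL_SECONDS = 24 * 60 * 60; // README: a session lasts 24 hours by default

const nowSeconds = () => Math.floor(Date.now() / 1000);
export const b64url = (s: string) => Buffer.from(s).toString("base64url");
export type Claims = { sub: string; permissions: string[]; iat: number; exp: number };

// Minimal HS256 signer; a stand-in for a JWT library, not the project's own code.
export function signJwt(payload: { sub: string; permissions: string[] }, ttl: number, now = nowSeconds()): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify({ ...payload, iat: now, exp: now + ttl }));
  const sig = createHmac("sha256", JWT_SECRET).update(`${header}.${body}`).digest("base64url");
  return `${header}.${body}.${sig}`;
}

// Verifies (not "decrypts") the token: pinned algorithm, constant-time signature
// comparison, then expiry. Returns null on any failure so callers cannot skip a check.
export function verifyJwt(token: string, now = nowSeconds()): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header = "", body = "", sig = ""] = parts;
  try {
    if (JSON.parse(Buffer.from(header, "base64url").toString()).alg !== "HS256") return null; // no alg=none
  } catch { return null; }
  const expected = createHmac("sha256", JWT_SECRET).update(`${header}.${body}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  let claims: Claims;
  try { claims = JSON.parse(Buffer.from(body, "base64url").toString()); } catch { return null; }
  if (!claims || typeof claims !== "object" || typeof claims.exp !== "number" || claims.exp <= now) return null;
  return claims;
}

// Just enough of Express's req/res/next to exercise the middleware without a server.
type Req = { headers: Record<string, string | undefined> };
type Res = { locals: Record<string, unknown>; statusCode: number; status: (c: number) => Res; send: (b?: unknown) => Res };
type Next = () => void;
export function makeRes(): Res {
  const res: Res = { locals: {}, statusCode: 200, status(c) { res.statusCode = c; return res; }, send() { return res; } };
  return res;
}

// JwtMiddleware equivalent: requires "Bearer <token>" and exposes the verified claims as res.locals.jwt.
export function jwtMiddleware(req: Req, res: Res, next: Next): void {
  const [scheme, token] = (req.headers["authorization"] ?? "").split(" ");
  if (scheme !== "Bearer" || !token) { res.status(401).send("missing bearer token"); return; }
  const claims = verifyJwt(token);
  if (!claims) { res.status(401).send("invalid or expired token"); return; }
  res.locals.jwt = claims;
  next();
}

// PermissionMiddleware equivalent: being authenticated is not the same as being authorised.
export function permissionMiddleware(required: string) {
  return (_req: Req, res: Res, next: Next): void => {
    const claims = res.locals.jwt as Claims | undefined;
    if (!claims || !Array.isArray(claims.permissions) || !claims.permissions.includes(required)) {
      res.status(403).send("forbidden");
      return;
    }
    next();
  };
}

// Refresh tokens are opaque random strings tracked server-side so they can be rotated and revoked.
const refreshStore = new Map<string, { sub: string; permissions: string[]; exp: number }>();

// /auth equivalent: the caller puts accessToken in the body and refreshToken in a cookie.
export function issueTokens(sub: string, permissions: string[], now = nowSeconds()) {
  const refreshToken = randomBytes(32).toString("base64url");
  refreshStore.set(refreshToken, { sub, permissions, exp: now + REFRESH_TTL_SECONDS });
  return { accessToken: signJwt({ sub, permissions }, ACCESS_TTL_SECONDS, now), refreshToken };
}

// /auth/refresh-token equivalent: the presented refresh token is consumed and a new pair issued,
// so a stolen copy replayed later is rejected.
export function rotateTokens(refreshToken: string, now = nowSeconds()) {
  const session = refreshStore.get(refreshToken);
  refreshStore.delete(refreshToken);
  if (!session || session.exp <= now) return null;
  return issueTokens(session.sub, session.permissions, now);
}

// /auth/logout equivalent: revoke the refresh token; the short-lived access token simply expires.
export function logout(refreshToken: string): boolean {
  return refreshStore.delete(refreshToken);
}
```

The two things worth noticing are that verifyJwt pins the algorithm before looking at the signature, and that rotateTokens deletes the old refresh token before it decides whether to issue a new pair, so a replayed refresh token fails even if the session has not expired.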

🚀 Example using postman

Example of refresh token in the postman interface

Example of access token in the postman interface

❌ Problems encountered

  • In cluster mode, socket.io generates errors

👨‍💻 Install

npm install

🔥 Usage

This requires a pre-configured ".env" file; an example is provided in .env.example. Use npm run development, because npm start is reserved for production environments. If you start with npm start, you'll have to add your origin to the whitelist in app.config.ts to avoid CORS errors.

npm run development
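An added example of the kind of origin whitelist the note above refers to, written to show the check rather than copied from app.config.ts. ALLOWED_ORIGINS, isAllowedOrigin, corsOriginCallback and the two listed origins are assumptions; the callback shape is the function form of the `cors` package's `origin` option.

```typescript
// Assumed whitelist; the project keeps its own origins in app.config.ts.
const ALLOWED_ORIGINS = new Set<string>([
  "http://localhost:3000",      // assumed local React dev server
  "https://morfi.example.com",  // hypothetical production front-end
]);

// Exact match on the normalised origin (scheme + host + port). A substring or
// unanchored-regex check would also accept "https://morfi.example.com.evil.io".
export function isAllowedOrigin(origin: string | undefined): boolean {
  if (!origin) return false; // no Origin header: nothing to whitelist
  let parsed: URL;
  try { parsed = new URL(origin); } catch { return false; } // e.g. the literal "null" origin
  return ALLOWED_ORIGINS.has(parsed.origin);
}

// Function form of the `cors` package's `origin` option: (requestOrigin, cb) => cb(err, allow).
// When allow is false, cors emits no Access-Control-Allow-Origin header and passes the request on;
// the browser then refuses to expose the response to the cross-origin page.
export function corsOriginCallback(origin: string | undefined, cb: (err: Error | null, allow: boolean) => void): void {
  cb(null, isAllowedOrigin(origin));
}
```

Keeping the list as a Set of full origins means adding a deployment is one line, and there is no pattern to get wrong.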

🧪 Run tests

npm run test

🤝 Contributing

Contributions, issues and feature requests are welcome!
Feel free to check the issues page. You can also take a look at the contributing guide.

📝 License

Copyright © 2022 enzoarguello512.
This project is MIT licensed.
