A comprehensive RESTful API implementation with robust security features including OAuth 2.0, JWT tokens, and role-based access control.
This API implementation includes:
-
- Registration & Login
- Access tokens (short-lived)
- Refresh tokens (long-lived)
- Token revocation
-
- Stateless authentication
- Payload encryption
- Role & permission encoding
-
- Granular permission management
- Resource ownership checks
- Role-based API endpoints
-
- HTTPS enforcement(in production)
- Helmet.js security headers
- CSRF protection
- Rate limiting (IP-based and Redis-backed)
- MongoDB injection protection
- XSS protection
- HTTP parameter pollution protection
- Secure cookie settings
- Request logging
- Input validation
- Node.js(v14+)
- MongoDB(v4+)
- Redis(optional, for production rate limiting)
git clone https://github.com/NK-Forge/Portfolio/tree/main/Secure_RESTful_API
cd secure_restful_apinpm installcp .env.example .env# Generate secure random strings for JWT_ACCESS_SECRET and JWT_REFRESH_SECRET
# You can use: node -e
"console.log(require('crypto').randomBytes(32).toString('hex'))"npm run devnpm start-
- Request body:
{ "username": "user1", "email": "user1@example.com", "password": "password123" } - Response:User object with access and refresh tokens
- Request body:
-
- Request body:
{ "username": "user1", "email": "user1@example.com", "password": "password123" } - Response:User object with access and refresh tokens
- Request body:
-
- Request body:
{ "refreshToken": "your-refresh-token" } - Response:New access and refresh tokens
- Request body:
-
- Headers:
Authorization: Bearer your-access-token - Response:Success message
- Headers:
-
- Headers:
Authorization: Bearer your-access-token - Response:Success message
- Headers:
-
- Headers:
Authorization: Bearer your-access-token - Response:User object
- Headers:
-
- Headers:
Authorization: Bearer your-access-token - Request body:
{ "username": "updated_username" } - Response:Updated user object
- Headers:
-
- Headers:
Authorization: Bearer your-access-token - Request body:
{ "roles": ["user", "admin"] } - Response:Updated user object
- Headers:
-
- Headers:
Authorization: Bearer your-access-token - Response:Empty object
- Headers:
-
- Headers:
Authorization: Bearer your-access-token - Request body:
{ "title": "Resource Title", "description": "Resource description", "accessLevel": "private" } - Responce:Resource object
- Headers:
-
- Headers:
Authorization: Bearer your-access-token*Response:Array of resource objects
- Headers:
-
- Headers:
Authorization: Bearer your-access-token - Response:Resource object
- Headers:
-
- Headers:
Authorization: Bearer your-access-token - Request body:
{ "title": "Updated Title" } - Response:Updated resource object
- Headers:
-
- Headers:
Authorization: bearer your-access-token - Responce: Empty object
- Headers:
-
- Headers:
Authorization: Bearer your-access-token - Request body:
{ "userId": "user_id", "role": "role_name" } - Response:Updated resource object
- Headers:
-
- Headers:
Authorization: Bearer your-access-token - Request body:
{ "userId": "user_id", "role": "role_name" } - Response:Updated resource object
- Headers:
- Never expose your JWT secrets or any API keys in client-side code
- Rotate secrets and keys regularly
- Use environment variables for all sensitive configuration
- Validate all input data before processing
- Use schema validation libraries(like Joi or Yup)
- Sanitize inputs to prevent injection attacks
- Implemenmt least privilege principle
- Check permissions on every protected route
- Validate user roles and permissions
- Encrypt sensitive data at rest
- Use HTTPS for data in transit
- Implement proper database security
- Use generic error messages to clients
- Log detailed errors server-side
- Don't expose stack traces in production
- Log all authentication events
- Monitor for suspicious activity
- Implement audit trails for sensitive operations
Run tests with:
npm testThis project is licensed under the MIT License-see the LICENSE file for details.