This backend is built with Node.js, Express.js, and MongoDB Atlas to handle user authentication, role-based access control (RBAC), and user management functionalities. It includes features like secure password hashing, JWT-based authentication, and role-based permissions for users, moderators, and admins.
You can access the live project at: https://vrv-security-two.vercel.app/login.
## Admin Credentials

To log in as an admin and explore all available features, use the following credentials:

- Email: `admin@vrv.com`
- Password: `Admin@123`
- Technology Stack
- Features
- Roles and Permissions
- Controllers
- Middlewares
- Security Features
- Usage and API Endpoints
- Setup Instructions
- Future Enhancements
## Technology Stack

- Node.js: Server-side runtime environment.
- Express.js: Web framework for building RESTful APIs.
- MongoDB Atlas: Cloud-based database for managing user data.
- bcrypt.js: Library for hashing passwords.
- jsonwebtoken (JWT): For secure user authentication.
## Features

- JWT Authentication:
  - Generates a secure `access_token` upon successful login.
  - Token contains the user's `_id` and `role`.
  - Token expiry times are adjustable via `token-expiry.constant.js`:
    - User: 24 hours.
    - Admin/Moderator: 1 hour.
- Password Security:
  - Uses `bcrypt.js` to hash passwords before storing them in the database.
- Role-Based Access Control (RBAC):
  - User: Can view their profile.
  - Moderator: Can view all registered users but cannot make changes.
  - Admin: Can view, delete, and now update the roles of users.
  - The admin can change roles between `User` and `Moderator` using the route `PATCH /user/profile-role/:userId`.
  - The maximum number of moderators is configurable in `moderator.constant.js` (default: 5).
  - Note: The project allows only one admin through the interface, while multiple users and moderators are allowed.
- User Registration and Login:
  - Users can sign up and log in via forms on the website.
  - Passwords and emails are validated for security.
  - Checks for duplicate emails during signup.
- Automatic Admin Creation:
  - If no admin exists, one is created automatically using credentials from ENV variables:
    ```
    ADMIN_USERNAME = {username}
    ADMIN_EMAIL = {email}
    ADMIN_PASSWORD = {password}
    ```
  - Logs success or failure in the server logs during startup.
- CORS Configuration:
  - Proper CORS options are implemented to enhance security.
## Roles and Permissions

| Role | Permissions |
|---|---|
| User | View their profile. |
| Moderator | View all registered users (read-only access). |
| Admin | View, delete users, and update user roles. |
## Controllers

- Auth endpoints:
  - `POST /auth/signup`:
    - Registers a new user.
    - Validates email and password format.
    - Ensures `password` matches `confirmPassword`.
    - Hashes the password using `bcrypt`.
    - Checks for duplicate emails in the database.
  - `POST /auth/login`:
    - Authenticates user credentials.
    - Generates a JWT token containing `_id` and `role`.
- User endpoints:
  - `GET /user/profile`:
    - Fetches the logged-in user's profile.
    - Accessible only to the `User` role.
  - `GET /user/all-profile`:
    - Fetches all registered users.
    - Accessible to the `Moderator` and `Admin` roles.
  - `PATCH /user/profile-role/:userId`:
    - Updates the role of a user.
    - Role can be toggled between `User` and `Modera tor`.
    - Admin-only access.
  - `DELETE /user/profile/:userId`:
    - Deletes a user by ID.
    - Accessible only to the `Admin` role.
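The role-update rules described for `PATCH /user/profile-role/:userId` (admin-only, `User`/`Moderator` toggle, the moderator cap from `moderator.constant.js`, the single admin never demoted) as one pure function over an in-memory user list. This is an added example, not the project's own handler; the user records, the cap value passed in, and the HTTP status codes chosen for each rejection are assumptions.

```javascript
// Added example (not the project's code): the decision logic behind
// PATCH /user/profile-role/:userId as a pure function, testable without MongoDB.
// Status codes for the rejections are this example's choice, not the project's.
const MAX_MODERATORS = 5; // the project keeps this value in moderator.constant.js

const ROLES = { USER: "User", MODERATOR: "Moderator", ADMIN: "Admin" };

// `users` is an array of { _id, role }; `actor` is the caller taken from req.user.
// Returns { ok: true, user } or { ok: false, status, error }; never mutates on failure.
function updateUserRole(users, actor, targetId, newRole, maxModerators = MAX_MODERATORS) {
  // Only the admin may change roles (the authorize middleware also enforces this).
  if (!actor || actor.role !== ROLES.ADMIN) {
    return { ok: false, status: 403, error: "Forbidden" };
  }
  // The route only toggles between User and Moderator; Admin is never assignable.
  if (newRole !== ROLES.USER && newRole !== ROLES.MODERATOR) {
    return { ok: false, status: 400, error: "role must be User or Moderator" };
  }
  const target = users.find((u) => u._id === targetId);
  if (!target) return { ok: false, status: 404, error: "user not found" };
  // The single admin account cannot be demoted through this route.
  if (target.role === ROLES.ADMIN) {
    return { ok: false, status: 400, error: "cannot change the admin's role" };
  }
  if (target.role === newRole) {
    return { ok: false, status: 409, error: `user is already a ${newRole}` };
  }
  // Promotion is refused once the configured moderator limit is reached.
  if (newRole === ROLES.MODERATOR) {
    const count = users.filter((u) => u.role === ROLES.MODERATOR).length;
    if (count >= maxModerators) {
      return { ok: false, status: 409, error: `moderator limit (${maxModerators}) reached` };
    }
  }
  target.role = newRole;
  return { ok: true, user: target };
}
```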
## Middlewares

- Token Middleware:
  - Verifies JWT tokens for:
    - Validity.
    - Expiration.
    - Correct signature.
  - Adds the decoded token data (`_id` and `role`) to the request object (`req.user`).
- Authorize Middleware:
  - Ensures the user has the appropriate role for the requested route.
  - Rejects access with a `403 Forbidden` response if the user lacks the required permissions.
## Usage and API Endpoints

| Endpoint | Method | Description | Authorization |
|---|---|---|---|
| `/auth/signup` | POST | Registers a new user with email and password. | Public |
| `/auth/login` | POST | Logs in a user and returns a JWT token. | Public |
| `/user/profile` | GET | Retrieves the logged-in user's profile. | User |
| `/user/all-profile` | GET | Fetches all users. | Moderator, Admin |
| `/user/profile-role/:id` | PATCH | Updates a user's role (User ↔ Moderator). | Admin |
| `/user/profile/:id` | DELETE | Deletes a user's profile by their ID. | Admin |
## Security Features

- Password Hashing:
  - Ensures passwords are securely stored using `bcrypt` with a salt factor.
- JWT Authentication:
  - Access tokens are generated and verified using a secret key.
  - Tokens are short-lived to minimize risk.
- CORS Options:
  - Configured to restrict access to trusted origins.
- Input Validation:
  - Ensures emails follow standard patterns.
  - Confirms passwords match before storing.
- Automatic Admin Creation:
  - Logs errors if admin creation fails, while ensuring server continuity.
## Setup Instructions

To run the project locally, ensure you have Node.js and MongoDB installed. Follow these steps:

1. Clone the repository:
   ```bash
   git clone https://github.com/DeepakS-Github/VRV-Security-Backend-Intern-Assignment
   cd VRV-Security-Backend-Intern-Assignment
   ```
2. Frontend Setup:
   - Navigate to the project `client` folder.
   - Create a `.env` file in the root directory of the `client` folder.
   - Add the following environment variables to the client `.env` file:
     ```
     VITE_SERVER_URL = "https://vrv-security-server.onrender.com" # Use the hosted backend URL
     # For local development, use the local server URL:
     # VITE_SERVER_URL = "http://localhost:{PORT}" # Replace {PORT} with the port number defined in your server's `.env` file
     ```
   - To run the Frontend:
     ```bash
     npm run dev
     ```
3. Backend Setup:
   - Navigate to the `server` folder.
   - Create a `.env` file in the root directory of the `server` folder.
   - Add the following environment variables to the server `.env` file:
     ```
     MONGO_DB_URL = {mongodb url}
     JWT_SECRET = {jwt secret}
     PORT = {port}
     ADMIN_USERNAME = {custom_admin_username}
     ADMIN_EMAIL = {custom_admin_email}
     ADMIN_PASSWORD = {custom_admin_password}
     ```
   - To run the Backend:
     ```bash
     node index
     ```
## Future Enhancements

- Add password reset functionality.
- Implement account deactivation instead of permanent deletion.
- Add activity logging for admin actions (e.g., deleting users).
- Use refresh tokens for improved authentication management.
- Implement rate-limiting to prevent brute-force attacks.
