A modern, full-stack authentication and authorization system built with React, Node.js, and MongoDB, implementing industry-standard security practices.
- Admin Panel: Log in as an administrator to view, edit, or delete users or moderators.
- Moderator Dashboard: If logged in as a moderator, navigate to the moderator panel to manage moderator-specific tasks.
## Table of Contents

- Features
- Tech Stack
- Installation
- Running the Application
- Testing
- Security Best Practices
- API Documentation
- Contributing
- License
## Features

- Secure user registration and login
- Role-Based Access Control (RBAC)
- JWT-based authentication
- Two-Factor Authentication (2FA)
- Session management with token blacklisting
- Password hashing with bcrypt
- Rate limiting to prevent brute force attacks
- Helmet.js for security headers
- CORS protection
- Input validation and sanitization
- Secure password policies
- Automated token cleanup
- Login attempt monitoring
- User profile management
- Admin panel for user administration
- Email verification
- Password reset functionality
- Modern Material-UI interface
- Responsive design
- Protected routes
- User-friendly error handling
- Comprehensive test suite (Jest)
- Development and production configurations
- Code splitting for optimal performance
- Environment-based configurations
## Tech Stack

- Frontend: React, Material-UI, React Router
- Backend: Node.js, Express
- Database: MongoDB with Mongoose
- Authentication: JWT, Speakeasy (2FA)
- Security: Helmet, CORS, Express-validator
- Testing: Jest, React Testing Library
- Others: Nodemailer, QRCode
## Installation

1. Clone the repository:

   ```bash
   git clone [repository-url]
   cd secureAuth
   ```

2. Install dependencies:

   ```bash
   # Install backend dependencies
   npm install

   # Install frontend dependencies
   cd client
   npm install
   ```

3. Set up environment variables:

   ```bash
   # Copy example env file
   cp .env.example .env
   ```

4. Configure your environment variables in `.env`.
## Running the Application

### Development

```bash
# Run both frontend and backend
npm run dev

# Run backend only
npm run server

# Run frontend only
npm run client
```

### Production

```bash
# Build frontend
cd client
npm run build

# Start server
cd ..
npm start
```
## Testing

```bash
# Run all tests
npm test

# Run backend tests
npm run test:backend

# Run frontend tests
npm run test:frontend

# Run tests in watch mode
npm run test:watch
```
## Security Best Practices

- Implements rate limiting for API endpoints
- Uses secure HTTP headers with Helmet.js
- Stores passwords using bcrypt hashing
- Implements JWT token blacklisting
- Monitors and limits login attempts
- Provides 2FA for additional security
- Validates and sanitizes all user inputs
- Implements CORS protection
## API Documentation

### Authentication Endpoints

- `POST /api/auth/register` - User registration
- `POST /api/auth/login` - User login
- `POST /api/auth/logout` - User logout
- `POST /api/auth/2fa/setup` - Setup 2FA
- `POST /api/auth/2fa/verify` - Verify 2FA token
- `POST /api/auth/2fa/disable` - Disable 2FA
- `POST /api/auth/2fa/notify` - Send 2FA status notification
- `POST /api/auth/change-password` - Change user password
- `POST /api/auth/refresh-token` - Refresh access token

### Protected Endpoints

- `GET /api/protected/profile` - Get user profile
- `PUT /api/protected/profile` - Update user profile
- `GET /api/protected/users` - List all users (Admin only)
- `PUT /api/protected/users/:id` - Update user role (Admin only)
- `DELETE /api/protected/users/:id` - Delete user (Admin and Moderator)
### Roles

- Admin: Full access to all endpoints
- Moderator: Can delete regular users, access moderator-specific features
- User: Access to profile management and basic features
### Additional Security Features

- JWT token rotation with refresh tokens
- Two-Factor Authentication (2FA) with backup codes
- Password history tracking
- Account lockout after failed attempts
- Email notifications for security events
## Contributing

1. Fork the repository
2. Create your feature branch (`git checkout -b feature/AmazingFeature`)
3. Commit your changes (`git commit -m 'Add some AmazingFeature'`)
4. Push to the branch (`git push origin feature/AmazingFeature`)
5. Open a Pull Request
## License

This project is licensed under the ISC License.