A production-ready authentication system built with MongoDB, Express, React, Node.js, and TypeScript.
Authentication:
- User registration with email verification
- Secure login with JWT (access + refresh tokens)
- Password reset via email
- Change password (for logged-in users)
- Session management with refresh token rotation
- True logout (server-side token invalidation)
- Password hashing with bcrypt
- httpOnly cookies for refresh tokens
- Rate limiting on auth endpoints
- Input validation and sanitization
- Role-based access control (RBAC)
- XSS protection
- CORS configuration

Admin:
- User management dashboard
  - View all users
  - Update user roles
  - Delete users
  - User statistics

Email:
- Email verification
- Welcome emails
- Password reset emails
- Resend verification option
- Tech Stack
- Installation
- Environment Variables
- API Documentation
- Project Structure
- Testing
- Deployment
- Contributing
Backend:
- Node.js & Express.js
- TypeScript
- MongoDB & Mongoose
- JWT (jsonwebtoken)
- bcryptjs
- Resend
- express-rate-limit
- express-validator
- cookie-parser
Development:
- ts-node-dev
- TypeScript
- ESLint (optional)
- Prettier (optional)
Prerequisites:
- Node.js (v18 or higher)
- MongoDB (local or Atlas)
- npm or yarn

Steps:
- Clone the repository
  ```bash
  git clone https://github.com/Favourof/mern-auth-system
  cd mern-auth-system
  ```
- Install dependencies
  ```bash
  npm install
  ```
- Create the .env file
  ```bash
  cp .env.example .env
  ```
- Configure environment variables (see Environment Variables)
- Start the development server
  ```bash
  npm run dev
  ```
  The server listens on http://localhost:5000 by default, or on whatever PORT you set. The Postman environment below assumes port 4002, so keep the two in sync.
Create a .env file in the server directory:

```bash
# Server Configuration
PORT=
NODE_ENV=development

# Database
MONGO_URL=mongodb://localhost:27017/auth-db

# JWT Secrets (generate with: node -e "console.log(require('crypto').randomBytes(64).toString('hex'))")
JWT_SECRET=your_access_token_secret_here
JWT_REFRESH_SECRET=your_refresh_token_secret_here

# Client URL (the exact origin the React app is served from, no trailing slash)
CLIENT_URL=https://client-mu-ebon.vercel.app

# Email Configuration
RESEND_API_KEY=
EMAIL_FROM=noreply@yourapp.com
```

Generate the secrets with:

```bash
node -e "console.log(require('crypto').randomBytes(64).toString('hex'))"
```

Run this twice so the access and refresh secrets are different; if they were the same, a refresh token would verify as an access token. CLIENT_URL is compared against the browser's Origin header, which never carries a trailing slash, so an exact-match CORS check fails if you leave one on.
Postman:
- Import Collection
- Set Environment Variables:
  ```text
  base_url: http://localhost:4002/api
  access_token: (set after login)
  ```
Exercise the endpoints in this order:

```text
# 1. Register
POST /api/auth/register
# 2. Check the server console for the verification link
# 3. Verify email
POST /api/auth/verify-email
# 4. Login
POST /api/auth/login
# 5. Access a protected route
GET /api/auth/me
# 6. Logout
POST /api/auth/logout
# 7. Refresh token
POST /api/auth/refresh
# 8. Request password reset
POST /api/auth/forgot-password
# 9. Reset password
POST /api/auth/reset-password
# 10. Change password (logged-in users). Listed as GET in the original; a password
#     change carries the old and new password in the body and should be POST or PUT.
GET /api/auth/change-password

# Admin routes (require the admin role via RBAC)
# 11. Get all users
GET /api/admin/users
# 12. Get user by id
GET /api/admin/users/:id
# 13. Change user role
PUT /api/admin/users/:id
# 14. Get user stats
GET /api/admin/stats
# 15. Delete user by id
DELETE /api/admin/:id
```

- Push to GitHub
  ```bash
  git add .
  git commit -m "Ready for deployment"
  git push origin main
  ```
- Connect to Railway/Render
  - Import repository
  - Add environment variables
  - Deploy
- MongoDB Atlas Setup
  - Create cluster
  - Whitelist the Railway/Render egress IPs. "Allow all" (0.0.0.0/0) leaves the cluster reachable from the whole internet with only the database password in the way; use it only as a temporary fallback.
  - Update MONGO_URL in the environment variables

Production checklist:
- Set NODE_ENV=production
- Use strong JWT secrets (64 random bytes each; access and refresh secrets must differ)
- Configure a real email service (SendGrid, AWS SES)
- Enable CORS for your frontend domain only (exact origin match, with `credentials: true` so the refresh cookie is sent)
- Set secure cookie options (`httpOnly`, `secure`, an explicit `sameSite`; a client and API on different sites need `SameSite=None; Secure`)
- Add monitoring (e.g., Sentry)
- Enable HTTPS
- Set up proper logging (never log tokens, passwords or reset links)
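The checklist above asks for strong, distinct JWT secrets, CORS limited to the frontend origin and secure cookie options, but none of that is checked anywhere at start-up. The following is an added example, not code from the mern-auth-system repository: a config validator over the .env keys documented on this page, the refresh-cookie options for dev versus production, and an exact-match origin check suitable for the `cors` middleware's `origin` callback. The function names, the minimum secret length, the 7-day cookie lifetime and the `crossSite` flag are this example's own assumptions.

```javascript
// Added example (not the project's code): fail-fast validation of the documented
// .env values plus the cookie and CORS settings from the production checklist.

const MIN_SECRET_BYTES = 32; // assumed floor (256 bits); the README's generator gives 64 bytes

// Returns a list of problems; an empty list means the config is usable.
function validateConfig(env) {
  const problems = [];
  const prod = env.NODE_ENV === "production";
  for (const key of ["JWT_SECRET", "JWT_REFRESH_SECRET", "MONGO_URL", "CLIENT_URL"]) {
    if (!env[key]) problems.push(`${key} is not set`);
  }
  for (const key of ["JWT_SECRET", "JWT_REFRESH_SECRET"]) {
    const value = env[key] || "";
    if (/^your_/.test(value) || value.includes("secret_here")) {
      problems.push(`${key} still holds the .env.example placeholder`);
    } else if (Buffer.byteLength(value) < MIN_SECRET_BYTES) {
      problems.push(`${key} is shorter than ${MIN_SECRET_BYTES} bytes`);
    }
  }
  if (env.JWT_SECRET && env.JWT_SECRET === env.JWT_REFRESH_SECRET) {
    problems.push("JWT_SECRET and JWT_REFRESH_SECRET must differ, or a refresh token is also a valid access token");
  }
  if (env.CLIENT_URL) {
    if (env.CLIENT_URL.endsWith("/")) {
      problems.push("CLIENT_URL must not have a trailing slash: the browser's Origin header has none, so an exact CORS match would never succeed");
    }
    if (prod && !env.CLIENT_URL.startsWith("https://")) problems.push("CLIENT_URL must be https in production");
  }
  if (prod && !env.RESEND_API_KEY) problems.push("RESEND_API_KEY is required in production");
  return problems;
}

// Options for the refresh-token cookie. `crossSite` is true when the React client
// and the API live on different sites (e.g. a Vercel client and a Railway API).
function refreshCookieOptions(env, crossSite) {
  const prod = env.NODE_ENV === "production";
  return {
    httpOnly: true,                          // page scripts cannot read it, so XSS cannot exfiltrate it
    secure: prod || crossSite,               // TLS only; browsers reject SameSite=None without Secure
    sameSite: crossSite ? "none" : "strict", // cross-site client/API needs None, otherwise Strict
    path: "/api/auth/refresh",               // only sent to the refresh route (add logout if it reads the cookie)
    maxAge: 7 * 24 * 60 * 60 * 1000,         // assumed refresh lifetime (ms); keep equal to the token's exp
  };
}

// Exact-match origin check for cors({ origin: (o, cb) => cb(null, isAllowedOrigin(env, o)) }).
// Prefix or substring matching would let https://<client>.evil.example through.
function isAllowedOrigin(env, requestOrigin) {
  if (!requestOrigin) return false; // no Origin header: deny for credentialed requests
  return requestOrigin === env.CLIENT_URL;
}

module.exports = { validateConfig, refreshCookieOptions, isAllowedOrigin };
```

Call `validateConfig(process.env)` before the server starts listening and exit on a non-empty result; a placeholder secret or identical access/refresh secrets is a bug to stop on, not to warn about. The `crossSite` flag matters for the deployment this README describes (client on Vercel, API on Railway or Render): with `SameSite=Strict` or `Lax` the browser never sends the refresh cookie to a different site, so refresh silently fails.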
- Fork the repository
- Create your feature branch (`git checkout -b feature/AmazingFeature`)
- Commit your changes (`git commit -m 'Add some AmazingFeature'`)
- Push to the branch (`git push origin feature/AmazingFeature`)
- Open a Pull Request
This project is licensed under the MIT License.
Author: Favour Omotosho Ezekiel
- GitHub: @favourof
- LinkedIn: Favour Omotosho Ezekiel

For support, email favourtobiloba200@gmail.com or open an issue on GitHub.

Deployed client: https://client-mu-ebon.vercel.app/

If you find this project helpful, please give it a star!