This backend system is built to manage financial records with role-based access control. It allows users to create, view, update, and delete records based on their role.
- User authentication using JWT
- Role-based access (Admin and Viewer)
- Create, read, update, delete financial records
- Filter records by type and category
- Dashboard summary (income, expenses, balance)
- Input validation and error handling
- Node.js
- Express.js
- MongoDB (Mongoose)
- JWT Authentication
- POST /api/auth/register
- POST /api/auth/login
- POST /api/records (Admin only)
- GET /api/records
- GET /api/records?type=expense
- GET /api/records/summary
- PUT /api/records/:id (Admin only)
- DELETE /api/records/:id (Admin only)
- Admin: Full access
- Viewer: Read-only access
- Clone the repository
- Run
npm install - Create
.envfile: MONGO_URI=your_mongodb_connection JWT_SECRET=your_secret - Run
npm run dev
This project focuses on backend logic, API design, and access control.
-
Register a user with role (admin or viewer)
-
Login to get JWT token
-
Use the token in Authorization header: Authorization: Bearer
-
Admin can:
- Create records
- Update records
- Delete records
-
Viewer can:
- View their own financial records (user-specific data)
- View summary based on their own records
-
Use query parameters for filtering:
- /api/records?type=income
- /api/records?category=food
Example: POST /api/records Authorization: Bearer Body: { "amount": 500, "type": "expense", "category": "food" }
- The request is received by the Express server
- Routes direct the request to the appropriate controller
- Middleware verifies JWT token and user role
- Controller processes the request and interacts with MongoDB
- Response is sent back to the client
Authentication Flow:
- User logs in → server generates JWT token
- Token is sent in headers for protected routes
- Middleware verifies token and extracts user information
Data Flow: Client → Routes → Middleware → Controller → Database → Response
- Clean separation of concerns using routes, controllers, and middleware
- Role-based access control implemented using custom middleware
- Secure authentication using JWT and password hashing
- Passwords are securely hashed using bcrypt before storing in database
- User-specific data handling (records linked to logged-in user)
- Input validation and proper error handling
This project can be further enhanced with the following improvements:
-
Role Enhancement
- Introduce additional roles such as Analyst with access to global data
- Restrict role assignment during registration (only admin can assign roles)
-
Advanced Access Control
- Allow analysts/viewers to view all records for better dashboard insights
- Implement fine-grained permissions (read/write per resource)
-
Pagination & Performance
- Add pagination for large datasets (e.g., limit, skip)
- Optimize queries for better performance
-
Search & Filtering
- Add advanced filtering (date range, multiple categories)
- Implement search functionality for records
-
Dashboard Enhancements
- Category-wise analytics
- Monthly/weekly trends
- Graph-ready API responses
-
Security Improvements
- Use refresh tokens for better authentication handling
- Store JWT secret securely using environment management
- Add rate limiting to prevent abuse
-
Validation Enhancements
- Use validation libraries (e.g., Joi or express-validator)
- Strong schema validation for all inputs
-
Soft Delete
- Instead of deleting records permanently, mark them as inactive
-
API Documentation
- Add Swagger or Postman documentation for easier usage
-
Testing
- Add unit and integration tests for reliability
-
Deployment
- Deploy backend using services like Render or AWS
- Add environment-based configuration (development/production)
This project demonstrates a structured approach to backend development, including authentication, authorization, data management, and API design. It can be further extended into a production-ready system with the improvements listed above. This project reflects my understanding of backend development concepts such as authentication, authorization, and data handling.