A complete RESTful API built with Node.js, Express, TypeScript, and MongoDB featuring user authentication and CRUD operations.
- 🔐 User authentication with session tokens
- 🍪 Cookie-based session management
- 🔒 Protected routes with middleware
- 👤 User CRUD operations
- 🔑 Password hashing with crypto
- 📝 TypeScript for type safety
- 🗄️ MongoDB database
- Runtime: Node.js
- Framework: Express.js
- Language: TypeScript
- Database: MongoDB with Mongoose
- Authentication: Custom session-based auth with crypto
- Node.js (v14 or higher)
- MongoDB (local or Atlas)
- npm or yarn
- Clone the repository:

  ```bash
  git clone https://github.com/kunstewi/rest-api.git
  cd rest-api
  ```

- Install dependencies:

  ```bash
  npm install
  ```

- Create a `.env` file in the root directory:

  ```bash
  cp .env.example .env
  ```

- Update the `.env` file with your configuration:

  ```env
  PORT=5000
  MONGO_URI=mongodb://localhost:27017/rest-api
  SECRET=your-secret-key-here
  ```

- Start the server:

  ```bash
  npm start
  ```

The server will start on http://localhost:5000 (or your configured PORT).
```http
POST /auth/register
Content-Type: application/json

{
  "username": "john_doe",
  "email": "[email protected]",
  "password": "securepassword123"
}
```

```http
POST /auth/login
Content-Type: application/json

{
  "email": "[email protected]",
  "password": "securepassword123"
}
```

Response: Sets a session cookie `KUNSTEWI-AUTH`.

```http
POST /auth/logout
```

Note: Requires authentication cookie.

All user endpoints require authentication (session cookie).

```http
GET /users
Cookie: KUNSTEWI-AUTH=<session-token>
```

```http
GET /users/:id
Cookie: KUNSTEWI-AUTH=<session-token>
```

```http
PATCH /users/:id
Cookie: KUNSTEWI-AUTH=<session-token>
Content-Type: application/json

{
  "username": "new_username"
}
```

Note: Users can only update their own profile.

```http
DELETE /users/:id
Cookie: KUNSTEWI-AUTH=<session-token>
```

Note: Users can only delete their own account.
```text
rest-api/
├── src/
│   ├── controllers/
│   │   ├── authenticationController.ts   # Auth logic
│   │   └── userController.ts             # User CRUD logic
│   ├── db/
│   │   ├── db.ts                         # Database connection
│   │   └── users.ts                      # User model & queries
│   ├── helpers/
│   │   └── helper.ts                     # Crypto utilities
│   ├── middlewares/
│   │   ├── isAuthenticated.ts            # Auth middleware
│   │   └── isOwner.ts                    # Ownership middleware
│   ├── router/
│   │   ├── authenticationRouter.ts       # Auth routes
│   │   ├── userRouter.ts                 # User routes
│   │   └── router.ts                     # Main router
│   ├── index.ts                          # App entry point
│   └── types.ts                          # TypeScript types
├── .env.example                          # Environment template
├── .gitignore
├── nodemon.json
├── package.json
└── tsconfig.json
```
`isAuthenticated`: verifies that the user has a valid session token in their cookies and attaches the user object to `req.identity`.

`isOwner`: verifies that the authenticated user owns the resource they're trying to modify (based on the URL parameter ID).
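The two middlewares described above, as an added example that is not the project's own code (the real ones live in `src/middlewares/isAuthenticated.ts` and `src/middlewares/isOwner.ts`, which this README does not show). The example is written against minimal stand-ins for Express's `Request`, `Response` and `NextFunction` so it runs without `express` or MongoDB installed; the cookie name `KUNSTEWI-AUTH` and the `req.identity` property come from the README, while the injected `SessionLookup`, the status codes (401 for a missing or unknown session, 403 for a wrong owner) and the `runOwnerChain` helper are assumptions made for the example.

```typescript
// Cookie name documented in the API section of the README.
const SESSION_COOKIE = "KUNSTEWI-AUTH";

export interface User {
  _id: string;
  username: string;
}

// Subset of Express's req/res that the middlewares touch (stand-ins, not express types).
export interface Req {
  cookies: Record<string, string | undefined>;
  params: Record<string, string>;
  identity?: User; // set by isAuthenticated, read by isOwner
}
export interface Res {
  statusCode: number;
  sendStatus(code: number): void;
}
export type Next = () => void;

// Hypothetical lookup: the project resolves a session token to a user through Mongoose
// (src/db/users.ts). It is injected here so an in-memory Map can stand in for the DB.
export type SessionLookup = (token: string) => User | undefined;

export function isAuthenticated(lookup: SessionLookup) {
  return (req: Req, res: Res, next: Next): void => {
    const token = req.cookies[SESSION_COOKIE];
    if (!token) { res.sendStatus(401); return; }          // no session cookie at all
    const user = lookup(token);
    if (!user) { res.sendStatus(401); return; }           // cookie present but no live session
    req.identity = user;                                   // downstream handlers read this
    next();
  };
}

export function isOwner(req: Req, res: Res, next: Next): void {
  const currentUserId = req.identity?._id;
  if (!currentUserId) { res.sendStatus(401); return; }    // isOwner must run after isAuthenticated
  if (currentUserId !== req.params.id) { res.sendStatus(403); return; } // someone else's resource
  next();
}

// Test double for Express's res that records the status the middleware sent.
export function fakeRes(): Res {
  const res: Res = { statusCode: 0, sendStatus(code: number) { res.statusCode = code; } };
  return res;
}

// Runs isAuthenticated -> isOwner the way PATCH/DELETE /users/:id would, and returns
// the status sent, or 200 if both middlewares called next() and the handler was reached.
export function runOwnerChain(lookup: SessionLookup, cookies: Req["cookies"], id: string): number {
  const req: Req = { cookies, params: { id } };
  const res = fakeRes();
  const state = { reachedHandler: false };
  isAuthenticated(lookup)(req, res, () => {
    isOwner(req, res, () => { state.reachedHandler = true; });
  });
  return state.reachedHandler ? 200 : res.statusCode;
}

// Constructed sample data: one live session belonging to user u1.
const sessions = new Map<string, User>([["tok-alice", { _id: "u1", username: "alice" }]]);
const demoLookup: SessionLookup = (token) => sessions.get(token);
console.log(runOwnerChain(demoLookup, { "KUNSTEWI-AUTH": "tok-alice" }, "u1")); // 200
console.log(runOwnerChain(demoLookup, { "KUNSTEWI-AUTH": "tok-alice" }, "u2")); // 403
```

In the project the lookup is a database query, so the real `isAuthenticated` is an `async` handler that `await`s it; the ordering constraint is the same: `isOwner` only has something to compare once `isAuthenticated` has populated `req.identity`, so it must be registered after it on every route that mutates a user.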
- Passwords are hashed using HMAC-SHA256 with unique salts
- Session tokens are generated using crypto random bytes
- Authentication state is maintained via HTTP-only cookies
- Protected routes require valid session tokens
- Ownership verification prevents unauthorized modifications
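The hashing and session-token scheme listed above, as an added example that is not the project's own code (the real helpers are in `src/helpers/helper.ts` and the register/login/logout logic in `src/controllers/authenticationController.ts`, neither of which this README shows). It keys HMAC-SHA256 with the `SECRET` from `.env`, salts each password with random bytes, issues random session tokens on login, and compares hashes in constant time. The in-memory `UserStore`, the function names, the `salt/password` message layout and the hex encoding are assumptions made for the example.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "crypto";

// In the app this is the SECRET variable from .env. The fallback is a constructed value
// so the example runs offline; a real deployment must never fall back to a hard-coded key.
const SECRET = process.env.SECRET ?? "example-secret-for-local-demo-only";

export function randomToken(bytes = 32): string {
  // CSPRNG output, hex-encoded so the value is safe to put in a cookie.
  return randomBytes(bytes).toString("hex");
}

export function hashPassword(salt: string, password: string): string {
  // HMAC-SHA256 keyed with the server secret over "salt/password". The per-user salt
  // means two users who pick the same password still get different stored hashes.
  return createHmac("sha256", SECRET).update(`${salt}/${password}`).digest("hex");
}

export function verifyPassword(salt: string, password: string, expectedHash: string): boolean {
  const actual = Buffer.from(hashPassword(salt, password), "hex");
  const expected = Buffer.from(expectedHash, "hex");
  // timingSafeEqual throws on a length mismatch, so check lengths first; the constant-time
  // compare avoids leaking how many leading bytes of the hash matched.
  return actual.length === expected.length && timingSafeEqual(actual, expected);
}

// Minimal in-memory stand-in for the Mongoose user model (constructed for the example).
export interface StoredUser {
  username: string;
  email: string;
  authentication: { salt: string; password: string; sessionToken?: string };
}
export type UserStore = Map<string, StoredUser>; // keyed by email

export function registerUser(store: UserStore, username: string, email: string, password: string): StoredUser {
  if (store.has(email)) throw new Error("email already registered");
  const salt = randomToken(16);
  const user: StoredUser = { username, email, authentication: { salt, password: hashPassword(salt, password) } };
  store.set(email, user); // only salt + hash are persisted, never the clear-text password
  return user;
}

// Returns the session token to set in the KUNSTEWI-AUTH cookie, or null if login fails.
export function loginUser(store: UserStore, email: string, password: string): string | null {
  const user = store.get(email);
  if (!user || !verifyPassword(user.authentication.salt, password, user.authentication.password)) return null;
  user.authentication.sessionToken = randomToken(32); // fresh token per login
  return user.authentication.sessionToken;
}

// Server-side invalidation: once cleared, a replayed cookie no longer resolves to a user.
export function logoutUser(store: UserStore, sessionToken: string): boolean {
  for (const user of store.values()) {
    if (user.authentication.sessionToken === sessionToken) {
      delete user.authentication.sessionToken;
      return true;
    }
  }
  return false;
}

// Constructed walk-through of register -> login -> logout.
const demoStore: UserStore = new Map();
registerUser(demoStore, "testuser", "test@example.com", "test123");
const demoToken = loginUser(demoStore, "test@example.com", "test123");
console.log(demoToken !== null, logoutUser(demoStore, demoToken ?? "")); // true true
```

When the controller sends the token it should use Express's cookie options (`res.cookie("KUNSTEWI-AUTH", token, { httpOnly: true, secure: true, sameSite: "lax" })`) so scripts cannot read it and it only travels over HTTPS. HMAC-SHA256 is what the README lists; because it is fast, Node's built-in `scrypt` from the same `crypto` module is a stronger choice for a password store and can replace `hashPassword` without touching the rest of this flow.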
```bash
curl -X POST http://localhost:5000/auth/register \
  -H "Content-Type: application/json" \
  -d '{"username":"testuser","email":"[email protected]","password":"test123"}'
```

```bash
curl -X POST http://localhost:5000/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"[email protected]","password":"test123"}' \
  -c cookies.txt
```

```bash
curl -X GET http://localhost:5000/users \
  -b cookies.txt
```

```bash
curl -X PATCH http://localhost:5000/users/<user-id> \
  -H "Content-Type: application/json" \
  -d '{"username":"newusername"}' \
  -b cookies.txt
```

| Variable | Description | Example |
|---|---|---|
| `PORT` | Server port | `5000` |
| `MONGO_URI` | MongoDB connection string | `mongodb://localhost:27017/rest-api` |
| `SECRET` | Secret key for hashing | `your-secret-key` |
- Fork the repository
- Create your feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -m 'Add some amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request
ISC
kunstewi