📌 express-jwt-role-authentication-api
A secure, scalable, production-grade authentication backend built using Node.js, Express, JWT, HttpOnly cookies, Refresh Tokens, and Role-Based Authorization.
This project demonstrates modern authentication techniques used in real-world enterprise applications.
🚀 Features
✅ User Authentication
Signup with hashed password (bcryptjs)
Login with JWT Access Token + Refresh Token
HttpOnly cookie-based session (secure)
Auto token refresh endpoint
Logout with safe cookie clearing
🔐 JWT Security
Short-lived Access Token
Long-lived Refresh Token
Tokens stored securely
Role stored inside JWT payload
🛡 Role-Based Authorization
Three roles supported:
| Role | Permissions |
|---|---|
| user | Can view & update own profile |
| admin | Full access to user management |
| moderator | (Extendable) |
🔒 Protected Routes
/profile → Only logged-in users
/admin/* → Only admin role
Token verification middleware
Role middleware (allowRoles)
📂 Tech Stack
Node.js
Express.js
MongoDB + Mongoose
JWT
bcryptjs
cookie-parser
express-validator
dotenv
📁 Project Structure
```
project/
│
├── controllers/
│   └── authController.js
│
├── middleware/
│   ├── authMiddleware.js
│   └── roleMiddleware.js
│
├── models/
│   └── User.js
│
├── routes/
│   ├── authRoutes.js
│   └── userRoutes.js
│
├── utils/
│   └── tokenGenerator.js
│
├── config/
│   └── db.js
│
├── .env
├── server.js
└── package.json
```
🔑 Environment Variables (.env)
```
PORT=3000
MONGO_URI=mongodb://127.0.0.1:27017/psignup

ACCESS_TOKEN_SECRET=your_access_token_secret
REFRESH_TOKEN_SECRET=your_refresh_token_secret

ACCESS_TOKEN_EXPIRE=15m
REFRESH_TOKEN_EXPIRE=7d
```
🧪 API Endpoints
🔹 Auth Routes
| Method | Route | Description |
|---|---|---|
| POST | /api/auth/signup | User signup |
| POST | /api/auth/login | User login |
| POST | /api/auth/refresh | Generate new access token |
| GET | /api/auth/logout | Logout user |
🔹 User Routes
| Method | Route | Protection | Description |
|---|---|---|---|
| GET | /api/user/profile | user/admin | View profile |
| PUT | /api/user/update | user/admin | Update profile |
| DELETE | /api/user/delete | user | Delete own account |
| GET | /api/user/admin/all-users | admin | Get all users |
| PUT | /api/user/admin/update-role/:id | admin | Change role |
| DELETE | /api/user/admin/delete/:id | admin | Delete any user |
🔥 How the System Works
1️⃣ Signup
User creates account → password hashed → stored safely.
2️⃣ Login
Email/password validated
Access Token generated
Refresh Token stored in DB + HttpOnly cookie
3️⃣ Protected Routes
Access Token sent in the Authorization header:
`Authorization: Bearer <access_token>`
4️⃣ Access Token Expired → Auto Refresh
Client calls refresh token API
New Access Token returned
User stays logged in
5️⃣ Logout
Refresh token removed from DB
Cookie cleared properly
🛡 Security Practices Used
HttpOnly cookies
SameSite cookie security
Access token short expiry
Refresh token rotation
Role-based authorization
No passwords stored in plain text
Centralized token generator
Clean architecture
💡 Future Enhancements
Email verification
Reset password
Activity logs
CAPTCHA on login
Rate limiting
🧑‍💻 Author
Pankaj Kumar
Advanced Node.js Developer | Web2 + Web3 Engineer
Strong backend + authentication knowledge.
🎯 Final Notes
This backend is production-ready, scalable, secure, and professional. Absolutely perfect for:
Large-scale apps
SaaS platforms
Admin dashboards
Enterprise-level role control
MERN stack projects