Node.js REST API: Express.js Backend with MongoDB and JWT Authentication
Contents
Node.js REST API: Express.js Backend with MongoDB and JWT Authentication
In this post, I’ll share insights from my Node.js REST API project, which demonstrates comprehensive backend development using Express.js, MongoDB integration, JWT authentication, middleware architecture, and robust error handling for scalable web applications.
Project Overview
The Node.js REST API is a comprehensive backend service built with Express.js that provides a robust foundation for web applications. It features MongoDB integration, JWT-based authentication, comprehensive middleware, data validation, and scalable architecture patterns for modern web development.
Technical Architecture
Project Structure
nodejs-api/
├── src/
│ ├── controllers/
│ │ ├── authController.js
│ │ ├── userController.js
│ │ ├── productController.js
│ │ ├── orderController.js
│ │ └── categoryController.js
│ ├── models/
│ │ ├── User.js
│ │ ├── Product.js
│ │ ├── Order.js
│ │ ├── Category.js
│ │ └── index.js
│ ├── routes/
│ │ ├── auth.js
│ │ ├── users.js
│ │ ├── products.js
│ │ ├── orders.js
│ │ ├── categories.js
│ │ └── index.js
│ ├── middleware/
│ │ ├── auth.js
│ │ ├── validation.js
│ │ ├── errorHandler.js
│ │ ├── rateLimiter.js
│ │ ├── cors.js
│ │ └── logger.js
│ ├── services/
│ │ ├── authService.js
│ │ ├── emailService.js
│ │ ├── fileUploadService.js
│ │ └── cacheService.js
│ ├── utils/
│ │ ├── database.js
│ │ ├── jwt.js
│ │ ├── bcrypt.js
│ │ ├── validators.js
│ │ ├── helpers.js
│ │ └── constants.js
│ ├── config/
│ │ ├── database.js
│ │ ├── jwt.js
│ │ ├── email.js
│ │ └── index.js
│ ├── tests/
│ │ ├── unit/
│ │ ├── integration/
│ │ └── fixtures/
│ ├── app.js
│ └── server.js
├── docs/
│ ├── api.md
│ ├── deployment.md
│ └── development.md
├── package.json
├── .env.example
├── .gitignore
├── .eslintrc.js
├── .prettierrc
└── README.mdCore Implementation
Express Application Setup
// src/app.js
const express = require('express');
const cors = require('cors');
const helmet = require('helmet');
const morgan = require('morgan');
const compression = require('compression');
const rateLimit = require('express-rate-limit');
const errorHandler = require('./middleware/errorHandler');
const logger = require('./middleware/logger');
const routes = require('./routes');
const app = express();
// Security middleware
app.use(helmet());
app.use(cors({
origin: process.env.ALLOWED_ORIGINS?.split(',') || ['http://localhost:3000'],
credentials: true
}));
// Rate limiting
const limiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 100, // limit each IP to 100 requests per windowMs
message: 'Too many requests from this IP, please try again later.',
standardHeaders: true,
legacyHeaders: false,
});
app.use(limiter);
// Compression middleware
app.use(compression());
// Logging middleware
app.use(morgan('combined', { stream: { write: message => logger.info(message.trim()) } }));
// Body parsing middleware
app.use(express.json({ limit: '10mb' }));
app.use(express.urlencoded({ extended: true, limit: '10mb' }));
// Static files
app.use('/uploads', express.static('uploads'));
// Health check endpoint
app.get('/health', (req, res) => {
res.status(200).json({
status: 'OK',
timestamp: new Date().toISOString(),
uptime: process.uptime(),
environment: process.env.NODE_ENV
});
});
// API routes
app.use('/api/v1', routes);
// 404 handler
app.use('*', (req, res) => {
res.status(404).json({
success: false,
message: 'Route not found',
path: req.originalUrl
});
});
// Global error handler
app.use(errorHandler);
module.exports = app;Database Models
// src/models/User.js
const mongoose = require('mongoose');
const bcrypt = require('bcryptjs');
const jwt = require('jsonwebtoken');
const userSchema = new mongoose.Schema({
firstName: {
type: String,
required: [true, 'First name is required'],
trim: true,
maxlength: [50, 'First name cannot exceed 50 characters']
},
lastName: {
type: String,
required: [true, 'Last name is required'],
trim: true,
maxlength: [50, 'Last name cannot exceed 50 characters']
},
email: {
type: String,
required: [true, 'Email is required'],
unique: true,
lowercase: true,
trim: true,
match: [/^\w+([.-]?\w+)*@\w+([.-]?\w+)*(\.\w{2,3})+$/, 'Please enter a valid email']
},
password: {
type: String,
required: [true, 'Password is required'],
minlength: [6, 'Password must be at least 6 characters'],
select: false
},
role: {
type: String,
enum: ['user', 'admin', 'moderator'],
default: 'user'
},
avatar: {
type: String,
default: null
},
phone: {
type: String,
trim: true,
match: [/^\+?[\d\s\-\(\)]+$/, 'Please enter a valid phone number']
},
address: {
street: String,
city: String,
state: String,
zipCode: String,
country: String
},
isEmailVerified: {
type: Boolean,
default: false
},
emailVerificationToken: String,
passwordResetToken: String,
passwordResetExpires: Date,
lastLogin: Date,
isActive: {
type: Boolean,
default: true
},
preferences: {
theme: {
type: String,
enum: ['light', 'dark'],
default: 'light'
},
notifications: {
email: {
type: Boolean,
default: true
},
push: {
type: Boolean,
default: true
}
}
}
}, {
timestamps: true,
toJSON: { virtuals: true },
toObject: { virtuals: true }
});
// Virtual for full name
userSchema.virtual('fullName').get(function() {
return `${this.firstName} ${this.lastName}`;
});
// Index for better query performance
userSchema.index({ email: 1 });
userSchema.index({ role: 1 });
userSchema.index({ isActive: 1 });
// Pre-save middleware to hash password
userSchema.pre('save', async function(next) {
if (!this.isModified('password')) return next();
try {
const salt = await bcrypt.genSalt(12);
this.password = await bcrypt.hash(this.password, salt);
next();
} catch (error) {
next(error);
}
});
// Instance method to check password
userSchema.methods.comparePassword = async function(candidatePassword) {
return await bcrypt.compare(candidatePassword, this.password);
};
// Instance method to generate JWT token
userSchema.methods.generateAuthToken = function() {
return jwt.sign(
{
userId: this._id,
email: this.email,
role: this.role
},
process.env.JWT_SECRET,
{ expiresIn: process.env.JWT_EXPIRE || '7d' }
);
};
// Instance method to generate refresh token
userSchema.methods.generateRefreshToken = function() {
return jwt.sign(
{ userId: this._id },
process.env.JWT_REFRESH_SECRET,
{ expiresIn: process.env.JWT_REFRESH_EXPIRE || '30d' }
);
};
// Static method to find user by email
userSchema.statics.findByEmail = function(email) {
return this.findOne({ email: email.toLowerCase() });
};
// Static method to find active users
userSchema.statics.findActiveUsers = function() {
return this.find({ isActive: true });
};
module.exports = mongoose.model('User', userSchema);// src/models/Product.js
const mongoose = require('mongoose');
const productSchema = new mongoose.Schema({
name: {
type: String,
required: [true, 'Product name is required'],
trim: true,
maxlength: [100, 'Product name cannot exceed 100 characters']
},
description: {
type: String,
required: [true, 'Product description is required'],
maxlength: [1000, 'Description cannot exceed 1000 characters']
},
price: {
type: Number,
required: [true, 'Product price is required'],
min: [0, 'Price cannot be negative']
},
originalPrice: {
type: Number,
min: [0, 'Original price cannot be negative']
},
category: {
type: mongoose.Schema.Types.ObjectId,
ref: 'Category',
required: [true, 'Product category is required']
},
brand: {
type: String,
trim: true,
maxlength: [50, 'Brand name cannot exceed 50 characters']
},
sku: {
type: String,
unique: true,
sparse: true,
trim: true,
uppercase: true
},
images: [{
url: {
type: String,
required: true
},
alt: String,
isPrimary: {
type: Boolean,
default: false
}
}],
inventory: {
quantity: {
type: Number,
required: true,
min: [0, 'Quantity cannot be negative'],
default: 0
},
lowStockThreshold: {
type: Number,
default: 10,
min: [0, 'Low stock threshold cannot be negative']
},
trackInventory: {
type: Boolean,
default: true
}
},
specifications: [{
name: {
type: String,
required: true
},
value: {
type: String,
required: true
}
}],
tags: [{
type: String,
trim: true,
lowercase: true
}],
ratings: {
average: {
type: Number,
default: 0,
min: [0, 'Rating cannot be negative'],
max: [5, 'Rating cannot exceed 5']
},
count: {
type: Number,
default: 0,
min: [0, 'Rating count cannot be negative']
}
},
isActive: {
type: Boolean,
default: true
},
isFeatured: {
type: Boolean,
default: false
},
weight: {
type: Number,
min: [0, 'Weight cannot be negative']
},
dimensions: {
length: Number,
width: Number,
height: Number,
unit: {
type: String,
enum: ['cm', 'in', 'm'],
default: 'cm'
}
},
seo: {
metaTitle: String,
metaDescription: String,
slug: {
type: String,
unique: true,
sparse: true,
lowercase: true
}
}
}, {
timestamps: true,
toJSON: { virtuals: true },
toObject: { virtuals: true }
});
// Virtual for discount percentage
productSchema.virtual('discountPercentage').get(function() {
if (this.originalPrice && this.originalPrice > this.price) {
return Math.round(((this.originalPrice - this.price) / this.originalPrice) * 100);
}
return 0;
});
// Virtual for stock status
productSchema.virtual('stockStatus').get(function() {
if (!this.inventory.trackInventory) return 'unlimited';
if (this.inventory.quantity === 0) return 'out_of_stock';
if (this.inventory.quantity <= this.inventory.lowStockThreshold) return 'low_stock';
return 'in_stock';
});
// Indexes for better query performance
productSchema.index({ name: 'text', description: 'text' });
productSchema.index({ category: 1 });
productSchema.index({ price: 1 });
productSchema.index({ isActive: 1 });
productSchema.index({ isFeatured: 1 });
productSchema.index({ 'seo.slug': 1 });
productSchema.index({ tags: 1 });
// Pre-save middleware to generate SKU if not provided
productSchema.pre('save', function(next) {
if (!this.sku) {
this.sku = `PRD-${Date.now()}-${Math.random().toString(36).substr(2, 5).toUpperCase()}`;
}
next();
});
// Pre-save middleware to generate slug if not provided
productSchema.pre('save', function(next) {
if (!this.seo.slug) {
this.seo.slug = this.name
.toLowerCase()
.replace(/[^a-z0-9]+/g, '-')
.replace(/(^-|-$)/g, '');
}
next();
});
// Static method to find products by category
productSchema.statics.findByCategory = function(categoryId) {
return this.find({ category: categoryId, isActive: true });
};
// Static method to find featured products
productSchema.statics.findFeatured = function() {
return this.find({ isFeatured: true, isActive: true });
};
// Static method to search products
productSchema.statics.searchProducts = function(query) {
return this.find({
$text: { $search: query },
isActive: true
}, {
score: { $meta: 'textScore' }
}).sort({ score: { $meta: 'textScore' } });
};
module.exports = mongoose.model('Product', productSchema);Authentication Controller
// src/controllers/authController.js
const User = require('../models/User');
const jwt = require('../utils/jwt');
const { validationResult } = require('express-validator');
const emailService = require('../services/emailService');
const logger = require('../middleware/logger');
// Register new user
const register = async (req, res, next) => {
try {
// Check for validation errors
const errors = validationResult(req);
if (!errors.isEmpty()) {
return res.status(400).json({
success: false,
message: 'Validation failed',
errors: errors.array()
});
}
const { firstName, lastName, email, password, phone } = req.body;
// Check if user already exists
const existingUser = await User.findByEmail(email);
if (existingUser) {
return res.status(409).json({
success: false,
message: 'User with this email already exists'
});
}
// Create new user
const user = new User({
firstName,
lastName,
email,
password,
phone
});
await user.save();
// Generate email verification token
const verificationToken = jwt.generateVerificationToken(user._id);
user.emailVerificationToken = verificationToken;
await user.save();
// Send verification email
try {
await emailService.sendVerificationEmail(user.email, verificationToken);
} catch (emailError) {
logger.error('Failed to send verification email:', emailError);
// Don't fail registration if email fails
}
// Generate tokens
const accessToken = user.generateAuthToken();
const refreshToken = user.generateRefreshToken();
// Remove sensitive data
const userResponse = user.toObject();
delete userResponse.password;
delete userResponse.emailVerificationToken;
logger.info(`New user registered: ${user.email}`);
res.status(201).json({
success: true,
message: 'User registered successfully',
data: {
user: userResponse,
tokens: {
accessToken,
refreshToken
}
}
});
} catch (error) {
next(error);
}
};
// Login user
const login = async (req, res, next) => {
try {
const errors = validationResult(req);
if (!errors.isEmpty()) {
return res.status(400).json({
success: false,
message: 'Validation failed',
errors: errors.array()
});
}
const { email, password } = req.body;
// Find user and include password for comparison
const user = await User.findByEmail(email).select('+password');
if (!user) {
return res.status(401).json({
success: false,
message: 'Invalid email or password'
});
}
// Check if user is active
if (!user.isActive) {
return res.status(401).json({
success: false,
message: 'Account is deactivated'
});
}
// Check password
const isPasswordValid = await user.comparePassword(password);
if (!isPasswordValid) {
return res.status(401).json({
success: false,
message: 'Invalid email or password'
});
}
// Update last login
user.lastLogin = new Date();
await user.save();
// Generate tokens
const accessToken = user.generateAuthToken();
const refreshToken = user.generateRefreshToken();
// Remove sensitive data
const userResponse = user.toObject();
delete userResponse.password;
logger.info(`User logged in: ${user.email}`);
res.json({
success: true,
message: 'Login successful',
data: {
user: userResponse,
tokens: {
accessToken,
refreshToken
}
}
});
} catch (error) {
next(error);
}
};
// Refresh token
const refreshToken = async (req, res, next) => {
try {
const { refreshToken } = req.body;
if (!refreshToken) {
return res.status(400).json({
success: false,
message: 'Refresh token is required'
});
}
// Verify refresh token
const decoded = jwt.verifyRefreshToken(refreshToken);
const user = await User.findById(decoded.userId);
if (!user || !user.isActive) {
return res.status(401).json({
success: false,
message: 'Invalid refresh token'
});
}
// Generate new tokens
const newAccessToken = user.generateAuthToken();
const newRefreshToken = user.generateRefreshToken();
res.json({
success: true,
message: 'Token refreshed successfully',
data: {
tokens: {
accessToken: newAccessToken,
refreshToken: newRefreshToken
}
}
});
} catch (error) {
next(error);
}
};
// Logout user
const logout = async (req, res, next) => {
try {
// In a real application, you might want to blacklist the token
// For now, we'll just return a success message
logger.info(`User logged out: ${req.user.email}`);
res.json({
success: true,
message: 'Logout successful'
});
} catch (error) {
next(error);
}
};
// Forgot password
const forgotPassword = async (req, res, next) => {
try {
const errors = validationResult(req);
if (!errors.isEmpty()) {
return res.status(400).json({
success: false,
message: 'Validation failed',
errors: errors.array()
});
}
const { email } = req.body;
const user = await User.findByEmail(email);
if (!user) {
// Don't reveal if email exists or not
return res.json({
success: true,
message: 'If the email exists, a password reset link has been sent'
});
}
// Generate reset token
const resetToken = jwt.generatePasswordResetToken(user._id);
user.passwordResetToken = resetToken;
user.passwordResetExpires = Date.now() + 10 * 60 * 1000; // 10 minutes
await user.save();
// Send reset email
try {
await emailService.sendPasswordResetEmail(user.email, resetToken);
} catch (emailError) {
logger.error('Failed to send password reset email:', emailError);
return res.status(500).json({
success: false,
message: 'Failed to send password reset email'
});
}
logger.info(`Password reset requested for: ${user.email}`);
res.json({
success: true,
message: 'If the email exists, a password reset link has been sent'
});
} catch (error) {
next(error);
}
};
// Reset password
const resetPassword = async (req, res, next) => {
try {
const errors = validationResult(req);
if (!errors.isEmpty()) {
return res.status(400).json({
success: false,
message: 'Validation failed',
errors: errors.array()
});
}
const { token, password } = req.body;
// Verify reset token
const decoded = jwt.verifyPasswordResetToken(token);
const user = await User.findOne({
_id: decoded.userId,
passwordResetToken: token,
passwordResetExpires: { $gt: Date.now() }
});
if (!user) {
return res.status(400).json({
success: false,
message: 'Invalid or expired reset token'
});
}
// Update password
user.password = password;
user.passwordResetToken = undefined;
user.passwordResetExpires = undefined;
await user.save();
logger.info(`Password reset successful for: ${user.email}`);
res.json({
success: true,
message: 'Password reset successful'
});
} catch (error) {
next(error);
}
};
// Verify email
const verifyEmail = async (req, res, next) => {
try {
const { token } = req.params;
const decoded = jwt.verifyVerificationToken(token);
const user = await User.findOne({
_id: decoded.userId,
emailVerificationToken: token
});
if (!user) {
return res.status(400).json({
success: false,
message: 'Invalid verification token'
});
}
// Mark email as verified
user.isEmailVerified = true;
user.emailVerificationToken = undefined;
await user.save();
logger.info(`Email verified for: ${user.email}`);
res.json({
success: true,
message: 'Email verified successfully'
});
} catch (error) {
next(error);
}
};
module.exports = {
register,
login,
refreshToken,
logout,
forgotPassword,
resetPassword,
verifyEmail
};Middleware Implementation
// src/middleware/auth.js
const jwt = require('../utils/jwt');
const User = require('../models/User');
// Authenticate user
const authenticate = async (req, res, next) => {
try {
const token = req.header('Authorization')?.replace('Bearer ', '');
if (!token) {
return res.status(401).json({
success: false,
message: 'Access token is required'
});
}
// Verify token
const decoded = jwt.verifyAccessToken(token);
const user = await User.findById(decoded.userId);
if (!user || !user.isActive) {
return res.status(401).json({
success: false,
message: 'Invalid or expired token'
});
}
req.user = user;
next();
} catch (error) {
if (error.name === 'JsonWebTokenError') {
return res.status(401).json({
success: false,
message: 'Invalid token'
});
}
if (error.name === 'TokenExpiredError') {
return res.status(401).json({
success: false,
message: 'Token expired'
});
}
next(error);
}
};
// Authorize user roles
const authorize = (...roles) => {
return (req, res, next) => {
if (!req.user) {
return res.status(401).json({
success: false,
message: 'Authentication required'
});
}
if (!roles.includes(req.user.role)) {
return res.status(403).json({
success: false,
message: 'Insufficient permissions'
});
}
next();
};
};
// Optional authentication (doesn't fail if no token)
const optionalAuth = async (req, res, next) => {
try {
const token = req.header('Authorization')?.replace('Bearer ', '');
if (token) {
const decoded = jwt.verifyAccessToken(token);
const user = await User.findById(decoded.userId);
if (user && user.isActive) {
req.user = user;
}
}
next();
} catch (error) {
// Continue without authentication
next();
}
};
module.exports = {
authenticate,
authorize,
optionalAuth
};// src/middleware/errorHandler.js
const logger = require('./logger');
const errorHandler = (err, req, res, next) => {
let error = { ...err };
error.message = err.message;
// Log error
logger.error(err);
// Mongoose bad ObjectId
if (err.name === 'CastError') {
const message = 'Resource not found';
error = { message, statusCode: 404 };
}
// Mongoose duplicate key
if (err.code === 11000) {
const message = 'Duplicate field value entered';
error = { message, statusCode: 400 };
}
// Mongoose validation error
if (err.name === 'ValidationError') {
const message = Object.values(err.errors).map(val => val.message).join(', ');
error = { message, statusCode: 400 };
}
// JWT errors
if (err.name === 'JsonWebTokenError') {
const message = 'Invalid token';
error = { message, statusCode: 401 };
}
if (err.name === 'TokenExpiredError') {
const message = 'Token expired';
error = { message, statusCode: 401 };
}
res.status(error.statusCode || 500).json({
success: false,
message: error.message || 'Server Error',
...(process.env.NODE_ENV === 'development' && { stack: err.stack })
});
};
module.exports = errorHandler;JWT Utility Functions
// src/utils/jwt.js
const jwt = require('jsonwebtoken');
const generateAccessToken = (payload) => {
return jwt.sign(payload, process.env.JWT_SECRET, {
expiresIn: process.env.JWT_EXPIRE || '15m'
});
};
const generateRefreshToken = (payload) => {
return jwt.sign(payload, process.env.JWT_REFRESH_SECRET, {
expiresIn: process.env.JWT_REFRESH_EXPIRE || '7d'
});
};
const generateVerificationToken = (userId) => {
return jwt.sign({ userId }, process.env.JWT_SECRET, {
expiresIn: '24h'
});
};
const generatePasswordResetToken = (userId) => {
return jwt.sign({ userId }, process.env.JWT_SECRET, {
expiresIn: '10m'
});
};
const verifyAccessToken = (token) => {
return jwt.verify(token, process.env.JWT_SECRET);
};
const verifyRefreshToken = (token) => {
return jwt.verify(token, process.env.JWT_REFRESH_SECRET);
};
const verifyVerificationToken = (token) => {
return jwt.verify(token, process.env.JWT_SECRET);
};
const verifyPasswordResetToken = (token) => {
return jwt.verify(token, process.env.JWT_SECRET);
};
module.exports = {
generateAccessToken,
generateRefreshToken,
generateVerificationToken,
generatePasswordResetToken,
verifyAccessToken,
verifyRefreshToken,
verifyVerificationToken,
verifyPasswordResetToken
};Lessons Learned
Node.js Development
- Express.js: Advanced Express.js patterns and middleware
- MongoDB: Comprehensive MongoDB integration with Mongoose
- Authentication: JWT-based authentication and authorization
- Error Handling: Robust error handling and logging
API Design
- RESTful Design: Proper REST API design principles
- Validation: Comprehensive input validation
- Security: Security best practices and middleware
- Documentation: Clear API documentation
Database Design
- Schema Design: Efficient MongoDB schema design
- Indexing: Strategic indexing for performance
- Relationships: Proper data relationships and references
- Validation: Database-level validation
Security Practices
- Authentication: Secure authentication mechanisms
- Authorization: Role-based access control
- Data Protection: Password hashing and data encryption
- Rate Limiting: API rate limiting and protection
Future Enhancements
Advanced Features
- Real-time Features: WebSocket integration
- File Upload: Advanced file upload and management
- Caching: Redis caching implementation
- Search: Elasticsearch integration
Technical Improvements
- Performance: Query optimization and caching
- Monitoring: Advanced monitoring and analytics
- Testing: Comprehensive test coverage
- Deployment: Containerization and CI/CD
Conclusion
The Node.js REST API demonstrates comprehensive backend development expertise and modern web API practices. Key achievements include:
- Express.js: Advanced Express.js application architecture
- MongoDB: Comprehensive database integration
- Authentication: Secure JWT-based authentication
- Middleware: Robust middleware architecture
- Error Handling: Comprehensive error handling
- Security: Security best practices implementation
The project is available on GitHub and serves as a comprehensive example of modern Node.js backend development.
This project represents my deep dive into Node.js backend development and demonstrates how Express.js and MongoDB can be used to build robust, scalable web APIs. The lessons learned here continue to influence my approach to backend development and API design.