This is the backend service for Uzima, built with Express and MongoDB.
- RESTful API for user authentication, records, appointments, and Stellar integration
- Swagger UI documentation at
/docs - Cron jobs for scheduled reminders
- Sentry integration for real-time error monitoring and performance tracing
- Rate limiting with Redis to prevent abuse and brute force attacks
- Inventory: real-time stock tracking with FIFO and low-stock alerts
- Comprehensive Password Policy: Complexity validation, breach detection, expiry management, and account lockout
- Node.js v16 or higher
- npm v8 or higher
- MongoDB database
- Redis server (for rate limiting)
- A Sentry project and DSN (Data Source Name)
- Clone the repo:
git clone https://github.com/Stellar-Uzima/Uzima-Backend.git cd Uzima-Backend - Install dependencies:
npm install
Create a .env file in the project root (you can copy from .env.example) and set:
# Core Configuration
MONGO_URI=<your MongoDB URI>
PORT=5000
JWT_SECRET=<your JWT secret>
NODE_ENV=development
# Email Configuration
SMTP_HOST=<smtp host>`
SMTP_PORT=<smtp port>
SMTP_USER=<smtp user>
SMTP_PASS=<smtp password>
MAIL_FROM="Telemed Support <support@yourdomain.com>"
# Monitoring & Logging
SENTRY_DSN=<your Sentry DSN>
REDIS_URL=redis://localhost:6379
# Password Policy Configuration
PASSWORD_MIN_LENGTH=8
PASSWORD_MAX_LENGTH=64
PASSWORD_REQUIRE_UPPERCASE=true
PASSWORD_REQUIRE_LOWERCASE=true
PASSWORD_REQUIRE_NUMBER=true
PASSWORD_REQUIRE_SPECIAL_CHAR=true
PASSWORD_EXPIRY_DAYS=90
PASSWORD_HISTORY_COUNT=5
# Account Security
MAX_LOGIN_ATTEMPTS=5
LOGIN_LOCKOUT_DURATION_MINUTES=15
# Breach Detection (haveibeenpwned API)
HIBP_CHECK_ENABLED=true
HIBP_API_TIMEOUT_MS=5000
HIBP_API_RETRY_COUNT=1
# Password Policy Logging
LOG_PASSWORD_CHANGES=true
LOG_FAILED_LOGIN_ATTEMPTS=true
LOG_ACCOUNT_LOCKOUTS=trueStart in development mode (with nodemon):
npm run devStart in production mode:
npm startThe API is now available at http://localhost:<PORT> and Swagger UI at http://localhost:<PORT>/docs.
REST endpoints (under /api/inventory):
POST /create item{ sku, name, threshold, lots? }GET /list itemsGET /:skufetch one itemPATCH /:skuupdate name/category/unit/threshold/metadataPOST /:sku/lotsadd stock to lot{ lotNumber, quantity, expiryDate }POST /:sku/consumeconsume stock FIFO{ quantity }
WebSocket events (Socket.IO, connect to the same host):
inventory:updatepayload{ type, item, lotsConsumed? }inventory:lowStockpayload{ sku, name, totalQuantity, threshold, lots }
Behavior:
- FIFO consumption prioritizes earliest
expiryDatelots - Low-stock alerts emit when
totalQuantity <= threshold - All changes are audit-logged in
InventoryAuditLog
Uzima Backend includes enterprise-grade password security with comprehensive policies:
- Password Complexity: Enforces minimum 8 characters with uppercase, lowercase, numbers, and special characters
- Password History: Prevents reuse of last 5 passwords
- Password Expiry: Passwords expire after 90 days with warnings at 30, 14, and 7 days
- Breach Detection: Checks passwords against haveibeenpwned database using k-anonymity for privacy
- Strength Scoring: Provides 0-4 password strength scores with actionable feedback
- Account Lockout: Locks account after 5 failed login attempts for 15 minutes
- Force Password Change: Enforces password update on expiry or admin reset
- Audit Logging: All password changes logged for compliance
POST /api/auth/password/strength- Check password strength (public)POST /api/auth/password/change- Change password (authenticated)GET /api/auth/password/status- Get password status (authenticated)
All password policy settings are configurable via environment variables (see PASSWORD_POLICY_ENV_CONFIG.md):
PASSWORD_MIN_LENGTH, PASSWORD_MAX_LENGTH, PASSWORD_EXPIRY_DAYS, PASSWORD_HISTORY_COUNT,
MAX_LOGIN_ATTEMPTS, LOG_PASSWORD_CHANGES, HIBP_CHECK_ENABLED, etc.
For complete documentation, see PASSWORD_POLICY_README.md.
Uzima Backend is configured to report runtime errors and performance traces to Sentry.
- Ensure
SENTRY_DSNis set in.env. - Run the app.
- Open your browser and visit:
This will throw a test error.
http://localhost:<PORT>/debug-sentry - Verify the error appears in your Sentry project under Issues.
Sentry captures performance traces for all incoming requests (sampling rate = 100%).
- Call any endpoint (e.g.,
/api). - In Sentry Dashboard, go to Performance β Transactions to inspect traces and response times.
The API implements comprehensive rate limiting to prevent abuse and brute force attacks:
- General API: 100 requests per 15 minutes
- Authentication: 5 requests per 15 minutes
- 2FA Operations: 10 requests per 15 minutes
- File Uploads: 20 requests per hour
- Admin Operations: 200 requests per 15 minutes
Rate limits are enforced per-IP for anonymous users and per-user for authenticated users. When limits are exceeded, the API returns HTTP 429 with retry information.
For detailed information, see RATE_LIMITING.md.
# Test rate limiting functionality
node test-rate-limit.jsWe use npm audit and GitHub Actions to ensure our dependencies are secure.
- CI Integration: Every Pull Request to
mainordeveloptriggers a security check that fails if High or Critical vulnerabilities are found. - Manual Check: You can run the security check locally:
npm run security:check
- Automated Fixes: GitHub Dependabot is configured to automatically create Pull Requests for vulnerable dependencies.
-
Detection:
- CI pipeline fails on
npm run security:check. - Dependabot alerts or PRs are created.
- CI pipeline fails on
-
Resolution:
- For Dependabot PRs: Review the changelog and compatibility, then merge if tests pass.
- Manual Fixes:
Run
npm audit fixto automatically fix compatible vulnerabilities.For breaking changes, runnpm audit fix
npm audit fix --forcewith caution or manually upgrade the package inpackage.json.
-
Verification:
- Run
npm run security:checkto confirm no high/critical vulnerabilities remain. - Push changes to trigger the CI pipeline.
- Run
- Configure alerts and dashboards in Sentry for proactive notifications.
- Monitor rate limit violations in Redis and application logs.
ISC