Shopio is a backend application built using Spring Boot that implements a secure and scalable user authentication system with email-based OTP verification, JWT authentication, and role-based access control.
This project focuses on real-world backend practices, security, and clean architecture.
- Unique username and email validation
- Password hashing using BCrypt
- Default CUSTOMER role assignment
- Admin registration via secret header
- Email verification required before login
- OTP generation during registration
- OTP sent via email (SMTP – development mode)
- OTP expires after 5 minutes
- OTP is single-use
- Invalid or expired OTPs are rejected
- OTP resend cooldown
- Old OTP invalidation
- Attempt limits to prevent brute-force attacks
- Login allowed only for verified users
- JWT-based authentication
- Secure token handling
- Role-based access control (ADMIN, CUSTOMER)
- Custom Spring Security configuration
- CSRF disabled for REST APIs
- Stateless authentication
- Secrets managed via environment variables
- .env excluded from version control
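The OTP rules in the list above (5-minute expiry, single-use, resend cooldown, old-OTP invalidation, attempt limit), as an added standalone Java illustration that is not Shopio's own code; the 60-second cooldown, the 5-attempt limit and the 6-digit format are assumptions, and the in-memory map stands in for the database table.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.HexFormat;
import java.util.Map;

// Illustrative OTP store, not a class from the Shopio code base.
public class OtpVerifier {
    static final Duration TTL = Duration.ofMinutes(5);              // from the feature list
    static final Duration RESEND_COOLDOWN = Duration.ofSeconds(60); // assumed value
    static final int MAX_ATTEMPTS = 5;                              // assumed value

    // Only a hash of the code is kept, so a leaked table does not leak usable OTPs.
    record Pending(String hash, Instant issuedAt, int attempts) {}

    private final Map<String, Pending> pending = new HashMap<>();
    private final SecureRandom random = new SecureRandom();

    // Issues a fresh 6-digit OTP; any older OTP for the same email is replaced (invalidated).
    public String issue(String email, Instant now) {
        Pending old = pending.get(email);
        if (old != null && Duration.between(old.issuedAt(), now).compareTo(RESEND_COOLDOWN) < 0) {
            throw new IllegalStateException("resend cooldown active");
        }
        String otp = String.format("%06d", random.nextInt(1_000_000));
        pending.put(email, new Pending(sha256(otp), now, 0));
        return otp; // handed to the mail sender; never persisted in clear
    }

    // Succeeds once for a correct, unexpired code; expired, wrong, reused or over-tried codes are rejected.
    public boolean verify(String email, String otp, Instant now) {
        Pending p = pending.get(email);
        if (p == null) return false;                                      // nothing pending or already used
        if (Duration.between(p.issuedAt(), now).compareTo(TTL) > 0) { pending.remove(email); return false; }
        if (p.attempts() >= MAX_ATTEMPTS) { pending.remove(email); return false; }
        boolean ok = MessageDigest.isEqual(sha256(otp).getBytes(), p.hash().getBytes()); // constant-time
        if (ok) pending.remove(email);                                    // single-use
        else pending.put(email, new Pending(p.hash(), p.issuedAt(), p.attempts() + 1));
        return ok;
    }

    private static String sha256(String s) {
        try { return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(s.getBytes())); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```

In a real deployment the map would be a table keyed by user with the same hash, issue time and attempt counter columns, and the cooldown check belongs in the resend endpoint.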
- Java 17
- Spring Boot
- Spring Security
- JWT (JSON Web Tokens)
- PostgreSQL
- JPA / Hibernate
- Spring Mail (SMTP)
- Maven
Create a .env file (not committed):
MAIL_USERNAME=your_email@gmail.com
MAIL_PASSWORD=your_app_password
JWT_SECRET=your_jwt_secret_key
ADMIN_SECRET=SHOPIO_ADMIN_2026
- POST /api/users/register
- POST /api/users/verify-otp
- POST /api/auth/login
- Secure authentication design
- OTP-based email verification
- Spring Security & JWT integration
- Environment-based secret management
- Clean backend architecture
This project is intended for learning and demonstration purposes.