🚀 Strict Auth Service – Open Contribution Repo

Hey there! I’m Yatharth Kumar Saxena, and over the last 30 days, I hand-crafted a zero-compromise authentication system for modern production use cases — featuring secure login, strict device binding, rate limiters, and complete audit logging. After 296 commits and 4500+ lines of code, I'm opening it up for the world. Let’s build together.

---

📑 Table of Contents

• 📖 Introduction
• 🔍 Core Highlights
• 🧩 Current Architecture
• 🗂️ Folder Structure
• 🧑‍💻 Open Contribution Areas
• 🤝 How to Contribute
• ⚙️ Tech Stack & Principles
• 🎯 Final Takeaway

---

📖 Introduction

This is the open-source counterpart to my private Strict Authentication Service. While the original repository was focused on internal implementation and experimentation, this one is about collaboration, innovation, and collective engineering.

“System fails. Design survives.” — YKS

---

🔍 Core Highlights

This isn’t just login/signup — it’s a full-blown auth engine with enterprise readiness.

• 🔑 JWT-based stateless sessions (access & refresh)
• 🔐 Admin-only protected routes (with ADMxxxxx prefix)
• 📵 Strict device policy: Only one device per user, one user per device
• ⏱️ Request tracking (requestCount, lastRequestAt) per device
• 🔁 Auto-expiry & re-allocation of device slots if inactive
• 🔄 Full logout (DB + cookies + logs)
• 🧾 Structured audit logging (with SYSTEM, USER, ADMIN)
• 🚫 Rate limiting for login/signup/change-password
• 📜 Cookie & header-based token response (double fallback)
• ⚠️ Dynamic field validation (regex + length-based)

---

🧩 Current Architecture

Design Principles:
☑️ SOLID · ☑️ DRY · ☑️ KISS · ☑️ YAGNI

Patterns in Play:
🧱 Singleton · 🏭 Factory · 🧬 Strategy · 🔗 Chain of Responsibility

This system is modular, testable, and microservice-ready — designed with scalability and readability in mind.

🧠 Session Management Note:

• A user can only stay logged in from one device at a time.
• If they log in from another device, the previous session is invalidated.
• Each device is uniquely tied to only one user at any point in time.

---

🗂️ Folder Structure

Total files: 60+ (excluding node_modules)

📁 Folder	🏷️ Description
configs/	✅ Application configs (env, auth, cookie, token, HTTP codes, regex, etc.)
controllers/	🎮 Express route handlers — directly handle incoming HTTP requests
middlewares/	🛡️ Role guards, device parsers, rate-limiters, access control checks
rate-limiters/	📊 Route-based in-memory limiter logic and dynamic Prisma-based limiter service
services/	🧠 Core business logic — login, registration, ID generation, validation, logout
utils/	🧰 Helper utilities — logs, token, cookie, validators, device utils, etc.
clients/	🛢️ Prisma clients — handles public.prisma and private.prisma connections
routers/	🌐 Route layer — Express router-level mappings for all APIs
cron-jobs/	⏱️ Time-based background jobs (e.g., cleanup, expiry, stale sessions)
internal/	🛰️ Internal API call handlers (service-to-service calls if extended later)
README.md	🧭 You are here — full repo structure, purpose, and setup instructions

Each module has its own README.md inside the folder for context and usage.

---

🧑‍💻 Open Contribution Areas

Here’s what we’re actively looking to build or improve:

1. 📲 OTP Verification Workflow

• After sign-up, users remain isActive: false until OTP verification.
• Implement 6-digit OTP with a 30s expiry & retry logic.
• Ideal: Plug this as a strategy module or plug-in service.

2. 🔑 Forgot Password API

• One-time token/email flow.
• TTL-based token expiry or OTP-based verification.
• Ensure rate limit + log tracking.

3. 📈 Advanced Logging Integration

• Plug in winston or pino.
• Add traceIDs, log rotation, and transport options.

4. ⚡ Performance Boosting

• In-memory cache for device/user lookups.
• Graceful shutdown handling.
• Add Prometheus metrics integration (optional).

5. 🧼 Bug Fixes, Cleanup, Refactors

• Strict validator improvements
• Mongoose index improvements (e.g., TTL)
• Controller decoupling or route modularization

🛑 Must follow design principles & architecture style.

---

🤝 How to Contribute

1. Fork ➜ clone ➜ git checkout -b feature/your-feature
2. Run npm install ➜ rename .env.sample ➜ .env
3. Make your changes with clear commit messages
4. Open a PR — mention issue number and design rationale
5. Don’t forget unit tests for new logic

---

⚙️ Tech Stack & Principles

Layer	Tech
🚀 Backend	Node.js + Express.js
🧠 DB	PostgreSQL (Prisma ORM)
🔐 Auth	JWT (stateless), cookie fallback
📞 Logs	Console + audit logs (JSON-ready)
⏱️ Limiting	User + Device rate limiters
♻️ Cleanup	Cron jobs (expired logs, stale users)

---

🎯 Final Takeaway

This project started as my personal dive into enterprise-grade authentication systems. Now, it’s yours too.
Whether it’s your first PR or a production-grade refactor — welcome aboard.

Let’s build a fortress of security — the clean way. 🔐

— Yatharth Kumar Saxena